Computer Forensics
Portable NAS Server

August 26, 2014 8:59 am | Ciphertex Data Security | Product Releases | Comments

Ciphertex Data Security has introduced the CX-4K-NAS, a high-performing, portable, reliable and encrypted NAS server with up to 32TB of storage capacity and four bays.

SANS Introduces Apple Mac and iDevice Forensic Analysis Course

August 26, 2014 7:56 am | News | Comments

To help digital forensic and incident response (DFIR) professionals take on any Apple case...

Feeds, Feeds and More Feeds

August 25, 2014 10:37 am | by Editor | Blogs | Comments

I’ve seen some email threads on a few listserv groups talking about developing a capability to...

Autopsy 3.1

August 25, 2014 8:35 am | Product Releases | Comments

Basis Technology has released Autopsy 3.1, the latest version of its flagship open source...

What does that 'look like'?

August 22, 2014 8:52 am | by Harlan Carvey | Blogs | Comments

We've heard this question a lot, haven't we? I attended a conference about 2 1/2 years ago, and the agenda for that conference had about half a dozen or more presentations that contained "APT" in their title. I attended several of them, and I have to say ... I walked out of some of them.

Incident Response Requires Forensics and Storage

August 21, 2014 9:49 am | by William Jackson, GCN | News | Comments

Dealing with insider threats, as in dealing with any threat to your network, requires a plan for incident response. An effective response includes forensics, and forensics and storage go hand in hand. With the window of time between a compromise and its discovery widening, the amount of storage needed to accommodate data is becoming greater.

auto_rip, tr3secure_collection & DFS Updates

August 20, 2014 10:09 am | by Corey Harrell | Blogs | Comments

auto_rip is a wrapper script for Harlan Carvey's RegRipper and the script has a few updates. The script's home has always been on the RegRipper Google Code site but Google dropped support for adding new downloads. As a result, I thought it might be helpful to make newer versions available at different places since Google Code can no longer be used.

CCL to Showcase Social Media Tools for Law Enforcement at Smile Conference

August 20, 2014 8:08 am | CCL-Forensics Limited | News | Comments

CCL will be demonstrating the social media monitoring tool Signal at the UK’s first international social media law enforcement conference.

Digital Forensics Program Prepares Students to Tackle Cyber Crime

August 20, 2014 8:07 am | by Univ. of Albany | News | Comments

The new digital forensics program at the University at Albany is designed to educate and prepare students to work in a fast-growing, billion-dollar market with high, long-term projected demand for trained professionals.

Experts Raise Doubts about MonsterMind

August 18, 2014 10:23 am | by Eric Chabrow, Gov Info Security | News | Comments

Cybersecurity experts raise doubts whether the National Security Agency has successfully deployed an automated hack-back system known as MonsterMind, as revealed by former NSA contractor Edward Snowden in an interview with Wired.

When Not to 'Pull the Plug'

August 15, 2014 8:52 am | Articles | Comments

Triaging a computer can be a methodology to avoid many issues inherent with “pulling the plug.” For instance, capturing the system volatile information can very quickly provide investigators valuable information.

Where's the IR in DFIR Training?

August 13, 2014 9:12 am | by Corey Harrell | Blogs | Comments

I'm writing this post to voice a concern about trainings for incident response. I am painting this picture with a broad stroke. The picture does not apply to every $vendor nor does it apply to every training course.

To Solve Cybercrime, Some In Silicon Valley Ditch The Data

August 8, 2014 9:51 am | News | Comments

Collecting data about people has become a $1 trillion industry, but keeping this information safe is proving near impossible. So, a small group of entrepreneurs and developers are building new technologies that don't rely on data as a digital currency.

EnCase 7.10

August 6, 2014 11:15 am | Guidance Software, Inc. | Product Releases | Comments

EnCase 7.10 expands on its visibility by unlocking self-encrypting drives and supporting OS X investigations with HFS+ Double Files, Quick Look Thumbnail Caches, and Keychain parsing. EnCase 7.10 simplifies analysis and reporting through a new Report Template Wizard. Not every investigation is a “dead box” investigation, and EnCase 7.10 has adapted to include EnCase Portable volatile data collection and triage capabilities at no additional cost.

Streamlining the Digital Forensic Workflow: Part 1

August 6, 2014 10:59 am | by John J. Barbara | Digital Forensics Consulting, LLC | Articles | Comments

It has now reached the point that it is no longer practical for an examiner to forensically analyze each and every piece of evidence. Depending upon the alleged crime, often the incriminating evidence can be found in an e-mail, a document, the browser history, an SMS, or some other source. This leads to the obvious conclusion that examiners are going to need a new approach to streamline their workflow.

Case Study: Chesterfield County Police Department

August 5, 2014 9:30 am | by Editor | Blogs | Comments

Many digital investigators in law enforcement work for multiple teams and agencies. Keith Vincent is no exception. In his current role in the Economic Crimes Unit of the Chesterfield County Police Department, his title is Detective.

Google Gives Police Child Pornography Evidence

August 5, 2014 7:41 am | by Conor Dougherty | News | Comments

Federal law requires people and companies to report child exploitation when they see it. This includes Google, whose automated eyes tipped law enforcement about a Houston-area man whom the police say was using the company’s Gmail service to email pornographic images of a child.

Special Cyber Crime Team

August 4, 2014 9:47 am | News | Comments

City police in Surat, India, will soon have a dedicated group of cops to fight the menace of cyber crimes. The cops in the group would need to clear a certification examination to become eligible to carry out cyber crime-related investigation. Each police station in the city will have experts to investigate internet-related crimes.

Squirrelling Away Plists

July 31, 2014 2:36 pm | by Editor | Blogs | Comments

Plists are Apple's way of retaining configuration information. They're scattered throughout OS X and iOS like acorns and come in 2 main types — XML and binary. Due to their scattered nature and the potential for containing juicy artefacts, monkey thought a script to read plists and extract their data into an SQLite database might prove useful.

Find the Context

July 30, 2014 3:50 pm | Articles | Comments

Digital forensic science is not a matter of recovering a file that proves somebody’s guilt; it is about wading through hundreds of thousands, possibly millions, of a wide variety of digital artifacts and making very pointed critical judgments about which provide some sort of inculpatory or exculpatory evidence relevant to the case.

Book Review: 'The Art of Memory Forensics'

July 30, 2014 3:23 pm | by Harlan Carvey | Blogs | Comments

I'm writing this review as someone who has used Volatility for some time, albeit not to its fullest possible extent. I'm more of an incident responder, and not so much a malware reverse engineer; I tend to work with some really good malware RE folks and usually go to them for the deeper stuff.

Panopticlick Reveals the Cookie You Can't Delete

July 29, 2014 10:36 am | by Mark Stockley | Blogs | Comments

Cookies are an essential part of the way the web works and occupy a pivotal position in the online privacy arms race. Organizations who want to track and profile people give them cookies and users who don't want to be tracked disable or delete them. But what if there was a cookie you couldn't delete, and what if the steps you took to guard your privacy made you easier to track?
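The mechanism behind that last question is browser fingerprinting: Panopticlick scores each attribute a browser exposes by how rare its value is, so a carefully de-cookied, de-Flashed, DNT-enabled browser can stand out more than a stock one. The script below is an added example written for this page, not code from Panopticlick or from the linked post; it applies that "bits of identifying information" measure (a value shared by a fraction p of visitors reveals -log2(p) bits) to a constructed population of 20 browsers, which is invented for the demonstration and not measured data.

```python
"""Why a privacy-hardened browser can be easier to fingerprint than a stock one.

Added example for this page, not code from Panopticlick or the linked post. It
applies the Panopticlick measure of 'bits of identifying information': an attribute
value shared by a fraction p of the population reveals -log2(p) bits. The browser
population below is constructed for the demonstration, not measured data.
"""
import math
from collections import Counter

ATTRIBUTES = ("user_agent", "plugins", "fonts", "do_not_track")

# Constructed population of 20 observed browsers (one tuple per visitor).
STOCK = ("Chrome/36", "Flash,Java", "standard", "off")
HARDENED = ("Firefox/31", "none", "standard+extra", "on")
POPULATION = (
    [STOCK] * 10
    + [("Firefox/31", "Flash,Java", "standard", "off")] * 4
    + [("Chrome/36", "Flash", "standard", "off")] * 4
    + [("Safari/7", "Flash", "standard", "off")]
    + [HARDENED]
)


def surprisal_bits(population, index, value):
    """Bits revealed by one attribute value: -log2(share of population with it)."""
    count = sum(1 for row in population if row[index] == value)
    if count == 0:
        raise ValueError(f"{ATTRIBUTES[index]}={value!r} not in population")
    return -math.log2(count / len(population))


def fingerprint_report(population, browser):
    """Per-attribute bits, their sum, and how many visitors share the whole tuple.

    Summing per-attribute bits assumes the attributes are independent (they are
    correlated in practice), so the exact match count is the honest figure.
    """
    per_attr = {name: surprisal_bits(population, i, value)
                for i, (name, value) in enumerate(zip(ATTRIBUTES, browser))}
    matches = Counter(population)[browser]
    return per_attr, sum(per_attr.values()), matches


if __name__ == "__main__":
    for label, browser in (("stock", STOCK), ("hardened", HARDENED)):
        per_attr, total, matches = fingerprint_report(POPULATION, browser)
        print(f"{label}: {total:.2f} bits total, shared by {matches} of {len(POPULATION)}")
        for name, bits in per_attr.items():
            print(f"  {name:13s} {bits:5.2f} bits")
```

In this constructed population the stock browser scores a little over one bit and is shared by ten visitors, while the hardened browser scores roughly fifteen bits and is unique: every privacy measure that few other people take is itself an identifying value.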

Software Forensically Recovers Watched YouTube Videos

July 28, 2014 10:32 am | by John Bradley | SiQuest Corporation | News | Comments

SiQuest Corporation has added a feature to its Internet Examiner Toolkit (IXTK). With the current release of Version 4.0.1407.2503, IXTK now forensically recovers evidence of “watched YouTube videos” from the Unallocated Space and browser cache repositories of computer hard drives, and the YouTube website directly.

File System Ops, Testing Phase 2

July 25, 2014 9:43 am | by Corey Harrell | Blogs | Comments

As I mentioned in my previous post on this topic, there were two other tests that I wanted to conduct with respect to file system operations and the effects an analyst might expect to observe within the MFT, and the USN change journal.    

Limitations of Volatile Memory Analysis

July 25, 2014 8:51 am | Articles | Comments

Realistically, Live RAM analysis has its limitations, lots of them. Many types of artifacts stored in the computer’s volatile memory are ephemeral. While information about running processes will not disappear until they are finished, remnants of recent chats, communications, and other user activities may be overwritten with other content any moment the operating system demands yet another memory block.

File System Ops, Effects on MFT Records

July 24, 2014 8:17 am | by Corey Harrell | Blogs | Comments

I recently conducted some testing of different actions on a Windows 7 system, with the specific purpose of identifying artifacts within the file system (in this case, the MFT and the USN change journal), particularly within individual records.

Digital Forensics in the Mobile, BYOD, Cloud Era

July 23, 2014 10:59 am | by Kerry Francis and Matt Larson, Inside Counsel | News | Comments

The early use of digital forensics proved invaluable in a company’s investigation and legal pursuit of a renegade employee, averting potentially large business losses. Such effective outcomes can be challenging due to constant advancement of technology.

Safari and iPhone Internet History Parser

July 23, 2014 9:32 am | by Mari DeGrazia | Blogs | Comments

I put together a python script that parses out several plist files related to Safari Internet History. Since the iPhone also uses Safari, I decided to expand the script to parse some iPhone Safari artifacts.
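Both the "Squirrelling Away Plists" item above (reading XML and binary plists into SQLite) and this Safari history parser come down to the same two steps: load a plist regardless of its encoding, then pull out the fields an examiner cares about. The script below is an added example written for this page, not the script from either blog post. It relies on plistlib.loads() autodetecting XML and binary (bplist00) input, flattens every leaf into one SQLite table, and then reads a Safari History.plist; the History.plist layout assumed here (a top-level "WebHistoryDates" array of dicts whose "" key holds the URL and whose "lastVisitedDate" is seconds since 2001-01-01 UTC) is an assumption about the old plist-based history file, not something stated on the page. The sample plists are constructed in memory.

```python
"""Flatten XML and binary plists into SQLite, then pull Safari history out of one.

Added example written for this page; it is not the script from either blog post.
plistlib.loads() autodetects the XML and binary (bplist00) formats. The Safari
History.plist layout assumed here (a top-level "WebHistoryDates" array of dicts whose
"" key is the URL and whose "lastVisitedDate" is seconds since 2001-01-01 UTC) is an
assumption about the old plist-based history, not something stated on the page.
"""
import plistlib
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Foundation absolute time counts seconds from this epoch.
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

SCHEMA = """CREATE TABLE IF NOT EXISTS plist_values (
    source TEXT, fmt TEXT, key TEXT, type TEXT, value TEXT)"""


def flatten(node, path=""):
    """Yield (path, leaf) pairs; dict keys become /key, list indexes become [i]."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from flatten(value, f"{path}[{index}]")
    else:
        yield path, node


def to_text(value):
    """SQLite-friendly rendering of the plist leaf types."""
    if isinstance(value, bytes):
        return value.hex()
    if isinstance(value, datetime):
        return value.isoformat()
    return str(value)


def to_sqlite(conn, source, data):
    """Parse one plist (bytes) and insert its leaves; returns the row count."""
    fmt = "binary" if data.startswith(b"bplist00") else "xml"
    root = plistlib.loads(data)          # format autodetected by plistlib
    rows = [(source, fmt, key, type(leaf).__name__, to_text(leaf))
            for key, leaf in flatten(root)]
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO plist_values VALUES (?, ?, ?, ?, ?)", rows)
    return len(rows)


def safari_history(root):
    """(url, title, visit_count, last_visited_iso) tuples from a History.plist dict."""
    visits = []
    for entry in root.get("WebHistoryDates", []):
        when = CF_EPOCH + timedelta(seconds=float(entry.get("lastVisitedDate", 0)))
        visits.append((entry.get(""), entry.get("title", ""),
                       int(entry.get("visitCount", 0)), when.isoformat()))
    return visits


# Constructed sample data, not real artefacts.
SAMPLE_HISTORY = {
    "WebHistoryFileVersion": 1,
    "WebHistoryDates": [
        {"": "https://example.test/login", "title": "Login",
         "lastVisitedDate": "429000000.5", "visitCount": 3},
    ],
}
SAMPLE_PREFS = {"HomePage": "https://example.test/", "NewWindowBehavior": 0,
                "BlobSetting": b"\x00\x01"}


def demo():
    """Write one XML and one binary plist, load both, return (conn, rows, history)."""
    xml_bytes = plistlib.dumps(SAMPLE_HISTORY, fmt=plistlib.FMT_XML)
    bin_bytes = plistlib.dumps(SAMPLE_PREFS, fmt=plistlib.FMT_BINARY)
    conn = sqlite3.connect(":memory:")
    rows = to_sqlite(conn, "History.plist", xml_bytes)
    rows += to_sqlite(conn, "com.apple.Safari.plist", bin_bytes)
    return conn, rows, safari_history(plistlib.loads(xml_bytes))


if __name__ == "__main__":
    conn, rows, history = demo()
    print(rows, "rows loaded")
    for row in conn.execute("SELECT source, fmt, key, value FROM plist_values"):
        print(row)
    for visit in history:
        print(visit)
```

The timestamp conversion is the part worth checking on real evidence: Safari stores Core Foundation absolute time (seconds since 2001-01-01 UTC), not Unix time, so treating it as a Unix epoch value would place every visit 31 years too early. The binary-versus-XML detection matters for the same reason the original post grouped them: both forms carry identical data, and OS X freely converts between them.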

Computer Forensics Reveal Murderous Searches

July 21, 2014 9:04 am | by Andy Kravetz, Journal Star | News | Comments

Although they don’t have an eyewitness or the actual murder weapon, Peoria County, Illinois prosecutors believe they have the next best thing — a series of Internet searches on Nathan Leuthold’s computer about ways to kill someone.
