Computer Forensics

Retrieving Obscured Files

September 19, 2014 10:00 am | Articles | Comments

One should not expect to find all user information sitting in the default folder or default location for a given type of file (e.g. Application Data or similar folder). Searching the entire hard disk is required in order to locate all unencrypted log and history files.

Logical Forensic Imaging

September 16, 2014 4:03 pm | Product Releases | Comments

CRU has made available the Logical Imaging feature for its rugged, silent, and reliable...

Post-detection Event Management and Recovery

September 12, 2014 10:02 am | Product Releases | Comments

Guidance Software, Inc. has announced an event management and response solution that...

Moving Ever Closer to the 'Find All Evidence' Button

September 11, 2014 8:17 am | by Stuart Clarke | Blogs | Comments

Nuix has demonstrated time and again that there are smarter ways to investigate big data....

Forensic Subcommittee on Digital Evidence Added to NIST Committees

September 10, 2014 9:50 am | by NIST | News | Comments

Digital evidence, one of the fastest growing areas of forensic science, will now have its own subcommittee in the National Institute of Standards and Technology (NIST)-administered Organization of Scientific Area Committees (OSAC). NIST is establishing the OSAC to identify and develop national standards and guidelines for forensic science practitioners to strengthen forensic science in the United States.

Python Single Word / Proper Name Extraction

September 5, 2014 12:51 pm | by Chet Hosmer | Blogs | Comments

When examining ASCII text data during a forensic investigation, it is often useful to extract proper names and then rank those proper names by the highest number of occurrences. The Python language has built-in capabilities that will perform this extraction swiftly and easily.

What Does That Look Like, Pt II

September 5, 2014 12:42 pm | by Harlan Carvey | Blogs | Comments

In my last post, I talked about sharing what things "look like" on a system, illustrating indicators of the use of lateral movement via the 'at.exe' command. I wanted to take a moment to provide some additional insight into that post, with a view towards potentially-available indicators that did not make it into the article, simply because I felt that they didn't fit with the focus of the article.

Finding Good Cookies

September 5, 2014 12:14 pm | Articles | Comments

Over the years, cookies have been overlooked in forensic examinations. For the most part, cookies were used to show that a user account had accessed a website. Since no set structure for cookies existed, determining the content’s meaning was problematic. With the advent of Google Analytics (GA) cookies, that has changed.

Is Apple iCloud Safe?

September 4, 2014 12:10 pm | by Mathew J. Schwartz, Gov Info Security | News | Comments

Apple has blamed a "very targeted attack" for the suspected breach of numerous celebrities' iCloud accounts, which resulted in nude photographs and videos being leaked to the 4chan image board. But some security experts have taken issue with Apple's explanation for the attacks. And they contend the company's iCloud service remains vulnerable to similar exploits.

Copier Forensics in 2014: The Good, the Bad, and the Ugly

September 4, 2014 11:43 am | by Editor | Blogs | Comments

Recently, I had the opportunity to do forensic analysis on a HDD extracted from a Canon ImageRunner Advanced C5240 Multifunction Copier. After a story was broken by CBS News, back in 2010, it seemed likely that less would be available than is described in the copier forensic write-ups here and here. Nonetheless, I was hopeful.

Forced to Adapt: XSLCmd Backdoor Now on OS X

September 4, 2014 11:34 am | by James T. Bennett and Mike Scott | Blogs | Comments

FireEye Labs recently discovered a previously unknown variant of the APT backdoor XSLCmd — OSX.XSLCmd — which is designed to compromise Apple OS X systems. This backdoor shares a significant portion of its code with the Windows-based version of the XSLCmd backdoor that has been around since at least 2009.

SIEM Use Case Implementation Mind Map

September 2, 2014 12:13 pm | by Corey Harrell | Blogs | Comments

Building out an organization's security detection capability can be a daunting task. The complexity of the network, number of applications/servers/clients, the sheer number of potential threats, and the unlimited attack avenues those threats can use are only a few of the challenges. To tackle this daunting task there are different ways to build out the detection capability.

Portable NAS Server

August 26, 2014 8:59 am | Ciphertex Data Security | Product Releases | Comments

Ciphertex Data Security has introduced the CX-4K-NAS, a high-performing, portable, reliable and encrypted NAS server with up to 32TB of storage capacity and four bays.

SANS Introduces Apple, Mac and iDevice, Forensic Analysis Course

August 26, 2014 7:56 am | SANS Institute | News | Comments

To help digital forensic and incident response (DFIR) professionals take on any Apple case without hesitation, the SANS Institute has introduced the new FOR518: Mac Forensic Analysis course. This intense hands-on forensic analysis course will help Windows-based investigators broaden their analysis capabilities and achieve the confidence and knowledge needed to comfortably analyze any Mac or iOS system without hesitation.

Feeds, Feeds and More Feeds

August 25, 2014 10:37 am | by Editor | Blogs | Comments

I’ve seen some email threads on a few listserv groups talking about developing a capability to take indicators from threat feeds and automatically generating signatures that can be used in various detection technologies. I have some issues with taking this approach and thought a blog post on it may be better than replying to these threads.

Autopsy 3.1

August 25, 2014 8:35 am | Basis Technology | Product Releases | Comments

Basis Technology has released Autopsy 3.1, the latest version of its flagship open source digital forensics platform. Autopsy is a free and open source Windows-based digital forensics platform that has been built to provide an intuitive workflow for users in the law enforcement, intelligence, cybersecurity and incident response communities.

What does that 'look like'?

August 22, 2014 8:52 am | by Harlan Carvey | Blogs | Comments

We've heard this question a lot, haven't we? I attended a conference about 2 1/2 years ago, and the agenda for that conference had about half a dozen or more presentations that contained "APT" in their title. I attended several of them, and I have to say ... I walked out of some of them.

Incident Response Requires Forensics and Storage

August 21, 2014 9:49 am | by William Jackson, GCN | News | Comments

Dealing with insider threats, as in dealing with any threat to your network, requires a plan for incident response. An effective response includes forensics, and forensics and storage go hand in hand. With the window of time between a compromise and its discovery widening, the amount of storage needed to accommodate data is becoming greater.

auto_rip, tr3secure_collection & DFS Updates

August 20, 2014 10:09 am | by Corey Harrell | Blogs | Comments

auto_rip is a wrapper script for Harlan Carvey's RegRipper and the script has a few updates. The script's home has always been on the RegRipper Google Code site but Google dropped support for adding new downloads. As a result, I thought it might be helpful to make newer versions available at different places since Google Code can no longer be used.

CCL to Showcase Social Media Tools for Law Enforcement at Smile Conference

August 20, 2014 8:08 am | CCL-Forensics Limited | News | Comments

CCL will be demonstrating the social media monitoring tool Signal at the UK’s first international social media law enforcement conference.

Digital Forensics Program Prepares Students to Tackle Cyber Crime

August 20, 2014 8:07 am | by Univ. of Albany | News | Comments

The new digital forensics program at the University at Albany is designed to educate and prepare students to work in a fast-growing, billion-dollar market with high, long-term projected demand for trained professionals.

Experts Raise Doubts about MonsterMind

August 18, 2014 10:23 am | by Eric Chabrow, Gov Info Security | News | Comments

Cybersecurity experts raise doubts whether the National Security Agency has successfully deployed an automated hack-back system known as MonsterMind, as revealed by former NSA contractor Edward Snowden in an interview with Wired.

When Not to 'Pull the Plug'

August 15, 2014 8:52 am | Articles | Comments

Triaging a computer can be a methodology to avoid many issues inherent with “pulling the plug.” For instance, capturing the system volatile information can very quickly provide investigators valuable information.

Where's the IR in DFIR Training?

August 13, 2014 9:12 am | by Corey Harrell | Blogs | Comments

I'm writing this post to voice a concern about trainings for incident response. I am painting this picture with a broad stroke. The picture does not apply to every $vendor nor does it apply to every training course.

To Solve Cybercrime, Some In Silicon Valley Ditch The Data

August 8, 2014 9:51 am | News | Comments

Collecting data about people has become a $1 trillion industry, but keeping this information safe is proving near impossible. So, a small group of entrepreneurs and developers are building new technologies that don't rely on data as a digital currency.

Guidance Software

EnCase 7.10

August 6, 2014 11:15 am | Guidance Software, Inc. | Product Releases | Comments

EnCase 7.10 expands on its visibility by unlocking self-encrypting drives and supporting OS X investigations with HFS+ Double Files, Quick Look Thumbnail Caches, and Keychain parsing. EnCase 7.10 simplifies analysis and reporting through a new Report Template Wizard. Not every investigation is a “dead box” investigation, and EnCase 7.10 has adapted to include EnCase Portable volatile data collection and triage capabilities at no additional cost.

Streamlining the Digital Forensic Workflow: Part 1

August 6, 2014 10:59 am | by John J. Barbara | Digital Forensics Consulting, LLC | Articles | Comments

It has now reached the point that it is no longer practical for an examiner to forensically analyze each and every piece of evidence. Depending upon the alleged crime, often the incriminating evidence can be found in an e-mail, a document, the browser history, an SMS, or some other source. This leads to the obvious conclusion that examiners are going to need a new approach to streamline their workflow.

Case Study: Chesterfield County Police Department

August 5, 2014 9:30 am | by Editor | Blogs | Comments

Many digital investigators in law enforcement work for multiple teams and agencies. Keith Vincent is no exception. In his current role in the Economic Crimes Unit of the Chesterfield County Police Department, his title is Detective.

Google Gives Police Child Pornography Evidence

August 5, 2014 7:41 am | by Conor Dougherty | News | Comments

Federal law requires people and companies to report child exploitation when they see it. This includes Google, whose automated eyes tipped law enforcement about a Houston-area man whom the police say was using the company’s Gmail service to email pornographic images of a child.
