DFI News

Computer Forensics

The Lead

Destroyed Evidence: Deleted Files

June 14, 2013 6:59 am | by Yuri Gubanov | Belkasoft | Articles | Comments

Attempts to destroy digital evidence are common. Such attempts can be more or less successful depending on the action taken, time available to destroy evidence, as well as the type of storage device (magnetic hard drive, flash memory card, or SSD drive).

Solid State Drives: Part 1

April 16, 2013 5:21 pm | by John J. Barbara | Articles | Comments

The construction and design of SSDs provide many advantages versus traditional hard drives, but...

Starting A Career in Digital Forensics: Part 1

February 8, 2013 11:36 am | by John J. Barbara | Articles | Comments

A question often asked is, “What education and training is necessary to work in digital forensics...

Mozilla Firefox Forensics: Part 4

January 23, 2013 6:50 am | Articles | Comments

Firefox (version 16.0.2) typically includes twelve SQLite databases, each of which performs a...

There are Four Lights: LNK Parsing tools

June 18, 2013 3:47 pm | by Keydet89 | Blogs | Comments

Some of the things I'm most interested in when looking at tools for parsing LNK files include completeness/correctness of output, ease of use, the ease with which I can incorporate the output into my analysis processes, etc. I know that some of these aspects may mean different things to different people ... for example, if you're not familiar with parsing shell item ID lists, how do you determine completeness/correctness?

Hardware Encryption Solution

June 18, 2013 6:19 am | Product Releases | Comments

Addonics Technologies is shipping a new family of USB hardware encryption solutions that protect sensitive data stored on hard drives, removable drives, flash media, optical media, or in the cloud with bullet proof security.

Paraben Sells Enterprise Forensics Division to CyFIR

June 17, 2013 8:36 am | News | Comments

Paraben Corporation, a leader in the digital forensics industry, announced the sale of its enterprise digital forensics platform — P2 Enterprise to CyFIR, Inc. The revolutionary new platform — CyFIR Enterprise — will be released in June 2013. CyFIR, Inc. is excited to continue the development of its P2 Enterprise Investigator product line as CyFIR Enterprise.

7 Cybersecurity, Forensics Tools to Watch

June 17, 2013 8:22 am | by Sean Doherty | Blogs | Comments

At the Computer and Enterprise Investigations Conference in Orlando, Fla., a number of vendors in computer forensics, cybersecurity, and e-discovery released new products, which make CEIC an annual event for Law Technology News to attend. Cellebrite's UFED series of mobile forensic devices got a new stand-alone application, called UFED Link Analysis.

Summation 5.0

June 17, 2013 6:54 am | AccessData Group | Product Releases | Comments

Summation 5.0 represents an enormous leap forward for the Summation product line with a free fully interoperable FTK license for renewing customers. Customers can now use the full power of FTK to forensically process and analyze data and view the processed data directly using the Summation 5.0 interface.

Hidden Source for Two Vital Pieces of Computer Evidence

June 14, 2013 8:52 am | by Jacob Goodwin | News | Comments

Sometimes, when a computer forensics expert is dissecting a suspect’s computer, the most important question to answer is this: “Am I looking at the original hard-drive, with all of its incriminating evidence, or has that drive been swapped out surreptitiously for a new drive, which will not contain the evidence that I’m hoping to find?”

Unwinding the Dead

June 12, 2013 4:58 pm | by Editor | Blogs | Comments

I have had a run of cases where significant information has been found in the iTunes backups on computers that I have looked at. If you weren't aware, owners of iPhone/iPad/iPod mobile devices can hook them up to their computers for backing-up purposes.

Reversing Basics Part 1: Understanding the C Code

June 11, 2013 4:21 pm | by Editor | Blogs | Comments

This is the first in a series of blog posts which will cover basic reversing of a very simple program written in C. The first post will walk through the simple C program and explain how it is constructed and a bit about C syntax and functions.

Sneak Preview: FOR572 on PaulDotCom

June 11, 2013 11:26 am | by Phil Hagen | Blogs | Comments

You might have noticed that we recently posted the course description for the upcoming all-new course, FOR572: Advanced Network Forensics and Analysis. FOR572 will include a lot of tcpdump and Wireshark work, but also goes beyond that, using a "big picture" approach that incorporates evidence and methods covering all kinds of network-based systems and devices.

MOVP II - 4.4 - What's in Your Mac OSX Kernel Memory?

June 10, 2013 11:19 am | by Andrew Case | Blogs | Comments

Today's post will discuss a number of plugins that can retrieve forensically interesting information from within the kernel. Keep in mind, you can also use mac_yarascan to search kernel memory with yara signatures and you can use mac_volshell as an interactive tool to print kernel data structures, display kernel memory addresses as bytes, dword, qwords, or disassemble code in kernel space.

Live Digital Forensics

June 7, 2013 7:29 am | by Matthew J. Decker, Warren G. Kruse II, Bill Long, and Greg Kelley | Articles | Comments

Myth: Actions taken by a digital forensics practitioner must not change the data held on a digital device’s storage media if such data is to be relied upon in a court of law. Reality: The Court places no such demand on the digital forensics practitioner.

To Catch a Cyber Thief

June 6, 2013 8:59 am | by Cléa Desjardins | News | Comments

When local police came calling with child porn allegations last January, former Saint John city councillor Donnie Snook fled his house clutching a laptop. It was clear that the computer contained damning data. Six months later, police have finally gathered enough evidence to land him in jail for a long time to come. With a case seemingly so cut and dry, why the lag time?

Computer Forensics Analysis Software

June 6, 2013 6:34 am | GetData | Product Releases | Comments

GetData Forensics has announced the release of its computer forensics analysis software, Forensic Explorer. With an easy to use interface and a strong forensic tool-set, Forensic Explorer offers investigators a cost effective but powerful alternative to current industry tools.

Control Panel Forensics: Evidence of Time Manipulation and More

June 5, 2013 5:00 pm | by Chad Tilbury | Blogs | Comments

The GUI control panel is a long standing feature of Microsoft Windows, facilitating granular changes to a vast collection of system features. It can be disabled via Group Policy but is largely available to most user accounts (administrative permissions are required for some changes). From a forensic perspective, we can audit control panel usage to identify a wide range of user activity.

There Are Four Lights: Shell Items

June 4, 2013 10:25 am | by Keydet89 | Blogs | Comments

There's a good bit of information available on artifacts referred to as "shellbags," but not much information, nor discussion, on the underlying data structures within shellbags ... shell items. Shell items are data structures used to identify various elements within the Windows folder hierarchy.

Becoming a Computer Forensic Examiner

May 31, 2013 10:54 am | News | Comments

Since the advent of affordable personal computers, digital devices, and later the Internet, these technologies have been used for both legal and illegal purposes, and in order to collect evidence to help prosecute some of the people engaged in the latter, a new science had to be born: digital forensics.

Forensics Investigations: Do Not Forget the Database!

May 29, 2013 2:21 pm | by Daniel Caban and Christiaan Beek | Blogs | Comments

In our investigations it is typical for us to see an attacker use an exploit to first compromise a web server, then launch further attacks against the internal network via a webshell. Looking at the scenario described, the same files were acquired from the Database server and, of course, firewall logs. The ultimate goal is to create a timeline where all actions executed by the attacker(s) are mapped in time.

Uncommon Event Log Analysis for Incident Response and Forensic Investigations

May 29, 2013 10:18 am | by Gary Golomb | Blogs | Comments

We'll examine artifacts created after a compromise, yet not directly related to the malware itself. The practice of identifying these artifacts in a formal process allows an investigator to find troves of artifacts/intelligence, even when direct access to the malware is not possible (for example, on a live system with sophisticated kernel-level malware).

Passware Kit Forensic v.12.5

May 29, 2013 7:56 am | Passware, Inc. | Product Releases | Comments

Passware Kit Forensic v.12.5 can now recognize hard disk images and containers, such as TrueCrypt, BitLocker, PGP, etc. during a computer scan. For a computer forensic professional this means that no evidence is hidden inside a volume.

Catching the Ghost: How to Discover Ephemeral Evidence through Live RAM Analysis

May 28, 2013 12:49 pm | by Oleg Afonin and Yuri Gubanov | Belkasoft | Articles | Comments

Until recently it was standard practice to approach running computers with a “pull-the-plug” attitude without recognizing the amount of evidence lost with the content of the computer’s volatile memory. Capturing and analyzing volatile data is essential for discovering important evidence. Making a RAM dump should become a standard operating procedure when acquiring digital evidence before pulling the plug and taking the hard drive out.

Training is Not Enough: A Case for Education Over Training

May 28, 2013 12:43 pm | by Tim Wedge | Articles | Comments

If we make the argument that a degree is necessary in order to be a more effective digital forensic examiner, we need to show a tangible benefit of the time and money spent, particularly when vendor training in digital forensics and forensic tool use may be had for a fraction of the cost, and an even smaller fraction of the time. The case needs to be made not only to aspiring examiners, but also to those who will ultimately hire them.

Between a Rock and a Hard Drive

May 28, 2013 12:30 pm | by Douglas Page | Articles | Comments

The means by which data can be forensically retrieved from badly damaged hard drives is being put to extreme tests in the high-profile Sandy Hook Elementary School shooting case in Newtown, CT. The shooter, Adam Lanza, removed the hard drive from his computer, then smashed it before driving to the school, where he murdered 20 first-grade children and six staff members before killing himself.

Forensic Insight into Solid State Drives

May 28, 2013 12:13 pm | by James Wiebe | CRU-DataPort/WiebeTech | Articles | Comments

SSDs are a game changer for forensic investigators, but insight into their operation can make your case. Tablet, notebook, and desktop computers are expected to have sales of about 600 million units worldwide in 2013, and a substantial portion of those will be built using Solid State Drives (SSDs).

Skype Shared .xml and the 'ContraProbeResults' Tag

May 28, 2013 11:24 am | by Hal Pomeranz | Blogs | Comments

Skype is a popular instant messaging, audio and video teleconferencing program. The Skype application data directory contains a file named shared.xml. As the extension implies, the file is XML formatted, but most of the entries are encoded. This encoding has not been documented or reversed to my knowledge.

Digital Company Thrives on Cheating Spouses and Forensics

May 28, 2013 11:08 am | by Virginia Bridges | News | Comments

Ellington Digital Forensics’ services include slipping into homes to preserve snap shots of hard drives before divorce papers are filed, recovering erased text messages on cheating spouses’ cellphones, combing through computers and serving as an expert witness in civil court.
