Computer Forensics

The Lead

FAA Seeks App to Preserve Digital Evidence

October 23, 2014 12:01 pm | News | Comments

To help with the collection, management, protection and preservation of digital forensic evidence, the Federal Aviation Administration is turning to industry. In an Oct. 15 posting, the FAA said it's seeking a commercial off-the-shelf application that will create a remotely accessible depository where digital media analysts can store digital forensic evidence and distribute forensic workload among investigators.

How to Collect Internet Evidence

October 22, 2014 8:00 pm | Articles | Comments

The courts have generally accepted evidence collected from the Internet as long as its...

Timeline Analysis by Categories

October 22, 2014 11:24 am | by Corey Harrell | Blogs | Comments

"Corey, at times our auditors find fraud and when they do sometimes they need help...

Canada to Deport Alleged Anonymous Hacker

October 22, 2014 10:40 am | News | Comments

Matt DeHart, an American who believes the United States is pursuing sham child-porn...

NetClean Helps UK Home Office Fight Child Abuse

October 21, 2014 6:21 am | News | Comments

NetClean has announced that it has successfully collaborated with its partners, Hubstream and L-3 ASA, to implement the first phase of the UK’s national Child Abuse Image Database (CAID). The CAID plays a key part in delivering on the UK government’s promise to create a central repository for consolidating data in cases of child sexual abuse material.

Jasper Duplicator Series

October 20, 2014 11:18 am | Addonics Technologies | Product Releases | Comments

Addonics Technologies announced the Jupiter series of drive duplicators that, unlike traditional duplicators designed for a fixed number of targets, allow you to connect multiple units together. The Jasper Duplicator offers high performance 150 MB/sec copy speed depending on the read/write speed of the source and target media.

Forensics in the Amazon Cloud

October 17, 2014 10:19 am | by Editor | Blogs | Comments

Businesses of all sizes seem to be moving at least some operations to the cloud. It’s only a matter of time before you get a phone call asking you to conduct some kind of cloud forensics and/or incident response.

Who? What? When? Why? Where? And How?

October 17, 2014 8:13 am | by Brett Shavers | Articles | Comments

A key factor in placing any person at the scene of a crime is obtaining evidence that can place an identified suspect as it relates to the scene of the crime. Previously discussed methods of physical surveillance and obtaining records are usually the best evidence of placing a suspect at a specific place and at a specific time, but as most investigations involve reacting to incidents, this may not be always possible.

Crime Scene Mistakes Can Sink a Digital Forensic Investigation

October 16, 2014 9:33 am | by Jayne Friedland Holland, GCN | News | Comments

It’s easy to see how forensics used during a cyberattack investigation are similar to those used in a physical crime scene.

Recovering Evidence from SSD Drives: Understanding TRIM, Garbage Collection, and Exclusions

October 15, 2014 8:47 am | by Yuri Gubanov and Oleg Afonin | Belkasoft | Articles | Comments

In 2012 we published an article called “Why SSD Drives Destroy Court Evidence, and What Can Be Done About It.” Back then, SSD self-corrosion, TRIM, and garbage collection were little known and poorly understood phenomena. In 2014, the situation looks different. We now know things about SSD drives that allow forensic specialists to obtain information from them despite the obstacles.

Inside the Homeland Security Investigations Computer Forensics Lab

October 10, 2014 10:57 am | by Vince Lattanzio, NBC Philadelphia | News | Comments

Nearly every case Homeland Security Investigations (HSI) opens has some sort of digital evidence to be collected and analyzed. But the work can’t be done by just anyone. The data must be meticulously cared for by agents trained to preserve the integrity of the material, who can also combat suspects’ attempts to erase their digital dealings — even from afar.

Google-ei'd ?!

October 10, 2014 10:38 am | by Editor | Blogs | Comments

Ever looked closely at a Google search URL and seen a weird "ei" parameter in there? While it doesn't seem to occur for every search, when it does, that "ei" parameter contains an encoded Unix UTC timestamp (and other things Google only knows). Interpreting this artifact can thus allow forensic analysts to date a particular search session.

String-Centered Analysis Techniques

October 10, 2014 8:27 am | by Michael Barr | Articles | Comments

A surprisingly powerful and less costly binary analysis technique, which does not require reverse engineering, is a review of the character strings contained in the executable. These strings might include, in an ATM machine, words like “Please enter your 4-digit PIN.”

Understanding Malware

October 8, 2014 9:19 am | by Cindy Murphy | SANS Institute | Articles | Comments

Malware is an important consideration for examiners working on traditional computer forensic cases. Malware can add complexity to a case, but in some instances, it actually can help investigators. Like any other piece of data, malware can be used as a clue within a forensic examination.

Embedding Incident Response into the DNA of the Organization

October 7, 2014 9:05 am | by Sean Mason | Blogs | Comments

There is a misconception that having an IR plan will suffice, and the statistics seem to indicate that having a plan is on the rise. While having a plan is great, plans are rarely more than guidelines and are not the robust set of company-specific procedures they should be, especially if you don’t have people practicing them day in and day out.

XORSearch with Shellcode Detector

September 30, 2014 10:36 am | by Editor | Blogs | Comments

This new version of XORSearch integrates Frank Boldewin’s shellcode detector. In his Hack.lu 2009 presentation, Frank explains how he detects shellcode in Microsoft Office documents by searching for byte sequences often used in shellcode.

CSIRT Request Tracker Installation Guide

September 29, 2014 10:39 am | by Corey Harrell | Blogs | Comments

In this post I'm releasing an installation guide to build a custom ticketing system to track and document security incidents. The guide contains nothing groundbreaking; just instructions on how to install and configure Request Tracker in CentOS with a PostgreSQL database and Apache web server.

Incident Response Fail

September 25, 2014 8:15 am | by Kelly Jackson Higgins | Blogs | Comments

Nearly three-fourths of US Fortune 500 companies now have set up incident response plans and teams in preparation for cyberattacks, but only one-third of them consider their IR operations actually effective in the face of a data breach, according to a new study.

Police Dog Can Smell a Hidden USB Drive

September 24, 2014 10:56 am | by Kristen Schweizer, Bloomberg | News | Comments

Dogs have been trained to pick up the scent for laptops, digital cameras and those easy-to-conceal USB drives. Devices such as these are often used to stash illegal materials like child pornography, which the FBI says is growing fast.

Massive Viator Data Breach Hits 1.4 Million Victims

September 24, 2014 10:20 am | by Tara Seals, Infosecurity Magazine | News | Comments

Viator, a tour-booking website used by TripAdvisor and others, has just notified 1.4 million customers that their data may have been compromised in a recent data breach. In all, 880,000 customers may have had their payment information compromised, while another 560,000 likely had their email address and encrypted Viator password leaked.

Streamlining the Digital Forensic Workflow: Part 2

September 24, 2014 8:58 am | by John J. Barbara | Digital Forensics Consulting, LLC | Articles | Comments

Often an examiner will analyze all the digital media only to determine that the probative data was limited to a browser’s history file, an e-mail, a document, the mobile devices’ logs, or an inappropriate graphic video or picture. Finding the critical probative data faster in a cost-effective manner while reducing or eliminating case backlogs is going to require a more efficient methodology.

Avoid Wasting Time During a Breach Investigation

September 23, 2014 10:08 am | by Rekha Shenoy, Tripwire | News | Comments

After a security incident is detected, tremendous resources are spent in the forensic investigation trying to figure out what exactly happened and what data, if any, was compromised. If the forensic investigation doesn’t yield definitive results fairly quickly, the organization is left with no choice but to assume the worst.

Legal Aspects and Tool Reliability

September 23, 2014 8:13 am | by Gary C. Kessler and Matt Fasulo | Articles | Comments

Because of the newness of network forensic activity, network examiners are often left to use existing and emerging tools that have not yet faced the challenge of being proven valid in court. In some respects, the presentation phase of a digital investigation is the most critical; regardless of what has been found, it is worthless if the information cannot be convincingly conveyed to a judge and jury.

Data Storage Issues: Part 4

September 23, 2014 6:12 am | by John J. Barbara | Digital Forensics Consulting, LLC | Articles | Comments

Future data storage needs for businesses, corporations, and governments are going to far exceed the ability of current technology to provide those storage devices. Obviously, without major technological advancements, the cost of future data storage could be unprecedented. There are, however, a number of technologies under development which may eventually be able to store vast amounts of information, far exceeding today’s devices.

Book Excerpt: Checklist: Building a Penetration Testing Lab

September 23, 2014 6:06 am | by Bruce Middleton | CRC Press/Taylor & Francis Group LLC | Articles | Comments

This checklist can help you to build a penetration testing lab. Successfully setting up your lab will require attention to detail, redundancy, and a little bit of paranoia.

Using Metadata in Litigation

September 23, 2014 5:37 am | by Andy Spore | Articles | Comments

When it comes to metadata as part of a litigation strategy, we mostly see it used as supporting information about the data. It is unusual, but not unheard of, to see metadata used directly as evidence. That is likely to change as more people understand the role metadata can have in developing legal strategy. With proper forensic analysis, metadata can help highlight patterns, establish timelines, and point to gaps in the data.

Retrieving Obscured Files

September 19, 2014 10:00 am | Articles | Comments

One should not expect to find all user information sitting in the default folder or default location for a given type of file (e.g. Application Data or similar folder). Searching the entire hard disk is required in order to locate all unencrypted log and history files.

Logical Forensic Imaging

September 16, 2014 4:03 pm | CRU-DataPort/WiebeTech | Product Releases | Comments

CRU has made available the Logical Imaging feature for its rugged, silent, and reliable remote/network operable CRU WiebeTech Ditto Forensic FieldStation.

Post-detection Event Management and Recovery

September 12, 2014 10:02 am | Guidance Software, Inc. | Product Releases | Comments

Guidance Software, Inc. has announced an event management and response solution that bundles EnCase® Cybersecurity and HP ArcSight Express. The new bundled solution is designed for organizations that have invested in the ability to detect threats, but are challenged with determining which of the countless alerts being generated are meaningful, and can help to mitigate successful cyber attacks.