Computer Forensics

Solid State/Hard Drive Differences

November 21, 2014 9:16 am | Articles | Comments

Compared with a typical hard drive, SSDs are fundamentally different in design and operation, which raises a number of difficult issues for their forensic analysis.

Growth of Digital Forensic Workflow

November 14, 2014 12:05 pm | Articles | Comments

As digital devices continue to proliferate, digital storage capacities are approximately...

PFIC 2014 - A Great Exchange of Ideas

November 13, 2014 10:16 am | by Chet Hosmer | Blogs | Comments

Once again the Paraben team has put together just the right Forensic Innovation Environment with...

Pa AG's Agents Wage Battle against Child Pornographers

November 12, 2014 10:34 am | by Brian Bowling, TribLive | News | Comments

Most stories about child pornography focus on high-profile offenders such as priests and...

The Future of Incident Response

November 12, 2014 9:19 am | by Bruce Schneier | Blogs | Comments

Security is a combination of protection, detection, and response. It's taken the industry a long time to get to this point, though. The 1990s was the era of protection. Our industry was full of products that would protect your computers and network. By 2000, we realized that detection needed to be formalized as well, and the industry was full of detection products and services. This decade is one of response.

Triage Any Alert with These Five Weird Questions!

November 6, 2014 9:58 am | by David Bianco | Blogs | Comments

There are few things more frustrating to users than using a tool which doesn't support (or may even be at odds with) their processes. Tools should be designed to support our workflows, and the more often we perform a workflow, the more important it is that our tools support it.

Triaging with Tr3Secure Script's NTFS Artifacts Only Option

November 6, 2014 9:49 am | by Corey Harrell | Blogs | Comments

The alert fired and the endpoint needs to be triaged, but what options do you have? Do you spend the time to physically track down the endpoint, remove the hard drive, image the drive, and then start your analysis? How much time and resources would be spent approaching triage in this manner?

Data Storage Issues: Part 4

November 5, 2014 8:20 am | by John J. Barbara | Digital Forensics Consulting, LLC | Articles | Comments

Future data storage needs for businesses, corporations, and governments are going to far exceed the ability of current technology to provide those storage devices. Obviously, without major technological advancements, the cost of future data storage could be unprecedented. There are, however, a number of technologies under development which may eventually be able to store vast amounts of information, far exceeding today’s devices.

Email Infidelity in a Computer Forensics Investigation

November 3, 2014 9:35 am | by Editor | Blogs | Comments

Email infidelity is a challenge for investigators resolving cyber crime cases. Forging the sender’s address, also known as email spoofing, is one of the illegitimate ways to divert an investigation.

IBM Big Data Uncovers Criminal Cyber Activity

October 30, 2014 4:27 pm | by IBM | News | Comments

IBM has developed new high-speed analysis and criminal investigation software that is designed to uncover hidden criminal threats buried deep inside massive volumes of disparate corporate data.

Tr3Secure Collection Script Updated

October 30, 2014 8:51 am | by Corey Harrell | Blogs | Comments

On my to-do list for some time has been to add support back into the Tr3Secure collection script to obtain the NTFS Change Journal ($UsnJrnl). This is a quick post about this functionality being added back to the collection script.

Hackers Hiding Data in Gmail Drafts

October 29, 2014 10:39 am | by Andy Greenberg, Wired | News | Comments

In his career-ending extramarital affair that came to light in 2012, General David Petraeus used a stealthy technique to communicate with his lover Paula Broadwell: the pair left messages for each other in the drafts folder of a shared Gmail account. Now hackers have learned the same trick.

Book Excerpt: Checklist: Building a Penetration Testing Lab

October 29, 2014 8:48 am | by Bruce Middleton | CRC Press/Taylor & Francis Group LLC | Articles | Comments

This checklist can help you to build a penetration testing lab. Successfully setting up your lab will require attention to detail, redundancy, and a little bit of paranoia.

Big Data Uncovers Cyber Crime at High Speeds

October 28, 2014 10:31 am | by IBM | News | Comments

IBM has a new high-speed analysis and criminal investigation software that is designed to uncover hidden criminal threats buried deep inside massive volumes of disparate corporate data.

FAA Seeks App to Preserve Digital Evidence

October 23, 2014 12:01 pm | News | Comments

To help with the collection, management, protection and preservation of digital forensic evidence, the Federal Aviation Administration is turning to industry. In an Oct. 15 posting, the FAA said it's seeking a commercial off-the-shelf application that will create a remotely accessible depository where digital media analysts can store digital forensic evidence and distribute forensic workload among investigators.

How to Collect Internet Evidence

October 22, 2014 8:00 pm | Articles | Comments

The courts have generally accepted evidence collected from the Internet as long as its authenticity can be established. Commonly accepted digital forensic methodologies can all be used to identify a three-pronged approach to Internet forensics.

Timeline Analysis by Categories

October 22, 2014 11:24 am | by Corey Harrell | Blogs | Comments

"Corey, at times our auditors find fraud and when they do sometimes they need help collecting and analyzing the data on the computers and network. Could you look into this digital forensic thing just in case if something comes up?" This simple request is what led me into the digital forensic and incident response field. In this post I'm highlighting how this type of organization is applied to timeline analysis leveraging Plaso.

Canada to Deport Alleged Anonymous Hacker

October 22, 2014 10:40 am | News | Comments

Matt DeHart, an American who believes the United States is pursuing sham child-porn charges against him as cover for a national security investigation, has been ordered deported from Canada. The 30-year-old faces up to 25 years in prison if convicted of child pornography charges in Tennessee.

NetClean Helps UK Home Office Fight Child Abuse

October 21, 2014 6:21 am | News | Comments

NetClean has announced that it has successfully collaborated with its partners, Hubstream and L-3 ASA, to implement the first phase of the UK’s national Child Abuse Image Database (CAID). The CAID plays a key part in delivering on the UK government’s promise to create a central repository for consolidating data in cases of child sexual abuse material.

Jasper Duplicator Series

October 20, 2014 11:18 am | Addonics Technologies | Product Releases | Comments

Addonics Technologies announced the Jupiter series of drive duplicators that, unlike traditional duplicators designed for a fixed number of targets, allow you to connect multiple units together. The Jasper Duplicator offers a high-performance 150 MB/sec copy speed, depending on the read/write speed of the source and target media.

Forensics in the Amazon Cloud

October 17, 2014 10:19 am | by Editor | Blogs | Comments

Businesses of all sizes seem to be moving at least some operations to the cloud. It’s only a matter of time before you get a phone call asking you to conduct some kind of cloud forensics and/or incident response.

Who? What? When? Why? Where? And How?

October 17, 2014 8:13 am | by Brett Shavers | Articles | Comments

A key factor in placing any person at the scene of a crime is obtaining evidence that ties an identified suspect to that scene. The previously discussed methods of physical surveillance and obtaining records are usually the best evidence for placing a suspect at a specific place and at a specific time, but since most investigations involve reacting to incidents, this may not always be possible.

Crime Scene Mistakes Can Sink a Digital Forensic Investigation

October 16, 2014 9:33 am | by Jayne Friedland Holland, GCN | News | Comments

It’s easy to see how forensics used during a cyberattack investigation are similar to those used in a physical crime scene.

Recovering Evidence from SSD Drives: Understanding TRIM, Garbage Collection, and Exclusions

October 15, 2014 8:47 am | by Yuri Gubanov and Oleg Afonin | Belkasoft | Articles | Comments

In 2012 we published an article called “Why SSD Drives Destroy Court Evidence, and What Can Be Done About It.” Back then, SSD self-corrosion, TRIM, and garbage collection were little known and poorly understood phenomena. In 2014, the situation looks different. We now know things about SSD drives that allow forensic specialists to obtain information from them despite the obstacles.

Inside the Homeland Security Investigations Computer Forensics Lab

October 10, 2014 10:57 am | by Vince Lattanzio, NBC Philadelphia | News | Comments

Nearly every case Homeland Security Investigations (HSI) opens has some sort of digital evidence to be collected and analyzed. But the work can’t be done by just anyone. The data must be meticulously cared for by agents trained to preserve the integrity of the material, who can also combat suspects’ attempts to erase their digital dealings — even from afar.

Google-ei'd ?!

October 10, 2014 10:38 am | by Editor | Blogs | Comments

Ever looked closely at a Google search URL and seen a weird "ei" parameter in there? While it doesn't seem to occur for every search, when it does, that "ei" parameter contains an encoded Unix UTC timestamp (and other things Google only knows). Interpreting this artifact can thus allow forensic analysts to date a particular search session.

String-Centered Analysis Techniques

October 10, 2014 8:27 am | by Michael Barr | Articles | Comments

A surprisingly powerful and less costly binary analysis technique, which does not require reverse engineering, is a review of the character strings contained in the executable. These strings might include, in an ATM machine, words like “Please enter your 4-digit PIN."

Understanding Malware

October 8, 2014 9:19 am | by Cindy Murphy | SANS Institute | Articles | Comments

Malware is an important consideration for examiners working on traditional computer forensic cases. Malware can add complexity to a case, but in some instances, it actually can help investigators. Like any other piece of data, malware can be used as a clue within a forensic examination.

Embedding Incident Response into the DNA of the Organization

October 7, 2014 9:05 am | by Sean Mason | Blogs | Comments

There is a misconception that having an IR plan will suffice, and the statistics seem to indicate that having a plan is on the rise. While having a plan is great, such plans are rarely more than guidelines and are not the robust set of company-specific procedures they should be, especially if you don’t have people practicing them day in and day out.
