Computer Forensics

Incident Response Fail

September 25, 2014 8:15 am | by Kelly Jackson Higgins | Blogs | Comments

Nearly three-fourths of US Fortune 500 companies now have set up incident response plans and teams in preparation for cyberattacks, but only one-third of them consider their IR operations actually effective in the face of a data breach, according to a new study.

Police Dog Can Smell a Hidden USB Drive

September 24, 2014 10:56 am | by Kristen Schweizer, Bloomberg | News | Comments

Dogs have been trained to pick up the scent for laptops, digital cameras and those easy-to-...

Massive Viator Data Breach Hits 1.4 Million Victims

September 24, 2014 10:20 am | by Tara Seals, Infosecurity Magazine | News | Comments

Viator, a tour-booking website used by TripAdvisor and others, has just notified 1.4...

Streamlining the Digital Forensic Workflow: Part 2

September 24, 2014 8:58 am | by John J. Barbara | Articles | Comments

Often an examiner will analyze all the digital media only to determine that the probative...

Avoid Wasting Time During a Breach Investigation

September 23, 2014 10:08 am | by Rekha Shenoy, Tripwire | News | Comments

After a security incident is detected tremendous resources are spent in the forensic investigation trying to figure out what exactly happened and what data, if any, was compromised. If the forensic investigation doesn’t yield definitive results fairly quickly the organization is left with no choice but to assume the worst.

Who? What? When? Why? Where? And How?

September 23, 2014 8:22 am | by Brett Shavers | Articles | Comments

A key factor in placing any person at the scene of a crime is obtaining evidence that ties an identified suspect to that scene. The previously discussed methods of physical surveillance and obtaining records are usually the best evidence for placing a suspect at a specific place at a specific time, but because most investigations involve reacting to incidents after the fact, this may not always be possible.

String-Centered Analysis Techniques

September 23, 2014 8:18 am | by Michael Barr | Articles | Comments

A surprisingly powerful and less costly binary analysis technique, which does not require reverse engineering, is a review of the character strings contained in the executable. These strings might include, in an ATM machine, words like “Please enter your 4-digit PIN."

Legal Aspects and Tool Reliability

September 23, 2014 8:13 am | by Gary C. Kessler and Matt Fasulo | Articles | Comments

Because of the newness of network forensic activity, network examiners are often left to use existing and emerging tools that have not yet faced the challenge of being proven valid in court. In some respects, the presentation phase of a digital investigation is the most critical; regardless of what has been found, it is worthless if the information cannot be convincingly conveyed to a judge and jury.

Data Storage Issues: Part 4

September 23, 2014 6:12 am | by John J. Barbara | Digital Forensics Consulting, LLC | Articles | Comments

Future data storage needs for businesses, corporations, and governments are going to far exceed the ability of current technology to provide those storage devices. Obviously, without major technological advancements, the cost of future data storage could be unprecedented. There are, however, a number of technologies under development which may eventually be able to store vast amounts of information, far exceeding today’s devices.

Book Excerpt: Checklist: Building a Penetration Testing Lab

September 23, 2014 6:06 am | by Bruce Middleton | CRC Press/Taylor & Francis Group LLC | Articles | Comments

This checklist can help you to build a penetration testing lab. Successfully setting up your lab will require attention to detail, redundancy, and a little bit of paranoia.

Recovering Evidence from SSD Drives: Understanding TRIM, Garbage Collection, and Exclusions

September 23, 2014 5:50 am | by Yuri Gubanov and Oleg Afonin | Belkasoft | Articles | Comments

In 2012 we published an article called “Why SSD Drives Destroy Court Evidence, and What Can Be Done About It”; back then SSD self-corrosion, TRIM, and garbage collection were little known and poorly understood phenomena. In 2014, the situation looks different. We now know things about SSD drives that allow forensic specialists to obtain information from them despite the obstacles.

Using Metadata in Litigation

September 23, 2014 5:37 am | by Gary Torgersen | Articles | Comments

When it comes to metadata as part of a litigation strategy, we mostly see it used as supporting information about the data. It is unusual, but not unheard of, to see metadata used directly as evidence. That is likely to change as more people understand the role metadata can have in developing legal strategy. With proper forensic analysis, metadata can help highlight patterns, establish timelines, and point to gaps in the data.

Understanding Malware

September 23, 2014 5:30 am | by Cindy Murphy | SANS Institute | Articles | Comments

Malware is an important consideration for examiners working on traditional computer forensic cases. Malware can add complexity to a case, but in some instances, it actually can help investigators. Like any other piece of data, malware can be used as a clue within a forensic examination. 

Retrieving Obscured Files

September 19, 2014 10:00 am | Articles | Comments

One should not expect to find all user information sitting in the default folder or default location for a given type of file (e.g. Application Data or similar folder). Searching the entire hard disk is required in order to locate all unencrypted log and history files. 

Logical Forensic Imaging

September 16, 2014 4:03 pm | CRU-DataPort/WiebeTech | Product Releases | Comments

CRU has made available the Logical Imaging feature for its rugged, silent, and reliable remote/network-operable CRU WiebeTech Ditto Forensic FieldStation.

Post-detection Event Management and Recovery

September 12, 2014 10:02 am | Guidance Software, Inc. | Product Releases | Comments

Guidance Software, Inc. has announced an event management and response solution that bundles EnCase® Cybersecurity and HP ArcSight Express. The new bundled solution is designed for organizations that have invested in the ability to detect threats, but are challenged with determining which of the countless alerts being generated are meaningful, and can help to mitigate successful cyber attacks.

Moving Ever Closer to the 'Find All Evidence' Button

September 11, 2014 8:17 am | by Stuart Clarke | Nuix | Blogs | Comments

Nuix has demonstrated time and again that there are smarter ways to investigate big data. Customers use technologies such as near-duplicate analysis, shingle lists, topic modeling, text summarization and named entities as powerful shortcuts to the evidence they seek.

Forensic Subcommittee on Digital Evidence Added to NIST Committees

September 10, 2014 9:50 am | by NIST | News | Comments

Digital evidence, one of the fastest growing areas of forensic science, will now have its own subcommittee in the National Institute of Standards and Technology (NIST)-administered Organization of Scientific Area Committees (OSAC). NIST is establishing the OSAC to identify and develop national standards and guidelines for forensic science practitioners to strengthen forensic science in the United States.

Python Single Word / Proper Name Extraction

September 5, 2014 12:51 pm | by Chet Hosmer | Blogs | Comments

When examining ASCII text data during a forensic investigation, it is often useful to extract proper names and then rank those proper names by the highest number of occurrences. The Python language has built-in capabilities that will perform this extraction swiftly and easily.

What Does That Look Like, Pt II

September 5, 2014 12:42 pm | by Harlan Carvey | Blogs | Comments

In my last post, I talked about sharing what things "look like" on a system, illustrating indicators of the use of lateral movement via the 'at.exe' command. I wanted to take a moment to provide some additional insight into that post, with a view towards potentially-available indicators that did not make it into the article, simply because I felt that they didn't fit with the focus of the article.

Finding Good Cookies

September 5, 2014 12:14 pm | Articles | Comments

Over the years, cookies have been overlooked in forensic examinations. For the most part, cookies were used to show that a user account had accessed a website. Since no set structure for cookies existed, determining the content’s meaning was problematic. With the advent of Google Analytics (GA) cookies, that has changed.

Is Apple iCloud Safe?

September 4, 2014 12:10 pm | by Mathew J. Schwartz, Gov Info Security | News | Comments

Apple has blamed a "very targeted attack" for the suspected breach of numerous celebrities' iCloud accounts, which resulted in nude photographs and videos being leaked to the 4chan image board. But some security experts have taken issue with Apple's explanation for the attacks. And they contend the company's iCloud service remains vulnerable to similar exploits.

Copier Forensics in 2014: The Good, the Bad, and the Ugly

September 4, 2014 11:43 am | by Editor | Blogs | Comments

Recently, I had the opportunity to do forensic analysis on a HDD extracted from a Canon ImageRunner Advanced C5240 Multifunction Copier. After a story was broken by CBS News, back in 2010, it seemed likely that less would be available than is described in the copier forensic write-ups here and here. Nonetheless, I was hopeful.

Forced to Adapt: XSLCmd Backdoor Now on OS X

September 4, 2014 11:34 am | by James T. Bennett and Mike Scott | Blogs | Comments

FireEye Labs recently discovered a previously unknown variant of the APT backdoor XSLCmd — OSX.XSLCmd — which is designed to compromise Apple OS X systems. This backdoor shares a significant portion of its code with the Windows-based version of the XSLCmd backdoor that has been around since at least 2009.

SIEM Use Case Implementation Mind Map

September 2, 2014 12:13 pm | by Corey Harrell | Blogs | Comments

Building out an organization's security detection capability can be a daunting task. The complexity of the network, number of applications/servers/clients, the sheer number of potential threats, and the unlimited attack avenues those threats can use are only a few of the challenges. To tackle this daunting task there are different ways to build out the detection capability.

Portable NAS Server

August 26, 2014 8:59 am | Ciphertex Data Security | Product Releases | Comments

Ciphertex Data Security has introduced the CX-4K-NAS, a high-performing, portable, reliable and encrypted NAS server with up to 32TB of storage capacity and four bays.

SANS Introduces Apple, Mac and iDevice, Forensic Analysis Course

August 26, 2014 7:56 am | SANS Institute | News | Comments

To help digital forensic and incident response (DFIR) professionals take on any Apple case without hesitation, the SANS Institute has introduced the new FOR518: Mac Forensic Analysis course. This intense hands-on forensic analysis course will help Windows-based investigators broaden their analysis capabilities and achieve the confidence and knowledge needed to comfortably analyze any Mac or iOS system without hesitation.

Feeds, Feeds and More Feeds

August 25, 2014 10:37 am | by Editor | Blogs | Comments

I’ve seen some email threads on a few listserv groups talking about developing a capability to take indicators from threat feeds and automatically generating signatures that can be used in various detection technologies. I have some issues with taking this approach and thought a blog post on it may be better than replying to these threads.

Autopsy 3.1

August 25, 2014 8:35 am | Basis Technology | Product Releases | Comments

Basis Technology has released Autopsy 3.1, the latest version of its flagship open source digital forensics platform. Autopsy is a free and open source Windows-based digital forensics platform that has been built to provide an intuitive workflow for users in the law enforcement, intelligence, cybersecurity and incident response communities.
