As IT diversifies and grows increasingly complex, we can no longer afford to base our security on such outdated concepts. Discovery and response are increasingly becoming strategic focal points. We call this evolution cyber resilience.
Examining static properties of suspicious files is a good starting point for malware analysis....
Belkasoft, manufacturer of digital forensic software, becomes Guidance Software’s Partner of the...
The situation was that we had a Windows system that had been compromised ... the bad guy had accessed the system using stolen credentials, then used it to move laterally to other systems. Between this and the response activities, the system had been infected with malware that overwrites and deletes files.
Ed Primeau, a Michigan-based audio forensic expert, plays an important role analyzing sound recordings to be presented as admissible evidence in a court of law, and typically completes 40 to 50 voice identification cases each year. DFI News spoke with him to see what it takes to specialize in audio forensics.
Digital forensics examiners all confront ethical dilemmas, and in practice they are ill-prepared to resolve them. The profession has, for its part, endeavored to provide a framework within which the examiner must not only recognize, classify, and manage ethical dilemmas, but also respect boundaries and honor obligations.
It has been over six months since Edward Snowden’s unprecedented NSA leaks, and we are still a long way from being able to assess the damage. Web services companies are taking notice, and we have already seen some very useful artifacts disappear.
We begin with OJ "TheColonial" Reeves' new optimized SUB encoding module (opt_sub.rb). As the name implies, this encoder uses the x86 SUB instruction to rebuild a payload from operands made only of printable, file-path-friendly characters. Encoders like this are invaluable when developing a memory corruption exploit that triggers a file path buffer overflow, where the bytes that reach the vulnerable buffer are limited to the characters a path may contain.
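The arithmetic a SUB encoder relies on, as an added example that is not opt_sub.rb or any other Metasploit code: EAX is cleared with two AND masks whose bitwise AND is zero, then three SUB operands whose sum is the two's-complement negation of the wanted dword leave that dword in EAX, and PUSH EAX writes it to the stack. Encoding the payload last dword first rebuilds it in order. Assumptions made here: "file path friendly" means printable ASCII minus the nine characters Windows rejects in a path component, the stub uses only AND EAX,imm32 (0x25), SUB EAX,imm32 (0x2D) and PUSH EAX (0x50), whose opcode bytes all fall inside that set, and the sample payload bytes are constructed. The small emulator exists only to check the output.

```python
"""SUB-encoding a payload into path-friendly printable bytes.

Added example, not Metasploit's opt_sub.rb. Each 32-bit word of the payload
becomes a stub of AND/SUB/PUSH instructions whose every byte is printable and
legal in a Windows path; executing the stubs rebuilds the original bytes on
the stack.
"""
import struct

# Assumption: "file path friendly" = printable ASCII minus the nine characters
# Windows refuses inside a path component.
BAD_PATH_CHARS = set(b'\\/:*?"<>|')
CHARSET = [b for b in range(0x21, 0x7F) if b not in BAD_PATH_CHARS]
CHARSET_SET = set(CHARSET)

# Opcodes the decoder stub uses; '%', '-' and 'P' are all in CHARSET.
AND_EAX, SUB_EAX, PUSH_EAX = 0x25, 0x2D, 0x50


def zero_masks(charset=CHARSET):
    """Two charset-only dwords whose AND is 0, so AND EAX,m1 ; AND EAX,m2 clears EAX."""
    for p in charset:
        for q in charset:
            if p & q == 0:
                return p * 0x01010101, q * 0x01010101
    raise ValueError("charset has no byte pair with p & q == 0")


def sub_operands(target, charset=CHARSET):
    """Return (a, b, c), every byte in charset, with a + b + c == -target (mod 2**32).

    After EAX is zeroed, SUB EAX,a ; SUB EAX,b ; SUB EAX,c leaves EAX == target.
    Solved one byte at a time from the least significant end, carrying into the
    next byte position exactly as the CPU's adder does.
    """
    allowed = set(charset)
    need = (-target) & 0xFFFFFFFF
    ops = [0, 0, 0]
    carry = 0
    for i in range(4):
        want = (need >> (8 * i)) & 0xFF
        triple = None
        for x in charset:
            for y in charset:
                z = (want - x - y - carry) % 256
                if z in allowed:
                    triple = (x, y, z)
                    break
            if triple:
                break
        if triple is None:
            raise ValueError(f"byte {i}: no charset triple sums to {want:#04x} with carry {carry}")
        for k, v in enumerate(triple):
            ops[k] |= v << (8 * i)
        carry = (sum(triple) + carry) >> 8
    return tuple(ops)


def encode_dword(target):
    """One dword's stub: AND EAX,m1 ; AND EAX,m2 ; SUB EAX,a ; SUB EAX,b ; SUB EAX,c ; PUSH EAX."""
    m1, m2 = zero_masks()
    a, b, c = sub_operands(target)
    return struct.pack('<BIBIBIBIBIB',
                       AND_EAX, m1, AND_EAX, m2,
                       SUB_EAX, a, SUB_EAX, b, SUB_EAX, c,
                       PUSH_EAX)


def encode_payload(payload):
    """Encode a whole payload, last dword first, so the PUSHes rebuild it in order."""
    if len(payload) % 4:
        payload += b'\x90' * (4 - len(payload) % 4)   # NOP padding (assumption)
    dwords = struct.unpack('<%dI' % (len(payload) // 4), payload)
    return b''.join(encode_dword(d) for d in reversed(dwords))


def is_path_friendly(code):
    """True when every byte of the stub is in the allowed set."""
    return all(b in CHARSET_SET for b in code)


def emulate(code, eax=0xDEADBEEF):
    """Interpret only the three instruction forms the stub uses and return the
    bytes the PUSHes leave on the stack, lowest address first."""
    pushed = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == AND_EAX:
            eax &= struct.unpack_from('<I', code, i + 1)[0]
            i += 5
        elif op == SUB_EAX:
            eax = (eax - struct.unpack_from('<I', code, i + 1)[0]) & 0xFFFFFFFF
            i += 5
        elif op == PUSH_EAX:
            pushed.append(eax)
            i += 1
        else:
            raise ValueError(f"unexpected opcode {op:#04x} at offset {i}")
    # The stack grows down: the value pushed last sits at the lowest address.
    return b''.join(struct.pack('<I', v) for v in reversed(pushed))


if __name__ == '__main__':
    sample = b'\x31\xc0\x50\x68\x63\x61\x6c\x63\x54\x5b'   # constructed sample bytes, not a working payload
    stub = encode_payload(sample)
    assert is_path_friendly(stub) and emulate(stub).startswith(sample)
    print(stub.decode('ascii'))
```

Each dword costs 26 bytes of stub, so the encoded payload is roughly 6.5 times the original; a real encoder like opt_sub.rb also has to point ESP at the target buffer before the first PUSH, which this example leaves out.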
Magnet Forensics has released Internet Evidence Finder™ (IEF) v6.3. Key updates include enhanced tools for investigating pictures, additional support for volume shadow copies, support for an expanded range of mobile chat and social networking artifacts, and support for analysis of Kindle Fire tablets.
The Application Experience and Compatibility feature ensures that existing software keeps working across different versions of the Windows operating system. Its implementation leaves some interesting program execution artifacts that are relevant to digital forensics and incident response (DFIR).
About a month ago, I was involved in an investigation that revealed a targeted attacker using an interesting variation of a well-known persistence mechanism – a technique that is relevant both to incident responders hunting for evil and penetration testers looking to add post-exploitation methods to their toolkit. Today, I’m going to talk about this persistence mechanism and discuss some ways to go about identifying it in your environment.
Men who have seen and suffered the horrors of combat steel themselves each day for a job some find just as wrenching: fighting child sex crimes back home.
When you hear about organizations that have recently achieved ASCLD/LAB accreditation, you may not expect Wal-mart Stores, Inc. to be among them. Ken Mohr, a principal at Crime Lab Design, heard about the project Larry Depew and his company, Digital Forensics.US, LLC, were doing with Walmart's E-Discovery and Forensic Services Laboratory and wanted to learn more about the trend toward convergence of e-discovery and digital forensic services.
Source code and text comparison is an established, well-known analysis technique. A program that simply lists file A in the left window and file B in the right window and highlights every differing line, preferably in a distinct color, is often an easy way to detect copied text. Some of the more advanced utilities can also compare, merge, and synchronize whole directories as well as individual files.
Microsoft Office 2013 continues to yield very interesting artifacts related to user activity. Harlan posted recently about the "PendingChanges" subkeys associated with PowerPoint, and I have previously posted about MS Word's "Reading Locations" subkeys as well as the last saved location metadata in Excel 2013 spreadsheets.
Recently I have had cause to look again at how the Apple Safari web browser stores its cache. The introduction of OS X Lion brought a change: a new table, cfurl_cache_receiver_data, was created within the SQLite cache.db database and is used to store each cached item as a binary large object in its receiver_data field. Previously this field lived in the cfurl_cache_blob_data table.
I was interested in seeing if there were any similar artifacts available for other MS Office apps, such as PowerPoint or Excel. I exchanged a couple of emails with Jason, and ran a somewhat simple, atomic test to see what artifacts might be available.
Anyone who has done lots of port scanning over the internet will know that Nmap often identifies certain ports as filtered. In this blog post, we'll look at alternative scans that can help truly identify the state of a particular port.
When a file is deleted in Microsoft Windows, it is not removed permanently; it is moved to the Recycle Bin (unless it was deleted with Shift+Delete or from the command line, both of which bypass the bin). From the forensic point of view, the Recycle Bin is a gold mine of evidence and clues: by analyzing it we can recover deleted files together with their original paths and deletion times.
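Where that metadata lives, as an added example that is not part of the original article: since Vista each deleted file is stored under C:\$Recycle.Bin\<user SID>\ as a pair, $I<id> (original path, original size, deletion time as a FILETIME) and $R<id> (the content). The parser below handles the version 1 record (Vista through 8.1, fixed 520-byte UTF-16LE path field) and the later version 2 record (Windows 10, path length prefix). The sample records are constructed here, not taken from real evidence, and the builder exists only so the example runs offline.

```python
"""Parsing Windows Recycle Bin $I metadata records.

Added example, not from the original page. Since Vista every deleted file is
kept as a pair under C:\\$Recycle.Bin\\<user SID>\\: $I<id> holds the
metadata (original path, size, deletion time) and $R<id> holds the content.
Version 1 records (Vista through 8.1) carry a fixed 520-byte UTF-16LE path
field; version 2 (Windows 10 and later) stores the path length first.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520          # 260 UTF-16 code units (MAX_PATH)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data):
    """Return version, original size, deletion time (UTC) and original path of a $I record."""
    if len(data) < 24:
        raise ValueError("record too short for the 24-byte $I header")
    version, size, ft = struct.unpack_from('<QQQ', data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
        if len(raw) != V1_PATH_BYTES:
            raise ValueError("truncated version 1 path field")
        path = raw.decode('utf-16-le').split('\x00', 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from('<I', data, 24)   # UTF-16 units, including the terminating NUL
        raw = data[28:28 + 2 * nchars]
        if len(raw) != 2 * nchars:
            raise ValueError("truncated version 2 path field")
        path = raw.decode('utf-16-le').rstrip('\x00')
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {
        'version': version,
        'original_size': size,
        'deleted_at': filetime_to_datetime(ft),
        'original_path': path,
    }


def build_dollar_i(version, path, size, deleted_at):
    """Construct a record; used only to fabricate sample input for this example."""
    header = struct.pack('<QQQ', version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        return header + path.encode('utf-16-le').ljust(V1_PATH_BYTES, b'\x00')
    if version == 2:
        # len(path) equals the UTF-16 unit count for BMP characters, which the samples use.
        return header + struct.pack('<I', len(path) + 1) + (path + '\x00').encode('utf-16-le')
    raise ValueError(f"unsupported $I version {version}")


def content_file_for(i_name):
    """$I<id> pairs with $R<id>; the original extension is kept on both names."""
    if not i_name.startswith('$I'):
        raise ValueError(f"not a $I file name: {i_name}")
    return '$R' + i_name[2:]


# Constructed sample records (not real evidence).
SAMPLE_DELETED_AT = datetime(2014, 1, 15, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_V1 = build_dollar_i(1, r'C:\Users\alice\Documents\budget.xlsx', 48_210, SAMPLE_DELETED_AT)
SAMPLE_V2 = build_dollar_i(2, r'D:\projects\notes.txt', 1_024, SAMPLE_DELETED_AT)

if __name__ == '__main__':
    for name, rec in (('$IABC123.xlsx', SAMPLE_V1), ('$IXYZ789.txt', SAMPLE_V2)):
        info = parse_dollar_i(rec)
        print(name, '->', content_file_for(name),
              info['deleted_at'].isoformat(), info['original_size'], info['original_path'])
```

The deletion timestamp is stored in UTC, so it needs no time zone correction before being placed on a timeline; the $R file itself carries the content and keeps the original extension, which is why the pairing by <id> matters when a bin holds many entries.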
By far the most useful tool released this year is the updated Process Explorer, which now checks running processes against VirusTotal. This makes it very easy to spot malicious programs and should be a welcome addition for anyone constantly battling malware. To turn the feature on, select the "Check VirusTotal" option from the Options menu; note that it submits the hashes of process images rather than the files themselves, unless you also enable submission of unknown executables.
One of the greatest mistakes that can be made is to look at any digital evidence in isolation without properly considering all of the processes, inputs, and outputs that can impact the interpretation. Accordingly, I believe examiners should insist upon unfettered access not only to the media, but also to the court filings and related discovery.
This chapter describes common scenarios in the work of forensic document examiners (FDEs), the objects they examine, and the goals of the expertise. To calibrate their intended research projects, it is important that computer scientists know and understand the issues FDEs have to solve.
The investigative process has been anything but easy, normally requiring that organizations hire outside contractors to conduct the forensic investigation and rely on those third parties to deliver actionable evidence. Yet HR has the most to gain from the process and arguably offers the path of least resistance for an investigative event.
A Rye private investigator who has received $23,000 from the state since 2006 to do computer forensic investigations for indigent defendants pleaded guilty recently to misrepresenting some of her investigative certifications on her company’s website.
The CRU Ditto Forensic FieldStation combines special-purpose computing hardware, capable of fast analysis, with carefully selected duplication of attached hard drive data. It has all of the classic characteristics required by forensic investigators and IT personnel.
CyanLine, a New Jersey-based company dedicated to the prevention, detection, and investigation of cyber crimes, has announced that its computer forensic imaging system, FDAS, now enables "cloud-based forensics." With the addition of network capability, FDAS can transmit directly to a secure SAN (storage area network) environment, allowing investigators to collaborate on evidentiary images.
A few weeks ago I attended Shmoocon and sat in the presentation by Jake Williams and Alissa Torres regarding subverting memory forensics. As I sat through the talk I kept thinking to myself that it would be impossible to completely hide every artifact related to your activity, which Jake also stated in his presentation.
Like a rootkit, an anti-forensics tool or technique must have two critical traits to matter: (1) it must do something, and (2) it must get away with it. Satisfying the first is the easy part: you can hide a process, hide a kernel module, or, in the case of ADD, create fake decoy objects to lead investigators down the wrong path.