Archive for Forensics
Author: Dave Lewis
April 23, 2008 at 9:26 am · Filed under Forensics
I noticed this article written by Kyle Rankin over on Linux Journal. It provides an intro to computer forensics.
From Linux Journal:
A break-in can happen to any system administrator. Find out how to use Autopsy and Sleuthkit to hit the ground running on your first forensics project.
There are certain aspects to system administration that you can learn only from experience. Computer forensics (among other things the ability to piece together clues from a system to determine how an intruder broke in) can take years or even decades to master. If you have never conducted a forensics analysis on a computer, you might not even know exactly where to start. In this guide, I cover how to use the set of forensics tools in Sleuthkit with its Web front end, Autopsy, to organize your first forensics case.
An extensive read.
Article Link
Author: Dave Lewis
April 2, 2008 at 3:15 pm · Filed under Forensics
Here is a topic that seems to be heating up in the press lately. E-discovery is fast becoming an attention grabbing headline.
From GCN:
New rules for electronic data discovery during litigation, combined with the massive amount of electronic data now available in federal databases, will require closer communication between the legal and information technology departments at federal agencies and standardized processes across business units, according to panelists discussing enterprise search and e-discovery at the FOSE Conference and Exposition in Washington.
The civil rules of procedure, which went into effect Dec. 1, 2006, have “really changed the environment for the IT folks” in the last year, said Edward Meagher, deputy chief information officer at the Interior Department. “We need to start saving documents that we previously didn’t save and ensure documents are searchable and retrievable and do it very rapidly. E-mail, voice mail, instant messages, text messages — all are now in discovery [in a legal case] and so they need to be searchable,” he said. “It’s one of those issues that’s really crept up on us.”
With millions—and perhaps billions—of e-mails alone in even a single part of the federal government, searching electronic data is no small task, and the technology to do so is still a work in progress. Add to that legacy data that is no longer accessible and the relative difficulty today in searching electronic documents, combined with expectations that enterprise searches should be as easy as a Google Internet search, and compliance with e-discovery rules becomes all the more challenging.
Read on.
Article Link
ed. On a completely unrelated note…it has been a lonnnng day.
Tags: E-Discovery, Computer Forensics
Author: Dave Lewis
March 6, 2008 at 10:33 am · Filed under Forensics, Legal Aspects
Um, wow. While I can fully understand and appreciate their frustration, I see this as a legal minefield. They may want this power, but I cannot fathom how they would intend to examine systems that reside in another country unless there was a reciprocal agreement in place.
From ABC (AU):
The New South Wales Cabinet has approved new powers for police designed to help them track terrorist threats, fraudsters and paedophiles through computer networks.
The proposed laws would allow police to search computers networked to those listed on a search warrant.
Police could also seize computer hard drives and memory sticks for up to seven days.
Police Minister David Campbell says police are currently only able to search computer hardware found on a premises named in a search warrant.
He says with the changes, they will be able to go a step further and search other networked computers, regardless of where they are located.
“What we know is that there are organised crime gangs who use the internet and other forms of technology to hide their crimes,” he said.
I can see their pain point. But, I think this will open a can o’ worms.
Article Link
Author: Dave Lewis
March 5, 2008 at 10:09 am · Filed under Data Security, Forensics
Having dealt with NATO folks in the past I can safely say that they’re a hard working and dedicated bunch. I’m pleased to see that they are rolling out Guidance Software’s EnCase product across their enterprise.
From Silicon dot com:
The system provides an immediate snapshot of any intrusions and will provide forensic-level analysis across its network, which spans thousands of miles.
Nato’s Computer Incident Response Capability (NCIRC) unit has deployed a large scale cyber defence project combining intrusion detection and prevention systems, security information and event management and automated incident response.
Ian West, director of NCIRC technical centre, said this will significantly enhance Nato’s ability to counter today’s online threats and attacks.
It’s very good software and extremely powerful. EnCase does manage to take a lot of the hand cranking out of the mix when conducting an investigation.
Hell, if they’re hiring… HA!
Article Link
Tags: NATO Computer Security, EnCase, Guidance Software
Author: Dave Lewis
February 8, 2008 at 8:29 am · Filed under Forensics, Tools
From the press release:
Backbone Security, the market leader in advanced digital steganalysis tools, proudly announced their industry leading steganography application detection tool, Steganography Analyzer Artifact Scanner, passed rigorous testing by the Defense Cyber Crime Institute (DCCI) at the opening of The Computer Forensics Show today.
Developed in Backbone’s Steganography Analysis and Research Center (SARC), StegAlyzerAS is the most comprehensive and accurate steganography application detection tool available on the commercial market. Capable of detecting file and Windows registry artifacts associated with 650 steganography applications, StegAlyzerAS V3.0 is the digital forensic examiner’s tool of choice for detecting use of steganography to conceal evidence of criminal activity.
The DCCI test report states that StegAlyzerAS was able to: 1) identify the hash values of a significant number of files in the distribution libraries of a considerable number of steganography programs, 2) minimize the number of false positives by ignoring files typically associated with steganography applications but are also used in versions of the Windows operating system and popular software applications not associated with steganography, and 3) identify, with a high degree of accuracy, steganography programs that have been installed on suspect media even though only a small number of files associated with the programs currently reside on the media.
Article Link
Tags: Forensics, Computer Forensics, Stego, StegAlyzerAS
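The three findings in the DCCI report above describe one detection technique: hash every file on the suspect media, look the hashes up in a set built from the distribution libraries of known steganography applications, ignore matches on files that also ship with Windows or other common software (the false-positive control), and report an application as soon as any of its remaining artifacts, file or registry key, matches. The script below is an added illustration of that technique and is not Backbone's code; the application names, hashes, registry keys and suspect-media contents are all constructed for the example.

```python
import hashlib
from collections import defaultdict

def sha256(data: bytes) -> str:
    """Hex SHA-256 of a file's contents; the hash set below is keyed on this."""
    return hashlib.sha256(data).hexdigest()

# Constructed hash set of files shipped with hypothetical steganography
# applications: hash -> (application, file name). Not a real product database.
KNOWN_APP_FILES = {
    sha256(b"hidetool.exe build 1"): ("HideTool", "hidetool.exe"),
    sha256(b"hidetool helper library"): ("HideTool", "hthelper.dll"),
    sha256(b"generic C runtime library"): ("HideTool", "msvcr71.dll"),
    sha256(b"picstash.exe build 2"): ("PicStash", "picstash.exe"),
}

# Hashes of files that also ship with Windows or common software. A match on
# one of these says nothing about steganography, so it is ignored
# (this is the false-positive control from the report).
COMMON_FILES = {sha256(b"generic C runtime library")}

# Constructed registry artifacts: key path -> application that creates it.
KNOWN_REGISTRY_KEYS = {
    r"HKCU\Software\HideTool": "HideTool",
    r"HKCU\Software\PicStash": "PicStash",
}

def scan_media(files, registry_keys):
    """Return ({application: [(kind, artifact), ...]}, [ignored paths]).

    files: {path: bytes} representing files found on the suspect media.
    registry_keys: iterable of registry key paths recovered from the hives.
    An application is reported if at least one non-common artifact matches,
    so a partially uninstalled program is still detected.
    """
    hits = defaultdict(list)
    ignored = []
    for path, data in files.items():
        digest = sha256(data)
        if digest not in KNOWN_APP_FILES:
            continue
        app, _name = KNOWN_APP_FILES[digest]
        if digest in COMMON_FILES:
            ignored.append(path)
            continue
        hits[app].append(("file", path))
    for key in registry_keys:
        if key in KNOWN_REGISTRY_KEYS:
            hits[KNOWN_REGISTRY_KEYS[key]].append(("registry", key))
    return dict(hits), ignored

# Constructed suspect media: HideTool has been mostly uninstalled (only its
# helper DLL remains), PicStash survives only as a registry key, and the
# shared runtime DLL sits in System32 as it would on any machine.
SAMPLE_FILES = {
    r"C:\Windows\System32\msvcr71.dll": b"generic C runtime library",
    r"C:\Users\jdoe\AppData\Local\Temp\hthelper.dll": b"hidetool helper library",
    r"C:\Users\jdoe\Documents\notes.txt": b"nothing to see here",
}
SAMPLE_REGISTRY = [r"HKCU\Software\Microsoft\Windows", r"HKCU\Software\PicStash"]

if __name__ == "__main__":
    found, skipped = scan_media(SAMPLE_FILES, SAMPLE_REGISTRY)
    for app, artifacts in sorted(found.items()):
        print(app)
        for kind, artifact in artifacts:
            print(f"  {kind}: {artifact}")
    print("ignored common files:", skipped)
```

Run as-is it reports HideTool from the single leftover DLL and PicStash from its registry key alone, while the runtime DLL in System32 is listed as ignored rather than counted as evidence. A real hash set would be far larger and the allowlist would be built from a known-good reference install, but the decision logic is the same.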
Author: Dave Lewis
January 24, 2008 at 1:47 pm · Filed under Forensics
If you ask, they will build it. A little different than the quote I had in mind from Field of Dreams. Still, interesting article.
From Computer World:
Start-up Packet Analytics Corp. on Monday announced a tool for searching aggregated log data to analyze traffic activity between IP-based host computers.
Net/FSE, which stands for Network Forensic Search Engine, is Linux-based server software that provides a Web interface for network managers to easily see an analytical profile of host-to-host activity based on NetFlow router data as well as log information related to the organization’s firewall, intrusion-detection systems and security information management.
The Net/FSE tool was developed at Los Alamos National Laboratory by Packet Analysis co-founders Ben Uphoff and Paul Criscuolo, both former technical staff members at the lab.
“If an enterprise already has centralized logging, we can start directly searching that, and we can also act as the data-aggregation point,” said Uphoff, vice president of research, about Net/FSE.
Read on.
Article Link
Tags: FBI, Network Forensics
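The core of what the excerpt describes is simple to sketch: take records from more than one log source, normalise them to a common shape, and collapse them into a per-host-pair profile that an analyst can search by IP. The script below is an added example of that aggregation and is not Packet Analytics' code; the NetFlow CSV and firewall syslog lines are constructed, and the field layout of the firewall lines (SRC=, DST=, DPT=, ACTION=) is assumed for the example rather than taken from any particular product.

```python
import re

# Constructed sample data, not output of any real collector.
# NetFlow-style export flattened to CSV: timestamp,src,dst,dport,proto,bytes
NETFLOW_LINES = [
    "2008-01-21T10:00:01,10.1.1.5,192.0.2.10,443,tcp,5120",
    "2008-01-21T10:00:03,10.1.1.5,192.0.2.10,443,tcp,2048",
    "2008-01-21T10:00:07,10.1.1.9,198.51.100.7,22,tcp,900",
]
# Firewall syslog lines in an assumed key=value layout (constructed).
FIREWALL_LINES = [
    "Jan 21 10:00:02 fw1 kernel: IN=eth0 OUT=eth1 SRC=10.1.1.5 DST=192.0.2.10 PROTO=TCP DPT=443 ACTION=ACCEPT",
    "Jan 21 10:00:09 fw1 kernel: IN=eth0 OUT=eth1 SRC=10.1.1.9 DST=198.51.100.7 PROTO=TCP DPT=3389 ACTION=DENY",
    "Jan 21 10:00:11 fw1 kernel: malformed line with no addresses",
]

FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+) ACTION=(\S+)")

def parse_netflow(line):
    """One NetFlow CSV line -> common record. Flow exports carry byte counts."""
    _ts, src, dst, dport, proto, nbytes = line.split(",")
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto.lower(),
            "bytes": int(nbytes), "denied": False, "source": "netflow"}

def parse_firewall(line):
    """One firewall line -> common record, or None when it has no connection fields."""
    m = FW_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport, action = m.groups()
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto.lower(),
            "bytes": 0, "denied": action.upper() == "DENY", "source": "firewall"}

def load_records(netflow_lines=NETFLOW_LINES, firewall_lines=FIREWALL_LINES):
    """Merge both sources into one list, dropping unparseable firewall lines."""
    records = [parse_netflow(line) for line in netflow_lines]
    records += [r for r in (parse_firewall(line) for line in firewall_lines) if r]
    return records

def aggregate(records):
    """Collapse records into one profile per (src, dst) host pair."""
    profile = {}
    for r in records:
        key = (r["src"], r["dst"])
        p = profile.setdefault(key, {"flows": 0, "bytes": 0, "ports": set(),
                                     "denied": 0, "sources": set()})
        p["flows"] += 1
        p["bytes"] += r["bytes"]
        p["ports"].add(f'{r["proto"]}/{r["dport"]}')
        p["denied"] += int(r["denied"])
        p["sources"].add(r["source"])
    return profile

def search(profile, host):
    """All host pairs that involve `host` as source or destination, busiest first."""
    matches = [(pair, stats) for pair, stats in profile.items() if host in pair]
    return sorted(matches, key=lambda item: item[1]["flows"], reverse=True)

if __name__ == "__main__":
    prof = aggregate(load_records())
    for (src, dst), stats in search(prof, "10.1.1.9"):
        print(f"{src} -> {dst}: {stats['flows']} flows, {stats['bytes']} bytes, "
              f"ports {sorted(stats['ports'])}, {stats['denied']} denied, "
              f"seen in {sorted(stats['sources'])}")
```

The value of keeping the per-source tag in the profile is that a pair seen in both NetFlow and the firewall log corroborates itself, while a pair that appears only as firewall denies with no matching flow is a different kind of finding (blocked attempts rather than an established conversation).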
Author: Dave Lewis
January 15, 2008 at 7:46 am · Filed under Apple, Forensics
One of the pain in the butt aspects of conducting computer forensic investigations is running into the one-offs and stranger OS platforms. One of the new kids to hit the scene, iPhone, presents an interesting wrinkle. What to do if there is a need to conduct a forensic investigation on one of these iconic devices? The operating system for the iPhone is a closed version of Mac OS X. So, what are folks in the business saying?
From Wired:
But not every forensics expert is convinced. “The iPhone is evil,” says Amber Schroader, CEO of Utah-based Paraben, a leader in digital-forensics software development. “It’s Mac OS X, and it’s a completely closed system.”
In other words, it’s not easy for a forensics team to guarantee that the data extracted from an iPhone has not been tampered with. The result is that juries may find reasonable doubt in how that data was extracted.
Hmm, so how does one retrieve the data without altering it in the process? A quick search of the portal at Guidance Software, the makers of forensic software EnCase, revealed no hits.
Today at MacWorldExpo, data recovery firm DriveSavers will reveal their service offering for recovering data from iPhones. Apparently, according to their press release, they have managed to accomplish this task, but there was no word yet on exactly how they managed it. “Will it stand up in court” is the real test. I guess we have to stay tuned.
Tags: EnCase, Computer Forensics, iPhone Forensics, iPhone Recovery, DriveSavers
Author: Dave Lewis
January 15, 2008 at 7:27 am · Filed under Conventions, Forensics
Guidance announced yesterday it will be leading a seminar on how to manage the complex, large-scale intrusion investigations at the U.S. Department of Defense Cyber Crime Conference 2008. Guidance Software’s seminar will be held on Thursday, January 17, 2008 at the Renaissance Grand Hotel in St. Louis, Missouri for those of you who may be interested.
The presentation entitled, “Large Scale Incident Response Best Practices and Case Study Analysis,” will cover a range of topics such as malware analysis, tips for assembling an effective team during an investigation and identifying and containing affected machines. It will be led by Jim Butterworth, Guidance Software’s Director of Incident Response and Federal Services, who has more than 14 years of hands-on experience in computer network security and has dedicated 20 years of distinguished and highly decorated service to the U.S. Navy.
Being a long-time EnCase user I can safely say that this will be a good preso. I have been fortunate enough to attend several EnCase training sessions at their Pasadena office and I was quite pleased with them.
Site Link
Tags: Guidance Software, EnCase, Incident Response
Author: Dave Lewis
January 8, 2008 at 8:01 am · Filed under Forensics
Computer forensics looks like it is getting a little harder to perform in the US.
From Baseline Magazine:
The Internet is boundless and cybercrime scenes stretch from personal desktops across the fiber networks that circle the globe. Digital forensic investigators like Harold Phipps, vice president of industry relations at Norcross Group in Norcross, Ga., routinely slip across conventional geographic jurisdictions in pursuit of digital evidence and wrongdoers.
Lawmakers across the Savannah River in Columbia, S.C., have different ideas, however. Under pending legislation in South Carolina, digital forensic evidence gathered for use in a court in that state must be collected by a person with a PI license or through a PI licensed agency.
My initial reaction was “wtf”, but that subsided when I realized the real underlying problem here has little to do with computer forensics. This is a case of a cash grab from a fast-growing market segment. Other states that are flirting with the idea of cashing in are New York, Nevada, North Carolina, Texas, Virginia and Washington. The idea that only a registered private investigator has the ability to collect evidence or testify is nonsense.
With much of today’s evidence lingering on computers and handhelds, PIs see this as a lucrative field to pursue, even if they lack the requisite experience, contend digital forensic experts like John Mellon, founder of the International Society of Forensic Computer Examiners (ISFCE) based in Brentwood, Tenn.
I’m wondering which lawmaker the PIs have black & white photos of?
Article Link
Tags: Computer Forensics, Data Forensics, EnCase, Private Eye, PI
Author: Myrcurial
November 27, 2007 at 10:49 am · Filed under Education, Forensics, Hardware, Intrusion Detection, Tools
Ok everyone, here’s your chance to comment, make yourself heard, voice an opinion, tell me I don’t know what the heck I’m talking about.
The question:
Using as little money as possible, assemble a list of tools (software, hardware, wetware or other) which would serve the needs of a CSIRT in time of crisis.
Let’s call the time limit for responses Thursday, November 29th 2007 at 19:00 EST. At that point, I’ll summarize and wrap up.
For my picks, please see comments below.
Tags: open loops, challenge, CSIRT, toolkit, hardware, software, wetware