Monday, August 31, 2009

"Click" kiddies

I was doing an assessment today and thought to myself: outside of using our traditional commercial forensic software, what steps has this employee taken to understand the "why" and "how" of what the software does?

Have we become too reliant on software that does "what it is supposed to do", or are you routinely validating the software to ensure its accuracy? It seems to me that the course materials being taught in the SANS Forensic tracks do just that - teach us how to use more of a "grassroots-type" forensics whereby we are able to better validate our results.

My conclusion - we need a little bit of both. The commercial software is polished and quite frankly, I don't know if we could keep up without it. That being said, as a Forensic Analyst I believe it is important for us to "question the obvious", "test our theories" and quite frankly, do what we can to disprove our assumptions. Back to basics - when we can answer the 5 "W's" and "how", perhaps we can truly be confident of the integrity of our results.

Saturday, August 29, 2009

Internet Evidence Finder - IEF

Trying a tool from JadSoftware which can be run against a physical drive, a logically mounted drive (PDE, Mount Image Pro) or a single file (such as imaged memory, a pagefile or a hiberfil). Tool now extracts:
  • Facebook Chat
  • Yahoo Messenger Chat
  • Live Messenger Chat
  • GoogleChat
  • Yahoo Mail Chat
  • Facebook Page Fragments
  • Limewire Search History
  • GMail fragments

Output is placed into folders that are created for each type of evidence being searched for. From initial testing, it appears to work quite nicely and has even pulled chat that EnCase EnScripts have missed. The program references the physical sector where the chat fragments, etc. are located, allowing for manual verification.
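To show what that sector reference buys you when validating a carver's output, here is an added example (my own illustration, not IEF's code or its real signatures): a minimal carver that scans a raw byte image for a start marker, groups hits by evidence type, and records the byte offset, 512-byte sector number and in-sector offset for each hit. A second function re-reads only the referenced sector and confirms the marker is there, which is the same manual check you would do in a hex viewer against the tool's report. The "example_chat" signature and the disk image are constructed for this example; when the input is a single file (a pagefile or hiberfil) the "sector" is relative to the start of that file, not the physical disk.

```python
SECTOR_SIZE = 512

# Constructed, hypothetical signature table (evidence type -> start marker).
# These are NOT IEF's real signatures; they only drive this example.
SIGNATURES = {
    "example_chat": b'{"msg":"',
}

# Constructed sample "disk image": filler bytes with two planted chat-like fragments.
# Fragment 1 starts at byte 700 (sector 1, in-sector offset 188);
# fragment 2 starts at byte 700 + 31 + 1500 = 2231 (sector 4, in-sector offset 183).
CONSTRUCTED_IMAGE = (
    b"\x00" * 700
    + b'{"msg":"hello from chat","t":1}'
    + b"\xff" * 1500
    + b'{"msg":"second fragment","t":2}'
    + b"\x00" * 300
)


def carve(image, signatures=SIGNATURES, sector_size=SECTOR_SIZE, max_len=256):
    """Scan a raw byte image for each signature.

    Returns {evidence_type: [hit, ...]} where every hit carries the absolute byte
    offset, the sector it falls in, the offset within that sector and the carved
    fragment (cut at the next closing brace or at max_len bytes).
    """
    hits = {name: [] for name in signatures}
    for name, marker in signatures.items():
        pos = image.find(marker)
        while pos != -1:
            end = image.find(b"}", pos)
            end = pos + max_len if end == -1 else end + 1
            hits[name].append({
                "offset": pos,
                "sector": pos // sector_size,
                "sector_offset": pos % sector_size,
                "fragment": image[pos:end],
            })
            pos = image.find(marker, pos + len(marker))
    return hits


def verify_hit(image, hit, marker, sector_size=SECTOR_SIZE):
    """Manual-verification step: read only the referenced sector from the image
    and check that the marker really sits at the reported in-sector offset."""
    start = hit["sector"] * sector_size
    sector = image[start:start + sector_size]
    at = hit["sector_offset"]
    return sector[at:at + len(marker)] == marker


def report(image=CONSTRUCTED_IMAGE, signatures=SIGNATURES):
    """Print one line per hit, mirroring a per-evidence-type folder layout,
    and return the number of hits that passed sector verification."""
    verified = 0
    for name, found in carve(image, signatures).items():
        print(f"[{name}/]  {len(found)} hit(s)")
        for hit in found:
            ok = verify_hit(image, hit, signatures[name])
            verified += ok
            print(f"  offset={hit['offset']:>8}  sector={hit['sector']:>6}"
                  f"  +{hit['sector_offset']:<4} verified={ok}  {hit['fragment']!r}")
    return verified


if __name__ == "__main__":
    report()
```

Running the file prints both planted fragments with their sector coordinates; the sector numbers are what you would dial into a hex viewer (or EnCase's disk view) to confirm the carver's claim without trusting it. The same structure carries over to a real image: open it with `open(path, "rb")` and scan it in overlapping chunks rather than reading the whole drive into memory.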

v2.0.1 now released. Price: Free.

Update August 31st, 2009
And v2.0.2 was released today to correct the accuracy of a LimeWire Keyword Search.