Sunday, November 14, 2010

Windows Event Logs and F-Response

I have been looking to better define my ability to identify, preview and analyze Windows logs.  When looking at identifying key information/evidence to acquire from a target system, I found that the area of Windows Event logs was not as well defined as I would like (in terms of a defined methodology).  I set out to find a solution for analyzing Windows Event logs on remote systems, as well as over a write-protected connection (such as F-Response).  I am aware that Windows has its built-in Event Viewer; however, my experiences with this application have been less than satisfying for the purpose of forensic documentation.

Here's what I found...

Tools I used:
1.  F-Response (Tactical Edition).
2.  Windows 7 Ultimate (Examiner's machine).
3.  Windows 7 Starter Edition (Target machine).
4.  Cross-over cable.
5.  Event Log Explorer v3.3  (by FSPro Labs).

a.  I connected my Examiner laptop and the Target laptop via a cross-over cable, and allowed each laptop to auto-assign its own IP address.
b.  Started F-Response on each machine with the write-protected Subject and Examiner's dongles.  Connection established:

c.  Started Event Log Explorer on the Examiner's machine.  When the program starts, it automatically enumerated my Examiner's machine (local). 

d.  To avoid any confusion/contamination, I removed my local machine from the Computer Tree.  This leaves the column blank, ready to enumerate your remote machines, or other locally identified event log files.

e.    I saved the workspace with an identifiable name.

f.  In  Event Log Explorer, I selected   File > Open Log File > Direct  and pointed to the TARGET system that I had mounted using F-Response. 

**  The Windows Event Logs were found at \Windows\System32\winevt\Logs **

g.  I then loaded one of several different Event Log files - in this case, I loaded "system.evtx".  As with any log, I was presented with thousands of entries - 25,385 to be precise.

h.  And this is where I found Event Log Explorer to take off, in terms of features.  I am familiar with using a more robust Log Analysis tool such as Splunk, so I am aware of the importance of learning about filters.   Filtering is straight-forward, and I'd recommend it. 

And this leads to filtered results:

i.  I also used color coding to better identify my filtered Event Logs, based on any of the criteria present in the Event Log.  The coding is completely configurable.

j.  Reporting - you can export your Event Log in one of many formats including HTML, tab separated and Excel formats.

While Event Log Explorer excels at offering flexible filtering and reporting, I personally found the most useful feature to be the ability to merge logs.  When logs are merged, and then properly filtered, I found that I could create a very good timeline of a system's event logging.  In combination with tools such as RegRipper, these tools are invaluable when attempting to (in Chris Pogue's terms) conduct your "Sniper Forensics".
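The merge-and-filter step above can also be reproduced outside the GUI, which helps when the filtered timeline has to be documented or re-run later.  The following is an added example (not code from the original post, and not part of Event Log Explorer): it takes tab-separated exports of two logs, merges them into one list ordered by time, and filters on Event ID and a time window.  The column names (Time, Event, Source, Type, Description) and the US-style timestamp format are assumptions about the export layout; the sample rows are constructed.

```python
"""Merge several tab-separated event log exports into one filtered timeline.

Added example, not part of the original post or of Event Log Explorer.
Assumes each export is a TSV with a header row carrying at least the columns
Time, Event, Source, Type and Description (column names are an assumption;
adjust them to match the tool's export). Sample rows are constructed.
"""
import csv
import io
from datetime import datetime

# Constructed sample exports: one per log, as if exported with tab separation.
SYSTEM_TSV = """Time\tEvent\tSource\tType\tDescription
11/14/2010 08:01:13\t12\tKernel-General\tInformation\tThe operating system started at system time 2010-11-14T13:01:12.
11/14/2010 08:02:40\t7036\tService Control Manager\tInformation\tThe Windows Time service entered the running state.
11/14/2010 08:05:07\t41\tKernel-Power\tCritical\tThe system has rebooted without cleanly shutting down first.
"""
SECURITY_TSV = """Time\tEvent\tSource\tType\tDescription
11/14/2010 08:01:58\t4624\tMicrosoft-Windows-Security-Auditing\tAudit Success\tAn account was successfully logged on. Logon Type: 2
11/14/2010 08:03:21\t4625\tMicrosoft-Windows-Security-Auditing\tAudit Failure\tAn account failed to log on. Logon Type: 3
11/14/2010 08:04:59\t4624\tMicrosoft-Windows-Security-Auditing\tAudit Success\tAn account was successfully logged on. Logon Type: 10
"""

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"  # assumption: the export uses US-style timestamps


def load_export(name, text):
    """Parse one TSV export; tag every row with the log it came from."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        rows.append({
            "log": name,
            "time": datetime.strptime(row["Time"], TIME_FORMAT),
            "event_id": int(row["Event"]),
            "source": row["Source"],
            "type": row["Type"],
            "description": row["Description"],
        })
    return rows


def merge_timeline(exports, event_ids=None, start=None, end=None):
    """Merge exports into one list ordered by time, optionally filtered.

    event_ids: set of Event IDs to keep (None keeps all).
    start/end: inclusive datetime bounds (None for open-ended).
    """
    merged = []
    for name, text in exports.items():
        merged.extend(load_export(name, text))
    merged.sort(key=lambda r: (r["time"], r["log"]))
    return [
        r for r in merged
        if (event_ids is None or r["event_id"] in event_ids)
        and (start is None or r["time"] >= start)
        and (end is None or r["time"] <= end)
    ]


def render(timeline):
    """One line per event, in the form a report export would use."""
    return [
        f"{r['time']:%Y-%m-%d %H:%M:%S} [{r['log']}] {r['event_id']} {r['source']}: {r['description']}"
        for r in timeline
    ]


if __name__ == "__main__":
    exports = {"System": SYSTEM_TSV, "Security": SECURITY_TSV}
    # Logons, failed logons and unexpected reboots, interleaved across both logs.
    for line in render(merge_timeline(exports, event_ids={41, 4624, 4625})):
        print(line)
```

Because every row keeps the name of the log it came from, a reboot recorded in System can be read in sequence with the logons and failures recorded in Security, which is the point of merging before filtering.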

I believe that the noted programs offer a useful solution for previewing and collecting evidence from Windows Event Logs in a live-analysis situation.  My preference will always be to conduct a full analysis at the lab; in circumstances where one needs to conduct an at-scene triage, this combination of tools may assist.

ps.. I was wondering how this tool (Event Log Explorer) would work within WinFE.  I had just burned off my most recent version, so this may have to wait.  I can tell you that I tested the installation directory of Event Log Explorer by copying it to a USB drive and trying the tool on a different computer.  It worked very well; however, it prompted for my registration key (I entered the 30-day demo and continued on).

Some references on Windows Event Logs
Event Logs (TechNet)
Event Viewer  (TechNet)

Monday, October 25, 2010

Blackberry IPD files and FTK 3.2

I was curious as to FTK's ability to analyze RIM Blackberry IPD files.  I imported 7 backup files - some were "Autobackups" and others were manually created backup files.  Importing them was as simple as pointing to a live directory; you are then given the option of creating an image of the files or working from the "live files".

After the processing was complete (took about 1 minute), here's what the files looked like within FTK:

When you open up each of the IPD archives, you will note 89 different fields; some are populated with information and some are empty.  The fields which have data within them will most often produce HTML files which start with rows_0000000_0000xxx.html.  The .html report can be viewed and read quite readily in the "filtered" or "natural" mode.  There are some other formats as well.  The image below shows the database-type format in which the data appears.

An exception to the "rows_000..." format is noted below.  You will note that the directory structure indicates that the parsed data is stored within "blobs".  Each of the 89 fields had a folder titled "blob", although many did not contain any data.  In the absence of any notable file structure, I would think that this refers to Binary Large Objects (a string of binary with no associated code).  In the example below, the "Content Store" folder had several files.  Several of the files were images, which had file names blob_Data_00000xx, where xx was a number.  The numbers appeared to be incremental.  (The image was purposely blurred for privacy.)  Other files within the folder include EXIF data for the images - FTK "Properties" show that these files were created by the FTK carving process.  FTK was able to carve out images from the IPD files, although the number of images I retrieved (4) would suggest that the images were not truly "carved" from any unallocated area.  The properties of the carved images show that they were carved from "Blackberry backup files/blackberrybackup.ipd>>tables>>Content Store>>blobs>>blob_Data00000xx.>>Carved [120].jpeg" (where xx is an incremental number).  The path references a full-size photo, whereas the carved image appears to be thumbnail size.

When you open up the Case Overview tab, you'll see that many of the files have been categorized into the noted fields.

Email was nicely extracted, and displayed in traditional FTK format.  The fields appeared to parse out quite nicely.

And lastly, FTK has always been known for its indexed search capability.  The following two images reinforce the power of FTK in finding results within the compound IPD file.  I would suspect that use of the Indexing feature will make it easier to identify areas where evidentiary information may be stored, whether the information was parsed out or not.

When you compare the output with that of ABC (Amber's Blackberry Converter), FTK does not parse out nearly the amount of information available from ABC; but, it does appear to provide us a more "forensic" approach to data whereby the data can be more easily validated against the raw data.

I'm guessing that more fields will be retrievable as versions develop.  Overall, another great improvement in FTK 3.2.

Friday, October 22, 2010

Updated Windows Registry and Mac resources & Jad's Software....updated

As several sites have rightfully pointed out....Accessdata has made a huge jump ahead with their recent release of FTK Imager v3.0.  (not to mention FTK 3.2 and their most recent "Volatile tab.")   Just finished testing it today by mounting physical images and using VFC to virtually boot XP and Win7 systems.  Flawless!    While wandering around their site (actually looking for updated RSR files to add to their most recent Registry Viewer version), I stumbled across two additional documents that I believe are very worthy of a good read - or at least printing out as a permanent reference.

Registry Quick Find Chart - a very recently updated 34-page reference documenting Registry locations for the standard 5 Registry files.  The document has a few new columns in the document - one which lists what versions of Windows the reference pertains to (ie: XP, Vista or Win7) and a second column that states when the Registry reference is updated (immediately, when document opened, at logon...)    This document would also be great starting reference to initiate further research on Registry locations and extractable artifacts.  D/L it....know it....print it and keep it handy!

Mac System Artifacts - another reference document which provides 7 pages of Mac Artifact locations.  With FTK's amazing ability to parse out the Mac OS (including Plists), this document is another one to print off.  Updated in 2010.

Jad has also updated three of his applications:
Internet Evidence Finder (IEF) - updated to v3.6 to handle recent updates to Facebook Live chat.  Commercial - Cdn $49.00; Free for Law Enforcement.
FChat - updated to v1.20.    Commercial - Cdn $29.99
FJF - Facebook JPG finder - updated to v1.2.1.  Currently free for use.

Sunday, October 3, 2010

Kindle 3G Wireless Reading Device - forensically speaking

Having just acquired the new model of Kindle, I got to wondering what kind of information was stored on the device and if necessary, how would I go about accessing this information in the most forensically-sound manner possible.  Here's what I found.

1.  Using a Digital Intelligence Tableau Ultrablock USB write-blocker, I connected my forensic computer to the device through the micro-USB cable that was provided with the Kindle. 
2.  Realizing that it was necessary to power on the device, I did so.  I noted the date/time to compare this with the date/time stamps that were likely to change upon boot. 
3.  When powered on, I immediately checked to ensure the 3G/Wireless was turned off.  Select "Menu", toggle the five-way controller up to "Turn Wireless Off" and select the five-way controller (center button).  Alternatively, I could conduct the acquisition within our Faraday tent.
4.  Using FTK Imager v2.9.0.5, I identified the physical drive attributed to the Kindle.

5.  As noted, the drive recognized as "Kindle Internal Storage" with a size of 3240MB.  I noted that this differs from the stated size of the device (4GB).  Specifically, Amazon states the device has "Storage 4GB internal (approximately 3GB available for user content)."  I then acquired the physical drive as a RAW (DD) format to allow a more robust selection of analysis tools.

Here's what the partition looks like:

And contents of the "documents" directory:

6.  I made note of the filesystem and the VBR header, as shown in the following screenshot.

The filesystem is FAT32, formatted with mkdosfs - the Linux tool for creating DOS/FAT filesystems, which writes its own name into the OEM ID field of the boot sector.  From looking at the USER partition which was available, I'm asking whether the SYSTEM partition is an ARM Linux kernel (?).
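The OEM name, the sector/cluster geometry and the partition size the screenshot shows can all be read directly from the first 512 bytes of the USER partition.  The following is an added example, not code from the original post: a small parser for the FAT BIOS Parameter Block that reports the OEM string (where mkdosfs leaves its name), derives the FAT type from the cluster count the way the Microsoft FAT specification does rather than trusting the "FAT32" label, and computes the partition size in MB.  The boot sector it runs on is constructed to match the 3240 MB figure the post reports; the real Kindle image was not available here.

```python
"""Parse a FAT boot sector (VBR) and report what mkdosfs/mkfs wrote there.

Added example, not from the original post. The 512-byte boot sector below is
constructed to resemble a FAT32 user partition of the size the post reports
(3240 MB); the real Kindle image was not available here.
"""
import struct

# BIOS Parameter Block layout, offsets 0..89 of the boot sector (little-endian).
BPB_FORMAT = "<3s8sHBHBHHBHHHIIIHHIHH12sBBBI11s8s"
BPB_FIELDS = (
    "jump", "oem_name", "bytes_per_sector", "sectors_per_cluster",
    "reserved_sectors", "num_fats", "root_entries", "total_sectors_16",
    "media", "sectors_per_fat_16", "sectors_per_track", "heads",
    "hidden_sectors", "total_sectors_32", "sectors_per_fat_32", "ext_flags",
    "fs_version", "root_cluster", "fsinfo_sector", "backup_boot_sector",
    "reserved", "drive_number", "reserved1", "boot_signature", "volume_id",
    "volume_label", "fs_type",
)


def is_boot_sector(sector):
    """True if the sector carries the 0x55AA signature and a plausible BPB."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        return False
    bps = struct.unpack_from("<H", sector, 11)[0]
    spc = sector[13]
    return bps in (512, 1024, 2048, 4096) and spc != 0


def parse_vbr(sector):
    """Return a dict of BPB fields plus derived values; raise on a bad sector."""
    if not is_boot_sector(sector):
        raise ValueError("not a FAT boot sector (bad signature or geometry)")
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 0)))
    bps = bpb["bytes_per_sector"]
    total = bpb["total_sectors_16"] or bpb["total_sectors_32"]
    spf = bpb["sectors_per_fat_16"] or bpb["sectors_per_fat_32"]
    # Root directory sectors are zero on FAT32 (the root lives in the cluster chain).
    root_sectors = (bpb["root_entries"] * 32 + bps - 1) // bps
    data_sectors = total - (bpb["reserved_sectors"] + bpb["num_fats"] * spf + root_sectors)
    clusters = data_sectors // bpb["sectors_per_cluster"]
    # Microsoft's FAT spec decides the type by cluster count, not by the label.
    if clusters < 4085:
        fat_type = "FAT12"
    elif clusters < 65525:
        fat_type = "FAT16"
    else:
        fat_type = "FAT32"
    bpb.update({
        "oem_name": bpb["oem_name"].decode("ascii", "replace").rstrip("\x00 "),
        "volume_label": bpb["volume_label"].decode("ascii", "replace").rstrip(),
        "fs_type": bpb["fs_type"].decode("ascii", "replace").rstrip(),
        "total_sectors": total,
        "cluster_count": clusters,
        "fat_type": fat_type,
        "size_mb": total * bps / 1024 / 1024,
    })
    return bpb


def build_sample_vbr():
    """Constructed boot sector: 6,635,520 sectors of 512 bytes = 3240 MB.

    The OEM field holds "mkdosfs" plus a NUL, as older dosfstools wrote it
    (an assumption about the exact padding; newer releases write "mkfs.fat").
    """
    fields = (
        b"\xeb\x58\x90", b"mkdosfs\x00", 512, 8, 32, 2, 0, 0, 0xF8, 0, 63, 255,
        0, 6635520, 6480, 0, 0, 2, 1, 6, b"\x00" * 12, 0x80, 0, 0x29,
        0x1234ABCD, b"Kindle     ", b"FAT32   ",
    )
    sector = bytearray(512)
    struct.pack_into(BPB_FORMAT, sector, 0, *fields)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    info = parse_vbr(build_sample_vbr())
    for key in ("oem_name", "fat_type", "fs_type", "volume_label",
                "bytes_per_sector", "sectors_per_cluster", "total_sectors",
                "cluster_count", "size_mb"):
        print(f"{key:20} {info[key]}")
```

To run it against a real image, read the first 512 bytes at the partition's start offset (from the MBR, or sector 0 if the device presents the partition directly) and pass them to parse_vbr; the 0x55AA check and the geometry sanity check are what separate a genuine VBR from a stray sector of data.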

While admittedly, my Kindle had not been populated with a lot of user interaction, the Kindle definitely does not appear to readily give up information.  It was obvious what books and documents were on my Kindle, and what the last document I accessed was, but as far as other artifacts,  my brief analysis was not overly productive.  I have surfed the Internet, opened several websites and likely populated the device with considerable Internet History.  I could not readily locate any of this history.

Just for the heck of it, I threw Jad's Internet Evidence Finder at it - nothing.   I'm thinking that a GREP search for Internet History might have more success.  I'm also interested in running a search for my Wireless Access Point SSID and seeing what other artifacts might show up.

Other things I found:
- IMEI (3G) information on the device.
-  lots of deleted information.
- a significant number of dictionary terms (including in the unallocated space).

Eric Huber has a posting on the Kindle at A Fistful of Dongles - more great information.

More to come....perhaps I'll see how a boot CD such as Caine interacts with the device.  I'm going to continue to see what the imaged USER partition is willing to give up in terms of forensic artifacts.  ps..EnCase will also be involved.

Any thoughts or ideas are welcome.

Thursday, September 23, 2010

Caine v2.0 - Newlight released !

The newest version of Caine, a forensics live Linux distro, has been released. Some of the 20 new tools include MountManager, SSDeep, Air v2.0.0, Log2Timeline and a whole pile of scripts which are accessed from the file browser. A full list of tools is available on their site.  If you use WinTaylor, the version has been updated to v2.1. Downloading the new version as I type. For the price (Open Source), it's a "must have" for your forensic arsenal. It was less than two months ago that Caine was the only toolset I could get to recognize a significantly corrupted 500GB portable USB drive, and then carve out images, WordPerfect files, raw images, etc. Directions are available on the site for creating a USB version for a Netbook.  More to come as I try out the new features.  Download the ISO (Caine and NBCaine v2.0) here.

Wednesday, September 8, 2010

Google Voice - Call phones - lovin' the log!

I decided to give Google Voice a try - was kind of difficult to ignore the "reminder" that popped up each time I logged into a GMail account.  Here's what I learned:
- CallerID shows the originating number coming from (760) 705-8888.
- Voice quality was good.  During my tests, I spoke with a colleague and we estimated the lag as 1 second. 
- very easy to use.

Now, in Googling the phone number from the call display, I noted that the prank/harassing phone calls are starting already.  So, I decided to see what I could find in terms of call history on the originating (source) computer.  Like so many programs, Google Voice leaves a log - and a nicely detailed log at that!

Location/Path:  (Copied from EnCase-USER Acct edited for privacy)    
GMail Phone\C\Users\USER\AppData\Local\Google\Google Talk Plugin\gtalkplugin-c1598929683.log.bz2

Call History from within Google Account (required to be logged in).

Inside the bz2 archive is a single log file containing a wealth of information including:
- IP address of the computer used (including port). Also includes NAT'ed IP address.
- full information on the computer used, including CPU details, OS, GPU details, etc.
- date/time stamps (GMT)
- associated GMail address.
- list of all network adapters on computer and their associated IP addresses.
- reference to address "+1XXX" (XXXX - numbers from the 10 digit phone# removed for privacy)
- log is fully timestamped and appears to contain a lot more information.
- each call generated an individual log file within its own bz2 archive.

I found the log file quite detailed.  Activating the phone feature, making a 1-1/2 minute call and disconnecting generated approximately 247 log entries.  As much of the information was new, I imported the log file into Splunk on my MacBook Pro.  The log file was parsed seamlessly (with the exception of a few stray lines of left-over log entries, which appear to have been created by the use of the right square bracket).  This is the 3rd time I've used Splunk this last week - absolutely invaluable.
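The same artifact classes listed above (IP:port pairs, the NAT'ed public address, the GMail account, adapter names, GMT timestamps) can be pulled out of the bz2 archive with a short script, which also sidesteps the stray-line problem by attaching any line without a timestamp to the entry before it.  This is an added example, not code from the original post, and the log lines it runs on are constructed for illustration; the real gtalkplugin-*.log.bz2 layout is not reproduced here, only the kinds of artifact the post lists.

```python
"""Pull network and account artifacts out of a bz2-compressed plugin log.

Added example, not from the original post. The log lines below are constructed
for illustration; the real gtalkplugin-*.log.bz2 format is not reproduced here,
only the kinds of artifact the post lists (IP:port pairs, a GMail address,
GMT timestamps, adapter names). Lines are grouped by timestamp so that a
continuation line (e.g. one holding a stray ']') is attached to the entry
before it instead of being dropped.
"""
import bz2
import io
import re
from collections import defaultdict

# Constructed sample; not the plugin's real log format.
SAMPLE_LOG = b"""2010-09-08 14:02:11 GMT [main] plugin start, account=someone@gmail.com
2010-09-08 14:02:11 GMT [sys] os=Windows 7 cpu=Intel(R) Core(TM)2 Duo gpu=Intel 4 Series
2010-09-08 14:02:12 GMT [net] adapter Local Area Connection 192.168.1.23/24
2010-09-08 14:02:12 GMT [net] adapter VMware Network Adapter VMnet8 192.168.80.1/24
2010-09-08 14:02:13 GMT [net] local candidate 192.168.1.23:42031 mapped 203.0.113.45:42031
2010-09-08 14:02:15 GMT [call] dialing +1XXXXXXXXXX
  ]
2010-09-08 14:03:47 GMT [call] hangup duration=92s
"""

TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT ")
IP_PORT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")
IP_ONLY = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def compress_sample():
    """Stand-in for reading gtalkplugin-*.log.bz2 from the image."""
    return bz2.compress(SAMPLE_LOG)


def read_entries(compressed):
    """Decompress and join continuation lines onto the preceding timestamped entry."""
    text = bz2.decompress(compressed).decode("utf-8", "replace")
    entries = []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line.strip():
            continue
        m = TIMESTAMP.match(line)
        if m:
            entries.append([m.group(1), line[m.end():]])
        elif entries:
            entries[-1][1] += " " + line.strip()  # stray bracket, wrapped text, etc.
        else:
            entries.append(["", line.strip()])
    return [tuple(e) for e in entries]


def extract_artifacts(entries):
    """Collect the artifact classes the post lists, keyed for a report."""
    found = defaultdict(set)
    for stamp, body in entries:
        for ip, port in IP_PORT.findall(body):
            found["ip_port"].add(f"{ip}:{port}")
        for ip in IP_ONLY.findall(body):
            # Keep RFC 1918 space apart from the NAT'ed public address.
            private = ip.startswith(("10.", "192.168.")) or re.match(r"172\.(1[6-9]|2\d|3[01])\.", ip)
            found["private_ip" if private else "public_ip"].add(ip)
        found["email"].update(EMAIL.findall(body))
        if "adapter" in body:
            found["adapter"].add(body.split("adapter", 1)[1].rsplit(" ", 1)[0].strip())
        if stamp:
            found["first_seen"].add(stamp)
    report = {k: sorted(v) for k, v in found.items()}
    if "first_seen" in report:
        report["first_seen"] = report["first_seen"][0]
    return report


if __name__ == "__main__":
    for key, value in extract_artifacts(read_entries(compress_sample())).items():
        print(f"{key:12} {value}")
```

Each call produces its own archive, so the script is meant to be run once per file and the reports compared; the first_seen timestamp from each archive then lines up with the call history Google keeps in the account.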

Definitely more to look through......

Wednesday, August 18, 2010

Want to learn Python....for free?

It's been more than a few years since I took my programming classes and to be honest, it's difficult to keep a skill unless you use it often.  So I decided I'd like to take a programming class and took a close look at Python and Perl.  Has anyone tried to find a good post-secondary class in either language??  Didn't go well.

I persisted in my search and believe I've found a fantastic opportunity...and it's free!!!  You may ask "Yeah, but how good can a free class in programming really be??".  Well, I'll answer that in three letters - M.I.T.

That's right, MIT offers several courses under their MITOPENCOURSEWARE program from courses in Aeronautics and Astronautics, to Writing and Humanistic Studies.  Of course, they have several courses under the area "Electrical Engineering and Computer Science."  Take for instance, the course "Introduction to Computer Science and Programming - Course #6.00".  The course includes full video of classroom lectures,  assignments, exams, solutions - they even have transcripts of the classroom lectures.  You can also download everything so you can study offline if necessary.  Did I mention that it's free?  How about a course specifically in Python - as taught in January, 2010 - A Gentle Introduction to Programming Using Python - Course #6.189.  There are classes in Java, C++, and numerous other areas.

Their Privacy and Terms of Use and information about the Creative Commons licence can be found here.

Monday, August 2, 2010

"The Missing Link" in my computer forensic training.....Network Forensics!

Over the years, I've taken several classes in computer forensics (vendor specific and neutral), information security and networks. Back in April, I realized what was missing - specific training in acquiring and analyzing network-based evidence in a methodical and reproducible format.  Oh sure, I've used many of the current network tools, but I've always wondered if there was a better way to collect the evidence.  That's when a colleague of mine pointed out a new training course, specifically aimed at meeting this need; and perhaps completing my "Circle of Forensics".

In July, 2010 I had the privilege of attending the new Network Forensics Course - Forensics 558 being offered by the SANS Institute (Washington, DC).  The instructors were Jonathan Ham (co-author of the course) and Alan Ptak, who provided outstanding training over the 5-day course.  I can tell you, it was very different than my previous training in "traditional forensics".  For over a year now, we've been preparing, training and researching various techniques for acquiring targeted data in a scenario which required us to specifically target and forensically acquire the data which will/would form our evidence (and ensure we do not miss anything, overtly or covertly).  In the day and age of TB-sized hard drives, FDE, volatile data, etc., the move to identify and target key evidentiary information is needed.  Jonathan and Alan's training not only identified key areas to focus on, but several techniques on how to acquire and analyze this information in a more forensically-sound manner.  The course requires a "moderate" degree of Linux familiarity; the instructors' exceptional knowledge and instructional technique more than made up for it if someone was a little weak in any area.

One point worth mentioning.  While SANS appears to offer laptops on some courses, I have to say that the pre-loaded laptop provided on this course was a good move.  The SNIFT kit had been preloaded onto the laptop and for five straight days, I never heard a single complaint of "something not working", "hardware issues", "I don't have that version", etc.  The laptop had a 250GB hard drive, with VM Workstation and several pre-configured VM sessions (which were essential to the course).   If anyone from SANS reads this - good call!  The hardware (Lenovo S10-3) and software (SNIFT Kit) worked - each and every time.  (if it didn't, it was likely my fault :)

From hearing the various instructors and others speaking during the Summit and the Network Forensics course, it appears that SANS has found another niche with a huge demand.  It was an expensive trip - but all in all, very well worth the high quality training.

ps..the presentation from Chris Pogue on Sniper Forensics was awesome and coincidentally, complemented the training provided by Jonathan.  If you ever get to attend this presentation by Chris, don't pass on the opportunity.

In terms of identifying information "to be sniped" from within a larger system, I see a huge need for someone to lead discussion in this area.  It will be necessary to qualify the type of investigation, type of guest/target systems and OS, type of forensics system/tools available, criminal/non-criminal, etc.  The biggest problem I see is that discussions in this area focus on EITHER network/volatile-based evidence, or that normally acquired through "traditional" hard-drive forensics.  We need a discussion which includes all areas of forensics.

Sunday, July 11, 2010

What's next in Volume Shadow Copies...?

Having just attended a presentation by Mark McKinnon (RedWolf Computer Forensics) and Lee Whitfield (Disklabs and Forensic4cast) at the SANS What Works in Forensics and Incident Response Summit 2010, I'd like to make a few comments on the excellent presentation by Mark and Lee. 

The presentation was on Volume Shadow Copies and started with a detailed description of what is currently known about this relatively new avenue in digital forensics.  From the information presented in this 1 hr presentation, if you have not started to think about Volume Shadow Copies, you had better start paying attention in the months to come.  While the process of getting information is moderately complex, the amount of information produced by the Volume Shadow Service will eventually make this one of those tasks we must not ignore.  The presentation included a live demo of the product, and gave us an idea of just what we're missing.  While the state of the file may be dependent on the quality/existence of the previous snapshots in place, Mark and Lee have developed a tool which intends to automate the Volume Shadow Copy recovery process.  Timeline to release you ask....?  The authors indicated a few months.  They appear very committed to releasing a stable and tested product.

From their new site for Shadow Analyzer, here's a small idea of what the product can recover:
Shadow Analyser eliminates the hassle of analysing Microsoft volume shadow files. It allows a digital forensic investigator to take a disk image and, using that image:
- view the contents of the hard disk drive at a point in time
- recover deleted and erased files
- extract older versions of current files
- view historic date and time information for all files, both live and deleted
- view changes to files across days, weeks, or even months
- extract complete files from volume shadow files
The authors are putting a lot of time into the development of this tool; the sheer volume of information that they are finding within the Volume Shadow Copies seems to be a driving force and motivation behind getting this tool to the end-stages of development.  You can follow their development on Twitter as well at @ShadowAnalyzer.

Keep up the progress guys.....great presentation and even greater tool !!  Oh yeah....forgot to mention, the tool will be "tri-platform" - Win, Linux and Mac.

For more information on Volume Shadow Copies, take a look here:
Into the Shadows
Reliably recovering evidential data from Volume Shadow Copies in Windows Vista and Windows 7 (pdf)
Volume Shadow Copy Forensics - the Robocopy method Part 1
Volume Shadow Copy Forensics - the Robocopy method Part 2

More to come on the's take days to digest!

Sunday, July 4, 2010

The iPhone and Corporate Security

I have done my fair share of mobile analyses over the last 4-5 years, including logical extractions of Blackberrys and both logical and physical extractions of iPhones.  With a larger number of cellular providers carrying iPhones, I am often asked to compare the Blackberry to the iPhone within a corporate domain.

While I understand that the iPhone is constantly increasing the number of "apps" that it carries, I simply cannot find a logical reason why a corporation (which presumably does not want company information/secrets shared with the world) would opt to incorporate the iPhone into its corporate enterprise.

As recent as last week, I was reminded that many corporations will almost always opt for "availability" over "confidentiality".  While I believe that both are important, I simply do not see why a company would so severely sacrifice data integrity as to choose the iPhone over the Blackberry. 

Let's look at a few ideas with which to draw a comparison:
- the iPhone allows both a logical and a full physical extraction of its user partition.
- the iPhone password can be bypassed with a known commercial technique.
- Insofar as data, the iPhone retains vast amounts of data in a relatively easy to extract/read format.  The use of EnCase and FTK to analyze a physical iPhone partition exposes just how robust the information is.

- there are no commercial techniques to bypass the Blackberry password (yes, I know about BES pwd resets, looking for IPD backups, etc).
- Blackberry does not seem to have jumped on the "app train", pushing out new apps each day. (this is good, no?)

So I ask....beyond being the "new kid with a new toy", why are companies asking about iPhones and security?

Last time I did an iPhone analysis, I mentioned to my colleagues that we ought to be classifying the iPhone analysis the SAME as a full Mac analysis.  File structure, artifacts, geo information, Internet History, Email, ....  it may just be my .02 cents, but any company with any sense of security ought to give this a very long, hard look before seriously considering an iPhone within their corporate domain.

ps...note to Apple....why has it taken you so long to realize this.  (or have you already realized it and simply believe that pushing out "apps" for the home market would be more lucrative?  (huh?))

Tuesday, May 11, 2010

BackTrack R1 Dev Public Release is out!

I notice that the creators of BackTrack have released "BackTrack R1" version.  I didn't read much fanfare about the "unofficial build", but the improved drivers, updated kernel and other programs updated make the D/L worth a try.  It appears that many changes are geared towards addressing hardware issues.

Friday, April 30, 2010

Symantec Internet Security Threat Report (April, 2010)

Symantec has published their Internet Security Threat Report - both the Internet Security Threat Report: Volume XV: April 2010 and their Executive Summary.  Their annual report confirms many of the threat vectors we've heard about over the previous months including PDF documents, ActiveX, web-based attacks, etc.  Included is a browser comparison, and more definitive information related to hacking, phishing, spam and botnets.

I have been looking for information which can be added to a presentation that I can present to various C-Level Executives.  Realizing that the focal points of said presentation are inevitably different than those directed at mid-level managers, I found such information within this report.  For example, on Pg. 48 of the full document, there is a bar graph detailing new malicious code signatures from 2002 - 2009.  The significance is obvious when you look at the graph.  The question is, however, can we translate this trend into additional resources to enhance IT/Information Security within an organization?

Thursday, April 22, 2010

Mac OSX Forensics becomes "The Apple Examiner"

For the last few years, the Mac OSX Forensics website has been a continuing reference source for my Mac-based forensic investigations.  The website has now changed names, and moved to The Apple Examiner Website.  The site is very nicely laid out, easy to understand and contains information on the newest of Apple technology.  I see a new area on iPhone/iPad/iPod.

I've been analyzing some iPhones lately, and instead of focusing on the (logical) information parsed out by Cellebrite and XRY, I've been throwing the images into FTK and EnCase.   FTK does a very good job parsing out the PLISTS for examination.  If you're more partial to EnCase, there is a PLIST parser on the Guidance Website (created 03/2010 by Simon Key) which can be downloaded from here  (you'll likely need an account to log into the Support Portal.)  Once these PLISTS have been parsed out, you cannot imagine the information forensically available within an iPhone.  I'm doing up some screenshots of how to bring the Physical Image into FTK and EnCase to preview it (you have to change a byte).  Of course, I maintain the original, and flip the byte on a copy.

Check out Ryan and Dave's website.  If you're interested in Mac Forensics, you HAVE to bookmark this one.

Monday, April 5, 2010

MoonSols Windows Memory Toolkit

Matthieu Suiche has "made the move in a new direction" and created a new website and toolkit. His new site/company is MoonSols.

Matthieu states:

MoonSols is releasing its first product called "MoonSols Windows Memory Toolkit". MoonSols Windows Memory Toolkit is the most advanced toolkit for Windows physical memory snapshot management.

MoonSols Windows Memory Toolkit has been designed to deal with the Microsoft Windows hibernation file (from Microsoft Windows XP to Microsoft Windows 7 in both 32-bit and 64-bit (x64) Editions), Microsoft full memory crashdumps (in both 32-bit and 64-bit (x64) Editions), and raw memory dump files (from memory acquisition tools like win32dd or win64dd, or virtualization applications like VMware). Moreover, MoonSols Windows Memory Toolkit also contains a new version of win32dd and win64dd.
Two versions are available - Community (free) and Professional (cost).

Matthieu's WinDD tool has been part of our lab's Incident Response toolset for almost 2 years now. I expect that testing of his toolset will be equally as effective as WinDD.

The continued R&D and commitment of persons like Matthieu (and several others) continue to move our profession forward - almost at a rate that is difficult to keep up with :)

Saturday, March 27, 2010

Windows Memory Analysis - EnScript

I recently tried an EnCase EnScript called "Memory Forensic Toolkit". The tool is used as any EnScript is used, and runs the same processes that Volatility runs, but within the Windows EnCase environment. The download has three distinct directories for the various Windows OS versions it supports (XP, Win7 and Server 2003). From some basic testing, so far the EnScripts (13 or so for each OS version) have worked as anticipated. My tests using the EnScripts with Vista - not so good (although it does not claim to support Vista). The newest version, 1.69, was just released today.

The site, CCI: Computer Crime Investigation, is primarily in Japanese and appears to be run by Takahiro Haruyama.

Next up...comparing the EnScript results with those produced by running Volatility.

Friday, March 26, 2010

SIFT v2.0

I have been taking SIFT 2.0 for a test drive over the week and notice that the official release has been posted to the SANS Computer Forensics website. The amount of information on this release is incredible. It is quite apparent that Rob Lee has spent considerable time and thought in this update. You will need an account with SANS to be able to download.

There is also a detailed SIFT Tool Listing (download link). The document is very detailed and for those who may be new to SIFT VM appliance, the first few pages may help you get started. An example of the robustness - Volatility has over 50 plug-ins, many programs for Timeline Analysis, artifact and Registry analysis, Data Carving...and the list goes on.

What are you telling your investigators/officers?

We had some discussion over the last few weeks about the ability (or inability) of non-forensically trained investigators to assist in the collection of digital evidence at crime scenes.

As we see the field of forensics adopting a stronger move towards live acquisitions (including RAM, certain (un)scripted processes and eventually the hard drive), we are wondering what we should be tasking our investigators to do. Our unit simply cannot assist at every scene. Too many cases and far too wide a geographical area. Is pulling the plug in these circumstances still acceptable? Should we be moving to a "COFEE-type" procedure where little training is required? One significant challenge is the numerous different areas in which our officers must acquire and maintain skills (in traditional policing areas). Can we really expect them to rise to a new level??

Any comments or suggestions would be welcome.

Wednesday, March 17, 2010

Knew it was going to happen....

It finally happened. Those "old school" forensic practices caught some colleagues while seizing a Dell laptop. The old practice of pulling the plug led to the drive being inaccessible when they returned to the lab, due to a BIOS password being present. The actual hard drive was removed, but various imaging techniques did not work. That being said, RAM had been imaged and a password was located in RAM (for an email account). Luckily the password was the same and we were able to access the drive.

One more reason to hasten our move to 100% live imaging at the scene; grabbing both the RAM and the drive. One more reason to get F-Response for everyone in the office!

FYI...once we had the password, we booted the laptop (with hard drive enclosed) using Helix Pro. Using Helix, we imaged the drive to a RW-mounted wiped external USB drive. Worked like a charm.

Good guys 1 - Bad guys 0 (but just barely).