
Wednesday, September 8, 2010

Google Voice - Call phones - lovin' the log!

I decided to give Google Voice a try - was kind of difficult to ignore the "reminder" that popped up each time I logged into a GMail account.  Here's what I learned:
- CallerID shows the originating number coming from (760) 705-8888.
- Voice quality was good.  During my tests, I spoke with a colleague and we estimated the lag as 1 second. 
- Very easy to use.

Googling the phone number from the call display, I noted that the prank/harassing phone calls are starting already.  So, I decided to see what I could find in terms of call history on the originating (source) computer.  Like so many programs, Google Voice leaves a log, and a nicely detailed log at that!

Location/Path (copied from EnCase; user account edited for privacy):
GMail Phone\C\Users\USER\AppData\Local\Google\Google Talk Plugin\gtalkplugin-c1598929683.log.bz2


Call history is also visible from within the Google account (login required).

Inside the bz2 archive is a single log file containing a wealth of information, including:
- IP address of the computer used (including port). Also includes the NAT'ed IP address.
- Full information on the computer used, including CPU details, OS, GPU details, etc.
- Date/time stamps (GMT).
- Associated GMail address.
- List of all network adapters on the computer and their associated IP addresses.
- Reference to the address "+1XXX XXX-XXXX@voice.google.com" (XXXX - numbers from the 10 digit phone# removed for privacy).
- The log is fully timestamped and appears to contain a lot more information.
- Each call generated an individual log file within its own bz2 archive.


I found the log file quite detailed.  Activating the phone feature, making a 1-1/2 minute call and disconnecting generated a log file of approx 247 entries.  As much of the information was new, I imported the log file into Splunk on my MacBook Pro.  The log file was parsed seamlessly (with the exception of a few stray lines of left-over log entries, which appear to have been created by the use of the right square bracket).  This is the 3rd time I've used Splunk this last week - absolutely invaluable.
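For anyone who would rather triage these per-call archives with a script before loading them into Splunk, here is a small Python parser. It is an added example, not code from the post, and the line layout of the constructed sample is an assumption (the post does not show the real format); the point is that stray lines without a leading timestamp are kept and reported rather than silently dropped.

```python
import bz2
import re
from pathlib import Path

# Constructed sample of one per-call log. The line layout is assumed (the post
# does not show the real format); timestamps are GMT. The last line mimics the
# "stray" entries Splunk left unparsed because they lack a leading timestamp.
SAMPLE_LOG = b"""2010-09-08 14:02:11 INFO account=jdoe@gmail.com
2010-09-08 14:02:11 INFO local addr 192.168.1.23:54012 public addr 203.0.113.7:54012
2010-09-08 14:02:12 INFO os=Windows 7 cpu=Intel Core2 gpu=NVIDIA
2010-09-08 14:02:13 INFO call to +1555 555-0100@voice.google.com
2010-09-08 14:03:41 INFO call ended
]] continuation without timestamp
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
VOICE_RE = re.compile(r"\+1\d{3} ?\d{3}-\d{4}@voice\.google\.com")
MAIL_RE = re.compile(r"[\w.+-]+@gmail\.com")

def parse_gtalk_log(raw: bytes) -> dict:
    """Pull call artefacts out of one decompressed gtalkplugin log."""
    text = raw.decode("utf-8", errors="replace")
    out = {"first": None, "last": None, "entries": 0, "stray": [],
           "endpoints": set(), "voice": set(), "accounts": set()}
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:  # no leading timestamp: keep it, don't silently drop it
            out["stray"].append(line)
            continue
        out["entries"] += 1
        out["first"] = out["first"] or m.group(1)
        out["last"] = m.group(1)  # first/last stamps bound the call
        out["endpoints"].update(f"{ip}:{port}" for ip, port in IP_RE.findall(line))
        out["voice"].update(VOICE_RE.findall(line))
        out["accounts"].update(MAIL_RE.findall(line))
    return out

def parse_plugin_dir(plugin_dir: Path) -> list:
    """One result per call: each call sits in its own gtalkplugin-*.log.bz2."""
    results = []
    for path in sorted(plugin_dir.glob("gtalkplugin-*.log.bz2")):
        with bz2.open(path, "rb") as fh:
            results.append(parse_gtalk_log(fh.read()))
    return results

def demo() -> dict:
    """Round-trip the constructed sample through bz2, as a real archive would be."""
    return parse_gtalk_log(bz2.decompress(bz2.compress(SAMPLE_LOG)))
```

Point `parse_plugin_dir` at the exported "Google Talk Plugin" folder to get one record per call, with the first and last timestamps bounding the call.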

Definitely more to look through......

Monday, August 2, 2010

"The Missing Link" in my computer forensic training.....Network Forensics!

Over the years, I've taken several classes in computer forensics (vendor specific and neutral), information security and networks. Back in April, I realized what was missing: specific training in acquiring and analyzing network-based evidence in a methodical and reproducible manner.  Oh sure, I've used many of the current network tools, but I've always wondered if there was a better way to collect the evidence.  That's when a colleague of mine pointed out a new training course, specifically aimed at meeting this need, and perhaps completing my "Circle of Forensics".

In July 2010 I had the privilege of attending the new Network Forensics Course, Forensics 558, being offered by the SANS Institute (Washington, DC).  The instructors were Jonathan Ham (co-author of the course) and Alan Ptak, who provided outstanding training over the 5-day course.  I can tell you, it was very different from my previous training in "traditional forensics".  For over a year now, we've been preparing, training and researching various techniques for acquiring targeted data in a scenario which required us to specifically target and forensically acquire the data which will/would form our evidence (and ensure we do not miss anything, overtly or covertly).  In the day and age of TB-sized hard drives, FDE, volatile data, etc., the move to identify and target key evidentiary information is needed.  Jonathan and Alan's training not only identified key areas to focus on, but also several techniques for acquiring and analyzing this information in a more forensically-sound manner.  The course requires a "moderate" degree of Linux familiarity; the instructors' exceptional knowledge and instructional technique more than made up for it if someone was a little weak in any area.

One point worth mentioning.  While SANS appears to offer laptops on some courses, I have to say that the pre-loaded laptop provided on this course was a good move.  The SNIFT kit had been preloaded onto the laptop and for five straight days, I never heard a single complaint of "something not working", "hardware issues", "I don't have that version", etc.  The laptop had a 250GB hard drive, with VM Workstation and several pre-configured VM sessions (which were essential to the course).  If anyone from SANS reads this - good call!  The hardware (Lenovo S10-3) and software (SNIFT Kit) worked, each and every time.  (If it didn't, it was likely my fault :)

From hearing the various instructors and others speaking during the Summit and Network Forensics course, it appears that SANS has found another niche with a huge demand.  It was an expensive trip, but all in all, very well worth the high quality training.

P.S. The presentation from Chris Pogue on Sniper Forensics was awesome and coincidentally complemented the training provided by Jonathan.  If you ever get to attend this presentation by Chris, don't pass on the opportunity.

In terms of identifying information "to be sniped" from within a larger system, I see a huge need for someone to lead discussion in this area.  It will be necessary to qualify the type of investigation, the type of guest/target systems and OS, the type of forensic systems/tools available, criminal/non-criminal, etc.  The biggest problem I see is that discussions in this area focus on EITHER network/volatile-based evidence OR that normally acquired through "traditional" hard-drive forensics.  We need a discussion which includes all areas of forensics.