Computer Forensics | Cell Phone Forensics

A brief overview of current topics in digital forensics and related subjects

Uses of Computer Forensics

Posted on | November 6, 2011 | No Comments

There are many practical uses of computer forensics.  The recovery of data that can aid in a criminal or civil investigation is one such use.  Computer forensics can also be used to reconstruct how and when a computer was used, or how a virus was able to infiltrate a network.

Evidence can be extracted from many different sources

Document access time can be important in cases involving intellectual property.  For example, when an employee moves from one company to another, they are often faced with the temptation to take some important data with them.  Depending on the type of file and the file system in use, metadata such as date created, date last accessed, and date last modified can be used to determine if and when a file was accessed.  Of course, a computer forensics expert is needed in many of these cases to determine whether the file was accessed by a user or by some system process (such as an anti-virus scan or a disk defragmentation operation).
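As an added illustration of the user-versus-system-process question above (this is example code written for this page, not anything from the original post), the script below runs two simple checks over a constructed file timeline: a creation time later than the last-modified time, which shows a file was written onto the volume after its content was last edited elsewhere, and a burst of many files accessed within seconds of each other, which is the footprint of an automated process rather than a person opening documents. All paths, timestamps and the departure date are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample (hypothetical paths and times) in the form an examiner might
# export from a filesystem timeline: (path, created, last modified, last accessed).
SAMPLE_FILES = [
    ("C:/Users/jdoe/Documents/clients.xlsx", "2011-03-02T09:14:00", "2011-09-20T16:41:00", "2011-10-28T23:12:07"),
    ("C:/Users/jdoe/Documents/roadmap.pptx", "2011-05-11T11:03:00", "2011-08-30T10:05:00", "2011-10-28T23:12:09"),
    ("C:/Users/jdoe/Documents/pricing.docx", "2011-01-19T08:30:00", "2011-06-14T15:22:00", "2011-10-28T23:12:11"),
    ("C:/Users/jdoe/Documents/notes.txt",    "2011-02-01T12:00:00", "2011-02-01T12:00:00", "2011-10-28T23:12:13"),
    ("C:/Users/jdoe/Documents/contract.pdf", "2010-12-03T14:10:00", "2010-12-03T14:10:00", "2011-10-31T14:47:52"),
    ("E:/backup/old.txt",                    "2011-10-20T18:02:40", "2011-04-02T09:00:00", "2011-10-20T18:02:40"),
]

def _t(s):
    return datetime.fromisoformat(s)

def cluster_by_access(files, gap=timedelta(seconds=5)):
    """Sort by access time and group records whose access time is within `gap` of the
    previous one.  A long run of near-simultaneous accesses is the signature of an
    automated process touching every file in a directory, not of a person opening
    documents one at a time."""
    ordered = sorted(files, key=lambda rec: _t(rec[3]))
    clusters = [[ordered[0]]]
    for rec in ordered[1:]:
        if _t(rec[3]) - _t(clusters[-1][-1][3]) <= gap:
            clusters[-1].append(rec)
        else:
            clusters.append([rec])
    return clusters

def analyze(files, departure_iso, gap=timedelta(seconds=5), bulk_threshold=3):
    """Return {path: [notes]} for the timestamp patterns an examiner would look at.
    Only accesses on or after the employee's departure date are reported."""
    departure = _t(departure_iso)
    notes = {rec[0]: [] for rec in files}
    for path, created, modified, _ in files:
        # Creation later than last modification: the file was copied or moved onto this
        # volume after its content was last edited somewhere else.
        if _t(created) > _t(modified):
            notes[path].append("created after last modified: copied onto this volume on " + created)
    for cluster in cluster_by_access(files, gap):
        if len(cluster) >= bulk_threshold:
            label = "bulk access burst: likely automated (AV scan, indexer, defrag)"
        else:
            label = "isolated access: consistent with a user opening the file"
        for path, _, _, accessed in cluster:
            if _t(accessed) >= departure:
                notes[path].append(label + " at " + accessed)
    return notes

if __name__ == "__main__":
    for path, found in analyze(SAMPLE_FILES, "2011-10-15T00:00:00").items():
        for note in found:
            print(path, "->", note)
```

One caveat a practitioner would add: the access-time heuristic only works on volumes that still update last-access times at all. NTFS has had last-access updating disabled by default since Windows Vista, and Linux mounts with `relatime` update it only occasionally, so an absent or stale access time is not evidence that a file went untouched.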

Internet history can also prove useful during the course of an investigation.  Modern web browsers keep history files, saved passwords, and other valuable information.  In fact, the browser cookie could be called a form of computer forensics in its own right, since it lets web sites track what you are searching for and which websites you are visiting.  This information is often used to direct users to relevant ads and products, and internet marketers use it to build finely-tuned customer demographics.
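To show what pulling browser history actually involves, here is an added example (not code from the original post) that builds a merged visit timeline from the two most common history stores. It assumes simplified versions of Chrome's `History` database (tables `urls` and `visits`) and Firefox's `places.sqlite` (tables `moz_places` and `moz_historyvisits`), constructed in memory with a handful of made-up visits. The part worth learning is the timestamp handling: Chrome stores microseconds since 1601-01-01, Firefox stores microseconds since the Unix epoch, and getting either wrong shifts every event by centuries or by a factor of a million.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Epochs used by the two history stores: Chrome counts microseconds from 1601-01-01,
# Firefox (PRTime) counts microseconds from the Unix epoch.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def _us_since(epoch, dt):
    # Integer arithmetic on purpose: float seconds lose precision at 1e16 microseconds.
    d = dt - epoch
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds

def chrome_to_datetime(us):
    return CHROME_EPOCH + timedelta(microseconds=us)

def firefox_to_datetime(us):
    return UNIX_EPOCH + timedelta(microseconds=us)

def datetime_to_chrome(dt):
    return _us_since(CHROME_EPOCH, dt)

def datetime_to_firefox(dt):
    return _us_since(UNIX_EPOCH, dt)

def build_sample_history():
    """Constructed stand-ins for Chrome 'History' and Firefox 'places.sqlite'.
    The schemas are simplified to the columns the timeline needs; the visits are made up."""
    chrome = sqlite3.connect(":memory:")
    chrome.executescript("""
        CREATE TABLE urls   (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    chrome.executemany("INSERT INTO urls VALUES (?, ?, ?)", [
        (1, "https://example.com/search?q=forensics", "forensics - Search"),
        (2, "https://mail.example.net/login", "Sign in"),
    ])
    chrome.executemany("INSERT INTO visits VALUES (?, ?, ?)", [
        (1, 1, datetime_to_chrome(datetime(2011, 11, 1, 12, 0, tzinfo=timezone.utc))),
        (2, 2, datetime_to_chrome(datetime(2011, 11, 1, 12, 5, tzinfo=timezone.utc))),
    ])
    firefox = sqlite3.connect(":memory:")
    firefox.executescript("""
        CREATE TABLE moz_places        (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
    """)
    firefox.execute("INSERT INTO moz_places VALUES (?, ?, ?)",
                    (1, "https://example.org/jobs", "Careers"))
    firefox.execute("INSERT INTO moz_historyvisits VALUES (?, ?, ?)",
                    (1, 1, datetime_to_firefox(datetime(2011, 11, 1, 11, 58, tzinfo=timezone.utc))))
    return chrome, firefox

def chrome_visits(db):
    rows = db.execute("SELECT v.visit_time, u.url, u.title FROM visits v JOIN urls u ON u.id = v.url")
    return [(chrome_to_datetime(t), url, title, "chrome") for t, url, title in rows]

def firefox_visits(db):
    rows = db.execute("SELECT h.visit_date, p.url, p.title "
                      "FROM moz_historyvisits h JOIN moz_places p ON p.id = h.place_id")
    return [(firefox_to_datetime(t), url, title, "firefox") for t, url, title in rows]

def merged_timeline(chrome, firefox):
    """One chronological list of (utc datetime, url, title, browser) across both browsers."""
    return sorted(chrome_visits(chrome) + firefox_visits(firefox), key=lambda e: e[0])

if __name__ == "__main__":
    for when, url, title, browser in merged_timeline(*build_sample_history()):
        print(when.isoformat(), browser, url, title)
```

On a real system the same two query functions run against copies of the profile databases (never the live files, which the browser keeps locked and which a write would alter); only `build_sample_history` is specific to this demonstration.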

Often neglected until recently is the value of the forensic information that can be stored in smartphones.  Modern smartphones not only keep call logs, but can also store text messages, credentials to internet services, internet history, and even location information (such as GPS coordinates, or the location of WiFi hotspots near you).  Some modern smartphones use this location information to display ads, but the impact on forensic investigations is also enormous.  This info can often be extracted by a digital forensics pro, or with a device like Cellebrite’s UFED.

There are more uses of computer forensics, but these are some basic ideas that can get you started.  If you have any other uses, be sure to leave them in the comments!

Cellebrite UFED and Cell Phone Forensics

Posted on | September 26, 2011 | No Comments

Got a chance to play with Cellebrite’s UFED device recently.  This device is commonly used by law enforcement to quickly collect data from many modern smartphones.  Much of the appeal of the UFED is that it can collect data from a wide variety of devices, and this data can be analyzed on the spot or later in the lab.

The Cellebrite UFED comes with a variety of cables and cords, designed to work with many popular smartphone models.  The data that it can recover depends upon the model of phone, but usually includes quite a bit of valuable forensic information.  SMS messages, contact lists, and call history are typically available for most models of phones.  Voicemail is still problematic for most cell phone acquisitions, as this data is usually stored by the service provider and accessed only from within the phone’s interface.

The UFED also has a slot to insert and retrieve information from SIM cards, found in most modern cellphones, aside from those offered by Verizon.  It can also retrieve data from some GPS devices, though I did not have one to test.  Of course, valuable location data, including dates and times traveled, can be retrieved from most GPS devices, as this data is often stored indefinitely.

All in all, Cellebrite’s UFED is a must-have for any forensic lab.  The variety of devices it covers alone makes it worthwhile for recovering data from even the most obscure phones, when the alternative is often to turn the phone on and take pictures of the screen, which is a shaky forensic prospect at best.

Google-Motorola acquisition

Posted on | August 17, 2011 | No Comments


While plenty of ink has been spilled over Google’s acquisition of Motorola, this merger has a good chance of pushing the Android platform past the tipping point.  Android has been languishing, and this move gives Google a little more control over the hardware required to produce a cell phone.  Google is unlikely to get into the mobile phone business itself, but the deal also strengthens its patent portfolio, giving it more flexibility and muscle when it comes to getting what it wants.

This merger gives Google an opportunity to consolidate some of the many handset versions that have come out over the past few years.  Part of the reason Android has been less successful than Apple in the handset market is the sheer number of hardware makes and models that Android must be compatible with.  Apple, on the other hand, exerts far greater control over its hardware with the iPhone, and can design features without worrying about cross-compatibility with different models of phones.  Perhaps Google sees this and will use the leverage of its operating system to push for more standardized hardware in Android phones.

Updated the glossary

Posted on | March 17, 2011 | No Comments

I’ve added a few new terms to the digital forensics glossary.  Right now there are just some very basic definitions, but I’ll work on adding some links to articles (external and internal) and see if I can expand it a bit more.

Full-Disk Encryption comes to Android

Posted on | March 16, 2011 | No Comments

The wonderful folks over at WhisperSys have released a new product called WhisperCore.  This product provides full-disk encryption for the Android-based Nexus S smartphone.  WhisperCore can also be configured to encrypt an SD card.  Unfortunately, I do not own a Google Nexus S, so I’m not able to test this piece of software.

Of course, the product is still in beta, so be sure you know how to create an image of your phone (and be able to restore from it!) before attempting to use this software.  No word on whether this product will be expanded to cover additional phone models, but I expect more competition in the Android market for reliable full disk encryption.

Information Security – Protecting your business online

Posted on | February 21, 2011 | No Comments

Occasionally someone will ask me what the potential vectors for a security breach at their company are.  While there are many bases to cover, some are more important than others, so I thought I’d discuss a few of the simple ones.

First of all, where is your important data located?  If you keep important client data on your web server (or in a database that the web server calls upon), then you may wish to do a database security audit.  SQL injection is a very common and easy way for an attacker to gain access to your data.  Make sure your database inputs are sanitized so that you’re not part of the low-hanging fruit that can be exploited by script kiddies.
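To make the SQL injection point concrete, here is an added example (not code from the original post) using Python’s built-in `sqlite3` module and a constructed `clients` table. It places the string-built query next to its parameterized form and shows what the audit is looking for: with concatenation, a single quote in the input closes the string literal and the rest of the input is parsed as SQL, so a tautology returns every row; with a bound parameter the same input is just a value that matches nothing.

```python
import sqlite3

def build_sample_db():
    """Constructed client table standing in for the data a web application exposes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, email TEXT, owner TEXT)")
    db.executemany("INSERT INTO clients (name, email, owner) VALUES (?, ?, ?)", [
        ("Acme Corp", "acme@example.com", "alice"),
        ("Globex", "globex@example.com", "bob"),
    ])
    return db

def lookup_vulnerable(db, owner):
    """Builds the statement by string concatenation, so the caller's input becomes SQL text."""
    sql = "SELECT name, email FROM clients WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, owner):
    """Sends the input as a bound parameter; the database never parses it as SQL."""
    return db.execute("SELECT name, email FROM clients WHERE owner = ?", (owner,)).fetchall()

# Constructed test input: a quote that closes the string literal, followed by a tautology.
TAUTOLOGY = "alice' OR '1'='1"

if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable   :", lookup_vulnerable(db, TAUTOLOGY))     # every row comes back
    print("parameterized:", lookup_parameterized(db, TAUTOLOGY))  # no rows
```

In practice the "database security audit" the post recommends starts with finding every place the code assembles a query from strings and replacing each with the bound-parameter form; input sanitizing is a second line of defense, not a substitute, because it has to anticipate every encoding trick while parameterization removes the problem structurally.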

If you publish documents online (such as Word documents, PDFs, or PowerPoint presentations), know that those documents often contain metadata that can reveal important information about your company.  Automated tools like metagoofil can scrape your entire website (via Google) for documents, then analyze the metadata within them.  What can this reveal?  Names of employees, versions of software (info that can be used for exploits), email addresses, operating system versions, creation dates, and more.  There is plenty of software specifically designed to wipe metadata from documents before they are published – use it to your advantage to reduce your overall attack surface.
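As an added example of what that metadata looks like and how a pre-publication wipe works (this is example code written for this page, not the original post’s or metagoofil’s code), the script below treats a .docx file as what it is, a zip package, reads the author, last-modified-by, timestamps, application version and company name out of `docProps/core.xml` and `docProps/app.xml`, and writes back a copy with those elements removed. The sample document is constructed in memory with simplified property parts and hypothetical values; the namespace URIs and part names are the real ones from the Office Open XML packaging.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the two property parts inside a .docx package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Which package part and element each leaking field lives in.
FIELDS = {
    "creator":          ("docProps/core.xml", "dc:creator"),
    "last_modified_by": ("docProps/core.xml", "cp:lastModifiedBy"),
    "created":          ("docProps/core.xml", "dcterms:created"),
    "modified":         ("docProps/core.xml", "dcterms:modified"),
    "application":      ("docProps/app.xml", "ep:Application"),
    "app_version":      ("docProps/app.xml", "ep:AppVersion"),
    "company":          ("docProps/app.xml", "ep:Company"),
}
PARTS = {part for part, _ in FIELDS.values()}

def build_sample_docx():
    """Constructed minimal .docx (simplified parts, hypothetical values) for the demonstration."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
            '<dc:creator>J. Doe</dc:creator><cp:lastModifiedBy>jdoe@example.com</cp:lastModifiedBy>'
            '<dcterms:created>2011-02-01T09:00:00Z</dcterms:created>'
            '<dcterms:modified>2011-02-20T17:30:00Z</dcterms:modified></cp:coreProperties>').format(**NS)
    app = ('<?xml version="1.0" encoding="UTF-8"?><Properties xmlns="{ep}">'
           '<Application>Microsoft Office Word</Application><AppVersion>12.0000</AppVersion>'
           '<Company>Example Ltd</Company></Properties>').format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")  # body content, untouched by the scrub
    return buf.getvalue()

def extract_metadata(docx_bytes):
    """Return {field: value} for every leaking field present in the package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        roots = {p: ET.fromstring(z.read(p)) for p in PARTS if p in z.namelist()}
    for key, (part, tag) in FIELDS.items():
        el = roots[part].find(tag, NS) if part in roots else None
        if el is not None and el.text:
            found[key] = el.text
    return found

def scrub_metadata(docx_bytes):
    """Return a copy of the package with the leaking elements removed and every other part intact."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in PARTS:
                root = ET.fromstring(data)
                for part, tag in FIELDS.values():
                    if part == item.filename:
                        for el in root.findall(tag, NS):  # properties are direct children of the root
                            root.remove(el)
                data = ET.tostring(root, encoding="UTF-8")
            dst.writestr(item.filename, data)
    return out.getvalue()

def part_names(docx_bytes):
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return sorted(z.namelist())

if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", extract_metadata(doc))
    print("after: ", extract_metadata(scrub_metadata(doc)))
```

The same extract function, pointed at documents downloaded from your own site, gives you the view an attacker running a metadata scraper would get; running the scrub as part of the publishing step is the cheap fix. Embedded images, tracked changes and comments carry their own metadata in other parts of the package, so a complete wipe has to look beyond the two property files shown here.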

More recently, there has been an increase in spear-phishing attacks.  These attacks target an individual, and are often crafted to get them to visit a malicious link or open a malicious document.  This is more of a trust issue than anything else – you have to trust the people you are communicating with.  If someone contacts you out of the blue with an offer that seems too good to be true, it probably is.  Remember not to open attachments you are not expecting, and the same applies to links to websites.

DEFT Linux 6 coming soon

Posted on | January 4, 2011 | No Comments

It was just announced that DEFT Linux 6 will be released later this month.  The downside?  The initial release will be in Italian, with English and Spanish support coming in the next few months.  Not that I’m complaining at all – if you’re excited to see what this release will contain, check out the DEFT Linux Release Candidate.  It’s one of my favorite forensics live CDs right now.

Digital Copiers as a Forensic Utility

Posted on | November 30, 2010 | No Comments

Just ran across this article on digital copiers – while the deployment of “smart” copiers isn’t exactly new, I think it’s worth briefly discussing.  People often forget that many digital devices need to store data in order to function properly.  When most people think of digital or computer forensics, they think of computers, cell phones, and servers (and networking and database analysis if they’re really on the ball).  But often that important document exists in more than one place – in this example, it can be stored on the hard drive of a digital copier.

Of course, if data needs to be manipulated in some way, there’s probably a way to forensically extract it – even from a digital copier.  In this case, even the simple act of scanning a document creates an additional copy on a storage medium that you will probably never have direct access to.  This is why it’s important to properly protect your technology investments (and destroy them at the end of their lifecycle).  It’s also just another reason to keep a digital forensics expert on staff to identify these types of problems before that copier you threw out gets salvaged by some enterprising hacker.

Also, apparently some companies are now starting to provide a ‘wiping’ utility within the software that runs the digital copier – for an additional fee, of course!

Cybersecurity Paper from Harvard National Security Journal

Posted on | November 11, 2010 | No Comments

Just found this interesting paper on cybersecurity published over at the Harvard National Security Journal.  The paper emphasizes that the United States’ ability to project power depends on information technology, and therefore that cybersecurity needs to become a top priority for national security advisors.  I also like it because the author does not use terms like “Cyber War”, which imply the existence of cyber weapons and encourage thinking in a conventional military sense.  A better analogy might be a toolbox – there is plenty of damage you can do with a “Cyber Hammer” or a “Cyber Circular Saw”, but these are primarily used as tools to build something.  Seymour Hersh’s article in the New Yorker last week is another good read that also touches on this subject.

While I agree with the sentiment, unfortunately it may take a Black Swan type of event to get the ball rolling towards a more robust national security policy when it comes to information technology.  Both articles are good, thought-provoking reads if you like to think about online security and what challenges the world will face as we progress further into the information age.

SANS Blog Survey Results

Posted on | November 9, 2010 | No Comments

Over at the SANS Blog, they recently published some stats from a survey we were all encouraged to take.  Most of the information is routine, but there were some interesting things in there relating to computer forensics.

The first interesting thing I noticed is that the GCFA (GIAC Certified Forensic Analyst) was the most common type of certification by far.  The EnCase Certified Examiner (EnCE) and the AccessData Certified Examiner (ACE) were the next most common, which isn’t too surprising considering both are software-specific certs.  Not sure how long it’s going to be before we see a good hardware-agnostic forensic certification for mobile devices, but I’d expect that to be popular in the future.

The SANS Blog looks like it’s going to have more How-To’s in the future, which I think is always good.  Sometimes it’s easy to get stuck in one methodology, and seeing how other people approach problems only helps us broaden our horizons.  If you primarily do computer forensic work focused on hard drives, for example, it will never hurt to learn something about network forensics or cell phone forensics.  Memory forensics and artifact analysis were two other topics that ranked highly in the survey, and I think those will also become increasingly important in the future.