Uses of Computer Forensics
Posted on | November 6, 2011 | No Comments
There are many practical uses of computer forensics. The recovery of data that can aid in a criminal or civil investigation is one such use. Computer forensics can also be used to reconstruct how and when a computer was used, or how a virus was able to infiltrate a network.
Evidence can be extracted from many different sources
Document access time can be important in intellectual property cases. For example, when an employee moves from one company to another, they are often tempted to take some important data with them. Depending on the type of file and the way the hard drive is formatted, metadata such as date created, date last accessed, and date last modified can be used to determine if and when a file was accessed. Of course, a computer forensics expert is needed in many of these cases to determine whether the file was accessed by a user or by some system process (such as an anti-virus scan or a disk defragmentation operation).
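As an added illustration of the timestamp analysis described above (example code, not from the original post), here is a small mactime-style timeline builder over a constructed sample directory; the file name, the timestamps and the directory layout are all made up for the demo:

```python
import os
import tempfile
from datetime import datetime, timezone

def collect_mac_events(root):
    """Walk `root` and emit one (timestamp, flag, path) tuple per timestamp,
    mactime-style: m = content modified, a = last accessed, c = inode/metadata
    changed on Unix (creation time on Windows)."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            events.append((st.st_mtime, "m", path))
            events.append((st.st_atime, "a", path))
            events.append((st.st_ctime, "c", path))
    return sorted(events)

def format_timeline(events):
    """Render events as 'UTC-time flag path' lines, oldest first."""
    return ["{} {} {}".format(
        datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        flag, path) for ts, flag, path in events]

def demo():
    """Constructed sample: one file whose access time is a day after its
    modification time, the pattern of a document read or copied long after
    it was last edited."""
    root = tempfile.mkdtemp()
    path = os.path.join(root, "quarterly_report.docx")  # constructed name
    with open(path, "wb") as fh:
        fh.write(b"constructed sample content")
    accessed = 1318000000            # 2011-10-07 UTC (constructed)
    modified = accessed - 86400      # one day earlier
    os.utime(path, (accessed, modified))  # sets atime, mtime; ctime becomes "now"
    return collect_mac_events(root)

if __name__ == "__main__":
    print("\n".join(format_timeline(demo())))
```

Keep in mind that an anti-virus scan reading the file bumps the access time exactly as a user would, and that many Linux mounts (relatime/noatime) suppress access-time updates altogether, which is why the examiner's judgement the post mentions still matters.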
Internet history can also prove useful during the course of an investigation. Modern web browsers keep history files, passwords, and other valuable information. In fact, you could even call the browser cookie a form of computer forensics, as this information allows web sites to track what you are searching for and what websites you are visiting. This information is often used to direct users to relevant ads and products, and internet marketers are able to use this to create finely-tuned customer demographics.
Often neglected until recently is the value of forensic information stored in smartphones. Modern smartphones not only keep call logs, but can also store text messages, credentials to internet services, internet history, and even location information (such as GPS coordinates, or the location of WiFi hotspots near you). Some modern smartphones use this location information to display ads, but the impact on forensic investigations is also enormous. This information can often be extracted by a digital forensics pro, or with a device like Cellebrite’s UFED.
There are more uses of computer forensics, but these are some basic ideas that can get you started. If you have any other uses, be sure to leave them in the comments!
Tags: Computer Forensics > internet history > investigation > metadata > uses of computer forensics
Cellebrite UFED and Cell Phone Forensics
Posted on | September 26, 2011 | No Comments
Got a chance to play with Cellebrite’s UFED device recently. This device is commonly used by law enforcement to quickly collect data from many modern smartphones. Much of the appeal of the UFED is that it can collect data from a wide variety of devices, and this data can be analyzed on the spot or later in the lab.
The Cellebrite UFED comes with a variety of cables and cords, designed to work with many popular smartphone models. The data that it can recover depends upon the model of phone, but usually includes quite a bit of valuable forensic information. SMS messages, contact lists, and call history are typically available for most models of phones. Voicemail is still problematic for most cell phone acquisitions, as this data is usually stored by the service provider and accessed only from within the phone’s interface.
The UFED also has a slot to insert and retrieve information from SIM cards, found in most modern cellphones, aside from those offered by Verizon. It can also retrieve data from some GPS devices, though I did not have one to test. Of course, valuable location data, including dates and times traveled, can be retrieved from most GPS devices, as this data is often stored indefinitely.
All in all, Cellebrite’s UFED is a must-have for any forensic lab. The variety of devices it covers alone makes it worthwhile for recovering data from even the most obscure phones, when the alternative is often to turn the phone on and take pictures of the screen, which is a shaky forensic prospect at best.
Tags: Android > Cellebrite > GPS > SIM card > UFED
Google-Motorola acquisition
Posted on | August 17, 2011 | No Comments
Updated the glossary
Posted on | March 17, 2011 | No Comments
I’ve added a few new terms to the digital forensics glossary. Right now there are just some very basic definitions, but I’ll work on adding some links to articles (external and internal) and see if I can expand it a bit more.
Full-Disk Encryption comes to Android
Posted on | March 16, 2011 | No Comments
The wonderful folks over at WhisperSys have released a new product called WhisperCore. This product provides full-disk encryption for the Android-enabled Nexus S smartphone. WhisperCore can also be configured to encrypt an SD card. Unfortunately, I do not own a Google Nexus S, so I’m not able to test this piece of software.
Of course, the product is still in beta, so be sure you know how to create an image of your phone (and be able to restore from it!) before attempting to use this software. No word on whether this product will be expanded to cover additional phone models, but I expect more competition in the Android market for reliable full disk encryption.
Tags: Android encryption > encryption > Full-Disk Encryption > WhisperCore > WhisperSys
Information Security – Protecting your business online
Posted on | February 21, 2011 | No Comments
Occasionally someone will ask me what potential vectors for security breaches are for their company. While there are many bases to cover, some are more important than others, so I thought I’d discuss a few of the simple ones.
First of all, where is your important data located? If you keep important client data on your web server (or in a database that the web server calls upon), then you may wish to do a database security audit. SQL injection attacks are a very common and easy way for an attacker to gain access to your data. Make sure your database inputs are sanitized so that you’re not part of the low-hanging fruit that can be exploited by script kiddies.
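As an added illustration of the point above (example code, not from the original post), a constructed client lookup in both the injectable string-building form and the parameterized form that an audit would ask for; the table, rows and input values are all made up for the demo:

```python
import sqlite3

def make_db():
    """In-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO clients (name, email) VALUES (?, ?)",
                     [("Alice Example", "alice@example.test"),
                      ("Bob Example", "bob@example.test")])
    return conn

def lookup_vulnerable(conn, name):
    # Vulnerable: the caller's input is pasted into the SQL text, so a quote
    # in the input changes the query's structure instead of its value.
    sql = "SELECT name, email FROM clients WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Hardened: the driver binds the input as a value; it can never become SQL.
    sql = "SELECT name, email FROM clients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def compare(name):
    """Run both forms on the same input and return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    return lookup_vulnerable(conn, name), lookup_safe(conn, name)

if __name__ == "__main__":
    # Constructed textbook input: a quote plus an always-true condition.
    for label, rows in zip(("vulnerable", "safe"), compare("x' OR '1'='1")):
        print(label, len(rows), "row(s)")
```

The same input returns every client from the string-built query and nothing from the bound one, which is the difference an audit of your database code should be looking for.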
If you publish some documents online (such as Word documents, PDFs, or PowerPoint presentations), know that those documents often contain metadata that can reveal important information about your company. Automated tools like metagoofil can scrape your entire website (via Google) for documents, then analyze the metadata within them. What can this reveal? Names of employees, versions of software (information that can be used for exploits), email addresses, operating system versions, creation dates, and more. There is plenty of software specifically designed to wipe metadata from documents before they are published – use it to your advantage to reduce your overall attack surface.
More recently, there has been an increase in spear-phishing attacks. These attacks target an individual, and are often crafted to get them to visit a malicious link or open a malicious document. This is more of a trust issue than anything else – you have to trust the people you are communicating with. If someone contacts you out of the blue with an offer that seems too good to be true, it probably is. Remember not to open attachments you are not expecting, and the same applies to links to websites.
DEFT Linux 6 coming soon
Posted on | January 4, 2011 | No Comments
It was just announced that DEFT Linux 6 will be released later this month. The downside? The initial release will be in Italian, with English and Spanish support coming in the next few months. Not that I’m complaining at all – if you’re excited to see what this release will contain, check out the DEFT Linux Release Candidate. It’s one of my favorite forensics live CDs right now.
Tags: Computer Forensics > DEFT > forensics live CD > linux
Digital Copiers as a Forensic Utility
Posted on | November 30, 2010 | No Comments
Cybersecurity Paper from Harvard National Security Journal
Posted on | November 11, 2010 | No Comments
Tags: cybersecurity > cybersecurity policy > Harvard > National Security Journal > online security > security
SANS Blog Survey Results
Posted on | November 9, 2010 | No Comments
Tags: ACE > certification > Computer Forensics > EnCE > GCFA > SANS > SANS Blog