Let the Voting Commence

June 26, 2009 by Lee Whitfield  
Filed under News

I have finally found the time to count the nominations. Below are the top three nominations in each category.

***Voting is now open***

Please email your votes to ‘vote@forensic4cast.com’. Remember, unlike the nominations, you can only vote once in each category.

Please take 5 minutes out of your day to vote for the people you feel deserve recognition.

The Forensic 4cast Awards – because even nerds deserve an award!

Outstanding Contribution to Digital Forensics (Individual)
Matt Shannon (F-Response)
Rob Lee (SANS/Mandiant)
Jamie Morris (Forensic Focus)

Outstanding Contribution to Digital Forensics (Company)
F-Response
Sans
X-Ways

Best Digital Forensic Article/Blog Posting
iPhone White Paper
pdgMail
Memory Forensic Acquisition and Analysis 101

Best Digital Forensic Blog
Windows IR (Harlan Carvey)
Sans (Sans Forensics Team)
Forensickb (Lance Mueller)

Best Digital Forensic Book
Windows Forensic Analysis (Harlan Carvey)
iPhone Forensics (Jonathan Zdziarski)
File System Forensic Analysis (Brian Carrier)

Best Computer Forensic Hardware Tool
Tableau
Fastbloc
Macquisition

Best Computer Forensic Software Tool
X-Ways Forensics
DCFLDD
Drive Prophet

Best Phone Forensic Hardware Tool
Cellebrite
Susteen
XRY

Best Phone Forensic Software Tool
Datapilot
XRY
Pandora’s Box

Digital Forensic Examiner of the Year
David Kleiman
Rob Lee
Jonathan Zdziarski

Lifetime Achievement Award
Rob Lee
Brian Carrier
Ovie Carroll

On July 19 2009 we will be doing a live video broadcast on Stickam. You can watch it on the Stickam website or right here. More details of the broadcast will be revealed as the time gets closer.

More on EnCase Portable

June 20, 2009 by Lee Whitfield  
Filed under News

At CEIC, Guidance announced their two latest products, one of which was EnCase Portable.

Aside from a few vague details we were given very little information about this new product, but the Guidance website has now been updated to provide some additional information and a new YouTube video has also been posted.

Starting with the information from the Guidance website, we can see that the EnCase Portable kit includes:

  • 4GB USB drive with EnCase Portable preinstalled
  • 16GB drive for additional storage
  • 4 port USB hub
  • EnCase Portable security key
  • User guide
  • EnCase Portable installation CD
  • Carrying Case

Guidance also states the key benefits and features on its website:

Key Benefits

  • Police, civilian investigators and parole officers can acquire data without requiring an onsite forensic expert
  • Military and other government personnel can quickly and accurately collect data during covert operations
  • Corporate IT or law firm personnel can acquire information at any location for eDiscovery or corporate investigations purposes

Key Features

  • Plug in and collect data immediately
  • Enable novice computer users to be data collectors in a matter of minutes
  • Acquire data anywhere with EnCase Portable’s pocket-sized kit
  • Search and collect cyber-intelligence without leaving a trace
  • Store collected data in the forensically sound, court-validated EnCase® Logical Evidence File format
  • Capture data from running or powered-off systems
  • Customize search and collection jobs to create and configure more complex search criteria
  • Easily install EnCase Portable on any USB drive

These details obviously raise more questions than they answer, and I’m sure that Guidance will reveal more as the release becomes imminent.

The YouTube video, on the other hand, provides quite a lot in terms of answers. The video can be found here. The video shows the contents of EnCase Portable and some of the potential capabilities of the software.

As is noted in the video, the software is booted into what appears to be a live Windows environment and is capable of performing the following:

  • Collect Internet Artifacts
  • Collect Windows Event Logs
  • ICONS
  • Collect all Word Documents
  • Collect all Images
  • All PST
  • All MPG
  • Collect all Archive Files
  • Capture Registry
  • Collect EXE Files
  • Collect all Email Archives
  • Collect Mail Archives
  • Collect TEMP Files

I suspect, given that some of this information is quite repetitive and/or ambiguous (such as ‘Collect all Images’), that users will be able to preconfigure the software to capture whatever data they wish. They then select the required options and capture that data to the relevant device in an EnCase logical evidence file. It appears quite simple and straightforward. Once I’m able to see one of these up close I’ll give a more in-depth review.

Forensic 4cast Episode 17 – Free is not Free

June 18, 2009 by Lee Whitfield  
Filed under Podcast Episodes

In this episode we discuss a decision for the state of Michigan, giving evidence back, a lawyer having his name changed, and ebook piracy. Harlan Carvey joins us and tells us about his new book.


Forensic Focus Interview

June 12, 2009 by Lee Whitfield  
Filed under News

I was recently asked by Jamie Morris of Forensic Focus to participate in an interview for his website. You can read the interview here. If I said anything that you agree/disagree with feel free to post comments here and I’ll reply in due course.

Awards Update

June 12, 2009 by Lee Whitfield  
Filed under News

I just wanted to post a quick update about the Forensic 4cast Awards.

There is a new static page for the awards so that it doesn’t get bumped off the list of articles.

The awards have already been covered by Matt Shannon over at F-Response, ForensicFocus, and by Harlan Carvey and Larry Daniel on their respective blogs.

So far the front runners for each category are:

Outstanding Contribution to Digital Forensics (Individual)
Matt Shannon, Rob Lee

Outstanding Contribution to Digital Forensics (Company)
F-Response, Sans Forensics

Best Digital Forensic Article/Blog Posting
iPhone White Paper – Andrew Hoog

Best Digital Forensic Blog
Windows Incident Response – Harlan Carvey
Sans Forensic Blog

Best Digital Forensic Book
Windows Forensic Analysis – Harlan Carvey

Best Computer Forensic Hardware Tool
Tableau Write Blockers

Best Computer Forensic Software Tool
X-Ways Forensics, DCFLDD

Best Phone Forensic Hardware Tool
Cellebrite

All the others are too close to call.

Is there someone missing from the list that you think should be there? Get your nominations in by emailing them to nominations@forensic4cast.com

Remember, even nerds deserve an award!

Forensic 4cast Episode 16 – Tool

June 9, 2009 by Lee Whitfield  
Filed under Podcast Episodes

In this episode of Forensic 4cast we discuss the latest news, the Forensic 4cast awards, and Rob Lee joins us to discuss, among other things, the Sans Forensic Summit.

As a special bonus for listeners Rob has arranged for listeners of Forensic 4cast to attend the summit for a discount of 10%. Just use the code 4cast10 when making your booking.


Forensic 4cast Awards

June 6, 2009 by Lee Whitfield  
Filed under News

The company for which I work has been nominated for an award. This award is not the most significant in the world, but if we win I’m sure that we’ll feel a sense of honour and pride. This award is a business award, not an award for digital forensics. This got me thinking.

Why don’t we have a series of awards for special achievement in the field of digital forensics? There is no reason that I can think of, so on July 19th 2009, in our first live broadcast, we are going to hold the first annual Forensic 4cast awards.

As with any awards ceremony we have formed a series of categories and will give awards for those people that have received the most votes in their nominated categories.

The categories are as follows:

  • Outstanding Contribution to Digital Forensics (Individual)
  • Outstanding Contribution to Digital Forensics (Company)
  • Best Digital Forensic Article/Blog Posting
  • Best Digital Forensic Blog
  • Best Digital Forensic Book
  • Best Computer Forensic Hardware Tool
  • Best Computer Forensic Software Tool
  • Best Phone Forensic Hardware Tool
  • Best Phone Forensic Software Tool
  • Digital Forensic Examiner of the Year
  • Lifetime Achievement Award
  • The Huh? Award (chosen by Simon)

All but the ‘Huh?’ award are open for nominations and voting.

The Rules

Nominations are open now. All nominations should be sent by email to nominations@forensic4cast.com. Nominations will be open until 21st June 2009. After this time the nominations will be closed. The top three nominations in each category will go forward for voting. A list of the nominees will be posted on the Forensic 4cast website and all voting will commence on 23rd June 2009. Voting closes on 17th July 2009. The awards will be given to those with the most votes. You cannot nominate or vote for yourself.

You can nominate more than one person in any category but, once voting commences, you may only vote once in each category. If I have reason to believe that someone is cheating the system their votes will be vetoed.

The winner in each field will be sent a digital trophy that they can place on their website, blog, or email communications.

I am trying to make this a big deal not only to show people in the field that we appreciate them, but also to help others aspire to improve themselves and the community. Please let your colleagues know about these awards, who knows, they may nominate you.

Best of luck.

Mac Forensics

June 4, 2009 by Lee Whitfield  
Filed under Technical Articles

Last Thursday I had the pleasure of attending the Mac Forensics F3 training day. For those of you that do not know what F3 is, it is the ‘First Forensic Forum’. Most digital forensic investigators in the UK are linked to this organisation in some way, and they offer training days every few months.

I thought that I would quickly note some items that were shared with us before I either forget about them or lose my notes.

Imaging

This can be accomplished on either a Mac or a PC. If you’re looking to image with a Mac there are a few options to choose from but one of the best is offered by the guys over at http://macosxforensics.com.  Their Mac OS X Forensics Imager is based on libewf and offers a graphical interface to the console-driven acquisition tool.

Obviously there are the common everyday items such as DD and DCFLDD that are easily run on the Mac.

Although a write blocker is always recommended, it is possible to image a drive without one. In order to do this you need to turn off ‘Disk Arbitration’. This is the process that automounts drives when they are connected to the computer. After turning this off, any newly connected drives will not be mounted. Just don’t forget to turn it back on once you’re finished, otherwise you may run into some difficulty. To turn this off, open Terminal and type:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitration.plist

To turn it back on type:

sudo launchctl load /System/Library/LaunchDaemons/com.apple.diskarbitration.plist
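The step that the two commands above leave to the examiner is verifying that the daemon really is gone before the evidence drive is plugged in, and getting it reloaded even if the imaging step fails. The following is an added example (not from the article or F3) that wraps the article's unload/load commands in that check. It assumes the plist path given above, that `launchctl list` prints tab-separated columns with the job label last, and that the label contains the substring `diskarbitration`; the sample listing is constructed, not captured from a real machine.

```python
import subprocess

# Path exactly as given in the article above
DISKARB_PLIST = "/System/Library/LaunchDaemons/com.apple.diskarbitration.plist"


def diskarb_loaded(launchctl_list_output):
    """Return True if a disk-arbitration job is present in `launchctl list` output.

    Assumes tab-separated columns with the job label in the last column.
    A substring match on 'diskarbitration' tolerates either the label
    com.apple.diskarbitration or com.apple.diskarbitrationd (assumption).
    """
    for line in launchctl_list_output.splitlines():
        parts = line.split("\t")
        if len(parts) >= 3 and "diskarbitration" in parts[-1]:
            return True
    return False


def current_list():
    """Run `sudo launchctl list` and return its stdout (requires a Mac and sudo)."""
    proc = subprocess.run(["sudo", "launchctl", "list"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def with_diskarb_disabled(work):
    """Unload disk arbitration, confirm it is gone, run work(), then reload it.

    The reload sits in a finally block so a failed acquisition does not leave
    the examiner's Mac with automounting switched off.
    """
    subprocess.run(["sudo", "launchctl", "unload", DISKARB_PLIST], check=True)
    try:
        if diskarb_loaded(current_list()):
            raise RuntimeError("disk arbitration still loaded; do not connect the evidence drive")
        return work()
    finally:
        subprocess.run(["sudo", "launchctl", "load", DISKARB_PLIST], check=True)


# Constructed sample listings (PID, Status, Label), not real machine output
SAMPLE_BEFORE_UNLOAD = ("PID\tStatus\tLabel\n"
                        "42\t-\tcom.apple.diskarbitrationd\n"
                        "17\t-\tcom.apple.syslogd\n")
SAMPLE_AFTER_UNLOAD = ("PID\tStatus\tLabel\n"
                       "17\t-\tcom.apple.syslogd\n")
```

Call `with_diskarb_disabled(lambda: subprocess.run([...imaging command...], check=True))` with the imaging command of your choice; the drive is connected only after the check passes.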

Artefacts

Spotlight Files – These maintain an index of the volume from which the file is taken.

Swap File – /private/var/vm/swapfile0

Sleepimage – This file is like the hiberfile on Windows.

Log Files – /var/log – can be opened with the Mac ‘Console’

Property Lists – Two main types: XML and Binary – plists are like the Windows registry. A plist editor is available on the Mac Developer Tools provided with a new Mac. There is also ‘Pref Setter’ (which has a nice search feature) and iPod Robot offers a plist reader for Windows.

Printing – The Mac has an inbuilt PDF printer. This doubles up as a printer spool. This means that, regardless of the printer used, a PDF is created of anything that is printed from a Mac. Once the printing is finished the PDF is released into unallocated clusters. A file carve for PDFs in unallocated space will return items printed with the Mac. These PDFs will also contain metadata providing the application used to print. I thought that this was the most interesting part of the day. This may be worth more investigation and a full article.
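As an added example of the carve described above (my own code, not from the article or the F3 day), the following scans a buffer of "unallocated space" for header-to-footer PDF spans and pulls the `/Creator` and `/Producer` strings that identify the printing application. The sample buffer, its offsets and the metadata values in it are constructed for illustration; the carver stops each hit at the first `%%EOF`, so incrementally updated PDFs with several `%%EOF` markers would be truncated.

```python
import re

# Constructed sample of "unallocated space": filler bytes, a PDF with the kind of
# Info dictionary the Mac print path writes, more filler, then a second PDF from
# another producer and some non-PDF junk. None of this came from a real image.
SAMPLE_UNALLOCATED = (
    b"\x00" * 37
    + b"%PDF-1.3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    + b"2 0 obj\n<< /Creator (Safari) /Producer (Mac OS X 10.5.7 Quartz PDFContext) >>\nendobj\n"
    + b"trailer\n<< /Root 1 0 R /Info 2 0 R >>\n%%EOF\n"
    + b"\xff" * 21
    + b"%PDF-1.4\n1 0 obj\n<< /Producer (GPL Ghostscript 8.64) >>\nendobj\n%%EOF"
    + b"garbage that is not a pdf"
)

PDF_HEADER = re.compile(rb"%PDF-\d\.\d")
PDF_FOOTER = b"%%EOF"
INFO_KEYS = (b"Creator", b"Producer")


def carve_pdfs(data):
    """Return [(offset, pdf_bytes), ...] for each %PDF-x.y ... %%EOF span.

    Simple header/footer carving: a hit runs from the header to the first
    %%EOF after it, then scanning resumes past that footer.
    """
    hits = []
    pos = 0
    while True:
        head = PDF_HEADER.search(data, pos)
        if not head:
            break
        end = data.find(PDF_FOOTER, head.end())
        if end == -1:
            break  # header with no footer: treat as truncated, stop
        end += len(PDF_FOOTER)
        hits.append((head.start(), data[head.start():end]))
        pos = end
    return hits


def pdf_metadata(pdf_bytes):
    """Extract /Creator and /Producer literal strings from a carved PDF.

    Handles the plain (...) string form only; hex strings <...> and escaped
    parentheses inside strings are not parsed.
    """
    meta = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key + rb"\s*\((.*?)\)", pdf_bytes, re.DOTALL)
        if m:
            meta[key.decode()] = m.group(1).decode("latin-1")
    return meta


def carve_and_describe(data):
    """Return [(offset, size, metadata_dict), ...] for every carved PDF."""
    return [(off, len(pdf), pdf_metadata(pdf)) for off, pdf in carve_pdfs(data)]
```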

Useful Software

PeekIt, iBored, Hex Fiend, File Juicer, Mactracker, and Firefox Add-ons – CacheViewer and SQLiteManager.