Forensic 4cast Awards 2010
May 26, 2010 by Lee Whitfield
Filed under News
That’s right, it’s that time again. The second annual Forensic 4cast Awards will be held as part of the SANS Forensic Summit in Washington DC on Thursday July 8 2010 at 7:30pm.
Whereas last year Simon and I stood in front of a camera and broadcast the event live, this time a live audience will be in attendance meaning that several of the winners will be there to pick up their awards, give speeches, etc. Yes, you did read that right… there will be actual physical awards presented this year too.
What should you do next?
Well, sadly the nominations for this year’s awards are now closed. Nominations will reopen next year.
Lessons from Data Recovery – Part 1 (Repost)
May 7, 2010 by Lee Whitfield
Filed under Technical Articles
I originally posted this entry over on the Disklabs computer forensic forum (http://www.computer-forensics.co.uk/computer-forensics-forums/forum.php) but also thought a lot of people would benefit from it being repeated here too.
I’ve been working at Disklabs for a few weeks now. I’ve mostly been confined to the digital forensics lab but I’ve been able to poke my head out from time to time and see what the data recovery department are up to. I’m happy for this opportunity as it has taught me some interesting things that are useful for computer forensics, and some things that are potentially dangerous.
Over the next few weeks I’ll be posting articles about how data recovery has the potential to impact computer forensics in ways that few have thought possible.
A scenario occurred recently in which an employee left a company on less than gracious terms. The next day the employee’s former colleagues showed up for work and realised that the file server was inoperable. Upon closer inspection they found that all of the server’s drives were blank. Forensic analysis was conducted and nothing was found. If the drive had been wiped it had been done so with undetectable software. The forensic investigator, and the tools at his disposal, had failed to provide an adequate answer.
What would you do in a situation like this? I imagine that my report would be very sparse and contain very little information at all. You could look at wiping software artefacts, such as the sequence of bytes used, in order to determine if this individual had maliciously wiped the data from the drive but, failing this, what other avenues of investigation could be followed?
One of the first things I learned after starting at Disklabs was that each hard drive contains certain information that is not stored on the platters, but on the system area of the drive. The two items that I found to be of most interest are the number of times the drive has been powered on and the number of hours that the drive has been active. This may not seem like a huge finding but the implications are awesome.
Going back to our scenario, the hard disk drives were turned over to a data recovery expert who was able to unequivocally state that the drive had only been powered on a handful of times and had only been in operation for a few hours. What does this mean in terms of this investigation? We can draw one of two conclusions: either the drives had been replaced as a result of drive failure or they were replaced as a deliberate act intended to deceive. As it turns out, the IT department of this company stated that the original drives should still be in operation inside the file server and that the information provided by the data recovery expert contradicted their own opinions.
The original drives were recovered from the former employee’s home a few days later.
My short time at Disklabs has proven to me that we need to educate ourselves on these matters. How can we offer opinion or facts in our reports if we haven’t covered every possibility?
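As an added example (not code from the original post or from Disklabs), here is one way an examiner could turn the two counters described above, power-on count and power-on hours, into a repeatable consistency check. The post does not say how the data recovery expert read the counters; this example assumes they are taken from the drive's SMART attributes (ID 9 Power_On_Hours and ID 12 Power_Cycle_Count) as printed by `smartctl -A`, and the sample output below is constructed, not captured from a real drive. The check compares the recorded hours against how long the drive was supposed to have been in service and flags the mismatch that gave the scenario away.

```python
"""Drive-lifetime consistency check for the scenario in the post above.

Added example, not the post's own code. It assumes the counters come from
SMART attributes 9 (Power_On_Hours) and 12 (Power_Cycle_Count) via the
tabular output of `smartctl -A`; raw-value encodings vary by vendor, so only
the leading integer of RAW_VALUE is used. The sample output is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict

# One attribute row: ID, name, flag, value, worst, thresh, type, updated,
# when_failed, then the raw value (leading integer only).
SMART_LINE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\d+)"
)

POWER_ON_HOURS = 9
POWER_CYCLE_COUNT = 12

# Constructed `smartctl -A` output for a drive that is claimed to have been
# running in a file server for two years but shows almost no use.
SAMPLE_SMART_OUTPUT = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   062    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       6
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       4
"""


def parse_smart_attributes(text: str) -> Dict[int, int]:
    """Return {attribute_id: raw_value} for every attribute row in the output."""
    attrs: Dict[int, int] = {}
    for line in text.splitlines():
        m = SMART_LINE.match(line)
        if m:
            attrs[int(m.group(1))] = int(m.group(3))
    return attrs


@dataclass
class LifetimeCheck:
    power_on_hours: int
    power_cycles: int
    expected_min_hours: int
    consistent: bool
    reason: str


def check_drive_lifetime(attrs: Dict[int, int], days_in_service: int,
                         duty_cycle: float = 0.5) -> LifetimeCheck:
    """Compare recorded power-on hours with the claimed time in service.

    duty_cycle is the assumed minimum fraction of the service period the drive
    was powered (0.5 is a deliberately generous lower bound for a file server).
    A drive whose hours fall below that floor cannot be the drive that was
    installed for the claimed period; the cycle count is reported for context
    because a continuously running server drive legitimately has few cycles.
    """
    if POWER_ON_HOURS not in attrs or POWER_CYCLE_COUNT not in attrs:
        raise ValueError("SMART output lacks attribute 9 and/or 12")
    hours = attrs[POWER_ON_HOURS]
    cycles = attrs[POWER_CYCLE_COUNT]
    expected = int(days_in_service * 24 * duty_cycle)
    if hours < expected:
        return LifetimeCheck(hours, cycles, expected, False,
                             f"{hours}h recorded against at least {expected}h expected "
                             f"for {days_in_service} days in service ({cycles} power cycles); "
                             "drive cannot be the one originally installed")
    return LifetimeCheck(hours, cycles, expected, True,
                         f"{hours}h recorded, consistent with {days_in_service} days "
                         f"in service ({cycles} power cycles)")


if __name__ == "__main__":
    attrs = parse_smart_attributes(SAMPLE_SMART_OUTPUT)
    result = check_drive_lifetime(attrs, days_in_service=730)
    print("consistent" if result.consistent else "INCONSISTENT", "-", result.reason)
```

Run against a real drive, the output of `smartctl -A /dev/sdX` would replace the constructed sample; the days-in-service figure should come from procurement or IT records, and the duty-cycle floor documented in the report so the reasoning behind the verdict is reproducible.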
Forensic 4cast Named One of 50 Top Criminology Blogs
May 6, 2010 by Lee Whitfield
Filed under News
Yesterday I received an email saying that Forensic 4cast has been named as one of the top 50 criminology blogs by CriminoBlogica. In fact we didn’t just make the top 50, we made number 19!
CriminoBlogica is a high-quality internet resource for people interested in criminology, forensics, and general law enforcement. Their authors write articles focusing on collecting useful criminology resources from all over the web, as well as offering general advice to anyone interested in pursuing a career in criminology.
I take great pride in this website so it is always nice to have some recognition now and again.
The article can be found here:
http://www.mastersincriminology.com/top-50-criminology-blogs.html
Digital Forensics – What We Don’t Know CAN Hurt Us
May 5, 2010 by Lee Whitfield
Filed under Methodologies & Best Practices
If my work with Volume Shadow Copies has taught me one thing it is that I don’t know anything. I have often said the more I learn, the less I know. Everything that we learn about computer investigations leads to more learning. It never ends. Anyone that thinks they know everything there is to know about digital forensics is either a liar or delusional. Each case should be teaching us something new and we should be learning from it.
The same goes for any new developments in the field. If we don’t keep up with all the latest developments how do we expect to be able to conduct a full investigation?
I have noticed a worrying arrogance lately in that digital forensic investigators believe that they know all that they need to know. They’ve been on all the AccessData and Guidance courses that are on offer, so they have all the knowledge they could ever hope to amass. There is no more room for progression.
This is incredibly dangerous not only to the analyst, but to the people that we represent.
A little while ago a friend of mine conducted an investigation for a police force. I remember him working very hard to experiment and test his findings, like any good examiner. He sent his report to the relevant authorities and got on with his next case.
Some months later the defence report arrived on our doorstep. This report was compiled by a digital forensic investigator professing nearly 20 years’ experience in the field.
His report went on to attack my colleague’s findings. This is not unusual but the manner in which he tried to do this left me feeling completely stunned.
The report was simply dismissive. This ‘veteran’ stated that he did not believe my colleague’s findings were accurate. He did not give any justification for this, he did not conduct any testing, he just said something along the lines of “I know of no method to recover this data so his findings must be incorrect.”
What?
I couldn’t believe this. At what point does an investigator allow himself to interpret his own limited knowledge as fact? It is disturbing and I hope that I never fall into this trap.
The question I would ask is: How do we safeguard against such arrogance? Clearly our field is intellectual and we know a great deal but how do we stop ourselves from becoming like this examiner? How do we keep ourselves firmly anchored?
Episode 28 – Xerox This!
May 3, 2010 by Lee Whitfield
Filed under Podcast Episodes
This week we’re joined by Eric Huber (@ericjhuber) from ‘A Fistful of Dongles’, Tom Yarrish (@CDTDelta), and Martin Fisher (@armorguy) from the ‘Southern Fried Security’ podcast.
In this episode we discuss the Gizmodo/Apple situation, the death of privacy, forensicating photocopiers, more on schools spying on students, and a potentially dangerous exploit that could put digital forensic investigations at risk.