Voting for the Forensic 4cast Awards is now open. You can cast your votes at: http://www.forensic4cast.com/forensic-4cast-awards/
Please take some time out of your busy day to learn about the nominees below.
Outstanding Contribution to Digital Forensics (Individual)
Through numerous books, blogging, and free software that is widely used, Harlan Carvey has made significant effort on numerous fronts to advance the field of Windows forensics and share his knowledge with the community. He makes every other examiner’s job easier by writing and providing the software that he makes available.
Rob doesn’t sleep. That can be the only answer as to how he accomplishes so much. He organises the SANS Forensic Summits, teaches the SANS classes, conducts investigations for Mandiant, and still finds the time to write blog articles, conduct presentations at various conferences, and keep up to date with the latest happenings in the field.
Ryan has provided invaluable assistance with Mac/iOS forensics both by the resources on his Apple Examiner website as well as the indivual assistance he has offered. He is the go-to person with advanced technical questions on topics such as performing a Mac OS X analysis, mounting a corrupt disk image file, or recovering deleted videos, and always pulls through.
Outstanding Contribution to Digital Forensics (Company)
The creators of XRY and XACT offer, perhaps, the best phone coverage, most data and best quality data. They also offer tremendous support for their products, paying careful attention to their customers. As a result of this they are very responsive to customer needs. They continue to innovate and drive the field of mobile device forensics.
In its eleventh year, The Computer and Enterprise Investigations Conference (CEIC), is the industry’s premier digital investigations conference. Hosted by Guidance Software, Inc,., the conference offers one of the few opportunities for the digital forensics community to come together to learn from each other and share best practices. The conference offers hundreds of educational and training opportunities led by some of the world’s foremost experts in computer forensics, e-discovery, cybersecurity, and enterprise investigations. Last year, a record 1,300 attendees joined the tenth anniversary of CEIC.
AccessData has pioneered digital investigations since 1987, beginning with its widely used decryption solutions and growing over the years to deliver the most comprehensive portfolio of digital investigations solutions on the market. AccessData provides stand-alone and network-enabled forensics solutions, as well as network forensics, mobile device, triage, forensic lab, e-discovery and legal review solutions. The company prides itself on the fact that half of its employees are in development and QA. Forensic Toolkit (FTK) is its flagship technology. The technology is recognized for its memory analysis, for having the broadest Mac analysis of any Windows computer forensics solution and for its premier email analysis. The innovations AccessData has delivered to the computer forensics market through FTK have dramatically enhanced customers’ ability to process and analyze massive volumes of data. The company reengineered FTK to be database driven, which allows the solution to scale to handle large cases with greater stability than other computer forensics solutions. In addition, the company introduced distributed processing that organizations around the world are using now to process terabytes of data per day, leveraging legacy hardware to create dedicated worker pools. This new FTK architecture has given AccessData customers an enterprise-class forensics solution at a stand-alone price. Finally, AccessData added memory acquisition and analysis to the broad range of analysis capabilities already in FTK. AccessData opted to also provide RAM acquisition in its free solution, FTK Imager. AccessData continues to innovate, in order to bring greater flexibility, stability, scalability and analysis capabilities to its customers. In addition to software and field triage solutions, AccessData is a leading provider of computer forensics training and delivers valuable education both in a classroom setting and in a live, interactive online environment, which allows forensics professionals to get the education they need without the travel expenses.
Best Digital Forensic Blog
Windows Incident Response
Harlan Carvey’s blog Windows IR provided a wealth of information about using timelines and his posts are what opened my eyes to this valuable technique.
Visit the blog at http://windowsir.blogspot.com
A Fistful of Dongles
Eric is an excellent spokesman, willing to tackle controversial topics and more important, a fellow who’s ideas are provocative and interesting.
Visit the blog at http://ericjhuber.com
Lenny Zeltser on Information Security
Lenny Zeltser has been pumping out blogs and articles lately on a daily basis. Add to teaching for SANS and being a incredibly nice guy he deserves his nods
Visit the blog at http://blog.zeltser.com
Best Digital Forensic Blog Post / Article
Ken Pryor – “I’m here, now what?”
A great resource for people that are coming into the field. A great listing of where to find more information as well as stuff to “play” with.
Read it at http://computer-forensics.sans.org/blog/2010/07/27/im-here-now-what
Matt Churchill – “Free Digital Forensics Triage Tool”
Matt, from http://mattchurchill.net/, in September released a forensic triage tool. This tool has been a great proof of concept in helping non-experts process data in a time sensitive manner.
Read it at http://continuumww.com/digifonics/10-09-16/Free_Digital_Forensics_Triage_Tool.aspx
Rob Lee – “Digital Forensic SIFTing: SUPER Timeline Analysis and Creation”
Numerous bloggers post about timelines and they frequently reference Rob Lee’s post about super timelines. I think this post helped people understand how timelines can be automated which resulted in more people trying out the technique.
Read it here http://computer-forensics.sans.org/blog/2010/03/19/digital-forensic-sifting-super-timeline-analysis-and-creation
Best Digital Forensic Book
Windows Registry Forensics
Harlan Carvey has done it (again) and continues to raise the bar. It’s a must read for the digital forensic analyst! Harlan has brought his many years of experience and research in forensic analysis of the windows registry, into one book. As Rob Lee (SANS Institute) stated, “Windows Registry Forensics provides extensive proof that registry examination is critical to every digital forensic case.”
Malware Analysis Cookbook and DVD
The Malware Analysis Cookbook is basically a self training guide for under $100. Anyone performing digital forensics will find some useful information in the book that can be used in their investigations
Virtualization and Forensics
This is a great book that shows where the future is really going with digital forensics. It reminds us to keep looking further out of the box for evidence.
Best Digital Forensic Podcast
The panel format of the current incarnation of Forensic 4Cast has been both informative and entertaining. The concurrent chat used on the live podcasts was an on-line geek party that.
Joe has managed to consistently create an excellent and accessible podcast. His Cybercrime 101 podcast is something that is of interest to those who are just interested in general information security as well as more in depth digital forensics. I always seem to walk away learning something I didn’t know after listening to his podcasts. Some recognition of the quality of his efforts is long overdue.
Fresh and relevant technical and legal perspectives are shared by Mr. Carroll and his guests. An entertaining a educational podcast that engages the listener from first to last second of the MP3.
Best Computer Forensic Hardware
Very fast, very compact. The ideal tool to use either in the lab or on-site.
Voom Hardcopy 3
Voom released the HardCopy 3 at the tail end of 2009 and released the 3p version in 2010. I got my first Voom in 2010 and it reduced my collection times by more than half. Great product
The Tableau TMSS-IIO1 Integrated Storage Module is a compact, easily transportable, high availability (RAID 5) storage system that gives forensic investigators the storage capacity they need to handle large cases in the field. Standalone RAID systems have historically suffered from poorly designed RAID management software. The Tableau TMSS-IIO1 includes the Tableau Storage Manager, a Windows application built to streamline and simplify the management of TMSS-IIO1. The Tableau Storage Manager provides a simple interface for initializing the drive array, monitoring the health of the modular storage system hard drives, identifying failing hard drives, and rebuilding the RAID array. The product stands out among competitors not only for its performance, but also for its ergonomic features such as a built-in, recessed handle and a unique, patented slot for an evidence tag help to set it apart.
Best Computer Forensic Software
Log2timeline is a great tool for creating timelines and I started using it on my cases in 2010 with amazing results. The updates to the program in 2010 made it even better such as the ability to specify input modules with timescanner.
AccessData has come a long way with FTK, and was named a 2010 Innovator by SC Magazine. Technically speaking, FTK has proven itself to provide the fastest processing with distributed processing, which is included out of the box. It has an enterprise-class architecture, which has allowed computer forensics labs to expand their capabilities to include larger-scale distributed processing and collaborative analysis. It is now recognized as having the most comprehensive Mac analysis. (“…Mac features that can’t be found in any other Windows analysis tool,” Ryan Kubasiak of appleexaminer.com), and FTK was the first to deliver live device acquisition and memory analysis. In addition, FTK comes with built in decryption capabilities, resource throttling for processing and delivers broad support for file systems, compound files, email and encryption technologies. AccessData has done its best to provide the stability and broad functionality that the computer forensics community has been asking for.
Guidance Software’s EnCase Forensic is the industry-standard computer investigation solution for forensic practitioners who need to conduct efficient, forensically sounds data collection and investigations using a repeatable and defensible process. In November 2010, the company announced EnCase Forensic version 6.18, with new support to search and collect evidence from drives encrypted with Windows BitLocker 7 and BitLocker to Go. This support, in addition to updated support for PGP, CREDANT, and Symantec’s GuardianEdge Encryption, enables investigators to analyze more evidence than ever before.
Best Phone Forensic Hardware
XRY is easy to use, has excellent help that shows what can and cannot be extracted for each phone mode, and performs stable extractions. It is very consistent and reliable.
MPE+ Field Tablet
The MPE+ Field Tablet comes preconfigured with Mobile Phone Examiner Plus software and allows examiners to acquire and analyze mobile devices on scene. It supports more than 2500 phones, as well as iPhone, iPad and androids. MPE+ has a built-in carver, so examiners can analyze media without having to export to FTK or another tool. MPE+ also provides physical support for Apple iOS, giving examiners access to unallocated space that contains deleted plists, SQLite dbs, deleted media (pictures, videos etc). Also the MPE+ Tablet allows examiners to quick print data on scene. Finally, using the field tablet, examiners can import AD01s from previously acquired phones. So if an examiner encounters a device in the field that may be related to a previously acquired phone, he or she can refer back to that phone right there on the scene.
UFED introduced new methods for physical extraction that allowed unique support for many mobile phones that no other tool supports.
Best Phone Forensic Software
XRY has one of the most comprehensive coverage of mobile phones in the market. With the release of 5.4 which allows us to image 3 phones at the same time results in an increase in productivity and turnaround time. Their technical support is one of the best to deal with as they get back to us very quickly.
MPE+ supports more than 2500 phones, as well as iPhone, iPad and androids. It offers physical support for Apple iOS, giving examiners access to unallocated space that contains deleted plists, SQLite dbs and deleted media (pictures, videos etc). The solution integrates with FTK, allowing examiners to analyze and correlate data from multiple phones and computers within the FTK interface. It has a built-in carver allowing analysis without export into FTK, if desired. In addition, MPE+ can come preconfigured on a rugged field tablet, allowing examiners in the field to acquire and analyze phones on-scene for quick triage.
Paraben Device Seizure
Paraben’s Device Seizure product provides the greatest number of supported phone models while remaining true to digital forensic practices. Device Seizure has great usability and is effective for every step of the investigation process. Additionally the company has always provided immediate support on every occasion we’ve asked for help. Whether Paraben provides an early release for a case dealing with an extremely new phone model or adds support for specific and obscure phone models we request, they have always been accommodating and prompt.
Best Civilian Forensic Team
NID Forensics Academy
NID Forensics Academy, an organization from Brazil, in 2006 opened the CDFI(Certified Digital Forensic Investigator) certification. This certification was recognized by ACFE at 2011. CDFI is the first Brazilian-based forensic certification recognized throughout the world.
Digital Discovery Corporation
Digital Discovery Corporation went above and beyond on a very sensitive, high-pressure project this past year. They immediately mobilized and went on-site to a client’s offices, imaged over 100 machines and 20 servers, and immediately began a large-scale key-word of relevant terms, and gave us the results in record time.
Mandiant consultants have the expertise to solve proactive and responsive security issues accurately, timely and professionally. Our professionals have security and consulting experience, advanced degrees from the most reputable computer science universities, multiple industry certifications, top government clearances, and experience as analysts and federal investigators. Further, we have authored several security publications, including Incident Response: Investigating Computer Crime, Rootkits: Subverting the Windows Kernel, and Hacking Exposed: Network Security Secrets & Solutions.
Digital Forensic Examiner of the Year
Lee has been a generous and indefatigable contributor to the digital forensics community. He has made a invaluable contribution through his research efforts into digital forensics artifacts such as Volume Shadow Copies as well as his incredible communication ability through his blog, podcasts, and Twitter feeds.
Aside from his forensic triage tool, Matt took the lead in setting up http://forensicartifacts.com in an effort to build a community supported archive of forensic traces that examiners are likely to encounter.
He is a professor at Champlain College, has been working in the field since it’s near infancy. He has worked with law enforcement, Vermont ICAC, Mandiant, civilian cases, etc, and he has been the best professor that can really get his students motivated and wanting to learn more about Computer and Digital Forensics. He assists his students every step of the way, but also pushes them to go further and learn on their own.