Forensic 4cast Awards 2013 – Meet the Nominees

    Posted on April 10, 2013 by Lee Whitfield in News.

    You may be aware that voting for the 2013 Forensic 4cast Awards is now open. Voting will remain open until May 31 2013, after which it closes to allow time for the awards to be engraved.

    Many people in the field placed their nominations and the top three from each category progressed to the voting stage. You can place your votes here.

    If you don’t know the nominees, have no fear: Brian Moran has put together a list of the nominees along with a description of why each was nominated:

    Computer Forensic Software of the Year

    4n6time

    4n6time (formerly l2t_Review) is an open source tool created by David Nides (author of the Forensic 4Cast 2012 Digital Forensic Article of the Year) that parses and presents data generated by the Forensic 4Cast 2012 Computer Forensic Software Tool of the Year, log2timeline.  4n6time allows the user to filter, highlight, sort, tag, bookmark, and search on common data fields.  It also presents the data in an easy to understand and recognize format, which further enhances the overall value of timeline data.

    If you would like to learn more about this nominee, please visit the following link: https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time

    Internet Evidence Finder

    Internet Evidence Finder (IEF) is a commercial tool released by Magnet Forensics (formerly JADsoftware) that allows an examiner to search and correlate over 200 artifacts and present the data in an easy to digest format. Magnet Forensics has also made a fully functional free trial of IEF available to examiners seeking to evaluate the product.

    If you would like to learn more about this nominee, please visit the following link:

    http://www.magnetforensics.com/products/internet-evidence-finder/

    Volatility

    The Volatility Framework is an open source collection of tools for extracting digital artifacts from volatile memory (RAM).  The suite supports memory dumps from every major 32- and 64-bit Windows operating system, including crash dumps, hibernation files, and virtual machine snapshots.  The Volatility development team is continually refining and extending the tool's capabilities.

    If you would like to learn more about this nominee, please visit the following link:

    https://code.google.com/p/volatility/

    Digital Forensic Blog of the Year

    “Volatility Labs Blog” – Volatility Team

    The Volatility Labs Blog is a collaborative effort of the Volatility Team that not only highlights developments in the Volatility Framework; it also provides real-world examples and insights into the use of memory analysis during an investigation. The team combined for 34 blog posts during a four-month period in 2012.

    If you would like to learn more about this nominee, please visit the following link:

    http://volatility-labs.blogspot.com/

    “Digital Forensics Blog” – Ken Pryor

    The Digital Forensics Blog, maintained by Ken Pryor, offers insight into the digital forensics field through the eyes of an individual with a law enforcement background.  Ken covers a wide variety of topics in a very practical and easy to understand format (and as if the material written by Ken weren't enough, he also welcomes guest bloggers).  Ken also routinely reviews DFIR-related publications on his blog.

    If you would like to learn more about this nominee, please visit the following link:

    http://digiforensics.blogspot.com/

    “Journey into Incident Response” –  Corey Harrell

    The Journey Into Incident Response (Growing into a Cyber Investigator) blog, maintained by Corey Harrell, presents information that Corey has found useful during the course of examinations and research.  Corey also covers a wide variety of topics in great detail (thankfully with lots of examples/pictures!) and is a great resource for both junior and seasoned examiners.

    If you would like to learn more about this nominee, please visit the following link:

    http://journeyintoir.blogspot.com/

    Phone Forensic Hardware of the Year

    UFED Touch

    The UFED Touch is the successor to the Forensic 4Cast 2009-2012 Phone Forensic Hardware Tool of the Year award winner, the Cellebrite UFED. The UFED Touch is a portable device with an easy to follow user interface that allows on-site acquisition, decoding, and analysis of a wide range of mobile devices.  It uses a new cable management system and a more advanced operating system that allows faster acquisition of mobile devices compared to previous models.

    If you would like to learn more about this nominee, please visit the following link:

    http://www.cellebrite.com/mobile-forensic-products/ufed-touch-logical.html

    Project-a-Phone

    The Project-a-Phone product line offered by Paraben gives examiners a robust way to document the data shown on the screens of mobile devices; it also makes it possible to document the state of a mobile device during the course of an examination.  The Project-a-Phone is well suited to an examiner who is required to perform “scroll analysis” on a device and document that data in pictures or video.

    If you would like to learn more about this nominee, please visit the following link:

    http://www.projectaphone.com/

    XRY Field Version

    The XRY Field Version is a portable mobile device forensic solution produced by Micro Systemation.  It combines a hardware and software solution into one rugged, portable case and allows examiners to conduct a mobile device acquisition and analysis in almost any situation.  Micro Systemation also lets the user choose between a netbook or an upgrade to a more powerful laptop that can be converted into a tablet.

    If you would like to learn more about this nominee, please visit the following link:

    http://www.msab.com/xry/field-version

    Digital Forensics Book of the Year

    “Malware Forensics Field Guide” – Cameron Malin, Eoghan Casey & James Aquilina

    Cameron Malin, Eoghan Casey, and James Aquilina released the Windows version of the Malware Forensics Field Guide in 2012. The book is meant to serve as a roadmap for dealing with malware in an incident response and/or forensic analysis capacity.  It organizes the material into an easy-to-follow reference guide that improves an examiner's chances of identifying and understanding malware present on a system.

    If you would like to learn more about this nominee, please visit the following link:

    http://www.syngress.com/digital-forensics/Malware-Forensics-Field-Guide-for-Windows-Systems/

    “Practical Malware Analysis”  – Michael Sikorski & Andrew Honig

    Michael Sikorski and Andrew Honig co-authored Practical Malware Analysis (The Hands-On Guide to Dissecting Malicious Software), published in 2012.  The book covers every aspect needed to perform malware analysis, starting with the creation of a safe testing environment and moving through many of the popular malware analysis tools and services, and gives readers hands-on practice with malware analysis skills. This is one of the few books that appeals to both seasoned malware analysts and individuals interested in learning about the field.

    If you would like to learn more about this nominee, please visit the following link:

    http://nostarch.com/malware

    “The Basics of Digital Forensics”  – John Sammons

    Syngress added another entry to its digital forensics library with The Basics of Digital Forensics in 2012.  The book is meant to provide a baseline for newcomers to the digital forensics field.  In it, John Sammons reviews the methodologies, concepts, and tools that examiners use every day.  While the book is intended for new and future DFIR professionals, it also serves as a great “back to basics” refresher for experienced analysts.

    If you would like to learn more about this nominee, please visit the following link:

    http://www.syngress.com/digital-forensics/The-Basics-of-Digital-Forensics/

    Computer Forensic Hardware of the Year

    Tableau TD3

    The Tableau TD3 Forensic Duplicator is the successor to the Forensic 4Cast 2012 Computer Forensic Hardware Tool of the Year “Tableau TD2”.  The TD3 model of the very popular forensic duplicator line includes a touch screen user interface, the ability to acquire a variety of hard drive types, networked devices, USB devices, and FireWire devices.  It is one of the most flexible and robust forensic imaging solutions currently available on the market.

    If you would like to learn more about this nominee, please visit the following link:

    http://www.tableau.com/index.php?pageid=products&model=TD3

    UltraDock 5

    The UltraDock V5 is the latest forensic write-blocker from WiebeTech.  It contains an updated chipset and offers USB 3, eSATA, and FireWire 800 host connections.  The UltraDock V5 was the first forensic write-blocker on the market to offer USB 3 connectivity and is currently the most cost-effective USB 3 forensic write-blocker available.

    If you would like to learn more about this nominee, please visit the following link:

    http://www.wiebetech.com/products/Forensic_UltraDock_v5.php

    Tableau T35u

    The Tableau T35u is the first forensic bridge from Tableau with a USB 3 port.  The T35u also features updated internal components and a new “firmware update mode” that reduces the chance of an inadvertent failure while updating the device's firmware.

    If you would like to learn more about this nominee, please visit the following link:

    http://www.tableau.com/index.php?pageid=products&model=T35u

    Phone Forensic Software of the Year

    Cellebrite Physical Analyzer

    It’s back! The Forensic 4Cast 2012 Phone Forensic Software Tool of the Year winner is looking to defend the award in 2013. Cellebrite Physical Analyzer has gone through a few major updates, including an industry-first malware-detection capability and a streamlined timeline analysis feature.  It can also recognize and parse data from a variety of sources, including mobile forensic images acquired with a different tool or technique, and mobile device backups.

    If you would like to learn more about this nominee, please visit the following link:

    http://www.cellebrite.com/mobile-forensic-products/ufed-applications/ufed-physical-analyzer.html

    XRY

    XRY is the software application that complements Micro Systemation’s XRY hardware products and lets a user process data from a variety of mobile device sources.  As mobile device adoption continues to grow at such a rapid pace, Micro Systemation recognized the potential for mobile device case backlogs and added to XRY the capability to extract data from multiple devices at the same time.

    If you would like to learn more about this nominee, please visit the following link:

    http://www.msab.com/xry/what-is-xry

    WhatsApp Xtract

    WhatsApp Xtract is an open-source, Python-based tool from Zena Forensics that allows an examiner to quickly extract and parse data stored by the popular “WhatsApp” messaging application on mobile devices.  The tool simplifies correlating data from multiple tables (and, depending on the mobile device, multiple files) and presents the WhatsApp data in an easy to digest format.

    If you would like to learn more about this nominee, please visit the following link:

    http://blog.digital-forensics.it/2012/05/whatsapp-forensics.html

    Digital Forensic Article of the Year

    “Incident Response with NTFS INDX Buffers” Hamm & Ballenthin

    The NTFS file system uses INDX buffers to track the contents of a folder.  Jeff Hamm and William Ballenthin co-wrote a four-part series of articles on the Mandiant blog covering the extraction, structure, and parsing of INDX buffers and attributes.  Hamm and Ballenthin detail how the methodology can be used to recover information about deleted files (the $FILE_NAME entries left behind in the buffer's slack space still carry the file name, size, and timestamps) and so add yet more tools to the arsenal of a digital forensic analyst.

    If you would like to learn more about this nominee, please visit the following link:

    https://www.mandiant.com/blog/striking-gold-incident-response-ntfs-indx-buffers-part-1-extracting-indx/
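    The example below is added here and is not code from the Hamm and Ballenthin articles. It decodes the 8-byte-aligned index entries of a directory's $I30 INDX record (the buffer is assumed to have had its update-sequence fixups already applied and to begin at the first entry), walks the live entries up to the end-of-list marker, and then carves the slack that follows for stale $FILE_NAME entries whose parent reference matches the directory. The INDX record, the directory's MFT reference (entry 5, sequence 1), the file names and the timestamps are all constructed for the example.

```python
"""Added example: decode NTFS $I30 index entries and carve INDX slack.
Assumes an INDX entry area with fixups already applied. Sample data below
is constructed for the example."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FN_FIXED_LEN = 0x42            # $FILE_NAME attribute bytes preceding the name
FLAG_SUBNODE, FLAG_LAST = 0x01, 0x02


def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_entry(buf, off, dir_ref=None):
    """Decode the index entry at buf[off:]; return None if it is not a
    well-formed $FILE_NAME entry (this is also the validator used when
    carving). If dir_ref is given, the parent reference must equal it."""
    if off + 16 > len(buf):
        return None
    mft_ref, entry_len, fn_len, flags = struct.unpack_from("<QHHI", buf, off)
    if flags & FLAG_LAST and fn_len == 0:       # end-of-list marker, no name
        return {"last": True, "entry_len": entry_len, "flags": flags}
    if entry_len % 8 or entry_len < 16 + fn_len or off + entry_len > len(buf):
        return None
    if fn_len < FN_FIXED_LEN:
        return None
    fn = off + 16
    (parent_ref, crt, mod, _mft_mod, acc, alloc, real, _fflags, _reparse,
     name_len, namespace) = struct.unpack_from("<7QIIBB", buf, fn)
    if name_len == 0 or fn_len != FN_FIXED_LEN + 2 * name_len:
        return None
    if dir_ref is not None and parent_ref != dir_ref:
        return None
    name = buf[fn + FN_FIXED_LEN:fn + fn_len].decode("utf-16-le", "replace")
    return {
        "last": False, "entry_len": entry_len, "flags": flags,
        "mft_entry": mft_ref & 0xFFFFFFFFFFFF, "mft_seq": mft_ref >> 48,
        "name": name, "namespace": namespace, "size": real, "allocated": alloc,
        "created": filetime_to_dt(crt), "modified": filetime_to_dt(mod),
        "accessed": filetime_to_dt(acc),
    }


def parse_index_entries(buf, dir_ref):
    """Walk the live entry list up to the FLAG_LAST marker, then carve the
    slack that follows for remnants of deleted or renamed entries."""
    active, off = [], 0
    while True:
        e = parse_entry(buf, off)
        if e is None:
            raise ValueError("corrupt index entry at offset %d" % off)
        off += e["entry_len"]
        if e["last"]:
            break
        active.append(e)
    carved, pos = [], off
    while pos + 16 + FN_FIXED_LEN <= len(buf):
        e = parse_entry(buf, pos, dir_ref)
        if e and not e["last"]:
            carved.append(e)
            pos += e["entry_len"]
        else:
            pos += 8                 # entries are 8-byte aligned in the record
    return active, carved


def build_entry(mft_no, seq, parent_no, parent_seq, name, size, created, modified):
    """Constructed sample data: serialise one index entry for the demo."""
    name_u = name.encode("utf-16-le")
    fn_len = FN_FIXED_LEN + len(name_u)
    entry_len = (16 + fn_len + 7) & ~7
    ft_c, ft_m = dt_to_filetime(created), dt_to_filetime(modified)
    fn_attr = struct.pack("<7QIIBB", (parent_seq << 48) | parent_no,
                          ft_c, ft_m, ft_m, ft_m, (size + 4095) & ~4095, size,
                          0x20, 0, len(name_u) // 2, 1) + name_u
    head = struct.pack("<QHHI", (seq << 48) | mft_no, entry_len, fn_len, 0)
    return (head + fn_attr).ljust(entry_len, b"\x00")


DIR_REF = (1 << 48) | 5         # constructed: directory is MFT entry 5, sequence 1
T = datetime(2012, 11, 3, 9, 30, tzinfo=timezone.utc)
LAST_ENTRY = struct.pack("<QHHI", 0, 16, 0, FLAG_LAST)
SAMPLE_INDX = (
    build_entry(41, 2, 5, 1, "alpha.txt", 1200, T, T + timedelta(days=1))
    + build_entry(42, 1, 5, 1, "report.docx", 48000, T, T + timedelta(days=2))
    + LAST_ENTRY
    # slack: stale bytes from an earlier version of this index, still holding
    # the entry for a file that has since been deleted
    + b"\x00" * 24
    + build_entry(43, 1, 5, 1, "secret.xlsx", 9500, T, T + timedelta(hours=3))
).ljust(4096, b"\x00")


def recover_directory(buf=SAMPLE_INDX, dir_ref=DIR_REF):
    active, carved = parse_index_entries(buf, dir_ref)
    return {"active": [e["name"] for e in active],
            "carved": [(e["name"], e["mft_entry"], e["size"]) for e in carved]}


if __name__ == "__main__":
    result = recover_directory()
    print("live entries :", result["active"])
    for name, mft_no, size in result["carved"]:
        print("slack entry  : %s (MFT #%d, %d bytes)" % (name, mft_no, size))
```

    The parent-reference check is what keeps slack carving honest: a remnant whose parent does not match the directory being examined is either from a different folder's old buffer or random data, so it is skipped rather than reported.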

    “NTFS Triforce – A deeper look inside the artifacts” Cowen

    David Cowen authored this post detailing how information from the $MFT (Master File Table), the $LogFile, and the $UsnJrnl can be combined to show changes in the ownership, SID, timestamps, and attributes of a file, the moving and renaming of a file, and even a summary of the actions that occurred to a file.  The information in the post can be put to use across the entire DFIR community.

    If you would like to learn more about this nominee, please visit the following link:

    http://hackingexposedcomputerforensicsblog.blogspot.com/2013/01/ntfs-triforce-deeper-look-inside.html
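    The example below is added here and is not Cowen's code. It decodes USN_RECORD_V2 entries from a fragment of $UsnJrnl:$J, pairs each RENAME_OLD_NAME record with the RENAME_NEW_NAME record that follows it so that a rename can be told apart from a move into another directory, and resolves parent directories through a lookup table that stands in for the paths an $MFT parse would supply ($LogFile, the third leg of the Triforce, is not covered). The journal fragment, MFT entry numbers, directory paths and timestamps are all constructed.

```python
"""Added example: decode $UsnJrnl:$J records and rebuild per-file history.
The directory path table that $MFT would provide is constructed here."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HDR = struct.Struct("<IHHQQQQIIIIHH")      # USN_RECORD_V2 fixed part, 60 bytes
REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}


def parse_usn_records(buf):
    """Return one dict per USN_RECORD_V2 in buf, skipping zero padding."""
    out, off = [], 0
    while off + HDR.size <= len(buf):
        (length, major, _minor, fref, pref, usn, ts, reason, _src, _sid,
         _attrs, name_len, name_off) = HDR.unpack_from(buf, off)
        if length == 0:                     # padding at the end of a page
            off += 8
            continue
        if major != 2 or length % 8 or length < HDR.size or off + length > len(buf):
            raise ValueError("bad USN record at offset %d" % off)
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        out.append({
            "usn": usn, "file": fref & 0xFFFFFFFFFFFF, "parent": pref & 0xFFFFFFFFFFFF,
            "time": FILETIME_EPOCH + timedelta(microseconds=ts // 10),
            "reason": reason, "reasons": [n for b, n in REASONS.items() if reason & b],
            "name": name,
        })
        off += length
    return out


def file_history(records, dir_paths):
    """Group records by MFT entry number and emit a timeline per file.
    dir_paths maps a directory's MFT entry number to its path (from $MFT)."""
    history, pending = {}, {}
    for r in sorted(records, key=lambda r: r["usn"]):
        f, rs, t = r["file"], r["reason"], r["time"]
        events = history.setdefault(f, [])
        path = dir_paths.get(r["parent"], "<MFT#%d>" % r["parent"]) + "\\" + r["name"]
        if rs & 0x200:                               # FILE_DELETE
            events.append((t, "deleted", path))
        elif rs & 0x1000:                            # RENAME_OLD_NAME: remember it
            pending[f] = (r["parent"], path)
        elif rs & 0x2000:                            # RENAME_NEW_NAME: pair it up
            old_parent, old_path = pending.pop(f, (None, "<unknown>"))
            kind = "renamed" if old_parent in (None, r["parent"]) else "moved"
            events.append((t, kind, old_path + " -> " + path))
        elif rs & 0x100 and not events:              # FILE_CREATE
            events.append((t, "created", path))
        elif rs & 0x7:                               # data written or truncated
            events.append((t, "content changed", path))
    return history


def build_usn(usn, file_no, parent_no, when, reason, name):
    """Constructed sample data: serialise one USN_RECORD_V2."""
    name_u = name.encode("utf-16-le")
    length = (HDR.size + len(name_u) + 7) & ~7
    ts = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    rec = HDR.pack(length, 2, 0, (1 << 48) | file_no, (1 << 48) | parent_no,
                   usn, ts, reason, 0, 0, 0x20, len(name_u), HDR.size) + name_u
    return rec.ljust(length, b"\x00")


T0 = datetime(2013, 1, 14, 8, 0, tzinfo=timezone.utc)
DIR_PATHS = {5: r"C:\Users\bob\Documents", 7: r"C:\Users\bob\Desktop"}  # constructed


def make_sample_journal():
    """Constructed $J fragment: file 42 is created, written, moved and
    renamed into another directory, then deleted."""
    specs = [
        (42, 5, T0, 0x00000100, "draft.docx"),                         # create
        (42, 5, T0 + timedelta(minutes=1), 0x80000102, "draft.docx"),  # extend+close
        (42, 5, T0 + timedelta(hours=2), 0x00001000, "draft.docx"),    # old name
        (42, 7, T0 + timedelta(hours=2), 0x00002000, "report.docx"),   # new name
        (42, 7, T0 + timedelta(days=1), 0x80000200, "report.docx"),    # delete+close
    ]
    buf, usn = b"", 0x1000
    for file_no, parent_no, when, reason, name in specs:
        rec = build_usn(usn, file_no, parent_no, when, reason, name)
        buf, usn = buf + rec, usn + len(rec)
    return buf + b"\x00" * 64


if __name__ == "__main__":
    history = file_history(parse_usn_records(make_sample_journal()), DIR_PATHS)
    for file_no, events in history.items():
        print("MFT entry", file_no)
        for when, what, detail in events:
            print("  %s  %-16s %s" % (when.isoformat(), what, detail))
```

    Note that reason flags accumulate while a handle is open, which is why the second record carries FILE_CREATE as well as DATA_EXTEND and CLOSE; the history builder therefore reports "created" only for the first record of a file and treats later records by their most significant flag.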

    “Leveraging the Application Compatibility Cache in Forensic Investigations” Davis

    Andrew Davis authored this post on the Mandiant blog, which covers the file metadata recorded in the Windows Application Compatibility Cache (file path, size, last-modified time and, depending on the Windows version, a cache update time or a process-execution flag) and announced the free tool “Shim Cache Parser”.  The post also linked to a white paper with more details on the cache; however, the link no longer works.

    If you would like to learn more about this nominee, please visit the following link:

    https://www.mandiant.com/blog/leveraging-application-compatibility-cache-forensic-investigations/

    Digital Forensic Organization of the Year

    Volatility Team

    The Volatility Team (who are also behind the Computer Forensic Software and Digital Forensics Blog nominees) is the driving force behind the inclusion of memory acquisition and analysis in a standard forensic examination.  Thanks to the team's hard work, the reflex of “powering down” a system and performing dead-box forensics has given way to a “gather live data” mindset, which has revolutionized the incident response and digital forensics field.

    If you would like to learn more about this nominee, please visit the following link:

    https://code.google.com/p/volatility/wiki/VolatilityTeam

    Verizon RISK

    The Verizon RISK team is an integral part of the Verizon Security Products offerings.  The RISK team responds to incidents, gathers data, and returns actionable intelligence for their clients.  The RISK team also helps the community by providing analysis and indicators as well as the widely read Data Breach Investigations Report.

    If you would like to learn more about this nominee, please visit the following link:

    http://www.verizonenterprise.com/products/security/risk-team/

    Mandiant

    Mandiant offers clients its homegrown products, services, and professionals in an effort not only to respond to an incident or data breach, but also to protect clients from potential incidents.  Mandiant provides several products and resources, including an annual threat report, community-driven indicators of compromise, and the M-Unition security blog.

    If you would like to learn more about this nominee, please visit the following link:

    http://www.mandiant.com/

    Digital Forensic Examiner of the Year

    Andrew Case

    Andrew is currently a research engineer responsible for research and development projects related to memory, disk, and network forensics.  He is the co-developer of Registry Decoder, is a member of the Volatility Team, and has presented at numerous security conferences and gatherings.

    Andrew can be found on Twitter with the handle @attrc

    Alissa Torres

    Alissa is currently an incident handler at Mandiant, where she finds evil on a daily basis.  She is an instructor with SANS and has presented at numerous security conferences and gatherings.

    Alissa can be found on Twitter with the handle @sibertor

    Heather Mahalik

    Heather is currently the mobile device group technical lead at Basis Technology.   She has over 10 years of experience in the DFIR field and specializes in mobile device forensics, Windows and Macintosh forensics, research, and instruction.

    Heather can be found on Twitter with the handle @HeatherMahalik
