Sunday, December 14, 2014

Conference in Belgrade

A colleague suggested a conference in Belgrade on 11 and 12 December 2014 about money laundering, fraud, financial forensics and similar issues, "Stručni skup - Borba protiv prevara i korupcije u privredi". The first day was interesting: professional auditors and experts were talking about their practice and experience in a region which is probably the most corrupt and fraud-ridden in the whole of Europe. A nice touch, a bit off from forensics but very interesting, was a lecture about lies and detecting fraud and lies in communication. To summarize, the first, technical day was a very good one.

The second day was intended to be the scientific one, but it turned into something strange, almost supernatural. The schedule was changed, lectures were not given in the language noted in the materials but in whatever the author was fond of, mostly without presentations ... horrible. There was even a bit of a scandal when one ambassador left in the middle of the paper presentations, probably insulted by the topics. The whole day looked like it came straight from the Branislav Nušić play "Gospođa Ministarka".

It was also fun to watch and listen while trying to figure out what the presenters were talking about in Russian, Bulgarian etc.

Anyhow, I don't think we will attend the same conference next year.

Wednesday, December 10, 2014

Programming and digital forensics

Just again trying to gather some courage and inspiration to write about programming and digital forensics, or more widely about why introducing a purposely designed language can be a good idea.

Having a programming language, or a specially defined language, may not look like a very important issue, but in my opinion, and from experience in other computing fields, a purpose-oriented language or dialect can be very beneficial.

Digital forensics has been troubled from the beginning by its different origins and by legal oversight. Like any forensic science it is partly forensics and partly computer science and engineering. Unfortunately the tools and practices are not as good as they should be, and the field suffers a lot from not using ideas like scripting, automation and parallelism, which have been in use for ages in computer engineering and computer science.

Depending on canned solutions, which are powerful in their own world but very limiting in cooperation and performance, is a major problem. This is coupled with Microsoft Windows as the major platform and with users who are often not sufficiently educated and trained. In most scenarios they may be well trained in using a specific tool, but usually lack an understanding of how to use modern computers efficiently, or better said, they miss the whole idea of why the computer is here and why it is programmable in a more complex way than a washing machine.
Very often the basic idea of what we are actually doing is missing; inadequate procedures and huge volumes of data to process, which overwhelm the capacity of the forensic workstation, are common problems. Huge bottlenecks in processing are the usual state of the art, and so is days-long processing.
Maybe the strangest thing is the inability to share results among tools (there are a few exceptions, to be honest). It is an impossible situation when something should be compared or reused and the vendor tool simply does not allow that .. and everyone involved accepts such a state of affairs as normal; or when you know the data is already there but, because of a clumsy interface or some other reason, you can't reach it without a lot of coding and the use of other, non-forensic tools.

So why all this and a specific language? Because a language is a tool to describe the tasks, the data involved and the result produced. With something like that, the tools are not so important, since there is a specification which gives a clear idea of what should be done. It also means that using different tools is simple, since all of them share a common language, and most of the tasks can be automated and parallelised.

create case  caseone
 add evidence evidence1-file with filesystem
 do signature analyses
 do hash analyses
 do search raw  by keyword list list1, bookmark finds
 do image search by hashset hashone, bookmark finds
 report from bookmark
 close case

This looks like one small dedicated program ... and you have to learn additional syntax :)
So where are the advantages? OK, let's imagine EnCase has a module to process this code and FTK has the same, or any other tool ...

I have to elaborate on this more ... :)
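As an added example (my code, not the author's and not a module of EnCase, FTK or any other vendor), here is a small Python 3 interpreter for the case language sketched above: it parses exactly the eight statements of the post's script and executes them with a reference backend over a constructed evidence folder, so the same script text could drive any tool that implements the statements. The grammar, the signature table, the sample files, the keyword list and the hashset are my own assumptions.

```python
import hashlib
import os
import re
import tempfile

# One regular expression per statement of the mini case language (grammar assumed here).
GRAMMAR = [
    ("create", re.compile(r"create case (\S+)$")),
    ("evidence", re.compile(r"add evidence (\S+) with (\S+)$")),
    ("signature", re.compile(r"do signature analys[ie]s$")),
    ("hash", re.compile(r"do hash analys[ie]s$")),
    ("search", re.compile(r"do search raw by keyword list (\w+), bookmark (\w+)$")),
    ("hashset", re.compile(r"do image search by hashset (\w+), bookmark (\w+)$")),
    ("report", re.compile(r"report from bookmark$")),
    ("close", re.compile(r"close case$")),
]
# Tiny signature table behind "do signature analyses" (constructed, not exhaustive).
MAGIC = {b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"%PDF": "pdf", b"PK\x03\x04": "zip"}

def parse(script):
    """Turn script text into a list of (statement, args); runs of whitespace are collapsed."""
    program = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = " ".join(raw.split())
        if not line:
            continue
        for name, rx in GRAMMAR:
            m = rx.match(line)
            if m:
                program.append((name, m.groups()))
                break
        else:
            raise SyntaxError("line %d: cannot parse %r" % (lineno, raw))
    return program

def read(path):
    with open(path, "rb") as f:
        return f.read()

def identify(data):
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), "unknown")

def files(case):
    """Evidence added 'with filesystem' is walked; any other kind is one raw stream."""
    for path, kind in case["evidence"]:
        if kind != "filesystem":
            yield path
            continue
        for d, _, names in os.walk(path):
            for n in sorted(names):
                yield os.path.join(d, n)

def run(script, evidence, keyword_lists, hashsets):
    """Execute a script; evidence names, keyword lists and hashsets resolve through the dicts."""
    case = None
    for stmt, args in parse(script):
        if stmt == "create":
            case = {"name": args[0], "evidence": [], "results": {}, "bookmarks": {}, "closed": False}
        elif case is None or case["closed"]:
            raise RuntimeError("statement %r outside an open case" % stmt)
        elif stmt == "evidence":
            case["evidence"].append((evidence[args[0]], args[1]))
        elif stmt == "signature":
            case["results"]["signature"] = {f: identify(read(f)) for f in files(case)}
        elif stmt == "hash":
            case["results"]["hash"] = {f: hashlib.md5(read(f)).hexdigest() for f in files(case)}
        elif stmt == "search":
            hits = [(f, kw, m.start()) for f in files(case) for kw in keyword_lists[args[0]]
                    for m in re.finditer(re.escape(kw), read(f))]
            case["bookmarks"].setdefault(args[1], []).extend(hits)  # "finds" is shared, so append
        elif stmt == "hashset":
            hashes = case["results"].get("hash") or {f: hashlib.md5(read(f)).hexdigest() for f in files(case)}
            found = [(f, h) for f, h in hashes.items() if h in hashsets[args[0]]]
            case["bookmarks"].setdefault(args[1], []).extend(found)
        elif stmt == "report":
            case["report"] = ["%s: %s %s" % (name, os.path.basename(e[0]), e[1:])
                              for name, entries in case["bookmarks"].items() for e in entries]
        elif stmt == "close":
            case["closed"] = True
    return case

SCRIPT = """create case  caseone
 add evidence evidence1-file with filesystem
 do signature analyses
 do hash analyses
 do search raw  by keyword list list1, bookmark finds
 do image search by hashset hashone, bookmark finds
 report from bookmark
 close case"""

def demo():
    """Run SCRIPT (the post's example, verbatim) over a constructed evidence folder."""
    root = tempfile.mkdtemp(prefix="evidence1-")
    samples = {"note.txt": b"meeting with john at noon", "doc.pdf": b"%PDF-1.4 secret plan",
               "pic.png": b"\x89PNG\r\n\x1a\n" + b"not a real picture"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return run(SCRIPT, evidence={"evidence1-file": root}, keyword_lists={"list1": [b"secret", b"john"]},
               hashsets={"hashone": {hashlib.md5(samples["pic.png"]).hexdigest()}})
```

Calling `demo()["report"]` lists the three bookmarked finds (two keyword hits and one hashset match); note that both `bookmark finds` statements append to the same bookmark, which is why the interpreter extends rather than replaces.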

Some Python script ideas as examples in digital forensics

Python works perfectly in a UNIX-like environment, and also very well on Windows, but when we start to tackle low-level issues like accessing raw devices some troubles surface ...

It is not about Python but about the MS platform and its very non-POSIX behaviour, and worst of all the lack of documentation about some system programming issues on Windows. All these issues make it very hard to achieve the reliability required for a forensic-grade application; basically you can't trust the code because it is not defined how it should work or how it is working. This is why most Python forensic things and other serious forensic tools exist on UNIX.

The same problem can be defined for commercially available forensic applications: we can only trust their developers that the code is right and doing the right thing, since we don't have access to it and don't have a specification of what it should do, especially if we are talking about some esoteric situation like complex registry interpretations etc.

Let's talk about the simple task of erasing a disk. On a POSIX machine it is easy, since all steps are defined and standardized. On Windows it is a nightmare: standard file I/O calls do not work because of some obscure security mechanism which is not described well, and the semantics of the operation can be found only through scattered examples. Worst of all, if an example works on XP it will surely not work on newer platforms because of security tightening.

Since we are bound to use Windows as the implementation platform, some examples are quite a challenge:

  • Forensically acceptable media erasing
  • Hashing files, folders, raw devices
  • Keyword search
  • File indexing and using index structures for search
  • Timeline analysis
  • Interacting with other tools and programs
  • Recycle bin recovery
  • Windows registry file access


In more detail, what we will play with in future:

Exercise script task / description

  • Version and type of OS
    Get the type and version of the OS on your live machine through Python. Can be done from the command line or from an application.
  • OS module in Python to retrieve this information
    Type the command in the Python command line and then execute the script.
  • Interaction with a live program from the Python interpreter
    Call a Windows command-line utility from Python and filter out the required data.
  • Hashing
    Create a script to hash files, folders and raw devices on Windows; entropy is defined too.
  • Hash files, folders, raw devices and logical devices
    Create a script to hash files, folders and raw devices on Windows; discuss issues in various implementation solutions and storing / reusing results.
  • Redirection of output / input
    How to connect two Python scripts together in a pipe on the command line.
  • Storing output data in CSV format
    How to store results in other formats like CSV, and log the events during execution.
  • Keyword search
    Search for keywords in various files.
  • Show results in hex and string mode
    Grep, plain search in binary / hex format.
  • Introduction to regexp usage
  • Storing results of a search in a list or dictionary
    How to store results.
  • Indexing
    How to index file content.
  • Indexing a set of files and storing the data for later use
    How to index file content and use the results for search; how to store results.
  • Using an existing index from other Python programs / the command line
  • Timeline creation
    log2timeline as an application (?) probably not, because of the SIFT workstation. Create a timeline from a set of files based on metadata values and analyze it (?). log2timeline as a tool called from the command line.
  • Metadata EXIF / GPS handling
    How to extract and analyze EXIF / GPS metadata from pictures with a Python script.
  • Windows registry analysis and access
    How to access data in registry files and analyze it through Python.
  • General access to registry files
    How to access the registry from the command line.
  • WiFi locations as an example
    How to extract WiFi locations stored in the registry.
  • Recycle bin access
    How to access the Windows recycle bin folder and recover data.
  • Examining metadata in PDFs and Microsoft documents
  • Investigating Skype artifacts
  • Enumerating browser artifacts from Firefox databases
  • Examining mobile device artifacts
  • Drive cleaning
    Cleaning the drive by means of an external program from the Python command line.
  • Using a drive cleanser as a module or as an external tool
    Cleaning the drive by means of an external program from the Python command line.
  • libewf compilation on Windows
    Compile, or just install, the libewf library which allows access to images in E01 and other formats.
  • Detecting TrueCrypt volumes in dd or forensic images
    Comment the script and how to reuse the script or change it for your environment.
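As an added worked example (my code, not the course's scripts), here is what the hashing, entropy, CSV-storage and "detecting TrueCrypt volumes" items above could look like together in Python 3: one chunked pass per file or raw device computes MD5, SHA-256, a signature guess and the Shannon entropy, and the rows are written as CSV. The signature table, the 512-byte size alignment and 7.9-bit entropy threshold of the "suspect" flag, and the sample files are my own assumptions; the Windows "Permission denied at EOF" quirk discussed in the December 5 post is not handled here.

```python
import collections
import csv
import hashlib
import io
import math
import os
import tempfile

# Signatures we recognise (constructed table, not exhaustive).
MAGIC = {b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
FIELDS = ["path", "size", "kind", "md5", "sha256", "entropy", "suspect"]

def analyse_stream(stream, bufsize=32768):
    """One chunked pass over a file or raw device: hashes, signature and byte histogram."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    hist, size, head = collections.Counter(), 0, b""
    while True:
        chunk = stream.read(bufsize)
        if not chunk:
            break
        head = head or chunk[:8]
        md5.update(chunk)
        sha256.update(chunk)
        hist.update(chunk)  # a bytes object iterates as ints 0..255
        size += len(chunk)
    # Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly spread bytes.
    entropy = 0.0 - sum(n / size * math.log2(n / size) for n in hist.values()) if size else 0.0
    kind = next((k for magic, k in MAGIC.items() if head.startswith(magic)), "unknown")
    # Heuristic (assumption): high entropy, no known signature and a sector-aligned size
    # mark a candidate encrypted container; compressed data looks the same, so this is a
    # pointer for closer examination, not a verdict.
    suspect = size > 0 and size % 512 == 0 and kind == "unknown" and entropy > 7.9
    return {"size": size, "kind": kind, "md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "entropy": round(entropy, 4), "suspect": suspect}

def analyse_bytes(data):
    return analyse_stream(io.BytesIO(data))

def analyse_path(path):
    r"""A directory is walked; a file, or a raw device path such as \\.\PhysicalDriveN, is one stream."""
    targets = [path]
    if os.path.isdir(path):
        targets = [os.path.join(d, n) for d, _, names in os.walk(path) for n in sorted(names)]
    rows = []
    for target in targets:
        with open(target, "rb") as f:
            row = analyse_stream(f)
        row["path"] = target
        rows.append(row)
    return rows

def rows_to_csv(rows):
    """Serialise result rows as CSV text, the storage format the exercise list asks for."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def build_sample_tree():
    """Constructed evidence folder: a tiny text file, a PNG header and a sector-sized uniform blob."""
    root = tempfile.mkdtemp(prefix="hashdemo-")
    samples = {"abc.txt": b"abc", "pic.png": b"\x89PNG\r\n\x1a\n" + b"x" * 100,
               "container.bin": bytes(range(256)) * 4}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    print(rows_to_csv(analyse_path(build_sample_tree())))
```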




Friday, December 5, 2014

Python training for forensics

Python training for forensics is a very interesting topic, taking into account all the issues around professional digital forensic training. I'll put up some articles about it since it is intriguing and a challenge.

When you start to define tasks, scenarios and scripts to be used it becomes even more interesting. Basically most of the forensic work with Python is done on UNIX-based platforms and not so much on Windows, but as usual, because of some strange conditions, we are bound to do a training based on the Windows platform.

My colleague Jakob Vukalović is developing full-scale tools and scripts; some topics will soon be posted on his blog.

So the first issue is how to calculate a hash on different files and evidence?
For an entry in the file system it is relatively easy to traverse folders and run a hash on it, but what about E01 files, dd and other formats? Some of them are easy; external tools like FTK Imager or Python libraries can be used to access them.

If we have an E01 image and FTK Imager, the simplest way is to mount the image and get it as a Windows raw hard disk in read-only access mode.

When we have a raw device available, can we use Python to get a checksum as for raw devices on UNIX-like machines? Yes, it is possible, but a bit strange.

On the MS support forum you can find how to access raw devices and logical devices through the open/read/close paradigm. If we are going to access physical disk N the device path is "\\.\PhysicalDriveN", and for logical drive X the path is "\\.\X:". So the basic idea is to use the same semantics as on other platforms: open the device path in read-only binary mode, read data from the file into a buffer, update the hash with the buffer and repeat until EOF is reached, then print the hash and close the file. Strangely, there is an error on reaching EOF when reading a raw physical disk, "IOError: [Errno 13] Permission denied", which does not make much sense but kills the process; fortunately Python has exception handling and this saves the day :)

Still, this tweak does not sound right, since handling an exception always means something went wrong, and that is a bad sign in a forensic process .. but this is the MS operating system and its semantics in the working environment of a scripting language which is not native to that closed platform, whatever we say.

#!/usr/bin/python
###################################################################
# code snippet to show how to calculate md5 on raw disk 2 on windows platform
# and how to handle  IOError: [Errno 13] Permission denied
# '\\\\.\\PhysicalDrive2' how to code path to physical drive 2
# '\\\\.\\X:'  how to code path to logical drive X
# this is just a skeleton and must be much much improved for real usage :)
###################################################################

import errno
import hashlib

# path to the raw device
p = '\\\\.\\PhysicalDrive2'

# open path p for reading in binary mode; text mode ('r') would translate
# line endings on Windows and corrupt the hash, so 'rb' is the only correct choice
f = open(p, 'rb')

# initialise the hash module
h = hashlib.md5()

# set the size of one read from the file, performance varies with the size;
# if size is not given f.read tries to load the whole device into memory and crashes
s = 4096

# optimal size for the buffer is 32K (32768), found later in
# http://ojs.pythonpapers.org/index.php/tpp/article/viewFile/243/211

# reading loop: read a chunk into rd; the "Permission denied" error (errno 13)
# at the end of a raw physical disk is treated as EOF, so rd becomes "";
# any other IOError is re-raised because it really is a read failure
while True:
    try:
        rd = f.read(s)
    except IOError as e:
        if e.errno != errno.EACCES:
            raise
        rd = b""
    h.update(rd)
    if rd == b"":
        break

# close raw device, good behaviour
f.close()

# print hash
print(h.hexdigest())
###################################################################

9.2.2017
There was a huge peak on this page on February 3, almost 70 visits, mostly from Germany, very unusual.

It is worth mentioning a new and very interesting book by Chet Hosmer, "Integrating Python with Leading Computer Forensics Platforms". I have not yet got a copy, but the topics listed are very intriguing. I see one thing missing at first glance, Python and mobile forensic tools, but probably there are some copyright issues.

Monday, November 10, 2014

Excellent book about Python and digital forensics "Python Forensics"

It is an excellent book; I finally got some time to read it in detail on the O'Reilly web site. A perfect one, with practical things and a how-to-think-about-the-problem attitude. Some time ago, while we were preparing the training curriculum for OLAF, I suggested a one-week training with almost the same idea.

I'll definitely include it in the next redo of my forensic curriculum at Vsite and Algebra as an extension of the practicals.

This will bring some more excitement into class and practicals; I've noticed that my teaching became a bit dull during the last class...

I was thinking earlier about using only "Violent Python", but "Python Forensics" is better suited for pure forensic training, while the violent one is better for general security issues.

Wednesday, November 5, 2014

EnCase training last week

Last week I've been doing a very pleasant and intense, but still very exhausting, EnCase training:
Forensic 2 and Transition in 7 days in a row. It was for 2 attendees, so more discussion than real training, with a lot of time to go through things, do variations etc.

We have done some scenarios with USB devices and processing, very interesting, with some surprises :)

It was very challenging and took a lot from all of us, especially since we put effort into solving some practical problems; I finally got confirmation that both attendees survived the harsh tempo and EnCase peculiarities.

The version we used is v7.10.01, which is the latest release, more stable than the previous ones but still not as reliable as the now almost formally abandoned version 6. We used processed cases as backup and did the real processing during lunch breaks; it was about 1 minute per 1 GB of processing time, which is acceptable for small educational images. Caches are now much more stable and indexing is working acceptably, but there are quirks when new views are generated on evidence through filters and conditions. Missing conditions in bookmarks and some other views are extremely annoying, but as a user you can't do much.

Tuesday, October 7, 2014

Dark Web Impressions

I did a panel discussion on Digital Investigations in the Deep Web two weeks ago. It was a very pleasant event in Milan. As always, the time frame seemed too small to address the ideas and issues. As I'm not an expert on deep web issues, my research was done to define terminology and phenomenology.
My deepest impression from this event is that, for non-technical users, the fact that Google cannot reach all data on the Internet comes as a surprise, with some sinister afterthoughts: there must be something bad because your web page is not indexed, you are hiding something.

Since the event was with experts from various fields, many of them lawyers or law enforcement, it is obvious that solid definitions are needed, along with a good understanding of how the WWW works. This is something to think about regarding the conservatism in European legal education and training.

Thursday, October 2, 2014

Modeling in security investment



Just yesterday I again got to browse through the newly posted articles in the SANS Reading Room; it is a monthly task (usually) for me. One title caught my attention, and even gave me a pang of envy :)

It is "Modeling Security Investments With Monte Carlo Simulations", which reminded me of the ongoing effort by my friend Biljana Petreska and her paper "Biljana R. Petreska, Tatjana D. Kolemisevska-Gugulovska: A fuzzy rate-of-return based model for portfolio selection and risk estimation. SMC 2010: 1871-1877".

We were often discussing how to adapt this model for presenting ROI for enterprise security investment, using the SANS Critical Security Controls as technical inputs. Fuzzy modeling can probably capture and predict better, but this is still to be tried and proven; the advantage is in presenting security as a portfolio of options ...

I was thinking of using my ancient Tcl port of fuzzy tools, but this is too old and there are better solutions in Python.

Tuesday, September 16, 2014

Enterprise security Messiah

There were some articles about looking for talent in the computer security industry these last days, in the promised lands of the USA and EU.

I don't think that was the authors' intention, but I started to get images of an almost biblical class of saviours for enterprise security issues, almost like prophets searching and moaning for a Messiah.
I suppose such thoughts are politically incorrect to think and speak about, but for me, as a shameless non-believer in the religion of security and with Sunday school experience from the communist regime of the past, it is nothing :)

Without much joking, it really sounds like searching for someone omnipotent who will cure all that is wrong in your busted and evil-penetrated enterprise security and bring salvation ...
A bit silly, but it makes sense in a distorted religious way ... as an example, if we look at the SANS
http://www.sans.org/critical-security-controls/ and just try to imagine how much it really costs to implement, it is obvious why security managers prefer searching for miracles and a Messiah. You need faith to believe in your saviour instead of starting to work and finding competent professionals, not miracle makers.

After summer 2014

Recently I've finished 2 three-day on-demand trainings. The first one was on forensic bridges and write-blockers and the other one was on the Elcomsoft password recovery bundle. The second was challenging because there is no official training for the product, so we decided to modify our anti-forensics and encryption materials to create a suitable training bundle. From the forensic point of view the most challenging task is to keep a forensically correct environment while data goes from one tool to another and back into the final report.

I was trying to avoid heavy math as much as possible in this training, since it does not belong there: it is about tools and forensics, not about cryptography. You must understand what cryptography is, how it works and how it is used in anti-forensics and, most importantly, how to handle it in a forensically sound way. One often overlooked issue is the reliability and forensic acceptability of all the tools used in processing evidence. Good practice is to have proof of correctness for each tool in the chain, but also to have proof for each step of data transfer among tools.

As an example I've used Windows virtual machines with BitLocker and TrueCrypt volumes as investigation targets. We used various tools and scenarios to create memory dumps and tested whether we could retrieve keys from the dumps. All that was done in the safe forensic framework of a proven tool like EnCase and its VFS and PDE features. Through such features it is possible to extract keys from memory dumps or hibernation files and use the Elcomsoft tool to access and dump the protected volume. The extracted data is then reacquired into the original case in the forensic framework tool. More or less the same approach works for all of the password extractors/breakers in the Elcomsoft bundle.

Practicals and hands-on:

Zip peculiarities
Mils unbreakable encryption
Encryption based on a dedicated external device
Password vault tool
Password recovery for TrueCrypt volumes
Windows logon password
Office documents
BitLocker password removal in Elcomsoft
Live forensic access to encrypted data
Live – EnCase Forensic
FTK Imager – memory capture

Memory capture – word extraction

Topics discussed:

Encryption and Antiforensics
Antiforensics or counter forensics
Antiforensics methods
Hiding Data - Encryption
The Caesar Cipher
Example: rot13
Some common types of encryption
Steganography
Data destruction
Antiforensics impact
Encryption and Digital Forensics
Background
Sources
Terminology
Encryption algorithms
Encryption keys
Password/Passphrase Implementation
Key space
Breaking passwords
Zip – removing encryption or changing the password
TrueCrypt – removing encryption or changing the password
Identifying encrypted data
Encryption software
Encrypted files
Approaching decryption
Human factor
Human factor - language
Decryption methodology
Dictionary Attack
Dictionary-based attack tools
Brute force attack
Brute Force Attacks tools
Key-based attack
Password Reset
Rainbow tables
Encryption and digital evidence
Accessing Encrypted Evidence
Encrypted Evidence is real
Decryption in digital forensic investigation: Perception vs. Reality
Types of Encrypted Evidence
Types of Encryption
Where are passwords
How to attack password-protected artifacts
Workflow is repetitive
Additional word sources
Encryption tools
What is there in the wild ?
Example: Passware Kit Forensic
Example: FTK PRTK/DNA
Example: Elcomsoft bundle
Forensic tool approach
Practical Decryption Tool
Dedicated Decryption Tool

Decryption as part of the general purpose forensic tool

Thursday, September 4, 2014

SANS Cyber Aces Online Tutorials

SANS again has excellent materials online for anyone interested in refreshing their general knowledge of computer security: it is the Cyber Aces program, Cyber Aces online tutorials.

Covers the most essential areas for going into security:

1. Introduction to Operating Systems, covers Linux, Windows and using virtual labs
2. Networking, covers all important practical networking issues from layering to application security
3. System Administration, covers web scripting, Bash and PowerShell

Even if you don't plan to do the certification it is good to read and remember what you forgot :)

My favourite is the system administration part, especially PowerShell, as I have always been lagging on Windows scripting.

Sunday, July 20, 2014

Comment on LinkedIn

A few days ago I posted a bit bitter comment on LinkedIn;
it was on the topic "Do you have insight that could help reduce backlogs in digital forensics?"
My comment was " I don't have insight ...
but I'll suggest to use in digital forensics what other fields in computer science and practice have discovered and used ever since dark ages with great success.
Efficient scripting for task automation, standardization, tool compatibility, proper training and education, parallelism in design and task solving, using other OS, not only windows, to deal efficiently with vast amount of data we have today, use proper design techniques and methods to address data processing issues in digital forensic labs ...  probably other issues too, but this comes to my mind now :) "

It really tackles what I learned from working with many commercial forensic tools in the last few years; these elements simply stand as very painful obstacles.

Summer lazy ...

I've just noticed it is more than a month since I posted a page. Actually there are a few drafts, but somehow I can't find a form to finish them; it is definitely summer :)

There is one big post about parallelism in digital forensics which I can't finish, and also a few smaller things,
like comments on the end of the academic year and the first run of ORF.
I have some ideas on tool classification, but this also needs serious thought and work.

To be honest, I'm getting frustrated with the state of affairs in digital forensics, locally and in a general sense; I simply can't avoid the impression that things are being done in a wrong way, opposite to what we know about computer science and engineering, but this again requires elaboration and a cool head to write about.

Tuesday, June 10, 2014

Post OLAF things to do

Since the OLAF spring session finished last week, there are some interesting things to do with the equipment. Mobile phone forensics training was done with new phones and new phone images created locally. Two trainings were done, "Mobile Phone Forensics Basic" and "Mobile Forensics Intermediate".

For this event phone preparation was done in a hurry, but all went well. It is a brand new phone image done locally by some very helpful students who filled the phones with the results of real actions and activities.
What is interesting is to compare what is on the phones after the trainings are finished, and how much and why the phone content diverged, since it was all done from the same master image (for each model of phone we had a master image to clone).

The plan is to do imaging with two tools, UFED and XRY, for each phone and then analyze it.
It will take some time; there are about 30 phones, which takes a few days to acquire data from. If we have enough time EnCase and MPE will also be used.

I'll be updating this post as we go through the whole process.

As the first batch nine Samsung s5280 phones were processed. The phones were bought in the same box and configured together before the training, and now after the training there are some differences: one does not have debug mode enabled, batteries are at different levels.

We managed to process 9 Samsungs in two working days; what was interesting is that processing time varies a lot, from 30 minutes to a few hours.

For the rest of the phones it takes longer than expected, with some peculiarities; it will all be discussed here.
In general there are about 70 dump images from the phones: physical, logical and filesystem dumps.

Tuesday, June 3, 2014

Learning NUIX

I've been playing with NUIX in the time slot which opened up since I'm not involved in training at the OLAF 2014 spring event. My understanding of the NUIX product, like my NUIX skills, is far from good, but the feeling is definitely good. In a nutshell I'm redoing things which were done in EnCase or some other tool.

There is a nice article "A broad evidental view" about the integration of NUIX and UFED, e.g. the ability of NUIX to process the results of UFED phone extractions. It works as suggested and quite fast, but my results are a bit unexpected because of lack of skill. Since I have XRY and UFED available I'll try the same method for both tools.

For such a powerful tool the manuals are a bit small; it is easy to do things in a wrong way and the terminology is different from EnCase jargon. One needs to learn and re-calibrate to the new tool.

What really makes me happy is the ease of incorporating the UFED results into a case with other tools' results: it is as simple as adding the directory where the UFED report files are stored into the NUIX case. The same holds for an XRY image; it looks to me, in my lack of experience, that NUIX is a perfect integration tool ..

The only drawback is documentation, but this is a common weakness in today's digital forensic tools; one can't do much about that but try, test and learn what is correct.

There are plenty of possibilities to try and evaluate, since it can be scripted and used from the command line, so one can create batching and automated processing, and there is also the ability to use the collaborative web interface. Actually, in the current context NUIX as a second-level, more integration-oriented tool makes much more sense. In that scenario the collaborative web interface is a big advantage.

Friday, May 23, 2014

SlideShare data and blues

A few days ago I accidentally compared SlideShare report mails and there was something looking like a pattern. I'm not sure, but maybe it is.
SlideShare is perfect to keep old materials handy, and maybe useful to someone else too; I'm putting there almost all presentations and papers which I've been publicly presenting.
It is in various languages, which accidentally provides some additional insight into the statistical data. Basically the idea is that English text is for anyone, while the local lingo is only useful for the local community.

What caught my eye is a slight increase in access to one presentation dealing with the CyberSecurity product by Guidance Software; there has been an increase in activity on it in the last few months. Since the presentation is in the local language (heavily loaded with technical English terms) I suppose it is mostly accessed by local people.
What is interesting is that these hits are almost parallel with two other events, a discount on the CyberSecurity product and some cyber attacks on local banks. Interesting to see and think about, but unfortunately there were no official requests for the CyberSecurity product ...

The week after CEIC 2014 the stats changed in a completely different way: on top is EnCase Enterprise Basic File Collection, which jumped by more than 100 hits in a week ... there must be something embarrassing in it to cause such a surge. Again some changes this week too, the week before 27th June 2014:
"Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2" Views 213 making a total of 1007, and for "EnCase Enterprise Basic File Collection" Views 127 making a total of 923.

Thursday, May 15, 2014

Some thoughts about mobile forensics tools

Recently I've been talking about mobile forensics with some people from prominent mobile forensic vendors. I was curious to ask why their tools (and other vendors' too) do not use an IP connection to acquire data from smartphones. Such a question was asked a few times before but never got any answer. This time the answer was a bit of a surprise, and why not roll out the idea. It was a shocking revelation .. and I'm still not sure whether this was not just a joke answer to my question.

So let me put some theory on paper ...

Mobile forensics is a wild, uncharted area with extreme development; the cycle is fast, the possible gains in market share are big, and there are myriads of various phones, each vastly different as a device.

Since devices have started to be real computers pretending to be phones, with a real operating system, huge storage space and memory, things get a different perspective ...

Mobile forensic vendors are traditionally locked into the approach of "one phone at a time", accessing the phone over a serial line, USB, Bluetooth or IR connection. If we compare current mobile forensic tools to general-purpose forensic tools there are huge differences: no standard format, the ability to handle only phones, a limited number of device images in one case and only recently some analytics on the extracted data. I don't even like to mention the problems of interoperability among tools.

These are all signs of a young, immature market and a fast development cycle. I suppose the cycle is so fast that it keeps vendors locked in their niche, without much time to look from a wider position.
As soon as mobile networks developed data transfer over TCP/IP, mobile devices got a new access method:
an IP interface over the 3G/2G network or WiFi access. Strangely, this very effective door to the phone is not used :)
IP access provides you with a practically unlimited number of devices being analyzed from one forensic workstation; the limitation is in licensing and bandwidth.

The first question to answer is whether this approach is forensically acceptable. This is actually a key method in live and network forensics, where live machines are acquired and analyzed in a forensically sound way over IP; for details there are many tools, enterprise-wide forensic tools like EnCase, FTK, F-Secure ... The same goes for some anti-malware tools and the ability to remotely erase a mobile device.
Access methods vary but rely on the same idea.

There is one very interesting quirk too: these tools have support for mobile devices but strangely not over IP. I have not been on the EnCase support site recently, but when I was there last time there was a thread where people ask why there is not yet a servlet for Android or iOS (the servlet is the EnCase forensic agent for remote access).

One possible explanation is in the history of the now defunct product Neutrino, the EnCase mobile phone version. It failed because the vendor was unable to provide the resources to keep up with phone development .. each phone model requires a lot of effort to keep it in the system. What was left is support for smartphones, almost a hunchback on EnCase today since it looks not fully integrated. This provides a reason for reluctance in pushing servlet technology to smartphones.

If we forget about the existing enterprise forensic tools, what can be used for a proof of concept? There is one old, reliable tool, CFEngine, which is very reasonable to try. It works on iOS, Android and Windows, so it is a logical test-bed, especially since it is event driven.

Monday, May 12, 2014

Long ago I forgot to post to the blog .. topics for seminar papers, theses and the like ..

For students and others interested, some ideas for seminar papers, theses...
For every topic there is a list of references, literature etc.


Forensic analysis of social networks: Present social networks (Facebook, LinkedIn and similar), the ways they are used, and how these systems work. For such systems explain what artifacts and evidence can exist, and which methods and approaches can be applied to locate, acquire and analyze this evidence and these artifacts.

Forensic analysis of mobile devices based on the Android operating system: Study and investigate the forensic analysis of mobile devices running the Android operating system. The work should rely on available non-commercial tools, with commercial tools used as a control. Establish the reliability of forensic data acquisition from the mobile device and describe the whole procedure on a practical example.

Acquisition of digital media: Presentation and analysis of the procedures for acquiring digital media in computer forensics.

Simulators of computer networks and systems: Overview and analysis of simulators of computer networks and systems.

A high-level computer forensic language: Write a specification for a high-level computer forensic language, based on existing tools in Python and other languages.

Applying computer forensics to intelligent household devices: Present computer forensic methods for intelligent household devices, i.e. devices that contain computer and other electronic components and are used in the home.

Computer forensic tools in the Python language: Investigate the capabilities of computer forensic tools based on the Python language. In particular cover tool repositories, finding a tool suited to a given problem, using the tool on a chosen platform, and possible integration or linking with other forensic tools.

Implementation of a layer 2 switch in open source: Study and work out the possibilities of implementing a layer 2 switch in open source code (open source layer 2 switch) in computer networks.

Forensics of computer and network systems in modern cars: Present the computer and network systems in modern cars. Based on an analysis of the available data on how these systems operate, propose and work out a methodology and procedures for forensics of such computer systems.

Computer forensics and system virtualization: The use of virtualization in computer forensic procedures, and forensics of virtualized systems.

Forensics of active network equipment: Forensic procedures for active network equipment.

Database forensics: Computer forensics of database systems and persistent storage systems.

Household robots and computer forensics: Work out the forensic analysis of household robots such as robot vacuum cleaners, cleaning robots and other similar devices.

Industrial robots and computer forensics: Present and work out computer forensic methods for robotized industrial systems.

Digital video surveillance systems and computer forensic methods: Present the application of computer forensics to digital video surveillance systems.

Business continuity of IT systems: Present methods for maintaining business continuity of an IT system. Work out methods of collecting and analyzing data without dedicated software tools.

Business continuity: Treat the business continuity system theoretically, using existing standards and practice from the field of business continuity. As the practical part, develop a web-based system for controlling and carrying out business continuity.

Cyberwarfare attack programs: Present the operation and offensive behaviour of warfare code. Show how the first real cyber-warfare attack program, the Stuxnet worm, works, and the ways of defending against and detecting this worm.

Automated trading systems: Describe and analyze systems for automated trading on stock exchanges. In particular study the security problems of such systems, both at the implementation and at the algorithmic level.

Overview of digital forensic models: List, present and explain models for carrying out digital forensics. Propose possible solutions for the problem of backlogs in forensic laboratories, and propose methodological and technical measures that can be applied to reduce backlogs. Assess possible modifications of existing tools and procedures in line with the proposed measures and models.

Crisis networking: Present the construction of a simple wifi network based on off-the-shelf components and open source code that would keep functioning even if the main IP and GSM providers fail.

Secure wiping of storage media: Present and work out techniques for securely erasing data from storage media. In particular work out the cases of new technologies such as SSD.

Using an Android emulator in digital forensics: Study the possibilities of an emulator or a virtual Android operating system in forensic procedures. When analyzing mobile and other devices running the Android operating system it is necessary to establish the state of the device, restart it to observe the behaviour of applications and so on; for these purposes try out an emulator or virtual Android and study ways of transferring a device image into such a simulated environment. Propose procedures and state the advantages and disadvantages.

Possibilities of applying the CFengine system in computer forensics: Study the possibilities of applying the CFengine management and security system within live forensic tasks on networked computer systems.

Forensic analysis of metadata in existing document formats: Analyze the known document formats for digital images, digital documents, electronic mail and other types of digital documents. Based on forensic analysis, work out mechanisms for extracting metadata from documents both at rest and in network transit, and on the basis of these mechanisms present the security risks and the mechanisms for removing them. Demonstrate the results of the analysis and the discovered risks using available tools.

Wednesday, May 7, 2014

EnCase v7, UFED logical extraction data and frustration ...

I'm always frustrated with the state of affairs where you are in huge trouble if you need to incorporate data from one forensic tool into another. It is a ridiculous situation, but it shows how immature this market is. Lack of standardization, common formats, compatibility: that is the state of the art :(

Anyhow, to stop trolling about troubles, what can we do? There is no one like the DoD in the networking crisis of the 1970s, before the TCP/IP revolution, who can force all vendors to stop doing silly things and start to cooperate. We can try to use the features of existing tools to put some kind of cooperation into action.

Since there is a strong invisible line between vendors doing mobile forensics and those doing general forensics, it is very hard to combine the results of these two classes of tools.
There are some exceptions like NUIX, but let us stay with the older generation of tools.

Let us imagine we have a set of UFED logical extractions and a set of PC images in EnCase that we have to look at as one job. The UFED things we can combine in UFED, and likewise the PC images in EnCase, but we cannot process PC material in UFED, so we have to move to EnCase and try some magic.

The strategy is to move the UFED data into a logical evidence file and somehow turn it into data EnCase understands; a fully working importer will require a lot of scripting. The idea is to use the XML file created by UFED to populate a record structure created by hand in EnCase, and then later process the new L01 file as part of the bigger case.
I'll add some examples and steps later, maybe the whole script too.

The UFED logical extraction structure is well known: it is a folder named after the phone model and a timestamp. In that folder there are subfolders and files with the extracted artifacts. The key file is report.xml, an XML glue file which wraps all of that together.


The file report.xml is the glue that keeps the findings together in the UFED folder.

In EnScript we have various code examples for creating an L01 and for XML parsing, but what we do not have is a mechanism to map UFED data onto the EnCase phone extraction record structure. This is a guessing task, to be done by a custom EnScript.
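As an added example (not from the original post, and not an EnScript), here is the first stage of such an importer written in Python so it can be run outside EnCase: walk the extraction folder, normalise the report into flat records, join calls and messages to contacts, and hash every artifact file the report references so the L01 built later can be tied back to the original extraction. The element and attribute names in the sample report.xml are an assumption constructed for the demo, not the real UFED schema; a real importer has to be adapted to the report.xml the UFED version in use actually writes.

```python
"""Added example: first stage of a UFED-to-EnCase importer, in Python rather
than EnScript so it can be run outside EnCase.

It is NOT the real UFED schema: the element and attribute names below are an
assumption for the demo, and a real importer must be adapted to the report.xml
produced by the UFED version in use.  What the example shows is the part that
is the same whatever the schema: normalise the model-specific records into a
flat structure (contacts, calls, messages), join them, and hash every artifact
file the report references.
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed report.xml; layout assumed for the example only.
SAMPLE_REPORT = """<?xml version="1.0" encoding="utf-8"?>
<report device="NokiaE71" extracted="2014-05-07T10:15:00">
  <contacts>
    <contact name="Ana" phone="+385911234567"/>
    <contact name="Ivo" phone="+385921234567"/>
  </contacts>
  <calls>
    <call type="outgoing" number="+385911234567" time="2014-05-01T09:00:00" duration="42"/>
    <call type="missed" number="+385000000000" time="2014-05-02T21:10:00" duration="0"/>
  </calls>
  <messages>
    <sms direction="in" number="+385921234567" time="2014-05-03T12:00:00">see you at 5</sms>
  </messages>
  <files>
    <file path="Images/IMG_0001.jpg" type="image"/>
    <file path="Audio/rec1.amr" type="audio"/>
  </files>
</report>
"""


def parse_report(xml_text):
    """Flatten the (assumed) report layout into plain dicts per record type."""
    root = ET.fromstring(xml_text)
    recs = {"device": root.get("device"), "extracted": root.get("extracted"),
            "contacts": [], "calls": [], "messages": [], "files": []}
    for c in root.iter("contact"):
        recs["contacts"].append({"name": c.get("name"), "phone": c.get("phone")})
    for c in root.iter("call"):
        recs["calls"].append({"type": c.get("type"), "number": c.get("number"),
                              "time": c.get("time"),
                              "duration": int(c.get("duration", "0"))})
    for m in root.iter("sms"):
        recs["messages"].append({"direction": m.get("direction"),
                                 "number": m.get("number"), "time": m.get("time"),
                                 "text": (m.text or "").strip()})
    for f in root.iter("file"):
        recs["files"].append({"path": f.get("path"), "type": f.get("type")})
    return recs


def resolve_contacts(recs):
    """Attach the contact name to calls and messages by phone number: the join
    the phone's own UI does and the XML does not."""
    by_number = {c["phone"]: c["name"] for c in recs["contacts"]}
    for r in recs["calls"] + recs["messages"]:
        r["contact"] = by_number.get(r["number"])
    return recs


def hash_artifacts(extraction_dir, recs):
    """Hash every file the report references; a missing artifact is flagged,
    not silently skipped, because the gap is itself a finding."""
    manifest = []
    for f in recs["files"]:
        full = os.path.join(extraction_dir, *f["path"].split("/"))
        entry = {"path": f["path"], "type": f["type"]}
        if os.path.isfile(full):
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            entry["sha256"] = h.hexdigest()
            entry["size"] = os.path.getsize(full)
        else:
            entry["missing"] = True
        manifest.append(entry)
    return manifest


def process_extraction(extraction_dir):
    """Read report.xml from a UFED-style folder, return (records, manifest)."""
    with open(os.path.join(extraction_dir, "report.xml"), encoding="utf-8") as fh:
        recs = resolve_contacts(parse_report(fh.read()))
    return recs, hash_artifacts(extraction_dir, recs)


def demo():
    """Build a constructed extraction folder with one artifact present and one
    referenced but absent, then process it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "report.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_REPORT)
        os.makedirs(os.path.join(d, "Images"))
        with open(os.path.join(d, "Images", "IMG_0001.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0constructed-jpeg-stub")
        # Audio/rec1.amr is deliberately absent
        return process_extraction(d)


if __name__ == "__main__":
    records, manifest = demo()
    print(records["device"], len(records["calls"]), "calls")
    for entry in manifest:
        print(entry)
```

The flat records are what a hand-built EnCase record structure would be populated from, and the manifest (path, size, SHA-256, or "missing") is what goes into the case notes so the L01 can later be checked against the original UFED folder.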


EnCase view of the UFED data stored in an L01 file.

In EnCase the XML structure is easily visible in the preview pane, and we can use the Generic XML viewer plugin to look deeper into the XML structure. It is easy to bookmark it or preview it.


The structure of the file is visible and very intuitive, but not directly related to the structure in which EnCase presents phones.

If we use Report.htm instead of Report.xml it actually requires less work, but the data is still not very useful.

It is possible to index the evidence so that searching can find the relevant data among the phone results. Unfortunately this also does not give full access to the important information.


We have the same situation with other artifacts; it is slightly better with email addresses and phone numbers, since a set of patterns is predefined in search.


Searching by email pattern and keyword also gives some results, but still not good enough.

We have the same results if we try to work with the UFED report file in XML format, where we have control over which data is selected for the report. XML parsing is well supported and there are EnScript examples of how to parse and bookmark XML, but there is not much documentation on how and where to store the parsed data if we want to create an L01 file containing the data extracted by UFED. Code which works in a similar manner exists: the Belkasoft integration modules, the Magnet Forensics tool integration and some others.

One thing which makes all this very unpleasant is the fact that in 7.09.05 (and probably earlier versions too) index search by pattern does not work as intended (there is a support issue raised on this topic about PII indexing): the index pattern for phone numbers simply does not return phone numbers, and similarly the email pattern does not return email addresses. There is almost nothing about these patterns in the documentation; the only explanation with examples I found was in that support topic.
This actually makes the whole effort pointless, because we do not know what else is not working and why.

My unfortunate conclusion is that EnCase in its current state cannot be trusted as an integration tool if you want to analyze data from mobiles or something similar together.

Using NUIX

I'm using a test version of NUIX, and must say I'm delighted with it. First impressions are really good; I haven't done a comparison yet, but on the same hardware and the same evidence files it looks faster than the other tools I've been using. The user interface is consistent and the data presentation simple and understandable, which is a huge advantage. It logs all relevant information into plain text log files, configuration is easy, only Java has its own quirks.

I've managed to crash it a few times, but this is mostly because of my inexperience and wrongly tuned parameters. The ability to handle different evidence formats and results is a great thing, and Ruby as a scripting tool is also great. I hope I'll get much deeper into NUIX.

ORF lectures about anti-forensics

Today we will talk about anti-forensic methods and tools, mostly about methods and ideas, since tools change with time.
I'll stress the difference between offensive and defensive methods, and the simple idea of hiding important things among a huge pile of files.
Strong encryption is definitely the best method, since without the key it is impossible to get at the data; it is more of a defensive method, but effective. For protecting active systems or active data in use, a more offensive approach has to be applied.

One of the most interesting sites is https://www.anti-forensics.com/

My all-time favorite is the article "Breaking Forensics Software: Weaknesses in Critical Evidence Collection", with the video "Defcon 15 - Breaking Forensics Software: Weaknesses in Critical Evidence Collection".

There are also plenty of presentations and new developments. Very inspiring presentations from Takahiro Haruyama: "Malicious File for Exploiting Forensic Software" and "One-Byte Modification for Breaking Memory Forensic Analysis".

The other tools and ideas are very well documented: steganography, encryption, etc.

There is also a rather terminal approach to anti-forensics, and we have to think about it when we are thinking about serious crimes: using brute force, explosives, attacks that physically destroy media and evidence, together with the forensics and the forensics lab ..
As an idea, think about a hard drive which instead of platters has an explosive charge and a primer connected to the power line.. this is also anti-forensic, but a bit out of the box in the digital sense.

When we are talking about anti-forensic and counter-forensic measures, it is important to understand that the context of the situation and the value of the items to be protected are actually the key elements in understanding how these items can be protected and why. The Conficker worm is a very good example.



Thursday, May 1, 2014

ORF lecture about Windows artifacts

The last topic we covered in the ORF curriculum was MS Windows artifacts, talking a lot about how and why things were developed. It was just glancing over a lot of issues:

  • Finding Deleted Data
  • Hibernation Files
  • Examining the Windows Registry
  • Print Spooling Evidence
  • Recycle bin Operation
  • Metadata: What It Is and How It’s Used
  • Thumbnail Images as Evidence 
  • Most Recently Used Lists: How They’re Created and Their Forensic Value 
  • Examining Prefetch and Link Files 
  • Windows log analysis
  • Windows search and indexing engine artifacts


There was talk about how these things evolved and became part of the system, what the driving force behind it was, and how one can think about these resources as a source of data for digital forensics.
In a digital forensics course within a computer science curriculum it is important to stress what these artifacts are in the global picture of the operating system, and how the development of hardware and software influenced them.
These elements are so often completely ignored in professional digital forensic training or in a pure forensic curriculum; it is one of the reasons why we have so many problems in digital forensics, especially in law-enforcement-related situations.


Wednesday, April 23, 2014

ECTEG European Cybercrime Training and Education Group

One of the most interesting places to look when planning digital forensic education is E.C.T.E.G,
the European Cybercrime Training and Education Group.

It is vendor-independent training based on cooperation with a well-established academic curriculum, which is sometimes the missing part.

What is important here is the set of learning / specialization paths, which gives a good estimate of what one has to learn and understand.

ORF lectures: preparation for data collecting

Last week we finished forensic laboratories, which is a purely theoretical issue in our local environment. This part also does an intro into forensic tools. I've decided to extend this with some topics comparing the available forensic tools.
My idea was to show and compare the basic features and ideas of some tools. We were talking about open source tools and commercial tools, like The Sleuth Kit, FTK and EnCase, to get some idea of how the tools are designed, how they work and what to choose for which purpose.

For students it is important to understand that current versions of digital forensic tools tend to separate the acquisition of evidence from the analysis and reporting steps, and also how the forensic workflow is incorporated into the user interface design.




Sunday, April 6, 2014

DataFocus 2014

On the 8th of April we will have our digital forensic conference here in Zagreb, Croatia:
DataFocus 2014. In one day there will be two workshops, lectures and round table talks.

Topics come from our local digital forensic community, mostly the ex-Yugoslav countries, with some interesting lectures from the rest of the world. IACIS will also be here, since digital forensic training and education is a big part of our agenda. My tiny part will be the last lecture in the Investigation section of the conference, about live investigation methods with EnCase v7. It is actually a compilation and recycling of the material I've used in this year's EnCase Enterprise Examination training. It will be summarized and presented under the title "On-line digital forensic investigations"; hopefully it will have some effect on the way tools are used and data acquisition and collecting is done.

Sunday, March 30, 2014

Nuix presentation

I forgot to put a few lines about the Nuix presentation we had last Friday, unforgivable. My only excuse is that this was a second try, since the first one on Tuesday ended in complete technical disaster. It was funny: the WebEx connection was dying slowly, and at one moment it sounded like HAL 9000 dying with a French accent. Strangely, all that fits into a pattern, since there were a few earlier unsuccessful efforts with Nuix.
Nuix is such a good digital forensic tool of the second generation, well designed and well thought out, with lessons learned from the tools of previous generations like FTK and EnCase. It is so much more data oriented and more manageable than the earlier tools.
The ability to use and handle all the results and outputs of most other forensic tools makes Nuix an extremely handy tool in any slightly more complex case. When any kind of analysis of the current state of forensic tools is done, one thing strikes you: the impossibility of integrating the results of different tools, which is a clear sign of an immature market. Fortunately it looks like the new generation of forensic tools like Nuix has forced traditional vendors into a kind of acceptance of reality. This is painfully visible especially for mobile device forensic tools: it is better to have a smaller percentage of a much bigger market than a big percentage of a small market. Nuix and related platforms can easily cover such gaps between tools; it is not complicated to put into one case the results and evidence created by UFED, XRY, EnCase ...

Using a well-known and reliable scripting interface is also an extremely important feature and a strategic advantage; Ruby is a very good choice here. Maybe the only drawback is the MS platform as a basis, since we are talking here about huge volumes of data.

Logical Evidence Files

The structure of the logical evidence file, L01, is important for understanding how many interesting and useful features of the EnCase tool actually work. Since it is a proprietary format, not all vendors support it, and it is not so well documented and known in the forensic community.
To get a look into it you have to go into the EnCase EnScript help and see the related class structures and methods. The logical evidence file is the key container for the analyst's results and for extractions from evidence files. It is a data safe for data extracted from devices and original evidence, storing it in a minimal and forensically sound way. Still, its internal structure has some compromises, or so it looks. In a logical evidence file you can store all data EnCase recognizes as logical entities: files, records, results of operations. While working with evidence, logical evidence files should be used as a cache and as a container for data organization. Most of the EnScripts for v6 and v7 which do tasks automatically store their results, or part of them, in L01 files.
With today's disks sized in terabytes it is not wise to handle all that data in one case, especially when we are interested only in a handful of emails or files from those vast disks. A simple and efficient way of preserving resources and performance is to store the relevant data in a logical evidence file and work with these files in the further steps.
Sometimes using the logical evidence format has curious repercussions, as in data collection with the Sweep Enterprise tool. It is logical to store collected data separately for each end node, but since it is stored in an L01 file, accessing that collected data is not very intuitive until you take into account the purpose and structure of the L01 file.
Since more than one type of data can be stored in an L01 file (see the description of LogicalEvidenceFileClass in the EnScript help), it is important to understand how this data can be accessed and presented in the EnCase graphical user interface. This separation of data types causes all the trouble in viewing collection data directly in EnCase.
Another key feature of the L01 file is that it can be extended with additional data until the file is deliberately locked against further extension. This is extremely useful, since it allows the user to organize data logically as it is discovered and keep it in a forensically sound container. All these good features should be defined in SOPs and legally presented and cleared for the benefit of all involved.
There are some questions often asked about the logical evidence format and data in an ordinary evidence file. One of the most frequent: if an L01 keeps only logical data, that is files and file-system metadata at the file-system level, what about unallocated space, internal files, slack etc.? The answer is easy, since EnCase presents all these entities in the evidence as virtual files. For example, "Unallocated Clusters" on a volume are accessible as the "Unallocated Clusters" virtual file, and through that it is also possible to put it into an L01 file. The same holds for volume slack, lost files, unused disk area and internal file system objects and files.

Wednesday, March 19, 2014

Lecture in "Digital Forensic Basis": file system disk structures and data

Today we will cover file systems, disk structures and raw disk data. It is an extremely important field, where Brian Carrier's book "File System Forensic Analysis" is an excellent source: http://www.digital-evidence.org/fsfa/.
It is especially important for engineers, since we tend to ignore such "low" machine-related data and overlook the important data there.

It is so easy to think "I understand that" or "I know that", which is almost a lie :)
History, reasons, interactions, behavior of the file system: all that should be familiar to anyone doing data analysis.

Understanding data and file systems, and how forensic tools present and handle this data, is crucial and often overlooked. Being humble and doing your homework is a real virtue.

Knowing the history of a file system family like FAT gives us insight into many peculiar things and situations, and also understanding and intuition about what we can find, where and why.
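As an added example of the kind of "low" disk data the lecture is about (not from the original post, and not code from Carrier's book or any forensic tool), here is a decoder for a FAT boot sector that derives the reserved, FAT, root directory and data region offsets from the BIOS Parameter Block, classifies the volume as FAT12/16/32 by cluster count, and walks a FAT16 cluster chain. The boot sector and FAT table bytes are constructed for the demo, not taken from a real image; the field layout and the 4085/65525 cluster-count thresholds follow the Microsoft FAT specification.

```python
"""Added example (not from the original post): decoding a FAT boot sector and
walking a FAT16 cluster chain from raw bytes.  Offsets follow the Microsoft
FAT specification; the boot sector and FAT bytes below are constructed for
the demo, not taken from a real image.  FAT12/16 layout only: a FAT32 volume
keeps sectors-per-FAT in a separate 32-bit field and is rejected here.
"""
import struct

BPB_FMT = "<3s8sHBHBHHBHHHII"   # jump, OEM, bps, spc, reserved, nfats,
                                # root entries, tot16, media, spf, spt,
                                # heads, hidden, tot32


def build_sample_boot_sector():
    """Constructed FAT16 boot sector: 512-byte sectors, 4 sectors/cluster,
    1 reserved sector, 2 FATs of 64 sectors, 512 root entries, 65536 total
    sectors (too many for the 16-bit field, so it lives in the 32-bit one)."""
    bpb = struct.pack(BPB_FMT, b"\xeb\x3c\x90", b"MSWIN4.1",
                      512, 4, 1, 2, 512, 0, 0xF8, 64, 63, 255, 0, 65536)
    ext = struct.pack("<BBBI11s8s", 0x80, 0, 0x29, 0x1234ABCD,
                      b"NO NAME    ", b"FAT16   ")
    body = bpb + ext
    return body + b"\x00" * (510 - len(body)) + b"\x55\xaa"


def parse_boot_sector(sector):
    """Return the volume geometry derived from the BPB, with sanity checks."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    (_jmp, oem, bps, spc, reserved, nfats, root_entries, tot16, _media, spf,
     _spt, _heads, _hidden, tot32) = struct.unpack_from(BPB_FMT, sector, 0)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError("implausible sector/cluster geometry")
    if spf == 0:
        raise ValueError("sectors per FAT is 0: FAT32 layout, not handled here")
    total = tot16 or tot32            # 16-bit field wins if non-zero
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    first_root = reserved + nfats * spf
    first_data = first_root + root_dir_sectors
    clusters = (total - first_data) // spc
    fstype = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {
        "oem": oem.decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved_sectors": reserved, "fats": nfats, "sectors_per_fat": spf,
        "total_sectors": total, "first_fat_sector": reserved,
        "first_root_sector": first_root, "first_data_sector": first_data,
        "cluster_count": clusters, "type": fstype,
    }


def cluster_offset(geom, cluster):
    """Byte offset of a data cluster; data cluster numbering starts at 2."""
    if cluster < 2 or cluster >= geom["cluster_count"] + 2:
        raise ValueError("cluster out of range")
    sector = geom["first_data_sector"] + (cluster - 2) * geom["sectors_per_cluster"]
    return sector * geom["bytes_per_sector"]


def follow_chain_fat16(fat, start, limit=1 << 16):
    """Walk a FAT16 chain.  Ends at an end-of-chain mark (>= 0xFFF8); a free
    (0) or bad (0xFFF7) entry means the chain is broken, and a revisited
    cluster means a loop.  Both are exactly the cases a recovery tool must
    notice rather than follow blindly."""
    chain, seen, cur = [], set(), start
    while True:
        if cur in seen or len(chain) >= limit:
            return chain, "loop"
        seen.add(cur)
        chain.append(cur)
        entry = struct.unpack_from("<H", fat, cur * 2)[0]
        if entry >= 0xFFF8:
            return chain, "eoc"
        if entry == 0 or entry == 0xFFF7:
            return chain, "broken"
        cur = entry


def build_sample_fat16():
    """Constructed FAT: clusters 2->3->4->EOC, 5 free, 6->EOC (one-cluster)."""
    entries = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 0, 0xFFFF]
    return struct.pack("<%dH" % len(entries), *entries)


if __name__ == "__main__":
    geom = parse_boot_sector(build_sample_boot_sector())
    for k, v in geom.items():
        print("%-20s %s" % (k, v))
    print("cluster 2 starts at byte", cluster_offset(geom, 2))
    fat = build_sample_fat16()
    for start in (2, 5, 6):
        print("chain from", start, "->", follow_chain_fat16(fat, start))
```

The two places students usually get wrong are both in here: the total sector count has to be read from whichever of the 16-bit and 32-bit fields is non-zero, and cluster 2 (not 0 or 1) is the first data cluster, so the byte offset of cluster N is first_data_sector + (N - 2) * sectors_per_cluster, times the sector size.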

Saturday, March 15, 2014

EnCase refresher

A week ago a small EnCase refresher was done for some of our clients. Since EnCase has plenty of sub-releases in one year, it is wise to do some leveling and discuss the new features. The key new concept added since the last meeting is distributed processing and remote preview without a SAFE. There were also plenty of other changes in the interface: tagging, the file attributes tab, conditions etc. There were also some hardware issues about machine configurations, adding disks, memory, processor and dongle issues.

Many things to go through in two days; it was interesting, and we did a bit of a pizza party too.

We had plenty of talk about conditions and their usage, especially the strategy for creating and using conditions. We showed methods of combining and reusing conditions among cases and among members of the team. Naming conventions, commenting, internal filters .. a lot of things to talk about.
I've put some thoughts on attribute conditions on this blog before.
Basically there are two methods: one where you use simple conditions and apply them recursively to the results of previous conditions, and one where you write a big monolithic condition in advance.
There was discussion about which is better and why, which is faster, how to organize attributes in conditions,
a lot of theory.