Sunday, March 30, 2014

Nuix presentation

I forgot to put a few lines about the Nuix presentation we had last Friday, unforgivable. My only excuse is that this was a second try, since the first one on Tuesday ended in complete technical disaster. It was funny: the WebEx connection was dying slowly, and at one moment it sounded like HAL 9000 dying with a French accent. Strangely, all that fits into a pattern, since there were a few earlier unsuccessful efforts with Nuix.
Nuix is a very good digital forensic tool of the second generation, well designed and well thought out, with lessons learned from the tools of previous generations like FTK and EnCase. It is much more data oriented, and makes data much more manageable, than the earlier tools.
The ability to use and handle the results and outputs of most other forensic tools makes Nuix an extremely handy tool in any slightly more complex case. When any kind of analysis of the current state of forensic tools is done, one thing strikes you: the impossibility of integrating results from different tools, which is a clear sign of an immature market. Fortunately, it looks like the new generation of forensic tools like Nuix has forced traditional vendors into a kind of acceptance of reality. This is painfully visible especially for mobile device forensic tools: it is better to have a smaller percentage of a much bigger market than a big percentage of a small market. Nuix and related platforms can easily cover such gaps among tools; it is not complicated to put results and evidence created by UFED, XRY, EnCase and others into one case.

Using a well-known and reliable scripting interface is also an extremely important feature and a strategic advantage; Ruby is a very good choice here. Maybe the only drawback is the MS platform as the basis, since we are talking here about huge volumes of data.

Logical Evidence Files

The structure of the logical evidence file, L01, is important for understanding how many interesting and useful features of the EnCase tool actually work. Since it is a proprietary format, not all vendors support it, and it is not so well documented and known in the forensic community.
To get a look into it you have to go into the EnCase EnScript help to see the related class structures and methods. The logical evidence file is the key container for the results of the analyst's work and for extractions from evidence files. It is a data safe for data extracted from devices and original evidence, storing it in a minimal and forensically sound way. Still, its internal structure has some compromises, or so it looks. In the logical evidence file you can store all data EnCase recognizes as logical entities: files, records, results of operations. While working with evidence, logical evidence files should be used as a cache and a container for data organisation. Most of the EnScripts for v6 and v7 which do tasks automatically store their results, or part of them, in L01 files.
With today's disks sized in terabytes it is not wise to handle all that data in one case, especially when we are interested only in a handful of emails or files from those vast disks. A simple and efficient way of preserving resources and performance is to store the relevant data into a logical evidence file and work with these files in further steps.
Sometimes using the logical evidence format has curious repercussions, like in data collection with the Sweep Enterprise tool. It is logical to store collected data separately for each end node, but since it is stored in an L01 file, accessing that collected data is not very intuitive until you take into account the purpose and structure of the L01 file.
Since more than one type of data can be stored in an L01 file (look at the description of LogicalEvidenceFileClass in the EnScript help), it is important to understand how this data can be accessed and presented in the EnCase graphical user interface. This separation of data types causes all the trouble in viewing collection data in EnCase directly.
Another key feature of the L01 file is that it can be extended with additional data until the file is deliberately locked against further extension. This is an extremely useful feature since it allows the user to logically organize data as it is discovered and keep it in a forensically sound container. All these good features should be defined in SOPs and legally presented and cleared, for the benefit of all involved.
There are some questions which are often asked about the logical evidence format versus data in an ordinary evidence file. One of the most frequent: if L01 keeps only logical data, which on the file system level means files and their metadata in the filesystem, what about unallocated space, internal files, slack etc.? The answer is easy, since EnCase presents all these entities in the evidence as virtual files. For example, "Unallocated Clusters" on a volume are accessible as the "Unallocated Clusters" virtual file, and through that it is also possible to put them into an L01 file. It is the same for volume slack, lost files, unused disk area and internal file system objects and files.
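To make the "virtual file" idea concrete, here is a small toy model I am adding as an illustration; it is not EnCase code and it does not reproduce the L01 format. It assumes a constructed disk of eight 64-byte clusters, a constructed allocation bitmap and two constructed directory entries, then builds the "Unallocated Clusters" stream and the file slack of each file as ordinary byte strings, and records each exported item with its size and SHA-256 in a hypothetical manifest, which is what a container like L01 lets you keep in a forensically sound way.

```python
import hashlib

# Toy geometry (constructed values, not any real file system's).
CLUSTER_SIZE = 64
NUM_CLUSTERS = 8

# Constructed "disk": cluster n is filled with the byte chr(0x41 + n), so
# cluster 0 is all "A", cluster 1 all "B", ... which makes results easy to read.
IMAGE = b"".join(bytes([0x41 + n]) * CLUSTER_SIZE for n in range(NUM_CLUSTERS))

# Constructed allocation bitmap: True = allocated to a file, False = free.
BITMAP = [False, True, True, False, False, True, False, False]

# Constructed directory entries: cluster chain plus logical size in bytes.
FILES = {
    "FILE_A.TXT": {"chain": [1, 2], "size": 100},  # 100 < 128: slack in cluster 2
    "FILE_B.TXT": {"chain": [5], "size": 64},      # exactly one cluster: no slack
}


def cluster_bytes(image, n, cluster_size=CLUSTER_SIZE):
    """Raw bytes of cluster n."""
    return image[n * cluster_size:(n + 1) * cluster_size]


def unallocated_cluster_ranges(bitmap):
    """Collapse free clusters into contiguous (first, last) ranges."""
    ranges, start = [], None
    for i, used in enumerate(bitmap):
        if not used and start is None:
            start = i
        if start is not None and (used or i == len(bitmap) - 1):
            ranges.append((start, i - 1 if used else i))
            start = None
    return ranges


def unallocated_clusters_stream(image, bitmap, cluster_size=CLUSTER_SIZE):
    """Every free cluster concatenated in disk order: the 'Unallocated
    Clusters' virtual file view, which can then be hashed, searched or
    exported like any other logical item."""
    return b"".join(cluster_bytes(image, i, cluster_size)
                    for i, used in enumerate(bitmap) if not used)


def file_slack(image, entry, cluster_size=CLUSTER_SIZE):
    """Bytes between logical end-of-file and the end of the last cluster.
    A file whose size is an exact multiple of the cluster size has none."""
    used_in_last = entry["size"] - (len(entry["chain"]) - 1) * cluster_size
    return cluster_bytes(image, entry["chain"][-1], cluster_size)[used_in_last:]


def logical_item(name, data):
    """Hypothetical manifest entry for a logical evidence container: name,
    size and SHA-256 so the exported item can be verified later."""
    return {"name": name, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def build_manifest(image=IMAGE, bitmap=BITMAP, files=FILES):
    """Collect the virtual items an examiner might export next to the files:
    the unallocated stream plus the slack of every file that has some."""
    items = [logical_item("Unallocated Clusters",
                          unallocated_clusters_stream(image, bitmap))]
    for name, entry in files.items():
        slack = file_slack(image, entry)
        if slack:
            items.append(logical_item(name + " (slack)", slack))
    return items


if __name__ == "__main__":
    print("free cluster ranges:", unallocated_cluster_ranges(BITMAP))
    for item in build_manifest():
        print(item)
```

On this toy disk the free clusters are 0, 3-4 and 6-7, so the unallocated stream is 320 bytes long, FILE_A.TXT leaves 28 bytes of slack in cluster 2, and FILE_B.TXT leaves none; the manifest therefore carries two items, each with a hash that a later verification step can recompute.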

Wednesday, March 19, 2014

Lecture in "Digital Forensic Basis" file system disk structures and data

Today we will cover file systems, disk structures and raw disk data. This is an extremely important field, where Brian Carrier's book "File System Forensic Analysis" is an excellent source: http://www.digital-evidence.org/fsfa/.
It is especially important for engineers, since we tend to ignore such "low" machine-related data and overlook the important data there.

It is so easy to think "I understand that" or "I know that", which is almost a lie :)
History, reasons, interactions, behavior of file systems: all that should be familiar to anyone doing data analysis.

Understanding data and file systems, and how forensic tools present and handle this data, is crucial and often overlooked. Being humble and doing your homework is a real virtue.

Knowing the history of a file system family like FAT gives us insight into many peculiar things and situations, as well as understanding and intuition about what we can find, where, and why.

Saturday, March 15, 2014

EnCase refresher

A week ago a small EnCase refresher was done for some of our clients. Since EnCase has plenty of sub-releases in one year, it is wise to do some leveling and a discussion of new features. The key new concept added since the last meeting is distributed processing and remote preview without SAFE. There were also plenty of other changes in the interface, tagging, the file attributes tab, conditions etc., and some hardware issues about machine configurations, adding disks, memory, processors and dongle issues.

Many things to go through in two days; it was interesting, and we did a bit of a pizza party too.

We had plenty of talk about conditions and their usage, especially the strategy for creating and using conditions. We were showing methods and how to combine and reuse conditions among cases and among members of the team. Naming conventions, commenting, internal filters... a lot of things to talk about.
I've put some thoughts on attribute conditions on this blog before.
Basically there are two methods: one where you use simple conditions and apply them recursively to the results of previous conditions, and one where you write a big monolithic condition in advance.
There was discussion about what is better and why, what is faster, how to organise attributes in conditions: a lot of theory.

Thursday, March 6, 2014

First two lectures in "Digital Forensic Basis"

The first two lectures flew by: a relatively small group of 10 students, and more like a debate and chat than a hard lecture. Actually we are going a bit slower than I planned, but it is exciting and interesting. It was a general intro on what we have been doing, some issues with other similar curricula here, etc.

I have one long intro presentation where I put most of the general ideas and subjects. It is a more or less updated version of the one I put on SlideShare ages ago.

What we will cover in lectures:
  • Introduction to digital forensics
  • Basic concepts and definitions
  • Basic operation of digital forensics
  • What are digital evidence and artifacts
  • Links with other areas of computer security
  • The legal significance of digital evidence and artifacts
  • Characteristics of digital forensics tools
  • Applications of digital forensics tools and preparation of system
  • Verification and selecting tools
  • Antiforensics: methods and tools
  • Traces of antiforensics
  • Legal aspects
  • Mobile devices, network forensics
  • Preventive forensics 
  • Cloud forensics

Also I'll provide some professional devices and tools to present during the lectures, so students can get an idea of how they operate.

Wednesday, March 5, 2014

Opencourseware and digital forensics

Opencourseware is a great idea started long ago, and today there are topics on digital forensics too. A very good site is opensecuritytraining.info; I was really delighted with the Android forensics training.