Tuesday, June 23, 2015

Summer 2015 coming

It's 15 °C outside with heavy rain... a wonderful intro to a glorious summer. I suppose it will be a different summer, more of an indoor, working one.

Since I'm feeling lazy and slow, there is a set of unfinished posts here on the blog ...
"Problems with malware"  started 5/9/15
"Classification of digital forensic tools" started 5/1/15
"Tools and users woes" started  5/1/15
"Ransomware and some ideas" started  5/1/15
"Some post Riga conference thoughts" started  6/21/15
"Digital forensics and really big data" started  6/13/15
Hopefully this shameful list will force me to finish them ... to be honest, I feel somehow restrained in writing. There are also some personal issues, both with the glorious 50th birthday coming 

Lecturing at Racunarstvo.hr is slowly coming to an end, just two more lectures to go. I'm not satisfied this time, probably because I was not able to force myself to introduce new things into the lecture. Somehow I feel I missed hearts & minds, probably due to sleepy minds at lecture time, 18:45 till 22:00. I've introduced some points and discussions from the ERA conference as interesting live points in the legal part. The Bahrain training left some bouncing questions in my mind. It all reminds me of the old science fiction of Asimov and Stanislav Lem. The Python lectures were left out this time; I was thinking of mixing them up with practical Linux command line issues, like in B.J. Grundy's LinuxLeo guide.

NUIX is coming back to the schedule for preparations, actually to prepare it as part of our portfolio, but I feel I lack hardware with enough power to implement and test solutions.



Thursday, June 11, 2015

EnCase v7 and some indexing woes

EnCase v7 is deeply oriented towards indexing as a fundamental step in investigation and data analysis, but it looks like the bad luck EnCase had with indexing in v6 continues in v7. It turns out that in the first few sub-versions of v7 indexing was not implemented correctly and was of little benefit in real life, more a source of horror.

Things got better in the latest versions, 7.9 and 7.10. Indexing now works more or less OK, but still with some peculiarities and features that are not easy to digest. I'll compile in this article some notes and tips which may help.

One quite useful thing you can get from indexed data is a list of keywords; it can be very useful in password cracking and for many other purposes. In version 6 it was possible to dump this data through an EnScript, but in version 7 this is now in the Passware tool interface. Even if you don't have the Passware kit, the dump can be done; it generates an index.words.txt file which contains data from the index file. Documentation is missing and there is no explanation of what is what. But from there it is still possible to feed dictionary attack tools etc.; you'll need some regular expression tools to further extract useful data from it.

A huge issue is also the lack of examples; for instance, there are predefined patterns in indexing for finding email addresses, credit card numbers etc., but no examples.

There is no clue whatsoever how it works at all. Trying combinations, you'll get no result or some confusing errors; there is only one small passage in the support forum about it, but no details, and results are erratic even in the latest version, v7.10.5.

In ordinary indexed search it is possible to use wildcard characters and patterns, but again it can be quite erratic. I was positive there were some issues with our local language localisation, but I was never able to reproduce it in a satisfactory way. A very confusing issue is globbing in indexed search versus regexp in raw search. Since it is possible to combine both in the same search, using two different query syntaxes is often misleading.
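As an added example (not code from the original post, nor from EnCase or Passware), here is the kind of regular-expression post-processing of the index.words.txt dump mentioned above: pulling out email addresses and Luhn-valid card numbers (the two patterns the post says EnCase has predefined but undocumented) and building a deduplicated password-candidate wordlist for a dictionary attack. The dump's format is undocumented, so "one token per line" is an assumption, and the sample content below is constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample standing in for index.words.txt. The real dump's format is
# undocumented; one token per line is an assumption made for this example.
SAMPLE_DUMP = """\
the
and
john.doe@example.com
Summer2015!
4111111111111111
1234
password
Passw0rd
JOHN.DOE@EXAMPLE.COM
4111-1111-1111-1111
zagreb
Zagreb2014
meeting
the
"""

# Email: local part, '@', domain with at least one dot and a 2+ letter TLD.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Card-like token: 13 to 19 digits, each optionally followed by a space or dash.
CARD_RE = re.compile(r"^(?:\d[ -]?){13,19}$")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_dump(text: str) -> list[str]:
    """Split the dump into non-empty, stripped tokens (one per line assumed)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def _dedupe(items):
    """Deduplicate while preserving first-seen order."""
    return list(OrderedDict.fromkeys(items))


def extract_emails(tokens: list[str]) -> list[str]:
    """Email addresses, lower-cased (addresses are case-insensitive in practice)."""
    return _dedupe(t.lower() for t in tokens if EMAIL_RE.match(t))


def extract_card_numbers(tokens: list[str]) -> list[str]:
    """Card-like tokens that pass Luhn, normalised to bare digits."""
    found = []
    for t in tokens:
        if CARD_RE.match(t):
            digits = re.sub(r"[ -]", "", t)
            if luhn_ok(digits):
                found.append(digits)
    return _dedupe(found)


def password_candidates(tokens: list[str], min_len: int = 6) -> list[str]:
    """Wordlist for a dictionary attack: case preserved, card numbers dropped,
    email local parts kept as candidates, other short tokens dropped."""
    cands = []
    for t in tokens:
        if EMAIL_RE.match(t):
            cands.append(t.split("@", 1)[0])   # local part is a likely password seed
        elif CARD_RE.match(t):
            continue                          # card numbers are not password material
        elif len(t) >= min_len:
            cands.append(t)
    return _dedupe(cands)


if __name__ == "__main__":
    toks = parse_dump(SAMPLE_DUMP)
    print("emails:", extract_emails(toks))
    print("cards:", extract_card_numbers(toks))
    for w in password_candidates(toks):
        print(w)
```

Point the script at the real dump by replacing SAMPLE_DUMP with the file contents; the candidate list printed by the `__main__` block can be redirected into a file and used directly as a wordlist for hashcat or John the Ripper. The Luhn check is what separates a 16-digit card number from any other 16-digit string, which the raw regex alone cannot do.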

Tuesday, June 2, 2015

ERA conference Riga June 2nd 2015

Today I gave the presentation "Collecting and processing electronic evidence and the essential difference between evidence and “traditional” forms of evidence" at the conference "Planning and Justifying the Search and Seizure of Electronic Evidence".

I think I pressed the listeners too much, since I did two presentations in one: first setting out the terms and definitions of digital evidence and digital forensics, and second presenting through slides how to use EnCase v7 in a basic digital investigation.
Impressions are good, almost the same good feeling as after Bahrain last week, but I can still say there are a lot of issues in the relations between lawyers and computer science.
One exciting talk on the margins of the conference, so interesting that I lost my way to the hotel,
was about data center data seizure. An extremely interesting question because of the possible technical twists and the volume of data.

There was a set of very interesting, very advanced presentations; I was the last one and went fast to keep to the schedule.

Ian Walden:
  • Computer forensics and the presentation of electronic evidence in criminal cases and
  • Planning and justifying the search and seizure of electronic evidence in the Clouds


Stephen Mason:
  • Challenges of international investigations (search and seizure) and other trial considerations (methods of presentation, admissibility tests)


Federico Paesano:
  • Investigating money laundering with bitcoins and other virtual currencies: challenges and solutions