Wednesday, September 27, 2017

last five weeks

In the last five weeks, since August 19th, I've done 3 separate 5-day trainings on 4 different commercial digital forensics platforms. So I have felt the full hell of digital forensic standardization and compatibility issues.
Basically it is always the same thing to do (even on the same evidence files :) ) but with deliberately different terminology and methodology; a nightmare, actually.
We are asking the question why the current state of IT security is such a shambles; how things are done now is a really good example of how not to do things. This is really material for good scientific research into why such an important part of life is in such a horror.
I'll add some thoughts later; at the moment I'm amused by the parallel with maths before the introduction of Indian (Arabic) numerals with 0.

30.9.2017
The tools mentioned before were:

  • Magnet Forensics Internet Evidence Finder
  • EnCase v7 and v8
  • X-Ways
  • MOBILedit Forensic Express
  • and some references to F-Response
So you can imagine the differences and consistency problems ...

Tuesday, September 26, 2017

Some irregular thoughts on cyber weapons

My thoughts about cyber weapons ..
I'm thinking about how we are probably misinterpreting cyber weapons, probably because there is no body pile at the moment.

From the web, a cyberweapon is "a malware agent employed for military, paramilitary, or intelligence objectives." It is not a very helpful definition. I should say that a much better definition is derived directly from the term weapon, where the intention is much clearer.

Anyhow, we are missing a part of cyber weapons and the environments where they are used. The space where cyber weapons are used should be studied and analyzed in the sense of showing how this space reacts to and then interacts with the cyber weapon. Also how a cyberweapon can be prevented or minimized as a possible tool for retribution.

I should say it will be important to understand an epidemiological approach to cyber weapons and the space of their application. For example, let's look at the last cyberweapon exposures or weapon leaks. First a weapon was developed, stockpiled and then used; some time after usage the weapon was exposed through a leak and used by criminal organisations and other non-original users. Here we have interesting events going on. As soon as a weapon is used (activated, since it can be dormant), or better to say released (like germs), it will also be available to its primary target. If the weapon is active there will be some effects on the targets, and the target will soon find out what it was attacked with and how. The result is that this weapon is not secret to the primary target of the attack, but it is still secret to most of the world. This provides the primary target with an opportunity to strike the collateral area in the attacker's domain with the same weapon, this time reverse engineered from the primary attack artifacts and traces. How can this be prevented or controlled from the primary attacker's viewpoint? One method is to mimic medicine and use a "vaccination" process: the timely exposure of the attack weapon to its collateral area. The result is that the collateral area is exposed, damaged a bit and effectively vaccinated against the effects of the weapon primarily used. Looks very much like the NotPetya events ..

Recent huge databreaches

In the last few weeks a set of really important data breaches were posted. It looks rather real about the current state of affairs. I'm wondering if this is because of some offensive escalation in attacks, or just more effective monitoring, or stricter reporting rules?
Anyhow, it is hard to find impact results for these data breaches; I start to worry if this is maybe the result of an effort to do real economic damage?
We will see in the future how things will develop.

30.9.2017
Reports about the size and impacts of recent data breaches are still coming in with new information. The Deloitte story is going on and getting more scary. Maybe we are here talking of a new type of asymmetric warfare? All the events and the strategic value of data stolen, information learned and knowledge achieved are frightening. Also we don't know about other economic targets in the same class, if and how they are being affected. Just think about what analysts and strategic usage of all this collected data can do to the US economy and indirectly to military power.
Looks like my paranoia kicked in, into some global conspiracy theory :) But why not? It is like adding a new dimension to existing human activities, and one dimension in which all activities are interconnected, accessible and almost undefended.

Monday, May 29, 2017

Mipro 2017 conference in Opatija

MIPRO 2017 finished last week in Opatija. It is a nice conference where we usually present a few papers. This year I presented there a cooperation with my former student Antonio Zekic. The paper was supposed to be something else but it morphed into "Uvođenje novih sadržaja u nastavu digitalne forenzike i kibernetičke sigurnosti upotrebom studentskih radova" (Introducing new content into digital forensics and cyber security teaching using student work).

The day before I was presenting, there was a lecture "Životni ciklus elektroničkog dokaza" (The life cycle of electronic evidence) at the Faculty of Law, University of Rijeka. It was a two-hour talk about digital forensics and digital evidence for law students; more or less the usual intro, but this time I feel some better, more lively examples and cases are needed.

Saturday, April 1, 2017

Incident response and forensic tools: my fears

Since 2008, when we mastered EnCase Enterprise and its derivatives, it has been our tool of choice for enterprise / system level forensic data collection. It was reliable and easy to use for data collection, with the ability to script "specific" tasks. Also it was easy to feed collected data to other tools for further tasks. It had its quirks and a really not too helpful user interface, but it was much better than anything else on the market. Unfortunately with version 7 things started to become worse, and now, in the last few months with version 8, we have continuous problems. It is not so much with the tool but with licensing, getting extension certificates, reliability of the licence manager, documentation, support response, etc. The last change, from the Safe/NAS configuration in v7 to Safe for enterprise and LM for distributed licensing, caused a surge of problems with customers. At the moment it almost looks like the situation when Cellebrite was hacked, when the Cellebrite support database was compromised. Anyhow, whatever the cause is, the conclusion is that even if the tool is functional, because of these licensing issues it is not reliable enough to be used in any real incident situation. In the lab environment, sterile and not time bound, it is OK for forensic analyses, but for incident response in a compromised network it is simply not reliable enough, especially in the sense of a targeted attack, like the recent SWIFT affair. Anything of that type with strategic implications is a situation where we can expect a well organised and prepared attack aiming at the weak points of the response chain. For such an attacker it will be relatively easy to attack the licensing and authentication mechanisms of the EnCase Enterprise tool to disable it, and through this render IR useless or at least very slow.
There is an even more cunning and paranoid scenario, which would include an attack on Guidance Software itself to damage its capabilities to maintain licences and certificates for products. The current SMS extension scheme which is now in action, with the current forced moving of customers from "bad" v7 to new v8, is almost a perfect opportunity for such an idea.
Having all this in mind, some alternative should be found. I was working with several tools to see their features in such conditions and still there is no silver bullet. The conclusion is to have a set of tools, which complicates things a lot, with stress on the ability of early detection. A combination of GRR as open source at one end of the spectrum to Fidelis Cybersecurity at the other one looks like a good but complicated situation.

Wednesday, March 29, 2017

Interesting new webcast on SANS "Forensic State Analysis: A New Approach to Threat Hunting"

A new title, "Forensic State Analysis: A New Approach to Threat Hunting", for the old cumbersome name "preemptive enterprise forensics". A very interesting one, a lightweight approach :)
It is worth watching and projecting onto your system.

Wednesday, March 22, 2017

Faraday bags

We have a set of new Faraday bags, at first glance very good ones, from disklabs.com
It was just a few test mobiles and tablets tested, but it looks very good; even one was able to cut off wifi, 3G and bluetooth signals completely.

I am thinking maybe of planning some student research work, as a possible graduation thesis, to do a set of measurements with different devices and different bags and summarize at the end.

15th May 2017

After about 2 months of looking we found no one interested in this type of research. I've contacted local universities but unfortunately no candidates got back. The idea, tools and the rest will be left waiting till something happens.
Unfortunately it is not the first time to get such a response ...

23rd Sep. 2017
No activity even after the summer vacation :)
The idea will be shelved for good.

Thursday, March 16, 2017

Lectures in ORF just started

Lectures in Basics of Digital Forensics (ORF) just started last week. This time we have 6 students,
so it is a small, easy to work with group. There is one peculiarity .. the classroom is huge :) It is a stark contrast to when we had about 18 students in a very tiny classroom :) :)
The first lecture was also videotaped, but the video failed in the second half.

Tuesday, March 14, 2017

Very cute animation on BBC about IoT

A nice animation on the BBC site, "The era of ‘computerised catastrophic failure’ is here",
based on what Bruce Schneier believes is a ‘grand challenge’ in his field for 2017.
Simple to understand and beautiful to see, also based on vulnerable Flash ?

Just a few minutes later I noticed this post on a local news portal:
"Proizvodjaci vibratora moraju korisnicima isplatiti 4 milijuna dolara zbog spijuniranja" (Vibrator manufacturers must pay users 4 million dollars for spying). It goes so well; at the end of the article is one very curious line, "An unwanted activation of the vibrator is a potential rape" ... maybe far fetched but ..


15th May 2017
There is a very good article in the SANS reading room about securing home IoT, "Securing the Home IoT Network"; it is worth reading and applying to your home :)

Wednesday, March 8, 2017

Digital forensic sites from the past

I was recently taken down by an almost almighty flu. Among numerous cups of tea and aspirins there was time to catch up with reading and visit old web locations. It was refreshing to visit Wietse Venema's porcupine.org site and read the book and classroom slides in detail. There is my favorite definition of forensic computing and probably the earliest scholarly writing on digital forensics, still very much worth reading. When I'm lecturing digital forensics at uni, I'm always referencing this site and its ideas. With time, understanding of UNIX-like OSes has diminished among students, but it is still something an IT expert has to read if they want to be in IT security. Unfortunately this site is often only referenced in digital forensics curriculums, which is a great shame. Brian Carrier's book on file system forensics builds on the knowledge you can get from porcupine,

Thursday, February 23, 2017

Windows 10 UNIX power tools and forensic tools

Since Windows 10 has the ability to use UNIX power tools in the native environment, it gives a nice field to experiment. In theory tools like bash, awk, sed, grep, ed, vi ... and many more can be integrated into the forensic process with standard commercial tools like EnCase or FTK or whatever can run on the Windows 10 platform.
It was possible even earlier through Cygwin or other similar tools, but with more or less trouble, converting data with iconv etc ..
There is great potential, but I'm skeptical, since even the existing ordinary Windows script-like tools were not much used. There is no reason to change this just because of UNIX power tools.

On the other hand it will provide a much simpler environment around tools like Volatility; I always dread the way Volatility was handled in some training materials I've seen for commercial digital forensic software. The script command will now be natural and all IO will be processed in a much more consistent way :) :) I suppose "expect" will also be able to run on Windows 10.
I'll try it a bit and post results; this is a nice extension possibility for the current trend of using Python in forensics.

Some time ago I was writing about using command line grep from Cygwin to filter out the results of a sweep operation; it was not integrated, but it still shows the basic idea. Perl is here a very mature solution, but two drawbacks exist: knowledge and unicode handling. Lack of knowledge is definitely the biggest problem, especially the current attitude to "exotic" knowledge, as we've seen in the problems with the SWIFT attacks.
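As an added example (not from the post, and not any vendor's code), here is the "filter a sweep export with UNIX tools" idea carried through, including the iconv step that the unicode handling remark is about: Windows tools commonly write CSV as UTF-16LE with a BOM and CRLF endings, which plain grep/awk cannot read until normalised. The export, its column layout (Name,Path,MD5) and the known-bad hash list are all constructed for the demonstration; iconv, awk and a POSIX shell are assumed (WSL, Cygwin or any Linux).

```shell
#!/bin/sh
# Added example: normalise a Windows-tool sweep export and filter it with
# UNIX tools. Everything below (export rows, column order, bad-hash list)
# is constructed sample data, not output of any real tool.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed export: UTF-8 text -> UTF-16LE, then the BOM (FF FE) prepended,
# mimicking what a Windows GUI tool typically writes.
printf 'Name,Path,MD5\r\nnotes.txt,C:\\Users\\a\\notes.txt,d41d8cd98f00b204e9800998ecf8427e\r\nrun.exe,C:\\Temp\\run.exe,0123456789abcdef0123456789abcdef\r\n' \
  | iconv -f UTF-8 -t UTF-16LE > "$WORK/body.bin"
{ printf '\377\376'; cat "$WORK/body.bin"; } > "$WORK/sweep.csv"

# Constructed known-bad list, deliberately upper-case to show case folding.
printf '0123456789ABCDEF0123456789ABCDEF\n' > "$WORK/bad.txt"

# to_utf8 FILE: decode UTF-16 (iconv consumes the BOM) and strip CR so that
# line-oriented tools see clean UTF-8 lines.
to_utf8() {
  iconv -f UTF-16 -t UTF-8 "$1" | tr -d '\r'
}

# hits FILE BADLIST: print export rows whose MD5 column is in the bad list.
# Hashes are lower-cased on both sides so tool-specific casing does not matter.
hits() {
  to_utf8 "$1" | awk -F, -v list="$2" '
    BEGIN { while ((getline h < list) > 0) bad[tolower(h)] = 1 }
    NR > 1 && (tolower($3) in bad) { print }'
}

# hit_count FILE BADLIST: number of matching rows, for a quick triage summary.
hit_count() {
  hits "$1" "$2" | wc -l | tr -d ' '
}

hits "$WORK/sweep.csv" "$WORK/bad.txt"
```

Without the iconv step the same awk filter returns nothing, because every byte of the UTF-16 text is interleaved with NULs and the header/CR bytes never match.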

Wednesday, February 1, 2017

EnCase training changes

Looks like Guidance Software, or now GUID, decided to close down its network of international training partners (ATP). There were also some internal reductions, since the Chicago training center was closed in 2016. Now the 90-day closing period is on; by the end of April 2017 it all should be closed.
I suppose that will be a harsh option for police forces of smaller non-English speaking countries. Training will probably have a translator service involved ...