Sunday, November 13, 2016

Graduation exams at VSITE

Last week I attended a few final graduation exams. One of the candidates, Antonio Zekić, did perfectly. His thesis "Forenzička analiza malicioznih programa" (Forensic analysis of malicious programs) was done under my mentorship; I had hardly anything to do except enjoy reading it.

Here are the summary and keywords of the thesis:

"This thesis briefly describes the process of identifying, documenting and collecting data which is subject to forensic analysis. Techniques described include the process of proactive data collection, forensic hard drive duplication and collection of other key evidence.
The thesis also presents methods used in forensic analysis of collected data and key evidence which includes analysis of the file system, memory image, Registry database, Prefetch files, scheduled tasks and Event log entries. Most commonly used malware persistence mechanisms are described along with dynamic and static analysis of malicious software.
The thesis concludes with practical work based on an actual case in which a pre-prepared computer is infected with malicious software. The process of forensic analysis presented in the practical work includes analysis of a memory image using the Volatility tool and its modules, as well as file system analysis carried out using the Autopsy tool. The thesis also describes the techniques of dynamic and static analysis of malicious programs, conducted in order to collect information about the malicious program itself, its functions and its purpose."


Keywords: Forensic analysis, malware, memory analysis, hard disk analysis, static analysis, dynamic analysis, Volatility, Autopsy

It was done from real-life, everyday work practice, and we are thinking of extending our lab exercises based on this paper because our current materials are a bit old. The problem we have with the RFOR curriculum at VSITE is a chronic lack of trained people, so materials and equipment stay unchanged for a long time.

Tuesday, November 1, 2016

Urgent Issue with Encase v8 and Windows 10

It was just announced for v8.02.01: there is a big problem with foreign languages (anything other than plain English), indexing is not working correctly.

In the "EnCase Forensic Version 8.02.01 Release Notes, October 25, 2016", under "Found in Version 8.02.01":
Quote: "FOR-5348: Foreign languages are not properly indexed when running EnCase Forensic on a Microsoft Windows 10 operating system."

To make things worse, Microsoft has stopped selling Windows 7 and 8, so all new sales and installations are now in limbo.

The workaround is not to use Windows 10, or to use virtualization on Windows 10 if it is not possible to install Windows 7 on your machine. Actually, for any stronger machine (more than 8 cores and more than 64 GB of RAM) virtualization is a good idea anyway, since most forensic software cannot utilize the full resources.


6.11.2016

There was also an additional problem which now looks solved. The initial distribution of v8.02.01 was done without the correct certificate for dongles; the result was EnCase starting in acquisition mode, accessing and reading the licence dongle correctly but being unable to register with it. The debug output from CodeMeter shows that straight away. It took about two days to get correct certificates distributed. In the meantime v7.14.01 got out too; I have not even touched it yet.

I have a horrible feeling of déjà vu from the early days of v7 ..

The good news is that keyword / raw search is now how it was in v6, with even conditions and filters able to work on search results. Still there is no method of accessing the code of default conditions; the Copy feature is not yet implemented, so you have to do it like this: How to edit or reuse system provided condition code in EnCase v8

19.12.2016

Since all this started we have had the v8.03 roll-out, with programmable pathways, and still issues with indexing and keyword searches. I've noticed that a keyword search can't be updated until at least one keyword search has been successful, or at least it behaves that way in my environment. I have not yet checked indexing, but there is a lot of yammer on the forum about indexing troubles.
Programmable pathways look a bit unfinished and rough; it all boils down to creating a simple investigation workflow or a high-level program ... I'm tired of pointing a finger at such issues and concepts well known from other areas of computing science :) :)
Instead of using a wizard to copy from one pane to another, why not write

open investigation "myinvestigation" by template "basic"
add evidence file x.ex01
do processing
do indexing
do find partitions and mount findings
tag search by keywordlist "listone"
bookmark findings
end

20.12.2016

I forgot to mention issues with the new licence manager schema :) there are so many issues now that it is easy to forget about some of them. Guidance Software did some licence technology change in version 8, probably with some good reason, but that caused a lot of problems (I've posted a few lines about it and the v8.02.01 first roll-out). At the moment SAFE and NAS are separated into two distinct services, SAFE and LM (licence manager), and we have a lot of problems in one university classroom with this "migration" process. There is a hugely overcomplicated procedure for migrating from v7 SAFE/NAS to v8 SAFE/LM, but it does not correctly cover educational licences. Here is the link to the official procedure.

In the end, after detailed testing and checkup, it was working, but we ran into one of the "features" :) The final LM issue was the Tools->Options->Licence manager entry for the IP address. It was a chain of events. From the documentation it is not clear that you have to put there not only the IP address of the LM but a TCP port too. Also it looks like there is no validation of input values for that field. So we had the first failure from putting in only the IP; support suggested adding the port too, and here the second error fired: during copy-paste somehow one blank before the IP was copied into the field and that was enough to break it. So instead of "IP:PORT" it was " IP:PORT", an invisible error and a lot of figuring out what was wrong...



This is how it should be, without any leading invisible characters ..
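The two failures above (IP without port, then an invisible leading blank) are exactly what a small input check catches before they cost hours of support chat. This is an added example, not EnCase or OpenText code: a Python validator for a "IP:PORT" licence-server entry that reports hidden whitespace at either end, a missing port and out-of-range ports; the addresses and the port 4445 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

# Characters that are easy to paste in by accident and invisible in a text field.
INVISIBLE = {
    " ": "space",
    "\t": "tab",
    "\n": "newline",
    "\r": "carriage return",
    "\u00a0": "non-breaking space",
    "\u200b": "zero-width space",
    "\ufeff": "byte-order mark",
}


@dataclass
class EndpointCheck:
    raw: str
    ok: bool = False            # True only when both IP and port are usable
    normalized: str = ""        # cleaned "IP:PORT" string, set only when ok
    problems: list = field(default_factory=list)


def check_endpoint(raw: str) -> EndpointCheck:
    """Validate a licence-server entry of the form IPv4:PORT.

    Every problem found is collected instead of stopping at the first one, so
    the user sees both "missing port" and "leading blank" in a single pass.
    """
    result = EndpointCheck(raw=raw)

    # 1. Hidden characters at either end (the " IP:PORT" case from the post).
    for where, ch in (("leading", raw[:1]), ("trailing", raw[-1:])):
        if ch in INVISIBLE:
            result.problems.append(f"{where} {INVISIBLE[ch]} (U+{ord(ch):04X})")
    stripped = raw.strip("".join(INVISIBLE))

    # 2. Split host and port. rpartition leaves the host intact if ':' is absent.
    host, sep, port_text = stripped.rpartition(":")
    if not sep:
        result.problems.append("missing port: expected IP:PORT, got only an address")
        host, port_text = stripped, ""

    # 3. The field takes an IPv4 address, not a host name (assumption for this example).
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        result.problems.append(f"invalid IPv4 address {host!r}")
        ip = None

    # 4. The port must be an integer in 1..65535.
    port = None
    if port_text:
        if port_text.isdigit() and 1 <= int(port_text) <= 65535:
            port = int(port_text)
        else:
            result.problems.append(f"invalid port {port_text!r} (expected 1-65535)")

    # Hidden whitespace is reported as a problem but repaired in 'normalized';
    # a missing/invalid IP or port cannot be repaired and leaves ok == False.
    if ip is not None and port is not None:
        result.ok = True
        result.normalized = f"{ip}:{port}"
    return result


if __name__ == "__main__":
    # Constructed samples: the two real-world failures plus the correct entry.
    for sample in ("10.0.0.5", " 10.0.0.5:4445", "10.0.0.5:4445"):
        r = check_endpoint(sample)
        print(f"{sample!r:18} ok={r.ok} normalized={r.normalized!r} problems={r.problems}")
```

Pasting the cleaned `normalized` value back into the field is the fix; the `problems` list tells you which invisible character was there in the first place.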

22.3.2017
Again almost a nightmare with the classroom at one of our educational clients, with edu licences now on the LM. It was renewed and the forms for SAFE/LM arrived, actually links to an upload page. We followed the procedure and got new SAFE/LM certificates. Everything worked and looked magnificent, but one thing was bothering me: the expiration time visible through Help->About was the same as before the renewal, a possible quirk .. In fact it was not a quirk; the renewal failed, since Guidance was unable to send us a real dongle extension certificate. A lot of chatting with tech support to find out what was wrong; we got an apology but also a living fear of upgrades and new versions...

29.3.2017
The correct dongle certificate arrived, with an apology, but now SAFE/LM is not working, an almost unbelievable situation. It looks like the whole Guidance certificate generation system was broken when we sent our request to Guidance. So back to the support portal to get everything that Guidance messed up sorted out.

6.4.2017
The mess is finally over. With the latest dongle extension certificate, for Forensic v8, LM and SAFE cannot be on the same machine, even though in the SAFE a.03 installer there is a recommended configuration to use both SAFE and LM, but that is for the Enterprise version. So we got instructions on what to do: uninstall SAFE, enable LM, and it is working.

11.4.2018
A year later, with the licence upgrade, the same torture again .. OpenText Guidance sent the wrong certificate ..


Tuesday, September 20, 2016

How to edit or reuse system provided condition code in EnCase v8

It is a bit of a strange combination, since EnCase v8 brought back the condition/EnScript pane from v6, but with an unexpected twist. Why be simple if it can force you to hack your way around?
Probably because in v6 users were able to modify system-provided conditions and render them useless, it is now impossible for a user to see, edit or open the code of a condition and use it as a template for further development. You can only execute the code and hope it is what you think it is, since you can't see what it is doing :)

Fortunately conditions and the rest are still plain text files somewhere on your disk, and you can basically copy them from the system-provided path into your own user path and edit them. Plainly, it is manipulation through the file system. Remember it is in an internal format, not easily readable by plain humans.

Conditions pane now contains two folders:

  1. Default
  2. User

The Default folder contains all system-provided conditions, while User is for your own development. To edit anything you have to be in User sub-folders, since User itself is also a system folder and not editable by users.

So how do you simply hack this to see the code and reuse it?

1) Open the condition pane and in the "User" folder add a new sub-folder; this is the only place where you are allowed to make a folder or add a new condition as a user. It is a right-click action with your mouse.

2) In the Default folder find the condition you would like to edit/analyze and right-click "Browse" on it. This will open Windows Explorer in the folder containing your chosen condition.
Select your chosen condition and copy it with CTRL-C or the right-click copy option, then
close the Explorer window.

3) In the condition pane go to the "User" folder, select the folder you created there in step (1) and right-click "Browse" on it. This will open a Windows Explorer window where you can paste your chosen condition.
Close the Explorer window.

4) In the condition pane, right-click "Refresh" on the "User" folder; that will show your condition in your sub-folder.

5) Choose your condition and right-click "Edit" on it; you can edit it and see how it works!!!!!

All this would be unneeded if the copy function were still there in the condition pane ...

Ages ago I mentioned that it would be very good to enforce the practice of a standardized help or man page for each EnScript, condition or filter, but it will never be done.

PS: I'm quite sure this works for filters too.

25.10.2016

To do things more efficiently you can copy/paste the whole condition tree from the Default folder to the User folder; obviously the conditions will be available only for the user who does the copy/paste.

The default conditions are in the installation folder, in the Condition sub-folder "C:\Program Files\EnCase8.01\Condition", so you just copy its contents into your user condition folder: "C:\Users\\Documents\EnCase\Condition".
If EnCase is running you'll have to restart it to see the change.

It looks like in v8.02 or later we will have copy ability in the condition interface in EnCase, so we will not have to do dumb things like this workaround.



Sunday, September 18, 2016

FSEC 2016

My mistake, I forgot to put a link to the presentation for FSEC 2016, but somehow it went along with other developments. It was nice in the Opera House in Varaždin; the food was perfect, the day was wonderful, but in our track the lectures were derailed because of a sound system failure. Then for the second day we had to change our plans. To be honest it all started when our colleague who was supposed to go there went to Ireland; it was a change and we decided to put in another lecture, this time about "Remote Digital Forensics". It was a logical development after I had a serious discussion about the enterprise network as part of a forensic investigation.

Saturday, September 17, 2016

Introducing myself into EnCase v8

Since we finally got workable dongles I've started to get into v8 to see it, feel it myself and
find possible drawbacks.
After the experience with the introduction of v7, I know there is never enough testing.

There is already some very good comparative testing done with earlier versions and other forensic tools, like this one.
I'd like to try it on configurations I have close at hand and see how different versions influence each other, especially since there are issues with v7 and new v8 dongles.

I've noticed two things. On a very low-end configuration v8 gets about a 25% improvement in case processing speed, which looks related to improvements in disk access. The other thing is that if you change the dongle to v7 and start v7, it hangs if this is done after using v8; a reboot helps. This is consistent with the problems in the licensing differences between versions.

At the moment I'm using the tdurden evidence file which comes with the intro self-training for v7. I'll post configurations and results later.
After playing with tdurden I'll go for the new versions of the EnCase training and try to see if all works as it should. After that I'll try some NIST materials to see how those work too.

My first impressions are not very dramatic: it is an interface polish with an appearance change, but again with some important issues missed, still no conditions in the bookmark view, and for some strange reason the Records view was renamed into Artifacts.

24th Sep. 2017
I forgot to mention that most of the old scripts which work in recent v7 versions also work in v8; a shame this is not true for the RegRipper wrapper.

Wednesday, August 31, 2016

Lack of talents in cybersecurity

"Lack of talents in cybersecurity" was the title of one of the myriad articles and posts about the current sorry state of security in IT. So at the moment there is a shortage of people in that branch, but what actually are their expertise, skills and capabilities, what problems have to be solved by these people, why are they called talents and, most important, why is there a shortage?

I don't think it was much researched, but more seen as a golden opportunity. The educational / training industry is mass-producing certified experts, recruiters are recruiting, experts are "experting" all around, but somehow the only ones gaining results are the attackers.

Actually there was one piece of research here recently, among employers, about the IT security profession and IT security in general; it turns out that virtually no employer sees a need for such expertise or knowledge in the next 10-year period.

Let's get back from local peculiarities to the big picture. So there is a shortage of cybersecurity experts, without actually providing a definition of what a "cybersecurity talent" is; it's a bit fishy, isn't it?
And most of all, how will this new branch of experts fit into existing systems?

I should say it is a big failure of academic education and professional training, since a huge number of IT professionals are stamped out each year and somehow all these professionals are missing security awareness and skills. It simply sounds silly that someone would hire a programmer who does not know how to write safe and reliable code, but it looks like this is standard practice. Same for the sysadmins or any other role in the big picture. What I'd like to stress is the ability to provide secure and reliable IT products and services, not to produce and use a new branch of experts. It is like the game of adding people to a project which is late: it will only slow it down and make things worse.

You don't need to be a rocket scientist or a cybersecurity talent to know that if your enterprise is running on Windows infrastructure you are in trouble. It is actually about fixing a problem from inside the system, not from the top with blessed talents. There is a gazillion of vendors, tools, companies, almost miracle makers, and not much more security and reliability. It is fun watching all this, but somehow I'm expecting to see a cyberplague (I can't resist using the cy-word again) like the old Black Death plague, with real deaths, before something changes ...

Tuesday, August 2, 2016

TV CSI horrors anywhere

Recently while I spent some time on vacation I was forced to watch and listen, listen mostly, to some of the horrible CSI-everywhere, Criminal Minds and such TV shows. TV producers are making a lot of money out of that misery, out of those science- and law-enforcement-exploitation TV programs.
If only there were a way to sue TV producers to get that profit into something useful, like enhancing security and safety.

Monday, July 25, 2016

Some thoughts about SWIFT banking incident

One of my recent gigs was a result of the SWIFT banking incident in Bangladesh. Just to put things right, I'm not an expert on malware analysis; my knowledge is related only to a few online papers about the incident and chats with a few law enforcement officers who were involved. My experience with SWIFT and banking is an ancient one; my last meddling was more than 10 years ago, and my last SWIFT system was installed on AIX machines.

The available resources present in detail how the attack worked, the high quality of the attack code, results of investigations etc., very much detailed from a technical point of view. Since the original incident the same attack has also been done in a few other places.

What surprised me horribly was the fact that the SWIFT subsystem was implemented on a Windows machine.
I'm really curious why and how something so critical was put on Windows and what the reasoning for that was. The decision to use Windows OS for SWIFT looks like a disaster from any angle I can think of. I really can't figure out what the benefit of such a solution is. I'd really like to understand a) what the reason was for SWIFT to create a Windows version and b) what the reason was for the bank to use the Windows version of SWIFT.

The scenario which comes to my mind is very much like the one that was explained to me as to why major forensic software vendors do not have UNIX versions. It is like "our customers want us to use the Windows platform because this is the only platform they can efficiently use" ... Basically it boils down to cutting expenses, which is, as we know from history, a common cause of any horrible disaster.
The reasoning chain behind this is very common among non-IT industries, where people do not understand their own business process, its critical dependency on IT and the related risks. I'm quite confident we will see a lot of trouble of that type in the future, especially with "intelligent" devices and the IoT (Internet of Things) expansion.

27.7.2016

So how can we rationally explain using SWIFT on Windows? When you chat with people it comes out that the most common technical expertise is based on Windows OS, and MS-based OSes are the majority in medium business and enterprise, so it means a huge base of people and low expenses. On the other hand UNIX-based expertise is scarce and not easy to find; sometimes it is even worse, UNIX-based systems and expertise are a lot more expensive. Using an AIX machine for this purpose in a completely Windows-based enterprise creates a small expensive island if you compare it only to production costs, but if you compare it to the possible incident cost it is quite cheap. It is easy to prove: the total breach was about 800 million dollars, while the unrecovered sum is about 80 million; compared to 80 million, the total cost of any AIX SWIFT subsystem is invisible.
So we have here a rational chain of thought: a decision based on available expertise and commonality of OS, not taking into account risks and their costs. Something to think about, since these are not technical issues but organisational and managerial ones.

PS: I'm talking about AIX not because of IBM PR, but because my only SWIFT experience is with AIX. To be honest, in my days I've seen a few situations which were very deadly even for the AIX/SWIFT combination, but there was no breach.

1.8.2016
A very detailed report about the bank interaction on the Reuters site, worth reading: The SWIFT hack: How the New York Fed fumbled over the Bangladesh Bank cyber-heist

26.8.2016
I finally managed to chat about this story with friends and colleagues. Different positions and experiences, from FIRST to banking regulators.

1.9.2016
New articles about new developments and new attacks.
When you think about it, for an attacker it is best to have a weak entry point into the system, like a Windows node, rather than attacking the connection between the bank and SWIFT or the bank's IT. It is cheaper, since it is a common point; on the other hand each internal banking IT is a unique form of chaos ..

2.9.2016
From SANS NewsBites

SWIFT Warns Member Banks of More Attacks
(August 31, 2016)
 
In February 2016, attackers stole US $81 million from Bangladesh Bank. In a letter to its clients earlier this week, global financial messaging system SWIFT disclosed that there have been more attacks, some successful, against member banks and urged them to adopt strong security measures.

Read more in:
- http://www.reuters.com

16.10.2016
Again from SANS NewsBites; now everyone has found that SWIFT systems are hackable

Odinaff Trojan Targets SWIFT System
(October 11, 2016)
 
Malware known as Odinaff is being used to target the SWIFT funds transfer system. Symantec says that roughly 100 organizations have been infected with Odinaff. The malware makes its way into systems by getting users to click on a malicious Microsoft Office macro or password-protected RAR archive file.
Editor's Note

[William Hugh Murray]
Banks should use the indicators of compromise (IoCs) at https://www.symantec.com/security_response/writeup.jsp?docid=2016-083006-4847-99&tabid=2

Read more in:
- http://www.eweek.com: Odinaff Trojan Taking Aim at Financial Services
- http://www.theregister.co.uk: Second hacking group targets SWIFT-connected banks
- http://www.v3.co.uk: British banks targeted in new wave of Swift payments system attacks
- http://arstechnica.com: Emboldened by $1B Bangladesh hackers, new group targets SWIFT users
- http://www.computerworld.com: Second group of hackers found also targeting SWIFT users



19.12.2016
There is more news about this story; it looks like more incidents happened and were "under-carpet-stored", interestingly without much fuss. Now it is normal that such "strong" organisations fail with a huge flop.. Banks, governments.. ..
All this and the Yahoo breach story remind me of the old truth: if you need action you must have a heap of dead bodies.

7.3.2018
New stories about SWIFT bank attacks on some banks in Russia. It is on the SANS NewsBites. It shows how a good investment pays off for a long time.

Saturday, July 23, 2016

Probably a scam ...

A lot of connections are coming through this URL http://bit.ly/29ufKZW to this blog. It redirects to some fraud page somewhere far away .. so be careful.

Wednesday, July 6, 2016

Trying to get EnCase v8 ..

On the dreaded Guidance portal "Customer Community knowledge base" a new version of EnCase is listed

Software


EnCase v8 - 8.01
EnCase v7 - 7.13
EnCase v6 - 6.19.7
Portable - 4.06.02
eDiscovery - 5.13
Endpoint- 5.13

But ... you'll get only v7.12 when you try to download it ..

Also customerservice@guidancesoftware.com does not exist.

The KB is almost empty, with one article about CodeMeter problems with v8.


12. July 2016: today we just got the announcement of the v7.13 release, instead of 8 :)

It starts to be scary .. I suppose everyone is dead scared of version 8: Guidance because of the disaster with 7, customers because of getting something completely different and no one knows what from Guidance.

It looks like a lose-lose situation.

And then suddenly, on a completely unexpected account, v8 arrived;
it looks like there is a v8.0.1 in the wild.

13. July 2016: v8 is not working with our edu dongles :)

It means there is no way to try and test training scenarios to see how it works. It is our practice for each release, since v7 got out to the public, to see how training scenarios behave with the new EnCase.
We always try EnCase Essentials, Forensic 1 and Forensic 2, with some examples from the Advanced Forensics training. EnCase Essentials is perfect since each dongle can open the tdurden evidence file and the customer can do a test in their environment.

2. August 2016

This morning we had the announcement of the v8 version of the former EnCase Forensic I and EnCase Forensic II. Now there are new names:

EnCase Computer Forensics I is DF120-Foundations in Digital Forensics with EnCase Forensic.

EnCase Computer Forensics II is DF210-Building an Investigation with EnCase Forensic.

What worries me is that my educational dongles are still not working with v8 and there is no official policy or announcement of what and when this will happen. It looks like all training partners are in the same trouble.

8.8.2016

It looks like it is now possible to get an extension certificate for edu dongles; we will see if this works.
Basically the procedure is to contact customer support as an ATP and send a request for an update with the dongle id and order id.

20.8.2016

Still the same, no version which can run on educational dongles.

26.8.2016 

Finally, organised and negotiated: we will get educational v8 dongles, our v7 dongles will get the usual extension certificates for one more year, but we will get no NAS licence.
I feel tired; it has taken us as an ATP almost a month to get v8.
As collateral, it looks like it is again possible to get demo versions of Enterprise and related tools.
I am so tired and fed up with commercial forensic vendors and products.
It is quite obvious why any attacker can wreak havoc ...

12.9.2016

Finally we got v8 dongles and they work !

20.10.2016 
There was an announcement of a new licensing server for integration of dongles, or better to say a NAS replacement, with EnCase v7.14; the instructions are extremely long and look complex, not a promising sign.

Thursday, June 30, 2016

Classroom and training preparation


Recently I've been involved in training abroad, mostly in the Middle East and Asia, and some interesting figures showed up. There is a procedure when we negotiate training in someone else's classroom: we always send minimal requirements to the training partner. Basically we have to get confirmation that we can use the classroom.
Somehow this procedure failed; recently almost 75% of partner-provided classrooms did not satisfy the minimal requirements. An incredible combination of wrong configurations, wrong OS, heavily infected machines, broken hardware, wrong type of machines (Macs instead of PCs), power problems, everything bundled up, you just name it. In all these situations there was a common line: we were negotiating with another company who was then facilitating things; in fact we were never in touch with the technical staff responsible for the classroom. A broken-telephone problem. It looks like this is an unsolvable, cultural issue, so how to prevent or mitigate such problems?
The obvious solution, to quit the course and force the partner to accept responsibility and pay penalties for mistakes, will not work. So we are left with: be smart, plan, prepare and adapt within your budget limits. This rules out "bringing the whole HW and SW class in one big Pelican box", a wonderful solution but way too costly.
To be honest I'd love to have even a small Pelican box with me, something reliable in the wilderness, but
we can only afford the approach where the Pelican box is a small one, with minimal HW :)

On what facts can we rely:

  1. classrooms are based on Intel machines
    • mixes of configurations, from dual-core 32-bit machines up,
    • at minimum USB 2.0 ports, bootable from USB
    • various localisations: keyboard layouts / languages
    • most machines do not have a working CD drive
  2. networking is usually there (wifi or wired) but can't be relied on
  3. computers are in various states of OS and SW anarchy

Strategy to win such a classroom:

1) we will use the existing classroom computers, but in a safe and reliable way,

  • boot each student PC into a reliable and safe Linux configuration and use an appropriate virtual machine for student work
  • boot can be from USB, over the network, or from CD (rarely)

2) for the classroom server use the trainer's or the trainer's backup machine

  • again use a virtual machine
  • boot from a safe boot source: USB, network, or CD (rarely)

3) for networking use the existing infrastructure, or wifi over USB and a 3G/4G hotspot on a local mobile device; this can be challenging

From these requirements you can easily draw up a list of HW and SW which fits into one small Pelican box, but it needs a huge amount of planning, testing and preparation. I'll cover that later.

13.7.2016 List of devices and tools for such a classroom



Items
Tablet / smartphone as local 3G/4G wifi hotspot, 8 connections
USB 3.0 stick with write-block HW switch, 32 GB or more
USB 3.0 hub with 4 ports and power
USB wifi module with Windows & Linux drivers
Laptops: 64-bit 4-core, 3 HD, 16 GB+, 4 USB 3.0 ports, GB Ethernet
USB 3.0 external disks and enclosures (with encryption)
CDs with various Linux distributions
USB CD-ROM / DVD
PCMCIA USB 3.0 card
USB 3.0/2.0 cables
USB 3.0/2.0 connectors / gender changers
Power supplies for all devices and spares
Extension cords, power connectors etc.
Tools, labels, stickers
Pelican box

Monday, June 13, 2016

Some thoughts on research, education and valorisation for cybersecurity

Dhaka, Bangladesh, 11.6.2016

Vision on research, education and valorization for cybersecurity

There is a huge problem based on the introduction of modern, deeply penetrating computer-based technologies into society and into the personal life of every individual. The term cybersecurity is just one small but crucial part of controlling this problem, or better to say understanding it. We do not yet understand how and why these technologies will change our society; we don't even have reliable definitions of cyber and cyber-related issues. Even among professionals in the field we don't have complete understanding or a good intuition, not to mention other involved but deeply ignorant parts of society, from the general population to top decision makers. For some of these issues we can find parallels in the past; my deep concern is that we are not understanding these processes, maybe we are even using the wrong methods to explore and analyze the situation. Some of these events look more like biological and medical than technical phenomena, more like the great medieval plagues when we observe behavior and possible impacts on our society.
For these reasons I believe cybersecurity should be looked on as something essential for modern society, practically like the role medicine has achieved today, with the same organizational approach to society: highly trained and highly ethical professionals, and widespread general knowledge with the practice of hygiene, in this case the recently developed cyberhygiene. The analogy should be even wider; we should think about introducing biological and medical ideas and concepts into our approach to cybersecurity.
In lecturing and research we should concentrate on good general IT knowledge and a technical perspective on various technologies, providing students with skills and the ability to adopt new knowledge fast. We should widen the knowledge of students by providing them with a social, legal and historical perspective on events and technologies, which is crucial, I believe, for understanding future events and trends. Such an approach is currently painfully missing, leaving students without knowledge about the interaction among technology, society, history and law.
For example, network security is a crucial part of cybersecurity, but in most of the current networking curricula networking is presented as just a set of standards and developments. Networking in the sense of security needs a holistic description of technology development and its impact on society. In that context the parallels between the US DOD approach to solving railway transport problems during the Civil War and solving communication problems by introducing TCP/IP in the Cold War look very similar, with the very same effects on society; there are commonalities even in the morphing and development of new types of crime. Without such an approach networking, especially TCP/IP, is just a technical issue of a set of protocols, not something opening new social development, a whole new wild west frontier. By providing such historical, social and legal context in teaching we enable students to grasp the dynamics and get a better understanding of current events and future developments. Applying this approach to cybersecurity we have to provide students not only with historical context, but with the legislative and human context of crime and law as well. To get a better understanding of the human element of "cyber" I believe we can introduce reading fiction authors like Stanisław Lem and Isaac Asimov because of their intriguing insight.
On the IT side we should provide students with IT skills in programming (especially defensive programming), scripting languages, operating systems theory, networking, language theory, digital forensics, system and network administration and security, big data handling, artificial intelligence and other relevant IT and science fields (especially practical mathematical knowledge).
Teaching should include practical work and theory, but in the sense that a student should be able to solve problems using scientific methods based on accepted theoretical knowledge, not just doing repetitive hands-on tasks or being frozen in a theoretical framework. The key quality will be the stress on analyzing a problem, understanding it, finding a solution and implementing it with evaluation of results, not just trying tools and raw computing power. Also we should stress the ethical approach and legal problems in solving complex real situations. By my observations we should also include more women in cybersecurity education, not only because of the lack of women in cybersecurity but at least because of the qualities of better group work in solving problems.
To achieve this goal there should be adequate technical resources (laboratories, classrooms, simulators with appropriate tools and equipment) and cooperation with other academia, business and law enforcement, locally and internationally. Practical work can be done in virtual and simulated environments, but there should be student exposure to physical equipment and real working conditions; a minimum of 10% of practicals should be with real hardware. Academic research should provide the framework and improve practicals, while practical problems and solutions should be based on theoretically predicted scenarios or conquered real-life events. There should be mandatory involvement of lecturing personnel in practicals and in supporting a CERT-type organization, with the goal of keeping practical skills up to date and understanding the student community. I would suggest a rotational approach with 25% of personnel lecturing theory, 25% doing practicals with students, 25% doing research and liaison, and 25% in other activities. To keep up with developments, practicals should be modified or replaced yearly; a good measure would be 30% changed per year, the same for the theoretical part.


Wednesday, June 1, 2016

EnCase direct servlet preview

I've done a short PPT on how a direct servlet is created and used in EnCase. Recently we often get such questions, so to simplify my work I've done a small PPT which follows the manual and put it on Slideshare. It is easier to discuss with a PPT than by going through the manual pages.

Monday, May 30, 2016

Managing digital forensic lab

For the last few weeks I found myself in an awkward situation, almost like an echo from some previous jobs, preparing materials for a training titled "Managing digital forensic laboratory". This is an almost accidental event, the first run of that training since we announced it a few years ago.
The story behind the course is strange by itself too. It all started as the result of a failure. There was one nice big project about setting up a digital forensic lab, for the dual purpose of forensics and education. Huge effort was put into the project, especially in preparing lab management materials and an intro course for that. Since the project didn't materialise we made the logical move, reused the prepared materials, and squeezed them into a 3-day training expandable to 5 days. The basic theory is based on the excellent book "Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility" by Andrew Jones and Craig Valli. I've decided to add additional things based on recent developments for datacenters and open source tools for compatibility and certification based on "Sarbanes-Oxley IT Compliance Using Open Source Tools, 2nd Edition", where we can show how to inexpensively build a management and control infrastructure even on Knoppix. For lab case management I've decided to implement the Foreman tool and mention a comparison with other case management tools like FTK Lab.
To cover the datacenter approach and introduce good practice in managing a lot of computing power, which is always missing, I've decided to use "Enterprise Data Center Design and Methodology" by Rob Snevely. There are a lot of other papers and web resources to mention and talk about ...

Thursday, May 19, 2016

FER lecture "Moć forenzičkih alata" (The power of forensic tools)

Yesterday I did a small 60-minute lecture at my old university; going there always brings nostalgia back, remembering and daydreaming. What always hits you is how many years have passed. Faces look the same, bright, young; the only difference is the laptops and smartphones all around. When I saw myself in a reflection I felt a pang of jealousy; the Amstrad 6128 and ZX81 from my days would be helplessly lost among the new thingies around. Even the mighty VAX under ULTRIX too..

With such thoughts, new wrinkles on my face, and new glasses I got into the old lecture room, the same one where 20 years ago we were playing with Expect language scripts tailoring some Cisco ATM switch configurations for experimental live video streaming.

This time skill was needed only to find the right presenter stick; all else was working more or less as expected. My battered Dell laptop was working well, MS PowerPoint 2016 froze only once, probably just to show who is the boss. In the audience were a few familiar faces, in the first row on the left my young and gifted colleague Savina Gruicic.

On the FER lecture home page there are links to the video capture and to the presentation.

Dr Pale did the intro words and I started. My plan was to be as short as possible, skimming the top of digital forensic topics, badmouthing a bit about current tools and practices, showing a brief run through EnCase v6, v7 and UFED, getting people thinking and asking, and hardest of all forcing myself to keep within the 60-minute boundary. People there are all from the computer science community; I just needed to show a topic, put a few words on context and let them think loudly :)
At the end we put in some new cyber-X words, Cyber-Hygiene and Cyber-illiteracy; really it is fun to make up Cyber words.
There were plenty of questions, I can recall only a few, like where you can get a career and training in digital forensics in Croatia; it was hard to answer since in 2 weeks I'll do some work in Dhaka, Bangladesh to earn my living :) ..



Thursday, May 5, 2016

Setting up EnCase classroom in Polytechnic of Zagreb

Just today we managed to set up an EnCase classroom with 10 workplaces. It was a pleasure and fun, relaxed work with everyone cooperating. Really relaxing action

20.5.2016 Still no official photos from the classroom... I don't know if this is just laziness or hush-hush

Actually this is the first official classroom for digital forensics with state-of-the-art commercial software. around

Tuesday, May 3, 2016

Cyber attacks and energy dependency

In light of the recent attacks on power-providing infrastructure around the globe, I remembered my thoughts from when I was last in the Gulf countries, Bahrain and Saudi Arabia. These countries are even intuitively related to energy. If you think of oil and petrol the first association is usually the oil- and money-rich Gulf countries. If you think more, there is also the most modern technology there, since it can be easily bought and requires minimal local workforce to deal with it. It is the same for all other aspects of life; the conclusion is that this combination is extremely vulnerable to cyber threats. They are hopelessly dependent on energy and technology to live everyday life, more than any other place on earth; only maybe the scientific bases in Antarctica are more dependent. The latest incidents show how misconfiguration or lack of proactivity can lead to disaster. What makes me think are the recent fires in Dubai and some other issues which show “quality” control problems, and such problems are important in cyber attacks. It would be nice to have the time and opportunity to work more on this; it looks like a very good situation for preventive digital forensics, but because of the sheer size with something vendor-agnostic like the Google GRR tool.

4th May 2016,
Nice article "Procurement: Saudis In Search Of Their Lost Work Ethic" on StrategyPage.com, which talks about the quality problem, workforce etc., things so important in cyber vulnerability.

Friday, April 8, 2016

Some raw thoughts on current digital forensics, IT security and data science

Recently I’ve been tasked with writing down some thoughts as discussion ideas and teasers on current digital forensics, IT security and data science. Some of these were floating around for a long time, more as a reaction to events than a real effort at a serious discussion.
At first glance digital forensics and data science do not have much in common, especially when we are talking about how digital forensics is approached and executed today. What is usually not taken into account is the fact that digital forensics is part of both computer and forensic science, two very different fields. At the moment digital forensics is a new field getting incorporated into forensics; digital specifics should be recognized and incorporated into the traditional forensic environment.
For a start, definitions should be stated. First we can introduce forensics and digital forensics. Forensics is “The application of scientific knowledge to legal problems” (Merriam-Webster), which includes forensic medicine, physics, chemistry, dentistry, fingerprints, DNA, firearm analysis and accounting, all traditional sciences. On the other hand, for digital forensics we have first the idea of “Forensic Computing” by W. Venema and D. Farmer in the late 1990s: “Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system.” When this definition of forensic computing is expanded with digital evidence we get digital forensics in the current sense. Per Wikipedia, “Digital forensics and Computer forensics” is defined as: “Computer forensics, sometimes known as computer forensic science, is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information”. In this context digital evidence or electronic evidence is defined as “any probative information stored or transmitted in digital form that a party to a court case may use at trial.”
To make things difficult, digital evidence is the key element of digital forensics, which makes it hard to accept in traditional forensics and law, where sound physical evidence is the gold standard. Also, forensic science does not deal with big amounts of data but with specific scientific scenarios and analyses resulting in limited datasets, which causes a different sensitivity to and understanding of data and computer science.
Even the basic Locard principle on which forensic science is built has its digital twist. Locard’s Exchange Principle is "Every contact leaves a trace" (Prof. Edmond Locard, c. 1910). It is perfectly correct: log analysis was one of the first branches of IT security and digital forensics to evolve. One of the key forensic principles is not to change the evidence; applied to digital forensics this means working with read-only copies of the data whose hash signatures provide proof that the data has not been changed. Translated into practical computing, this means the ability to do parallel processing limited only by media and processing bandwidth.
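As an added illustration of the hash-verified read-only copy described above (example code written for this post, not the author's or any vendor's tool), the following Python computes several digests of an image file in one sequential pass and later verifies a copy against the recorded digests, reporting exactly which check failed; the "image" is constructed sample data in a temporary file, not a real acquisition.

```python
import hashlib
import os
import tempfile

# 1 MiB reads: one sequential pass over the media with bounded memory.
CHUNK_SIZE = 1024 * 1024


def hash_image(path, algorithms=("md5", "sha1", "sha256"), chunk_size=CHUNK_SIZE):
    """Compute several digests of an image file in a single sequential pass.

    The file is opened read-only, so the evidence copy is never written to.
    Every chunk is fed to all hashers at once: the media is read exactly once
    and throughput is bound by disk bandwidth, not by the number of digests.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as image:
        while True:
            chunk = image.read(chunk_size)
            if not chunk:
                break
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(path, expected, chunk_size=CHUNK_SIZE):
    """Check a copy against the digests recorded at acquisition time.

    expected: {algorithm: hex digest} as written in the acquisition notes
    (hex case does not matter). Returns (ok, mismatches), where mismatches
    maps algorithm -> (expected, actual) for every digest that differs.
    """
    actual = hash_image(path, algorithms=tuple(expected), chunk_size=chunk_size)
    mismatches = {
        name: (expected[name].lower(), actual[name])
        for name in expected
        if actual[name] != expected[name].lower()
    }
    return (not mismatches), mismatches


def make_sample_image(content):
    """Write constructed sample bytes to a temporary file and return its path.

    This stands in for a forensic image; it is test data, not an acquisition.
    """
    handle, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(handle, "wb") as image:
        image.write(content)
    return path


def flip_byte(path, offset):
    """Simulate a damaged or tampered copy by inverting one byte in place."""
    with open(path, "r+b") as image:
        image.seek(offset)
        original = image.read(1)
        image.seek(offset)
        image.write(bytes([original[0] ^ 0xFF]))


if __name__ == "__main__":
    # Constructed sample: a few MiB of non-uniform bytes, not a real disk image.
    sample = bytes((i * 7 + 3) % 256 for i in range(3 * 1024 * 1024 + 17))
    path = make_sample_image(sample)
    manifest = hash_image(path)  # what would be recorded at acquisition time
    print("manifest:", manifest)
    print("clean copy verifies:", verify_image(path, manifest)[0])
    flip_byte(path, 4096)
    ok, failed = verify_image(path, manifest)
    print("after one flipped byte verifies:", ok, "failed checks:", sorted(failed))
    os.remove(path)
```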
The core problem of digital forensics today is processing huge volumes of data. To be honest this is really a big unspoken obstacle which is often overlooked, sometimes not understood by digital forensic practitioners and even vendors. Disk sizes have skyrocketed from megabytes to tens of terabytes; this sheer volume of data in which the relevant digital evidence is hidden is a huge problem. Just to create a forensic copy of a one-terabyte disk you need at least 3 hours, and this is even before any analysis can be done. After that step the even more time-consuming process of finding and extracting digital evidence starts, and it usually takes much longer; sometimes days are spent in this process. This step is the analysis in digital forensics and is conceptually very close to the data mining process.
Current mainstream digital forensic tools are not capable of efficient parallelism, automation or scripting and are limited to Microsoft Windows platforms on Intel architecture, the “general purpose PC paradigm”, which is not the best choice for fast and efficient data processing.

Current problems and computing development make these issues practically unsolvable without using knowledge and experience from other computing science fields, especially data science. From the data point of view, we can separate digital forensics into two broad categories: classic postmortem forensics and live forensics, in the sense of whether we are dealing with static data or dynamically changing data. In both situations we have to work with raw data and transform it into meaningful digital evidence. This is even more significant if we are talking about incident response in modern networked systems. We can approach each end node involved in an incident as a data source which has to be collected and analyzed; a situation where we have very different types of data, from raw binary disk and memory images to process structures, elaborate log information or a local agent database. At the moment all this data is handled separately, not as part of one picture. To address these issues in an efficient way, data science knowledge should be used to refine methods and tools in digital forensics.

11.04.2016 link to draft presentation  for this discussion 

Wednesday, April 6, 2016

Datafocus 2016 and day after

Our small digital forensic conference finished yesterday, a nice event, a lot of people, some interesting lectures and good food. Our colleague Steve Gregory caused a lot of interest; this year he was on the Magnet Forensics booth just across from his former company's booth. Steve has been here since our first event, becoming practically the avatar for EnCase and Guidance Software; this year he changed colors and caused a lot of "what are you doing on this booth and in this shirt" questions. On the Guid booth was Mr. Jeff Hedlesky, Forensic Evangelist from Guidance Software, answering questions about changes and events in Guidance Software. Looks like CEIC or EnFuse this year will be interesting, probably dispersing some fears and providing some long expected news.
For me the most interesting lecture was by Steven Manson about interpretation of electronic evidence.

Tuesday, March 22, 2016

Looks like GuidanceSoftware / Guid support forum is not working

I've run into an issue with the new EnCase v7.12 during EnCase Advanced training; the processor started to die with error messages. Almost the same problem happened before and the solution was listed in one of the support forum topics. Looks like Guidance Software (now Guid) decided to move from the old support forum to a new one; it was announced about a month ago and it looks like it is not working yet.
It was announced that old accounts are not migrated, and now there are some issues with creating new accounts, so effectively it is not working. Some of our customers have already asked us what is going on and what they are doing wrong. Extremely unpleasant situation.
It was so embarrassing trying to log in, creating an account and getting strange messages about the email being already used. Maybe the most comic moment was during the password reset effort when I tried to guess the answer to the secret question.
It was almost the same situation with the partner portal some time ago and it took quite a lot of time to resolve. The partner web is not critical but a support forum is, especially for such a troublesome version as v7. Looks like bad luck or bad decisions continue to plague EnCase, even after cosmetic re-branding and huge product name changes.

Friday, March 18, 2016

Nice warning on hacking of cars

Just an article on BBC "FBI warns on risks of car hacking". It would be much better if we had a legal framework regulating manufacturer responsibility for dangerous and unnecessary technology embedded into systems. Just project this on the IoT idea and paranoia steps in :)
A fridge works perfectly without an IP connection, a hairdryer too..
It is not a problem of technology but of designers and unintelligent application of technology. The usual free market mantra "market forces will remove unsuccessful products and companies" simply does not apply; we need a legal framework and clear responsibilities.
Also it would be good to have a technical description of such critical systems approved through formal testing, and tools to do such tasks. Again I'll strongly recommend Nancy Leveson's writings.

Wednesday, March 16, 2016

Interpol and digital forensic training

Interpol is working on a cybercrime training proposal; as I understand it is still in an early stage, but it shows huge possibility of setting standards in this wild zone. Probably we will get something like the ISO/OSI networking model for law enforcement cybercrime training, if we are lucky a gold standard.

Looks like there will be a set of tracks, based on a compilation of current practice. Digital Forensics is separated from other roles, especially from investigation and intelligence / analytics, so it means full understanding of the digital forensics role, which is a bit obscured in many law enforcement environments. The same goes for judiciary and management, also clearly separated from other roles, but having the same knowledge requirements as other roles.

We will compare our training curriculum with the ideas from Interpol, to see what we are missing and how to improve.

Friday, March 11, 2016

It is hard to write something to blog

It is hard to write something for the blog; plenty of things happen but I can't see any usefulness in writing about them. I've finished one Advanced Forensic training and found the EnCase servlets for the latest macOS faulty; fortunately the new release of EnCase gets updated servlets. Nice to see EnCase is still trying to survive, but it all looks supernatural. Almost all the people I know left the company in the last few months; re-branding of the product, name changes, communication channels and support links, almost all is changed or gone.
Even worse, there were some arguments among shareholders and management mentioned recently on LinkedIn; all these are not good signs. Looks like the trouble with version v7, well known but publicly unspoken, is taking its toll. Even after so many years v7 is still dubious among many users.
Other big vendors had their own troubles too; AccessData had some reorganisation and splitting into different companies lately, the same signs of some kind of trouble, but at least FTK is still working in an acceptable manner.
I suppose these are the final signs of the problems this market has, or better to say the whole market of IT security and law enforcement oriented digital forensics vendors.
All this leaves a bad taste and big frustration.
I hope EnCase as a product can survive, since it has some great things in it, but also a lot of misconceptions. The Enterprise version with its fine-tuned access control system is good, a perfect thing which is strangely seldom seen in usage. The ability to develop code for your own extensions is extremely useful but again seldom used in the community. Looking from distant Europe, even further from broke and technically undeveloped Croatia, the whole market looks in turmoil with plenty of snake oil around.
It all looks like a giant flop waiting to happen.
Verizon put some nice case studies online worth reading, the "Data breach digest", nice reading; I'll prepare some of the cases as material for my students.

Monday, February 15, 2016

Unusual idea for digital forensic lab implementation

Some time ago I managed to have coffee with a friend of mine from IBM; we chatted about old times and about new things, trends etc. I've learned that there is a beautiful new, a bit scaled-down host machine designed to be a Linux virtualization platform on the old reliable host processor approach, the LinuxONE idea.

Wonderful thing for any data crunching and passing through a system based on Linux. It sounds like the perfect consolidation point for a forensic lab, with Linux machines running powerful database engines like Oracle, PostgreSQL or any other supported by Linux. Looks like Oracle is also taking this machine very seriously.

It's an almost perfect database server platform for a forensic lab, as FTK Lab was earlier, which was capable of running on an Oracle database. This machine can probably outperform Intel-based servers and provide much faster response for frontend forensic tools. Unfortunately the latest FTK does not have the possibility of using a non-Windows database engine, e.g. running the database on Linux, which was theoretically possible with earlier versions.

Wednesday, February 10, 2016

RFOR 2015/2016 finished

This semester lectures are in the late evening, from 19:15 till 21:00, an unbelievably hard time to concentrate for students and for me too. My old age is creeping up on me :) Still, it is true the quality of my lecture is not as good as I've been expecting. During morning office hours I've been doing a 2-day intro training into AccessData Sentinel SilentRunner, which takes a lot of effort and had an influence on materials and scores. I've tried to introduce Python and Linux but because of some other arrangements I had not enough time to put in detail.

Labs were also done satisfactorily; my colleague Dario Puntaric, who was in charge of the labs, and I will introduce more network forensic practicals for the next run. A lot of materials are prepared, so I assume we can do that without much drama. Also we need some mobile practicals and some open source intelligence things for students, like Maltego from Paterva.

Some interesting student seminar work was done:

  • iPhone forensics
  • XBOX360 forensics
  • Anti-forensic techniques
  • Android OS security
  • Recovery of lost data
  • Computer forensics
  • Digital forensics of images
  • Cryptography and PGP
  • SSD disk forensics
  • Forensics of digital images

It shows each student can find relevant sources, do a good compilation and extract the most important steps on how to apply the methods and tools from the sources to solve some problem.

An especially good one, which will for sure be used in the next lecture, is "Steganografija" (Steganography) by Mladen Strbad.