
Book Review – XBOX 360 Forensics

January 8, 2012

A Digital Forensic Guide to Examining Artifacts

Rating ****

XBOX 360 Forensics offers a fairly in-depth introduction into the world of Games Console Forensics and the tools and techniques required to carry out investigations into Next-Generation Games Consoles.

As popular gaming platforms become more and more sophisticated, using their own operating systems and accessing the Internet for various types of transactions, the potential for illegal and malicious activity is dramatically increasing.

Bolt starts the book with a detailed description of the XBOX 360 system, the setup process, and how to sign up for, and connect to, the social side of the XBOX 360 gaming experience: XBOX Live. It is this social outlet that is the main cause of concern for the public, with news reports of paedophilia and child abuse stemming from meetings organised through the mail and chat functions built into the online portal.

Bolt does not provide much information on other crimes that can be committed using the console, such as malicious activity resulting from the installation of a secondary operating system (for example, Linux), but the console’s malicious potential is made quite clear and the need for a set method of investigating consoles is prominent.

With very little documentation on the investigation of consoles available to the investigator, Bolt has provided the perfect starter guide for forensic investigation all the way from acquisition through to analysis. Rather than just provide the tools and techniques, however, Bolt takes the reader along the journey of investigation and provides a very detailed walkthrough of the baseline contents of the XBOX 360 Hard Drive, explaining the various different file types (such as PIRS, LIVE and CON files) and sector locations of valuable information.

The guide describes the use of only a few tools, but within this provides an in-depth and efficient method for analysing the Hard Disk Drive. The tool that takes the spotlight in the investigation, Xplorer 360, is not strictly a forensic tool but more of a console management tool, used to connect the XBOX 360 to a computer via the network and interact with it. It is interesting that this piece of software should give the investigator a way to find artifacts that the standard forensic tools, such as Guidance Software’s EnCase and AccessData’s Forensic Toolkit Imager, had not previously found. A criticism of the guide is that its main focus is on the Hard Disk Drive, which, while holding some of the user information and game saves, does not contain the operating system or memory stack. Bolt mentions that this information is held within specific hardware inside the console itself, and it would seem prudent to provide methods to investigate these artifacts, especially when the need for live analysis is increasing.

Summary

The book does seem quite basic throughout, providing technical details that most investigators would probably be able to figure out for themselves. However, it is an easy read and one that would prove interesting to most who do not know much about the investigation of games consoles.

Willem Knot

Book Title:   XBOX 360 Forensics

Book Subtitle:   A Digital Forensic Guide to Examining Artifacts

Author(s):   Steven Bolt (Samuel Liles – Technical Editor)

Publisher:   Syngress/Elsevier

Date of Publishing:   7th February 2011

ISBN-13: 978-1597496230

Price:   £36.99 (UK), $59.95 (USA)


Book Review – Extrusion Detection

January 8, 2012

Security Monitoring for Internal Intrusions


Rating *****

Despite being over six years old now, this book is not outdated in the slightest. While most network security books and guides focus on perimeter defence against outsider threats, Bejtlich concentrates on attacks launched from within the organisation. At the time of publishing, this book was unique in its approach to defensive practices and is intended to go hand in hand with Bejtlich’s ‘Tao of Network Security’, picking up where Tao left off and concentrating solely on defence, where Tao started from the point of view of the attacker.

The first thing to notice about this book is the foreword by Marcus Ranum, which, unusually, consists of an interview with the author and highlights how different Extrusion Detection is from other network security guides.

The book is aimed at all those who have an intermediate to advanced knowledge of network security, and so should be used by those just starting out in the industry, especially as Bejtlich talks about tools and techniques that, at the time of writing, were not common practice amongst professionals. However, it holds great potential value as an addition to anyone’s security/information assurance library.

Traditionally, the main focus of network security has been on keeping hackers and malicious users out. The book is split into three sections, Detecting and Controlling Intrusions, Network Security Operations and Internal Intrusions, taking the reader on a journey from the reasons to look for extrusions through to the various types of extrusion, such as malicious IRC bots. Bejtlich uses various technologies, such as proxies and IDS/IPS, as demonstrations, using commands that can easily be adapted to organisations’ own technologies.

For those specifically interested in Network Forensics, Bejtlich devotes an entire chapter to just this and discusses the links between the security practices discussed throughout the book and the forensic practices used within the chapter. Incident Response is also explained prior to Forensics. Bejtlich gives a detailed introduction to Network Forensics and describes it as differing from Digital Forensics in that it is focused on packet capture, using tools such as Wireshark/Ethereal. The emphasis here, however, is that Network Forensics is a valuable and crucial part of the defence of a network infrastructure against both internal and external threats.

Followers of Richard Bejtlich’s Tao security blog will instantly recognise his unique method of describing and demonstrating the various tools and techniques required to put Extrusion Detection into practice. Throughout the book there are valuable diagrams, screenshots and actual packet captures that help the reader to fully understand each point that is made, a feature that is often overlooked in many security guides.

Summary

This book is a valuable read for anyone interested, or working, in the security and forensics industry. Bejtlich provides a refreshing approach to defensive methods and illuminates the potential damage of insider threats. Highly recommended as a partner guide to ‘The Tao of Network Security’; together they provide an ultimate guide to network security.

Reviewer Name:   Willem Knot

Book Title:   Extrusion Detection

Book Subtitle:   Security Monitoring for Internal Intrusions

Author(s):   Richard Bejtlich (Foreword by Marcus Ranum)

Publisher:   Addison-Wesley

Date of Publishing:   8th November 2005

ISBN-13: 978-0321349965

Price: £39.99 (UK), $54.99 (USA)


Call for Forensic Practitioners to Beta Test new Tool

August 4, 2011

CCL-Forensics, based in the UK, is offering Digital Forensics Practitioners the opportunity to take part in the final beta test, which is now underway. Any interested practitioners wishing to be involved should register at www.ccl-forensics.com/pip.

Researchers at CCL-Forensics have developed an innovative application for presenting the data held in XML format – a common data storage format, found on a wide range of digital devices and platforms including PCs, phones and SatNavs. The development in complex data interpretation is set to significantly speed up digital forensic investigations by enhancing the presentation of evidence from a range of commonly used devices.

Although XML is a text-based format, it is not user-friendly in its raw form, meaning digital investigators often have to manually manipulate large amounts of data to locate evidence relevant to their enquiry. XML files can contain, for example, internet history, web searches, SatNav recent locations, social networking history, and more.

CCL-Forensics has developed “PIP” to eradicate this problem. PIP is a software tool which parses data from XML files using the XPath query language and presents the investigator with results in a user-friendly, easy-to-interpret form. This saves a considerable amount of time and keeps costs to investigators to a minimum.

In addition, PIP natively supports Apple’s property list (“plist”) file format, in both its XML and binary forms.

“An XML file shown both in its raw form and when presented using PIP”

A regularly updated library of XPath queries is included within PIP, and CCL-Forensics is constantly researching opportunities for new additions to the library. For the advanced practitioner, however, PIP allows bespoke queries to be written for new data types which may be uncovered during the course of an investigation.

The team behind PIP also recognised the need for investigators to process a number of similar files simultaneously, and therefore developed a batch processing capability.
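As an illustration of the approach the release describes (parse XML and plist artefacts, run XPath queries drawn from a small library or written bespoke, and batch over several files), here is an added Python example. It is not PIP and not CCL-Forensics’ code; the SatNav XML, the history plist, the tag names, the query names and the file names are all constructed for the example. Plists are decoded with the standard library’s plistlib (which handles both the XML and binary forms) and normalised into an element tree of `<entry key="...">` nodes, because plist keys are not guaranteed to be valid XML tag names; the same XPath machinery then runs over both kinds of file.

```python
"""Added illustration of XPath over XML and plist artefacts (not PIP's code).

Every file, tag, key, value and query below is constructed for this example.
"""
import plistlib
import xml.etree.ElementTree as ET

# Constructed sample: an invented SatNav "recent destinations" XML file.
SATNAV_XML = b"""<?xml version="1.0"?>
<recent>
  <dest ts="2011-07-01T08:15:00Z"><name>Office</name><lat>52.19</lat><lon>-1.71</lon></dest>
  <dest ts="2011-07-02T18:40:00Z"><name>Home</name><lat>52.28</lat><lon>-1.58</lon></dest>
</recent>
"""

# Constructed sample: an invented browser-history plist. The empty-string key
# is deliberate: plist keys need not be valid XML tag names, which is why
# plist_to_tree() below maps keys onto <entry key="..."> attributes.
HISTORY_PLIST = {
    "WebHistoryDates": [
        {"": "http://example.test/search?q=forensics", "lastVisitedDate": "331000000"},
        {"": "http://example.test/page", "lastVisitedDate": "331000100"},
    ]
}

# A tiny query "library": name -> (row XPath, {column: XPath relative to row}).
# A column expression beginning with "@" reads an attribute of the row element.
QUERY_LIBRARY = {
    "satnav_recent": ("./dest",
                      {"when": "@ts", "name": "name", "lat": "lat", "lon": "lon"}),
    "history": (".//entry[@key='WebHistoryDates']/array/dict",
                {"url": "entry[@key='']/value",
                 "visited": "entry[@key='lastVisitedDate']/value"}),
}


def plist_to_tree(obj):
    """Turn a decoded plist object into an Element tree that XPath can walk."""
    if isinstance(obj, dict):
        node = ET.Element("dict")
        for key, val in obj.items():
            ET.SubElement(node, "entry", key=str(key)).append(plist_to_tree(val))
        return node
    if isinstance(obj, list):
        node = ET.Element("array")
        for val in obj:
            node.append(plist_to_tree(val))
        return node
    node = ET.Element("value")
    node.text = str(obj)
    return node


def load_artefact(data):
    """Parse bytes as a binary plist, an XML plist, or plain XML, in that order.

    plistlib is only handed data that really is a plist: its XML parser
    silently ignores unknown elements, so arbitrary XML would come back as
    None instead of raising.
    """
    if data.startswith(b"bplist"):
        return plist_to_tree(plistlib.loads(data, fmt=plistlib.FMT_BINARY))
    root = ET.fromstring(data)
    if root.tag == "plist":
        return plist_to_tree(plistlib.loads(data, fmt=plistlib.FMT_XML))
    return root


def run_query(root, row_xpath, columns):
    """Select row elements with one XPath and fill each column with another."""
    rows = []
    for node in root.findall(row_xpath):
        row = {}
        for col, expr in columns.items():
            row[col] = node.get(expr[1:]) if expr.startswith("@") else node.findtext(expr)
        rows.append(row)
    return rows


def run_batch(files, query_name):
    """Apply one library query to many (filename, bytes) pairs, tagging each row."""
    row_xpath, columns = QUERY_LIBRARY[query_name]
    results = []
    for name, data in files:
        for row in run_query(load_artefact(data), row_xpath, columns):
            results.append({"source": name, **row})
    return results


def demo():
    """Run the library over the constructed files; returns (satnav, history, home)."""
    xml_plist = plistlib.dumps(HISTORY_PLIST, fmt=plistlib.FMT_XML)
    bin_plist = plistlib.dumps(HISTORY_PLIST, fmt=plistlib.FMT_BINARY)
    satnav = run_batch([("recent.xml", SATNAV_XML)], "satnav_recent")
    history = run_batch([("History.plist", xml_plist),
                         ("History.bin.plist", bin_plist)], "history")
    # A bespoke query outside the library: destinations named "Home" only.
    home = run_query(load_artefact(SATNAV_XML), "./dest[name='Home']", {"when": "@ts"})
    return satnav, history, home


if __name__ == "__main__":
    for table in demo():
        for row in table:
            print(row)
```

Two design points are worth noting. ElementTree implements only a subset of XPath (child and descendant steps, attribute and child-text predicates), which is enough for the row-and-column style of extraction shown here; a full XPath 1.0 engine such as lxml would be needed for functions or axes. The format sniffing in `load_artefact` is deliberately explicit, because plistlib’s XML parser ignores elements it does not recognise and returns None for a non-plist XML document rather than raising, so relying on an exception to fall back to plain XML would silently lose data.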

PIP was created in response to demand from Law Enforcement Agencies to streamline the presentation from the increasingly complex range of digital devices – for little additional cost to the taxpayer.

Alex Caithness, the developer of PIP says “One of the biggest frustrations of any digital examiner is the fact that their tools extract data which they have to manually interpret to turn into a reportable format. PIP is designed to eradicate this problem for XML and plist files.

These files are used in many different devices and applications – the iPhone to name just one. Investigators are seeing a great deal more of these devices, and without a tool like PIP, they may be spending time manually processing them.

This is doubly unfortunate, because they have already carried out the first step – by extracting the data.  They just now need to interpret it.  PIP does this effortlessly.”

PIP is a constantly evolving tool and the developers would welcome suggestions for future functionality.  For more information, please contact Marketing Manager Andy Holmes on +44 1789 2621200 or email aholmes@ccl-forensics.com.



I’m about to enrol on a forensics degree at university, can you give me any hints/tips on how to be successful in forensic IT?

July 30, 2011

The above question was sent to Digital Forensics Magazine. We thought it warranted a thoughtful answer, so we asked Dr. Richard Howley, MSc Forensic Computing and MSc Computer Security Course Leader at De Montfort University, for his views.

The suggestions below focus on the early part of your career, i.e., your degree and entry into the profession. Others may contribute suggestions regarding being successful as you join the profession.

1.    Get your degree from an established, respected and well connected institution. Ask your university who they work with, what visiting lectures did they have last year, what national and international initiatives are they involved in? Research into who these people are, what their organisations do and what the initiatives are. Building up your knowledge of the UK and USA forensic IT landscape is important.

2.    Get qualified. The importance of training and qualifications in this business is well known and documented. Academic awards are highly prized as is evidenced by the popularity of MScs amongst members of the profession.

3.    Get connected. Register with as many forensic IT professional bodies, forums and blogs as you can manage and monitor their work.

4.    Ask your university to provide you with some suggested preparatory materials and or activities. At De Montfort University we hope that you are already hungry for knowledge and motivated enough to seek it out; we expect you to be pushing us to provide you with work you can be doing before joining us. A list of technical skills that new entrants to our courses can develop prior to starting is provided at: http://www.cse.dmu.ac.uk/~rgh/MSc_FC_MSc_CS_FAQs.htm#q16

5.    If your university doesn’t provide pre-course guidance then consider the following:

  • There are many very good text books on this subject and many come with an extensive set of investigative exercises. They take you through the process of ‘static’ PC based forensics very well. All the software, cases and evidence files you need are usually included on a DVD – a great resource. For recommendations email me.
  • Seek to understand ‘live’ forensics including malware analysis, reversing, live network forensics, memory forensics and virtualisation. Many good online and text based resources exist to support your study of these topics.
  • Other emerging concerns that you should seek information about include small scale mobile devices, e-discovery and massive data sets, the ‘cloud’, etc.
  • Mobile phone forensics is very popular and worth looking into – partly because some of the major software companies provide free trial versions of their software with online tutorials.

6.    Linking academic and professional practice involves issues such as continued professional development, research design and implementation, and report writing.

  • Your degree is the first step in a process of life-long learning; forensic IT never stands still and as such the learning you undertake prior to starting and during your degree will provide you with independent study skills that will serve you well throughout your entire career.
  • Whilst your course and profession may appear predominantly technical never underestimate the importance of the social, ethical and legal context of your work. You will cover this at university and your knowledge and consideration of it should be updated and applied throughout your career.
  • When you start work in the field you will quickly discover that the text books don’t have all the answers. You will need to identify and research new solutions to novel situations. This will involve designing experiments and implementing them to explore and inform your evidential hypothesis – this classic academic/research process has huge relevance to your later professional practice, so don’t underestimate it and take every opportunity to practise and develop these skills whilst at university and after.
  • Writing essays or reports and giving presentations at university are not just academic exercises. They are direct training in skills that the forensic IT professional needs. You must be able to write concisely, persuasively, accurately, with precision and in an evidence-based manner. The same is true of public speaking and presentation, i.e., giving evidence. The more frightening you find the prospect of public speaking – the more you must do it! Start in a gentle way; asking questions in class or contributing to discussions is a first step in public speaking, so do try and take part. Take every opportunity to develop and practise these skills – we can all improve no matter how experienced we are.

7.    Finally, in the profession you will be expected to know multiple operating systems (Windows and Linux extensively), file systems, hardware, connection protocols, cables, devices, etc. So get an old machine or two, a screwdriver, a bunch of operating systems and play (carefully!) – and learn!

It’s a great profession – good luck on your degree course and in the profession that follows.

Dr. Richard Howley
MSc Forensic Computing and MSc Computer Security Course Leader
De Montfort University


The first annual (ISC)² Security Congress

June 22, 2011

(ISC)² Security Congress – Collocated with the ASIS International 57th Annual Seminar and Exhibits – September 19th – 22nd, Orlando, Florida

The first annual (ISC)² Security Congress offers invaluable education to all levels of information security professionals, not just (ISC)² members. This event will provide information security professionals with the tools to strengthen their security without restricting their business. (ISC)² and ASIS International have teamed up to bring you the largest security conference in the world, with five days of education and networking opportunities. Don’t miss out. Register today to make your selection from over 200 conference sessions, and to take advantage of free education and special pricing on official CISSP and CSSLP Intensive education. For more information, please visit:
www.isc2.org/congress2011

