<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Digital Forensics Magazine Blog</title>
	<atom:link href="http://digitalforensicsmagazine.com/blogs/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://digitalforensicsmagazine.com/blogs</link>
	<description>DFM Blog, the authoritative blog on all matters concerning cyber security</description>
	<lastBuildDate>Mon, 16 Apr 2012 19:05:53 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>UK Cyber Crime Specialists Required By HMRC</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=353</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=353#comments</comments>
		<pubDate>Sun, 15 Apr 2012 18:32:39 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Announcements]]></category>
		<category><![CDATA[Digital Forensics Magazine]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=353</guid>
		<description><![CDATA[Cyber Crime Specialist (2 posts) Fixed-term appointments for 2 years Flexible UK location A newly-created HMRC specialist cyber crime team will protect the exchequer from attempted fraud by cyber criminals who are using increasingly sophisticated ways to target HMRC’s repayment systems. They will build on HMRC’s existing cyber counter-fraud capability and existing investigation and intelligence work and are a key element of HMRC’s Cyber Crime and Security Strategy. Join our new Cyber Crime Team, and you will play a critical role in protecting your own, and everyone else’s information. We’ll look to you to provide technical expertise and consultancy on the impact of cyber crime on our systems, providing authoritative advice to regime owners and system designers. An excellent communicator, you’ll develop and maintain strong relationships with government and industry bodies to enhance our electronic fraud prevention and criminal investigation capabilities. You’ll also take the technical lead in complex criminal investigations, supporting investigative teams by identifying and securing digital evidence from internal and external computer networks &#8211; evidence to be used in criminal and civil proceedings. You’ll come to us with a proven track record of conducting cyber crime or digital forensics examinations in a commercial or criminal justice capacity. [...]]]></description>
			<content:encoded><![CDATA[<p>Cyber Crime Specialist (2 posts)<br />
Fixed-term appointments for 2 years<br />
Flexible UK location</p>
<p>A newly-created HMRC specialist cyber crime team will protect the exchequer from attempted fraud by cyber criminals who are using increasingly sophisticated ways to target HMRC’s repayment systems. They will build on HMRC’s existing cyber counter-fraud capability and existing investigation and intelligence work and are a key element of HMRC’s Cyber Crime and Security Strategy. Join our new Cyber Crime Team, and you will play a critical role in protecting your own, and everyone else’s information.</p>
<p>We’ll look to you to provide technical expertise and consultancy on the impact of cyber crime on our systems, providing authoritative advice to regime owners and system designers. An excellent communicator, you’ll develop and maintain strong relationships with government and industry bodies to enhance our electronic fraud prevention and criminal investigation capabilities. You’ll also take the technical lead in complex criminal investigations, supporting investigative teams by identifying and securing digital evidence from internal and external computer networks &#8211; evidence to be used in criminal and civil proceedings.</p>
<p>You’ll come to us with a proven track record of conducting cyber crime or digital forensics examinations in a commercial or criminal justice capacity. Able to explain technical information effectively to the wider population as well as our national and international partners, you will have a mix of law enforcement and Information Security experience.</p>
<p>You might currently be working for the police or a similar law enforcement agency, or in a consultancy or in-house role. It’s likely you’ll have a postgraduate-level qualification in cyber crime forensics, digital forensics or information security and you’ll definitely have a sound understanding of computer network infrastructure. A full driving licence would be desirable.</p>
<p>HMRC plays a vital role in the economic wellbeing of the nation by assessing and collecting tax revenues, and administering benefits and credits to support families and workers. Protecting these revenues has never been more important.</p>
<p>This is a reserved post, open to UK nationals only. For full details on nationality requirements, please refer to http://bit.ly/IgGJRm</p>
<p>Closing date: 20th April 2012<br />
Interview date: week commencing 30th April 2012</p>
<p>At HMRC we welcome applications from people from every kind of background so that we mirror the community we serve.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=353</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Book Review &#8211; XBOX 360 Forensics</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=334</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=334#comments</comments>
		<pubDate>Sun, 08 Jan 2012 17:11:31 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=334</guid>
		<description><![CDATA[Rating **** XBOX 360 Forensics offers a fairly in-depth introduction into the world of Games Console Forensics and the tools and techniques required to carry out investigations into Next-Generation Games Consoles. As popular gaming platforms become more and more sophisticated, using their own operating systems and accessing the Internet for various types of transactions, the potential for illegal and malicious activity is dramatically increasing. Bolt starts the book with a detailed description of the XBOX 360 system, the setup process and how to sign up, and connect to, the social aspects of the XBOX 360 gaming experience: XBOX Live. It is this social outlet that is the main cause of concern for the population with news reports about paedophilia and child abuse stemming from meetings organised using the mail and chat functions inbuilt into the online portal. Bolt does not provide much information on other crimes that can be committed using the console such as malicious activity as the result of installing a secondary operating system (for example, Linux), but the emphasis of the malicious potential is made quite clear and the need for a set method of investigating consoles is prominent. With very little documentation on the investigation of [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><a href="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2012/01/XBOX360_Forensics.jpg"><img class="size-full wp-image-335" title="XBOX 360 Forensics" src="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2012/01/XBOX360_Forensics.jpg" alt="A Digital Forensic Guide to Examining Artifacts" width="195" height="240" /></a> Rating ****</p>
<p>XBOX 360 Forensics offers a fairly in-depth introduction into the world of Games Console Forensics and the tools and techniques required to carry out investigations into Next-Generation Games Consoles.</p>
<p>As popular gaming platforms become more and more sophisticated, using their own operating systems and accessing the Internet for various types of transactions, the potential for illegal and malicious activity is dramatically increasing.</p>
<p>Bolt starts the book with a detailed description of the XBOX 360 system, the setup process and how to sign up, and connect to, the social aspects of the XBOX 360 gaming experience: XBOX Live. It is this social outlet that is the main cause of concern for the population with news reports about paedophilia and child abuse stemming from meetings organised using the mail and chat functions inbuilt into the online portal.</p>
<p>Bolt does not provide much information on other crimes that can be committed using the console such as malicious activity as the result of installing a secondary operating system (for example, Linux), but the emphasis of the malicious potential is made quite clear and the need for a set method of investigating consoles is prominent.</p>
<p>With very little documentation on the investigation of consoles available to the investigator, Bolt has provided the perfect starter guide for forensic investigation all the way from acquisition through to analysis. Rather than just provide the tools and techniques, however, Bolt takes the reader along the journey of investigation and provides a very detailed walkthrough of the baseline contents of the XBOX 360 Hard Drive, explaining the various different file types (such as PIRS, LIVE and CON files) and sector locations of valuable information.</p>
<p>The guide describes the use of only a few tools but within this provides an in-depth and efficient investigation method to analyse the Hard Disk Drive. The tool that takes the spotlight in the investigation, Xplorer 360, is not strictly a Forensic tool but more of a console management tool used to connect the XBOX 360 to a Computer via the network and interact with it. It is interesting that this piece of software should provide a solution to the investigator to find artifacts previously unfound by the standard Forensic tools such as Guidance Software&#8217;s EnCase and AccessData&#8217;s Forensic Toolkit Imager. A criticism of the guide is that its main focus is on the Hard Disk Drive, which, while holding some of the user information and game saves, does not contain information about the operating system or memory stack. Bolt mentions that this information is held within specific hardware inside the console itself and it would seem prudent to provide methods to investigate these artifacts, especially when the need for Live Analysis is increasing.</p>
<p>Summary</p>
<p style="text-align: left;">The book does seem quite basic throughout, providing technical details that most investigators would probably be able to figure out for themselves; however, it is an easy read and one that would prove interesting to most who do not know much about the investigation of games consoles.</p>
<p>Willem Knot</p>
<p>Book Title:   XBOX 360 Forensics</p>
<p>Book Subtitle:   A Digital Forensic Guide to Examining Artifacts</p>
<p>Author(s):   Steven Bolt (Samuel Liles &#8211; Technical Editor)</p>
<p>Publisher:   Syngress/Elsevier</p>
<p>Date of Publishing:   7th February 2011</p>
<p>ISBN-13:   978-1597496230</p>
<p>Price:   £36.99 (UK), $59.95 (USA)</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=334</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Book Review &#8211; Extrusion Detection</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=324</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=324#comments</comments>
		<pubDate>Sun, 08 Jan 2012 15:28:59 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Book Review]]></category>
		<category><![CDATA[Digital Forensics Magazine]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=324</guid>
		<description><![CDATA[Rating ***** Despite being over six years old now, this book is certainly not outdated in the slightest. While most network security books and guides would focus on perimeter defence from outsider threats, Bejtlich concentrates on attacks launched within the organisation. At the time of publishing, this book was unique in its approach to defensive practices and is aimed to go hand in hand with Bejtlich&#8217;s &#8216;Tao of Network Security&#8217;, picking up where Tao left off and concentrating solely on defence, where Tao started from the point of view of the attacker. First thing to notice about this book is the foreword by Marcus Ranum, which, unusual to most books, consists of an interview with the author and highlights how different Extrusion Detection is from other Network Security Guides. The book is aimed at all those who have an intermediate to advanced knowledge of network security and so should be used by those just starting out in the industry, especially as Bejtlich talks about tools and techniques that, at the time of writing, were not common practices amongst professionals. However, it holds great potential value as an addition to anyone’s security/information assurance library. Traditionally, [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2012/01/Extrusion_Detection.jpeg"><img class="size-full wp-image-328 alignleft" title="Extrusion Detection" src="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2012/01/Extrusion_Detection.jpeg" alt="Security Monitoring for Internal Intrusions" width="160" height="212" /></a></p>
<p>Rating *****</p>
<p>Despite being over six years old now, this book is certainly not outdated in the slightest. While most network security books and guides would focus on perimeter defence from outsider threats, Bejtlich concentrates on attacks launched within the organisation. At the time of publishing, this book was unique in its approach to defensive practices and is aimed to go hand in hand with Bejtlich&#8217;s &#8216;Tao of Network Security&#8217;, picking up where Tao left off and concentrating solely on defence, where Tao started from the point of view of the attacker.</p>
<p>First thing to notice about this book is the foreword by Marcus Ranum, which, unusual to most books, consists of an interview with the author and highlights how different Extrusion Detection is from other Network Security Guides.</p>
<p>The book is aimed at all those who have an intermediate to advanced knowledge of network security and so should be used by those just starting out in the industry, especially as Bejtlich talks about tools and techniques that, at the time of writing, were not common practices amongst professionals. However, it holds great potential value as an addition to anyone’s security/information assurance library.</p>
<p>Traditionally, the main focus of network security has been about keeping the hackers and malicious users out. The book is split into three specific sections, Detecting and Controlling Intrusions, Network Security Operations and Internal Intrusions, taking the reader on a journey from the reasons to look for Extrusions through to the various types of Extrusion, such as Malicious IRC Bots. Bejtlich uses various technologies, such as Proxies and IDS/IPS, as demonstrations using commands that can easily be adapted into organizations’ own technologies.</p>
<p>To those specifically interested in Network Forensics, Bejtlich devotes an entire chapter to just this and discusses the links between the security practices discussed throughout the book and the forensics practices used within the chapter. Incident Response is also explained prior to Forensics. Bejtlich gives a detailed introduction to Network Forensics and describes it as being different from Digital Forensics in that it is focused on Packet Capture, using tools such as Wireshark/Ethereal. The emphasis here, however, is that Network Forensics is a valuable and crucial part in the defence of a network infrastructure from both internal and external threats.</p>
<p>Followers of Richard Bejtlich&#8217;s Tao security blog will instantly recognise his unique method of describing and demonstrating the various tools and techniques required to put Extrusion Detection into practice. Throughout the book there are valuable diagrams, screenshots and actual packet captures that help the reader to fully understand each point that is made, a feature that is often overlooked in many security guides.</p>
<p>Summary</p>
<p>This book is a valuable read for anyone interested, or working, in the security and forensics industry. Bejtlich provides a refreshing approach to defensive methods and illuminates the potential damage of insider threats. Highly recommended as a partner guide to &#8216;The Tao of Network Security&#8217;; together the two provide an ultimate guide to Network Security.</p>
<p>Reviewer Name:   Willem Knot</p>
<p>Book Title:   Extrusion Detection</p>
<p>Book Subtitle:   Security Monitoring for Internal Intrusions</p>
<p>Author(s):   Richard Bejtlich (Foreword by Marcus Ranum)</p>
<p>Publisher:   Addison-Wesley</p>
<p>Date of Publishing:   8th November 2005</p>
<p>ISBN-13:   978-0321349965</p>
<p>Price: £39.99 (UK), $54.99 (USA)</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=324</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Call for Forensic Practitioners to Beta Test new Tool</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=312</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=312#comments</comments>
		<pubDate>Thu, 04 Aug 2011 05:45:21 +0000</pubDate>
		<dc:creator>RoyIsbell</dc:creator>
				<category><![CDATA[Announcements]]></category>
		<category><![CDATA[Forensics Tools]]></category>
		<category><![CDATA[General Technology]]></category>
		<category><![CDATA[In the News]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=312</guid>
		<description><![CDATA[CCL-Forensics based in the UK are offering Digital Forensics Practitioners the opportunity to take part in the final beta test, which is now underway; any interested practitioners wishing to be involved should register at www.ccl-forensics.com/pip. Researchers at CCL-Forensics have developed an innovative application for presenting the data held in XML format – a common data storage format, found on a wide range of digital devices and platforms including PCs, phones and SatNavs. The development in complex data interpretation is set to significantly speed up digital forensic investigations by enhancing the presentation of evidence from a range of commonly used devices. Although XML is a text-based format, it’s not user-friendly in its raw format, meaning digital investigators often have to manually manipulate large amounts of data to locate evidence relevant to their enquiry. XML files can contain, for example, internet history, web searches, SatNav recent locations, social networking history – and more. CCL-Forensics has developed “PIP” to eradicate this problem. PIP is a software tool which parses data from XML files, using the XPath query language, and presents the investigator with results in a user-friendly, easy-to-interpret form. This saves a considerable amount of time, and means costs to investigators are [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2011/08/CCL-Logo.png"><img class="alignleft size-full wp-image-313" title="CCL Logo" src="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2011/08/CCL-Logo.png" alt="" width="109" height="40" /></a>CCL-Forensics based in the UK are offering Digital Forensics Practitioners the opportunity to take part in the final beta test, which is now underway; any interested practitioners wishing to be involved should register at www.ccl-forensics.com/pip.</p>
<p>Researchers at CCL-Forensics have developed an innovative application for presenting the data held in XML format – a common data storage format, found on a wide range of digital devices and platforms including PCs, phones and SatNavs. The development in complex data interpretation is set to significantly speed up digital forensic investigations by enhancing the presentation of evidence from a range of commonly used devices.</p>
<p>Although XML is a text-based format, it’s not user-friendly in its raw format, meaning digital investigators often have to manually manipulate large amounts of data to locate evidence relevant to their enquiry.  XML files can contain, for example, internet history, web searches, SatNav recent locations, social networking history – and more.</p>
<p>CCL-Forensics has developed “PIP” to eradicate this problem. PIP is a software tool which parses data from XML files, using the XPath query language, and presents the investigator with results in a user-friendly, easy-to-interpret form. This saves a considerable amount of time, and means costs to investigators are kept to a minimum.</p>
<p>In addition, PIP natively supports Apple’s property list (“plist”) file format, in both its XML and binary forms.</p>
<div id="attachment_314" class="wp-caption aligncenter" style="width: 310px"><a href="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2011/08/PIP-with-and-without.jpg"><img class="size-medium wp-image-314" title="PIP with and without" src="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2011/08/PIP-with-and-without-300x212.jpg" alt="" width="300" height="212" /></a><p class="wp-caption-text">“An XML file shown both in its raw form and when presented using PIP”</p></div>
<p>A regularly updated library of XPath queries is included within PIP and CCL-Forensics is constantly researching opportunities for new additions to the library, however, for the advanced practitioner, PIP allows bespoke queries to be written for new data types which may be uncovered during the course of an investigation.</p>
<p>The team behind PIP also recognised the need for investigators to process a number of similar files simultaneously, and therefore developed a batch processing capability.</p>
<p>PIP was created in response to demand from Law Enforcement Agencies to streamline the presentation from the increasingly complex range of digital devices – for little additional cost to the taxpayer.</p>
<p><strong>Alex Caithness, the developer of PIP</strong> says <em>“One of the biggest frustrations of any digital examiner is the fact that their tools extract data which they have to manually interpret to turn into a reportable format. PIP is designed to eradicate this problem for XML and plist files.</em></p>
<p><em>These files are used in many different devices and applications – the iPhone to name just one. Investigators are seeing a great deal more of these devices, and without a tool like PIP, they may be spending time manually processing them.</em></p>
<p><em>This is doubly unfortunate, because they have already carried out the first step – by extracting the data.  They just now need to interpret it.  PIP does this effortlessly.”</em></p>
<p>PIP is a constantly evolving tool and the developers would welcome suggestions for future functionality.  For more information, please contact Marketing Manager Andy Holmes on +44 1789 2621200 or email aholmes@ccl-forensics.com.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=312</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>I&#8217;m about to enrol on a forensics degree at university, can you give me any hints/tips on how to be successful in forensic IT?</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=309</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=309#comments</comments>
		<pubDate>Sat, 30 Jul 2011 13:53:37 +0000</pubDate>
		<dc:creator>RoyIsbell</dc:creator>
				<category><![CDATA[Digital Forensics Magazine]]></category>
		<category><![CDATA[Training and Certification]]></category>
		<category><![CDATA[certification]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=309</guid>
		<description><![CDATA[The above question was sent to Digital Forensics Magazine and we thought it warranted a thoughtful answer, so we asked Dr. Richard Howley, who is the MSc Forensic Computing and MSc Computer Security Course Leader at De Montfort University, for his views. The suggestions below focus on the early part of your career, i.e., your degree and entry into the profession. Others may contribute suggestions regarding being successful as you join the profession. 1.    Get your degree from an established, respected and well-connected institution. Ask your university who they work with, what visiting lecturers did they have last year, what national and international initiatives are they involved in? Research into who these people are, what their organisations do and what the initiatives are. Building up your knowledge of the UK and USA forensic IT landscape is important. 2.    Get qualified. The importance of training and qualifications in this business is well known and documented. Academic awards are highly prized as is evidenced by the popularity of MScs amongst members of the profession. 3.    Get connected. Register with as many forensic IT professional bodies, forums and blogs as you can manage and monitor their work. 4.    Ask your university to provide you [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>The above question was sent to Digital Forensics Magazine and we thought it warranted a thoughtful answer, so we asked Dr. Richard Howley, who is the MSc Forensic Computing and MSc Computer Security Course Leader at De Montfort University, for his views.</strong></em></p>
<p>The suggestions below focus on the early part of your career, i.e., your degree and entry into the profession. Others may contribute suggestions regarding being successful as you join the profession.</p>
<p>1.    Get your degree from an established, respected and well-connected institution. Ask your university who they work with, what visiting lecturers did they have last year, what national and international initiatives are they involved in? Research into who these people are, what their organisations do and what the initiatives are. Building up your knowledge of the UK and USA forensic IT landscape is important.</p>
<p>2.    Get qualified. The importance of training and qualifications in this business is well known and documented. Academic awards are highly prized as is evidenced by the popularity of MScs amongst members of the profession.</p>
<p>3.    Get connected. Register with as many forensic IT professional bodies, forums and blogs as you can manage and monitor their work.</p>
<p>4.    Ask your university to provide you with some suggested preparatory materials and or activities. At De Montfort University we hope that you are already hungry for knowledge and motivated enough to seek it out; we expect you to be pushing us to provide you with work you can be doing before joining us. A list of technical skills that new entrants to our courses can develop prior to starting is provided at: http://www.cse.dmu.ac.uk/~rgh/MSc_FC_MSc_CS_FAQs.htm#q16</p>
<p>5.    If your university doesn’t provide pre-course guidance then consider the following:</p>
<ul>
<li>There are many very good text books on this subject and many come with an extensive set of investigative exercises. They take you through the process of ‘static’ PC based forensics very well. All the software, cases and evidence files you need are usually included on a DVD – a great resource. For recommendations email me.</li>
<li>Seek to understand ‘live’ forensics including malware analysis, reversing, live network forensics, memory forensics and virtualisation. Many good online and text based resources exist to support your study of these topics.</li>
<li>Other emerging concerns that you should seek information about include small scale mobile devices, e-discovery and massive data sets, the ‘cloud’, etc.</li>
<li>Mobile phone forensics is very popular and worth looking into – partly because some of the major software companies provide free trial versions of their software with online tutorials.</li>
</ul>
<p>6.    Linking academic and professional practice includes issues such as continued professional development, research design and implementation, and report writing.</p>
<ul>
<li>Your degree is the first step in a process of life-long learning; forensic IT never stands still and as such the learning you undertake prior to starting and during your degree will provide you with independent study skills that will serve you well throughout your entire career.</li>
<li>Whilst your course and profession may appear predominantly technical, never underestimate the importance of the social, ethical and legal context of your work. You will cover this at university and your knowledge and consideration of it should be updated and applied throughout your career.</li>
<li>When you start work in the field you will quickly discover that the text books don’t have all the answers. You will need to identify and research new solutions to novel situations. This will involve designing experiments and implementing them to explore and inform your evidential hypothesis – this classic academic/research process has huge relevance to your later professional practice, so don’t underestimate it and take every opportunity to practise and develop these skills whilst at university and after.</li>
<li>Writing essays or reports and giving presentations at university are not just academic exercises. They are direct training in skills that the forensic IT professional needs. You must be able to write concisely, persuasively, accurately, with precision and in an evidence-based manner. The same is true of public speaking and presentation, i.e., giving evidence. The more frightening you find the prospect of public speaking &#8211; the more you must do it! Start in a gentle way; asking questions in class or contributing to discussions is a first step in public speaking, so do try and take part. Take every opportunity to develop and practise these skills – we can all improve no matter how experienced we are.</li>
</ul>
<p>7.    Finally, in the profession you will be expected to know multiple operating systems (Windows and Linux extensively), file systems, hardware, connection protocols, cables, devices, etc. So get an old machine or two, a screwdriver, a bunch of operating systems and play (carefully!) – and learn!</p>
<p>It’s a great profession – good luck on your degree course and in the profession that follows.</p>
<p>Dr. Richard Howley<br />
MSc Forensic Computing and MSc Computer Security Course Leader<br />
De Montfort University</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=309</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The first annual (ISC)² Security Congress</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=305</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=305#comments</comments>
		<pubDate>Wed, 22 Jun 2011 17:37:33 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Announcements]]></category>
		<category><![CDATA[In the News]]></category>
		<category><![CDATA[Training and Certification]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=305</guid>
		<description><![CDATA[(ISC)² Security Congress &#8211; Collocated with the ASIS International 57th Annual Seminar and Exhibits – September 19th – 22nd, Orlando, Florida The first annual (ISC)² Security Congress offers invaluable education to all levels of information security professionals, not just (ISC)² members. This event will provide information security professionals with the tools to strengthen their security without restricting their business. (ISC)² and ASIS International have teamed up to bring you the largest security conference in the world, with five days of education and networking opportunities. Don’t miss out. Register today! To make your selection from over 200 conference sessions, free education and special pricing on official CISSP and CSSLP Intensive education. For more information, please visit: www.isc2.org/congress2011]]></description>
<content:encoded><![CDATA[<p>(ISC)² Security Congress &#8211; Co-located with the ASIS International 57th Annual Seminar and Exhibits – September 19th – 22nd, Orlando, Florida</p>
<p>The first annual (ISC)² Security Congress offers invaluable education to all levels of information security professionals, not just (ISC)² members. This event will provide information security professionals with the tools to strengthen their security without restricting their business. (ISC)² and ASIS International have teamed up to bring you the largest security conference in the world, with five days of education and networking opportunities. Don’t miss out. Register today to make your selection from over 200 conference sessions, with free education and special pricing on official CISSP and CSSLP Intensive education. For more information, please visit:<br />
<a href="http://www.isc2.org/congress2011">www.isc2.org/congress2011</a></p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=305</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IT Audit &amp; Digital Forensics: How to use an IT audit to prepare for a computer forensics investigation.</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=300</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=300#comments</comments>
		<pubDate>Thu, 02 Jun 2011 20:42:49 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Digital Forensics Magazine]]></category>
		<category><![CDATA[General Technology]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=300</guid>
		<description><![CDATA[Muema Lombe explores the area of IT audit and the questions that should be asked in an incident response scenario.]]></description>
			<content:encoded><![CDATA[<p><strong>Muema Lombe explores the area of IT audit and the questions that should be asked in an incident response scenario.</strong></p>
<p>The problem: your organization has been subject to intellectual property theft, or stolen data, or inappropriate web surfing and/or emails.  These problems pose potential risks including economic espionage, unauthorized access, unauthorized use and possibly civil liabilities, among other risks.  IT audit procedures can help facilitate an understanding of both the computing environment and corresponding controls, which can help with a forensics investigation.  What follows are six IT audit areas of inquiry.</p>
<p>1.      <span style="text-decoration: underline;">IT Standards, Policies and Procedures</span> – In the event of inappropriate activity by employees, one area to audit is IT standards, policies and procedures, with a specific focus on the acceptable use or end user policy.  Questions to address in the review include:</p>
<ul>
<li>Is an acceptable use policy in place?</li>
<li>Is it formally documented?</li>
<li>Has the policy been formally communicated to all employees?</li>
<li>Are employees required to formally sign an acknowledgement of receipt and review of said policy?</li>
<li>Does the policy explicitly denote what behavior is acceptable and unacceptable?</li>
<li>Does the policy address the various methods of computing use, e.g. email, web surfing, social media use, etc.?</li>
</ul>
<p>2.      <span style="text-decoration: underline;">User Access Monitoring</span> – The IT auditor should also gain an understanding of the user access monitoring.  Consider the following:</p>
<ul>
<li>Is both traditional user and privileged user access subject to monitoring?</li>
<li>At what layer is access monitored (e.g. database, application, network layers)?</li>
<li>What type of activity is monitored (e.g. direct data access, etc.)?</li>
<li>Does monitoring include a review of unsuccessful login attempts?</li>
<li>Does monitoring include a review of unusual access attempts (e.g. weekends, off-hours, etc.)?</li>
<li>Are inactive accounts disabled?</li>
</ul>
<p>3.      <span style="text-decoration: underline;">Web Access Monitoring</span> –</p>
<ul>
<li>Is user activity on web surfing tracked by computer? By user?</li>
<li>Is web access filtered (blocked) by keyword and/or URL?</li>
</ul>
<p>4.      <span style="text-decoration: underline;">Password Controls</span> –</p>
<ul>
<li>Are passwords required for system access?</li>
<li>Is a password policy in place and enforced?</li>
<li>Are passwords required to be complex?</li>
<li>Are passwords periodically changed?</li>
</ul>
<p>5.      <span style="text-decoration: underline;">Backup Procedures</span> –</p>
<ul>
<li>Are backups being performed?</li>
<li>What is being backed up? Application? Database? Configuration settings?</li>
<li>Has a restore been performed to ensure backups operate as intended?</li>
</ul>
<p>6.      <span style="text-decoration: underline;">Audit Trails</span> –</p>
<ul>
<li>Determine whether automatic logging of activity takes place.</li>
<li>Gain an understanding of what activity is logged.</li>
<li>Determine if audit trails are in place at the OS, application or database layer.</li>
<li>Determine if audit trails are periodically reviewed.</li>
</ul>
<p>These six areas of inquiry are meant to begin a conversation and provide a framework of understanding to a computer forensics team conducting an investigation.</p>
<p>By Muema Lombe, CRISC, CSSLP, CGEIT, CISA</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=300</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Book Review &#8211; Windows Registry Forensics</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=290</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=290#comments</comments>
		<pubDate>Fri, 06 May 2011 18:06:43 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Book Review]]></category>
		<category><![CDATA[Digital Forensics Magazine]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=290</guid>
<description><![CDATA[Rating: *** Windows Registry Forensics is a three-star book with five-star content. It has one mission: to persuade you that examining the Windows registry is an essential and valuable component of any Windows system examination. The author does this by presenting a variety of registry keys and values that can be leveraged to answer important investigative questions. The book does not, however, try to be an exhaustive guide to the Windows registry. Instead, Mr. Carvey focuses on an educated selection of high-value registry keys, in order to demonstrate how to add context and depth to one&#8217;s findings. The book seems most useful to beginning and intermediate practitioners, but even advanced examiners may find registry information here that they were not previously aware of. Anyone working in digital forensics or incident response who has not made registry examination integral to their process must read and absorb this book. The information is vital to Windows examinations. Windows Registry Forensics is divided into four chapters. The first provides an introduction to both the Windows registry and to registry analysis, including a look at the data structure of the registry hive files. The second chapter introduces numerous tools that can [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2011/05/Windows-Registry-Forensics.jpg"><img class="size-full wp-image-291 alignleft" title="Windows Registry Forensics" src="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2011/05/Windows-Registry-Forensics.jpg" alt="" width="120" height="148" /></a></p>
<p>Rating: ***</p>
<p>Windows Registry Forensics is a three-star book with five-star content. It has one mission: to persuade you that examining the Windows registry is an essential and valuable component of any Windows system examination. The author does this by presenting a variety of registry keys and values that can be leveraged to answer important investigative questions. The book does not, however, try to be an exhaustive guide to the Windows registry. Instead, Mr. Carvey focuses on an educated selection of high-value registry keys, in order to demonstrate how to add context and depth to one&#8217;s findings.</p>
<p>The book seems most useful to beginning and intermediate practitioners, but even advanced examiners may find registry information here that they were not previously aware of. Anyone working in digital forensics or incident response who has not made registry examination integral to their process must read and absorb this book. The information is vital to Windows examinations.</p>
<p>Windows Registry Forensics is divided into four chapters. The first provides an introduction to both the Windows registry and to registry analysis, including a look at the data structure of the registry hive files. The second chapter introduces numerous tools that can be used to examine the registry, both during live response and dead disk analysis. Chapters three and four dive into specific registry artifacts and their investigative value, dividing the discussion between System (chapter 3) and User (chapter 4) activity.</p>
<p>The reader will learn to use the Windows registry to perform valuable investigative tasks such as: profile what a user did and when they did it, identify the physical locations of wireless access points used, determine whether a particular user account has a password set, discover which files may have been accessed on a USB device, and address whether malware could have been responsible for activity attributed to the user (the Trojan defense).</p>
<p>There are moments in the book, however, when more advanced or curious readers will find themselves wanting more. With few exceptions, the book focuses on the meaning of the registry values at hand and on how the data can be extracted using tools provided by the author. As a result, the book sometimes refers to the binary data structures contained within certain keys, and the need to parse those correctly, without discussing how the structures should be parsed. In these instances, the author simply notes that one or more of his RegRipper plugins will parse the data, then moves on to the meaning of that data.</p>
<p>These moments that want more technical depth are relatively few, however. The information Mr. Carvey does provide is still well worth the price of admission. It is the egregious number of proofing and editing errors, ranging from simple typos to flawed organization, that compels me to give this book three stars. The author is not entirely at fault, as Syngress titles by other authors have shown similar problems. The company seems to suffer a serious quality control problem. But the author is not without fault. In particular, the choice to organize the later chapters based on System versus User settings leads to a disorganized presentation in which the information needed to answer particular investigative questions is sometimes scattered across two chapters. Windows Registry Forensics would be much more cohesive if it had been organized around specific investigative questions. In this way, the approach to answering a question, or set of questions, would be presented in one place, regardless of which registry hives the relevant data resided in. The reader would not be forced to jump between chapters to find all of the information relevant to a particular question.</p>
<p>When all is said and done, however, Windows Registry Forensics easily succeeds in its mission to convey the value of integrating registry examination into the forensic process. It provides valuable information relevant to a wide range of investigations. And Mr. Carvey&#8217;s conversational writing style makes the book easy to read, aforementioned defects notwithstanding. In short, the book is certainly worth adding to your library. But I would be remiss if I did not point out that the number of flaws, both big and small, is unacceptable for any book, especially one with a list price of $69.95/£42.99.</p>
<p>Gregory Prendergast   (This was incorrectly attributed to John Hughes in Digital Forensics Magazine, our apologies to Greg)</p>
<p>Book Title: Windows Registry Forensics</p>
<p>Book Subtitle: Advanced Digital Forensic Analysis of the Windows Registry</p>
<p>Author(s): Harlan Carvey</p>
<p>Publisher: Syngress</p>
<p>Date of Publishing: February 2011</p>
<p>ISBN: 9781597495806</p>
<p>Price: $69.95 / £42.99</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=290</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BOOK REVIEW &#8211; Hacking the Human</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=279</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=279#comments</comments>
		<pubDate>Mon, 02 May 2011 17:24:37 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Book Review]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=279</guid>
<description><![CDATA[Rating: *** Even though I’m a qualified ISO 27001 Lead Auditor and former “management consultant” I’m still basically a technical geek. So when I was asked to review this book I was not particularly looking forward to it and I asked myself what relevance did this book have to digital forensics?  I have to say having reviewed the book my mindset has changed. The book contains 12 chapters, divided into three sections. The first section contains four chapters.  It explains social engineering and describes the risks to an organization of social engineering attacks.  It then goes on to explain why people are the weakest link in an organization.  Finally it explains why current thinking and approaches, including ISO 27001, do not pay due attention to social engineering risks. The second section then goes on to explain human vulnerabilities.  It does this by examining a number of topics in the section’s chapters, including building trust, reading a person, subconscious techniques (including Neuro-Linguistic Programming) and then different roles a social engineer attacker could take.  The final section concentrates on countermeasures to social engineering.  It does this by describing techniques to assess an organization’s vulnerabilities, [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><a href="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2011/05/hackingthehuman2.jpg"><img class="size-full wp-image-282 alignleft" title="hackingthehuman" src="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2011/05/hackingthehuman2.jpg" alt="Hacking the Human" width="162" height="240" /></a></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p>Rating: <strong>***</strong></p>
<p>Even though I’m a qualified ISO 27001 Lead Auditor and former “management consultant” I’m still basically a technical geek. So when I was asked to review this book I was not particularly looking forward to it and I asked myself what relevance did this book have to digital forensics?  I have to say having reviewed the book my mindset has changed.</p>
<p>The book contains 12 chapters, divided into three sections. The first section contains four chapters.  It explains social engineering and describes the risks to an organization of social engineering attacks.  It then goes on to explain why people are the weakest link in an organization.  Finally it explains why current thinking and approaches, including ISO 27001, do not pay due attention to social engineering risks. The second section then goes on to explain human vulnerabilities.  It does this by examining a number of topics in the section’s chapters, including building trust, reading a person, subconscious techniques (including Neuro-Linguistic Programming) and then different roles a social engineer attacker could take.  The final section concentrates on countermeasures to social engineering.  It does this by describing techniques to assess an organization’s vulnerabilities, explaining security controls to counter defined vulnerabilities, including awareness and training.  Finally the section explains how the countermeasures can be tested.</p>
<p>The book comprises 254 pages and given the retail price it is not the best value book I have come across.</p>
<p>So given all of the above, why did I get some value out of reviewing it?  The answer lies within the number of examples and incidents of social engineering attacks it describes.  There are over a dozen.  Whilst a few of them have only a human element to them, most involve to some degree IT or phone technology.  So I started thinking!  If one of these attacks occurred what evidence would I need to find to prove such an attack had occurred, or how would it be possible to establish an innocent victim wasn’t actually the perpetrator?  It was quite thought provoking.</p>
<p>This is not a book on IT security, or Digital Forensics.  Given the number of pages and the sell price it is not particularly good value.  However, if you would like to understand social engineering attacks and consider their relevance to digital forensics, this is a reasonable addition to your library.</p>
<p>John Hughes</p>
<p>Book Title: Hacking the Human</p>
<p>Book Subtitle: Social Engineering Techniques &amp; Security Countermeasures</p>
<p>Author(s): Ian Mann</p>
<p>Publisher: Gower Publishing Ltd.</p>
<p>Date of Publishing: November 2008</p>
<p>ISBN(13): 978-0566087738</p>
<p>Price: $104.95 / £60.00</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=279</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Solid State Drives and TRIM</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=271</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=271#comments</comments>
		<pubDate>Sun, 13 Mar 2011 11:56:03 +0000</pubDate>
		<dc:creator>M Isbell</dc:creator>
				<category><![CDATA[Forensics Tools]]></category>
		<category><![CDATA[In-depth Articles]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=271</guid>
		<description><![CDATA[Here is an interesting analysis of an SSD performed and reported by Alex Golding. You can find his blog at http://dig-forensics.blogspot.com/ ----------------------------- Solid State Drives are getting increasingly more affordable and therefore increasingly more common, especially with expensive laptops having them built in.  If you’re not familiar with them; they basically use flash memory instead of magnetic disks; hence the name.  They don’t need an arm to move across the disk reading the data so the seek times are much better and therefore they read data much faster than a normal hard-disk.  They have a few different utilities  which are meant to speed up the drive, I won’t go too technical but TRIM is one of these functions and when a file is deleted the area the file is stored is wiped to allow for quicker write speeds later. Seeing as I just bought a Solid State Drive I thought it would be a good idea to check TRIM was working:  I found a couple of utilities to get me started.  The first thing to do was to launch the Computer Management program:  This is obviously with Windows 7 as TRIM is supported by the OS without any fiddling around. [...]]]></description>
			<content:encoded><![CDATA[<p>Here is an interesting analysis of an SSD performed and reported by Alex Golding. You can find his blog at <a href="http://dig-forensics.blogspot.com/">http://dig-forensics.blogspot.com/</a></p>
<pre>-----------------------------
</pre>
<p>Solid State Drives are getting increasingly more affordable and therefore increasingly more common, especially with expensive laptops having them built in.  If you’re not familiar with them: they basically use flash memory instead of magnetic disks, hence the name.  They don’t need an arm to move across the disk reading the data, so the seek times are much better and therefore they read data much faster than a normal hard-disk.  They have a few different utilities which are meant to speed up the drive. I won’t go too technical, but TRIM is one of these functions: when a file is deleted, the area where the file is stored is wiped to allow for quicker write speeds later.<br />
Seeing as I just bought a Solid State Drive I thought it would be a good idea to check TRIM was working.  I found a couple of utilities to get me started.  The first thing to do was to launch the Computer Management program.  This is obviously with Windows 7, as TRIM is supported by the OS without any fiddling around.  Ubuntu will require further research.  With Computer Management open you choose the drive in question and enter its properties menu.</p>
<p><img class="alignnone" title="picture1" src="https://lh6.googleusercontent.com/-P26ZxnHAKFE/TW1FH_hFQtI/AAAAAAAAAB0/fimgFeYeyaw/s1600/Picture+1.jpg" alt="" width="490" height="317" /></p>
<p>In this case it is disk 0. The drive is only a 64GB drive due to lack of funds; it’s used primarily as an OS drive with the majority of programs also installed.  It doesn’t half fly though!   Remember to right-click on the Disk and not the partition.  From here navigate to the Details tab and choose Hardware Ids from the drop down menu.</p>
<p><img class="alignnone" title="picture2" src="https://lh6.googleusercontent.com/-TZKWdDxVwvY/TW1FOc2HT4I/AAAAAAAAAB4/q45s0RUZuLc/s1600/Picture+2.jpg" alt="" width="310" height="346" /></p>
<p>As you can see from the screenshot there is a long list of information, but the end of each entry is key; in my case there is “0006”, which refers to the firmware number.  As drives get newer all will have TRIM enabled by default, but in my case it was essential to check the firmware supported it, and it does.  The next thing to do is to run a command within the command prompt to determine whether it’s enabled within Windows 7 (it should be).  You need to launch the prompt as administrator, otherwise the command won’t work.  The easiest way to do this is to search for cmd in the start menu, right-click, choose Run as administrator and press yes/continue to the UAC prompt.   Once you have done this the following command needs to be entered:</p>
<pre>fsutil behavior query disabledeletenotify
</pre>
<p><img class="alignnone" title="picture3" src="https://lh3.googleusercontent.com/-AIxMB-4OG80/TW1GkksrrHI/AAAAAAAAAB8/UC2eQ-EfpzM/s1600/Picture+3.jpg" alt="" width="478" height="182" /></p>
<p>If it is set to 0 then TRIM commands are enabled; set to 1 and they are disabled.  So TRIM is enabled.</p>
<p>I also came across some software which supposedly tells you if TRIM is supported by the drive, but I’m unsure if it just checks the drive type, so in my opinion this is a better way of checking. If you want to have a play, the software is called “CrystalDiskInfo”, available here: <a href="http://crystalmark.info/software/CrystalDiskInfo/index-e.html">http://crystalmark.info/software/CrystalDiskInfo/index-e.html</a></p>
<p>Anyway now for the forensic side of it all.  I took two drives, my main drive which is only 6 months old and the fastest HDD other than raptors – the F3 1TB and the c300 64GB.  The fact that the drives are different sizes doesn’t matter here as there’s plenty of space free on each drive.  I created two identical files with the word “TESTER” flooded until the file was 548KB.  I saved this to the root directory of the main partition on each drive.  I previewed the drives within EnCase with the files not deleted to ensure that they were visible as normal which they were:</p>
<p>SSD:</p>
<p><img class="alignnone" title="picture4" src="https://lh5.googleusercontent.com/-cJTKWd3JSAk/TW1HAolJBBI/AAAAAAAAACA/T68dzy6_bew/s1600/Picture+4.jpg" alt="" width="455" height="102" /><br />
HDD:</p>
<p><img class="alignnone" title="picture5" src="https://lh5.googleusercontent.com/-vKe0rqipGw8/TW1HMNRD4JI/AAAAAAAAACE/3Ooxqcut_yA/s1600/Picture+5.jpg" alt="" width="592" height="86" /></p>
<p>As you can see they are visible.  I then removed the drives from the case and proceeded to delete both files from the drives using shift-delete to permanently delete them without entering the recycle bin.  From deleting the files to adding the drives back into EnCase the whole process took 30 seconds.  In this case both files were visible as deleted files:<br />
SSD:</p>
<p><img class="alignnone" title="picture6" src="https://lh4.googleusercontent.com/-gSG2N878540/TW1HWk4UZ1I/AAAAAAAAACI/8jKHSK8XOg8/s1600/Picture+6.jpg" alt="" width="623" height="43" /></p>
<p>HDD:</p>
<p><img class="alignnone" title="picture7" src="https://lh6.googleusercontent.com/-hVvQ2mJZaT4/TW1HhZCzXeI/AAAAAAAAACM/Q0HtvQ-Iicc/s1600/Picture+7.jpg" alt="" width="498" height="78" /></p>
<p>The interesting thing was that even though the file was deleted from both, the SSD entry had the data wiped from where the file supposedly was, whereas the HDD entry had the data intact.  I searched the SSD for the word TESTER, but nothing was found.  About ten minutes had passed in this time, so I decided to add the devices back into EnCase and see if the file name was still visible for both. Lo and behold, the file had disappeared from the SSD and remained on the HDD.<br />
SSD:</p>
<p><img class="alignnone" title="picture8" src="https://lh3.googleusercontent.com/-_CyEHEZQocM/TW1HrT44oOI/AAAAAAAAACQ/6MTcnxdUeFQ/s1600/Picture+8.jpg" alt="" width="491" height="48" /></p>
<p>HDD:</p>
<p><img class="alignnone" title="picture9" src="https://lh5.googleusercontent.com/-aNwfJpXykms/TW1H0n-R_3I/AAAAAAAAACU/W8ZgI6M6ens/s1600/Picture+9.jpg" alt="" width="490" height="73" /></p>
<p>This indicates that in the 30 seconds the entire file was wiped. It was interesting to see that in the first 30 seconds the file name was still visible, but with no content this is almost useless.  The HDD behaved as expected, as it doesn’t support TRIM.  After 10 minutes the file name was completely gone, and I imagine it disappeared shortly after the device was added to EnCase.  In theory all TRIM is handled in exactly the same way, as it’s a call from the operating system which handles the blocks on the drive being wiped, unlike garbage collection, which is initiated solely by the firmware of the drive.  It bears great significance to forensic acquisition as it’s not something that’s going to go away; it greatly improves write-speeds on SSDs and could eventually be used on USB pen drives as they function in a very similar way.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=271</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

