Digital Forensics Magazine August 2012 Newsletter
The Latest News and Offerings from the DFM Team


Welcome to the August edition of the Digital Forensics Magazine Newsletter. This month saw the release of Issue 12 and we are already hearing great reviews!

In this month's newsletter we bring you details of what you can find in Issue 12, the latest news and what's coming up in Issue 13.

Information Assurance Strategies Ltd

/In The News

ATC-NY Announces New Computer Forensics Tool - Mem Marshal

Forensic tool available free to US law enforcement

ATC-NY's new forensics tool - Mem Marshal(TM) 1.0 - is a user-friendly, automated memory analysis system that assists and automates computer forensic investigations of volatile memory (RAM) images. Mem Marshal enables computer forensic investigators to analyze and effectively make use of information contained in volatile memory. Memory analysis produces important, case-relevant data for investigators that cannot be obtained from disk analysis, such as running applications, open files, and active network connections.

Mem Marshal enables investigators to focus and enhance time-consuming disk analysis. It reduces investigation time by using information acquired from memory images, which can be searched and analyzed quickly.

Mem Marshal follows forensic best practices and maintains a detailed log file of all activities it performs. It produces reports in RTF, PDF, and HTML formats. Mem Marshal is currently available at no cost to U.S. Law Enforcement. For more information on how to obtain a free copy visit their web site at: www.memmarshal.com

Dropbox breach shows how personal and corporate cannot crossover in security

Cryptzone says Dropbox breach could have been a lot worse - but it’s still time to wake-up-and-smell-the-coffee

Commenting on an admission by Dropbox’s Vice President of engineering that the spamming of many of the cloud service provider’s clients in recent weeks has been traced to an employee password re-use breach, Cryptzone says this highlights the dangers of using the same password for both business and personal usage.

“Most governance experts – ourselves included – will tell you to use different passwords for different systems, but this case is one of those ‘wake-up-and-smell-the-coffee’ moments for IT security professionals, as it shows the need to also keep passwords separate for work and personal internet activities,” said Grant Taylor, European Vice President of the IT threat mitigation specialist.

“We would go further and argue that people should not be using Dropbox for many business purposes. CISOs and compliance managers would be horrified to know that confidential data was being moved out of the organisation’s sphere of control. Free services by their very nature don’t have the features to facilitate corporate control and management.”

The problem here, the Cryptzone European VP says, is that members of staff, particularly the young, tend to blur the lines between work and play – and whilst it is perfectly understandable for them to use the convenience of a service like Dropbox to access work files at their leisure, their managers need to explain that when it comes to corporate data, such practices simply are not acceptable in today’s regulatory environment.

If corporate information is moved to personal accounts in contradiction to corporate policies, you’re dead in the water as far as the boss is concerned. Apart from disciplinary action for the individual, their employer could be looking at investigation from regulatory bodies possibly resulting in severe fines. So when seeking to improve work/life balance, don’t just think convenience, think risk, he says.

Improved Chip-Off data recovery for BlackBerry® devices

Forensic Telecommunications Services Ltd. (FTS) is pleased to announce a further increase in the BlackBerry models supported by its innovative ‘Chip-Off’ procedure.

FTS has developed an advanced data extraction method which is able to bypass encryption and retrieve the physical memory from BlackBerry smartphone devices. Currently this is the only known means to deal with devices locked with a handset passcode.

Utilising the latest laboratory tools and software developments FTS can now examine models such as the BlackBerry Bold 9790 and 9900, and Curve 9360. The Chip-Off process is accredited to ISO17025:2005 standards and these new devices join a long list of RIM handsets from which FTS has successfully completed data recovery.

Below is a list demonstrating the types of data recovered following Chip-Off extractions on BlackBerry hardware. There is also the possibility of uncovering deleted files in many circumstances. The decoding of this data is achieved using bespoke FTS techniques and not third party software solutions:

Telephony data; User content; Screening for 3rd party applications and recovery of user data relating to them; Ascertaining the SMS, BBM and Email deletion frequency; Recovery of non active BlackBerry Messenger data and cached data; The decompression of text strings in excess of 35 characters; Recovery of MSN chat logs.

FTS undertake a significant number of Chip-Off examinations where other techniques are not available or do not yield enough data or where the device is heavily damaged, in many cases uncovering valuable information that has contributed to a criminal conviction.

Further, representatives of the National Technical Assistance Centre (NTAC) have examined our processes and stated that they were identical to that performed by NTAC and more robust than others which NTAC have seen across the country.

/Issue 13 of Digital Forensics Magazine Due Out November.

Continuing our aim of bringing you new and interesting articles from the world of Digital Forensics, Issue 13 is shaping up to be another good mix of research and practical advice. Here is just a taste of some of the articles being looked at.

The team at DFM reserves the right to change the planned content of any issue, at any time.


SSD's & Digital Forensics

This feature article by James Wiebe will present some new thoughts on how data may be hidden on hard drives. Covering old concepts first (such as Host Protected Areas), the author will present alternative methods for hiding information on hard drives, such as in supervisory areas. These areas are never visible through standard drive commands, and also are not visible to any operating system. The article will also discuss hypothetical examples of how drives may be 'tampered' by sophisticated bad guys in order to provide facade characteristics to a forensic investigator.

Database Specific Forensics

In this article David Litchfield looks at the collection, collation and analysis of evidence from a compromised Oracle database server, showing the what, how and why, as well as how the time and cost of a breach investigation can both be dramatically reduced using a particular framework and tool. The article will look at the science behind the tool and the problem it is solving.

Human Forensics: Tactical Interviewing for Forensic Examiners

Accessing this information demands more than a write blocker and a laptop, and techniques used must work both on those anxious to recall all they can, and those with something to hide. The Police have the skills to tackle this issue, but as they are not involved in the majority of incidents, this is a capability forensic practitioners would benefit from acquiring. This article will introduce readers to the PEACE system of tactical interviewing used by the UK Police and other enforcement agencies and show how it can be applied.

Mobile Malware

The mobile phone is considered by many as a necessity, with practically every handbag and pocket hiding these modern miracles of technology. Jamie Blasco takes a look at how malware on smartphones is used by criminals to make money: they steal information, contact details, emails, personal data or even financial information; they hijack browser sessions, interfering with online banking transactions and circumventing one time password (OTP) security procedures; even certain apps can have a malicious undertone, for example sending SMS messages to premium rate numbers.

The Wild West of Social Media Collection

In this article Gina Gallup takes a look at how social media and webmail are still part of the Wild West as far as forensic collections and electronic discovery are concerned. This article will look at how to standardize and de-duplicate various formats, how to search and filter entries if they can't be uploaded to a traditional platform, and what authorizations you need to collect information.

Video Identification

The proliferation of video material that can be downloaded from the Internet has resulted in child abuse and terrorism cases becoming even more complex and time-consuming to investigate. Dr Richard Leary, MBE, a former West Midlands Police officer and one of the original Directors who set up the Jill Dando Institute, looks at the current challenges faced by investigators and introduces VIdentifier, the efficient and easy-to-use video identification system.

Tarantula Uncovered

We asked the folks at Tarantula to provide us with an in-depth, step-by-step guide on how to use the Tarantula equipment. The tutorial will cover the following: Setup, Connection to device under investigation, Extraction of Data, Analysis of data and an additional section on the Tarantula case management software included as part of the package.

/From the DFM Team

Get Involved!

Do you have an interesting and informative article that you think our readers would like to read?

Whether you are a researcher, student, academic or practitioner in Digital Forensics, we would love to hear about your work. One of the key aims of Digital Forensics Magazine is to bridge the gap between the researcher and the practitioner. Whether it's a case study, piece of cutting edge research or a new forensic tool or technique, you can guarantee that your fellow Digital Forensic peers will want to hear about it.

If you would like to submit an article to DFM, send us an email with the 250-word abstract, or visit our submissions page.

Bloggers Wanted!

Are you currently conducting an interesting piece of research?

Do you regularly review new forensic tools and technologies?

If so, then you are just the person we need!

We are currently recruiting a new team of Bloggers to enrich the Digital Forensic Magazine Blog.

If you would like to be considered as a contributor to the Blog, please email us with your name, your blog topic title and a 100-word abstract. We will then contact you if we like the sound of your submission!

Digital Forensics Magazine - Subscribe Now!

/Issue 12 of Digital Forensics Magazine Out Now!!!

DFM Issue 12

Issue 12 was released this month and yet again it is packed full of interesting articles and news from the Digital Forensics industry. This issue's feature article comes from Thijs Bosschert, who tells us all about reverse engineering of PERL2EXE back to PERL.



First Responders & Forensic Capabilities

John Walker investigates why we must look to first response and digital forensics to protect and defend our enterprise and global operations. This article reviews the practicalities of defending against Cyber Evasions and Invasions, and considers where operational and professional responsibilities lie.


Reverse engineering Perl2Exe back to Perl

Perl2Exe is a program that converts Perl source code to standalone Windows executable files, which hide the Perl code. When a forensic investigator encounters a Perl2Exe program (for example malware) it can take a lot of effort to analyse these files. Thijs Bosschert describes a new and easy to follow approach to recover the full Perl source code from these Perl2Exe executable files, making the analysis of these files much easier.

Mobile Devices & Public Space

In this article Andy Swift looks at the numerous impacts of mobile devices being used in public airspace and the workplace respectively, with a focus on their exploitability and common issues associated with these technologies. The article includes research undertaken from recent experiments over the past few months.

What's So Ethical About Hacking?

In this article David Hewitt looks at the definition of 'ethical hacking' and discusses whether it is appropriate or confusing; in addition he reviews the history of pen testing / hacking and what its place is in industry today.

Covert Channels Part II

Stealing information, command and control servers talking to bots and battle damage assessment are all uses for covert channels. In the second of this series of articles our own news editor Matthew Isbell takes a look at covert channels and tests their suitability for use.

Video Identification

The proliferation of video material that can be downloaded from the Internet has resulted in child abuse and terrorism cases becoming even more complex and time-consuming to investigate. Dr Richard Leary, MBE, a former West Midlands Police officer and one of the original Directors who set up the Jill Dando Institute, looks at the current challenges faced by investigators and introduces VIdentifier, the efficient and easy-to-use video identification system.

Circumventing SMS Based Two Factor Authentication

Malware is impacting the security and integrity of the World Wide Web, especially for banks and financial institutions. In this article Aditya K Sood and Richard J Enbody detail an investigation into a new exploitation technique used by malware to circumvent “SMS Based 2 Factor Authentication”.

Testing Tool Capability for Social Network Forensics

Social Networking Services have become the people's Internet service of choice, building relationship networks with personalised meanings. This presents challenges for the Digital Forensics Examiner, especially with extraction tool capabilities differing markedly when extracting evidence from Social Networking Sites. In this article Jung Son and Brian Cusack test some of the tools.


Plus all our usual features: "Apple Autopsy", "360", "IRQ", "Robservations" and "Legal news and alerts".

Subscribe now to ensure you don't miss all these great articles.

Digital Forensics Magazine and the DFM Logo are trademarks of TR Media Ltd.
TR Media Ltd, The Old Dairy, Brewer Street Dairy Business Park, Bletchingley, Surrey, RH1 4QP, UK