Digital Forensics Magazine May 2012 Newsletter
The Latest News and Offerings from the DFM Team

Is this email not displaying properly?
View it in your browser.

Welcome to the May edition of the Digital Forensics Magazine Newsletter. Issue 11 has been released and is one of our best issues to date.

In this months newsletter we bring you details of what's inside Issue 11, the latest news, a brand new tool from Guidance Software and much more!

Pragmatic Defence - Pharos CSSA Platform

/In The News

Belkasoft Evidence Center Offers Tighter Integration with Guidance Software’s EnCase

Belkasoft announces tighter integration of its flagship forensic tool, Belkasoft Evidence Center, with Guidance Software EnCase, the industry-standard all-in-one computer investigation solution. Supporting the latest version of EnCase 7, users of EnCase software can easily access and analyze data obtained or carved by Belkasoft Evidence Center.

Belkasoft announces tighter integration of its flagship forensic tool, Belkasoft Evidence Center, with Guidance Software EnCase, the industry-standard all-in-one computer investigation solution. Supporting the latest version of EnCase 7, users of EnCase software can easily access and analyze data obtained or carved by Belkasoft Evidence Center.

In addition, the new release adds support for *nix and MacOS file systems, enabling Belkasoft users to analyze disks and disk images from a wider range of PCs than ever. The support for file systems used in Windows, *nix and MacOS computers in a single tool is unique to Belkasoft Evidence Center, making it stand out as a single most comprehensive forensic analysis tool.

Thanks to the integration of Belkasoft Evidence Center with the Encase family of forensic products, Encase users will gain the ability to access information collected by Belkasoft from suspects’ computers. The newly available free “BelkasoftDataImport” plugin allows EnCase users to seamlessly access information collected by Belkasoft Evidence Center. With the integration of the two powerful forensic products, Encase users gain access to powerful data search and carving abilities provided by Belkasoft product.

"We have been working with Guidance on our integration", said Yuri Gubanov, Belkasoft CEO. "Through this process the integration between EnCase and Belkasoft Evidence Center became stronger and I am confident the EnCase community will gain great benefits by making use of both solutions together."

"We are pleased to see Belkasoft has taken advantage of the ability to integrate custom modules into the EnCase Evidence Processor" said Steve Salinas, Senior Product Marketing Manager with Guidance Software. "This is a great example of how modular approach to integration can be beneficial not only to a solution provider but to the EnCase community as a whole."

CyberMD advert

Alternative app marketplaces prove profitable for cybercriminals

25 fake smartphone applications generate costly Premium rate SMS

Reaserchers at the Avast antivirus labs in Prague have discovered a new batch of fake alternative marketplaces for downloading smartphone apps that trick users into sending premium rate SMS messages. Using a varant of the Android:FakeInst family, the new marketplaces hosted at,, and are aimed at defrauding users looking for smartphone screen savers and games.

“All of these sites were registered just a week ago, so it looks like they were supposed to serve only as a malware platform,” explains Ondrej Vlcek, CTO of AVAST Software, “Accessing these URL’s via a browser generates an error message but using a smart phone prompts the user to install a downloader with a huge range of permissions including the ability to trigger premium rate SMS messages.”

Although the sites target Russian speakers, the fake downloader generates premium rate SMS based on the users country and contains numbers for 60 different countries in an AES encrypted XML file distributed with the application.

Whether the premium rate SMS service providers are complicite in this attempt to defruad smart phone customers is hard to guage. However, Mr. Vlcek belives that Avast! is still the only anti-malware product to detect this new generation of premium SMS scamming applications.

Ondrej Vlcek warns, “Never trust weird looking alternative markets and always check the app permissions. If you’ve downloaded a game or screensaver that asks for SMS and Phone calls permissions, then you are likely to receive an unpleasent surpise in your next phone bill.“

Metropolitan Police Roll Out Radio Tactics’ ACESO Mobile Phone Data Extraction Capability

Radio Tactics has announced the roll out of its specialist ACESO mobile device data extraction solution into Metropolitan Police Service boroughs across the metropolis, as part of a wider partnership to collaborate on technology to solve crime.

Hailed as one of the most comprehensive and evidentially-sound mobile phone forensics products within the law enforcement sector, ACESO is transforming the way mobile phones that are suspected of being used in criminal activity are examined and interrogated. Police forces throughout the UK are relying on ACESO’s fast, accurate capture of handset data, which can be retrieved within minutes, ensuring officers can act on information held on a device while a suspect is still in custody. The deployment is expected to substantially reduce the costs associated with traditional, outsourced evidential processing methods, which can lead to months of delays, particularly for low level criminal cases.

The Metropolitan Police Service (MPS) has invested in the ACESO Kiosk data extraction solution, which comprises an intuitive, fully-guided touchscreen desktop data acquisition tool, designed exclusively for frontline law enforcement operators and which will be rolled out for use by dedicated officers across 16 London boroughs participating in tackling street crime and burglary in the coming weeks.

The MPS ACESO deployment also includes a bespoke package of specialist training programmes, which will be held for over 300 Met personnel, leading to a powerful in-house training resource led by the MPS Directorate of Forensic Services that will equip teams with a highly skilled, 24/7 mobile device interrogation capability.

Indeed, Radio Tactic’ CEO, Andy Gill has pointed to the success of other UK police forces that have adopted a similar ACESO deployment model and who have now seen a substantial reduction in the burden of mobile phone forensic processing on the criminal justice system.

/New Technology from Guidance Software

Tableau TD2

Introducing the brand new Tableau TD2 1:2 Forensic Duplicator

Speed? Flexibility? Ease of use?

You need the Tableau TD2 Forensic Duplicator!

Do you need to forensically image a drive, at transfer rates approaching 9GB/min? Do you need two copies of that drive, in the same time as one?

Better still, do you need that drive image in an .e01 file format, for dropping directly into Guidance Software's award-winning EnCase Forensic software?

Then look no further than the Tableau TD2, Guidance Software's second-generation forensic duplicator. TD2 gives you the option to make 1:2 "twin" copies of suspect drives, with zero performance penalty. In the field, or in the lab, TD2 can copy, verify, format, wipe, hash (MD5 or SHA-1), unlock an HPA or remove a DCO. With optional Protocol Modules, TD2 can image from IDE, SATA, SAS, SCSI and USB2.0 suspect drives (no laptop required).

TD2 isn't just compact, rugged and feature-rich; its easily upgradable firmware allows you to future-proof your forensic investigations. Coming soon, TD2 will support ExFAT drive volumes, for the newest 3TB & 4TB drives (and, TD2 is field-upgradable to EnCase v7's .ex01, supporting 256-bit AES encryption).

Available now! For more information, please visit:

/From the DFM Team

Get Involved!

Do you have an interesting and informative article that you think our readers would like to read?

Whether you are a researcher, student, academic or practitioner in Digtial Forensics, we would love to hear about your work. One of the key aims of Digital Forensics Magazine is to bridge the gap between the researcher and the practitioner. Whether its a case study, piece of cutting edge research or a new forensic tool or technique, you can guarantee that your fellow Digital Forensic peers will want to hear about it.

If you would like to submit an article to DFM, send us an email with the 250-word abstract, or visit our submissions page.

Bloggers Wanted!

Are you currently conducting an interesting piece of research?

Do you regularly review new forensic tools and technologies?

If so, then you are just the person we need!

We are currently recruiting a new team of Bloggers to enrich the Digital Forensic Magazine Blog.

If you would like to be considered as a contributor to the Blog, please email us with your name, your blog topic title and a 100-word abstract. We will then contact you if we like the sound of your submission!

/Issue 11 of Digital Forensics Magazine Out Now!!!

DFM Issue 11

After a long build-up, Issue 11 of Digital Forensics Magazine has finally been released. The feature article for Issue 11 is all about a brand new and innovative method of tracking data theft - Stochastic Forensics.

Stochastic Forensics

A new approach to forensics lets you reconstruct activity, even if it leaves no artifacts. By Jonathan Grier

"You must find out if Roger walked off with our data.” This mandate, handed to me by my (very nervous) client, was all I had to work with as I walked into my office Monday morning. My client, a large company headquartered in Manhattan, was very concerned about Roger (not his real name), a high level employee who had recently been forced to leave the company. Days after Roger’s ousting, rumors began to circulate that, before leaving, he walked off with data which was potentially very, very damaging to them; damaging enough to put them into a fit of panic. My task was to find out of if these rumors were true.

Let Me In

An outline of how incident responders can get into a locked system by Glenn Edwards

In the field of Incident Response (IR), time is of the essence and a locked system may cause an investigation to become delayed, or even worse, over. For the purpose of this paper, a locked system should be considered either a live or a dead system that requires authentication on the Operating System (OS) level. Over the years there have been a few tricks to get around this type of restraint, however, some methods are not maintained by the community, do not work because of system updates, or the responder is simply not aware of them.

The intent of this article is to inform the IR community of current techniques available to overcome these types of situations while also providing a brief technical overview of what each technique involves. Although this paper includes techniques that will also work on Macintosh and Linux platforms, the primary focus of this paper will be unlocking a Windows system. Windows is still the most dominant platform on the market and is what an incident responder is most likely to encounter.

WPS Insecurities & False Prophets - A look at the security of WiFi Protected Setup (WPS)

There has been a lot of conversation throughout the start of this year among the security community about what WPS is and how it has provided hackers world wide with a simple and effective way to gain access to previously “secure” WiFi networks. Andy Swift takes a closer look at the WPS technology itself, the protocols that make it up and what it’s fundamental issues mean for individuals and organisations alike.

Image Forensics

The challenge when dealing with large quantities of forensically acquired data, of quickly identifying relationships whilst augmenting with open and closed source intelligence sources is daunting. This is particularly true if your goal is to abstract the data to allow forensics investigators to work with the information rather than learning specific forensic tools or data formats.

Ollie Whitehouse takes the reader through how Recx solved the problem of allowing intuitive data access, visualization and relationship identification specifically in the case of photographic image forensics. The article will first review the metadata embedded within an image; before looking at how to first extract and finally visualize and link the data with other sources.

Chinese Cell Phones & Digital Forensics

In this article, we explain why investigators need to understand the macro trends in the cell phone industry driving the incorporation of more Chinese chipsets in phones and the challenges that they present to examiners. We also lift the lid on Tarantula, a new analysis system developed to analyze problematic Chinese “white box” cell phones and, increasingly, the legitimate branded phones based on Chinese chipsets.

Plus all our usual features "Apple Autopsy", "360", "IRQ" and "Robservations" "Legal news and alerts".

Subscribe now to ensure you don't miss all these great articles.

Digital Forensics Magazine and the DFM Logo are trademarks of TR Media Ltd.
TR Media Ltd, The Old Dairy, Brewer Street Dairy Business Park, Bletchingley, Surrey, RH1 4QP, UK