Digital Editions on Mobile Devices

So, we have just learned that Zmags, our digital editions provider, has launched a plug in for the website that detects, automatically, if you are trying to access a digital edition of a magazine from a mobile device. This seems to work pretty well on both the iPad and the iPhone, but I have not tried it on any other device. However, I’m still not convinced that it’s better than using GoodReader with the full PDF. Also, currently, there is no support for authentication so only Issue 1 is available in this way anyway. If anyone has any views on digital editions for mobiles I’d love to hear them, but I’m starting to think that a custom app that is optimised for a publication is always going to win hands down. Any views?




The 10 Minute Guide to Forensics and Virtualization (Ubuntu/VBox style)

By Andrew Hoog

While virtualization is a key technology in the infrastructure of many enterprises, it is essential in the operation of a digital forensic organization.  Virtualization can be used in a number of ways, including:

– Return analyst workstation to validated state for each investigation

– Data recovery by attaching dd image of a drive as a secondary drive on a VM and running recovery software

– Booting a dd image (similar to liveview)

– Application and system profiling/footprinting essential to the scientific method

– Develop virtual appliances for specific functions (e.g. Android forensics appliance)

And these are just a few examples.  I’m sure many of you have additional uses you can share.  This brief article will share with you our experiences in this area.

Selecting a virtualization solution

There are many virtualization solutions available, including both commercial and non-commercial ones.  One of the best known is VMWare, which offers a full suite of products ranging from their free VMWare Player to fully redundant enterprise solutions.  Another software giant in the virtualization game is Microsoft, which offers desktop (Virtual PC) through enterprise (Hyper-V) solutions (and many in between).  On the Apple platform, the two primary options are VMWare’s Fusion product and the Parallels suite of products.  And on the Linux side, there are a number of options, including KVM, Xen and VirtualBox.

After much testing, we ultimately chose VirtualBox by Oracle/Sun.  There were a number of reasons why we chose VirtualBox:

  1. KVM had serious performance issues on our computers…did not identify root cause
  2. Xen was a more significant commitment in time and energy
  3. VirtualBox has a nice GUI, performed great and has both an open source version and a commercial one.  It also provided a “headless” option allowing us to forego monitors.

Some folks could take issue with VirtualBox or at least have their own favorite and that’s fine.  But we chose VirtualBox and are quite happy with it, so that’s what the rest of this article covers.  Our forensics workstations run a modified version of Ubuntu 10.04 Server.  They have 8GB of RAM and a couple of multi-core processors.

VirtualBox just released an update on June 7, 2010.  The 3.2.4 release is a maintenance release but I like to see projects which are actively maintained and updated.  Additional details are available on the website.

Step by step guide

For a test project we had, we needed Windows 2008 Server R2 64-bit.  Below are the steps you would follow on a computer running Ubuntu 10.04 Server 64-bit (the .iso for that platform is ubuntu-10.04-server-amd64.iso):

Create blank VM

VBoxManage createvm --name Win2008SvrR2 --ostype Windows2008_64 --register

Add options, including full h/w virtualization support (the online VirtualBox manual at is indispensable)

VBoxManage modifyvm Win2008SvrR2 --memory 4096 --acpi on --boot1 dvd --nic1 bridged --usb on --usbehci on --vrdp on --vrdpport 3390 --clipboard bidirectional --pae on --hwvirtex on --hwvirtexexcl on --vtxvpid on --nestedpaging on --largepages on

Setup bridged network using first Ethernet card (eth0)

VBoxManage modifyvm Win2008SvrR2 --bridgeadapter1 eth0

Add IDE controller (other options exist such as SCSI and SATA…IDE seems to be the most used)

VBoxManage storagectl Win2008SvrR2 --name "IDE Controller" --add ide

Create and register hard drive (vdi)

VBoxManage createvdi -filename "/opt/vbox/HardDisks/win2008svrR2.vdi" -size 20000 -register

Attach hdd to VM

VBoxManage storageattach Win2008SvrR2 --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium /opt/vbox/HardDisks/win2008svrR2.vdi

Attach DVD to VM (upload your OS installation .iso to the host machine first)

VBoxManage storageattach Win2008SvrR2 --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium ~/win2008svr.iso

Start VM and install OS (recommend using screen to prevent killed session on detach)

VBoxHeadless -startvm Win2008SvrR2 -p 3390 &

Connect to new VM

Now that the new VM is booting up (and running the OS install), you need to connect to it.  To do so, you need an application which supports Remote Desktop Protocol (RDP).  On Windows computers, you can run the Remote Desktop Connection/Terminal Services client by going to Start -> Run, typing in mstsc and pressing OK.  In the Computer: section, type the IP address of your Ubuntu server.  The Linux and Apple platforms have similar RDP applications and the process is the same.  Complete the install of the operating system and reboot as needed.

Install VBox Additions

To enable shared folders, better video and USB support (if you downloaded/bought the PUEL edition), you need to install VBox Additions.


VBoxManage registerimage dvd ~/VBoxGuestAdditions_3.2.0.iso

VBoxManage storageattach Win2008SvrR2 --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium ~/VBoxGuestAdditions_3.2.0.iso

The DVD should now be mapped on the VM.  You can remote into the VM with the directions above or determine what the IP address of the VM itself is, ensure RDP is enabled and remote into the computer directly.  From there, double click the DVD, perform the VBox Additions install and reboot.

Add shared folders

Make sure the Windows guest OS is shut down and type the following on the Ubuntu server:

VBoxManage sharedfolder add Win2008SvrR2 --name "mnt" --hostpath "/mnt" --readonly

VBoxManage sharedfolder add Win2008SvrR2 --name "ahoog" --hostpath "/home/ahoog"

Restart the VM with the following command:

VBoxHeadless -startvm Win2008SvrR2 -p 3390 &

And then connect to the VM directly as described above.  To access the new shared drives, you use UNC.  Essentially, go to Start -> Run, type \\VBoxSvr and press OK.  You will then see a list of shared folders.
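The build and shared-folder steps above collected into one script, added here as an example (it is not part of the original article). The VBoxManage commands are the article's own; the EVIDENCE_ROOT variable, the function names, the refusal to reuse an existing disk and the rule that anything under EVIDENCE_ROOT is shared read-only are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. DRY_RUN=1 (the default) prints
# each VBoxManage command instead of running it, so the plan can be reviewed.
VM="${VM:-Win2008SvrR2}"
VDI="${VDI:-/opt/vbox/HardDisks/win2008svrR2.vdi}"
ISO="${ISO:-$HOME/win2008svr.iso}"
RDP_PORT="${RDP_PORT:-3390}"
EVIDENCE_ROOT="${EVIDENCE_ROOT:-/mnt}"  # assumption: evidence is mounted here
DRY_RUN="${DRY_RUN:-1}"

# Run VBoxManage, or print the command line (quoting args that contain spaces).
vbox() {
    if [ "$DRY_RUN" != "1" ]; then
        VBoxManage "$@"
        return
    fi
    printf 'VBoxManage'
    for arg in "$@"; do
        case $arg in
            *' '*) printf ' "%s"' "$arg" ;;
            *)     printf ' %s' "$arg" ;;
        esac
    done
    printf '\n'
}

# Create the VM, disk and install DVD as in the step-by-step guide.
build_vm() {
    # A leftover disk is not a clean baseline: stop rather than reuse it.
    if [ -e "$VDI" ]; then
        echo "refusing to reuse existing disk: $VDI" >&2
        return 1
    fi
    vbox createvm --name "$VM" --ostype Windows2008_64 --register &&
    vbox modifyvm "$VM" --memory 4096 --acpi on --boot1 dvd --nic1 bridged \
        --bridgeadapter1 eth0 --usb on --usbehci on --vrdp on \
        --vrdpport "$RDP_PORT" --clipboard bidirectional --pae on \
        --hwvirtex on --hwvirtexexcl on --vtxvpid on --nestedpaging on \
        --largepages on &&
    vbox storagectl "$VM" --name "IDE Controller" --add ide &&
    vbox createvdi -filename "$VDI" -size 20000 -register &&
    vbox storageattach "$VM" --storagectl "IDE Controller" --port 0 \
        --device 0 --type hdd --medium "$VDI" &&
    vbox storageattach "$VM" --storagectl "IDE Controller" --port 1 \
        --device 0 --type dvddrive --medium "$ISO"
}

# Add a shared folder. Anything at or below EVIDENCE_ROOT is forced read-only,
# whatever mode the caller asked for, so the guest cannot alter evidence.
# Paths are compared as written (symlinks and ".." are not resolved).
add_share() {  # usage: add_share NAME HOSTPATH [ro|rw]
    share_name=$1
    hostpath=$2
    mode=${3:-ro}
    case "$hostpath/" in
        "$EVIDENCE_ROOT"/*)
            [ "$mode" = "ro" ] || echo "note: $hostpath forced read-only" >&2
            mode=ro ;;
    esac
    if [ "$mode" = "ro" ]; then
        vbox sharedfolder add "$VM" --name "$share_name" \
            --hostpath "$hostpath" --readonly
    else
        vbox sharedfolder add "$VM" --name "$share_name" --hostpath "$hostpath"
    fi
}

# Show the plan for the article's VM and its two shared folders.
build_vm && add_share mnt /mnt ro && add_share ahoog /home/ahoog rw
```

Run it as-is to review the command list, then with DRY_RUN=0 on the Ubuntu host to execute it.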

Connect USB devices

If you purchased the enterprise version or are simply evaluating the PUEL (Personal Use and Evaluation License) version, you can connect USB devices.  The documentation was not clear but we determined the necessary steps.

Add usbusers group

sudo addgroup usbusers

Add each user

Then, you need to add each local user that might run VirtualBox to the usbusers group:

sudo usermod -a -G usbusers ahoog


There is much more to say about forensics and virtualization.  But, alas, cases are piling up and it will have to wait until the next installment of this article, which will begin to cover how to use your shiny new VBox virtual machine for some of the tasks I outlined at the start of this article.   If you are interested in additional how-to articles or information, check out my own blog at or feel free to contact me directly.

Andrew Hoog is a computer scientist, computer/mobile forensic researcher and Chief Investigative Officer at viaForensics. His company assists and trains law enforcement and provides innovative digital forensics solutions to corporations and attorneys. He is currently writing a book about Android Forensics and maintains the Android Forensics Wiki at



5 Reasons for Digital Forensic Examiners to Use Content Marketing

For Issue 3 (May 2010) of Digital Forensics magazine’s newsletter, I posted a short article about content marketing, the best way to share your expertise with clients and prospects alike. Here, I want to go into more detail about each of the five points I raised.

1) The people you serve come to trust you. Content shows the thinking that drives the service, the combination of knowledge and personality that sets you apart from competitors. These days, it’s not just the product that’s valuable enough anymore. Customers are cynical about being “sold to,” and in the event that your product doesn’t quite meet expectations, it’s important to provide value in different ways so that your customers will keep the faith that the next time around, you’ll improve.

Of course, this begs the point that you know in advance what content your customers (and prospects) need. This kind of market research can come down to Internet polls, informal surveys or interviews, social media monitoring, and other means of information gathering. It can come from your most loyal customers – who are usually more familiar than anyone else with how your product or service solves their problems – and from your most coveted prospects, which may appreciate challenging you to help them. The best content is tailored to each group’s specific needs.

2) Social media make it easy to share. Whether a slide or video presentation on SlideShare or Prezi, a white paper on Scribd or DocStoc, or customer success stories on YouTube or your blog, your content is now available to a wider community.

This can be very important when you’re targeting different market segments. One of the most popular social sites for digital forensics examiners is Twitter, and to be part of this community is a good idea. But what if you’re not selling directly to examiners? What if, instead, you’re selling to law firms or banks or small businesses? You’d want to find the social sites they’re on, become part of their communities too, rather than expect them to come to yours.

Content variety is also important from the standpoint of search engine optimization. YouTube is a particularly powerful SEO, so video content tagged with those all-important keywords, embedded on your website, can potentially accomplish two things: 1) drive traffic back to your site and 2) raise your site’s search rankings.

Just make sure the keywords you choose are the ones your customers are actually using, or are likely to use. (Hint: if you’re using Google Analytics to track site performance, take a look at the searched-on keywords that brought people there.)

3) You can highlight new or underrated aspects of what you are doing. This is the “marketing” side of content marketing – what services help your market, and why?

This goes hand in hand with #2 above, but also with #1, as it helps both existing clients and prospects get to know you better. However, be careful not to “sell,” but rather to educate, to show people how the products or services solve their problems both large and small. A case study about how data recovery helped a small business recover from a breach, or about how a customer got creative and figured out how to use your software in ways you never anticipated, does the “heavy lifting” in terms of showing – not just telling – about the relevance you have to the market.

4) You can highlight problems your community or target market is facing. What do you get the most calls about? What kinds of cases do you most frequently work on, involving what types of technology?

As with #3, here it’s important to educate. Without giving up clients’ or citizens’ identities, you can talk in general terms about an interesting question involving employees’ personal digital devices in the workplace, or trends you see among victims of a certain type of crime (for example, identity theft), or even little known, but important facts about investigations, security, and so forth.

5) An ounce of prevention… show people how to protect themselves, and they’ll call you just when they really need you. That saves time and money, along with your staff’s brainpower, for true challenges!

Back to #1 and trust building. It’s easy to get frustrated with victims. “Don’t they know better?” you might complain after your password-integrity training falls on deaf ears, or the media has been covering identity theft extensively, yet you still get calls from people with drained bank accounts or maxed-out credit cards.

People hear and process information differently, so use your cases (where feasible) to improve your training. Use a series of short blogs or video entries to focus in on specific aspects of password integrity, or target identity theft education to small groups in your community – teenagers, seniors, parents, and business owners.

Talk to them using language and concepts they understand, and they’ll not only remember the information, but you’ll be the one they call when their best efforts fail.

Content marketing is well worth the time and effort put into it. If you know your subject and can present it for average people to understand, you’ll build loyalty for the long term. Do create a schedule for regular content production, do know who in your organization is most capable of producing the highest quality content, and do integrate the content into your other marketing efforts.

By Christa Miller

Christa M. Miller is a public relations strategist specializing in digital forensics and law enforcement. A trade magazine journalist for nearly a decade, she now works with clients on content strategy and creation using a mix of traditional and digital media. She resides in South Carolina, USA with her family. Visit her website at



Final Call for Papers

Final Call for Papers (Closes Friday 2 July 2010)

The 2010 Digital Forensics International Conference “Digital Forensic Cases, Tools & Techniques” September 6 & 7

The final call for papers closes 2 July for industry or academic papers examining digital forensic cases, tools and techniques.

AUT University Digital Forensic Research Laboratories is hosting two days examining the state of practice in the first week of September. Presentations are again invited from Practitioners and Researchers to bring together the best practice and innovation in the field. As Digital Forensics has differentiated from its Security and Computing roots, rapid and path-changing approaches are evolving that are contributing to standardisation, extraction & analysis techniques, and a better fit of the legal, managerial and IT worlds. The Digital Risk will not go away and is contextualised in the many voices of different practitioners, researchers and organisations.
If you wish to be a part of these two days examining the current state of Digital Forensic practice, then please send in your abstract (150 words).

Presentations are accepted in three streams:

  1. Cases: Legal Cases, Employer Risk, Professional Practice, Standardisation
  2. Tools: Reliability, Functionality, Testing, Development, Demonstrations
  3. Techniques: Mobile Devices, Extraction Practices, Preservation Skills, Network Forensics, Environmental Forensics, CCTV & Image, GPS

All presentations are first selected on the relevance of an abstract to one of the three streams. (email Abstract to: before 2 July, Header: ‘Abstract’)

Presentations may be requested as:

  1. PowerPoint Techniques Cases
  2. Tools Demonstration
  3. Refereed Academic Research Paper (Full Peer review process available)

Important Dates :

  • Friday 2 July – Last Day for Abstract Proposals
  • Friday 9 July – All presenters Notified of acceptance
  • Friday 23 July – Last Day for Full Papers for Referees
  • Friday 6 August – Referee Reports
  • Friday 13 August – Last day for Published Papers
  • Monday 6 & 7 September – Conference

Venue: AUT University, Faculty of Business Building, Auckland, New Zealand.



New Releases From Syngress

Syngress, by far the best publisher of digital forensics and general security books, has just released a new batch of books that are of great interest to all general forensics investigators and researchers. We have featured three of these books in our regular DFM competition as a prize for any subscriber answering the ‘really difficult’ security question posed by our editorial team. The three books up for grabs are:

  1. Virtualization and Forensics
  2. Digital Triage Forensics
  3. Digital Forensics for Network, Internet and Cloud Computing

All three topics are especially interesting as these books cover the most prevalent of emerging problems for the forensic analyst. File carving, imaging and traditional use of products such as EnCase and FTK are still right at the top of the list when it comes to ‘things the digital forensic analyst does every day’; however, it’s been recognized for a while now that cloud computing is just around the corner, and when computing power and storage moves into the cloud, forensic investigating will be very different. We’ll be relying on software services and auditing services provided by cloud utility vendors, and with the ‘international’ issues that cloud suddenly introduces, such as ‘how do you get a warrant for data that is stored in a data center in India?’ it will certainly be an interesting future.

I would strongly recommend that you read Digital Forensics for Network, Internet and Cloud Computing by Terrence V. Lillard, Clint P. Garrison, Craig A. Schiller and James Steele, as this book really does cover a plethora of issues that we’ll all have to face, maybe sooner than we think.

Also, as a special offer, Syngress has offered the Digital Triage Forensics book at half price for a limited time. The following was posted on Twitter:

“Learn from the experts who coined the term Digital Triage Forensics. Get the book for 1/2 price w/ code 31884.

Again, I’d certainly recommend this book and after reading through it (yes, I get these sent to me for review purposes so I have it on my desk as I type), it looks great. It’s written by the guys who coined the use of the word Triage in this context, so they know what they are talking about, and unlike many real technical books this one really does dig into the investigative techniques that should be used at the crime scene, including quite an interesting analysis of ‘Battlefield Crime Scenes’, where a triage approach is by far the only way to successfully approach the forensics problem.

Tony Campbell



Big problems for AT&T with Apple Data Breach

A massive breach of data security by AT&T has exposed some very high profile users’ email addresses and contact information from the celebrity hotlist of Apple’s select early-adopter iPad 3G users. An in-depth report by Ryan Tate (Valleywag) says, “The specific information exposed in the breach included subscribers’ email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T’s network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber.”

This is a big blow for Apple, and more so for their already rocky relationship with AT&T. With data breaches like these happening more and more frequently, maybe we’ll see the end of these ridiculous ‘exclusive’ deals we’ve been subject to in both the US and the UK, where we end up locked into AT&T or O2 (in the UK) just because we want a particular type of phone. From now on, maybe the lack of trust that this sort of data loss will undoubtedly breed will benefit the rest of us, as exclusive lock-in deals with just one provider might not seem so clever. Then we will all have the privilege to choose which cellular provider we will pay to lose our personal data and leave us open to fraud. And, as we know… it’s all about freedom of choice!




Apple iPhone 4 to be released on 24th June

I must admit, I was getting a little tired of my iPhone 3GS as it drops the network connection from time to time, and has caused a few of my audio book downloads to fail; and after getting my iPad and seeing what’s possible with the OS, I was seriously considering a different phone. However, now that Apple has announced the iPhone 4 will be available across the world (US, UK, France, Germany and Japan) on the 24th June, and pre-orders can be taken with service providers from the 15th, I must admit I’m now torn. I was drawn to the Nexus 1 after a colleague showed it to me in work, notably the turn-by-turn navigation and the HD screen; it really seemed a cut above the Apple offering. However, now that I’ve seen the reviews on EnGadget of the iPhone 4, seen some screen shots of it in operation and discovered that its architecture is based on the Apple A4 processor just like my precious iPad, the HD screen and 5 Megapixel camera seem like icing on the best birthday cake ever. The operating system, previously called iPhone OS 4, has been re-branded as iOS4 (must admit I did wonder about the conflict with CISCO’s IOS operating system for switches, routers etc., so there may be a lawsuit to get through with that one) and an update for the iPad will be available as soon as the new OS is launched with the iPhone later this month.

I think the design of the new iPhone chassis looks fantastic and aligns it well with the design aesthetics of the latest MacBooks, but the real differences come in the form of the front and rear cameras (for video calling), the Retina display (960×640 resolution), and HD video. Apple also proclaims over 100 new software improvements over OS3 in iOS4, some of which are as follows:

  • Multitasking
  • Application folders
  • Mail improvements
  • iBooks (this is an excellent book reader, and looks fantastic on the iPad)
  • 5x digital zoom on the camera
  • Tap to focus video so you can choose where to focus when shooting in HD
  • Spellchecking
  • Wireless keyboard support (so if you have one for your iPad you can use it on your phone)

This truly looks like the update all iPhone users have been waiting for, and I’m now convinced that moving to Android or (hack, spit) a Microsoft platform would be a mistake. Roll on the 24th.

Tony Campbell



Net Nanny, the Digital Economy Bill and Moving to Brazil

On Monday, Panorama (BBC current affairs programme) screened an interesting show on the new legislation for Internet policing and anti copyright theft known as the Digital Economy Bill. Keith Cottenden of CY4OR (forensics firm in the UK) ( was interviewed and talked about the pitfalls that UK citizens now face when doing innocuous things such as making copies of their CDs (maybe for your kids) or using file-sharing networks. You can see an overview of Keith’s top tips for protecting yourself at

One interesting point to bear in mind is that the culpable party in the event of someone contravening the Digital Economy Bill is actually the owner of the Internet connection – i.e. the bill payer. This means that when your kids are busy downloading movies or music from their favorite file-sharing site, using the laptop they keep tucked away in their bedroom, it’s actually the adult that pays the bill that will be facing the large fine or criminal charges. Not knowing what your kids are up to is not an excuse!

I think, as a result of this Bill, we’ll see a rise in the use of the ‘Net Nanny’ style of desktop products and it will only take a couple of well publicised cases in the media to really get the population into a mass panic. But what can you do about it?

Windows has a fairly good monitoring and control capability (from Vista onwards it was very good) so that should be your first port of call. However, most people use the administrator account on their computers, so it’s going to be tough for parents to remove their kids’ privileges from the computers that they previously had full control over. And without demoting them to a standard User account, they can simply turn the Parental Controls off if they don’t like what they are doing. The alternative is to put something in the way that blocks access to file sharing sites. Maybe a firewall that both monitors and blocks access, where you can also inspect the ‘surfing’ logs of anyone using the Internet to see what they’ve been up to. However, not many people have the time, resources or competence to do this, so it’s really not a good solution.

I suppose time will tell when it comes to what the best solution is and it’s like many things, partly about the technology and partly about education. Will Internet users even read the Bill to know what they can and can’t do? I sincerely doubt it.

So, my advice is, if you are an investor in tech companies, find the best parental control company around and take a few shares into your portfolio. Then when the 8£&^ hits the fan and the panic buying sets in, you can cash out and move somewhere less restrictive, like Brazil.



Facebook & Social Engineering

On Thursday, March 18th, 2010 at 8:00 PM GMT the UK’s Tonight with Trevor McDonald investigated “Facing Up to Facebook”. The Tonight program is a news magazine produced by the UK’s Granada Television for the ITV network since 1999 and covers the full range of human interest led current affairs.

In this episode the program investigated the subject of social engineering and the concerns that surround the social networking site Facebook. Following on from the widely covered so-called “Facebook Murder” much in the news in the UK we have this investigative report into the dangers of online social networking and Facebook in particular.

For me this brings a couple of thoughts to my mind. The first is that this is just another electronic extension to the well-known practice of Social Engineering. The rise in social media sites such as Facebook, LinkedIn, Twitter etc. provides a wealth of information to those who want to delve in and find out more about you and has simplified much of the work involved. It was interesting that the representative from Facebook (name escapes me) talked about the 50% who had managed to configure their security settings correctly, almost ignoring the other 50% who had not, until he was challenged by the reporter. Have we learned nothing from the past and the history of firewalls, where we have a default of “DENY” and the user has to actively engage in what is allowed? Surely if we did this we might have more than 50% of people on Facebook configured better?

If you are interested in how you can investigate Facebook you can have a look at “Diary of a PDFBook”, which was in Issue 1 of DFMag; this looks at a tool to investigate Facebook using a browser. You can also read John Olsson’s article on Forensic Linguistics in Issue 3 of DFMag and how this technique was used in the “Facebook” murder investigation.

Tony Campbell



Digital Forensics crossing into other specialisms

I’ve been working at editing a book review for Issue 3: and what an excellent book it is (the review is pretty good too, I may add). The reviewer could not have praised this book any more than he did and there is good reason for this. Dr John Olsson’s latest book on Forensic Linguistics is a fantastic read and really opens up your eyes on what’s possible through the study of words alone. To be able to point the finger at a culprit on nothing more than the phrasing in a fake suicide note takes a lot of skill and experience, but also the understanding of the linguistic formulation of the prose, which is where John’s book really wins, is vital. John has done an article on the role of forensic linguistics in convicting the culprit in the recent terrible events that led to the death of a young girl using Facebook. He discusses the dialogue used between murderer and victim and how, with careful screening, we can discover the motivations of unseen people at the other end of a virtual connection in cyberspace. What intrigues me is the crossover here. SMS, for example, has created the need for a new language and cryptic annotation that is used mostly by teenagers today. When we, the mobile forensic examiners, extract this information, we need to make sense of it to help with the overall investigation. And how can we determine if the suspect is actually the person who sent the incriminating text? This is exactly where Dr Olsson’s skill comes in, and he’s finding himself more and more involved in computer crime investigation. We know that the Forensic Science Regulator in the UK is focusing on integrating digital forensics into the mainstream role of other forensic sciences, which I believe is a great move, allowing a lot tighter collaboration between the various branches of our profession.
Dr Olsson shows the benefits in terms of this one case relating to Facebook, but I feel we need to start looking for other such stories in DFM to really show the importance of cross-field collaboration.

Tony Campbell