Finding the Needle in the Lawful Intercept Haystack

Modern encryption techniques have resulted in Law Enforcement and Intelligence Agencies losing the benefits that came from carrying out Lawful Intercept activities. Indeed the time required to investigate a lawful intercept PCAP file for relevant and useful information is now such that should any artefact be found, it is almost certainly found long after the time when the information could have been at its most useful.

Communications channels have gone way beyond the simple calls and text messages of the past. The proliferation of messaging apps (WhatsApp, Signal, Telegram etc.), the ability to send messages via social media platforms (Facebook, Nextdoor, Instagram etc.) and the use of video communication platforms (FaceTime, Zoom etc.) have resulted in a very complex environment to investigate and analyse when looking for that particular artefact that will break the case, or that specific piece of intelligence that will lead the investigators to where they need to go. And this is before you add the problem that all investigators face when these communications are encrypted.

Additional information and intelligence you may want to know includes which websites have been visited, when, with what frequency, for how long, etc. Another thing that Wireshark won’t do for you here, but a good LEA workflow will, is assign each website to a category: is it Ads, Shopping, Food, Travel, Furniture, Pornography, Social Networking, Political Ideology, Terrorism, etc.?

What is required is a tool that examines the lawful intercept network data (most likely a PCAP) and synthesises the output into a clear website profiling view. When that kind of analysis takes seconds and can be immediately reflected across a large collection of PCAPs, then we’re really cooking on gas.

Today, Lawful Intercept of data services can still be an effective tool against communication apps. What is being said is lost to unbreakable encryption, but that is often not what is needed to progress an investigation. Each call leaves a digital footprint in the packet captures, and that is clearly visible to the right tool, regardless of whether that app is WhatsApp or some obscure dialler you have never heard of. Some of these applications are quite challenging to ‘fingerprint’ within the network noise, but the right application of machine learning can classify these applications with high confidence.

If you would like to find out more about how to find that Needle in the Lawful Intercept Haystack and work in Law Enforcement or Intelligence, then subscribe to Digital Forensics Magazine and read the full article, and join Sandvine for a Live Demonstration of Digital Witness.

Digital Witness Webinar Registration (sandvine.com)


Node4 launches N4Secure to fight unseen security breaches and mitigate incursions before they appear

Node4, the Cloud, Data Centre and Communications specialist, today launches N4Secure, a hosted security service that offers organisations immediate, actionable intelligence on compromises, threats and potentially malicious activity to identify and mitigate issues as, or even before, they occur.

Available to Node4 customers and partners on a pay-as-you-go basis, N4Secure incorporates Security Incident and Event Management (SIEM) for sophisticated yet cost-effective threat intelligence, with intrusion detection, vulnerability management services, application penetration testing, and external vulnerability testing. Comprehensive reporting and ongoing advice and support from Node4’s expert team of cybersecurity specialists is also provided.

N4Secure has been developed in direct response to the increasing complexity of security management. Emerging attacks like cryptographic ransomware, the proliferation of mobile device access points, and trends such as BYOD, SaaS, and the Cloud are all making network architectures more difficult to secure and driving a need for businesses to take a ‘helicopter view’ of their systems.

The service applies sophisticated threat analysis and reporting (both automated and manual) directly to an organisation’s systems. Rather than remaining unaware of breaches for months, during which time critical data can be compromised, Node4’s real-time analysis ensures issues can be immediately identified and addressed within minutes. Post-attack forensics also provide insight into events once they have been handled.

Steve Nice, Security Technologist at Node4, comments: “Security is becoming exponentially harder to manage as the threat landscape grows ever more complex. Protecting an organisation in today’s expanding threat landscape can be a full-time job for any IT or security professional, but through N4Secure, Node4 can take away this burden with a unified security management service.

“N4Secure brings together world-leading security products and services into one affordable package, complemented by a level of expertise and technical understanding that is typically extraordinarily expensive and time-consuming to resource externally. And, critically, this comes with the obvious benefits of OpEx vs. CapEx expenditure, significantly lowering both the cost and the barrier to entry.”

The N4Secure service is available in three levels, Essential, Enhanced and Elite protection, with varying levels of reporting, scanning and consultancy.

For further details on the various levels of protection available, and exactly how the N4Secure service works, visit http://www.node4.co.uk/n4secure/.


Cellebrite UFED 4.0 Offers New Time-Saving Workflow Capabilities

Cellebrite, a leading developer and provider of mobile data forensic solutions, has released the latest version of its mobile forensics solution, UFED 4.0. The new version offers features that improve investigative workflows and save time in both lab and field environments.

Inefficiencies such as extra layers of work process and lack of access to a full range of forensic tools often hinder efforts to obtain evidence and intelligence from mobile devices. UFED 4.0 aims to address some of these key challenges by enabling simple and effective language translation, faster and more powerful data carving, and integration of screen captures into forensic reports.

Key features of Cellebrite’s UFED 4.0 include:

  1. Efficient, Powerful Language Translation – An offline translation solution on UFED Physical/Logical Analyzer 4.0 that accurately translates both short and long words. It helps to reduce challenges associated with foreign language translation, including the need to rely on another person, or to copy/paste into an online tool. The UFED translation engine currently supports 13 languages, including English. Five of the 13 are offered free of charge with a UFED license.
  2. Updated Carving Process – Enhanced automated carving from Android devices’ unallocated space offers access to much more deleted data than previously (in some cases, double or triple the amount). While manual data carving is still an important part of the forensic validation process, UFED 4.0 redesigns the automatic data carving functionality to present more precise deleted data by dramatically reducing false positive and duplicate results.
  3. HTML Report Viewing on UFED Touch – UFED Touch now offers the option to view an HTML report that includes general device information and the logical extraction data on the touch screen.
  4. Web History and Web Bookmark Capabilities – Newly included for logical extractions, and therefore viewable with UFED Touch, are web history and web bookmarks. From iOS devices, the new UFED 4.0 feature extends logical extraction and preview capabilities to app data.
  5. New UFED Camera Function – A new manual evidence collection feature, UFED Camera, allows users to collect evidence by taking pictures or videos of a device’s screen. The ability to take screenshots can be important in the field, helping to substantiate documentation of what law enforcement or investigators saw on the device during an initial scroll-through. In the lab, taking screenshots can help you to validate device extraction results – to show that the evidence in an extraction file existed on the evidence device.
  6. Enhanced Dashboard and User Experience – Users can perform multiple extractions on one device without having to return to the home screen. This means that they can obtain additional logical, physical, file system, or camera capture extractions as soon as one type of extraction is complete.

For more details on these and other new and enhanced decoding and app support capabilities—including support for the new iPhone 6, iPhone 6 Plus and other Apple devices running iOS 8—take a look at the UFED 4.0 release notes at: http://releases.cellebrite.com/releases/ufed-release-notes-4-0.html.


Altium releases its TASKING ARM Cortex-M Embedded Development Tools for the Mac

Sydney, Australia – 2 October 2014 – Altium Limited, a global leader in Smart System Design Automation, 3D PCB design (Altium Designer) and embedded software development (TASKING) announces the release of its TASKING VX-toolset for ARM Cortex-M for Apple Mac computers running OS X.

Traditionally, embedded software development tools have been available exclusively for the Windows operating system, and Altium has a long history in providing its TASKING cross compilers and debuggers for running on Windows, including its TASKING VX-toolset for ARM Cortex-M. With ARM Cortex-M based microcontrollers becoming popular in broad market consumer applications, especially with wearable electronics and electronic systems that can be controlled from the iPhone, it is apparent that embedded software engineers want to use the Mac as their development platform.

To serve this development community, Altium has developed a native OS X port of release v5.1r1 of its TASKING VX-toolset for ARM Cortex-M, bringing its C compiler suite with Eclipse based IDE and debugger to Mac computers.

“Given the growing popularity of Mac OS X and the development of ARM Cortex-M based embedded applications connecting to applications on the iPhone and iPad platforms, we’re excited to offer our TASKING Embedded Development Tools to Mac users,” said Harm-Andre Verhoef, Product Manager TASKING. “Altium’s product offering will empower embedded ARM based developments and provide Mac users with the tools to bring their embedded applications to life.”

Previously, embedded-application developers who preferred Mac computers relied on virtual machines hosting the Windows operating system within OS X in order to run an embedded cross compiler. This led to an inefficient workflow and a variety of challenges, including problems connecting a debug probe reliably to the debugger running inside the virtual machine. The native port of the TASKING compiler to OS X breaks down the barriers to developing embedded applications for Mac users, while allowing them to work efficiently on their platform of choice. Cooperation with STMicroelectronics made it possible to offer in-circuit debug capabilities with the Eclipse-integrated TASKING debugger, using the USB port on the Mac to connect to the ST-LINK/V2 debug probe.

TASKING’s Viper compiler technology used in the ARM compiler ensures platform compatibility for developers on OS X and their colleagues using Windows, allowing for easy migration and collaboration. The Viper technology has an industry proven reputation of generating highly efficient and robust code for automotive applications like power train, body control, chassis control and safety critical applications, benefiting developments for broad market and industrial applications.

Key features of the TASKING VX-toolset for ARM Cortex-M for Mac OS X include:

  • Eclipse based IDE with integrated compiler and debugger
  • Highly efficient code generation, allowing for fast and compact applications
  • Support for a wide range of Cortex-M based microcontrollers from different vendors, such as STMicroelectronics, Freescale, Infineon Technologies, Silicon Labs, Spansion, Atmel and Texas Instruments
  • Integrated code analyzers for:
    • MISRA-C:1998, C:2004 and C:2012 guideline
    • CERT C secure coding standard
  • Fast and easy application development through TASKING’s award winning Software Platform technology, bringing:
    • an industry standard RTOS
    • a wide range of ready to use middleware components, such as support for CAN, USB, I2C, TCP/IP, HTTP(S), Bluetooth, file systems, graphical user interface, and touch panel control
  • Eclipse integrated Pin Mapper for assigning signals to microcontroller pins
  • In-circuit debug and programming support through ST-LINK/V2 probe (including on-board probes on starter-kits from STMicroelectronics)
  • Native support for 64-bit Intel-based Macs with Mac OS X

Developers using OS X who require certification of their embedded application for functional safety standards such as IEC 61508 and ISO 26262 benefit from TASKING’s ISO 26262 Support Program for its new ARM toolset on OS X. A manufacturer of an electronic (sub)system is responsible for obtaining certification credit and, as part of the process, has to assess the required level of confidence in the software tools used. Altium supports this through the availability of a Compiler Qualification Kit as well as optional Compiler Qualification Services.

The VX-toolset for ARM release v5.1 is available now on OS X Mavericks, and on OS X Yosemite once it is widely available. Pricing starts at USD 1,995 (€ 1,595) for the TASKING VX-toolset Standard Edition and USD 2,995 (€ 2,395) for the Premium Edition with the award winning Software Platform. Hardware debug support is available in the Professional and Premium Editions through the ST-LINK/V2 debug probe from STMicroelectronics.


Offender profiling is taking a different shape, as investigators grapple with increasingly ‘social’ criminal activity

Mobile forensics has changed the methodology when it comes to offender profiling. The frequent use of mobile devices has provided investigators with another source for profiling criminal suspects, as well as an insight into their habits and personalities.

This is not just because of the volume of user voice calls and SMS texts; the amount of rich data that can be extracted from Instant Messaging (IM) and social media applications gives forensic investigators the paint and brushes to develop a detailed picture of a suspect and a criminal case. A suspect’s social media personality can offer a more tailored overview of the character, his or her likes and dislikes and a reflection of ‘who’ they really are, beyond their alleged actions. A victim’s presence on social media can also be used to find a common link to possible suspects.

Recent research from Cellebrite found that 77 per cent of respondents believed that mobile apps were a critical data source in criminal investigations. While this clearly indicates that mobile apps offer a vital source of evidence, it’s not a suggestion that investigators should solely look at mobile-based apps when building the investigative picture – evidence should be extracted from all other items of phone-based data as well.

The widespread use of mobile apps makes them a critical data source for law enforcement, both in terms of evidence and investigative leads. The value to both prosecuting and defence counsels, in a court of law, makes the neglect of such data a potentially severe barrier to solving a case.

People now more frequently use mobile devices to access social media apps, rather than a traditional PC or laptop. Moreover, social media data that is extracted from a suspect’s mobile device provides additional characteristics such as more accurate location-based data and time proximity to another event or situation. For example, a connection to a specific Wi-Fi network lets investigators establish presence in a certain place at a certain time and correlate it with another action, possibly on a social network.

Criminals will use various communication channels in the course of their mobile activity. For example, a suspect could use an IM app to organise a meeting, but use SMS to contact the victim. Investigators must operate a flexible forensic practice when sourcing evidential data from mobile devices, because the various channels that criminals communicate through means that a one dimensional approach to forensic evidence gathering could lead to the omission of valuable data.

While data points such as SMS text messages and GPS locations may result in an immediate lead in a criminal case, the ‘online social identity’ of a suspect will allow investigators to delve into the personality of the suspect, which in turn could help build out the case.

This social data can be extracted through the social media apps that the suspect has downloaded on their device. Facebook posts, Tweets, ‘shares’ and ‘likes’ can all give critical information to investigators hoping to build the profile of a suspect.

A suspect’s social media identity goes beyond their ‘likes’ and ‘shares’ though; it can also include immediate locational data, such as a recent ‘check-in’ at a restaurant or a shop. Even if this locational data isn’t completely current, it will still help to paint the forensic picture of a suspect in terms of where they regularly go, who they meet with, and what they do when they’re there.

In court, social data retrieved from mobile apps is fast-becoming a major source of evidence in not only building up the profile of the suspect, but also in establishing or demolishing a witness’ credibility. While social or app-based data has become a crucial evidential component to an investigator’s case, it can also act as an important part of the prosecution or defence process in court.

Offender profiling is changing as people use more social applications to communicate with one another. This is providing investigators with another source of information to build up a complete profile of a suspected criminal, which in turn offers a more comprehensive picture of a suspect in a court of law.

The amount of data that is now being consumed and shared is opening up a number of different opportunities for mobile forensic investigators, who are in a constant battle to stay one step ahead of the increasingly connected criminal.

Yuval Ben-Moshe, senior forensics technical director at Cellebrite


Mobile Device Forensic Process v3.0

Cindy Murphy has updated her paper on a process for Mobile Device Evidence and Data Extraction. We at DFM are happy to help get this into the hands of Digital Forensic Investigators globally and, whilst it has not been reviewed through our normal technical review process, we are happy to help publicise this piece of much needed work. The article is available for download using the link below, or subscribers to Digital Forensics Magazine can download the paper from the White Papers Downloads section of the DFM website.

Cindy Murphy is a Detective with the City of Madison, WI Police Department and has been a Law Enforcement Officer since 1985. She is a certified forensic examiner (EnCE, CCFT-A, DFCP), and has been involved in computer forensics since 1999. Det. Murphy has directly participated in the examination of hundreds of hard drives, cell phones, and other digital evidence pursuant to criminal investigations including homicides, missing persons, computer intrusions, sexual assaults, child pornography, financial crimes, and various other crimes. She has testified as a computer forensics expert in state and federal court on numerous occasions, using her knowledge and skills to assist in the successful investigation and prosecution of criminal cases involving digital evidence. She is also a part time digital forensics instructor at Madison Area Technical College, and is currently working on her MSc in Forensic Computing and Cyber Crime Investigation through University College in Dublin, Ireland.

Mobile Device Forensic Process v3.0


Freezing Android Phones Just Won’t Break The Ice With Forensic Investigators

Leading and readily available mobile forensics tools already have similar capabilities, enabling law enforcement to effectively obtain admissible evidence from mobile devices. Mobile forensics has evolved at an exponential rate over the last decade or so. The rise of the smartphone has meant it has had to. Forensic investigations can rely on taking fingerprints or finding DNA samples on a car seat, as well as on data from digital devices such as mobile phones.

With the correct software, operated by a trained investigator, mobile data can be extracted and analysed very quickly. It’s vital that this process isn’t a lengthy one, as investigators can sometimes be operating in life or death situations. A single device that has both the capability to extract as well as analyse mobile data is far more efficient and accurate than freezing the phone first and then processing the data in a separate computer.

The data that’s stored on a user’s mobile phone such as sent messages, browsed websites and recent calls can help investigators build a fairly accurate picture of a case. Devices such as the UFED device from Cellebrite, can not only retrieve this data but can also salvage data that’s been deleted by the user.

This can be critical to an investigation. Criminals could be mistaken for thinking that by deleting sensitive data they are removing it from the reach of the investigator.

Although digital technology has made criminal coordination easier, it has also made criminals more vulnerable to being caught. Before the age of the mobile phone, criminals would communicate via a landline telephone and, before that, through a telegram or a written letter. These methods of communication could be easily erased to avoid discovery.

Research into data extraction and analysis methods for the latest technology is of vital importance to law enforcement agencies. But, people should be aware of the technology that’s out there and at the disposal of investigators.

People should also be aware that due to the critical nature of digital forensics, taking a ‘DIY approach’ to data extraction is not the way forward. Investigators must use technology for accuracy’s sake, in addition to the fact that it saves a considerable amount of time.

Yuval Ben-Moshe, senior forensics technical director at Cellebrite


Cellebrite’s Panel of Leading Industry Experts Identify Mobile Forensics Trends for 2013

Petah Tikva, Israel, January 23, 2013 – As 2013 gets underway, Cellebrite, the leading provider of mobile forensic and mobile data transfer solutions, has announced a list of top trends in mobile forensics that will shape the year ahead.

To gather this list, Cellebrite interviewed a number of prominent experts from law enforcement, corporations and universities, as well as industry analysts, familiar with mobile forensics, information security and e-discovery and the most advanced mobile forensic products available today. They highlighted the following nine trends as the most critical for investigative and legal professionals to prepare for the upcoming year:

1. BYOD impacts the forensics industry. While “Bring Your Own Device” (BYOD) seemed to infiltrate the enterprise in 2012, the mobile forensics industry will confront the impact of this growing trend in the year ahead. BYOD adoption across the enterprise means that forensics professionals will encounter a greater number of compromised phones. According to John Carney, Chief Technology Officer, Carney Forensics, “For e-discovery experts, BYOD will mean contending with more devices that contain both personal and corporate evidence as well as an increase in legal challenges related to device access and privacy during corporate investigations.”

2. Critical data: there’s an app for that. According to a 2012 Nielsen report, the average smartphone user has approximately 41 apps installed on a single device. “Whether it’s mobile messaging, personal navigation, social media or improving productivity – apps are going to dominate smartphones and tablets in 2013,” said Carney. “The ability to extract critical data stored in apps will become the new measuring stick by which investigators gauge the superiority of mobile forensics tools.”

3. Smarter phones mean tougher encryption. “Expect to see more encryption of data on smartphones to protect personal privacy and corporate data, which will make forensic examination more challenging,” said Eoghan Casey, founding partner at CASEITE. Password technology, too, has advanced; pattern-screen locks have hindered forensic data extraction efforts. In 2013, look for mobile forensics tools to continue to find ways to bypass a greater number of passwords and device locks, as well as address advanced encryption technology.

4. Investigators can’t put all their eggs into one mobile operating system. Though Android took 75 per cent of the market in Q3 of 2012, for mobile forensics professionals, market share isn’t everything. As Paul Henry, security and forensics analyst, vNet Security, noted, “While Android is the predominant operating system, the bulk of the bandwidth is still taking place on Apple devices, making them critical to many investigations.” In addition, despite BlackBerry’s decline in recent years, Carney said: “Their popularity for over a decade will make them an important legacy device pertinent to investigations for years to come.”

5. Windows 8 is the wildcard. Notwithstanding all the attention garnered by Android and Apple, the real wildcard for 2013 will be the rise of Microsoft in the mobile device market. While questions remain regarding how prevalent Microsoft devices will become, Cellebrite’s panel of experts predicts that the need for mobile forensic tools providing support for Windows 8 will increase in the New Year.

6. Mobile devices advance as witnesses. Look for mobile devices and the data they contain to take centre stage in both civil and criminal investigations in the year ahead. “Civil litigators are discovering that mobile device evidence is just as important as digital documents and email evidence,” said Carney. According to Heather Mahalik, mobile forensics technical lead at Basis Technology, “Now, more than ever before, e-discovery experts need comprehensive training in order to ensure the proper extraction of all relevant data from mobile devices.”

7. The regulatory and legislative landscape remains uncertain. “Lawmakers and judges are looking at cell phones much more critically than they did computers,” said Gary Kessler, associate professor, Embry-Riddle Aeronautical University and a member of the ICAC North Florida Task Force. “However, because few understand the nature of the technology, they are erring greatly on the side of caution. This speaks to the need for greater education regarding the scope and possibilities of mobile forensics and what it means for privacy and pre-trial discovery.”

8. Mobile malware’s incidence will rise. In 2013, look for malware on smartphone platforms and tablets to increase exponentially, particularly on Android devices. According to Cindy Murphy, detective, computer crimes/computer forensics, Madison Wisconsin Police Department, “The intended uses of mobile malware will be very similar to non-mobile malware – steal money, steal information and invade privacy. For law enforcement and forensics professionals, mobile malware means dealing with potentially compromised devices that may help perpetrators cover their tracks, making it increasingly difficult for investigators to meet the threshold of reasonable doubt.”

9. Data breaches via mobile will rise. “Mobile forensics vendors should resolve to provide stronger capabilities for enterprise wide smartphone investigations to support the investigation of data breaches targeting smartphones and the needs of e-discovery,” said Casey. Malware together with large-scale targeted intrusions into smartphones (targeting sensitive data) will raise enterprises’ risks for data destruction, denial of service, data theft and espionage.

“From the increasing use of mobile evidence to challenges stemming from the rise in tougher encryption methods, there are a number of areas that will demand the attention of mobile forensics professionals in the year ahead,” said Ron Serber, Cellebrite co-CEO. “As the industry continues to evolve, it will be critical for the law enforcement community, as well as the enterprise, to invest in proper training and ensure that their budgets allow them to meet the growing demand for comprehensive device analysis and data extraction.”

Cellebrite’s UFED provides cutting-edge solutions for physical, logical and file system extraction of data and passwords from thousands of legacy and feature phones, smartphones, portable GPS devices, and tablets with ground-breaking physical extraction capabilities for the world’s most popular platforms – BlackBerry®, iOS, Android, Nokia, Windows Mobile, Symbian and Palm and more. The extraction of vital evidentiary data includes call logs, phonebook, text messages (SMS), pictures, videos, audio files, ESN IMEI, ICCID and IMSI information and more.

Cellebrite’s panel of experts included:
· Eoghan Casey, Founding Partner, CASEITE
· John Carney, Chief Technology Officer, Carney Forensics; Attorney at Law, Carney Law Office
· Paul Henry, Leading Security and Forensics Analyst, Principal at vNet Security; Vice President at Florida Association of Computer Crime Investigators; SANS Senior Instructor
· Gary Kessler, Associate Professor, Embry-Riddle Aeronautical University; ICAC Northern Florida Task Force
· Heather Mahalik, Mobile Forensics Technical Lead, Basis Technology; SANS Certified Instructor
· Cindy Murphy, Detective Computer Crimes/Computer Forensics, Madison Wisconsin Police Department
· Ron Serber, co-CEO, Cellebrite

http://www.cellebrite.com/collateral/WhitePaper_MF_2013_Trends.pdf


Call for Forensic Practitioners to Beta Test new Tool

CCL-Forensics, based in the UK, is offering Digital Forensics Practitioners the opportunity to take part in the final beta test, which is now underway. Any interested practitioners wishing to be involved should register at www.ccl-forensics.com/pip.

Researchers at CCL-Forensics have developed an innovative application for presenting the data held in XML format – a common data storage format, found on a wide range of digital devices and platforms including PCs, phones and SatNavs. The development in complex data interpretation is set to significantly speed up digital forensic investigations by enhancing the presentation of evidence from a range of commonly used devices.

Although XML is a text-based format, it’s not user-friendly in its raw form, meaning digital investigators often have to manually manipulate large amounts of data to locate evidence relevant to their enquiry. XML files can contain, for example, internet history, web searches, SatNav recent locations, social networking history, and more.

CCL-Forensics has developed “PIP” to eradicate this problem. PIP is a software tool which parses data from XML files using the XPath query language and presents the investigator with results in a user-friendly, easy-to-interpret form. This saves a considerable amount of time, and means costs to investigators are kept to a minimum.

In addition, PIP natively supports Apple’s property list (“plist”) file format, in both its XML and binary forms.

[Image: An XML file shown both in its raw form and when presented using PIP]

A regularly updated library of XPath queries is included within PIP, and CCL-Forensics is constantly researching opportunities for new additions to the library. For the advanced practitioner, however, PIP allows bespoke queries to be written for new data types which may be uncovered during the course of an investigation.

The team behind PIP also recognised the need for investigators to process a number of similar files simultaneously, and therefore developed a batch processing capability.
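As an added example (not CCL-Forensics’ PIP code), the following Python shows the kind of work a PIP library query automates: an XPath query over an XML file tabulated into rows, the same query applied in batch to several files, and a plist flattened from either its XML or binary form. The XML schema, plist keys and file contents are constructed for illustration.

```python
"""Added example, not CCL-Forensics' PIP code: the kind of XPath and plist
extraction a PIP library query automates, plus a batch run over several
files. The XML schema, plist keys and file contents are constructed."""
import plistlib
import xml.etree.ElementTree as ET

# Constructed browser-history export (not any real product's schema).
HISTORY_XML = b"""<history>
  <visit url="https://example.org/route" when="2013-05-01T09:12:00Z"/>
  <visit url="https://example.com/search?q=maps" when="2013-05-01T09:15:30Z"/>
  <bookmark url="https://example.net/"/>
</history>"""

# Constructed XML plist shaped like a SatNav 'recent destinations' list.
RECENTS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Recents</key><array>
    <dict><key>Name</key><string>Home</string>
          <key>Lat</key><real>52.19</real><key>Lon</key><real>-1.71</real></dict>
    <dict><key>Name</key><string>Office</string>
          <key>Lat</key><real>51.50</real><key>Lon</key><real>-0.12</real></dict>
  </array>
</dict></plist>"""


def xpath_rows(xml_bytes: bytes, query: str, fields: tuple) -> list:
    """Run an ElementTree XPath query and tabulate the named attributes
    of each match, one tuple per row (the 'easy-to-interpret' step)."""
    root = ET.fromstring(xml_bytes)
    return [tuple(el.get(f) for f in fields) for el in root.findall(query)]


def plist_recents(data: bytes) -> list:
    """Flatten the recents list; plistlib.loads accepts XML or binary plists."""
    doc = plistlib.loads(data)
    return [(d["Name"], d["Lat"], d["Lon"]) for d in doc.get("Recents", [])]


def to_binary_plist(xml_plist: bytes) -> bytes:
    """Re-encode an XML plist as binary (bplist) to exercise the binary path."""
    return plistlib.dumps(plistlib.loads(xml_plist), fmt=plistlib.FMT_BINARY)


def batch(files: dict, query: str, fields: tuple) -> dict:
    """Apply one library query to many files at once, keyed by file name."""
    return {name: xpath_rows(blob, query, fields) for name, blob in files.items()}
```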

PIP was created in response to demand from Law Enforcement Agencies to streamline the presentation from the increasingly complex range of digital devices – for little additional cost to the taxpayer.

Alex Caithness, the developer of PIP says “One of the biggest frustrations of any digital examiner is the fact that their tools extract data which they have to manually interpret to turn into a reportable format. PIP is designed to eradicate this problem for XML and plist files.

These files are used in many different devices and applications – the iPhone to name just one. Investigators are seeing a great deal more of these devices, and without a tool like PIP, they may spend time manually processing them.

This is doubly unfortunate, because they have already carried out the first step – by extracting the data.  They just now need to interpret it.  PIP does this effortlessly.”

PIP is a constantly evolving tool and the developers would welcome suggestions for future functionality.  For more information, please contact Marketing Manager Andy Holmes on +44 1789 2621200 or email aholmes@ccl-forensics.com.


Solid State Drives and TRIM

Here is an interesting analysis of an SSD performed and reported by Alex Golding. You can find his blog at http://dig-forensics.blogspot.com/

-----------------------------

Solid State Drives are getting increasingly more affordable and therefore increasingly more common, especially with expensive laptops having them built in. If you’re not familiar with them, they basically use flash memory instead of magnetic disks, hence the name. They don’t need an arm to move across the disk reading the data, so the seek times are much better and therefore they read data much faster than a normal hard disk. They have a few different utilities which are meant to speed up the drive. I won’t go too technical, but TRIM is one of these functions: when a file is deleted, the area where the file is stored is wiped to allow for quicker write speeds later.

Seeing as I just bought a Solid State Drive, I thought it would be a good idea to check TRIM was working. I found a couple of utilities to get me started. The first thing to do was to launch the Computer Management program. This is obviously with Windows 7, as TRIM is supported by the OS without any fiddling around. Ubuntu will require further research. With Computer Management open, you choose the drive in question and enter its properties menu.

In this case it is disk 0. The drive is only a 64GB drive due to lack of funds; it’s used primarily as an OS drive with the majority of programs also installed. It doesn’t half fly though! Remember to right-click on the Disk and not the partition. From here navigate to the Details tab and choose Hardware Ids from the drop-down menu.

(screenshot)

As you can see from the screenshot there is a long list of information, but the end of each entry is key; in my case there is “0006”, which refers to the firmware number. As drives get newer all will have TRIM enabled by default, but in my case it was essential to check the firmware supported it, and it does. The next thing to do is to run a command within the command prompt to determine whether it’s enabled within Windows 7 (it should be). You need to launch the prompt as administrator, otherwise the command won’t work. The easiest way to do this is to search for cmd in the Start menu, right-click, Run as administrator and press Yes/Continue to the UAC prompt. Once you have done this the following command needs to be entered:

fsutil behavior query disabledeletenotify

If it is set to 0 then TRIM commands are enabled; set to 1 and they are disabled. So TRIM is enabled.

I also came across some software which supposedly tells you if TRIM is supported by the drive, but I’m unsure if it just checks the drive type, so in my opinion this is a better way of checking. If you want to have a play, the software is called “CrystalDiskInfo”, available here: http://crystalmark.info/software/CrystalDiskInfo/index-e.html

Anyway, now for the forensic side of it all. I took two drives: my main drive, which is only 6 months old and the fastest HDD other than Raptors – the F3 1TB – and the C300 64GB. The fact that the drives are different sizes doesn’t matter here as there’s plenty of space free on each drive. I created two identical files with the word “TESTER” flooded until the file was 548KB. I saved this to the root directory of the main partition on each drive. I previewed the drives within EnCase with the files not deleted to ensure that they were visible as normal, which they were:

SSD: (screenshot)

HDD: (screenshot)

As you can see they are visible. I then removed the drives from the case and proceeded to delete both files from the drives using Shift-Delete to permanently delete them without entering the Recycle Bin. From deleting the files to adding the drives back into EnCase the whole process took 30 seconds. In this case both files were visible as deleted files:

SSD: (screenshot)

HDD: (screenshot)

The interesting thing was that even though the file was deleted from both, the SSD entry had the data wiped from where the file supposedly was, whereas the HDD entry had the data intact. I searched the SSD for the word TESTER, but nothing was found. About ten minutes had passed in this time, so I decided to add the devices back into EnCase and see if the file was still visible as a name for both. Lo and behold, the file had disappeared from the SSD and remained on the HDD.

SSD: (screenshot)

HDD: (screenshot)

This indicates that in the 30 seconds the entire file was wiped. It was interesting to see that in the first 30 seconds the file name was still visible, but with no content this is almost useless. The HDD behaved as expected, as it doesn’t support TRIM. After 10 minutes the file name was completely gone, and I imagine it disappeared shortly after the device was added to EnCase. In theory all TRIM is handled in exactly the same way, as it’s a call from the operating system which handles the blocks on the drive being wiped, unlike garbage collection, which is initiated solely by the firmware of the drive. It bears great significance to forensic acquisition as it’s not something that’s going to go away; it greatly improves write speeds on SSDs and could eventually be used on USB pen drives as they function in a very similar way.
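As an added example (not Alex Golding’s code), here is a Python script that reproduces the two checks in the post above: interpreting the `fsutil behavior query disabledeletenotify` output, and testing in a raw image whether the clusters a deleted file’s still-visible entry points at have been zeroed (the SSD result) or are intact (the HDD result), together with a raw keyword search for the marker text. The fsutil strings, image layout and cluster size are constructed.

```python
"""Added example (not Alex Golding's code): the two checks from the post.
1. Interpret `fsutil behavior query disabledeletenotify` output.
2. In a raw image, classify the clusters a deleted file's entry still points
   at as zeroed (post-TRIM) or intact, and search for the marker keyword.
The fsutil strings, image layout and cluster size are constructed."""
import re

CLUSTER = 4096  # bytes per cluster; constructed layout, NTFS default size


def trim_enabled(fsutil_output: str) -> dict:
    """Map filesystem name -> True if TRIM is on. DisableDeleteNotify = 0
    means delete notifications (TRIM) are enabled, 1 means disabled."""
    pattern = r"(\w+)\s+DisableDeleteNotify\s*=\s*([01])"
    return {fs: flag == "0" for fs, flag in re.findall(pattern, fsutil_output)}


def cluster_run_state(image: bytes, first: int, count: int) -> str:
    """Classify a cluster run: 'intact', 'zeroed' (the typical read after
    TRIM) or 'partial' (only some clusters came back as zeros)."""
    zeroed = 0
    for c in range(first, first + count):
        chunk = image[c * CLUSTER:(c + 1) * CLUSTER]
        if chunk.count(0) == len(chunk):
            zeroed += 1
    if zeroed == 0:
        return "intact"
    return "zeroed" if zeroed == count else "partial"


def keyword_offsets(image: bytes, keyword: bytes) -> list:
    """Byte offsets of every occurrence of keyword, like a raw EnCase search."""
    hits, pos = [], image.find(keyword)
    while pos != -1:
        hits.append(pos)
        pos = image.find(keyword, pos + 1)
    return hits


def build_image(trimmed: bool) -> bytes:
    """Constructed 16-cluster image: metadata in cluster 0 and the 'TESTER'
    file in clusters 4-6. trimmed=True leaves the file's clusters zero-filled,
    as the SSD returned them after TRIM; trimmed=False mirrors the HDD."""
    img = bytearray(16 * CLUSTER)
    img[0:CLUSTER] = b"META" * (CLUSTER // 4)
    if not trimmed:
        img[4 * CLUSTER:7 * CLUSTER] = b"TESTER" * (3 * CLUSTER // 6)
    return bytes(img)
```

On a real acquisition, read the cluster run from the deleted entry’s data attribute and pass the image bytes (or a memory-mapped file) in place of the constructed buffer.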
