Finding the Needle in the Lawful Intercept Haystack

Modern encryption techniques have resulted in Law Enforcement and Intelligence Agencies losing the benefits that came from carrying out Lawful Intercept activities. Indeed the time required to investigate a lawful intercept PCAP file for relevant and useful information is now such that should any artefact be found, it is almost certainly found long after the time when the information could have been at its most useful.

Communications channels have gone way beyond the simple calls and text messages of the past. The proliferation of messaging apps (WhatsApp, Signal, Telegram etc.), the ability to send messages via social media platforms (Facebook, Nextdoor, Instagram etc.) and the use of video communication platforms (FaceTime, Zoom etc.) have resulted in a very complex environment to investigate and analyse when looking for that particular artefact that will break the case, or that specific piece of intelligence that will lead the investigators to where they need to go. And that is before you add the problem that all investigators face: these communications are encrypted.

Additional information and intelligence you may want to know is which websites have been visited, when, with what frequency, for how long, etc. Another thing that Wireshark won’t do for you here, but a good LEA workflow will, is categorise each website: is it Ads, Shopping, Food, Travel, Furniture, Pornography, Social Networking, Political Ideology, Terrorism, etc.?

What is required is a tool that examines the lawful intercept network data (most likely a PCAP) and synthesises the output into a clear website profiling view. When that kind of analysis takes seconds and can be immediately reflected from a large collection of PCAPs, then we’re really cooking on gas. 

Today Lawful Intercept of data services can still be an effective tool against communication apps. What is being said is lost to unbreakable encryption, but that is often not what is needed to progress an investigation. Each call leaves a digital footprint in the packet captures, and that is clearly visible to the right tool, regardless of whether that app is WhatsApp or some obscure dialler you have never heard of. Some of these applications are quite challenging to ‘fingerprint’ within the network noise, but the right application of machine learning can classify these applications with high confidence.

If you would like to find out more about how to find that Needle in the Lawful Intercept Haystack and work in Law Enforcement or Intelligence, then subscribe to Digital Forensics Magazine and read the full article, and join Sandvine for a Live Demonstration of Digital Witness.

Digital Witness Webinar Registration (



Protect Your Business From State-Sponsored Attacks

It has taken some time but we finally have succumbed to the delights of a certain kitchen utensil. Years of resisting George, John, and the seductive talents of Penelope, had left me more determined than ever to resist at all costs. The result: a plethora of appliances – eight at last count – to produce the perfect cup of coffee at the right moment, cluttering kitchen surfaces and cupboards, and never quite getting it right. After all, each appliance needs and produces its own unique type of coffee. And it’s difficult, when you’re the only serious coffee drinker, to convince ‘management’ at home that such a thing as a CCM (Centralized Coffee Management) system is essential.

And the story is similar with encryption keys and certificates. Look around any mid to large size organisation and you will find SSL, SSH and Symmetric keys and digital certificates scattered around – and each type will also have several variants. Then there are all the different “utensils” which use the keys, from applications to a myriad of appliances, as well as a host of built-in ‘tools’ to manage each variety.  The result is more management systems than the average household’s coffee machines.

Today SSL and SSH keys and certificates are found littered across virtually all systems, applications and end-user computing devices. In most cases no one knows who caused the ever-proliferating and expanding landscape of encryption “litter,” and since these keys and certificates are used to protect critical systems and sensitive data, ineffective and siloed management means that organisations are increasingly susceptible to failed audits, security risks, unexpected systems outages, compromises to systems applications and most importantly, critical data. Of course, each of these comes with its own costly financial and reputational consequences.

The Dark Side

And just as I’m told that there’s a dark side to my caffeine addiction, there is a definite dark side to the unmanaged and unquantified encryption keys and certificates that we’ve become so dependent on—which now act as the infrastructure backbone of all online trust and security. Today as never before, everyone from governments to private individuals is under attack. The use of malware for criminal, ideological and political aims is growing at an alarming rate. Stuxnet opened Pandora’s Box when the use of valid, stolen SSL certificates as a means to authenticate the malware and allow it to remain hidden and undetected became common knowledge. Since then there has been an explosion of malware using digitally signed certificates.

Can we defend ourselves against state-sponsored attacks?

Today we are faced with cyber-attacks on a scale never imagined, and the question that has to be asked is whether or not there is anything we can do to protect our infrastructure, enterprises and ourselves.

But I believe the reality is that we are responsible in large part for the ease with which cyber-terrorists, regardless of their ideology or motivation, are attacking us. In effect, we are supplying the weapons that are being used against us. The collective failure of enterprises to protect keys and certificates is resulting in these very keys and certificates being used against us.

The Flame attack for example, which masqueraded as a Windows update, was successful because of Microsoft’s continued use of MD5 algorithms, years after they themselves had identified that they were compromised. A surprisingly small amount of money needed to be spent to create a duplicate certificate. Shamoon, which attacked Aramco and RasGas, leveraged a certificate stolen from a company called Eldos, and issued by GlobalSign. The fact that it was issued by GlobalSign is not the problem; the problem is that the key and certificate were reportedly stolen from Eldos. And it goes on and on. Cyber-Terrorists are literally helping themselves to keys and certificates from global business because they know that no one manages them. When organisations don’t ensure proper controls over trust, business stops. End of story.

So the first step in defending ourselves is to protect our key and certificate arsenal. Having effective management so that access to any key or certificate is controlled is a first step in ensuring that you don’t become the next unsuspecting collaborator. And that management has to be unbiased, universal and independent if it’s going to work—not caring who issues the encryption or in what departmental silos it resides (one cannot be both the issuer and manager of encryption simultaneously—too many inherent conflicts of interest). No one wants to have their name associated with a cyber-attack that at the very least results in significant financial loss for the victim, but even more seriously results in the loss of life.

Secondly, enterprises are not responding to the attacks. There is massive investment in perimeter security but when we are told repeatedly that the threat is as much from within as outside, we need to act.

Can we still protect critical infrastructure from attack in the digital age?

If malware is the Cyber-terrorist weapon of the 21st century, then organisations need to reduce the risk as much as possible. At last count there are in excess of 1500 Trusted Third Parties who issue certificates globally. Many of these are in every system in the infrastructure, and the result is that if a system trusts the issuer, it will by default trust the “messenger”, in this case malware.

So like your firewall in the 20th Century, which you used to reduce the access points through your perimeter, effective management of trusted issuers and instruments similarly reduces your risk of malware infection. If a system doesn’t know the issuer, it’s not going to trust the messenger. So although you can never completely remove the risk because you have to trust some people, you will significantly reduce the number of possible attacks. But this requires the determination of an organisation to take steps to protect itself. The management of trust stores in every system becomes an absolute necessity in the fight against cyber-terrorism, regardless of what group, enterprise, or nation state is behind it.

According to US Defence Secretary Leon Panetta, the Pentagon and American intelligence agencies are seeing an increase in cyber threats that could have devastating consequences if they aren’t stopped. “A cyber-attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyse the nation.”

The question is: when will we start to see individuals and organisations being held culpable for these attacks? In the Cyber-Terrorism war, it is a big business selling valid SSL certificates, whether stolen, lost or sold, to “terrorists” – and it is likely to be a significant part of a major incident, and ignorance will not be a defence!

So my advice is, as George Orwell wrote in “1984”: “If you want to keep a secret, you must also hide it from yourself.”

Calum MacLeod

Calum MacLeod has over 30 years of expertise in secure networking technologies, and is responsible for developing Venafi’s business across Europe as well as lecturing and writing on IT security.



Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 1)

[Author’s Note: Geo-location artifacts have been a frequent focus of my research, and I am amazed at how quickly they are permeating operating systems, applications and file formats. In the fall of 2011 I had the pleasure of writing an article for Digital Forensics Magazine focused on browser-based geo artifacts, where much of this series was originally published.]

One of the more revolutionary forensic artifacts to emerge in recent years is geo-location data. Geo-location gives us an accurate means to identify the physical location of an item on Earth. It is now possible to determine where in the world a laptop or mobile phone has been, solely using host-based forensics. In a world of increasingly mobile devices, geo-artifacts can provide a crucial extra dimension to our investigations. With it, we now have the potential to answer who, what, when, why, and where.

The trend towards mobile computing is unmistakable, with laptop computers outselling desktops for several years. Forrester Research estimates tablets, netbooks, and laptops to be 73% of computer sales in 2011. While an increasing number of smartphones contain Global Positioning System (GPS) radios, the technology has been slower to be adopted in mobile computers. However, devices can be geo-located and store location artifacts even if they do not contain a GPS capability. In fact, in urban locales and particularly indoors, GPS can be highly unreliable. Technologies like WiFi network positioning and cell tower triangulation often augment or replace GPS. If a device is connected to the Internet and has access to GPS, a cellular modem, or a wireless network card, geo-location data in some form is likely already being generated and stored. This capability has sparked a creative gold rush, with an ever-increasing number of software applications racing to become “location aware”. At stake is a slice of the billion-dollar mobile marketing industry. Envision walking by a restaurant and being alerted to a half price lunch special via your mobile device; or arriving at a conference and immediately pinpointing the bars and restaurants where your contacts are located. These applications exist, and digital forensic examiners can use the data generated to pinpoint the location of a device at a specific time.

This is an update to an article previously published in Digital Forensics Magazine and is posted here, cross-posted from the author’s blog by agreement. You can read the rest of the 1st installment here:




Solid State Drives and TRIM

Here is an interesting analysis of an SSD performed and reported by Alex Golding. You can find his blog at


Solid State Drives are getting increasingly more affordable and therefore increasingly more common, especially with expensive laptops having them built in. If you’re not familiar with them, they basically use flash memory instead of magnetic disks, hence the name. They don’t need an arm to move across the disk reading the data, so the seek times are much better and therefore they read data much faster than a normal hard disk. They have a few different utilities which are meant to speed up the drive. I won’t get too technical, but TRIM is one of these functions: when a file is deleted, the area where the file is stored is wiped to allow for quicker write speeds later.
Seeing as I just bought a Solid State Drive I thought it would be a good idea to check TRIM was working. I found a couple of utilities to get me started. The first thing to do was to launch the Computer Management program. This is obviously with Windows 7, as TRIM is supported by the OS without any fiddling around. Ubuntu will require further research. With Computer Management open you choose the drive in question and enter its properties menu.

In this case it is disk 0. The drive is only a 64GB drive due to lack of funds; it’s used primarily as an OS drive with the majority of programs also installed. It doesn’t half fly though! Remember to right-click on the Disk and not the partition. From here navigate to the Details tab and choose Hardware Ids from the drop-down menu.


As you can see from the screenshot there is a long list of information, but the end of each entry is key; in my case there is “0006”, which refers to the firmware number. As drives get newer all will have TRIM enabled by default, but in my case it was essential to check the firmware supported it, and it does. The next thing to do is to run a command within the command prompt to determine whether it’s enabled within Windows 7 (it should be). You need to launch the prompt as administrator, otherwise the command won’t work. The easiest way to do this is to search for cmd in the Start menu, right-click, choose “Run as administrator” and press Yes/Continue at the UAC prompt. Once you have done this the following command needs to be entered:


fsutil behavior query disabledeletenotify


If it is set to 0 then TRIM commands are enabled; set to 1 and they are disabled. So TRIM is enabled.

I also came across some software which supposedly tells you if TRIM is supported by the drive but I’m unsure if it just checks the drive type so in my opinion this is a better way of checking, but if you want to have a play the software is called “CrystalDiskInfo” available here:

Anyway now for the forensic side of it all.  I took two drives, my main drive which is only 6 months old and the fastest HDD other than raptors – the F3 1TB and the c300 64GB.  The fact that the drives are different sizes doesn’t matter here as there’s plenty of space free on each drive.  I created two identical files with the word “TESTER” flooded until the file was 548KB.  I saved this to the root directory of the main partition on each drive.  I previewed the drives within EnCase with the files not deleted to ensure that they were visible as normal which they were:




As you can see they are visible. I then removed the drives from the case and proceeded to delete both files from the drives using Shift-Delete to permanently delete them without entering the Recycle Bin. From deleting the files to adding the drives back into EnCase the whole process took 30 seconds. In this case both files were visible as deleted files:



The interesting thing was that even though the file was deleted from both, the SSD entry had the data wiped from where the file supposedly was, whereas the HDD entry had the data intact. I searched the SSD for the word TESTER, but nothing was found. About ten minutes had passed in this time, so I decided to add the devices back into EnCase and see if the file was still visible as a name for both. Lo and behold, the file had disappeared from the SSD and remained on the HDD.



This indicates that in the 30 seconds the entire file was wiped. It was interesting to see that in the first 30 seconds the file name was still visible, but with no content this is almost useless. The HDD behaved as expected as it doesn’t support TRIM. After 10 minutes the file name was completely gone, and I imagine it disappeared shortly after the device was added to EnCase. In theory all TRIM is handled in exactly the same way, as it’s a call from the operating system which handles the blocks on the drive being wiped, unlike garbage collection, which is initiated solely by the firmware of the drive. It bears great significance to forensic acquisition as it’s not something that’s going to go away; it greatly improves write speeds on SSDs and could eventually be used on USB pen drives as they function in a very similar way.
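The fsutil check described in the post, scripted so an examiner can record TRIM state for a seized Windows machine before imaging and note what it implies for recovering deleted content. This is an added example by the editor, not code from Alex Golding's post; the sample outputs are constructed, and the per-filesystem wording used by Windows versions after Windows 7 is an assumption.

```python
"""Interpret the output of `fsutil behavior query DisableDeleteNotify`.

fsutil reports DisableDeleteNotify, so a value of 0 means TRIM (delete
notifications) is enabled and 1 means it is suppressed, exactly as the
post describes. Windows 7 prints one line; later versions print one line
per filesystem (NTFS, ReFS). The samples below are constructed.
"""
import re
import subprocess
import sys

# Constructed sample: Windows 7 style, TRIM enabled.
SAMPLE_WIN7 = "DisableDeleteNotify = 0\n"

# Constructed sample: newer style (assumed wording), TRIM on for NTFS, off for ReFS.
SAMPLE_NEWER = (
    "NTFS DisableDeleteNotify = 0  (Disabled)\n"
    "ReFS DisableDeleteNotify = 1  (Enabled)\n"
)

# Optional filesystem name, then the key, then the 0/1 value.
_LINE = re.compile(
    r"^\s*(?:(?P<fs>\w+)\s+)?DisableDeleteNotify\s*=\s*(?P<val>[01])", re.I
)


def parse_trim_status(text):
    """Map filesystem name -> True when TRIM is enabled.

    The single-line Windows 7 form has no filesystem column; its value is
    recorded under "NTFS". Lines that do not match are ignored.
    """
    status = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        fs = m.group("fs") or "NTFS"
        status[fs] = m.group("val") == "0"
    return status


def recovery_expectation(is_ssd, trim_enabled):
    """Forensic reading of the drive, following the post's experiment:
    an SSD with TRIM enabled wipes the blocks of a deleted file within
    seconds; an HDD keeps the content until it is overwritten; an SSD
    without TRIM still loses data whenever firmware garbage collection runs."""
    if not is_ssd:
        return "deleted content likely recoverable until overwritten"
    if trim_enabled:
        return "deleted content likely unrecoverable (TRIM wipes blocks)"
    return "deleted content may persist until firmware garbage collection"


def query_live():
    """Run fsutil on this machine (Windows only; needs an elevated prompt)."""
    out = subprocess.run(
        ["fsutil", "behavior", "query", "DisableDeleteNotify"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_trim_status(out)


if __name__ == "__main__":
    if sys.platform != "win32":
        print("fsutil is Windows-only; parsing constructed samples instead")
        print(parse_trim_status(SAMPLE_WIN7))
        print(parse_trim_status(SAMPLE_NEWER))
    else:
        for fs, enabled in query_live().items():
            state = "TRIM enabled" if enabled else "TRIM disabled"
            print(fs, state, "->", recovery_expectation(True, enabled))
```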



New iPhone Forensics White Paper

Are you looking for the best mobile forensics tool for iPhone Forensics? Well, a good place to start is viaForensics’ updated (and free) iPhone Forensics white paper at:

The white paper is geared towards forensic examiners and includes plenty of screenshots, comments and other useful information.

Why do we provide this white paper for free? Well, all of us are struggling with the influx of mobile devices. By reviewing each of the tools, we not only provide a service to the forensics community but we have great dialogue with the development companies and we hope it leads to improvements in their software (a.k.a. make our jobs easier). We’ve observed great strides in the software since 2009 and if the community at large shares their feedback, we can make things better.

So check it out…and by all means, please let us know what you think, where we can improve the tool or any other suggestions you have. And stay tuned for more updates. We are working on our Android Forensics white paper (as well as Syngress books on both iPhone and Android forensics) and since we’re clearly not busy enough, we might kick off a series with DFM on Forensics and Programming.

Andrew Hoog
Chief Investigative Officer
tel: +1 312-878-1100



The Future of Cybercrime Forensics

Dr. Ali Jahangiri

Cybercrime Forensic investigation is a complicated science with its own history, implications and future. It is not sufficient merely to consider it a branch of criminology, or the study of cyber criminal behavior, or research into the relationship between the causes of tech related crime and social policies. For cyber criminals, their knowledge and their crimes are bound together. The possible suspects are rich in knowledge and technical skills. They have mastered the technology better than the technology’s creators, and they know how to use technology against technology.

A multidisciplinary approach is required to fully foresee the future of cybercrime forensics. It requires a team of specialists from different disciplines within the IT industry and related industrial and social segments such as telecom and law. However, in this article the author looks at the future of cybercrime forensics based on his knowledge and experience in this field.

Cybercrime Forensics for Governments

Cybercrime forensics at the governmental level will be more complicated in the future. Governments will need to turn more to their national security organisations to hunt down cyber criminals. In addition, they will need to invent anti-forensic tools and methods to keep their activities and information assets secret.

Cyberspace security and computer related technologies will be a real challenge for governments. The platforms and protocols for computer related technologies may have both domestic and international uses. Therefore, it will be difficult for governments to reach an agreement for international cyber security policies.

At the same time, some countries are the technology owners and this intellectual property ownership will give them an advantage compared to other countries without such a privilege. The technology ownership issue will force the other countries to utilise the open source platforms to develop their own customised operating systems and software.

Cybercrime Forensics for Corporates

Currently a few companies have dominated the cybercrime forensic markets. These are the pioneers in cybercrime forensics and analysis. They have the tools and the solutions for cyber forensic investigation. They train law enforcement agencies to use their tools and solutions and some of them even have special tools just for governmental use.

There are also many small companies with one or two consultant partners who are either retired law enforcement officers or former IT professionals from Fortune 500 companies. These people use their contacts and credentials to achieve some market share. However, in the future, cybercrime forensics at the corporate level will be diversified to education and certain specialties and products. It will be difficult for small companies to build a team with the right core competencies. In addition, due to security clearance requirements and national security interests, most of these companies will only practice in their country of origin.

Furthermore, information security standards such as ISO27001 and ITIL will be implemented more in medium to enterprise size companies. Realistically, only these companies can afford the cost of compliance implementation. Therefore, it will be necessary for them to have proper incident response procedures and the corresponding cyber forensic investigation capabilities. These companies may well have their own cyber forensic investigation units.

Cybercrime Forensics in Professional Institutions

Cybercrime forensics is a new battleground for professional institutions. Currently, there is no real internationally recognised authority to govern cybercrime forensics practices, regulations and certification. Therefore, professional institutions are offering cybercrime forensic investigation training programs, certifications and conferences. Currently, some of these institutions are forming alliances (as trade and training partners) to achieve their sales targets. In the future, it is likely that these institutions will start to attack each other to gain market share.

Cybercrime Forensics in Universities

It is sad to note that more and more often information technology advances are coming from industry rather than universities. Within IT, a few companies dominate the industry and therefore the innovations. It will be the same for cybercrime forensics; the companies with market share have the money for research and development. The main issue with academic institutions is their approach, which is slow and traditional compared to the faster speed of development and implementation found in industry.

Furthermore, the training programs in universities are not aligned with the current job market and industry needs. The university students have a lack of practical knowledge compared to the IT professionals who are in the industry (and possibly without academic studies). This is the major reason why students choose further training to achieve professional certification and so distinguish themselves from other graduates.

Cybercrime Forensics in the Media

There will be more magazines, websites and blogs specialising in cybercrime forensics and analysis. They will be the voice of the industry with the power to review, promote and criticise books, products, solutions and training programs. They will sell advertising and help vendors sell their products. Whoever has more marketing budget and better relations will be the most successful in the cybercrime forensics industry. Nevertheless, there will be one or two magazines and websites that will remain independent, but they will find it difficult to survive in such a tough market.

Cybercrime Forensics and Technical Trends

The market will be divided into four main segments with specialised service providers for each segment. The segments are: Microsoft Windows related products, UNIX & Linux related products, Apple related products and computer network & telecom related products.

The solution providers will create more comprehensive tools and solutions to gain better market share. They will transform their solutions into a set of tools for non-IT professionals. They will also try to make their tools web based, for remote forensic investigations.

The open source community will be active on the UNIX & Linux platforms, working to secure the legislation required to accredit open source tools in the various countries and judicial systems.

Apple has created a giant market for those who want to develop Apple device related tools and solutions. This will be a new era for the professionals who are working in cybercrime forensics.

Cloud computing, cellular networks, WiMAX and virtualization will be the other areas of interest for study and product development. It is obvious that everything is merging towards IT, and cyberspace will play an important role in the near future. This will lead governments and authorities to pursue other methods of intelligence gathering, such as web and data mining, to protect their interests.

This will lead to the biggest privacy issue in history. All the data communication, of all users, will be logged at the carrier level. Then the authorities will use data mining tools to identify suspicious behavior of a particular user or users in their own or an ally’s territory. All this information will be saved in massive databases and then the commercial, financial and personal information, in addition to the communication records and social behaviors, will be linked together.

All this will ultimately lead to a new chapter in the history of cybercrime forensics, namely Applied Artificial Intelligence in Cybercrime Forensics.



Cell Phone Evidence Extraction

Due to popular demand Detective Cindy Murphy has released her paper on a process for Cellular Evidence and Data Extraction. We at DFM are happy to help get this into the hands of Digital Forensic Investigators globally and whilst it has not been reviewed through our normal technical review process we are happy to help publicise this piece of much needed work. The article is available for download using the link below or subscribers to Digital Forensics Magazine can download the paper from the White Papers Downloads Section of the DFM Website.

Cindy Murphy is a Detective with the City of Madison, WI Police Department and has been a Law Enforcement Officer since 1985. She is a certified forensic examiner (EnCE, CCFT-A, DFCP), and has been involved in computer forensics since 1999. Det. Murphy has directly participated in the examination of hundreds of hard drives, cell phones, and other digital evidence pursuant to criminal investigations including homicides, missing persons, computer intrusions, sexual assaults, child pornography, financial crimes, and various other crimes. She has testified as a computer forensics expert in state and federal court on numerous occasions, using her knowledge and skills to assist in the successful investigation and prosecution of criminal cases involving digital evidence. She is also a part time digital forensics instructor at Madison Area Technical College, and is currently working on her MSc in Forensic Computing and Cyber Crime Investigation through University College in Dublin, Ireland.

Cell Phone Evidence Extraction Process Development 1.8
Mobile Device Forensic Process v3.0



5 Reasons for Digital Forensic Examiners to Use Content Marketing

For Issue 3 (May 2010) of Digital Forensics Magazine’s newsletter, I posted a short article about content marketing, the best way to share your expertise with clients and prospects alike. Here, I want to go into more detail about each of the five points I raised.

1) The people you serve come to trust you. Content shows the thinking that drives the service, the combination of knowledge and personality that sets you apart from competitors. These days, the product alone is no longer enough. Customers are cynical about being “sold to,” and in the event that your product doesn’t quite meet expectations, it’s important to provide value in different ways so that your customers will keep the faith that the next time around, you’ll improve.

Of course, this presupposes that you know in advance what content your customers (and prospects) need. This kind of market research can come down to Internet polls, informal surveys or interviews, social media monitoring, and other means of information gathering. It can come from your most loyal customers – who are usually more familiar than anyone else with how your product or service solves their problems – and from your most coveted prospects, who may appreciate challenging you to help them. The best content is tailored to each group’s specific needs.

2) Social media make it easy to share. Whether a slide or video presentation on SlideShare or Prezi, a white paper on Scribd or DocStoc, or customer success stories on YouTube or your blog, your content is now available to a wider community.

This can be very important when you’re targeting different market segments. One of the most popular social sites for digital forensics examiners is Twitter, and to be part of this community is a good idea. But what if you’re not selling directly to examiners? What if, instead, you’re selling to law firms or banks or small businesses? You’d want to find the social sites they’re on, become part of their communities too, rather than expect them to come to yours.

Content variety is also important from the standpoint of search engine optimization. YouTube is particularly powerful for SEO, so video content tagged with those all-important keywords, embedded on your website, can potentially accomplish two things: 1) drive traffic back to your site and 2) raise your site’s search rankings.

Just make sure the keywords you choose are the ones your customers are actually using, or are likely to use. (Hint: if you’re using Google Analytics to track site performance, take a look at the searched-on keywords that brought people there.)

3) You can highlight new or underrated aspects of what you are doing. This is the “marketing” side of content marketing – what services help your market, and why?

This goes hand in hand with #2 above, but also with #1, as it helps both existing clients and prospects get to know you better. However, be careful not to “sell,” but rather to educate, to show people how the products or services solve their problems both large and small. A case study about how data recovery helped a small business recover from a breach, or about how a customer got creative and figured out how to use your software in ways you never anticipated, does the “heavy lifting” in terms of showing – not just telling – about the relevance you have to the market.

4) You can highlight problems your community or target market is facing. What do you get the most calls about? What kinds of cases do you most frequently work on, involving what types of technology?

As with #3, here it’s important to educate. Without giving up clients’ or citizens’ identities, you can talk in general terms about an interesting question involving employees’ personal digital devices in the workplace, or trends you see among victims of a certain type of crime (for example, identity theft), or even little known, but important facts about investigations, security, and so forth.

5) An ounce of prevention… show people how to protect themselves, and they’ll call you just when they really need you. That saves time and money, along with your staff’s brainpower, for true challenges!

Back to #1 and trust building. It’s easy to get frustrated with victims. “Don’t they know better?” you might complain after your password-integrity training falls on deaf ears, or the media has been covering identity theft extensively, yet you still get calls from people with drained bank accounts or maxed-out credit cards.

People hear and process information differently, so use your cases (where feasible) to improve your training. Use a series of short blogs or video entries to focus in on specific aspects of password integrity, or target identity theft education to small groups in your community – teenagers, seniors, parents, and business owners.

Talk to them using language and concepts they understand, and they’ll not only remember the information, but you’ll be the one they call when their best efforts fail.

Content marketing is well worth the time and effort put into it. If you know your subject and can present it for average people to understand, you’ll build loyalty for the long term. Do create a schedule for regular content production, do know who in your organization is most capable of producing the highest quality content, and do integrate the content into your other marketing efforts.

By Christa Miller

Christa M. Miller is a public relations strategist specializing in digital forensics and law enforcement. A trade magazine journalist for nearly a decade, she now works with clients on content strategy and creation using a mix of traditional and digital media. She resides in South Carolina, USA with her family. Visit her website at