Digital Forensics Capability Analysis

The ICT KTN, on behalf of the Forensic Science Special Interest Group (FSSIG), is conducting a survey of the UK’s Digital Forensics Capability. This work is being managed by Angus Marshall, of n-gate ltd., to whom any initial queries should be directed. The project team also includes the CyberSecurity Centre at De Montfort University.

To download this survey please visit the following links:

Word format
PDF format

Background

Traditional Digital Forensics activities involve the recovery and investigation of material found in digital devices. Such data is at rest on static devices such as hard drives and in solid-state memory on camcorders, mobile phones, GPS navigation devices etc. The market for this activity was driven by Law Enforcement and other public sector organisations, hence it was necessary for all activities to be conducted in line with UK evidential criteria so that it was admissible in a court of law.

Our digital age has seen requirements evolve. With the ubiquitous use of email came a requirement for a new field of expertise – that known as “e-discovery”. E-discovery refers to discovery in civil litigation, which deals with the exchange of information in electronic format (electronically stored information or ESI). This data is subject to local rules and processes and is often reviewed for privilege and relevance before being turned over to opposing counsel, where the burden of proof rests on the balance of probability.

However, our digital evolution has not remained static. The growth of cyberspace, the trend towards mobile devices (BYOD) and cloud services has seen data take on a far more transitory nature, and the physical location of data at rest can be difficult, if not impossible, to determine. Data is versioned, distributed and stored across differing networks, devices, borders and boundaries.

The traditional digital forensics practice of imaging and extracting information from disparate physical devices no longer suffices for incident investigation in cyberspace. There is an increasing requirement from businesses in the private sector, and emerging capabilities are required to keep pace so that these requirements can be met.

The team will produce a report detailing the current stakeholders, existing capabilities and challenges. This will enable the identification of areas in which there are capability gaps. Attention will then be paid to how these gaps may be reduced and any specific challenges which will need to be overcome in order to do so. Further, a glossary of terms of key digital forensics concepts with simple definitions will be produced to assist with knowledge transfer both within and outside of the FoSci community.

Your involvement

You can assist with this first stage of the survey by completing the attached questionnaire and returning it to DFCA@n-gate.net no later than Monday, 4th March please. All responses will be treated in strictest confidence and your answers will be anonymised before they are included in the report(s).

Digital Forensics Capability Analysis – Questionnaire

If you are willing to assist with this phase of the project, please complete and return to DFCA@n-gate.net by Monday 4th March 2013

1) What do you understand by the term “Digital Forensics”? (one or two sentence answer)

2) In which context do you use digital forensics? (e.g. law enforcement, civil law, criminal law, private sector, internal investigation, information security)

3) What types of technology do you deal with in the context of digital forensics?

4a) What is the single greatest DF challenge you, personally, face in your everyday activities?

4b) How do you think this challenge could be addressed?

4c) What is the single greatest DF challenge that your organisation faces in its everyday activities?

4d) How do you think this challenge could be addressed?

5a) What challenges do you think you will face in the near (1-2 years) and medium-term (2-5 years) future?

5b) How do you think these challenges could be addressed?

6) When you are looking for a solution to digital forensics problems, who do you turn to for:

a) off-the-shelf solutions?

b) bespoke solutions/product customisation?

7) Who would you consider to be the key people or organisations relevant to your experience and usage of digital forensics ?

8) What other innovations, relating to technology, services or any other issues affecting digital forensics, do you think would be beneficial ?

9) May we contact you again for more information?

(If “Yes”, please also provide your name and a contact phone number or email)

Forensic Science Special Interest Group

For more information about the FSSIG, and to get involved in the community, please see https://connect.innovateuk.org/web/forensics


Cellebrite’s Panel of Leading Industry Experts Identify Mobile Forensics Trends for 2013

Petah Tikva, Israel, January 23, 2013 – As 2013 gets underway, Cellebrite, the leading provider of mobile forensic and mobile data transfer solutions, has announced a list of top trends in mobile forensics that will shape the year ahead.

To gather this list, Cellebrite interviewed a number of prominent experts from law enforcement, corporations and universities, as well as industry analysts, familiar with mobile forensics, information security and e-discovery and the most advanced mobile forensic products available today. They highlighted the following nine trends as the most critical for investigative and legal professionals to prepare for the upcoming year:

1. BYOD impacts the forensics industry. While “Bring Your Own Device” (BYOD) seemed to infiltrate the enterprise in 2012, the mobile forensics industry will confront the impact of this growing trend in the year ahead. BYOD adoption across the enterprise means that forensics professionals will encounter a greater number of compromised phones. According to John Carney, Chief Technology Officer, Carney Forensics, “For e-discovery experts, BYOD will mean contending with more devices that contain both personal and corporate evidence as well as an increase in legal challenges related to device access and privacy during corporate investigations.”

2. Critical data: there’s an app for that. According to a 2012 Nielsen report, the average smartphone user has approximately 41 apps installed on a single device. “Whether it’s mobile messaging, personal navigation, social media or improving productivity – apps are going to dominate smartphones and tablets in 2013,” said Carney. “The ability to extract critical data stored in apps will become the new measuring stick by which investigators gauge the superiority of mobile forensics tools.”

3. Smarter phones mean tougher encryption. “Expect to see more encryption of data on smartphones to protect personal privacy and corporate data, which will make forensic examination more challenging,” said Eoghan Casey, founding partner at CASEITE. Password technology, too, has advanced; pattern-screen locks have hindered forensic data extraction efforts. In 2013, look for mobile forensics tools to continue to find ways to bypass a greater number of passwords and device locks, as well as address advanced encryption technology.

4. Investigators can’t put all their eggs into one mobile operating system. Though Android took 75 per cent of the market in Q3 of 2012, for mobile forensics professionals, market share isn’t everything. As Paul Henry, security and forensics analyst, vNet Security, noted, “While Android is the predominant operating system, the bulk of the bandwidth is still taking place on Apple devices, making them critical to many investigations.” In addition, despite BlackBerry’s decline in recent years, Carney said: “Their popularity for over a decade will make them an important legacy device pertinent to investigations for years to come.”

5. Windows 8 is the wildcard. Notwithstanding all the attention garnered by Android and Apple, the real wildcard for 2013 will be the rise of Microsoft in the mobile device market. While questions remain regarding how prevalent Microsoft devices will become, Cellebrite’s panel of experts predicts that the need for mobile forensic tools providing support for Windows 8 will increase in the New Year.

6. Mobile devices advance as witnesses. Look for mobile devices and the data they contain to take centre stage in both civil and criminal investigations in the year ahead. “Civil litigators are discovering that mobile device evidence is just as important as digital documents and email evidence,” said Carney. According to Heather Mahalik, mobile forensics technical lead at Basis Technology, “Now, more than ever before, e-discovery experts need comprehensive training in order to ensure the proper extraction of all relevant data from mobile devices.”

7. The regulatory and legislative landscape remains uncertain. “Lawmakers and judges are looking at cell phones much more critically than they did computers,” said Gary Kessler, associate professor, Embry-Riddle Aeronautical University and a member of the ICAC North Florida Task Force. “However, because few understand the nature of the technology, they are erring greatly on the side of caution. This speaks to the need for greater education regarding the scope and possibilities of mobile forensics and what it means for privacy and pre-trial discovery.”

8. Mobile malware’s incidence will rise. In 2013, look for malware on smartphone platforms and tablets to increase exponentially, particularly on Android devices. According to Cindy Murphy, detective, computer crimes/computer forensics, Madison Wisconsin Police Department, “The intended uses of mobile malware will be very similar to non-mobile malware – steal money, steal information and invade privacy. For law enforcement and forensics professionals, mobile malware means dealing with potentially compromised devices that may help perpetrators cover their tracks, making it increasingly difficult for investigators to meet the threshold of reasonable doubt.”

9. Data breaches via mobile will rise. “Mobile forensics vendors should resolve to provide stronger capabilities for enterprise wide smartphone investigations to support the investigation of data breaches targeting smartphones and the needs of e-discovery,” said Casey. Malware together with large-scale targeted intrusions into smartphones (targeting sensitive data) will raise enterprises’ risks for data destruction, denial of service, data theft and espionage.

“From the increasing use of mobile evidence to challenges stemming from the rise in tougher encryption methods, there are a number of areas that will demand the attention of mobile forensics professionals in the year ahead,” said Ron Serber, Cellebrite co-CEO. “As the industry continues to evolve, it will be critical for the law enforcement community, as well as the enterprise, to invest in proper training and ensure that their budgets allow them to meet the growing demand for comprehensive device analysis and data extraction.”

Cellebrite’s UFED provides cutting-edge solutions for physical, logical and file system extraction of data and passwords from thousands of legacy and feature phones, smartphones, portable GPS devices, and tablets, with ground-breaking physical extraction capabilities for the world’s most popular platforms – BlackBerry®, iOS, Android, Nokia, Windows Mobile, Symbian, Palm and more. The extraction of vital evidentiary data includes call logs, phonebook, text messages (SMS), pictures, videos, audio files, ESN, IMEI, ICCID and IMSI information and more.

Cellebrite’s panel of experts included:
· Eoghan Casey, Founding Partner, CASEITE
· John Carney, Chief Technology Officer, Carney Forensics; Attorney at Law, Carney Law Office
· Paul Henry, Leading Security and Forensics Analyst, Principle at vNet Security; Vice President at Florida Association of Computer Crime Investigators; SANS Senior Instructor
· Gary Kessler, Associate Professor, Embry-Riddle Aeronautical University; ICAC Northern Florida Task Force
· Heather Mahalik, Mobile Forensics Technical Lead, Basis Technology; SANS Certified Instructor
· Cindy Murphy, Detective Computer Crimes/Computer Forensics, Madison Wisconsin Police Department
· Ron Serber, co-CEO, Cellebrite

http://www.cellebrite.com/collateral/WhitePaper_MF_2013_Trends.pdf


Call for Forensic Practitioners to Beta Test new Tool

CCL-Forensics, based in the UK, is offering Digital Forensics Practitioners the opportunity to take part in the final beta test, which is now underway. Any interested practitioners wishing to be involved should register at www.ccl-forensics.com/pip.

Researchers at CCL-Forensics have developed an innovative application for presenting the data held in XML format – a common data storage format, found on a wide range of digital devices and platforms including PCs, phones and SatNavs. The development in complex data interpretation is set to significantly speed up digital forensic investigations by enhancing the presentation of evidence from a range of commonly used devices.

Although XML is a text-based format, it is not user-friendly in its raw form, meaning digital investigators often have to manually manipulate large amounts of data to locate evidence relevant to their enquiry. XML files can contain, for example, internet history, web searches, SatNav recent locations, social networking history – and more.

CCL-Forensics has developed “PIP” to eradicate this problem. PIP is a software tool which parses data from XML files using the XPath query language and presents the investigator with results in a user-friendly, easy-to-interpret form. This saves a considerable amount of time and means costs to investigators are kept to a minimum.

In addition, PIP natively supports Apple™’s property list (“plist”) file format, in both its XML and binary forms.

“An XML file shown both in its raw form and when presented using PIP”

A regularly updated library of XPath queries is included within PIP, and CCL-Forensics is constantly researching opportunities for new additions to the library. For the advanced practitioner, PIP also allows bespoke queries to be written for new data types which may be uncovered during the course of an investigation.

The team behind PIP also recognised the need for investigators to process a number of similar files simultaneously, and therefore developed a batch processing capability.
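The workflow described above (a library of named XPath queries run over XML files, plist support in both XML and binary form, bespoke queries, and batch processing of several files) can be shown end to end with the Python standard library alone. The following is an added example written for this page, not CCL-Forensics’ PIP code; the sample “history” XML, the plist record and the query names are constructed for illustration and do not describe any real application’s file format.

```python
"""Added example, not PIP's own code: apply a library of named XPath queries
to XML files and normalise XML/binary plists, using only the standard library.
File layouts and field names below are constructed for illustration."""
import plistlib
import xml.etree.ElementTree as ET

# Constructed sample: a made-up application history file stored as XML.
SAMPLE_HISTORY_XML = b"""<?xml version="1.0"?>
<history>
  <entry type="search"><term>forensic tools</term><time>2013-01-10T09:14:00Z</time></entry>
  <entry type="visit"><url>http://example.invalid/page</url><time>2013-01-10T09:15:30Z</time></entry>
  <entry type="search"><term>xpath tutorial</term><time>2013-01-11T17:02:10Z</time></entry>
</history>
"""

# Constructed sample record, serialised once as a binary plist and once as an
# XML plist so both forms of the same data can be handled by the same code.
SAMPLE_RECORD = {"LastSearch": "forensic tools",
                 "Recent": [{"Name": "Home", "Lat": 52.2}]}
SAMPLE_BINARY_PLIST = plistlib.dumps(SAMPLE_RECORD, fmt=plistlib.FMT_BINARY)
SAMPLE_XML_PLIST = plistlib.dumps(SAMPLE_RECORD, fmt=plistlib.FMT_XML)

# The "query library": each named query is an XPath expression (the subset
# ElementTree supports) plus the child elements to report for every match.
# A practitioner adds a bespoke query by adding another entry to this dict.
QUERY_LIBRARY = {
    "web searches": (".//entry[@type='search']", ("term", "time")),
    "visited urls": (".//entry[@type='visit']", ("url", "time")),
}

def run_query_library(xml_bytes, library=QUERY_LIBRARY):
    """Return {query name: [{field: text, ...}, ...]} for one XML document."""
    root = ET.fromstring(xml_bytes)
    results = {}
    for name, (xpath, fields) in library.items():
        rows = []
        for node in root.findall(xpath):
            rows.append({f: (node.findtext(f) or "") for f in fields})
        results[name] = rows
    return results

def plist_to_dict(data):
    """Parse a plist whether it is XML or binary; plistlib sniffs the header."""
    return plistlib.loads(data)

def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into dotted keys for tabular presentation."""
    rows = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            rows.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            rows.update(flatten(value, f"{prefix}{index}."))
    else:
        rows[prefix.rstrip(".")] = obj
    return rows

def batch_process(files, library=QUERY_LIBRARY):
    """files: {filename: bytes}. Dispatch on content, not on file extension,
    so a binary plist with a misleading name is still handled correctly."""
    out = {}
    for name, data in files.items():
        if data.startswith(b"bplist00") or b"<plist" in data[:512]:
            out[name] = flatten(plist_to_dict(data))
        else:
            out[name] = run_query_library(data, library)
    return out

if __name__ == "__main__":
    report = batch_process({"history.xml": SAMPLE_HISTORY_XML,
                            "recent.plist": SAMPLE_BINARY_PLIST,
                            "recent_as_xml.plist": SAMPLE_XML_PLIST})
    for filename, content in report.items():
        print(f"== {filename}")
        if isinstance(content, dict) and all(isinstance(v, list) for v in content.values()):
            for query, rows in content.items():
                for row in rows:
                    print(f"  [{query}] " + ", ".join(f"{k}={v}" for k, v in row.items()))
        else:
            for key, value in content.items():
                print(f"  {key} = {value}")
```

The dispatch in `batch_process` keys on the file contents (the `bplist00` magic or a `<plist` element near the start) rather than the extension, which is the safer choice when processing files recovered from devices, and the same flattened output is produced for the binary and XML forms of the plist, so an examiner reviewing the report does not need to know which encoding the device used.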

PIP was created in response to demand from Law Enforcement Agencies to streamline the presentation from the increasingly complex range of digital devices – for little additional cost to the taxpayer.

Alex Caithness, the developer of PIP says “One of the biggest frustrations of any digital examiner is the fact that their tools extract data which they have to manually interpret to turn into a reportable format. PIP is designed to eradicate this problem for XML and plist files.

These files are used in many different devices and applications – the iPhone to name just one. Investigators are seeing a great deal more of these devices, and without a tool like PIP, they may be spending time manually processing them.

This is doubly unfortunate, because they have already carried out the first step – by extracting the data. They just now need to interpret it. PIP does this effortlessly.”

PIP is a constantly evolving tool and the developers would welcome suggestions for future functionality. For more information, please contact Marketing Manager Andy Holmes on +44 1789 2621200 or email aholmes@ccl-forensics.com.


The first annual (ISC)² Security Congress

(ISC)² Security Congress – Collocated with the ASIS International 57th Annual Seminar and Exhibits – September 19th – 22nd, Orlando, Florida

The first annual (ISC)² Security Congress offers invaluable education to all levels of information security professionals, not just (ISC)² members. This event will provide information security professionals with the tools to strengthen their security without restricting their business. (ISC)² and ASIS International have teamed up to bring you the largest security conference in the world, with five days of education and networking opportunities. Don’t miss out. Register today to make your selection from over 200 conference sessions, free education and special pricing on official CISSP and CSSLP Intensive education. For more information, please visit:
www.isc2.org/congress2011


A View from the Canadian Rockies or What Not to Present as Evidence of Online Paedophilia: R. v. Morelli, 2010 SCC 8, [2010] 1 S.C.R. 253

Don’t like what you see, tempted to jump to an ‘obvious’ conclusion? Then don’t. Mr Urbain Morelli, an enthusiast of adult and child pornography, was at home when the computer technician came calling. The technician noticed a webcam plugged into a VCR and pointed toward the man’s three-year-old daughter, who was playing with toys nearby in a play pen. There were several links to adult and child pornography sites in the taskbar’s ‘favorites’ list of Mr. Morelli’s computer. When the technician returned, the toys had been put away, the webcam was pointed in a different direction, the hard drive had been reformatted and the offending icons removed. The technician reported his concerns to a social worker, who told the Royal Canadian Mounted Police, and a search warrant was issued. Appealing in the Canadian Supreme Court, Mr. Morelli maintained his rights were violated when police searched his computer. Finding in his favor, the Supreme Court noted that the technician saw suspicious links but had not seen pornographic images of children on the computer. In addition, the information used to obtain the warrant failed to mention that the child was fully clothed, that there had been no signs of physical abuse evident to the technician, and that there was only one living area in the home. All in all, the court found that a selective presentation of facts portrayed a less objective and more villainous picture than would have been the case had all the material information been presented. The court heard it was plausible to suppose Mr. Morelli was using his VCR and webcam to videotape his daughter at play for posterity’s sake, not for purposes connected with child pornography. The suspiciously labeled links were insufficient to characterize a person as an habitual child pornography offender. Since the majority of pornographic material observed was adult, this suggested that the accused did not have a pronounced interest in child pornography.


What on Earth Next: Malta Gets a Prosecuted Pirate and the Right to a Lawyer

2010 saw momentous legal upheaval in Malta. A judgment by a Maltese Magistrates’ Court on 30 September 2010 for the first time there convicted a seller of computer hardware of distributing pirated Microsoft software. The guilty party received a large fine and two years’ probation. Computer hardware and other related apparatus seized by the Police during their investigations was confiscated. The Business Software Alliance (BSA), global representative of the software industry, welcomed the judgment as ‘a very important step in the fight against software copyright theft’ in Malta. The judgement is ‘proof that Malta is making great efforts to combat the escalating problem of piracy on the island’, according to Georg Herrnleben, BSA Director. In 2010, too, suspects in Malta were granted the marvellous novelty of a lawyer during police questioning. The right, long common to most in the civilised world, had for years languished in the Criminal Code articles 355AT, 355AU, 255AZ and sub-articles 2, 3 and 4 of article 355AX of article 74. What with all that and the emergence of a prosecuted pirate, the island’s reputation as a Mecca for digital forensics experts may be about to take wing.


Battling Cyber Threats

Today, virtually every area of life depends on a cyber infrastructure that is vulnerable to attack. According to a recent report by the Center for Strategic & International Studies, sensitive U.S. military and civilian networks have been “deeply penetrated, multiple times, by other nation-states,” and hackers employed by terrorist and criminal organizations are a constant and serious menace. In an August 2010 survey by Symantec, of 1580 private businesses in industries such as energy, banking, health care, and other areas of critical infrastructure, more than half reported politically motivated cyber attacks, averaging 10 attacks in the past 5 years.

Computer security experts say the United States faces a radical shortage of highly skilled cybersecurity professionals who can prevent and combat such attacks. One federal official has estimated that there are only 1000 cybersecurity experts in the United States who have the deep technical knowledge required to safeguard national security; tens of thousands are needed, he believes.

Read on at Science Careers (05/12/10)


New Windows zero-day flaw bypasses UAC

A new zero-day exploit in Microsoft Windows was disclosed today. The exploit allows an application to elevate privilege to “system,” and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed.

The exploit takes advantage of a bug in win32k.sys, which is part of the Windows kernel. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.

The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems. On its own, this bug does not allow remote code execution (RCE), but does enable non-administrator accounts to execute code as if they were an administrator.

Read on at Naked Security (01/12/10).


Scientists ‘hack’ quantum cryptography

Computer scientists from Norway have perfected a method of attacking quantum cryptography systems using lasers, allowing them to eavesdrop on communications while remaining completely undetected.

Quantum cryptography is most commonly used to securely transfer keys and was considered to be un-hackable, as any attempt to attack the system and measure quantum data will disturb it. The system then detects this, ensuring the communications remain secure.

The team of scientists from three academic institutions in Norway developed a technique that remotely controls the photon detector. In effect, the laser blinds the photon detector. Using a stronger laser pulse, data can then be transmitted without detection, because the detector’s response to such a pulse is not a quantum process and so produces none of the disturbance the system relies on to detect eavesdropping.

A report, published by the scientists, explains how, theoretically, anyone could implement the attack by using ‘off-the-shelf’ components.

Various quantum cryptography developers have been made aware of the vulnerability, and ID Quantique has collaborated with the researchers to develop an undisclosed countermeasure.


Lawyers losing cases while struggling with large quantities of Digital Evidence

In today’s modern age, digitally stored evidence is of the highest importance when it comes to legal processes. A survey published by Symantec Corp has shown that many legal companies spanning the EMEA (Europe, Middle East and Africa) region are losing cases because they cannot manage the immense amounts of evidence stored on digital media.

Over half of the responses to the survey showed that the problem was identifying and recovering the evidence and that this had caused delays and sanctions as well as the previously mentioned ‘lost’ cases.

Whilst highlighting that many cases are being lost, the report does show that the ability to identify, collect and process the digital evidence from within millions of different pieces of electronic information has had an encouraging effect on many cases.

Joel Tobias, MD of global forensic services firm CY4OR, (www.cy4or.co.uk) stated that –

“It comes as no surprise that lawyers are facing penalties and losing cases after falling down at the challenge of processing digital information. This is a serious problem for legal professionals as 98 per cent of those surveyed said that the digital evidence identified during e-disclosure was vital to the success of legal matters.”

Joel went on to say how “Digital information needs to be handled with care and all electronic data should be treated as evidence. We’ve seen examples of firms that have used internal IT personnel to gather data for e-disclosure, when they have no understanding of digital forensics. Both areas of expertise rely on the controlled investigation of electronic data and as such are inextricably linked. The legal profession needs to be aware of this synergy, to avoid fines and lost cases. Professionals who are involved in e-disclosure should have a sound understanding of digital forensics and vice versa, to ensure a just and consistent approach.”

It is clear that there is a need for organisations to ensure that they are “Forensically Ready” and have staff trained to gather data in a way that is forensically sound.

The survey was conducted in August 2010, throughout the EMEA region and involved an estimated 5000 lawyers.
