Saturday, December 25, 2010

Computer Forensic Source: Merry Christmas and A Happy New Year

Merry Christmas! Hopefully, you've enjoyed a great Christmas with family and friends. God bless the men & women in our military, law enforcement, emergency personnel, and others that are serving their country or community!
2010 has been a great year for the Computer Forensic Source blog and I thank you for following the blog and providing feedback, which motivates me to keep the forensic content fresh. The tweets, comments, CFS blog references and links are appreciated [Keep those coming] :)
I'm excited about 2011 and thank each of you for a great 2010 and your continued support into the new year. The most viewed CFS blog post this year was my SANS Computer Forensics and Incident Response blog article on Intro to Report Writing in Digital Forensics. There will be a part II that is in queue, and just needs to be edited, so stay tuned. If you have any feedback regarding the CFS blog, please send e-mail to info-at-computerforensicsource-dot-com.

Thursday, December 16, 2010

Computer Forensic Book Review: Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit

I recently finished reading Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit by (Ryan Kubasiak and Sean Morrissey) and was somewhat surprised to find there were no reviews on Amazon. I've submitted my Amazon review and I’m sharing it here with you on my blog.

The book introduces the reader to the Mac OS X operating system and common Apple hardware (i.e. iPods, iPhones, iMacs, etc.) out there today. The intended audience is digital forensic investigators, security professionals, and law enforcement. If you've read a Syngress digital forensics book such as Harlan Carvey’s Windows Forensic Analysis, Second Edition, you are familiar with how these books encourage a hands-on learning approach through exercises and the use of specific forensic tools. This book follows the same path and, like Carvey’s book, offers a DVD filled with exercises, images, and tools for the DIY forensicator.
The authors provide an excellent overview of the Macintosh operating system and include topics such as disk partitioning and Apple Disk images (DMG). For example, chapter 4 is dedicated to the HFS+ file system used by Macintosh computers and drills down to disk level file system forensics. While Brian Carrier's File System Forensic Analysis book touches on Apple partitions, the Mac OS X iPod, and iPhone Forensic Analysis DVD Toolkit book dives even more deeply into the file system structure and nomenclature.
This book demystifies topics such as FileVault (Apple's answer to file encryption) and  Time Machine. It includes content on decrypting FileVault and restoring files from a Time Machine backup. The authors draw on their extensive experience and research to provide best practices, tips, and tricks for preserving and forensically acquiring data from Mac file systems. The authors extensively cover email, Safari based internet artifacts, chat logs, photos, videos, documents, .plists, and other valuable forensic evidence that can be recovered from a Macintosh.
The authors provide an extensive tool set with the accompanying DVD that includes both proprietary and open source tools that can be used to acquire and analyze devices such as Apple computers, iPhone and iPods. The Appendix is full of How-To's that deal with such issues as Bootcamp and virtualization, setting up a Macintosh computer for forensic use, and capturing volatile data on a Mac when conducting digital forensic triage on-scene of an incident.
If you are a digital forensic practitioner and want to learn Macintosh forensics, I highly recommend this book. Now is the time to become familiar with Macintosh and iOS forensics. If you have not had to image or analyze a Macintosh yet, you will. This book makes a great addition to your computer forensic library and is a resource for conducting Macintosh forensic examinations. If the authors pursue a 2nd edition of the book, I'd like to see more information on iOS devices (Note: Late appears there is a book in the works iOS Forensic Analysis: for iPhone, iPad and iPod Touch), iDisk ("data from the cloud"), plists, low-level disk forensics, and maybe a chapter on tying it all together for the investigator/examiner when responding to an incident.
So if you are debating whether or not to add this book to your computer forensic reading library, Chapter 4: HFS Plus File System and Chapter 7: Acquiring Forensic Images are invaluable for an investigator/examiner; from Catalog Files in the HFS Plus File System, to imaging an iPod from your forensically configured Macintosh. This book will be an immediate reference tool for me when I’m performing Macintosh digital forensics.

Author's Note: As I stated initially in this blog post, I was disappointed to not see any reviews on Amazon for this book. If you read a book, whether you enjoyed the book or it was a painstaking process, share that information with others. Write a blog post (contact me and I'd be more than happy to share your book review with the forensic community via CFS blog) or publish a book review online. Remember, the community needs you 

Friday, December 3, 2010

Computer Forensics: Thoughts on sharing & forensic nuggets

This is just a quick late Friday afternoon entry to my blog. A common denominator and recurring theme, that seems to be the focal point of many presentations/meetings that I've had the opportunity to attend recently, is sharing and collaboration amongst practitioners in the digital forensics community.
As I discussed here, Harlan Carvey delivered an excellent keynote during the WACCI Conference on this very topic. I also see a solid trend in the law enforcement community to share more information with trusted partners outside of the law enforcement community.
Personally, I like the idea that Harlan brought up and that was discussed at the WACCI Conference this year. Whatever means is used to exchange and share information, it has to be a two-way street. If you are taking information from the well of knowledge, but not delivering anything to further the community or the knowledge-base than you should not to be allowed to continue to participate in the exchange of information within that group.
Sharing information and intel is good, but as we've seen with the WikiLeaks controversy recently, a physical security mentality has to be applied to information security. Do we know who has accessed across the entire organization? Are the credentials to access being controlled and monitored at all times? Do we know where is located at all times and its route of travel across the computer/network infrastructure?
Yesterday, I had the opportunity to sit down with some great practitioners from law enforcement, corporate IR, small business executives, consultants, and e-disco folks at the Indy Digital Forensics Association meeting. We had a great turnout yesterday and will be proceeding in forming an ASDFED chapter. One of the positive things I seen regarding ASDFED is its transparency and not just limited to one side of our adversarial system. I'm looking forward to it, as it will bring law enforcement, attorneys, examiners, incident responders, corporate investigators, small businesses, etc. together to contribute and share information.

* Updating log2timelime on SIFT workstation in this week's SANS Digital Forensics Case Leads
on the SANS Computer Forensics Blog. Speaking of the SANS Digital Forensics Blog and if you missed my last blog post, you should check out the new & improved SANS Computer Forensics Blog.

* Windows 7 Recycle Bin EnScript

* A Bit More On Timelines and Stuff- Harlan discusses noise & data reduction in timeline analysis. Of interest when dealing with truncated timelines, checkout Go-OO, which was mentioned on Ken Pryor's blog here.

Here are a few historical items that I've bookmarked through the years and came across this afternoon while doing some research:

*Bypassing a Windows login password in order to boot a virtual machine
*Windows Oddities
*ShellBags Registry Forensics

Thank you for those of you that follow and continue to read my blog (much appreciated). Traffic up over 54% for the last 30 days. Drop me a comment, email, or follow me on Twitter. My twitter feed is set to private so if you send me a follow request and I don't approve, drop me an e-mail info-at-computerforensicsource-dot-com.

Monday, November 22, 2010

Computer Forensics: Caffeine-Induced Monday Ramblings

I just wanted to take a few minutes to share a few items I think are newsworthy. First, the new & improved SANS Computer Forensics Blog has been updated. Check it out at (Hats off to Rob Lee and the web development team at SANS). The SANS Forensics blog has a new look with this enhancement as well. The SANS Forensics blog has had an awesome amount of traffic today, so if you have trouble loading the site or the blog, please keep that in mind.

Some of you will remember the recent SANS blog reader's survey. A lot of the comments and feedback that that were sent in by the forensics community during this survey were shared with the blog team and with SANS Institute. A lot of these suggestions were used and integrated into the new SANS Computer Forensics webpage and blog, so thank you readers! Look for some good things on the SANS blog in the near future based on feedback from the reader's survey.

Open Source Digital Forensics- Brian Carrier's new and improved OSDF site is now live. Brian discussed this at the WACCI conference. This brings to mind, there is always discussion about "court approved" forensic tools. I encourage you to read Brian Carrier's white paper here (PDF) on open source forensic tools.

Certification, Licensing, and Accreditation in Digital Forensics- Eric Huber shares some good information on getting certified, saying no to digital forensic licensing, and accreditation. Make sure you read the comments! Good information  Eric!

* Harlan Carvey shares some registry information here that was posted by a member of the Win4n6 Yahoo Group! If you do not follow and share with this group, you should.

* NIJ (National Institute of Justice) releases their computer forensic tool testing reports. A great page for reference, especially when you may to defend/validate your tool on the witness stand. great resource by Matt Churchill and Joe Garcia. Have an artifact you'd like to share? Submit it through

* Andrew Hoog with ViaForensics posted his iPhone Forensics White Paper here.

* Ken Pryor, fellow SANS blog author, has started his own blog here.

* Checkout Ira Victor's (fellow SANS blog author) The CyberJungle- The News and Talk on Security, Privacy, and The Law

* This week's Digital Forensic Case Leads was posted this morning here, delivered by Ray Davidson.

* In the podcasts, it is great to see Ovie back behind the mic delivering CyberSpeak. Please send Ovie e-mail and tell him how much CyberSpeak rocks!

December should be awesome on the forensic podcast front! From the rumor mill, an "Inside the CyberCrime 4cast Speak" podcast is in the works, which will bring 4 podcasts together for one big show!! It'll be interesting to see how this one develops. Stay tuned...

Thursday, October 28, 2010

SANS Forensics Blog Reader's Survey Results

Thank you to all of our readers that took the time to complete our blog reader's survey. Your participation was very much appreciated and we will use this information to better serve our our readers and the forensic community. Our blog has been successful because of you and it is important that we share the results with you. Not every question was answered by everyone that took the survey, so we had a tangible 111 responses (thank you).

Here are the results:

Wednesday, October 20, 2010

WACCI Digital Forensic Goodness: (We're Not Worthy! Edition)

From the WACCI 2010 conference, this YouTube video sums up my WACCI experience! I was fortunate enough to attend this conference this past week, just as MIRCon was going on. Fellow SANS blog author Gregory Pendergast attended MIRCon and delivered some awesome, fresh content on that conference on the SANS Digital Forensics blog. Also fellow SANS blog author Ken Pryor is delivering some "WACCI Fu" on the SANS Digital Forensics blog with some good details and recap of the conference. You can also follow some of the "public" tweets.
This blog entry is not going to be a conclusive summary, but rather sharing my perspective and a few experiences from last week.
First off, I had the opportunity to mingle and converse with Ovie Carroll, Mark McKinnon, Harlan CarveyRob Lee, Gary Kessler, Ken Pryor, and many other LEOs and forensic professionals in the community. It was good to finally put faces with a name and make new friends. A big thank you to Cindy Murphy (lethal forensicator), President of WACCI-West and others for putting on a great conference. As Cindy stated to me, "It ROCKED" and I could not agree more! If you attended this conference and did not come away excited, you are in the wrong profession! It was a refreshing week and the atmosphere @ WACCI was one of camaraderie (LE & private sector) and of learning and networking.
Ovie delivered a great keynote discussing "online recons", search signatures, data correlation, etc. What I took most from Ovie's keynote was the importance of a "phased approach and employing triage" versus traditional "deadbox" forensics. The size of hard drives and the data that hard drives can store is growing exponentially and forensic practitioners must begin employing data triage with cases. 
Directly following Ovie's keynote, Harlan Carvey delivered his keynote covering collaboration between the private sector and law enforcement. First, Harlan is a great public speaker and delivered a great keynote. Harlan went commando (no powerpoint) and lead a great discussion-style approach. Some of the issues brought up were in relationship to a vetting/screening process to establish credibility to the data and to the user/author. Checkout Harlan's blog for his WACCI experience and more information on collaboration among the digital forensics community.
Tuesday evening, I attended the WACCI Awards Banquet & Dinner and it was good to see some great LE forensic examiners and teams recognized.

Breakout I: Perl & Regular Expressions in Forensic Exams delivered by Fergus Toolan of the UCD School of Computer Science and Informatics. Fergus delivered a great breakout session and walked the group through writing a Perl script to use in our forensic examinations (Thank you Fergus).

Breakout II: Live RAM Analysis by Rick McQuown: Rick brought a lot of energy and shared some of his findings in the area of Live RAM Analysis. Checkout Rick's website (Enscript included).

Breakout III: Intellectual Property Theft Investigations- Stealing The Show- MPAA: A lof of great information on what the MPAA is doing to combat movie piracy. This was definitely a good takeaway.

Keynote Speaker: Gary Kessler- Gary is a very good public speaker and educator. If you want to know file systems, Gary is your reference! In 2009, I was fortunate to be one of Gary's students through Champlain College's CCE bootcamp course. Gary's talk featured an array of information where he discussed the evolution of computers, information/data security, and the state of cyber warfare. It was a very informative and well received morning keynote.

Breakout IV: DFCP and DFCA Certifications and Why the Digital Forensic Certification Board Exists by Sam Guttman- From the sessions that I attended during WACCI, this one generated a lot of discussion. I really enjoyed Sam's presentation, which was geared towards obtaining feedback from practitioners in the community as to the DFCB process. There was support for what DFCB was trying to accomplish by leveling the playing field amongst examiners/analysts, but is DFCB the answer? One examiner felt IACIS will eventually be the standard with the CFCE certification opening up to those outside of the law enforcement community in the near future. Some were concerned about the DFCB creating a brand name and marketing itself to those in the forensics community. It will be interesting to follow the direction that DFCB proceeds in the near future. Deciding on what certification will be the standard for digital forensics is our responsibility. Now is the time to be involved and be an advocate for our profession!

Breakout V: Into The Shadows: Taking a Walk Through the Windows Volume Shadow Copy with Mark McKinnon (Shadow Warrior)- Shadow Warrior Mark McKinnon shed some interesting light on the VSC service and difference files. Wait for it...yes, there is a tool that Mark McKinnon and fellow Shadow Warrior Lee Whitfield will be releasing called, Shadow Analyzer or Shadow Analyser (depending on what side of the Atlantic you reside). Mark demonstrated Shadow Analyzer's (beta version) capabilities and what features are under development. Mark also demo'd Drive Prophet. In my opinion, Drive Prophet is a must in your digital forensic toolkit. Drive Prophet is a information collection tool that reports on critical areas of a machine, assisting the investigator/examiner on how to proceed with the digital evidence. Do you need to complete a full forensic examination? Are you on-scene and need to focus your investigation/exam on something else? Drive Prophet was designed to be a road-map for the investigator/examiner, outlining critical information important to your digital forensic examination.

Breakout VI: Incident Response: Stories from the Field- Mark Lachniet (GCFA Gold)- Mark captured everyone with his high-level of energy and delivered some great pointers/how to's to those in the front-lines of Incident Response. While I do not have an incident response background, Mark's talk was very interesting, informative, and made me thirsty for more knowledge in corporate incident response. Looking at it from the law enforcement perspective, I realized that corporate incident responders are the soliders on the front-lines defending their respective networks daily from internal and external attacks! This is an area that law enforcement really needs to grow in and educate responders/examiners/analysts. My advice to LE is to find out who your IR folks are within your respective communities and get to know these folks! If they've reached out to you....listen. If not, reach out to them! You will learn from them, which ties directly into sharing information, just as Harlan outlined in his keynote on Tuesday morning.


Keynote Speaker: Brian Carrier

Just as WACCI kicked off with back to back keynotes by Ovie Carroll and Harlan Carvey, the final day was no different. Back to back keynotes by Brian Carrier and Rob Lee. I had the pleasure of meeting Brian Carrier just prior to his keynote and was totally pumped! Brian Carrier? What can I say... the guy lives in "Brian's bubble" and is genius! Brian's talk focused on Open Source Digital Forensics.
Some noteworthy items:
-The Sleuth Kit 3.2 should be out very soon. Some long terms goal of TSK are application-level open framework, registry analysis, internet history viewers, text extraction, etc.
-Autopsy 3.0 is in development with the first release by the end of the year.
-AFF4 coming soon and will be able to store multiple disk images in a single file!

Rob Lee's keynote was no different! If you have sat through one of Rob's SANS Forensics courses either in the classroom or via On-Demand, you know how much Rob has a passion for teaching and advocating for digital forensics! Rob is a great friend and it is always good to hear him speak. This time was no different! Rob's talk focused on Super Timeline Analysis! The key piece of information that I took away from Rob's talk was that we (the digital forensic community) have to move past what the forensic tool outputs (i.e. timestamp anomalies)! $STANDARD_INFORMATION vs $FILE_NAME

The afternoon breakouts were just prior to Closing Remarks for the conference. The two that I attended (see below) were both good talks.

Breakout VII: HDD Operation and Physical Recovery by Scott Holewinski of Gillware, Inc.
Scott discussed provided tips for handling failing hard drives and some insight to the future of hard drives, including pros v cons of solid-state hard drives.
Breakout VIII: An IP Address Leads to a Haystack: What to look for in a corporate environment by Jeremy Charles.
Applying what I took away from Mark Lachniet's breakout from Thursday with Jeremy Charles' talk, I now have a better understanding and respect for the daily challenges of the corporate incident responder/investigator.

Overall, WACCI was a fast-paced, full week of learning, networking, and sharing! I was able to make new friends and catch-up with old (or put a face with a name). I commend Lethal Forensicator Cindy Murphy and everyone @ WACCI that worked tirelessly to generate a top-notch conference! The "WACCI Buzz" seems to have spread. We seen a return of CyberSpeak (Ovie had the option of either delivering a podcast or retiring with Luby N. to drink martinis and give tango lessons). I guess that means CyberSpeak will be around! There also been an influx in people contributing (see the blogs, forensic mailing lists, etc.). David Kovar's AnalyzeMFT also has been getting updated (thank you David). I had the opportunity to catch up with two good friends, David Kovar and Ken Pryor, on Friday evening for dinner, while returning from the WACCI conference. It was good to see David again and discuss a lot of exciting things that are happening in the digital forensic oasis!

Friday, September 24, 2010

SANS Digital Forensics Blog Reader's Survey

The contributors to the SANS Digital Forensics Blog want to say “thank you,” and to get some feedback from you on the future direction of the blog. Please take a few minutes to complete our reader survey.
The blog has seen a 606% increase in traffic over the last year (Thank You!!), logging over 255,000 unique visits, and 67% of those being new visitors! Those are some great numbers that we are very proud of and we continue to strive to be a leading contributor to the digital forensics community.

Continue Reading

Thursday, August 26, 2010

Intro to Report Writing for Digital Forensics

So you’ve just completed your forensic examination and found that forensic gem or smoking gun in your case, so how do you proceed? Depending on where you fall as a forensicator (e.g., law enforcement, intelligence, criminal defense work, incident response, e-discovery) you will have to report your findings. Foremost, find out what type of work product you are going to be required to produce to the client, attorney, etc. This will be your guide for completing your report...

Continue Reading

Thursday, August 12, 2010

> 140 characters & 4cast plug

I've neglected my duties to the blog readers recently. I've been very busy with training, research items, and a digital forensic project, so I haven't had much time recently to update the blog. I'm currently working on a SANS blog post and that should be complete very soon and will be posted here as well.
This Sunday, August 15, 2010 @3pm Eastern, please show your support to the Forensic 4cast, which will be LIVE! Yes, LIVE! Lee Whitfield of Forensic 4cast is working really hard to make this a great event, so what can you do?  Visit  this Sunday, August 15, 2010 @ 3:00pm Eastern. Lee has a forensic guru lined up and I'm sure other great stuff setup for the LIVE show! You can watch the podcast live here! Follow @4cast on Twitter for the latest show information.

Tuesday, August 3, 2010

Internet Evidence Finder Part II: Intro to IEF v3.3

I had an opportunity earlier this year to interview Jad Saliba of discussing his Internet Evidence Finder tool. You can view that interview here. Hopefully, SANS Computer Forensic Blog readers enjoyed the 15% discount that Jad offered exclusively to SANS CF blog readers and have taken the time to implement this tool into your forensic toolkit. This post is part of a series and will introduce functionality of IEF v3.3. You can download the most recent version (v3.5.1 at time of this article) from Just a brief recap of what IEF will search for on a mounted drive/folder. Facebook chat, Yahoo! chat (IEF must have chat username to decode), Windows Live Messenger chat, Google Talk chat, AIM logs, hotmail webmail fragments, yahoo! webmail fragments, etc. For a full listing of supported artifacts and limitations visit

Continue Reading

Author's Note: Part III in this series we will take a closer look at the artifacts that IEF is reporting and what we can do to validate our findings.

Sunday, July 11, 2010

Forensic 4cast Awards: "The Digital Forensic Oscars"

The Forensic 4cast Awards were presented this past week on Thursday, July 8, 2010 at the SANS Forensics and Incident Response Summit by Lee Whitfield. A job well done by Lee Whitfield for putting together the 2nd annual Forensic 4cast awards. Lee presented these awards in fashion in front of a live audience. Checkout SANS webcast archive to view the award ceremony. Congratulations to all the winners! It is an honor to be part of such a great community and a member of the SANS Computer Forensics Blog team and the winner of the 2010 Forensic 4cast Awards in the "Best Digital Forensics Blog" category.

Outstanding Contribution to Digital Forensics – Individual
Rob Lee (Congratulations Rob!)
Outstanding Contribution to Digital Forensics – Company
Best Digital Forensics Blog
Best Digital Forensics Book
Windows Forensic Analysis 2E
Best Digital Forensic Podcast
Inside the Core (Awesome Dave! Congratulations!)
Best Computer Forensic Hardware
Tableau T8
Best Computer Forensic Software
FTK Imager
Best Phone Forensic Hardware
Cellebrite UFED
Best Phone Forensic Software
Digital Forensic Investigator of the Year
Nick Furneaux
Lifetime Achievement
Craig Wilson

Monday, June 28, 2010

SANS DF/IR Summit, Forensic 4cast Awards, Forensic Focus Survey & more

Several items that caught my attention in the computer forensic 'blog-o-sphere' recently:

Monday, June 21, 2010

Computer Forensic Examiners: PI Licensing Requirement Revisited

My recent blog entry on SANS Computer Forensics blog.

Forensic 4cast Awards 2010

The 2010 Forensic 4cast Awards (the future Digital Forensic Awards) will be part of the 2010 DC SANS Forensic Summit this year. Cast your vote now! Voting ends July 6, 2010!

If you've missed it, here are the nominations:

  •  Guidance Software
  •  SANS
  •  F-Response (Agile Risk Management)

  •  Windows Incident Response
  •  SANS
  •  Happy as a Monkey

  •  H




Saturday, June 19, 2010

Computer Forensic Source: Refreshed, refocused, and remixed!!

Refocusing! I've changed the layout and design of the blog to better reflect a new direction. I plan to use the blog as a platform to share my thoughts on present news and research in the community, tool reviews, examiner tips, and the lighter side of computer forensics. Speaking of the lighter side of computer forensics, you should checkout Happy As A Monkey's blog and a shout-out to Eric Huber's Fistful of Dongles. Eric is always delivering something fresh and insightful! Stay tuned...

Thursday, May 20, 2010

The 2010 Digital Forensics and Incident Response Summit

SANS Institute has posted the 2010 Washington DC DF & IR Summit dates.

Summit Dates: July 8 - 9, 2010
Post Summit Course Dates: July 10 - 15, 2010
Summit Venue:
Fairmont Washington DC
2401 M Street, NW
Washington, DC 20037
Phone: (202) 429-2400
Fax: (202) 457-5010
Website: Fairmont Hotel Web Site

Monday, February 8, 2010

Internet Evidence Finder (IEF): interview with Jad Saliba of

Editor’s note: Brad Garnett recently had an opportunity to interview Jad Saliba, of JADSoftware about how he got started in computer forensics and about some of his company’s products. Please note that JADSoftware has offered a discount to readers, see the details below.

Q: You have developed several software tools that can assist computer forensic professionals during the analysis phase of a forensic exam. Tools like Internet Evidence Finder (IEF), FChat (FCT), Encrypted Disk Detector (EDD), and Facebook® JPG Finder (FJF) are all great for the forensic examiner’s toolkit. We are going to focus on IEF. Explain how IEF is used during media analysis and its capabilities/limitations.

Thursday, January 7, 2010

GIAC Adds GCFA to The List of ANSI/ISO/IEC 17024 Accredited Credentials

BETHESDA, Md., Jan. 7 /PRNewswire/ -- The Global Information Assurance Certification (GIAC) program, a SANS Institute affiliate, announced today that the GIAC Certified Forensics Analyst (GCFA), GIAC Certified Intrusion Analyst (GCIA) and GIAC Certified Incident Handler (GCIH) have been accredited under the ANSI/ISO/IEC 17024 Personnel Certification program. GIAC is leading the way in the information security industry with five ANSI accredited credentials