Saturday, December 25, 2010

Computer Forensic Source: Merry Christmas and A Happy New Year

Merry Christmas! Hopefully, you've enjoyed a great Christmas with family and friends. God bless the men & women in our military, law enforcement, emergency personnel, and others that are serving their country or community!
2010 has been a great year for the Computer Forensic Source blog and I thank you for following the blog and providing feedback, which motivates me to keep the forensic content fresh. The tweets, comments, CFS blog references and links are appreciated [Keep those coming] :)
I'm excited about 2011 and thank each of you for a great 2010 and your continued support into the new year. The most viewed CFS blog post this year was my SANS Computer Forensics and Incident Response blog article on Intro to Report Writing in Digital Forensics. There will be a part II that is in queue, and just needs to be edited, so stay tuned. If you have any feedback regarding the CFS blog, please send e-mail to info-at-computerforensicsource-dot-com.

Thursday, December 16, 2010

Computer Forensic Book Review: Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit

I recently finished reading Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit by Ryan Kubasiak and Sean Morrissey and was somewhat surprised to find there were no reviews on Amazon. I've submitted my Amazon review and I'm sharing it here with you on my blog.

The book introduces the reader to the Mac OS X operating system and common Apple hardware (e.g. iPods, iPhones, iMacs, etc.) out there today. The intended audience is digital forensic investigators, security professionals, and law enforcement. If you've read a Syngress digital forensics book such as Harlan Carvey's Windows Forensic Analysis, Second Edition, you are familiar with how these books encourage a hands-on learning approach through exercises and the use of specific forensic tools. This book follows the same path and, like Carvey's book, offers a DVD filled with exercises, images, and tools for the DIY forensicator.
The authors provide an excellent overview of the Macintosh operating system and include topics such as disk partitioning and Apple Disk Images (DMG). For example, chapter 4 is dedicated to the HFS+ file system used by Macintosh computers and drills down to disk-level file system forensics. While Brian Carrier's File System Forensic Analysis book touches on Apple partitions, the Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit book dives even more deeply into the file system structure and nomenclature.
This book demystifies topics such as FileVault (Apple's answer to file encryption) and Time Machine. It includes content on decrypting FileVault and restoring files from a Time Machine backup. The authors draw on their extensive experience and research to provide best practices, tips, and tricks for preserving and forensically acquiring data from Mac file systems. The authors extensively cover email, Safari-based internet artifacts, chat logs, photos, videos, documents, .plists, and other valuable forensic evidence that can be recovered from a Macintosh.
The authors provide an extensive tool set on the accompanying DVD that includes both proprietary and open source tools that can be used to acquire and analyze devices such as Apple computers, iPhones, and iPods. The Appendix is full of how-tos that deal with such issues as Boot Camp and virtualization, setting up a Macintosh computer for forensic use, and capturing volatile data on a Mac when conducting digital forensic triage on the scene of an incident.
If you are a digital forensic practitioner and want to learn Macintosh forensics, I highly recommend this book. Now is the time to become familiar with Macintosh and iOS forensics. If you have not had to image or analyze a Macintosh yet, you will. This book makes a great addition to your computer forensic library and is a resource for conducting Macintosh forensic examinations. If the authors pursue a second edition of the book, I'd like to see more information on iOS devices (Note: Late breaking: it appears there is a book in the works, iOS Forensic Analysis: for iPhone, iPad and iPod Touch), iDisk ("data from the cloud"), plists, low-level disk forensics, and maybe a chapter on tying it all together for the investigator/examiner when responding to an incident.
So if you are debating whether or not to add this book to your computer forensic reading library, consider that Chapter 4: HFS Plus File System and Chapter 7: Acquiring Forensic Images are invaluable for an investigator/examiner, covering everything from Catalog Files in the HFS Plus file system to imaging an iPod from your forensically configured Macintosh. This book will be an immediate reference tool for me when I'm performing Macintosh digital forensics.

Author's Note: As I stated initially in this blog post, I was disappointed to not see any reviews on Amazon for this book. If you read a book, whether you enjoyed the book or it was a painstaking process, share that information with others. Write a blog post (contact me and I'd be more than happy to share your book review with the forensic community via the CFS blog) or publish a book review online. Remember, the community needs you.

Friday, December 3, 2010

Computer Forensics: Thoughts on sharing & forensic nuggets

This is just a quick late Friday afternoon entry to my blog. A common denominator and recurring theme that seems to be the focal point of many presentations/meetings I've had the opportunity to attend recently is sharing and collaboration amongst practitioners in the digital forensics community.
As I discussed here, Harlan Carvey delivered an excellent keynote during the WACCI Conference on this very topic. I also see a solid trend in the law enforcement community to share more information with trusted partners outside of the law enforcement community.
Personally, I like the idea that Harlan brought up and that was discussed at the WACCI Conference this year. Whatever means are used to exchange and share information, it has to be a two-way street. If you are taking information from the well of knowledge but not delivering anything to further the community or the knowledge base, then you should not be allowed to continue to participate in the exchange of information within that group.
Sharing information and intel is good, but as we've seen with the WikiLeaks controversy recently, a physical-security mentality has to be applied to information security. Do we know who has accessed file.xyz across the entire organization? Are the credentials to access file.xyz being controlled and monitored at all times? Do we know where file.xyz is located at all times and its route of travel across the computer/network infrastructure?
Yesterday, I had the opportunity to sit down with some great practitioners from law enforcement, corporate IR, small business executives, consultants, and e-discovery folks at the Indy Digital Forensics Association meeting. We had a great turnout yesterday and will be proceeding in forming an ASDFED chapter. One of the positive things I have seen regarding ASDFED is its transparency; it is not limited to one side of our adversarial system. I'm looking forward to it, as it will bring law enforcement, attorneys, examiners, incident responders, corporate investigators, small businesses, etc. together to contribute and share information.

* Updating log2timeline on the SIFT workstation in this week's SANS Digital Forensics Case Leads on the SANS Computer Forensics Blog. Speaking of the SANS Digital Forensics Blog, if you missed my last blog post, you should check out the new & improved SANS Computer Forensics Blog.

* Windows 7 Recycle Bin EnScript

* A Bit More On Timelines and Stuff - Harlan discusses noise & data reduction in timeline analysis. Of interest when dealing with truncated timelines, check out Go-OO, which was mentioned on Ken Pryor's blog here.

Here are a few historical items that I've bookmarked through the years and came across this afternoon while doing some research:

* Bypassing a Windows login password in order to boot a virtual machine
* Windows Oddities
* ShellBags Registry Forensics

Thank you to those of you who follow and continue to read my blog (much appreciated). Traffic is up over 54% for the last 30 days. Drop me a comment or email, or follow me on Twitter. My Twitter feed is set to private, so if you send me a follow request and I don't approve, drop me an e-mail at info-at-computerforensicsource-dot-com.