Well, I love it when other people write our sales and marketing materials for us.  This is one important component of value in our driveForensics service:

To begin with, there are some inadvertent pitfalls to avoid. The root of the problem is that most HR and IT personnel, while good at what they do, are not trained in computer forensics and the steps necessary to build a case through computer evidence. Oftentimes, building a case against a former employee rests on proving that he or she copied or deleted certain confidential company information. An overzealous company representative trying to find evidence of misconduct can actually do more harm than good, including inadvertently altering the evidence.

via Legal Technology – An Employee Leaves, Does Your Data Follow?.

“Are my employees Daylighting?”

“viaFORENSICS can help you answer this question and a much…much… more using powerful digital forensic tools that produce court defensible results…”
Contact us today to learn more…  sales@viaforensics.com

The Rough Economy Has Some Employees Are Daylighting To Make Ends Meet – KTVI.

]]> http://viaforensics.com/computer-forensic-ediscovery-glossary/the-rough-economy-has-some-employees-are-daylighting-to-make-ends-meet-ktvi.html/feed/ 0 http://viaforensics.com/computer-forensic-ediscovery-glossary/what-is-adp1.html http://viaforensics.com/computer-forensic-ediscovery-glossary/what-is-adp1.html#comments Thu, 19 Feb 2009 17:38:22 +0000 ahoog http://chicago-ediscovery.com/?p=536

The Android Developer Phone (ADP or ADP1) is a version of the G1/HTC Dream for developers and engineers.  Some differences from the retail version include a slightly different look and feel, root access, unlokced SIM and an special bootloader (to name a few).  Here is a nice write up (with pictures) on the ADP1.

The International Mobile Subscriber Identity (IMSI) is an 18-20 digit number uniquely identifying each SIM card.  The information can be used to identify, track or clone a subscriber and is sent as rarely as possible.  Instead,  a randomly generated Temporary Mobile Subscriber Identity (TMSI) is used whenever possible.

The first 3 digits of the IMSI represent the Mobile Country Code followed by 2-3 digits for the Mobile Network Code.  The remaining digits are the Mobile Station Identification Number (MSIN) assigned by the network provider.

Scientific Working Group on Digital Evidence (SWGDE) is a government and law enforcement only that “brings together organizations actively engaged in the field of digital and multimedia evidence to foster communication and cooperation as well as ensuring quality and consistency within the forensic community.”

In their Best Practices for Computer Forensics, they  have a section on “Forensic Analysis/Examination of Non-Traditional Computer Technologies” which I think is important as it addresses situations that ultimately do arise.

International Mobile Equipment Identifier (IMEI) is a code uniquely identifying the a GSM cell phone on the network generally displayed on a phone beneath the battery. They can have 15 (14 decimal digits plus a check digit) or 16 (IMEISV) digits and encoded in the number are the origin, model, and serial number of the device.  Devices generally report their IMEI number by typing *#06# on the phone.

tableau-parm is a utility which runs on Linux for interaction with Tableau’s forensic write blockers.  If you use Tableau’s products and don’t run on Windows, you can use this utility to query information from the write blocker (i.e. hard drive information, HPA, DCO, etc.) and even remove HPA/DCO.  The Windows version of the utility by Tableau is called Tableau Disk Monitor.  If you use their hardware, ensure the firmware is up to date with Tableau Firmware Update.

Sample Output

Below is sample out from the T35e connected to a WD SATA hard drive:

wintermute:/home/ahoog# tableau-parm /dev/sdd
## Bridge Information ##
chan_index: 0×00
chan_type: SATA
writes_permitted: FALSE
declare_write_blocked: TRUE
declare_write_errors: TRUE
bridge_serial: 000ECC020035C00F
bridge_vendor: Tableau
bridge_model: T35e
firmware_date: Nov  6 2008
firmware_time: 14:22:38

## Drive Information ##
drive_vendor:
drive_model: WDC WD2500JD-55HBB1
drive_serial:      WD-WCAL73972498
drive_revision: 08.02D08

## Drive HPA/DCO/Security Information ##
security_in_use: FALSE
security_support: TRUE
hpa_in_use: FALSE
hpa_support: TRUE
dco_in_use: FALSE
dco_support: TRUE
drive_capacity: 488397168
hpa_capacity: 488397168
dco_capacity: 488397168

Exifprobe is a utility to read EXIF information from digital image files.  I compiles and runs easily on Linux. From the website:

“Exifprobe reads image files produced by digital cameras (including several so-called “raw” file formats) and reports the structure of the files and the auxilliary data and metadata contained within them. In addition to TIFF, JPEG, and EXIF, the program understands several formats which may contain “raw” camera data, including MRW, CIFF/CRW, JP2/JPEG2000, RAF, and X3F, as well as most most TIFF-derived “raw” formats, including DNG, ORF, CR2, NEF, K25/KDC/DCR, and PEF.”

Sample output is available in our exif definition.

Exchangeable Image File Format (EXIF) is a standard for storing information (or metadata) with an digital image, generally one from a digital camera.  EXIF can contain valuable information about an image, in some cases it will even store the GPS coordinates of where the picture was taken.

Concerns over verifiability of EXIF data

While EXIF data can be extremely useful, a forensic analysts must not assume this data is accurate.  This information can be easily manipulated or modified.  For instance, the time on the camera can be easily changed.  Or the GPS device may be inaccurate.  Also, there are widely available programs which will allow you to view and update the EXIF information.  In the easly  iPhone 2.x releases, the GPS data (also known as a geotag, geocode or geolocation) was missing the degree of seconds, making it impossible to point point the exact location.

Sample output

For reference, the following is the EXIF information recovered from a .jpg that was carved from a file system:

FileType = JPEG
FileSize = 145653
JPEG.APP0           = @2:16
JPEG.APP0.Version       = 1.1
JPEG.APP0.Units         = ‘dots/inch’
JPEG.APP0.Xdensity      = 96
JPEG.APP0.Ydensity      = 96
JPEG.APP0.XThumbnail    = 0
JPEG.APP0.YThumbnail    = 0
JPEG.APP1           = @20:10454
JPEG.APP1.Ifd0.Make                        = ‘Canon’
JPEG.APP1.Ifd0.Model                       = ‘Canon PowerShot SD900′
JPEG.APP1.Ifd0.Orientation                 = 1 = ‘0,0 is top left’
JPEG.APP1.Ifd0.XResolution                 = 180
JPEG.APP1.Ifd0.YResolution                 = 180
JPEG.APP1.Ifd0.ResolutionUnit              = 2 = ‘pixels per inch’
JPEG.APP1.Ifd0.DateTime                    = ‘2008:05:31 09:42:15′
JPEG.APP1.Ifd0.YCbCrPositioning            = 1 = ‘centered’
JPEG.APP1.Ifd0.TAG_0×1001                  = 3648
JPEG.APP1.Ifd0.TAG_0×1002                  = 2736
JPEG.APP1.Ifd0.ExifIFDPointer              = @308
JPEG.APP1.Ifd0.CustomRendered              = 0 = ‘Normal’
JPEG.APP1.Ifd0.ExposureMode                = 0 = ‘Auto’
JPEG.APP1.Ifd0.WhiteBalance                = 0 = ‘Auto’
JPEG.APP1.Ifd0.DigitalZoomRatio            = 1
JPEG.APP1.Ifd0.SceneCaptureType            = 0 = ‘Standard’
JPEG.APP1.Ifd0.Exif.ExposureTime                = 0.00625 sec
JPEG.APP1.Ifd0.Exif.FNumber                     = 8 APEX = ‘f16.0′
JPEG.APP1.Ifd0.Exif.Version                     = ‘0220′
JPEG.APP1.Ifd0.Exif.DateTimeOriginal            = ‘2008:05:31 09:42:15′
JPEG.APP1.Ifd0.Exif.DateTimeDigitized           = ‘2008:05:31 09:42:15′
JPEG.APP1.Ifd0.Exif.ComponentsConfiguration     = 1,2,3,0 = ‘YCbCr’
JPEG.APP1.Ifd0.Exif.CompressedBitsPerPixel      = 5
JPEG.APP1.Ifd0.Exif.ShutterSpeedValue           = 7.3125 APEX = ‘0.00629098 sec’JPEG.APP1.Ifd0.Exif.ApertureValue               = 6 APEX = ‘f8.0′
JPEG.APP1.Ifd0.Exif.ExposureBiasValue           = 0 APEX
JPEG.APP1.Ifd0.Exif.MaxApertureValue            = 2.96875 APEX = ‘f2.8′
JPEG.APP1.Ifd0.Exif.MeteringMode                = 5 = ‘Pattern’
JPEG.APP1.Ifd0.Exif.Flash                       = 24 = ‘no flash – auto’
JPEG.APP1.Ifd0.Exif.FocalLength                 = 7.7 mm
JPEG.APP1.Ifd0.Exif.MakerNote                   = @718:2372    # UNDEFINED
JPEG.APP1.Ifd0.Exif.UserComment                 = @3090:264 = ” # CC=’undefined’    # UNDEFINED
JPEG.APP1.Ifd0.Exif.FlashPixVersion             = ‘0100′
JPEG.APP1.Ifd0.Exif.ColorSpace                  = 1 = ’sRGB’
JPEG.APP1.Ifd0.Exif.PixelXDimension             = 3648
JPEG.APP1.Ifd0.Exif.PixelYDimension             = 2736
JPEG.APP1.Ifd0.Exif.FocalPlaneXResolution       = 12710.8
JPEG.APP1.Ifd0.Exif.FocalPlaneYResolution       = 12725.6
JPEG.APP1.Ifd0.Exif.FocalPlaneResolutionUnit    = 2 = ‘pixels per inch’
JPEG.APP1.Ifd0.Exif.SensingMethod               = 2 = ‘One-chip color area sensor’
JPEG.APP1.Ifd0.Exif.FileSource                  = 3 = ‘DSC’
JPEG.APP1.Ifd0.Exif.MakerNote.Offset                    = @718
JPEG.APP1.Ifd0.Exif.MakerNote.Length                    = 2372
JPEG.APP1.Ifd0.Exif.MakerNote.Scheme                    = ‘Plain IFD’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings            = ‘45 entries’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.01_MacroMode               = 3026 = ‘undefined’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.02_SelfTimer               = 0 = ‘off’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.03_Quality                 = 0 = ‘unknown’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.04_FlashMode               = 0 = ‘flash did not fire’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.05_ContinuousMode          = 92 = ‘undefined’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.06_Unknown                 = 2
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.07_FocusMode               = 0 = ‘One Shot AF’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.08_Unknown                 = 5
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.09_Unknown                 = 5
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.10_ImageSize               = 0 = ‘Large’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.11_EasyShootMode           = 0 = ‘Full Auto’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.12_DigitalZoom             = 4 = ‘(2 * ZoomedResBase) / ZoomedResValue**’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.13_Contrast                = 65535 = ‘Low’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.14_Saturation              = 1 = ‘High’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.15_Sharpness               = 0 = ‘Normal’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.16_ISO                     = 0/0 = ‘Use Exif ISOSpeedRating’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.17_MeteringMode            = 0 = ‘Default’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.18_FocusType               = 0 = ‘Manual’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.19_AFPositionSelected      = 0 = ‘undefined’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.20_ExposureMode            = 0 = ‘Easy Shooting’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.21_Unknown                 = 15
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.22_LensType                = 3
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.23_FocalLength_long        = 1 units
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.24_FocalLength_short       = 16390 units
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.25_FocalUnits*             = 0 unit per mm
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.26_Unknown                 = 32767
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.27_Unknown                 = 65535
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.28_FlashActivity           = 0×5a3c = ‘undefined’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.29_FlashDetails            = 0×1e14 = ‘external E-TTL,Internal flash**,2nd-curtain sync used,FP sync enabled’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.30_Unknown                 = 1000
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.31_Unknown                 = 95
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.32_FocusMode               = 192 = ‘undefined’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.33_undefined               = 0xffff/65535
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.34_undefined               = 0/0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.35_undefined               = 0/0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.36_ZoomedResValue**        = 0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.37_ZoomedResBase**         = 0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.38_undefined               = 0/0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.39_undefined               = 0xffff/65535
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.40_undefined               = 0/0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.41_undefined               = 0xe40/3648
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.42_ColorTone**             = 0xe40/3648
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.43_undefined               = 0/0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.44_undefined               = 0/0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.45_undefined               = 0xffff/65535
JPEG.APP1.Ifd0.Exif.MakerNote.FocusInfo                 = ‘4 entries’
JPEG.APP1.Ifd0.Exif.MakerNote.FocusInfo.00_unknown                = 0
JPEG.APP1.Ifd0.Exif.MakerNote.FocusInfo.01_FocalLength            = 32767
JPEG.APP1.Ifd0.Exif.MakerNote.FocusInfo.02_FocalPlaneXSize        = 32767
JPEG.APP1.Ifd0.Exif.MakerNote.FocusInfo.03_FocalPlaneYSize        = 0
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0003                = 0,2,7700,294
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo                  = ‘33 entries’
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.01_Unknown                      = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.02_ISO                          = 0
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.03_Unknown                      = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.04_Unknown                      = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.05_Unknown                      = 0×4468
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.06_ExposureCompensation**       = 65523
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.07_WhiteBalance                 = 160 = ‘undefined’
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.08_Unknown                      = 0×125293
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.09_SequenceNumber               = 192
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.10_Unknown                      = 0xea234JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.11_Unknown                      = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.12_Unknown                      = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.13_Unknown                      = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.14_AFPositionUsed               = 0 = ‘MF’
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.15_FlashBias                    = 0 = ‘0 EV’
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.16_AutoExposureBracketing**     = 0
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.17_AEBracketValue**             = 0
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.18_Unknown                      = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.19_FocusDistanceMax**           = 0 mm
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.20_FocusDistanceMin**           = 0 mm
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.21_ApertureValue**              = 0
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.22_ExposureTime**               = 0
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.23_Undefined                    = 0×11
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.24_BulbDuration**               = 73
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.25_Undefined                    = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.26_Undefined                    = 0xb9185JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.27_AutoRotate**                 = 231
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.28_Undefined                    = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.29_SelfTimer2**                 = 0
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.30_Undefined                    = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.31_Undefined                    = 0xfa250JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.32_Undefined                    = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.33_Undefined                    = 00
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_000000                = 0,0,0,0,0,0
JPEG.APP1.Ifd0.Exif.MakerNote.ImageType                 = ”
JPEG.APP1.Ifd0.Exif.MakerNote.FirmwareVersion           = ‘EG’
JPEG.APP1.Ifd0.Exif.MakerNote.ImageNumber               = 1003599
JPEG.APP1.Ifd0.Exif.MakerNote.OwnerName                 = ‘on 1.00′
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X000D                = 0,0,24313856 … ,2031616 (148)
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0010                = 25755648
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_000000                = 0,9,0,770,11057 … ,0 (19)
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0026                = 0,0,0,0,0 … ,41 (48)JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0013                = 41,16,0,0
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0018                = 04,00,00,00,00,00,00,00,00,00 … ,00 (256)
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0019                = 1
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X001C                = 0
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X001D                = 0,0,0,0,0 … ,0 (16)
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X001E                = 16777984
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X001F                = 0,0,0,0,0 … ,0 (69)
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0022                = 0,0,0,0,0 … ,0 (208)JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0023                = 0,0
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0024                = 0,8,0,0,0 … ,0 (78)
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0025                = 00,00,00,00,00,00,00,00,00,00 … ,00 (14)
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0027                = 0,4
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0028                = 00,00,00,00,00,00,00,00,00,00 … ,df (16)
JPEG.APP1.Ifd1.Compression                 = 6 = ‘Exif/old JPEG’
JPEG.APP1.Ifd1.XResolution                 = 180
JPEG.APP1.Ifd1.YResolution                 = 180
JPEG.APP1.Ifd1.ResolutionUnit              = 2 = ‘pixels per inch’
JPEG.APP1.Ifd1.JPEGInterchangeFormat       = @3464
JPEG.APP1.Ifd1.JPEGInterchangeFormatLength = 7012
# Start of JPEG baseline DCT compressed primary image [985x739<=3648x2736] length 145653 at offset 0/0
#   End of JPEG primary image data at offset 0×238f4/145652
# Start of JPEG baseline DCT compressed reduced-resolution image [160x120] length 7012 (IFD 1) at offset 0xd88/3464
#   End of JPEG reduced-resolution image data at offset 0×28eb/10475
NumberOfImages = 2
FileFormat = JPEG/APP0/JFIF/APP1/TIFF/EXIF # with MakerNote (Canon [1])

Scalpel is an open source file carving utility like foremost but with an emphasis on speed and efficiency. When analyzing a 15GB dd image, scalpel took just under 2 minutes while foremost took nearly 15 minutes. Foremost carved more files however most were invalid (this is anecdotal and may not always be the case!). Here is the full description from the scalpel website:

“Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery. Scalpel resulted from a complete rewrite of foremost 0.69 a popular open source file carver, to enhance performance and decrease memory usage.”

See also

• Foremost
• Difference between foremost and scalpel