Computer Forensics

9 Nov

Initial thoughts on Microsoft’s LE-only (law enforcement only) forensics tool, COFEE, are not very becoming. It was leaked to the Internet via a torrent file; details are in the following article:

Of course, the tool is now widely available from other sources and while some are saying that the tool is useless to regular Internet users, there are others who disagree. It certainly won’t take long for a detailed analysis to appear.

via COFEE Forensic Tool Leaks To What.cd, Admins Ban It | TorrentFreak.

Category : Computer Forensics | Security | Blog
9 Nov

This is a very important lesson to heed. I don’t believe it happens in most cases, but as a society we cannot lock up innocent people. Approaching computer forensics as a scientific discipline and remaining impartial and unbiased is a moral and professional obligation of every computer forensic examiner:

Of all the sinister things that Internet viruses do, this might be the worst: They can make you an unsuspecting collector of child pornography.

Heinous pictures and videos can be deposited on computers by viruses — the malicious programs better known for swiping your credit card numbers. In this twist, it’s your reputation that’s stolen.

Pedophiles can exploit virus-infected PCs to remotely store and view their stash without fear they’ll get caught. Pranksters or someone trying to frame you can tap viruses to make it appear that you surf illegal Web sites.

via AP IMPACT: Framed for child porn — by a PC virus by AP: Yahoo! Tech.

Category : Computer Forensics | Blog
6 Oct

The warnings to banks and other corporations about the threat posed by insiders have been heralded for years. A recent study found that:

70 percent of financial institutions saying they have experienced a case of data theft by one of their employees in the past 12 months

This is obviously a huge deal. The article points out that the thefts are most often committed by full-time employees, who often had every intention of repaying the stolen assets.

The study also found that

nearly half of the banks in the Actimize survey say they are losing 1 to 4 percent of their total revenues to insider fraud

and the biggest challenges to meeting the threat are:

  1. cost/expense (67 percent),
  2. data availability/access (55.77 percent),
  3. availability of tools (46 percent),
  4. general resources/priorities (46 percent).

The good news for banks and corporations is that we provide a very cost-effective, innovative service which directly addresses this threat. Find out more by contacting us; it will make a difference at your bank or company.

via Bankers Gone Bad: Financial Crisis Making The Threat Worse – DarkReading.

Category : Computer Forensics | Security Breaches | Blog
18 Sep

We come across many individual computers infected with keyloggers, spyware and the like. It is often a game changer in a divorce case and certainly has broader implications, as noted below. If you are a corporate IT manager, anti-virus/spyware protection software is not enough. A unified strategy is needed to protect your company’s confidential data.

He allegedly sent the spyware to the woman’s Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital’s pediatric cardiac surgery department, creating a regulatory nightmare for the hospital.

via Misdirected spyware infects Ohio hospital – hospital, keylogger, medical records, privacy – CIO.

Category : Computer Forensics | Security Breaches | Blog
17 Sep

I have been warning executives for years now that it is a simple matter for a foreign government to “examine” your laptop when you enter or leave their country, when in fact they quickly image the drive and hand your intellectual property to your competitors in their country. It’s quite easy to do, and very few people use hard drive encryption.

But to really protect yourself, consider using a technology like TrueCrypt, which has a “plausible deniability” feature allowing you to have two passwords for the encrypted drive. The first is a throwaway with a fully functional OS (e.g. Windows XP) but no sensitive data. The other, of course, is your daily-use system.

Oh, and if you think it stops at your computer, just send me your iPhone or Android phone for a few hours!

Senior executives in US IT companies have been advised by the US Government to follow extremely strict policies for visits to China which extend far beyond standard software protection.

The policies encourage them to leave their standard IT equipment at home and to buy separate gear only for use in China.

via Safety first for IT executives in China – Software – Technology – News – CRN Australia.

Category : Computer Forensics | Security | Blog
17 Sep

Ahhh, the joys of not listening to the court. This is a big case in Chicago, and employment-related forensics is a key component. Make sure you have your acceptable use and termination policies well documented, and make sure they are followed.

On Tuesday, Goldberg said he will give Crecos seven days to comply with his August order and allow the Huron forensics team back into his office or face a fine of $1,000 per day for each day of non-compliance. The order goes into effect Wednesday.

via Headhunter facing fines in Motorola firing suit — chicagotribune.com.

Category : Computer Forensics | Blog
8 Aug

I think most forensic examiners are watching solid state storage closely to see how it will change our techniques. The Apple iPhone and Android devices have to date brought in new file systems, wear-leveling that requires piecing large files back together, and more. But a bit more disconcerting is the development of SSD firmware that actively cleans up “dirty” blocks on a drive to increase performance. If this firmware merely marks the page as unused, that would likely be OK. But if the firmware, during free cycles, actively clears the data in unused pages/blocks, it could have a huge impact on the forensic recovery of data. Original article below:

virtually all SSD manufacturers have incorporated, or soon will incorporate, garbage collection schemes into their drives’ firmware that actively seek out and remove the garbage data.

via OCZ and Indilinx Collaborate On New SSD Garbage Collection Scheme – HotHardware.
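To make the mark-versus-erase distinction concrete, here is an added toy simulation (mine, not from the post or from any vendor’s firmware) of a flash translation layer with the two garbage-collection policies described above; the ToySSD class, its page layout and the “SECRET-DOC” marker are assumptions for illustration only.

```python
# Toy SSD model (added illustration, not vendor firmware): an FTL maps logical
# blocks to physical NAND pages; deleting a file only unmaps its pages, and the
# garbage-collection policy decides whether a raw flash read still shows them.

PAGE_SIZE = 16
ERASED = b"\xff" * PAGE_SIZE  # NAND pages read as all 1s after an erase


class ToySSD:
    def __init__(self, pages: int, gc_mode: str) -> None:
        assert gc_mode in ("mark_only", "erase")
        self.gc_mode = gc_mode
        self.flash = [ERASED] * pages      # physical page contents
        self.stale = [False] * pages       # invalidated but not yet erased
        self.l2p = {}                      # logical block -> physical page
        self.next_free = 0

    def write(self, lba: int, data: bytes) -> None:
        """Flash writes go out of place: the old page is marked stale."""
        if lba in self.l2p:
            self.stale[self.l2p[lba]] = True
        phys, self.next_free = self.next_free, self.next_free + 1
        self.flash[phys] = data.ljust(PAGE_SIZE, b"\x00")[:PAGE_SIZE]
        self.l2p[lba] = phys

    def trim(self, lba: int) -> None:
        """Host deletes a file and TRIMs the block: its page becomes stale."""
        self.stale[self.l2p.pop(lba)] = True

    def idle_gc(self) -> None:
        """Background cleanup while the drive is idle."""
        for phys, is_stale in enumerate(self.stale):
            if is_stale and self.gc_mode == "erase":
                self.flash[phys] = ERASED  # data physically destroyed
            # "mark_only": page stays flagged, content left intact

    def raw_dump(self) -> bytes:
        """What a raw NAND read sees, ignoring the logical mapping."""
        return b"".join(self.flash)


def recover_after_delete(gc_mode: str, marker: bytes = b"SECRET-DOC") -> bool:
    """Write a marker, delete it, let GC run, then carve the raw flash."""
    ssd = ToySSD(pages=8, gc_mode=gc_mode)
    ssd.write(0, marker)
    ssd.trim(0)
    ssd.idle_gc()
    return marker in ssd.raw_dump()
```

Under the mark-only policy the deleted marker is still carvable from the raw flash; under the erase policy it is gone before the examiner ever sees the drive.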

Category : Computer Forensics | Blog
23 Jun

The difference between a hard drive forensic “image” and a hard drive “ghost” image.

Ghosts and Forensic Images.

Category : Computer Forensics | Blog
13 Feb

I just noticed that new versions of The Sleuth Kit (TSK) and Autopsy Forensic Browser were released. Both updates are bug fixes only. As usual, hats off to Brian Carrier for maintaining such a great open source package.

Category : Computer Forensics | Blog