Wednesday, March 30, 2011

A Little of Everything

I’m working on a variety of interviews and I hope to get the first one out shortly. It’s an interview with Shafik Punja that is focused on mobile device forensics. This interview will be of particular interest to those who are interested in BlackBerry forensics.

To The Cloud

I found out from David Klopp’s Twitter feed that the Amazon Cloud Player service has gone live. Couple this with services such as Apple’s iDisk and Dropbox, and it’s a good illustration that consumers are going to embrace this sort of cloud service in increasing numbers. This means it will be an important aspect of live response in digital forensics. The data that is relevant to your investigation might very well not be on the actual hard disk when you go to seize a computer, and you could miss it if you aren’t careful in how you plan the acquisition phase of your investigation.

As I’ve said before, “The Cloud” isn’t anything new, but it’s increasingly popular at the consumer level because of the convergence of technologies such as virtualization, inexpensive hardware, and inexpensive high-speed broadband access. It’s certainly not a fad and it’s something that is here to stay, so we have to take it into account when planning our investigations. It’s just one more aspect of how live response is important in digital forensics.
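
The practical side of the point above is a pre-acquisition check: before a system is powered down, look for signs that data of interest lives in a cloud service rather than on the local disk. The script below is an added example and is not from the original post. It runs a simple indicator match over three things an examiner can collect cheaply from a live system: a process list, the mount table, and browser history URLs. The indicator strings (the Dropbox client process name, WebDAV/davfs mount types and the idisk.me.com host for iDisk, the amazon.com/clouddrive, dropbox.com and me.com URL prefixes) and the sample input lines are all assumptions constructed for the example; adjust them for your own cases.

```python
"""Live-response triage for cloud-storage indicators (added example, not from the post).

Indicator patterns and sample inputs below are assumptions constructed for
illustration; extend them for the clients and services you encounter.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Pattern, Tuple

@dataclass(frozen=True)
class Finding:
    category: str   # "process", "mount" or "browser"
    service: str    # cloud service the indicator points to
    evidence: str   # the input line that matched
    action: str     # what to collect before the machine is powered off

Indicator = Tuple[Pattern[str], str, str]

# Assumed indicators: (regex, service, recommended action). Order matters:
# more specific patterns go first because scanning stops at the first hit per line.
PROCESS_INDICATORS: List[Indicator] = [
    (re.compile(r"\bdropbox(\.exe)?\b", re.I), "Dropbox",
     "Copy the synced folder and the client's config/database while the user session is live."),
]
MOUNT_INDICATORS: List[Indicator] = [
    (re.compile(r"idisk\.me\.com", re.I), "Apple iDisk",
     "Copy the mounted share before unmounting; its contents are not on the local disk."),
    (re.compile(r"\b(davfs2?|webdav|dav)\b", re.I), "WebDAV share",
     "Copy the mounted share before unmounting; its contents are not on the local disk."),
]
BROWSER_INDICATORS: List[Indicator] = [
    (re.compile(r"https?://(www\.)?amazon\.com/clouddrive", re.I), "Amazon Cloud Drive/Player",
     "Preserve the browser profile (cookies, session); plan a legal request for account data."),
    (re.compile(r"https?://(www\.)?dropbox\.com", re.I), "Dropbox (web)",
     "Preserve the browser profile (cookies, session); plan a legal request for account data."),
    (re.compile(r"https?://(www\.)?me\.com", re.I), "Apple MobileMe/iDisk (web)",
     "Preserve the browser profile (cookies, session); plan a legal request for account data."),
]

def _scan(lines: Iterable[str], indicators: List[Indicator], category: str) -> List[Finding]:
    """Return one Finding per input line that matches any indicator in the table."""
    findings = []
    for line in lines:
        for pattern, service, action in indicators:
            if pattern.search(line):
                findings.append(Finding(category, service, line.strip(), action))
                break  # one hit per line is enough to drive the acquisition decision
    return findings

def triage(process_lines: Iterable[str], mount_lines: Iterable[str],
           browser_urls: Iterable[str]) -> List[Finding]:
    """Combine the three checks; an empty list means no cloud indicators were seen."""
    return (_scan(process_lines, PROCESS_INDICATORS, "process")
            + _scan(mount_lines, MOUNT_INDICATORS, "mount")
            + _scan(browser_urls, BROWSER_INDICATORS, "browser"))

def report(findings: List[Finding]) -> str:
    """Human-readable summary for the examiner's notes."""
    if not findings:
        return "No cloud-storage indicators found; standard disk acquisition is likely sufficient."
    return "\n".join(f"[{f.category}] {f.service}: {f.evidence}\n    -> {f.action}" for f in findings)

# Constructed sample input in the shape of `ps -eo pid,comm`, `mount`, and a history export.
SAMPLE_PROCESSES = ["  412 init", " 1873 Dropbox", " 2201 firefox"]
SAMPLE_MOUNTS = [
    "/dev/sda1 on / type ext4 (rw)",
    "https://idisk.me.com/jdoe on /home/jdoe/idisk type davfs (rw,nosuid,nodev)",
]
SAMPLE_URLS = [
    "https://www.amazon.com/clouddrive/home",
    "https://www.google.com/search?q=forensics",
    "https://www.dropbox.com/home",
]

if __name__ == "__main__":
    print(report(triage(SAMPLE_PROCESSES, SAMPLE_MOUNTS, SAMPLE_URLS)))
```

On the constructed sample the script flags the Dropbox client process, the iDisk WebDAV mount, and two cloud-service URLs, each paired with the acquisition step it implies. The design choice worth noting is that the check is deliberately cheap and read-only: it decides whether live collection is needed at all, and does nothing that would alter the evidence.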

A Fragmented Community

The invaluable David Kovar put up an excellent piece on his blog about the fragmentation of the digital forensics community that has prompted a series of discussions pretty much everywhere you look in the community, such as Twitter, email listservs, and other blogs. In other words, the discussion spawned by the blog post nicely illustrated David’s point.

The way I handle the fragmentation is to leverage the various social networking and email technologies that are available to me. I have all of my email listservs going into a Gmail account, which gives me a sort of comprehensive email experience that creates a unified digital forensics listserv for me. My primary form of interaction with the community other than email has been through Twitter. I have found crafting my own Twitter digital forensics community (based on who I follow and who follows me) to be a great way to quickly get curated news that is of interest to me as a digital forensics practitioner. David Klopp’s Tweet about the Amazon Cloud Service is a good example. Would I have heard about the service eventually? I certainly would have, but I heard about it quicker because I follow David’s Twitter feed. The fact that this sort of information comes from someone who I have chosen to trust enough to follow also means that new items come with a certain level of credibility. If another digital forensics person like David finds something interesting, there is a good chance that I’ll also find it interesting.

I also find it increasingly important to make it out to digital forensics conferences such as CEIC and the SANS Forensic Summit so that I can meet people face to face. There really is something about putting a face to a Twitter handle, and it’s a nice way to build relationships that you can enjoy in the future both professionally and socially.

Is the Sky Falling?

Craig Ball put up a thought-provoking post on the potential end of digital forensics due to data set sizes. While I don’t agree with Craig that we’re at risk of the demise of digital forensics because of this issue, I do agree that this problem will prove to be transformational for the digital forensics community. As the old saying goes, necessity is the mother of invention, and these data set sizes have contributed to innovation in tools and processes such as how we handle triage issues. Like Craig, I’ve seen the demise of digital forensics predicted with almost predictable frequency over the years. The fact is that what we do is the convergence of technology and law. There will always be a need for technology to be examined for legal purposes in some manner. While I can’t predict what the digital forensics world will look like a decade from now, I’m confident there will still be a digital forensics world at that time.

The Underground Economy of Stolen Intellectual Property

I ran across this article while experimenting with Flipboard a couple of days ago. This VentureBeat article is based on research by McAfee and SAIC and talks about how the criminal element is profiting from the theft of corporate intellectual property. This makes perfect sense to me given that we have actors such as nation states who are already working hard to steal and exploit commercial intellectual property. If you are an intelligence agency with a laundry list of information that you are tasked with obtaining, why not just pay for it if the opportunity presents itself? If you are the criminal element, you’re going to exploit any profitable market that you can, especially if it’s one that is lucrative and has a low risk of detection and prosecution. This is as good an illustration as any of why I’m not concerned about the end of digital forensics.

So Nice I Bought It Twice

So I bought another copy of Harlan’s Windows forensics book so I could put it on my shiny new iPad 2 via Amazon’s Kindle application. I already had the physical version, but I decided it was worth it to just get a Kindle copy so that I could access it on my iPad while doing forensics work. I love being able to quickly search my reference books while doing an exam. It’s also nice to have the book open on the iPad rather than on an exam computer itself so that I don’t lose any screen real estate that I need for my examination tools. Digital forensics is very much an open book job. There is so much to know that it’s important to have access to other people to ask questions and reference materials to look up information. Having material like Harlan’s book available to me through electronic means is very useful.

Please Don’t Steal My Stuff

I recently found one of my blog posts entirely reposted on someone else’s website without any sort of attribution. This is very bad behavior, and everything on this website is protected by copyright. I’m pursuing my legal options, and that’s something you can just expect to happen if you do the same. If you really like my work, it would be much nicer if you’d just nominate me for a Forensic 4cast award rather than stealing it and passing it off as your own work.

Best. Presentation. Title. Ever.

This distinction goes to Braden Civins for his “Fire Down Below: How the Underwear Bomber Revealed the U.S. Counterterrorism Community as Hemmed in by the Seams of Legislative Ambiguity” for the upcoming 2011 SATSA conference.