Tuesday, April 20, 2010

Forensic 4cast and Me

The most recent Forensic 4cast podcast is up with a brand new format. Lee has decided to test out a panel format where he brings together people from the digital forensic community to discuss the topics of the day.

This episode included a panel that consisted of Lee, Tom Yarrish, Joe Garcia and myself. Give it a listen and let Lee know what you think about the new format. I'm grateful to Lee for the opportunity and I hope I did a good job for him. I have to admit that I was a bit vexed when I heard the podcast after the fact because the sound quality from my phone wasn't remotely as good as the other panelists. I already have a proper Skype certified phone on order from Newegg so that I can use it with Skype next time and not sound like the panelist who is calling from the outer reaches of Absurdistan.

Lee has also released the much anticipated presentation on Volume Shadow Copies that he was due to give at the SANS EU Forensic Summit. That summit was delayed because of, as Chad Tilbury puts it, the Krakatoa eruption in Iceland. Chad made the Krakatoa reference on Twitter this week and I've been laughing about it ever since. It's yet another reason why I like socializing with my fellow digital forensic examiners on Twitter. Chad is a very sharp fellow and one of the primary SANS digital forensics instructors.

As Lee was nice enough to mention at the end of the podcast, I will be presenting on the topic of Adobe Flash Cookies at this year's CEIC conference. Kristinn Gudjonsson and I have been working on an article to submit to an academic journal and I have crafted an overview of the research for the presentation. The presentation won't cover much of the content in the article because there just won't be enough time to do that, but it will provide examiners with enough of an understanding of these artifacts to start using them in their digital examinations. I'm looking forward to CEIC this year as there are a lot of amazing presentations such as Rob Lee's Super Timeline Analysis Lab. I also think it's a moral imperative that I have an Bacon N' Eggs burger at LBS Burger.

I started this research project independently late last year and it turns out Kristinn had also been working on parsing these artifacts as part of his larger log2timeline research. He posted about them on the SANS Forensic blog earlier this year and that's when we discovered that we had been working on the same subject. We essentially had a "you got chocolate in my peanut butter" moment and decided to work together on putting together a paper that we hope will be useful to the community. Kristinn is certainly the brains behind the operation given his very robust technical background. I never would have been able to fully parse these artifacts on my own because I don't have the deep technical knowledge that Kristinn has so I'm lucky he posted on the SANS Forensic blog when he did and that he's generous with his time and knowledge.

One of the reasons I mentioned Chad earlier in this post is that he also did some research on Adobe Flash Cookies and posted about it on the SANS Forensic blog.


  1. Eric, after you do your CEIC presentation on Flash Cookies, will you be sharing it online at all? Unfortunately I won't be at CEIC, but I'm interested in examining them as alternative sources of evidence.

  2. They're certainly interesting artifacts and they're important part of web browser investigations. Once Flash 10.1 is released, I suspect they'll also factor into mobile device forensics.

    I can't remember if Guidance releases presentations to the public after CEIC. Regardless, my presentation slides aren't going to do anyone much good since I have designed the slides to be visual aides for my presentation rather than a stand alone work.

    My primary responsibility is to those who pay the money to attend the conference and my class. I don't like presentations where people just read slides at me so I made sure my presentation wasn't one like that.

    All that said, Kristinn and I are working on a paper for publication with a journal. Hopefully, we'll be able to post the paper on Kristinn's website, but that will depend on what author's rights we retain after publication. The ultimate goal is to share what we learn with the digital forensics community so we'll do that one way or another.

  3. Thanks for the the vote of confidence Eric. I started the blog on the advice of my friend Chris Pogue. He thought it would be nice to have a blog out there written from the angle of someone who was new to forensics. I have received nothing but support from people in the field so I definitely encourage people to get involved if they want to learn. Anything I do contribute to ITB will likely be along the same lines. I don't have anything technical to add at this point, but I can speak to the difficulty of breaking into the field and the ease at which many of our "superstars" can be approached. I would love to read your research paper as I already have a question.

    What's in flash cookies that you can't already get from timeline/supertimeline analysis and browser history? I only ask out of shear ignorance because I have no idea what is in a flash cookie or where to find one for that matter.

  4. From a timeline perspective, Flash cookies are just another source of metadata to plug into your timeline.

    What I'll be teaching in the class is that there are some general areas of interest in regards to Flash cookies. The presence of a cookie itself is an important bit of information. The metadata of the cookie provides more information. What really caught my attention when I started my research was how the contents of the cookies could really be beneficial. You can find information such as usernames, search queries, IP addresses, etc

  5. After looking at an early version of Eric's presentation, I really encourage everyone to try to see him speak at CEIC. Eric and Kristinn have really pushed the boundaries on Local Shared Objects (Flash Cookies). Forensic investigators need to have this on their radar because this is really just the tip of the iceberg. With HTML5 DOM storage coming of age and giving up to 5 MB of local storage per domain, the trend is for sites to store more and more (potentially useful) data locally.

  6. I came across this today and thought about your Adobe Flash research. Although not directly related to forensics, I think the comments made by Microsoft's exec about Flash are really just an example of how ubiquitous it is. Some good statements that are timely given your work on the subject.


  7. I hadn't read that about Microsoft yet. Thanks for passing that along, Crosser. It's been a rough week or so for Adobe. A potential bright spot is that Google might be siding with Adobe at least for the time being. http://bit.ly/amVo8z

    It looks like Flash 10.1 is going to drop this month. http://bit.ly/ao4vwi