Tuesday, April 20, 2010

Forensic 4cast and Me

The most recent Forensic 4cast podcast is up with a brand new format. Lee has decided to test out a panel format where he brings together people from the digital forensic community to discuss the topics of the day.

This episode included a panel that consisted of Lee, Tom Yarrish, Joe Garcia and myself. Give it a listen and let Lee know what you think about the new format. I'm grateful to Lee for the opportunity and I hope I did a good job for him. I have to admit that I was a bit vexed when I heard the podcast after the fact because the sound quality from my phone wasn't remotely as good as the other panelists. I already have a proper Skype certified phone on order from Newegg so that I can use it with Skype next time and not sound like the panelist who is calling from the outer reaches of Absurdistan.

Lee has also released the much anticipated presentation on Volume Shadow Copies that he was due to give at the SANS EU Forensic Summit. That summit was delayed because of, as Chad Tilbury puts it, the Krakatoa eruption in Iceland. Chad made the Krakatoa reference on Twitter this week and I've been laughing about it ever since. It's yet another reason why I like socializing with my fellow digital forensic examiners on Twitter. Chad is a very sharp fellow and one of the primary SANS digital forensics instructors.

As Lee was nice enough to mention at the end of the podcast, I will be presenting on the topic of Adobe Flash Cookies at this year's CEIC conference. Kristinn Gudjonsson and I have been working on an article to submit to an academic journal and I have crafted an overview of the research for the presentation. The presentation won't cover much of the content in the article because there just won't be enough time to do that, but it will provide examiners with enough of an understanding of these artifacts to start using them in their digital examinations. I'm looking forward to CEIC this year as there are a lot of amazing presentations such as Rob Lee's Super Timeline Analysis Lab. I also think it's a moral imperative that I have a Bacon N' Eggs burger at LBS Burger.

I started this research project independently late last year and it turns out Kristinn had also been working on parsing these artifacts as part of his larger log2timeline research. He posted about them on the SANS Forensic blog earlier this year and that's when we discovered that we had been working on the same subject. We essentially had a "you got chocolate in my peanut butter" moment and decided to work together on putting together a paper that we hope will be useful to the community. Kristinn is certainly the brains behind the operation given his very robust technical background. I never would have been able to fully parse these artifacts on my own because I don't have the deep technical knowledge that Kristinn has so I'm lucky he posted on the SANS Forensic blog when he did and that he's generous with his time and knowledge.

One of the reasons I mentioned Chad earlier in this post is that he also did some research on Adobe Flash Cookies and posted about it on the SANS Forensic blog.