Friday, May 20, 2011

Mobile Devices Are Spy Devices

The recent news items relating to the ability of smart phones to monitor the location of their users are another fine illustration of how these devices are essentially near-perfect spy devices. Leo Laporte of TWiT has been pointing this out for quite some time now and he’s spot on. They have cameras, microphones, and GPS technology, which means they can see and hear what is around you while knowing exactly where “around you” actually is at any given moment. This technology is coming to an investigation near you, as it did for the New York City Special Commissioner of Investigation, whose investigation dealt with FlexiSpy.

So this means that we should work hard to keep these devices out of our environments, right? Wrong. It’s our job as security professionals to securely enable new technology that will help our businesses meet their objectives. Smart phones are part of our society and are increasingly part of the business world. As I have previously discussed, standing athwart technology yelling stop isn’t a viable option or a particularly wise career choice for those of us in the security world. We should not only be facilitating the use of this technology, but also encouraging our businesses to adopt it where we see it could meet a critical business need such as improved communication, collaboration, and product development.

How can mobile devices facilitate product development? The more we have people inside our business, such as engineering and marketing people, marinating in mobile technology as part of their daily personal and professional lives, the more these people will come up with innovative ways to use the technology to deliver products and services that people want to purchase. As security professionals, we should be encouraging our businesses to securely adopt new technology that helps meet their objectives. In the case of mobile devices, the people who are creating these devices, as well as third parties, are working to create solutions that will allow this technology to be securely integrated into business environments.

DFRWS 2011 Forensics Challenge

Speaking of mobile devices, the 2011 DFRWS forensics challenge has been posted on the DFRWS website. This year the challenge revolves around Android forensics. If you are interested in learning more about Android forensics, Andrew Hoog will have his book out on the subject very soon.

SANS New Jersey 2011

I recently had the pleasure of teaching FOR408 Computer Forensic Investigations - Windows In-Depth at SANS NJ 2011 in Morristown, New Jersey. We had a great class of people who all came from various positions in the private sector security world. That allowed me to focus on life in the private sector digital forensics and investigations world, since that was the role that most of the students would be returning to after class. One of the things I really enjoy about teaching others is that I always end up learning new things from the people I teach. For example, one of the students saw something in one of the Firefox SQLite artifacts that didn’t make sense to any of us. Some of us dug into it after class and we figured out how RSS feeds manifest themselves in Firefox. I’ll craft a blog post on what we found and get it posted soon.

You can read a nice write-up of the class here from one of the students. It was very kind of him to take the time to do this, and it’s always gratifying to have a student get so much out of class. This group really impressed me with how well they did on the Day 6 exercise. I know most of these folks didn’t have a strong understanding of digital forensics when they started the week, and that’s why they were in class. They did a fantastic job and it really manifested itself on the final day. Well done, team!

Symantec Buys Clearwell

The only thing that surprised me about the recently announced acquisition of Clearwell by Symantec is that something like this didn’t happen sooner. Many of us have been expecting companies like Symantec and McAfee to get into the eDisco and digital forensics markets through the M&A process. I still keep expecting someone to snap up Access Data Group, especially now that they offer a more end-to-end eDisco process through their recent merger with CT Summation.

Give me 64 Bits or Give Me Death

It’s increasingly clear to me that we’re at the tail end of the 32-bit era for digital forensics. Yes, we will continue to examine 32-bit systems for many years to come. However, the memory limits imposed by 32-bit operating systems, coupled with the memory requirements needed to make comprehensive forensic suites like EnCase and FTK work well, mean it doesn’t make much sense to build a forensics computer with a 32-bit operating system. Sure, you can do forensics in a 32-bit host environment, but why would you want to? It’s better to have a 64-bit system with a considerable amount of RAM, especially given how cheap RAM is these days. Ultimately, I think we’ll see companies like Guidance Software and Access Data Group phase out 32-bit support in future releases of their tools as the community abandons 32-bit operating systems for their examination platforms.