Friday, May 20, 2011

Mobile Devices Are Spy Devices

The recent news items about the ability of smart phones to monitor the location of their users are another fine illustration of how these devices are essentially perfect spy devices. Leo Laporte of TWiT has been pointing this out for quite some time now and he’s spot on. They have cameras, microphones, and GPS technology, which means they can see and hear what is around you along with knowing exactly where “around you” actually is at any given moment. This technology is coming to an investigation near you, as it did for the New York City Special Commissioner of Investigation, whose investigation dealt with FlexiSpy.

So this means that we should work hard to keep these devices out of our environments, right? Wrong. It’s our job as security professionals to securely enable new technology that will help our businesses meet their objectives. Smart phones are part of our society and are increasingly part of the business world. As I have previously discussed, standing athwart technology yelling stop isn’t a viable option or a particularly wise career choice for those of us in the security world. We should not only be facilitating the use of this technology, but also encouraging our businesses to adopt it where we see it could meet a critical business need such as improved communication, collaboration, and product development.

How can mobile devices facilitate product development? The more we have people inside our business such as engineering and marketing people marinating in mobile technology as part of their daily personal and professional lives, the more these people will come up with innovative ways to use the technology to deliver products and services that people want to purchase. As security professionals, we should be encouraging our businesses to securely adopt new technology that helps meet their objectives. In the case of mobile devices, the people who are creating these devices as well as third parties are working to create solutions that will allow this technology to be securely integrated into business environments.

DFRWS 2011 Forensics Challenge

Speaking of mobile devices, the 2011 DFRWS forensics challenge has been posted on the DFRWS website. This year the challenge revolves around Android forensics. If you are interested in learning more about Android forensics, Andrew Hoog will have his book out on the subject very soon.

SANS New Jersey 2011

I recently had the pleasure of teaching FOR408 Computer Forensic Investigations - Windows In-Depth at SANS NJ 2011 in Morristown, New Jersey. We had a great class of people who all came from various positions in the private sector security world. That allowed me to focus on life in the private sector digital forensics and investigations world since that was the role that most of the students would be returning to after class. One of the things I really enjoy about teaching others is that I always end up learning new things from the people I teach. For example, one of the students saw something in one of the Firefox SQLite artifacts that didn’t make sense to any of us. Some of us dug into it after class and we figured out how RSS feeds manifest themselves in Firefox. I’ll craft a blog post on what we found and get it posted soon.

You can read a nice write-up of the class here from one of the students. It was very kind of him to take the time to do this and it’s always gratifying to have a student get so much out of class. This group really impressed me with how well they did on the Day 6 exercise. I know most of these folks didn’t have a strong understanding of digital forensics when they started the week and that’s why they were in class. They did a fantastic job and it really manifested itself on the final day. Well done team!

Symantec Buys Clearwell

The only thing that surprised me about the recently announced acquisition of Clearwell by Symantec is that something like this didn’t happen sooner. Many of us have been expecting companies like Symantec and McAfee to get into the eDisco and digital forensics markets through the M&A process. I still keep expecting someone to snap up Access Data Group, especially now that they offer a more end-to-end eDisco process through their recent merger with CT Summation.

Give me 64 Bits or Give Me Death

It’s increasingly clear to me that we’re at the tail end of the 32-bit era for digital forensics. Yes, we will continue to examine 32-bit systems for many years to come. However, the memory limits imposed by 32-bit operating systems, coupled with the memory requirements needed to make comprehensive forensic suites like EnCase and FTK work well, mean it doesn’t make much sense to build a forensics computer with a 32-bit operating system. Sure, you can do forensics in a 32-bit host environment, but why would you want to? It’s better to have a 64-bit system with a considerable amount of RAM, especially given how cheap RAM is these days. Ultimately, I think we’ll see companies like Guidance Software and Access Data Group phase out 32-bit support in future releases of their tools as the community abandons 32-bit operating systems for their examination platforms.

Wednesday, May 4, 2011

2011 Forensic 4cast Awards

Lee Whitfield has tabulated the nominations and posted the official ballot for the 2011 Forensic 4cast Awards. You can find the ballot here and the results will be announced at the 2011 SANS Forensics Summit in Austin.

A Fistful of Dongles was nominated for Best Digital Forensic Blog which is both surprising and humbling. Thank you very much to those who took the time to nominate the blog for this award. This blog has been a tremendous amount of fun to do and it’s flattering that others find it useful. Good luck to all of the nominees!

Sunday, May 1, 2011

SANS@Night at SANS New Jersey 2011

A benefit of attending major SANS conferences like the annual SANSFIRE and Network Security training events is the opportunity to attend the various SANS@Night presentations in the evenings. Students can also experience this with some of the smaller SANS training events through a program that SANS calls “Community of Interest in Network Security” (COINS). One such event will be held during SANS New Jersey 2011.

Andrea Hogan at SANS has asked me to pass along this information to those who might be interested in attending.

SANS invites you to be our guest for our COINS (Community of Interest in Network Security) SANS@Night event in Morristown, NJ on Thursday, May 12th.
Join us for an informative presentation where you will get the opportunity to mingle with other members of your local security community and SANS attendees. SANS will provide complimentary snacks and beverages.
Yori Kvitchko will deliver his exciting presentation, “Staying Ahead of the Storm: An InfoSec Forecast”.
There is no cost to attend this event, but we do need you to register at:
(http://www.sans.org/new-jersey-2011-cs/special.php).
Complimentary SANS@Night Event Details
Date: Thursday, May 12, 2011
Time: 6:30pm - 8:30pm
Location: Hyatt Morristown at Headquarters Plaza
Morristown, NJ, USA 07960
Seating is limited so RSVP today at: (http://www.sans.org/new-jersey-2011-cs/special.php)
For more information on the reception or our training events please contact me at ahogan@sans.org.

Andrea has also told me that Bonnie Diehl will be at this event and will be providing an overview of the SANS Technology Institute. I’ll be at this event and I look forward to being able to potentially meet some of the readers of the blog in person.

Wednesday, April 20, 2011

Augmented Reality: An Interview With Joseph Rampolla

One of the nice benefits of publishing this blog is that it has allowed me to talk to a variety of fascinating people who I normally might not have met.  Joe Rampolla is one of those people.  Joe and I were having a discussion about digital forensics when at the end of the conversation he asked me if I had ever heard of augmented reality. I had to admit that I knew nothing about it. Joe proceeded to amaze me with his level of knowledge on the subject and I was intrigued with the potential for both good and evil that this technology brings with it. I asked him if he would be interested in doing an interview for the blog and he readily accepted. As Joe will illustrate for you during the course of this interview, augmented reality has the potential to fundamentally change how we interact with each other and the world around us.

Professional Biography of Joseph Rampolla

Joseph Rampolla has been a law enforcement officer for sixteen years. In 1994 he received a Master of Arts degree in Criminal Justice from John Jay College in New York City. Joseph holds a Bachelor of Arts degree in Law & Society from Ramapo College of New Jersey. He became a police officer in 1995 and currently holds the rank of Lieutenant for the Park Ridge Police Department. He has supervised numerous criminal investigations within the department and oversees the Detective Bureau. In 2003 he was assigned to a regional computer crimes task force. He has successfully completed training offered by county, state and federal agencies as well as leading technology companies with a focus in the areas of computer forensics, Internet child exploitation, cyber-bullying, cyber counter-terrorism, human trafficking, and Peer-to-Peer file sharing investigations. He is a member of the HTCIA, HTCC, and IACIS, where he has earned the classifications of Certified Forensic Computer Examiner (CFCE) and AccessData Certified Examiner (ACE). Joseph enjoys teaching the topics of cyber crimes, augmented reality / virtual worlds, cyber-bullying and advanced undercover Internet Relay Chat (IRC) investigations. He has taught international law enforcement at Microsoft in Redmond, WA, and in the Province of Ontario, Canada, and has taught cybercrime topics to all levels of law enforcement for the National Internet Crimes Against Children Task Force. Joseph was the co-creator of the Internet Safety DVD Series – Point of No Return, which featured the cyber-bullying video “Sticks and Stones” and the predator video “The Web.”

AFoD: You and I had an interesting discussion recently where you educated me on the topic of augmented reality. I found our conversation so fascinating that I had to get you to do an interview for the blog. Let's start with the basic question. What is augmented reality?

JR: Augmented Reality is taking digital or computer generated images and overlaying them over a real-time environment.  The best way people would relate to Augmented Reality, better known as AR, is by thinking of a fighter pilot.  We have all seen the Heads Up Display (HUD) of a pilot's view that shows a digital overlay with an artificial horizon, the digital altitude, digital speed, and a host of pilot dashboard information seen looking out the cockpit window.  Another example would be the artificial first down marker that helps football TV viewers know how far the offensive team needs to go to get a first down.  We know that the yellow line is not really on the field, but once the digital overlay is placed into the live environment, it assists millions of viewers in a real time environment to enhance our viewing experience.  These examples are primitive compared to new exploding uses of a technology that has been around for quite a while.  The high quality of cameras, huge data and bandwidth pipes, along with the powerful computing power of smart phones, have created the perfect storm.

AFoD: Why is augmented reality something that technical investigators need to be concerned about in regards to smart phones?

JR: There are a number of reasons why technical investigators need to be concerned about smart phones.  We are moving to a mobile-dominated platform period (which will continue to increase in time).  All of your social networking and communication platforms will have a mobile presence.   The following types of investigations, to name a few: child pornography, cyberbullying / sexting, harassment, stalking, corporate espionage, digital piracy, terrorism, gang recruitment - will all move to a ubiquitous mobile platform.  The amount of mobile apps coming out each day is staggering.  The Android and iPhone smartphones are increasing in use, which forces technical investigators to shift their focus to mobile forensics and concentrate on the mobile application programming interface (API).  A digital forensic shift in value is moving from the home PCs to mobile smartphones.  These smartphones give the user all the access they need to check email, text, check and post to social networking sites, which will reduce the man-hours of home PC use in my opinion.  This premise means more digital evidence nuggets will be on smartphones than on home PCs.  If technical investigators do not get ramped up on mobile forensic trends, they will find themselves reading by candlelight and writing with an ink and quill.  I find myself more reliant upon my smartphone than my home PC.  It is more critical for me to back up data and apps on my Droid than to think about my mobileless home clunker.

AFoD: Can you give us some examples of how augmented reality would manifest itself in a way that would be relevant to an investigation? Just how are the bad guys using this technology?

JR: Because this technology is finally gaining traction, the better question will be "Just how WILL the bad guys use this technology."  The technology needs to become mainstreamed first and be ubiquitous before truly being utilized by perverts, crooks, criminals and terrorists.

This technology is poised to explode into mainstream society but has not done so yet.  It is currently being used in marketing and advertising realms at this moment but that should change very soon.  Companies like Viewdle and Polar Rose (which was recently acquired by Apple) are beta testing Augmented Reality and facial recognition.  As Augmented Reality facial recognition technology blends with social networking mediums, we will see issues of stalking, identity theft, harassment and other criminal uses.   The porn industry is investing large sums of money into augmented reality, which will naturally pave the way for child pornography uses.  Wherever society finds pornography, child pornography is not too far behind.   Currently the porn industry has AR markers that can be held up to a web cam and show the viewer being surrounded by porn video clips.  This gives the viewer the experience of feeling like they are in the pornography and gives the illusion that they are part of the experience as opposed to being a remote viewer of the "action."  Imagine a scenario where a virtual avatar or character could sit at your kitchen table if you were wearing augmented reality glasses.  The glasses would show a digital depiction of that avatar sitting in front of you, which could conspire on how to commit a criminal act while the person who is controlling the avatar could be safely out of reach of the US government.  This raises serious concerns for US National Security and US Law Enforcement.  Virtual criminal packages could be left in public areas and could only be detected by someone that is part of that Augmented Reality / virtual network.   The iPhone has an app called Tagdis.  You can write virtual graffiti on a public building or police station.  This virtual graffiti can only be seen with the use of the smartphone app.

Criminals, drug dealers, or other miscreants could leave virtual markings or clues for other criminals in virtual space, and a person unaware of that digital space would pass by that location with no knowledge of the virtual message.

Digital investigators need to be aware that a new digital space will emerge with important evidence that will be related to future crimes and societal digital markings.  Digital investigators will need to focus on the remnants of evidence that will be left on smartphones and other electronic devices.  AR will change how we and society see things, just as we forget that invisible signals and beams are flying through our atmosphere and environment right under our naked eye.

AFoD: This is amazing stuff, Joe.  Before we dive into this further, can you recommend any resources on the web that might offer a visual illustration of what you are talking about?

JR:

Facial Recognition:

http://www.youtube.com/watch?v=0QBLKBYrgvk

http://www.youtube.com/watch?v=x0FasRTTk4k

Turn People into experts with Augmented Reality:

http://www.youtube.com/watch?v=P9KPJlA5yds

Augmented Reality HUD display - Vehicles

http://www.youtube.com/watch?v=REXer_yW6S8

Topps Baseball Cards

http://www.youtube.com/watch?v=I7jm-AsY0lU

Augmented Reality Pornography

http://www.youtube.com/watch?v=5GXuS1N1SSM

Planefinder AR

http://www.youtube.com/watch?v=b64xvlOvdlM&feature=related

AFoD: We're really just at the starting point of something very big with all of this, aren't we? I'm struck by how this could be used for some very positive things as well as for some deeply evil acts.  Do you have any concerns about this technology from a cyberbullying standpoint? For example, I can see how instead of just writing something nasty about some poor girl on a bathroom wall, you could now write those things on her virtually through this technology including how she can be located or contacted.

JR: You raise some very good points.  There is definitely the ability to use this technology for cyberbullying or dissing people through public virtual postings.  I got a better one for you.  People start to advertise their virtual ads over the virtual space in Times Square.  I put a big virtual banner for Guess Jeans in virtual space over the JCPenney real billboard in Times Square.  Am I violating any advertising cybersquatting laws? (maybe cybersquatting is the wrong word on this one) Who knows.  I am sure the lawyers will come out of the woodwork on this one.

When it comes to cyberbullying I guess the issue will be whether you could anonymously put stuff in a virtual realm without being traced.  I guess this depends on what open virtual networks are created and how a user can anonymize their posting without a trail leading back to the person that posted it.  Will throw-away smartphones be accessible to the public to pull this off?  Will nefarious people post virtual misinformation in the virtual realm to create confusion and spread lies / rumors?  It will be interesting to see where things move with this technology and how the business model takes it.  Advertising agencies are the leader in this area at the moment and the porn industry is investing a lot of money too.  I have more questions than answers unfortunately.

AFoD: As you look forward to the future, how do you think this technology will impact our culture from a social standpoint as well as how we conduct business?

JR: Augmented Reality will be a game changer.  It will have a huge impact on our culture in many different ways.  For starters, it will be embedded in social networking sites.  Social proximity networks will thrive with augmented reality because geolocation will change the way our society and culture sees technology.  People will utilize the scanning of people with smartphones and tie in to a person’s social networking profile.  Kids and adults will scan people in their live environment to identify each other, and this will reveal who we are and give glimpses as to our posts, our blogs, our profiles, and where we go in our daily lives.  People will voluntarily allow open networks to thrive and share real time information.  The scariness begins when closed networks begin to form.  Closed networks of criminal organizations, predator networks and secret societies will share information about law enforcement, adolescents, and other nefarious groups that share common criminal goals.  Stalking, identity theft, terrorism networks and beyond will put this amazing technology to bad purposes, and that will eventually rear its ugly head.  Marketers, advertisers, and commercial applications will boom.  It will become integrated with our thirst for realtime information and aid in what items we buy, the groups we want to be a part of, and even groups that we are unaware of that want to know more about us.  This creates a slippery slope where many users are unaware of other users' real intentions of why they want this information about us.  Think of the child predator groups that will form to trade information on unsuspecting children who post their geolocations without a true understanding that they may be in harm's way. Augmented Reality applications tied into devices such as the AR Parrot (remote helicopter) will create drone devices that can spy in hotel windows or spy on innocent victims.

There does not always have to be a nefarious purpose to utilize this technology, but eventually lawmakers will have to reconsider stronger privacy laws to protect society.  The long term effects will become apparent as the technology goes mainstream.  Society will never be the same as AR unfolds before our eyes.  Society will enjoy it but also can be repulsed as AR crimes begin to take hold in our communities and our society.

AFoD: If you could gather all of the people who are going to be planning, developing, and marketing augmented reality applications into one room, what would you tell them? It sounds like a proper Uncle Ben speech is in order at a minimum.

JR: If I could gather all the stakeholders regarding AR into one room my message would be clear and simple.  The Wright Brothers took their first powered flight for 12 seconds in 1903.  Little did they know that their innovative efforts would pave the way for Stealth Bombers and planes used as missiles in the 9/11 attacks.  I have had the pleasure to speak to many brilliant AR creators and developers who are benevolent and kind and want to have a positive impact with technology on our society.  I ask them to wear an "evil cap" also when developing new innovations and to think about the downside to this amazing technology.  Most developers would have no reason to think like a bad guy since it does achieve their final goal or complete their project.  Think of how criminals and miscreants can create harm and danger when developing AR.  Let’s not make it so easy for criminal elements to capitalize on this technology, and get input from law enforcement, psychologists, child protective specialists, and other important disciplines while advancing technology.  I think it is important for all sectors of society to work with AR developers to create safe applications while limiting the knowledge of those with bad intentions.  It’s like having the formula for a potential atomic bomb and posting it on every blog in the world.  We must do everything in our capability not to release that dangerous blueprint to the wrong set of eyes.  Some could argue that it will get out anyway so why bother.  I would rather know that AR innovators took every precaution to safeguard this technology while utilizing this incredible innovation that will change our society like never before.

AFoD: What should lawmakers be doing at this point to address issues pertaining to augmented reality?

JR: Obviously lawmakers and the Criminal Justice System need to be up to speed on AR.  The next 12 months will be a good indicator of how this technology rolls out and advances.  As I mentioned previously, social proximity networks will become more popular as you can geographically see other "live & realtime" users within your immediate region.  I checked in with my FourSquare account the other day at Newark Airport and saw 63 other users check in around me (at that moment).  I could see their pictures, their postings, and a host of information they allowed me to view.  I could have easily stalked some of the FourSquare users since I knew what they looked like and what terminal they were sitting at as they awaited their flight.  As I viewed the other places they checked in and analyzed their friends, I could clearly profile their lives.  Some were young college students, others were struggling musicians, and some were successful white collar workers.  I saw their likes and dislikes and could easily approach them and capitalize on their unknowing "book of knowledge" they projected into cyberspace.  I couldn't help but think of the shrieking sound of "Danger Will Robinson...Danger."

AFoD: What else would you like people to know about augmented reality?

JR: Augmented Reality is a wonderful technology that could do so many good things.  I don't want to seem like an alarmist, but having our heads in the sand is not productive either.  I want to work with developers in finding ways to use this technology to track bad guys and help law enforcement protect society.  Think of a wide scale emergency where Augmented Reality apps can lead a person to safety or alert them to dangerous areas; that is an important arena.  Let’s imagine that there was a Hazmat spill in an urban setting.   Users with AR equipped smartphones could be alerted to the dangerous toxic cloud and use the AR app to evacuate the area.  Emergency crews could use AR to find victims or routes that will assist their rescue attempts while limiting their exposure to harmful gases.  AR can be used for an enormous amount of positive uses.  I don't want people to miss that point as I get out my message.  I want to work with developers and law enforcement officials to find positive ways to enhance our profession and safeguard our citizens.   I sometimes get blank stares from developers because when they hear that I am in law enforcement they don't understand why I am concerned or even involved with AR.  The AR concept is so new, many do not look down the road to understand its full capabilities.  I hope to raise awareness through lectures, presentations, and an upcoming book on Augmented Reality and the double-edged sword it brings to the technological evolution.

Sunday, April 10, 2011

Forensic 4cast EnCase 7 Interview

Lee and I interviewed Steve Salinas and Ashley Stockdale from Guidance Software about EnCase Version 7. I think Lee may have set an all-time podcasting production record when he was able to get the podcast edited and posted about three hours after we did the interview. EnCase is my primary file system digital forensics tool so I’m very excited to see what is in store for EnCase V7. Steve and Ashley were excellent interview subjects and did a fine job explaining what we can expect in the new version. Steve and some others have also been working hard to hit the road and talk to the community about V7. You can find a schedule of the presentations Guidance is giving all across the world at their website. If you are an existing user, you can also register for a preview of the software. I’ll be at the NYC sneak peek that will be held this coming Friday.

FTK News

According to Access Data, we can expect to see FTK version 3.3 released on Monday. It reportedly will provide some additional functionality to deal with iOS forensics in conjunction with MPE. Lee Reiber has provided some information about the new version through Twitter. I’m also starting to hear rumblings about FTK Version 4 and I’ll bring you more information as I learn more.

Raptor 2.0

Forward Discovery has released Raptor 2.0 which is a nice live Linux distro that can be used for acquisition purposes. Their website also includes instructions on how to create a Raptor 2.0 USB.

Sleuth Kit and Open Source Digital Forensics Conference

The Sleuth Kit and Open Source Digital Forensics Conference will be held on June 14th.  Presenters at this conference will include Harlan Carvey, Cory Altheide, and Jon Stewart. Cory and Harlan will also have their open source forensics book released shortly.

Digital Forensics Search

Corey Harrell over at Journey Into Incident Response has crafted what he is calling the Digital Forensic Search using a variety of sources of information in the digital forensics world. This is a fantastic service that Corey has provided the community and he has an excellent blog that I recommend people follow.

Book Reviews

I enjoy reading and writing book reviews. It’s an art that I’m still learning, and one of the people whose book reviews I enjoy the most is Richard Bejtlich. I’ve decided to add a book review list to the blog. You can find it to the right and it contains the RSS feeds of book reviewers who I follow. Right now it just contains my Amazon review feed and Richard’s. Let me know if you have some others that you like and I’ll add them to the list if I like their work.

I recently reviewed Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats by Will Gragido and John Pirc.  You can find that review here. As you can see from the review, I absolutely loved this book and I think you will also. Let me know if you agree. Better yet, leave some feedback for everyone on Amazon if you read the book.

Mobile Malware

I ran across an interesting article recently about a variant of Zeus that is targeting mobile devices. It’s another good illustration of why we can’t ignore what is going on in the mobile device space. It’s going to be increasingly difficult for those who are working in security to ignore the mobile device world. These devices are going to play an increasingly key role in modern criminal and intelligence gathering behavior. I’m working on an interview about mobile devices and augmented reality that has been an incredibly eye-opening exercise for me. I hope to get it posted soon.

Twitageddon

I decided to make my semi-private @ericjhuber Twitter account “private”. While I’m not under any illusions that anything I post in a protected Twitter account is actually private, I decided it didn’t make any sense to offer out that account to the public along with my @AFoDBlog account. I had hundreds of people following the @ericjhuber account who I didn’t know and who followed me because they were curious about digital forensics and information security. I always felt bad when I’d tweet about things not related to digital forensics and cybercrime and felt pressure to be “on” with that account. I’ve decided to just use that account to socialize with digital forensics people and others who I know and who interact with me. I’ll continue to use the @AFoDBlog account as my public account where I tweet about digital forensics, information security, cybercrime, and the like. You can also talk with me and others at the blog’s Facebook page.

Thus, if you find that you suddenly aren’t following the @ericjhuber account, please don’t be offended. I drastically pared down the number of people following that account to only people who I actually knew and who interacted with me on a regular basis about things not just related to digital forensics.

Tuesday, April 5, 2011

An Interview with Shafik Punja

I’ve been wanting to do an interview with Shafik Punja for quite some time now. Shafik is particularly well known for his work in the mobile device space with an emphasis on BlackBerry forensics. He is one of the people who I call when I get stuck on a mobile device problem. He’s an extraordinarily sharp fellow and is very willing to share his knowledge. He’s an asset to the digital forensics community and a credit to the Calgary Police Service.

Professional Biography of Shafik Punja

A police officer with the Calgary Police Service for over 15 years, Mr. Punja has been working in digital forensics since 2003, and has conducted digital forensic examinations on a wide variety of digital data storage devices and operating systems. In 2005, Mr. Punja began researching and developing analytical techniques for mobile devices and smart phone platforms, and has become an expert in the analysis of BlackBerry, among other devices. Mr. Punja has been qualified in the Canadian legal system as an expert in the area of digital forensics, and has been a guest instructor for the Technological Crimes Learning Institute (TCLI) at the Canadian Police College, in Ottawa, Ontario.

AFoD: How did you get involved in digital forensics?

SP: Well, it all started back in about Sept 2000.  I had never owned a computer (well maybe if you count the Commodore 64 back in the 1980s) with a high speed internet connection, until my wife said we should get one so we could communicate with her parents back home.

I was familiar with office productivity applications, and knew what Windows was and had friends that had a computer with Windows 98 with productivity suite, which I used.  But my first real experience at handling a computer came when my wife and I purchased one, and  also got our first high speed internet connection - all in the same day!  At that time the PC that we bought was a mid line machine, 900MHz AMD processor, with 512 MB RAM, and 32MB video card running Windows ME.

During this time I had about 5 years on as a police officer with my agency and was working uniform patrol, with my life centered around shift work.  I also have a passion for online gaming, so after my night shifts, to unwind I would play my share of PC video games.  This eventually wore off after about 4-5 months. I still played but not as extensively and started learning about my computer.  So what's the first thing I did?  Well I read the motherboard manual for our computer front to back and learned what a BIOS was.   I learned how to do BIOS upgrades, which were frowned upon.  I also discovered that I did not have a software firewall so I did some research on firewalls and discovered Zone Alarm which I promptly installed.

Pretty much that launched my interest into learning about the Internet, how it worked, protocols, firewall basics, and learning about data mining or open source intelligence gathering.  It was stunning to discover how much information could be found online about persons, places or things if you just looked hard enough.

Eventually in 2001, I made a convincing argument to my Inspector at that time, who allowed me to take a distance learning course from the Canadian Police College called Internet Searching Techniques Basic.  I sailed through this course as everything that was contained in the student manual I had already learned on my own.  So it was a nice way to validate self-taught knowledge.

I was still in patrol working shifts so I took another distance course offered by the University of Calgary, called Computer Crime Investigations and Computer Forensic Training.  This computer based training course taught me the basics of digital evidence preservation, hash values, hard drive structure, clusters, sectors, and MBR etc.  I finished this course and wanted to learn more! 

So with that in mind, in 2002, I transferred from patrol to a public relations unit, which took me away from shift work and back to a normal lifestyle.  Between 2002 and late 2003 I obtained my A+ certification and my CISSP certification (both on my own dime) and went to Ottawa (covered by agency and the RCMP) to take the basic 3 week Electronic Search and Seizure Course at the Canadian Police College.  I also finished the Intermediate and Advanced Internet Searching Techniques. 

In between I managed to muck around with Linux and teach myself the basics of the Linux command line, dual-booting Windows and Linux.  I hacked my own root password because I locked myself out of the local user account on the box, and broke the software on both Linux and Windows, causing several re-installs and upgrades from Windows 98 to 2000 to eventually XP Pro.

I was lucky that I had an Inspector and a Staff Sergeant that supported my career aspirations.  They both knew that I had a desire to get into the Technological Crimes Unit (TCU) and do digital forensics. They realized that although I was doing a really good job where I was currently assigned, I belonged in another area. In November 2003 I was seconded into TCU and must have done a decent enough job that in March 2004 my transfer was made permanent.  

Since then I haven’t looked back. I have found a career in digital forensics to be the most rewarding, satisfying and challenging work, and would never consider anything else.  Every day there is a new challenge to learn and overcome; the quest for new knowledge and discovery.  And of course there is also the look on the face of the investigators when they ask how did you do that or how did you figure that out....and I just smile...elementary my dear...well you know the rest...:)

AFoD: Did you learn anything during your days working as a patrol officer that helped you become a better forensic examiner?

SP: Hmmm...interesting question Eric.  I have had to give this some serious thought.  My memories about my patrol days can essentially be divided into two categories: good partners and crappy partners.  It seems that my crappy partners were always bent on never wanting to really investigate anything, or never completing what they started and the leftovers falling into my lap to finish up.  Seeking advice from them, I realized, was like pulling teeth. What this category of partners did teach me is what I would not do with any partner that I was either training out or working with.

Now to the good partners.  They taught me to become meticulous, and tenacious in what I was investigating.  They never offered any advice - rather they worked with me to complete the investigations; I was encouraged to trust my instinct and keep detailed notes about my investigative actions on any file that I was the primary investigator on.

One of the most important things I learned was to interview everyone and anyone that I came into contact with: witnesses, victims, suspects and accused.  This taught me to appreciate how to extract, confirm and verify details. Every interaction with a member of the public, regardless of their position or reasoning for coming into contact with the police, was an opportunity to practice verbal skills, and experience the non-verbal mannerisms displayed by persons from diverse backgrounds.

So how does that apply to digital forensics?  Well, it’s the investigative mindset.  You see, patrol work is primarily responsive policing.  Typically front line patrol officers are reactive policing resources.  They start off the initial investigation by being first responders on a scene. And after, they might continue to carry the case through to its resolution - whether that is laying charges, or closing the file without charges depending upon the nature of the information.  In my case I was lucky enough to pick up investigative files and have an opportunity to work in an investigations unit, seconded temporarily from patrol for about 1 year.  I really enjoyed this and knew then that I wanted to investigate things.  I just didn’t know which direction my policing career would take to get me to investigations.

When I realized that technology and crime were the direction that policing was going back in 2001, I started to understand how to use the Internet to search out details about subjects I was pursuing.  And finally ending up working in the Technological Crimes Team (TCT) gave me the ability to assist with criminal investigations that have a technical component.  So having an interest in doing investigations, learned during my patrol days, certainly has helped me when I deal with investigators that come seeking help from TCT and me.

AFoD: You've developed a reputation of being a leading practitioner and researcher in the area of mobile device forensics. What captured your interest about mobile device forensics and how did you develop your abilities in that area?

SP: Eric...you have an interesting perspective.  I honestly don’t feel that I have this reputation or am a leading practitioner of mobile device forensics.  But I am truly humbled and appreciative of your opinion.

What captured my interest in this area resulted from getting requests for extracting data from cell phones, BlackBerry and other PDA devices.  This started around 2004 just after I got into tech crime. I remember speaking with my then unit supervisor (now retired) and telling him that mobile devices are going to be the next big wave in forensics.

This precipitated finding software to do extractions of such devices such as manufacturer specific tools (PST), SIM card software like SIMCon, BitPim, mobilEdit!, Oxygen Forensic (when they were all free); reading Svein Willassen's invaluable papers and not to mention Eoghan Casey, whom I recall as documenting in one of his early digital forensics books cell phone forensics and SIM card analysis.

Within a matter of months the TCT for the Calgary Police Service had gone from knowing very little about cell phone and SIM card forensics to having a basic working grasp on how to extract the data.  Our trouble at that time was finding proper analytical tools that could parse the content.  Pretty much there was only Paraben, which in its older toolkit had PDA Seizure and Cell Phone Seizure, which is now combined into an integrated product called Paraben Device Seizure (PDS).

One of the ways in which I developed my abilities was to learn as much as I could about cell phone data extraction and analysis.  What information did the mobile device store versus the SIM card?  What was the best method of processing an on-state device versus an off-state device? Short of Faraday shielding, I learned that Airplane Mode (or its equivalent) was a good method of radio-isolating a device.

I also adapted concepts from general computer forensics and applied them in standard operating procedures for mobile device analysis, like device date/time verification against actual, manual verification of data extracted against the handset, photographic capture/documentation of any data not extracted, and following the concepts of most forensically sound process to the least forensically sound process.

It wasn’t until the late summer of August 2006 that I took my first real cell phone analysis course taught by the infamous John Thackray, who was at that time an instructor for Micro Systemation (XRY).  That course essentially grounded all the concepts that were self-taught and verified that what I had learned through all the forums, white papers and numerous other electronic and print sources was correct.  In essence I had followed sound practice and methodology as best as one could with the tools that existed.

In December of 2007 a mentor and very good friend of mine encouraged me to write a small article on cell phone forensics based on what I had learned.  Well, that article turned into a white paper that I co-authored with Rick Mislan in SSDFJ.  It was my first attempt at documenting general mobile device concepts and analysis procedures.  What I didn’t know was that this was just the start.

Not soon after, whilst I was doing some guest instruction at the Canadian Police College in Ottawa, several questions were posed about the structure of the BlackBerry IPD file.  It was then that I realized there really was not a single source document that talked about BlackBerry forensics, the BES, or even a detailed overview of the IPD structure.  This realization spawned another research project with several LE colleagues and culminated in a presentation at MFW 2009 on BlackBerry Forensics.

In summary, exposure to an overwhelming number of devices since 2004, lots of self-based learning through white papers, guidance from colleagues and peers, and determination allowed me to develop my abilities.

AFoD: You've engaged in a considerable amount of research in the area of Blackberry forensics. What's the current state of digital forensics tools and methods for Blackberries?

SP: Eric, I have been doing BlackBerry forensics for the last 6-7 years now.  I remember starting to see BlackBerry devices as early as 2004.  From that time onward, I have not observed any one entity or commercial group really tackle the logical data extraction and parsing for this device.

One of the earliest methods of analyzing BlackBerry data was to "mount" the backup IPD file inside a BlackBerry simulator through a virtual USB connection.  In 2004 really no tools supported parsing the IPD structure.  Then through the forums ABC Amber BlackBerry Converter was being mentioned as the best solution, with a low cost.

It essentially did what no "forensic" tool could do at that time and even up to recently.  Between 2004 and up to 2010 we have the following state of BlackBerry forensics:

1. The developer and creator of the ABC Amber BlackBerry Converter appears nowhere to be found.  My last communication from him was received at the end of September 2010.  Any attempts to purchase the software fail.

2. None of the major forensic vendors either on the computer side or the mobile device side have really taken the time to properly decode the BlackBerry IPD file structure. 

2a. EnCase as of now at version 6.18 still does not support the decoding of this file.  There are two third party scripts that do a decent job of parsing the IPD.

2b. FTK 3.2 just started supporting parsing of the IPD file but only decodes a certain number of databases.

2c. Paraben Device Seizure, Oxygen Forensic Software, UFED Physical Analyzer Pro only support parsing a select number of databases within the IPD file.

3. There is a distinct lack of a standalone product which can properly read, decode and display the parsed data to the investigator at a decent price.

I know that my own research along with that done by my colleagues has determined that not all the data present within the IPD structure is being parsed.  Part of the reason, I believe, is that very poor documentation exists on its structure.  So this requires some significant time and effort, where the generated test data that is decoded needs to be validated against not only the device that generated the IPD file but also across different OS versions.

Here is a list of commercial software that supports parsing of an IPD file created with either BlackBerry Desktop Manager or UFED Physical.

1. Cellebrite Physical Analyzer Pro Software

2. EnCase Script by 42 LLC available for free from their website

3. FTK 3.2 - ensure that compound files are checked off, otherwise it won't work

4. BK Forensics, Cell Phone Analyzer

5. Oxygen Forensic Suite Analyst Version

6. Paraben Device Seizure

Free tools that will parse IPD files to varying degrees:

1. IPDdump

2. MagicBerry

Beyond the tools, there is no BlackBerry Forensics book.  This smart phone device has been around longer than the iPhone and Android devices and yet there are numerous whitepapers and 2 books on iPhone Forensics, and a forthcoming book on Android Forensics. I approached both O'Reilly and Syngress about publishing the research conducted in 2009 as a book.  Unfortunately neither publisher expressed interest in the manual.  Thankfully around September 2010 a well respected peer and colleague approached me about publishing this research to which he has taken on securing an editor, who has already reviewed the manual.  I hope to have the 2009 research published finally by the end of 2011.

AFoD: That's great news, Shafik. The community could really use a good book on Blackberry forensics. You're also involved in a tool development project for Blackberry forensics.  Can you tell us more about that effort?

SP: My research colleague and I have been involved in understanding how to deconstruct the BlackBerry IPD file and parse the user data. Unfortunately there is very little documentation on it. The technical article provided by RIM only outlines the header data and how to understand the basic structure of the data record block.  It does not provide the structure, for example, for call records and call record variations (incoming, outgoing, missed).

So obviously we will have to develop our own documentation on how to decode the values and parse out as much data as is retained within the IPD file. I would love to talk to you about the tool.  However at this time, we’re just trying to find ways to bring new capabilities to the market that will enhance the search for data on the BlackBerry.
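The answer above describes the IPD container as documented only at the header and record-block level, with the per-database field meanings left undocumented. As an added illustration, not code from the interview, the blog, or any of the tools named on this page, here is a small Python walker for that outer structure. The byte layout in the docstring is stated as an assumption (it follows RIM's public description of the format as this editor understands it); the sample IPD bytes are constructed inline, and the database names, handles and field-type values in them are placeholders. The parser deliberately stops at the container level and returns raw field bytes, because interpreting them per database is exactly the gap the answer describes; every length is bounds-checked so a truncated or malformed backup is rejected rather than misread.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Magic string that opens every IPD file (38 bytes including the newline).
IPD_MAGIC = b"Inter@ctive Pager Backup/Restore File\n"


@dataclass
class IpdRecord:
    db_name: str
    db_version: int
    handle: int
    uid: int
    fields: List[Tuple[int, bytes]]   # (field type, raw field data), uninterpreted


def parse_ipd(data: bytes) -> Tuple[List[str], List[IpdRecord]]:
    """Walk the IPD container and return (database names, records).

    Assumed layout (an assumption for this example, not taken from the page):
      magic, 1-byte format version, 2-byte big-endian database count, 0x00,
      then per database a 2-byte little-endian length (NUL included) and the
      NUL-terminated name; then records until end of file, each being a
      2-byte LE database id, 4-byte LE length of the rest of the record,
      1-byte database version, 2-byte LE handle, 4-byte LE unique id, and
      fields made of a 2-byte LE length, a 1-byte type and the data.
    """
    if not data.startswith(IPD_MAGIC):
        raise ValueError("not an IPD file: bad magic")
    pos = len(IPD_MAGIC)
    if len(data) < pos + 4:
        raise ValueError("truncated IPD header")
    pos += 1                                   # format version byte, unused here
    (db_count,) = struct.unpack_from(">H", data, pos)
    pos += 2
    if data[pos] != 0:
        raise ValueError("missing separator after database count")
    pos += 1

    names: List[str] = []
    for _ in range(db_count):
        if len(data) < pos + 2:
            raise ValueError("truncated database name table")
        (name_len,) = struct.unpack_from("<H", data, pos)
        pos += 2
        raw = data[pos:pos + name_len]
        if len(raw) != name_len:
            raise ValueError("truncated database name table")
        pos += name_len
        names.append(raw.rstrip(b"\x00").decode("latin-1"))

    records: List[IpdRecord] = []
    while pos < len(data):
        if len(data) < pos + 6:
            raise ValueError("truncated record header")
        db_id, rec_len = struct.unpack_from("<HI", data, pos)
        pos += 6
        body = data[pos:pos + rec_len]
        if len(body) != rec_len:
            raise ValueError("truncated record")
        pos += rec_len
        if rec_len < 7:
            raise ValueError("record shorter than its fixed header")
        if db_id >= len(names):
            raise ValueError("record references an unknown database")
        db_version = body[0]
        handle, uid = struct.unpack_from("<HI", body, 1)
        fields: List[Tuple[int, bytes]] = []
        fpos = 7
        while fpos < rec_len:
            if rec_len < fpos + 3:
                raise ValueError("truncated field header")
            (flen,) = struct.unpack_from("<H", body, fpos)
            ftype = body[fpos + 2]
            fdata = body[fpos + 3:fpos + 3 + flen]
            if len(fdata) != flen:
                raise ValueError("field runs past end of record")
            fields.append((ftype, fdata))
            fpos += 3 + flen
        records.append(IpdRecord(names[db_id], db_version, handle, uid, fields))
    return names, records


def _record(db_id: int, db_version: int, handle: int, uid: int,
            fields: List[Tuple[int, bytes]]) -> bytes:
    """Serialize one record in the assumed layout (used to build the sample)."""
    body = bytes([db_version]) + struct.pack("<HI", handle, uid)
    for ftype, fdata in fields:
        body += struct.pack("<H", len(fdata)) + bytes([ftype]) + fdata
    return struct.pack("<HI", db_id, len(body)) + body


def build_sample_ipd() -> bytes:
    """Constructed sample: two databases, two records, placeholder field types."""
    names = [b"Phone Call Logs", b"Address Book"]
    out = IPD_MAGIC + bytes([2]) + struct.pack(">H", len(names)) + b"\x00"
    for n in names:
        out += struct.pack("<H", len(n) + 1) + n + b"\x00"
    out += _record(0, 1, 0x0001, 0x10000001,
                   [(0x01, b"5555550100\x00"), (0x02, b"\x01")])
    out += _record(1, 1, 0x0002, 0x10000002, [(0x20, b"Example Contact\x00")])
    return out


if __name__ == "__main__":
    dbs, recs = parse_ipd(build_sample_ipd())
    print("databases:", dbs)
    for r in recs:
        print(f"{r.db_name}: uid=0x{r.uid:08x} handle={r.handle} fields={len(r.fields)}")
```

Run stand-alone it lists the two placeholder databases and their records; against a real backup the next step would be a per-database decoder for the raw `(type, data)` pairs, which is the documentation effort the answer says still has to be written.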

AFoD: Got it. You could tell me, but you'd have to kill me. A common theme that I see on the digital forensics email lists is confusion over what tools work best for mobile device forensics.  What sort of tools are you finding the most useful for your examinations?

SP: The tools that I find the most useful for my examinations at the current time are:

1. Cellebrite - good general purpose tool
2. .XRY Complete - good general purpose tool
3. Lantern - iPhone specific
4. Secure View 2 - good general-purpose tool
- Both Cellebrite and .XRY support certain models for physical level analysis; they don't do every phone in that manner.

Flasher Boxes
1. UFS/Tornado - good for physical level binary dumps of specific supported models of cell phones

For iPhone Backup Files:
1. Mobile Sync Browser (Windows and Mac)
2. Juice Phone (Mac)
3. iPhone Backup Extractor (there are 2 apps with the same name made by different companies, unrelated to each other)
3a. iPhone Backup Extractor - (Windows, Mac and Linux)
3b. iPhone Backup Extractor - (Mac)
4. iTwin - (Windows)

iPhone (NOT Forensic Tools)
1. Phone View (Mac)
2. iPhone Explorer (Windows, Mac)

Photographic
1. Fernico ZRT

SQLite Database Analysis
1. SQLite Personal Expert - Free version (Windows)
2. SQLite 2009 Pro (Windows)
3. SQLite Spy (Windows)
4. Base (Mac)
5. Froq (Mac)
6. SQLite Database Browser (Mac, Windows, Linux)

BlackBerry IPD Parsing
1. ABC Amber BlackBerry Converter
2. UFED Physical Analyzer Pro
3. 42 LLC EnScript for IPD Parsing in EnCase
4. Paraben Device Seizure - only for IPD parsing as last resort
5. Magic Berry (Windows)
6. IPDdump (Windows, Linux, Mac)

Cell Phone/Smart Phone Binary File Analysis
1. UFED Physical Analyzer Pro

Data Carving Cell Phone Files
1. Phone Image Carver
2. FTK 1.81.6
3. EnCase

Now this looks like a lot of tools that I have listed.  And yes, I have used each and every one of them depending upon what I needed to do.  The tools that my agency has in its arsenal are also dependent both on our software budget and the types of mobile devices that we encounter.  As you well know, no one tool does it all.  So it's good to have several toolkits that attempt to cover the most number of devices that you are encountering.

AFoD: What sort of advice would you give to someone who is already proficient in traditional computer forensics such as Windows forensic analysis, but wants to become proficient in mobile device forensics?

SP: Traditional computer forensic skills provide an excellent foundation for mobile device forensics. Several things to consider though are the following:
· Mobile device forensics is not static forensics in that you cannot "write-protect" a mobile device currently
· Every user action on a live device can cause unintentional changes to memory - this is unavoidable; try to minimize this impact by doing some research about the device prior to analysis
· Mobile devices can be susceptible to remote manipulation or wiping if they are not isolated from all wireless connections
· If you end up altering data on the device due to "fat-finger syndrome" - document it!!!
· There is no all-in-one solution that does every single device that gets everything from the device
· There are different levels of analysis as identified in the tool classification system white-paper by Sam Brothers: Manual Extraction (capture contents of device display), Logical Extraction (file system only), Physical Extraction (hex dump), Chip Read, and Micro Read.
· As you move along this continuum, the methods become more technical and the tools become more expensive
· Don't forget to utilize traditional computer forensic tools in data carving or data parsing (iLooKIX, EnCase, FTK, WinHex, ProDiscover etc)

AFoD: Do you have particular books, blogs, training programs, and the like that you can recommend?

SP: Books
Just like there is no all-in-one tool for mobile devices, there is no all-in-one book for mobile devices. There are platform specific books that one can purchase specifically for iOS devices, Android and hopefully soon to be BlackBerry. :)
1. iPhone Forensics - Jonathan Zdziarski
2. Mac OS X, iPod and iPhone Forensic Analysis - Ryan Kubasiak
3. iOS Forensic Analysis - Sean Morrissey
4. iPhone and iOS Forensics -  Andrew Hoog, Katie Strzempka - release date June 2011
5. Android Forensics - Andrew Hoog - release date June 2011

Blogs and Forensic Groups
1. Mobile Telephone Evidence
2. Mobile Device Forensics
3. Mobile Forensics Central - operated by Teel Technologies
4. viaForensics
5. OS X Forensics Blog
6. Mobile Forensics Inc
7. Katana Forensics Blog
8. E-Evidence - contains a large repository of links, papers etc
9. Yahoo Cell Phone Forensic Groups - needs a Yahoo account
10. SANS Forensic Blog
11. Small Scale Digital Device Forensics Journal
The above list is certainly not exhaustive. I encourage any of the readers to examine these links to find more.

Training Classes
1. Teel Technologies
2. viaForensics
3. MFI - Mobile Forensics Inc
4. SANS Mobile Device Forensics 563
5. Cellebrite
6. XRY Microsystemation
7. Katana Forensics - specific to iOS Forensics
8. BK Forensics
9. Canadian Police College - Cell Phone Seizure and Analysis Course
10. Search.org - has basic 101 type classes on cell phone seizure and analysis

Again, the list above is not exhaustive - it contains both vendor specific and vendor neutral training. Gear your training to what you are encountering in the lab, if at all possible.  Much of the basic level knowledge can also be acquired by reading the many white-papers and resources that are available through the links.

As one of my esteemed and learned colleagues always says: "No man is an island".  This means that having a wealth of forums and groups that you can participate in will help you as well, especially if you’re stuck.  You can’t know it all or be expected to know it all.  However, what I would expect an analyst to know is the basic tenets/foundational principles for digital forensics, which can be learned from the online resources. One last thing: there have been updates to both Cellebrite and XRY products regarding BlackBerry IPD file parsing. Cellebrite 2.0 can parse more of the IPD file than its 1.x predecessor. XRY 5.4 will now parse an imported IPD file under the BlackBerry/RIM profile, although it's a little unclear on how to do this unless you read the release notes.

AFoD:  As you look out over the next five years or so, what do you think mobile device forensics is going to look like given all of the innovation that we've seen not only from companies like Apple, Motorola, and the rest but from the companies that provide tools and training for mobile device forensics?

SP: Given the inevitable convergence of mobile platforms with the traditional operating systems, like iOS for example, the distinction between traditional computer forensics and mobile device forensics will not be so cut and dried.  In both types of digital forensics there is the common theme or element of live forensics.

Further, the use of solid state drives (that contain NAND memory components) on desktop and laptop hardware is already present in mobile platforms and their tablet cousins. This means that smart mobile and tablet devices will exceed the 64GB storage capacity in no time.  Examination of such devices will take almost as long as traditional data storage devices.  So don’t expect it to be quick and easy like it was several years ago, pre-2007, where you could do at least 2-3 phones a day through logical level analysis.

I think that flasher box and chip level analysis is going to become not only more affordable but also another widely used option for data extraction from almost any device that uses NAND chips.  This will allow for recovery of deleted artifacts, but on the other hand this analytical method will require more training and will be considered an advanced method for analysis.  We might also find the Cellebrites and XRYs add in parsing capability for these binary dumps into their toolkits.

Consider that Teel Technologies is already doing flasher box and chip level extraction research and development in order to provide quality training, knowing that digital forensic techniques for mobile devices are going to this level.

Now some readers might be thinking, why is going to such a low level for data extraction required?  The logical (or allocated) data might sometimes not be enough.  It was so in one important case that I worked on, where the binary level reads done by Cellebrite Physical were critical.  With Ron Serber's (Co-CEO of Cellebrite) assistance, I was able to decode and recover deleted pictures, text messages, contacts and call history from the NAND memory chip of a Samsung device.

Another thing for the reader to note is the integration of mobile device artifact extraction and analysis within the traditional digital forensic tools.  Examples are EnCase and AccessData's FTK 3.x product.  They have already been doing this for the last several years, but are adding more capacity.  The MPE+ product from AccessData (developed in conjunction with MFI) is, I feel, another toolkit for the analyst that might be worth possessing.

With mobile device platforms specifically becoming like the operating systems that we are familiar with, we can leverage tools like CacheBack (SiQuest Corporation) for analysis of Internet history, web pages, and Facebook Chat recovery.

And lastly we have already seen platform specific analytical tools like Lantern (Katana Forensics) developed specifically for iOS devices.  I don’t doubt that you will likely see one for the Android and BlackBerry devices as well. 

The only challenge will be this:  How much budget money does one have to be able to have a wide array of tools?  It is an accepted fact that the more tools you have at your disposal the more likely you are to be able to successfully analyze a device or a fixed system.  Software and hardware tools that allow us to do our jobs can be expensive, just like the training required in this area.

AFoD: What can we expect to see from you in the next year or so?

SP: I hope to have the 2009 research published and ready for MFW 2011.  If all goes well, look for the book in Myrtle Beach for its opening debut. After that the book will only be available as a hard copy from the publishing arm of SiQuest Corporation. Or alternately, if you take a Teel Technologies BlackBerry Forensics Class, it will be provided as part of the class content in the future.

Expect more R&D being done on smart phone devices in general.  This includes chip read methods, and analysis.  I am assisting where needed on this project, which is being led by my learned, esteemed colleague and very good friend Detective Bob Elder from Victoria Police Department (Victoria, BC).  Both Bob and I have our own private sector companies that do R&D as well as training.  We are lucky that our respective agencies have allowed us the privilege of doing this.  It benefits our LE agencies as well as us, especially when it comes to expertise and qualifications.

The intent behind this method is to address any data storage device that uses NAND storage flash memory.  If we can remove the chip, read it and apply the correct flash translation layer algorithms then we can recover the data.

There are a number of mobile forensics training courses that are being offered by Teel Technologies, from the basic 101 type classes to the advanced classes for the BlackBerry, iPhone and Android platforms.  For those readers that are interested, check out www.teeltech.com.  Teel has the Mobile Forensics Central database repository, where examiners can query mobile devices to see which tools work with which devices.

Teel also has a specially designed Advanced BlackBerry Forensics training course that was first given to the members of the US FDA back in January 2011.  I designed this course based on the work that I have done in this area over the last 6 years.  The course content consists of 10 chapters/modules, with over 500 pages of material, which includes concepts on OS 5 and OS 6 and BlackBerry Messenger data extraction and parsing.

Also keep an eye out for CacheBack (developed by John Bradley of SiQuest Corporation).  This is an excellent Internet history, web page reconstruction and Facebook Chat recovery tool.  I have observed this tool mature from its 2.x version to a much more stable and faster 3.5.x release where it now supports parsing of Safari, Firefox and Google Chrome artifacts from a Mac OS X system.  It simply amazes me how quickly John is able to release updates to his product and respond to any bugs or issues with CacheBack.  I know that when I have identified something, he usually has an update release within 48 hours.  I see that as dedication and commitment to one's clients.

The BlackBerry research will continue onward in conjunction with my very close friend and research colleague, Sheran Gunasekera.  He has a very informative blog which contains scattered thoughts on security, and also includes forensics.

Overall, I'm very excited about all the research and tools coming out this year.  The BlackBerry is no longer the blackbox system that it used to be.  My hope is that other examiners are able to benefit from my research and tackle forensic examinations of the device with a little more ease.

Wednesday, March 30, 2011

A Little of Everything

I’m working on a variety of interviews and I hope to get the first one out shortly.  It’s an interview with Shafik Punja that is focused on mobile device forensics. This interview will be of particular interest to those who are interested in Blackberry forensics.

To The Cloud

I found out from David Klopp’s Twitter feed that the Amazon Cloud Player service has gone live. Couple this with services such as Apple’s iDisk and Dropbox and it’s a good illustration that this sort of cloud service is going to be increasingly embraced by consumers. This means it will be an important aspect of live response in digital forensics. The data that is relevant to your investigation might very well not be on the actual hard disk when you go to seize a computer and you could miss it if you aren’t careful in how you plan the acquisition phase of your investigation.

As I’ve said before, “The Cloud” isn’t anything new, but it’s increasingly popular at the consumer level because of the convergence of technologies such as virtualization, inexpensive hardware, and inexpensive high speed broadband access. It’s certainly not a fad and it’s something that is here to stay so we have to take it into account when planning our investigations. It’s just one more aspect of how live response is important in digital forensics.

A Fragmented Community

The invaluable David Kovar put up an excellent piece on his blog about the fragmentation of the digital forensics community that has prompted a series of discussions pretty much everywhere you look in the community such as Twitter, email list servs, and other blogs. In other words, the discussion spawned by the blog post nicely illustrated David’s point.

The way I handle the fragmentation is to leverage the various social networking and email technologies that are available to me. I have all of my email list servs going into a Gmail account which gives me a sort of comprehensive email experience that creates a unified digital forensics list serv for me.  My primary form of interaction with the community other than email has been through Twitter. I have found crafting my own Twitter digital forensics community (based on who I follow and who follows me) to be a great way to quickly get curated news that is of interest to me as a digital forensics practitioner.  David Klopp’s Tweet about the Amazon Cloud Service is a good example. Would I have heard about the service eventually? I certainly would have, but I heard about it quicker because I follow David’s Twitter feed.  The fact that this sort of information comes from someone who I have chosen to trust enough to follow also means that new items come with a certain level of credibility. If another digital forensics person like David finds something interesting, there is a good chance that I’ll also find it interesting.

I also find it increasingly important to make it out to digital forensics conferences such as CEIC and the SANS Forensic Summit so that I can meet people face to face. There really is something about placing a face to a Twitter handle and it’s a nice way to build relationships that you can enjoy in the future both professionally and socially.

Is the Sky Falling?

Craig Ball put up a thought-provoking post on the potential end of digital forensics due to data set sizes. While I don’t agree with Craig that we’re at risk of the demise of digital forensics because of this issue, I do agree that this problem will prove to be transformational for the digital forensics community. As the old saying goes, necessity is the mother of invention and these data set sizes have contributed to innovation in tools and processes such as how we handle triage issues. Like Craig, I’ve seen the demise of digital forensics predicted with almost predictable frequency over the years. The fact is that what we do is the convergence of technology and law. There will always be a need for technology to be examined for legal purposes in some manner. While I can’t predict what the digital forensics world will look like a decade from now, I’m confident there will still be a digital forensics world at that time.

The Underground Economy of Stolen Intellectual Property

I ran across this article while experimenting with Flipboard a couple days ago. This VentureBeat article is based on research by McAfee and SAIC and talks about how the criminal element is profiting from the theft of corporate intellectual property. This makes perfect sense to me given that we have actors such as nation states who are already working hard to steal and exploit commercial intellectual property. If you are an intelligence agency with a laundry list of information that you are tasked with obtaining, why not just pay for it if the opportunity presents itself? If you are the criminal element, you’re going to exploit any profitable market that you can especially if it’s one that is lucrative and has a low risk of detection and prosecution. This is as good of an illustration as any of why I’m not concerned about the end of digital forensics.

So Nice I Bought It Twice

So I bought another copy of Harlan’s Windows Forensics book so I could put it on my shiny new iPad 2 via Amazon’s Kindle application. I already had the physical version, but I decided it was worth it to just get a Kindle copy so that I could access it on my iPad while doing forensics work. I love being able to quickly search my reference books while doing an exam. It’s also nice to have the book open on the iPad rather than on an exam computer itself so that I don’t lose any screen real estate that I need for my examination tools. Digital forensics is very much an open book job. There is so much to know that it’s important to have access to other people to ask questions and reference materials to look up information. Having material like Harlan’s book available to me through electronic means is very useful.

Please Don’t Steal My Stuff

I recently found one of my blog posts entirely reposted on someone else’s website without providing any sort of attribution. This is very bad behavior and everything on this website is protected by copyright. I’m pursuing my legal options and that’s something you can just expect to happen if you do the same. If you really like my work, it would be much nicer if you’d just nominate me for a Forensic 4cast award rather than stealing it and passing it off as your own work.

Best. Presentation. Title. Ever.

This distinction goes to Braden Civins for his “Fire Down Below: How the Underwear Bomber Revealed the U.S. Counterterrorism Community as Hemmed in by the Seams of Legislative Ambiguity” for the upcoming 2011 SATSA conference.

Sunday, March 20, 2011

COINS-EH

SANS has issued a promotional code for the Computer Forensic Investigations - Windows In-Depth class that I’ll be teaching at SANS New Jersey 2011 in May. Use the code COINS-EH for a ten percent discount on the class. If you are a state or local law enforcement officer, you can use the code locallaw50 for a fifty percent discount.

Windows Registry Analysis

I posted my five star review of Harlan’s Windows Registry Forensics book on Amazon. The executive summary is that if you couple the book with his previous Windows Forensic Analysis, 2nd Edition, you get Windows Forensic Analysis: The Director’s Cut. It’s a fine book and will make for a great addition to your digital forensics library. I’ve added it to my “Learn Digital Forensics” Amazon guide.

Digital Forensics Framework

Version 1.0.0 of the Digital Forensics Framework has been released. I wasn’t even aware that there was a Digital Forensics Framework until I read on my Twitter feed this week that this version had been released. It looks fascinating and I’m looking forward to downloading it and seeing what it can do.

EnCase Version 7

The Guidance Software marketing machine has been spinning up in support of the next version of EnCase. Guidance is offering sneak peeks at a variety of locations around the world over the next couple months. I’m going to try and make the event that will be held in NYC on April 15th. Joseph Shaw attended one of these sessions recently and put out a considerable amount of great information on his Twitter feed.

Must. Watch. The. Footy.

Okay, so you can stop reading at this point if you came here, oddly enough, expecting just to read about digital forensics. I know I have quite a few international readers as well as quite a few people in England who read the blog so I’m going to engage in some wanton self-indulgence and talk a bit about football. It won’t be something you’ll have to endure on a regular basis, I promise.

For whatever reason, I’ve recently fallen under the spell of English Premier League football. Since I played both as a full back and a goalkeeper competitively during school, I think it was a latent and pre-existing condition that has been inflamed by some of my English digital forensics friends. To be frank, I place the blame squarely on the heads of Simon Steggles and Lee Whitfield of Disklabs because they tend to Tweet while watching their favorite teams play. I resisted as long as I could, but after becoming curious about what all of the fuss was that caused them to Tweet so much about it, I became hooked.

Here’s why I am bringing this out on the blog. I’m very curious about how people come to support their favorite football club. I figure in England, it’s just like it is here in the United States when it comes to NFL football. I love the NFL and I’m a Chicago Bears fan. I’ll be a Bears fan for life and that’s partially because of family and geography. I’d love to hear from my English readers to see if it’s the same for them when it came to picking their favorite club. I’d especially like to hear from the people outside of England who have a favorite English football club that they support and how they came to pick that club. Feel free to respond via my email that you can find on the right hand side of the blog.

Personally, I think if you are new to watching a league like the EPL, you can’t just arbitrarily pick a team. Well, you can, but it’s just not something I can see myself doing. I think you have to have a team pick you. It’s also apparent to me that the wonderful promotion and relegation system means if you are an international fan and are serious about picking a club to support, you have a limited number of teams realistically available. Fox Soccer offers a small number of EPL games each week and if your team gets relegated, you are unlikely to be able to see their games on television until they get promoted again. Thus, if you are serious about being able to watch and support your club, you’re going to want to select one that has a low chance of being relegated. Let me know if you disagree and why.

Friday, March 4, 2011

408 With Eric

The unstoppable Lee Whitfield had me on Forensic 4cast yet again last weekend. As I mentioned on the podcast, I’ll be teaching SANS FOR408 Computer Forensic Investigations - Windows In-Depth at SANS New Jersey 2011. The class will be held from May 9th through the 14th at the Hyatt Morristown. SANS has secured a group discount for the rooms so the price is very reasonable and the location is great. It’s in the downtown Morristown area and is close to many great places to eat after class. The location is also very close to a train station if you want to go into NYC.

Ryan Kubasiak

I finally had the pleasure of not only meeting Ryan at the last Northeast HTCIA chapter meeting, but listening to him put on a two hour presentation on all things Apple forensic.  Ryan is an amazing talent in this area of digital forensics and does a great job teaching about Apple forensics. If you ever have a chance to hear him present, I highly recommend it. He’s also the person behind the Apple Examiner website which is, oddly enough, dedicated to Apple digital forensics. I’ve added the RSS feed for that site to the AFoD Blog roll so you can see whenever new content is added.

Podcast List

I’ve converted the podcast list for the blog to track the RSS feeds for the various podcasts that I listen to and recommend to others.

AFoD Facebook Page

I admit it. I caved. I finally went ahead and created a Facebook page for the blog. As much as I like Twitter, I know that Facebook is where everyone is these days even if I don’t necessarily care for it. I have to admit it has been nice to interact with everyone through a social networking method that gives me more than 140 characters to work with when I want to write something.

Sunday, February 20, 2011

Behold! The Future?

The last blog post resulted in quite a few discussions with a variety of interesting people. Several other bloggers such as Harlan Carvey, Lenny Zeltser, and David Sullivan picked up on the post and discussed it in their own blogs. One of the conversations that planted a seed in my mind was one that I had with Jake Jacobson. You probably don’t know Jake, but I’m working on fixing that. He’s one of the two people who I am currently interviewing for the blog. Jake is a digital forensics leader for a government digital forensics lab. He has a tremendous amount of experience in the field and I enjoy talking to him because of his insight into a variety of topics in digital forensics.

In our conversation, Jake posited that the Motorola Atrix might be a vision of the future of mobile computing. As I discussed it with him and thought about it more after our conversation, I think he’s correct. While I’m not necessarily predicting the demise of the laptop computer, I think we’re approaching a time where the traditional laptop device is going to be deemphasized at least in the consumer market. What I find fascinating about the Atrix is that it’s the first dockable 4G smartphone that I’m aware of being marketed by a major manufacturer. The Atrix dock allows the user to connect their phone to an HD monitor as well as a keyboard and mouse. Essentially, it’s a smart phone that can be at least partially used in the manner of a traditional dockable laptop computer. However, it’s not necessarily being marketed as a replacement for a laptop computer. In fact, it has a Lapdock that allows the device to connect to a laptop. However, it’s easy to see that as time and technology march on, these sorts of devices could start replacing laptops in at least some circumstances.

One of the major divides with computing devices is the ability to consume content and the ability to create content. Traditional desktop and laptop devices are able to create content as well as consume it.  Mobile devices like smart phones and tablet computers are primarily designed to consume content. As these devices become more powerful, they will increasingly be able to create content. However, it’s not just processing power that is a barrier to content creation. The user interface is also a key issue.  Even if your smart phone was capable of content creation, do you really want to do it on a four inch touchscreen? That’s not a design that is conducive to long or complicated content creation sessions. However, if you could dock your smart phone into a docking station and use a mouse, keyboard, and monitor (which may also be touchscreen capable), the user interface experience is no longer a barrier.

So then I wonder about disk space. Technological advances continue to drive the price of storage technology down all the while increasing what can be stored on ever shrinking storage devices. Even now there is a significant amount of storage capacity on smart phones through the use of high capacity microSD cards. I think that as wireless bandwidth becomes cheaper, faster, and more reliable, we’ll see increased use of cloud based storage solutions that can be used for content creation rather than just content storage. In the future, I doubt we’ll need terabytes of storage on a mobile device to be able to use terabytes of data for content creation purposes on that same device.

While I‘m still not predicting the demise of the laptop computer, I suspect the future of mobility in computing lies with smart phones rather than laptops. Even the laptops are becoming more mobile. It’s more likely that the future of laptop computing will look more like the Macbook Air and less like the traditional laptops we see in many homes and corporate environments today.

I’m convinced we are going to see smart phones being increasingly used for financial transactions especially in the retail world. There are a couple of other technological twists for smart phones that I want to bring to your attention before I continue on. We’re already at the point where you can use your smart phone as an airline boarding pass. The user simply has to have an email sent to their smart phone which includes a QR Code that can be scanned by a gate agent. It’s not a terribly difficult solution for the airlines to implement, but it shows how these devices can be used to replace older technology such as the printed boarding pass. The other interesting twist is that Google has announced that it now supports two-step authentication for Google accounts. This method provides the option to use a smart phone in the authentication process.

I think this is the sort of thing that we’re going to see in relation to using smart phones to facilitate credit card transactions. It could start out as using a smart phone to authenticate a transaction involving a physical credit card. In that sort of scenario, the physical credit card is still handed to the retail clerk or scanned into a card reader. However, the transaction does not complete until an authentication message is sent to the smart phone and validated by the user using, for example, some sort of password.  This would require a very reliable wireless network before it would be adopted by the public. The last thing you want is to be standing in line at Target with a half dozen impatient people behind you staring at you as you fumble with your phone trying to get it to authenticate your transaction, but being unable to do so because of poor network connectivity.

With a reliable wireless network (there’s a Six Sigma project in someone’s future), you could eliminate the physical credit card from the process. Banks could also potentially eliminate persistent credit card numbers which could greatly reduce their exposure to certain forms of credit card fraud. Maybe we end up with a scenario where a smart phone credit card application is linked to the bank through our reliable wireless network. When a purchase is to be made, that application communicates with the bank and issues a one time temporary credit card number for that particular transaction. That one time number is transmitted to the retailer through something like a QR Code that is scanned by the retailer from the phone. Further authentication can be built into the process by requiring some sort of biometric authentication (let’s just imagine a future without passwords while we’re speculating) from the user before the transaction can be completed.

This could also be used as a protection against the various credential-stealing, money-laundering bits of malware that are active in the wild currently. So Zeus steals your bank account information, but when the money is set to be removed from your account and sent to a money mule, an authentication message is sent to your smart phone alerting you to the transaction.
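To make the two ideas above concrete (a one-time number that is only good for one merchant, one amount and one short time window, and a transfer that cannot complete until the account holder’s phone confirms it), here is a small simulation I’ve added. It is illustration only, not code from any bank, vendor or the post itself: the bank keeps a server-side HMAC key, the phone gets back a signed payload it would render as a QR code, and the retailer submits the scanned payload to the bank. The account, merchant and mule names are constructed, and the `Bank` class and its methods are hypothetical.

```python
"""Constructed simulation of one-time, transaction-bound payment numbers plus
out-of-band confirmation. Hypothetical design; not a real bank protocol."""
import hashlib
import hmac
import json
import secrets
import time

REQUIRED = ("id", "merchant", "amount", "exp", "mac")


class Bank:
    """Hypothetical issuer side of the scheme (names and behaviour are assumptions)."""

    def __init__(self, signing_key: bytes, clock=time.time):
        self._key = signing_key   # stays server-side; the phone never needs it
        self._issued = {}         # token id -> {"account", "used"}
        self._clock = clock       # injectable so expiry can be exercised offline

    def _mac(self, rec: dict) -> str:
        msg = "|".join(str(rec[k]) for k in ("id", "merchant", "amount", "exp")).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_credential(self, account: str, merchant: str, amount_cents: int, ttl_s: int = 120) -> str:
        """Phone app requests a number bound to one merchant, one amount and a short window."""
        rec = {"id": secrets.token_hex(8), "merchant": merchant,
               "amount": amount_cents, "exp": int(self._clock()) + ttl_s}
        rec["mac"] = self._mac(rec)
        self._issued[rec["id"]] = {"account": account, "used": False}
        return json.dumps(rec)   # the payload the phone would show as a QR code

    def redeem(self, payload: str, merchant: str, amount_cents: int) -> str:
        """Retailer submits the scanned payload; returns 'approved' or a rejection reason."""
        try:
            rec = json.loads(payload)
        except ValueError:
            return "rejected: malformed"
        if (not isinstance(rec, dict) or not all(k in rec for k in REQUIRED)
                or not isinstance(rec["mac"], str)
                or not isinstance(rec["exp"], int) or not isinstance(rec["amount"], int)):
            return "rejected: malformed"
        # constant-time comparison so a forged MAC cannot be matched byte by byte
        if not hmac.compare_digest(rec["mac"].encode(), self._mac(rec).encode()):
            return "rejected: bad signature"
        if rec["merchant"] != merchant or rec["amount"] != amount_cents:
            return "rejected: transaction mismatch"
        if self._clock() > rec["exp"]:
            return "rejected: expired"
        entry = self._issued.get(rec["id"])
        if entry is None or entry["used"]:
            return "rejected: replay"   # a captured number is worthless a second time
        entry["used"] = True
        return "approved"

    def transfer(self, account: str, destination: str, amount_cents: int, phone_confirms) -> str:
        """Web-initiated transfer: nothing moves until the account holder's phone says yes."""
        if not phone_confirms(destination, amount_cents):
            return "rejected: not confirmed out of band"
        return "approved"


def demo() -> dict:
    """Run the scenarios from the text against a constructed bank; returns each outcome."""
    clock = [1_000_000]   # constructed, controllable time source
    bank = Bank(secrets.token_bytes(32), clock=lambda: clock[0])

    genuine = bank.issue_credential("acct-42", "Target #123", 1999)
    tampered = json.dumps({**json.loads(genuine), "amount": 1})   # skimmer edits the amount
    other = bank.issue_credential("acct-42", "Target #123", 500)
    late = bank.issue_credential("acct-42", "Target #123", 500)

    results = {
        "genuine": bank.redeem(genuine, "Target #123", 1999),
        "replay": bank.redeem(genuine, "Target #123", 1999),      # same number presented twice
        "tampered": bank.redeem(tampered, "Target #123", 1),
        "other_merchant": bank.redeem(other, "Other Store", 500),  # number reused elsewhere
    }
    clock[0] += 600   # ten minutes pass before the last number is presented
    results["expired"] = bank.redeem(late, "Target #123", 500)

    # Zeus-style scenario: stolen web credentials start a transfer to a money mule,
    # but the confirmation prompt lands on the legitimate user's phone, who declines.
    def user_phone(destination: str, amount_cents: int) -> bool:
        return destination != "mule-account-9"   # constructed user decision

    results["mule_transfer"] = bank.transfer("acct-42", "mule-account-9", 250_000, user_phone)
    results["legit_transfer"] = bank.transfer("acct-42", "landlord", 120_000, user_phone)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

The point of binding merchant, amount and expiry into the MAC is that a number skimmed from the QR code, copied to another store, or altered in flight fails before the bank ever consults its table of issued numbers; the "used" flag then turns the number into a one-shot credential. A real deployment would also need to worry about the channel between phone and bank, which this toy ignores.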

Saturday, February 12, 2011

There Is No Alternative

This past week I learned that a research group has reported that smart phones are outselling personal computers. It’s further confirmation to me that we’ve moved out of the era of computer forensics and into the era of digital forensics. Computer forensics, of course, will continue to play an important part of what we do as a community, but the mobile device era is firmly and undeniably in place. Every now and again I still see examiners comment on some of the digital forensics list servs how they hate working on phones. I have to restrain myself from asking how they feel about obsolescence.

We’re at the point where being able to perform mobile device forensics is increasingly becoming a mandatory skill for a digital forensics examiner. While I’m not amazed at how ubiquitous these devices have become, I will admit to a certain level of awe when I see just how powerful these devices are and what they are capable of doing. We haven’t been in the smartphone era for all that long and we’re already seeing mobile devices such as the forthcoming Droid Bionic that will have relatively powerful multi-core processors.

With great power comes great vulnerability. Gone are the days when you could use a mobile device without worrying about malicious actors working to compromise your phone and your data. There are already numerous vendors who are offering anti-virus protection for mobile devices. There are hundreds of thousands of applications available for mobile devices and even applications created by reputable vendors can expose users to risk. For example, viaForensics recently released the results of their research that showed vulnerabilities in the applications of many high profile companies including financial firms.

Mobile devices are going to be an issue for examiners regardless of their role or industry. For traditional digital forensics investigations and eDiscovery, devices like smart phones are a treasure trove of information such as text messages, email, geolocation data, address books, pictures, and movies. I recently attended a webinar that illustrated the convergence of mobile device forensics and analytical software. This presentation illustrated how an examiner could use a mobile device forensics tool such as Cellebrite to harvest information from a smart phone and then feed it into a visual analytical tool made by i2 to assist an investigator in establishing links between people.

The incident response and penetration testing world will need to rapidly adjust to the mobile device era given how the criminal element will be increasingly targeting these devices. There have been numerous stories in the press talking about the convergence of mobile devices and electronic crime. I even read a recent article that reported that smart phones could eventually work as credit cards. It’s clear to me that mobile devices are going to be a key element of financial crime in the future. People are increasingly using mobile devices for routine banking. If it hasn’t happened already, it’s only a matter of time before we see Zeus style malware infecting mobile devices for the purpose of harvesting banking credentials. These credentials can then be used to transfer money out of a victim’s account to be laundered through money mules before the victim realizes what has occurred. Brian Krebs has done some excellent reporting in the area of not only electronic crime, but money mules in particular.

Forensic 4cast Awards

Lee Whitfield announced this week that the nominations are open for the 2011 Forensic 4cast awards. You can submit your nominations at the Forensic 4cast website. If you think about it, you should send Lee a nice note (or donation) thanking him for doing this for the community. He puts a tremendous amount of effort into this at his own expense.

Book Reviews

I’ve been making more of an effort to write up reviews for some of the books that I’ve been reading. You can find my reviews at my Amazon profile here. I haven’t been posting my reviews to the blog because I’m normally backed up on content (a nice problem to have) and it’s easy enough for you to read what I post on the Amazon site.

AFoD Interviews

The interviews have received a great response and I thank you all for the positive feedback both public and private. I have two more that I’m working on as I write this and I hope to have them up relatively soon. If you are interested in seeing a particular person interviewed, please feel free to let me know.

Cyber Crime 101 Podcast

Joe Garcia had me on the Cyber Crime 101 podcast this past week. We talked about life after law enforcement for digital forensics examiners. We also talked a bit about the issue of law enforcement only tools. I’m a fan of Joe’s podcasts because I always seem to learn something new when I listen to them. For example, this podcast taught me that Virustotal now has browser addons for Firefox and Chrome.