One caveat though…. I have not read WFA 1/e, so I cannot compare what differences may exist between the two books.  With that said, read on…..

Traditional Digital Forensics methodology was to pull the plug from the back of a PC and conduct a “Dead Box” examination.  Chapter 1 covers Live Response to a scene, where that thought process may not be the best course of action anymore.   It also covers what evidence in memory to collect first before it disappears (volatile data), as well as analyzing that data using the command line.

Chapter 2 (Data Analysis) essentially guides you into taking data that you collected during your Live Response and understanding what it is telling you.  Harlan points out that a lot of times “unusual” or “suspicious activity” that an examiner is seeing is due to their lack of familiarity with how the system operates.

Chapter 3 takes the reader through the tools, such as win32dd & memoryze, and the techniques to conducting an analysis of physical memory (RAM).  He also details examining the Hibernation File as part of memory analysis.  For an investigation where the responder/examiner was unable to get a “memory dump” from the system prior to shutdown (see “Dead Box” exam reference above), this can be a good source of information (That’s right, I am looking at you fellow LEO’s out there).

Moving on, Chapter 4 covers Registry Analysis.   Harlan breaks down the structure of the Registry hive files and what information is contained within those files for the reader.  It also introduces the reader to Registry analysis using tools that Harlan wrote- RegRipper and Rip/RipXP.  Also of note in this chapter is the tracking of USB devices and User activity.

File Analysis is up in Chapter 5.  This chapter is very useful if you are an incident responder.  Harlan discusses the use and understanding event logs, as well as helping you understand how timestamps for files are modified.  The examination of the Recycle Bin, as well as Restore Points and Volume Shadow Copies are discussed also.

Chapter 6 goes into static & dynamic analysis of suspicious files, as well as the need to conduct them in a virtualized environment or a stand alone workstation.  You wouldn’t want to conduct an analysis of a possibly malicious file on a production system and risk infecting “mission critical” systems.  Also covered, is the use of tools like RegShot, Process Monitor and File Monitor for file analysis (as well as others).  The static and dynamic file analysis portion of this chapter reminded me of Day 1 of the SANS Reverse Engineering Malware course, where these techniques are fleshed out in more detail.  This part of the chapter is a good start for an examiner who has not been able to attend that course.

Chapter 7 defines Rootkits, the dangers that they pose on a system and various software solutions to detect & eliminate them.

Chapter 8 essentially goes on to bring everything together that you learned in the previous chapters through the use of case studies.  In my opinion chapters like this one are crucial, as it gives the reader/examiner another perspective at which to conduct or fine tune their own exams through the experience of another (the author).

Chapter 9 ends this book with Reporting and Tools.  Reporting is crucial to any investigation.  If you cannot convey the steps that you took during an investigation to someone who does not have a technical background, it could lead to less than desirable results.  Just imagine testifying in a court proceeding and if you fail to explain (in a human understandable way) what you did to the housewife, plumber, librarian (you get the point) sitting on the jury, you may harm the prosecutor/defense attorney’s case.  You may also harm your credibility for that matter.  The tools listed in this chapter are freely available to use.  I’m sure Harlan didn’t have the budget to grab copies of commercially available tools.  Remember, the free tools are just as good as the commercial ones is you take the time to learn how to use them.

This book is a wonderful resource for any forensic examiner to have on their bookshelf.  Thanks to Harlan for writing this for the Digital Forensics community.  I know a lot of time & research must go into writing a book such as this and there isn’t a ton of money to be made from it.

I look forward to WFA 3/e and it’s coverage of the Windows 7 Operating System.

Joe

Top Online Resources for Digital Forensics:

1- Windows Incident Response blog (http://windowsir.blogspot.com):   Hands down, one of the most informative blogs covering both forensics & incident response.  It is authored by Harlan Carvey.

2- The SANS Computer Forensics & Incident Response blog (http://computer-forensics.sans.org/blog): This blog is maintained by a host of authors and has new material being posted regularly from some of the top examiners in the field.

3- Apple Examiner (http://appleexaminer.com):  A great resource for all things Mac Forensics.  Lots of great Mac Forensics news & how-to’s posted here.  Maintained by Ryan Kubasiak.

4- A Fistful of Dongles (http://www.ericjhuber.com):  Eric Huber’s blog, which has some great interviews with some of the heavyweights in the field of Digital Forensics, as well as some excellent insight into Information Security & Incident Response.

5- Journey Into Incident Response (http://journeyintoir.blogspot.com): Site maintained by Corey Harrell, with lots of great information on Timelines, batch scripting, triage and even a post on how to get the most out of your DF & IR news feeds.

6-  Forensic Methods blog (http://forensicmethods.com): Chad Tilbury’s blog with lots of great informational posts and links, as well as some book and product reviews.

7-  Zeltser.com (http://blog.zeltser.com): Lenny Zeltser’s blog that covers topics such as Malware analysis, Forensics and Incident Response.  Lenny also posts a list of his 5 favorite security reads each week.

8-  The Digital Standard (http://thedigitalstandard.blogspot.com): Chris (Beefcake!!!) Pogue’s blog.  Chris’ has lots of great posts regarding “Sniper Forensics”, which deal with getting the information you are looking for that is relevant to your examination rather than wasting time getting (and reporting on) the dreaded “Everything”.

9-  Forensics Wiki (http://www.forensicswiki.org/wiki/Main_Page): A Creative Commons wiki dedicated to Digital Forensics.  Lots of information regarding File Systems, File Analysis, Tools and How-To’s among other things.

10-  ForensicKB (http://www.forensickb.com): ForensicKB is a great resource for users of EnCase (which I happen to be).  Maintained by Lance Mueller, there are lots of great how-to’s to help you get the most out of EnCase.  Lance even has a 4-part tutorial on EnScript concepts.

Top Offiline Resources:

1-  SANS Digital Forensics & Incident Response Summit/DoD CyberCrime Conference/CEIC/AD Users Conference: These conferences are a great opportunity to hear about cutting edge techniques, as well as get a chance to network with others in the community.

2-  A Local/Regional DFIR Group:  I am fortunate to have NYC4SEC in my backyard.  Groups like this are a great way of discussing current trends & techniques, and also great networking opportunities.  One just got started recently in Northern Virginia (NoVA Forensics Meetup) and one is getting underway in Boston.

3-  Security Conferences (Insert DefCon/Shmoocon/Any SOURCE con/B-Sides here): Every time I attend a security conference, I always pick up some nugget or two that may help me in future exams/investigations.

4-  Books: There are a ton of excellent books on the subject of DFIR.  Here is a start: http://www.amazon.com/Digital-Forensics-Reads/lm/R1C3BRA0RPR9JE/ref=cm_lm_byauthor_title_full

5-  Your co-workers:  Hopefully, you are as lucky as I am to work with a talented bunch of Forensicators.  The ability to bounce things off of another examiner can help you fine tune your examinations.  It will also give you all a chance to learn from each others experience.

Hope this helps!

Joe

Make sure to check out Tim’s blog: http://securitybraindump.blogspot.com/

Visit www.cdfs.org for more information.

Joe

Let’s look at the Chapters in this book:

Chapter One (Registry Analysis)- Here is where the Windows Registry is explained.  What it is, why analyzing it can be important to a digital forensic examiner and its nomenclature.

Chapter Two (Tools)- In this chapter, Harlan goes over some tools that an examiner can use while working on their cases and for conducting research.  Tools like Regshot, Autoruns and Process Monitor from Microsoft Sysinternals, F-Response, and Harlan’s own RegRipper (which should be in every examiner’s toolkit).

Chapter Three (Case Studies- The System)- For this chapter, Harlan highlights various Registry artifacts that deal with the computer system itself.  Topics such as USB devices that were connected to a system, file system settings and wireless networks that a system has connected to, to name a few.

Chapter Four (Case Studies- The User)- Finally, in this chapter Harlan goes over some key Registry artifacts that help show User activity on a system and how it ties into the information gained back in Chapter Three (like using the Mount Points 2 artifact to assist in creating a timeline of when a device was connected to a system).  In both Chapter Three & Four, he draws from his experiences in the field during various Incident Handling engagements.

The DVD that accompanies this book contains a few goodies.  A few of which are PDF’s that cover topics such as how to tell if a CD image was burned by the user, an explanation of the ACMRU & UserAssist keys and how to locate shares on a Windows image.  These are great reference materials to an examiner.  A copy of RegRipper is also included on the DVD.  By the time of this review though, an update version is available at http://code.google.com/p/winforensicaanalysis/downloads/list.

Two complaints I’ve heard or read about this book have been, “For the price of this book, I can’t believe this book is only 200 pages and doesn’t have a list of every registry key” and “man, those large graphics use up a lot of page space”.  I would like to address these one at a time.

First, there are many keys that can/do hold a wealth of information.   Unfortunately, from Windows version to Windows version, these locations and the information held within them may and do change.  I agree with the approach Harlan took with this.  He gave the readers the keys that haven’t changed much or if they did it was with the benefit of providing additional information with each passing version of Windows.  There are plenty of resources on the Internet that have additional Registry key information (The Forensics Wiki, The SANS DFIR Blog, ForensicArtifacts.com, etc…).  If you are only interested in lists, go to those sites and find them.  The best part about Harlan’s writing is that it is to the point.  No fluff in this book.  I know that I do not have the time to waste when trying to learn something.  If that is what you are looking for, then I’d recommend that you buy a novel.

Second, I was happy to see larger graphics in this book.  I have read a bunch of technical books that contain small images that make it hard to get the authors point, especially when dealing with directories and files.  Each of the images provided in this book make it comfortable enough for the reader to follow along and not to guess as to what the author was speaking about.  I cannot comment on the quality of the graphics on the Kindle version of this book since I did not have it available to me.

As far as Cons for this book, the one I’d have to go with was the poor editing.  There are quite a few grammatical and spelling mistakes that were glaring enough that they should have been picked up before this book went to print.  I lay that blame on the Publisher, not on the Author.

Overall, some may think the price point of $69.99 (originally) was a bit steep.  It is worth the price tag to gain the knowledge that Harlan has put into this book.  If I did not luck out and get this on sale, I would have paid full price.  Trust me, you will find yourself going back and highlighting sections of this book for later use in your exams.

Thanks to Harlan for another fine effort!

Joe

Apple has gone and updated iOS to fix a security issue relating to PDF’s.  The vulnerability had to do with how iOS Mobile Safari handles fonts that are embedded into PDF’s.  iOS version 4.2.9 covers CDMA iPhone 4′s, while version 4.3.4 covers the iPhone 4 (GSM), iPhone 3GS, iPad & iPad 2 and iPod Touch 3rd & 4th Generation.

So fire up your iTunes & get a patchin’

Joe

BeenVerified is one of the many information gathering websites that offer “Background Checks” to it’s customers.  Essentially, BeenVerified aggregates information from public records & publicly available sources.  To get started on the site, you enter in a First and Last Name, as well as a State and hit “Search”.  You can also leave the “All States” option to get broader search results.

Now in the above image you can see that it lists the names they have matching the one that you have entered, along with a hometown and possible relative.  I used “John Doe” as name search criteria in this example.  Depending on the information available to Been Verified, a person may have more than one hometown and relative listed.  The site’s results are pretty accurate, which I found when running myself as well as the names of friends.  When you click on the “That’s The One” button, you’ll be asked to enter your information into a popup form.

You will then arrive at a screen which gives you two options: Pay $19.95 for one background check or sign up for a 7-day free trial.  The 7-day free trial gives you unrestricted information & unlimited searches.  That is a lot of information gathering that can be accomplished against you, your family, a business partner or even employees which can then be used in targeted Social Engineering attacks.

Now that we see what is available from BeenVerified, let’s move on to opting out of having your personal information (or your family, friends, co-workers, employees, etc.) being returned in BeenVerified’s search results.  Follow the directions below:

- First if you find yourself listed in the search results, right click on the link for your name and choose “Copy Link Location” or “Copy Link Address” (or however your browser of choice labels that option in the popup menu).

- Then open up your mail application of choice and create an email to “support@beenverified.com”.  Also, make sure to CC yourself in the email.

- Next, make the subject “Site Removal”.

- In the body of the email, first paste the link for your name that you copied earlier.

- Finally, add your name as it is spelled in the search result that you found and list all fo the cities and states that were associated with the listing.

Within a few minutes of sending this email, you should receive an automated response with a ticket number with a message telling you that your request is being worked on.  You will then receive a follow up email that confirms that your information has been removed from search results on the site.  In my case, I received confirmation within an hour or so of the initial response.  I have heard from a couple of sources that they received their confirmation email a day or so later.

One thing to keep in mind is that they are constantly collecting data, so it is possible your information may end up on their site in the future.  So the obvious thing to do is check back from time to time and if need be, follow the above steps again to have you information removed.

Thanks to my co-worker Donna for pointing this site out to me!

Joe

In this episode, I talk about a Federal court case involving a major challenge to the Fifth Amendment.  I discuss the recent WTF moment with Dropbox and we say hello Google+, Google’s new Social Networking service.

Show Notes: 

- Challenge to the Fifth Amendment in Colorado Federal Court:

Post on EFF.org: https://www.eff.org/press/archives/2011/07/08

Post on CNET: http://news.cnet.com/8301-31921_3-20078312-281/doj-we-can-force-you-to-decrypt-that-laptop/

- Dropbox changes in Terms of Service causes uproar:

My blog post here on the matter: http://www.cybercrime101.com/asta-la-vista-dropbox/

New Dropbox ToS as of July 6, 2011: https://www.dropbox.com/terms

10 Alternative File Sharing/Hosting services: http://techpp.com/2010/07/05/dropbox-alternatives-sync-files-online/ (Thanks to JadedSecurity)

Google unveils it’s new Social Networking service, Google+:

Google+ hompage: https://plus.google.com/up/start/?continue=https://plus.google.com/&type=st&gpcaz=c484afe6

XKCD’s take on Google+: http://xkcd.com/918/

Upcoming Conferences:

Security BSides LasVegas: August 3-4, 2011

DefCon19: August 4-7, 2011

HTCIA International Conference: September 12-14, 2011 Indian Wells, CA

Joe

Don’t know if you perused through your inboxes this morning, but you should have received an email from Dropbox letting you know that they changed their Terms of Service (TOS).  The email should have looked a little something like this:

Dropbox TOS Change 7/15/2011

So as I know, most users probably just hit the delete button and didn’t think twice about it.  You might have thought “Dropbox just probably added some new features that changed their TOS in some small way, right?”.

WRONG!!!  They added this little tidbit:

Dropbox TOS Change

 
So basically what this means is that whenever you upload a document, photo, video, audio or anything for that matter, you are giving them permission to distribute, display or make a derivative of that file however they wish, as they feel necessary for their service (whatever that means). Oh, and they don’t need to compensate you in anyway for it either.

Most of you should be picking your jaws up off of the floor right now.

Did they really think that no one would actually read this. I slept in a bit late this morning and awoke to a flood of emails, tweets and other masses of information regarding this. Services like Dropbox should know that the Information Security community is quite vigilant. We live to check up on things that affect our security and freedoms

This goes far beyond their compliance with Law Enforcement requests to have access to your data, which in itself caused an uproar against Dropbox. At least with a Law Enforcement request (Subpoena or Search Warrant), their is a checks and balances system in place, which they will just say Ok to. Being an LEO myself I cannot just call or email Dropbox and tell them to give me access to anyone’s files willy nilly. I have to prepare a Subpoena request or a Search Warrant application, which then gets reviewed by a law clerk or Assistant District Attorney. It then gets brought before a Judge or similar legal authority who ultimately decides if this request should be granted in the form of a Subpoena or Search Warrant. This keeps a rogue LEO from just gaining access to your data.

So my recommendation is to delete you Dropbox account as soon as you are done reading this and worry about finding an alternative later.

Joe