SANS Digital Forensics and Incident Response Blog: Daily Archives: Aug 12, 2009

Signed into Law: No PI License Required in N.C. for Digital Forensic Services

Signed by the governor on 07/24/2009, in pertinent part:

SECTION 1. G.S. 74C-3(b) is amended by adding a new subdivision to read:

(b) "Private protective services" shall not include any of the following:

17) A person engaged in (i) computer or digital forensic services or in the acquisition, review, or analysis of digital or computer-based information, whether for the purposes of obtaining or furnishing information for evidentiary or other purposes, or for providing expert testimony before a court; or (ii) network or system vulnerability testing, including network scans and risk assessment and analysis of computers connected to a network.

Thanks to all who tirelessly worked on behalf of digital forensic specialists. Special thanks to Ryan Johnson and Jody Westby.

See the NC Senate Bill 584

Acquiring Data from Windows Mobile Devices

During the debut of SEC563 Mobile Device Forensics last week, Eugene Libster from ManTech brought to my attention the open source itsutils package for extracting from Windows Mobile devices. Components of this package, psdread and pdocread, can acquire more data from Windows Mobile devices than many commercial forensic tools, but there are several issues that forensic practitioners need to understand before using these utilities on an evidentiary device.

First, acquiring data using these utilities creates files on the device, necessarily overwriting data. Specifically, an executable file named "itsutils.dll" is copied onto the device, and an error log "itsutils.log" is created on the device. Second, these tools acquire data through a hardware