SANS Digital Forensics and Incident Response Blog

Logicube releases new forensics gear, Didier Stevens discovers a new way to do interesting things with a PDF and a cooperative user, and Passware provides a means to defeat TrueCrypt.

Logicube has released two devices which look interesting. The MPFS or Massive Portable Forensic Storage provides up to 8TB of storage capacity for acquiring multiple images. The device may be attached to a forensic analyst's workstation via firewire, USB, or eSATA. The unit is compatible with Logicube's Dossier imager and Logicube's second new device, the NETConnect which as the name suggests, allows network access to forensic images. Based on the description, NETConnect is essentially a file server which enables multiple investigators to access forensic images as soon as they are acquired. The device supports Windows, Mac, and Linux and includes support for CIFS and NFS. (I've not had the opportunity to test either device but if Logicube or anyone else wants to send me a set, I will be happy to do a write up.)

If you've ever analyzed a PDF, you've probably used a tool created by Didier Stevens. Didier has figured out a way to make certain PDF readers execute embedded binaries. Check out his explanation in Good Reads.

Disk encryption in various forms is becoming more common when it comes to incident response and forensics. In response to its customer's requests, Passware has updated their flagship product to handle TrueCrypt. Their product also has support for BitLocker.

Tools:

• Paraben Forensics has a free Windows utility, P2 eXplorer v2.0, for mounting various types of forensic images available at http://www.paraben.com/catalog/product_info.php?products_id=268
• Passware has released a new version of their Passware Kit Forensic product which they claim is able to defeat TrueCrypt encrypted hard drives without conducting a brute force attack. http://www.lostpassword.com/kit-forensic.htm
• Logicube released the MPFS (Massive Portable Forensic Storage) which is capable of providing 8TB of storage.
• Logicube released the NETConnect which allows multiple investigators read-only access to a single copy of an image as well as providing a means to transfer images to network storage.

Good Reads:

• Didier Stevens figured out a vulnerability-free technique to make a PDF execute an embedded binary http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
• Robert-Jan Mora and Bas Kloet have released a paper on using statistical sampling techniques in digital forensics in order to alleviate the backlog of existing casework. Yes, we posted this one earlier this week, but it's worth another look: Digital Forensic Sampling.

News:

• Cyber criminal gets 20 years for stealing credit card numbers.
• EU police to collaborate with industry on digital forensics training.

Levity:

• Ordering a pizza in the not too distant future.
• One reason you shouldn't put a cat on a leash.

Coming Events:

• 2010 European Digital Forensics and Incident Response Summit, 19-20 April, London
• Computer Forensics Essentials (FOR 408) at SANS Community Nashville, 3-7 May
• Mobile Forensics World, 5-8 May, Chicago IL
• Computer Forensics Essentials (FOR 408) & Mobile Device Forensics (FOR 563) at SANS Security West, 7-15 May San Diego
• CEIC — Computer and Enterprise Investigators Conference, 24-27 May, Summerlin NV
• SANS WhatWorks in Forensics and Incident Response 2010: Washington, DC, Jul 8-15
• DFRWS 2010, 2-4 August, Portland OR
• Wisconsin Association of Computer Crime Investigators Conference 12-15 October, Madison WI
• eDiscovery Summit, 18-20 October, Atlanta GA

Digital Forensics Case Leads for 20100401 was compiled by Ray Strubinger of the Georgia Institute of Technology. Ray leads the digital forensics and incident response team and when the incidents permit, he is involved in various aspects of the Institute's defense-in-depth strategy.