SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: AT&T/Apple Rush in the Forensics and Incident Response Team

A web application flaw was announced late Wednesday that appears to affect users of the 3G Apple iPad. According to press reports, AT&T is rushing in a forensic team to determine what damage the flaw may have caused.

Gadget blog Gizmodo reports that a flaw in the web application used to sign on to an Apple/AT&T 3G iPad account let an attacker reach other subscribers' account data simply by incrementing the SIM card serial number (the ICC-ID) of a 3G iPad. Those numbers are issued sequentially, so once one valid value is known, its neighbours are trivial to guess. It is not unusual for a web development team to overlook secure practices such as using unpredictable, randomly generated values for session and account identifiers instead of sequential ones. If there is no web application security team in place, flaws like this can live on for years in web applications and sites.
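To make the mechanism concrete, here is an added example (not AT&T's, Apple's or Gizmodo's code; the ICC-IDs, addresses and passwords are constructed for illustration) of a lookup keyed by a sequential SIM serial number, the enumeration it invites, and a hardened version that releases account data only to an authenticated session identified by a random token:

```python
import hmac
import secrets

# Constructed sample data: four consecutive 20-digit SIM serial numbers
# (ICC-IDs) and the e-mail address each maps to. The numbers and addresses are
# invented; only the sequential layout mirrors the real world.
ACCOUNTS = {
    "89014104243000000101": "alice@example.com",
    "89014104243000000102": "bob@example.com",
    "89014104243000000103": "carol@example.com",
    "89014104243000000104": "dave@example.com",
}

# Constructed ICC-ID -> password table standing in for a real identity store.
CREDENTIALS = {
    "89014104243000000101": "alice-pass",
    "89014104243000000102": "bob-pass",
    "89014104243000000103": "carol-pass",
    "89014104243000000104": "dave-pass",
}


def vulnerable_lookup(iccid):
    """Pre-fix behaviour: knowing a subscriber's ICC-ID is enough to read the
    e-mail address on the account. No proof of ownership is required."""
    return ACCOUNTS.get(iccid)


def enumerate_accounts(start_iccid, count):
    """Attacker's view of vulnerable_lookup: walk the ID space one step at a
    time and collect every hit. Sequential assignment means most guesses near
    a known-good ICC-ID are valid."""
    width = len(start_iccid)
    base = int(start_iccid)
    found = {}
    for offset in range(count):
        candidate = str(base + offset).zfill(width)
        email = vulnerable_lookup(candidate)
        if email is not None:
            found[candidate] = email
    return found


class HardenedService:
    """Post-fix design: account data is released only to a session that has
    authenticated, and the session is keyed by a random token rather than by
    the public, sequential ICC-ID."""

    def __init__(self):
        self._sessions = {}  # token -> iccid

    def login(self, iccid, password):
        expected = CREDENTIALS.get(iccid)
        # compare_digest avoids leaking the secret via timing; compare against
        # a dummy of equal length on unknown ICC-IDs so both paths cost the same.
        ok = hmac.compare_digest(expected or "x" * len(password), password)
        if expected is None or not ok:
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits, not enumerable
        self._sessions[token] = iccid
        return token

    def lookup(self, token):
        """The client presents only its token and never names an ICC-ID, so
        there is no identifier left to increment."""
        iccid = self._sessions.get(token)
        return ACCOUNTS.get(iccid) if iccid is not None else None


def guess_tokens(service, attempts):
    """The enumeration attack replayed against the hardened service: random
    guesses at a 256-bit token do not collide with a live session."""
    return sum(
        1 for _ in range(attempts)
        if service.lookup(secrets.token_urlsafe(32)) is not None
    )
```

Walking eight candidate ICC-IDs against vulnerable_lookup recovers all four constructed accounts; the same number of guesses (or a million) against HardenedService.lookup recovers nothing, because the only key it accepts was drawn from a 256-bit space and handed out only after a password check. Rate limiting and logging of failed lookups would sit on top of this, not in place of it.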

AT&T claims that the team that discovered the flaw did not practice responsible disclosure, that is, alert AT&T and Apple before going public. AT&T said it closed this particular flaw on Wednesday, and now the forensic investigation begins. Gizmodo claims that a large number of records could have been exposed, including information about high-profile people in the White House, major corporations and the military. It looks as though too many of these high-profile users are ignoring the warning from information security pros that iPads, iPhones, Androids and Palm devices are consumer devices for playing entertainment content and sending texts to your BFF, and should not be used as business devices.

Will we see lawsuits due to this breach? Will we see other security flaws in the iPhone/iPad result in litigation? It certainly appears to be a juicy target for attackers and attorneys alike.

In other news, Paraben, the forensic firm out of Utah, announced the release of two new e-mail forensic tools. A new open source tool can help organizations be proactive about incident response. New developments in the Linux kernel might help speed forensic experts in the field. What kind of discovery orders will we see from the BP cases? A SANS Forensic Summit preview interview: Sniper Forensics: One Shot, One Kill. And more....


  • Can smart managers use data loss prevention (DLP) as a valuable digital forensic and incident response tool? Blogger John Sawyer says 'Yes we can!' It's worth looking at the OpenDLP tool as an open source approach to DLP and a preemptive forensic tool.
  • Paraben announced a new version of P2 eXplorer Free that removes the old version's registration requirement. Paraben's P2 eXplorer allows you to mount your forensic image (or almost any drive image, for that matter) and explore it as though it were a drive on your machine while preserving the forensic integrity of your evidence. This means that an image isn't just mounted to view logical files; it is mounted as the actual bitstream image, preserving unallocated, slack and deleted data. According to a statement by Paraben, many people who have downloaded P2 eXplorer are running it in demo mode and do not realize they need to register the product to be able to mount EnCase, FTK, SMART, raw and other supported image formats. So, they've removed the registration requirement so that any examiner can take advantage of all of P2 eXplorer's features. You can download your free copy of the latest release of P2 eXplorer Free here.
  • Paraben Corp also announced this week the release of both Paraben's E-mail Examiner 6.0 and Paraben's Network E-mail Examiner 3.1. According to the Utah-based company, the release includes feature enhancements to both tools, including a "Batch Processing Wizard." Again according to the firm, the new wizard allows an examiner to select mail archives and automatically have them exported into a variety of mail formats, including PST.

Other updates to the tools are listed below each tool name:

E-mail Examiner 6.0

- New User Interface
- New OST Support
- New support for Windows 7 x64 & Vista x64
- New Batch Processing Wizard
- New Multi-threading
- New Case Manager
- New Searching with Logical Expressions
- New Dongle License Option

Network E-mail Examiner 3.1

- New support for Windows 7 x64 & Vista x64
- Bookmark Options for All Properties of Messages and Bookmarking of Multiple Files
- New Batch Processing Wizard
- New Hashing Wizard
- Improvements in GroupWise Processing
- Updated Investigator Report
- Improvements with Exchange Processing
- Updated CSV Output
- Improved Display of Foreign Characters in E-mail Message Bodies
- Enhanced Exporting Options for PST

Interesting Reads/Vids:

  • Next spill for BP to worry about: File discovery; by Roumiana Deltcheva at the Messaging Architects blog.
  • Microsoft Takes on Security And Privacy Concerns In New IE8 TV Ads. Is this in response to attacks on MSFT products, to the growing concerns about Facebook/Google privacy, or both?
  • "Google Wi-Fi audit reveals criminal intent by the company." Read the report here, by the organization Google hired to look into the matter.



Coming Events:

Digital Forensics Case Leads for 20100415 was compiled by Ira Victor, G17799, GCFA, GPCI, GSEC, ISACA, CGEIT. Ira Victor is an analyst with Data Clone Labs. He is also Co-Host of The CyberJungle, the nation's first live radio news talk show on security, privacy and the law, Saturdays 10a-12noon PT / 1p-3p ET. Ira is President of Sierra-Nevada InfraGard and a member of the High Tech Crime International Association.