SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: SQLite changes may impact your processes

I don't know if it's the time of year, the heat or what, but there's been so much going on over the last couple weeks that this post almost didn't make it out. Gasp! Thanks to the efforts of Ira Victor and Mark McKinnon (yay crowd-sourcing), we pulled it off. Speaking of crowd-sourcing, this post is meant to be a weekly round-up of things we've found that may be of interest to digital forensics and incident response practitioners, as such, please drop us a line at caseleads@sans.org if you have an item that you feel should be included in the weekly post. We appreciate it.

Tools:

  • Paraben's P2 Explorer is a great little free tool that mounts a variety of popular disk image formats, allowing the investigator to easily run a variety of tools against the mounted file system (e.g. anti-virus/malware scans).
  • Digital Assembly released version 2.2 of Adroit Photo Forensics 2010, a tool specifically aimed at recovery of digital images, including those that are fragmented and in unallocated space. Perhaps more interesting is news that Nasir Memon can apply similar "smart carving" techniques to other file types, such as Microsoft Office files.
  • F-Response now supports Android.

Good Reads:

News:

  • Mark McKinnon wrote in noting that SQLite, has released version 3.7.0. A quick read through the release notes indicates that the major change with this version is added support for Write-Ahead Logging (WAL), something that should improve performance. Why is this of interest to forensics practitioners? First, lots of products store forensically interesting data in SQLite databases, second, and perhaps more importantly, one of the properties of WAL databases is that they cannot generally be opened from read-only media because even ordinary reads in WAL mode require recovery-like operations." This may affect the way you recover that forensically interesting information from SQLite databases as they will likely have to be copied to read-write enabled media before they can be processed. Thanks for the heads up Mark.
  • Blog contributor, Ira Victor, sent in a story about the state of Utah "investigating the origins of a 29-page list of personally identifying information belonging to more than a thousand people the leakers say are illegal immigrants receiving benefits from the taxpayers." (www.cnn.com/2010/POLITICS/07/16/utah.immigrant.list/). Victor raises some interesting questions, including: What was the data access policy — who had access to this data and for what purpose? And should there be a set of ethical guidelines by the security community for ethical whistle blowing (if that's what the leakers were trying to do) where electronically stored information is involved?
  • For readers attending Defcon next week, Victor pointed out our own Jeff Bryner (pOwnlabs) will give a talked called Google Toolbar: The NARC Within. Victor adds, "Meanwhile, Google gets a patent on technology that monitors on your mouse movements as it relates to search results. What kind of interesting network forensic information can be gathered from these technologies?"

    Victor is the host of the The CyberJungle radio show and will be covering some portions of BlackHat and Defcon on the show so check it out.

Levity:

  • Completely unrelated to forensics, but nonetheless entertaining and uplifting: Double Rainbow
  • And if you made it through that, you have to check this out. Double Rainbow Song. My kids insist I play it at least once a day.

Coming Events:

Digital Forensics Case Leads for 20100722 was compiled by Dave Hull with significant contributions from Mark McKinnon and Ira Victor. Many hands make light work, thanks guys. If you have an article to suggest for case leads please email it to caseleads@sans.org.