SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: SMS botnet has ripples into mobile forensics; New iOS forensic tool; New USB encryption tool; Record a cop, go to jail? Free RSA Expo Pass and Free Beer!

This week's case leads features a new SMS botnet attack that has ripples into mobile forensics; Guidance Software releases an iOS forensics tool; an in-depth legal analysis of a recent ruling that could encourage lawyers to sue businesses due to downstream liability, and these lawsuits could involve considerable e-discovery; SIFT wins forensic award; PLUS get a free RSA Expo pass, free homebrew beer, and a chance to win a Honeycomb Android Tablet for your forensic testing!

Hey, is that an SMS botnet in the perp's pocket? At last weekend's Shmoocon 2011, Georgia Weidman gave a talk about how the most popular smartphone platforms can be silently taken over by an attacker. There are potentially significant computer forensic repercussions. With the explosive growth of smartphone use, mobile forensics is a growing area for data capture and analysis. If the owner of a smartphone had the device in his possession when a given message was sent, investigators typically assume the owner sent that message. But what if the phone is relaying SMS messages in and out as a proxy for someone else, under the silent control of a remote attacker? A message record that shows the device transmitted a text is not, by itself, proof that the person holding the device composed it. You may download proof-of-concept code and slides from Georgia's Shmoocon 2011 talk. The CyberJungle had the first radio interview with Georgia Weidman following Shmoocon. You may download a podcast of that episode. The interview starts at about the 20:20 mark.


  • Guidance Software announced a new forensic tool last week for Apple iOS devices, giving digital investigators another commercial option when performing forensic analysis and e-discovery on these popular mobile devices. According to a November survey of 1,641 business information technology buyers, corporate use of tablets is set to double in just the next three months. Despite the flood of new tablets hitting the market, iOS devices remain the overwhelming choice of business buyers today. Guidance Software says that the frenzy on both the consumer and corporate fronts is accelerating the demand for these types of tools. "As we do digital investigations, we're encountering more Apple devices including iPads and iPhones," said Detective Andy Kleinick, Officer-in-Charge, LAPD, Computer Crimes Unit. Andrew Hay, senior security analyst, Enterprise Security Program for The 451 Group said, "Few organizations allow the connection of personal computers to a corporate network but, for some reason, many are fine with allowing employees to bring personal smart phones into the office - some going so far as to allow Wi-Fi-capable devices to connect to the corporate wireless network." Hay went on to say, "With this new support for iPhone and iPad, Guidance Software can help analysts using its products to overlay traditional forensic and incident response strategies to one of the most prolific mobile device architectures in use today." My take: I have yet to test this tool, but I have used iBackupBot, a free and easy-to-use shareware/nagware tool that allows an investigator to view and analyze the iOS backup files that reside on the computers that end users use to manage their iOS devices. With iBackupBot, the investigator can view and analyze the iTunes backup files, and quickly identify the relevant files of interest. iBackupBot allows the investigator to view the device's databases, images, SMS messages, notes, address book, call history, calendar, and more.
And the application allows the export of the data to CSV files for easier creation of charts for use in reports. iBackupBot is a Microsoft Windows application, and is therefore most useful in forensic labs where Windows is still the predominant operating system.
  • When working on a case, it is often advantageous to encrypt case information or certain evidence. That is why this product caught my attention:

Two-Factor Crypto for Any USB Drive

The Hiddn Crypto Adapter (I presume it is pronounced "hidden"). According to a spokesman for the company, High Density Devices, this keypad-style peripheral will encrypt all types of USB storage media and add two-factor authentication. One of the challenges of encrypting a USB drive is: where does one store the encryption key? If the key is stored on the drive itself, then whoever obtains the drive obtains the key as well, and the data is not truly secure. That is why the popular encrypted drives have a separate mechanism to store the key, and a means to power that mechanism built into the drive. In part, that is what drives the cost of those drives to be much higher than the off-the-shelf drives we typically use for evidence or other case data. With the Hiddn Crypto Adapter one no longer has to purchase dedicated encrypted drives. The device costs $465 according to the company spokesman. If you have a drive and a USB adapter, you can encrypt it, and secure the key with a smart card. The manufacturer claims the device is FIPS 140-2 Level 3 and Common Criteria EAL4+ certified, and that it supports AES-256 encryption. As with any such claim, the certificate numbers are worth looking up on the published FIPS 140-2 and Common Criteria validation lists before the device is relied on for evidence handling. My take: I plan to review this tool as part of my coverage of RSA 2011 in San Francisco. High Density Devices can be found at RSA booth #2545.
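Returning to the iOS backup item above: the two things an examiner does first with an iTunes backup are locate the interesting database among the hashed filenames and pull the message records out of it in a form that goes into a report. The following is an added example written for this post; it is not code from iBackupBot, Guidance Software, or the original article. It assumes the iOS 4-era backup layout, in which each device file is stored under SHA-1("domain-relative/path"), assumes the commonly documented direction flags of the old sms.db message table (2 = received, 3 = sent), and builds its own constructed sms.db stand-in so it runs offline. It also illustrates the SMS botnet point from the first item: the "sent" flag records that the device transmitted the message, not who composed it.

```python
import csv
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone


def backup_filename(domain: str, relative_path: str) -> str:
    """Name a device file carries inside an iTunes backup folder.

    iOS 4-era backups store each file as SHA-1("<domain>-<relative path>"),
    so HomeDomain/Library/SMS/sms.db becomes 3d0d7e5fb2ce288813306e4d4636395e047a3d28.
    """
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


# Device files an examiner usually wants first (well-known iOS 4 locations).
FILES_OF_INTEREST = {
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
    "address_book": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "call_history": ("WirelessDomain", "Library/CallHistory/call_history.db"),
    "notes": ("HomeDomain", "Library/Notes/notes.sqlite"),
}

# Direction flags as commonly documented for the iOS 4 sms.db 'message' table.
# Assumption for this example: confirm against the build you are examining.
# Note that "sent" only means the handset transmitted the text; a phone acting
# as an SMS bot/proxy writes the same flag without its owner typing anything.
FLAG_DIRECTION = {2: "received", 3: "sent"}


def build_sample_sms_db(path: str) -> None:
    """Write a CONSTRUCTED sms.db stand-in with only the columns this example reads."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER, text TEXT, flags INTEGER)"
    )
    con.executemany(
        "INSERT INTO message (address, date, text, flags) VALUES (?, ?, ?, ?)",
        [
            ("+15555550100", 1296000000, "meet at 9", 3),        # sent by handset
            ("+15555550100", 1296000300, "ok", 2),               # received
            ("+15555550199", 1296003600, "ship the package", 3), # sent by handset
        ],
    )
    con.commit()
    con.close()


def load_messages(path: str) -> list:
    """Read the message table, decode the direction flag and normalise dates to UTC."""
    con = sqlite3.connect(path)
    rows = con.execute(
        "SELECT ROWID, address, date, text, flags FROM message ORDER BY date"
    ).fetchall()
    con.close()
    messages = []
    for rowid, address, date, text, flags in rows:
        stamp = datetime.fromtimestamp(date, tz=timezone.utc)
        messages.append({
            "rowid": rowid,
            "address": address,
            "timestamp_utc": stamp.strftime("%Y-%m-%d %H:%M:%S"),
            "direction": FLAG_DIRECTION.get(flags, f"unknown({flags})"),
            "text": text,
        })
    return messages


def export_csv(messages: list, csv_path: str) -> int:
    """Write decoded messages to CSV for charting in a report; returns the row count."""
    fields = ["rowid", "address", "timestamp_utc", "direction", "text"]
    with open(csv_path, "w", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=fields)
        writer.writeheader()
        writer.writerows(messages)
    return len(messages)


def run_demo():
    """Build a throw-away backup folder, find sms.db by its hashed name, export it."""
    backup_dir = tempfile.mkdtemp(prefix="ios_backup_")
    sms_path = os.path.join(backup_dir, backup_filename(*FILES_OF_INTEREST["sms"]))
    build_sample_sms_db(sms_path)
    messages = load_messages(sms_path)
    count = export_csv(messages, os.path.join(backup_dir, "sms.csv"))
    return messages, count


if __name__ == "__main__":
    msgs, n = run_demo()
    for m in msgs:
        print(m["timestamp_utc"], m["direction"], m["address"], m["text"])
    print(f"exported {n} rows")
```

Against a real backup, point `sms_path` at the file whose name matches `backup_filename(*FILES_OF_INTEREST["sms"])` in the backup directory; the same lookup table gives the hashed names of the address book, call history and notes stores. Timestamps are kept in UTC so that messages from several sources line up in one timeline.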

Good Reads:

  • Our own Hal Pomeranz, in his role as surge staff for Mandiant, has an interesting post and a couple of tools for recovering deleted files from EXT3 file systems by using the indirect block pointers, which survive on disk even though EXT3 zeroes the block pointers in the inode when a file is deleted.
  • In a potential windfall to attorneys who sue businesses, a California appeals court has ruled that businesses can be held strictly liable for actions taken by their affiliates (and sub-affiliates).


  • Data retention law does not help law enforcement fight crime, study reveals.
  • Some private investigators are attempting to regulate computer forensics pros, state by state. Their effort suffered a stinging defeat in the State of Virginia last week.
  • Brad Garnett has written a review of Harlan Carvey's Windows Registry Forensics book.
  • Record a cop, go to jail — Two Chicago residents who recorded their interactions with the police are facing felony charges... one is in jail... and their cases are drawing attention to an eavesdropping law that may be obsolete in the age of smart phones with audio and video recording capabilities.
  • Last May, the Dow plummeted in seconds. Fat-finger error, or something more sinister?
  • A proposal is making its way through Congress for a law that would clarify the rights of Americans returning home from abroad only to have their digital devices seized by customs agents. My take — for the time being, consider the U.S. border a hostile zone for case data on your laptop and portable drives.
  • The U.S. Department of Defense Cyber Crime Center's annual DC3 Challenge is underway. Sign up and compete; you'll improve your skills and further the art and science in the process.


Coming Events:

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of The CyberJungle radio program, the weekly news and talk program on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of the High Tech Crime Investigator's Association. Follow Ira's security and forensics tweets: @ira_victor.