SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Tracking Takes Center Stage - Photos, Vehicles, and Phones

Photo forensics tops the news in this edition of Digital Case Leads. Vladimir Katalov, CEO of ElcomSoft, is interviewed about his team's discovery that the implementation of many of the digital signature systems used by Canon and Nikon is faulty. His team demonstrated that they could forge "authentic" digital photos. How many courts rely upon the integrity of digital photos in accident investigations, other civil cases, and in criminal investigations? A new study shows that most cloud service providers don't really take security very seriously, despite the claims most of them make. And, multiple stories on vehicle tracking, people tracking, and a new book on security and privacy around the data of the biggest tracker of them all (no, NOT the NSA), "The Google." Next week is the Computer and Enterprise Investigations Conference (CEIC) in sunny Orlando, Florida, and the AccessData Forensic User's conference is in sunnier Las Vegas, Nevada.


  • AccessData Forensic Users Conference is being held next week in Las Vegas (see details below in events). One of the products to be featured is AD Triage (short for AccessData Triage? The site does not clarify). According to the company, this new forensics software on a USB stick allows field forensics pros to forensically acquire data from live and powered-down computers.
  • Incident Response Tool: Varonis Systems Inc. announced Version 5.6 of its Data Governance Suite this week. According to Varonis, the software enables a complete metadata framework for the governance of unstructured data on file servers and NAS devices, and of semi-structured data on SharePoint and Exchange servers. Varonis helps organizations to automatically audit and manage data access control, and to identify and classify data owners. When these digital assets are misused, they become a tremendous liability (as was the case with WikiLeaks). According to the company, "data auditing, classification, ownership identification and access control are now in the same place that search was 10 years ago — representing more than 80 percent of the world's data and doubling every 18 months (Source: Gartner), there is simply too much unstructured data to manage manually." Find out more at

Good Reads/Listens:

  • This looks like a good read, and it received positive reviews: Search and Destroy: Why You Can't Trust Google Inc. Based upon the reviews, the author details the mountains of data Google collects. If one knows what Google has, one knows what to write in a subpoena or a law enforcement request. The book is currently sold out.
  • According to Websense, there is a new trend where cyber criminals are spreading malware by taking advantage of Google's Image search rankings. The attack involves poisoned pictures displayed in Google's image search results which, when clicked, redirect a user to a malicious site. Excellent, detailed write-up.
  • The CyberJungle Radio show interviewed the CEO of ElcomSoft on their discovery that the "trusted," digitally signed metadata on Canon and Nikon cameras can be forged. Valuable information on the potential inadmissibility of photos and photo metadata. Here is a link to that show; the interview segment begins at about the 14:30 mark and is about 10 minutes in length.


  • Incident Responder/Forensicator Full Employment "Best" Practice? Ponemon Study: The overwhelming majority of cloud service providers admit to not protecting data on their network, and admit to not conducting security testing of applications before they are rolled out with customer data.
  • The mainstream media continues to run stories on the huge volumes of data that Google and Apple collect. This commentary from stands out: Apple, Google Take Over Big Brother Role.
  • Sony sued for PlayStation Network data breach: This is probably one of many suits related to the SonyPSN breach.
  • UK Law Enforcement is using software that can map nearly every move that suspects and their associates make in the digital world. The software, according to the story, gathers information from social networking sites, satellite navigation equipment, mobile phones, financial transactions and IP network logs. Geotime is also used by the US Government, according to the story. Read more in this UTV story.
  • Ford Motor will use Google's new Prediction API to predict driver habits to maximize hybrid and electric car efficiency. The company's goal is to use cloud-based storage and computing to collect and process information about how drivers use their vehicles, where they go, and when they travel. Accessing those resources over a wireless network, a vehicle could automatically change how it performs, according to Ford. Question: Will Ford offer a mash-up with Geotime so the data can be combined with social networking sites, satellite navigation equipment, mobile phones, financial transactions and IP network logs?
  • Levity:

Coming Events:

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to caseleads[at]

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator's Association (HTCIA). Follow Ira's security and forensics tweets: @ira_victor.