SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Massive eDisco Penalty, Dodd-Frank Law and Digital Forensics, It's Not Business, It's Personal

Legal and regulatory matters, and threats to law enforcement and members of the US armed forces, top this edition of Digital Forensics Case Leads. An appeals court upheld a massive penalty against a company for not properly retaining electronically stored information (ESI). If the offending party doesn't cough up over $1,000,000 in penalties, a senior exec from the firm could be placed behind bars. And, while most executives, and members of the general public, think that the Dodd-Frank law was only meant to regulate financial services, the reality is that it covers ALL public companies. This law has significant digital forensic elements. One seasoned Chief Information Security Officer (CISO) recommends a new approach to incident response and breach prevention: a counter-intelligence response. And, just about every end user is using one or more services or products from The Google. A new book breaks down the data The Google might be holding for your next case.


* New Commercial Device Breaks Into Windows Accounts: Paraben Corporation announces the release of Windows Breaker, a Windows account password recovery tool. Designed with IT professionals and law enforcement in mind, this USB-based tool contains software designed to bypass Windows account passwords. "It is always nice to know you have a backup just in case someone has forgotten their password. This is a perfect easy-to-use tool that I can have my HR department use to gain access to one of our corporate machines," said Amber Schroader, CEO of Paraben Corporation. Paraben claims that Windows Breaker is the first commercial Windows password recovery tool that comes on a USB drive ready for use by even the most novice computer users. Although the SANS Computer Forensic Blog has not demoed the product yet, products like these do require the computer's BIOS to be adjusted to boot first from a USB drive. Trying to use this tool on an older PC might leave one SOL.

* Free Open Source Tools To Break Into Windows: There are many free open source tools to break into a Windows computer. For example, the Offline Windows Password and Registry Editor will do the trick. Versions are available as a bootable USB drive or CD. The CD version would be just the trick when working with an older PC. Scroll down on the lower panel of this page and look for Download.

* Mobius Forensic Toolkit is a forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. Cases and item categories are defined using XML files for easy integration with other tools. A new version was released today.

Good Reads/Listens:

* Just about every computer user today uses some service or product from The Google. The Google has amassed the largest database of information about computer users in the history of IT, according to the author of Search and Destroy: Why You Can't Trust Google Inc. This SANS Forensics blogger was sent a review copy. The book reads like an Uzi machine gun, with one documented statement about The Google after another, and another. The picture that is drawn is of a very large collector of every type of data The Google can collect. The author makes documented claims about The Google's collection of others' intellectual property. The book chronicles so many ways that The Google collects data that this forensicator couldn't help but think about how relevant that data would be in many digital forensic cases. Indeed, this forensicator is working on a case now, and the data at The Google has been brought into the case. Reading this book will help digital forensic pros in their thinking about where to go for critical elements in an investigation.

* The Scientific Working Group on Digital Evidence (SWGDE) is pleased to announce the publication of two very important documents to assist agencies with incorporating crucial quality assurance procedures into their digital forensic laboratories: the model Quality Assurance Manual and Standard Operating Procedures Manual for public use. These two manuals were developed in response to the needs of digital forensic laboratories that don't have the resources for in-house development of quality assurance programs. They provide for off-the-shelf, easily tailored documents that can be utilized to begin to establish quality standards in the performance of digital forensic examinations. Although initially developed for a one-person laboratory, they are written so a lab of any size can utilize them. SWGDE acknowledges the invaluable contribution to Forensic Science by ASCLD/LAB and the ISO/IEC standards bodies, and specifically, has drawn on their guidelines and practices in the development of these manuals. These manuals are very much an initial DRAFT release and SWGDE recognizes that modifications will be desired, if not required. However, it was decided best to release them in DRAFT form as it is important to SWGDE to gain community participation and acceptance in such a large endeavor. These manuals are living documents and as such, will be updated on a continual basis. To view or download the manuals, please visit the SWGDE Documents web site at . Comments from the digital forensic community are greatly appreciated and where applicable will be incorporated into the manual. SWGDE requests your comments be sent to secretary -at- and include: page number, section number, specific sentence and suggested wording change.

* $1m Fine Upheld for Botching eDiscovery: Debra Logan, VP and Distinguished Fellow with Gartner, gave a seminar on civil litigation and forensics at the Gartner Security Summit 2011 held last week near Washington, DC. Debra Logan is an energetic and passionate researcher on eDiscovery, digital law, and the steps businesses need to take to protect themselves from costly digital data errors that can occur as a result of litigation. You may listen to a 12-minute interview with Ms. Logan, where she discusses this landmark case. Here are the links mentioned in the interview: The Victor Stanley 2 Case and Fulbright & Jaworski's 7th Annual Litigation Trends Survey Report on litigation, arbitration and cost management issues.

* Digital Forensics and the New Dodd-Frank Law: The Gartner Security Summit 2011 had a number of seminars on regulatory compliance related laws, many of them hosted by Gartner VP John Bace. One of the new laws discussed this year is the so-called Dodd-Frank Law. This massive law regulates all public companies, not just financial services, as is popularly thought. The Dodd-Frank Law has provisions that can have a profound impact on digital forensics. John Bace discusses the digital forensic impact of this law in this 4-minute audio interview. He discusses the whistleblower provisions that could pay IT staff millions in this 10-minute segment.

* A Radically Simple Way To Fight Advanced Cyber Attacks: The Gartner Security Summit 2011 featured a fascinating panel entitled "When Advanced Threats Go Mainstream: Seven Defense Measures Against Escalating Threats." The panel featured T-Mobile USA's Chief Security Officer, Bill Boni. Bill talks about a strategic shift in fighting Advanced Threats. Listen to the conversation with Bill Boni (about 10 minutes). Bill Boni is the author of the book mentioned in the interview: Netspionage: The Global Threat to Information.


* It's not business, it's personal: Personal cloud accounts of Arizona law enforcement members were breached, and the officers' personal info was posted online. The data dump allegedly contains names, addresses, Social Security numbers, online dating account details, voicemails, chat logs and even "seductive girlfriend pictures," all of which belong to about a dozen Arizona LE officers. Mathew Benson, a spokesman for Arizona Governor Jan Brewer, said the breach didn't penetrate the state's computers, but attacked personal accounts. Thank you, Captain Obvious. Details in this news story from Arizona.

* Attackers Pilfer Data from Military Personnel by Targeting Magazine Publisher: The Gannett Government Media family of websites suffered a cyber attack that resulted in the attacker(s) gaining unauthorized access to files containing information of some of our users. The information in those files included first and last name, userID, password, email address, the internal number we assigned to the account, and, if provided, ZIP code, duty status, paygrade, and branch of service. Details in an announcement Gannett made this week.

* Do work emails enjoy spousal privilege? That was the claim one defendant made in this interesting case.

* A compelling digital forensics case? Officials: West Virginia Mine Operator Kept Two Sets Of Safety Records. Mine owner Massey Energy kept two sets of records that chronicled safety problems. One internal set of production reports detailed those problems and how they delayed coal production. But the other records, which are reviewed by federal mine safety inspectors and required by federal law, failed to mention the same safety hazards. Some of the hazards that were not disclosed are identical to those believed to have contributed to the explosion. Read more in this NPR story and its roughly 4-minute audio segment.

* Doh! The IRS fails another security audit; this time the audit reveals the agency is not properly scanning databases for known vulnerabilities.


* From fellow SANS Blogger Greg Pendergast: The author of this comic grossly underestimated how long it takes to "run EnCase." Check it out. This one seems so timely with the Lulz/Anon wars.

Coming Events:

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to caseleads[at]

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator's Association (HTCIA). Follow Ira's security and forensics tweets: @ira_victor.


Posted June 30, 2011 at 8:36 PM


The link to Debra Logan's talk is broken.