SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Forensicsball, Forensic security analysis of Google Wallet, Sprint Disables CIQ

Innovations in timeline forensics, a forensic security analysis of the Google Wallet, and Sprint disables the CarrierIQ "root kit" top this edition of Digital Case Leads.

In the 2011 Hollywood blockbuster Moneyball, Brad Pitt plays the part of the real-life Billy Bean, the manager of the Oakland A's baseball team. In the film, Brad Pitt's character and a smart geek staffer, used statistical analysis, rather than subjective observations, to put together a winning baseball team. Forensic research Jonathan Grier has applied a statistical approach to file use, to create an innovation in digital forensics. And, Elinor Mills at c|net, writes a strong, in-depth piece on CarrierIQ, the smartphone software that some have labeled an illegal "root kit" application that might reveal a treasure trove of forensic data.


*Forensic innovator Jonathan Grier has developed tools that use statistical analysis of file access data to reconstruct timelines. Many times, as a foresnicator, I am asked, "Can you tell us what data was take from our systems?" Typically, that is a non-trivial question to answer. According to Mr. Gerier, his method can be used to determine what, if data was ex filtrated from the system. Here is the abstract from his research:

"We present a method to examine a filesystem and determine if and when files were copied from it. We develop this method by stochastically modeling filesystem behavior under both routine activity and copying, and identifying emergent patterns in MAC timestamps unique to copying. These patterns are detectable even months afterwards. We have successfully used this method to investigate data exfiltration in the field. Our method presents a new approach to forensics: by looking for stochastically emergent patterns, we can detect silent activities that lack artifacts."

Read more in: Detecting data theft using stochastic forensics

* ZImperium Anti - The Android-based network vulnerability assessment app.

"Anti will map your network, scan for active devices and vulnerabilities, and will display the information accordingly: Green led signals an 'Active device', Yellow led signals "Available ports", and Red led signals "Vulnerability found". Also, each device will have an icon representing the type of the device. When finished scanning, Anti will produce an automatic report specifying which vulnerabilities you have or bad practices used, and how to fix each one of them."

Read more at the ZImperium site

* Freeware File Extension Monitor: A Windows tool for discovering which files are being created on a PC when an application is installed.

"Are you curious about which files an installation program is adding to your system, for instance? Or would you just like to know more about unexplained hard drive activity on your PC? Then run File Extension Monitor, and it immediately begins to track which files are being created. And you can take a look at its report at any time by right-clicking the program's system tray icon... [in default mode] File Extension Monitor records the date and time of any activity, the file which was created, and the process which created it.."

This tool was formerly commercial, and has been re-released as freeware.

Good Reads/Listens:

* Forensic security analysis of Google Wallet by ViaForensics.

"This analysis provides a high-level review of the data transmitted and stored by Google Wallet, with the goal of determining if any sensitive data is at risk. Security vulnerabilities in Google Wallet, if they exist, could place the consumer at risk for financial or identity theft. "

Read the entire report here.

*New tracking intensive adware zeros in on Facebook and Google users. I interviewed attorney Terry Ross of the law firm of Crowell and Moring about the potential legal fall-out. The interview begins at about 14min in this week's episode (#241) of CyberJungle Radio. You may download the file directly, or click here for other listening options. Here is the blog site mentioned in the interview.


* Excellent work by c|net's Elinor Mills on the software by CarrierIQ that some have labeled as an illegal "root kit." Read: Sprint disabling Carrier IQ on phones.

* Bloomberg BusinessWeek posted an explosive story about Chinese government and industrial espionage: China-Based Hacking of 760 Companies Shows Cyber Cold War.

* One of the firms that was mentioned in the Bloomberg BusinessWeek story, as a source of a proxy content attack, was hotel internet provider iBahn. iBahn denies it was hacked by China - but it might be, according to this news story, that iBahn has just "...not found proof of any breach on the iBahn network."

* Did Iran "cyber-hijack" a US Military Unmanned Aerial Vehicle (UAV)? US experts cautious about bold claims. Read the details and see the video here from the excellent reporting by The Christian Science Monitor. For the record, these devices are not drones. Drones are autonomous, these are remote controlled, unmanned aerial vehicles. In a related story on physical security: Satellite images reveal secret Nevada UAV site.


* New job opportunity for those with Photoshop forensics skills? US watchdog bans photoshopping in cosmetics ads. Wow, and I thought all those models had perfect faces and perfect bodies all of the time...

Coming Events:

Call For Papers:

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to caseleads[at]

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a forensic analyst with Data Clone Labs, He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator's Association (HTCIA). Follow Ira's security and forensics tweets: @ira_victor.