SANS Digital Forensics and Incident Response Blog

Digital Forensic Case Leads: Report from the Forensic Expert Witness Conference, Judge: Viewing CP might NOT be possession, Mac crypto bug helps forensicators

Welcome to Digital Forensics Case Leads. Another a busy week in digital forensics, incident response and the law. In this edition: The SANS Computer Forensics Blog was at the Forensic Expert Witness Annual Conference, and your humble reporter asked a seasoned member of the bench: What is it like for a Judge to sit on the bench and digest the testimony of a foresicator / technical expert witness? * Another Judge rules that viewing CP might NOT be the same as possession under the law. * Has Law Enforcement tipped their hand in a report that spells out how to use anti-forensics to conduct criminal acts using BitCoin? * A bevy of encryption tools *And, could a forensicator leverage a Mac OS X bug to recover encrypted data, even after the user applies a new patch to "fix" the bug?

If you have an item you'd like to contribute to Digital Forensics CaseLeads, please send it to caseleads@sans.org.

Good Reads/Listens:

  • Law Enforcement Fearful of BitCoin? Read a confidential report that has been leaked, including how users are deploying anti-forensics techniques
  • Viewing child porn not necessarily possession, [New York] court rules
  • DFIR Analysis: Is the latest 'Twitter Breach' really older pwnd accounts from Q3'11 attack? From the ESET Blog.
  • CyberJungleRadio. From the floor of The Expert Witness Expert Witness Conference 2012, your Case Leads reporter talked with the Hon. Paul Chertoff about a judge's view of a digital forensicator on the stand as an expert witness. You may download the file directly — the interview with Judge Chertoff begins at about 13min. Or, you may go to the listening options page and browse for other ways to hear the show, including links to iTunes.

Tools:

  • libbde: Library and tools to support the BitLocker Drive Encryption (BDE) encrypted volumes
  • libvshadow: Library and tools to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
  • VanishCrypt — Virtual Encryption Tool, alternative to TruCrypt to create encrypted virtual drives
  • Data Recovery FOSS Style - How to perform data recovery in Linux
  • The Steganography Analyzer Field Scanner, or StegAlyzerFS, is a digital forensic examination tool designed for field triage on suspect computers to detect the presence or use of digital steganography to conceal information of criminal activity. Read more here.
  • ITWeb: "The new FTK 4 is pretty much the same set of tools that we are used to seeing from AccessData - until you add the company's exciting new modules, Cerberus and Visualization. Now, it's a whole different ballgame." Read more here.

News:

  • BYOD stirs up legal problems. From ITWorld.
  • Microsoft: Macs 'not safe from malware, attacks will increase.' From ZDNET.
  • Patch out for #OSX 0day crypto bug. But, forensicators can still recover passwords from patched systems. Also from ZDNet.
  • Syrian Government Pushing Malware To Activists Via Skype. From TechWeekEurope.
  • Religious sites 'riskier than porn for viruses.' From Aussie 9 News.
  • Clayton High's principal resigns amid Facebook mystery

Levity:

Coming Events:

Call For Papers:

 

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to caseleads@sans.org.

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a forensic analyst with Data Clone Labs, He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator's Association (HTCIA). Follow Ira's security and forensics tweets: @ira_victor.