SANS Digital Forensics and Incident Response Blog: Author - Ira Victor

Did Las Vegas Police Fumble Critical Digital Forensics in High Profile Shooting Case?

While in a re-certification class at SANS Network Security, a local news story catches my attention. It's a coroner's inquest into the death of Erik Scott, who was shot here in July outside a Costco store by officers of the Las Vegas Metropolitan Police (LVMP) after a store employee spotted Scott's firearm, which he had a permit to carry.

There's limited time while we drink from the SANS fire hose to absorb the day's news events. But I picked up the following from an op-ed piece by Scott's father in the Las Vegas Sun. The dead man's family is harshly critical the investigative process, and not without justification, if William Scott's account is accurate.

The elder Scott says the investigation has been entirely internal, conducted by LVMP. Scott is an aerospace journalist who notes that if an airline pilot has an accident that results in a

...


Digital Forensics Case Leads Aug 5, 2010: Decon 18 and more

The DefCon conference ended on Sunday, and this year's edition of the "World's Largest Hacker Conference" (as many call it) didn't disappoint. We have news and coverage from a forensic and incident response viewpoint, including news about the Wikileaks incident you might not have seen elsewhere. Blackberry is getting hammered on security, well that's what many headlines read. We have a different take. Web tracking and privacy is getting a higher profile, what are the forensic implications? Many home and business networks are "protected" by popular router/firewalls for sale at big box electronics stores. New research reveals breach mechanisms that have forensic and incident response implications. The truth slowly is revealed, along with peoples' private parts, about images from the Whole Body Scanners. And, in the Levity Section: DefCon18 Social engineering contest a hit at DefCon.

Good Reads / Good Audio:

  • "I know what happened with

... Continue reading Digital Forensics Case Leads Aug 5, 2010: Decon 18 and more


Digital Forensics Case Leads: ATT/Apple Rushes in The Forensics and Incident Response Team

A web application flaw was announced late Wednesday that appears to impact users of the 3G Apple iPad. According to press reports, AT&T is rushing in a forensic team in an attempt to determine the damage the flaw may have inflicted.

Gadget blog Gizmodo reports that a flaw in web application used to sign onto to an Apple/AT&T 3G iPad account allows an attacker to get into the account by incrementing the serial numbers on the SIM card on 3G iPads. It is not unusual for a web development team to not focus on using secure methods like using random numbers in generating web sessions. If there is no web application security team in place, these flaws can live on for years in web applications and sites.

AT&T claims that the team that discovered the flaw did not use responsible disclosure to alert AT&T and Apple about the flaw before going public. AT&T said that they closed this

...


Digital Forensics Case Leads: ZeusTracker; Legal Hold Software; Port Control as a Forensic Tool

The Zeus banking Trojan continues to siphon cash from businesses' bank accounts. Attackers compromise networks and computers then lie in wait until accounts are accessed, at which point authentication may be hijacked allowing attackers to submit transactions. The credentials match, even two-factor systems are being defeated. At last count, attackers made over $120 million in unauthorized transactions in Q3 2009 (source: FDIC).

Multi-factor and out-of-band authentication will not cure the ill if the customers' machines are owned by the attackers. Per transaction authentication is needed (probably digitally signed and with MAC). If you are working as an incident responder, it may be helpful to know some of the currently active command and control systems connected to Zeus. Here is a handy list, provided by ZeusTracker (note: SSL certificate errors may pop-up,

...


RSA 2010 - Digital Forensic Analyst Notebook

The RSA Security Conference was held this week in San Francisco. The conference is jammed packed with sessions, whiteboarding events, demonstrations, and more. Here are my observations and interview sound bites. I was covering RSA San Francisco 2010 as a forensic analyst and co-host of The CyberJungle, a weekly live news and talk program on security, privacy, and the law.

Digital forensics is still the non-sexy topic at RSA Security. There were no dedicated forensics tracks for this conference. But computer forensics were mentioned now and then in session talks, although many times by the audience more than the speakers.

Smart Grid Forensics
For example, there was an industry panel on electric smart grid security standards. The panelists in this session did not have forensics on their agenda, but a member of the audience did. Gerry Brown is an independent forensics consultant.

...