SANS Digital Forensics and Incident Response Blog: Author - Paul Henry

Quick Look - Cellebrite UFED Using Extract Phone Data & File System Dump

It is not the intent of this blog post to be an all-encompassing guide to the forensic analysis of an iPhone. Rather it is a look at some of the tools I use in my practice and how they can be applied to iPhone forensic analysis. That being said lets get to it.

Why would you use the Cellebrite File System Dump instead of the traditional Extract Phone Data ?

If the subject of your forensic analysis is collecting information regarding the telephone such as call logs, phone book, SMS, pictures, video and audio/music then you will find what you need using the standard Cellebrite processing found under "Extract Phone Data". However if you want to do a deep dive in to the file structure, Internet usage or look deep in to the applications that are being used on the device and perhaps run some of your "favorite forensic tools" against it, I highly recommend complimenting your traditional

...


Digital Forensics: Too Much Porn, Too Little Time

I recently had a case where one of the requirements was to determine if the PC had been used to view and or download pornographic images from the Internet. First let me say that in my view the only party that can ultimately determine if an image is pornographic is the court. That being said we agreed in the onset of the investigation that any image that clearly showed sexual organs would be the definition we would use in determining if a particular image met the client's definition of a pornographic image.

Processing the case with FTK 3.12 and both collecting images in allocated space as well as carving for images in unallocated space revealed well over 60,000 images. The client needed and answer quickly hence manually reviewing and classifying the large number of images was not an option. If you simply did a quick view of each image for just 5 seconds you would burn about 2 weeks of labor. The process needed to be automated and sooner than later. I had heard AccessData had

... Continue reading Digital Forensics: Too Much Porn, Too Little Time


Digital Forensics Practitioners Take Note: MS DLL Hijacking

DLL Hijacking Issue Gets Out Of Band Fix / Work Around From Microsoft

Though not as simple to pull-off for the bad guys as today's drive-by hacking exploits; successful exploitation requires a user first be tricked into visiting an untrusted WebDAV server in the Internet Zone and then double-click on any type of file, this enables attackers to cause a malicious file to be executed on the user's PC.

Because this is not an enabler of traditional drive-by hacking, many dismissed the severity of this vulnerability. However, given the recent publication of a Microsoft Advisory, Insecure Library Loading Could Allow Remote Code Execution, an initial work around published last week and a new tool released

...


Best Practices In Digital Evidence Collection

Evidence handling procedures are evolving

Evidence handling is clearly one of the most important aspects in the expanding field of computer forensics. The never-ending innovation in technologies tends to keep best practices in constant flux in effort to meet industry needs. One of the more recent shifts in evidence handling has been the shift away from simply "pulling the plug" as a first step in evidence collection to the adoption of methodologies to acquire evidence "Live" from a suspect computer.

The need for changes in digital evidence collection are being driven by the rapidly changing computing environment:

  • Applications are installed from removable media such as a USB stick and are then virtualized in RAM without a trace on the hard disk
  • Root kits hide within process undetected by the underlying operating system and when using local tools (binaries) - you must analyze memory with trusted

... Continue reading Best Practices In Digital Evidence Collection