SANS Digital Forensics and Incident Response Blog: Category - Email Investigations

Block Pornography - The Bane of Computer Forensics

By J. Michael Butler

What is more important? Searching for porn on an organization-owned asset, or looking for misuse of organization-owned data? Not even a trick question. Too easy. So why do organizations' computer forensic experts still find themselves searching for porn? Because it is there.

New problem? I think not. In T.h.e. Journal, there is an article written in 1997 addressing this same issue and suggesting a product called "Little Brother" to fix it.[1] Today there are a plethora of software products for home and office use, ranging from free to more than $100 per workstation. Some are more effective than others, but evaluation is outside the scope of this article. Just know that


pdymail: Yahoo! mail in memory

I thought GMail gave up quite a bit of information revealed through pdgmail. Little did I know how much was in Yahoo! mail!

pdymail is the sister script to pdgmail for gathering Yahoo! email artifacts from memory.

The good thing about web 2.0 with its AJAX, JSON, etc., interfaces is that most of it is text and even more is XML, which is nicely discoverable in memory. Yahoo! mail classic interface artifacts are easily found on the hard disk in browser cache files. The new Yahoo! mail interface uses XML and, while it doesn't leave much behind on the disk, it leaves tons in memory.

Like pdgmail, pdymail is a rather simple Python script tested mostly against a pddump of a process in memory. It also works against

Destruction of adverse documents

It is an offence in most western (at least the common law) jurisdictions to destroy any document that is or may be used as evidence in an ongoing or potential judicial proceeding. An organization must not destroy documents on the grounds that the evidence is unfavorable. The penalties for destroying documents that are suspected to be subject to litigation may include a charge of obstruction of justice. This makes the identification of material that has been deleted after a litigation hold a key goal of the forensic investigator.

Adverse inferences are often upheld in litigation if a party cannot produce the required documents. There is also the risk of reputational damage. In British American Tobacco Australia Services Limited v Roxanne Joy Cowell for the estate of Rolah Ann McCabe [2002] VSCA 197, the judge at first instance seriously denounced BAT for the methodical destruction of a large number of records. Documents that may hold


PTK: Evidence adding and Indexing

At the moment, the image formats used in computer forensics for media duplication are mainly three:

- dd (RAW image) - the best and most utilized format
- Encase format (EWF) - closed format now widely supported by the CF products
- AFF Lib Format - very complete but still expanding

PTK can recognize the above listed formats. Usually, a media copy is stored either as a single file or as split files. PTK is able to recognize the split image situation and, given the first chunk, automatically import the additional files. No log files or other types of data are allowed inside the evidence directory (i.e. file.e01, file.e02, file.log is not permitted). Through TSK, PTK automatically recognizes every partition


How math can help with forensics

Data mining, text mining and network association are all statistical tools that have come into their own as the sheer quantity of available computational power increases. True, you do not need to have a strong basis in math to use these programs, but math can help determine where they may be used.

Text data mining takes the standard associative keyword-based search techniques and increases their effectiveness through the ability to map associations with other words and to create visual representations of the data. This allows an investigator to drill down into previously undetermined associations and to analyze immense amounts of data. One of the problems in the past has been how to represent this data.

This is where visualisation technologies come to play. These allow the investigator to uncover previously hidden relationships in the data. More importantly, the visualisation techniques that are available today make the reporting
