Like many great inventions, the idea behind F-Response is so simple and elegant it is hard not to punish yourself for not thinking of it. Using the iSCSI protocol to provide read-only mounting of remote devices opens up a wealth of options for those of us working in geographically dispersed environments. I have used it for everything from remote imaging to fast forensic triage to live memory analysis. F-Response is vendor-neutral and tool independent, essentially opening up a network pipe to remote devices and allowing the freedom of using nearly any tool in your kit. The product is so good, I really wouldn’t blame them for just sitting back and counting their money. Luckily, counting money gets boring fast, so instead the folks at F-Response have kept innovating and adding value. Their latest additions are new “Connector” tools: Database, Cloud, and Email.
Archives For Computer Forensics
Mastering Windows Network Forensics and Investigations fills an interesting niche not well addressed in the pantheon of digital forensics resources. The material is well suited for beginning and intermediate forensic examiners looking to better understand network artifacts and go beyond single-system forensics. I highly recommend it for system administrators looking for a different perspective on network security or those interested in designing networks to be forensics-friendly. That said, the topics covered do not fit within the classical definition of network forensics. A more apt title might be Mastering Incident Response Forensics and Investigations.
This is the first book I have read in the Sybex Mastering series, and I was impressed with the writing, research, and editing. The authors blended dense material with relevant examples and insightful and engaging text boxes. Some of my favorite “side” topics were:
- “Cross-platform Forensic Artifacts”
- “Registry Research”, illustrating the use of Procmon for application footprinting
- “Time is of the Essence”, explaining fast forensics using event logs and the registry
The book begins with four chapters familiarizing the reader with Windows networking. While this may slow down those hungry for forensics topics, they are replete with information. Windows domains, hacking methodology, and Windows credentials are all described in these early chapters. Amazingly, this is the first forensics book I have read containing a discussion of the NTDS.DIT Active Directory database file, perhaps the most dangerous file in the enterprise. While there were probably too many pages spent on password sniffing and cracking, I recognize it is beneficial to understand the risks and I commend the authors for also mentioning pass the hash and token stealing attacks. It would have been valuable to see these same attacks identified later in the book via Windows registry and log artifacts.
UPDATE: A new version of the Windows 8 Forensic Guide can be found here: http://propellerheadforensics.com/
Application-Specific Geo-location
Web applications can often leave their own geo-location clues, similar to those found via the mapping services. While mapping artifacts are largely consistent from site to site, geo-artifacts created by applications are more haphazard: each application decides for itself what to request, what to store, and where. In practice, there can be as many distinct artifacts as there are applications using geo-location services. To illustrate this, we will analyze the artifacts left by two popular location-aware applications: Flickr and Twitter.
Mobile Flickr Geo-artifacts
Understanding Browser Artifacts
Geo-location artifacts demonstrate an interesting concept with regard to browser-based evidence. Among the various browser artifacts, Internet history is a fan favorite because it provides such rich information. There is no easier place to look to identify sites visited by a specific user at a specific time. Browser history is so useful that a critical shortcoming is often overlooked: with today’s dynamic web pages, the vast majority of web requests go unrecorded in it. When a user visits a website, a multitude of requests are completed in the background to retrieve images and advertisements, populate web analytics, and load content from third parties. The content retrieved by these requests is stored within the cache, and an entry for each is created in the cache database. While the history database may only show the page visited, the cache holds most of the components retrieved to dynamically build that page, and it is in those component requests (map tiles, location lookups, tagged API calls) that the geo-location clues usually hide.
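To make the history-versus-cache gap concrete, here is an added example (it is not code from the original post) that pulls latitude/longitude clues out of request URLs and runs it over two constructed lists: the single page URL a history database would record, and the background requests a cache would record for the same visit. The sample URLs, hostnames and parameter names (`ll`, `lat`/`lon`, `x`/`y`/`z` tile coordinates) are assumptions chosen because they are common conventions; they are not the format of any particular service, and the tile conversion assumes the standard Web Mercator XYZ scheme.

```python
"""Compare what browser history records with what the cache records.

Added example, not from the original post. All URLs below are constructed
for illustration; parameter names are common conventions, not the format of
any specific mapping or photo service.
"""
import math
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: the history database typically holds only the page the
# user navigated to ...
HISTORY = [
    "https://maps.example.com/maps?q=coffee+near+me",
    "https://photos.example.com/photos/12345",
]
# ... while the cache holds the background requests that built that page.
CACHE = [
    "https://maps.example.com/maps?q=coffee+near+me&ll=38.8977,-77.0365&z=15",
    "https://tiles.example.com/vt/lyrs=m&x=18743&y=25070&z=16",  # tile, no '?'
    "https://api.photos.example.com/geo?lat=48.8584&lon=2.2945",
    "https://ads.example.net/pixel.gif?id=abc123",
]

LATLON_PAIR = re.compile(r"^(-?\d{1,2}(?:\.\d+)?),\s*(-?\d{1,3}(?:\.\d+)?)$")
PAIR_KEYS = ("ll", "sll", "center")            # value looks like "lat,lon"
LAT_KEYS = ("lat", "latitude")
LON_KEYS = ("lon", "lng", "long", "longitude")


def plausible(lat, lon):
    """Reject values that cannot be coordinates (e.g. ll= abused for ids)."""
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0


def tile_to_latlon(x, y, z):
    """Centre of a Web Mercator XYZ tile (assumed: standard slippy-map scheme)."""
    n = 2 ** z
    lon = (x + 0.5) / n * 360.0 - 180.0
    lat = math.degrees(math.atan(math.sinh(math.pi * (1.0 - 2.0 * (y + 0.5) / n))))
    return lat, lon


def url_params(url):
    """Collect key=value pairs from the query string and, because some tile
    servers put them in the last path segment without a '?', from there too."""
    parsed = urlparse(url)
    params = {}
    last_segment = parsed.path.rsplit("/", 1)[-1]
    for chunk in (parsed.query, last_segment if "=" in last_segment else ""):
        for key, values in parse_qs(chunk).items():
            params.setdefault(key.lower(), []).extend(values)
    return params


def coords_from_url(url):
    """Return a list of (lat, lon, how_found) tuples for one URL."""
    q = url_params(url)
    hits = []
    for key in PAIR_KEYS:                         # ll=38.89,-77.03
        for value in q.get(key, []):
            m = LATLON_PAIR.match(value)
            if m:
                lat, lon = float(m.group(1)), float(m.group(2))
                if plausible(lat, lon):
                    hits.append((lat, lon, key))
    lat_raw = next((q[k][0] for k in LAT_KEYS if k in q), None)  # lat=..&lon=..
    lon_raw = next((q[k][0] for k in LON_KEYS if k in q), None)
    if lat_raw is not None and lon_raw is not None:
        try:
            lat, lon = float(lat_raw), float(lon_raw)
        except ValueError:
            pass
        else:
            if plausible(lat, lon):
                hits.append((lat, lon, "lat/lon"))
    if all(k in q for k in ("x", "y", "z")):      # map tile column/row/zoom
        try:
            x, y, z = (int(q[k][0]) for k in ("x", "y", "z"))
        except ValueError:
            pass
        else:
            if 0 <= z <= 22 and 0 <= x < 2 ** z and 0 <= y < 2 ** z:
                lat, lon = tile_to_latlon(x, y, z)
                hits.append((round(lat, 4), round(lon, 4), f"tile z{z}"))
    return hits


def extract(urls):
    """Map each URL that carries a location clue to its hits."""
    return {u: h for u in urls if (h := coords_from_url(u))}


if __name__ == "__main__":
    for label, urls in (("history", HISTORY), ("cache", CACHE)):
        found = extract(urls)
        print(f"{label}: {len(found)} of {len(urls)} URLs carry coordinates")
        for u, h in found.items():
            print("  ", u, "->", h)
```

Run as-is, the history list yields nothing while three of the four cache URLs resolve to coordinates; the tile request resolves to roughly 38.9 N, 77.0 W even though no latitude or longitude appears in the URL text, which is why keyword searching a cache for "lat" or "lon" alone under-reports. The plausibility check matters in practice: parameter names like `ll` are reused for unrelated values, and a loose regex will happily report an advertising identifier as a position.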
Geo-location artifacts have been a frequent focus of my research, and I am amazed at how quickly they are permeating operating systems, applications and file formats. In the fall of 2011 I had the pleasure of writing an article for Digital Forensics Magazine focused on browser-based geo artifacts, where much of this post was originally published.
One of the more revolutionary forensic artifacts to emerge in recent years is geo-location data. Geo-location gives us a means to identify, often quite precisely, the physical location of a device on Earth. It is now possible to determine where in the world a laptop or mobile phone has been, solely using host-based forensics. In a world of increasingly mobile devices, geo-artifacts can provide a crucial extra dimension to our investigations. With them, we now have the potential to answer who, what, when, why, and where.
Geolocation is booming and so are the artifacts left behind by the multitude of services adding this feature. But just how likely are you to find geolocation artifacts during a digital forensics examination? If you are reviewing mobile devices (including laptops), the simple answer is: very likely. The Pew Internet and American Life Project recently released the results of their 2011 study on mobile and social geolocation services. As expected, smartphone owners topped the list of users most likely to use geosocial and location-based services. With over 400 million smartphones estimated to be sold in 2011, the percentages can only go up. Interestingly, almost 30% of non-smartphone users also indicated they use geolocation services.
I was happy to see Pew asked respondents about their geolocation preferences. Many services do not have a one-time “use my location” feature or encourage users to save their location sharing settings long-term (see Twitter instructions below). This fire-and-forget approach can result in more interesting artifacts as users no longer consider the possibility that their location is being tagged to an action.
My article on geo-location artifacts was chosen as the cover story in Digital Forensics Magazine for this quarter (Issue 9, November 2011). It has been some time since I have written anything for published media, and the process was intriguing. It definitely gives me new respect for journalists that pound out print articles two at a time.
Geo-location forensics has been a focus of my research for a while, and I am fascinated with how much information our devices record about our activities and how little we collectively seem to care. You can record my browsing habits all day long, but once you start tracking my physical location, it feels so much more like spying. Hence the title, Big Brother Forensics. As smartphones and mobile devices near 75% of personal computer sales, geo-tracking capabilities will become even more pervasive, and even more lucrative to marketers. Importantly, devices can be geo-located and store location artifacts even if they do not contain a GPS capability. This includes laptops, netbooks, and older smartphones. Many of the most popular applications today, like Twitter, store information that can be used to pinpoint a device’s location, even if the user has not opted into sharing his/her location. This is great for forensic analysts, but consider the ramifications when malware authors begin to take advantage of this.