History of Encryption Continue Reading…

Excellent guide to Windows 8 forensic artifacts. Nice work @! http://t.co/pY0l3IlE
@chadtilbury
Chad Tilbury

 

UPDATE:  A new version of the Windows 8 Forensic Guide can be found here:  http://propellerheadforensics.com/

One of the fun things I have been working on is the huge revision of the SANS Forensics 508: Advanced Forensics and Incident Response material.  Rob Lee has spent the last ten years building and updating what has become one of the most well-known and respected digital forensics training courses.  The golden age of hacking is in full swing and a whole host of new threats have emerged, including state-sponsored espionage (aka APT), hactivism, client-side attacks, and crimeware.  Digital forensic investigations have never been more in demand.  However, computer intrusion and malware investigations require a very different skill set than the cases seen by the average forensic examiner.  Rob saw a great opportunity to update the FOR508 course to train this next generation of forensic professionals.  I estimate that at least 60-70% of the course and nearly every exercise  is new within the last year.  My specific part in the course is writing the new memory forensics day.  My forensic experience dates to the late 1990s, and I can’t remember any other advance in the field that has so fundamentally shifted the balance from the bad guys to the good guys.  Memory forensics is now a mature discipline and we have a wonderful array of  tools available, allowing us to analyze everything from raw memory files to hibernation files to crash dumps to live memory audits.   Memory analysis is a game changing skill and we spend a significant part of the new 508 course learning and incorporating the results of that analysis into the broader forensic process.

Continue Reading…

Leveraging the Application Compatibility Cache in ForensicInvestigations (Whitepaper) | http://t.co/O2PFBjm9 #DFIR
@chadtilbury
Chad Tilbury

 

UPDATE: A new Registry Ripper plugin, appcompatcache.pl, was written by Harlan Carvey based on this research.

UPDATE 2: The Volatility memory analysis framework now has a plugin, shimcache.py, for finding and parsing the Application Compatibility Cache from a memory image.

Application Specific Geo-location

Web applications can often leave their own geo-location clues similar to those found via the mapping services.  While mapping artifacts are largely consistent, geo-artifacts created by applications are more haphazard.  Thus the number of available artifacts can be as numerous as the applications using geo-location services.  To illustrate this, we will analyze the artifacts left by two popular location-aware applications: Flickr and Twitter.

Mobile Flickr Geo-artifacts

Flickr Location

Continue Reading…

Understanding Browser Artifacts

Geo-location artifacts demonstrate an interesting concept with regard to browser-based evidence.  Among the various browser artifacts, Internet history is a fan favorite because it provides such rich information.  There is no easier place to look to identify sites visited by a specific user at a specific time.  Browser history is so useful, a critical shortcoming is often ignored; with today’s dynamic web pages, the vast number of web page requests go unrecorded.  When a user visits a website, a multitude of requests are completed in the background to retrieve images and advertisements, populate web analytics, and load content from third parties.  The content retrieved from these requests is stored within the cache, and an entry within the cache database is created.  While the browser history database may only show the page visited, the cache holds most of the components retrieved to dynamically build that page.

Most browser-based geo-location artifacts are not stored within the browser history.  Looking back at the HTML5 standard, this makes perfect sense.  The fact that the API is JavaScript dependent is the first clue.  Also, the multiple steps and asynchronous nature of a geographical lookup indicate a lot is going on behind the scenes when that initial web page is accessed.  Luckily, data collected from the host must be passed to a geo-location service and those interactions are often recorded within the browser cache.  When content is cached, the URLs associated with the web request are also stored.  It is within these requests that we can mine geo-location parameters and coordinates passed to third parties such as Google Maps.

Continue Reading…

Geo-location artifacts have been a frequent focus of my research, and I am amazed at how quickly they are permeating operating systems, applications and file formats.  In the fall of 2011 I had the pleasure of writing an article for Digital Forensics Magazine focused on browser-based geo artifacts, where much of this post was originally published.

One of the more revolutionary forensic artifacts to emerge in recent years is geo-location data.   Geo-location gives us an accurate means to identify the physical location of an item on Earth. It is now possible to determine where in the world a laptop or mobile phone has been, solely using host-based forensics.  In a world of increasingly mobile devices, geo-artifacts can provide a crucial extra dimension to our investigations.  With it, we now have the potential to answer who, what, when, why, and where.

Continue Reading…

Handy TechNet article describing each of the services installed in the Windows Server & Wkstn family: http://t.co/q8EaTaHX
@mikepilkington
Mike Pilkington
Excellent paper on recovering network packets from free space. Interesting implications for geolocation | http://t.co/5hv2I83H #DFIR
@chadtilbury
Chad Tilbury

Biggest Security Breaches of All Time Continue Reading…