While doing some research on Linux forensics, I stumbled upon an excellent paper written by Gregorio Narvaez.  The paper is titled, “Taking Advantage of  EXT3 Journaling File System in a Forensic Investigation”.  Those of you who have performed linux forensics before know that the EXT3 filesystem dealt our field a serious blow with regard to file recovery.  When a file was deleted in EXT2, the pointer to the file inode within the directory entry was removed.  This severed the link between the file name layer and the meta-data layer, but all of the block pointers within the inode were maintained.  Thus, we could fully recover deleted files, but could not tie them back to their original filenames.  When EXT3 emerged, things took a nastier turn.  Now, instead of removing the pointer to the inode when a file is deleted in EXT3, all of the block pointers within the inode are deleted.  This makes data recovery in EXT3 much, much more difficult.  Luckily, the developers threw us a bone:  the EXT3 journal keeps copies of recently modified inodes, including complete copies of previously deleted block pointers!

Continue Reading…

Master Boot Record Malware Continue Reading…

International Cyber Defense Workshop

The string of financial disasters gripping the globe over the past few years is undeniable proof of the interconnected world that we now live in.  Of course, that comes as no surprise to those of us who investigate computer crimes.  I can’t remember a case I have worked on that didn’t have an IP address (or malware) sourcing back to a foreign entity.  The same technology that has increased our productivity and enhanced our quality of life has opened our doors to anyone with an Internet connection.  While many of the voices in the security world seem to be focused on improving domestic security, a key point gets missed: security in a massively interconnected world requires international cooperation and ultimately a global solution.  As an example, the FBI and US Secret Service have been very successful in recent years proving that they can reach out and touch international cyber criminals.  This simply would not be possible without the cooperation and support of foreign governments, courts and law enforcement.  Computer crime is a global phenomenon that can’t be kept in check without international cooperation

Continue Reading…

. @ Good information on decoding Windows prefetch path hashes by Yogesh Khatri http://t.co/f4xfW42c
@chadtilbury
Chad Tilbury

I had the good fortune to attend a High Tech Crime Investigation Association meeting in Singapore last week.  Attendees were primarily from the Singapore business community and represented a good cross section of forensic disciplines.  After giving a talk on Windows Shadow Copy forensics, I sat in on chapter business that included preparation for the annual HTCIA Asia Pacific conference in Hong Kong.  I thought I would provide the details in case anyone will be nearby in December:

Fifth Annual HTCIA Asia Pacific Training Conference

December 5-7, 2011

Cliftons, Hong Kong

http://2011.htcia.org.hk/

Why Windows NTFS fixup values matter in digital forensics -> http://t.co/aK0S3aTf #DFIR
@chadtilbury
Chad Tilbury

“Companies should not be behaving like supercookie monsters, gobbling up personal, sensitive information without users’ knowledge.”

- Ed Markey, Co-Chairman of the US House Bi-Partisan Privacy Caucus, calling for a FTC investigation into the increasing use of “supercookies”.

http://markey.house.gov/index.php?option=content&task=view&id=4527&Itemid=125

FTC Asked to Investigate Supercookies

Note: This post originally appeared on the SANS Forensics blog

Daunting as it may seem, one of the most wonderful aspects of Windows forensics is its complexity.   One of the fascinating aspects of digital forensics is how we often leverage conventional operating system features to provide information peripheral to their original design.   One such feature is the Windows NTFS Index Attribute, also known as the $I30 file.  Knowing how to parse $I30 attributes provides a fantastic means to identify deleted files, including those that have been wiped or overwritten.

Continue Reading…

How big is a Zettabyte? Continue Reading…

“The computer that allowed us to stare in wonder at the world has allowed the world to stare pitilessly back at us.”

Paul Theroux from How Apple Revolutionized Our World

How Apple Revolutionized Our World