This news feed is supplied with permission from the Forensic Focus website. To read more on any news snippet click on its headline.
Using Geolocation Artifacts and Timeline Analysis to Solve the Case: A Digital Forensics Case Study
Date: Wednesday December 11, 2013
Time: 11:00am GMT (6:00am EST)
Duration: 60 mins
In this webinar, Jad Saliba of Magnet Forensics will take you through a fictional case study involving child luring that led to murder. You will discover how digital forensics, geolocation artifacts and timeline analysis in particular can be critical in solving cases like these and where you can look to find the artifacts. The data analyzed will include a PC image and a mobile device image, showing how both sources of evidence can provide valuable insight into what happened, where to start a search for a missing person, and the corroborating evidence to support criminal charges.
REGISTER TODAY HERE
Posted: 29 November 2013
File History is a new backup service introduced in Windows 8. By default this feature is off and to turn it on, the user has to select a backup location – either a network drive or external storage media. Thus, it does not allow the user to use the same disk. File History backs up files of the Libraries, Desktop, Contacts and Favorites folders. There is an option to exclude any folder(s) that users don’t want to back up. Notice that File History is unable to back up your folders synced with cloud storage service(s). According to Microsoft, “File History doesn’t back up files on your PC that you have synced with SkyDrive, even if they’re in folders that File History backs up.” Once turned on, File History automatically backs up the folders every hour by default; however, this interval can be changed easily in advanced settings. In addition, at any time, the user can manually run the service. File History appears as fhsvc in the Task Manager and some associated DLLs are fhcfg.dll, fhcpl.dll and fhsvcctl.dll…
Read More
Posted: 27 November 2013
Every rootkit employs a wide range of masquerading techniques to prevent its detection. Anti-virus and anti-malware tools must perform what is called, in forensic terms, “live box analysis”, performing a real-time scan of a live system. No wonder rootkits can actively resist detection by either hiding themselves or messing with anti-virus software or the system kernel. This constant battle makes rootkit detection not only difficult and unreliable, but disruptive and potentially dangerous to system stability and the integrity of user data.
This paper proposes moving away from the live box analysis approach and analyzing raw memory dumps offline. The authors propose a new rootkit analysis methodology based on using the Windows built-in debugger, WinDbg, to analyze snapshots of the computer’s volatile memory. The paper proposes a comprehensive classification of rootkits and their masquerading techniques, and demonstrates which types of rootkits can be detected with the proposed analysis methodology. Some of the described algorithms can be quickly implemented using WinDbg’s built-in scripting language. Finally, the proposed methodology is tested in the real world to detect existing rootkits…
Read More
Posted: 26 November 2013
DFRWS USA has a long history of being the foremost digital forensics research venue and has decided to hold a sister conference to bring the same opportunities to Europe. The first annual DFRWS EU conference will be held from May 7 to 9, 2014 in Amsterdam, NL.
The annual DFRWS conference allows leading digital forensics researchers from government, industry, and academia to present their work and results to fellow researchers and practitioners. Many of the most cited digital forensics papers have been presented at DFRWS and the annual challenge has spawned research in important areas. Initial results and tool prototypes are also presented during the Works in Progress and demo sessions.
Posted: 26 November 2013
Apple recently released the newest version of their desktop operating system, Mac OS X Mavericks. As a free update to all supported Apple desktops and laptops, a wide adoption rate was expected, and in fact it was estimated that within the first 24 hours, 5.5% of all Mac laptops and desktops were already running the new operating system. It becomes necessary for a forensic examiner to understand how changes to the file metadata system can be used as a source of new evidence during an investigation. In this article, I would like to cover two significant changes to the metadata generated by OS X Mavericks that, if properly preserved, can be a useful source of evidence.
There is a convenient feature in OS X Mavericks which allows you to open a document that has been saved from an email, make a change to that document (applying a signature to a PDF, for example), and “Reply” to the original email from within the Preview app’s share function…
Read More
Posted: 21 November 2013
Nuix, a worldwide provider of information management technologies, and ADF Solutions, the market leader in media exploitation and digital forensic triage tools, today announced they have formed a technology, sales and marketing partnership to combine their strengths in digital forensic triage, indexing and investigation.
Investigators can use ADF’s Triage-G2, Triage-Examiner and Triage-Responder applications to rapidly analyze and triage large numbers of potential evidence sources including computers and flash storage media. ADF’s software exports forensic images together with all work product for indexing and analysis in the Nuix Investigator range of applications. Investigators can then process the selected devices, gather and cross-reference intelligence, analyze the evidence and conduct collaborative investigations with multiple investigators and subject matter experts.
Posted: 20 November 2013
Leading search engine companies Google and Microsoft have agreed measures to make it harder to find child abuse images online. As many as 100,000 search terms will now return no results that find illegal material, and will trigger warnings that child abuse imagery is illegal.
PM David Cameron has welcomed the move but said it must be delivered or he would bring forward new legislation. Child protection experts have warned most images are on hidden networks…
Read (BBC)
Posted: 19 November 2013
Welcome to this round-up of recent posts to the Forensic Focus forums.
Is it possible to establish when an image was viewed in Firefox?
A guitar pick and a sharp blade is all you need to open a NAS drive.
Forum users confer about how to identify a Paypal account name.
What are the pros and cons of ISO 17025 accreditation?
Forum members discuss improvements they’d like to see in future forensic suites.
Chip off or JTAG? Let us know in the poll.
Forum users discuss how graduates can make themselves stand out from the competition.
How vital are industrial qualifications in digital forensics?
Posted: 15 November 2013