Archives For November 2011

A year after release, the Malware Analyst’s Cookbook continues to elicit uniformly high praise from the security community.  It is one of those rare books that only come around once every few years.  The breadth of information covered is staggering, and it makes an excellent reference to return to as your skills develop.  If I could make one recommendation, I would encourage readers to not wait to read the last four chapters of the book.

The last quarter of the book covers memory forensic analysis, and it is the definitive resource currently available on the subject (either online or in print).

New version of Mac Memory Reader released. Any progress on Mac Volatility support? (via @)
Chad Tilbury

Update: Corey Altheide recommended the Volafox project for Mac OS X memory analysis:

Geolocation is booming and so are the artifacts left behind by the multitude of services adding this feature. But just how likely are you to find geolocation artifacts during a digital forensics examination? If you are reviewing mobile devices (including laptops), the simple answer is: very likely. The Pew Internet and American Life Project recently released the results of their 2011 study on mobile and social geolocation services. As expected, smartphone owners topped the list of users most likely to use geosocial and location-based services. With over 400 million smartphones estimated to be sold in 2011, the percentages can only go up. Interestingly, almost 30% of non-smartphone users also indicated they use geolocation services.

Geolocation Service Usage

I was happy to see Pew asked respondents about their geolocation preferences. Many services do not have a one-time “use my location” feature or encourage users to save their location sharing settings long-term (see Twitter instructions below). This fire-and-forget approach can result in more interesting artifacts as users no longer consider the possibility that their location is being tagged to an action.

My article on geo-location artifacts was chosen as the cover story in Digital Forensics Magazine for this quarter (Issue 9, November 2011).  It has been some time since I have written anything for published media, and the process was intriguing.  It definitely gives me new respect for journalists that pound out print articles two at a time.

Geo-location forensics has been a focus of my research for a while, and I am fascinated with how much information our devices record about our activities and how little we collectively seem to care.  You can record my browsing habits all day long, but once you start tracking my physical location, it feels so much more like spying.  Hence the title, Big Brother Forensics.   As smartphones and mobile devices near 75% of personal computer sales, geo-tracking capabilities will become even more pervasive, and even more lucrative to marketers.  Importantly, devices can be geo-located and store location artifacts even if they do not contain a GPS capability.  This includes laptops, netbooks, and older smartphones.  Many of the most popular applications today, like Twitter, store information that can be used to pinpoint a device’s location, even if the user has not opted into sharing his/her location.  This is great for forensic analysts, but consider the ramifications when malware authors begin to take advantage of this.

While doing some research on Linux forensics, I stumbled upon an excellent paper written by Gregorio Narvaez. The paper is titled “Taking Advantage of EXT3 Journaling File System in a Forensic Investigation”. Those of you who have performed Linux forensics before know that the EXT3 filesystem dealt our field a serious blow with regard to file recovery. When a file was deleted in EXT2, the pointer to the file inode within the directory entry was removed. This severed the link between the file name layer and the metadata layer, but all of the block pointers within the inode were maintained. Thus, we could fully recover deleted files, but could not tie them back to their original filenames. When EXT3 emerged, things took a nastier turn. Now, instead of removing the pointer to the inode when a file is deleted in EXT3, all of the block pointers within the inode are zeroed. This makes data recovery in EXT3 much, much more difficult. Luckily, the developers threw us a bone: the EXT3 journal keeps copies of recently modified inodes, including complete copies of previously deleted block pointers!
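
To make the mechanism concrete, here is a small added example (my own illustration, not code from the paper or from the post) that parses the block-pointer field of the on-disk ext2/ext3 inode and shows why a journal copy is worth carving: the current inode-table entry for a deleted file has zeroed pointers, while an older logged copy of the same inode still carries them. The inode bytes and journal sequence numbers are constructed test data, and the journal is modelled simply as a list of (sequence, inode bytes) already matched to one inode number; real journal parsing has to walk descriptor blocks to find which filesystem block each logged block belongs to.

```python
import struct

# Field offsets within the 128-byte on-disk ext2/ext3 inode (little-endian).
I_SIZE = 4
I_DTIME = 20     # deletion time; set once the inode has been freed
I_BLOCK = 40     # 15 x u32 block pointers: 12 direct, 1 single, 1 double, 1 triple indirect
INODE_SIZE = 128

def build_inode(size, dtime, block_ptrs):
    """Constructed test inode (not from a real image): only the fields we parse are set."""
    ptrs = list(block_ptrs) + [0] * (15 - len(block_ptrs))
    buf = bytearray(INODE_SIZE)
    struct.pack_into("<I", buf, I_SIZE, size)
    struct.pack_into("<I", buf, I_DTIME, dtime)
    struct.pack_into("<15I", buf, I_BLOCK, *ptrs)
    return bytes(buf)

def block_pointers(inode):
    """Return the non-zero block pointers stored in the inode's i_block array."""
    return [p for p in struct.unpack_from("<15I", inode, I_BLOCK) if p]

def dtime(inode):
    return struct.unpack_from("<I", inode, I_DTIME)[0]

def recover_block_pointers(on_disk_inode, journal_copies):
    """on_disk_inode: current inode-table entry (ext3 zeroes its pointers on delete).
    journal_copies: [(journal_sequence, inode_bytes), ...] for the same inode number,
    as carved from logged inode-table blocks. Returns the pointers from the newest
    pre-deletion copy, or [] when the journal no longer holds one (it wraps quickly)."""
    if block_pointers(on_disk_inode):
        return block_pointers(on_disk_inode)          # file is live, nothing to recover
    for _, copy in sorted(journal_copies, key=lambda c: c[0], reverse=True):
        if dtime(copy) == 0 and block_pointers(copy):
            return block_pointers(copy)
    return []

# Constructed scenario: a 3-block file at blocks 1000-1002, later deleted on ext3.
live_copy = build_inode(size=12288, dtime=0, block_ptrs=[1000, 1001, 1002])
deleted_on_disk = build_inode(size=0, dtime=1320000000, block_ptrs=[])
journal = [(41, build_inode(size=4096, dtime=0, block_ptrs=[1000])),  # earlier write
           (42, live_copy),                                         # last pre-delete state
           (43, deleted_on_disk)]                                   # the deletion itself

if __name__ == "__main__":
    print("on-disk pointers:", block_pointers(deleted_on_disk))
    print("recovered from journal:", recover_block_pointers(deleted_on_disk, journal))
```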