Forensic Blogs

An aggregator for digital forensics blogs

September 20, 2019 by LCDI

Exploring Axiom 3.0 and the Child Protection System at MUS 2019

Introduction:

This past April, I had the opportunity to attend the Magnet User Summit 2019 as a representative of Champlain College. This year marked my first year attending a conference in addition to being a first-year student. I couldn’t be more grateful for this opportunity, and I consider myself lucky to have networked with industry professionals and learned from them as an undergraduate student.

Session Review:

Child Exploitation: Collaboration to combat online child sexual exploitation

One of my favorite sessions from this year’s conference was “Child Exploitation: Collaboration to combat online child sexual exploitation”. Bill Wiltse and Patrick Beaver, two professionals from Child Rescue Coalition, presented the session. Wiltse and Beaver gave a compelling presentation on how investigators use Magnet Forensics’ newly launched Axiom 3.0 in conjunction with the release of the new site to help catch sex offenders.

The new site is CPS, also known as the Child Protection System. It originally started in 2004 but was redone as of 2019. The CPS site monitors nine systems that sex offenders frequent, brings all of that data back, and puts it into a joint centralized database. It then examines the results and stores them in a document as evidence. On average, 20-30 million records go into this database a day. CPS is a centralized database of all the targeted sex offenders in a region. In 2010 it was discovered that this database is so trustworthy that law enforcement officers use it as the sole basis for search warrants, its original purpose.

Axiom comes into play here as it highlights IP addresses using keywords linked to child exploitation. This program can detect how many files are on a predator’s computer, the profile make-up of the victims, and intent to distribute or cause physical harm.

Conclusion:

My biggest takeaway from this session was how useful Axiom is with the centralized database to catch sex offenders. Both professionals highlighted how this database is constantly providing useful information to law enforcement to make decisions about threats.

MUS provided me with opportunities to broaden my understanding of the digital forensic and cybersecurity industries. I also got to connect with others who are just as passionate about these fields as I am. Even more, I was able to explore and experience Nashville with my friends! I’d like to thank Magnet Forensics and Champlain College for affording me the opportunity to attend Magnet User Summit 2019. I can only hope to attend another conference next year!


Blog written by Champlain College first year Angel Gallien.

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Exploring Axiom 3.0 and the Child Protection System at MUS 2019 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.


September 20, 2019 by LCDI

Magnet User Summit Experience

Thanks to Champlain College, I was able to attend this year’s Magnet User Summit. As a first year, I was concerned as to how well I would understand the topics and concepts. However, I found that I was well prepared. My internship this semester at the LCDI helped most of all, as it provided me with knowledge not just of digital forensics, but of the work environment as well. The conference was fascinating, and I was able to learn more about the ever-changing environment of ITS.

Improvise, Adapt, and Overcome

The Improvise, Adapt, Overcome: A New Mantra for Digital Forensics Professionals lecture was presented by Cindy Murphy, president of Gillware Digital Forensics. The talk focused on challenging the unwritten rules and truths of cybersecurity and digital forensics and turning to improvise, adapt, and overcome obstacles. Specifically, it challenged the rules and knowledge of imaging, firmware, and hardware. With imaging, Murphy discussed how an image that shows all zeros is not actually empty. You’re also not getting a full forensic image from a hard drive. Murphy also mentioned the importance of investigating NAND flash memory, which is often overlooked.

With firmware, Murphy discussed how important its role is as the go-between for hardware and operating systems, and how that role is frequently underestimated. Hardware has the similar issue of being neglected in investigations. In fact, transplanting chips from damaged hardware onto identical functioning hardware can be incredibly helpful in investigations. Most importantly, Murphy argued that members of the ITS industry need to learn to keep moving forward in this ever-changing environment.

Guest Keynote on the Evolution of the Digital World

The guest keynote was presented by Ovie Carroll, director of the DOJ CCIPS Cybercrime Lab, SANS instructor, and author. He reflected on the evolution of the digital world and segued into the newest innovations of the modern day and what’s to come. This included Bluetooth stones and other similar devices, which currently serve as miniature hotspots that relay information to smartphone-clad passersby and to the cloud. Carroll explained how clouds add value to the pre-search phase of investigations. Cloud storage is becoming more common, lessening the value of seizing hardware and increasing the importance of obtaining data before it’s deleted remotely. He also discussed the rising frequency of encrypted computers, and the importance of RAM images, encryption, and hard drive images. We were reminded of, and given digital examples of, Locard’s evidence transfer principles.

Discussions relating to mental health and self-confidence were brought up as well. We were reminded that there’s no such thing as a full forensic investigation and that you will always miss an artifact. As a result, the investigator shouldn’t feel disheartened when their data is passed to a second pair of eyes. In fact, a collaborative approach to forensic analysis was recommended and was echoed by many in the following talks.

Powershell vs Python

The Leveraging Powershell and Python for Incident Response and Live Forensic Applications lecture was presented by Chet Hosmer, author of Python Forensics. The fundamentals, integration, and applications of both PowerShell and Python were discussed. Hosmer presented PowerShell as a great acquisition engine that provides digital investigators with a set of cmdlets and access to the internals of Windows, Linux, and Mac desktops and cloud services. He presented Python as a relatively straightforward, understandable, and object-oriented scripting language. Its environment allows for the rapid development of new tools, deep analysis, automation, and the correlation of evidence. Hosmer then demonstrated two different integrations live. Both of these integrations allow for better solutions for incident response, live forensic investigation, and e-Discovery.

I was able to attend many other lectures as well, such as the Magnet Forensics keynote, the Panel of Corporate Forensics Experts, and the Axiom Essentials Lab. The conference covered a wide range of fascinating topics, yet provided a consistent environment that was friendly and inviting. Other participants were eager to speak with Champlain students and viewed us as equals, sharing tips and engaging in discussion. It’s a community that other students and I are excited to participate in, and hope to again at the next conference!


Blog written by Champlain College first year Hayley Froio.

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Magnet User Summit Experience appeared first on The Leahy Center for Digital Forensics & Cybersecurity.


April 25, 2019 by LCDI

Elcomsoft Tool Evaluation Blog 3

More Evaluations & Final Report!

Recently we’ve focused on evaluating more Elcomsoft applications as well as putting together our final report. We continued to use the same scoring criteria from our previous blog to test these tools. The applications we tested include Advanced PDF Password Recovery, Proactive System Password Recovery, Advanced Archive Password Recovery, Elcomsoft System Recovery, Elcomsoft Cloud eXplorer, Elcomsoft Internet Password Breaker, and Distributed Password Recovery.

Advanced PDF Password Recovery:

Advanced PDF Password Recovery is another helpful program by Elcomsoft and can decrypt any password-protected PDF file. This program is nearly identical to Advanced Archive Password Recovery in the way it looks and operates. The only notable difference between the two tools is that Advanced PDF Password Recovery has a few more attack options. These are: brute force, mask, dictionary, plain-text, winzip recovery, and password from keys. Similar to Advanced Archive Password Recovery, the user will have to read through the available manual to understand all the functions and attacks.

(interface of Advanced PDF Password Recovery)

Once the user has input the encrypted PDF into the program, it will get to work. Depending on the type of attack and the set specifications, it can take a fair amount of time to finish. The program will get the password and decrypt the document as long as the password fits within the set parameters. We have tested this program with multiple passwords ranging in length and character types, and we have come to a conclusion about the program. We give this tool a score of 5. The program is completely functional and will get the task done; however, in order to be certain of which attack to use, as well as the capabilities of the program, the user will want to reference the help manual and a few online tutorials to fully understand the tool. Because this application is almost identical to Advanced Archive Password Recovery, it seems appropriate that they should receive the same score. They are both well-made tools, but could use improvement in the same areas.

Proactive System Password Recovery:

Using the same scale, we would rate Proactive System Password Recovery a 3. This tool is simple to use and its tasks can be performed with the touch of a button. There are five different sections of information to find and use on the program. The sections include main menu, advanced features, revelation, misc, and Recover PWL. Each section has a unique purpose and finds different information.

We accessed this information easily. The tool does everything on its own since it just takes the information from the system. With administrator access, the user can do more with the tool. They can decrypt some of the information found on the system, like hashes, passwords, and more. All of the information is saved to a file for later reference, which shows everything captured by each section of the tool.

Advanced Archive Password Recovery:

Advanced Archive Password Recovery is a useful program that can obtain the password of encrypted ZIP and RAR files. After spending some time evaluating, we’ve become familiar with the ins and outs of this tool. The interface of the program reminded us of the Advanced Office Password Recovery program, also distributed by Elcomsoft, but with fewer options for types of attacks. These attack choices include brute force, dictionary, mask, and key search. Since each of these attacks usually takes a significant amount of time, the user will have options to narrow down the specifications a bit in ways such as password length, range options (i.e. lower-case, upper-case, numbers, symbols, etc.), and dictionary types.

(interface of Advanced Archive Password Recovery)

To break the encryption, the user will need to choose the specific ZIP or RAR file and then specify how the attack should approach the file. Once the process has started, the tool will notify the user how long it will take until all the password possibilities have been exhausted.

After testing this program with multiple password-protected files, we have decided to give the program a 5. The tool will definitely retrieve the password as long as the user inputs the correct specifications and uses it on either ZIP or RAR files. The program interface and tool options are cluttered, and someone with no experience in the field would most likely not know how to run the program. They would need to browse the manual to understand the process, and it would take a significant amount of time studying the program to understand all the available features in the tool. Overall, however, the tool works well and isn’t so complex that it becomes unusable, given a bit of extra spare time to understand it.

Elcomsoft System Recovery:

Following the same evaluation process, we would rate Elcomsoft System Recovery a 5. This tool requires some work that takes experience. However, the interface is easy to read and understand. In order to download the system files, the user has to create a partition on a USB drive to download the files to. After that, the user can open the tool, navigate through the wizard, and create the ESR bootable disk on the USB. The tool will download a copy image of the files.

Once everything is copied onto the USB, it’s safe to remove it and power down the computer completely. The USB then needs to be plugged back into the computer, which needs to be powered on again. The user needs to quickly gain access to the BIOS screen, which will bring up the Elcomsoft version of the BIOS screen from the USB. From there, the user will have multiple options for what to do with the system files. Under CMD.EXE, they can change the local user account, dump password hashes, dump domain cached credentials, backup SAM (where you can change computer passwords to get access to computer systems as though they are yours), restore SAM (in case something goes wrong), and use the SAM editor.

Elcomsoft Cloud eXplorer:

After testing Elcomsoft Cloud eXplorer, we believe this program is everything anyone could ask for in a tool like this. Upon opening, the user will be greeted with a clean-looking program with hardly any options and zero clutter. The user’s only options (besides changing the settings and checking the help manual) are to add a Google snapshot or to download a Google Drive file. Upon selecting either of these choices, the user will be asked to enter the Google account information or a Google token to gain access to the info. If that’s successful, the program will allow them to choose what they want to download from the account, including the drive, computer, and deleted and shared files.

(interface of Elcomsoft Cloud eXplorer)

The important thing to note about this program is that its job is not to figure out the password to the Google Account. It assumes the user has the password already and simply wants to download the files from the account.

After all of that is done and the download location has been selected, all the files can be viewed. Everything is presented in an organized file format so the user can find exactly what they are looking for. We’ve used this program for multiple Google accounts and it completes the task at a relatively fast pace every time. Given how simple the program is and how well it functions, we give this tool a score of 1. We feel most anyone would be able to use it on their first attempt without any assistance, and that there isn’t a better program out there to download Google Drive files and Google snapshots. This is one of Elcomsoft’s best products we’ve tested so far and is worthy of earning a coveted score of 1.

Elcomsoft Internet Password Breaker:

Using the above scale, we would rate Elcomsoft Internet Password Breaker a 3. This tool does everything really simply. The user can open a PST file, web browsers, or mail. The web browser option works for Internet Explorer, Microsoft Edge, Google Chrome, Apple Safari, Mozilla Firefox, Opera, and Yandex Browser. For mail accounts, the tool uses OE News Accounts, OE Mail Accounts, OE Identities, Outlook accounts, Thunderbird, W[L]M Mail Accounts, and W[L]M News Accounts.

We accessed this information by using different account information on Microsoft Edge and Google Chrome. While using one of the accounts, we found that one account can lead to more than one username and password. It is possible that any usernames or passwords saved to a Google account can access any saved passwords. The passwords are easy to extract. We pressed ‘Web Passwords’, chose which web browser we used, and got all the information for the accounts, as long as the passwords were saved to the browser.

It is easy to access individual passwords and export the passwords into a file with the click of a button as well. Recovery of usernames and passwords is easy if the tool has access to the web browser. It is most useful when downloaded onto a computer to access or recover passwords. This tool is user-friendly and effective with some prior knowledge of its purpose and capabilities.

Distributed Password Recovery:

Distributed Password Recovery is a very unique password cracking tool in that it supports many different types of file formats instead of just a single program. Due to its elaborate-looking setup, the user might be intimidated by the program. There are many options available, including tasks, agents, connection, messages, and dictionaries. Most of these tabs won’t be necessary in the password restoration process. If the user wishes to learn all of the functions, they can refer to the manual installed with the program.

(interface of Distributed Password Recovery)

To start the process, the user will import the file they want cracked and have a list of attacks they may want to use: dictionary, mask, or brute force. Once they’ve chosen an attack, the process begins, and it will inform the user how long the tests will take. Then it will let the user know whether it was able to recover the password or not. This is where we faced an issue with the program. From what we can see, there is no way to view the recovered password. We have read through the manual, watched tutorials, read online materials; however, despite all of our best efforts, we can’t figure out how to access the cracked document.

We couldn’t get the program to function properly, and many of its unnecessary features require reading through the manual. As a result, we are giving this tool a score of 13. On the surface, it may not look too bad, but we haven’t found any other program from Elcomsoft as complex and difficult as this one. We will continue to try to figure out more about how to use this program. At this point, however, we’ll stick with this score, given the password seems unattainable.

Conclusion

Elcomsoft has produced an array of quality tools that all impress us as we continue to individually test them. They all prove to be useful in some capacity and luckily none of them are too complex. With a little bit of reading and research, we have been able to figure out just about every component. In the upcoming weeks, we will see if there are any other tools we think would be crucial to evaluate. We will also focus on getting our final report to near completion.

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI to see other important information pertaining to our project!


The post Elcomsoft Tool Evaluation Blog 3 appeared first on The Leahy Center for Digital Investigation.

