computer forensics Archives

September 20, 2018 by LCDI

Beyond Digital Forensics

Introduction

When I first found out I was going to attend OpenText Enfuse 2018, I wondered how my major and minor would fit into the conference. I’m a computer information technology major and have a minor in cybersecurity. I was going to a conference marketed towards digital forensics. I assumed I would have a hard time finding things relevant to my field of studies. Still, I was excited to be exposed to the digital forensics industry. I was counting down the days until the conference started. I didn’t realize the true value in attending Enfuse until I got there.

opentext

More Than Just Digital Forensics I attended a session called “CyberSecurity Challenges in Healthcare and Life Sciences.” I thought it would help me understand more about my minor and apply what I’ve been learning in my classes/coursework to real life situations. One presenter was Edward J. McAndrew, who runs an incident response team. The other was Brian A Coleman, who supports internal forensic investigations for the company Pfizer. The two brought in great perspectives on new threats that are happening in the industry. When asked who we should worry about, they replied, “anyone with heartbeat.” Threats constantly happen both inside and outside of the company. This presentation gave an update on the industry rather than demonstrating a new skill or tool like the other sessions. McAndrew and Coleman explained the latest security threats. Threats such as extortion, cyber fraud, phishing attacks and espionage, all of which affect companies on a daily basis. They also addressed the results of these threats, and the importance of protecting data like health information. If data is breached, it breaks dozens of policies and agreements, such as HIPAA. These breaches could get companies in a lot of trouble. At the end of their presentation, McAndrew and Coleman talked about new laws and policies that are being introduced as a result of these attacks. This presentation was an in depth overview of the cyber security industry, which applies to my own course of study and will help me in my future career. It is important for everyone in the technology industry to understand the challenges we face every day of threats and attacks. Companies also need to be ready for them in order to prevent devastating loss. This presentation proved to me that now more than ever, we need to be aware of cyber threats in this world so we can take actions to prevent them. It was an amazing experience to hear professionals talk about things that are currently happening in the industry. I walked away from this session feeling more knowledgeable on an unfamiliar topic. Conclusion

Not only was I able to attend awesome cyber security sessions, I was also able to get my feet wet in the digital forensics industry and network with other professionals. I will be forever grateful to Champlain College and OpenText for allowing me to attend such an incredible conference. It gave me opportunities to build my professional network and catch up on the newest technologies in the fields I’m pursuing. It opened my eyes to what this technology has to offer, and I hope to attend this conference again one day!

To learn more about the LCDI or our projects. Follow us on our Facebook and Twitter pages or send an email to lcdi@champlain.edu!

The post Beyond Digital Forensics appeared first on The Leahy Center for Digital Investigation.

August 21, 2017 by Chad Tilbury

SANS FOR500 vs. FOR508

UPDATE: I am excited to announce that SANS FOR408 is now FOR500. Over the last few years, we have continued to add more technical content to the class while ageing out some of the more basic material. While the class still provides an excellent framework for conducting Windows forensic analysis, the course difficulty level has shifted to the SANS “5” level. It gives us the freedom to teach some of the more complex forensic artifacts and techniques while still staying true to keeping it a “foundational” forensics course. See for yourself: FOR500.pdf

Rob Lee put together a webcast discussing some of the class updates and changes: https://www.sans.org/webcasts/103377

With the major expansion of forensic curriculum at the SANS Institute, I frequently get questions about what class(es) to take. If you are trying to decide between FOR408 (Windows Forensics) and FOR508 (Advanced Forensics and Incident Response), this is the best comparison I have seen online.

I found the following quote particularly insightful: “508 is not a more advanced version of the 408, it’s a completely different course with completely different objectives.”

Digital Forensics Tips blog: A look at how the SANS computer forensics courses 408, 508 and 610 fit together |buff.ly/ZlZqwH #DFIR

— Chad Tilbury (@chadtilbury) May 23, 2013

April 26, 2017 by LCDI

Application Analysis: Conclusion

Introduction:

To close out our list of Web Apps, we finished up on Discord. It has been an interesting experience for us to work with the three diverse apps over the last semester. Our analysis on Discord brought our research to a close. Seeing several key similarities with our first application Slack, it was an ideal application to close out our research for the side by side comparison.

Our Process:

With our final app, we utilized similar testing methods to Slack; we created a set of Test Channels and generated user data. After that was done, our team made a clone of the Virtual Machine, then deleted Discord on the original and promptly analyzed the images. In our findings, we noticed very similar behavior in storage of cached images when compared with Slack, although the content they each stored varied greatly. To read more about this topic, check our report which will be published soon.

In comparison of these apps, Dropbox was the most straightforward. However, it lacked the robustness of the other Web Apps as it lacked the expansiveness of XML. The app did not change much from the front end in terms of design. For the User Data, Dropbox’s local sql database provided information of what files were found on the Machine, along with deleted files visible in the cache. In contrast, Slack and Discord were two sides of the same coin. They both featured a strong use of XML to manage their styles, and featured images of user profiles and stored the urls of certain cached images. Discord did end up having one major difference. We were able to find bits of the messages amongst Win7enterpriseTest1\C\Users\User\AppData\Roaming\discord\Cache in messages?limit=50. We’ll have a deeper indepth look at this in our final report.

Analysis: Discord Artifacts

Going into Discord, we expected to find close to nothing on the local files of the web application, but after getting a closer look, we found out we couldn’t be more wrong. Discord has a strong security statement stating that they take the reasonable steps to ensure a user’s information is protected.

Application

The uses of caching and SQLite formatting allowed us to recover artifacts such as the aforementioned chat logs to the images and files uploaded. Interestingly, one of Discords more interesting features is its database’s storage of frequently used Emojis. In comparison, the Business Web Applications tried to stick to the bare minimum and focus on the bare bones such as only having time stamps and ID values. Dropbox’s Local Database primarily focused on this with it having extensive storage on File information, though it was lacking in the niches of Discord, which, as mentioned before, even stored emoji usage. A more extensive comparison can be found in our Final Report.

Conclusion:

With increased integration of platforms such as Discord, Dropbox and Slack, there will be an increased need for privacy. Implementation without security will continue to allow various security flaws to exist. However, it must be remembered that with the need for Security comes the need of usability. To remain a strong web application with a following, an ease of use, and efficiency must be maintained.

Through the process, our group learned a lot and got deeper insights on Web App Forensics. We hope this Blog can hold you over before the final report drops. Stay tuned!

Questions or comments? Please share with us in the comment section below! You can also reach out to our Twitter and Facebook or email us at lcdi@champlain.edu.

The post Application Analysis: Conclusion appeared first on The Leahy Center for Digital Investigation.