Forensic Blogs

An aggregator for digital forensics blogs

December 5, 2019 by LCDI

Leahy Center Student Showcase: Liam DiFalco

Introduction to the Leahy Center Student Showcase

The Leahy Center for Digital Forensics & Cybersecurity employs students from a wide array of different states, backgrounds, and skillsets. Through this diversity, we can constantly challenge our status quo and stay at the cutting edge of forensic research. Above this, however, we are able to build a fantastic, inclusive community, one that allows anyone to foster their love for digital forensics and cybersecurity into workable skills and make meaningful connections in the workplace. We would like to shine a spotlight on those who help make the Leahy Center the place it is. The student interns that work at the Leahy Center are not only learning the skills they need for a future in digital forensics, but also contribute fresh perspectives and work to make the Leahy Center a lively place.

Our first student is Liam DiFalco, a high school student from Burlington High School. Working with college students and trained professionals is intimidating, so we took a look into how Liam interacts with the Leahy Center to further his education. Thank you, Liam, for allowing us to interview you!

#1: Liam DiFalco

Editor: “Hey Liam, how’s it going?”

Liam: “Pretty good.”

Editor: “So tell us a little about yourself. Where are you from? What do you do, what are your interests?”

Liam: “Well I live in Burlington, Vermont, but I was born in Bristol. I go to school at Burlington High School, and I have interests in computers and cars. In fact, building cars is a hobby of mine. I’m trying to get Digital Forensics as my major going to Champlain College.”

Editor: “Living in Burlington, how easy is it for you to pursue those interests in data recovery and computer stuff?”

Liam: “Well, I mean, it’s certainly not as populated a state as, say, California. There’s not as many tools or resources as there are in very populated cities, but living in Burlington, it’s nice to have access to the Leahy Center and all of these tools, as well as people that know what they’re doing to help teach you how to use them.”

Editor: “How did you hear about the Leahy Center?”

Liam: “Well, I actually have a relative who works in this building, so I’ve been here several times. I’ve seen this place as I go back and forth, and I ask, “What do they do? It looks really impressive.” It wasn’t until last summer, when I heard about DFCS Academy, where I was like, “OK, I want to do this so I can get more involved with whatever is going on over here,” and I learned more about digital forensics and cybersecurity in those two weeks than I have in my entire life.”

Experience at the Leahy Center

Editor: “Speaking of your experience here, what kind of things are you doing? What kinds of projects are you working on?”

Liam: “Even though it’s been a few weeks, I’m still getting a hold of everything that I need to be learning, including using VMware, learning the lingo, and learning all the different tools I need to use. It’s still pretty fascinating to me. I could spend days on end in that lab, searching through a drive or just doing research on what I need to do. It’s just interesting, there’s so much I could learn from it.”

Editor: “Can you go into a bit more detail on the different tools that are available to you here that you might not have access to elsewhere?”

Liam: “Just in data recovery, there’s Axiom, EnCase, all the VMware tools, thousands of dollars worth of software that I would never be able to use at my house. There are 3-D printers, powerful and expensive computers, write blockers, different kinds of forensic tools that I can delve into, it’s a trove of tools you can use to stop cyber-crime and learn something.”

Editor: “Talk to us about the community here. What is it like working on projects with the people who are on your shift with you?”

Liam: “Working with the people in my group, the data recovery group, is pretty good. They’re very independent. They know what they’re doing. It’s interesting to see and watch what they’re doing through the Trello boards and different blog posts we have. During my first couple of days here, I was pretty intimidated. I was a little bit shorter than everyone else, I didn’t really know anybody, but everybody here is extremely friendly, extremely kind.”

Balancing School and Work

Editor: “How does the stuff you’re doing in high school tie in with the stuff you’re doing here at the Leahy Center? Is there any interconnected material between both of them?”

Liam: “Well, surprisingly, yes and no. In almost every class I can bring up something that I learned about here. This is a weird example, but when I’m talking to students about deleting files on your phone or computer, they don’t understand the concept that it’s still there, it’s still gonna be there. It’s kind of interesting to see how much more I know about this stuff than them and seeing all the stuff they know about that I don’t.”

Editor: “You seem pretty driven in your work here. You’re still going to school, how are you balancing coming here and doing your work at the Leahy Center while also being a high school student?”

Liam: “Well, I contacted my advisers through the school. We managed to get it so I could have fewer shifts here, two-hour shifts instead of three or four, and only come into school before or after my shifts. I had my classes picked out for the day to balance this and school. I feel this could be more important than just getting the credits to graduate.”

Wrapping Up

Editor: “Where do you see yourself in the future after college, after you take these classes at Champlain? How do you feel your experience here helps you with that?”

Liam: “Well, I hope to see myself getting into a fairly decent job after college, ideally within the first few months, maybe working with the Leahy Center or a private firm. I don’t know the path that’s waiting for me after college. With this job, it could be anything, from a small business to a firm or corporation, but I hope to be able to use these skills to my advantage every single day.”

Editor: “Fantastic. I just have one more question for you: how do you like it here?”

Liam: “If I had to come up with one word, I would say it’s very comfortable here. I feel like this is the place where I’m supposed to be during the day. I’m relaxed, people around me know what they’re doing, and I’m learning what I’m doing. I don’t feel like I’m stressed out coming here, or glad that I’m leaving; I’m kind of sad when I leave. I think it’s a pretty great place.”

Editor: “Cool, well it was nice talking to you!”

Liam: “Yeah, thank you!”

*As of 11/20/19 Liam has been accepted to the Computer & Digital Forensics program at Champlain College and will be attending as a full-time student in the fall of 2020.

All Photos by Deja Miller, ‘22 // Marketing


The post Leahy Center Student Showcase: Liam DiFalco appeared first on The Leahy Center for Digital Forensics & Cybersecurity.


October 18, 2019 by LCDI

Recovery of Data Fall Blog 1

Data Recovery Project Goal

This semester, The Leahy Center for Digital Investigation created a project to solve issues related to data recovery. This project shows that the average user often does not truly delete their data, and that it is possible to recover this data without spending money on high-end tools such as EnCase and Axiom, which range from $1,700 to $4,800 a year. The Data Recovery Team at the LCDI has researched free tools that anyone can use to recover deleted files, whether you are someone who has erased files they need or the next owner of a poorly wiped drive.

Is data ever “deleted”?

PC hard drives often contain data known as Personally Identifiable Information, or PII. This includes names, credit card numbers, addresses and other information important to one’s personal life. This is why true data deletion is so important. The average user doesn’t understand that they’re not actually deleting their data. The fact that this data is not always deleted is what can lead to the leak of the user’s PII when they sell the drive. One can truly delete their data by using the common standards for wiping drives.  

Visual vs Actual Deletion

Many people assume that a file is deleted once it is no longer visible (for example, after it has been moved to the Recycle Bin). This is never the case. After dragging the file to the bin, the user still needs to empty it, and even then the file has not actually been deleted. Dragging a file to the Recycle Bin only removes the user's link to that file: the data is hidden, not deleted. It stays on the computer until that part of the hard drive is overwritten by other files.

Proper Data Recovery Services

To achieve proper data deletion, one needs to use common drive wiping standards, such as US DoD 5220.22-M. This standard implements a three-pass system, working as follows:

  • First pass: Overwrite all addressable locations with binary “zeroes”.
  • Second pass: Overwrite all addressable locations with binary “ones”.
  • Third pass: Overwrite all addressable locations with a random bit pattern.
  • Verify the final overwrite pass.
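The three passes and the final verification, written out as an added example (not code from the LCDI project). It wipes a regular file as a stand-in for a drive's addressable locations; on SSDs and on journaling or copy-on-write filesystems, overwriting a file in place does not guarantee the old blocks are gone. The file contents and function names are constructed for the illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # write and read in 1 MiB blocks

def _fill(fh, size, make_chunk):
    """Overwrite bytes [0, size) of fh; return the SHA-256 of what was written."""
    digest = hashlib.sha256()
    fh.seek(0)
    for off in range(0, size, CHUNK):
        block = make_chunk(min(CHUNK, size - off))
        fh.write(block)
        digest.update(block)
    fh.flush()
    os.fsync(fh.fileno())  # push this pass to storage before starting the next
    return digest.hexdigest()

def _read_digest(fh, size):
    """SHA-256 of the current contents (may be served from the OS cache)."""
    digest = hashlib.sha256()
    fh.seek(0)
    for _ in range(0, size, CHUNK):
        digest.update(fh.read(CHUNK))
    return digest.hexdigest()

def three_pass_wipe(path):
    """Zeroes, ones, random pattern; True if the random pass reads back intact."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        _fill(fh, size, lambda n: b"\x00" * n)   # first pass: binary zeroes
        _fill(fh, size, lambda n: b"\xff" * n)   # second pass: binary ones
        written = _fill(fh, size, os.urandom)    # third pass: random bits
        return _read_digest(fh, size) == written # verify the final pass

def demo_wipe():
    """Wipe a constructed temp file; return (verified, size_kept, marker_gone)."""
    marker = b"CONSTRUCTED-PII-SAMPLE"           # constructed sample data
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 1000)
        path = tmp.name
    try:
        ok = three_pass_wipe(path)
        with open(path, "rb") as fh:
            data = fh.read()
        return ok, len(data) == len(marker) * 1000, marker not in data
    finally:
        os.remove(path)
```
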

Another common standard for deleting data is the NIST method. This method describes different types of sanitization for drives, and recommends using more than one type.

Who Cares?

One of the most important questions that we at the Data Recovery Team ask is: why does any of this matter? This information can help users protect their PII, whether by teaching them how to delete their data or by teaching them how to recover it. This means that a normal user could recover their data without having to spend a lot of money. We understand that sometimes accidents happen and data may get erased unintentionally. Hopefully, with the information that this project will provide, users can retrieve their own lost data.


The post Recovery of Data Fall Blog 1 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.


March 22, 2019 by LCDI

Data Recovery Blog 2

Putting Hard Drives to the Test

At the LCDI, we believe your data is important, and surely most would agree. The pictures of your family vacation are important, but what about your passwords? The hard drives that are in most computers store your data, leaving it open for anyone with the proper knowledge to find it and use it if not disposed of properly. This is not a new problem, as online computer news articles from almost 20 years ago described past experiences of people who purchased old hard drives and discovered the data of the last user.

The foundation of our goal is to ensure an understanding of deleting and storing data. Through our research, we have found free and available data recovery programs and sleuth kits to check data drives. Our investigation required a set of samples to test our techniques and programs. We bought a myriad of used hard drives from all over the internet. These previously belonged to other people, so it’s likely that remnants of the past user are still on them. The majority of online sources claim the drives they sell are clean, or “wiped”, but we’ll put that to the test. How clean can a hard drive be and what do these standards look like?

Using Sleuth Kits to Recover Data

In our last blog post, we explored the National Institute of Standards and Technology and the Department of Defense’s deletion standards, which would be a clear indicator of security. The drives we purchased allow us to compare the effectiveness of each method. After we’ve used the wiping standards, we must test the ease with which someone could recover the deleted data. In the lab, we have been busy looking at the Sleuth Kit tools to get that job done. The software we use is freeware and open source, ensuring availability without special permission or a fee.

We have gone through a variety of software already, including Autopsy and Wise Data Recovery, two professionally used Sleuth Kits.

Autopsy examining deleted files

In the above image, we have pulled up a sample image file in Autopsy. In this sample, the previous user had deleted 10 images. The tool used a computer image file to carve data present but unlabeled, which we could then review. The image file we loaded contained the deleted files. Although the computer preserved the data of the file, it lost the links for the file system to access it. These deleted files turned out to be various JPGs of different colors and text. The tool carved the data left within the computer and presented it to us similarly to the sample image below.

Wise Data Recovery loading files

Though this program is not as in depth as Autopsy, Wise Data Recovery was still able to get a good amount of information. This program allowed us to scan the Local C Drive, and we were able to load the files into the program for research and investigation.
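To illustrate the carving described for the Autopsy sample above, and the earlier point that deleted data stays in place until it is overwritten, here is an added example (not the LCDI's tooling and not how Autopsy is implemented). It does simple header/footer carving of JPEG markers over a constructed raw buffer with no file system entries, then repeats the scan after a zero pass; all names and sample bytes are made up for the illustration.

```python
SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus first byte of next marker
EOI = b"\xff\xd9"      # JPEG end-of-image marker

def carve_jpegs(raw, max_size=10 * 1024 * 1024):
    """Return (offset, data) for every SOI..EOI span found in raw bytes.

    Header/footer carving ignores file system metadata entirely, which is
    why it still finds files whose directory entries are gone. Limitation:
    it stops at the first EOI, so a JPEG with an embedded thumbnail is cut short.
    """
    found = []
    pos = 0
    while True:
        start = raw.find(SOI, pos)
        if start == -1:
            return found
        end = raw.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            pos = start + 1          # header with no footer in range: skip it
            continue
        end += len(EOI)
        found.append((start, bytes(raw[start:end])))
        pos = end

def build_constructed_image(sector=512):
    """Constructed sample: eight sectors, two fake JPEGs left in free space."""
    def fake_jpeg(tag):
        return SOI + b"\xe0JFIF\x00" + tag + EOI
    img = bytearray(sector * 8)
    for sector_no, tag in ((2, b"red-square"), (5, b"blue-text")):
        blob = fake_jpeg(tag)
        img[sector_no * sector:sector_no * sector + len(blob)] = blob
    return img

def demo_carve():
    """Carve before and after a zero pass; return (offsets_before, hits_after)."""
    img = build_constructed_image()
    before = [off for off, _ in carve_jpegs(img)]
    img[:] = bytes(len(img))         # overwrite every sector with zeroes
    return before, len(carve_jpegs(img))
```
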

These programs are used in professional settings and are free to download. However, the question arises: if these are available to everyone, what does that mean for your data? Anyone who has a computer and a way to attach your drive could snoop through your old data, which is the exact reason we work to share this information. What’s more alarming is these two programs don’t show the full extent of the files that could collect your data. There is no way to be sure that the next person will not have the ability to collect your data, or even how much they could glean from the drive.

Exploring Physical Drives and Virtual Machines

The recovery of data is very accessible and it should be taken into account when deleting data. In the coming weeks, we look forward to working with the physical drives and exploring the techniques and depth of data that can be extrapolated from something as small as a picture.


The post Data Recovery Blog 2 appeared first on The Leahy Center for Digital Investigation.
