Forensic Blogs

An aggregator for digital forensics blogs

by

Recovery of Data Fall Blog 1

Comic about data recovery Data Recovery Project Goal

This semester, The Leahy Center for Digital Investigation created a project to solve issues related to data recovery. This project shows that the average user often does not truly delete their data, and that it is possible to recover this data without spending money on high end tools, such as EnCase and Axiom. These are tools which range from $1,700 to $4,800 a year. The Data Recovery Team at the LCDI has researched free tools that anyone can use to recover deleted files, whether you are someone who has erased files they need or the next owners of a poorly wiped drive. 

Is data ever “deleted”?

PC hard drives often contain data known as Personally Identifiable Information, or PII. This includes names, credit card numbers, addresses and other information important to one’s personal life. This is why true data deletion is so important. The average user doesn’t understand that they’re not actually deleting their data. The fact that this data is not always deleted is what can lead to the leak of the user’s PII when they sell the drive. One can truly delete their data by using the common standards for wiping drives.  

Visual vs Actual Deletion

Many people assume that they are deleting the file when it is no longer visible (for example, after it is in the recycle bin). This is never the case. After dragging said file to the bin, the user still needs to empty it. Even when the user empties the bin, the user has not actually deleted the file. When a user drags a file to the Recycle Bin, all that does is remove the link to said file from the user. The user has hidden the data, not deleted it. It will stay available on the computer until that part of the hard drive is overwritten by other files.

Proper Data Recovery Services

To achieve proper data deletion, one needs to use common drive wiping standards, such as US DoD 5220.22-M. This standard implements a three pass system, working as follows:

First pass: Overwrite all addressable locations with binary “zeroes”. Second pass: Overwrite all addressable locations with binary “ones”. Third pass: Overwrite all addressable locations with a random bit pattern Verify the final overwrite pass.

Another common standard for deleting data is the NIST method. This method describes different types of sanitation for drives, and recommends using more than one type.

Who Cares?

Net collecting black, yellow and white squares symbolizing data.

One of the most important questions that we at the Data Recovery Team ask is: why does any of this matter? This information can serve to help the user protect their PII. Whether it is by teaching the user how to delete their data, or teaching them how to recover it. This means that a normal user could recover their data without having to spend a lot of money. We understand that sometimes accidents happen and data may get erased unintentionally. Hopefully, with the information that this project will provide, users can retrieve their own lost data. 

Be sure to look for future posts and stay up to date with Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI!

 

The post Recovery of Data Fall Blog 1 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

by

Virtual Currency Investigations: Fear Not the Blockchains

At the Magnet User Summit this year, I listened to a presentation by Eric Huber, Vice President of National White Collar Crime Center (NW3C). With a broad background in digital forensic investigations, he spoke about the changing field in cryptocurrencies and blockchain analysis. He gave a brief overview on different types of cryptocurrencies and how to use them. Then he dove into how cryptocurrencies are evolving and how digital forensics needs to catch up to the changes.

Cryptocurrencies

Cryptocurrencies are a little bit more complicated than just currencies that solely run on the internet or through the cyberspace. Currencies like Ethereum and Bitcoin are purchased and are traded in cyberspace to purchase goods and services just like fiscal currencies, but because of the push back against government control, these currencies can be used to purchase illegal goods and services without being tracked easily. Cryptocurrencies are on the rise and are becoming more popular than ever. With ATMS popping up all over the world, they are becoming even more accessible.

Blockchains

Blockchains are the ledgers of cryptocurrencies. Unlike most banks and budgets, blockchains never list the total cryptocurrency that someone might have. Instead, they list who exchanged it and how much. Cryptocurrency mining is figuring out the hashes or the specific string of characters and numbers to figure out the transaction and post it directly on the ledger. After claiming that position, not only would the miner claim some cryptocurrency, but every time that section of the ledger is referenced to calculate how much an individual has of that cryptocurrency, the miner earns more cryptocurrency.

Public vs Private

Different types of cryptocurrencies have different types of blockchains. The public can openly access public blockchains, like what Ethereum and Bitcoin. Law enforcement can also subpoena them to learn who performed the possibly illegal transaction. However, there can always be more privacy. The more privacy achieved, the more complicated arresting and subpoenas become. Private blockchains involve each individual block becoming private and not available to the public. Not only is the ledger inaccessible, but law enforcement is unable to subpoena individual miners. They would only have parts of the ledger anyways.

With a developing field, digital forensics and incident response is developing blockchain analysis to track backwards after figuring out specific blocks of ledgers to figure out the specifics of transactions and more. This is the changing part of cryptocurrencies and how digital forensics needs to evolve to adapt to accommodate these changes since cryptocurrencies are not fading away anytime soon.

 

Blog written by Champlain College’s Nurit Elber.

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Virtual Currency Investigations: Fear Not the Blockchains appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

by

Magnet User Summit Experience

Thanks to Champlain College, I was able to attend this year’s Magnet User Summit. As a first year, I was concerned as to how well I would understand the topics and concepts. However, I found that I was well prepared. My internship this semester at the LCDI helped most of all, as it provided me with knowledge not just of digital forensics, but of the work environment as well. The conference was fascinating, and I was able to learn more about the ever-changing environment of ITS.

Improvise, Adapt, and Overcome

The Improvise, Adapt, Overcome: A New Mantra for Digital Forensics Professionals lecture was presented by Cindy Murphy, president of Gillware Digital Forensics. The talk focused on challenging the unwritten rules and truths of cybersecurity and digital forensics and turning to improvise, adapt, and overcome obstacles. Specifically, it challenged the rules and knowledge of imaging, firmware, and hardware. With imaging, Murphy discussed how an image that shows all zeros it is not actually empty. You’re also not getting a full forensic image from a hard drive. Murphy also mentioned the importance of investigating NAND flash memory, which is often overlooked.

With firmware, Murphy discussed how important its role is as the go-between for hardware and operating systems, and how its role is frequently underestimated. Hardware has this similar issue of being neglected in investigations. In fact, removing chips from damaged hardware to identical functioning hardware can be incredibly helpful with investigations. Most importantly, Murphy argued members of the ITS industry need to learn to keep moving forward in this ever-changing environment.

Guest Keynote on the Evolution of the Digital World

The guest keynote was presented by Ovie Carroll, director of DOJ CCIPS Cybercrime Lab, SANS instructor, and author. He reflected on the evolution of the digital world and segued into the newest innovations of the modern day and what’s to come. This included Bluetooth stones and other similar devices, which currently serve as miniature hotspots that relay information to smartphone-clad passerby and clouds. Carroll explained how clouds add value to the pre-search phase of investigations. Cloud storage is becoming more common, lessening the value in seizing hardware and increasing obtaining data before it’s deleted remotely. He also discussed the rising frequency of encrypted computers, and the importance of RAM images, encryption, and hard drive images. We were reminded and provided digital examples of Locard’s evidence transfer principals.

Discussions relating to mental health and self-confidence were brought up as well. We were reminded there’s no such thing as a full forensic investigation and that you will always miss an artifact. As a result, the investigator shouldn’t feel disheartened when their data is passed to a second pair of eyes. In fact, a collaborative approach to forensics analysis was recommended and was echoed by many in the following talks.

Powershell vs Python

The Leveraging Powershell and Python for Incident Response and Live Forensic Applications lecture was presented by Chet Hosmer, author of Python Forensics. The fundamentals, integration, and applications of both Powershell and Python were discussed. Hosmer presented Powershell as a great acquisition engine that provides digital investigators with a set of cmdlets and access to the internals Windows, Linux, and Mac desktops and cloud services. He presented Python as a relatively straight forward, understandable, and object-oriented scripting language. Its environment allows for the rapid development of new tools, deep analysis, automation, and the correlation of evidence. Hosmer then demonstrated two different integrations live. Both of these integrations allow for better solutions for incident response, live forensic investigation, and e-Discovery.

I was able to attend many other lectures as well, such as the Magnet Forensics keynote, the Panel of Corporate Forensics Experts, and the Axiom Essentials Lab. The conference covered a wide range of fascinating topics, yet provided a consistent environment that was friendly and inviting. Other participants were eager to speak with Champlain students and viewed us as  equals, sharing tips and engaging in discussion. It’s a community myself and other students are excited to participate in, and hope to again at the next conference!

 

Blog written by Champlain College first year Hayley Froio.

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Magnet User Summit Experience appeared first on The Leahy Center for Digital Forensics & Cybersecurity.