|eForensics Magazine 2018 02 USB Forensics.pdf|
Welcome to the newest issue of eForensics Magazine! This time we focused on USB Forensics - inside you will find three excellent articles on the topic, as well as a host of other pieces covering different fields, like expert testimony, browser forensics, and using Agile for forensic investigations.
The issue opens with a joint press release from Magnet Forensics and Child Rescue Coalition about a new initiative to combat child sexual exploitation crimes, followed by an interview with Jad Saliba, Magnet Forensics’ CTO, about the details of the project.
Then we start with this month’s series on USB forensics - all practical, all forensics-focused. Out of the three articles in this section, one is about protocols and procedures when handling evidence extracted from USB devices, one is on USB artifacts in Windows 10, and one talks about the usage of anti-forensics for USB-related evidence. Do check them all!
We stay with the evidence-centered topics for two more articles. The first one, by Ryan Duquette, discusses using Magnet AXIOM Cloud in an investigation, and the second, by Philemon Hini, goes through various browsers and how to conduct forensic analysis on browser artifacts.
Next, we have a mini section on expert testimony. We will be continuing this topic in further issues; however, this month we are starting with some general tips and tricks for the expert witness, and we take a deep look into the Daubert Challenge.
To wrap up, we have a guide by Luiz Borges to using Agile methodologies, with focus on Kanban, in forensic investigations, and a case study presenting the possibilities of automated inspection of cargo X-Ray images.
We hope you enjoy the issue - let us know any comments you might have, we would love to hear your feedback.
As always, many, many thanks to our reviewers and proofreaders - you went above and beyond this month, and your help is invaluable to us. Thank you!
Enjoy your reading,
and the eForensics Magazine
Table of contents
CHILD RESCUE COALITION AND MAGNET FORENSICS PARTNER TO COMBAT GROWING CHILD SEXUAL EXPLOITATION CRIMES
Press Release & Interview with Jad Saliba
Boca Raton, Fl., April 16, 2018 - Child Rescue Coalition (CRC), a nonprofit organization dedicated to combating the sexual exploitation of children, today announced its partnership with Magnet Forensics, a global leader in the development of digital investigation software. The partnership will further enable child exploitation investigators’ efforts to better identify and convict perpetrators and use technology to rescue and protect children.
PRECAUTIONS FOR SECURITY WITH USB FORENSICS
by Dr. Nancy M Landreville
Extraction and collection of data in forensics requires careful adherence to chain-of-custody protocols to ensure acceptance of the evidence. Various tools are available for collection; however, the use of these tools does not by itself ensure viable collection. Extracted evidence must be retained and handled with fastidious care.
TRACING USB DEVICE ARTEFACTS ON WINDOWS 10 FOR FORENSIC PURPOSES
by Florence Love Nkosi
The use of Universal Serial Bus (USB) devices has grown to become a norm in today’s world, from sharing files across platforms to storage purposes. USB devices utilise USB connections to connect to a computer. Technically, USB devices can be categorised as Mass Storage Class (MSC), Media Transfer Protocol (MTP) and Picture Transfer Protocol (PTP) (Chetry & Swasti, 2015). USB flash drives fall under the MSC class and are commonly used to store and transfer data. They are conveniently small in physical size but have varying storage capacity, ranging from 512MB to 2TB (The Verge, 2017). However, they have also become a major security concern.
THE USB TRAIL: ANTI-FORENSICS AND ANTI-ANTI-FORENSICS BITTER ROMANCE
by Chidi Obumneme
USB Mass Storage devices come in several small sizes and can be used as attack tools against any group or organization. Researchers from Ben-Gurion University in Israel have discovered 29 ways USB devices can be used to attack and compromise computer systems. Likewise, the insider threat is a very great security risk to groups and organizations, largely because insiders have privileged access to sensitive or proprietary information. Insiders can leverage their positions to exfiltrate company trade secrets and sensitive information with the aim of selling them to competing organizations.
Exfiltration of proprietary data via USB Mass Storage devices is a sure way to conduct this form of attack. Since every attacker aims to cover the tracks of their misdeeds, it is the duty of the Digital Forensics Analyst to prove that such an attack took place. That is the crux of this article: to prove that an attack was carried out using a USB device despite the attacker's attempts to clean up their tracks with anti-forensics techniques.
INTO THE CLOUDS WITH MAGNET AXIOM CLOUD
by Ryan Duquette
In a traditional digital forensic investigation, an examiner usually has access to a user’s computer, mobile device or other digital device capable of storing data. Files such as pictures, emails, Internet history, operating system artifacts and much more are saved to the computer’s/mobile device’s drive. Computer Forensic Examiners can analyze this data and provide a scientific and impartial report.
BROWSER FORENSICS: THE EVIDENCE COULD BE IN THE BROWSER
by Philemon Hini
At the end of this article, readers should have gained the fundamental knowledge and skills to conduct forensic analysis on web browsers.
MASTERING THE DAUBERT CHALLENGE
by Doug Carner CCFE, CPP, CFHI
Discovery and depositions are complete. You have honed your narrative and rebuffed an unfavorable settlement. You have planned for nearly every contingency and are leaving nothing to chance. Jury selection begins tomorrow and your opening statement is well rehearsed. Then the unthinkable happens.
EXPERT TESTIMONY TIPS
by Gerard Johansen
An often-overlooked aspect of the role of the Digital Forensic Examiner is the possibility that they may be called to testify to their findings at a legal proceeding. Of the many stressors in a Digital Forensic Examiner’s career, the possibility of speaking for hours in a courtroom or during a deposition most likely ranks high. Further compounding the anxiety of testifying is the possibility of having to explain highly technical concepts to laypeople whose only exposure to high technology may be social media platforms or mobile device games. While testifying may be anxiety producing, there are several actions examiners can take before and during the legal proceedings that will help them better prepare themselves to excel at presenting highly technical evidence.
AGILE METHODOLOGY - A NEW WAY OF DOING FORENSIC INVESTIGATION
by Luiz Borges
My main goal is to show how it is possible to maximize investigative deliveries using agile methodologies so that the same results are obtained faster, more successfully and using the same amount of available resources.
This idea of using alternative tools instead of the traditional model has come up recently and suggestions are very welcome. After all, we all work together for the same purpose: to combat cybercrime.
COMANCHE COUNTER TERRORISM NETWORKS: AUTOMATED INSPECTION OF X-RAY CARGO IMAGES
by Wilbert McClay
The Port of Oakland randomly screens millions of cargo containers every day using the SAIC VACIS (Vehicle and Cargo Imaging System) for random threats from weapons and ammunitions, human trafficking, counterfeit items, and drugs. The SAIC VACIS X-Ray Systems scans cargo containers randomly for threats utilizing statistical analysis to find threats. Furthermore, “the Port of Oakland loads and discharges more than 99% of the containerized goods moving through Northern California, the nation's fourth largest metropolitan area. Oakland's cargo volume makes it the fifth busiest container port in the United States, and ranks San Francisco Bay among the three principal Pacific Coast gateways for U.S. containerized cargoes, along with San Pedro Bay in southern California and Puget Sound in the Pacific Northwest. About 75.82% of Oakland's trade is with Asia. Europe accounts for 13.52%, Australia/New Zealand and Oceania about 5.25% and other foreign economies about 5.38%. About 0.2% of Oakland's trade is domestic (Hawaii and Guam) and military cargo. California's three major container ports carry approximately 50% of the nation's total container cargo volume”.