We present a brand new package of our magazine, containing the best tutorials we gathered in the last few years. This issues are divided into three parts, each with certain topics covered. We decided to do this for your convenience. Everyone gets to browse through each part and choose which topics interest them the most, and those who are not our subscribers will enjoy lower prices for buying separate e-books - everyone wins!
Still, each part contains close to 400 pages of content and a few dozen of articles and step by step tutorials, guides and how-to’s. It total you will get over 1500 pages of tutorials! We believe you will find those issues very useful to have in your storage of choice, without the need to search through all our issues in search for that one perfect article which solves your problems.
TABLE OF CONTENT:
LEARN “HOW TO” – 101 BEST FORENSIC TUTORIALS
1. DIGITAL FORENSICS IN A NUTSHELL – Barry Kokotailo
“Before 1999, formal dedicated digital forensics toolkits did not exist. Then came the first free open source tool to perform digital forensics: The Coroners Toolkit created by Dan Farmer and Wietse Venema (http://www.porcupine.org/forensics/tct.html). This sparked a massive revolution in the science and art of digital forensics. This article will deal with the stages in a digital forensics examination, the tools used by most forensics people, and some final thoughts on the world of forensics.”
2. A PRACTICAL APPROACH TO TIMELINING – Davide Barbato
“Sometimes we need to investigate a data breach, an identity thief, a program execution or, in a more general way, we need to know what happened on a system on a specific time: to accomplish that, we need to create a timeline of the system activities so we can add context data to our investigation. As it is, timelining refers to the technique used to keep tracks of changes occurred in an operating system by creating a timeline of activities, pulled down from various data sources, as the investigation process requires.”
3. STEGANOGRAPHY: THE ART OF HIDDEN DATA IN PLAIN SIGHT – Priscilla Lopez
“Steganography is the art of hiding messages in plain sight. Different forms of steganography have been used for many years throughout history. Nowadays just about any data type can be embedded with a secret message and the common passerby wouldn’t even notice.”
4. DIGITAL IMAGE ACQUISITION – STEP BY STEP – Thomas Plunkett
“Proper digital image acquisition is key to any forensics practice. Accurate and thorough documentation along with rigorous adherence to procedures and established best practices lead to a successful acquisition process. This article will help the beginner learn what is necessary to successfully accomplish this important part of digital forensics.”
5. FTK IMAGER BASICS – Marcelo Lau & Nichols Jasper
“This article discusses a basic FTK Imager case study. In this case study a pen drive has been found with a suspect, but it appears to be empty. We will show how to image the pen drive’s file system and how the FTK tool can help us to show traces of deleted artifacts in the evidence media.”
6.INTRODUCTION TO NETWORK FORENSICS USING WIRESHARK – Dauda Sule
“Network data is highly volatile and may be easily lost if not captured in real-time; for example, if malicious code is sent to an endpoint, the source or path of the code would be difficult to discover if the traffic data was not captured as it was coming in through the network. There are various tools that can be used to capture and analyze network traffic such as NetworkMiner, tcpdump, snort, windump and Wireshark. This article introduces the use of Wireshark for network analysis.”
7. HOW TO RECOVER FILES FROM THE MEMORY DUMP, SWAP FILE AND HYBERFIL USING DATA CARVER TECHINIQUES – Carlos Dias Da Silva
“There are in the memory dump, swap and hiberfil files a lot of data can help us in a digital investigation. In these places we can find documents, web pages, pictures, executed files and other information can help us in a digital investigation.”
8. FORENSICS ON LINUX – Barry Kokotailo
“The majority of forensics examinations conducted today comprise Windows machines. Considering that the vast majority of desktops in use today are Windows based, this should not be of a surprise. However a good majority of servers and workstations are Linux based and running interesting services such as databases, web and file services. During the career span of a forensics professional you will need to perform a forensic examination of a Linux machine. This article will give you the step by step procedure in order to acquire an image, analysis, and report on the findings.”
9. HOW TO PERFORM FORENSIC ANALYSIS ON iOS OPERATING AND FILE SYSTEMS – Deivison Pinheiro Franco and Nágila Magalhães Cardoso
“With Apple Operation System (iOS) design and the large amount of storage space available, records of emails, text messages, browsing history, chat, map searching, and more are all being kept. With the amount of information available to forensic analysts on iOS, this article will cover the basics to accurately retrieve evidence from this platform and build forensically analysis when applicable. Once the image logically, via backup or physically has been obtained, files of interest will be highlighted for a forensic examiner to review.”
10. TWELVE OPEN-SOURCE LINUX FORENSIC TOOLS – Priscilla Lopez
“There are several open-source Linux forensic tool suites and tools such as Kali Linux, DEFT, HELIX, Backtrack, CAINE, Knoppix STD, FCCU, The Penguin Sleuth Kit, ADIA, DFF, SMART, and SIFT. This article will give you a brief overview of the available tool suites. Afterwards, I will show you step-bystep how to install one of the tool suites and run a practice case sample.”
11. FOUR WINDOWS XP FORENSIC ANALYSIS TIPS & TRICKS – Davide Barbato
“To an untrained eye, it could appear that Windows XP is just another Windows operating system family: It behaves completely different, and could lead to misleading conclusions if you are not familiar with XP. Think about a case in which you need to know if a user views a document or a folder, or opened a document and trashed them: Windows XP has different behavior in respect to Windows 7 and this need to be addressed.”
12. A BEGINNER’S GUIDE TO FORENSIC IMAGING – Madeline Cheah
“Are you starting on the road to a career in digital forensics? Or perhaps a student looking to get onto a course in this field? Maybe you just need a refresher after a little time away? This is a simple guide introducing you to one of the fundamentals of digital forensics, with a legislative narrative to set things in context.”
13.EXAMINING EXIF DATA IN DIGITAL PHOTOGRAPHS – Irv Schlanger
“Digital photographs have become common as a source of evidence in forensic investigations. However, pixels alone do not tell the entire story—modern digital cameras also record Global Positioning Satellite (GPS) information as well as date and clock time into photographs using metadata known as EXIF tags. One of the main tasks of a forensic investigator is to extract useful evidence from a photograph and proving this information’s authenticity. EXIF metadata in JPEG photographs can provide proof that a suspect was or was not at the scene of a crime. Because EXIF data can be altered by the very same software and techniques detailed below, law enforcement should take precautions and use established forensic practices when using metadata in investigations.”
14. COMPUTER FORENSICS WHAT, WHY AND HOW – Ahmed Neil
“Computer crimes investigations are based on evidence collection from certain areas in the computer system to be analyzed. Such as Windows Registry, File System, Log file, Internet History, Cookies, and so other potential evidential areas. For deepest concentration Windows Registry evidence Analysis will be introduced. Windows Registry is considered as one of the areas that contains valuable information about the system. It stores all hardware and software configurations, user activities, and transactions. Therefore, Windows Registry forensics is considered as a hot research field.”
15.EXAMINING GOOGLE CHROME ARTIFACTS – David Biser
“The Internet has grown by leaps and bounds over the course of its existence. There are millions upon millions of users who are browsing the Internet on a daily basis. Some of these are good, some of these are ugly and some of these are just plain old bad! Amongst those who are browsing the Internet are the good guys, who are seeking to enforce the law and conduct digital investigations in order to stop the bad things from happening on the Internet. One major program that these digital investigators can turn to in order to locate evidence is Google Chrome!”
16. STEP-BY-STEP TO ASSESS IT SYSTEM CONTROLS – Kevin M. Moker
“Risk management is a discipline that covers many areas. There is financial risk, operational risk, strategic risk, and compliance risk to name a few. Information Technology (IT) poses its own risk to the organization, but what is IT risk? Why should you care about IT risk? How do I measure IT risk? It has been said, “What gets measured, gets done.” Lets look at how to conduct an IT risk assessment from policy to assessment questions to actual compliance measurements against the information security policies. The number one goal is to be able to know if you’re in compliance with your information security policies. This is just one strategy to get there.”
17. HOW TO ANALYZE A TRAFFIC CAPTURE – Javier Nieto Arevalo
“We live in an era where the signature-based Antivirus has less sense if we want to fight against hackers who are creating customized malware only for their targets. This malware is commonly known as Advanced Permanent Threat (APT) and it’s really interesting to research where the host was infected, the connections back to the Command and Control server to get the instructions.”
18. INVESTIGAING A NIGERIAN WEBMAIL AND E-BANKING PHISHING ATTACK – Gilad Ofir & Dvir Levi
“In today’s world, as we all use email for practically everything, from talking to friends, colleagues, bosses, business partners, etc. However, like every good thing, it can be abused by spammers and hackers, and infect is. Since we all use it, it’s important to understand the security issue that rises when ones e-mail is targeted for spamming. and evaluate the damage of the malware. Sometimes it is easier to detect infected hosts in the networks if we analyze the network traffic than using an Antivirus running on the host.”
19. IPV6 SECURITY – Satinder Sandhu
“Predictions about when the world will end are as consistent as the predictions that when IPv4 internet addresses will finally run out, but some IT security professionals say that it is the least of our worries. A much bigger concern, they say, should be the security holes that will open up in many business organizations as the world moves over to internet protocol version six (IPv6). In this article we are going to discuss and execute the techniques and methodologies which can make the future of internet …. INSECURE!”
20. INTRODUCTION TO WINDOWS FORENSICS USING PARABEN P2 COMMANDER – Dauda Sule
“Microsoft Windows is the most widely used operating system both for business and personal use. Such popularity has made it one of the most targeted operating systems by malicious attackers. As a result, it is often used as a platform to access personal and work place data, or even to commit policy breaches assisting in the commission of criminal acts. Investigations that are based on electronic evidence stand a very high chance of being carried out on a system with one or the other version of Windows operating system. It is therefore one of the most important operating systems anyone going into the field of cyber forensics will need to know how to investigate.”
21. USING JUMP-LIST FEATURE OF WINDOWS 7 FOR EVENT RECONSTRUCTION – Everson Probst
“The identification and understanding of the last actions of a computer user are fundamental during a computer incident investigation. Such activity may be very simple when the assessed system presents organized and centralized registries and logs, such as in the systems based on Unix. However, Windows operating systems do not have these qualities. Therefore, the forensic examiner needs to use several features of the system to be able to reconstruct user events. This article deals with a relevant information-rich resource, the Jump-List.”
22.BUILDING SECURE NETWORK – Davide Barbato
“As the security paradigm shifted from “static” to “dynamic” defense, network companies need to adequate its security arsenal, not only about network security, but also end point protection, monitoring
and backup policies.”
23. USING PEACH TO DISCOVER VULNERABILITIES – Pedro Guillén Núñez, Josep Pi Rodríguez and Miguel Ángel de Castro
“Nowadays, software vulnerabilities are an important risk for the companies. Reverse Engineering is a useful technique but it consumes much time and effort. However, Fuzzing gives good results and can be less expensive in terms of effort. Nowadays, the best approach is using both techniques. It is known that software companies include in their development cycle Fuzzingas the main technique
in order to detect bugs.”
24. WHO IS AN EXPERT…? DAUBERT PRINCIPLE FOR EXPERT WITNESSES – Sagar Rahurkar
“Witnesses are the people or experts with valuable input in a case. It is through witnesses and documents that evidence is placed before the court. Even the genesis of documents can be proved by the witnesses. Thus, the law has to be very clear with regards to certain issues like who is a competent witness? How many witnesses are needed to prove a fact? Can a witness be compelled to answer every question posed? How can the credibility of the witnesses be tested? Whether a witness can refer to notes to refresh his memory and what are the judges standing with respect to the witnesses.”
25.HOW TO USE MIRROR DRIVE FOR BACKUP WITH ZERO-TIME RECOVERY! – Wei Deng
“The safest way to back up important data is to duplicate said data to an external storage device to achieve physically isolated protection. However, the recovery process of traditional backup software is long and tedious, and can negatively affect your business operations. With Mirror Drive technology, you can recover and replace a failed device with close to zero down time. The state-of-the-art technology first converts and compares all files, then clone only the changed data to the hard drive, providing you with a highgrade-speed to complete the Mirror Drive process.”
26. GREP AND REGEX, THE OVERLOOKED FORENSIC TOOLS – Craig S Wright
“This article takes the reader through the process of learning to use GREP and Regular Expressions (RegEx). GREP May not seem to be a tool that relates to the process of data recovery, but we will show that this is an essential tool in recovering data. If you cannot find data, how can you recover it?”
27. INVESTIGATION & eDISCOVERY OF BIG DATA -Vishnu Datt
“Data storage has been a part of our lives since our ancestors first started writing on stone tablets. The advent of the computer accelerated our ability to create data, but this brought a new challenge: Now that we can create data so quickly, how will we store it? FTP hosting on cloud-based systems work to some extent, but is that enough for the massive quantities of data we’re producing?”
28. HOW TO INDEXING DATA WITH KS – Nanni Bassetti
“One of the big problem during a computer forensics analysis is searching many keywords, strings, phrases in big data containers like hard disks or pendrives; it is possible to use tools like strings and grep but they have some limitations.”
29. SUPERVISORY CONTROL & DATA AQUSITION & INDIAN CYBER LAW – Aashish Satpute
“Attacks on these systems can cripple vital infrastructure causing widespread damage. The examples of this are plentiful. In 2011 hackers were able to access critical pumps and cause damage at the City of South Houston‟s water plant Stuxnet, which grabbed headlines for a while was also a SCADA attack, although it is thought to have been designed to target Iranian nuclear plants.”
30. UNDERTAND AND SOLVE PROBLEMS WITH NTFS PARTITION – Carlos Dias da Silva
“There are lots of kind partitions and we will dedicate this article to explain about NTFS partition in a simple way. There for, the objective this article is to show you how it works a NTFS partition and how to recovery it if was excluded or lost.”
31. DATA LOSS TO DATA RECOVERY – Shishir Rajendra
“in todays e-world we are living in, it has become very important to everyone – computer professionals as well as the layman, to keep his/her data safe. Even in any of the information security policies of various organizations, out of the three pillars – CIA, the “Availability” aspect stands out first, before the other two, that is the “Confidentiality” and the “Integrity”. Hence organizations always make it a point to have their information secured and try to abide it by the ISP (Information Security Policy).”
32. RECOVERY OF SYSTEM REGISTRY FROM WINDOWS RESTORE POINTS – Everson Probst
“The first items to be considered in a computer forensic analysis of Windows systems are the registries. However, what to do when the registries have been deleted recently? Currently, the most used alternative to solving this problem is attempting to recover files by using methods known as data carver. Nevertheless, there is a simpler and faster method that can help you in recovering these registries. It is the use of the Windows feature called System Restore.”
33. AUDITING lOGIN RElATED EVENTS INSQl SERVER – David Zahner
“In this article I will be exploring different methods of tracking and storing the login events that take place on your SQL Server as well as some ideas as to what to do with the information once gathered. With the exception of the extended events example which will only work with SQL Server 2008 and above, the other methods outlined will work with all versions and editions from SQL Server 2005 and beyond. “
34. EXTRAXTING AND USING METADATA FOR A DIGIAL FORENSIC INVESTIGATION – Marc Bleicher
„ Metadata can often contain that needle in the haystack you’re looking for during a forensics investigation; in fact it has helped me out in the past quite a few times. One particular case that stands out the most was an internal investigation I did for the company I was working for at the time. Most of the cases I dealt with in this role related to employee misconduct, which included wrongful use, inappropriate behavior, harassment, etc. In this situation, metadata was the key piece of evidence in the case of a lost smart phone. „
35. HOW TO PERFORM INVESTIGATIONS USING NUIX – Damien Van Oultryve Dydewalle
“In the world of e-discovery there is a need for a good processing engine to process large amounts of data, index text and metadata, perform in depth analysis of communication links, etc. Most email clients can perform content analysis of the email body. With Nuix, searches can be performed through all email metadata as well the attachments, and near duplicates (previous versions or drafts of documents) can easily be found.”
36. RECOVERING IE HISTORY USING PASCO IN LINUX UBUNTU 12.04 – Carlos Cajigas
“Reconstructing and examining web browsing history is a task that is required during most forensic examinations. Luckily, po- pular commercial tools have done a good job of simplifying the reconstruction process for us. While commercial tools simplify the process, the software often comes with a hefty price tag.”
37. CAPTURING INSTANT MESSAGES WITH PACKET CAPTURE TECHNOLOGIES – Nicholas Miter
“Most commercial forensic software packages focus on indexing and intelligently searching data archived in hard drives, networks, and e-mail servers. These tools work well when archived information accurately reports employee communication. This article provides a simple example of a forensic tool that captures instant messaging traffic and stores it in a Microsoft SQL Database Server. Many forensic toolkits support importing data from commercial database systems.”
38. STATIC MALVARE ANALYSIS – Ram Shmider
“When you start your journey into malware analysis you need to remember that the files or machine you are working on are infected with real live malware. With static malware analysis, you can safely gather all kind of information from a suspected file that can give you basic information about the file or files that malware uses.”
39. REVERSE ENGENEERING LARGE JAVA PROGRAMS – Colin Renouf
“The aim of this pair of articles is to convey the techniques and tools of the trade for understanding and reverse engineering large Java applications, and using JavaEE application servers as an example to understand how external interfaces and hosted JavaEE programs interact. This is a complex subject, so only the basics of application servers will be covered, but if there is more interest in the internals further articles can be produced”
40. CREATE PROFFECIONAL WEB INTRUSION ANALYSIS REPORT WITH OPEN SOURSE TOOLS – CF Fong
“During or after a web intrusion, some of the most important tasks of the first incident responders are to understand every bit of details of the web intrusion, and present it to the management for the next course of action. “
41. NTFS RECOVERY USING OPEN SOURSE TOOLS AND SCRIPTING TO RECOVER NTFS ARTIFACTS – Yves Vandermeer
“NTFS is nowadays one of the most often filesystem encountered during IT forensics. Using filesystem properties allows IT forensic experts to enhance and speed up their searches, especially on altered file systems. Beyond results generated by forensic tools, this knowledge helps to look for what should apparently be never recoverable.”
42. FORENSICS ANALYSIS WITH FTK – Omar Al Ibrahim and Majid Malaika
“Digital forensics is the process of recovering, preserving, and examining digital evidence in a way admissible in a court of law. This process is very delicate and requires deep understanding of both legal and technical aspects which includes knowing the right procedures and tools to conduct forensics analysis.”
43. DIGITAL FORENSICS 101: CASE STUDY USING FTK IMAGER – Dauda Sule
“In the information age, virtually everything we do is done through or along with electronic devices and platforms (like PCs, mobile phones, tablets, the Internet and so on). This has greatly affected how we carry on business and live our lives, as a result, getting information and trying to know what had transpired in an event involves use of these digital devices and platforms.”
44. HOW TO DETECT SYSTEM INTRUSIONS – Almantas Kakareka
“We want to detect system intrusion once attackers passed all defensive technologies in the company, such as IDS/IPS, full packet capture devices with analysts behind them, firewalls, physical security guards and all other preventive technologies and techniques. Many preventing technologies are using blacklisting most of the time, and thus that’s why they fail. Blacklisting is allowing everything by” default, and forbidding something that is considered to be maliclous. So for attackers it is a challenge to find yet another way to bypass the filter. It is so much harder to circumvent a hitelisting system.
45. MEMORY ANALY SIS USING DUMPIT AND VOLATILITY – Daniel Dieterle
“Want an easy way to grab a memory dump from a live system and search it for forensic artifacts? Look no further than DumpIt and Volatility. In this article we will see how to pull pertinent information from a memory dump and cover some basic analysis with Volatility. We will also look at a memory image infected with Stuxnet.”
46. A PRACTICAL APPROACH TO MALW ARE MEMORY FORENSICS – Monnappa K
“Memory Forensics is the analysis of the memory image taken from the running computer. In this article, we will learn how to use Memory Forensic Toolkits such as Volatility to analyze the memory artifacts with practical real life forensics scenarios. Memory forensics plays an important role in investigations and incident response.”
47. MALW ARE FORENSICS & ZEUS – Mikel gastesi, Jozef Zsolnai & Nahim Fazal
“During the course of this article you will learn all about the banking Trojan that goes by the name of Citadel. It is important to point out that the sample we are using in this article is an older version of the malware; the current version is V220.127.116.11 we will provide you with high level overview for this piece of code from its inception to its latest incarnation.”
48. DEMYSTIFYING THE MEMORY ON YOUR COMUTER – Amit Kumar Sharma
“Memory Forensics is an art of demystifying the questions that may have some traces left in the memory of a machine and thus involve the analysis of memory dumps of machine that may be a part of the crime. Earlier, memory in question used to be only on hard disks or permanent storage where attackers use to leave traces by mistake and forgot to erase their footprints, but those days are gone and attacks have become more revolutionized as attackers tries to keep everything in the volatile memory
(RAM) thereby reducing chances of being traced.”
49. WHY YOU NEED TO PERFORM MEMORY FORENSICS – Matt Mercer
“Memory forensics has risen from obscure to obligatory over the last 20 or so years. If you aren’t capturing (and analyzing) memory, then you are leaving crucial evidence behind. This article will provide an overview of memory forensics, and a walk-through of some basic techniques and tools. The
principal focus will be a Windows environment and open source or free tools to investigate user activity. So, put away your write-blockers and get ready”
50. STEP BY STEP MEMORY FORENSICS – Boonlia Prince Komal
“In this article I have attempted to take you right from the dumping of memory to the complete analysis of it. I have attempted to include whatever I, as a forensics investigator will do. I have focused only on Windows here.At places it has not been possible to include each and every thing. At such places I have taken few things in detail, few things in brief and left others to be explored by the reader himself.”
51. STEP BY STEP TO WORK WITH YOUR OWN MEMORY DUMPS – Javier Nieto Arevalo
“In our personal live or in our business live (sometimes they are joined) we hear a lot of news about security problems. Some days we can experiment these troubles in our computers or in our business networks. If your computer is alive and it is connected to the Internet, you are in risk of been attacked… You can bet you will be infected some day… Every week in the news you can check that huge companies like Google, Juniper, Adobe, and RSAeNvision… have been hacked because an advanced persistent threat (APT) was installed in their systems and their information was stolen. At this moment it’s essential to have a great team able to make a good forensics analysis in order to detect the modern malware, evaluate the damage, check out what data was thieved and learn about it in order to
avoid the same problem or another similar in the future.”
52. MEMORY FORENSICS, ANALYSIS AND TECHNIQUES – Rafael Souza
“With the evolution of technological resources and the popularity of the Internet, it has become impractical to maintain only the traditional approach, due to the large volume of information to be analyzed and the growth of digital attacks. In this context, the analysis of data stored in volatile memory comes up with new techniques, it is necessary to check the processes that were running, established connections, or even access keys encrypted volumes, without causing the loss of sensitive information to the investigation, thus allowing the recovery of important data to the computer forensics.”
53. EXTRACTING FORENSIC ARTIFACTS USING MEMORY FORENSICS – Monnappa K A
“Memory Forensics is the analysis of the memory image taken from the running computer. In this article, we will learn how to use Memory Forensic Toolkits such as Volatility to analyze the memory artifacts with practical real life forensics scenarios. Memory forensics plays an important role in investigations and incident response. It can help in extracting forensics artifacts from a computer’s memory like running process, network connections, loaded modules etc. It can also help in unpacking, rootkit detection and reverse engineering.”
54. WINDOWS MEMORY FORENSICS & MEMORY ACQUISITION – Craig S. Wright
“This article takes the reader through the process of imaging memory on a live Windows host. This is part one of a six part series and will introduce the reader to the topic before we go into the details of memory forensics. The first step in doing any memory forensics on a Windows host involves acquisition. If we do not have a sample of the memory image from a system we cannot analyze it. This sounds simple, but memory forensics is not like imaging an unmounted hard drive. Memory is powered and dynamic, and changes as we attempt to image it. This means it is not a repeatable process. Not that there is a requirement at all times for the results of a forensic process to provide the same output; in this it is not necessary to be able to repeat a process and obtain exactly the same results. It does not mean we cannot use a variable process in a forensic investigation. What it does mean is we have a set of steps that will allow us to image memory but that every time we do those the results will change.”
55. iOS MOBILE DEVICE FORENSICS – FOR BEGINNERS – NCIS Solutions Team
“What we are hoping to do is give an overview to any new mobile device forensicators on how we would run an iOS forensics task when delivering a service to a client on a particular handset. Similar techniques would also be used when exploiting media devices. For instance, if our ‘Red Team’ is tasked by a client, to run a full security assessment at their residence or business address. The techniques shown in this article can also be added and run for Android devices in the same way, as long as you have the native cable of the mobile device you want to extract data from.”
56. HOW TO PERFORM A LOGICAL ACQUISITION OF ANDROID DEVICES – Paolo Dal Checco
“When dealing with digital investigations, mobile devices are as important evidences as personal computers, but the way their examination takes place is completely different and much more complex. Reading the content of a smartphone can be challenging in some cases but recently some tools – commercial and free/open source – have been developed to help out investigators. With a little time examiners can learn how to use free tools to extract evidences from Android devices.”
57. HOW TO PERFORM LOGICAL ACQUISITION OF IOS DEVICES – Paolo Dal Checco
“During investigations, mobile devices are as important evidences as personal computers, but the way their examination takes place is completely different. Reading the content of a smartphone can be a challenge but there are methodologies and tools that can help investigators. Some of these tools are free and Open Source, mainly when it comes to logical acquisition of data.”
58. iPHONE ANALYZER: EFORENSICS FROM A TESTER’S VIEW – Cordny Nedercoorn
“A softwaretester makes a diagnosis about the quality of the software, and a forensic investigator makes a ‘forensic’ diagnosis by collecting evidence for a crime committed.
Also the system under investigation shows similarities. Both systems must be separate and not tampered with.
This article is the first of a series where I will show how I look at a particular eforensics software application as a tester and show possible risks when using it. Starting with the iPhone analyzer developed by CrypticBit.”
59. HOW TO PERFORM A FORENSIC ANALYSIS OF A SMARTPHONE WITH OXYGEN FORENSIC SUITE 2013 – Fabio Massa
“The growing technological development in the field of smartphones and mobile devices of communication, is strictly proportional to the implication of the same nature in forensic investigations in order to obtain evidential information useful to the identification and resolution of crimes, involving the use of such devices. Among many opportunities and various tools developed for this purpose, this article argued the Oxygen Forensics Suite 2013 software that allows logic forensic analysis, in some cases, even physical of numerous brands and models of mobile phone. The informations that can be restored by Oxygen are numerous and allow to reconstruct the timeline of criminogenic events. Some of these have the ability to recover phone information and sim card, contact list, missed calls / outgoing / incoming text and multimedia messages (also canceled in some cases), data, LifeBlog, GPS and XMP, Iphone Backup password-protected information Skype, Wi-Fi and IP connections and much more.”
60. THE ENEMY INSIDE THE GATES – A GUIDE TO USING TOOLS FOR NETWORK FORENSIC ANALYSIS – Phill Shade
“The presence of cybercrime and cyber terrorism is on the rapid increase as we depend more and more on computers and the Internet. These changes revel an emerging requirement for Law Enforcement and Corporate Security personnel to work together to prevent, and solve increasingly more complex cases of the computer networks being utilized for criminal and terrorist activities.”
61. STEP BY STEP ANALYSIS OF FACEBOOK AND TWITTER DATA ON ANDROID DEVICES – Massimo Barone
“A recent study published by Mashable (http://mashable.com/2013/01/29/twitter-fastest-growing- social-platform) shows that across all the social networking platforms, including Facebook and Google+, it is Twitter that holds the crown for the fastest growing number of active users. The growth of social networks is heavily influenced by the burgeoning numbers of smartphones which allow access to these platforms at any time and from any place.”
62. HOW TO PREPARE ORACLE FOR EXAMINATION IN THE FORENSIC LAB – Todd Markeley
“The Oracle database can present many opportunities for gathering important evidence, but it can also include serious obstacles for the forensic examiner.”
63. WAYS TO DETECT BIOS CLOCK ANTI-FORENSICS – David Sun
“The ultimate purpose of any forensic computer investigation is to correlate activities on a computer with real world actions by an individual. Accomplishing this can help a trier of fact decide what actually happened in a given situation.”
64. DIY REMOTE NETWORKED OS X MONITORING – Israel Torres
“Remote access to a machine (or more so machines) is status quo these days; we are creatures of convenience and if we can operate as easily from a remote location as we can at the office we’ll take it.”
65. CHROME FORENSICS HOW TO TRACE YOUR INTERNET ACCESS BEHAVIOR – Marcelo lau, Nichols Jasper
“This article describes computer forensic procedures for discovering Internet Browsing habits, and compiling computer user profiles. This paper suggests useful information regarding the type of information, and how Chrome defaults’ directories are used, and what kind of browsing information.” may be recovered from computers. Simplifying collection and some reporting tools are described.
66. HOW TO AVOID SECURITY FLAWS IN APPS USING IOS WEB VIEWS – Maria Davidenko
“iOS is considered the most secure touch OS because of its closed nature. However, that doesn’t mean that there is no place to worry about your data safety and integrity, or, to be more precise, about your user’s data safety. There are plenty of tools developers get with the iOS SDK to provide a great user experience within their apps, there are, however, few tools you may use to provide safe Internet browsing within your apps. UIWebView is one of them.”
67. DISCOVERING RECONNAISSANCE ACTIVITY THROUGH NETWORK FORENSICS – Shashank Nigam
“Port scanning is the process of analyzing a target machine’s ports in order to determine whether they are open and the types of service running on system. It also allows an attacker to fingerprint the active services and determine their versions. Such analysis forms a solid base for crafting a more focused attack before actually attacking a target.”
68. DIGITAL FORENSICS TUTORIAL: KEYWORD SEARCHES – Patrick Oulette
“When we hear people talk about forensics, we typically imagine scenes from Crime Scene Investigation (CSI) or Crime Scene Unit (CSU) shows or movies so popularized in recent years. Although glamorized and using shortened time-frames for processes involved, these shows do adequately represent standard criminal and crime scene investigative and analytical processes.However, the reality of a digital crime is a much more complex one and involves a much broader spectrum of knowledge and skills related to technologies, non-localized criminal element that may not even be human in nature, and potential theories.”
69. HOW TO FORENSIC USB DEVICES – Carlos Castro
In this article there is a description of difficulties added to computer forensic by the diversity of devices that were included at investigation scope after the creation and popularization of USB interface. The principal focus will be the investigation at Windows environment, describing some characteristics of this operational system, how it deals with USB devices and the attention points for the forensic image acquisition.
70. HOW TO PERFORM FORENSICS ON USB MASS STORAGE DEVICES PART 3 – Phil Polstra
“USB mass storage devices have become the standard for backup and transfer of files. The popularization of this media has led to challenges for forensic specialists trying to find data on fixed memory storage media instead of traditional magnetic media. This article in a multi-part series will demonstrate how to construct cheap and compact USB mass storage device forensic duplicators.”
71. HOW TO PREVENT YOUR CORPORATE ENVIRONMENT FROM BEING INTRUDED BY INFECTED USB DEVICES PART 4 – Wimpie Britz
“In today’s ever evolving computer landscape; employees are constantly bombarded by new technologies aimed at speeding up and improving the way that they conduct business. USB Devices are no exception to the rule, but can the corporate environment afford the risks associated with USB Devices.”
72. HOW TO PERFORM FORENSICS ON USB MASS STORAGE DEVICES – Phil Polstra
“USB mass storage devices have become the standard for backup and transfer of files. The popularization of this media has led to challenges for forensic specialists used to traditional magnetic media. This first article in a multi-part series will provide a necessary overview of how USB devices work at a low level.”
73. HOW TO DETECT A FILE WRITTEN TO AN USB EXTERNAL DEVICE WINDOWS FROM MRU LISTS – Carlos Dias da Silva
“Today one of the principal company asset is the digital information. The digital information can be used of a lot of methods and also can be copied using different modes. To know and to control what files were sent to out of the company is a problem nowadays and never is a little the investment to guarantee the data secure.”
74. HOW TO PERFORM FORENSICS ON USB MASS STORAGE DEVICES 4 – Phil Polstra
“USB mass storage devices have become the standard for backup and transfer of files. The popularization of this media has led to challenges for forensic specialists trying to find data on fixed memory storage media instead of traditional magnetic media. This article in a multi-part series will demonstrate how to construct a cheap and compact write blocker for USB mass storage devices.”
75. USING SYNCBEE TO SYNCHRONIZE YOUR COMPUTER WITH A PORTABLE HARD DRIVE – Chen, Jun-Cheng (Jerry)
“To avoid computer crashes and data loss, people jump on the “online backup” bandwagon to store their data to the Cloud in this data-booming era. Online backup is a good method for saving data. However, we need to be aware of problems when our data is stored in a risky remote space environment. Also note that Internet bandwidth can drastically slow down our backup time and work efficiency.”
76. HOW TO PERFORM FORENSICS ON USB MASS STORAGE DEVICES PART 5 – Phil Polstra
“USB mass storage devices have become the standard for backup and transfer of files. The popularization of this media has led to challenges for forensic specialists trying to find data on fixed memory storage media instead of traditional magnetic media. In this firth part of a multi-part series a simple and inexpensive device for bypassing some endpoint security software by allowing any USB mass storage device to present itself as an authorized (whitelisted) device is presented.”
77. HOW TO PERFORM FORENSICS ON USB MASS STORAGE DEVICES PART 6 – Phil Polstra
“USB mass storage devices have become the standard for backup and transfer of files. The popularization of this media has led to challenges for forensic specialists trying to find data on fixed memory storage media instead of traditional magnetic media. In this sixth article of a multi-part series we will examine how to leverage open source software in order to perform forensics on USB devices.”
Best Forensics Tutorials Vol. 2
DIGITAL FORENSICS TUTORIAL KEYWORD SEARCHES
by Patric Oulette
When we hear people talk about forensics, we typically imagine scenes from Crime Scene Investigation (CSI) or Crime Scene Unit (CSU) shows or movies so popularized in recent years. Although glamorized and using shortened time-frames for processes involved, these shows do adequately represent standard criminal and crime scene investigative and analytical processes.
FORENSIC VIDEO ANALYSIS – STEP BY STEP
by David Spreadborough
Through an examination of the underlying digital data, a Forensic Video Analyst is able to make the correct decisions when dealing with a piece of proprietary video.
CREATING AN INCIDENT RESPONSE PROCESS
by Vincent Beebe
In today’s technologically advanced society, our response to events is extremely important. This is never truer than when it comes to assets within a company. There are a lot of tools in place in today’s business world to monitor and protect. Unfortunately, in a lot of cases, there is no established process that defines what to do when an alert occurs...
AN OVERVIEW OF CLOUD FORENSICS
by Dejan Lukan
When discussing cloud forensics, we’re actually talking about the intersection between cloud computing and network forensic analysis. Cloud computing basically refers to a network service that we can interact with over the network; this usually means that all the work is done by a server somewhere on the Internet, which might be backed up by physical or virtual hardware. In recent years, there has been a significant increase on the use of virtualized environments, which makes it very probable that our cloud service is running somewhere in a virtualized environment.
UNDERSTANDING DOMAIN NAME SYSTEM
by Amit Kumar Sharma
Domain Name System (DNS) DNS spoofing also referred to as DNS cache poisoning in the technical world is an attack whereinjunk (customized data) is added into the Domain Name System name server’s cache database, which causes it to return incorrecdata thereby diverting the traffic to the attacker’s computer.
STEP BY STEP WALKTHROUGH TO DO THREATS AND RISKS MANAGEMENT BY ADHERING INDUSTRY STANDARDS
by Jaya Ram Kumar Pothi
Information Security Governance became more reputed in all organization right from the beginning of modern era that is now known as “Internet”. In all the organizations they have customized their practice as a Governing Operating System for easier visual management of project progress tracker. Governing Operating System commonly made with combination of existing systems like ISO27001, Lean, SOX, Six Sigma etc. In Information Security Governance the Imperative factor is Threats and risks Management.
DATA MASKING: A MUST KNOW FOR COMPUTER FORENSICS
by Cordny Nederkoorn
Data masking is a process that is used to protect the information that is stored in data management systems. It is used to prevent data corruption and to give only users with the right authorization access to the data. For computer forensics, this is interesting because it shows how a company can protect itself against external (and internal) data breaches. This article shows what data masking is by showing an example using software from Camouflage, a leading provider of enterprise-class data masking solutions for securing sensitive data.
THE APT (ADVANCED PERSISTENT THREATS) IN A NUTSHELL THE APT – OVERVIEW
by Sameera de Alwis
The APT is an utmost vital interrogation these days in the digital world or cyber interstellar of contemporary information era. The APT routinely has unconventional digital outbreak competencies and it does not mean hi-tech proficiencies always, then again well strategic, systematized and occasionally hybrid executed just like a top-secret US undercover operation 9/11 was avant-garde. In addition to aforesaid supplementary information and crossway point, the persistent outbreaks are to uphold conversant and uninterrupted access to information and cyber empowered networked systems.
INTRODUCTION TO 4G MOBILE TECHNOLOGIES: LTE (LONG TERM EVOLUTION), NETWORK ARCHITECTURE
by Bappaditya Dey
Mobile telephony standards have been gradually adopting packet switched technologies since the introduction of 2.5G GPRS networks back in the nineties. But the continuous growth in demand for data services has forced the mobile networking standardisation processes to move away from legacy circuit switched technologies and to focus primarily on implementing efficient wider bandwidth data carrying capabilities. This has finally culminated in the introduction of the all IP based Fourth Generation Long Term Evolution (4G LTE) standard by 3GPP standardisation body; and this new technology is already being deployed worldwide and going through several feature additions such as ‘LTE-Advanced’. Here in this first article of this series, we will take a look the overall architecture of a basic LTE network including the network elements and protocol stacks.
LINUX, WINDOWS & MACINTOSH:
SIMPLE WIRESHARK USAGE IN KALI LINUX
by Victor Panisa
This article introduced basic concepts of Wireshark – a sniffer tool, and how to use it.
CORRELATING CARVED DATA IN KALI
by Drew Perry
In this article Drew Perry will be investigating how the BackTrack Penetration and Security Auditing Linux distribution has evolved into Kali. He will put some of the powerful forensics tools to good use by utilizing a data carving technique and then use the results to perform open source reconnaissance. He will also be demonstrating an ownership relationship between the original data and a remote server which can help expand the scope of a forensic investigation.
RECOVERING DELETED FILES FROM A WINDOWS MACHINE WITH KALI LINUX BY USING DD_RESCUE AND FOREMOST
by Cory Miller
There are many tools that have been added in the Kali Linux suite, comparing to BackTrack, some of which can be used to preserve digital evidence as well as retrieving deleted files. Open source tools such as dd_rescue and Foremost allow you to create an image of any type of storage device such as USB, Hard Drives, and SD Cards, and retrieve deleted or corrupt files. Let Cory Miller put the theory into practice.
PASSWORD CRACKING WITH JOHN THE RIPPER IN KALI LINUX
by Alexandre Beletti
In this article Alexandre Beletti will introduce you to the basic concepts of John The Ripper, a software that can crack passwords usingvariety of different techniques.
DIGITAL EVIDENCE ACQUISITION WITH BACKTRACK
by Ayei Ibor
It has become increasingly important to have a veritable means of acquiring digital evidence needed to prove the authenticity of a case or scenario that can be admissible in court. Evidence recovery processes usually need to be presented in such a way that the same results will be obtained by a third party, assuming the same methods are employed by an investigator. Ayei Ibor will present us practical applications and a sample of evidence acquisition.
WINDOW FORENSICS ANALYSIS
by Muhammad Irfan
For any forensic investigation, the most challenging thing is the collection of information which will lead us in the right direction to solve a case successfully. If actual information is not collected, then we are not able to proceed in the right direction and sometimes the investigation will not give us any fruitful information. If an investigation is done properly, then we have the maximum chance that we can find the culprit and successfully end the case.
WINDOWS REGISTRY FORENSICS 101
by Jason Stradley
This article is meant to serve as a very basic introduction to the Windows Registry and its usefulness as a resource for certain types of forensic investigations. Windows 9x/ME, Windows CE, Windows NT/2000/XP/2003 store configuration data in a data structure called the Registry. The Windows Registry contains lots of information that are of potential evidential value or helpful in aiding forensic examiners on other aspects of forensic analysis. It is a central repository for configuration data that is stored in a hierarchical manner.
WINDOWS MEMORY FORENSICS & MEMORY ACQUISITION
by Dr Craig S. Wright, GSE, GSM, LLM, MStat
This article takes the reader through the process of imaging memory on a live Windows host. This is part one of a six part series and will introduce the reader to the topic before we go into the details of memory forensics. The first step in doing any memory forensics on a Windows host involves acquisition. If we do not have a sample of the memory image from a system we cannot analyze it. This sounds simple, but memory forensics is not like imaging an unmounted hard drive. Memory is powered and dynamic, and changes as we attempt to image it.
INTRODUCTION TO WINDOWS FORENSICS USING PARABEN P2 COMMANDER
by Dauda Sule, CISA
Microsoft Windows is the most widely used operating system both for business and personal use. Such popularity has made it one of the most targeted operating systems by malicious attackers. As a result, it is often used as a platform to access personal and work place data, or even to commit policy breaches assisting in the commission of criminal acts. Investigations that are based on electronic evidence stand a very high chance of being carried out on a system with one or the other version of Windows operating system. It is therefore one of the most important operating systems anyone going into the field of cyber forensics will need to know how to investigate.
FORENSIC APPROACH TO ANALYSIS OF FILE TIMESTAMPS IN MICROSOFT WINDOWS OPERATING SYSTEMS AND NTFS FILE SYSTEM
by Matveeva Vesta Sergeevna, Leading specialist in computer forensics, Group-IB company
All existing file browsers display 3 timestamps for every file in NTFS file system. Nowadays there are a lot of utilities that can manipulate temporal attributes to conceal the traces of file using. However, every file in NTFS has 8 timestamps that are stored in file record in MFT and are used in detecting the fact of attributes substitution. The author suggests a method of revealing original timestamps after replacement and automated variant of it in case of a set of files.
HOW TO PERFORM A BASIC AND FAST FORENSIC ANALYSIS ON MACINTOSH OPERATING SYSTEMS – A QUICK START GUIDE
by Deivison Pinheiro Franco
Computer Forensics is an area that is very Windows-centric. Many tools pay lip service to Apple’s Macintosh (Mac) platform, and others do not even recognize it at all. The few Mac tools available are either expensive or inadequate. Regardless, it is necessary for an investigator to know what to look for and where to look. This article is intended to give investigators a brief outline of what the file system and structure of a Mac looks like and to give a basic criteria on what to look for, as well as some generalized locations for where to look. It is far from a comprehensive forensic manual for Macintosh computers, but it does attempt to give an examiner relatively comfortable with Windows environments a place to start learning about Mac forensics.
HOW TO USE ENCRYPTED ITUNES BACKUPS FOR SMS HISTORY WITHOUT THE DEVICE OR JAILBREAKING
by Gouthum Karadi, CISSP,CEH, MBA
Imagine it is late Friday afternoon at Forensics, Inc. and you get a call from ABC Corp, one of your top clients. It seems that ABC had competitor XYZ cornered and agreeing to submit to a deal before a timely lunch. Yet when talks resumed after the break, XYZ began to negotiate more fiercely. The opponent began to negotiate using not only the exact tactics that ABC prepared for, but even using the exact words in some cases. How could XYZ know what ABC was planning? Someone had to have leaked the internal talking points memorandum the morning of the negotiaton.
by Bridgette Braxton
AccessData FTK Imager provides an easy way to image a hard drive that allows the investigator to create dd images, Smart images, and EnCase images. The program loads quickly, creates forensic images that allow easy previewing of the hard drives files/folders and media, mounts images for read-only view to see the contents on the original drive, exports/recovers files that have been deleted that have not been overwritten, and creates hash files using Message Digest 5 (MD5) and Secure Hash Algorithm (SHA1) that verifies the integrity of the images have not been altered or changed. FTK Imager is a free program provided by AccessData the same company that provides AccesData FTK Imager lite and it is one of the best drive imaging and evidence collection programs I have used and it’s a court-accepted digital forensic tool.
HOW TO INVESTIGATE FILES WITH FTK IMAGER
by Mark Stam
The Master File Table or MFT can be considered one of the most important files in the NTFS file system, as it keeps records of all files in a volume, the physical location of the files on the drive and file metadata. One of the most important tasks of a computer forensics expert is making file artifacts and metadata visible. Learn how in a straightforward manner, conduct the process of extracting NTFS file system data from a physical device. NTFS uses the Master File Table (MFT) as a database to keep track of files. We can use the MFT to investigate data and find detailed information about files. In this example we use FTK Imager 18.104.22.168 to find a picture (JPEG file) in Windows 7.
USING FTK IMAGER CREATE FORENSICALLY-SOUND COPIES OF DIGITAL MEDIA
by Austin Troxell
The first step in Digital Forensic examinations is to create precise duplicates of any storage media collected as potential evidence. One of the key principles of Digital Forensics is that examiners must eliminate or minimize the risk of altering any information contained on the original evidence items. Where at all possible, the analyst will make digital copies of the media to be examined and work from these duplicates, preserving the originals. The Digital Forensics examiner has numerous options for creating exact bit-stream representations of digital media, including hardware duplicators as well as various software tools that create digitally identical copies. In this article Austin Troxell focuses on the features and use of AccessData’s FTK Imager.
CREATING A FORENSIC IMAGE OF A HARD DRIVE USING FTK IMAGER AND IMAGER-LITE FROM ACCESSDATA
by Bridgette Braxton
The advancement in the world of computer forensics has provided many tools to assist incident responders perform live analysis on a computer. The capabilities of forensics tools have improved by making analysis feasible by integrating enhanced interfaces, documentation, built-in detection methods, and new ways to collect evidence. Let’s see how FTK Imager can be used in those processes and how to do it!
FTK IMAGER ON THE FLY
by Robert C DeCicco
Practicing computer forensics often times means having to jump on a plane or in a car to get someplace quickly to collect evidence. In part, response to the ofthen reactive nature of the work, agnecies and firms have developed fly away kits, mobile labs or other solutions that are prepped and ready to go and can handle a variety of environments or evidence types.What about when you’re not prepared for a collection? What about those instances where you may be only scheduled to attend a meeting or scoping exercise at a client site? Robert DeCicco will show you how FTK Imager literally saved the day when the circumstances suddenly changed.
DETECTING EVIDENCE OF INTELLECTUAL PROPERTY THEFT USING FTK® IMAGER (AND FTK® IMAGER LITE)
by Ana M. San Luis & Robert K. Johnson
In today’s world of constantly evolving technology, there arise a number of options for thieves, embittered and disgruntled employees, or naive colleagues to participate in the theft of intellectual property, whether intentional or otherwise. IP theft can cost victims their jobs, reputations, and even millions of dollars, depending on what is stolen. Experts and investigators have a number of industry and court accepted tools available at their fingertips to investigate suspicions or allegations of IP theft. Some of these tools allow forensic experts and investigators to examine live running suspect machines or media, while making little to no changes to the suspect machines or media. Two such tools are AccessData’s FTK Imager and FTK Imager Lite.
FILE RECOVERY – PART 01
by Everson Probst
One of the core activities of a computer forensic expert is the file recovery. Through recovering, it is possible to examine records deleted by users or deleted automatically by the system. This tutorial will show you how to recover files as well as the technical properties performed with FTK Imager and Recuva software. Recuva is the free software distributed by Piriform whose main function is to recover deleted files. It uses the archive system index to recover deleted files and also runs Data Carver, but in this aspect, it is not very efficient when compared to Foremost.
FILE RECOVERY – PART 02
by Everson Probst
In this tutorial you will learn how to conduct file recovery with FTK Imager and Foremost software. Foremost is the free software that has the function of recovering files based on the Data Carver method. It is capable of recovering files whose record entries are no longer found in the archive system. That makes it a very useful tool to recover older files, despite it is not capable of recovering all original properties of the recovered file.
COUNTERFORENSICS: HOW TO MISLEAD COMPUTER FORENSICS SOFTWARE
by Cordny Nederkoorn
Forensic investigators frequently use forensic software tools for their collection and analysis. However, specific software is being developed and used to thwart the use of forensic software by the forensic investigators. This is known as counterforensic software aka counterforensics
OPTICAL MEDIA DATA HIDING- TIPS, TECHNIQUES AND ISSUES"
by Paul Crowley
Data hiding is substantially different from encryption. Encryption puts the “container” with the data front and center in the examiner’s face and is a challenge. A well-executed encryption can be a serious blockade in that without the password being revealed in some manner the encrypted data is inaccessible. Unfortunately for the world of secrets, it turns out that in the face of this sort of challenge there are many, many ways of acquiring the password and gaining access to the data.
CIRCUMVENTING DIGITAL FORENSICS
by Alexander R. Tambascia, D.Sc.
This paper is to cover ways to defeat digital forensics capabilities to recover personal identifiable information (PII), confidential information and/or property intellectual property on personal computer and laptop. This paper will look at simple mechanism, encryption; that can be used to defeat common digital forensic tools and forensic investigator abilities to collect stored and deleted information.
FINDING ADVANCED MALWARE USING VOLATILITY
by Monnappa Ka
When an organization is a victim of advanced malware infection, a quick response action is required to identify the indicators associated with that malware to remediate, establish better security controls and to prevent future ones from occurring. In this article you will learn to detect advance malware infection in memory using a technique called “Memory Forensics” and you will also learn to use Memory Forensic Toolkits such as Volatility to detect advanced malware with a real case scenario.
HOW AND WHY TO INCLUDE DBAS IN INFORMATION SECURITY GOVERNANCE
by Rob Stewart
Information security has greatly increased in visibility over the past two decades. Over the last ten years governance around the policies and procedures that make up information security has grown and new more specific areas such as data governance have begun to emerge. While some industries are regulated and must comply with government legislation, most companies now understand the necessity staying ahead of the curve when protecting access to and ensuring the integrity of their data. This article will examine why and how to actively involve your DBA group in information security from conception through to implementation and discuss how a complete strategy involves more than just controlling access to information systems.
FORTIFYING THE DEFENSES: IMPLEMENTING SECURE SHELL KEY MANAGEMENT THAT WORKS
by Tatu Ylönen
In an effort to more thoroughly secure files, organizations and governments alike have instituted the use of the Secure Shell protocol. Secure Shell encrypts data as it is transmitted through the network through two encrypted keys; one of which is placed on the server and the other on the user’s machine. Not only does this protocol secure data that is being transferred within the network, but it also allows administrators to manage the systems remotely.
HOW TO INDEX DATA WITH KS
by Nanni Bassetti
This is a keywords searching tool working on the allocated, unallocated data and the slackspace, using an indexer software and a database storage.
BIOMETRIC FACIAL RECOGNITION DATABASE SYSTEMS
by Robert E. Vanaman
A biometric system is effectively a pattern recognition system that operates by acquiring biometric data from an individual, and extracts a feature set from the acquired data for comparison purposes. The information needed for recognition is acquired by a sensor, and is converted into a digital format. This digitized representation of a feature, in this case a face, is then compared to a “biometric template” or a “gallery” stored in a database. This paper will delve into the Facial Recognition Database Systems (FRDBS) currently in place and cover predictions for future use, exploring the processes and methodology employed therein, specifically addressing FRDBS methodologies and techniques employed in capturing, storing, and comparing scanned images.
STEGANALYSIS: EXPLORING THE VIRTUAL STEGANOGRAPHIC LABORATORY PART 1: THE LSB-STEGANALYSIS
by Cordny Nederkoorn
Steganography is the art of obfuscation, hiding information in plain sight, while Steganalysis is the art of finding this hidden information. For computer forensics professionals, steganalysis is becoming a daily job. Different tools are available for steganalysis, with The Virtual Steganographic Laboratory being is one of these tools. This article is the first of a series where different functions of VSL will be tested and discussed.
COMPUTER FORENSICS WITH P2 COMMANDER
by Pranshu Bajpai
Computer Forensics is the methodical series of procedures and techniques used for procuring evidence from computer systems and storage media. This evidence can then be analyzed for relevant information that is to be presented in a court of law. Computer Forensics has frequently been listed as one of the most intriguing computer professions, however beginners may find themselves overwhelmed quickly, as practical step-by-step procedures on this subject may be hard to come by.
Best Forensics Tutorials Vol.3
STEPS TO CONDUCT NETWORK FORENSIC ANALYSIS
by Rizwan Khan, CISSP, CFCE
Prepare yourself for the perfect network forensic investigation – what are the network topologies, attacks and threats? How to gather the necessary data? And finally – how to make good use of Wireshark, Snort and Ossec – invaluable network forensic tools?
DEXTER’S FORENSICS. A NETWORK AND MEMORY ANALYSIS
by Andrei Saygo
In this article we’ll go step by step through an analysis of Dexter, the infamous password-stealing threat that targets Point of Sale (PoS) systems from a network and memory forensics point of view.
TRACKING NETWORK TRAFFIC WITH BACKTRACK DARKSTAT AND DRIFTNET
by Ayei Ibor
Monitoring a network can be done in several ways using different applications. One common way of tracking traffic that goes in and out of a network is packet sniffing. BackTrack darkstat and driftnet are the tools that allow us capture and log of live traffic that passes through our network. Nothing will escape your attention now!
SOCIAL MEDIA MINING
by Kevin Smith and Krystina Horvath
Social media allows users to share troves of data with their peers. From demographics to pictures and videos to status updates, this overabundance of social data allows users to clearly illustrate their personal lives. What is the catch? Privacy. This article will showcase the ease of social media mining and being able to hijack a social media profile along with the user’s other online accounts. In addition, this article will highlight mitigation techniques that can be taken by social media websites to lessen the frequency of hijacked profiles and nefarious social media data mining.
EFFECTIVEW PHISHING ATTACKS STEALING USER DETAILS
by Colin Renouf
Phishing is a growing means of attack to which so many people succumb. This article explains the most effective methods of convincing an unsuspecting user that an email has come from someone who can be trusted; and the methods of capturing information from them – some of which don’t necessarily involve the use of computers. Phishing is essentially a social attack. By learning the techniques used for surreptitiously stealing information from an unsuspecting user, a security professional can use the techniques in penetration testing. He can also prepare users to defend themselves against such attacks.
CLOUD COMPUTING RISK ASSESSMENT
by Bryan Soliman
Cloud Computing is a phrase used to describe a variety of computing concepts that involve a large number of computers connected through a real-time communication network such as the Internet. In science, Cloud Computing is a synonym for distributed computing over a network, and means the ability to run a program or application on many connected computers at the same time.
DIY: CYBER BLACK BOX DECRYPT & MODIFY TRAFFIC ON-THE-FLY
by Dennis Chow, MBA, Senior Information Security Engineer
This article demonstrates how users can still be susceptible to their secure connections being monitored or modified without their knowledge on-the-fly with a device that a malicious person can put into the network. Legitimate use cases can be for troubleshooting or basic traffic monitoring for security purposes. Other purposes can easily lead to compromised credentials or even unauthorized actions on behalf of the user. Read on to find out how you can build a DIY (Do It Yourself) Cyber Black Box that will decrypt SSL sessions and modify traffic at your will.
STEP BY STEP GUIDE TO APPLICATION SECURITY PENETRATION TESTING WEB APPLICATION SECURITY
by Abhishek Dashora
This document will guide you to penetrate the web applications step by step. We have followed OWASP (Open Web Application Security Project) and OSSTM (Open Source Security Testing Methodologies) to construct this article.
HOW TO DISABLE OR CHANGE WEB-SERVER SIGNATURE
by Mohit Raj
To know Web-server signature means to know Web-server software and its version, it means to know which software and its version is running on the server machine. Many new developed website easily show their Signature.
NMAP: NETWORK ANALYSIS TECHNIQUES – A PRAGMATIC APPROACH
by Jean Marcel and Thiago Delgado
This time Jean Marcel and Thiago Delgado will show us how to use NMAP to find vulnerabilities and scan hosts for open ports without leaving traces. We will also learn how to pick the right technique to avoid being detected and simulate fake connections to puzzle intrusion-detection systems.
THE ENEMY INSIDE THE GATES A GUIDE TO USING OPEN SOURCE TOOLS FOR NETWORK FORENSICS ANALYSIS
by Phillip D. Shade – CNX-Ethernet, PASTech, WCNA, WNAX-Forensics
Phill Shade, Certified instructor for Wireshark University, Expert and Speaker at SHARKFEST’13, internationally recognized Network Security and Forensics Expert The goal of this brief tutorial is to introduce the concepts and techniques of Network Forensics Analysis including:
- Understanding the principles of Network Forensics Analysis and situations in which to apply them to evidence analysis
- Selecting and configuring Wireshark for Network Forensics Analysis to capture and recognize traffic patterns associated with suspicious network behavior.
- Specialized Network Forensics Analysis techniques including suspicious data traffic reconstruction and viewing techniques such as Web-Browsing sessions, Emails or file transfer activities or for detailed analysis and evidentiary purposes.
- Network security principles including encryption technologies, defensive configurations of network infrastructure devices and understanding and recognizing potential network security infrastructure mis-configurations
PACKET ANALYSIS WITH WIRESHARK AND PCAP ANALYSIS TOOLS
by Eric A. Vanderburg
Almost every computer today is connected. Their communication with others takes the form of packets which can be analyzed to determine the facts of a case. Packet sniffers are also called as network analyzers as it helps in monitoring every activity that is performed over the Internet. The information from packet sniffing can be used to analyze the data packets that uncover the source of problems in the network. The important feature of packet sniffing is that it captures data that travels through the network, irrespective of the destination. A log file will be generated at the end of every operation performed by the packet sniffer and the log file will contain the information related to the packets.
USING WIRESHARK TO ANALYZE SSL CONFIGURATIONS AND CERTIFICATES
by Larry Greenblatt
With all the talk these days of internet spying and theft, people are becoming increasingly concerned with protecting their information. As Laura Chappell, the founder of Wireshark University, might say, you can have opinions from people on security, but packets don’t lie. In this article I will show you how to use some simple Wireshark display filters and settings to view SSL/TLS capabilities in browsers, the negotiated cipher suite (the asymmetric, symmetric and hashing algorithms in use for the current session) and the information stored in the certificate.
WIRESHARK FILTERS FOR NETWORK ANALYSIS
by Amandeep Kaur, CISC, CPH, CPFA
Lecturer in Information Technology Network Analysis is the process of listening to and analyzing network traffic. It offers an insight into network communication to identify performance problems, analyze application behavior, locate security breaches, and perform capacity planning. IT professionals use these processes to validate network performance and security.
CAPTURING E-MAILS AND GOOGLE IMAGE SEARCHES FROM YOUR NETWORK
by Jessica Riccio
Imagine that you are the manager of a company and receive a tip from an employee that another employee is using his computer to view images that violate the company’s computer use policy. After hearing this information, you want to decide if the allegations made against your employee are true. All you need to do is launch Wireshark and follow Jessica’s guide!
SNOOPING ON CALLS USING WIRESHARK
by Milind Bhargava
(VoIP, n.d.) – Voice over Internet Protocol, is the new fashion in market. Everyone is moving towards it. Not that I feel there is anything wrong with it. It is not really that secure. Irrespective of if you are a forensic expert or a malicious user, using a tool as simple as Wireshark can help you listen to the calls made on a network.
CARVING BINARY DATA FROM PACKET CAPTURES
by Kelly Doyle
Imagine you are an incident responder and are notified that your company’s network has been compromised for the last several weeks. Your boss tasks you with identifying what information was exfiltrated from the network. Where do you start? This article will introduce you to some of the basic concepts for finding and carving out forensic artifacts off the wire.
NETWORK BASED FILE CARVING
by Gavin Stroy
File carving is the name of the technique of pulling files out of a stream of bytes without the use of a particular file system; much like finding a word in a word search puzzle. Network based file carving is used to extract files from saved network traffic data that has been collected from tools such as Wireshark or TCPdump. This is useful for extracting viruses to be analyzed, identifying exfiltration, and forensic investigations.
NETWORK FORENSIC WITH WIRESHARK DISCOVERING AND ISOLATING DOS/DDOS ATTACKS
by Yoram Orzach
Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks are attempts to make a computing or network resource unavailable to its users. There are various types of DoS/DDoS attacks, some load the network to the point it is blocked for applications traffic, some load servers to that point, and some are more sophisticated and try to “confuse” the application servers with bad data. Although there are various tools for detection and prevention of these types of attacks, good old Wireshark can also be used for this purpose. In this article we will see some important features of Wireshark, were to place it for capturing data, and how to use it to identify attack patterns.
INTRODUCTION TO MOBILE FORENSICS
by Fabio Masa
The production process of the forensic evidence is divided in five main phase: the seizure, the identification, the acquisition and the examination or analysis. Once the data is extracted from a device, different methods of analysis are used based on the underlying case. As each investigation is distinct, it is not possible to have a single definitive procedures for all cases.
ANDROID FORENSICS AND SECURITY LESSON 1: ANDROID APPLICATION STRUCTURE
by Lorenzo Nicolodi
Thanks to the growth of the Android market in the last years, seizing an Android device is something that, sooner or later, will happen to every forensics expert. Even if some concepts are common to every mobile device, some others are specific to Android and the knowledge of them can be the turning point either to exploit commercial tools features or to develop specific tools for specific needs.
EMULATION DETECTION TECHNIQUES FOR ANDROID
by Victor Antonio and Torre Villahoz
Android is an operating system widely used in mobile systems. This past year it has been attacked by Malware, due to its proliferation of phones and tablets from many different manufacturers. There are projects like ‘Droidbox’ (sandbox for Android) that allow security researchers to dynamically analyze applications through the use of the emulator included in the SDK.
HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING
by Eran Goldstein
Today we are going to demonstrate a quick reverse engineering and analysis process of an android mobile application called Ingress. Ingress is a near-real time augmented reality massively multiplayer online video game. It was created by Niantic Labs, a startup within Google, for the Android based devices market. The game has a complex science fiction back story which Niantic is revealing in segments. The gameplay consists of establishing “portals” at places of public art, etc., and linking them to create virtual triangular fields over geographic areas. The progress in the game is measured by the number of Mind Units, i.e. people, nominally controlled by each faction (as illustrated on the Intel Map). The necessary links between portals may range from meters to kilometers, or to hundreds of kilometers in operations of considerable logistical complexity. International links and fields are not uncommon, as Ingress has attracted an enthusiastic following in cities worldwide amongst both young and old, to the extent that the gameplay is itself a lifestyle for some, including tattoos.
TIMELINE ANALYSIS OF LOGS IN ANDROID OS
by John Andr’e Bjørkhaug, Christoffer Hallstensen, Rebin Stenvi and Made Ziius from Gjøvik University College
In this paper we investigate into extracting logs from apps and Android system for correlation and graphically display them in the form of a timeline, while preserving the terms of forensic soundness and integrity. The paper is based on experiments done by the group members on different of devices and different applications.
STEP BY STEP ANALYSIS OF FACEBOOK AND TWITTER DATA ON ANDROID DEVICES
by Massimo Barone
The growth of social networks is heavily influenced by the burgeoning numbers of smartphones which allow access to these platforms at any time and from any place. A recent study published by Mashable shows that across all the social networking platforms, including Facebook and Google+, it is Twitter that holds the crown for the fastest growing number of active users.
HOW TO PERFORM FORENSIC ANALYSIS ON IOS OPERATING AND FILE SYSTEMS
by Deivison Pinheiro Franco and Nágila Magalhães Cardoso
With Apple Operation System (iOS) design and the large amount of storage space available, records of emails, text messages, browsing history, chat, map searching, and more are all being kept. With the amount of information available to forensic analysts on iOS, this article will cover the basics to accurately retrieve evidence from this platform and build forensically analysis when applicable. Once the image logically, via backup or physically has been obtained, files of interest will be highlighted for a forensic examiner to review.
HOW TO PERFORM SEARCHES, SEIZURES AND INCIDENT RESPONSES ON IPHONES
by Deivison Pinheiro Franco and Nágila Magalhães Cardoso
iPhones collect and store a tremendous amount of evidence about a user’s activities. In many cases one could argue more evidence is collected than the user may want. Locations, messages, contacts, web surfing habits, notes, pictures and more are available on iPhones storage media, many with time stamped data. With this forensic evidence available, and more business being conducted on iPhones, forensic examiners need to be able to successfully and accurately acquire this evidence when requested by authorized authority. By utilizing proven, existing forensic techniques along with specialty tools mentioned in this paper, examiners can collect and present evidence from an iPhone. This evidence can then produce a clear report of the activities performed on the device.
STEP BY STEP GUIDE FOR IOS FORENSICS
by Nipun Jaswal
The world is crazy about apple devices, the rise of apple iOS has lead to making life of individuals stylish as well as comfortable, but high tech crimes may involve devices which run on iOS, now when this situation arises, a forensic analyst must be comfortable with carrying out forensic investigations on such devices, by doing forensic investigation of ios devices, our motive is to analyse data regarding calls, messages, logs, memory, files etc.
IOS MOBILE DEVICE FORENSICS FOR BEGINNERS
by NCIS Solutions Team
What we are hoping to do is give an overview to any new mobile device forensicators on how we would run an iOS forensics task when delivering a service to a client on a particular handset. Similar techniques would also be used when exploiting media devices. For instance, if our ‘Red Team’ is tasked by a client, to run a full security assessment at their residence or business address. The techniques shown in this article can also be added and run for Android devices in the same way, as long as you have the native cable of the mobile device you want to extract data from.
DEMYSTIFYING IOS – STEP BY STEP GUIDE FOR IPHONE HACKING
by Omkar Prakash Joshi CEH, CHFI, ECSA/LPT, ISO27001, Cyber Forensics Investigator
Nowadays, use of mobile devices has raise in this world. And most of users are using iPhones. So in this I am going to introduce jailbreaking concepts. Moreover, I will explain how to do runtime analysis on iOS applications, forensic analysis on iPhone backups, exploit iPhone devices also backdoor concepts regarding iOS devices.
WINDOWS PHONE 7/8 (WP7) DIGITAL FORENSIC INVESTIGATION PROCEDURE AND EVIDENCE RECOVERY TECHNIQUES
by Dr. Roffeh Ehud, International Law Expert in Electronic Evidence
One of the central problems involving technology and legal proceedings is the reliability of evidence presented to the court. This question is made more relevant due to the fact that rapid technological changes make previous legal precedents irrelevant. In other words, the same technology is no longer used to reinforce evidence as this is not the equivalent forensic tool used to extract digital evidence from the new device. Furthermore, the same forensic tool that was evaluated in the past and was found to be reliable with regard to the digital evidence it presents, must now undergo far reaching change in order that it be capable of copping with new technologies. This leads us to the issue as to whether the evidence presented to the court represents the actual events and/or if is it possible to rely absolutely on the evidence.
SIM CARD FORENSICS
by Apurva Rustagi
This article introduces the file-system implemented in Subscriber Identity Module (SIM) cards and the collection of data contents that might be helpful in a forensic investigation. The author, also, provides programming code that is designed to extract some of the important data such as Short Message Service (SMS) traffic and contact information from the SIM Card. A data extraction application would be written in ANSI C.
UNDERSTANDING SIM CARD FORENSICS
by Rohit Shaw
The SIM (subscriber identity module) is a fundamental component of cellular phones. It’s also known as an integrated circuit card (ICC), which is a microcontroller-based access module. It is a physical entity and can be either a subscriber identity module (SIM) or a universal integrated circuit card (UICC). A SIM can be removed from a cellular handset and inserted into another; it allows users to port identity, personal information, and service between devices. All cell phones are expected to incorporate some type of identity module eventually, in part because of this useful property.
HOW TO SECURE MICROSOFT SQL SERVER LOGINS USING INDUSTRY BEST PRACTICES
by Denny Cherry
Microsoft SQL Server is a large and fairly complex platform, like all mature database platforms. While it is a simple platform to install it unfortunately has a history of not being the most secure platform by default. Thankfully over the years Microsoft has made great strides to secure the database platform by default, but there is still plenty ofopportunity to install the platform in a less than secure environment.
HOW TO ENCRYPT CONNECTIONS TO A SQL SERVER DATABASE ENGINE
by Denny Cherry
Getting started with SSL in SQL Server can be a little bit of a daunting task as you’ll need to know how to get an SSL Certificate from your certificate authority as well as have an understanding of how SSL in general works. As we begin this article we will start by showing how to generate a CSR which will be needed to get the actual certificate.
TUNING SQL SERVER FOR SHAREPOINT
by Utsab Chattopadhyay
As DBA, we are very much responsible to ensure that SharePoint Environment of our corporations is always performing at it’s best. In this article, I will share some recommendations from my experience which will ensure that the SQL Server part of SharePoint Solutions is properly tuned for best performance.
HOW TO DESIGN DATABASES WITH OBSUCRITY IN SQL SERVER
by Grant Koeneke
There are many different ways to design and create databases. Now there are even several different platforms beyond just the Relation Database Management Systems (RDBMS). Add on top of this thought that there are many different reasons for using or not using one or many of these platforms to create a system and it can be quite confusing. A few of the tools we will be talking about in this discussion are SQL Server as an RDBMS, MongoDB as a NoSQL database platform and Redis as an in-memory database system.
HOW TO USE EXTENDED EVENTS TO IDENTIFY THE TOP CONSUMING QUERIES (IN A READTRACE STYLE)?
by Guillaume Kieffer
In this article I will focus on showing how to get the top consuming queries using a XEvent trace. Its old style equivalent would be to collect a profiler trace using SQLDiag for example and then Readtrace. All the scripts that will follow work with SQL Server 2012.
HOW TO KEEP SENSITIVE ECOMMERCE DATA IN MS SQL SERVER FROM BEING READ BY SIMPLE QUERIES
by Stephen Thomas
In this new digital era with cyber attack after cyber attack we must take counter measures to protect sensitive data in our eCommerce web sites. For those of us who use Microsoft ‘s powerful SQL server database to store our sensitive eCommerce data including but not limited to credit card information, copyrighted media, official documents, etc., we have many suitable options available to us to secure sensitive data by encryption. This article will reveal to you several encryption options available to you in SQL Server, explain the difference between them, and give some practical code examples for using them.
BLIND INJECTION – DBV5. STEP BY STEP
by Vidit Baxi
It’s a unique type of injection used by hackers when website does not respond to the queries and does not generate any error. This type of injection can be applied to the database version 5 or above 5.
SQL SERVER PERFORMANCE COUNTERS – POWERSHELL
by Chris Kitchen
The purpose of this article is to discuss at a high level a simple PowerShell application which collects useful Windows Performance Monitor Counters for highlighting potential performance issues. The article then goes on to discuss each of the counters in greater detail along with range values to look for.
SQL SERVER DATA ENCRYPTION & ACCESS
by Chris Kitchen
The purpose of this article is to discuss at a high level, some of the available options for encrypting and restricting access to data held within a Sql Server database. It describes a number of available options and also looks at some of the advantages and limitations of each from a technical perspective.