Once again, SANS has invited us back to present the awards at the 2012 Forensic Summit in Austin on June 26 and 27.

This year we have streamlined things a little and taken the total number of awards down to 10. We have also changed the names of most of the awards. We no proclaim the winner as “Best…” but rather “…of the year”.

Nominations will close on March 31 and voting will open the next day.

Thanks for your participation.

To the eventual nominees:

Please make every effort to get to the summit so that you can collect the award in person, should you win. The event, as a whole, is worth attending regardless. The speakers are fantastic and there is plenty of opportunity to learn and network.

It also guarantees that you’ll receive your award, as well as any other goodies that may come as part of winning.

It is quickly approaching the awards season. Yes the Oscars, the Grammies, the Golden Globes, and others will be held in the coming months but, most importantly, we will soon be accepting nominations for the Forensic 4cast Awards.

Once again SANS has been kind enough to host the event at the Forensic Summit (held at the Omni Hotel in Austin June 26-27 2012) and my new employer, Digital Discovery, is going to furnish the awards themselves.

For the last two years I have pretty much handled the event myself. This has made the awards ceremony… interesting at times. For this reason I’m asking for some volunteers to assist this year. If you’re going to be attending (and you should be) and you think you could help in any way please let me know via the “Contact Us” page.

I look forward to hearing from you.

Lee

I’m doing an imaging job in the Dallas area. The client wants me to image four servers, three of which are business critical and can’t be out of use between 6am and 7pm.

So, these servers are so old that they make Ken Pryor look like a teenager…

At first I tried using FTK Imager (portable version) but that ended up crashing one of the servers (yikes). Thankfully the crash was over night and it was back up in time for the start of the working day.

Next I tried DCFLDD. This worked for two of the servers (bearing in mind that I had to do this over USB 1.1). This was painstakingly slow but it worked. However, the other two servers were simply unable to cope with being imaged. They would continually lock up or lose connectivity to the USB drives.

I tried netcat. No dice.

I exhausted all of my practical possibilities.

Finally we all decided to take the servers offline tonight and tomorrow night. We were going to image a 2TB server with SATA drives (yes, they had both IDE and SATA in their servers, as well as SCSI). If a boot disc wasn’t going to work I was going to have to image SATA drives (simple enough) and SCSI drives (shoot me in the head) with a Tableau write-blocker. My SATA write-blocker has eSATA so that would go pretty quick, but my SCSI write-blocker is USB. So, a bunch of SCSI drives to image, one at a time mind you. Then would come the painstaking effort of reassembling the RAID in some software tool.

I could see what was going to happen. I was going to spend every evening from now until next week sitting in a cold server room imaging SCSI drives. I was going to cry.

Thankfully the lab is armed with a copy of F-Response – Consultant Edition.

After a little tinkering I was able to plug a laptop into the network and mount the drives from the problematic servers. Within a couple of hours the worst of the two servers was completely imaged and the largest of the servers was in progress.

Tonight I am sat at home in the company of my gorgeous wife wrapping presents for the kids instead of  sitting in front of a laptop watching a status bar crawl, very slowly, across the screen.

Thanks F-Response.

No, I’m not off to another conference. This time we’re playing for keeps.

Later in the month I am moving, with my family, to Texas where I’ll be taking a new position as Director of Forensics.

As many of you know my wife is American and we’ve lived here for nine years. In that time so much has happened. We’ve had three wonderful children, I’ve been through university and started a career, Forensic 4cast was born, and so much more. We’ll be sad to say goodbye to all of our friends in England but we are certainly excited to start afresh in Texas.

Make no mistake, I am not leaving Disklabs for any other reason than the fact that we’re going state-side. If we were going to stay here I would be staying with Disklabs. They are a good group of hard-working people (well, except for Simon Steggles of course). Without their assistance and kindness I very much doubt that Siena (our one-year-old) would have survived to be here today.

So what does this mean for 4cast? Well, not much really. I need to purchase new equipment once we get to the US so it might be a few weeks before we’re ready to start again but the good news is that our new time zone will make it so much easier to record. I will no longer be confined by the 5-8 hour gap between the US and the UK. Because of this I plan on recording more often. I’m also planning on knocking down the episode time to just 30 minutes (apparently there’s too much ‘waffle’ and not enough substance on the show).

So, keep a look out because Forensic 4cast will be back soon and it’ll be better than ever… and certainly much better than Cyberspeak

In the mean time, I’m still looking for people to post small items between episodes. Good tips, news, or anything relevant to the content of the show. If you’re interested please get in touch.

A few weeks ago I recorded a segment with Jon Bentley (one of the hosts) on password cracking and it airs tonite.

For those of you who can’t see it I’ll do what I can to post something on here.

If nothing else it should provide some good photoshopping opportunities (I’m looking at you J).

The Computer Misuse Act (1990) is the law that deals primarily with “hacking” offences. Twenty years ago this was probably fine because groups like Anonymous didn’t exist, probably because the internet wasn’t around in the form we know today. The fact that the law is now 21 years old, and that there has been no legitimate successor, is astonishing.

The most shocking thing is the potential sentence for those offenders in the UK. Here we have people that have maliciously attacked companies costing millions, and potentially billions, of lost revenue. So, what is the maximum sentence that can be given for these offences under CMA90? Well, the law states that the sentence has to be given by a magistrate’s court. This means a maximum sentence of two years imprisonment or a £5,000 fine. Yes, that’s all. The offence is considered so low that a jury isn’t even called.

I have not been able to find a single example of anyone ever having received the maximum sentence for any offence brought under CMA90.

Where’s the deterrent? These people are released, if the magistrates decide to even send them to prison, and typically walk into high-paying security jobs.

Technology moves so quickly and I understand the pressure on politicians to keep up with everything but these people are suspected of causing chaos, disruption and significant financial loss. The limits of this law need to be addressed now.

For more information about CDFS please visit http://www.cdfs.org

Also, if you’re wondering what Rob was talking about towards the end, here’s the video in question: http://www.youtube.com/watch?v=kA565OyOkLM

WARNING!

I can not be held responsible for your own personal well-being if you choose to watch this.

Whenever you click on a link in G+ you are redirected to a URL that looks like this:

http://www.google.com/url?sa=z&n=1309767169313&url=http%3A%2F%2Fdilbert.com%2Fstrips%2Fcomic%2F2009-10-04%2F&usg=EazZfazk8jxAKAEECZZ_4OneRqs.

You are then quickly redirected to the linked site.

Obviously you can see the original link URL (the Dilbert one) but you’ll also see a Unix time stamp in the URL “1309767169313″. This is the date and time (in GMT) that you clicked on the link, not the date and time that the link was posted. This is also saved in the history of your browser.

This could add value to forensic investigations. That is, until Google changes it.

UPDATE

The time stamp is generate server side. This means it is another way to detect BIOS clock changes. Suh-weet!

Listen to the first ladies of forensics discuss how they got into the field, as well as the challenges and perks of working in the field as a member of the fairer sex.

Sadly I forgot to put something in the episode about the LinkedIn Group. If you are a female forensicator please join the group “Women in Digital Forensics” http://www.linkedin.com/groups?home=&gid=3766181&trk=anet_ug_hm. I joined it and am now an honorary woman. Not sure how I feel about that particular moniker…

*The original file had a small problem that I have now fixed.