I have decided to create the Forensic 4cast Magazine. This will be a quarterly digital-only magazine that discusses various topics from the fields of digital forensics and incident response. The magazine will be completely free for anyone to read/download on several different platforms including iOS and Android. I also hope to make it a good mix of text and video, with a bit of interactivity thrown in.

My aim is to get the first issue published no later then June but, in order to meet that target, I’m going to need your help. Obviously I can not write all of the content for a magazine by myself so I’m asking for assistance from you. If you have something to say, I want to hear it. At this point I have not ruled out anything (except for the suggestion of  a “Lee” photoshopping section). I have a few suggestions but please feel free to add your own:

• Case Studies
• Research
• Events
• Book Reviews
• Software Reviews
• Hardware Reviews
• Interviews
• Interesting Artifacts
• Hints and Tips
• News

These are just a few of my own suggestions, but you are going to be reading this publication. You tell me what things you’d like to see.

If you’re interested in submitting an article, a calendar event, some news, a suggestion, or something else of interest please contact me at lee@forensic4cast.com. Please note that I’m happy to have either new submissions or maybe something that may have been published elsewhere. As long as you retain the copyright, I’m happy to consider it for the magazine.

Just to give you a taster of how the magazine will look I’ve included some demo screens:

Having said that, I recently rekindled my love affair with linux, well, Ubuntu. I was looking for a Windows solution to a specific problem only to find that I would have to spend a good sum of money in attempting to solve the issue. As I was researching a solution I found that linux was equipped to deal with the situation at no cost and a small learning curve. My only issue was that I didn’t want to repartition my hard drive. I kinda have things set up the way I like them.

Enter Wubi (http://www.ubuntu.com/download/ubuntu/windows-installer).

Wubi is short for “Windows Ubuntu Installer”. You download the software inside Windows and run the installer. There is no partitioning, and the installation is quick and painless. Now, when you reboot, you are presented with an option to boot Windows or Ubuntu. This is all handled by the Windows loader, not a single mention of grub anywhere.

Once loaded you are presented with a complete installation of Ubuntu. But where is it installed?

I booted back into Windows and did some digging. In the directory “C:\ubuntu\disks” I found two files. One of which was named “root.disk”. I decided to throw caution to the wind and throw the file into FTK Imager as an image file…

It worked!

Before me I saw the complete Ext3 file system for my Ubuntu installation. Outstanding, but also a little scary. Still a little something to watch for when conducting your next investigation.

There is also something similar for linux called “lubi”. But I’m not sure I could bring myself to use a product with that particular name.

Kristinn Gudjonsson

“Kristinn is long overdue for some public recognition for his log2timeline tool work. Log2timeline was a breakthrough for the digital forensics community and it made the creation of timelines quick and easy for all digital forensics examiners. Kristinn’s tool has made what was previously a very tedious manual process easy to create for examiners of all skill levels. His contribution to the community has been invaluable and should be recognized.”

“His contributions have been astounding.”

“Kristinn is a unsung hero in digital forensics. I mean… he can move half-way across the world without anyone knowing… Kristinn has unselfishly given so much to the digital forensic community. Log2timeline says it all!!”

Cindy Murphy

“I’m nominating Cindy Murphy because she’s always been consistently one of the brightest, most helpful and kindest members of the community, often going out of her way to help those who ask. This past year she completed her MSc, the culmination of which was a needed dissertation for investigators of child pornography; she has already been invited to present it both at conferences and in a noted textbook. In addition, Cindy teaches digital forensics part time, continues to contribute to the field of mobile device forensics, and is a Board member of the Consortium of Digital Forensics Specialists — all while continuing full time casework.”

“It’s about time you have a female forensicator nominated for this award! Detective Cindy Murphy from Madison, WI Police Department has over 13 years of experience in digital forensics. She has worked tirelessly over those years, not only full time on criminal case work, but also as an extremely active member of the digital forensics community. She has collaborated with NIST on various documetns and projects, shares policy, procedure, and go-by documents that she has developed with the community, she teaches Digital Forensics part time at MATC, presents her work and research at numerous conferences, serves on the boards of WACCI and CDFS, writes and reviews articles and white papers, contributes to podcasts and blogs, etc. She is a well known and respected figure in the DF community, and also just earned her Master’s in Forensic Computing & Cybercrime from University College in Dublin, Ireland. She’d be a great candidate for your Digital Forensic Examiner of the Year!”

“She made Lee go a bright shade of red at the DoD conference. Anyone who does that deserves an award” The person who wrote this has since been banned from nominating/voting

Corey Harrell

“Corey’s work over the past year, not only in exposing VSCs to the masses of examiners, but also in documenting exploit artifacts and the process he used to expose them, have been significant and valuable contributions.”

“He has contributed to the community greatly last year, and continues to add value.”

“His commitment to the field is fantastic. His blog is an excellent resource and he continues to produce exceptional work from his research.”

You can post your votes here: Forensic 4cast Awards

Computer Forensic Hardware Tool of the Year

• Tableau TD2
• BlackBag Macquisition
• Hardcopy 3P

Digital Forensic Article of the Year

• Digital Forensics SIFT’ing: Cheating Timelines with log2timeline – David Nides
• Brief overview of 4 NFATs – Erika Noerenberg
• Fragmentation of the digital forensics community – David Kovar

Phone Forensic Software Tool of the Year

• Cellebrite Physical Analyzer
• XRY
• Lantern Lite

Digital Forensic Podcast of the Year

• Cybercrime 101
• Cyberspeak
• Digital Detectives Podcast

Digital Forensic Book of the Year

• Digital Forensics With Open Source Tools – Cory Altheide & Harlan Carvey
• Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry – Harlan Carvey
• Malware Analyst’s Cookbook: Tools and techniques for Fighting Malicious Code – Michael Hale Ligh, Steven Adair, Blake Hartstein, & Matthew Richard

Computer Forensic Software Tool of the Year

• log2timeline
• Blackbag Blacklight
• Registry Decoder

Digital Forensic Blog of the Year

• A Fistful of Dongles – Eric Huber
• Girl, Unallocated – Melia Kelley
• Journey into Incident Response – Corey Harrel

Phone Forensic Hardware Tool of the Year

• Cellebrite UFED
• XRY
• MPE+ Field Tablet

Digital Forensic Organization of the Year

• Consortium of Digital Forensic Specialists
• Google Forensic and Incident Response Team
• Verizon Investigative Response

Digital Forensic Examiner of the Year

• Kristinn Gudjonsson
• Cindy Murphy
• Corey Harrell

You can cast your votes here: Forensic 4cast awards 

This week I had a dilemma. At work we have a license for Cellebrite Physical Analyzer (excellent software) but we needed to have the ability to obtain physical images of several iOS devices at several locations at once. We needed to act quickly and as cost-effectively as possible.

It was, at this point, that I was put on to Lantern Lite Imager.

You may be familiar with Lantern. It is used to analyze iOS devices and has a nice little feature that displays everything in a timeline. Very good software.

Lantern Lite Imager, unlike its older brother, is free software that uses the bootloader from the redsn0w jailbreak in order to obtain a full physical image of the iPhone 4 and earlier, and the original iPad. Not only does it obtain a full physical image but it also brute-forces any passcode on the device and decrypts the image.

There are only two negatives that I have discovered:

Even if you already know the passcode there is nowhere to enter it. The software MUST crack the passcode.

Speed. While the software can image the devices quickly it does not decrypt on-the-fly like Cellebrite does. This means that you have to wait for the image to acquire and then wait again for the image to decrypt.

Aside from that, the software is brilliant and I recommend it to anyone… as long as you have a Mac. If you don’t, why not?

Second, I’m now in the SANS mentoring program. This means that I’ll be teaching Forensics 408: Computer Forensic Investigations – Windows In-Depth on a weekly basis starting on Tuesday April 17. The classes will run from 6 – 8 pm each Tuesday for 10 weeks. The classes will be held at Digital Discovery’s offices at 8131 LJB Freeway.

Whether you are new to forensics or you are a seasoned veteran, this course has something to offer you.

What’s more, if you enter the code MGIAC12 when registering you will receive a free attempt at the GCFE exam.

Mentor classes somewhat different that the large classes taught at conferences as they are small groups where participation is strongly encouraged. It also means that everyone in the class has direct access to the mentor if they have questions or concerns.

You can find more information, and register for the class, here: http://www.sans.org/info/99971

If you’re interested in sending multiple employees you may be entitled to a discount. If that is the case please contact mentor@sans.org

If you live in the Dallas area and you’re looking for a great class please look into joining us.

Third, GO TEAM PODCAST! OK, it isn’t a great slogan but Ovie Carroll will be teaching the 408 class at SANS 2012 in Orlando Florida, March 25-30. The extremely cool thing is that I’m going to be his teaching assistant. Ovie is a great guy and his teaching style is very warm and friendly. If you want to take the class you can register here: https://www.sans.org/registration/register.php?conferenceid=24458

Once again, SANS has invited us back to present the awards at the 2012 Forensic Summit in Austin on June 26 and 27.

This year we have streamlined things a little and taken the total number of awards down to 10. We have also changed the names of most of the awards. We no proclaim the winner as “Best…” but rather “…of the year”.

Nominations will close on March 31 and voting will open the next day.

Thanks for your participation.

To the eventual nominees:

Please make every effort to get to the summit so that you can collect the award in person, should you win. The event, as a whole, is worth attending regardless. The speakers are fantastic and there is plenty of opportunity to learn and network.

It also guarantees that you’ll receive your award, as well as any other goodies that may come as part of winning.

It is quickly approaching the awards season. Yes the Oscars, the Grammies, the Golden Globes, and others will be held in the coming months but, most importantly, we will soon be accepting nominations for the Forensic 4cast Awards.

Once again SANS has been kind enough to host the event at the Forensic Summit (held at the Omni Hotel in Austin June 26-27 2012) and my new employer, Digital Discovery, is going to furnish the awards themselves.

For the last two years I have pretty much handled the event myself. This has made the awards ceremony… interesting at times. For this reason I’m asking for some volunteers to assist this year. If you’re going to be attending (and you should be) and you think you could help in any way please let me know via the “Contact Us” page.

I look forward to hearing from you.

Lee

I’m doing an imaging job in the Dallas area. The client wants me to image four servers, three of which are business critical and can’t be out of use between 6am and 7pm.

So, these servers are so old that they make Ken Pryor look like a teenager…

At first I tried using FTK Imager (portable version) but that ended up crashing one of the servers (yikes). Thankfully the crash was over night and it was back up in time for the start of the working day.

Next I tried DCFLDD. This worked for two of the servers (bearing in mind that I had to do this over USB 1.1). This was painstakingly slow but it worked. However, the other two servers were simply unable to cope with being imaged. They would continually lock up or lose connectivity to the USB drives.

I tried netcat. No dice.

I exhausted all of my practical possibilities.

Finally we all decided to take the servers offline tonight and tomorrow night. We were going to image a 2TB server with SATA drives (yes, they had both IDE and SATA in their servers, as well as SCSI). If a boot disc wasn’t going to work I was going to have to image SATA drives (simple enough) and SCSI drives (shoot me in the head) with a Tableau write-blocker. My SATA write-blocker has eSATA so that would go pretty quick, but my SCSI write-blocker is USB. So, a bunch of SCSI drives to image, one at a time mind you. Then would come the painstaking effort of reassembling the RAID in some software tool.

I could see what was going to happen. I was going to spend every evening from now until next week sitting in a cold server room imaging SCSI drives. I was going to cry.

Thankfully the lab is armed with a copy of F-Response – Consultant Edition.

After a little tinkering I was able to plug a laptop into the network and mount the drives from the problematic servers. Within a couple of hours the worst of the two servers was completely imaged and the largest of the servers was in progress.

Tonight I am sat at home in the company of my gorgeous wife wrapping presents for the kids instead of  sitting in front of a laptop watching a status bar crawl, very slowly, across the screen.

Thanks F-Response.