Forensic 4cast Awards – Open to All

June 18, 2010 by  
Filed under News

This is an important update on the Forensic 4cast Awards.

SANS have announced that both the Forensic Challenge Awards and the Forensic 4Cast Awards will be open to anyone that wishes to attend. This will be the case whether or not you are a delegate for the summit.

This is superb news and I’d like to say a huge thank you to SANS for making this possible. If you’re going to be in the DC area on July 8 2010 please make sure to stop by and attend the awards. If you can’t be in DC for the awards, I would first ask “WHY NOT?” but then I’d console you and tell you not to worry too much as SANS are also pushing the awards out by simulcast. We’ll have the link for you closer to the time but that is awesome. This means that you have no excuse to not attend in some capacity.

I’ve also been informed of the possibility of food (this is yet to be confirmed though). Even if the entertainment of the awards doesn’t entice you to come the food should!

This should be an exceptional event as all kinds of people will be there, from Rob Lee, to Harlan Carvey, to Mark McKinnon. It’s your chance to meet these pillars of our community and to commiserate with them when someone else wins their awards ;)

The times for the awards are:

  • 6:30 PM Forensic Challenge Awards
  • 7:30 PM Forensic 4Cast Awards

The events will be held at:

Fairmont Washington DC
2401 M Street, NW
Washington, DC 20037

Now, on to the next item of business… anyone out there willing to perform a song or two for the awards? ;)

Forensic 4cast Awards 2010 – Voting is Open

June 16, 2010 by  
Filed under News

The nominations have been taken and counted and now we have narrowed down the fields to just a few for voting. You will notice that the ‘Blog Article’ entry has not made the cut. This is because so many people nominated different articles that no two nominations were the same. I know this is the risk of running nominations and I may change the format next year.

You will also notice that the categories will have two, three, or four nominees. This is because the nominations were so close. We didn’t want to pick and choose so we’ve just left it all up to you.

Finally, we’ve decided to take the ‘Lifetime Achievement’ award off. We will still be presenting an award for this but it will be at the discretion of Forensic 4cast. This is likely to be the case for this category from now on.

Anyway, as before we’ve asked that you give your name and email address just so that we can stop people from spamming.

Voting will close on July 6 2010. That’s only three weeks so get voting!

Lessons from Data Recovery – Part 1 (Repost)

May 7, 2010 by  
Filed under Technical Articles

I originally posted this entry over on the Disklabs computer forensic forum (http://www.computer-forensics.co.uk/computer-forensics-forums/forum.php) but also thought a lot of people would benefit from it being repeated here too.

I’ve been working at Disklabs for a few weeks now. I’ve mostly been confined to the digital forensics lab but I’ve been able to poke my head out from time to time and see what the data recovery department are up to. I’m happy for this opportunity as it has taught me some interesting things that are useful for computer forensics, and some things that are potentially dangerous.

Over the next few weeks I’ll be posting articles about how data recovery has the potential to impact computer forensics in ways that few have thought possible.

A scenario occurred recently in which an employee left a company on less than gracious terms. The next day the employee’s former colleagues showed up for work and realised that the file server was inoperable. Upon closer inspection they found that all of the server’s drives were blank. Forensic analysis was conducted and nothing was found. If the drive had been wiped, it had been done with undetectable software. The forensic investigator, and the tools at his disposal, had failed to provide an adequate answer.

What would you do in a situation like this? I imagine that my report would be very sparse and contain very little information at all. You could look at wiping software artefacts, such as the sequence of bytes used, in order to determine if this individual had maliciously wiped the data from the drive but, failing this, what other avenues of investigation could be followed?

One of the first things I learned after starting at Disklabs was that each hard drive contains certain information that is not stored on the platters, but on the system area of the drive. The two items that I found to be of most interest are the number of times the drive has been powered on and the number of hours that the drive has been active. This may not seem like a huge finding but the implications are awesome.

Going back to our scenario, the hard disk drives were turned over to a data recovery expert who was able to unequivocally state that the drive had only been powered on a handful of times and had only been in operation for a few hours. What does this mean in terms of this investigation? We can draw one of two conclusions: either the drives had been replaced as a result of drive failure or they were replaced as a deliberate act intended to deceive. As it turns out, the IT department of this company stated that the original drives should still be in operation inside the file server and that the information provided by the data recovery expert contradicted their own opinions.

The original drives were recovered from the former employee’s home a few days later.

My short time at Disklabs has proven to me that we need to educate ourselves on these matters. How can we offer opinion or facts in our reports if we haven’t covered every possibility?
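The check from the scenario above, as an added example that is not part of the original post: it assumes the drive exposes the two counters as SMART attributes 9 (Power_On_Hours) and 12 (Power_Cycle_Count) in `smartctl -A` output from smartmontools. The sample output, the dates and the `min_duty` threshold are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample of `smartctl -A` output for a drive pulled from the server.
SAMPLE_SMARTCTL = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       7h+12m+03.000s
 12 Power_Cycle_Count       0x0032   100   100   020    Old_age   Always       -       4
194 Temperature_Celsius     0x0022   031   045   000    Old_age   Always       -       31 (0 18 0 0 0)
"""

def parse_attributes(text):
    """Return {attribute_id: raw_value_string} from smartctl -A table rows."""
    attrs = {}
    for line in text.splitlines():
        # RAW_VALUE is the 10th column and may itself contain spaces.
        fields = line.split(None, 9)
        if len(fields) == 10 and fields[0].isdigit():
            attrs[int(fields[0])] = fields[9].strip()
    return attrs

def raw_to_int(raw):
    """Leading integer of a raw value: '7h+12m+03.000s' -> 7, '31 (0 18 ...)' -> 31."""
    m = re.match(r"\d+", raw)
    if not m:
        raise ValueError(f"unparseable raw value: {raw!r}")
    return int(m.group())

def assess_drive(text, in_service_since, examined_at, min_duty=0.5):
    """Compare recorded power-on hours with the hours the drive should have run.

    min_duty is a hypothetical threshold: the fraction of elapsed time a
    file-server drive is assumed to have been powered. Some drives count
    attribute 9 in units other than hours, so confirm the unit per model.
    """
    attrs = parse_attributes(text)
    hours = raw_to_int(attrs[9])     # SMART attribute 9: Power_On_Hours
    cycles = raw_to_int(attrs[12])   # SMART attribute 12: Power_Cycle_Count
    elapsed = (examined_at - in_service_since).total_seconds() / 3600
    return {
        "power_on_hours": hours,
        "power_cycles": cycles,
        "elapsed_hours": round(elapsed),
        "inconsistent": hours < elapsed * min_duty,
    }

if __name__ == "__main__":
    print(assess_drive(SAMPLE_SMARTCTL, datetime(2008, 1, 1), datetime(2010, 5, 1)))
```

An `inconsistent` result only says the drive is younger than the service history claims; as in the scenario, it still has to be reconciled with the IT department's replacement records.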

Episode 28 – Xerox This!

May 3, 2010 by  
Filed under Podcast Episodes

This week we’re joined by Eric Huber (@ericjhuber) from ‘A Fistful of Dongles‘, Tom Yarrish (@CDTDelta), and Martin Fisher (@armorguy) from the ‘Southern Fried Security‘ podcast.

In this episode we discuss the Gizmodo/Apple situation, the death of privacy, forensicating photocopiers, more on schools spying on students, and a potentially dangerous exploit that could put digital forensic investigations at risk.

Facebook Video

June 4, 2008 by  
Filed under Podcast Episodes

I know we’ve only done two episodes so a phrase such as “a break from the norm” doesn’t seem to apply.

Simon has been quite busy this week so we’ve not had time to do a full podcast yet, but we’ll do one before the week is out and have it up here by the start of next week. This is why I need more volunteers for being on the show, the more the merrier.

I’m on training next week so please bear with us, things will return to ‘normal’ soon.

Also, thanks to Ovie and Bret at Cyberspeak for ‘not’ plugging us.

This video is best viewed as part of the podcast in iTunes – remember to set the ‘View’ to ‘Actual Size’.