Forensic Focus [ August ]

My main study base for computer forensics. I will not cite the sources, because the authors, websites etc. are already found in the body of the text itself! (:

Happy hacking! 

Welcome to the latest edition of the Forensic Focus newsletter, please consider forwarding to anyone interested in computer forensics. A link from your website or blog to is always appreciated and articles submitted for publication are encouraged.

In this issue:
1. News roundup
2. Computer Analysts and Experts – Making the Most of GPS Evidence
3. Generating Computer Forensic Supertimelines Under Linux: A Comprehensive Guide For Windows-Based Disk Images
4. Will Digital Forensics Crack SSD’s?
5. Evernote from a Forensic Investigation Perspective
6. This month in the Forensic Focus forums
7. Job vacancies
8. Useful resources
9. Submitting an article to Forensic Focus


Meet Magnet Forensics (formerly JADsoftware)
The company behind Internet Evidence Finder (IEF) has a brand new name!
Why? Because Magnet Forensics better explains what we do;
help our customers get to key Internet evidence as quickly and easily
as possible, so they can build the best cases.

Watch a video from our founder and CTO, Jad Saliba:
New name. Same trusted product.
Try IEF FREE for 14 days:

1. News roundup
A selection of digital forensics news items hitting the headlines this month

Take a first look at Windows 8 forensics in a webinar presented by Josh Brunty, Assistant Professor of Digital Forensics at Marshall University. Learn about the changes in Windows 8 which forensic examiners should be aware of before this new OS is released to the public in October... (discussion at

Oxygen Software has updated Oxygen Forensic Suite 2012, the company’s flagship mobile forensic tool, adding forensic support for more Chinese-manufactured mobile phones based on Windows Mobile and the Mediatek (MTK) chipset, including fake Nokla C9i dual SIM replicas. By adding nearly models to the list of supported phones, Oxygen boosts the number of supported devices to 5,800...

JADsoftware, the company behind the industry-leading digital forensics product Internet Evidence Finder (IEF), announced on Monday that they have re-launched the company under a new name - Magnet Forensics Inc. “A lot has changed since I launched JADsoftware and first developed IEF while working as a police officer and forensic examiner,” said Jad Saliba, Founder and Chief Technology officer of Magnet Forensics. “After a couple years juggling both jobs, I realized that IEF had tremendous potential to help forensics professionals perform better investigations, so I decided to dedicate myself to developing the software full-time,” Saliba explained...

Edinburgh Napier University is launching a new part-time MSc in Advanced Security and Cybercrime. Aimed at professionals already working in computer security, the master’s course will arm students with the skills to combat a wide range of threats including phishing scams, online financial and identity theft, as well as virus and network intrusions. The new MSc is suited to developing skills in cybercrime, forensics and computer security, while allowing a student to continue in full-time employment...

Monday's Technology Review carries a glowing tribute to Apple iPhone security by its author, Simson Garfinkel, a contributing editor who works in computer forensics and is highly regarded as a leader in digital forensics. He says Apple has passed a threshold: “Today the Apple iPhone 4S and iPad 3 are trustworthy mobile computing systems that can be used for mobile payments, e-commerce, and the delivery of high-quality paid programming,” thanks to Apple’s heavy investment in iPhone security. That is where “threshold” comes in: Apple has crossed it. Even law enforcement cannot perform forensic examinations of Apple devices seized from criminals, he said...

As forensic examiners, some of the last things we want to hear are "encryption" and "enabled" in the same sentence, however that's what has been happening with the current line of Android devices. Starting with Android 3.0, devices have been shipping with the ability for the user to enable full device encryption. Fortunately for the forensic community, there are individuals steadfast in finding a way to break that encryption - and they have already proven how to do so. Two such researchers - Thomas Cannon and Seyton Bradford - have demonstrated successful brute force attacks against Android encryption. Thomas detailed their findings at DEF CON 2012 in his presentation "Into the Droid - Gaining Access to User Data"...

Bright Forensics, the UK based company best known for Live Forensics Courses (delivered by Nick Furneaux), is delighted to announce a new partnership with BlackBag Technologies of San Jose, CA. Bright will carry the full range of Mac Forensics solutions including Blacklight and MacQuisition, but we are particularly excited to announce the first UK based BlackBag Training courses that until now have only been available outside of the UK. The first course is scheduled for November 2012 in London...

ATC-NY's new forensics tool - Mem Marshal™ 1.0 - is a user-friendly, automated memory analysis system that assists and automates computer forensic investigations of volatile memory (RAM) images. Mem Marshal enables computer forensic investigators to analyze and effectively make use of information contained in volatile memory. Memory analysis produces important, case-relevant data for investigators that cannot be obtained from disk analysis, such as running applications, open files, and active network connections...

Computer forensic analysts worldwide use the Internet Evidence Finder tool to find Internet-related evidence on computers. In today’s digital world, we sometimes forget that the things we type online are never truly erased. And even though this information is buried deep inside a computer, the Internet Evidence Finder tool (IEF) can likely find it and help law enforcement turn Internet communication into evidence. IEF is a digital forensics software program that can search hard drives, random access memory (RAM) or other types of files for Internet-related evidence on computers...

According to a new market report published by Transparency Market Research "eDiscovery (Software and Service) Market - Global Scenario, Trends, Industry Analysis, Size, Share and Forecast, 2010 - 2017," the global e-discovery market was worth USD 3.6 billion in 2010 and is expected to reach USD 9.9 billion in 2017, growing at a CAGR of 15.4% from 2010 to 2017. In the overall global market, the U.S. is expected to maintain its lead position in terms of revenue with 73% of global e-discovery market share in 2017...

Want to say something about the news above? Please use the comments system on each item's news page.
Coming soon! Image Faster with USB 3.0
The NEW Tableau T35u USB3 Forensic IDE/SATA Bridge supports
write-blocked forensic acquisitions of both SATA and IDE
storage devices thru a Super Speed USB 3.0 host connection.
The T35u offers the ease of use, reliability, and imaging
speeds necessary to acquire today's larger and faster
hard-disk drives - in both lab and field environments.

2. Computer Analysts and Experts – Making the Most of GPS Evidence

by Professor David Last

The many companies that sell software for computer forensics have developed products for analysing satellite navigators. Police high tech crime units and independent laboratories now use this software on an industrial scale. Computer technicians conduct the analyses. This is home territory for them, since the biggest component of a vehicle satellite navigator is a computer, often running the Linux operating system, and with access via a USB connection or an SD card. The analysis software extracts addresses which it plots using tools such as Google Maps. Specialists extract similar data from satnavs built into vehicles.

But many investigating officers find the results disappointing: “it’s just a list of addresses!” Unlike CCTV, ANPR and witness evidence, there are rarely times or dates to fit into a chronology. And anyway, the addresses are simply destinations for planning routes. The defence will point out that no-one can say who entered them, or at what time on what date, or whether a route was planned to them, or whether the satnav ever went there, let alone in a specific vehicle driven by their client!

Another problem is that the investigating officer may simply not be able to understand the data provided. What are all these addresses? Were they recorded by the device itself or input by a user? Was that inputting an intentional action? The sense of frustration is enhanced by the quality of reports generated by much commercial software. The best packages provide at least some explanation of the data they contain, the worst none at all. The technicians who conduct the analyses often have neither the time nor the training to help. This leaves the officer with the prospect of presenting and defending poorly understood data in court. Some just give up!

But the addresses may at least have intelligence value...




3. Generating Computer Forensic Supertimelines Under Linux: A Comprehensive Guide For Windows-Based Disk Images

by Richard Carbone

When the authors first published this paper, their intentions were to develop a comprehensive guide to digital forensic timelines in order to consolidate the many fragmented sources of information concerning this topic.  What they discovered, however, was that quality references were often challenging to find among various books, papers, periodicals, filesystem specifications and source code.

While conducting their research, they found that practical tool-based solutions existed for generating digital forensic timelines, though they each had specific limitations.  Thus, efforts were undertaken by the authors to provide an alternative timeline generation framework.  Although some in the community had already proposed the use and generation of supertimelines, all too often important data sources were being left out.  In order to rectify this, it became necessary to couple additional tools in order to provide maximum evidentiary extraction.

Even though the leading date/time extraction tools, The Sleuth Kit (TSK) and Log2timeline (with its timescanner), are excellent in their own right, they require each other in order to create supertimelines. Whereas Log2timeline’s timescanner provides automated disk image processing capabilities, it nonetheless has certain difficulties handling specific supported file formats. As such, the authors’ proposed framework combines the best features of TSK, Log2timeline (while avoiding timescanner), additional date/time extraction software and shell scripting to deliver an improved supertimeline generation framework. The proposed framework is largely automated once the correct parameters have been provided to the script. Though it does not support all the same datasets as Log2timeline, this prototype can be readily augmented to provide the same dataset functionality as Log2timeline. The proposed prototype, although specifically written for handling Windows-based disk images, could be readily modified to support various other filesystem formats...
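As an added example (not code from the paper or its authors), the POSIX shell script below shows the merge step such a framework performs: it combines a TSK bodyfile, as produced by `fls -m`, with a log2timeline l2t_csv export into one supertimeline ordered by epoch time. Both inputs are constructed inline; the l2t_csv timezone column is assumed to be UTC and no field is assumed to contain a comma.

```shell
#!/bin/sh
# Added example, not code from the paper: merge a TSK bodyfile (the output of
# `fls -m`) with a log2timeline l2t_csv export into one supertimeline sorted
# by epoch time. Output columns: epoch, MACB flags, source, path.

# Constructed bodyfile (TSK 3.x format):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODYFILE='0|C:/Windows/Prefetch/CMD.EXE-4A81B364.pf|12345|r/rrwxrwxrwx|0|0|4096|1345000000|1344990000|1344990000|1344980000
0|C:/Users/alice/NTUSER.DAT|6789|r/rrwxrwxrwx|0|0|262144|1345100000|1345100000|1345100000|1344000000'

# Constructed l2t_csv export (17 columns, header as log2timeline writes it).
# Assumes the timezone column is UTC and that no field contains a comma.
L2TCSV='date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
08/15/2012,10:13:20,UTC,M...,EVT,Event Log,Event Logged,-,WORKSTATION,EventID 4624,An account was successfully logged on,2,C:/Windows/System32/winevt/Logs/Security.evtx,-,-,evtx,-
08/16/2012,14:00:00,UTC,.A..,LNK,Shortcut,Last Access,alice,WORKSTATION,report.docx,[Empty description],2,C:/Users/alice/Recent/report.docx.lnk,-,-,lnk,-'

# Expand each bodyfile row into one event per distinct timestamp, setting the
# M/A/C/B letters that share that timestamp (the grouping mactime performs).
body_events() {
  printf '%s\n' "$BODYFILE" | awk -F'|' '{
    split("", fl); ts[1] = $9; ts[2] = $8; ts[3] = $10; ts[4] = $11
    for (i = 1; i <= 4; i++) {
      if (!(ts[i] in fl)) fl[ts[i]] = "...."
      fl[ts[i]] = substr(fl[ts[i]], 1, i - 1) substr("MACB", i, 1) substr(fl[ts[i]], i + 1)
    }
    for (t in fl) if (t + 0 > 0) printf "%s\t%s\tFILE\t%s\n", t, fl[t], $2
  }'
}

# Convert l2t_csv date/time (MM/DD/YYYY HH:MM:SS) to epoch seconds inside awk,
# so the script does not depend on GNU or BSD `date` flags.
l2t_events() {
  printf '%s\n' "$L2TCSV" | awk -F',' '
    function epoch(y, m, d, H, M, S,   a, yy, mm, jdn) {
      a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
      jdn = d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
      return (jdn - 2440588) * 86400 + H * 3600 + M * 60 + S   # 2440588 = JDN of 1970-01-01
    }
    $1 != "date" {
      split($1, d, "/"); split($2, t, ":")
      printf "%d\t%s\t%s\t%s\n", epoch(d[3], d[1], d[2], t[1], t[2], t[3]), $4, $5, $13
    }'
}

# The supertimeline: both sources merged and ordered by time.
supertimeline() {
  { body_events; l2t_events; } | sort -n -k1,1
}

supertimeline
```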



A wide selection of computer forensics books
available from Amazon in the US and UK:

4. Will Digital Forensics Crack SSD’s?

by Mike Sheward

Digital forensics is one of the most interesting and exciting fields of information security that you can ever be fortunate enough to work in, but not for the reasons you might expect. To those who have never been involved in an investigation, sorry to disappoint, it’s nothing like the movies or TV. There are no magical programs that can unravel the world’s strongest encryption algorithms without the need for a key, right before your eyes. Sure, there are some that will have a good go, and often be successful, but they usually require a good dollop of time and as many hints from the investigator as possible. There are, however, a multitude of processes and procedures that you must follow to ensure digital evidence is handled and processed correctly, before it can even be considered digital evidence at all. Then there’s documentation, which is usually followed by additional documentation.

Now this may sound neither interesting nor exciting, but it is, trust me. Personally, I find that the excitement comes from the significant number of challenges that you face during an investigation. One such challenge is making sure you are doing everything you can to look for evidence, while sticking to forensically sound procedures. A good example of this is when you are asked to acquire volatile evidence. You know that you are breaking the golden rule of digital forensics by interacting directly with live evidence rather than a duplicate, but you have to, otherwise additional evidence could slip away and be lost forever.

New and evolving technologies also create new challenges for the investigator. Working with a new file system or even just a new type of file can require a change in approach or the development of a new technique. While these changes may require slight alterations to well defined procedures, it is extremely rare to have to deal with a technology that is a complete “game changer”.

The digital forensic community is currently facing one of these rare situations – the rapidly increasing popularity of solid state hard drives (SSD’s)...



Make a real contribution to the computer forensics community by writing
an article or submitting a paper for the Forensic Focus site and newsletter...

5. Evernote from a Forensic Investigation Perspective

by Stuart Clarke

Recently we have been looking at Evernote from a forensic investigation perspective; as we feel it is a great product which will grow in popularity, we wanted to share some initial findings.

While at the 2012 CEIC conference I had a discussion with Chris Dale from the e-Disclosure Information Project about how social media and cloud computing impacts on e-Disclosure and Evernote featured in our conversation.

I will not delve into detail about what Evernote is capable of; there is a lot of material on the web, which will do a much better job on explaining the product than I.

In short, Evernote is a very clever way of taking notes electronically, which runs on a wide range of operating systems including Windows, Mac, iDevices (iPhone/iPad), Android, Blackberry and Chrome OS. Evernote is also free, however there is a premium version for users who need more storage than the free 60 MB per month offered. Evernote can be run as an application on many different devices, but users with internet connectivity can also take advantage of the sync functionality provided by the Evernote web service. This is the real power of Evernote: a master copy of your data is stored in the cloud on an Evernote server and this data is synchronized with all of your devices running Evernote.

The bulk of my research and the content of this post relate to Evernote running on a Mac and an iPhone device, however I expect consistency between different devices. Evernote requires users to have an account, and both the account username and associated email address are stored on the device. After registering, Evernote will also generate a unique Evernote email address for you and advise you of this. This automatically generated email address contains your username. Its purpose is so you can email notes to Evernote and they are added to your account automatically...



Specialising in digital forensics and eDiscovery, we serve
over 100,000 pages to 40,000 unique visitors each month.
Learn more about our advertising opportunities at

or purchase ads directly at


6. This month in the Forensic Focus forums

A selection of recent topics in the Forensic Focus forums

Data recovery from bitlocker encrypted drive

HELP: Android Forensics Indepth Analysis

Registry timestamps manipulation

Extremely low imaging transfer

iPhone 4S email extraction question

Nokia N95 deleted SMS recovery

Update FTK 3.1

SIFT Workstation 2.13 / ddrescue

Forensic image capturing to RAID 1 (mirrored) hard disks

Hash missing from E0X evidence files

Do you run a computer forensics or security website/blog?
Exchange links with Forensic Focus today


7. Job vacancies

A selection of vacancies posted to the Job Vacancies forum this month, a full listing can be found at

Digital Forensics Examiner - Pacific Northwest USA

Digital Forensic Manager, London, £50k - £60k

Analista informático forense (Barcelona - Spain)

Senior Digital Forensics Examiner Opening - Washington, DC

eDiscovery/CF Technician, Zurich £40K to £50K



8. Useful resources

A monthly guide to the best computer forensics resources on the web

Articles and Blogs

Mailing lists (Forensics list)



Resource directories (software)


Please contact us through with suggestions for (non-commercial) additions to this section.

9. Submitting an article to Forensic Focus

If you would like to write an article for either the Forensic Focus newsletter or website please send a short proposal through for review, thank you.
Until next month!

Kind regards,

Jamie Morris
Forensic Focus
LinkedIn group:
Reviewed by Kembolle Amilkar on Thursday, November 22, 2012
