My Road to Digital Forensics Excellence

CEIC Day 2 – The Lectures

Posted by Paul Bobby on May 19, 2009

Overcoming the Trojan Virus Defense

“A Trojan virus downloaded those files without my client’s knowledge or approval”. This session will discuss some of the aspects of this defense … techniques to combat these claims.

In the corporate world of investigations, this particular defense does not come up often – in fact the employee almost always confesses. One time ‘it came up’, and the approach I took essentially mirrored that which was presented today. From that investigation onwards I have always conducted a malware analysis of the machine under exam, to provide the investigator (HR, Ethics) with proactive knowledge in the event the employee attempts to use this defense.
The best comment made during this session was by one member of the audience, paraphrased: “If the malware defense is likely, do your best to prove it. If you cannot prove it, then the only thing left must be deliberate action on the part of the end user”. Kind of like a forensics Occam’s Razor.
Cool, Custom, Out of the Ordinary Uses of EnCase
No session description in the official program, sounds like a filler to me. There is a similar session entitled EnCase Tips and Tricks, but I decided against this – I’ve plenty of tricks to share myself. And besides, cool uses of EnCase sounds … well, cool.
This session was, unfortunately, epic fail. To me, using EnCase in an out of the ordinary way would be to use it to discover plagiarism, solving world hunger or keeping track of my iTunes collection across my home network. Instead, the session became a tips and tricks class. We discussed VFS, PDE, software write blocking, snapshot to DB functionality, conditions, and the all-time favorite, The File Mounter EnScript. I tell ya, that thing is going to be on Howie’s gravestone.
Still, I learnt a couple of cool tricks I hadn’t known about. For example, you can Bookmark conditions so that you don’t have to recreate them (they can be ‘run’ from the bookmarks display also). Secondly, reconstructing the contents of a web page in Records is now improved in that EnCase attempts to find the necessary graphics within the parsed cache. Furthermore the Doc view can be highlighted and then bookmarked as an Image, retaining those highlights. Nice.
Building a Mega-eDiscovery Infrastructure

Take an up close look at a company’s quest for eDiscovery and capacity plan for 55,000 employees.

Interesting discussion on how Liberty Mutual addressed their eDiscovery needs by choosing the Guidance Software product, and how their unique network configuration was dealt with. It appears that they use Guidance against the workstation population, but for servers and other devices with enormous $MFT files that need to be pre-parsed, they handle it differently. Robocopy was mentioned as the tool used to connect to a UNC and make a local copy of data prior to applying the eDiscovery product.
One thing I learnt (since my eDiscovery involvement is purely academic at this point) is that non-searchable data, such as PDF and TIFF are handled through OCR. The searches are then conducted against the OCR data.
Digital Forensics – Vista SP1 & Windows 2008

… evidentiary items either unique to Vista and Windows 2008, or much changed from previous versions of Windows

Pretty good round-up of all the artifacts you expect to find when conducting a review of a Vista SP1 system or a Windows Server 2008 system. According to the presenter, both are equivalent in that they are running ‘the same engine’.
Learnt something about BitLocker. If BitLocker is disabled, the drive is not decrypted, but the key to the volume is written to the hard drive ‘in the clear’. Therefore if you put this drive in another Vista system, you can see the contents of the drive just fine. Wow. By the way, the $MFTMirr data run points to the cluster containing this key (whether in the clear or not).
Something else, LNK files and NTFS reparse points (symbolic links, hard links and junctions) are different in that the former is considered a shell extension to explorer.exe and the latter is a feature of the filesystem.
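As an added illustration of that distinction (example code, not from the original post), the function below classifies a path by asking the filesystem for the reparse-point attribute first, and only then checks whether a regular file carries the ShellLink header that explorer.exe understands. It assumes Windows PowerShell 5.1 or later (for the LinkType property and New-Item -ItemType Junction); the demonstration data in the temp directory is constructed.

```powershell
# Classify a path: NTFS reparse point (filesystem feature), shell shortcut (.lnk
# file content interpreted by explorer.exe), or plain file.
function Get-LinkKind {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    # Reparse points live in the MFT record as an attribute; LinkType names the flavour.
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        return "ReparsePoint:$($item.LinkType)"   # e.g. Junction, SymbolicLink
    }
    # A .lnk is an ordinary file whose first 20 bytes are HeaderSize 0x4C (LE) followed by
    # the ShellLink CLSID 00021401-0000-0000-C000-000000000046. Check content, not extension.
    $expected = [byte[]](0x4C,0,0,0, 0x01,0x14,0x02,0x00,0,0,0,0, 0xC0,0,0,0,0,0,0,0x46)
    if (-not $item.PSIsContainer -and $item.Length -ge 20) {
        $fs = [IO.File]::OpenRead($item.FullName)
        try { $hdr = New-Object byte[] 20; [void]$fs.Read($hdr, 0, 20) } finally { $fs.Close() }
        if ([BitConverter]::ToString($hdr) -eq [BitConverter]::ToString($expected)) {
            return 'ShellLink'
        }
    }
    return 'Plain'
}

# Constructed demonstration: a junction, a minimal fake .lnk header, and a plain text file.
$root = Join-Path $env:TEMP ("linkdemo_" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null
$target = New-Item -ItemType Directory -Path (Join-Path $root 'target')
New-Item -ItemType Junction -Path (Join-Path $root 'jn') -Value $target.FullName | Out-Null
[IO.File]::WriteAllBytes((Join-Path $root 'fake.lnk'),
    [byte[]](0x4C,0,0,0, 0x01,0x14,0x02,0x00,0,0,0,0, 0xC0,0,0,0,0,0,0,0x46))
Set-Content -Path (Join-Path $root 'plain.txt') -Value 'hello'

foreach ($p in 'jn','fake.lnk','plain.txt') {
    '{0,-10} {1}' -f $p, (Get-LinkKind (Join-Path $root $p))
}
Remove-Item -LiteralPath $root -Recurse -Force
```

Expected output is jn as ReparsePoint:Junction, fake.lnk as ShellLink and plain.txt as Plain; renaming plain.txt to plain.lnk would still report Plain, which is the point of checking the header.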
Finally, the pagefile can be encrypted – though not enabled by default. The key is auto-generated at powerup, and lost at shutdown. Therefore the pagefile becomes an encrypted blob using a one-time password. Interesting.
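Both states described above are worth recording on a live box before pulling the plug. The following is an added example (not from the post or from Guidance) that reports volumes still encrypted but with protection suspended, and whether the pagefile-encryption behaviour is on. It assumes an elevated prompt and the BitLocker PowerShell module (Windows 8 / Server 2012 and later); the fsutil EncryptPagingFile query itself exists from Vista on.

```powershell
# Report each BitLocker volume's state. A volume that is FullyEncrypted with
# ProtectionStatus Off is the "disabled" state from the post: the volume key is
# stored on disk unprotected, so the data reads cleanly when mounted elsewhere.
function Get-VolumeProtectionState {
    $results = @()
    foreach ($v in Get-BitLockerVolume) {
        $state = if ($v.VolumeStatus -eq 'FullyDecrypted') { 'NotEncrypted' }
                 elseif ($v.ProtectionStatus -eq 'Off')     { 'EncryptedButSuspended (clear key on disk)' }
                 else                                        { 'Protected' }
        $results += [pscustomobject]@{
            Volume       = $v.MountPoint
            VolumeStatus = $v.VolumeStatus
            State        = $state
            Protectors   = ($v.KeyProtector | ForEach-Object KeyProtectorType) -join ','
        }
    }
    return $results
}

# True when the NTFS pagefile-encryption behaviour is set. Because the key is
# generated per boot, only the running session (or a memory image) can yield the
# pagefile contents; an offline copy is an opaque blob.
function Get-PagefileEncryption {
    $out = (& fsutil behavior query EncryptPagingFile) -join ' '   # e.g. "EncryptPagingFile = 1"
    if ($out -match 'EncryptPagingFile\s*=\s*(\d)') { return ([int]$Matches[1] -eq 1) }
    throw "Unexpected fsutil output: $out"
}

Get-VolumeProtectionState | Format-Table -AutoSize
"Pagefile encryption enabled: $(Get-PagefileEncryption)"
```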
Unfortunately this presentation was also ‘not as intended’, and the lab not set up correctly. This is the third one for me that suffered clerical cockups. Can’t people get things together?
The saddest thing about this session was when the audience were asked the question “who has done an investigation of a Vista system”. I think 2 people raised their hands. Just goes to show – XP really is the OS of choice still.
Oh by the way, Leonard Nimoy rocked.


One Response to “CEIC Day 2 – The Lectures”

  1. H. Carvey said

    Interesting comments. I’ve stopped even trying to go to a number of conferences, largely due to seeing too many times what you saw with respect to the less positive comments.
