Thunderbolt Ripe for Forensics

USB3 is a nice-to-have option for portable forensics as it is becoming more mainstream in external hard drives. With a raw performance of 4 Gbps (more like 3 Gbps after overhead, and I’m not counting the “SuperSpeed” 5 Gbps implementation), it’s a nice alternative to eSATA as it’s included on more and more laptops that still don’t have eSATA. There have been some awesome USB3 devices demoed recently, like the new Patriot Supersonic Magnum. I personally can’t wait to have 128 GB of storage that drops 200 MB/s speeds in my pocket (there’s probably a good joke in that statement somewhere).

I’ve been very pleased with eSATA in my lab for the past couple years, and I’m not ready to make any changes just yet, but boy did Thunderbolt (née Light Peak) take me by surprise. I’m quite certain I read something last year about Light Peak, but I didn’t get the impression it was going to show up this soon. I’m sure Apple fanboys are very excited about the thought of this being present on new MacBook Pros, because it out-specs any other removable storage tech for laptops out there. I’m excited that other vendors will be forced to pick it up now that Apple has implemented it (not that I don’t like Apple products, but they’re generally not my first choice due to various limitations). The designers of Thunderbolt plan for the bandwidth to reach 100 Gbps in the next ten years. Of note, the latest spec of DisplayPort is already humming at 17 Gbps, but DisplayPort is solely used for video; Thunderbolt will be extremely versatile in its uses. If you work in forensics and you’re not gushingly excited by faster transfer rates for external storage, I might have to ship you a defibrillator.

Corporate E-Discovery Forum on Social Media

A few weeks ago I had a unique opportunity to attend the Corporate E-Discovery Forum’s (CEDF) New York Forum. The CEDF is a non-profit organization that hosts and guides gatherings for its members, consisting of over 200 corporations and 400 individual participants, to encourage collaboration on E-Discovery issues. The forums give members the opportunity to discuss document retention policies and enterprise content management practices, litigation holds, preservation, collection, processing of electronically-stored information, cost and risk management, best practices to avoid spoliation and sanctions, and understanding plaintiffs’ strategies. Although vendors participate in the forums, they contribute equally with other members based on their experience (no sales pitches allowed).

Although there was a large turnout, I was pleasantly surprised at the level of interaction achieved in the sessions. Board members Nicholas Bunin, Jeri Head, and Patrick Gibson did a great job introducing sessions and spurring conversation. The board places great emphasis on active communication as opposed to having a single presenter talking at the crowd.

This recent forum was all about social media – Facebook, LinkedIn, Twitter – in corporate environments. Social media has obviously been around for quite some time, but in the corporate environment, policy makers are just getting comfortable with its use for business purposes. As a user, my first instinct is to question why this causes a problem; as a corporate investigator, I can tell you that social media can cause significant problems in the workplace and creates a whole new medium in which violations can occur. There are myriad new legal guidelines emerging around how corporations should regulate these tools in light of the current legal landscape. Regulatory agencies have also recently had their say on the diligent monitoring that must occur in the financial industry in relation to social media.

The forum had four main sessions during the day: Social Media and Reducing Risk, Practical Guide for Corporations to the Identification, Collection and Production of Social Media, Social Media Policy, and Social Media Dialog with Judges. While the guidelines of the organization prohibit sharing of content outside of the forum, I’ll just say that the day was well spent and I learned quite a bit. The next forum theme will be Cloud Technology, and will take place at the San Francisco Forum in June. The Corporate E-Discovery Forum would love to have new members participate and contribute to the discussions, and welcomes technical practitioners as well. If you’re a member of a corporate E-Discovery team, whether legal or tech, I’d highly encourage you to join and participate!

Lenovo Shipping Intel AMT with Web Server Enabled?

Intel AMT is a really great technology for IT administrators – you can push updates even when the box is turned off, get console access via serial over LAN, and a helpdesk tech can view and interact with a user’s active session to help them with issues. AMT comes with an enterprise access model that presents a REST interface, configurable with encryption and Kerberos authentication, for interaction with enterprise IT management tools, which is great for central management. It also ships with an embedded web server that would typically be used in small business models. The previous link has some decent screenshots of the web interface.

Michael Herf makes a comment about AMT not only being present on his new Thinkpad, but also having the built-in web server active out of the box. This is kind of scary considering (if I’m reading this correctly) that in some Lenovo boxes the default password was “admin” (check out page 8 in the link). AMT does store logs of activity: “Persistent event logs, stored in dedicated memory (not on the hard drive) so the information is available anytime. IT technicians can now access the list of events that occurred even before a hardware or software problem was noticed, including events that occurred before a PC connected to the network.”

How many IR folks have looked at AMT logs before or even knew they were present? I’d love to know if there’s any useful content for investigations getting recorded in these. Perhaps they require configuration ahead of time to trap relevant data. Please let me know if you’ve had the occasion to use AMT logs in this capacity!

Haruyama’s New Addition to My Timeline EnScript – FileName Attribute Parsing

Takahiro Haruyama, who is well known for bringing the power of Volatility to EnScript land, made a great revision to my Timeline EnScript by adding MFT FileName Attribute parsing to it! He’s published the update on his blog. This really makes the script much more versatile and I think forensics practitioners will love the update. Right now the script only outputs the info to the HTML view, but over the next few weeks I’ll try to find some time to push it into all the output formats and give everyone an update. Great work, Haruyama, thanks for adding this much needed functionality!
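For readers who want to see what “FileName Attribute parsing” pulls out of an MFT record, here is an added Python example (my own illustration, not Haruyama’s EnScript or any code from the script): it decodes the body of an NTFS $FILE_NAME attribute into its four FILETIME stamps and emits sorted timeline rows, which is the data the update contributes alongside the $STANDARD_INFORMATION stamps. The attribute layout follows the documented NTFS on-disk structure; the sample attribute bytes are constructed here, not taken from an image.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse conversion; used below only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_file_name_attribute(body):
    """Parse an NTFS $FILE_NAME (type 0x30) attribute body.
    Layout: parent ref (8), created/modified/MFT-modified/accessed FILETIMEs (4x8),
    allocated size (8), real size (8), flags (4), reparse (4), name length (1),
    namespace (1), then the UTF-16LE name at offset 66."""
    f = struct.unpack_from("<QQQQQQQIIBB", body, 0)
    name_len, namespace = f[9], f[10]
    return {
        "name": body[66:66 + 2 * name_len].decode("utf-16-le"),
        "namespace": namespace,                  # 0 POSIX, 1 Win32, 2 DOS, 3 Win32&DOS
        "parent_record": f[0] & 0xFFFFFFFFFFFF,  # low 48 bits of the MFT reference
        "created": filetime_to_datetime(f[1]),
        "modified": filetime_to_datetime(f[2]),
        "mft_modified": filetime_to_datetime(f[3]),
        "accessed": filetime_to_datetime(f[4]),
    }

def timeline_rows(fn):
    """Turn one parsed $FILE_NAME into (timestamp, event, name) rows, oldest first."""
    events = ("created", "modified", "mft_modified", "accessed")
    return sorted((fn[ev], "$FN " + ev, fn["name"]) for ev in events)

# Constructed sample attribute body (not taken from a real image).
SAMPLE_FN_BODY = struct.pack(
    "<QQQQQQQIIBB",
    (1 << 48) | 5,                                                        # parent: record 5 (root), seq 1
    datetime_to_filetime(datetime(2011, 3, 1, 9, 0, tzinfo=timezone.utc)),    # created
    datetime_to_filetime(datetime(2011, 3, 2, 14, 30, tzinfo=timezone.utc)),  # modified
    datetime_to_filetime(datetime(2011, 3, 2, 14, 31, tzinfo=timezone.utc)),  # MFT modified
    datetime_to_filetime(datetime(2011, 3, 3, 8, 15, tzinfo=timezone.utc)),   # accessed
    16384, 12345, 0x20, 0,                                                # sizes, ARCHIVE flag, reparse
    len("report.docx"), 1,                                                # name length, Win32 namespace
) + "report.docx".encode("utf-16-le")

if __name__ == "__main__":
    for ts, event, name in timeline_rows(parse_file_name_attribute(SAMPLE_FN_BODY)):
        print(ts.isoformat(), event, name)
```

The $FN stamps are written when a file is created or renamed and are not touched by the user-mode API calls that rewrite $STANDARD_INFORMATION, which is why having both sets in one timeline is so useful.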