Haruyama’s New Addition to My Timeline EnScript – FileName Attribute Parsing

Takahiro Haruyama, who is well known for bringing the power of Volatility to EnScript land, made a great revision to my Timeline EnScript by adding MFT FileName Attribute parsing to it! He’s published the update on his blog. This really makes the script much more versatile and I think forensics practitioners will love the update. Right now the script only outputs the info to the HTML view, but over the next few weeks I’ll try to find some time to push it into all the output formats and give everyone an update. Great work Haruyama, thanks for adding this much needed functionality!

NYC4SEC Meetup: Advanced Photo Forensics

NYC4SEC held a great Meetup on Wednesday to discuss image analysis and photo forensics… “Thanksgiving Meet-up: Let’s carve some data!” Professor Nasir Memon from NYU Poly came to give us some expert insight into the latest techniques in photo forensics. Before I give an overview of his talk, let me just say that NYC4SEC has been the best thing to happen to the NYC forensics community in the 4.5 years I’ve been here in the city. I’ve met a lot of great people working in our field through this Meetup group, some that I knew via email and message boards beforehand and some new. It’s also nice to see the students from John Jay’s computer forensics program coming to the Meetup to learn and meet industry experts.

Dr. Memon is a brilliant guy; in the past he served on the JPEG standard design committee which you can imagine leads to some very relevant experience for photo forensics. He gave us an overview of how SmartCarving works in Adroit Photo Forensics, a tool he helped design (which is awesome!). This wasn’t a sales pitch, though. He explained how the photo fragments are located and reassembled. This was interesting, but not as interesting as the work he’s done matching digital photos to their source. Memon went through all the various artifacts that digital photo capture devices leave behind. Every digital camera has physical imperfections in its hardware that leave a trail. Ballistics experts match a bullet to a gun by firing new bullets and comparing them to those left at crime scenes. In much the same way, photo experts can link a digital photo to a camera by taking new photos with that camera and comparing the noise patterns. There are two things that could be useful with this technique. (1) Creating a catalog of patterns from different types of cameras – the problem here is that sometimes different manufacturers use the same parts in their cameras. (2) Seizing a digital camera at a crime scene and being able to prove, definitively, that it took the pictures in question. It’s more than just a match to a Make and Model – it’s like DNA for cameras! The final item that Dr. Memon discussed was the ability to detect image manipulation in an automated fashion. This plays off the same basic theory of matching a camera to a photo. Basically he can detect if a portion of a photo has different noise patterns and then discern that pieces of the photo are not original, but doctored or added.

The NYC4SEC Meetups just keep getting better! We had a great turnout and I hope to see more industry professionals at the next one!

NYC4SEC Meetup with Ovie Carroll

I just got back from the NYC4SEC Meetup held at Pace University. It was a welcome opportunity to see old colleagues and friends and meet many people in the industry with whom I’ve conversed electronically. The turnout was great – probably about 30 people – and it was definitely a success! It’s great to be able to swap war stories and share experiences with peers in the forensics world.

The speaker tonight was Ovie Carroll, Director for the Cybercrime Lab at the Department of Justice, Computer Crime and Intellectual Property Section (CCIPS) and an adjunct professor at George Washington University. Ovie was in town to teach the SANS Forensics 408 course and agreed to stop by and speak to our group. Ovie is a fantastically engaging speaker with a quick wit and more jokes than Steve Martin. I think it’s fare to say the crowd, which represented diverse experience levels, thoroughly enjoyed his presentation. His style of presentation really brings the audience into the conversation.

Ovie touched on a lot of things from basic knowledge on where to look for physical pieces of evidence to very specific artifacts. He showed some intelligent timeline presentation graphics and underscored the value of trace pieces of evidence by discussing a prominent case he dealt with and how they tracked the suspect down from a seemingly innocuous screenshot.

The overarching theme of his presentation was that forensic analysts have to be smarter about how they approach different problems and also how they interface with counsel or those requesting the analysis. He discussed the need to develop an investigative plan, just as one would do with non-digital evidence and investigations. This plan should involved counsel as early as possible and you should push back on those that say, “Just give me everything!” (My addition: As experts this is exactly what we get paid to do – not just to nod and go digging for everything, but to tell the client and counsel what our expert experience says they should be looking for and what its value is!!!)

There’s often a first reaction for analysts to say, “I can’t do anything with this drive yet, it’s not imaged!,” and Ovie would say that’s dead wrong. He pushed the idea of triage quite a bit, pointing out that you might not get all the benefits of a full forensic exam, but you might get just enough to have a conversation with the subject of your investigation and bring more value in the process. Triage is not going to put an end to forensic exams, it’s just another tool that gets you a few pieces quickly. The key to making this useful is that it must produce output that’s easy to understand for non-technical people, otherwise the usefulness of fast data retrieval declines rapidly.

The other pain point Ovie listed is one I’m sure everyone feels: an overwhelming amount of evidence to deal with. For law enforcement, more and more digital evidence is being seized as officers and prosecutors become more familiar with the value of digital evidence; for corporate investigators, enterprises are adding more varied devices to their technology lineups that analysts need to keep on top of. This is an issue everyone has been dealing with for a while now and Ovie, like all of the rest of us, is searching for the light at the end of the tunnel. Of course, no good digital forensics presentation would be complete without the Find All Evidence button!

Thanks to Ovie for his great presentation, to Doug Brush for organizing, to J-Michael Roberts and his wife for the delicious USB dongle-shaped cake (!!!), and to Pace University for hosting us! Joe Garcia is trying to line up some great folks from the industry for upcoming meetups. I’m sure everyone is looking forward to our next great get together, so keep an eye on the schedule and please join the Meetup group to stay informed!