watching you watching us . .

Archive for January, 2011

Fun and games with Windows FILETIME and how to efficiently detect timestamp alterations

Interesting article by Lance Mueller on Filestamps (NTFS and FAT).

” .. an examiner should be familiar how the time values are stored on NTFS volumes AND the need to examine these dates manually, since many of the common forensic tools do not display the dates with any precision beyond one second, when there is any suspicion of tampering .. ”

Lance Mueller, ForensicKB, 21 January 2011 – last access 23 January 2011 – ( Full Article )

Beyond C.S.I.: The Rise of Computational Forensics ?

Atocha, Madrid - 11 March 2004

Another fine article picked out by Bruce in the last issue of cryptogram.

Interesting story on Brandon Mayfield, in particular what happened to Mayfield. Mayfield being a Lawyer and if the Algerian hadn’t come to light, it might have proved a very interesting case. Some snippets and link to full article below:

” .. If the Shoe Print Fits

– snip –

On 6 May 2004, a Portland, Oregon, lawyer named Brandon Mayfield was arrested for his alleged involvement in the terrorist bombings of four commuter trains in Madrid. The attacks killed 191 people and injured 2000 others. But Mayfield had never been to Spain, and his passport at the time was expired. The sole evidence against him was a partial fingerprint found on a plastic bag in a van used by the bombers. The FBI’s Integrated Automated Fingerprint Identification System had identified Mayfield as a possible match, and three FBI fingerprint experts as well as an outside analyst confirmed the identification.

– snip –

The analysts knew that Mayfield had converted to Islam, was married to an Egyptian woman, and had once represented a man in a child custody case who later turned out to be part of a jihadist group. That information swayed the FBI inquiry in Mayfield’s direction.

– snip –

Spanish authorities, however, argued that the fingerprint belonged not to Mayfield but to an Algerian with a criminal record, Spanish residency, and terrorist links. They were right. It took almost three weeks from his arrest, but Mayfield was cleared of the charges and released from federal custody. The U.S. government eventually agreed to pay him US $2 million for the mistake and issued a formal apology.

– snip –

Nike Air Force 1 [sneaker] is the most often encountered at U. S. crime scenes, turning up in about 17 percent of cases.

– snip –

Pattern recognition and other computational methods can reduce the bias inherent in traditional criminal forensics

– snip –

What computational forensics—or any forensics method, really—cannot do is determine whether a suspect did or did not commit the offense. That’s a matter for a judge and jury to decide. At trial, the role of a forensics expert is to testify whether the profile drawn from the evidence matches that of the suspect or of an unrelated person.

– snip –

Among all the classical forensics methods, the committee concluded, only DNA analysis has been shown to be scientifically rigorous .. ”

Sargur N. Srihari,, December 2010 – last access 19 January 2011 – ( Full Article )


DEFT Linux 6 ready for download

DEFT 6 is based on Lubuntu with Kernel 2.6.35 (Light Ubuntu Linux) and DEFT Extra 3.0 (Windows)., 11 January 2011 – ( More Info ) – Download ISO

DEFT 6 computer and network forensic packages list:

* sleuthkit 3.2.0, collection of UNIX-based command line tools that allow you to investigate a computer
* autopsy 2.24, graphical interface to the command line digital investigation tools in The Sleuth Kit
* DFF 0.8
* dhash 2.0.1, multi hash tool
* aff lib 3.6.4, advanced forensic format
* disk utility 2.30.1, a partition manager tool
* guymager 0.5.7, a fast and most user friendly forensic imager
* dd rescue 1.14, copy data from one file or block device to another
* dcfldd, copy data from one file or block device to another with more functions
* dc3dd 7, patched version of GNU dd to include a number of features useful for computer forensics
* Xmount 0.4.4, convert on-the-fly between multiple input and output hard disk image types
* foremost 1.5.6, console program to recover files based on their headers, footers, and internal data structures
* photorec 6.11, easy carving tool
* mount manager 0.2.6, advanced and user friendly mount manager
* scalpel 1.60, carving tool
* wipe 0.21
* hex dump, combined hex and ascii dump of any file
* outguess 0.2 , a steganography tool
* ophcrack 3.3.0, Windows password recovery
* Xplico 0.6.1 DEFT edition, advanced network analyzer
* Wireshark 1.2.11, network sniffer
* ettercap 0.7.3, network sniffer
* nmap 5.21, the best network scanner
* dmraid, discover software RAID devices
* testdisk 6.11, tool to recover damaged partitions
* ghex, light gtk hex editor
* vinetto 0.6, tool to examine Thumbs.db files
* trID 2.02 DEFT edition, tool to identify file types from their binary signatures
* readpst 0.6.41, a tools to read ms-Outlook pst files
* chkrootkit, Checks for signs of rootkits on the local system
* rkhunter 1.3.4, rootkit, backdoor, sniffer and exploit scanner
* john 1.7.2, john the ripper password cracker
* catfish, file search
* galletta 1.0
* pasco 1.0
* md5sum, sha1sum, sha224sum, sha256sum, sha512sum
* md5deep, sha1deep, sha256deep
* skype log view, skype chat conversation viewer
* Xnview, viewer graphics, picture and photo files
* IE, Mozilla, Opera and Chrome cache viewer
* IE, Mozilla, Opera and Chrome history viewer
* Index.dat file analyzer
* pdfcrack, cracking tool
* fcrackzip, cracking tool
* clam, antivirus 4.15
* mc, UNIX file manager

DEFT extra 3.0: – ( More Info )


Android Forensics Application

“While security on Android phone is pretty decent, applications can (and do) share data.  We take advantage of this sharing (via ContentProviders) and extract the data for forensic purposes.”

Andrew Hoog
Open Source Android Digital Forensics Application, 1st March 2010


Eavesdropping on GSM Calls

” Speaking at the Chaos Computer Club (CCC) Congress in Berlin on Tuesday, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network “sniffers,” a laptop computer, and a variety of open source software. ”

Bruce Schneier, Schneier on Security, 5 January 2011 – ( Full Article )

I recommend subscribing to Bruce’s cryptogram newsletters, you can also visit his blog.