Archive for the ‘Forensics’ Category
Coffee. Strong. Hold the liquid
So, I was reading today about the Hong Kong police using the Microsoft COFEE toolkit. Interesting stuff. Of course, there hasn’t been much data made available to the general public about COFEE (the “Computer Online Forensic Evidence Extractor”, for sticklers), so I’m eager to see what it looks like.
What I find particularly interesting is whether Microsoft will specifically introduce new features to aid law enforcement in terms of access enablement. The temptation here would be to give the fuzz some type of “get around your security free” card (like people have been worried about), but I really don’t think they’re stupid enough to go there. Of course, if they’re going to rely on autoplay, then I don’t see how the toolkit is more helpful than, say, a bootable CD.
Like I say, there’s an interesting balance here, and I’m wondering which side they’ll wind up on.
Grissom et al get nerdier
Ah yes, CSI. It has something for everybody: romance, suspense, mystery, action, gore, etc… In a “taking it way too seriously” move, folks have issued statements pointing out that CSI’s Greg “dig the hair” Sanders neglected to follow forensic best practices when analyzing digital evidence. The folks over at “CY4OR” have pointed out that the technique Greg used was irresponsible and would never stand up in a court of law (I’m assuming that “CY4OR” is a l33t way of saying “cipher”, but I could be wrong about that…). Anyway, according to these folks:
“Not only could this potentially damage evidence, any incriminating data that was uncovered would undoubtedly be thrown out of a court of law as the proper evidential procedures would not have been put in place. The evidential continuity would have been compromised and a criminal case could collapse.”
Yeah; what he said. As a fan of the show, I’m deeply concerned. After all, shouldn’t evidentiary procedure be the centerpiece of all entertainment? I mean, in this case it stands out particularly strongly because it cuts against the grain of the hyper-realism that is the rest of CSI. After all, when a forensics specialist kicks down a door and takes on a gang of thugs in a gun battle, you’d think there’d be at least some paperwork or something…
Yep – I agree with CY4OR – we really need to make sure that entertainment is judged against the yardstick of real-life experience. The same way that Star Trek represents the reality of modern physics, CSI should really work harder on reflecting real-life evidentiary procedures.
Tools Proven in Court
This is a useful document that was sent around on the forensics list today. Basically, it describes what a forensics tool must do in order for it to be recognized in a court of law. This paper is very useful; thanks to Becky Nelson for sending it around.
Reading between the lines
Interesting article about forensics, but reading between the lines, I’m curious about the “encrypted filesystem” comments made. Could it be that EFS is throwing these investigators off the scent? If so, maybe it’s time for a white-paper about how to get around EFS in a forensics context?
Forensics Writeup – Browsers
This is an interesting writeup about methods for investigating web browsing activity from a forensics standpoint. I would have liked to have seen the authors at least address the fact that they are likely to be working on a mirror of the disc in question. After all, if a non-trained investigator were to follow these instructions to the letter, they would likely wind up “stepping all over the crime scene” and therefore rendering their results of little use – either to HR or to law enforcement. That being said, the tools and methods they describe are very useful – for example, I’ve always wondered how to get information out of the index.dat file…