<?xml version="1.0" encoding="iso-8859-1"?>

<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://my.netscape.com/rdf/simple/0.9/">
<channel>
<title>Digital Device Security and Forensics</title>
<link>http://www.iacsp.com</link>
<description>Digital Device Security and Forensics Feed</description>
</channel>


	<item rdf:about="http://www.iacsp.com/digdev_sec.php">
	<title>Cell Phone Investigative Tools For the Counter Terrorism Professional</title>
	<link>http://www.iacsp.com/digdev_sec.php</link>
	<description>By Eamon P. Doherty Ph.D.

Susteen is the name of a company that produces a digital forensics toolkit that allows counter terrorism professionals a method of seizing a variety of data from a large selection of commonly available cell phones. Modern cell phones often contain email, SMS text messages, Internet URLs, and a list of contacts and their phone numbers. Some cell phones with built-in fish-eye cameras may also contain pictures of places that terrorists may have surveilled before an operation.

Susteen's Secure View version 2.0 (see figure 1.0) is a digital forensic tool that law enforcement and intelligence professionals may use to quickly extract and examine a variety of the previously discussed data from a cell phone that they are lawfully in possession of. Secure View's main menu allows investigators a convenient means of selecting the internal memory, the SIM card, or the external memory card for seizure and examination.

The phone book and the call log are two items that, when linked together, can help the investigator produce a picture of the suspect's network of associates. The call log can show how often the suspect spoke to various people and for what duration. The frequency of a contact as well as the duration of the call can suggest who the major players are in a terrorist plot. Law enforcement personnel may not have the time to manually produce a map of contacts from the suspect's cell phone if they are to act quickly and prevent the potential loss of life and property. That is why cell phone investigators need a tool such as Susteen's new Secure View version 2.0 with the svProbe automated graphing feature.

Since I am both a computer scientist and a certified computer examiner (CCE), I decided to test the data collection feature of Secure View as well as the new automated graphing feature called svProbe. I selected what I considered to be an exemplar of a typical modern American cell phone. The data collection process took about five minutes. I was able to seize the pictures, call logs, phone book, and messages. Within another five minutes I was able to use a new feature of the software called svProbe, which allowed me to create a graph with each phone contact in the book and display the frequency of contact for each person (see figure 2 above).

I also found it easy to create a bar graph that visually displayed a timeline of activity between any range of dates and times. Many law enforcement professionals and academics said that they felt that this forensic toolkit and technical support plan were within their budget and competitively priced as compared to other cell phone forensic tools.</description>
    <pubDate>Sun, 15 Nov 2009 12:34:00 +0000</pubDate>
	</item>
	
	<item rdf:about="http://www.iacsp.com/digdev_sec.php">
	<title>How, and How NOT, to Recover Data From a Failing or Crashed Hard Drive</title>
	<link>http://www.iacsp.com/digdev_sec.php</link>
	<description>By Dr. Eamon P. Doherty

Introduction:

This article describes the attempted recovery of data from a failing hard disc drive. The data was actually benign, but the situation described is one that could well be encountered in a criminal or a terrorism investigation.

Recently, one of my associates, Don Purdy, had a laptop hard drive that he suspected was failing, although it was still bootable. Don contacted the computer manufacturer, who provided a script to run chkdsk on bootup. Chkdsk ran and hung. Thereafter chkdsk ran and hung on every bootup, thus making the disk drive functionally unbootable.

What We Did:

Don and I took advantage of the situation to set up the hard disc drive to simulate a forensic examination of a terrorist's hard drive. The first step was to connect a write blocker and USB drive enclosure.

We found that the drive was still accessible and took the easy route (big mistake) by dragging and dropping entire folders onto a 1 TB external drive. Many files were immovable and prompted a response which delayed the activity and caused the process to stop. Within one hour, the drive was no longer accessible and no more data could be recovered. The drive by then was making a clicking sound about every two to four seconds.

Our next strategy was to implement the &quot;freezer trick.&quot; I put the hard drive in a plastic bag and placed it in the freezer for two hours. After I removed the drive, we put it in the drive enclosure and connected the write blocker. Don and I connected this to the USB port and were pleased to note that the clicking sounds were gone and the drive appeared to work again. Next we used AccessData's Forensic Toolkit (FTK) Imager to copy every used and unused byte of information on the entire drive. This process took about 90 minutes. We should have then been able to use the data carving utility and recover all the pictures, documents, and spreadsheets on the drive. However, all the clusters contained only zeroes because the drive was too damaged and the toolkit could not recover the data.

What We Should Have Done:

The big lesson we learned was that we should have imaged the contents of the entire hard drive first with FTK Imager while the drive was still functioning. From there we could have used the data carving function to recover the files. Alternately, we might have used a Logicube to copy the failing drive's image to a good drive, and continued with the good drive.

Further Steps We Might Have Taken:

We might have, for a price, taken the failed drive to an organization with clean-room disc-drive repair capability.

Had this been a real case, the drive would most likely have gone to the FBI computer forensics labs, where they would have probably taken the platters from the drive and placed them in the exact same type of hard drive. Then recovery would have been routine.

Photo: Don Purdy, Dr. Doherty, and a class of visiting cybercrime students from South Korea examining a computer.</description>
    <pubDate>Mon, 21 Dec 2009 18:25:00 +0000</pubDate>
	</item>
	
	<item rdf:about="http://www.iacsp.com/digdev_sec.php">
	<title>Policy and Cell Phone or Camera Forensics</title>
	<link>http://www.iacsp.com/digdev_sec.php</link>
	<description>By Dr. Eamon P. Doherty

It is important to have the technical ability as well as the proper tools to be able to seize evidence from a cell phone or a digital camera. However, it is more important to have the right to seize someone's cell phone or digital camera in the workplace.

People who own their own digital camera or cell phone may violate a policy in the workplace, but an employer may not necessarily have the right to take the device and search it. It is therefore very important for chief information officers in a school, company, or law enforcement office to first check with the general counsel that they have the right to seize and search digital devices from guests, employees, or suspects.

It is often recommended that guests and employees of a government facility or company are notified upon entrance of the cell phone policy, which may be posted and distributed to people.

This policy may say that if a person uses a camera phone, digital camera, or other device to record or photograph proprietary data or photograph people who have an expectation of privacy, then one forfeits his or her expectation of privacy and the security department may seize and examine the device.

Having an equally enforced policy regarding the proper and prohibited usages of a digital device and the penalties for non-compliance can save a company or agency expensive litigation and bad press for violating someone's civil rights.</description>
    <pubDate>Mon, 25 Jan 2010 16:27:00 +0000</pubDate>
	</item>
	
	<item rdf:about="http://www.iacsp.com/digdev_sec.php?mnid=7">
	<title>The Future of Education in Computer / Cell Phone Forensics</title>
	<link>http://www.iacsp.com/digdev_sec.php?mnid=7</link>
	<description>I have been asking many academics in England, the Far East, and in the United States about both the present methods of teaching cell phone forensics and computer forensics and how that may change. In 2008, there was generally more money available for corporate security professionals and academics to fly to remote locations, book a hotel, and take a week-long class.

However, in the last two years there has been a shakeup in the financial community that has caused companies to lose business and cut their expenses. Training seems to be one of the first things that are cut. This is very unfortunate because computer and cell phone forensic experts need to constantly update their training and perform digital evidence examinations in order to keep their certifications current.

Yoel Piney of PSE&amp;G is a digital evidence investigator who needs to have the latest training in computer and cell phone forensic software but cannot spare the time or expense to fly, book a hotel, and take a class in another state. Yoel and other digital investigators have engaged in a new trend in education.</description>
    <pubDate>Tue, 16 Feb 2010 17:23:00 +0000</pubDate>
	</item>
	
	<item rdf:about="http://www.iacsp.com/digdev_sec.php?mnid=8">
	<title>Using Public Search Engines to Investigate Potential Terrorists</title>
	<link>http://www.iacsp.com/digdev_sec.php?mnid=8</link>
	<description>Perhaps you are a security contractor who is employed at an airport and observed some suspicious behavior from a traveler or group of travelers. He or she may be taking pictures with his or her cell phone and may even be counting paces from entrances or exits. Such behavior may be part of some pre-event surveillance where a loner or group are planning to place a bomb and calculating distances as well as passenger traffic flows.

Your standard operating procedures may be to place a call to a dispatcher, request assistance, and engage the subject in conversation. Another member of your private contractor team may arrive and ask for the person's name and home address. Since many new hand-held devices such as the Blackberry Bold have Internet capability, you may use a search engine to look up the person in question and see where they live or if they belong to any social networking sites or blogs that discuss violence and terrorism.</description>
    <pubDate>Wed, 26 May 2010 14:43:00 +0000</pubDate>
	</item>
	
</rdf:RDF>

