HAKIN9 EXTRA 4/12

Overview on Cloud Forensics
By Federico Filacchione
There’s not a single law. Preserving the chain of custody means that you’ve to comply with specific laws, regarding a specific country. But in a cloud perspective there’s no single country. A huge network of data centers means a huge network of jurisdictions. So could be very complex to interact with some countries that don’t have modern computer crime laws.

All Present and Accounted for?
By Amy Cox
Like a HPA it is not removed during a regular wipe or format. Though unlike the HPA it is created by the manufacturer and at the time of writing I am not aware of a way to create a DCO artificially after the drive is sold. That notwithstanding they can still be located and their contents copied to ensure they contain nothing of significance. Another difference between the two is that unlike the HPA which isn’t hidden from the BIOS, this function even tells the BIOS that the disk is the smaller size.

A Forensic Look Inside NAS
By Dmitry Kisselev
Standard packages under a GNU general public license (e.g. apache, vsftpd and samba) are used by storage manufacture to package NAS functionality into the box. These packages’ main purpose is to provide an administrative interface for the user’s customized configuration as well as provide feature rich network data sharing capabilities. Often times, CIFS/SMB, NFS, FTP, AFS, WebDAV protocols are bundled with in NAS. It’s important to note that this type of feature is the main differentiator for NAS devices. Every one of the protocols and administrative interfaces generate traces, logs and other useful information for forensic analysis and investigation.

Linux and Disk Forensics: A General Approach
By Nilesh Kumar
Complete description of tools and their uses are out of scope of this article, we’ll be just using them for our forensics, as you may get a fair idea about them during our process. We shall be using BackTrack(BT) for our analysis. You could pretty much use any distro available as all have mostly common necessary tools. You could use any normal Linux flavors such as Fedora, RedHat, Ubuntu as well, but the advantage of using distros like BT is that they already have a fair collection of these tools, otherwise you may need to install them.

Comparison of Android and BlackBerry Forensic Techniques
By Yury Chemerkin
Logical methods manage with non-deleted data are accessible on the storage. The point is that previous case is about “simple” data type(format), while SQL db files as all-in-one file may keep deleted data in the database. While recovery of the deleted data requires special tools and techniques, it is possible to recover deleted data from a logical acquisition. Physical techniques as techniques aimed to gain deleted data without relying on the file system itself to access the data, so it is missed too. Let’s gain the main logical acquisition differences between two kind platform throughout way to data store, developers API and tools, free and paid investigation tools, logs, backup some more and others tricks.

Data Hiding Techniques
By Uğur EKEN
In NTFS file system meta data category information is stored into Master File Table entries and their attributes. Each default entry and attribute contains descriptive information about the files and directories. As I previously mentioned this information includes file and directory locations, permissions and MAC(Modified, Accessed, Created) timestamps[Carrier, 2005]. In this category Alternative Data Streams are one of the common areas data hiding techniques can be implemented in NTFS file system.

A Needle in a Haystack
By Tony Rodrigues
Note, also, that we will use SHA1 as hash algorithm. We use –a option to enter the filename we will search. The Needle.pl will write to standard output (stdout) all hashes calculated. We can also use –t option and request hash calculation just for a specific size. Even though, the most usual usage will be just passing –a option, redirecting the output to a file.

DEFTCON 2012 Report
By Ruggero Rissone
Yes, one of the main problem in Digital Forensics is that available tools are often expensive commercial software and dedicated to specific aspects in the landscape of cybercrimes. Deft could be executed on every x86 architecture (future plans could be the support for SPARC architecture) and could be installed on a limited hardware; one typical application is a forensic duplicator realized with DEFT installed on a Netbook (a commercial one could cost more than 1000$, i.e. Tableau TD1 Forensic Duplicator).

Corporate Facebook Account Login Forensics and U.S. Law
By Dave Saunders
The problem with this approach is that IP adresses can be spoofed or proxies can be used to disguise locations. Facebook acknowledges: ”

Forensic Tools – Free and Paid
By Jerry Hatchett
“Which software should I buy, EnCase or FTK?” As someone who’s been practicing digital forensics for a long time, I can’t count the number of times I’ve fielded that very question from an eager young forensicator. (“Forensicator” is an industry word; the dictionaries haven’t caught up yet.) I remember asking it myself. I remember researching it to the nines myself. I remember my choice, and I remember how quickly I learned that the question of which forensic tool is “best” is a question that never gets answered. Want to know why?