Wednesday, October 10, 2012

Quick Check-in

Hello everyone. I'm back for yet another blog post after a long absence. I wanted to post a great big giant THANK YOU to all the great open source forensic projects out there. You all are my heroes and I truly appreciate all that you make available to the digital forensics community.

I've been very busy as of late working on a case I was hired for and recently concluded. I wish I could tell about it as it's kind of interesting. Unfortunately, the most interesting parts are the things I really can't talk about. I'll just call it an employee misuse of company computer situation and leave it at that.

Among other things, the employee in question was using his company owned laptop to surf various types of porn, as well as using MS Word to do a little amateur porn story authoring. There were allegations of some financial misdeeds as well and I recovered a large number of files to help them conduct their investigation.

I relied in no small part on the knowledge I've gained from such books as the Windows Forensic Analysis series and Digital Forensics with Open Source Tools in working this case. Furthermore, I stand grateful to all the free and open source tool authors out there whose work benefited me greatly. Such awesome programs as Log2Timeline, RegRipper, the Sleuth Kit and the SANS SIFT Workstation virtual machine were a huge help to me in this and most of my other cases.

The super awesome Volatility Framework crew has been rocking the proverbial house this month with their Month of Volatility Plugins. First, Volatility 2.2 was released at the beginning of this month and they're releasing tons of new plugins all month long. The blog posts at the official Volatility Labs blog accompanying these releases are just incredible. A great thank you and salute in no particular order to AAron, Jamie (Gleeda), MHL, Andrew and everyone else involved for using your talents to produce one of the greatest software projects ever and an amazing blog.

I've had the opportunity to do some public speaking lately and find I'm really enjoying it. Public speaking used to make me quite nervous, but I'm pretty comfortable with it these days. I've spoken to one group on protecting your home computer from malware, etc, while I did a training session on Identity Theft this week for a local bank. In both cases, I decided not to use Powerpoint or other visual aids. I believe it was Harlan Carvey at the WACCI conference a couple years ago who called the Powerpoint-free presentation "going commando." I liked that term and I enjoyed his presentation that day. It's fun to speak and interact with the crowd and I find I do a better job of that when I'm not using visual aids to distract me. Besides, I'm terrible at making PP slides anyway, so I'm better off going commando for that reason as well.

That's all I've got for now. Now that I've got a little more free time, I have a couple of forensics-related projects I hope to get started on. I hope to be back with new blog posts about them "soon."


1. Ken,

In your post, you mentioned that you used several tools...can you elaborate on *how* you used those tools, so that others might see the benefit, through your example?

For example, how were Log2timeline and RegRipper beneficial to you? Which RR plugins did you find most beneficial? Were there plugins that you would've liked to have had, but didn't? Was there something missing from the tools you used...was the system you were examining Windows 7, and if so, how did you parse the Jump Lists?

Thanks for an enlightening post.

2. Hi Harlan, thanks for stopping by!

RegRipper was a big help to me in several ways. I found what turned out to be a crucial mistake on the subject's part. He had gone to some lengths to clean up after himself before turning in the computer. He had been given 24 hours' notice to turn it in, so he went to work.

Going by prefetch and the RR ntuser output, I found when ccleaner had been run and used to wipe folders, which I suspected when I found unallocated folders with "Z"s and "."s for their names. Unfortunately for him, he ran ccleaner and custom wiped before he deleted his user account an hour later. I found the event log where he had deleted his account from another employee's non-passworded account, but that was after his file wiping activities. Had he deleted his account and then used ccleaner to wipe free space, I wouldn't have found much, I suppose.

Regarding Jump Lists, I used the TZWorks Jump List parser to look at the JLs.

I used the SIFT workstation and L2T during timelining. RegRipper was run from Windows.