Digital ForensicS / magazine
The Quarterly Magazine for Digital Forensics Practitioners

ISSUE 03, 1 MAY 2010

Competition! Win 3 brand new books from Syngress

INSIDE
/ Set up your own Digital Forensic Lab
/ Proactive Digital Forensics
/ Cyber Chat, Deciphered!
/ Dissecting Malicious Software

READING BETWEEN THE LINES

SPAM BEWARE!
Dr Tim Watson shows us how to perform forensic analysis on email headers

Issue 3 / £11.99 TR Media

/ REGULARS: LEGAL NEWS, 360, IRQ… AND MORE
/ PRODUCT REVIEW: OUR VERDICT ON KATANA IPHONE FORENSICS
/ Book Reviews: Forensic LINGUISTICS, E-DISCOVERY
/ WRITERS: BUDDING AUTHORS CHECK OUT PAGE 81!


FORENSICS TRAINING
http://computer-forensics.sans.org

Fight Crime. Unravel Incidents one byte at a time.

SANS, the most trusted source for computer security training, features a curriculum of digital forensic courses for anyone who is new to the field as well as for seasoned professionals. Learn from true industry experts and experience forensics in a hands-on, immersion style environment.

SANS Forensic Curriculum
SANS forensic line-up features courses both for those who are new to the field as well as for seasoned professionals. Come learn from true industry experts and experience forensics in a hands-on, immersion style environment. By the time you complete a course, you will be able to put your knowledge to work when you get back to the office.

Receive 10% off of any SANS forensics course when you register by 1 June 2010 at http://computer-forensics.sans.org. Make sure to use the promo code DFM610 when registering.

FORENSICS 408: Computer Forensic Essentials
Master Windows-based computer forensics. Learn essential investigation techniques.

FORENSICS 508: Computer Forensic Investigations and Incident Response
Upgrade your forensic skills. Learn to investigate and respond to the advanced persistent threat and hackers hired by organized crime.

FORENSICS 558: Network Forensics
Recover and Analyze Evidence from Network-based Devices such as Web Proxies, Firewalls, IDS, and Routers: “No hard drive? No problem!”

FORENSICS 563: Mobile Device Forensics
Criminals be warned: Anything you text will be used against you.

FORENSICS 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
Hands-On Analysis Tools & Techniques: Turn malware inside-out.

Upcoming Events and Online Courses
SANSFIRE 2010 • Baltimore MD • June 6 - 14
Forensics and Incident Response Summit • Washington, DC • 8 – 15 July
SANS Secure Europe - Amsterdam 2010 • Amsterdam, Netherlands • 21 June – 3 July
vLive! • FOR408: Computer Forensics Essentials • 8 June – 21 August
European Digital Forensics & Incident Response Summit • London • 8 – 9 September
/ EDITORIAL

EDITORIAL

Well we have another feature packed issue for you, with a look at some interesting areas of the Digital Forensics profession and how using associated disciplines can help to build a broader base of evidence for any investigation. We hope by introducing some of the topics and related fields of investigation, your own investigations and research can benefit from what you read.

During the period since we released Issue 2 we have made some changes that we think you will like. We have reduced the price considerably and made modifications to the website to make it easier for you to navigate. We will continue to make improvements and add features as you, the reader, provide feedback to us via ‘360’ with how you think we can improve or what you would like to see.

We have also started the Digital Forensics Magazine ‘Blog’ (http://trmediacms.com/blog) and already those of you who have expressed an interest in ‘Blogging’ have started to provide thought provoking blogs. This, along with the LinkedIn DFMag Group, will allow us to join up the Global DFMag community for the sharing of ideas, problems or just getting to know your peers. Anyone who has not yet joined the group, just search for Digital Forensics Magazine on LinkedIn and ask to join.

I had an interesting dialogue with Chris Hargreaves of Cranfield University that I thought I would share with you, regarding the naming conventions of Digital, Computer or Cybercrime Forensics. At Digital Forensics Magazine we took the view early on that Digital Forensics was the correct term, mainly for the very reasons stated in his article for Forensic Focus (What is this field called anyway?). Our reasoning was not from an academic standpoint but more from a desire to use a name that actually reflects what is happening and be as inclusive as possible. I take the view that Cybercrime Forensics is a particular area within Digital Forensics, as it deals with crime within Cyberspace and as such provides a boundary to the area under investigation. To me, and with respect to the poor use of the English Language, I have always found the use of the term Computer Forensics to exclude those additional areas like Mobile Phone, SatNav, CellSite Forensics etc. and as such it is again a definition of a boundary or area within Digital Forensics.

I will stop now and let you get on with reading the many and varied articles we have selected for Issue 3, and remember if there is a topic you would like to see appear in the magazine, or would like to have a go at writing an article, we would love to hear from you.

/ ROY ISBELL

Digital Forensics Magazine is a quarterly magazine, published by TR Media Ltd, registered in the UK. It can be viewed online at: www.digitalforensicsmagazine.com

Editorial Board: Sharon Campbell, Tony Campbell, Roy Isbell, Dr Tim Watson, Moira Carroll, Alastair Clement, Angus Marshall
Acquisitions: Roy Isbell, Tony Campbell
Editorial: Sharon Campbell
News Desk: Matt Isbell
Sales & Marketing: Matthew Rahman
Production and Design: Matt Dettmar (Loud Vision Ltd)
Contributing Authors: Bill Dean, Tom Slovenski, Angus Marshall, Scott Zimmerman, Tim Watson, Mark Rasch, Christa Miller, Jim Wingate, Barry Hood, Ian Kennedy, John Olssen, Paul Tew and Steve Shillingford
Technical Reviewers: Tony Campbell, Roy Isbell, Dr Tim Watson, Moira Carroll-Mayer, Peter Jones and Joshua Talbot

Contact Digital Forensics Magazine

Editorial
Contributions to the magazine are always welcome; if you are interested in writing for Digital Forensics Magazine or would like to be on our technical review panel, please contact us on editorial@digitalforensicsmagazine.com. Alternatively you could telephone us on: +44 (0) 203 2393666

News
If you have an interesting news item that you’d like us to cover, please contact us on: news@digitalforensicsmagazine.com

Advertising
If you are interested in advertising in Digital Forensics Magazine or would like a copy of our media kit, contact the marketing team on: marketing@digitalforensicsmagazine.com.

Subscriptions
For all subscription enquiries, please visit our website at www.digitalforensicsmagazines.com and click on subscriptions. For institutional subscriptions please contact our marketing department on marketing@digitalforensicsmagazine.com.

Feedback
Feedback or letters to the Digital Forensics Magazine editor should be sent to 360@digitalforensicsmagazine.com.

Copyright and Trademarks
Trademarked names may appear in this magazine. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

Digital Edition Provider
Digital Forensics Magazine uses ZMags for its Digital Editions, allowing the creation of carbon neutral publications.


Reviewing the latest sports highlights. Attending a Review Seminar online.

Put your time to better use. In pursuit of your (ISC)²® certification, attend an Official (ISC)² CBK® Review Seminar live online, in person or on site. You’ll ready yourself for an (ISC)² exam by refreshing your knowledge in information security. You’ll also send a message to peers and current employers that you’re in this game for real.
Learn more at www.isc2.org/reviewseminar

Look for an (ISC)² Authorized Education Provider.


/ CONTENTS

CONTENTS
/ DIGITAL FORENSICS MAGAZINE ISSUE 03

REGULARS
/ NEWS 06
/ 360° 09
/ COMPETITION 36
/ PRODUCT REVIEW 60
/ BOOK REVIEWS 78
/ IRQ 82

FEATURES
/ INTERPRETING EMAIL HEADERS 12
Tim Watson explains how vulnerable email protocols can be abused and how to catch those who do it
/ PROACTIVE COMPUTER FORENSICS 19
Scott Zimmerman discusses how to gather and store event-related information appropriately
/ THE FACEBOOK MURDER 24
John Olsson illustrates how text messaging can be used for ill-means by linguistic masterminds
/ A DIGITAL FORENSICS LAB BY ANY OTHER NAME 30
Digital forensics laboratories may once have been specialized, but increasing case complexity demands broader capabilities across disciplines
/ DISSECTING MALICIOUS MALWARE 45
Modern malware is more sophisticated than it used to be and can easily mislead the investigator...
/ MODELLING FOR OPERATIONAL FORENSICS 52
Barry Hood shows how modelling paradigms can be used to guide a simple psychosocial forensic analysis
/ IT’S NOT ABOUT PREVENTION 57
Steve Shillingford explains why there is an urgent need for preparedness in cybersecurity
/ TIME FOR FORENSICS 67
Paul Tew discusses how to understand and effectively investigate digital time stamps
/ INTRODUCTION TO STEGANOGRAPHY 73
Jim Wingate shows us how to uncover hidden information

LEGAL
/ THE FOURTH AMENDMENT 38
Mark Rasch highlights how technological developments have overtaken the Fourth Amendment


/ NEWS

NEWS

Academics & Practitioners Discuss Digital Forensics Skills & Training

A second Digital Forensics Workshop hosted by the Security Panel of the Information Technologists Company (www.wcit.org.uk) and sponsored by SANS and DF Magazine was held in London at the Information Technologists’ Hall on the 19th March 2010, to discuss the skills and training needed by the modern day Digital Forensics Practitioner.

Following on from the 1st workshop held in October 2009, this workshop looked at the “Qualifications” of Digital Forensics Practitioners; one of 5 key areas (Qualifications, Standards, Approved Products, Certified Labs and Procedures) identified from the first workshop. Representatives attended the workshop from various Industry, Government, Training organisations and Special Interest groups including the Forensic Science Society, Office of Cyber Security (OCS) and Skills for Justice, who are the Sector Skills Council and Standards Setting Body for the Justice sector in the UK and who were also representing the UK Forensic Science Regulator.

The discussions concluded that many groups were looking at qualifications and training for Digital Forensics Practitioners, but these were often in isolation and focussed either on a certain discipline such as Penetration Testing or on identifying which vendor courses were needed to meet a particular job description. Identifying what were the key core skills required for all disciplines, both focussed and transferable, whilst at the same time providing for career progression, provided for considerable debate and discussion by those attending.

To maintain momentum and gain consensus both nationally and internationally, identification of existing groups, along with a route to both accredit courses and certify individuals, will be required. An agreed career structure to include those who attend either vendor specific courses or those who study, teach and research digital forensics in the various academic institutions is a lofty ideal and will meet with resistance from those organisations who look to serve their own self interests. This is an interesting and much needed piece of work and one that DF Magazine will follow with interest.

DF Magazine has already agreed to assist in researching what we see is a key area for the industry, so keep an eye on the DF Magazine website (www.digitalforensicsmagazine.com) and have your say.

Home Office Publish Cyber Crime Strategy

The Home Secretary presented the UK’s National Cyber Crime Strategy to Parliament in March this year. This follows the previous publication of the National Security Strategy, the Cyber Security Strategy and the Digital Britain Report in June 2009.

The 38-page document sets out the Home Office approach to tackling Cyber Crime and provides the reader with a logical approach to understanding what the problem is and how it is to be tackled, ending up with a table of 23 areas where action will be taken.

Whichever Government is returned after the general election one aspect is clear: there will be a significant cut in spending to reduce the budget deficit brought on by the recent recession. A key plank in this will be the exploitation of providing services online, and in doing so will expose the providers of those services to increasing threats from the online criminal world. Against this backdrop of spending cuts, there is a realisation that a problem exists, is growing exponentially and has the potential to affect everyone.

Fortunately the strategy takes a broad view of what is required and looks at the wide range of crime committed online, both financially and non-financially motivated, and it considers the potential impact on all aspects of online interaction both now and in the future. What is refreshing for a Government Strategy paper is that it provides clear statements of action to be taken and is not couched in terms that leave the interpretation to the reader of what might happen, or the establishment of various committees to decipher the strategy and propose a way forward, that only invites delay in implementation.

The strategy, whilst being UK focussed, recognises that we cannot do this alone and contains 4 action areas dedicated to developing international collaboration on law enforcement working practices, effectiveness of investigatory powers, standards of international legislation and support of CEOP in the wider international community.

For the Digital Forensics community it clearly spells out that this will be a focus and expanding area and is singled out as one of the 9 strands of activity focussed on improving law enforcement’s response to cyber crime. In order to achieve all that the strategy aspires to, significant numbers of trained DF investigative and research resources, at all levels, will be required; sadly no specific action point addresses this critical success factor. All the good words and plans come to little if at the grass roots level there are not enough skilled and competent investigators who can investigate and prosecute online crime. But then we would say that wouldn’t we…?

/ NEWS ROUND-UP

Europe goes to War against Cyber Crime

An International Forum is set to take place in Lille, France in the next few months to discuss the various issues found in Cyber Crime today. 1500 experts in the field from about 23 different countries will meet to discuss topics such as virus attacks, fraud, identity theft and data privacy, among many others.

A main topic of discussion will be the increase in privacy issues as a result of the increased use of sites such as Facebook and YouTube within Europe.

Unfortunately it will be some time before Europe can fully combat cyber crime, as there is no cyber security agency in place to govern the various nations.

Browser Security Broken by UK Company

Two leading Internet browsers have been successfully broken by a UK Information Security company. Both Firefox and Safari were broken during the course of a competition to test browser insecurity, held in Vancouver, Canada. MWR InfoSecurity, based in Basingstoke, UK, was responsible for illustrating the various vulnerabilities in both browsers; the technical director, Martyn Ruks, explained how “the continued presence of security vulnerabilities in browser software is being overlooked by companies worldwide…”

Ruks adds, “Seldom are security models constructed or tested to withstand attacks launched against the user’s web browser.” The current state of browser security is so severe that an attacker can, under the right conditions, take full control of a system.

Report claims social networking drives cyber attack strategies

A just-released study generated by Blue Coat Systems has stated that hackers are changing their methods as online user behaviour adapts. The current rise in the use of social networking sites such as Twitter and Facebook has pushed hackers to develop more sophisticated and complex attacks.

Using its WebPulse security service, Blue Coat Systems generated the report describing how hackers are adopting new methods including faster malware lifecycles and search engine manipulation among other strategies. The average malware lifecycle has dropped to just two hours in 2009 from seven hours in 2007.

Chris Larsen, senior malware researcher at Blue Coat, said that, “The web is growing too fast in all directions for human raters or even web crawlers to manage. It is turning into a war of machines, and the best defenses are able to leverage the strength-in-numbers principle to protect users.”


Cell site analysis / Computer forensics / Audio visual / Questioned documents / Mobile phone forensics

Understanding the digital picture

MP3 players, mobile phones, laptops, Blackberries, SatNavs, printers, CCTV, digital cameras and more. These are the tools of a modern society, painting a digital picture of our everyday lives in images, emails and text. What can they tell us about someone’s behaviour and movements? How can we combine and present this evidence to support reliable verdicts in criminal and civil proceedings?

As part of the UK’s largest independent provider of forensics services, our digital and document investigators take a holistic approach that draws on a whole range of innovative and traditional methods to reveal high quality digital and documentary evidence that will stand up in court. Using the latest forensic techniques, we will work closely with you to establish the facts, applying years of forensics experience and understanding to uncover and follow all potential lines of inquiry.

For the complete picture visit www.digital.lgcforensics.com
LGC Forensics
Tel: +44 (0)844 2641 999
Email: d&df@lgcforensics.com
PLEASE QUOTE REF: DFM0410 IN ANY CONTACT

© LGC Limited, 2010. All rights reserved.
360°
Your chance to have your say …

Our readership continues to grow Internationally with Taiwan recently being added to the list of countries where DFM is being published. In addition to 360, we have also established other outlets for your thoughts and comments. The DFM Blog is gathering momentum and new bloggers are being added all the time along with a DFMag LinkedIn Group to help spread the word, which with our Twitter feed is developing a significant following for the Magazine. We continue to get many letters of support and as we grow as a community we hope to provide a platform for you all to have your say about the Digital Forensics Community and how we develop our craft. Our thanks to all our readers and visitors to the website who take the time to let us know what you think and how we might improve. This is your magazine, so we want to hear from you with ideas, articles or just comments, both good and bad.

Send your letters and feedback to: 360@digitalforensicsmagazine.com

Print version
I am a subscriber to both the digital version and the print version of your magazine and I just wondered when the print copies were due to be posted? Many Thanks
John Lacey

Hello John, Thanks for bearing with us (that includes everyone who was waiting for the print version of Issue 2); we delayed the print run of Issue 2 until we were certain that the online version was running and all was correct with the new platform. Moving forward we plan to have the print version available at the same time as the online version. Have you read the online version? If so what did you think?

Many thanks for the details about when to expect the print version. So far I have only had a quick flick through; as soon as I get time I am planning on reading all the articles. But from what I have seen it continues with all the features that were good from issue 1. I like the way that it presents and discusses new features/techniques in the Digital Forensics World while also having articles that are not so technical. I also like the book section towards the end. I had been looking for a while for a magazine about Digital Forensics so I was pleased to find this one, please keep up the good work.

I included the above email correspondence to deal with the delay our readers experienced in getting the print version for Issue 2. As we work to get our processes streamlined we will be looking to make sure that the print version is available and delivered the same day as the online version. It is probably going to be Issue 4 before we get this correct, however all who receive the print version will see an improvement from Issue 3. Thank you John for your additional feedback!

/ GOING GLOBAL
Having read issue 2, I firmly believe that this is a must-have magazine if you are in this field. As this discipline starts to take shape here in South Africa, I believe this publication will be a key source for me personally to use as a reference tool for my suggestions towards our national certification program. Articles are written such that people, irrespective of their specialist knowledge or lack thereof, are able to follow and glean valuable hints. Furthermore, your decision to be an internationally focused magazine will reap benefits in the long run as our global village shrinks by the day. To this point, any country specific legislation articles will be welcomed as I have jurisdictional responsibility for my organization in 18 African countries and 21 other countries across the globe.
Caldon Thomson
Head: Information Security Assurance and Forensic Auditing
Standard Bank: Group Internal Audit

Hello Caldon, thank you for your letter and welcome to the Global DFM community. Your comments reinforce what we were being told very early on when we started DFM, in that there is an International requirement for the magazine. We have passed on your comments regarding the country specific legislation to our Legal Editor and will look for those specific legal news snippets that affect DF Practitioners around the world. We would be very interested to hear more about your National Certification Program as this is an area that is being closely looked at; we hope to have an article about this in issue 4 which will highlight some of the work being done. This work, if adopted, might just become an international benchmark for DF Practitioners.

Computer Forensic Tools Survey
Congratulations on the mag – great stuff! By way of introduction, I’m an independent computer forensic practitioner in Sydney, Australia, having previously worked for the largest commercial computer forensic team in the country (Deloitte Forensic) and prior to that, the Australian Federal Police. I’m writing to let you know about our Computer Forensic Tools Survey which we’ve launched through our web site and which may be of interest to you and your readers. The survey asks CF examiners about the tools they use – what they’re using, what features they find most valuable and how they’d like to see tools change and improve in the future. Every respondent will receive a complimentary copy of the final report and one will even receive a $250 gift card from Amazon. The survey closes on March 21 and every participant will receive an electronic copy of the report. So far the responses have been very interesting. The more responses we get, the more valuable the results will be for the whole computer forensic community, so I’d really appreciate the opportunity to invite your readers and members to participate and have their say.
Nick Klein

We received this letter from Nick and quickly got in touch and included his survey on our website before it closed. We hope to get a report on the findings from Nick to include in the magazine or on the website as soon as it is published. This is just one of the ways that we are able to react and help the DF community globally. Thanks for getting in touch Nick and do let us have the results as soon as they are compiled into the report.

Live Hacking
Congratulations for the continued growth and success by Digital Forensic Magazine. I received a message about the Live Hacking book review on LinkedIn and after that I checked the DFM blog. I appreciate the reviewer’s opinion but I need to highlight the following:

1. The book that you received was the pre-launch version and it has been edited dramatically after receiving the initial feedback.
2. The current version, which is available at online stores, is not the version that DFM received and reviewed.
3. The provided information in the review may mislead the audience.

Ethical Hacking or Hacking is not something that you can transfer by a book or technical papers. I tried to create a foundation to educate people in ethical hacking and beside that I had two other public domain projects such as Live Hacking CD & Live Hacking channel at YouTube (http://www.youtube.com/livehacking). I tried to transfer my little knowledge in an easy way and I had good responses as well. You can find good & bad reviews at Amazon.com and the video testimonials at livehacing.com. I would appreciate it if you would take the proper actions.
Dr Ali Jahangiri

Hello Dr Jahangiri, thank you for your email. We are starting to put all our book reviews up on the blog, probably one a week, so if you have a newer, better version of your book, send it over, we’ll send it to our reviewer and get him to take another look. If we post a new review, we’ll happily supersede the previous one with an updated, more upbeat review. There are many books around on hacking, some good, some bad and some indifferent. I don’t agree with you that you can’t teach hacking in a book though, as I’ve read some great works over the last 10 years. However, if you want to send your new one through to me, we’ll take a look and see how it stacks up. If you’d like some of your other stuff reviewed that’s a different discussion.

Forensic Modelling
Firstly, let me congratulate you on Digital Forensics Magazine. It’s great to finally have a magazine dedicated to the field I have spent the last ten years of my life working in: keep up the great work! One thing I’d like to focus on is that I found the first part of Dr Barry Hood’s article on forensic modeling very interesting in the February 2010 issue. I am looking forward to the second part of his article in Issue 3 as the methodology that he’s describing, although abstract, enables its application in real-world investigations. However, I’d like to see it taken further into a real methodology that can be taught to professional investigators rather than simply the general, largely academic model that it currently is. I was also wondering if there has been any trialing of the method in a professional capacity or is it simply a piece of research? If possible, I would like to speak with Dr Hood as I may be able to make some suggestions of how this might be applied in a practical investigation.
Bob Ronson

Thanks for your letter. It makes all our hard work worthwhile when we hear our readers are getting value from our publication. With regards to Dr Hood’s article, this is a piece of academic research that he is progressing, modeling a whole range of security related disciplines, with forensic investigations being just one of the set. I’m more than sure that Dr Hood would be willing to speak with you regarding your real world experience and especially if you are willing to try out the methodology and help him with his research. He is working on turning this research (once complete) into book format and providing a handbook of investigation techniques that can apply in the real world. So, just drop us an email at editorial@digitalforensicsmagazine.com and we’ll connect you guys together. Who knows, we might even commission an article from you on the results if it all works out.
/ LEAD FEATURE

YOU HAVE MAIL

EMAIL DECEPTION AND HOW TO DETECT IT

Find out how vulnerable email protocols can be abused and how to catch those who do it
by Tim Watson

/ INTERMEDIATE

Email started life as a novelty and has risen to become a necessity. But the speed, flexibility and low costs of email communication have been turned into a weapon. From spam to spear phishing, your inbox can place you one click away from disaster. In fact, you don’t even need to click to be in danger. How can you tell the good from the bad, the genuine from the fake? How is a deceptive email constructed and how can it be spotted? Let’s find out.

As with any form of defence, knowledge is power. The main weakness exploited by those who send malicious emails is the weakness of ignorance. The fact that the vast majority of users do not have a clue how emails work, how they are constructed and how they get from source to destination, is both a credit to the design of the email system, which provides a simple and reliable communication method with no need for the user to understand the machinery, and an opportunity for those who do understand the system to perform nefarious, electronic sleight of hand to deceive the trusting masses of email users who embrace its magic.

Figure 1

To understand the dangers and the ways to reduce them, we need to peek behind the curtains and discover the secrets of the processes and protocols that make up the modern email system. By understanding how emails work, we will be able to spot the weak points and to discover the


trail of clues left by those who seek to abuse the system for their own advantage. We will start by following the typical journey of an email from composition to the point at which it is read at its destination.

In simple terms, an email is composed in a mail client such as Mozilla Thunderbird or Outlook Express, sent to a mail server (e.g. Sendmail), which then forwards it through other mail servers until it reaches the destination mail server. To be precise, if the sender and receiver use the same mail server then there will only be one mail server involved and if the email is sent to diverse recipients then there will be several destination mail servers. After the email has arrived, the recipient can use a mail client to download and read the email. If you explore the various standards and documentation relating to email you will discover that there are further components defined, such as mail submission agents, mail delivery agents and mail access agents. You’ll also see that clients are often called mail user agents (MUAs) and that mail servers are called mail transfer agents (MTAs) (see Figure 1).

For the purposes of this article, we need to explore the format of emails, the client and server programs that process them and the protocols used to transport them. There is also another area that provides an attacker with a wealth of opportunities and that is HTML, commonly found within emails and often used to mislead and compromise victims, but, since the topic is vast and not specific to emails, it will not be covered here. The interested reader is directed to the many resources on the Web to do with Web-based attacks, drive-by downloads, cross-site scripting etc. I have to admit that there is a certain, delicious irony in directing readers to HTML pages to discover more about HTML attacks.

As well as looking at how attackers can exploit emails to deceive victims, we are also interested in how to detect their deception and how to determine the identity of the attacker. Again, the limitations of space prevent us from covering a number of useful avenues of investigation. These include the various attribution techniques that rely on the details contained in the network packets associated with sending and receiving emails and the evidence contained in the machines running mail servers. Our investigation will be based solely on the information available from an email retrieved by a mail client.

/ EMAIL MESSAGE FORMAT

An email message is contained in an envelope. The envelope is defined in the RFC 5321 document (you can find this and other RFCs at http://www.ietf.org/rfc.html) that describes the Simple Mail Transfer Protocol (SMTP) and, just like a standard mail envelope, it tells the mail system where to deliver it. We’ll look more closely at the envelope later but for now we will concentrate on the message itself.

A typical email, as viewed by a user, is shown in Figure 2. The mail client shows which mail folder is being viewed, a list of email subject lines, usually in date order, and a preview pane that displays the contents of the currently selected email. However, this is often only a selected part of the email. The actual email source can be viewed (using CTRL+U or choosing ‘view message source’ in a menu) and doing so will reveal the full email as received by the mail client. RFC 5322 and RFC 2045 together provide an authoritative description of the format of an email message.

If we look at the simplified source of the email from Figure 2 (shown in Listing 1) we can see that it is made up of different logical sections. The overall message is divided into two: first
come the email headers and then, after a blank line, is the
message body. The body itself is typically divided into parts: a
plaintext version, an HTML version and any attachments. You
can see that one of the headers defines the string of characters
“b1_5fc6d29ab...” that will be used in this email as a boundary
to separate the different parts of the body. Each part is
preceded by a blank line, then a line that starts
with two dashes, followed by the boundary
string. The mail client understands
this message format and uses the
headers to show who sent the email,
its subject and when it was sent, and it
chooses whether to display the plaintext
or HTML version of the contents, depending on the
preference of the user. It may be that the user gets no choice
and only gets to see the HTML version.
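As an added example (not code from the article), the following Python walks a message laid out as just described, using the boundary declared in the Content-Type header to separate the parts, and also lists the external images that rendering the HTML part would make a client fetch. The message, its addresses, URLs and boundary string are constructed placeholders.

```python
"""Walk the MIME structure of an email message.

Added example, not code from the article. The sample message is constructed
to mirror the layout described above: a header block, a blank line, then a
multipart/alternative body whose parts are separated by the boundary string
declared in the Content-Type header. Addresses, URLs and the boundary are
placeholders."""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample (not the newsletter from the article).
SAMPLE = b"""From: "Example Newsletter" <news@newsletter.example>
To: "Reader" <reader@mydomain.example>
Date: Tue, 23 Mar 2010 10:15:09 +0000
Subject: Price Change Special
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="b1_constructedboundary0123456789"

--b1_constructedboundary0123456789
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Price Change Special

Add us to your contact list to make sure you can receive future emails safely

--b1_constructedboundary0123456789
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit

<html><body>
<p>Price Change Special</p>
<p>Add us to your contact list to make sure you can receive future emails safely</p>
<img src="http://clicks.newsletter.example/email/S-10768-reader.jpg" alt="open" />
</body></html>

--b1_constructedboundary0123456789--
"""

# src attribute of an <img> tag, single- or double-quoted.
IMG_SRC = re.compile(r'<img[^>]+src\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def parse(raw):
    """Parse raw RFC 5322 bytes into a message object (headers + MIME tree)."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def boundary_of(raw):
    """The boundary string the top-level Content-Type header declares."""
    return parse(raw).get_boundary()


def describe_parts(raw):
    """One record per leaf part: its content type, charset and decoded size.

    walk() visits the multipart container first; it carries no content of
    its own, so only the leaves (plaintext, HTML, attachments) are recorded."""
    records = []
    for part in parse(raw).walk():
        if part.is_multipart():
            continue
        records.append({
            "content_type": part.get_content_type(),
            "charset": part.get_content_charset(),
            "length": len(part.get_content()),
        })
    return records


def external_images(raw):
    """Absolute http(s) image URLs that rendering the HTML part would fetch.

    This is what a preview pane requests without any click by the reader."""
    urls = []
    for part in parse(raw).walk():
        if part.get_content_type() == "text/html":
            urls.extend(IMG_SRC.findall(part.get_content()))
    return [u for u in urls if u.lower().startswith(("http://", "https://"))]
```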
This is where we get our first surprise. All of this information
is completely under the control of the sender. While the details

of the sender and recipient are ‘on’ the envelope, the envelope is removed by the mail server and it’s only the contents of the message that are sent to the user receiving the email. The message headers that state who the email is from, who it’s to and when it was sent, and the entire message body, can all be made up by the sender and do not have to relate to the information on the envelope. I can construct an envelope to your email address today, but when you receive the email I can make it appear that it was sent to anyone I like, from anyone I like, at any date I like and with any contents I like. We’ll see how to do this shortly. For now, it is enough to worry that the weakness in the global email system just revealed means that you can never trust another email unless you view the source. Oh, and you’d also better worry about someone sending a forged email to your boss, or your partner, that appears to come from you.

/ LEAD FEATURE

Figure 2

/ Listing 1
From: "Digital Forensics Magazine" <digitalforensicsmagazine@mailer.emsg-live.co.uk>
To: "Digital Forensics Magazine" <tw@mydomain.co.uk>
Date: Tue, 23 Mar 2010 10:15:09 +0000
Sender: digitalforensicsmagazine@mailer.emsg-live.co.uk
Reply-to: Digital Forensics Magazine <marketing@digitalforensicsmagazine.com>
Subject: New Subscription Prices from Digital Forensics Magazine
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="b1_5fc6d29ab134767240d462b85f431cfa"
Message-Id: <20100323101540.527637DCB1B@.com>

--b1_5fc6d29ab134767240d462b85f431cfa
Content-Type: text/plain; charset = "utf-8"
Content-Transfer-Encoding: 8bit

Price Change Special ++ Price Change Special ...

Please visit the following URL in your web browser to unsubscribe

http://clicks.emsg-live.co.uk/profile/S-10768@7354432@1

Don't forget to forward this email to people who you think will
find Digital Forensics Magazine of interest
Add us to your contact list to make sure you can receive future
emails safely

--b1_5fc6d29ab134767240d462b85f431cfa
Content-Type: text/html; charset = "utf-8"
Content-Transfer-Encoding: 8bit

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...
<h2 class="style1" align="left" style="font-family:Arial, Arial, Helvetica, sans-serif;
  font-weight: normal; font-size: 16px; margin: 0px; padding: 0px;">
Price Change Special ++ Price Change Special ... <br>
</h2>
...
<p>Please click <a class="notifire_unsubscribe"
  href="http://clicks.emsg-live.co.uk/profile/S-10768@7354432@1">here</a> to unsubscribe.
</p>
<p><strong>Don't forget to forward this email to
people who you think will find Digital Forensics Magazine
of interest</strong><br>
Add us to your contact list to make sure you can receive
future emails safely
</p>
...
<img src="http://clicks.emsg-live.co.uk/email/S-10768@@7354432@1yu9A.jpg" alt="open" />
</body>
</html>

--b1_5fc6d29ab134767240d462b85f431cfa--

While HTML-based attacks are beyond the scope of this article, it is worth noting that the email shown in Listing 1 contains a common, hidden extra. If you look closely you’ll see that the plaintext section ends with the words, “Add us to your contact list to make sure you can receive future emails safely”, whereas the HTML version has an extra bit of code after this text, as follows:

<img src="http://clicks.emsg-live.co.uk/email/S-10768@@7354432@1yu9A.jpg" alt="open" />

This code tells your email client to load an image from the “clicks.emsg-live.co.uk” website. It is used to track details about the email when it is read. Even if you don’t click on the email, if it is displayed in your preview pane as an HTML message it will retrieve this image. When it does so, the website you have just accessed can log details such as the date and time of access, the IP address of the source of the request and the HTTP request headers that show details about your computer’s software. With a different image included in each email, this allows the sender to monitor each recipient


Figure 3

every time they view the email (unless, like me, you don’t open the HTML version of emails). In the hands of a malicious sender, this ability to make the receiver automatically access an arbitrary web server and download an image of the attacker’s choosing is obviously very dangerous. Of course, if you are communicating with a suspected criminal by email, the same technique can be used to help trace them.

We will return to the message content when we explore the message headers but, for now, we need to understand how to construct and how to send a forged email.

/ SIMPLE MAIL TRANSFER PROTOCOL
When your email client sends an email it does so by communicating with a mail server using the Simple Mail Transfer Protocol (SMTP). The details of this protocol can be found in RFC 5321. Although it is recommended that mail user agents don’t talk to mail transfer agents directly, but rather that they use a mail submission agent as described in RFC 4409, both MTAs and MSAs use the same SMTP protocol and it is still normal for mail clients to talk directly to MTAs.

Your mail client typically connects to the mail server using TCP port 25 and receives an identification message from the server. The client then says ‘hello’ (actually, ‘EHLO’, which stands for extended hello) and the server responds with a list of services available. The client will then send the envelope details, saying where to send the email and whom it’s from, and then the email data is transferred from client to server. This data includes the message headers and the message content and it is all treated as just ‘data’ by the mail server. Your mail client will include several headers in the email to show which mail client you are using, the sender’s email address, the date and time etc.

However, there is no need to use a conventional mail client. If you use a low-level network tool such as netcat (http://netcat.sourceforge.net/), it’s possible to directly control the information passed to the server. The command-line output in Listing 2 is a dialogue between my “attacker’s machine” and a mail server and Figure 3 shows the email as it appears to the receiver after it has been sent. I have highlighted in bold the parts of this dialogue that were added by me; the rest is produced by the server.

/ Listing 2
$ nc mail.mydomain.co.uk 25
220 mail.mydomain.co.uk ESMTP Sendmail 8.13.6/8.13.6; Mon, 5 Apr 2010 20:35:15 +0100 (BST)
EHLO mailer.emsg-live.co.uk
250-mail.mydomain.co.uk Hello me.mydomain.co.uk [146.XXX.XX.XXX], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE 16000000
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
MAIL FROM:<digitalforensicsmagazine@mailer.emsg-live.co.uk>
250 2.1.0 <digitalforensicsmagazine@mailer.emsg-live.co.uk>... Sender ok
RCPT TO:<tw@victim.co.uk>
250 2.1.5 <tw@victim.co.uk>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: "Digital Forensics Magazine" <digitalforensicsmagazine@mailer.emsg-live.co.uk>
To: Tim Watson <tw@victim.co.uk>
Cc: Bank of England <cashier@bankofengland.co.uk>
Date: Tue, 23 Mar 2010 10:15:10 +0000
Sender: digitalforensicsmagazine@mailer.emsg-live.co.uk
Reply-to: Digital Forensics Magazine <marketing@digitalforensicsmagazine.com>
Subject: New Subscription Prices from Digital Forensics Magazine
Message-Id: <20100323101540.527637DCB1C@mailer.emsg-live.co.uk>

Dear Tim,

Thanks for setting up your direct debit. We will take loads of money from your bank account every month. If you would prefer us not to then please cancel this by visiting http://evilwebsite.com/sucker

Thanks,

Digital Forensics Team
.
250 2.0.0 o35JZFxs008825 Message accepted for delivery
QUIT
221 2.0.0 mail.mydomain.co.uk closing connection

You’ll notice that there was no authentication needed. As long as I’m accessing the mail server from the same domain it will happily accept commands from me. You’ll also notice

that it was perfectly comfortable accepting an obviously forged “MAIL FROM:” command and that it didn’t attempt to check for consistency between the envelope and the message headers. This isn’t a badly configured home-user mail server; it is a real mail server in a large organisation and is typical of most current mail servers in use today.

So, how can we spot when we are being deceived by email? The answer is in the headers.

/ The long arm of the law
There are a number of considerations when attempting to send deceptive emails. Moira Carroll-Meyer discusses some of the possible charges that spring to mind when considering spamming someone:

United Kingdom
1. The Fraud Act 2006, Section 2 fraud by false representation, where a person makes any representation of fact or law expressly or impliedly which they know to be untrue or misleading with the intention of inducing another to do or refrain from doing something which causes or risks loss by another. The thing lost or at risk of loss must be money or real or intangible property and the loss may be permanent or merely temporary.
2. The Computer Misuse Act 1990, where the pre-condition of the hacking offence is knowledge of lack of proper authority, therefore to impersonate someone/an organisation, e.g. President Obama and the Whitehouse, imputes the requisite knowledge (unless, presumably, the sender is insane, below the mental age of criminal responsibility doli incapax, ten years of age, or is actually under ten; re this last see caveats in the literature on effect of Section 34, Crime and Disorder Act 2008). Knowledge that the use of passwords, identifiers, usernames etc. is unauthorised will have the same effect.
3. Protection from Harassment Act 1997 could apply where more than one letter is sent. The harm caused may be ‘merely’ psychological and requires no intent on the part of the sender. The Act creates two offences: stalking and harassment. It is the latter that is most relevant here.

United States
1. US Federal Code 1028. Fraud and related activity in connection with (misuse or forgery of) identification documents, authentication features and information. This appears to correspond to the hacking offence under the UK Computer Misuse Act 1990.

Additionally, companies employ acceptable use regulations. Penalties range from being denied service to being reported to authorities and prosecution, see for example AT&T Acceptable Use Policy.

The above is by no means a comprehensive list. Most countries have pertinent/equivalent laws, mostly differing in some way and masses of US material, for example, is unconsidered and just as important in the UK, taking into account the global jurisdiction claimed by the US and indeed some other countries.

The best advice is to ensure that every deceptive email states clearly at the top and again at the end that it is part of an exercise and unintended to be taken seriously by any recipient or any other person.

/ EMAIL HEADERS
If we look at the message source of our forged email and focus on the headers we can see that something isn’t right:

From - Mon Apr 05 20:42:30 2010
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <digitalforensicsmagazine@mailer.emsg-live.co.uk>
Received: from mailer.emsg-live.co.uk (me.mydomain.co.uk [146.XXX.XX.XXX])
  by mail.mydomain.co.uk (8.13.6/8.13.6) with ESMTP id o35JZFxs008825
  for <tw@victim.co.uk>; Mon, 5 Apr 2010 20:35:32 +0100 (BST)
From: "Digital Forensics Magazine" <digitalforensicsmagazine@mailer.emsg-live.co.uk>
To: Tim Watson <tw@victim.co.uk>
Cc: Bank of England <cashier@bankofengland.co.uk>
Date: Tue, 23 Mar 2010 10:15:10 +0000
Sender: digitalforensicsmagazine@mailer.emsg-live.co.uk
Reply-to: Digital Forensics Magazine <marketing@digitalforensicsmagazine.com>
Subject: New Subscription Prices from Digital Forensics Magazine
Message-Id: <20100323101540.527637DCB1C@mailer.emsg-live.co.uk>

The headers from “From:” downwards are the ones supplied by the attacker. The three headers at the top are added by the mail client and show when the email was received and what its status is (“X-Mozilla-Status: 0001” means that it has been read; further details of the status flags can be found at http://mxr.mozilla.org/comm-central/source/mailnews/base/public/nsMsgMessageFlags.idl#45). The most interesting header, and the one that gives the game away, is the “Received:” header. It says it is from “mailer.emsg-live.co.uk” but then, in brackets, it shows that it actually came from “me.mydomain.co.uk” and it helpfully gives the IP address of the machine it was sent from in square brackets (this IP address has been obscured in this article to protect the guilty). We can also see, from the same header, that the time it was actually sent was not the time that was specified in the “Date:” header lower down.
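As an added example (not the article’s own code), the following Python parses every Received header of a message in delivery order and reports the two inconsistencies just discussed: a HELO name that differs from the name the receiving server resolved for the connection, and a Date header far from the time of first receipt. The sample reproduces the forged message’s headers with 192.0.2.10 (a documentation-range address) standing in for the obscured IP, and adds a constructed qmail-style hop with no “from” clause so that a header without one is exercised; Exim’s “from [ip] (helo=name)” form is handled as well.

```python
"""Parse a message's trail of Received headers and flag inconsistencies.

Added example, not code from the article. Each hop records the name the
sending host gave in HELO/EHLO, the name and address the receiving server
actually saw, the receiving server and the time stamp. The Date header is
then compared with the time of first receipt."""
import re
from datetime import timedelta
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the forged message's headers. 192.0.2.10
# (a documentation-range address) stands in for the obscured IP, and the
# qmail-style hop is added so that a Received header with no "from" clause
# is exercised.
SAMPLE = b"""Return-Path: <digitalforensicsmagazine@mailer.emsg-live.co.uk>
Received: (qmail 18101 invoked from network); 5 Apr 2010 20:35:40 +0100
Received: from mailer.emsg-live.co.uk (me.mydomain.co.uk [192.0.2.10])
 by mail.mydomain.co.uk (8.13.6/8.13.6) with ESMTP id o35JZFxs008825
 for <tw@victim.co.uk>; Mon, 5 Apr 2010 20:35:32 +0100 (BST)
From: "Digital Forensics Magazine" <digitalforensicsmagazine@mailer.emsg-live.co.uk>
To: Tim Watson <tw@victim.co.uk>
Date: Tue, 23 Mar 2010 10:15:10 +0000
Subject: New Subscription Prices from Digital Forensics Magazine

Dear Tim,
"""

# Sendmail/Postfix form: "from <helo> (<reverse-dns> [<ip>])"; rDNS optional.
SENDMAIL_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[\d.]+)\]\)")
# Exim form: "from [<ip>] (helo=<helo>)".
EXIM_RE = re.compile(r"from\s+\[(?P<ip>[\d.]+)\]\s*\(helo=(?P<helo>[^)\s]+)\)")
BY_RE = re.compile(r"\bby\s+(?P<by>[\w.-]+)")


def parse_received(value):
    """Split one Received header into its clauses; absent clauses are None."""
    text = " ".join(str(value).split())          # unfold continuation lines
    hop = {"helo": None, "rdns": None, "ip": None, "by": None, "time": None}
    m = SENDMAIL_RE.search(text) or EXIM_RE.search(text)
    if m:
        hop.update(helo=m["helo"], ip=m["ip"], rdns=m.groupdict().get("rdns"))
    m = BY_RE.search(text)
    if m:
        hop["by"] = m["by"]
    if ";" in text:                               # the time stamp follows ';'
        try:
            hop["time"] = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def trace(raw):
    """Hops in delivery order. Servers prepend Received headers, so the last
    one in the message is the first server that handled it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def findings(raw, max_skew=timedelta(hours=1)):
    """Anomalies worth a second look, as human-readable strings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = trace(raw)
    out = []
    for i, hop in enumerate(hops):
        if hop["helo"] is None:
            out.append(f"hop {i}: no 'from' clause (local or qmail-style hop)")
        elif hop["rdns"] and hop["rdns"].lower() != hop["helo"].lower():
            out.append(f"hop {i}: claimed {hop['helo']} but connected from "
                       f"{hop['rdns']} [{hop['ip']}]")
    first = next((h["time"] for h in hops if h["time"]), None)
    if first and msg.get("Date"):
        sent = parsedate_to_datetime(str(msg.get("Date")))
        if abs(first - sent) > max_skew:
            out.append(f"Date header {sent:%Y-%m-%d %H:%M} is "
                       f"{abs(first - sent)} away from first receipt")
    return out
```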
Each mail server that handles the email will add its own “Received:” header above the previous ones and it is this trail of headers that can be used to trace an email back to its source. However, one word of warning: a sophisticated attacker can manipulate this trail by inserting false “Received:” headers to make it look as though the email came from somewhere it didn’t. As RFC 5321 states:

“SMTP mail is inherently insecure in that it is feasible for even fairly casual users to negotiate directly with receiving and relaying SMTP servers and create messages that will trick a naive recipient into believing that they came from somewhere else. Constructing such a message so that the “spoofed” behaviour cannot be detected by an expert is somewhat more difficult, but not sufficiently so as to be a deterrent to someone who is determined and knowledgeable.”

So, it would appear that detecting and attributing malicious emails is a hopeless task. Luckily for us, those who aim to
deceive us are normally not that clever. Here are the headers from the last three malicious emails that I have received. See if you can spot the errors and see if you can work out where they came from:

Return-path: <secure-alert@alliance-leicester.co.uk>
Envelope-to: tw@victim.co.uk
Delivery-date: Wed, 31 Mar 2010 19:44:56 +0100
Received: from [121.10.121.80] (helo=Hostmail)
  by inmx06.plus.net with esmtp (PlusNet MXCore v2.00) id 1Nx2uN-0005DO-Fp
  for tw@victim.co.uk; Wed, 31 Mar 2010 19:44:56 +0100
Received: from User [61.137.93.80] by Hostmail with ESMTP
  (SMTPD-8.21) id A32628218; Wed, 31 Mar 2010 22:58:46 +0800
From: "Alliance & Leicester Security Alert"<secure-alert@alliance-leicester.co.uk>
Date: Wed, 31 Mar 2010 16:59:39 +0200
MIME-Version: 1.0
Content-Type: text/html;
  charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <201003312259158.SM03620@User>
To:
Subject: Alliance & Leicester: Notification of Irregular Account Activity On Your Account

Return-path: <apache@server.hardtec.srv.br>
Envelope-to: tw@victim.co.uk
Delivery-date: Thu, 01 Apr 2010 14:15:37 +0100
Received: from [187.0.211.213] (helo=server.hardtec.srv.br)
  by pih-inmx09.plus.net with esmtp (PlusNet MXCore v2.00) id 1NxKFE-0006Wc-4I
  for tw@victim.co.uk; Thu, 01 Apr 2010 14:15:36 +0100
Received: from server.hardtec.srv.br (unknown [127.0.0.1])
  by server.hardtec.srv.br (Postfix) with ESMTP id 2E3E6D93054
  for <tw@victim.co.uk>; Thu, 1 Apr 2010 13:11:05 +0000 (UTC)
Received: by server.hardtec.srv.br (Postfix, from userid 48)
  id 0454D710AFF9; Thu, 1 Apr 2010 13:08:11 +0000 (UTC)
To: tw@victim.co.uk
From: Halifax Bank <info@halifax.co.uk>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <20100401130811.0454D710AFF9@server.hardtec.srv.br>
Date: Thu, 1 Apr 2010 10:08:11 -0300 (BRT)
Subject: Halifax Online Team Account Notification

Return-path: <xzznrg@yahoo.com>
Envelope-to: tw@victim.co.uk
Delivery-date: Mon, 05 Apr 2010 07:39:24 +0100
Received: from [95.168.183.140] (helo=srv.multimedyahosting.com)
  by inmx04.plus.net with esmtp (PlusNet MXCore v2.00) id 1Nyfy0-0004Vc-A7
  for tw@victim.co.uk; Mon, 05 Apr 2010 07:39:24 +0100
Received: (qmail 18101 invoked from network); 5 Apr 2010 09:40:47 +0300
Received: from unknown (HELO User) (190.254.17.41)
  by softdnserror with SMTP; 5 Apr 2010 09:40:47 +0300
Reply-To: xzznrg@yahoo.com
From: PayPal<xzznrg@yahoo.com>
Date: Mon, 5 Apr 2010 01:39:15 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_009E_01C2A9A6.023CCCD0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <E1Nyfy0-0004Vc-A7@inmx04.plus.net>
To:
Subject: Notification of Limited Account Access

You can see that we have IP addresses (the “whois” command is useful for finding out about IP address allocation and there are online services that offer to geo-locate IP addresses), domain names, details about the mail clients used, timezone details in the date header etc. There’s even a clue as to how the middle machine has been exploited (the return path is an apache webserver email address, which suggests that the webserver was attacked). And before you rush off to catch these dastardly digital deadbeats, remember that, in almost all cases, malicious email is sent from the compromised machines of innocent victims.

There is much more to explore in the hidden world of email. Topics such as greylisting, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) all provide techniques for protection, further avenues for exploitation and opportunities to both trap and trace the unwary. To find out more I would normally suggest that you drop me an email but, on second thoughts, perhaps that’s unwise! /

/ Author Bio
Dr Tim Watson is the head of the Department of Computer Technology at De Montfort University and the leader of its computer forensics and security group. With more than twenty years’ experience in the computing industry and in academia, he has been involved with a wide range of computer systems on several high-profile projects and has acted as a consultant for some of the largest telecoms, power and oil companies. Tim is a regular media commentator on computer forensics and security.
/ FEATURE

PROACTIVE COMPUTER FORENSICS
THE SECOND PART IN SCOTT ZIMMERMAN’S SERIES ON PLANNING AND PREPARATION

In the first article we covered the reasoning behind Proactive Computer Forensics. To recap, continuously gathering and storing event-related information appropriately – before an incident occurs – can pay dividends in an investigation.

/ INTERMEDIATE

Though the article uses excerpts from US and UK law, readers are encouraged to use the two provided links to acquire their own (published, freely-available) copies of the US and UK statutes in their entirety.

If there is a chance that a forensic investigation could result in prosecution, the evidence gathering process should include events, actions and other data points that are related to specific legal statutes. As a guide to identifying these events, we will examine two pieces of legislation: the Computer Fraud & Abuse Act from the US and the Computer Misuse Act 1990 from the UK.

/ The Computer Fraud & Abuse Act
The Federal statute that covers computer intrusions in the United States is US Criminal Code, Title 18, Section 1030 - Fraud and Related Activity in Connection with Computers. Also known as the Computer Fraud and Abuse Act, 18 USC Section 1030 can be found in its entirety at the United States Department of Justice web site: http://www.usdoj.gov/criminal/cybercrime/1030NEW.html.

The entire code is fairly lengthy – about six printed pages – but certain portions of the code will be of great interest to those involved with computer crime and forensic investigation. In the interest of space and relevance we will not cover the entire code in detail. The relevant sections will be addressed in the order that they appear in the body of the code.

Section 1030(a)(4)
[Whoever] knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any one-year period;

This covers an intruder who gains access and steals data, trade secrets, proprietary software, commercial software, etc. that is worth more than $5,000. If the intruder breaks in, creates an account for himself, and immediately logs out, the amount of damage from that specific incident might not reach the required level of $5,000, but we will soon see that there are other factors involved in the damage calculations.

1030(a)(5)(A)(i)
…knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

A good example of item (A) is the intentional and malicious transmission of Trojan horses, viruses, and other malware: the sender has knowingly transmitted a program with the intent to cause damage to a protected computer. However, a buffer overflow exploit would also fit the description, since the exploit itself is “information, code, or command” – actually all three – and is intended to cause an unauthorized effect. Whether this effect constitutes ‘damage’ will depend on the nature of the script and the overall robustness of the system.

1030(a)(5)(A)(ii)
…intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

1030(a)(5)(A)(iii)
intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage


Items (ii) and (iii) are very similar. In fact, the only difference is the use of the word recklessly in (ii). Why draw the distinction? Both (ii) and (iii) contain intentional access to a protected computer without authorization, which means that the intruder achieved some level of compromise and has gained access to the system. Anything that the intruder does – malicious or otherwise – after this point will fall into one of two categories: acts that were committed intentionally, or acts that were committed recklessly.

An act committed recklessly means that the intruder did something he did not intend to do, possibly through haste or carelessness: for example, he might have mistyped a command, killed the wrong process, or deleted a file accidentally. As a result, the damage caused was not wholly intentional, and this intruder’s actions would fall under (ii). However, if the act was committed intentionally, and the intruder accomplished exactly what he intended to do – such as rm -rf /database – the offense is covered by (iii).

1030(a)(5)(B)
by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused):

This clause is very interesting: it states that an intruder does not have to be successful in his endeavor; the attempt to cause damage is enough to warrant prosecution. As a result, any evidence related to attempted but unsuccessful activity can be valuable. This may include (but is not limited to) failed login attempts, denied attempts to access specific files, and applications which have been run or which someone tried to run.

1030(a)(6)
knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;

An example of this sort of offense would be an intruder who compromises a server used to process online credit card transactions, creates a privileged account, and then distributes the username/password pair to his friends via text/SMS so they all can gain access. In this case the intruder would be charged under section (B) because the trafficking of the username and password affected a computer used for interstate commerce.

1030(d)(11)
the term ‘loss’ includes any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service; and

If an intruder compromises a machine and does not do any damage – meaning he left the system in the same state he found it – the organization that owns the machine will still need to conduct a thorough investigation. Even if the intruder left a polite note for the system administrators stating that he did no damage, should the administrator take the note at face value? One sincerely hopes he will not; after all, if someone is ethically challenged enough to compromise someone else’s system, how can the system administrator be expected to believe this someone would tell the truth in the note? A reasonable and prudent individual would be quite skeptical of this.

1030(e)(1)
the term “computer” means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;

This clause is useful because it expands the area of concern beyond that of the typical desktop computer or server. Firewalls, switches, routers, wireless access points, centralized storage – such as SANs – as well as PDAs and smartphones all fit the definition laid out above. As a result, event information concerning these devices may be quite useful and should be captured.
/ Computer Misuse Act (1990)
Where the US has the Computer Fraud & Abuse Act, the UK has the Computer Misuse Act (1990). This statute may be viewed in its entirety here: www.opsi.gov.uk/acts/acts1990/UKpga_19900018_en_1.htm

As with the US code, we will focus on particularly relevant clauses. Section 1 of the Computer Misuse Act begins as follows:

1. Unauthorised access to computer material
(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.

Note that no distinction is drawn between using an attack tool – e.g. inducing a buffer overflow – and using a standard authentication mechanism – e.g. a web site login page – in order to access the computer. The statute covers normal logins, access to web pages and databases, and all other forms of access. As we see in parts (a) and (b), intent is a significant part of the equation.

If an individual uses an attack tool to obtain access, he cannot make a strong case that he did not know what he was doing was unauthorized, and it becomes readily apparent that there was some specific intent involved. But what if Bob gives his password to his co-worker Ian? Ian may access a resource under the misapprehension that he is permitted to do so. Suppose Ian surreptitiously watches Bob log in and appropriates his password – what then?

This area becomes a bit tricky because the unauthorized actions do not appear to be unusual: in the logs, they will look like everyday, permissible activity. However, this information can be used in a number of situations:

• It appears that Bob logged in on Monday morning when he was actually on holiday climbing Mount Kilimanjaro; this is suspicious activity, even though the authentication was successful.
• It appears that Bob logged in from an IP address belonging to a competitor, or from one in a foreign country; this is suspicious as well, especially if Bob is not travelling.
• It appears that Bob logged in at 0230 on a weekend; this is also unusual and warrants some follow-up.

These events may turn out to be mundane, but without effective information gathering and storage, corroboration may be difficult.

(2) The intent a person has to have to commit an offence


under this section need not be directed at—
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.

This section – similar to what we saw in 18 USC 1030 – does


not directly distinguish between intentional and unintentional
acts. In other words, a person who accessed system A cannot
state that he is innocent because he actually wanted to access
system B: the target is immaterial.
It also does not distinguish among reasons for gaining illicit
access. An individual who without authorization accessed a
system will be guilty of the same offense regardless of his
motivation for gaining the access.
This section may appear to contradict the previous one:
please be assured it does not. The law is concerned primarily
with the intent to commit the offense: once that has been
established, the specific motivation behind the intent is of
secondary importance and neither diminishes nor excuses the
primary intent.

2. Unauthorised access with intent to commit or facilitate


commission of further offences
We will skip items (1) and (2).



(3) It is immaterial for the purposes of this section whether the further offence is to be committed on the same occasion as the unauthorised access offence or on any future occasion.
(4) A person may be guilty of an offence under this section even though the facts are such that the commission of the further offence is impossible.

An example of an action fitting clause (3) is that of an intruder who gains unauthorized access to a system – e.g. using a compromised account – and then creates a privileged account for himself before logging out. This would allow him to log back in later without the potential for raising alerts by re-using the compromised account.
For clause (4) we may consider the same intruder who creates the privileged account – or made some other modification to the system to allow access – and then promptly forgets the password or access method. The facts are now that the intruder cannot use the access method he set up for himself, but that is immaterial to determining guilt: he still made the system modifications with the intent of furthering the original offense(s).

/ What does all this mean?
We’ve looked at some interesting legal statutes, and we’ve associated them with some activities commonly uncovered during forensic investigations. But to what end?
Here is why: we now have a better idea of the kinds of activities that should be monitored in a Proactive Computer Forensics effort. This list includes, but is not limited to the following:

• Account creations and deletions
• Strange login activity, e.g. multiple failures, successes at odd hours or from unusual sources
• Unusual application behaviour
• Failed attempts to access data or other resources
• Failed attempts to run programs, scripts, or commands, especially those which grant or require privileges
• Unexplained reboots or other strange system behaviour

In short, we want to learn who is doing what on a given system. It may help to remember the five W’s used by journalists: Who, What, When, Where, and Why. Later in the series we will discuss technical means for gathering this information.
In the next issue we will examine US and UK evidentiary requirements to learn what must be done to maintain the integrity of evidence. /

/ Author Bio
Scott C. Zimmerman, CISSP has been an Information Security consultant, presenter, and trusted advisor since 1995. He has been researching legal issues in computer forensics part-time for nearly ten years, and is working to bridge the gap between law and technology in this area.
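The login anomalies and the monitoring list in the article above, turned into a small check over constructed authentication records. This is an added example, not the author's code; the internal networks, the absence register, the country lookup and the record format are all assumptions made for the example.

```python
"""
Added example (not from the article): flag the kinds of login events the
article lists as worth following up, over a few constructed auth records.

Checks implemented:
  * login for an account recorded as absent (Bob "on holiday" on Monday morning)
  * login from a source outside the organisation's networks and home countries
    (the competitor / foreign IP case)
  * login at an odd hour or on a weekend (02:30 on a Saturday)
  * privileged account creation shortly after a login (the clause (3) scenario)

All records, networks, usernames and the country mapping below are constructed
for the example; nothing here comes from a real system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed reference data (assumption: the organisation maintains these).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
# Stand-in for a GeoIP lookup: documentation ranges mapped to made-up countries.
GEO = {ip_network("198.51.100.0/24"): "GB", ip_network("203.0.113.0/24"): "XX"}
HOME_COUNTRIES = {"GB"}
# Absence register: who is away, and for which period (start inclusive, end exclusive).
ABSENT = {"bob": (datetime(2010, 4, 19), datetime(2010, 4, 26))}
WORK_HOURS = range(7, 20)  # 07:00-19:59 counts as a normal working hour


@dataclass
class Event:
    when: datetime
    user: str
    action: str   # "login" or "useradd"
    source: str   # IP address, or "console"
    detail: str = ""


def country_of(ip: str) -> str:
    addr = ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "?"


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in n for n in INTERNAL_NETS)


def parse(line: str) -> Event:
    # Constructed record format: "<ISO time> <user> <action> <source> [detail]"
    when, user, action, source, *rest = line.split(maxsplit=4)
    return Event(datetime.fromisoformat(when), user, action, source, rest[0] if rest else "")


def flag(events):
    """Return (event, reason) pairs for events that warrant follow-up."""
    findings = []
    last_login = {}
    for ev in events:
        if ev.action == "login":
            last_login[ev.user] = ev
            away = ABSENT.get(ev.user)
            if away and away[0] <= ev.when < away[1]:
                findings.append((ev, "login while user recorded as absent"))
            if ev.source != "console" and not is_internal(ev.source):
                cc = country_of(ev.source)
                if cc not in HOME_COUNTRIES:
                    findings.append((ev, f"login from external source in country {cc}"))
            if ev.when.weekday() >= 5 or ev.when.hour not in WORK_HOURS:
                findings.append((ev, "login at an unusual time"))
        elif ev.action == "useradd":
            # A privileged account created soon after a login on the same account.
            prev = last_login.get(ev.user)
            if prev and ev.when - prev.when < timedelta(minutes=30) and "admin" in ev.detail:
                findings.append((ev, "privileged account created shortly after login"))
    return findings


# Constructed sample records. 2010-04-19 is a Monday, 2010-04-24 a Saturday.
SAMPLE = """2010-04-19T08:55:00 bob login 10.0.4.7
2010-04-21T11:02:00 alice login 198.51.100.9
2010-04-22T14:10:00 carol login 203.0.113.5
2010-04-24T02:30:00 dave login 10.0.4.7
2010-04-24T02:41:00 dave useradd console created account svc-backup group=admin
""".strip().splitlines()


def run(lines=SAMPLE):
    """Flagged (time, user, reason) triples for the given records."""
    return [(ev.when.isoformat(), ev.user, why) for ev, why in flag(map(parse, lines))]


if __name__ == "__main__":
    for when, user, why in run():
        print(f"{when} {user}: {why}")
```

Every flagged event is only a lead: as the article says, the authentication itself succeeded, so each one has to be corroborated against other records before it means anything.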




/ FEATURE

THE FACEBOOK MURDER: A LINGUISTIC MASTER CRIMINAL
These days, online chatrooms are causing much concern with regard to the safety of our children. However, is there a way to spot potential problems by reading between the words people use?
by John Olsson

At just after 7pm on 25th October 2009, Ashleigh Hall, a popular, vivacious teenager with a wide circle of friends, left her home in Durham for the last time. She was looking forward to meeting her date for the evening, ostensibly a teenager by the name of Peter Cartwright. They had met on the social networking site, Facebook. ‘Peter’ was presumably too young to drive and so could not meet her in person, but his father would be passing nearby on his way home from work, as ‘Peter’ explained in a text:

Me dad’s on his way babe he said excuse the state of him lol He’s been at work lol he doesn’t have to come in and meet your mum does he lol he’ll be a mess probably lol x

The bit about having to meet Ashleigh’s mum amused the young girl. She replied:

Okaii babe and no he doesnt lol and its okaii haha x x

A little later, sure enough Peter’s ‘dad’ texted as follows:

Hi hun its pete’s dad are you sure you dont mind me picking you up? Pete is really looking foreward to seeing you and yes its ok for you to stay

Ashleigh, excited by her forthcoming date, saw nothing wrong with this. She immediately replied:

No its fine i dnt mind i trust him so i trust u and thank u

At the same time she sent a text to ‘young’ Peter:

How long will it take him to get here babe x x

What Ashleigh did not know was that the dad and ‘Peter’ were one and the same individual. Hidden behind the mask of electronic anonymity was Peter Chapman, a 33-year old convicted rapist and multiple sex-offender who had escaped the clutches of Merseyside Police’s offender monitoring system and headed to the north east. Chapman, presumably as eager to meet Ashleigh as she was to meet his ‘son’, had almost sent her the following text:

You’ll be safe with me when would you like me to come for you?

However, this text remained in the ‘Unsent’ folder of his mobile phone. I will refer to this text again later in this article. Instead of the ‘you’ll be safe’ text, Chapman sent the following, in his role as the ‘young Peter’:

Oh should take him 20 mins or so with sat nav x

The elated Ashleigh replied:

Okaii babe x and haha mad u babe x x

While waiting, she also texted:

Cnt wait to meet u babe, lyk u loads babe x x x

Unaware that Ashleigh was actually waiting on the street, Chapman then texted:

He just rang to say He’s round the corner so go outside x

Quite why Peter ‘senior’ would phone Peter ‘junior’ so that he could text Ashleigh, rather than text her himself, is not known: impractical though it undoubtedly was, it probably inspired confidence in Ashleigh, who almost immediately replied:

Hes here babe x x

So convincing was Chapman’s ruse that Ashleigh had now totally fallen for the story that she was dealing with two people, and that it was the ‘father’ whose car she was going to get into.



Once in Chapman’s vehicle, Ashleigh then began texting a close friend. She and her friend spent the next half hour or so exchanging texts about the television programme, X Factor:

X-factor woop woop who do u think will go x x

I liked tht ollie he was realli gd i thought, his dancin was mint haha x x

There was then a long interlude before two texts were received from Ashleigh’s phone:

Haha thts great tht programme i watch it all the time haha :p x x

Haha ur mad u, ur bloody addicted to tht u, i blame nick haha :p x x

After this no more texts were received from the phone. Ashleigh’s mother believed Ashleigh was spending the night with a girlfriend. That is what Ashleigh told her and she had no reason to disbelieve it. Ashleigh’s friend, who was in the know, had seen the supposed photograph of young ‘Peter’ and had also been taken in by it. When she didn’t receive any more texts that evening she presumed that Ashleigh had arrived at the house of young ‘Peter’ and that everything was fine.
The following day Chapman was stopped in his car by local police. The vehicle registration number had come up on the police computer – lack of insurance. Moreover, it appeared the driver was wanted for failing to notify a change of address, a requirement of all sex offenders. After being taken to Durham police station Chapman volunteered that he had killed someone the previous night. However, he claimed that he had accidentally smothered Ashleigh. He was initially charged with manslaughter.
Ashleigh’s texts were sent to the Forensic Linguistics Institute for analysis. We also received those of several of Ashleigh’s friends, and those of Chapman himself – both in his own character and those of the assumed ‘young Peter’. The aim was to determine whether Chapman had sent the last few texts from Ashleigh’s phone.
These texts, the last two quoted above, had roused no suspicions on the part of Ashleigh’s best friend, someone with whom she regularly texted. However, officers were suspicious about the time lapse between these messages and the earlier ones.
I began by looking at Chapman’s style of language use. It was immediately apparent that he had several distinct styles of texting. For example, in his texts to females of his acquaintance, Mr Chapman uses a number of abbreviations, such as the –in abbreviation for the ending –ing, e.g. ignorin, livin, changin, comin, shoppin.
On the other hand when he is attempting to sell a laptop computer he writes the ending in full, e.g. charging. When writing to a female he asks if he should go to her or if she will cum in to him, but when writing about the computer he spells the word conventionally, stating that it comes with a carry bag. When texting other co‑texters he usually uses my as a possessive pronoun, but me as a possessive pronoun when texting Ashleigh as the allegedly ‘young’ Peter.
When pretending to be ‘Peter’s’ father in communicating with Ashleigh no abbreviations are used, and the full –ing inflection is used, e.g. picking, looking, seeing. Also, usually



Table 1. Questioned (Q) text measurements

Q text                   Word length average   No of words   No of chars
Haha thts great tht…     4.33                  15            65
Haha ur mad u…           4                     17            68
AVERAGES                 4.17                  16            66.5

Table 2. Known text measurements (texts to friend)

Known text                                                                   Word length average   No of words   No of chars
Did u give tht lad my number lol x x                                         3.6                   10            36
Haha how cum u were gonna give him my number lol x x                         4                     13            52
Haha ur mad u x x                                                            2.83                  6             17
X-factor woop woop who do u think will go x x                                4.09                  11            45
I lyk them all at the minute lol x x                                         3.6                   10            36
I liked tht ollie he was realli gd i thought, his dancin was mint haha x x   4.35                  17            74
AVERAGES                                                                     3.75                  11.17         43.33

yeah is his preferred form of affirmation, but in this text he uses yes in its conventional form. In my view, this text is intended to convey a conservative use of language, such as one might associate with an older male. On the other hand when the allegedly ‘younger’ Peter is communicating with Ashleigh, abbreviations are used, e.g. wanna, yeah, bout, comin.
One of the texts in Mr Chapman’s phone addressed to Ashleigh was the ‘unsent’ text I referred to earlier. This text reads:

You’ll be safe with me when would you like me to come for you?

It can be noted that this text is entirely conventional in style. For example, both ‘come’ and ‘when’ are written in full. As seen from Mr Chapman’s other texts he habitually writes ‘wen’ rather than ‘when’. In my view, this is clearly a text designed to convey to the reader that the sender is a conservative user of language, something that is often associated with an older texter. I suggest that using conventional language may have some of the effect that a ‘posh’ or ‘educated’ accent used to. The receiver of such a text – just as the person listening to the ‘educated’ accent – is intended to feel that the speaker, or in this case texter, is a safe, establishment‑like figure.
Equally significant is the fact that this text was not sent. I believe this shows a highly linguistically aware individual in the sense of someone who is able to assess the potential impact of what they write, on a particular recipient. In the context of a strange man, purportedly the father of a young boy about to date a girl for the first time, the word ‘safe’ could have been misconstrued by the recipient. It is clearly an inappropriate word to use in the context, since it could have motivated the recipient, in this case a young female, to wonder why the issue of safety was a concern when, as is evident from her own texts, she had no such concerns. Her previous text, in fact, had read:

No its fine i dnt mind i trust him so i trust u and thank u

Hence, it is clear that Chapman is a sophisticated user of the texting medium: he modifies his style depending on his recipient and the message, and is able – apparently very rapidly – to determine that a particular text might be construed to his disadvantage. It is also apparent that he can imitate both older and younger text users. His age at the time was only 32.
But Chapman was more than a successful disguise artist. After all, almost anybody can wear a disguise, but can they wear a disguise that would convince those who know the person whose identity is being assumed? This applies as much to language as to a physical disguise: to assume a disguised ‘voice’ and to be able to maintain it is not something most of us can do. It actually requires acute observation of language, and an understanding of how linguistics works.
Chapman was able to pick up many of Ashleigh’s features in his short period of contact with his victim –

The use of haha: Haha….haha – He always uses ‘hehe’
The abbreviation of that: thts, tht – He never abbreviates ‘that’
The abbreviation of your, you’re: ur – He always uses ‘your’
The two x’s spaced apart, x x: haha :p x x – He uses one ‘x’
The lack of apostrophe: thts – He sometimes uses apostrophes

The above illustrates Chapman’s outstanding powers of linguistic observation. How long did he have to observe these features? Probably less than 10 minutes. It would probably take most linguists that amount of time to note down the



features, and Chapman is working under real pressure. Having by now presumably killed Ashleigh he is sitting in his car, perhaps having driven a short distance away from the scene, and is trying to buy time. At all costs he does not want a search party tonight.
Having said all of this, the reader may be wondering why I considered the language of the last two texts to be, not the language of Ashleigh Hall, the victim, but of Peter Chapman, the murderer? After all, the style was Ashleigh’s and not Chapman’s. How could I demonstrate this?
When I looked at Ashleigh’s other texts to her close friend, one thing was very striking. Here are some examples:

Haha ur mad u x x
I lyk them all at the minute lol x x
Did u give tht lad my number lol x x

What is interesting about these examples is their brevity. The average length of texts sent to her best friend was 49 characters. The average length of the last two texts was 66.5. This is no small point. We have two young girls who regularly text each other. They practically live in each other’s houses. They know virtually everything about each other that there is to know, more than their parents could probably ever imagine. They do not need to send each other lengthy communications.
Not only do Ashleigh’s usual texts to her friend consist of fewer characters, they also consist of fewer words, and these words are significantly shorter than those found in the questioned texts.
There are two other points worth mentioning. First, note the content of one of the messages: Haha thts great tht programme i watch it all the time haha. This message contains ‘haha’ at the beginning and the end. At the Forensic Linguistics Institute we hold a corpus of over 5000 messages from over 100 users. It is updated constantly. Not one of the messages in our corpus has ‘haha’ at the beginning and the end. Secondly, this message purports to be from one close friend to another. Yet the writer is telling her friend, who knows almost as much about her as she does herself – such is the nature and intensity of teenage friendships – that she watches a certain programme all the time. If it were true that



Ashleigh watched that particular programme ‘all the time’ she would not have to tell her close friend this. It would be completely unnecessary to do so – linguists refer to this as ‘given’ information. Also, I suggest that the use of ‘haha’ twice in each text is suspicious. In my view it attempts to portray the writer as being in a state of excessive enjoyment, but in reality it verges on the artificial. It is also suspicious that not only do these two texts contain two instances of ‘haha’ each, but also the end ‘haha’ is followed by a smiley. It seems to me that either the second ‘haha’ is unnecessary or the smiley is unnecessary. Teenagers are nothing if not economical in their use of texting language, especially with someone with whom they communicate frequently.
For these reasons I considered that Chapman was a plausible author of the questioned texts. He was able to disguise his style, to adopt different styles and to enter deep into youth culture. However, he did not understand the basic mechanisms of close female relationships – or perhaps close relationships at all. He did not understand that young people often text each other just to show solidarity against the uncomprehending adult world, that almost all of their texts contain only the barest information about where they are, what they are doing and when they will meet. Everything else that happens in their lives they most likely discuss on their mobile phones or in person. Unfortunately, in this instance the skill of the predator outwitted even an intelligent young lady who was probably as aware as anyone else of the dangers of communicating with an unknown person across the internet: so well had he woven his own web of deceit. By the time she stepped into Chapman’s car, Ashleigh probably already felt that she knew ‘young Peter’ and was confident that she would be meeting him soon. /

/ Author Bio
Dr John Olsson founded the Forensic Linguistics Institute in 1994. He holds postgraduate degrees in Linguistics from several British universities including a PhD. His specialty is authorship and the analysis of written and spoken discourse. He has worked on over 350 cases in all areas of crime throughout the UK, including high profile investigations into homicide, drug and people trafficking, witness intimidation, etc., and has appeared as both a prosecution and a defence witness on many occasions. His most notable civil case was the plagiarism allegation surrounding the Da Vinci code.
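The measurements in Tables 1 and 2 and the markers the article relies on (‘haha’ at both ends, the smiley after it, the abbreviated ‘that’ and ‘your’, the spaced kisses), reproduced in code as an added example. This is not the Forensic Linguistics Institute’s tooling; the marker definitions and the treatment of trailing kisses and smileys are assumptions made for the example, and the texts are those quoted in the article.

```python
"""
Added example (not the Forensic Linguistics Institute's own tooling): reproduce
the measurements in Tables 1 and 2 and the stylistic markers the article
contrasts, then compare the questioned texts with the known ones.
"Word length average" is characters / words rounded to two decimals, which
is how the tables' figures work out (e.g. 17 / 6 = 2.83).
"""
import re
from statistics import mean

# Kisses and smileys that trail a message without carrying content (assumption).
TRAILING = {"x", "xx", ":p", ":)", ";)"}


def measure(text: str):
    """Return (characters, words, characters per word) for one text."""
    words = text.split()
    return len(text), len(words), round(len(text) / len(words), 2)


def _core(tokens):
    """Drop trailing kisses/smileys so the last content word can be checked."""
    end = len(tokens)
    while end and tokens[end - 1] in TRAILING:
        end -= 1
    return tokens[:end]


def markers(text: str) -> dict:
    """Presence of the features the article singles out in the questioned texts."""
    toks = [t.strip(",.!?").lower() for t in text.split()]
    core = _core(toks)
    return {
        "haha_both_ends": len(core) > 1 and core[0] == "haha" and core[-1] == "haha",
        "abbreviates_that": any(t in ("tht", "thts") for t in toks),
        "uses_ur": "ur" in toks,
        "spaced_kisses": text.rstrip().endswith("x x"),
        "smiley_after_haha": re.search(r"\bhaha\s*:p", text, re.I) is not None,
    }


def profile(texts):
    """Averages (as in the AVERAGES rows) plus the share of texts showing each marker."""
    ms = [measure(t) for t in texts]
    mk = [markers(t) for t in texts]
    return {
        "avg_chars": round(mean([m[0] for m in ms]), 2),
        "avg_words": round(mean([m[1] for m in ms]), 2),
        "avg_word_len": round(mean([m[2] for m in ms]), 2),
        "marker_rate": {k: sum(d[k] for d in mk) / len(mk) for k in mk[0]},
    }


def compare(known, questioned):
    """Both profiles, plus markers found in every questioned text but in no known one."""
    kp, qp = profile(known), profile(questioned)
    absent = [k for k, r in qp["marker_rate"].items()
              if r == 1.0 and kp["marker_rate"][k] == 0.0]
    return {"known": kp, "questioned": qp, "markers_absent_from_known": absent}


# The texts quoted in the article (Table 1 and Table 2).
QUESTIONED = [
    "Haha thts great tht programme i watch it all the time haha :p x x",
    "Haha ur mad u, ur bloody addicted to tht u, i blame nick haha :p x x",
]
KNOWN_TO_FRIEND = [
    "Did u give tht lad my number lol x x",
    "Haha how cum u were gonna give him my number lol x x",
    "Haha ur mad u x x",
    "X-factor woop woop who do u think will go x x",
    "I lyk them all at the minute lol x x",
    "I liked tht ollie he was realli gd i thought, his dancin was mint haha x x",
]

if __name__ == "__main__":
    result = compare(KNOWN_TO_FRIEND, QUESTIONED)
    for label in ("known", "questioned"):
        p = result[label]
        print(f"{label}: word length {p['avg_word_len']}, words {p['avg_words']}, chars {p['avg_chars']}")
    print("markers absent from known texts:", result["markers_absent_from_known"])
```

With six known texts the marker rates are only indicative; the article's stronger point is that the corpus of over 5000 messages contains no text with ‘haha’ at both ends, which a check like this can test once it is run over such a corpus.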



/ FUTURE ISSUES

COMING SOON…
Some of the great content coming up in Issue 4, out 1st August 2010

We are already busy planning and acquiring articles for future issues of Digital Forensics Magazine and here is just a taster of what is in store in Issue 4:

/ Psychosocial Forensics
Dr Barry Hood takes a look at Operational Forensics rather than just Computer or Digital Forensics. Whereas the latter is concerned with the gathering of evidence for prosecution or disciplinary action, the former is more concerned with gathering evidence for the purpose of correction and improvement.

/ Detecting a Commercial Grade Spyware that is Polymorphic
Bill Dean provides an article that describes a methodology/procedure for detecting a commercial grade spyware that is polymorphic and undetected by any utilities because it is commercially sold.

/ Mobile Phone Analyser Comparison
Originally planned for Issue 3, Peter Jones compares the Mobile Phone Analyser MSAB’s XACT with CelleBrite’s Physical Analyser – these solutions are now the most popular solutions in the arsenal of a mobile phone forensic lab.

/ “Netflow” Forensics
Another in-depth piece by George Bailey. This time on the challenges and benefits of using netflow data in digital forensic investigations. Suggestions are provided in order to increase the value of using netflow data as a source of supporting evidence in digital forensic investigations.

/ Do You Have an Interesting and Informative Article you would like to Share?
Do you have an interesting case study, research paper, tool or technique that you think our readers would be interested in? Find out how to submit your work on page 81.

NEXT ISSUE PUBLISHED AUGUST 2010

/ Features on the Website
We are looking for authors who would be prepared to contribute short articles on the DFMag website. These articles are limited in word count and not as extensively reviewed as our feature articles. We are looking to provide up to the minute information, news and interesting articles that would be of interest to the readers of DFMag and the visitors to the web site. If you do not have the time to contribute a feature article, but would like to write a piece for the web, contact acquisitions@digitalforensicsmagazine.com

Note: DFMag may change the planned content of future issues without notice.



/ FEATURE

A DIGITAL FORENSICS LAB BY ANY OTHER NAME
Digital forensics laboratories may once have been specialized, but increasing case complexity demands broader capabilities across disciplines
By Christa Miller, Todd G. Shipley and Warren G. Kruse II

The fundamental mission of a digital forensics laboratory – the legally defensible collection, preservation, and analysis of evidence – may be the same, but budget, staffing and governance drive how different labs accomplish this task.
A digital forensics laboratory might handle one or more of the following functions:

• Computer Forensics
• Video Forensics
• Forensic Audio
• Image Analysis
• Mobile Device Forensics
• Incident Response
• e-Discovery/Litigation Support
• Data Recovery

/ From Computer Forensics to Digital Forensics
The shift from the term “computer forensics” to “digital forensics” started about six years ago, when mobile phones started to become popular. Over time, wireless hard drives, Flash memory or “thumb” drives, and other small devices also became sources of evidence. Now, because incident responders and forensic examiners have become used to collecting data from many sources, they’re likely to have the hardware and software necessary to obtain data from multiple storage media.
Lab space may be carved out for storage and acquisition of mobile devices, as well as the hardware used to acquire their data. Although more of the newer phones are USB-compatible, older models and many others are not – demanding the storage of dozens of power and adapter cables, and drivers to make them compatible with forensic machines. Often a separate computer is utilized for phone forensics to avoid conflict with software and drivers. Analysis uses software just as a hard drive does; it is thus performed on the same type of forensic workstations.

Law enforcement and non-law enforcement labs often handle these areas differently. Law enforcement labs focus on collecting digital evidence that supports criminal allegations. If they find exculpatory information, that is also reported by the examiner, but it is not necessarily the examination’s focus (as it is for examiners



working criminal defense cases). Law enforcement examiners look for evidence in data areas under the user’s control, as well as in unallocated space not under the user’s control.
Civil examiners focus on litigation support, which is not something law enforcement examiners are generally concerned with. Litigation requires most of the recovered information to come from user-controlled areas of the storage media. This can be accomplished through a variety of methods, which are considered specifically as sound computer forensic practices.
Thus the actions of both law enforcement and non-law enforcement laboratories can be similar in tools and methodology, but these actions can occur differently for reasons related to their ultimate purpose and use by the court.

/ Warning!
Examiners who specialize in incident response need to be aware of any laws regarding privacy of personal data. International companies are required to comply with the laws of the country where the data is stored. Accessing data remotely could compromise an investigation and put the examiner at potential legal risk.

Because tools and methodology are similar, however, both types of labs face similar challenges. First, the proliferation of smaller-sized, yet larger-capacity media means that forensic examiners increasingly find themselves handling complex cases that overlap each of the eight sub-disciplines.



/ FEATURE

Additionally, large data sets continue to be a problem. As the volume of digital evidence grows, so does the requirement for sufficient space to archive the cases until they are adjudicated. Finally, with each function a laboratory handles, a different skill set is required—as well as toolkits to accomplish the job.

/ How labs support forensic professionals
Skill sets were noted in a February podcast at Bank Information Security, during which Rob Lee, a director at MANDIANT, told interviewer Tom Field: “The cases that we’re now experiencing require forensic professionals to be able to be comfortable with doing forensics across multiple machines, across different environments and give different case types all the way up to where you could be investigating advanced hackers that are moving within your organization.”

Indeed, within corporate environments, digital forensic examiners tend to be generalists rather than specialists: they deal with both inside and outside threats, with regulatory issues, with civil lawsuits. Even though the forensic work across disciplines may be the same, some differences exist. Incident response, for instance, might be called “data mapping” when applied to regulatory matters.

Also different can be specific areas of focus. An examiner who deals mainly with outside threats may focus on servers, routers, switches and firewalls, while an examiner dealing with inside threats is more likely to focus on authorized user access.

Ultimately, however, each examiner’s job is still to find the source of information. To that end, the generalist does not have to know how to configure switches or routers, but knowing what those pieces of equipment do is helpful. Likewise, it is not necessary to be a programmer to follow source code, but understanding programming can be very beneficial.

Thus the forensic lab, whatever its mission, must be able to support this variety of examiners and their examinations in a way that protects the integrity of both stored and collected data. Even if a case never sees the light of a courtroom, data collection, preservation and analysis must adhere to standards almost as strict as those for a criminal case. Gathering digital evidence for civil cases doesn’t follow standards as stringent as for criminal cases, but there are still chain of custody and security issues. A lab might be imaging the PCs of chief executive or chief financial officers at large corporations. These people are custodians of sensitive information—the company’s ‘crown jewels’ of trade secrets and intellectual property, and/or customers’ private data.

/ Digital Forensic Lab Security
Before any lab can start to handle evidence, it must be appropriately secured. Perimeter security to the building where the lab is housed must include alarm systems and some form of key access. Then security must increase, with more access restrictions the closer one moves to the lab.

Ideally, the lab will have separate alarm systems for the building perimeter, the forensic lab, and the evidence room. The lab and evidence room should also have multifactor security, such as both card key and biometric access. That way, only lab people have access to the lab and only evidence people have access to the evidence. However, to improve both security and convenience for people who have both kinds of access, the evidence room should be adjacent to or inside of the lab.

Examiners must also ensure that data cannot be accidentally lost. In one lab, every floor tile was grounded and made of static-free material. Worktops were static dissipating too. It wasn’t a clean room – just a forensic lab – but it worked with bare hard drives pulled from the computer. Even when the drives were in an ESI box or static-free packaging, it was an additional precaution. The tiles didn’t cost much more than regular floor tiles, and even though it cost more to have the electrician connect and ground each one, it was still cheaper than the raised floor in a typical data center. It was also cheaper than data loss would have been. And it added an extra layer of credibility when clients and prospects toured the facility.

/ Lab function and location
Labs typically consist of forensic workstations, which may comprise one tower used for imaging and/or a tower or laptop used for analysis. The lab may also be structured for workflow, with one workstation set up for imaging, another for analysis, and so forth. In either case, the imaging box must feature either a software or hardware write blocker, and the computer(s) used for analysis may feature a variety of software used to perform it.

Toolkits can be challenging for labs of any size and persuasion because modern operating systems and applications are so complex, and so is the array of tools made to examine them. There is no one perfect tool; each has its own strength, and together they provide a toolbox. Some focus on post-acquisition data analysis, and some focus on incident response. This is the difference between products like EnCase Enterprise and EnCase Forensic, which amounts to the way each tool acquires and analyzes data—from a local hard drive attached to a write blocker, or from a networked computer that would lose data if powered down.

Because the larger and more comprehensive tools can’t do everything, many small companies develop tools to solve individual problems like how to decipher a particular file type. Thus labs must obtain and maintain thousands of dollars worth of software and hardware tools, then track software and software versions and validate the software manufacturer’s claims.

Additionally, labs need some ability to archive collected drive images. Historically this has been to CD or DVD, but as data sets have grown, hard drives have begun to be used as a storage medium. Now even smaller laboratories have networks with large NAS storage in multi-terabytes.



A centralized laboratory is important for digital forensics, but a lab involved with incident response should be mobile, because of the potential for data loss when hard drives are pulled. Incident response is done mainly at the client’s location, so mobile data centers must be truly portable. Examiners can’t assume that monitors, keyboards and mice will be available, and when they have to leave at a moment’s notice, they may end up checking the equipment as luggage. Therefore, they need mobile solutions that fit inside a suitcase. It may also be wise to obtain a software tool with remote features so the examiner can determine whether travel is needed.

The key is to figure out where the majority of work will be done. Sometimes an examiner may do both: triage on-site, then analysis at the lab. At this point, space considerations must be taken into account.

So must the examiner’s level of expertise. In the United States, some of the field triage work in law enforcement is turned over to detectives and uniformed police officers who have some limited knowledge of digital evidence. This is especially true of probation and parole officers who must ensure that sex offenders, identity thieves, and other convicts comply with the terms of their release from prison. It would be time and labor-intensive to confiscate all home computers or set up monitoring software on each computer to accomplish compliance checks. Field triage allows the officer to ascertain whether a computer stores material in possible violation of the probationer/parolee’s terms of release.

This kind of work melds incident response with computer forensics in a law enforcement environment, but at such a basic level that professional forensic examiners sometimes argue against such “push button” forensics. Yet “push button” forensics reduces professional examiners’ workload, enabling prosecutors to secure convictions via “low hanging fruit” and saving the more in-depth analysis for bigger cases involving large-scale criminal activity.

The “push button” forensics debate is not just about professional expertise; it’s also about labs themselves, their ability to support digital evidence analysis. Law enforcement and private sector organizations are similar in that some have in-house digital forensics labs, and some outsource: corporations to partner vendors and law enforcement to regional labs. The sheer magnitude of digital evidence today complicates the average lab’s ability to respond to the amount of data submitted.

/ Lab limitations
Whether in law enforcement or private sector, digital forensics labs are typically limited only by budget and, as a corollary, space. Larger organizations may be seen as best equipped, but as digital evidence has started to turn up in most every legal proceeding—civil or criminal—smaller organizations have found they need to devote at least some resources to digital forensics. The alternative, outsourcing to a regional lab or another firm, frequently means long wait times (up to several months or even close to a year for criminal cases). It also means reliance on a third party for all digital evidence. If that lab’s

/ Expert Tip: Money-Savers


Very small labs that lack the resources of larger labs often struggle to keep evidence secure, to find good but inexpensive tools and to maximize their time in the lab.

Part-time forensic examiners may find it beneficial to have one imaging computer and one forensic analysis computer. An imaging machine can be built using new parts in surplus old machines from city government or local schools. This can save money for an out-of-the-box analysis workstation.

In the United States, conventional wisdom among law enforcement is that only hardware write-blockers can provide true forensic protection. But hardware write-blockers are expensive, and smaller agencies may find them prohibitively so. Instead, they may benefit from the Federal Bureau of Investigation’s free-to-law-enforcement Advanced Computer Examination Support (ACES). ACES allows a direct SATA connection from suspect to forensic drives, with no degradation of speed during data transfers. More information is available at www.acesle.org/.

Finally, labs in facilities with limited space should focus on “security by behavior.” This should involve a combination of detailed standard operating procedures and training for non-forensic personnel on how digital evidence is to be treated. A good standard is SWGDE’s Best Practices for Computer Forensics, available at http://www.swgde.org/documents/swgde2006/Best_Practices_for_Computer_Forensics%20July06.pdf




budget is cut or the firm is absorbed or goes out of business, that leaves the contracting agency or company without a way to analyze digital evidence.

Civil litigation can complicate the process through the massive amounts of data collected in litigation hold requests. This extends the processing time (and cost) for not only the examiners, but also the attorneys reviewing the material.

When small law enforcement agencies set up a lab, they frequently christen one officer “the computer guy” and provide a small workspace—a cubicle, office space, or even a closet—with a forensic workstation used both to image and analyze hard drives. Software and hardware are acquired piecemeal after the required training is complete, and these labs rely on as many free tools as they can.

Still, as was pointed out in Law Technology News in February, small law firms undertaking e-discovery and computer forensics are beholden to the same legal defensibility standards as larger firms with more resources. The same is true of law enforcement agencies, where “the computer guy” may even be part-time. Recent case law has also required firms under litigation holds to collect all data relevant to the pending case. For a small firm this expands the amount of data that they must process and maintain.

At this point, lab security can become problematic. The smaller agency may not have the resources to protect digital evidence to its fullest extent (see Boxout 2). Personnel may not be trained in how to store the evidence long term, so smaller labs are more at risk for potential data loss or alteration, however inadvertent.

Whether law enforcement or non-law enforcement, digital forensics labs face very similar challenges when it comes to supporting professional examiners. Adequate work and storage space, toolkits and equipment, and security depend on existing resources including funds. Rapid technological advances and legal requirements complicate labs’ efforts to stay up to date, especially if they are small. /

/ Top Fact!
Inconsistent standards applied internationally

Digital forensic examiners working for both law enforcement and private interests must therefore be able to prove that they did not tamper with or plant evidence. In the United Kingdom, labs are required to conform to the Association of Chief Police Officers (ACPO) Guide for Computer-Based Electronic Evidence. Defense experts must also follow an expert witness program.

However, in the United States, no such overarching standards exist. Labs may seek and achieve accreditation by the American Society of Crime Laboratory Directors (ASCLD), but this is not required. Other standards have been promoted, notably by the Scientific Working Group on Digital Evidence (SWGDE), the International Organization on Computer Evidence (IOCE), and the National Institute for Science and Technology (NIST). The National Institute of Justice (NIJ) has also published a series of publications on the basics of understanding digital evidence collection, investigation and presentation in court.

In general, as long as they are equipped with commonly accepted forensic software and write-blocking capabilities, and their examiners receive minimal training, labs in the U.S. meet basic requirements in an industry with no particular set standards.

/ Space Considerations: Present and Future Use

Space considerations are more important than they may be given credit for. It’s easy to walk into an empty office and think that the space won’t all be necessary. But after security and equipment have been installed, often, the lab does use the space in its entirety.

It’s also important to plan for future expansion. A one-thousand-square-foot lab and evidence room may be more than enough, but when the organization gets busy and starts to hire more people, expansion is not as easy as taking over more office space – because security may then be compromised.

An example: labs located in office spaces on opposite sides of a level, or worse, labs located on different floors. The labs in one office were secure, but the employees were using a common-access elevator to go between them.

Two offices situated back to back can be ideal, if future expansion could be achieved by taking out a non-load-bearing wall, or cutting in a door.

These issues are important to consider even if the expansion is temporary, such as with a smaller lab working one very large or high profile case. Examiners in such cases may be bringing in a huge amount of data, much more than with their usual workload, and will need to store it.

ADDITIONAL READING
Warren Kruse and Jay Heiser, “Computer Forensics: Incident Response Essentials,” Addison Wesley, 2001
Hank Wolfe, “Setting up an Electronic Evidence Forensics Laboratory,” Computers & Security 22:8, 2003, available online at: http://www.compseconline.com/hottopics/hottopic_Feb04/settingupaforensicsunit.pdf

/ Author Bio
Christa M. Miller is a writer and public relations consultant who specializes in digital forensics and law enforcement. She has had more than 100 articles published in US trade magazines; as a consultant, she works with clients such as Vere Software, Continuum Worldwide, Teel Technologies and the International High Tech Crime Investigation Association.

Todd G. Shipley, CFCE, CFE, is president and CEO of Vere Software. Previously a Senior Detective Sergeant managing the Reno Police Department’s Financial and Computer Crimes Unit, he also served as Director of Systems Security and High Tech Crime Prevention Training.

Warren G. Kruse II, CISSP, CFCE has conducted computer forensics examinations globally in support of numerous cases, from civil disputes to criminal prosecutions at the federal level. He is a frequent lecturer on computer forensics, incident response, and cybercrime, and is the coauthor of “Computer Forensics: Incident Response Essentials”, published by Addison Wesley.





/ COMPETITION

/ 3 SYNGRESS BOOKS to Win with Digital Forensics Magazine Issue 3

/ Question
The technique used by hackers for gaining access to information through physical impersonation or trickery is known as:

A. SOCIAL NETWORKING
B. SOCIAL ENGINEERING
C. SOCIAL MANIPULATION

/ To Enter
To enter the competition all you need to do is send an email to competition@digitalforensicsmagazine.com writing Syngress Comp in the subject line, including your name, address and telephone number with your entry.

TERMS AND CONDITIONS
This competition is open to anyone aged 18 or over, except for employees of TR Media Limited and their immediate families. Only one entry is permitted per person. Entries can be submitted by email only and should be sent to competition@digitalforensicsmagazine.com. TR Media shall not be responsible for technical errors in telecommunication networks, Internet access or otherwise, preventing entry to this competition. Closing date for all entries is on 30th June 2010 at 9.30am. Any entries received after that time will not be included. The first correct entry, chosen at random by the DFM team, will be notified by email on Monday 12/07/2010. The winner will be announced in Issue 4 of the magazine and on the Digital Forensics Magazine website. Submitting your entry constitutes your consent for us to use your name for editorial or publicity purposes, should you be the winner. TR Media reserves the right to change or withdraw the competition and/or prize at any time. By entering the competition, entrants are deemed to have accepted these terms and conditions.

Virtualized environments can make forensics investigation more difficult. Technological advances in virtualization tools essentially make removable media a PC that can be carried around in a pocket or around a neck. Running operating systems and applications this way leaves very little trace on the host system. Virtualization and Forensics explores all the newest methods for virtualized environments and the implications they have on the world of forensics. The book begins by explaining the different types of virtualization, then how virtualization affects the basic forensic process. It describes common methods to find virtualization artifacts on dead drives, live analysis and identify virtual activities that affect the examination process of virtualized environments. Finally, it will address virtualization issues such as security, data retention policies, and where the world of virtualization is headed.

Digital Triage Forensics (DTF) is a procedural model for the investigation of Digital Crime Scenes including both Traditional Crime Scenes and the more complex Battlefield Crime Scenes. The United States Army and other traditional Police agencies use this model for current Digital Forensic Applications. The tool, training, and techniques from this practice are being brought to the public in this book for the first time. Now Corporations, Law Enforcement, and Consultants can benefit from the unique perspectives of the experts who coined “Digital Triage Forensics”.

The field of digital and computer forensics has revolved around the information stored in volatile and non-volatile memory. Traditional forensics focused on imaging the hard drive and using special tools to analyze the image from a forensics perspective. That works great if you know where the evidence is, or you have a limited scope of systems to analyze. With the push towards cloud computing, applications and data are now stored in data centers located throughout the world. In addition, with the popularity of wireless hotspots, evidence is now a moving target and in some cases the forensic analysis needs to be conducted directly on the network. With technology moving to the “cloud” there needs to be an innovative new way to identify and analyze network traffic. This book focuses on this transition between systems through the “cloud” and to the user’s hard drive.



/ LEGAL EDITORIAL

LEGAL EDITORIAL
Welcome again to DFM’s legal section
by Moira Carroll-Mayer

Hello to old friends and newcomers alike from the Legal section of Digital Forensics Magazine. In this the 3rd issue we present a timely article on cyber searches and forensics by Mark D. Rasch. Rasch tackles the thorny issue of cyber forensic procedures and the construction of search warrants for the benefit of the state or its agents in light of the Fourth Amendment rights granted by the US Constitution. Rasch’s searing commentary uncovers blatant overriding of probable cause and precise specification requirements for warrants so that general searches and warrants become the unconstitutional norm in cyber forensics. His observations are all the more pertinent in the encroaching cloud environment, where according to many commentators, citizens’ rights to the protection of duly obtained warrants and the right to challenge enabled through due notice are hazarded to an extent never before possible. In tandem however, with their loss, the possibility of challenge to the widespread overriding of citizens’ rights by cyber investigators is being opened up as an increasingly informed and consequently less inhibited judiciary finds its voice. The State v. Bellar, 231 Or.App. 80, 217 P.3d 1094 (Sept. 30, 2009) exemplifies this movement, where it was held that a search occurs when the government invades a protected privacy or possessory interest of the defendant such as might exist in the cloud. More broadly Rasch’s discussion is contemporaneous with related arguments on the effectiveness of the Electronics Communications Privacy Act and proposals for a new Cloud Computing Advancement Act. The gloves are clearly coming off and digital investigators had better be prepared for a fight, better still to avoid one, with the knowledge to navigate the state’s, the citizens’ and their own rights in cyberspatial search and seizure.

Also presented in Issue 3 is the second of a highly informative four part serial by Scott Zimmerman, which considers the practicalities of computer forensic investigations. The second instalment looks in detail at the components of the chief US and UK legislation, respectively the Computer Fraud & Abuse Act and the Computer Misuse Act 1990, prescribing the characteristics of actions and levels of intent that should be identifiable before investigation and prosecution are embarked upon. The article is indispensable to anyone seeking a pocket guide to the actions and intent to look out for when considering investigation and prosecution within the jurisdiction of the UK or US.

Not least are this issue’s News Alerts; undesignedly complementing the lead article by Rasch, from the Netherlands we report startling changes to the conduct of digital search and seizure by government agencies; similarly from the US we draw attention to Re Rothstein Rosenfeldt Adler which promises to extend and refine Bellar, while from India we have news, among other things, of a novel Tribunal for appealing actions during digital search and seizure as well as the consequences for suspects. That immutable and ubiquitous phenomenon e-disclosure/e-discovery finds us in Singapore, which country investigators will be delighted to hear has brought its framework more or less into line with that of the US and UK. Finally, to put minds at rest, rumours of a split between US Circuit Courts on e-discovery are put to rest in coverage of the latest and greatest case on the subject, Rimkus v Cammarata 2010 WL 645253 (S.D. Tex. Feb. 19, 2010). /

/ AUTHOR BIO
Moira Carroll-Mayer, Digital Forensics Magazine’s Legal Editor, is a lecturer in Procedural and Substantive Law of Forensic Computing with published articles on Communication Ethics, Identity Management & the Implications for Criminal Justice, the Ethical Implications of Nanotechnology, and Digital Crime & Forensic Science in Cyberspace. Moira is currently conducting research into the ethical and legal implications of advanced autonomous weapons systems.



/ LEGAL FEATURE

THE FOURTH
AMENDMENT
CYBERSEARCHES, PARTICULARITY AND COMPUTER FORENSICS

The right of persons to be secure in their persons, places, houses and effects against unreasonable searches and seizures is protected from governmental intrusion under the Fourth Amendment to the United States Constitution; however, neither Fourth Amendment jurisprudence nor computer forensics has kept pace with technological developments
by Mark D. Rasch
/ INTERMEDIATE

Before the government may search for or seize any items to which a reasonable expectation of privacy attaches, the government must obtain a warrant from a neutral and detached magistrate, “particularly describing the place to be searched, and the persons or things to be seized.” U.S. Const., Amend. IV. This paper will discuss how one can craft both a warrant and a forensic procedure that will meet the Constitutional requirements that law enforcement agents seize only that which is expressly covered by the warrant, and for which probable cause has been established specifying that the precise items seized are more likely than not, evidence of a crime.

/ The Particular Requirement


A few brief caveats should be observed at the outset. First, the Fourth Amendment both by its terms and by developed law applies only to “searches and seizures” either conducted by, or in some instances, for the benefit of “state actors” – generally the government. Thus, a purely “private” search, like that conducted by a company on its employees, contractors or people on its facilities (and not conducted for the benefit of the government) would not be subject to the Fourth Amendment warrant requirements. This would be true even if the purpose of the search by the private actor was to find evidence of wrongdoing or even criminality, and even if the private actor later decided to turn over the results of his or her search to the police. However, the Fourth Amendment applies to many searches by government actors who are not law enforcement agents – where the government is an employer or regulator. To make things more complicated, even when law enforcement conduct searches, many of them may not require warrants. Thus, certain searches (even searches of computers and computer data) may not require a warrant if, for example, they are conducted at an international border, if the person has exposed the information to public view, if there is an emergency or other exigent circumstance, or if either the owner or a person in lawful control of the information consents to the search.



Assuming that there is to be a governmental search for electronic evidence, and that the Fourth Amendment applies, the Constitution requires not only a showing of probable cause, but also a specification of what is to be searched, and what is to be seized. The purpose of this requirement is to prevent general searches and general warrants.

A general search is when law enforcement agents, armed with a warrant showing probable cause to search for one thing (or without any warrant at all) conduct a search as if no warrant existed. For example, in a search at a motel room for a dead body, a law enforcement agent would have a hard time justifying opening a desk drawer or a small suitcase (absent evidence of dismemberment!). Even if the warrant itself is specific about what is to be searched and seized, the agents executing the warrant must adhere to the scope of the warrant, or else the search will be deemed a “general search” and therefore illegal. In addition, the warrant itself cannot be a “general warrant” authorizing the agent to search anywhere for a particular thing, or in a particular place for “any evidence of crime.” In the words of the Fourth Amendment, the warrant must specify both the place to be searched AND the thing or things to be seized.

/ Search & Seizure
In the ordinary world, police armed with a warrant search a suspect’s house, car, office, garage, whatever, and look for the thing or things covered in the warrant. A search of a car for a full-barrelled shotgun would permit a scouring of the passenger compartment and trunk (and possibly engine compartment and undercarriage) but probably not the glove compartment, which could not possibly house a shotgun. A search for papers related to, say, tax fraud would permit searches of desks, file cabinets, and even under the bed – anywhere papers might exist. In searching for such tax fraud records, the officers executing the warrant would be permitted to examine ANY documents at least in a cursory fashion to see if they are covered by the warrant. Tax records, receipts, financial records, checks and the like are all fair game, but even things like diary entries, news clippings, children’s homework, and similar records can at least be looked at briefly (how do you know that a file labelled ‘children’s homework’ really contains that and only that?). Once the examination is complete, the agent may then “seize” or take the items covered by the warrant, and must leave those that are not covered. If the agent sees something during the course of the search that is immediately obvious as evidence of a crime – even a crime not specified in the warrant – say a dead body, or child pornography, the agent is permitted to seize that item, provided that the item is either in “plain view” or that the agent was lawfully in the place to observe the item. So, in the “real” world, the agents acting pursuant to a warrant may search, examine, then seize subject to the conditions above.

Typical home computers now contain terabytes of information. The kinds of information they contain may run from the banal to the most intimate information

The digital world – partly due to concerns related to digital forensics – is completely different. First, the presence of a computer or computer system almost by definition is taken to imply that there will be relevant information on that system. In a case involving drug dealing, or fraud, or even murder or kidnapping, it is reasonable to consider that a target’s computer might have evidence relevant to the crime – even if there is no concrete evidence that the target ever used that computer in furtherance of the crime. The target could have used a computer to stalk the victim, investigate the crime, communicate with others about the crime, or the computer




could simply show the target’s whereabouts and login


activities. This is because the computer is more than just a
file cabinet of documents. It is a record of communications,
investigations, documentation, modifications, etc. The
computer is likely to be a treasure trove of possible relevant
information – and possibly “involved” in the commission of
the crime itself. Thus, while the law requires some probable
cause (that it is more likely than not) that the computer
contains evidence of a crime, as a practical matter most courts
simply require evidence that the suspect may have committed
a crime or have participated in one, or have had evidence
related to a crime AND that the suspect owns a computer, a
smartphone, etc. Only the barest scintilla of evidence that the
target may have used the computer is required to authorize
a search of that computer. Accordingly the basic principle
of “particularity” – that there be some credible evidence
that a computer – or more accurately a particular computer
– contains evidence of a crime for which probable cause
has been established before a search may be authorized
is frequently ignored. To avoid this problem, those seeking
warrants should specify WHY they believe that the evidence
is likely to be found in a computer, and why they believe that
the computer is likely to be found at the place they want
authorization to search.
Concerns about the preservation of electronic evidence
and its presentation in court (digital forensics) play a
huge part in the problem of overbreadth. If the cops have
a warrant for a target’s tax returns and financial records,
nobody would consider taking an entire file cabinet simply because it had 1040 tax forms in it. Moreover, nobody would consider taking a child's diary, a record collection, a stack of videotapes, a bunch of CDs and DVDs, every telephone bill, copies of every book on the bookshelf, every magazine piled up near the bed, every recipe in the kitchen, every photo album, slide show, home movie, every medical record and bill, every letter written to counsel, letters to grandma, or the like. The agent would restrict his seizure to the financial records and things related to them.

The Constitution requires not only a showing of probable cause, but also a specification of what is to be searched

In the digital world, the seizing agent would take "all electronic media" – as if the media itself was what was of evidentiary value. Thus, the warrant would typically specify taking "all computers" or "thumb drives" or "all CDs or DVDs" or other recordable media. Concerns about "originality," documentary preservation and chain of custody generally lead to the seizure of the "original" computer, or the "original" hard drive – as if there is some magic about the nature of the electronic medium. This action does two things. First, it deprives the "owner" of the use of their computer or the ability to assert relevant defences or privileges relating to the seizure, since they generally cannot demonstrate the existence of privileged records without access to the items seized. Second, it permits – and indeed encourages – the warrant to be executed in a way that does not simply involve seizure of the "relevant" matters. If a single file is covered by a warrant, then the entire drive is seized.

The entire drive is seized not only for the purposes of chain of custody and proving that files have not been altered, but also because of the need to preserve records for which probable cause has not yet been established, but which may be later on. Thus, if a single file is covered by the warrant (say a tax return) the metadata about that file – who created it, when it was created, who accessed it and when, when it was altered or modified, whether it was transmitted to others, etc. – is potentially relevant to the investigation. The only way to be sure that the metadata is also seized is to seize the drive that contains the data. The same is true for files that may be in RAM or other volatile memory, files that may be corrupted or deleted, files that have been mislabelled (either deliberately or inadvertently) or files that may be hidden or encrypted. Indeed, even if a computer is examined on site and no files covered by the warrant are found, the nature of electronic evidence may dictate that the computer is seized anyway.

In the "real" world, there is a search for relevant information, and then a seizure only of the items specifically covered by a warrant. In the electronic world, the more typical case is to seize a computer if it is in any way relevant to what the case is about, and then search it offsite. But


in that case, what exactly has been "lawfully seized?" The entire computer? Or merely the files that specifically relate to the crime under investigation? If, during the course of a search of an office for tax records, the police find a dead body or a cache of drugs, under what is called the "plain view" doctrine, they are permitted to seize and examine both the body and the drugs because these items are in plain view and are readily apparent to be evidence of an unrelated crime. How does that work for forensic investigators when tools can be calibrated to either find or fail to find certain items? In a search of a hard drive for tax records, should the examiner be looking at the contents of .gif, .jpg, and .bmp files for child pornography? Is the mere fact that relevant documents can be altered to have any file extension sufficient to permit examination of seemingly unrelated file types? Text search strings can be written broadly or narrowly to uncover only directly relevant information or every piece of possibly relevant information. How do these strategies comport with the "particularity" requirement of the Constitution when every correspondence, every communication, every relationship, every document, every tax and financial record, every song and video and book of the suspect is already sitting in a police evidence vault?

Typically courts, prosecutors and law enforcement agencies deal with the particularity requirement at the time they apply for a search warrant. The law enforcement agencies, with the assistance of the prosecutor, will write relatively detailed evidence handling procedures into the affidavit in support of the warrant, or as an attachment to the warrant. The issuing magistrate will then specify not only what can be seized, but also how it can be examined – typically by adopting the procedure proposed by the police and prosecutor. But the judges don't understand forensics. They don't know what can and cannot be done forensically. The forensic procedures typically will explain why a search must be conducted broadly – why everything must be seized, and why the minutia of every file must be examined and examined in detail for "forensic purposes." The person whose computer is being seized has no opportunity to challenge the warrant at the time of issuance, and only a limited chance to challenge the execution of the warrant as what the law terms a "general warrant."

For example, in a typical case, law enforcement officials will argue that they must be permitted to seize the "original computer" with the hard drive intact. While there are some forensic reasons for this, the truth is that the all-important "original" drive will likely be imaged immediately and tucked away in an evidence vault, and all examinations will be conducted on the imaged drive rather than the original. The physical computer is seized as well. In some cases, fingerprints or other forensic information may be gleaned from the physical hardware, but in many cases there is no evidentiary imperative for seizing the physical device. The same is true for whether the investigators should leave copies of what they have seized. Should the subject of the search be left with an imaged hard drive so they can continue to conduct whatever legitimate business they have? If the drive contains material that is unlawful (e.g., child pornography, obscene materials) or information that would further an on-going crime (drug dealer contacts) then the answer is no! But what about other cases? There is no cookie cutter "one size fits all" answer.

Typical home computers now contain terabytes of information. The kinds of information they contain may run from the banal to the most intimate information. It can include children's school schedules, personal financial records, intimate correspondence, records of political affiliations and thoughts. Examination of a hard drive can allow the investigator insight into the user's likes and dislikes, purchasing habits, reading habits, and viewing habits. It can establish exactly what they were doing at virtually every minute of the day for days, weeks, months or years in the past. Typically, only a small portion of this information is relevant to the direct subject of a criminal investigation, but the entirety of the drive is seized and examined in its most detailed minutia. Forensic tools can be used not only to invade privacy, but also to protect it. It is the job of the forensic investigator to educate courts, prosecutors and others, not only about the ways forensic tools can examine records, but the ways they can be used to discover only relevant information, and thereby to protect privacy. The goal of a search is not only to find relevant evidence, but also to do so in a way that comports with Constitutional protections. A detailed and appropriate search plan, together with the reasons why the plan is necessary, should be submitted to the Court for approval. If the investigator needs or wants to go beyond this plan, absent some emergency or exigent circumstance, further judicial approval should be obtained.

Electronic searches have sometimes been likened to "fishing expeditions." A search warrant is, in a sense, a fishing license – authorization to conduct the fishing expedition. But even the license has limits, and it is the job of the forensic investigator to know and abide by these limits. /

/ Author Bio
Mark D. Rasch, Esq. is the co-founder and Principal at SecureITExperts, Inc., a premier information security and privacy consulting company. He is a lawyer, and a recognized expert in the areas of protecting critical data and complying with laws, regulations and policies related to data protection, privacy, incident response and criminal law. He has worked for several technology companies, including FTI Consulting, Solutionary, Inc., and SAIC and was for almost 10 years the founder and head of the United States Department of Justice's Computer Crime Unit, responsible for investigation and prosecution of computer and high-technology crimes, including the investigations of Kevin Poulsen, Kevin Mitnick and the prosecution of Robert Tappan Morris. He has taught courses in law and technology at Utica College, James Madison University, the University of Fairfax, the Washington College of Law at the American University, at George Washington University, at Catholic University School of Law and has lectured at Stanford University and Harvard University and Harvard Law School.

/ LEGAL NEWS ALERT

/ All Change in the Netherlands
On January 8th 2010 the Netherlands Competition Authority (NMa) released its draft proposal document entitled 'NMa Procedure Relating to Analogue and Digital Investigations'. Despite NMa calls for consultation with market parties and regulators it is widely anticipated that the proposals within the document will be implemented. The focus of the proposals is upon investigation of suspected violations of the Competition Act and/or the energy and transport Acts and in effect will apply to investigations under all laws that grant the NMa investigative powers. When implemented these proposals will replace the current 'Procedure in relation to the Inspection and Copying of Digital Data and Documents 2007' and will address the investigation of analogue and digital data.

The proposals take into account a 2009 Hague District Court finding (The Hague, October 13, 2008, LJN: BH2647) against 'fishing expeditions' by the Authority during dawn raids. Accordingly, wherever an investigated party claims that examination of digital data is beyond the scope of the investigators' authority, that party will have the right to be present throughout the examination.

Additionally the proposals introduce the 'sealed envelope' procedure from EU case law to safeguard legally privileged documents during authority dawn raids (see T-125/03 and T-253/03, Akzo Nobel Chemicals Ltd [2007] ECR II-03525). In particular, during a dawn raid a suspect may refuse to allow investigators access to documents which s/he considers confidential. Any such documents must be placed within a sealed envelope and must not be read by investigators unless a decision has been adopted to allow such disclosure. Any such decision can be appealed to the court. The proposed changes are expected to come into force towards the middle of 2010.

/ Take Care Not to Rip that Silver Lining: Fourth Amendment Rights in the Cloud
Case law indicates that cloud forensics in the US or affecting US entities are subject to rights against unlawful searches and seizures guaranteed by the Fourth Amendment to the US Constitution, stating:

'The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.'

In State v Smith, 327 Or 366, 372-73, 963 P2d 642 (1998) it was held that implied privacy interests are generally circumscribed by the space in which they exist, that is to say by the private space of a person. However, notions of private space and of what might amount to an invasion of it contrary to the Fourth Amendment were widened in State v Meredith, 337 Or 299, 304, 96 P3d 342 (2004), where it was held that the absence of a physical or sensory invasion of a private space does not necessarily defeat a claim that government conduct constitutes a search. State v. Bellar, 231 Or. App. 80, 217 P.3d 1094 (Sept. 30, 2009) went much further, specifically referring to protected privacy or possessory interests in the cloud:

'Nor are a person's privacy rights in electronically stored personal information lost because that data is retained in a medium owned by another... I suspect that most citizens would regard that data as no less confidential or private because it was stored on a server owned by someone else. Our precedents suggest that the existence of a protected privacy interest in private information is not determined by ownership of the storage medium for that information'.

Investigators should keep their eye on Re Rothstein Rosenfeldt Adler (go to http://cases.bms11.com/Documents/FL76/09-34791/ECF_DOC_439_5690052.pdf ), a motion filed on the 15th March 2010 for reconsideration on privilege and privacy grounds of an order compelling Qtask, a virtual office for lawyers, to turn over information and provide access to a Trustee in bankruptcy. The substance of the motion provides lush legal and technical argument against the feasibility of such an order and associated investigations in the cloud.

/ E-Discovery in Singapore: On a Par with the UK and US
Those who previously might have balked at the difficulties of electronic disclosure/discovery in Singapore will be emboldened by Practice Direction No 3 of 2009 of the Supreme Court of Singapore for the Discovery and


Inspection of Electronically Stored Information (go to http://app.supremecourt.gov.sg/data/doc/ManagePage/temp/4nuc3c45i15f0f45uffl1b55/practice_direction_no.3_of_2009.pdf ). The Practice Direction takes the best from the UK Rules on Civil Procedure and the US Federal Rules of Evidence. It embodies a comprehensive, coherent description of what one must do in order to fulfill the requirements relating to applications for the inspection and discovery of electronic documents in Singapore. The Practice Direction affects all applications filed on or after the 1st October 2009.

/ Some News from India
Over the years, due to growing misuse and abuse of computers, the Information Technology (IT) Act 2000, the legal framework for transactions carried out electronically, required strengthening. Accordingly the Information Technology (Amendment) Act, 2008 was introduced in October 2009. This Act among other things provides for cyber crimes such as publicizing sexually explicit material in electronic form, video voyeurism, cyber terrorism, breach of confidentiality, leaking of data by intermediaries and e-commerce frauds. Interestingly, India has a special tribunal for disputes arising from the prosecution of cyber crime under the Act, known as the Cyber Regulations Appellate Tribunal (CRAT). The Tribunal is particularly concerned to ensure democratic rights such as freedom of speech, expression and association are not unnecessarily obstructed by efforts within the criminal justice regime. The Information Technology (Amendment) Act itself is careful, for example, to avoid unwarranted ISP liability for the activities of users. Section 79 provides a defence for those which can demonstrate that they were unaware, for example, of offensive content emanating through their service.

The Government of India has also established the Indian Computer Emergency Response Team (CERT-In) for providing early security warnings and effective incident response. It operates 24 hours a day throughout the year issuing early warning alerts and advice.

Investigations in India are bedeviled by the almost innumerable languages there. Many, for example, Bodo, Dogri, Maithili, Nepali, Bangla, Konkani, Kashmiri, Sindhi, Manipuri and Santali, are now available under the Technology Development for Indian Languages (TDIL) programme. TDIL software enabling detailed language processing is available at http://www.ildc.gov.in. TDIL was initiated by the Government of India's Department of Information Technology (DIT); available to everyone, it may prove invaluable for digital forensics investigators. The DIT has launched another major programme of potential aid to investigators in honing a professional edge. This programme, the National Rollout Plan to aggregate language software tools, is available through the Indian Language Data Centre (ILDC) in association with the Centre for the Development of Advanced Computing. Word processing, presentation preparation, spreadsheet preparation, web page design and messaging are among some of the multilingual capabilities enabled by the programme. Wonderfully, this is all free of charge. For those with money to spend, Quillpad is a commercial provider of language software solutions addressing the Indian languages; it is available at http://quillpad.in/clients.html.

/ Scheindlin v. Rosenthal on E-Discovery? No, IT's Consensus in US Courts
Don't be led up the garden path by reports of disharmony between Judge Scheindlin in Pension Comm. of the Univ. of Montreal Pension Plan v. Banc of America Sec., LLC, No. 05 Civ. 9016, 2010 WL 184312 (S.D.N.Y. Jan. 15, 2010) and Judge Rosenthal in Rimkus v Cammarata, 2010 WL 645253 (S.D. Tex. Feb. 19, 2010). The findings of both reflect the common sense/humane recommendations of the Sedona conference; perceived disharmony is a consequence of differing facts and the geographical locations of the Circuits within which the judges preside. In Rimkus intentional spoliation of evidence was proven, whereas there was no finding of intent or bad faith in Pension Committee, but the facts established half-hearted, grossly negligent actions by a plaintiff verging upon bad faith.

The antidote to confusion is knowledge of the eleven US Circuits and their differing approaches to e-discovery. Judge Scheindlin sits in New York within the Second Circuit while Judge Rosenthal sits in Texas within the Fifth Circuit. The differences in approach of the Circuits are briefly summarised: Those following Judge Rosenthal and the Fifth Circuit are the Seventh, Eighth, Tenth, Eleventh and District of Columbia; these follow the majority rule, under which intentional destruction of evidence, or bad faith, must be proven prior to an adverse inference instruction sanction being imposed by the court. The Second Circuit, where Judge Scheindlin sits, accepts that gross negligence alone, without proof of intent or bad faith, may suffice for imposition of the court's adverse inference instruction. The Third Circuit applies a hybrid balancing act taking into account the degree of fault and prejudice demonstrated. The First, Fourth, and Ninth Circuits hold that bad faith is not essential to imposing severe sanctions if there is severe prejudice to a party; however, in reality findings there frequently stress the presence of bad faith. Since lower courts have no discretion to depart from the Circuit Courts' decisions affecting them, the differing approaches to spoliation are perpetuated in the lower courts. The findings in Pension Committee and Rimkus v Cammarata accept that necessarily imperfect human beings are under examination and take account of the inevitability of loss or destruction in large scale preservation and discovery exercises. In the end investigators are directed to the Sedona recommendations filtered through the wisdom of Scheindlin and Rosenthal and jurisdictional nuances.



/ FEATURE

PLAYING WITH FIRE:


DISSECTING MALICIOUS
SOFTWARE
CURRENT AND NEW TRENDS IN ANALYSING MALWARE BEHAVIOUR

Modern malware is more sophisticated than it used to be and can easily mislead the investigator
by Ian Kennedy

/ EXPERT

Mention the word ‘malware’ in a word association game
and few people would think to respond with ‘weapon’.
Malware is nearly always a means to an end in a
much bigger picture. This could be the sale of information
obtained, access to the compromised system or even the
denial of access for the right price. Visualising the computer
as the battlefield1 and a network or computer system as a
region or country then a malware attack becomes an offensive
campaign against targeted systems. Continuing with this
analogy, strategic decisions relating to how the campaign is
fought become the overall design and execution of a malware
attack. Decisions about how individual battles are fought are
tactical in nature and equate to the techniques used in the
construction and execution of malware tasks. In the midst of
this are the forensic practitioners and security researchers.
Their job is to be the weapons analysts and to reverse
engineer these virulent and at times quasi-conscious weapons
to understand their capabilities and behaviour.
It is difficult to imagine undertaking any offensive campaign without a range of tactical weapons, each suited to different tasks. The attacker can use a full selection of arsenal including keyloggers, screen loggers, email redirectors, web Trojans, hostname lookup attacks, proxy attacks and rootkits to name a few. Each is suited to a different objective and each will often contain its own counter-detection measures. To start your campaign you need a weapons supplier.

/ Can I use VMware to study malware?
Sure, but be mindful of the fact that much of today’s malware is emulator and debugger aware. Typically, malware inspects the environment where it is about to unpack and checks for signs of a non-native environment. The first sign of something suspicious and it invariably exits immediately without unpacking its code. Turning this around, this has a possible benefit for the user as it suggests you can install tools such as an emulator and a debugger to prevent malware from running. Longer term though, as virtualization becomes more common on a desktop it is likely that such environmental checks will no longer be a valid indicator of an instrumented system.

/ DESCENDING UNDERGROUND
Buying weapons on the Black Market is not new. They are there to serve your every need, for a price. Recently appearing in the news2, Zeus is an example of a DIY kit for building your own customised malware. With your freshly built malware it’s not enough to simply locate it on a couple of websites and hope for passing surfers to get infected. You need to get it distributed to machines with identified vulnerabilities that can begin making you money quickly. That’s where an Exploitation Pack comes in. You can expect to pay around $100-250 to get your customised malware installed onto around 1,000 machines in the UK. Three widely used systems are Fiesta, Firepack and Sploit3. Now you need somewhere to store all your harvested data and manage your malware distribution. Anonymous ‘bulletproof’ servers offer a variety of packages and typically cost around $150 per month for hosting, with discounts for larger quantities.

/ ENTER THE WEAPONS ANALYST
With my practitioner hat on, I am principally motivated by the need to determine the events leading up to a limited set of circumstances when analyzing malware. I need to determine if the suspicious binary discovered on a computer is the cause of a given activity. There are two broad approaches taken to address this question of causality: static and dynamic analysis.

In the static world the malware is lifeless, but not completely harmless as careless handling can be problematic. We must also remember, though, that even our tools can be misled in this exercise by the tactics of the malware author, leading to differing results between tools. Hence, as with computer forensics, cross checking with more than one tool can increase confidence that what you are seeing is accurate. With this knowledge, we can safely commence our autopsy and dissect the specimen.

Figure 1
Figure 2
Figure 3

Online scanners are freely available to help us rapidly scan our suspicious binary in an attempt to identify it. Despite the ease of doing this, we have to stop and consider any legal issues involved, such as privacy and cross-border movement of data. This is especially important in the case of sensitive and government clients for whom we are conducting the investigation. With any legal issues resolved, we can don our gloves and surgical mask and submit our suspicious binary (previously identified by our AV scanner unhelpfully as simply ‘Worm.Win32.Gen’) to online scanner sites such as VirusTotal4 and Jotti’s malware scanner5.

It is important to remember that a vendor’s online scanner tool operates differently to its desktop product and so the precision is not the same. This becomes apparent when we examine how such online tools have identified the binary. The lack of consensus on even the name of the binary may give rise to doubts of what we are dealing with.

Not defeated, we turn to our preferred hex editor tools and examine the ‘Magic Number’ of this file; we see that it is ‘MZP’. This indicates that the file is an executable file produced with Delphi. Knowing that a typical executable file contains varying amounts of string-based data we next apply that ever-useful Unix tool called ‘strings’ which has been ported to run in a Windows environment6. The ‘BinText’ tool7 offers powerful string filtering and searching options. It will also denote both the file and memory offset of a string. Examining the output



from BinText we see the text ‘.aspack’, see Fig 1. This suggests the file may be packed using the compression tool ASPack8. Sure enough, further on in the file (beyond that shown in Figure 1), there is little readable text, aside from references to API function names such as ‘URLDownloadToFileA’. Tackling this problem by attempting to unpack the code is covered shortly.

Just before we try to manipulate the code to unpack it, we may find it useful to examine its module dependencies. Malware will typically utilize the victim’s own Windows API code to achieve its goals. The ‘Dependency Walker’9 allows us to examine which libraries and functions are called by the binary. Fig 2 indicates that our suspicious binary accesses ‘WININET.DLL’ which provides Internet functionality. One such function called is ‘InternetWriteFile’.

/ STEALTHY MALWARE
Malware writers are crafty. Like any military organisation,
secrecy is key to protecting your assets. To this end, a variety
of obfuscation techniques are used to try and prevent prying
eyes from seeing what’s happening under the hood. The first
of these is packers.

Most packers operate only on Windows portable executable
(PE) files and Dynamic Link Libraries (DLLs). Packers come
in four broad varieties. The first of these, ‘crypters’, will
gladly encrypt a malware file’s content such that it will only
decrypt portions of the malware in memory at any given time,
frustrating any efforts to gain a full and unencrypted sample
for analysis. Not surprisingly, crypters such as Yoda’s Crypter10
and PolyCrypt PE11 are popular choices for obfuscating code12.
This technique means that host-based detection technologies
cannot inspect the binary prior to it being loaded from disk
into memory. The second type of packer is the more traditional
‘compressor’ such as UPX. These do little more than compress
the file’s content without such trickery. Thirdly, ‘bundlers’
such as PEBundle13, on the other hand, will produce a single
packed file, like a Zip container, but will happily unpack the
files it needs into RAM without extracting them to disk.
Finally, ‘protectors’ such as Armadillo14 and Themida15 provide
obfuscation through compression and licensing management
capabilities for products found in the commercial arena.
Applying PEiD16 to our suspicious binary, we identify the use
of the packer ‘ASPack 2.12’ that our strings analysis suggested
earlier, fig 3.
The typical packer will reorganise the headers in the file, rewrite
the import table and set a new Original Entry Point (OEP). The end
result is a PE binary containing within one of its sections a second,
hidden binary image, like Russian dolls. When executed, the visible
binary unpacks the inner binary, updates its own import table
and finally makes a jump to the memory address of the unpacked
binary. Thus, the malware is brought to life.
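The manual checks described above (the ‘MZP’ magic number, the ‘.aspack’ string and the packer’s relocated entry point) can be scripted as a first-pass static triage of a PE file. The following is an added example, not code from the article or from BinText, PEiD or ASPack; the two PE images it inspects are constructed inline as test data, and the packer section-name list and the 7.0 bits-per-byte entropy threshold are assumed heuristics.

```python
"""Static PE triage for the packer indicators the text inspects by hand.

Added example, not code from the article or from BinText, PEiD or ASPack.
It checks the 'MZP' magic number of a Delphi-built executable, packer-style
section names such as '.aspack', high-entropy (compressed or encrypted)
sections, and an entry point a packer has moved out of the code section.
The sample images are constructed inline (not real malware), so it runs offline.
"""
import math
import struct
from collections import Counter

# Assumed heuristics: section names left by the packers discussed (ASPack,
# UPX) plus a few others, and the entropy above which data looks packed.
PACKER_SECTIONS = {".aspack", ".adata", "upx0", "upx1", "upx2", ".petite"}
CODE_SECTIONS = {".text", "code"}   # where an unpacked entry point normally lives
HIGH_ENTROPY = 7.0                   # bits per byte; packed data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes):
    """Return (entry_point_rva, sections) parsed from a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16
    nsect, opt_size = struct.unpack_from("<H12xH", image, coff + 2)
    opt = coff + 20
    entry = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i                       # IMAGE_SECTION_HEADER
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", image, hdr)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize,
                         "entropy": shannon_entropy(image[raw:raw + rsize])})
    return entry, sections


def triage(image: bytes) -> dict:
    """Collect packer indicators; each key mirrors a manual check in the text."""
    entry, sections = parse_pe(image)
    entry_section = None
    for s in sections:
        if s["va"] <= entry < s["va"] + max(s["vsize"], 1):
            entry_section = s["name"]
    packer = [s["name"] for s in sections if s["name"].lower() in PACKER_SECTIONS]
    dense = [s["name"] for s in sections if s["entropy"] > HIGH_ENTROPY]
    # A packer rewrites the entry point so that it lands in its own stub section.
    entry_moved = entry_section is not None and entry_section.lower() not in CODE_SECTIONS
    return {
        "delphi_mzp": image[:3] == b"MZP",   # Delphi's DOS stub begins 'MZP'
        "packer_sections": packer,
        "high_entropy_sections": dense,
        "entry_section": entry_section,
        "entry_outside_code": entry_moved,
        "likely_packed": bool(packer) or (bool(dense) and entry_moved),
    }


def build_sample_pe(packed: bool) -> bytes:
    """Construct a minimal Delphi-style PE32 image (test data, not real malware)."""
    if packed:
        # Original code zeroed out; compressed payload and unpacking stub follow.
        sections = [(b".text", bytes(0x200)),
                    (b".aspack", bytes((i * 131 + 7) % 256 for i in range(0x400)))]
        entry_rva = 0x2010                       # inside the .aspack stub
    else:
        sections = [(b".text", b"\x55\x8b\xec\x33\xc0\x5d\xc3" * 64 + bytes(0x40))]
        entry_rva = 0x1000                       # start of .text
    dos = b"MZP\0".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    headers = bytearray(dos + b"PE\0\0" + coff + opt)
    raw_ptr, body = 0x200, b""
    for i, (name, data) in enumerate(sections):
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                               0x1000 * (i + 1), len(data), raw_ptr,
                               0, 0, 0, 0, 0x60000020)
        raw_ptr += len(data)
        body += data
    return bytes(headers.ljust(0x200, b"\0")) + body


if __name__ == "__main__":
    for label in ("clean", "packed"):
        print(label, triage(build_sample_pe(label == "packed")))
```

Point `triage()` at the bytes of a real sample to get the same report; a hit on any indicator is a reason to run PEiD and attempt an unpack, not proof of malice on its own.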
Disassemblers are programs designed to extract the
assembly language of a target binary file and study the
design and flow of the code. In our analogy, this gives us the
blueprints for the weapon’s behaviour. The tool of choice
for many security researchers is IDA Pro17. Tools such as this
Figure 4


allow us to unpack (in some cases) and examine how the code would execute at the OpCode level, but require time and skill to use. Fortunately, there are tools available to unpack the packed code for us, enabling us to re-examine the strings and other resources used by the code. Using ‘AspackDie’18 we can unpack the malware from its armour to a regular executable file. Loading this back into BinText we find references to online banking sites and the words ‘conta’, ‘senha’, ‘gitos do cart’ which (with the help of Google) in Portuguese mean ‘account’, ‘password’ and ‘card digits’, see Fig 5.

Figure 5

Another obfuscation technique is the destruction of the Interrupt Access Table (IAT)

To avoid being unpacked, crypter packers have been known to insert ‘junk’ code when packing a binary to confuse a decompiler. Other tricks include redirecting or mutating original instructions with equivalent instruction codes to prevent memory dumps taking place. Even CRC checks are made by the extracted code to check the integrity of how it was extracted.

Given the challenges of static disassembly, you might think that simply running the code and monitoring its behaviour live would alleviate such problems. However, practitioners who seek to reverse engineer the code also face a relatively new and ingenious trick. Malware is now circulating that uses VMProtectors19. This advanced technique effectively runs the malware code inside a mini virtual machine that is unpacked

addresses where an executable may find the standard routines provided by the Windows Application Programming Interface (API). Malware employing this technique can avert detection by making calls to the API routines directly by memory address rather than name. In this way, the practitioner never sees the calls made to the API.

In moving to dynamic analysis, we are arming the weapon.

/ Weapons catalogue
Malware classification used to be simple. These days much of what is in the wild is a Darwinian blend of threats covering multiple attack vectors. Again returning to our military analogy, this is akin to a flanking offensive tactic. A blended threat might, for example, launch a Denial of Service (DoS), install a backdoor and overwrite local system files in one attack. Multiple delivery mechanisms could be used too to increase the success of gaining access. So a worm may arrive by both email and a file sharing mechanism. The following list, based upon definitions provided by VirusList52, identifies the elements of these blended threats:

Worms
Typically, do not require human interaction to operate and are classified by the propagation and/or installation method employed. Examples of these include email, Instant Messaging, IRC and peer-to-peer file sharing mechanisms.

Viruses
Generally require human interaction to be initiated and are classified according to their area of operation. This can be either the file system, boot sector, macro or scripting areas.

Trojans
Classified by their action, this group of malware will typically act as the mechanism for delivery of some other item such as Backdoors, Droppers (unpacking their payload), Downloaders (sourcing their payload from online), Proxies (using a victim to hide Internet activity) and Spies (to monitor keystrokes and screen activity).

DoS/DDoS
Reducing the victim machine to the role of a pawn, when instructed it obediently commences a repeated request to a designated server.

Exploits
What you might consider ‘opportunist’ malware that is embedded with code targeted at unpatched systems containing vulnerabilities. A JPG file, for example, can contain code to exploit a buffer overrun when viewed53.

Nukers
Exploiting vulnerabilities on the victim host, the system is attacked and made to cause fatal errors.
into memory first when the binary is executed. Each byte of In our analogy we are positioning the weapon in an artificial
the op-codes and operands forming the malware payload are desert town then retreating to our viewing bunkers. Thus, not
randomly generated to form ‘bytecode’ when the malware is wanting to liberate malware on our forensic workstation we
packed into the VMProtector. No two generated instances of the typically turn to the use of emulators to virtualize a machine,
same malware will produce the same bytecodes. A practitioner creating that artificial town in which to detonate our weapon.
running this type of malware will only see the virtual machine These days, however, malware is smarter than it used to be
code and not the malware inside a debugger environment. (more on this in a later) as before detonation it will check its
Another obfuscation technique is the destruction of the environment is real. I guess those mannequin dummies in our
Interrupt Access Table (IAT). This table stores all the memory artificial town are no substitute for real people.



In this virtual realm, we install the monitoring tools of our choice. In doing so we seek to instrument the usual areas such as file, registry, network and process activity. Process Monitor [20] wraps up into one tool what used to be split across several tools. Wireshark [21] allows us to monitor network traffic filtered by protocol. In analyzing malware we seek to emulate the Internet by setting up a second machine on our test LAN as a web server and using fake DNS. In doing this we elicit a response from the malware when the website addresses found during our static analysis are resolved via local DNS to our internal web server.

Debuggers are programs that allow us to execute a binary in a controlled fashion, tracing step-by-step the execution path followed. Even though the malware is being executed in a restricted manner, it is still essential to do this step on an expendable and isolated machine. Executing our binary in the debugger OllyDbg [22] we are greeted with the message that the entry point is 'outside' the code area, confirming our suspicions that the OEP has been shifted.

A sophisticated defence tactic used by malware is a technique known as 'Dynamic code replacement'. A malware binary is executed and partially unpacks code that starts a second, benign process. The unpacked code then allocates memory within the domain of this new process, typically by calling the 'WriteProcessMemory' API. The remainder of the malware's code is then unpacked into the domain of the new process. Finally, the entry point is reset to point to the start of the malware code, completely skipping the logic of the benign process. This is like building the Trojan horse within the castle walls.

/ CURRENT RESEARCH TRENDS
Reaching beyond the confines of a specific investigation, the academic community is exploring a number of exciting approaches to malware analysis.

On a static level it is possible to compare suspicious binaries with known samples. Two groups [23, 24] borrow a concept from biology known as phylogenetics, which studies the evolutionary relationship among various groups of organisms. The basic principle is to cluster calls made to similar or identical functions within a pair of binaries. This approach becomes ineffective for malware that obfuscates its code and its calls to API functions.

In a move similar to that which helps trace stolen money, tainting [19, 25, 26] is a technique used to mark data as it propagates through the execution paths of malware.

The hooking of both kernel and application level APIs is used [24, 26, 27] to monitor calls to API functions through callback functions. One project known as Malyzer [28] is built upon the Microsoft research project Detours [29]. Their approach seeks to overcome the challenges of stealthy malware by monitoring for suspicious process startup activity. The creation of a second process is deemed suspicious: dynamic code injection is legitimately used in benign applications such as Skype [30], but such an application does not normally attempt to start a second process.

/ Malware Forensics
Malware Forensics: Investigating and Analyzing Malicious Code
Authors: James Aquilina, Eoghan Casey, Cameron Malin
Publisher: Syngress
ISBN-10: 159749268X
ISBN-13: 978-1597492683

This book details methodologies for the collection and analysis of volatile data and artifacts in the context of a malware investigation. Practical in its approach, tools are cited throughout the book along with a discussion of the legal issues involved, which include UK and cross-border issues, which is critical given the nature of malware. The book forms an excellent starting point from which to study malware before moving on to more comprehensive, multiple path methodologies.

/ EMULATION AND DEBUGGING
As a security researcher you seek to have a controlled environment to study your malware. There are a variety of software emulation technologies to choose or build upon, such as CWSandbox [31], QEMU [32], User Mode Linux (UML) [33], LiveView [34], Norman [35], Bochs [36] and VMware [37]. Firing up your malware in one of these virtual environments allows you to both manipulate the inputs given to the malware and instrument its behaviour while filtering out unwanted noise from other system activity. On their own, though, these emulation tools are not enough to defeat most malware and at times may be unsuitable, as the malware detects their presence.

If you consider the deployment of malware as the use of a weapon, then the effectiveness of that weapon is in jeopardy if your enemy discovers how your weapon operates and where its weaknesses lie. Thus intelligence is a critical element to the effectiveness of your weapon. So one of the typical behavioural characteristics of malware is reconnaissance. Before a victim's machine is probed to identify vulnerabilities, a separate 'reccy' is run to look for the telltale signs of an emulated environment. These include manufacturer device identifier strings such as 'vmnet1', which is reported for systems hosting VMware that contain a network interface. A typical response to such a discovery is to exit the process immediately. More sophisticated binaries will only unpack enough code to make these checks first, to check it is safe to come out of hiding in the packed file. The ScoopyNG [38] tool uses shell scripts to identify vendor strings. Sticking with VMware as an example, other clues include the presence of the key 'vmscsi' in the Windows registry and driver files such as 'buslogic.sys' and 'vmscsi.sys' on the disk.

Emulators and debuggers will also make subtle changes to the kernel memory layout of the emulated machine. Thus a simple check of the address of a standard API routine such as 'CreateProcess' will indicate that the system is not running on native hardware. Even the titles of open windows and live processes can be checked.
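The fake DNS half of the lab set-up described above (a second machine on the test LAN acting as the web server, and a resolver that points every name the sample asks for at that machine), as an added example. This is not code from the article or from any tool it cites; the listening address and the 192.168.56.10 web-server address are assumptions for an isolated lab network.

```python
"""Fake DNS resolver for an isolated malware lab.

Added example, not code from the article or from any tool it cites. Every A
query from the sample is answered with the address of our own web server
(LAB_WEB_SERVER below is an assumed RFC 1918 address), so the hostnames
recovered during static analysis resolve to a machine we control rather than
to the real Internet, and every name the sample asks for is logged.
"""
import socket
import struct

LAB_WEB_SERVER = "192.168.56.10"   # assumed: the second machine on the test LAN
LISTEN_ADDR = ("0.0.0.0", 53)      # binding port 53 needs privileges; lab use only


def parse_query(packet: bytes):
    """Return (txid, qname, qtype, end_of_question_offset) for a DNS query.

    Raises ValueError for anything that is not a single, plain question.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("packet is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question type/class")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, pos + 4


def build_response(query: bytes, answer_ip: str = LAB_WEB_SERVER, ttl: int = 60) -> bytes:
    """Answer an A query with answer_ip; any other type gets an empty NOERROR reply."""
    txid, _qname, qtype, qend = parse_query(query)
    question = query[12:qend]               # echo the question section unchanged
    answer = b""
    if qtype == 1:                          # A record
        # name = pointer to offset 12 (the question name), type A, class IN, rdlength 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    flags = 0x8180                          # QR=1, RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a plain query; used to exercise the resolver without a network."""
    name = b"".join(bytes([len(part)]) + part.encode("ascii") for part in qname.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def serve(listen=LISTEN_ADDR, answer_ip=LAB_WEB_SERVER):
    """Answer queries forever, logging each name the sample tries to resolve."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(listen)
        while True:
            data, peer = sock.recvfrom(512)
            try:
                reply = build_response(data, answer_ip)
                qname = parse_query(data)[1]
            except ValueError as exc:
                print(f"{peer[0]}: ignored malformed packet ({exc})")
                continue
            print(f"{peer[0]} asked for {qname} -> {answer_ip}")
            sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

The log of names the sample resolves is itself evidence: it lists the sites found during static analysis that the sample actually tries to contact when run.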


A common side effect of using an emulator is that certain CPU operations are not fully supported in the emulated environment [39, 40]. It is of little surprise then that malware authors use this to their advantage as an indicator of an emulated system. Some malware will even measure the speed of execution of certain instructions to check for emulators and debuggers [39].

To tackle these problems, hardware emulators such as JoeBox [41] and Ether [42] (which both use emulation techniques based upon Intel-VT) have been developed. Tools based upon Ether have outperformed the unpacking tools Renovo and PolyUnpack as well as the sandbox tools Anubis and Norman.

/ MULTIPLE PATH ANALYSIS
Executing a malware binary to perform dynamic analysis, be it on an emulated or native machine, presents the practitioner and security researcher with another problem: how do we know we have seen the entire capabilities of the binary? Almost all executable code will make decisions directing program flow down one branch or another. A temporal virus such as Conficker.B will behave differently before and after a given date.

To address this, approaches have been developed [25, 43] that allow a malware sample to be executed and halted when a decision instruction is encountered. A snapshot is then taken of the system and the process is allowed to continue. When the branch is exhausted (or after a sufficient time has passed), the system is rolled back to the snapshot and the data manipulated so that another branch is explored.

/ ONLINE ANALYSIS
Some research projects have developed into online analysis tools available for use by practitioners and researchers alike. Going beyond a simple virus scan of a submitted sample, these tools virtualize a given sample and monitor its behaviour. Anubis [44] (developed from TTAnalyze [45]) and CWSandbox are well-established projects. Commercial solutions include ThreatExpert [46] (a tool maintained by PCTools) and Norman Sandbox [35].

/ CONCLUSION
As we emerge from this dark underworld, we must reflect on the impact of our findings. There is much information that can be gleaned from the tools at our disposal. However, for the forensic practitioner there is, on balance, more we do not know about a given sample of malware than what we do know. It is simply not enough to change a few conditions and run the malware, as this typically will not induce the malware to perform to its full capability. Even for the security researcher, equipped with the skills and time to reverse engineer code, it is a huge challenge to achieve a full understanding of a malware binary employing new obfuscation techniques in the short time frame between arrest and charge of a suspect in a criminal investigation. It seems that modern malware not only comes in sophisticated armored tanks these days, but even checks nobody's watching before firing. /

REFERENCES
1. Fernandez J. M., Bureau P. Optimising malware. Conference Proceedings of the IEEE International Performance, Computing, and Communications Conference 2006; 2006:577-86.
2. BBC News: Two held in global PC fraud probe [Internet] [cited 21/11/2009]. Available from: http://news.bbc.co.uk/1/hi/england/manchester/8366504.stm.
3. Erasmus J. Anatomy of a malware attack. Network Security 2009;2009(1):4-7.
4. VirusTotal - Free Online Virus and Malware Scan [Internet] [cited 17/11/2009]. Available from: http://www.virustotal.com/.
5. Jotti's malware scan [Internet] [cited 17/11/2009]. Available from: http://virusscan.jotti.org/en.
6. Sysinternals utility - Strings [Internet] [cited 22/11/2009]. Available from: http://technet.microsoft.com/en-gb/sysinternals/bb897439.aspx.
7. Foundstone Free Tools [Internet] [cited 28/11/2009]. Available from: http://www.foundstone.com/us/resources/proddesc/bintext.htm.
8. ASPACK SOFTWARE - Best Choice Compression and Protection Tools for Software Developers [Internet] [cited 28/11/2009]. Available from: http://www.aspack.com/.
9. Dependency Walker (depends.exe) Home Page [Internet] [cited 28/11/2009]. Available from: http://www.dependencywalker.com/.
10. Yoda's Crypter [Internet] [cited 17/11/2009]. Available from: http://yodap.sourceforge.net/.
11. PolyCrypt PE [Internet] [cited 17/11/2009]. Available from: http://www.jlabsoftware.com/.
12. Yan W, Zhang Z, Ansari N. Revealing packed malware. IEEE Security & Privacy 2008;6(5):65-9.
13. PECompact Executable Compressor [Internet] [cited 17/11/2009]. Available from: http://www.bitsum.com/pecompact.php.
14. Silicon Realms / SoftwarePassport / Armadillo - The Home of SoftwarePassport [Internet] [cited 17/11/2009]. Available from: http://www.siliconrealms.com/index.html.
15. Oreans Technology: Software Security Defined [Internet] [cited 17/11/2009]. Available from: http://www.oreans.com/.
16. PEiD - Packer, Crypter and Compiler detection [Internet]. Available from: http://www.peid.info/.
17. IDA Pro Disassembler - multi-processor, windows hosted disassembler and debugger [Internet] [cited 22/11/2009]. Available from: http://www.hex-rays.com/idapro/.
18. Aaron's Homepage - includes AspackDie [Internet] [cited 28/11/2009]. Available from: http://209.85.229.132/search?q=cache:zOGmZUZCz2wJ:www.exetools.com/unpackers.htm+aspackdie&cd=2&hl=en&ct=clnk&gl=uk.
19. Sharif M, Lanzi A, Giffin J, Lee W. Automatic reverse engineering of malware emulators. 30th IEEE Symposium on Security and Privacy, 2009:94-109.
20. Process Monitor [Internet] [cited 28/11/2009]. Available from: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx.
21. Wireshark · Go deep. [Internet] [cited 28/11/2009]. Available from: http://www.wireshark.org/.



22. OllyDbg v1.10 [Internet] [cited 22/11/2009]. Available from: http://www.ollydbg.de.
23. Digital genome mapping - advanced binary malware analysis. Virus Bulletin conference; 2004.
24. Wagener G, State R, Dulaunoy A. Malware behaviour analysis. Journal in Computer Virology 2008;4(4):279-87.
25. Moser A, Kruegel C, Kirda E. Exploring multiple execution paths for malware analysis. Proceedings - IEEE Symposium on Security and Privacy 2007:231-45.
26. Scalable, behavior-based malware clustering. Network and Distributed System Security Symposium (NDSS); 2009.
27. Inoue D, Yoshioka K, Eto M, Hoshizawa Y, Nakao K. Malware behavior analysis in isolated miniature network for revealing malware's network activity. IEEE International Conference on Communications 2008:1715-21.
28. Liu L, Chen S. Malyzer: Defeating anti-detection for application-level malware analysis. Applied Cryptography and Network Security, 7th International Conference, ACNS 2009, Paris-Rocquencourt, France, June 2-5, 2009. Proceedings. 2009;5536:201-18.
29. Detours - Microsoft Research [Internet] [cited 22/11/2009]. Available from: http://research.microsoft.com/en-us/projects/detours/.
30. Skype uncovered [Internet] [cited 18/11/2009]. Available from: http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf.
31. CWSandbox [Internet] [cited 22/11/2009]. Available from: http://www.cwsandbox.org/.
32. QEMU [Internet] [cited 22/11/2009]. Available from: http://www.nongnu.org/qemu/about.html.
33. Dike J. User Mode Linux. Upper Saddle River, NJ: Prentice Hall; 2006.
34. Live View [Internet] [cited 22/11/2009]. Available from: http://liveview.sourceforge.net/.
35. Norman | Norman SandBox® [Internet] [cited 22/11/2009]. Available from: http://www.norman.com/technology/norman_sandbox/en-us.
36. bochs: The Open Source IA-32 Emulation Project (Home Page) [Internet] [cited 22/11/2009]. Available from: http://bochs.sourceforge.net/.
37. VMware Business Infrastructure Virtualization: Beyond Virtual Machines & Servers [Internet] [cited 22/11/2009]. Available from: http://www.vmware.com/.
38. ScoopyNG [Internet] [cited 22/11/2009]. Available from: http://www.trapkit.de/research/vmm/scoopyng/index.html.
39. Chen X, Andersen J, Mao ZM, Bailey M, Nazario J. Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. IEEE International Conference on Dependable Systems and Networks with FTCS and DCC, DSN 2008:177.
40. Testing CPU emulators. Proceedings of the Eighteenth International Symposium on Software Testing and Analysis - ISSTA '09; 2009.
41. Joebox: a secure Sandbox Application for Windows to analyse the Behaviour of Malware [Internet] [cited 22/11/2009]. Available from: http://joebox.org/#.
42. Ether: Malware analysis via hardware virtualization extensions. Proceedings of the 15th ACM Conference on Computer and Communications Security - CCS '08; 2008.
43. Purui S, Lingyun Y, Dengguo F. Exploring malware behaviors based on environment constitution. Proceedings - 2008 International Conference on Computational Intelligence and Security, CIS 2008;1:320-5.
44. A View on Current Malware Behaviors [Internet] [cited 5/11/2009]. Available from: http://www.usenix.org/events/leet09/tech/full_papers/bayer/bayer_html/.
45. Bayer U, Kruegel C, Kirda E. TTAnalyze: A tool for analyzing malware. 2006.
46. ThreatExpert - Submit Your Sample Online [Internet] [cited 22/11/2009]. Available from: http://www.threatexpert.com/submit.aspx.
47. BBC NEWS | Technology | Millions tricked by 'scareware' [Internet] [cited 29/11/2009]. Available from: http://news.bbc.co.uk/1/hi/8313678.stm.
48. APWG Phishing Activity Trends Report - First Half 2009 [Internet]. Available from: http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf.
49. Websense Security Labs report - State of Internet Security, Q1-Q2 2009 - Websense Features [Internet] [cited 29/11/2009]. Available from: http://community.websense.com/blogs/websense-features/archive/2009/09/15/websense-security-labs-report-state-of-internet-security-q1-q2-2009.aspx.
50. China accused over global computer spy ring | World news | The Guardian [Internet] [cited 22/11/2009]. Available from: http://www.guardian.co.uk/world/2009/mar/30/china-dalai-lama-spying-computers.
51. Germany accuses China of industrial espionage | World news | The Guardian [Internet] [cited 22/11/2009]. Available from: http://www.guardian.co.uk/world/2009/jul/22/germany-china-industrial-espionage.
52. Viruslist.com - Information About Viruses, Hackers and Spam [Internet] [cited 29/11/2009]. Available from: http://www.viruslist.com/.
53. Microsoft Security Bulletin MS04-028: Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987) [Internet] [cited 29/11/2009]. Available from: http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx.

/ Author Bio
Ian Kennedy is employed as a Consultant by Control Risks. Operating both in and out of his base in London, Ian has undertaken forensic investigative work in a variety of jurisdictions around the world. With a background in computer forensics within law enforcement and C++ programming, Ian continues to take an active interest in contributing to both further and higher education programmes through his various roles as an Associate Lecturer for the Open University, his visiting lectures given to a number of Universities and his work as a part-time tutor for a local further education college. Currently following a Doctorate in malware research, his research interests focus on malware behaviour.


MODELLING FOR
OPERATIONAL FORENSICS
PART 2: ILLUSTRATIVE USE OF MODELLING PARADIGMS

In part 1 of this article (DFM Issue 2) we looked at a number of modelling paradigms. In part 2 we will use a sample analysis to illustrate how these techniques can be used to guide a simple psychosocial forensic analysis.
by Dr Barry Hood

/ INTERMEDIATE

We will illustrate the process of modelling to investigate and analyse a generic incident rather than a specific one. We will take the situation of having an undesirable condition identified and then attempting to uncover a root cause of that condition, with the emphasis on identifying psychosocial conditions rather than digital. The approach can apply to the latter as well as the former, as it is a domain independent approach.

Figure 1. Undesirable Condition

We start in Figure 1 with a single Petri Net place node representing the undesirable condition (a round node), i.e. a security breach or compromise. Then, as any condition either is an assumption or arises as a result of an action, we naturally ask the question: how does this condition arise? It arises as a result of some action A performed by some agent X (a box node), with an arrow connecting the two to indicate that the condition can arise as a result of the action. This situation is thus represented in Figure 2. We can now ask why this action took place, looking for a condition that would enable the action to take place.

Figure 2. How replaced by Action A by Agent X

As we want to look at the psychosocial aspects of forensic analysis rather than the digital aspects, a possible answer to this question is that agent X was trusted and thus able to carry out action A without hindrance. Figure 3 represents this new situation.

Figure 3. Why replaced by Trust condition

In order to take the analysis further we need a model of organisational trust. Figure 4 shows such a trust model, taken from Figure 4 of the MERIT work on insider threats, see [MERIT08]. Now produce a translation of that model into our Petri Nets model. As a final act, add the relevant security zones to the model, representing the involved agencies, the Insider and the Organisation, to give Figure 5.

Trust, represented by the 'Trusted' node in Figure 5, inhibits monitoring activities, as represented by the arrows with the unorthodox heads. This in turn means that no behavioural precursors are discovered, even when they are generated by the insider's general actions prior to the compromise action A. This enables the perception of low risk to become true through the passage of time, so enabling the insider to be even more trusted, which only serves to increase the level to which they are 'trusted'. And so on round the loop. The behavioural precursors would be revealed by psychosocial forensics and the technical precursors by digital forensics after the fact, and by behavioural monitoring and technical monitoring respectively before the fact. The former could be done by staff awareness and reporting programmes. The latter could be achieved through intrusion detection and auditing.

Figure 6 shows the Petri net representation of the targeted monitoring solution in [MERIT08]. Here the trust in the insider



does not control the use of targeted monitoring for specific precursors. When this targeted monitoring throws up some of these specific precursors, this forces the more detailed monitoring into action, cancelling the inhibiting effect of the trust condition. The targeting could consist of monitoring specific precursors of specific roles in the organisation that have a particular potential for causing damage. The key point is that the self-reinforcing loop caused by the initial trust can be broken by the countermeasures preventing the trap. On the other hand, overbearing use of monitoring is not present unless called for by the situation, as indicated by the targeted monitoring.

Figure 4. Influence Diagram of Trust Trap from MERIT

Figure 5. Petri Net version of Trust Trap Model

In building the above model we are performing a reconstruction of the psychosocial crime scene, in a like manner to reconstructing the physical and digital crime scenes. Part of crime scene investigation is hypothesis formation to guide the search for evidence at the scene. Profiling can be seen as a form of psychosocial hypothesis formation. This profiling can then be extended to profile social situations, attempting for example to characterise the kind of opportunity the attacker would need to cause the incident under investigation.
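The trust trap of Figure 5 and the targeted-monitoring countermeasure of Figure 6, run as a small executable Petri net: an added example, not the article's or [MERIT08]'s model. The net is reconstructed from the prose above rather than copied from the figures, so its places, its priority order, the scenario of insider actions and the reading of the unorthodox-headed arrows as inhibitor arcs are all assumptions.

```python
"""The trust trap and the targeted-monitoring countermeasure as a Petri net.

Added example, not from the article or from [MERIT08]. The net below is
reconstructed from the prose description of Figures 5 and 6, not copied from
the figures, and the 'arrows with the unorthodox heads' are assumed to be
inhibitor arcs: a transition fires only while the inhibiting place is empty.
Running the same insider scenario with and without the countermeasure shows
the self-reinforcing loop and how targeted monitoring breaks it.
"""


class PetriNet:
    """Place/transition net with weighted arcs and inhibitor arcs."""

    def __init__(self, marking):
        self.marking = dict(marking)
        self.transitions = []   # priority order: (name, inputs, outputs, inhibitors)

    def add(self, name, inputs, outputs, inhibitors=()):
        self.transitions.append((name, dict(inputs), dict(outputs), tuple(inhibitors)))

    def tokens(self, place):
        return self.marking.get(place, 0)

    def enabled(self, transition):
        _name, inputs, _outputs, inhibitors = transition
        return (all(self.tokens(p) >= n for p, n in inputs.items())
                and all(self.tokens(p) == 0 for p in inhibitors))

    def fire(self, transition):
        name, inputs, outputs, _inhibitors = transition
        for p, n in inputs.items():
            self.marking[p] = self.tokens(p) - n
        for p, n in outputs.items():
            self.marking[p] = self.tokens(p) + n
        return name

    def run(self, max_firings=50):
        """Fire the first enabled transition (priority order) until none is enabled."""
        fired = []
        for _ in range(max_firings):
            ready = next((t for t in self.transitions if self.enabled(t)), None)
            if ready is None:
                break
            fired.append(self.fire(ready))
        return fired


def trust_trap_net(targeted_monitoring, initial_trust=1):
    """Assumed places: precursor (an insider action left a behavioural precursor),
    role_signal (the actor holds a role singled out for targeted monitoring),
    discovered (a precursor was found), trusted (units of trust in the insider)."""
    net = PetriNet({"precursor": 0, "role_signal": 0, "discovered": 0,
                    "trusted": initial_trust})
    if targeted_monitoring:
        # Figure 6: monitoring targeted by role is not inhibited by trust
        net.add("targeted_monitoring", {"precursor": 1, "role_signal": 1}, {"discovered": 1})
    # Figure 5: detailed monitoring only runs while nobody is 'trusted'
    net.add("detailed_monitoring", {"precursor": 1}, {"discovered": 1}, inhibitors=["trusted"])
    # a discovery cancels the inhibiting trust, one unit per firing
    net.add("escalate", {"discovered": 1, "trusted": 1}, {"discovered": 1})
    # an undiscovered precursor feeds the perception of low risk: more trust
    net.add("time_passes", {"precursor": 1}, {"trusted": 1})
    return net


def simulate(net, insider_actions):
    """Inject one precursor per insider action ('general' or 'role'), settle, repeat.

    Returns the final marking and the list of transitions fired per action."""
    log = []
    for kind in insider_actions:
        net.marking["precursor"] += 1
        if kind == "role":
            net.marking["role_signal"] += 1
        log.append(net.run())
    return dict(net.marking), log


SCENARIO = ["general", "general", "role", "general", "general"]   # constructed

if __name__ == "__main__":
    for countermeasure in (False, True):
        marking, log = simulate(trust_trap_net(countermeasure), SCENARIO)
        print("with countermeasure:" if countermeasure else "trust trap:        ", marking)
```

Without the countermeasure every precursor is absorbed by time_passes and the trusted place only grows; with it, the first precursor from the targeted role is caught, escalate drains the trust tokens, and detailed monitoring is enabled for everything that follows.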


Although the example is a very small one, it illustrates the process of question and answer through the development of a model, rather than just the accumulation of data. This approach, although relevant to all forensic analysis, is particularly important in psychosocial forensics, where there is not a lot of data to collect by comparison to the digital case. The value of a model-based approach is that at the end of the analysis there is something, the model, to go forward to the next analysis, which can provide a jumping off point for that analysis. This leads to a possible new step in the forensic process, when viable and relevant models are present: that of model validation, which is not normally part of a forensic investigation.

We have taken a psychosocial example to model in this paper rather than a digital or physical one, but the approach is equally applicable to those other two areas. The choice of a psychosocial context was to explicitly show that the approach is not tied to the technical aspects of forensic analysis.

Figure 5 and Figure 6 show the relevance of security zones in relation to Petri Net models. They show the boundary, and thus the context, of the various agents' concerns and control.

In Figure 7 we see a simple conceptual model version of the insider threat Petri Net model above. If we link this to the other conceptual models, such as those shown in part 1, we can see where precursor behaviour might leave manifest evidence of its presence. From this the nature of the targeted monitoring can be determined, along with any forensic activity this could involve. One of the features of ORM is its ability to be verbalized and so be communicated to others who may not comprehend the formal models. Thus Figure 7 can be rendered in the following verbal form:

A Person presents precursor Behaviour in relation to an Attack. Managers trust Persons. The trusting allows this precursor behaving to exist.

Figure 6. Targeted Monitoring Countermeasures

Figure 7. Conceptual Model of Attack Precursor Behaviour

How do we use these conceptual models for forensic work? Again, as in the case of Petri Nets, we are looking for causes. The answer is to follow the relationship concept chains, just as in the Petri Nets case we follow the condition-action chains. So, for example, we can go from behaviour to data on a hard disk via the documents the person has used. Discovering these relationships can suggest forms of information to investigate that would not otherwise have been investigated. Conceptual models are able to provide models other than just for the logical perspective and enable forensic analysis to move consistently between the different perspectives as required. This is particularly relevant to operational forensics and its need to cover more than the logical, i.e. digital, aspects of an incident. To get the full benefit the conceptual model needs incorporating into the net model.

/ Summary
In these two parts we have introduced a number of modelling methods that could be used to guide aspects of forensic analysis, as well as suggesting a new arena of forensic analysis. The use of Petri nets in this area is not new, as can be seen by



looking at [Stephenson04]; however, the manner in which the Petri nets and the many extensions are used is radically different. The use of Petri nets in digital forensics also aligns with the approach to investigation presented in [Carrier04].

This article has also illustrated how the system dynamics models of [MERIT08] can be modelled in a more intuitive action-condition model that gives a better handle on the countermeasures and how they fit with the original situation. The inherently aggregation-oriented basis of the system dynamics models is very good at the high levels but not so good in determining detailed countermeasures.

Security zones, although useful for policy development, seem less useful in forensic analysis (at least digital analysis), where the complexity may overwhelm the model. Having said that, the identification of a large attack surface through the identification of many entry and exit points is valuable for operational forensics when such a large attack surface is itself at the root of the incident.

The work in this article goes beyond just analysis and looks to the development of solutions as well. This ability to discover solutions is also part of operational forensics, as the final bullet point in the introduction states. The modelling approaches documented here have the potential for meeting this requirement. The ideal situation would be that the above or equivalent methods were used for requirements and design, giving forensic analysis ready-made models to work with, thus saving time and effort. This could be particularly important where the incident involved has large ramifications and speed or accuracy of analysis is of the essence. Such modelling approaches have been the author's pursuit for the last few years in relation to wider security analysis.

We can see that the various paradigms guide both the reasoning process and embed the results of analysis for further use. The models represent a logical context in which the forensic work can be placed. Because psychosocial forensics would not produce data that is of relevance to a prosecution, its direct usefulness is restricted to the operational context, in which improving the system is the motive. We believe, in fact, that Petri net models enable the requirements for effectiveness and efficacy to be met in a way that other approaches do not.

Figure 8. Multiple Models

Figure 8(a) shows the integration of Conceptual models (ORM) with Petri Nets and System Dynamics as proposed in [Tulinayo09]. Figure 8(b) shows this extended to accommodate the security zones from this article. This two-part article has not looked at System Dynamics models, but these are used in [MERIT08] to derive quantitative models for the insider threats, so are already known to fit in.

The ability not only to move from context to context but from paradigm to paradigm, supported by models, is much more important for operational forensics than it is for digital forensics, which has a much more limited remit. [Tulinayo09] shows how some of the integration can be done, and we have shown here how security zones occur naturally in the other models.

REFERENCES
Carrier04, Event-based Digital Forensic Investigation Framework, B.D. Carrier and E.H. Spafford, Purdue University, 2004
MERIT08, The "Big Picture" of Insider Sabotage Across U.S. Critical Infrastructures, Technical Report CMU/SEI-2008-TR-009, Andrew P. Moore, Dawn M. Cappelli, Randell F. Trzeciak, Software Engineering Institute, Carnegie Mellon, May 2008
Stephenson04, The Application of Formal Methods to Root Cause Analysis of Digital Incidents, Peter Stephenson, International Journal of Digital Evidence, Fall 2004, Volume 3, Issue 1
Tulinayo09, Integrating System Dynamics with Object-Role Modelling and Petri Nets, P. F. Tulinayo, S.J.B.A. Hoppenbrouwers, Patrick and H.A.E. Proper, Technical Paper, ICIS, Radboud University Nijmegen, 2009

/ Author Bio
Dr Barry M. Hood, a mathematician by training, has been in IT for more than 35 years covering all aspects of the software lifecycle, including extensive involvement with development methods. Security became his exclusive activity more than 15 years ago, some 10 years after his first involvement with the subject.

/ FEATURE

IT’S NOT ABOUT PREVENTION
THE NEED FOR PREPAREDNESS IN CYBERSECURITY

Companies that prepare for failure will ultimately be more secure in the long run when an attack occurs
by Steve Shillingford
/ INTERMEDIATE

Organizations that provide services into the network security ecosystem often feel an acute obligation to scare customers into buying products. Let’s start with some requisite fear-mongering:

HIPAA, GLBA, Basel II, SOX, FISMA, GRC, FERPA, PCI, CALEA, Insider threats, Data leakage, Identity theft, Gumblar/Conficker/Botnets, Social network attacks, XSS, CSRF, SQL injection, DNS rebinding/poisoning, TJX, Heartland Payment, IM/P2P leaks…

/ Are you scared yet?
It is unfortunate that a standard tactic used to encourage the over-deployment of security tools is to refer to the latest, most “fashionable” breach technique to illustrate the need for YAST (Yet Another Security Tool). But do we really need to continue to spend countless billions on technology that never lives up to its hype? Does anyone really believe that any tool can provide 100% protection against any threat? Logic will tell you that you can’t “out-anticipate” the bad guys, so why settle for a false sense of security?

Despite this basic truth, most organizations are overleveraged on prevention that will ultimately fail. And yes—attacks will occur. The systems that organizations put in place will fail. In fact, even as the government puts money and human capital into cyber-security, the focus is all wrong. According to one government analyst firm, Input, U.S. spending on cyber-security will grow at a compound rate of 8.1 percent a year between 2009 and 2014, outpacing general IT spending. Most importantly, researchers at Input predict that most of this spending will be on preventative measures in the form of real-time monitoring and control of computer networks, with less emphasis on audits to identify breaches after they happen.

This is not to say that we should not deploy preventative tools in our networks. We should. However, we need to exercise much more humility in our efforts. Do we really believe that the problem with existing security is that our “locks, alarms, and keys” are insufficient? The data suggests we have a problem of strategy, not technology. Instead of simply focusing on what hasn’t worked – focusing all our efforts on building better ways to prevent the bad guys from accessing our systems – we need to concentrate on methods and tactics that have worked in other facets of our world, namely the real world. This isn’t simply another word for “defense in depth” or “layered security”. Rather, it is thinking about security in a more circumspect manner, and focusing on preparation, not just prevention.

The current state of cyber-security is yet another example of not paying attention to logic. It is logically and practically impossible to prevent every “bad” thing from happening to your network. To advertise anything to the contrary presupposes that we can “out-guess”, “out-anticipate”, or otherwise “predict” how cyber-criminals will plan their future attacks. It seems illogical that industry pundits continue to miss this point. Bottom line: it is necessary to prepare for failure. If failure is not built into your security plan, then your organization will suffer the consequences—lost revenue, customer trust and brand reputation.

What’s missing is the incident response, or network forensic, element. Imagine the FBI trying to solve a bank robbery without video surveillance. Why do we think networks are different? If this has worked so well in the physical world, why not deploy the same tactics to our cyber-world?

Recently, a network forensics survey was conducted to identify the extent of security breaches and determine if organizations had built failure into their security plan. The survey found that a number of companies have recently experienced a significant network security breach or expect one within the next 36 months.

While many survey respondents believed incident response is necessary, most did not have the capabilities to determine the full scope of an incident when it occurs. This is daunting, given that 75 percent of the respondents believe that an attack will have a significant impact on their company brand and reputation.

More than 200 individuals participated in the survey. All belonged to organizations with at least 1,000 network nodes and either managed or were directly involved in the maintenance of their organization’s computer networks.

Figure 1. Survey respondents answer how likely it would be to experience a security incident in the next 36 months

Figure 2. Survey respondents answer how long it takes to understand a security incident

Highlights of the findings include:

• More than 85 percent of respondents have either had a major network incident in the past 36 months or expect to have a major incident in the coming 36 months.
• Over 75 percent of the survey participants agreed that major security incidents would have or have had a significant impact on the company’s brand and reputation.
• Nearly half of the respondents say that when an attack occurs, it can take two to ten or more days to determine the full scope of the incident. These facts are telling and directly contradict the report from Input. Instead of focusing exclusively on building higher walls and better locks, our industry should take a page out of the real (physical) world and start to think differently about how we battle today’s most pressing national security threat.
• 92 percent of respondents believe that it is important to have network forensics capabilities that can capture and record all network traffic; yet only 28 percent were very familiar with network forensic solutions.
• While 76 percent feel they need to do more, and their organization would benefit from more incident response tools, about half of the respondents spend less than 25 percent of their overall security budget on incident response and a quarter do not have an effective incident response plan in place.

Heartland, T-Mobile, Merrill Lynch and American Express are just a few companies that have been under attack and have experienced an impact to brand reputation and trust. This is more evidence that a breach is inevitable and can happen at organizations one would expect to maintain strong security practices.

While most organizations implement security strategies that target prevention of a cyber attack, those same organizations fail to understand the three pillars of an effective security strategy: prevention, detection and incident response.

Prevention. We know prevention is not a 100 percent guarantee. Recent security breaches at T-Mobile, Heartland Payment Systems, TJX Companies, Lexis Nexis, Twitter, Visa and MasterCard provide proof that prevention is not an absolute. We can also use common sense to reason that there are endless potential attack vectors within a network; and portraying ourselves as capable of anticipating all of these, with perfect accuracy, is to say that we can become omniscient in our deployments. Does anyone really believe this?

Most organizations implement many products and services to prevent a security incident. Network intrusion applications, application firewalls, unified threat management, data and information leak prevention, antivirus software, content monitoring and filtering, etc., are all terms well known by your IT security staff. But what happens when a hacker is successful at breaking through your “secure” system? A quick glance at a newspaper can give you many examples.

Detection. When a breach occurs, what happens next? The ability to address security incidents as they happen is a critical strategy that organizations fail to implement, even though the cost of such failure is tremendous.

A recent report found that the average cost to remediate a compromised health care record is $211. Here’s a costly example: the University of North Carolina recently disclosed a breach of 160,000 records. Based on $211 per record, the cost to remediate would be nearly $34 million. In addition, the cost to remediate the TJX breach was estimated between $250 and $300 million, based on $3 per compromised record.

Network forensics / incident response. The third pillar is quite simple: when something unexpected happens, we should have planned our reaction. With a comprehensive incident response plan, you simply “rewind the tape.” Like a bank that has just been robbed (because despite the guards, alarms, and locks, they still deploy cameras), network forensics provides organizations a rewind feature to quickly identify what happened to specific files, data, etc., and take immediate steps to resolve the situation. Reduced exposure, evolving security measures, and ultimately having a way to review an attack and make sure it can’t happen again, is just good practice. It is the same reason law enforcement agencies have forensics teams to conduct criminal investigations. New York City has arguably one of the most comprehensive incident response teams for terrorist attacks; why do we think network security is any different from security in the physical world?

Active network forensics levels the playing field by allowing network administrators to “see” attacks, understand their root cause, and then fortify the network to prevent further exposure and possible recurrence. Unlike slow, simple network data capture devices that require tedious analysis of sample data by skilled security administrators, active network forensics appliances enable effective interrogation of any event, even on today’s high-speed networks. They can easily isolate specific events and then assemble a complete picture of what occurred, enabling a swift and effective response by network personnel, even those with only modest security skills.

Most large organizations are just starting to realize that despite “good security”, an attack will occur. At this point, many need to decide if they will continue to do what they’ve been doing for years, or if they are going to focus on the three pillars of security and build failure into their strategy.

A culture shift within companies needs to occur. We cannot continue to do the same thing we’ve always done and expect different results. Quite simply, that is the definition of insanity.

It is obvious that security incidents will continue to occur. Companies that prepare for failure will ultimately be more secure in the long run when an attack occurs. /

REFERENCES
CIO Canada Staff, Top cybercrook targets for 2008, ComputerWorld, March 11, 2008, http://www.computerworld.com/s/article/9067799/Top_cybercrook_targets_for_2008?taxonomyId=17&intsrc=kc_top&taxonomyName=security
INPUT, the authority on government business, provides market intelligence, analysis, consulting, and events and training to help companies develop government business and public sector organizations achieve their objectives, www.input.com
Grant Gross, Study: US gov’t cybersecurity spending to grow significantly (Cybersecurity spending will be double that of spending on all IT projects, Input says), IDG News Service, October 23, 2009
Survey conducted by Solera Networks (www.soleranetworks.com) and Trusted Strategies; results released October 2009
Jaikumar Vijayan, Heartland breach shows why compliance is not enough, Computerworld, January 6, 2010
Marguerite Reardon, T-Mobile investigates possible security breach, CNET, June 8, 2009
Department of Justice, Consumer Protection & Antitrust, Notice of Security Breach, http://doj.nh.gov/consumer/breaches.html
Data Loss DB, Open Security Foundation, http://datalossdb.org/incidents/110-major-card-processor-breached-losing-millions-of-credit-card-numbers
Larry Walsh, Medical Record Breaches Cost $211 Each to Remediate, SecureChannel, October 26, 2009

/ Author Bio
Steve Shillingford is the president and CEO of Solera Networks. He has more than 15 years of experience in sales, operations and management in technology companies. He joined Solera Networks in early 2007 from Oracle Corporation, where he was responsible for some of the largest deals in the company during his tenure, all in the Rocky Mountain region. He was named top salesperson within Oracle in 2005 for his success in growing the company’s presence in the region and his consistently strong performance in meeting revenue objectives. Prior to joining Oracle in 2000, Steve had held several sales and operational management positions at Novell over the preceding seven years. Steve holds a B.S. with honors in Psychology from Brigham Young University.


/ PRODUCT REVIEW

PRODUCT REVIEW
Product Purpose: A Macintosh-based forensics tool designed to analyze iPhones
Product Name & Version Number: Lantern 1.0.4.0 – From Katana Forensics
Price: 295.66 Euro ($399 USD)

As of the end of 2009, the Apple iPhone had grown to almost 18% of the total smartphone market worldwide after only 2.5 years on the market. In the United States the market share for the iPhone is now over 30 percent, slightly behind Blackberry’s 42 percent. Regardless of the sector or geographic location, it is likely that every digital forensics firm has been asked to, and has likely struggled to, effectively analyze an iPhone from either a complexity or cost perspective.

There are currently various methods and software applications that have rushed to the market to address this need. Some methods require controversial modifications (“jailbreaking”) of the phone to extract the information to analyze, some products have added the iPhone to their supported phones, and others have been developed specifically for the iPhone.

Lantern by Katana Forensics was written specifically for OS X. This choice in application development architecture provides some implied advantages when analyzing iPhones. Some examples are using the same native applications such as Preview and QuickTime, which are used natively on the iPhone. Rather than developing from scratch or adding plugins to review information from the iPhone, Lantern simply leverages the native applications available in a very natural and seamless method. When using Lantern, it has the same deceptively simple characteristics as other OS X applications (See Figure 1).

Figure 1

A copy of the Lantern software is available from http://katanaforensics.com/katana-forensics-store/ and is a relatively small download. If you choose to “test drive” the software before purchasing, Lantern can be obtained as a free trial with limited capabilities. As with the majority of applications that install on OS X, the installation could not be simpler. Simply mount the downloaded DMG file and copy the Lantern application to your chosen Applications folder, desktop, or to your dock.

In working with other cell phone forensics software and iPhone acquisition methods, my first positive impression was the acquisition process. It could not be any simpler: attach the suspect iPhone, choose acquire, and follow the wizard. The acquisition process will start and provide you with a very informative progress status screen and will even notify you before the process begins if you do not have adequate disk space to perform the acquisition. For clarification, Lantern does not perform a physical acquisition of the iPhone; it performs a logical acquisition of the device that is equivalent to the information that is backed up to iTunes. Therefore, the iPhone itself is not changed or altered; the data is acquired logically and hashed with MD5 for verification.

The basic features provided by Lantern are as expected: call logs, contacts, messages, notes, calendar, photos, etc. However, the organization and presentation of the information is very intuitive and easy to analyze. As an example, the contacts information is provided in a very digestible method: as you scroll through the contacts it provides all of the information assigned to that person and a picture that may be associated with the contact. This is only one example of the simplicity of the methods in which Lantern presents the data.

Figure 2

/ REVIEW IN BRIEF
Contacts
Katana Forensics
http://katanaforensics.com
info@katanaforensics.com
+1 877 820 6191
Katana Forensics, LLC, PO Box 86, Easton, MD 21601

Requirements
Intel Mac – Mac Mini or other Intel Mac
OS X 10.4 to 10.6+
Min. 2GB RAM

Pros
Simplicity of Use
Fast Acquisitions
Price
Reporting

Cons
Global searching not available
No “Bookmarking” of information
Due to logical acquisition only, deleted information is not available

Verdict
The Lantern 1.0.4.0 forensics software from Katana Forensics meets a growing need for iPhone forensics analysis, providing a clean and simple interface at a very competitive price point.

/ EXIF DATA
iPhones provide potentially valuable EXIF data in the form of the latitude and longitude coordinates of the location the picture was taken. Suspect: “I was not at the victim’s house on the night the incident occurred.” Investigator: “Really? Here is a picture that you took of yourself and the other suspects performing keg stands that we discovered on your iPhone. The EXIF data from the pictures indicate that the pictures were taken between 22 and 45 minutes before the incident. In addition, latitude and longitude from the picture provide the coordinates for the victim’s home.”
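The review notes above that Lantern’s logical acquisition is hashed with MD5 for verification. The script below is an added example, not code from Lantern or Katana Forensics: it generalises that single hash to a per-file manifest of an acquisition directory, so that a later re-hash reports exactly which files were modified, removed or added rather than only that “something” changed. The directory layout and file contents in demo() are constructed for illustration and are not a real iPhone backup; SHA-256 is recorded beside MD5 because MD5 on its own is no longer collision resistant.

```python
"""Per-file integrity manifest for a logical acquisition directory (added example)."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large media files are never read whole into memory


def file_digests(path):
    """Return (md5, sha256) hex digests of one file.
    MD5 is kept because that is what the reviewed tool records; SHA-256 is added
    because MD5 collisions are practical and a second, stronger hash closes that gap."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its digests."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digests(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(manifest, path):
    """One line per file: md5, sha256 and relative path, separated by two spaces."""
    lines = ["%s  %s  %s" % (md5, sha256, rel)
             for rel, (md5, sha256) in sorted(manifest.items())]
    Path(path).write_text("\n".join(lines) + "\n")


def read_manifest(path):
    """Inverse of write_manifest(); the path is the remainder after the two digests."""
    manifest = {}
    for line in Path(path).read_text().splitlines():
        md5, sha256, rel = line.split("  ", 2)
        manifest[rel] = (md5, sha256)
    return manifest


def verify_manifest(root, manifest):
    """Re-hash the tree and classify every discrepancy against the stored manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed acquisition tree: hash it, round-trip the manifest, tamper, re-verify.
    Returns (result before tampering, result after tampering)."""
    with tempfile.TemporaryDirectory() as evidence, tempfile.TemporaryDirectory() as casefiles:
        root = Path(evidence)
        # Constructed sample files; names only loosely mimic an iOS backup layout.
        (root / "Library" / "SMS").mkdir(parents=True)
        (root / "Library" / "SMS" / "sms.db").write_bytes(b"constructed sample database")
        (root / "Library" / "notes.sqlite").write_bytes(b"constructed sample notes")
        # Keep the manifest outside the evidence tree so it is not part of what it describes.
        manifest_path = Path(casefiles) / "acquisition.manifest"
        write_manifest(build_manifest(root), manifest_path)
        manifest = read_manifest(manifest_path)
        clean = verify_manifest(root, manifest)
        # Simulate the three kinds of post-acquisition change a verifier must surface.
        (root / "Library" / "notes.sqlite").write_bytes(b"constructed sample notes, edited")
        (root / "Library" / "SMS" / "sms.db").unlink()
        (root / "extra.plist").write_bytes(b"")
        tampered = verify_manifest(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

Run it against a real acquisition directory by calling build_manifest() once at acquisition time and verify_manifest() whenever the copy is re-opened; any non-empty list is a chain-of-custody question to answer before analysis continues.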


/ PRODUCT REVIEW

/ OSX
In the past, the development of a forensics product specific to the OS X operating system may have hindered the sales of the product in the digital forensics marketplace. There are a couple of items that are changing the role of Apple computers in forensic labs. Since Apple moved to the Intel processor family, many forensics shops actually use Apple Macintosh hardware and run Windows natively with Apple’s Boot Camp, within a virtual machine, or both. In addition, with Apple’s market share now over 12%, forensics labs are routinely investigating OS X and often choose to do so with the Macintosh. With these aspects in play, most digital forensics shops have Apple as an investigative platform. With Lantern, many of us will now have a reason to use the OS X side of our Boot Camp partition more often.

Figure 3

Below is a brief summary of the features of Lantern:

• Call logs provide the standard incoming, outgoing, and call duration information. However, Lantern also provides potentially valuable information such as whether or not a voicemail was left and whether a call was cancelled or failed.
• The voicemail information includes the standard date, duration, sender, etc. Additional features of great value are denoting whether or not the voicemail has been heard, the date the voicemail was deleted, and the ability to listen to the voicemail from the application.
• The messages provide the expected information along with MMS support with a preview of the file.
• Notes with the expected creation and modification times.
• Calendar entries with the expected information.
• Internet information such as bookmarks and Internet histories with visit times and counts.
• The Media tab provides all available media files with the file location, all associated metadata, and the ability to launch the media file for review from within the application.
• The Photos tab is another very impressive method to view pictures (See Figure 2). The Lantern application logically structures all of the files in the left hand window with the option to preview the picture. On the right hand side of the screen you are provided with the wealth of EXIF data forensics investigators have discovered from pictures taken with iPhones. A great feature of Lantern is that all EXIF data from each picture is provided.
• The dictionary data provided by Lantern is another potential source of valuable information. Some compare the iPhone dictionary to a “keylogger” of some sorts, as it maintains the words that are often typed on the iPhone.
• Map data with information bookmarked, queries, latitude, longitude, and even routes are provided.
• VoiceMemos are available with the ability to play them from the Lantern interface.
• On the “Info” screen of the Lantern application, there is an area labelled “Open Artifact Directories”. This feature has great potential depending on the applications installed on the iPhone. As “there is an app for that”, Lantern provides the ability to analyze the information from these third party apps. This area provides the acquired iPhone directory and file structure to facilitate deeper analysis of the third party apps. Application data, plists, SQLite databases, and other information created and used by the third party applications can be analyzed using this feature.

Once you have used Lantern to logically acquire the iPhone and have analyzed the data with the smooth interface, the reporting option facilitates the ability to produce the report in any format imaginable (word, xml, pdf, rtf, html, csv, etc.). The reporting option provides you with the category of information you would like to report on (see Figure 3). In our testing, Lantern does not provide the capability to bookmark information; therefore all information from the category chosen is exported, and this might be a concern for some users.

The digital forensics field is one of complexities and we require many different applications to successfully complete our investigations. It is refreshing to encounter a niche application that can simplify our investigations. If you have had issues with iPhone investigations in the past, or are frustrated with the cost or complexity of other tools and methods, Lantern from Katana Forensics may be the forensics tool for you.

/ Post Review Note:
The following was posted by Katana Forensics on Forensic Focus: “Katana Forensics has announced that Lantern can support all generations of iPhones and the new iPad, to include iPhone OS 3.2. Lantern will also release a new version that will contain improved acquisitions, additional exporting features and hashing of all images. The future development roadmap will contain parsing of backup files from Mac and PC, and Bookmarking”.

/ Author Bio
Bill Dean is the Director of Computer Forensics for Sword & Shield Enterprise Security. He has more than 13 years of experience in the technical field, in roles such as programmer, systems support, enterprise systems design and engineering, virtualisation, digital forensics, and information security. Bill is a frequent speaker and published author on the topics of digital forensics and electronic discovery for numerous legal associations.
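The EXIF sidebar earlier in this review and the Photos tab description above both rest on the GPS tags that iPhone pictures carry. What follows is an added example, not code from Lantern or Katana Forensics: a standard-library parser that walks a JPEG’s Exif APP1 segment to the GPS sub-IFD and converts the degree/minute/second rationals to signed decimal degrees, so that the coordinates a tool reports can be cross-checked independently before they go into a report. The JPEG produced by build_sample_jpeg() is constructed here with made-up coordinates; it is not a real iPhone photo, and real photos carry many more tags than the four read here.

```python
"""Extract GPS latitude/longitude from a JPEG's Exif segment (added example)."""
import struct

GPS_IFD_POINTER = 0x8825                        # IFD0 tag holding the offset of the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x1, 0x2, 0x3, 0x4
ASCII, LONG, RATIONAL = 2, 4, 5                 # TIFF field types used here


def _read_ifd(tiff, offset, e):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    (n,) = struct.unpack_from(e + "H", tiff, offset)
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i                  # 2-byte count, then 12-byte entries
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, base)
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _rationals(tiff, entry, e):
    """RATIONAL values never fit the 4-byte field, so it holds an offset to count (num, den) pairs."""
    typ, count, raw = entry
    if typ != RATIONAL:
        raise ValueError("expected RATIONAL field")
    (off,) = struct.unpack(e + "I", raw)
    vals = struct.unpack_from(e + "%dI" % (2 * count), tiff, off)
    return [vals[i] / vals[i + 1] for i in range(0, 2 * count, 2)]


def _dms_to_degrees(dms, ref):
    """Degrees/minutes/seconds to decimal degrees; south and west are negative."""
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def exif_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if no GPS tags are present."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos, tiff = 2, None
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)  # length counts itself, not the marker
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + length]             # TIFF header follows the Exif identifier
            break
        if marker == 0xFFDA:                                   # start of scan: no more header segments
            break
        pos += 2 + length
    if tiff is None:
        return None
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])                  # byte order is declared per file
    if e is None:
        raise ValueError("bad TIFF byte-order mark")
    (ifd0_off,) = struct.unpack_from(e + "I", tiff, 4)
    ifd0 = _read_ifd(tiff, ifd0_off, e)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])
    gps = _read_ifd(tiff, gps_off, e)
    if not all(tag in gps for tag in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat_ref = gps[GPS_LAT_REF][2][:1].decode("ascii")   # short ASCII values are stored inline
    lon_ref = gps[GPS_LON_REF][2][:1].decode("ascii")
    return (_dms_to_degrees(_rationals(tiff, gps[GPS_LAT], e), lat_ref),
            _dms_to_degrees(_rationals(tiff, gps[GPS_LON], e), lon_ref))


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed JPEG: SOI, one Exif APP1 segment (little-endian TIFF), EOI; no image data.
    lat_dms/lon_dms are [(num, den)] pairs for degrees, minutes, seconds."""
    e = "<"
    gps_off = 8 + (2 + 12 * 1 + 4)             # after the 8-byte header and a one-entry IFD0
    data_off = gps_off + (2 + 12 * 4 + 4)      # after the four-entry GPS IFD

    def entry(tag, typ, count, raw):
        return struct.pack(e + "HHI", tag, typ, count) + raw

    tiff = b"II" + struct.pack(e + "HI", 42, 8)
    tiff += struct.pack(e + "H", 1) + entry(GPS_IFD_POINTER, LONG, 1, struct.pack(e + "I", gps_off)) + b"\0" * 4
    tiff += struct.pack(e + "H", 4)
    tiff += entry(GPS_LAT_REF, ASCII, 2, lat_ref.encode() + b"\0" * 3)
    tiff += entry(GPS_LAT, RATIONAL, 3, struct.pack(e + "I", data_off))
    tiff += entry(GPS_LON_REF, ASCII, 2, lon_ref.encode() + b"\0" * 3)
    tiff += entry(GPS_LON, RATIONAL, 3, struct.pack(e + "I", data_off + 24))
    tiff += b"\0" * 4
    for num, den in list(lat_dms) + list(lon_dms):
        tiff += struct.pack(e + "II", num, den)
    payload = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    # Made-up coordinates: 40 deg 26' 46.00" N, 79 deg 58' 56" W
    sample = build_sample_jpeg([(40, 1), (26, 1), (4600, 100)], "N", [(79, 1), (58, 1), (56, 1)], "W")
    print(exif_gps(sample))
```

On a real acquisition, call exif_gps(open(path, "rb").read()) on each picture from the Photos area; a None result means the phone did not embed a location for that shot, which is itself worth recording, since absence of GPS tags is not evidence of location.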


UNIVERSITY VACANCIES
Digital Forensic Vacancies at International Universities

The Defiance College, Ohio, USA

Defiance College seeks an enthusiastic, challenge-hungry, full-time faculty member to develop, refine, and teach courses in the rapidly-growing undergraduate Digital Forensic Science (DFS) major, starting in FA10. The successful candidate would be responsible for instruction in courses on computer fundamentals (hardware, software, networking, and operating systems), computer and small-scale digital device forensics, information security, network forensics, network intrusion detection, and the legal, ethical, and professional issues associated with the digital forensics field. Other responsibilities may include providing training to local law enforcement agencies, developing select hybrid delivery courses, and participating in the development of a DFS graduate program.

/ Qualifications Required
Candidates must have a graduate degree, a strong affinity for student mentorship and community service, and be able to guide students through successful engagement learning opportunities in a robust hands-on curriculum. The ideal candidate would have an earned doctorate in computer, digital or cyber forensics; computer security; or a related field.

/ Skills Required
Significant digital forensics work experience, teaching experience, and industry certifications (e.g., CFCE, CCE, EnCE, ACE, GCFA, DFCP, CEH, SSCP, CISSP) will improve the candidate’s competitiveness.

/ Remuneration
Appointment is anticipated at the Assistant/Associate Professor level, the rank and compensation being determined based on qualifications of the candidate.

/ Additional Info
Located in the city of Defiance in northwest Ohio, Defiance College is an independent, coeducational, liberal arts-based institution. It has been named for three consecutive years to the President’s Higher Education Community Service Honor Roll with Distinction, was named as one of 81 institutions in the Princeton Review’s “Colleges With a Conscience” publication, and recently received the Community Engagement Classification from the Carnegie Foundation. Defiance College is listed among the top tier of baccalaureate colleges in the Midwest in the 2008 edition of U.S. News and World Report’s Best Colleges. (www.defiance.edu)

Please apply via the college website.




MEET THE DF
PROFESSIONALS
Thomas J. Slovenski – Cellular Forensics LLC
Interviewer: Roy Isbell

How did you get into the world of Digital Forensics? With the emergence of many tools to assist the investigator
It was in 2007 that I was reading an article on the subject of Mobile how do you validate their usefulness?
Phone Data Recovery and it struck me that mobile phones were the I can only speak in regards to the Mobile Forensics side
‘future’. I could see computers literally evolving into mobile phones of things; I let the manufacturers worry about their own
and the impact these mobile devices could have in someone’s life. I validations. If little or no validation is available, that is what I
immediately sought training on the subject and travelled to Indiana will testify to on the stand.
where Mobile Forensics Expert, Professor Rick Mislan of Purdue  
University, taught me.  After my first 5 minutes of training, I was How do you see Mobile Forensics evolving and integrating
hooked and sought to acquire as much information that I could with related disciplines in Digital Forensics?
on the subject and soon had many private investigation networks and associations inviting me to speak on this new and exciting technology and how it applied to their cases.

How did you go from the investigation of mobile phones to mobile spyware discovery?
In 2008, I began to receive numerous calls and emails inquiring if I knew how to determine if a cell phone was ‘bugged’. I searched all over the web and could not find one person who specialized in mobile spyware examinations. To make matters even harder, I could not find any company that was addressing this ever growing and pressing threat. So I started looking for the answers myself. Soon after, I was referred to a P.I. in Scotland by the name of Ian Sweeney, who was doing his own ‘spyware examinations’. Ian was very gracious and literally tutored me over the Internet in what to look for and what tests to perform on a phone. Then as time went by, I found a small company in the USA that was developing their own proprietary malware scanning software. With all the knowledge I had gained, I started offering mobile spyware examinations and became the first one in the USA to do so. Then, at the persistence of Rick Mislan, I became the first to train other investigators internationally on how to find mobile spyware in any of the over 3000 models of cell phones out there. I am proud to say that my class is not only the first of its kind, but also the very first to offer exclusive training manuals including a proprietary 72-page manual dealing exclusively with the iPhone and spyware.

How did the Specialist Network you established come about?
Earlier this year I identified a need for my graduates to be able to stay abreast of all the newest spyware and technology that threatened mobile security. It was from this need that I started the Mobile Security Specialists Network. Now, every graduate of my spyware class is added to this exclusive and private network made up of other graduates and my own special group of international spyware experts.
As long as there are ‘digital’ devices and criminals, there will always be the need for eDiscovery, malware analysis and other related fields. Let’s face it; at least 95% of all crimes committed have a cell phone involved in them in some form or another.

What do you think is the future for mobile phones and Digital Forensics?
With mobile phones slated to eventually take the computer’s place in many a person’s life, the threat of spyware will be ever present and ever increasing. To be able to find and/or prevent an attack will be very beneficial for those who have the knowledge, experience and ability to combat this onslaught. This is the future. As I tell my audiences, “your cell phone will be your laptop on your hip tomorrow”.

/ INTERVIEWEE Bio
Thomas J. Slovenski (Tom) graduated in 1986 from Bob Jones University (South Carolina) with a 4 year Bachelor of Arts Degree in ‘Bible’. After starting out being a minister he got hooked in policing and later into Digital Forensics. Whilst a Police Officer and Detective, Tom became a Senior Investigator of Internal Affairs for 5 law enforcement divisions in a large metropolitan county in South Carolina. In 2002, he started “Elite Investigations of South Carolina, LLC” and specialised in domestic investigations and hard to locate individuals.
In 2007 Tom received training in mobile phone data recovery and coined the term: “Cellular Forensics”. Tom changed the name of his company in 2008 to “Cellular Forensics, LLC” and specialised entirely in mobile forensics and mobile spyware discovery. He now trains other professionals in mobile spyware discovery with students from all over North America and abroad. Tom started the “Mobile Security Specialists Network”, a group of international experts devoted to mobile spyware discovery and eradication with members residing in UK, Japan and the USA. Tom can be contacted at: tom@cellularforensics.com.

BLADE
FORENSIC DATA RECOVERY

BLADE is a Windows-based, advanced professional forensic data recovery solution designed by Digital Detective Group. It supports professional module plug-ins which give it advanced data recovery and analysis capabilities. The power and flexibility of the tool can be expanded as new modules become available.
BLADE supports all of the major forensic image formats and is more than just a data recovery tool. The professional modules have in-built data validation and interpretation routines to assist with accurate data recovery.
The software has been designed for fast/accurate forensic data recovery. Not only is it highly effective in the pre-analysis stage of a forensic examination, it can be quickly configured to recover bespoke data formats.
With the addition of professional modules, BLADE can recover data which is not extracted by other forensic tools.

PROFESSIONAL RECOVERY MODULES
• Live and Deleted Outlook Express (v5-6) Email Messages (including attachments)
• Live and Deleted AOL (Personal Filing Cabinet) Email Messages (including attachments)
• Live and Deleted Windows Link Files

KEY FEATURES
• Regular Expression High Speed Advanced Carving
• Supports Headers, Data Landmarks & Footers
• User Created/Customisable Data Recovery Profiles
• Professional Modules for Advanced/Specialised Data Recovery
• Variable Input Block Size, Sector Boundary Options
• Multithreaded for fast searching and recovery
• Forensic Audit Logging

SUPPORTS
• Single/Segmented Unix/Linux DD/Raw Image Files
• EnCase® (v1-6) Compressed/Uncompressed Image Files
• SMART/Expert Witness Compressed/Uncompressed Image Files
• AccessData® FTK Image Files
• Physical/Logical disk access

www.bladeforensics.com
Digital Detective Group, PO Box 698, Folkestone, Kent, CT20 9FW. Telephone: 0845 224 8892

/ FEATURE

TIME FOR FORENSICS
THE IMPLICATIONS FOR FORENSICS OF TIME STAMPS

Enabling you to understand and effectively investigate digital time stamps

by Paul Tew

/ ENTRY

Whether it is the ability of trees to shed their leaves every autumn, the diurnal flowers that open for just an hour a day or the bat that navigates by measuring the time it takes an echo to reach its ear, it seems that there is something innately built in to the very essence of life on Earth that makes it able to measure the passage of time in some form or another. It comes as no surprise then, that mankind has sought to mark the passage of time in order to understand the world around him and to exploit the resources that nature offers.

/ MEASURING TIME
The progress of time is a constant that needs to be placed into discrete units in order to make sense of it. The passage of the sun through the sky marks a convenient 1 day period for example which can determine when to rise, find food and eventually go back to sleep. Our ancient ancestors would have had no need to define a second as accurately as 9,192,631,770 oscillations of an atom of Caesium, as we do.
Today, the measurement of time falls into two broad categories, rotational time and atomic time. Rotational time

as the name suggests, is in synchronisation with the rotation of the Earth and includes the now outdated Greenwich Mean Time (GMT). Atomic time is the new kid on the block (having been introduced around 1955) and apart from relativistic effects, is largely independent of the Earth’s influence. Interestingly, now that we have an accurate measurement, we find that the Earth is slowing down due principally to the effect of the tides. This means that in GMT, a second is getting slightly longer each year. In fact, it transpires that the Earth is slowing down by about 1 second every 18 months or so.
Now we have a situation where there is a time standard that is slowing down and a time standard that ticks at a constant rate. How do we reconcile these two models? The answer will be familiar to computer forensic analysts because they refer to the standard all the time; it is of course, UTC. Coordinated Universal Time or UTC is a standard that ticks at the same rate as the atomic clocks, but is updated periodically by inserting a leap second so that it accords with rotational time.
This is an important point for analysts; strictly speaking GMT and UTC are not the same. It is common practice in computer circles to use the two terms interchangeably. For example RFC 822 (eMail Messages) states “GMT is permitted as a reference to Universal Time”. Yet as we have seen, the difference can be up to 1 second. For practical purposes this might not seem too big a difference, but the analyst might need to bear this fact in mind: if ever the semantic point is being made in a courtroom and they don’t know the difference, it could have the potential to undermine their credibility.

/ WARNING – Inaccurate time stamps
A time stamp recorded on digital media is like any other data and can be changed by either mistake or malicious intent. In Unix based systems the GNU tool touch will alter file times and in Windows timestomp.exe from the Metasploit project will do the same thing. Antivirus programs will regularly change accessed times for files. A good analyst will never take time stamps for granted and will seek to verify them whenever possible. For example, looking at the times embedded in a Word document will help to authenticate the file times.

Figure 1. Ambiguous Time

/ TIME ZONES
If you and I stand East and West of each other then our perception of when the sun is directly overhead will differ as the Earth rotates. The difference in this perception of the midday point varies with the difference in distance; in fact, if at the equator we are about 1670 kilometres apart (15 degrees of longitude) then the difference will be 1 hour. This wasn’t a problem until the advent of the railways and the need to publish timetables. In the UK in 1840 ‘Railway Time’ standardised all the local times into a single time zone (which

then went on to become GMT). This eventually occurred in every country in the world with the railways being behind the thrust for change and with each country adopting their own time zone. Large countries, especially those that have a great East to West distance, have adopted several time zones. Russia, for example, has a total of 11 separate time zones.
From the perspective of the forensic analyst, time zones don’t cause too great a problem as most tools can interpret time zones and present the local time as the user would have seen it.

/ DAYLIGHT SAVINGS TIME
In 1784 Benjamin Franklin calculated that the city of Paris could save the equivalent of $200 million in candle wax alone if the citizens were to rise and go to bed an hour earlier in the summer. He argued that this would accord much better with normal human activity. Picking up on these ideas the MP William Willett campaigned for most of his political life to get the UK to institute daylight savings time (DST). The USA however were the first to put DST into place and the UK only followed in 1916 because the savings in the public purse would help the war effort (and probably because Germany had already done it).
Today, countries are free to decide whether they want to institute DST. As you approach the poles and latitude increases, the differential between the length of a day in the winter and the day in the summer increases too. The need to put DST in place becomes stronger the further from the equator a country is.
From an analyst’s point of view, DST creates a small if somewhat intractable problem. At the end of DST when the clocks go back there is (usually but not always) a period of 1 hour in which the local time is repeated. Converting from UTC to local time is not a problem but converting from local time to UTC is. Consider a UK (Europe/London time zone) local time of 2010-10-31 01:30:29; was this recorded before the clocks were changed from British Summer Time (01:00:00 UTC) or after? Which is the right offset to apply to get to UTC? The choices are either -60 minutes or 0 minutes. Times with this problem are referred to as ambiguous times. The puzzle posed by ambiguous times is compounded by the fact that most forensic tools do not identify ambiguous times for file systems that record local time, the most notable of these being the FAT file system. Nearly all the tools I am aware of will automatically make one conversion without offering the other.

/ Representing time – ISO 8601
Depending on your locale and understanding, the date 12/02/10 could mean 12th February 2010, the 2nd December 2010 or the 10th February 2012, and that assumes the two figure year has been interpreted correctly.
To prevent ambiguity the ISO 8601 standard was developed to provide a uniform and consistent representation of time. This standard expects the four-figure year to be followed by the month, day, hours, minutes and seconds (two characters each). This is the representation used in this article, so 2010-02-12 00:00:00 is the first second of the 12th February 2010. This representation can be compressed so that 20100212000000 represents the same time.

/ The Effect of Relativity on Time – The Twin Paradox
Whilst time is a constant to the observer, it can move at different rates relative to an outside observer. A number of factors might have a bearing on this perception of another person’s time; these include inertial frame of reference (speed) and gravitational force.
In a classic thought experiment you could consider a pair of twins, one who remains on Earth and one who takes a journey in a spaceship and returns back to Earth only to discover that their sibling was considerably older than them, yet the clocks for both of them were seen to be ticking at exactly the same rate. A similar effect can occur when one observer is close to a large gravitational object and the other is not. In relativistic terms the clock that is close to the large mass is running slower than the clock that is free of gravity.
These effects explain why there are a number of atomic times. Some take their frame of reference from the Earth whilst others like TCB might be referenced from the centre of the Solar System (useful for predicting the motion of the planets to a high degree of accuracy).

/ RECORDING TIME
All times recorded on data systems must have the following elements:
• A start time (known as the epoch date).
• A resolution, which determines the accuracy or the ‘tick’ rate.
• A bit size that determines the capacity of the time stamp.
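The ambiguous local time from the DAYLIGHT SAVINGS TIME section, worked through in code. This is an added example, not code from the article: it assumes the UK rule in force since 1996 (BST from 01:00 UTC on the last Sunday in March to 01:00 UTC on the last Sunday in October), writes offsets the way the article does, as the minutes added to local time to reach UTC, and the helper names are my own. It returns both candidates for the repeated autumn hour and none for the hour skipped in spring, the two cases a tool that silently makes one conversion gets wrong.

```python
"""Resolve a Europe/London local time to UTC, flagging ambiguous and non-existent times.

Added example for the DAYLIGHT SAVINGS TIME section; not code from the article.
Assumed rule (the UK rule in force since 1996): BST runs from 01:00 UTC on the last
Sunday in March to 01:00 UTC on the last Sunday in October. Offsets are written the
way the article writes them, as the minutes added to local time to reach UTC
(0 for GMT, -60 for BST), and times use the article's ISO 8601 layout.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
RULES = (("GMT", 0), ("BST", -60))   # (label, minutes to add to local time to get UTC)


def last_sunday(year: int, month: int) -> datetime:
    """Midnight at the start of the last Sunday of the month (weekday(): Monday=0 ... Sunday=6)."""
    first_of_next = datetime(year + (month == 12), month % 12 + 1, 1)
    last_day = first_of_next - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)


def bst_in_force(utc: datetime) -> bool:
    """True when British Summer Time applies at the given UTC instant."""
    start = last_sunday(utc.year, 3).replace(hour=1)
    end = last_sunday(utc.year, 10).replace(hour=1)
    return start <= utc < end


def local_to_utc_candidates(local_iso: str) -> list:
    """Every UTC instant a Europe/London clock would have shown as `local_iso`.

    Returns (label, offset_minutes, utc_iso) tuples, earliest instant first: one for
    an ordinary time, two for an ambiguous time in the repeated autumn hour, none for
    a time in the hour skipped when the clocks go forward."""
    local = datetime.strptime(local_iso, FMT)
    found = []
    for label, offset in RULES:
        utc = local + timedelta(minutes=offset)
        # a candidate only counts if that offset really was in force at that instant
        if bst_in_force(utc) == (label == "BST"):
            found.append((label, offset, utc.strftime(FMT)))
    return sorted(found, key=lambda c: c[2])


def classify(local_iso: str) -> str:
    """'unique', 'ambiguous' or 'nonexistent' for a local time stamp."""
    count = len(local_to_utc_candidates(local_iso))
    return {0: "nonexistent", 1: "unique"}.get(count, "ambiguous")


if __name__ == "__main__":
    # The article's example, plus the skipped spring hour and an ordinary summer time.
    for stamp in ("2010-10-31 01:30:29", "2010-03-28 01:30:00", "2010-06-15 12:00:00"):
        print(stamp, classify(stamp), local_to_utc_candidates(stamp))
```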

The combination of these factors determines the effective start and end date for that time stamp. Let’s take an example; in the C programming language the standard time stamp is named ‘time_t’. The majority of definitions for time_t are as a 32-bit signed integer, although the 64-bit version is beginning to make an appearance. For now we will stick with the 32-bit variety. time_t has an epoch time of 1970-01-01 00:00:00 and a resolution of 1 second. Because it is signed, the possible values range from -2,147,483,648 to 2,147,483,647, which equate to a time stamp range of 1901-12-13 20:45:52 through to 2038-01-19 03:14:07. Forget the Y2K bug, any operating systems or programs written in C or C++ that still use the 32-bit time_t are likely to have a bit of a headache in January 2038.

/ More info
SANS Internet Storm Centre
http://isc.sans.org/
A good source for a variety of statistics, for both current and historical malware. You can even query the dataset.

TrendLabs Malware blog
http://blog.trendmicro.com/
A regularly updated blog keeping you current on the threats in the wild, with screenshots of malware activity.

ThreatExpert
http://threatexpert.com/
As well as the online analysis facility, you will find a threat map that indicates the origins of current threats.

Figure 2. TimeLord

/ TIME ON COMPUTER SYSTEMS
Most computer systems these days contain a real time clock or RTC (sometimes called a hardware or BIOS clock). This clock has its own power supply in the form of a lithium battery. Generally the sole purpose of this clock is to provide a time signal for the machine as it boots up; thereafter the operating system maintains its own system clock that is updated using interrupts to the CPU. At intervals and on shutting the system down, the system clock updates the RTC.
The RTC can be set to any time in any time zone and does not have to be correct; indeed, it is not uncommon to find that a Windows XP machine has been set to Pacific Standard Time, some 8 hours behind UTC (and that is without DST being taken into consideration) because the user accepted all the default settings when the system was set up. This issue of incorrectly set RTCs, whether it has been done accidentally or on purpose, can be a real problem for forensic analysts because any resultant time stamps recorded to disk or held in memory will replicate the error.
Another problem is that the RTC is usually a quartz crystal clock and can suffer from inaccuracies due to temperature or other conditions. This difference with actual time is known as ‘skew’ and is exacerbated if a machine is kept in storage for a long time before examination.

/ How to check that a RTC (BIOS clock) time from a static computer is correct:
• Remove any hard drives and power the machine up. Take a reading of the RTC from the BIOS and a reading from an accurate local clock at the same time (I tend to take a photo).
• Establish the offset that was last applied to the RTC to return it to UTC. This is a combination of TimeZone and DST settings that were last applied. The information can be obtained from an analysis of the disk(s). Apply this offset to the RTC time.
• If possible calculate the skew of the RTC and apply that to the period between last power-up and examination (adjtime file). Update the RTC time with this skew.
• Apply the offset in your local time zone (and DST) to the local time you took in step 1.
• Both times should now be in UTC and can be directly compared.
• Any difference should be applied to all times obtained from the machine.

/ TIME SETTINGS IN LINUX
In Linux it is a trivial matter to set the real time clock to either UTC or local time. The location of the indicator as to which time is used can vary depending on the distribution, but on Ubuntu the setting can be found in the /etc/default/rcS text file. The line ‘UTC=yes’ or ‘UTC=no’ tells you what you need to know. On other systems you might find the same setting in the file /etc/sysconfig/clock.
Skew is dealt with in the Linux environment by a file named ‘adjtime’ which maintains a list of the adjustments that have been made to the RTC; it can usually be found in the /etc/ or /var/lib/hwclock/ directory. The appropriate adjustment is calculated and the file is updated when setting the RTC and system clock from an external source.
The time zone setting is to be found in the file /etc/localtime which is either a copy of, or a link to, a file in the /usr/share/zoneinfo directory. These files are compiled timezone files so you won’t be able to read them with a text editor; rather, you will have to reverse engineer them or use the tool zdump to read them.

/ TIME SETTINGS IN WINDOWS
Windows generally assumes the real time clock is set to local time. However, up to Windows XP it was possible to

set the real time clock to UTC with the RealTimeIsUniversal name set to a value of 1 in the ControlSet[nnn]\Control\TimeZoneInformation key in the SYSTEM registry hive, where [nnn] is the current control set.
This same key contains a wealth of information about the current time zone setting too. The setting in ActiveBias will reveal the last offset (in minutes) that was applied to the system clock to convert local time to UTC. Be aware that this is a signed 32-bit integer, so any value of 0x80000000 and above is negative and must be read using two’s complement.

Some common types of stamp

Time Stamp                      Epoch                    Resolution   Bit Size
time_t (Unix time)              1970-01-01 00:00:00      1 sec        32 or 64
Windows Filetime (NTFS time)    1601-01-01 00:00:00      100ns        64
FAT Created time (DOS)          1980-01-01 00:00:00      10ms         40*
FAT Last Modified time          1980-01-01 00:00:00      2 sec        32*
FAT Last Accessed time          1980-01-01               1 day        16*
HFS and HFS+ times (Apple)**    1904-01-01 00:00:00      1 sec        32
UUID - Time based version       1582-10-15 00:00:00***   100ns        60

* These times have some redundancy (not all bit values are used) so the end date is earlier than the theoretical maximum.
** HFS records local time, HFS+ records UTC.
*** The epoch date for UUID time stamps is set as the first day of the Gregorian calendar.
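To show how the epoch, resolution and bit size in the table fix a stamp's usable range, and how the signed ActiveBias value is read, here is an added example (not code from the article): the FAT bit layout and the FILETIME unit are the standard definitions, the sample words are constructed, and the function names are my own. The FAT decoder returns the local time the clock showed, which is exactly the kind of value the ambiguous-time problem applies to.

```python
"""Decode the stamp formats from the table above and read the ActiveBias registry value.

Added example, not code from the article. Each decoder follows the epoch, resolution
and bit size given in the table; the FAT bit layout and the FILETIME unit are the
standard definitions, the sample words used at the bottom are constructed, and the
function names are my own. FAT stamps are whatever the local clock showed, so the FAT
decoder returns a naive local time, not UTC.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
UNIX_EPOCH = datetime(1970, 1, 1)
FILETIME_EPOCH = datetime(1601, 1, 1)


def signed32(raw: int) -> int:
    """Reinterpret a 32-bit value as two's complement: 0x80000000 and above are negative."""
    raw &= 0xFFFFFFFF
    return raw - 0x1_0000_0000 if raw & 0x80000000 else raw


def unix32_to_iso(raw: int) -> str:
    """32-bit signed time_t: 1 s ticks from 1970-01-01, so 0x80000000 decodes to 1901
    and 0x7FFFFFFF to the January 2038 limit mentioned in the text."""
    return (UNIX_EPOCH + timedelta(seconds=signed32(raw))).strftime(FMT)


def filetime_to_iso(filetime: int) -> str:
    """64-bit FILETIME: 100 ns ticks from 1601-01-01 (NTFS stores these in UTC)."""
    return (FILETIME_EPOCH + timedelta(microseconds=filetime // 10)).strftime(FMT)


def fat_to_iso(date16: int, time16: int = 0, tenths: int = 0) -> str:
    """FAT directory-entry words: date = years since 1980 (7 bits) | month (4) | day (5),
    time = hours (5) | minutes (6) | seconds/2 (5). `tenths` is the extra created-time
    byte (0..199, units of 10 ms) that gives that stamp its 10 ms resolution; a
    last-accessed stamp has only date16, which is the 1 day resolution in the table."""
    year = 1980 + (date16 >> 9)
    month = (date16 >> 5) & 0x0F
    day = date16 & 0x1F
    hour = time16 >> 11
    minute = (time16 >> 5) & 0x3F
    second = (time16 & 0x1F) * 2
    local = datetime(year, month, day, hour, minute, second) + timedelta(milliseconds=10 * tenths)
    hundredths = ".%02d" % (local.microsecond // 10000) if tenths else ""
    return local.strftime(FMT) + hundredths


def active_bias_minutes(raw: int) -> int:
    """ActiveBias from TimeZoneInformation, read as the signed minutes that take local
    time to UTC: 0x000001E0 (480) is Pacific Standard Time, 0xFFFFFFC4 is -60 (BST)."""
    return signed32(raw)


if __name__ == "__main__":
    print(unix32_to_iso(0x80000000), "to", unix32_to_iso(0x7FFFFFFF))   # the 32-bit time_t range
    print(filetime_to_iso(116444736000000000))                           # 1970-01-01 00:00:00
    print(fat_to_iso(0x3C4C, 0x6DAF, 150))   # constructed words: 2010-02-12 13:45:31.50 local time
    print(active_bias_minutes(0xFFFFFFC4), active_bias_minutes(0x000001E0))   # -60 480
```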

/ COMPARING OTHER TIME SOURCES
It is useful to be able to independently confirm the time settings on a machine wherever possible. There are a number of techniques that we can use here, but they all come down to tracking down time stamps created by a remote machine or server and verifying them on the local machine. An example might be a web page in the cache of a web browser (usually the most fertile ground for this kind of investigation). An auction site web page is ideal because it nearly always has a time stamp embedded within it to let you know how much bidding time you have left. Compare this time with the created time of the file within the cache and you should find that it is within a few seconds. Of course a good analyst won’t rely on one source and will look for others to help confirm any hypothesis regarding the local time of the machine. Other sources might include server log files or any others that you might care to think of.

/ CONCLUSION
It is easy to be seduced by the seeming accuracy of time stamps but as we have seen there are many factors at play. It is incumbent on the analyst to identify and compensate for any errors, particularly where a person’s liberty is at stake. You wouldn’t want to be the analyst who sanctioned the application for a search warrant on the address of an innocent person because they were in the unfortunate position of having picked up a dynamic IP address that an hour earlier was assigned to a paedophile, and all because you had misinterpreted the daylight savings time, now would you? /

/ Author Bio
Paul started his working life as a surveyor spending 3 years in the Royal Artillery before going to work with his father in their civil engineering company. Disillusioned with the less than lawful practices he was seeing in the industry he joined the Nottinghamshire Police in 1985 immediately following the miners’ strike. In the intervening time he has spent 8 years as a police law trainer and 5 years as a computer forensic analyst. Paul is also an associate lecturer with the Open University lecturing on their postgraduate M889 Computer Forensics and Investigations course. Paul has given presentations on computer forensics to the BCS, the University of Bergen and Universities in and around Nottingham.

/ FEATURE

DIGITAL STEGANOGRAPHY
AN INTRODUCTION TO THE PRACTICE OF DIGITAL INFORMATION HIDING

Learn why digital steganography is one of the biggest threats to forensics investigations and why it’s only a matter of time…

by James E. Wingate

/ ENTRY

Throughout history man has sought ways to communicate secretly. One of the earliest recorded methods for doing this was the use of wax tablets by the ancient Greeks.
In 480BC, Demaratus used wax tablets in an attempt to warn King Leonidas of Sparta that King Xerxes I planned to lead his army into Greece prior to the historic Battle of Thermopylae. Because the danger of being discovered was great, Demaratus hid his warning by scraping the wax off the tablets and scribing his message directly onto the wood. Then he recoated the tablets with wax and sent the tablets via messenger to Leonidas. Interestingly, when the tablets were delivered, no one could figure out why they had received wax tablets with nothing written on them. According to The Histories written by Herodotus, widely acclaimed as the Father of History, Queen Gorgo, Leonidas’ wife, is purported to have said, “If they would scrape the wax off the tablet, they would be sure to find the writing upon the wood.” Thus, the warning was delivered, but the Spartans got massacred at Thermopylae in one of history’s greatest last stands as depicted in the movie “300” starring Gerard Butler.
Demaratus’ use of wax tablets is one of the earliest and most widely referenced uses of information hiding, a practice that has become known as steganography.

/ What is Steganography?
Steganography is derived from the Greek words “steganos”, which means “covered” or “protected”, and “graphein”, which means “writing.” When the two words are combined, the result is literally “covered writing” or “protected writing.” Essentially, steganography is a means of communicating secretly, or covertly. Over the years the art of Information Hiding has presented itself in many ways, for example:

• The Chinese hid secret messages on slips of paper and baked them in moon cakes
• Mary, Queen of Scots, hid encrypted information in the bunghole of beer barrels
• Gaspar Schott hid information in musical symbols used to write sheet music
• George Washington used invisible ink to communicate secretly
• Microdots, the size of a period, were used in World War II to conceal information¹

For a comprehensive history of secret communication from Ancient Times to the present, the interested reader should read The Code Breakers by David Kahn².
In the Internet era, steganography has evolved into a digital form of information hiding. Accordingly, when talking or

Figure 1. Basic Steganography Model

writing about steganography today, it is generally presumed the speaker or writer is referring to digital steganography.
Digital steganography is essentially about hiding a file in, or appending a file to, another file, called the carrier file, such that the carrier file is not altered enough to raise suspicion that something may be hidden within it or appended to it. A basic steganography model can be seen at Figure 1.
There are a number of techniques used for information hiding, for example a technique called spam mimicry where information is hidden by disguising it as spam (www.spammimic.com) or disguising the information as a nonsensical but often humorous one-act play as does Sam’s Big Playmaker.
A technique exists for hiding information in the unused fields of communication protocols such as IPv4 and IPv6. Using a tool called v00d00n3t (VooDooNet) you can hide information in unused IPv6 fields encapsulated in IPv4 packets; this was introduced at DEFCON in 2006. The tool effectively creates a tunnel for funnelling hidden information through current generation network security appliances because most have yet to be programmed to inspect IPv6 packets.
Another very new technique emerging is the ability to hide information in digitized voice streams generated by the growing number of Voice over Internet Protocol (VoIP) systems being deployed. Modifying the low order bits of digitized voice signals ever so slightly hides information in a way that the hidden information does not affect the quality of the digitized voice signal.

/ Why Use Steganography?
A frequently asked question is “Why would anyone want to go to the trouble of using steganography to hide information when they can use cryptography to encrypt it?” The primary reason is because cryptography is an overt form of information hiding, or information protection. The fact that information has been encrypted is easily detected, which can lead to attempts to decrypt the information, some of which might be successful.
However, the main reason steganography is appealing is because it is a covert form of information hiding, or information protection, that conceals the very fact the information even exists! As an added measure of security, information can be encrypted before being hidden as

Figure 2. Advanced Steganography Model

illustrated in Figure 2. For this reason, steganography is often referred to as the Dark Cousin of cryptography.
Another reason to use steganography is simply because it is so readily available. It is estimated that there are well over 1,000 digital steganography applications available on web sites across the Internet. Most of the applications are available as freeware or shareware.
While the word steganography might not pop into the head of the average user, the words “information hiding” probably would. Entering those words in a Google search yields over eight million links, many of which lead the user to web sites containing steganographic applications. For example, the interested reader can visit www.stegoarchive.com where over 100 steganographic applications can be found.
These applications are not only easy to find, they are easy to download, install, and use. It does not take an expert computer user to use the applications because they come equipped with the familiar drag-and-drop or wizard interface that the majority of users have learned to use as a basic computer skill.

/ Who Uses Steganography?
Insiders, paedophiles, drug traffickers and terrorists, to name a few. Anyone who wants to cover their digital tracks could use steganography as a counter forensic investigation technique. Human Nature 101 taught us that people who are doing bad things and fear getting caught and doing time in the ‘Cross-Bar’ hotel will attempt to hide what they are doing.
Insiders with access to sensitive information such as protected health information, or PHI, and personally identifiable information, or PII, or large quantities of intellectual property can use steganography to exfiltrate (i.e., steal) information. These days, most insiders have access to large quantities of sensitive information. They can easily steal the information by hiding it inside seemingly innocuous looking images and then upload the images to a web site or send the images to themselves, or a co-conspirator, as an email attachment. Who would suspect pictures of a vacation to the beach, mountains, etc. would contain hidden information? No one would.
A common means of distributing child pornography is to use steganography to embed the images inside of other images and then upload the images to a web site.

For example, who would suspect that pictures of a train collection for sale on eBay would contain child pornography? No one would.
Narcotics traffickers can use steganography to conceal information about their drug deals. In a case from the not too distant past, the notorious Colombian drug trafficker, Juan Carlos Ramirez Abadia, was arrested in Brazil. It had been discovered he was using pictures of Hello Kitty to send messages to his minions about cocaine shipments between countries.
Finally, there are the terrorists. Steganography is a perfect tool for members of terrorist cells to communicate covertly and is being used on several Jihadist web sites. In fact, the February 2007 edition of Technical Mujahid, a training manual for Jihadis, contains an article that encourages extremists to download a copy of the software program Secrets of the Mujahideen. As previously mentioned, steganography is being increasingly used as an anti-forensics tool to make it even more difficult, and in most cases impossible, for law enforcement digital forensics examiners to recover digital evidence.

/ How Many Are Using Steganography?
No one really knows. Obviously, everyone isn’t using it but it is equally obvious that some are using it. The answer lies somewhere in between no one and everyone.
Steganography presents an interesting paradox. It is difficult to convince people to be concerned about something they cannot see. However, electricity is a glaring exception to that; we can’t see it but we sure know it’s there and have learned to treat it with proper respect or risk injury or even death.
Because there is no large body of empirical evidence that steganography is being used, most digital forensic examiners and network security managers don’t believe it is being used. Accordingly, they are not sufficiently concerned to acquire and employ tools to detect its use.
It must be noted, however, that if only one insider used steganography, they might use it to steal the crown jewels. It is conceivable that this could cause a company to go out of business. Thus, while the risk may be perceived to be low to non-existent, the impact can be disastrous; even fatal.

/ Future of Steganography
Certainly, as the capabilities of network security tools, such as Data Loss Prevention systems, continue to improve, the appeal of using steganography to steal sensitive information
times on the burgeoning black market for practically any kind of information anyone wants to sell.
It would be instructive to remember Willie Sutton’s philosophy about banks. Willie was a prolific bank robber who stole more than two million dollars from over 100 banks between the late 1920s until his final arrest in 1952. When asked why he robbed banks, Willie reportedly said “Because that’s where the money is.”
So today we could ask cyber criminals a similar question. Why do they rob networks? The answer would surely be “Because that’s where the information is.”
Use of steganography to steal information or otherwise conceal evidence of criminal activity will continue to grow. However, it will not be detected until more examiners and security managers start looking for it.
To state the obvious, “that which is not looked for will never be found”. /

/ Author Bio
James E. Wingate, CISSP-ISSEP, CISM, CHP, CHSS, is Director of the Steganography Analysis and Research Center (SARC) and Vice President of Backbone Security. He is leading efforts to develop state-of-the-art digital steganalysis tools for use by digital forensics examiners and network security personnel in the public and private sectors. He is a member of HTCC and HTCIA and regularly gives presentations on the use of digital steganography to conceal evidence of criminal activity at major conferences across the United States. He retired from the US Air Force after more than 24 years of service

/ MORE INFO
Information Hiding – Techniques for Steganography & Digital Watermarking – Katzenbeisser, Petitcolas, © 2000 Artech House Inc, ISBN 1-58053-035-4
Information Hiding – Steganography & Watermarking Attacks & Countermeasures – Johnson, Duric & Jajodia, © 2001 Kluwer Academic Publishers, ISBN 0-7923-7204-2
Steganography in Digital Media: Principles, Algorithms & Applications – Jessica Fridrich, © 2009 Cambridge University Press, ISBN-13 978-0521190190

REFERENCES
1. Gregory Kipper, Investigator’s Guide to Steganography, Auerbach Publications, October 2003, ISBN 978-0-8493-2433-8
2. David Kahn, Simon & Schuster; 2nd Revised Edition (6th Oct 1997), ISBN 978-0684831305
3. Sams Big Playmaker, www.scramdisk.clara.net/play/playmaker.html, Last Modified 10 Feb 2000. Copyright SecurStar GmbH, 2000
as a Communications and Information officer. He holds a B.S.
will continue to grow. We have reached a point where in Computer Science from Louisiana Tech University, Ruston,
information is more valuable than money or at least as Louisiana, and an M.S. in Computer Engineering from the
valuable as money. The issue with money is that once spent, University of South Florida, Tampa, Florida.
it is gone. However, information can be sold, and resold, many

76 Digital / ForensicS

DF3_73-76_Intro to Steganography.indd 76 30/4/10 18:07:54


/ BOOK REVIEWS

I found the book to be an interesting read, although it is unlikely to be something you may read cover to cover. It's more likely that you will focus on certain chapters, and that is probably why you would buy the book. To be honest, in parts the book tries too hard to be everything to everyone, and whilst it's useful to have a lot of information in a single book, sometimes to only have a few paragraphs on a topic isn't enough, and perhaps it would have been better served trying to focus on a few areas rather than trying to do it all. Also, if like me you are based in the UK, this book is very US focussed and so you should consider that before you buy it.

E-discovery: Creating and Managing an Enterprise Program – A Technical Guide to Digital Investigation and Litigation Support
Author: Karen A. Schuler
Publisher: Syngress
Date of Publication: 2009
Price: £41.99 (UK), $72.95 (USA)
ISBN: 978-1597492966
Reviewer: Andrew Edney

Before I start the review of E-discovery: Creating and Managing an Enterprise Program – A Technical Guide to Digital Investigation and Litigation Support, I think it fair to mention that this isn't a new book. It was published back in November 2008 and although that's not a long time ago, it's quite a while in book terms, but the content is still relevant!

Published by Syngress and written by Karen Schuler, along with eleven contributing authors, this incredibly long-titled book sits at a little over 300 pages, and there is quite a lot packed into those pages as well; no large fonts used here!

The book is aimed at those people who would like to learn a valuable E-discovery lesson from forensic professionals, including how to build a discovery response team, hone your various skills and learn best practices.

The book is split into 10 chapters that include managing information and records, creating a response team, data collection techniques, file structures and more.

Each chapter is well laid out, with clear screenshots when required, with additional sidebars giving you notes, tips, tools and traps. Each chapter also has a solutions fast track to remind you what you just read and learnt, along with a frequently asked questions section. This is quite useful, but to be honest it could have done without the letters FAQ as a large watermark throughout each of those pages as it can really distract your reading.

Forensic Linguistics: An introduction to language, crime and the law
Author: John Olsson
Publisher: Continuum
Date of Publication: 30 June 2008
Price: £39.13 (UK), $43.72 (USA)
ISBN: 978-0826461094
Reviewer: John Forrester

John Olsson's latest book on Forensic Linguistics could well have been dry and difficult to read, as it was intended as the premier academic textbook for use in undergraduate and postgraduate university courses. However, being a linguist, John has made sure this didn't happen and has written a textbook for the rest of us. While Forensic Linguistics will certainly fulfill the obligation to the universities, it's such a fascinating subject, conveyed so brilliantly, that this book reaches out to audiences that even Mr. Olsson may not have intended.

As a computer and technology geek, and someone who loves to read thrillers, Mr. Olsson's book immediately touches a variety of my own hot buttons. The chapter on author profiling, for example, delves into the intrigue of



the anthrax scare that haunted US citizens just after the 9/11 attacks in 2001, and most importantly what the role of linguistics was in that enquiry.

Chapter 8 focuses on detecting plagiarism in text and is very interesting as there are many automated systems in use today by universities that are wholly inadequate for that purpose. The role of the linguist in determining rephrasing of texts in mosaic plagiarism is vital and maybe some of the software developers of systems, such as Turnitin, could learn from the statistical techniques being employed here by the linguist.

Applying the principles in this book to computer and mobile phone forensic investigations will undoubtedly help solve many cases where digital evidence in itself is not enough and provenance of communication is important to determine. This book is a must read for anyone with a vague interest in communications, language, mobile forensics, or criminal investigation. Highly recommended.

Cisco Router and Switch Forensics: Investigating and Analyzing Malicious Network Activity
Author: Dale Liu, et al.
Publisher: Syngress
Date of Publication: 28 April 2009
Price: £35.99 (UK), $59.95 (USA)
ISBN: 978-1597494182
Reviewer: Tom Lazarus

This is a very specialized field of study, so to be honest, I was impressed that Syngress even published a book on this topic as it's so niche. However, it does a great job, pulling together expert opinion and techniques from a plethora of authors (Dale Liu has no less than 10 contributing authors, all experts in their own right) not only covering the technical aspects of forensics on network equipment, but also putting forensics in context with regard to these devices, i.e. "where forensics fits within the entire process of an investigation, from incident response and data collection to preparing a report and legal testimony."

The book is arranged into 13 chapters following a good introduction and overview to the topic. Chapters 1 and 2 properly set the scene for the analyst, describing what digital forensics is all about, then discussing methods for data analysis on a single PC as well as in an enterprise, then they go on to look at some of the pitfalls forensic analysts face today, such as encryption and virtual machines. Chapter 2 looks into some of the myriad problems an investigator will face when seizing data and explains some of the processes and procedures needed to maintain the chain of evidence. This introduction is a good overview and refresher, but I'd not recommend that it's the only source an administrator would use to determine if they are fully ready for a forensic investigation. Reading Casey's "Digital Forensics and investigation" is probably the best start a potential analyst could have. Chapter 3 takes us into the world of the network administrator and discusses some of the typical threats from social engineering you might face and how social networking sites can help determine where the attacks might be coming from. Chapters 4 and 5 discuss the first response, what the analyst should do when he or she first appears at the scene of the investigation, detailing how to construct a useful network diagram to use as the blueprint map for the forthcoming investigation. Chapter 6 is a primer on Cisco IOS that is necessary before proceeding to subsequent chapter 7 and chapter 8, where we get a glimpse into the mindset of the attacker and how the investigator would go about collecting non-volatile information from a router. Chapter 9 follows on with a discussion about volatile data held on the router and how best to get it off. This is always one of the biggest headaches for the digital forensics investigator, and this chapter does a great job of walking you through using tools, such as Wireshark, the Boston Network Simulator and RAT (Router Audit Tool). Chapters 10 and 11 are an introduction to the Cisco IOS on network switches and how you would go about performing forensic analysis (non-volatile and volatile analysis) on those devices. Much of this information is a repeat of the router forensics previously covered, but there are subtle differences that are well explained. Finally, the book concludes with chapters 12 and 13 where the authors discuss the preparation of your analyst's report, then the final stage of the forensics process: getting ready for expert testimony in court.

All in all this is a well rounded book, good value for money and gives a great insight into performing network forensics on all kinds of Cisco IOS enabled devices. As with any good forensics book, it also looks at the preparation and report admission process that DFM readers know is just as important as the technical stuff. Well worth the money and a recommended purchase.



Digital Forensics Magazine
PLACE YOUR ADS HERE
email: marketing@digitalforensicsmagazine.com


CALLING ALL RESEARCHERS & PRACTITIONERS
If you are a practitioner or researcher working in the field of Digital Forensics then we want to hear from you…

/ Academic
If you are a researcher, academic or student of digital forensics, we would like to hear about your work. One of the key aims of Digital Forensics Magazine is to bridge the gap between the researcher and the practitioner. We provide a platform where your research can reach the widest possible audience, far greater than that of an academic journal. By showcasing your work in Digital Forensics Magazine you will be able to find like-minded parties who are interested in your research, maybe for collaboration projects or indeed for a route to market.

/ Practitioners
For those of you living and breathing in the professional world of Digital Forensics we would love to hear from you. It is a well-known fact that some of the best learning comes from "on-the-job" experience and we want you to share that experience with your peers. Whether it is a complete case study of an investigation (obfuscated where required) or a tool for extracting information from a website, you can guarantee that your fellow practitioners will want to hear about it. Providing these articles is a great way to let our community know where further work is required, again fostering collaboration between industry and academia.

We also want to let the wider community know what problems practitioners are facing. You can do this by writing to 360@digitalforensicsmagazine.com (details on the website) and we'll do our best to get an 'expert' to get back to you.

/ Submissions
If you would like to submit an article to DFM you can do this by sending an email to editorial@digitalforensicsmagazine.com with your details and a 250-word abstract explaining what the subject is and how you will cover it. You should also include why you think it will make a good article, and what target audience it addresses.



/ COLUMN

IRQ
Angus Marshall interrupts your
train of thought with some general musings on
security, forensics and the world around us

On the 1st of March this year it seems that a batch of Sony Playstation 3 consoles took it upon themselves to decide that it was the 29th of February. Not a huge problem, you might say – after all, it's only a games console. It's not as if planes were dropping out of the sky, nuclear reactors going into meltdown or inter-continental ballistic missiles deciding to launch themselves, is it? Well, no. In this case it wasn't a huge problem for society, but it could have been.

For the owners of those consoles, the potential impact if the problem hadn't sorted itself out the following day could have been quite significant. Many of them had spent a lot of time and money playing online games and acquiring virtual assets – all of which disappeared during the date problem. There was the potential for a real financial loss due to loss of intangible property. If more systems had been affected or the problem hadn't cured itself, Sony could have been facing a class-action lawsuit.

That, however, is the least of my worries. The bug that caused this is typical of the sort of thing we worried about in the late 1990s when the dreaded "millennium bug" had the doom and gloom merchants predicting TEOTWAWKI. I, myself, spent many months in training centres around the UK delivering courses on how to adapt software to get round the problem. The government spent millions on the Y2k taskforce and, on 1st January 2000 – pretty much nothing of interest happened at all. Maybe it was because of all the effort put into it, or maybe we misunderstood how date-dependent systems were using data.

One critical thing that has been forgotten in the intervening years though is the Y2k compliance guarantee that all software and hardware vendors were supposed to provide. Paraphrasing, it stated that products would "work correctly in the year 2000 and all future dates". Leaving aside the issue that 32-bit Unix system clocks will roll over in 2038, the compliance guarantee is an interesting statement – and one that seems to have completely disappeared from products since the year 2000.

Does it matter? Why am I making such a fuss about it?

Well – back in the dim and distant past, when I taught people how to program, I used to include coverage of algorithms and how to implement them, including things like all the rules for converting from seconds since some arbitrary point in time into human-understandable date and time formats. Since then, of course, dinosaurs no longer roam the earth and programming has moved on to a model where most code is dependent on objects/modules/units/libraries provided by some third party. The "skill" now lies mainly in figuring out which bits of other people's code to reuse in order to achieve the right results – but this means that the programmer can never be entirely sure that the underlying code is actually doing the right thing the right way all the time.

Can you imagine what would happen if someone was asked to investigate an attempted intrusion into a network and found that their tools started reporting that the events in question happened variously on 1st March 2010, 29th February 2010, and 33rd Octember 1877? The only option would be to assume that all the tools were faulty until proven otherwise and fall back on old-fashioned methods using low level tools and interpretation of hex dumps – if the skills to do this still exist. Worse yet, it would have to be assumed that the tools had always been faulty and that could open the floodgates to appeals and accusations of wrongful conviction galore.

In forensic work, where someone may end up in gaol and on a register of offenders as a result of evidence produced by software, knowing that the software consistently produces correct results seems a pretty fundamental requirement – but if we don't know how the software is doing what it does, or that it is doing it consistently, can we, as responsible professionals, really rely on the results?

We need to make sure that our tools are doing not just the right things, but ideally doing them in the right way – and that they will continue doing just that for as long as we need them to. We cannot continue to rely on commercial offerings in the hope that the vendors are doing the right thing. We need more than guarantees. We need proof and we need it now. /

/ Author Bio
Angus Marshall is an independent digital forensics practitioner, author and researcher, currently working on the 'fitness for purpose' challenge. In a past life he was an academic course leader in Digital Forensics & Forensic Computing and still retains strong links with academia, professional bodies and regulators. He can be contacted through his company, n-gate ltd. (http://www.n-gate.net).
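The column's point is that an examiner should be able to verify a tool's date output rather than trust it, and that the "seconds since an epoch" to calendar conversion it mentions has rules (leap years, counter width) that can silently go wrong. The following is an editor's worked illustration, not Angus Marshall's code: it converts epoch seconds by hand with the Gregorian leap-year rule, cross-checks the result against Python's standard library, shows what a signed 32-bit counter reports after the 2038 rollover, and shows how a wrong leap-year rule turns 1 March 2010 into 29 February 2010. The `hex_misread_leap` rule is a constructed stand-in for "a faulty calendar rule" and is not a claim about the actual cause of the PS3 incident.

```python
# Editor's added illustration (not code from the column): hand-rolled
# epoch-seconds to calendar conversion, cross-checked against the standard
# library, so a tool's date output can be verified rather than taken on trust.
from datetime import datetime, timezone

DAYS_IN_MONTH = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def is_leap(year: int) -> bool:
    """Gregorian rule: divisible by 4, except century years not divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def hex_misread_leap(year: int) -> bool:
    """Assumed faulty rule, for illustration only: the last two decimal digits
    of the year are read as if they were hexadecimal, so 2010 -> 0x10 = 16,
    which is divisible by 4, and 2010 is wrongly treated as a leap year.
    Constructed example; not a claim about the PS3 incident's real cause."""
    return int(f"{year % 100:02d}", 16) % 4 == 0


def yday_to_month_day(year: int, yday: int, leap=is_leap) -> tuple:
    """Split a 0-based day-of-year into (month, day) under the supplied leap rule."""
    for month, ndays in enumerate(DAYS_IN_MONTH, start=1):
        if month == 2 and leap(year):
            ndays += 1
        if yday < ndays:
            return month, yday + 1
        yday -= ndays
    raise ValueError("day-of-year out of range for that year")


def as_int32(value: int) -> int:
    """Reinterpret a counter as a signed 32-bit integer, as a 32-bit time_t would."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value >= (1 << 31) else value


def epoch_to_civil(seconds: int) -> tuple:
    """Seconds since 1970-01-01T00:00:00Z -> (year, month, day, hour, minute, second).
    Negative inputs (pre-epoch, or a wrapped 32-bit counter) walk the years backwards."""
    days, rem = divmod(seconds, 86400)
    hour, rem = divmod(rem, 3600)
    minute, second = divmod(rem, 60)
    year = 1970
    while days < 0:
        year -= 1
        days += 366 if is_leap(year) else 365
    while days >= (366 if is_leap(year) else 365):
        days -= 366 if is_leap(year) else 365
        year += 1
    month, day = yday_to_month_day(year, days)
    return year, month, day, hour, minute, second


def cross_check(seconds: int) -> bool:
    """Independent check: does the hand-rolled conversion agree with the library?"""
    ref = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return epoch_to_civil(seconds) == (ref.year, ref.month, ref.day,
                                       ref.hour, ref.minute, ref.second)


if __name__ == "__main__":
    ts = 1267401600                                        # 2010-03-01T00:00:00Z
    print(epoch_to_civil(ts), cross_check(ts))             # (2010, 3, 1, 0, 0, 0) True
    print(yday_to_month_day(2010, 59))                     # (3, 1) under the correct rule
    print(yday_to_month_day(2010, 59, hex_misread_leap))   # (2, 29) under the faulty one
    print(epoch_to_civil(2**31 - 1))                       # 2038-01-19 03:14:07, last good second
    print(epoch_to_civil(as_int32(2**31)))                 # 1901-12-13 20:45:52 after the wrap
```

The two conversions disagree only on the leap decision, which is exactly the kind of divergence the column describes: the same counter value, two different dates, and no way to tell which tool is right without an independent calculation. Running `cross_check` over the timestamps in a report is a cheap way to catch a tool whose calendar arithmetic has drifted from the standard rules.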



Now Available! (Syngress advertisement)
Cisco Router and Switch Forensics, ISBN 9781597494182, £35.99, €42.95, $59.95
Windows Forensic Analysis DVD Toolkit, 2e, ISBN 9781597494229, £34.99, €51.95, $69.95
Mac OS, iPod and iPhone Forensic Analysis DVD Toolkit, ISBN 9781597492973, £41.99, €49.95, $69.95
Malware Forensics, ISBN 9781597492683, £41.99, €49.95, $69.95
Visit the BRAND NEW www.syngress.com to purchase these or other great Syngress titles!
Cutting Edge Content in Digital Security

Order Today! (Syngress advertisement)
Virtualization and Forensics, by Diane Barrett and Greg Kipper, ISBN 9781597495578, $59.95/£32.99/€40.95
Phone Forensic Analysis, by Sean Morrissey, ISBN 9781597495554, $69.95/£37.99/€47.95
Windows Forensic Analysis DVD Toolkit, 2nd Edition, by Harlan Carvey, ISBN 9781597494229, $69.95/£37.99/€47.95
Digital Forensics for Network, Internet, and Cloud Computing, by Clint P Garrison, ISBN 9781597495370, $69.95/£37.99/€47.95
Visit the BRAND NEW www.syngress.com to purchase these or other great Syngress titles!
Cutting Edge Content in Digital Security
