(ISC)² Twitter Updates

  • (ISC)² Twitter Updates

    Archives

    More...

    About the
    (ISC)² Blog

    • (ISC)² believes in the importance of open dialogue and collaboration, between both (ISC)², its certified members and members of business and society.

      (ISC)² established this blog to provide a voice to its certified members, who have significant knowledge and valuable insights to share that can benefit the information security industry, the people in it and the public at large.

      The postings on this site are the author's own and don't necessarily represent
      (ISC)²'s positions, strategies or opinions. (ISC)² does not control, monitor, or endorse any links provided in this blog and makes no warranty or statement regarding the content on any linked website.

      Those who post comments to blogs should ensure their comments are focused on the topic at hand. (ISC)² reserves the right to remove any post or comment from this site.

      Should you find objectionable content in this blog, please notify us as soon as possible at blog@isc2.org.

      Please click here for FAQs.

      Please click here for the Blog guidelines.

    21 posts categorized "Digital Forensics"

    09 June 2009

    US Cybercrime site

    US Department of Justice Computer Crime and Intellectual Property site with news stories, related (US) laws, and some documents related to digital evidence, investigation, and prosecution.

    Posted by on 09 June 2009 at 04:57 PM in Current Affairs, Digital Forensics, Fraud, ID theft, Insider Risk, Legal, Slade, Training | | Comments (0) | TrackBack (0)

    Expectations for Computer Security Incident Response

    RFC 2350 is a 1998 version of what incident response teams should and shouldn't be and do.

    Also, CERT.ORG has advice and step-by step instructions on creating a computer security incident response team.

    Posted by on 09 June 2009 at 04:44 PM in Availability, Confidentiality, Digital Forensics, Disaster Recovery, Events, Integrity, Network Security, Operations Security, Slade, Training | | Comments (0) | TrackBack (0)

    29 March 2009

    GhostNet

    The tracking (and scope) of GhostNet, a significant example of the use of malware and botnets for espionage.  Some items of this were given in a story in the New York Times.  There is also related work in a report out of Cambridge (full report in PDF)(which, like everything else Ross Anderson has written, is worth reading regardless of your level of interest).

    Posted by on 29 March 2009 at 06:46 PM in Confidentiality, Current Affairs, Digital Forensics, Events, Integrity, IT Security, Legal, Malware, Network Security, Operations Security, Privacy, Risk, Secure Software, Slade, Training, Web/Tech | | Comments (0) | TrackBack (0)

    24 March 2009

    Computer Re-use Optimisation Project

    In the course of operations, recycling of old computers is an issue.  The confidentiality dangers of object reuse are reasonably well known.  However, when the time comes to get rid of a bunch of old (and rather toxic, if just dumped) computer equipment, where can you send them to best effect?  The Computer Re-use Optimisation Project (CROP) lists a number of organizations and institutions, in a number of different areas of the world, that take, refurbish, and give computers to worthy causes.

    Posted by on 24 March 2009 at 11:12 PM in Digital Forensics, IT Security, Operations Security, Privacy, Slade, Training | | Comments (0) | TrackBack (0)

    19 March 2009

    Secure data erasure

    For all the trouble we have to take to protect, backup, and maintain our data, when we want to get rid of it, it turns out to be remarkably difficult.  Do we delete  Overwriting delete?  Overwrite 40 times?  Overwrite 40 times including all the slack space?  Degauss?  Get out the thermite?

    This site presents a faster and easier option.  There is software, and also a paper (possibly self-serving ...) explaining the option, and why it is very often good enough.

    Posted by on 19 March 2009 at 09:16 PM in Confidentiality, Digital Forensics, Events, IT Security, Legal, Operations Security, Privacy, Risk, Slade, Training | | Comments (2) | TrackBack (0)

    27 January 2009

    A Mistaken Conviction Based on Digital Forensics – Part 2 – The Trial, Day 1

    <p>Department of Homeland Security Daily Open Source Infrastructure Report</p>

    During the pretrial examination we learned that there appeared to be sufficient basis to have excluded the forensic evidence yet that did not happen.  Let us see what happened during the trial which allowed the forensic evidence for the prosecution to be presented to the court and considered by the jury during its deliberations which resulted in Julie Amero’s conviction on all counts.

    Before we do however, let us take a brief look at the community’s perspective of the crime and how that might have influenced their deliberation to some degree.             Unfortunately, the Norwich Bulletin has deleted virtually all of their entries regarding Julie.  Some believe that is the result of change of ownership twice over and others suggest that it was intentional.  You see, according to many reports the Norwich Bulletin tried and convicted Julie many times over.  However, relative to the digital forensic evidence, that is not really germane. 

    On the other hand, an understanding of the community’s perspective helps to understand how the jury could reach the conclusion that it did.  According to Detective Mark Lounsbury, a computer crimes officer at the Norwich Police Department and testified as an expert witness for the prosecution, some of the parents whose children were exposed to the porn demanded aggressive police action.  Generally speaking, the community was also in a bit of an uproar and became impatient as it took more than two years (26 months) to bring the case to trial.  In the eyes of many, that was far too long.

    The trial began on January 3, 2007 in a quite normal manner including a reduction in the number of charges from ten to four without explanation.  In each charge she was accused of “willfully and unlawfully causing a child under the age of sixteen years to be placed in such a situation that the morals of said child were likely to be impaired”, Connecticut General Statute 53-21 (a)(1), which provides for a maximum period of imprisonment of 10 years for each charge or, the potential of 40 years in prison if convicted.

    The first witness for the prosecution was Scott Fain, Principal of Kelly Middle School in Norwich Connecticut where the event occurred.  While Mr. Fain is used by the prosecution to set the stage, his testimony is meaningless relative to the issue of forensics.  In addition, upon close examination it becomes clear that he has nothing of value to contribute.  Next was Matthew Napp, the teacher which Julie was substituting for.  His testimony was of value only to the extent that he established that very few students could see his monitor from their seats.  My one concern from a pure trial perspective and establishing reasonable doubt is the possibility that Mr. Fain in fact did view questionable images on occasion.  The defense attorney never pursued that line of questioning.  Clearly, the prosecutor anticipated it and tried to make it clear that Mr. Fain had not done so.  None-the-less, an effective line of questioning by the defense might have raised a bit of a cloud of doubt.

    The third witness was in the classroom for a portion of the day when the deaf student she assists was in class.  During the period of time that she was present nothing unusual occurred. The next witness is Robert Hartz, information services manager for the Norwich Public School System.  One would have expected to learn a lot more than they did from Mr. Hartz.  It does appear that he is knowledgeable in the field of IT but it is clear that the prosecutor was not familiar with the IT arena and how to build a more effective foundation to his case.  However, you might want to note that he establishes, or seems to establish that initial access to some sites of question occurred while the deaf student aide was present and she stated that Julie did not leave the room during that period and that student’s did not access the teacher’s computer during that time frame (9:00am—10:00am).

    At this point it should be noted that at least two individuals have accessed the computer in question, one who should have known best that hard drive image preservation should have taken place before any examination.  How do we know whether the system time was in fact in error and later corrected?   Also note, that the references in the firewall log point to a much later time period.  During cross examination it is established that he did not look for any adware or spyware.  Also note through redirect it was established that more than likely the computer was not removed from service until some date after the 19th, more than likely the 21st, but perhaps the 22nd.  This is one great chain of custody!

    Now we get into the timely police investigation which commenced on October 27th, 2004, some 8 days past the date of purported criminal activity.  Decision making is swift in Norwich.  Is there any doubt as to why Julie could not get any assistance the day of the event?  Ah, but those details come later during Julie’s testimony.  Let us review the testimony of Sergeant Michael Belair, Norwich Police Department.  When all is said and done, Sergeant Belair seized the computer from the principal’s office, spoke to the principal and a few others, obtained copies of the lists prepared by Mr. Hartz, viewed a few of the sites on a police computer and saw questionable images but did not recall what acts if any were being performed.  From a forensic perspective all we have learned is that a “trusted” chain of custody began some eight days after the event.

    We now hear from the first student.  His testimony is marginal at best, not truly useful to anyone, and with his testimony the first day of trial ends.

    Upon completion, what of value has been learned relative to a forensic investigation?  The computer was used for at least one full day after the event and was accessed by the IT manager as well.  It is very possible that it remained in use for two or more days and then secured in the principal’s office not more than 3 days after the event.  It was not secured by law enforcement until October 27th.  Clearly, an effective defense could have established a basis for not allowing the forensic evidence to be entered into evidence.  Was this done or attempted?  More to come on day two of this three day trial.

    Should you wish to read an alternative analysis you can read the Fuzzy Thoughts web site or download the copy I made in chronological order which I find much easier reading.

     

    Posted by on 27 January 2009 at 10:16 AM in Digital Forensics, Hacking, IT Security, Johnston, Legal, Malware, Network Security | | Comments (0) | TrackBack (0)

    24 January 2009

    A Mistaken Conviction Based on Digital Forensics – Part 1.5 – On Good Morning America


    The dilemma of Julie Amero will be told on Good Morning America, ABC, on Tuesday, January 27th, 2009 between 8-9am EST I am told.  Julie and the lead forensic analyst Alex Eckelberry were interviewed as well, I believe, as others.

    Some interesting events occurred during the taping and the Julie Amero team agreed that they would not be discussed until after the showing.  Watch it with me and let us see what is being told by the mass media.

    I am working on Part 2 - The Trial and plan to have it ready to post that same day.

    Posted by on 24 January 2009 at 06:52 AM in Digital Forensics, Hacking, IT Security, Johnston, Malware, Network Security | | Comments (0) | TrackBack (0)

    15 January 2009

    A Mistaken Conviction Based on Digital Forensics – Part 1 – Pretrial

    Most of us watch criminal cases in movies and on television where forensic evidence ices a conviction and exonerates the innocent.  How is it possible that someone can be convicted based on forensic evidence when they were not guilty?  Let’s examine a modern day case where this occurred:

    ·         The event took place on October 19th, 2004

    ·         The accused was tried and convicted on January 3-5, 2007

    ·         The sentencing was scheduled for eight weeks later, March 2nd, 2007, then delayed until

    o   March 29th, 2007 which was postponed on March 28th, 2007 until

    o   April 26th, 2007 and finally heard on

    o   June 6th, 2007, a motion for a new trial having been submitted the preceding day by the defense.

    ·         A new trial was ordered on June 6th, 2007

    ·         On November 21, 2008 the case was finally disposed of, but justice was not served, with a plea agreement of $100.00 fine and loss of her state teacher’s license.

    Taking a look at the case from 50,000 feet, or perhaps higher, the accused encountered a “pornographic” popup storm on her computer in the classroom.  Her failure to turn off the monitor or take other sufficient action to preclude her students from viewing the popups resulted in her being charged with “risk of injury to minor” tenfold.  Forensic evidence developed by law enforcement indicated that the accused willingly chose to view these images and neglected to protect her students.  While the defense had a competent forensics examination witness, he was not allowed to testify.  She was convicted but sentencing never took place as the court was convinced of flaws in the prosecution’s presentation which possibly mislead the jury and ordered a new trial.  After waiting 18 months a plea agreement was reached and the case concluded.

    For those not familiar with the case the accused was Julie Amero and an Internet search on her name will keep you busy for weeks, perhaps months, with the results offered.  A check of Google today produces more than 65,000 responses.  I have maintained a daily Google search for more than a year which provides only “new” entries found on the web.  There continue to be new postings almost daily but unfortunately most are exploitation rather than having content meaningful to her case.  I will endeavor to provide a meaningful report from the forensic perspective including related trial procedural errors.  I have been close to the case for one year and aided in her defense post conviction.

    Obviously, much of what I write will be based on personal experience and/or observation trying to maintain focus upon those actions/events which contributed to the original conviction as well as the actions taken to have the conviction set aside and a new trial ordered by the court.  Some of you may wish to see nuts and bolts, soup to nuts detail.  Immediately, I offer you a copy of the trial transcript.  As you might guess, it is sizeable, 1.8 MB in PDF format.  Later, I will provide other detail but, at the moment, I do not want to get off topic.

    From the beginning this case was a forensic nightmare.  The PC was running Windows 98 with an anti-virus which had expired some four months prior to the event.  Julie was quite computer illiterate barely knowing how to communicate with her husband via eMail.  However, attendance was taken on each teacher’s classroom PC and was uploaded periodically to the local server.  Substitutes are not provided logon IDs; rather, a staff member completes the logon and instructs the substitute not to logoff or turn off the computer.  At least once when Julie left the classroom she found several students at her PC giggling when she returned.  Assistance was sought but none was ever forthcoming.  The PC remained in the classroom being used for a few days after the incident before it was taken out of use and later a “forensic” image taken.

    To a competent defense attorney the details above should be sufficient to have all of any forensic evidence thrown out of court; in fact never allowed to be presented, rather stopped during pre-trial discussions.  However, this did not happen.  In “Part II – The Trial” I will examine what happened.  Should you choose to read the transcript immediately, please withhold any questions regarding the trial until that segment is posted.  On the other hand, please post any questions or comments about this segment and I will endeavor to respond promptly when appropriate.

    Posted by on 15 January 2009 at 06:40 AM in Digital Forensics, IT Security, Johnston, Legal, Malware, Risk, Secure Software | | Comments (0) | TrackBack (0)

    13 January 2009

    Mitre/SANS Top 25 Programming Errors

    The OWASP Top Ten has some more competition.

    Based on the SANS Top 20 attack vectors and MITRE's Common Weakness Enumeration (CWE), this document presents detailed descriptions of the top 25 programming errors along with guidance for mitigation.  The errors are also cross referenced against related CWE items, as well as the Common Attack Pattern Enumeration and Classification (CAPEC) structure.

    Posted by on 13 January 2009 at 06:22 PM in Confidentiality, Current Affairs, Digital Forensics, Events, Hacking, Integrity, IT Security, Malware, Operations Security, Secure Software, Slade, Software Development, Training | | Comments (0) | TrackBack (0)

    11 January 2009

    Rootkit detection and protection products and sites

    The term "rootkit" is a difficult one to define, or at least fix a definition on.  Originally it referred to a script, set of scripts, or package of modified system programs (thus "kit") used for gaining or keeping unauthorized root permissions (or equivalent supervisory powers) on a compromised system. Recently, media usage has expanded this definition to include any software that can hide software or processes on a system, but this usage is vague and likely to lead to confusion.

    Antirootkit.com doesn't have an awful lot of information on the site, but it does have a list of rootkit detection software.  There are brief descriptions of the products.  Be careful of the download links: they can be misleading in terms of what you are actually getting.

    Sophos has always been a solid antivirus company, so there is no reason to think that their anti-rootkit product is any less.

    GMER is a Polish anti-rootkit program (Windows only) available for free download.

    McAfee Rootkit Detective (originally from Avert) is available for download, but the McAfee site makes sure you know it is a beta product, and requires knowledgeable application and use.

    Panda tends to oversell their products, but their anti-rootkit is also available for download.

    As usual with most Trend Micro products, RootkitBuster sounds fairly agressive.

    F-Secure's BlackLight Rootkit Elimination Technology is well-regarded in the anti-malware research community.  It is available in their complete product, but can also be downloaded separately as a utility.  F-Secure also provides a little bit of rootkit explanation.

    Posted by on 11 January 2009 at 02:57 PM in Digital Forensics, Events, Hacking, IT Security, Malware, Slade, Training | | Comments (0) | TrackBack (0)

    « Previous | Next »

    Recent Contributors

    Past Contributors