This week brings us a new version of log2timeline, Cindy Murphy explaining how we're all like dogs (it's not a bad thing, I swear), and Kyle Maxwell wading into the murky semantic waters of APT, cyberwar, and hackers. Just to tweak Kyle, I'll dub that part cybersemantics. You can also learn what Facebook turns over to law enforcement when subpoenaed, and find out how one hacker got himself "busted" (you'll get the joke later) by his own GPS data.
If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.
Tools:
- Kristinn Gudjonsson has released log2timeline v0.63, which features a new output module as well as bug fixes.
- AccessData released Forensic Toolkit (FTK) v4.0.1, which includes processing speed improvements, new PDF and registry processing options, and a number of other bug fixes and enhancements, according to the product release notes (PDF).
- Guidance Software announced the release of the Tableau TD2 Forensic 1:2 Duplicator. This new forensic imaging tool offers "twinning" capabilities and "speeds up to 9GB/min."
- Prey Drive - Guest post by Cindy Murphy on A Fistful of Dongles - Cindy extends Eric Huber's "Border Collie" analogy to creatively explore how the world of dogs can inform how we approach both our careers and our work. But you'll have to read for yourself to find out what you may have in common with a hunting dog.
- Semantic change: APT, Cyberwar, and Hacking - Kyle Maxwell has some interesting thoughts on the words we use. I tend to agree with him, especially regarding the phrase APT (it really does need to die). Others will disagree on one or more points. But the more important point, I think, is that we need to be mindful and careful of the words we use to describe things. They have meanings, both denotations and connotations, and sometimes need to be re-evaluated. There was nothing wrong, originally, with the phrase Advanced Persistent Threat (APT). But no matter how you might rage over the loss of that original intent, it is still lost to the FUD and misinformation of the marketing machines. And perhaps, more importantly, as Kyle points out, the phrase no longer serves a purpose. It is no longer needed.
- Can police still search electronic devices after case? - Utica Observer-Dispatch (UticaOD.com) - This New York case questions whether police may legally search electronic evidence again after a case has concluded. A man who was serving a 6-month sentence on child pornography charges requested his digital camera be returned in early 2010, after his case had concluded. Police performed a last minute search of the device and found evidence that the man had recorded himself molesting a 10-year-old boy. He is now serving an 18-year prison sentence. His lawyer has appealed, contending that police needed a new search warrant for the search, as the case to which the prior warrant applied had already been concluded. The prosecutor contends that the camera was still being held pursuant to a search warrant, and that a new warrant was therefore not required. The prosecutor went on to argue that the police have an obligation to ensure they do not give back contraband, and that police were therefore obligated to search the camera prior to returning it.
- Medicaid hacked: Utah Department of Health has 181,000 records compromised, including 25,000 SSNs.
- Anonymous hacks UK government sites over 'draconian surveillance' - Yes, it's news, I suppose. But shame on you, ZDNet, for using the word "hack" to describe a denial of service attack. Just for the sake of a headline.
- Even worse than SOPA: New CISPA cybersecurity bill will censor the Web - RT.com - This article contends that the Cyber Intelligence Sharing and Protection Act (CISPA - H.R. 3523) currently making its way through the United States House of Representatives goes even further than the SOPA and PIPA bills in the authority it would give to the U.S. government to monitor and block internet communications, "as long as the government believes they have reason to suspect wrongdoing." The article itself is light on substance, and its heavy use of the word "censor" rings of FUD to me (though I haven't studied the bill), but it may be worth a look as a starting point. For a generally more balanced and comprehensive overview, check out Kyle Maxwell's "Cyberintelligence legislation: not just CISPA" over on his Overhack blog.
- Here's what Facebook sends the cops in response to a subpoena - ZDNet - The title is pretty self-explanatory, but it's interesting to see that what Law Enforcement gets is pretty much everything, in a surprisingly tidy report. It's disturbing, though, that the Boston Police thought nothing of releasing the document in full, without consideration of the collateral privacy damage done to people other than the criminal. I'm sure that was unintentional, but they presumably did redact other case evidence. Props to The Boston Phoenix for making an effort at their own redaction before running the original story.
- FBI track Anonymous hacker using his girlfriend's boobs - The Hacker News - "The FBI swooped on Higinio O Ochoa III after he posted the snap, which included a gloating message to his online victims. He took the picture on his iPhone and posted it on Twitter without realising it contained GPS data pointing directly to his house." This could arguably have been filed under the News header, but it's too funny for that.
- The FE Side: CSI doesn't show all the coffee... - Girl, Unallocated blog -
- SANS Northern Virginia 2012, Reston, VA - April 15 - 20, 2012
- DFIROnline Meetup - Online - April 19, 2012, 2000 (8:00pm) EST/EDT
- 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '12) - San Jose, CA - April 24th, 2012
- SANS Cyber Guardian 2012 - Baltimore, MD - April 30 - May 7, 2012
- SANS AppSec 2012: Summit & Training - Las Vegas, NV - April 24 - May 2, 2012
- 7th ACM Symposium on Information, Computer and Communications Security - Seoul, South Korea - May 1 - 3, 2012
- SANS Secure Europe 2012 Amsterdam - Amsterdam, Netherlands - May 5 - 19, 2012
- AccessData User's Conference - Las Vegas, NV - May 08 - 10, 2012
- SANS Security West 2012 - San Diego, CA - May 10 - 18, 2012
- 14th Information Hiding Conference - Berkeley, CA - May 15 - 18, 2012
- IEEE Symposium on Security & Privacy - San Francisco, CA - May 20 - 23, 2012
- Computer Enterprise and Investigation Conference - Summerlin, NV - May 21 - 24, 2012
- SANS Brisbane 2012 - Brisbane, Australia - May 21 - 26, 2012
- 2012 ADFSL Conference on Digital Forensics, Security and Law - Richmond, VA - May 30 - 31, 2012
- Techno Security 2012 - Myrtle Beach, SC - June 03 - 06, 2012
- Mobile Forensics Conference - Myrtle Beach, SC - June 03 - 06, 2012
- 27th IFIP International Information Security and Privacy Conference - Heraklion, Crete, Greece - June 04 - 06, 2012
- Audio Engineering Society Audio Forensics - Denver, CO - June 14 - 16, 2012
- RVAsec - Richmond, VA - June 16, 2012
- 24th Annual FIRST Conference - Malta - June 17 - 22, 2012
- SANS Forensics and Incident Response Summit - Austin, TX - June 20 - 27, 2012
- SANS Canberra 2012 - Canberra, Australia - July 2 - 10, 2012
- SANSFIRE 2012 - Washington, DC - July 6 - 15, 2012
- Symposium On Usable Privacy and Security (SOUPS 2012) - Washington, DC - July 11 - 13, 2012
- 7th USENIX Workshop on Hot Topics in Security (HotSec '12) - Due May 07, 2012
- 7th IEEE LCN Workshop on Security In Communication Networks - Due May 12, 2012
- Grrcon - Due June 01, 2012
- Applied Computer Security Applications Conference - Due Jun 01, 2012
- 4th International Conference on Digital Forensics & Cyber Crime - Due Jun 01, 2012
- IEEE International Workshop on Information Security and Forensics - Due Jun 24, 2012
- 2012 secau Security Congress - Due Sep 30, 2012
Digital Forensics Case Leads for 20120416 was compiled by Gregory Pendergast, forensicator, incident handler, and jack-of-all-security at Virginia Commonwealth University. Greg also contributes book and product reviews to Digital Forensics Magazine and InfoSecReviews.com.
