In this issue of Case Leads we go around the globe to cover telematics app development from Ford at CES Las Vegas; to Russia for new tools that allow investigators to access files users try to keep encrypted; an anti-forensic tool that tries to hide details from memory forensic tools; the insider fraud threat; and a number of landmark court rulings in the US that impact digital investigators.
If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.
Tools:
- Have an investigation where the target puts a crypto-protected PC in hibernate? Now the team at ElcomSoft has a $300 app that can get to the data. And, the ElcomSoft blog posting mentioned in the segment.
- E-Investigations of Texas announces a new computer forensics software tool that can search multiple partitions on multiple hard drives within a single case, export the email containers, and extract individual emails from the containers in a single step. In a statement, the company says that the process allows investigators to provide more accurate results to its clients in less time.
- Anti-forensics tool: 'Dementia' wipes tracks that many Windows forensics memory tools focus on
- Oxygen Forensic Suite 2013 Roots Android 4.x Smartphones
- Our fearless SANS Forensics Leader, Rob Lee, says it's not new types of attacks that concern him for 2013. It's the old ones that continue to impact organizations. How can organizations learn from past incidents and respond in 2013? The bulk of the cases he investigates are external breaches, not insider cases, says Lee. When analyzing the incidents and reporting back to technical teams or executives, he's often faced with the question, "How do we stop this?" Read and listen to Rob Lee in this segment from BankInfoSecurity.com.
- Marc Weber Tobias is an attorney and investigator. He appeared on CyberJungle Radio to talk about insider fraud (Disclosure: your Case Leads contributor this week is the host of CyberJungle Radio). Listen to the interview segment here via Flash player, or download the segment here. The interview with Mr. Tobias begins about 15:30 into the program. Mr. Tobias wrote two columns recently on this topic for Forbes.com:
  - How Do You Spot The Thief Inside Your Company?
  - A Snitch In Time Can Save Employers a Lot of Money
News:
- From CES 2013 in Las Vegas: Ford launches app developer program for Sync AppLink at CES. Apps need to be approved by Ford for safety while a user might be driving. Will Ford approve automotive forensic tools that leverage the API for investigative purposes?
- Landmark court decision on the admissibility of social media communications: A Brooklyn Protester Pleads Guilty After His Twitter Posts Sink His Case.
- In another landmark decision, a Federal Judge found that the Defendant had a duty to preserve audio recordings of calls that had been destroyed under the company's retention policy once the Defendant found out that the Plaintiff was filing an unemployment claim. Read more at the BowtieLaw Blog.
- Attention incident responders: A new Java 0-day vulnerability has been discovered, and is already being exploited in the wild. Read more at TheNextWeb news site.
- U.S. nuclear lab removes Chinese tech over security fears. Some experts say we should be more fearful of the poor overall security of this equipment, not built-in backdoors.
- Write Gambling Software, Refuse To Build In Secret Backdoors The Feds Demand You Install, Go to Prison.
- Microsoft hopes to patent an 'inconspicuous mode' for smartphones
Coming Events:
- SANS Security East 2013 - New Orleans, LA - Jan 16 - 23, 2013
- InfraGard Sierra Nevada - Reno, NV, Jan 17th. Rafal Los will speak on a landmark ruling on insiders using their work computer to escalate their access. In a new ruling, that person cannot be prosecuted for "hacking" crimes. Email jeffrey.williams5[at]ic.fbi.gov for details.
- Ninth Annual IFIP WG 11.9 International Conference on Digital Forensics - Orlando, FL - Jan 28 - 30, 2013
- SANS Delhi 2013 - New Delhi, India - Feb 11 - 22, 2013
- SANS Secure Singapore 2013 - Singapore, Singapore - Feb 25 - Mar 2, 2013
- RSA Conference 2013 - San Francisco, CA - Feb 28 - Mar 01, 2013
- The Second International Conference on Cyber Security, Cyber Warfare and Digital Forensic - Kuala Lumpur, Malaysia - Mar 4 - 6, 2013
- SANS 2013 - Orlando, FL - Mar 8 - 15, 2013
- IMF 2013 - 7th International Conference on IT Security Incident Management & IT Forensics - Mar 12 - 14, 2013
- CTIN 2013 Digital Forensics Conference - Seattle, WA - Mar 13 - 15, 2013
- SANS Secure Canberra 2013 - Canberra, Australia - Mar 18 - 23, 2013
- SANS Monterey 2013 - Monterey, CA - Mar 22 - 27, 2013
- SANS Northern Virginia 2013 - Reston, VA - Apr 8 - 13, 2013
- SANS Cyber Guardian 2013 - Baltimore, MD - Apr 15 - 20, 2013
- SANS Secure Europe 2013 - Amsterdam, Netherlands - Apr 15 - 27, 2013
- SANS CDK Seoul 2013 - Seoul, Korea, Republic of - Apr 22 - 27, 2013
- SANS Security West 2013 - San Diego, CA - May 9 - 14, 2013
- SANS Austin 2013 - Austin, TX - May 19 - 24, 2013
- International Workshop on Cyber Crime - San Francisco, CA - May 24, 2013
- Techno Security and Forensics Investigation Conference - Myrtle Beach, SC - Jun 2 - 5, 2013
- Mobile Forensics World - Myrtle Beach, SC - Jun 2 - 5, 2013
- SANS Malaysia @ MCMC 2013 - Jun 3 - 8, 2013
- ADFSL 2013 Conference on Digital Forensics, Security and Law - Richmond, VA - Jun 10 - 12, 2013
- FIRST Conference - Bangkok, Thailand - Jun 16 - 21, 2013
- The 1st ACM Workshop on Information Hiding and Multimedia Security - Jun 17 - 19, 2013
- Shakacon V - Honolulu, Hawaii - Jun 25 - 28, 2013
- SANS Digital Forensics and Incident Response Summit 2013 - Austin, TX - Jul 9 - 10, 2013
- 28th IFIP TC-11 SEC 2013 International Information Security and Privacy Conference - Auckland, New Zealand - Jul 8 - 10, 2013
- Symposium On Usable Privacy and Security - Newcastle, United Kingdom - Jul 24 - 26, 2013
Call for Papers:
- ICDCS Workshop on Network Forensics, Security and Privacy - Due Jan 15, 2013
- The 1st ACM Workshop on Information Hiding and Multimedia Security - Due Jan 25, 2013
- Regional Computer Forensics Group - Due Jan 31, 2013
- Shakacon V - Due Feb 1, 2013
- International Workshop on Cyber Crime - Due Feb 15, 2013
- ADFSL 2013 Conference on Digital Forensics, Security and Law - Due Feb 19, 2013

Posted January 13, 2013 at 3:18 PM
H. Carvey
Any chance of getting some insight from the experts at SANS as to the value and importance of the links posted? The descriptions help, but I think that there would be great value in sharing the insight that led the experts to pick those links, and what value they saw in sharing them with the community at large. Thanks.
Posted January 13, 2013 at 9:52 PM
Ira Victor
Thanks for reading the blog, H. Carvey, and thanks for the feedback. As the contributor that created this week's posting, I will reply to your question as it relates to my selections. I only post links to items that I think are important to digital forensics and incident response (DFIR), or those interested in the field. For more analysis on these topics, you may also like CyberJungle Radio (http://www.cyberjungleradio.com). CyberJungle Radio is more focused on providing commentary and advancing stories on these topics, and I co-host the program.