In this issue of Case Leads we go around the globe to cover telematics app development from Ford at CES Las Vegas; to Russia for new tools that allow investigators to access files users try to keep encrypted; an anti-forensic tool that tries to hide details from memory forensic tools; the insider fraud threat; and a number of landmark court rulings in the US that impact digital investigators.
If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to firstname.lastname@example.org.
The Paraben Forensics Innovator's Conference was held last week in Park City, Utah. Your SANS Digital Forensic blogger attended the event, along with over 300 fellow forensicators and lawyers. With information security events like BlackHat and DefCon drawing thousands, this is yet another small event that has many advantages over the larger conferences.
At these smaller conferences you really get a chance to spend time with the same people. At PFIC, one of the attendees I met had an interesting incident at the office, and we were able to spend the time to discuss the case. And, these smaller events allow for more comparing of notes from different sessions over lunch. It's so much more difficult to get to really know someone at large conferences, with so many sessions and so many vendor events. Even the lunch events are like an army chow line at the large
The 25th High Technology Investigators Conference was held last week near Palm Springs, California. Your SANS Forensic blogger attended the event, along with over 500 fellow lethal, and aspiring lethal, forensicators. Information security events like BlackHat, DefCon and RSA draw thousands. It's more difficult to really get to know one's colleagues at those large events, since many times you never see the same person in two different sessions. But, at an event like HTCIA's, you really get a chance to talk and interact with other forensicators, compare notes on a previous talk, and you can probably sit next to a speaker during a lunch break.
One of the speakers attendees did interact with was The SANS Institute's very own Rob Lee. Rob Lee taught a number of sessions on
Hello everybody to my first blog post here at SANS. I've released a whitepaper that may be of interest to people in the forensic community, and wanted to both share it with you and get feedback and criticism on it. Seeing a few great presentations today here at DefCon, namely by Christopher Cleary, Michael "theprez98" Schearer, and Wesley McGrew, motivated me to get off my duff and finish this thing.
- Mark Lachniet
Due to recent developments in counter-forensic technologies such as strong encryption, it may
soon be necessary for forensic analysts to use system penetration or "hacking" techniques in order to
obtain forensic evidence, a process here referred to as "Hostile Forensics". This issue is not one that
has been adequately discussed in the forensic community at large, and as such there has been very little
planning or public collaboration to discuss issues and define ...
I know nothing. That's the only conclusion I can draw from my four years in the field thus far. Every time I work on a new case I learn something. Most of the time these are little morsels of forensicating goodness, but occasionally these things are so immense that I believe that my findings are worthy of sharing with the world. Of course, then I log on to the SANS Digital Forensics Blog and find that someone else has typically beaten me to it.
As many of you may already know, I have spent some months investigating and analysing volume shadow copies (difference files) in Windows 7 and Vista. The result of this is that I have found how these files are structured and can manually dissect these files to find valuable data. I have shared these findings on both my website and in several presentations. Now my question to you is this: What would have happened if I hadn't shared my findings? Stretching further, in what state would digital forensics be if people like Rob Lee, Harlan