In this week's SANS Case Leads, we have a python script for parsing the Master Boot Record, a question of USB drive serial number uniqueness, some VSC goodness and some other stuff ;-)
If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org
Tools:
- Jamie Levy (@gleeda) posted a script that she wrote that parses the MBR in order to help find MBR infectors. Read Jamie's Blog post. Grab the script here.
- Jason Hale came up with a GUI front-end for Corey Harrell's batch scripts used to rip/examine Volume Shadow Copies, called VSC Toolset.
- DEFT Linux 7.1 was released earlier this month. Read the
...
Posted by Ira Victor. Filed under artifact analysis, Browser Forensics, Case Leads, Computer Forensics, Digital Forensic Law, eDiscovery, Evidence Acquisition, Incident Response, Timeline Analysis, USB Device Analysis, Write Blockers.
Solid State Drive (SSD) forensics continues as the top story this week. Two university researchers published shocking research indicating that the firmware in SSDs can destroy forensic evidence as part of its everyday functionality. Details in MUST Reads (upgraded this week from "Good Reads"). Apple made big news with the launch of a new tablet (this week) and new laptop offerings (last week). We bring you news of forensic tools for the Mac. Plus, industrial espionage featuring Chinese spies paying American employees to steal intellectual property. And, do you have naked passwords?
Tools:
- MacQuisition 2.53 from BlackBag Technologies is a forensic acquisition tool for legacy and new Mac hardware. The new version now supports the Intel i5 and i7 processor architecture, enabling it to work with the latest Mac laptops and desktops. This update also offers dual-boot options for working with new Intel-powered Macs as well as legacy PowerPC Macs.
...
While most technical and non-technical types focus on servers, desktops, and mobile phones/pads when thinking about security and forensics, an area of growing concern is industrial control security. This was brought to light in the wake of the Stuxnet worm. The accusations continue to fly, via armchair forensics. Was it an attack on Iran? Or maybe an attack against India, since it seems Stuxnet may have knocked out a TV satellite. Security honcho Bruce Schneier says we may never know.
What is certain is a growing concern over industrial control security. According to a San Francisco Chronicle story that ran this week: "... Liam O Murchu, a researcher with the computer security firm Symantec, used a
...
It is not the intent of this blog post to be an all-encompassing guide to the forensic analysis of an iPhone. Rather, it is a look at some of the tools I use in my practice and how they can be applied to iPhone forensic analysis. That being said, let's get to it.
Why would you use the Cellebrite File System Dump instead of the traditional Extract Phone Data?
If the subject of your forensic analysis is collecting information regarding the telephone, such as call logs, phone book, SMS, pictures, video and audio/music, then you will find what you need using the standard Cellebrite processing found under "Extract Phone Data". However, if you want to do a deep dive into the file structure or Internet usage, look deep into the applications being used on the device, and perhaps run some of your "favorite forensic tools" against it, I highly recommend complementing your traditional
...
Making Use of a Super Timeline
I won't go over how to create a Super Timeline, since Rob has already covered that at a high level on the SANS Digital Forensics Blog. What I've been working on recently is how to best make use of the resulting timeline. I have also discovered some interesting artifacts that it never occurred to me to consider as part of a timeline.
What I've learned is that creating a Super Timeline is only the beginning of timeline analysis. Because the Super Timeline method captures so many time stamps, it is likely that a Super Timeline will contain too many entries to manually review line by line, especially if an examiner creates a timeline for an entire drive image. The challenge is to be able to pin down what portions of that timeline are relevant to the examination at hand.
What I recommend
...