Tuesday, March 30, 2010

A Little Clarification

In my last post, I mentioned tool specific certifications.  Specifically the EnCE for Encase and the ACE for  Forensic Tool Kit (FTK)

I got a couple of emails and a comment or two, so I thought I would elaborate a little so there might not be any misunderstanding.

I suppose that you can get a certification in Microsoft Word and never learn grammar or learn to be a good writer.  In that case you would only be learning how the program functions and nothing about how to produce a good written product.

In the forensic world that would equate to tools like F-Response or an acquisition tool like Linen.  You can learn to use the tools to acquire evidence and never learn to handle evidence or to analyze evidence.

To take it a step further, you can get your A+ certification and not be able to actually repair a computer.  I know, I have employed some A+ certified technicians in the past who could not actually fix anything.  Not to say this is true of all A+ certified folks, but the ones I have had contact with did not reflect the level of expertise you would expect from someone certified in computer repair.

You can get a Network + certification and not really know how to design and implement a network.

The same holds true for forensic tool certifications.  You can certainly get a EnCE or ACE  and not know how to handle a full forensic examination from start to finish.

One of the issues is that for the EnCE for instance, you can buy the study guide and it comes with a crippled version of Encase.  The exercises you do with the practice copy of Encase are not very broad or even terribly relevant beyond learning what you need to know to pass the certification exam.

Tool certifications focus on how the tool handles a task and by necessity have to be limited to the functionality of that tool.  While the EnCE study guide does a fairly good job of explaining the underlying workings of what the tool is doing, it is not a comprehensive experience or education in computer forensics.

The critical parts of digital forensics is understanding the laws that pertain to the field, professional ethics, evidence handling and preservation, analysis skills and the ability to write clear reports of what you did.

All of that should support the likelihood that what you have done during your acquisition, preservation, analysis and reporting on a piece of evidence will be contested in a court of law, either civil or criminal.

So while I think that having an EnCE or an ACE is a good thing, it is not a critical thing; Don't think that I believe they are a waste of time or money.  Having an EnCE  or ACE can certainly be a good item on your CV when you go to get a job or when you go to court.  Many employers today prefer that you have one of these certifications.

I have attended Encase training in the past and found it to be excellent.  However, it was narrowly focused on the tool with some explanation of digital forensics mixed in.  Not the other way around.  So while they may touch on forensic principals in their certifications, they are not broad enough to be an overall digital forensics certification. Nor do I believe they are intended to be.
Reblog this post [with Zemanta]

Monday, March 29, 2010

Why I Got My Digital Forensic Certified Practitioner

I have written about certifications on this blog before and others have commented as well.  For the most part, I do not value most of the current certifications all that highly.  Some are better than others.  Some folks disagree with me on my views regarding certifications and that is to be expected. 

However, I did apply for and receive my Digital Forensic Certified Practitioner (DFCP), from the Digital Forensics Certification Board as a Founder.

Why do I believe this certification will prove to be of high value to digital forensic practitioners?

The following four points are from the DFCB web site:

1. The Digital Forensics Certification Board (DFCB) professional certifications are truly independent and community driven.
2. The DFCB certification program was developed with National Institute of Justice (NIJ) funding. The terms for the development of this certification program by consensus were followed.
3. The DFCB will eventually be applying for recognition by the Forensic Specialties Accreditation Board (FSAB), which is currently recognized by the American Academy of Forensic Sciences.
4. The DFCB is connected to the National Center for Forensic Science at the University of Central Florida.

While there are vendor neutral certifications out there like the Certified Computer Examiner (CCE), which is a good one, although not as comprehensive as the DFCP is going to be once it is open to non-founder applicants.  SANS Institute also offers a very good certification program which I think is bolstered by their extensive and well put together training programs.  I have a huge amount of respect for Rob Lee and his excellent group of instructors.

The EnCE and the ACE certifications are vendor specific, being from Guidance Software and Access Data, respectively, and only certify that a person can use their tools.

I will probably get around to getting my EnCE at the CEIC conference this year since I am speaking there and the test is available at the conference.   While I think that vendor certifications are limited in value, for the low cost, why not? 

The most important item above is number 3.  Accreditation by the FSAB is going to be a critical step in this certification becoming the de-facto standard for digital forensic certifications.

Other positives about the DFCB, in my opinion, is that it is neutral and independent from any money making body, vendor or testing service.

Also, if you read the key domains of knowledge, it is very comprehensive in its coverage of what must be known as a digital forensic examiner.
Reblog this post [with Zemanta]

Saturday, March 20, 2010

Attorneys are from Mars, Computer Forensics People are from Pluto

Men Are From Mars, Women Are From VenusImage by Larry He's So Fine via Flickr
We have been doing quite a few e-discovery collections over the past couple of years and there is a recurring theme to each of them; There is a definite communication barrier between attorneys and us computer forensic types.

Attorneys use words such as  mens rea, voir dire, habius corpus and in camera.  Our vocabulary includes words like bit stream copy, logical acquisition, active file collection and MD5 hash values.

Ever read the book, Men are from Mars, Women are from Venus?  Having a conversation with my wife many times goes like this:

"I know that is what I said.  But that is not what I meant!"

The problem is that she says one thing and I hear something entirely different.  That is a lot like talking to attorneys.  Attorneys are from Mars and computer geeks are from Pluto.  Well, we would be if it was still a planet.

It seems that the hardest thing to do is gather information before the collection that is accurate and means the same thing to both parties.

When an attorney says to me, "I want a copy of the hard drive."  I hear, okay, you want a bit stream forensic image of the entire physical hard drive.  Not a problem.  At least, not a problem until we find out they meant that they wanted a copy of the all of the logical files on the hard drive.  Wait a minute? What the heck is a logical file?  Can a file be illogical?  My wife certainly can, and that is one of her many endearing qualities.

When we computer forensic types think about hard drive and partitions and files, we tend to think in two realms: physical and logical.

So what's the difference anyway?

When the operating system on a computer shows you, the user, partitions, directories and files located on a physical hard drive, it shows you a logical representation of the physical data on that hard drive.  Each operating system has its own little quirks in how it likes to store, arrange and show the files it manages.

Even what most people consider to be their hard drives when they see in their file browser items like C or D or some other drive letter is a logical representation.  That C you see is not a physical hard drive.  It is a partition on a physical hard drive.  Now, of course if your hard drive only has one partition, you could say that Drive C is the physical hard drive, but you would still only be referring to the logical representation of the hard drive.  The nickname, so to speak, that the operating system gives the partition on the physical hard drive. Otherwise you would see something like hda0 or sda1.  That is what the drive would look like at a lower and not so friendly level.

The operating system shows nicknames you so you can have an idea of where your files are, using friendly names.

An easy way to think about how drive letters work is to think real names and nicknames.  My real name is Lawrence.  Let's call that my physical name.  My nickname is Larry.  Let's call that my logical name.  I can answer to either one equally well, but since, me as an operating system, represents my physical self as my logical name Larry, you don't need to know my real name to yell at me or ask me a question.

When you are browsing around in your computer, you will not see files that are deleted.  These are still there on the physical hard drive, but are not included in the logical representation that the operating system shows you. That is because, being ever so helpful, the operating system assumes that since you deleted the files, you don't want to see them anymore.  That is how many people get surprised when a forensic examination exposes all those nasty little porn files you thought were gone when you deleted them and then emptied your recycle bin.

Back to physical and logical.  The other helpful thing your operating system does is show you how much space is left on the hard drive. (I am using the logical representation here, since most of us normally think of a drive letter as a hard drive, even if it is incorrect.  It is more convenient.)

When you examine your hard drive in Windows for example, it might show you that you have 500 gigabytes in total space, followed by 75 gigabytes used and 425 gigabytes free.

Now if you asked for a copy of the whole hard drive, you were probably thinking you want a copy of that logical 75 gigabytes, not the whole physical 500 gigabytes.  It is rare in an e-discovery collection to want the whole 500 gigabytes of the physical drive.  Why?

1. Most discovery requests don't include deleted files.
2. E-discovery processing is danged expensive and is charged by the gigabyte in most cases.  Why pay any more than you have to for processing?
3. Getting to what you REALLY mean; you want all the user files from that physical 500 gigabyte drive and that logical 75 gigabytes.

So, if the collection order specifies all the user files from the entire hard drive, I got that.  No problem, you will end up with an actual collection far smaller that even the logical 75 gigabytes.

If the order specifies the entire hard drive, I am going to think; Okay, forensic bit stream copy time.  You will get the entire 500 gigabytes.

I am going to write more on this blog about the technical stuff in plain English and try to bridge the communication gap between us and the non-technical people we serve.
Reblog this post [with Zemanta]

Friday, March 12, 2010

A couple of phishing scams

Here are a couple of new phishing scams that hit my email this morning.

Like anything, a little attention to details will help to avoid these.  Of course, why the South African government would want to give me a tax refund is ridiculous to start with.

Below is the faked email from the South African Revenue Service

And here is the faked web page:

Now if you bother to click on any of the links in the left column, none of them work. However, if you are careless and click on the bank logos so you can get your refund, you get faked pages for the banks asking for what else?; Your bank log in information.

Again, none of the site links work.  Once your personal information has been captured, it doesn't matter since the damage has been done.

Another dead giveaway is the web address:

As you can see, the real sars.gov.za URL is appended to the phisher's site URL to make it appear like it is going to a legitimate site.

Here is the second one I got this morning:

Looks kind of sort of legit on the surface.  Until you open the attached word document that is.

Outside of the normal clues to a phishing scan, namely the poor English, a couple of nice touches are included:

Using gmail as the return email address.  Like Google has to use their own free email service.  If you notice, in the email address:
that foreign is misspelled, that is another clue to a scam.

And the little bit at the end about keeping it confidential.  Don't tell your friends and family!  Probably because they will tell you that you are getting scammed.

Any time you get something from someone who is not in your address list, be careful what you click on!
Reblog this post [with Zemanta]