Wednesday, November 13, 2013

Daily Blog #143: PFIC Day 1 Morning Sessions

Hello Reader,
          I'm attending PFIC and trying to be a good attendee and attend all the sessions when I'm not running out for calls. I thought I would pass on my notes on these sessions and then post the slides they are associated with for those of you who couldn't make it.

8am Session - Amber talking about trends in mobile forensics

Shows real data from kids' cell phones; it's a form of punishment
Windows Phone acquisition is limited to local device data; cloud storage is currently out of reach
To acquire a Windows Phone you need to install an app from the marketplace

9am session - James Wiebe - remote forensic acquisition

A review of what we now know about NSA capabilities via Snowden
Beyond the front-end server, most providers pass decrypted traffic between their nodes
Apologizes that this is a talk focused on a product CRU is selling, but wants to try to educate beyond it
I think Eric Zimmerman needs to get a Ditto and test it to see if their speed claims match up to what he's seen
Ditto is an embedded Linux system, but they don't use the ntfs-3g FUSE driver and thus avoid the performance penalty we saw in our testing
Optional battery allows it to run for 7 hours of imaging; that's cool
They've implemented Lightgrep in their embedded device and are using it for carving; I would assume they are using it for searching as well. Remote live triage is the goal.
Currently on sale for $1,649 from forensiccomputers.com, not a low-cost option

Just a note here: the Surface is my go-to device to take with me for conference notes now.

10:30am session "eDiscovery Overview for Forensic Examiners"

Data mining and mapping against email to find patterns or criteria that surface interesting/relevant data
Case law shown about various expert rulings on how experts were used
Review of challenges in defending eDiscovery searches
Review of challenges in attacking eDiscovery searches
I had to leave the session at this point to take a client call.

11:30am session Google Glass Forensics

Start with Glass v1
Review of what Google Glass is/does
Review of the hardware and specifications
Showed Glass v2
Walking through future Glass apps and their forensic data implications
Introduction of 'Shattered', an open-source forensic project from Champlain
Current version scrapes user-accessible data; the next version will root the device for physical images and more data
Showing how images are saved and timestamped
Photos have EXIF data
Two thumbnails are also generated; the meaning of their filenames is unknown
Taking a picture adds an entry to usagestats
The 'logcat.txt' file produced by the Shattered script also shows a picture was taken; the timestamp of the log entry should match the name of the image taken and its EXIF data
Calls are also logged to these logs
Map requests and cached direction information are stored
Bluetooth logging includes MAC addresses of devices connected to
WiFi logging of access points and MAC addresses in range
Each Glass activation and the method of activation is logged
Example images will be posted soon to allow testing and research
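The cross-check mentioned above (log entry time vs. image filename vs. EXIF DateTimeOriginal) is the kind of thing worth scripting once the example images are out. The script below is an added illustration, not code from the talk or from the Shattered project: it parses Android logcat lines in the standard 'threadtime' layout and flags any capture whose three timestamps disagree. The log tag 'CameraService', the "picture taken" message text, the YYYYMMDD_HHMMSS_ms.jpg naming scheme and the sample log lines and EXIF values are all constructed assumptions for the demo, not the real Glass formats.

```python
"""Correlate camera events in a logcat dump with image filename and EXIF timestamps.

Added example (not from the talk or from Shattered). The log tag, message text,
image naming scheme, sample log lines and EXIF values are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

# logcat 'threadtime' layout: MM-DD HH:MM:SS.mmm PID TID LEVEL TAG: message
LOGCAT_RE = re.compile(
    r"^(?P<md>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d)\.\d{3}\s+\d+\s+\d+\s+[VDIWEF]\s+"
    r"(?P<tag>[^:]+):\s*(?P<msg>.*)$"
)

# Constructed sample lines; logcat carries no year, so the caller supplies it.
SAMPLE_LOGCAT = """\
11-13 10:02:17.412  1201  1233 I CameraService: picture taken /sdcard/DCIM/Camera/20131113_100217_123.jpg
11-13 10:02:17.590  1201  1233 D ThumbnailService: wrote 2 thumbnails
11-13 10:09:44.001   877   901 I CameraService: picture taken /sdcard/DCIM/Camera/20131113_100944_777.jpg
11-13 10:15:00.120   877   901 I BluetoothAdapter: connected AA:BB:CC:DD:EE:01
"""

# Constructed EXIF DateTimeOriginal values (the format exiftool reports them in).
SAMPLE_EXIF = {
    "20131113_100217_123.jpg": "2013:11:13 10:02:17",
    "20131113_100944_777.jpg": "2013:11:13 10:14:44",   # deliberately off by five minutes
}

CAMERA_TAG = "CameraService"                        # assumed tag
PICTURE_RE = re.compile(r"picture taken (?P<path>\S+\.jpg)$")   # assumed message
NAME_RE = re.compile(r"(\d{8}_\d{6})_\d+\.jpg$")    # assumed naming scheme


def parse_logcat(text, year):
    """Yield (timestamp, tag, message) for each well-formed threadtime line."""
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year}-{m['md']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        yield ts, m["tag"].strip(), m["msg"]


def camera_events(text, year):
    """Return {image basename: log timestamp} for every logged capture."""
    events = {}
    for ts, tag, msg in parse_logcat(text, year):
        if tag != CAMERA_TAG:
            continue
        pm = PICTURE_RE.search(msg)
        if pm:
            events[pm["path"].rsplit("/", 1)[-1]] = ts
    return events


def correlate(logcat_text, exif_by_name, year, tolerance=timedelta(seconds=5)):
    """Compare each capture's log time, filename time and EXIF time.

    Returns {basename: [problems]}; an empty list means all three sources agree.
    Images seen in only one source are reported too, since a photo with no log
    entry (or a log entry with no photo) is itself a finding.
    """
    report = {}
    events = camera_events(logcat_text, year)
    for name in set(events) | set(exif_by_name):
        problems = []
        log_ts = events.get(name)
        exif_raw = exif_by_name.get(name)
        if log_ts is None:
            problems.append("no capture event in log")
        if exif_raw is None:
            problems.append("no EXIF timestamp")
        nm = NAME_RE.match(name)
        name_ts = datetime.strptime(nm.group(1), "%Y%m%d_%H%M%S") if nm else None
        if name_ts is None:
            problems.append("filename does not carry a timestamp")
        exif_ts = datetime.strptime(exif_raw, "%Y:%m:%d %H:%M:%S") if exif_raw else None
        if log_ts and exif_ts and abs(log_ts - exif_ts) > tolerance:
            problems.append(f"log/EXIF differ by {abs(log_ts - exif_ts)}")
        if log_ts and name_ts and abs(log_ts - name_ts) > tolerance:
            problems.append(f"log/filename differ by {abs(log_ts - name_ts)}")
        report[name] = problems
    return report


if __name__ == "__main__":
    for name, problems in sorted(correlate(SAMPLE_LOGCAT, SAMPLE_EXIF, 2013).items()):
        print(name, "OK" if not problems else "; ".join(problems))
```

On real data you would feed it the logcat.txt from the acquisition and EXIF values pulled with exiftool, and widen the tolerance if the device's clock and the camera pipeline are known to disagree by a fixed offset; a mismatch is a lead to explain (clock change, copied file, edited metadata), not a conclusion by itself.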

More to come as I sit through the 2:30pm session!