Daily Blog #143: PFIC Day 1 Morning Sessions

PFIC Day 1 Morning Sessions by David Cowen - HECF Blog

Hello Reader,

I'm attending PFIC and trying to be a good attendee and attend all the sessions when I'm not running out for calls. I thought I would pass on my notes on these sessions and then post the slides they are associated with for those of you who couldn't make it.

8am Session - Amber talking about trends in mobile forensics

Shows real data from kids' cell phones; it's a form of punishment.

Windows Phone acquisition is limited to local device data; cloud storage is currently out of reach.

To acquire a Windows Phone you need to install an app from the Marketplace.

9am session - James Wiebe - remote forensic acquisition

A review of what we now know about NSA capabilities via Snowden.

Beyond the front-end server, most providers pass decrypted traffic between their nodes.

Apologizes that this is a talk focused on a product CRU is selling, but wants to try to educate beyond it.

I think Eric Zimmerman needs to get a Ditto and test it to see if their speed claims match up to what he's seen.

Ditto is an embedded Linux system, but they don't use the ntfs-3g FUSE driver and thus avoid the performance penalty we saw in our testing.

Optional battery allows it to run for 7 hours of imaging; that's cool.

They've implemented Lightgrep in their embedded device and are using it for carving; I would assume they are using it for searching as well. Remote live triage is the goal.

Currently on sale for $1,649 from forensiccomputers.com, not a low cost option.

Just a note here: the Surface is my go-to device to take with me for conference notes now.

10:30am session "eDiscovery Overview for Forensic Examiners"

Data mining and mapping against email to find patterns or criteria to find interesting/relevant data.

Case law shown about various expert rulings in how experts were used.

Review of challenges in defending eDiscovery searches.

Review of challenges in attacking eDiscovery searches.

I had to leave the session at this point to take a client call. 

11:30am session - Google Glass Forensics

Start with Glass v1.

Review of what Google Glass is/does.

Review of the hardware and specifications.

Showed Glass v2.

Walking through future Glass apps and forensic data implications.

Introduction of 'Shattered', an open source forensic project from Champlain.

Current version scrapes user accessible data, next version will root the device for physical images and more data.

Showing how images are saved and timestamped.

Photos have EXIF data.

Two thumbnails are also generated; the meaning of their filenames is unknown.

Adds an entry to usagestats.

The Shattered script file 'logcat.txt' also shows a picture was taken; the timestamp of the log should match the name of the image taken and the EXIF data.
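The three-way check described above (log timestamp vs. image filename vs. EXIF timestamp) is the kind of thing an examiner wants to automate once example images are available. The script below is an added example written for this post; it is not part of the Shattered project or the original notes. It assumes the standard Android logcat "threadtime" line layout (MM-DD HH:MM:SS.mmm PID TID LEVEL TAG: message), a hypothetical camera log tag and message ("CameraService: takePicture"), and photo filenames that embed a local timestamp as YYYYMMDD_HHMMSS_nnn.jpg; the log lines and photo records are constructed, and the EXIF DateTimeOriginal strings are passed in as already-extracted values rather than read from files.

```python
"""Correlate a logcat capture with photo filenames and EXIF timestamps.

Added example for the Glass forensics notes; not code from the Shattered
project. The log tag/message, the filename layout and the sample data below
are assumptions, labelled as such.
"""
import re
from datetime import datetime, timedelta

# Standard Android 'threadtime' logcat layout (no year in the timestamp).
LOGCAT_RE = re.compile(
    r"^(?P<mon>\d{2})-(?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\.(?P<ms>\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s*(?P<msg>.*)$"
)
# Assumed filename layout: YYYYMMDD_HHMMSS_nnn.jpg (local time embedded in the name).
PHOTO_RE = re.compile(r"^(?P<date>\d{8})_(?P<time>\d{6})_\d{3}\.jpg$", re.IGNORECASE)

# Hypothetical tag/message for a capture event; adjust to what the real log shows.
CAPTURE_TAG = "CameraService"
CAPTURE_MSG = "takePicture"

# Constructed sample logcat.txt content (not from a real device).
SAMPLE_LOGCAT = """\
11-05 09:14:02.118  1201  1230 I CameraService: takePicture
11-05 09:14:02.340  1201  1230 D CameraService: saved /sdcard/DCIM/Camera/20131105_091402_118.jpg
11-05 09:20:11.004   812   830 I Telephony: call started
11-05 09:31:45.772  1201  1230 I CameraService: takePicture
"""

# Constructed photo filename -> EXIF DateTimeOriginal (format "YYYY:MM:DD HH:MM:SS").
SAMPLE_PHOTOS = {
    "20131105_091402_118.jpg": "2013:11:05 09:14:02",  # everything lines up
    "20131105_093145_772.jpg": "2013:11:05 09:30:45",  # EXIF a minute off the filename
    "20131105_094500_001.jpg": "2013:11:05 09:45:00",  # no capture event in the log
    "IMG_0001.jpg": "2013:11:05 09:50:00",             # name carries no timestamp
}


def parse_logcat(text, year):
    """Return a list of (timestamp, tag, message); the examiner supplies the year."""
    events = []
    for line in text.splitlines():
        m = LOGCAT_RE.match(line.strip())
        if not m:
            continue  # skip header/noise lines rather than fail the whole parse
        ts = datetime.strptime(f"{year}-{m['mon']}-{m['day']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["tag"].strip(), m["msg"]))
    return events


def photo_name_time(name):
    """Timestamp embedded in the filename, or None if the name does not fit the layout."""
    m = PHOTO_RE.match(name)
    if not m:
        return None
    return datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")


def exif_time(value):
    """Parse an EXIF DateTimeOriginal string."""
    return datetime.strptime(value, "%Y:%m:%d %H:%M:%S")


def correlate(events, photos, tolerance=timedelta(seconds=5)):
    """Classify each photo as consistent, exif_mismatch, no_log_event or bad_name."""
    capture_times = [ts for ts, tag, msg in events if tag == CAPTURE_TAG and CAPTURE_MSG in msg]
    results = {}
    for name, exif in photos.items():
        named = photo_name_time(name)
        if named is None:
            results[name] = "bad_name"
            continue
        if abs(exif_time(exif) - named) > tolerance:
            results[name] = "exif_mismatch"
            continue
        if not any(abs(ts - named) <= tolerance for ts in capture_times):
            results[name] = "no_log_event"
            continue
        results[name] = "consistent"
    return results


def run_demo(year=2013):
    """Run the correlation over the constructed sample data."""
    return correlate(parse_logcat(SAMPLE_LOGCAT, year), SAMPLE_PHOTOS)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

A mismatch between the three sources is not proof of tampering on its own; clock changes, time zone handling and the year that logcat omits all need ruling out first, which is why the year is an explicit argument and the tolerance is adjustable.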

Calls are also logged to these logs.

Map requests and cached direction information are stored.

Bluetooth logging includes MAC addresses of devices connected to.

Wi-Fi logging of access points and MAC addresses in range.

Each Glass activation and method of activation is logged.

Example images will be posted soon to allow testing and research.

More to come as I sit through the 2:30pm session!
