[How To] Forensic Data Recovery in Linux - tsk_recover

This week we will talk about The Sleuth Kit, and specifically the tool tsk_recover. tsk_recover is a useful tool for allocated and unallocated file recovery. tsk_recover is a good quick solution, but in terms of performance, other tools tend to carve data better. I recommend using this in conjunction with other tools in an automated processing chain.

[Video: https://www.youtube.com/embed/MS6zruRaxyA]


No More Ransom - Detecting and unlocking ransomware without paying

Data is valuable. Ransomware takes advantage of the financial or sentimental value of our data, as well as the fact that most homes and organizations do not have adequate data backup solutions in place.

Once a computer is infected with ransomware, individual files are normally encrypted and users are asked to pay a ransom to unlock their data. If the victim pays, the data may or may not be unlocked. Ransomware started off like most viruses, targeting average computer users opportunistically. Ransomware groups, however, started targeting hospitals, police organizations and others.

[Image: Use nomoreransom.org to unlock your data]

So what can you do if you are infected with ransomware? Internet vendors and law enforcement have come together to create No More Ransom. This website gives users information about current types of ransomware, lets them download unlocking tools (for free), provides prevention information and even has a tool that analyzes your encrypted files and recommends which unlocking tool to use.

The Problem

Ransomware is possible because people do not have backups in place.

The Solution

Backups.

If you have an extra hard drive that you are not using, or even another computer that is often on, CrashPlan is a pretty straightforward backup solution that is free if you save data to your own computers.

Note: Dropbox or similar are not good backup solutions because they constantly sync changes. If ransomware infects your systems, the encrypted changes may be synced to your cloud storage. With a backup solution like CrashPlan, 1) backup is not instantaneous and 2) CrashPlan keeps track of prior versions of data. So if encrypted files were backed up, you can still restore prior versions. Best of all, CrashPlan provides end-to-end encryption (if enabled).



[How To] Forensic Data Recovery in Windows - Photorec

This week we will show how to use Photorec to recover data from a suspect disk image. Photorec supports the recovery of many different file types, but we will focus on jpg image recovery. Photorec works in Windows, Mac and Linux and is a useful tool for automating data recovery on suspect disk images.

[Video: https://www.youtube.com/embed/PTbgDEhqx1k]


Warning to Forensic Investigators: USB KILLER

This post is informational for digital forensic investigators and first responders. Be aware of the ‘USB Killer’. Very basically, it’s a USB device that contains a high-voltage capacitor that charges up from the USB power supply, then releases a large charge directly into the USB data bus, potentially destroying the motherboard.

[Image: USB Killer device from USB Kill [https://www.usbkill.com]]

The device itself is made for ‘penetration testers’ to test the physical security of a system. The device shown is from USB Kill, but such a device would be trivial to create using any USB device and a high-voltage capacitor - like so.

Here are some comments on Reddit about whether a suspect would be liable if the police seize one of these and fry the investigation computer / write blocker.

This device is not to be confused with the USB Kill Switch, which checks whether devices are added or removed and shuts the system down. The USB Killer is focused on physical damage.

Unfortunately, I’ve not seen more information on forensic forums about these types of devices. SANS and Forensic Focus have some short articles on it. The device looks like a normal USB stick. Be sure to check any USB devices before imaging.


[How To] Forensic Acquisition in Windows - FTK Imager

In this video we show how to do a forensic acquisition of a suspect disk using FTK Imager in Windows.

[Video: https://www.youtube.com/embed/TkG4JqUcx_U]


Paid Graduate Positions Available: Digital Investigations in Internet of Things

The Legal Informatics and Forensic Science (LIFS) Institute in the College of International Studies at Hallym University, South Korea, currently has openings for full-time researchers at the Masters, Ph.D. and Postdoctoral levels.

These positions deal with Internet of Things (IoT) digital forensic investigations. The following skills are necessary:
  • Programming skills (any language)
  • Ability to plan and carry out research
  • Ability to work with a team

The following skills are preferred but not required:
  • Knowledge of embedded systems
  • Embedded system programming experience
  • Computer / Network administration experience
  • Competency in Linux / Unix systems
  • Knowledge of Digital Forensic Investigation techniques (esp. acquisition)

These positions include a full scholarship as well as a monthly living stipend. Candidates should be willing to relocate to Chuncheon, South Korea.

To apply for the Master’s and Ph.D. positions, please do the following:
  1. Send an email with your CV and links to any research papers you have published to [email protected] with the subject “IoT Graduate Application”.
  2. Apply for a graduate position with Hallym University [http://bit.ly/20Fvvi4] by November 10th, 2016.
    • Download the application files [http://bit.ly/2eWHVSM]
    • Complete the basic application files
    • Mail the application files to [email protected] and CC [email protected]
    • Other documents can be provided later (such as passport info, diploma, etc.)
    • No Visa will be issued until certified copies of supporting documents are provided.

To apply for a Post-doctorate in Digital Forensic Investigation of IoT Devices, please do the following:
  1. Send an email with your CV and links to any research papers you have published to [email protected] with the subject “IoT Postgraduate Application”.
    • Candidates must have already completed a PhD degree.