The new version of SOF-ELK is here. Download, turn on, and get going on forensics analysis.



We are excited to announce the release of an all-new version of the free SOF-ELK®, or Security Operations and Forensics ELK, virtual machine. Now based on the new version of the Elastic Stack, SOF-ELK is a complete rebuild that is faster and simpler to use than its predecessors, making forensic and security data analysis easier than ever.


Since its introduction about five years ago, there have been more than 10,000 downloads of SOF-ELK around the world by computer forensic investigators and information security operations personnel in the government, law enforcement and commercial sectors. The SOF-ELK platform is a customized build of the open source ELK stack, consisting of the Elasticsearch storage and search engine, Logstash ingestion and enrichment component, and the Kibana dashboard frontend.


SOF-ELK was always designed to help minimize the typically long and involved setup process the ELK stack requires by delivering a pre-built virtual appliance that can be downloaded in a ready-to-use state. It can consume various source data types (numerous log types as well as NetFlow), parses out the most critical data fields, and presents them on several stock dashboards. Users can also build custom data visualizations that suit their own investigative or operational requirements (and, because the project is fully open source, can choose to contribute those custom builds back to the primary code repository). Learn more about the SOF-ELK distribution.


The new version of SOF-ELK has been rebuilt from the ground up to take advantage of the new version of the Elastic Stack software and uses all of the Elastic Stack’s components. This required a total rebuild of all dashboards and supporting scripts. Simply download this distribution, turn it on, feed it some data and begin analysis. It’s that easy.


The SANS team has performed extensive testing of this distribution of the SOF-ELK platform. The new version’s most immediate benefits are its speed and its refreshed browser interface, which is faster and easier to use and can visualize massive amounts of data through the dashboards. We also expect faster development cycles. Here are some more changes in the new SOF-ELK:


  • Supports the latest updates to the kernel and all CentOS packages.
  • Includes new parsers from upstream and community contributions.
  • Rebuilt and revalidated all Logstash parsers against the latest syntax.
  • Better handles dynamic (boot-time) memory allocation for Elasticsearch.
  • Rebuilt all Kibana dashboards to handle updated index mappings and field names.
  • IPv6 addresses can now be handled as IPs instead of strings.
  • Features many under-the-hood changes that will make our roadmap much smoother in the future.

The SOF-ELK platform was initially developed for SANS FOR572, Advanced Network Forensics and Analysis, and is now used in SANS SEC555, SIEM with Tactical Analysis. Additional course integrations are being actively worked on at this time and considered for future versions. However, SOF-ELK was always designed as a free resource for the digital forensic and broader information security communities at large: a ready-to-use appliance that teams can use without having to invest the many hours needed to deploy, configure, and maintain an Elastic Stack instance. We hope you check out the latest version of the SOF-ELK distribution.


SOF-ELK®: A Free, Scalable Analysis Platform for Forensic, Incident Response, and Security Operations

  • When: Tuesday, March 5th, 2019 at 1:00 PM EST 
  • Conducted by Phil Hagen
  • Register now


There is no shortage of digital evidence, with many DFIR and Security Operations teams handling terabytes of log and network data per week. This amount of data presents unique challenges, and many tools are simply inadequate at such a large scale. Commercial platforms that are up to the task are often far out of budgetary reach for small- and medium-sized organizations.

The Elastic Stack, a big data storage and analysis platform, has become increasingly popular due to its scalability and open-source components. Countless investigative and security teams have incorporated Elastic into their toolkits, often realizing the significant level of effort required to customize and manage such a powerful tool. To overcome some of these hurdles, the SOF-ELK platform was created. SOF-ELK aims to be an appliance-like virtual machine that is preconfigured to ingest and parse several hundred different types of log entries, as well as NetFlow data. The intent is to provide analysts and investigators with a tool that leverages the power of the Elastic Stack with minimal setup time and effort. Originally a part of the SANS FOR572, Advanced Network Forensics & Threat Hunting course, SOF-ELK has been incorporated into additional SANS courses and is released as a free and open-source platform for the overall security community.

In this webcast, we will explore SOF-ELK’s use cases, the types of log data currently supported, and how to load data from live or archived sources. We will also show the various dashboards supplied with the VM and how new features can be activated through the project’s GitHub repository.

Three Steps to Communicate Threat Intelligence to Executives

As the community of security professionals matures, the intelligence community, incident response professionals, and security operations are merging. One struggle people have is how to make threat intelligence actionable for the business. You have the large volume of data from Recorded Future, yet how do you apply that data in a practical way and communicate it to the business?

The answer is to keep it short and to the point, and in the risk language they use. Bring solutions, not problems, to the table. An executive’s greatest challenge is time. They want smart people who can make the day-to-day decisions to protect the company from attacks, so that they can address large strategic topics.

In addition, the business media channels are talking about security problems. Just browse to The Wall Street Journal and see the latest cyber security news posts. That is good for our profession, so we need to be proactive. How can we be proactive? There are four steps that need to be done.

The first step is to know what the business differentiator for the company is. Ask the executives what makes this organization competitive. Why is it different? Ask how that difference might be vulnerable to cyber-attack.

The second step is to do the analysis. Be proactive and situationally aware; Recorded Future can provide access to that data. It is not only about knowing the threats, but about how they apply to the organization. In what part of the kill chain does the attack occur? Does it already map to an attacker campaign?

I’ll give a fictitious example. You are an analyst at a power company. Reading the latest blogs on exploits and attacks, you see a media release about a new type of malware attacking the power grid. You know from business discussions that power production is critical for the business. Is the threat, “the new malware”, a risk to the organization?

Using Recorded Future, search for the first time the malware was mentioned in the score card. In the case below of the Furtim malware, Recorded Future data shows blogs from a few years ago and a VirusTotal post too. So much for the vendor hype that this is a new threat.

Ask yourself whether the organization has mitigations and controls in place to stop the threat; in this case, at this point in time, the organization’s anti-virus does detect the malware. Are there any other controls in place? Are there mitigations in place? Maybe there is an IPS signature in place. If not, then run the attack in a test environment and build blue team solutions. Begin tracking the attack indicators and possible campaign by mapping the attack to the kill chain for the organization.

The third step is to communicate. Executives understand risk, so explaining the threat in terms of risk is effective, and if there is not a control in place, find one and communicate when it will be implemented. Below is a canned example:

Dear All,

I’d like to make you aware of an item, in case you are asked about it. It involves a business concern, the power grid. It appears there are a couple of articles on the internet about a malware sample called Furtim that is getting more media attention.

One of the articles becoming popular is found here:

The article makes a few points to gain media attention, such as:

  • “sophisticated malware campaign specifically targeting at least one European energy company”
  • “potentially shut down an energy grid”
  • “The sample appears to be targeting facilities that not only have software security in place, but physical security as well”

So I took a look to see if we are protected or if there are gaps in the organization. What the authors forget to mention is that for the infection to work, other gaps are needed. For example, the sophisticated malware in the article is a “final payload” and needs to use another common malware to infect a computer before it can be harmful. After researching the Furtim malware, and with the VirusTotal results found here, the information shows that anti-virus detects the common malware that is part of the infection chain. Granted, the malware can be re-coded, but based on the current information I have today, this is a low risk to the organization’s environment. I’ll continue to monitor logs for specific connections out from our network that are related to command and control.

If you have questions, please feel free to contact me.

In general, follow the three steps to apply threat intelligence. One, know the organization you are defending: what drives it? Two, be technically proactive, do the research, analyze the attack data and map it to the kill chain. Three, communicate risk and solutions. For more information about practical threat intelligence, see Rob M. Lee’s blog and enroll in the SANS Threat Intelligence class.

DFIR Summit 2016 – Call for Papers Now Open


The 9th annual Digital Forensics and Incident Response Summit will once again be held in the live music capital of the world, Austin, Texas.

The Summit brings together DFIR practitioners who share their experiences, case studies and stories from the field. Summit attendees will explore real-world applications of technologies and solutions from all aspects of the fields of digital forensics and incident response.

Call for Presentations - Now Open

The 9th Annual Digital Forensics and Incident Response Summit Call for Presentations is now open. If you are interested in presenting or participating on a panel, we’d be delighted to consider your practitioner-based case studies with communicable lessons.

The DFIR Summit offers speakers the opportunity for exposure and recognition as industry leaders. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

Deadline to submit is December 18th, 2015.

Summit Dates: June 23 & 24, 2016
Post-Summit Training Course Dates: June 25-30, 2016


SANS Survey of Digital Forensics and Incident Response #DFIR

More than 450 participants completed the SANS 2013 Digital Forensics Survey, conducted online during April and May 2013. A primary goal of this survey was to identify the nontraditional areas where digital forensics techniques are used. The survey can be downloaded HERE.

A webcast introducing the Survey earlier this month can be found here:

The survey was written by Paul Henry, Jacob Williams, and Benjamin Wright.

In the survey, 54% of respondents indicated their digital forensics capabilities are reasonably effective. Although the majority of their investigations still take place on company-issued computers and laptops and internal networks and systems, participants also conduct forensic investigations on virtual and cloud-based systems and other unconventional endpoints. When it comes to investigating these new media types, participants are nearly equally divided among several challenges inherent to such investigations, including a lack of specialized tools, standards and training, and visibility into potential incidents.

A chief finding of the survey was that participants identified deficiencies in standards, tools and training as the fundamental challenges to investigating incidents involving the cloud, mobile devices and other unconventional endpoints.

As organizations adopt bring-your-own-device (BYOD) policies and cloud (particularly “public cloud”) technologies, they should ensure that the policies cover digital forensics and incident response (DFIR) in these and other emerging technologies. IT professionals should also engage the advice of their legal teams or consultants so that the policies actually achieve the desired outcomes and protections, while avoiding undesired ones. For instance, some incident response (IR) teams routinely reload compromised workstations without obtaining forensic disk images or memory captures. Although accomplishing the IR goals of containment and eradication, this method undermines the value of evidence that may be required for subsequent legal action.

Forensic investigations of so-called “new” computing devices and media are increasing, affecting enterprise governance (and society in general) more than ever before. Increasingly, these investigations involve technologies such as cloud computing and mobile devices.

To assess the current state of forensic investigations and emerging trends, the SANS Institute conducted this online survey of digital forensics practitioners. The results, summarized in this whitepaper, will help forensic professionals and their clients better prepare for future investigations and allocate resources, while helping guide educators and forensic tools vendors.



Paul A. Henry: Paul Henry is one of the world’s foremost global information security and computer forensic experts, with more than 20 years’ experience managing security initiatives for Global 2000 enterprises and government organizations worldwide. Paul is a principal at vNet Security, LLC and is keeping a finger on the pulse of network security as the security and forensic analyst at Lumension Security. Throughout his career, Paul has played a key strategic role in launching new network security initiatives to meet our ever-changing threat landscape. Paul also advises and consults on some of the world’s most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia, the Reserve Bank of Australia, the Department of Defense’s Satellite Data Project (USA), and both government and telecommunications projects throughout Southeast Asia. Paul is frequently cited by major and trade print publications as an expert in computer forensics, technical security topics, and general security trends, and serves as an expert commentator for network broadcast outlets such as FOX, NBC, CNN, and CNBC. In addition, Paul regularly authors thought leadership articles on technical security issues, and his expertise and insight help shape the editorial direction of key security publications, such as the Information Security Management Handbook, where he is a consistent contributor. Paul serves as a featured and keynote speaker at seminars and conferences worldwide, delivering presentations on diverse topics including anti-forensics, network access control, cyber crime, DDoS attack risk mitigation, firewall architectures, security architectures, and managed security services.

Ben Wright: Benjamin Wright is the author of several technology law books, including Business Law and Computer Security, published by the SANS Institute. With over 25 years in private law practice, he has advised many organizations, large and small, private sector and public sector, on privacy, computer security, e-mail discovery and records management, and has been quoted in publications around the globe, from the Wall Street Journal to the Sydney Morning Herald. He teaches the law of data security and investigations at the SANS Institute. Wright maintains a matrix of popular blogs accessible at Wright graduated from Georgetown University Law Center in 1984. Russian banking authorities recently tapped him for advice on the law of technology and electronic payments.

Jacob Williams: Jacob Williams, a principal consultant at CSRgroup Computer Security Consultants, has over a decade of experience in secure network design, penetration testing, incident response, forensics, and malware reverse engineering. Before joining CSRgroup, he worked with various government agencies in information security roles. Jake is a two-time victor at the annual DC3 Digital Forensics Challenge.

Report Writing for Digital Forensics: Part II

This blog post is a second edition and follow-up to Intro to Report Writing for Digital Forensics, which you’ve taken the time to review, digest, and dissect. How the digital forensic practitioner presents digital evidence to his/her intended audience (regardless of why we are preparing a digital forensic report) establishes the proficiency of the digital forensic examination. Let’s take it even a step further: how will you present your findings? Effectively reporting what you found during your forensic examination will aid you in presenting your report and the digital evidence to whomever your intended audience will be, which ultimately may be a jury in a criminal or civil proceeding. In this blog post, we are going to tackle some more report writing issues. Remember, YMMV depending on what hat you wear in digital forensics and who you will be reporting the findings of your digital forensic examination to. So how can you be effective at completing your forensic report and presenting your findings? Depending on where you fall as a digital forensic examiner/analyst, you have to win in the field to win in the courtroom! This is your time as the examiner/analyst (maybe expert witness?) to tell the story (are you creating a timeline or super-timeline during your forensic analysis?) of the digital evidence, or even the lack thereof, and how it relates to the details of the case. This is your time to shine and communicate your work product to your audience! Stick to the facts and be straightforward with the evidence.

If you fail to effectively report your findings, your analysis will quickly be forgotten as your reader is left to draw their own conclusion or, worse, turn elsewhere for the answer. Your forensic report should be a balance of technical detail, presented in a simple fashion, and tailored for your audience. Avoid link dumping or statements like “I used ABC automated forensics tool, exported SAM registry hive, exported all e-mail & pictures, and burned the report to a CD”. How much of that data is relevant to the case? Recently, Benjamin Wright, Esq. wrote a great article titled “Investigators: How To Write A Report and Store Digital Evidence“. Benjamin states, “As an educational exercise, I have developed a prototype, online investigation report and evidence container. Part check-list, part demonstration, this prototype could be useful for many kinds of non-criminal investigations. Using the Zoho online notebook application, I created the prototype as a teaching tool for my SANS course on the law of investigations.” Take some time to read his blog article and take a look at the Zoho online notebook if you haven’t. As Benjamin points out, this could be a useful tool in non-criminal investigations.

When you are preparing your report, your first section, as I discussed in Part I, will be an “Overview/Case Summary”. In this section, remember you are defining your role in handling the digital evidence and why a forensic examination is being conducted. This is an abstract/synopsis of your forensic examination and should be straightforward. You will include the technical details in the “Findings and Report (Forensic Analysis)”. In some cases, a case summary may be sufficient for what your client/prosecutor/attorney is requesting. It is also good to keep a detailed forensic report for your records (per your department/company policy) in anticipation of legal proceedings. Your case summary should be written to the level where the non-technical reader will grasp and understand your findings. Lars Daniel with Guardian Digital Forensics blogged about presenting technical data to a non-technical audience here and here. Corey Harrell has a good blog post here on the Digital Forensic Investigation process. I mention this because you have to know where you are to get where you are going with your investigation, and reporting is an integral part of this process.

Secondly, we discussed “Forensic Acquisition & Exam Preparation”.

Can you explain the forensic acquisition process in layman’s terms to your audience?

Figure 1

Source: Guardian Digital Forensics (Reprinted with Permission)

Next, we discussed “Findings and Report (Forensic Analysis)”.

What about webpage and browser artifacts that you just recovered for an internal investigation on your corporate network?

Figure 2

Source: Guardian Digital Forensics (Reprinted with Permission)

How about the deleted document containing sensitive data, that you were able to carve out of unallocated space?

Figure 3

Source: Guardian Digital Forensics (Reprinted with Permission)

Lastly, we discussed formulating the “Conclusion”.

These are basic processes during the forensic examination. Explaining certain forensic terminology in a non-technical manner can be difficult even for the most seasoned examiner. Remember, find out who your intended audience will be that will be reading your forensic report. A case summary or abstract may be sufficient if that is what your client/audience expects. Depending on what form of case you are involved in, I would strongly recommend completing a formal & complete forensic report at least for internal documentation and reference. An engagement/incident response/criminal matter could go to court at any time for any number of reasons. Seek advice from your legal department/attorney/district attorney on retention policies & requirements for your company/agency.

Resources: Forensic Focus Sample Reports and Links

NASA’s Glenn Research Center: Guide to Research and Report Writing


Digital Forensic Case Leads: Anon Strikes Again, and Again. Groupon Litigation Threats. DarkMarket Motivations Revealed. The Tutu Has Been Donned

This week’s Digital Forensic Case Leads is chock full of forensics nuggets: links to great forensics tools for encryption detection and memory extraction, plus a how-to for breaking/auditing the OS X Keychain. You will also find an analysis of the Samsung v. Apple patent case from a digital forensics perspective, with IP attorney Ben Langlotz. And, as our headline promises, news and analysis on the latest alleged attacks by “Anonymous” and their affiliates. Your reporter this week explains how both the Anon group’s claims and the Feds’ denials could be true.

If you have an item you’d like to contribute to Digital Forensics Case Leads, please send it to caseleads [at symbol here]



  • AccessData Group just released a new version of its forensics and investigation tool for mobile devices, MPE+. According to AccessData: “In addition to greatly improving mobile device investigations, MPE+ is the first solution designed to facilitate mobile device discovery for litigation support personnel. With the most intuitive interface on the market and new visualization capabilities, investigators and e-discovery practitioners alike will be able to address mobile device data with more efficiency.” This version supports physical imaging of Samsung Galaxy S2 devices and supports 4800 other mobile devices. Other notable features include carving SQLite databases from iOS and Android devices for user-deleted data, and a “Social Analyzer” that compares SMS, emails, MMS and call logs. Contact the people at AccessData Group to find out more.
  • Magnet Forensics (formerly JADsoftware) has an interesting free forensic investigation tool: Encrypted Disk Detector (EDD). According to the company, “EDD is a command-line tool that checks the local physical drives on a system for TrueCrypt, PGP®, or Bitlocker® encrypted volumes… EDD is useful during incident response to quickly and non-intrusively check for encrypted volumes on a computer system. The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug was pulled.”
  • MemGator: another free digital forensics tool. According to the developer, E5h Forensic Solutions, MemGator “is a memory file interrogation tool that automates the extraction of data from a memory file and compiles a report for the investigator… Data can be extracted in relation to memory details, processes, network connections, malware detection, passwords & encryption keys and the registry.”


Good Reads/Listens:

  • DarkMarket: Cyberthieves, Cybercops and You. From the publisher: “In this fascinating and compelling book, Misha Glenny, author of the international best seller McMafia, explores the three fundamental threats facing us in the twenty-first century: cybercrime, cyberwarfare and cyberindustrial espionage. Governments and the private sector are losing billions of dollars each year fighting an ever-morphing, often invisible and often supersmart new breed of criminal: the hacker.”  Due to be released in paperback next month.
  • Breaking into the OS X keychain. From the author of the posting: “There is a design compromise in Apple’s keychain implementation that sacrifices some security for a lot of usability… As a result, the root user is able to read all keychain secrets of logged-in users, unless they take extra steps to protect themselves.” As we know, most users don’t take those kinds of steps. Read the how-to here.
  • Digital Forensic and InfoSec Lessons from Apple v Samsung patent case. Listen to this CyberJungleRadio conversation with Patent expert Ben Langlotz, starting at about 14:30min. There are some very surprising areas of digital forensics discussed by Mr. Langlotz.



Anti-Sec, an off-shoot of the cyber gang known as Anonymous, claimed credit late Monday for obtaining a database of over 12 million Apple iOS UDIDs (Unique Device Identifiers). UDIDs are “burned” into every iPhone/iPad/iPod Touch device. The group’s web site claims that the reason they took this data was as a slap at the Federal Government (“the Feds”) and at the efforts by NSA Chief Gen. Keith Alexander to recruit hackers at Las Vegas’ DefCon conference last month. They want to show that the Feds don’t have the interests of the citizens at heart, but rather that the Feds’ main goal is tracking the activities of average citizens, a claim Gen. Alexander very publicly refuted in Las Vegas. On Wednesday, the FBI released a statement that refutes the claim that the attackers gained access to an FBI computer for this data. Parsing the statement from the FBI and the claims of the alleged attackers, it is possible that the information came from the systems of an anti-cybercrime non-profit that was founded by a former FBI agent. That group, the NCFTA, or National Cyber Forensics and Training Alliance, has, according to Forbes magazine, a legal arrangement with the government that allows it to hand over information to the FBI.

From Elinor Mills and Greg Sandoval at CNET: “The U.S. Secret Service is looking into claims that someone stole presidential nominee Mitt Romney’s income tax returns and is threatening to release them if he doesn’t pay up. Secret Service spokesman George Ogilvie told CNET today that the agency is investigating, but had no further comment.”

Discount eCommerce site Groupon threatens to sue small business merchants. According to a report at, some businesses that participate as Groupon merchants are not getting paid by Groupon. This cash flow problem is driving merchants to notify the company that they will not honor Groupon coupons until they’re paid. Groupon is threatening legal action against the merchants if they suspend providing services to Groupon users as agreed. A classic contract case, but who’s truly in breach? And is there a digital smoking gun? Were orders to slow down or hold back payments transmitted via email, chats, text or other digital means? Have there been internal discussions around responding to merchant complaints about slow payment?

Did diligent email forensics investigation help Samsung mitigate spoliation? In the intellectual property case that pits Apple against Samsung, we won’t get into the IP details in this space, but rather the issue of digital spoliation. Last month, Apple won a motion for an adverse inference jury instruction because Samsung failed to properly preserve email discovery evidence. And as of this writing, Samsung won a copy-cat motion, claiming Apple failed to preserve relevant emails. So now, the jury will not hear that both Apple and Samsung may have destroyed email evidence.


Levity, or For the LULZ?

The Tutu Has Been Donned


by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk show on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator’s Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor.

New version of Nmap, 60TB hard drives on the way, attacker trends, & a dissected web attack

This week’s edition of Case Leads features updates to a popular network scanning tool and another application which may be useful in gaining access to encrypted documents.  We also have an article detailing a recent attack against a website and a couple of papers that look at attack trends.  There’s news that hard drives could approach 60TB and a report that a popular paste site will change its approach in how it manages sensitive content.

As always, if you have an item you’d like to contribute to Digital Forensics Case Leads, please send it to


  • Nmap 6 has been released. In addition to improvements in web scanning, overall scanning speed and the scripting engine, this popular scanner now fully supports IPv6.
  • Passware released Passware Kit Forensic 11.7, which includes memory capture and analysis for recovering various types of encryption keys. The software acquires the memory image over the FireWire port and focuses on identifying artifacts that enable the decryption of numerous types of files and storage.

Good Reads:

  • Dissecting a Hacktivist Attack. Imperva has a write-up that explains the compromise of through the use of RFI (Remote File Inclusion).
  • Email attack trends for Q1 2012. Based on data collected by FireEye for the first quarter of 2012, an organization is more likely to be attacked during the middle of the week than on weekends.
  • Advances in technology could push hard drive capacities to 30 – 60TB in a few years. By 2016, technology such as Heat Assisted Magnetic Recording (HAMR) should help double the areal density of drives making it possible to produce 3.5-inch drives up to 60TB and laptop drives in the 10 – 20TB range.





Digital Forensics Case Leads is a (mostly) weekly publication of the week’s news and events relating to digital forensics. If you have an item you’d like to share, please send it to

Digital Forensics Case Leads for 20120525 was compiled by Ray Strubinger. Ray regularly leads digital forensics and incident response efforts and when the incidents permit, he is involved in aspects of information security ranging from Data Loss Prevention to Risk Analysis.

Investigators: How to Write a Report and Store Digital Evidence

A wise investigator assumes an attitude of professional skepticism.  She recognizes that any piece of evidence may not be what it seems to be, and that it might in the future be interpreted differently or be refuted by other evidence.

Consider, for example, one of the most famous and thorough investigations in American history.  The official investigation of the 1970 shooting of Kent State students by National Guardsmen concluded that a certain Terry Norman (a paid FBI informant) played no role in the shooting.   However, forty years later a previously unknown tape recording of the events surfaced, and a forensic analysis of the recording shows that someone fired a .38-caliber pistol four times shortly before the guardsmen opened fire.   Norman was known to have brandished such a pistol at that place and time.   It appears that Norman fired shortly before the guardsmen fired.  So the official investigation appears to have been wrong, on account of compelling evidence that emerged four decades after the fact.

In many cases, a professional investigator needs to remember that her investigative work and report will not and should not be the final word on a matter.   The investigator’s job is to collect and analyze evidence, recognizing that rarely will the investigator possess all of the possible evidence.  Someone else will be the final judge and jury.

As an educational exercise, I have developed a prototype, online investigation report and evidence container.   Part check-list, part demonstration, this prototype could be useful for many kinds of non-criminal investigations.   Using the Zoho online notebook application, I created the prototype as a teaching tool for my SANS course on the law of investigations.

The prototype report gives instructions on the skeptical attitude the investigator should adopt.   It reminds the investigator to evaluate any biases or conflicts of interest she may possess.   It includes an optional banner for protecting attorney-client confidentiality and attorney work product.  It provides the investigator a means for storing embedded evidence (written text, plus audio, video or other files) and for affirming that the stored evidence accurately reflects what the investigator collected.

An interactive, published report from the prototype appears here:

Obviously many investigators who might want to use a report like this in Zoho would not want to publish the report openly for all to see.   Zoho allows the report to be shared (read-only or read/write) selectively, with people possessing the right credentials.

In the prototype, I signed the report with a webcam electronic signature.

I secured the stored evidence, and associated it with my webcam signature, using the log-on ID and password to my Zoho account.   Further, Zoho allows me to secure my account (and prevent tampering with the report) by limiting which IP addresses can access it and by providing me a report on which IP addresses accessed it at which time.  Zoho keeps a detailed history of revisions, which could be helpful if a question arose about whether someone tampered with the report after it was finalized.

Zoho allows the people with whom I selectively share a report to make their own, independent copies of it.  These independent copies could deter me from making undetected changes to my report after I finalize it.
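The revision history and the independent copies described above are both ways of making later changes detectable. The same idea can be applied to the stored evidence itself with a hash manifest. What follows is an added example in Python; it is not part of Mr. Wright's prototype and not Zoho functionality. Each evidence item is hashed, the item table is itself hashed, and anyone holding a copy of the manifest can re-check a later copy of the evidence. The file names, contents, investigator name and timestamp are constructed for illustration.

```python
"""Tamper-evident evidence manifest: hash every stored item, hash the item
table, and let any holder of an independent copy re-verify both later."""
import hashlib
import json
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(items: Dict[str, bytes], investigator: str, finalized_at: str) -> dict:
    """Record a SHA-256 digest and size for each evidence item, then a digest
    over the canonical (sorted, compact JSON) item table so the manifest itself
    is fixed once the investigator finalizes it."""
    entries = {
        name: {"sha256": sha256_hex(blob), "size": len(blob)}
        for name, blob in sorted(items.items())
    }
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return {
        "investigator": investigator,
        "finalized_at": finalized_at,
        "items": entries,
        "manifest_sha256": sha256_hex(canonical),
    }


def verify_manifest(manifest: dict, items: Dict[str, bytes]) -> dict:
    """Re-derive every digest from the evidence as it exists now and report
    exactly what differs. The holder of an independent copy of the manifest
    can run this against any later copy of the evidence."""
    entries = manifest["items"]
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    report = {
        "manifest_intact": sha256_hex(canonical) == manifest["manifest_sha256"],
        "changed": [],
        "missing": [],
        "added": sorted(set(items) - set(entries)),
    }
    for name, expected in entries.items():
        if name not in items:
            report["missing"].append(name)
        elif sha256_hex(items[name]) != expected["sha256"]:
            report["changed"].append(name)
    return report


# Constructed sample evidence (not real case data).
EVIDENCE = {
    "interview_notes.txt": b"Subject stated the laptop was never left unattended.\n",
    "photo_desk.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9",
    "clip_hallway.wav": b"RIFF" + b"\x00" * 128,
}

# Constructed investigator name and finalization time.
MANIFEST = build_manifest(EVIDENCE, investigator="B. Wright", finalized_at="2010-06-01T16:20:00Z")


def tampering_demo() -> dict:
    """Show that a one-word change in an item, or a quiet edit to the manifest's
    own item table, is detected against the finalized manifest."""
    altered = dict(EVIDENCE)
    altered["interview_notes.txt"] = b"Subject stated the laptop was often left unattended.\n"
    item_report = verify_manifest(MANIFEST, altered)

    doctored = json.loads(json.dumps(MANIFEST))  # deep copy of the manifest
    doctored["items"]["photo_desk.jpg"]["size"] = 1  # silent edit to the record
    manifest_report = verify_manifest(doctored, EVIDENCE)
    return {"item_report": item_report, "manifest_report": manifest_report}


if __name__ == "__main__":
    print(json.dumps(verify_manifest(MANIFEST, EVIDENCE), indent=2))
    print(json.dumps(tampering_demo(), indent=2))
```

Hand the manifest, or at least its manifest_sha256 value, to the people who receive independent copies of the report; a later change to any item, or to the manifest's item table, then shows up when they run verify_manifest. Hashing alone does not prove who produced the manifest, so in practice the finalized manifest would also be signed or kept in the access-controlled, revision-tracked record the post describes.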

I am interested in feedback.  What do you think?  If anyone would like to help me make an iPad, iPhone or Android app like this, please let me know!

–Benjamin Wright
Mr. Wright teaches the law of investigations at the SANS Institute.

Quick Look – Cellebrite UFED Using Extract Phone Data & File System Dump

It is not the intent of this blog post to be an all-encompassing guide to the forensic analysis of an iPhone. Rather, it is a look at some of the tools I use in my practice and how they can be applied to iPhone forensic analysis. That being said, let's get to it.

Why would you use the Cellebrite File System Dump instead of the traditional Extract Phone Data?

If the subject of your forensic analysis is information about the telephone itself, such as call logs, phone book, SMS, pictures, video and audio/music, then you will find what you need using the standard Cellebrite processing found under “Extract Phone Data”. However, if you want to do a deep dive into the file structure, Internet usage or the applications being used on the device, and perhaps run some of your “favorite forensic tools” against it, I highly recommend complementing your traditional Extract Phone Data analysis by also doing the File System Dump.

For the purposes of my testing for this blog post I am performing a forensic analysis on a 16 GB iPhone 3G Version 4.02.

Let me begin by noting that I am running a Cellebrite UFED with the Physical Analysis Option.

Version information is as follows

UFED Software Versions:


Full: UF


Reporter Version 1.8.280710

Physical Analyzer version

The UFED Physical currently supports 2455 different phones for standard processing and 1462 for physical processing. See highlights on the most current release below (Figure 1).

Current Release

Figure 1

The previous version of the Cellebrite Report Manager was somewhat limited for use in my practice, as it only ran in a Windows XP environment and my lab is predominantly Windows 7 x64 based. The new/current version 1.8.2 will now operate on a Windows 7 x64 machine. Further, Cellebrite has recently released its Physical Analyzer software, which works on Windows 7 x64 for both physical dump files and file system dump files.

Using The Cellebrite UFED “Extract Phone Data” Option

The Main Menu of the Cellebrite UFED offers several choices for collecting evidence from a mobile device:

  • Extract Phone Data
  • Extract SIM/USIM Data
  • Clone SIM ID
  • Physical Dump
  • File System Dump
  • Extract Passwords

For the initial part of my testing I wanted to see just what was available with the standard “Extract Phone Data” option.

Extract Phone Data -> Apple ->

Several options are available for Apple products:

  • iPad
  • iTouch
  • iPhone 2G/3G/3GS
  • iPhone 4

I chose the selection for the “iPhone 2G/3G/3GS”

Target selections include:

  • USB Flash Drive
  • SD Card
  • PC

I chose the “USB Flash Drive” option with a 16 GB FAT32-formatted USB drive.

Options for Extraction are:

  • Call Logs
  • Phone Book
  • SMS
  • Pictures
  • Videos
  • Audio/Music

I selected all available options except audio for my test run, and extraction was completed in around 8 minutes. I moved the USB stick over to a forensics workstation running the Cellebrite Report Manager, copied it to a sanitized case drive and then opened the analysis file.

The file opened quickly and presented the following initial display in the Report Manager GUI. Phone Exam Properties (Figure 2) are provided in a tabular format and include the typical cell-phone-specific details that I would expect from a mobile phone forensics product. On the left side bar of the page is an icon-driven menu that also shows totals for what was collected and/or is available from the collection:

  • Contacts (2951)
  • SMS (2521)
  • Calendar (0)
  • Call Log (100)
  • Images (7)
  • Audio (0)
  • Video (0)
  • Ringtone (0)

Figure 2

Selecting the contacts icon brings up the contacts display (Figure 3); all available fields are shown in the Report Manager's “spreadsheet-like” GUI. Clicking any column header re-sorts the listed information in ascending or descending order of that column, which can be very handy on a phone with many contacts.

Figure 3

The SMS message page is selected by clicking the SMS icon and is displayed in tabular format, with details of each selected SMS message shown in a view at the bottom of the page (Figure 4). Note that the time stamps for each message are provided. As with other tabular pages in the Cellebrite Report Manager software, clicking any column header in the SMS display re-sorts the listed information in ascending or descending order of that column.

Figure 4

Viewing call information in the Cellebrite Report Manager is as simple as clicking the Call Log icon in the menu area. All 100 of the last calls made or received on the iPhone are displayed in tabular format and include, as expected, the call type (incoming/outgoing), phone number, time/date and duration of each call (Figure 5). Note: on an iPhone, if a given number exists in the phone book, the contact name is also displayed in the call log details. As with other tabular pages in the Cellebrite Report Manager software, clicking any column header in the Call Log display re-sorts the listed information in ascending or descending order of that column.

Figure 5

The Image page is selected by clicking on the Images icon in the menu area. Images may include any image on the phone, such as thumbnails from the SMS message display and the larger copy of each image stored on the iPhone (the one shown when the smaller picture is tapped in the SMS display on the phone). Other images, such as those taken with the iPhone's internal camera, are also extracted and made available in the images display; however, the Reporter software does not differentiate between them. Images are presented in a list view, but you can choose an icon or detailed view from the toolbar (Figure 6). To view an image you click on the image name or icon, and a Windows Photo Viewer window is opened to display it. It is important to note that images that were deleted on the iPhone are not recovered and made available in this extraction. EXIF information is made available by right-clicking on the image while it is being viewed in the Windows Photo Viewer.

Care should be taken in viewing and interpreting the EXIF data in the Windows Photo Viewer (Figure 7). In the Properties window, Origin – Date Taken represents the time and date the photo was taken. The data under “File”, by contrast, describes the copy on the viewing workstation, not the iPhone: the path is the path on the workstation, and the file time stamps represent when the file was created or accessed during the extraction process, not the time the photo was taken.

Figure 6

Figure 7
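To make the distinction in the last two paragraphs concrete, here is an added example in Python (not code from the post, from Cellebrite or from Microsoft) that reads DateTimeOriginal directly out of the EXIF segment of a JPEG and sets it beside the file system modification time of the copy on the workstation. The image is constructed inside the script with a hand-built APP1/Exif segment so the example runs offline; the capture date in it is made up.

```python
"""Read EXIF DateTimeOriginal from the JPEG bytes and compare it with the
file system timestamp the copy acquired when it was extracted."""
import datetime as dt
import os
import struct
import tempfile
from typing import Optional

TAG_EXIF_IFD_POINTER = 0x8769   # IFD0 entry that points at the Exif sub-IFD
TAG_DATETIME_ORIGINAL = 0x9003  # "Date Taken" in the Exif sub-IFD
TYPE_ASCII, TYPE_LONG = 2, 4


def build_exif_jpeg(date_taken: str) -> bytes:
    """Constructed test image: SOI, one APP1/Exif segment, EOI (no scan data)."""
    value = date_taken.encode("ascii") + b"\x00"           # EXIF ASCII, NUL-terminated
    assert len(value) == 20, "EXIF date format is 'YYYY:MM:DD HH:MM:SS'"
    ifd0_off = 8                                             # directly after TIFF header
    exif_ifd_off = ifd0_off + 2 + 12 + 4                    # count + one entry + next-IFD ptr
    value_off = exif_ifd_off + 2 + 12 + 4
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)        # little-endian TIFF header
    tiff += struct.pack("<H", 1)                             # IFD0: one entry
    tiff += struct.pack("<HHII", TAG_EXIF_IFD_POINTER, TYPE_LONG, 1, exif_ifd_off)
    tiff += struct.pack("<I", 0)                             # no next IFD
    tiff += struct.pack("<H", 1)                             # Exif IFD: one entry
    tiff += struct.pack("<HHII", TAG_DATETIME_ORIGINAL, TYPE_ASCII, len(value), value_off)
    tiff += struct.pack("<I", 0)
    tiff += value
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _ifd_entry(tiff: bytes, endian: str, ifd_off: int, wanted: int):
    """Return the value of tag `wanted` in the IFD at ifd_off, or None."""
    (count,) = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        tag, typ, n, val = struct.unpack(endian + "HHII", tiff[e:e + 12])
        if tag != wanted:
            continue
        if typ == TYPE_LONG:
            return val
        if typ == TYPE_ASCII:                                # inline if it fits in 4 bytes
            return tiff[e + 8:e + 8 + n] if n <= 4 else tiff[val:val + n]
    return None


def exif_datetime_original(jpeg: bytes) -> Optional[str]:
    """Walk the JPEG segment chain to APP1, then IFD0 -> Exif IFD -> 0x9003."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, seg_len = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFDA:                                 # start of scan: metadata is over
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + seg_len]
            endian = "<" if tiff[:2] == b"II" else ">"
            (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
            exif_off = _ifd_entry(tiff, endian, ifd0_off, TAG_EXIF_IFD_POINTER)
            if exif_off is None:
                return None
            raw = _ifd_entry(tiff, endian, exif_off, TAG_DATETIME_ORIGINAL)
            return raw.rstrip(b"\x00").decode("ascii") if raw else None
        pos += 2 + seg_len
    return None


def compare_timestamps(path: str) -> dict:
    """EXIF Date Taken comes from the camera clock (no time zone is recorded);
    the file's mtime comes from the copy made during extraction."""
    with open(path, "rb") as fh:
        exif = exif_datetime_original(fh.read())
    taken = dt.datetime.strptime(exif, "%Y:%m:%d %H:%M:%S") if exif else None
    mtime = dt.datetime.fromtimestamp(os.stat(path).st_mtime)
    return {
        "exif_date_taken": taken.isoformat() if taken else None,
        "fs_mtime": mtime.isoformat(timespec="seconds"),
        "fs_time_reflects_capture": taken is not None and abs((mtime - taken).total_seconds()) < 60,
    }


def demo() -> dict:
    """Write the constructed image to disk (so its mtime is 'now', as after an
    extraction copy) and compare the two clocks."""
    with tempfile.NamedTemporaryFile(suffix=".jpg", delete=False) as fh:
        fh.write(build_exif_jpeg("2010:07:04 14:31:09"))   # made-up capture time
        path = fh.name
    try:
        return compare_timestamps(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

On a real extraction the fs_mtime of every image will cluster around the time the copy was made, while exif_date_taken spreads across the life of the phone; a report should cite the EXIF value (with the caveat that it carries no time zone and depends on the phone's clock) and never the workstation's file times.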

Taking A Deeper Dive – Using The Cellebrite File System Dump Option

With today’s more powerful mobile devices such as the Apple iPhone 3G, collecting only the traditional “phone” data is simply not enough; you need to do a deeper dive to perform a thorough forensic analysis.

Returning to the Main Menu of the Cellebrite UFED (the same six extraction options listed above):

For the purposes of this test run I chose to create a “File System Dump” rather than just the traditional “Extract Phone Data”.

On the UFED menu

File System Dump -> Apple ->

Several choices for Apple supported mobile devices include:

  • iPad
  • iPod Touch
  • iPhone 2G/3G/3GS
  • iPhone 4
  • iPod Nano 5G

I chose the selection for the “iPhone 2G/3G/3GS”

Target selections include:

  • USB Flash Drive
  • SD Card
  • PC

I chose the “USB Flash Drive” option with a 16 GB FAT32-formatted USB drive.

The iPhone contained a large number of songs, a few videos, photos and 11 different applications, roughly 13.1 GB of data. The extraction took a little more than 14 hours to complete and wrote 12.4 GB to the USB stick.

Figure 8

I copied the folder from the USB stick to a forensics workstation and then selected the respective UFED dump file (Figure 8). This automatically opened the archived files within the UFED Physical Analyzer (Figure 9) on my Windows 7 x64 server.

Figure 9

Drilling down into the information available within the Physical Analyzer software opens a “treasure trove” of potentially valuable evidence not found with the traditional “Extract Phone Data” option on the Cellebrite UFED. By selecting the available hex data and drilling down into the application folders, I was able to find not only the application user names and passwords for several applications but also the user's Skype chat conversations stored on the iPhone, information simply not available using the traditional “Extract Phone Data” option.

The Cellebrite Physical Analyzer Itself Is Good But Other Tools Can Enhance Your Analysis

While examining the data in hex format within the Cellebrite Physical Analyzer software is interesting, and some would perhaps believe it to be “enough”, I prefer the automation provided by tools like those found in the SANS SIFT Workstation to present the evidence in a more “forensicator friendly” manner.

Create A File Set For Analysis

From within the Cellebrite Physical Analyzer software Toolbar I chose to copy the extracted data out of the Physical Analyzer to a folder on my forensic server:

Tools -> Dump Filesystem

This created a folder set in the original iPhone hierarchy and enabled me to copy it onto a USB stick for further analysis.

Some Analysis Using The SANS SIFT Workstation With The Cellebrite Physical Analyzer

Knowing that I had found Skype-related data when viewing the files in the hex display of the Physical Analyzer, I decided to use the tool included in the SANS SIFT Workstation called “Skype Log Parser”.  Starting up SIFT and connecting the USB stick with the folders copied from the Cellebrite Physical Analyzer allowed me to quickly run the Skype Log Parser against the collected data, which produced a clean representation of the available data in a much easier to read format than simply viewing it in hex. Here is just a sample of the evidence found using the SIFT Workstation and Skype Log Parser (Figure 10 – 13) when run against the files exported from the Physical Analyzer, which in turn came from the UFED in File System Dump mode.

Figure 10

Figure 11

Figure 12

Figure 13

Finding that the tools within the SIFT Workstation could use the data extracted from the iPhone by Cellebrite was encouraging, so I decided to try another tool available on my forensics server, “NetAnalysis”, against the collected data to see whether the iPhone's Safari browser history was present in the data structures collected by the Cellebrite UFED and could be processed by NetAnalysis. As expected, the NetAnalysis software was able to collect the browser history from the Cellebrite-extracted data structures of the iPhone Safari browser (Figure 14).

Figure 14

Taking It Up A Notch – Using FTK 3.1 To Analyze The File Dump From The UFED – Physical Analyzer Export.

I prefer to create an AD1 image of large amounts of data that will be part of a case in FTK 3.1 rather than simply add the individual files or folders directly into an FTK case.  To create the AD1 image you simply use FTK Imager (Figure 15):

File -> Create Image -> Contents of a folder -> enter source path -> Finish

Add -> complete case information form -> Image destination -> Image name

Figure 15

With the AD1 image available you can now start FTK 3.1, create a new case, add the AD1 file you just created to the new case (Figure 16) and configure your evidence refinement options (Figure 17). These are not necessarily the optimum refinement options for an iPhone; they were selected simply to process this example for this blog post.

Figure 16

Figure 17

The small AD1 file is processed in minutes by FTK 3.1, and you are quickly presented with the FTK Explorer and evidence tree showing the complete file structure collected from the iPhone by the Cellebrite UFED File System Dump (Figure 18). FTK 3.1 provides the ability to view plist files and some SQLite files, and the index search is available to search the image for your selected keywords.

Figure 18

Under the Overview tab, select the plist extension to see the power of analysis using FTK on the UFED-extracted iPhone file dump. The total number of plist files found on this iPhone is 176, and they contain a wealth of potential forensic evidence.  Drilling down to the file named Bookmarks.plist, we find that it contains potentially valuable data associated with the iPhone map application: complete data on a specific location saved as a bookmark in the map application (Figure 19). Other potentially valuable plist files include the user's speed dial list (Figure 20), the network identification plist (Figure 21), which contains valuable historical network connection details, and several browser cookie plist files that reveal browser history details even if the user deleted the browser history, just to name a few.

Figure 19

Figure 20

Figure 21

Figure 22

Other great potential forensic evidence can quickly be viewed using FTK and an external program such as SQLiteSpy to view the data contained within the many iPhone SQLite databases. Simply right-click on the SQLite db file in the FTK tree view and select “view with external program -> SQLiteSpy” (Figure 23). Here we have all of the notes the user of the iPhone stored with the Apple Notes application on the iPhone.

Figure 23

Another detail missing from Extract Phone Data is that it simply did not collect the calendar data from the iPhone. The File System Dump, however, does capture the SQLite database associated with the user's calendar application. Right-click on the CalendarSqlite.db and select “view with external program -> SQLiteSpy” to view the database table containing the user's calendar data (Figure 24).

Figure 24
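As an added example, and not code from the post, from FTK or from SQLiteSpy, the following Python does for plist and SQLite files what the two viewers above do by hand: it flattens a binary plist into searchable key paths and queries a calendar-style table, converting the stored timestamps to UTC. The plist contents and the calendar table (name, columns and rows) are constructed stand-ins, not Apple's real schema; the one real detail relied on is that iOS CoreData-backed databases store dates as seconds since 2001-01-01 00:00:00 UTC, so reading them as Unix time puts every event 31 years in the past.

```python
"""Pull structured artifacts out of iPhone-style plist and SQLite files:
flatten a binary plist to key paths, and query a calendar-style table while
converting Apple absolute time (seconds since 2001-01-01 UTC) to readable UTC."""
import datetime as dt
import plistlib
import sqlite3
from typing import Any, Dict, List

APPLE_EPOCH = dt.datetime(2001, 1, 1, tzinfo=dt.timezone.utc)


def apple_time_to_utc(seconds: float) -> dt.datetime:
    """NSDate/CoreData values count seconds from 2001-01-01 00:00:00 UTC, not
    from the Unix epoch; convert before putting them on a timeline."""
    return APPLE_EPOCH + dt.timedelta(seconds=seconds)


def flatten_plist(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Walk nested dicts/lists and return 'path -> leaf value' so every field
    in a plist can be keyword-searched or tabulated."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten_plist(v, f"{prefix}/{k}" if prefix else str(k)))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten_plist(v, f"{prefix}/{i}"))
    else:
        out[prefix] = obj
    return out


# Constructed stand-in for a Maps bookmark plist (keys are illustrative, not
# Apple's real schema), serialized as a binary plist like the files on the phone.
SAMPLE_BOOKMARKS_PLIST = plistlib.dumps(
    {"Bookmarks": [
        {"Name": "Warehouse", "Latitude": 40.7128, "Longitude": -74.0060,
         "Address": "1 Example St"},
    ]},
    fmt=plistlib.FMT_BINARY,
)


def bookmark_fields(raw: bytes) -> Dict[str, Any]:
    """Parse a binary or XML plist and flatten it."""
    return flatten_plist(plistlib.loads(raw))


def build_sample_calendar_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the phone's calendar database. The
    table and column names are illustrative; the timestamp encoding is Apple's."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Event (ROWID INTEGER PRIMARY KEY, summary TEXT, "
                "start_date REAL, end_date REAL)")
    con.executemany(
        "INSERT INTO Event (summary, start_date, end_date) VALUES (?, ?, ?)",
        [("Meet courier", 300000000.0, 300003600.0),   # constructed rows
         ("Flight", 300086400.0, 300097200.0)],
    )
    return con


def extract_events(con: sqlite3.Connection) -> List[Dict[str, Any]]:
    """Query the table directly rather than reading it from a hex view, and
    normalize the timestamps so they can sit on one timeline with other artifacts."""
    rows = con.execute("SELECT ROWID, summary, start_date, end_date FROM Event ORDER BY start_date")
    return [
        {"rowid": r[0], "summary": r[1],
         "start_utc": apple_time_to_utc(r[2]).isoformat(),
         "end_utc": apple_time_to_utc(r[3]).isoformat()}
        for r in rows
    ]


if __name__ == "__main__":
    for path, value in bookmark_fields(SAMPLE_BOOKMARKS_PLIST).items():
        print(f"{path} = {value!r}")
    for event in extract_events(build_sample_calendar_db()):
        print(event)
```

When running this against a real export, open the database copy read-only and keep any -wal or -journal file beside it, since rows that exist only in the write-ahead log are otherwise invisible to the query.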

In conclusion: clearly the File System Dump option for the Cellebrite UFED Physical provides a wealth of potential forensic evidence for an Apple iPhone. The traditional Extract Phone Data option is significantly faster, but it cannot be regarded as a thorough analysis of an Apple iPhone because of the other forensic data the device may contain. The Cellebrite Report Manager is great for a traditional phone analysis, and the Cellebrite Physical Analyzer software provides the capability to analyze the File System Dump created with the UFED Physical for a deeper dive into the data contained on an iPhone. While the Physical Analyzer software is good, with its hex display, filtering and search capability, the file structure it exports is also usable by other forensic tools: those within the SANS SIFT Workstation, such as the Skype Log Parser; the well-known and powerful stand-alone browser analysis tool from Digital Detective, NetAnalysis; and the powerful AccessData FTK 3.1 analysis software with its point-and-click bookmarking and reporting capability, along with additional tools like SQLiteSpy to further expand its capability.