Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year

The SANS DFIR Summit and Training 2018 is turning 11! The 2018 event marks 11 years since SANS started what is today the digital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS DFIR courses. You can also earn CPE credits and get the opportunity to win coveted DFIR course coins!


To commemorate the 11th annual DFIR Summit and Training 2018, here are 11 reasons why you should NOT miss the Summit this year:

1.     Save money! There are two ways to save on your DFIR Summit & Training registration (offers cannot be combined):

·       Register for a DFIR course by May 7 and get 50% off a Summit seat (discount automatically applied at registration), or

·       Pay by April 19 and save $400 on any 4-day or 6-day course, or up to $200 off of the Summit. Enter code “EarlyBird18” when registering.

2.     Check out our jam-packed DFIR Summit agenda!

·       The two-day Summit will kick off with a keynote presentation by Kim Zetter, an award-winning journalist who has provided the industry with the most in-depth and important investigative reporting on information security topics. Her research on such topical issues as Stuxnet and election security has brought critical technical issues to the public in a way that clearly shows why we must continue to push the security industry forward.

·       The Summit agenda will also include a presentation about the Shadow Brokers, the group that allegedly leaked National Security Agency cyber tools, leading to some of the most significant cybersecurity incidents of 2017. Jake Williams and Matt Suiche, who were among those targeted by the Shadow Brokers, will cover the history of the group and the implications of its actions.

·       All DFIR Summit speakers are industry experts who practice digital forensics, incident response, and threat hunting in their daily jobs. The Summit Advisory Board handpicked these professionals to provide you with highly technical presentations that will give you a brand-new perspective of how the industry is evolving to fight against even the toughest of adversaries. But don’t take our word for it: for a sneak peek, check out some of the past DFIR Summit talks.


Immerse yourself in six days of the best in SANS DFIR training. Here are the courses you can choose from:

·       FOR500 – Advanced Windows Forensics

·       FOR585 – Advanced Smartphone Forensics

·       FOR610 – Reverse-Engineering Malware

·       FOR508 – Digital Forensics, Incident Response & Threat Hunting

·       FOR572 – Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

·       FOR578 – Cyber Threat Intelligence

·       FOR526 – Memory Forensics In-Depth

·       FOR518 – Mac and iOS Forensic Analysis and Incident Response

·       MGT517 – Managing Security Operations: Detection, Response, and Intelligence

3.    All courses will be taught by SANS’s best DFIR instructors. Stay tuned for more information on the courses we’re offering at the conference in a future article post.

4.     Rub elbows and network with DFIR pros at evening events, including networking gatherings and receptions. On the first night of the Summit, we’re going to gather at one of Austin’s newest entertainment venues, SPiN, a ping pong restaurant and bar featuring 14 ping pong tables, lounges, great food, and drinks. Give your overloaded brain a break after class and join us at our SANS Community Night, Monday, June 9 at Speakeasy. We will have plenty of snacks and drinks to give you the opportunity to network with fellow students.

5.     Staying to take a DFIR course after the two-day Summit? Attend SANS@Night talks guaranteed to enrich your DFIR training experience with us. Want to know about threat detection on the cheap and other topics? As for cheap (and in this case, that doesn’t mean weak), there are actions you can take now to make threat detection more effective without breaking the bank. Attend this SANS@Night talk on Sunday evening to learn some baselines you should be measuring against and how to gain visibility into high-value actionable events that occur on your systems and networks.

6.     Celebrate this year’s Ken Johnson Scholarship Recipient, who will be announced at the Summit. This scholarship was created by the SANS Institute and KPMG LLP in honor of Ken Johnson, who passed away in 2016. Early in Ken’s digital forensics career, he submitted to a Call for Presentations and was accepted to present his findings at the 2012 SANS DFIR Summit. His networking at the Summit led to his job with KPMG.

7.     Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars – Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave Austin with a motherlode of DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the six DFIR Domains: Windows Forensics & Incident Response, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, and Malware Analysis. Take your pick or win them all!


8.     Enjoy updated DFIR NetWars levels with new challenges. See them first at the Summit! But not to worry, you will have the opportunity to train before the tournament. You’ll have access to a lot of updated posters that can serve as cheat sheets to help you conquer the new challenges, as well as the famous SIFT WorkStation that will arm you with the most powerful DFIR open-source tools available. You could also choose to do an hour of crash training on how to use some of our Summit sponsors’ tools prior to the tournament. That should help give you an edge, right? That new DFIR NetWars coin is as good as won!

9. The Forensic 4:cast Awards winners will be announced at the Summit. Help us celebrate the achievements of digital forensic investigators around the world deemed worthy of the award by their peers. There is still time to cast your vote. (You may only submit one set of votes; any additional voting will be discounted.) Voting will close at the end of the day on May 25, 2018.

10.  Come see the latest in tools offered by DFIR solution providers. Summit sponsors and exhibitors will showcase everything from managed services covering advanced threat detection, proactive threat hunting, and accredited incident response to tools that deliver rapid threat detection at scale, and reports that provide insights for identifying potential threats before they cause damage.

11.  Last but not least, who doesn’t want to go to Austin?!? When you think Austin, you think BBQ, right? This city isn’t just BBQ, Austin has amazing food everywhere and there’s no place like it when it comes to having a great time. The nightlife and music include the famous 6th Street – which, by the way, is just walking distance from the Summit venue. There are many other landmarks such as Red River, the Warehouse District, Downtown, and the Market District. You will find entertainment of all kinds no matter what you’re up for. Nothing wrong with some well-deserved play after days full of DFIR training, lectures, and networking!

As you can see, this is an event you do not want to miss! The SANS DFIR Summit and Training 2018 will be held at the Hilton Austin. The event features two days of in-depth digital forensics and incident response talks, nine SANS DFIR courses, two nights of DFIR NetWars, evening events, and SANS@Night talks.

The Summit will be held on June 7-8, and the training courses run from June 9-14.

We hope to see you there!



Call for Presentations Now Open!


Submit your proposal here:
Deadline: January 16th at 5pm CT


The 10th Annual Digital Forensics and Incident Response Summit Call for Presentations is open through 5 pm EST on Monday, January 16, 2017. If you are interested in presenting or participating on a panel, we’d be delighted to consider your practitioner-based case studies with communicable lessons.

The DFIR Summit offers speakers the opportunity for exposure and recognition as industry leaders. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

Check out some of the DFIR Summit 2016 talks:


We are looking for Digital Forensics and Incident Response Presentations that focus on:

  • DFIR and Media Exploitation case studies that solve a unique problem
  • New Forensic or analysis tools and techniques
  • Discussions of new artifacts related to smartphones, Windows, and Mac platforms
  • Focusing on improving the status quo of the DFIR industry by sharing novel approaches
  • Challenges to existing assumptions and methodologies that might change the industry
  • New, fast forensic techniques that can extract and analyze data rapidly
  • Focus on Enterprise or scalable forensics that can analyze hundreds of systems instead of one at a time


When Cases Involve SSNs and Credit Card Data: “Sensitive Data Search and Baseline” Python Script

A key component of any investigation is the type of data exfiltrated. If sensitive data is on a compromised machine, risk is increased significantly. Also, there is a patchwork of legislation covering the various types of data considered sensitive. In general, social security and credit card numbers are at the top of the concern list. Since many states have encryption exemptions, a forensicator needs to know: does any storage media in the case hold sensitive data in the clear?

Data can be encrypted by system administrators/DBAs or by attackers. Attackers usually encrypt data as part of the staging process prior to data exfiltration. Attackers commonly password-protect and compress the data as a .rar file. With strong passwords (32+ character pass-phrases), .rar files can be difficult to almost impossible to open with normal computing power.

Using a cross platform scripting language, Python, a colleague and I created a script to search a mounted drive for clear text social security numbers and credit card data then output it to a file. Future versions will implement not only searching ASCII but hex data too, searching for date of birth, code re-usability (object oriented), and e-mail notification options. Files can be downloaded from here.

The tool can be easily used as a “sensitive data baseline” prior to a machine going into production as a quick check.
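The Python below is an added example, not the script this post describes: it searches files under a mount point for clear-text SSN and payment card candidates, validates them (SSA structural rules, Luhn checksum) to cut false positives, and masks each hit so the report does not duplicate the sensitive data. All function names and the sample values are constructed for illustration.

```python
import mmap
import os
import re

# Candidate patterns over raw bytes, so text and binary files are handled alike.
# The lookarounds stop a match from starting or ending inside a longer digit run.
SSN_RE = re.compile(rb"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
CARD_RE = re.compile(rb"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")  # 13 to 19 digits


def ssn_plausible(area, group, serial):
    """SSA structural rules: areas 000, 666, 9xx, group 00 and serial 0000 are never issued."""
    if area in ("000", "666") or area[0] == "9":
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits of a hit."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_bytes(data):
    """Return (kind, masked_value, offset) for every validated hit in a bytes-like object."""
    hits = []
    for m in SSN_RE.finditer(data):
        area, group, serial = (g.decode("ascii") for g in m.groups())
        if ssn_plausible(area, group, serial):
            hits.append(("ssn", mask(area + group + serial), m.start()))
    for m in CARD_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        # Reject runs of one repeated digit (all zeros passes Luhn) and checksum failures.
        if len(set(digits)) > 1 and luhn_ok(digits):
            hits.append(("card", mask(digits), m.start()))
    return sorted(hits, key=lambda h: h[2])


def scan_file(path):
    """Scan one file through a read-only memory map, so large files are not loaded whole."""
    with open(path, "rb") as fh:
        if os.fstat(fh.fileno()).st_size == 0:
            return []  # an empty file cannot be mapped
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return scan_bytes(mm)


def scan_tree(root):
    """Walk a mounted volume and return (path, kind, masked_value, offset) rows."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, devices and FIFOs
            try:
                for kind, value, offset in scan_file(path):
                    rows.append((path, kind, value, offset))
            except (OSError, ValueError):
                continue  # unreadable or unmappable file: skip it and keep walking
    return rows


if __name__ == "__main__":
    # Constructed sample data, not taken from any real case.
    sample = (b"name,ssn,card\n"
              b"A. Example,123-45-6789,4111 1111 1111 1111\n"
              b"B. Example,000-12-3456,4111111111111112\n")
    for hit in scan_bytes(sample):
        print(hit)
```

Run `scan_tree` against an evidence image mounted read-only; the byte offsets it reports let an examiner go back to the exact location in the original file.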

If you are interested in learning Python with a security nexus, SANS has an excellent course called Python for Penetration Testers.

Digital Forensics Case Leads: MBR Parser, VSC Toolset GUI, Memory Forensics Cheat Sheet & other goodness……

In this week’s SANS Case Leads, we have a Python script for parsing the Master Boot Record, a question of USB drive serial number uniqueness, some VSC goodness and some other stuff ;-)

If you have an item you’d like to contribute to Digital Forensics Case Leads, please send it to


  • Jamie Levy (@gleeda) posted a script that she wrote that parses the MBR in order to help find MBR infectors. Read Jamie’s Blog post. Grab the script here.
  • Jason Hale came up with a GUI front-end for Corey Harrell’s batch scripts used to rip/examine Volume Shadow Copies, called VSC Toolset
  • DEFT Linux 7.1 was released earlier this month. Read the announcement.

Good Reads:

  • Mike Ahrendt gave some insight into his experience with his Education in Digital Forensics
  • A new blog called Malware Analysis Blog has a tutorial on how to isolate your analysis VM from your host machine. Read about it here.
  • Interesting post on the digfor blog regarding the uniqueness of USB Flash drive serial numbers.
  • Harlan Carvey posted his thoughts on how specializing in sub-disciplines within Digital Forensics is not really such a good idea. Read the post titled Convergence.


  • Chad Tilbury (@chadtilbury) put together a Memory Forensics Cheat Sheet which focuses on the use of Volatility. Grab version 1.0 here.


Coming Events:

Call For Papers:

Joe Garcia is a Law Enforcement Officer with over 18 years of experience, the last 6 of which he has been assigned to conduct computer crime investigations and digital forensic examinations. He holds the GIAC GSEC Gold, GCIH & GCFA Silver and AccessData ACE certifications. You can follow Joe on Twitter at @jgarcia62

Digital Forensics Case Leads: Do SSD Drives Auto Destroy Forensic Evidence? Industrial Espionage, and Cloud Computing Forensics

Solid State Drive (SSD) forensics continues as the top story this week. Two university researchers published shocking research indicating that the firmware in SSDs can destroy forensic evidence as part of its everyday functionality. Details in MUST Reads (upgrading this week from “Good Reads”). Apple made big news with the launch of a new tablet (this week) and new laptop offerings (last week). We bring you news of forensic tools for the Mac. Plus, industrial espionage featuring Chinese spies paying American employees to steal intellectual property. And, do you have naked passwords?


  • MacQuisition 2.53, from BlackBag Technologies, is a forensic acquisition tool for legacy and new Mac hardware. The new version now supports Intel i5 and i7 processing architecture, enabling it to work with the latest Mac laptops and desktops. This update also offers dual boot options for working with new Intel-powered Macs as well as legacy PowerPC Macs. According to Drew Fahey, Director of Forensics at BlackBag Technology, “These enhancements offer Mac forensic professionals the most robust and flexible Mac imaging tool available today…” For more information about MacQuisition, such as an overview video or data sheet, visit  And, don’t miss an excellent BlackBag Technology blog posting on imaging MacBook Air laptops.
  • Open source forensic tool The Sleuth Kit, version 3.2.1,  was just released with some new features and a host of bug fixes.
  • UPDATE: Last month, your blogger reported on a new tool by called The Hiddn Crypto Adapter. This device can encrypt plain-Jane acquisition drives and adds FIPS-compliant two-factor authentication. The device was available for demo by your blogger at the RSA Conference 2011 in San Francisco. It’s small, easy-to-use, and worked well with a Win/Lin laptop your blogger was sporting that day at RSA. Spokesperson said it works with Mac OS X, too. Worth looking into.

MUST Reads:

  • With the explosive growth of Solid State Drives (SSDs) in computers, and other computing devices like tablets and netbooks, there is some shocking news from Graeme B. Bell and Richard Boddington, two researchers at Murdoch University in Perth, Australia. According to these researchers, SSDs “have the capacity to destroy evidence catastrophically under their own volition…” Their work is contained in a paper written for the Journal of Digital Forensics, Security, and the Law entitled, ‘Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Discovery?’ Takeaway: Forensic professionals must deploy new approaches to SSD forensics. The current approach could miss important data in event time-lines. Your blogger had off-the-record discussions with some in the community that may have some solutions. Watch this space for updates.
  • Ironically, SSDs may also have problems with legit data destruction. If you missed it last week, read more from this ‘Naked Security blog’ post, “SSD’s prove difficult to securely erase”. The full paper can be found here.
  • Brett Kingstone is the author of The Real War Against America, on industrial espionage featuring Chinese spies paying American employees to steal intellectual property. Brett Kingstone invented a new way to manufacture fiber optic cables. The designs were stolen by insiders bribed by Chinese competitors. Brett worked with the FBI to track down and prosecute the Chinese competitors, and won a $40 million civil judgment against them. The competitor transferred all their funds out of the reach of the Courts, and they were tipped off by their lawyers. You can hear an interview your blogger conducted with Brett Kingstone at CyberJungle Radio; the interview begins at about the 18:25 mark. This is an excellent segment to share with non-technical managers to help them understand the challenges of forensics and incident response.


  • London Stock Exchange, and Morgan Stanley: Added to the list of financial services companies breached by cyber criminals.  Don’t worry, they “Take security very seriously.”
  • New Hampshire local LE charge man for recording traffic stop using smart phone and voice mail
  • New Zeus account takeover attack targets users of mobile phone multi-factor authentication
  • Meanwhile, new proposed Fed Banking rules designed to fight Zeus and other account takeover attacks could result in a wave of forensic and ediscovery-rich litigation
  • RSA Conference San Francisco had a full house during a session with Aaron Turner on the legal and forensics issues with employee BYOD (Bring Your Own [mobile] Device). Aaron’s talk was jam-packed with forensic information. For example, he advised professionals to buy a fresh phone before leaving the US. Use that phone outside of the US. Before leaving the country you have traveled to, turn on the phone and flush it down the toilet. The water and the phone’s power will make data recovery very difficult. US Customs cannot inspect what they cannot get to. Read the full posting on this talk, and on the important topic of cloud computing forensics.


  • The whole idea of naked password is to encourage your users to enter stronger passwords.  Sally tastefully removes items of clothing as the password grows stronger.

Coming Events:

If you have an article to suggest for case leads please email it to

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator’s Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor.

Digital Forensics Case Leads: Industrial Controls Forensics, Cracking Crackberries, Mobile Forensics

While most technical and non-technical types focus on servers, desktops, and mobile phones/pads when thinking about security and forensics, an area of growing concern is industrial controls security. This was brought to light in the wake of the Stuxnet worm. The accusations continue to fly, via arm-chair forensics. Was it an attack on Iran? Or maybe an attack against India, since it seems Stuxnet may have knocked out a TV satellite. Security honcho Bruce Schneier says we may never know.

What is certain is a growing concern over industrial controls security. According to a San Francisco Chronicle story that ran on this week: “… Liam O Murchu, a researcher with the computer security firm Symantec, used a simple air pump connected to an industrial computer to pop a balloon. The computer’s program called for the pump to stop before the balloon burst.  But O Murchu had loaded the Stuxnet worm onto the machine, which let him order the pump to keep going. That, he says, shows what can happen when bad guys gain control of industrial systems: “Imagination is the limit.”

According to an industry expert, talking on background, there have been nearly a half dozen serious cyber events in the past decade related to industrial controls security. This expert talked about the seriousness of the threats to power supplies, water systems, energy delivery systems, and a myriad of other systems, with industrial control vulnerabilities. The expert expressed concerns about how many of these industrial controls were never designed with security in mind. Making matters worse, universities are not doing enough to teach security to the next generation of controls engineers to design more secure industrial controls.

The same shortage of expertise and skills may be developing in industrial controls forensics and incident response. In a related story (see News below) the National Security Agency and the Department of Defense are going to work with the Department of Homeland Security to provide information security expertise to private industry when under attack. We have already heard in other reports about the shortage the Feds have in finding enough information security personnel.  Are there enough trained forensics and incident response professionals to go around?


  • BlackJack Forensic Tool, by Crucial Security This item was mentioned previously on the blog, but now we have more details about the Crucial Security division of defense and communications contractor Harris Corporation’s new forensic tool called BlackJack. The SANS Forensic Blog interviewed a spokesperson from Crucial Security this week about this new forensic tool. The tool is designed to speed the extraction of forensic information, and has some interesting applications for covert infiltration – exfiltration.

    BlackJack consists of two components. One component is a USB thumb drive that is designed to quickly extract targeted data from Windows and Linux computers. The second component is windows-based software that allows an examiner to pre-program the USB drive for targeted data and file types.

    BlackJack Forensic Tool

    With the BlackJack system, all a non-skilled team member needs to do is get physical access to the target systems. Plug in the drive, and re-boot the system. If the system boots to the USB drive (more on that in a moment), BlackJack will scan for the target materials. If it finds the materials, a red light on the device indicates that the data was found, and a copy of it is moved to the USB drive. The data is then encrypted with a key located on the Windows software back in the lab. If the target does not have the data, a green indicator light displays. That last feature could help with multiple target systems, when there is uncertainty regarding which system contains the target information.

    One challenge : Getting the target system to boot to the USB drive. Unfortunately, there are many variations in PCs to get them to boot from a USB. It might take some time to actually get the system to boot from the USB, burning valuable time. This tool might work best in a situation where the examiners can discover the make and model of the target systems in advance. According to the Crucial Security spokesperson, BlackJack only works on Windows and Linux systems. It will not work on Mac, or mobile devices.

    I have arranged for a hands-on review of the BlackJack, and that review will post here, on the SANS Forensic Blog.

  • ElcomSoft Phone Password Breaker The RIM Blackberry handsets, when used with the Blackberry Enterprise Server, are known to have very strong security. The data on the device is encrypted with strong crypto, so forensic extractions are not very useful. But what Vladimir Katalov, President of ElcomSoft, has discovered is most interesting: if a user backs up their device data to a desktop PC, the security implementation by RIM is very poor. Using the ElcomSoft tool, it is possible to break the weak encryption and access the data that originated on the handheld device. Read all the details in this posting by Mr. Katalov.

Interesting Reads:

  • No such thing as cyberbullying – So says blogger Anil Dash, who argues that the word has been invented to help parents, school administrators, and the media duck responsibility for teaching kids civil behavior. Read his commentary here. Others have commented that there is a growing “cyberbully industry” of consultants that try to get grants and other funding due to the alarm bells sounding.
  • Peeing in a cup is so 1990s – When there’s a company that will crawl through social network to help your employer discover who you really are. Psychological profile, criminal tendencies, gratuitous use of slang popularized by drug culture, you name it. Pre-crime forensics? Read more here.
  • Fun finder or stalker tool? The website monitors social networking sites to help dudes locate gatherings of women.  But blogger Jason Stamper conducted an experiment that points out the dangers women might face when they publish all the details of their daily lives.


  • Incident response and forensics services, too? According to the “In a break with previous policy, the military now is prepared to provide cyber expertise to other government agencies and to certain private companies to counter attacks on their computer networks, the Pentagon’s cyber policy chief, Robert Butler, said Wednesday.” Read more here.
  • Free on bail – A contractor who did some work for Fannie Mae is looking at a maximum 10-year prison sentence after planting a logic bomb that would have brought down 5,000 servers had it not been discovered. Lessons about the importance of logs, segregation of duties, and keeping track of which employer is responsible for “passthrough” employees. Read more here.
  • Mobile Forensic Consultant’s Gold Mine – Explosive growth of mobile devices leads to security risks as workers use their own devices to store and transmit work data.
  • What did he know, and when did he know it? At least one IT staffer in the Lower Merion School District waxed fondly about the remote tracking capabilities on the laptops issued to students who later sued the district for spying on them. Last week, the school district settled with two families with children that went to the school. Settlement amount? $610,000. Um, exactly how expensive is good security governance, risk and compliance?


  • Creative forensics skills tricks golddigger to “fall” for own husband posing as rich guy –  And he found out where his golddigging wife was living, after she took off with their son. His scheme – posing on Facebook as someone she would find “attractive” (i.e. wealthy).  Father and son are reunited. How many forensic uses can one find by leveraging the information posted on social networking sites?

Coming Events:

Digital Forensics Case Leads for 20101021 was compiled by Ira Victor, G7799, GCFA, GPCI, GSEC, ISACA, CGEIT. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of The CyberJungle, the nation’s first live radio news talk show on security, privacy and the law, Saturdays 10a-12noon PT/ 1p-3p ET. Ira is President of Sierra-Nevada InfraGard, and a member of High Tech Crime International Association.

Quick Look – Cellebrite UFED Using Extract Phone Data & File System Dump

It is not the intent of this blog post to be an all-encompassing guide to the forensic analysis of an iPhone. Rather it is a look at some of the tools I use in my practice and how they can be applied to iPhone forensic analysis. That being said, let’s get to it.

Why would you use the Cellebrite File System Dump instead of the traditional Extract Phone Data ?

If the subject of your forensic analysis is collecting information regarding the telephone such as call logs, phone book, SMS, pictures, video and audio/music, then you will find what you need using the standard Cellebrite processing found under “Extract Phone Data”. However, if you want to do a deep dive into the file structure or Internet usage, or look deep into the applications that are being used on the device and perhaps run some of your “favorite forensic tools” against it, I highly recommend complementing your traditional Extract Phone Data analysis by also doing the File System Dump.

For the purposes of my testing for this blog post I am performing a forensic analysis on a 16 GB iPhone 3G Version 4.02.

Let me begin by noting that I am running a Cellebrite UFED with the Physical Analysis Option.

Version information is as follows

UFED Software Versions:


Full: UF


Reporter Version 1.8.280710

Physical Analyzer version

The UFED Physical currently supports 2455 different phones for standard processing and 1462 for physical processing. See highlights on the most current release below (Figure 1).

Current Release

Figure 1

The previous version of the Cellebrite Report Manager was somewhat limited for use in my practice as it only ran on a Windows XP environment and my lab is predominantly Windows 7 x64 based. The new/current version 1.8.2 will now operate on a Windows 7 x64 machine. Further Cellebrite has recently released their Physical Analyzer software that works on Windows 7 x64 for both physical dump files and file system dump files.

Using The Cellebrite UFED “Extract Phone Data” Option

The Main Menu of the Cellebrite UFED offers several choices for collecting evidence from a mobile device:

  • Extract Phone Data
  • Extract SIM/USIM Data
  • Clone SIM ID
  • Physical Dump
  • File System Dump
  • Extract Passwords

For the initial part of my testing I wanted to see just what was available with the standard “Extract Phone Data” option.

Extract Phone Data -> Apple ->

Several options are available for Apple products:

  • iPad
  • iTouch
  • iPhone 2G/3G/3GS
  • iPhone 4

I chose the selection for the “iPhone 2G/3G/3GS”

Target selections include:

  • USB Flash Drive
  • SD Card
  • PC

I chose the “USB Flash Drive“ for a 16 GB FAT 32 formatted USB drive

Options for Extraction are:

  • Call Logs
  • Phone Book
  • SMS
  • Pictures
  • Videos
  • Audio/Music

I selected all available options except audio for my test run and extraction was completed in around 8 minutes. I moved the USB stick over to a forensics workstation running the Cellebrite Report Manager, copied it to a sanitized case drive, and then opened the analysis file.

The file opened quickly and presented the following initial display in the Report Manager GUI. Phone Exam Properties (Figure 2) are provided in a tabular format and include the typical cell phone specific details that I would expect to be available with a mobile phone forensics product. On the left side bar of the page is an icon driven menu that also provides information (in total) on what was collected and or is available from the collection:

  • Contacts (2951)
  • SMS (2521)
  • Calendar (0)
  • Call Log (100)
  • Images (7)
  • Audio (0)
  • Video (0)
  • Ringtone (0)

Figure 2

Selecting the contacts icon brings up the contacts display (Figure 3); all available fields are displayed in the Report Manager “spreadsheet like” GUI. Selecting any column header will re-sort all of the listed information in either the ascending or descending order of the selected column. This can be very handy on a phone with many contacts.

Figure 3

The SMS message page is selected by clicking the SMS icon and is displayed in tabular format, with details of each selected SMS message shown in a view at the bottom of the page (Figure 4). Note that the time stamps for each message are provided. As with other tabular pages in the Cellebrite Reporter software, selecting any column header in the SMS display will re-sort all of the listed information in either the ascending or descending order of the selected column.

Figure 4

Viewing call information in the Cellebrite Report Manager is as simple as clicking the Call Log icon in the menu area. All 100 of the last calls made/received on the iPhone are displayed in tabular format and include, as expected, the type of call (incoming/outgoing), phone number, time/date, and duration of each call (Figure 5). Note: on an iPhone, if a given number exists in the phonebook on the iPhone, the contact name is also displayed in the call log details. As with other tabular pages in the Cellebrite Report Manager software, selecting any column header in the Calls Log display will re-sort all of the listed information in either the ascending or descending order of the selected column.

Figure 5

The Image page is selected by simply clicking on the Images icon in the menu area. Images may include any image on the phone, such as thumbnails from the SMS message display as well as a larger copy of the image stored on the iPhone that can be displayed by clicking on the smaller picture within the SMS display on the iPhone. Other images, such as those taken with the iPhone internal camera, are also extracted and made available in the images display (however, they are not differentiated by the Reporter software). Images are presented in a list view, but you can choose an Icon or detailed view from the toolbar (Figure 6). In order to view an image you must click on the image name or icon, and a Windows Photo Viewer window is opened to display the image. It is important to note that images that were deleted on the iPhone are not recovered and made available in this extraction. EXIF information is made available by right-clicking on the image while it is being viewed in the Windows Photo Viewer.

Care should be taken in viewing and interpreting the EXIF data in the Windows Photo Viewer (Figure 7). The data displayed in the Properties window for Origin – Date Taken represents the time and date the photo was taken. The data provided under “File”, however, contains the path to the image on the viewing workstation (not on the iPhone), and the file time stamps represent when the file was created/accessed in the extraction process, not the time the photo was taken.

Figure 6

Figure 7

Taking A Deeper Dive – Using The Cellebrite File System Dump Option

With today’s more powerful mobile devices such as the Apple iPhone 3G, collecting only the traditional “phone” data is simply not enough; you need to do a deeper dive to perform a thorough forensic analysis.

The Main Menu of the Cellebrite UFED offers several choices for collecting evidence from a mobile device:

  • Extract Phone Data
  • Extract SIM/USIM Data
  • Clone SIM ID
  • Physical Dump
  • File System Dump
  • Extract Passwords

For the purposes of this test run I chose to create a “File System Dump” rather than just the traditional “Extract Phone Data”.

On the UFED menu

File System Dump -> Apple ->

Several choices for Apple supported mobile devices include:

  • iPad
  • iPod Touch
  • iPhone 2G/3G/3GS
  • iPhone 4
  • iPod Nano 5G

I chose the selection for the “iPhone 2G/3G/3GS”.

Target selections include:

  • USB Flash Drive
  • SD Card
  • PC

I chose “USB Flash Drive” and used a 16 GB FAT32-formatted USB drive.

The iPhone contained a large number of songs, a few videos, photos and 11 different applications – roughly 13.1 GB of data. The extraction took a little more than 14 hours to complete and wrote 12.4 GB to the USB stick.

Figure 8

I copied the folder from the USB stick to a forensics workstation and then selected the respective UFED Dump file (Figure 8). This automatically opened the archived files within the UFED Physical Analyzer (Figure 9) on my Windows 7 x64 server.

Figure 9

Drilling down into what is available within the Physical Analyzer software literally opens a “treasure trove” of potentially valuable evidence not found with the traditional “Extract Phone Data” option on the Cellebrite UFED. Selecting the available Hex data and drilling down into the application folders, I was able to find not only the application user names and passwords for several applications but also the user’s Skype chat conversations that are being stored on the iPhone – information simply not available using the traditional “Extract Phone Data” option.

The Cellebrite Physical Analyzer Itself Is Good But Other Tools Can Enhance Your Analysis

While examining the data in hex format within the Cellebrite Physical Analyzer software is interesting, and some would perhaps believe it to be “enough”, I prefer the automation provided by tools like those found in the “SANS SIFT Workstation” for Windows to present the evidence in a more “forensicator friendly” manner.

Create A File Set For Analysis

From within the Cellebrite Physical Analyzer software Toolbar I chose to copy the extracted data out of the Physical Analyzer to a folder on my forensic server:

Tools -> Dump Filesystem

This created a folder set in the original iPhone hierarchy and enabled me to then copy the folders onto a USB stick for further analysis.

Some Analysis Using The SANS SIFT Workstation With The Cellebrite Physical Analyzer

Knowing that I had found Skype-related data while viewing the files in the hex display of the Physical Analyzer, I decided to use the tool included in the SANS SIFT Workstation called “Skype Log Parser”. Starting up SIFT and connecting the USB stick with the copied folders from the Cellebrite Physical Analyzer allowed me to quickly run the Skype Log Parser against the collected data, resulting in a clean representation of the available data in a much easier to read format than simply viewing it in Hex. Here is just a sample of the evidence found using the SIFT Workstation and Skype Log Parser (Figures 10 – 13) when run against the files exported from the Physical Analyzer, which were extracted with the UFED in File Dump mode.

Figure 10

Figure 11

Figure 12

Figure 13

Finding that the tools within the SIFT Workstation were able to use the data extracted from the iPhone by Cellebrite was encouraging, so I decided to try another tool available on my forensics server, “NetAnalysis”, against the collected data to see whether a representation of the iPhone’s Safari browser history was available and could be processed by NetAnalysis from the data structures collected by the Cellebrite UFED. As expected, the NetAnalysis software was able to collect the browser history from the Cellebrite-extracted data structures of the iPhone Safari browser (Figure 14).

Figure 14

Taking It Up A Notch – Using FTK 3.1 To Analyze The File Dump From The UFED – Physical Analyzer Export.

I prefer to create an AD1 image of large amounts of data that will be part of a case in FTK 3.1 rather than simply add the individual files or folders directly into an FTK case. To create the AD1 image you simply use FTK Imager (Figure 15):

File -> Create Image -> Contents of a folder -> enter source path -> Finish

Add -> complete case information form -> Image destination -> Image name

Figure 15

With the available AD1 image you can now start FTK 3.1, create a new case, add the AD1 file you just created to the new case (Figure 16) and configure your evidence refinement options (Figure 17). These are not necessarily the optimum refinement options for an iPhone but were selected simply to process this example for this blog post.

Figure 16

Figure 17

The small AD1 file is processed in minutes by FTK 3.1, and you are quickly presented with the FTK Explorer and evidence tree showing the complete file structure collected by the Cellebrite UFED File System Dump (Figure 18) from the iPhone. FTK 3.1 provides the ability to view plist files and some SQLite files. Further, the index search is available to search the image for your selected keywords.

Figure 18

Under the Overview Tab, select the plist extension to see the power of analysis using FTK on the UFED-extracted iPhone file dump. The total number of plist files found on this iPhone is 176, and they contain a wealth of potential forensic evidence. Drilling down to the file named Bookmarks.plist, we find that it contains potentially valuable data associated with the iPhone map application – complete data on a specific location saved as a bookmark in the map application (Figure 19). Other potentially valuable plist files include the user’s speed dial list (Figure 20), the network identification plist (Figure 21) that contains valuable historical network connection details, and several browser cookie plist files that reveal browser history details even if the user deleted browser history, just to name a few.

Figure 19

Figure 20

Figure 21

Figure 22

Other great potential forensic evidence can quickly be viewed using FTK and an external program such as SQLiteSpy to view the data contained within the many iPhone SQLite databases. Simply right-click on the SQLite db file in the FTK tree view and select “view with external program -> SqliteSpy” (Figure 23). Here we have all of the notes the user of the iPhone stored with the Apple Notes application on the iPhone.

Figure 23

Another detail missing when using Extract Phone Data is that it simply did not collect the calendar data from the iPhone. However, the File System Dump does capture the SQL database associated with the user’s calendar application. Right-click on the CalendarSqlite.db and select “view with external program -> SQLiteSpy” to view the SQL database table containing the user’s calendar data (Figure 24).

Figure 24
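The plist and SQLite review done above with FTK and SQLiteSpy can also be scripted against the exported folder set. The following is an added example, not part of the original post: it identifies plist and SQLite files by content rather than extension and opens each database read-only. The folder names, the `SampleTable` schema and the `cache.dat` file are constructed for the demo.

```python
import plistlib
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def classify(path):
    """Identify a file by content, not extension."""
    with open(path, "rb") as fh:
        head = fh.read(16)
        if head == SQLITE_MAGIC:
            return "sqlite"
        if head.startswith(b"bplist00") or head.lstrip().startswith(b"<?xml"):
            fh.seek(0)
            try:  # plistlib parses both binary and XML plists
                return "plist" if plistlib.load(fh) is not None else None
            except Exception:  # plist-like header that does not parse
                return None
    return None

def list_tables(path):
    """Open read-only so the evidence copy is never modified; return {table: rows}."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {n: con.execute('SELECT COUNT(*) FROM "%s"' % n.replace('"', '""')).fetchone()[0]
                for n in names}
    finally:
        con.close()

def triage(root):
    """Walk the exported folder set; return plist paths and SQLite table summaries."""
    root = Path(root)
    found = {"plist": [], "sqlite": {}}
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        rel = p.relative_to(root).as_posix()
        kind = classify(p)
        if kind == "plist":
            found["plist"].append(rel)
        elif kind == "sqlite":
            found["sqlite"][rel] = list_tables(p)
    return found

def build_sample_dump(root):
    """Constructed stand-in for the export: folder names and table are invented."""
    root = Path(root)
    for sub in ("maps", "calendar", "misc"):
        (root / sub).mkdir(parents=True)
    with open(root / "maps" / "Bookmarks.plist", "wb") as fh:
        plistlib.dump({"Name": "constructed bookmark"}, fh, fmt=plistlib.FMT_BINARY)
    (root / "misc" / "broken.plist").write_bytes(b"bplist00truncated")
    for rel, rows in (("calendar/CalendarSqlite.db", 2), ("misc/cache.dat", 1)):
        con = sqlite3.connect(str(root / rel))
        con.execute("CREATE TABLE SampleTable (id INTEGER PRIMARY KEY, note TEXT)")
        con.executemany("INSERT INTO SampleTable (note) VALUES (?)", [("constructed",)] * rows)
        con.commit()
        con.close()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(build_sample_dump(tmp)))
```

Run it against a working copy of the export, never the original evidence; the truncated `broken.plist` and the misnamed `cache.dat` show why extension-based counts can mislead.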

In conclusion: Clearly the File Dump option for the Cellebrite UFED Physical provides a wealth of potential forensics evidence for an Apple iPhone. The traditional Extract Phone Data option is significantly faster but simply cannot be regarded as a thorough analysis of an Apple iPhone because of the other forensic data it may in fact contain. The Cellebrite Report Manager is great for a traditional phone analysis, and the Cellebrite Physical Analyzer software provides the capability to analyze the File System Dump created with the UFED Physical for a deeper dive into the data contained on an iPhone. While the Physical Analyzer software is good with its Hex display, filtering and search capability, the file structure created is also usable by other forensic tools such as those within the SANS SIFT Workstation like the Skype Log Parser, the well known and powerful stand alone browser analysis tool from Digital Detective called Net Analysis and lastly the powerful AccessData FTK 3.1 analysis software with its point and click bookmarking and reporting capability along with additional tools like SQLiteSpy to further expand its capability.

Stop, Children, What’s That Sound?

Making Use of a Super Timeline

I won’t go over how to create a Super Timeline since Rob has already covered that at a high level on the SANS Digital Forensics Blog. What I’ve been working on recently is how to best make use of the resulting timeline. I have also discovered some interesting artifacts that never occurred to me to consider as part of a timeline.

What I’ve learned is that creating a Super Timeline is only the beginning of timeline analysis.  Because the Super Timeline method captures so many time stamps, it is likely that a Super Timeline will contain too many entries to manually review line by line especially if an examiner creates a timeline for an entire drive image.  The challenge is to be able to pin down what portions of that timeline are relevant to the examination at hand.

What I recommend is to use more tactical forensic tools to pull out specific dates and times that can then be viewed in greater detail by using the Super Timeline.  A classic forensic examination is one where an examiner is asked to determine whether someone copied information like intellectual property from a computer using methods such as email or a USB device.  The Super Timeline is an invaluable tool for this sort of examination, but you have to know where to look on the timeline to get the data of interest.  Tools that can help an examiner do this are Digital Detective’s Net Analysis and HSTEX, Harlan’s Reg Ripper and keyword searching via spreadsheet programs such as Excel.

I like the Net Analysis and HSTEX combo and I’ve been using both tools for many years.  Craig Wilson, author of these tools, was recently awarded a well deserved Forensic 4cast Lifetime Achievement Award.  An examiner can take the latest version of HSTEX and use it to extract web browser history from an image.  If it’s a Windows operating system being examined, the Internet Explorer history will be of great interest because the examiner can load the HSTEX results into Net Analysis and then filter on terms like “file” to show just file access entries or terms like “attach” to find evidence where files might be uploaded or downloaded from something such as web based email.  The examiner can then take the date and time information for specific events of interest and refer to the Super Timeline to get a clearer picture of the events that surrounded that point in time.

Harlan has been doing some great work in the area of registry forensic research and tool development. Harlan’s Reg Ripper tool is one that every examiner should have in their tool box and it’s Harlan’s tool that provides registry date and time data in the creation of a Super Timeline.  For example, using the Reg Ripper tool to determine what types of USB devices have been connected to a system allows the examiner to then search for device specific keywords on the Super Timeline.

Super Timelines are designed to be loaded up into a spreadsheet such as Microsoft Excel.  These spreadsheets can also be used to help an examiner zero in on specific events through keyword searching. Keywords such as the word “USB” can be used to help determine when a USB specific event occurred in the timeline.

One of the added bonuses that I’ve discovered from using Super Timelines is that it’s shown me new artifacts to be aware of during an examination.  For example, while examining a recent Super Timeline I saw the last accessed times being updated on .wav files for the sounds that are made when a USB device is inserted or removed.  It occurs to me that this is a valuable thing to keep in mind when trying to determine what a user did on a particular computer.  When a user interacts with an operating system GUI like Windows, certain actions can result in sound files playing and that can result in the last accessed time stamps of those files being updated.
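The pivot described above (search for a keyword such as “USB”, then read everything recorded around that time) as an added example that is not part of the original post. The timeline rows and the reduced column layout are constructed; adapt the column names to the header your timeline tool writes.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows; a real Super Timeline has more columns and far more lines.
SAMPLE = """\
date,time,MACB,source,desc
07/01/2010,09:02:11,.A..,FILE,C:/Users/sample/Documents/budget.xls
07/01/2010,14:30:02,M...,REG,USBSTOR key Disk&Ven_Sample&Prod_Drive last written
07/01/2010,14:30:03,.A..,FILE,C:/Windows/Media/Windows Hardware Insert.wav
07/01/2010,14:31:40,.A..,FILE,C:/Users/sample/Documents/design.doc
07/01/2010,14:33:05,M...,LNK,E:/design.doc shortcut created
07/01/2010,14:36:10,.A..,FILE,C:/Windows/Media/Windows Hardware Remove.wav
07/01/2010,18:45:00,.A..,WEBHIST,visited http://example.com/
07/02/2010,08:15:27,M...,REG,USBSTOR key Disk&Ven_Sample&Prod_Drive last written
"""


def load_timeline(text):
    """Parse the CSV and return events sorted by timestamp."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])


def pivot(events, keyword, minutes=10):
    """Return one cluster of events per (merged) window around each keyword hit."""
    delta = timedelta(minutes=minutes)
    spans = []
    for e in events:  # events are sorted, so spans are built in time order
        if keyword.lower() in e["desc"].lower():
            start, end = e["ts"] - delta, e["ts"] + delta
            if spans and start <= spans[-1][1]:
                spans[-1][1] = max(spans[-1][1], end)  # merge overlapping windows
            else:
                spans.append([start, end])
    return [[e for e in events if start <= e["ts"] <= end] for start, end in spans]


if __name__ == "__main__":
    for i, cluster in enumerate(pivot(load_timeline(SAMPLE), "usb"), 1):
        print(f"--- window {i} ---")
        for e in cluster:
            print(f'{e["ts"]:%Y-%m-%d %H:%M:%S} {e["MACB"]} {e["source"]:8} {e["desc"]}')
```

The keyword matches only the two registry rows, but the first window also surfaces the sound-file accesses and the document activity between them, which a plain keyword filter would hide.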

Eric Huber leads the digital investigations team for a large multinational company. You can follow him on Twitter at @ericjhuber. His digital forensic blog is “A Fistful of Dongles” which has its own Twitter account of @AFoDBlog. This post also appears at that blog along with some additional content.  This post is part of the author’s shameless attempt at earning a SANS Lethal Forensicator RMO which the author disturbingly refers to as his “precious“.

Digital Forensics Case Leads: Spies, Social Networking Experiments, Live CDs & More

This “007” edition of Case Leads (20100708) features Russian spies, a mini-write blocker that would make Q proud, an experiment in social networking, Live CDs for Windows and Linux and an online journal on small digital device forensics.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


  • Russian spies used a mixture of high tech, low tech and old tech. The techniques ranged from drive-by (ad-hoc) Wi-Fi, steganography, and burst transmissions.
  • Thomas Ryan decided to do a little experiment in social networking known as the Robin Sage affair.  His approach is fairly straightforward:  create a few profiles on sites like Facebook, LinkedIn, MySpace, and Twitter, add a photograph and use a name that you might expect to be memorable to a certain demographic.  Let the ingredients simmer for about a month and what do you get?  Apparently over 300 connections, offers of employment and dinner invitations from Congress, the Joint Chiefs and just about anyone in between.

Good Reads:

  • There is a lot of work currently being done on the Windows Forensic Environment.  Also known as WinFE or Windows FE, it is a modified version of Windows PE with the goal of being a Windows-based LiveCD/DVD suitable for digital forensics and incident response.  Because the project is now quickly evolving, some of the documentation is considered out of date but it is still somewhat useful.  This slide deck from Microsoft’s Troy Larson about Windows Forensic Environment (WinFE) and this PDF from Brett Shavers provide a good overview and historical context.  Brett also posted a brief check list and a couple of videos to help you create your own WinFE ISO.  I followed his instructions and used his batch files to quickly create a functional WinFE ISO that included the SysInternals Suite, RegRipper, FTK Imager Lite, and a few other tools. If you decide to dive in and create the ISO without watching the videos, keep in mind you will need to run the Windows AIK shell as admin before you run createwinfe.bat.  The batch files for creating your own WinFE image are included in a zip file available for download from the site.  Brett Shavers, Mauritz Botha, Björn Ganster, and Troy Larson have all contributed files to help create a Windows FE image.  Colin Ramsden is also contributing to the effort and though his contribution is not yet available for download, a preview of his work is available.
  • The Orion Live CD is an Ubuntu-based incident response CD now available at SourceForge.  This Live CD was originally based on BackTrack 4 and was developed by John Jarocki to meet the requirements for SANS GCIH gold certification.  The paper is less than 50 pages and includes screen shots, tested platforms, and a list of added files.  You may find this post useful to gain root access to the system.



  • Not a tool exactly, but a cheat sheet for several tools by Ed Skoudis.  Hping, Metasploit, the Meterpreter, and FGDump are all featured.
  • In keeping with the spy theme, Q would likely be satisfied with this device.  Wiebe Tech has come out with what may be the smallest USB writeblocker.  At approximately $200, it may also be the least expensive USB writeblocker currently on the market.

Coming Events:

Digital Forensics Case Leads for 20100708 was compiled by Ray Strubinger of the Georgia Institute of Technology.  Ray leads the digital forensics and incident response team and when the incidents permit, he is involved in various aspects of the Institute’s defense-in-depth strategy. If you have an article to suggest for case leads please email it to

Digital Forensic Case Leads: Forensic 4Cast Voting is Open

Short post this week, as yours truly is under the weather. I hate colds, but they are far more miserable in the summer when the weather is beautiful.

It’s con season. Last week was SANSFire, and this week started off with the Pen Test Summit, and FIRST and in the coming weeks we’ll see the Forensics Summit (details below), Black Hat and Defcon. I love this time of year and can’t wait to see what great tools and discoveries will be released in the coming months.


  • For anyone who has ever had to dig through the registry piecing together information about various USB devices that have been plugged into a system, here’s a useful tool that will do the heavy lifting for you. That link will take you to a post that discusses the various registry artifacts in play and includes a link to the tool.
  • Mandiant has released a new version of their Web Historian. The product now parses history for Firefox versions 2 and 3, Chrome and IE 5 – 8. I haven’t had time to play with this yet, but have used the previous version. The broader browser support in this version will make it worth a look.

Good Reads:


  • The U.S. Supreme Court has ruled in favor of a California Police Chief who read the transcripts of his employee’s text messages. News of the ruling doesn’t surprise me. These were not personal devices being used to send messages, rather they were paid for by the Police Department. If you want to keep your personal messages private, use your own personal device.
  • Voting has begun for the 2010 Forensic 4Cast Awards. Last year’s awards show was great fun and this year promises to be even better with the awards taking place in conjunction with this year’s SANS What Works in Forensics and Incident Response Summit. As they say in Chicago, vote early and vote often.

Coming Events: