Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year

The SANS DFIR Summit and Training 2018 is turning 11! The 2018 event marks 11 years since SANS started what is today the digital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS DFIR courses. You can also earn CPE credits and get the opportunity to win coveted DFIR course coins!


To commemorate the 11th annual DFIR Summit and Training 2018, here are 11 reasons why you should NOT miss the Summit this year:

1.     Save money! There are two ways to save on your DFIR Summit & Training registration (offers cannot be combined):

·       Register for a DFIR course by May 7 and get 50% off a Summit seat (discount automatically applied at registration), or

·       Pay by April 19 and save $400 on any 4-day or 6-day course, or up to $200 off the Summit. Enter code “EarlyBird18” when registering.

2.     Check out our jam-packed DFIR Summit agenda!

·       The two-day Summit will kick off with a keynote presentation by Kim Zetter, an award-winning journalist who has provided the industry with the most in-depth and important investigative reporting on information security topics. Her research on such topical issues as Stuxnet and election security has brought critical technical issues to the public in a way that clearly shows why we must continue to push the security industry forward.

·       The Summit agenda will also include a presentation about the Shadow Brokers, the group that allegedly leaked National Security Agency cyber tools, leading to some of the most significant cybersecurity incidents of 2017. Jake Williams and Matt Suiche, who were among those targeted by the Shadow Brokers, will cover the history of the group and the implications of its actions.

·       All DFIR Summit speakers are industry experts who practice digital forensics, incident response, and threat hunting in their daily jobs. The Summit Advisory Board handpicked these professionals to provide you with highly technical presentations that will give you a brand-new perspective on how the industry is evolving to fight even the toughest adversaries. But don’t take our word for it: have a sneak peek at some of the past DFIR Summit talks.


Immerse yourself in six days of the best in SANS DFIR training. Here are the courses you can choose from:

·       FOR500 – Advanced Windows Forensics

·       FOR585 – Advanced Smartphone Forensics

·       FOR610 – Reverse-Engineering Malware

·       FOR508 – Digital Forensics, Incident Response & Threat Hunting

·       FOR572 – Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

·       FOR578 – Cyber Threat Intelligence

·       FOR526 – Memory Forensics In-Depth

·       FOR518 – Mac and iOS Forensic Analysis and Incident Response

·       MGT517 – Managing Security Operations: Detection, Response, and Intelligence

3.    All courses will be taught by SANS’s best DFIR instructors. Stay tuned for more information on the courses we’re offering at the conference in a future article post.

4.     Rub elbows and network with DFIR pros at evening events, including networking gatherings and receptions. On the first night of the Summit, we’re going to gather at one of Austin’s newest entertainment venues, SPiN, a ping pong restaurant and bar featuring 14 ping pong tables, lounges, great food, and drinks. Give your overloaded brain a break after class and join us at our SANS Community Night, Monday, June 9 at Speakeasy. We will have plenty of snacks and drinks to give you the opportunity to network with fellow students.

5.     Staying to take a DFIR course after the two-day Summit? Attend SANS@Night talks guaranteed to enrich your DFIR training experience with us. Want to know about threat detection on the cheap and other topics? As for cheap (and in this case, that doesn’t mean weak), there are actions you can take now to make threat detection more effective without breaking the bank. Attend this SANS@Night talk on Sunday evening to learn some baselines you should be measuring against and how to gain visibility into high-value actionable events that occur on your systems and networks.

6.     Celebrate this year’s Ken Johnson Scholarship Recipient, who will be announced at the Summit. This scholarship was created by the SANS Institute and KPMG LLP in honor of Ken Johnson, who passed away in 2016. Early in Ken’s digital forensics career, he submitted to a Call for Presentations and was accepted to present his findings at the 2012 SANS DFIR Summit. His networking at the Summit led to his job with KPMG.

7.     Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars – Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave Austin with a motherlode of DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the six DFIR Domains: Windows Forensics & Incident Response, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, and Malware Analysis. Take your pick or win them all!


8.     Enjoy updated DFIR NetWars levels with new challenges. See them first at the Summit! But not to worry, you will have the opportunity to train before the tournament. You’ll have access to a lot of updated posters that can serve as cheat sheets to help you conquer the new challenges, as well as the famous SIFT WorkStation that will arm you with the most powerful DFIR open-source tools available. You could also choose to do an hour of crash training on how to use some of our Summit sponsors’ tools prior to the tournament. That should help give you an edge, right? That new DFIR NetWars coin is as good as won!

9.     The Forensic 4:cast Awards winners will be announced at the Summit. Help us celebrate the achievements of digital forensic investigators around the world deemed worthy of the award by their peers. There is still time to cast your vote. (You may only submit one set of votes; any additional voting will be discounted.) Voting will close at the end of the day on May 25, 2018.

10.  Come see the latest in tools offered by DFIR solution providers. Summit sponsors and exhibitors will showcase everything from managed services covering advanced threat detection, proactive threat hunting, and accredited incident response to tools that deliver rapid threat detection at scale, and reports that provide insights for identifying potential threats before they cause damage.

11.  Last but not least, who doesn’t want to go to Austin?!? When you think Austin, you think BBQ, right? This city isn’t just BBQ, Austin has amazing food everywhere and there’s no place like it when it comes to having a great time. The nightlife and music include the famous 6th Street – which, by the way, is just walking distance from the Summit venue. There are many other landmarks such as Red River, the Warehouse District, Downtown, and the Market District. You will find entertainment of all kinds no matter what you’re up for. Nothing wrong with some well-deserved play after days full of DFIR training, lectures, and networking!

As you can see, this is an event you do not want to miss! The SANS DFIR Summit and Training 2018 will be held at the Hilton Austin. The event features two days of in-depth digital forensics and incident response talks, nine SANS DFIR courses, two nights of DFIR NetWars, evening events, and SANS@Night talks.

The Summit will be held on June 7-8, and the training courses run from June 9-14.

We hope to see you there!




This is going to be a series of blog posts due to the limited amount of free time I have to allocate to the proper research and writing of an all-inclusive blog post on iOS 11. More work is needed to make sure nothing drastic is missing or different and to dive deeper into the artifacts that others have reported to me as currently being unsupported by tools.

From what I have seen thus far, I am relieved that iOS 11 artifacts look very similar to iOS 10. This is good news for forensicators who see iOS devices and have adapted to the challenges that iOS 10 brought. Prior to writing this, I was referred to a blog post on iOS 11 that was an interesting read (thanks Mike). I suggest you also check it out, as it pinpoints what is new in iOS 11 in regards to features:

Understanding what the OS is capable of doing helps us determine what we need to look for from a forensic standpoint. From what I have seen so far, the major artifact paths have not changed for iOS 11. Key artifacts for normal phone usage appear to be in the same locations:
– Contacts – /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
– Calls – /private/var/mobile/Library/CallHistoryDB/CallHistory.storedata
– SMS – /private/var/mobile/Library/sms.db
– Maps – /private/var/mobile/Applications/ – Still missing? Refer to my blog post from Dec.

When I test an update to a smartphone OS, I normally start with basic user activity (create a new contact, place some calls, send messages, ask for directions, etc.) and then I dump my phone and see what the tools can do. For this test, I created both encrypted and unencrypted iTunes backups, used PA Methods 1 and 2 and did a logical extraction with Oxygen Detective. What I found is that not all tools parsed the data in the same manner, which is to be expected. (I also plan to test more methods and tools as time allows and for my FOR585 course updates.)
To get this post done in a timely manner, I found one item that has always been parsed and jumped out as “missing” or not completely supported.


iMessages and SMS in iOS 11 were the first items that jumped out as “something is off…” and I was right. I sent test messages and could not locate them in the tools as easily as I have done in the past. I normally sort by date, because I know when I send something. Up until this release of iOS, we could rely on our tools to parse the sms.db and parse it well. The tools consistently parsed the message, to/from, timestamps, attachments and even deleted messages from this database. Things have changed with iOS11 and it doesn’t seem that our tools have caught up yet, at least not to the same level they were parsing older iOS versions.

One of the most frustrating things I find is that the tools need access to different dumps in order to parse the data (as correctly as they could for this version). For example, Oxygen didn’t provide access to the sms.db for manual parsing, nor did it parse it for examination when the tool was provided an iTunes backup. This had nothing to do with encryption, because the passcode was known and was provided. UFED isn’t the same as PA Method 1 and 2 (you have heard this from me before), but it’s confusing because most don’t know the difference. This is what it looked like when I imported the iOS 11 backup into Oxygen. Believe me, there are more than 3 SMS/iMessages on my iPhone.


However, when I dumped my iPhone logically using Oxygen Detective, it parsed the SMS and provided access to the sms.db. When I say “parsed” the sms.db, I am not referring to timestamp issues at all; those will be addressed in a bit. Here is what my device looked like when I dumped it and parsed it in Oxygen.


Spot the differences in the messages? Yep, you now see 48,853 more! Crazy… all because the data was extracted a different way. I also tested adding in the PA, Method 1 image and those message numbers were different, but the sms.db was available and parsed. You really have to dump these devices in different ways to get the data!

Bottom line – add the sms.db to something you need to manually examine for iOS 11 to ensure your tool is grabbing everything and parsing it. The rest of this blog is going to focus on just that – parsing the sms.db in regards to changes found in iOS 11.

Let’s take a look at what is the same (comparing iOS 11 to iOS 10):
• SMS and iMessages are still stored in the sms.db
• Multiple tables in this database are required for parsing/joining the messages correctly
What is different (comparing iOS 11 to iOS 10):
• Additional tables appear to be used?
• The timestamp is different for iOS 11 – SOMETIMES!

Here is what I found (so far). The tools are hit or miss. Some tools are parsing the data, but storing the messages in a different location, others are parsing the message content, but not the timestamp… you catch my drift… What I recommend? Go straight to the database and take a look to make sure the tool(s) you rely on are not missing or misinterpreting the messages (wait… didn’t I just say that – YES, I did.)
The timestamp fields for the sms.db are all over the place now. What I am seeing is that the length of the Mac Absolute value varies between two formats and both of these formats can be stored in the same column. This is why the tools are struggling to parse these dates. Additionally, the tables in the sms.db differ in how they are storing the timestamp. So, if your tool is parsing it correctly, excellent – but still take a look at the tables.
Here are some examples of what this mess looks like. The column below is from the chat table in the sms.db. Notice how it has the traditional Mac Absolute value (number of seconds since 01/01/2001), while others are 18-digit Mac Absolute values and some are 0 (sent messages).


Additionally, I was seeing some that were 19 digits that were not appended with 00s at the end. The “conv start date” on the left column is from the messages table in sms.db and this timestamp has not changed. As expected, your tools handle this one nicely. The table on the right column is from the chat_message_join table, and this caused a little havoc as well due to the variety of timestamps in the column. Converting this wasn’t fun! Thanks Lee for your help here. You, my friend, ROCK!


When I first ran my SQL query, I noticed this one pesky date that wasn’t converting. This is because it was the timestamp highlighted above and I needed to beef up my query to handle this. If you see a date that looks like the one below, something is up and you aren’t asking for the data to be rendered correctly. The query below will handle this for you.


Don’t believe me that this causes issues yet? Take a look at how it looked in one tool.


The dates and times are not parsed correctly. I found that the dates and times appear to be consistent when the tools are parsing the 9-digit Mac Absolute timestamps from specific tables. Otherwise, expect to have to do this yourself. Here is where it was correct, but this wasn’t the case for all of my messages sent using iOS 11.


If you need a sanity check, I always like to use the Epoch Converter that I got for free from BlackBag to make sure I am not losing my mind when dealing with these timestamps. Below, you can see it was parsing it correctly (Cocoa/Webkit Date). Also, I love that it gives you both localtime and UTC.


This leads me to the good news: below is the query that will handle this for you. This query is a beast and “should” parse all SMS and iMessages from the sms.db REGARDLESS of the iOS version, but only columns that I deemed interesting. (Note that I state should, because this has only been run across a few databases and you should report any issues back to me so they can be fixed.) Take this query and copy and paste it into your tool of choice. Here, I used the DB Browser for SQLite because it’s free. I limited some columns to the ones I care about the most, so you should make sure this query isn’t missing any columns that may be relevant to your investigation.

-- Reconstructed from the fragment in the post: the SELECT/FROM lines and the
-- two THEN branches for 18-digit values were missing. An 18-digit value is
-- nanoseconds since 2001-01-01, so it is divided by 1000000000 first.
-- message.text and the attachment join through message_attachment_join are
-- assumed here; the post only shows the joins, not the full column list.
SELECT
  message.text AS "Message",
  chat.chat_identifier AS "Other Party",
  datetime(message.date + 978307200,'unixepoch','localtime') AS "conv start date",
  CASE WHEN LENGTH(chat_message_join.message_date)=18 THEN
         datetime(chat_message_join.message_date/1000000000 + 978307200,'unixepoch','localtime')
       WHEN LENGTH(chat_message_join.message_date)=9 THEN
         datetime(chat_message_join.message_date + 978307200,'unixepoch','localtime')
       ELSE 'N/A'
  END AS "conversation start date",
  datetime(message.date_read + 978307200,'unixepoch','localtime') AS "date read",
  message.is_read AS "1=Incoming, 0=Outgoing",
  CASE WHEN LENGTH(chat.last_read_message_timestamp)=18 THEN
         datetime(chat.last_read_message_timestamp/1000000000 + 978307200,'unixepoch','localtime')
       WHEN LENGTH(chat.last_read_message_timestamp)=9 THEN
         datetime(chat.last_read_message_timestamp + 978307200,'unixepoch','localtime')
       ELSE 'N/A'
  END AS "last date read",
  attachment.filename AS "Attachment"
FROM message
LEFT JOIN chat_message_join ON chat_message_join.message_id=message.ROWID
LEFT JOIN chat ON chat.ROWID=chat_message_join.chat_id
LEFT JOIN message_attachment_join ON message_attachment_join.message_id=message.ROWID
LEFT JOIN attachment ON attachment.ROWID=message_attachment_join.attachment_id
ORDER BY message.date_read DESC;

Here is a snippet of what this beauty looks like. (Note: this screenshot was taken prior to me joining attachments – aka MMS).
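As an added example (not the post’s own code), here is the same timestamp repair done outside any tool: a small Python script that builds a constructed in-memory copy of the message, chat and chat_message_join tables with the 9-digit, 18-digit and zero timestamps described above, converts them both in Python and with an equivalent SQLite expression, and cross-checks the two, the way the post checks tool output against an epoch converter. Column names follow the sms.db schema; the rows, the phone number and the size threshold used instead of LENGTH() are assumptions for the demonstration.

```python
"""Normalise the mixed-format timestamps found in an iOS 11 sms.db.

Added example, not the blog author's code. It fills a constructed in-memory
copy of the three sms.db tables the post joins (message, chat,
chat_message_join) with the timestamp shapes the post describes: 9-digit
Mac Absolute seconds, 18-digit nanosecond values and 0 for "not set".
Column names follow sms.db; row contents and phone number are invented.
"""
import sqlite3
from datetime import datetime, timezone

MAC_EPOCH_OFFSET = 978307200   # seconds from 1970-01-01 to 2001-01-01 UTC
NS_PER_SEC = 1_000_000_000
# A seconds-since-2001 value cannot reach 10**12 for tens of thousands of
# years, so anything above it is taken to be the iOS 11 nanosecond form.
# Testing size rather than LENGTH() also covers the 19-digit values the post saw.
NANOSECOND_THRESHOLD = 10**12


def mac_absolute_to_utc(value):
    """Return an aware UTC datetime for an sms.db timestamp, or None for 0/NULL."""
    if not value:
        return None
    value = int(value)
    if value > NANOSECOND_THRESHOLD:
        value //= NS_PER_SEC            # nanoseconds -> seconds
    return datetime.fromtimestamp(value + MAC_EPOCH_OFFSET, tz=timezone.utc)


def sql_mac_absolute(column):
    """SQLite expression doing the same conversion as mac_absolute_to_utc().

    Yields 'YYYY-MM-DD HH:MM:SS' in UTC (add 'localtime' for local time)
    and NULL for 0/NULL, so it can be dropped into a query like the post's.
    """
    return (f"CASE WHEN {column} > {NANOSECOND_THRESHOLD} "
            f"THEN datetime({column} / {NS_PER_SEC} + {MAC_EPOCH_OFFSET}, 'unixepoch') "
            f"WHEN {column} > 0 THEN datetime({column} + {MAC_EPOCH_OFFSET}, 'unixepoch') END")


# 2017-10-06 00:00:00 UTC, written both ways iOS 11 stores it.
SECONDS_2017_10_06 = 528940800                       # 9 digits
NANOS_2017_10_06 = SECONDS_2017_10_06 * NS_PER_SEC   # 18 digits


def build_sample_db():
    """Constructed sms.db fragment: one chat, three messages, mixed timestamps."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, date INTEGER,
                              date_read INTEGER, is_from_me INTEGER);
        CREATE TABLE chat (ROWID INTEGER PRIMARY KEY, chat_identifier TEXT,
                           last_read_message_timestamp INTEGER);
        CREATE TABLE chat_message_join (chat_id INTEGER, message_id INTEGER,
                                        message_date INTEGER);
    """)
    conn.execute("INSERT INTO chat VALUES (1, '+15555550100', ?)", (NANOS_2017_10_06,))
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?)", [
        (1, "seconds-style date", SECONDS_2017_10_06, SECONDS_2017_10_06 + 60, 0),
        (2, "nanosecond-style date", NANOS_2017_10_06 + 5 * NS_PER_SEC, 0, 0),
        (3, "sent message, never read", NANOS_2017_10_06 + 90 * NS_PER_SEC, 0, 1),
    ])
    conn.executemany("INSERT INTO chat_message_join VALUES (?, ?, ?)", [
        (1, 1, SECONDS_2017_10_06), (1, 2, NANOS_2017_10_06 + 5 * NS_PER_SEC), (1, 3, 0),
    ])
    conn.commit()
    return conn


def load_messages(conn):
    """Join the tables as the post's query does and normalise every timestamp.

    'date' and 'date_read' are converted in Python; 'date_sql' is the same
    date column converted by the SQLite expression, so the two paths can be
    cross-checked like tool output against an epoch converter.
    """
    query = f"""
        SELECT chat.chat_identifier, message.text, message.is_from_me,
               message.date, message.date_read, {sql_mac_absolute('message.date')}
        FROM message
        LEFT JOIN chat_message_join ON chat_message_join.message_id = message.ROWID
        LEFT JOIN chat ON chat.ROWID = chat_message_join.chat_id
        ORDER BY message.ROWID
    """
    rows = []
    for party, text, from_me, date, date_read, date_sql in conn.execute(query):
        rows.append({
            "other_party": party,
            "text": text,
            "direction": "outgoing" if from_me else "incoming",
            "date": mac_absolute_to_utc(date),
            "date_read": mac_absolute_to_utc(date_read),
            "date_sql": date_sql,
        })
    return rows


if __name__ == "__main__":
    for row in load_messages(build_sample_db()):
        print(row)
```

Point build_sample_db() at a real sms.db copy (sqlite3.connect on the file) and load_messages() works unchanged, since only the tables and columns the post discusses are touched.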


I always stress that you cannot rely on the tools to be perfect. They are great and they get us to a certain point, but then you have to be ready to roll up your sleeves and dive in.
What’s next – applications, the image/video files that apparently aren’t parsing correctly, interesting databases and plists new to iOS 11 and the pesky maps. That one is still driving me crazy! Stay tuned for more iOS 11 blogs and an upcoming one on Android 7 and 8.
Thanks to Lee, Tony, Mike and Sarah for keeping me sane, sending reference material, testing stuff and helping me sort these timestamps out. Like parenting, sometimes forensicating “takes a village” too.

Coin Check: Win the challenge, join the elite list of lethal forensicators & take home a brand new DFIR challenge coin!

Hundreds of SANS Institute digital forensics students have stepped up to the challenge and conquered. They’ve mastered the concepts and skills, beat out their classmates, and proven their prowess. These are the elite, the recipients of the SANS Lethal Forensicator Coin, an award given to a select portion of the thousands of students that have taken any of the SANS Institute Digital Forensics or Incident Response (DFIR) courses. Now, the institute is expanding the opportunity for students to earn these highly coveted tokens in each of the SANS DFIR courses.

Thanks to an effort led by curriculum lead Rob Lee & the SANS DFIR faculty, students can now win specific SANS Lethal Forensicator Coins designed to go with each of the DFIR course themes. These coins are tailored to be icons and the precious prizes to be won by students as a proof and symbol of their mastery in a specific digital forensics specialty.

New DFIR course challenge coins available now:

FOR500: Windows Forensic Analysis

“Ex Umbra in Solem”: From the Shadows into the Light
In today’s digital world, forensics plays a critical role in uncovering the truth. Forensic examiners shine light on the facts of the case, making good decisions possible. And the forces of evil unceasingly develop new ways to hide their activities, forcing us to continually improve our skills to counter them.

FOR508: Advanced Digital Forensics, Incident Response & Threat Hunting

“Non Potestis Celare”: You cannot hide
The most successful incident response teams are evolving rapidly due to near-daily interaction with adversaries. New tools and techniques are being developed, providing better visibility and making the network more defensible. Adversaries can no longer hide.

FOR610: Reverse-Engineering Malware

“R.E.M”: Reverse-Engineering Master

Today, attackers are modifying their malware with increasing frequency to bypass antivirus and other endpoint controls. Through Reverse-Engineering Malware (R.E.M.) analysis, masters can isolate the most appropriate Indicators of Compromise (IOCs) to stop and identify malware.

FOR585: Advanced Smartphone Forensics

“Omnis Tactus Vestigium Relinquit”: Every contact leaves a trace
Knowing how to recover all of the data residing on the smartphone is now an expectation in the digital forensics field, and examiners must understand the fundamentals of smartphone handling, data recovery, accessing locked devices, and manually recovering data hiding in the background on the device. There are traces of evidence hiding on the device, and you know how to uncover them.

FOR572: Advanced Network Forensics Analysis

“Malum Loquitur, Bonum Auscultat”: Evil must talk, so good must listen

Network Forensic professionals are hunters with great visibility, who can find a target among a mass of camouflaging data. Wisdom, experience, and stealth are all embodied by the owl’s watchful, unwavering eye, seeking its prey under the cover of darkness. No matter how crafty an adversary may be, their communications will allow the hunter to find, identify, and ultimately eliminate their presence.

FOR518: Mac Forensics

“Impera magis. Aliter cogita”: Command more and think differently.

Apple users have always thought differently, and that goes for Apple forensicators too. The analysts who hold this coin take command of their forensic analysis and appreciate looking at the raw data and interpreting it correctly without the necessity of superfluous tools. Knowing where you came from can help you move forward; this is where the hat tip to the original colored Apple logo comes in. New artifacts are presented to analysts in every OS update, and the knowledge of historic elements may provide insight.

FOR578: Cyber Threat Intelligence

“Hominem unius libri timeo”: I fear the man of one book.

FOR578 is all about developing analytical skills. Thinking critically and expanding our views is a skill that applies to any security profession. The quote is attributed to Thomas Aquinas, and despite the common use of the phrase (which is meant to deride the person who is not well studied across multiple subjects), the original meaning was that a person who understood one good book well could defeat their opponent. Thus, this phrase can be interpreted two entirely different ways. Both are about self-education and broadening our views on the world.

FOR526: Memory Forensics In-Depth

“Cur mihi oculi dolent?” Why do my eyes hurt?

Memory forensics reveals deeper insights into the state of a compromised system and stands as the best source for detection of malware and OS/process manipulation/subversion. These analysis methods reveal key evidence which may not be uncovered through querying the operating system or digging through network packets. This quote comes from the original Matrix movie, a question Neo asks of Morpheus when he first wakes from his life in the artificial reality created by sentient machines. It is this awakening and raw view of reality that we as forensic examiners/incident responders strive to achieve through deeper analysis of system memory.


DFIR NetWars

Staying up-to-date with the latest challenges in the digital forensics field demands analytical skills that cannot be gained by just reading a textbook. Just as firefighters could never learn how to fight a fire by studying theory alone, incident responders, threat hunters, and digital forensic investigators can test their skills with DFIR NetWars.

New DFIR Challenge coin back design:

The challenges for each course are held on the last day. Students must successfully overcome a number of obstacles, directly compete against fellow students, and prove their proficiency during timed, hands-on incidents. The obstacles, competitions and hands-on scenarios have been created by SANS’ top instructors – digital forensics practitioners, subject matter experts, experienced teachers and professional leaders in their own right. At the end of the challenge, the instructor announces the winner(s), who are awarded the coins at the end of the 6th day of class, and winners are later listed on the SANS Institute’s virtual wall of Lethal Forensicator Coin Holders.


History of the SANS Challenge coins:

The coin – more precisely, Round Metal Object (RMO) – was initially created to recognize students who demonstrate exceptional talent, contributions, or who serve as leaders in the digital forensics profession and community. The coin is meant to be an honor; it is also intended to be rare. SANS Institute uses the coins to identify and honor those who excel at detecting and eradicating threats, understand the critical importance of cybersecurity and continually strive to further not only their knowledge but also the knowledge of the entire digital forensics field. They actively share their experience and encourage learning through participation in the community and are typically leaders in the digital forensics and incident response community.

Those who are awarded the Lethal Forensicator are also bestowed special privileges and recognition, including participation in the so-called and well-regarded “coin check” challenge and response.

“Coin check” Challenge:

Initiated by one coin holder to another, a coin check typically begins by a challenger holding his or her coin in the air or slamming it on a table and yelling “coin check!” All who are challenged must respond by showing their coins to the challenger within 10 seconds, and whoever fails to do so must buy everyone a round of drinks. If all the challenged coin holders do produce their coin, the challenger must buy the round of drinks. (By the way, if you accidentally drop your coin and it makes an audible sound on impact, then you’ve “accidentally” initiated a coin check. And, there are no exceptions to the rules!)

Coin checks aside, there are other ways to win the DFIR Challenge coins besides being an exceptional DFIR student and winning the classroom challenges. Each GOLD GCFA, GREM, GCFE member that has written a published white paper that has furthered the field of research in the Digital Forensics field receives a coin, as do SANS Digital Forensics Blog authors who have written six published entries over a one-year span. In addition, speakers and panelists who participate at a SANS Digital Forensic Summit are awarded coins (vendors and vendor-related speakers are not eligible). Finally, any coin holder can nominate an individual in the digital forensics field who has contributed knowledge, tools or service.

For more information on our SANS DFIR courses, please visit our Forensics Courses list. And to read more about the coin and the history of the term “Forensicator,” check out our Community – Lethal Forensicator Coin page.

Digital Forensic Case Leads: Anon Strikes Again, and Again. Groupon Litigation Threats. DarkMarket Motivations Revealed. The Tutu Has Been Donned

This week’s Digital Forensic Case Leads is chock full of forensics nuggets: links to great forensics tools for encryption detection and memory extraction, plus a how-to for breaking/auditing the OS X Keychain. You will also find an analysis of the Samsung v. Apple patent case from a digital forensics perspective, with IP Attorney Ben Langlotz. And, as our headline promises, news and analysis on the latest alleged attacks by “Anonymous” and their affiliates. Your reporter this week explains how BOTH the Anon group’s claims AND the Feds’ denials could be true.

If you have an item you’d like to contribute to Digital Forensics Case Leads, please send it to caseleads [at symbol here]



  • AccessData Group just released a new version of their forensics and investigation tool for mobile devices, MPE+. According to AccessData: “In addition to greatly improving mobile device investigations, MPE+ is the first solution designed to facilitate mobile device discovery for litigation support personnel. With the most intuitive interface on the market and new visualization capabilities, investigators and e-discovery practitioners alike will be able to address mobile device data with more efficiency.” This version supports physical imaging of Samsung Galaxy S2 devices and supports 4800 other mobile devices. Other notable features include carving SQLite databases from iOS and Android devices for user-deleted data, and a “Social Analyzer” that compares SMS, emails, MMS and call logs. Contact the people at AccessData Group to find out more.
  • Magnet Forensics (formerly JADsoftware) has an interesting free forensic investigation tool: Encrypted Disk Detector (EDD). According to the company, “EDD is a command-line tool that checks the local physical drives on a system for TrueCrypt, PGP®, or Bitlocker® encrypted volumes… EDD is useful during incident response to quickly and non-intrusively check for encrypted volumes on a computer system. The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug was pulled.”
  • MemGator: another free digital forensics tool. According to the developer, E5h Forensic Solutions, MemGator “is a memory file interrogation tool that automates the extraction of data from a memory file and compiles a report for the investigator…Data can be extracted in relation to memory details, processes, network connections, malware detection, passwords & encryption keys and the registry.”


Good Reads/Listens:

  • DarkMarket: Cyberthieves, Cybercops and You. From the publisher: “In this fascinating and compelling book, Misha Glenny, author of the international best seller McMafia, explores the three fundamental threats facing us in the twenty-first century: cybercrime, cyberwarfare and cyberindustrial espionage. Governments and the private sector are losing billions of dollars each year fighting an ever-morphing, often invisible and often supersmart new breed of criminal: the hacker.” Due to be released in paperback next month.
  • Breaking into the OS X keychain. From the author of the posting: “There is a design compromise in Apple’s keychain implementation that sacrifices some security for a lot of usability…As a result, the root user is able to read all keychain secrets of logged-in users, unless they take extra steps to protect themselves.” As we know, most users don’t take those types of steps. Read the how-to here.
  • Digital Forensic and InfoSec Lessons from the Apple v. Samsung patent case. Listen to this CyberJungleRadio conversation with patent expert Ben Langlotz, starting at about 14:30. There are some very surprising areas of digital forensics discussed by Mr. Langlotz.



Anti-Sec, an off-shoot of the cyber gang known as Anonymous, claimed credit late Monday for obtaining a database of over 12 million Apple iOS UDIDs (Unique Device Identifiers). UDIDs are “burned” into every iPhone/iPad/iPod Touch device. The group’s web site claims that the reason they took this data was a slap against the Federal Government (“The Feds”) and the activities of NSA Chief Gen. Keith Alexander to recruit hackers at Las Vegas’ DefCon conference last month. They want to show that the Feds don’t have the interests of the citizens at heart, but rather they think the Feds’ main goal is tracking the activities of average citizens — a claim Gen. Alexander very publicly refuted in Las Vegas. On Wednesday, the FBI released a statement that refutes the claim that the attackers gained access to an FBI computer for this data. Parsing the statement from the FBI, and the alleged attackers, it is possible that the information came from the systems of an anti-cybercrime non-profit that was founded by a former FBI agent. The group, The NCFTA, or National Cyber Forensics and Training Alliance, has, according to Forbes Magazine, a legal arrangement with the government that allows it to hand over information to the FBI.

From Elinor Mills and Greg Sandoval at CNET: “The U.S. Secret Service is looking into claims that someone stole presidential nominee Mitt Romney’s income tax returns and is threatening to release them if he doesn’t pay up. Secret Service spokesman George Ogilvie told CNET today that the agency is investigating, but had no further comment.”

Discount eCommerce site Groupon threatens to sue small business merchants. According to a report at, some businesses that participate as Groupon merchants are not getting paid by Groupon. This cash flow problem is driving merchants to notify the company that they will not honor Groupon coupons until they’re paid. Groupon is threatening legal action against the merchants if they suspend providing services to Groupon users as agreed. A classic contract case, but who’s truly in breach? AND — is there a digital smoking gun? Were orders to slow down or hold back payments transmitted via email, chats, text or other digital means? Have there been internal discussions around responding to merchant complaints about slow payment?

Did a diligent email forensics investigation help Samsung mitigate spoliation? In the intellectual property case that pits Apple against Samsung, we won’t get into the IP details in this space, but rather the issue of digital spoliation. Last month, Apple won a motion for an adverse-inference jury instruction because Samsung failed to properly preserve email evidence for discovery. As of this writing, Samsung has won a copy-cat motion, claiming Apple failed to preserve relevant emails. So now the jury will not hear that both Apple and Samsung may have destroyed email evidence.


Levity, or For the LULZ?

The Tutu Has Been Donned

Coming Events:

Call For Papers:


by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk show on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard and a member of the High Technology Crime Investigation Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor.

8 Articles for Learning Android Mobile Malware Analysis

Online attackers are paying increased attention to mobile devices. At the moment, the biggest mobile threat vector seems to be trojan applications: programs designed to run on a mobile phone that carry unwanted “features.” If you come across a malicious program of that nature, how can you analyze it? This quick post notes several articles and tools that focus on examining the inner workings of Android mobile applications.

If you can recommend other free tools, references and tutorials for learning Android mobile malware analysis, please leave a comment.

Lenny Zeltser focuses on safeguarding customers’ IT operations at NCR Corporation. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.

Open Source Android Digital Forensics Application

For some time now, I’ve spent most of my R&D time on Android forensics.  Gartner predicts that Android will be the #2 smartphone platform by 2012, exceeding the iPhone and leaving only Nokia/Symbian in front.  With an estimated 95 million devices on the market by that time, forensic examiners will inevitably begin to run across them (if you have not already).

The techniques we’ve developed will provide a full forensic image of supported Android devices.  With the introduction of a new file system (YAFFS2) and a host of other new challenges, our community has considerable work to do to more deeply understand the device.

In an effort to give back to the community, we have released our logical Android Forensic application as open source.  You can download it on Google Code and additional details are on my blog.

Application Architecture

The application was developed with a generic architecture that lets other programmers easily add support for new applications and data sources.  Currently, we pull the following information into CSV files on the SD card:

  • Browser history
  • Call logs
  • Contact Methods (email, phones, etc.)
  • Organizations (companies that contacts are in)
  • People (the individual people)
  • SMS

While security on Android phones is pretty decent, applications can (and do) share data.  We take advantage of this sharing (via ContentProviders) and extract the data for forensic purposes.

Browser History Example

We have also found ways to extract far more information than the list above.  Take the browser: it exposes the visited websites via a ContentProvider, and by querying that provider we can reproduce the device’s web history.  We are confident that significantly more information can be extracted from the device, so we hope this release will encourage forensics folks with Java experience to join the project.  Because the code is released under GPLv3, you have full access to the source, and if commercial entities distribute modified versions they are legally bound to make their changes available under the same licence (for a recent ruling on the enforceability of open source licence terms, see A Big Victory for F/OSS: Jacobsen v. Katzer is Settled).

How to install

If you have an Android device (or run the emulator from the SDK), you can install the application (an .apk file).  One way is to download the .apk on the device and install it directly; for that you need to enable the Settings -> Application Settings -> Unknown sources option (until we sign the .apk, which we hope to do soon).

An alternate method (and my preference) is to install using the Android Debug Bridge (adb).  To do this, you must first install the Android SDK on your workstation.  On Windows you need to install the USB drivers, and on Linux you must tweak udev, but there are plenty of online tutorials about this.  You also need to enable USB debugging on the phone, which you can do under Settings -> Application Settings -> Development -> USB Debugging.

Download the AndroidForensics.apk from Google Code and save it to c:\af.  Connect the Android device to your computer via USB and do the following from a cmd prompt:

List devices

C:\af>adb devices
List of devices attached
HT91YGZ08111    device

Install application

C:\af>adb install AndroidForensics.apk
419 KB/s (20138 bytes in 0.046s)
pkg: /data/local/tmp/AndroidForensics.apk

On the phone, run the viaForensics application and tap Capture

You will receive a message when the application completes

Copy CSV files to computer

C:\af>adb pull /sdcard/forensics c:\af
pull: building file list…
pull: /sdcard/forensics/20100225.0915.SMS.csv -> c:\af/20100225.0915.SMS.csv
pull: /sdcard/forensics/20100225.0915.People.csv -> c:\af/20100225.0915.People.csv
pull: /sdcard/forensics/20100225.0915.Organizations.csv -> c:\af/20100225.0915.Organizations.csv
pull: /sdcard/forensics/20100225.0915.ContactMethods.csv -> c:\af/20100225.0915.ContactMethods.csv
pull: /sdcard/forensics/20100225.0915.CallLogCalls.csv -> c:\af/20100225.0915.CallLogCalls.csv
pull: /sdcard/forensics/20100225.0915.Browser.csv -> c:\af/20100225.0915.Browser.csv
6 files pulled. 0 files skipped.
30 KB/s (38729 bytes in 1.249s)
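Once the six CSV files are on the workstation, the next step an examiner usually wants is a single timeline across call log, SMS and browser history. The script below is an added example written for this post, not code from the viaForensics project. The page does not show the CSV column layout, so the example assumes each file carries a header row named after the Android ContentProvider columns it was pulled from (`number,date,duration,type` for the call log, `address,date,body,type` for SMS, `url,title,date,visits` for the browser) and that `date` is milliseconds since the Unix epoch, which is how those providers store it. The sample files, the phone numbers and the US Central capture zone are constructed for the demonstration.

```python
"""Merge the CSV files pulled from /sdcard/forensics into one UTC timeline.

Added example for this post; it is not part of the viaForensics application.
Assumptions (not shown on the page): each CSV has a header row named after
the Android ContentProvider columns it was pulled from, and 'date' holds
milliseconds since the Unix epoch, which is how the CallLog, SMS and Browser
providers store it.  The sample files below are constructed, not real data.
"""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# File names seen in the adb pull output: YYYYMMDD.HHMM.<Source>.csv
FNAME_RE = re.compile(r"^(\d{8})\.(\d{4})\.(\w+)\.csv$")

# Android CallLog.Calls.TYPE and Sms.TYPE values
CALL_TYPES = {"1": "incoming", "2": "outgoing", "3": "missed"}
SMS_TYPES = {"1": "received", "2": "sent"}

# One-line summary of a row, per source (column names are the assumed headers)
SUMMARY = {
    "CallLogCalls": lambda r: f"{CALL_TYPES.get(r['type'], r['type'])} call "
                              f"{r['number']} ({r['duration']}s)",
    "SMS": lambda r: f"{SMS_TYPES.get(r['type'], r['type'])} SMS "
                     f"{r['address']}: {r['body']}",
    "Browser": lambda r: f"visited {r['url']} x{r['visits']}",
}

SAMPLE_FILES = {  # constructed input, not real device data
    "20100225.0915.CallLogCalls.csv":
        "number,date,duration,type\n"
        "+15555550123,1267106700000,42,2\n"
        "+15555550199,1267113600000,0,3\n",
    "20100225.0915.SMS.csv":
        "address,date,body,type\n"
        "+15555550123,1267036200000,meet at 9?,1\n",
    "20100225.0915.Browser.csv":
        "url,title,date,visits\n"
        "http://example.com/login,Login,1267088400000,3\n",
}


def capture_time(filename):
    """Return (naive local capture datetime, source name) from the file name."""
    m = FNAME_RE.match(filename)
    if not m:
        raise ValueError(f"unexpected file name: {filename}")
    ymd, hm, source = m.groups()
    return datetime.strptime(ymd + hm, "%Y%m%d%H%M"), source


def build_timeline(files, capture_tz):
    """files: {filename: csv_text}; capture_tz: zone of the examiner's clock
    that produced the file-name stamp.  Returns a list of
    (utc_datetime, source, summary, flag) tuples, oldest first."""
    events = []
    for name, text in files.items():
        local, source = capture_time(name)
        acquired = local.replace(tzinfo=capture_tz).astimezone(timezone.utc)
        for row in csv.DictReader(io.StringIO(text)):
            when = datetime.fromtimestamp(int(row["date"]) / 1000, tz=timezone.utc)
            # A record dated after the acquisition points at clock skew on the
            # handset or at post-seizure activity; flag it rather than let it
            # sort silently to the end of the timeline.
            flag = "AFTER_ACQUISITION" if when > acquired else ""
            events.append((when, source, SUMMARY[source](row), flag))
    return sorted(events, key=lambda e: e[0])


def demo_timeline():
    """Run the sample through build_timeline; examiner assumed in US Central."""
    return build_timeline(SAMPLE_FILES, timezone(timedelta(hours=-6)))


if __name__ == "__main__":
    for when, source, what, flag in demo_timeline():
        print(f"{when.isoformat()}  {source:13}  {what}  {flag}")
```

The capture stamp in the file name carries no time zone, so the examiner's zone has to be supplied; the sample's second call is dated after the 09:15 Central capture and comes out flagged, which is the kind of discrepancy to note in the acquisition record rather than discover in court.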


We have considerably more work to do on the application but it has been tested on the G1, T-Mobile myTouch, Motorola Droid and a number of Android virtual devices.  We hope the community will not only find this application useful but that they will join us in expanding the functionality.

Andrew Hoog is a computer scientist, certified forensic analyst (GCFA and CCE), computer and mobile forensics researcher, former adjunct professor (assembly language) and owner of viaForensics, an innovative computer and mobile forensic firm. He divides his energies between investigations, research and training about the computer and mobile forensic discipline. He writes computer/mobile forensic how-to guides, is interviewed on radio programs and lectures and trains both corporations and law enforcement agencies. As the foremost expert in Android Forensics, he leads expert level training courses, speaks frequently at conferences and is writing a book on Android forensics.

Facebook Forensics

by Jeff Bryner

Like most, I recently read the story of the EMT who posted a grisly picture to Facebook via his mobile phone. This got me thinking about social network forensics. I just happened to have joined Facebook (am I the last one?) and being of forensic mind… this post.

The issue that brings forensics into the case? The claim is that his post was accidental and unintentional.

Now Facebook has a long history of privacy misunderstandings, and being a brand new user I can attest that it’s nearly impossible at first glance to determine the privacy of the items you post. Is my looking at a potential ‘friend’ going to trigger an alert to them? If I look at their photos to see if I remember them does that alert my entire universe? What the heck is a poke?

Here’s what I discovered about the current process to post a photo on Facebook using my own Symbian phone.

First you must register your mobile phone number on Facebook, so that subsequent messages from you show up on your account.  You do this by sending an MMS message to, and receiving a confirmation text message from, Facebook’s short code (32665, or FBOOK on the keypad). This results in a status change on your Facebook account: “Jeff activated Facebook Mobile.”

After registering, sending a picture to the same short code via MMS creates a ‘mobile uploads’ photo album with a time-stamp. The subject of the MMS message becomes the picture caption and the picture is added to the album.

Normally, new albums you create are automatically shared to everyone. The auto-created ‘mobile uploads’ photo album however, wasn’t automatically shared to anyone. Even friends can’t see the album, much less any pictures within it. To share you either need to post it on your ‘wall’ or change the privacy settings of the album via the path: Facebook->Profile->Photos->Album Privacy.

So given this process what would we look for in forensics to help determine if this was indeed an accident?

  1. Was he registered to use his mobile account on Facebook prior to the date in question? If not, then he would have had to go to extraordinary lengths to register, upload a picture and share it with the world.

  2. Was his ‘mobile uploads’ album shared prior to this event? If not, then again he would have had to explicitly share it. If it was shared prior to this event, then any picture sent from his mobile would have been public.

  3. Are there other pictures on his mobile? If not, then taking one is in itself a unique event. If there are other pictures on his mobile, are the names similar? Could there be reasonable confusion about which photo is which?

  4. Was there some other event happening that initiated the send? It’s not clear whether the photo was sent during the emergency response or after. If it was sent during the response, it would seem extraordinary to take time out of your duties to send a photo. Then again, was there some other personal event occurring in his life that warranted a quick time-out to send a photo, such as a child’s birthday earlier in the day? If it was sent as part of a batch of photos during, say, a weekly upload to Facebook, then it may be part of his routine.

  5. Is the process of uploading pictures from a Symbian phone, as I’ve done, different from using a Samsung, an iPhone, a BlackBerry or Windows Mobile?

  6. Is the process for mobile pictures today the same as when this event occurred?

It would seem that to properly answer the claim of ‘accident’ a forensic analysis of the time line and the details of his personal technology in conjunction with a review of his routine on Facebook would be in order.

With the explosion of social networking sites is there a need for a new forensic framework? One not so much focused on recovering deleted files or operating system artifacts, but centering on:

  • Determining the strength of relationships
  • Analyzing the intent of actions given the pattern of use on a social networking site
  • Determining the likelihood of observable events being related
  • Uncovering past relationships
  • Archiving site privacy settings/policies
  • Forensic patterns of intra-social networking applications?

What do you think? Comments?

Jeff Bryner, GCFA Gold #137, also holds the CISSP and GCIH certifications, occasionally teaches for SANS and performs forensics, intrusion analysis, and security architecture work on a daily basis.

CSI Stick – So who has a copy of your phone?

Most people I know will not loan out their phone, but they will leave it lying around. The standard responses to this are “my screen is locked” and “I am only gone for a few minutes“. These were never particularly good excuses, but now they have gotten worse.

Paraben has released a tool it calls the CSI Stick (Cellular Seizure Investigation Stick) to simplify the acquisition process for mobile devices. The device is inexpensive, compact and simple; those are its strengths. The problem is that it also gives anyone, forensic expert or not, a means to quickly capture the data from other people’s phones. The device can capture:

CSI Stick from Paraben
  • Phone-book entries
  • Call Logs and Related Records
  • Photographs taken with the camera in the Phone
  • Text Messages (SMS) – sent and received
  • Multimedia Messages (MMS)
  • And this is only a small sample…

While devices such as this are a boon for forensic teams, they have their problems. Think how easy it is to:

  • Check your spouse’s phone
  • See what your boss/co-worker has been up to,
  • Just image a phone at a conference for the heck of it…

While these are great devices, it all comes down to how and why they are used.

The question to ask is – where is your mobile phone now?

Craig Wright, GCFA Gold #0265, is an author, auditor and forensic analyst. He has nearly 30 GIAC certifications, several post-graduate degrees and is one of a very small number of people who have successfully completed the GSE exam.

Hex Dumping Flash From a Mobile

Most mobile phone manufacturers sell or provide tools for managing the data on their devices; some of the very low-cost handsets are the exception. The problem is that few of these tools are forensically sound. Hence the need for an alternative: hex dumps taken with a flasher.

Model: UN-0412100 Flasher by Twister
A hex dump of the device is a physical acquisition of the device’s memory. For the majority of devices available this requires a “flasher” or “twister” device: specialist support tools designed for the repair and servicing of mobile phones. They are called flashers because they allow the flash memory on the device to be manipulated; the benefit to the forensic examiner is that the same access allows that memory to be dumped.
A number of specialist software offerings have been developed that can analyze a hex dump or “flash file” in order to produce a report or extract data from the image. Some of the better known products include:
  • Pandora’s Box for Nokia
    • hex dump analysis
    • Date and Time Decoding
    • PDU encoding/decoding
    • Hex conversion functions
  • Cell Phone Analyzer (CPA).

Flashers allow one to capture a phone’s memory (the Flash) as an image. This image may then be examined in the same way any computer image would be examined. When securing a mobile phone, always obtain the PIN code for the SIM if possible. Also record the make, model, colour and condition of the device. Other areas to note include:

  • IMEI, SIM card number
  • Hardware/Software Used
  • Data recovered

The forensic process is highly dependent on the make and model of the device. Any process should include an attempt to obtain the following:

  • Call Logs, Phonebook
  • Calendar
  • Text, Audio, Video
  • Messages sent/received
  • Internet cache, settings
  • Hex dump of the device’s filesystem

Where possible, a hex dump of the system is the most important thing to obtain. With this information, a standard forensic analysis may be conducted and in many cases the filesystem can be checked for known malware signatures. On newer phones such as the iPhone and Mio A701, the GPS logs can provide information about the movement of the device.
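One of the things the tools listed above do with a flash file is PDU decoding: SMS messages are stored in the handset in the same GSM 03.40 wire format the network delivered them in, with nibble-swapped BCD addresses and timestamps and 7-bit packed text. The decoder below is an added example written for this article; it is not code from Pandora’s Box, CPA or any other product named here. The sample PDU is the widely published “hellohello” SMS-DELIVER test vector, embedded so the script runs offline; the two-digit year pivot is an assumption, and messages with a user data header (concatenated SMS) are rejected rather than mis-decoded.

```python
"""Decode a GSM 03.40 SMS-DELIVER PDU of the kind carved from a flash dump.

Added example for this article; not code from Pandora's Box, CPA or any
other product named above.  SAMPLE_PDU is the widely published 'hellohello'
test vector, embedded here so the script runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# GSM 03.38 default 7-bit alphabet, basic table only (escape-table characters
# such as '[' and '{' are not translated here).
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
assert len(GSM7_BASIC) == 128

SAMPLE_PDU = "07917283010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9EC37"


@dataclass
class SmsDeliver:
    smsc: str
    sender: str
    pid: int
    dcs: int
    timestamp: datetime
    text: str


def _swap_digits(raw, ndigits):
    """BCD digits are stored nibble-swapped: byte 0x72 holds '2' then '7'.
    An odd digit count is padded with 0xF, which the slice drops."""
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)
    return digits[:ndigits]


def _address(raw, ndigits, toa):
    """Type-of-address bits 6-4 give the numbering type; 001 is international."""
    number = _swap_digits(raw, ndigits).rstrip("F")
    return "+" + number if (toa >> 4) & 0x07 == 1 else number


def _unpack_7bit(data, septets):
    """GSM 7-bit packing: septets laid out LSB-first across octets."""
    acc, nbits, out = 0, 0, []
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(GSM7_BASIC[acc & 0x7F])
            acc >>= 7
            nbits -= 7
    return "".join(out)


def _scts(raw):
    """TP-SCTS: YY MM DD hh mm ss tz as swapped BCD.  tz is in quarter hours;
    its sign is bit 3 of the raw octet (0 = east of GMT)."""
    yy, mo, dd, hh, mi, ss = (int(_swap_digits(raw[i:i + 1], 2)) for i in range(6))
    tz = raw[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    offset = timedelta(minutes=15 * quarters) * (-1 if tz & 0x08 else 1)
    year = 1900 + yy if yy >= 80 else 2000 + yy  # two-digit year: assumed pivot
    return datetime(year, mo, dd, hh, mi, ss, tzinfo=timezone(offset))


def decode_sms_deliver(pdu_hex):
    """Walk the PDU field by field and return the decoded message."""
    pdu = bytes.fromhex(pdu_hex)
    smsc_len, pos = pdu[0], 1               # SMSC length is in octets, incl. TOA
    smsc = ""
    if smsc_len:
        smsc = _address(pdu[pos + 1:pos + smsc_len], 2 * (smsc_len - 1), pdu[pos])
        pos += smsc_len
    first, pos = pdu[pos], pos + 1
    if first & 0x03 != 0:                    # TP-MTI 00 = SMS-DELIVER
        raise ValueError(f"not an SMS-DELIVER PDU (TP-MTI={first & 0x03})")
    if first & 0x40:                         # TP-UDHI: a header precedes the text
        raise ValueError("user data header present; concatenated SMS not handled")
    ndigits, toa, pos = pdu[pos], pdu[pos + 1], pos + 2   # sender length in digits
    nbytes = (ndigits + 1) // 2
    sender = _address(pdu[pos:pos + nbytes], ndigits, toa)
    pos += nbytes
    pid, dcs, pos = pdu[pos], pdu[pos + 1], pos + 2
    stamp, pos = _scts(pdu[pos:pos + 7]), pos + 7
    udl, user_data = pdu[pos], pdu[pos + 1:]
    # DCS bits 3-2 select the alphabet in both the general and message-class groups
    if dcs & 0x0C == 0x08:
        text = user_data[:udl].decode("utf-16-be")   # UCS-2, UDL counts octets
    elif dcs & 0x0C == 0x04:
        text = user_data[:udl].hex()                 # 8-bit data, shown as hex
    else:
        text = _unpack_7bit(user_data, udl)          # 7-bit, UDL counts septets
    return SmsDeliver(smsc, sender, pid, dcs, stamp, text)


if __name__ == "__main__":
    print(decode_sms_deliver(SAMPLE_PDU))
```

The service-centre timestamp is the network’s clock, not the handset’s, which is why it is worth decoding separately: a dump whose SMS timestamps disagree with the phone’s own call-log times is telling you something about the device clock. Note too that the UDL counts septets for 7-bit text but octets for UCS-2 and binary, a detail that silently truncates or over-reads messages when it is ignored.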

Craig Wright (GCFA Gold #0265) is an author, auditor and forensic analyst. He has nearly 30 GIAC certifications, several post-graduate degrees and is one of a very small number of people who have successfully completed the GSE exam.