by Christa Miller, Forensic Focus
The oldest of the trio of Techno Security and Digital Forensics Conferences, the Myrtle Beach event marked its 21st year this June 2-5. More than 900 people representing the Americas, Europe, Asia, and Africa converged on the Marriott Grande Dunes resort for three days packed with lectures, hands-on labs, vendor exhibitions, and networking. Receptions on both Monday and Tuesday nights were well attended, with conference-goers lining up on the hotel’s outdoor patio for refreshments.
About 95 speakers presented more than 100 session topics ranging from digital forensics and incident response to information security; from investigations to ediscovery; and audit/risk management. Forensic Focus recaps session highlights below.
Day 1: DVR Analysis, Cloud Investigations, AI-Enabled Image Recognition, Modern-Day Acquisition, and Telegram Forensics
The conference kicked off at noon on Sunday. Jimmy Schoering, CTO at DME Forensics, began by sharing two case studies in which digital video recorder (DVR) evidence was needed for homicide investigations.
Schoering detailed his testing process including documenting baseline dates, times, and log entries, then using test data to determine how date/time changes would be reflected in the logs. He also discussed how to establish what’s on the DVR, including using frame-level metadata to show overlaps, overwrites, and time changes, and how answering “how and where” might help answer “who and why.”
In addition, Schoering covered how the subtle differences in the written report’s language that could be used in testimony at trial. Showing that the DVR wasn’t in service and recorded no data, for instance, is very different from showing simply that video couldn’t be recovered due to being overwritten.
Cloud investigations have historically been one of the trickiest for many investigators to implement owing to thorny legal questions. That was reflected at the start of a talk by Magnet Forensics’ Trey Amick, who spoke about when and why to include evidence from the cloud in investigations.
Why is it important? For one thing, only 2 weeks’ worth of Facebook Messenger conversations are stored on a person’s device; the rest remain cached in the cloud. Pixel smartphone owners are offered unlimited Google Photos storage. Cloud-based data can still provide evidence, even if suspects destroy their phones to prevent evidence collection.
Amick described different acquisition methods, including having subjects do their own Google Takeout, using the passwords or tokens stored within the device to search (assuming either a search warrant or other legal authority to do so), and conducting a “plain view” search using publicly available data such as tweets (commonly known as open source intelligence or OSINT).
In most cases, however, it’s wise to authenticate the collected data by serving the provider with a search warrant. Amick cautioned that this can take time, but is worth it to validate the evidence by matching key data points.
Next up was BlackBag Technologies’ Director of Training, Matt McFadden, who presented on how to leverage deep machine learning to triage pictures and videos. McFadden described how media categorization can go beyond skin tone — and the “AI buzzword” — to obtain results faster and more efficiently by making the computer do most of the heavy lifting.
This is especially important when it comes to identifying unknown images — in other words, images not already in Project VIC, Innocent Images, or other databases — that can indicate production and/or new victims. Even in cases that don’t involve child exploitation, newly identified images can be run against data from old cases, potentially helping to develop leads.
McFadden stressed that human eye verification is still needed, and that once identified or located, images need to be investigated further: examiners must analyze filenames, storage locations, timelines, permissions, media source(s), and file types, as well as determining who else has access to the computer and/or browser cache. He called this the difference between simply clearing and investigating case backlogs.
McFadden’s presentation was followed by Dr. Bradley Schatz of Schatz Forensic, makers of Evimetry. Schatz offered a roadmap to what’s changed in forensic acquisition of modern evidence, beginning with numerous challenges that all act to slow acquisition speeds. To meet these challenges, Schatz argued for a rethinking of acquisition workflow methodology: Advanced Forensics File Format (AFF4).
While Schatz will be publishing the results of his emerging work in July at the Digital Forensics Research Workshop (DFRWS) in Portland, Oregon, he provided an overview in this session. AFF4 offers an advantage over triage in that it not only reduces latency, but can speed up acquisitions at the same time that it supports both live analysis and metadata collection.
In other words, AFF4 reduces delays by allowing analysis and acquisition to be accomplished at the same time. Its nonlinear acquisition strategy turns triage into forensically reproducible activity by ensuring all files, metadata, etc. have all necessary NTFS timestamps. In this way, analysis/processing during acquisition gives answers hours and days earlier per device.
If you’re interested in learning more, the AFF4 code is available in the pyaff4 Github.
Day 1’s final presentation in the digital forensics track came from Yuri Gubanov, CEO/Founder of Belkasoft, who covered Telegram Messenger investigation on mobile devices.
Describing how Telegram was created with security in mind — features include secret chats, time-limited messages, end-to-end encryption, and even notifications about screenshot taking of secret chats — Gubanov discussed forensics of the Telegram app on both rooted Android and jailbroken iOS devices (as well as ADB and iTunes backups).
In addition to database structures and artifacts available on both platforms, Gubanov discussed SQLite forensics: finding additional artifacts in freelists, write ahead logs (WALs) or (in older Android versions) journals, and unallocated space.
Sessions were followed by a reception in the exhibit hall, where more than 55 exhibitors joined the conference. The informal gathering saw longtime conference attendees joined by new faces, and was a good opportunity for many to catch up with old friends and make new ones.
Day 2: Keynote; Forensics on Drones, Chromebooks, and the Internet of Things
Monday’s sessions kicked off with a fast-paced keynote by Sherri Davidoff, founder and CEO of LMG Security and BrightWise, on “Emerging Threats and How to Counter Them.” Citing statistics showing that the average data breach costs $3.9 million, Davidoff described how small businesses, local governments, and schools can be devastated by banking trojans, ransomware, and cryptojacking.
In large part, this is owing to a multitude of factors, from poor implementation of security tools to criminals’ sophistication. Organizational issues like high turnover and fear of legal repercussions factor in, too.
These issues have been perhaps never more critical than now. With 30 billion IoT devices estimated to be online globally by 2020, Davidoff cautioned that the potential goes far beyond simply using IoT devices to power internet outages, as the Mirai botnet did in 2016. She predicted an uptick in cryptojacking, which could potentially allow criminals to lock and ransom building access, cameras, and other physical security measures.
Davidoff’s position is to take a similar approach as in healthcare: assume your organization is breached unless proven otherwise. One of her most important takeaways, therefore, is the need for smarter spending, i.e. refocusing from “big, fancy equipment” to organization and communication. That includes:
- Overcoming embarrassment and fears around duty-to-notify laws (and the associated potential for financial repercussions).
- Better process between legal, IT, and other departments.
- Refocusing from restoring operations to investigations — finding out how attackers got in a network, what data they got, how long they’ve been in, and whether they’re still there.
- Spending on proactive vs. reactive strategies, such as threat hunting.
- Less glamorous but effective preventive measures such as regular, rapid system patching, 24/7 monitoring that includes tests on weekends and holidays, email filtering with attachment restrictions, employee phishing training, strong passwords and two-factor authentication (2FA), the use of virtual private networks (VPNs), and more.
- If your organization is affected by ransomware, Davidoff shared her “Ransomware Dos & Don’ts (available as an article on LinkedIn).
Just as criminals build relationships to distribute their wares, Davidoff further stressed, so does anyone involved with security. Information sharing, backed up by laws and regulations that encourage openness, is also key.
Following the keynote, the day’s first digital forensics track session focused on visualizing unmanned aerial system (UAS) forensic data. David Kovar and Greg Dominguez of Unmanned and Robotics Systems Analysis (URSA) focused on the need for visualized data to contextualize drones and the environment in which they’re found.
UASs are complex — involving multiple pieces of hardware, as well as variables like the weather, battery power, the human operator, and data at rest and in motion across these pieces — so forensic examiners need to investigate a full range of paper trails and data from multiple sources to help contextualize your findings and the actions you took on scene. The end goal: understand (and potentially present to attorneys) what the operator(s) were looking at and why the drone was there.
Jessica Hyde, Director of Forensics at Magnet Forensics, then offered research on Google Chrome operating systems and Chromebooks. The devices’ cost-effectiveness, easy availability, low maintenance requirements, and relative security means more people and organizations are purchasing them.
Hyde’s presentation described various details around the ChromeOS integrated media player and file manager, as well as its ability to run any app from the Google Play store via built-in Android emulation. Perhaps most importantly, while Chromebook evidence can indeed be obtained via cloud acquisition or Google Takeout, the devices also can support a hard drive and store data locally.
Hyde stressed that challenges — and research opportunities — abound, including imaging, encryption, and what artifacts are possible to obtain for analysis. (Hint: artifacts are Chromium OS-based and in addition to browser-related ones, could include Linux shell artifacts like .bash_history.) In addition, Google Takeout only comprises browser history, not current/last tabs/sessions, cache or downloads that can prove nefarious intent.
Want to start on your own research? Hindsight, made by Ryan Benson, supports Chromium browser forensics; support for Chrome OS paths is included.
The afternoon’s sessions began with a panel discussion on forensic certifications: why to get them, which ones to get, and in what order. Jared Coseglia, founder and CEO of TRU Staffing Partners, moderated the discussion between Stroz Friedberg’s Nathan Mousselli and Special Counsel’s Doug Brush. Describing a “full ecosystem” of core, advanced, proactive, and managerial-level certifications, the panel discussed:
- Exploring the different options that can lead down various competency pathways, and time and monetary requirements — including obtaining certifications on your own time and expense.
- How disciplines like privacy, e-discovery, or cybersecurity generally lack Bachelor’s-level degrees, which can pose a challenge to those seeking a clearly defined career path.
- Tool-specific certifications mean that individuals can become as “billable” as possible, making it possible for employers to leverage them more quickly.
- Different verticals might assign different levels of importance to different certifications depending on the types of work — mobile vs. hard disk vs. network forensics, etc.
- Certification maintenance depends on where you are and where you’re going in your career: from defensive to offensive security, for example, or from incident response on local networks, to AWS or other cloud-based environments.
- Obtaining training may require some creativity. For example, Brush persuaded his employer to sponsor classes for free in return for a free seat. He credited active community involvement in helping his staff to obtain their certifications, too.
Following the panel, Mike Raggo, chief security officer at 802Secure, presented on IoT wireless network forensics. Having presented at both RSA and DEFCON, Raggo described research on IoT cameras, USB ports, and smartwatches.
Raggo’s presentation echoed Davidoff’s keynote in discussing how IoT risks impact more than infosec and IT: facilities, retail, operations, building automation etc. can all be affected by data center disruption, data loss and credential theft, and IP theft or espionage. IoT breaches can also impact emergency response to fires, pathogens, floods, or simple power outages.
For example, a point of sale (POS) device in one organization were discovered to have Bluetooth radios installed, while Raggo cited research showing that 50 percent of organizations have at least one spy camera undetected by network security products currently in place.
Day 3: CCleaner Research, Emoji Artifacts, Malware Analysis, Private Browsing, and Identifying Darknet Suspects
Starting Techno’s third day was Kathy Helenek, of Digital Intelligence, who questioned whether a suspect’s use of CCleaner is really the end of forensic investigations as we know them. Her research compared forensic artifacts from systems that deployed both normal and “secure” deletion processes with CCleaner.
What she found: with a few exceptions and even surprises, CCleaner’s Secure Delete indeed does what it claims. While she was able to recover numerous registry artifacts, shell items, metadata, and files following “normal” deletion, in most cases, “secure” deletion replaced alphabetic characters with Z’s and numeric characters with 0’s.
Helenek stressed to check artifact locations and validate if you see CCleaner has been run. Consider alternative ways, such as the use of volume shadow copies, carving, or syncs from Google or other devices to obtain the data, since tools are unlikely to see it. If the disk’s free space isn’t wiped, you may be able to recover some data files.
Helenek’s research involved using several tools written by Eric Zimmerman: in particular, Registry Explorer and Jump List Parser. Further testing is needed on roaming profiles and SQLite databases’ free pages.
Following Helenek’s presentation, Preston Farley, a Special Investigator with the Federal Aviation Administration (FAA), presented research on the forensic implications of emojis. Notably, when parsing private or text messages, social media posts and comments, email, and in some cases even usernames and passwords, you may encounter rendered — and unrendered — emoji, or the pictographic symbols used to denote emotions and in some cases, replace alphanumeric characters.
Courts struggle to address emoji. However, because many people communicate in emoji and Unicode’s emoji set grows every year, Farley’s presentation brought to light two different issues with interpreting emojis: a technical layer, and a social layer.
- On a technical level, Unicode support suggests, but doesn’t define, an emoji’s appearance; a “grinning face with smiling eyes” may look very different across Apple, Google, MS, Samsung, LG, HTC, Twitter, FB, Mozilla, Emoji One and others. Additionally, the Unicode Private User Area enables private parties to create their own emojis (often associated with proprietary logos), making it possible to use emojis no one else is familiar with.
- On a social level, people use emojis to communicate high level ideas without language mastery when they’re less literate or communicating across languages and cultures. However, what means one thing in one community can mean something totally different elsewhere — emojis are open to interpretation. This has obvious implications for investigators seeking to prove intent.
Farley argued that emoji support is currently a “huge void” among forensic tools, a gap that needs to be filled. Tools such as PyMoji.py can help, but broad support is needed: because the tools rely on operating systems, if emojis aren’t rendered on the system, they won’t be in the forensic tool, either.
Luiz Borges and Wilson Cordeiro, consultants with Brazilian firm TechBiz Forense Digital, presented “Malware Analysis and Reverse Engineering for Dummies,” including how to set goals: to data mine what happened and locate all infected machines/files; to determine what it does, how to detect it, how to contain/measure damage, and develop signatures to proactively hunt; host-based signatures detect infections on computers, network-based signatures; figure out how malware works.
The two fundamental approaches that Borges and Cordeiro covered were:
- basic / static: examining malware without running it
- dynamic analysis, running it (safely on an environment without risk of damage to system or network)
Other parts of the process include checking the executable’s libraries and functions once found, then using Process Explorer to see everything (including memory) running and consuming resources on the system. Likewise, when running the malware, use Procmon to identify every process plus changes being made on the system.
Borges and Cordeiro also demonstrated how to use Lightshot to take system snapshots to compare any filesystem changes. This kind of research, they stressed, is constant because just as you learn about one piece of malware, adversaries respond with new variants. Keep learning!
Forensic analysis of private browsing mode activity was the subject of a presentation by Joe Walsh, MCJ Program Director and Instructor of Criminal Justice/Computer Science at DeSales University. Contrary to marketing messages about the ability to browse without leaving traces, internet service providers (ISPs) still log what you’re doing, and are accessible to investigators with the proper legal authority.
Walsh’s research tested six browsers tested in six separate virtual machines using exactly the same activity, including searches, clicks, in-depth site visits, video watching, social media activity, etc. At the conclusion of each stage of research, Walsh captured RAM, which turned out to be key to his findings: while little browsing data was found on the hard drive, all browsers left some activity in RAM.
Therefore, while conventional wisdom dictate turning off the computer during a seizure, you should plan to modify your best practices to capture RAM before turning off the machine. Otherwise, a suspect’s attorney can mount a credible defense that the RAM you didn’t capture could have proven their client’s innocence, potentially leading to exoneration.
Walsh’s plans for future research include macOS, TAILS (The Amnesiac Incognito Live System, whose OS boots off a flash drive on computers with no hard drive), and mobile devices.
Also on the web-browsing continuum, Dr. Gareth Owenson, of Searchlight Security, spoke about how law enforcement can “hack” to identify darknet suspects.
After describing how Tor works to protect its users’ anonymity through a network of relay points, as well as how its “onion layers” work for encryption, Owenson described routes to deanonymization, with a focus on identifying users rather than sites.
This is possible through, as in many other criminal investigations, following the money: although most darknet transactions happen in cryptocurrency like Bitcoin, these aren’t actually anonymous because users want to turn it into cash to spend. Additionally, users often rely solely on Tor security, and don’t layer it with their own opsec (operational security).
Owenson showed how Searchlight’s Cerberus platform intercepted private messages between users revealing identifying information — Bitcoin wallet, email, home address, name — and how it can target MAC and IP addresses, along with user IDs (UIDs), to target users who are downloading or distributing illicit images.
Day 4: Forensic Identification of Fake Photos, Windows 10 Timeline Analysis, and Wearable Device Forensics
Techno’s final sessions took place on Wednesday morning. First in the digital forensics track: at a time when faked images and videos are feared to have alarming political, social, economic, and religious impacts in societies worldwide, Chet Hosmer, founder and technical author at Python Forensics, presented on the forensic identification of fake photos.
In contrast to steganography, fake photo research isn’t about hiding random data in a single pixel within an image. Rather, it’s about using algorithms to identify how images are merged, using anomalies that occur during the process of merging. The focus has shifted, too, from identifying illicit content, to protecting legitimate content.
To that end, Hosmer demonstrated the proof of concept Fake Image Analysis Testing Script (FIATS) core Python open source script, showing how anomalous integrations with a subject’s background are marked (as pixellations).
By looking at each pixel as a cell making up a grid, it’s possible to look at a single pixel as a center point in certain parts of an image, then look at that point and its surrounding pixels to see anomalous transitions. Applied to video, the FIATS technology performs this operation frame by frame to detect manipulation. Hosmer’s team is currently working on applying the technology to “deep fake” analysis.
Next, Spyder Forensics founder and CEO Rob Attoe presented on Windows ® 10 timeline analysis. An “immersive” browser of user activity across all devices — Office files interacted with, websites visited, graphics viewed, games played, etc. — the Windows 10 timeline offers up to 30 days of activity history for each account across devices where the user logged in. That includes OneDrive ® synchronization from each device.
Some of the takeaways from Attoe’s talk include debunking the “malware put it there” defense by recording how long the user interacted with a given file, as well as wherever the mouse or keyboard is active in a particular window and whether content was copied and pasted.
Attoe covered timeline, cloud account, and synchronization settings (including when group policies may be set in a corporate environment), as well as SQLite databases like activitiescache.db and timestamps such as lastmodifiedtime, expirationtime, createdincloud, starttime, enditime, and lastmodifiedonclient.
The conference’s final digital forensics presentation came from Nicole Odom, Forensic Scientist Trainee at the Virginia Department of Forensic Science. “Go-Go Gadget, Smartwatch” described Odom’s investigation of wearable devices and their forensic value in both connected and standalone states.
As smartwatches grow in popularity thanks to users’ interest in their convenience in tracking fitness activity and other tasks, Odom sought to understand interactions between wearables, phones, and cellular networks; what kind of probative evidence each might store; and locations of user data and artifacts.
One of the most interesting parts of the presentation was Odom’s description of her persistence in testing different methodologies to find the most viable, minimally invasive processes. By combining commercial tools, developer tools such as Tizen Studio SDB, and even constructing her own cables, Odom showed that a willingness to experiment (and document the outcomes) is often as important as the results.
Odom was also able to use her research to contribute to open source tools, and to develop her own: Gear Gadget is a data extraction tool for Samsung Gear S3 wearables. It’s available for download here and a GUI-based version is planned. Odom also contributed to the Artifact Genome Project.
The team’s research was presented at the 71st Annual American Academy of Forensic Sciences meeting in February 2019. Their paper will be published in an upcoming issue of Journal of Forensic Science. Future research will explore mounting wearables to PC, logfile and timeline artifact analysis, deciphering fitness data, advanced acquisition, Apple Watch encryption, and the use of Elcomsoft’s iOS Forensic Toolkit for wearables.
Future Techno Security & Digital Investigations events will take place September 30 – October 2nd in San Antonio, Texas; March 9-11 in San Diego, California; and May 31 – June 3 in Myrtle Beach. Find out more here.