“…..According to a new study by Cyber-Ark, many employees leaving their jobs aren’t above adding a little something to their separation packages: Confidential corporate data. Of the 600 financial sector workers surveyed on Wall Street and London’s Canary Wharf who lost or left a job last year, 41 percent admitted to taking confidential company data with them. Exactly half, 50 percent, said they would steal company information if they were fired tomorrow, and 39 percent said they would download it if they felt their job was at risk. Nearly a third, 28 percent, would use the information to negotiate their next position. The most commonly stolen data: Customer contact lists that could be leveraged at a new job.“

“Hackers have released an application designed to thwart a Microsoft-packaged forensic toolkit used by law enforcement agencies to examine a suspect’s hard drive during a raid. The hacker tool, dubbed DECAF, is designed to counteract the Computer Online Forensic Evidence Extractor, aka COFEE……..

This week two unnamed hackers released DECAF, an application that monitors a computer for any signs that COFEE is operating on the machine. According to the Register, the program deletes temporary files or processes associated with COFEE, erases all COFEE logs, disables USB drives, and contaminates or spoofs a variety of MAC addresses to muddy forensic tracks……..”

A recent web post found here and here is an article titled “Who’s Been Viewing Your Gmail?” This article explains that Gmail includes a feature which will display the recent activity of your Gmail account. Near the very bottom of your Gmail screen is the word “Details.” This is what it looks like:

When you click on Details, you get this:

This shows that my Gmail has been accessed from two different IP addresses. That’s OK for me, this is consistent with my own Gmail activity. However, in other circumstances, the activity might indicate unauthorized access to your Gmail. 

A VERY useful little tool.

“Weaponizing Apple’s iPod Touch“

In this case, the weaponized iPod Touch is being used by the forces of good, not evil. A network security expert loaded hacking tools on the device:

“It fits behind a coffee machine, inside a desk drawer, or in your pocket, and it doesn’t arouse suspicion if you walk into a bank or office tapping away on it — and that’s why a security expert has turned an iPod Touch into a full-blown hacking tool………Apple’s seemingly benign iPod Touch can be converted into a portable and stealthy penetration testing or attack tool. He outfitted the iPhone cousin with the popular Metasploit software for exploiting vulnerabilities, as well as password-cracking and Web app hacking applications he was able to easily download onto the device…..”

“……I started taking a look into how I could use historical information derived from an acquired image to perform geolocation…….during the course of an exam, you may determine that the system was used to connect to multiple wireless access points (WAPs)…….”

He goes on to explain that you may be able to recover from the Registry the MAC address of that WAP. You may be thinking, OK, how does that MAC address translate to an actual location, AKA geolocation?

There is a database being used today by devices like the iPhone that contains that kind of information – the Skyhook Wireless database. And it is possible, just possible, that the MAC address which was recovered from the Registry is in that database. So you might just end up with an actual, physical location of that wireless access point!

And,

The Palm Pre Operating System

Wkikpedia: “Palm webOS is a smartphone platform, powered by Linux, and developed by Palm. The Palm Pre smartphone is the first device to launch with webOS, and both were introduced to the public at the Consumer Electronics Show in Las Vegas on January 8, 2009. The Palm Pre and webOS were released on June 6, 2009. The webOS features significant online social network and Web 2.0 integration.”

“Palm publishes a webOS software development kit called Mojo, which was released July 20, 2009. Developer mode can be accessed from the launcher screen of the Pre by typing the phrase “upupdowndownleftrightleftrightbastart” (well-known as the Konami code). webOS has a built-in application catalog, and APIs for extending JavaScript in order to access hardware features of the device.[6] Although many of the pre-loaded applications available on webOS are based on the original PIM applications available on Palm OS, webOS is a completely new platform using Linux.”

“Technological change is never easy. Or quick. Or perfect. Just look at the New York City Police Department. The NYPD made unfortunate news this week when the New York Post reported that New York City had signed a nearly $1 million contract with a vendor to purchase thousands of new manual and electric typewriters during the next three years. The NYPD’s typewriter needs, noted the article, accounted for the bulk of the contract.”

“According to the Post article, NYPD cops “still use typewriters to fill out property and evidence vouchers, which are printed on carbon-paper forms. There are typewriters in every police precinct, including one in every detective squad.” (The NYPD “is working on software to eliminate the old machines,” a police representative told the Post.)“

“The researchers say that social networks leak information through a combination of HTTPheader information — the Referer header and the Request-URI — and cookies sent to third-party aggregators such as Google (NSDQ:GOOG)’s DoubleClick, Google Analytics, and Omniture, among others.

 As a consequence of this leakage, third-party aggregators can potentially link social network identifiers to past and future Web site visits, thereby identifying a person and his or her online activities.

 ”The ability to link information across traversals on the Internet coupled with the wide range of daily actions performed by hundreds of millions of user on the Internet raises privacy issues, particularly to the extent users may not understand the consequences of having their PII [personally identifiable information] available to aggregators,” the study states.

 The study notes that while the privacy policies of the third-party aggregators typically declare the sharing of non-indentifying information, they don’t make it clear that an identity can often be derived from supposedly non-identifying information.

 ”What we are clearly trying to establish with this work is that these third party companies are receiving information about us from online social networks,” said Wills in a phone interview. “When you or I create an account on an online social network, there’s a unique identifier that’s always associated with your account. That account number is being passed along to these third party aggregators. And along with the cookies these aggregators are already maintaining, they now can link that cookie to a social network identifier.”

Last month, a court decision stated an IP address was NOT personally identifiable information because they identify computers, not users. It looks to me like the social network account identifier definitely IS personally identifiable information.

“The New Zealand Police force has launched a new virtual evidence tool as they celebrate the 25th anniversary of their e-Crime Lab. The Environment for Virtualised Evidence (EVE) application was launched at an event in Wellington today.EVE, created by the New Zealand Police Electronic Crime Group, consists of a combination of off-the-shelf software and custom development. Delivered through a web interface, EVE allows investigators to examine a seized computer or storage device, using search tools or a virtual representation of the device to keep it forensically safe and not put evidence at risk. Digital forensic examiners faced with a complex inquiry can spend weeks delving into a computer to find the traces of evidence required for a successful prosecution, Police say. Further, with the proliferation of computers and storage devices such as mobile phones and PDAs the number of devices seized outweighs the availability of forensic specialists to analyse them. In New Zealand, detectives typically had to wait four to six months for the results of computer forensic analysis, Police say.”

AND

“EVE, which cost around $500,000, allows functions normally completed by forensic specialists to be shifted to investigators, who are better placed to know what is relevant to an investigation. EVE is also available across New Zealand over the Police network.”

So, a system available over the police network via web access…..and it allows detectives to perform some of the work normally completed by the digital forensics expert. Sounds awesome to me!

CELLPHONES vs. SMARTPHONES

Are there really any mobile phones out there any more that don’t have some kind of “advanced” features such as slots for “micro” memory cards, or text messaging, etc? Sure, there are a few. However, the amount of STORAGE in the average mobile phone has increased dramatically. The amount of stored data will be a major issue:

“….the average storage and capabilities of phones has been increasing. In the past two years I’ve seen the average size of a phone examination (what we archive following  completion of the job) increase from 50-150 megabytes to more than half a gigabyte. That doesn’t sound like much, but when you consider the bulk of phones are still the smaller, older phones, this means anything newer has an average content size of a gigabyte or more, especially when considering the memory card. New HTC handsets (such as the Touch HD for example) can accept MicroSDHC card upto 32GB.”

AND

“While the basics remain the same, standard mobile phone content may be the same, but the way it is stored is changing. SMS messages can be stored on memory cards on a number of handsets. When you think of the size of commercially available memory cards (as previously mentioned), the amount of messages that can be stored in this manner is massive. If a handset is examined and the memory card is not treated correctly, this kind of content can easily be missed.”

BASICS

In addition to increased storage and capability issues, what about the basic procedures used by examiners? One such procedure is the use of a Faraday bag to shield the mobile phone from incoming communications, thereby preserving the integrity of the evidence. But could this basic procedure actually damage the investigation?

“For road traffic accidents, using containiment bag methodology for seized or recovered switch ON cellphones can be problematical because location data can be lost by isolation in a containment field whether that be mobile network data and/or where GPS data.”

AND

“Many of the high-end, sophisticated smart phones like Blackberry may have security policies in place whereby a prolonged absence from the radio network can force a lock and/or data wipe.”

How many mobile devices contain GPS data? What about “remote wipe” capability? It looks to me like a lot of new tools and new processing procedures are needed, and needed right now.