
CEIC 2012 Day 3 – Time Bandits (Time Line Analysis)

For the second time I had the opportunity to sit through a session taught by Rob Lee. If you have not had the chance to learn from Rob or hear him speak you are missing out. The crowds seem to follow Rob and this session was no different. Within minutes the largest session room at the conference was full and people were sitting in the back of the room.

Rob started off by talking about what forensic investigators need to accomplish before they can be proficient in advanced time line analysis. For the second day in a row I give my quote of the day to Rob. He used the phrase “conversational forensics”. I knew exactly what he meant by that phrase before he defined it. “Conversational forensics” means you have the ability to talk shop with someone else in this industry with ease and fluency. If you were to start talking about a case you were having issues with, would you be able to explain where you have looked within the case and have a conversation about specific prefetch files, .lnk files, or UserAssist entries? Until you can freely converse in forensic terms, with the ability to walk or talk through a specific case, you do not have the skill set of “conversational forensics”. This tidbit is neither here nor there, but it gives you an idea of how much knowledge you really do need to perform advanced time line analysis.

To be successful with advanced time line analysis Rob believes you need to be proficient in three areas:

File system data

Windows artifacts

Registry keys

When you are dealing with logs from a system or server it can feel overwhelming when you pull them up for the first time. If you have seen a 2-5 GB log file you know what I mean. Trying to find the time stamps and files involved in your investigation is like trying to find 2-5 specific grains of sand on a beach. Since there is a vast amount of data to be sorted through it is a good idea to find a “pivot point”. This pivot point could be a point in time or an event, but it will give you somewhere to start. Examples of pivot points may be:

Time of an incident

Network activity (specific packets leaving)

Process Activity aka Memory Analysis

Name of a File – ex: topsecret.pdf

Type of File lost or accessed

Activity – USB keys, downloads, or file wiping

With regards to file wiping, food for thought here: how do you wipe the WIPER? I ask this because Rob explained very well that anti-forensics will always exist, but they never cover all of their tracks. Even the most advanced adversaries can’t hide everything perfectly.

Once you have your “pivot point” there are several steps you can follow to make your job easier. First you need to determine the scope of your investigation, then narrow your pivot points, determine best practice, filter your timeline, and finally analyze the time line. If you don’t have a time line analysis tool, Rob suggested log2timeline. Just google it and you’ll find it. As a teaser he also mentioned that the new SIFT workstation may have these tools sometime soon.

Once you feel you have found your data you need to prove, or show, four things: the date of involvement, the artifact involved, the action of the artifact, and the source of the data artifact. This will ensure that you can explain where, what, and how this happened.

If you were looking into a breach where top secret files were loaded onto a USB drive by a current employee, you can obtain certain information to start your analysis. When was the drive first seen, and how does that line up with this user’s login time stamps? You can then boil this down further by finding UserAssist entries (executables run) along with USB keys. When you can determine a time when a USB device was inserted and logged by the system, you can look for LNK entries that show your specific files being opened.
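As an added illustration, not material from Rob’s session or from log2timeline itself, here is a small Python pivot-and-filter over a constructed log2timeline-style timeline: it takes the USB insertion as the pivot, narrows the timeline to a window around it, pulls the LNK entries for files opened while the device was present, and reduces a row to the four things to show (date, artifact, action, source). The CSV column layout and every row are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed rows in the shape of a log2timeline-style CSV export
# (timestamp, source, artifact, description). Every value here is made up.
SAMPLE_TIMELINE = """\
2012-05-21 08:02:11,EVT,Security,Logon user jdoe
2012-05-21 09:14:03,REG,UserAssist,explorer.exe run count 42
2012-05-21 09:15:40,REG,USBSTOR,Device inserted Disk&Ven_Kingston serial 0C9D
2012-05-21 09:16:05,LNK,Recent,topsecret.pdf opened from E:\\
2012-05-21 09:16:30,LNK,Recent,budget.xlsx opened from E:\\
2012-05-21 09:40:00,REG,UserAssist,winword.exe run count 7
2012-05-21 17:58:22,EVT,Security,Logoff user jdoe
2012-05-22 09:16:05,LNK,Recent,topsecret.pdf opened from C:\\Users\\jdoe\\Documents
"""

def parse_timeline(text):
    """Parse the CSV rows into dicts with a real datetime so they can be compared."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, artifact, desc = line.split(",", 3)
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "source": source, "artifact": artifact, "desc": desc})
    return rows

def find_pivots(rows, artifact="USBSTOR"):
    """Pivot point: every entry recording a USB device insertion."""
    return [r for r in rows if r["artifact"] == artifact]

def filter_window(rows, pivot, before=timedelta(minutes=5), after=timedelta(minutes=30)):
    """Narrow the timeline to the events around one pivot instead of the whole log."""
    lo, hi = pivot["ts"] - before, pivot["ts"] + after
    return [r for r in rows if lo <= r["ts"] <= hi]

def files_opened_after_pivot(rows, pivot, after=timedelta(minutes=30)):
    """LNK entries that follow the pivot within the window: files opened while the
    device was present. The next-day open of topsecret.pdf falls outside and is ignored."""
    window = filter_window(rows, pivot, before=timedelta(0), after=after)
    return [r["desc"].split(" opened")[0] for r in window if r["source"] == "LNK"]

def evidence_summary(row):
    """The four things the post says to show: date, artifact, action, source."""
    return (row["ts"].strftime("%Y-%m-%d %H:%M:%S"), row["artifact"], row["desc"], row["source"])
```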

By no means is this blog going to provide as much detail as Rob did, but it gives you an idea of the complexity of timeline analysis and the knowledge it takes to think outside the box and find that single grain of sand for your investigation.

Daniel Parsons

Computer/Mobile Forensic Examiner

Binary Intelligence

dparsons@binaryintel.com

www.binaryintel.com

www.twitter.com/binaryintel


Day 3 CEIC – “Culling all eDocs and eMail!”

EnCase is well known for being a powerful tool with regards to computer forensics. Some may even know it’s a powerful tool for eDiscovery, but the first session I sat through today highlighted some key features inside EnCase v6 that can help you filter out the files, folders, documents and emails you need for your specific situation. If you are able to work the eDiscovery case from an image of the server or computer it makes your life a little easier, although you can connect to your subject server or PC over a network connection in instances where imaging is not possible.

Within EnCase, Conditions are where this software can make your eDiscovery run more smoothly. When you set up conditions you can pinpoint the specific documents, files, or folders that are relevant to your case.

In the bottom right pane navigate to Conditions and right-click to add a new folder. A point made by the session teachers was to keep your folders organized. Keeping folders unique and organized can save headaches in the future when looking for that information.

When you set up a new condition you are looking for something specific and you need to determine which tab is going to give you the results you want. Unless you know the specific file name or size you will not want to utilize those tabs. With our specific exercise we utilized the Description tab to “cull” our eDocs and eMails.

When you add the condition and choose the Description tab you will need to select the operator. Selecting the operator tells EnCase what to do with the data you input. If you want to exclude all of the system folders you would choose “Find” under the operator and enter something like this (see image too):

bad

bitmap

cluster

deleted

folder

internal

invalid

overwritten

physical disk

sector

stream

system

unallocated

volume

Inserting these keywords tells EnCase that you want it to search the Description column for ONLY these words and exclude the rest. Once you’re done you double-click the condition in the bottom right pane and it will run. If you’re like me you realize right away that this will yield way too many results, but that’s the beauty of it. You can make conditions as broad or narrow as you want.

If you want to narrow the documents down further you can add a second condition to find documents within certain folders. You can insert the specific paths you know these documents are in. The list you add for this search may look like this (see second image too):

\Windows\

\WinNT\

\Program Files\

\Program Files (x86)\

\System Volume Information\

\I386\

\Temporary Internet Files\

\History\

\Cookies\

\MSOCache\

\Cygwin\

\Lost Files\

I would suggest playing with these tools and going to Guidance Software directly if you want to get more information about these tools and how to utilize the conditions more to speed your eDiscovery cases up!
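An added example, not EnCase’s own logic or anything from the session: the two conditions above applied as exclusion filters over a constructed Name/Path/Description table, so you can see which entries get culled and why. The sample entries and the matching rule (case-insensitive substring) are assumptions made for the example; EnCase’s Find operator may evaluate differently.

```python
# Constructed file-table entries in the shape of EnCase's Name / Path / Description columns.
# Names, paths and descriptions are made up for this example.
SAMPLE_ENTRIES = [
    {"name": "Q2_contracts.docx", "path": "\\Users\\jdoe\\Documents\\", "description": "File, Archive"},
    {"name": "ntoskrnl.exe", "path": "\\Windows\\System32\\", "description": "File, Archive"},
    {"name": "Unallocated Clusters", "path": "\\", "description": "Unallocated Clusters"},
    {"name": "memo.eml", "path": "\\Users\\jdoe\\Mail\\", "description": "File, Deleted"},
    {"name": "index.dat", "path": "\\Users\\jdoe\\Temporary Internet Files\\", "description": "File, Archive"},
    {"name": "budget.xlsx", "path": "\\Users\\jdoe\\Desktop\\", "description": "File, Archive"},
]

# The two keyword lists from the post: Description terms and system folder paths.
DESCRIPTION_TERMS = ["bad", "bitmap", "cluster", "deleted", "folder", "internal", "invalid",
                     "overwritten", "physical disk", "sector", "stream", "system",
                     "unallocated", "volume"]
SYSTEM_PATHS = ["\\Windows\\", "\\WinNT\\", "\\Program Files\\", "\\Program Files (x86)\\",
                "\\System Volume Information\\", "\\I386\\", "\\Temporary Internet Files\\",
                "\\History\\", "\\Cookies\\", "\\MSOCache\\", "\\Cygwin\\", "\\Lost Files\\"]

def description_hit(entry, terms=DESCRIPTION_TERMS):
    """Condition 1: the Description column contains any of the terms (case-insensitive)."""
    d = entry["description"].lower()
    return any(t in d for t in terms)

def path_hit(entry, folders=SYSTEM_PATHS):
    """Condition 2: the path lies under any of the listed system folders."""
    p = entry["path"].lower()
    return any(f.lower() in p for f in folders)

def classify(entries):
    """Tag each entry with why it was culled, or 'kept' if neither condition tripped."""
    out = []
    for e in entries:
        if description_hit(e):
            out.append((e["name"], "culled: description"))
        elif path_hit(e):
            out.append((e["name"], "culled: system path"))
        else:
            out.append((e["name"], "kept"))
    return out

def cull(entries):
    """The names that survive both conditions: the eDocs and eMail left to review."""
    return [name for name, verdict in classify(entries) if verdict == "kept"]
```

Note that the “deleted” term also culls a deleted email in this sample, which is the kind of side effect a broad Description condition produces.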



CEIC 2012 Day 2 – Kindle Forensics

My 2pm session at CEIC 2012 was a surprise and a treat. Mike Wilkinson from Champlain College gave a rather in-depth review of the Amazon Kindle and the exploits used to gain root access to its Linux system in order to obtain a forensic image.

Before I jump into his presentation I want to hit on a point he made about the phrase “forensically sound” or “forensic image”. With the ever-changing technology we face on a daily basis, utilizing exploits is sometimes the only option. Mike stated that within US law the phrase “forensically sound” isn’t used, but the word “scientific” or “scientific image” is. As a digital forensic examiner you must use tools and processes that limit data changes, but within the realm of the word “scientific” you can obtain data with minor changes to the system. Does it change the validity of the evidence? Ask yourself that and you can determine if the process is okay to continue with.

Back to KINDLE FORENSICS!

The only known option for gaining access to the Kindle (not the Fire; no exploit is known for it yet) is to enter via the system update feature. When the Kindle gets an update from Amazon it receives a bunch of files and folders for that specific update. Amazon adds a signature to each folder and file to ensure that unauthorized files cannot be uploaded. Since this is a Linux-based tablet there are options for getting around this. Within Linux you can edit the update package to do the following (this is a rough breakdown so you get the idea):

Update 1

update/file1.bin

update/\   – This backslash tells the Linux system to not worry about the next file

update/hack.bin

update/file4.bin

As you can see, you insert your script by telling Linux not to worry about that file and continue on (this is so high level that I suggest you follow the links below if you want to learn more). There are 10 files that need to be changed to run the script. Once this is done the script will install dropbearSSH, telnet, and busybox. Each of these programs is very small and takes up very little space.

When the image is taken from the Kindle it is done from a rootfs (virtual) to ensure that the system and OS files are not corrupted if the device is rebooted. Once these three programs are up and running and you have access to the rootfs, you utilize the Linux dd command to image the Kindle over SSH to a local computer where you can load it into EnCase or whichever program you prefer.

We also have the option of doing chip-off forensics on a Kindle because its memory is a 4 GB Samsung flash BGA chip. Since Binary Intelligence does chip-off forensics this may be an option for those who can’t get the data this way, or have a Kindle that is broken or damaged beyond these rooting capabilities.

computerforensics.champlain.edu will have the script and the step-by-step video available this week for review!


I hope you enjoyed this like I did!



CEIC 2012 Day 2 (Malware, keynotes, EnCE and more)

Day two is all about the hustle and bustle of getting to your registered classes before you get stuck in the nosebleeds or your seat is taken by someone on the waiting list. As a newbie I decided that I would take advantage of the review session for the EnCE test that I will be taking on Wednesday afternoon (wish me luck!). The session started out great and before I knew it I had two pages of notes and the 90 minute session was over. The review was simply that, a review, but it was great to take the time to write down facts about EnCase computer forensics that I already knew. Maybe tomorrow I will get the test done quicker and get back to the festivities of sessions and lectures before they end.

The keynote speaker for the day was General Richard Myers, who retired from his position as a member of the Joint Chiefs in 2005. The speech was very interesting and focused on cyber security. The biggest takeaway was the need for collaboration. Not just collaboration between nation leaders, but between everyone involved with security or incident response. Within this industry pride and arrogance sometimes hinder our ability to network ideas and strengths, and this stops the creation of faster, better and easier solutions to our everyday problems.

Rob Lee, from SANS, taught “Harbinger of Evil: The Forensic Art of Finding Malware”. This was my first time having the opportunity to hear Rob speak and he did great. We got a high level overview of best practices and detailed steps to identify and isolate the program or file that is “harboring the evil”. Without a doubt Rob gets the quote of the day at CEIC 2012.

“Don’t use your ninja moves if you don’t have to!” – Rob Lee was referring to the steps that take more advanced techniques to uncover and find malware.

The next two sessions will be posted this evening and will be on Kindle Forensics and the second is on the art of investigating hacking. If you have specific questions please let me know!



CEIC 2012 – Day 1

As a newer member of Binary Intelligence I have not had the opportunity to attend a digital forensic conference yet. I think it is fitting that CEIC will be my first, but it will set the bar high for those that follow. If you did not have the pleasure of attending CEIC 2012 you can follow this blog all week for updates relating to the conference and what’s going on!

Day one is all about familiarizing yourself with the conference and socializing with those within the industry. The main event wasn’t the registration, the keynote speaker, or even the first learning session; it was the amazing poolside reception put together by the conference host, Guidance Software. I must say the planner of this social event hit the nail on the head. As I turned the corner of the pathway to the pool I was greeted by a rolled-out blue carpet and a sea of people who were attending this four day digital forensic conference. There were about 4 or 5 different open bars set up around the pool and four or more buffet tables set up to eat from. The entertainment was a type of Cirque du Soleil and they set the tone of sophistication (in my opinion). The venue was the Red Rock Resort and the pool setup was amazing. It gave me a “beachy Tropicana” feel. I would have to guess there were nearly 2,000 people at this social event eating, drinking, talking digital forensic shop, networking, laughing, and simply relaxing.

I had the pleasure of sitting through a session today that focused on mobile forensics with Apple iOS systems. I chose this specific session over the others because of the drastic jump in mobile phone forensic work we have obtained at work. It isn’t a surprise that we have seen a spike in mobile phone cases. Binary Intelligence is one of maybe 2 or 3 companies who can do chip-off forensics on iPhones, Androids, and even disposable phones.

I look forward to working up a blog post for tomorrow. It’s a full day with several sessions. If you want to hear about something specific please comment below and I will make it happen!
