﻿<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/css' href='/css/feedgenStyle.css'?><rss version="2.0"><channel><title>The Newberry Group Blog RSS Feed</title><link>http://www.thenewberrygroup.com/feedGen.aspx</link><description>The latest Blog Entries from The Newberry Group.</description><copyright>(c) 2013 The Newberry Group.</copyright><ttl>5</ttl><item><title>Social Media in the Cyber Security Space</title><description>&lt;p&gt;&lt;img src="/data/images/NewberryBlog/06-2013_NewberryBlog_Banner_v2.jpg" style="float: left; margin-right: 20px; margin-bottom: 10px;" alt="Social Media in the Cyber Security Space | Ryan Steinbach | Newberry Blog" /&gt;Last fall, I started as an intern at the Newberry Group with objectives of assessing the impact of growing a social media presence, developing a strategy for social media use and executing on that strategy. After nine months, my team and I accomplished these objectives and learned a great deal about the cyber security digital community in the process. &lt;/p&gt;
&lt;p&gt;In my relatively short, but deep dive into social media strategy and development over the last two and a half years, I&amp;rsquo;ve witnessed how different the digital communities can be. The cyber security digital community is particularly fascinating. My team found that cyber security professionals tend to fall into two buckets when it comes to social media. There are those who embrace social media due to their above-average understanding of its utility, and there are those who avoid it at all costs due to their above-average understanding of the risks associated with it. &lt;/p&gt;
&lt;p&gt;This creates an interesting obstacle when engaging with the cyber security digital community. The space expects a sophisticated level of engagement, yet can also feel fragmented and reserved. It seems most companies have accepted that they need to be present on social media but there are huge disparities in utilization. Some online presences are merely placeholders while others are hosting weekly webinars. &lt;/p&gt;
&lt;p&gt;My team at Newberry decided the greatest value was between these two extremes. We saw opportunities for talent sourcing, service promotion, and partnership development, but we also needed to be realistic about the amount of capacity we could commit to these efforts. The value is there to be had, but only with the people and buy-in to capture it effectively. &lt;/p&gt;
&lt;p&gt;&lt;img src="/data/images/NewberryBlog/06-2013_NewberryBlog_EngagingInSocial.jpg" style="float: right; margin-bottom: 10px; margin-left: 20px;" alt="Social Media Engagement | Newberry Blog" /&gt;We knew we didn&amp;rsquo;t have the capacity to be active in every space or create a large amount of unique content so we focused our efforts on building out the spaces we felt had the most value and created a content strategy that balanced quality and thought leadership with consistency and practicality. &lt;/p&gt;
&lt;p&gt;Creating a social media policy also became a critical element of our strategy. The greatest enemy of engagement is uncertainty and, in a space as sensitive as the cyber security community, assessing the appropriateness of a 140-character tweet will likely lead to abandonment. We want to be as explicit as possible about our internal expectations for social media because we believe it will remove that uncertainty and foster greater internal engagement.&lt;/p&gt;
&lt;p&gt;The development of a social media strategy and policy that balanced value with capacity is the product of what has become my biggest takeaway from my time at Newberry. I&amp;rsquo;ve learned that the benefits of social media do not appear overnight. Early wins can be few and far between. But, sustainable and consistent execution of social media builds equity in a digital community that eventually translates into real company value. &lt;/p&gt;
&lt;p&gt;This kind of sustainability requires a hard look at where a company can be most effective and then tailoring that to the company&amp;rsquo;s internal capacity. Instead of leaving social media to the intern as many companies do, my team decided early on that there was no point in me doing any of the day-to-day social media work. Instead, I focused on strategy and setting up Newberry&amp;rsquo;s internal structure &amp;ndash; things that once set in place can be utilized with minimal maintenance.&lt;/p&gt;
&lt;p&gt;I&amp;rsquo;m confident that as I leave Newberry my work will be appreciated, not missed. I&amp;rsquo;ve helped give Newberry the tools to continue to build value in the cyber security digital community on their own. While this was not part of the three original objectives I had going into the internship, I believe it is by far the most valuable and can serve as an example to others in the space.&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=42'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=42</link><author>Ryan Steinbach</author><pubDate>Tue, 11 Jun 2013 10:26:00 GMT</pubDate></item><item><title>Developing Effective Peer Relationships</title><description>&lt;p&gt;&lt;img style="margin-bottom: 20px; float: left; margin-right: 20px;" alt="Developing Effective Peer Relationships graphic | Newberry Group Blog" src="/data/images/NewberryBlog/05-2013_NG_Blog_Banner_PeerRelationships.jpg" longdesc="Developing Effective Peer Relationships graphic | Newberry Group Blog" /&gt;Being &amp;ldquo;Action Oriented&amp;rdquo;, having &amp;ldquo;Career Ambition&amp;rdquo;, being excellent at fostering a &amp;ldquo;Boss Relationship&amp;rdquo;, maintaining &amp;ldquo;Customer Focus&amp;rdquo;, and excelling at &amp;ldquo;Directing Others&amp;rdquo; are critical to growing into a management role and being effective in that role.&amp;nbsp; However, these vital competencies can often get in the way as one moves from being an effective &lt;em&gt;&lt;strong&gt;manager&lt;/strong&gt;&lt;/em&gt; to becoming an effective &lt;em&gt;&lt;strong&gt;leader&lt;/strong&gt;&lt;/em&gt;.&amp;nbsp; Career growth early in one&amp;rsquo;s profession often is dependent on being effective &amp;ldquo;up and down&amp;rdquo;.&amp;nbsp; Building trust and credibility with clients and bosses (up), and effectively directing those junior to you (down) to achieve superior results is 
of paramount importance.&amp;nbsp; However, as one&amp;rsquo;s responsibilities begin to expand to support scale within an organization it is imperative that individuals begin to work &amp;ldquo;across&amp;rdquo; and foster effective peer relationships.&amp;nbsp; Learning to work &amp;ldquo;across&amp;rdquo; is in fact the essence of organizational &lt;em&gt;&lt;strong&gt;leadership&lt;/strong&gt;&lt;/em&gt;.&amp;nbsp; Leaders are able to achieve positive results for the organization even when they do not have direct power and control over all resources involved in the activity.&amp;nbsp; Leaders are able to work through &lt;em&gt;&lt;strong&gt;influence&lt;/strong&gt;&lt;/em&gt;; trading on mutual respect and goals, sharing credit and rewards, and building and growing trust.&amp;nbsp; This highly valued ability leads to a more efficient use of time and resources by easing the exchange of ideas and talent across the organization.&amp;nbsp; Managers direct their people.&amp;nbsp; Leaders make the whole organization better.&amp;nbsp; Certainly this requires putting one&amp;rsquo;s ego on the back-burner but the rewards for those that do are huge.&amp;nbsp; You become recognized for being someone that can work and be effective well beyond your direct span of control for the good of the organization.&amp;nbsp; How do you make this transition?&amp;nbsp; Fortunately, Lombardo &amp;amp; Eichinger and others offer some suggestions:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="color: #1f497d; font-size: 16px;"&gt;Practice #1: &lt;/span&gt;Curb your Competitive Nature.&lt;/strong&gt;&amp;nbsp; If peers see you as excessively competitive, they will work to cut you out of the loop and sabotage your efforts to work across organizational boundaries.&amp;nbsp; Always offer an explanation for your thinking and invite others to explain their point of view.&amp;nbsp; Resist &amp;ldquo;staking out a position&amp;rdquo; and focus on generating a variety of possibilities.&amp;nbsp; Invite, and accept, criticism of your ideas.&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #1f497d; font-size: 16px;"&gt;&lt;strong&gt;Practice #2:&lt;/strong&gt;&lt;/span&gt;&amp;nbsp; &lt;strong&gt;Separate working smoothly with peers from personal relationships.&lt;/strong&gt;&amp;nbsp; Remember, you are not forming friendships, you are avoiding &amp;ldquo;one-upmanship&amp;rdquo; and the &amp;ldquo;not invented here&amp;rdquo; phenomenon in all your organizational interactions.&amp;nbsp; You are keeping your ego and pride in check for the good of the organization.&amp;nbsp; That is the reputation you seek to build.&amp;nbsp; You don&amp;rsquo;t have to &amp;ldquo;Like&amp;rdquo; everyone.&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #1f497d; font-size: 16px;"&gt;&lt;strong&gt;Practice #3:&lt;/strong&gt;&lt;/span&gt;&amp;nbsp; &lt;strong&gt;Avoid the water cooler banter.&lt;/strong&gt;&amp;nbsp; If a peer does not play fair, avoid talking about it with others.&amp;nbsp; Talking about conflicts with others will often backfire on you by undermining the trust you are attempting to build with other peers.&amp;nbsp; Confront the peer directly, privately, and politely and give them a chance to save face.&amp;nbsp; Explain the unfair situation and its impact on you.&amp;nbsp; Even if you don&amp;rsquo;t totally accept what is said, you have set the stage for an improved relationship going forward.&amp;nbsp; More importantly, you will reinforce your reputation as a person who can be trusted even when there is a conflict.&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #1f497d; font-size: 16px;"&gt;&lt;strong&gt;Practice #4:&lt;/strong&gt;&lt;/span&gt;&amp;nbsp; &lt;strong&gt;Keep a balanced Scorecard.&amp;nbsp; Watch out for &amp;ldquo;winning&amp;rdquo; too much&lt;/strong&gt;.&amp;nbsp; Look for appropriate opportunities to grant concessions you can live with even if they are not what you wanted ideally. You want to foster a desire in others to work with you again and again.&amp;nbsp; If you are seen as a leader who has a strong point of view but is willing to cooperate and compromise with others that favor will be returned when it matters most.&amp;nbsp; You will create an army of influential peers who are all too ready to support your position because you supported theirs in the past even when you did not totally agree.&lt;/p&gt;
&lt;p&gt;Make no mistake; learning to achieve results through influence alone is a tough skill to master for ambitious people.&amp;nbsp; However, the fact remains that those who leave positive impressions get more things done more efficiently than those who leave cold impersonal impressions.&amp;nbsp;&amp;nbsp; Learning how to build and sustain peer relationships is the cornerstone for developing organizational agility.&amp;nbsp; I look forward to discussing this vital skill next time.&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=41'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Employee Owner</category><link>http://www.thenewberrygroup.com/Blog/?id=41</link><author>Christopher Steinbach</author><pubDate>Tue, 14 May 2013 11:20:00 GMT</pubDate></item><item><title>Social Engineering through Social Networking: Defending Your Organization</title><description>&lt;p&gt;&lt;img style="width: 275px; margin-bottom: 20px; float: left; height: 197px; margin-right: 20px;" alt="Newberry Blog - Defending Your Organization graphic" src="/data/images/NewberryBlog/04-2013_Blog_Banner.jpg" /&gt;&lt;strong&gt;Human beings are the weakest link in data protection.&lt;/strong&gt; Social networking has made this weakest link even weaker.&amp;nbsp; Social engineering continues to be one of the most leveraged attack vectors for targeting an organization&amp;rsquo;s electronic data or IT systems.&amp;nbsp; Historically, a social engineering attempt would consist of an unsolicited phone call or e-mail. 
Attackers would attempt to obtain reconnaissance-related information from an unsuspecting employee or get them to click a link, or download an e-mail attachment, that would introduce malware to the system, potentially allowing backdoor access to the network.&amp;nbsp; As users have become more educated on information security, they have learned not to open attachments or click links from individuals they do not know or trust.&amp;nbsp; However, with the continued growing popularity of social networking, potential attackers can perform a more targeted social engineering attack that exponentially increases their level of possible success.&amp;nbsp;&amp;nbsp; &lt;/p&gt;
&lt;p&gt;One piece of information typically found in social networking profiles is employment information.&amp;nbsp; A quick search on LinkedIn or Facebook can reveal a list of potential social engineering targets for just about any organization.&amp;nbsp; By using the information found in the target&amp;rsquo;s profile, the attacker can craft an e-mail that looks legitimate and includes an attachment or link containing malicious software.&amp;nbsp; If an attacker determines the target worthy, they may even establish a false profile reflecting similar interests and befriend the employee, allowing them to eventually introduce the malware through an e-mail or link.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;Since it is not feasible to control and monitor what employees put on their personal social networking profiles, how can an organization appropriately defend against this type of attack?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="font-size: 16px;"&gt;&lt;img style="width: 100px; float: left; height: 100px; margin-right: 20px;" alt="Newberry Blog - User Education graphic" src="/data/images/NewberryBlog/04-2013_NG_UserEducation.jpg" /&gt;1. User Education:&lt;/span&gt;&lt;/strong&gt;&amp;nbsp; This has been, and always will be, the most effective tool for combating social engineering.&amp;nbsp; In addition to the typical IT security training provided by most organizations today, users should be educated on what company information is appropriate for disclosure on social networking sites and how this information could be used to exploit them.&amp;nbsp; Employees should understand that individuals they make contact with online should not be considered trusted contacts.&amp;nbsp; E-mail attachments or hyperlinks from these online contacts should not be accessed from company-owned computers.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="font-size: 16px;"&gt;&lt;img style="width: 100px; float: left; height: 100px; margin-right: 20px;" alt="Newberry Blog - Policy and Procedures graphic" src="/data/images/NewberryBlog/04-2013_NG_Policy.jpg" /&gt;2. Policy and Procedures:&lt;/span&gt;&lt;/strong&gt;&amp;nbsp; Organizations should prohibit employees from using, or listing, their company e-mail addresses on social networking sites.&amp;nbsp; If the social networking sites are a means for networking or marketing and part of official job duties, then look at establishing a generic e-mail account with increased security restrictions that the employee can utilize.&amp;nbsp; This will allow the employee to identify any contact that is made through the site and treat it as untrusted.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="font-size: 16px;"&gt;&lt;img style="width: 100px; float: left; height: 100px; margin-right: 20px;" alt="Newberry Blog - Security Infrastructure graphic" src="/data/images/NewberryBlog/04-2013_NG_SecurityInfrastructure.jpg" /&gt;3. Security Infrastructure:&lt;/span&gt;&lt;/strong&gt;&amp;nbsp; A reputable web proxy with malware scanning capabilities should be utilized to scan web traffic for potential malware.&amp;nbsp; URL filtering should be enabled and sites that contain known malicious code or malware blocked.&amp;nbsp;&amp;nbsp; Social networking sites should also be restricted for users that do not have a business purpose for visiting them.&amp;nbsp;&amp;nbsp; URL filters typically have groups of sites that are categorized and updated to make this process easy.&amp;nbsp; Finally, a spam filter device or service should be used to scan inbound e-mail for malware and filter unwanted e-mail.&amp;nbsp; Some spam filtering devices also have the capability to scan outbound e-mail for sensitive information such as social security or credit card numbers; this is commonly referred to as Data Loss Prevention (DLP).&amp;nbsp; &lt;/p&gt;
&lt;p&gt;With employees advertising more personal information on social networking sites, we can expect to see a continued increase in targeted social engineering attacks.&amp;nbsp; As with any security threat, a layered defense strategy is the best defense against social engineering attacks.&amp;nbsp; &lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=40'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=40</link><author>Steven Carney</author><pubDate>Tue, 16 Apr 2013 12:15:00 GMT</pubDate></item><item><title>Making Quality Decisions </title><description>&lt;p&gt;&lt;img style="width: 350px; margin-bottom: 20px; float: left; height: 250px; margin-right: 20px;" alt="Making Quality Decisions Graphic" src="/data/images/NewberryBlog/03-2013_NG_Blog_Banner.jpg" /&gt;&lt;strong&gt;You have worked hard to become a confident decision maker, &lt;/strong&gt;&lt;a href="http://thenewberrygroup.com/Blog/Default.aspx?id=38" title="Dealing With Ambiguity | Newberry Blog" target="_parent" shape="rect"&gt;&lt;strong&gt;even in the face of ambiguity&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;.&lt;/strong&gt;&amp;nbsp; How do you ensure that you hit the target more often than not and, more importantly, get closer and closer to the bull&amp;rsquo;s-eye over time?&amp;nbsp; You must practice.&amp;nbsp; Making good decisions requires the right amount of patience, humility, and ice cold nerve to step up and make the call.&amp;nbsp; As I discussed last month, no one is right all the time; it&amp;rsquo;s being more right than wrong over time that matters.&amp;nbsp; You must develop a highly refined sense for the right amount of data, analysis, intuition, wisdom, experience, and judgment required for each decision opportunity.&amp;nbsp;&amp;nbsp;&lt;a href="http://www.lominger.com/about.aspx" title="Lominger Website" target="_parent" shape="rect"&gt;Michael Lombardo and Robert 
Eichinger&lt;/a&gt; and others have proposed some ways to refine that &amp;ldquo;6th Sense&amp;rdquo;&amp;nbsp; that is so recognizable in people renowned for their decision quality.&amp;nbsp; A few of my favorites include:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="color: #1f497d; font-size: 16px;"&gt;Practice One: &lt;/span&gt;Know your biases&lt;/strong&gt;.&amp;nbsp; We all have them; attitudes, beliefs, opinions, prejudices, favorite solutions or ways of doing things.&amp;nbsp; The key is to not let them influence your cold objective point of view.&amp;nbsp; Before you make any significant decision, step away.&amp;nbsp; Examine your motives; look at your past decisions; talk through the consequences of various decisions with a trusted third party.&amp;nbsp; Look for patterns.&amp;nbsp; Do I see every problem as a nail demanding a hammer as a solution?&amp;nbsp; A great decision maker is constantly, humbly, examining the source of his intuition and challenging himself to recognize each problem as new while eliminating his own prejudices and biases.&amp;nbsp; Much of what we learn is relevant to the next problem, but a lot is not.&amp;nbsp; Work to know yourself first, then the problem, and then decide.&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #1f497d; font-size: 16px;"&gt;&lt;strong&gt;Practice Two:&lt;/strong&gt;&lt;/span&gt; &lt;strong&gt;Holster your gun and sleep on it.&lt;/strong&gt;&amp;nbsp; Life is a balance between waiting, and doing.&amp;nbsp; Clearly in business a premium is placed on doing over waiting.&amp;nbsp; However, decision quality can often be greatly improved with just a small amount of additional data and/or reflection.&amp;nbsp;&amp;nbsp;&amp;nbsp; Challenge yourself to gather one more piece of data relevant to a meaningful &amp;ldquo;Why?&amp;rdquo; question.&amp;nbsp; Let the subconscious brain aid your efforts.&amp;nbsp; Get a good night&amp;rsquo;s sleep and get back to it in the morning.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="color: #1f497d; font-size: 16px;"&gt;Practice Three: &lt;/span&gt;Understand the difference between &amp;ldquo;Thinking&amp;rdquo;, &amp;ldquo;Understanding&amp;rdquo;, and &amp;ldquo;Knowing&amp;rdquo; when defining a problem&lt;/strong&gt;.&amp;nbsp; Do you ever represent (or more accurately, &lt;em&gt;misrepresent&lt;/em&gt;) as fact your personal assumptions or the opinions of others using the expression &amp;ldquo;I know that&amp;hellip;&amp;rdquo;?&amp;nbsp; I personally believe this common tendency of people, to mischaracterize personal thoughts and the conjecture of others as &amp;ldquo;known&amp;rdquo; facts, is the leading cause of poor decision making.&amp;nbsp;&amp;nbsp; There is a very simple formula to get out of this trap:&amp;nbsp; When you &amp;ldquo;think&amp;rdquo; something (created between your own two ears), seek validation from a credible third party or obtain first-hand knowledge of the critical facts.&amp;nbsp; When you &amp;ldquo;understand&amp;rdquo; something from a credible third party, seek first-hand knowledge of the critical facts.&amp;nbsp; Only when you &amp;ldquo;know&amp;rdquo; the critical facts through direct first-hand exposure - - act.&lt;/p&gt;
&lt;p&gt;So quality decision making is born first of self-knowledge.&amp;nbsp; Being humble enough to examine our motives and tendencies as a starting point and building a framework of the problem through careful consideration and seeking to understand cause and effect; asking &amp;ldquo;Why?&amp;rdquo; a lot, as we discussed last month.&amp;nbsp; The final step is to have the patience to seek relevant data and most importantly having the guts to seek first-hand knowledge of the most critical facts.&amp;nbsp; In doing so, you elevate your perspective and attain that &amp;ldquo;6th Sense&amp;rdquo; for the right call.&amp;nbsp; You will become recognized as someone who is willing to own their decisions and the basis upon which they are made.&amp;nbsp; And that is the first building block for effective peer relationships and effective team building, which are the essence of leadership.&amp;nbsp; I look forward to discussing those skills next time.&lt;/p&gt;
 &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=39'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Employee Owner</category><link>http://www.thenewberrygroup.com/Blog/?id=39</link><author>Christopher Steinbach</author><pubDate>Tue, 12 Mar 2013 09:22:00 GMT</pubDate></item><item><title>Dealing with Ambiguity</title><description>&lt;p&gt;&lt;strong&gt;&lt;img style="margin-bottom: 20px; float: left; margin-right: 20px;" alt="Graphic of words: Dealing with Ambiguity" src="/data/images/NewberryBlog/02-2013_NG_Blog_Banner.jpg" /&gt;How does one survive - - and thrive - - in this modern world?&lt;/strong&gt; In my experience, it starts with learning how to effectively deal with ambiguity. This critical skill, which I introduced at the end of &lt;a href="http://www.thenewberrygroup.com/Blog/Default.aspx?id=37" title="Building Culture through a Common Language by Chris Steinbach" target="_parent" shape="rect"&gt;my last post&lt;/a&gt;, is important because: congressional leaders are unable to make tough budget decisions; good people can sometimes do bad things while bad people can also do amazingly good things (consider Lance Armstrong); getting great at anything runs straight through being awful at it; the solution for today&amp;rsquo;s problem may not be the solution for tomorrow&amp;rsquo;s problem. In fact, for 90% of business it&amp;rsquo;s not clear what the problem even &lt;em&gt;&lt;strong&gt;is&lt;/strong&gt;&lt;/em&gt;, let alone what the solution could be; the only constant is change.&amp;nbsp; We live in a &amp;ldquo;grey&amp;rdquo; ambiguous modern world. &lt;/p&gt;
&lt;p&gt;Let&amp;rsquo;s be honest. Most of us would prefer to be 100% sure - - about everything!&amp;nbsp; We prefer to know &lt;em&gt;&lt;strong&gt;everything&lt;/strong&gt;&lt;/em&gt; that is going on around us because it makes us feel like we are in control.&amp;nbsp; Most of us get really uncomfortable if we can&amp;rsquo;t wrap up everything we start into nice neat packages with a bow on top.&amp;nbsp; Unfortunately, the cold truth is that success and rewards go to those who develop the ability to make more good decisions than bad in less time than the other guy, using impartial information and few if any precedents or examples of how similar problems were solved before.&lt;/p&gt;
&lt;p&gt;Please note that I did not say &amp;ldquo;make only good decisions...&amp;rdquo;&amp;nbsp; I said &amp;ldquo;make more good decisions than bad...&amp;rdquo; All successful people today have learned to live &lt;em&gt;comfortably&lt;/em&gt; in the &amp;ldquo;Grey Space&amp;rdquo; by cultivating a well-developed tolerance for errors and mistakes - - both for ourselves and &lt;em&gt;&lt;strong&gt;others&lt;/strong&gt;&lt;/em&gt; - - and absorbing the heat and criticism that might follow. &lt;/p&gt;
&lt;p&gt;Make no mistake, this is a tough but extremely valuable skill to learn and develop.&amp;nbsp; In the words of English Statesman George Savile - - &amp;ldquo;He that leaveth nothing to chance will do few ill things, but will do very few things.&amp;rdquo;&amp;nbsp; And we all know that &amp;ldquo;doing very few things&amp;rdquo; just won&amp;rsquo;t cut it in today&amp;rsquo;s world of work - - and especially not in a dynamic, energetic, and empowered culture like we have here at Newberry Group.&amp;nbsp; We must learn to thrive and act effectively in the &amp;ldquo;Grey Space&amp;rdquo;.&amp;nbsp; So how do we learn and develop this tough skill and effectively deal with ambiguity?&amp;nbsp; Michael Lombardo and Robert Eichinger propose some of the following in their book &amp;ldquo;&lt;a href="http://store.lominger.com/store/lominger/en_US/pd/ThemeID.2815600/productID.127293400?resid=URpV9QoBAlcAAAnzCMwAAAB0&amp;amp;rests=1360680437211" title="For Your Improvement | Lominger.com" target="_parent" shape="rect"&gt;For Your Improvement&lt;/a&gt;&amp;rdquo;:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="color: #1f497d; font-size: 16px;"&gt;Practice One:&lt;/span&gt;&lt;/strong&gt; &lt;strong&gt;&amp;ldquo;Incrementalism&amp;rdquo;.&lt;/strong&gt;&amp;nbsp; Research indicates that we do not grasp the essence of a new problem until the second or third attempt at solving it.&amp;nbsp; Plan on making a series of small decisions, get feedback, correct course, and get a little more data moving forward until you have solved the problem. Start small so you can recover quickly and build confidence that you can &amp;ldquo;handle the heat&amp;rdquo; and course correct.&amp;nbsp; You will not build this confidence if you start with &amp;ldquo;the&amp;rdquo; problem.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="color: #1f497d; font-size: 16px;"&gt;Practice Two:&lt;/span&gt; Recognize your Perfectionism for what it is - a roadblock to success&lt;/strong&gt;.&amp;nbsp; Perfectionism is born of an obsessive need to collect more information than the other guy, thus limiting your personal risk.&amp;nbsp; Try to decrease your need for data and your need to be right a little every week.&amp;nbsp; Pick small decisions and try to act on them with little or no data at all, trusting your gut.&amp;nbsp; As discussed before, the real test in the world of business is who can make a good decision on limited or no data in a reasonable time frame.&amp;nbsp; That takes practice so start with the small stuff - - you will likely be surprised how often you are right.&amp;nbsp; (And if you find that you&amp;rsquo;re not more right than wrong, you need to read next month&amp;rsquo;s blog&amp;nbsp; :).)&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="color: #1f497d; font-size: 16px;"&gt;Practice Three:&lt;/span&gt; Ask &amp;ldquo;Why?&amp;rdquo; a lot.&lt;/strong&gt;&amp;nbsp; Evidence from decision-making research makes it clear that the better your problem definition, the better chance you have at finding the solution quickly.&amp;nbsp; Focus on causes, not fixes. &lt;a href="http://www.isixsigma.com/dictionary/5-whys/" shape="rect"&gt;http://www.isixsigma.com/dictionary/5-whys/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="color: #1f497d; font-size: 16px;"&gt;Practice Four:&lt;/span&gt;&amp;nbsp; Develop a philosophical stance toward failure/criticism.&lt;/strong&gt;&amp;nbsp; Learn to crave feedback.&amp;nbsp; The faster and more frequent the feedback on small problems the faster and greater our learning.&amp;nbsp; Teach yourself by letting others &amp;ldquo;off the hook&amp;rdquo; when a mistake is made by focusing on what we can learn from the mistake, not the consequence.&amp;nbsp; In doing so, you will bolster your own ability to handle failure and criticism.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="color: #1f497d; font-size: 16px;"&gt;Practice Five:&lt;/span&gt;&amp;nbsp; Become Process focused, not results focused.&lt;/strong&gt;&amp;nbsp; To work well in uncertain times means that you must recognize first and foremost that your work is never done.&amp;nbsp;&amp;nbsp; If the only constant is &amp;ldquo;change&amp;rdquo; then that constant will demand that you jump from incomplete project to incomplete project. You must alter your internal reward structure so that you feel good about moving things forward incrementally instead of finishing it. In taking this approach, you will not only cease to be easily frustrated, you will also find that the critical few things that need to be finished &amp;ndash; in the sea of insignificant many things - will be.&amp;nbsp; Trust that &amp;ldquo;through the process&amp;rdquo; the results desired will be derived from completing the critical few, not everything you start.&lt;/p&gt;
&lt;p&gt;Working to develop your ability to deal with ambiguity will give you the will to confidently act when information is limited.&amp;nbsp; But like every well-developed competency, its over-use can become a weakness if relied upon too often or worse, exclusively.&amp;nbsp; A complete person or a complete organization fosters complementary competencies that provide balance and assure that strengths don&amp;rsquo;t become weaknesses.&amp;nbsp; One of the strongest complementary competencies for those that are comfortable with ambiguity is a strong sense for what is, and is not, a quality decision.&amp;nbsp; Developing this critical competency in our culture will be the topic next month!&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=38'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Employee Owner</category><link>http://www.thenewberrygroup.com/Blog/?id=38</link><author>Chris Steinbach</author><pubDate>Tue, 12 Feb 2013 09:04:00 GMT</pubDate></item><item><title>Building Culture through a Common Language</title><description>&lt;img style="margin-bottom: 20px; float: left; margin-right: 20px;" alt="Wordcloud graphic of Lominger Competencies" src="/data/images/NewberryBlog/12-2012_NG_Blog_Banner.jpg" /&gt;In today's intensely competitive environment it is critical that organizations establish and sustain a corporate culture that reinforces the behaviors most important to maintaining a distinct competitive advantage.&amp;nbsp; The cornerstone of corporate culture is effective communication but how do you ensure that all are receiving the same message when you are talking about something as "soft" as organizational or individual behaviors?&amp;nbsp; When we say "patience", or "perseverance", or "compassion" what do these words mean in the context of the workplace and how do we ensure that all hear the same meaning?&amp;nbsp; Well, you have to establish a common language for the discussion of these "soft" skills, these 
competencies.&amp;nbsp; By establishing that common language, all are clear on the "behaviors" in which individuals are expected to be competent and which, in turn, are valued by the organization for their contribution to organizational effectiveness and competitive advantage. &lt;br /&gt;
Fortunately, considerable research has been done over the years with respect to those behaviors most likely to lead organizations and people down the path toward success.&amp;nbsp; This research has produced a number of useful behavioral frameworks, taxonomies, of desired and undesirable behaviors in individuals and organizations.&amp;nbsp; I was fortunate enough to be exposed to one of the more popular and widely used behavioral taxonomies early in my professional career, the Leadership Architect, developed by &lt;a href="http://www.lominger.com/about.aspx" shape="rect"&gt;Mike Lombardo and Bob Eichinger&lt;/a&gt;.&amp;nbsp; The Leadership Architect defines 67 competencies found in the most successful people and organizations.&amp;nbsp; In fact, I was certified in the use of this tool for facilitating organizational development and culture building, and as a tool to promote individual professional growth and development.&amp;nbsp; However, the art in successfully using such tools is in clearly determining and communicating which of the many "desirable" behaviors are most important to a particular organization at a particular place in time.&lt;br /&gt;
In this series I will introduce those competencies most vital to Newberry's success over the next 36 to 60 months.&amp;nbsp; I will endeavor to explain the competency, its relevance to our business today and offer suggestions on developing or becoming more skilled in the desired competency.&amp;nbsp; It is my desire to contribute to the development of our own cultural framework for success by starting the dialogue about how our behaviors will shape our future success.&amp;nbsp; It is important to remember that as the market evolves so should the competencies of the organization.&amp;nbsp; What is important today may not be important tomorrow.&amp;nbsp; Which leads us to our first competency - - Dealing with Ambiguity; and our first developmental lesson.....chat soon.&amp;nbsp; :-) &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=37'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Employee Owner</category><link>http://www.thenewberrygroup.com/Blog/?id=37</link><author>Christopher J. Steinbach</author><pubDate>Mon, 17 Dec 2012 08:16:00 GMT</pubDate></item><item><title>5 Tips for Building a Cyber Security Career</title><description>&lt;p&gt;&lt;strong&gt;&lt;img style="width: 245px; margin-bottom: 10px; float: left; height: 175px; margin-right: 25px;" alt="IT career seeker" src="/data/images/NewberryBlog/11-2012_NG_Blog_Banner.jpg" /&gt;&lt;span style="font-size: 16px;"&gt;The cyber security field is rapidly expanding to deal with the accelerated risks of changing technology and now is a great time to make the move into a security career.&lt;/span&gt;&lt;/strong&gt; However, not only do you need the qualifications, but also an analytical mindset and good communication skills to effectively convey your expertise to the wide range of customers. Cyber security experts are always chasing an elusive problem and you have to think outside the box quite a bit to find that advanced persistent threat. 
Here are five tips on how to build your successful career: &lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #000000;"&gt;1. Develop a Solid IT Foundation&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;In the case of cyber security, it's really beneficial to have a strong background in information technology. A lot of universities have modified their curriculum to provide security-focused degrees. Previously you might have been restricted to computer science or information technology, but now there are actual degrees tailored around computer security.&amp;nbsp; These programs are often sponsored by entities that are focused on cyber security and want to help build the workforce. For example, the U.S. government currently has a shortfall of cyber security professionals, so it has started working with universities to establish these programs to help grow the cyber security field and fill the jobs that it knows will be out there.&lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #000000;"&gt;2. Get Certifications and Training&lt;/span&gt; &lt;/h2&gt;
&lt;p&gt;&lt;img style="margin-bottom: 20px; float: right; margin-left: 20px;" alt="Certifications" src="/data/images/NewberryBlog/11-2012_NG_Certifications.jpg" /&gt;Certifications are necessary because they establish a foundation. They identify the individuals that have put in the time and effort to understand the fundamentals of cyber security.&amp;nbsp; The&amp;nbsp;&lt;a href="https://www.isc2.org/cissp/default.aspx" title="CISSP certification website" target="_blank" shape="rect"&gt;CISSP&lt;/a&gt; certification is a well-known and internationally recognized security certification and is a great starting point. But with all the different domains of expertise within the security field, you should hone your craft and acquire certifications for your specific area. &lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #000000;"&gt;3. Use Your Past Military Experience&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;Today, information technology in the military is no different than it is in the corporate world. There are disciplines within the military that focus on IT and cyber security, so veterans have an opportunity to directly transfer their experience from military service into commercial cyber security work.&amp;nbsp; &lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #000000;"&gt;4. Use Your Existing IT Career&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;If you've been in IT for a long time and you have a strong background, you have most likely been exposed to security issues. In all reality, you probably have a level of experience that would qualify you to easily transition and adjust to cyber security work without having to start from the ground up. Talk to your peers or managers about what security opportunities are available to you. Also take some personal initiative to start working on a certification in your area of interest. &lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #000000;"&gt;5. Build Up Practical Experience&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;img style="margin-bottom: 20px; float: right; margin-left: 20px;" alt="Icon - Build Practical Experience" src="/data/images/NewberryBlog/11-2012_NG_Experience.jpg" /&gt;At the end of the day, just like in any field, you need the qualifications and the practical experience.&amp;nbsp; And you have to work your way up. Unless you have a lot of applicable experience, expect to start at the bottom and prove yourself so that you have the evidence to put in your resume. Certifications are great because they establish a foundation through the training, but practical experience is just as important. If you don't have the experience, be forthcoming about it, but also have the wherewithal to press forward with developing your career.&amp;nbsp;&amp;nbsp; &lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #000000;"&gt;Are there jobs out there?&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;There is a wide range of cyber-related jobs and almost every industry will have availability whether it's on the commercial side or federal side. In some cases, a cyber opportunity might be there, but it might be coupled with 2 or 3 other roles at the same time: you might be the cyber expert and the IT guru. Newer fields within information technology or security, such as cloud security, mobile security, digital forensics, and malware analysis, are all hot domains so you'll see a lot of opportunities advertised. However, no area in cyber security has lost momentum. Cyber security as a whole is a hot industry to be in, and I predict it to be so for the next couple of decades. It's not slowing down. &lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=35'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=35</link><author>Phillip Justice, Jr.</author><pubDate>Mon, 19 Nov 2012 09:57:00 GMT</pubDate></item><item><title>October is National Cyber Security Awareness Month (#NCSAM)</title><description>&lt;p&gt;&lt;a href="http://www.staysafeonline.org" target="_blank" shape="rect"&gt;&lt;img style="margin-bottom: 20px; float: right; margin-left: 20px;" alt="National Cyber Security Awareness Month" src="/data/images/NewberryBlog/banner%20300x250.gif" /&gt;&lt;/a&gt;We&amp;rsquo;re one of the official champions of National Cyber Security Awareness Month (NCSAM) and there&amp;rsquo;s still time to get involved!&amp;nbsp; National Cyber Security Awareness Month is a campaign focusing on the need for improved online safety and security for all Americans. The National Cyber Security Alliance has sponsored National Cyber Security Awareness Month every October since its founding in 2003.&amp;nbsp; &lt;/p&gt;
&lt;h2&gt;This year&amp;rsquo;s theme is &amp;ldquo;Our Shared Responsibility.&amp;rdquo;&amp;nbsp; So how can you help?&lt;/h2&gt;
&lt;h3&gt;1. Share Tips and Resources with Your Friends and Family&lt;/h3&gt;
&lt;p&gt;The&amp;nbsp;&lt;a href="http://www.staysafeonline.org/" target="_blank" shape="rect"&gt;National Cyber Security Alliance&lt;/a&gt; (NCSA) website is full of tips on how to protect your personal information, teach online safety, and keep your business safe online. Would you know what to do if your &lt;a href="http://www.staysafeonline.org/stay-safe-online/keep-a-clean-machine/hacked-accounts" target="_blank" shape="rect"&gt;accounts were hacked&lt;/a&gt;? Do you need resources to help&amp;nbsp;&lt;a href="http://www.staysafeonline.org/teach-online-safety/" target="_blank" shape="rect"&gt;teach cyber security&lt;/a&gt; in your classroom?&amp;nbsp; Does your small business have a &lt;a href="http://www.staysafeonline.org/business-safe-online/implement-a-cybersecurity-plan/" target="_blank" shape="rect"&gt;Cyber Security Plan&lt;/a&gt;?&lt;br /&gt;
&lt;strong&gt;Find resources and tips on&lt;/strong&gt; &lt;a href="http://www.staysafeonline.org" shape="rect"&gt;www.staysafeonline.org&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;2. Attend An Event and Share It!&lt;/h3&gt;
&lt;p&gt;Organizations all across the United States are hosting cyber-related events to help raise awareness. &lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Find an event in your area on the Events page: &lt;a href="http://www.staysafeonline.org/ncsam/events" shape="rect" originalPath="http://www.staysafeonline.org/ncsam/events" originalAttribute="href"&gt;www.staysafeonline.org/ncsam/events&lt;/a&gt; &lt;/li&gt;
    &lt;li&gt;Stay at your computer and check out these FREE Webcasts from SANS: &lt;br /&gt;
    &lt;strong&gt;Securing The Human&amp;nbsp; &lt;br /&gt;
    Oct 16th&lt;/strong&gt; and &amp;nbsp;&lt;strong&gt;Oct 30th&lt;br /&gt;
    &lt;/strong&gt;Register on their website: &lt;a href="http://www.securingthehuman.org/blog/2012/09/06/three-security-awareness-webcasts-for-oct/" shape="rect"&gt;http://www.securingthehuman.org/blog/2012/09/06/three-security-awareness-webcasts-for-oct/&lt;/a&gt; &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Newberry Group is proud to be a part of National Cyber Security Awareness Month. Anyone can help raise awareness in their community. Let&amp;rsquo;s continue to help others stay safe online!&lt;/p&gt;
&lt;p&gt;To learn more about the National Cyber Security Alliance, visit &lt;a href="http://www.staysafeonline.org" shape="rect"&gt;www.staysafeonline.org&lt;/a&gt;.&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=34'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=34</link><author>Newberry Marketing Team</author><pubDate>Mon, 15 Oct 2012 17:55:00 GMT</pubDate></item><item><title>Understanding the ‘Why?’ in B2B Social Media</title><description>&lt;p&gt;&lt;img style="width: 300px; margin-bottom: 20px; float: left; height: 215px; margin-right: 20px;" alt="Newberry Group Blog | Social Media Icons" src="/data/images/NewberryBlog/09-2012_Blog_Banner.jpg" /&gt;Last January I came across this post by Brad Friedman, &lt;a href="http://socialmediatoday.com/bradfriedman/424216/build-your-social-media-schedule-2012" target="_blank" shape="rect"&gt;Build Your Social Media Schedule For 2012&lt;/a&gt;.&amp;nbsp; He explains that while more and more businesses are getting into social media marketing, many get into it for the wrong reasons. I came across this post while skimming through an abyss of opinions on &amp;lsquo;Social media resolutions for 2012.&amp;rsquo; What caught my attention was this:&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;Start with the &amp;ndash; "Why?"&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Intrigued, I went back and took the time to reflect on what Brad had to say. Early in the post, he gets right to the source of most ineffective social media marketing. &lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;Are you involved with social media to boost your ego?&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;&amp;hellip;do you just want to promote yourself or your product all the time? &lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;Did you join&amp;hellip;because &amp;lsquo;Everyone I know is on &amp;hellip;?&amp;rsquo;&lt;/strong&gt;&lt;/em&gt; &lt;/p&gt;
&lt;p&gt;&lt;img style="width: 125px; margin-bottom: 20px; float: right; height: 125px; margin-left: 20px;" alt="Newberry Group Blog | Sharing content" src="/data/images/NewberryBlog/09-2012_sharing_right.jpg" /&gt;Brad encourages us to evaluate &amp;lsquo;why&amp;rsquo; &amp;ndash; our motivations for using social media. Unfortunately, not much has changed in the last 9 months. As more research supports &lt;a href="http://www.mckinsey.com/insights/mgi/research/technology_and_innovation/the_social_economy" target="_blank" shape="rect"&gt;the benefits of social media in business&lt;/a&gt;, more companies are joining social networks, creating blogs, and hiring social media staff. Although no manager will admit it, their motivations are often as unjustified and misaligned as the questions listed above, and with no consideration of the information security implications. In order to reap the benefits of social media and use it in a way that is safe for the company and its employees, a more comprehensive approach is required. &lt;/p&gt;
&lt;p&gt;&lt;img style="width: 125px; margin-bottom: 20px; float: left; height: 146px; margin-right: 20px;" alt="Newberry Group Blog | image of puzzle" src="/data/images/NewberryBlog/09-2012_strategy.jpg" /&gt;This begins with an evaluation of the business model, value chain, and internal as well as external communication channels. Understanding the information security risks of social media use and, more importantly, &lt;em&gt;how to mitigate these risks&lt;/em&gt; is also a critical yet often overlooked step. Once the institutional framework is in place, a company can begin identifying opportunities for social media, developing metrics for evaluating performance, and, finally, implementing social media into business operations. Even if a social media strategy is working for competitors, it doesn&amp;rsquo;t mean that strategy, or even social media in general, is going to be effective. &lt;/p&gt;
&lt;p&gt;The staff at&amp;nbsp;&lt;a href="http://www.newberrygroup.com" target="_blank" shape="rect"&gt;Newberry Group&lt;/a&gt; understands this and has given me the opportunity to research and prove an opportunity for social media in their business model. As a social media intern, I&amp;rsquo;ll be developing a business case for social media use at the Newberry Group. I&amp;rsquo;m excited by this opportunity, not only because I have a deep interest in B2B social media development but also because I believe my role is a fundamental step that every business should take, even if it is already engaging social media. &lt;/p&gt;
&lt;p&gt;I hope to share some of my work and findings in subsequent blog posts over the next few months. If you have any thoughts on, contributions to, or questions about my work, please do not hesitate to email me:&amp;nbsp;&lt;a href="mailto:rsteinbach@thenewberrygroup.com" shape="rect"&gt;rsteinbach@thenewberrygroup.com&lt;/a&gt; or shoot me a tweet:&amp;nbsp;&lt;a href="http://twitter.com/r_steinbach" target="_blank" shape="rect"&gt;@R_Steinbach&lt;/a&gt; (note: tweets are my own and in no way reflect the views or opinions of Newberry Group)&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=33'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Information Technology</category><link>http://www.thenewberrygroup.com/Blog/?id=33</link><author>Ryan Steinbach</author><pubDate>Thu, 20 Sep 2012 12:40:00 GMT</pubDate></item><item><title>5 Tips to Get Your Data and Computer Storm-Ready</title><description>&lt;span style="font-family: helvetica;"&gt;
&lt;p&gt;&lt;img style="margin-bottom: 20px;" alt="Newberry Group Blog - storm image" src="/data/images/NewberryBlog/08-2012_Blog_Banner.jpg" /&gt;&lt;br /&gt;
Hurricane season is upon the southern United States and now is a good time to make sure your data and computer are prepared for an emergency too. Here are some tips to get you started:&lt;/p&gt;
&lt;ol&gt;
    &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;&lt;span style="color: #0070c0;"&gt;Back up your data with an online backup service&lt;/span&gt;&lt;/strong&gt; - There are many online backup services to choose from. This&amp;nbsp;&lt;a href="http://www.pcmag.com/article2/0,2817,2395766,00.asp" target="_blank" shape="rect"&gt;article&lt;/a&gt; by&amp;nbsp;&lt;a href="http://www.pcmag.com/article2/0,2817,2395766,00.asp" target="_blank" shape="rect"&gt;PC Magazine&lt;/a&gt; does a great job of outlining the different options available. &lt;/p&gt;
    &lt;/li&gt;
    &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;&lt;span style="color: #0070c0;"&gt;Copy your User folder (the folder named "Username") to an external hard drive&lt;/span&gt;&lt;/strong&gt; &amp;ndash; This will ensure that all of your documents, photos, videos, music, desktop, and application data such as email archives and application preferences are saved. For the ultimate backup, consider making a "snapshot" of your entire computer with a program such as&amp;nbsp;&lt;a href="http://www.acronis.com/" target="_blank" shape="rect"&gt;Acronis True Image&lt;/a&gt; (PC) or &lt;a href="http://www.bombich.com/" target="_blank" shape="rect"&gt;Carbon Copy Cloner &lt;/a&gt;(Mac). The "snapshot" will allow you to boot from that hard drive if you had to completely restore your files.&lt;/p&gt;
    &lt;/li&gt;
    &lt;li&gt;
    &lt;p&gt;&lt;span style="color: #0070c0;"&gt;&lt;strong&gt;Use a battery backup + surge protector&lt;/strong&gt;&lt;/span&gt; &amp;ndash; If you use a desktop computer, a battery backup will provide some buffer time for you to save your files when there is a power outage. Most battery backups also give you the benefit of a surge protector.&lt;/p&gt;
    &lt;/li&gt;
    &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;&lt;span style="color: #0070c0;"&gt;Plug your cable modem&amp;rsquo;s coaxial cable into a surge protector&lt;/span&gt;&lt;/strong&gt; &amp;ndash; If you use a cable modem and your computer is directly connected to it via an ethernet cord, be sure to plug the coaxial cable into the battery backup. This will help prevent power surges being transferred from the cable, through the ethernet cord, and on into your computer.&lt;/p&gt;
    &lt;/li&gt;
    &lt;li&gt;
    &lt;p&gt;&lt;span style="color: #0070c0;"&gt;&lt;strong&gt;Unplug your computer when not in use during a storm&lt;/strong&gt;&lt;/span&gt; &amp;ndash; The most certain way to avoid power surge damage is to simply unplug your computer from its power cord.&lt;/p&gt;
    &lt;/li&gt;
&lt;/ol&gt;
&lt;/span&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=32'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=32</link><author>Breanna Cooke &amp; Nicholas Trifiletti, contributor</author><pubDate>Fri, 31 Aug 2012 12:19:00 GMT</pubDate></item><item><title>Why do Nigerian scammers say they are from Nigeria?</title><description>&lt;span style="font-family: helvetica;"&gt;
&lt;h1 style="text-align: left;"&gt;&lt;img style="margin-bottom: 20px;" alt="Image of binary code and password" src="/data/images/NewberryBlog/07-2012_Blog_Banner.jpg" /&gt;&lt;/h1&gt;
&lt;p&gt;Far-fetched tales of West African riches strike most as comical. So why do Nigerian scammers say that they are from Nigeria? Why so little imagination? Why don&amp;rsquo;t Nigerian scammers claim to be from Turkey, or Portugal, or Switzerland? Stupidity is an unsatisfactory answer: The scam requires skill in manipulation, considerable inventiveness and mastery of a language that is non-native for a majority of Nigerians. &lt;/p&gt;
&lt;p&gt;We&amp;rsquo;ve all seen some form of this "too good to be true" technique, written in chopped-up English and designed to part us from a significant amount of money. However, the &lt;em&gt;initial reaction&lt;/em&gt; of a scam-savvy person is just what the attackers are looking for. This scam method relies on a vast numbers game and is examined in &lt;a href="http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf" title="Cormac Herley's whitepaper: Why Do Nigerian Scammers Say They Are From Nigeria?" target="_blank"&gt;Cormac Herley&amp;rsquo;s whitepaper&lt;/a&gt;,&amp;nbsp;&lt;em&gt;&lt;a href="http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf" title="Why Do Nigerian Scammers Say They Are From Nigeria?" target="_blank"&gt;&lt;em&gt;Why Do Nigerian Scammers Say They Are From Nigeria?&lt;/em&gt;&lt;/a&gt;.&lt;/em&gt; Herley, a researcher at Microsoft, delves into the numbers that make these scams work and the gullibility of the victims. Make no mistake, these scammers are smart and they know what they&amp;rsquo;re doing.&lt;/p&gt;
&lt;p&gt;&lt;img style="margin-bottom: 20px; float: right; margin-left: 20px;" alt="Image of target and money" src="/data/images/NewberryBlog/07-2012_money.jpg" /&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #a01c33;"&gt;Attacks are seldom free.&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;Malicious software can accomplish many things but few programs output cash. At the interface between the digital and physical worlds, effort must be spent. Turning digital contraband into goods and cash is not always easily automated. For example, credentials may be stolen by the millions, but emptying bank accounts requires recruiting and managing mules. The end game of many attacks requires per-target effort. Thus, when cost is non-zero, each potential target represents an investment decision to the attacker. He invests effort in the hopes of a payoff. Therefore, he must "qualify" his victims prior to expending significant amounts of resources (time and money) to attain the prize.&lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #a01c33;"&gt;Who is a target and how are they chosen?&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;img style="margin-bottom: 20px; float: right; margin-left: 20px;" alt="Image of target with holes" src="/data/images/NewberryBlog/07-2012_target.jpg" /&gt;There are several models of human behavior that illustrate the theory that when large numbers of communications are cast to random recipients, there is a direct relationship to the number of viable targets harvested. The attacker is looking for people gullible enough to respond to the communication. These people make the "short list" and the attacker continues to nurture these targets until all false positives have been eliminated and there are only true positives left. True positives represent a tiny subset of the initial list of random recipients. In addition to a high gullibility trait, true positives must also have money and an absence of any factors that would prevent them from following through all the way to sending the money. &lt;/p&gt;
&lt;p&gt;Since gullibility is unobservable, the best strategy is to get those who possess this quality to self-identify. These are the communication recipients who respond. An email with tales of fabulous amounts of money and West African corruption will strike all but the most gullible as bizarre. It will be recognized and ignored by anyone who has been using the Internet long enough to have seen it several times. Therefore, shrewd recipients are, in a sense, helping the scammers by inadvertently classifying themselves as non-viable targets merely by the absence of their response.&lt;/p&gt;
&lt;p&gt;So how does this approach answer the question in &lt;a href="http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf" title="Why Do Nigerian Scammers Say They Are From Nigeria"&gt;Herley&amp;rsquo;s title&lt;/a&gt;? His answer: By sending an email that repels all but the most gullible, the scammer gets the most promising marks to self-select and tilt the odds in his favor.&lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #a01c33;"&gt;So what&amp;hellip;?&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;You say, "I don&amp;rsquo;t fall for these Nigerian scams so this won&amp;rsquo;t affect me." That&amp;rsquo;s great&amp;hellip; AND keep in mind all that was discussed in this article was only one type of scam. There are millions more scams relying on the same gullibility factors of human behavior with the same end game. &lt;strong&gt;We are the weakest link.&lt;br /&gt;
&lt;br /&gt;
&lt;/strong&gt;&lt;/p&gt;
&lt;span style="color: #000000;"&gt;Read the&amp;nbsp;full whitepaper by Cormac Herley here: &lt;br /&gt;
&lt;/span&gt;&lt;span style="font-family: helvetica;"&gt;&lt;a href="http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf"&gt;http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf&lt;/a&gt;&lt;br /&gt;
&lt;/span&gt;&lt;/span&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=31'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=31</link><author>Diane McClain</author><pubDate>Wed, 11 Jul 2012 09:49:00 GMT</pubDate></item><item><title>June is National Internet Safety Month</title><description>&lt;p style="text-align: left;"&gt;&lt;img style="margin-bottom: 20px;" alt="Image of padlocks" src="/data/images/NewberryBlog/06-2012_Blog_Banner.jpg" /&gt;&lt;/p&gt;
&lt;p&gt;Like wearing a bike helmet, staying safe on the Internet is all about taking the right precautions. In celebration of National Internet Safety month, we&amp;rsquo;re directing you to some resources from the National Cyber Security Alliance&amp;rsquo;s (NCSA) website. The National Cyber Security Alliance is a non-profit organization that collaborates with the government, corporate, non-profit and academic sectors to empower citizens to use the Internet securely and safely. Visit&amp;nbsp;their site, &lt;a href="http://www.staysafeonline.org" target="_parent"&gt;www.staysafeonline.org&lt;/a&gt;,&amp;nbsp;for more information and resources.&lt;/p&gt;
&lt;h3&gt;Tip Sheets&amp;nbsp;from the NCSA&lt;/h3&gt;
&lt;p&gt;The NCSA has put together some tip sheets that&amp;nbsp;are&amp;nbsp;great reminders and can help facilitate Internet safety discussions with your family.&amp;nbsp; Some of the sheets include:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;&lt;a href="http://www.staysafeonline.org/sites/default/files/resource_documents/Gaming%20Tips%20for%20Parents%20STC.pdf" target="_parent"&gt;Online Gaming Safety &amp;ndash; Tips for Parents:&lt;/a&gt;&lt;strong&gt;&amp;nbsp;&lt;/strong&gt;Most video games are connected to the Internet whether they are played through an Internet browser or a computer or gaming console. NCSA gives steps on how you can help keep your child&amp;rsquo;s information safe and be an informed parent. &lt;/li&gt;
    &lt;li&gt;&lt;a href="http://www.staysafeonline.org/sites/default/files/resource_documents/Mobile%20Devices%20Safety%20Tips%20STC.pdf" target="_parent"&gt;Mobile Device Safety Tip Sheet:&lt;/a&gt;&lt;strong&gt;&amp;nbsp;&lt;/strong&gt;With apps that access your location, public wi-fi hotspots, and text messages with suspicious links, mobile safety is just as important as on the home computer. These tips serve as a good reminder about how to safely manage your mobile devices. &lt;/li&gt;
    &lt;li&gt;&lt;a href="http://www.staysafeonline.org/sites/default/files/resource_documents/Social%20Networking%20Safety%20Tips%20STC.pdf" target="_parent"&gt;Safe Social Networking Tip Sheet:&lt;/a&gt;&lt;strong&gt;&amp;nbsp;&lt;/strong&gt;Taking time to set your privacy settings and being conscious of the personal information you share is what helps keeps social media enjoyable. Go over these tips with your family so that everyone is on the same page about what information should be shared and how to keep accounts secure. &lt;/li&gt;
    &lt;li&gt;&lt;b&gt;For &lt;a href="http://www.staysafeonline.org/tools-resources/tip-sheets" target="_parent"&gt;more tip sheets&lt;/a&gt;, visit &lt;/b&gt;&lt;a href="http://www.staysafeonline.org/tools-resources/tip-sheets" target="_parent"&gt;www.staysafeonline.org/tools-resources/tip-sheets&lt;/a&gt; &lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Free Security Checkups&lt;/h3&gt;
&lt;p&gt;NCSA has provided a list of security vendors who offer &lt;a href="http://www.staysafeonline.org/tools-resources/free-security-check-ups" target="_parent"&gt;free online security checkups&lt;/a&gt;. Most of these will search for viruses and spyware and will help you keep a clean machine. Check out the list of vendors here: &lt;a href="http://www.staysafeonline.org/tools-resources/free-security-check-ups" target="_parent"&gt;www.staysafeonline.org/tools-resources/free-security-check-ups&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Also, check out the &lt;a href="https://survey2.securestudies.com/wix/p122560761.aspx" target="_parent"&gt;Microsoft Computer Safety Index survey&lt;/a&gt;. The survey will ask you some questions about your online habits, then will walk you through some steps to check the settings on your computer. (For PC only)&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=30'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=30</link><author>Breanna Cooke</author><pubDate>Fri, 22 Jun 2012 10:38:00 GMT</pubDate></item><item><title>Your Digital Footprint: What can you control?</title><description>&lt;p&gt;&lt;img alt="" style="margin-bottom: 10px;" src="/data/images/NewberryBlog/05-2012_Blog_Banner.jpg" /&gt;&lt;/p&gt;
&lt;h4&gt;Do you know how much of your private information is available to strangers?&lt;/h4&gt;
&lt;p&gt;We may be in a digital world but that doesn&amp;rsquo;t mean that we shouldn&amp;rsquo;t take precautions with our information.&amp;nbsp; Many of us do not realize how much of our personal information is available to outsiders and how it contributes to our digital footprint.&lt;/p&gt;
&lt;h4&gt;What is a Digital Footprint?&lt;/h4&gt;
&lt;p&gt;Your Digital Footprint is the information about you or from you (activities, comments, public records) that can be accessed via a digital environment.*&lt;/p&gt;
&lt;h4&gt;The 3 Main Sources of Information&lt;/h4&gt;
&lt;p&gt;Our personal information is available from a variety of sources and much is out of our control: we don&amp;rsquo;t have any say in who can access our information.&lt;/p&gt;
&lt;h3&gt;&lt;span style="color: #c00000;"&gt;&lt;strong&gt;1. Public Records&lt;/strong&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;img style="margin-bottom: 15px; float: right; margin-left: 15px;" alt="Newberry Group | Digital Footprint: Image of columns" src="/data/images/NewberryBlog/05-2012_public.jpg" /&gt;The Freedom of Information Act was first enacted in 1966 by President Lyndon B. Johnson and supplemented by President Bill Clinton with the Electronic Freedom of Information Act Amendments in 1996.** Some of the information available to anyone as a public record includes: &lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Census records &lt;/li&gt;
    &lt;li&gt;Consumer protection information &lt;/li&gt;
    &lt;li&gt;Court dockets &lt;/li&gt;
    &lt;li&gt;Criminal records &lt;/li&gt;
    &lt;li&gt;Government spending reports &lt;/li&gt;
    &lt;li&gt;Legislation minutes &lt;/li&gt;
    &lt;li&gt;Professional and business licenses &lt;/li&gt;
    &lt;li&gt;Real estate appraisal records &lt;/li&gt;
    &lt;li&gt;Sex offender registration files &lt;/li&gt;
    &lt;li&gt;Voter registration &lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;span style="color: #c00000;"&gt;&lt;strong&gt;2. Web Searches&lt;/strong&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;img style="margin-bottom: 15px; float: right; margin-left: 15px;" alt="Newberry Group | Digital Footprint: Image of search bar" src="/data/images/NewberryBlog/05-2012_search.jpg" /&gt;Have you ever Googled yourself? Almost anyone can be found online. Someone can find information about you through:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;&lt;strong&gt;Simple search&lt;/strong&gt; by name, e-mail or phone number (it gives thousands of results!) &lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Companies that help you look up anyone&lt;/strong&gt; if you can provide some basic information.&amp;nbsp; Many of the results will come back as free searches and then they offer more in-depth information for a fee. &lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Companies who maintain massive databases&lt;/strong&gt; that troll public and government websites for information and sell it to anyone willing to pay. &lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;span style="color: #c00000;"&gt;&lt;strong&gt;3. Social Websites&lt;/strong&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;img style="margin-bottom: 15px; float: right; margin-left: 15px;" alt="Newberry Group | Digital Footprint: Social Media" src="/data/images/NewberryBlog/05-2012_social.jpg" /&gt;Do you have a Facebook, Google+ or LinkedIn account?&amp;nbsp; Even with extensive privacy settings, there is no guarantee that the information you share won&amp;rsquo;t get into the wrong hands.&amp;nbsp; A simple status update about being away from home can be an open invitation for a thief.&amp;nbsp; Some of the information you may have shared includes:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Home &lt;strong&gt;address&lt;/strong&gt; and &lt;strong&gt;phone&lt;/strong&gt; number &lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Dates&lt;/strong&gt; for vacation and travel &lt;/li&gt;
    &lt;li&gt;Photos or &amp;ldquo;check-ins&amp;rdquo; of &lt;strong&gt;where you are&lt;/strong&gt; &lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Names&lt;/strong&gt; of your family members &lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;What do you want your Digital Footprint to be?&lt;/h4&gt;
&lt;p&gt;Take steps to protect yourself and the information that you can actually control.&amp;nbsp; Privacy controls are an important component when interacting with online resources.&amp;nbsp; Regularly reviewing and setting your privacy controls helps limit what is available to the general public. Not everyone will look at the pictures, posts, blogs, likes/dislikes or comments without evil intent.&amp;nbsp; Being aware of what you are putting online and who might see it is the best step in protecting yourself.&lt;/p&gt;
&lt;p&gt;* &lt;a href="http://en.wikipedia.org/wiki/Digital_footprint"&gt;http://en.wikipedia.org/wiki/Digital_footprint&lt;/a&gt;&lt;br /&gt;
** &lt;a href="http://en.wikipedia.org/wiki/Public_records"&gt;http://en.wikipedia.org/wiki/Public_records&lt;/a&gt;&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=29'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=29</link><author>Valerie Root</author><pubDate>Wed, 09 May 2012 09:59:00 GMT</pubDate></item><item><title>Identifying and Reporting Suspicious E-mail</title><description>&lt;p&gt;&lt;img alt="" style="margin-bottom: 20px;" src="/data/images/NewberryBlog/04-2012_Blog_Banner_700px.png" /&gt;&lt;br /&gt;
&lt;span style="font-size: 13px;"&gt;&lt;strong&gt;If you are like me, you receive the occasional e-mail that just doesn&amp;rsquo;t look quite right.&lt;/strong&gt;&lt;/span&gt; It may be from an anxious individual looking for your help to move their recent monetary windfall out of their impoverished country. Or it&amp;rsquo;s from someone who has a &amp;ldquo;can&amp;rsquo;t miss&amp;rdquo; investment opportunity that just needs some additional capital.&amp;nbsp; Or it&amp;rsquo;s from someone who is simply looking for a sales quote for a business that just doesn&amp;rsquo;t look right.&amp;nbsp; While I am sure that none of us have taken that bait, we shouldn&amp;rsquo;t ignore these suspicious e-mails.&amp;nbsp; We should be reporting them to the Defense Security Service (DSS) and the Federal Bureau of Investigation (FBI).&amp;nbsp;&lt;/p&gt;
&lt;h4&gt;How do I know if it&amp;rsquo;s suspicious?&lt;/h4&gt;
&lt;p&gt;&lt;img alt="" style="width: 125px; margin-bottom: 15px; float: left; height: 125px; margin-right: 15px;" src="/data/images/NewberryBlog/04-2012_Blog_Virus.png" /&gt;Most of us understand that phishing is the act of someone trying to elicit personal information from you so they can exploit you or IT systems/accounts that you have access to. However, what if these e-mails do not ask for anything other than your simple response?&amp;nbsp; Many of the examples above only ask you to respond and, if you do, they will &amp;ldquo;send you further information.&amp;rdquo;&amp;nbsp; Once you respond and essentially confirm your e-mail address is active, these devious folks commonly do a number of things.&amp;nbsp; They do as they promise and send a response back that is typically malware or spyware that infects your computer or network.&amp;nbsp; They also typically sell your e-mail address to hackers or spammers who inflict their own damage to your systems.&lt;/p&gt;
&lt;br /&gt;
&lt;h4&gt;What do DSS and the FBI do?&lt;/h4&gt;
&lt;p&gt;&lt;img alt="" style="width: 125px; margin-bottom: 15px; float: left; height: 125px; margin-right: 15px;" src="/data/images/NewberryBlog/04-2012_Blog_DSS.png" /&gt;The DSS and FBI depend heavily on leads and information from the general public. It is rare for Federal investigation cases to be initiated by the DSS or the FBI. The sources of many of their investigations stem from reports from the general public. To aid in their data collections, we can forward suspected e-mails to them. DSS and the FBI then track these to the source, compile it with other data on file, and determine if an investigation is required.&lt;/p&gt;
&lt;br /&gt;
&lt;h4&gt;Should I report everything?&lt;/h4&gt;
&lt;p&gt;&lt;img alt="" style="width: 125px; margin-bottom: 15px; float: left; height: 125px; margin-right: 15px;" src="/data/images/NewberryBlog/04-2012_Blog_Reporting.png" /&gt;It is important to keep in mind that not all unsolicited e-mail is malicious. Legitimate companies often send mass e-mails hoping to gather customers. And those lengthy &amp;ldquo;Terms and Conditions&amp;rdquo; that we all ignore when signing up for an online service or purchasing software often gives the recipient authority to use your e-mail address as they see fit.&amp;nbsp; Always remember that you should never open any attachments that come from unknown or unexpected recipients.&lt;/p&gt;
&lt;br /&gt;
&lt;h4&gt;How do I report suspicious e-mails?&lt;/h4&gt;
&lt;ol&gt;
    &lt;li&gt;Seek the advice of your company&amp;rsquo;s &lt;strong&gt;Security Officer or IT Department&lt;/strong&gt; on how to handle and report malicious e-mails. &lt;br /&gt;
    &lt;strong&gt;&lt;span style="color: #c00000;"&gt;OR&lt;/span&gt;&lt;/strong&gt; &lt;/li&gt;
    &lt;li&gt;Visit the &lt;strong&gt;FBI&lt;/strong&gt; website for instructions: &lt;a href="http://www.fbi.gov/scams-safety/e-scams"&gt;http://www.fbi.gov/scams-safety/e-scams&lt;/a&gt; &lt;/li&gt;
&lt;/ol&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=28'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=28</link><author>Jerry Kennedy</author><pubDate>Wed, 18 Apr 2012 15:45:00 GMT</pubDate></item><item><title>SANS Presentation Webcast Posted</title><description>Eoghan Casey delivered the presentation &amp;ldquo;Expert Briefing: Mobile Device Forensics Essentials&amp;rdquo; on behalf of cmdLabs at the SANS WhatWorks in Forensics and Incident Response Summit on July 8. SANS has made this presentation available via webcast at the following URL:&lt;br /&gt;
&lt;br /&gt;
&lt;a href="https://www.sans.org/webcasts/show.php?webcastid=92648" target="_blank"&gt;https://www.sans.org/webcasts/show.php?webcastid=92648&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
If you have any comments or suggestions regarding the presentation or anything else, please shoot us an e-mail at &lt;a href="mailto:contact@cmdlabs.com"&gt;contact@cmdlabs.com&lt;/a&gt;. &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=26'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Mobile Device Forensics</category><link>http://www.thenewberrygroup.com/Blog/?id=26</link><author>cmdLabs Staff</author><pubDate>Sat, 17 Dec 2011 23:01:00 GMT</pubDate></item><item><title>Salvaging Digital Video Fragments</title><description>&lt;p&gt;Digital video is becoming a more common form of digital evidence with the increasing prevalence of video in computers, mobile devices and cameras. Digital cameras can create high quality videos, most smart phones can create videos, and the iPad2 has two cameras that can create videos. The videos created by such digital devices can be stored on removable storage media and on the devices themselves. Frequent creation and deletion of videos on these kinds of devices can result in fragments of deleted video clips that most file carving tools cannot salvage. In addition, when dealing with Flash memory dumps acquired from mobile devices, data at the physical level is often fragmented. Specialized methods and tools are needed to salvage deleted video fragments as demonstrated in this article using the contents of Flash memory acquired from a Motorola V3 (RAZR) mobile device.&lt;/p&gt;
&lt;h3&gt;File Carving Limitations&lt;/h3&gt;
&lt;p&gt;Most file carving tools require a known file header in order to salvage deleted data. For instance, to recover a deleted 3gp file, most carving tools look for the file headers such as the following.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/image001.png" /&gt;&lt;br /&gt;
&lt;em&gt;Hex view of 3gp header in the Motorola V3 Flash memory dump&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;If the file is fragmented or the header is missing, the file carving approach will not salvage the deleted video successfully. In this example, a file carving tool that searched the Motorola V3 memory dump for several 3gp header signatures found two files, as shown in the audit log: &lt;/p&gt;
&lt;ul&gt;
    &lt;pre&gt;05/24/2011, 11:26:35
QuickTime 3GP (3gp), header: ftypisom
QuickTime 3GP (3gp), header: ftyp3gp
QuickTime 3GP (3gp), header: ftypmmp4
Default file size: 1024 KB
Maximum file size: 100 times (individual file type definition defaults sizes respected)

E:\Physical GSM Motorola V3 RAZR\Flex Partition 1140000-1fe0000.bin
Scope: 000000 - E9FFFF
Extensive byte-level search

9D0E80 - AD0E7F: 00001.3gp
B888F0 - C888EF: 00002.3gp

05/24/2011, 11:26:35
2 file headers were found. 2 files were retrieved.
&lt;/pre&gt;
&lt;/ul&gt;
&lt;p&gt;However, the salvaged files were invalid because the original files were fragmented. Furthermore, the names and directory paths of these files were not obtained using this method, demonstrating a further limitation of file carving. &lt;br /&gt;
&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;Salvaging Video Fragments&lt;/h3&gt;
&lt;p&gt;When video files are fragmented, it is necessary to consider the video file format in more detail. Fortunately, many digital video formats have a structure that can be used to find and salvage individual frames. A frame is a discrete section of the video that can have a timecode or sequence number and other characteristics that can be useful for salvaging digital video clips.&lt;/p&gt;
&lt;p&gt;The&amp;nbsp;&lt;a target="_blank" href="http://defraser.sourceforge.net/"&gt;defraser tool&lt;/a&gt; can be used to identify frames for several video formats in a forensic duplicate of any piece of storage media, including a removable storage card, computer hard drive and Flash dump from a mobile device. The following screenshot shows defraser used to detect video related data in the Motorola V3 memory dump.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/img_3.png" /&gt;&lt;br /&gt;
&lt;em&gt;Defraser showing video related data in the Motorola V3 memory dump&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Although the defraser tool does not automatically piece together the frames into a video that can be played, it does make the frames available for manual reconstruction. With some effort, defraser may be used to combine fragmented frames into a valid video file that can be played.&lt;/p&gt;
&lt;p&gt;As with file carving methods that rely on header signatures, the carving methods employed by defraser do not provide the filenames and directory path of salvaged video data in the context of the original file system. &lt;/p&gt;
&lt;h3&gt;File System Reconstruction&lt;/h3&gt;
&lt;p&gt;Ultimately, the most effective approach to extracting digital video files from acquired digital evidence such as a Flash memory dump from a mobile device is to reconstruct the logical arrangement of data. On mobile devices, this logical structure involves the flash abstraction layer and file system. Using mobile device forensic tools such as &lt;a href="http://www.cellebrite.com" target="_blank"&gt;Cellebrite Physical&lt;/a&gt; and &lt;a href="http://www.msab.com" target="_blank"&gt;XRY&lt;/a&gt;, it is possible to reconstruct and review the logical file structure of a Flash memory dump as shown below with a 3gp video stored in an MMS related file in the Motorola V3 memory dump. Note that different tools may interpret the logical structure differently and show more files and folders, clearly demonstrating the importance of validating the results of forensic examination tools.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/img_5.png" /&gt;&lt;br /&gt;
&lt;em&gt;XRY/XACT showing the logical file system in the Motorola V3 memory dump&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/img_7.png" /&gt;&lt;br /&gt;
&lt;em&gt;Cellebrite Physical showing the logical file system in the Motorola V3 memory dump&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Extracting the MMS file using such a mobile device forensic tool and extracting the video content as discussed in the &amp;ldquo;&lt;a href="http://www.cmdlabs.com/Blog/Default.aspx?id=24" target="_self"&gt;Delving into Mobile Device File Systems&lt;/a&gt;&amp;rdquo; blog post results in a 3gp file that can be played using VLC media player.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/image009.png" /&gt;&lt;br /&gt;
&lt;em&gt;Playing salvaged digital video using VLC Player&lt;/em&gt;&lt;/p&gt;
&lt;h3&gt;Examination of Salvaged Video&lt;/h3&gt;
&lt;p&gt;After salvaging digital video files it is important to review the resulting data closely for potential anomalies. For instance, using MediaInfo [http://mediainfo.sourceforge.net/en] to extract metadata from video files shows details related to its creation and format. The following screenshot shows metadata from a 3gp video extracted from the Motorola V3 memory dump, revealing that the embedded date-time stamp was set to an incorrect date. &lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/image011.png" /&gt;&lt;br /&gt;
&lt;em&gt;Metadata within a 3gp video displayed using MediaInfo&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;In addition, reviewing individual frames within a salvaged video file can reveal anomalies such as portions of two unrelated videos being combined into one salvaged file. The following screenshot shows frames extracted from a 3gp file using DCCI Video Validator [http://video-validator.sourceforge.net/] revealing footage from two unrelated video files.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/videovalidator3.png" /&gt;&lt;br /&gt;
&lt;em&gt;Frames extracted from digital video using DCCI Video Validator&lt;/em&gt;&lt;/p&gt;
&lt;h3&gt;Conclusions&lt;/h3&gt;
&lt;p&gt;When a video file is fragmented or the header of a video file is overwritten, carving methods that rely on header signatures and contiguous files will not salvage video files successfully and may even incorrectly combine unrelated video fragments into a single file or fail to detect the presence of video content altogether. However, using specialized tools such as defraser, a digital investigator may be able to salvage fragments of video files and piece them together into a valid video file. This process of reconstructing video fragments is time consuming and error prone, particularly when dealing with numerous video files on a single piece of storage media or mobile device. Therefore, whenever feasible, it is preferable to reconstruct the logical arrangement of data to extract the complete content of video files. Whichever method is most effective for salvaging digital video, it is important to examine the results closely to ensure the accuracy and completeness of the resulting videos. 
Such a review includes inspecting embedded metadata for anomalies and reviewing keyframes for possible fragments of unrelated video footage.&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=18'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Forensic Analysis</category><link>http://www.thenewberrygroup.com/Blog/?id=18</link><author>Eoghan Casey</author><pubDate>Sat, 17 Dec 2011 15:11:00 GMT</pubDate></item><item><title>Newberry Group Website Launch</title><description>&lt;p&gt;It is with great pleasure and pride that I announce the redesigned Newberry Group website, a project more than a year in the making.&amp;nbsp;Our new website will showcase &lt;a href="http://www.newberrygroup.com/Solutions.aspx"&gt;our portfolio&lt;/a&gt; as it continues to grow and diversify, and highlight the exceptional contribution our fellow employee-owners make to our Nation, our clients, our communities, and our company.&amp;nbsp;As you know, being a Newberry Employee Owner (NEO) isn&amp;rsquo;t like being an &lt;em&gt;average&lt;/em&gt; employee at an &lt;em&gt;average&lt;/em&gt; company.&amp;nbsp;At Newberry we have the unique opportunity to create long term wealth for ourselves and our colleagues, as owners, through the Newberry Group ESOP.&lt;br /&gt;
&lt;br /&gt;
We tried to encompass the spirit of Newberry, the &lt;em&gt;Signature Experience&lt;/em&gt;, in this website, our public face to the world.&amp;nbsp;People often ask me, &amp;ldquo;What is the &lt;em&gt;Signature Experience&lt;/em&gt;?&amp;rdquo;&amp;nbsp;The answer is that it&amp;rsquo;s different for everyone. For our clients it means an excellent and consistent delivery they can trust.&amp;nbsp; In the marketplace, it means finding an excellent and trusted partner, as well as an extremely focused and tough competitor.&amp;nbsp; For our employee-owners, it means an inspiring workplace where personal and professional development are valued and encouraged.&amp;nbsp;The &lt;em&gt;Signature Experience&lt;/em&gt; seeks to enhance and enrich the lives of our employee-owners, our clients, and our communities.&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Newberry is an agile and evolutionary company that is far &lt;a href="http://www.newberrygroup.com/About.aspx"&gt;different&lt;/a&gt; today than it was a year ago, and will continue to mature into a far different company a year from now than it is today. Our employee-owners strive for more, refusing to remain static, embracing the kind of change that creates a unique and rewarding &lt;em&gt;Signature Experience&lt;/em&gt; for all who come to know us and our company.&amp;nbsp;I believe our new website embodies that spirit and tells that story.&amp;nbsp;&amp;nbsp; &lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=14'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Employee Owner</category><link>http://www.thenewberrygroup.com/Blog/?id=14</link><author>Chris Steinbach</author><pubDate>Fri, 25 Nov 2011 16:41:00 GMT</pubDate></item><item><title>Winner of DFRWS2011 Forensics Challenge Announced</title><description>&lt;p&gt;This year Eoghan Casey worked with Tim Vidas at Carnegie Mellon University and Matthew Geiger at CERT to create the DFRWS Forensics Challenge in an effort to advance forensic analysis of Android mobile devices. The winners of the challenge were Ivo Pooters, Steffen Moorrees and Pascal Arends from Fox-IT. Their submission provides a suite of utilities written in Python for extracting information from data acquired from Flash memory on Android devices. Complete results are posted on the DFRWS Web site.&lt;/p&gt;
&lt;p&gt;The scenarios for the DFRWS 2011 Forensics Challenge were two seemingly unrelated crimes that turned out to be tightly linked with each other. The first scenario was a suspicious death and the goal of the investigation was to determine whether the victim killed himself or was murdered. The second scenario was an intellectual property theft case and the goal of the investigation was to document any evidence that intellectual property was stolen and to support termination of the suspected insider.&lt;/p&gt;
&lt;p&gt;An interesting outcome of the challenge was that using dd to acquire data from the Android device in Scenario 1 did not copy the important information in out-of-band (OOB) areas of the YAFFS2 file system. As a result, it was not possible to reconstruct the file system. However, contestants were still able to carve out usable content from this data.&lt;/p&gt;
&lt;p&gt;The winning submission provides a technical analysis of data structures found in memory dumps from Android mobile devices and provides an Android analysis toolkit that extracts specific items and formats them in a report. Using this toolkit to perform a forensic examination of a full NAND dump of a YAFFS2 file system (such as in Scenario 2 of the DFRWS 2011 Forensics Challenge) first requires the file system to be mounted under Linux as an emulated Flash device (using nandsim).&lt;/p&gt;
&lt;p&gt;A sample of the information extracted by the winners from the SQLite database located on the Android device in Scenario 2 (mtd8\data\com.android.providers.telephony\databases\mmssms.db) is provided here:&lt;/p&gt;
&lt;table border="1" cellspacing="3" cellpadding="3"&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;th&gt;Address&lt;/th&gt;
            &lt;th&gt;date/time (UTC)&lt;/th&gt;
            &lt;th&gt;read&lt;/th&gt;
            &lt;th&gt;type&lt;/th&gt;
            &lt;th&gt;body&lt;/th&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;shandra@cheerful.com&lt;/td&gt;
            &lt;td&gt;05/06/2011 01:34:55 AM&lt;/td&gt;
            &lt;td&gt;True&lt;/td&gt;
            &lt;td&gt;in&lt;/td&gt;
            &lt;td&gt;(Nearby! Coming for my beer) Hey Yob, I am closing in on Fat Heads. See ya soon.&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;sms.dynadel@gmail.com&lt;/td&gt;
            &lt;td&gt;05/06/2011 05:53:30 PM&lt;/td&gt;
            &lt;td&gt;True&lt;/td&gt;
            &lt;td&gt;in&lt;/td&gt;
            &lt;td&gt;Reminder, planned IT outage this weekend. This maintenance window will start at 3 PM today and continue for approx 48 hours.&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;sms.dynadel@gmail.com&lt;/td&gt;
            &lt;td&gt;05/06/2011 05:55:16 PM&lt;/td&gt;
            &lt;td&gt;True&lt;/td&gt;
            &lt;td&gt;in&lt;/td&gt;
            &lt;td&gt;This effects external services such as website, email, webmail, and the ftp server. Use the secondary email access and helpdesk # for emergencies&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;shandra@cheerful.com&lt;/td&gt;
            &lt;td&gt;05/07/2011 11:39:16 PM&lt;/td&gt;
            &lt;td&gt;True&lt;/td&gt;
            &lt;td&gt;in&lt;/td&gt;
            &lt;td&gt;(Save me!) If Luke asks, I&amp;rsquo;m going out with you to dinner, OK?&lt;br /&gt;
            I just can&amp;rsquo;t face Mr. Smooth tonight.&lt;br /&gt;
            Shandra&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;6245&lt;/td&gt;
            &lt;td&gt;05/07/2011 11:44:27 PM&lt;/td&gt;
            &lt;td&gt;True&lt;/td&gt;
            &lt;td&gt;out&lt;/td&gt;
            &lt;td&gt;Sure thing. Do you know where the wine loft is?&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;6245&lt;/td&gt;
            &lt;td&gt;05/07/2011 11:54:37 PM&lt;/td&gt;
            &lt;td&gt;True&lt;/td&gt;
            &lt;td&gt;out&lt;/td&gt;
            &lt;td&gt;I ran into some friends at the double wide, meetup at 8:30 or so?&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;6245&lt;/td&gt;
            &lt;td&gt;05/07/2011 11:56:53 PM&lt;/td&gt;
            &lt;td&gt;True&lt;/td&gt;
            &lt;td&gt;out&lt;/td&gt;
            &lt;td&gt;Or you can walk down Carson and join us&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Much more information was extracted from both Android devices as detailed in the reports, which include an &lt;a href="http://sandbox.dfrws.org/2011/fox-it/DFRWS2011_results/Report/DFRWS%202011%20-%20timeline.png" target="_blank"&gt;impressive graphical reconstruction of events&lt;/a&gt;. &lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=15'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Forensic Analysis</category><link>http://www.thenewberrygroup.com/Blog/?id=15</link><author>Eoghan Casey</author><pubDate>Wed, 09 Nov 2011 13:13:00 GMT</pubDate></item><item><title>SQLite for Digital Forensic Practitioners</title><description>&lt;p&gt;An increasing number of programs are employing SQLite to store data that can be of relevance in an investigation. Forensic practitioners who become familiar with SQLite and learn how to interpret these files will be in a better position to obtain the most usable information from available digital evidence. We cover this and other useful forensic techniques in our Mobile Device Forensics course (&lt;a href="http://www.sans.org/security-training/mobile-device-forensics-1297-mid" target="_blank"&gt;SANS SEC563&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;Backup files from an iPhone or iPod Touch provide an excellent example of SQLite databases that digital forensic examiners can exploit with relative ease, provided they are not encrypted. Data backed up from an iPhone using iTunes such as call logs, contacts, multimedia, and other files are, by default, stored in SQLite database files under &amp;ldquo;~/Library/Application/Support/MobileSync/Backup&amp;rdquo; on a Mac. On Windows XP these backup files are stored in the user&amp;rsquo;s profile under &amp;ldquo;C:\Documents and Settings\[userprofile]\Application Data\Apple Computer\MobileSync\Backup&amp;rdquo; and Windows Vista has a &amp;ldquo;Roaming&amp;rdquo; subfolder in this path.&lt;/p&gt;
&lt;p&gt;SQLite databases can be examined using a command line tool like&amp;nbsp;&lt;a href="http://www.sqlite.org/" target="_blank"&gt;sqlite3.exe&lt;/a&gt;&amp;nbsp;or with a GUI tool like&amp;nbsp;&lt;a href="http://sqlitebrowser.sourceforge.net/" target="_blank"&gt;SQLite Database Browser&lt;/a&gt;&amp;nbsp;shown here with the call log backed up from an iPhone.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/sql-1.png" /&gt;&lt;/p&gt;
&lt;p&gt;The dates are stored as Unix timestamps (seconds since 1 January 1970 UTC) and can be converted to a readable UTC date using Perl as shown here:&lt;/p&gt;
&lt;ul&gt;
    &lt;pre&gt;$ perl -e "print scalar(gmtime(1247848584))"
Fri Jul 17 16:36:24 2009&lt;/pre&gt;
&lt;/ul&gt;
&lt;p&gt;The use of SQLite databases gives forensic practitioners the ability to query the available data directly using the SQL database language. Although a full treatment of SQL is beyond the scope of this discussion, simple examples are provided here to get you started.&lt;/p&gt;
&lt;ul&gt;
    &lt;pre&gt;C:\&amp;gt;sqlite3.exe E:\iPhoneBackup\call_history.db
SQLite version 3.6.16
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite&amp;gt; .tables
_SqliteDatabaseProperties call
sqlite&amp;gt; select * from call WHERE address like '%868%';
2|+186835xxxxx|1247848584|60|4|-1
3|+186835xxxxx|1247853361|0|5|-1
4|+186835xxxxx|1247854453|0|5|-1
9|+186831xxxxx|1247895923|60|4|-1
10|+186835xxxxx|1247936960|60|5|-1
11|+186835xxxxx|1247941792|0|4|-1
12|+186835xxxxx|1247941827|0|4|-1
13|+186835xxxxx|1247941920|0|4|-1
14|+186835xxxxx|1247942844|0|4|-1
16|+186835xxxxx|1248015352|60|4|-1
17|+186835xxxxx|1248015674|0|4|-1
18|+186835xxxxx|1248016092|0|5|-1
26|+186835xxxxx|1248177103|0|5|3&lt;/pre&gt;
&lt;/ul&gt;
&lt;p&gt;The Symbian operating system for mobile devices also makes use of SQLite databases, and other computer applications store investigatively useful information in SQLite databases, including Firefox 3 and Skype. For instance, the moz_places table in the places.sqlite file from Firefox 3 is shown below.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/sql-2.png" /&gt;&lt;/p&gt;
&lt;p&gt;This file can also be queried using SQL, as shown here being queried for all URLs containing the cmdLabs web site.&lt;/p&gt;
&lt;ul&gt;
    &lt;pre&gt;C:\tools&amp;gt;sqlite3 E:\firefox\places.sqlite
SQLite version 3.6.16
Enter ".help" for instructions
Enter SQL statements terminated with a ";"

sqlite&amp;gt; .tables
moz_anno_attributes  moz_favicons         moz_keywords
moz_annos            moz_historyvisits    moz_places
moz_bookmarks        moz_inputhistory
moz_bookmarks_roots  moz_items_annos

sqlite&amp;gt; select * from moz_places WHERE url like '%cmdlabs%';
621|&lt;a href="http://www.cmdlabs.com/"&gt;http://www.cmdlabs.com/&lt;/a&gt;|Home|moc.sbaldmc.www.|1|0|1||2000
622|&lt;a href="http://www.cmdlabs.com/page11/page11.html"&gt;http://www.cmdlabs.com/page11/page11.html&lt;/a&gt;|Blog|moc.sbaldmc.www.|1|0|0||100
623|&lt;a href="http://www.cmdlabs.com/services/services.html"&gt;http://www.cmdlabs.com/services/services.html&lt;/a&gt;|Services|moc.sbaldmc.www.|1|0|0||100
624|&lt;a href="http://www.cmdlabs.com/services/services/services-4.html"&gt;http://www.cmdlabs.com/services/services/services-4.html&lt;/a&gt;|Training and Education|moc.sbaldmc.www.|1|0|0||100&lt;/pre&gt;
&lt;/ul&gt;
&lt;p&gt;Programs like Firefox that maintain usage records in these databases may leave remnants of deleted items that may be recoverable from unallocated disk space as detailed in Murilo Tito Pereira&amp;rsquo;s article &amp;ldquo;Forensic analysis of the Firefox 3 internet history and recovery of deleted SQLite records&amp;rdquo; (&lt;a href="http://www.digitalinvestigation.net"&gt;www.digitalinvestigation.net&lt;/a&gt;).&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=25'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Forensic Analysis</category><link>http://www.thenewberrygroup.com/Blog/?id=25</link><author>cmdLabs Staff</author><pubDate>Tue, 08 Nov 2011 16:37:00 GMT</pubDate></item><item><title>Delving into Mobile Device File Systems</title><description>&lt;p&gt;Mobile device forensics tools have come a long way in the past year, giving us access to more data on a wider range of devices. Even when a full copy of physical memory is not possible, for many devices the complete logical file system can be acquired. Although this generally does not include deleted items, it can still provide access to substantial digital evidence including MMS messages, IM fragments, and Web browsing history.&lt;/p&gt;
&lt;p&gt;However, even when a tool can acquire the entire file system from a mobile device, it may not be able to display items of interest like MMS messages. In such situations, the forensic examiner must locate the desired information within the file system and interpret it themselves.&lt;/p&gt;
&lt;p&gt;This is one of the main reasons why it is important for practitioners to have an understanding of the underlying technology, and not be overly reliant on automated tools.&lt;/p&gt;
&lt;h3&gt;Locating MMS Data&lt;/h3&gt;
&lt;p&gt;A good example of when a tool can acquire but not display evidence of interest came up in a recent case involving MMS messages on a Verizon LG phone. Although the commonly used tool called Cellebrite could acquire data from the mobile device, including a copy of the file system, it did not present MMS messages in the output report. As a result, the investigating agency was only able to view the incriminating evidence through the device itself by performing a manual &amp;ldquo;scroll&amp;rdquo; examination.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Until cmdLabs came along to help&amp;hellip;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;By examining the file system acquired using Cellebrite, we found MMS messages in the &amp;ldquo;mms&amp;rdquo; folder on the LG device. For the sake of illustration, this file system location is shown using BitPim.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/mms-bitpim.png" /&gt;&lt;/p&gt;
&lt;p&gt;The MMSMsg.db file contains metadata associated with the messages, and the PDU files contain the original file name as well as the actual data of the pictures and videos in the message. The header of one PDU file is shown here, revealing some Synchronized Multimedia Integration Language (SMIL) tags and the original file name on the device (0920091201a.3g2).&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/xways-pdu.png" /&gt;&lt;/p&gt;
&lt;p&gt;Even after the original video file is deleted from the device, a copy remains in the MMS message.&lt;/p&gt;
&lt;h3&gt;Extracting MMS Data&lt;/h3&gt;
&lt;p&gt;The media portion of the PDU message file can be extracted using simple file carving techniques. Although you could remove the file header manually using a hex editor, it is more effective to use a file carving tool like Foremost. Automating the file carving process makes it repeatable. In addition, Foremost generates an audit log that can be useful for forensic documentation purposes.&lt;/p&gt;
&lt;p&gt;The file header (a.k.a. signature) of the 3gp videos from an LG VX series device is &amp;ldquo;ftyp3g2a&amp;rdquo; preceded by 4 bytes. The configuration entry for the Foremost file carving tool is shown here:&lt;/p&gt;
&lt;ul&gt;
    &lt;pre&gt;3gp	y	4000000	????\x66\x74\x79\x70\x33\x67\x32\x61&lt;/pre&gt;
&lt;/ul&gt;
&lt;p&gt;Using a configuration file that contains the above signature, the command &amp;lsquo;foremost -c foremost.conf MMS*&amp;rsquo; will extract the 3gp video content from PDU files acquired from an LG device. The resulting videos will be saved in the default Foremost output directory and can be played using QuickTime as shown here.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/quicktime.png" /&gt;&lt;/p&gt;
&lt;p&gt;For those forensic practitioners who are interested in learning more about mobile device forensics and related data recovery techniques, cmdLabs is teaching the SANS Mobile Device Forensic course (SEC 563) in New Orleans from January 11&amp;ndash;15, 2010 and again in San Antonio from January 25&amp;ndash;29, 2010.&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=24'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Mobile Device Forensics</category><link>http://www.thenewberrygroup.com/Blog/?id=24</link><author>Christopher Daywalt</author><pubDate>Tue, 08 Nov 2011 16:02:00 GMT</pubDate></item><item><title>Handbook of Digital Forensics and Investigation Released</title><description>&lt;p&gt;At long last and with the help of many talented experts, I have put together a new Handbook. This book provides an advanced reference for conducting digital investigations and performing forensic examinations. The first part of the book provides comprehensive methodologies and practical tips from experienced practitioners in the areas of forensic analysis, electronic discovery and intrusion investigation. The second part of the book delves into technical aspects of digital evidence on computers, networks, and embedded systems. The technologies covered include Windows, UNIX, and Macintosh computers, cellular telephones and other mobile devices, networks and mobile telecommunications technology.&lt;/p&gt;
&lt;p&gt;The Network Investigations chapter written by cmdLabs personnel is &lt;a href="/contact.aspx"&gt;available in PDF form upon request.&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;img alt="" style="float: left; margin-right: 10px;" src="/data/images/cmdLabsImages/handbook2.png" /&gt;&lt;br /&gt;
F-Response is giving a copy of the Handbook with purchase of their tool:&lt;br /&gt;
&lt;br /&gt;
Buy F-Response, Get a copy of&amp;nbsp;&lt;a href="http://www.f-response.com/index.php?option=com_content&amp;amp;view=article&amp;amp;id=216%3%20Abuy-f-response-get-a-copy-of-the-handbook-of-digital-forensics-and-investig%20ation&amp;amp;catid=34%3Ablog-posts&amp;amp;Itemid=58" target="_blank"&gt;The Handbook of Digital Forensics and Investigation&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
My deepest thanks to the contributors: Cory Altheide (Mandiant) &amp;ndash; Christopher Daywalt (cmdLabs) &amp;ndash; Andrea de Donno (Lepta) &amp;ndash; Dario Forte (DFLabs) &amp;ndash; James Holley (Ernst &amp;amp; Young) &amp;ndash; Andy Johnson (University of Maryland, Baltimore County) &amp;ndash; Ronald van der Knijff (Netherlands Forensic Institute) &amp;ndash; Anthony Kokocinski (CSC) &amp;ndash; Paul Luehr (Stroz Friedberg) &amp;ndash; Terrance Maguire (cmdLabs) &amp;ndash; Ryan Pittman (US Army) &amp;ndash; Curtis Rose (Curtis W. Rose &amp;amp; Associates) &amp;ndash; Joseph Schwerha (TraceEvidence) &amp;ndash; Dave Shaver (US Army) &amp;ndash; Jessica Reust Smith (Stroz Friedberg).&lt;br /&gt;
&lt;/em&gt;&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=23'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Forensic Analysis</category><link>http://www.thenewberrygroup.com/Blog/?id=23</link><author>Eoghan Casey</author><pubDate>Tue, 08 Nov 2011 15:56:00 GMT</pubDate></item><item><title>The Pitfalls of File Initialization for Forensic Analysts</title><description>&lt;p&gt;File initialization is a normal Windows file system behavior that can create problems for forensic analysts. We have encountered file initialization behaviors in a number of cases and find that it creates significant confusion if the underlying cause is not understood. In several cases, incomplete file initialization was misinterpreted as backdating, and in another matter it hampered data salvaging efforts.&lt;/p&gt;
&lt;h3&gt;File Initialization&lt;/h3&gt;
&lt;p&gt;File initialization is a process that Microsoft Windows uses when creating a new file system entry. Basically, when a new file is being created, an appropriate amount of unallocated space is reserved for the data that will be stored in the new file. Under certain circumstances, the storage space reserved for the new file may not be used in its entirety, or at all.&lt;/p&gt;
&lt;p&gt;When only a portion of the disk space that was reserved for a new file is used to store data associated with that file, this leaves a discrepancy between the logical file size and the actual amount of data stored in the file. As a result, you can have a file that appears to have a logical size larger than the actual amount of data stored for that file. The space between the end of valid data and the end of file is called uninitialized space.&lt;/p&gt;
&lt;p&gt;&amp;ldquo;In NTFS, there are two important concepts of file length: the End of File (EOF) marker and the Valid Data Length (VDL). The EOF indicates the actual length of the file. The VDL identifies the length of valid data on disk. Any reads between VDL and EOF automatically return 0 in order to preserve the C2 object reuse requirement.&amp;rdquo; (&lt;a href="http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fsutil_file.mspx?mfr=true" target="_blank"&gt;Microsoft fsutil documentation&lt;/a&gt;)&lt;br /&gt;
&lt;br /&gt;
Uninitialized space is similar in concept to file slack except that it is contained within the logical file size. Unlike file slack, which is no longer associated with a file, data in uninitialized space is in a kind of limbo, trapped at the end of an allocated file but not actually part of that file.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/uninitializedDiagram.png" /&gt;&lt;br /&gt;
&lt;em&gt;Figure: Diagram of file with a logical size that is larger than its valid data length, leaving uninitialized space&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The effect of file initialization behavior is most easily demonstrated on Windows XP with fsutil, as shown here. First, we create a new file that can contain 1024 bytes:&lt;/p&gt;
&lt;ul&gt;&lt;code&gt;C:\Test&amp;gt;fsutil file createnew cmdLabs-setvaliddata 1024&lt;br /&gt;
    File C:\Test\cmdLabs-setvaliddata is created&lt;/code&gt;&lt;/ul&gt;
    &lt;p&gt;Then we set the valid data length of the new file to 1000 bytes, which leaves 24 bytes unused at the end of the file.&lt;/p&gt;
    &lt;ul&gt;&lt;code&gt;C:\Test&amp;gt;fsutil file setvaliddata cmdLabs-setvaliddata 1000&lt;br /&gt;
    Valid data length is changed&lt;/code&gt;&lt;/ul&gt;
        &lt;p&gt;NTFS captures the difference between logical file size and valid data length in two MFT fields as shown here:&lt;/p&gt;
        &lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/uninitializedMFT.png" /&gt;&lt;br /&gt;
        &lt;em&gt;Figure: MFT entry with logical size and valid data length viewed using X-Ways Forensics&lt;/em&gt;&lt;/p&gt;
        &lt;h3&gt;Salvaging Data from File System Limbo&lt;/h3&gt;
        &lt;p&gt;The significance of this from a forensic analysis standpoint is that a file with a valid data length smaller than the logical file size can contain data associated with two files: data associated with the new file (VDL bytes), and data from the old file in uninitialized space (logical file size &amp;ndash; VDL bytes).&lt;/p&gt;
        &lt;p&gt;From a forensic analysis perspective, this uninitialized space can be beneficial. While various disk cleaning utilities can be configured to wipe file slack, they generally do not touch data in uninitialized space. As a result, deleted data can remain in uninitialized space indefinitely, even despite data destruction efforts, and can be salvaged by forensic analysts.&lt;/p&gt;
        &lt;p&gt;However, this arrangement of data can create complications for forensic analysts, particularly when dealing with larger files that have substantial amounts of uninitialized space. For instance, when carving for certain file types, it is common to export unallocated space. However, any data in uninitialized space will not be included in unallocated space. Similarly, when performing keyword searches, a forensic analyst could incorrectly attribute a hit in the uninitialized space to the new file.&lt;/p&gt;
        &lt;p&gt;In one case, several approaches were employed in an effort to salvage video fragments:&lt;/p&gt;
        &lt;ul&gt;
            &lt;li&gt;examined deleted video files still referenced by file system &lt;/li&gt;
            &lt;li&gt;performed file carving on unallocated space only &lt;/li&gt;
            &lt;li&gt;processed file slack only for fragments of video files &lt;/li&gt;
        &lt;/ul&gt;
        &lt;p&gt;None of these approaches recovered videos from a time period of interest. It was not until we conducted a forensic analysis of uninitialized space that additional video fragments were found.&lt;/p&gt;
        &lt;h3&gt;Misinterpreting Normal File System Behavior as Backdating?&lt;/h3&gt;
        &lt;p&gt;Another complication from a forensic analysis standpoint arises when the file creation process is interrupted before the contents of the file are written to disk, because the new file system entry will point to a cluster that still contains data associated with an older file. When this occurs and a date can be associated with the older file, forensic analysts might think that a newer file was overwritten by an older one. This phenomenon can be misinterpreted as evidence of backdating.&lt;/p&gt;
        &lt;p&gt;As an example, consider a newly created file that has not been initialized and has not had any associated data saved to disk as shown here using fsutil:&lt;/p&gt;
        &lt;ul&gt;&lt;code&gt;C:\Test&amp;gt;fsutil file createnew cmdLabs-creatnew 1024&lt;br /&gt;
            File C:\Test\cmdLabs-creatnew is created&lt;br /&gt;
            &lt;/code&gt;&lt;/ul&gt;
            &lt;p&gt;When a file is initialized but the associated contents were not written to disk, the initialized file system entry may point to a cluster that contains old data as shown below using EnCase. By default, EnCase shows uninitialized space in blue text. The cluster that was allocated to the new file &amp;ldquo;cmdLabs-createnew&amp;rdquo; contains older data (folder entries of files from earlier in January).&lt;/p&gt;
            &lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/fsutlis.png" /&gt;&lt;br /&gt;
            &lt;em&gt;Figure: EnCase showing folder entries from early January in the cluster allocated to the new initialized file system entry&lt;/em&gt;&lt;/p&gt;
            &lt;p&gt;This situation can be misinterpreted as backdating if the forensic analyst assumes that the clock had to be set back to the old date when the file contents were saved to disk.&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=21'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Forensic Analysis</category><link>http://www.thenewberrygroup.com/Blog/?id=21</link><author>Eoghan Casey</author><pubDate>Tue, 08 Nov 2011 15:48:00 GMT</pubDate></item><item><title>Advances in Windows Mobile Forensics</title><description>&lt;p&gt;Recent research into important file formats on Windows Mobile devices has led to a breakthrough in mobile device forensics. Our improved understanding of the proprietary Microsoft embedded database format enables us to recover all available data from files such as cemail.vol, including deleted items.&lt;/p&gt;
&lt;p&gt;The papers and associated tools detailing these advances in Windows Mobile forensic analysis are published in the Journal of Digital Investigation [http://www.journals.elsevier.com/digital-investigation/#description]. The most recent special issue on forensic analysis of embedded systems contains two papers: Introduction to Windows Mobile Forensics and Windows Mobile Advanced Forensics.&lt;/p&gt;
&lt;p&gt;Introduction to Windows Mobile Forensics by Eoghan Casey, Michael Bann and John Doyle covers the fundamentals of Windows Mobile systems, embedded database formats and tools for acquiring and examining these systems in a forensic context. A table from this paper is provided here, listing potentially useful sources of evidence on Windows Mobile devices.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/table2.png" /&gt;&lt;/p&gt;
&lt;p&gt;Windows Mobile Advanced Forensics by Coert Klaver from the Netherlands Forensic Institute provides in-depth technical details about embedded database formats and tools for acquiring and examining this information. The author developed tools for interpreting data in embedded databases acquired from Windows Mobile devices, including deleted items.&lt;/p&gt;
&lt;p&gt;An upcoming issue of the Journal of Digital Investigation contains the paper Windows Mobile Advanced Forensics: An Alternative to Existing Tools by Cpt. Fr&amp;eacute;d&amp;eacute;rick Rehault from the French National Gendarmerie. The author developed custom boot loaders and file parsing tools to extract the maximum amount of information available from Windows Mobile devices. A small sample of the very detailed output from one customized tool is provided below, showing interpreted fields extracted from a text message in cemail.vol along with the location of associated content in the file system.&lt;/p&gt;
&lt;ul&gt;&lt;code&gt;[ MESSAGE ] &amp;lt;&amp;lt;&amp;lt;&amp;lt; VISIBLE &amp;gt;&amp;gt;&amp;gt;&amp;gt;&lt;br /&gt;
    Message Class : : IPM.SMStext&lt;br /&gt;
    Message Flag (1:Read; 0:Unread) : 0x00000028&lt;br /&gt;
    Subject : Love you too. Cant wait to see you tomorrow!&lt;br /&gt;
    Msg Status : 0x00040000 : SMS&lt;br /&gt;
    Delivery Time 2009-05-15 04:53:54&lt;br /&gt;
    Sender Email Address : 14435551212&lt;br /&gt;
    Sender Name : 14435551212&lt;br /&gt;
    Last Modification Date 2009-05-15 04:53:55&lt;br /&gt;
    Recipient Info: address &amp;amp; name : t&amp;pound; lT SMS14105551212Steven&amp;hellip;
    &lt;p&gt;&amp;nbsp;&lt;/p&gt;
    &lt;p&gt;-- Message Content Location --&lt;br /&gt;
    NORMALLY Stored in "\Windows\Messaging\ 453a000a xxxxxxxx.mpb "&lt;/p&gt;
    &lt;/code&gt;&lt;/ul&gt;
    &lt;p&gt;The tool also extracts the raw database record as shown here with all of the internal database fields:&lt;/p&gt;
    &lt;ul&gt;&lt;code&gt;*************************************************************&lt;br /&gt;
        [ DEBUG ]: Found RECORD HEADER at Offset 0x000b7e9c&lt;/code&gt;
        &lt;p&gt;&amp;nbsp;&lt;/p&gt;
        &lt;p&gt;&lt;code&gt;[ DEBUG ]: hRecord = 0x00000a47&lt;br /&gt;
        [ DEBUG ]: hDBHandle = 0x00000060&lt;br /&gt;
        [ DEBUG ]: DataRecordSize = 0x00b8&lt;br /&gt;
        [ DEBUG ]: CompDataRecordSize = 0x009e&lt;br /&gt;
        [ DEBUG ]: Nb Props found = 12&lt;br /&gt;
        [ DEBUG ]: Flag = 0x4000 : Data might be compressed
        &lt;p&gt;00000000 45 0a 00 3a a0 00 00 00 0f 00 00 31 28 00 00 00 |E..:.......1(...|&lt;br /&gt;
        00000010 00 00 b0 25 58 00 4c 00 6f 00 76 00 65 00 20 00 |...%X.L.o.v.e. .|&lt;br /&gt;
        00000020 79 00 6f 00 75 00 20 00 74 00 6f 00 6f 00 2e 00 |y.o.u. .t.o.o...|&lt;br /&gt;
        00000030 20 00 43 00 61 00 6e 00 74 00 20 00 77 00 61 00 | .C.a.n.t. .w.a.|&lt;br /&gt;
        00000040 69 00 74 00 20 00 74 00 6f 00 20 00 73 00 65 00 |i.t. .t.o. .s.e.|&lt;br /&gt;
        00000050 65 00 20 00 79 00 6f 00 75 00 20 00 74 00 6f 00 |e. .y.o.u. .t.o.|&lt;br /&gt;
        00000060 6d 00 6f 00 72 00 72 00 6f 00 77 00 21 00 34 00 |m.o.r.r.o.w.!.4.|&lt;br /&gt;
        00000070 00 00 04 00 00 9d b0 25 19 d5 c9 01 16 00 31 00 |.......%......1.|&lt;br /&gt;
        00000080 34 00 34 00 33 00 35 00 35 00 35 00 31 00 32 00 |4.4.3.5.5.5.1.2.|&lt;br /&gt;
        00000090 31 00 32 00 16 00 31 00 34 00 34 00 33 00 35 00 |1.2...1.4.4.3.5.|&lt;br /&gt;
        000000a0 35 00 35 00 31 00 32 00 31 00 32 00 80 33 49 26 |5.5.1.2.1.2..3I&amp;amp;|&lt;br /&gt;
        000000b0 19 d5 c9 01 47 0a 00 3b |....G..;|&lt;/p&gt;
        &lt;p&gt;+ List of properties in record:&lt;br /&gt;
        -- PropID[ 0 ] = 0x80050013 UI4 : 0x3a000a45&lt;br /&gt;
        -- PropID[ 1 ] = 0x80110013 UI4 : 0x000000a0&lt;br /&gt;
        -- PropID[ 2 ] = 0x001a0013 UI4 : 0x3100000f&lt;br /&gt;
        -- PropID[ 3 ] = 0x0e070013 UI4 : 0x00000028&lt;br /&gt;
        -- PropID[ 4 ] = 0x003d001f LPWSTR :&lt;br /&gt;
        -- PropID[ 5 ] = 0x0037001f LPWSTR : Love you too. Cant wait to see you tomorrow!&lt;br /&gt;
        -- PropID[ 6 ] = 0x0e170013 UI4 : 0x00040000&lt;br /&gt;
        -- PropID[ 7 ] = 0x0e060040 FILETIME 0x1c9d51925b09d00&lt;br /&gt;
        -- PropID[ 8 ] = 0x0c1f001f LPWSTR : 14435551212&lt;br /&gt;
        -- PropID[ 9 ] = 0x0c1a001f LPWSTR : 14435551212&lt;br /&gt;
        -- PropID[ 10 ] = 0x30080040 FILETIME 0x1c9d51926493380&lt;br /&gt;
        -- PropID[ 11 ] = 0x80010013 UI4 : 0x3b000a47&lt;/p&gt;
        &lt;p&gt;&amp;nbsp;&lt;/p&gt;
        &lt;/code&gt;&lt;/p&gt;
    &lt;/ul&gt;
    &lt;p&gt;cmdLabs covers forensic analysis of Windows Mobile and other mobile devices in the course we develop and teach for SANS (FOR563 &amp;ndash; Mobile Device Forensics [http://www.sans.org/security-training/mobile-device-forensics-4896-tid]).&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=20'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Mobile Device Forensics</category><link>http://www.thenewberrygroup.com/Blog/?id=20</link><author>Eoghan Casey</author><pubDate>Tue, 08 Nov 2011 15:30:00 GMT</pubDate></item><item><title>Winner of the DFRWS2010 Forensic Challenge Announced</title><description>&lt;p&gt;This year Eoghan Casey collaborated with the&amp;nbsp;&lt;a href="http://www.forensicinstitute.nl/" target="_blank"&gt;Netherlands Forensic Institute&lt;/a&gt;&amp;nbsp;to create the DFRWS Forensic Challenge in an effort to advance forensic analysis of Flash memory in mobile devices. The winner of the challenge was Solal Jacob, who used the open source&amp;nbsp;&lt;a href="http://www.digital-forensic.org/" target="_blank"&gt;Digital Forensic Framework&lt;/a&gt; and provided some new modules specifically for parsing memory dumps of Sony Ericsson K800i devices. Complete results are posted on the&amp;nbsp;&lt;a href="http://www.dfrws.org/2010/challenge/results.shtml" target="_blank"&gt;DFRWS Web site&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The scenario for the DFRWS2010 Forensic Challenge involves an arms dealer named Monsieur Victor (a.k.a. &amp;ldquo;The General&amp;rdquo;) who was apprehended in the Netherlands and threw a Sony Ericsson K800i into a nearby canal. The Netherlands Forensic Institute acquired data from NAND and NOR chips in the water-damaged mobile device using Memory toolkit. The goal of the challenge is to recover leads relating to front companies, bank accounts and cohorts.&lt;/p&gt;
&lt;p&gt;The winning submission provides a technical analysis of data structures found in a memory dump from a Sony Ericsson K800i mobile device and provides DFF plug-ins that recover wear-leveling tables, enabling a forensic analyst to reconstruct the flash abstraction layer as shown here.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/ftl-reconstruction.png" /&gt;&lt;/p&gt;
&lt;p&gt;Once the desired state of memory has been reconstructed, the DFF tool can be used to interpret the partition table and file systems on the mobile device as shown here.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/parse-filesystem.png" /&gt;&lt;/p&gt;
&lt;p&gt;The resulting logical view shows metadata associated with files and folders, including deleted items.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/file-system-deleted.png" /&gt;&lt;/p&gt;
&lt;p&gt;In addition, digital photographs recovered from mobile device memory can be previewed using the DFF as shown here.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/photos-thumbs.png" /&gt;&lt;/p&gt;
&lt;p&gt;An interesting outcome of the challenge was that several contestants were able to extract substantial amounts of information from the physical memory dumps without understanding the logical arrangement of blocks or the file system. The implication is that, once full physical dumps of NAND and/or NOR memory are obtained from a mobile device, simple text extraction and file carving techniques can provide significant amounts of useful information, including deleted data.&lt;/p&gt;
&lt;p&gt;A logical acquisition created using Microsystemation&amp;rsquo;s XRY mobile device forensic tool is now available to facilitate further development such as interpretation of foreign characters. As an example, the logical view of SMS messages on the device used in the DFRWS2010 Forensic Challenge is shown here.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/data/images/cmdLabsImages/xry-logical.png" /&gt;&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=19'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Mobile Device Forensics</category><link>http://www.thenewberrygroup.com/Blog/?id=19</link><author>Eoghan Casey</author><pubDate>Tue, 08 Nov 2011 15:11:00 GMT</pubDate></item><item><title>Digital Evidence &amp; Computer Crime, 3rd Edition Released</title><description>&lt;p&gt;After six years of work, the expanded and updated third edition of&amp;nbsp;&lt;a href="http://www.amazon.com/gp/product/0123742684?ie=UTF8&amp;amp;tag=wwwcmdlabscom-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=0121631044" target="_blank"&gt;Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet&lt;/a&gt;&amp;nbsp;is now complete. The 800 printed pages and one online chapter cover the methods and tools relevant to incident responders, forensic analysts, police and lawyers.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" style="float: left; margin-right: 10px;" src="/data/images/cmdLabsImages/casey_1.png" /&gt;This book is divided into five parts, beginning with the fundamental concepts and legal issues relating to digital evidence and computer crime in Part 1 (Digital Forensics: Chapters 1 &amp;ndash; 5). Part 2 of this text (Digital Investigations: Chapters 6 &amp;ndash; 9) covers investigative aspects of digital evidence and computer crime. Part 3 of this text (Apprehending Offenders: Chapters 10 &amp;ndash; 14) deals with specific types of investigations with a focus on apprehending offenders, including Violent Crime in Chapter 10, Sex Offenders on the Internet in Chapter 12 and Investigating Computer Intrusions in Chapter 13. Part 4 of this book (Computer Forensics: Chapters 15 &amp;ndash; 20) begins by introducing basic Forensic Science concepts in the context of a single computer, and goes on to apply these concepts in updated chapters dedicated to networked Windows, Unix, and Macintosh computers and mobile devices. Part 5 (Network Forensics: Chapters 21 &amp;ndash; 25) covers computer networks from an investigative perspective, focusing specifically on the Internet and performing forensic analysis on network logs and traffic.&lt;/p&gt;
&lt;p&gt;This material provides the foundation for the more advanced companion text, the&amp;nbsp;&lt;a href="http://www.amazon.com/Handbook-Digital-Forensics-Investigation-Eoghan/dp/0123742676/ref=sr_1_1?ie=UTF8&amp;amp;qid=1320729067&amp;amp;sr=8-1" target="_blank"&gt;Handbook of Digital Forensics and Investigation&lt;/a&gt;.&lt;/p&gt;
Many thanks to &lt;a href="http://www.udayton.edu/law/faculty_and_staff/brenner_susan.php" target="_blank"&gt;Susan Brenner&lt;/a&gt;, &lt;a href="http://www.cmdlabs.com/Christopher_Daywalt.aspx" target="_blank"&gt;Christopher Daywalt&lt;/a&gt;, &lt;a href="http://www.techforensicexperts.com/53/index.html" target="_blank"&gt;Monique Mattei Ferraro&lt;/a&gt;, &lt;a href="http://www.tilburguniversity.edu/webwijs/show/?uid=e.j.koops" target="_blank"&gt;Bert-Jaap Koops&lt;/a&gt;, &lt;a href="http://www.cmdlabs.com/Terrance_Maguire.aspx" target="_blank"&gt;Terrance Maguire&lt;/a&gt;, Mike McGrath, Tessa Robinson, &lt;a href="http://www.schatzforensic.com.au/" target="_blank"&gt;Bradley Schatz&lt;/a&gt;, Ben Turnbull and&amp;nbsp;&lt;a href="http://www.corpus-delicti.com/brent/brent_cv.html" target="_blank"&gt;Brent Turvey&lt;/a&gt; for their excellent contributions to this textbook. &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=17'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Forensic Analysis</category><link>http://www.thenewberrygroup.com/Blog/?id=17</link><author>Eoghan Casey</author><pubDate>Tue, 08 Nov 2011 14:47:00 GMT</pubDate></item><item><title>Geolocational Log Analysis: Think Globally, Act Locally (with code)</title><description>&lt;p&gt;In many network environments the administrators and security engineers have an understanding of the full geographical scope and reach of their network. While some corporations have a global audience and expect traffic from the far reaches of the world, others are more localized and target a specific small region.&lt;/p&gt;
&lt;p&gt;A health care provider for Alaska would monitor its network connections to ensure that they are limited to its main source of users, i.e. those in Alaska. An insurance company in St. Louis will see mostly traffic from IP addresses in Missouri, but Illinois as well, due to the city being on the state line. Occasionally, administrators may notice connections being made from Hawaii, Bermuda, or Italy, signifying users who are on vacation but are still wired in to their work. However, a long-term series of connections from a subscriber of Eircom, Ireland&amp;rsquo;s largest ISP, should spark the interest of the network administrator of a Seattle tax firm.&lt;/p&gt;
&lt;p&gt;While anonymous web connections from global addresses are common, specific attention should be paid to such addresses being used to access password-protected areas of a corporation. This could include remote file access, VPN and web-based corporate email.&lt;/p&gt;
&lt;p&gt;In such cases the logs from these applications, usually supplied in plain text or W3C format, contain details about transactions, including the remote IP address and the account name being authorized. In reviewing logs from various incident responses, cmdLabs has found that a short log review made on a daily basis could help smaller corporations determine quickly if a user account was compromised and accessed from a remote location.&lt;/p&gt;
&lt;p&gt;For example, the log sample below from a Cisco ASA tracks VPN connections. The user &amp;ldquo;cmdLabs\bbaskin&amp;rdquo; was accessed via the IP address of 159.134.100.100 on 2 April, 2011, an IP that was traced back to Ireland. A few hours later the same account was accessed from an IP address in Austria.&lt;/p&gt;
&lt;ul&gt;&lt;code&gt;Apr 2 21:53:37 192.168.1.1 Apr 02 2011 21: 53:08: %ASA-6-302013: Built outbound TCP connection 7823 for inside:10.10.10.50/389 (10.10.10.50/389) to NP Identity Ifc:192.168.1.1/1047 (192.168.1.1/1047)&lt;br /&gt;
    Apr 2 21:53:37 192.168.1.1 Apr 02 2011 21: 53:08: %ASA-6-1&lt;br /&gt;
    04: AAA user authentication Successful : server = 10.10.10.50 : user = cmdLabs\bbaskin&lt;br /&gt;
    Apr 2 21:53:37 192.168.1.1 Apr 02 2011 21: 53:08: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = cmdLabs\bbaskin&lt;br /&gt;
    Apr 2 21:53:37 192.168.1.1 Apr 02 2011 21: 53:08: %ASA-6-113008: AAA transaction status ACCEPT : user = cmdLabs\bbaskin&lt;br /&gt;
    Apr 2 21:53:37 192.168.1.1 Apr 02 2011 21: 53:08: %ASA-6-734001: DAP: User cmdLabs\bbaskin, Addr 159.134.100.100, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy&lt;/code&gt;&lt;/ul&gt;
    &lt;p&gt;For this small set of data it is trivial to query each IP address to determine its country of origin, netblock owner, and other details that would highlight unauthorized access. The problem arises when you have hundreds of thousands of such transactions in your daily log files. One service that cmdLabs uses regularly is the IP to&amp;nbsp;&lt;a href="http://www.team-cymru.org/Services/ip-to-asn.html" target="_blank"&gt;ASN WHOIS server&lt;/a&gt;&amp;nbsp;run by Team Cymru. This server provides quick and easy access to country codes for a given IP address. However, it has two limitations: it requires Internet access, which is not readily available from a forensic workstation, and to process a large bulk of IPs you have to use their Netcat process, which only returns ASNs and not country codes. To overcome these limitations I&amp;rsquo;ve developed a simple solution that could process hundreds of thousands of IP addresses to determine country codes. This solution is a small Python script called IP2CC that takes an IP address as input and outputs the originating country code for that IP. This solution requires three components:&lt;/p&gt;
    &lt;ol&gt;
        &lt;li&gt;The free country code database located at&amp;nbsp;&lt;a href="http://www.maxmind.com/app/geolitecountry" target="_blank"&gt;http://www.maxmind.com/app/geolitecountry&lt;/a&gt; (updated monthly) &lt;/li&gt;
        &lt;li&gt;Python API module to access this database located at&amp;nbsp;&lt;a href="http://code.google.com/p/pygeoip/" target="_blank"&gt;http://code.google.com/p/pygeoip/&lt;/a&gt; &lt;/li&gt;
        &lt;li&gt;The IP2CC.py script. Downloadable at the end of this blog post. &lt;/li&gt;
    &lt;/ol&gt;
    The script accepts input from the command line, stdin, or an input file. In normal use it simply outputs the country code. With the -c or -t option the output contains both the IP and the country code, in comma-separated (CSV) or tab-separated (TSV) format, respectively.&lt;br /&gt;
    &lt;br /&gt;
    &lt;ul&gt;&lt;code&gt;python ip2cc.py -i &amp;lt;ip&amp;gt; -f &amp;lt;input file&amp;gt; [-c] [-t]
        &lt;p&gt;&amp;gt; python ip2cc.py -i 11.11.11.11&lt;br /&gt;
        US&lt;/p&gt;
        &lt;p&gt;&amp;gt; python ip2cc.py -i 22.22.22.22 -c&lt;br /&gt;
        22.22.22.22,US&lt;/p&gt;
        &lt;p&gt;&amp;gt; echo 33.33.33.33 | python ip2cc.py&lt;br /&gt;
        US&lt;/p&gt;
        &lt;/code&gt;
        &lt;p&gt;&lt;code&gt;&amp;gt; python ip2cc.py -f IP.txt -c&lt;br /&gt;
        14.48.7.101,AU&lt;br /&gt;
        12.51.21.19,US&lt;br /&gt;
        10.61.14.9,Internal&lt;br /&gt;
        &lt;/code&gt;&lt;/p&gt;
    &lt;/ul&gt;
    &lt;br /&gt;
    In one use, we&amp;rsquo;ll eliminate known intranet/extranet IP addresses and run the resulting list through IP2CC to produce a master list of foreign accesses. This script will run on Linux and OS X in conjunction with the native OS command line tools. For a Windows environment you will find additional capabilities by installing the necessary&amp;nbsp;&lt;a href="http://gnuwin32.sourceforge.net/" target="_blank"&gt;GnuWin32&lt;/a&gt;&amp;nbsp;components. For example, when reviewing a &lt;a href="http://technet.microsoft.com/en-us/library/cc737651(WS.10).aspx" target="_blank"&gt;NCSA-formatted log&lt;/a&gt; with the IP address in the first field:
    &lt;ul&gt;&lt;code&gt;D:\&amp;gt; type in051611.log | egrep -v "^192" | gawk "{print $1}" | python ip2cc.py -t | egrep -v "US|Internal" | gawk -F\t "{print $1}" | sort | uniq &amp;gt; DailyForeignIPs.txt&lt;br /&gt;
        D:\&amp;gt; for /F %i in (DailyForeignIPs.txt) do grep "%i" in051611.log &amp;gt;&amp;gt; DailyForeignConnections.txt&lt;/code&gt;&lt;/ul&gt;
        &lt;p&gt;The first command above saves a simple text listing of all unique foreign IP addresses into a file for processing. The second command takes each IP address from that file and searches the log for it, extracting every line in which it appears. The resulting DailyForeignConnections.txt can then be quickly reviewed to determine if any accounts were accessed from a foreign IP address.&lt;br /&gt;
        &lt;br /&gt;
        Dealing with the VPN logs shown earlier, we&amp;rsquo;ll change our command line a bit. Using the standard&amp;nbsp;&lt;a href="http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html" target="_blank"&gt;Cisco log file index&lt;/a&gt;&amp;nbsp;as a source we can see that the&amp;nbsp;&lt;a href="http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp4887754" target="_blank"&gt;log id of 734001&lt;/a&gt; will show us the remote IP address of a user login. We&amp;rsquo;ll search the log for that id and then parse out the IP address in the 15th field. An additional hindrance is that the IP address is followed by a comma, which we&amp;rsquo;ll remove with the &amp;lsquo;tr&amp;rsquo; command.&lt;/p&gt;
        &lt;ul&gt;&lt;code&gt;D:\&amp;gt; type asavpn-051611.log | findstr "734001" | gawk "$15 !~ /^192/ {print $15}" | tr -d "," | python ip2cc.py -t | egrep -v "US|Internal" | sort | uniq &amp;gt; DailyVPNForeignIPs.txt&lt;/code&gt;&lt;/ul&gt;
            &lt;p&gt;This is ultimately just a very simple Python script. In-house, we use it as a mere function within larger processes, but its simplicity allows it to be used in a variety of result-tuning processes. Customization is easy. At times I&amp;rsquo;ll make an offshoot of the script to process input from the `uniq` command with the `-c` count option. `uniq -c` adds a new column that specifies the total number of instances of each IP address, which is useful when evaluating the persistence of a single IP amongst thousands. A few small changes to the Python will allow you to read this count and add it to the CSV output for easy integration into a spreadsheet.&lt;/p&gt;
            &lt;p&gt;Using a tool like IP2CC is a first step toward opening an administrator&amp;rsquo;s eyes to traffic beyond their network. A good administrator or security engineer should monitor not only the traffic that flows across their network but also the perceived traffic that flows from a network&amp;rsquo;s outer nodes to the Internet. Monitoring for your company&amp;rsquo;s existence in spam black-lists, a malware rating on services like&amp;nbsp;&lt;a href="http://MyWOT.com" target="_blank"&gt;Web of Trust&lt;/a&gt;, and other indicators can give clues that an infection or intrusion may be underway within your network. We&amp;rsquo;ll discuss these points, and others, in a future blog post.&lt;/p&gt;
            &lt;p&gt;&lt;strong&gt;Downloads:&lt;/strong&gt;&lt;/p&gt;
            &lt;p&gt;IP2CC Python Source Code v1.0 [ip2cc.zip] &lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=16'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Forensic Analysis</category><link>http://www.thenewberrygroup.com/Blog/?id=16</link><author>Brian Baskin</author><pubDate>Tue, 08 Nov 2011 14:45:00 GMT</pubDate></item><item><title>Deeply Embedded Metadata</title><description> &lt;br/&gt;&lt;i&gt;&lt;a href='/Blog/?id=27'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;&lt;hr /&gt;</description><category>Archived</category><link>http://www.thenewberrygroup.com/Blog/?id=27</link><pubDate>Mon, 01 Jan 0001 00:00:00 GMT</pubDate></item></channel></rss>