Archive for the ‘User Artifacts’ Category


Digital Smoke: The Art of Incident Response Part I, by Al Lewis

December 10, 2010

The following article is one in a series of articles I am writing on Incident Response, titled, “Digital Smoke, the Art of Incident Response”. This series was condensed into an article published in the July-December 2009 issue of the Informant Magazine. However, due to size constraints the series of articles was never published nor completed. Therefore, I will deconstruct the article and publish the series, as was originally intended, to this blog. The main components will include, the Threat Environment, Defining Response and its characteristics, Response Strategies, and Responding to a Live Macintosh Computer. The first installation in this series addresses the Threat Environment.


Law enforcement officers seek to locate the proverbial “smoking gun” as a means to close each investigation. The”smoking gun” is the one item that proves, without a doubt, the party responsible for the crime. In the cyber world, the computer is analogous to the gun. Therefore, forensic examiners have naturally focused their considerable skills on possessing the computer. Possession of the computer does not necessarily equate to possession of information critical to the investigation. Unlike the gun, where ballistics can tie a bullet to a specific gun barrel, there is information on a computer that cannot be attributed to the computer (or even discovered) once the computer is powered off, or in some cases, once the state of the system is altered. Therefore, forensic examiners must not look to the physical possession of the computer as the investigative goal. Rather these examiners must seek the data, specifically the active and volatile data rather than seeking mere possession.

Traditional Methodology

The traditional method of minimizing loss of data and possessing the computer has been for the examiner to pull the power plug from the actively running machine. In doing so, the examiner does not unnecessarily alter data on the computer. Additionally, the examiner, or responder (as is often the case) need not possess any special skills when seizing a computer. The ability to deploy untrained personnel to a scene containing computers is critical to many organizations in that there are far more incidents with computers than most have the trained personnel to respond. The need for response and lack of properly trained personnel has been a major impetus in policy development concerning incident response (a topic that will be addressed in a later installment).

As vital as possessing the computer is to the forensic process, pulling the plug on a running computer is no longer a sustainable preference. In fact, given the modern threat environment, pulling the plug on a running system that is not actively destroying data borders on malfeasance. The data that is lost when pulling the plug can be the difference between catching the criminal of having him walk free. Similarly, pulling the plug may destroy exculpatory information, such as processes running on the system that the owner was unaware of and/or had no control over.


Moore’s Law (Webster’s Online Dictionary, 2010) provides the most easily recognized definition for the rapid pace at which technology changes. Simply stated technology (although Moore was referring specifically to processor chip technology) doubles every 18-24 months. The rapid change of technology is problematic for law enforcement and forensic professionals alike. There is a symbiotic relationship between technology implementation and security exploits. As new technologies are implemented new security vulnerabilities are discovered. “According to the researchers, an unpatched Windows PC connected to the Internet will last for only about 20 minutes before it’s compromised by malware, on average” (Loney, 2004). It is important to note that the relationship of technology to vulnerability is not one-to-one, rather it is one-to-many. “As I see the kind of threat today, there is so much more malware out in the environment. There is so much more expertise behind the top attack vectors than we have seen in many years leading up to this point” (Bordwine, 2010). The proliferation of malware, combined with poorly written applications make the environment rife with danger. The fact that numerous exploits can exist for a single technology makes it extremely difficult for law enforcement, security or forensic professionals to keep pace.

The User

Today’s computer users can be characterized by the following: they have computers that are more powerful than the computers used to put a man on the moon, they have no computer security training, they use 3-4 applications, have multiple computing devices, freely publish personal information through a wide variety of data repositories using technologies they do not understand, and are connected to the Internet via a high speed connection. In essence today’s computer users are easy targets.

Threat Actors

There are seven categories of threat actors, Advanced Warfare States, Industrial States, Organized Criminal Groups, Developing States, Terrorist, Hacker Groups and Individuals. Hacking groups and Individuals focus their attacks primarily on product vulnerabilities, whereas the remaining groups are characterized by targeted attacks. Although each Threat Actor classification has its own objectives and all warrant further discussion, this paper will address the criminal element of as a whole.

The Cyber Criminal

The modern criminal has an opportunity previously unimaginable, a worldwide playground. Criminals are opportunistic and like all predators, they will seek the easy target. In the cyber world, that easy target is the vast majority of users on the Internet. The fact that smart phones and wireless devices have become ubiquitous has only emboldened today’s criminal, as they represent more ways to exploit both the user and the technology.

Motives. According to Britz (2004), there are six motives for the modern cyber criminal; boredom, intellectual challenge, revenge, sexual gratification, economic and political. The six motives of the cyber criminal are not necessarily mutually exclusive. Threat actors have demonstrated the ability to leverage various motives to recruit and exploit those needed to achieve their goals. An example of cross pollination of motives is obtaining the services of a disgruntled employee to gain access to systems from which data can then be obtained for monetary gain.

Methods. As mentioned previously, there are two main categories of exploitation, however, there are an unlimited number of methods to implement the type of attack. Generally the methodologies for cyber attack can be divided into three distinct groups; social engineering, technical exploitation and  physical disruption and/or a combination of the three.

Adaptation. Historically all criminals adapt to new environments with surprising rapidity, however, none compare to the modern cyber criminal. One reason for the cyber criminal’s amorphous nature lies within the creation of the Internet as a whole. The Internet was created to share information and some of its most influential contributors started as hackers. The pioneers of the Internet demonstrated inherent weaknesses within the Internet itself but largely were not criminally motivated, rather the emphasis was to bend technology to their will, thus creating new capabilities and technologies in the process. The technologically minded with less pure motives began to see the possibilities of the Internet as a way to safely commit criminal acts. For example a bank robber, prior to the Internet had to physically go into a bank and steal money; a very risky adventure to say the least. However, the same crime, conducted electronically can not only be safer but have an exponentially higher payoff as more locations can be exploited. In the end, the exploitation of technology has created not only its own criminal element, it has also created an entire black market economy, one that has matured from a product-based economy to a service-based economy (Berinato, 2007).

A Connected World


As human beings we have an undeniable need for social interaction. The need for people to be apart of a group has driven social networking sites become the favored communication medium for millions world-wide. The need for interaction combined with the speed and convenience of the Internet has paved the way for a world in which all can be connected. Although the idea of a connected world resonates with our very nature, it can also be exploited by those with less honorable intentions.

Today’s workforce and family style has become preoccupied and mobile. The separate from family, the increased pressures of the workplace and the need for interaction has driven technology to toward mobility and convenience. The invention and subsequent proliferation of wireless networks has become the epicenter of modern connectivity. However, convenience and speed are not without a price. The price for the speed and convenient access to others is a failed security model. In fact it is often touted by security professionals that there is no such thing as a secure network, let alone a secure wireless network.

Online Data Repositories

The need for connectivity has created the demand for access. A mobile world is of no value if a person cannot access their data. Therefore, data has become geographically disassociated from the owner. This creates a problem for law enforcement and the forensic professional in that it is increasingly difficult to collect and collate all the data associated with a person. Similarly, this remote data repository model has granted a potential safe haven for criminals to anonymously store information while providing data centers with millions of records of data waiting to be harvested.

Network Shares

Network shares are an issue for law enforcement and forensic professionals if they fail to recognize them on a running system. A network share can contain some or all of the relevant information pertaining to a crime and will not be accessible once the computer is powered off. Therefore, law enforcement and forensic professionals must be cognizant of the potential data sources contained in network shares.



There are many applications focused on providing the data owner with security. However, applications that secure data can be used by criminals in an attempt to prevent attribution. The most common forms of security applications are encryption, steganography and biometrics. Encryption is denying access to information through use of encoding information, rendering it unreadable to anyone without the correct decode key. Biometrics is similar to encryption whereas it focuses on denying access to the information, in this case, through use of biometric verification. Steganography is different in that its focus is on hiding the data. Steganography typically uses audio and/or images to hide data by inserting it into areas that cannot be heard normally or that the naked eye cannot differentiate (often referred to as the “least significant bit”. Regardless, of the security application, these tools present significant challenges to law enforcement and forensic professionals, as they were designed specifically to deny access or hide information from anyone but the owner.



Anti-forensics refers to the practice of circumventing successful forensic processes. There are many forms of anti-forensics, however, it is critical to understand that anti-forensics is more of a mindset than a particular tool. Although there are tools to wipe data, insert false data and even specifically target data, anti-forensics in and of itself supersedes the application layer. Law enforcement and forensic professionals are the target of anti-forensics and as such as susceptible to booby-trapped computer systems, command aliases aimed at destroying data and the removal of user and operating system artifacts, creating a virtual minefield for the responder. Therefore, anti-forensics must be a consideration with regards to any on scene scenario.



Traditionally the computer housed the majority of data. Floppy diskettes and the occasional CD-ROM were routinely seized with a computer as they were co-located with the computer. However, the environment has changed significantly. Today, data physically resides on smart phones, USB Flash drives, laptop and tablet computers, Personal Digital Assistants (PDAs), Netbooks and a variety of other hardware devices. Unlike the desktop computer, these devices were built with mobility in mind. Therefore, the responder need be very diligent in locating any device that contained electronically stored media. As for law enforcement, these types of devices must be explicitly stated within the warrant and should be a routine part of a subject interview.

The Responder

The Responder, for the purpose of this paper, is the first person on scene where there is a running computer. The actions of the responder are critical to any investigation involving a live computer. However, the difficulties many organizations face is their inundation of response to which there is a live computer. In face of overwhelming incidents, it is not practical for many organizations to train and educate enough responders to expertly handle the variety of scenarios they are likely to face. In addition to lack of training and budget, there are surprising few tools capable of handling the complex live environments posed in the majority of responses. Therefore, the responder as a whole can be characterized as under trained, overworked and lacking the necessary tools to perform optimally in a live response scenario.


The modern threat environment is more complex and dangerous than ever. The lack of recognition and subsequent adaptation pertaining to the evolved threat can have devastating consequences. The traditional method of pulling the plug will get the “gun”, or computer in this case, but unfortunately, in today’s investigations, the “smoke” (volatile data) can be more important than the gun. Herein lies the art of incident response and when done correctly, the “smoke” may end up blowing right back in the criminal’s face.


Berinato, S. (2007). Hacker Economics 1: Malware as a Service. CIO Magazine. Retrieved October 11, 2007 from

Bordwine, J. (2010). The STAND Cybersecurity. Washington Technology. Retrieved December 7, 2010, from

Britz, M. (2004). Computer Forensics and Cyber Crime, An Introduction. Pearson Education Inc., Upper Saddle River, NJ. Pearson and Prentice Hall.

Lewis, A. (2009, July-December). Digital Smoke: The Art of Incident Response. The Informant, 6(2), 26-27.

Loney, M. (2004). Study: Unpatched PCs Compromised in 20 Minutes. CNet News. Retrieved December 7, 2010, from

Webster’s Online Dictionary (2010). Speciality Expressions: Moore’s Law. Retrieved December 6, 2010, from cx=partner-pub-0939450753529744%3Av0qd01-tdlq&cof=FORID%3A9&ie=UTF-8&q=Moore%27s+Law&sa=Search#922


Proprietary Embedded Data

December 10, 2009

This is a case study using a specific piece of software – Adobe Photoshop Album.  While some examiners may encounter this software in a case, focusing on the software itself is not the intent of this paper.  This would severely limit the scope, audience and overall value of this document.  Rather this is intended to demonstrate a methodology to recognizing and carving out useable data structures from within a proprietary object or file. 

In some ways, I view methodology the same way I view “cop instinct”.  What I mean by this is that sometimes, based on real world experience, training, and a host of personal observations, a correct conclusion can be formulated before the facts can be articulated.  In other words, it’s impossible to train for instinct by enumerating a number of steps you must go through every time.  Similarly, it’s impossible to train methodology by giving a clear cut step by step process.  Certainly a step by step process and training will give a foundation for examiners and it will clearly begin to develop the experience one needs to be able to have that “cop instinct” or know where to go based on methodology. 

Analogies tend to break down eventually, and in this case this one breaks down here:  In the law enforcement world, if “cop instinct” is misjudged, at best there’s an opportunity lost (for an arrest or stopping a violent situation before it escalates), and at worst it means injury or a law suit.  Fortunately with computer forensics, if methodology is misjudged, we can try a different path since we’re working on an image not the original evidence.

I am not intending to portray myself as infallible; I’m trying to demonstrate that persistence, experience, and a documented, repeatable (even if not graceful) methodology are invaluable for a Computer Forensic Examiner – sometimes more invaluable than any tool in their expensive tool chest.

Publishing this paper is ultimately meant to show the fact that data was recognized within a proprietary file structure (a tn.4.cache file in this case), the data was known to include contraband, and data was carved out to make viewing easier (or indeed possible) by non-technical agents and/or prosecutors.  Even proprietary software tends to use known data structures for their proven reliability and efficiency.  This paper reminds the experienced examiner that their most trusted tool is still a raw hex viewer/editor holstered somewhere on their belt next to a magazine filled to capacity with their methodology.

The complete document is available here:  Carving Data Structures from Files – Case Study Adobe Photoshop Album


Google Browser Toolbar Artifacts

December 10, 2009

Browser toolbars, specifically the Google Browser Toolbar, may leave behind artifacts relevant to a case.  I looked closely at one such artifact and wrote up my findings based on my own testing.  The artifact was a file titled “google%2E.web.w”.  Though not everyone will come across this file in their forensic analysis, the file was relevant to an active case.  I have not encountered this particular file in previous exams (I don’t use or install browser toolbars so I have not seen this file on my own system either).  The system used to test the behavior of this file had to match closely to the suspect’s OS and therefore it was tested on Windows Vista pre-SP1.  I have not done testing on this file’s behavior with earlier versions of Windows.

The complete paper is available here:  Google Toolbar Search Artifacts