Showing posts with the label Mobile Device Forensics

Review of the new SANS 585 Smartphone Forensics Course

I recently had the opportunity to beta test the soon to be released SANS 585 Smartphone Forensics course and I wanted to share some thoughts about the course content and the labs. The course page on the SANS website ( http://www.sans.org/event/for585-advanced-smartphone-mobile-device-forensics/course/advanced-smartphone-mobile-device-forensics ) provides an accurate overview of each day’s topics so I’ll focus more on thoughts and opinions than lists.

Overview

The course starts with an overview of cellular technology and networks and quickly moves on to explore advanced topics. The jump from the basics into topics like wear leveling, garbage collection and so on is an earmark of a SANS forensics course, which is one of the reasons why I love these courses so much. The refresher of the basics is nice, but the integration of advanced issues – which is where many of us need the help – is nothing short of awesome. Throughout all five days, the course provides full-page examples that demonst...

Forensic Artifact Analysis of the Burner App for the iPhone

In April of this year, I saw a thread on Forensicfocus.com discussing a new smartphone app called “Burner” which lets users purchase disposable phone numbers for short-term use. The application has some very practical uses for online activity – such as selling items on Craigslist – but it also has some obvious implications for anybody performing digital forensics work. At this moment, none of the commercial mobile device forensics tools I have available to me parsed the data from the Burner application. I’m sure that will change if the app continues to grow in popularity. I recently had an opportunity to install Burner on my iPhone 5 and examine the artifacts left on the phone after I used it. I also wrote a Python script to parse information from the burner.sqlite file and generate an HTML report. I’ve affectionately named the script ‘Oven Mitt’. Burner leaves quite a bit of data intact on the device. Additionally, a lot of what it does cover up can be acquired by other mea...

Python Tool for Parsing Data from Rand McNally GPS units

I recently encountered a Rand McNally Intelliroute TND 720 GPS unit and none of the commercial forensic tools had the ability to acquire data from the device, so I imaged the device and poked around for any interesting data files. I found a file called DestHistory.txt which obviously piqued my interest. I opened the file in Notepad and while it contained a lot of unusual characters it also contained multiple recent destinations sandwiched in between those characters. I wrote a small Python script which takes the contents of the DestHistory.txt and parses it into both an HTML report and a KML file which can be opened in Google Earth. The tool is called rmparse and can be downloaded here . The project was fairly straightforward. The only hiccup was that the DestHistory.txt is in Unicode format, so when my script parsed the file there was a null between every character. I tried a standard B = A.replace(" ", "") command but had no luck. I ended up using a B = A.replace("\x00", "") command a...

Quick Update and Minor Tool Announcement

June was a fairly busy month as I knocked out my GISP and CEH. The GISP required no extra study on my part as I had just finished my CISSP exam and it’s basically an open book CISSP. The GISP questions were more technical than the CISSP versions, which honestly made the test easier. Well, that and the open books 🙂 The CEH is fairly straightforward with a lot of tool specific questions, port related questions and scenarios which test your basic network security knowledge. The CEH was a nice one to get out of the way and the GWAPT should be the next one on my list. I just finished going through the SANS SEC 542 course in the On-Demand format and will now start spending some time with the course exercises and creating my index. If anyone has any specific questions on my GISP or CEH prep, please feel free to ask. On another note, I recently encountered a Rand McNally GPS unit which no commercial forensic tool I had access to was able to parse. I wrote a small Python script which parsed the d...