Digital ForensicS / magazine<br /> The Quarterly Magazine for Digital Forensics Practitioners<br /> ISSUE 06<br /> 1 FEBRUARY 2011<br /> Competition! Books, books and yet more books…<br /> INSIDE<br /> / Scott Zimmerman ON Search & Seizure<br /> / Wi-Fi Forensics<br /> / Criminal Profiling<br /> / Operational Forensics on the Mac<br /> CYBER SECURITY SITUATIONAL AWARENESS<br /> Ian Murphy looks at how Digital Forensics techniques & tools are used as a result of Situational Awareness<br /> Issue 6 / £11.99 TR Media<br /> / REGULARS / INTRODUCING / Book Reviews / FROM THE LAB<br /> LEGAL NEWS, 360, ROB LEE'S brand new <a title="DFM Issue 6 page 1" href="http://viewer.zmags.com/publication/0f2a83ed?page=1"> Digital The Quarterly Magazine for Digital Fore</a> <a title="DFM Issue 6 page 2" href="http://viewer.zmags.com/publication/0f2a83ed?page=2"> Shape your future Forensic Computing MSc Fo</a> <a title="DFM Issue 6 page 3" href="http://viewer.zmags.com/publication/0f2a83ed?page=3"> EDITORIAL T </a> <a title="DFM Issue 6 page 4" href="http://viewer.zmags.com/publication/0f2a83ed?page=4"> Reviewing the latest sports highlights </a> <a title="DFM Issue 6 page 5" href="http://viewer.zmags.com/publication/0f2a83ed?page=5"> CONTENTS / DIGITAL FORENSICS MAGAZINE </a> <a title="DFM Issue 6 page 6" href="http://viewer.zmags.com/publication/0f2a83ed?page=6"> / NEWS NEWS F3 Conference This yea</a> <a title="DFM Issue 6 page 7" href="http://viewer.zmags.com/publication/0f2a83ed?page=7"> made to begin closing its services over time. 
The</a> <a title="DFM Issue 6 page 8" href="http://viewer.zmags.com/publication/0f2a83ed?page=8"> Mobile Development from Apress The lar</a> <a title="DFM Issue 6 page 9" href="http://viewer.zmags.com/publication/0f2a83ed?page=9"> 360° HGet Involved aving receiv</a> <a title="DFM Issue 6 page 10" href="http://viewer.zmags.com/publication/0f2a83ed?page=10"> / LETTERS Comment on RAM Capture Article I agr</a> <a title="DFM Issue 6 page 11" href="http://viewer.zmags.com/publication/0f2a83ed?page=11"> / FEATURE ON TRIAL – IMAGING TOOL PERFORMANCE </a> <a title="DFM Issue 6 page 12" href="http://viewer.zmags.com/publication/0f2a83ed?page=12"> / FEATURE Requirements Description DI-RM-</a> <a title="DFM Issue 6 page 13" href="http://viewer.zmags.com/publication/0f2a83ed?page=13"> Functionalities FTK Imager Version 2.9.0 </a> <a title="DFM Issue 6 page 14" href="http://viewer.zmags.com/publication/0f2a83ed?page=14"> Cell site analysis Computer forensics Audio vi</a> <a title="DFM Issue 6 page 15" href="http://viewer.zmags.com/publication/0f2a83ed?page=15"> / ROBSERVATIONS ROBSERVATIONS Challenge: What </a> <a title="DFM Issue 6 page 16" href="http://viewer.zmags.com/publication/0f2a83ed?page=16"> / FEATURE NETFLOW FORENSICS Innocent or Guil</a> <a title="DFM Issue 6 page 17" href="http://viewer.zmags.com/publication/0f2a83ed?page=17"> Internet Protocol (IP) address, or search for all</a> <a title="DFM Issue 6 page 18" href="http://viewer.zmags.com/publication/0f2a83ed?page=18"> / FEATURE </a> <a title="DFM Issue 6 page 19" href="http://viewer.zmags.com/publication/0f2a83ed?page=19"> </a> <a title="DFM Issue 6 page 20" href="http://viewer.zmags.com/publication/0f2a83ed?page=20"> / FEATURE an external IP address, service or </a> <a title="DFM Issue 6 page 21" href="http://viewer.zmags.com/publication/0f2a83ed?page=21"> COMPETITION / This issue we have four great books</a> <a title="DFM Issue 6 page 22" href="http://viewer.zmags.com/publication/0f2a83ed?page=22"> / FEATURE 
CYBER SECURITY SITUATIONAL AWARENES</a> <a title="DFM Issue 6 page 23" href="http://viewer.zmags.com/publication/0f2a83ed?page=23"> Being able to provide this “view from the bri</a> <a title="DFM Issue 6 page 24" href="http://viewer.zmags.com/publication/0f2a83ed?page=24"> / FEATURE / Data Fusion So what is data fusion?</a> <a title="DFM Issue 6 page 25" href="http://viewer.zmags.com/publication/0f2a83ed?page=25"> Figure 2 – Data Fusion Level table. An int</a> <a title="DFM Issue 6 page 26" href="http://viewer.zmags.com/publication/0f2a83ed?page=26"> / FEATURE </a> <a title="DFM Issue 6 page 27" href="http://viewer.zmags.com/publication/0f2a83ed?page=27"> / LEGAL EDITORIAL LEGAL EDITORIAL Welcome aga</a> <a title="DFM Issue 6 page 28" href="http://viewer.zmags.com/publication/0f2a83ed?page=28"> / LEGAL FEATURE PREPARING FOR SEARCH & SEIZURE</a> <a title="DFM Issue 6 page 29" href="http://viewer.zmags.com/publication/0f2a83ed?page=29"> From the victim's point of view, this is the leas</a> <a title="DFM Issue 6 page 30" href="http://viewer.zmags.com/publication/0f2a83ed?page=30"> / LEGAL FEATURE Note that the third colu</a> <a title="DFM Issue 6 page 31" href="http://viewer.zmags.com/publication/0f2a83ed?page=31"> A journaling filesystem records commands destined </a> <a title="DFM Issue 6 page 32" href="http://viewer.zmags.com/publication/0f2a83ed?page=32"> / LEGAL NEWS ALERT LEGAL NEWS ALERT A View fro</a> <a title="DFM Issue 6 page 33" href="http://viewer.zmags.com/publication/0f2a83ed?page=33"> Expert Witnesses May be About to Lose Immunity fr</a> <a title="DFM Issue 6 page 34" href="http://viewer.zmags.com/publication/0f2a83ed?page=34"> / FEATURE WIFI FORENSICS Wireless Forensic In</a> <a title="DFM Issue 6 page 35" href="http://viewer.zmags.com/publication/0f2a83ed?page=35"> · rogue access points – access points that do</a> <a title="DFM Issue 6 page 36" href="http://viewer.zmags.com/publication/0f2a83ed?page=36"> / FEATURE · How many clients where 
communicat</a> <a title="DFM Issue 6 page 37" href="http://viewer.zmags.com/publication/0f2a83ed?page=37"> Forensic Computing 12-month stu</a> <a title="DFM Issue 6 page 38" href="http://viewer.zmags.com/publication/0f2a83ed?page=38"> </a> <a title="DFM Issue 6 page 39" href="http://viewer.zmags.com/publication/0f2a83ed?page=39"> Ready for the Cloud access HTTPS web console, </a> <a title="DFM Issue 6 page 40" href="http://viewer.zmags.com/publication/0f2a83ed?page=40"> / FEATURE COMBAT FORENSICS – AN UNMET NEED M</a> <a title="DFM Issue 6 page 41" href="http://viewer.zmags.com/publication/0f2a83ed?page=41"> Nation state activity is very different from</a> <a title="DFM Issue 6 page 42" href="http://viewer.zmags.com/publication/0f2a83ed?page=42"> / FEATURE and on-going information security t</a> <a title="DFM Issue 6 page 43" href="http://viewer.zmags.com/publication/0f2a83ed?page=43"> the US. Federal law enforcement typically has mor</a> <a title="DFM Issue 6 page 44" href="http://viewer.zmags.com/publication/0f2a83ed?page=44"> / MEET THE PROFESSIONALS MEET THE DF PROFESSIO</a> <a title="DFM Issue 6 page 45" href="http://viewer.zmags.com/publication/0f2a83ed?page=45"> How do you see the future of your research as it </a> <a title="DFM Issue 6 page 46" href="http://viewer.zmags.com/publication/0f2a83ed?page=46"> Digital ForensicS / magazine Digital Forensics m</a> <a title="DFM Issue 6 page 47" href="http://viewer.zmags.com/publication/0f2a83ed?page=47"> / FEATURE WARPS – A FRAMEWORK FOR TIMELY INFOR</a> <a title="DFM Issue 6 page 48" href="http://viewer.zmags.com/publication/0f2a83ed?page=48"> / FEATURE Internet incident in the previous y</a> <a title="DFM Issue 6 page 49" href="http://viewer.zmags.com/publication/0f2a83ed?page=49"> have been instances where the security patches th</a> <a title="DFM Issue 6 page 50" href="http://viewer.zmags.com/publication/0f2a83ed?page=50"> / FEATURE service that they might exchange da</a> <a title="DFM Issue 6 page 51" 
href="http://viewer.zmags.com/publication/0f2a83ed?page=51"> / APPLE AUTOPSY APPLE AUTOPSY Welcome to our n</a> <a title="DFM Issue 6 page 52" href="http://viewer.zmags.com/publication/0f2a83ed?page=52"> / FEATURE MAC OS X NETWORK PRIMER With the co</a> <a title="DFM Issue 6 page 53" href="http://viewer.zmags.com/publication/0f2a83ed?page=53"> but this magic is just DDNS and some caching on t</a> <a title="DFM Issue 6 page 54" href="http://viewer.zmags.com/publication/0f2a83ed?page=54"> / FEATURE Figure 1. Simple Serv</a> <a title="DFM Issue 6 page 55" href="http://viewer.zmags.com/publication/0f2a83ed?page=55"> online web store. Although the application needs </a> <a title="DFM Issue 6 page 56" href="http://viewer.zmags.com/publication/0f2a83ed?page=56"> / FEATURE FINDING A ROOTKIT & HIDDEN PROCESS W</a> <a title="DFM Issue 6 page 57" href="http://viewer.zmags.com/publication/0f2a83ed?page=57"> (first 512 bytes) of a system boot disk, such that</a> <a title="DFM Issue 6 page 58" href="http://viewer.zmags.com/publication/0f2a83ed?page=58"> / FEATURE Figure 4. </a> <a title="DFM Issue 6 page 59" href="http://viewer.zmags.com/publication/0f2a83ed?page=59"> IPSpooferExtreme.exe process is still running. In</a> <a title="DFM Issue 6 page 60" href="http://viewer.zmags.com/publication/0f2a83ed?page=60"> / FEATURE thinking it is loading a device dri</a> <a title="DFM Issue 6 page 61" href="http://viewer.zmags.com/publication/0f2a83ed?page=61"> the PID's are set to 0. These processes have been</a> <a title="DFM Issue 6 page 62" href="http://viewer.zmags.com/publication/0f2a83ed?page=62"> / FEATURE Figure 15. 
Sus</a> <a title="DFM Issue 6 page 63" href="http://viewer.zmags.com/publication/0f2a83ed?page=63"> / FEATURE CRIMINAL PROFILING ALL PHASES OF A C</a> <a title="DFM Issue 6 page 64" href="http://viewer.zmags.com/publication/0f2a83ed?page=64"> / FEATURE / The Process to Choose a Target This</a> <a title="DFM Issue 6 page 65" href="http://viewer.zmags.com/publication/0f2a83ed?page=65"> In the case of a mass attack, there is probably n</a> <a title="DFM Issue 6 page 66" href="http://viewer.zmags.com/publication/0f2a83ed?page=66"> / FEATURE tools can be detected through monit</a> <a title="DFM Issue 6 page 67" href="http://viewer.zmags.com/publication/0f2a83ed?page=67"> BLADE FORENSIC DATA RECOVERY BLADE is a Wind</a> <a title="DFM Issue 6 page 68" href="http://viewer.zmags.com/publication/0f2a83ed?page=68"> / NEXT ISSUE COMING SOON… A roundup of featu</a> <a title="DFM Issue 6 page 69" href="http://viewer.zmags.com/publication/0f2a83ed?page=69"> / FEATURE STEGANOGRAPHY APPLICATION ARTIFACT D</a> <a title="DFM Issue 6 page 70" href="http://viewer.zmags.com/publication/0f2a83ed?page=70"> / FEATURE appending a file beyond the end-of-fi</a> <a title="DFM Issue 6 page 71" href="http://viewer.zmags.com/publication/0f2a83ed?page=71"> Figure 1: Steganography application In the c</a> <a title="DFM Issue 6 page 72" href="http://viewer.zmags.com/publication/0f2a83ed?page=72"> / FEATURE Essentially, the difference bet</a> <a title="DFM Issue 6 page 73" href="http://viewer.zmags.com/publication/0f2a83ed?page=73"> Digital ForensicS / magazine BACK ISSUES Issue </a> <a title="DFM Issue 6 page 74" href="http://viewer.zmags.com/publication/0f2a83ed?page=74"> / FEATURE DEALING WITH DIGITAL EVIDENCE BACKLO</a> <a title="DFM Issue 6 page 75" href="http://viewer.zmags.com/publication/0f2a83ed?page=75"> on the specifics, including tactics and methods, o</a> <a title="DFM Issue 6 page 76" href="http://viewer.zmags.com/publication/0f2a83ed?page=76"> / FEATURE some lower-level work to field 
inves</a> <a title="DFM Issue 6 page 77" href="http://viewer.zmags.com/publication/0f2a83ed?page=77"> the evidence. Time becomes of the essence to coll</a> <a title="DFM Issue 6 page 78" href="http://viewer.zmags.com/publication/0f2a83ed?page=78"> / BOOK REVIEWS BOOK REVIEWS Dissecting the Hac</a> <a title="DFM Issue 6 page 79" href="http://viewer.zmags.com/publication/0f2a83ed?page=79"> introduces why I believe the book is excellent va</a> <a title="DFM Issue 6 page 80" href="http://viewer.zmags.com/publication/0f2a83ed?page=80"> MD5 are recognised as one of the leading digital </a> <a title="DFM Issue 6 page 81" href="http://viewer.zmags.com/publication/0f2a83ed?page=81"> / GET INVOLVED GET INVOLVED / Authors As we c</a> <a title="DFM Issue 6 page 82" href="http://viewer.zmags.com/publication/0f2a83ed?page=82"> / COLUMN IRQ Opinions and conflicts and standards</a> <a title="DFM Issue 6 page 83" href="http://viewer.zmags.com/publication/0f2a83ed?page=83"> BLADE FORENSIC DATA RECOVERY BLADE is a Wind</a> <a title="DFM Issue 6 page 84" href="http://viewer.zmags.com/publication/0f2a83ed?page=84"> Digital Forensics for an Evolving World May 201</a>