<br /> Digital ForensicS / magazine<br />
The Quarterly Magazine for Digital Forensics Practitioners<br />
Issue 18 · February 2014<br />
WIN! an iPod Nano<br />
<br />
BEYOND TIMELINES: Anchors in Relative Time<br />
Mark Spencer takes an in-depth look at timelines, and highlights the importance of checking detail, using a recent case in Turkey to demonstrate the dangers…<br />
<br />
Latest News, 360, Book Reviews, IRQ & much more inside!<br />
<br />
PLUS!<br />
Forensic Readiness<br />
Malicious use of Android Permissions<br />
Using Fuzzy Hashes for Malware Classification<br />
<br />
9 772042 061004<br />
Issue 18 / £14.99 TR Media<br />
<br />
EDITORIAL<br />
It was clear when we started the editing process<br />