<br /> The Quarterly Magazine for Digital Forensics Practitioners<br /> INSIDE<br /> / Testing Tool Capability for Social Network Forensics<br /> / First Responders<br /> / What's so Ethical About Hacking?<br /> / Mobile Devices & EVIL TWINS<br /> REVERSE ENGINEERING PERL2EXE BACK TO PERL<br /> Thijs Bosschert on a new approach to recover the full Perl source code from Perl2Exe executable files<br /> WIN! AN IPOD NANO IN THIS MONTH'S COMPETITION<br /> ISSUE 12<br /> AUGUST 2012<br /> Issue 12 / £14.99 TR Media<br /> / REGULARS / FROM THE LAB / INTRODUCING / Book Reviews<br /> robservations, 360, MacForensics Lab V4 Image Forensics DiSTRIBUTED AND<br /> news, irq & more… review & How to UFED PLUS IOS Q&A CLOUD COMPUTING<br /> <br /> <a title="DFM12 page 1" href="http://viewer.zmags.com/publication/5d2b4ae7?page=1"> The Quarterly Magazine for Digital Forensics Prac</a> <a title="DFM12 page 2" href="http://viewer.zmags.com/publication/5d2b4ae7?page=2"> </a> <a title="DFM12 page 3" href="http://viewer.zmags.com/publication/5d2b4ae7?page=3"> EDITORIAL I </a> <a title="DFM12 page 4" href="http://viewer.zmags.com/publication/5d2b4ae7?page=4"> </a> <a title="DFM12 page 5" href="http://viewer.zmags.com/publication/5d2b4ae7?page=5"> CONTENTS / DIGITAL FORENSICS MAGAZINE </a> <a title="DFM12 page 6" href="http://viewer.zmags.com/publication/5d2b4ae7?page=6"> / NEWS NEWS MD5 adds iCONECT's Intuitive XERA </a> <a title="DFM12 page 7" href="http://viewer.zmags.com/publication/5d2b4ae7?page=7"> We note that GCHQ and the other agencies hav</a> <a title="DFM12 page 8" href="http://viewer.zmags.com/publication/5d2b4ae7?page=8"> </a> <a title="DFM12 page 9" href="http://viewer.zmags.com/publication/5d2b4ae7?page=9"> / FEATURE FIRST RESPONDERS & FORENSIC CAPABILI</a> <a title="DFM12 page 10" href="http://viewer.zmags.com/publication/5d2b4ae7?page=10"> / FEATURE Figure 2. 
Incursion Log En</a> <a title="DFM12 page 11" href="http://viewer.zmags.com/publication/5d2b4ae7?page=11"> practice in the middle of a full blown attack, an</a> <a title="DFM12 page 12" href="http://viewer.zmags.com/publication/5d2b4ae7?page=12"> / FEATURE 1 Indicative Non-erotic and non</a> <a title="DFM12 page 13" href="http://viewer.zmags.com/publication/5d2b4ae7?page=13"> </a> <a title="DFM12 page 14" href="http://viewer.zmags.com/publication/5d2b4ae7?page=14"> / ROBSERVATIONS ROBSERVATIONS Workloads are g</a> <a title="DFM12 page 15" href="http://viewer.zmags.com/publication/5d2b4ae7?page=15"> The digital world is one where you have to co</a> <a title="DFM12 page 16" href="http://viewer.zmags.com/publication/5d2b4ae7?page=16"> / LEAD FEATURE REVERSE ENGINEERING PERL2EXE BA</a> <a title="DFM12 page 17" href="http://viewer.zmags.com/publication/5d2b4ae7?page=17"> / How a Perl2Exe Generated Program Works The newl</a> <a title="DFM12 page 18" href="http://viewer.zmags.com/publication/5d2b4ae7?page=18"> / LEAD FEATURE Figure 4.</a> <a title="DFM12 page 19" href="http://viewer.zmags.com/publication/5d2b4ae7?page=19"> the line with the JNE in it and then change the t</a> <a title="DFM12 page 20" href="http://viewer.zmags.com/publication/5d2b4ae7?page=20"> / LEAD FEATURE Figure 5. OllyDbg jum</a> <a title="DFM12 page 21" href="http://viewer.zmags.com/publication/5d2b4ae7?page=21"> </a> <a title="DFM12 page 22" href="http://viewer.zmags.com/publication/5d2b4ae7?page=22"> / FEATURE MOBILE DEVICES & EVIL TWINS We all hav</a> <a title="DFM12 page 23" href="http://viewer.zmags.com/publication/5d2b4ae7?page=23"> threats that have gone unnoticed replacing the ne</a> <a title="DFM12 page 24" href="http://viewer.zmags.com/publication/5d2b4ae7?page=24"> / FEATURE Beacon frames are all well and </a> <a title="DFM12 page 25" href="http://viewer.zmags.com/publication/5d2b4ae7?page=25"> 2. 
Next we need to set up some tunnelling, this w</a> <a title="DFM12 page 26" href="http://viewer.zmags.com/publication/5d2b4ae7?page=26"> / LETTERS 360° Your chance to have your say… H </a> <a title="DFM12 page 27" href="http://viewer.zmags.com/publication/5d2b4ae7?page=27"> </a> <a title="DFM12 page 28" href="http://viewer.zmags.com/publication/5d2b4ae7?page=28"> </a> <a title="DFM12 page 29" href="http://viewer.zmags.com/publication/5d2b4ae7?page=29"> / LEGAL EDITORIAL LEGAL EDITORIAL Why `Copyri</a> <a title="DFM12 page 30" href="http://viewer.zmags.com/publication/5d2b4ae7?page=30"> / LEGAL FEATURE THE RISE AND FALL OF THE CASE </a> <a title="DFM12 page 31" href="http://viewer.zmags.com/publication/5d2b4ae7?page=31"> Kim Dotcom; whose original name is Kim Schmi</a> <a title="DFM12 page 32" href="http://viewer.zmags.com/publication/5d2b4ae7?page=32"> / LEGAL FEATURE was infringing on the exclusi</a> <a title="DFM12 page 33" href="http://viewer.zmags.com/publication/5d2b4ae7?page=33"> / NEXT ISSUE COMING SOON… A round-up of feat</a> <a title="DFM12 page 34" href="http://viewer.zmags.com/publication/5d2b4ae7?page=34"> / LEGAL NEWS ALERT LEGAL NEWS ALERT Google sue</a> <a title="DFM12 page 35" href="http://viewer.zmags.com/publication/5d2b4ae7?page=35"> </a> <a title="DFM12 page 36" href="http://viewer.zmags.com/publication/5d2b4ae7?page=36"> / MEET THE PROFESSIONALS MEET THE DF PROFESSIO</a> <a title="DFM12 page 37" href="http://viewer.zmags.com/publication/5d2b4ae7?page=37"> based mail clients and even communication inside </a> <a title="DFM12 page 38" href="http://viewer.zmags.com/publication/5d2b4ae7?page=38"> </a> <a title="DFM12 page 39" href="http://viewer.zmags.com/publication/5d2b4ae7?page=39"> </a> <a title="DFM12 page 40" href="http://viewer.zmags.com/publication/5d2b4ae7?page=40"> COMPETITION / This issue we have A FANTASTIC A</a> <a title="DFM12 page 41" href="http://viewer.zmags.com/publication/5d2b4ae7?page=41"> / FEATURE ETHICAL HACKING What place do 
hacker</a> <a title="DFM12 page 42" href="http://viewer.zmags.com/publication/5d2b4ae7?page=42"> / FEATURE Purist hackers continued to pro</a> <a title="DFM12 page 43" href="http://viewer.zmags.com/publication/5d2b4ae7?page=43"> (IIOC) on the Internet. They believed abusing chi</a> <a title="DFM12 page 44" href="http://viewer.zmags.com/publication/5d2b4ae7?page=44"> / FEATURE / Evolution of the</a> <a title="DFM12 page 45" href="http://viewer.zmags.com/publication/5d2b4ae7?page=45"> / APPLE AUTOPSY APPLE AUTOPSY The Retina Display</a> <a title="DFM12 page 46" href="http://viewer.zmags.com/publication/5d2b4ae7?page=46"> / FEATURE MAC FORENSICS LAB V4.0 If you are l</a> <a title="DFM12 page 47" href="http://viewer.zmags.com/publication/5d2b4ae7?page=47"> The browse function Mac Forensics Lab reads </a> <a title="DFM12 page 48" href="http://viewer.zmags.com/publication/5d2b4ae7?page=48"> / FEATURE The folks at SubRosaSoft also h</a> <a title="DFM12 page 49" href="http://viewer.zmags.com/publication/5d2b4ae7?page=49"> Report generation output There are other sho</a> <a title="DFM12 page 50" href="http://viewer.zmags.com/publication/5d2b4ae7?page=50"> </a> <a title="DFM12 page 51" href="http://viewer.zmags.com/publication/5d2b4ae7?page=51"> / FEATURE HANDS ON THE UFED TOUCH A new interf</a> <a title="DFM12 page 52" href="http://viewer.zmags.com/publication/5d2b4ae7?page=52"> / FEATURE Touch provides all the same functio</a> <a title="DFM12 page 53" href="http://viewer.zmags.com/publication/5d2b4ae7?page=53"> For instance, say you find a string of text me</a> <a title="DFM12 page 54" href="http://viewer.zmags.com/publication/5d2b4ae7?page=54"> / FEATURE / Additional capabi</a> <a title="DFM12 page 55" href="http://viewer.zmags.com/publication/5d2b4ae7?page=55"> / FEATURE TESTING TOOL CAPABILITY FOR SOCIAL N</a> <a title="DFM12 page 56" href="http://viewer.zmags.com/publication/5d2b4ae7?page=56"> / FEATURE Figure 1. 
The Tes</a> <a title="DFM12 page 57" href="http://viewer.zmags.com/publication/5d2b4ae7?page=57"> Name Description CacheBack (version 3.7.5) I</a> <a title="DFM12 page 58" href="http://viewer.zmags.com/publication/5d2b4ae7?page=58"> / FEATURE Figure 2. Compariso</a> <a title="DFM12 page 59" href="http://viewer.zmags.com/publication/5d2b4ae7?page=59"> </a> <a title="DFM12 page 60" href="http://viewer.zmags.com/publication/5d2b4ae7?page=60"> / FEATURE COVERT CHANNELS IN NETWORK PROTOCOLS</a> <a title="DFM12 page 61" href="http://viewer.zmags.com/publication/5d2b4ae7?page=61"> Figure 1 In addition the following software </a> <a title="DFM12 page 62" href="http://viewer.zmags.com/publication/5d2b4ae7?page=62"> / FEATURE Figure 2 </a> <a title="DFM12 page 63" href="http://viewer.zmags.com/publication/5d2b4ae7?page=63"> i.e. can anybody see the information flow, measure</a> <a title="DFM12 page 64" href="http://viewer.zmags.com/publication/5d2b4ae7?page=64"> / FEATURE In addition, some fields can on</a> <a title="DFM12 page 65" href="http://viewer.zmags.com/publication/5d2b4ae7?page=65"> </a> <a title="DFM12 page 66" href="http://viewer.zmags.com/publication/5d2b4ae7?page=66"> / FEATURE VIDEO IDENTIFICATION The proliferati</a> <a title="DFM12 page 67" href="http://viewer.zmags.com/publication/5d2b4ae7?page=67"> The Videntifier software can be downloaded fr</a> <a title="DFM12 page 68" href="http://viewer.zmags.com/publication/5d2b4ae7?page=68"> / FEATURE THE GPU PROCESSING SI</a> <a title="DFM12 page 69" href="http://viewer.zmags.com/publication/5d2b4ae7?page=69"> </a> <a title="DFM12 page 70" href="http://viewer.zmags.com/publication/5d2b4ae7?page=70"> / FEATURE CIRCUMVENTING SMS BASED TWO FACTOR A</a> <a title="DFM12 page 71" href="http://viewer.zmags.com/publication/5d2b4ae7?page=71"> attacks and they have been seen in the wild. 
Of p</a> <a title="DFM12 page 72" href="http://viewer.zmags.com/publication/5d2b4ae7?page=72"> / FEATURE / Dissecting the Attack and Malware D</a> <a title="DFM12 page 73" href="http://viewer.zmags.com/publication/5d2b4ae7?page=73"> · Attackers can inject HTML tags into HTTP respon</a> <a title="DFM12 page 74" href="http://viewer.zmags.com/publication/5d2b4ae7?page=74"> / FEATURE · Android and Symbian allow develop</a> <a title="DFM12 page 75" href="http://viewer.zmags.com/publication/5d2b4ae7?page=75"> Digital ForensicS / magazine BACK ISSUES The Quar</a> <a title="DFM12 page 76" href="http://viewer.zmags.com/publication/5d2b4ae7?page=76"> / FEATURE Q&A Electronic Discovery and Digital Fo</a> <a title="DFM12 page 77" href="http://viewer.zmags.com/publication/5d2b4ae7?page=77"> Example Feature Physical Logical iTun</a> <a title="DFM12 page 78" href="http://viewer.zmags.com/publication/5d2b4ae7?page=78"> / FEATURE Name of File Encryption Key </a> <a title="DFM12 page 79" href="http://viewer.zmags.com/publication/5d2b4ae7?page=79"> Operating System System Path Windows XP C</a> <a title="DFM12 page 80" href="http://viewer.zmags.com/publication/5d2b4ae7?page=80"> / BOOK REVIEWS BOOK REVIEWS Distributed and Cl</a> <a title="DFM12 page 81" href="http://viewer.zmags.com/publication/5d2b4ae7?page=81"> Due to their different artifacts, the book ha</a> <a title="DFM12 page 82" href="http://viewer.zmags.com/publication/5d2b4ae7?page=82"> / COLUMN IRQ Clouding the issue. Sby Angus Marsha</a> <a title="DFM12 page 83" href="http://viewer.zmags.com/publication/5d2b4ae7?page=83"> </a> <a title="DFM12 page 84" href="http://viewer.zmags.com/publication/5d2b4ae7?page=84"> </a>