The Quarterly Magazine for Digital Forensics Practitioners<br />
ISSUE 15, MAY 2013 / £14.99 / TR Media<br />
WIN! A STEGALYZER USB FROM SARC<br />
LEAD FEATURE: GOOGLE DESKTOP FORENSICS – Google Desktop use in Digital Forensic examinations<br />
INSIDE: Cryptographic Key Recovery / Tunnelling Out: Data Extraction / Fuzzing Risks in Software Tools / Timeline Creation & Review<br />
REGULARS: NEWS, 360, irq, LEGAL & more…<br />
INTRODUCING: Registry Recon – HOW IT WAS DEVELOPED<br />
FROM THE LAB: StegAlyzer: DETECTING Steganography IN THE FIELD<br />
Book Reviews: Windows Forensic Analysis Toolkit<br />
<br />
<a title="DFM15 page 1" href="http://viewer.zmags.com/publication/6dcf3162?page=1">The Quarterly Magazine for Digital Forensics Prac</a>
<a title="DFM15 page 3" href="http://viewer.zmags.com/publication/6dcf3162?page=3">EDITORIAL W</a>
<a title="DFM15 page 5" href="http://viewer.zmags.com/publication/6dcf3162?page=5">CONTENTS / DIGITAL FORENSICS MAGAZINE</a>
<a title="DFM15 page 6" href="http://viewer.zmags.com/publication/6dcf3162?page=6">/ NEWS NEWS DC3 Digital Forensics Challen</a>
<a title="DFM15 page 7" href="http://viewer.zmags.com/publication/6dcf3162?page=7">UK Royal Military Police cuts digital forensics c</a>
<a title="DFM15 page 9" href="http://viewer.zmags.com/publication/6dcf3162?page=9">/ FEATURE CRYPTOGRAPHIC KEY RECOVERY Andy Swif</a>
<a title="DFM15 page 10" href="http://viewer.zmags.com/publication/6dcf3162?page=10">/ FEATURE Now, this type of attack is a</a>
<a title="DFM15 page 11" href="http://viewer.zmags.com/publication/6dcf3162?page=11">1) Some data to encrypt 2) An encryption algorithm</a>
<a title="DFM15 page 12" href="http://viewer.zmags.com/publication/6dcf3162?page=12">/ FEATURE from the Internet, however one thin</a>
<a title="DFM15 page 13" href="http://viewer.zmags.com/publication/6dcf3162?page=13">a number of parameters such as the target platfor</a>
<a title="DFM15 page 14" href="http://viewer.zmags.com/publication/6dcf3162?page=14">/ FEATURE We should be able to identify m</a>
<a title="DFM15 page 16" href="http://viewer.zmags.com/publication/6dcf3162?page=16">/ LEAD FEATURE GOOGLE DESKTOP FORENSICS Digital</a>
<a title="DFM15 page 17" href="http://viewer.zmags.com/publication/6dcf3162?page=17">/ How Does Google Desktop Work? Google Desktop cr</a>
<a title="DFM15 page 18" href="http://viewer.zmags.com/publication/6dcf3162?page=18">/ LEAD FEATURE Google Desktop creates a r</a>
<a title="DFM15 page 19" href="http://viewer.zmags.com/publication/6dcf3162?page=19">The amount of time that Google Desktop inde</a>
<a title="DFM15 page 20" href="http://viewer.zmags.com/publication/6dcf3162?page=20">/ LEAD FEATURE indexed, as well as a link to</a>
<a title="DFM15 page 21" href="http://viewer.zmags.com/publication/6dcf3162?page=21">indexed for some reason. An initial theory was th</a>
<a title="DFM15 page 23" href="http://viewer.zmags.com/publication/6dcf3162?page=23">/ LEGAL EDITORIAL LEGAL EDITORIAL Thoughts on</a>
<a title="DFM15 page 24" href="http://viewer.zmags.com/publication/6dcf3162?page=24">/ LEGAL FEATURE INSIDE THAILAND'S COMPUTER CRI</a>
<a title="DFM15 page 25" href="http://viewer.zmags.com/publication/6dcf3162?page=25">“Computer System” means a piece of equipment</a>
<a title="DFM15 page 26" href="http://viewer.zmags.com/publication/6dcf3162?page=26">/ LEGAL FEATURE A DENIAL OF SERVICE (DOS) ATTAC</a>
<a title="DFM15 page 27" href="http://viewer.zmags.com/publication/6dcf3162?page=27">to legitimate user requests. A Distributed DoS (D</a>
<a title="DFM15 page 28" href="http://viewer.zmags.com/publication/6dcf3162?page=28">/ LEGAL NEWS ALERT LEGAL NEWS ALERT Google set</a>
<a title="DFM15 page 30" href="http://viewer.zmags.com/publication/6dcf3162?page=30">/ FEATURE FUZZING RISKS IN SOFTWARE TOOLS Bug</a>
<a title="DFM15 page 31" href="http://viewer.zmags.com/publication/6dcf3162?page=31">to create malformed data structures through metho</a>
<a title="DFM15 page 32" href="http://viewer.zmags.com/publication/6dcf3162?page=32">/ FEATURE Acceptance Result</a>
<a title="DFM15 page 33" href="http://viewer.zmags.com/publication/6dcf3162?page=33">/ Anti-forensic Actions The widespread adoption a</a>
<a title="DFM15 page 34" href="http://viewer.zmags.com/publication/6dcf3162?page=34">/ FEATURE (see Figure 1). The question then a</a>
<a title="DFM15 page 35" href="http://viewer.zmags.com/publication/6dcf3162?page=35">amount of processing time and has been prevented</a>
<a title="DFM15 page 37" href="http://viewer.zmags.com/publication/6dcf3162?page=37">/ FEATURE NOT FOR PROFIT CERTIFICATI</a>
<a title="DFM15 page 38" href="http://viewer.zmags.com/publication/6dcf3162?page=38">/ FEATURE / Penetration Testing The foundation</a>
<a title="DFM15 page 40" href="http://viewer.zmags.com/publication/6dcf3162?page=40">/ MEET THE PROFESSIONALS MEET THE DF PROFESSI</a>
<a title="DFM15 page 41" href="http://viewer.zmags.com/publication/6dcf3162?page=41">How do you see the future of your research? I can</a>
<a title="DFM15 page 44" href="http://viewer.zmags.com/publication/6dcf3162?page=44">/ FEATURE THE GREAT ESCAPE – WE'RE TUNNELLING</a>
<a title="DFM15 page 45" href="http://viewer.zmags.com/publication/6dcf3162?page=45">Every network administrator will be aware of</a>
<a title="DFM15 page 46" href="http://viewer.zmags.com/publication/6dcf3162?page=46">/ FEATURE Remotebox$ stunnel stunnel.conf</a>
<a title="DFM15 page 47" href="http://viewer.zmags.com/publication/6dcf3162?page=47">This sets the ID to 1980 (a great decade) and</a>
<a title="DFM15 page 48" href="http://viewer.zmags.com/publication/6dcf3162?page=48">/ FEATURE Although these transforms are</a>
<a title="DFM15 page 49" href="http://viewer.zmags.com/publication/6dcf3162?page=49">/ COMPETITION COMPETITION / Win one of Two SARC</a>
<a title="DFM15 page 50" href="http://viewer.zmags.com/publication/6dcf3162?page=50">/ LETTERS 360° Your chance to have your say…</a>
<a title="DFM15 page 51" href="http://viewer.zmags.com/publication/6dcf3162?page=51">LinkedIn The DFM LinkedIn Group now has grown pas</a>
<a title="DFM15 page 52" href="http://viewer.zmags.com/publication/6dcf3162?page=52">Digital ForensicS / magazine BACK ISSUES The Quar</a>
<a title="DFM15 page 53" href="http://viewer.zmags.com/publication/6dcf3162?page=53">/ FROM THE LAB DETECTING STEGANOGRAPHY IN THE</a>
<a title="DFM15 page 54" href="http://viewer.zmags.com/publication/6dcf3162?page=54">/ FROM THE LAB InPlainV</a>
<a title="DFM15 page 56" href="http://viewer.zmags.com/publication/6dcf3162?page=56">/ FROM THE LAB / How Does StegAlyzerFS Work? St</a>
<a title="DFM15 page 57" href="http://viewer.zmags.com/publication/6dcf3162?page=57">there are a large number of compressed files or ar</a>
<a title="DFM15 page 59" href="http://viewer.zmags.com/publication/6dcf3162?page=59">/ FEATURE EVERYTHING TIME This article will ex</a>
<a title="DFM15 page 60" href="http://viewer.zmags.com/publication/6dcf3162?page=60">/ FEATURE / THE SANS SIFT WORKSTATION The SANS S</a>
<a title="DFM15 page 61" href="http://viewer.zmags.com/publication/6dcf3162?page=61">Figure 3. Example of Interactive Chart Displaying</a>
<a title="DFM15 page 62" href="http://viewer.zmags.com/publication/6dcf3162?page=62">/ FEATURE Fi</a>
<a title="DFM15 page 63" href="http://viewer.zmags.com/publication/6dcf3162?page=63">filtering. Filters may be created for common fields</a>
<a title="DFM15 page 64" href="http://viewer.zmags.com/publication/6dcf3162?page=64">/ FEATURE LAUNCHING ECENTRE European Commission</a>
<a title="DFM15 page 65" href="http://viewer.zmags.com/publication/6dcf3162?page=65">The major ECENTRE project tasks include: · Devel</a>
<a title="DFM15 page 67" href="http://viewer.zmags.com/publication/6dcf3162?page=67">/ FEATURE RAISING THE BAR IN WINDOWS REGISTRY</a>
<a title="DFM15 page 68" href="http://viewer.zmags.com/publication/6dcf3162?page=68">/ FEATURE Recon Vie</a>
<a title="DFM15 page 69" href="http://viewer.zmags.com/publication/6dcf3162?page=69">using some sample Windows 7 Registry keys. Please</a>
<a title="DFM15 page 70" href="http://viewer.zmags.com/publication/6dcf3162?page=70">/ FEATURE USBOblivion / Reg</a>
<a title="DFM15 page 71" href="http://viewer.zmags.com/publication/6dcf3162?page=71">COMING SOON… A round-up of features and article</a>
<a title="DFM15 page 72" href="http://viewer.zmags.com/publication/6dcf3162?page=72">/ PRODUCT REVIEW FAW – FORENSICS ACQUISITION</a>
<a title="DFM15 page 73" href="http://viewer.zmags.com/publication/6dcf3162?page=73">/ Acquisition The program allows acquiring a whol</a>
<a title="DFM15 page 74" href="http://viewer.zmags.com/publication/6dcf3162?page=74">/ PRODUCT REVIEW · The star</a>
<a title="DFM15 page 76" href="http://viewer.zmags.com/publication/6dcf3162?page=76">/ PRODUCT REVIEW NUIX INVESTIGATOR 4.2 W</a>
<a title="DFM15 page 77" href="http://viewer.zmags.com/publication/6dcf3162?page=77">Figure 2 / Investigative Interface Once the dat</a>
<a title="DFM15 page 78" href="http://viewer.zmags.com/publication/6dcf3162?page=78">/ PRODUCT REVIEW / Case Subsetting As I mention</a>
<a title="DFM15 page 80" href="http://viewer.zmags.com/publication/6dcf3162?page=80">/ BOOK REVIEWS BOOK REVIEWS Hacking the Human</a>
<a title="DFM15 page 81" href="http://viewer.zmags.com/publication/6dcf3162?page=81">The book begins with a review of basic fore</a>
<a title="DFM15 page 82" href="http://viewer.zmags.com/publication/6dcf3162?page=82">/ COLUMN IRQ A rose by any uvver name… by Angus</a>