Digital ForensicS Magazine<br /> The Quarterly Magazine for Digital Forensics Practitioners<br /> Issue 41 · November 2019<br /> Hiding Data in NTFS Volumes<br /> PLUS<br /> Intelligent Investigation Procedures<br /> How Quantum Computing will change Forensics<br /> Professional Standards for Cyber Risk Management<br /> From the Lab: Anomaly Detection using Dynamic Analysis<br /> Issue 41 / £14.99 TR Media<br /> <br /> Editorial<br /> Well, it is off and running! The work to deliver the new Cyber Security Council is underway and representatives from the Cyber Security Alliance are workin<a title="DFM41 - Online page 1" href="http://viewer.zmags.com/publication/9025f0fd?page=1"> Digital The Quarterly Magazine for Digital Fore</a> <a title="DFM41 - Online page 2" href="http://viewer.zmags.com/publication/9025f0fd?page=2"> </a> <a title="DFM41 - Online page 3" href="http://viewer.zmags.com/publication/9025f0fd?page=3"> Editorial W </a> <a title="DFM41 - Online page 4" href="http://viewer.zmags.com/publication/9025f0fd?page=4"> </a> <a title="DFM41 - Online page 5" href="http://viewer.zmags.com/publication/9025f0fd?page=5"> Contents FEATURES 8 Intelligent Investigation Pr</a> <a title="DFM41 - Online page 6" href="http://viewer.zmags.com/publication/9025f0fd?page=6"> NEWS News Warnings about Critical OS Updates It </a> <a title="DFM41 - Online page 7" href="http://viewer.zmags.com/publication/9025f0fd?page=7"> to perform a forensic analysis to ensure that no </a> <a title="DFM41 - Online page 8" href="http://viewer.zmags.com/publication/9025f0fd?page=8"> FEATURE INTERMEDIATE INTELLIGENT Investigation </a> <a title="DFM41 - Online page 9" href="http://viewer.zmags.com/publication/9025f0fd?page=9"> Investigation and Intelligence The process of inv</a> <a title="DFM41 - Online page 10" href="http://viewer.zmags.com/publication/9025f0fd?page=10"> FEATURE INTERMEDIATE The Ransomware Case 
We re</a> <a title="DFM41 - Online page 11" href="http://viewer.zmags.com/publication/9025f0fd?page=11"> The attacker’s gained some reward, but experience</a> <a title="DFM41 - Online page 12" href="http://viewer.zmags.com/publication/9025f0fd?page=12"> FEATURE INTERMEDIATE Figur</a> <a title="DFM41 - Online page 13" href="http://viewer.zmags.com/publication/9025f0fd?page=13"> could not be trusted to deliver the decrypting ke</a> <a title="DFM41 - Online page 14" href="http://viewer.zmags.com/publication/9025f0fd?page=14"> </a> <a title="DFM41 - Online page 15" href="http://viewer.zmags.com/publication/9025f0fd?page=15"> </a> <a title="DFM41 - Online page 16" href="http://viewer.zmags.com/publication/9025f0fd?page=16"> MAIN FEATURE ADVANCED Hiding Data in NTFS Volume</a> <a title="DFM41 - Online page 17" href="http://viewer.zmags.com/publication/9025f0fd?page=17"> WinHex This article uses WinHex, a multi-purpose </a> <a title="DFM41 - Online page 18" href="http://viewer.zmags.com/publication/9025f0fd?page=18"> MAIN FEATURE ADVANCED You might be wonde</a> <a title="DFM41 - Online page 19" href="http://viewer.zmags.com/publication/9025f0fd?page=19"> I carry around a lot of data on USB sticks. 
</a> <a title="DFM41 - Online page 20" href="http://viewer.zmags.com/publication/9025f0fd?page=20"> MAIN FEATURE ADVANCED The Master File Table NT</a> <a title="DFM41 - Online page 21" href="http://viewer.zmags.com/publication/9025f0fd?page=21"> 6 shows the $MFT first entry, which always contain</a> <a title="DFM41 - Online page 22" href="http://viewer.zmags.com/publication/9025f0fd?page=22"> </a> <a title="DFM41 - Online page 23" href="http://viewer.zmags.com/publication/9025f0fd?page=23"> LEGAL Editorial O </a> <a title="DFM41 - Online page 24" href="http://viewer.zmags.com/publication/9025f0fd?page=24"> Scott Zimmerman explains his program of multi-ten</a> <a title="DFM41 - Online page 25" href="http://viewer.zmags.com/publication/9025f0fd?page=25"> On 17 July 2019, Capital One received an ema</a> <a title="DFM41 - Online page 26" href="http://viewer.zmags.com/publication/9025f0fd?page=26"> LEGAL FEATURE The investigation continue</a> <a title="DFM41 - Online page 27" href="http://viewer.zmags.com/publication/9025f0fd?page=27"> involves replacing the middle six digits with ast</a> <a title="DFM41 - Online page 28" href="http://viewer.zmags.com/publication/9025f0fd?page=28"> LEGAL NEWS LEGAL News Using Oracle's Virtualbox E</a> <a title="DFM41 - Online page 29" href="http://viewer.zmags.com/publication/9025f0fd?page=29"> </a> <a title="DFM41 - Online page 30" href="http://viewer.zmags.com/publication/9025f0fd?page=30"> FROM THE LAB ADVANCED Android Malware & Anoma</a> <a title="DFM41 - Online page 31" href="http://viewer.zmags.com/publication/9025f0fd?page=31"> Users may also install applications from various </a> <a title="DFM41 - Online page 32" href="http://viewer.zmags.com/publication/9025f0fd?page=32"> FROM THE LAB ADVANCED </a> <a title="DFM41 - Online page 33" href="http://viewer.zmags.com/publication/9025f0fd?page=33"> Figure 2. 
The OWASP Seraphimdroid Implementation </a> <a title="DFM41 - Online page 34" href="http://viewer.zmags.com/publication/9025f0fd?page=34"> FROM THE LAB ADVANCED Machine Learning Models </a> <a title="DFM41 - Online page 35" href="http://viewer.zmags.com/publication/9025f0fd?page=35"> MALWARE NAME WARNINGS BENIGN NAME WAR</a> <a title="DFM41 - Online page 36" href="http://viewer.zmags.com/publication/9025f0fd?page=36"> </a> <a title="DFM41 - Online page 37" href="http://viewer.zmags.com/publication/9025f0fd?page=37"> NEXT ISSUE NEXT Issue Continuing our aim of bring</a> <a title="DFM41 - Online page 38" href="http://viewer.zmags.com/publication/9025f0fd?page=38"> 360 36 Letters, emails, tweets, connections and m</a> <a title="DFM41 - Online page 39" href="http://viewer.zmags.com/publication/9025f0fd?page=39"> FACEBOOK At present we have a Facebook group, whi</a> <a title="DFM41 - Online page 40" href="http://viewer.zmags.com/publication/9025f0fd?page=40"> ADVERTORIAL UNIVERSITY OF WARWICK CYBER SECURITY,</a> <a title="DFM41 - Online page 41" href="http://viewer.zmags.com/publication/9025f0fd?page=41"> 41</a> <a title="DFM41 - Online page 42" href="http://viewer.zmags.com/publication/9025f0fd?page=42"> FEATURE INTERMEDIATE Ransomware: Attack Techniqu</a> <a title="DFM41 - Online page 43" href="http://viewer.zmags.com/publication/9025f0fd?page=43"> 43</a> <a title="DFM41 - Online page 44" href="http://viewer.zmags.com/publication/9025f0fd?page=44"> FEATURE INTERMEDIATE Crypto Ransomware This ty</a> <a title="DFM41 - Online page 45" href="http://viewer.zmags.com/publication/9025f0fd?page=45"> Figure 2. 
Machines Infected with Botnets Can Be U</a> <a title="DFM41 - Online page 46" href="http://viewer.zmags.com/publication/9025f0fd?page=46"> FEATURE INTERMEDIATE ransomware attacks for n</a> <a title="DFM41 - Online page 47" href="http://viewer.zmags.com/publication/9025f0fd?page=47"> • Privacy Badger (https://www.eff.org/ priva</a> <a title="DFM41 - Online page 48" href="http://viewer.zmags.com/publication/9025f0fd?page=48"> COMPETITION Competition Fancy winning a nifty li</a> <a title="DFM41 - Online page 49" href="http://viewer.zmags.com/publication/9025f0fd?page=49"> </a> <a title="DFM41 - Online page 50" href="http://viewer.zmags.com/publication/9025f0fd?page=50"> FEATURE ENTRY Setting Professional Standards for</a> <a title="DFM41 - Online page 51" href="http://viewer.zmags.com/publication/9025f0fd?page=51"> The systemic nature or cyber-attacks, the comple</a> <a title="DFM41 - Online page 52" href="http://viewer.zmags.com/publication/9025f0fd?page=52"> FEATURE ENTRY </a> <a title="DFM41 - Online page 53" href="http://viewer.zmags.com/publication/9025f0fd?page=53"> qualified accountants and audits of UK legal entit</a> <a title="DFM41 - Online page 54" href="http://viewer.zmags.com/publication/9025f0fd?page=54"> FEATURE ENTRY </a> <a title="DFM41 - Online page 55" href="http://viewer.zmags.com/publication/9025f0fd?page=55"> REFERENCES 1. McAfee Economic Impact of Cybercrim</a> <a title="DFM41 - Online page 56" href="http://viewer.zmags.com/publication/9025f0fd?page=56"> MAIN FEATURE ENTRY How QUANTUM COMPUTING Arise </a> <a title="DFM41 - Online page 57" href="http://viewer.zmags.com/publication/9025f0fd?page=57"> will Change DIGITAL FORENSICS is infinity, even if</a> <a title="DFM41 - Online page 58" href="http://viewer.zmags.com/publication/9025f0fd?page=58"> MAIN FEATURE ENTRY But quantum mechanics</a> <a title="DFM41 - Online page 59" href="http://viewer.zmags.com/publication/9025f0fd?page=59"> needs to know to use binary forensics tools. 
For </a> <a title="DFM41 - Online page 60" href="http://viewer.zmags.com/publication/9025f0fd?page=60"> MAIN FEATURE ENTRY If you really want to</a> <a title="DFM41 - Online page 61" href="http://viewer.zmags.com/publication/9025f0fd?page=61"> </a> <a title="DFM41 - Online page 62" href="http://viewer.zmags.com/publication/9025f0fd?page=62"> FEATURE INTERMEDIATE MAPPING the CYBER SUPPLY CH</a> <a title="DFM41 - Online page 63" href="http://viewer.zmags.com/publication/9025f0fd?page=63"> connectivity supports and their criticality to th</a> <a title="DFM41 - Online page 64" href="http://viewer.zmags.com/publication/9025f0fd?page=64"> FEATURE INTERMEDIATE Connectivity Describing t</a> <a title="DFM41 - Online page 65" href="http://viewer.zmags.com/publication/9025f0fd?page=65"> Figure 3. Connectivity Categorisation As part o</a> <a title="DFM41 - Online page 66" href="http://viewer.zmags.com/publication/9025f0fd?page=66"> FEATURE INTERMEDIATE Stage 1. Situational Awar</a> <a title="DFM41 - Online page 67" href="http://viewer.zmags.com/publication/9025f0fd?page=67"> Operational Process Identification – The operation</a> <a title="DFM41 - Online page 68" href="http://viewer.zmags.com/publication/9025f0fd?page=68"> MORE THAN A MAG Digital Forensics Magazine prides</a> <a title="DFM41 - Online page 69" href="http://viewer.zmags.com/publication/9025f0fd?page=69"> </a> <a title="DFM41 - Online page 70" href="http://viewer.zmags.com/publication/9025f0fd?page=70"> CONFERENCE REVIEW Conference REVIEW Your very o</a> <a title="DFM41 - Online page 71" href="http://viewer.zmags.com/publication/9025f0fd?page=71"> A key feature on the second day of the event was </a> <a title="DFM41 - Online page 72" href="http://viewer.zmags.com/publication/9025f0fd?page=72"> </a> <a title="DFM41 - Online page 73" href="http://viewer.zmags.com/publication/9025f0fd?page=73"> PRODUCT UPDATE Welcome to the new Product Update </a> <a title="DFM41 - Online page 74" 
href="http://viewer.zmags.com/publication/9025f0fd?page=74"> Figure 2. The Facebook Acquisition Menu · All </a> <a title="DFM41 - Online page 75" href="http://viewer.zmags.com/publication/9025f0fd?page=75"> Figure 3. The Search for Facebook ID Function </a> <a title="DFM41 - Online page 76" href="http://viewer.zmags.com/publication/9025f0fd?page=76"> BACK ISSUES BACK Issues 37 An Introduction to Op</a> <a title="DFM41 - Online page 77" href="http://viewer.zmags.com/publication/9025f0fd?page=77"> LIBRARY SUBSCRIPTIONS NOW AVAILABLE You can get</a> <a title="DFM41 - Online page 78" href="http://viewer.zmags.com/publication/9025f0fd?page=78"> IRQ IRQ Single joint expert wltm… I </a> <a title="DFM41 - Online page 79" href="http://viewer.zmags.com/publication/9025f0fd?page=79"> </a> <a title="DFM41 - Online page 80" href="http://viewer.zmags.com/publication/9025f0fd?page=80"> </a>