<br /> The Quarterly Magazine for Digital Forensics Practitioners<br /> INSIDE<br /> / Cracking MS-CHAP2: How Secure is Your VPN?<br /> / First Responders CSIRT & Forensics<br /> / Creating A Virtual Forensics Lab<br /> / Cloud-Based Honeypots<br /> DIGITAL FORENSICS & THE FRAUD TRIANGLE<br /> Nick Miter on how forensic software applications predict fraud and corruption using heuristics<br /> WIN! A COPY OF THE BELKASOFT EVIDENCE CENTRE 2012<br /> ISSUE 13<br /> NOVEMBER 2012<br /> Issue 13 / £14.99 TR Media<br /> / REGULARS: robservations, 360, news, irq & more…<br /> / FROM THE LAB: Underneath the Hood of Lit I View v5.0<br /> / INTRODUCING: Developing a Tool to Speed Disk Scanning<br /> / Book Reviews: Digital Evidence & Computer Crime<br /> <br /> EDITORIAL<br /> F<br /> <a title="DFM13 page 1" href="http://viewer.zmags.com/publication/cc7baf6a?page=1"> The Quarterly Magazine for Digital Forensics Prac</a> <a title="DFM13 page 2" href="http://viewer.zmags.com/publication/cc7baf6a?page=2"> </a> <a title="DFM13 page 3" href="http://viewer.zmags.com/publication/cc7baf6a?page=3"> EDITORIAL F </a> <a title="DFM13 page 4" href="http://viewer.zmags.com/publication/cc7baf6a?page=4"> </a> <a title="DFM13 page 5" href="http://viewer.zmags.com/publication/cc7baf6a?page=5"> CONTENTS / DIGITAL FORENSICS MAGAZINE DIGITAL </a> <a title="DFM13 page 6" href="http://viewer.zmags.com/publication/cc7baf6a?page=6"> / NEWS NEWS launch of Cyber Security Centre ha</a> <a title="DFM13 page 7" href="http://viewer.zmags.com/publication/cc7baf6a?page=7"> EDEC Digital Forensics Releases Tarantula 2.0 E</a> <a title="DFM13 page 8" href="http://viewer.zmags.com/publication/cc7baf6a?page=8"> </a> <a title="DFM13 page 9" href="http://viewer.zmags.com/publication/cc7baf6a?page=9"> / FEATURE CRACKING MS-CHAP2 – HOW SECURE IS YO</a> <a title="DFM13 page 10" href="http://viewer.zmags.com/publication/cc7baf6a?page=10"> / FEATURE Figure 1 </a> <a 
title="DFM13 page 11" href="http://viewer.zmags.com/publication/cc7baf6a?page=11"> hash is divided up into three DES encryption oper</a> <a title="DFM13 page 12" href="http://viewer.zmags.com/publication/cc7baf6a?page=12"> / FEATURE Figure 3 FOLL</a> <a title="DFM13 page 13" href="http://viewer.zmags.com/publication/cc7baf6a?page=13"> </a> <a title="DFM13 page 14" href="http://viewer.zmags.com/publication/cc7baf6a?page=14"> / LETTERS 360° HYour chance to have your say… </a> <a title="DFM13 page 15" href="http://viewer.zmags.com/publication/cc7baf6a?page=15"> LinkedIn The DFM LinkedIn Group now has grown pas</a> <a title="DFM13 page 16" href="http://viewer.zmags.com/publication/cc7baf6a?page=16"> </a> <a title="DFM13 page 17" href="http://viewer.zmags.com/publication/cc7baf6a?page=17"> / LEAD FEATURE DIGITAL FORENSICS & THE FRAUD T</a> <a title="DFM13 page 18" href="http://viewer.zmags.com/publication/cc7baf6a?page=18"> / LEAD FEATURE Figure 2. Th</a> <a title="DFM13 page 19" href="http://viewer.zmags.com/publication/cc7baf6a?page=19"> Figure 6. 
Email with multiple authors A sy</a> <a title="DFM13 page 20" href="http://viewer.zmags.com/publication/cc7baf6a?page=20"> / LEAD FEATURE component higher than the seco</a> <a title="DFM13 page 21" href="http://viewer.zmags.com/publication/cc7baf6a?page=21"> </a> <a title="DFM13 page 22" href="http://viewer.zmags.com/publication/cc7baf6a?page=22"> / FEATURE C SED LOUD-BA HONEYPOTS Int</a> <a title="DFM13 page 23" href="http://viewer.zmags.com/publication/cc7baf6a?page=23"> · Cost of purchasing new hardware or acquiring o</a> <a title="DFM13 page 24" href="http://viewer.zmags.com/publication/cc7baf6a?page=24"> / FEATURE Real-time Logs </a> <a title="DFM13 page 25" href="http://viewer.zmags.com/publication/cc7baf6a?page=25"> Rank Username No of Uses 1 root 2</a> <a title="DFM13 page 26" href="http://viewer.zmags.com/publication/cc7baf6a?page=26"> / FEATURE Hea</a> <a title="DFM13 page 27" href="http://viewer.zmags.com/publication/cc7baf6a?page=27"> </a> <a title="DFM13 page 28" href="http://viewer.zmags.com/publication/cc7baf6a?page=28"> </a> <a title="DFM13 page 29" href="http://viewer.zmags.com/publication/cc7baf6a?page=29"> / LEGAL EDITORIAL LEGAL EDITORIAL Apple's Sett</a> <a title="DFM13 page 30" href="http://viewer.zmags.com/publication/cc7baf6a?page=30"> / LEGAL FEATURE INTRODUCTION TO INTELLECTUAL PRO</a> <a title="DFM13 page 31" href="http://viewer.zmags.com/publication/cc7baf6a?page=31"> In a practical sense, this means that copyrig</a> <a title="DFM13 page 32" href="http://viewer.zmags.com/publication/cc7baf6a?page=32"> / LEGAL FEATURE trademark for internal use or</a> <a title="DFM13 page 33" href="http://viewer.zmags.com/publication/cc7baf6a?page=33"> </a> <a title="DFM13 page 34" href="http://viewer.zmags.com/publication/cc7baf6a?page=34"> / LEGAL NEWS ALERT LEGAL NEWS ALERT Effort to </a> <a title="DFM13 page 35" href="http://viewer.zmags.com/publication/cc7baf6a?page=35"> </a> <a title="DFM13 page 36" 
href="http://viewer.zmags.com/publication/cc7baf6a?page=36"> / MEET THE PROFESSIONALS MEET THE DF PROFESSI</a> <a title="DFM13 page 37" href="http://viewer.zmags.com/publication/cc7baf6a?page=37"> watching the landscape change, awareness grow and</a> <a title="DFM13 page 38" href="http://viewer.zmags.com/publication/cc7baf6a?page=38"> / ROBSERVATIONS ROBSERVATIONS Renaissance in </a> <a title="DFM13 page 39" href="http://viewer.zmags.com/publication/cc7baf6a?page=39"> / COMPETITION COMPETITION / WIN A Belkasoft Ev</a> <a title="DFM13 page 40" href="http://viewer.zmags.com/publication/cc7baf6a?page=40"> / FEATURE FIRST RESPONDERS CSIRT & FORENSICS W</a> <a title="DFM13 page 41" href="http://viewer.zmags.com/publication/cc7baf6a?page=41"> / ISO 27001 The ISO Standard relevant areas of in</a> <a title="DFM13 page 42" href="http://viewer.zmags.com/publication/cc7baf6a?page=42"> </a> <a title="DFM13 page 43" href="http://viewer.zmags.com/publication/cc7baf6a?page=43"> </a> <a title="DFM13 page 44" href="http://viewer.zmags.com/publication/cc7baf6a?page=44"> / FEATURE CREATING A VIRTUAL FORENSICS LAB This </a> <a title="DFM13 page 45" href="http://viewer.zmags.com/publication/cc7baf6a?page=45"> Figure 1. SMS-based Two-Factor Authentication in </a> <a title="DFM13 page 46" href="http://viewer.zmags.com/publication/cc7baf6a?page=46"> / FEATURE The first role is nothing new in</a> <a title="DFM13 page 47" href="http://viewer.zmags.com/publication/cc7baf6a?page=47"> numerous expansion slots for eSATA, Firewire,</a> <a title="DFM13 page 48" href="http://viewer.zmags.com/publication/cc7baf6a?page=48"> </a> <a title="DFM13 page 49" href="http://viewer.zmags.com/publication/cc7baf6a?page=49"> / APPLE AUTOPSY APPLE AUTOPSY Steve Jobs – One Y</a> <a title="DFM13 page 50" href="http://viewer.zmags.com/publication/cc7baf6a?page=50"> / FEATURE IMPROVING SECURITY MONITORING ANALYT</a> <a title="DFM13 page 51" href="http://viewer.zmags.com/publication/cc7baf6a?page=51"> Figure 1. 
Netflow v Metadata DPI technology </a> <a title="DFM13 page 52" href="http://viewer.zmags.com/publication/cc7baf6a?page=52"> / FEATURE behaviour. Searching and alerting b</a> <a title="DFM13 page 53" href="http://viewer.zmags.com/publication/cc7baf6a?page=53"> Deep Secure Network Diagram / Example of a Deep </a> <a title="DFM13 page 54" href="http://viewer.zmags.com/publication/cc7baf6a?page=54"> / FEATURE C</a> <a title="DFM13 page 55" href="http://viewer.zmags.com/publication/cc7baf6a?page=55"> </a> <a title="DFM13 page 56" href="http://viewer.zmags.com/publication/cc7baf6a?page=56"> </a> <a title="DFM13 page 57" href="http://viewer.zmags.com/publication/cc7baf6a?page=57"> / FEATURE UNDERNEATH THE HOOD OF LIT I VIEW V5</a> <a title="DFM13 page 58" href="http://viewer.zmags.com/publication/cc7baf6a?page=58"> / FEATURE Figure 2. Globa</a> <a title="DFM13 page 59" href="http://viewer.zmags.com/publication/cc7baf6a?page=59"> many countries at the same some moment. The provi</a> <a title="DFM13 page 60" href="http://viewer.zmags.com/publication/cc7baf6a?page=60"> / FEATURE Fi</a> <a title="DFM13 page 61" href="http://viewer.zmags.com/publication/cc7baf6a?page=61"> Figure 6. Multi-language search functionality </a> <a title="DFM13 page 62" href="http://viewer.zmags.com/publication/cc7baf6a?page=62"> / FEATURE Figure</a> <a title="DFM13 page 63" href="http://viewer.zmags.com/publication/cc7baf6a?page=63"> Figure 9. 
ART module set-up in LiV5 </a> <a title="DFM13 page 64" href="http://viewer.zmags.com/publication/cc7baf6a?page=64"> / FEATURE DEVELOPING A TOOL TO SPEED DISK SCANNI</a> <a title="DFM13 page 65" href="http://viewer.zmags.com/publication/cc7baf6a?page=65"> computer system that contains an 80GB hard drive,</a> <a title="DFM13 page 66" href="http://viewer.zmags.com/publication/cc7baf6a?page=66"> / FEATURE testing that showed an optimal trad</a> <a title="DFM13 page 67" href="http://viewer.zmags.com/publication/cc7baf6a?page=67"> comprise three hard drives, shown as fixed disk in</a> <a title="DFM13 page 68" href="http://viewer.zmags.com/publication/cc7baf6a?page=68"> / FEATURE by using software enabled write blo</a> <a title="DFM13 page 69" href="http://viewer.zmags.com/publication/cc7baf6a?page=69"> Test Subject </a> <a title="DFM13 page 70" href="http://viewer.zmags.com/publication/cc7baf6a?page=70"> Digital ForensicS / magazine BACK ISSUES The Quar</a> <a title="DFM13 page 71" href="http://viewer.zmags.com/publication/cc7baf6a?page=71"> / FEATURE C'MON BABY HEAR THE NOISE Certification</a> <a title="DFM13 page 72" href="http://viewer.zmags.com/publication/cc7baf6a?page=72"> / FEATURE 1) Too much information: We all suf</a> <a title="DFM13 page 73" href="http://viewer.zmags.com/publication/cc7baf6a?page=73"> / NEXT ISSUE COMING SOON… A round-up of feat</a> <a title="DFM13 page 74" href="http://viewer.zmags.com/publication/cc7baf6a?page=74"> / FEATURE COVERT CHANNELS IN NETWORK PROTOCOLS</a> <a title="DFM13 page 75" href="http://viewer.zmags.com/publication/cc7baf6a?page=75"> output in the terminal after an example packet is</a> <a title="DFM13 page 76" href="http://viewer.zmags.com/publication/cc7baf6a?page=76"> / FEATURE number would appear to be the only </a> <a title="DFM13 page 77" href="http://viewer.zmags.com/publication/cc7baf6a?page=77"> / UDP Storage Channel (Experimental) – Source </a> <a title="DFM13 page 78" 
href="http://viewer.zmags.com/publication/cc7baf6a?page=78"> / FEATURE response between them and so there </a> <a title="DFM13 page 79" href="http://viewer.zmags.com/publication/cc7baf6a?page=79"> such as the fact that the TCP ACK and TCP SEQ.N c</a> <a title="DFM13 page 80" href="http://viewer.zmags.com/publication/cc7baf6a?page=80"> / BOOK REVIEWS BOOK REVIEWS Windows Forensic A</a> <a title="DFM13 page 81" href="http://viewer.zmags.com/publication/cc7baf6a?page=81"> It begins with digital forensic principles an</a> <a title="DFM13 page 82" href="http://viewer.zmags.com/publication/cc7baf6a?page=82"> / COLUMN IRQ If it ain't broke why fix it? Iby Ang</a> <a title="DFM13 page 83" href="http://viewer.zmags.com/publication/cc7baf6a?page=83"> </a> <a title="DFM13 page 84" href="http://viewer.zmags.com/publication/cc7baf6a?page=84"> </a>