<br /> Digital<br /> The Quarterly Magazine for Digital Forensics Practitioners Issue 35 · May 2018<br /> ForensicS<br /> Magazine<br /> REPORT<br /> Forensics Europe Expo<br /> Intelligence & Investigations<br /> for the Internet of Things<br /> DFM Sponsored Seminar<br /> Seeing<br /> What<br /> Isn't There<br /> Flash Memory Amnesia & Digital Forensics<br /> PLUS<br /> IoT 4n6<br /> Standardising IoT Security<br /> Mitigating the Nightmare of APTs<br /> From the Lab: Data Hiding in Slack Space Issue 35 / £14.99 TR Media<br /> 9 772042 061004 35<br /> <br /> Editorial<br /> I<br /> have mentioned in past editorials that the UK Cyber<br /> Security Profession is not only under scrutiny, but that<br /> <a title="DFM35 - Online page 1" href="http://viewer.zmags.com/publication/dd10c339?page=1"> Digital The Quarterly Magazine for Digital Fore</a> <a title="DFM35 - Online page 2" href="http://viewer.zmags.com/publication/dd10c339?page=2"> </a> <a title="DFM35 - Online page 3" href="http://viewer.zmags.com/publication/dd10c339?page=3"> Editorial I </a> <a title="DFM35 - Online page 4" href="http://viewer.zmags.com/publication/dd10c339?page=4"> </a> <a title="DFM35 - Online page 5" href="http://viewer.zmags.com/publication/dd10c339?page=5"> Contents FEATURES 8 Ransomware is an Unsustainab</a> <a title="DFM35 - Online page 6" href="http://viewer.zmags.com/publication/dd10c339?page=6"> NEWS News Cyber Defenders Compete More than 130 </a> <a title="DFM35 - Online page 7" href="http://viewer.zmags.com/publication/dd10c339?page=7"> We can encourage their children's critical thinki</a> <a title="DFM35 - Online page 8" href="http://viewer.zmags.com/publication/dd10c339?page=8"> FEATURE INTERMEDIATE Ransomware is An Unsustaina</a> <a title="DFM35 - Online page 9" href="http://viewer.zmags.com/publication/dd10c339?page=9"> The business model for Ransomware is a simple ext</a> <a title="DFM35 - Online page 10" href="http://viewer.zmags.com/publication/dd10c339?page=10"> FEATURE INTERMEDIATE </a> <a title="DFM35 - Online page 11" href="http://viewer.zmags.com/publication/dd10c339?page=11"> One of the challenges doing research into trust m</a> <a title="DFM35 - Online page 12" href="http://viewer.zmags.com/publication/dd10c339?page=12"> FEATURE INTERMEDIATE MALWARE STARTING DEMA</a> <a title="DFM35 - Online page 13" href="http://viewer.zmags.com/publication/dd10c339?page=13"> </a> <a title="DFM35 - Online page 14" href="http://viewer.zmags.com/publication/dd10c339?page=14"> MAIN FEATURE ADVANCED Seeing What Isn't There Ci</a> <a title="DFM35 - Online page 15" href="http://viewer.zmags.com/publication/dd10c339?page=15"> While forensic tools and hex editors might show a</a> <a title="DFM35 - Online page 16" href="http://viewer.zmags.com/publication/dd10c339?page=16"> MAIN FEATURE ADVANCED A Closer Look at Flash M</a> <a title="DFM35 - Online page 17" href="http://viewer.zmags.com/publication/dd10c339?page=17"> A Guide to Flash Memory Self-Corrosion To work ar</a> <a title="DFM35 - Online page 18" href="http://viewer.zmags.com/publication/dd10c339?page=18"> MAIN FEATURE ADVANCED In the forensics w</a> <a title="DFM35 - Online page 19" href="http://viewer.zmags.com/publication/dd10c339?page=19"> </a> <a title="DFM35 - Online page 20" href="http://viewer.zmags.com/publication/dd10c339?page=20"> </a> <a title="DFM35 - Online page 21" href="http://viewer.zmags.com/publication/dd10c339?page=21"> LEGAL Editorial · Causation is “the causing or pr</a> <a title="DFM35 - Online page 22" href="http://viewer.zmags.com/publication/dd10c339?page=22"> Scott Zimmerman takes a look at the recent Cambri</a> <a title="DFM35 - Online page 23" href="http://viewer.zmags.com/publication/dd10c339?page=23"> Finding Evidence of Data Transfer(s) Setting asid</a> <a title="DFM35 - Online page 24" href="http://viewer.zmags.com/publication/dd10c339?page=24"> LEGAL FEATURE “… At the request of the UK Inf</a> <a title="DFM35 - Online page 25" href="http://viewer.zmags.com/publication/dd10c339?page=25"> agreement. Conducting these audits and assessment</a> <a title="DFM35 - Online page 26" href="http://viewer.zmags.com/publication/dd10c339?page=26"> LEGAL NEWS LEGAL News Is Bitcoin linked with Chil</a> <a title="DFM35 - Online page 27" href="http://viewer.zmags.com/publication/dd10c339?page=27"> </a> <a title="DFM35 - Online page 28" href="http://viewer.zmags.com/publication/dd10c339?page=28"> FROM THE LAB ADVANCED Data Hiding in Slack Space</a> <a title="DFM35 - Online page 29" href="http://viewer.zmags.com/publication/dd10c339?page=29"> is written as full clusters. Let's say, for insta</a> <a title="DFM35 - Online page 30" href="http://viewer.zmags.com/publication/dd10c339?page=30"> FROM THE LAB ADVANCED bytesInCluster = b</a> <a title="DFM35 - Online page 31" href="http://viewer.zmags.com/publication/dd10c339?page=31"> 1 2 3 4 5 6 7 81 </a> <a title="DFM35 - Online page 32" href="http://viewer.zmags.com/publication/dd10c339?page=32"> FROM THE LAB ADVANCED Extending Slacker One of</a> <a title="DFM35 - Online page 33" href="http://viewer.zmags.com/publication/dd10c339?page=33"> </a> <a title="DFM35 - Online page 34" href="http://viewer.zmags.com/publication/dd10c339?page=34"> FEATURE ADVANCED IoT 4n6 Jessica Hyde investigat</a> <a title="DFM35 - Online page 35" href="http://viewer.zmags.com/publication/dd10c339?page=35"> 35</a> <a title="DFM35 - Online page 36" href="http://viewer.zmags.com/publication/dd10c339?page=36"> FEATURE ADVANCED Fitbit Profiles provide </a> <a title="DFM35 - Online page 37" href="http://viewer.zmags.com/publication/dd10c339?page=37"> Depending on the version of the app and typ</a> <a title="DFM35 - Online page 38" href="http://viewer.zmags.com/publication/dd10c339?page=38"> FEATURE ADVANCED Figure 2</a> <a title="DFM35 - Online page 39" href="http://viewer.zmags.com/publication/dd10c339?page=39"> </a> <a title="DFM35 - Online page 40" href="http://viewer.zmags.com/publication/dd10c339?page=40"> ADVERTORIAL UNIVERSITY OF WARWICK CYBER SECURITY,</a> <a title="DFM35 - Online page 41" href="http://viewer.zmags.com/publication/dd10c339?page=41"> 41</a> <a title="DFM35 - Online page 42" href="http://viewer.zmags.com/publication/dd10c339?page=42"> T he Forensics Europe E</a> <a title="DFM35 - Online page 43" href="http://viewer.zmags.com/publication/dd10c339?page=43"> It was also our intention to include speake</a> <a title="DFM35 - Online page 44" href="http://viewer.zmags.com/publication/dd10c339?page=44"> FEATURE INTERMEDIATE Standardising IoT Security</a> <a title="DFM35 - Online page 45" href="http://viewer.zmags.com/publication/dd10c339?page=45"> Insecure IoT is not only threatening the resilien</a> <a title="DFM35 - Online page 46" href="http://viewer.zmags.com/publication/dd10c339?page=46"> FEATURE INTERMEDIATE F</a> <a title="DFM35 - Online page 47" href="http://viewer.zmags.com/publication/dd10c339?page=47"> Figure 2. IoT Security Domains Can a Baseline f</a> <a title="DFM35 - Online page 48" href="http://viewer.zmags.com/publication/dd10c339?page=48"> FEATURE INTERMEDIATE </a> <a title="DFM35 - Online page 49" href="http://viewer.zmags.com/publication/dd10c339?page=49"> REFERENCES 1. OECD, The Next Production Revolutio</a> <a title="DFM35 - Online page 50" href="http://viewer.zmags.com/publication/dd10c339?page=50"> MORE THAN A MAG Digital Forensics Magazine prides</a> <a title="DFM35 - Online page 51" href="http://viewer.zmags.com/publication/dd10c339?page=51"> </a> <a title="DFM35 - Online page 52" href="http://viewer.zmags.com/publication/dd10c339?page=52"> FEATURE ENTRY The Daubert Standard Chuck Easttom</a> <a title="DFM35 - Online page 53" href="http://viewer.zmags.com/publication/dd10c339?page=53"> are no formal requirements for practicing Digital</a> <a title="DFM35 - Online page 54" href="http://viewer.zmags.com/publication/dd10c339?page=54"> FEATURE ENTRY & Rogers, 2015; Oliver, 2016) w</a> <a title="DFM35 - Online page 55" href="http://viewer.zmags.com/publication/dd10c339?page=55"> federal court are based on the expert using a too</a> <a title="DFM35 - Online page 56" href="http://viewer.zmags.com/publication/dd10c339?page=56"> FEATURE ENTRY The specific nature of the </a> <a title="DFM35 - Online page 57" href="http://viewer.zmags.com/publication/dd10c339?page=57"> </a> <a title="DFM35 - Online page 58" href="http://viewer.zmags.com/publication/dd10c339?page=58"> COMPETITION Competition Fancy winning a nifty li</a> <a title="DFM35 - Online page 59" href="http://viewer.zmags.com/publication/dd10c339?page=59"> </a> <a title="DFM35 - Online page 60" href="http://viewer.zmags.com/publication/dd10c339?page=60"> FEATURE INTERMEDIATE Mitigating the Nightmare o</a> <a title="DFM35 - Online page 61" href="http://viewer.zmags.com/publication/dd10c339?page=61"> Well-resourced APTs often employ a silo like</a> <a title="DFM35 - Online page 62" href="http://viewer.zmags.com/publication/dd10c339?page=62"> FEATURE INTERMEDIATE financial, political, int</a> <a title="DFM35 - Online page 63" href="http://viewer.zmags.com/publication/dd10c339?page=63"> </a> <a title="DFM35 - Online page 64" href="http://viewer.zmags.com/publication/dd10c339?page=64"> FEATURE INTERMEDIATE A-</a> <a title="DFM35 - Online page 65" href="http://viewer.zmags.com/publication/dd10c339?page=65"> In general, public records provide an excell</a> <a title="DFM35 - Online page 66" href="http://viewer.zmags.com/publication/dd10c339?page=66"> FEATURE INTERMEDIATE </a> <a title="DFM35 - Online page 67" href="http://viewer.zmags.com/publication/dd10c339?page=67"> </a> <a title="DFM35 - Online page 68" href="http://viewer.zmags.com/publication/dd10c339?page=68"> FEATURE INTERMEDIATE Mi</a> <a title="DFM35 - Online page 69" href="http://viewer.zmags.com/publication/dd10c339?page=69"> many organizations use one or more SIEMs, working</a> <a title="DFM35 - Online page 70" href="http://viewer.zmags.com/publication/dd10c339?page=70"> 360 36 Letters, emails, tweets, connections and m</a> <a title="DFM35 - Online page 71" href="http://viewer.zmags.com/publication/dd10c339?page=71"> TWITTER We are regularly tweeting tools, tips and</a> <a title="DFM35 - Online page 72" href="http://viewer.zmags.com/publication/dd10c339?page=72"> </a> <a title="DFM35 - Online page 73" href="http://viewer.zmags.com/publication/dd10c339?page=73"> NEXT ISSUE NEXT Issue Continuing our aim of bring</a> <a title="DFM35 - Online page 74" href="http://viewer.zmags.com/publication/dd10c339?page=74"> </a> <a title="DFM35 - Online page 75" href="http://viewer.zmags.com/publication/dd10c339?page=75"> BOOK Reviews I n our day to day li</a> <a title="DFM35 - Online page 76" href="http://viewer.zmags.com/publication/dd10c339?page=76"> The emphatic importance of preserving evidence. D</a> <a title="DFM35 - Online page 77" href="http://viewer.zmags.com/publication/dd10c339?page=77"> BACK ISSUES BACK Issues Digital The Quarterly M</a> <a title="DFM35 - Online page 78" href="http://viewer.zmags.com/publication/dd10c339?page=78"> IRQ IRQ The Business of Crime. R </a> <a title="DFM35 - Online page 79" href="http://viewer.zmags.com/publication/dd10c339?page=79"> </a> <a title="DFM35 - Online page 80" href="http://viewer.zmags.com/publication/dd10c339?page=80"> </a>