The Quarterly Magazine for Digital Forensics Practitioners
Issue 16, August 2013. £14.99. TR Media.

WIN! An iPod Nano in this issue's competition.

INSIDE
/ Using Google Earth
/ Utilising REP Data
/ Social Network Steganography
/ The History of Malware

VM INTROSPECTION
Unearthing and profiling sophisticated x64 bit kernel mode “bootkits” that continue to leverage holes on Windows 7

/ REGULARS: News, 360, IRQ, Legal & more…
/ INTRODUCING: A Fresh Look at Cryptography
/ FROM THE LAB: Creating New Frontiers for Live Forensics
/ BOOK REVIEWS: CUDA Programming & Silence on the Wire

CONTENTS (page numbers as printed in the issue)
p. 3   / EDITORIAL
p. 6   / NEWS: The ‘Cyber-Attack’ threat to Londo…; Stevenson University offering free forensics MOO…
p. 9   / FEATURE: Five Tips for Using Google Earth in…
p. 16  / FEATURE: Google Desktop Forensics, Part 2
p. 21  / LEGAL EDITORIAL: Patent Trol…
p. 22  / LEGAL FEATURE: A New Approach to Cybercrime
p. 26  / LEGAL NEWS ALERT
p. 28  / FEATURE: Social Networking Steganography Oppo…
p. 34  / FEATURE: Utilising Reputation Data to Increas…
p. 40  / MEET THE PROFESSIONALS
p. 44  / FEATURE: iPhone Back-up Files
p. 49  / BACK ISSUES
p. 50  / LETTERS: 360° (your chance to have your say…)
p. 52  / FROM THE LAB: VM Introspection: Creating New Frontiers for Live Forensics
p. 58  / FEATURE: History of Malware
p. 68  / NEXT ISSUE
p. 69  / FEATURE: Digital Forensics Capability Worksho…
p. 72  / COMPETITION
p. 73  / COMPETITION WINNERS (SARC, StegAlyze…)
p. 75  / FEATURE: A Fresh Look at Cryptography
p. 80  / BOOK REVIEWS: CUDA Programming; Silence on the Wire (Michael Zalewski)
p. 82  / COLUMN: IRQ, Facebook Follies by Angus Marshall