Author Archives: Madeline Bell


Capturing RAM from a Locked Computer

The importance of acquiring and forensically analyzing RAM has been an exciting discovery in the digital forensics world. With growing interest in RAM analysis, many tools have been developed to capture this volatile memory. DumpIt, RAM Capturer, and WinPmem, to name a few, can all capture the live RAM of a system. While there are many programs available to capture and analyze RAM, it is still a new technique that has not been perfected. RAM is delicate because it is volatile and must be handled in a specific way, and even when it is handled properly there are many limitations. One of those limitations is running a RAM capture executable on a locked computer, since you cannot run executables from a locked screen. The purpose of this project is to take RAM capturing a step further and attempt to find ways to capture RAM from a computer that is powered on and was logged in, but is now locked.

Blogging from the GMU 2013 Computer Crime & Digital Forensics Training

Chapin Bryce, one of our interns, has gone to the GMU 2013 Computer Crime & Digital Forensics Training conference for the week. While he is there, he will be blogging about the different presentations he has the pleasure of sitting in on. For more information about the conference, visit their site: http://www.rcfg.org/gmu/

Router Marshal

Here at the LCDI we just finished a project researching a program called Router Marshal. Router Marshal is a digital forensic tool, developed by ATC-NY, which is used to “automatically acquire digital forensic evidence from network devices such as routers and wireless access points. An investigator can use the Router Marshal software in the field to identify a network device, automatically acquire volatile forensic evidence from the device, and view and interpret this evidence” (Router Marshall, 2010). The software also maintains detailed logs of all activities and communications it performs with a target device.


Flying High with Cloud Forensics

Cloud storage is a new and upcoming technology that will pave the way for the future. No longer will people have to store data on their physical hard drives; it can now be uploaded to the web in the cloud, allowing anyone to share their data with other people and access it wherever they go. Although this might help people save time and space, it also creates more hardship for forensic investigators, because criminals can upload or share data from one computer and open it on another without leaving much of a trace. Not much forensic research has been done on cloud storage services, so we will be conducting this research on a few of them. The three services we will be focusing on are Google Drive, Dropbox, and SkyDrive.

Internet Evidence Finder: Part 2

As we are finishing the IEF project, we are coming to the realization that IEF does not parse 100% of the internet artifacts on a drive. That’s not to say the tool isn’t useful; it’s just that IEF should not be used by itself. This project entailed generating internet data on a fresh computer and taking detailed notes during the process. Thirty-three hours later, the data was ready for IEF to parse. We took the drive out of the computer, hooked it up to a write blocker, and imaged the drive in E01 format. We then ran IEF on both the drive and the E01 to see if there would be different results. The results, unsurprisingly, were identical. After comparing the results to my notes, we noticed there were a lot of things missing. For one, only two thirds of the artifacts we generated data for were discovered by IEF.

Painting a Timeline with EnCase

It has been busy at the LCDI, and we have been focusing on the timeline feature in EnCase and Forensic Tool Kit. Since we have already looked into Log2Timeline, it is hard to compare these other tools, which are not as focused on timeline creation as that task-specific open source tool is. With that said, here are our findings on the timeline capabilities of EnCase and Forensic Tool Kit.

“Cellebrating” Cellebrite

For the past two weeks, we have all been working hard on creating the guides and tutorials for the Cellebrite UFED Physical Pro and the UFED Physical Analyzer. All of the interns have worked on Cellebrite every day so that we could have it done by the deadline, July 1st. We also created PowerPoint slides for each section and video tutorials on how to use the UFED Physical Analyzer. The only thing we have left to do is create the video tutorials on how to use the Cellebrite UFED Physical Pro.

Access Point Tool Review


The access point project was designed when local law enforcement asked the LCDI to find and recommend a tool that could examine access points. For those who don’t know much about access points, they are devices that allow access to a network. When you connect your laptop or cell phone to a network wirelessly, you generally use an access point. The ability to examine access points can provide information about the network and the devices connecting to it. When law enforcement asked us to conduct a survey of different access point examination tools, they had a list of criteria the tool needed to meet, which included: the ability to see network details, GPS mapping functions, logging capability, plotting access points on a map, and reporting features. It was up to us here at the LCDI to find the right survey tool.

LCDI and GIV IT

On June 26th, the LCDI presented a workshop at Champlain College during the Governor’s Institute of Vermont Information Technology Institute (GIV IT). At this Institute, high school students had the opportunity to gain hands-on experience in the field from professionals and professors in the Information Technology sector. This year the IT Institute created tracks for the students so that they could dive deeper into the subjects they were interested in. This included strands for game design, coding and cyber security, and advanced webistry for students to explore their interests in the field. To offer a wider array of information about areas within the IT field of study and work, the LCDI presented on the world of computer and digital forensics.


iPhone Forensics: Part 3

iPhone Forensics, Catherine Stamm, The Senator Patrick Leahy Center for Digital Investigation

After a few days, I created three contacts and then deleted two of them. Next I attempted to set up a VPN. It took some time, as the iPhone had a lot of trouble connecting to the server. Eventually it worked and I […]