Friday, April 02, 2010

Digital Forensics Case Leads: New Gear, New PDF Abuse, and Defeating TrueCrypt

Logicube releases new forensics gear, Didier Stevens discovers a new way to do interesting things with a PDF and a cooperative user, and Passware provides a means to defeat TrueCrypt.

Logicube has released two devices which look interesting. The MPFS, or Massive Portable Forensic Storage, provides up to 8TB of storage capacity for acquiring multiple images. The device may be attached to a forensic analyst’s workstation via FireWire, USB, or eSATA. The unit is compatible with Logicube’s Dossier imager and with Logicube’s second new device, the NETConnect, which, as the name suggests, allows network access to forensic images. Based on the description, NETConnect is essentially a file server which enables multiple investigators to access forensic images as soon as they are acquired. The device supports Windows, Mac, and Linux and includes support for CIFS and NFS. (I’ve not had the opportunity to test either device, but if Logicube or anyone else wants to send me a set, I will be happy to do a write-up.)

If you’ve ever analyzed a PDF, you’ve probably used a tool created by Didier Stevens. Didier has figured out a way to make certain PDF readers execute embedded binaries, with the help of a cooperative user. Check out his explanation in Good Reads.

Disk encryption in various forms is becoming more common in incident response and forensics. In response to its customers’ requests, Passware has updated its flagship product to handle TrueCrypt. The product also supports BitLocker.

To read more:
http://blogs.sans.org/computer-forensics/2010/04/01/digital-forensics-case-leads-gear-pdfs-abuse-defeating-truecrypt/
