Data Matching for Financial Transactions

UK law enforcement agencies are stepping up the use of data matching to trap money launderers and terrorist finance operations using information gleaned from the Suspicious Activity Reports (SARs) which banks and other financial institutions are required to file.

The development is revealed in the latest report on SARs activity from the Serious Organised Crime Agency, which said that the acquisition of further data matching tools by the UK Financial Intelligence Unit (UKFIU) will enable the bulk export and import of data and “allow a better, more timely and proactive service to be provided to law enforcement”.

The annual report, issued on behalf of the SARs Regime Committee, insisted that the activity meets the requirements of the Data Protection Act.

But it revealed the intention to widen its scope and to invite suggestions for data matching exercises “from a wide range of bodies, beyond the traditional law enforcement community. The UKFIU will select the data sets to match on a case by case basis.”

It urged “reporters”, including accountants, financial advisers, money changers and others as well as the banks and financial institutions, to provide “full and correct data [in the datasets used for matching and in the information submitted in SARs] to assist with this and ensure the effectiveness of such exercises”.

The vast majority of reporters now file SARs electronically, and the committee has dropped plans to require this from the remaining handful using paper methods.

The UKFIU has launched a procurement process to increase the use of IT to enhance activity in a “SARs transformation” process due to be rolled out next year.

Source

Posted in Forensics, UK Law. Tags: . No Comments »

Progressive disk size limitations.

Limit                                                        Maximum size
PC-XT limit                                                  10 MB
FAT12 (floppy, or early DOS hard disks)                      16 MB
FAT16 (DOS 3, 1 sector per cluster)                          32 MB
Interrupt 13h CHS (BIOS geometry combined with ATA limits)   528 MB
FAT16 (DOS 4+)                                               2048 MB
BIOS limitation (8-bit head count maxes out at 256)          4024 MB
Int 13h + LBA limitation                                     8096 MB
Extended Int 13h + 28-bit LBA                                137 GB
Windows XP FAT32 format limitation                           32 GB

The figures are as given in the lecture notes and are approximate; whether “MB” is read as 10^6 or 2^20 bytes shifts them slightly. The last line is a limit of the XP format tool rather than of FAT32 itself: XP will read a larger FAT32 volume that was formatted elsewhere.

Lectures: Evidence and Procedure

Link File

Link files, also known as shortcut files, have the extension LNK and are most commonly found in the “Recent” folder of the user’s profile. Double-clicking one opens the document it points to.

Other LNK files can be found in System Restore points and in the Office folders. Link files are very useful because they contain a wealth of data about other files.

Every time a file is opened through the Windows shell (Explorer or a standard Open dialog), be it a Word document, a text file, or a picture, a LNK file named after the file is created and placed in the “Recent” folder of the user’s profile. Like any file on NTFS, this link file has four dates in the MFT (Created, Last Written/File Modified, Accessed, Entry Modified/MFT entry modified).

For example, if the Word document “Hello.DOC” was opened on 1st Jan 2008 then Hello.DOC.lnk is created; as it has just been created, its four dates would all be 1st Jan 2008. If the same document is opened again later, the existing link file is updated rather than recreated, so its Created date records the first time the file was opened and its Last Written date the most recent time.

While this information is not particularly exciting, the data WITHIN the LNK file is.

Inside the LNK file are the following fields:

  1. Creation date of the file it points to
  2. Access date of the file it points to
  3. Modified date of the file it points to
  4. File path of the file it points to
  5. Size of the file it points to.

There are also other fields, but these are not relevant at this point.

Therefore if the Word document “Hello.DOC” was created on 1st June 2007, modified on 1st Oct 2007, and then accessed on 1st Jan 2008, all of that information would be stored within the LNK, as would its location.

Even if the file has never been on the computer where the link file was found, e.g. a file on a server or on removable media, the LNK file will still retain this information (and, where the target’s volume is recorded, that volume’s type, label and serial number).

This allows a forensics investigator to gain information about files that were never on the computer they are examining.
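The fields listed above can be read straight from the binary. The following Python is added here as an example and is not part of the original lecture notes: it parses the ShellLinkHeader and LinkInfo structures of a .lnk file using the field layout documented in Microsoft’s MS-SHLLINK specification and, since no real shortcut is attached to this page, first builds a constructed sample that mirrors the Hello.DOC story (the path, volume label and serial number in that sample are invented). The ANSI code page used to decode the path is also an assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

# MS-SHLLINK constants: fixed header size and the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian byte order.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01            # LinkFlags bits
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01      # LinkInfoFlags bit
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cd-rom", 6: "ramdisk"}


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _cstring(data, offset, codepage="cp1252"):
    """Read a NUL-terminated ANSI string (the code page is an assumption)."""
    end = data.index(b"\x00", offset)
    return data[offset:end].decode(codepage, errors="replace")


def parse_lnk(data):
    """Return the target metadata embedded in a .lnk (header + LinkInfo)."""
    hdr_size, clsid, flags, _attrs, ctime, atime, wtime, size = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if hdr_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or CLSID)")
    result = {"target_created": filetime_to_datetime(ctime),
              "target_accessed": filetime_to_datetime(atime),
              "target_written": filetime_to_datetime(wtime),
              "target_size": size, "target_path": None, "drive_type": None,
              "volume_serial": None, "volume_label": None}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        # Skip the shell item IDList; IDListSize does not include its own 2 bytes.
        id_list_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        # Every offset inside LinkInfo is relative to the start of LinkInfo.
        (_li_size, _li_hdr_size, li_flags, vol_off, base_off,
         _net_off, suffix_off) = struct.unpack_from("<7I", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = pos + vol_off
            _vol_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
            result["drive_type"] = DRIVE_TYPES.get(drive_type, str(drive_type))
            result["volume_serial"] = f"{serial:08X}"
            result["volume_label"] = _cstring(data, vol + label_off)
            result["target_path"] = (_cstring(data, pos + base_off)
                                     + _cstring(data, pos + suffix_off))
    return result


def build_lnk(target_path, volume_label, serial, created, accessed, written, size):
    """Construct a minimal .lnk (header, empty IDList, LinkInfo, terminal block).
    This is test data for the parser, not a shortcut produced by Windows."""
    label_b = volume_label.encode("cp1252") + b"\x00"
    path_b = target_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), 3, serial, 16) + label_b
    base_off = 0x1C + len(volume_id)             # LinkInfoHeaderSize is 0x1C
    suffix_off = base_off + len(path_b)          # CommonPathSuffix is the empty string
    link_info = (struct.pack("<7I", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                             0x1C, base_off, 0, suffix_off) + volume_id + path_b + b"\x00")
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID,
                         HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<HH", 2, 0)           # an IDList holding only the TerminalID
    return header + id_list + link_info + struct.pack("<I", 0)  # ExtraData terminal block


# Constructed sample following the Hello.DOC example; path and volume details are invented.
SAMPLE_LNK = build_lnk(
    r"C:\Documents and Settings\user\My Documents\Hello.DOC", "SYSTEM", 0x1234ABCD,
    created=datetime(2007, 6, 1, tzinfo=timezone.utc),
    accessed=datetime(2008, 1, 1, tzinfo=timezone.utc),
    written=datetime(2007, 10, 1, tzinfo=timezone.utc),
    size=24576)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:16} {value}")
```

To use it on a real case, read each file under the profile’s Recent folder with `open(path, "rb").read()` and pass the bytes to `parse_lnk`; the three timestamps and the size describe the target at the moment the shortcut was last written, which is exactly what survives after the target itself has gone.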


FTK offers to buy EnCase

AccessData, the owners of FTK, have offered to buy Guidance Software, the makers of EnCase.

Over the past year Guidance Software’s (GUID) shares have fallen from $15 to a low of $2, making it vulnerable to takeover. Last month (October) AccessData asked the Guidance board if it could purchase Guidance at $4.50 a share; the offer was refused, and AccessData is now going to approach the shareholders directly.

Is this a good thing?

AccessData has a slightly different approach to forensics from Guidance, and as such their tools, FTK and EnCase, are different. Both have their pros and cons, but if the pros of both tools could be combined then computer forensics staff around the world would have access to a single brilliant tool. Well, that’s the theory.

The reality is probably somewhat different. When Guidance became a public company its attitude changed: those who have worked with EnCase for a long time have seen a stark difference in pricing, support, and the overall interaction between clients and the company. Overall the company is now “shareholder centric” and less customer friendly; this is, of course, a natural progression from a small two-man company to the world’s definitive forensic software provider.

AccessData has, perhaps to the annoyance of its CFO, remained far more friendly and easier to communicate with, no doubt helped by the FTK 2.0 disaster.

AccessData has, for years, had a very good indexing engine, and even now the one in EnCase 6.11 is nowhere near as good as that in FTK 1.1. For this reason AccessData presents a challenge to Guidance, and no doubt drives on their R&D team.

If AccessData did merge with Guidance, the end result would be a single dominant forensics company with no real competition, a monopoly, which in the long term cannot be good for the industry.

Posted in Forensics. Tags: . No Comments »

What is unallocated space?


Unallocated space, sometimes called “free space”, is logical space on a hard drive that the operating system, e.g. Windows, can write to. To put it another way, it is the opposite of “allocated” space, which is where the operating system has already written files.

Examples.

If the operating system writes a file to a certain space on the hard drive, that part is now “allocated” to the file, and no other files can be written to that section. If that file is deleted, that part of the hard drive no longer needs to be “allocated” and becomes unallocated, meaning new files can now be written to that location.

On a standard, working computer, new files can only be written to unallocated space.

If a new drive is connected to a computer, virtually all of the drive space is unallocated (a small amount is taken up by the file system’s own files, e.g. $MFT). On a factory-fresh drive the unallocated space is normally zeros; as files are written to the hard drive the zeros are overwritten with file data. Note that a quick format does not zero the disk, so the unallocated space of a reused drive still holds whatever was written to it before.

Working Example

Blank Drive

A freshly formatted (NTFS) 500 GB hard drive starts with 99.9% unallocated space; we will assume it is 100% to make the maths slightly easier. On a new drive all of the unallocated space will be zeros, literally 00 00 00 written on the hard drive.

If a 5 GB file, e.g. a large movie, is placed on the drive, there will be 1% (5 GB) allocated space and 99% (495 GB) unallocated.

If a 10 GB database file is now added, there will be a total of 3% (15 GB) allocated space and 485 GB unallocated. New files will only be written into the remaining unallocated space.

What happens when a file is deleted?

If the movie file from the above example is deleted, the allocated space it was using becomes unallocated, i.e. there will now be 2% allocated space (the 10 GB database) and 98% unallocated space.

However, the data from the movie file is still on the hard drive; it does not just disappear, it only changes its status. This means the following situation now exists:

There is 10 GB of allocated space and 490 GB of unallocated space.

Of the 490 GB, 485 GB would be all zeros; however 5 GB of the unallocated space would be the old movie data.

Until new files are written to the hard drive the movie file will remain deleted but still recoverable. Even when new files are written, they must overwrite the same unallocated space the movie file occupied before the movie file is destroyed. (On an SSD with TRIM enabled the drive may discard deleted blocks itself, so this recovery window can be far shorter.)

Unallocated space can only be accessed with specialist tools, not directly from Windows. Such tools include:

R-Studio, WinHex, EnCase, FTK.
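To make the allocated/unallocated distinction concrete, the following Python models a tiny volume and replays the movie and database story above in miniature. It is an added example, not code from the original post: the disk, the file contents and the first-fit allocator are all constructed for illustration (1000 clusters of 512 bytes stand in for the 500 GB drive). It shows the allocation bitmap changing on delete while the bytes stay put, carves the deleted file back out of unallocated clusters by its header and trailer, and then shows recovery failing once a new file reuses those clusters.

```python
CLUSTER = 512  # bytes per cluster in this toy; NTFS commonly uses 4096


class Disk:
    """A toy volume: a byte array, an allocation bitmap (like NTFS $Bitmap)
    and a name-to-clusters table standing in for the $MFT."""

    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)   # factory-fresh: all zeros
        self.bitmap = [False] * clusters            # True = allocated
        self.files = {}                             # name -> (cluster run, length)

    def write(self, name, payload):
        needed = -(-len(payload) // CLUSTER)        # ceiling division
        free = [i for i, used in enumerate(self.bitmap) if not used]
        if len(free) < needed:
            raise OSError("disk full")
        run = free[:needed]                         # first-fit: lowest free clusters
        for k, c in enumerate(run):
            chunk = payload[k * CLUSTER:(k + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.bitmap[c] = True
        self.files[name] = (run, len(payload))

    def read(self, name):
        run, length = self.files[name]
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in run)[:length]

    def delete(self, name):
        run, _ = self.files.pop(name)
        for c in run:
            self.bitmap[c] = False   # only the bookkeeping changes; the bytes stay put

    def summary(self):
        unallocated = [i for i, used in enumerate(self.bitmap) if not used]
        residue = sum(1 for c in unallocated if any(self.data[c * CLUSTER:(c + 1) * CLUSTER]))
        return {"allocated": sum(self.bitmap), "unallocated": len(unallocated),
                "unallocated_zeroed": len(unallocated) - residue,
                "unallocated_with_residue": residue}


def carve(disk, header, trailer):
    """Scan unallocated clusters for a file starting with `header` and ending
    with `trailer`; return the recovered bytes, or None if no intact copy exists."""
    for c, used in enumerate(disk.bitmap):
        if used or bytes(disk.data[c * CLUSTER:c * CLUSTER + len(header)]) != header:
            continue
        buf = bytearray()
        for d in range(c, len(disk.bitmap)):
            if disk.bitmap[d]:
                break                # hit live data: the rest has been reused
            buf += disk.data[d * CLUSTER:(d + 1) * CLUSTER]
            end = buf.find(trailer)
            if end != -1:
                return bytes(buf[:end + len(trailer)])
    return None


# Constructed file contents with recognisable header and trailer bytes.
MOVIE = b"MOVI" + bytes(range(256)) * 15 + b"EOFM"     # 3848 bytes -> 8 clusters
DATABASE = b"DBHD" + b"\x11" * 10000                     # 10004 bytes -> 20 clusters


def run_scenario():
    """Replay the 500 GB story on a 1000-cluster disk and record each state."""
    disk = Disk(1000)
    steps = {"blank": disk.summary()}
    disk.write("movie.avi", MOVIE)
    disk.write("db.mdb", DATABASE)
    steps["after_writes"] = disk.summary()
    disk.delete("movie.avi")
    steps["after_delete"] = disk.summary()
    steps["carved_after_delete"] = carve(disk, b"MOVI", b"EOFM")
    # A new file takes the lowest free clusters, i.e. the movie's old ones.
    disk.write("notes.txt", b"NOTE" + b"x" * 1000)       # 2 clusters
    steps["after_overwrite"] = disk.summary()
    steps["carved_after_overwrite"] = carve(disk, b"MOVI", b"EOFM")
    steps["database_intact"] = disk.read("db.mdb") == DATABASE
    return steps


if __name__ == "__main__":
    for name, state in run_scenario().items():
        print(name, state if not isinstance(state, bytes) else f"{len(state)} bytes recovered")
```

The carver only succeeds while the deleted file’s clusters are both unallocated and contiguous; once the first clusters are reused the header is gone and the remaining residue is a fragment that a signature-based tool would miss, which is the situation the paragraph above describes.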

Computer Forensic University Courses

Following on from the previous post on Computer Forensics Courses, below is a list of the current university courses with places available in the UK (correct at the time of publishing).

Attached is a spreadsheet highlighting the position of the universities providing Computer Forensics courses in the Guardian League Table. Another useful resource for university league tables is the Times.

Books

For those starting on a computer forensics course with the intention of going into the industry, the following books may be of interest:

Digital Evidence and Computer Crime by Eoghan Casey. A good book, though dated now; the author writes well and so it is easy to read.

Malware Forensics, another book by Eoghan Casey, but one that focuses on malware. Good for those studying the Trojan defence and who want to go into law enforcement/criminal work; not really for those in the civil sector, unless they have a very specific case they want to investigate.

A good resource on file systems, for students who want to know what is going on at the low level, is File System Forensic Analysis by Brian Carrier.

Courses

Each entry gives the UCAS institution code and name with the admissions telephone number, then one line per course: title, length in years, award (DEG = degree, HND), mode of study (FT = full time, SW = sandwich), the UCAS course code, and a final flag reproduced as listed.

A60 – Anglia Ruskin University: 0845 2713333
Information Security and Forensic Computing 3   DEG FT GG4N C

B22 – University of Bedfordshire: 0800 013 0925
Computer Security and Forensics 3   DEG FT GF44 D

B50 – Bournemouth University: 01202 524111
Forensic Computing and Security 4   DEG SW G550 -
Software Systems Framework 3   DEG FT G603 -

B56 – The University of Bradford: 0800 073 1225
Computer Systems Administration (4 years) 4   DEG SW G531 -

B80 – University of the West of England, Bristol: 0117 32 83333
Forensic Computing 3   DEG FT GF54 -

C10 – Canterbury Christ Church University: 01227 782900
Forensic Computing 3   DEG FT FG45 -
Forensic Computing “International Only” 4   DEG FT FG4M -

C25 – Birmingham City University (was UCE Birmingham): 0121 331 6777
Forensic Computing 3   DEG FT FG44 -

C30 – University of Central Lancashire: 01772 201201
Forensic Computing 3   DEG FT GF44 U

C85 – Coventry University: 02476 791 791
Digital Forensics and System Security 4   DEG SW G550 -
Ethical Hacking and Network Security 4   DEG SW GG45 -

D26 – De Montfort University: 08459 454647
Forensic Computing 4   DEG SW FG45 Y

D39 – University of Derby: 01332 621300
Computer Forensics and Security 4   DEG SW G550 -
Computer Networks and Forensic Studies 3   DEG FT GF44 -
Computing Management and Forensic Studies 3   DEG FT GF4K -

H60 – The University of Huddersfield: 01484 472777
Secure and Forensic Computing 3   DEG FT G603 -

K84 – Kingston University: 0844 855 2177
Forensic Science and Web Development 4   DEG SW FG4K -
Cyber Security – Computer Forensics with Maths 3   DEG FT G4G1 -
Cyber Security – Computer Forensics with Stats 3   DEG FT G4G3 -
Cyber Security – Comp Forensics w Maths inc yr 0 5   DEG SW G4GA K
Cyber Security – Comp Forensics w Stats inc yr 0 5   DEG SW G4GB K
Cyber Security – Computer Forensics with Maths 4   DEG SW G4GC -
Cyber Security – Comp Forensics w Maths inc yr 0 4   DEG FT G4GD K
Cyber Security – Computer Forensics with Stats 4   DEG SW G4GH -
Cyber Security – CompForensics w Stats inc yr 0 4   DEG FT G4GJ K
Cyber Security – Computer Forensics with Bus 3   DEG FT G4N1 -
Strategic Inn w Cyber Sec – Comp Frns (Int only) 4   DEG FT G596 K
Cyber Sec – Comp Forensics w Maths (Intntl only) 4   DEG FT G5GC K
Cyber Security – Comp Forensics/Stats (Int only) 4   DEG FT G5GH K
Cyber Sec – Comp Forensics/Strategic Innovation 4   DEG FT G5N2 K
Cyber Security – CompForensics w Bus (int only) 4   DEG FT G5NB K
Cyber Sec – Comp Forensics/Strategic Innovation 3   DEG FT G5NF -
Cyber Security – Comp Forensics/Strategic Innov 4   DEG SW G5NG -

L51 – Liverpool John Moores University: 0500 564565
Computer Forensics 4   DEG SW G550 -

M40 – The Manchester Metropolitan University: 0800 915 0668
Forensic Computing 4   DEG SW G550 -
Forensic Computing 3   DEG FT G551 -
Forensic Computing (Foundation) 4   DEG FT G552 -

M80 – Middlesex University: 020 8411 6565
Forensic Computing with Foundation Year 4   DEG FT GF5K H

N07 – Napier University: 08452 606040
Computer Security – Forensics 3   DEG FT GG56 -

N37 – University of Wales, Newport: 01633 435000
Forensic Computing 3   DEG FT G550 -

P80 – University of Portsmouth: 023 9284 8000
Security Technology 3   DEG FT L435 -

S21 – Sheffield Hallam University: 0845 147 3503
Forensic and Security Technologies 3   DEG FT G550 -
Forensic and Security Technologies 2   DEG FT G551 -

S72 – Staffordshire University: 0800 590 830
Forensic Computing 2   HND FT 44FG -
Digital Interactive Television Production 3   DEG FT EP23 -
Forensic Computing 3   DEG FT FG44 -
Forensic Computing 4   DEG FT FGK4 -
Forensic Computing (Bridge) 2   DEG FT G552 -
Forensic Computing and Forensic Engineering 3   DEG FT GF94 -
Computer Graphics and Forensic Computing 3   DEG FT GG49 -
Business and Forensic Computing 3   DEG FT GG59 -
Forensic Computing – Applied Statistics 3   DEG FT GG5H -
Computer Games Programming and Forensic Comp 3   DEG FT GG69 -
Forensic Computing and Mathematics 3   DEG FT GG91 -
Forensic Computing and Internet Technology 3   DEG FT GG94 -
Forensic Computing and Information Systems 3   DEG FT GG95 -
Forensic Computing and Software Engineering 3   DEG FT GG96 -
Forensic Computing and Network Engineering 3   DEG FT GG9K -
Forensic Computing and Web Media Technology 3   DEG FT GGXL -
Forensic Computing and Mechanical Engineering 3   DEG FT GH93 -
Forensic Computing and Mobile Communications 3   DEG FT GH96 -
Forensic Computing and Robotics Technology 3   DEG FT GH9P -
Forensic Computing and Music Technology 3   DEG FT GJ99 -
Forensic Computing and Sports Technology 3   DEG FT GJ9X -
Automotive Technology and Forensic Computing 3   DEG FT HG39 -
Aeronautical Technology and Forensic Computing 3   DEG FT HG49 -
Broadcasting Technology and Forensic Computing 3   DEG FT HG69 -
Electronics and Forensic Computing 3   DEG FT HGP9 -
Electronic Commerce and Forensic Computing 3   DEG FT NG19 -
Computer Games Design and Forensic Computing 3   DEG FT WG29 -
Film Production Technology and Forensic Comp 3   DEG FT WG69 -
Design Technology and Forensic Computing 3   DEG FT WGF9 -

S84 – University of Sunderland: 0191 515 3000
Forensic Computing 3   DEG FT FG45 -

Computer Forensic Courses in the UK

Below is a list of BSc and MSc university courses in the UK, in no particular order. These are not recommendations, merely a list of courses.

University of Central Lancashire: BSc

http://www.uclan.ac.uk/facs/destech/compute/courses/crse50/crse50.htm

Newcastle College: Foundation Degree

http://www.ncl-coll.ac.uk/course-information.aspx?courseid=8069

Glamorgan: BSc

http://www.glam.ac.uk/coursedetails/685/51

Northumbria BSc

http://northumbria.ac.uk/?view=CourseDetail&code=UUSCFO1

University of the West of England: BSc

http://courses.uwe.ac.uk/gf54/2008

Bedfordshire MSc

http://www.beds.ac.uk/courses/bysubject/cominfsys/msc-comforsec

Kingston University: BSc

http://www.kingston.ac.uk/cybersecuritycomputerforensics/

University of Westminster: BSc

http://www.wmin.ac.uk/cscs/page-1278

Liverpool John Moores University: BSc

http://www.ljmu.ac.uk/StudyLJMU/Courses/87382.htm

University of Glasgow: BSc

http://www.hatii.arts.gla.ac.uk/CFED/index.htm

University of Derby: BSc

http://www.derby.ac.uk/computer-forensics-and-security-bsc-hons

Royal Holloway

http://www.isg.rhul.ac.uk/cert/structure

University of East London: MSc

http://www.uel.ac.uk/programmes/scot/postgraduate/iscf.htm

Strathclyde University: MSc/PgDip

http://www.strath.ac.uk/cis/courses/forensic/

Open University: Post Grad Module

http://www3.open.ac.uk/courses/bin/p12.dll?C01M889

Glamorgan: MSc

http://www.glam.ac.uk/courses/685/549

Cranfield: MSc

http://www.cranfield.ac.uk/dcmt/forensicssecurity/index.jsp

Computer Forensics: Definition

Computer forensics is a branch of forensic science (though it is often not treated as such, and is rarely held to the same standards as a pure science such as DNA analysis).

Computer forensics relates to legal evidence found in computers and other storage systems, e.g. mobile phones, backup tapes, firewalls, and network logs.

The field of Computer Forensics also has sub branches within it such as Firewall Forensics, and Mobile Device Forensics.

There are many reasons to employ the techniques of computer forensics:

  • In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
  • To recover data in the event of a hardware or software failure.
  • To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.
  • To gather evidence against an employee that an organization wishes to terminate.
  • To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.

Wiki Article

ACPO Guidelines

Below are the principles that computer forensic experts in both the police and the private sector follow; they come from the ACPO Guidelines.

These principles apply to all handling of computer-based evidence, including the imaging of hard drives.

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

ACPO Guidelines

Part 35 of the Civil Procedure Rules defines how an expert witness (e.g. a computer forensics expert) should give evidence in court and produce reports, and what evidence should be given in civil cases.

Posted in Guides. Tags: , . No Comments »