Currently Reading…

File System Forensic AnalysisFile System Forensic Analysis Cover

by Brian Carrier

I just started reading File System Forensic Analysis by Brian Carrier. This book appears on the recommended reading list of multiple blogs, websites, podcasts, and forum posts both for great information for those in the digital forensics field but also as a must read for anyone preparing for the GCFA or GCFE exam.

The book was published in 2005 but is still extremely relevant to the forensic world today.

Brian Carrier is the author of Autopsy and The Sleuth Kit forensic tools and as it is stated in the forward of this book, “a household name in the digital forensics community”.

I am looking forward to reading this book and although having only read the first chapter so far this book is very readable and should contain information for both the experienced examiner as well as those new to the world of digital forensics.

You can purchase the book in both print or Kindle format on Amazon Here.

Cloning Drives with Bad Sectors

I picked up an old Toshiba 2.5″ 40Gb laptop hard drive to use for practice cloning and analyzing drives with some free or low-cost forensic tools.  After connecting the drive to the WiebeTech Forensic UltraDock I was quickly able to see that the drive had 5 bad sectors. I attempted to acquire the clone of the drive utilizing FTK Imager on two different occasions but after waiting for several hours on each attempt the clone would  “freeze” after approximately 24.7Gb of the image had been acquired. I then attempted to clone the drive utilizing dcfldd within the SIFT 3.0 workstation and received the same results. A little online research and I learned about ddrescue as an option for achieving a clone of a drive with bad sectors. Continue reading

WiebeTech Forensic UltraDock v5.5 and VMWare Workstation 12.5

I am currently running my forensic workstation as a virtual machine within VMware Workstation 12.5.  I chose to do this for multiple reasons, some of which include snapshots to roll back the workstation, ability to test different forensic tools, test OSs for the workstation (Windows vs Linux), etc. Not to mention the cost associated with VMWare Workstation compared to having several machines running different OSs as well as the portability of it all

So far this setup has worked well as test bed for the start of my expedition.  There have been a few performance hurdles but nothing that a little patience wouldn’t take care of.  However today I ran into an issue that, although I was able to overcome is disappointing to say the least. Continue reading

Currently Reading…

basicsofdigitalforensicscoverThe Basics of Digital Forensics

by John Sammons

I am currently reading The Basics of Digital Forensics: The primer for Getting Started in Digital Forensics by John Sammons.

Just as the name implies this is a very basic introduction to digital forensics but is still an entertaining and quick read.

You can get your copy of this book from Amazon Here.

Note: The second edition of this book is available at Amazon Here


Security Tokens on XenDesktop

The use of USB Security Tokens with XenDesktop 5.6 FP1 poses some interesting challenges.  In this configuration XenDesktop was run on both Wyse Thin Clients as well as via Citrix Receiver on a PC.  The XenDesktop image would detect the USB token, a SafeNet iKey 2032; however the SafeNet application would not detect that the token was installed or read the certificate that was installed on the certificate.

After much research and testing of ideas proposed on websites regarding the way that the SafeNet application was installed or the disabling of the SmartCard service the resolution ended up being a resolution originally implemented in XenDesktop 3.0.

The following registry key needs to be changed for third party applications to access the USB Security Tokens or SmartCards.

  1. Open Regedit
  2. Browse to HKLM\Software\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook
  3. Change the vale of the Flag key to “0″
  4. Restart the workstation

This change immediately resolved the issue with the SafeNet iKey 2032 token being accessed by the SafeNet Authentication Client.

Citrix Support Article:

CHM Files in Windows 7

The release of Microsoft Security Update 896358 prevented Windows 7 users from being able to open CHM Help files that are stored in network locations. To allow CHM files stored in network locations to be accessed from Windows 7 machines on the network the following registry change has to be made. Continue reading

Digital Forensic Certifications

A multitude of certifications exist related to digital forensics, incident response, and security. The quest to obtain some of those certifications is one focus of this blog.

Deciding on the correct certifications can often be a daunting task.  Michael Leclair over at the Digital Forensic Survival Podcast published Episode 22 regarding some of the certifications available and which ones to look into further depending on your own personal area of focus.

One of the certifications that Michael talks about is the SANS GIAC Certified Forensic Examiner (GCFE).  Although there are pros and cons to all certifications this one is at the top of my list right now.  Michael made some great points concerning tools specific certifications vs tool agnostic certifications.

You can find out more about the GCFE certification here.

Head on over to the Digital Forensic Survival Podcast website to listen to Episode 22 as well as check out the other episodes for some interesting information.

Let us embark…

Welcome to the start of the Forensic Expedition blog. This blog was created to chronical my journey through obtaining not only various digital forensics certifications but chronical the growth of my knowledge and experience in the realm of digital forensics.

I chose the name Forensic Expedition for several reasons. The Oxford dictionary defines Expedition as:

  1. a journey or voyage undertaken by a group of people with a particular purpose, especially that of exploration, scientific research, or war.
  2. promptness or speed in doing something

These are both great definitions for how I see my journey into the digital forensics world.  Not only am I embarking on a new journey but it is a journey of scientific research and learning in a field that requires exactness and promptness.

It is my hope that this blog will be beneficial to both those getting started and wanting to obtain certifications in the field as well as those that are already active in the arena.

Although I have a Bachelor of Science in Security and Forensics from Kaplan University I currently get limited day to day exposure to digital forensics. I am currently the Citrix Administrator for a financial institution located in Texas and my primary focus is on Citrix VDI as well as information security.

With my passion being in the security and forensics realm I am gradually working to steer my path more towards the forensics world and hope to accomplish that by not only obtaining various certifications but also through lab practice and utilizing forensic techniques more often in my daily job.

I hope you can join me on this expedition and find the journey not only entertaining but beneficial.