Ride The Lightning

THE FORENSIC TOOLBOX AND SPYWARE

2008-07-25T09:54:55-04:00

From the point of view of the cynical computer forensics examiner, all husbands and wives are cheating on each other – and often spying on each other as well. Spyware has become increasing devious, hard to locate and document. I am taking the unusual step of including here a lengthy post that recently appeared on several of the forensics lists, because it underscore several things that we all need to keep in mind:

1) The claims of spyware makers are often bogus, in spite of their website hype.
2) No one tool, even a good one such as Gargoyle (which we use often) is an all purpose solution.
3) It pays to keep an eye open for new or different forensics tools. The story below illustrates how a very cheap product found what a more venerable and far more expensive product could not.

**************************

Please pardon the cross-posting. I have had a situation that has rekindled the issues concerning eBlaster. First, Spectorsoft sent an email advertising the new version 6 of eBlaster with the claims that it cannot be detected by any anti-spyware or anti-virus software tools. Second, I came into possession of a drive image suspected of containing an installation of eBlaster, and I was tasked to help confirm or deny this allegation.

I have Wetstone Technologies' Gargoyle, so I started with that. Gargoyle found one remote access program and one anti-forensics program, but no eBlaster. Nonetheless, the default hotkey combination for eBlaster(ctrl-shft-alt-T) brought up the password entry field on the screen proving that eBlaster was indeed present. Then I downloaded a trial version of a $29 program named Spyware Doctor. Within 10 minutes Spyware Doctor identified 15 items on the drive related to eBlaster, including Registry keys and dll files.

I phoned Wetstone to inquire why a $29 app found what their $1500 app could not. They explained that eBlaster is polymorphic, it changes configurations (and the resulting hashes also change). Since Gargoyle identifies files based on a hash database, it may or may not identify polymorphic files, even though the Gargoyle documentation specifically states it will identify eBlaster version 5. Wetstone recommended using a heuristically-oriented app (like Spyware Doctor).

My next step was to contact Spectorsoft and inquire about what to do with the new version 6, which they assured me was undetectable via heuristics or anything else. The hotkey combination trick will still verify the presence of the program. It is possible, however, that the hotkey combination will have been changed by the person who installed program, or perhaps the hotkey combination has become corrupt and won't open the password entry field. Failure of the hotkey combo to bring up the PW entry field does not definitively prove the absence of a Spectorsoft program.

Spectorsoft told me to have on hand a CD with the installation files for all 3 of their products, eBlaster, Spector, and Spector Pro. These installation programs can only be downloaded from their website if a licensed copy of the program is purchased. Since versions are unimportant, these purchased files won't go out of date anytime soon.

If a machine is suspected of having one of these programs installed, just insert the CD and fire off the setup application. When the setup begins, select the advanced button. If the suspected program is installed, the password field will appear on the screen. Spectorsoft told me this is proof-positive that the suspect app is installed on the computer. You law enforcement guys/gals can then get a subpoena to get Spectorsoft to help you extract the password and log in to get all the pertinent info. Us PI's can only capture a screenshot and pray a court will grant us the same courtesy, but we might be forced to be satisfied with proving the program is there.

BTW, the eBlaster setup only identifies the presence of eBlaster, the Spector setup only identifies the presence of Spector, etc. Version numbers are irrelevant. So, you might want to run all three setups to verify the presence or absence of Spectorsoft programs.

Louis M. Schlesinger, LPI, CCE, ACE, CFC, CIFI, WCSI CyForensics, cyforensics@cox.net www.cyforensics.com

Thanks Louis, for the permission to repost this – and a hat tip to Dan Fuller for passing the posting along.

E-mail: snelson@senseient.com Phone: 703-359-0700

2008 SOCHA-GELBMANN EDD SURVEY

2008-07-23T09:06:25-04:00

Though the full Socha-Gelbmann EDD Survey has not yet been released, there is a sneak preview on the EDD Update blog at http://commonscold.typepad.com/eddupdate/2008/07/2008-socha-gelb.html.

Be mindful that this survey is largely a guide to the “whales” of the industry, and that the whales themselves provide the information upon which the results are predicated. The authors are careful to note “Anyone who makes buying decisions primarily on these rankings or any other generalized rankings is a fool.” I can’t top that statement. I certainly agree with it and commend the authors for stating the point so plainly.

Many smaller boutique firms (Sensei included) choose not to participate in this survey, some because they wish to hold their corporate data private and some because they recognize that they are essentially “little fish” who cannot compete with the whales. This in no way denigrates the quality of their services, as Mr. Socha and Gelbmann have been quick to recognize.

Still, this is a well-respected survey, as evidenced by all of our Inboxes being flooded by the whales lauding themselves in press releases citing their position within the survey! An expanded version of survey results will be published in the August edition of Law Technology News.

E-mail: snelson@senseient.com Phone: 703-359-0700

AHOY MATEY! ELECTRONIC EVIDENCE ABOARD SHIP

2008-07-21T08:30:00-04:00

I regret to say that I am no longer aboard ship. Alas, I must now make my own cocktails, prepare my own meals and make my own bed. I preferred being onboard, all things considered. And, of course, I miss the Wheel of Fortune, which spun sweetly for me - to the tune of $3000, though I charitably gave some back – and shared with the three guys who were with me so they could lose at the tables. The Bank of Mama was very popular.

We had the honor of dining with the Captain of the Royal Caribbean’s Grandeur of the Seas, Jim Olson, who very kindly invited us to take a tour of the bridge. In case you were wondering, this is where the electronic evidence part comes in. Now, we knew that facial recognition technology was used every time one gets on or off the ship, and we knew there were some cameras in the public areas but we really didn’t appreciate the full extent of the surveillance. According to the Captain, ALL public areas of the ships are under camera watch – and with a few mouse clicks, he moved from place to place, finally amusing us by showing us ourselves peering at the monitor on the bridge.

Doing what we do for a living, we naturally inquired if these images were viewing or recording (recording was the correct answer) and how long the images are kept (a total of FOUR years, rather to our surprise). Should someone report that something was stolen from their cabin, the security force has both the identification from the room key as well as the hall camera images to investigate. One can see how this would discourage anyone criminally minded among the crew, to put it mildly.

Grinning at each other, John and I were remembering how often we had seen the “Love and Marriage” game show aboard ship. One of the questions is invariably: “Where is the most unusual place you’ve ever made love?” Many times, the answer involves intimacy somewhere aboard the ship in a public area. So, be forewarned – security may not come to “break it up” but you may be leaving quite a flamboyant piece of electronic evidence around for some four years. Not that we were, at any time, considering any intimate adventures in public areas, but our mantra for the voyage was “what happens in our stateroom stays in our stateroom.”

E-mail: snelson@senseient.com Phone: 703-359-0700

A PEACH OF AN EDD RESOURCE FROM ORANGE LEGAL TECHNOLOGIES

2008-07-11T07:34:00-04:00

Folks involved in electronic evidence are always scrambling to keep up with EDD developments. My friend Rob Robinson recently passed along a new resource, “Unfiltered Orange” from the OrangeLT.com website that takes advantage of news aggregation tools and technologies to provide an “unfiltered” look at electronic discovery centric news harvested from the Internet. Some of the tools used include Word Press, Twitter, OutTwit and Google Alerts, all designed to help people keep abreast of EDD related developments. This is, of course, a vendor site, but the company is to be commended for keeping its news sources neutral. Provide something of value and users will appreciate it and remember you for it. Nice public service, good marketing tool, highly innovative – I’d expect nothing less from Rob!

Check out your options for using this service at http://www.orangelt.com/news-events/unfiltered-orange/.

Note to readers: Even as you read this, John and I will be in our “happy place” on a cruise ship headed for Canada. I am quite unapologetically taking a week off to do a whole lot of nothing. Enjoy the radio silence – Ride the Lightning will be back on July 21st.

E-mail: snelson@senseient.com Phone: 703-359-0700

THE “HOPE” STATE (R.I.) EXEMPTS COMPUTER FORENSICS FROM PI LAWS

2008-07-09T07:20:00-04:00

How fitting that Rhode Island, whose state motto is simply “Hope,” has provided exactly that to computer forensics specialists frustrated by states which try to shoehorn computer forensics into their PI licensing structure. On June 30, 2008, Rhode Island’s new law specifically exempts from its PI statute, “an individual employed as a computer forensics specialist who holds professional certification as a computer examiner.”

Way to go Rhode Island!

Thanks to Nicole Kolinski for passing this along. The new law may be found at http://www.rilin.state.ri.us/BillText08/SenateText08/S2873A.pdf

E-mail: snelson@senseient.com Phone: 703-359-0700

THE JUDICIAL ROCK STARS OF ELECTRONIC EVIDENCE

2008-07-07T10:12:05-04:00

John and I often chuckle about the “rock star” status of certain judges who are known to have a deep and abiding interest in ESI. When they issue an opinion, the news spreads like wildfire across the Net – and their words are gobbled up by devotees, as all of us who lecture about electronic evidence scramble to update our PowerPoints.

Jason Krause, one of my favorite ABA writers, has written an excellent piece on this phenomenon, entitled “Rockin’ Out the E-Law.” Highlighted are “headliners” we all know, U.S. District Judge Shira Scheindlin, U.S. Magistrate Judge Paul Grimm, U.S. Magistrate Judge John Facciola, U.S. Magistrate Judge David Waxse, U.S. Magistrate Judge James Francis and U.S. District Judge Rudi Brewster.

As Craig Ball (something of a rock star in the ESI world himself) says “Anytime these judges write an opinion, it’s treated like a papal encyclical . . . they really influence other judges, who act like these are the rock stars of their profession.”

Anyway, if you’re one of the groupies, it’s a fun and informative read. Great job Jason.
Hat tip to Rod Coggin for passing this story along. The article may be found at http://www.abajournal.com/magazine/rockin_out_the_e_law/

E-mail: snelson@senseient.com Phone: 703-359-0700

SINCE I’VE BEEN BANGING ON TEXAS . . .

2008-07-03T08:35:00-04:00

Thanks to those readers who wrote and are also upset with the requirement in some states that computer forensics technologists obtain PI licenses to practice their profession. As one reader pointed out, there is a valuable link worthy of mention.

The now notorious Texas Private Security Bureau (see yesterday’s post for details) has just published opinions it issued from 2006-June 2008 in response to questions it has received. Many professions are apparently conceivably included in this very self-interested and protectionist law. The opinions may be found at http://www.txdps.state.tx.us/psb/docs/psb_opin_sum.pdf.

Do not read it without something harmless to punch nearby.

E-mail: snelson@senseient.com Phone: 703-359-0700

COMPUTER REPAIRMEN: DON’T MESS WITH TEXAS!

2008-07-02T13:38:06-04:00

As readers of this blog know, I go ballistic when states require computer forensics technologists to get PI licenses. These two disciplines are apples and oranges. I’ve no objection to the licensing, so long as it is carefully thought out and not protectionist, but computer forensics bears only the most tenuous relationship to private investigation. Texas has long been in my crosshairs for having such a law, but apparently the law is even more ridiculous than I thought.

According to the Institute for Justice, the Texas law would place many functions normally associated with computer repair under the PI law, requiring IT professionals to shut down, get a criminal justice degree, or complete a three-year apprenticeship under a licensed PI. If the government deems any of their actions to be part of an “investigation,” violators are subject to criminal penalties of up to one year in jail and a $4,000 fine, in addition to civil penalties of up to $10,000. So an IT person being asked to investigate a security breach, which will inevitably result in the collection of electronic evidence, now must hold a PI license. Ditto if they are asked to review the e-mail of someone suspected of sexual harassment. There are so many things IT companies do that could be construed as an “investigation” that the law becomes simply silly on its face.

I salute the Institute of Justice for filing suit against the Texas Private Security Board, which regulates PIs (and apparently, non PIs as well). Hey guys, love your lawsuit, but how about adding computer forensic technologists to your list of plaintiffs?

Going to Texas? Bring your passport and get your shots. It’s a whole other country.

Further information is available at http://www.ij.org/first_amendment/tx_computer_repair/index.html

E-mail: snelson@senseient.com Phone: 703-359-0700

POOL PARTY! THANKS TO GOOGLE EARTH

2008-06-30T16:51:03-04:00

The electronic evidence in this case certainly proved to be entertaining - and very new age. During June, police in Britain have been receiving reports of massive trespassing from homeowners who own pools and have returned home to find the debris from teen pool parties. It turned out that the teens were using Google Earth to identify desirable homes with large pools and then arranging their parties using Facebook and Bebo, leaving digital evidence of their misdeeds behind.

Given the British climate, homes with large pools are a rarity, but the enterprising teens have scoped them out. The new craze is called “dipping” – parties have been arranged at most homes while owners were away on holiday and once while they were sleeping (they woke up to in shock to behold scantily clad, beer-infused teenaged invaders taking over their pool).

In case you wondered, the dress code is formal dress (right up until skinny dipping becomes de rigueur) and it is BYOB (Bring Your Own Bike) – fast getaways being essential.

E-mail: snelson@senseient.com Phone: 703-359-0700

MICHIGAN GETS IT WRONG: COMPUTER FORENSICS AND SAM SPADE

2008-06-25T17:05:49-04:00

How does this keep happening? Michigan has now joined a handful of other states in requiring that computer forensics technologists have PI licenses. It is no surprise that the PI lobby WANTS to horn in on the money in computer forensics, but where are the experts who can/should be testifying before state legislatures telling them how ridiculous these laws are before they get enacted?

You don’t need to be a PI to analyze blood, bullets, or nearly anything else. There is almost no correlation between the two professions. Computer forensics is (or should be) a true science, having nothing whatever to do with the old world detective work of a Sam Spade. Should the profession be licensed? Quite possibly – but not under the PI laws. Moreover, as this sort of work is more and more national and international, inconsistent state laws make no sense whatsoever and are a huge headache for law firms and their clients.

In Michigan, you can now receive up to a four-year prison term and a $25,000 fine for engaging in computer forensics without a PI license. C’mon guys. Did anyone really look at this law and think through the implications?

The unfortunate consequence of these laws is that folks in Michigan no longer have the opportunity to select the expert of their choice anywhere in the country. Moreover, it is very likely that outsiders will seek to collaborate with PIs in Michigan as a “front” to sidestep the law. The whole law smacks of protectionism – and of the power of the PI lobby to enact a law which tries to put a square peg in a round hole.

Silly, dead silly. For the record, if any readers become aware of bills being introduced in a state, please pass the information along – John and I are happy to write (and to get our friends to write) in protest. We are even willing to appear before legislative committees if necessary.

Sidebar note: I must note the excellent and informative post of my friend Jim Calloway, who picked John’s brain about an inexpensive way to document cell phone contents yesterday and turned the results into a humorous and informative post in one of our favorite blogs, the aptly named Jim Calloway’s Law Practice Tips Blog. The post may be found at http://jimcalloway.typepad.com/lawpracticetips/2008/06/preserving-mobi.html

E-mail: snelson@senseient.com Phone: 703-359-0700