NOPA Slides June 2011
I gave a presentation to the New Orleans Paralegal Association for their June 2011 meeting. The presentation was on the differences between reality and crime-genre movies and television shows like NCIS, CSI, Numb3rs, etc. The presentation contains a number of video clips from such shows, along with some information explaining where they were right, where they were wrong, and some of the problems with changing technology making previously impossible things possible.
*UPDATE* – One of my slides pokes fun at the “GUI Interface in Visual Basic” to track an IP address, and at invalid IP addresses. This morning’s update to the long-running BOFH ‘comic’ took a moment to poke fun at some of these same topics.
“Yes, but if you like we can use our television script based IT skills to determine who damaged these computers?”
“Well… yes, if you think it will work?” the Boss burbles.
“You bet. We’ll have it sorted inside the hour. Or 16 minutes if we don’t stop for adverts.”
“So you want me to run up a GUI interface using visual basic to track the killer’s IP Address?” the PFY asks.
“Yes do that – although we already know the first number in the address is 324 dot something.”
“Ah, so it’s from downtown,” the PFY nods knowingly.
Slide 9 Video – Utter nonsense
Slide 11 Video – Numb3rs IPv4
Slide 13 Video – Gaming Consoles & Spreadsheets
Slide 16 Video – NCIS Steganography
Slide 18 Video – Elements song; encoding lyrics into MP3
Slide 19 Video – Original vs Hidden comparison
Slide 21 Video – Fried phone
Slide 23 Video – Stuxnet
Slide 25 Video – You can always unplug
DC3 2010
DC3 2k10 is here again, and team NSSAL will be participating again this year. I was a little disappointed in our overall ranked performance last year, but the challenge numbers are a little misleading. The 2008 challenge was composed of discrete components, whereas 2009 was an investigation – we solved the investigation, but there is only so much time you can spend beating a dead horse for more points once a case is solved.
I’m pleased to say this year our team will have fewer distractions and we’ll even all be in the same city this go around. I’m due to pick up the challenge data this weekend, but first appearances seem to indicate 2010 will be closer in format to 2008. Obviously, with the DC3 I cannot comment about the challenge itself until the end, but I hope to have another good write up on our entry when everything is over in December.
AAFS 2010 – Changes in Approach to Scalability in Digital Forensic Analysis
This year I attended the American Academy of Forensic Sciences (“AAFS”) conference in Seattle and presented in the digital and multimedia section. The following post is a summary of the oral presentation along with my slide set.
For those who do not know, I hold an M.S. in computer science with concentration in Information Assurance. I am presently a Ph.D. student in Engineering and Applied Sciences at the University of New Orleans. I expect to be ABD by fall of this year when I start law school as a J.D. student. Professionally, I work for a litigation support vendor in New Orleans dealing primarily with the civil side of digital forensics, eDiscovery, and other related areas. I have a somewhat unique perspective on the field by having one foot in academia and the other in industry.
One cannot begin a discussion of future trends and the need for new approaches without first examining the current state. At present the field has three main phases of practice: acquisition, analysis, and reporting. Acquisition originated in dead acquisition, where the data storage medium, such as a hard drive, is imaged byte-for-byte while the system is powered off to produce an exact duplicate. The duplicate is hashed for later verification after analysis is complete. In a more modern twist, live acquisition involves acquiring data from a system while it is still running. Live acquisition allows for preserving more ephemeral data such as memory dumps, active network connections, logged-on users, running programs, etc., which would otherwise be lost in powering the system down for dead acquisition. Live acquisition risks the triggering of anti-forensics tools, malicious commands from still logged-in users, and damaging the system state.
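The dead-acquisition and hash-verification cycle described above, as an added Python example (not from the talk or its slides): a constructed temporary file stands in for the powered-off medium, the copy is hashed as it is written, and a later check shows that a single altered byte in the image fails verification. A real acquisition would also sit behind a write blocker; that is outside what this snippet models.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large media never need to fit in RAM


def acquire_image(device_path: str, image_path: str) -> str:
    """Copy device_path to image_path byte-for-byte and return the SHA-256 of the
    bytes written. Hashing during the copy means the recorded acquisition hash
    reflects exactly what landed in the image file."""
    digest = hashlib.sha256()
    with open(device_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            dst.write(chunk)
            digest.update(chunk)
    return digest.hexdigest()


def hash_file(path: str) -> str:
    """Re-hash a file on disk, again in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(image_path: str, acquisition_hash: str) -> bool:
    """Post-analysis check: the image must still hash to the value recorded at
    acquisition; any mismatch means the evidence copy was altered."""
    return hash_file(image_path) == acquisition_hash


def demo() -> tuple:
    """Whole flow on a constructed 'device'; returns (ok_before, ok_after_tamper)."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.bin")
        image = os.path.join(tmp, "device.dd")
        with open(device, "wb") as fh:  # constructed ~3 MiB medium of random bytes
            fh.write(os.urandom(3 * CHUNK + 17))
        h = acquire_image(device, image)
        ok_before = verify_image(image, h) and hash_file(device) == h
        with open(image, "r+b") as fh:  # simulate one byte flipped during analysis
            fh.seek(1000)
            original = fh.read(1)
            fh.seek(1000)
            fh.write(bytes([original[0] ^ 0xFF]))
        return ok_before, verify_image(image, h)
```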
Wikileaks – NeoNazi Forum Dumps
Wikileaks has data from several Neo-Nazi forums. The information includes user lists, private message histories, forum posts, etc. I’ve been poring over the data since yesterday. The sites seem to be using SMF and phpBB primarily – some with modified fields. I’m currently looking at the communication patterns for the private messages. When I analyzed the user lists, I found a good number of overlap users between the sites – users who were members of multiple websites. What I’m doing now is cross-referencing the private messages to and from the individuals with multiple memberships. I’m hoping this reveals who the significant actors are, what individuals form subgroups, and how different subgroups are linked between the sites through the multiple-membership users.
This is all very preliminary, but should make for some fascinating observations later. After I am done with the communication patterns, I’m going to take a look at word frequencies in the forum posts. I might make one of those weighted word clouds, those always make for intriguing eye candy.
Westboro Baptist Church
In a strange turn of events, news outlets are reporting that Anonymous, the same ‘group’ (or loose association, depending on who you listen to) responsible for the HBGary fiasco, is now threatening the Westboro Baptist Church. Or is it? Suspicions are surfacing that the threat was posted by Westboro Baptist Church itself. I have an interesting observation regarding the & symbol.
First, this is the press release by ‘anonymous’ which contains some peculiar uses of the & as illustrated below.
Note the significant use of & – Westboro Baptist Church is a fascinating group to me. I feel they represent a test of our dedication to free speech, the first amendment’s Gethsemane so to speak. Something about the post sounds like the WBC. For as long as it remains up, look at WBC’s reply. Very curious. Anonymous posted a reply to the WBC reply, note the difference in word usage.
Now look at this sentence:
You have condemned the men and women who serve, fight, and perish in the armed forces of your nation; you have prayed for and celebrated the deaths of young children, who are without fault; you have stood outside the United States National Holocaust Museum, condemning the men, women, and children who, despite their innocence, were annihilated by a tyrannical embodiment of fascism and unsubstantiated repugnance.
Note the super-run-on-super-comma sentence structure with two semi-colons. This is the same type of sentence structure used by WBC. There has been some research in the past to identify unique aspects of an individual’s writing style for author identification. I’m not overly impressed by its application in general because anyone who is aware of it can alter their writing style to suit. However, if you are not aware of it you can be betrayed by your own writing style. It is contended in the anonymous second reply that WBC has left their ports open to collect IPs for legal action. That would be an interesting outcome.
Personally, I think the “Operation Westboro” call to arms sounds remarkably like Westboro Baptist Church themselves, and any evidence of a WBC honey pot only strengthens that view.
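An added toy example (not from the post) of the punctuation-based author comparison the post gestures at: it profiles ampersand use, commas and semicolons per sentence, and sentence length, then finds which of two constructed writing samples is closest to the sentence quoted above. The samples are placeholders, not real WBC or Anonymous text, and the feature set is an assumption for illustration, not a validated attribution method.

```python
import re
from math import sqrt

FEATURES = ("amp_per_100w", "commas_per_sent", "semis_per_sent", "words_per_sent")

def style_features(text: str) -> dict:
    """Punctuation-rate profile of one text (the habits the post points at)."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    n_s, n_w = max(len(sentences), 1), max(len(words), 1)
    return {"amp_per_100w": 100.0 * text.count("&") / n_w,
            "commas_per_sent": text.count(",") / n_s,
            "semis_per_sent": text.count(";") / n_s,
            "words_per_sent": n_w / n_s}

def nearest_author(questioned: str, samples: dict) -> tuple:
    """Min-max scale each feature over all texts so sentence length cannot
    swamp the punctuation rates, then return (name, distance) of the closest
    sample. A writer who knows these are counted can simply change them."""
    profiles = {name: style_features(t) for name, t in samples.items()}
    q = style_features(questioned)
    allp = list(profiles.values()) + [q]
    span = {f: (max(p[f] for p in allp) - min(p[f] for p in allp)) or 1.0
            for f in FEATURES}
    scored = {name: sqrt(sum(((q[f] - p[f]) / span[f]) ** 2 for f in FEATURES))
              for name, p in profiles.items()}
    best = min(scored, key=scored.get)
    return best, scored[best]

# Constructed writing samples (placeholders, not real WBC or Anonymous text):
# one long, comma-heavy, ampersand-laden register and one of short declaratives.
SAMPLES = {
    "long_commas": ("We, the faithful, & the chosen, have warned you; we have marched, "
                    "& we have preached, & still you mock us; the judgment, sure & "
                    "swift, is coming."),
    "short_plain": ("Your site is down. Your data is ours. Laugh now. We are watching. "
                    "Nothing else matters."),
}

# The sentence quoted in the post, used as the questioned text.
QUESTIONED = ("You have condemned the men and women who serve, fight, and perish in the "
              "armed forces of your nation; you have prayed for and celebrated the deaths "
              "of young children, who are without fault; you have stood outside the United "
              "States National Holocaust Museum, condemning the men, women, and children "
              "who, despite their innocence, were annihilated by a tyrannical embodiment "
              "of fascism and unsubstantiated repugnance.")

def demo() -> str:
    return nearest_author(QUESTIONED, SAMPLES)[0]
```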