At the Computer and Enterprise Investigations Conference in Orlando, Fla., a number of vendors in computer forensics, cybersecurity, and e-discovery released new products, which make CEIC an annual event for Law Technology News to attend.
Cellebrite's UFED series of mobile forensic devices got a new stand-alone application, called UFED Link Analysis. The Link Analysis tool is designed to visualize data extracted from mobile devices. With the stand-alone application, an investigator can see key relationships and important behavior among the authors of messages such as the number of messages transmitted and methods used to send and receive messages, all gathered from multiple phones.
Link Analysis ingests data from one or more mobile devices. The tool can ingest .xml files exported from Cellebrite's UFED Physical Analyzer or UFED Logical Analyzer as well as data from logical file systems and image files for analysis. The application draws graphs of mutual links between devices, lists events in chronological order, identifies multiple suspects on a single map, saves snapshots of data and project-related information, and writes custom reports that can add data and pictures collected during an investigation.
Cellebrite's new tool can visualize links between senders and receivers who exchange telephone calls, text messages, email messages, and chats. It also:
• Groups senders and receivers by their associations.
• Filters data by date, time, category, and event.
• Stores data extracted from file systems and physical media.
• Exports data to advanced link analysis tools such as Penlink, i2 Analyst's Notebook, and Palantir.
CEIC 2013 attendees saw the debut of a new indexing engine for DFLabs PTK Forensics 3.0. The engine runs pre-processing actions on imported evidence to facilitate investigations. It supports pre-indexing and allocated and unallocated slack space analysis, string and metadata extractions, file signature analysis, file hashing, and automatic data carving to recover data from file fragments or undifferentiated data blocks (raw data). Other new features in PTK Forensics include:
• Support for multiple, simultaneous users and granular user permissions.
• Advanced reporting system with bookmarks, partition details, and timelines.
• A revamped case management engine that incorporates the DFLabs Digital Investigation Manager module to manage case notes and events and to maintain the chain of custody for evidence.
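The file signature analysis and data carving that PTK's new engine performs can be shown on a small scale. The following is an added example, not DFLabs code: it carries a constructed, three-entry header/footer signature table, flags a file whose extension disagrees with its header, and carves recognisable files out of a constructed block of raw bytes, capping each carve so that a missing footer cannot swallow the rest of the block.

```python
"""Signature-based file identification and carving over a raw data block.

Added illustration, not DFLabs PTK code. The signature table is a constructed
subset (real tools carry hundreds of entries) and the 'unallocated space' is a
constructed byte string built by build_sample_blob().
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Header and footer signatures for a few common types (constructed subset).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # cap so a missing footer cannot swallow the whole image


@dataclass
class CarvedFile:
    kind: str
    offset: int
    length: int
    sha256: str
    complete: bool  # True when the footer was found before the cap


def identify(data: bytes) -> str | None:
    """Return the type whose header matches the start of data, else None."""
    for kind, (header, _footer) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None


def signature_mismatch(filename: str, data: bytes) -> bool:
    """File-signature analysis: True when the extension disagrees with the header."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpg": "jpeg"}.get(ext, ext)
    kind = identify(data)
    return kind is not None and kind != ext


def carve(blob: bytes) -> list[CarvedFile]:
    """Scan unstructured data for known headers and carve each to its footer."""
    results: list[CarvedFile] = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = blob.find(header)
        while pos != -1:
            window_end = min(len(blob), pos + MAX_CARVE)
            foot = blob.find(footer, pos + len(header), window_end)
            if foot == -1:
                end, complete = window_end, False  # truncated or footer missing
            else:
                end, complete = foot + len(footer), True
            chunk = blob[pos:end]
            results.append(
                CarvedFile(kind, pos, len(chunk), hashlib.sha256(chunk).hexdigest(), complete)
            )
            pos = blob.find(header, end)
    return sorted(results, key=lambda c: c.offset)


def build_sample_blob() -> bytes:
    """Constructed 'unallocated space': filler, a tiny JPEG-like file, filler, a PDF-like file."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body" * 4 + b"\xff\xd9"  # 42 bytes
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"  # 32 bytes
    return b"\x00" * 512 + jpeg + b"\xab" * 300 + pdf + b"\x00" * 128


if __name__ == "__main__":
    for c in carve(build_sample_blob()):
        print(f"{c.kind:5} @ {c.offset:6d}  {c.length:5d} bytes  complete={c.complete}  sha256={c.sha256[:16]}...")
    print("mismatch:", signature_mismatch("report.pdf", b"\xff\xd8\xff\xe0..."))
```

Carving by header/footer pair is the simplest form of the technique; fragmented files and formats without a fixed footer need structure-aware parsing, which is why the `complete` flag and the carve cap matter in practice.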
The Forensic Store is making WDR Forensic Solution's "Simple Seizure Tool for Forensic" available to the U.S. market. The tool is a USB boot device that runs Windows PE 3.1, runs a program on the target machine, and collects a disk or partition image at the push of a button. The tool supports PATA, SATA, eSATA, SCSI, SAS, USB, and Firewire (IEEE 1394) drives. To support drives connected to special devices such as a proprietary controller or adapter, a technician can install the necessary drivers in the Windows PE environment.
The Seizure Tool supports imaging data in Guidance Software's E01 evidence file format and in DD format, and an MD5 or SHA-256 hash can be used to verify the acquired image against the original. All operations are recorded in a log file. After the image is acquired, plug the tool into a computer, touch a button, and the image is copied to the connected PC.
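Hash verification of an image is the step that lets an examiner show the copy still matches what was acquired. The following is an added example, not WDR or Forensic Store code: it hashes an image in one streaming pass (MD5 and SHA-256 together, since images are far larger than memory), records size and digests in a hypothetical `key=value` log, and later re-verifies the image, reporting which fields no longer match. The demo builds a constructed 1 MiB "image", verifies it, flips one byte, and verifies again.

```python
"""Verify an acquired disk image against the digests recorded at acquisition.

Added illustration, not the Seizure Tool's code. The log format (one
'key=value' line per field) is hypothetical; the image is constructed.
"""
from __future__ import annotations

import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read the image in 1 MiB pieces
ALGOS = ("md5", "sha256")


def hash_file(path: str, algos=ALGOS) -> dict[str, str]:
    """Compute several digests in a single pass over the file."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def write_acquisition_log(image_path: str, log_path: str) -> dict[str, str]:
    """Record file name, size and digests right after acquisition (hypothetical format)."""
    digests = hash_file(image_path)
    with open(log_path, "w") as log:
        log.write(f"image={os.path.basename(image_path)}\n")
        log.write(f"size={os.path.getsize(image_path)}\n")
        for algo, hexdigest in digests.items():
            log.write(f"{algo}={hexdigest}\n")
    return digests


def parse_log(log_path: str) -> dict[str, str]:
    """Read the key=value acquisition log back into a dict."""
    fields: dict[str, str] = {}
    with open(log_path) as log:
        for line in log:
            key, _sep, value = line.strip().partition("=")
            if key:
                fields[key] = value
    return fields


def verify_image(image_path: str, log_path: str) -> tuple[bool, list[str]]:
    """Recompute size and digests; return (ok, names of fields that mismatch)."""
    expected = parse_log(log_path)
    problems: list[str] = []
    if os.path.getsize(image_path) != int(expected.get("size", -1)):
        problems.append("size")
    actual = hash_file(image_path, [a for a in ALGOS if a in expected])
    for algo, hexdigest in actual.items():
        if hexdigest != expected[algo]:
            problems.append(algo)
    return (not problems, problems)


def demo() -> tuple[bool, bool, list[str]]:
    """Constructed image: verification passes as acquired and fails after a one-byte change."""
    with tempfile.TemporaryDirectory() as workdir:
        img = os.path.join(workdir, "evidence.dd")
        log = os.path.join(workdir, "evidence.log")
        with open(img, "wb") as f:
            f.write(bytes(range(256)) * 4096)  # 1 MiB constructed 'image'
        write_acquisition_log(img, log)
        before_ok, _ = verify_image(img, log)
        with open(img, "r+b") as f:  # simulate a single altered byte
            f.seek(4242)
            f.write(b"\x00")
        after_ok, after_problems = verify_image(img, log)
    return before_ok, after_ok, after_problems


if __name__ == "__main__":
    print(demo())  # expected: (True, False, ['md5', 'sha256'])
```

Recording both an MD5 and a SHA-256 digest costs one extra hash update per chunk and lets a later examiner verify with whichever algorithm their tooling supports; the size check catches truncation before any hashing is done.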
GetData Forensics Pty Ltd debuted Forensic Explorer (starting at $1,000) at CEIC. Forensic Explorer is computer forensics analysis software that is designed to give investigators a cost-effective alternative to current forensic tools.
Already known in the forensic community for Mount Image Pro and Recover My Files software, GetData's new product analyzes all common forensic image formats, including Guidance Software's Ex01 and Lx01 and AccessData's AD1 image files as well as more than 300 file types. It can also examine FAT, NTFS, HFS and EXT file systems. GetData has modules to analyze email, registry files, and bookmarks. Forensic Explorer also integrates dtSearch keyword indexing technology and Digital Metaphors Report Builder for automated reporting, supports a scripting language, and many aspects of the program such as menus, columns, and filters can be customized.
In April HBGary, a subsidiary of ManTech International Corp., unveiled its malware analysis product for virtual desktop infrastructures, called Active Defense (version 1.3). The product is designed to help organizations detect zero-day threats, rootkits, and other malware in virtual machine environments. Active Defense provides live, runtime memory analysis of guest operating system sessions with minimal impact on the underlying host server.
SysTools Software released its MailXaminer software at CEIC. MailXaminer supports multiple email formats such as Outlook (.pst), Exchange mailbox store (.edb), and Mozilla Thunderbird (.mbox), as well as Apple Mac Outlook and Eudora file formats. The tool can search message bodies, contact fields, and attachments and filter results to narrow a document review. Once email evidence is found, the content can be exported to .eml or .msg format, or to PDF or HTML documents. Other features include:
• View multiple email formats in one interface.
• Import emails to selected files.
• Simple Mail Transport Protocol access to mailboxes.
• Recover corrupted email messages.
• Duplicate identification and removal.
CEIC COOL PRODUCT AWARD
FireEye Inc.'s File Malware Protection System (File MPS) was my answer to "What's the coolest thing you saw at CEIC?" The product was released at RSA and is designed to analyze network file shares to identify and quarantine malware brought in by partners, associates, and other legal professionals. The system finds malware that may bypass firewalls, intrusion prevention systems, and antivirus software. Tools such as web mail and file storage, removable media, and online file transfer can introduce malware, which can spread to file shares and move like wildfire.
The File MPS appliances (File MPS 5300, File MPS 8300) analyze file shares with a Virtual Execution, or VX, engine, which can detect zero-day malicious code embedded in file types such as PDF, Office documents, vCards, .zip and .rar archives, as well as multimedia files such as QuickTime and MP3. FireEye's file security product can work on identified malware in protection mode, which quarantines bad code in a proprietary virtual machine for analysis, or in analysis-only mode, which monitors the identified malware in place.
In protection mode, the File MPS creates a dynamic execution environment for known and unknown malware that satisfies the National Institute of Standards and Technology's "Security and Privacy Controls for Federal Information Systems and Organizations" (SP 800-53, Rev. 4), control SC-44, Detonation Chambers. Other product features include:
• Integrates with FireEye's anti-virus suite and supports third-party anti-virus software.
• Scheduled and on-demand scanning of CIFS-compatible file shares.
• Supports custom rule importation to analyze file threats specific to the organization.
FireEye claims you can deploy the File MPS appliances in under 30 minutes. The appliances do not require tuning or the installation of client software on file sharing computers. Coolness, however, comes at a price. The File MPS starts at $54,950.
Attorney Sean Doherty is LTN's technology editor.