Emerging Science – Cyber Shadows – Rajewski Interviewed

Jon Rajewski computer forensics, cybercrime, in the news

On November 2, 2011, Vermont Public Television (VPT) aired “Cyber Shadows”, an episode of its Emerging Science series, which focuses on highlighting scientific and technology topics. I had the pleasure of being interviewed for this show and wanted to quickly document it here.

Here is the blurb from the VPT Emerging Science website:

As the popularity of social media grows, so does the interest in mining online data for a variety of uses. Today, our digital “fingerprints” can be traced in ways most of us never imagined — for market research, criminal investigations and more. A handful of Vermont scientists are busy analyzing our online behavior as a tool for spotting trends and, ultimately, measuring our emotional well-being.

The research discussed by others in the video was remarkable. I’m very grateful for having the opportunity to contribute to an amazing show.

Digital Forensics is a Science was Honored as "Blog of the Week" by DFI News Newsletter

Jon Rajewski award

Today I was sitting at my desk grading the “Preservation Report” assignment from my Introduction to Digital Forensics class when an email came in from a former colleague from Protiviti wishing me congratulations. I immediately found myself thinking, “what?”

DFI News – October 28, 2011 – Blog of the Week
“Digital Forensics is a Science” was honored by the DFI News Newsletter as the October 28th Blog of the Week. The blog post that got DFI’s attention was about Google shifting from unencrypted to encrypted (HTTPS) search and how that will affect digital forensics. Here is a link to that blog post.
Thank you for reading!

Champlain College Center for Digital Investigation (C3DI) mentioned in Seven Days Newspaper

Jon Rajewski in the news

Seven Days, a Vermont based newspaper highlighted the Champlain College Center for Digital Investigation in this week’s paper.

Photo of the Seven Days Article

Staff writer Ken Picard wrote a longer blog entry on the Center, which can be found here: http://7d.blogs.com/blurt/2011/10/champlain-colleges-center-for-digital-investigation-now-open-for-business.html.

Full Disclosure – I’m a Co-Director at the C3DI with Mike Wilkinson, another Professor of Digital Forensics at Champlain College. We’ve been working very hard to turn this facility into a premier forensic laboratory where students can gain amazing experience outside of the classroom. If you have any questions about the lab or its services please contact c3di@champlain.edu.

Google search results going secure, what does this mean for forensics?

Jon Rajewski computer forensics, cryptology, google

If you run a search on Google.com, the query is recorded and logged in several places: locally, in the history and cache of the browser the search was run from, and remotely, on Google’s own servers. Digital forensic examiners rely on the local artifacts in nearly every exam. The server-side records exist too: investigators can serve Google with the appropriate legal process to obtain a specific user’s searches made while that user was signed in to Google. The latter is hard to obtain; the former is standard practice in digital forensic exams.

If you’re signed in to Google, all searches will soon be served over HTTPS. Browsers treat those sessions like any other HTTPS traffic, and HTTPS pages are far less likely to be written to the on-disk cache (some browsers will not disk-cache HTTPS content by default, and Google’s results page carries cache headers that mark it stale immediately). So recovering cached copies of the results page, the “screenshots” of searches such as “how do I get around my employers internet blocking software” in an employment technology-misuse case, will mostly no longer be possible. The same change also keeps the search terms out of the Referer header sent to the site the user clicks through to, so that site’s web server logs lose them as well. The searches can still be had from the Google Web History logs, which record every search a signed-in user makes, but as noted above you will likely need consent and/or legal authorization similar to a search warrant.

That said, you should still be able to recover the Google search query from the browser records, because the query is carried in the URL itself and browsers write visited URLs to their history databases regardless of whether the scheme was http or https. For example, here is a test I just ran from the new https://google.com link:

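As an added example, not part of the original post, here is that same recovery done in Python against a Firefox history database. The search terms live in the URL, so they survive the move to HTTPS; with Google Instant they may sit in the URL fragment (#q=) rather than the query string, and result-click redirects (/url?q=...) look similar but are the page the user clicked, not a search. The moz_places table and its last_visit_date column (microseconds since the Unix epoch) are real Firefox places.sqlite structures, but the database built below is a minimal in-memory stand-in with constructed sample visits, not data from a real profile.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit


def extract_google_query(url):
    """Return the search terms carried by a Google search URL, or None.

    The terms survive the switch to HTTPS because they are part of the URL,
    and the URL is what the browser records in its history. They may sit in
    the query string (/search?q=...) or, with Google Instant, in the fragment
    (/#q=...). Result-click redirects (/url?q=http://...) carry a q= too but
    are the page the user clicked, not a search, so they are skipped.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname or ""
    if host != "google.com" and not host.endswith(".google.com"):
        return None
    if parts.path.startswith("/url"):
        return None
    for blob in (parts.query, parts.fragment):
        values = parse_qs(blob).get("q")
        if values and values[0].strip():
            return values[0].strip()
    return None


def prtime_to_utc(prtime):
    """Firefox stores last_visit_date as microseconds since the Unix epoch."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)


def carve_google_searches(conn):
    """Walk moz_places and return (UTC timestamp, terms, url) for each Google search."""
    rows = conn.execute(
        "SELECT url, last_visit_date FROM moz_places ORDER BY last_visit_date"
    )
    hits = []
    for url, visited in rows:
        terms = extract_google_query(url)
        if terms is None:
            continue
        when = prtime_to_utc(visited).strftime("%Y-%m-%d %H:%M:%S UTC") if visited else "unknown"
        hits.append((when, terms, url))
    return hits


def build_sample_history():
    """Constructed sample history: a minimal in-memory moz_places (the real
    table has more columns) holding made-up visits, not data from a real profile."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, last_visit_date INTEGER)"
    )
    visits = [
        # plain-HTTP search, the kind that also left a cached results page
        ("http://www.google.com/search?q=how+to+bypass+web+filter&hl=en", 1319800000000000),
        # HTTPS search with the terms in the fragment (Google Instant)
        ("https://www.google.com/#q=bypass+employer+internet+blocking+software", 1319800060000000),
        # HTTPS search on the encrypted.google.com host
        ("https://encrypted.google.com/search?hl=en&q=proxy+site+list", 1319800120000000),
        # result click: has q= but is not a search
        ("https://www.google.com/url?q=http://example.org/proxies&sa=U", 1319800130000000),
        # another Google property and the destination site: no search terms
        ("https://mail.google.com/mail/", 1319800200000000),
        ("http://example.org/proxies", 1319800240000000),
    ]
    conn.executemany(
        "INSERT INTO moz_places (url, title, visit_count, last_visit_date) VALUES (?, '', 1, ?)",
        visits,
    )
    return conn


if __name__ == "__main__":
    for when, terms, url in carve_google_searches(build_sample_history()):
        print(f"{when}  {terms!r}  <- {url}")
```

To run it against a real profile, work on a copy of places.sqlite (Firefox holds a lock on the live file) and open it read-only, e.g. sqlite3.connect("file:places.sqlite?mode=ro", uri=True), then pass that connection to carve_google_searches. The three searches in the sample are recovered whether they were made over http or https; only the click-through and the non-search visits are left out.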

Happy Forensicating!

Book Review – Worm

Jon Rajewski Book Review, cybercrime

On a recent plane trip back from Las Vegas I read the book titled “Worm” by Mark Bowden.


Rather than elaborate on the details of the specific content, I wanted to share some quick observations to help you decide whether or not to read the book.

  1. I’m still very afraid of Conficker.
  2. This book is great for experts and for non-technical people interested in how Conficker was, and still is, being dealt with. The book describes the technical nature of Conficker in easy-to-understand terms while keeping enough information/topics/background to keep those with more experience engaged.
  3. The Cabal (aka the Conficker Working Group, aka the X-Men) are amazing. These individuals work as a team to combat the largest/most sophisticated botnet ever publicly disclosed.
  4. Some members of the Cabal used personal credit cards to help purchase domains that would keep Conficker variants from downloading new updates/instructions. This was a very noble and amazing thing.
  5. There is still a very large need for a formal collaboration system to deal with these cyber threats. The book describes how experts from across the world collaborated via listserv and phone calls. While this was effective at the time (the Cabal were able to formulate a plan and execute it), I don’t think it’s a sustainable model. The NCFTA was mentioned in the text as an entity that could help with collaboration. My concern is: what if the author of Conficker gains the ability to launch a distributed denial of service against the Internet? Those trying to collaborate are dispersed across the world, and things could get very difficult quickly. Having a centralized entity established as a nexus for collaborating with stakeholders during a large-scale cyber investigation just “makes sense”.
  6. The book included copies of email communications and summaries of meetings/phone conversations. This was very helpful to me because it helps me better understand how these “mutants” (read the book to understand why I used the term) came to the decisions they did. It also provides a documented “timeline” that allows for a “lessons learned” opportunity. The Department of Homeland Security posted a lessons-learned document that can be reviewed via this blog post.

Overall I would give this book 3.5 out of 5 stars. There were some very distracting typographical errors, but not so many that they took away from the content of the book. The research and presentation were excellent. Interviews of all of the key players were done, and some technical history was properly inserted to give the reader enough background to understand what was being discussed. In closing, I recommend reading this book to better understand how the best of the best investigate cyber events. There are a few digital forensic/cyber investigation books that take this approach, and in my opinion we need more.

Cyber Security Evaluation Tool Released by DHS

Jon Rajewski cybercrime, DFIR

The Department of Homeland Security has released CSET (Fact Sheet)

The Cyber Security Evaluation Tool (CSET) provides users with a systematic and repeatable approach for assessing the cybersecurity posture of their industrial control system networks. The tool includes both high-level and detailed questions applicable to all industrial control systems (ICS). CSET was developed under the direction of the Department of Homeland Security (DHS) Control Systems Security Program (CSSP).

I just downloaded the tool and already find it a bit cumbersome because you need Windows (the ISO contains a Windows .exe), but I’m assuming DHS decided to ship a version that will benefit the majority of companies, which only run Windows.

So I fired up my baseline Windows 7 VM for some testing. Here are my initial thoughts:

1) You need Java installed to run the application.
2) Point-and-click assessment!
3) When you click “Create a new assessment” you are prompted with a nice disclaimer that reiterates the tool’s intended use: “this is just part of the puzzle” of ensuring your network is secure, etc.
4) This is not a penetration testing tool. In my opinion, it is focused on policy development/assessment. This article somewhat misled me by saying “CSET is actually a software application that compares the network infrastructure of the user with industry rules. It then lists recommendations that should help enhance the safeguarding of the enterprise’s cyber structure.”
5) The tool is a great guide that lets a user answer specific questions that are in line with the standards; the tool then creates a nice PDF/RTF report summarizing the assessment with recommendations to secure the network. This is not a “point and click” assessment as I initially thought when I opened the application; it’s actually an in-depth tool that requires much more time and thought to ensure you are answering the questions properly.
6) As you continue to use the tool, you are presented with a list of detailed options with MEANINGFUL help files. Clearly those who designed the front end of the application took the audience of users into account. Nice job.

All in all, this is an interesting approach to educating IT professionals on what it takes to be compliant with international/government IT standards. I hope to hear follow-up from DHS on how many organizations this actually helps. Great work!
This also sparks another idea.. I submitted a paper for the 2012 CEIC conference. If my paper is accepted, this tool gives me a good idea. Stay tuned 🙂

Tougher penalties for cyber crime

Jon Rajewski cybercrime

In light of the recent tweet by Vermont Senator Patrick Leahy (@SenatorLeahy) about how Congress must work together to fight threats to our cybersecurity, and the recent testimony before the Senate Judiciary Committee of Associate Deputy Attorney General James Baker and Secret Service Deputy Special Agent in Charge Pablo Martinez, there may be some very interesting breakthroughs on the horizon with regard to maximum penalties for cybercrime. I’ve had the pleasure of working many of these cases in the past and feel that enhanced federal sentencing guidelines, with aggravating circumstances, for the Computer Fraud and Abuse Act (CFAA) could possibly keep those found guilty from committing additional crimes. It could also deter those contemplating committing those crimes altogether.

This also brings up another topic, which was mentioned in a previous blog post about how Mikko Hypponen (@mikkohypponen) suggests a global response / legal framework to respond / prosecute cyber criminals who use the global nature of the internet and jurisdictional boundaries to thwart prosecution. Not implying that it’s not happening now, because I know that it is, but there is an ever-growing need for US and international law enforcement agencies to work together to detect and investigate cybercrime. 

There is also a huge onus on the corporate world to collaborate as well. 

Considering that the US government is not the only entity in the crosshairs of cyber criminals, it’s critical for those being attacked to collaborate with those who can help. A “blip” on one company’s radar doesn’t become a trend (or a recognized problem) unless the rest of the organizations being hit by the same group of cyber criminals report it. Collaboration is key!

To complicate matters, for those who work in a large corporate (or government) entity, if poor communication exists between those defending/working/securing the network, it’s possible that you won’t even know you were hit by cyber criminals for up to a year. And when you do realize it, and the hack becomes public knowledge for regulatory or ethical reasons, stock prices could fall immediately. Here are two recent examples: Sony and News Corp.

To complicate matters even further, if your organization doesn’t have a proper policy for responding to cyber attacks, you could be in a terrible position and end up losing even more resources/dollars/time/intellectual property.

I started going into a few directions in this blog post, but to sum things up:

  1. New legislation could impose harsher penalties for cyber criminals
  2. It’s important to see the “global” or “high level” or “out of the box/company” perspective on past/current/future cyber crime events
  3. Don’t wait for legislation to implement a policy to require you to report cyber attacks
  4. If you fail to implement an effective cyber attack response plan in a proactive way – it could literally cost you many dollars/resources/etc in the very near future. 

Amazing TED talk on why we do what we do

Jon Rajewski cybercrime, TED

A colleague, Mike Wilkinson, just shared a video that he showed to his freshman class today. I invite you all to watch this video, which shows Mikko Hypponen giving a great presentation on DFIR.

Heck, if you’re a professional in the DFIR arena, this might help remind you why you do what you do. If not, I’m sure there is something here that you’ll find inspirational 🙂