Spring 2013 - Computer Forensics At Champlain College

12DECEMBER201110 Open SourceTools to Try1. Wireshark2. Cain & Abel3. Backtrack4. Truecrypt5. Metasploit6. OSSEC7. Nmap8. Nessus9. OpenVas10. SnortUpcoming Events:• DFIR OnlineQ&AFebruary 21, 2013 8:00pm ESTDave Klieman – Windows Log FileAnalysis in Depth• SC Magazine AwardsFebruary 26, 2013 7:30pm PSTInterContinental San Francisco, CA• RSA ConferenceFebruary 25-March 1, 2013San Francisco, CASpring 2013Volume 2, Issue 2The Senator Patrick Leahy Center for Digital Investigation is pleasedto announce that the Computer and Digital Forensic programs atChamplain College have been nominated as the Best CyberSecurityprograms in the United States of America.Champlain College is a finalist for the Professional Awards in the categoryof Best Cyber Security Higher Education Program in the country. According tothe SC Magazine, this award is given to the “best cyber security undergraduateor higher education program that currently has a cyber-security degree program.“Qualification for finalists is based on the quality of instruction, programs andhow well these prepare students for the marketplace.” Champlain College is theonly small private school nominated with Computer and Digital Forensic B.S andM.S degree programs. The Senator Patrick Leahy Center for DigitalInvestigation has also helped sponsor this event and is sending a team ofChamplain College representatives to the awards ceremony.Winners will be announced at the dinner and award ceremony held at theInterContinental in San Francisco, CA February 26 th at 7:30pm PST.The Senator Patrick Leahy Center for DigitalInvestigation (LCDI) is a world-class laboratorydesigned to international standards, focused onestablishing and assisting with public andprivate sector initiatives surroundingcybercrime, digital forensics, and informationassurance. As a leader in Digital Forensics inhigher education, Champlain College offersstudents an opportunity to learn more whileparticipating in “real lab work” at both theundergraduate and graduate levels.• FVTC ICAC – InvestigativeTechniques TrainingFebruary 25 th – March 1 st , 2013Hosted by The LCDI atChamplain College LakesideCampus• DFIR OnlineMarch 21, 2013 8:00pm ESTDavid Cowen – Exploiting NTFS foranti-anti forensicsYear-to-Date Metrics• Completed 19 data recoveryjobs for Champlain Collegefaculty, staff, and students• Examined over 21 terabytesof data.• Conducted over 3000 hoursof Research & Development• Completed 10 ForensicInvestigation cases for clientsoutside of ChamplainCollege.• Staffed by 5 Student Internsand 17 Student EmployeesData RecoveryFor More Information Click HereHave you ever deleted a file by mistake?Has your hard drive ever stopped working? Didthe computer repair shop tell you they couldn’thelp get your data back? If you answered YES toany of the above, then you need to bring yourdigital device to the professionals. Let our worldclassteam discuss your options with clear andmeasurable results. The LCDI does a number ofdata recovery jobs for the Champlain College ISDepartment’s Help Desk. Our expertise in datarecovery assists the Help Desk expedite jobs,and the LCDI offers this service to alldepartments, faculty, staff, and students atChamplain College. If you have lost data, comesee us and let our team work on your problem.LCDI175 Lakeside Avenue, 300ABurlington, VT 05401802-865-5744 officeLCDI Spring 2013Editor: Joseph Williams | Designer: Bonnie Bohan

LCDI’s Project in the Spotlight:Private Browsing ForensicsAnonymity is consistently correlated with internet use. On the internet,individuals can pose as someone else or do things they normally wouldn’t. Feelinganonymous is important to most people using web browsers for a number ofreasons, whether it is increased security for online banking or trying to cover upsomething they did. Private browsing features on popular web browsers provideusers with the feeling of anonymity. Users utilize these features to feel safer whileonline. Our private browsing project here at the LCDI will help us understand exactlyhow these private browsing functions work. We will be comparing Google Chrome,Internet Explorer, and Mozilla Firefox to see features and differences. This will be aninteresting project to follow because you will be able to see how your favoritebrowser compares to the competitors and gain a better understanding of privatebrowsing features.FirefoxTrevin MoweryTrevin Mowery is a senior from Swanton, Vermont majoringin Computer and Digital Forensics at Champlain College. Trevinworks as a Student Worker at LCDI, where he is involved with casework. Currently, Trevin is working on two cases.Outside of the LCDI, Trevin is a member of ChamplainCollege Digital Forensics Association. Trevin is also currentlyemployed at IBM, where he is a machine operator in themanufacturing department.Trevin chose to pursue a degree in Digital Forensicsbecause he has always been interested in computers and lawenforcement. He saw this field of study particularly interestingbecause he will be able to bring those interests together. Trevin is anAccessData Certified Examiner. After Champlain, Trevin wants towork for a forensic consulting firm to gain experience and eventuallywork for the FBI.-------------------------------------------------------------------------------------The private browsing feature of modern browsers has two primary uses. Thefirst is to hide your internet usage on a personal computer. Since temporary filesare downloaded, just not kept, the data will not have been overwritten on the driveand there will still be some references to your browsing in the registry, but someonewill have to be experienced or knowledgeable and have prolonged access to yourhardware to find anything. In essence, you can go about your activities on yourpersonal computer without having to worry about someone finding out your activitiesif they use your computer.The second use of private browsing is for accessing confidential accounts ona public computer. Now, we do not mean it will protect a user in a cyber cafe (orsimilar environment), as the issue there is the actual transmitted data, not localstorage, which will still be able to be picked up by packet sniffers. However, if yougo to use a public terminal (like at a library) or go to access something at a friend’shouse, you can go about your business without having to worry about leavingbehind open accounts or offline data from sensitive webpages. Unfortunately, itdoes not mean you are "safe" by any means, because the real security concern ona public terminal is a key logger or other recording device reporting your activities,not your browser.David ThomasDavid Thomas is a freshman from Manchester, CT majoringin Computer and Digital Forensics at Champlain College. Davidworks as a Student Worker at LCDI, where he is involved in research.Currently, David is working on Autopsy 3, which is an open sourceforensics suite that is being compared to EnCase, the currentstandard.Outside the LCDI, David is a member of the EquestrianClub, D&D Club, League of Legends Club, and Ski and Ride club.David picked Champlain College because he wants to workin intelligence and the skills he will learn in his major aboutinformation gathering and gaining access to protected systems isexactly what David will need. He would like to do more work ininformation recovery/gathering both physically and remotely. AfterChamplain, David wants to work in intelligence for the department ofdefense or another government agency.Safari-------------------------------------------------------------------------------------The students on the sidebar are conducting the research for the privatebrowsing project. So far, they have been generating data for the Chrome browser.Generating a variety of data on Chrome’s incognito mode will help them analyzehow effective the private browsing mode is and what is left by the browser. Afteranalyzing the data, we can then compare that data with data generated usingnormal browser functions; and use this to compare between the three differentbrowsers.Private browsing can be useful for hiding your internet activity while browsing.When you want extra security on browsers for banks, online shopping, and personalinformation, users can enable this feature. At this point in time, determining howuseful these private browsing is limited. However, as this project progresses, theteam will hopefully be able to determine the usefulness for private browsing.ChromeChristina EspritChristina Esprit is a junior from Naples, FL majoring inComputer & Digital Forensics at Champlain College. Christina worksas a Student Volunteer at LCDI, where she is involved in a researchproject on windows 8. Currently, Christina is working on the VMwareproject, comparing event logs from windows 8 and windows 7operating systems.Outside of LCDI, Christina works at the Office of Diversity.She is also a member of DFA, as well as the Women in technologyand CCA clubs. Christina has held positions at Resource (ComputerDeconstruction Assistant), The Ritz Carlton Hotel (Volunteer PastryKitchen Assistant), and as a Navigant Consultant in London(Volunteer Office Assistant).She picked her major because she was interested incomputers and law. She looked for a major that combined the twosubjects, and after researching her options she came up with digitalforensics. After graduating, Christina would like to work for the FBI inthe cybercrime unit. Christina holds certifications in completing thestudent ambassador program, level 2 certificates in nutritional dietsand health foods, level 2 certificates in food safety, and a certificateand medal for completing junior chef academy. She would like towork more with encase and FTK.LCDI Spring 2013Editor: Joseph Williams | Designer: Bonnie Bohan

Q&AWith LCDI’s Technical Writer,Carolyn CoteCarolyn Cote is a freshman from Uxbridge,Massachusetts majoring in Professional Writingat Champlain College. Carolyn works as aStudent Worker at LCDI, where she is involvedas a technical writer. Currently Carolyn isworking on revising the standard operatingguidelines.Q: Intro about you:I’m Carolyn Cote. I’m a freshman here atChamplain College studying professionalwriting, and I work here at the LCDI as atechnical writer.Q: Projects you have worked on at LCDIand/or stuff you do at LCDI:I work as a technical writer meaning I polish upwritten works such as emails, blog posts, anddocuments sent out or published by the LCDI.Current Projects at LCDITimelineLead: Christine CaseyTeam Members: Kyle Porto & Olivia HatalskyThe purpose of this project is to evaluate how the tool log2timeline works. We set up a testcomputer with a brand new operating system and then generated traffic on the computerby logging in and out, browsing web pages, downloading programs, and creatingdocuments. We recorded all of our activity into a spreadsheet including the date, time, andwhat was done. After, we imaged the test computer’s hard drive using EnCase. The imagewas copied into a SIFT Workstation virtual machine and mounted. Once the image wasmounted, it was used to create a Super Timeline with the tool log2timeline. The results ofthe Super Timeline were then compared to the spreadsheet and analyzed.Tool Validation - TapewormLead: Ethan FleisherTeam Members: Julie Desautels, Chapin Bryce, and Jacob PriestTAPEWORM, short for TASC Pre-processing Exploitation & Workflow Managementsystem, is an open source forensic software suite. The idea behind TAPEWORM was tocreate a software program that combines multiple open source forensic tools in a systemthat is user friendly, free, and easy to set up and run. The interns at the LCDI devoted theentire summer and first month of the school year to making this idea a reality. The productitself is a 64 bit Xubuntu-based Virtual Machine. The two programmers created a customGUI, written in the Python programming language, which ties together the different opensource tools and allows the user to run them all at once. The product was officiallyreleased in October at the Open Source Digital Forensics Conference, which took place inChantilly, Virginia.Q: What would be your dream job aftergraduation?My dream is to be a music journalistspecializing in alternative and independentmusic.Q: What’s your favorite part about workingat the Leahy Center?I learn something new every time I work on aproject. Everything is really cutting edge andfascinating.Q: What is your favorite thing to do outsideof class and work?I love music. I sing, and I need to go to at leasta concert a month in order to stay sane.Android ForensicsLead: Maegan KatzTeam Members: Olivia Hatalsky & David LeberfingerSmart phones have become a part of many people’s everyday lives because of their abilityto perform so many functions, such as: sending text messages and emails, browsing theinternet, taking pictures and videos, and downloading and using applications. Currently,Android is the number one smartphone platform. With such a large share of the market, itis important to understand how to perform forensics on Android devices.The main purpose of this project is to learn more about Android forensics, allowing formore successful analyses of mobile devices. Android OS is widely used, so it is importantto understand how to work with it forensically. This means understanding the structure ofthe phones being used, as well as understanding the Android Operating System and thefile system. The main tool being used for research is a Cellebrite UFED Physical Pro. Thepurpose of using this tool is to better understand what its capabilities are when workingwith an Android phone. This also allows us to work through any technical issues before thetool is applied to a real case.Q: What is the biggest challenge you havefaced in your majorI had a few doubts about my own ability thefirst few weeks, but I’m becoming a strongerwriter as a result of the program here and mydedication to becoming the type of writer Iwant to be.Q: Where would you like to intern in thefuture?Interning at Alternative Press in Ohio would beamazing. They’re an alternative rock magazineI’ve been reading for four years.Q: How did you get started in digitalforensics?I wanted a job where I could write for moneyand have some interest in my subject matter. Iwas at the job fair and two nice boys at theLCDI table called me over and told me to applybecause they needed someone to edit theircomputer talk. It was a good decision on mypart to take them up on that.Life as a CDF Major – David Leberfinger ‘16Coming to Champlain College as a Computer and Digital Forensics freshmanhas been a rewarding and fascinating experience. When I arrived on campusin August, I knew little about digital forensics and was unsure if it wasfor me. However, in the time I have been here I have learned so much. At first,I was drawn to the digital forensics program by my head and my heart: my love of technology andthe knowledge that a job in a technology driven field would be stable and pay well. My priorknowledge of technology has given me an advantage, but the courses and professors areinformative and helpful enough that anyone, regardless of prior knowledge, can excel. Throughoutthe past semester, in my classes and at my job at the Senator Patrick Leahy Center for DigitalInvestigation (LCDI), I have learned more about the digital forensics field and it is now clear to methat I want to stay in the digital forensics field. While my classes have taught me about the laws andthe methodology behind digital forensics, my job at the LCDI has been the most rewarding part ofmy education. At the LCDI, I have received hands on experience with the tools that I will be usinglater in life, in the workforce. Together my classes and my job have meshed together to form anamazing education that I believe is second to none.LCDI SPRING 2013Editor: Joseph Williams | Designer: Bonnie Bohan

OSForensicsLead: Colby LahaieTeam Members: Kyle Porto & David LeberfingerOSForensics has a number of unique features which are making the discovery of relevantforensic data even faster. Some of these features include high-performance deep file searchingand indexing, e-mail and e-mail archive searching, and the ability to analyze recent systemactivity and active memory. OSForensics can build and let you view an events timeline, whichshows you the context and time of activities. You can even recover data and files that have beendeleted by users. We are going to be testing and comparing OSForensics to EnCase v7, one ofthe most widely used tools in the computer forensics field.Other ProjectsLead: VariousTeam Members: VariousFor a full list of all the LCDI’s projects, to view past projects, or to stay up to date on our currentprojects, please visit our website.5 Tips for Stopping Malware1. Make sure you have an Antivirus, Firewall, and Antispyware installed.2. Stay away from illegal/questionable sites.3. Be alert to what is going on with your computer. Any unusual activity is the first sign of trouble.4. Set your Internet browser so that you are notified anytime a program attempts to download.5. Do not click on anything you do not know or trust.Student Team Modelhttp://lcdi.champlain.eduhttp://www.facebook.com/LeahyCDIhttps://twitter.com/@champforensichttp://computerforensics.champlain.edu/contact-info-computer-forensicsLCDI - Senator Patrick LeahyCenter for Digital InvestigationChamplain CollegePhone: (802) 865-5744Email: LCDI@champlain.eduAddress: 175 Lakeside Avenue,300A Burlington, VT 05401The Senator Patrick LeahyCenter for DigitalInvestigation is leading theway in forensic educationand training in the Vermontarea.Champlain College studentswho work at The LCDI gethands on experienceworking and researchingcases from start tocompletion. Our studentswork in a “Student TeamModel,” where a ChamplainCollege fourth or third yearstudent leads a team ofstudents working on casesat The LCDI.The LCDI is open to allChamplain College studentswho need a place get helpon forensic projects.Our faculty, staffand studentsare here to help!Editor: Joseph Williams | Designer: Bonnie BohanLCDI SPRING 2013