Digital Forensic Data Recovery & Analysis

NetAnalysis Training Announcement


As we enter a new financial year in the UK, many of you will be planning your budgets and training schedules for 2012/13.

We are pleased to announce the dates for the following NetAnalysis Foundation Courses.  This is an ideal opportunity for you or your staff to gain valuable training and certification in the use of NetAnalysis / HstEx within a forensic environment. 

This course will teach you how to get the most out of our software. 

Feedback from Previous Courses

“The time zone lesson was excellent and really made me think.  I wish I had known that before I came on the course.  It is such an important subject to cover.”

“Really good all round course, not mundanely product specific…  Good teaching style.”

“This is one of the best courses I have attended.  I will certainly recommend it to everyone.”

“Practical exercises helped a lot to instil the content…  The whole course was very relevant to my daily tasks within HTCU…  I will definitely be back for the advanced course.”

Course Availability

Places are limited and are allocated on a first-come, first-served basis; they are filling up fast, so contact us now to avoid disappointment.

There are a number of seats still available on the following courses which are being held at Learning Tree International in London:

  • 26th – 27th April 2012 – NetAnalysis Foundation Level Course
  • 30th – 31st May 2012 – NetAnalysis Foundation Level Course
  • 21st – 22nd June 2012 – NetAnalysis Foundation Level Course

For our many users outside the UK, we are planning to run a number of courses in the US and Canada later this year and will publish details on our web site.

Booking a Course

To book your place on a course or to obtain further information, please contact us on 0845 224 8892, or drop us an email at our sales address.

Further Information

For further information regarding our training courses, please visit the following links:


Blade™ v1.9 Released – AFF® Support, Hiberfil.sys Conversion and New Evaluation Version


We are pleased to announce the release of Blade v1.9.


This release of Blade brings a number of fixes and some great new features.  It is the first release of Blade with evaluation capabilities, allowing users to test and evaluate the software for 30 days.  When Blade is installed on a workstation for the first time and no valid USB dongle licence is inserted, the software runs in evaluation mode.

The following list contains a summary of the new features:

  • Support for Advanced Forensic Format (AFF®)
  • Hiberfil.sys converter, supporting Windows XP, Vista and Windows 7 (32- and 64-bit)
  • Accurate hiberfil.sys memory mapping, not just Xpress block decompression
  • Hiberfil.sys slack recovery
  • Codepage setting for enhanced multi-language support
  • SQLite database recovery
  • 30-day evaluation version of Blade Professional
  • New recovery profile parameters for more advanced and accurate data recovery
  • Support for Logicube Forensic Dossier®
  • Support for OMA DRM Content Format for Discrete Media Profile (DCF)

We have also been working on the data recovery engines to make them more efficient and much faster than before. The searching speed has been significantly increased.

Downloads and Full Release Information

Notes from dongle hell


Author: Paul Andrews, Head of Digital Forensics, Digital Detective Group

One of the growth areas in digital forensics is the use of USB dongles for the licensing of software.  Every practitioner now finds themselves managing a veritable menagerie of tiny USB devices just to carry out their day-to-day work.

Of course, where dongles for core forensic software are concerned, most people will possess their own NetAnalysis, EnCase or FTK dongles, and these will be jealously guarded, with practitioners unwilling to let their prized (and in some cases very expensive) hardware leave their sight.  But what about the lesser used, but no less valuable, licensing dongles?  At the moment, most labs resound to cries of “who’s got the X dongle? I need it to do Y”.  Several minutes of frantic searching and head scratching then ensue, until someone remembers that they borrowed it to use in the imaging lab for five minutes, two weeks ago.

One solution to this problem is a dongle server (figure 1).

Figure 1 (image: MyUTN-80 dongle server)


This little piece of kit may look like an ordinary powered USB hub, but it can do so much more.  The dongle server runs its own operating system, which manages each USB port separately.  When a dongle is plugged into a USB port, the operating system is then able to present this dongle to the attached network.  Using client software installed on remote workstations, practitioners are then able to grab the use of this dongle via the network, and use it as if it were plugged into their own machine.  The use of the dongle is exclusive to the person that has taken ownership of it, but they are able to surrender control at any time, and the next user can take on the use of the licence.  Each USB port is independently configurable to allow only certain users or IP addresses to make use of the licence(s).

 

Figure 2 (image: UTN Manager client software)

 

This means that all of your ‘we use this once in a blue moon’ licensing dongles can be stored in one location and made accessible to all of your staff via your forensic network.  The port area of the dongle server is lockable, so no-one can remove dongles without the key; and if you use the rack-mounting kit, the dongle server can even go in your server rack for further security.

Figure 3 (image: MyUTN-80 with lockable port cover)

 

If working practices and your security policy allow, the dongle server can also be accessed over the Internet, meaning that on-site working doesn’t have to involve carrying around thousands of pounds worth of dongles, and a remote worker can be given temporary access to a dongle when required.  The server works with the common forensic dongle types, such as Feitian, Aladdin HASP, SafeNet and Wibu CodeMeter.  This means that even your core forensic dongles can be kept securely locked away, safe from loss or damage.


Main Benefits

  • Easily share any licensing dongle via the local area network
  • Lock away expensive dongles to prevent theft
  • Easily share, and provide dongle access to remote workers
  • Easily share licensing dongles in the office without having to constantly plug/unplug and throw them around

This would be an ideal purchase for small offices that cannot afford to buy licences for everyone, particularly for expensive software which may not be used every day.

Purchase

We are currently selling the MyUTN-80 for £698, + VAT and shipping.  Please feel free to contact us on 0845 224 8892 (or +44 (0) 203 384 3587) to discuss any questions you may have about the functionality of the kit or to place an order.


New Digital Detective Knowledge Base Launched


As a small company providing forensic software to both corporate and law enforcement customers, we strive to provide first class support for our software.  To assist us in achieving this goal, we have taken a number of steps to improve the support we provide; in particular, we wanted to help our customers quickly find the answers to their questions.

We are pleased to announce the launch of our new, much improved Knowledge Base.  Each software product now has its own space, which is fully searchable and full of rich content such as technical articles, RSS feeds, blog posts, FAQs, problem solving guides and tutorials.  Each knowledge base article can be exported to PDF and viewed in a web browser or on a mobile device.


Take a look for yourself – to get started, here are the main Product Spaces for NetAnalysis, HstEx and Blade:


Hit Counter Accuracy – Caveat Emptor!


Author: Paul Andrews, Head of Digital Forensics, Digital Detective Group

A frequent question when dealing with browser forensics is ‘Does the Hit Count value mean that the user visited site ‘x’, on ‘y’ occasions?’ Most browsers record a ‘Hit Count’ value in one or more of the files they use to track browser activity, and it is important that an analyst understands any potential pitfalls associated with the accuracy, or otherwise, of this value.

We recently received a support request from an analyst who was analysing Internet Explorer data. They had found a record relating to a Bing Images search, which showed a hit count of 911. The particular search string was significant, and very damning had it actually been used 911 times. The analyst wanted to know if the hit count value could be relied upon.

The following experiment was carried out to establish how such a high hit count could have been generated. To obtain a data set containing as little extraneous data as possible, a brand new VMware virtual machine was created. The machine was set up from the Microsoft Windows XP SP3 installation disc, which installs Internet Explorer v6.0.2900.5512.xpsp.080413-2111 by default. Two user accounts were created: an Admin account for installing software, and a separate ‘browsing’ account. Separating the accounts further minimised the possibility of unwanted data being present in the ‘browsing’ profile. Using the Admin account, Internet Explorer was upgraded to v8.0.6001.18702. The ‘browsing’ account was then used for the first time. Starting Internet Explorer immediately directed the user to the MSN homepage. The address ‘www.bing.com’ was typed into the address bar, which led to the Bing search engine homepage, and the ‘Images’ tab was clicked. Bing auto-suggested a search criterion of ‘Beautiful Britain’, as shown in Figure 1:

Figure 1 (image: Bing image search auto-suggesting ‘Beautiful Britain’)

The term ‘aston martin’ was then typed into the search box, as shown below:

 

Figure 2 (image: Bing image search for ‘aston martin’)

None of the images were clicked or zoomed, nor was the results page scrolled. Internet Explorer was closed and the browsing account logged off. The Admin account was used to extract the browser data for processing in NetAnalysis. Figure 3 shows some of the results; both entries are from Master History INDEX.DAT files:

Figure 3: NetAnalysis with IE Bing results

As can be seen, both entries show a hit count of 5. Both of these pages were visited only once, so it is immediately apparent that the hit count value maintained by Internet Explorer may not be an accurate count of how many times a particular page has been visited. However, this still did not explain how Internet Explorer had produced a hit count of 911.

The virtual machine was started again and the browsing account logged on. The previous steps were repeated: typing ‘www.bing.com’ into the address bar, visiting the Bing homepage and clicking on the ‘Images’ tab. Once again, Bing auto-suggested the search criterion ‘Beautiful Britain’ and displayed the same thumbnail results page. The search criterion ‘aston martin’ was again typed into the search box and the same thumbnail results page was produced. None of the images were clicked or zoomed. This time the results page was scrolled using the side scroll bar, which loaded more thumbnails as it went. Internet Explorer was closed and the browsing account logged off. The Admin account was used to extract the browser data for processing in NetAnalysis. Figure 4 shows some of the results; both entries are again from Master History INDEX.DAT files:

Figure 4: NetAnalysis showing a hit count of 511

As can be seen, the ‘Beautiful Britain’ search now has a hit count of 13 – it is not at all clear how Internet Explorer determined this figure. Moreover, the ‘aston martin’ search now shows a hit count of 511. This page was not visited 511 times, nor were 511 of the thumbnail images clicked. The contents of the INDEX.DAT for the local cache folders (Content.IE5) were checked to see how many records were held relating to thumbnails that had been cached. The results were as follows:

 

Figure 5: NetAnalysis showing 307 cache records

So it does not even appear that there are 511 thumbnails held in the local cache. The result page was scrolled quickly, so the user did not see a large proportion of the thumbnail images.
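The comparison made above by hand, a history record’s hit count set against the number of cache records for the same host, can be automated for triage. The following Python is an added example and is not code from this post or from NetAnalysis. It carves ‘URL ’ records out of an INDEX.DAT buffer, reads the hit count and last-accessed time, and flags history entries whose hit count the cache cannot corroborate. The field offsets it uses (record length in 128-byte blocks at 0x04, last-accessed FILETIME at 0x10, URL string offset at 0x34, hit count at 0x50) follow the commonly published description of the IE 5.2 record layout and are assumptions to verify against your own samples; the records it parses are constructed inside the script, with the post’s 511 figure and a small cache, rather than taken from real evidence.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Field offsets inside an IE 5.2 INDEX.DAT "URL " record, relative to the record start.
# These follow the commonly published description of the format and are an
# assumption to verify against real samples; they are not taken from the post.
BLOCK_SIZE = 128          # records are allocated in 128-byte blocks
OFF_BLOCKS = 0x04         # uint32: record length in blocks
OFF_LAST_ACCESSED = 0x10  # FILETIME: last accessed time
OFF_LOCATION = 0x34       # uint32: offset of the NUL-terminated URL within the record
OFF_HITS = 0x50           # uint32: hit count
URL_START = 0x60          # where the constructed samples place the URL string (assumption)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def build_url_record(url, hits, last_accessed):
    """Construct a minimal URL record; used only to build the sample buffers below."""
    body = url.encode("ascii") + b"\x00"
    nblocks = -(-(URL_START + len(body)) // BLOCK_SIZE)  # ceiling division
    rec = bytearray(nblocks * BLOCK_SIZE)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, OFF_BLOCKS, nblocks)
    struct.pack_into("<Q", rec, OFF_LAST_ACCESSED, datetime_to_filetime(last_accessed))
    struct.pack_into("<I", rec, OFF_LOCATION, URL_START)
    struct.pack_into("<I", rec, OFF_HITS, hits)
    rec[URL_START:URL_START + len(body)] = body
    return bytes(rec)

def parse_url_record(buf, off):
    """Parse one URL record at buf[off]; raises ValueError on anything implausible."""
    if buf[off:off + 4] != b"URL ":
        raise ValueError("no URL signature at %#x" % off)
    length = struct.unpack_from("<I", buf, off + OFF_BLOCKS)[0] * BLOCK_SIZE
    if length == 0 or off + length > len(buf):
        raise ValueError("implausible record length at %#x" % off)
    loc = struct.unpack_from("<I", buf, off + OFF_LOCATION)[0]
    end = buf.find(b"\x00", off + loc, off + length) if 0 < loc < length else -1
    if end < 0:
        raise ValueError("URL string missing or unterminated at %#x" % off)
    ft = struct.unpack_from("<Q", buf, off + OFF_LAST_ACCESSED)[0]
    return {
        "offset": off,
        "length": length,
        "url": buf[off + loc:end].decode("ascii", "replace"),
        "hits": struct.unpack_from("<I", buf, off + OFF_HITS)[0],
        "last_accessed": filetime_to_datetime(ft) if ft else None,
    }

def iter_url_records(buf):
    """Carve URL records by signature rather than walking the hash table, so this also
    works on fragments; records that fail to parse are skipped."""
    off = buf.find(b"URL ")
    while off >= 0:
        try:
            rec = parse_url_record(buf, off)
        except ValueError:
            off = buf.find(b"URL ", off + 4)
            continue
        yield rec
        off = buf.find(b"URL ", off + rec["length"])

def record_host(url):
    """Hostname of a record; master history locations read 'Visited: <user>@<url>'."""
    if url.startswith("Visited:") and "@" in url:
        url = url.split("@", 1)[1]
    return (urlparse(url).hostname or "").lower()

def uncorroborated_hit_counts(history_buf, cache_buf):
    """History records whose hit count exceeds the number of cache records for the
    same host: the comparison the post makes by hand (511 hits against 307 entries)."""
    cache_per_host = Counter(record_host(r["url"]) for r in iter_url_records(cache_buf))
    flagged = []
    for rec in iter_url_records(history_buf):
        cached = cache_per_host.get(record_host(rec["url"]), 0)
        if rec["hits"] > max(cached, 1):  # one visit with no cache entry is not suspicious
            flagged.append({"url": rec["url"], "hits": rec["hits"], "cache_records": cached})
    return flagged

# Constructed sample data: a master history index carrying the post's 511 figure and
# a cache index holding three thumbnail records for the same host.
T0 = datetime(2011, 11, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_HISTORY = b"".join([
    build_url_record("Visited: user@http://www.bing.com/images/search?q=aston+martin", 511, T0),
    build_url_record("Visited: user@http://www.bing.com/", 1, T0),
])
SAMPLE_CACHE = b"".join(
    build_url_record("http://www.bing.com/th?id=thumb%d" % i, 1, T0) for i in range(3)
)

if __name__ == "__main__":
    for f in uncorroborated_hit_counts(SAMPLE_HISTORY, SAMPLE_CACHE):
        print("hit count %d not corroborated (%d cache records): %s"
              % (f["hits"], f["cache_records"], f["url"]))
```

A flag from this routine is a prompt, not a finding: it tells the examiner that the recorded hit count has no support in the cache and must be corroborated from other artefacts (or, as here, reproduced in a test environment) before it is put in a report.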

In conclusion, it is apparent that the ‘Hit Count’ maintained by Internet Explorer cannot be relied upon. Although this experiment involved a quite specific process relating solely to image searches carried out on one particular search engine, the disparity between results and reality makes it clear that unquestioning acceptance of what Internet Explorer is recording as a ‘Hit Count’ could lead to significant errors if presented in evidence.

To complete the experiment, two further identical Virtual Machines were created. On one, the Google Chrome browser (v 15.0.874.106 m) was installed and used. On the other, the Mozilla Firefox browser (v 8.0) was installed and used. The same steps were repeated: typing ‘www.bing.com’ into the URL bar; visiting the Bing homepage; and clicking on the ‘Images’ tab. The results from these processes are shown below:

Chrome:

Figure 6: NetAnalysis with Google Chrome search results

Firefox:

Figure 7: NetAnalysis with Mozilla Firefox search results

Both of these browsers appear to maintain a more accurate ‘Hit Count’, at least for the steps repeated here.


NetAnalysis Foundation Training Announcement


Digital Detective Group is pleased to announce the launch of their all new NetAnalysis™ Foundation training course.

NetAnalysis™ is one of the most highly regarded and accepted software tools for browser forensic analysis.  It is widely used in both public and private sectors and has become the industry leading software for the recovery and analysis of browser related artefacts.

The NetAnalysis™ Foundation training course will run at Learning Tree International, Euston House, 24 Eversholt Street, London, NW1 1AD on the following dates, with further dates being scheduled throughout the year.

(Image: NetAnalysis Foundation course training dates)


This 2-day course is competitively priced at just £830 + VAT per place.  To book a place or to check availability, please contact us on 0845 224 8892 (or our email address: sales (at) digital-detective.co.uk).


NetAnalysis User Manual v1.53


We are pleased to announce the release of the updated user manual for NetAnalysis v1.53.  It can be downloaded from here:


NetAnalysis v1.53 Released


This is an important release of NetAnalysis which fixes a number of issues in relation to the changes implemented in the latest browsers. 

All of the main browsers, Internet Explorer, Mozilla Firefox, Google Chrome, Apple Safari and Opera, have either made changes to their file formats or added additional new features.  These changes have necessitated a considerable amount of research, development and testing to add the required support.  This document outlines some of the changes with this release.

Apple Safari
This release has been tested with Apple Safari up to version 5.1.7354.50.  Safari has introduced a number of changes to the cache structure which are not supported in earlier versions of NetAnalysis.

Google Chrome
This release has been tested with Google Chrome up to version 14.0.835.202.  A modification in the cache in relation to the way digital certificates are stored introduced an error in NetAnalysis v1.52 when importing the cache.  This has now been resolved.

Microsoft Internet Explorer
This release has been tested with Microsoft Internet Explorer up to version 9.0.8112.16421.  Internet Explorer 9 introduced a new integrated download manager which stores the details of downloaded files in a new download INDEX.DAT file.  This file has a different structure to the standard INDEX.DAT files.  Figure 1 shows NetAnalysis 1.53 with a Download INDEX loaded.  You can see the original URL and Download Path columns.

Figure 1: NetAnalysis 1.53 with an Internet Explorer 9 download INDEX.DAT loaded

Mozilla Firefox
This release has been tested with Mozilla Firefox up to version 7.0.1.  Mozilla has released versions 4 to 7 of its browser in a very short time frame.  Version 4 brought a significant change to the structure of the cache and to the way cached files are stored on disk.  We have also added support for the signons (saved logins) database.

Opera
This release has been tested with Opera up to version 11.51.  Opera is another browser which has made changes to the structure of their cache file and disk layout. 

Other New Features
In addition to the main five browsers, we have also tested this release against Sundial browser, version 4.0.1.  To see a full list of all the changes, please see the following:


Random Cookie Filenames


As forensic examiners will be aware, Microsoft Internet Explorer stores cached data within randomly named folders. This behaviour was designed to stop Internet-derived content being written to predictable locations on the local system, defeating a number of attacks that depend on knowing where such content lives. Prior to the release of Internet Explorer 9.0.2, cookies were an exception: their location was predictable in many cases.

Cookie Files

Generally, for Vista and Windows 7, cookie files are stored in the location shown below:

Table 1: Internet Explorer cookie location (Windows Vista and Windows 7)

\AppData\Roaming\Microsoft\Windows\Cookies\

The cookie filename format was the user’s login name, the @ symbol and a partial hostname for the cookie’s domain, followed by a numeric suffix in square brackets and the .txt extension (for example user@example[1].txt).

Figure 1: cookie files named with the legacy user@host format

With sufficient information about a user’s environment, an attacker might have been able to establish the location of any given cookie and use this information in an attack.

To mitigate the threat, Internet Explorer 9.0.2 now names the cookie files using a randomly-generated alphanumeric string. Older cookies are not renamed during the upgrade, but are instead renamed as soon as any update to the cookie data occurs. Figure 2 shows an updated cookie folder containing the new files.

Figure 2: cookie folder after the update, showing randomly named files

This change has no impact on examining the cookie data itself: the domain and path are still recorded inside each file. It is, however, no longer possible to tell which domain a cookie belongs to from the filename alone.
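Because the filename no longer reveals the domain, the domain has to be recovered from the file’s contents. The following Python is an added example and is not code from this post or from NetAnalysis. It classifies a cookie filename as legacy (user@host[n].txt) or randomised, and parses the plain-text Internet Explorer cookie file format, in which each cookie occupies nine lines: name, value, host/path, flags, expiry time, creation time and a ‘*’ terminator, with each time stored as a FILETIME split into two decimal 32-bit words (low word first). The sample file, filenames and cookie values are constructed; treating any filename whose stem is purely alphanumeric and contains no ‘@’ as one of the new randomised names is an assumption based on the description above.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Legacy IE cookie filename: <login name>@<partial hostname>[<n>].txt, e.g. alice@bing[1].txt
LEGACY_NAME = re.compile(
    r"^(?P<user>[^@\\/]+)@(?P<host>[^\[\]\\/]+?)(?:\[(?P<n>\d+)\])?\.txt$", re.IGNORECASE)
# Post-9.0.2 name: a randomly generated alphanumeric string with no '@' (assumption)
RANDOM_NAME = re.compile(r"^[A-Z0-9]+\.txt$", re.IGNORECASE)

def classify_cookie_filename(filename):
    """What the filename alone tells you: user and host hint for legacy names, nothing otherwise."""
    m = LEGACY_NAME.match(filename)
    if m:
        return {"scheme": "legacy", "user": m.group("user"), "host_hint": m.group("host")}
    if RANDOM_NAME.match(filename):
        return {"scheme": "randomised", "user": None, "host_hint": None}
    return {"scheme": "unknown", "user": None, "host_hint": None}

def filetime_words_to_datetime(low, high):
    ft = (int(high) << 32) | int(low)
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime_words(dt):
    ft = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return ft & 0xFFFFFFFF, ft >> 32

def parse_cookie_file(text):
    """Parse the nine-lines-per-cookie text format and recover domain/path from the content."""
    lines = text.splitlines()
    if len(lines) % 9:
        raise ValueError("cookie file is not a whole number of 9-line records")
    cookies = []
    for i in range(0, len(lines), 9):
        name, value, hostpath, flags, exp_lo, exp_hi, cre_lo, cre_hi, term = lines[i:i + 9]
        if term != "*":
            raise ValueError("record starting at line %d is not '*'-terminated" % (i + 1))
        domain, _, path = hostpath.partition("/")
        cookies.append({
            "name": name,
            "value": value,
            "domain": domain,
            "path": "/" + path,
            "flags": int(flags),
            "expires": filetime_words_to_datetime(exp_lo, exp_hi),
            "created": filetime_words_to_datetime(cre_lo, cre_hi),
        })
    return cookies

def describe_cookie_file(filename, text):
    """Both views side by side: what the name suggests and what the content proves."""
    info = classify_cookie_filename(filename)
    info["domains"] = sorted({c["domain"] for c in parse_cookie_file(text)})
    return info

# Constructed sample: two cookies for bing.com hosts; names, values and flags are invented.
CREATED = datetime(2011, 11, 15, 9, 30, tzinfo=timezone.utc)
EXPIRES = datetime(2013, 11, 15, 9, 30, tzinfo=timezone.utc)

def _record(name, value, hostpath, flags, created, expires):
    exp_lo, exp_hi = datetime_to_filetime_words(expires)
    cre_lo, cre_hi = datetime_to_filetime_words(created)
    fields = [name, value, hostpath, str(flags), str(exp_lo), str(exp_hi), str(cre_lo), str(cre_hi), "*"]
    return "\n".join(fields) + "\n"

SAMPLE_COOKIE_FILE = (
    _record("SRCHUID", "V=2&GUID=0123456789ABCDEF", "bing.com/", 1536, CREATED, EXPIRES)
    + _record("_SS", "SID=ABCDEF0123", "www.bing.com/images", 1024, CREATED, EXPIRES)
)

if __name__ == "__main__":
    for fn in ("alice@bing[1].txt", "K7P3Q2MZ.txt"):
        print(fn, describe_cookie_file(fn, SAMPLE_COOKIE_FILE))
```

Running the block shows the practical point: the legacy name yields a host hint (‘bing’) that is only partial anyway, the randomised name yields nothing, and in both cases the authoritative domain and path come from the third line of each record.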


HstEx v3.7 Released


We are pleased to announce the release of HstEx v3.7.  This can be downloaded from the following link:

HstEx supports the recovery of:

  • Microsoft Internet Explorer v4 Records
  • Microsoft Internet Explorer v5–9 Records
  • Mozilla Firefox v1–2 History Records
  • Mozilla Firefox v1–5 Cache Records
  • Apple Safari XML History Records
  • Apple Safari Binary PLIST Records
  • Mozilla / Firefox / Netscape Bookmark Records
  • Yahoo! BT (British Telecom) Browser History Records

HstEx is a Windows-based, advanced professional forensic data recovery solution designed to recover browser artefacts and Internet history from a number of different source evidence types.  HstEx supports all of the major forensic image formats.
