Monday, June 2, 2014

CEIC 2014

A little over a week ago I had the opportunity to attend Guidance Software's Computer and Enterprise Investigations Conference (CEIC). I attended a number of sessions including Field Triage and RAM Analysis, Defrag Forensics, Vehicle System Forensics, Examining Volume Shadow Copies, APT Attacks Exposed, and Advanced Decryption, but the two that stuck with me the most were Analysis & Correlation of Mac Logs and SSD Forensics.

I would definitely consider myself a Windows person with little Mac experience. Sarah Edwards gave a great presentation on Analysis & Correlation of Mac Logs. The presentation covered where to find basic logs, system logs, audit logs, volume information, network information, location data, user activity, backup data, software data, system information, printing data, temporal changes, and Bluetooth information. Because of this presentation I now have a list of places to start when examining a Mac.

This year was my second time going to the SSD Forensics session. The presentation, given by Jeff Hedlesky from Guidance Software, Chris Bross from DriveSavers, and David Sun and Leo Costello from S34A, explained some problems that arise with SSDs. Problem 1 is that hashing is made more difficult with SSDs. When a HDD is imaged through its LBA range, the image includes unallocated space and the content behind each LBA stays put; with an SSD, the data returned for a given LBA can change under certain situations, so two acquisitions of the same drive need not hash the same. Below is a slide from the presentation that explains Problem 1.

[Slide: Problem 1 Explanation]
Problem 2 is that data now sits in areas that did not exist on HDDs, such as the over-provisioning area: data the drive has moved outside the LBA range, where an LBA-level acquisition cannot reach it. Below is a slide from the presentation that explains Problem 2.

[Slide: Problem 2 Explanation]
This got me thinking about ReFS on an SSD. ReFS may well be much more efficient on an SSD than on a HDD, and may even have been designed with SSDs in mind, because of the way it deals with its file table. When changes are made to the drive, the file table is copied, the changes are applied to the copy, and the old copy of the file table is pushed into unallocated space. On an SSD, TRIM would run and take care of the extra copies, but on a HDD they just stay there waiting to be overwritten. This would of course need to be tested on an SSD to confirm that ReFS runs properly on it and that it does in fact dispose of the extra file table copies.
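The two SSD problems from the session and the TRIM point in the ReFS paragraph, as a toy model added here for illustration (it is not from the CEIC slides and is not any vendor's firmware): a tiny flash translation layer in Python. The class name ToySSD, the block size, the page counts and the sample file contents are all constructed assumptions. The model writes each change to a fresh flash page and only remaps the LBA, marks trimmed pages stale without erasing them, and lets a background garbage collector erase stale pages later. Two LBA-level acquisitions taken either side of that background pass hash differently although the examiner wrote nothing (Problem 1), and an old version of a file survives in a physical page that no LBA maps to (Problem 2).

```python
import hashlib

BLOCK = 512          # bytes per logical block (constructed size)
LOGICAL_BLOCKS = 8   # LBA range the host can address
PHYSICAL_PAGES = 12  # flash pages; the extra four are the over-provisioning area
ERASED = b"\x00" * BLOCK


class ToySSD:
    """Minimal flash-translation-layer model (constructed, not real firmware)."""

    def __init__(self):
        self.pages = [ERASED] * PHYSICAL_PAGES   # physical flash contents
        self.free = list(range(PHYSICAL_PAGES))  # erased pages ready to write
        self.mapping = {}                        # LBA -> physical page holding live data
        self.trimmed = {}                        # LBA -> page the host said it no longer needs
        self.stale = set()                       # pages with old data, not yet erased

    def write(self, lba, data):
        # Flash cannot overwrite in place: the FTL writes a fresh page and
        # remaps the LBA. The previous page keeps its contents until erased.
        page = self.free.pop(0)
        self.pages[page] = data.ljust(BLOCK, b"\x00")
        old = self.mapping.get(lba)
        if old is not None:
            self.stale.add(old)
        self.trimmed.pop(lba, None)
        self.mapping[lba] = page

    def trim(self, lba):
        # The filesystem tells the drive this LBA holds no useful data.
        # The page is only marked stale; its contents survive until garbage
        # collection, and reads of the LBA may still return them meanwhile.
        page = self.mapping.pop(lba, None)
        if page is not None:
            self.trimmed[lba] = page
            self.stale.add(page)

    def garbage_collect(self):
        # Background erase of stale pages. The drive decides when this runs,
        # not the examiner.
        for page in sorted(self.stale):
            self.pages[page] = ERASED
            self.free.append(page)
        self.stale.clear()
        self.trimmed.clear()

    def read(self, lba):
        # The host only ever sees what the mapping (or a not-yet-erased trim) points at.
        if lba in self.mapping:
            return self.pages[self.mapping[lba]]
        if lba in self.trimmed:
            return self.pages[self.trimmed[lba]]
        return ERASED

    def image_lba(self):
        """What an LBA-level acquisition of this drive captures."""
        return b"".join(self.read(lba) for lba in range(LOGICAL_BLOCKS))

    def dump_flash(self):
        """What a raw read of every physical page, over-provisioning included, captures."""
        return b"".join(self.pages)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def differing_lbas(img_a, img_b):
    """LBAs whose contents differ between two acquisitions of the same drive."""
    blocks = min(len(img_a), len(img_b)) // BLOCK
    return [i for i in range(blocks)
            if img_a[i * BLOCK:(i + 1) * BLOCK] != img_b[i * BLOCK:(i + 1) * BLOCK]]


def demo():
    ssd = ToySSD()
    ssd.write(0, b"FILE-A version 1")   # constructed sample content
    ssd.write(1, b"FILE-B")
    ssd.write(0, b"FILE-A version 2")   # overwrite: version 1 becomes a stale page
    ssd.write(2, b"soon deleted")
    ssd.trim(2)                         # filesystem deletes the file at LBA 2

    first = ssd.image_lba()             # acquisition 1
    flash_before_gc = ssd.dump_flash()
    ssd.garbage_collect()               # the drive's own background work, no host writes
    second = ssd.image_lba()            # acquisition 2 of the "untouched" drive

    return {
        # Problem 1: same drive, nothing written by the examiner, different hash
        "hash_changed": sha256(first) != sha256(second),
        "changed_lbas": differing_lbas(first, second),
        "live_data_intact": ssd.read(0).rstrip(b"\x00") == b"FILE-A version 2",
        # Problem 2: the old version of FILE-A is in flash but no LBA maps to it
        "stale_copy_in_lba_image": b"FILE-A version 1" in first,
        "stale_copy_in_flash_before_gc": b"FILE-A version 1" in flash_before_gc,
        "stale_copy_in_flash_after_gc": b"FILE-A version 1" in ssd.dump_flash(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical consequence for an examiner is the one the session pointed at: verify the hash of the image file you acquired rather than re-hashing the live device later, and if two device hashes disagree, a per-LBA comparison like differing_lbas shows whether the differences are confined to unallocated or trimmed regions while the live files are unchanged. The stale copy in the over-provisioning area is only visible to a raw read of the flash, which is why the model exposes dump_flash separately from image_lba.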

Thank you Champlain College and Guidance Software for giving me the opportunity to attend CEIC.

Sources:
Analysis and Correlation of Mac Logs, by Sarah Edwards
CEIC 2014 Advancements in SSD Forensics, by Jeff Hedlesky, David Sun, Chris Bross, Leo Costello