TomTom forensics

The guys at GPSForensics.org are posting more and more info on their webpage regarding this very new and challenging field within IT forensics. Their latest is a very practical document on TomTom forensics.

WORM and hashing

Two interesting and IMO partly related postings were made in the previous days: Sandisk made a press-release about their new write-once-read-many (WORM) storage card, and Jesse Kornblum wrote a blog posting about updates and new features for his hashing tools.

Read more

Gmail account protection

How many cases have you done that involved possible unauthorized access to a webmail account? Probably quite a few, if your client base and caseload are at all similar to ours. Remember, this isn’t just about the average home user whose Hotmail account got hacked by guessing the secret question; there are numerous examples of people who (for a variety of reasons) use their personal webmail occasionally or on a regular basis for receiving and sending work-related e-mail.

These cases are often hard to solve: there are of course some tricks with using ‘digital traps’ to catch the person who is viewing the inbox, but such mechanisms don’t always work in the current world of spam-protection. And if you are doing bad things, you might be looking out for traps :) The webmail providers are often very reluctant to provide any information on when and from where an account was accessed, even when the requester is the owner of the account.

Read more

Inverse keylogger

If you (like we once did) get a case where you have to explain ‘random mouse movements and keyboard inputs’, you might want to check for the following device:

http://www.thinkgeek.com/gadgets/electronic/a11e/

It should not be too hard to notice (who would miss some sort of PCB connected to their USB port… ;) ), maybe they should try and put some more effort into hiding it. Real keyloggers, like the ones from KeyGhost are far harder to detect…

Anyway, this device was not the cause in our case, nevertheless a fun thing to stumble upon (thanks to TB).

Literally make history with Firefox 3

I reckon most people will have seen the news that there is a new major release of ‘the other’ web browser, Mozilla Firefox (no browser wars please ;) ). The release of version 3 of this web browser was hyped up with an attempt to make it to the Guinness Book of Records, with a world record for the highest number of software downloads in 24 hours. “Make history with Firefox” was the slogan, but I will take a look at a way to literally make history with Firefox 3. Browser history, that is.
Read more

Show me your software and I will tell you…

A while back I overheard a conversation where someone was making a firm statement about vendor-based certification: “If you don’t visit the regularly held Guidance Software training sessions, you can’t be a proper forensic examiner nor do a proper forensic investigation”. Excuse me?

Read more

Microsoft exchanged speed for forensic readiness?

With the new OS from Microsoft called Vista, many businesses will be surprised to hear that in this new OS access times on the filesystem will be disabled by default.

Why Microsoft did this is not clear to me; maybe to gain some extra speed on the filesystem? The filesystem used by Vista is NTFS, and with NTFS files have three times, called MAC times: Modified, last Accessed and Created. The accessed time is usually updated every time the file is opened or accessed by the OS. In the current release of Vista this is turned off by default.

It is however a registry setting, so to improve forensic readiness businesses can alter one registry value when they roll out Vista to enable accessed times again. The value lives under the key

HKLM\SYSTEM\CurrentControlSet\Control\FileSystem

The value is a REG_DWORD: a value of 1 means no last accessed time updates, and a value of 0 means last accessed times will be updated.
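As an added example (not part of the original post), the following PowerShell script reads the setting described above and, when asked, switches it back to 0 so that NTFS records last-access times again. The value name NtfsDisableLastAccessUpdate under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem is the real Windows value that the post refers to; the function names are this example’s own. Changing the value needs an elevated session.

```powershell
# Added example: check and (optionally) re-enable NTFS last-access time updates.
# Value name and meaning of 0/1 as documented by Windows; function names are ours.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$ValueName = 'NtfsDisableLastAccessUpdate'

function Get-LastAccessUpdateState {
    # Returns the raw DWORD and an interpretation; Enabled is $null for values
    # outside the 0/1 set the post describes (newer Windows builds add more modes).
    $props = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        return [pscustomobject]@{ Raw = $null; Enabled = $false
                                  Note = 'value not present; Vista behaves as disabled' }
    }
    $raw = [int]$props.$ValueName
    switch ($raw) {
        0       { $enabled = $true;  $note = 'last-access updates enabled' }
        1       { $enabled = $false; $note = 'last-access updates disabled (Vista default)' }
        default { $enabled = $null;  $note = "value $raw is outside the documented 0/1 range" }
    }
    [pscustomobject]@{ Raw = $raw; Enabled = $enabled; Note = $note }
}

function Enable-LastAccessUpdate {
    # Sets the DWORD to 0. Supports -WhatIf so a rollout script can be dry-run first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'set to 0 (enable last-access updates)')) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
    }
}

# Usage: report the current state, then enable updates if they are off.
$state = Get-LastAccessUpdateState
Write-Output ("{0}: raw={1} -> {2}" -f $ValueName, $state.Raw, $state.Note)
if ($state.Enabled -ne $true) {
    Enable-LastAccessUpdate -WhatIf   # drop -WhatIf to apply; reboot to be sure it takes effect
}
```

The same check can be done from a command prompt with `fsutil behavior query disablelastaccess`. Two caveats for the examiner: the setting only governs whether NTFS records accessed times from now on (it does nothing for events before the rollout), and even when enabled NTFS may delay writing an updated last-access time to disk by up to an hour, so accessed times are coarse evidence and should be corroborated with other artefacts.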
