Attend SANS Forensics 508 in Sydney and achieve your GCFA (starts 14 March 2012)

Tuesday, 24 January 2012

Fight crime, unravel incidents … one byte at a time

Klein & Co. is proud to have been invited by the SANS Institute to mentor the SANS 508 training course on Advanced Computer Forensic Analysis and Incident Response commencing in Sydney on 16 March 2012.

This course will help you start to become a master of advanced incident response and computer forensics tools (mostly open source) and techniques to investigate data breach intrusions, tech-savvy rogue employees, advanced persistent threat and complex digital forensic cases.

The format is a mixture of online self-study and weekly class tutorials where your mentors Nick Klein and Jason Solomon will lead you through the more difficult aspects of the course, provide real world examples of the skills you'll learn and prepare you for your GCFA examination.

All attendees will receive a copy of F-Response Tactical. Register before 15 Feb 2012 to also save $500 off the course fees.

For more information and to register, please visit the course registration page or contact us.

Forensic timeline Splunking

Saturday, 19 November 2011

Fast and powerful searching of timeline data

Computer forensic timeline analysis has come a long way in recent years. I was first introduced to "super timelines" by Rob Lee in the SANS 508 course in 2010 and have been a big fan of the tools and methodology since then.

By using fls and log2timeline to extract file system and other temporal data, a computer forensic investigator can effectively reconstruct many system and user activities on a computer system. However, one challenge this creates is efficiently analysing the mass of data that's extracted.

I've been looking at various methods to solve this and have found Splunk to be one of the most powerful. I'm pleased to present the results of this work today at Ruxcon 2011.

This blog provides a summary of the process of creating a super timeline and analysing it in Splunk, plus the files you'll need to customise Splunk to analyse timeline data.

The slides from my presentation are also available here. Slides from the SANS 508 course are provided with permission from SANS.

3rd Annual eCrime Symposium

Tuesday, 08 November 2011

Ctrl, Alt, Del: Resetting the Agenda

The 3rd annual eCrime Symposium was held in Canberra on 8 and 9 November under the title Ctrl, Alt, Del: Resetting the Agenda.

I was pleased to moderate the panel session on Malware and Data Breaches, which prompted some interesting discussion on the wide range of attacks against individuals, companies and governments over the last few years. Issues ranged from the extent of attacks targeting "low hanging fruit" to new approaches to defending against more proficient attackers and media reporting of advanced persistent threats.

Thank you to Alastair MacGibbon and Nigel Phair for inviting me to present. I look forward to next year's event.

More information can be found here.

Employment opportunities at Klein & Co.

Wednesday, 31 August 2011

What started as a small computer forensic practice continues to develop and grow, thanks to a steady stream of diverse, fascinating and challenging investigations from a growing number of satisfied clients.

We pride ourselves on delivering the highest quality of computer forensic services, with practitioners who have solid technical skills, deep expertise, the utmost integrity and professionalism and are well trained in the latest computer forensic tools and techniques.

If you have the skills and experience to be the next valuable member of our growing team, please submit your expression of interest and CV to us by email.

Mobile Phone Spying

Tuesday, 02 August 2011

Our investigation as featured on A Current Affair

We recently undertook an interesting investigation of mobile phone spying software called FlexiSpy, which we found was capable of logging calls, capturing SMS messages, listening on calls and tracking GPS coordinates. It was fascinating to see how easily the program can be installed and used, but how difficult it can be to detect. Our work was featured on Channel 9's A Current Affair programme.

Mounting split disk images under OSX

Tuesday, 19 July 2011

Using MacPorts, affuse and hdiutil (updated for OSX Lion)

I recently had a situation where I had to mount a split raw forensic image (acquired using dd) on my Mac without my normal forensic tools. It wasn't a straightforward process, but after some Googling and testing I found a neat solution, so I thought I'd properly document the process for other Mac-loving forensicators. It even works for split Expert Witness / EnCase / E01 image files. Very handy!

Judge critical of evidence spoliation

Tuesday, 14 June 2011

When lack of forensic process can damage your evidence and your case

Among the interesting facets of this case is the magistrate's critical comments regarding the plaintiff's treatment of electronic evidence, "having irreparably altered the evidence on its hard drives by running scans on its computers and continuing to use them prior to making proper forensic copies."

While every situation is different, collecting electronic evidence in a forensically sound manner should be the first stage of a forensic process. It's often also the quickest and cheapest. Failure to do so can not only bring the integrity of the evidence into question, but significantly reduce its forensic value in proving (or disproving) the facts in a case.

Read Brian Krebs' analysis of the case here.

AusCERT 2011, Gold Coast

Sunday, 24 April 2011

Data Breach Trends & Predictions

As a leading investigator of data breaches across Australia and New Zealand through our close partnership with Vectra Corporation, we're pleased to be presenting some of our findings on attack trends and predictions at next month's AusCERT conference on the Gold Coast.

You can see a sneak peek of our presentation in this recent Computerworld article. For more information on the conference, visit the AusCERT 2011 conference website.

SANS training discount through Klein & Co.

Wednesday, 20 April 2011

Klein & Co. are proud to support the SANS Institute and their outstanding, vendor-independent computer forensic training courses. Directed by world-class 'forensicator' and nice guy Rob Lee, these courses are an excellent balance of forensic theory, hands-on exercises and practical advice for using your newly acquired knowledge on the job.

SANS have kindly extended a 10% discount on their upcoming Brisbane and Sydney training events for Klein & Co. visitors who register with the discount code KleinCo. The offer is open to anyone, but places are limited so don't delay.

Regulator fines employees for client data disclosure

Sunday, 17 April 2011

One of the most common cases we investigate at Klein & Co. is the misappropriation of confidential information by employees. These cases inevitably focus on the actions of the employees and the damage occasioned to the company from whom the information was taken.

However, in an apparent first in the US, the Securities and Exchange Commission (SEC) recently stepped into one such case, fining two former employees of a brokerage firm who "violated customer privacy rules by improperly transferring customer records to another firm". The former head of compliance was also fined for failing to "ensure that the firm's policies and procedures were reasonably designed to safeguard confidential customer information".

InformationWeek published this interesting article on the case.

Australian data breaches rising

Wednesday, 13 April 2011

... and basic security weaknesses still letting them through

Through our partnership with Vectra Corporation, a leading team of IT security and PCI DSS specialists, our computer forensic investigators perform the majority of credit card data breach investigations across Australia and New Zealand.

We've definitely seen an increase in the number of breaches over the last year, with many cases still occurring because fundamental security measures are falling short: card data stored unencrypted, servers missing critical patches, and default code and security settings left in place, leaving systems open to basic attacks like SQL injection.

I recently discussed the issue with ZDNet.

The end of digital forensics?

Tuesday, 08 March 2011

Not quite

This recent paper by Graeme Bell and Richard Boddington of Perth's Murdoch University provides some valuable information for forensic examiners on how solid state disk (SSD) drives delete unused areas of the 'disk' independently of the operating systems or applications of the computers to which they're connected.

Some have suggested this will cause serious problems for computer forensic examiners, who will no longer be able to leverage data recovered from unallocated disk space. While I agree that in some cases this will be an issue, it's important to remember that electronic evidence can be derived from a wide range of data sources, many of which aren't affected by the behaviour of the SSD.

This article from the SMH has some interesting thoughts on the subject.

eCrime Symposium 2011, Sydney

Thursday, 25 November 2010

Forensic Response to Data Breach Events

Nick will be running a series of "Cyber Cafe" sessions on the topic of "What are the things a forensic examiner will need after a data loss incident in your company?"

Designed to be both informative and interactive, these sessions will walk through a typical scenario involving the disclosure of sensitive or confidential information and discuss the critical actions required for a successful incident response.

Nick will also be moderating the separate panel session at the e-Crime Symposium on Data Breaches.

For more information, please visit: www.internetevents.com.au/upcoming-events

UNSW Continuing Legal Education Seminar, Sydney

Wednesday, 24 November 2010

Understanding Computer Forensics

We find that the most important factor in the effective use of electronic evidence by legal practitioners is how well they're briefed to understand the evidence: what it means and what it proves.

This presentation will describe, in simple terms, what electronic evidence might exist and what value it could provide legal practitioners in some of the most common computer forensic scenarios, including:

  • the authenticity of email
  • analysing user activity
  • reconstructing Internet usage
  • the hidden value of document metadata

For more information, please visit: www.cle.unsw.edu.au

Ruxcon 2010, Melbourne

Saturday, 20 November 2010

How to do real world forensics ... and not get burned

Sooner or later, most IT folks will be asked to do some form of investigation, whether it's looking into misuse of email or the Internet, investigating a system compromise or even a rogue employee stealing company secrets. Most will have the technical skills and interest to help, but can easily get caught in the minefield of technical, legal and procedural traps that computer forensic investigations entail.

Based on the philosophy that it's always good to learn from mistakes, especially someone else's, this presentation will be full of war stories and practical advice to help you get results while staying well clear of trouble.

For more information, please visit: www.ruxcon.org.au

Contact Klein & Co.

Office: +61 (2) 9233 3400

Mobile: +61 407 614 143

Email: enquiries@kleinco.com.au


"I have used Klein & Co. to interrogate a number of systems across a range of industries. Nick's ability to understand the retainer and deliver an outcome in response has been very impressive. In a number of cases his work has been determinative."

Bryan Belling
Partner, Middletons Lawyers