I recently contacted Digital Intelligence to confirm that their FRED computers, specifically the Intel X99 Chipset, could handle 10 TB drives. The answer was “We don’t know, but it should.” Not the answer I wanted to hear, especially since I’d already been told that updating this particular FRED from its factory Windows 8.1 to Windows 10 could downgrade the front USB 3.0 ports to 2.0 due to lack of driver support. So with my return guarantee from my vendor in hand, I ordered the 10 TB Seagate IronWolf NAS SATA 6Gb/s NCQ 256MB Cache 3.5-Inch Internal Hard Drive (ST10000VN0004).

First off, the 10 TB drive works in the FRED with the Intel X99 Chipset. Windows, of course, binaries it down to 9.3 TB. Performed a quick NTFS file system format, and promptly ran Crystal Disk Mark on it. Please note that I’m using the Hot Swap Bays, which are connected via USB 3.0, not SATA. Here are the results:

10TB

surpriseThere appears to be a growing number of e-discovery middle men in the industry.  Be careful of who you trust!  I have recently met many people who have no experience in the digital forensics and electronic discovery fields.  Neither do they have an information technology background.  Many of them do not even have any legal training.  One client recently told me that he came back to us because the people they were dealing with “sounded scammy.”  He was correct in that classification.

What is currently happening in the industry is that a potential client would call a nationally known brand for electronic discovery or digital forensics services.  This national brand will send the client a slick sales sheet and explain, via phone script, of the vast variety of professional services which are offered.  Mind you, this is a salesperson who usually has never forensically acquired a digital device before.  If the client knows a little about what he/she wants, then the client may be graced by a technical sales representative, who may actually have some ED/DF experience.  This sales rep will further expatiate on how their quality surpasses all others, especially local vendors who are not qualified to service their needs.

Once the client signs a binding contract with them, the exorbitant national brand prices rear their ugly heads.  Acquisition usually is subcontracted out to the same local vendor which the sales rep had stated was not qualified to service the client.  This image is then ported over to their national offices, adding additional time and expense.  Response time for search term requests is usually much, much longer from a national brand than a local vendor.

When it comes to a deposition or court testimony, a slew of challenges come into play.  This is a result of that national brand farming out its work, creating issues with chain of custody, 3rd party affidavits, and multi-party subpoenas.

Not all national brands are bad, and sometimes, it may even be necessary due to the volume of the work involved.  However, for the vast majority of law firms, this type of work normally is and stays local; for that, I see no advantage of using a national brand.  And neither did that client.  Buyer beware!  (whoever thought that 4 years of Latin in high school would come in handy one day?)

cage2

http://www.usatoday.com/story/news/politics/2014/01/14/roberts-gates-on-presidents/4475369/

Near the end of this article in USA Today, former Secretary of Defense Robert Gates mentioned that the President of the United States, Secretary of Defense, and Secretary of State all must use electro-magnetically protected tents in foreign lands to provide “a setting secure from surveillance.”  These tents are known as Faraday cages.  A Faraday cage “is a metallic enclosure that prevents the entry or escape of an electromagnetic field (EMF). * In most circumstances, a fine copper mesh is shaped into an enclosure to form a simple Faraday cage. For the President and his staff, the Faraday cage will prevent people from intercepting any electronic signals emanating from computers and telecommunications devices (such as wireless phones, tablets, etc.).  For digital forensic purposes, we use a Faraday cage to prevent a wireless phone from transmitting and receiving cellular signals, which is paramount in any case to avoid spoliation.

Some burning issues with smartphones and the law are about to come to a head.  Currently, most law enforcement has been trained to take possession of your smartphone without a search warrant.

http://www.usatoday.com/story/news/nation/2013/09/09/your-cellphone-private-or-not/2788945/

Windows 8 is upon us, and that means all those open source tools we’ve used in the past are that much harder to set up to use.  UEFI, which replaces the BIOS (a lot more to it than that, but a sufficient explanation for our purposes here), has a feature called “Secure Boot” which is activated by default.  When Secure Boot is activated, booting from open-source operating system CDs, DVDs, and USB flash drives is not possible without first going into the UEFI of each computer to be used and deactivating Secure Boot.

DEFT 7.2 was released a couple of weeks ago.  Some highlights of this release:

  • Option to use DEFT as a virtual appliance based on Vmware 5 with USB3 support
  • Kernel 3.0.0-26
  • Autopsy 3 beta 5 (using Wine – please note that you need minimum 1GB ram)
  • Log2tmeline 0.65
  • Guymager 0.6.12-1
  • Vmfs support
  • Some mirror fixes

http://www.deftlinux.net/

 

Also, YUMI 0.0.7.8 was released last week.  You will have to un-install any previous versions of DEFT through the YUMI interface, then install DEFT 7.2 through the same interface.  It takes about 25 minutes total.  A quick note about installation – you will have to manually browse for the DEFT 7.2 .iso file (put in *.* under file name) as YUMI wants to install version 7.1, not 7.2.  I’ve tested it, and YUMI will boot DEFT 7.2 without any problems.  I’m actually using DEFT 7.2 from YUMI to simultaneously image 3 drives on our portable forensics box via Guymager right now as I’m typing.

http://www.pendrivelinux.com/yumi-multiboot-usb-creator/

DEFT 7.1 is my current “Live CD” of choice. Based on Ubuntu, DEFT is constantly updated to include the newest drivers (it even installed my 3rd party ExpressCard USB 3.0 port), allows commands to be executed to customize the kernel before starting the GUI, and has almost every open source tool that I use for digital forensics. My only complaints were how long it took to load and the response time once it was in the GUI. These complaints were directly connected to DEFT running on a DVD; the OS had to constantly task back and forth from the DVD, which made it crawl sometimes. So, I went on a hunt to install it onto a flash drive, thinking it would be a long and arduous task. I thought wrong.  Pendrivelinux.com already had installers built to run Linux distributions straight off a flash drive. And one of those distributions was DEFT 7.1. Not only that, but there was one called Your Universal Multiboot Installer (YUMI) that allowed me to choose from multiple builds at startup.

Installation onto the USB flash drive took just a few minutes, and now my boot-up time in DEFT 7.1 is 5 times faster.  Plus, the GUI never intermittently crawls like it used to on DVD.  In addition, I can also choose from other builds I installed onto the flash drive, such as BackTrack, Clonezilla, and a number of others.  I don’t even boot off my hard drive anymore – I just use YUMI installed on my USB flash drive.  I highly recommend this for digital forensics, penetration testing, anti-virus cleaning, data recovery, and too much else to name.

http://www.pendrivelinux.com/yumi-multiboot-usb-creator/

As a digital forensics examiner, I find myself imaging between multiple operating systems across multiple platforms.  Unfortunately, the file systems native to each major operating system are all not fully-compatible with each other, with the exception of FAT32 and exFAT.

FAT32 limitations are 2TB for drive size and 4GB per file, the latter of which is pretty significant since I usually don’t split my images.  exFAT does not have a file size limit (well, 16 EB, but I digress).

After doing some research and testing, I found that Ubuntu, along with other Linux flavors, actually does handle exFAT with the Filesystem in Userspace (FUSE) package.  Considering Ubuntu is the operating system used for DEFT and many other forensic Live CDs, this is significant. Here are the instructions to add exFAT support to Ubuntu*:

You can mount an exFAT filesystem using the fuse-exfat package, by running the following commands (in a terminal):

1. Add the repository:  sudo add-apt-repository ppa:relan/exfat
2. Update the package list:  sudo apt-get update
3. Install the exFAT package:  sudo apt-get install fuse-exfat
4. Create the mount folder:  sudo mkdir /media/exfat
5. Find your exFAT partition id:  sudo blkid (or sudo fdisk -l to get an expansive list)
6. Mount the filesystem (replace sdc1 with your exFAT partition id):  sudo mount -t exfat /dev/sdc1 /media/exfat
7. Read and write to /media/exfat
8. When you are done, unmount the filesystem:  sudo umount /media/exfat

I’ve confirmed that an exFAT-formatted 2 TB hard drive on a dock can be read and written from Ubuntu (DEFT 7.1) to OS X (10.7 Lion) to Windows 7 (64-bit), all with successful results. I hope this information is helpful to someone else besides myself.

*substantial information from http://stackoverflow.com/questions/6537878/how-to-mount-a-exfat-partition-in-ubuntu-11-04
_________________
Marc Yu
Chief Forensic Examiner
PensacolaForensics.com