2010-03-14T06:54:01Z http://blog.computerforensicsblog.com/comments/atom.aspx Quick Blogcast tag:blog.computerforensicsblog.com,2009-12-13:2643374 Steve Burgess 2009-12-14T05:00:23Z 2009-12-14T05:00:23Z That is most certainly an accurate statement. Except it hasn't been done so much in a widespread way so far.<br> tag:blog.computerforensicsblog.com,2009-12-13:2643370 Steve Burgess 2009-12-14T04:59:01Z 2009-12-14T04:59:01Z Monique, thanks for your thoughtful comments!<br><br>Regarding people having more data: <br>It doesn't make that much sense that people would have more data just because they have bigger hard drives, it's true. However, I've been doing data recoveries for 25 years and it seems that it is true. The average hard drive I see has gone from 10MB to 100GB, and over all that time, they seem to usually be from 1/2 to 2/3 full. Like people's spending seems to expand to fit their incomes, people's data seems to expand to fit their storage. A lot of it's photos &amp; music. A lot of the photos could be actionable evidence. Not so much the music unless your are the RIAA or its ilk.<br><br>I agree with you that a million images don't need to be closely examined when a couple hundred will do. My concern is how effective antiforensics (or privacy) tools may become with ridding a person's computer of them.<br><br>Whether computer forensics firms and e-discovery firms merge is a question of great personal interest to me. I suppose it depends on how a company looks at its business model. A company may decide that its core competency is storage and documentation vs investigation. From this perspective, they're two very different business models and we'd expect to see more collaborations than mergers. <br>On the other hand, if a firm looks at the model as litigation support, it might be more likely to want to do both. I know e-discovery companies that dabble with computer forensics, and of course computer forensics involves more than a little e-discovery. I think we'll have a mix of both types of firms - one-stop shops and collaborating but divergent companies in each field. tag:blog.computerforensicsblog.com,2009-12-13:2642621 miketimoff http://www.iphoneservicesdepot.com 2009-12-13T21:53:08Z 2009-12-13T21:53:08Z iPhone is a very good hackers' target. tag:blog.computerforensicsblog.com,2009-12-11:2637868 monique http://www.techforensicexperts.com 2009-12-12T02:43:43Z 2009-12-12T02:43:43Z Great article, Steve! I agree with most of what you said, but I don't agree with people having all that much more data. Sure, storage sizes will be enormous, but how many emails are people going to get over the time they keep the same computer? After all, people will hold on to their hardware for the same amount of time. That, to me, translates into about the same, maybe more data. If there is a big jump in the amount of data stored, I think it'll be mostly non-useful files (depending upon what you're looking for, of course) like movies, music, and pictures. <br> <br>Huge caches of pictures and videos are, of course, a big deal in child exploitation investigations. I think a pretty compelling argument can be made that it isn't necessary to view each and every image/video because there's no greater penalty if you have, say, 1,000 images versus 1 million or 1 trillion images. (That being said, at the US federal level there are some charging decisions affected by the number of images, but again, the practicality of looking at a million or trillion images, documenting each, submitting each as evidence verges on the ridiculous.)<br> <br>That's my two cents. Thanks again for the article. What do you see happening as far as computer forensics firms merging with e-discovery? Will there be happy marriages or will the two co-exist/compete?<br> <br>Thanks!<br>Monique Ferraro tag:blog.computerforensicsblog.com,2009-12-10:2634331 Steve Burgess 2009-12-11T02:08:24Z 2009-12-11T02:08:24Z <span class="Apple-style-span" style="white-space: pre-wrap; -webkit-border-horizontal-spacing: 3px; -webkit-border-vertical-spacing: 3px; "><span class="Apple-style-span" style="font-size: small;">Indeed, Mr. Munin's Fire! Reminds me of the old phrase, "beyond the 7th wave."</span></span> tag:blog.computerforensicsblog.com,2009-12-10:2634325 Steve Burgess 2009-12-11T02:05:17Z 2009-12-11T02:05:17Z <span class="Apple-style-span" style="font-size: medium; ">I can see that you would be upset! Connecticut's attorney general and its Insurance Commissioner Thomas Sullivan are both planning investigations into the incident and why it took so long for Health Net to come forth with the information. WIll they force Health Net as an organization or individuals within it to take responsibility and will their action s allow individuals to be paid back? I do not know. Furthermore, these agencies' actions may be only on behalf of citizens of the Nutmeg State. Those in other states may have to get their own agencies to look into it as well.</span> tag:blog.computerforensicsblog.com,2009-12-09:2631307 Eric 2009-12-10T02:56:34Z 2009-12-10T02:56:34Z It is worth noting that the mention of the proxy specifically calls out the widespread meme regarding "hiding behind seven proxies." It's a bit of jargon covering some internet folklore regarding the amount of indirection required to remain safe from detection when committing various kinds of shenanigans. As with all memes, this one has numerous variations and parodies. tag:blog.computerforensicsblog.com,2009-12-09:2629835 James L 2009-12-09T18:25:41Z 2009-12-09T18:25:41Z I am very upset that individuals responsible at Health Net allowed important information that could harm millions of people to be "misplaced" then they allowed six months to pass without reporting it. My checking account was violated and money was stolen and my familys life was upside down for weeks. Question, Is anybody going to have to answer for there lack of judgement and / or security? tag:blog.computerforensicsblog.com,2009-12-01:2605667 Steve B 2009-12-01T17:52:56Z 2009-12-01T17:52:56Z <div>Good question Monique. And the answer is an unequivocal "maybe."</div><div>As I haven't personally dealt with either of these pieces of malware, I'm going from the reports I have read.&nbsp;</div><div><br></div><div>The first piece of malware discussed (Win32/RansomSMS.AH) blocks Internet access, through what process I do not know. Not knowing what file, files, registry entries or whatever else have been modified, I do not know that the given data would have been backed up.&nbsp;</div><div>So seems to me that there's a good chance a restoral from backup might not solve the problem.&nbsp;</div><div>If it is a complete disk image taken from just before the infection, I'd expect it to work, but the existence of such an image for the average user (or even the advanced forensic guru) seems unlikely.</div><div><br></div><div>As for the earlier GPcode.ak, I'd say restoring from a backup of the affected files would probably work fine...as long as the old files weren't erased by a new backup. Fortunately the new, encrypted files have a different name so as long as old files aren't deleted with a new backup, the old files with their original names ought to still be available to be restored.</div><div><br></div><div>Thanks for the thoughtful question. Btw - I'm impressed with how fast your site loads.</div><div><br></div><div>Cheers, &nbsp;Steve</div> tag:blog.computerforensicsblog.com,2009-12-01:2605129 monique ferraro http://www.techforensicexperts.com 2009-12-01T14:47:09Z 2009-12-01T14:47:09Z Thanks for the information! One question- wouldn't regularly backing up your data effectively thwart the hacker's efforts?<br />Best,<br />Monique Ferraro