
Marco Pontello of Italy has posted a nifty utility to his web site which will assist you with identifying file types from their binary signatures. The utility operates in the same fashion as the hex editor described in the Tip of the Night for February 1, 2016 but will automatically provide you with the file types of groups of files saved to a folder.

Download the zip file posted to http://mark0.net/soft-trid-e.html - see the link for the Win32 option at the bottom of the page. Extract the contents to a folder on your C drive, and then also download the file listed as 'TrIDDefs.TRD package, 891KB ZIP (6673 file types, 13/03/16)' at the bottom of the page, and unzip it to the same folder.

In the folder with the TrID data, hold Ctrl + Shift, right-click, and choose the option for 'Open command window here'. Type 'trid' followed by the file path to the folder with the data you want to analyze. For example:

C:\Users\SeanKOShea\Documents\tips\TrID\TrID>trid C:\Users\SeanKOShea\Documents\test\*

The file path should not contain any spaces. At the end of the file path add a backslash and an asterisk, as in the example above. As shown in this screen grab, TrID will list the programs that open each type of file.

Even better, if you are dealing with a folder full of files that are missing file extensions, you can use TrID to add the correct file extensions automatically. Just add the -ce switch after the file path:

C:\Users\SeanKOShea\Documents\tips\TrID\TrID>trid C:\Users\SeanKOShea\Documents\test\* -ce
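To show what TrID is doing under the hood, here is a small added Python script that is not TrID's code and does not use its TrIDDefs.TRD database: it carries a hand-written table of a few public magic numbers, identifies every file in a folder by its leading bytes, and, like the -ce switch, appends the detected extension to files that lack it. The sample files it creates in a temporary folder are constructed for the demonstration. Note the last sample: a file named as .txt whose bytes are a Windows executable header, which is exactly the kind of mismatch signature-based identification catches and extension-based sorting misses.

```python
"""Identify files by their leading bytes ("magic numbers") and, optionally,
append the matching extension, mirroring  trid <folder>\\*  and  trid <folder>\\* -ce.

Added illustration only: this is not TrID's code, and the signature table below is
a small hand-written stand-in for the TrIDDefs.TRD database. The files written by
demo() are constructed samples.
"""
import os
import tempfile

# (signature bytes, offset in file, extension, description) -- well-known public magic numbers
SIGNATURES = [
    (b"%PDF-", 0, "pdf", "Adobe Portable Document Format"),
    (b"\x89PNG\r\n\x1a\n", 0, "png", "Portable Network Graphics image"),
    (b"\xff\xd8\xff", 0, "jpg", "JPEG image"),
    (b"GIF87a", 0, "gif", "GIF image"),
    (b"GIF89a", 0, "gif", "GIF image"),
    (b"PK\x03\x04", 0, "zip", "ZIP archive (also the container for docx/xlsx/pptx/jar)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, "doc", "OLE2 compound document (legacy Office formats)"),
    (b"MZ", 0, "exe", "Windows PE executable"),
    (b"\x7fELF", 0, "elf", "ELF executable"),
]
HEADER_BYTES = 64  # enough for every offset + signature length in the table above


def match_signature(head):
    """Return (extension, description) for the first matching signature, or (None, 'unknown')."""
    for sig, offset, ext, desc in SIGNATURES:
        if head[offset:offset + len(sig)] == sig:
            return ext, desc
    return None, "unknown"


def identify_file(path):
    """Read only the file header and classify it."""
    with open(path, "rb") as f:
        return match_signature(f.read(HEADER_BYTES))


def scan_folder(folder, add_extension=False):
    """Identify every regular file in folder.

    Returns {final filename: (extension, description)}. With add_extension=True a file
    whose name does not already end in the detected extension is renamed to
    name + '.' + extension (the -ce behaviour); unidentified files are left alone.
    """
    results = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        ext, desc = identify_file(path)
        if add_extension and ext and not name.lower().endswith("." + ext):
            new_name = name + "." + ext
            os.rename(path, os.path.join(folder, new_name))
            name = new_name
        results[name] = (ext, desc)
    return results


def demo():
    """Build a scratch folder of constructed sample files and scan it with -ce semantics."""
    folder = tempfile.mkdtemp(prefix="trid_demo_")
    samples = {
        "report": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",          # PDF header, no extension
        "photo": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",              # JPEG/JFIF header, no extension
        "archive": b"PK\x03\x04\x14\x00\x00\x00\x08\x00",              # ZIP local file header, no extension
        "notes.txt": b"just some plain text, no magic number\n",       # no signature -> unknown, untouched
        "invoice.txt": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00",  # named .txt, but bytes say PE executable
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as f:
            f.write(data)
    return scan_folder(folder, add_extension=True)


if __name__ == "__main__":
    for name, (ext, desc) in demo().items():
        print(f"{name:18s} {ext or '-':5s} {desc}")
```

Two points the full tool handles that this sketch does not: TrID's database is far larger and ranks candidates by how many signature bytes match, and it can tell a docx from a bare zip even though both begin with PK. The reason to prefer signature identification over trusting extensions in a litigation or incident workflow is the invoice.txt case above: the extension is whatever the sender chose, the header bytes are what the file actually is.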

HAPPY ST. PATRICK'S DAY!!


Back on February 16, 2016 I reported on the big news the United States District Court for the Central District of California made by issuing an order requiring Apple to devise a means of getting around the encryption on an iPhone belonging to one of the terrorists in the attacks in San Bernardino, CA. Yesterday, Judge James Orenstein of the U.S. District Court for the Eastern District of New York issued a decision denying a Government motion for an order requiring Apple to bypass the passcode security on an iPhone 5s running iOS 7. The court held that the same statute relied upon in the C.D. Cal. case, the All Writs Act, could not be invoked in this case because Congress had considered legislation that would achieve the same result but had not actually passed it.

Orders under the All Writs Act have to consider three factors:

1. The closeness of Apple to the criminal act.

2. The burden to Apple of complying.

3. The necessity of imposing the burden on Apple.

Specifically with regard to the third factor, the Court considered an admission by the Government that Homeland Security had the ability to override the passcode and access and copy records on the device. The Court cited the testimony of a DHS expert in another case (from 2015) to point out the existence of an IP Box technology that, while new and finicky, was successful at bypassing passcodes on some Apple devices. Because there was conflicting evidence about the Government's own capabilities, Judge Orenstein held that it was not necessary to order Apple to assist.

The matter the court ruled upon concerned a device belonging to a defendant charged with drug trafficking. The opinion mentions 70 other instances in which Apple stated it could unlock the phone if an order were issued requiring it to do so. Apple faces a dozen pending cases in which it objects to the Government's request to bypass a passcode.

Judge Orenstein also states that the Communications Assistance for Law Enforcement Act (CALEA) absolves a company like Apple from providing the assistance the Government demands in the present case. For the purposes of that Act, the Court held that Apple should be classified as an information service provider and not a telecommunications carrier. The Act specifies that the former does not have the same requirement to provide assistance to government investigations that the latter does.

The encryption software does not constitute an act by Apple to thwart the Government from conducting its investigation. The Court distinguished Apple from telephone utilities that supplied the Government with information from pen registers. Apple is not heavily regulated and does not have a duty to serve the public. Pen registers were regularly employed by telephone companies to help detect fraud and for billing purposes. Circumventing passcodes is not something Apple would do in the normal course of its business. Pen registers were not difficult to install, but designing a means to get around its encryption software would divert personnel, hardware and software, and the Court points out that the cumulative burden of complying with Government orders would affect Apple's normal business operations.


Feb 28, 2016

There's another option in addition to the methods described in the Tip of the Night for February 26, 2016 for data wiping or sanitization. Secure Erase makes just one pass, writing either 1s or 0s, but it runs inside the drive itself, which rules out the possibility that anything will be missed and makes it faster than other methods of data sanitization. The methods referenced two nights ago are block erase techniques that use installed software to overwrite data. These methods can be vulnerable to malware. Secure Erase is firmware, software embedded in the hardware. It's another option in addition to the Format Drive command in a data storage system. However, Secure Erase can only operate on an entire drive, not on an individual folder.

Secure Erase does not work with SCSI hard drives. The enhanced version of Secure Erase makes multiple passes in its overwriting process using predetermined data patterns set by the manufacturer of the drive, and includes reallocated disk sectors, that is, those no longer used because they had errors. Secure Erase can wipe 100 GB of data in a few hours with greater security than block erase techniques, which take 1 or 2 days and offer a weaker guarantee that data can't be recovered. The enhanced version of Secure Erase works even faster.

You can use freeware provided by the University of California, San Diego's Center for Memory and Recording Research to run the internal secure erase command of a drive. Note that it will not work with either SCSI or USB drives, only SATA or ATA drives. See the Litigation Support Tip of the Night for January 22, 2016.
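Before relying on a drive's internal Secure Erase, it pays to confirm that the drive actually offers it, whether the enhanced variant described above is available, and whether the drive will accept the command at all. On Linux the ATA identify data, including a "Security:" section with exactly those flags and the drive's own time estimates, is printed by hdparm -I. The following added Python script, which is not from the post and is not the CMRR freeware, parses that section and reports readiness; it issues no erase command itself. The two sample outputs are constructed in the layout hdparm -I prints (tab-indented lines under "Security:"), not captured from any real drive.

```python
"""Report whether an ATA/SATA drive's internal Secure Erase can be used, from `hdparm -I` output.

Added example: not part of the post and not the CMRR HDDErase tool it mentions. It inspects
capability flags only and never issues an erase. The sample outputs are constructed in the
format hdparm -I prints, not captured from a real drive.
Usage on Linux:  sudo hdparm -I /dev/sdX | python3 this_script.py
"""
import re
import sys

# Constructed sample: drive ready, enhanced erase offered (times are the drive's own estimates).
SAMPLE_READY = (
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT. \n"
    "Logical Unit WWN Device Identifier: 5000000000000000\n"
)

# Constructed sample: spinning disk, no enhanced erase, and "frozen" by the host,
# the usual reason the security commands are refused even though they are supported.
SAMPLE_FROZEN = (
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\t\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t180min for SECURITY ERASE UNIT. \n"
    "Checksum: correct\n"
)


def parse_security(text):
    """Return the Security-section flags and the reported erase times (minutes) as a dict."""
    info = {"supported": False, "enabled": False, "locked": False, "frozen": False,
            "enhanced": False, "erase_minutes": None, "enhanced_minutes": None}
    parts = text.split("Security:", 1)
    if len(parts) < 2:
        return info  # no Security section at all: not ATA identify output (e.g. SCSI or a USB bridge)
    block = []
    for line in parts[1].splitlines()[1:]:   # skip the remainder of the "Security:" line itself
        if line and not line[0].isspace():   # next top-level section ends the block
            break
        block.append(line.strip())
    for line in block:
        if line == "supported":
            info["supported"] = True
        elif line == "supported: enhanced erase":
            info["enhanced"] = True
        else:
            m = re.fullmatch(r"(not\s+)?(enabled|locked|frozen)", line)
            if m:
                info[m.group(2)] = m.group(1) is None   # "not\tfrozen" -> False, "frozen" -> True
    joined = " ".join(block)
    m = re.search(r"(\d+)min for SECURITY ERASE UNIT", joined)
    if m:
        info["erase_minutes"] = int(m.group(1))
    m = re.search(r"(\d+)min for ENHANCED SECURITY ERASE UNIT", joined)
    if m:
        info["enhanced_minutes"] = int(m.group(1))
    return info


def assess(info):
    """Classify readiness as 'unsupported', 'frozen', 'locked', or 'ready'."""
    if not info["supported"]:
        return "unsupported"
    if info["frozen"]:
        return "frozen"
    if info["locked"]:
        return "locked"
    return "ready"


def report(info):
    """Human-readable summary of assess() plus the drive's time estimates."""
    verdict = assess(info)
    lines = [f"Secure Erase: {verdict}"]
    if info["erase_minutes"] is not None:
        lines.append(f"  normal erase estimate: {info['erase_minutes']} min")
    if info["enhanced"]:
        lines.append(f"  enhanced erase offered, estimate: {info['enhanced_minutes']} min")
    if verdict == "frozen":
        lines.append("  drive is frozen: it rejects security commands until unfrozen (e.g. a suspend/resume cycle)")
    return "\n".join(lines)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_READY
    print(report(parse_security(text)))
```

The "supported: enhanced erase" line is the drive telling you it implements the manufacturer-pattern, reallocated-sector variant the post describes, and the minute figures are the drive's own estimates for each. A drive that shows no Security section at all is typically one reached through a SCSI or USB path, which matches the post's caveat that the internal command is only available for directly attached ATA or SATA drives.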



Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea. Proudly created with Wix.com
