Archive for category: Cyber Forensics

In several forensic investigation cases, Kivu has analyzed iOS backup files as a method of obtaining evidence of text messages or other data from an iOS device, usually when an iOS device is not readily available or as a means of cross-correlating evidence.

These backups are often made to the custodian’s computer when they connect their iOS device to a computer to charge it or sync it with iTunes. When they connect their iPod touch, iPhone, or iPad to their computer, certain files and settings on their device are automatically backed up. As such, they are locally stored on the custodian’s computer and can be extracted and parsed for further analysis.

In a recent case, the backups were extracted from the custodian’s laptop, which was provided to Kivu. The backups pertained to two iPhone devices. Kivu forensically extracted the backups from the custodian’s laptop and was able to parse the backups and uncover text message data that came from both the custodian’s current iPhone and the prior one, which was no longer in her possession.

Here’s how the text messages were retrieved

Within the “Backup” directory under MobileSync, there is a subdirectory named for the unique device identifier (UDID) of the device for a full backup. The UDID is a 40-character hexadecimal string that identifies the device [example: 5b8791c14e926cc9220073aefcedd2b831c843b1]. Sometimes, the UDID will have a timestamp appended to it that indicates the date and time that the backup was made. For example, a directory named 5b8791c14e926cc9220073aefcedd2b831c843b1-20150506 122733 indicates that the iOS device was backed up on May 6, 2015 at 12:27:33 PM.

Within the UDID directory, there are numerous files that follow a naming convention similar to the UDID directory, with no file extension. These filenames are actually SHA1 hash values: when backing up an iOS device through iTunes, iTunes computes a SHA1 hash of each file’s path and uses that hash as the backup filename. Below is a chart detailing several common SHA1 file names for files pulled from an iOS device in the course of an iTunes backup.

Since text messages are often of interest, it’s important to note the SHA1 hash value assigned to sms.db. This is the database file that holds text message data, including sender, recipient, and content of messages.
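The two naming conventions above (the UDID directory with its optional timestamp suffix, and the SHA1-named files inside it) can be worked through in code. The following is an added example, not Kivu’s own tooling; it assumes the standard iTunes convention that the hash covers the string "<domain>-<relative path>" (for example HomeDomain-Library/SMS/sms.db) and uses constructed sample directory and file names.

```python
import hashlib
import re
from datetime import datetime

# Device files whose backup names are worth knowing, keyed by the (domain, path)
# pair that iTunes hashes. The "<domain>-<relative path>" convention is the
# standard iTunes backup convention; the post itself only says "the file's path".
KNOWN_ARTIFACTS = {
    ("HomeDomain", "Library/SMS/sms.db"): "SMS/iMessage database (sender, recipient, content)",
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"): "Contacts database",
    ("HomeDomain", "Library/CallHistory/call_history.db"): "Call history database",
}


def backup_filename(domain, relative_path):
    """Return the 40-character hex name iTunes gives a device file in the backup."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


# A backup directory is the 40-hex UDID, optionally followed by "-YYYYMMDD HHMMSS".
DIRNAME_RE = re.compile(r"^(?P<udid>[0-9a-fA-F]{40})(?:-(?P<stamp>\d{8} \d{6}))?$")


def parse_backup_dirname(name):
    """Split a MobileSync/Backup subdirectory name into UDID and backup time.

    Returns None for names that do not look like a backup directory; the
    timestamp is None when the directory carries no "-YYYYMMDD HHMMSS" suffix.
    """
    m = DIRNAME_RE.match(name)
    if m is None:
        return None
    stamp = m.group("stamp")
    when = datetime.strptime(stamp, "%Y%m%d %H%M%S") if stamp else None
    return {"udid": m.group("udid").lower(), "timestamp": when}


def identify_known_files(filenames):
    """Map hashed file names found in a backup directory back to device paths."""
    by_hash = {backup_filename(d, p): (d, p, desc) for (d, p), desc in KNOWN_ARTIFACTS.items()}
    found = {}
    for name in filenames:
        hit = by_hash.get(name.lower())
        if hit is not None:
            domain, path, desc = hit
            found[name.lower()] = {"domain": domain, "path": path, "description": desc}
    return found


if __name__ == "__main__":
    # Constructed sample: the directory name quoted in the post plus two file
    # names, one of which is the hashed name of sms.db and one a dummy.
    sample_dir = "5b8791c14e926cc9220073aefcedd2b831c843b1-20150506 122733"
    sample_files = [backup_filename("HomeDomain", "Library/SMS/sms.db"), "0" * 40]
    info = parse_backup_dirname(sample_dir)
    print(f"UDID {info['udid']} backed up at {info['timestamp']}")
    for name, hit in identify_known_files(sample_files).items():
        print(f"{name} -> {hit['domain']}-{hit['path']}: {hit['description']}")
```

Running identify_known_files over os.listdir() of a real backup directory shows which known artifacts that backup contains without opening any of them.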


About Kivu

Kivu is a nationally recognized leader for security assessments and breach response services.  For more information about collecting forensic data from Apple devices, please contact Kivu.

Airline boarding passes are full of personal data that you might not want total strangers to know. Many travelers simply toss their used boarding passes in the trash, or leave them in the pocket of the seat in front of them when they fly, unaware that the information stored in their boarding pass barcode could leave them open to identity theft. While some airlines, like Southwest, scramble the information on the barcode, others, like United, currently do not.

Recently, Kivu was asked by KPIX-TV in San Francisco to help research the type of information that a data thief could glean from a typical commercial airline boarding pass. Kivu was provided with three sample boarding passes. The specific information available from each boarding pass barcode depended on the airline. Kivu looked at barcodes for three major airlines – United Airlines, Southwest Airlines, and Virgin America. Here’s what we uncovered.

Barcodes are technically easy to decipher. With a good scanner app, information that is not available in plain text on a boarding pass can be uncovered. There are several different types of barcodes that one can find on a variety of items. Boarding pass barcodes are encoded as PDF417 barcodes. This barcode type contains multiple modes to represent text, numeric, and binary data.

If a customer purchases a flight using a Frequent Flier account or with Frequent Flier miles, (depending on the airline), their personal frequent flyer information is displayed when the barcode is scanned. If the customer did not purchase or reserve the flight using Frequent Flier miles, that information is not available by scanning the barcode.

For example, with her permission we decoded the barcode and identified the Frequent Flyer number used by a recent traveler on United Airlines. With this information, we were able to log on to the passenger’s United Airlines account. We then knew her address, personal email, and telephone number. Going further, we knew when her next flights were scheduled and had the option to cancel them or change her seat. We also knew her date of birth, middle name, and the username for her account. Lastly, we could access her Miles Rewards and have them transferred to our own personal account in the form of cash.

All of this easily available information leaves travelers open for further data hacks. If we wanted to try to get into her personal bank account, this information would have provided a great start.

Less data is available if a passenger is not using a Frequent Flyer number. Still, a data thief could learn from a boarding pass barcode the passenger’s name, where they flew, the date and the airline.
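To see exactly which of these fields a printed pass exposes, the barcode text can be decoded with a fixed-width parser. The example below is added here and is not Kivu’s code; it assumes the barcode carries the IATA Bar Coded Boarding Pass (BCBP) layout in its "M" format, and it runs on a constructed payload with no real passenger. It reads only the mandatory section and reports whether the optional section, where frequent-flyer data sits when present, is there.

```python
from datetime import date, timedelta

# Fixed-width layout of the mandatory section (the first 60 characters) of an
# IATA BCBP string, which is the text a PDF417 boarding pass barcode carries.
MANDATORY_FIELDS = [
    ("format_code", 1),           # "M" for the IATA multi-leg format
    ("legs", 1),                  # number of flight legs encoded
    ("passenger_name", 20),       # SURNAME/GIVENNAME, space padded
    ("eticket_indicator", 1),     # "E" for an electronic ticket
    ("pnr", 7),                   # booking reference (record locator)
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),               # operating carrier designator
    ("flight_number", 5),
    ("julian_date", 3),           # day of year of the flight; no year is encoded
    ("compartment", 1),
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("conditional_size_hex", 2),  # length (hex) of the optional section that follows
]
MANDATORY_LENGTH = sum(width for _, width in MANDATORY_FIELDS)


def parse_bcbp(payload, year):
    """Decode the mandatory section of a BCBP payload for its first leg.

    `year` must be supplied by the caller: the barcode stores only the
    day of year, so the calendar date is inferred from it.
    """
    if len(payload) < MANDATORY_LENGTH or payload[0] != "M":
        raise ValueError("not an IATA 'M'-format boarding pass payload")
    fields = {}
    pos = 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = payload[pos:pos + width].strip()
        pos += width
    day_of_year = int(fields["julian_date"])
    fields["flight_date"] = (date(year, 1, 1) + timedelta(days=day_of_year - 1)).isoformat()
    # The optional (conditional) section is where frequent-flyer data lives
    # when the pass was booked against a loyalty account; it is not decoded here.
    cond_len = int(fields["conditional_size_hex"], 16)
    fields["conditional_section"] = payload[pos:pos + cond_len]
    fields["has_optional_data"] = cond_len > 0
    return fields


def exposed_summary(fields):
    """What a discarded pass reveals even without a frequent-flyer number."""
    return (f"{fields['passenger_name']} flew {fields['carrier']} {fields['flight_number']} "
            f"{fields['from_airport']}->{fields['to_airport']} on {fields['flight_date']}, "
            f"booking {fields['pnr']}, seat {fields['seat']}")


# Constructed sample payload (no real passenger), assembled field by field so
# the fixed widths line up. The trailing "00" means there is no optional section.
SAMPLE_PAYLOAD = (
    "M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7)
    + "SFO" + "LAX" + "UA".ljust(3) + "1234".ljust(5)
    + "126" + "Y" + "012A" + "0001".ljust(5) + "1" + "00"
)

if __name__ == "__main__":
    decoded = parse_bcbp(SAMPLE_PAYLOAD, year=2015)
    print(exposed_summary(decoded))
    print("optional section present:", decoded["has_optional_data"])
```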

For airline passengers, this should be a wake-up call. One solution to this problem is to keep your boarding pass on your phone rather than print a copy.

Kivu’s forensic investigators are experienced in protecting organizations against compromise of data, theft of trade secrets and unauthorized access to data. Author, Katherine Delude, is a Digital Forensic Analyst at Kivu Consulting in San Francisco, California. For more information, please contact Kivu.

Data quality is not a glamorous subject. It is not the type of topic that headlines a conference or becomes front-page news. It is more typically suited for help guides and reference manuals that few individuals relish reading. However, organizations that acknowledge the importance of data quality and have strong data quality programs significantly reduce privacy and security risks. They also lower the potential costs associated with data breaches, the legal risks, and the potential size of business interruptions.

Data quality issues start when information is created. This includes incorrect information, data entry errors, and inaccurate document conversion such as conversion of text contained within image files (e.g., a screen shot from a patient management system). Data quality issues also arise as data is being processed, transferred or stored.

1. Build a foundation of knowledge and fluency about data.

“Understanding data” means moving deeper than simply understanding that a database stores records or that a file contains information. Knowledge of data means taking the time to understand that data exists in different layers and structures and can be readily transformed. Additionally, data can be defined as discrete elements (e.g., a data element that stores date/time information) and have assigned roles and restrictions. Investment in the language of data can improve control over data and enable better decisions on information security and privacy.

2. Don’t leave data design and quality decisions to the development team or an IT group.

This could place data at significant risk, including possible loss, misuse and inadequate protection. Development teams are often provided with high-level requirements such as “design a secure form to collect user data”. While this directive may appear clear, privacy and security risks reside in the implementation of this directive. To achieve better security and privacy, more attention must be directed to clarifying the method of form collection, transmission and storage of data. Further validations should be provided so that data is corrected before it is stored.

3. Articulate security and privacy concepts in terms that help developers integrate better security.

Regulations and policies concerning privacy and information security often address data from a systems perspective. Terms such as “protect the perimeter” articulate protection of a network and the systems and data within the network. “Protect the perimeter” does not clearly translate design into a more secure system.

Developers and analysts work with data in the context of business and user requirements. Developers also work under tight budget constraints and significant systems complexity where one requirement may consist of several steps. As security and privacy requirements continue to mature, understanding the needs and workflow of developers will facilitate better “baked in” security and privacy.

4. Extend security and privacy requirements to how data is created, changed, stored, transmitted and deleted.

Security requirements typically speak at a high level and leave a substantial gap in clarity with respect to data. As an example, a business may have a requirement where social security numbers (SSNs) are encrypted at rest. At the same time, the company may display SSNs in a web application where the SSNs are partially hidden by form design but otherwise are present and unprotected.

5. Embed security analysis into the QA process.

Security testing is often the purview of InfoSec groups and external consultants who evaluate software that exists in an operations environment (also referred to as DevOps or Production). This includes the use of tools and the knowledge to locate and remediate vulnerabilities. The pitfall with this approach to security testing is that vulnerabilities are not identified before software is released. Using tools such as Seeker (which analyzes software for vulnerabilities during the QA process) can improve overall application security by reducing the number of possible vulnerabilities in software design.

CASE: Data at Risk (by Design)

Organizations are at increased risk of security incidents due to undefined or poorly specified software requirements. One such example is inadequate articulation of secure password storage. Poor design is initiated when developers or an IT group receive a directive to secure user passwords. However, securing passwords can mean many things including:

Accountability for data design, use and quality should exist across an organization. With less of a technical divide, organizations can improve the conversation on how to better protect data with the appropriate use of security to balance risk and cost. Attention to detail at the bottom (the data level) may also deliver secondary benefits such as cleaner customer data, reduction in time to resolve customer issues, or better disaster recovery.

The misnomer of HIPAA compliant software is prevalent in the health care industry. Too often, HIPAA-regulated entities rely on vendor controls and claims of compliance as a substitute for their own HIPAA security programs. While the vendor software itself may meet the requirements of HIPAA compliance for the discrete functions it performs, the truth of the matter is that no software or system that handles Protected Health Information (PHI) is HIPAA compliant until it has undergone a risk assessment by the regulated entity to determine the efficacy of its security controls in the user’s environment.

Adherence to HIPAA-required risk management processes and industry best practices should protect organizations from attacks. HIPAA requires that both covered entities and business associates maintain a security management process to implement policies and procedures to prevent, detect, contain, and correct security violations. The foundational step in the security management process is the risk assessment, which requires regulated entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the entity.

HIPAA compliant risk assessment

NIST Special Publication 800-66 identifies a protocol organizations may use for conducting a HIPAA compliant risk assessment. 800-66 generally identifies nine steps an organization should take in this regard. Significantly, the first two steps of the risk assessment process should be read together to identify all information systems containing PHI and ensure that all PHI created, maintained, or transmitted by the system is being maintained appropriately and that security controls are applied.

In the context of third party software and systems, the risk assessment process should be used to identify hidden repositories of PHI where unintended business functions or improper implementation cause PHI to be located outside of an organization’s secure environment. If third party software and systems are not identified within the scope of a risk assessment, and a disclosure or audit occurs, the government may impose penalties for not conducting a thorough risk assessment. Additionally, there is potential for third party lawsuits if a disclosure results. In a data breach dispute, the argument usually boils down to whether the controls the organization had in place were reasonable to protect PHI. In many cases, the plaintiffs use HIPAA as a standard of care, so that if an organization was not in compliance, the plaintiffs will argue the organization did not take reasonable steps to protect PHI.

While not conducting an accurate and thorough risk assessment may result in regulatory enforcement or litigation risk, failing to identify hidden repositories of PHI may also result in other HIPAA violations. If data is stored outside of its intended repository, it is unlikely that an appropriate data classification and associated security controls have been applied to the hidden repository. The result is that it is unlikely the HIPAA regulated entity is meeting the required technical implementation specifications of the HIPAA Security Rule with regard to the information contained in the hidden repository. In such situations it is unlikely that an organization has appropriate access and audit controls in place on systems that are not intended to store PHI.

Common vulnerabilities in electronic medical record (EMR) software

Software is developed for a specific purpose, such as managing patient information or insurance billing. Software’s core functionality is created during the development cycle, and security may be incorporated into the development process, or it may be an afterthought. Security is optimal when it exists within a software application and the environment where the application is hosted.

A recent data breach investigation

In a recent data breach investigation, Kivu encountered an integrated EMR software solution that stored patient records, including social security numbers (“SSNs”), on a Windows server. While the EMR application had protected access with unique credentials assigned to users, the server itself was accessible to all employees with domain credentials. The EMR software offered complete practice management capability in a single offering (such as patient management, prescriptions ordering and tracking, patient communications and billing).

The EMR software and the server housing the EMR software lacked appropriate controls to secure PHI. The presence of EMR login credentials in text-searchable files potentially negated the use of encryption for the EMR database. Unsecured directories provided the opportunity for any user to browse the server and potentially locate files containing patient data.

The audit capabilities of the EMR software were limited to the EMR database. As a result, externally stored files with patient data were outside the reach of the EMR software. PHI could have been exfiltrated without leaving evidence of file activity. For example, on a Windows computer, a hacker could use a Robocopy command to copy files, and the use of this command would leave no evidence of file access.

Using sophisticated search tools employing data pattern recognition, Kivu was able to identify numerous instances of PHI on the compromised server. The client was surprised by the result because they believed the EMR system was secure and HIPAA compliant. This was a painful lesson in the numerous (and dangerous) ways that sensitive data can leak from an otherwise secure system.

Kivu is a nationwide technology firm specializing in the forensic response to data breaches and proactive IT security compliance. Headquartered in San Francisco with offices in Los Angeles, New York and Washington DC, Kivu handles assignments throughout the US and is a pre-approved cyber forensics vendor for leading North American insurance carriers.

For more information about HIPAA data leakage and HIPAA compliant risk assessments, please read the full paper: Forensic Analysis Reveals Data Leaks in HIPAA Compliant Software or contact Kivu.

Some of the worst and most costly data breaches occur because an organisation doesn’t know what and how much data they have stored, says Winston Krone, Managing Director of Kivu Consulting. In many cases, businesses have simply been unaware that they hold sensitive data such as healthcare or financial information, and “…haven’t purged data, they haven’t taken it off line; they’ve treated old data…as being necessary to be instantly accessible,” Krone, a computer forensics expert, argues in an interview for Hiscox Global Insight.

What’s in an email?

Part 1
A particular area of exposure, Krone says – and this is particularly the case for professional services companies – is with the storage of unstructured data such as email. “It’s been the driver in many of the most expensive data breaches. The most common is email or a file server where you have attachments, spreadsheets, word documents. In a lot of these cases you don’t know what you’ve got. You may not even know that someone has sent you an attachment with a thousand names, dates of birth, social security.”

Krone adds: “Trying to determine how many mail boxes have been raided [following a breach] can be the work of weeks and then determining what data is inside those mail boxes can take 30-40 days. This pushes up the response time [and] the response costs.”

For many businesses, even if an attempted data breach is unsuccessful, the impact can be just as bad as a successful breach, explains Krone. “In most cases the attackers are stopped or seen. But the real problem for us, and it’s probably a problem in half our cases, is that the organisation was not logging or monitoring its own system sufficiently to allow us to disprove the hack. Unless we can prove what they did and what they’ve taken…that will be a de facto data breach with enormous costs and implications to the organisation.”

Given that it’s virtually impossible to protect against a data breach happening, however, Krone says that the best risk management happens well before a breach. “If you haven’t set up in advance your system so it’s recording evidence, so it’s logging evidence, data of who is coming in, where they’re coming in, what they’re doing, what they’re taking out of your system – you can’t go back in time and work that one out. That’s a crucial preparation to put in advance.” A good incident response plan is also important, Krone adds, as well as having a good understanding of what data an organisation holds.

Insurance sector can drive better risk management

The growth in cyber insurance is also playing a role in improving awareness of the cyber threat. “Just having the discussion about cyber insurance has required organisations to rethink their risk and how they’re mitigating these problems,” says Krone. “We see a huge difference between companies who have a cyber risk policy – or at least have gone down the road in deciding whether they should have one – and those who haven’t thought about it. It’s a huge educator and the more enlightened insurers are asking companies to really answer some deep questions. It’s a great way for disparate groups [in an organisation] – legal, risk management, HR, IT – to come together when they think about cyber insurance.”

Data choice

In such a fast changing environment however, where data breaches hitting the news become ever more significant in scale, Krone says that the real differentiator between good and bad businesses from an information security perspective, will be the way in which they deal with their data. “If you look at the example of financial institutions and healthcare – two [sectors] that are very regulated in the US and have got their act together – [a business] is either going to take [its] data and start heavily encrypting it and segregating it and making sure that nobody can get into it, or they’re going to take their data and say we’re not in the data storage business; we’re going to put it off to security accredited vendors. It’s really a question of whether smaller organisations are going to have the means and the budget to go down those two different roads.”

We make a multitude of assumptions every day, at times without giving them much thought. Assumptions are a part of our daily lives and how we interpret the world around us. They also impact our decisions, large and small.

Digital forensics is based on science, not magic. It’s not just pushing a button or running a tool and getting results. In forensics and e-discovery cases, assumptions can lead to mistakes, duplication of work and/or deliverables, and tension between you and a client.

Why do we make assumptions? It’s easy; it’s safe. It’s a habit derived from familiarity and performed out of safety. We’ve done or seen this before, so this must be what will happen. We expect or predict certain outcomes based on what has happened in the past. It serves as a form of protecting ourselves or, in some cases, placing us in control of a situation. It’s a way of convincing ourselves that how we act or what we do or say is right.

In his book The Seven Habits of Highly Effective People, Stephen Covey discusses paradigms, or how we see and interpret the world around us. Paradigms are often the basis of assumptions. Covey explains that these come from conditioning and habit, and that they influence our actions and behaviors. He observes that “we simply assume that the way we see things is the way they really are or the way they should be” (Covey 32).

Below are several types of assumptions and scenarios that arise often in forensics and e-discovery cases:

1) Access
Do you have access to the device or account you are collecting? Do you have the credentials? The presence of encryption or password protection on a device can hinder forensic preservation in some cases. For instance, if a custodian has their Apple device encrypted with FileVault, you will need to provide the pass phrase in order to decrypt the drive and image it with a tool such as MacQuisition. This also pertains to encryption or passcodes on other devices.

2) Visibility
Do your forensic tools parse the data properly? What types of files are present on your device? Are they operating system-specific files – only viewable on a Macintosh, Windows, or Linux operating system? Do you have the necessary tools to view and/or convert them if you need to provide them to a client? Will you need third party tools to parse or analyze certain types of files? Does a newer version of your tool parse your data in a way that an older version did not? Newer versions of forensic tools can support and collect more models of phones and parse more file systems. For example, EnCase 7 accurately parses the file and folder structure of Windows 8/8.1 devices, but EnCase 6 shows the F: partition, which contains much of the operating system and user data, as unallocated clusters and does not accurately parse the folder structure.

3) Authorization
Do you have authorization – legal or otherwise – to perform a collection, examination, and/or analysis? In civil litigation matters, no collection or analysis can be done until permission is granted by the attorneys or ultimate client. In criminal cases, this is typically applied via a search warrant. In child exploitation cases, do you have legal authorization to collect or seize devices? Do you have legal authorization to view pictures?

4) Authenticity/Accuracy
How do you know your data has not changed during the forensic preservation and/or replication processes? This is where hashes and verifying file integrity are important. If providing counts of files, how do you know you’ve accounted for everything on a system or within a data set? If providing native files, are you providing them to a client in a readable format?
– – – – – – – – – – – – – – – – – – – – – – – – – –
In confronting the dangers of assumptions, here are a few techniques that I have found useful in my personal and professional lives:

- Pull yourself back from the situation and ask yourself “why?” Why are you feeling like this? Why are you thinking this way? What is causing you to feel this way? Why are you jumping to this conclusion?

Try to do this not as a form of rationalizing or justifying your own behavior but as a means of understanding how and why you tend to make assumptions. Use this as a starting point to become more aware of your own thought process and to curb these habits.

- If unsure about something, ask before going forward (or perhaps making a statement or decision that could land you in hot water). This applies to personal and professional matters. Clarify issues with a client or project manager ahead of time.

Covey, Stephen R. The Seven Habits of Highly Effective People. New York: Simon & Schuster, 2004.

Kivu’s digital forensic professionals are seeing an ever-increasing number of Apple devices being used within organizations. Our forensic professionals have extensive Apple experience and have provided expert testimony on a number of legal cases involving Apple devices.

The Challenges of Collecting Data

Mac computers are known for having a secure delete function built into the system. This allows a user to overwrite the computer’s free space 1 time, 7 times or 35 times, making it impossible for forensic examiners to recover deleted data.

Mac computers also come with a built-in encryption feature called FileVault. If the user enables FileVault, examiners cannot image or access the contents of the computer until the encryption is bypassed, either with the user’s password or by extensive workarounds involving memory analysis to extract possible passwords. Some vendors claim to decrypt FileVault passwords, but the cost of this method is very high and may not provide the needed results.

iOS devices, such as iPhones and iPads, also present imaging challenges. Physical images are bit-for-bit copies of a device, which include deleted data. Physical acquisition of certain iPhone models is not possible, due to Apple’s encryption. To bypass the encryption, an examiner would need to “jailbreak the device.” This is a risky approach, since jailbreaking a device could lead to destroying current evidence and making the device unusable and inaccessible.

If physical acquisition of a certain iOS model is not possible and jail breaking is not feasible, a logical acquisition may suffice. The primary issue with logical data acquisition is that certain data cannot be extracted for analysis, including: deleted data, emails, cache files, and geo-locations. This, of course, causes a major issue for forensic examiners.

Apple Forensic Tools

The digital forensic professionals at Kivu Consulting are experts in forensically imaging and preserving Apple device data. Our forensic analysts are trained and certified in the industry-leading tools used to image and analyze Apple devices, such as MacQuisition, EnCase, Cellebrite, FTK Imager and BlackLight.

For Mac computers, MacQuisition allows for live data acquisitions, targeted data collections, and forensic imaging. This tool can acquire over 185 different Macintosh computer models and provides a built-in write-blocker to maintain data preservation.

Kivu uses tools such as EnCase, FTK Imager and BlackLight to analyze Macintosh forensic images, as well as to image and analyze iOS mobile devices. Our forensic experts hold the EnCase Certified Examiner and Certified BlackLight Examiner certifications, offered by Guidance Software (EnCase) and BlackBag Technologies.

Selected Kivu Engagements and Expert Testimony

About Kivu

Kivu Consulting combines technical and legal expertise to deliver investigative, discovery and forensic solutions worldwide.  Author, Thomas Langer, EnCE, CEH, is an Associate Director in Kivu’s Washington DC office. For more information about malware trends and what your company can do to better protect its environment and data, please contact Kivu.

Most computer compromises aren’t discovered until after an attack—sometimes days or weeks later. Shutting down a computer may halt malware activity, but it could have negative and unforeseen consequences. For example, it could become difficult to retrace information infiltrated by a hacker or botnet. This is particularly important if significant time has transpired between an attack and discovery of malware.

During a forensic investigation, there should be a balance between rushing to remove malware and understanding the scope of the malware infestation in order to find a solution that deters future attacks.

What is Malware?

Malware is software that is designed for illicit and potentially illegal purposes. Malware may be a single software program or a collection of programs used to accomplish tasks such as:

How Does Malware Infection Occur?

The Internet has opened the door to broad distribution of malware. It is possible for malware to originate from sources such as email, instant messaging, or infected file downloads. Malware can also spread through USB devices or connectivity to public WiFi hotspots.

The most complex malware tools may use a combination of distribution methods to infiltrate an organization. For example, an email may contain a hyperlink to a website that causes “dropper” software to download. The dropper software performs reconnaissance of its host computer and transmits results out to another computer on the Internet. The second computer analyzes the reconnaissance results and sends back malware that is customized to the host computer.

What are Common Types of Malware?

Virus software refers to software that inserts malicious code into a computer and has the capability of spreading to other computers. The ability to propagate is a requirement for malware to be classified as a virus or worm.

Worms are a type of malware that propagate across networks. A worm finds its way by reading network addresses or email contact lists and then copying itself to identified addresses. Worms may have specific capabilities, such as file encryption or installation of certain software, including remote access software.

Trojan Horse.
This type of malware enables unauthorized access to a victim computer. Unauthorized access could result in theft of data or a computer that becomes part of a distributed denial-of-service (DDoS) attack. Unlike viruses or worms, Trojan horse software does not spread to other computers.

Rootkit refers to malware that takes control of a host computer and is designed to evade detection. Rootkits accomplish evasion through tactics such as hiding in protected directories, running under hidden process names, or passing off their DLLs (Dynamic Link Libraries) as legitimate files, without the computer or user noticing an abnormality. Rootkits may defend themselves from deletion and may have the ability to re-spawn after deletion. Most notably, rootkits have the potential to operate in stealth mode for extensive periods of time and to communicate with external computers, often transmitting collected data from a victim computer.

The purpose of spyware is to collect data from a victim computer. Spyware may exist as malware that is installed on a host computer or embedded within a browser. Spyware may collect data over an extensive time period without the victim ever knowing the extent of the spying activity. Spyware may collect keyboard strokes, take screenshots of user activity, or utilize built-in cameras to record video.

Browser Hijacker.
This malware takes control of a user’s browser settings and changes the default home page and search engine. Browser hijacking software may disable search engine removal features and have the ability to re-generate after deletion. There may also be persistent, unwanted toolbars that attach to a browser.

Adware refers to software that has integrated advertising, particularly freeware software. Adware displays advertisements within the freeware product and transmits collected data back to a controlling party (e.g., an advertising distributor). A software creator may utilize advertisements to earn advertising revenue.

Ransomware is malware that encrypts part or all of a host computer. Encryption locks a victim out of important files or a computer until a ransom demand is paid, possibly in the form of bitcoins. If the ransom is paid, the victim has no guarantee that the ransomware will de-crypt the computer.

Investigating Malware

When a malware infection is suspected, care should be taken to investigate and collect evidence where possible while performing remediation to remove the malware infection. The following guidelines should be considered when malware is suspected. If a forensics team is involved with the investigation, the following points will be addressed by forensics examiners.

For more information about malware infection and forensic investigation, please contact Kivu.

One of the most popular email programs used today is Gmail. Kivu initiated a project to determine the most efficient and defensible process to collect Gmail account information. This blog post is the second in a series of articles that evaluate Gmail collection options for computer forensic purposes.

A common email client that can be incorporated into a forensic email collection is (shock horror) Microsoft Outlook. Outlook is included in the Microsoft Office package, and for many years it was king of email clients for the business environment. As the popularity of mobile phones and web-based clients increased, however, Microsoft Outlook’s use has declined.

We will be using the latest version, Outlook 2013, for our collection of forensic data. While not usually seen as a part of the forensic investigator’s tool kit, Microsoft Outlook has some interesting attributes that can be verified in use, and tested as to its output. You just need to know what you’re doing and (as in all forensic work) be able to confirm the veracity of the data.

Outlook has an option for IMAP setup that allows automatic testing of account credentials. Outlook will send an email from the account to the account to ensure that the account credentials are correct. Outlook 2010 has the ability to disable this test, but in Outlook 2013 the option is greyed out, and the test email is sent automatically. If account intrusion needs to be kept to a minimum, it is good to keep this in mind.

How to Use Microsoft Outlook for Gmail Collection, Step-by-Step

Change Microsoft Outlook Settings

To start your Gmail collection, check that the settings in the target Gmail account are set to IMAP. Then, open up the email account settings, either through Outlook or through the . Selecting … in the Email tab will prompt you for the service you wish to set up. Check , click on , and then select . Click again.

Unlike GM Vault, which we evaluated in the first article on this topic, a bit more work is needed to ensure a smooth email collection. In addition to User Name and Password, Outlook requests both the incoming and outgoing servers for the IMAP account.

User Information
Your Name: (Top Level Email Name)
(Collection Gmail address)
IMAP
(Collection Gmail address)
(Collection Gmail password)

Click on to open up Internet email settings. Under check the box for and use the same setting for your incoming mail server. Click on the tab and change the server port numbers to for incoming and for outgoing. Select for the encryption type for both, and set the server timeout to . These are Google’s recommended settings for using the Outlook client for Gmail accounts.

Start Gmail Collection

Go to the tab and click on the drop-down list for and select Define Send/Receive Groups…. In the pop-up window, select the and click on the right-hand side of the window. Check all boxes and select . If you want to collect only specific folders, use the to select the folders you want to collect. Click and click again. Then you can either select the drop-down menu or use the shortcut key (F9).

Track Gmail Collection

Once the collection has started, there are a few options and settings that can help minimize intrusion and track the collection – again, crucial steps if you are hoping to achieve a forensically sound collection. – whenever you select a new email, the previous email is marked as read. To change this setting, go into reading pane options either via the or the tab and click on the drop down menu. In the options screen . Now, Outlook will not mark the emails you view as read when you look through them.

For tracking, to ensure that you have reviewed the correct number of emails, you’ll need to tell Outlook to show all items in a folder rather than just the unread items. Unfortunately, this can only be done folder by folder. Right click on a folder and select . Select the option then click . Repeat with all of the folders that you are collecting. If a folder does not show a number, there are 0 emails in the folder. Compare the folder numbers with the counts you can view online at: Once all of the folder counts match, the collection is finished.
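The two goals of this section, leaving messages unread and confirming that every folder's local count matches the server's, can also be checked outside Outlook. The following is an added example, not part of the original post and not Kivu's tooling: it uses Python's standard imaplib against Gmail's IMAP interface, where the LIST and STATUS commands report folder names and message counts without opening a folder and therefore without setting the \Seen flag. The host, credentials and the sample LIST/STATUS responses are constructed for illustration.

```python
"""Verify an IMAP collection by folder counts without marking mail as read.

Added example built on the standard library only. LIST and STATUS are
read-only IMAP commands: unlike viewing a folder in a mail client they
never set the \\Seen flag, so the source mailbox is left exactly as found.
"""
import imaplib
import re
from typing import Dict, List, Tuple

# Untagged LIST response, e.g.  (\HasNoChildren) "/" "[Gmail]/All Mail"
LIST_RE = re.compile(
    rb'^\((?P<flags>[^)]*)\)\s+(?:"(?P<delim>[^"]*)"|NIL)\s+"?(?P<name>.*?)"?$'
)
# Untagged STATUS response, e.g.  "[Gmail]/All Mail" (MESSAGES 10 UNSEEN 2)
STATUS_RE = re.compile(rb'^"?(?P<name>[^"]+?)"?\s+\((?P<items>[^)]*)\)$')


def parse_list_line(line: bytes) -> Tuple[str, List[str]]:
    """Return (mailbox name, attribute flags) from one LIST response line."""
    m = LIST_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised LIST response: {line!r}")
    flags = [f.decode() for f in m.group("flags").split()]
    return m.group("name").decode("utf-8", "replace"), flags


def parse_status_line(line: bytes) -> Dict[str, int]:
    """Return {'MESSAGES': n, 'UNSEEN': n, ...} from one STATUS response line."""
    m = STATUS_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised STATUS response: {line!r}")
    items = m.group("items").split()
    return {k.decode(): int(v) for k, v in zip(items[0::2], items[1::2])}


def fetch_folder_counts(host: str, user: str, password: str) -> Dict[str, int]:
    """Log in over IMAPS and return {folder: message count} for every
    selectable folder. This is the only function that touches the network."""
    counts: Dict[str, int] = {}
    with imaplib.IMAP4_SSL(host, 993) as conn:   # logs out on exit
        conn.login(user, password)
        typ, listing = conn.list()
        if typ != "OK":
            raise RuntimeError("LIST failed")
        for entry in listing:
            if not isinstance(entry, bytes):     # literal continuations: skip
                continue
            name, flags = parse_list_line(entry)
            if "\\Noselect" in flags:            # container only, nothing to count
                continue
            # imaplib does not quote mailbox names, so quote names with spaces
            typ, data = conn.status(f'"{name}"', "(MESSAGES UNSEEN)")
            if typ == "OK":
                counts[name] = parse_status_line(data[0])["MESSAGES"]
    return counts


def compare_counts(collected: Dict[str, int], server: Dict[str, int]) -> List[str]:
    """List every discrepancy between local per-folder counts and the server's.
    An empty list means the collection is complete. A folder missing from the
    local side counts as 0, matching Outlook showing no number for it."""
    problems = []
    for folder, expected in server.items():
        got = collected.get(folder, 0)
        if got != expected:
            problems.append(f"{folder}: collected {got}, server reports {expected}")
    for folder in collected:
        if folder not in server:
            problems.append(f"{folder}: present locally but not on the server")
    return problems


# Constructed sample of what Gmail's IMAP server returns, so the parsers can
# be exercised offline exactly as fetch_folder_counts would use them.
SAMPLE_LIST = [
    b'(\\HasNoChildren) "/" "INBOX"',
    b'(\\Noselect \\HasChildren) "/" "[Gmail]"',
    b'(\\HasNoChildren \\All) "/" "[Gmail]/All Mail"',
]
SAMPLE_STATUS = {
    "INBOX": b'"INBOX" (MESSAGES 42 UNSEEN 3)',
    "[Gmail]/All Mail": b'"[Gmail]/All Mail" (MESSAGES 57 UNSEEN 3)',
}


def sample_server_counts() -> Dict[str, int]:
    """Run the parsers over the constructed sample."""
    counts: Dict[str, int] = {}
    for entry in SAMPLE_LIST:
        name, flags = parse_list_line(entry)
        if "\\Noselect" in flags:
            continue
        counts[name] = parse_status_line(SAMPLE_STATUS[name])["MESSAGES"]
    return counts


if __name__ == "__main__":
    server = sample_server_counts()
    print(server)
    print(compare_counts({"INBOX": 40}, server) or "collection complete")
```

In practice `fetch_folder_counts("imap.gmail.com", user, app_password)` would be run once before the collection and once after export, with the local per-folder item counts from the exported PST passed to `compare_counts`; the STATUS query is what makes this safe to repeat, because it never selects a folder.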

Working with Offline Email Storage

Outlook uses the Offline Storage Table (OST) format to store emails from POP, IMAP and other web-based email accounts offline when the Internet is not available. When server access is resumed, the accounts are synced to the cloud storage. Outlook also uses Personal Storage Table (PST) files to back up and transfer email files and accounts. While some forensic processing tools can extract data from OST files, almost all of them can extract the data from PST files. PST files can also be opened on any computer with Outlook.

To export the collected PST files, select , and then . Browse to where you want the file to be saved. Select so all items will be exported. Once the PST has been backed up and you have verified that the item count is correct, you can remove the account from the account settings and undo any options changed in the Gmail account. Then, inform your client that they can now access their email and should consider changing their password.

Following are the Pros and Cons of Using Microsoft Outlook for Forensic Investigation:

Pros:

• The wide availability of Outlook
• Once all options are set, processing is simple and quick
• Native PST export

Cons:

• Options are expansive and sometimes unintuitive
• Can be intrusive – Outlook sends test emails during setup and may mark unread mail as read

About Kivu

Kivu is a licensed California private investigations firm, which combines technical and legal expertise to deliver investigative, discovery and forensic solutions worldwide. Author, Thomas Larsen, is a data analyst in Kivu’s San Francisco office. For more information about how to retrieve and store Gmail messages for forensic investigation, please contact Kivu.

Within the past year, Kivu has seen several malware trends emerging, including exploitation in widely used software applications (Heartbleed, Bash, and Shellshock), cycles of ransomware and destructive malware (Master boot wiper, HD wiper), and an increase of rootkits, botnets and traditional drive-by malware. In 2015, we expect to see new malware trends, including an increase in social engineering (attack the weakest link), exploitation of identified security flaws in newly developed mobile payment applications, exploitation of cloud SharePoint systems, and the continuation of exploitation of traditional Point of Sale (POS) credit card systems. Kivu also expects an increase in exploit kits for all types of mobile devices and traditional devices that contain diverse functionality.

Following is what Kivu recommends that companies do to help secure their systems and data.

Protecting Your Computer Environment Against Malware

To protect your environment, Kivu recommends a strength-in-depth approach, coupled with segmentation of sensitive data. Segmenting your network environment adds an additional security layer by separating your sensitive traffic from other regular network traffic. Servers with PHI, PII or PCI should be segmented from the backbone and WAN. A separate firewall should protect this segmented data.

Ensure that your firewall is fine-tuned and hardened, and that vital security logs are maintained for at least 2-3 months. Conduct regular external and internal network vulnerability scans to test your security perimeter and detect vulnerabilities. Remediate these security flaws in a timely manner.

Perimeter protection devices require regular maintenance and monitoring. Ensure that your ingress/egress protection devices (IDS/IPS) are monitoring real time to detect malicious network traffic.

Be sure to maintain and update your software and system applications on a regular basis to eliminate security flaws and loopholes. Verify that all security applications within your environment are fine-tuned and hardened and that security logs are maintained. Review your security logs on a regular basis to ensure that logging is enabled and that valid data is being captured and preserved for an extended time period without being overwritten.

Remote Access Considerations

Kivu recommends limiting and controlling remote access within your environment with two-factor authentication. Create a strong password policy that includes changing passwords frequently and eliminating default passwords for systems and software applications that are public facing.

For outsourced IT services, make sure your data security is in compliance with the latest standards and policies. Maintain and verify on a regular basis that all 3rd party vendors follow outlined security policies and procedures. Eliminate account and password sharing and ensure that all 3rd party vendors use defined and unique accounts for remote access.

Securing Vulnerable Data

Protecting your data is not only the responsibility of Information Security; it is everyone’s responsibility to do their part to keep your environment safe and secure. Encrypt, protect and maintain your critical data. Upgrade older systems when possible and verify that sensitive data is encrypted during transmission and data storage. Manage and verify data protection with all 3rd party vendors.

About Kivu

Kivu is a licensed California private investigations firm, which combines technical and legal expertise to deliver investigative, discovery and forensic solutions worldwide. Author, Thomas Langer, EnCE, CEH, is an Associate Director in Kivu’s Washington DC office. For more information about malware trends and what your company can do to better protect its environment and data, please contact Kivu.

Social media has become a notable source of potential forensic evidence, with social media giant Facebook being a primary source of interest. With over 1.35 billion monthly active users as of September 30, 2014 [1], Facebook is considered the largest social networking platform.

Kivu is finding that forensic collection of Facebook (and other sources of social media evidence) can be a significant challenge because of these factors:

1. Facebook content is not a set of static files, but rather a collection of rendered database content and active programmatic scripts. It’s an interactive application delivered to users via a web browser. Each page of delivered Facebook content is uniquely created for a user on a specific device and browser. Ignoring the authentication and legal evidentiary issues, screen prints or PDF printouts of Facebook web pages often do not suffice for collecting this type of information – they simply miss parts of what would have been visible to the user – including, interestingly, the unique ads that were tailored to the specific user because of their preferences and prior viewing habits.

2. Most forensic collection tools have limitations in the capture of active Internet content, and this includes Facebook. Specialized tools, such as X1 Social Discovery and PageFreezer, can record and preserve Internet content, but gaps remain in the use of such tools. The forensic collection process must adapt to address the gaps (e.g., X1 Social Discovery does not capture all forms of video).

Below are guidelines that we at Kivu have developed for collecting Facebook account content as forensic evidence:

1. – Determine whether or not the custodian has provided their Facebook account credentials. If no credentials have been provided, the investigation is a “public collection” – that is, the collection needs to be based on what a Facebook user who is not “friends” with the target individual (or friends with any of the target individual’s friends, depending on how the target individual has set up their privacy settings) can access. If credentials have been provided, it is considered a “private collection,” and the investigator will need to confirm the scope of the collection with attorneys or the client, including what content to collect.

2. – Verifying an online presence through a collection tool as well as a web browser is a good way to validate the presence of the target account.

4. – (e.g. the entire account or just photos).

5. – which tool or combination of tools will be most effective? Make sure that your tool of choice can access and view the target profile. The tool X-1 Social Discovery, for example, uses the Facebook API to collect information from Facebook. The Facebook API is documented and provides a foundation for consistent collection versus a custom-built application that may not be entirely validated. Further, Facebook collections from other sources such as cached Google pages provide a method of cross-validating the data targeted for collection.

a. If photos are of importance and there is a large volume of photos to be collected, a batch script that can export all photos of interest can speed up the collection process. One method of doing so is a mouse recording tool.

b. Videos do not render properly while being downloaded for preservation, even when using forensic capture tools such as X-1 Social Discovery. If videos are an integral part of an investigation, the investigator will need to capture videos in their native format in addition to testing any forensic collection tool. It should be noted that there are tools such as to download the videos, and these tools in combination with forensic collection tools such as X-1 Social Discovery provide the capability to authenticate and preserve video-based evidence.

7. – If there are several hundred photos to collect, determine whether all photos can be collected. Identify whether an automated screen capture method is needed.


Kivu is a licensed California private investigations firm, which combines technical and legal expertise to deliver investigative, discovery and forensic solutions worldwide. Author Katherine Delude is a Digital Forensic Analyst in Kivu’s San Francisco office. To learn more about forensically preserving Facebook content, please contact Kivu.

[1] Accessed 11 December 2014.