Digital forensics workshop with Simon Biles

by Gwenyth Rooijackers

A group of 8 persons gathered on Wednesday the 25th of April to start off the conference with Simon Biles’ workshop on digital forensics. As life moves more and more into the digital world, so does crime. Simon Biles gave us a short introduction to a key part in this rather new area of prosecution.

The day started with a look at life in digital forensics. Along with a couple of insights into the emotional aspects of being an expert witness in digital forensics, we looked at the handling of evidence and the guidelines of the Association of Police Officers.

In the scenario set up for the workshop, we were acting for the prosecution. The case concerned a group of people accused of stealing cars, creating new VINs, copying keys, etc. After a raid on the garage, only a 1 GB USB drive was recovered. Our task was to examine this USB drive.

Before lunch, Biles guided us through imaging the content of the drive without making any changes to the drive itself (i.e. the evidence), mounting the image to access the stored information, and browsing the partitions of the drive. We also had a look at the deleted files (including the file evil_plans.txt, revealing the plans of the criminals 🙂).
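As an added example (not code from the workshop or from this page), the steps above in Python: checking that a bit-for-bit image matches the source by hash, then reading the MBR partition table to find the byte offset needed to loop-mount a partition read-only. The sample "drive" is constructed inline and is not the workshop's evidence; the dd-style copy is simulated in memory.

```python
import hashlib
import struct

SECTOR = 512
PART_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_drive() -> bytes:
    """Constructed sample: MBR with one bootable FAT32 (0x0C) partition at
    sector 2048, plus a few filler sectors. Not real evidence."""
    entry = struct.pack(PART_ENTRY, 0x80, b"\0\0\0", 0x0C, b"\0\0\0", 2048, 4096)
    mbr = b"\0" * 446 + entry + b"\0" * 48 + b"\x55\xaa"
    return mbr + b"\xab" * (SECTOR * 7)

def image_and_verify(source: bytes) -> tuple[bytes, str, bool]:
    """Stand-in for dd: copy every byte of the source device, then hash source
    and image. A matching hash is what makes the copy defensible; the source
    itself is only ever read, never written."""
    image = bytes(source)
    source_hash = hashlib.sha256(source).hexdigest()
    image_hash = hashlib.sha256(image).hexdigest()
    return image, image_hash, source_hash == image_hash

def parse_mbr(image: bytes) -> list[dict]:
    """Read the four primary partition entries from the MBR (what mmls prints)."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR-partitioned image")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, image[off:off + 16])
        if ptype == 0:  # empty slot
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "start_sector": lba, "sectors": count,
                      "byte_offset": lba * SECTOR})
    return parts

def mount_command(part: dict, image_path: str, mountpoint: str = "/mnt/evidence") -> str:
    """Loop-mount one partition from the image read-only, so examining it
    cannot alter the evidence (noexec keeps nothing on it from running)."""
    return (f"mount -o ro,noexec,loop,offset={part['byte_offset']} "
            f"{image_path} {mountpoint}")

if __name__ == "__main__":
    drive = build_sample_drive()
    image, digest, ok = image_and_verify(drive)
    print("sha256", digest, "verified" if ok else "MISMATCH")
    for p in parse_mbr(image):
        print(p)
        print(mount_command(p, "evidence.dd"))
```

On a real image the same offset arithmetic applies to the start sector that mmls reports, and the hash should be recorded alongside the image at acquisition time.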

In the afternoon we were introduced to Autopsy. This programme gives a quick, automated overview of the examination we had done manually before noon.

To round up the workshop, there was a nice discussion with questions to the speaker. Thank you for today, Simon!

Want to learn more about digital forensics? Biles recommended Forensic Computing: A Practitioner’s Guide by Anthony Sammes and Brian Jenkinson for an introduction to digital forensics or File System Forensic Analysis by Brian Carrier for an introduction to file systems.

Just some stats

This year we have tried to make better use of the FLOSSUK YouTube channel. The first stage of that was to ensure that conference videos appear as quickly as possible online (we would love to stream but there are complications in doing that which we still have yet to overcome).

We also wanted to make sure we check the statistics and try to engage people with more notification of the videos and unique events at the conference. This was greatly helped when we unveiled the KDE Slimbook at our Spring Conference (YouTube playlist), which garnered a number of views. However, all the videos this year have received a bump in their popularity. Let me show you some of the stats before I give a brief analysis.

I have placed them next to the 2016 figures. Note that we are only just under halfway through 2017, though if the video viewing habits follow previous years, our greatest percentage of views is in the first 4 months.

2017: Watch Time (so far)


2016: Watch Time

2017: Average View (so far)

2016: Average View

2017: Total Views (so far)

2016: Total Views

2017: Likes, Dislikes and Comments (so far)

2016: Likes, Dislikes and Comments

2017: Shares, Playlists, Subscribers (so far)

2016: Shares, Playlists, Subscribers

So what are the numbers telling us?

Well, we have generally had a positive time. As a warning, we have to note that some of the numbers are skewed by the unveiling of the KDE Slimbook. This gave us some disproportionate effects, not all positive, as the following screen grab shows.

So the unveiling accounts for the majority of our stats (about 58%), which we must take into account. However, it was a conscious decision to use this form of promotion, and therefore it can be seen as part of the overall plan as well as serendipity.

A quick run through of what we can see for 5 months versus the previous year:

  • We have 1,299 hours (77,999 minutes) more watch time, which is 520 hours more without the Slimbook;
  • The watch time is lower; this is due to the Slimbook video being shorter than the average videos;
  • Total views is 26,000 more, or 3,000 more sans Slimbook;
  • Likes is 188 vs 11 or 64 vs 11 (Slimbook);
  • Dislikes, well we had none of these but the Slimbook has granted us more negativity by exposure;
  • We also have positive engagement with 22 comments, 3 not on the Slimbook;
  • We have nine times as many shares, and a number of these had nothing to do with the Slimbook;
  • There are 100 extra videos in playlists. Bit of a confusing stat, as we didn’t add 100 videos; it is more that we also organised the channel better to have videos in playlists, and this has been beneficial;
  • We have 80% more Subscribers, which is great.

So the addition of the very popular video has been hugely beneficial, but the numbers also show that the positive promotion, organisation and engagement have shown a good return.

We are always interested to hear feedback, suggestions or just your general thoughts, so please drop us a comment.

Amendment 1

I rather foolishly forgot to thank some people when I first wrote this article, which I would like to correct.

  • Tom Bloor did an excellent job of videoing, editing and rendering all of the video files all in his free time. Thanks Tom, great work and really appreciated.
  • The speakers have always put a lot of effort into presenting talks and contributing to the community, thanks to all the speakers who we are able to meet, listen to and present to others. You rock.

Why Powershell?

by: Finn Kempers

I attended the Powershell course at FLOSSUK Spring Conference 2017. These are my day notes.

Introduction

The Windows cmd scripting environment was awful. Python is needlessly complicated. Perl jokes. Shell script is simple. Efficient data flow is required, which good UNIX environments have. Microsoft realised they needed this themselves, which is why PowerShell was made. Microsoft are adding bash and SSH (presumably into PowerShell). Office 365 or the GUI can manage PowerShell. Registered Microsoft trademark. A scripting language, both usable and powerful.

Covered

Shell basics. Variables, Date & Time, Environment, Files, Scripts and script editors, logic, data and objects, writing scripts, and where next?
Written with researchers handling data in mind.

Commandlets

Command forms:

  • "verb-noun". Example: "get-childitem". This makes the commands fairly self-documenting.
  • Write-host "Hello World" (similar to echo)
  • [get-]help write-host (similar to -h or man on Linux; man works too as an alias in PowerShell)

Variables

Variables allow you to reference values that can change. Types are assumed; however, by typing for example "[float] $a=4", it will specifically store the variable as a single-precision floating-point value. The type of a variable can be verified with "$VARIABLE.getType()".

  • $a=4 assumed int
  • $b=7.2 assumed float
  • $name="James"
  • $city=("X","Y")
  • $Filofax=$null

You still need to use the dollar sign, unlike in shell script.

Hashes

Perl-like key/value pairs, also called a dictionary. Allows for lookups.

Environment

Get-childitem env:\ lists all environment variables, or get a specific one such as the username with get-childitem env:\username. Typing $env:username shows the username itself.
The environment is inherited from the parent process. See the Powerpoint for example commands. An environment variable in a child will only be what is defined in the child; exiting to the parent will make it use what was defined in the parent again, as it always has on Linux and Windows, but before on Windows you didn’t really have access to it.

  • Redirection and the pipe:
    • Symbols ">", "<" and "|"
      • It is basically straight-up Unix; see the Powerpoint for the example.

Thoughts

Learning PowerShell is very useful for Unix people, because it is basically a Unix environment for Windows, offers a great CV opportunity and is a possible new leader in shell environments to take on the current world.

  • "Hello world" | out-file (-append) C:\blah\hello.txt (writes the file; will overwrite unless -append is given)
  • Get-content C:\blah\hello.txt (will ping back "hello world" by reading it; note also that the capitalisation on commands like get-content is optional, and "cat" is an alias for "get-content")
  • $myfilecontents=get-content "filepath" and $myfilecontents | out-file "filepath" will work on the content in the memory of the computer. Useful for big computers with lots of memory.

Scripts are only touched on here but are useful for frequent use and such. Cmdlets can be scripts too, such as making your own script that runs when invoking "make-dinner", if one makes such a thing. MSDN has useful articles on learning PowerShell; simple search-engine common sense helps in learning it. http://www.powersearchingwithgoogle.com/ can be used well with PowerShell too and is useful. PowerShell is basically a ripoff of the best of Unix environments.

Rich object models, Office integration and so on are features only available when running on Windows. If running on a non-Linux OS, it is basically just a shell.

"foreach ( $file in gci . ){ write-host -ForegroundColor Cyan $file.FullName }" changes the text colour. You can however click the PowerShell icon on the window in Windows and choose Properties to change various settings too.

Also available is the Windows PowerShell Integrated Scripting Environment (ISE), which is an environment for making PowerShell scripts.

PowerShell gives easily scalable power that a lot of Unix sysadmins will be familiar with. CSVs can be imported into PowerShell rather nicely; see 11.3 in the Powershell.pdf.

The latter half of the tutorial was essentially chit-chat, bending PowerShell in a variety of ways to sate our various curiosities and discussing various technologies, though none hugely relevant to the topic itself. It is worth researching the topic of doing complex custom objects in PowerShell:

Notes

Files are provided, including the Powerpoint (also in PDF form), in the drive folder this is located in. It also provides a Powershell.pdf, which is a workbook for people to try out. The workbook is also available from:

This is all property of the University of Edinburgh. A Unix course is also available on the same site.

About

Finn Kempers is currently studying web technologies at Lancaster and Morecambe College and as an intern developing in Perl, Javascript and Web Frameworks at Shadowcat Systems Limited.

[Note: The views and opinions represented in this review are those of the author and the author alone. FLOSSUK is not responsible for any opinions, comments or values expressed by the author. If you have any concern regarding what has been written you may contact the council at council@flossuk.org.]