J Wolfgang Goerlich's thoughts on Information Security
iOS Forensic website

By wolfgang. 2 August 2011 05:12

The iPhone Forensics book by Jonathan Zdziarski (NerveGas) is getting a little long in the tooth. The material covers iOS 2.x and Apple is now well into iOS 4.x, with 5.x on the horizon. The book is on iPhones and, of course, the iPad revolution is well underway. Where to now?

I see that Zdziarski launched an iOS Forensic Research website with up-to-date information. The site and its toolset are aimed at law enforcement and the military. He is also hosting a series of workshops (Advanced iOS Imaging and Investigation L-1) which cover a variety of forensics techniques on iPhones, iPods, and iPads. Here's hoping the site is extended to corporate InfoSec professionals.



iPhone Forensics book

By wolfgang. 2 October 2008 08:06

iPhone forensics guru Jonathan Zdziarski (NerveGas) has a book out with O'Reilly. "With iPhone use increasing in business networks, IT and security professionals face a serious challenge: these devices store an enormous amount of information. If your staff conducts business with iPhones, you need to know how to recover, analyze, and securely destroy sensitive data. iPhone Forensics supplies the knowledge necessary to conduct complete and highly specialized forensic analysis of the iPhone, iPhone 3G, and iPod Touch."

Amazon.com has the iPhone Forensics book online.



Detecting information leakage in Windows Server

By wolfgang. 22 October 2004 15:29

Information leakage can occur when people with access to sensitive information copy the information to an insecure location. For example, a company’s financials may be stored on a file server. This server has restricted CIFS share permissions and restricted NTFS file system permissions. An employee with access copies these financials down and burns them to a CD. As there are no permissions or restrictions on the CD, anyone now has access to this sensitive information.

Detective controls exist in Windows Server and Windows XP to catch these types of situations.


Simply set up SACL (system access control list) auditing on the file server. Right-click the folder, choose Properties, click the Security tab and then click Advanced. On the Advanced dialog, click the Auditing tab and then click Edit. I recommend checking "List Folder / Read Data", "Create Files / Write Data", "Create Folders / Append Data", and "Delete Subfolders and Files". This generates events in the Security log whenever files are accessed. For example:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: DOMAIN\username
Object Open:
 Object Server: Security
 Object Type: File
 Object Name: \Device\HarddiskVolume20\Share\Sensitive Files\Financials.xls
 Handle ID: 20492
 Operation ID: {0,1917999625}
 Process ID: 4
 Image File Name:
 Primary User Name: SERVER$
 Primary Domain: DOMAIN
 Primary Logon ID: (0x0,0x3E7)
 Client User Name: username
 Client Domain: DOMAIN
 Client Logon ID: (0x0,0x6CEC6800)
 Accesses: ReadData (or ListDirectory)


The event log will now tell you when files are opened, copied, or modified by employees. Next, watch the Windows desktops to see what they are doing with these files.

The registry contains a wealth of information on external storage devices. Monitor the following keys to see if external devices are being attached.

Floppy disks - [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\FDC]
Firewire devices - [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\sbp2]
USB - [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\usbstor]

Monitor other registry keys to see what programs are being run. In particular, look for bulk copy utilities, backup programs, FTP clients, CD burners, and so on. Open the user’s registry file (ntuser.dat) and browse to:


This UserAssist key will have several entries that represent recently used programs. Each entry is ROT13-encoded and formatted as follows: GUID, index, action, session key, number of times the application has executed, and date/time last executed. The section you want is the action; specifically, the UEME_RUNPAT<executable> entries. (See this page for more details on UserAssist: http://personal-computer-tutor.com/abc3/v29/vic29.htm)
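One way to put both halves of this approach to work, as an added example that is not from the post: a small Python parser for text-format Event ID 560 records like the one shown above, which counts each client user's reads under a watched share path (a spike in one user's count is the bulk-copy signal), plus a helper that decodes ROT13 UserAssist value names. The sample records and the UserAssist value name are constructed, not real log data.

```python
import codecs
import re
from collections import Counter

# Constructed sample: three Event ID 560 records trimmed to the fields used here.
SAMPLE_EVENTS = r"""Event ID: 560
 Object Name: \Device\HarddiskVolume20\Share\Sensitive Files\Financials.xls
 Client User Name: username
 Accesses: ReadData (or ListDirectory)

Event ID: 560
 Object Name: \Device\HarddiskVolume20\Share\Sensitive Files\Budget.xls
 Client User Name: username
 Accesses: ReadData (or ListDirectory)

Event ID: 560
 Object Name: \Device\HarddiskVolume20\Share\Public\Readme.txt
 Client User Name: other
 Accesses: ReadData (or ListDirectory)"""

FIELD = re.compile(r"^\s*([^:]+?):\s*(.*)$")  # "Field: value", leading space allowed

def parse_events(text):
    """Split a text dump into records (blank-line separated), one dict each."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events

def sensitive_reads(events, sensitive_prefix):
    """Count 560 ReadData events per client user whose object sits under the watched path."""
    counts = Counter()
    prefix = sensitive_prefix.lower()
    for ev in events:
        if (ev.get("Event ID") == "560"
                and ev.get("Accesses", "").startswith("ReadData")
                and ev.get("Object Name", "").lower().startswith(prefix)):
            counts[ev.get("Client User Name", "?")] += 1
    return counts

def decode_userassist(value_name):
    """UserAssist value names are ROT13-encoded; return the readable form."""
    return codecs.decode(value_name, "rot13")
```

Feed the output of the parser into whatever review process you use; a user with many reads of the sensitive path in a short window is the one whose desktop deserves the registry spot-check.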


In summary, enable SACL auditing on the Windows Servers and be prepared to spot-check Windows XP clients. By combining server-side auditing and client-side forensics, you will be able to curtail information disclosure.


Forensics | Security Information Management | Systems Engineering
