ArcPoint Newsletter, January 2022

DF Industry Happenings

Happy New Year! Something about a new year brings out renewed energy. Here at ArcPoint, our energy is endless. We are excited to be guests for the Cyber Social Hub live Hubcast in the month of January. The Hubcast will be a departure from talking about the Digital Forensics world and be an opportunity for ArcPoint to lift the curtain and tell you a little bit more about who we are. No topic is off limits, and we expect to have a few laughs at our own expense. Hope you all will tune in!

Team ArcPoint is looking forward to the annual Gasparilla Pirate Fest in Tampa, Florida. During this annual re-enactment of Tampa’s historic pirate invasion, Jose Gaspar parades his flotilla of ships - filled with swashbuckling pirates - through the streets of Tampa; it's quite the spectacular sight! When they dock at the Tampa Convention Center, the Mayor of Tampa surrenders the Key to the City to the Captain of Ye Mystic Krewe of Gasparilla.

Next month, the DFIR community does not disappoint with multiple events. Mark your calendars for the HackCON-IT-SECPRO virtual conference. The national Norwegian cyber security conference HackCon was established in 2005 by a network of Norwegian security experts. Their goal was to teach practical cyber security courses and lead conferences, as well as be a place to discuss and plan for future challenges within the cyber security community. This conference is for professionals who are genuinely concerned about IT security and who want to increase their skills to tackle current and future IT-security challenges.

The National Sheriffs’ Association Winter Conference is being held in Washington, DC from February 5-8, 2022. At the NSA Winter Conference, high-level leadership from federal agencies, members of Congress, and very active sheriffs come together to explore current legislation, learn about relevant topics, and explore trending technologies and products.

ArcPoint Company and Product News

We are happy to announce that ATRIO™ has been finalized and will be released this month! We concluded Phase II Testing, and our first orders have shipped. We are eager to hear success stories from customers who have evolved their DF workflow into the future with this streamlined solution that saves your most valuable resource: time!

Now that our first product has been released, we are gearing up for an ambitious 2022. We are working hard to incorporate mobile support into ATRIO™. We have three new products in our pipeline that are currently in the prototyping and development phase. Our vision is to create scalable solutions that evolve and complement our customers’ current operations and DF labs by reducing technical barriers in the DF field and by delivering faster results.

ArcPoint is proud to announce its partnership with PCi Tec. ArcPoint products are now available to purchase through PCi Tec. PCi Tec is a women-owned and operated small business located out of Virginia. PCi Tec has been providing innovative IT solutions and services to various markets and organizations since its inception. PCi Tec stands ready to assist government and non-government customers in achieving their mission. PCi Tec has several agency BPA and IDIQ contracts. PCi Tec recognizes the importance of contracting vehicles. They offer GWACs, BPAs, IDIQs, as well as agency-specific contracts. These contracting vehicles help our customers acquire and streamline procurement solutions.

ArcPoint Presents: Unallocated Space

This month we hosted Jason Hogan on our Podcast. In the episode, Jason discussed his experience as a Lieutenant Colonel in the U.S. Army for U.S. Cyber Command with offensive and defensive cyber operations and its relation to the digital forensics and the incident response community. We talked through the importance of the DoD Skills Bridge Program for those exiting the military and how to apply your skillset to the commercial sector. If you missed the episode, no worries, it is on our YouTube channel, hosted on Spotify, and Google Podcast. Join us this month, February 17th, with our new guest Heather Mahalik. We will be discussing "Roadmap for Digital Forensic Research." Heather is an advocate for the digital forensics and incident response community. She gives back by researching new mobile updates, validating new tools, teaching new analysis techniques at SANS Institute, and providing additional resources in her blog. Check it out on our YouTube channel and podcast platforms. Don't forget to subscribe and give us a thumbs up while enjoying the podcast.

Welcome to the Team!

This month we welcomed a new team member to the ArcPoint Family!

Patrick Carey is the new Customer Engagement Manager at ArcPoint. He attended West Virginia University and studied business. He has over 15 years of federal sales experience, including more than a decade in federal digital forensics sales. His understanding of the national space and customer helps his clients accomplish their mission.

Check out our Blog

Once a month, ArcPoint releases a blog to help individuals within the community grow and expand their skillsets. Our content is intended to be used as a refresher for experienced examiners and help individuals just getting started to expand their skillsets to make investigations easier. Check out Basic iOS Triage on our website.

Want a Demo? Just Ask!

ATRIO™ is an all-in-one digital forensics hardware/software solution that performs full physical imaging and data exploitation. It is designed to be intuitive and easy to use. Output is immediately accessible in a universally-compatible, non-proprietary format and can be viewed on any computer. There are no additional software programs, dongles, or other peripherals required to operate ATRIO™. Interested in getting a demo? Sign up on the ArcPoint website.

Monthly Tech Tip

If you ever need to identify the operating system of a forensic image, have no fear: it's only two commands away. Identifying the OS of the target device from a forensic image is an important first step. It will determine what artifacts you will search for and which tools you will use to perform those tasks.

To find out what OS we are working with, we will use the open-source tools “mmls” and “fsstat”. Below are the steps we will take.

First, we will use the command “mmls” to display the layout of the physical disk. The results will show the individual partitions and their corresponding start and end offsets. Here we can see that the disk contains an NTFS/exFAT partition at offset 2048; that is the one we are interested in.

$ mmls E01Name

The next step is identifying the file system and the OS contained within using the “fsstat” command. The command will be “fsstat -o 2048 E01Name”, where the ‘-o’ tells the program to look at the file system at offset 2048 within the given image.

$ fsstat -o 2048 E01Name

There we have it, the OS is Windows XP! Along with the OS information, it also gives you additional tidbits that can be used later in your investigation like volume serial number, MFT information, and cluster range.
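The two steps above can be scripted so that every allocated partition in the image is checked, not just the one at offset 2048. This is an added example, not ArcPoint's code; the function names and the sample mmls/fsstat output embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ArcPoint's code): run mmls, then fsstat on each partition.

# Read mmls output on stdin; print the start sector of every allocated
# partition. "Meta" rows (partition tables) and "-------" rows
# (unallocated space) are skipped. Leading zeros are stripped as text.
partition_offsets() {
    awk '$1 ~ /^[0-9]+:$/ && $2 != "Meta" && $2 !~ /^-+$/ {
             sub(/^0+/, "", $3); print ($3 == "" ? 0 : $3) }'
}

# Read fsstat output on stdin; keep the lines that identify the file system.
# For NTFS, the Version line reflects the NTFS version recorded on the volume.
os_summary() {
    grep -E '^(File System Type|Version|Volume Serial Number):'
}

# Both steps for one image. Requires The Sleuth Kit (mmls, fsstat) on PATH.
identify_os() {
    mmls "$1" | partition_offsets | while read -r off; do
        echo "== partition at sector $off =="
        fsstat -o "$off" "$1" 2>/dev/null | os_summary ||
            echo "no recognizable file system"
    done
}

# Constructed sample outputs, for trying the parsers without an image.
sample_mmls() { cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0041943039   0041940992   NTFS / exFAT (0x07)
003:  000:001   0041943040   0083886079   0041943040   Linux (0x83)
EOF
}
sample_fsstat() { cat <<'EOF'
FILE SYSTEM INFORMATION
File System Type: NTFS
Volume Serial Number: 0123456789ABCDEF
Version: Windows XP
EOF
}

# Usage: sh identify_os.sh E01Name
if [ "$#" -ge 1 ] && command -v mmls >/dev/null 2>&1; then identify_os "$1"; fi
```

Because the Version line comes from the file system itself, corroborate the OS with artifacts inside the volume before relying on it in a report.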

Hope this helps!
