ArcPoint Newsletter, May 2022

DF Industry Happenings

The month of May was full of in-person and virtual conferences! The ArcPoint Team attended three conferences this month: the Technology Innovation Days, the Techno Security & Digital Forensics Conference, and SOFIC. In addition, our team showcased our flagship product, ATRIO™, and gave users a sneak peek at what is coming in the next release.

ArcPoint held a networking event that allowed users to view Tampa’s Riverwalk and the University of Tampa while getting hands-on demos of our products. The event was held to gather information about the critical value-added features end-users seek in their DFIR toolkit. It was a success, and we are incorporating those features into our next update.

Next month, the ArcPoint Team will be attending the National Law Enforcement Training for Child Exploitation in Atlanta, Georgia. We look forward to meeting end-users and other key partners to train on how to use ATRIO™ with existing workflows to improve and streamline these processes.

The Cyber Social Hub will be hosting a live webinar on July 13, 2022, at 2:00 PM with Cesar Quezada. This free event requires those interested to register on the website. Cesar Quezada is an experienced technical professional with over ten years’ experience in digital forensics, military intelligence, and computer systems administration. He supports the DoD in conducting forensic examinations and is currently Company Commander of a Cyber Security Company in the Virginia Army National Guard. He holds a Master’s Degree in Computer Forensics and numerous forensic and technical certifications. Cesar joined the military to give back to the community and help make this country safer. His path to DFIR wasn’t conventional, and he believes that applies to many practitioners. But one trait he believes all practitioners share is the desire to help make this world a safer place.

He has experienced two overseas deployments to war zones, one in uniform as a military officer and one as a DoD contractor, so he knows the difficulties of getting the right people trained and equipped. He believes in empowering more people by giving them the knowledge, tools, and technology to help in that cause, so working with ArcPoint absolutely fits that bill.

ArcPoint Company and Product News

The ArcPoint Team has been busy making improvements and adding features requested by our end-users. We’ve added two early access features: report review in the dashboard and a pre-analysis report. ATRIO™ will automatically perform an initial analysis and report on the files and file system whenever a source drive is plugged in. These reports contain a file count, the 30 largest files, and additional source drive details that can be used to triage the drive quickly. These reports are created regardless of whether ATRIO™ performs any other function.

This month, ArcPoint’s hard-charging development team finalized the production of the FTP server and reporting capability. The ATRIO™ Dashboard is a web page, accessed in a browser, that shows the current progress of ATRIO’s jobs. The dashboard shows important information like drive count, current tasks, image progress, and more. The charts and graphs are interactive and provide additional data when the mouse hovers over each component. In addition, users can now access extracted files in real time without waiting for ATRIO™ to complete its processing!

Report Dashboard

In addition to those features, ATRIO™ now features real-time AI reports on the ATRIO™ dashboard. To help users make quick, informed decisions on the collected evidence, ATRIO™ augments its processing with developmental open-source Artificial Intelligence features in computer vision and natural language processing. Users can instruct ATRIO™ to carry out object detection on photos, natural language translation, and word extraction from audio and documents. These features are continuously being improved! ATRIO™ AI Assist now includes 27 different object classes, and the ArcPoint Team has also enhanced our handgun detection class this month for improved accuracy!

ArcPoint Presents: Unallocated Space


This month we host Jennifer Salvadori, Event Director for the Techno Security & Digital Forensics Conference, an extremely well-rounded trade show/events professional. Jennifer keenly understands what makes an event run smoothly from start to finish, from exhibit sales to onsite logistics. Her experience in the events industry spans nearly 30 years.

Before entering the events industry, Jennifer seriously considered joining the police academy. Growing up in a military family, Jennifer was raised with a strong value system and a commitment to truth and justice. Jennifer’s passion to “help get the bad guys,” combined with her event industry experience, has made her the “face of Techno” for over seven years. Her outgoing personality, dedicated approach, and devotion to the brand are apparent to all she meets. Jennifer gives us the background on why the Techno Security & Digital Forensics Conference was started, how she initially got involved with the conference, the impact the show has had on the DFIR industry, the challenges faced behind the scenes, and what the future holds for this tradeshow. Watch it now!

Next month we host Jamie Levy! Jamie Levy is a senior researcher and developer of the Volatility Framework. She is also the Director of R&D at Huntress. Before this, Jamie was Director of EDR Content at Tanium, where she helped build out DFIR content for the Threat Response module and various other security and DFIR-related R&D efforts. In addition, she has worked on multiple R&D projects and forensic cases while previously working at Guidance Software, Inc., Verizon Terremark, and SecureWorks.

Jamie has taught Computer Forensics and Computer Science classes at Queens College (CUNY) and John Jay College (CUNY). She has a Master’s in Forensic Computing from John Jay College and is an avid contributor to the open-source Computer Forensics community.

Jamie has authored peer-reviewed conference publications and presented at conferences (OMFW, CEIC, IEEE ICC, EnFuse, ACSAC, NYBA, OSDFCon) on the topics of memory, network, and malware analysis. Jamie is a well-respected member of the DFIR community, sits on the board of directors for the Volatility Foundation, and has served on the program committee for such conferences as DFRWS, BSidesNYC, and IWCMC Security Conference (among others). Jamie is also a trainer on the topics of Digital Forensics and Incident Response, as well as Memory Forensics.

Jamie shares her story about the DFIR community and how her interest in memory forensics has given her fulfillment through giving back to individuals just starting out or looking to take a deeper look into memory forensics. As an expert in the community who works from home, Jamie offers up incredible tips for balance! She shares how she schedules breaks throughout the day with calendar blocks, personal hobbies, and firm start-to-end cut-offs to help her unwind.

This episode of Unallocated Space will be available on our YouTube Channel on June 16. So, please subscribe to our channel and follow us on social media to stay updated with the latest episodes, product developments, and company news.

Check out our Blog

Once a month, ArcPoint releases a blog post to help individuals within the community grow and expand their skillsets. Our content is intended as a refresher for experienced examiners and as a way for individuals just getting started to expand their skillsets and make investigations easier. Check out Comparison of iOS: Encrypted vs. Unencrypted on our website. This post looks at a few free resources available for iOS examinations to compare encrypted and unencrypted data.

Want a Demo? Just Ask!

ATRIO™ is an all-in-one digital forensics hardware/software solution that performs full physical imaging and data exploitation. It is designed to be intuitive and easy to use. Output is immediately accessible in a universally compatible, non-proprietary format and can be viewed on any computer. No additional software programs, dongles, or other peripherals are required to operate ATRIO™. Interested in getting a demo? Sign up on the ArcPoint website.

Monthly Tech Tip

Last month we showed how you can search for a specific file name within an image using fls. If the file is found within the file system, fls outputs its path and inode number. This month we want to show how to extract the file using that inode number with icat, another tool within The Sleuth Kit that opens an image and copies a file out to standard output.

Below is the output we obtained from using fls to find the file “Sightings2005.xls”. The “r/r” shows that this is a regular file, and the number that follows is the inode address, which in our case is 154612-128-5.

Image 1-1

Knowing the inode number, we use the icat command to search the HD01.E01 image, starting at offset 1001472, for the file with inode address 154612-128-5. We then redirect standard output to a file with the same name as the original file.

$ icat -o 1001472 HD1.E01 154612-128-5 > Sightings2005.xls

Image 2-1

Voila! Once icat finds the file and writes the output, we can find the file in our directory. Once opened, we confirmed with the customer that this was indeed the correct file.

Image 3-1

While there are many limitations to this process, it does give an investigator another path to find and extract files of interest to a case, especially if you are waiting for the full processing of an image/drive to be completed. In our case, it confirmed that the file existed and gave us an immediate deliverable to the customer.
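The fls-then-icat workflow above as an added shell example (not the newsletter's own commands): it pulls the inode address out of an fls listing for a given file name, then hands it to icat. The image name and offset are the ones used in the tip; the fls listing and the directory paths in it are constructed sample data, and The Sleuth Kit is only needed for the two functions that actually read an image.

```shell
#!/bin/sh
# Added example, not the newsletter's own commands. Image name and offset are
# the ones from the tech tip; the fls listing below is CONSTRUCTED sample data.
# The Sleuth Kit (fls, icat) is only needed by extract_by_meta/find_and_extract.

# fls -o OFFSET -r -p IMAGE prints one entry per line, e.g.
#   r/r 154612-128-5:<TAB>Users/Bob/Documents/Sightings2005.xls
# "r/r" = regular file; a "*" after it marks a deleted (unallocated) entry.
# On NTFS the address is MFT entry-attribute type-attribute id (128 = $DATA).
SAMPLE_FLS=$(printf 'd/d 5-144-1:\tUsers\n'\
'r/r 154612-128-5:\tUsers/Bob/Documents/Sightings2005.xls\n'\
'r/r * 154700-128-1:\tUsers/Bob/Documents/old copy.xls\n'\
'r/r 9-128-1:\t$Boot\n')

# meta_addr_from_fls FILENAME   (reads fls output on stdin)
# Prints the metadata address of the first allocated regular file whose
# basename is FILENAME. Deleted entries are skipped on purpose: their data
# runs may already be reused, so carve those separately and label them as such.
meta_addr_from_fls() {
    awk -v want="$1" '
        $1 == "r/r" && $2 != "*" {
            addr = $2; sub(/:$/, "", addr)
            path = substr($0, index($0, "\t") + 1)
            n = split(path, parts, "/")
            if (parts[n] == want) { print addr; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# extract_by_meta IMAGE OFFSET META_ADDR OUTFILE
# icat copies the named data attribute to stdout; keep a hash of the copy so
# the deliverable can be tied back to the image later.
extract_by_meta() {
    icat -o "$2" "$1" "$3" > "$4" || return 1
    sha256sum "$4" > "$4.sha256"
}

# find_and_extract IMAGE OFFSET FILENAME OUTDIR: the whole fls -> icat workflow.
find_and_extract() {
    addr=$(fls -o "$2" -r -p "$1" | meta_addr_from_fls "$3") || return 1
    extract_by_meta "$1" "$2" "$addr" "$4/$3"
}

# Stand-alone check on the constructed listing (no image needed):
#   printf '%s\n' "$SAMPLE_FLS" | meta_addr_from_fls Sightings2005.xls
# prints 154612-128-5, which is exactly the argument icat takes, e.g.
#   find_and_extract HD1.E01 1001472 Sightings2005.xls ./out
```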
