GigaTribe ChatLog Viewer released

23. August 2010 13:42

We have just written a free tool to parse GigaTribe chat logs and output the results into a friendly tab separated values (tsv) file, which can be opened using Excel to allow sorting, filtering and all of the other analytical goodies that Excel brings to the party.

Simply export the chat logs from your forensic application of choice to a folder somewhere and point “GigaView” at the folder. It’s very rapid and puts the output in a .tsv file in the same folder.

You can download a copy of this free tool from our Forensic Tools page.


Categories: Free Tools | News

Breakfast briefing

14. July 2010 09:08

Are your clients adequately prepared when security incidents occur?

At the QCC London office this morning, a small group of information security experts and corporate lawyers discussed the need for forensic preparedness, the considerations, process to follow and the pitfalls that surround legal cases involving investigations and digital forensics.

The group heard from the Information Security Officer of a major international bank about his experience of security incident investigations and the need for organisations to have a plan in place and run tests on a regular basis to keep strategies and processes up to date. “It does not make financial sense to have an in-house forensic investigator when you may only have one or two cases a year. It is significantly better to have a retainer with an external firm of forensic experts who adhere to best practice principles, have the expertise, credibility and in-depth knowledge required to present evidence to a tribunal or Court,” he said. “Third party investigations provide an independence from internal company politics and add a level of integrity to the results which can help greatly when these are subject to a vigorous and robust examination by the other side.”

John Douglas, QCC Forensic Laboratory Manager, explained the forensic process in more depth and the importance of keeping the evidence ‘sound’. One of the key success factors in managing any incident is setting up relationships with vendors long before they are needed. This ensures that when things go wrong, time is not lost trying to find the right person to call to resolve the issue. The buy-in of board members to the process is also significant here. This will help ensure that management are not too focussed on the possible reputational loss arising from the incident and that the incident is handled properly. The dilemma between the need to restore information to get the business running again and the need to investigate the cause to ensure it won’t be repeated was also analysed in some depth.

The breakfast discussion continued around best practice and ended with a great question and answer session looking at some specific case studies. This was our first breakfast briefing, with a great selection of food and coffee ensuring that the early morning meeting started the day on the right foot.

The next briefing will be on “Forensics in the Cloud” on the 14th of October 2010. If you’d like to attend, drop us a note to ‘contact@qccis.com’.


Categories: News

More CaseNotes Updates

8. June 2010 08:41

I’ve made a few updates to CaseNotes to fix a couple of niggling bugs. The first was an inability to display the AM/PM characters correctly in Hangul for Korean users. Rather than try to sort this out for each and every possible language/format combination, I’ve hard coded it to now record the timestamp in 24 hour format regardless of your regional settings. The date remains as it was.

I also had requests to solve an issue regarding unsaved changes. It seems that when a case is closed for whatever reason, if there are unsaved changes then there is only the option to save them; ‘yes’ or ‘no’. Several users asked that a ‘cancel’ option be added to make this process a little more flexible – this has been done.

Lastly, I’ve made a few changes to the way that files are saved and backups are created to reduce the possibility of header data being lost. This includes better feedback to indicate that CaseNotes is busy, so that the save will complete without interruption. To this end, I’ve added a new feature to validate the backup files for a case. With the case file open, choose ‘Validate Case File Backups’ and each of the backup files for your case will be opened and their integrity checked – a report will be displayed on screen and this will be written to the audit log too.

CaseNotes options

I’m making progress with the new user checklist tab, but coding the editor is proving problematic – watch this space!

I’ve been going through the contact details for everyone that I have and sorting out those of you who have said you’d be happy to beta test the next software version. I hope to get an email out to you soon giving you some information about timings and what I need to be tested. I’m especially interested in those of you working in languages other than English and with double-byte character sets.

Speak to you soon.


Categories: CaseNotes | Free Tools | News

VideoTriage updated

18. May 2010 13:31

Following a few requests, VideoTriage has been updated to add a text based audit log file to its output.

The log file will record the root folder processed, along with each filename, the playback rate and screen capture interval. Helpfully, when the long filenames typically associated with peer-to-peer networks are encountered, VT will rename these by shortening and adding in #TRUNC# to the filename to indicate it has been truncated. This is also logged in the log file.

If you have any additional requests, drop me a line at “contact” at qcc dot co dot uk.


Categories: News | Free Tools

Re-certification to ISO27001

10. May 2010 14:09

QCC Information Security is proud to announce our continued certification to the ISO27001 standard for Information Security Management. As you would imagine, we take information security very seriously and are constantly monitoring our own systems to ensure that they are as robust and effective as possible. We are totally committed to maintaining our ISO27001 accredited status now and in the future.

Early in 2007 we took a decision to invest in a project to build an ISO standard compliant Information Security Management System (ISMS) that would satisfy three core objectives: To provide an effective system for managing information on behalf of others; to ensure best practice and consistency throughout the organisation in managing information, and to demonstrate to customers, in a verifiable and industry recognised manner, that their information is protected within QCC, in turn helping them to meet demands for regulatory compliance and governance relating to information security.

Neil Hare-Brown, CEO, commented: “I am very pleased that we continue to meet the accreditation requirements of this important certification. We have always taken our responsibilities for securing sensitive information seriously, especially where customer data is concerned. Becoming and retaining ISO27001 certification is a major endorsement of our procedures and clearly demonstrates QCC's ongoing commitment in this area, as well as positioning QCC as a compliant supplier to aid customers in meeting the challenge of increasing governance in information security.”


Categories: News | SRM News

CaseNotes Updated!

4. May 2010 15:52

I’ve finally had a bit of time to fix a few annoying anomalies with CaseNotes that have been causing a few headaches for users.

This is an incremental release, so there isn’t any new functionality – just bug fixes. A list of the fixes is shown below:

  • Case file backups only made during explicit user initiated saves
  • Backup copies now stored in a dedicated sub-folder
  • Number of case file backups increased from 3 to 10
  • Greater assistance for the corrupt case file 'password' issue
  • New menu item to reset screen position data to fix maximised windows
  • Fix for Open File dialog not recognising .Notes files in Windows 7
  • New dedicated 32 & 64 bit versions

    Case file backups only made during explicit user initiated saves

    In previous versions, every time CaseNotes was closed, or whenever your case’s metadata changed, CaseNotes would save your case file. Hardcoded into the program if ‘make backups’ is selected, was the function to make a backup copy of your case file. If the case file had some level of corruption present, it means that after three saves, all of your backups would now be corrupt too. Not great, so I’ve removed this function and cut it back so that backups are only created when you explicitly click the save button (or select the save menu option).

     

    Backup copies now stored in a dedicated sub-folder

    This means backup files are easier to identify and can be themselves backed up nightly or whenever.

     

    Number of case file backups increased from 3 to 10

    To add more resilience to the backup process, there will be ten unique backup files stored in the backup folder, up from the existing three.

     

    Greater assistance for the corrupt case file 'password' issue

    This is the one problem that affected users more than any other. If the header becomes corrupt, CaseNotes assumes the file is encrypted – to explain:

    What happens when CaseNotes opens a case file is that it reads the file sig (cnote or cnotr) – if the first five bytes are neither of these then CaseNotes assumes that the file is encrypted, as the file sig would be unreadable in this case. So it prompts you for the password. The usual reason that this problem occurs is if you open the case file from two separate instances of CaseNotes simultaneously. It’s very important that you only ever have one copy of each case file open at any one time. You can have as many copies of CaseNotes running as you like, but they must all be for different cases.

    Anytime you have a problem, you should immediately close CaseNotes and make additional copies of the backup files before proceeding. I’ve implemented a change which prompts with the steps to follow whenever a password prompt is delivered; this should allow users to rescue the situation before all of the backup files are lost by save actions.
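The signature check described above can be run read-only across a case file and its backups before anything is opened in CaseNotes. This is an added example, not CaseNotes code: the sample file names, the `*.Notes` pattern for backups and the verdict heuristic are assumptions, and only the two five-byte signatures come from the post.

```python
import tempfile
from pathlib import Path

# Signatures quoted in the post; what each one denotes is not stated there.
KNOWN_SIGS = (b"cnote", b"cnotr")
SIG_LEN = 5


def classify_header(path):
    """Return 'signature-present', 'no-signature' or 'too-short' for one file."""
    with open(path, "rb") as fh:  # read-only: never modify a case file or backup
        head = fh.read(SIG_LEN)
    if len(head) < SIG_LEN:
        return "too-short"
    return "signature-present" if head in KNOWN_SIGS else "no-signature"


def triage(folder, pattern="*.Notes"):
    """Classify every matching file in folder; returns {filename: status}."""
    return {p.name: classify_header(p) for p in sorted(Path(folder).glob(pattern))}


def verdict(results):
    """Heuristic (an assumption): mixed results point to header damage, not encryption."""
    if not results:
        return "no files found"
    statuses = set(results.values())
    if statuses == {"signature-present"}:
        return "all headers intact"
    if "signature-present" in statuses:
        return "mixed: copy the intact files elsewhere before opening anything"
    return "no readable signature: encrypted case or every copy damaged"


def build_sample(folder):
    """Write constructed sample files (not real CaseNotes data) for the demo."""
    folder = Path(folder)
    (folder / "case_bak1.Notes").write_bytes(b"cnote" + b"\x00" * 32)
    (folder / "case_bak2.Notes").write_bytes(b"cnotr" + b"\x00" * 32)
    (folder / "case_bak3.Notes").write_bytes(b"\x9f\x03\x00\x00\x11" + b"\x00" * 32)
    (folder / "case_bak4.Notes").write_bytes(b"cn")  # truncated file
    return folder


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        results = triage(build_sample(tmp))
        for name, status in results.items():
            print(f"{name}\t{status}")
        print(verdict(results))
```

A file reported as `no-signature` cannot be told apart from a genuinely encrypted case by this check alone, which is the same ambiguity that leads CaseNotes to prompt for a password.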

     

    New menu item to reset screen position data to fix maximised windows

    Occasionally, CaseNotes will lose its screen position settings and disappear off the screen unless in full screen or minimised mode. I’ve created a new menu item which allows the screen data to be reset, so that CaseNotes can be restored to a normal screen position.

     

    Fix for Open File dialog not recognising .Notes files in Windows 7

    This was pretty simple to fix and required a small code change to account for new syntax for the Windows 7 open file dialog.

     

    New dedicated 32 & 64 bit versions

    I’ve now created two distinct versions of the software, so if you’re running a 64 bit operating system, you’ve got a version of CaseNotes which will interact with your system correctly.

     

    Future enhancements

    There’s a lot more on the horizon for CaseNotes – the next version should include user customisable check lists and workflow templates allowing you to use CaseNotes as a prompt for major steps in your investigations dependent upon case type, and to provide boilerplate text for various note types. I’m hoping this should be released around August and will send an email out to those who have downloaded the app and indicated I can contact them. If you’ve indicated you’d be happy to beta test, then you may get an email a bit sooner!


    Categories: News | CaseNotes

    Introduction of PIPS

    2. May 2010 10:48

    We have been working long and hard on a new way of risk modelling that allows for assets and asset groups to form a structure that is representative of the operational risk tree for a generic organisation. Enter PIPS (People, Information, Property, Systems).

    The PIPS tree (really more a root system) is a structured collection of risk model templates. These templates have been pre-configured using the Yo-Yo risk modelling technique in Blackthorn RITA.

    Each model template, for instance a generic application or building has undergone an Exposure Analysis and Cover Analysis by a subject matter expert. We have used ISO 27000 as our basis for this generic analysis.

    Users are now able to ‘clone’ the templates from the PIPS template tree and graft them into their own production PIPS tree with a simple drag-drop action. Then they simply give the asset a value and the risk exposure/cover is immediately calculated.

    The really great thing about PIPS is that the functionality of Blackthorn RITA enables calculated risk totals to be rolled up the tree, aggregating values at each common node. The result is an accurate calculation of risk at the top which represents the total risk for the organisation.

    As with all risk models, Blackthorn RITA enables risk assessors to constantly review the risk models using a vulnerability & controls-based approach. With empirical data cross-correlated from reactive activities, this gives an unparalleled accuracy in real-time operational risk management.


    Categories: Blackthorn Support | News

    CaseNotes Updates

    25. March 2010 11:04

    After a long break, CaseNotes is finally getting some much needed care and attention. The next release, due out in a few weeks’ time, mainly consists of bug fixes. Items being addressed include:

    • additional resilience to prevent false ‘password’ requests from corrupt case files
    • enhanced backup regime to provide more backup copies of your case files
    • 64 bit support (hopefully printing!)
    • fixes to a few annoying issues when running on Windows 7
    • renaming of a few controls to better reflect their true function

    CaseNotes is used globally by more than 5,000 forensic analysts from more than 25 countries, from large corporations and national law enforcement units through to sole practitioners. No matter who or where you are, we are committed to keeping CaseNotes free and will provide updated functionality in the coming months. We appreciate your support and look forward to providing you with new versions of CaseNotes in the future.


    Categories: CaseNotes | News

    Is your password insecure?

    14. March 2010 11:01

    A new study shows that the quality of passwords remains a significant vulnerability for online users and their important business and personal information. The frustrating thing is that it is so easy to improve the protection, in some cases significantly, through the selection and use of strong passwords.

    More about this study can be found here.


    Categories: News

    New decade, new website!

    24. January 2010 21:09

    QCC Information Security today launched a totally revamped website, giving casual visitors and long term clients alike a focussed resource aimed at providing both at-a-glance descriptions of our services and useful information about all the aspects of information security we are involved in.

    The new look, combined with ultra fast and ultra reliable hosting, means that finding information about the company, downloading useful forensic tools or gaining access to the Blackthorn support portal becomes much easier for all concerned.

    John Douglas, QCC Technical Director commented: “This new website combines simple navigation with an ease of maintenance, allowing us to provide more information in a timely manner to better support all of our clients, both existing and those who are considering us for the first time.”

    Clever use of coded authentication means an end to cumbersome ‘captcha’ windows when sending requests or downloading software. All part of the commitment to customers that QCC is renowned for.


    Categories: News