Archive for category forensics

GPS Forensics & Google Earth

I previously wrote about online GPS Forensic references and wanted to put them to use.  I had a suspicion that my girlfriend has been seeing another man.  When she was at work I grabbed her GPS (Garmin Nuvi 205) and connected it via USB (don’t forget a write blocker).  For Garmin models, the file you want to look for is “Current.gpx”.

Once I copied Current.gpx, I installed Google Earth.  Earth imports several different GPS data/location file formats.  It parses all the recent destinations entered into the GPS and loads them as waypoints, which makes it very convenient to find out where someone has been, where they might live (home location), etc.  Think about all the applications, e.g. rental car GPS units.

***If you don’t want to use Earth you can open the gpx file in a text editor (it is simple XML).  You’ll be looking at latitude/longitude coordinates that you can plot yourself.
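To plot or timeline the coordinates yourself, here is an added Python example (not from the original post) that pulls waypoints and track points out of a GPX file using only the standard library. The GPX document embedded in it is constructed sample data, not a real Current.gpx, and its place names and coordinates are invented; it detects the GPX namespace from the root element rather than assuming a version.

```python
"""Added example (not from the original post): parse a GPX file into a list
of points, then build a chronological timeline and a bounding box.
The GPX text below is constructed sample data, not a real Garmin export."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: one waypoint without time/elevation, one with both,
# and a short two-point track.
SAMPLE_GPX = """<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="constructed sample"
     xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="38.8977" lon="-77.0365">
    <name>Office</name>
  </wpt>
  <wpt lat="38.9072" lon="-77.0369">
    <ele>22.0</ele>
    <time>2009-05-01T18:02:11Z</time>
    <name>Home</name>
  </wpt>
  <trk>
    <name>Trip</name>
    <trkseg>
      <trkpt lat="38.8977" lon="-77.0365"><ele>15.0</ele><time>2009-05-01T17:30:00Z</time></trkpt>
      <trkpt lat="38.9000" lon="-77.0366"><ele>18.5</ele><time>2009-05-01T17:31:00Z</time></trkpt>
    </trkseg>
  </trk>
</gpx>
"""


def _namespace(root):
    """GPX 1.0 and 1.1 use different namespaces; take whatever the root declares."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _child_text(elem, ns, tag):
    node = elem.find(ns + tag)
    return node.text.strip() if node is not None and node.text else None


def _parse_time(ts):
    """GPX times are UTC ISO-8601, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None


def _point(elem, ns, kind):
    ele = _child_text(elem, ns, "ele")
    ts = _child_text(elem, ns, "time")
    return {
        "kind": kind,                      # "wpt" (saved destination) or "trkpt" (track log)
        "name": _child_text(elem, ns, "name"),
        "lat": float(elem.get("lat")),
        "lon": float(elem.get("lon")),
        "ele": float(ele) if ele is not None else None,
        "time": _parse_time(ts) if ts else None,
    }


def parse_gpx(text):
    """Return every waypoint and track point in the file as a dict."""
    root = ET.fromstring(text)
    ns = _namespace(root)
    points = [_point(w, ns, "wpt") for w in root.iter(ns + "wpt")]
    points += [_point(p, ns, "trkpt") for p in root.iter(ns + "trkpt")]
    return points


def timeline(points):
    """Timestamped points in chronological order; undated points are dropped."""
    return sorted((p for p in points if p["time"]), key=lambda p: p["time"])


def bounding_box(points):
    """(min_lat, min_lon, max_lat, max_lon) covering every point."""
    lats = [p["lat"] for p in points]
    lons = [p["lon"] for p in points]
    return (min(lats), min(lons), max(lats), max(lons))


if __name__ == "__main__":
    pts = parse_gpx(SAMPLE_GPX)
    for p in timeline(pts):
        print(p["time"].isoformat(), p["kind"], p["name"] or "", p["lat"], p["lon"], p["ele"])
    print("bounding box:", bounding_box(pts))
```

Saved destinations (`wpt`) on a unit like this often carry no timestamp, so the timeline is built from whatever does carry one, and the bounding box is computed over every point so the undated ones still show up on a map.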

Windows Anti Forensics Tip of the Day…

I previously wrote about how to have your system automatically clear the pagefile before a reboot or shutdown.  There are a couple of other changes I recommend making on your system…

Automatically permanently delete (Nuke on Delete) – Normally Delete sends files to the Recycle Bin and Shift+Delete permanently deletes them.  With the registry tweak below the normal Delete will also behave as a permanent delete. ***Note: “permanently delete” does not mean the file’s content is gone.  It only frees up the file record and clusters so they _could_ be overwritten.

  1. Go to Start -> Run and type Regedit
  2. On the left hand side click the “+” signs to navigate to the following key:
  3. HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ BitBucket
  4. On the right look for the NukeOnDelete value
  5. Right click it and set the data of NukeOnDelete to 1

Scheduled Task to Zero out unused disk space – As I mentioned above, deleting a file only ensures that there is a _chance_ the file will be overwritten.  If you run the command below it will zero out all unused disk space, which _should_ be good enough to prevent file content recovery. ***Note: The deleted file’s name will still be lying around until a new file happens to overwrite it.

>cipher /W:[directory_to_wipe]

Here’s my scheduled task: C:\WINDOWS\system32\cmd.exe /c cipher /W:C:\

Scheduled Task to Delete Recent Items – Even if you permanently delete a file and/or use Eraser, there’s a copy of the filename in your Recent directory.  I have the following scheduled task commands which clear my Recent items once a day….

Task for Recent Items:

>C:\WINDOWS\system32\cmd.exe /c del "c:\documents and settings\[username]\recent\*.lnk"

Task for Recent Office Items:

>C:\WINDOWS\system32\cmd.exe /c del /Q "C:\Documents and Settings\[username]\Application Data\Microsoft\Office\Recent\*.*"

Eraser – I highly recommend using this great freeware utility.  Among many other things, it adds a new option to your context menu to permanently delete a file and zero out its contents at the same time.

GPS Forensics

There’s a new GPS forensics community starting up here: http://www.gpsforensics.org/  Some additional information can be found here: http://www.forensicswiki.org/wiki/GPS

I’m going to examine my Garmin 200W this evening.  It looks like a simple text editor will reveal raw trip data including waypoints, date & time stamps, latitude & longitude coordinates and elevations.

Adobe Flash control panel

I previously wrote about Flash cookies which many folks are not aware of.  Well, I’ve just stumbled across a great article which describes how to manage your Flash cookies and other settings.  The “control panel” is located on Adobe’s website: Flash control panel.

If you navigate to the Global Storage Settings tab you can disable “Allow third-party Flash content…”

You can read the article here.

Update: There’s a forensic goldmine in C:\Documents and Settings\[username]\Application Data\Adobe\Flash Player\#SharedObjects\

Penetration Testing & Capture the Flag

Penetration Testing

Nowadays penetration testing is where it’s at.  Whether you are trying to learn security, become a white hat, or go into consulting, it’s a must-have skill.  However, it can be hard to know where to start.  Besides picking up books, the next best way to learn is through capture the flag events.

Important truths about pen testing

Capture the Flag

Computer/hacking capture the flag events are usually team-based, timed events where you’re pitted against several opponents and trying to earn the highest score.  Points are awarded for both offensive and defensive maneuvers.  Typically each team has a virtual machine it needs to defend while trying to exploit vulnerabilities in the other teams’ VMs.

The best place to find one in your area (besides attending a con) is your local 2600 chapter.  If they don’t hold CTFs then try a local information security club.  If you live in the mountains and can’t find either you can use Hack This Site which runs virtual CTF events 24/7.

Remember, hacker (white hat) and cracker (black hat).

Windows Forensics tip of the day…

The Windows page/swap file usually contains very recent information about a user’s activity.  Data in it is usually overwritten fairly quickly — depending on how “busy” the system is.  The page file can store potentially sensitive and incriminating evidence.  The legality of admitting evidence found in a page/swap file is still sketchy in the judicial system. However, it’s always a good idea to play it safe.

If you don’t mind a slightly longer shutdown / restart time you can have your system write zeros to the page file.  This is disabled by default.

Start -> Run -> regedit

Change the following value from 0 to 1

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown

*The Microsoft KB article can be found here: http://support.microsoft.com/kb/314834
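For an examiner looking at the other side of these tips, here is an added Python example (not part of the original post) that reads a Registry Editor export and reports whether NukeOnDelete and ClearPageFileAtShutdown are set; it covers the registry steps in the anti-forensics post above as well as this one. The .reg text embedded in it is constructed sample data; on a real examination the export would come from `reg export` on the live system or from the offline SOFTWARE and SYSTEM hives, and the key paths and value names are exactly the ones named in the two posts.

```python
"""Added example (not from the original post): audit a .reg export for the
two anti-forensic registry settings described on this page.
The export text below is constructed sample data."""
import re

# Constructed .reg export in the format regedit / `reg export` writes.
# The PagingFiles value is there only to exercise multi-line hex data.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket]
"NukeOnDelete"=dword:00000001
"UseGlobalSettings"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001
"PagingFiles"=hex(7):43,00,3a,00,5c,00,70,00,61,00,67,00,65,00,66,00,69,00,\
  6c,00,65,00,2e,00,73,00,79,00,73,00,00,00
"""

# (key path, value name, data that enables the behaviour, what it means) -
# both entries are the settings named on this page.
WATCHLIST = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket",
     "NukeOnDelete", 1, "deleted files bypass the Recycle Bin"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management",
     "ClearPageFileAtShutdown", 1, "pagefile is zeroed at shutdown"),
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"(.+?)"=(.*)$')


def parse_reg(text):
    """Return {key path: {value name: raw data}} for a .reg export.
    A data line ending in a backslash continues on the next line."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                  # continuation of a hex value
            pending[1] += line.rstrip("\\")
            if not line.endswith("\\"):
                keys[current][pending[0]] = pending[1]
                pending = None
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.endswith("\\"):
                pending = [name, data.rstrip("\\")]
            else:
                keys[current][name] = data
    return keys


def dword(data):
    """Decode REG_DWORD export data such as dword:00000001; None if not a DWORD."""
    return int(data.split(":", 1)[1], 16) if data.lower().startswith("dword:") else None


def audit(text):
    """List (value name, decoded data or None, enabled?, meaning) per watchlist entry.
    Key paths are compared case-insensitively, as the registry itself does."""
    keys = {k.lower(): v for k, v in parse_reg(text).items()}
    findings = []
    for key, name, enabled, meaning in WATCHLIST:
        values = keys.get(key.lower(), {})
        data = dword(values[name]) if name in values else None
        findings.append((name, data, data == enabled, meaning))
    return findings


if __name__ == "__main__":
    for name, data, hit, meaning in audit(SAMPLE_REG):
        print(f"{name}={data!r:<6} {'SET' if hit else 'not set'}: {meaning}")
```

A value that is missing from the export reports `None` rather than 0, so "never configured" and "explicitly turned off" stay distinguishable in the findings.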

eDiscovery and documentation

I attended a recent eDiscovery seminar. I wanted to poll the audience and get your thoughts on this subject. I was advised that you should not document your forensics process (criminal matters) because it then becomes discoverable and could be used against you in a court of law. Example: Let’s assume you have a documented forensics process that spells out you always have a cup of decaf coffee before examining a suspect’s machine. If you begin examining a suspect’s machine and forget to have that cup of decaf coffee you’ve now just made a gaping hole for the defense to use against you. Say goodbye to your credibility, Mr. Expert Witness no more.

On the other hand you must have a documented eDiscovery process (civil litigation). eDiscovery requires that your process is defensible and repeatable. You will need to be able to reproduce your eDiscovery process if called upon. However, there are no stipulations on how granular your process documentation must be. I would not recommend to spell out so many steps in your process that could leave you open for scrutiny. A generally broad eDiscovery process or flow that is published should suffice.

Please share your views below.

TrueCrypt: Avert Employer’s Computer Policy

Would you like to store personal data on an employer owned computer?  Does your employer have a policy about what can be stored on their machine?

To protect yourself from employer remote software/inventory scans (as well as a ton of other encrypted related uses) download TrueCrypt:

http://www.truecrypt.org/

It will allow you to create an encrypted container.  So let’s say you need 1GB for your MP3s.  This program will make a 1GB file, and when you put in your password that file becomes another hard drive on your computer.  Then when you’re done or turn off the computer that extra hard drive goes away until you mount it again using your password.

Think of this as a FREE encrypted virtual thumb drive — (as long as you have a tough password)
