      • Your Digital Forensics Primer: How to Divine the Truth from the Data

        Published Dec 09 2016, 9:26 PM by Lesley Carhart

        The scene unfolds: The forensics team huddles around a state of the art computer station, in a room dimly lit with blue lights. Futuristic displays show the photos recovered from the criminal’s computer. The lead detective pauses dramatically, pointing to a photo. “Enhance that!” he directs. Cue music…

        As with many other things, real-life digital forensics isn’t like television. Forensics is time-consuming, painstaking work, yet sometimes more fascinating than fiction. Let’s discuss some basics that everyone involved in law enforcement should know.

        The first thing we have to understand is what data is valuable to forensic analysts. Years ago, this was mostly limited to hard drives. Law enforcement would usually unplug and then retrieve computers at crime scenes for analysis. Modern digital forensics involves a multitude of devices, from mobile phones to car media centers to digital cameras. Many digital devices can provide clues about our behavior.

        So why don’t we want to unplug computers scheduled for forensics anymore? We have to consider what important evidence is lost when we turn off a computer. We know that computers usually have a hard drive which stores data, but they also have memory (RAM), which stores data the computer is using when it’s turned on. When we turn off a computer for more than a few seconds, data in memory is wiped clean. Memory contains all kinds of things the computer was ‘thinking about’ recently while it was in use. This ‘live data’ can include files that were deleted, viruses, passwords and files which are encrypted on the disk, and a history of what programs and files were used. So, the first reason we don’t unplug computers is so that we don’t lose the contents of gigabytes of memory.

        Many agencies are now taking steps to preserve memory from computers retrieved from crime scenes. This can include running a specialized tool to retrieve important things from memory, maintaining power to the computer, or even freezing the memory to slow erasure.

        Another reason we don’t unplug computers is that full disk encryption is becoming more common. A hard drive which is encrypted can be almost impossible to read without knowing a passphrase to unlock it. If the computer isn’t kept powered on, and the passphrase isn’t retrieved before it is shut off, the only other recourse may be getting the passphrase from the machine’s owner through a judge. That’s a legal gray area.

        Now that we know which evidence we want to retrieve, let’s talk about how we retrieve the evidence!

        A critical point in collecting evidence is maintaining a clear chain of custody. As with physical evidence, this means that we record everywhere our evidence has been, who has had access to it, and what may have changed in a repeatable way that can be proven in court. When we retrieve a hard drive, we immediately make exact copies of it to analyze, then store the original disk securely. Additionally, all of our analysis of the drive must be conducted through a ‘write blocker’, an electronic device which prevents anything we do from making a change to the evidence. We carefully document everything we do.

        We can use a lot of different tools in our analysis, but we want to select ones that are recognized and admissible in court. Two popular commercial forensics suites that can retrieve and analyze disks and memory are Guidance EnCase and AccessData FTK. However, there are also many other tools that can help us. Two popular free tools to analyze what’s hidden in memory are Volatility and Mandiant Redline.

        Analyzing a device can be time-consuming and tedious. We must create an accurate timeline of everything relevant that occurred. We might have to sift through days of routine changes to the computer or thousands of documents to find an interesting one. Files might be corrupted, partially overwritten, or have missing parts that we have to painstakingly reconstruct. Although deleted files are often recoverable, hard drives can be overwritten with disk-wiping software, which may effectively make recovery impossible. We’ll run into dead ends.

        When we do find something, however, it can be more interesting than just photos or documents. The Windows Registry is full of details about the history of the computer. We might discover which wireless networks the computer was connected to or which USB drives have been connected to it. We could recover webpages viewed in ‘private browsing mode’. We have tools to search for keywords, or images that contain nudity. On other devices, we may find different information. For instance, car computers might tell us who was in the car, and where it went.

        The devices that surround us can tell a story. When discovered, analyzed, and presented properly, these findings can have great value in a court of law.

        Interested in learning more about digital forensics? I recommend the books “Digital Forensics with Open Source Tools” by Cory Altheide and Harlan Carvey and “Digital Forensics for Legal Professionals: Understanding Digital Evidence From The Warrant To The Courtroom” by Larry Daniel and Lars Daniel. Don’t be intimidated by the high price of commercial forensics tools. A great way to start using forensics tools is by downloading the free SANS SIFT Kit, a virtual machine with many free forensics tools installed. Make sure to find your local digital forensics organizations!

        Read additional blogs by Lesley Carhart here.

        Learn about Motorola Security Services here.

      • What is ‘the Cloud’? And How Secure is It?

        Published Dec 09 2016, 9:25 PM by Lesley Carhart

        A notable 34 percent of the respondents to our recent 2014 Public Safety Industry Study have moved or are considering moving data applications to a cloud-based solution over the next three years. This is a trend occurring across many industries. At the same time, current news headlines have caused discussion and doubt about the security of cloud services. So, what is ‘the cloud’, really? Is it secure or insecure? How can we properly leverage cloud services in a public safety environment?

        The term “cloud” comes from the standard symbol that network engineers have used to represent the internet for decades. On diagrams of organizations’ network devices and cabling, it’s an abstract concept which represents everything outside of the engineer’s control and sight. This abstractness has translated into the way we talk about cloud services today – we refer to ‘the cloud’ in a broad sense as some conceptual place we outsource our data for storage or processing. We might perceive internet-based services differently today if the standard symbol had been a menacing dragon, or perhaps most accurately, a question mark.

        So what is “the cloud”, really? The first and most crucial thing to understand is that cloud services aren’t abstract at all. The cloud is essentially a term for other organizations’ computer systems. Every bit of data we send to a cloud service provider is ultimately stored in some form on real hard drives, traverses real network cabling, and is processed by real software. Cloud providers use similar technologies to those we use within our own organizations. However, they do so at an exponentially larger scale, allowing them to offer services to many organizations simultaneously and at significant bulk cost savings.

        When we think about the cloud this way, our perspective should change. “The cloud” isn’t inherently more or less secure than any other digital system. These services are tools of varying quality which we can use to cost-effectively centralize our data storage, applications or processing. They provide us access to centrally-hosted hardware and software that may be more cost- and time-effective than in-house solutions.

        This centralization does provide an opportunity for improved security. Our data can be stored in a single defensible location, with uniform security controls. Since many organizations’ networks have grown too large and too piecemeal for limited IT staff to monitor accurately, a homogenous environment can make security monitoring and management more effective, less costly, and easier to handle. In an era of budget cutbacks, this can be a big help in getting our networks under control.

        However, cloud services come with an equal amount of security risk if they’re not used properly. We must keep in mind that cloud services still reside on real computer systems.

        1. First, we need to be fully aware of what data we are sending to the cloud provider. Are we certain we want to send all of our data outside our network?
        2. Secondly, we have to evaluate the level of physical and logical data security the cloud provider offers. What security controls do they have in place? Who has access to your data? How often do they perform certified security audits and scans, and can we see the results? Are they properly insured? What are their retention and destruction policies? Since cloud providers may spread data over many systems, in certain cases we may also be concerned with which countries our data is physically stored in.
        3. Next, we need to properly monitor the security of our data. If we rely on the cloud provider’s security monitoring, we need to understand what it involves and how soon we will be notified of an attack or data breach. Preferably, we should be receiving meaningful security and access logs for our own review.
        4. Lastly, we must ensure that our data is secure as it is transmitted to and from the cloud provider. We’re transferring our sensitive data to the cloud provider, and it may be at its most vulnerable as it is transmitted between our networks. We must ensure it is properly encrypted and controlled in transit as well as at both endpoints.

        Cloud-based services can provide cost savings, centralization, and easier management and monitoring of data and applications for public safety organizations. They can also provide a standardized and defensible security platform for our data and applications. Despite this, we must carefully evaluate these services as what they actually are: off-premise computer systems which are only as secure as they are designed, implemented, and monitored to be. By understanding this and asking the right questions, we can make educated decisions about how we can best leverage cloud service providers.

        Lesley Carhart is the Incident Response Team Lead for the Motorola Solutions Security Operations Center. She has 14 years of experience in information technology, including computer networking and tactical communications. For the past five years, she has focused on security, specializing in digital forensics.

        Read past blogs by Lesley Carhart here.
        Learn more about Motorola Solutions services and solutions for securing and monitoring wireless networks.

      • The NIST Cybersecurity Framework, Secure Information, and Coffee

        Published Dec 09 2016, 9:23 PM by Lesley Carhart

        A fictional conversation between two officers at a local police department…

        Lt. Hannah Barry sits across from Information Assurance Officer John Tomczak and passes him coffee. “So, we read an article about Durham, New Hampshire’s police department being forced to shut down their network for days due to a computer virus. Our chief is frantic. He wants to know if the same thing could happen to us.”

        Tomczak nods sympathetically. “Scary news. So, what did you tell him?”

        “I’m not really sure what to tell him. We do think about security. We just don’t have a lot on paper.”

        Frustration flickers across the Lieutenant’s face. “I’ve looked at the NIST Cybersecurity Framework, but I’m not sure if it helps a smaller department like us.”

        “Okay. NIST’s framework is a tool to help implement comprehensive information security in an organization of any size,” Tomczak explains. “It divides the basic things we have to do to keep our information secure into five general functions or stages – Identify, Protect, Detect, Respond, and Recover. Each of those functions contains several categories. But, the specifics of those categories can vary based on the organization and what kind of data they’re protecting.”

        Lt. Barry considers this. “I think I follow. So what kind of things would an organization like us need to define in each function?”

        Tomczak sips his coffee. “Well, for the ‘Identify’ function, we first need to know what is in our environment. This not only includes computers and network architecture, but also how our department functions and what data is important to secure. For example, we store a lot of confidential case data that has special restrictions.”

        “Got it. You can’t secure anything without first knowing what you have to secure.”

        “Exactly. We also need to bring in our risk management officer at that stage – they have to weigh our level of security and what we stand to lose against the department functioning normally.”

        “… The next one, the ‘Protect’ function. I think we’re pretty good at that.” Lt. Barry interjects.

        Tomczak nods in agreement. “We have some good information protection processes in place already. We have an intrusion prevention system, a properly configured firewall, and antivirus. We encrypt confidential data. Our department practices good physical and network access control – some of our critical devices are on their own network. IT is also pretty good at keeping all of our computers, radio, and network equipment patched and backed up, which is really important. One area I think we could do better at is user awareness. We only require officers and staff take Information Assurance training once a year, and I think some people click through the slides without reading. A lot of phishing emails don’t get reported, and I’m not sure everybody’s using strong passwords.”

        The Lieutenant considers this. “Wow, all of that falls under ‘Protect’. What about ‘Detect’?”

        “No matter how carefully an agency secures their network, there will probably be some compromise eventually. The important thing is to know as quickly as possible. I review all of our access logs against our access control list on a regular basis. Motorola Solutions monitors security logs from our internal network and our ASTRO network. When they report an anomaly to me, I make a decision based on whether we need to move to the next function – ‘Respond’.”

        “Let me guess - that means ‘Incident Response’? That’s a familiar term for law enforcement.”

        “Same concept. We handle a security incident using the same triage and communication skills as first responders. That means we need to develop and document response plans for a few general types of security incidents. For example, denial of service attacks, website defacement, malware outbreaks, or PII leakage. Each process should include who gets notified and how soon they’re notified. We also have to detail processes to mitigate an ongoing incident as rapidly as possible. This could mean bringing infected computers offline and replacing them with spares, adding firewall rules quickly, or retrieving system images for evidence or forensic analysis. Those things can be hard to do quickly in the middle of the night.”

        “I guess it could be hard to reach the contractors in an emergency...” Lt. Barry jots some notes down. “Okay, so there was one more function – ‘Recover’. Seems like common sense.”

        “Yes and no.” Tomczak considers this for a moment. “Recovery from a security incident doesn’t just include repairing damage done, public relations, or even taking a case to court. It also means identifying and discussing ‘lessons learned’, which are as important for security as they are for any other incident response. We have to figure out what we did right and what we did wrong and modify our processes so we handle the next incident better.”

        Lt. Barry nods and closes her notes. “Sure. We always do an after-action report after a major incident; that makes sense. Thanks. I think I have enough here to start drafting a policy. It appears that I’m going to need to bring in quite a few teams as well as yours to do it.”

        “No problem, Lieutenant. Following a structured, well-documented information security policy helps us better prevent, detect, and respond to security incidents. It also may decrease our legal liability should a worst case scenario occur. Let me know how I can help.”

        Lesley Carhart is the Incident Response Team Lead for the Motorola Solutions Security Operations Center. She has 13 years of experience in information technology, including computer networking and tactical communications. For the past five years, she has focused on security, specializing in digital forensics.

        Lesley Carhart will be speaking at CircleCityCon in Indianapolis on June 14th, at 2 p.m. on “Ten Commandments of Incident Response (For Hackers)”.

        Read more about how Motorola Solutions offers several solutions for securing and monitoring wireless networks.

        Read past blogs by Lesley Carhart here.

      • 6 Lessons Learned from the Holiday Data Breaches

        Published Dec 09 2016, 9:23 PM by Lesley Carhart

        Have you been watching your credit card statements this month? The high-profile data breaches of several major retailers over the holiday shopping season caused inconvenience, disruptions and concern to millions of consumers in the U.S. and abroad. There will be speculation and debate for months about exactly how Target Corporation and Neiman Marcus’ point of sale systems were compromised, and what could have been done to prevent it. Instead, as we look to the security of our own business systems, there are a few basic lessons we should learn from these incidents:

        1. It can happen to anyone. In Q4 2013, we saw a broad spectrum of very public security incidents, from the massive breach of the retail powerhouse Target, to the successful ransom of many small organizations, including a police department, using the cutthroat Cryptolocker malware to hold their files hostage. The bottom line is that cybercriminals are smart, and they want to make money using the most effective means possible. That may be the meticulously planned breach of a large and well-secured organization, or a few hundred dollars stolen from many thousands of small businesses.
        2. PCI DSS standards should not be followed merely to pass audits. Payment system security should always be taken seriously, without exceptions, and planned thoroughly in advance of system implementation. Payment Card Industry Data Security Standard controls constitute a minimum security baseline that exists for a reason, and too many organizations comply only with bare minimum requirements. A recent Fortinet study revealed that one in five small retailers is not even PCI compliant.
        3. Security budgeting and staffing should not be reactive. Hindsight is 20/20. After a security incident, if outside forensics or security consultants must be brought in to assist, it is not unlikely they will find evidence of further compromise or previous breaches. Security monitoring, policy, and auditing should occur routinely, with the support of upper management.
        4. Attackers will find the weakest link. You may have built top-notch security into your stores’ wired networks, but those measures may be irrelevant if you have failed to secure the link from each store to your payment processor, segregate your corporate network, or secure your wireless network. Security must be considered end-to-end. In the case of point-of-sale system breaches, we often see malware installed that can snag credit card numbers while they are briefly unencrypted in the devices’ memory. However, this requires an attacker gain adequate access to the terminals.
        5. Disaster Recovery Plans are critical. In the age of social media, the rumor of a security breach can rapidly spread and cause financial damage. Along with plans for natural disasters, fires, and equipment failures, every organization should be prepared for a major security incident with a data breach recovery plan. How will impacted customers and shareholders be notified in a timely manner? Can you have adequate resources available to deal with customer concerns? Who will perform forensic analysis of compromised systems in a manner which is admissible in court? If your critical business files are tampered with or deleted, do you have backups that can be promptly restored?
        6. Offer Payment Flexibility. This most recent string of data breaches has hurt consumer confidence in traditional credit card transactions. It’s courteous (and even advantageous) for retailers to offer customers the option to use third-party payment services which securely bypass their own payment processor.

        Read more about how Motorola Solutions offers several solutions for securing and monitoring in-store wireless networks.

        Lesley Carhart is the Incident Response Team Lead for the Motorola Solutions Security Operations Center. She has 13 years of experience in information technology, including computer networking and tactical communications. For the past five years, she has focused on security, specializing in digital forensics.

        Read past blogs by Lesley Carhart here.

      • Malware: It’s All Grown Up, and You Should Care

        Published Dec 09 2016, 9:22 PM by Lesley Carhart

        Recently, the security firm ESET Ireland commissioned a study about how computer users react to antivirus warning messages on their computers. They compared the results of the survey with those from a similar survey conducted two years ago. The results showed decreasing responsiveness from users to virus warnings. For instance, the number of users who admitted to ignoring warnings to run a file or program increased a full 10 percent. This is a trend noted by multiple researchers.

        Obviously, to the information security community, this is alarming and frustrating. However, we’re also partially responsible. The news is filled with sensational stories about hacking and malware. People are tired of hearing about threats that don’t appear to affect them, so they’re paying less attention. UC Berkeley termed this phenomenon “warning fatigue”. Part of the problem is a set of common misconceptions about what modern malware is and isn’t.

        Malware today exists for several general purposes:

        • To steal private data from infected computers. This could mean our banking information, passwords, or confidential files.
        • To allow remote access to an infected computer to a hacker. This is attractive for many reasons, including using the computer to access other systems or programs.
        • To use the computer’s resources to perform some task, often criminal. This could mean using the computer to send spam, steal copyrighted material, view ads, or attack other systems.
        • To intimidate or confuse users into providing criminals with money or personal data. This includes fake FBI warnings, fake security programs, and other ‘ransomware’.
        • To spread to other computers.

        Many people still expect a virus to cause a noticeable disruption on their computer. For most of the purposes above, it’s smarter for the author of the malware to make it invisible. Like a disease, malware will spread and survive more effectively if there aren’t any symptoms. Malware writers go to a lot of work to conceal their creations. This means there’s a constant “cat and mouse” game between the bad guys and the antivirus companies. It also means that many people believe they have a virus when their computers malfunction, but few believe it when they see no visible impact.

        Another common misconception is that malware is primarily written by bored kids or disgruntled employees. Computer crime is a billion-dollar criminal enterprise, which rivals any other organized crime organization. Some of the brightest computer science minds are employed by these organizations to write sophisticated viruses, often because they have no better employment prospects. Nation states purportedly now use malware like any other espionage tool. Hacktivist groups use malware to accomplish complex social and political agendas.

        The last misconception I’d like to touch on is those people who are positive their computers are not infected because they’re using antivirus. As we’ve discussed, there is a lot of money to be made in infecting computers. This means that finding new ways to evade the security of operating systems, antivirus, and software is also worth a lot of money. Applying updates on a regular basis, installing antivirus, and following good computer security practices decreases the risk of an infection significantly. Unfortunately, it does not completely eliminate the risk. Even experienced IT professionals should still be paying attention to the messages their security software provides.

        Malware continues to flourish in part because there continue to be vulnerable systems and complacent users. This means millions of credit card numbers and passwords stolen each year, billions of spam messages, and continual distributed attacks against websites. Instead of panicking about this, we should be routinely vigilant. Every computer user and organization has a reason to install and update antivirus. Any person’s computer can be infected, and antivirus warning messages should always be taken seriously.

        Lesley Carhart is a Senior Information Security Specialist in the Motorola Solutions Security Operations Center. She has 13 years of experience in information technology, including computer networking and tactical communications. For the past five years, she has focused on security, specializing in digital forensics.

        Read past blogs by Lesley Carhart here, including:

        Secure Yourself, Your Family and Your Organization by Securing Your Photos
        What’s Your Pa$$word? Secure Your Organization by Securing Your Accounts
        Secure Your Organization by Securing Yourself: Beware the Removable Device
        Secure Your Organization by Securing Yourself on Social Networks
        Log Monitoring and Cyberthreat Detection

      • Secure Yourself, Your Family and Your Organization by Securing Your Photos

        Published Dec 09 2016, 9:21 PM by Lesley Carhart

        This is part four of a multi-part blog series.


        If somebody asked you where the photo above was taken, how would you figure it out? Maybe you would make an educated guess. The building reads, "Motorola Solutions", so it probably belongs to our company. The weather looks temperate; it's not in the desert. There aren't any immediately surrounding structures, so it's likely not in the middle of a city. Given these facts, and using photos and maps on the internet, you could probably figure out eventually that the building is Motorola Solutions headquarters, in Schaumburg, Illinois.

        Now, what if you were asked to figure out where the next picture was taken?


        Maybe you could deduce something about the flower, but it's impossible to say exactly where the photo was taken just by looking at it. What if you also wanted to know whose cameras took the photos, and at what time?

        The answers lie in something called "exchangeable image file format" (EXIF). EXIF metadata is hidden in many common picture formats. It includes information about the camera model used and its settings, such as aperture, time, and resolution. EXIF data may also note if a photo was edited. Although that might not mean much to us, it's useful information for professional photographers – EXIF was developed in the 1990s to help them. It is now an industry standard, used in almost all digital cameras (including mobile phones).

        Today, EXIF contains information far beyond camera settings. Most smartphones provide GPS, and can add latitude and longitude information to the photos they take (known as "geotagging"). Geotagging is intended to aid the photographer and the applications and websites he or she sends pictures to. Phones also note information about themselves, such as model, manufacturer, operating system, and serial number.

        Let's have a look at some of the EXIF information hidden inside our picture of flowers:

        • File Name: flowers.JPG
        • File Creation Date/Time: 2013:09:23 13:02:27-05:00
        • Make: Apple
        • Camera Model Name: iPhone 5
        • Orientation: Rotate 90 CW
        • GPS Position: 42 deg 3' 55.09" N, 88 deg 2' 59.21" W
        • Flash: Auto, Did not fire

        We now know the picture was taken by an iPhone at 42 deg 3' 55.09" N, 88 deg 2' 59.21" W, on 9/23/13. Google Maps shows us where the photo was taken - also Motorola Solutions, Schaumburg.

        Obviously, this is a big security concern. We wouldn't publicly post where our kids go to school, where a military unit is deployed, or where we live or are working on a confidential project. So why do we continue to let our cameras do it for us? Not only do we know when and where these photos were taken, but we know which phone the photographer was using. From a hacking perspective, Jane Hacker now knows to send the owner malware for iPhone, not Android.

        Let's have a closer look at some of the EXIF metadata in our picture of the building:

        • File Name: moto.jpg
        • Create Date: 2013:09:23 12:54:27
        • Make: Motorola
        • Camera Model Name: XT907
        • Orientation: Horizontal (normal)
        • GPS Position: 42 deg 3' 46.75" N, 88 deg 2' 56.47" W
        • Light Source: Daylight

        So, this photo was taken at 42 deg 3' 46.75" N, 88 deg 2' 56.47" W using a Motorola XT907. A quick Google search shows us XT907 means a Droid RAZR M. Again, the GPS position is easily translated into a street address. That was easier than our detective work earlier!


        Fortunately, as awareness of the risks of location data in photos increases, providers are doing more to prevent users from accidentally exposing it. Instagram and Facebook remove EXIF data from uploaded photos. However, many other popular photo sharing and storage services don't, because photographers still use the information.

        Next time you post a photo, consider what else you're posting. Could including the location, time, or camera impact your security, or that of your organization or family? There's rarely reason to leave geotagging enabled. It provides far too much private information to anyone who sees the photo.

        Instructions for disabling geotagging on Android devices can be found here. For Apple devices, they can be found here, and for Blackberry, here. For existing photos, Windows 7 and above provide a menu option to remove EXIF metadata from photos.
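
        For photos that are already on disk, the check and the cleanup can also be scripted before anything is published. The following is an added example, not part of the original post: it walks a JPEG's header segments, reports the geotag if one is present, and returns a copy with the EXIF segment removed. The sample image is constructed in the code and reuses the flowers.JPG position quoted above; all function names are illustrative.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825            # entry in IFD0 that points at the GPS directory
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4


def iter_segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:       # start of scan: compressed pixel data follows
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2:
            raise ValueError("corrupt segment length")
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, offset, bo):
    """Return {tag: (type, count, raw 4-byte value field)} for one directory."""
    (count,) = struct.unpack_from(bo + "H", tiff, offset)
    entries = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(bo + "HHI4s", tiff, offset + 2 + 12 * i)
        entries[tag] = (typ, n, raw)
    return entries


def _dms_to_decimal(tiff, entry, bo):
    """Degrees, minutes, seconds are three RATIONALs stored at an offset."""
    (offset,) = struct.unpack(bo + "I", entry[2])
    dn, dd, mn, md, sn, sd = struct.unpack_from(bo + "6I", tiff, offset)
    return dn / dd + mn / md / 60 + sn / sd / 3600


def read_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the photo is geotagged, else None."""
    for marker, start, end in iter_segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if bo is None:
            raise ValueError("bad TIFF byte-order mark")
        (ifd0_offset,) = struct.unpack_from(bo + "I", tiff, 4)
        ifd0 = _read_ifd(tiff, ifd0_offset, bo)
        if TAG_GPS_IFD not in ifd0:
            return None
        (gps_offset,) = struct.unpack(bo + "I", ifd0[TAG_GPS_IFD][2])
        gps = _read_ifd(tiff, gps_offset, bo)
        if GPS_LAT not in gps or GPS_LON not in gps:
            return None
        lat = _dms_to_decimal(tiff, gps[GPS_LAT], bo)
        lon = _dms_to_decimal(tiff, gps[GPS_LON], bo)
        if gps.get(GPS_LAT_REF, (0, 0, b"N"))[2][:1] == b"S":
            lat = -lat
        if gps.get(GPS_LON_REF, (0, 0, b"E"))[2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy with every EXIF APP1 segment removed (no TIFF parsing needed)."""
    out, keep_from = bytearray(jpeg[:2]), 2
    for marker, start, end in iter_segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:end].startswith(EXIF_HEADER):
            out += jpeg[keep_from:start]
            keep_from = end
    return bytes(out + jpeg[keep_from:])


def build_sample_jpeg():
    """Constructed sample: header segments only, geotagged with the position the
    article lists for flowers.JPG (42 deg 3' 55.09" N, 88 deg 2' 59.21" W)."""
    bo = "<"
    # TIFF layout: header (8 bytes) | IFD0 @8 | GPS IFD @26 | rationals @80 and @104
    ifd0 = struct.pack(bo + "HHHII", 1, TAG_GPS_IFD, 4, 1, 26) + struct.pack(bo + "I", 0)
    gps = struct.pack(bo + "H", 4)
    gps += struct.pack(bo + "HHI4s", GPS_LAT_REF, 2, 2, b"N\x00\x00\x00")
    gps += struct.pack(bo + "HHII", GPS_LAT, 5, 3, 80)
    gps += struct.pack(bo + "HHI4s", GPS_LON_REF, 2, 2, b"W\x00\x00\x00")
    gps += struct.pack(bo + "HHII", GPS_LON, 5, 3, 104)
    gps += struct.pack(bo + "I", 0)
    rationals = struct.pack(bo + "12I", 42, 1, 3, 1, 5509, 100, 88, 1, 2, 1, 5921, 100)
    app1 = EXIF_HEADER + b"II" + struct.pack(bo + "HI", 42, 8) + ifd0 + gps + rationals
    comment = b"constructed sample"
    return (b"\xff\xd8"
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
            + b"\xff\xd9")


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("before:", read_gps(photo))
    print("after: ", read_gps(strip_exif(photo)))
```

        Only the EXIF APP1 segment is handled here; XMP and IPTC blocks can also carry location and are left in place, so a dedicated metadata tool is still the safer choice for bulk cleanup.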

        Lesley Carhart is a Senior Information Security Specialist in the Motorola Solutions Security Operations Center. She has 13 years of experience in information technology, including computer networking and tactical communications. For the past five years, she has focused on security, specializing in digital forensics.

        Read past blogs by Lesley Carhart here:

        What's Your Pa$$word? Secure Your Organization by Securing Your Accounts

        Secure Your Organization by Securing Yourself: Beware the Removable Device

        Secure Your Organization by Securing Yourself on Social Networks

        Log Monitoring and Cyberthreat Detection
