Channel: Forensic Focus Forums - Recent Topics
Viewing all 20121 articles

General Discussion: Password Recovery Software

Passcovery wrote: We carried out almost the same testing for Office (details). It was long ago but the situation hasn't changed in principle. If visitors are interested in it, we can carry out tests again.
Yes, I believe that independent tests would be useful. With all due respect :) , the same tests published by the vendor of the one or the other tool may or may not be as much relevant.
jaclaz

Mobile Phone Forensics: Telit x180 cdma phone deleted sms messages

Mobile Phone Forensics: Chip Off Services

If jtag not supported just send a note to Octopus or Riff Team to support it or Root Huawei, get mmssms.db database and decode data. That's it.

General Discussion: Example Exchange .EDB files

Does anyone know where I can get a few example Microsoft Exchange Server database files to run some tests on (.EDB files)? Ideally I could get a few files from different versions of Exchange, but for the moment anything will do.

General Discussion: Msc. Cyber Security Versus Msc. Forensics

Davismu,
My reason for going for the DMU MSc in Cyber Security is due to the fact that I am fed up of how in recent years anyone with a degree in computing (or a non computer related degree. I know people in the industry who have degrees in Archaeology, chemistry, Artificial Intelligence etc etc) or a little computer related knowledge wants to get into Computer Forensics, and how a lot of companies choose to recruit graduates over experienced practitioners purely based on how much money they can save on salary. In a company I was working in recently I witnessed 4 people being recruited into Mobile phone forensics just because they knew people in the company and these people had absolutely no experience or knowledge of Forensics at all. I see this industry having a lot of very experienced individuals who make an actual contribution to this field. However, at the same time I see a lot of people in this industry who have no experience who have been lured into the field because it has been glorified by some American TV series. And the amount of Forensics companies that have opened in recent years is unbelievable. Soon there will be more forensic investigators and companies than there are cases. Yes I know a lot of you are thinking "but if you are good you shouldn't have to worry about competition especially from graduates". Believe me I do not worry about the competition I just don't want to be employed by a company then spend my entire time training the graduates!!!! which has happened to me recently. The field for me has started to stagnate slowly. I want out and after digital forensics my next passion is Cyber Security so that is where I am heading now.
Regards
MPF

General Discussion: Password Recovery Software

jaclaz wrote: there is the risk of either some spam posts (like the one henrydcruz posted earlier)
Now removed, please (everyone) don't hesitate to notify me of this kind of thing if you notice it - as much as I'd like to, I can't check every post ;)
jaclaz wrote: hence the need for "full disclosure" when a post comes from someone connected to the Authors of a Commercial tool.
This is absolutely correct - "full disclosure" is always required and appreciated in these cases.

General Discussion: About windows8 last written times in DeviceClasses directory

kanon,
kanon wrote: I've got a situation where the last written times in the DeviceClasses directory are earlier than the device installed date in the setupapi.dev.log file.
For the sake of clarity, what you're asking about is not a "directory"...it's a Registry key.
kanon wrote: In windows7 case, I've got the last written times as a below directory, SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b} But in this case, the last written times in the DeviceClasses directory has the date earlier than the device installed date in the setupapi.dev.log file. And it seems that the value of the last written times in the USBSTOR directory is right. I've done some research on this, and it seems to be the case for some Windows 8 computer I look at. Please tell me which one is correct, DeviceClasses or USBSTOR ?
I guess the question is, "correct" with respect to what? What is it you're trying to show? Something else to consider, if you're trying to determine the last (or first) time a device was connected to a system, is that you may not be looking at the right data points, and perhaps not considering other conditions. Anyway, it's hard to tell, as it's not abundantly clear what you're trying to demonstrate.

General Discussion: Deleted data and guilt?

http://www.theguardian.com/world/2014/mar/24/mh370-investigators-review-missing-plane-pilots-flight-simulator-records
Quote: The software, currently a focus for investigators, would have allowed him to practice landing at more than 33,000 airports, on aircraft carriers, oil rigs, frigates, which pitch and roll with the waves, and helipads atop buildings.
Quote: Given the large amount of cheap memory loaded onto modern computers, it's unlikely Zaharie would have had to erase his flight data for technical reasons – so it remains unclear why some of the data was erased on February 3. "Today storage capacity is not a problem for a computer running simulators," said Fernando Nunez Correas, a simulation software developer using some of the same components as Zaharie. Erasing data may have been part of a regular maintenance routine or done to help improve the simulator's performance, flight simulator users say.
For NO apparent reason :o , "Experts say ...." ;) : http://www.dedoimedo.com/computers/experts.html
jaclaz

Employment and Career Issues: Questions about working in Forensics.

jhall236 wrote: Questions: 1. What tools do you use most often?
It really depends on the type of work I'm doing. For digital analysis of Windows systems, TSK tools (mmls, fls, blkls now and again...), LogParser, Perl, and a lot of my own scripts/home-rolled tools and processes. Much of the analysis work I do involves determining when and how something happened, so timeline analysis is a great way for me to address the goals of my analysis.
jhall236 wrote: 2. What credible resources such as publications, forums, societies or Internet groups would you suggest to a new graduate?
None. My recommendation would be to start with whatever internal training you can get as part of your job...going to online resources is going to simply inundate you with information...one of the things I hear from folks is, "...there's so much to learn, I don't know where to start...". If you don't have employment lined up, pick someplace to start, and focus there initially. So many folks, including seasoned professionals, seem to immediately go to the deep end and quickly get in over their heads. If you don't know what to focus on, seek out a mentor.
jhall236 wrote: 3. What is the most rewarding aspect of your job?
Finding stuff other folks haven't seen, or haven't admitted to seeing. Finding undeniable proof that a bad guy did what they were accused of (and denied), or finding undeniable proof that exonerates someone.
jhall236 wrote: 4. What personality traits and academic background are important for today’s digital forensics investigators?
I don't think that academic background plays a huge role, other than getting someone "in". Someone can be a history major and be innately curious and passionate about the work, and do a much better job (and have more fun doing it) than someone with a degree that applies more directly/appropriately to the work. Something that many analysts seem to have great difficulty doing is putting their egos aside and asking for assistance. I've had analysts tell me that they'd rather "noodle" through something for 3 months or more, so that they could get it themselves, rather than ask for help. I've seen others spend more time than they needed to trying to figure something out when they could've simply asked. Seek out trusted relationships in the field. No one of us knows everything, and the only way to learn is to explore and ask questions. Also, be prepared to give back...if you find something new, share it. Don't use excuses to hide. Sure, others may have seen it before...but more than likely, they haven't said anything either, so the majority of the field has little knowledge of it. You may have a new variant, which could be significant.
jhall236 wrote: 5. Is it prudent to specialize in one or two tools/devices or be a “jack of all trades” investigator?
Yes. There are a number of skills that one needs in this field, but it is also important to have a degree of specialization in an area that applies directly to what you're doing, such as knowing the ins and outs of a particular tool, device or data source.
HTH

Mobile Phone Forensics: Nokia Lumia920 forensic problem

DCS1094 wrote: I believe it may be possible to obtain a physical image using JTAG method(s)?
I've done a Lumia 925 recently. The 920 has similar hardware, so should be doable.

Digital Forensics Job Vacancies: Senior Processing Engineer - London - £37-41,000

My client is a global consulting firm looking to further grow their eDiscovery team. They are looking for a Senior Processing Engineer to perform data intake and processing activities necessary to deliver eDiscovery solutions. The main responsibilities will include the intake of data and the following extraction and processing activities.
Candidate Requirements:
- 4-7 years’ experience in a litigation support environment working with electronic discovery systems in terabyte-sized matters
- 4+ years’ experience with relational database such as SQL Server
- Understanding of digital evidence handling and computer forensics principles and practices
- Proficiency with data management services (loading images to a network, burning CDs/DVDs, loading data into database applications, conducting database inquiries, and developing reports for project teams).
- Well-developed understanding of advanced electronic discovery practices, procedures, and processes (metadata and text extraction, native file to image conversion, OCR processing, and output to document review applications)
- Experience with litigation support software such as EnCase, Nuix, LAW 5.0, IPRO, Wave Trident, and Clearwell.
- Good communication skills with the ability to communicate technical concepts to non-technical personnel in a clear manner.
- Service-oriented, willing to work additional hours as necessary including weekends.
- Able to manage multiple projects and work under stressful conditions and time deadlines.
- Strong analytical and problem solving skills and demonstrated ability to work independently and in a team environment.
- Solid understanding of all Microsoft Office applications and operating systems.
- 2:1 degree in Computer Science or related field strongly preferred
To find out more call Harry Taylor 0207 038 3619 or e-mail ht@warnerscott.com

Classifieds: XRY XACT FOR SALE

General Discussion: Car Camera Forensics

Just to be clear. On which screen are the cameras shown? I've seen navigation systems with the possibility to attach a camera. I would search for snapshots/videos on the navigation system if that's the case.

General Discussion: Password Recovery Software

bsc.Smith19 wrote: Does anyone know of any way to decrypt the original password?
Do you want to decrypt that password or get access to the actual VBA module? I have a couple of possible methods for the second, but not for the first.
http://blog.nig.gl/post/63428658404/excel-vba-password-protection-is-useless
http://davidbugden.com/?p=16 (for the latter method with an Excel 2007 file, open it in Excel and save it in 2003 format)
There is also a freeware tool that does the same as the above:
http://www.excel-tool.com/vbarecovery.html
There are however Commercial tools capable of decrypting the VBA passwords, example:
http://www.rixler.com/eng/vba_password_recovery.htm
jaclaz

Mobile Phone Forensics: Chip Off Services

vkc21 wrote: The client has provided the gmail address, but they can not remember the correct password.
As a side note, normally gmail has a secondary e-mail address to send the forgotten password, hasn't it? I do understand how the "recovery phone number" is the locked phone (nice CATCH22 ;) ) but the alternate e-mail should be there, at least this is what I have as option when asking for help in logging in on my gmail account:
Enter your recovery email address
Enter your recovery phone number
jaclaz

General Discussion: Link file, Volume serial number and external USB

Lucio wrote: I have a link file that reports the Volume Serial Number of an external drive (E: removable). I am trying to understand as much information regarding what kind of device was (brand, model, etc).
I have read a lot of material regarding how to associate USBSTORE[sic] with mounted device but it's not clear how can I prove the connection between a link file and a removable drive if every time the user plugs in a removable device the system assigns the letter E....
Lucio wrote: Is the Volume Serial Number stored somewhere in the registry?
On XP, no. On Win7, you can extract the VSN from key names found beneath the EMDMgmt key, found in the Software hive.
What you can do, however, is create a timeline of system activity that incorporates:
- file system metadata, particularly that of the LNK file in question
- Registry key LastWrite times (System hive in particular, although adding the Software hive may prove useful; you'll also need to incorporate the NTUSER.DAT from the user profile in question)
- Event Logs
Once you get this timeline set up, you shouldn't have any trouble nailing down the specifics about the device (make, model, S/N) that you're looking for.
HTH. Let me know if there's anything I can do to assist. Most of the tools you'll need, and the process, are covered in the timeline analysis chapter of "Windows Forensic Analysis Toolkit 3/e".

Employment and Career Issues: Questions about working in Forensics.

Chris_Ed wrote: Can this ever be 100% true? I think "beyond all reasonable doubt" is a more acceptable term. :)
It's a matter of semantics, really. From my perspective, neither "beyond all reasonable doubt" nor "undeniable proof" are absolute, and are synonymous. Any thoughts on the content?

Employment and Career Issues: I have been offered an interview opportunity with Deloitte

Nirnias wrote: I am just trying to prepare for the interview...
And that's commendable...and you should definitely prepare. However, here's something else to consider in your preparation...
I left military service in 1997, and engaged in the out-processing classes...resume writing, interview prep, etc. The first thing I found during the first few minutes of my first interview...and something that has been reinforced with every interview I've ever had...is that the vast majority of people (including HR) never took the same classes I did! My point is that most hiring managers, HR reps, and interviewers have no idea how to conduct an interview, let alone one focused on a particular skill set.
Some other things I've encountered...
- During an interview at a tech company, the question came up about buffer overflows; as I was explaining what a "buffer overflow" was, when I mentioned "EIP", two of the interviewers got into their own discussion, which went on for about 20 min...during which, I honestly don't think that they would've noticed had I left.
- I've been in interviews where someone would walk into the room for no other reason than they saw someone sitting there, and interrupt the process.
- I interviewed at MicroStrategy several years ago; the interview process was for me to see four people, for an hour each. With each one, the process was 40 min for a brain teaser, followed by 20 min of interaction. The purpose of the brain teaser was to see how well I could "think outside the box" and innovate. All four of the interviewers admitted to using the same puzzle that was used on them during their interview process...so much for innovation.
- I've been to a number of interviews where, after checking in with HR and the hiring manager, I was handed off to folks who had no idea that I would be there, and the first time that they'd seen my resume was while I was standing in their doorway.
- I was once asked during an interview what my "best hack" was. I thought that this was an odd question...in part because I was interviewing for an IR position. Also, the company I was interviewing with was like most companies...they have NDAs with their clients; you'd think that someone would know better than to ask a question that couldn't be answered without violating an NDA.
Again, I'm not suggesting that you don't prepare. What I am suggesting is that you also be prepared for the unexpected. ;)

Mobile Phone Forensics: iOS Spotlight search - reliability

I have two non jail broken iOS devices - iPad Mini and iPad 3rd gen. Both are on iOS v6. I have used some common forensic tools such as Cellebrite PA, MPE+, XRY and Oxygen to read the devices and I am unable to extract the emails (regular problem with no physical extraction support). The item is subject to review and I have been supplied with a keyword list to narrow down the criteria rather than photograph 3500+ emails. However, on using Spotlight to conduct the review the search has returned differing numbers of results for the same term. I have tested this over and over and it keeps changing. Does anyone know why or if any testing has been done to show how Spotlight works or returns results?
Thank you
Rich

Mobile Phone Forensics: Samsung SGH-i747 And. 4.1

I have a GSM Samsung SGH-i747 with Android 4.1. The device will not connect with my Cellebrite UFED (setting changed as prompted). Has anyone had a similar problem?