Channel: Forensic Focus Forums - Recent Topics
Viewing all 20109 articles

Mobile Phone Forensics: Start up, Mobile forensics as a part time job Opinions ple

DCS1094 wrote: Furthermore, it's all well and good you using the software tools but you need to be familiar with the guidelines (in UK ACPO) and possibly invest in training? I would echo this statement. Anybody can press a button and get data from a device. But without correct handling and training any data recovered may be tainted and inadmissible. If you are in the UK I can personally attest to the quality of training from Control-F, Kevin Mansell is a fantastic trainer and really knows his stuff. www.controlf.net If you are US based then SANS or Teel Technologies also provide exceptionally good training, though that is feedback from friends/colleagues/acquaintances rather than personal experience. http://www.teeltech.com/mobile-device-forensics-training/ http://www.sans.org/find-training/ Good luck. Colin

General Discussion: MsnMsgr.txt & ContactsLog.txt

Hi, I have a case where I have 54 of each of the above files in a number of different directories: 1 of each file in the C:\Users\<userid>\AppData\Local\Microsoft\Messenger directory; 3 of each file in 3 different C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report<8 char hex> directories; 50 of each file in 50 different C:\Users\<userid>\AppData\Local\Microsoft\Windows\WER\ReportQueue\Report<8 char hex> directories. As I understand it the 'default' location for these files is the C:\Users\<userid>\AppData\Local\Microsoft\Messenger directory.

As far as I'm aware, both files contain communication logging information relating to the use of MSN Messenger (MSNM) and Windows Live Messenger (WLM). However, I'm interested to know what the files in the Windows Error Reporting (WER) directories relate to. From having a quick look around, WER automatically collects errors when applications crash, so I'm assuming these have been created when MSNM and/or WLM crashed and placed in a randomly generated(?) directory name?

The main reason for looking into these files is that an individual has been using a couple of legitimate email addresses on their laptop as well as one pretending to be someone else. What I need to do is try to find occasions when the individual has been using MSNM/WLM as one email address and very shortly afterwards has switched to the other email address. I wrote a piece of Python code to parse the files looking for all occurrences of the email addresses I'm interested in and exported this out in the format 'full path of file';'date';'time';'email address'. The results have proved useful but my problem is whether I can say the individual was at the keyboard all the time whenever an email address is referenced in either file. For example, if you leave yourself logged into WLM and walk away, is the ContactsLog.txt being updated or does it only get updated when you're actively using WLM?
I have one instance where one email address appears active from midnight to just after 5am. Does this mean the individual was chatting away all that time or did they just go to sleep and leave their laptop on whilst logged into MSNM/WLM? Are both the files exclusive to MSNM/WLM or would they get updated when a user logs into their email? I also have some relevant Skype chat that overlaps the same date and time in my ContactsLog.txt file. Again I think I can work around this in as much as the individual could be chatting on Skype whilst also logged into WLM but not using it. Any help/guidance gladly received. Cheers, Chris
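The correlation step Chris describes (find one address followed closely by the other, and decide what a long run of one address actually shows) can be done directly on the export he already produces. The script below is an added example, not Chris's own code: it reads records in the 'full path';'date';'time';'email address' layout from the post, lists address switches inside a short window, and for each run of a single address reports the longest silence inside it, which is the number that separates "client left logged in" from "someone typing". The date and time formats (YYYY-MM-DD, HH:MM:SS), the 10 minute and 60 minute windows and the sample records are assumptions made for the example, not case data.

```python
"""Correlate exported messenger-log hits: account switches and idle stretches.

Added example, not the poster's own script.  It consumes the export the post
describes ('full path of file';'date';'time';'email address').  The date and
time layouts (YYYY-MM-DD, HH:MM:SS), the window sizes and the sample records
are assumptions made for the example, not taken from the case.
"""
from datetime import datetime, timedelta

# Constructed sample export (not case data): a real address and an alias.
SAMPLE_EXPORT = "\n".join([
    r"C:\Users\u\AppData\Local\Microsoft\Messenger\ContactsLog.txt;2014-03-10;23:58:10;real@example.com",
    r"C:\Users\u\AppData\Local\Microsoft\Messenger\ContactsLog.txt;2014-03-11;00:02:41;alias@example.com",
    r"C:\Users\u\AppData\Local\Microsoft\Messenger\ContactsLog.txt;2014-03-11;00:15:03;alias@example.com",
    r"C:\Users\u\AppData\Local\Microsoft\Messenger\ContactsLog.txt;2014-03-11;03:40:12;alias@example.com",
    r"C:\Users\u\AppData\Local\Microsoft\Messenger\ContactsLog.txt;2014-03-11;05:04:55;alias@example.com",
    r"C:\Users\u\AppData\Local\Microsoft\Messenger\ContactsLog.txt;2014-03-11;05:06:30;real@example.com",
])


def parse_export(text):
    """Return (timestamp, email, path) tuples sorted by time.
    rsplit keeps a path that happens to contain ';' intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, date, time, email = line.rsplit(";", 3)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, email.strip().lower(), path))
    events.sort()
    return events


def account_switches(events, window=timedelta(minutes=10)):
    """Consecutive hits where the address changes within `window`: the
    'logged in as A, then as B shortly after' pattern the post wants."""
    switches = []
    for (t1, e1, _), (t2, e2, _) in zip(events, events[1:]):
        if e1 != e2 and t2 - t1 <= window:
            switches.append((t1, e1, t2, e2))
    return switches


def sessions(events, idle_threshold=timedelta(minutes=60)):
    """Group consecutive same-address hits into runs and record the longest
    silence inside each.  A midnight-to-5am run with a multi-hour gap in it
    shows a client left logged in, not a person at the keyboard."""
    runs = []
    cur = None
    for ts, email, _ in events:
        if cur is not None and cur["email"] == email:
            cur["max_gap"] = max(cur["max_gap"], ts - cur["last"])
            cur["last"] = ts
            cur["hits"] += 1
        else:
            if cur is not None:
                runs.append(cur)
            cur = {"email": email, "start": ts, "last": ts,
                   "hits": 1, "max_gap": timedelta(0)}
    if cur is not None:
        runs.append(cur)
    for run in runs:
        run["idle"] = run["max_gap"] > idle_threshold
    return runs


if __name__ == "__main__":
    ev = parse_export(SAMPLE_EXPORT)
    for t1, e1, t2, e2 in account_switches(ev):
        print(f"switch {e1} -> {e2} after {t2 - t1} at {t2}")
    for run in sessions(ev):
        print(f"{run['email']}: {run['start']} .. {run['last']} "
              f"({run['hits']} hits, longest gap {run['max_gap']}, idle={run['idle']})")
```

On the constructed records this reports two switches (real to alias at 00:02, alias back to real at 05:06) and flags the five-hour alias run as idle because its hits are hours apart. The idle flag is only as good as the logging behaviour of the client, which is exactly the open question in the post; it narrows down which stretches need corroboration from another source (the overlapping Skype chat, for instance) rather than settling it.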

Employment and Career Issues: Questions about working in Forensics.

keydet89 wrote: It's a matter of semantics, really. From my perspective, neither "beyond all reasonable doubt" nor "undeniable proof" are absolute, and are synonymous. For NO apparent reason ;) : http://cdn.motinetwork.net/motifake.com/image/demotivational-poster/0810/only-a-sith-deals-with-absolutes-motifakes-demotivational-poster-1225143426.jpg jaclaz

General Discussion: Msc. Cyber Security Versus Msc. Forensics

Hey MPF, Your reply was very instructive and gave us a clear idea of the actual forensic career. Sorry for taking so much time to reply but this week was crazy for me. The cyber security course also contains topics relevant to forensics, so if someone wants to have knowledge of both. I hope to meet you in person soon. Davismu.

Employment and Career Issues: Questions about working in Forensics.

Quick question: 96hz wrote: 3. What is the most rewarding aspect of your job? Finding answers and getting it right; and helping others understand important technically complex issues. How do you know when you've "got it right"? This question has puzzled me for a long while. For the most part, we all work in some modicum of isolation...we're either working alone, or on a small, isolated team. What I mean by that is that, as a community, we don't share findings. About four years ago, I was doing some host-based analysis as part of an APT engagement, and found something fascinating. Due to the logging that had been enabled on the system I was analyzing, I was able to clearly see the malware being loaded via the DLL search order vulnerability. I was sure that I was right, because I had all of the data points...the system was Windows XP, so the file system was still recording last accessed times, including when DLLs were loaded into memory. However, when I tried to describe it to other team members, I just got blank stares...most didn't even know what the DLL search order vulnerability was. I was sure that I was right, and thought it would be a great topic to blog about, but I was told to not say anything and not share it with anyone. A couple of weeks later, something very similar was posted to the Mandiant blog (written by Nick Harbor). Beyond that kind of validation, how do we know that we're right?

General Discussion: Recovering DVR video

Jaappie wrote: HexDrugsRockNRoll wrote: If you have the make and model of the DVR unit, you may be able to find out what format it records the video in. Then you may be able to carve. Have you looked at the contents of these files? How large are they? What information did these tools give you? Try running 'parted' from Terminal in your Linux OS against the image of the disk to see what info that gives you on the partitions. The parted command showed the "Type" field as empty. But the ID of the partition is 83, which means it's Linux based I believe. The *.nvr files are about 20-100 kb each, so probably no video inside these files. The partition of the *.nvr files is also 1 GB. A little bit small for video. The unknown partition is 475GB, probably where the video is stored. It has no real brand but the DVR contains the text "H.264 8CH Digital Video Recorder" and the underside contains "HR D9008V". Hey Jaappie, 2 things you need to consider: if the hard disks are already full in space you should know that retrieving the previously recorded videos is impossible since they are overwritten. Another thing is, a DVR is an integrated system that comes with monitors and an operating system; most DVRs won't display what they've saved unless they are placed on their original OS.
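Since the unit advertises H.264 and the 475 GB partition has no recognised file system, the first carving check is whether the partition holds raw H.264 elementary-stream data at all. The scanner below is an added example, not code from anyone in the thread: it looks for Annex B start codes (00 00 01, usually written as 00 00 00 01), reads the NAL header byte that follows, drops hits whose forbidden bit is set, and reports offsets where an SPS, a PPS and an IDR slice occur back to back, which is the minimum a decoder needs and so the natural place to begin a carved file. The sample bytes are constructed; whether this particular DVR writes bare Annex B or wraps it in a proprietary container is not known from the thread, and an empty result from this scan on the real image is itself the answer to that.

```python
"""Find H.264 Annex B NAL units in a raw image as a first step to carving.

Added example, not from the thread.  Annex B streams separate NAL units with
the start code 00 00 01 (often 00 00 00 01); the next byte is the NAL header,
whose top bit must be 0 and whose low five bits give the nal_unit_type
(7 = SPS, 8 = PPS, 5 = IDR slice, 1 = non-IDR slice).  The sample buffer is
constructed, and scanning an in-memory bytes object stands in for reading the
partition image in chunks.
"""
import re

NAL_TYPES = {1: "slice", 5: "IDR slice", 6: "SEI", 7: "SPS", 8: "PPS", 9: "AUD"}
START_CODE = re.compile(rb"\x00\x00\x01")


def find_nal_units(buf):
    """Return (offset, nal_unit_type) for each plausible NAL unit in buf.
    The offset points at the start code, including the extra leading zero of
    the four-byte form.  Headers with forbidden_zero_bit set are discarded,
    which removes many accidental 00 00 01 hits in unrelated data."""
    units = []
    for m in START_CODE.finditer(buf):
        pos = m.start()
        if pos + 3 >= len(buf):
            break
        header = buf[pos + 3]
        if header & 0x80:
            continue
        start = pos - 1 if pos > 0 and buf[pos - 1] == 0 else pos
        units.append((start, header & 0x1F))
    return units


def carve_points(units):
    """Offsets where SPS, PPS and an IDR slice appear consecutively."""
    types = [t for _, t in units]
    return [units[i][0] for i in range(len(units) - 2)
            if types[i:i + 3] == [7, 8, 5]]


# Constructed buffer: junk containing a false start code (header 0xFF), then
# SPS, PPS, IDR slice and a non-IDR slice with token payload bytes.
SAMPLE_IMAGE = (
    b"\xaa\xbb\x00\x00\x01\xff"
    + b"\x00\x00\x00\x01\x67" + b"\x42\x00\x1e"     # SPS   (header 0x67)
    + b"\x00\x00\x00\x01\x68" + b"\xce\x38\x80"     # PPS   (header 0x68)
    + b"\x00\x00\x01\x65" + b"\x88\x84"             # IDR   (header 0x65)
    + b"\x00\x00\x01\x41" + b"\x9a"                 # slice (header 0x41)
    + b"\x00" * 4
)

if __name__ == "__main__":
    units = find_nal_units(SAMPLE_IMAGE)
    for off, t in units:
        print(f"{off:#010x} {NAL_TYPES.get(t, f'type {t}')}")
    print("carve from:", [hex(o) for o in carve_points(units)])
```

On a real image read the partition in large overlapping chunks and feed each to find_nal_units, adding the chunk offset to the results. A high density of SPS/PPS/IDR triplets at sector-aligned offsets is a strong sign of a simple ring-buffer recorder, and the distance between consecutive IDR hits gives the GOP size to expect when deciding where one carved clip should end.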

Mobile Phone Forensics: Android based SD-CARD trails

So 90% of the mobile devices we receive are without an SD card, knowing that they previously had SD cards which were removed by the user before handing over the phone. Is there a technical way of proving that there was an SD card associated with the mobile device? In most cases it's an Android based phone. Cheers.

General Discussion: Facebook Forensics

sirjeimz wrote: Hi, Is there any way of tracking an IP Address in Facebook Chat realtime or otherwise? I have a case in that I wish to track down the IP Address of a FB User so I can locate. Is there a way? Method? to do it, through realtime or is it logged anywhere?? I think you can use netstat -an while chatting with the Facebook user. It should show you his IP.

General Discussion: Artifacts of wiping

datendrache wrote: I didn't see this answer yet, so here's a possibility: There can be many possibilities (even an adequate number of monkeys pressing the "W" key ;) may be one), but if the drive has been encrypted with BitLocker (as the OP stated) and the BitLocker encrypting process does write "W"s on unallocated space (as found out by HexDrugsRockNRoll and as confirmed by the given MS TechNet blog) I still find it a much more probable possibility. jaclaz
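Before attributing a fill pattern to any particular process it helps to know exactly where it sits and how much of the disk it covers: a run of 'W's confined to unallocated sectors tells a different story from one that cuts across live file clusters. The script below is an added example, not code from the thread: it walks an image sector by sector, records contiguous stretches where every byte of a sector is the same value, and returns each run's offset, length and fill byte, so the 'W' (0x57) pattern can be measured alongside zero-fill or any other constant. The 512-byte sector size, the minimum run length and the sample image are assumptions made for the example.

```python
"""Map runs of a single repeated byte (e.g. 'W', 0x57) across a disk image.

Added example, not from the thread.  Sector size, minimum run length and the
sample image are assumptions for the example.
"""

SECTOR = 512


def uniform_byte(chunk):
    """The byte value if chunk is one repeated byte, else None."""
    if not chunk:
        return None
    return chunk[0] if chunk.count(chunk[0]) == len(chunk) else None


def find_fill_runs(buf, sector=SECTOR, min_sectors=2):
    """Return (offset, length_in_bytes, fill_byte) for each run of at least
    min_sectors consecutive uniform sectors sharing the same fill byte.
    A trailing partial sector is measured by its real length."""
    runs = []
    cur = None  # [start, end, value] of the run being extended
    for off in range(0, len(buf), sector):
        chunk = buf[off:off + sector]
        value = uniform_byte(chunk)
        if cur is not None and value == cur[2]:
            cur[1] = off + len(chunk)
            continue
        if cur is not None and cur[1] - cur[0] >= min_sectors * sector:
            runs.append((cur[0], cur[1] - cur[0], cur[2]))
        cur = [off, off + len(chunk), value] if value is not None else None
    if cur is not None and cur[1] - cur[0] >= min_sectors * sector:
        runs.append((cur[0], cur[1] - cur[0], cur[2]))
    return runs


def summarise(runs):
    """Total bytes per fill value, keyed by the printable character where
    there is one ('W') and by hex otherwise ('0x00')."""
    totals = {}
    for _, length, value in runs:
        key = chr(value) if 0x20 <= value < 0x7F else f"0x{value:02x}"
        totals[key] = totals.get(key, 0) + length
    return totals


# Constructed image: varied sectors, three 'W' sectors, one zero sector,
# one lone 'W' sector, more varied data.
VARIED = bytes(range(256)) * 2   # one 512-byte sector of non-uniform data
SAMPLE_IMAGE = (VARIED * 2 + b"W" * (3 * SECTOR) + VARIED
                + b"\x00" * SECTOR + b"W" * SECTOR + VARIED)

if __name__ == "__main__":
    for off, length, value in find_fill_runs(SAMPLE_IMAGE, min_sectors=1):
        print(f"{off:#010x} {length:8d} bytes of {value:#04x}")
    print(summarise(find_fill_runs(SAMPLE_IMAGE, min_sectors=1)))
```

Run it over a raw image and then intersect the reported offsets with the file system's allocation map (cluster bitmap or $Bitmap): a pattern that begins and ends exactly on unallocated-cluster boundaries is consistent with a process that deliberately targeted free space, while runs that straddle allocated clusters point at something else, such as a wiped file or a partition that was never formatted.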

Mobile Phone Forensics: cdma2000 CSA radio test measurements

cdma2000 CSA radio test measurements Research that may interest some FF members on the mobile forum side http://cellsiteanalysis.blogspot.co.uk/2014/03/cdma2000-csa-radio-test-measurements.html

General Discussion: facebook

Thanks John, I did reply to your note asking for a work email address for your lab/force, rather than a GMAIL account - this type of investigative technique is not really something we would share on a forum or to speculative users. There is some advice on the other thread that you've contributed to about this topic. Sorry I can't be of further assistance at this time. Regards, Ross

Employment and Career Issues: Questions about working in Forensics.

jhup wrote: I believe he disagrees, as do I, on the point that the Yahoo! Group mailing list in question is a credible resource. You cannot have it both ways in an intelligent discourse. If you go down the path of nit-picking "undeniable proof", you must be able to sustain your "credible resource". Live by the semantics, die by the semantics. I'm sorry if I didn't make it clear enough - I don't find any source, short of vendor-specific data, credible - which is why I then stated the following: Quote: But anything you find should then be verified and tested. And as for the win4n6 list - there have been times in the past where I've found either content or linked content very useful. I guess this is.. wrong..? (I will be stealing the verb "to Kanye" though :) )

Employment and Career Issues: Job Opportunity eDiscovery Analyst - London - £45,000

eDiscovery Analyst – Global Transcription & Court Reporting Firm, London £35-45k Our Client is a global transcription and court reporting firm that provides high-technology litigation support to government agencies, law firms and investigation teams. Our client is now looking for an eDiscovery Analyst to administer eDiscovery document processing. Skills Required: 2+ Years' experience within the eDiscovery/Legal Technology market. 2+ Years' experience of eDiscovery tools such as LAW, NUIX, Digital Reef or similar. 2+ Years' experience of litigation support databases e.g. Relativity, Concordance, Ringtail and other legal review databases. Experience working with SQL databases. RCA (Relativity Certified Admin) highly advantageous but not required. A critical thinker with strong commitment to quality, solid communication and interpersonal skills. Ability to face clients, when required, for technical or consultative advice. Bachelor's degree in computer science, mathematics, statistics or equivalent experience. Responsibilities: Work closely with Project Managers on day-to-day tasks including project tracking, data processing, production requests, and data analysis. Under general supervision, performs routine transactions in support of the eDiscovery team. Maintains accurate records of electronic evidence gathered and stored. Process eDiscovery documents. Conduct verification of evidence collected. Due to the nature of the documents handled, the successful candidate will have a criminal records check. This position is based in Central London. The salary will be in the region of £35,000-£45,000 depending on experience. To apply contact Mark Lennard at Lewis Paige on 0207 871 9909 or email mark@lewispaige.com

Digital Forensics Job Vacancies: Project Managers and Business Developers, London

My client, a global consultancy, is looking for Assistant Project Managers, Project Managers and Business Developers to support their booming London practice. Experience within an eDiscovery environment is mandatory. Assistant Project Manager - £25-35,000 - 2-3 years experience. Project Manager - £35-50,000 - 3-6 years experience. Business Development Manager - £40,000 to £80,000 - proven success within previous role(s). Contact ht@warnerscott.com or call Harry Taylor on 0207 038 3619

General Discussion: Facebook login URL

I am working a case where I am trying to determine if the suspect logged into Facebook from the victim's computer. The computer is running Win8 and there is no browser history in anything other than IE10. Yes, I know I can't prove the suspect is the one who logged in, but to make a long story short, I am trying to see if his account logged in from this computer. I ran IEF against my image and found urls on the date and time I am looking for. One of the urls of interest is styled "https://www.facebook.com/XXXXXXXX[i]?ajaxpipe=1&ajaxpipe_token=AXiQBPkXyo0LDZk1&quickling[version]=1137246%3B0%3B1%3B0%3B&__user=XXXXXXXX[i]&__a=1&__dyn=7n8a9EAMBlCFUSt2u6aOGUGy6zECQqbx2mbAKGiyGGEVF4YxU&__req=jsonp_3&__rev=1137246&__adt=3" This is from the WebCacheV01.dat file I am trying to determine if this is where the suspect logged into their account, or if this was the victim merely viewing the suspect's page. Is there anything in a url, or is there a list of Facebook urls that would tell what to look for if someone logged into their Facebook account? AccessData says there are logs kept in the temporary internet file whenever someone logs into Facebook (profile[#].htm). The information I have is from Win7, I am not finding the information where AD says it should be in Win8. Did it move in Win8? In short, is there any way of telling by url information, if someone logged into that account?

Education and Training: Cellebrite Training Pacific NW

Anyone know of any upcoming Cellebrite training in Washington or Oregon state?

Mobile Phone Forensics: Samsung SGH-i747 And. 4.1

I believe the issue I'm having is with the USB port. It appears the phone is set to charge only and I can't find the setting to remove this... Any suggestions?

General Discussion: Car Camera Forensics

About 10 years ago my wife had an Audi that was on a long life service schedule. I had it serviced at an Audi dealer and it showed 10,000 miles to next service. (She only drove about 4,000 miles a year so 10,000 seemed about right.) Within 4 months the car had done less than 2,000 miles and the indicator was showing service due. I booked an appointment and then went back to the Audi dealer to try and find out what was happening. A guy came out to the car, connected a laptop to the diagnostics port and started examining the data. I could see that it contained details of every time the car was started and stopped, how long the engine had been running and lots of other information. He said that there was a fault and reset the service indicator. What struck me was the amount of information stored on the computer of a (now) 12 year old Audi. I believe that there must be a lot more information available on modern cars that is only being accessed and used by motor service personnel. The problem seems to be that motor manufacturers and dealers either do not know or will not say what is in their cars. I remember working on a kidnap case, about 6 years ago, in which a Range Rover was used. I located the on board sat nav and discovered that it was manufactured in Canada. Neither Range Rover nor the sat nav manufacturer would help. In the end I resorted to the old method of taking screen shots of the head unit. I wish you all the best with your investigation and would be interested in hearing how you progress.

Digital Forensics Job Vacancies: Digital Forensics Specialist - London (£35-£45k)

Evening all. We are looking to fill several vacancies including computer analyst(s), mobile devices analyst and cell site specialist. If you are interested please email the address on the advert. For computer analysts we would consider a higher salary than that shown for candidates with additional skills such as but not limited to eDiscovery, Incident Response and security skills. Thanks.