Channel: Forensic Focus Forums - Recent Topics
Viewing all 20107 articles

Digital Forensics Job Vacancies: Digital Forensics Specialist - London (£35-£45k)

Hi, I am a final year graduate in computer forensic investigation. Can I apply? Thanks

General Discussion: facebook

justtesting wrote: Hi, how do I send a non-member of Facebook a photo to get his IP for a forensics case? By the way, I do know how to send a link, but I want it to be a photo; when pasting it into Facebook "send message" it shows the link of the image. Thanks in advance.

General Discussion: Car Camera Forensics

In my personal experience most original manufacturer systems listed above are tied together by a network of some sort, especially in higher-end vehicles. Most US vehicles use CAN, but there are many more, like Byteflight, FlexRay, LIN, MOST, and even I2C, etc. There are a bunch of ISO standards, and even open source solutions for such networks, including OS (like OSEK). The OBD interface is like trying to enjoy a digital forensics amusement park through a pinhole.

Digital Forensics Job Vacancies: Computer Investigator-London

Servoca Resourcing Solutions are currently seeking an experienced Computer Investigator for a permanent role with one of our commercial clients based in London.

Duties will include but not be limited to:
• The analysis of electronic storage devices to ACPO standards, producing witness statements for court purposes.
• Maintaining a caseload with a variety of internal and external stakeholders
• Use of forensic tools such as EnCase and FTK
• Digital forensic casework involving computers and associated devices to a high standard
• Presenting evidence at court
• Producing reports and witness statements

Experience required:
• 2 years' experience in digital forensics, law enforcement or corporate
• Experience in forensic tools such as EnCase, FTK, IEF etc.
• Knowledge of ACPO Guidelines and the Forensic Regulator's Codes of Practice and Conduct

Desirable:
• Ability to examine mobile phones

Salary: £30-£40K dependent upon experience
Location: London

Please send CVs to SRS@Servoca.com with the reference EH/PR/3166.

Servoca Resourcing Solutions is acting as an Employment Business in relation to this vacancy. We are an equal opportunity employer with a diverse workforce. We provide equal employment opportunities to all employees and applicants for employment and specialise in police recruitment skills related roles.

General Discussion: ext3 $Orphan Files

athulin wrote: This looks like zeroes everywhere. Perhaps a deleted inode, as Ext3 wipes inodes on file deletion (normally, at least).

What do you mean exactly? The whole inode data structures? As far as I know, on file deletion ext3 marks inode and data blocks unallocated (obviously) and wipes direct or indirect block pointers, but all other inode information (MAC times, type, link count, etc.) should be intact.

FS looks fine and I don't have any problems now, but a few months ago I got some error saying that the OS couldn't mount the /tmp directory or something (don't quite remember now), and just a few days ago my whole OS crashed, but afterwards it worked just fine. Also, some of the files were wiped with the general GNU shred utility, and it renames the file to zeroes before deleting, so maybe this could be a factor (but still only a few files were wiped with shred). Anyway, I will update this tomorrow because checking the whole system takes time; maybe I just really do have some general file system problems.

General Discussion: which sectors need Information Sec or Forensics the most ?

athulin wrote: At present, anything dealing with payment card information is one such sector.

I agree with athulin's point, having been involved with quite a number of projects (the most recent project was only last week) for fixed and wireless (GPRS/WiFi/Bluetooth) card terminals at airports for tour operators etc.; security, usage of terminals and transactions, storage of personal data and traceability are influenced by PCI standards etc. I would venture to suggest a forensic analysis of infosec approach might be a useful approach, too.

General Discussion: Password Recovery Software

A few other items of interest with Passware (in my case the forensic edition).

1. Passware tends to throw a lot of "processor utilization time" behind a cracking effort process. I have a new PC with an i7-4770K in it. I noticed the CPU temp was rising during the cracking effort, because I was using the stock Intel CPU heatsink & fan assembly. Granted, Intel throws a pitifully basic aluminum heatsink and a basic fan at you for your CPU's "cooling unit". (At least compared to the nice heatpipe cooling units that AMD provides as their "OEM" cooling unit assembly with their 6-core and 8-core CPUs.) I replaced the Intel OEM cooler with a large "Cooler Master V8" cooling unit. Afterward the CPU temp remained low the vast majority of the time.

2. I don't know the limit to the number of simultaneous jobs you can run together at one time. I have run 2, occasionally 3, jobs in parallel for passwords that I knew needed to be brute forced. When you open a new instance of Passware, if one is already running, you receive a pop-up stating the Passware program is already running. Then you are asked if you want to "start a new job". You just affirm YES to the pop-up and a new job is started. Note: 2 or 3 jobs are about all I ever ran at one time. The CPU tends to want to come close to hitting 100% utilization with 2 jobs. With 3 jobs it does hit 100% and tends to stay there. There are ways to limit the CPU utilization by downgrading the CPU thread's "priority" in Task mgr. Or just start each separate Passware process with low priorities.

3. Batch jobs - if you have a large group of files to crack, you can have Passware "search for protected files". Then from the resulting list you can highlight the files you want to decrypt. You are told beside each protected file that Passware finds whether it is an "Instant Unprotection", like a PDF with a 40-bit encryption password, or whether an unknown password appears to require a "Brute force" attack. Based on those results you could pick all the easy ones first, as in all of the "instant unprotection" files. Or choose all the harder "brute force" files. Then walk away and let Passware just do its thing. Either way, Passware processes each file in your list, one after another, until it finishes.

Mobile Phone Forensics: Samsung SGH-i747 And. 4.1

meadowscl3 wrote: I believe the issue I'm having is with the USB port. It appears the phone is set to charge only and I can't find the setting to remove this... Any suggestions?

Have you tried using a second cable or cleaning the contacts with compressed air & a brush?

General Discussion: Car Camera Forensics

Looking at the last image, those two ICs do not look like NAND chips. I could be totally wrong, but I do not think they are because of the packaging (shape of the case, leg placement and leg count), location on the PCB, and the surrounding items. Now, behind the left arrow (exactly where the tip ends) there is a rectangular-shaped IC with a white sticker on it - that might be an EEPROM, and remotely possible, a NAND. The one on the left of that, also with a white sticker, might be a NAND, or more likely a uDiskOnChip or similar. A top-down picture would be awesome. Now I am going to spend endless hours to verify my above conjecture.

General Discussion: Recycle Bin with X-Ways

I am examining a Windows 7 OS installed on an SSD with X-Ways 17.3. A large number of files show the same "Record Update" date and time or are within milliseconds of the same time. They are shown as "Previously Existing Files". Several of the files have the exact same Created, Modified, Accessed and Record Update date and time. Can I interpret this date as the date the Recycle Bin was emptied? Is there another way to confirm it?

Forensic Hardware: mSATA adapter

Sorry, it cut off my picture. I ended up buying a mSATA SSD to 2.5" SATA adapter. That one worked. The one that I bought did not fit because the gap between cables was too big for the slot in the adapter. The picture on top is the one that worked. The small black one on the bottom didn't fit.

Forensic Hardware: mSATA adapter

kbertens wrote: Nice to have an overview like this.

OT, but IMHO well worth it, a "common hardware connections" poster: http://sonic840.deviantart.com/art/Computer-hardware-poster-1-7-111402099 not fully updated to latest thingies, but still useful.

Warning: The full download is a 4320x6120 .PNG, sized 24 Mb.

jaclaz

General Discussion: http://www.odnoklassniki.ru/

Digital Forensics Job Vacancies: Computer Forensics - Senior Manager - Dubai - £72k to £90K

My client, a global consultancy firm, is looking for a Senior Manager to join their Computer Forensics team in Dubai. You will have extensive knowledge and experience of managing large collections followed by electronic reviews to investigators and lawyers and performing computer forensic expert analysis. Preferably you will also be experienced with the tools Nuix and Relativity plus experience in conducting cyber investigations. You will have differentiated yourself from your peers with your ability to code, build processing systems, manage multiple matters at any one time and will have a reputation for attention to detail and quality work.

Key skills and experience include:
• Computer forensic experience
• Experience of managing a team and project
• Strong degree in a field with emphasis on technical, analytical and/or problem solving skills
• Strong work ethic
• Excellent verbal and written communication skills in English
• An ability to present to and build relationships with clients
• Flexibility on working hours and a willingness to work on projects abroad
• Strong problem solving and conceptual thinking capabilities

Qualifications

Required technical skills:
• Forensic collection and expert witness skills/training, including EnCase certification (or equivalent)
• Programming or scripting skills (e.g. EnScript, VB, C#, .Net, VBA)
• Ability to manage multiple large forensic collections
• Proven experience in managing Big 4 engagements including take on, billing and closure

Desirable technical skills:
• Network security qualifications
• Experience in the use of electronic processing and review tools, including Nuix and Relativity

We would also consider applications that do not meet all the above requirements. You would ideally have all the required skills but may not exhibit all the technical skills listed.

E-mail ht@warnerswcott.com or call +44(0) 207 038 3619

Forensic Software: EnCase Issues

Any ideas on how to extract emails as .pst on EnCase?

General Discussion: Games Console Forensics

Hopefully this helps someone, just seen Magnet Forensics are working on "A new gaming console imager" which sounds pretty interesting to me! Web artifacts are now also supported from an Xbox following a recent release this month of IEF. http://www.magnetforensics.com/magnet-forensics-announces-new-video-game-platform-support/

General Discussion: Car Camera Forensics

I second jhup, most likely not NAND chips. Shame we don't have a shot of the board outside of the box. Just to throw my $0.02 in, we've done some analysis on in-dash systems as well. Usually the storage devices are brought to us (we don't pull them, so I couldn't tell you where they store them), and I believe they've been from Ford or similar quality vehicles. But ours have been spinning hard drives. To throw a wrench into the whole thing though, the ones we've seen were locked, so we needed to use some firmware altering tools to unlock them to access their contents.

Mobile Phone Forensics: 5003.jpg and iOS file system

topsirloin wrote: Each image within the DCIM folder appears to have another image named 5003.jpg embedded within itself in the Photodata folder.

Could you confirm the full file path? Off the top of my head, I believe the 5003.jpg file is a thumbnail of the original picture file that is mentioned within its file path. The Photodata folder contains db files/thumbnails of files located within DCIM. I have had quite a few recently (using Cellebrite & XRY) that have been extracted from the Photo stream folder, within the following location:

/private/var/mobile/Media/PhotoData/Thumbnails/V2/PhotoStreamsData/100APPLE/<IMG_xxxx.jpg>/5003.jpg

Or something like that path, I'll check when back in the office.

topsirloin wrote: I'm finding if I need to generate a PDF image report, it is taking many times longer than usual. Is anyone else experiencing this?

Yes, now I am resorting to only providing what data the OIC has requested. Once you have opened up the Images tab at the top of PA, view the picture files via folder structure instead of the usual thumbnails/list view. Then only select the relevant folders to export, i.e. exclude predefined folders and select the obvious, i.e. DCIM (1st gen and stored pictures), chat attachment folders etc. Might save you a bit of processing time and a headache hunting through the default files installed via applications etc.

Mobile Phone Forensics: Samsung SGH-i747 And. 4.1

Thanks for the information. I believe the issue is hardware related and not software.

General Discussion: RAM - Code injection

Hi,

Thanks a lot for your answer. I'll try API Monitor to see if the returned information is useful in this case. I must admit that I am not too comfortable with disassemblers/debuggers... I'll have to work on this!

Finally, I tried other ways to collect information:
- I virtualised the system and used GMER to detect abnormalities. This confirmed the dll was malicious and let me find a suspect driver.
- Using the log on boot option of Autoruns, I found that the dll was charged as a service which loaded the driver...
- Analysis of these files will certainly give me more clues!

Have a nice day
Thierry