Hey all. I'm a third year Digital Forensics student currently looking at the area of social discovery and evidence recovery from social networking sites such as Facebook and Twitter. For my assignment I am required to develop a tutorial in some particular area of digital forensics. I am looking closely at this area because I think it's new and relevant today. The problem I am having is I cannot find any good free tools to work with.
My idea is to set up a few social networking accounts and create a scenario that may involve something such as a suspicious death. I want to be able to have evidence on these accounts that something suspicious may have been going on between the account holders, and I want to be able to reach a fairly straightforward conclusion from the evidence I recover.
I am looking for any helpful advice. I have applied for some free trial versions of software such as X1 Social Discovery, which seems to have the best rep on the web. I have not received any reply from two requests, probably because I'm a student. I have looked at software from Afentis Forensics, but it does not seem very good on first try (poor interface and structure).
I would welcome any recommendations on tools or any ideas on other tools I could use such as FTK, which may work for this.
I am also eager to find out exactly what kind of information you can recover from Facebook/Twitter other than posts, images, videos and chat history.
Is there anything more in depth that can be recovered ?
Are there any other tools I should be looking at ?
Are there any other folders/locations/files that I should be looking at ?
Sorry, that's quite a long post.
I intend to use a Windows laptop for this assignment and perhaps an Android and an Apple phone.
Thank you for your advice
Education and Training: Social Discovery Project help
Education and Training: tumblr forensics - beta testers
Hello Cath,
I followed the link and sent you a message using the contact form. However, after clicking "send" I did not get any message saying thanks for your message, etc. Instead I just got an error message below asking me if I really wanted to leave live chat.
Looks to me that your contact form needs some "improvement".
Can you confirm that you have received my message ?
Thanks in advance
Daniel
Mobile Phone Forensics: Need help with timestamps
Have you tried contacting the vendor?
You may get "an" answer quicker via sources such as this forum, but you will get "the" answer if you contact the vendor. If you're using a licensed version of their product, I'm not clear as to why contacting them would be an issue.
General Discussion: Forensic acquisition of a Secure Boot enabled system
ridders wrote:
Jaclaz,
Thank you for your response, I should have mentioned in my first post, what the result is from booting from USB or CD. The result is the following:
If I attempt to boot from USB, I get the error "Setup Warning: Boot failure", this then returns to the boot device selection page.
Or if I attempt to boot from CD, I get the error "Image failed to verify with *ACCESS DENIED*. Press any key to continue", this proceeds to another page which presents "Failed to start loader.efi (14) not found".
Yep :), but it may depend on WHAT you attempt to boot from CD/DVD or USB.
You need to boot *something* that also uses a Secureboot compatible bootloader/bootmanager.
If the BIOS/UEFI is really "locked down" I guess that you are stuck. :(
What you need is a forensically sound Linux live CD compatible with Secure Boot, or to "merge" this:
http://www.911cd.net/forums//index.php?showtopic=25269
with WinFE:
http://reboot.pro/topic/19036-mini-winfe/
of course you will need to experiment on a test machine.
Fedora is one of the "approved" Linuxes; I cannot say if any specifically "forensic" distro exists with these.
Additionally and really "rare", but JFYI:
http://www.forensicfocus.com/Forums/viewtopic/t=9426/
http://www.forensicfocus.com/Forums/viewtopic/t=8383/
http://www.forensicfocus.com/Forums/viewtopic/t=7907/
jaclaz
General Discussion: Meaning of lost filenames and dates
IMHO.
docflied wrote:
"The directory DIR was used to store numerous files believed to contain X, Y and Z file types.
This is "vague" and not entirely accurate "believed" by WHOM, and WHY?
Also the sentence may make sense ONLY if the "numerous files" are "container" files, such as .zip or .rar or similar.
docflied wrote:
Files are : meaningfullname1 to meaningfullname10
The above files were known to have been present in the directory. File system timestamps indicate that they were last accessed around HH:NN on D Month Year and deleted around HH:NN on D Month Year.
Investigators have attempted carving these files from free space on the system to determine their contents, however the files were unrecoverable. Some of these files may have been present for legitimate purposes.
This is most probably the result of finding traces of activity and/or fragments of directory listings, nothing "strange" in that.
docflied wrote:
This directory was also used to store malicious files : meaningfullname11 to meaningfullname16K. Due to the files metadata having been overwritten, the initial date of their presence and their deletion date are unknown"
This is more "strange".
Have the actual files been recovered?
If yes, including their filenames (but without any metadata)? :o
Or the filenames have been recovered (but not the files)?
If the latter, to play devil's advocate, I can make a file named:
virus_that_will_destroy_the_internet.exe
with inside it just a plain "Hello World!".
If - by any chance - a "real" virus with that exact filename actually exists, that does not automatically mean that the file on my computer is necessarily malicious or the same file.
As always, though I do understand how privacy (or whatever) reasons prevent you from posting the EXACT contents of the report, this way there is a concrete risk that what you posted is not accurate, in the sense that it is a partial (and "simplified" or "dumbified") version of the report, and the observations I made above only apply to the posted version and not to the "real thing".
jaclaz
General Discussion: XBOX Live
Hi everyone.
As part of my final year project at university, I am investigating games consoles and performing a forensic analysis of the XBOX 360.
I have purchased some downloadable content as part of an experiment. Presently I have found the content purchased (Untold Stories bundle for Resident Evil 5) and using siggggggy, the gamertag of the XBOX Live account that is registered to the console. However, I would also like to recover my bank details that were used to make the purchase. Can anyone please tell me if this is possible and if it is, how it could be done?
Thanks
Chris.
Employment and Career Issues: Interview question about preserving metadata
I am not sure what you mean by "in house tools," but I am assuming that you mean tools on site (forensic tools) and not tools literally in your actual house. I am also assuming by media, you mean physical media, like a physical spindle hard drive, and not a local volume like the C: drive in Windows.
To your first question on preserving metadata, I am assuming all you mean is you don't want to alter the file or its contents. For that you usually use something called a write blocker; you connect that to your hard drive so that it is read-only. That way nothing is ever written to it, preserving both the metadata and the content. I believe EnCase does have a software write-blocker module, but what you usually want is a hardware write blocker (the reason being that the BIOS can still write to the drive when you use a software write blocker). If you are doing forensics work on the drive (this is to say you must interact with and possibly change what is on the drive), it is just as you said: you will probably be making a copy through a write-blocked drive with things like EnCase or dd_rescue, before processing it with EnCase, X-Ways, FTK, or whatever the company uses.
Chain of custody, to my understanding, is just a form you fill out so there is documentation on your evidence. You just want to document every move you make, however your company wants. That said, I am still a student and a total noob in this topic, so take it with a grain of salt.
Also, I totally feel your eagerness; I'm looking for jobs/internships myself. Hope this helps. Good luck with the interview.
Forensic Software: Single File/Folder Acquisition not with FTK
I hate to say this as it costs money, but if you already have EnCase... why not take a look at EnCase Portable as well for portable acquisition? My second question is why FTK Imager in the first place, when EnCase has a free imager? It's not as complete as FTK's free imager, but if all you need is imaging and not parsing or searching it may be something worth checking out.
Link to Guidance's imager:
https://www.guidancesoftware.com/products/Pages/Product-Forms/Forensic-Imager-download.aspx
You are right that proprietary forensics software tends to be the standard, but from what I know the court decides if you are an "expert witness" and if your evidence is "forensically sound." For example, if your software has a bug for the particular evidence that you acquired, the evidence is still discarded. Manually parsed evidence is sometimes the only evidence you can acquire in some cases (just the nature of an industry that is always changing); software just makes these automated processes faster and possibly more free of human errors (debatable topic).
Yeah, you definitely need to educate them; a good starting point may be that these forensic software packages just do automatically what can be done manually, and that they are still subject to bugs and other limitations.
Hope that helps
Digital Forensics Job Vacancies: Hi Tech Forensic Investigator job opportunity based London
Hi,
Could you please inbox me some more details/contact information for this role?
Regards,
Chris
Digital Forensics Job Vacancies: Digital Forensics Specialist - London (£35-£45k)
Hi,
I am a computer forensics graduate from 2011 and spent a year placement working on Mobile Phone forensics. It was a few years ago, however I would welcome the opportunity to get back in to the forensics industry.
Would I be eligible to apply with just 1 year mobile forensics experience?
Cheers,
Chris
Forensic Software: Single File/Folder Acquisition not with FTK
If "someone's" are sticklers about "Forensic Software platforms", I would take the AD1 with FTK Imager, and when you get back home you can export the files out. You get the appropriate metadata, and you can 'justify' FTK Imager, over XCOPY or COPY.
It's the "I read it on the airplane magazine" syndrome with the software requirements...
laughingman_nicoli wrote:
1. I'm on site and need to acquire one single file with all its meta data intact that resides on a virtual server in another state via a go-to meeting.
2. In my lab I have full EnCase to view the data later.
3. I have FTK Imager and I understand I can't view AD1s in EnCase. I have a good Robocopy script (though I tried this and it wasn't working, I think due to the paths and such).
So, what are the options out there for acquiring single file/folders to view in EnCase?
Mobile Phone Forensics: Need help with timestamps
The timestamps of the Incoming messages should be accurate as this is provided by the network. As I understand it the message was sent at x time in a timezone which is GMT+3. The time shown is the time sent in that timezone. So a message sent at 1700hrs GMT+3 was sent at 1400hrs GMT and so on.
The outgoing message timestamp is most likely unreliable and in addition seldom will it record anything other than GMT+0, if it includes a timezone at all. This timestamp is pulled from the device clock and should be relied upon with the utmost caution and only after validation with call data records from the network provider.
GMT - UTC - Essentially the same thing.
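As an added example (not part of the post above), the Python below handles the two kinds of timestamp the reply distinguishes. The network timestamp on a received message is carried in the SMS-DELIVER TP-Service-Centre-Time-Stamp, which includes its own timezone offset, so it normalises to UTC directly. A sent message only has the handset's local time with no offset, so the code attaches a device timezone that the examiner supplies (an assumption), marks the result as unvalidated, and only clears that flag once a provider CDR event for the same peer falls within a tolerance window. The SMS records, SCTS bytes and CDR entries are constructed sample data.

```python
"""Normalise handset SMS timestamps to UTC and track which come from the
network and which from the device clock. Added example, constructed data."""
from dataclasses import dataclass, replace as dc_replace
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


def decode_scts(scts: bytes) -> datetime:
    """Decode a 7-octet TP-SCTS (3GPP TS 23.040, 9.2.3.11).

    Octets are YY MM DD hh mm ss TZ, each nibble-swapped BCD. TZ is the offset
    from GMT in quarter hours; bit 3 of that octet is the sign (1 = negative).
    """
    if len(scts) != 7:
        raise ValueError("TP-SCTS must be 7 octets")

    def bcd(octet: int) -> int:
        return (octet & 0x0F) * 10 + (octet >> 4)

    yy, mo, dd, hh, mi, ss = (bcd(b) for b in scts[:6])
    tz_octet = scts[6]
    quarters = (tz_octet & 0x07) * 10 + (tz_octet >> 4)
    if tz_octet & 0x08:
        quarters = -quarters
    tz = timezone(timedelta(minutes=15 * quarters))
    return datetime(2000 + yy, mo, dd, hh, mi, ss, tzinfo=tz)


@dataclass(frozen=True)
class SmsRecord:
    direction: str          # "in" (SMS-DELIVER) or "out" (sent by the handset)
    peer: str               # other party's number as stored by the handset
    scts: Optional[bytes]   # network timestamp; only present on received SMS
    device_time: str        # handset's own local time, no offset recorded


@dataclass(frozen=True)
class NormalisedTime:
    utc: datetime
    source: str             # "network" or "device-clock"
    validated: bool         # True once corroborated by the network side


def normalise(rec: SmsRecord, device_tz: timezone) -> NormalisedTime:
    """Network timestamps convert directly; device-clock times get the assumed
    handset timezone and stay unvalidated until a CDR corroborates them."""
    if rec.scts is not None:
        return NormalisedTime(decode_scts(rec.scts).astimezone(UTC), "network", True)
    local = datetime.strptime(rec.device_time, "%Y-%m-%d %H:%M:%S")
    return NormalisedTime(local.replace(tzinfo=device_tz).astimezone(UTC),
                          "device-clock", False)


def validate_with_cdr(rec: SmsRecord, norm: NormalisedTime, cdr: list,
                      tolerance: timedelta = timedelta(minutes=2)) -> NormalisedTime:
    """Mark a device-clock time validated if the provider's CDR shows an event
    with the same peer within the tolerance window."""
    if norm.validated:
        return norm
    for peer, event_utc in cdr:
        if peer == rec.peer and abs(event_utc - norm.utc) <= tolerance:
            return dc_replace(norm, validated=True)
    return norm


# Constructed sample data: a message received at 17:00 in a GMT+3 zone, one sent
# by the handset at 17:05 local, and one whose device clock is 40 minutes off.
SCTS_1700_PLUS3 = bytes.fromhex("41305071000021")   # 2014-03-05 17:00:00 GMT+3
RECEIVED = SmsRecord("in", "+96650000001", SCTS_1700_PLUS3, "2014-03-05 17:00:00")
SENT = SmsRecord("out", "+96650000001", None, "2014-03-05 17:05:00")
SENT_SKEWED = SmsRecord("out", "+96650000002", None, "2014-03-05 18:00:00")
DEVICE_TZ = timezone(timedelta(hours=3))   # assumption supplied by the examiner

# Constructed CDR extract from the provider, already in UTC.
CDR = [
    ("+96650000001", datetime(2014, 3, 5, 14, 5, 30, tzinfo=UTC)),
    ("+96650000002", datetime(2014, 3, 5, 14, 20, 0, tzinfo=UTC)),
]


def timeline() -> list:
    """Return (record, normalised time) pairs after CDR validation."""
    return [(rec, validate_with_cdr(rec, normalise(rec, DEVICE_TZ), CDR))
            for rec in (RECEIVED, SENT, SENT_SKEWED)]


def timeline_summary() -> list:
    """Compact view for reporting: (direction, UTC ISO time, source, validated)."""
    return [(rec.direction, norm.utc.isoformat(), norm.source, norm.validated)
            for rec, norm in timeline()]


if __name__ == "__main__":
    for direction, when, source, ok in timeline_summary():
        flag = "" if ok else "  <-- device clock, not corroborated"
        print(f"{direction:3} {when} [{source}]{flag}")
```

The skewed record shows why the reply insists on CDR validation: its device-clock time converts cleanly to UTC and looks perfectly plausible on its own, and only the 40-minute gap to the provider's record reveals that the handset clock cannot be trusted.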
General Discussion: 32+TB Live Image
I am dealing with a server that has an OS RAID and a data storage RAID (24-32TB - still waiting on the client to confirm). For the purpose of this project, I only need a logical image of the storage RAID, but I don't want to deal with recompiling the RAID or being locked down to tools that can support the images of single drives (to reconstruct the RAID).
With that said, I was thinking about doing a live image of the data storage partition using FTK Imager Lite. This would give me a single DD image (yes, a very large dd image) of the storage array.
Has anyone ever done a live image this large before? Has anyone run into any complications when imaging a large data source with FTK Imager Lite (such as memory issues, etc.)?
Thanks for the info. Much appreciated.
Mobile Phone Forensics: SIM Card question re: MSISDN
topsirloin wrote:
Has anyone come across a similar situation like this? Any other way to confirm a phone number on a BB10 device?
This might help:
http://supportforums.blackberry.com/t5/BlackBerry-Z10/How-to-edit-MY-NUMBER/td-p/2224467
I have examined a handful of BB 10 devices recently & with only Cellebrite supporting minimal data from the handset in a recent release, unless you can manually find the option, a logical data extraction via a client does not provide much general handset information from BB 10 devices.
topsirloin wrote:
And also, does anyone have a technical explanation on why WIND Mobile SIMs aren't populated with any MSISDN entries? Are there other carriers that follow this practice?
I am not that familiar with WIND Mobile, however some network providers simply do not store the telephone number in the EF_MSISDN location within the SIM card's file system. This is quite common with Vodafone, believe it or not. I also see a lot of Lebara Mobile SIM cards, which also do not always store a valid MSISDN (because they also use Vodafone's network). Whenever I have a SIM card which is not storing the phone number, I just advise the OIC to speak to their relevant Telecommunications Intel Unit that can obtain billing data and/or the phone number attributed to the SIM card, by using the ICCID & IMSI numbers (on items where the phone number cannot be obtained via other methods).
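As an added example, not part of the post above, the following Python decodes the three SIM elementary files the reply relies on: EF_ICCID (2FE2), EF_IMSI (6F07) and EF_MSISDN (6F40), using the record layouts in 3GPP TS 51.011 / TS 31.102. An EF_MSISDN record that was never written reads as all 0xFF, which is what a card from a provider that does not store the number looks like; the code reports that case explicitly so that the ICCID and IMSI can be handed to the provider instead. The file contents are constructed sample bytes, not from a real card.

```python
"""Decode SIM identity files EF_ICCID, EF_IMSI and EF_MSISDN.
Added example with constructed file contents (3GPP TS 51.011 / TS 31.102)."""
from typing import Optional

# Nibble values in dialling numbers: 0-9, then * # a b c (TS 24.008 10.5.4.7)
EXT_BCD = "0123456789*#abc"


def swapped_bcd(data: bytes, alphabet: str = "0123456789") -> str:
    """Decode nibble-swapped BCD (low nibble first); 0xF is the filler."""
    out = []
    for octet in data:
        for nib in (octet & 0x0F, octet >> 4):
            if nib == 0x0F:
                return "".join(out)
            if nib >= len(alphabet):
                raise ValueError(f"unexpected nibble {nib:#x}")
            out.append(alphabet[nib])
    return "".join(out)


def decode_iccid(ef_iccid: bytes) -> str:
    """EF_ICCID: 10 octets holding up to 20 BCD digits, F-padded."""
    if len(ef_iccid) != 10:
        raise ValueError("EF_ICCID is 10 octets")
    return swapped_bcd(ef_iccid)


def decode_imsi(ef_imsi: bytes) -> str:
    """EF_IMSI: length octet, then up to 8 octets. The first nibble is bits 001
    plus a parity flag (bit 3 set = odd digit count), not an IMSI digit."""
    length = ef_imsi[0]
    body = ef_imsi[1:1 + length]
    if not 1 <= length <= 8 or len(body) != length:
        raise ValueError("EF_IMSI length octet inconsistent with file")
    digits = swapped_bcd(body)[1:]          # drop the parity/type nibble
    if bool(body[0] & 0x08) != (len(digits) % 2 == 1):
        raise ValueError("IMSI parity flag does not match digit count")
    return digits


def decode_alpha(alpha: bytes) -> str:
    """Alpha identifier: 0x80 prefix means UCS-2, otherwise one GSM default
    alphabet character per octet (ASCII for the characters used here)."""
    data = alpha.rstrip(b"\xff")
    if not data:
        return ""
    if data[0] == 0x80:
        return data[1:].decode("utf-16-be", errors="replace")
    return data.decode("ascii", errors="replace")


def decode_msisdn_record(rec: bytes) -> Optional[dict]:
    """One EF_MSISDN record: alpha id (len-14), BCD length, TON/NPI, 10-octet
    number, CCP id, Ext1 id. An unused record is all 0xFF and yields None."""
    if len(rec) < 14:
        raise ValueError("EF_MSISDN record is at least 14 octets")
    if all(b == 0xFF for b in rec):
        return None
    alpha_len = len(rec) - 14
    bcd_len, ton_npi = rec[alpha_len], rec[alpha_len + 1]
    number_field = rec[alpha_len + 2:alpha_len + 12]
    if bcd_len in (0, 0xFF):                # alpha present, no number set
        return {"alpha": decode_alpha(rec[:alpha_len]), "number": None}
    digits = swapped_bcd(number_field[:bcd_len - 1], EXT_BCD)
    if (ton_npi >> 4) & 0x07 == 1:          # TON = international
        digits = "+" + digits
    return {"alpha": decode_alpha(rec[:alpha_len]), "number": digits}


def subscriber_identity(ef_iccid: bytes, ef_imsi: bytes, msisdn_records: list) -> dict:
    """What can be stated from the card itself. With no stored number, the
    MSISDN has to come from the provider, keyed on ICCID and IMSI."""
    numbers = [r["number"] for r in map(decode_msisdn_record, msisdn_records)
               if r and r["number"]]
    return {
        "iccid": decode_iccid(ef_iccid),
        "imsi": decode_imsi(ef_imsi),
        "msisdn": numbers[0] if numbers else None,
        "msisdn_source": "SIM EF_MSISDN" if numbers
                         else "not stored on SIM; request from provider by ICCID/IMSI",
    }


# Constructed sample file contents (not read from a real card).
EF_ICCID = bytes.fromhex("984411002143658709f1")          # ICCID 8944110012345678901
EF_IMSI = bytes.fromhex("082943510000000010")             # IMSI 234150000000001
MSISDN_STORED = (b"Own number" + b"\xff" * 4              # 14-octet alpha id
                 + bytes.fromhex("0791447700091032ffffffff") + b"\xff\xff")
MSISDN_EMPTY = b"\xff" * 28                               # provider never wrote it


def demo() -> dict:
    """Run the decoders over the two constructed EF_MSISDN cases."""
    return {"stored": subscriber_identity(EF_ICCID, EF_IMSI, [MSISDN_STORED]),
            "not_stored": subscriber_identity(EF_ICCID, EF_IMSI, [MSISDN_EMPTY])}


if __name__ == "__main__":
    for name, ident in demo().items():
        print(name, ident)
```

The empty-record case is the one the reply describes: the card still yields a valid ICCID and IMSI, which are exactly the identifiers the provider needs to return the billing number, so the report can state precisely why the number is absent rather than leaving the field blank.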
General Discussion: Windows 7 MBR system unable to view Windows 8 GPT HDD
acarr31 wrote:
...
The next step was identifying if the write blocker was the root cause of the issue. The same scenarios were tested out with an Ultrabay II write blocker (a bit older than the Ultrabay 3d) and the Ultrabay II write blocker did not have an issue seeing the partitions. Also, the Windows 8 GPT OS drive was connected to the Ultrabay 3D with read/write enabled and the Windows 7 system was then able to provide logical access.
The same tests were conducted using an Ultrabay 3d write-blocker connected to a Windows 8 exam system and the error did not occur.
Due to the results of these tests it is the conclusion of the Digital Intelligence tech support staff that the error in access is caused by Windows 7 itself taking issue with the communication of the Ultrabay 3d to Windows 7 that the drive is write-protected.
....
First thing, thank you for "finalizing" the thread and reporting in such great detail the tests performed and the end result.
Allow me however to have a slightly different opinion: if there is a culprit it is the actual Ultrabay 3D (or its firmware).
With all due respect for the good Digital Intelligence guys :), we are talking of Windows 7 (please read as probably the most used OS on forensics machines) and it not playing well with the specific model of write blocker when examining a UEFI/GPT Windows 8 disk (please read as soon to be among the most common pieces of evidence that one might need to examine).
I mean, it's not like (say) BeOS is not compatible with the Ultrabay 3d when examining Solaris 9 disks ;).
On the other hand *something* has definitely changed between Windows 7 and Windows 8, and I suspect that the behaviour noted/noticed here:
http://reboot.pro/topic/18953-is-winfe-forensically-sound/
about different version of WinFE behaving slightly different when it comes to setting volumes as "read only" is *somehow* connected to the issue you found with the write blocker.
So, putting the blame anyway on the good MS guys is not completely wrong. :o
In any case, the good news is that the older thingy worked fine, so that we can properly use the "legacy" adjective for the Ultrabay II:
http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/legacy-is-not-a-pejorative.html
jaclaz
Classifieds: Logicube Forensic Falcon (FASTEST) Imager for sale (20GB pm)
pmed! thanks.
Digital Forensics Job Vacancies: Computer Investigator-London
Hi,
When is the closing date for applications to this role?
Education and Training: Cyber crime training
Cybercrime is a pretty wide-ranging category. If you were able to specify a certain area of interest you might be able to get more targeted answers. Someone that works CP cases would have much different training than someone that worked fraud; however, they both may have had similar training as far as online investigations, search engines, skip tracing and such.
Employment and Career Issues: Opportunities in Australia
Thanks - Have pm'd you and sent you gmail
Digital Forensics Job Vacancies: Cyber forensics advisor
Job title: Cyber forensics advisor
Location: UK, London
Rewards: Excellent salary and benefits
Start date: ASAP
Working within a team, you will assist in delivering forensic and intelligence services to support the business internally and externally.
Candidates are required to demonstrate expertise in:
• Forensics and intelligence
• UK and Foreign jurisdictions best practice
• Operating with large complex global businesses
• Communicating at all levels across a global business
• Analysis and reporting
The role also requires a candidate with excellent attention to detail, ability to work in complex and challenging environments and desire to be recognised as a specialist.
This is an excellent opportunity to be considered to work for a global organisation with a reputation for the highest standards.
BeecherMadden is an equal opportunities recruiter, and considers candidates for our clients based on merit only.
Contact: Sarah Birrell (recruiter, recruitment delivery team)
Email: sarah.birrell@beechermadden.com
Phone: 0207 3827 980
www.beechermadden.com