Excellent - thanks very much. I can see something which will definitely help the case!!!
↧
Forensic Software: BMC Viewer??
↧
General Discussion: Forensic acquisition of a Secure Boot enabled system
Rampage wrote:
you need the USB flashdrive version as the CD won't boot if secure boot is enabled.
My guess is that this depends on the specific BIOS/UEFI implementation of the machine; there are reports of people having "happily" booted from CD/DVD with Secure Boot enabled (of course, media that contain Secure Boot compatible loaders) and people that were even "stuck in a loop" when downgrading from Windows 8 to Windows 7.
The "standard" (EFI/UEFI) consists of 2180 pages, and it represents IMHO a non-standard:
http://www.forensicfocus.com/Forums/viewtopic/t=11276/
jaclaz
↧
Mobile Phone Forensics: best software to clone mobile device physically (clone)
I am relatively new to Mobile Forensics; however, I may be able to shed some light. As far as I'm concerned, the closest you will get to 'bit to bit' physical imaging would be performing a physical extraction on the mobile device. A physical extraction will dump the raw data from the partitions on the device.
The biggest issue here is whether or not the phone in question is supported for physical extraction. I personally use AccessData's MPE+. With MPE+ there are only a handful of devices that are supported for physical extraction. The same goes for other leading software (Cellebrite, Paraben, Oxygen Forensics, etc.). So I suggest consulting the supported devices list for any software you are interested in as a starting point and moving on from there. Hopefully that helped a little bit.
Dan
↧
General Discussion: 32+TB Live Image
n00bcfe wrote:
With that said, I was thinking about doing a live image of the data storage partition using FTK Imager Lite. This would give me a single DD image (yes, a very large dd image) of the storage array.
I assume you have evaluated the possibility of not imaging the entire partition.
Will the partition change as you image it, that is, is the data storage functionality 'live' also? If it is, you risk getting inconsistencies between the early part of the image and the late part. You may need to consider that as a possible source of ambiguity. Of course, if the file system allows you to do a snapshot (as in ZFS; Shadow Copy in Windows), use it if you can. (But make sure you know how it works, and how it affects the storage first.)
You better also plan for failure and recovery -- expect at least two failures during the imaging. That is, plan for having to resume from at least two failures. And don't image without having talked it through with whoever 'owns' the storage solution. You're going to stress the disks, and if there is a HDD failure ... everyone involved needs to be ready for it. It might work fine, but if the RAID isn't entirely sound, you may get a RAID failure. What happens then? Will the RAID screech to a full stop, or will it continue to operate in degraded mode? Will you be allowed to continue imaging in degraded mode, or will the RAID need to be resilvered first?
Do a risk inventory: what unwanted events are lurking in this particular task, how will they affect your job, and how do you need to meet them if they should occur? Murphy's law is the only thing that should never be assumed to fail.
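The two points made above, resuming after source failures and detecting that a live source changed under you, can be seen in a small chunked imager. This is an added example written for this thread, not code from the poster or from FTK Imager; the "disk", the simulated I/O errors and the chunk size are constructed for the demo, and a real job would persist the journal dict to disk after every chunk.

```python
import hashlib
import io

CHUNK = 4096  # constructed demo value; real jobs use tens of MB per chunk


class FlakySource:
    """Constructed stand-in for a storage array: serves bytes by offset and
    raises OSError once at each offset listed in fail_at (like a dropped SAS
    link or a RAID hiccup), then succeeds on the retry."""

    def __init__(self, data, fail_at=()):
        self.data = data
        self.pending = set(fail_at)

    def read_at(self, off, n):
        if off in self.pending:
            self.pending.discard(off)  # fail only once per offset
            raise OSError("simulated I/O error at offset %d" % off)
        return self.data[off:off + n]


def image_resumable(read_at, size, out, journal, chunk_size=CHUNK):
    """Copy `size` bytes from read_at(offset, n) into the seekable `out`.
    journal["next"] is the first byte not yet written and journal["hashes"]
    holds one SHA-256 per completed chunk. An OSError from the source is
    propagated, but the journal stays consistent up to the last full chunk,
    so the next call simply continues from journal["next"]."""
    while journal["next"] < size:
        off = journal["next"]
        n = min(chunk_size, size - off)
        data = read_at(off, n)  # may raise OSError
        out.seek(off)
        out.write(data)
        journal["hashes"].append(hashlib.sha256(data).hexdigest())
        journal["next"] = off + len(data)
    return journal


def run_with_retries(read_at, size, out, journal, max_failures=3):
    """Drive image_resumable, tolerating up to max_failures source errors.
    Returns (journal, failures_seen)."""
    failures = 0
    while True:
        try:
            return image_resumable(read_at, size, out, journal), failures
        except OSError:
            failures += 1
            if failures > max_failures:
                raise


def verify_chunks(read_at, size, journal, chunk_size=CHUNK):
    """Re-read the source and return indices of chunks whose hash no longer
    matches the journal: a non-empty list means the data changed while or
    after it was imaged, i.e. the image is not a consistent point in time."""
    bad = []
    for i, digest in enumerate(journal["hashes"]):
        off = i * chunk_size
        n = min(chunk_size, size - off)
        if hashlib.sha256(read_at(off, n)).hexdigest() != digest:
            bad.append(i)
    return bad


def demo():
    disk = bytes(range(256)) * 160  # constructed 40960-byte "array" = 10 chunks
    src = FlakySource(disk, fail_at={3 * CHUNK, 7 * CHUNK})  # two failures
    out = io.BytesIO()
    journal = {"next": 0, "hashes": []}
    journal, failures = run_with_retries(src.read_at, len(disk), out, journal)
    image_ok = out.getvalue() == disk
    # Simulate the live array rewriting chunk 5 after imaging finished.
    src.data = disk[:5 * CHUNK] + b"\xff" * CHUNK + disk[6 * CHUNK:]
    changed = verify_chunks(src.read_at, len(disk), journal)
    return failures, len(journal["hashes"]), image_ok, changed


if __name__ == "__main__":
    print(demo())
```

The per-chunk hash list is what makes a resumed image checkable without re-reading 32 TB in one pass: a second read of only the chunks you doubt tells you whether the source moved under you.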
↧
Mobile Phone Forensics: cache.cell /cache.wifi
Greetings,
I am relatively new to mobile forensics, and I am currently doing some testing with AccessData's Mobile Phone Examiner Plus (MPE+). I am interested in finding location information from my test phone, a GSM Samsung Galaxy S III (SCH-R30C running Android 4.3). The test phone had previously been factory reset and I personally brought the phone around the area to connect it to open Wi-Fi hotspots. I connected to 5 Wi-Fi networks total. During my little trip around town I had GPS enabled on the phone and all location services enabled.
After my little trip I used MPE+ to perform a physical extraction on the phone. Using MPE+ to browse through the extracted data I was able to locate the "wpa_supplicant.conf" file. This file had listed the 5 networks that I connected to on my little trip.
This is where my trouble starts. After locating the Wi-Fi networks I had connected to, I shifted my focus to finding other location artifacts on the test phone. After conducting extensive research, the consensus was that the cache.cell/cache.wifi files would contain the information I was looking for. After browsing to the file path where those files should be located (data/com.google.android.locations/files), it was found that the files did not exist. This confused me, but I chalked this up to the fact that the phone had recently been factory reset and may not have generated enough info to require the creation of those files. I also examined CachedGeoposition.db/GeolocationPermissions.db under com.android.browser\app_geolocation. Both of these files were 0KB in size and contained no data.
So next I examined physically extracted data from a Droid 3. This Droid 3 was my personal phone that I had been using for over 2 years so I was confident I would find location information on there. Well it turns out, after browsing to the expected location (data/com.google.android.locations/files) of the files, that they are not there. This really puzzled me as I know the phone has generated a mass amount of location information over the few years I had it.
My questions are (in no order):
1. Is there something else I need to do to ensure that location data is logged on the phone? (i.e. perform a certain action on the phone / use an app that triggers a location request)
2. Are there other locations where this data is stored?
Any advice is much appreciated.
Dan
↧
Forensic Software: Kerio FDB
Yes. They are Firebird databases, Kerio uses them for "light" installations without much data. Otherwise the data is stored in SQL Server for most of their products.
You can get an ODBC driver or a GUI to view them from http://www.firebirdsql.org/
↧
Mobile Phone Forensics: Issue with Pictures in Moments Apple 5s
Currently using Cellebrite UFED Classic and Physical Analyzer v. 3.9.5.192.
I performed a file system extraction via the UFED Classic on an iPhone 5s. The trouble I'm running into is that a particular photo appears in the iPhone's "Moments" view on a date in 2011, however Cellebrite does not seem to contain a creation date within the AFC. The Backup service has a creation date of 2013. It does not appear that the picture was taken on this iPhone. It also appears as though the picture was received via a sync from iTunes. My question is this: Why is it that the photo appears on the device's camera roll with a date in 2011, but there is no record of the photo and that year within the forensic image?
Any help would be much appreciated!
↧
General Discussion: Grep
It is also important to have some details about the source document. Is it plain ASCII text, a PDF file, UTF-16. Does the text have line breaks in sensible places? How big are the file(s)?
↧
Mobile Phone Forensics: best software to clone mobile device physically (clone)
A full bit to bit copy of the mobile phone is achieved only when you read the entire phone memory chip. This capability is not trivial and requires a much more advanced approach than most of the tools use.
Not every tool that declares physical extraction support means that it supports the extraction of the phone memory chip. There is no tool that can read the memory chip from all phones.
Generally, the capability to extract a full bit to bit copy of the phone memory comes with a solution to bypass a locked device.
Ron Serber
↧
Forensic Software: Kerio FDB
The FDB files are the Exchange equivalent of OST I'm told. I have all the individual .eml files from the server and from backup archives, this is the last piece from the actual computer. I likely don't need them but I like to be thorough and get all available information.
I will look at the Firebird links, thanks for the pointer gents
↧
General Discussion: 32+TB Live Image
Is the server running in a virtualised environment? What about obtaining a VHD snapshot instead of a logical acquisition?
↧
Mobile Phone Forensics: Accessdata MPE+ SIM Card SMS Report BUG or Option??
Yes, believe me, MPE+ (--) is really slower than others, and then brings us these real problems that make us feel stupid in the Court House...
Support tells us to continue to be stupid: "All the other forensic software is wrong, we are certain."
Today I'm remaking more than 20 reports that I made yesterday with that stupid MPE+ tool.
And yes, I'm using another forensic tool (10 times cheaper, 10 times faster...)
↧
General Discussion: XBOX Live
Chris55728 wrote:
From what I recall, the XBOX hard drive has a 'security sector' at the beginning of the hard drive which contains the hard drive make and model which is connected to the console that the drive comes with. Attempts to duplicate this, by making a clone, fail. I'm sure someone has managed to get around this by now but I've not seen anything that would indicate this.
In the "game scene" there are programs to alter the hard disk firmware (on selected make/model only) and write a security sector to it.
Like:
http://www.se7ensins.com/forums/threads/how-to-create-a-xbox-360-hard-drive-from-scratch-western-digital-only.897465/
though how forensically "sound" (or actually "useful") this procedure might be is entirely to be seen.
jaclaz
↧
Digital Forensics Job Vacancies: Australia - malware analyst - subcontract
Hi ecophobia:
I would like to know a little more detail:
1. Which kind of work does this belong to: Forensics, Anti-Virus or other?
2. Which platform will be the main work platform (win / linux / mac / android / ios / etc)?
3. Will developing analysis tools be an important part of the work?
Thanks
↧
General Discussion: Grep
Dndschultz wrote:
I'll try the "town.?{1,36}arson"
As your requirement was 'within six words of', you must also try it with 'arson' in front of 'town'.
Just be aware that 36 characters is not the same as six words.
↧
Mobile Phone Forensics: Need help with timestamps
keydet89 wrote:
Have you tried contacting the vendor?
You may get "an" answer quicker via sources such as this forum, but you will get "the" answer if you contact the vendor. If you're using a licensed version of their product, I'm not clear as to why contacting them would be an issue.
RonS is the vendor in this case as he's highly placed in Cellebrite
↧
Digital Forensics Job Vacancies: eForensic Employment - Cheshire Constabulary
Cheshire Constabulary are recruiting for eForensic Investigator, Examiner and Technician posts at Police Headquarters, Winsford, Cheshire.
The link to the current jobs portal can be found here.
Regards.
Andy
↧
General Discussion: Grep
Reconnoitre uses Lightgrep so this is what I am most familiar with, although Lightgrep is PCRE compatible grep. You *may* need to change the below to "EnCase grep".
Given that you can't do "within x words of" and are limited to "within x characters", you may want to give some thought as to what characters are allowed between arson and town.
I am by no means a grep expert, but AIUI the "." used above will search for any character, or rather any byte, so you might want to modify your search to include only ASCII characters a-z, A-Z, 0-9 etc. This may or may not result in a lot of spurious hits.
Lightgrep has two named character classes:
\s which is ASCII white space: tab, linefeed, formfeed, eol and space
\w which is a-zA-Z0-9_
So in Lightgrep the search would become
town[\w\s]{1,36}arson (I have missed out hall as it is superfluous to your requirements)
Of course restricting in this way may result in a match that contains some sort of control characters that do not fall into the character|whitespace specification - you need to decide what is acceptable
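The points made in this thread (the Lightgrep character-class pattern versus the plain "." version, the need to try both orders, and why a 36-character window is not "six words") can be checked side by side. This is an added example written for the thread, not something posted by anyone in it; Python's re module with re.ASCII is used as a stand-in for Lightgrep, since its \w and \s then cover the same ASCII ranges, and the sample strings are constructed.

```python
import re

MAX_GAP = 36  # the character window used in the thread

# Lightgrep-style pattern, in both orders, with the gap restricted to
# ASCII word characters and whitespace. re.ASCII keeps \w as [a-zA-Z0-9_].
PROXIMITY = re.compile(
    r"town[\w\s]{1,%d}arson|arson[\w\s]{1,%d}town" % (MAX_GAP, MAX_GAP),
    re.IGNORECASE | re.ASCII,
)

# The original "." version: any byte at all may sit in the gap, including
# control characters. re.DOTALL makes "." match newlines as a raw grep would.
ANY_CHAR = re.compile(
    r"town.{1,%d}arson|arson.{1,%d}town" % (MAX_GAP, MAX_GAP),
    re.IGNORECASE | re.DOTALL,
)


def find_proximity(text, pattern=PROXIMITY):
    """Return every substring matched by the proximity pattern."""
    return [m.group(0) for m in pattern.finditer(text)]


def within_n_words(text, a, b, n=6):
    """The word-based check the thread says grep cannot express: for each
    pairing of token a with token b, report (first_index, last_index,
    words_between) when at most n tokens separate them."""
    words = re.findall(r"\w+", text.lower())
    pos_a = [i for i, w in enumerate(words) if w == a]
    pos_b = [i for i, w in enumerate(words) if w == b]
    hits = []
    for i in pos_a:
        for j in pos_b:
            gap = abs(i - j) - 1
            if gap <= n:
                hits.append((min(i, j), max(i, j), gap))
    return hits


# Constructed sample text, not from any case.
SAMPLES = {
    # six short words between the terms, 26 characters: both checks agree
    "short_words": "the town hall was set on fire by arson last night",
    # five long words between the terms, 51 characters: word check hits,
    # the 36-character window does not
    "long_words": "the town councillors unanimously condemned the devastating arson",
    # reversed order, caught only because the pattern has both alternatives
    "reverse": "arson in the town",
    # NUL bytes in the gap: "." accepts them, [\w\s] rejects them
    "control": "town\x00\x00arson",
}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, find_proximity(text), find_proximity(text, ANY_CHAR),
              within_n_words(text, "town", "arson"))
```

Running it shows the trade-off the thread describes: the restricted class drops the NUL-padded hit that "." would return, and the 36-character window misses a genuine five-word proximity when the words are long.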
↧
Digital Forensics Job Vacancies: eDiscovery Role-IT or Computer Forensic graduates 2.1 +
Please include the vacancy location in your post's subject line as per the forum rules, thank you.
↧
Mobile Phone Forensics: HELP! iPhone 5 - iOS 7
No, EPILOG does not extract data from the phone; instead it carves data from databases. As stated in my post, if you have access to the sms.db there is a possibility to recover deleted messages.
I do not work for CCL and in no way am I saying EPILOG is the best product to use. We do use EPILOG at my work place and we get really good results with it, we use it as another tool to verify our results from .xry and UFED.
Regards
MPF
↧