nightworker wrote:
If you mean bad blocks as bad sectors, you can access the hard drive's SMART, which is a list of bad sectors, with PC-3000 or other SMART tools; you can access and edit some of the bad sectors.
Well, it is IMHO not really handy to store data that only a PC-3000 can (maybe) access.
jaclaz
↧
General Discussion: Hiding data in bad blocks?
↧
Education and Training: Part of my Master thesis
omajiman wrote:
.... to carry out intrusion analysis from logs generated from honeypot and network as well as from the network traffic.
Which actual kind of data you have?
omajiman wrote:
I am also trying to provide a mathematical model for the timestamps and timeline generated, to predict the trends of invasion and intrusion, but I do not know which mathematical model to use.
The usual approach is - based on HUGE amounts of data available - to try applying several different models and see which one creates a "pattern" more similar to the actual data.
I don't think there is a "pre-made" specific mathematical model (or if there is one, it would seriously undermine the "research" aspect of the thesis).
I mean, what are the actual "new" findings that you expect or are looking for?
jaclaz
↧
Digital Forensics Job Vacancies: Electronic Discovery Software Engineering Consultant: London
We are looking for a talented computer forensic graduate to join the in house development team in an innovative Electronic Discovery and Computer Forensics practice at Hobs Legal Docs.
The ideal candidate will demonstrate a genuine passion (and maybe even obsession!) with programming, problem solving and technology. We develop a wide range of programs and tools for Electronic Discovery ranging from SQL scripts to complex web applications and everything in between. This includes developing our own tools from the ground up as well as extending existing software using .NET, Java and REST APIs and developing web applications using HTML5, CSS and Javascript.
We are looking for a graduate who is interested in a career in Electronic Discovery and Computer Forensics, but really enjoys making software, and can contribute to our agile development process. Although this is mainly a development role there will also be an opportunity to gain experience working on Electronic Discovery projects and interacting with clients, as we believe it’s important for all our developers to understand the domain they are working in.
Electronic Discovery is a niche but ever expanding industry and we cover the full spectrum at Hobs. We are not just a software development company and have a strong understanding of eDiscovery and what it is the clients want which we try to reflect in the software we are developing. We are very responsive to our clients and you will find yourself working on numerous products and solutions. This variability means that we need somebody who can plan effectively and think on their feet, being able to very quickly respond to changes. From day 1, we’ll encourage you to make a major contribution to the team - getting stuck in, as well as coming up with ideas on how we can do things better, smarter and faster.
We need a self-starter who is driven, committed and looking to contribute both personally and as part of a team. We value experience and have the following requirements:
• Experience programming in an object orientated language is a must, preferably C# or Java although any language is useful.
• Experience using databases is also a must, preferably using T-SQL, although again any variant of SQL is useful.
• Web development is not essential although experience with modern web technologies would be beneficial.
• Communicating within the team and to external clients is important so you will need to be clear and concise with your correspondence. You will need to be able to gather requirements and explain technical solutions to those less technical.
If this sounds interesting, and you’re a recent graduate with at least a 2:1 degree in a computing or sciences degree with a strong technical component and an interest in new technologies, then please send a CV and covering letter, demonstrating your passion and skills, to careers (at) hobslegaldocs.com with “eDiscovery Software Development Consultant” in the subject line.
↧
Digital Forensics Job Vacancies: Network Forensics and Analytics – London
VP Network Security Engineer – Network Forensics and Analytics – London
Description
Cybersecurity is chartered with managing and directing cyber security programs encompassing design, implementation, analytics, threats, monitoring, response, and investigation across the organization. Our core services are focused on assuring the security of the computing environment, protecting customer and employee information and compliance with regulatory requirements globally. This is accomplished through strong information risk governance, active collaboration with business risk managers and providing high quality security solutions and services which improve the organization's overall risk posture.
As a Cybersecurity Engineer you will be responsible for driving the development and implementation of solutions designed to identify and prevent network threats. Your day to day responsibilities will be the engineering and oversight of a network forensics and analytics platform, ensuring its ongoing stability and optimized threat detection for the environment.
Qualifications
To be considered for this role you should have extensive security platform administration or engineering experience within large-scale or global enterprises combined with a proven background within an engineering role designing or implementing complex Cyber Security or network solutions.
• Significant prior IT experience with a strong understanding of security, engineering processes and network analytics
• Experience in security incident and event monitoring processes, solutions, and technology implementations.
• Experience with large scale networks including architecture and security risks
• Knowledge of network packet analysis concepts and products (i.e. Wireshark, tcpdump, Netscout, Netwitness, Solera, Wildpackets)
• Strong knowledge of common protocols and standards (TCP/IP, SSL/TLS, HTTP, DNS, etc)
• Strong knowledge of common file format structures (PE, JPG, ZIP, ELF, etc)
• Strong administration and operational knowledge of enterprise Linux platforms
• Experience with scripting languages preferred (Python, Perl, Shell, etc)
• Ability to support and liaise with business process owners to incorporate threat management products and provisions into their processes.
• Must be able to work collaboratively with other areas to advocate information security solutions.
• Must possess a high degree of initiative, motivation, and problem-solving skills.
• Must be able to understand and devise working solutions to problems that involve trade-offs between security, cost containment and timeliness of service.
To apply for the position please visit Cyber Security Jobs
↧
Legal Issues: Daubert Standard and Open Source/Proprietary Tools
athulin wrote:
What test exactly are you referring to? Don't see any test of either of those two products on their site? What am I missing?
https://www.cyberfetch.org/groups/community/test-results-digital-data-acquisition-tool-asr-data-smart-version-2010-11-03
https://www.cyberfetch.org/groups/community/test-results-digital-data-acquisition-tool-paladin-206
https://www.cyberfetch.org/groups/community/test-results-digital-data-acquisition-tool-paladin-30
https://www.cyberfetch.org/groups/community/test-results-digital-data-acquisition-tool-paladin-40
↧
Education and Training: Part of my Master thesis
omajiman wrote:
What I meant was that since I am collecting evidence from honeypot and network, and since it involves both evidence from the network (traffic) and the system (syslog), the clock synchronization might not be similar since some may be UTC or NTP. I am trying to model clock synchronization of both devices, to check some variance (backward or forward) in clock time, and use the timestamps model for predicting the progress of intrusion.
Hmmm.
I don't know.
I still believe that in order to do "proper" transactions the "system" would be synchronized to the NTP time (which actually is UTC), whether records in logs would be expressed in UTC, local time or "whatever else" should be just a matter of conversion (like with a different epoch).
Very small time differences (by very small I mean under 1 second or so) are AFAICR "below" the "accuracy" of the most common MS Operating Systems NTP synchronization services, at least the good MS guys have a disclaimer about this:
http://support.microsoft.com/kb/939322/en-us
jaclaz
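As an added illustration of the conversion point made above (this is not code from the thread or from either poster): normalising timestamps from three evidence sources with different zones and epochs into UTC, then checking the residual skew against the sub-second tolerance mentioned. The sample syslog line, pcap epoch and Windows FILETIME are constructed, and the UTC+1 syslog zone and 2015 capture year are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed inputs: the same SSH login failure as seen by three sources.
SYSLOG_LINE = "Mar  3 14:22:07 honeypot sshd[1234]: Failed password for root from 203.0.113.5 port 51822"
PCAP_FRAME_EPOCH = 1425388927.412          # pcap timestamps: seconds since 1970-01-01 UTC
WIN_EVENT_FILETIME = 130698625278000000    # Windows FILETIME: 100 ns ticks since 1601-01-01 UTC

# Assumptions (not from the thread): the honeypot syslog writes local time at UTC+1
# without a year, and the capture was taken in 2015.
SYSLOG_TZ = timezone(timedelta(hours=1))
CAPTURE_YEAR = 2015
NTP_TOLERANCE = timedelta(seconds=1)       # sub-second skew is within NTP client accuracy

_SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")


def syslog_to_utc(line, year=CAPTURE_YEAR, tz=SYSLOG_TZ):
    """Parse the BSD syslog prefix (no year, no zone) and normalise it to UTC."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog timestamp: %r" % line[:32])
    local = datetime.strptime(
        "%d %s %s %s:%s:%s" % (year, *m.groups()), "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=tz)
    return local.astimezone(timezone.utc)


def pcap_to_utc(epoch_seconds):
    """pcap frame times are already UTC; attach the zone explicitly."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)


def filetime_to_utc(ticks):
    """Windows FILETIME uses a different epoch and unit; convert both."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def clock_skew(reference, other):
    """Signed offset of `other` relative to `reference`: positive means `other` runs ahead."""
    return other - reference


def check_sources(reference, others, tolerance=NTP_TOLERANCE):
    """Return {source: (skew_seconds, within_tolerance)} for each normalised timestamp."""
    report = {}
    for name, ts in others.items():
        skew = clock_skew(reference, ts)
        report[name] = (round(skew.total_seconds(), 3), abs(skew) <= tolerance)
    return report


if __name__ == "__main__":
    # Use the capture clock as reference; syslog lands 0.412 s behind, Windows 0.388 s ahead.
    ref = pcap_to_utc(PCAP_FRAME_EPOCH)
    print(check_sources(ref, {
        "syslog": syslog_to_utc(SYSLOG_LINE),
        "windows": filetime_to_utc(WIN_EVENT_FILETIME),
    }))
```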
↧
Digital Forensics Job Vacancies: Graduate Digital Forensic Jobs, UK wide £20-30K
I am working with a number of clients in London and across the UK looking to hire Digital Forensic graduates. Some roles are pure Digital Forensics and others are more eDiscovery focussed.
In most cases you will have a 2.1 or better or at least a 2.2 (with some experience) in either Digital Forensics or Computer Science.
-You will also have good SQL and relational database skills
-Experience with object-oriented programming, specifically .NET or Java
-Ideally some experience with programming, specifically Python, ASP.NET or PHP
You will have experience of various forensics packages e.g. Encase etc. and any eDiscovery for the roles requiring it will be a bonus.
You will have excellent communication skills and problem solving skills generally.
↧
Forensic Hardware: HDD dock allowing simultaneous access from two computers ?
Thank you for your answers.
So, there doesn't seem to be such hardware to gain simultaneous eSATA or USB access to the same drive from two different machines. :(
Quote:
For instance, you're carving files on Linux and want to check some of the already carved files on Windows without having to copy them to some USB key.
I have to better explain this: the carving is still going on and will last more hours or days. But you need some files very quickly and to test the already carved files, you need some software which only runs on Windows.
So yes, I mean really simultaneous access to not have to copy the files, this access could possibly read-only from the computer running Windows.
Because the carving must still be running, a hardware switch is not the solution.
With a mechanical hard drive, I'm aware that this is very intensive for the spindle.
Exactly like if you're merging the stripes of two RAID-0 drives, two thirds were done and you're eager to have a glance at the reassembled drive to see if the result already contains some valid files.
Quote:
I wonder if besides network access, NAS or running Windows applications on Linux through Wine, there is on the market some dock to which you can simply connect a second USB or eSata wire to access the same drive simultaneously.
So to gain simultaneous access, would a solution be using a NAS or maybe something like QEMU?
↧
General Discussion: Article re SQL joins
Afternoon all
I have recently uploaded an article/blog to my web site re different SQL joins (or more specifically SQLite joins). While this article uses The Forensic Browser for SQLite as the query engine, the concepts discussed are relevant (and mainly discuss hash matching) for anyone who has large tables of data that they want to filter/compare. The SQL can of course be used in any SQL query engine.
http://sandersonforensics.com/forum/content.php?203-Basic-SQL-Joins
Cheers
Paul
↧
Mobile Phone Forensics: Nokia Lumia 610
I know this is an old thread, but what size soldering tip did people use to solder wires/molex on to the board.
I need to purchase a new tip and was wondering what the best size would be.
Thanks
↧
Digital Forensics Job Vacancies: Asst Director, Incident Response, Stroz Friedberg, London
Job Title: Assistant Director of Incident Response
Department: Incident Response (IR)
Location: London
Reports to: Director of Incident Response
Job Type: Full-Time
Position Overview
Support and provide leadership within the cyber response practice and across incident response engagements, malware analysis in support of incident response engagements and numerous other assignments relating to advancing the cyber response practice given at the direction of the Director of Incident Response and the Executive Managing Director in charge of Incident Response. Responsible for supporting the development of IR tools, development of IR and cyber security protocols, maintenance of a malware analysis laboratory, information and intelligence sharing across the cyber response practice as well as training and mentoring the forensics staff on IR-related matters.
Essential Job Functions
• Investigate network intrusions and other cyber security breaches to determine the cause and extent of the breach.
• Create a curriculum and conduct in-house training sessions, individualized if needed, for IR staff, to ensure appropriate development of skills and continued innovation.
• Represent SF in targeted industry events, seminars and speaking engagements, contributing to substantive article and whitepaper writing as well as enhancing the firm’s market position as a provider of premium services within the incident response space.
• Support and maintain a malware analysis laboratory that includes malware analysis, development of a robust malware repository and IR proprietary tools.
• Research, develop, and recommend hardware and software needed for Incident Response and develop policies and procedures to analyze malware.
• Assist in the development and delivery of malware security awareness communications both internally and to external firm clients and collaboration with SF Marketing on collateral and thought leadership content.
• Participate in technical meetings and working groups to address issues related to malware security, vulnerabilities, and issues of cyber security and preparedness.
• Collaborate with Director of Incident Response and leader of cyber practice at executive management level as well as other forensic personnel to facilitate an effective malware program.
• Prepare, write, and present reports and briefings and oversee reports generated by the other forensic team members.
• Thoroughly investigate instances of malicious code to determine attack vector and payload.
• Conduct reverse-engineering for known and suspected malware files, when needed
• Develop high performance, false positive free, signature based malware detection schemes.
• Participate in special forensic projects as required, including collection and preservation of electronic evidence
• Preserve and analyze data from electronic data sources, including laptop and desktop computers, servers, and mobile devices
• Preserve, harvest, and process electronic data according to the firm’s policies and practices on an as necessary basis.
Requirements
• 4-5+ years' experience with reverse engineering software binaries
• Strong verbal and written communication skills
• Well-developed analytic, qualitative, and quantitative reasoning skills and demonstrated creative problem solving abilities
• Strong work ethic and motivation with a demonstrated history of ability to lead a team and develop talent.
• Proficiency with forensic techniques and the most commonly used forensic toolsets, such as dtSearch, EnCase, and FTK Suite
• Demonstrated ability in establishing a malware analysis laboratory
• Experienced with reverse engineering tools such as IDA Pro, OllyDbg, and other similar toolsets
• Documented ability to reverse engineer undocumented binary software
• Strong shell, C, C++ and/or Java programming skills and proficiency in Assembler languages
• In-depth understanding of operating system kernels, advanced protection mechanisms, device drivers, and/or compilers
• Proficiency with MS Office Applications, and familiarity with Windows, Macintosh and Linux operating systems
• Must be able to work collaboratively across agencies and physical locations
• Familiarity with computer system hardware and software installation and troubleshooting
• Ability to anticipate and respond to changing priorities, and operate effectively in a dynamic demand-based environment, requiring extreme flexibility and responsiveness to client matters and needs
• Significant travel, evening and weekend hours should be anticipated.
Education & Work Experience Required
BS Computer Science, Computer Engineering, Computer Information Systems, OR Computer Systems Engineering. Must have a minimum of 8 years' experience or equivalent education and experience.
Note: This job description is intended to describe the general nature and level of work being performed by employees in this position. It is not intended to be an exhaustive list of all responsibilities, duties, and skills required for this position; other duties outside of normal responsibilities may be performed as necessary to meet the needs of the organization.
Background Investigation Notice: Offers of employment are contingent upon our receipt of references consistent with our expectations, the results of pre-employment background checks, and execution upon an employee’s arrival of our confidentiality and non-compete agreement.
Stroz Friedberg is an equal opportunity employer.
To find out more please visit our website at www.strozfriedberg.com or apply to the position on the Careers Section of our website.
↧
Forensic Hardware: Which RAID storages for self-employed and small companies ?
Hi,
When I finish the data recovery for some RAID system, I'm often asked which better storage for the future.
The fact is that self-employed people and small companies are often frustrated after their RAID failed, as they had hoped in some security for their data when they purchased such storage, either NAS or USB attached storage.
The price of a data recovery for such storage is commonly higher than that for a single hard drive.
My experience is :
- Most storages that non-specialists purchase use cheap hard drives that are not "enterprise-grade". For instance the WD MyBook Studio uses WD Green drives. The Netgear ReadyNAS Duo uses Seagate Barracuda drives.
- The way data are stored is often poorly documented and to perform a data recovery you have to guess and hack.
- Some systems use "proprietary RAID", like the X-RAID for the Netgear ReadyNAS Duo
- Some NAS use the ext3 filesystem which makes data recovery impossible or very uncertain because the files with their names can only be recovered from the journal.
This is for instance the case with the Netgear ReadyNAS Duo.
- Some storages, especially those for Mac users use the HFS+ file system, which limits the number of available data recovery tools available on the market, although things are improving. For instance, I've seen HFS+ being used by Buffalo and Western Digital.
- RAID 5 can mean more reliability but also more expensive data recovery if a problem occurs.
Just the fact from connecting all drives can be a problem depending on the motherboard.
My preference is to save on several single hard drives and have personal discipline.
RAID 1 also appears to me a good choice, but you have to care from the beginning about the file system used, so that you're ready for a possible data recovery.
When possible, I prefer to purchase the drives independently from the storage.
So, here's my little survey about NAS and RAID storages :
1) Which brands, lines of products, models do you recommend and for which reason (build quality, reliability, file system used, a.s.o.)?
2) Which brands, line of products, models would you avoid and for which reason ?
3) Are they using (true) RAID-1?
4) Which file system do they use ?
5) Do they accept normal drives or only low powered ones?
Thanks for sharing your experience.
↧
Mobile Phone Forensics: Nokia Lumia 630
I saw a post on the GSM hosting forum recently for this model and the product manager for Advanced Turbo Flasher replied along the lines that you can follow this guide and when you get to step 3 you click read instead of write http://forum.gsmhosting.com/vbb/10504974-post8.html
I'm assuming you will need to download the related files to the handset (as seen in step 2) from here http://forum.gsmhosting.com/vbb/f609/all-nokia-lumia-android-dead-boot-repair-files-added-lumia-830-a-1830880/
I have never tried this method with the ATF box, I'm more of a fan of the RIFF box. Maybe the files downloaded in the link above will include a picture of the JTAG points for the Lumia 630 so you could use the RIFF instead possibly.
↧
Digital Forensics Job Vacancies: eDiscovery - Data Collection - Zurich
Our client, a boutique eDiscovery services firm, is looking for an eDiscovery Data Collection professional to join their team in Zurich.
The position is located on-site in Zurich in the eDiscovery Technical Services (eDTS) department of a large Swiss banking client.
eDTS is a specialist unit in the Corporate IT function of the bank, supporting complex civil litigation and regulatory and internal investigations by collecting and processing electronically stored information (ESI).
The successful candidate will have a strong background in IT operations/support and will be responsible as part of the team for extracting data directly from the internal client systems and collaborating with IT teams globally.
Responsibilities:
Working on eDiscovery cases allocated by the eDiscovery Services Manager, specifically collecting ESI for those cases and tracking progress of such case requests, in collaboration with other eDTS team members and cross-divisional client IT teams
Working effectively with the client’s existing enterprise application, operating systems and network infrastructure to collect and manage ESI
Adhering to and supporting the implementation of established best practice processes for handling ESI
Creating required documentation and indices to report on the collection of ESI from various data sources
Performing quality control according to defined processes, from data receipt to delivery
Contributing to continuous process improvement by actively giving feedback
Supporting eDiscovery Service Manager in managing change
Requirements:
Bachelor's degree in IT
At least 1 year’s experience in IT support/operations
Good understanding of different operating systems (Linux, MAC, Windows), preferably including shell commands and scripting languages
Experience with server based database systems such as SQL Server, Oracle or equivalent
Ability to learn and apply technical know-how to resolve issues relating to extraction of data from enterprise systems and conversion of data types
High level of customer-orientation and commitment to deliver highest quality service
Contact ht@warnerscott.com or call 0207 038 3617
↧
General Discussion: Article re SQL joins
Thanks both
Doing lots of work with the Browser at the moment and a side effect of that is lots of work on SQL queries as I help customers (not that most need it as the visual query design makes most queries and joins easy).
I have another article up my sleeve that shows off some of the power of SQL (I think I mentioned it to you at the conference Alex). It's a bit more complex so I am working through it trying to simplify as much as I can.
↧
General Discussion: Mac OS X Journal File Analyzer Tool(Tool name : HPJA)
Hello~
We should try to implement the Journal file analysis tool for Mac OS X at this time.
The tool name is HPJA(HFS Plus Journal Analyzer).
We tried to show meaningful information to the user by analyzing the information in the Journal File.
I would like to know your thoughts about the tool.
Finally, does anyone know where the Journal log is located in Mac OS X?
(We found the fsck file.)
I would like many comments.
Thank you ~
↧
Mobile Phone Forensics: Automotive key registration system
If I am allowed to ask this question , what kind of data do you expect to be recorded on the device?
jaclaz
↧
Forensic Hardware: HDD dock allowing simultaneous access from two computers ?
Zul22 wrote:
@jaclaz: Thank you a lot for sharing your experience and thoughts, this is very interesting. Regards.
You are welcome :) .
Keep us posted with the results of your experiments.
jaclaz
↧
Legal Issues: Daubert Standard and Open Source/Proprietary Tools
jhup wrote:
I felt my response in the other thread was a reasonable answer considering it provided two answers to questions that came up in the thread, and a solution to the original post. Indeed, it did not need the editorial :oops: .
Maybe there has been a misunderstanding :? , I made the note NOT to criticize the contents of your referenced post (which I actually appreciated personally :) ), on the contrary I wanted to highlight how even non-constructive criticism may be interesting and/or appreciated.
jaclaz
↧
General Discussion: Hiding data in bad blocks?
aditya5 wrote:
jaclaz
I think you didn't read my whole things above, ...
Naah, rest assured I read it thoroughly.
The (smart?) part I introduced in my hypothetical scenario (otherwise identical to your reported case) was that of replacing the label of the 500 Gb disk with one ("fake" or original removed from another disk) for a 250 Gb disk instead of "scratching" the old label; this way, I doubt that anyone would have gone through checking the device.
If you prefer, I (cleverly?) found a way to nullify your point #1:
aditya5 wrote:
.... but in my case it was done intentionally because of following 2 reasons:
1. The label on the Hard Disk was scratched to hide the capacity of Hdd, model and made which was suspicious.
2. Why the suspect only disabled that head of the partition where the OS was installed.
....
jaclaz
↧