
General Discussion: Block index out of bounds

I've been sent a hard drive for analysis. The content of the hard drive is several folders, each folder contains an .e01 image. None of the images are mountable in FTK or EnCase; instead an error pops up when trying to mount them: "Please select a valid image file". When trying to export the images, they each result in a message that says "(filepath) Block index out of bounds." I have a feeling that this is related to the .e01 file expecting the image size to be (X) but in reality it is not, thus causing the invalid image / out of bounds errors. Does anyone have suggestions for how to fix this without the original drives? Is it possible to hexedit in the correct drive size into the e01 (assuming that is the cause of the issue)?

Forensic Hardware: Which RAID storages for self-employed and small companies ?

I read today a comment - 'If data is not in three different places, then it will be lost'. A bit extreme, but actually can be true. A RAID could well be one of those places. Another place should be offsite. Backups should be automatic. Subject to security, data volume etc, Cloud should be considered as one of the three places. I agree with Jaclaz that NTFS should be considered as there are many good recovery tools.

Education and Training: Can anyone help me understand this? (Mac Forensics)

Hi, I don't usually ask for help on my first post but anyway, I'm new to Mac forensics and this bit of evidence was on the DiskUtility.log though I don't actually understand what it's telling me:

2011-12-02 22:10:02 +0000: Disk Utility started.
2011-12-02 22:11:03 +0000: Attach Image originals.dmg
2011-12-02 22:11:04 +0000: Initializing
2011-12-02 22:11:06 +0000: Attaching
2011-12-02 22:11:07 +0000: Mounting
2011-12-02 22:11:07 +0000: Attaching
2011-12-02 22:11:07 +0000: Finishing
2011-12-02 22:11:08 +0000: Unable to attach originals.dmg. (no mountable file systems)
2011-12-02 22:11:08 +0000:
2011-12-02 22:11:43 +0000: Preparing to erase : banknotes
2011-12-02 22:11:43 +0000: Partition Scheme: GUID Partition Table
2011-12-02 22:11:43 +0000: 1 volume will be created
2011-12-02 22:11:43 +0000: Name : banknotes
2011-12-02 22:11:43 +0000: Size : 104.9 MB
2011-12-02 22:11:43 +0000: Filesystem : Mac OS Extended (Journaled)
2011-12-02 22:11:43 +0000: Unmounting disk
2011-12-02 22:11:43 +0000: Creating partition map
2011-12-02 22:11:44 +0000: Waiting for disks to reappear
2011-12-02 22:11:44 +0000: Formatting disk1s1 as Mac OS Extended (Journaled) with name banknotes
2011-12-02 22:11:44 +0000: Erase complete.
2011-12-02 22:11:44 +0000:

originals.dmg was made in terminal with a predetermined size of 100mb (-size 100) if this helps. Thank you for any advice given!

Digital Forensics Job Vacancies: Digital Forensics Investigator Vacancy - Kidderminster

We are currently recruiting for a Digital Forensics Investigator to join our growing team, based in Kidderminster in the Midlands. Please contact me for further information. www.encription.co.uk

General Discussion: How to parse the ebdxxxxxx.log files

Also, before I forget, these might be useful (for future needs):
http://msdn.microsoft.com/en-us/library/gg294069(v=exchg.10).aspx
http://forensic-proof.com/wp-content/uploads/2011/07/Extensible-Storage-Engine-ESE-Database-File-EDB-format.pdf

jaclaz

General Discussion: Creation of temporary files "~$" in Windows 8.1

UnallocatedClusters wrote: Basically, one can state that these ~$ sign files creation dates correspond with the time that a user opened up the corresponding Word file.

Yep. And it is very likely that you can also find (in full or "traces of") the corresponding "normally named" .docx file.

UnallocatedClusters wrote: Actually, can one go further to state that the creation dates of ~$ files are reasonable evidence of the corresponding program being run in the absence of other supporting evidence? In other words, I always look to Windows event log files, prefetch files, MAC dates surrounding the program executable, and registry entries related to the program I am analyzing usage history for.

To me they are. In the sense that surely whenever a file is opened in Word such a file is created, whilst there is no reason why any other artifact should be shown in the Windows Event logs or - for that matter - anywhere else. I mean, let's say that a (mad) user starts the Word program Monday morning when he gets to his office PC and then never closes it, nor switches the PC off until Friday evening. Which other traces of the usage of the program during the week (unless Word for whatever reasons crashes and is restarted) could you find (if not these ~$xxxx.docx files)?

jaclaz

Digital Forensics Job Vacancies: Malware & Forensics Investigator - London

Malware & Forensics Investigator; Information/Cyber Security
Salary: £50,000 - £55,000
Location: Central London

A fantastic opportunity has arisen to join the Forensics investigations team of a globally renowned blue chip organisation. The role will focus on conducting forensics investigations into Information Security incidents. These will mainly focus on malware detection.

Applicants should meet the following criteria:
Experience of investigating malware security threats
Previous experience as a Forensics Analyst
Experience of investigating cyber threats
The ability to analyse network traffic and investigate threats

Responsibilities:
Investigate security incidents such as malware & phishing
Investigate Information Security incidents using Forensics investigation tools
Undertake detailed Forensic investigations, report findings and develop tools to mitigate future risk
Work closely with senior leadership teams to develop and implement controls
Monitor on-going cyber threat issues
Design systems to combat future threats
Analyse data to identify threats

To apply for this position please visit Cyber Security Jobs

Digital Forensics Job Vacancies: Cell Site Analyst-Staffordshire

Servoca Resourcing Solutions are currently recruiting for a Cell Site Analyst to join an expanding team based in Staffordshire with a leading provider in all areas of Digital Forensics working in sectors and on behalf of clients such as Police, Criminal Justice, Civil Litigation, Corporate or Individuals.

Experience required:
• Cell Site Analysis
• Field Surveys
• Use of various Cell Site Analysis tools
• Excellent Report writing skills
• Court Room experience preferred
• Experienced in the Installation and Provisioning of Cellular Networks

Salary: £28-£40k
Location: Staffordshire
Contract: Permanent

Please apply via the following link: http://www.servoca-police.com/police-jobs-details.asp?police-job=30214

Servoca Resourcing Solutions is acting as an Employment Business in relation to this vacancy. We are an equal opportunity employer with a diverse workforce. We provide equal employment opportunities to all employees and applicants for employment and specialise in police recruitment skills related roles.

Digital Forensics Job Vacancies: Head of Digital Forensic, London £150K-£300K

ScottBurkeman wrote: Head of Digital Forensic - £150000-£300000, London

Our client, a global consulting firm, is seeking to appoint a Director/Partner level professional to head up its digital forensic practice in London. This is initially a UK focussed role, but will soon grow to include an international remit. You will provide strategic leadership to the department, managing teams across Investigations, eDiscovery and Data Analytics. You will have substantial input in driving the business forward, liaising with the senior management team and assisting operationally in this well established department. We are looking for talented professionals with the strategic vision and gravitas to lead a reputable and high performing forensic practice. This is a rare and unique opportunity within the market.

Please contact Scott for more information on 020 7038 3615 or email sb@warnerscott.com

Warner Scott Recruitment
Direct Tel: +44 (0) 20 7038 3615
Fax: +44 (0) 20 7681 1174
Email: sb @ warnerscott.com
Web: www.warnerscott.com
620 Linen Hall, 162-168 Regent Street, London W1B 5TG

Warner Scott are acting as a recruitment consultancy in respect to this vacancy

General Discussion: Hiding data in bad blocks?

C.R.S. wrote: This required a highly unusual hard drive geometry, to put it this way.

Yep. Which should mean - at least in theory - a very slow drive or one in which head usage is not leveled. A reference to "zigzag" (if needed): http://hddscan.com/doc/HDD_Tracks_and_Zones.html

jaclaz

Forensic Hardware: Which RAID storages for self-employed and small companies ?

RAID 10 in a rack-mount NAS with ext4, JFS, ZFS or XFS for the data areas. There are some very inexpensive, yet fully functional solutions out there.

Mobile Phone Forensics: Samsung Galaxy S5

I have an S5 where I am trying to extract text messages through MPE (also tried Oxygen Forensics). I turned on USB debugging, allowed third party apps, turned off app verification, and allowed the ADB connection with my Windows 8.1 workstation. I can see the device when I run the ADB device command that comes with the Android SDK. However, neither MPE nor Oxygen will connect to the device. Anyone have any thoughts on what is going on?

General Discussion: external 2 bay raid enclosure recommendations

For putting together an analyst's flightcase, I am looking for recommendations for a (relatively cheap) external 2 bay RAID enclosure to fit 2.5 inch disks. There are several on the market; I've been looking at this one from Syba, for instance, which fits my basic requirements: http://www.amazon.com/Syba-Dual-2-5-Inch-Enclosure-SY-ENC25024/dp/B0081II3FW However, if the forum members have specific recommendations I would really appreciate hearing them. Many thanks

Education and Training: Student attempting to validate Adroit Photo v2013 1st time

What do you not understand about this NIST document? http://www.cftt.nist.gov/CFTT-Booklet-Revised-02012012.pdf

You get the basic concept, but don't understand tool validation? Can you elaborate? All those resources and no one handed you the answer? Imagine that. What did you try as a Google search?

Google Search: "validate forensic software"

Do the following first few hits not help?
http://www.dfinews.com/articles/2011/03/validation-forensic-tools-and-software-quick-guide-digital-forensic-examiner
http://www.dfrws.org/2009/proceedings/p12-guo.pdf
http://www.scribd.com/doc/116013745/5/Validation-of-Digital-Forensics-Tools
http://forensics.marshall.edu/Digital/Pubs-Soft/FTK%20Imagev251IVV.pdf
http://www.dfinews.com/articles/2011/12/validating-proprietary-digital-forensic-tools-case-open-source

If this is the last step in getting your degree and you are unable to validate your tools you stand very little chance of getting a job.

Digital Forensics Job Vacancies: Hi Tech Officer, West Yorkshire Police

Hi Tech Officer Protected Services Crime Calder Park, Wakefield
Salary £24,036 - £28,389 (Progression Scheme)

West Yorkshire Police are looking to recruit a Hi Tech Officer to join a specialised team based in Wakefield. Your main duties will include the interrogation of electronic based equipment to obtain evidence in accordance with Force and National policy in support of operational policing activity. You will be responsible for providing professional advice and guidance to Investigating Officers in relation to seizing electronic evidence and where necessary accompanying them to assist with the seizures. You will be expected to work with a minimum of supervision and promote or improve the effectiveness of the team.

The ideal candidate will be educated to degree level in a related subject (Computer Studies or Computer Forensics) or will have equivalent experience and training. As a Hi Tech Officer you will require a strong physical and emotional resilience to deal with abusive and offensive images, and must be able to pass the core courses in relation to the recovery and analysis of digital evidence. You will come with a sound knowledge and expertise of common operating systems and applications with an aptitude for problem solving in a methodical and orderly manner. In addition, you must be prepared to travel for business purposes and participate in a stand-by rota.

Selection will take the form of a panel interview and a practical test. The successful candidate will be subject to personal and financial vetting checks prior to appointment. This role is suitable for job share.

The online application form and role profile may be accessed through the following link https://static.wcn.co.uk/company/wyp/external_search_engine.html
Post reference Number: XCC703
Closing date: 30 November 2014

Digital Forensics Job Vacancies: Senior Digital Forensic Analyst, circa £40K (outside London)

Our client has an urgent requirement for a Senior Digital Forensics Consultant. You can come from law enforcement, vendor/consultancy or in-house position.

Expected:
- You will ideally have 5 years+ experience in Computer Forensics
- You will be familiar with the most used tools e.g. Encase, FTK etc
- Good understanding of ACPO
- Good understanding of various OS (Operating Systems)

Ideal:
Some scripting skills in one or more of: SQL, Python
Good relational database knowledge

Mobile Phone Forensics: Samsung Galaxy S5

Go to the path C:/Users/$YourUserName$/.android/

Look for a file named 'adb_usb.ini'. If there is not one there then create one with notepad. Be sure the VID of the driver is in the file using notepad, e.g. mine currently reads 0x2207 0x18D1

This has helped me remedy troublesome devices in the past. Also try the universal ADB driver from here, it's awesome: http://rootjunkysdl.com/?device=Android%20Drivers

General Discussion: Identifying PHI and PII - keyword lists and regexp

When I delve into a new cultural sub-category, I like to get samples of known data. That is, in your case I would get a database of personally identifiable information (PII) as they are structured in the target system and extract key words from that. I would do the same for protected health information (PHI), and anything else covered by the Health Insurance Portability and Accountability Act (HIPAA). It is easier and gives much better results, in my opinion, to use a sample of known data to find similar data than to attempt to guess.

Education and Training: Question

Yes, I am interested in getting some certifications. I think it would be an easy way for me to attend the institutions if they offer an interpreter service or equal access. I think I would like to attend the institutions and be able to understand the equipment and practicals in person instead of reading a book, and avoid confusion due to my deafness and disabilities. I am new to the specialization within digital forensics, but I would appreciate it if you can lead me to the link and I can read them myself. I was told by my professors I would work in the digital forensic field; however, I can't do anything outside of the organizations for criminal justice career, but it is ridiculous. I know I can do anything except hear. Looking forward to your response soon.

Digital Forensics Job Vacancies: Cyber Technical Security Investigator - Guildford

Cyber Technical Security Investigator
Type: Permanent
Location: Guildford
Clearance: Must have or be willing to gain DV
Salary: Competitive

We are looking for Technical Security Investigators who can analyse the security of complex systems and investigate incidents where security has failed. You will need to employ a range of techniques including aspects of penetration testing, reverse engineering and digital forensics. You will need to know when off-the-shelf tools are appropriate and also identify opportunities for novel solutions. You will have a methodical approach but be able to effectively filter information and focus quickly on data which yields the most value.

Key Responsibilities:
• Respond to client requests, anticipating and meeting client problems and needs using innovative approaches when applicable
• Deliver high quality work to meet client expectations and project deadlines
• Contribute to all aspects of technical security
• Share knowledge with colleagues and assist team members with their objectives
• Respond to, and resolve, technical issues
• Work alongside clients or directly for client personnel
• Report progress to manager, highlighting issues before they become a problem

Essential Skills:
• Knowledge of security applications, processes or defects in one or more of the following: Desktop Operating Systems, Mobile, SCADA and Industrial Control, Embedded Systems
• Innovative and analytical in your approach to solving problems including the ability to break apart technical or software systems into component parts and understand how they operate at a deep level. This might be evidenced by a hobby in fixing or modifying electronics or software. You will be able to recognise when one approach to solving a problem is not working and be able to identify alternatives
• You will have an excellent academic record and be at least Degree-level qualified in Engineering, Mathematics or Science from a good university backed up with strong A-levels or equivalent
• Excellent technical presentation skills, both written and verbal, with the ability to communicate the impact and importance of detailed technical information to a non-technical audience
• Capable of working to strict deadlines and prioritising work appropriately
• Self-motivated and motivates others keeping morale and performance high
• Flexible approach to hours, dress (smart or casual to suit client environment) work location and tasks to meet client needs

To find out more about the position and to apply please visit Cyber Security Jobs