Thanks for your detailed answer. The "a copy is a copy as long as the MD5 hash matches" is a good point. Otherwise your cost in hard drive space would be really high. The other point to consider that I didn't mention is that you shouldn't have the untouched copy and the working copy on the same drive.
General Discussion: digital evidence preservation
Digital Forensics Job Vacancies: IT Security Technical Analyst - Wiltshire
Job Purpose:
We are recruiting an experienced IT Security Analyst with strong Windows/Wintel environments experience. You will deliver activities to support IT security projects, resolve day to day IT security operational problems, conduct auditing, analysis and remediation of penetration tests, and security testing of both business applications and infrastructure.
You will also provide technical support and security expertise to the IT Security Operations Manager and ensure cost effective, industry best practice security standards and technologies are implemented across the business.
Responsibilities:
This is what we need you to do:
• Actively monitor and respond to security events. Conduct security event and trend analysis to support the production of reports and statistics.
• Ensure audit trails, system logs and other monitoring data sources are reviewed periodically and are in compliance with policies and audit requirements.
• Design, coordinate and oversee security testing procedures and audits to verify the security of systems, networks and applications and manage the remediation of identified risks for example PCI DSS.
• Communicate with technical and non-technical audiences at various levels.
• Provide technical security advice to projects, ensuring appropriate controls are in place to protect the business.
• Understanding and use of popular tools, e.g. metasploit, nmap, Nessus.
• Conceptual understanding of social engineering techniques such as phone pre-texting or e-mail phishing.
• Document, amend, and implement security principles policies based on best practices.
• Maintain a technical reference knowledgebase.
• Keep abreast of security advisories and alerts, information on security trends and practices, and laws and regulations.
• Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances, recommend treatment plans and communicate information about risk.
• Manage security projects and provide expert guidance on security matters for other IT projects.
• Assist and guide the disaster recovery planning team in the selection of recovery strategies and the development, testing and maintenance of disaster recovery plans.
Experience:
• A minimum of 3 years IT experience, within an IT security role.
• Expert knowledge of security issues, techniques and implications across computer platforms.
• Understanding and experience of PCI DSS, ISO27001 or other similar compliance standards.
• Knowledge of security-specific architecture methodology.
• Knowledge of the ITIL framework.
Key Competencies:
This is what we need you to have:
• Experience of supporting Security investigations, including evidence gathering and IT forensics analysis.
• Have a good level of knowledge across a number of information security technologies, including Firewalls, IDS/IPS, DLP, End Point Security, Data Encryption, Web/Email filtering, Anti-virus, Penetration Testing, Forensic Investigation, and SIEM.
• Experience of supporting Penetration Testing, Vulnerability Assessments and Risk Assessments using best practice risk management methodologies.
• A good understanding of best practice security controls for market leading technologies (e.g. Cisco, SQL, Wintel).
• Experience of working with risk management methodologies.
• Have strong experience with securing Windows environments.
• Strong conceptual thinking and communication skills.
• Ability to work well under minimal supervision.
• Team-oriented interpersonal skills, with the ability to communicate effectively with a broad range of people and roles, including vendors, IT and business personnel.
• Good understanding of technology and process optimization techniques in standardisation, consolidation, simplification and automation and appetite for continuous improvement.
• Comfortable working outside of core working hours when necessary to complete tasks.
• Able to travel to world-wide sites across the enterprise.
Qualifications:
• Professional security management certification, such as a Systems Security Certified Practitioner (SSCP), Certified Information Systems Security Professional (CISSP), Computer Hacking Forensic Investigator (CHFI), or other similar credentials is desirable.
• Microsoft Certification (MCP, MCSA, MCSE, etc.) is desirable.
• Awareness and experience in supporting Firewalls, Web filtering, Data Loss Prevention, SIEM is desirable.
• Formal training and Certification in ITIL and Prince 2 is desirable.
To apply for the position please visit Cyber Security Jobs
General Discussion: how to discover wich user was logged into the system
Yes, it's true, and in fact all Skype dialogues concern only one user account, but I'd like to know if in Win7 (in which we have more logs) there is the chance to discover each user login....
Any idea?
General Discussion: Recover deleted folders from five 4 TB drives in RAID-5
Zul22 wrote:
Concerning DMDE, I'm not sure how to chain the "Construct RAID" step with the data recovery step. Is this easy?
I am not sure to understand the question.
There is a "RAID constructor" that builds the "virtual RAID" from single disks; this is "before" *any* action, i.e. it is the preliminary step that you have to carry out in order to have a "source" to be analyzed.
The tricky part is often to determine the parameters and the disk order (this greatly depends also on the documentation available for the "original" hardware); the good thing of such a virtual assembly is that you can make "random" attempts with different parameters/disk order/etc.
jaclaz
Digital Forensics Job Vacancies: Forensic Evidence Specialist - Cleveland (Medina, OH)
Vestige Digital Investigations is currently seeking a highly-motivated and responsible individual to fill this entry-level forensic position. Hardware technical skills a must, troubleshooting skills a must. Ability to travel locally on-site to client sites and periodically to other locations (minimal foreign travel, but available should the opportunity arise) as-needed. To apply at our website, click on the following link: http://www.vestigeltd.com/all-job-postings?view=posting&id=6.
Code: Evidence_Specialist
Posted On: Saturday, 15 November 2014
Department: Analyst / Investigations
Location: Cleveland
Vestige Digital Investigations - Cleveland
23 Public Square, Ste. 250, Medina, OH 44256
Education: 4 Year Degree
Travel: 50% Local Travel - on-site to client locations
Mobile Phone Forensics: SQLite: Identify Date column in SQLite db table
Unfortunately it's a bit more complicated than that.
Dates can be stored in a number of formats as per the SQLite spec.
See section 2.
Further, an application can choose to store a date in any other format it chooses.
Chrome dates, Unix 10 & 13 digit dates, iOS NSDates and Microsoft 64-bit file times are all common. But if I chose to save a date as a float recording the number of half seconds since my birthday then there is absolutely nothing stopping me doing so.
That said - I think it not unreasonable to start with the defaults above, and use the functions at the page below along with anything you have in your java toolkit to convert them.
https://www.sqlite.org/lang_datefunc.html
As to dynamically understanding what a date column is, assuming an SWT table doesn't have a format that prescribes this: you could try the column name to see if that gives a clue (could easily fail) or you could iterate through all the columns in your table, convert every row and see if the converted date made sense - note not just the conversion but, given the type of data, is it sensible (if the table stores your classmates' dates of birth and you get a date that decodes correctly to some time in 1901 then it is not sensible).
BTW this is posted without having a clue what an SWT table is.
Oh - and just because a SQLite table is defined as an integer - it doesn't mean you can't store a float, or even text, in it - see type affinity in that first page above.
Finally there is a load of information about different time formats in the article "A Brief History of Timestamps" on my web site here - http://sandersonforensics.com/forum/content.php?137-articles
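The iterate-every-row-and-check-it-makes-sense approach described above, as an added example in Python (this is not code from the original post or from sqlite.org). The decoder set covers the formats the post names (Unix seconds and milliseconds, Chrome/WebKit microseconds, NSDate seconds, Windows FILETIME, plus SQLite's own Julian-day and ISO-8601 text conventions); the plausibility window, the sample rows and the function names `decode_candidates`, `infer_column_format` and `scan_table` are all constructed for the example. Numeric text is accepted as well, because type affinity means an INTEGER column can hold TEXT.

```python
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome/WebKit and Windows FILETIME
NSDATE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Apple NSDate / Core Data
UNIX_EPOCH_JULIAN_DAY = 2440587.5                            # SQLite REAL storage class (section 2)

# Candidate decoders for numeric cells: name -> raw number to aware UTC datetime.
DECODERS = {
    "unix_seconds": lambda v: UNIX_EPOCH + timedelta(seconds=v),                  # 10-digit Unix
    "unix_millis": lambda v: UNIX_EPOCH + timedelta(milliseconds=v),              # 13-digit Unix
    "chrome_micros": lambda v: WEBKIT_EPOCH + timedelta(microseconds=v),          # Chrome/WebKit
    "nsdate_seconds": lambda v: NSDATE_EPOCH + timedelta(seconds=v),              # iOS/macOS
    "filetime_100ns": lambda v: WEBKIT_EPOCH + timedelta(microseconds=v / 10),    # Windows FILETIME
    "julian_day": lambda v: UNIX_EPOCH + timedelta(days=v - UNIX_EPOCH_JULIAN_DAY),
}

# Plausibility window, constructed for the sample data: the time frame of the case.
WINDOW_START = datetime(2010, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2016, 1, 1, tzinfo=timezone.utc)


def _to_number(value):
    """Return the cell as a float if it is numeric or numeric text, else None."""
    if isinstance(value, bool):
        return None
    if isinstance(value, (int, float)):
        return float(value)
    if isinstance(value, str):
        try:
            return float(value.strip())
        except ValueError:
            return None
    return None


def decode_candidates(value, earliest, latest):
    """Try every known format on one cell and keep only the decodes that land inside
    the plausibility window. Overflows (e.g. microseconds read as seconds) are discarded."""
    hits = {}
    number = _to_number(value)
    if number is not None:
        for name, decode in DECODERS.items():
            try:
                moment = decode(number)
            except (OverflowError, ValueError, OSError):
                continue
            if earliest <= moment <= latest:
                hits[name] = moment
    elif isinstance(value, str):
        try:
            moment = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
        except ValueError:
            return hits
        if moment.tzinfo is None:
            moment = moment.replace(tzinfo=timezone.utc)
        if earliest <= moment <= latest:
            hits["iso8601_text"] = moment
    return hits


def infer_column_format(values, earliest, latest):
    """Return the one format under which every non-NULL value in the column is a sensible
    date; None when no format fits all rows or when several formats still fit (ambiguous)."""
    surviving = None
    for value in values:
        if value is None:
            continue
        names = set(decode_candidates(value, earliest, latest))
        surviving = names if surviving is None else surviving & names
        if not surviving:
            return None
    if not surviving or len(surviving) != 1:
        return None
    return surviving.pop()


def scan_table(rows, earliest, latest):
    """rows: list of dicts, one per row (e.g. sqlite3.Row converted with dict()).
    Returns {column_name: format} for every column that decodes consistently."""
    if not rows:
        return {}
    found = {}
    for column in rows[0]:
        fmt = infer_column_format([row.get(column) for row in rows], earliest, latest)
        if fmt:
            found[column] = fmt
    return found


# Constructed sample rows: three timestamp columns in three different formats, one of them
# stored as text in an integer column, plus an id and a name that must not be mistaken for dates.
SAMPLE_ROWS = [
    {"id": 1, "name": "alice", "created": 1415923200, "visited": 13060396800000000,
     "modified": "2014-11-14T10:00:00Z"},
    {"id": 2, "name": "bob", "created": 1415923260, "visited": 13060396860000000,
     "modified": "2014-11-15 09:30:00"},
    {"id": 3, "name": "carol", "created": "1415926800", "visited": 13060400400000000,
     "modified": None},
]

if __name__ == "__main__":
    for column, fmt in scan_table(SAMPLE_ROWS, WINDOW_START, WINDOW_END).items():
        print(f"{column}: looks like {fmt}")
```

The window is what turns "decodes without error" into "is sensible": a 10-digit Unix value also decodes cleanly as Chrome microseconds (to the year 1601) and as NSDate seconds (to 2045), and only the case's time frame rules those out. Columns where more than one format survives every row are reported as undetermined rather than guessed.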
Forensic Software: CEH and CHFI, pls advice
Hi guys, has anyone in the house done CEH or CHFI exams?
Is any of them compulsory for entry level job in computer forensics when you already have MSc in Forensic Computing and ACE? Pls advise, thanks
Mobile Phone Forensics: LiME: Nexus 5 - Compile error
I'm trying to make a forensic image of the volatile memory (RAM) of the LG Nexus 5 with LiME.
I followed the instructions (1.4) but when I try to locate /proc/config.gz on the device (via ADB), the file does not exist.
Edit: Problem above is solved. (Used the .defconfig from the hammerhead kernel).
New problem: When trying to execute 'make ARCH=arm CROSS_COMPILE=$CC_PATH/arm-eabi- modules_prepare', error raised: 'make: *** No rule to make target ‘modules_prepare’. Stop’.
Maybe someone has a solution to this or knows of other methods to acquire an image of the RAM?
Thanks in advance.
General Discussion: how to discover wich user was logged into the system
Yes...it's really true. In fact, timeline analysis and internet activity are related only to one user, but I tried to discover traces of user login from system.evtx...without solution.
Process winlogon.exe in Win7 seems to start each profile at PC startup, independently from the real user login....
Thanks for all.
General Discussion: New Role - Cell Site Role - London 60k Maxfield Search
Cell Site Specialist – London £60,000: Digital Forensics Specialist, Cell Site Specialist, Cell site Investigations, Digital Forensic Investigations.
A new Cell Site Specialist position working with a leading forensics specialist organisation based in London currently looking for a Cell site Specialist to join their experienced team.
The right candidate will need to have a solid background in working with various law enforcement or similar contacts previously and strong working knowledge of network surveying data using the relevant industry tools and set-ups. An experienced forensic investigations specialist / digital investigations specialist would suit this role well.
When needed the right candidate will need to attend cases and various court hearings to provide collected findings etc and have experience in doing so. A background of digital investigations or cell site analysis work in a law enforcement or forces / internal set-up previously would be highly advantageous for this position.
This is a great chance for an experience Digital Investigations Consultant / Digital investigations specialist - Cell Site analyst to join an industry leading forensics and investigations specialist with a strong brand name and presence. My client can offer the right candidate excellent long term career progression and the opportunity to work on new cases from their extensive portfolio of government and enforcement contacts as well as many others. With new funding my client are looking to expand due to an influx in workload and this position has arisen as a result.
This is one of several positions we are currently working on in the Computer Forensics, Mobile Forensics, Computer investigations space.
Get in contact this week for a full overview of current clients and positions in this space or visit: www.maxfieldsearch.co.uk for more forensic positions.
Give us a call or Email a CV today for application.
Cell Site Specialist – London £60,000:
Cell Site Analyst, Cell Site Investigations, Cell Site, Call Site, Forensic Investigations, Forensic Software, EnCase, Computer Forensics, Forensic Investigations, Forensics specialist, Digital Forensics, Digital Investigations, Cell Site Analyst, Cell Site Investigations, Cell Site, Call Site, Forensic Investigations, Forensic Software, EnCase, Computer Forensics, Forensic Investigations, Forensics specialist, Digital Forensics, Digital Investigations, Digital Forensics Specialist, Cell Site Specialist, Cell site Investigations, Digital Forensic Investigations.
Digital Forensics Job Vacancies: Internet Security Investigator/Analyst - Hampshire
Internet Security Investigator/Analyst
Type: Permanent
Location: Winchester, Hampshire UK
Salary: Competitive
Our client is looking for a detail-oriented Internet Security Investigator/Analyst. You'll work with a team of InfoSec enthusiasts, tech geeks and security evangelists to provide reactive and proactive support to our partners. You’ll do this by helping add to our amazing level of proprietary insight.
Key Responsibilities:
• We work in a fast paced, team-oriented environment across multiple time zones. We are fuelled by a passion for making the world better, as well as gallons of coffee
• You’ll be required to work out of our office in sunny Winchester, England
Essential Skills:
• Minimum of 2 years experience as an LE investigator or IT security analyst
• Demonstrated basic programming skills, such as shell scripting, perl, python or C++
• Demonstrated knowledge of operating system concepts, database queries, malware analysis, network and application security principles and network protocols
• Skilled in technical and non-technical writing. Above average verbal and written communication skills
• Well-developed analytical and problem solving skills
• Effective prioritisation and time management skills
• Ability to shift focus to higher, breaking priorities without concern
• Demonstrated track record of teamwork and collaboration
Desirable Skills:
• Comfortable presenting in front of large audiences
To view this job in more detail and to apply please visit Cyber Security Jobs
Employment and Career Issues: Looking for a graduate job
Hi, I've just noticed your post. If you visit our site www.CyberSecurityJobsite.com and upload your CV then companies will be able to contact you directly about job opportunities. In addition to that you can also apply for jobs and set up job alerts so each night you will receive jobs matching your criteria.
If you have any questions please let me know, your skills are in big demand currently.
Mobile Phone Forensics: Facebook database (BlackBerry)
I did a physical extraction using Cellebrite of a BlackBerry 9300.
Physical Analyzer made a nice parsing, but unfortunately, I can't find the databases it fetched its information from.
I looked in every folder of the file system. Can't find anything. I searched on Google, nothing on that subject. I tried a FileSystem extraction and it doesn't find anything on Facebook.
It looks like it parsed the chat and the wall post. I want to know where all of this is coming from to validate.
Thanks in advance for your help!
General Discussion: Block index out of bounds
Sterling_m wrote:
I've been sent a hard drive for analysis. The content of the hard drive is several folders, each folder contains an .e01 image.
That is, you have multiple image files for a single hard drive? Sounds odd. Unless you have separate images of each partition.
Me, I'd ask the sender for clarification.
Quote::
None of the images are mountable in FTK or Encase, instead an error pops up when trying to mount them "Please select a valid image file"
And how did you receive these files? On a disk? If EnCase doesn't accept them as images, they probably have been damaged.
Quote::
When trying to export the images, they each result in a message that says "(filepath) Block index out of bounds."
Don't understand. How can you export anything if EnCase etc won't accept the images in the first place? Export what from where?
Are the image files on a hard drive? Is *that* hard drive damaged? Run whatever file system checking program you have -- fsck or chkdsk or ... -- before you try anything else.
Quote::
Does anyone have suggestions for how to fix this without the original drives? Is it possible to hexedit in the correct drive size into the e01 (assuming that is the cause of the issue)?
First determine what the problem is. You need the sender to provide you with an inventory, and preferably separate hash sums of each of those files you have. If they don't match ...
Alternatively, return the images: you can't read them, so there's something wrong. Could be the sender messed his end of the business up. (Can you verify that the .exx files are EWF files -- use file(1) or something?)
General Discussion: Recover deleted folders from five 4 TB drives in RAID-5
Zul22 wrote:
Which DMDE, can you directly browse the virtual RAID if the file system is valid or do you have to perform a full data recovery (i.e. full analysis of the virtual RAID) before you can see the folders and files ?
Sure (IF the filesystem is recognized and it is basically "sound"), you can browse the filesystem contents "as they are" (i.e. not including deleted folders/files and/or incorrect entries, etc.).
Zul22 wrote:
Concerning DMDE, I wonder if the ext4 recovery permits quick recovery of deleted files using the journal, like extundelete does, or if I will have to scan the whole 16TB virtual RAID image. Any idea ?
No ideas.
I don't think I ever used it on an "Ext4" filesystem; on NTFS it reads/analyzes the $MFT for deleted files/folders/etc. only when you do a "Virtual reconstruction" of the filesystem, and on "normal" sized volumes it takes but a bunch of seconds to do this search/reconstruction.
Just like I was tempted to answer to the previous question :shock:, why don't you simply try it?
I mean, you can get the Freeware version for free; it has a few limitations, but the behaviour is I believe essentially the same as the "Full" program, and you can abort the "Virtual reconstruction" if you see it takes too long.
jaclaz
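The "virtual RAID" assembly discussed in this thread and in jaclaz's earlier reply about the RAID constructor (build a virtual volume from the single-disk images, then make trial attempts at the parameters and disk order), as an added Python example. This is not DMDE's code and says nothing about how DMDE implements its constructor; it assumes a left-symmetric RAID-5 layout (the Linux md default), the member images are a constructed fixture, and `assemble`, `search_parameters`, `parity_consistent` and `rebuild_missing` are names chosen for the example. It also shows the one check that is independent of order and stripe size, the all-disks XOR, and why that check alone cannot settle the parameters.

```python
import itertools


def xor_bytes(*blocks):
    """Byte-wise XOR of equal-length blocks (the RAID-5 parity operation)."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(row, ndisks):
    """Left-symmetric layout (assumed): parity starts on the last disk and moves one
    disk to the left on each successive stripe row."""
    return (ndisks - 1) - (row % ndisks)


def split_into_members(volume, ndisks, stripe):
    """Constructed fixture only: stripe a logical volume across ndisks with rotating parity.
    In a real case the per-disk images are what you already have."""
    members = [bytearray() for _ in range(ndisks)]
    data_per_row = stripe * (ndisks - 1)
    for row, off in enumerate(range(0, len(volume), data_per_row)):
        p = parity_disk_for(row, ndisks)
        chunks = [volume[off + i * stripe: off + (i + 1) * stripe].ljust(stripe, b"\0")
                  for i in range(ndisks - 1)]
        for i, chunk in enumerate(chunks):
            members[(p + 1 + i) % ndisks] += chunk   # data chunks follow the parity disk
        members[p] += xor_bytes(*chunks)
    return [bytes(m) for m in members]


def assemble(members, stripe):
    """Rebuild the virtual volume, reading the members in the guessed physical order."""
    n = len(members)
    out = bytearray()
    for row in range(len(members[0]) // stripe):
        p = parity_disk_for(row, n)
        for i in range(n - 1):
            disk = (p + 1 + i) % n
            out += members[disk][row * stripe:(row + 1) * stripe]
    return bytes(out)


def parity_consistent(members):
    """Order- and stripe-independent sanity check: with a complete, correct disk set the XOR
    of all members is zero at every offset. It can reveal a wrong or missing disk, but it
    says nothing about disk order or stripe size, which is why trial assembly is needed."""
    return not any(xor_bytes(*members))


def rebuild_missing(members):
    """Degraded RAID-5 recovery: the single member given as None is the XOR of the others."""
    missing = members.index(None)
    rebuilt = xor_bytes(*(m for m in members if m is not None))
    return members[:missing] + [rebuilt] + members[missing + 1:]


def score_sequential(volume):
    """Content check for the fixture: count 4-byte blocks whose value equals their index.
    On a real volume you would score by filesystem structures instead (a valid superblock
    or boot sector, directory entries that point at sensible places)."""
    return sum(1 for j in range(len(volume) // 4)
               if int.from_bytes(volume[4 * j:4 * j + 4], "big") == j)


def search_parameters(members, stripe_sizes, score=score_sequential):
    """The trial attempts described in the thread, done exhaustively: assemble under every
    disk order and stripe size and keep the candidate whose content scores best."""
    best = None
    for order in itertools.permutations(range(len(members))):
        for stripe in stripe_sizes:
            candidate = assemble([members[i] for i in order], stripe)
            s = score(candidate)
            if best is None or s > best[0]:
                best = (s, order, stripe)
    return best


# Constructed fixture: 192 sequential 4-byte blocks striped over 3 disks in 32-byte chunks,
# then handed over in the wrong order, as a set of mislabelled disk images might be.
VOLUME = b"".join(j.to_bytes(4, "big") for j in range(192))
TRUE_MEMBERS = split_into_members(VOLUME, ndisks=3, stripe=32)
SHUFFLED = [TRUE_MEMBERS[2], TRUE_MEMBERS[0], TRUE_MEMBERS[1]]

if __name__ == "__main__":
    print("parity consistent:", parity_consistent(SHUFFLED))
    score, order, stripe = search_parameters(SHUFFLED, stripe_sizes=[16, 32, 64])
    print(f"best guess: order={order} stripe={stripe} ({score}/192 blocks in place)")
```

The search space is small here (six orders times three stripe sizes); with five disks it is 120 orders per stripe size and per layout, which is still cheap because only a few leading stripes need to be assembled to score a candidate. None of this touches the member images, matching the thread's point that the virtual assembly is a preliminary, non-destructive step before any recovery.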
Mobile Phone Forensics: Nokia Lumia 630
jay_bo wrote:
*** EDIT ***
I have downloaded the file for Nokia Lumia 630 (RM-976), it has provided me with test points needed to read the eMMC directly.
Can you please provide a link or a picture? Thx.
Mobile Phone Forensics: forensic software for old Nokia - S40
Dear All,
I would like to know if there are some tools/techniques that are able to recover deleted sms from an old Nokia 2610 with Symbian S40 v 04.90.
Thanks a lot
regards
Silvestro
Mobile Phone Forensics: Read file and directories from Android raw image.
Thank you
But I would like to know the basics for doing so, if there are any Unix commands or a way of processing the dd image.
General Discussion: Recover deleted folders from five 4 TB drives in RAID-5
Zul22 wrote:
For ext2/3/4 file systems, it's practically impossible to recover the folders structure with the right names, because of the way the deletion is done in the file system.
I thought that if you deleted a directory you could recover all its contents including the names (not the name of the directory itself though) since the directory index is stored as a file. Does the filesystem driver traverse and delete the entries inside the directories as well?