They have supported it since V3.31.00 (release date: 07/08/2016).
ref: http://forum.gsmhosting.com/vbb/11916061-post47.html
↧
Mobile Phone Forensics: Pin Locked Oppo smartphone
↧
General Discussion: Regripper profilelist entries
passcodeunlock wrote:
If it is about logging in to a domain, I would certainly use the domain server logs for my research and not the local workstation registry entries.
Well, IMHO you CANNOT do that.
IF you have two data points, you cannot ignore one at your choice.
The whole idea of a complete timeline is to insert as much data points as possible from *whatever* source and:
1) see if they ALL fit into a given "scheme"
2) provide reasons why this (or that) data point is "out".
jaclaz
↧
Classifieds: Wanted EnCase v7 Computer Forensics I and II student manuals
↧
Employment and Career Issues: Question about Cybrary.it!
With watery eyes and bowing, I say thank you, thank you very much for the help and guidance, UnallocatedClusters!
↧
General Discussion: vhdx
You can enable the Hyper-V service on a supported OS (I recently did it with Server 2012 R2 Standard) and use the command line to convert the .vhdx file to .vhd. Most forensic tools support .vhd.
https://blogs.technet.microsoft.com/cbernier/2013/08/29/converting-hyper-v-vhdx-to-vhd-file-formats-for-use-in-windows-azure/
↧
Mobile Phone Forensics: Remote power on
Technically not possible if the iOS device is really shut down. Within LAN technologies, the Wake-on-LAN Ethernet frame is specified to wake a client that is still connected to power and to the network.
Before a remote power on will be possible, iOS would have to be changed so that a shut-down device still stays awake for connectivity such as NFC, BT LE, GSM/LTE or WiFi.
We heard rumors that the Apple Watch 2 with watchOS 3 or later releases will be able to unlock a turned-on but locked iPhone connected via Bluetooth, using the Watch screen as Touch ID. But these are just rumors.
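The Wake-on-LAN frame the post contrasts with iOS behaviour is simple enough to show end to end. The following is an added example, not code from the original post: it builds the magic packet (a 6-byte 0xFF sync stream followed by the target MAC repeated 16 times, with an optional SecureOn password), detects one at any offset inside a captured payload the way a NIC would, and sends it as a UDP broadcast. The MAC address and the broadcast address/port are assumptions chosen for illustration; the wake only works on the local segment, which is the point the post makes about it being a LAN-only mechanism.

```python
import re
import socket

MAGIC_PREFIX = b"\xff" * 6


def build_magic_packet(mac, password=b""):
    """Build a Wake-on-LAN magic packet: 6 x 0xFF, then the target MAC 16 times,
    then an optional 4- or 6-byte SecureOn password."""
    hexmac = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexmac) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return MAGIC_PREFIX + bytes.fromhex(hexmac) * 16 + password


def find_magic_packet(payload):
    """Return the target MAC if `payload` carries a magic packet at any offset, else None.
    The NIC scans for the sync stream anywhere in the frame, so a detector must as well."""
    idx = payload.find(MAGIC_PREFIX)
    while idx != -1:
        body = payload[idx + 6: idx + 6 + 96]
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join(f"{b:02x}" for b in body[:6])
        idx = payload.find(MAGIC_PREFIX, idx + 1)
    return None


def send_magic_packet(mac, broadcast="255.255.255.255", port=9):
    """Send the packet as a UDP broadcast on the local segment (assumed port 9);
    broadcasts are not routed, so this cannot reach a host on another network."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(pkt, (broadcast, port))
    return len(pkt)


if __name__ == "__main__":
    pkt = build_magic_packet("00:11:22:33:44:55")  # constructed MAC, not a real host
    # Wrap the packet in junk bytes to show detection at a non-zero offset.
    print(len(pkt), find_magic_packet(b"\x00" * 20 + pkt + b"\x00" * 8))
```

The detector is the half a practitioner usually needs: dropped into a capture parser it tells you whether somebody on the segment tried to wake a box, and which one.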
↧
Mobile Phone Forensics: UFED Enquiry about their products !!
@JaredDM: Trust me or not, but VNR (Rusolut) is the best tool for NAND recovery, but only if you understand it and learn how to use it. I suggest taking a training class for VNR if you have problems; Sasha will give you all the information you require, and you will not need to send your dumps anywhere else afterwards.
P.S.
Regarding eMMC... yes, it's true that you can access eMMC over ISP even without removing it from the PCB, or by chip-off and an SD reader, but eMMC also has NAND inside, as you know, and in some situations the firmware in the controller can also be corrupted; the only access then is via the NAND protocol.
↧
Mobile Phone Forensics: HTC chip-off question: which socket adapters to choose
You will not find a socket for this since this is an MMP (Multichip Memory Package); please look at it from the side (not from the top)... If you require the specification/pinout for the NAND protocol as well as X-ray images, you can check this http://www.techinsights.com/reports-and-subscriptions/open-market-reports/Report-Profile/?ReportKey=7906
↧
Mobile Phone Forensics: Is anything wrong with Cellebrite support?
UnallocatedClusters wrote:
we have received excellent support recently
Quote:
My forensic colleague and I actually remarked that Cellebrite's support was better than many companies' support we deal with regularly.
Well, my experience is the opposite.
↧
Forensic Software: Sleuthkit Error
Red1 wrote:
So why would mmls think it was a Linux partition when it clearly wasn't?
mmls reports/interprets the information ("Linux (0x83)") found in a partition table entry. It a) reports the partition type code found in the entry; that code is 0x83. Then b) it looks up that code in some table, such as that presented by the Wikipedia page (https://en.wikipedia.org/wiki/Partition_type). That's "Linux".
The contents of that partition is, as you note, a FAT16 file system.
Partition id codes have only a weak connection to the actual contents of the partition. The partition id code is sometimes more an artifact of the partitioning software used to create the entry than anything else. Or, if that software allows you to set your own partition ids, of what some user thought was reasonable, or what error the user made at the time. It *might* be an artifact of some Linux partitioning tool that sets all partitions it creates to 0x83, but that's just wild speculation.
At the end of the day, it's just a byte value, and can be set to anything (except perhaps 0, which sometimes is used to indicate an unused table entry). The question is rather: is there any software that uses the contents of this byte to make decisions about how it should interpret the content of the partition? And for what ids does it do so?
Partition creation and file system creation are not necessarily connected. What once may have been a Linux file system, might have been reformatted as a FAT16 file system at a later point in time. That would not change the partition table entry, only the contents of the sectors allocated to that partition.
That makes it dangerous to lock on partition table id for interpretation. It might have been safe back when Microsoft was the only company doing file systems on MBR-formatted disks. Today, it could mean disaster.
So ... there's no clear error on the part of Sleuthkit/mmls: it reports what it sees. It's up to the analyst to do the analysis of any (apparent) anomalies. It might, though, be slightly preferable to report the partition type as "0x83 (Linux)", i.e. to make it clearer what information is absolute (i.e. 0x83) and what information is an interpretation (i.e. Linux).
I think all this is covered in Brian Carrier's book on file system forensics. If you haven't got a copy, I can strongly recommend getting one.
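To make the distinction in the reply concrete, here is an added example (my own code, not Sleuthkit's and not part of the original thread) that reads the four MBR slots, reports the raw type byte before its interpretation in the "0x83 (Linux)" form suggested above, and then looks at the partition contents independently for FAT, NTFS and ext signatures. The test image is constructed inline: one entry typed 0x83 whose first sector is a FAT16 boot sector, i.e. exactly the anomaly discussed. The type-name table and the "which file systems are consistent with which code" map are small subsets I wrote for the example, not the table mmls ships.

```python
import struct

SECTOR = 512

# Subset of the MBR partition type table (constructed for this example).
PARTITION_TYPE_NAMES = {
    0x00: "Empty", 0x04: "DOS FAT16 (<32M)", 0x06: "DOS FAT16", 0x07: "NTFS / exFAT / HPFS",
    0x0B: "Win95 FAT32", 0x0C: "Win95 FAT32 (LBA)", 0x0E: "Win95 FAT16 (LBA)",
    0x82: "Linux swap", 0x83: "Linux", 0x8E: "Linux LVM", 0xEE: "GPT protective",
}

# Which on-disk file systems are consistent with a type code (assumption for the example).
# Anything else is an anomaly to explain in the timeline, not an error in the tool.
CONSISTENT_WITH = {
    0x04: {"FAT12", "FAT16"}, 0x06: {"FAT12", "FAT16"}, 0x0E: {"FAT12", "FAT16"},
    0x0B: {"FAT32"}, 0x0C: {"FAT32"}, 0x07: {"NTFS"}, 0x83: {"ext2/3/4"},
}


def describe_type(code):
    """Report the byte that is actually on disk first, the interpretation second."""
    return f"0x{code:02X} ({PARTITION_TYPE_NAMES.get(code, 'Unknown')})"


def parse_mbr(sector0):
    """Return the populated MBR slots as dicts; empty (type 0x00) slots are skipped."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature")
    entries = []
    for i in range(4):
        boot, type_code, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if type_code == 0x00:
            continue
        entries.append({"slot": i, "bootable": boot == 0x80, "type_code": type_code,
                        "label": describe_type(type_code), "lba_start": lba_start, "sectors": sectors})
    return entries


def sniff_filesystem(fs):
    """Identify a file system from its own signatures, ignoring the partition table entirely."""
    s0 = fs[:SECTOR]
    if s0[3:11] == b"NTFS    ":
        return "NTFS"
    if len(s0) == SECTOR and s0[0] in (0xEB, 0xE9) and s0[510:512] == b"\x55\xAA":
        tag = s0[54:62].rstrip()  # FAT12/FAT16 BPB file-system type string
        if tag in (b"FAT12", b"FAT16"):
            return tag.decode()
        if s0[82:90].rstrip() == b"FAT32":
            return "FAT32"
    if len(fs) >= 1024 + 58 and struct.unpack_from("<H", fs, 1024 + 56)[0] == 0xEF53:
        return "ext2/3/4"  # ext superblock magic lives at offset 1024 + 56
    return "unknown"


def audit(disk):
    """Pair each table entry's claim with what the partition contents actually look like."""
    report = []
    for p in parse_mbr(disk[:SECTOR]):
        start = p["lba_start"] * SECTOR
        detected = sniff_filesystem(disk[start:start + 4 * SECTOR])
        ok = CONSISTENT_WITH.get(p["type_code"])
        mismatch = detected != "unknown" and ok is not None and detected not in ok
        report.append({**p, "detected": detected, "mismatch": mismatch})
    return report


def build_sample_disk():
    """Constructed image: one entry typed 0x83 (Linux) whose first sector is a FAT16 boot sector."""
    part_start, part_len = 2048, 2048
    disk = bytearray(SECTOR * (part_start + part_len))
    disk[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x83, b"\0\0\0", part_start, part_len)
    disk[510:512] = b"\x55\xAA"
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"   # jump instruction
    boot[3:11] = b"MSDOS5.0"      # OEM name
    # BPB: bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors (16-bit),
    # media, sectors/FAT, sectors/track, heads, hidden sectors, total sectors (32-bit)
    struct.pack_into("<HBHBHHBHHHII", boot, 11, 512, 4, 1, 2, 512, part_len, 0xF8, 8, 63, 255, part_start, 0)
    boot[38] = 0x29               # extended boot signature
    boot[43:54] = b"NO NAME    "
    boot[54:62] = b"FAT16   "
    boot[510:512] = b"\x55\xAA"
    disk[part_start * SECTOR:part_start * SECTOR + SECTOR] = boot
    return bytes(disk)


if __name__ == "__main__":
    for entry in audit(build_sample_disk()):
        flag = "  <-- table says one thing, contents say another" if entry["mismatch"] else ""
        print(f"slot {entry['slot']}: {entry['label']:<20} start={entry['lba_start']} "
              f"len={entry['sectors']} contents={entry['detected']}{flag}")
```

Run against a real image by replacing `build_sample_disk()` with the file's bytes; the point of the design is that the table byte and the content sniff are two independent data points, and the report only flags where they disagree, leaving the explanation (reformatted partition, tampered entry, odd partitioning tool) to the analyst.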
↧
General Discussion: Regripper profilelist entries
keydet89 wrote:
Fascinating.
Good way to resurrect a thread after a month and a half without actually providing valuable input, thumbs up.
↧
Mobile Phone Forensics: Mobile extractions infecting your investigative platform?
Whenever possible, we use virtual machines for our examinations. So far we haven't had any virus/malware issues, but if it happens, we'll simply delete the VM and start over with a clean platform.
↧
Digital Forensics Job Vacancies: Digital Forensics/eDiscovery, London, £35K to 70K
Location: London & Greater London
Base salary levels (plus exceptionally good benefits and bonus):
£35K (2 years’ experience); circa £50K (4-5 years’ experience); circa £70K (5+ years’ experience)
circa £85K+ (7+ yrs exp.)
Contact: Craig Johnson- Brimstone Consulting
Our client, with a large Digital Forensic/eDiscovery team, is experiencing rapid growth and requires Digital Forensic, eDiscovery, Legal, Cyber or IT staff who have a strong IT background and a passion for IT to become full Electronic Discovery Reference Model (EDRM) consultants. The prospects are exceptionally high.
For the most junior level you will ideally have two years' hands-on experience of collecting and analysing data from servers/computers for fraud investigations, disputes or similar, and be looking to grow your career to cover the full Electronic Discovery Reference Model (EDRM) as a consultant, with the required experience growing for each jump in salary.
• Manage and prioritise your own workload
• Deliver your work on time and to a high standard
• Become a crucial part of the technical eDiscovery team supporting the development of new propositions to solve our client problems
• Work directly with senior technical staff assisting with client engagements
• Developing a role within the Forensic Technology team as a whole, supporting internal development opportunities and helping to grow the practice
• Have a clear understanding of the firm’s commitment to creating a more inclusive culture
Requirements
To qualify for the role you must have:
• A minimum of a 2:1 degree obtained in a field with emphasis on technical, analytical and/or problem-solving skills and any higher qualifications a plus but not essential
• Strong quantitative and analytical skills
• Excellent verbal and written communication skills
• An ability to build relationships and liaise with clients
• Flexibility on working hours and a willingness to work on projects abroad
Required Technical Skills
• Experience with using forensic software applications (EnCase, FTK, Helix, Cellebrite and XRY) and techniques to capture electronic data from computers, external media, networks and mobile data devices
• Experience of performing computer forensic analysis in support of litigation and/or investigation
• Experience in conducting data breach or security incident investigations
• Data processing skills in electronic disclosure environments
• Understanding of evidence handling procedures and ACPO guidelines
Additional desirable (not essential) experience includes:
• Experience in scripting or programming
• Systems or email administration experience (MCSE or equivalent certification)
• Understanding of backup or archiving technologies
• Previous experience with working in an eDiscovery environment with the use of tools such as NUIX, Relativity or Clearwell
• Certifications such as ACE, GIAC Certified Incident Handler (GCIH), GIAC Certified Forensic Examiner (GCFE), EnCase Certified Examiner (EnCE) or similar.
↧
Mobile Phone Forensics: Wipe an old Nokia 106.1 or Samsung GT-E1200
Try ATF nitro for NOKIA
and
BEST dongle for Samsung or Z3X box
Or the easier option would be to buy the phones new and theoretically no data should be on the phones.
↧
General Discussion: Is it possible to determine if files were copied over an RDP
passcodeunlock wrote:
You would need much more information available for a definite yes or no answer. If you only have the server side, there is no way to determine whether somebody copied your file or not.
Even if the file access time was modified by opening your file in an RDP session, you can't know whether there was a simple "close file" at the end or a "save as..." (or a copy of the file content to the local clipboard) before closing it.
Thinking outside the Windows kernel for a moment, I wonder if this server had some kind of Antivirus On Access Scanner or similar that maybe logged some activity around the files in question at the time? That said, even if there was something in the logs, it might not be enough to overcome whatever burden of proof you are working to, but it might give you another avenue to explore or narrow down further searches (or even show you who went rogue in the organisation?).
If this isn't a purely hypothetical question, and when the dust has settled, please point your client/employer towards Data Loss Prevention providers and Privileged Account Security vendors. If it's this much of a big deal to find out where/if/how/who exfiltrated the data, it's worth putting proper solutions in place to make it much harder for a repeat performance to occur.
↧
General Discussion: who deleted folder over lan?
I agree with pbobby and keydet89. You need the Security Event logs. If the computer is a member of a domain, the event logs may be on the domain controller. Windows does not track who deleted what files, unless they're in somebody's recycle bin, which will not be the case if it was done remotely. You have to show that somebody was logged in at the suspected time of deletion.
If they feel that a LAN admin is responsible, good luck getting the domain event logs without a court order placing all related data on hold. Time is an issue because event logs roll over. Look for other clues during the suspected time of deletion like access to USB devices, Dropbox, email, RDP, etc. Also, ask for backups!
↧
Mobile Phone Forensics: Is anything wrong with Cellebrite support?
thefuf -
You appear to be more of an expert than most people, especially in the area of Linux in my opinion, so perhaps there are few support staff that can match your level of expertise
↧
Forensic Software: EnCase 7/8 support for Ubuntu/Kali Linux OS
Which file system are you using? Linux supports several. EnCase supports Ext2/3/4 and Reiser among others.
EnCE Study Guide (see page 20)
↧
General Discussion: Regripper profilelist entries
passcodeunlock wrote:
I didn't say that the workstation logs shouldn't be used at all; I would just not rely on those in the matter of trust.
My point is to use the domain server logs for a start, since those are harder to compromise than some local workstation registry entries :)
Well, your point is understood, but it is still not the right approach IMHO.
ALL data available should be retrieved, put into context, and only then should hypotheses be made on what to trust, what to suspect, etc.
If you start giving "more credibility" to this piece of data (instead of that one), it is more likely that your hypothesis will be biased.
jaclaz
↧
Forensic Software: Sleuthkit Error
I have a copy of the book (I learn something new each time I read it).
Your answer makes a lot of sense, as I was unaware of how mmls was collecting that data specifically. I was unsure whether it was an error in the tool or an alteration in the image.
It turns out the partition type code was intentionally altered (which I confirmed through other investigation). This was the first time they did not match, so it threw me off a bit.
↧