Thanks Bolo.
But I am looking for info like this
https://sturmflut.github.io/mediatek/2015/07/04/mediatek-details-partitions-and-preloader/
↧
Mobile Phone Forensics: MediaTek Download Mode
↧
General Discussion: Return of seized devices
wotsits wrote:
Once a write blocker is used on a drive it cannot be undone (I believe), and this is normally one of the first steps in an examination.
So basically any computer or drive that is examined is ruined prior to being returned to the ownerAre you kidding? <img src="images/smiles/icon_eek.gif" alt="Shocked" title="Shocked" />
The WHOLE point of using a write blocker is to (hopefully) make NO MODIFICATION WHATSOEVER to the device.
The issue may be (it is) with "intrusive" procedures, such as chip-off.
I also wonder about the newish "waterproof/water resistant" mobile phones, if a phone needs to be opened to (say) JTAG connect (which in itself it is not a "destructive" operation or however of very limited impact), who will re-certify the device re-assembly?
Consider how it can happen that a poor, innocent, chap may well erroneously have his phone seized, and - besides having been deprived of part of his "digital life" for several months, he is later returned the device half-@§§edly re-assembled.
Same goes for recent Mac's and Surfaces, if the investigator - for whatever reason - needs to actually open it, who is going to reassemble it (and procure the needed spare parts?
We are used to talk about suspects implying (most of the times) that they are actually guilty, but what about the innocent ones?
jaclaz
↧
↧
Mobile Phone Forensics: GT-S5611V Swisscom unlock
Finally unlocksolutionscanada.net was able to unlock the simlock on this device
↧
Forensic Software: File carving software
UnallocatedClusters wrote:
Forensic Explorer by GetData has performed very well on file carving from my personal experience.
Forensic Explorer impressed me a lot; it's very quick.
EnCase works really well and supports a lot of file types but it's pretty slow.
↧
General Discussion: Evidence of attempt to access Windows shared drive
pbobby wrote:
I know of no artifact - if the connection attempt would always fail.
To be certain I would do a test and snapshot your system.
Depending on your logging, you may find activity in your event logs.
This is interesting...I'm curious as to what level of logging would need to be in place, and then what evidence would there be of the attempt?
Thanks.
↧
↧
Forensic Software: HDD Wiping
Ok, so I have been using encase as well, but how about when you need to present a proof that the drive was actually wiped? Will encase log will be sufficient? Will it be court acceptable?
↧
Mobile Phone Forensics: Htc chip-off question which socket adapters to choice
EMCP 529 you will find after you will separate them ;))) If you need a photo after cutting them we already done few and I can put some photos here
↧
Mobile Phone Forensics: Write blocker on smartphones?
They can be used with SSD
With phones better ask a real question on a needed task, generally speaking using write blockers with phones is not common.
↧
General Discussion: Return of seized devices
If somebody is innocent and had losses because of any kind of mistake, I'm pretty sure LE can't just say "Sorry, bye!". This is not a technical issues, it is more or less a game of the lawyers.
↧
↧
General Discussion: Windows 10 Install time registry key
I've updated the winnt_cv regripper plugin and pushed it to my github.
I've created a pull request with the developer so hopefully it'll be absorbed into the official repo.
In the meantime you can get it here
↧
Classifieds: EnCase 6 Dongle for sale
EnCase 6 Hasp Dongle - License Key for Guidance Software's EnCase Forensic
http://www.ebay.com/itm/EnCase-6-Hasp-Dongle-License-Key-for-Guidance-Softwares-EnCase-Forensic-/182373470179
↧
Mobile Phone Forensics: Take advantage of “Integrated Calling” to know whom suspect
A new feature in iOS 10 is “Integrated Calling”. An integrated call from Chat App like Naver LINE or Skype or FB Messenger can be answered directly from the lock screen and from the home screen when you receive it. On the iOS lock screen, you see the familiar ‘Slide to answer’ option for answering an in-coming call. On your home screen, you see the two Accept and Decline buttons you normally see for a network call.
This new feature is very convenient for users and also a very good news to forensic guys. It’s activated in default. Take a look at screenshots below and you will know what I mean. The Chat App voice call records showed up in the iPhone Call History!!!
You guys could take a look at my blog to see what's going on.
http://www.cnblogs.com/pieces0310/p/6128994.html
↧
General Discussion: USB Storage Timestamp Registry Anomaly
honor_the_data wrote:
Are any of you aware of any Windows operations/Laptop operations that do batch updates USB registry keys? I'm wondering if there is something going on with the computers at this organization that is causing this, because my forensics machine, which is not joined to the domain, does not have similar issues going on in the registry.
Yes, it's been known for some time that there are times when a Windows update will occur, and for some reason, all of these time stamps are set to the same time.
This is why on Windows 7 (Vista and above, actually), you have to use more than the USBStor key LastWrite times to determine when the devices were connected.
↧
↧
General Discussion: Return of seized devices
passcodeunlock wrote:
If somebody is innocent and had losses because of any kind of mistake, I'm pretty sure LE can't just say "Sorry, bye!". This is not a technical issues, it is more or less a game of the lawyers.
Which is VERY different from "In this case the LE and the innocent victim agree to a deal, usually the innocent ones make pretty big money".
You hire a lawyer and possibly you can sue for indemnification and - maybe - you get back a fraction of the damages.
jaclaz
↧
General Discussion: does windows sever 2003 log who is open office 2003 file ??
qassam22222 wrote:
hello there ......
i shared an word file ( office 2003 ) for all i mean all users on my server can see this file !!
my problem is : is there anyway to find out who view my file at a specific time
does the word has logging features ??
note : i didnt enable my server logging :(
No, but it's entirely possible, depending upon if the client systems are Windows and what versions of Windows, that the fact that they opened the file will exist in their NTUSER.DAT Registry hive.
Also, which version of Word was the document opened in? If an older version, that uses OLE format for Office/MSWord documents, you _might_ have some information embedded in the document itself. Maybe.
↧
Mobile Phone Forensics: Phone unlocking problem solved ...
It is an unusual way.
↧
General Discussion: Windows 10 Install time registry key
Yep Values, Key and Subkeys remain as per previous versions, just the addition of the new value; both should match just are in different date formats
↧
↧
Forensic Software: HDD Wiping
JaredDM wrote:
For a few of our more security conscious customers, we do the three pass DoD, even though we all know it is completely unnecessary.Wheeew! <img src="images/smiles/icon_biggrin.gif" alt="Very Happy" title="Very Happy" />
jaclaz
↧
Mobile Phone Forensics: ipad A1337 jailbreaked , but no data recovery !!
that's what i get when i try to read it via FTK :
i dont know what is this !!
↧
General Discussion: does windows sever 2003 log who is open office 2003 file ??
passcodeunlock wrote:
With Windows 2003 Server you could check the file's Last Accessed Time.
And maybe you could get the "when", but never the "who".
jaclaz
↧