jaclaz wrote:
Size 591,740 bytes?
It must be a very low-end iPad ....
!!!
Yes jaclaz, yes.
↧
Mobile Phone Forensics: iPad A1337 jailbroken, but no data recovery!!
↧
General Discussion: Evidence from Raspberry Pi
jmichaels05 wrote:
Hello.
I am generally curious to know if anybody has acquired evidence from the non-volatile memory of a Raspberry Pi and determined how the Raspberry Pi was utilized.
Any feedback would be great, thanks!
Are you aware that the Raspberry Pi's non-volatile memory is just an SD or micro SD card? Most are running a Linux flavor, but IoT for Windows is also available. I hope that helps.
↧
Forensic Software: HDD Wiping
I recently downloaded a free tool called DBAN; Google it.
It has all the top commercial wiping methods in one bootable package.
You can throw the software onto a DVD or USB and boot it when you turn on your PC. It's a very useful tool which consists of 5-6 different extensive wiping procedures that you can choose from.
It's very easy to use and has DoD-verified wiping methods in there that can come in handy. Then there are others that just completely wipe the hard drive but can take some time.
↧
Digital Forensics Job Vacancies: Digital Evidence Investigator - Oxfordshire £28,150-£34,489
https://thamesvalleypolice.tal.net/vx/appcentre-External/brand-3/candidate/so/pm/6/pl/1/opp/1302-Digital-Evidence-Investigator/en-GB
↧
General Discussion: Garmin navigators 2
Dear all,
I am analyzing a Garmin navigator. In the GPX folder there are 20 tracks. I open them, but they all represent the same route on the same day.
I need to explain it to the judge.
I would like to know more about these files.
↧
General Discussion: CF or SD Card Recovery?
jaclaz wrote:
Any "mass storage device" is "recovered" each single time you read successfully a single byte from it.
jaclaz

So basically, say I give you some sort of memory card, whether it be a CF or SD card. When you return it to me, I would like to know if that specific card has been recovered in any way, to see if you've tried to recover content from that drive.
↧
Forensic Software: UFED offline Maps?
dandaman_24 wrote:
Navigate to the UFED DL page and look for the file called BSS ID DB (Oct. 2016).
Still can't find it; CTRL+F and type in BSS ID.
IT'S NOT THERE!
HALHP MEH!
↧
Forensic Software: UFED offline Maps?
Perhaps it is restricted on your license. Contact support; they should be able to help you.
↧
Mobile Phone Forensics: Recovered Deleted iMessages - No contact names?
Thanks also, John.
I have recently uploaded one more blog post regarding processing WAL files.
I know some people advocate a technique (for those without access to forensic software) which involves investigating the database both with the WAL file present and after deleting/renaming the WAL file.
This technique is very dangerous and gives a false sense of security. There are usually many copies of the same database page in a WAL, with each copy being a different revision. Using the technique proposed will only get the last version of a given page (in the DB) from before the WAL was created and the most recent version of the page from the WAL; all previous copies of this page will be missed.
The article at the link below explains in basic terms how WALs work and gives a step-by-step example (that you can try with something like the Firefox plugin) that shows how to create a very simple test DB, delete a record and then show how, and why, the delete/rename technique does not work and should be avoided if at all possible.
I hope you find it interesting.
http://sandersonforensics.com/forum/content.php?275-How-NOT-to-examine-SQLite-WAL-files
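The point made in the post above, shown on a raw WAL file, as an added example (this is not code from the linked article or from the poster). It builds a throwaway database in WAL mode, inserts rows, deletes one, and then walks the "-wal" file frame by frame: every frame is 24 bytes of header (page number, commit size, two salt values, two checksums) followed by a full page image, so the same page number can appear many times, once per revision. With `secure_delete` on, the newest image of the table's root page no longer contains the deleted text, but the older frame still does, which is exactly what the delete/rename method throws away. Assumptions: default page layout (no `auto_vacuum`), so the first user table is rooted at page 2, and frame checksums are not re-verified here (a real tool must verify the checksum chain before trusting frames after the last commit).

```python
"""Enumerate every frame in a SQLite WAL file and group them by page number."""
import os
import sqlite3
import struct
import tempfile
from collections import defaultdict

WAL_HEADER_SIZE = 32    # fixed-size file header
FRAME_HEADER_SIZE = 24  # header in front of each page image
WAL_MAGIC = (0x377F0682, 0x377F0683)  # little-endian / big-endian checksum variants


def parse_wal(path):
    """Return (page_size, frames). Each frame records its page number, commit
    marker, whether its salt matches the current WAL generation, and the raw
    page image. Stale-salt frames are leftovers from before a checkpoint."""
    with open(path, "rb") as fh:
        data = fh.read()
    magic, _version, page_size, _ckpt, salt1, salt2, _c1, _c2 = struct.unpack(
        ">8I", data[:WAL_HEADER_SIZE])
    if magic not in WAL_MAGIC:
        raise ValueError("not a SQLite WAL file")
    frames, off, index = [], WAL_HEADER_SIZE, 0
    while off + FRAME_HEADER_SIZE + page_size <= len(data):
        pgno, commit_size, fsalt1, fsalt2, _fc1, _fc2 = struct.unpack(
            ">6I", data[off:off + FRAME_HEADER_SIZE])
        image = data[off + FRAME_HEADER_SIZE:off + FRAME_HEADER_SIZE + page_size]
        frames.append({
            "index": index,
            "pgno": pgno,
            "commit_size": commit_size,  # non-zero only on the last frame of a transaction
            "current_salt": (fsalt1, fsalt2) == (salt1, salt2),
            "data": image,
        })
        off += FRAME_HEADER_SIZE + page_size
        index += 1
    return page_size, frames


def revisions_per_page(frames):
    """Map page number -> frame indexes, oldest first. More than one entry
    means the WAL holds several revisions of that page."""
    revs = defaultdict(list)
    for fr in frames:
        revs[fr["pgno"]].append(fr["index"])
    return dict(revs)


def build_and_inspect(workdir, victim=b"secret-to-delete"):
    """Create a WAL-mode DB, insert three rows, delete one, then read the WAL."""
    db = os.path.join(workdir, "messages.db")
    conn = sqlite3.connect(db)
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("PRAGMA wal_autocheckpoint=0")  # keep every frame in the WAL for the demo
    conn.execute("PRAGMA secure_delete=ON")      # zero freed cell bytes in the *current* page image
    conn.execute("CREATE TABLE msg(id INTEGER PRIMARY KEY, body TEXT)")
    conn.commit()
    conn.executemany("INSERT INTO msg(body) VALUES (?)",
                     [("hello-alice",), ("hello-bob",), (victim.decode(),)])
    conn.commit()
    conn.execute("DELETE FROM msg WHERE body = ?", (victim.decode(),))
    conn.commit()

    # Read the WAL while the connection is still open: close() would checkpoint
    # and delete it, which is also why a copied "-wal" file must be kept.
    page_size, frames = parse_wal(db + "-wal")
    conn.close()

    revs = revisions_per_page(frames)
    root_revs = revs.get(2, [])  # assumption: first user table is rooted at page 2
    return {
        "page_size": page_size,
        "frame_count": len(frames),
        "root_page_revisions": len(root_revs),
        "victim_in_latest_root_frame": victim in frames[root_revs[-1]]["data"] if root_revs else None,
        "victim_in_older_root_frame": any(victim in frames[i]["data"] for i in root_revs[:-1]),
    }


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return build_and_inspect(d)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it as-is and `root_page_revisions` comes out at three (table creation, the insert commit, the delete commit); the deleted string is found in an older frame and absent from the latest one. Renaming the WAL away shows you the pre-WAL main file, reading with it present shows you the latest frame, and neither view reaches the middle revision.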
↧
Mobile Phone Forensics: Write blocker on smartphones?
Mobile acquisition tools are actually run on the device itself (the tools load client APIs onto the device, or install small code into the device's RAM during boot (bootloaders), etc.); if these were write blocked it would be impossible. These are developed in such a way that they don't actually write to the memory chips or device, but need to be allowed to install themselves within there; many also require device settings to be changed (turn off passcode, turn on USB debugging, turn on developer options, etc.).
↧
Digital Forensics Job Vacancies: Digital Forensics and Incident Response Analyst Vacancy - UK
We are further expanding our DFIR teams within the EMEA (Europe, Middle East and Africa) region, and as such are looking for an experienced digital forensic and incident response analyst based in the UK, to work from our offices in Marlborough, Wiltshire. Applicants must have practical experience of computer forensics investigations in either a Law Enforcement / Military or corporate setting, and must have an aptitude and willingness to learn.
Applicants will be measured against the following criteria:
Requirements:
Minimum of 2 years practical experience in Computer Forensic investigations
Analytical experience of Windows based systems, experience with Linux desirable
Experience in both live and offline acquisition techniques
Ability to convey technical information to non-technical people, both in print and verbally
An aptitude and willingness to learn
The ability to work as part of a team but be relied upon to complete work independently
Desirable:
Understanding of network intrusion based investigations
Understanding of general system and network security
Scripting/programming knowledge
CISSP or equivalent qualification
As a Digital Forensics and Incident Response Analyst, you would have a responsibility for the following:
The acquisition, and subsequent forensic analysis of, data from a wide range of servers and workstations using industry standard methodologies
Writing reports detailing the evidence identified during the analysis and describing its implications
Responding to security incidents in organisations of varying sizes
As part of this role, candidates can expect to travel internationally as well as domestically
To find out more about this position, please follow the link below.
https://www.securityclearedjobs.com/job/801814135/digital-forensics-and-incident-response-analyst-vacancy-uk-based/
↧
General Discussion: Evidence of attempt to access Windows shared drive
Hi Folks,
Just a thought: the event log, or maybe if there is some kind of monitoring for the network log.
If it's only one attempt then it won't be flagged by the SIEM, but continuous requests for something which is not present must get flagged.
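The rule the reply above describes, as an added example that is not the poster's code: a sliding-window count of failed share-access audits per source and share, alerting only when a burst appears. Windows records a share access as Security event 5140 (success or failure audit). The records below are constructed to look like a pre-parsed log; the field names, the 3-in-5-minutes threshold, and the share name are assumptions, not a specific SIEM schema.

```python
"""Flag repeated failed access to a share that is not there."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                 # failures from one source to one share ...
WINDOW = timedelta(minutes=5)  # ... inside this window raise an alert

# Constructed sample events (not real log data). 0xC00000CC is
# STATUS_BAD_NETWORK_NAME, the status a client gets for a share that does not exist.
SAMPLE_EVENTS = [
    {"ts": "2017-01-09T08:10:00", "event_id": 5140, "outcome": "Failure", "src_ip": "10.0.0.5", "share": r"\\*\Finance$", "status": "0xC00000CC"},
    {"ts": "2017-01-09T09:00:01", "event_id": 5140, "outcome": "Failure", "src_ip": "10.0.0.5", "share": r"\\*\Finance$", "status": "0xC00000CC"},
    {"ts": "2017-01-09T09:00:04", "event_id": 5140, "outcome": "Success", "src_ip": "10.0.0.7", "share": r"\\*\Public", "status": "0x0"},
    {"ts": "2017-01-09T09:00:07", "event_id": 5140, "outcome": "Failure", "src_ip": "10.0.0.5", "share": r"\\*\Finance$", "status": "0xC00000CC"},
    {"ts": "2017-01-09T09:00:15", "event_id": 5140, "outcome": "Failure", "src_ip": "10.0.0.5", "share": r"\\*\Finance$", "status": "0xC00000CC"},
    {"ts": "2017-01-09T09:01:02", "event_id": 5140, "outcome": "Failure", "src_ip": "10.0.0.5", "share": r"\\*\Finance$", "status": "0xC00000CC"},
    {"ts": "2017-01-09T09:03:00", "event_id": 5140, "outcome": "Failure", "src_ip": "10.0.0.9", "share": r"\\*\Finance$", "status": "0xC00000CC"},
    {"ts": "2017-01-09T09:30:00", "event_id": 5140, "outcome": "Failure", "src_ip": "10.0.0.5", "share": r"\\*\Backup", "status": "0xC00000CC"},
]


def detect_share_probing(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of 5140 failures per (src_ip, share).
    Returns one alert per key, raised the first time the count in `window`
    reaches `threshold`; a single failure never alerts."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 5140 or ev["outcome"] != "Failure":
            continue
        key = (ev["src_ip"], ev["share"])
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src_ip": key[0],
                "share": key[1],
                "count": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_share_probing(SAMPLE_EVENTS):
        print(a)
```

On the sample, only 10.0.0.5 against `\\*\Finance$` alerts (three failures between 09:00:01 and 09:00:15); the 08:10 failure has aged out of the window, and the lone attempts from 10.0.0.9 and against `\\*\Backup` stay below threshold.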
↧
Forensic Software: HDD Wiping
Just fill with zeros from the first to the last sector of the HDD and create a hash of the zeroed drive at the end. The program doing it is not important.
I use an older Tableau TD2 for wiping drives, with logs and hash generated, but I would not see any difference in the results if the same thing is done with software like hddguru's wipe tool in a documented session.
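Two small pieces of that documented session, as an added example rather than anything from the poster or from the Tableau/hddguru tools: the hash a zeroed drive of a given size must produce (computable in advance without reading any drive, so the value in the log can be checked independently), and a single read pass over the wiped device or its image that confirms every byte is zero and reports where the first non-zero byte sits if the wipe missed something. Assumptions: the device is opened as an ordinary path (such as /dev/sdX on Linux), the read granularity of 1 MiB is arbitrary, and the 512-byte sector size is only used for reporting.

```python
"""Expected hash of a zero-filled drive, and a verification pass over a wiped device."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read/hash granularity (assumption, any size works)


def expected_zero_hash(total_bytes, algo="sha256"):
    """Digest of total_bytes zero bytes, streamed so huge sizes need no memory."""
    h = hashlib.new(algo)
    zeros = bytes(CHUNK)
    full, rest = divmod(total_bytes, CHUNK)
    for _ in range(full):
        h.update(zeros)
    h.update(zeros[:rest])
    return h.hexdigest()


def verify_zeroed(path, algo="sha256", sector=512):
    """Read the device/image once: hash it, confirm every byte is zero, and
    locate the first non-zero byte (offset and sector) if there is one."""
    h = hashlib.new(algo)
    first_nonzero = None
    offset = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            h.update(chunk)
            if first_nonzero is None and chunk.count(0) != len(chunk):
                first_nonzero = offset + next(i for i, b in enumerate(chunk) if b)
            offset += len(chunk)
    return {
        "bytes": offset,
        "digest": h.hexdigest(),
        "all_zero": first_nonzero is None,
        "first_nonzero_offset": first_nonzero,
        "first_nonzero_sector": None if first_nonzero is None else first_nonzero // sector,
    }


def run_demo(size=3 * CHUNK + 4096, stray_offset=CHUNK + 777):
    """Constructed inputs: a sparse all-zero image and one with a single byte the wipe 'missed'."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.img")
        dirty = os.path.join(d, "dirty.img")
        with open(clean, "wb") as fh:
            fh.truncate(size)        # extend with zeros
        with open(dirty, "wb") as fh:
            fh.truncate(size)
            fh.seek(stray_offset)
            fh.write(b"\xff")        # the one byte that was not wiped
        want = expected_zero_hash(size)
        c = verify_zeroed(clean)
        t = verify_zeroed(dirty)
        return {
            "expected": want,
            "clean_ok": c["all_zero"] and c["digest"] == want,
            "dirty_ok": t["all_zero"] and t["digest"] == want,
            "dirty_first_nonzero_offset": t["first_nonzero_offset"],
            "dirty_first_nonzero_sector": t["first_nonzero_sector"],
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

For a real drive, put the device's byte count (from the tool log or `blockdev --getsize64`) into `expected_zero_hash` and compare against the digest the wiping tool recorded; a mismatch means the pass over the device with `verify_zeroed` is worth the time, because it tells you which sector still holds data.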
↧
General Discussion: CF or SD Card Recovery?
To make it short, there is no way to detect from the card itself if it was read for regular usage, or it was read for "recovery".
↧
Forensic Software: EFS Encryption
I have a USB hard drive that has a bunch of EFS encrypted files (.msg, .zip etc).
I'm not 100% sure what OS made them but I suspect Win 7 as the data all has modified dates of November 2012. The original computer that created/encrypted the files is not available, all I have access to is the drive and the person who owns the data.
All the usual cracking tools want the certificate from the MFT to open the files but that's not possible in this case. Is there any method to simply start a brute force attempt and then leave it running?
↧
Digital Forensics Job Vacancies: eDiscovery Consultant - 7Safe (London)
7Safe, a PA Group Company have an opportunity for an experienced eDiscovery consultant to join our current team based in London. 7Safe work with a wide range of blue-chip, global clients providing them with a range of leading-edge information management and information security services. Within 7Safe, our eDiscovery team are always involved in high-profile litigation and regulatory cases, deploying the latest technologies and our insights to support our legal and commercial clients around the world. We are committed to investing in our people’s development and we are looking for someone who has some experience in eDiscovery and is now looking to develop their career and eDiscovery skills to the next level.
What 7Safe/PA can offer you:
•interesting and complicated eDiscovery cases, both small and large for you to develop and hone your skills with
•opportunity to work alongside and with a dedicated team of eDiscovery and forensic experts, as well as other high-quality consulting experts from within PA Consulting Group
•an adaptable career development and training plan that can be moulded to your needs and the needs of the team
•a transparent career path where your advancement is measured objectively, enabling you to achieve your full potential
The role:
We are looking for talented and ambitious individuals who have a track record of delivering eDiscovery projects, ideally with experience of leading eDiscovery projects from data acquisition to production
The responsibilities:
•leading 7Safe eDiscovery jobs and managing all client expectations and communications
•project management of the technical IT elements of the EDRM model for clients
•quality and timeliness of client project deliverables (within agreed budgets)
•developing and contributing technical advice for the purpose of proposal writing and thought leadership
Technical skills and experience required:
•kCura RCA qualified, or scheduled to sit RCA exam within next 6 months
•minimum two/three years’ experience using professional eDiscovery tools, such as Nuix*, Relativity*, Recommind, Ringtail, Nexidia*, on litigation and/or regulatory assignments for law firms or in-house Counsel
•excellent communication and service management skills
•understanding of the principles of information management and information governance
•Script writing/SQL developer (optional)
We recognise that diversity is strength and that the differences between people add value to our organisation. PA is committed to equality and diversity and positively welcomes applications from suitably qualified candidates from all backgrounds, regardless of sex, sexual orientation, disability, ethnicity, religion or age
↧
Mobile Phone Forensics: USB-C upgrade your lab
USB-C is here to stay. If you upgrade your lab with power adapters don't miss the standalone Apple 87W power adapter (MacBook Pro 15" Touch Bar), see here
http://www.apple.com/ch-de/shop/product/MNF82Z/A/apple-87w-usb%E2%80%91c-power-adapter?afid=p231%7Ccamref%3AihX8&cid=AOS-CH-Aff-PHG
14.5 V times 6 A - you get it.
↧
Mobile Phone Forensics: Micro SD Card Error
It sounds to me that the card may have gone bad. Check to see if it's showing any actual capacity in Computer Management > Disk Management.
↧
Forensic Software: Guidance EnCase Vulnerabilities
Quote:
Vulnerability overview/description:
-----------------------------------
1) Denial of Service
Several manipulated hard disk images cause Encase Forensic Imager to crash. A suspect manipulating the hard drive could potentially hinder an investigator from using Encase Forensic Imager for creating hard disk images. Encase Forensic (v7) has been tested and found to be affected as well.
2) Heap-based buffer overflow
Using a manipulated ReiserFS image an attacker can overwrite heap memory on the investigator's machine. Because of several restrictions SEC Consult was unable to create an exploit that works reliably within a reasonable timeframe. However, as with most heap-based buffer overflow vulnerabilities it is possible that an attacker could gain arbitrary code execution nevertheless.
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20161128-0_Guidance_Software_Encase_DoS_heap_buffer_overflow_vulnerabilities_v10.txt
↧
Mobile Phone Forensics: AGF Fulldoor Location Forensics
For research purposes we define indoor and outdoor combined as "fulldoor". Actually there is a lack of location-finding continuity between LoLTE (Location over LTE) and indoor LTE-WLAN interworking for the LLL (Last Living Location) in law-enforced emergency processes.
Operators implementing both technologies, e.g. for WiFi calling, can deliver real-time cell site parameters based on the SRS (Sounding Reference Signal) and the paging-based TAI (Tracking Area Identity) out of their OSS (Operation Support System) and traffic balancing parameters. Diameter is the key protocol to master AVPs (Attribute Value Pairs), and also MPLS (Multi Protocol Label Switching) for All-IP routing. What we miss is AGF (Advanced Gyro Forensics).
By "advanced" we mean gyro and GPS combined real-time forensics.
Who knows - based on Android/Tizen - AGF?
Any advice very much appreciated
↧