Tabeer wrote:
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate"
It's given as the number of seconds since January 1, 1970.
To convert that number into a readable date/time just paste the decimal value in the field "UNIX TimeStamp:" of Unix Time Conversion online tool.
Yep, the original post was more regarding the InstallTime values, which appear to be new in Win10.
InstallDate has been around a while.
If you want to automate the parsing of the two values, use my updated winnt_cv regripper plugin:
winnt_cv
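Converting the two CurrentVersion timestamps yourself, as an added Python example that is not Tabeer's post, the winnt_cv plugin, or an online converter. The InstallDate interpretation (seconds since 1970-01-01 UTC) is what the post states; treating InstallTime as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) is an assumption of this example, as are the sample values, which are constructed rather than taken from a real system.

```python
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# 1970-01-01 00:00:00 UTC expressed in FILETIME ticks (100 ns since 1601-01-01).
FILETIME_UNIX_OFFSET = 116444736000000000


def install_date_to_utc(seconds):
    """InstallDate (REG_DWORD): seconds since the Unix epoch, as the post describes."""
    return UNIX_EPOCH + timedelta(seconds=int(seconds))


def filetime_to_utc(ticks):
    """Assumption: InstallTime (REG_QWORD) is a FILETIME, i.e. 100-ns ticks since 1601-01-01 UTC."""
    unix_seconds, remainder = divmod(int(ticks) - FILETIME_UNIX_OFFSET, 10_000_000)
    return UNIX_EPOCH + timedelta(seconds=unix_seconds, microseconds=remainder // 10)


def parse_install_values(values):
    """Turn raw registry values (name -> int) into ISO 8601 UTC strings for a report."""
    out = {}
    if "InstallDate" in values:
        out["InstallDate"] = install_date_to_utc(values["InstallDate"]).isoformat()
    if "InstallTime" in values:
        out["InstallTime"] = filetime_to_utc(values["InstallTime"]).isoformat()
    return out


def install_values_agree(values, tolerance_seconds=60):
    """Cross-check the two stamps; a gap beyond the tolerance is worth flagging in the report,
    since the two values are written by different code paths and may not match on a
    restored, upgraded or tampered system."""
    delta = filetime_to_utc(values["InstallTime"]) - install_date_to_utc(values["InstallDate"])
    return abs(delta.total_seconds()) <= tolerance_seconds


def read_live_values():
    """Read the two values from the live registry; only works on Windows (hypothetical helper,
    offline analysis would read them from an exported SOFTWARE hive instead)."""
    import winreg  # imported here so the rest of the module runs on any OS
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion")
    out = {}
    for name in ("InstallDate", "InstallTime"):
        try:
            out[name] = winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            pass  # InstallTime is absent on pre-Win10 systems
    return out


# Constructed sample: both values encode 2017-07-14 02:40:00 UTC (not from a real machine).
SAMPLE = {
    "InstallDate": 1500000000,
    "InstallTime": FILETIME_UNIX_OFFSET + 1500000000 * 10_000_000,
}

if __name__ == "__main__":
    print(parse_install_values(SAMPLE))
    print("values agree:", install_values_agree(SAMPLE))
```

Both values are converted to UTC; apply the machine's time zone (or note that you did not) when putting the result in a report, because the online converter in the quoted post may display local time.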
General Discussion: Windows 10 Install time registry key
Forensic Software: Image recognition / matching tools
Tried fuzzy hashing?
Mobile Phone Forensics: Apple iPhone 5 & 6 Encrypted Backup
UnallocatedClusters wrote:
PB10,
If you are referring to an iTunes' encryption password that is in place on the iPhones, then here are some options:
1) Elcomsoft Phone Breaker Forensic Edition (https://www.elcomsoft.com/eppb.html) US $799.00
2) Compelson MobilEdit Forensic Express (http://www.mobiledit.com/online-store/forensic-express) US $1,200.00
OPTION 1: Elcomsoft Phone Breaker ("EPB") can be used to crack the iTunes encryption password of mobile backups of the iPhones. So, you could use EPB to download iCloud stored mobile backups of both phones (assuming you have the AppleIDs and Passwords for the phones) and then use EPB to crack the iTunes encryption password.
OPTION 2: Alternatively, you could use the latest version of iTunes to make a mobile backup of each iPhone which would be found here: C:\Users\*USER ACCOUNT NAME*\AppData\Roaming\Apple Computer\MobileSync\Backup\.........
Then once you have mobile backups created, you could use EPB to crack the iTunes password. You will need to test option 2 as iTunes might prevent the creation of a mobile backup without inputting the iTunes encryption password.
OPTION 3: Compelson MobilEdit Forensic Express can be used to crack the iTunes password of the iPhones directly (not the mobile backups of the phones).
Other items to look at:
If you have the MacBook or Windows computer of the phone owner, use a tool such as Passmark's OSForensics to create an index and "dictionary" file of the computer itself. The "dictionary" file can then be fed into Elcomsoft's Phone Breaker to aid in cracking the iTunes encryption password.
Yes, it is the iTunes encryption password. I have attempted Elcomsoft for any 'weak' passcodes, 4-6 digits, alphanumeric. Obviously, the longer the password, the longer the brute force attempt will take.
Unfortunately there are only mobile phones involved, no computers (to create a dictionary file).
Hopefully the owner will cough up the password; in the meantime I was looking at different avenues (such as jailbreaking the device). Would this give me direct access to the database files, as the device would no longer be 'locked' down?
Mobile Phone Forensics: UFED Physical Analyzer
UFED PA 3.9 is several years old.
This is a product that gets updated almost every month and it is highly recommended to use the updated versions to get more data that is constantly being added.
Ron Serber
General Discussion: DVR recovery WFS0.4
I have a DVR from "HD iDVR" which I can't mount; the first sector says WFS0.4. I tried hx-recovery, it shows many files with dates, but I don't have the license... I'm thinking of switching the evidence HDD with a clean HDD, recording some sample files, and getting the signature and carving. Is there any other way??
Mobile Phone Forensics: Samsung Galaxy S6 Edge (SM-G925F) Chip Off?
Hi guys, I have to bypass the lockscreen (pattern lock).
After installation of Oxygen Forensic Detective you would create a “Samsung Android dump” of a Samsung S6 Edge+ (Type SM-928F). All drivers were successfully installed (shown in Device Manager).
First I chose the option “Physical data acquisition – Samsung Android dump”.
On the next screen I selected the device, Samsung S6 Edge+ (Type SM-G928F).
Then I started the device, pressing power, home and volume down + volume up buttons to enter download mode.
Then I connected the device successfully to the computer. The device was detected.
So I would upload the forensic recovery image to the device. I got an error message on the smartphone and a program-crash message.
Is there a solution for this problem, maybe bypassing the FRP lock?
Here are the phone details in download mode:
When I try to install a forensic partition I get an error message. There is an FRP lock. Is there a solution?
Thanks in advance.
andre
Digital Forensics Job Vacancies: Digital Evidence Investigator - Oxfordshire £28,150-£34,489
Closing on Sunday
Digital Forensics Job Vacancies: HTCU Technical Supervisor role circa £36,484 - Oxfordshire
Closing Sunday
Forensic Software: Image recognition / matching tools
Is Python OK?
https://github.com/beeftornado/duplicate-image-finder
https://github.com/JohannesBuchner/imagehash
https://github.com/mk-fg/image-deduplication-tool
There is this thingy here also:
http://freepicturesolutions.com/free-duplicate-photo-finder.html
And this (old but good) one:
https://tn123.org/simimages/
Commercial (but affordable):
http://www.mindgems.com/products/VS-Duplicate-Image-Finder/VSDIF-About.htm
jaclaz
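The "fuzzy hashing" suggestion earlier in this thread and the imagehash link above both rely on the same idea: a perceptual hash that changes little when the picture is resized, re-encoded or lightly edited, so near-duplicates can be found by Hamming distance instead of byte-exact comparison. The following is an added pure-Python illustration of the average-hash variant, not code from any of the linked projects (imagehash does this in one call on a PIL image). It assumes images are already grayscale lists of rows with 0-255 values and dimensions that are multiples of 8; the sample images are constructed, not real photos.

```python
from itertools import combinations


def resize_mean(pixels, size=8):
    """Downscale a grayscale image (list of rows of 0-255 ints) to size x size by block
    averaging. Assumes height and width are multiples of size; real tools resample
    arbitrary sizes with a proper filter."""
    h, w = len(pixels), len(pixels[0])
    bh, bw = h // size, w // size
    small = []
    for by in range(size):
        row = []
        for bx in range(size):
            block = [pixels[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            row.append(sum(block) / len(block))
        small.append(row)
    return small


def average_hash(pixels, size=8):
    """Average hash: one bit per cell of the downscaled image, set when the cell is at
    least as bright as the overall mean. Returned as a 64-bit int for size 8."""
    small = resize_mean(pixels, size)
    mean = sum(sum(r) for r in small) / (size * size)
    bits = 0
    for r in small:
        for v in r:
            bits = (bits << 1) | (1 if v >= mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes; 0 means perceptually identical."""
    return bin(a ^ b).count("1")


def find_near_duplicates(images, threshold=10):
    """Return (name_a, name_b, distance) for every pair at or under the threshold.
    Hashes are computed once per image, so this is O(n^2) comparisons of 64-bit ints."""
    hashes = {name: average_hash(px) for name, px in images.items()}
    return [(a, b, hamming(hashes[a], hashes[b]))
            for a, b in combinations(hashes, 2)
            if hamming(hashes[a], hashes[b]) <= threshold]


def make_image(w, h, fn):
    return [[fn(x, y) for x in range(w)] for y in range(h)]


# Constructed 16x16 test images: a dark left half and a bright right half, plus variants.
ORIGINAL = make_image(16, 16, lambda x, y: 0 if x < 8 else 255)
NOISY = [row[:] for row in ORIGINAL]
for y in (2, 3):
    for x in (2, 3):
        NOISY[y][x] = 40            # a small blemish in the dark area
SHIFTED = make_image(16, 16, lambda x, y: 0 if x < 9 else 255)   # edge moved one pixel
INVERTED = make_image(16, 16, lambda x, y: 255 - ORIGINAL[y][x])

IMAGES = {"original": ORIGINAL, "noisy": NOISY, "shifted": SHIFTED, "inverted": INVERTED}

if __name__ == "__main__":
    for name, px in IMAGES.items():
        print(f"{name:9s} {average_hash(px):016x}")
    print(find_near_duplicates(IMAGES))
```

The noisy and shifted variants hash identically to the original while the inverted one differs in every bit, which is exactly the behaviour a dedup tool needs and a cryptographic hash cannot give. Keep the threshold low (imagehash documentation uses single-digit distances) and verify candidate matches visually: a perceptual hash finds similar pictures, it does not prove two files have the same origin.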
General Discussion: DVR recovery WFS0.4
I did a manual recovery of WFS0.4 with a simple hex editor under linux, since no software was able doing it.
Mobile Phone Forensics: UFED Physical Analyzer
If you want answers, you should ask your question publicly, without revealing your real data. This way you could get more accurate answers from different people and not rely on a single person's PM, which can be right or wrong.
As for the PA version, I don't think any LE would actively use this outdated version, but if you ask your question, I might have the answer for you.
Mobile Phone Forensics: Apple iPhone 5 & 6 Encrypted Backup
wotsits wrote:
I assume you are not in LE? Jailbreaking a phone would make your evidence highly questionable.
This is true; modifying evidence is the last resort and needs approval from the LE leader in charge or a judge's request to do so.
When jailbreaking a phone, there are uncontrolled operations happening in the background. No matter how well you document the process, there could be things which you won't ever know about, for example a script installing spyware/malware or compromising the user data in some other way.
The policy which should be followed is to extract (forensically documented) the relevant data without ANY modifications of the original content.
Mobile Phone Forensics: Write blocker on smartphones?
If there were an FF most active user prize, you would certainly be one of the winner candidates.
General Discussion: Return of seized devices
@jaclaz: I won't post information about a case here, I sent you a PM.
Mobile Phone Forensics: UFED Enquiry about thier products !!
Dr.wonder wrote:
In fact the UFED series prices may cost $10,000 or more? It depends on which country you are in.
For shipping details you can contact your local seller. :D
http://www.forensicfocus.com/Forums/viewtopic/t=14931/
Quote:
1. UFED Ultimate Kit + UFED Camera Kit. Licence expired October 2017. All cables and adapters included. Mint condition. Asking price 4,000 Euro
General Discussion: Return of seized devices
I sent in PM the name of the company who did the report for my analysis. Writing such names here would be considered hidden advertising.
I didn't write any sensitive information about the hardware, not even in the PM; that wouldn't be very professional either...
I never wrote that I created the technical report of the disk, I did the analysis for the court.
The OP was hijacked with mostly useless comments on specific samples, which led nowhere. Let's just drop the whole thing.
@redcat: the link you provided is dead
General Discussion: Forensic who deleted files in fileserver without Auditing
The server is Windows 2008 and the workstations are Windows 7/8/10. Yes, there are no specific events in the security log because the audit policy is not "enabled". Can we do an undelete on the server to see the deleted files/folders?
If we do laptop or desktop auditing, it will take too much time to check the artifacts about accessing network shares.
Thanks for helping me.
General Discussion: NDX5 disk signature ?
Where was this SSD used before ?
If it was used in a surveillance system, you could have on the SSD a closed format raw recording.
General Discussion: DVR recovery WFS0.4
Many multi-channel DVR's can't be recovered with simple file carving because they fragment the various channels into a single stream. Even if you knew the signatures, you'd likely be recovering chunks of data from multiple cameras into a single file.
I've got a guy here I work with that specializes in just these cases. He actually has his own software he writes and modifies for each case. Let me know if you need help with it.
General Discussion: Return of seized devices
passcodeunlock wrote:
@redcat: the link you provided is dead :)
For some strange reasons the board software "wants" an ending slash:
http://www.forensicfocus.com/Forums/viewtopic/p=6585902/
jaclaz