Channel: Forensic Focus Forums - Recent Topics
Viewing all 20116 articles

Forensic Software: ABE Attribute Based Encryption

Asiacrypt in Vietnam last week just finished but you find the sessions worth watching on YouTube. Attribute Based Encryption faces difficulties in key distribution and escrow. The U.S. proposed after the Snowden revelation key escrow scenarios. https://www.youtube.com/watch?v=fho4X6v0_4g

General Discussion: Forensic who deleted files in fileserver without Auditing

Maybe you should look through NTFS artifacts. In my opinion, NTFS artifacts can help you.

Mobile Phone Forensics: Apple iPhone 5 & 6 Encrypted Backup

> passcodeunlock wrote:
> > wotsits wrote: I assume you are not in LE? Jailbreaking a phone would make your evidence highly questionable.
>
> This is true, modifying an evidence is the last resort and needs approval from the LE leader in charge or a judge's request to do so. When jailbreaking a phone, there are uncontrolled operations happening in the background. No matter how well you document the process, there could be things which you won't ever know about, for example a script installing spyware/malware or compromising the user data in any other way. The policy which should be followed is to extract (forensically documented) the relevant data without ANY modifications of the original content.

Do agree with this, and jailbreaking would only be carried out as a last resort, with the obvious authorization. The same goes for rooting a device. In terms of recovering data without ANY modifications, that is a different debate entirely. Even forensic software has to upload agents etc.

However, the point of the initial question was to see IF anyone has been successful obtaining the iTunes encryption passcode by jailbreaking, or if anyone has recovered data from encrypted backup devices this way. Yes the data can be recovered manually, but what if there is deleted data which may be crucial to the case?

General Discussion: NDX5 disk signature ?

> komatsu wrote: Thanks for the useful info guys. I've run another HexEditor here and at LBA 0 SYMGUARD is showing? What is this? A Symantec product but I've Googled and nothing shows up?

Make a copy of this LBA0 sector. Upload it on any free hosting site. Post a link to it. This way we will be able to see if it is actually an MBR, and if it is which type of partitions it shows.

Windows will of course find any partition but if their ID's are not within the "range" of "known ones" it will see them as unformatted because the filesystem recognizer won't be used at all.

jaclaz

General Discussion: need best software to perform PC forensic !!

> qassam22222 wrote: as an alt. for belkasoft ?

No

General Discussion: Event log says something was disabled by a user...

You should add a note about it being a (stupid) Windows 10 OS. jaclaz

Classifieds: SALE: UFED Ultimate + Camera, FTK 6, ADTriage, Tableau TD3

Classifieds: If you sell an item CHECK your PM's

Just a note for the people who sell items whether it is a user who signs up just to sell, or a regular member. Check your PM's, inbox, private messages. You hear stories of people wondering why they get no response and you look in your own outbox, the message was never read.

General Discussion: Recycle Bin issue

What version was the previous OS?

Mobile Phone Forensics: Mobile Forensics IRC channel

tupperWAREZ It is great nickname. :lol:

General Discussion: need best software to perform PC forensic !!

> passcodeunlock wrote: Different products from different vendors always got pros and cons, depending on your specific needs. There is no such thing like best software to perform PC forensics!

Okay man, so what do you recommend? xway with belkasoft and what else? I need a clear answer please. I'm establishing a new lab for PC forensics. Give me all the software names, I need to buy them.

General Discussion: Forensic who deleted files in fileserver without Auditing

Add your server's physical drive to your case, open the Recycle Bin folder and take the Windows SID of who deleted the specific file.

Forensic Software: Alternative Tool for .PST Review

As with the previous messages I would also recommend Intella, especially due to the options available for exporting in different naming conventions and file types. One thing to be aware of with regard to the PI version is that it is a one year electronic version, tied to a particular workstation and won't run in VM. The actual 10GB dongle based version is around $900. All depends whether this is a one-off requirement for you or not.

Mobile Phone Forensics: How to open belkasoft acquired data?

Hi guys, I need your help. I am using the Belkasoft acquisition tool. After acquiring data from an Android phone, Alcatel model OT 4330E, I have a file with the extension .ab. Where can I open this file with the extension .ab? Thank you for your help.

General Discussion: Input on new infosec podcast - Cyber Security Interviews

I recently launched a podcast called Cyber Security Interviews (https://cybersecurityinterviews.com). Cyber Security Interviews is a weekly podcast where I interview top cyber security professionals and peers. I will discover what motivates them, explore their journey in cyber security, and discuss where they think the industry is going. The show lets listeners learn from the experts' stories and hear their opinions on what works (and doesn't) in cyber security.

So far, I have recorded episodes with Chris Pogue, Dave Cowen, Lenny Zeltser, Nick Percoco, Rob Lee, Darren Hayes, and Morgan Wright. I tended to lean heavily on DF/IR out of the gate, because that's who I mostly know within my direct professional circle. However, I want to get more of the offensive security folks on the show.

I would appreciate any early feedback and thoughts from this community. Are there people you would like to hear on the show? Are there any questions/topics you would like to hear asked of the guests? What do people think of the format, run-time, and audio quality? My goal is to make this a security community effort and don't want it to be too heavy from my perspective only. Please let me know your thoughts.

Various links to show content:
Website: https://www.cybersecurityinterviews.com
iTunes: http://bit.ly/csistitch
Stitcher: http://bit.ly/csistitch
Google: http://bit.ly/csigplay

Mobile Phone Forensics: Mobile Forensics IRC channel

> Igor_Michailov wrote: tupperWAREZ It is great nickname. :lol:

Thanks! :lol: Check out the chan!

Forensic Software: EFS Encryption

> TinyBrain wrote: I recommend Kali and creddump7 described here https://labs.neohapsis.com/2014/07/01/cached-domain-credentials-in-vista7-aka-why-full-drive-encryption-is-important/ (the other alternatives I described before failed)

Yep, but if there is no access to the actual Windows install that created the files there is nothing to "dump". I guess that in this case nothing but a specific tool can - maybe - manage to find a way to unencrypt: https://www.elcomsoft.com/aefsdr.html

jaclaz

General Discussion: need best software to perform PC forensic !!

> jpickens wrote: Look at the list of Forensic Focus Partners on the right side of this page. Many of them are quality tools for various jobs. Also try SC Magazine's review on forensic software. They review tools often and with good detail usually.

okay i'll choose blackbag and encase and xway

General Discussion: NDX5 disk signature ?

Thanks jaclaz. Symantec seem to have removed the very tool I need from their site! https://support.symantec.com/en_US/article.TECH223783.html

Forensic Software: Alternative Tool for .PST Review

One important item to watch out for: Maintaining Parent-Child relationships

Please make sure that whatever review tool you are using maintains email and attachment parent-child relationships when you create production documents. This is critical when applying privileged and responsive tags to families of documents.

Most "forensic tools" will create a unique Document ID for each email and/or email attachment but use the following numbering scheme (which breaks up Parent-Child relationships):

DOCID 0001: Email #1
DOCID 0002: Email #2
DOCID 0003: Email #3
DOCID 0004: Attachment to Email #1
DOCID 0005: Attachment to Email #2
DOCID 0006: Attachment to Email #3

The problem with the above DOCID number sequence is that production Bates numbers should actually follow this (thus maintaining the correct Parent-Child sequence):

DOCID 0001: Email #1
DOCID 0004: Attachment to Email #1
DOCID 0002: Email #2
DOCID 0005: Attachment to Email #2
DOCID 0003: Email #3
DOCID 0006: Attachment to Email #3

Opposing counsel will definitely raise an issue if produced email attachments do not follow the correct parent email.

** You should be particularly careful to make sure that you have PROPAGATED PRIVILEGE TAGS across families. If an attorney tagged Email #1 above as Privileged, most tools will NOT automatically assign a Privileged tag to Email #1's attachment, which is very bad. If an attorney tags a parent email as privileged then they will want all attachments to that privileged tagged email marked privileged and withheld as well. You should create a privilege log of all Parent-Children documents marked Privileged and provide that to your attorney to review and produce. A privilege log will include usually the Production Bates Number, To/From/CC/Subject/File name and the Privilege claim. Do NOT include the privileged content in the log obviously. Conversely, if an attorney marks a parent email as responsive-produce, they typically also want to produce all children attachments.

** A great QC search/step to run is to see if there are any conflicting tags BEFORE sending out the final production set. Conflicting tags would be a "responsive/produce" parent email and a privilege/withhold email attachment. These conflicts need to be worked out by the attorneys and fixed before production.

I recommend that you tag and create a small production set and test if the Parent-Child numbering is being created correctly.

You will also want to confirm the delivery specification before you make a production. An example of a delivery specification can be found here: https://www.sec.gov/divisions/enforce/datadeliverystandards.pdf

In the linked specification, you will see delivery fields defined in Addendum A along with references to the Parent-Child relationships:

FIRSTBATES example = EDC0000001 First Bates number of native file document/email
LASTBATES example = EDC0000001 Last Bates number of native file document/email
**The LASTBATES field should be populated for single page documents/emails.
ATTACHRANGE example = EDC0000001 - EDC0000015 Bates number of the first page of the parent document to the Bates number of the last page of the last attachment “child” document
BEGATTACH example = EDC0000001 First Bates number of attachment range
ENDATTACH example = EDC0000015 Last Bates number of attachment range
PARENT_BATES example = EDC0000001 First Bates number of parent document/Email
**This PARENT_BATES field should be populated in each record representing an attachment “child” document
CHILD_BATES example = EDC0000002; EDC0000014 First Bates number of “child” attachment(s); can be more than one Bates number listed depending on the number of attachments
**The CHILD_BATES field should be populated in each record representing a “parent” document

If you need more help, please send me a PM.

Regards,
Larry
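Added example, not part of the original post and not taken from any review tool: a Python sketch of the checks described in the post above (family ordering, privilege propagation, the conflicting-tag QC search, and the PARENT_BATES/CHILD_BATES fields). The record layout (`doc_id`, `parent`, `tags`), the sample documents and the one-page-per-document simplification are assumptions made for illustration.

```python
import copy

# Constructed sample in the export order the post describes (emails first,
# attachments last). Field names doc_id/parent/tags are hypothetical.
DOCS = [
    {"doc_id": 1, "parent": None, "tags": {"privileged"}},  # Email #1
    {"doc_id": 2, "parent": None, "tags": {"responsive"}},  # Email #2
    {"doc_id": 3, "parent": None, "tags": {"responsive"}},  # Email #3
    {"doc_id": 4, "parent": 1, "tags": set()},              # Attachment to Email #1
    {"doc_id": 5, "parent": 2, "tags": {"privileged"}},     # Attachment to Email #2
    {"doc_id": 6, "parent": 3, "tags": {"responsive"}},     # Attachment to Email #3
]

def family_order(docs):
    """Each parent email immediately followed by its own attachments."""
    parents = [d for d in docs if d["parent"] is None]
    return [d for p in parents
            for d in [p] + [c for c in docs if c["parent"] == p["doc_id"]]]

def propagate_privilege(docs):
    """Return a copy where every attachment of a privileged parent is privileged."""
    docs = copy.deepcopy(docs)
    by_id = {d["doc_id"]: d for d in docs}
    for d in docs:
        if d["parent"] is not None and "privileged" in by_id[d["parent"]]["tags"]:
            d["tags"].add("privileged")
    return docs

def conflicts(docs):
    """QC search: (parent, child) where a responsive parent has a privileged child."""
    by_id = {d["doc_id"]: d for d in docs}
    return [(d["parent"], d["doc_id"]) for d in docs
            if d["parent"] is not None and "privileged" in d["tags"]
            and "responsive" in by_id[d["parent"]]["tags"]]

def load_file(docs, prefix="EDC", width=7):
    """Number produced documents in family order (assumes one page per document)."""
    docs = propagate_privilege(docs)
    if conflicts(docs):
        raise ValueError(f"unresolved tag conflicts: {conflicts(docs)}")
    produced = [d for d in family_order(docs) if "privileged" not in d["tags"]]
    bates = {d["doc_id"]: f"{prefix}{n:0{width}d}" for n, d in enumerate(produced, 1)}
    return [{"FIRSTBATES": bates[d["doc_id"]],
             "PARENT_BATES": bates.get(d["parent"], ""),
             "CHILD_BATES": "; ".join(bates[c["doc_id"]] for c in produced
                                      if c["parent"] == d["doc_id"])}
            for d in produced]
```

`load_file` refuses to number anything while a conflict is open, so the responsive Email #2 with a privileged attachment in the sample has to be resolved before a load file is generated.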