Are you looking to further your career through professional development? Currently we have over 60 courses advertised within the Digital Forensic marketplace.
To see the latest courses available, follow the link below:
goo.gl/pqLiRq
Digital Forensics Job Vacancies: Digital Forensic Training Courses
General Discussion: Amateur (IT Department) Investigators
I spent the earlier part of my career doing IT techy dogsbody stuff, working my way up. I remember a situation where we needed a director's laptop looking at as we were aware that there was pornography on there in some quantity and HR wanted all the facts, particularly if any IIOC was present, before turning it over to LE if necessary. I knew enough and had enough clout by then to stop anybody taking it upon themselves to 'have a quick look', but it took some doing. I then fabricated an issue with the laptop so I could take it into my custody (no CoC done though) and then locked it in our backup tape safe until a properly qualified consultant came on site - he wasn't allowed to take the laptop offsite as it was a defence company.
I persuaded the IT director that putting the consultant into a meeting room for the week that everybody walked past was a bad idea and instead found him an empty out-of-the-way office with a lockable door that he could work from. He was nice enough to show me a few things that he was doing as I had a bit of interest in CF by that point, and I can credit that experience with putting the idea in my head that it was a really interesting field that I might want to specialise in one day, though it took another 6 or 7 years before I started my first job as a Forensic Analyst. And sure enough the director was pretty smutty and was travelling to the Far East to do very bad things, but nothing that required LE involvement, to HR's immense relief, and the director was strongly advised to keep that stuff on his home computer. I then got a member of staff to flash a clean image onto his laptop.
I was working for a different IT company a few years later when I decided to take the plunge and go back to uni to learn about Digital Forensics. I will always remember sitting down with the owner of the company and explaining how grateful I was for everything but I had taken the decision to follow a long held dream and train in Digital Forensics. He evidently took personal offence at this as his manner immediately changed and he coldly informed me that he didn't think I was technically experienced enough to be any good at it, would probably fail my degree, and that there was no demand for those skills anyway as he would just get his cleverest engineers to 'do the forensics' if it was ever needed. I smiled and said thanks again and walked away.
In the years since I have encountered similar attitudes when I have been trying to work with IT 'leaders' who don't understand why specialists are needed, and had to patiently explain that their engineers could find themselves in the box trying to explain the unexplainable with no notes, or even worse, could find themselves inadvertently committing criminal/regulatory offences and so on. Most 3rd line engineers don't need that additional stress in their lives...
General Discussion: delete file in safe way ?
benfindlay wrote:
I've taken a quick look over the sample posted in the link you provided and the following observations jumped straight out at me:
...
Good.
I happened to remember that the VSS Microsoft Virtual Disk Driver allows creating virtual disks of a given sector size, so I quickly made one and tested the effect on a file "size.dat" enlarged by fsz.exe.
The limit is 3776 bytes; 3777 gets the "dignity" of occupying a cluster:
Code:
fsz size.dat 3775
OK
MyFragmenter v1.2, 2008 J.C. Kessels
0 clusters, 1 fragments.
Finished, 1 files processed.
Next...
Press any key to continue . . .
fsz size.dat 3776
OK
MyFragmenter v1.2, 2008 J.C. Kessels
0 clusters, 1 fragments.
Finished, 1 files processed.
Next...
Press any key to continue . . .
fsz size.dat 3777
OK
MyFragmenter v1.2, 2008 J.C. Kessels
Extent 1: Lcn=5005, Vcn=0, NextVcn=1
1 clusters, 1 fragments.
Finished, 1 files processed.
Next...
As seen in the mentioned thread, this size may vary by a few bytes depending on the actual method used to write the file and on the length of the filename; for the file size0123.dat the limit is 3768.
jaclaz
General Discussion: $MFT Resident data
Only to keep things as together as possible, I just tested a 4096-byte sector, see here:
https://www.forensicfocus.com/Forums/viewtopic/p=6587693/#6587693
Quote:
.... I quickly made one and tested the effect on a file "size.dat" enlarged by fsz.exe.
The limit is 3776 bytes, 3777 gets the "dignity" of occupying a cluster:
...
this size may vary of a few bytes depending on the actual method that is used to write the file and on the length of the filename, for file size0123.dat the limit is 3768.
jaclaz
Mobile Phone Forensics: Sophisticated Call Spoofing case
A 19-year-old conducted a large number of bomb threats against Jewish institutions, using sophisticated spoofing techniques to hide, including Wi-Fi misuse. Read here about an exceptional case of hiding behind multiple layers that was close to perfect. Only through the suspect's own mistakes was the case broken by the Lahav 433 unit (Israeli Police) and the FBI.
http://www.thedailybeast.com/articles/2017/03/23/the-slip-up-that-caught-the-jewish-center-bomb-caller.html
General Discussion: delete file in safe way ?
mscotgrove wrote:
In my (fairly quiet) data recovery world I have seen a single 0x1000 MFT disk. I cannot remember if the disk was physically 0x1000 or physical 0x200
It was almost certainly 4096 bytes/sector physical.
"Traditional" or "512n" or "512 native" disks are 512 bytes physical AND expose a 512-byte sector size.
"Advanced Format" or "512e" disks are 4096 bytes physical BUT expose a 512-byte sector size.
"Large sectored" or "4k native" disks are 4096 bytes physical AND expose a 4096-byte sector size.
There is not AFAIK any device that is 512 bytes physical but exposes 4096 bytes.
An interesting (strange) case JFYI is what happened here:
http://www.msfn.org/board/topic/173642-mkprilog-batch-to-access-a-same-disk-under-two-different-interfaces/
http://www.msfn.org/board/topic/173265-formatting-an-external-drive-using-different-interfaces/
where an AF disk changed its exposed sector size depending on whether, in an external case, it was connected via the USB or the eSATA connector.
jaclaz
Mobile Phone Forensics: Sophisticated Call Spoofing case
droopy wrote:
Spoofing a number must be illegal as it is an identity problem.
Moreover, China has recently ordered ALL people to present a valid ID or passport or document to revalidate their mobile numbers. Else, they will suspend the mobile.
In this case, using SpoofCard must be illegal as you change your real identity and affect another identity. Service must be down.
droopy wrote:
I mean, a mobile phone number or landline, must be equal to a car license plate.
If you replace or cheat it, you are generating a modification of the real identity which must be illegal.
China recently have improved their regulations on this field to improve security.
I wouldn't take China as an example of legality or of "fair" laws, anyway.
And since this happened in Israel and the kid was targeting US (and Australia and New Zealand) Jewish institutions, I doubt that the new policy in China could have affected the case.
BTW in most countries (since day one) you need to provide a valid ID when you get a SIM card, or a "throwaway" phone but AFAICT the controls on the authenticity of the ID are - to say the least - superficial.
And you can still get one (for free) from the Internet, example:
http://www.giffgaffeuropa.com/en/freesim
In that case you need a valid postal address, but I believe that it wouldn't be that difficult to manage to get one delivered under a fake name/address in more than a few countries, and there are of course several sites that allegedly sell "anonymous" GSM cards.
However, you may have noticed that no mobile number (nor landline) was involved, like you know:
Quote:
The FBI sent a subpoena to the company that runs the service, New Jersey-based TelTech, in the hope of obtaining the caller’s real number. But that phone number turned out to be a disposable Google Voice line established under an alias.
jaclaz
Mobile Phone Forensics: SAMSUNG TAB 4, ANDROID VERSION 5.1.1
asdqwe123 - the most common pattern for what the OP asked
General Discussion: Visual Chain of Evidence
What great answers! I'm very happy! I searched a lot on the web but found nothing useful. I will try this.
Thanks a lot!
Digital Forensics Job Vacancies: Digital Forensic Contract 2-3m+ mainland Europe £negotiable
Our client has an urgent requirement for a Digital Forensics Collections candidate willing to travel and stay in mainland Europe during the week.
Initially gauged at 2-3 months, this could be extended based on workflow.
All travel, top-star hotels and subsistence are paid on top of the day rate.
You will ideally be immediately available.
You can come from a law enforcement or consultancy/vendor background.
You will have experience with forensic tools such as EnCase/FTK etc.
This is not a graduate opportunity; you will probably have a minimum of 2 years' experience, ideally more.
Mobile Phone Forensics: Sophisticated Call Spoofing case
trewmte is right in his analysis.
Voice biometrics, aka VoicePrint, will solve the problem theoretically, but not in real life. As long as OTT applications from messengers (chat has been the new black for years) dominate the field, the problem is not solvable.
But voice-based services are in decline, as they require both parties to be available at the same time and do not offer a delay to reflect on the content or to bundle/sort out immediate emotions; text-based chat is already today a common tool of extortion, duress and threats.
Mobile Phone Forensics: iPhone image location
The CPLAssets directory indicates that these photos originated from iCloud. (may have been backed up to this device)
The variation you are seeing is likely from the different file size options used to save the photo (thumbnail, small, medium, actual size).
As it says in the excellent BlackBag blog, photos originating from the device's camera will reside in DCIM directory.
On a new device we see the images auto indexed with filename IMG_0001.JPG increasing by 1 with each photo taken.
In Magnet Axiom I see variations in the 'Original Date/Time' category and Created Date/Time when examining photos that have been transferred to the device. Helps differentiate if a photo may have come from a different mobile device.
-J
General Discussion: delete file in safe way ?
Only if you search FF for posts of the mentioned account you will get an impression of the person behind this account. In theory there is no problem - but in reality there is.
FF has a problem. But nobody seems to care.
General Discussion: $MFT Resident data
pbobby wrote:
Haven't read the thread - maybe someone already commented.
I ran a challenge for my workmates on MFT resident data; I was able to fit just under 4k in JPG data in an MFT record.
It's because I made a disk that had 4k sectors instead of 512 bytes per sector.
Which is EXACTLY the topic of the LAST post before yours (which you may have actually read, even if you didn't read the entire thread).
"just under 4k" is "obvious", since the $MFT record is 4096 bytes in size on a 4096-sectored disk; a more accurate size (like the 720-736 for the 1024-byte record on "normal" 512-byte sectors) has just been reported as being between 3768 and 3776 bytes.
jaclaz
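To put numbers on the record sizes discussed in this thread and in the "delete file in safe way" one, here is a structural estimate of how much $DATA can stay resident, as an added example rather than code from either thread. It assumes a plain file record holding only $STANDARD_INFORMATION (NTFS 3.x, 72-byte body), one $FILE_NAME and a resident $DATA, and the 512-byte fixup stride Windows uses for the update sequence array; any extra attribute reduces the figure. It gives 728 bytes for a 1024-byte record and 3784/3776 bytes for size.dat/size0123.dat in a 4096-byte record, each 8 bytes above the values measured above, so treat it as a way to see where the limit comes from, and the measured figures as the ones to rely on.

```python
"""Estimate the resident $DATA capacity of an NTFS MFT record from the
fixed sizes of its on-disk structures. Added example, not code from
the thread; it models a minimal file record and assumes no attributes
beyond $STANDARD_INFORMATION, $FILE_NAME and $DATA are present."""

FILE_RECORD_FIXED = 0x30   # FILE header up to the update sequence array (NTFS 3.1 layout)
FIXUP_STRIDE = 512         # one update sequence entry per 512 bytes of record
STD_INFO_ATTR = 24 + 72    # resident attribute header + $STANDARD_INFORMATION body (NTFS 3.x)
FILE_NAME_FIXED = 24 + 66  # resident attribute header + $FILE_NAME body before the name
DATA_RES_HEADER = 24       # resident attribute header of $DATA; content follows at 0x18
END_MARKER = 8             # 0xFFFFFFFF terminator, padded to an 8-byte boundary


def align8(n):
    """NTFS attributes and resident contents are laid out on 8-byte boundaries."""
    return (n + 7) & ~7


def attrs_offset(record_size):
    """Offset of the first attribute: fixed header plus the update
    sequence array (sequence number + one 2-byte entry per stride)."""
    usa_entries = 1 + record_size // FIXUP_STRIDE
    return align8(FILE_RECORD_FIXED + 2 * usa_entries)


def breakdown(record_size, filename):
    """Per-structure byte cost of a minimal record for `filename`
    (names are stored as UTF-16, hence 2 bytes per character)."""
    return {
        "header_and_usa": attrs_offset(record_size),
        "standard_information": STD_INFO_ATTR,
        "file_name": align8(FILE_NAME_FIXED + 2 * len(filename)),
        "data_header": DATA_RES_HEADER,
        "end_marker": END_MARKER,
    }


def resident_capacity(record_size, filename):
    """Largest $DATA content (rounded down to 8) that still fits."""
    used = sum(breakdown(record_size, filename).values())
    return (record_size - used) & ~7


if __name__ == "__main__":
    for rec, name in ((1024, "size.dat"), (4096, "size.dat"), (4096, "size0123.dat")):
        print("%4d-byte record, %-13s -> %4d bytes resident (overhead %s)"
              % (rec, name, resident_capacity(rec, name), breakdown(rec, name)))
```

The step from 1024 to 4096 bytes costs 16 extra bytes of update sequence array (9 entries instead of 3), which is why the 4 KiB figure is not simply the 1 KiB figure plus 3072.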
General Discussion: delete file in safe way ?
benfindlay wrote:
Also (meaning absolutely no disrespect to anyone here whatsoever), let's factor in the language barrier here.
Possibly a double language barrier, since Rolf is from Switzerland and seemingly not a native English speaker.
Anyway, just in case:
jaclaz
Mobile Phone Forensics: Experience using TWRP/CWM to get Physical dumps Oxy??
mcman wrote:
Grab the latest version of Magnet ACQUIRE, we just added TWRP right into it so it might help walk you through it.
https://www.magnetforensics.com/magnet-acquire/
You'll have to grab the correct recovery image yourself but you can load it right into ACQUIRE. Make sure you follow the instructions properly and know the risks as this is a riskier acquisition than your standard backup.
Also you should be able to load our images into any other tool, doesn't have to be AXIOM/IEF. We don't create any proprietary formats so you should be able to dump it into Oxygen again afterwards if you want.
Hope that helps,
Jamie McQuaid
Magnet Forensics
Thank you, I just requested the community ACQUIRE to look at, I am waiting for confirmation.
Mobile Phone Forensics: Different hash values if contents never changed?
Biandris wrote:
... so I cannot find an explanation to why the hashes would be different. Could someone please explain?
And any explanation from people not involved can only be indicative. We don't even know what OS the phone runs.
You are best placed to answer the question yourself.
Simply take the two images, and compare them, byte by byte.
That may give you a) a single byte that has changed, b) a chunk of contiguous bytes that changed, c) lots of random changes everywhere.
Depending on what you find, research the possible sources for the change. a) would be the simplest: it could be something as simple as a time indication that has been updated, or a counter of the number of times the phone has been powered on.
When you have done that, you know.
What's important is not so much who manufactured the phone (Nokia), but what software platform it uses (Symbian? Windows Phone? MeeGo? Android?) Open source environments are likely to be easier to research than closed source platforms.
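One way to do the byte-by-byte comparison the reply above recommends and sort the result into its three cases, as an added example that is not code from the thread. The two "images" it runs on are constructed byte strings standing in for real dumps; the offsets and the boot counter are assumptions for the demonstration.

```python
"""Compare two acquisitions of the same device byte by byte and report
which pattern the differences form: a single changed byte, one
contiguous changed chunk, or changes scattered everywhere. Added
example, not code from the thread; the sample images are constructed,
not real phone dumps."""


def changed_ranges(a, b):
    """Half-open [start, end) offsets where the two images differ.
    Adjacent differing bytes are merged into one range; a length
    mismatch is reported as one trailing range."""
    n = min(len(a), len(b))
    ranges = []
    i = 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        j = i
        while j < n and a[j] != b[j]:
            j += 1
        ranges.append((i, j))
        i = j
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def classify(ranges, scattered_from=8):
    """Map the change pattern onto the reply's a)/b)/c) cases."""
    if not ranges:
        return "identical"
    total = sum(end - start for start, end in ranges)
    if total == 1:
        return "single byte"            # a): a flag or a small counter
    if len(ranges) == 1:
        return "one contiguous chunk"   # b): a timestamp, counter or log entry
    if len(ranges) >= scattered_from:
        return "scattered changes"      # c): look for a different cause
    return "a few chunks"


def compare_images(a, b):
    """Summary a report can be built from: kind, count, ranges and a
    hex view of the first differing region in both images."""
    ranges = changed_ranges(a, b)
    return {
        "kind": classify(ranges),
        "changed_bytes": sum(e - s for s, e in ranges),
        "ranges": ranges,
        "first_diff": [(off, bytes(a[off:off + 16]).hex(), bytes(b[off:off + 16]).hex())
                       for off, _ in ranges[:1]],
    }


def sample_counter_images():
    """Constructed 1 KiB 'images': a little-endian boot counter at 0x200
    ticks from 255 to 256 between the two acquisitions, so two bytes
    change and the rest is identical."""
    first = bytearray(1024)
    first[0x200:0x204] = (255).to_bytes(4, "little")
    second = bytearray(first)
    second[0x200:0x204] = (256).to_bytes(4, "little")
    return bytes(first), bytes(second)


if __name__ == "__main__":
    first, second = sample_counter_images()
    report = compare_images(first, second)
    print(report["kind"], report["changed_bytes"], report["ranges"])
    for off, left, right in report["first_diff"]:
        print("0x%08x %s -> %s" % (off, left, right))
```

Merging adjacent bytes into ranges matters: a counter rolling over from 255 to 256 changes two bytes, which reads as one chunk rather than two unrelated single-byte changes, and a ranges list with dozens of entries spread over the whole image points at something other than a counter or timestamp.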
Digital Forensics Job Vacancies: Instructor/Trainer for Guidance Software in Slough, UK
COMPANY OVERVIEW: At Guidance, we exist to turn chaos and the unknown into order and the known—so that companies and their customers can go about their daily lives as usual without worry or disruption, knowing their most valuable information is safe and secure. Makers of EnCase®, the gold standard in digital investigations and endpoint data security, Guidance provides a mission-critical foundation of applications that have been deployed on an estimated 25 million endpoints and work in concert with other leading enterprise technologies from companies such as Cisco, Intel, Box, Dropbox, Blue Coat Systems, and LogRhythm. Our field-tested and court-proven solutions are used with confidence by more than 70 of the Fortune 100 and hundreds of agencies worldwide. Get to know us at guidancesoftware.com.
SUMMARY: The Instructor Trainer I is responsible for delivering classroom instruction to the Guidance Software Inc. customer base. This position provides complex instruction on the use of Guidance Software’s software and hardware products, and also on the general skills and techniques used in digital investigations. This position delivers training through various modalities, including but not limited to live classroom instruction, recorded video instruction, and live, internet based instruction.
ESSENTIAL FUNCTIONS:
• To deliver effective instruction, through various modes, in the following areas:
• The EnCase forensic Methodology
• The installation and in depth use of EnCase Forensic Software
• The installation and use of all GSI software and hardware products
• The makeup and investigation of common computer file systems
• The makeup and investigation of computer operating systems
• The makeup and investigation of computer networks
• To support the design and development of course materials in the training curriculum.
• To support the design and development of technical forum and conference presentation material.
• Ability to teach material that is engaging and motivating in accordance with the assigned course schedule.
• Establish and follow meaningful learning objectives.
• Provide assistance and engage in other duties and projects not specifically associated with providing course instruction, to include but not limited to administering and maintaining classroom computers, networks, instructional hardware and general classroom upkeep.
• Ability to review and evaluate course materials, make appropriate recommendations and update course material as needed.
• Assist and support training material development using company styles, standards, and development tools.
• Keep abreast of current materials, technologies and methodologies and incorporate them into training materials.
ESSENTIAL REQUIREMENTS:
• Advanced knowledge in computer forensics and/or electronic discovery, and/or network security and intrusion investigations. Advanced course study or curriculum development experience may be considered for this requirement.
• A proficient user of EnCase
• EnCE Certification at time of, or within 6 months of assuming the position.
• In depth knowledge of Company’s software and hardware offerings.
• Display ability to conduct training on a minimum of 40% of the Training Course Catalog within 12 months of employment.
• Excellent organization and project management skills.
• Strong verbal and written communication and presentation skills.
• Ability to develop complex, technical training materials.
• Being prepared to travel to other facilities to assist with the delivery of course material.
DESIRED SKILLS:
• Minimum 3 years in conducting digital investigations in the areas of computer forensics, electronic discovery or network intrusion investigations.
• CISSP certification
• CEH Certification
• CompTIA A+
• Other industry recognized digital forensic or cybersecurity certification
Company is an Equal Opportunity Employer (EOE). Company provides equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, protected veteran or disabled status.
Click on the link below to apply online:
https://app.jobvite.com/j?aj=opWQ4fwZ&s=email
General Discussion: Direct copy files from remote server to another server
Hi guys,
I need to transfer all kinds of log files and interesting documents from one remote server to another remote server without writing to the server I'm taking the information from.
I'm logging in to the servers via SSH, and I thought of transferring the files through scp.
I don't have experience with this, so I figured I could use some help.
The main goal is to transfer log files and command outputs (netstat, for example) directly to the other server.
I'm planning on writing a Python script, but first I wanted suggestions regarding the transport method I should use.
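One way to do what the question above asks for, as an added example that is not code from the thread: run the read-only collection command over `ssh` on the source, pipe its stdout through the examiner's workstation (which hashes the bytes in transit) into `ssh` on the destination, where `tee` stores the stream and `sha256sum` reports the stored digest for comparison. No temporary file is created on the source; note that the SSH login itself still leaves traces there (auth logs, wtmp/lastlog, and shell history if an interactive shell is involved), so record the login time and account as part of the collection notes. Host names, the command list and the evidence path are assumptions for the example.

```python
#!/usr/bin/env python3
"""Stream command output from a source host straight to a destination
host, via the examiner's workstation, without writing a file on the source.

Added example for the question above, not code from the thread. Host
names, collection commands and the evidence path are assumptions.

Pipeline:
  ssh SRC 'cmd'  ->  this script (hashes the bytes)  ->  ssh DST 'tee FILE | sha256sum'
The destination echoes the digest of what it stored, so the examiner can
confirm it matches the digest of what left the source.
"""
import hashlib
import shlex
import subprocess

CHUNK = 64 * 1024

# Constructed example of read-only collection commands to run on the source.
COLLECTION = {
    "netstat.txt": "netstat -an",
    "auth.log": "cat /var/log/auth.log",
}


def stream_and_hash(src_argv, dst_argv):
    """Run src_argv, feed its stdout into dst_argv's stdin and hash the
    bytes as they pass. Returns the byte count, the in-transit SHA-256,
    both exit codes and whatever the destination printed on stdout
    (expected to be short, e.g. one digest line; a chatty destination
    could fill the pipe and stall the copy)."""
    digest = hashlib.sha256()
    sent = 0
    src = subprocess.Popen(src_argv, stdin=subprocess.DEVNULL,
                           stdout=subprocess.PIPE)
    dst = subprocess.Popen(dst_argv, stdin=subprocess.PIPE,
                           stdout=subprocess.PIPE)
    try:
        while True:
            chunk = src.stdout.read(CHUNK)
            if not chunk:
                break
            try:
                dst.stdin.write(chunk)
            except BrokenPipeError:
                break  # destination went away; stop pulling from the source
            digest.update(chunk)
            sent += len(chunk)
    finally:
        src.stdout.close()
        dst.stdin.close()
    remote_stdout = dst.stdout.read().decode(errors="replace")
    return {
        "bytes": sent,
        "sha256": digest.hexdigest(),
        "src_rc": src.wait(),
        "dst_rc": dst.wait(),
        "remote_stdout": remote_stdout,
    }


def ssh_collect(src_host, command, dst_host, dst_path):
    """Collect one command's output from src_host into dst_path on
    dst_host and verify the stored digest against the in-transit one."""
    src_argv = ["ssh", "-o", "BatchMode=yes", src_host, command]
    dst_cmd = "tee %s | sha256sum" % shlex.quote(dst_path)
    dst_argv = ["ssh", "-o", "BatchMode=yes", dst_host, dst_cmd]
    result = stream_and_hash(src_argv, dst_argv)
    fields = result["remote_stdout"].split()   # "digest  -" from sha256sum
    result["remote_sha256"] = fields[0] if fields else None
    result["verified"] = (result["remote_sha256"] == result["sha256"]
                          and result["src_rc"] == 0 and result["dst_rc"] == 0)
    return result


if __name__ == "__main__":
    import sys
    # usage: collect.py user@source user@destination /evidence/case42
    src_host, dst_host, evidence_dir = sys.argv[1:4]
    for name, cmd in COLLECTION.items():
        r = ssh_collect(src_host, cmd, dst_host, "%s/%s" % (evidence_dir, name))
        print("%-12s %10d bytes  sha256=%s  verified=%s"
              % (name, r["bytes"], r["sha256"], r["verified"]))
```

Compared with `scp`, this avoids staging anything on the source and works for command output as well as files; it also gives you two independently computed digests (in transit and at rest) to put in the notes. Keep the workstation's copy of the digests with the case record, since the source-side command output is never stored anywhere you control other than the destination.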
Mobile Phone Forensics: Galaxy SM-G925F Running 6.0.1
TaZmaniak wrote:
By default, Android 6 Marshmallow encryption is mandatory for most new devices which make a physical dump (using the TWRP method for example) of these mobile devices useless since you will end with an encrypted dump which cannot (yet) be decrypted.
This is NOT true and correct information - while newly produced devices which use Marshmallow are mostly encrypted by default (you can turn it off in Settings but nobody cares about this), pure 6.0 doesn't have any requirement for encryption at all. In fact the S6 (G920F) or S6 Edge (G925F) are not encrypted by default at all - like many older phones too - there are many tablets which got the 6.x upgrade and nobody forces users to encrypt them.
So you can easily make a dump using UFED or Oxygen and then analyse it - of course you will get KNOX triggered and cannot access it. This of course applies to Android up to 6.0.1. If the Android version is higher you can still do chip-off, read the chip and then put it back and give a working phone to the client. Here are short videos showing such a process:
Galaxy S6 G920F chip preparation / read / analyse in UFED
Galaxy S6 UFS IC movie - chip back into phone board
P.S.
There is still an option, working on exactly version 6.0, to make a BF attack, but this is a totally different approach.