Channel: Forensic Focus Forums - Recent Topics
Viewing all 20110 articles

General Discussion: Connecting industry with academia a bit more

Sanitized somehow misses the real issue internally. But there are plenty of ideas on the street. Forensics of AI, VR, cars, IoT, secure messaging, satellite hacking, GPS MITM, 5G Forensics...

General Discussion: All Win10 Memory Images do not work - Redline/Volatility

Hello guys, I had the same problem. My solution was to read the Windows 10 memory dump using a Kali Linux distribution. It worked like a charm, without any kind of fork. I spent a whole day running in Windows and receiving errors, but using Linux, everything was fine and I could read my dumps! Regards!

General Discussion: People often OVERestimate forensic capabilities

RolfGutmann wrote: No problem. Today the trust is in the report, the investigator's name and sign not from interest. Machines are more accurate than humans, but you have to limit their capabilities to interpret. The question is: Where is human better than machine in forensics?

Do you have an AI-based forensics suite I don't know about? In the U.S., an expert has to qualify in court based on his/her credentials. We don't have any established law that would explain how to qualify a program to "testify". The role of a forensic examiner/expert is not just to find artifacts but to explain them to law enforcement, attorneys, and eventually a courtroom/jury. A whiz-bang AI/ML-based forensics suite isn't going to do that.

AI could be useful in some circumstances. For example, we could train a program to estimate the age of a person in a photograph using photographs of people whose ages are known then apply that to photos of suspected child pornography where the age of the victim is not known. I'm not worried about being replaced by AI.

-tracedf

Forensic Software: Digital Mobile Radio

In a case DMR is in use which is based on IDs to get access. As security is high we struggle to intercept their com. Who is an expert in DMR (Hytera hw, CPS sw)?

General Discussion: Please, help to resolve this.

It was foreseeable, with money you always find someone...

Digital Forensics Job Vacancies: Mobile Phone Examiner (North Yorkshire Police)

ROLE: Mobile Phone Examiner
LOCATION: Northallerton, North Yorkshire
SALARY: £21,999 to £26,535
HOURS: Full time, Permanent

We are currently inviting applications to work within the Mobile Phone Unit based at Police Headquarters. This is an exciting opportunity to undertake data recovery and provide evidentially sound technical support to the investigation of mobile phone related crime and crimes where mobile phones have been used in order to assist in the commission of the crime and to undertake Network Investigations as a member of the Mobile Phone Unit.

The post-holder will be responsible for extracting, analysing and reporting upon complex digital data for the purpose of assisting in criminal investigations, including indecent images of children. The role will also include providing advice and support to operational colleagues on digital forensics and emerging technologies and providing scientific technical evidence and attend court. Crime scene attendance for the purpose of triaging devices, assisting investigators with interviews, file presentation, attending case conferences, meetings and workshops will also form part of the role requirement.

The successful candidate will have excellent IT and communication skills, along with previous investigative experience. A degree in Forensic Computing or equivalent experience would be desirable but full training will be provided. There is an expectation that any post holder will undertake all required training as set out in the Career Progression Plan. In addition, due to the significant training involved with this post there is a requirement to repay, in part, training costs if the post holder leaves within a defined period of time.

To apply please click the following link: https://northyorkshirepolice.tal.net/vx/lang-en-GB/mobile-0/appcentre-3/brand-3/user-2/xf-81475081847b/wid-1/candidate/so/pm/6/pl/1/opp/789-Mobile-Phone-Examiner/en-GB/posting/1000

Applications for this role will close at 9.00am on 8th August 2017.

Digital Forensics Job Vacancies: Senior Computer Forensic Consultant - Dubai

Our client, a global consultancy firm is seeking a Senior Computer Forensic professional to be based in their office in Dubai, UAE. You will be involved with investigation of complex computer related incidents, using computer forensic techniques and providing technical assistance and expertise to other team members. This will be a highly client-facing role with travel required, both regional and international, to client sites across the UAE and Africa.

This Senior Consultant position is a part of a growing Computer Forensics team based in Dubai. The primary duty of this position is to be part of a team delivering computer forensics services to clients, including data collection, forensic analysis and reporting.

Background/Experience required:
• Strong independent analytical and problem-solving skills.
• Ability to communicate technical concepts in a non-technical way
• Experience with industry-standard forensic applications and tools such as EnCase & FTK
• Strong Computer Forensic skills are essential.
• Experience of dealing with complex computer related incidents, using computer forensic techniques.
• Knowledge of operating systems & Law
• Experience in collections, imaging and witness statements
• Candidates must have experience working in the private / consulting sector.
• Prior law enforcement experience will be useful.

Excellent benefits and bonus on offer as well a defined career path. To view this position in more detail and to apply please click here or follow the link below. https://www.cybersecurityjobsite.com/job/5101461/senior-computer-forensic-consultant-dubai/

General Discussion: People often OVERestimate forensic capabilities

keydet89 wrote:

wotsits wrote: Something I have seen more the longer I spend around this industry, is non-forensics people (lawyers, police, armchair experts, etc.) continue to overestimate the capabilities and reach of computer forensics. I often hear things along the lines of, 'they can get everything you've ever done on that device', 'anything that's been deleted can always be recovered', 'whatever it is they'll be able to break into it'.

While I agree with the comments about the "CSI Effect", there is another phenomenon at play here. During Chris Pogue's interview with Douglas Brush (https://cybersecurityinterviews.com/001-chris-pogue-like-chihuahua-pork-chop/), Chris mentioned something that I see a great deal of with clients and sellers...that is, a very technical topic that isn't understood is reduced to an often-incorrect absolute. Recovering contents of a deleted file once then becomes, "...forensics can recover everything, always..." because the conditions are too technical and difficult for most folks not actively involved in DFIR work to remember.

There's also an aspect that is faced more so in consulting, and that's the effect a seller has on client interpretation and understanding. For example, I once worked in a building that had showers available, and 3 days a week, I'd run a 7-mile course. A seller introduced me to a client, saying that I ran "30 miles a day". How's the client to know any different?

wotsits wrote: Capabilities are, if anything, diminishing as operating systems develop, increased use of encryption, drives that use TRIM, improved security and technology advances that far outpace forensics.

Capabilities of whom or what? I've found that as operating systems develop, more and more artifacts are automatically generated, to the point where your general DFIR analyst isn't able to keep up. Artifacts are misinterpreted, or simply missed ("uhm...did you think to look at X?"), in part because there are so many of them. As such, an over-reliance on automatic tools becomes the norm.

IMHO, what's happening is that our laziness is catching up with us. The vast majority of the DFIR community is completely passive, with their primary involvement being downloading tools and clicking "Like" or "retweet". If more folks documented and shared their findings, and got involved, the efforts of the community would keep pace with technology advances.

Really interesting point regarding OS artifacts. Do you think there are any windows (for example) artifacts that we (DF) currently does not understand?

General Discussion: ISIS uses Telegram

For people in counter terror units https://pages.icpro.co/LandingPages/Download.ashx?key=460|344D14|4F72|17C|EB4B|53|2116FFE3

Classifieds: EnCase V6 Dongle For Sale

Thank you for the fast reply. Cheers

Classifieds: EnCase upgrades

After 10 years of Digital Forensics at work, I'm looking around for EnCase software/hardware solutions for possible contract work in the next few years but want to continue practising at home. Do any of you know the full extent to Guidance Software's upgrade program/system for EnCase? Can I buy an old V5 and upgrade to V7? I still feel that V8 has changed too much with the interface and colours etc...slows me down, I prefer V7. Has Guidance forced yearly fees to analysts who still just want to use V7? I suspect this SMS fee is just a yearly software update/management fee...why wouldn't we just use EnCase 7 without yearly updates...especially to try to save up cash in the beginning of a new business? Thanks for any feedback you all can provide. Cheers RJ

General Discussion: Connecting industry with academia a bit more

jaclaz wrote:

tootypeg wrote: From my perspective, I find it very frustrating when trying to find existing field problems from which to undertake research, so I imagine students also do - albeit some might go about finding a project the wrong way.

BUT, there is a list of possible research fields/topics here:
https://www.forensicfocus.com/Forums/viewtopic/t=6829/
http://www.forensicfocus.com/project-ideas
since years.

What *regularly* happens:
https://www.forensicfocus.com/Forums/viewtopic/t=14528/
https://www.forensicfocus.com/Forums/viewtopic/p=6587750/#6587750

jaclaz

Ah yes, I am aware of this set of projects on here. I suspect not many people take them up as I don't think the list has been edited in a few years. My thoughts are that this may be due to more detail being required or some context, or even a lack of a contact from which to have an initial contextualising discuss of the project and then set off on the research journey.

This is an example of what worries me about doing something like this, as it is an existing strategy but one that doesn't seem to have work in the context of getting project uptake and collaboration. I wonder if practitioners have maybe disengaged from it and students just haven't got on board or seen something which is in their opinion some they can tackle.

I also think that to make sure wasted time is cut down, it needs managing from a level above the student. A middle man- sort of. Someone to oversee the project and make sure that it is implemented and disseminated effectively. In this sense, it could fit in quite well with existing dissertation formal requirements if managed well.

General Discussion: Connecting industry with academia a bit more

tootypeg wrote: I suspect not many people take them up as I dont think the list has been edited in a few years.

Your suspects are exactly what I gave as certainty in my post: https://www.forensicfocus.com/Forums/viewtopic/p=6587750/#6587750

tootypeg wrote: My thoughts are that this may be due to more detail being required or some context, or even a lack of a contact from which to have an initial contextualising discuss of the project and then set off on the research journey.

With all due respect :) , very unlikely to be the issue, or IF this is the actual issue we are doomed :( .

Going back to this particular pet peeve of mine, that list of ideas/topics is not aimed to the "general public", it is aimed to a rather narrow subset of people that:
1) are studying or have studied exactly the same matter (or very contiguous one)
2) are near the end of their course of studies (let's say 1 year before the degree)
3) their course of studies is related (or should be related) to a career as (digital) forensics investigator or expert
4) that are (hopefully) within (say) 2 years from entering the professional world as a (digital) forensics investigator or expert (junior as much as you want, but still an investigator or expert)
5) need - in order to get the degree - to work on a dissertation on a related topic

In my perverted mind a (digital) forensics investigator or expert is someone whose work is to find here and there traces or fragments of information and from these (limited) traces or fragments be able to rebuild (with as much detail as possible) a whole (plausible and provable) story of what happened.

Is it really *needed* (for this specific, narrow subset of people) to (say)? :o :
a.) number the ideas with an unequivocal reference
b.) provide an article explaining in detail the possible applications of the idea, its possible branching, the similarities to similar existing approaches, cross reference to previous work and current state-of-the-art
c.) provide the name of a "tutor" that on a 1:1 basis will counsel on further details, steps to take, etc. or however guide through the initial taking of the project
d.) keep a register of who ("applicant") has taken what idea and periodically update on the status of the project
e.) whatever else

It seems to me that if any of the above is actually *needed*, the level of the "applicant" in 2 years time (i.e. on the job) won't and cannot be the one that anyone in the industry would expect.

Now, that list (right or wrong) has been compiled by jamie based on suggestions of members, if we exclude that the ideas there have been submitted in bad faith or in order to trick the poor student into unneeded work, they represent what people more or less in the field (often since many years) find lacking.

So, *somehow* this is the problem:

tootypeg wrote: I wonder if practitioners have maybe disengaged from it and students just haven't got on board or seen something which is in their opinion some they can tackle.

Practitioners are NOT engaged at all, they provide(d) some ideas, that's it. Students seem to find the board just fine (even if the fact that a soon-to-be-investigator ALWAYS needs to start a new topic asking for the ideas/dissertation topics as no one finds it should say something). (just for the record besides searching for it, it is one of the 3 stickies in the "Education and Training Forum")

If in their opinion they don't even begin to tackle ANY of the ideas in there because they are ALL too difficult or complex, and they cannot find even one suitable, then there is a BIG problem (IMHO). Remember that those ideas are what the (experienced) members of the board find missing/lacking, it is not that you can change the list replacing topics with "easier" ones, or (like I suspect happens in academia) with "re-known" ones.

When these students will be on the job, (I repeat not decades in the future, possibly 1 or 2 years from now) they will most probably need to tackle much more complex and serious problems with no or little counsel/assistance and it is not like in real life you can choose to face this simpler problem instead of that more difficult one. And BTW the future profession of these students is not one that has not heavy consequences, they will contribute to put people in jail or to exonerate them, to make people and/or firms pay (or not pay) huge sums of money, it would be much better for the society if they know what they are doing.

tootypeg wrote: I also think that to make sure wasted time is cut down, it needs managing from a level above the student. A middle man- sort of. Someone to oversee the project and make sure that it is implemented and disseminated effectively. In this sense, it could fit in quite well with existing dissertation formal requirements if managed well.

Yes :), that may be - as said - a role that I would find extremely useful, though it will be needed (provided that the list a.-e. I made above makes any sense and is actually *needed*) to decide who does what. I would guess that:
a.) could be made by jamie or scar
b.) ???
c.) maybe tootypeg
d.) possibly (provided that feedback is given) by scar or some other member of the board
e.) ???

jaclaz

Mobile Phone Forensics: iOS 10.3 and iPhone 7's

Hi there, thank you for your response. Yes we have Physical Analyzer 6.3.5 released now in July

Mobile Phone Forensics: How to find a date when Android OS is installed

You have to find "setupwizard.xml" and look at its creation date. This file is at this path: /data/data/com.google.android.setupwizard/shared_prefs/SetupWizardPrefs.xml. It is created after the first install of the Android OS and a Gmail account has been entered. If the user doesn't enter a Gmail account and continues to use the phone, you can't find that file. This is all about the Gmail account.

Mobile Phone Forensics: BROADPWN - Broadcom worm

Seems very interesting:

Quote: BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS
https://blog.exodusintel.com/2017/07/26/broadpwn/

jaclaz

Digital Forensics Job Vacancies: Information Security Manager, Sony Pictures - London

Sony Pictures Entertainment is a leading creator and distributor of entertainment products, services and technology. Our global operations encompass motion picture production and distribution, television production, programming and syndication, home video acquisitions and distribution, operation of studio facilities, development of new entertainment technologies and distribution of filmed entertainment in over 70 countries.

The Information Security Manager will be based in London UK, reporting to the regional Information Security Director and will assist in the delivery of the Sony Pictures Entertainment information security program to offices and employees in the Europe, Middle East and Africa region.

The responsibilities of the Information Security Manager will include:
• Managing multiple aspects of the information security program, including policy, compliance, risk management, and ad-hoc consultancy to the business; reviewing and proposing changes to existing policies, standards and guidelines
• Engaging with business stakeholders to understand business practices; gathering and facilitating the convergence of business, technical and security requirements; liaising with IT to align the environment with existing and future requirements
• Risk assessing external entities (e.g. vendors, suppliers, partners, joint ventures); assisting with due diligence reviews of merger and acquisition deals
• Collaborating with IT to ensure security is factored into the evaluation, selection, installation and configuration of hardware, applications and software; researching technologies and identifying differentiators and integration challenges; providing technical and managerial expertise on maintenance and administration aspects
• Providing support and guidance on legal and regulatory compliance including data privacy
• Tracking and coordinating the remediation of security vulnerabilities
• Delivering security awareness training to employees

The Information Security Manager must have:
• Hands-on experience deploying and administering security products such as firewall, intrusion detection/prevention (IDS/IPS/UTM), web application firewall (WAF), advanced endpoint security, file integrity monitoring (FIM), data loss protection (DLP), and vulnerability scanning.
• Excellent understanding of information security concepts, protocols, industry best practices and strategies; analytical skills to evaluate security requirements and relate them to appropriate security controls
• Detailed knowledge and understanding of information risk concepts and principles as a means of relating business needs to security controls; an understanding of the business impact of security tools, technologies and policies
• Practiced proficiency in performing risk, business impact, control and vulnerability assessments; well-versed in network and web application vulnerability scanning; defining treatment strategies
• Proven track record of project management and reporting skills
• Excellent verbal, written and interpersonal communication skills, including the ability to communicate effectively with IT, project and application development teams, management and business personnel; capable of building strong relationships and understanding business imperatives
• Hands-on experience deploying and administering IT systems such as identity management, authentication, DNS, configuration and hardening, event logging, and patch management
• Experience with common information security management frameworks, such as International Standards Organization (ISO) 2700x, the IT Infrastructure Library (ITIL) and Control Objectives for Information and Related Technology (COBIT) frameworks

Some travel may be required within region, as well as to home office located in Los Angeles. Out-of-hours support may be required depending on nature of the operations.

For a full job description and to submit your CV and Cover Letter to be considered, please visit the Sony Pictures careers website: http://www.sonypicturesjobs.com/

Mobile Phone Forensics: iOS 10.3 and iPhone 7's

Hi Oxygen, Thank you. I have submitted a ticket for the Demo license. We have used your software with a lot of success with Nokia mobile phones. Should this assist us with the iOS I will motivate the purchase of a new license. Thanking you in advance

Mobile Phone Forensics: CLSBusinessCategorycache

Hi, Has anyone ever encountered an iOS file called CLSBusinessCategorycache.sqlite? I have found some geo-location data in it and was wondering what events created it. Thanks Si

General Discussion: People often OVERestimate forensic capabilities

tootypeg wrote: Really interesting point regarding OS artifacts. Do you think there are any windows (for example) artifacts that we (DF) currently does not understand?

Most definitely. In fact, there are a great many artifacts that go misinterpreted pretty regularly. The sad part is that most of them are misinterpreted due to the fact that (a) they're not understood, and (b) they're very often viewed in isolation. Too many times, DFIR analysts will look at artifacts in isolation from each other, even though they're from the same system. Viewing Windows Event Log records, for example, from one log file at a time does not constitute "system analysis" and very often leads to the bigger picture being missed.

AppCompatCache is still wildly misunderstood...I just had a discussion about that yesterday with someone. The time stamp associated with the data is the file system last modification time, derived from the $STANDARD_INFORMATION attribute within the MFT record. It is NOT the execution time of the application.