Multi SIM - a single MSISDN but many USIM cards exist for a small extra, e.g. CHF 5/month. An OSS-based limitation is that only one is in use and the others are blocked. If you imagine several multi eSIMs soldered into devices/cars, how can you attribute the system which was in use at a certain time? You may say the IMEI helps, OK, but how does the MNO's OSS detect which IMEI was in use? SIM forensics normally reveals a lot of info, but how do you find out from an eSIM that others exist?
How do you, from an eSIM only, reverse engineer that there must be one or several other eSIMs (Multi eSIM)?
Where in an eSIM is the evidence that it's a Multi SIM?
IoT brings eSIM en large and many of these devices are battery-based and one-time-use. They go into action and have to run for some years - and then are just thrown away. Disposable IoT with eSIMs.
If disposable systems go into recycling, a high risk of non-legal re-use or reworking arises. If not properly disassociated, e.g. because a system was lost and there is hope of finding it (FMX, Find My X), the activation remains 'active'.
Is Forensics ready for Multi eSIM IoT?
↧
Mobile Phone Forensics: Multi eSIM IoT Fraud
↧
Mobile Phone Forensics: Encrypted iTunes backup.
Might be worth checking if iCloud backups are enabled and if they know their username/password to login to it.
Elcomsoft and Cellebrite have solutions that can grab unencrypted backups from the iCloud servers, which may help you out. Failing that, Elcomsoft also have a solution to attempt to decrypt iOS backups through brute force; however, this may be fruitless if a complex password is used.
↧
Mobile Phone Forensics: A11 Bionic Chip-off
See the LGA here
https://cdn.macrumors.com/article-new/2017/08/a11-chip-1-800x354.jpg
Chipworks A10 teardown
https://cdn.macrumors.com/article-new/2017/09/chipworks_a10_die_photo-800x533.jpg
↧
Classifieds: Looking to buy EnCase Dongle
Anyone planning to sell their EnCase V6 or V8 dongles? Please inbox me as I'm interested in buying.
↧
Classifieds: Cellebrite UFED, laptop, FTK Dongle and TD3
Is the FTK dongle still available?
↧
Mobile Phone Forensics: HELP TO DUMP CONTENT OF THE MEMORY OF A BLACKPHONE BP1
Hi, I'm testing with a BLACKPHONE BP1 phone; this device has an NVIDIA processor, model TEGRA 4i.
I put the phone in APX mode, with the drivers properly configured on my PC, then with the nvflash program I send the following commands ...
nvflash.exe --bct ../common_bct.cfg --bl ../bootloader.bin --go
nvflash.exe -r --read 4 ROM / bootloader.bin
nvflash.exe -r --read 6 ROM / bootlogo.bmp
nvflash.exe -r --read 7 ROM / lowbat.bmp
nvflash.exe -r --read 8 ROM / charging.bmp
nvflash.exe -r --read 9 ROM / lowbatcharge.bmp
nvflash.exe -r --read 11 ROM / tos.img
nvflash.exe -r --read 12 ROM / eks.dat
nvflash.exe -r --read 15 ROM / recovery.img
nvflash.exe -r --read 16 ROM / tegra148-ceres.dtb
nvflash.exe -r --read 17 ROM / boot.img
nvflash.exe -r --read 18 ROM / system.img
nvflash.exe -r --read 19 ROM / cache.img
nvflash.exe -r --read 23 ROM / MDM.img
nvflash.exe -r --read 24 ROM / log.img
nvflash.exe -r --read 26 ROM / userdata.img
and it only comes out ...
Nvflash 4.10.1800 started
chip uid from BR is: 0x61401001740970812000000017fb86c0
I need help to know what the error is.
Greetings.
↧
General Discussion: Pulling license plates from HD cameras - with IR, even
I'm looking at a theft that occurred in my town of just over 7000 people the other day. The perps pulled right up in front of an HD camera, but because the camera is probably 15 feet up, I'm having the worst trouble getting the license plate numbers.
Unfortunately, our local LEOs aren't much help; I've got make, model, and range of years on this vehicle, but they apparently can't be bothered looking up what I have been able to extract from the license plate. I'm fairly certain I've got the first 3 characters, but the next 3 are proving elusive.
I'm starting to think I'm dealing with the luckiest idiots on the planet; the motion sensor where they broke in failed to detect them, and they never went into the other part of the building, where there was more valuable equipment, but active motion sensors.
I'd be leaning toward this being an inside job, but with only 4 employees, I'd call it unlikely. Only the one camera captures any view of the license plate, and I'm pulling my hair out, using Amped Five and the various tools that are supposed to deblur license plates. But it's almost like the IR on the camera overcompensates once they turn off their headlights, even. The plate becomes a total whitewash.
Anyone got suggestions/advice on this? I picked the wrong day to give up barbiturates. (Obligatory Airplane! reference)
Naturally, I don't want to just post my progress so far, but if anyone's interested in seeing how far I've gotten, I could message you an image or two.
↧
Classifieds: Looking for TACC 1441 or similar devices
Hi all,
I am looking for TACC 1441 or similar devices.
If you want to sell it, please contact me.
Thanks.
↧
Forensic Software: W2L? Car Forensics - now
Tesla S 85 D - EV example
↧
Digital Forensics Job Vacancies: Forensics position in Dallas/Richardson, Texas
I am interested, can you pm me the details and requirements?
Thank you.
↧
Classifieds: Looking for Encase Forensic(v8) EnCE courseware
Igor_Michailov wrote:
Hi Ganron,
I have:
Encase Advanced Internet Examinations
Digital Media - Acquisition and Triage
EnCase Examinations of Macintosh Operating Systems
Host Intrusion Methodology and Investigation
But they are not for EnCase 8.
Appreciate your response, but I'm looking specifically for Encase v8 ATM.
↧
Education and Training: Ence encase certified examiner
Hashad wrote:
ganron wrote:
jatinder wrote:
Hi,
I recently passed my EnCE and am now a certified examiner.
I purchased a Training passport from Guidance Software and took Modules DF120, DF210 & the Prep course. The instructors were really good. In addition to this, I bought the EnCE study as you did. I also did the free tests included in the text book many times over, which really helped.
It was hard work but I enjoyed it; the feeling when I passed was really worth all the work.
My background is Finance with some IT, but I wanted a career change and this seemed like the best course to do.
Now I just have to find a job!
Good luck.
* Edited to add I believe that they are only using Version 8 software now.
Do you plan to sell your materials? Let me know, thanks.
waiting
Meaning? Are you waiting for the courseware to arrive? Do you plan on selling it?
↧
Mobile Phone Forensics: Faulty Roaming Phenomena
We investigate a few cases of customers outside LEO, public cases. A Swiss MNO charges customers who had flight mode activated but got charged with data consumption. It's obvious that the MNO has a problem in its own OSS.
As this is not a case of law enforcement, the MNO does not open its own logs and data.
How can it be checked (it must be possible for ordinary customers, not LEOs) whether data came over the MNO or WiFi? By checked I mean logged and court bullet-proofed. A data consumption app is too weak, as a free or paid app does not stand up in front of a court.
A new phenomenon of a cry for forensics, but nobody is willing/able to pay, and we as LEO are bound not to go to work.
But it's kind of mission impossible for ordinary customers to fight against a Fortune 500 company.
Your recommendation for these users?
↧
General Discussion: Pulling license plates from HD cameras - with IR, even
I have exported the entire video's frames into .bmp images, but I'm not terribly experienced with image manipulation. Of all the things I've done, this one has me learning a lot the hard way.
I don't mind a challenge, but this is a huge puzzle with pieces missing, and for a newbie to this area, it's a killer.
↧
General Discussion: Prefetch Registry Settings changed?!
Quote::
I have observed a strange behavior from Prefetch and kindly ask someone on another Windows 10 OS (10.0.15063) to confirm that
I was unable to get access to a Windows 10 (10.0.15063) but I was able to test this on a Windows 10 (OS Build 14393.1715) and I saw the same results as you. I also have an SSD (Samsung) with Windows 10 installed (upgrade from Windows 7) and my Prefetch was enabled by default as well.
↧
General Discussion: "Lost Files" folder in Encase
Just curious: using EnCase ver 7.12, I have a bunch of files and folders in "Lost Files". Does the creation date of these files and folders indicate the timestamp at which these files and folders were placed into "Lost Files"? The File Created timestamp of all of these files seems to indicate that a user deleted a main folder, which subsequently deleted all the subfolders and files in that folder.
The time stamps of the File Created dates indicate that the files and folders were all deleted in rapid succession (e.g. the person probably deleted a root folder containing all the subfolders and files). So essentially, under Lost Files, I have thousands of deleted files in there which all show a creation date that spans a few minutes.
Thanks.
↧
Forensic Software: W2L? Car Forensics - now
Tesla's electrical diagram not open to public
↧
General Discussion: "Lost Files" folder in Encase
"Lost Files" in EnCase refers to deleted files with an unknown parent; they are often called orphan files in other tools.
When a folder with files is deleted, all of its MFT entries will be marked as deleted. However, if the deleted folder entry is reused, the deleted files can no longer be traced back to their parent. That's how "Lost Files" are made.
When files and folders are deleted, none of the MAC times will be updated. So we can't determine the deletion time by simply looking at the MAC times.
So the answer to this question is No.
Quote::
Does the creation date of these files and folders indicate this is the date timestamp in which these files and folders were placed into "Lost Files".
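Added example (not part of the original post and not EnCase code): a Python sketch of the orphan logic described in the answer above, run over constructed, minimal MFT records. The function names and sample records are hypothetical, fixup arrays are ignored, and the parent check is simplified to a direct comparison of record number and sequence number.

```python
import struct

IN_USE, IS_DIR = 0x01, 0x02   # flags field of the MFT record header (offset 0x16)

def make_record(seq, flags, parent_no, parent_seq, name):
    """Constructed minimal FILE record with one resident $FILE_NAME attribute."""
    body = struct.pack("<Q", parent_no | (parent_seq << 48)) + bytes(56)
    body += bytes([len(name), 1]) + name.encode("utf-16-le")
    attr = struct.pack("<IIBBHHHIH2x", 0x30, 24 + len(body), 0, 0, 0, 0, 0, len(body), 24)
    head = b"FILE" + bytes(12) + struct.pack("<HHHH", seq, 1, 56, flags) + bytes(32)
    return head + attr + body + struct.pack("<II", 0xFFFFFFFF, 0)

def parse_record(raw):
    """Return (seq, flags, parent_no, parent_seq, name); fixups are ignored."""
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    seq, _links, off, flags = struct.unpack_from("<HHHH", raw, 0x10)
    while off + 8 <= len(raw):
        atype, alen = struct.unpack_from("<II", raw, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == 0x30 and raw[off + 8] == 0:        # resident $FILE_NAME
            c = off + struct.unpack_from("<H", raw, off + 0x14)[0]
            ref, n = struct.unpack_from("<Q", raw, c)[0], raw[c + 0x40]
            name = raw[c + 0x42:c + 0x42 + 2 * n].decode("utf-16-le")
            return seq, flags, ref & 0xFFFFFFFFFFFF, ref >> 48, name
        off += alen
    raise ValueError("no $FILE_NAME attribute")

def classify(mft, no):
    """'live', 'deleted' (parent still traceable) or 'orphan' (Lost Files)."""
    _seq, flags, p_no, p_seq, _name = parse_record(mft[no])
    if flags & IN_USE:
        return "live"
    if p_no not in mft:
        return "orphan"
    parent_seq, parent_flags = parse_record(mft[p_no])[:2]
    # Simplified rule: the stored parent reference must still match a directory
    # record with the same sequence number; a reused slot carries a newer one.
    return "deleted" if parent_flags & IS_DIR and parent_seq == p_seq else "orphan"

# Constructed sample MFT: record number -> raw record bytes.
MFT = {
    5:  make_record(5, IN_USE | IS_DIR, 5, 5, "."),
    40: make_record(3, IS_DIR, 5, 5, "Projects"),          # deleted folder, slot intact
    41: make_record(2, 0, 40, 3, "plan.docx"),             # deleted, parent traceable
    50: make_record(8, IN_USE, 5, 5, "setup.log"),         # slot reused by a new file
    51: make_record(4, 0, 50, 7, "old.xls"),               # parent was 50 at seq 7
}
```

Record 51 still stores the timestamps it had before deletion; only its parent reference has gone stale, which is why it would be listed as an orphan rather than under its original folder.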
↧
General Discussion: Prefetch Registry Settings changed?!
shakes6791 wrote:
Quote::
I have observed a strange behavior from Prefetch and kindly ask someone on another Windows 10 OS (10.0.15063) to confirm that
I was unable to get access to a Windows 10 (10.0.15063) but I was able to test this on a Windows 10 (OS Build 14393.1715) and I saw the same results as you. [...]
Thanks a lot for your work, I will investigate this further!
best regards,
Robin
↧
General Discussion: Pulling license plates from HD cameras - with IR, even
It looks like we may have our thieves. For some reason, the shop that was robbed just decided to check and see if the vehicle involved was one they had worked on. It appears that it was.
That means they already had the plate number, the VIN number, and the customer's name, address, etc. They just had to look for it.
↧