Short and compact: BMW and 5G operated by SK Telecom
https://www.globalskt.com/home/info/2052
Have a great weekend
↧
Mobile Phone Forensics: W2L? 5G - your entry point
↧
General Discussion: Recommended Tracking Tools
As mentioned here:
https://www.forensicfocus.com/Forums/viewtopic/t=15070
maybe you want kids tracking software, or - as unallocatedclusters suggested - AirWatch (but this latter may be offering "too much").
jaclaz
↧
Forensic Software: Caine and UEFI
Please share with us whether it works or not.
↧
Forensic Software: W2L? Car Forensics - now
Let's concentrate on the CAN bus, as MOST is for all infotainment, and LIN and FlexRay we will care about later. See here that going from OBD-II to the diagnostic CAN at the data bus diagnostic interface is the first way to go.
https://www.a4-freunde.com/attachment.php?attachmentid=290267&d=1418555547&stc=1
http://www.audi-portal.com/en/diagnostic/ecu_12666.html#1
CAN wires are always twisted together (CAN Low and CAN High). Their signals are opposite but synchronous in time.
Which signal levels (Volt) can you expect to watch on your oscilloscope (DSO)/protocol analyzer?
What do recessive and dominant mean in relation to the signal levels?
Which value of a resistor terminates each CAN L and CAN H?
Which bandwidth runs on CAN (kbps)?
Is the CAN protocol fault-tolerant?
Is it possible to MITM between gateways running over CAN?
Which ISO standard defines CAN?
Afterwork: R&C! Relax & Click! Here you see Audi A8 AI (2018), by clicking to the right you get tech, by clicking to the left you get design (BTW this car is by far not the most advanced globally, just a locally available example!)
https://www.netcarshow.com/audi/2018-a8/1280x960/wallpaper_1b.htm
Try to understand everything about CAN. Next tomorrow.
↧
General Discussion: New Apple laptop without Thunderbolt
c.wawrentowicz wrote:
I have got a new Apple laptop without a Thunderbolt port.
Perhaps you might say exactly what laptop or hardware you have? I've tried to identify new Apple laptops with only USB, but I don't seem to come up with any answers in a reasonable time. But perhaps I misunderstand 'new', or perhaps it's a model that isn't sold where I live.
You might also add some account of how you verified that the preconditions for booting the way you did are fulfilled. Do you know that the USB socket works, to begin with? Do you have a stable and clean power supply? Do you know that there are no hardware memory problems? Have you run Apple Diagnostics or equivalent -- that should probably be one of the first things to do when things go wrong in unexplained ways.
Quote:
I have to image the disk or read data from the disk. First I used Kali Linux on a pendrive to boot this laptop, but there was a black screen after booting from EFI (retina?).
So ... are you using a good Kali release? One that does do EFI booting? Were you following the instructions for EFI booting on the Kali web site? Are you using rEFInd? Have you done this before -- that is, booted Kali on an Apple system?
Does the pendrive boot on another platform? I mean, it's not the pendrive or the image on it that is faulty?
Quote:
I prepared WinPE 10 to boot Windows, but in Windows I do not see the disk.
I assume you're saying that the disk does not show up in the Disk Management console.
And what do the Windows system logs say? Any interesting errors, warnings or other messages? There should be something ...
Quote:
I tried to install Paragon HFS+, but in this version of PE I get a message about some problem with a DLL file.
And? A 'message about some problem' is perhaps the most unhelpful information you can provide, as it doesn't tell us anything at all that is relevant to the problem.
(It does tell me that you almost certainly do not keep a proper log of what you are doing. I'm afraid that's a bad sign. Is this a professional assignment, or are you a student?)
Quote:
I am looking for a method of reading this data.
The general impression I get is that you tried something, it failed, you tried something new, and it too failed. Perhaps you just tried to keep the posting short, and omitted things you think are obvious.
You may need to be more persistent. From your account, I see no indication of what you did when you failed: what troubleshooting did you do, what adjustments to your approach did you make ... and so on. For example, what did you do once you suspected that the Kali you used might not support Retina? (At least, that's how I interpret your '(retina?)' note.) I would probably have checked if there were any enlightening error messages in the Debian boot log ... did you do that?
You need to provide exact details. You failed to boot an unspecified version of Kali on a fairly unspecified Apple platform (we only know it lacks Thunderbolt), and we don't even know if the boot identified hardware or driver problems, or if the computer just folded and died. Much the same thing with Win10PE. That's not a good starting point for recommendations or suggestions.
We don't even know that the system is in working order.
And you probably need to brush up your PC/Mac troubleshooting skills.
None of that answers your question, but that's because I don't have anything solid to work on.
Added: I don't see there's any real value in trying new things. It may work. You won't learn a thing except that 'random actions may work'. And you will not be able to say if the platform is sound or if there is an error that may affect your imaging or any later analysis. (Unless you were using non-working tools or equipment in the first place ... and that would be a problem that needs its own solution.)
Figure out what the problem is, and solve it or work around it.
If this is a professional job, I hope you understand that you should document your failures? Especially if you don't make any attempts to identify the reason for them?
↧
Mobile Phone Forensics: HELP TO DUMP CONTENT OF THE MEMORY OF A BLACKPHONE BP1
It's not that simple. In fact, Tegra based devices were always a problem, even to recover from APX mode.
To actually use APX mode you need a special blob file that's unique for each device. It authorizes the connection and then allows you to use nvflash. Here's how it looked on Nexus 7 2012 with Tegra 3. The main problem is getting that blob file.
↧
General Discussion: Ethereum forensics
The CEO of BinaryBook (Binary Options) was arrested by the FBI. Who from the FBI can contribute about the technical investigation process (anonymized) they were running?
Technical aspects only. I want to learn.
↧
General Discussion: New Apple laptop without thunderbolt
I don't use X-Ways products except WinHex (I have got EnCase), but the price of X-Ways Imager is about 150 Euro and I can take a risk and buy this product.
↧
Mobile Phone Forensics: Encrypted user partition Android 7.0
Hello colleagues! I have an image of Android 7.0, obtained as a result of a chip-off of a Nexus 5X device (32 GB). The phone is out of order. As it turned out, the user partition is encrypted. I have the user password.
Tell me, is there any way to get data from the encrypted section of Android? We are considering the idea of a live download of the system and user partitions using SDK tools, but so far there is no success. Also, if there are no software methods, we want to try storing the images in the memory of a similar device. Tell me, who has tried the live download of Android images using SDK tools or other programs? Is it possible to do this in practice?
↧
General Discussion: Options for "Live Host forensics" other than using EnCase
And the venerable 'netcat' too.
↧
Education and Training: LinuxLEO Website and Training Materials - Updated
binarybod wrote:
In truth, neither are 100% safe but I would opt for hardware blockers.
With software blocking you are at the mercy of kernel code and library writers whose first priority is to ensure the disk & file system drivers actually work. Ensuring nothing is written back to the disk comes some way down their priority list.
This is why the write blocking functionality should be implemented in a single spot somewhere in a kernel.
binarybod wrote:
At least with a hardware blocker the company making them has a reputational stake in the process.
Reputation should never replace validation.
binarybod wrote:
I once went to a demonstration by a hardware blocker manufacturer and was heartened by them admitting that they sometimes get it (accidentally) wrong, for example, when the chip manufacturers change the API allowing undocumented write-backs. In this example the write-blocker manufacturer was made aware (quite quickly) by their users and issued a patch forthwith.
The explanation mentioning API changes is really odd. If a hardware write blocker is implemented on top of a microcontroller, then there should be modified (custom) firmware created using the original one provided by the vendor of the microcontroller. For example, a Tableau T35u write blocker is using an ARM Cortex M3 microcontroller from Texas Instruments, its firmware is based on what Texas Instruments provides to customers. If things change in the original firmware, developers from Guidance Software should notice that in the vendor's source code before they start distributing an update of customized write blocking firmware. If they don't, well, there is no valid reason to blame the API change. Also, what API?
binarybod wrote:
I am not aware of any hardware write blocker that uses Linux or any other OS as a background system (incidentally, wouldn't that make it a 'software' blocker?), there is no need to mount the filesystem at all, I would soon ditch it if it did. All that is needed is a chip (or number of chips) that allow all read operations and disallow ANY writebacks.
Tableau TD3 & TX1 devices are running Linux (these are forensic duplicators, but both are capable of acting as a network-based write blocker, and both have "write blocked" ports).
Tableau T356789iu devices are running Linux (this model is a pure write blocker).
binarybod wrote:
Bottom line - both have to be taken on faith unless you have lots of expensive equipment to PROVE that under all circumstances there are no writebacks. I used hardware writeblockers for many years without any problem. I used software write blocking too when I had to, though I had less success with this (mainly due to having occasional fat fingers and/or being slow of thought).
And I saw a Tableau TD3 device writing to a drive attached to a "write blocked" port. Also, I saw a Tableau T356789iu device blocking perfectly legal and usual read requests. A "reputational stake" is pretty bad here (but things may change since I found my software write blocking patch implemented in Tableau TX1).
↧
General Discussion: New Apple laptop without thunderbolt
The Kali issue is likely just a resolution issue with the splash screen. Try booting to terminal or alternatively you can try resizing or deleting the splash screen.
↧
General Discussion: New Apple laptop without thunderbolt
Apple offers a USB-C to USB/Display/USB-C all in one.
Using this you can boot to a USB device as normal.
To be honest, for most Apple laptop imaging we tend to use MacQuisition.
↧
Education and Training: LinuxLEO Website and Training Materials - Updated
thefuf wrote:
It is possible to create a simple IDE-to-IDE write blocker without firmware (using an FPGA).
Sure, and that is probably the "last" actually hardware writeblocker.
More or less "parallel" allowed that, "serial" not so much.
Though, just as an example, the Read Only version of this adapter is declared to be "hardware only":
http://www.addonics.com/products/adsau31r.php
Quote:
WRITE PROTECT version, model: ADSAU31R-WP
All features are identical to the standard version except the WRITE function is disabled. This unique feature ensures absolute protection on any hard drive or SSD against virus contamination or data tampering. It is a great tool for sharing drives containing important data among different users or for forensic application. Drives connecting to this bridge appear as READ only media, similar to a CD or DVD disc.
Same features as the standard version except READ only
Protect drive against virus contamination or data tampering
WRITE disabled at hardware level. No software hacking to circumvent the WRITE PROTECT function
No volatile memory
Drive appears to OS as READ only device. Options to format, delete and others that alter the content or structure of the drive are all disabled by the OS
I suspect that it instead contains some unmodifiable firmware.
And - but this has nothing to do with the writeblocker and its software or hardware nature - modern (last 10-15 years) storage devices are way too "smart" for a writeblocker to be really-really 100% effective anyway.
It will never happen, of course, but in theory nothing prevents reprogramming the disk (or SSD or flash) controller to behave differently from what is expected, and possibly even to detect the presence of a write blocker.
jaclaz
↧
Mobile Phone Forensics: Possible Anomaly with Email Extracted from iPhone
Colleagues,
Help and guidance please on explaining an anomaly I am seeing within email extracted from an iPhone.
DEVICE ANALYZED: Apple iPhone 6s Plus (A1687) (N66AP)
IOS VERSION: 10.3.3
TOOL USED: UFED4PC v 6.2.1.17
JAIL BROKEN STATUS: Not jail-broken
1) I informed the attorney client that I am working for that email cannot be extracted in its entirety from non-jail-broken iPhones running iOS 10.3.3.
2) Cellebrite was able to extract partial email metadata from the iPhone from the "iPhoneRecentsLog" but not any email bodies.
3) After making a logical and file system extraction of the iPhone, I created an iCloud email account using Apple's iCloud service named by my client's name. Then, I created an iCloud email account on the iPhone itself. I then selected email on the iPhone within the existing Outlook account on the iPhone and copied the selected email to the newly created iCloud email account on the iPhone itself.
4) Copying the emails from the Outlook folder on the iPhone to the iCloud email account folder on the iPhone caused the emails to be uploaded to Apple's iCloud storage.
5) I then used Fookes Software's Aid4Mail forensic edition to download the iCloud email account content in the form of an Outlook PST file.
(NOTE: I explained in advance to the client that movement of the Outlook email on the iPhone to an iCloud email account is the only method I am aware of by which email content can be extracted from an iPhone.)
ANOMALY???:
6) Out of the 1,300 emails and attachments within the Outlook PST file Aid4Mail Forensic downloaded and created, 1,200 emails have the original email headers and email dates intact.
7) However, there are 100 emails whose email headers only read:
Content-Type: multipart/alternative; boundary="Apple-Mail-770D86AB-7CBF-4234-979F-D4BB0C9FF6E1"
Subject: FW: Attached Image
To: "John Smith"<js@smithcompany.com>
From: "Johnson, Frank"<Frank.Johnson@johnsoninc.com>
The date stamps for the 100 emails whose headers only reflect "boundary="Apple-Mail...." reflect the date and time the emails were uploaded to Apple's iCloud from the iPhone itself. The other 1,200 emails all reflect their original date and time stamps.
So, I am trying to explain why the 100 emails out of the total 1,300 emails moved to Apple's iCloud are missing their original headers and dates and times.
One theory is that the 100 emails did not have header values and thus Apple's iCloud service stamped the 100 emails with the "boundary="Apple-Mail...." value when the emails were uploaded to the Apple iCloud account.
I have encountered situations in which in the absence of metadata, values will be inserted into documents/email by forensic software, email clients, or e-discovery processing software as the metadata values cannot be blank (for whatever reason).
As one solution I asked my client to be allowed to analyze the original iPhone again to look at the 100 emails' metadata (although I doubt email headers can be viewed as email sits on an iPhone).
Has anyone else encountered the above situation? Please provide suggestions/opinions.
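As an added example (not from the post or from any tool it mentions), one way to triage an exported message set for the anomaly described above: parse each message and flag those that carry no Date, Message-ID or Received header, since a date on such a message can only have been assigned at upload, not taken from the original transmission. It assumes the messages are available as RFC 822 text (e.g. .eml files exported from the PST); the two sample messages below are constructed.

```python
import email
from email import policy
from email.parser import Parser

# Constructed sample messages (not taken from the original post): one with a full
# header set, and one carrying only the four headers the post describes.
FULL_MSG = """Received: from mail.example.net by mx.example.org; Mon, 3 Jul 2017 09:12:44 +0000
Message-ID: <abc123@example.net>
Date: Mon, 3 Jul 2017 09:12:40 +0000
From: "Johnson, Frank" <frank.johnson@example.net>
To: "John Smith" <js@example.org>
Subject: Quarterly numbers
Content-Type: text/plain; charset="utf-8"

Numbers attached.
"""

STRIPPED_MSG = """Content-Type: multipart/alternative; boundary="Apple-Mail-EXAMPLE-BOUNDARY"
Subject: FW: Attached Image
To: "John Smith" <js@example.org>
From: "Johnson, Frank" <frank.johnson@example.net>

--Apple-Mail-EXAMPLE-BOUNDARY
Content-Type: text/plain; charset="utf-8"

see attached
--Apple-Mail-EXAMPLE-BOUNDARY--
"""

# Headers that tie a message to its original transmission rather than to a later copy.
PROVENANCE_HEADERS = ("Date", "Message-ID", "Received")


def provenance_report(raw: str) -> dict:
    """Summarise which provenance headers a single RFC 822 message still carries."""
    msg = Parser(policy=policy.default).parsestr(raw)
    present = {h: msg.get_all(h) is not None for h in PROVENANCE_HEADERS}
    received_hops = len(msg.get_all("Received") or [])
    boundary = msg.get_boundary()
    return {
        "subject": msg["Subject"],
        "has_date": present["Date"],
        "has_message_id": present["Message-ID"],
        "received_hops": received_hops,
        # An Apple-Mail-* boundary is what the post observed on the affected messages.
        "apple_mail_boundary": bool(boundary and boundary.startswith("Apple-Mail-")),
        # Without Date or Received there is nothing left to recover the original date from.
        "original_date_recoverable": present["Date"] or received_hops > 0,
    }


def triage(messages):
    """Split raw messages into those with recoverable original dating and those without."""
    dated, undated = [], []
    for raw in messages:
        report = provenance_report(raw)
        (dated if report["original_date_recoverable"] else undated).append(report)
    return dated, undated
```

Messages landing in the "undated" list are the ones whose displayed date should be treated as an upload timestamp, not as the sent or received time.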
↧
General Discussion: Not unlocking an iPhone now a Terrorist offense!
http://news.sky.com/story/man-guilty-of-terror-offence-for-not-unlocking-iphone-11052785
Quite disturbing misuse of terrorist legislation. The man was the director of a legal firm, and said his iPhone and MacBook contained legally privileged material, which as anyone knows is exempt from search and seizure.
He was subject to an unwarranted search and would not hand out his passcode for those reasons.
He is now convicted of a terrorist offense and subject to all of the reporting and monitoring requirements of a terrorist.
I find this a real misuse of powers, and it is understandable why people are angry that terrorist hysteria is being used to break people's privacy and other rights.
↧
General Discussion: Any Apple CoreStorage / Fusion Experts on Here?
Lately I've been getting a lot of cases where Apple CoreStorage Fusion drives are messed up by computer techs who don't understand what they are doing.
I'm currently doing a lot of research and testing of the low-level writing of data from these.
My biggest interest in this is figuring out how to successfully carve out the LVMs (logical volumes) from both drives and stitch them back together on a block level.
It doesn't seem that there is any way using diskutil to actually get information on the starting and ending sectors of the LVMs.
Right now I'm doing some testing by writing a generated pattern to a test fusion, but I figure it doesn't hurt to ask if anyone already has info about how to carve these out manually.
↧
Mobile Phone Forensics: Blackberry SMS format
Hi folks,
Got several BlackBerries (9800, 9900, Q10) for deleted SMS extraction.
I have an idea to code a carver. Does anyone know a source where I can read about SMS formats and where they are stored (only for BB)? I think I can see phone numbers, but the text is encoded; I might be wrong though.
Any information is appreciated.
↧
General Discussion: Not unlocking an iPhone now a Terrorist offense!
adamd wrote:
It is disturbing, but perhaps taking 30,000 privileged documents to the middle east for a wedding wasn't the best idea.
It's just a fact these days that people take their computer and phone with them when they are going away for a period of time. People have work and stuff they can't be away from for too long. I'm often on the move and take a laptop/tablet with me as well as my phone of course as most people do. I have privileged and sensitive documents on there that I could face legal or professional consequences for if I gave out freely - apparently I now face being prosecuted as a terrorist if I hesitate in doing so.
If it were a case involving a warrant and all the usual presumptions of innocence and rights against unreasonable searches without grounds for a suspicion then I might be slightly less disturbed by all this. But it seems now it just takes one person to say 'you could be a terrorist', then if you opt to stand your ground on your privacy rights and protect your private material they will make you a convicted terrorist as has happened here.
I hope his appeal is successful. Give me a petition and I'll sign it, but the way our rights are going even doing that will probably be a terrorist offense soon!
↧
Forensic Software: Malware in .pst
We got infected in Outlook 2013 with malware in the .pst file. About 3k email messages are included in this archive. How can we effectively clean out the malware without destroying the .pst?
Thank you for your help.
↧