Channel: Forensic Focus Forums - Recent Topics

Mobile Phone Forensics: iPhone is locked. Connect to iTunes.


General Discussion: Latest news from the UK Regulator

https://www.theguardian.com/uk-news/2018/jan/19/uk-police-forces-failing-to-meet-forensic-standards-safe-regulator-miscarriages-justice-outsourcing

"In her annual report, Gillian Tully highlighted her growing concerns about the failure of some forensic firms used by the police to meet basic quality standards. It means innocent people could be wrongly convicted and offenders escaping justice."

General Discussion: Forensic 4cast Awards Nominations Open

The Forensic 4Cast Awards nominations have opened. Lee runs the awards at the SANS DFIR Summit in Austin every year. The awards are community driven, so nominate whoever you believe deserves the award (this site has won blog of the year twice running!). I've shared those whom I'm nominating here. Nominations close at the end of March, and voting on the top 3 nominations should open about a week after that.

Education and Training: Need help with my Assignment!

Thanks! For the first part: yes, the boot.ini looks exactly like what you showed. For the second part: I plugged in a thumbdrive of mine and it only showed Partition 1; there doesn't seem to be a child under Partition 1 after I expand it, just a FAT32 file, and when I right click it I can only find "Export Disk Image", there's no "Exporting Logical Drive AD1". Please take a look at the screenshot and advise me. Thanks for the guides: https://imgur.com/a/erseH

I have also generated a download link for the AD files, hope you are able to download it and guide me along: http://dropmefiles.com/y1ywM

jaclaz wrote:
Nephalem wrote: https://imgur.com/a/tc3PI Hi, this is what happened when I used it on FTK Imager, I'm not sure what to do next.

So, the file opened normally (there is no encryption), i.e. you can see the files inside the filesystem. Now what is the problem? What happens when you select "boot.ini" in the upper part of that view? Does the bottom part suddenly look *like*?:

Code:
    [boot loader]
    Timeout=20
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

If yes, good, you have just viewed the contents of a human readable (plain text) file.

Now, what do you have in your hands? Two files:
jo-2009-11-19.ad1
jo-2009-11-19.ad2

How could they have been generated? Maybe - just maybe - they were created by FTK Imager (since at least the .ad1 file opens just fine with it). Now, how could FTK Imager have been used? Try this test with a small device, let's say a 4 Gb USB stick.

File->Add Evidence Item. Choose a Physical Drive, then select the corresponding device (let's say \\.\PhysicalDrive3). The item will be added to the tree on the left. Now, expand it.

Try selecting \\.\PhysicalDrive3, and right click on it; among the choices you will see "Export Disk Image". Now select the first child of \\.\PhysicalDrive3, this can be either an item named "Partition n" or the name/drive letter of the volume on the USB stick. If the item is "Partition n", when you right click you still have "Export Disk Image". If the item is the volume, when you right click you will have INSTEAD "Export Logical Image AD1". Choose that; you will be prompted to Add a destination, click on Add, you will be prompted with inputting case number, etc., just type some values in the fields and go forward. You are now prompted for a folder (on your local hard disk) to store the image and for a name to be given to the image. Choose a suitable folder and filename (without extension). If you look just below it there is a default setting "Image Fragment size (MB)" set to 1500. Press Finish. In a few minutes the image will have been created.

If you go with Explorer to the folder you chose as destination, you will find a file <name>.ad1 with size 1.572.864.000 bytes and one or more files with increasing numbers in the extension, like <name>.ad2, <name>.ad3.

Now you can remove the USB stick/PhysicalDrive from the FTK Imager evidence tree and add the <name>.ad1 file to it. Its contents will be very similar to those of the USB stick/PhysicalDrive seen before. Now, remove the <name>.ad1 file from the evidence tree and add the <name>.ad2 file. What has changed?

Now what can we learn from this experiment?

jaclaz

General Discussion: Watson & Jones: Digital Forensics Processing and Procedures

I just wanted to draw attention to the following, from the Glossary, on page e4:

Quote: Browser - Short for Web Browser. A software application used to locate and display Web pages. The two most popular browsers are Netscape Navigator and Microsoft Internet Explorer.

General Discussion: Latest news from the UK Regulator

True, but the way the article reads, it almost sounds like it wouldn't have happened if the FSR had statutory powers and this lab was forced to comply with the regulations.

Mobile Phone Forensics: GSMA Roaming Database

Is there a way to get access, for information only, to the GSMA Roaming Database to see IR.21 parameters? The IR stands for International Roaming. We are trying to get our own direct access to the Infocentre2 of GSMA. Who can advise?

General Discussion: Lab backup solution

StreetForensics wrote: Thanks for the reply. I'll look into those options! In addition to the Windows Backup (and letting it create a 'system' image) I also create E01 images of the entire disk containing the C partition for the 'nuclear' option. I only do this 1-2 times a year so I have to reinstall newer versions of a few programs, but that practice has worked so far.

Yep, the E01 image is of course excellent for the "nuclear" option, but is even "too much" (you don't really-really want to have/need a forensically sound image including slack space, unused sectors, etc.); the alternative proposed would allow for a periodic (let's say once a week or every two weeks) backup of the system and boot partition(s) in a way that is restorable even in the "nuclear" case.

The point is only on the convenience of the one or the other approach. Restoring an "integral" E01 image may take more time and of course needing to reinstall this or that program reflects on the "overall downtime" of the system/workstation. Making more frequent "system" images will need some more space (traditionally a rotating set of three copies was used [1]) and it has to be seen if the overall backup procedure stays "within the night closing hours" or if adding the "system" image to the routine will make it too long, thus making it infeasible in practice, but scheduling the "system" backup weekly on Saturday/Sunday may be enough to take care of the time needed while still having a fast, handy way to recover in case of disaster.

Having such a "fresh" image will reduce the time needed to reinstall the "new" programs and - I believe with modern Windows and the stupid way MS manages them this is getting increasingly problematic - to have the system in sync with Windows Update. I have seen quite a few reports lately of - besides actual issues - extremely long times for the connection and download of updates, often needing hours.

As always it is a trade off between complexity of the procedures and convenience in case of a "disaster" happening.

jaclaz

[1] Once upon a time - and this unfortunately shows how old I am - we used to have three floppies, one labeled Monday, one Wednesday and one Friday, to which we made backups, overwriting the previous contents, so that at any time, including the case of some malfunctioning, we had at most a one day old backup and if it failed a three day old one. Over the years the three floppies became first Zip disks, then CDRWs, and later DVDRWs until hard disks (and important content in them) became simply too d@mn large, so we needed NASs.

General Discussion: Latest news from the UK Regulator

minime2k9 wrote: No worries, it just seems that she is using Randox as an example of why she should have statutory powers to force labs to hold ISO 17025 when it clearly didn't help in this scenario.

Agreed. The Guardian and FSR have taken issues from different forensic fields and mixed them into one big cluster...

General Discussion: Another case dropped late......

And seemingly Judge Black didn't take it lightly: http://www.telegraph.co.uk/news/2018/01/19/judge-hits-unnecessary-delays-oxford-students-two-year-rape/

Quote: Judge Jonathan Black demanded the head of the CPS Rape and Sexual Offences (RASO) unit write to him within 28 days "with a full explanation of what went wrong" before he decides whether any action is required "at CPS or police level". He said: "It seems to me in a case which is as finely balanced as you say it was, there have been unnecessary delays in investigating... leading to what seems to be a completely unnecessary last-minute decision in this case. Both Oliver Mears and the complainant have had this matter hanging over their heads for two years in circumstances, had the investigation been carried out properly in the first instance, would not have led to this position."

jaclaz

Education and Training: Need help with my Assignment!

Okay, I have followed what you tasked me and here are the results when I use WinHex: https://imgur.com/a/xIFga It showed ADSEGMENTEDFILE at the right. For the Image Fragment Size, maybe what you are trying to do is to get the smaller bits of the image file so that we are able to see what's inside? Or to decrypt and get the main size of the file, which is 8.14gb? I'm really not sure what the numbers and values that I saw in WinHex are. Do they mean something? Like ASCII characters? I tried comparing those using an ASCII table but it doesn't add up and mean anything, please advise me.

jaclaz wrote:
Nephalem wrote: what should i do next?

Open the file part1.ad1 with a hex editor. What do you see? (check the first two sectors)
Open the file part1.ad2 with a hex editor. What do you see? (check the first two sectors)

Now remove everything from the evidence tree in FTK Imager. Add (File->Add Evidence Item->Image file) the part1.ad1 in FTK. Make a screenshot of what you see. Remove again everything from the evidence tree. Add only the part1.ad2. Make a screenshot of what you see. Remove again everything from the evidence tree in FTK Imager. Rename the file part1.ad1 to part1.adx. Add in FTK the part1.ad2 as evidence item. What happens?

Now the questions you need to answer:
1) What could be a good (logical, not necessarily technical) explanation of what you saw in the hex editor? (also in the light of the change in the field from 1500 to 200 and the generation of files up to ad42)
2) In what do the two FTK screenshots differ?
3) How would you describe the behaviour of FTK Imager when the evidence item "part1.ad1" is loaded compared to when the evidence item "part1.ad2" is loaded?
4) How would you explain the behaviour happening when part1.ad1 is renamed to part1.adx and you add part1.ad2 as an evidence item? (also in the light of what you saw in the hex editor)

jaclaz

Mobile Phone Forensics: W2L? 5G - your entry point

A Swiss operator offers the option 'multi device', which is concurrent usage of multiple SIM cards (max. 3) on the same contract. See here: https://www.swisscom.ch/en/residential/mobile/options/multi-device.html How does the proper authentication run in relation to geolookup fraud prevention? As it is offered for families, their members can be split around the globe in different time zones. Where do they limit the offered partial contract services (let's limit it to data incl. VoLTE)? Crack the nut yourself or PM me. Let's Block Criminals! on FF.

General Discussion: SSD Or Windows Forensics

NANA wrote: Wondering what would be the best for forensics research SSD or windows?

'Best' is not easy to evaluate. Anything that provides new and generally useful information is good. Anything that provides corrected and generally useful information is good. Repeating research that already has been done can be good (if it confirms a doubtful result) or useless (if it doesn't add anything new). It's like map making: adding (correct) information to a map is good, correcting information is also good. But just repainting countries in new colours is not clearly useful.

Quote: In terms of effectiveness. I see many researches on SSD since 2013. But windows forensics not that much especially the latest version.

Not sure I follow you: but don't confuse quantity with quality. Does any of this stuff you're referring to fill in new areas, confirm previously done research or do anything else that is useful? Windows seems a wider and more open area for research.

Quote: I want my topic not be repetitive as well as helpful in my career.

And what is that career? Where is your goal? And where are you in your career? Are you preparing for a Ph.D.? Or postgraduate research? Or ... are you only learning to research? If you're a student, talk to your tutor or equivalent: it becomes a 'how do I learn to research' question. Or is your career none of these, but something else entirely?

Find a question that you have some interest in that's either unresearched or needs complementary research due to later developments, and work that. If effectiveness or how much it furthers your career is more important ... I'm not likely to be able to help in any way.

General Discussion: SSD Or Windows Forensics

athulin wrote: But just repainting countries in new colours is not clearly useful.

... with at least a single known exception: https://en.wikipedia.org/wiki/Four_color_theorem actually a milestone in the history of both computing and mathematics, the first theorem ever to have been proved by computer calculations.

jaclaz

Education and Training: Need help with my Assignment!

The "second sector (starting at offset 0x200)", is it this? https://imgur.com/a/VAEZ4 The screenshot I highlighted in red. The other tests I have tried, renaming of ad1 to adx and also adding ad2 as evidence item, are on the screenshot here: https://imgur.com/a/xIFga

Q1 - I think changing the field from 1500 to 200 is to divide the ad1 file into segments, but I'm not sure what the purpose is.
Q2 - If what I highlighted in red in the first imgur link I showed is correct, ad1 is the logical image of the main image file while ad2 is the segmented file? So it means to say all the other files up to ad42 are segmented?
Q3 - Both of them seem to be the same in the way they are loaded.
Q4 - Before I changed "part1.ad1" to "part1.adx", "part2.ad2" was shown as "ADATA UFD", but after I changed it, "part2.ad2" became ASEGMENTEDFILE, shown on the FTK screenshot here: https://imgur.com/a/Wjs1o

jaclaz wrote:
Nephalem wrote: Okay i have followed what you tasked me and here are the result when i use Winhex https://imgur.com/a/xIFga it shown ADSEGMENTEDFILE at the right

Good. Now what might that mean (in plain English)? What is in the second sector (starting at offset 0x200) of the .ad1 file? And what is in the second sector (starting at offset 0x200) of the .ad2 file?

What about the other tests:

jaclaz wrote: Now remove everything from the evidence tree in FTK Imager. Add (File->Add Evidence Item->Image file) the part1.ad1 in FTK. Make a screenshot of what you see. Remove again everything from the evidence tree. Add only the part1.ad2. Make a screenshot of what you see. Remove again everything from the evidence tree in FTK Imager. Rename the file part1.ad1 to part1.adx. Add in FTK the part1.ad2 as evidence item. What happens?

Once you have completed the above, you should be able to answer the given questions:

jaclaz wrote: Now the questions you need to answer:
1) What could be a good (logical, not necessarily technical) explanation of what you saw in the hex editor? (also in the light of the change in the field from 1500 to 200 and the generation of files up to ad42)
2) In what do the two FTK screenshots differ?
3) How would you describe the behaviour of FTK Imager when the evidence item "part1.ad1" is loaded compared to when the evidence item "part1.ad2" is loaded?
4) How would you explain the behaviour happening when part1.ad1 is renamed to part1.adx and you add part1.ad2 as an evidence item? (also in the light of what you saw in the hex editor)

jaclaz

Education and Training: Need help with my Assignment!

Nephalem wrote: The "second sector (starting at offset 0x200)" is it this? https://imgur.com/a/VAEZ4 the screenshot i highlighted in red

Yep, that's it, and it is telling you that it is a "logical image" (though we already knew that, as the .ad1 format is for logical images) and since you checked the .ad1 file of the original image of the assignment you can also see that the source for the image was a file: D:\FORENSIC-IMAGES\jo19dd\jo19

So, this might be a meaningful difference: the .ad1 files have at offset 0x200 "ADLOGICALIMAGE" followed by something that is human readable and is evidently a path, whilst the .ad2 file at the same offset shows only some apparently random binary data.

Nephalem wrote: Q1 - I think, change the field from 1500 to 200 is to divide the ad1 file into segment, but i'm not sure whats the purpose.

Very good. The purpose - just for the record - is (was) to be able to copy the files on limited size media (think of CDR or DVDR). The idea is that the whole image is saved in segments (or parts) so as to be easier to copy/store (or send/download). Another possible target, as an example, would be storage on a FAT32 filesystem, where the single file size cannot exceed 2^32-1, i.e. roughly 4 GB.

Nephalem wrote: Q2 - If from what i highlighted in red from the first imgur linked i shown is correct. ad1 is the logical image of the main image file while ad2 is the segmented file? so it means to say all the other files up to ad42 are segmented?

Almost but not quite. More simply, the .ad1 is the first file in a set of files, with extension .ad followed by a number indicating the sequence of the file in the set.

Nephalem wrote: Q3 - Both of them seems to be the same on the way its loaded

Good.

Nephalem wrote: Q4 - Before i change "part1.ad1" to "part1.adx", "part2.ad2" was shown "ADATA UFD" but after i changed, "part2.ad2" became ASEGMENTEDFILE shown on FTK screenshot here: https://imgur.com/a/Wjs1o

Not only, you also got a pop-up message to the effect of "Image Detection Failed" when you tried to open the .ad2 file at the time the .ad1 was renamed to .adx.

Let's sum together the results of tests #3 and #4: when the .ad1 file exists the .ad2 file looks exactly like the .ad1 file in FTK Imager. When the .ad1 file does not exist (as it is renamed to .adx) the .ad2 file throws an error and looks completely different in FTK Imager, so next question:

5) How could this happen? Again a "logical", "plain" explanation, rather than a "technical" one, is welcome.

And time for the next experiment. Remove everything from the FTK evidence tree. Rename back the .adx to .ad1. Add the .ad42 (or the .ad31 or the .ad17) image to the evidence tree. Select the "child item" (you remember, you will see on the top right pane [root], [unallocated space], etc.), right click and "Export Logical Image (AD1)". Press the Add button, put *something* in the Evidence Item Information window, then go on, input a suitable destination path and a filename, I suggest "monolithic_test", and replace the 1500 in the "Image Fragment Size (MB)" field with a value higher than the sum of the sizes of all the 42 files you have now, let's say 20000. Now ask yourself, before pressing the Finish button, what would you expect to happen? Press the "Finish" button, let FTK Imager do its thing, it will take a few minutes. What actually happened?

jaclaz

Forensic Software: QuickView Plus 2017 time format issue UTC vs GMT

rhall47 wrote: Have any of you encountered a similar problem and could suggest an alternative viewer. I love the product otherwise but my clients are unhappy with having to explain the difference and why the time is displayed differently.

When I have encountered problems, I made a copy of the DD image, made a VMDK file referring to the DD file, cracked the pw, booted it in VMWare Workstation and took a look around from the user's perspective. Beats any viewer you'll ever find. Usually referred to as "liveview".

Forensic Software: QuickView Plus 2017 time format issue UTC vs GMT

Thanks MDCR for your suggestion. I think the time scale we are working to in this instance would make doing that an issue right now. More generally, I have done some research and I have discovered that there is no difference between UTC and GMT. The program Quick View Plus 2017 is representing the time incorrectly. I have used other metadata viewers and the actual time recorded against the MSG files is as displayed when you view the email in Microsoft Outlook. So to summarise, Quick View Plus 2017 is misinterpreting the time stamp. The program is not altering the data of course, but it is displaying the time incorrectly. Thanks to you all for contributing to the conversation. I very much appreciate your input. Richard

Education and Training: Need help with my Assignment!

Okay, for now I have checked the monolithic (8.14gb) file and summed up ad1 to ad41 to check; it's the same. Sorry, but I'm still kind of confused on the second part you said. So now do I need to do the same thing I did previously on ad1 to ad2? Like create another monolithic file, and try to combine them together? And if so, how do I merge/combine the 2 monolithic files together?

jaclaz wrote:
Nephalem wrote: Oh cause for the monolithic_test.ad1 it stated the file is 8.5gb, but when i right click properties it says 8.14gb. erm for the task, i dont quite get it, you mean adding which both files to the evidence tree? the "monolithic_test.ad1" and which one? the original ad1 and ad2 of disk image that provided for this assignment? and after i did that what should i do next?

No, I meant the "monolithic" and the set of files .ad1 to .ad42 you had before, to check that they contain exactly the same things (i.e. that when you created the monolithic image you selected the "right thing").

If you "right click" in Properties you should also see the exact size of a file in bytes, actually two of them, one being the actual size, and one the actual size on disk. If you sum the size (in bytes) of each of the files in the .ad1 to .ad42 set you should obtain a total the same as the size of the "monolithic" .ad1 file + 29992 bytes.

Now you should be able to make a new "monolithic" image out of the two (.ad1 and .ad2) files you had as assignment, which is one among the requests you made:

Nephalem wrote: ... i was told that need to decrypt and combined the 2 files in order to get the original disk image file.

The decryption is not needed as the files are not encrypted. The "combining" is what you asked next and that you have (or should have) now enough knowledge/experience to do.

From that to get the "original disk image file" there is a looong way still (provided that recreating the "original disk image" is actually required/was actually asked, which I doubt).

jaclaz
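The two observations jaclaz draws out in this thread (the .ad1 carries the "ADLOGICALIMAGE" marker and source path at offset 0x200 while later segments do not, and a segment set is only usable when the first segment is present, with the sizes of all segments adding up to the monolithic image) can be turned into a small triage script. The following is an added example, not code from the forum thread or from AccessData; it assumes the "ADSEGMENTEDFILE" signature seen in WinHex sits at offset 0 of every segment (assumption) and that "ADLOGICALIMAGE" at offset 0x200 marks the first segment, as the thread reports. The segment files it inspects are constructed on the fly so it runs offline; they are not real evidence.

```python
"""Triage a set of .ad1/.ad2/... segment files (added example, not forum code).

Assumptions (labelled): b"ADSEGMENTEDFILE" at offset 0 of every segment,
b"ADLOGICALIMAGE" at offset 0x200 of the first segment only.  The sample
set built by build_sample_set() is constructed data, not a real image.
"""
import os
import re
import tempfile

SECTOR = 0x200
SEG_SIG = b"ADSEGMENTEDFILE"      # assumed per-segment header signature
LOGICAL_SIG = b"ADLOGICALIMAGE"   # reported at 0x200 of the .ad1 in the thread
SEG_RE = re.compile(r"\.ad(\d+)$", re.IGNORECASE)


def read_sectors(path):
    """Return the first two 512-byte sectors of a file."""
    with open(path, "rb") as fh:
        data = fh.read(2 * SECTOR)
    return data[:SECTOR], data[SECTOR:2 * SECTOR]


def describe_segment(path):
    """Classify one segment from its first two sectors."""
    s0, s1 = read_sectors(path)
    is_first = s1.startswith(LOGICAL_SIG)
    source = None
    if is_first:
        # The thread notes a human-readable path follows the marker; take
        # the longest printable run after it as the recorded source.
        runs = re.findall(rb"[\x20-\x7e]{4,}", s1[len(LOGICAL_SIG):])
        source = max(runs, key=len).decode("ascii") if runs else None
    return {"is_segment": s0.startswith(SEG_SIG), "is_first": is_first,
            "source": source, "size": os.path.getsize(path)}


def inspect_set(directory):
    """Inspect every .adN file in directory: ordering, gaps, sizes."""
    files = {}
    for name in os.listdir(directory):
        m = SEG_RE.search(name)
        if m:
            files[int(m.group(1))] = os.path.join(directory, name)
    if not files:
        raise ValueError("no .adN segments found in %s" % directory)
    missing = sorted(set(range(1, max(files) + 1)) - set(files))
    report = {n: describe_segment(p) for n, p in sorted(files.items())}
    return {
        "segments": report,
        "missing": missing,                       # renamed/lost segments
        "first_segment_present": 1 in report and report[1]["is_first"],
        "total_bytes": sum(r["size"] for r in report.values()),
    }


def build_sample_set(directory, count=3, seg_size=4096):
    """Write a constructed segment set mirroring the layout described above."""
    filler = bytes((i * 37 + 11) & 0xFF for i in range(seg_size))
    header = SEG_SIG.ljust(SECTOR, b"\x00")
    for n in range(1, count + 1):
        body = header
        if n == 1:
            path = b"D:\\SAMPLE-IMAGES\\constructed-source"  # constructed path
            body += (LOGICAL_SIG + b"\x00" * 16 + path).ljust(SECTOR, b"\x00")
        body += filler[:seg_size - len(body)]
        with open(os.path.join(directory, "sample.ad%d" % n), "wb") as fh:
            fh.write(body)


def demo():
    """Run the thread's test: inspect, rename .ad1 to .adx, inspect again."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_set(d)
        with_first = inspect_set(d)
        os.rename(os.path.join(d, "sample.ad1"), os.path.join(d, "sample.adx"))
        without_first = inspect_set(d)
    return {"with_first": with_first, "without_first": without_first}


if __name__ == "__main__":
    for label, rep in demo().items():
        print(label, "missing:", rep["missing"],
              "first present:", rep["first_segment_present"],
              "total bytes:", rep["total_bytes"])
```

With the first segment in place the report shows no gaps and the recorded source path; once sample.ad1 is renamed to .adx the set reports segment 1 as missing, which is the plain-text counterpart of the "Image Detection Failed" result Nephalem saw. To compare against a monolithic export, run inspect_set on the segment directory and subtract the monolithic file's size from total_bytes; the difference is the per-segment header overhead for that particular set.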

General Discussion: Match external eSATA drive to drive letter and/or file paths

Hi all. I am stuck on a case which is pretty much completed but I want to do some due diligence.

BACKGROUND

Basically, a user was flagged on a corporate network having Tor.exe. McAfee HBSS logs all show entries pointing to E:\.... for Tor.exe, not to mention a slew of .torrent files. From the file paths listed in the HBSS logs, it looks as if the user was backing up personal computer data which included these prohibited files. The user took off and returned the next day to hand in the approved eSATA external drive, presumably the E:\. Of course the drive was wiped/formatted.

I imaged and analyzed using FTK Imager and FTK 6.3. The drive is basically empty, although it is formatted NTFS and contains an elaborate folder structure but no files except occasional temporary files "~filename.tmp", etc. Also, most of the MAC times for the folders and files are identical or within seconds of each other. $MFT, System Volume Information, all have the same MAC times. I think it's safe to say this is when the drive was formatted? Also, when viewing the drive in raw disk mode, most of the drive shows hex data as 00's. So I'm betting he zero'd out the drive on his own computer when he took the drive home, formatted and then copied over some folders but not the data to make it look like the drive was being used.

Using AccessData Registry Viewer, I was able to identify 2 hard drives in Controlset\Enum\IDE. 1 is positively the laptop hard drive with the OS, the other is unknown and NOT the external eSATA he returned. Under Controlset\Enum\SCSI I found the eSATA drive (verified the model of the drive that is in the enclosure). NOTE: USB drives are blocked via GPO so no entries under Controlset\Enum\USBSTOR.

Now my question/problem: I know the eSATA drive was most likely wiped. But I'm not sure if the other mystery hard drive could be the one that contained the prohibited files. Who's to say that he wasn't connecting an unapproved (personal) hard drive and took that home but also wiped and copied back some empty folders to the company provided eSATA? I know the evidence is pretty strong to show some conscious effort to destroy evidence after he knew he was flagged, but it would be just that much more compelling to be able to say exactly which drive had the prohibited files on it.

Hope to get some insight, I've been mulling over ideas for the last few days but could use a fresh set of ideas. Thanks