Is there any free program for that purpose on the market?
Forensic Software: CDR Analysis software
Mobile Phone Forensics: Cellebrite Physical Extraction Question
It's a Nexus 6P (H1512).
I was trying the extraction on UFED 4PC 5.1.0.564, couldn't acquire a physical image using that version. Updated software to 7.1.0.751 and it seems to be working now (when the phone is rooted). Haven't attempted the ADB extraction method yet.
All good for now, thanks.
Forensic Software: Splunk alternatives
Really sorry, should've read the question twice before posting. We've just released the product and considering the initial feedback, it looks like a free version is something to seriously think about.
Forensic Software: Reading, migrating, etc. Microsoft Word 4.0 (for Mac) files
@jaclaz
Thanks for all of your help. I was able to open all/most of the documents I needed, used PrintToPDF to save them to a hard disk partition on my local computer, and printed/saved them for the collection.
I think you were instrumental in getting me along this entire process and for that I thank you!
One final request: I'm wondering how I can save the emulated environment I have "created." In other words, I want to make sure that I can have other people open this particular environment that I have created (Mac OS 7.5.3 w/ Microsoft Word and PrintToPDF) on their computers. An "out-of-the-box" solution, if you will.
I'm having a hard time visualizing it; is this even possible? Maybe modify/save the ROM so that it already has all of that software installed?
Any input would be truly appreciated!
Thanks for all your help!
Forensic Software: Splunk alternatives
Migs wrote:
Try Kiwi Syslog server.
Kiwi is more infrastructure, it does not enable even basic analytics.
A couple of organisations I've heard of go with Kibana/Logstash. It's free and scalable and is based upon Elasticsearch, a modern and fast DB backend. Splunk is an overpriced piece of garbage that scales very badly with any wallet. I threw it out of the window, along with ArcSight, LogRhythm, AlienVault and RSA Security Analytics. Don't forget that NetFlow and PCAPs also are needed for visibility.
You're better off throwing logs into any (free) modern database and asking questions of it; SQL and Cypher can ask WAY more complex questions than the 1990s pie-chart GUI that SIEM systems come with. The only new commercial tool that shows promise was PacketSled with NLP and data-vis stuff, but their CEO had an... umm... let's say "counter-productive marketing strategy".
Forensic Software: Reading, migrating, etc. Microsoft Word 4.0 (for Mac) files
gapodaca wrote:
One final request: I'm wondering how I can save the emulated environment I have "created." In other words, I want to make sure that I can have other people open this particular environment that I have created (Mac OS 7.5.3 w/ Microsoft Word and PrintToPDF) on their computers. An "out-of-the-box" solution, if you will.
I'm having a hard time visualizing it; is this even possible? Maybe modify/save the ROM so that it already has all of that software installed?
Actually the ROM contains "nothing" (related to the actual apps) and being (originally) a ROM (i.e. a Read Only Memory) it is best left "as is".
Technically the OS 6/7/8 used a number of libraries that were inside the ROM, imagine that on Windows an actual chip on the motherboard contained the main OS .dll's.
What you want to save is the hard disk image(s).
If you used the two suggested hard disk images (hd1.img and hd2.img inside http://www.hampa.ch/pub/pce/pce-0.2.2-macplus.zip ), those will have been modified by the install of PrintToPDF, by copying your files, etc.
So, if you have put those hard disk images inside the same folder as the emulator you used (in the end Basilisk II, if I got it right), all you have to do is to archive the whole folder inside a (say) .zip archive, which will include:
1) the emulator, including its config file and ROM used
2) the hard disk images containing the OS and data
Simply expanding it in a new directory on another machine should have it working, with the only caveat that, since paths in the config file are absolute, some editing of the config file will be needed; but it would be just a matter of adding a small "readme1st.txt" explaining which lines need to be adapted, so that the "new user" in the future will be able to adapt it.
gapodaca wrote:
Thanks for all your help!
You are welcome, it has been a nice occasion to re-visit how great System 7 was (at the time); it was years that I hadn't had an occasion to play with it again.
Ahh, the memories ...
I paid an awful amount of money in 1993 to buy a PowerBook with System 7.0.1 and a whopping 4 MB RAM/80 MB hard disk, with a greyscale display, laying the foundation of jaclaz's Law of laptops, according to which each and every "decent" laptop cost, costs (and will cost) around 2,000 Euro; I am maybe at my 10th or so laptop in these 25 years, and till now it has proved true. ;) At the time that was around 4,000,000 Lire, and - to give you an idea - it was about 3/4 times a "normal" wage.
jaclaz
Forensic Software: CDR Analysis software
I've actually written a Python script to go through CDR records (at least from one provider, though modifying it for every provider should be simple). In my case I was asked to find unique phone numbers, but was thinking of doing further work to provide more information (mapping, etc). Was thinking of open sourcing it or at least providing it for free to law enforcement.
General Discussion: Anyone got a bot to find deleted truecrypt container header?
Hey, thanks for your tutorials. I've installed it all and got it running and it does exactly what it shows in the tutorial, with your example file. I have a chunk of material I need to look into though, so high and low entropy is not an option for me, so I think I need to do a brute force instead of a chain. I know how to extract this chunk into a smaller file, but I'll still have to do a brute force of each sector (or hex KB of this sector or whatever it's called), until I cover the entirety of the free space that I suspect is involved here. Do I do this with dump.py instead of python.py, and if so how?
Forensic Software: Hikvision DVR data recovery
There is a 2015 paper, specific to that make.
https://link.springer.com/chapter/10.1007%2F978-3-319-25512-5_13
Maybe it contains something useful?
Check also this one, it seems like it explains the format in detail:
https://www.shs-conferences.org/articles/shsconf/pdf/2015/01/shsconf_icitce2014_02010.pdf
(though the actual frame headers are different)
Have you tried:
http://www.hxdvr.com/
AND check this related thread, where - besides some more info - some members offered their services:
https://www.forensicfocus.com/Forums/viewtopic/t=14950/
jaclaz
Employment and Career Issues: Digital Forensics US
Because people from Europe and the UK post the jobs on here and US people don't?
AboutDFIR has a jobs page that has some US jobs on it
Forensic Software: Hikvision DVR data recovery
Many others can also! Please be sure to get further quotes. There are rules about peddling for business on the forum. This was not a services-requested post.
General Discussion: Anyone got a bot to find deleted truecrypt container header?
Ah ok I misread the chain concept as something that differentiated suspiciously obscure space typical of truecrypt from typically boring text files with little entropy. That's why I put a test container I made through the same script, didn't get much of anything at all, and thought I needed a brute instead. But of course I hadn't changed chain=256 to chain=4 million, so that's why the headers didn't show up probably. By the way, what is the reason why chain=4000000 when the file is 2GB?
Mobile Phone Forensics: G920V Physical Extraction Question
Hello, I was hoping someone might be able to point me in the right direction. I don't have access to any of the professional tools, but am attempting to extract data (physical) from a locked SM-G920V (G920VVRU4CPH1). I attempted to root the device but believe the bootloader lock is preventing the completion. The device never gets past the Verizon screen when the ENG_Root is flashed via Odin. In that state, that is with the ENG flash, (though the USB Debugging setting is off) when the phone is turned off, I can get a root shell via regular old ADB. But it would appear the data is still protected/obfuscated by the bootloader. Having read about Advanced ADB, I know this device has a pre-Nov/'16 security patch. Would anyone be able to point me in the right direction of any other methods for physical extraction that may take advantage of the bootloader/pre-bootloader method? Options that are freeware or consumer grade would be preferred if possible. Thanks for any assistance and the great forum here.
General Discussion: Anyone got a bot to find deleted truecrypt container header?
loonaluna wrote:
Ah ok I misread the chain concept as something that differentiated suspiciously obscure space typical of truecrypt from typically boring text files with little entropy.
No, you are completely correct. That is exactly what it does. Hunt tries to locate headers based on the differences between high/low entropy.
loonaluna wrote:
That's why I put a test container I made through the same script, didn't get much of anything at all, and thought I needed a brute instead.
A couple of things that are probably causing this.
1) hunt will create a file called 'ent.pickle' once it's calculated the entropy for a file. That's because calculating the entropy takes quite a while, and if we might try a few passes at the same file it doesn't make sense to recalculate the entropy each time.
However, if you move from one file to another and you've stayed in the same folder it will reuse the ent.pickle but for the wrong file. So instead of calculating the entropy it simply says 'Loading source entropy from ent.pickle'. Not the most obvious warning message I admit. If you delete ent.pickle and try again see how it goes.
I personally like to keep each of the images I'm working on in different folders, that way the extracted headers, ent files, and the results logs don't get mixed up.
2) The script isn't designed to run against containers on their own but 'hunts' (hence the silly name) for containers inside disk images. I actually think it'll crash on a full container. It might see the entropy starting at sector 0 but by default, it tries to look 8 sectors either side of where it thinks a header will be and sectors -1, -2, -3 etc do not exist and when it tries to read them it would crash.
I'll make changes to the script to make this more obvious and update the guide when I've finished the write up for example 2.
For now, try the brute force method on what you've extracted but only let it run for a few minutes or so. If that doesn't get the header you are better off with the chain method.
loonaluna wrote:
But of course I hadn't changed chain=256 to chain=4 million, so that's why the headers didn't show up probably. By the way, what is the reason why chain=4000000 when the file is 2GB?
chain=256 is going to find basically any TrueCrypt header but has the most chance of getting confused with other random files on the disk. That is because 256 sectors is the size of the header, which is about 128 KB. It's likely you'll have other random files that are larger than that which hunt will then waste time on trying to decrypt.
chain=4000000 is looking for a minimum of 4000000 high-entropy sectors in a row before it'll start trying to decrypt things. 4000000 * 512 = 2048000000 bytes, which is around the 2 GB mark. You are less likely to have other files of that size that are as random as a TrueCrypt container so hopefully, hunt will find the result quicker this way.
Hence the ent.pickle file. If you manage to parse the full 2TB file you could try with a very big chain number and keep lowering it if you don't find anything. The ent.pickle file saves you from recalculating the entropy for each attempt, which saves a lot of time.
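An added illustration of the entropy-chain idea explained in the reply above (not the hunt script itself, whose code is not on this page): per-sector Shannon entropy is computed once, as hunt caches in ent.pickle, and a header candidate is reported only where at least `chain` consecutive 512-byte sectors are high-entropy, so chain=256 catches anything header-sized while a 2 GB chain ignores small random files. The image, the 7.0 bits/byte threshold and the SHA-256-generated stand-in for encrypted bytes are all constructed here.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512  # hunt's chain counts are in 512-byte sectors (4000000 * 512 ~= 2 GB)

def sector_entropy(buf: bytes) -> float:
    """Shannon entropy of one sector in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def entropy_map(image: bytes) -> list:
    """Per-sector entropy for a whole image; the data hunt caches in ent.pickle."""
    return [sector_entropy(image[i:i + SECTOR]) for i in range(0, len(image), SECTOR)]

def find_chains(ent: list, chain: int, threshold: float = 7.0) -> list:
    """(start_sector, length) of every run of at least `chain` high-entropy sectors."""
    runs, start = [], None
    for idx, e in enumerate(ent + [0.0]):   # sentinel flushes a run ending at EOF
        if e >= threshold:
            if start is None:
                start = idx
        elif start is not None:
            if idx - start >= chain:
                runs.append((start, idx - start))
            start = None
    return runs

def chain_for_size(nbytes: int) -> int:
    """Chain value that insists on a container of at least nbytes (cf. chain=4000000 for 2 GB)."""
    return -(-nbytes // SECTOR)

def pseudo_random_block(n_sectors: int, seed: bytes = b"constructed seed") -> bytes:
    """Deterministic high-entropy filler standing in for encrypted container bytes (constructed)."""
    out, state = bytearray(), seed
    while len(out) < n_sectors * SECTOR:
        state = hashlib.sha256(state).digest()
        out += state
    return bytes(out[:n_sectors * SECTOR])

def build_sample_image() -> bytes:
    """Constructed image: 64 low-entropy text sectors, 300 'encrypted' sectors, 64 more text."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 12)[:SECTOR]
    return text * 64 + pseudo_random_block(300) + text * 64

if __name__ == "__main__":
    ent = entropy_map(build_sample_image())
    print("chain=256 candidates:", find_chains(ent, 256))   # [(64, 300)]
    print("chain for 2 GB:", chain_for_size(2 * 1024 ** 3))  # 4194304
```

Because the run starts at a known sector, a header check would read from there; clamping the "8 sectors either side" window to the image bounds avoids the crash on a bare container that the reply mentions.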
General Discussion: PhotoDNA Database Search
Okay then I'll ask you. The photo in his hand is an obscene photograph. However, it is not clear whether it belongs to a child or not. How can I find out if this photo is included in the international child pornography database?
Forensic Software: Hikvision DVR data recovery
Just a very quick summary regarding posts which may be viewed as promotional or commercial:
1. New topics created for the purpose of advertising a product, service etc. are strictly prohibited.
2. Replies to posts which make reference to a product/service which is clearly relevant to the topic under discussion are acceptable, within reason.
By "within reason" I mean that we want to balance the free flow information in the forums so that everyone can benefit from knowing about potential solutions with the need to make sure that the forums don't become a commercial free-for-all. In practice, if you sell something which you're confident can solve someone's problem then feel free to mention it but be very sure that the majority of your posts are non-commercial. If your forum usage is predominantly self-serving then that would likely be seen as going against the spirit of this site's terms of use.
This is undoubtedly something of a grey area in terms of moderation - there are personal judgments to be made which others may not agree with - but I hope the above helps to clarify things.
Jamie
General Discussion: Video File Enhancement
Hello,
Please PM me if you have the ability and experience to handle video file enhancement for a civil matter in the United States.
Mobile Phone Forensics: Blackberry 9720 physical extraction
dandaman_24 wrote:
Chip off will obtain you a physical dump of the handset.
Does this solution work with a BlackBerry protected with a 4-digit PIN? If I do the chip-off, can I read the data, or is it encrypted?
General Discussion: 5G Operators & LE collaboration
Hmmm, this opens a lot of questions.
Wouldn't that effectively make a PTO out of a full time PTO? (thus reducing the PTO of the involved PTO, excluding that PTO can be used)
Who would support the PTO for assisting the PTO, or should a PTO be established to award to a third party through a PTO ?
Should a PTO be established to coordinate the various PTO's re:ISO17025?
jaclaz
Here, place where you see fit
uoıʇɐzıuɐƃɹo ʇsǝʇ ƃuıʇɐdıɔıʇɹɐd oʇd
uoıʇɐzıuɐƃɹo ʇsǝʇ ʎɹɐɯıɹd oʇd
ɹǝɟɟo ɹǝpuǝʇ ɔılqnd oʇd
ǝɔıɟɟo ʇsnɹʇ ɔılqnd oʇd
ɹǝɔıɟɟo ƃuıuıɐɹʇ ǝɔılod oʇd
ɹoʇɐɹǝdo suoıʇɐɔıunɯɯoɔǝlǝʇ ɔılqnd oʇd
ɟɟo ǝɯıʇ pıɐd oʇd
ɹǝɔıɟɟo lɐɔıuɥɔǝʇ lɐuoıssǝɟoɹd oʇd
ǝlqɐɹǝdo ǝɯıʇ ʇuǝɔɹǝd oʇd
ɹǝɔıɟɟo ƃuıuıɐɹʇ puɐ ƃuıɯɯɐɹƃoɹd oʇd
ɹǝɔıɟɟo ǝɯıʇ-ʇɹɐd oʇd
Mobile Phone Forensics: Lightning Authentication Chip spy
UnallocatedClusters wrote:
Thank you for the work you all (Jaclaz / Althulin / Rolf Guttman / et al) perform protecting us citizens. I sincerely mean that.
Well, speaking for myself, all I ever protected[1] (or at least tried to protect) were clarity and "common sense" (the latter being peculiarly uncommon), essentially by being grumpy and picky.
Now, as an example, comparing the contents of this post by RolfGutmann:
https://www.forensicfocus.com/Forums/viewtopic/p=6587435/#6587435
RolfGutmann wrote:
...
If we disconnect the device leaving just the cable connected to the PC the LPS sends an AES-128 string out to an IPv4 geolookuped residing in P.R.C. The delay time is between 1:58 sec and 2:03 minutes but seems to be initiated from outside.
...
with the recent post by CoraDias:
https://www.forensicfocus.com/Forums/viewtopic/p=6593016/#6593016
CoraDias wrote:
Hi... I am a new user here. As per my knowledge, if we disconnect the device leaving just the cable connected to the PC the LPS sends an AES-128 string out to an IPv4 geolookuped residing in P.R.C. The delay time is between 1:58 sec and 2:03 minutes but seems to be initiated from outside.
I can see a pattern.
Plagiarism?
A bot testing the board?
Something else?
jaclaz
[1] but it would be interesting to know where/how you got the idea that I was ever involved in protecting citizens