I have some data from Snapchat for a user's account. Included are several files that are encrypted; I believe they were encrypted using the 'For My Eyes Only' feature of Snapchat.
Does anyone know if they can be decrypted?
Mobile Phone Forensics: SnapChat For My Eyes Only Encryption
Mobile Phone Forensics: Blackberry 9720 physical extraction
qassam22222 wrote:
Does this solution work with a BlackBerry protected with a 4-digit PIN? If I do the chip-off, can I read the data, or is it encrypted?
Yes, with a 4-digit PIN. If the data is encrypted, the data is encrypted: you need to decrypt it to read it.
Your original post mentioned the device had no security and no encryption.
General Discussion: PhotoDNA Database Search
If you are in the United States you can contact the National Center for Missing and Exploited Children Foundation. They may be able to help. When I worked with the North Carolina Internet Crimes Against Children Task Force a few years ago they were the ones that had that capability.
http://www.missingkids.com/home
Hope this helps!
Forensic Software: CDR Analysis software
Another "free to law enforcement" piece of software.
I'll never get the idea of free to LE.
the_Grinch wrote:
I've actually written a Python script to go through CDR records (at least from one provider, though modifying it for every provider should be simple). In my case I was asked to find unique phone numbers, but was thinking of doing further work to provide more information (mapping, etc). Was thinking of open sourcing it or at least providing it for free to law enforcement.
Mobile Phone Forensics: Blackberry 9720 physical extraction
If you know the user blackberry ID and the password, you can decrypt the physical dump.
General Discussion: Video File Enhancement
Could you go into detail about the job?
* What is the nature of the data? (Theft, accident etc)
* How long is the material?
* What format is it? (MP4, AVCHD, AVI etc)
* What is the job? Zoom in? Clean it up? Increase brightness?
* When is the result expected?
* Is there monetary compensation or is there a reason to do it pro bono?
The reason for the first point is that I prefer not to watch some things...
Webinars: How The Onset Of Security Apps Is Impacting Investigations
Please use this topic for discussion of the webinar
How The Onset Of Security Apps Is Impacting Investigations
Presenter: Jessica Hyde, Director of Forensics, Magnet Forensics
General Discussion: PowerShell AnalysisCacheEntry
Hi,
I found in a timeline that there were several entries in
c/Users/<user>/AppData/Local/Microsoft/Windows/PowerShell/CommandAnalysis/PowerShell_AnalysisCacheEntry_*
Googled around for PowerShell_AnalysisCacheEntry but couldn't find anything meaningful. What does the AnalysisCacheEntry mean? Is that a cache for a PowerShell script run, or a cache for libraries, which are needed by a PowerShell script?
Thanks.
General Discussion: PhotoDNA Database Search
mcman wrote:
gehlen wrote:
I have a photo and a PhotoDNA hash from this photo. How can I learn whether this photo is in the PhotoDNA database? Thanks in advance
There is no PhotoDNA database. PhotoDNA is a hash algorithm like MD5 or SHA1, except it's a fuzzy hash that will match on similar photos. Many hash databases make use of and store PhotoDNA hashes, but PhotoDNA doesn't have its own database.
Jamie
Well, yes and no.
The database exists with PhotoDNA records for IIOC, there are actually two (three) of them, one is called Child Exploitation Tracking System (CETS), curiously initiated in Canada:
https://en.wikipedia.org/wiki/Child_Exploitation_Tracking_System
and the other one is Project Vic (managed by the ICMEC):
https://en.wikipedia.org/wiki/International_Centre_for_Missing_%26_Exploited_Children#Project_Vic
and a third one managed directly by Microsoft via Microsoft Azure:
https://www.microsoft.com/en-us/photodna
The latter is reserved for operators like online services:
Quote:
Who can get PhotoDNA Cloud Service, and how?
Intended users are trusted online service providers and businesses hosting user-generated content. This service is not intended for use by law enforcement at this time. Service applicants will submit an online form and subscriptions are approved on a case-by-case basis. This evaluation process is performed by a third party and involves careful consideration of organization-specific attributes and other relevant qualifications.
CETS is AFAIK only accessible through a national police agreement; I cannot say if Turkey has such an agreement, so, as talon0769 suggested, contacting the NCMEC or the ICMEC:
https://www.icmec.org/
is likely the best choice.
jaclaz
General Discussion: Howto group bitmaps from Remote Desktop Protocol CacheXXXX?
Hi,
I was able to get 6k bitmaps from Cache0000.bin. Well this is nice, but can I somehow automatically group them? Otherwise it is a pain to reconstruct them.
Bitmaps were extracted by "RDP Bitmap Cache parser" from github.
Thanks
Mobile Phone Forensics: how to mount encrypted userdata.img ( i have the password )
good luck to you
Mobile Phone Forensics: bootloader data acquisition !!
Did you get the result? Are they really pros?
Mobile Phone Forensics: Extracting Samsung Galaxy S8 SM-G950F (Cellebrite UFED4PC)
Hello,
I have been extracting a Samsung Galaxy S8 (SM-G950F) with our UFED4PC.
Physical extraction was not working, Physical extraction with Samsung Generic was not working.
I did a logical extraction and a file system extraction. I got all the data out of it except the app data.
In my case, especially the WhatsApp and the Facebook Messenger data is very important.
What more can I do to extract the app data (WhatsApp/Facebook Messenger) from the smartphone?
Best regards,
Dimi
Mobile Phone Forensics: Graykey
I watched their live webinar 2 days ago. Lots of info on the product and a live demo. They will have another webinar next week. Register on their website. For now it is available for US and Canada law enforcement only.
They are constantly researching new ways to get into iOS, so if Apple closes one method they will have another way to get into the device.
The device will get the iPhone/iPad's passcode, get decrypted keychain, get a full file system image, "fix" (too many passcode attempt) disabled device, and other features I cannot remember. The most interesting feature I learned was it gets emails.
The device works on iPhone 5 to X and all iPads. iOS 9.2 to latest 11.#.
We plan to purchase one; the backlog of iPhones we have alone makes it worth it. We sent almost 10 iPhones to Cellebrite in the last year.
Forensic Software: USB Imaging Software
I use Sumuri Paladin. You can purchase their USB stick or make your own for free by following their blog post.
General Discussion: PowerShell AnalysisCacheEntry
If I look at it with strings (Linux), I can see what seem to be some function calls. E.g.
Quote:
Add-ADCentralAccessPolicyMember
Add-ADComputerServiceAccount
/Add-ADDomainControllerPasswordReplicationPolicy
&Add-ADFineGrainedPasswordPolicySubject
Add-ADGroupMember
Add-ADPrincipalGroupMembership
Add-ADResourcePropertyListMember
Clear-ADAccountExpiration
Clear-ADClaimTransformLink
Disable-ADAccount !
Disable-ADOptionalFeature $
Enable-ADAccount '
Enable-ADOptionalFeature *
Get-ADAccountAuthorizationGroup -
/Get-ADAccountResultantPasswordReplicationPolicy 0
Get-ADAuthenticationPolicy 3
Get-ADAuthenticationPolicySilo 6
Get-ADCentralAccessPolicy 9
Get-ADCentralAccessRule <
Get-ADClaimTransformPolicy ?
Get-ADClaimType B
Get-ADComputer E
Get-ADComputerServiceAccount H
My question: what creates these entries? Is it a PowerShell script, or libs loaded?
Mobile Phone Forensics: how to mount encrypted userdata.img ( i have the password )
Bolo wrote:
Best way & solution: buy a new screen and install it on your phone; then, if you have the PIN, you can perform a logical/FS extraction once you unlock it with the PIN.
Yes, I know that solution, bro... but I can't buy a screen for each broken phone... that's why I need a tool or solution to do it via a hardware product or software.
General Discussion: Anyone got a bot to find deleted truecrypt container header?
4144414D wrote:
2) The script isn't designed to run against containers on their own but 'hunts' (hence the silly name) for containers inside disk images. I actually think it'll crash on a full container. It might see the entropy starting at sector 0 but by default, it tries to look 8 sectors either side of where it thinks a header will be and sectors -1, -2, -3 etc do not exist and when it tries to read them it would crash.
When it does brute force, it doesn't look for sectors -1, -2, -3, only when it's chain?
Btw, how did you create such a small 30 MB image (on Windows, hopefully)? I only know how to put a container into something like a flash drive, but that's 7 GB in size.
4144414D wrote:
For now, try the brute force method on what you've extracted, but only let it run a few minutes or so. If that doesn't get the header, you are better off with the chain method.
Why only a few minutes?
Is there any way to run multiple instances of this program, to make the search faster? Like, install various pythons and put pytruecrypt on each one xD, or is there only one cmd per OS?
4144414D wrote:
chain=256 is going to find basically any TrueCrypt header but has the most chance of getting confused with other random files on the disk. That is because 256 sectors is the size of the header, which is about 128 KB. It's likely you'll have other random files that are larger than that, which hunt will then waste time on trying to decrypt.
chain=4000000 is looking for a minimum of 4000000 high-entropy sectors in a row before it'll start trying to decrypt things. 4000000 * 512 = 2048000000 bytes, which is around the 2 GB mark. You are less likely to have other files of that size that are as random as a TrueCrypt container, so hopefully hunt will find the result quicker this way.
Hence the ent.pickle file. If you manage to parse the full 2TB file you could try with a very big chain number and keep lowering it if you don't find anything. The ent.pickle file saves you from recalculating the entropy for each attempt, which saves a lot of time.
I put a test container inside a FAT32 flash drive and made a raw image of the flash drive, but only because WinHex allows me to do that with what it understands is a drive. It ran through at a rate of about 5 GB per day with the brute method and found the container's header. But the chain method just wouldn't work no matter what size. With the chain method, first I got a memory error, and the following times I tried, iirc varying the size of chain=x, I went on to get EOFErrors. The size of the pickle file was about 400 MB, so maybe that had something to do with it? And the container was sitting in one of the sectors near the beginning of the flash drive.
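The chain method discussed in this thread, as an added Python example that is not part of the thread or of pytruecrypt itself: it computes per-sector entropy once (the idea behind the ent.pickle cache), finds runs of at least `chain` consecutive high-entropy sectors, and clamps the header probe window to the image so that sectors -1, -2, -3 are never read. The sample image, the 7.0-bit threshold, the 8-sector window and the seed are constructed assumptions, not values from the tool.

```python
import math
import random

SECTOR = 512

def sector_entropy(buf):
    """Shannon entropy of one sector in bits per byte: 0.0 for all-zero, ~7.6 for random data."""
    n = len(buf)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_map(image):
    """Per-sector entropy, computed once so repeated chain= runs can reuse it (ent.pickle idea)."""
    return [sector_entropy(image[i:i + SECTOR]) for i in range(0, len(image), SECTOR)]

def chain_candidates(ent, chain, threshold=7.0, window=8):
    """Find runs of at least `chain` consecutive high-entropy sectors.
    Returns (run_start, run_length, (probe_lo, probe_hi)); the probe interval around
    the run start is clamped to the image so sectors -1, -2, -3 are never read."""
    found, i, n = [], 0, len(ent)
    while i < n:
        if ent[i] < threshold:
            i += 1
            continue
        j = i
        while j < n and ent[j] >= threshold:
            j += 1
        if j - i >= chain:
            found.append((i, j - i, (max(0, i - window), min(n - 1, i + window))))
        i = j
    return found

def build_test_image(zeros_before=100, text=20, random_sectors=300, zeros_after=50):
    """Constructed sample image (hypothetical, not a real dump): zeroed space, ASCII text,
    then a seeded-random region standing in for an encrypted container, then zeros."""
    rng = random.Random(7)
    text_sector = (b"The quick brown fox jumps over the lazy dog. " * 12)[:SECTOR]
    return (bytes(SECTOR * zeros_before) + text_sector * text
            + bytes(rng.getrandbits(8) for _ in range(SECTOR * random_sectors))
            + bytes(SECTOR * zeros_after))

if __name__ == "__main__":
    ent = entropy_map(build_test_image())
    print(chain_candidates(ent, chain=256))   # one run starting at sector 120
    print(chain_candidates(ent, chain=4000))  # [] : no run that long, like chain=4000000 on a small drive
```

Lowering `chain` step by step against the same cached entropy list reproduces the "start big, then lower it" approach from the thread without re-reading the image.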
General Discussion: Is my winhex gather free space doing what it's supposed to?
jaclaz wrote:
If this is the case, the actual header (if survived) may well be 1 or 2 GB off the beginning of the unallocated large chunk.
In the case of the 74 GB chunk where you remember a 75 GB container, it could be that some data was re-written/re-allocated, in which case it may depend on whether the re-written area is at the beginning (and thus the bootsector has been overwritten) or at the end of the chunk.
In any case the sizes of the "chunks" you found and of the containers you remember are similar enough to allow excluding large parts of the disk.
I couldn't help but notice, when looking at a flash drive I was messing around with this week, that even though the sectors that were currently occupied were in the middle of the drive, Defraggler showed the first sectors of the drive as the ones that were occupied. WinHex was contradictory: in the bottom half of the screen that shows the blocks, it showed this file beginning at about cluster number 90000, while the file reconstruction area of WinHex claimed its first sector was around 750000 or so. A brute hunt with pytruecrypt confirmed that it was indeed sitting at sector 750000, as that's where the header turned out to be. Does this mean that the information shown below in WinHex, which shows only blocks but doesn't reconstruct files or file systems, isn't reliable, and that a lot of file re-allocation goes on, even in HDDs, that makes file recovery extremely difficult? If this is happening, does a write of a new file draw randomly from all parts of the drive, or does it stick to its own succession of blocks? Or maybe FAT32 on a flash drive behaves differently than NTFS on an HDD? Still, I'm wondering if this would explain why WinHex was interpreting as free space space that wasn't actually free, or if it takes credibility away from the supposed two big blocks of space that are currently supposed to be sitting on the HDD.
Forensic Software: Hikvision DVR data recovery
Hi Jamie and thanks for your remark!