Channel: Forensic Focus Forums - Recent Topics
Viewing all 20119 articles

Mobile Phone Forensics: Graykey

I watched the webinar too. Yup, it worked as described/advertised and I would love to get one too... but my fear is with the cost. Once Apple changes hardware/software and 'breaks' this $15k tool, how long before they make it work again, or will it require a new purchase... of another cool gadget? I know this is the game we're in, but I am in a small agency; my annual budget isn't even the cost of this one tool. Please, once you get it, keep us posted here on your success with it, especially when the next iPhone drops or a software update occurs.

Mobile Phone Forensics: how to mount encrypted userdata.img ( i have the password )

Not sure about activation, but did you try MHL (Mobile High-Definition Link) to mirror the missing screen 1:1? (Not all manufacturers support MHL.)

Mobile Phone Forensics: Extracting Samsung Galaxy S8 SM-G950F (Cellebrite UFED4PC)

No luck with physical using the bootloader, I'm assuming (locked bootloader; I'm not sure what happens if you turn that off... does it wipe the phone? Never done it), but what about turning on developer mode and going the ADB route for a physical?

General Discussion: Is my winhex gather free space doing what it's supposed to?

loonaluna wrote: I couldn't help but notice, when looking at a flash drive I was messing around with this week, that even though the sectors that were currently occupied were in the middle of the drive, Defraggler showed the first sectors of the drive as the ones that were occupied. WinHex was contradictory: in the bottom half of the screen that shows the blocks, it showed this file beginning at about cluster number 90000, while the file reconstruction area of WinHex claimed its first sector was around 750000 or so. A brute hunt with pytruecrypt confirmed that it was indeed sitting at sector 750000, as that's where the header turned out to be. Does this mean that the information shown below in WinHex, that shows only blocks but doesn't reconstruct files or file systems, isn't reliable and that a lot of file re-allocation goes on, even in HDDs, that makes file recovery extremely difficult? If this is happening, does a write of a new file draw randomly from all parts of the drive, or does it stick to its own succession of blocks? Or maybe FAT32 of a flash drive behaves differently than NTFS of an HDD? Still, I'm wondering if this would explain why WinHex was interpreting as free space space that wasn't actually free space, or if it takes credibility away from the supposed two big blocks of space that are currently supposed to be sitting on the HDD.

Well, no idea, I cannot understand more than half of what you are reporting. You seem to have a not fully formed idea of the concepts around unallocated (what you call free) space. Each and every sector on a mass storage device can be allocated when a given set of indexing is parsed and at the same time be unallocated when another given set of indexing (file system reconstruction) is parsed.

jaclaz

General Discussion: Anyone got a bot to find deleted truecrypt container header?

loonaluna wrote: When it does brute force it doesn't look for sectors -1, -2, -3, only when it's chain?

Brute force never does; the chain method looks around places where it thinks a header might be. If it thinks that this is right near the start or the end of an image, it might try to read sectors that do not exist. It's a bug I should probably fix. It's line 149: search_size = 8, e.g. check 8 sectors before and after where we think a header might be.

loonaluna wrote: Btw, how did you create such a small 30mb image (on Windows hopefully)? I only know how to put a container into something like a flash drive, but that's 7gb size.

They are actually TrueCrypt containers themselves. I made a 30mb container, formatted it so that it was zeroed out, then put the 10mb containers in them.

loonaluna wrote: Why only a few minutes?

If you get lucky and the header is right near the start, it will only take a few minutes. Otherwise, as you've seen, it's super slow.

loonaluna wrote: Is there any way to run multiple instances of this program, to make the search faster? Like, install various Pythons and put pytruecrypt on each one xD, or is there only one cmd per OS?

You could do this, but it would need changing some code, or run multiple instances against different parts of an image. I could make the code multi-threaded, which will use more cores... but multiprocessing is a right faff. I'll do it one day, but I don't have the time right now.

loonaluna wrote: But the chain method just wouldn't work no matter what size.

Well, that's rubbish. Could you create an entropy listing like jaclaz suggested? Maybe with https://github.com/dupgit/entropie setting the size to 512? Or send me the ent.pickle file to look at. I can take a look at the peaks and see if I can work out why the chain method is making the wrong choice.
(If you can send me the full 7GB image file I could check that too, if you like, and see what's going on.)

loonaluna wrote: With the chain method, first I got a memory error and the following times I tried, iirc varying the size of the chain=x, I went on to get EOFErrors. The size of the pickle file was about 400mb, so maybe that had something to do with it? But the chain method just wouldn't work no matter what size.

Yeah, I was worried this might happen. hunt currently tries to keep all the entropy information in RAM at the same time. It's not really needed and is just lazy programming on my part. I will work on an update that deals with this better.
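The reply above describes three mechanics of a header hunt: an entropy listing at a 512-byte block size, a neighbourhood of search_size sectors either side of a guessed header position that must not run off the start or end of the image, and an entropy table that should not be held in RAM all at once. The following is an added example written for this digest; it is not pytruecrypt's code and does not reproduce its chain method. The function names, the 6.5 bits/byte threshold and the 64-sector image are assumptions constructed here to make the behaviour visible on synthetic data.

```python
"""Added example (not pytruecrypt): streaming per-sector entropy, a clamped
neighbourhood search around a guessed header sector, and a constructed image
to exercise both. Names, threshold and sample data are assumptions."""
import io
import math
from collections import Counter

SECTOR = 512       # block size the post suggests for the entropy listing
SEARCH_SIZE = 8    # sectors examined either side of a guessed header position


def sector_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for an all-zero sector, 8.0 when
    every byte value occurs equally often (what an encrypted header looks like)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def iter_sector_entropy(stream, sector_size=SECTOR):
    """Yield (sector_index, entropy) one sector at a time, so a multi-GB image
    never needs its whole entropy table in memory (the 400mb pickle problem)."""
    idx = 0
    while True:
        block = stream.read(sector_size)
        if not block:
            return
        yield idx, sector_entropy(block)
        idx += 1


def neighbourhood(center, total_sectors, search_size=SEARCH_SIZE):
    """[center - search_size, center + search_size] clamped to the image, so a
    guess near the start never asks for sector -1 and a guess near the end
    never reads past EOF."""
    lo = max(0, center - search_size)
    hi = min(total_sectors - 1, center + search_size)
    return range(lo, hi + 1)


def read_sector(stream, idx, sector_size=SECTOR):
    stream.seek(idx * sector_size)
    return stream.read(sector_size)


def guess_header_sectors(stream, sector_size=SECTOR, threshold=6.5):
    """Coarse pass: each low-to-high entropy transition is a place where a
    512-byte header could start. The threshold is an assumption for this
    synthetic image; real media needs tuning against an entropy listing."""
    guesses, prev_high = [], False
    for idx, h in iter_sector_entropy(stream, sector_size):
        high = h >= threshold
        if high and not prev_high:
            guesses.append(idx)
        prev_high = high
    return guesses


def refine_guess(stream, guess, total_sectors, sector_size=SECTOR,
                 search_size=SEARCH_SIZE):
    """Fine pass: within the clamped neighbourhood return (sector, entropy) of
    the highest-entropy sector; ties go to the earliest sector."""
    best_idx, best_h = None, -1.0
    for idx in neighbourhood(guess, total_sectors, search_size):
        h = sector_entropy(read_sector(stream, idx, sector_size))
        if h > best_h:
            best_idx, best_h = idx, h
    return best_idx, best_h


def build_test_image():
    """Constructed 64-sector image, not a real capture: a 'header' sector with
    exactly 8.0 bits/byte at sector 40, ten 7.0 bits/byte 'body' sectors after
    it, and zeros everywhere else."""
    header = bytes(range(256)) * 2    # every byte value twice -> 8.0 bits/byte
    body = bytes(range(128)) * 4      # 128 values, four times each -> 7.0
    sectors = [bytes(SECTOR)] * 64
    sectors[40] = header
    for i in range(41, 51):
        sectors[i] = body
    return b"".join(sectors)


def hunt(image_bytes):
    """Coarse guesses first (one streaming pass), then a bounded refinement
    around each guess; returns a list of (sector, entropy)."""
    stream = io.BytesIO(image_bytes)
    total = len(image_bytes) // SECTOR
    guesses = guess_header_sectors(stream)
    return [refine_guess(stream, g, total) for g in guesses]


if __name__ == "__main__":
    img = build_test_image()
    print(hunt(img))                        # [(40, 8.0)]
    print(list(neighbourhood(2, 64)))       # starts at 0, never -6
    print(list(neighbourhood(62, 64)))      # ends at 63, never 70
```

The streaming pass only ever holds one sector's entropy, and the refinement re-reads sectors by seeking rather than consulting a saved table, which is the cheap way around the memory error the post mentions; the clamp in neighbourhood() is the one-line fix for the sector -1 / past-EOF reads described at the top of the reply.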

General Discussion: DisasterCom 15Mbps SatUp

Iridium. Battery pack. Solar panels. EDIT: It's slow, so it's only good as the backup solution.

Mobile Phone Forensics: Lightning Authentication Chip spy

UnallocatedClusters wrote: I assume multiple members of the forum are in LE or the military and thus de facto are risking their lives and well-being for the benefit of citizens of their respective countries for far too little pay. I also assume, based upon 100% pure speculation on my part, that some members of the forum are participating here under noms de plume to protect their own identities and perhaps actual lives. So research on identifying spying and theft such as Mr. Guttman is performing seems to benefit normal citizens.

Well, in my personal case, you are assuming too much, JFYI:
http://www.forensicfocus.com/Forums/viewtopic/t=10993/
http://www.forensicfocus.com/c/aid=65/interviews/2013/jacopo-forum-member-jaclaz/

As a side note (and again, not being in any way connected to LE or the military), I personally doubt (with all due respect, of course) that a large part of LE involved in digital forensics are actually literally risking their lives (as an ordinary policeman on patrol or a trooper in wartime happens to do). About the well-being, it is different; I think that each and every good LE or similar dealing with IIOC or with homicides, violent crimes and similar pays a serious toll, and we all should be thankful to them for this.

jaclaz

General Discussion: Sandvine/Procera middleboxes

BAD TRAFFIC: Sandvine's PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?
https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/

jaclaz

Mobile Phone Forensics: UFED PA Script

Hi, have you guys figured out a way to include the "watch list search results" in the report? Or any way to tag or select the files associated with those results? Thanks, Mark

General Discussion: DisasterCom 15Mbps SatUp

Thank you, good approach. I can only design for 30W of electrical power and have to calculate the sat link budget for Eutelsat 7°E. The main link has to run 24h, then a breakdown, and the failover has to work without interruption. The backup should run for 96h, which is quite difficult at night, also 15Mbps with a 1,5m dish. To make the exercise more difficult, the hemispheric reflection deducts 8,5dBm (difference, not absolute RF signal).

A question remains: is it helpful to move the sat unit to a higher elevation and install a directional link for broadcast up to 15km (no technical limitations, free in design, but it adds electrical power consumption)? Solar is out; I would have to use a fuel cell instead. The sat unit gets wind during failover and is not fixed/underpinned, to avoid destruction of the dish. Not sure how to calculate the wind into the angle adjustment for the dish pointing. What impact does the sub-exercise of encrypting the link with a 512-bit key have? Who has experience with disaster sat uplinks?

General Discussion: Password-Protected Windows 10

What are the usual ones? Maybe I'm missing something.

Mobile Phone Forensics: bootloader data acquisition !!

TinyBrain wrote: Did you get the result? Are they really pros?

We're still working on it...

General Discussion: overwritten data

Bit of Sunday morning curiosity here. I can't find any work (having looked / could be that it's not worth it etc. etc.) relating to how long it takes data to become overwritten (non-recoverable) on a typical system following typical usage. Whilst I know both are typically undefinable and moving targets, I wonder if it is actually work which is of value to our community, maybe to support triage, or to give an indication of what might not still be in existence to reduce search times? I suppose, in a nutshell: how long does a cleared browser cache (as an example) remain recoverable from UA for? I know media size, activity, capacity, file system, OS etc. will all play massive factors in this, but is it worth an exploration? I am trying to determine relevance and justification for undertaking a few experiments in this area...

General Discussion: DisasterCom 15Mbps SatUp

A regular WiFi network with a directional antenna is a good alternative; 802.11a and 802.11b have higher ranges than the later broad-spectrum variants (but they are also slower). Diesel electric generators are one option, battery banks are another. One option: if you do not need realtime data transfer, a terabyte hard drive in a rucksack and a mountain bike can beat the transfer rate of even a prioritised gigabit line... 15 km on an MTB takes about 1 hour for an average person. Always think practical.

General Discussion: Password-Protected Windows 10

I remember a bootable Linux CD with which I could modify the password at will, even clear it. Forgotten the name of it; it worked from XP to Windows 7, never tried it with Win 8 or 10, but I guess it would work.

General Discussion: Need help with a paraben .ds file

Hello everyone, I think it's been like ages since I last posted on this forum... so... hello again, everyone old and new forensicators. I'm here begging you for help because, let's be honest, with this thing I'm in big s***t. I've received what the counterpart called a "forensic acquisition" (don't have me comment on this) of an iOS device, which was made with Paraben Device Seizure (and don't have me comment on this either). The problem is that I've received a "blob of data" inside a file that is a .ds file and the proprietary reader application. Problem: the reader application doesn't give me a level of access to the data low enough for me to work on the evidence in the way I want, and it doesn't parse the data I'm looking for. So, basically, it's useless. I was wondering if anyone knows: inside this .ds file, is there the actual iPhone backup? According to the size it's 15GB, so I really HOPE so... and if yes (please be a yes), is there a way to extract the raw backup so that I can parse it with my own favorite toolchain? Thanks in advance for your kind help and reply.

General Discussion: Password-Protected Windows 10

MDCR wrote: I remember a bootable Linux CD with which I could modify the password at will, even clear it. Forgotten the name of it; it worked from XP to Windows 7, never tried it with Win 8 or 10, but I guess it would work.

Yep :), and that again is resetting the password, not bypassing it and not cracking it. A number of recovery/forensic oriented distros may include the Offline NT Password and Registry Editor: http://pogostick.net/~pnh/ntpasswd/ or chntpw: https://en.wikipedia.org/wiki/Chntpw which is included (for example) in Kali and SystemRescueCD: https://en.wikipedia.org/wiki/Chntpw#Where_it_is_used and that you can also get for most "standard" distros: https://pkgs.org/download/chntpw

jaclaz

Mobile Phone Forensics: bootloader data acquisition !!

We didn't start working on it yet at all. It took some time to have the clearance for this task and getting the binary dump. We'll keep this post updated as soon as anything worthy happens.

Mobile Phone Forensics: Extracting Samsung Galaxy S8 SM-G950F (Cellebrite UFED4PC)

ADB in developer mode was no success.

General Discussion: overwritten data

Don't forget that the less free space is available, the higher the probability that something will be overwritten by a temporary file or a user-generated document.