Channel: Forensic Focus Forums - Recent Topics
Viewing all 20121 articles

General Discussion: Timelines in P2P Cases

New blog post on Timelines in P2P Cases. If you deal with this kind of 4n6 data, make sure you are using the right date/time information. Hope it's helpful. http://troy4n6.blogspot.com/2018/03/timeline-in-p2p-forensic-cases.html

General Discussion: ediscovery

Dear all, I need to analyze a lot of Word and PDF files, and somewhere there are XLS files too. I need to extract metadata. I need to know of an open-source software, or also a commercial software. Best regards

Mobile Phone Forensics: whatsapp on iOS: message receipt timestamp

Hello everyone, does anyone know if (and where) WhatsApp on iOS stores information about WHEN a message is successfully delivered to the destination recipient? It's crucial for an investigation I'm working on. Looking at the database chatstorage.db, I've noticed that there is a column named "ZRECEIPTINFO". It's a BLOB though, and I have no clue how to decode that blob. Any help is really appreciated. Thanks in advance.

EDIT: OK, at least I've figured out that the content of the ZRECEIPTINFO blob is a binary plist, so it's easy to decode. In the decoded value there are two timestamps; I "think" one is related to when the message was SENT, while the other one to when the message was DELIVERED, but I'd love some confirmation because I can't just assume. Maybe anyone knows? Else I'll have to do some tests in the lab.
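The decoding step the EDIT above describes, as an added example that is not part of the original post and not WhatsApp's own code: it loads a ZRECEIPTINFO blob with plistlib, walks the decoded structure and reports every timestamp it finds as UTC, handling both plist date values and bare reals in the Core Data form (seconds since 2001-01-01 UTC). The ZWAMESSAGE table and Z_PK column names, the in-memory database and the key names inside the sample blob are assumptions constructed for the demo. The example deliberately does not label either timestamp as "sent" or "delivered", since that is exactly what the poster still has to verify in the lab.

```python
"""Decode the binary plist inside WhatsApp-for-iOS ZRECEIPTINFO blobs and list
every timestamp it contains as UTC.

Added example, not from the original post or from WhatsApp. Assumptions: the
column lives in a ZWAMESSAGE table keyed by Z_PK (Core Data naming, assumed);
the sample blob and its key names are constructed here; which timestamp means
"sent" and which "delivered" is NOT asserted by this code.
"""
import datetime as dt
import plistlib
import sqlite3

UTC = dt.timezone.utc
COCOA_EPOCH = dt.datetime(2001, 1, 1, tzinfo=UTC)  # NSDate / Core Data reference date


def to_cocoa(when):
    """Seconds since 2001-01-01 UTC, the raw form Core Data writes for an NSDate."""
    return (when - COCOA_EPOCH).total_seconds()


def from_cocoa(seconds):
    """Inverse of to_cocoa(): Cocoa seconds -> aware UTC datetime."""
    return COCOA_EPOCH + dt.timedelta(seconds=seconds)


# Plausibility window for treating a bare number as a Cocoa timestamp.
_COCOA_MIN = to_cocoa(dt.datetime(2009, 1, 1, tzinfo=UTC))
_COCOA_MAX = to_cocoa(dt.datetime(2030, 1, 1, tzinfo=UTC))


def _leaves(obj, path=""):
    """Walk nested dict/list plist content, yielding (dotted path, leaf value)."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _leaves(value, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, (list, tuple)):
        for idx, value in enumerate(obj):
            yield from _leaves(value, f"{path}[{idx}]")
    else:
        yield path, obj


def decode_receipt_info(blob):
    """Parse one ZRECEIPTINFO blob; return [(path, ISO-8601 UTC)] per timestamp found.

    Handles plist <date> values (plistlib returns naive datetimes, which are UTC)
    and bare reals inside the Cocoa-epoch window. Status ints, bools and strings
    are ignored.
    """
    found = []
    for path, value in _leaves(plistlib.loads(bytes(blob))):
        if isinstance(value, dt.datetime):
            when = value if value.tzinfo else value.replace(tzinfo=UTC)
            found.append((path, when.isoformat()))
        elif (isinstance(value, (int, float)) and not isinstance(value, bool)
              and _COCOA_MIN <= value <= _COCOA_MAX):
            found.append((path, from_cocoa(value).isoformat()))
    return found


def receipts_from_db(conn):
    """Run the decoder over every message row that carries a receipt blob."""
    rows = conn.execute(
        "SELECT Z_PK, ZRECEIPTINFO FROM ZWAMESSAGE WHERE ZRECEIPTINFO IS NOT NULL")
    return {pk: decode_receipt_info(blob) for pk, blob in rows}


def build_sample_blob():
    """Constructed blob: two Cocoa timestamps 12 s apart plus a non-timestamp int."""
    payload = {
        "timestampA": to_cocoa(dt.datetime(2018, 3, 10, 9, 15, 30, tzinfo=UTC)),
        "timestampB": to_cocoa(dt.datetime(2018, 3, 10, 9, 15, 42, tzinfo=UTC)),
        "status": 5,
    }
    return plistlib.dumps(payload, fmt=plistlib.FMT_BINARY)


def build_sample_db():
    """In-memory stand-in for chatstorage.db with a single message row (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZWAMESSAGE (Z_PK INTEGER PRIMARY KEY, ZRECEIPTINFO BLOB)")
    conn.execute("INSERT INTO ZWAMESSAGE VALUES (1, ?)", (build_sample_blob(),))
    return conn


if __name__ == "__main__":
    for pk, stamps in receipts_from_db(build_sample_db()).items():
        for path, when in stamps:
            print(f"message {pk}: {path} = {when}")
```

To use it on a case database, open a read-only copy with sqlite3.connect() in place of build_sample_db() and compare the decoded values against a message sent under controlled conditions (known send time, recipient offline, then online) to settle which field records delivery.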

General Discussion: DisasterCom 15Mbps SatUp

MTB - very good approach. Previous trainings always had some struggle built in, like unexpected equipment lost or delayed. Then we had to DIY-solder interfaces, cables and connectors. For the sat uplink two major issues are power - e.g. diesel or battery banks - and connectivity, like SNR or adjusting the dish without precision tools like the FSH3 https://upload.wikimedia.org/wikipedia/commons/8/85/Rohde_%26_Schwarz_FSH3_teardown.jpg As delays and timing protocols are crucial over long distances, this time we have to use PTP IEEE 1588v2, as maybe we have to cross-feed into a street small cell of Swisscom with the WiFi link to parasitically use their wireless backhaul to avoid detection and interception by RF in a 'critical area'. What do you think of daytime-to-night delayed or antedated transmission for better weather and space conditions?

Mobile Phone Forensics: Extraction data from Samsung Galaxy s8

Hello, I had a similar problem last month. I couldn't find a way to root the phone (without wiping). All I could do was a logical extraction.

Mobile Phone Forensics: Graykey

Do you have a link to the webinar? Struggling to find any information about this device, but if what is advertised is true, it would be very beneficial. Kind regards

General Discussion: Magnet Forensics Axiom - Is it just me?

Hi! I sent you a PM with some additional questions and some comments on things that may help with what you are seeing in AXIOM. It is showing in my Outbox and not Sent, so if you didn't receive it, please let me know. Feel free to reach out to me directly - jessica.hyde [AT] magnetforensics [DOT] com. I would love to be able to help you and figure out the issue you are seeing. Regards, Jessica

Digital Forensics Job Vacancies: IT Security Officer at Coutts Private Bank, Bristol, UK

This may be of interest to members of this forum who are looking for a role in IT security outside of the digital forensics/ediscovery field.

- You'll be working for our prestigious brand Coutts, offering you exposure to a wide range of unique activities with our high net worth clients
- We'll look to you to provide IT Security Subject Matter Expertise (SME) as a second line support function. The role helps prevent both internal fraud and regulatory censure
- You'll support the bank's position on web security, ensuring that all websites meet bank requirements, working with tech and web owners to make sure the right solutions are in place

What you'll do
You'll ensure appropriate security is designed into Private Banking (PB) IT applications and that application role design supports the business requirements and meets Information Security principles. You'll also ensure that the Private Banking IT Control Plan is implemented across PB IT within the UK and that an effective testing regime (First Line of Defence and Second Line of Defence) is in place. In this role you'll:
- Support both PB IT and business projects, ensuring that IT security requirements are met through close liaison with project stakeholders and change functions to deliver the required change
- Identify potential security issues and escalate as appropriate
- Provide advice and guidance to PB and PB Services at all organisational levels on access control and information security issues
- Coordinate and support both PB IT and the business in the development and implementation of access roles / models in accordance with the principle of least privilege and segregation of duties
- Provide subject matter expert guidance on access control to PB IT and the business as a key contact within the IT Security & Risk team through all channels
- Support Web Security scanning, asset monitoring and vulnerability remediation for PB internet exposed assets and manage key relationships with the PB Digital and RBS Web Security teams

The skills you'll need
To succeed in this role, it's essential you have experience providing consultancy services in the past. You'll need good stakeholder management skills. You'll also:
- Show good analytical skills, and be able to review MI and report on this to monitor and analyse risks with systems
- Be an excellent communicator, able to communicate concepts in a user friendly manner across key interfaces
- Have good, strong experience in IT Security

To apply and for more information: https://jobs.rbs.com/jobs/2528899-information-security-officer Note the closing date is Friday 23rd March 2018. To find out more about Coutts and what we do: https://www.coutts.com/about/our-history.html

General Discussion: DisasterCom 15Mbps SatUp

I hope for future tech too but first I want to DIY to log thunderstorms in the sahara (in-link further down) https://directory.eoportal.org/web/eoportal/satellite-missions/g/gpm

Mobile Phone Forensics: UFED PA Script

No, I haven't gotten to make it work yet. And Cellebrite support never contacted me on this. Good luck!

General Discussion: Password-Protected Windows 10

JimC wrote: "Based on this, I could argue that if a live image was not possible the next best thing would be to hibernate (rather than shutdown) a live workstation before seizing it. This would preserve the OS state and leave further options for future examination. This would of course overwrite the existing hibernation file which may not be desirable..."

Well, I could argue that IF the system has never been hibernated before, the effects of writing a new hiberfil.sys file may be detrimental to the amount of data that can be carved from allocated, and given how (often) hibernate is mal- or non-functioning, it represents IMHO a risk. I guess it needs to be decided if the possible trade-offs are worth it depending on the specific case *needs*; I mean, if the scope is knowing whether in the last few minutes/hours a given program has been run, then having a hiberfil.sys is very meaningful; if the scope is finding (say) deleted correspondence, it would be safer to shut down the system. ...decisions, always decisions ... ;) jaclaz

Mobile Phone Forensics: UFED PA Script

Based on the documentation it doesn't appear they provide access to the Watchlist in the API.

General Discussion: Anyone got a bot to find deleted truecrypt container header?

4144414D wrote: "loonaluna wrote: 'Is there any way to run multiple instances of this program, to make the search faster? Like, install various pythons and put pytruecrypt on each one xD, or is there only one cmd per OS?' You could do this but it would need changing some code, or run multiple instances against different parts of an image. I could make the code multi-threaded which will use more cores... but multiprocessing is a right faff. I'll do it one day but I don't have the time right now."

No need, thanks. Anyone can do this on their own by enabling multithreading and more cmd instances. I didn't know cmd could be open more than once when I asked.

4144414D wrote: "loonaluna wrote: 'But the chain method just wouldn't work no matter what size.' Well, that's rubbish. Could you create an entropy listing like Jaclaz suggested? Maybe with https://github.com/dupgit/entropie setting the size to 512? Or send me the ent.pickle file to look at. I can take a look at the peaks and see if I can work out why the chain method is making the wrong choice. (If you can send me the full 7 GB file image I could check that too if you like and see what's going on.)"

I don't know what was up with that 7 GB file, but seeing as it was just a test container and a test file, I think we'd be better off if I don't send it to you for the time being as it would be very cumbersome. It's probably the pickle file that gets too large to be read, or something like that.

OK, so here's the thing, and I'm wondering if you or jaclaz has the answer. This weekend I found out that by typing the password of one of the containers three times into the first big chunk I isolated on the hard drive, at the third attempt the password works. But it comes with a warning, saying the headers are damaged. Indeed, the news isn't good and, without being an expert, it looks like fragmentation. Whether or not I fix the headers, of course, it's unreadable but says it's an 80 GB file. But the chunk is only 52.7 GB.
Does this mean it saw the backup header because it was exactly 131072 bytes from the end of the file, as dantz said once a long time ago on wilderssecurity that's where the backup headers were stored in TrueCrypt containers? Btw, fixing the headers with TrueCrypt volume tools doesn't seem to rewrite the file beginning, as it still can't be spotted in a --brute run with pytruecrypt. Maybe this is because the header can only be spotted if it's in a coherent file where the header is where the backup header says it is, and this isn't the case? Anyway, so this chunk, when run through entropie.py, only has one entropy number. Is that what you mean by entropy listing? Would finding other chunks with the same entropy mean adding them all up together could reach 80 GB? Could the assumption be made that the first chunk is missing and that it could be sitting in one big chunk elsewhere, and that it could be added, and if so, can this chunk only be in a previous sector or can it be in sectors below? The second big chunk that I was hoping would be the second container gives 5 different entropy numbers btw, whereas this first chunk gives one result. Can this result be written to a pickle.ent file to get the chain method to work on such a big drive, or is that not how it works?

General Discussion: Is my winhex gather free space doing what it's supposed to?

jaclaz wrote: "Well, no idea, I cannot understand more than half of what you are reporting. You seem to have a not fully formed idea of the concepts around unallocated (what you call free) space. Each and every sector on a mass storage device can be allocated when a given set of indexing is parsed and at the same time be unallocated when another given set of indexing (file system reconstruction) is parsed. jaclaz"

Yes, my apologies. I had conflated sectors with clusters and couldn't tell the difference when I typed the above. I was also looking at a flash drive with a file I thought should be in the middle sectors, but because I'd misunderstood clusters and sectors, I didn't realise it was at the beginning of the flash drive, so when I saw it represented on Defraggler as being at the start, I thought Defraggler couldn't read flash drives properly, maybe because of the file system it was using (FAT32), or maybe because it was flash drive storage instead of an HDD. I had also recovered a previously deleted TrueCrypt container on said flash drive, through the file system only, with WinHex, so I thought the recovered container was the one occupying the start of the flash drive as it was on an earlier cluster. But it had actually been mostly if not completely overwritten by the new container, so it's no surprise that none of the passwords I remember using worked. Anyway, I describe my present status in the other thread.

General Discussion: TYS! - 5G DRX variants

Test Yourself! 5G brings new variants of DRX (Discontinuous Reception). Here are the 3 variants to compare: HD-DRX, D-DRX, C-DRX. If you hung in at W2L? 5G you should be able to start and to extend by your own research to squeeze out the pros and cons of the 3 variants. Here is the exercise: A mobile drops from a bridge into a river. Which DRX variant has the highest probability to catch the very last moment of the mobile before diving into the water (the river has a 1 m deep water flow)? Director's cut: Assuming that the mobile dives with 0.1 m/s vertical zig-zag dancing and afterwards touches the river ground, after how many milliseconds of touching the water surface at the latest is the mobile paging to find a new cell (the connection drops on touching water)? You hate these tricky questions? No real learner!

Mobile Phone Forensics: Graykey

MrMacca wrote: "Do you have a link to the webinar? Struggling to find any information about this device, but if what is advertised is true, it would be very beneficial. Kind regards"

Sign up for the next webinar from the company: https://graykey.grayshift.com/ As for other information on this tool, it's very new so there may not be much out there yet...

Mobile Phone Forensics: bootloader data acquisition !!

Hey guys, the task has ended because I can't pay; they want a lot of money!! But that guy is a pro. He decoded some data from the image and sent it to me as proof. Thank you all for the help.

Mobile Phone Forensics: bootloader data acquisition !!

Unfortunately this is a general problem worldwide; many law enforcement organizations don't have the needed budget for this kind of task. :(

General Discussion: Anyone got a bot to find deleted truecrypt container header?

More doubts than answers, unfortunately. You stated (here or elsewhere) that you found two suitable "chunks", one around 52 GB and one around 74 GB. Then, notwithstanding that at the moment the nice script by 4144414D hasn't found anything (yet), you - evidently by sheer luck - isolated EXACTLY the right chunk (so exactly that TrueCrypt actually accepts - albeit on the third attempt only - the "right password") :? . I cannot see :o (but I am not an expert on TrueCrypt specifically) how inserting the "right" password three times (as opposed to one, two being a good compromise ;) ) can work. The result you report seems like telling us that *somehow* TrueCrypt at the first and second attempts tries to decrypt the header (that either isn't there or is not at the right offset in the mapped chunk), then, on the third attempt, *somehow* finds the footer instead [1]? BUT, even if it somehow accepts the password, it states that the volume is around 80 GB, whilst the chunk is only 52 GB? If this is the case, logically it should mean that *somehow* the chunk is missing around 38 GB at the beginning. jaclaz

[1] by "footer" I mean the backup of the header at S-131072
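The entropy listing 4144414D asks for earlier in the thread ("setting the size to 512") and the S-131072 footnote above, as one added example in Python that is not part of the original posts and not code from pytruecrypt or entropie: it scores each 512-byte block of an image by Shannon entropy, merges consecutive high-entropy blocks into candidate runs, and reports where the TrueCrypt header, hidden header and their backups would sit if a run were a complete volume. The sample image is constructed inside the script; the layout constants (two 64 KiB header slots at the start, mirrored in the last 131072 bytes, data from offset 131072) are the documented TrueCrypt 6+ volume layout. The threshold of 7.0 bits is an assumption chosen to separate random-looking blocks from text and zeros; compressed archives clear it too, so a run is a candidate, not proof of a container. missing_prefix() is the arithmetic behind the last paragraph's inference: if only the backup header matched, the declared volume size minus the chunk size is what is absent in front of it.

```python
"""Entropy listing of a raw image in 512-byte blocks, plus the TrueCrypt header
offsets implied by a candidate high-entropy run.

Added example, not from the original posts, pytruecrypt or entropie. The
sample image is constructed below; the header layout constants are the
TrueCrypt 6+ volume format (64 KiB header + 64 KiB hidden header at the start,
mirrored as backups in the last 131072 bytes).
"""
import math
import random
from collections import Counter

SECTOR = 512
HEADER_SLOT = 65536             # one header area (standard or hidden)
HEADER_AREA = 2 * HEADER_SLOT   # data starts here; backups occupy the same size at the end
# Assumed cut-off: random and encrypted 512-byte blocks score ~7.6 bits, ASCII ~4-5,
# zeros 0. Compressed data also scores high, so a run is a candidate, not proof.
RANDOM_THRESHOLD = 7.0


def shannon_entropy(block):
    """Shannon entropy in bits per byte of one block (0.0 for empty or constant data)."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def entropy_listing(data, size=SECTOR):
    """[(offset, entropy)] for consecutive size-byte blocks, like an entropie run at size 512."""
    return [(off, shannon_entropy(data[off:off + size])) for off in range(0, len(data), size)]


def high_entropy_runs(listing, threshold=RANDOM_THRESHOLD, min_blocks=4, size=SECTOR):
    """Merge consecutive blocks at or above threshold into (start, end) byte ranges."""
    runs, start = [], None
    for off, h in listing:
        if h >= threshold and start is None:
            start = off
        elif h < threshold and start is not None:
            runs.append((start, off))
            start = None
    if start is not None:
        runs.append((start, listing[-1][0] + size))
    return [r for r in runs if (r[1] - r[0]) >= min_blocks * size]


def truecrypt_offsets(run_start, run_end):
    """Header positions if [run_start, run_end) were a complete TrueCrypt volume of size S."""
    return {
        "volume_size": run_end - run_start,
        "header": run_start,                            # offset 0
        "hidden_header": run_start + HEADER_SLOT,       # offset 65536
        "data_start": run_start + HEADER_AREA,          # offset 131072
        "backup_header": run_end - HEADER_AREA,         # S - 131072 (the "footer")
        "backup_hidden_header": run_end - HEADER_SLOT,  # S - 65536
    }


def missing_prefix(declared_size, chunk_size):
    """Bytes absent in front of a chunk whose backup header declares a larger volume."""
    return max(declared_size - chunk_size, 0)


def build_sample_image(seed=1):
    """Constructed image: 8 sectors of zeros, 16 of ASCII text, 300 of seeded
    pseudo-random bytes (stand-in for ciphertext), 8 of zeros."""
    rng = random.Random(seed)
    text = (b"The quick brown fox jumps over the lazy dog. " * 200)[:SECTOR * 16]
    noise = bytes(rng.getrandbits(8) for _ in range(SECTOR * 300))
    return b"\x00" * (SECTOR * 8) + text + noise + b"\x00" * (SECTOR * 8)


def candidates(data):
    """Full pipeline: listing -> runs -> implied TrueCrypt offsets per run."""
    return [truecrypt_offsets(*run) for run in high_entropy_runs(entropy_listing(data))]


if __name__ == "__main__":
    for cand in candidates(build_sample_image()):
        print(cand)
```

On a real disk image, feed the file in large windows rather than reading it whole, keep the listing (offset, entropy) pairs rather than a single summary number, and look at where the runs start and stop: a run whose length is short of the size a matching backup header declares is the signature of a container with its head elsewhere.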

Mobile Phone Forensics: bootloader data acquisition !!

passcodeunlock wrote: "Unfortunately this is a general problem worldwide, many law enforcement organizations don't have the needed budget for this kind of task :("

Well, one could argue that the issue could be easily solved in two ways, both equally effective ;) : 1) better funding the LEOs 2) lowering the amount of money asked by the "pro" people doing this kind of task. jaclaz