So we dug into the problem a bit more. It seems BitLocker locks the drive (as we already knew). It would seem self-evident that unmounting the drive should avoid this lock. But it doesn't.
According to Microsoft in MSDN, if a volume is dismounted, the next call to open the volume causes it to be mounted again (automatically).
So our speculation is that BitLocker is doing some activity regularly in the background and the volume gets auto-remounted fairly quickly after being dismounted, which blocks the wiping of the drive.
But we also found there is an additional option in Windows to both dismount and take the volume 'offline'. Taking it offline removes the lock and allows the drive to be written to again. This change will appear in OSForensics V6 and the next release of ImageUSB. So there will be need to use Linux or the command line going forward.
↧
General Discussion: Wiping a BitLocker Encrypted USB Drive - Possible?
↧
Forensic Software: Windows triage script
Yes, you can copy the files to a stick or run them from a different computer.
You collect them in text format if you want to parse them with tools that are good with parsing them and do not support their native format.
It was a sample triage script, when you get a large problem, you triage (hence the name) off USB or by directly connecting to the system. When you have a small problem, you can do proper offline, readonly forensics. Time is a factor.
↧
Forensic Software: PST Search Tools
Guys
Many thanks
Mark
↧
Forensic Software: PST Search Tools
How did you solve your task after all?! What was the program you used for your analysis?
↧
General Discussion: Data theft investigation
Hi. I’m seeking for some opinions. I am attached to a local banking company in Malaysia. Recently one of my ex-staff in the Customer Relation department has left the company with less than 24 hrs notice resignation. Other staff were perplexed and also kept thinking about why. Someone has taken his own initiative to check his computer station (I’m not quite sure what that guy was doing) but he suspects there could have been some data from has been stolen. All panicked. How can we investigate that possibility? What information should we look into? Is there any quick way to prove something of data theft possibility? The nightmare is, worst case scenario, he has copied some confidential data of high customer profiles and could have sold it. Should we invite computer forensic team from local enforcement agencies or we do it the 'forensic' thing?
↧
Mobile Phone Forensics: Help with CLSLocationscache
iPhone 7 running 11.2.1
Found location data in this sqlite... but would like to ID what application or process it was associated with.
TarArchive/File System/PhotoData/Caches/GraphService/CLSLocationCache.sqlite
Note from admin: we have altered the title as it was too long to show up on the homepage.
↧
General Discussion: Windows 10 Timeline
We also had a play with it at the end of last week.
https://cclgroupltd.com/windows-10-timeline-forensic-artefacts/
More work to do, but some encouraging finds in there!
↧
Mobile Phone Forensics: KYOCERA HYDRO REACH C6743 - Screen bypass success
Hello all,
Just wanted to inform the group that I was able to bypass successfully the screen lock of a Kyocera Hydro Reach C6743 using Cellebrite UFED4PC and Cellebrite cable #523.
Cellebrite then created a physical extraction from the phone.
↧
Forensic Software: PST Search Tools
For future reference, Microsoft seem to have made a tool for this: Outlook-to-text-converter. Haven't tried it, seems to be compatible from XP to Windows 10, Server 2008-2016.
https://gallery.technet.microsoft.com/pst-to-txt-9160fb4b
↧
Forensic Software: RTF Format to PST or MSG Conversion
I don't know of a conversion tool that can do that. I would contact the client and ask if there is an OST or PST in the image and export that out. I do it in EnCase all the time.
It is possible that the user saved them as an RTF. If it is saved in the system as an RTF and not an OST or PST, you might be stuck.
↧
General Discussion: Data theft investigation
athulin wrote:
Beatrice wrote:
Hi. I’m seeking for some opinions
On May 4th you posted the exact same question over at Computer Forensics World.
Sorry, I gave here some digital food. Should have checked that before... a lazy student from Malaysia again.
a little bit frustrated,
Robin
↧
Forensic Software: RTF Format to PST or MSG Conversion
It is hard to comment without seeing an example of one of these RTF files.
Does the RTF file contain the EMail headers records?
Did attachments to the EMails also get exported?
In the case where the Email had both a text and HTML version, did both get exported?
Did the folder path get exported with the RTF file?
I am guessing the answer to some or all of these questions is no. So conversion back into the original format will be impossible. Or if conversion is possible, there will be some data loss.
RTF to PST isn't a common operation. There might be no tools available to even do a lossy conversion.
↧
General Discussion: Windows 10 Timeline
I'm currently testing and working on this, but all of a sudden my timeline has stopped recording stuff.
Whilst this is annoying, it also makes me wonder where the hell everything has gone, why it has gone and what impact this has on an investigation.
↧
Digital Forensics Job Vacancies: DMIU Technician - Lancashire Constabulary
Applications are invited for the post of DMIU Technician, within the HQ Crime, DMIU based at Hutton Headquarters.
The purpose of this role is to provide flexible and comprehensive technical support to the Digital Media Investigation Unit.
Further details of the requirements and duties of the post can be found above on the candidate specification.
Please apply through the below link
DMIU Technician - Lancashire Constabulary
↧
General Discussion: Data theft investigation
I would not be surprised if the case in question were the M57.BIZ, or a similar one, used for teaching and learning purposes.
↧
General Discussion: Anyone going to Techno (room)
Looking for anyone who is going to Techno in June and has a room.
I jumped in late, and need to be onsite.
If you have 2 beds and would be interested in splitting the costs (and I'll buy a few dinners) please let me know.
Thanks.
↧
General Discussion: UltraFast Drone Shutdown - Slingshot
We search in addition for the most compact, smallest but fully functional paintball gun with round bullets?
Who in Asia may know more and can help?
Please provide links and pics if you can. Thank you!
↧
Mobile Phone Forensics: KYOCERA HYDRO REACH C6743 - Screen bypass success
This Cellebrite UFED EDL extraction method will work on most models based on these Qualcomm chipsets:
MSM8909, MSM8916, MSM8936, MSM8939, MSM8952
Best regards
Ron
↧
Mobile Phone Forensics: Network event anomaly
Agree. Stop right now. Without the device no SMS forensics. Hard but fact.
↧
General Discussion: VPS Google Lens Forensics
Visual Positioning Service VPS by Google Lens puts an AR layer on the life-cam stream. Is there a chance to reverse engineer the visual vectors of the VPS?
https://www.lowyat.net/wp-content/uploads/2018/05/google-maps-vps.jpg
Where in e.g. the Snapdragon 840 GPU and internal 2nd level cache or dedicated cache for the GPU is the processing of the algo for the VPS?
Who has worked deeply inside Google Lens and run all sorts of forensic tests?
My account enables to PM me.
↧