Channel: Forensic Focus Forums - Recent Topics
Viewing all 20103 articles

General Discussion: PowerBank to Kill

Got a powerbank from a school friend.

General Discussion: PowerBank to Kill

Sounds like your officer was hit with a very interesting Rubber Ducky USB attack.
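The Rubber Ducky / BadUSB pattern referred to above shows up on the host as a device that registers a HID keyboard interface while its descriptor strings say it is something else (a power bank, a charger, a flash drive). As an added example, not posted in the thread and not describing the device the officer actually plugged in, the Python below parses Linux kernel USB enumeration messages (the format dmesg or journalctl -k prints) and flags exactly that pattern. The log lines are constructed samples in the kernel's format, and the 1a2b:3c4d vendor/product ID is invented.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample log lines in the format of Linux kernel usb / hid-generic /
# usb-storage messages. Three devices: a "power bank" that registers a HID
# keyboard (1a2b:3c4d is an invented VID:PID), a real keyboard, and a flash drive.
SAMPLE_LOG = """\
usb 1-1: new full-speed USB device number 5 using xhci_hcd
usb 1-1: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 1.00
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-1: Product: Power Bank 10000mAh
usb 1-1: Manufacturer: Generic
input: Generic Power Bank 10000mAh as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:1A2B:3C4D.0004/input/input20
hid-generic 0003:1A2B:3C4D.0004: input,hidraw3: USB HID v1.11 Keyboard [Generic Power Bank 10000mAh] on usb-0000:00:14.0-1/input0
usb 1-2: new full-speed USB device number 6 using xhci_hcd
usb 1-2: New USB device found, idVendor=413c, idProduct=2113, bcdDevice= 1.08
usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-2: Product: Dell KB216 Wired Keyboard
usb 1-2: Manufacturer: Dell
hid-generic 0003:413C:2113.0005: input,hidraw4: USB HID v1.11 Keyboard [Dell Dell KB216 Wired Keyboard] on usb-0000:00:14.0-2/input0
usb 1-3: new high-speed USB device number 7 using xhci_hcd
usb 1-3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-3: Product: Cruzer Blade
usb 1-3: Manufacturer: SanDisk
usb-storage 1-3:1.0: USB Mass Storage device detected
"""

DEVICE_FOUND = re.compile(
    r"^usb (?P<dev>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
DEVICE_STRING = re.compile(r"^usb (?P<dev>[\d.-]+): (?P<key>Product|Manufacturer): (?P<val>.*)$")
# hid-generic identifies the device as <bus>:<VID>:<PID>.<n>; bus 0003 is USB.
HID_KEYBOARD = re.compile(
    r"^hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\d+: .*USB HID v[\d.]+ Keyboard \[")
MASS_STORAGE = re.compile(r"^usb-storage (?P<dev>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")

KEYBOARD_WORDS = ("keyboard", "kbd", "keypad")


@dataclass
class UsbDevice:
    dev: str                  # bus-port path, e.g. "1-1"
    vid: str
    pid: str
    product: str = ""
    manufacturer: str = ""
    interfaces: List[str] = field(default_factory=list)   # "keyboard", "storage"


def parse_usb_log(text: str) -> Dict[str, UsbDevice]:
    """Rebuild one record per enumerated device from kernel log lines."""
    devices: Dict[str, UsbDevice] = {}
    by_id: Dict[Tuple[str, str], str] = {}   # (vid, pid) -> dev, to place hid-generic lines
    for line in text.splitlines():
        if m := DEVICE_FOUND.match(line):
            d = UsbDevice(m["dev"], m["vid"].lower(), m["pid"].lower())
            devices[d.dev] = d
            by_id[(d.vid, d.pid)] = d.dev
        elif (m := DEVICE_STRING.match(line)) and m["dev"] in devices:
            setattr(devices[m["dev"]], m["key"].lower(), m["val"].strip())
        elif m := HID_KEYBOARD.match(line):
            dev = by_id.get((m["vid"].lower(), m["pid"].lower()))
            if dev:
                devices[dev].interfaces.append("keyboard")
        elif (m := MASS_STORAGE.match(line)) and m["dev"] in devices:
            devices[m["dev"]].interfaces.append("storage")
    return devices


def suspicious_hid_devices(devices: Dict[str, UsbDevice]) -> List[Tuple[str, str]]:
    """Flag keyboards whose strings never say 'keyboard', and storage+keyboard composites."""
    findings: List[Tuple[str, str]] = []
    for d in devices.values():
        if "keyboard" not in d.interfaces:
            continue
        label = f"{d.manufacturer} {d.product}".strip()
        if "storage" in d.interfaces:
            findings.append((d.dev, f"mass-storage device '{label}' also registered a HID keyboard"))
        elif not any(w in label.lower() for w in KEYBOARD_WORDS):
            findings.append((d.dev, f"HID keyboard registered by '{label}' ({d.vid}:{d.pid})"))
    return findings


if __name__ == "__main__":
    for dev, reason in suspicious_hid_devices(parse_usb_log(SAMPLE_LOG)):
        print(f"usb {dev}: {reason}")
```

The heuristic is deliberately loose: a genuine keyboard with a blank product string will also be flagged, and a device that only ever enumerates as a keyboard named "Keyboard" will not be. What the kernel log cannot tell you is what was typed; for that you need the keystroke timing or the shell history on the host. Feed it `journalctl -k --no-pager` output from the affected machine rather than the constructed sample.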

Mobile Phone Forensics: 7 days till end - USB RM iOS 11.4

Apparently this feature was also in a previous beta and wasn't in production, so there is no guarantee we'll see it in 11.4. Probably eventually, though. In terms of GrayKey, my understanding is they aren't distributing outside of North America at the moment, and even then only to LE.

Forensic Software: Twitter Forensic Investigator

Dear Colleagues, We have respect for you in the forensic world. I want you to try my software and give your comments. This is so important for me. It's called Twitter Forensic Investigator. It can take screenshots of all tweets, index them and hash them, without the suspect's password. www.socialmediaforensic.com Best regards, have a nice day.

Forensic Software: EnCase 8 “Is Deleted” field.

Hi, Within EnCase reporting, the field for "Is Overwritten" is included under Entry Fields. This can be added via the bookmark folder (add folder to report, customise metadata, and look at Entry Fields) or by modifying the report template and the formatting for the bookmark type. The bookmark type can be identified via the bookmark folder, where the required field will need to be added for each type (image, entry etc). Finally, the field will show whatever value is assigned to "Show True" and "Show False" in EnCase global options (from the Tools menu). I don't believe this field can be added to a Bookmark Table, since the IsOverwritten field appears not to be present on Bookmarks.

Code:
    style("Bookmark") {
        counter(markindex)
        text(") ")
        filelink() {
            cell(field=Name)
        }
        par
    }
    style("Metadata") {
        fieldname(field=Name) tab cell(field=Name) par
        fieldname(field=Created) tab cell(field=Created) par
        fieldname(field=Written) tab cell(field=Written) par
        fieldname(field=Accessed) tab cell(field=Accessed) par
        fieldname(Entry, field=IsOverwritten) tab cell(Entry, field=IsOverwritten) par
    }

Regards

General Discussion: PowerBank to Kill

RolfGutmann wrote: "The banking trojan tried to phone home over the mobile's internet connection to the P.R.C. Don't plug in every powerbank."

Rolf, why don't you and your colleague make an article from this story? Write down the story, more technical details, some photos from inside the device, and publish it here on Forensic Focus. I am sure a lot of people here (and elsewhere) are very interested in more details, the manipulated firmware and the IP addresses the device connected to. Some PCAPs would be great, too. Please get in touch with Scar and contribute this story to the audience here. I have done it twice and it was not only an interesting experience, it was great training for myself. Regards, Robin

General Discussion: Encase 8 L01 file creation of a zip file

Hi All, Recently I have started using EnCase v8. Everything looks good, but my biggest concern is that I am not able to create an L01 file of a zip and other files together. Suppose I have 1 zip file and 1 PST file. I mount the zip file either by using View File Structure or the Evidence Processor. When I try to create an L01 file of the mounted zip and the PST, I only get 2 files, although my requirement is that I should get 1 PST plus the mounted zip file contents. This same process can easily be done in EnCase 6. Can someone who has used EnCase v8 please suggest a solution so that I can get both the PST and the mounted zip file contents into the L01 image? Thanks.

General Discussion: New File System on Macs

AmNe5iA wrote: So the order of tools supporting APFS so far appears to be:
1. BlackBag Tech. with BlackLight 2018 R1 (February 2018)
2. OpenText (Guidance Software) with EnCase 8.07 (May 2018)
3. Possibly X-Ways with X-Ways Forensics 19.7 (currently in preview/beta)
4. ......?

4. Recovery Explorer (formerly UFS)
5. R-Studio (also supports encrypted APFS in some cases)

General Discussion: Encase 8 L01 file creation of a zip file

One thing you can try is to create one at a time. Blue-check the ZIP file and create the L01. Then uncheck it. Blue-check the PST and create an L01 of that. I know it seems like using two steps in a process that should only be one step, but whatever is checked at the time of L01 creation is what will be in it.

General Discussion: Long Term Archiving for Evidence; Best Practices - Plus

I am posting this question for myself and for a Cincinnati, Ohio officer, who brought to my attention that the size of cases has been growing and taxing his budget and storage space (both device and physical storage). The evidence retention policy his agency follows is:

Quote: "fifteen (15) years plus (+) current year."

I asked which current standards body they (his agency) adhere to and he said:

Quote: "There is nothing to direct you to. All of the documents are so vague that individual units and agencies are left to figure it out on their own. Most agencies have a policy like ours ..."

I brought to his attention that the Scientific Working Group on Digital Evidence (SWGDE) and the Scientific Working Group on Imaging Technology (SWGIT) both have currently active documents on this concern. A member of this site from Pennsylvania, in the General Discussion forum under the topic "Best Practice: Archiving Digital Evidence", says:

Quote: "I've found some information regarding the topic from the FBI, ACPO, NIST and a couple other sources. I'm having a little trouble finding specific standards set in place by ISO or other governing bodies."

The Cincy officer also indicated:

Quote: "But from the time of conception to the time the document is released there have been 2 generations of hardware and OS. Additionally, the documents have to be so general that they are frequently useless. In this instant discussion, the SWGDE guidelines are so vague that they are largely useless. If SWGDE isn't the group that should decide what the 'best practices' are, then who should do that?"

Hence our current discussion. Here are the groups' currently available documents on archiving digital evidence:

SWGDE Data Archiving, Version 1.0 (April 12, 2006)
SWGIT Section 15: Best Practices for Archiving Digital and Multimedia Evidence (DME) in the Criminal Justice System (2012) < https://www.swgit.org/pdf/Section%2015%20Best%20Practices%20for%20Archiving%20Digital%20and%20Multimedia%20Evidence%20(DME)%20in%20the%20Criminal%20Justice%20System?docID=55 >

Some of our questions are then:
1. What are other people / agencies doing, what ideas have they had, and can we share that information so we can see if there are better ideas out there somewhere?
2. Does anybody have a better solution, or a way to bring the volume of data storage from today's size of cases into compliance with case retention policies written in the paper era?
3. What file format(s) do you use or keep your archive data in?
4. Do you use compression within your software, or do you use an external open-source tool to save space for this case data archive?

So we are asking the members of this site for your ideas, and also to compare what and how you handle these issues within each of our geographical communities. It would be nice to see if there are any commonalities that could be helpful to us all. Here are a few other threads from this site regarding this subject that you may want to review:
< http://www.forensicfocus.com/Forums/viewtopic/t=7602/ >
< http://www.forensicfocus.com/Forums/viewtopic/t=2580/ >
< http://www.forensicfocus.com/Forums/viewtopic/t=5409/ >
We thank you ahead of time for your participation in this forum's question.
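Whatever container format and compression the archive ends up in (questions 3 and 4 above), a fifteen-year retention period needs one thing the thread does not spell out: a way to prove on retrieval that the stored bytes are the ones that were archived. As an added example, not from the post above and not taken from any SWGDE or SWGIT document, the Python below builds a SHA-256 manifest of an archive tree, hashes the manifest itself so that one value can go in the case log, and re-verifies the tree, reporting modified, missing and unexpected files. The case number, file names and file contents are constructed placeholders.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

CHUNK = 1 << 20   # hash in 1 MiB blocks so multi-GB images never have to fit in memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_digest(manifest: Dict[str, str]) -> str:
    """SHA-256 of the canonical JSON form of the manifest.

    Record this single value in the paper/case-management log: it makes the
    manifest itself tamper-evident, independent of key order in the file."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


def verify_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the archive on disk against the manifest taken at archive time."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
    }


def demo() -> Tuple[Dict[str, str], Dict[str, List[str]], Dict[str, List[str]]]:
    """Archive two constructed placeholder files, verify, then corrupt/delete/add and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        case = root / "case-2018-0417"           # invented case number
        case.mkdir()
        image = case / "laptop.E01"
        image.write_bytes(b"constructed placeholder, not a real image\n" + bytes(range(256)) * 64)
        (case / "report.pdf").write_bytes(b"%PDF-1.4 constructed placeholder\n")

        manifest = build_manifest(root)         # taken at archive time
        clean = verify_manifest(root, manifest)  # immediately after: nothing to report

        data = bytearray(image.read_bytes())
        data[100] ^= 0x01                        # one flipped bit: silent media corruption
        image.write_bytes(bytes(data))
        (case / "report.pdf").unlink()           # file lost during a storage migration
        (root / "stray.txt").write_text("not part of the archived case\n")
        tampered = verify_manifest(root, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print("manifest digest:", manifest_digest(manifest))
    print("at archive time:", clean)
    print("years later:    ", tampered)
```

Two caveats worth keeping in mind. If the case is stored as a compressed container (L01, E01, zip, 7z), hash the container as stored, since that is what you will read back; the manifest proves the archive is unchanged, while the acquisition hash in the imaging report proves the image matched the source. And keep the manifest file and its digest outside the tree it describes, or exclude it from `build_manifest`, otherwise it reports itself as unexpected on verification. Store the algorithm name alongside the hashes so the manifest is still interpretable when the retention period runs out.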

Mobile Phone Forensics: Find My iPhone - Activation Lock

We know that when you enable Find My iPhone it enables Activation Lock on the device, meaning that to completely erase it you need to connect to the internet and enter the Apple ID and password. If the phone owner has had his device lost/stolen, he goes to Find My iPhone on the internet and sets the device to self-delete when it next connects to the internet, AND THEN presses the black X to remove the device from the account. Does Activation Lock remain in place after the device has been removed from the account?

General Discussion: Parking Crime on Innocent

Shocked innocents getting into the mills of law enforcement drain our limited resources for nothing. Zombies (infected devices) are an ever-rising problem for us here. An innocent (within families this is very difficult because of shared devices) gets catapulted into the light of law enforcement if there is crime data on the device. As in the beginning it is not certain WHO the data owner is, it is frustrating to finally find out that the device was misused for Parking Crime on Innocent (PCoI). And then the silly question: WHO was it? Domain gone, IPv4/6 just a proxy... Criminal hiding. How to deal with this?

Mobile Phone Forensics: 7 days till end - USB RM iOS 11.4

benfindlay wrote: And for those organisations who do DF investigations but sit outside the judicial systems, I think waterboarding might also be an option... (Shocked) ... particularly for odious crimes such as Parking Crimes that are reportedly on the rise: https://www.forensicfocus.com/Forums/viewtopic/t=16625/ jaclaz

General Discussion: cuckoo sandbox

Why is it so hard to set up a Cuckoo Sandbox? I have worked on it for two days, but I have not succeeded. Is there a simple setup video on this topic?

Digital Forensics Job Vacancies: Cyber Security Adviser for an International Prog - London

Foreign & Commonwealth Office
Cyber Security Adviser for an International Programme
£55,000 pa including location allowance + great benefits
Full time (flexible working considered), 3 year fixed term appointment

About the Foreign & Commonwealth Office
The Foreign & Commonwealth Office (FCO) promotes the United Kingdom's interests overseas, supporting our citizens and businesses around the globe. The FCO has a worldwide network of embassies and consulates, employing approximately 12,600 people in over 270 diplomatic offices. We work with international organisations to promote UK interests and global security, including the EU, NATO, the United Nations, the UN Security Council and the Commonwealth.

The role of Cyber Security Adviser
As part of our Cyber Security Capacity Building team of 12, this role is responsible for FCO engagement on our EU programme. You will act as our Technical Expert and Point of Contact for the programme, which will focus on Cyber Resilience for Development. The programme will deliver international capacity building training and advice to between 6 and 10 partner countries in Africa and Asia. This role offers the opportunity to develop and apply your cyber security knowledge. You will gain geographical and policy experience in security and development and be able to demonstrate your ability to influence internationally. You may also be required to travel to Africa, Asia and Europe as part of the international engagement of the programme.

About you
You will need to be a British Citizen and have been resident in the UK for two out of the last ten years prior to your application. Extensive cyber security policy experience is a must, and you will need to demonstrate resilience in an international environment. You will be a skilled leader who can inspire and be a role model for a culture of self-awareness. Able to learn and adapt your behaviours, you will strive for continuous improvement across all areas.

Interested?
Closing date for applications: Midnight on Monday 4th June 2018
Interview date: Week commencing Monday 2nd July 2018
We celebrate diversity and recruit our staff from a broad range of backgrounds so that we benefit from fresh experiences and perspectives. For more information and how to apply: Cyber Security Jobsite

Forensic Software: MAC memory dump

I've never tried to use it on a Mac but you could try Volatility.

Forensic Software: MAC memory dump

Yeah, agree with the above. Volatility just released a whole bunch of new Mac profiles last week too. Jamie

Services Required: Cellebrite services needed

Did you find a person to help on this? If you didn't, I can certainly help.

Mobile Phone Forensics: How to validate a cellebrite extraction

Seeking advice on how to validate a Cellebrite extraction using Physical Analyzer.