Channel: Forensic Focus Forums - Recent Topics

Mobile Phone Forensics: How to validate a cellebrite extraction


Forensic Software: MAC memory dump

I will also agree with the above comments. I have tried Volatility for Windows and it's a great open source tool. The good thing about it is they are improvising the software regularly and their tech support is great too. Regards

Mobile Phone Forensics: How to validate a cellebrite extraction

Also for additional verification/validation, Cellebrite lists the hash values for each new release of the software with the release notes that they send to your email when advising you of the new release. You should also be able to find that stuff on mycellebrite.com and access your account-support. NIST also has the following reference material on validation/verification that you can review: Mobile Device Test Tool Assertion and Test Plan. And in 2016 Homeland Security produced their own report regarding validation test results (benchmarking I guess) for UFED4PC v4.2.6.5. Obviously it is a couple of years old but nonetheless should bolster any assertions you may make regarding the tool itself.

Forensic Software: MAC memory dump

I could be wrong, but I don't think Volatility actually includes any functionality to make a memory dump on a Mac.

General Discussion: Copying files to external drives on Mac Vs Windows

No, it isn't correct. It is more complex. It depends on the file systems in use on each drive, e.g. NTFS to FAT32 or HFS+ to FAT32, or FAT32 to FAT32. It also depends on the tool used to copy the file, e.g. drag and drop in Windows Explorer, xcopy, or some specialised forensic tool. It also depends on what you define as metadata, e.g. dates, times, streams, file ownership, encryption, hard links, junctions, fragmentation, slack space, alternative 8.3 names, compression, attributes, etc.

Forensic Software: MAC memory dump

Volatility does not support RAM dumps; it is used to extract and analyze artifacts from dumped volatile memory. Mac OS X has a limited number of tools to dump volatile memory. I would suggest you use MacQuisition by BlackBag or, if you are looking for open source, go for Lime Forensics. However, you have to compile and build the Lime module according to the target machine.

Mobile Phone Forensics: Export facebook messenger messages without root

Hi,
Device: Lenovo C2 (K10a40)
OS: Android 6.0
Chipset: Mediatek MT6735P
Just took a full unencrypted dump with SPFlashTool. So I can confirm that this tool is working. You just have to get your drivers working properly. Thank you arcaine2!

Mobile Phone Forensics: Iphone 6 data recovery

Of course, it's possible to recover deleted videos from iPhone 6 before they are overwritten by new data. First use iPhone data recovery software to scan out iPhone 6 and check if the deleted videos can be scanned out. If yes, you can easily get them back.

General Discussion: Copying files to external drives on Mac Vs Windows

What Passmark said. Typically copying files onto an external drive from a Windows machine will mean brand new created dates and times for the files copied whereas Macs tend to keep the original created dates and times when files are copied. But as always there are lots of ifs and buts, if you want to rely upon whatever you are trying to prove, you'll need to test it.

Digital Forensics Job Vacancies: Relativity Consultant

I'm currently looking for a Relativity Consultant to work with one of the world's top eDiscovery Consultancies, working in their Technology practice to help clients manage the risk and cost of e-discovery. From forensic data collection to fully managed document review services, you will collaborate with Clients to deliver strategic solutions tailored to their unique legal requirements. As part of the London based team, you will assist on all phases of e-discovery projects and will have responsibility for client delivery of small to medium projects.

Key Responsibilities:
• Liaise with clients and project managers regarding client requests and manage expectations
• Plan and execute electronic evidence collection exercises, on-site at client premises around the UK and abroad
• Utilise industry standard and bespoke software to access, extract and cull data from electronic evidence sources
• Assume responsibility for day-to-day data processing, conversion, analysis, quality control, import, and other specialized tasks including interaction with other consultants, supervisors, and client personnel
• Co-ordinate closely with colleagues within and across teams to manage the delivery of client requirements
• Be customer-service-oriented to meet client deadlines, including working out of business hours when necessary

Experience:
• Solid experience working in an e-Discovery or technology related role
• Knowledge of and experience in configuring and operating with Relativity as a document review management application
• Electronic discovery experience or experience managing document review teams
• Experience supporting document review software applications
• Knowledge and execution of data manipulation tasks, data conversion and data analysis activities in a SQL environment
• Litigation support experience

If you are interested in the role please email Joe Rowley joe.rowley@fitzroysolutions.com

Mobile Phone Forensics: Iphone 6 data recovery

If you mean deleted for good, not only moved to Recently Deleted, all you can recover is thumbnails. When real deletion happens, the encryption keys used to encrypt each file are also zapped and there is no way to recover the original image(s). @congufo: can you please post the name of the programs and their vendors, which can recover really deleted files from iPhone 6?!

General Discussion: SQLite Forensics Book

This shall not be deleted, this kind of information is very useful for the FF community. @PaulSanderson: congratulations and thanks for spending time creating such a great book!

Mobile Phone Forensics: Export facebook messenger messages without root

If you ever face an encrypted userdata partition, feel free to PM me, we got a solution for that too. From what I know, our solution for Android based devices is unique worldwide. If you can provide a full dump and the device, there are big chances that we can open any kind of user screen locks, not depending on device type or the Android version.

General Discussion: Copying files to external drives on Mac Vs Windows

I think I've read a thread about this before, but I can't find it now. The information from this link helps a lot to know the reality regarding file times in Windows 10: http://cyberforensicator.com/2018/03/25/windows-10-time-rules/ Thanks to Oleg Skulkin and Igor Mikhaylov for their tests and conclusions! If somebody got anything similar for Macs, feel free to post it, that would also be very useful.

Mobile Phone Forensics: iCloud lock removal

https://www.youtube.com/watch?v=G9ns02AZ2vU Posted on YouTube on 29.04.18. Is this still working? Who has tested it? I would question any domain that is just .uk. Normally it looks like .co.uk, right?

General Discussion: Computer Forensics Investigation Process

In all honesty, if that is your first question, then you may want to hire someone to perform the investigation.

General Discussion: SQLite Forensics Book

On my list to purchase and read!

Mobile Phone Forensics: iCloud lock removal

It's a proxy server, which has a fake DNS resolving for *apple.com. If it is still working, you should be able to connect to it worldwide.

General Discussion: Computer Forensics Investigation Process

@MissIla: everybody started somewhere, and so do you. First you should have a university degree related to IT in general, then do some targeted forensics classes in a few fields. After having the basics needed, join a forensics company as an apprentice. Life will show the rest. Hopefully.

General Discussion: Destination drives smaller than the source drives

The day is finally here. Usually we buy 3gb HDDs in bulk and the image process is no problem. However, in one case right now the suspect had 4 disks, 8gb each. The destination drives are much smaller than the source drives. How would you guys go ahead and image these? In fragments using FTK Imager? Won't that be a mess anyway? I would need to mount 3 HDDs in order to index and examine the evidence. How will the fragments, i.e. 01.E01, 02.E01 etc., affect the hash values?