Channel: Forensic Focus Forums - Recent Topics

Mobile Phone Forensics: Qualcomm Download Mode 9006

Yes I know, I always try the simplest possible method. I just want to try this Qualcomm 9006 method in future cases when any other method fails.

General Discussion: RAID Metadata

There are pretty many tools with auto-detecting features to rebuild hardware or software RAIDs from raw images. We had great success with ReclaiMe RAID Recovery, Runtime RAID Reconstructor, R-Studio, etc. For software RAIDs, as JaredDM already posted, mdadm is your friend.

Mobile Phone Forensics: Best cables you have found?

What are the best cables for each connection type you have found? I found that ATT's USB C cable is incredibly reliable and not prone to any sort of connection issues. Also, any cable bought from a gas station in a pinch on a job will be incredibly expensive and not work lol.

General Discussion: Computer forensic issue

passcodeunlock wrote: @jaclaz: the questions sound weird because of the Google automatic translations, these students don't even know some English...

Maybe, but if that is the case (plain use of Google Translate or similar) the basic issue is not much different. If you post on a public board something Google translated without checking it, there are serious possibilities of replicating what Douglas Adams foresaw; careless speaking is not much different from careless posting ;)

Quote: It is, of course, well known, that careless talk costs lives. But the full scale of the problem is not always appreciated. At the very moment Arthur said: "I seem to be having difficulty with MY lifestyle" ... a freak wormhole opened up in the fabric of the space-time continuum, and carried his words far back in time ... across almost infinite reaches of space, to a distant galaxy where strange and warlike beings were poised on the brink of frightful interstellar battle. The two leaders were meeting for the last time. A silence fell across the conference table as the commander of the Vl'hurgs, in his red jewelled battle shorts, ... gazed levelly at the G'Gugvunt leader squatting opposite him in a cloud of green, sweet-smelling steam ... and, with a million be-weaponed star cruisers ... poised to unleash electric death at his single word of command .... challenged the vile creature to take back what it said ... about his mother. The creature stirred in its sickly, broiling vapour, and at that moment the words ... "I seem to be having difficulty with MY lifestyle," drifted across the table. Unfortunately, in the Vl'hurg tongue, this was the most dreadful insult imaginable ... and there was nothing for it but to fight terrible war!

Alpha males.

jaclaz

Mobile Phone Forensics: Best cables you have found?

Just for the record, no-name/untested USB-C cables are actually "dangerous" for the device, so it is NOT a good idea to buy them anyway. I guess that everyone knows the story of Benson Leung and his tests/reviews; in case: https://plus.google.com/collection/s0Inv Anyway, when it comes to USB-C, besides the tests by Benson, it is advised to check the cable for the TID (i.e. that it is certified) here: http://www.usb.org/kcompliance/view/USB%20Type-C%20Cable%20Certifications.pdf though of course fakes are always possible.

jaclaz

Digital Forensics Job Vacancies: Digital Specialist - Software Developer - LONDON

Job Title: Digital Specialist - Software Developer
Salary: £38,531 to £43,127 plus £2,930 location allowance. You will receive £38,531, the band minimum. Progress to the band maximum of £43,127 will be via incremental progression.
Location: West Brompton

Discover a software development role like no other

Today’s criminals and terrorists are more technically advanced than ever. As their methods change and evolve, Law Enforcement agencies must keep pace with digital progress to anticipate and neutralise threats. This pioneering work happens within Counter Terrorism Command – SO15’s TIDE, our Technical Innovation & Development Environment. And it’s here that you’ll be innovating as a Digital Specialist in Software Development. In this uniquely challenging setting, you’ll use your skills to help prevent terrorist attacks. If the worst happens and an attack occurs, you’ll be helping to bring the perpetrators to justice.

As a Software Developer, you’ll provide both tactical and strategic solutions to support counter-terrorism operations, working in a team with other software, hardware and cyber specialists. Together, you’ll create bespoke solutions, and also plan and prepare for emerging technological challenges. Your role could see you working with security partners both at home and abroad – and even supporting operations directly. You must therefore be prepared for extensive travel within the UK and further afield.

This exciting and varied work calls for a degree (or equivalent) in a STEM subject or experience in software development. Your expertise will cover some of the following areas:
· .NET (VB, C#, ASP.NET, .NET CORE)
· MVC Framework
· Python
· Java
· JavaScript (Node, React, Angular)
· LAMP Stack Development
· Working experience of Docker/containerization technologies
· Mobile and/or Desktop App Development
· Cryptography
· SQL / SQL Server
· NoSQL technologies (PostGres, ELK, mongo)

The only way to protect the country is by working together to meet the next technological challenge. You will therefore need the people skills to collaborate with experts from policing, government, academia, industry and the intelligence services.

To apply, please visit our website to download a role specific information pack and click on the link to complete and submit the online application form. You will also be required to submit a detailed CV and a personal statement. The nature of counter terrorism means that the post requires access to the most sensitive intelligence material on a daily basis. Applicants must hold or be prepared to undergo Developed Vetting (DV) before taking up the post. In approved circumstances dual nationals (of which one element is British) may also be considered.

Completed applications must be submitted by 23.59pm on Friday 15th July. Failure to supply all the relevant documents will result in your application being terminated.

We view diversity as fundamental to our success. To tackle today’s complex policing challenges we need a workforce made up from all of London’s communities. Applications from across the community are therefore essential.

For more information and to apply click here https://www.securityclearedjobs.com/job/801845980/digital-specialist-software-developer-/

General Discussion: RAID Metadata

aandroidtest wrote: Is there any specific metadata present in RAID disks to signify they are part of a RAID system? I saw like "LVM" which is Logical Volume Manager in some sectors. But other than that what other metadata is present on the disk to prove that it is part of a RAID system? Forensic tools can rebuild the RAID if all the disk images are available. If one is missing it can't detect? How to tell what the RAID config is from the disk, if possible?

It depends on the type of RAID, of course. A "recoverable" RAID (such as, for example, 5 or 6) can always be rebuilt even if one (or more) images are missing or corrupted; after all, that is the whole point of a "recoverable" RAID. And it is not like there are thousands of millions of possible configurations; all in all there are just a bunch of them, so even testing them all blindly won't take forever.

See also:
https://www.forensicfocus.com/Forums/viewtopic/t=12274/
https://www.forensicfocus.com/Forums/viewtopic/p=6583245/

jaclaz

Forensic Software: Encase 8.07 APFS

X-Ways 19.7 Preview 5 also has updated APFS support; try it on that and see if it gives the same result.

General Discussion: RAID Metadata

jaclaz wrote: And it is not like there are thousands of millions of possible configurations, all in all there are just a bunch of them so even testing them all blindly won't take forever.

If you're talking about 2-4 drives in a RAID 5 then yes, you are correct. However, if we're talking about large arrays then I'd beg to differ. Here are some numbers for you on the possible number of drive order combinations:
4 Drives = 24 possible combinations of drive order
6 Drives = 720 possible combinations
8 Drives = 40,320 possible
10 Drives = 3,628,800 possible
12 Drives = 479,001,600 possible
As you can see, the number of possible drive order rotations jumps exponentially. So by the time we're working on a 16 drive array we're into quadrillions of possibilities and brute force becomes impossible.

That's just the drive order. Then there's the other factors which all multiply the complexity. For RAID 5 it's not that many, just parity rotation scheme (4 different possibilities), block size (around a dozen possibilities) and parity delay (not used too often). But, if it's RAID 6, there are literally hundreds of ways it's implemented, and that's assuming you know the drive order. Is it Reed-Solomon or double XOR? Does the XOR parity block include the RS block? Is the RS block before or after the parity block? Is it single step or wide step parity rotation? That's why we've got to spend time reverse engineering this stuff so we can figure out some of it and only have to brute force the final bits. I've had to handle RAID cases where there were literally trillions of possible ways it could be combined. The only way we get it done is by reverse engineering the metadata, analyzing the layout of file system structures, and often writing custom software to brute-force what we can't figure out easily.
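The blind search JaredDM describes above (drive order times parity rotation times block size), as an added example that is not part of any post in this thread: a small Python model of RAID 5 that builds four constructed drive images, shuffles them, and recovers drive order and rotation scheme by trying every combination. The per-stripe XOR check is independent of drive order, so validation has to rely on sequence numbers embedded in the constructed data blocks, standing in for the file-system structures he mentions; the block size, the rotation names and the checksum constant are my assumptions.

```python
import functools
import itertools
import math

BLOCK = 16  # stripe unit size in bytes (constructed; real arrays use 4 KiB to 1 MiB)
# The four common RAID 5 parity rotations as (parity moves left?, symmetric?)
SCHEMES = {"left-asymmetric": (True, False), "left-symmetric": (True, True),
           "right-asymmetric": (False, False), "right-symmetric": (False, True)}

def config_count(n_drives, rotations=len(SCHEMES), block_sizes=12):
    """Size of a blind search: drive orders x parity rotations x block sizes."""
    return math.factorial(n_drives) * rotations * block_sizes

def stripe_map(n, s, scheme):
    """For stripe s on n drives: (parity drive, data drives in logical order)."""
    left, symmetric = SCHEMES[scheme]
    p = (n - 1 - s) % n if left else s % n
    if symmetric:  # data wraps around, starting on the drive after parity
        return p, [(p + 1 + i) % n for i in range(n - 1)]
    return p, [d for d in range(n) if d != p]  # data keeps the fixed drive order

def xor_blocks(blocks):
    """Byte-wise XOR of any number of equal-sized blocks (RAID 5 parity)."""
    return bytes(functools.reduce(int.__xor__, col) for col in zip(*blocks))

def make_volume(nblocks):
    """Constructed logical volume: each block carries its index and a checksum,
    standing in for file-system structures that carry sequence numbers."""
    return [i.to_bytes(4, "big") + ((i * 0x9E3779B1) & 0xFFFFFFFF).to_bytes(4, "big")
            + bytes(BLOCK - 8) for i in range(nblocks)]

def build_raid5(volume, n, scheme):
    """Write the volume across n drive images with parity (the ground truth)."""
    stripes = len(volume) // (n - 1)
    drives = [[None] * stripes for _ in range(n)]
    for s in range(stripes):
        p, data = stripe_map(n, s, scheme)
        chunk = volume[s * (n - 1):(s + 1) * (n - 1)]
        for d, blk in zip(data, chunk):
            drives[d][s] = blk
        drives[p][s] = xor_blocks(chunk)
    return drives

def parity_consistent(images):
    """Every stripe XORs to zero: confirms RAID 5 but says nothing about order."""
    return all(xor_blocks(col) == bytes(BLOCK) for col in zip(*images))

def reassemble(images, order, scheme):
    """Logical volume if images[order[d]] is logical drive d under this scheme."""
    vol = []
    for s in range(len(images[0])):
        _, data = stripe_map(len(order), s, scheme)
        vol.extend(images[order[d]][s] for d in data)
    return vol

def looks_sequential(volume):
    """Validation step: indices and checksums line up like intact FS metadata."""
    return volume == make_volume(len(volume))

def recover(images):
    """Try every drive order x rotation scheme; return the first that validates."""
    for order in itertools.permutations(range(len(images))):
        for scheme in SCHEMES:
            if looks_sequential(reassemble(images, order, scheme)):
                return order, scheme
    return None
```

With four images the search is 24 orders times 4 schemes; `config_count(12)` shows why the same loop is hopeless for a 12-drive array without first reverse engineering the metadata.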

Mobile Phone Forensics: PoC Exploit Samsung Android Phones

Yes, the MTP exploit is pretty decent, we had it in UFED since almost two years ago (August 2016) after we discovered it privately - that's what powered the "Partial File System" Samsung method. Several other vendors have added implementations a few months after it was publicly released in November 2017. Regarding the J320F/N950F with (or without) Secure Startup - we can provide lock-bypassing physicals with access to KNOX Secure Folder for these models and many others at CAS. Shahar

Mobile Phone Forensics: LG Secure Startup

As far as I know secure startup is additional encryption protection. If secure startup was enabled, the device will ask you for the password (required to generate the encryption key) during the boot process.

General Discussion: Handling data with legal privilege

I would appreciate some insight from the community on how to handle digital data from computers and mobile devices when legal privilege is raised after a seizure. I am working on a "best practices" guide for my organization since we are seeing more and more instances where legal privilege is raised after data is seized.

From experience, there are usually 2 ways that we deal with (potentially) privileged data after a seizure:
1- The seized party provides us with a list of keywords to exclude and we perform the search and exclude ourselves.
2- We provide the seized party with a filtered dataset where each email/document is identified with a unique identifier ("DocumentID"). The seized party reviews the dataset and provides us with a list / privilege log of the documents that they believe to be subject to client/attorney privilege. We then exclude the listed documents and provide the non-privileged data to the case investigators.

However, those processes bring their share of challenges whether we are dealing with mobile devices or computers / storage devices:

Keywords:
-- The "heat" is on the digital forensics team to perform the search and exclude without reading the content of the document.
-- Special characters
-- Spelling errors
-- Documents unable to OCR

Filtered Dataset:
-- Parent/child relationship (if a child is tagged as privileged, should the parent also be considered privileged?)

Mobile devices:
-- Cellebrite UFED is not very practical when dealing with privileged data. We saw that even though you might exclude some data from the report (in UFDR format), there still might be traces of that data kept in the file system or the databases.
-- In Cellebrite there is no way to have a unique "DocumentID" for each item exported in the UFDR. There is a "#" column, but it may vary from one report to the other depending on the number of items exported or the way the data is sorted in UFED PA.
-- In Cellebrite, there is no way to separate an attachment from its message.
-- There is always the option to output the report in a different format than UFDR (Excel, PDF, etc.), but then it becomes a pain to search through the data.

One of the solutions that we are looking into for mobile devices is to export a dataset from UFED PA into UFDR format, then input that UFDR into Nuix. From Nuix, we are able to produce an eDiscovery load file that we can send to the seized party and they can perform their review from their eDiscovery platform or manually by looking at the metadata fields in the load file and looking at the documents themselves. One advantage of that process is that there is a unique "DocumentID" for each item exported. Also, it's the same review method as for the computer items. The defense does not have to use UFED for mobile devices and another technique for computer items.

All in all, I would appreciate it if you guys could share your experience with dealing with privileged items. What worked? What did not work? Thanks

Mobile Phone Forensics: Touch 2, File System extraction repeating

Has anyone else had any issue with the File System data extractions on the Cellebrite UFED Touch 2? I've now had a few devices (current device LG Stylus 2 Plus) where the extraction goes just over 19MB, then restarts the phone and restarts the extraction. After 50 restarts, I had to end the insanity. My partner has run across the same issue. I'm wondering if the data collected is just repeated data, or if it is new data extracted each time, eventually coming to a complete FS extraction. Thoughts? Target device is a USB drive.

General Discussion: Handling data with legal privilege

Having had a few dealings with these sorts of cases, the stated case of R (McKenzie) v Director of Serious Fraud Office 2016 may help steer you in the right direction (which it sounds like you are heading anyway). "The scope of the duty upon a seizing authority was instead 'to devise and operate a system to isolate potential LPP material from bulk material lawfully in its possession, which can reasonably be expected to ensure that such material will not be read by members of the investigative team before it has been reviewed by an independent lawyer to establish whether privilege exists'." Seems to be the main conclusion. From my experience it can be quite difficult to be generic about how the data is filtered, whether by keywords or dates. It becomes even more difficult when the legal advisor is also suspected of criminality. The main lessons being: stop and think before revealing anything, and keep good notes about how you applied your processes.

Mobile Phone Forensics: LG Secure Startup

passcodeunlock wrote: If TWRP or other custom recovery was flashed (and there was dm-verity on), the error would be different, saying that the device must be factory reset. Flashing the recovery.img and boot.img from the original factory ROM to the device fixes this problem.

It may depend on the device. What you're describing happens on Samsung devices (not only, but I've only seen it like this on Samsung), which then show an error message saying that a factory reset is required, and yes, flashing the stock image (either boot or recovery, depending on what was changed) fixes it. With LG, at least that K8 2016, this was not the case. I tested this 3 times with the same result each time, on clean firmware. Right after I force flashed TWRP using LAF mode, the phone immediately started to ask for a password on boot. Flashing the stock recovery which I backed up before did not fix this. For some reason that's how it worked on that phone.

Quote: The OP didn't post anything saying that a custom recovery was flashed to the device, most probably it is the safe boot enabled from the Android settings.

I agree, which is why this is just a fun fact.

Quote: Faulty (physically destroyed) eMMC is very rare, even if trying to physically destroy a phone, it's pretty hard to externally smash the eMMC, because usually it is shielded with locally resistant metal shields. Bending or twisting the device could cause much more damage to the motherboard and its soldered components.

Physically destroyed eMMCs are rare. Faulty eMMCs are not. It can either be a corrupted firmware, bad firmware that'll lead to data corruption (Samsung Note, Note 2, S2, S3 etc.) or just corrupted data in an area that's required for the phone to boot. LG devices (older ones like L9, F60, Fino, L65, L/F70) were known for such issues and usually the area where boot.img was stored got corrupted. Usually, writing a boot.img solved the problem, but after 2 or 3 months the same issue repeated until boot.img cannot be written anymore or the whole eMMC goes read-only due to too many errors. It is possible that the userdata area gets corrupted and it'll lead to such an error (this was the case in older Samsung phones, like Galaxy S or S2 from what I remember). I had an LG K10 (2016) in the store last week that was stuck in a bootloop. It then died while flashing a new firmware and got stuck in 9008 mode. Checking the eMMC pointed to data corruption in the area where aboot.bin is stored. I was unable to write aboot.bin back in 9008 mode and it seemed to be a bad eMMC. I've seen reports from others who had the same problem.

General Discussion: RAID Metadata

JaredDM wrote: If you're talking about 2-4 drives in a RAID 5 then yes, you are correct. However, if we're talking about large arrays then I'd beg to differ. Here are some numbers for you on the possible number of drive order combinations: 4 Drives = 24 possible combinations of drive order 6 Drives = 720 possible combinations 8 Drives = 40,320 possible 10 Drives = 3,628,800 possible 12 Drives = 479,001,600 possible As you can see, the number of possible drive order rotation jumps exponentially. So by the time we're working on a 16 drive array we're into quadrillions of possibilities and brute force becomes impossible.

Sure :) I am talking of what the OP is likely going to find in the real world. I.e. IMHO 4-6 disks represent (outside enterprise datacenters) 95% to 99% of the RAIDs the OP will ever see in his life. And I don't consider drive order a common "variable". I mean, before taking the images it is normal to try and understand which order the disk drives have, and name the images image_01, image_02, etc. And usually these drives/images come from a given (hardware) RAID system, that only has a bunch of options. I will have to confess however that I have rarely (like in "never" :o ) seen myself a RAID with more than 6 disks, or if you prefer, if you have something more complex than a 4 disk or 6 disk RAID, you won't call me (nor the OP) for imaging or recovery. ;)

My earlier post is to be read in the context of this one-week-old thread by the same OP: https://www.forensicfocus.com/Forums/viewtopic/t=16687/ No need to scare him more than the bare minimum ...

jaclaz

Mobile Phone Forensics: Qualcomm Download Mode 9006

Yes, LG has LAF mode (download mode) which allows dumping data. LAF mode is also being limited with each firmware version, and phones that came with 7.0 (like Q6) have some useful commands cut out. "Many smartphones equipped with Qualcomm chip sets (except Samsung and LG) are equipped with a so-called Emergency Download Mode" - this is not entirely true. Both Samsung and LG have EDL mode. They do not have a simple key combination, and the so-called EDL cable doesn't force this mode either for most models, but it does work on G357 for example. In general, you can always reach it using a testpoint (described by @passcodeunlock) as this is a mode implemented by the CPU itself. What's missing are the correct loaders to utilize this mode to dump data. I haven't seen anything public for Samsung. You can find loaders for some LG devices at least up to the G6/Q6 series, as this method was used to remove FRP by Octoplus.

General Discussion: RAID Metadata

Real-life practice shows that "collapsed" or faulty RAIDs have a 50% chance of recovery, regardless of the RAID type or the number of disks used. Instead of building complicated RAIDs, which could still fail even if the odds are low, always have a RAID + an external (physically separated) backup!

General Discussion: Handling data with legal privilege

This makes no sense from what I consider forensics, since you put user interaction (filtering) with the original data in front of the integrity of the analyzed data! Never permit some user interaction to give the possibility of missing evidence! Evidence can't be trusted without 100% documentation of its sources, even if those sources might create other trouble. Put everything on the table, in an unassailable way; that is the forensic expert's role! Let the judges decide on everything, including considering evidence or not; that is their role!

Mobile Phone Forensics: Touch 2, File System extraction repeating

It is just a point of failure of the UFED Touch 2, trying to read or write something to the device, which fails and then triggers a reboot. The reboot looks like a safety implementation for not altering the device data in any way in case of failures, which is a very logical way to gain trust! If you are able to provide some logs, feel free to contact RonS or other tech people from Cellebrite. Their support is also good on known issues. On unknown issues... well, be patient!