tootypeg wrote:
I guess what I'm curious about here is, unlike DNA and finger marks, I don't seem to be able to find any high-profile cases where DF evidence has been crucial and it turned out to be bad.
Your restriction to 'high-profile' seems to limit the moment when 'it turned out to be bad' to very late in the judicial process, and probably at a time when the process had become public.
I suspect that in many cases points of contention are discovered and avoided as early as possible: possibly ambiguous digital evidence is replaced with definite evidence for something else. It simplifies the case, as long as the remaining evidence is strong enough.
It would, thus, be interesting (from a 'meta-forensic' perspective) to understand when that has happened, and with what effect. Particularly if the digital evidence was partially flawed in some respect.
However ...
The Pirate Bay case in Sweden (2008) had a very surprising moment, when something like half of the charges were dropped (those related to copyright infringement?), because the prosecutor could not show that torrent files in evidence actually used the PB tracker. (I may misremember actual details of what was dropped -- but there certainly was a major moment of surprise early in the case that caused a lot of discussion.)
It probably doesn't fit the 'crucial' restriction completely, as the case went on.
↧
General Discussion: has DF ever had any high-profile fails?
↧
General Discussion: How do i Extract a jpg from an unallocated directory
etiennem wrote:
Oops - I didn't check the URL.
I use Gary Kessler's website to extract all kinds of files from the dd image. The search can also be done in a hex viewer.
Searching for the footer or trailer is not even necessary; just select a large part and add the appropriate footer at the end of the file.
https://www.garykessler.net/library/file_sigs.html
Yep, that is a very good source for this info.
Hex viewers/editors are usually slowish when searching; a tool that is suitable and works just fine/fast is gsar (in Windows):
http://tjaberg.com/
though unfortunately it has some limitations with the offsets, so it is a problem going through largish disk images because addresses "wrap" around.
jaclaz
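The header/footer carving that etiennem and jaclaz describe, as an added example (not code from the thread): scan a raw image for the JPEG start-of-image signature FF D8 FF and the end-of-image signature FF D9 from Gary Kessler's table, and when a header has no footer, cut at a size cap and append the footer, which is the trick suggested above. The sample "disk image" is constructed inline; the size cap is an assumption.

```python
"""Header/footer carving of JPEG files from a raw (dd) image.

Added example, not from the thread. Signatures are the standard JPEG
SOI (FF D8 FF) and EOI (FF D9) markers listed on Gary Kessler's page.
"""
from pathlib import Path
from typing import List, Tuple

JPEG_SOI = b"\xff\xd8\xff"      # start of image, followed by an APPn marker byte
JPEG_EOI = b"\xff\xd9"          # end of image
DEFAULT_MAX = 16 * 1024 * 1024  # cap for a header with no footer (assumption)


def carve_jpegs(image: bytes, max_size: int = DEFAULT_MAX) -> List[Tuple[int, bytes]]:
    """Return (offset, data) for every JPEG found by scanning SOI ... EOI.

    If no EOI follows a header within max_size bytes, the chunk is cut at
    max_size and an EOI is appended ("add the appropriate footer at the
    end"); most viewers will still render what was recovered.
    """
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        limit = min(len(image), start + max_size)
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), limit)
        if end == -1:
            found.append((start, image[start:limit] + JPEG_EOI))
            pos = limit
        else:
            end += len(JPEG_EOI)
            found.append((start, image[start:end]))
            pos = end
    return found


def carve_to_dir(image_path: str, out_dir: str) -> int:
    """Carve every JPEG from image_path into out_dir, named by byte offset."""
    data = Path(image_path).read_bytes()  # fine for images that fit in RAM; use mmap otherwise
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    carved = carve_jpegs(data)
    for offset, blob in carved:
        (out / f"{offset:012x}.jpg").write_bytes(blob)
    return len(carved)


# Constructed sample "disk image": filler, two JPEG-shaped blobs, and a false
# start (FF D8 not followed by FF) that the 3-byte signature must skip.
SAMPLE_JPG1 = b"\xff\xd8\xff\xe0" + b"JFIF-payload-1" + JPEG_EOI
SAMPLE_JPG2 = b"\xff\xd8\xff\xe1" + b"Exif-payload-2" + JPEG_EOI
FILLER = b"\x00" * 512
SAMPLE_IMAGE = FILLER + SAMPLE_JPG1 + FILLER + b"noise\xff\xd8" + FILLER + SAMPLE_JPG2 + FILLER

if __name__ == "__main__":
    for offset, blob in carve_jpegs(SAMPLE_IMAGE):
        print(f"JPEG at offset 0x{offset:x}, {len(blob)} bytes")
```

Two caveats a practitioner will hit: a JPEG with an EXIF thumbnail contains a second SOI/EOI pair inside it, so the first FF D9 found may belong to the thumbnail and truncate the outer picture (a segment-length-aware parser fixes that); and on a fragmented file system the bytes between header and footer are not guaranteed to be one file, so carved output is a lead, not a reconstruction.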
↧
Digital Forensics Job Vacancies: Digital Evidence Recovery Technician (NOTTINGHAM)
Please see the full advert at link below. Closing date is 22nd June
Main Purpose of Role:
Examination of mobile devices, computer triage, data recovery from other digital devices.
To assist in conducting the forensic examination of computers and other hi-tech digital devices for evidence in support of criminal investigations. To provide technical support to other investigators in order to give the Force an effective response to the investigation of all crimes that contain a hi-tech element.
Key Skills & Experience Required:
You will have knowledge of the range of tools and data extraction techniques used in digital forensics. You will understand the Regulation of Investigatory Powers Act, PACE powers and Human Rights legislation under which we operate.
Good organisational skills and an ability to prioritise high workloads with limited supervision will be essential.
You will have qualifications in an appropriate related discipline or relevant on the job experience
https://atsv7.wcn.co.uk/search_engine/jobs.cgi?SID=amNvZGU9MTczMjI2NCZ2dF90ZW1wbGF0ZT0xNDM5Jm93bmVyPTUwNjMwMDkmb3duZXJ0eXBlPWZhaXImYnJhbmRfaWQ9MCZwb3N0aW5nX2NvZGU9NzI5
↧
Mobile Phone Forensics: PoC Exploit Samsung Android Phones
I got a Samsung Galaxy J7 2016 (J710FN) with a broken screen. The phone is working but I can't see anything. I used this MTPwn exploit and it worked. It listed the phone's files and downloaded one random file.
My question is how to customize this exploit to download all the visible, listed files?
↧
Mobile Phone Forensics: Wiko Jerry Phone Bypass
I have Wiko Jerry Phone with USB Debugging mode disabled.
It has a locked bootloader so I can't flash or boot TWRP.
It has Android 6.0 from the factory so the device is encrypted by default.
It is MediaTek MT6580 so I was trying the MTK hack to get a physical image using MobilEdit Forensic Express (I know it would probably be encrypted) but it won't work for this model.
It has pattern screen lock.
Any suggestion how to bypass the screen lock ?
↧
General Discussion: has DF ever had any high-profile fails?
tootypeg wrote:
I guess what I'm curious about here is, unlike DNA and finger marks, I don't seem to be able to find any high-profile cases where DF evidence has been crucial and it turned out to be bad.
This goes right along with some things I've been looking at myself over the past few years.
While not "high profile" cases, I have to wonder, particularly in the private/commercial sector, who determines "quality" in a DFIR report?
Again, not "high profile", but when a consulting organization responds to an incident or performs even a small modicum of DF analysis (one image, or just logs), who determines 'quality'? If logs are sent to an expert for analysis, who determines the quality of the findings or report?
Over my career, I've seen a number of reports where, once I get past issues of spelling and grammar, I can see that everything was done poorly from the beginning...data collection, analysis, documentation of findings, reporting...all of it.
Yes, I know that in the private sector especially, there are instances where the analyst has little say over the data that they're provided; however, I have seen a number of cases where analysts have either run a data collection script, or sent it to the client to run, and that script is where things start going 'bad'.
So...who determines the "quality" of a report?
↧
Mobile Phone Forensics: S7 Edge secure startup
Samsung S7 Edge Android 7.0
G935FXXS2DRC3
Handset requires PIN on Boot
Any suggestions much appreciated.
Ive tried
1 to 6 Digit pin
4,5,6 and 7 digit pins
Was partially through 8 digits
Very time consuming
Thoughts / ideas much appreciated
↧
Mobile Phone Forensics: Huawei P9 (PRA-LX1) Screen Lock Bypass
Thomass30 wrote:
Hello,
I have Huawei P9 Lite (PRA-LX1) with FRP Lock, USB Debugging mode disabled and locked bootloader.
Based on gsmarena it is:
Android 7.0 so the device is encrypted by default
HiSilicon Kirin 650 Chipset
The device is PIN screen locked.
JTAG or Chip-off gives me encrypted raw image so it's useless.
Is this a possibility to get some user data from this model ?
Maybe some exploit for this kind of chipsets ?
(I dont have access to Cellebrite UFED)
NO, IT IS NOT USELESS. IF YOU CAN PROVIDE THE DEVICE AND A PHYSICAL DUMP OF ITS EMMC, WE MIGHT BE ABLE TO ACCESS THE USER PARTITION DECRYPTED!!!
↧
Mobile Phone Forensics: Wiko Jerry Phone Bypass
With a little luck, the extraction will contain decrypted user data.
↧
General Discussion: Blue Whale Event
the auto translator helped me to explain what I mean? Anyway...
I know how to do the technical analysis. I want private information like key words.
↧
Mobile Phone Forensics: Uni Android Tool
He posted a link to a cracked version (so it seems). I have had a legit license for nearly a year, which is why I'm asking what exactly he's expecting. In general, the software seems to be freely available solutions found on the net compacted into one binary with some custom stuff like a partition manager for MTK and Qualcomm based phones + some rare firehose loaders. No fancy forensic type features included.
↧
General Discussion: Memory Forensics (Volatility) - Dst port 445 to public IP
Hi,
On a server running Windows 2012R2 I use SysInternal's tcpview.exe and see SYSTEM PID 4 making unwanted connections to random public IPs on port 445. Lines appear for a few seconds, then disappear.
When watching Sysinternal's Process Explorer during that same time frame I see no new process appearing and disappearing. Even a simple netstat will give you that info (SYSTEM is trying to connect to external IPs on port 445).
If I shut down a specific service related to remote log collection, the strange connections stop. The service's role is to connect to internal servers to poll for Windows event logs.
So you have SYSTEM connecting to both internal IPs (which is ok) and external IPs (which is not okay). Even the vendor's tech was unable to figure out what's happening. It is apparently not a configuration issue. I have multiple similar servers doing the same job with the exact same setup and configuration and only this one is acting up.
I dived into memory forensics but can't find a strangely named process, or an improperly located executable, nor a bad DLL. 'malfind' shows nothing suspicious (as per the notes I have from SANS 508). Netscan shows me data but I end up with lines like this which I do not find useful (unless I can make use of the memory offset value?):
0x1363b0a00 TCPv4 _server_IP_:64242 80.106.26.167:445 CLOSED 4 System
Any suggestions?
Thanks,
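Turning the netscan line in the question into a repeatable check, as an added example (not from the thread): parse netscan output and flag every socket owned by PID 4 whose foreign endpoint is port 445 on a globally routable address, which separates the internal log-collection traffic (expected) from the external connections (not expected). The column layout assumed is Volatility 2's netscan (Offset Proto LocalAddr ForeignAddr [State] Pid Owner [Created]); the sample output below is constructed, with the question's own line first and a placeholder local address.

```python
"""Triage Volatility netscan output for SYSTEM (PID 4) SMB connections to public IPs.

Added example, not from the thread. Assumed column layout (Volatility 2 netscan):
Offset Proto LocalAddr ForeignAddr [State] Pid Owner [Created]
TCP rows carry State, UDP rows do not.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample. Line 1 is the one quoted in the question (local address
# replaced by a placeholder); the rest are made up for contrast.
SAMPLE_NETSCAN = """\
Offset(P)   Proto  Local Address   Foreign Address  State   Pid  Owner  Created
0x1363b0a00 TCPv4 10.0.0.5:64242 80.106.26.167:445 CLOSED 4 System
0x1363b0b00 TCPv4 10.0.0.5:64243 10.0.0.12:445 ESTABLISHED 4 System
0x1363b0c00 TCPv4 10.0.0.5:49152 203.0.113.9:443 ESTABLISHED 1234 svchost.exe 2018-06-01 10:00:00 UTC+0000
0x1363b0d00 UDPv4 0.0.0.0:137 *:* 4 System
"""


def parse_netscan(text: str) -> List[Dict[str, object]]:
    """Parse netscan lines into dicts; header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("0x"):
            continue
        offset, proto, local, foreign = f[:4]
        if proto.upper().startswith("TCP"):
            if len(f) < 7:
                continue
            state, pid, owner, created = f[4], f[5], f[6], " ".join(f[7:])
        else:
            state, pid, owner, created = "", f[4], f[5], " ".join(f[6:])
        if not pid.isdigit():
            continue
        rows.append({"offset": offset, "proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid), "owner": owner, "created": created})
    return rows


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'80.106.26.167:445' -> ('80.106.26.167', 445); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def is_public(host: str) -> bool:
    """True for globally routable addresses; RFC1918, loopback, 0.0.0.0, '*' are not."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def find_system_smb_to_public(rows: List[Dict[str, object]], port: int = 445,
                              pid: int = 4) -> List[Dict[str, object]]:
    """Sockets owned by `pid` whose foreign side is `port` on a public address."""
    hits = []
    for r in rows:
        host, fport = split_endpoint(str(r["foreign"]))
        if fport == port and r["pid"] == pid and is_public(host):
            hits.append(r)
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count hits per foreign host, so repeat destinations stand out."""
    return dict(Counter(split_endpoint(str(h["foreign"]))[0] for h in hits))


if __name__ == "__main__":
    hits = find_system_smb_to_public(parse_netscan(SAMPLE_NETSCAN))
    for h in hits:
        print(f'{h["offset"]} {h["local"]} -> {h["foreign"]} {h["state"]} pid={h["pid"]}')
    print(summarize(hits))
```

Run it over the saved plugin output (`vol.py -f mem.raw --profile=Win2012R2x64 netscan > netscan.txt`) rather than the sample. The offset in each line is the address of the endpoint object netscan found, which can be examined in volshell, but it won't tell you which service inside PID 4 opened the socket; since the connections stop when the log-collection service stops, the more useful pivot is what that service is resolving: compare the destination list from this script against the hosts the service is configured to poll and against the DNS cache on the box, so that a stale or wrong resolution can be ruled out before treating it as an implant.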
↧
Mobile Phone Forensics: Apple iPhone location services log
iphone 6 (A1549) ios 9.3.1
iphone 6s (A1668) ios 9.3.1
↧
Mobile Phone Forensics: MTPwn exploit customize
Hello,
Has someone who has used this MTPwn exploit, written in C (https://github.com/smeso/MTPwn),
customized it in a way that makes it possible to pull all the listed files from the device?
The current version of it only lists the paths and names of files on the device and downloads one random file.
If the exploit can pull one file, it can pull all of them. But how to do it?
↧
Digital Forensics Job Vacancies: Digital Forensic Analyst, £25k - £30K, Wakefield
I have a very exciting opportunity for an experienced Digital Forensic Analyst to join one of the UK's leading Digital Forensic organisations. Salary very competitive, attracting someone with the necessary ambition and drive to take on a very exciting challenge.
You will be dealing with Law Enforcement and Government Agencies, Corporate and Legal firms. Casework may involve dealing with data of a sensitive nature which may be offensive and distressing (e.g. Images of Child abuse).
The role will cover all aspects of Digital Forensics and the successful candidate will be responsible for acquiring & investigating a wide range of electronic evidence together with the monitoring of staff and the development of new analytical methods and processes.
Key Skills:
• At least two years’ experience of undertaking digital forensic analysis of computers within a Public or Private sector role;
• Have excellent knowledge of digital hardware, experience in different file systems & operating systems artefacts;
• Knowledge of the laws & principles of digital forensics & electronic evidence;
• Be meticulous, have a highly analytical and enquiring mind,
• Review tools, in particular Cellebrite or Oxygen, X-Ways or EnCase and Nuix.
• Programming \ EnScript experience advantageous;
• eDiscovery experience advantageous;
• Able to work independently but also a good team player;
Call or email on 0203 7622230 / joe.rowley@fitzroysolutions.com
↧
Mobile Phone Forensics: Wiko Jerry Phone Bypass
Yes, it does have OTG support.
↧
General Discussion: Memory Forensics (Volatility) - Dst port 445 to public IP
Have you checked persistence mechanisms, particularly the AppCompatFlags? I assisted with a case a few months ago where we had similar activity, and it turned out to be this:
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
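The AppCompatFlags check suggested above, as an added example (not from the thread or the linked FireEye write-up): parse a `reg export` of the AppCompatFlags key offline and list every executable that has a custom shim database (SDB) registered against it, with the SDB's on-disk path. The key layout assumed is what sdbinst writes, Custom\<target.exe> holding a "{GUID}.sdb" value and InstalledSDB\{GUID} holding DatabasePath and DatabaseDescription; the .reg text below is constructed, and the GUID, path and description in it are made up.

```python
"""Report custom application-compatibility shims (SDBs) from a registry export.

Added example, not from the thread. Parses .reg text offline, so it runs on an
analyst workstation against an export taken from the suspect host.
Assumed layout (what sdbinst writes):
  ...\AppCompatFlags\Custom\<target.exe>   value "{GUID}.sdb"
  ...\AppCompatFlags\InstalledSDB\{GUID}   values DatabasePath, DatabaseDescription
"""
from typing import Dict, List

APPCOMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
CUSTOM_KEY = APPCOMPAT + "\\Custom\\"
INSTALLED_KEY = APPCOMPAT + "\\InstalledSDB\\"

# Constructed .reg export; GUID, path and description are made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\svchost.exe]
"{11111111-2222-3333-4444-555555555555}.sdb"=hex(b):00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{11111111-2222-3333-4444-555555555555}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\{11111111-2222-3333-4444-555555555555}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="Windows Update Helper"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key_path: {value_name: raw_value_text}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, value = line[1:].partition('"=')
            keys[current][name] = value
    return keys


def reg_string(value: str) -> str:
    """Unquote a .reg string value and undo its doubled backslashes."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace("\\\\", "\\")
    return value


def find_custom_shims(keys: Dict[str, Dict[str, str]]) -> List[Dict[str, object]]:
    """Join Custom\\<exe> entries to InstalledSDB\\{GUID} entries."""
    installed: Dict[str, Dict[str, str]] = {}
    for key, vals in keys.items():
        if key.lower().startswith(INSTALLED_KEY.lower()):
            guid = key[len(INSTALLED_KEY):].lower()
            installed[guid] = {
                "path": reg_string(vals.get("DatabasePath", "")),
                "description": reg_string(vals.get("DatabaseDescription", "")),
            }
    findings = []
    for key, vals in keys.items():
        if key.lower().startswith(CUSTOM_KEY.lower()):
            target = key[len(CUSTOM_KEY):]
            for name in vals:
                low = name.lower()
                guid = low[:-4] if low.endswith(".sdb") else low
                info = installed.get(guid, {"path": "", "description": ""})
                findings.append({"target": target, "sdb": guid, "path": info["path"],
                                 "description": info["description"],
                                 "registered": guid in installed})
    return findings


if __name__ == "__main__":
    for f in find_custom_shims(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f'{f["target"]} shimmed by {f["sdb"]} -> {f["path"]} ({f["description"]})')
```

On the live host the export is `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" appcompat.reg` (reg.exe writes UTF-16, so open it with `encoding="utf-16"`); from a dead-box image, export the same key from the SOFTWARE hive. On a server that has never had compatibility fixes deployed, any entry this prints deserves an explanation, and the .sdb file it points at should be pulled and examined, since the shim itself is where an injected payload would live.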
↧
Digital Forensics Job Vacancies: eDiscovery Project Manager, London, circa £80k
I’m looking for a Project Manager in the eDiscovery space to manage casework in Relativity through both active casework and management of Junior Project Managers. The qualified candidate should have administrative experience with Relativity including at minimum, adding & editing fields, choices, searches, STRs, batch sets & batches, indexes, and production sets. Additionally, knowledge of custom objects, image sets, OCR sets, and event handlers is a plus. This position will include working alongside a variety of case team members and may include attorneys, company or government representatives, and other legal staff. It also includes a management aspect, leading a small team of project managers to properly delegate, staff, and complete case work. The candidate for this position should have a strong understanding of the EDRM and have familiarity with researching, designing, and adhering to different ESI protocols.
Some example job duties and responsibilities include:
• Manage eDiscovery and litigation projects within the Relativity document review platform
• Lead a team of project managers to successfully staff and complete case work as necessary
• Work closely with data engineering team and other staff members to complete complex projects in a fast-paced, deadline-driven environment
• Evaluate projects for use of analytics and provide workflows for implementation and use
• Use industry standard processes to facilitate document reviews, ECA workflows, and document productions
• Provide reporting to case administrators related to workspace metrics, user activity, or other requested document based metrics
• Perform quality checks and detailed analysis on work product prior to document production or additional levels of review
• Provide consultation to case teams for document review, production, and data searching workflows
EXPERIENCE & QUALIFICATIONS:
• 3+ years administrator experience with Relativity
• Understanding of the electronic discovery reference model (EDRM)
• General knowledge of litigation support industry
• Ability to communicate effectively and tactfully both verbally and in written format to team members and technical/non-technical individuals
• Ability to work effectively under pressure in time-sensitive situations and prioritize multiple projects with similar deadlines
• Relativity Certified Administrator certificate
• Relativity Certified User certificate
• Experience with basic scripting in XML, Java, HTML languages
Email me on joe.rowley@fitzroysolutions.com
↧
Mobile Phone Forensics: Huawei P9 (PRA-LX1) Screen Lock Bypass
I also wrote "we might be able to access the user data partition decrypted". We can be 100% sure only after the success doing it is achieved.
↧
Education and Training: PhD Cybercrime Topics
itprofessional1940 wrote:
My question to the forum, is I would like to hone in on specific methodologies, and if someone already knows methodologies please list them below.
Sniper Forensics
↧