These guys were selling access to 2 of the 3 telco networks in Australia. They used LinkedIn to target mainly private investigators. They could access 3-year-old itemised billing statements, which included the confirmation of address, which was a major privacy issue.
The telcos knew about this but struggled to investigate it due to the jurisdiction issues. The AU federal police got involved and about 12 months later the first arrests started happening.
Mobile Phone Forensics: Illegally selling CDRs
Mobile Phone Forensics: recovery image quest
@gehlen: whatever, it's your call, I was one of the very few people who actually knows what you were asking for and also might be able to help you, but since you are such a smart ass, I won't spend my time on you with this attitude!
Do what JaredDM said...
Mobile Phone Forensics: iPad and iPhone in 'Activate' mode after factory reset
If the case is important I doubt that a picture like that would be taken into consideration.
Try the Apple service, you have nothing to lose and you could end up with an official paper from them stating that the device has no active user data.
Mobile Phone Forensics: recovery image quest
Even if it is true, I do not care about me. There are people who know there are more important things in this world than being selfish. (See JaredDM.)
Don't make a shadow over me.
I wouldn't want anything else... Diogenes
Good bye
General Discussion: Encrypted Mac image missing Recovery HDD and Un-mountable
Hello all
I'm a digital forensics analyst and am experienced in mainly Windows platforms and mobile devices. Today I have a problem on a Mac image which I'm hoping to pick your brain on.
Our firm currently has this project going on involving a number of mobile devices and laptop images. One of the exhibits we received is a ~250 GB .img disk image created using dc3dd by the client. It contains 3 partitions named EFI System, Customer and (sorry, can’t remember the third one). The Customer partition is the largest in size and is believed to be the main partition for OS and user files. Here’s the problem:
- When we loaded this image into EnCase, we can see the partitions but no data at all, which is an indication that the partition is encrypted
- Based on the naming of the partitions we believe the disk image to be of a Mac which would mean it’s protected by FileVault2. However, there isn’t a ‘Recovery HD’ partition as Mac FileVault2 images usually would, nor does any of the partitions contain a .plist.wipekey file for decryption
- We tried mounting it on a macOS virtual machine running High Sierra (in an attempt to decrypt it using MacQuisition), using the native mounting tool; however, the process would start and be aborted automatically midway. There was no error prompt at all
Some more facts:
- the Mac VM has MacFUSE installed, to handle potentially different filesystems
- the .img file is sitting on a Win10 host and accessed by the Mac guest VM via the VMware shared folder utility
- this VMDK is 80 GB in size
We have yet to try: 1) expanding the Mac VM’s virtual disk to larger than the size of the .img file, and 2) mounting the .img on a Linux machine.
Have any of you come across an image/situation such as the above? I'd be very interested to hear how you dealt with the image/situation, or any suggestion at all on possible next steps to try. Thanks so much in advance!
Cheers,
Jessie
Mobile Phone Forensics: Illegally selling CDRs
badgerau wrote:
These guys were selling access to 2 of the 3 telco networks in Australia. They used LinkedIn to target mainly private investigators. They could access 3-year-old itemised billing statements, which included the confirmation of address, which was a major privacy issue.
The telcos knew about this but struggled to investigate it due to the jurisdiction issues. The AU federal police got involved and about 12 months later the first arrests started happening.
Thanks for the update. Do you know if a report has been or will be issued identifying more details?
I say that because itemised billing is not a CDR. A CDR is recorded by the DCM data capture machine at the switch (the exchange). The CDR is then harvested data (an 'image' if you will) and subjected to 'treatment' such as 'conversion', 'reconciliation', 'removal' of extraneous data, sent for 'abstraction' and then 'addition' for inclusion of customer name, pricing, etc. Pretty far removed from the stage of real evidence. Come what may, the itemised billing in evidence is not the original at this stage but contains elements from the original.
Mobile Phone Forensics: S7 Edge secure startup
Thank you for all your input and suggestions
I'm currently finishing the 8-digit PIN dictionary as I type.
Moving on to the 9-digit dictionary soon.
Oh the joys.
I'll keep you informed of my progress.
OR
The sun will burn out before I finish and it will not matter.
Mobile Phone Forensics: Whatsapp ChatSearchV3 sqlite database
I would suggest it's the search function within WhatsApp. On Android, if you open your conversation view, at the top is a magnifying glass (search function).
Typing words in there brings up messages (from all current chats) which contain the words you searched.
Therefore any chats deleted after the search will have the searched items referenced in the ChatSearch V3 table. So not the full conversation, but only messages containing the searched items.
Hope this helps a little.
I'm currently running some tests to confirm this.
Mobile Phone Forensics: S7 Edge secure startup
shahartal wrote:
No, this will never work on a Secure Startup phone (given it was properly identified as one).
Secure Startup means it is actually encrypted with the user passcode, therefore there is no way around discovering the passcode, and engboot will give you root but a fully encrypted user data partition.
If you have a valid brute force method, that’s the only way in.
That is the only way in known by you, maybe :)
If there is an encrypted binary dump, we can in many cases decrypt the encrypted user data partition, no matter the Android version.
We also fail sometimes, that's part of the game, but at least we don't pretend to know everything!
General Discussion: OSX Recovery of Deleted User / Time Machine Backup
cs1337 wrote:
We also have a Time Machine backup from the system we can attempt to restore, but I'm not sure if this is just going to give us user generated files and not necessarily any type of activity information.
Restoring deleted items from Mac systems has always been more difficult and less successful compared to your standard Windows machine because of the differences in file systems...
What I would recommend is restoring the Time Machine backup onto a different machine and then performing your analysis there. Time Machine will indeed restore both the user generated content and system files that can be used to draw conclusions from. I would start by looking at FSEvents logs, both on the machine that you have right now and also in the backup. It can give you a good view into recent file system operations.
https://github.com/dlcowen/FSEventsParser
General Discussion: Encrypted Mac image missing Recovery HDD and Un-mountable
My clues would be that you got a corrupt image or the problem is around FileVault2 and APFS.
Mobile Phone Forensics: Whatsapp ChatSearchV3 sqlite database
I totally agree with you.
The mainstream software concentrates on the actual databases where, for want of a better term, the data sits re messaging.
They do not look at all databases relating to an application.
Hence a good rummage through all databases is very worthwhile.
PS: each message in the "docs_content" table has a "docid" associated with it. This id in the "metadata" table has a date/time value (seconds from 2001).
Also it looks like the "c1Chatsession" column relates to the chat the message is associated with.
If it is a group chat, the first part is the id of the chat creator, i.e. 44111111111-1012345678@g.us
I.e. the 4411111111 is the creator of the group chat
I think the 1012345678 is a unique ID
Together they make up the chat ID
Therefore without the original chat it is difficult to say who sent the message (re data in the chatsearch db)
An ID of 4411111111@s.whatsapp.net is purely a chat with only two individuals, i.e. the handset being examined and the "other party".
The id should be the telephone number of the "other party"
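Pulling the two observations in this thread together (search hits live in "docs_content" keyed by "docid", the matching "metadata" row carries a timestamp in seconds since 2001, and "c1Chatsession" holds either a "creator-uniqueid@g.us" group ID or a "number@s.whatsapp.net" one-to-one ID), the following is an added example showing how to join and decode such a database. It is not code from the thread or from any forensic product; only "docs_content", "metadata", "docid" and "c1Chatsession" come from the posts above, while the column names c0Content and timestamp and the sample rows are constructed assumptions.

```python
"""Decode search hits from a WhatsApp ChatSearchV3-style SQLite database.

Added example. Assumed (not from the thread): the column names c0Content and
timestamp, and the sample rows. From the thread: tables docs_content and
metadata, the docid key, the c1Chatsession column, and the 2001 epoch.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Apple/Core Foundation absolute time: seconds since 2001-01-01 00:00:00 UTC
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_seconds_to_utc(secs):
    """Convert a 'seconds from 2001' value to an ISO-8601 UTC string."""
    return (APPLE_EPOCH + timedelta(seconds=secs)).isoformat()


def classify_session(session_id):
    """Interpret a chat session ID as described in the thread: a '@g.us' ID is
    a group (creator number, then a unique group ID after the dash); a
    '@s.whatsapp.net' ID is a one-to-one chat with that number."""
    local, _, domain = session_id.rpartition("@")
    if domain == "g.us":
        creator, _, group_id = local.partition("-")
        return {"kind": "group", "creator": creator, "group_id": group_id}
    if domain == "s.whatsapp.net":
        return {"kind": "direct", "other_party": local}
    return {"kind": "unknown", "raw": session_id}


def build_sample_db():
    """Constructed in-memory sample; a real case would open the copied .sqlite."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE docs_content (docid INTEGER PRIMARY KEY, c0Content TEXT,
                                   c1Chatsession TEXT);
        CREATE TABLE metadata (docid INTEGER PRIMARY KEY, timestamp REAL);
    """)
    rows = [  # (docid, text, session, apple_seconds) - constructed values
        (1, "meet at the usual place", "44111111111-1012345678@g.us", 551000000.0),
        (2, "sent the documents", "4411111111@s.whatsapp.net", 551003600.0),
        (3, "hit with no metadata row", "4422222222@s.whatsapp.net", None),
    ]
    for docid, text, session, ts in rows:
        con.execute("INSERT INTO docs_content VALUES (?, ?, ?)", (docid, text, session))
        if ts is not None:
            con.execute("INSERT INTO metadata VALUES (?, ?)", (docid, ts))
    return con


def extract_hits(con):
    """Join every search hit to its timestamp (LEFT JOIN keeps hits whose
    metadata row is gone) and decode the chat session it belongs to."""
    sql = """SELECT d.docid, d.c0Content, d.c1Chatsession, m.timestamp
             FROM docs_content AS d
             LEFT JOIN metadata AS m ON m.docid = d.docid
             ORDER BY d.docid"""
    hits = []
    for docid, text, session, ts in con.execute(sql):
        hits.append({
            "docid": docid,
            "text": text,
            "session": classify_session(session),
            "time_utc": apple_seconds_to_utc(ts) if ts is not None else None,
        })
    return hits


if __name__ == "__main__":
    for hit in extract_hits(build_sample_db()):
        print(hit)
```

Two caveats from the thread carry over: the table only contains messages that matched a search term, not whole conversations, and the session ID tells you which chat a hit came from but not which participant sent it, so treat the output as a pointer back to the primary message store rather than a substitute for it.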
General Discussion: Encrypted Mac image missing Recovery HDD and Un-mountable
Between Axiom (FV2 on HFS+) and BlackLight (FileVault on APFS) you should be covered. But either way you need the password.
General Discussion: Password-Protected Windows 10
JimC wrote:
Thank you @Jaclaz for the helpful summary of the different methods.
Methods (1) and (2) both provide a system-level command prompt at the login screen. This can be used to reset an account password. Method (3) bypasses this and permits login with any password. The end result is almost the same, and all 3 methods require file system access to an unencrypted OS volume.
However, something which I don't think has been mentioned yet is that once the password has been changed (or bypassed) you will no longer have access to EFS encrypted data or other secrets protected by the Windows credential manager.
I would be interested to learn from other practitioners if this scenario has come up or is changing/bypassing the password sufficient in practice despite the limitation?
Jim
www.binarymarkup.com
If you don't want to lose access to EFS encrypted files or stored network/browser passwords, you have no other way but to recover the old password. Besides using Ophcrack to crack the password using rainbow tables, you can also use the following software to recover your password with GPU hardware acceleration:
RainbowCrack - http://project-rainbowcrack.com/
Hashcat - https://hashcat.net/hashcat/
Password Recovery Bundle - https://www.top-password.com/guide/windows-password-recovery.html
Proactive System Password Recovery - https://www.elcomsoft.com/pspr.html
A high-end graphics card can boost the cracking speed a lot.
Mobile Phone Forensics: Whatsapp ChatSearchV3 sqlite database
Hi Paul
Fantastic.
We've been scratching our collective brain cell to figure it out.
Very much appreciated.
Kind regards
Paul
Mobile Phone Forensics: S7 Edge secure startup
You are free to take my words or not
Yes, some cases can be decrypted offline, but *not* on phones where the encryption key is derived from a hardware key and the user passcode (= Secure Startup).
People usually confuse Secure Boot with Secure Startup, they are not the same thing.
Digital Forensics Job Vacancies: Experienced Digital Forensicator in Atlanta - Fortune 500
The Lead Forensics Analyst is a leadership position that will focus on maturing and managing forensic processes, procedures, and workflows. The Lead Forensics Analyst will be in charge of introducing and enforcing cutting edge digital forensics and eDiscovery best practices.
Responsibilities Include:
Refining current Digital Forensics and eDiscovery processes and procedures
Establishing a hardworking and passion driven culture on the Forensics team
Auditing the work quality of analyst and peers
Conducting internal investigations through the use of computer forensics technologies and philosophies
Performing forensics collections based on industry standards
Assisting in incident response through the support of forensics evidence
Managing multiple cases and prioritizing work load
Maintaining professional relationships with clients
Maintaining the highest level of confidentiality with respect to data
GA-Atlanta Area
Schedule: Full-time
Equal Opportunity Employer: Company supports a diverse workforce and is a Drug Testing and Equal Opportunity Employer. Company does not discriminate against individuals on the basis of race, creed, color, gender, religion, national origin
To review the EEO Poster, copy and paste the following links into your browser:
http://www1.eeoc.gov/employers/upload/eeoc_self_print_poster.pdf
http://www.dol.gov/ofccp/regs/compliance/posters/pdf/OFCCP_EEO_Supplement_Final_JRF_QA_508c.pdf
Minimum Requirements:
Bachelor’s degree in Information Security, Information Technology, or Computer Science, with three or more years’ work experience in a cyber security-related role; OR at least five years of work experience in a cyber-security specific role with a demonstrable understanding of the cyber threat landscape as well as best practice prevention and detection techniques. In-depth, practical knowledge of information systems and ability to identify, apply, implement and drive cyber security best practices in an enterprise environment. Extensive, hands-on experience related to cyber security incident management; network, host and application security; intrusion analysis; malware analysis; vulnerability management & penetration testing; digital forensics or eDiscovery; as appropriate to assigned team. Advanced knowledge of cyber security tools such as: SIEM, IDS/IPS, Antivirus, anti-spam filtering, operating system security (Windows & Linux), network security technologies, penetration testing toolsets, or digital forensics and live memory forensics platforms, as appropriate to assigned team. Effective verbal and written communication skills for the purpose of presenting complex technical information, driving the implementation of best practice recommendations, and influencing business decisions. Demonstrated teamwork and collaboration skills. Strong time management skills and ability to manage priorities effectively. Demonstrated ability to provide direction and mentorship to teammates, peers and leaders.
Preferred Skills:
5+ years’ experience in computer forensics and digital investigations; experience or course work related to forensic software such as Guidance Software EnCase, AccessData FTK, X-Ways Forensics, or other computer forensic certifications; competence in computer forensics fundamentals and tools; working knowledge of computer hardware components, operating systems, file systems, computer networks, e-mail systems, mobile devices, IT security or incident response; experience with command line scripting, Perl, Python, SQL or other programming experience; exposure to log management solutions; knowledge of evidence and chain of custody procedures; working knowledge of relevant financial industry cyber security regulations, standards, and controls frameworks (e.g. FFIEC, PCI-DSS, GLBA, ISO 2700x, etc.); proficiency in Microsoft software: Outlook, Word, Excel, PowerPoint, and Visio; ability to manage multiple priorities and deadlines; demonstrated initiative and teamwork competencies and a client-centric focus; ability to handle and maintain the integrity and confidentiality of highly sensitive material and information; written and verbal communication skills; preferred certifications: CFCE, CCE, ACE, EnCE, CISSP, CISM, PMP, Six Sigma, MCSE.
General Discussion: Zacinlo adware/malware
Here:
https://labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/
https://labs.bitdefender.com/wp-content/uploads/downloads/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/
among other "features":
Quote:
Silently renders webpages in the background in hidden windows and interacts with them as a normal user would:
scrolling, clicking, keyboard input. This is typical behavior for advertising fraud that inflicts significant financial damage on online advertising platforms.
jaclaz
General Discussion: Interesting Supreme Court decision
CARPENTER v. UNITED STATES
https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf
Quote:
Accordingly, when the Government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user.
Moreover, the retrospective quality of the data here gives police access to a category of information otherwise unknowable. In the past, attempts to reconstruct a person’s movements were limited by a dearth of records and the frailties of recollection. With access to CSLI, the Government can now travel back in time to retrace a person’s whereabouts, subject only to the retention policies of the wireless carriers, which currently maintain records for up to five years. Critically, because location information is continually logged for all of the 400 million devices in the United States—not just those belonging to persons who might happen to come under investigation—this newfound tracking capacity runs against everyone.
Unlike with the GPS device in Jones, police need not even know in advance whether they want to follow a particular individual, or when. Whoever the suspect turns out to be, he has effectively been tailed every moment of every day for five years, and the police may—in the Government’s view—call upon the results of that surveillance without regard to the constraints of the Fourth Amendment. Only the few without cell phones could escape this tireless and absolute surveillance.
'nuff said.
jaclaz
Mobile Phone Forensics: iOS Bruteforce
It is not a joke, just the story doesn't reveal everything