Channel: Forensic Focus Forums - Recent Topics

Mobile Phone Forensics: S7 Edge secure startup

shahar: I know pretty well the difference between Secure Boot and Secure Startup. Sometimes you don't need to deal with the Trusted Zone; the encryption key derived from the hardware key and the user lock can be found inside a physical dump. Whoever is reading this, please don't get me wrong, I don't say that this is always possible, that is why I wrote "Sometimes".

General Discussion: Interesting Supreme Court decision

Nick.Barker1011 wrote: "CellHawk has a free support site to help investigators write their search warrants."

Nick, for clarity/full disclosure, you should add your qualifications of Marketing Manager of HawkAnalytics in your posts (or add them in your signature).

jaclaz

Mobile Phone Forensics: Decrypt iOS Keychain

Well, I've been using Elcomsoft to deal with iOS encrypted backups but lately, it doesn't do good work as it can't get even 80% of the passwords and they are still shown encrypted. So, my question is, what other tool or way to decrypt those passwords?

General Discussion: Mobile Forensics Discord Server

We're rapidly approaching 350 members. Just recently, an influx of TeelTech employees joined so we're thrilled to have them aboard along with the other vendors present.

Mobile Phone Forensics: iOS Bruteforce

Well, I will disclose what hasn't worked for me so far: I tested on iOS 11.4 and on 11.1.2 without success. I purchased a Lightning to USB adapter that allows you to feed power and plug a USB device into an iPhone. I programmed a RubberDucky with a long string of numbers (with the last one being the one that would unlock the device) and got the 1 minute, then 5 minute delay. I will note that neither device had the wipe after 10 failed attempts enabled.

Mobile Phone Forensics: iOS Bruteforce

I noticed something very interesting when re-watching the video he posted. At 16 seconds, if you pause it, you'll notice the following: HDBox-Keyboard. Now at this point he has plugged the phone in (to what he says is a computer, but shows us nothing) and then I see that. I happen to own an HDBox which is a device that allows for the brute forcing of Android Passcodes, Patterns and iOS passcodes. Currently my device is at work so I can't test it, but will definitely test it out on Monday.

General Discussion: Are shell bags reset when new version of Windows installed?

I can't find any shell bags prior to installation of Windows 10. Previously it was running Windows 8.

General Discussion: Encrypted Mac image missing Recovery HDD and Un-mountable

So I restored this .img image to a physical disk and connected it to my macOS VM. Here are some more observations:

- Using diskutil list in the command line I can see the drive connected with three volumes
- I can see the drive in MacQuisition
- still cannot mount the disk using the Disk Utility GUI
- still cannot mount the disk using Disk Utility in the command line

Interestingly, when I tried imaging the perceived 'encrypted' volume, MacQuisition didn't appear to recognise it as encrypted and just went on to start imaging it. Please correct me if I'm wrong, I thought MacQuisition would normally detect FileVault2 encryption and give you a chance to enter the password & recovery key for it?

Through these observations I'm now considering a different hypothesis: is it possible that this is an image of a reset system, where nothing, including disk encryption, has been initiated (since the 'Recovery HD' partition is only created at the activation of disk encryption)?

Mobile Phone Forensics: iOS Bruteforce

Figured it out! It does definitely work on 11.4 and almost as described by the author. They've updated the article, but I think he was close to on the money.

General Discussion: Are shell bags reset when new version of Windows installed?

A few questions (because I don't know the answer... the update could wipe shellbags, not sure):

What is the install date of the OS compared to the creation date of the USRClass.dat?
What is the creation date of the user compared to the creation date of the USRClass.dat?
Have you got a copy of Win8 that you can upgrade to Win10 to test your hypothesis?

General Discussion: Encrypted Mac image missing Recovery HDD and Un-mountable

@randomaccess it does sound like a feasible way to try. However, I'm trying to get my head around how to do it. Am I right in thinking that an 'option boot' (using the 'C' key at startup?) will allow me to select which media I want to boot into instead of the default one? In this case a VM should work just as well? Will definitely give it a try tomorrow at work, thanks!

Mobile Phone Forensics: NOTE 3 NEO SM-N7502 nand chip ??

Based on the different picture, that big chip to the left of the SIM/microSD card reader should be a Toshiba eMMC, most likely BGA153.

Mobile Phone Forensics: iOS Bruteforce

Yeah I was reading the retractions yesterday. The piece I don't get is how he was able to send the full string without a timeout. Nothing I did could reproduce those results as both devices I tested timed out after 5 attempts. We shall see I suppose!

Mobile Phone Forensics: Whatsapp ChatSearchV3 sqlite database

pcook8198 wrote: "Hi Paul, Fantastic. We've been scratching our collective brain cell to figure it out. Very much appreciated. Kind regards, Paul"

Thank you for your help, Paul. I'm glad you were intrigued by this as much as I was.

General Discussion: same usb at the same time !!

jaclaz wrote: "And, AGAIN, you are mixing what happened on the SAME date:
1) early in the morning up to 8:30 AM
2) around lunch time, i.e. from 1:00 to 2:00 PM
The "MicrosoftWindowsSystemRestoreSR" actions are automated; it is part of the "System Restore" scheduled task. At that time a VSS (Volume Shadow) Copy was seemingly made, and somehow the process did reset a number of keys related to USB (and non-USB devices). As well, anything marked "WindowsReadyBoost" is "normal" automated activity of the OS. From what you posted, human interaction with the PC was only around lunch time, where some USB storage devices were definitely connected. BTW the reference to the .JPG on the I: volume makes me think that maybe that is the drive letter assigned to a volume on the attached USB disk, which should allow you to retrieve the disk information from MountedDevices. jaclaz"

Thank you very much, bro, for helping... So I will rely on the logs that show that there is user interaction on the PC in the court, because they said that the computer was turned off on that date :) I think it's time to give the police an order to bring someone :)

Digital Forensics Job Vacancies: Digital Forensic\eDisclosure Position - MD5 - West Yorkshire

Digital Forensic\eDisclosure Position - MD5 - West Yorkshire

MD5 Limited, based in Normanton, West Yorkshire, are pleased to announce a very exciting opportunity for an experienced Digital Forensic\eDisclosure Analyst to join one of the UK's leading eForensic organisations. Salary very competitive, attracting someone with the necessary ambition and drive to take on a very exciting challenge. Our clients include Law Enforcement and Government Agencies, Corporate and Legal firms. Casework may involve dealing with data of a sensitive nature which may be offensive and distressing (e.g. images of child abuse).

The role will cover all aspects of Digital Forensics and eDisclosure, and the successful candidate will be responsible for acquiring & investigating a wide range of electronic evidence together with the monitoring of staff and the development of new analytical methods and processes.

Key Skills:
• At least two years' experience of undertaking digital forensic analysis of computers within a Public or Private sector role;
• Have excellent knowledge of digital hardware, experience in different file systems & operating systems artefacts;
• Knowledge of the laws & principles of digital forensics & electronic evidence;
• Be meticulous, have a highly analytical and enquiring mind;
• Excellent communication skills and able to convey complex technical issues to a lay audience in writing & verbally;
• Programming \ EnScript experience advantageous;
• eDiscovery experience;
• Able to work independently but also a good team player.

MD5 Limited offer an attractive salary based upon experience and a clear staff development and training program. Appointments are subject to successful security vetting criteria and medical clearance.

Please email your CV with a covering letter to Geoff@md5.uk.com

General Discussion: Help with final project.URGENT

I really need help with my final project. I'm planning to work on one of these topics: Small to Medium business DDoS Detection and protection with Data mining, or DDoS protection frameworks/systems for small to medium-sized business. If anyone has a better suggestion please kindly let me know. I need one on one guidance and I will compensate the person for his/her time.

General Discussion: Chip-Off recovery Olympus Recorder

We have an Olympus VN-7800 that we need to recover deleted recordings from. We went down the avenue of a Chip-Off recovery and obtained a full binary dump of the 4GB BGA169 chip. Looking at the data in Hex, 90% of the chip is zeros, which isn't good to start with. There are unusual filetypes in four folders on a FAT32 partition. A portion of the folder structure is:

RECORDER\
RECORDER\FOLDER_A\
RECORDER\FOLDER_A\INDEX.DAT
RECORDER\FOLDER_A\VOC_110101-0004.AAE
RECORDER\FOLDER_A\VOC_110103-0008.AAI
RECORDER\FOLDER_A\VOC_110104-0009.AAJ
RECORDER\FOLDER_A\VOC_110106-0016.AAQ
RECORDER\FOLDER_A\VOC_110110-0018.AAS
RECORDER\FOLDER_A\VOC_110111-0019.AAT
RECORDER\FOLDER_A\VOC_110113-0020.AAU

We have tried to load some of these files into Audacity as raw data, but none of these files play and are simply noise. The filetypes seem to be random (or incrementally generated) too, so is there any help or advice anyone can give with this? We need to be able to play the files from the dump, but this is the part we are having trouble with.

Forensic Software: Axiom User Account Information

clou93 wrote: "Hi Jamie, Thanks for your response, I hope the below helps: I am looking at 'user accounts'. When looking at a particular user's account, in the pane on the right hand side it states 'password required' and is marked 'True'. Further down from that there is a 'login count' which shows a number in the thousands. From the information supplied by Axiom, one would assume that the desktop is password protected; this is not the case after booting it up into VFC. Thanks"

Interesting, do you know if it's a domain account or not? GPO can force a password; if not domain, it can be separate. As Chad mentioned, it's definitely possible to have it required but not actually have a password. Those things are not related. We also have a column for LM/NTLM password hash; do you have anything in that column? We will check for a hash (which again, is separate from the registry key checking if a password is required or not).

General Discussion: Chip-Off recovery Olympus Recorder

UnallocatedClusters wrote: "Hello, can you share what is stored in the Index.dat file please? That might shed light on the other listed files. If you can extract out the files named "VOC_110101-0004.AAE" etc., perhaps changing the extracted file extension(s) to .mpg or .wav or any of the other audio file extensions listed here will then allow you to open the audio files: https://en.wikipedia.org/wiki/Audio_file_format"

Most probably the index.dat is nothing but a list of the files (in the "right" order), but no, if the thingy actually uses CELP, the issue is with the specific codec (which is specifically designed for speech compression) and that is unlikely to be present on a system/outside a specific program. Moreover it seems like there are both "narrowband" and "wideband" versions of the encoding, so the speexdec.exe (Windows) from 1.2beta3 should actually be the easier thing to try: https://www.speex.org/docs/manual/speex-manual/node6.html#SECTION00620000000000000000 The problem might be that Olympus may use a slightly different version of the CELP codec. :(

jaclaz