Channel: Forensic Focus Forums - Recent Topics

General Discussion: Contact at Amaz?

Does anyone have a non-LE contact for someone in Legal or Compliance to obtain certified copies of records from Amazon? Legal is just a recording telling you to leave a message and pointing you to an LE portal. Thanks everyone.

Mobile Phone Forensics: Cloud Mobile Backup Creation of Android Phones

Hello, I am trying to identify one or more applications which could create the equivalent of "iPhone to iCloud" mobile backups for Android phones. Basically, I would like a "remote collection" option for Android phones similar to the fantastic Elcomsoft Phone Breaker Forensic solution for iPhones. Does anyone have any recommendations or experience with such applications?

Mobile Phone Forensics: Does iCloud Mobile Backup Creation Remove iTunes Encryption?

Two separate backups, one on a local computer and one in the cloud, which exist independent of one another. The iCloud backup is always protected by the iCloud user name and password, but not stored encrypted. The iTunes backup can either be encrypted or not encrypted on a local computer, based upon a user setting. That user setting is stored on the iPhone and will affect all future local backups, including Cellebrite. There is a workaround in iOS11 for removing the setting from the iPhone, so your Cellebrite backup is not encrypted.

General Discussion: $I metadata file missing from Recycle Bin

What is the status of the $R file? Is it allocated or deleted?

Digital Forensics Job Vacancies: Northants Police - ISO Accreditation Technical Manager

https://atsv7.wcn.co.uk/search_engine/jobs.cgi?SID=amNvZGU9MTczNjAwNiZ2dF90ZW1wbGF0ZT0xNDM5Jm93bmVyPTUwNjMwMDkmb3duZXJ0eXBlPWZhaXImYnJhbmRfaWQ9MCZwb3N0aW5nX2NvZGU9NjA2

General Discussion: Chip-Off recovery Olympus Recorder

The CELP compression is rather complex, so it is entirely possible that one implementation is different from another. Try this one: https://www.moviecodec.com/audio-codecs/missing-audio-codec-tag-120-42360/ It is for the Philips CELP, but maybe it is the same as the one Olympus uses?

You can also try the guys that make the Express Scribe software: http://www.nch.com.au/scribe/index.html and ask them if they know whether their software is compatible with the Olympus internal format. They do mention, for the Pro version, "Philips, Grundig, Olympus digital recorder formats", and the software is only a few tens of bucks, but asking them before buying a license is advised: it is possible that when connected to the PC the Olympus recorder does some kind of transformation to the files.

You can also try this one: http://daviddeley.com/solutions/olympus/index.htm

An older version of the Olympus player (it may work with the newer devices or it may not):
http://www.olympusamerica.com/cpg_section/cpg_support_faqs.asp?id=1272#4
http://www.olympusamerica.com/files/oima_cckb/DigitalWavePlayerUpdate214.zip

jaclaz

General Discussion: what else other than memory dump

d4n13l4 wrote: Hello, I'm trying to use memory dumps to investigate malware detections on some computers from the company I work for. So far I am able to match the creation date/time of the file with the time the detection was triggered in the AV, but I'm not able to find out how the file got onto the machine. I have access to navigation logs, firewall logs and the antivirus console, but these don't help me with this part. What else do I need besides the memory dump of the machine to determine this? Thanks for your help.

Besides what is in memory, you need to check what traces remain in the OS (please read the Registry, assuming it is a Windows of some kind), in the various logs, and on disk. As usual, a full timeline is what is advised:
https://github.com/log2timeline
https://github.com/log2timeline/plaso

jaclaz

General Discussion: ISO 17025 for Digital Forensics – Yay or Nay?

If you've ever read the standard, multiple dedicated posts are basically required for doing nothing other than paperwork. I thought you were pointing out that the "effective and efficient, high quality digital service" section of the job description contradicted the ISO 17025 part.

Digital Forensics Job Vacancies: Northants Police - ISO Accreditation Technical Manager

You won't find anyone decent at that price. You're a good £15k short...

General Discussion: $I metadata file missing from Recycle Bin

I have seen this most often when the Recycle Bin has been emptied, so that both the original file in the bin ($R) and the information file ($I) have been marked as deleted, and in normal usage of the file system the MFT record for the $I has been overwritten. Hence the forensic tool cannot identify the $I, and hence the tool cannot give back the original name for the $R. I know EnCase will give back the original name if both the $I and $R files are present in the Recycle Bin. If the $I file is missing (using the example above, with the $I MFT record being overwritten), I would use the $UsnJrnl to try to identify the original name of the $R.
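The relationship described above (the $I record carrying the original path, size and deletion time for its paired $R file, and the name being unrecoverable from the bin alone once $I is gone) is easy to see by parsing the $I records directly. The following is an added example, not code from the post or from any tool it names. It assumes the documented $I layout: an 8-byte version, 8-byte original size, 8-byte FILETIME deletion timestamp, then either a fixed 520-byte UTF-16LE name field (version 1, Vista through 8.1) or a 4-byte character count followed by the UTF-16LE name (version 2, Windows 10). The sample Recycle Bin contents are constructed in the script; the `build_dollar_i` helper only exists to fabricate test records.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dollar_i(data):
    """Parse one Recycle Bin $I record (version 1 or version 2 layout)."""
    if len(data) < 24:
        raise ValueError("too short for a $I record")
    version, original_size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista..8.1: fixed 520-byte, NUL-terminated UTF-16LE path field
        raw = data[24:24 + 520]
    elif version == 2:
        # Windows 10: 4-byte char count (including the NUL) then the path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    original_path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": original_size,
        "deleted": filetime_to_datetime(ft),
        "original_path": original_path,
    }


def build_dollar_i(version, size, deleted, path):
    """Fabricate a $I record for testing (constructed data, not a real artifact)."""
    delta = deleted - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    header = struct.pack("<QQQ", version, size, ft)
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


def pair_recycle_bin(entries):
    """Match each $R file with its $I record by the shared random suffix.

    entries maps file name -> $I bytes (for $I files) or None (for $R files).
    Returns a list of (R_name, original_path or None) in name order.
    """
    results = []
    for name in sorted(entries):
        if not name.startswith("$R"):
            continue
        i_name = "$I" + name[2:]
        record = entries.get(i_name)
        if record is None:
            # $I absent or already overwritten: the bin itself cannot give
            # the original name back; other sources ($UsnJrnl etc.) are needed
            results.append((name, None))
        else:
            results.append((name, parse_dollar_i(record)["original_path"]))
    return results


# Constructed sample bin: one complete $I/$R pair and one orphaned $R
SAMPLE_DELETED = datetime(2018, 1, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_BIN = {
    "$IABC123.docx": build_dollar_i(2, 4096, SAMPLE_DELETED,
                                    r"C:\Users\alice\Documents\report.docx"),
    "$RABC123.docx": None,
    "$RXYZ789.pdf": None,  # its $I record is gone
}

if __name__ == "__main__":
    for r_name, original in pair_recycle_bin(SAMPLE_BIN):
        print(f"{r_name}: {original if original else '<original name not recoverable from bin>'}")
```

Running the script pairs `$RABC123.docx` with the path stored in its $I record and reports the orphaned `$RXYZ789.pdf` as unrecoverable from the bin alone, which is exactly the situation where a journal such as $UsnJrnl becomes the next place to look.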

General Discussion: what else other than memory dump

If your budget allows, I recommend purchasing OSForensics from Passmark, which will allow you to forensically image the computer in question, perform a memory dump, and also perform timeline analysis of activities taking place around the time of infection.

Digital Forensics Job Vacancies: Senior Digital Forensic Analyst, USA

Senior Digital Forensic Analyst

Approximate Start Date: ASAP
Location: Successful candidate must be located in the United States near a mid to large metropolitan area.
Travel: Minimal travel would be required but the ultimate amount will be determined based on individual client and project needs, approximately 0-15% in U.S. only.
Hours: Schedule to be determined based on client and project requirements.
Base Salary: Commensurate with experience.
Bonus: This position is eligible for sales generation bonus.

Responsibilities
• Under limited supervision, work with external and internal clients to analyze criminal/civil/internal project requests and to plan and execute forensic support for both simple and complex investigations.
• Provide recommendations for identification, collection and preservation of digital evidence.
• Determine tools and procedures required for preservation.
• Collect, process, and analyze electronically stored information (ESI) obtained from network, cloud and end user digital sources in accordance with industry standards.
• Provide required documentation demonstrating chain of custody of evidence.
• Generate formal forensic analysis reports in a clear and concise manner to a non-technical audience.
• Provide digital forensic expert testimony.
• Work with other team members to provide guidance and assistance.
• Provide written and verbal status updates to external and internal clients in a clear and concise manner.
• Use industry standard digital forensic tools (primarily FTK and Axiom).
• Conduct research into project-related issues.
• Maintain forensic credentials and ability to provide expert testimony.
• Maintain an organized workspace and office.

Required Knowledge/Skills/Job Qualifications:
• 6+ years of work experience related to digital forensics.
• Current CCE or similar certifications are required.
• Prior FRE 702 qualification and testimony as digital forensics expert in a court of law.
• Strong attention to detail, concern for data accuracy, and high personal integrity.
• In depth experience with industry standard digital forensic methodologies, including: evidence handling, chain of custody procedures, and commonly used forensic toolsets.
• Experience using physical, local, and remote acquisition tools across multiple OS systems.
• Ability to work remotely with limited supervision.
• Proven ability to work independently or with a team during large scale forensic investigations to complete established project milestones and deadlines.
• Ability to clearly document and communicate findings, opinions, and recommendations to both technical and non-technical audiences.
• Excellent people networking skills for client relations and sales leads.
• Experience in effective and efficient time and resource management.
• Capable of independently handling complex, large volume, and previously un-encountered situations and examinations.
• Ability to adjust to shifting priorities, demands, and timelines through analytical and problem solving capabilities.
• Ability to identify and manage different communication and behavioral styles of clients and team members.
• Strong interpersonal, written, and oral communication skills.
• Must be able to research and apply appropriate technologies to different examinations.

Applicants should provide a full CV to Info@Cyopsis.com

General Discussion: ISO 17025 for Digital Forensics – Yay or Nay?

minime2k9 wrote: Like this? ISO 9001

LOL this is it exactly... :D

General Discussion: what else other than memory dump

Depending upon your budget, you could also use Open Source tools in combination with some commercial tools for capturing both RAM and hard drive images and then analyze these images like you would with the OSForensics tool(s).

You will learn (like I did) how to use FTK Imager within the Lynda training course "Learning Computer Forensics". This product is one of the oldest commercial tools (current version 4.2 or earlier, i.e. 3.2); all work within a Windows environment. I use a much earlier version, 2.5.3, loaded as a portable version that executes within Win7 from a thumb/flash drive, and you can save the image in the "dd" image format. FTK Imager also comes in a Command Line Interface format that will operate in Windows, Mac, & Linux, and here is the CLI instruction PDF web-page. If you wish to use this tool from a flash drive, here is the instruction web page for your convenience.

You will come across the Open Source tools in many other tool sets/distributions such as CAINE, the SIFT Workstation distro (SANS Investigative Forensic Toolkit), Kali Linux distro tools, etc. These same tool sets will also contain The Volatility Framework, which is a completely open collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples. You will also notice that these tool sets usually contain either or both of The Sleuth Kit and/or the Autopsy forensic analysis tool-set. Most of these tools have a customization capability with the use of plug-ins. Plug-ins provide the flexibility with these tools that have this built-in feature.

Here are some links to the other mentioned tools:
FTK Imager 4.2
FTK Imager 3.2
Volatility GitHub site
Open Source Digital Forensics Tools (TSK & Autopsy)

I have tried to present an Open Source choice alongside a commercial choice even though I presented FTK Imager. You will find in CAINE and SIFT other tools capable of creating an image of the selected hard drive.

You really need to create this image with a write-blocker for a forensically sound image. But this is a different subject and you probably will find many discussion threads on this site about this topic, too. Please review these tools and make your selection. I have presented some of the well known tools in this field for your edification.

General Discussion: ISO 17025 for Digital Forensics – Yay or Nay?

minime2k9 wrote: Like this? ISO 9001

Yep :) , but more like ;) http://dilbert.com/strip/1999-11-29

jaclaz

General Discussion: what else other than memory dump

d4n13l4 wrote: I'm trying to use memory dumps to investigate malware detections on some computers from the company I work for. So far I am able to match the creation date/time of the file with the time the detection was triggered in the AV, but I'm not able to find out how the file got onto the machine.

Which OS and version? With the AV detection, you should have a full path to the file, so that might give you some kind of indication as to where to start, in order to determine the initial infection vector (IIV). From there, a mini-timeline created using selected files might be the most valuable and revealing way to approach determining the IIV.

Digital Forensics Job Vacancies: Northants Police - ISO Accreditation Technical Manager

hectic_forensics wrote: To be the ISO17025 Scapegoat (sorry, 'Technical Manager') I'd want at least £40-£45k a year...

ISO 17025 Scapegoat should be the job title. Especially if you want someone to do CCTV, Digital, Phones etc. Chances are whoever you get won't have enough experience (if any) in all those areas.

Mobile Phone Forensics: Decrypt iOS Keychain

Just to confirm, are you talking about decrypting encrypted iTunes backups on a computer, or are you talking about decrypting a keychain recovered from an acquisition of a mobile device? How are you using Elcomsoft? What data are you using to decrypt the files? How are you generating the wordlists?

If talking about encrypted iTunes backups, I come across these quite often at work and I have only failed to decrypt one (I've managed to decrypt the other 100+) by finding passwords on the source device (the laptop). Some suggestions to identify passwords:
- Firefox profile - I've had quite a lot of success with using passwords from here to decrypt an iTunes backup.
- If the source device is a MacBook, have a look at the login.keychain. EnCase 7 allows you to decrypt the data of this, or there is a great free CLI tool called 'dumpkeychain' which will process the login.keychain.
- Data breach dumps freely available online - you can search these for an email address of the owner of the device and then try those passwords against the backup.
- Use Magnet Forensics' free tool, Wordlist Generator. You do need to have AXIOM to use this though. This will create a dictionary that you can then import into Elcomsoft.

Mobile Phone Forensics: Does iCloud Mobile Backup Creation Remove iTunes Encryption?

As Mark points out, these are two distinct backups: one is encrypted and stored locally on a device (computer), and the other is stored in the cloud.