Channel: Forensic Focus Forums - Recent Topics

General Discussion: Windows 10 Home Edition Storage Pool

Actually I believe you could use the images (as opposed to the original drives), converting them to RAW ones. The issue might be that you would need (if kept as images and use a virtual disk driver) two 6 TB disks or - if you temporarily deploy them to disk - two 4 TB disks. Also, you should check the images' contents. Often (but not always) such "Storage Spaces" are simple RAID 1 (mirroring), i.e. the two disks have almost identical contents. Also, the filesystem actually used could make a difference, is it ReFS? I think that X-Ways/WinHex supports them, but you'd better ask for confirmation.

jaclaz

Education and Training: Evidence Management training

For now, I have found 2 organizations that seem legit:
- Evidence Management Institute (https://evidencemanagement.com/) offers a 2-days live training (350$) and certification (50$ 1year / 100$ 3 years)
- IAPE International Association for Property & Evidence (https://home.iape.org/) offers a 2-days live training or a 14 hours online training (375 $ for live or online class). They also offer a course for the supervisor of the evidence room. They offer live classes in Canada.

Anyone have any review on either of those organizations?

Education and Training: Question regarding SANS GCTI.

MindSmith wrote: It is a course with materials as detailed here: https://www.sans.org/course/cyber-threat-intelligence. It is also available online / on demand. Details related to the exam: https://www.giac.org/certification/cyber-threat-intelligence-gcti

Thank you for the information. As I register on Sans page https://www.sans.org/registration/register.php?conferenceid=1251&os=126850 there is a question: "Please describe your study methods and the materials you will bring to the testing center for your certification exam.", can someone please advise on best practice regarding the exam?

General Discussion: Govt-response-forensic-science - UK

Hi, As someone who works in digital forensics but has also worked in traditional scientific test and calibration laboratories, I have a fairly unique perspective in understanding both environments well. When I read the ISO17025 documentation I understand it because I understand the equipment, the physical environments, the storage considerations, the processes, the repeatability requirement and so on. It should of course be noted that ISO17025 was not created for 'traditional' forensics but is now being ported over to digital forensics. But even if a standard were created for traditional forensics, it is still too different a field to try to apply it to digital forensics. You could say that the previous FSR, whose decision it was to choose this standard, chose a standard intended for an industry in which he had never worked and sought to apply it to another industry in which he had never worked. In terms of this report, I have never worked in a traditional forensic field so I can't say what the current issues are. Everything in this report might be entirely on the money when it comes to traditional forensics. Having more than 15 years experience in digital forensics, I can say it definitely is not! The issue of cost has had very little serious discussion. Not so long ago a major provider of forensic services needed a bailout and I know of many smaller forensic providers who simply cannot afford to achieve accreditation. The FSR's Codes of Conduct needs to include a section on financial viability in order for accreditation to be granted and government contracts to be awarded. There is a risk that accreditation becomes the thing that kills forensic science in the private sector. I am concerned about the field of work I love. I'm sure there are people pushing for these changes because they believe they are the right thing to do. It's a case of not asking the right people, not seeing things at the ground level and not understanding the technology.
I've said a lot on this subject before. I won't say it all again. Steve

General Discussion: Windows 10 Home Edition Storage Pool

Have you tried getting something like arsenal image mounter, mounting the images and seeing if Windows automagically takes care of it for you?

General Discussion: Govt-response-forensic-science - UK

Rich2005 wrote: I really wish they'd realise that being UKAS accredited doesn't demonstrate competence in any meaningful way.

And according to the Parliamentary document an organisation can have two chances to demonstrate being incompetent because organisations have two masters, not one! Oh no, that would be wrong and to be politically correct, one mistress and one master.

GOVERNMENT RESPONSE...: A BLUEPRINT FOR CHANGE wrote: 12. Having carefully considered responses from the public consultation, we consider granting the Regulator the power to issue compliance notices and prevent noncompliant providers from providing evidence to court to be sufficient. Further, the Regulator cannot be granted the power to rescind a provider’s accreditation as UKAS, rather than the Regulator, is the awarding body.

Education and Training: Question regarding SANS GCTI.

do the class; generally speaking the classes provide you everything you need to pass the exam

Forensic Software: FTK Imager and "N/A: bad blocks found in image"

Hello guys, a quick question about EWF image verification in FTK Imager. I was verifying the content of an image with the "Verify Drive/Image" command on FTK Imager and the verification failed. The "Computed Hash" is different from the "Stored verification hash", there's a "Bad Block List" populated with sector information about "Bad Block(s) in image" and the "Verify Result" states as follows: "N/A: bad blocks found in image". Does that mean that the image is faulty - i.e. there are bad sectors on the disk the image was stored on? The forensic acquisition report does not mention errors or bad sectors, which let me presume the copy was good. Furthermore, if I check the image with X-Ways forensics, the "hash-recomputed" gives an error BUT the computed hash is different from the one calculated by FTK Imager and there's no mention of bad sectors... O_o Thanks!

Forensic Software: Forensic tools for Facebook Messages

Good suggestion, but only for existing Facebook messages: you won't be able to get deleted messages, which Facebook does not keep in the online account... they can be recovered - as someone posted above - only with physical access to a device where Facebook was accessed from.

Mreza wrote:
vivianfrench2 wrote: I am looking for forensics tools to recover deleted Facebook messages without physical access to the device. Is this possible?
Yes. Use usernames and password or tokens extracted from the target PC to gain access to a cloud storage.

Forensic Software: FTK Imager and "N/A: bad blocks found in image"

pakim wrote: The "Computed Hash" is different from the "Stored verification hash", there's a "Bad Block List" populated with sector information about "Bad Block(s) in image" and the "Verify Result" states as follows: "N/A: bad blocks found in image". Does that mean that the image is faulty - i.e. there are bad sectors on the disk the image was stored on?

That's difficult to answer -- it depends on how the image was produced, and what the tool used did if/when it encountered a bad sector. However, in general, it does mean that the checksums/hashes computed at the time the image was created and stored inside the file do not match the checksums/hashes computed by FTK from the blocks stored in that image. Something has happened to the file since then. Possibilities: a) the sector data was damaged, b) the sector data is OK, but the stored hash was damaged, or c) both were damaged.

So: The image file is damaged, and should not be used further. Archive it just in case you need it later. Fall back on the gold image ... if you have one. (If not, now you know why you do need one.) I would not use even blocks that are not reported to be damaged, unless you know exactly what you're doing. You need to explain why it is safe to do so ... and I don't think it is, except perhaps in very unusual circumstances.

Quote: The forensic acquisition report does not mention errors or bad sectors, which let me presume the copy was good.

Well, that depends on the tool that created the image. I assume you know it well enough to make that interpretation.

Forensic Software: Forensic tools for Facebook Messages

vivianfrench2 wrote: I am looking for forensics tools to recover deleted Facebook messages without physical access to the device. Is this possible?

If you have access to the Facebook messenger database, you are able to recover deleted messages. You can use Belkasoft for recovering the messages.

Digital Forensics Job Vacancies: NHS Forensic Computing Specialist - Newcastle-upon-Tyne

NHS Counter Fraud Authority (NHSCFA) delivers a service focused on the protection of NHS resources from fraud. The aim of our counter fraud work is to protect health and care staff and resources from activities that would otherwise undermine their effectiveness and their ability to meet the needs of patients and professionals. Ultimately this helps to ensure the proper use of valuable resources and a safer, more secure environment in which to deliver and receive care. The post holder will work as part of the NHSCFA Forensic Computing Unit, within the Operations Directorate, whose responsibility is to investigate allegations of fraud, bribery and corruption in the NHS. The Forensic Computing Unit has recently been granted ISO 17025:2005 accreditation and is currently working to extend their scope to ISO 17025:2017 and FSR Codes of Practice. The post holder will play an active part in extending scope to accreditation, not only by working within the established Quality Management System, but assisting with writing, updating and implementing SOPs and other associated documentation. The Forensic Computing Specialist will work as part of a dedicated team who work to identify, preserve, extract, interpret and present computer based evidence and provide an efficient and effective forensic computing support function to the NHSCFA. The successful candidate will be expected to complete the NHSCFA’s Induction and Continued Improvement Programme (ICIP), a bespoke training and development framework designed to meet the learning and development needs of NHSCFA staff. It includes the Accredited Counter Fraud Specialist qualification and identifies and provides development support for staff in specialist roles, ensuring they are adequately equipped to carry out their duties with an up to date and ongoing support service. If required, external training in the tools and products used within the Forensic Computing Unit will be provided.
For more details and to apply: Forensic Computing Specialist - NHS

General Discussion: Signal database decryption

LeGioN wrote: Hey! :) John tells me that no passwordhashes are loaded.. So think something might be missing in my rather excellent plan of getting out the content of the database :@

Your hash.txt file will contain the following;

SecureSMS-Preferences.xml:$signal$1$4032$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$XXXXXXXXXXX

The hash itself is everything following the : after SecureSMS-Preferences.xml. The file loaded by JTR should be in the following format;

$signal$1$4032$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$XXXXXXXXXXX

Forensic Software: How to obtain Offline MS Exchange EDB mailbox listing

Veeam Explorer does what you're after https://www.veeam.com/microsoft-exchange-recovery.html

Forensic Software: Extract live data from a memory dump

Which Windows profile are you using? SANS have a Volatility cheat sheet here; https://digital-forensics.sans.org/media/volatility-memory-forensics-cheat-sheet.pdf What are you hoping to achieve? Just a snapshot of *all* of the activity, or something more specific? When you say passwords, do you mean system passwords? If so, try the mimikatz plugin. Are you able to contextualise what you're actually seeking?

General Discussion: WeChat History from PC App / Decoding

WeChat data is stored in EnMicroMsg.db which can be decrypted relatively easily. What kind of image have you obtained? Logical/Physical? How have you identified the app is installed? Can you open it on the machine itself, or is it only a backup of app data?

Mobile Phone Forensics: IOS app data

dandaman_24 wrote: In order to use Apollo, you need a FS which you can only get from a jailbroken device or from a GK / ufed premium dump

Not quite. APOLLO requires artefacts included in an encrypted iOS backup - ie Health database etc. It definitely doesn't have to be jailbroken to extract the required databases.

Digital Forensics Job Vacancies: Digital Forensic Investigator - Manchester

Digital Forensic Investigator Greater Manchester Police is one of the largest police forces in the UK and is responsible for keeping its diverse population of almost 3 million safe, spread over more than 1,200 sq. km. Manchester in particular has been billed as the most diverse city in Europe with its population speaking at least 200 different languages, leading to the city being named as Britain’s “City of languages”. GMP are committed to ensure that the make-up of our workforce is reflective of the communities we serve and we recognise that having a diverse workforce makes us more approachable and relevant to the public. The Greater Manchester Police Digital Forensic Investigation Unit (DIU) is one of the largest and continuously expanding digital forensics teams in the UK, striving to become a centre of excellence for digital forensics. Recently the unit have secured a significant investment to further expand the team to 72 staff and officers over the next 2 years, with the initial expansion focusing on a number of key roles within the team. This expansion is a genuine acknowledgement of the crucial and valuable contribution that digital forensics brings to the modern day police investigation. In addition to the expansion in resources there are plans in place to re-locate the unit along with colleagues from Forensic Services to a purposely designed facility perfectly located on the outer city M60 ring road, with access to all major routes in and out of Manchester. The expansion includes a complete re-design of the unit structure, incorporating new management, supervisory, team leader and co-ordination related positions. The uplift also includes increases in technical and investigative positions to further enhance the requirement to support front line policing. The DIU is looking for driven and motivated candidates to continue this journey and help support policing in an ever-changing technological environment. 
This is an exciting opportunity to be part of an expanding Digital Investigation Unit team. In this role you will conduct intelligence led digital forensic investigations on a wide range of digital devices, providing evidence and expert interpretation of the evidence in a secure format acceptable to the court. As a member of a dynamic team, you will work closely with others in the unit with different experience and specialisms, and lead on cutting-edge research and development. With previous experience working in the digital forensics sector, or within a similar computer related industry, you will have the knowledge, skills and abilities to conduct forensic examinations and analysis of a wide range of digital devices. You will use these and knowledge of criminal investigation to support complex, high-profile and challenging police cases. You will use your knowledge with your communication skills to present evidence to police investigators, prosecutors and the courts, explaining complex digital evidence in a manner that can be understood by a wide range of audiences. The ideal candidate will have knowledge of criminal legislation detailed in the job description. You will have a degree level qualification in a digital forensic or computer related subject, or relevant work experience demonstrating the same level of knowledge. This post carries 4% weekend enhancement and 0.92% night allowance. If you are interested in applying, please click on the link below; https://atsv7.wcn.co.uk/search_engine/jobs.cgi?SID=amNvZGU9MTgxNzU0NSZvd25lcj01MDQzOTE0Jm93bmVydHlwZT1mYWlyJnBvc3RpbmdfY29kZT0zNTImdnRfdGVtcGxhdGU9MTEyMA==

Digital Forensics Job Vacancies (Archive): THIS JOBS FORUM HAS BEEN ARCHIVED

Forensic Focus has a new job board and this forum has now been archived. If you are a job seeker, please view our current list of job vacancies at https://jobs.forensicfocus.com/jobs/ If you are an employer/agency and wish to post your job vacancies, please register at https://jobs.forensicfocus.com/registration/

General Discussion: WeChat History from PC App / Decoding

Try to use Belkasoft for extracting the chats.