Channel: Forensic Focus Forums - Recent Topics

Mobile Phone Forensics: Samsung SM-G920P Galaxy S6 LTE locked pattern

mshibo wrote: Well, if you want to work with the pattern then it's not really hard to bypass on that model, even with the latest binary. First, you need to check whether FRP is ON or OFF from Download Mode. If it's ON, you'll need to change it to OFF using Z3XBox and the FRP UFS feature (not only Z3XBox offers this feature, other boxes do too; remember to use only this method because this one doesn't touch data). If it's OFF, then you can simply flash TWRP for your phone and from there you can either do a physical acquisition if data isn't encrypted, or remove SystemUI from the /system partition in case data is encrypted; after you reboot you can do whatever you want as there won't be any pattern there.

Hi, how can I remove SystemUI from the /system partition? Is just deleting the SystemUI.apk file enough? The lock pattern settings are stored in the data partition, so if the data partition is encrypted you can't access those files. Could you explain a little more please? Thank you.

Mobile Phone Forensics: Signal Messaging App

I successfully obtained a physical extraction of an Android device through the EDL method. It appears the suspect used the Signal messaging app for his primary messaging. I understand the Signal app encrypts message data, and I am unable to bypass the lock screen to manually view the messages. Is there any method or possibility to decrypt these messages?

Mobile Phone Forensics: How to extract data from mini phones like Zanco

Found the solution to extract data from Zanco mini phones using UFED Touch 2. Search in the menu for "Chinese phones BM70 L8 Star". Connect cable A with T-100. The same works for the GTStar mini phone.

Forensic Software: Recovery of video fragments

Hello, thank you for having me. I have used PhotoRec to recover files from the unallocated space of an old Maxtor HDD with FAT32. I found that some recovered files listed, for example, as .sqlite or as .torrent had chunks of video inside. I can view some of these video chunks using mencoder/mplayer/ffmpeg. I am pretty convinced that there are many other small fragments of these videos that I cannot view with these tools, hidden in other small files that are also listed as .sqlite, .torrent, etc. (or maybe not recovered at all by PhotoRec). Do you have any suggestions on software that I can try to recover those bits as well? Either on the files recovered by PhotoRec, or software to perform a better recovery, or tricks that I can use to improve the recovery of "standard tools" (e.g., maybe I can use a reference video to see what kind of header to look for)? Thank you for your help.

Additional info. The command I use with mencoder is "mencoder -idx FILE -ovc copy -oac copy -o OUTPUT.avi". For ffmpeg: "ffmpeg -analyzeduration 2147483647 -probesize 2147483647 -i INPUT -vcodec copy -acodec copy output.avi".

Mobile Phone Forensics: "Phone Activation Time" and "Last Known Use" values in UFED

I have a physical dump of an LG G3. UFED PA decodes two values. What is the meaning of "Phone Activation Time" and "Last Known Use" in UFED PA? Where does UFED PA get these values from? Regards

Mobile Phone Forensics: "Phone Activation Time" and "Last Known Use" values in UFED

Email me at mustafa-bicakci@hotmail.com and I will help you.

Mobile Phone Forensics: Viber/Messenger message database data integrity

Hi, let's suppose that an investigation requires rooting an Android phone and extracting the appropriate databases (e.g. "threads_db2" for Messenger and "viber_messages/messages" for Viber). Is there any way to ensure that the messages shown are the original ones and not edited with a database editor? I suspect that Messenger uses some kind of cryptographic signature/verification to ensure the validity of the database, because on my own device, after editing a message in threads_db2, the specific conversation cannot be displayed anymore within the app (no message is shown and an error message saying there is no connection, while there is, is displayed), while other conversations with no edited messages load normally. As far as Viber is concerned, after editing a message and opening the application, the fake message gets displayed normally. To sum up, is there a way to counter any claim that the presented messages extracted from these two apps are faked, and thus prove their integrity? Thanks in advance!

Forensic Software: Recovery of video fragments

PhotoRec, generically speaking, is a recovery-oriented (and automated) carver: it tries to recover files that it can recognize but tells you nothing about where the files are. You need to use software that, besides (hopefully) being able to recover the same (or more) files than PhotoRec does, provides info on the extents occupied by the files. Besides a few tools more targeted at video (commercial), you can try using what I call the "negative approach", i.e. once you have recovered a file (or part of it) you can try zeroing the area where what was recovered was; this way only a restricted number of non-zero areas would remain, which you can try examining (or attempt combining) with the same or other tools. Personally (though I am not in any way connected to the software) I like DMDE a lot: https://dmde.com/ which you can try extensively before acquiring a license (the limitations of the Free edition are on the quantity of files and on the nature of the recovery, i.e. for personal use only after a reasonable trial), which anyway is cheap. jaclaz

General Discussion: PDF Manipulated

Cults14 wrote: Same subject but different, does anyone know of a tool that you can point at a bunch of PDFs and get a CSV or other report on all the metadata fields which you see in Properties of PDF documents in Reader? It's the Date fields I'm after. BEC seems to do that for M$ Office docs but not PDF. Cheers

Doesn't the "simple" exiftool provide what you need/want? https://www.sno.phy.queensu.ca/~phil/exiftool/ https://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/PDF.html Like many similar tools, the syntax (for anything more than "plain-plain") is a bit complex: https://sno.phy.queensu.ca/~phil/exiftool/exiftool_pod.html but of course it can be managed with a little dedication/patience; simple use is simple ;) and there are examples. https://owl.phy.queensu.ca/~phil/exiftool/examples.html https://www.crossref.org/blog/exiftool/ Again, remember that metadata in the Info dictionary and XMP metadata are different sets. jaclaz

General Discussion: Internal PDF Metadata (Dates)

Hi. Does anyone know of a tool that you can point at a bunch of PDFs (thousands) and get a CSV or other report on all the metadata fields which you see in Properties of PDF documents in Reader? It's the Date fields I'm especially interested in. BEC seems to do that for M$ Office docs but not PDF. I know that the Created Date in PDF isn't infallible, but it can be useful. Cheers

General Discussion: SYSTEM PID 4 - Network Access

Hi, I see that some SOURCE_HOST has multiple failed accesses to DESTINATION_HOST\D$. The offending user is DOMAIN\SOURCE_HOST$, which points to a process running as NT AUTHORITY\SYSTEM (I can't find the article where I got that from, but it's in my notebook). I want to track the culprit. Looking at events on SOURCE_HOST I see that the process SYSTEM PID 4 is making the network connections to DESTINATION_HOST. I am thinking about dumping SOURCE_HOST memory and then searching for strings (using strings or Volatility's yarascan) containing DEST_IP, but I am not sure this will yield much valuable info. Any other ideas? I can't find a good pointer anywhere.
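One way to approach the question in the post above, as an added example that is not part of the thread and not a tool the poster mentions. PID 4 attribution is expected here: the SMB client redirector is a kernel-mode driver, so any SMB connection it makes shows up under the System process regardless of which user-mode component asked for the share, and a memory dump of System will not name that component. The more productive path is to correlate the failed D$ accesses logged on DESTINATION_HOST (4625 failed logon, 5140 share accessed) with what was started under SYSTEM on SOURCE_HOST at the same moments (4688 process creation, 4698 scheduled task registered, 7045 service installed). Host names are the placeholders from the post; the seven-day look-back, the two-minute correlation window and the assumption that the relevant audit policies are enabled are mine.

```powershell
# Added example, not from the thread. Correlate failed D$ accesses on the destination
# with SYSTEM-context activity on the source at the same moments.
# Host names are the post's placeholders; the look-back and the +/-2 minute
# correlation window are assumptions to adjust.
$Dest   = 'DESTINATION_HOST'
$Source = 'SOURCE_HOST'
$Acct   = "$Source`$"              # machine account DOMAIN\SOURCE_HOST$ is logged as SOURCE_HOST$
$From   = (Get-Date).AddDays(-7)

function Get-EventField {
    # Pull one named <Data> value out of an event's EventData XML.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Destination side: 4625 (failed logon) and 5140 (share accessed) attributed to the
#    source's machine account. 5140 only exists if "Audit File Share" is enabled.
$destHits = Get-WinEvent -ComputerName $Dest -FilterHashtable @{LogName='Security'; Id=4625,5140; StartTime=$From} |
    Where-Object {
        (Get-EventField $_ 'TargetUserName') -eq $Acct -or (Get-EventField $_ 'SubjectUserName') -eq $Acct
    } |
    Select-Object TimeCreated, Id,
        @{n='Share';    e={ Get-EventField $_ 'ShareName' }},
        @{n='SourceIP'; e={ Get-EventField $_ 'IpAddress' }}

$destHits | Format-Table -AutoSize

# 2. Source side: the SMB redirector is kernel code, so the connection itself is always
#    charged to System (PID 4). Look instead at what started under SYSTEM (SID S-1-5-18)
#    just before each hit: process creation (4688, needs process auditing), scheduled
#    task registration (4698) and new service installs (7045, System log).
foreach ($hit in $destHits) {
    $window = @{ StartTime = $hit.TimeCreated.AddMinutes(-2); EndTime = $hit.TimeCreated.AddMinutes(2) }

    Get-WinEvent -ComputerName $Source -FilterHashtable (@{LogName='Security'; Id=4688,4698} + $window) -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'SubjectUserSid') -eq 'S-1-5-18' } |
        Select-Object TimeCreated, Id,
            @{n='Process'; e={ Get-EventField $_ 'NewProcessName' }},
            @{n='Task';    e={ Get-EventField $_ 'TaskName' }}

    Get-WinEvent -ComputerName $Source -FilterHashtable (@{LogName='System'; Id=7045} + $window) -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{n='Service';   e={ Get-EventField $_ 'ServiceName' }},
            @{n='ImagePath'; e={ Get-EventField $_ 'ImagePath' }}
}
```

Run it from a host with remote event log access to both machines. If 4688 is not being audited on SOURCE_HOST, the service and scheduled-task events are usually still present, and the ImagePath or TaskName they carry is the user-mode origin the System-process attribution hides.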

Forensic Software: Recovery of video fragments

harold wrote: Dear jaclaz, thank you very much for your reply. I appreciate your explanation and the pointer you provided me with. 1. I will try DMDE as soon as possible. 2. Once PhotoRec recovers a file, how do I know which sectors to zero out on my device (or, better, in the image that I have obtained by ddrescue-ing my drive)? 3. In the meantime I am trying CnW (https://www.cnwrecovery.com/). It is recovering many chunks of the same files discovered by PhotoRec, and many chunks that PhotoRec had completely missed. This time, however, the chunks are very small (a few kB), and they are partial (with bottom noise bands) or extremely noisy across the whole frame. Surprisingly, so far CnW was not able to recover the biggest chunks found by PhotoRec, which could play for at least a handful of seconds. This is evidence that there's at least more to be carved. Do you think some other tool will be able to recover the files without all such noise? In addition, if you know some other, non-free tools, please do not hesitate to share their names with me. I would gladly spend a few hundred bucks to recover my files, rather than attempting time-consuming approaches like the one you mention of zeroing the sectors. Thank you.

Yep, the point is exactly that PhotoRec doesn't tell you where the files are, hence the try with DMDE, which may find/recover the same (or more, or less) files as PhotoRec does but can actually tell you the extents where the files (or parts of them) are. CnW Recovery is an excellent tool, particularly for images and video, but of course each tool has its own way to "recognize" files or parts of them, so in the real world there is no single "perfect" tool; depending on the importance of the data, one needs to throw each and every tool at the stupid disk (image) (+1).

BTW the author of CnW Recovery is a member (mscotgrove) of this forum, so if he sees your thread he may be able to explain the matter to you in more detail. Loosely, video files are among the most difficult to recover because they tend to be very big (and thus more prone to fragmentation); usually contiguous files can be recovered just fine, whilst fragmented ones can only be recovered by "special" tools (like CnW Recovery) that anyway may still "miss" some files (or chunks of them). jaclaz
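The "negative approach" jaclaz describes in this thread (blank the extents of what has already been recovered and look at what is left) and harold's question of how to know which sectors to zero both come down to knowing where a recovered file starts and how long it is. The following is an added example written for this page; it is not code from the thread, from PhotoRec, DMDE or CnW. It scans a raw image for the two signatures a reference video would give you (the RIFF/AVI header, which declares the file size, and the MP4/MOV ftyp box, which only marks a start), reports the sector extents, zeroes the extents whose size is known and lists the sectors that still hold data. The 16-sector image is constructed inline, and the 512-byte sector size and the 64-byte cap on a plausible ftyp box are assumptions.

```python
import struct

SECTOR = 512  # assumed addressing unit; FAT32 clusters are whole multiples of it


def find_video_headers(image: bytes):
    """Locate AVI (RIFF) and MP4/MOV (ftyp) signatures in a raw image.

    Returns sorted (offset, kind, total_size) tuples. An AVI header states the file
    size, so its extent is known; an ftyp box only marks a start, so size is None.
    """
    hits = []
    pos = 0
    while (pos := image.find(b"RIFF", pos)) != -1:
        if image[pos + 8:pos + 12] == b"AVI ":
            riff_size = struct.unpack_from("<I", image, pos + 4)[0]
            hits.append((pos, "avi", riff_size + 8))  # +8 for the 'RIFF' tag and size field
        pos += 4
    pos = 0
    while (pos := image.find(b"ftyp", pos)) != -1:
        start = pos - 4
        if start >= 0:
            box_size = struct.unpack_from(">I", image, start)[0]
            if 8 <= box_size <= 64:  # real ftyp boxes are small; drops stray 'ftyp' strings
                hits.append((start, "mp4", None))
        pos += 4
    return sorted(hits)


def extent_sectors(offset: int, size: int):
    """First and last sector touched by a file of `size` bytes starting at `offset`."""
    return offset // SECTOR, (offset + size - 1) // SECTOR


def zero_recovered(image: bytearray, offset: int, size: int) -> bytearray:
    """The 'negative approach': blank the sectors a recovered file occupied."""
    first, last = extent_sectors(offset, size)
    image[first * SECTOR:(last + 1) * SECTOR] = bytes((last - first + 1) * SECTOR)
    return image


def residual_nonzero_sectors(image: bytes):
    """Sectors still holding data after known files were blanked: fragment candidates."""
    return [i // SECTOR for i in range(0, len(image), SECTOR) if any(image[i:i + SECTOR])]


def carve_and_report(image: bytearray):
    """Find headers, blank the extents whose size is known, and list what is left over."""
    hits = find_video_headers(image)
    work = bytearray(image)  # never modify the evidence image itself
    for offset, kind, size in hits:
        if size is not None:
            zero_recovered(work, offset, size)
    return hits, residual_nonzero_sectors(work)


def build_sample_image() -> bytearray:
    """Constructed 16-sector image, not a real dump: one AVI, one MP4 start, one orphan."""
    img = bytearray(16 * SECTOR)
    avi_total = 3 * SECTOR  # whole AVI spans sectors 2..4
    avi = b"RIFF" + struct.pack("<I", avi_total - 8) + b"AVI " + b"\xaa" * (avi_total - 12)
    img[2 * SECTOR:2 * SECTOR + avi_total] = avi
    ftyp = struct.pack(">I", 24) + b"ftyp" + b"isom" + struct.pack(">I", 0) + b"isomiso2"
    img[7 * SECTOR:7 * SECTOR + len(ftyp)] = ftyp
    img[7 * SECTOR + len(ftyp):8 * SECTOR] = b"\xbb" * (SECTOR - len(ftyp))
    img[12 * SECTOR:12 * SECTOR + 100] = b"\xcc" * 100  # fragment no header points at
    return img


if __name__ == "__main__":
    hits, leftover = carve_and_report(build_sample_image())
    for offset, kind, size in hits:
        extent = extent_sectors(offset, size) if size else ("?", "?")
        print(f"{kind} at byte {offset}, sectors {extent[0]}..{extent[1]}")
    print("sectors still unexplained:", leftover)
```

On the constructed image the AVI is blanked and sectors 7 (the MP4 start, whose length the header does not declare) and 12 (a fragment nothing points at) remain; those are the areas to feed back into the carvers. On a real image, run it against the ddrescue copy, never the drive, and treat the leftover list as the map of where the missing chunks can still be.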

General Discussion: Internal PDF Metadata (Dates)

Like a script looping through a directory listing, or using exiftool with wildcards/in recursive mode? https://www.forensicfocus.com/Forums/viewtopic/p=6600485/#6600485 See also about over-scripting here: https://sno.phy.queensu.ca/~phil/exiftool/mistakes.html jaclaz
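The two PDF threads above ask for the same thing: a bulk CSV of the date fields, and jaclaz's reminder that the Info dictionary and the XMP packet are different sets. exiftool in recursive mode is the right tool for the job; the following added example (written for this page, not the thread's or exiftool's code) shows what that comparison actually involves, so the CSV it produces can be read critically. It parses the PDF-specific D:YYYYMMDDHHmmSSOHH'mm' date format from the /Info dictionary, the ISO 8601 dates from the XMP packet, and flags files where the two sets disagree. The sample PDF is constructed inline; the column names, the mismatch flag and the restriction to literal (parenthesised, unencrypted) strings are assumptions of the example.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone
from pathlib import Path

# /Info dictionary dates look like (D:20181104153012+01'00') (ISO 32000-1, 7.9.4).
# Only literal strings in parentheses are matched; hex strings and encrypted
# documents need a real PDF library or exiftool.
INFO_DATE_RE = re.compile(rb"/(CreationDate|ModDate)\s*\(\s*(D:[^)]*)\)")
# XMP dates in the metadata stream are ISO 8601 with a colon in the offset.
XMP_DATE_RE = re.compile(rb"<(xmp:CreateDate|xmp:ModifyDate)>([^<]+)</\1>")

COLUMNS = ["file", "Info.CreationDate", "Info.ModDate",
           "XMP.CreateDate", "XMP.ModifyDate", "info_xmp_mismatch"]


def parse_pdf_date(value: str) -> datetime:
    """Convert D:YYYYMMDDHHmmSSOHH'mm' to a datetime; naive when no offset was written."""
    m = re.fullmatch(
        r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
        r"(?:(Z|[+-])(\d{2})?'?(\d{2})?'?)?", value)
    if not m:
        raise ValueError(f"not a PDF date string: {value!r}")
    y, mo, d, h, mi, s, sign, tzh, tzm = m.groups()
    tz = None
    if sign == "Z":
        tz = timezone.utc
    elif sign in ("+", "-"):
        off = timedelta(hours=int(tzh or 0), minutes=int(tzm or 0))
        tz = timezone(off if sign == "+" else -off)
    return datetime(int(y), int(mo or 1), int(d or 1),
                    int(h or 0), int(mi or 0), int(s or 0), tzinfo=tz)


def extract_pdf_dates(pdf: bytes) -> dict:
    """Read dates from both the Info dictionary and the XMP packet.

    They are separate sets: a tool that rewrites one may leave the other as it was,
    which is exactly what makes comparing them worthwhile.
    """
    found = {}
    for key, raw in INFO_DATE_RE.findall(pdf):
        found["Info." + key.decode()] = parse_pdf_date(raw.decode("latin-1"))
    for key, raw in XMP_DATE_RE.findall(pdf):
        found["XMP." + key.decode().split(":")[1]] = datetime.fromisoformat(raw.decode())
    return found


def _same_instant(a, b) -> bool:
    """Equal only when both present and comparable (a naive date has an unknown offset)."""
    if a is None or b is None or (a.tzinfo is None) != (b.tzinfo is None):
        return False
    return a == b


def dates_to_csv(files: dict) -> str:
    """files maps a display name to PDF bytes; returns CSV text, one row per file."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    for name, data in files.items():
        dates = extract_pdf_dates(data)
        row = {col: "" for col in COLUMNS}
        row["file"] = name
        for col in COLUMNS[1:5]:
            if col in dates:
                row[col] = dates[col].isoformat()
        # True when either pair differs or one side is missing altogether.
        mismatch = not (_same_instant(dates.get("Info.CreationDate"), dates.get("XMP.CreateDate"))
                        and _same_instant(dates.get("Info.ModDate"), dates.get("XMP.ModifyDate")))
        row["info_xmp_mismatch"] = str(mismatch)
        writer.writerow(row)
    return buf.getvalue()


def scan_directory(root: str) -> str:
    """Walk a tree of PDFs (the 'thousands of files' case) and return the CSV report."""
    files = {str(p): p.read_bytes() for p in Path(root).rglob("*.pdf")}
    return dates_to_csv(files)


# Constructed sample, not a real document: Info and XMP agree on creation, but the
# Info /ModDate was rewritten while the XMP xmp:ModifyDate was not.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Metadata 3 0 R >> endobj
2 0 obj << /Producer (constructed sample) /CreationDate (D:20181104153012+01'00') /ModDate (D:20190220091500Z) >> endobj
3 0 obj << /Type /Metadata /Subtype /XML >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description xmlns:xmp="http://ns.adobe.com/xap/1.0/">
<xmp:CreateDate>2018-11-04T15:30:12+01:00</xmp:CreateDate>
<xmp:ModifyDate>2018-11-04T15:31:00+01:00</xmp:ModifyDate>
</rdf:Description></rdf:RDF></x:xmpmeta>
endstream
endobj
trailer << /Info 2 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(dates_to_csv({"sample.pdf": SAMPLE_PDF}))
```

The mismatch column is the one to sort on: a document whose Info dates and XMP dates disagree has been through at least two writers, which is the caveat behind "the Created Date isn't infallible". A naive date (no offset written) is never reported as matching an aware one, because the instant it denotes is unknown.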

Forensic Software: Norton Ghost Backup

Kaly wrote: I was given a hard drive with a computer backup on it; the backup was done using Norton Ghost back in 2011. That product was discontinued in 2013 and Symantec killed support for it in 2014. Does anyone know of a way to open the backup files in a different tool? I've tried FTK, but it couldn't extract the data.

Ghost Explorer? Do you know which version was used to create the file? Or is it a .gho or .v2i? There is (or maybe was) a converter from VMware that could convert .v2i images. For .gho images you need some version (which one is to be seen) of Ghost or Ghost Explorer. Some have been published on archive.org: https://archive.org/search.php?query=%28symantec%29&and[]=subject%3A%22symantec%22 This is a Ghost Explorer from the official Symantec FTP repository: ftp://ftp.symantec.com/public/english_us_canada/products/symantec_ghost_solution_suite/2.5/updates/Ghostexp-B1597.zip jaclaz

General Discussion: PDF Manipulated

Thanks as always jaclaz (in both threads). Peter

Mobile Phone Forensics: Chip Off Damage

Didn't end up working. These cheap phones have so much glue that it just ends up ruining the chip when you take it off. Thankfully I am going on an ISP course.

Off-Topic: What Are You Reading?

Just started to read Thinner by Stephen King (as Richard Bachman). Book summary: it's about a curse put on a successful lawyer by an old Gypsy man. Just started, so I do not know the plot exactly.

Off-Topic: Gift ideas for spouse's birthday

I need to select a gift for my husband and it's hard to determine what I should give. Most gifts are really common, and it's hard to find something uncommon and meaningful. If anyone has a better idea, please suggest.

Forensic Software: Norton Ghost Backup

Kaly wrote: They are .sv2i files.

You should be able to use the following: ftp://ftp.symantec.com/public/english_us_canada/linked_files/Ghost/Norton%20Ghost%20Image%20Browser.exe which is the successor of Ghost Explorer, see: https://community.norton.com/en/forums/browsing-sv2iv2i-files to explore the image (but I believe you should also have a .v2i file?). Or try the VMware converter: https://my.vmware.com/en/web/vmware/info/slug/infrastructure_operations_management/vmware_vcenter_converter_standalone/6_2_0 jaclaz