Forensic Focus Forums - Recent Topics

General Discussion: Extract $J

UnallocatedClusters wrote: I downloaded the desktop client version of GitHub - maybe that will let me "clone" the repository if I am using the correct terminology. Either that. Or download the zip using another browser. Or compile the au3 source yourself. The usual annoyance wrt AV is that these types of compiled exes are blacklisted by default by less sophisticated AV.

General Discussion: PDF Manipulated

The suspected forged PDF document that I am working on has the Modified date (filesystem) earlier than the PDF creation date (Info). Is this a clue for the forgery? More details: the PDF file is found on two different computers with the same "anomaly". It is "produced by" MS Word 10 and does have the section of XMP metadata XML (must be manually removed).

Modified time (MFT) of two different copies of the same file: Thu Apr 27 20:54:53.0000000 UTC+0530 2017
Creation and modified time (Info) (both are equal): 2017-04-27 22:24:29

I have tested saving a Word file as PDF; the creation and modification for MFT and PDF Info are exactly the same. I am new to such analysis, any help or comment is highly appreciated.

General Discussion: Inconsistant PDF metadata

The suspected forged PDF document that I am working on has the Modified date (filesystem) earlier than the PDF creation date (Info). Is this a clue for the forgery? More details: the PDF file is found on two different computers with the same "anomaly". It is "produced by" MS Word 10 and does have the section of XMP metadata XML (must be manually removed).

Modified time (MFT) of two different copies of the same file: Thu Apr 27 20:54:53.0000000 UTC+0530 2017
Creation and modified time (Info metadata, embedded inside the document): 2017-04-27 22:24:29

I have tested saving a Word file as PDF; the creation and modification for MFT and PDF Info are exactly the same. I am new to such analysis, any help or comment is highly appreciated.

General Discussion: Encase verification errors E01 image, Imaged using Guymager

Hi there, I took a disk image using the Guymager 0.8 application via the CAINE Linux live distro and the verification was successful (screenshot: https://1drv.ms/u/s!An03iU493hAgnj-0La5YzBnbmTx_?e=aV31xe). However, when I verify the image with EnCase (v8.09) it results in differences in hash values (screenshot: https://1drv.ms/u/s!An03iU493hAgnkCAAwY71LsKlBev?e=B5roJd). Also, at the time I add the evidence I get the following errors (screenshot: https://1drv.ms/u/s!An03iU493hAgnkHdET5xR9nMZH9G?e=EqXxq5):

Error in "Header": String cannot be longer than 12 characters
Error in "Header": String cannot be longer than 64 characters
Invalid date value

Appreciate it if someone can tell me why this happens and how to avoid such EnCase verification errors, and why such errors occur when adding the evidence into EnCase. Thanks

Education and Training: NPCC guidelines?

GumStickStorage wrote: I know there's an ACPO Guidelines but that was published six years ago. Indeed, and a point underpinning your research. Moreover, it is noted in the Cloud Forensics community that ACPO Guidelines in 2015 were out of date. GumStickStorage wrote: ACPO as we know is now NPCC, so is there an NPCC equivalent to digital evidence guidelines? Anyone can hold onto and espouse ACPO Guideline 'Principles' if they want to. Might look good in a report or witness statement stating "ACPO Guideline 'Principles'". It is inescapable, thus unavoidable, as it currently stands FSR Rules and supported with guidance remain the de facto (unless that changes) approach in most cases. Additional guidance for the approach to the wider field in digital evidence can be found in CrimPR, CPS Guidelines and so on. GumStickStorage wrote: NPCC haven't responded to my freedom of information request. So I'm wondering if any of you know where I could find it and if it's the equivalent of ACPO 2012. What are the permitted timescales to respond to an FoI application? NPCC, I would suggest, won't saddle themselves with creating a new best practice guide because there are numerous divisions/departments/forces within the police doing something (but I could be wrong). NPCC's aim is to transform forensics; there is then the Forensic Capability Network (FCN); Police Scotland are doing something else; and so on. NPCC did produce a template for police forces in 2019 regarding digital device examination and PIN/password access but it contained no reference to 'principles', 'ACPO' (but then again they wouldn't, would they), 'guidelines', 'best practice', 'FSR rules', etc.

General Discussion: Encase verification errors E01 image, Imaged using Guymager

1. Verify the image files using Guymager or another tool. It has been my experience that different tools can generate different MD5 hash values for the same exact evidence source; I have no explanation as to why this occurs but it does.
2. Open the image file with FTK Imager (green plus sign), mount the image file with OSForensics, and see if other tools can open, mount and interact with your image file. If no tool at all can open or mount your original image file, it may have become corrupted.

Our best practice is to create and verify second copies of forensic images to completely separate media in the event one drive holding a copy of the forensic image fails. If you have followed this best practice, try to verify, mount and open your second image copy.

General Discussion: Extract $J

@Passmark Are you talking about filepaths resolved from MFT or from UsnJrnl?

Mobile Phone Forensics: Extract a encrypted iTunes backup with password and wechat

armresl wrote: You are replying to a 4 year old post. Ain't we allowed to reply on the old post?

General Discussion: Extract $J

Ok, I think we just slightly misunderstood each other. Nice that you point out in red that a path has changed at some later point in time. As for paths resolved from UsnJrnl, I was referring to a method of using UsnJrnl only to resolve paths. By doing that you can resolve certain paths that existed at an earlier point in time than what the MFT knows about (probably part of the path for those lines in red from your screenshot).
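The UsnJrnl-only path resolution described in the post above works by walking the parent-reference chain of a file and, for every ancestor, taking the name and parent that the journal recorded closest to the point in time being asked about, rather than the name the current $MFT holds. Here is an added example of that method (example code, not the poster's tool or any existing tool's code). The journal records are constructed; real $J records carry 64-bit file references whose top 16 bits are an MFT sequence number, and a bitmask of USN_REASON_* flags, both simplified here to a plain record number and a single reason string.

```python
"""Resolve full paths from $UsnJrnl:$J records alone, recovering paths that
existed before a rename or delete and that the live $MFT can no longer
produce. All records below are constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROOT_REF = 5  # MFT record number of the NTFS root directory


@dataclass(frozen=True)
class UsnRecord:
    usn: int          # journal offset, monotonically increasing
    file_ref: int     # MFT record number of the object this record is about
    parent_ref: int   # MFT record number of its parent directory at that moment
    name: str         # the object's name when the record was written
    reason: str       # one USN_REASON_* flag (simplified from the real bitmask)


def record_for(records: List[UsnRecord], ref: int, at_usn: int) -> Optional[UsnRecord]:
    """The record that gives `ref`'s name and parent as of `at_usn`.

    Newest record at or before `at_usn` wins (a RENAME_OLD_NAME record still
    carries the valid name at its own instant; the following RENAME_NEW_NAME
    takes over from there). If nothing was journaled before `at_usn`, because
    the object predates the oldest surviving record, the earliest later record
    still names it as it was: a later RENAME_OLD_NAME holds exactly the old
    name, and any other later record means the name had not changed in between.
    """
    mine = sorted((r for r in records if r.file_ref == ref), key=lambda r: r.usn)
    before = [r for r in mine if r.usn <= at_usn]
    if before:
        return before[-1]
    after = [r for r in mine if r.usn > at_usn]
    return after[0] if after else None


def resolve_path(records: List[UsnRecord], ref: int, at_usn: int) -> str:
    """Full path of `ref` as it was at `at_usn`, built only from journal records."""
    parts, seen, current, note = [], set(), ref, ""
    while current != ROOT_REF:
        if current in seen:                      # corrupt or looping parent chain
            parts.append(f"<loop:{current}>")
            break
        seen.add(current)
        rec = record_for(records, current, at_usn)
        if rec is None:                          # ancestor never journaled
            parts.append(f"<unknown:{current}>")
            break
        if current == ref and rec.reason == "FILE_DELETE" and rec.usn <= at_usn:
            note = f" [deleted at USN {rec.usn}]"
        parts.append(rec.name)
        current = rec.parent_ref
    return "\\" + "\\".join(reversed(parts)) + note


def path_history(records: List[UsnRecord], ref: int) -> List[Tuple[int, str, str]]:
    """(usn, reason, path) for every record about `ref`, in journal order."""
    return [(r.usn, r.reason, resolve_path(records, ref, r.usn))
            for r in sorted(records, key=lambda r: r.usn) if r.file_ref == ref]


# Constructed journal. Note there is no creation record for directory 40:
# it predates the journal, so its name is only learnable from its later rename.
SAMPLE_JOURNAL = [
    UsnRecord(110, 41, 40, "draft", "FILE_CREATE"),
    UsnRecord(120, 60, 41, "notes.txt", "FILE_CREATE"),
    UsnRecord(130, 60, 41, "notes.txt", "DATA_EXTEND"),
    UsnRecord(140, 41, 40, "draft", "RENAME_OLD_NAME"),
    UsnRecord(141, 41, 40, "final", "RENAME_NEW_NAME"),
    UsnRecord(150, 60, 41, "notes.txt", "RENAME_OLD_NAME"),
    UsnRecord(151, 60, 5, "notes.txt", "RENAME_NEW_NAME"),   # moved to the root
    UsnRecord(160, 41, 40, "final", "FILE_DELETE"),
    UsnRecord(170, 40, 5, "Projects", "RENAME_OLD_NAME"),
    UsnRecord(171, 40, 5, "Archive", "RENAME_NEW_NAME"),
]

if __name__ == "__main__":
    for usn, reason, path in path_history(SAMPLE_JOURNAL, 60):
        print(f"{usn:>5} {reason:<16} {path}")
```

Resolving record 60 at USN 130 yields \Projects\draft\notes.txt, a path the $MFT can no longer produce once the directory has been renamed to "final" and then deleted and the parent renamed to "Archive". In a real parser, keep the sequence number in the file reference: an MFT record number is reused after deletion, and without the sequence number a new file would be spliced into the old file's history.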

Education and Training: NPCC guidelines?

The fundamental problem is that, whilst the ACPO guidelines were trying to raise the standard of digital forensics, by giving sensible guidelines/suggestions for an overall approach, without being problematically rigid, ISO17025 is trying to give the APPEARANCE of raising standards in Digital Forensics, whilst more likely actually overall being a detriment to the field, for a variety of reasons (previously discussed so no need to bore everyone again). There desperately needs to be some leadership and investment in improving digital forensics in this country. Let's face it, despite the obvious bias, I'd say it's clearly the largest, and most important source of forensic evidence these days, as the scope of cases it covers, and is regularly used in, is almost everything, unlike DNA for example. It's symptomatic of this country that the approach is essentially to increase red-tape and prevent people spending most of their time doing their jobs (as many police officers will know all too well). As this is essentially a political problem, we need to use a political buzzphrase, and "get back to basics". This means setting out the key challenges (or problems) in digital forensics and then coming up with credible paths to solving them (or improving them). As I've argued before, I think if you listed the key challenges/problems in digital forensics, and realistically weighed up how much ISO17025 would improve things, I'd say it wouldn't get a score of more than 2/10 on any measure (being generous here) and arguably would make things worse, if one measure was the effectiveness of a department/unit/company spending their time/money on it. (apologies for another rant - it just really irritates me - as you can tell)

General Discussion: Encase verification errors E01 image, Imaged using Guymager

We use Guymager for most of our imaging, though we don't use EnCase, and haven't encountered this problem yet. Try using ewfverify from the CAINE distribution on the image (Guymager won't let you just verify an image AFAIK) and check the hashes after that. I take it the image was created on a hard disk and then that hard disk was transferred to a machine for investigation?

Mobile Phone Forensics: Extract a encrypted iTunes backup with password and wechat

msbettyhunt wrote: armresl wrote: You are replying to a 4 year old post. Ain't we allowed to reply on the old post?

Sure we are. BUT replying to an old post WITHOUT adding any relevant info is frowned upon, not only because it adds nothing, but it may also make some less attentive members reply, and then another one will reply, etc., while the OP (original poster) is already well past the original issue and most probably won't ever report if any of the suggestions have been found meaningful/useful.

BTW, in theory the scheme of a thread about a help/assistance request should be:
1) the OP asks the question, hopefully providing as much detail as possible
2) one or more willing helping members try to suggest a meaningful, well thought out solution to the OP's problem (and nothing else)
3) the OP tries the suggested solution and reports whether it worked or not
4) one or more loops to #2 until the issue is resolved or deemed to be unresolvable

What actually happens in practice most of the time is:
1) the OP asks the question, usually omitting any meaningful detail
2) a number of other members either throw half @§§ed or vague/generic recommendations or ask for meaningful details
3) some of the good guys that actually make and sell commercial tools take the occasion to say how their tool would work instead
4) some spammer takes the occasion - possibly years later - to mention their tool - even if already mentioned (and excluded) before
5) a willing helping member doesn't notice the date of the before-last post and there may be a loop to #2
6) the thread, having been posted to, "floats" to the "recent posts" and a number of people will read it (AGAIN), won't notice the dates of the original posts and will add some comment (good or bad), and again a loop to #2 may happen
7) the original issue likely won't be solved anyway (or at least we will miss any confirmation on what - if any - worked), the forum database will increase (a little) in size, lots of members will have lost (a little) time reading an old, likely irrelevant thread, and entropy will win another (little) battle.

jaclaz

Mobile Phone Forensics: SnapChat For My Eyes Only Encryption

mcman wrote: Are you looking at iOS or Android? We just updated AXIOM to support MEO in most situations:
iOS: Decrypt Memories recovered from images acquired using GrayKey. My Eyes Only snaps can also be recovered and decrypted if the snaps have been viewed locally and are available in the application's media cache.
iOS: Added support for recovering and decrypting MEO pictures and the opening frames of videos.
Android: Updated support to recover attachments from messages and memories on some versions. [10.68, 10.69]
For iOS you're going to need a full file system from GK or other option though in order to get the necessary files to decrypt.
Jamie McQuaid
Magnet Forensics

As a MF customer, thanks for the help. Now, as MF and GK are venturing forward together, can you work on GK lowering their pricing? (wink)
Carver

Forensic Software: Metadata Interrogator

Hi, That's a great tool you've created there. Thank you. I've had a play with it from various file types of my own that I know the history of. On all the (Word) Docs it gives a "Creation Date" and "Created" row. In all cases the former shows 01.01.1980 00:00.00hrs and the latter gives me the times/date I created my document - precisely. Can you tell me the intended difference between the two? Thanks again.

Education and Training: NPCC guidelines?

ACPO was replaced by the NPCC in 2015. In late 2016, I used the FoI to ask the NPCC about the ACPO guidelines. The key questions/responses were as follows:

1. Are you currently responsible for the "Good Practice Guide for Digital Evidence" document? This was previously published by ACPO.
RESPONSE: The NPCC is responsible for the 'Good Practice Guide for Digital Evidence'.

2. If you are responsible for this document, are you currently planning any revisions to this document?
RESPONSE: The NPCC holds information to suggest this document will be updated.

As far as I am aware, the above situation has not changed since 2016 and the NPCC have not published any updated guidelines. As part of the same exercise, I asked The College of Policing the same questions. They replied that they were not responsible for this area.

Jim
www.binarymarkup.com

General Discussion: Find a blank PDF form?

We are dealing with a trucking company that hauls road base to several cities in the state of Texas. They suspect that one of their administrative employees has been embezzling. They believe she has a blank PDF file (used like a template but not in a template format) saved somewhere in her files that can be used for generating false work orders and false invoices, and she gets a front company to collect the real money. Problem is, there is about 1TB of various PDF documents in various folders connected to her user account. They want us to find the one blank 'template' PDF document she is using to generate the counterfeits. My first idea is to export all PDFs, sort them by size, and begin looking at the 'smaller' ones. However, that could still leave us with maybe 300,000 files. Does anyone have a most excellent idea we can use? Thanks!

Mike
"Focus on the Whole Truth"
C.M. "Mike" Adams EnCE, LPI, TALI
Prime Focus Forensics
P.O. Box 847
Hutto, TX 78634
512.436.3610
admin1@pfforensics.com
We use voice dictation software. Sometimes the software gets it right, other times it just writes it wrong - (homophones)
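Sorting 300,000 PDFs by size alone is a weak filter. An added example of a triage pass that narrows the queue further (example code, not from the poster or any tool mentioned here): deduplicate by content hash so every copy of the same file collapses into one entry with all its paths, record Producer/Creator from the Info dictionary, flag documents carrying an AcroForm field tree, and count text-showing operators in the inflated content streams, since a blank form draws its labels but none of the filled-in values. The three sample PDFs are constructed in memory; the scoring weights are arbitrary assumptions meant to order a review queue, not to identify the template on their own, and image-only pages score neutral because no text is drawn.

```python
"""Triage a PDF corpus for a blank 'template' document. Sample PDFs are
constructed below; with real files, pass (path, open(path, 'rb').read())."""
import hashlib
import re
import zlib
from typing import Dict, Iterable, List, Tuple

# (?<!end) keeps "endstream" from being mistaken for the start of a stream.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_TEXT_OP = re.compile(rb"(?<![A-Za-z])(?:Tj|TJ)(?![A-Za-z])")   # text-showing operators


def _info_string(pdf: bytes, key: str) -> str:
    """Literal-string value of an Info entry stored in the clear (assumption)."""
    m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", pdf)
    return m.group(1).decode("latin-1") if m else ""


def _text_ops(pdf: bytes) -> int:
    """Count Tj/TJ across all streams, inflating FlateDecode where possible."""
    total = 0
    for m in _STREAM.finditer(pdf):
        data = m.group(1)
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass                                  # not Flate: scan the raw bytes
        total += len(_TEXT_OP.findall(data))
    return total


def triage_pdf(pdf: bytes) -> Dict[str, object]:
    return {
        "sha256": hashlib.sha256(pdf).hexdigest(),
        "size": len(pdf),
        "producer": _info_string(pdf, "Producer"),
        "creator": _info_string(pdf, "Creator"),
        "has_acroform": b"/AcroForm" in pdf,
        "field_count": len(re.findall(rb"/FT\s*/", pdf)),        # /FT /Tx, /Btn ...
        "text_ops": _text_ops(pdf),
        "pages": len(re.findall(rb"/Type\s*/Page(?!s)", pdf)),
    }


def template_score(t: Dict[str, object]) -> float:
    """Higher = more template-like: fillable fields, little drawn text, small file.
    Weights are assumptions chosen for ordering only."""
    score = 10.0 if t["has_acroform"] else 0.0
    score += min(int(t["field_count"]), 20) * 0.5
    score -= int(t["text_ops"]) / max(int(t["pages"]), 1) * 0.25
    score -= int(t["size"]) / 1_000_000
    return score


def rank_candidates(files: Iterable[Tuple[str, bytes]]) -> List[Dict[str, object]]:
    """One entry per distinct content hash (all paths kept), best candidate first."""
    by_hash: Dict[str, Dict[str, object]] = {}
    for path, data in files:
        t = triage_pdf(data)
        by_hash.setdefault(t["sha256"], {**t, "paths": []})["paths"].append(path)
    ranked = sorted(by_hash.values(), key=template_score, reverse=True)
    for e in ranked:
        e["score"] = round(template_score(e), 2)
    return ranked


def _pdf(producer: str, content: bytes, fields: int = 0) -> bytes:
    """Build a minimal constructed PDF for the demo (Flate content stream,
    optional AcroForm with `fields` text fields)."""
    comp = zlib.compress(content)
    objs = [b"1 0 obj << /Producer (" + producer.encode() + b") /Creator (Microsoft Word) >> endobj\n",
            b"2 0 obj << /Type /Catalog /Pages 3 0 R"
            + (b" /AcroForm << /Fields [" + b" ".join(b"%d 0 R" % (10 + i) for i in range(fields)) + b"] >>"
               if fields else b"") + b" >> endobj\n",
            b"3 0 obj << /Type /Pages /Kids [4 0 R] /Count 1 >> endobj\n",
            b"4 0 obj << /Type /Page /Parent 3 0 R /Contents 5 0 R >> endobj\n",
            b"5 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(comp) + comp + b"\nendstream endobj\n"]
    objs += [b"%d 0 obj << /FT /Tx /T (f%d) /Subtype /Widget >> endobj\n" % (10 + i, i) for i in range(fields)]
    return b"%PDF-1.4\n" + b"".join(objs) + b"%%EOF\n"


BLANK_FORM = _pdf("Microsoft Word 2010", b"BT /F1 10 Tf (Work Order No.) Tj (Customer) Tj (Amount) Tj ET", fields=3)
FILLED_INVOICE = _pdf("Microsoft Word 2010", b"BT /F1 10 Tf " + b" ".join(b"(line %d) Tj" % i for i in range(40)) + b" ET")
SCANNED = _pdf("Scanner Pro", b"q 612 0 0 792 0 0 cm /Im0 Do Q")
CORPUS = [  # constructed paths
    ("Users/ap/Documents/forms/workorder_blank.pdf", BLANK_FORM),
    ("Users/ap/Desktop/old/wo_template_copy.pdf", BLANK_FORM),
    ("Users/ap/Documents/invoices/inv-1042.pdf", FILLED_INVOICE),
    ("Users/ap/Scans/scan0001.pdf", SCANNED),
]

if __name__ == "__main__":
    for e in rank_candidates(CORPUS):
        print(f"{e['score']:>7} fields={e['field_count']} text_ops={e['text_ops']} "
              f"{e['producer']!r} {e['paths']}")
```

Once the queue is ordered, the Producer/Creator grouping is worth a second look: the counterfeits themselves were generated from the template, so the forged work orders should share its producer string and page structure, and the one file many of them derive from tends to sit at the top of its group with the fewest drawn text runs.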

Education and Training: NPCC guidelines?

GumStickStorage wrote: trewmte wrote: NPCC, I would suggest, won't saddle themselves with creating a new best practice guide because there are numerous divisions/departments/forces within the police doing something (but I could be wrong). NPCC's aim is to transform forensics; there is then the Forensic Capability Network (FCN); Police Scotland are doing something else; and so on. I'm a little upset by that because, just by reading ACPO, it was a well-written guideline and still gets praise today despite its progressively obsolete state (implying people are moving to up-to-date guidelines, which makes more sense). However, as stated earlier, it can generate a form of inspiration. Perhaps I can attempt to make proposed amendments to the guidelines so it satisfies the upcoming decade too.

Historically, when people travelled by horse and trap the de facto controller device was a 'buggy-whip'. Everyone needed one. When the automobile turned up, where was the need for, or relevance of, the buggy-whip? Things change. The principles of safe travel by horse and trap continued to be considered relevant to the automobile, but only as principles of limited safety value, and had to be updated to reflect reality. That reality, relevant to today's technology, comes in the form of guidance. ISO has developed a set of global digital forensics standards:

- ISO/IEC 27037:2012: Guide for collecting, identifying, and preserving electronic evidence
- ISO/IEC 27041:2015: Guide for incident investigations
- ISO/IEC 27042:2015: Guide for digital evidence analysis
- ISO/IEC 27043:2015: Incident investigation principles and processes
- ISO/IEC 27050-1:2016: Overview and principles for eDiscovery

The principles in these standards are 'neutral' of other guidelines (e.g. ACPO, NIST, SWGDE, etc). This approach is not new. So just tweaking ACPO Guidelines ("Good Practice Guide for Digital Evidence") might not be enough.

Mobile Phone Forensics: Oxygen Forensics - Decrypt android dumps

OxygenForensics wrote: the_Grinch wrote: To confirm, Oxygen has the ability to image a phone (with secure startup) and then allow unlimited attempts to unlock the encrypted extraction? Yes, we can image an Android phone with Secure Startup enabled. Once you create an image you have an unlimited number of attempts to decrypt it in our software. And if it's not secure startup, but just a password you would be able to bypass it? As an example, an SM-G955U?

Mobile Phone Forensics: Iphone Exif Data

I was looking at an iPhone 7 using Cellebrite software. The EXIF data for a video showed the date the video was created and a modified date. The modified date and time was the time the phone was searched by an agent. Can someone explain why the modified date changed? I am wondering if the modified date changed because the video was downloaded from iCloud while the agent was looking at the phone. Any help or reference to some research would be greatly appreciated. Thank you in advance
