Thank you so much for your response. Only good people take the time to help, so, you must be a 'good people'.
I am going to try that!!
Mike
General Discussion: Find a blank PDF form?
Why does it need to be a "blank" PDF?
That doesn't make sense for two reasons.
1) There are lots of PDF editors available now that can edit existing PDFs, just like you are editing a Word document. No need for a blank one. We use FoxIT Phantom for editing PDFs, but there are other options.
2) Very few people create new PDF documents from old PDF documents. Much more typical is to work from a source document. e.g. start with a Word or Excel file or some cloud based system and then Save to PDF. Or create PDFs directly from the company's accounting system. Could even be using Photoshop to edit scanned PDFs.
But if you needed to, searching the PDFs should be pretty easy. Make a text index and just search for some of the known text. If you can limit the search by date / time or file size, that can help. Maybe using negative keywords can help as well if you are looking for a "blank" document. You should also be looking at what documents have recently been opened in Word & Excel, whether the user has access to the accounting system, and whether a PDF editor is installed on the machine (and what files it recently opened). Also check the metadata in the PDF file itself; they often have details about what software created the PDF. Do the PDFs have a text layer or are they scanned bitmaps that need OCR?
Pretty much all the major forensics tools can do all of this for you. If you need specific directions let me know.
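As an added example (not code from the post or from any forensic suite), a short Python triage of the two PDF questions raised above: it reads the /Producer, /Creator and /CreationDate entries from the Info dictionary and checks for font resources and text operators versus image XObjects. It assumes an uncompressed PDF (on real files the content streams are usually Flate-compressed, so decompress them or use a PDF library first); the sample file is constructed.

```python
import re
from datetime import datetime

# Constructed sample: a minimal uncompressed PDF with an Info dictionary and one
# text-drawing content stream (not a file from the case in the thread).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R
   /Resources << /Font << /F1 5 0 R >> >> >> endobj
4 0 obj << /Length 41 >> stream
BT /F1 12 Tf 72 700 Td (Work order) Tj ET
endstream endobj
5 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
6 0 obj << /Producer (Microsoft: Print To PDF) /Creator (Microsoft Word)
   /CreationDate (D:20191031143000+01'00') >> endobj
trailer << /Root 1 0 R /Info 6 0 R >>
%%EOF
"""

def pdf_date(value: str) -> str:
    """Turn a PDF date like D:20191031143000+01'00' into ISO 8601; other forms pass through."""
    m = re.match(r"D:(\d{14})([+\-Z])?(\d{2})?'?(\d{2})?'?$", value)
    if not m:
        return value
    stamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").isoformat()
    if m.group(2) in ("+", "-"):
        return f"{stamp}{m.group(2)}{m.group(3)}:{m.group(4)}"
    return stamp + ("Z" if m.group(2) == "Z" else "")

def triage_pdf(data: bytes) -> dict:
    """Metadata (which software wrote the file) plus a text-layer / needs-OCR verdict."""
    result = {}
    for key in ("Producer", "Creator", "Author", "CreationDate", "ModDate"):
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", data)
        if m:
            result[key] = m.group(1).decode("latin-1")
    for key in ("CreationDate", "ModDate"):
        if key in result:
            result[key] = pdf_date(result[key])
    # Text layer: font resources plus BT ... Tj/TJ text operators in a content stream.
    # Scanned documents normally carry only /Subtype /Image XObjects and need OCR.
    has_text = (re.search(rb"/Font\b", data) is not None
                and re.search(rb"\bBT\b.*?\bT[jJ]\b", data, re.S) is not None)
    has_image = re.search(rb"/Subtype\s*/Image", data) is not None
    result["text_layer"] = has_text
    result["needs_ocr"] = has_image and not has_text
    return result
```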
Mobile Phone Forensics: Oxygen Forensics - Decrypt android dumps
the_Grinch wrote:
OxygenForensics wrote:
the_Grinch wrote:
To confirm, Oxygen has the ability to image a phone (with secure startup) and then allow unlimited attempts to unlock the encrypted extraction?
Yes, we can image an Android phone with Secure Startup enabled. Once you create an image you have an unlimited number of attempts to decrypt it in our software.
And if it's not secure startup, but just a password you would be able to bypass it? As an example, an SM-G955U?
Yes, we offer various screen lock bypass methods for Android devices. This particular model is not supported but we are working on its support.
General Discussion: Encase verification errors E01 image, Imaged using Guymager
klllmmm wrote:
[img]https://1drv.ms/u/s!An03iU493hAgnkHdET5xR9nMZH9G?e=EqXxq5[/img]
Errors are:
Error in “Header” : String cannot be longer than 12 characters
Error in “Header” : String cannot be longer than 64 characters
Invalid date Value
The EWF / E01 file format is not very well specified and different products implement it subtly differently. The "header" section of the image file contains case information (case number, examiner name, acquisition dates etc). This information is stored in a relatively loose text format. According to Joachim Metz's work, EnCase imposes some limits on how long some of the text fields can be. These limits are not strictly necessary according to the format. I would suspect that Guymager doesn't know this and isn't trying to create an EnCase "compatible" file. You could work around this by using shorter text descriptions when creating the image. See:
github.com/libyal/libe...der_values
Provided the image worked in every other respect, I wouldn't be too concerned about the EnCase errors. However, the different hash values are a different issue and may be a sign of a more serious problem acquiring/verifying the image.
Jim
www.binarymarkup.com
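As an added illustration of the header section Jim describes (not code from the thread, from libewf or from Guymager): a small Python check that decompresses an EWF "header" section, splits it into the identifier/value table documented by libewf, and reports values that exceed a given length limit or carry an unparsable date. The sample header and the per-field limits are constructed for the demonstration; take the real EnCase maxima from the libewf documentation.

```python
import time
import zlib

# Identifiers used in the EWF "header" section, as documented by libewf.
FIELDS = {"c": "case number", "n": "evidence number", "a": "unique description",
          "e": "examiner name", "t": "notes", "av": "acquiry software version",
          "ov": "acquiry operating system", "m": "acquiry date", "u": "system date",
          "p": "password hash"}

def parse_ewf_header(section_data: bytes) -> dict:
    """Decompress the zlib-packed header data (the bytes after the section descriptor)
    into {identifier: value}. Layout: '1', 'main', identifiers, values, empty line."""
    text = zlib.decompress(section_data).decode("latin-1")
    lines = text.replace("\r\n", "\n").split("\n")
    if len(lines) < 4 or lines[1] != "main":
        raise ValueError("not an EWF header section")
    return dict(zip(lines[2].split("\t"), lines[3].split("\t")))

def valid_ewf_date(value: str) -> bool:
    """Accept 'yyyy m d h m s' (header) or a POSIX timestamp string (header2)."""
    parts = value.split()
    if len(parts) == 6 and all(p.isdigit() for p in parts):
        try:
            time.strptime(" ".join(parts), "%Y %m %d %H %M %S")
            return True
        except ValueError:
            return False
    return value.isdigit()

def check_header(fields: dict, limits: dict) -> list:
    """Report values longer than the limit set for their field and unparsable dates."""
    problems = []
    for ident, value in fields.items():
        name = FIELDS.get(ident, ident)
        if ident in limits and len(value) > limits[ident]:
            problems.append(f"{name}: {len(value)} chars, limit {limits[ident]}")
        if ident in ("m", "u") and not valid_ewf_date(value):
            problems.append(f"{name}: invalid date value {value!r}")
    return problems

# Constructed sample header with an over-long case number and a mis-formatted system date.
SAMPLE_HEADER = zlib.compress(
    ("1\nmain\nc\tn\ta\te\tt\tav\tov\tm\tu\tp\n"
     "CASE-2019-000001234\t001\tLaptop HDD\tExaminer\tImaged with Guymager\t0.8.8\t"
     "Linux\t2019 10 31 14 30 00\t31/10/2019\t0\n\n").encode("latin-1"))
# Assumed, illustrative limits: the real per-field maxima are in the libewf documentation.
LIMITS = {"c": 12, "n": 12, "e": 64}
PROBLEMS = check_header(parse_ewf_header(SAMPLE_HEADER), LIMITS)
```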
General Discussion: Mac Firmware Password
Is there any way to either extract or crack the firmware password on a Mac? FileVault is enabled on the HD, but I would have thought the firmware password would be unencrypted somewhere? Any inroads on this?
General Discussion: Find a blank PDF form?
Out of curiosity - what would having a blank document prove? Are these work-orders and invoices only generated from an automated system into PDF format, once properly filled out in the generating system, and therefore the existence of a blank one in theory not being possible, and therefore suspicious?
Perhaps coming at this from a different angle, assuming the suspect isn't particularly techy, before trawling huge amounts of data it might be worth having a quick flick through things like the MRU lists, Jump Lists, shortcuts in the Recent folder, etc. You never know, you might find there's a small number of items worth checking first before you do a bigger trawl of everything.
Forensic Hardware: [URGENT]Need help with Cellebrite UFED Touch USB Rescue Tool
kbertens wrote:
Maybe it's better to contact Cellebrite support.
I don't know the USB Rescue tool; I'm only aware of a reinstall with a USB stick. It launches Ghost and reinstalls the UFED.
Hello,
my Cellebrite UFED Touch device is not booting. I changed the SSD and it says OPERATING SYSTEM NOT FOUND. Please help: where can I find and install the operating system with USB and the UFED program?
Please send the .iso file of the operating system. Thanks in advance.
gmail: ali.ege.sahin@gmail.com
General Discussion: Counterfeit machine
Just learned from an army buddy of mine who gave me a heads up about this fraud."Police say someone had their bank accounts emptied after they paid a taxi driver with a debit card. They had wanted to pay with their credit card, but taxi driver asked for another method because he didn’t want to pay the 4% visa fee. Police advise that whenever you are asked to use a debit card instead of credit card for whatever reason, enter the wrong PIN. If it is a counterfeit machine it will pretend to process the payment and produce a receipt. Whereas an authentic machine will reject the PIN and request a “try again” message. Help spread the word, as the police state this type of fraud is becoming increasingly prevalent."
Mobile Phone Forensics: Decrypting Signal app sql database on IOS
It's a good solution for someone who has the encryption key. If you don't have the key it is a useless tool.
General Discussion: reconstruct SQL Injection attack from logs
SQLMAP is an automated tool. One would expect that there was some manual activity, by a human, after the automated attack?
So maybe you can check the timestamps and look for a pause in the automated activity when the human takes over. There might also be a change in the "User Agent" string in the Apache log. The obvious first thing to do once you are in the database is a SQLDUMP. Then see if you could get a shell running, or PHP code running.
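As an added example (not from the post) of the timestamp and User-Agent approach suggested above, this Python snippet walks constructed Apache combined-format log lines per client IP and flags the point where a run of automated requests (recognised here by the default sqlmap User-Agent string) is followed by a long pause or a different User-Agent, i.e. where a person may have taken over from the tool.

```python
import re
from datetime import datetime

# Apache "combined" log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["automated"] = "sqlmap" in rec["ua"].lower()  # default sqlmap User-Agent
    return rec

def find_handover(lines, min_gap_s: int = 300) -> list:
    """Per client IP, flag each request that follows automated traffic after a pause of at
    least min_gap_s seconds or with a changed User-Agent: candidate points where a
    person took over from the tool and the manual phase of the activity starts."""
    events, last = [], {}
    for rec in filter(None, map(parse_line, lines)):
        prev = last.get(rec["ip"])
        if prev and prev["automated"]:
            gap = (rec["time"] - prev["time"]).total_seconds()
            ua_changed = rec["ua"] != prev["ua"]
            if gap >= min_gap_s or ua_changed:
                events.append({"ip": rec["ip"], "at": rec["time"].isoformat(),
                               "gap_s": gap, "ua_changed": ua_changed,
                               "request": rec["req"]})
        last[rec["ip"]] = rec
    return events

# Constructed sample: a short sqlmap burst, an unrelated visitor, then a browser from
# the same source address after a quarter of an hour.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Oct/2019:14:02:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.3.11#stable (http://sqlmap.org)"',
    '10.0.0.5 - - [31/Oct/2019:14:02:01 +0000] "GET /item.php?id=2 HTTP/1.1" 500 318 "-" "sqlmap/1.3.11#stable (http://sqlmap.org)"',
    '10.0.0.5 - - [31/Oct/2019:14:02:02 +0000] "GET /item.php?id=3 HTTP/1.1" 200 512 "-" "sqlmap/1.3.11#stable (http://sqlmap.org)"',
    '192.0.2.9 - - [31/Oct/2019:14:05:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0"',
    '10.0.0.5 - - [31/Oct/2019:14:19:40 +0000] "GET /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0"',
    '10.0.0.5 - - [31/Oct/2019:14:20:05 +0000] "POST /admin/login.php HTTP/1.1" 200 1440 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0"',
]
EVENTS = find_handover(SAMPLE_LOG)
```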
General Discussion: Mac Firmware Password
No takers?
General Discussion: Tool Vendors and Testing (an open study)
If it was a reputable agency running the tests, then I am sure some would be happy to take part.
Except for the really basic functions, I think an apples-to-apples comparison would be difficult.
Example of basic function
================
Image a hard drive to make an E01 disk image.
But even this could be problematic, if levels of compression were different, or if there was a verification step, or extra hashing performed by one of the tools, or differences in handling of disk errors.
Example of high level function.
================
Index the files on the hard drive, search for files containing 50 different words and phrases, then export the results to CSV.
This is really hard to keep consistent. What file types are indexed, is OCR performed, are you testing in a low-RAM environment, are you testing with hardware with a large number of CPU cores, is string extraction done on binary files, is the indexing recursive (a PDF in a Zip in a Zip in a PST), what disk image format was used, what is the mix of file types, is unallocated space on the drive indexed, etc...
In short there are dozens of variables & permutations.
Mobile Phone Forensics: Extract an encrypted iTunes backup with password and wechat
UnallocatedClusters wrote:
You could try to restore the encrypted backup to a factory reset iPhone, “reset all passwords” under settings in the iPhone, and then acquire and analyze the iPhone data with whatever tools you have. Not sure if this would work - I have never tried it myself:
I don't think it will work, because there is no way to secure the rest of the data in the phone. If the iPhone Backup Extractor doesn't work well enough, why not reset the password directly?
Forensic Hardware: [URGENT]Need help with Cellebrite UFED Touch USB Rescue Tool
You didn't happen to buy your Cellebrite from a non-vendor, did you?
egeberkin wrote:
kbertens wrote:
Maybe it's better to contact Cellebrite support.
I don't know the USB Rescue tool; I'm only aware of a reinstall with a USB stick. It launches Ghost and reinstalls the UFED.
Hello,
my Cellebrite UFED Touch device is not booting. I changed the SSD and it says OPERATING SYSTEM NOT FOUND. Please help: where can I find and install the operating system with USB and the UFED program?
Please send the .iso file of the operating system. Thanks in advance.
gmail: ali.ege.sahin@gmail.com
Forensic Software: Is there a way to retrieve saved browser passwords Windows
Google,
forensics recover browser passwords
There are lots of options.
General Discussion: Tool Vendors and Testing (an open study)
Prof. Buchanan and team from Napier University published a paper on:
Evaluating Digital Forensic Tools ( DFTs)
6 Conclusion
This paper has outlined evaluation and validation methodologies, where some of these are too complex to be used by digital forensics investigators, such as Carrier's abstraction layers model [19], and others do not cover all aspects of the tools [32]. For all of them, none has been implemented in such a way that enables automation of the validation process. This means that testing may need to be performed manually. This is obviously an issue, as it takes away a significant amount of time from investigators.
Beckett’s [3] methodology can be used to define the requirements to validate digital forensics functions. This is a good methodology which covers all aspects in the definition of the validation process. However, the methodology does not cover the actual implementation of the validation process. Therefore, another methodology is needed. A good candidate is the methodology of Wilsdon [13] based on black-box testing.
https://www.napier.ac.uk/~/media/worktribe/output-178532/flandrinpdf.pdf
Forensic Software: AXIOM MAGNET OCR
Not only documents! I think it would be useful for Magnet Axiom to have the capability to OCR images.
However, mcman, on the Magnet Forensics website there is an old announcement (3 July 2018) where the following was written: "Are PDF documents OCR'd during initial processing?
Not today, but optical character recognition (OCR) is functionality we plan to add to AXIOM this year."
As you can see, "this year" referred to 2018, but as of today (2019 is ending) the function does not seem to have been implemented yet.
In the forensic field, this function is crucial.
General Discussion: Counterfeit machine
Rich2005 wrote:
https://www.snopes.com/fact-check/wrong-pin-stop-debitcard-theft/ :wink:
Thanks Rich2005 - useful link. I didn't know about this scam until I was told about it recently.
A contact in US law enforcement also gave some useful advice. "And once you put the wrong pin in and the driver thanks you for taking a ride, make sure to document everything about cab/driver because you just caught a bad guy."
Webinars: New Triage Capabilities In BlackLight
Please use this topic for discussion of the webinar
New Triage Capabilities In BlackLight
Presented by Julie O'Shea, Ashley Hernandez and Dmitry Sumin
Mobile Phone Forensics: Decrypting Signal app sql database on IOS
You need full file system access to the physical phone to get the key, this is nothing new. This isn't a problem with Signal, if the device security has been compromised then any app is vulnerable, encrypted or not. Telling people not to use Signal doesn't help anything, all apps would be compromised in that situation.
Jamie