Channel: Forensic Focus Forums - Recent Topics

Mobile Phone Forensics: Physical extraction of iPhone 5S iOS 11.2.2

Pretty sure you can do it now using the checkm8 and checkrain (checkr4in?) exploits. Basically a root of the device and then most forensic tools will extract the data.

General Discussion: Counterfeit machine

trewmte wrote:
    Rich2005 wrote: https://www.snopes.com/fact-check/wrong-pin-stop-debitcard-theft/ :wink:
    Thanks Rich2005 - useful link. I didn't know about this scam until I was told about it recently. A contact in US law enforcement also gave some useful advice. "And once you put the wrong pin in and the driver thanks you for taking a ride, make sure to document everything about cab/driver because you just caught a bad guy."

It is NOT a scam, or it is a NON-EXISTING scam, or IF it is a scam, it is an undocumented, vague and rare one. It is just some FUD (Fear, Uncertainty, Doubt). At least here, the distinction should be clear. The whole point of a skimmer is to capture BOTH the card data AND the RIGHT pin in a COMPLETELY TRANSPARENT manner, i.e. if you input the wrong pin, the wrong information is forwarded to the card company and the payment is refused; if you provide a correct pin, the transaction succeeds AND the (hypothetical) taxi driver will have the data and the right pin.

And of course, even on Snopes the part about manipulating the machine to see if any loose parts come off is "pure bullshit" and will result in (percentages approximated):
1) 97.20% Nothing
2) 2.79% You break the machine and you have to pay for the damage
3) 0.01% You find a skimmer (and conversely one of the very few skimmer fraudsters so stupid as to not be able to place the skimmer firmly on their device [1])

jaclaz

[1] Please note how - unlike placing a skimmer on an ATM or similar, where you have limited time and your actions are generally speaking video recorded - you have all the time in the world (and even more) to place a skimmer on a card reader/POS in your possession.

Mobile Phone Forensics: Cellebrite PA supports Remote Desktop Access

LOL I'd prefer to say experienced not old. But stand by my comment.

Mobile Phone Forensics: Decrypting Signal app sql database on IOS

Yes, the idea is to show how the key is generated, where it is located and how to extract it. Regarding Signal, it is a horrible application; even to register, it asks for your "real" phone number.... Signal exploits have been made public recently: open mic remote, etc.

Forensic Hardware: Laptops

Is anyone experiencing any heat issues with i9 processors in laptops? Looking at grabbing another Sager and as things keep getting smaller, I wonder if the heat is even more of an issue now than say 5 years ago. Dongles and cables are already hot on smaller processors even with a laptop cooler. Your thoughts are appreciated.

Forensic Hardware: Laptops

I have noticed the excess heat as well with laptops. Especially if the computer is running an SSD and is a "thin" model.

Mobile Phone Forensics: iOS meaning of "networkKnownBSSList Key"?

See if this applies: https://www.richinfante.com/2017/3/16/reverse-engineering-the-ios-backup

Quote:
    networkKnownBSSListKey - For enterprise/multi-ap networks, the phone maintains a list of all access points that have been connected.
    CHANNEL - The AP’s channel
    BSSID - The AP’s BSSID
    lastRoamed - The last time the AP was connected.

jaclaz

General Discussion: Remote Imaging Macs Running Catalina and T2 Chip

Thanks Simon, that would be very helpful.

Mobile Phone Forensics: iOS meaning of "networkKnownBSSList Key"?

It would take some effort, but could you factory reset a test phone and then image it, then connect to specific wireless access points, etc., recording network name and time, then re-image the iPhone to analyse what changed in your specific file between the factory-reset version and the “used” version? You could vary the experiment by having the phone only on Bluetooth, only with WiFi on, or only with cellular data turned on, to compare each result.

Forensic Software: Metadata Interrogator

Mobo wrote:
    Hi, that's a great tool you've created there. Thank you. I've had a play with it on various file types of my own that I know the history of. On all the (Word) docs it gives a "Creation Date" and a "Created" row. In all cases the former shows 01.01.1980 00:00.00hrs and the latter gives me the time/date I created my document - precisely. Can you tell me the intended difference between the two? Thanks again.

Apologies for the delay. Word metadata is a bit of a pain - it has a few fields which are just 'default' ones. Every Word doc will have 01.01.1980 00:00.00hrs as the Created date, as it's just saved in the metadata of every file (unless it's been overwritten specifically). I have no idea why, and it annoys me greatly.

Anyway, I've tried to get round this in a few ways - in the latest version (0.8) of Metadata Interrogator you'll see a row that says *Creation Date. This is a calculated date which tries to pick the best 'creation date' for a file. It does this by ignoring any default dates and picking the earliest date in any of the creation metadata fields. Be warned it's not perfect, so make sure to double check yourself.

Dates and times are unfortunately one of the most difficult and unsure parts of dealing with metadata, which is frustrating as it should be some of the most useful data. Hope that helps!
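The "earliest non-default creation date" rule described in the reply, written out as an added Python example. This is illustration code, not Metadata Interrogator's own implementation: the field names, the date format and the sample metadata records are all assumed/constructed, and the only default value it knows is the 01.01.1980 00:00:00 placeholder the post mentions. It also reports which fields were ignored, so an examiner can double-check the choice as the post advises.

```python
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# The placeholder value the post says every Word document carries in its
# "Created" field unless it has been specifically overwritten.
DEFAULT_WORD_DATE = datetime(1980, 1, 1, 0, 0, 0)

# Assumed field names for illustration; a real tool would map many more.
CREATION_FIELDS = ("Created", "Creation Date", "dcterms:created", "FileCreateDate")

# Date layouts we accept: the dd.mm.yyyy form shown in the post, plus ISO 8601.
DATE_FORMATS = ("%d.%m.%Y %H:%M:%S", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d %H:%M:%S")


def parse_date(value) -> Optional[datetime]:
    """Accept datetime objects or strings in a known layout; None if unparseable."""
    if isinstance(value, datetime):
        return value
    if isinstance(value, str):
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(value.strip(), fmt)
            except ValueError:
                continue
    return None  # unknown layout: skip rather than guess


def best_creation_date(metadata: Dict[str, object],
                       defaults=(DEFAULT_WORD_DATE,)) -> Tuple[Optional[datetime], List[str]]:
    """Return (earliest non-default creation timestamp or None, list of ignored fields).

    Ignored fields are those holding a known default value or an unparseable date,
    so the examiner can see exactly what was discarded and verify by hand.
    """
    candidates: List[datetime] = []
    ignored: List[str] = []
    for field in CREATION_FIELDS:
        if field not in metadata:
            continue
        parsed = parse_date(metadata[field])
        if parsed is None or parsed in defaults:
            ignored.append(field)
            continue
        candidates.append(parsed)
    return (min(candidates) if candidates else None), ignored


# Constructed sample records (not real files): a typical Word document and a
# file where every creation field is the placeholder.
SAMPLE_WORD_DOC = {
    "Created": "01.01.1980 00:00:00",          # the default placeholder
    "Creation Date": "14.11.2019 09:31:05",    # the genuine creation time
    "FileCreateDate": "2019-11-20T08:00:00",   # copied to disk later
}
SAMPLE_ALL_DEFAULT = {"Created": "01.01.1980 00:00:00"}

if __name__ == "__main__":
    for name, rec in (("word_doc", SAMPLE_WORD_DOC), ("all_default", SAMPLE_ALL_DEFAULT)):
        best, skipped = best_creation_date(rec)
        print(f"{name}: *Creation Date = {best}, ignored fields = {skipped}")
```

When every creation field is a default, the function returns None rather than the placeholder, which is the honest answer: the metadata simply does not establish a creation time.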

General Discussion: Event 4624 question.

The first logon was done by the SYSTEM process - noise in 99,9999% of all cases. Some more experienced threat actors (don't want to write APT for that) are using the SYSTEM process to hide their "work". Generating a timeline for a breach might confirm such a scenario. Here it is very unlikely. Kerberos was used here, so a direct connection from a domain member inside a network.

The second logon was done via a web interface/website. "advapi" is the proxy process you see in these cases. Likely the user entered his credentials on a website or service and this webserver process impersonated the logon. "advapi" is used for that. If it was not the user itself, some other process has used an HTTP(S) connection and authenticated. Verify this from the browser history of the user if you can.

regards,
Robin
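An added Python example (not from the post or any tool it mentions) that applies the triage rules above to 4624 records: SYSTEM-account logons are tagged as likely noise, a Kerberos logon process is tagged as a direct domain-member connection, and an Advapi logon process is tagged as a service or web-server impersonated logon to be checked against the user's browser history. The record format is a simplified key/value layout of the "New Logon" section only, and the three sample records, SIDs, user names and addresses are constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: three 4624 "New Logon" sections in a simplified
# key/value layout, separated by "---". All values are invented.
SAMPLE_4624 = """
Security ID: S-1-5-18
Account Name: SYSTEM
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Source Network Address: -
---
Security ID: S-1-5-21-1111-2222-3333-1105
Account Name: jdoe
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Source Network Address: 10.0.0.23
---
Security ID: S-1-5-21-1111-2222-3333-1105
Account Name: jdoe
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Source Network Address: 10.0.0.50
"""

LOCAL_SYSTEM_SID = "S-1-5-18"  # well-known SID of the LocalSystem account
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_4624(text: str) -> List[Dict[str, str]]:
    """Split the key/value text into one dict per record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip() == "---":
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records


def classify(rec: Dict[str, str]) -> str:
    """Apply the triage heuristics from the post, most specific rule first."""
    if rec.get("Security ID") == LOCAL_SYSTEM_SID and rec.get("Account Name") == "SYSTEM":
        return "system-noise"            # almost always background activity
    process = rec.get("Logon Process", "").lower()
    if process == "kerberos":
        return "kerberos-domain-member"  # direct connection from a domain member
    if process == "advapi":
        return "advapi-service-impersonated"  # web/service logon; check browser history
    return "review"                      # anything else deserves a manual look


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (account, logon type, classification) for every record in the text."""
    return [(r.get("Account Name", "?"), r.get("Logon Type", "?"), classify(r))
            for r in parse_4624(text)]


def summary(text: str) -> Dict[str, int]:
    """Count records per classification, handy for a first look at a large export."""
    return dict(Counter(label for _, _, label in triage(text)))


if __name__ == "__main__":
    for account, logon_type, label in triage(SAMPLE_4624):
        print(f"{account:8} type={logon_type:2} -> {label}")
    print(summary(SAMPLE_4624))
```

On a real export the "Logon Process" value is what separates the two jdoe logons: the Kerberos one came straight from a domain member, while the Advapi one was performed on the user's behalf by a service, which is why the post points at the browser history as the place to confirm it.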

Forensic Software: imaging using encase, FTK and X-ways

hommy0 wrote:
    EnCase has a few methods to acquire an evidence file of a live system:
    1) EnCase Portable can be configured to acquire a physical device into an EX01 or an E01
    2) In “Program Files\EnCase8” there is a command line tool called WinAcq. This can also be used to acquire an E01 of a live system
    3) Using the EnCase Agent, create and deploy onto the target system. You will then be able to preview and acquire over the network. There are agents for Windows, Linux and macOS (including Catalina)
    Regards

We recently (within the last week) reached out to Guidance/OpenText regarding imaging Macs that have a T2 chip with Catalina over a network. They advised they are currently working on creating a new agent for Mac OS X Catalina that they hope to roll out next year. If you already have a solution, I would love to hear about it. I am currently tasked with overcoming imaging Macs over a network, so I would be sincerely interested in any solution you have.

Here is a link to my post on FF and a response by Simon Key of Guidance/OpenText: https://www.forensicfocus.com/Forums/viewtopic/t=18238/

I look forward to hearing from you,
Kastajamah

Mobile Phone Forensics: iOS meaning of "networkKnownBSSList Key"?

Thanks for your responses. Jaclaz, I will look into the article and see how it all relates. As UnallocatedClusters suggested, I think I may have a better say if I do some testing myself. That way, I can speak to how things are logged and can say with certainty what it means. Thanks so much for all your help! - Just one more day in forensics... test, test, and more tests!!!

General Discussion: Mac Firmware Password

With proof of ownership, Apple will reset it for you if you take the Mac to an Apple Store or send it in for service.

Employment and Career Issues: Student internship opportunity NCA NCCU in UK

I have nothing to do with this, just stumbled across the advert. I know that a load of students lurk in this forum and thought it may be of interest. https://www.nationalcrimeagency.gov.uk/?view=article&id=891:student-internship-national-cyber-crime-unit&catid=15

Mobile Phone Forensics: Android imaging

Frankly speaking, you cannot count on FTK or EnCase to do a physical extraction from a smartphone. If the phone is rooted, that would be easier. If not, you could take professional mobile forensic tools into consideration, such as Oxygen, XRY, Cellebrite 4PC, etc.

Forensic Software: Evidence of youtube and other socials

When it comes to social media investigation on a subject's computer running Windows, my suggestion is to use Belkasoft Evidence Center or Magnet Axiom. They both do a great job on social media investigation and you can count on them.

Mobile Phone Forensics: Android imaging

Please refer to page 66 of the DEFT Linux manual: https://paper.bobylive.com/System/EN-deft7.pdf

Imaging a rooted Android phone can be accomplished using the Android Debug Bridge (ADB) by basically opening a terminal window and using a DD-equivalent copy command to a locally installed SD card.

You are correct that it is generally impossible to have a rooted Android phone's internal memory storage be recognized as a logical or physical drive connected to a Windows PC and thus be directly imageable by a tool like FTK Imager. I was able to get a rooted Windows phone recognized by FTK Imager and was successfully able to create an E01 image file using FTK Imager, I believe due to file formatting. So basically the Android memory storage file format is not FAT/ExFAT/NTFS and thus cannot be seen by FTK Imager.

The difference in file formatting between Android OS and Windows OS is why one has to basically open a terminal window on the Android phone connected to the Windows PC over the Android Debug Bridge to create a data dump (DD) image of the Android phone's internal memory to an appropriately formatted SD card internal to the Android phone.

Forensic Software: Evidence of youtube and other socials

Use OSForensics’ Recent Activity button pointed at the physical forensic image. After the Recent Activity function has created a timeline of machine and user activity, only check the boxes for internet browsing activity and save the activity as an Excel spreadsheet. Using Excel, filter the report to only show work-hour activity.

On a recent examination by our practice in a similar matter, we uncovered Steam logs that showed the employee logged into Steam, playing games, making game saves, and not working during work hours.

Using OSForensics, after creating a searchable index of the imaged computer, search for *.log and review all interesting log files you find. Log files can show user activity. Also Webcache.dat. OSForensics’ event viewer function can also reveal employee activity such as logging in, rebooting, printing documents, etc.

Make sure to look at each installed internet browser application’s browsing history. OSForensics might automatically include Internet Explorer, Firefox and Opera, but I recommend identifying all SQLite database files and reviewing them in OSForensics to potentially inform your analysis.

Forensic Software: AXIOM MAGNET OCR

OSForensics has the capability to OCR files.