I dunno... you could spend a few minutes designing a pertinent verification/validation process for it, one that will provide you with objective evidence that it's fit for the specific purpose you intend to use it for. That is very ISO 17025.
Or, you could twiddle your thumbs until the 'better' software finally appears to work (and on their say so) and then you can pull the proverbial 'forensic white rabbit' out the hat for the court!
↧
Forensic Software: X-Ways Does Not Process APFS!!
If your APFS volume is encrypted then X-Ways doesn't support it and never will.
Stefan is either stubborn about encryption support or he cannot get licensed/authorized to for it.
I am an X-Ways user.
↧
Forensic Software: Reporting help in the X-ways
Yes, Kenobyte is right.
When something is "added to a report table", X-Ways has created a Report Table Association for you (X-Ways speak for a bookmark).
When producing your report you need to include this RTA in your report, or, like Kenobyte said, explore your entire drive recursively and filter on the Report Table column in the directory browser.
↧
Mobile Phone Forensics: Download exactly 60 minutes on iPhone?
badgerau wrote:
Scenario: The phone was tethered and the device that was connecting through the phone had a timeout set, e.g. a VPN set to disconnect after 60 minutes. If this device was a Windows 10 computer and it was downloading one of the latest updates, this could explain the amount of data.
Timeline analysis may show changes/updates to data on the phone. If none of the data on the phone has been changed during the specified time period, this may confirm that all the data was indeed tethered to another device.
Scenario 2: confirm whether the phone was in Wi-Fi mode at the time and whether the phone downloaded the latest iOS update.
To further clarify my comments regarding the iOS updates: depending on the user's settings, the phone could download the latest updates but not install them.
↧
Forensic Software: Recovering video from Everfocus DVR
Thank you, Kastajamah. I do believe the unit is a one terabyte 16 channel model, so the actual video sizes are relatively small. I'm just curious whether, if the full recording has been overwritten, there aren't also system logs to show when the archive was accessed and modified on a certain date, or whether an investigator would be able to find possible evidence of tampering.
↧
Mobile Phone Forensics: UFED CELLEBRITE CHECKM8
Checkm8 update. My problem was caused by the lack of key Windows 10 drivers. No surprise there. It turns out a clean Windows 10 install on a clean system drive (no updates, no upgrades) leaves critical Intel drivers customized by the PC manufacturer uninstalled. So you have to go in search of your missing Intel drivers from your PC manufacturer's web site, or use their various support assist wizards. Worked like a charm on my Dell Precision.
After getting UFED 4PC checkm8 to work on both 1809 and 1909 editions of Windows 10 Pro this weekend I can confidently say best practices are 1) clean Win 10 Pro install 2) Intel drivers update from Dell, HP, Lenovo, your manufacturer, 3) Windows Update several times, 4) install UFED 4PC with Windows 10 real-time virus and threat protection disabled.
To date I have extracted an iPhone7 and an iPad Pro and gotten full file systems with rich evidence. An iPhone 6S Plus hung after only 20% of DAR extraction. I'm going to try an iPhone X next.
↧
Mobile Phone Forensics: Download exactly 60 minutes on iPhone?
Thanks for all the info. I was surprised I got so much info! Thanks for taking the time to give some insights.
Unfortunately, the phone itself is not available for analysis. Something I should have mentioned at the start is that the amount of data transferred during the 60 minutes was less than 10KB uploaded and downloaded during that time. Yep, KB, not MB or GB. This leads me to look at things like push notifications or some kind of auto update. The timeout theory also holds in this case.
Based on your answers, I am doing some tests on a similar phone to see what goes on with data usage when no one is using the phone and there's no WiFi (in the situation in question, there wouldn't have been WiFi access). I've downloaded a couple of apps that track usage by day or hour, so I should be able to see if I can get some comparable results in my sleep, so to speak.
I will check out Sarah Edwards' work, too. She always has some good insights.
In this case we don't need to prove anything, just need to offer a reasonable explanation for why the phone was busy when the user wasn't using it. In this regard, the tiny amounts of data transfer might be more key than the unlikely time increment.
↧
Forensic Software: Magnet Axiom Examine "Locate Source"
Has anyone dealt with an issue with GrayKey dumps being decoded in AXIOM?
I always seem to receive a message at the side during analysis saying "Source information about this item cannot be displayed" with a "Locate Source" option.
Although all the contents seem to be displayed, it still doesn't sit right to be receiving that form of message while performing analysis.
Anyone know why this is happening or how to fix it?
Thanks.
↧
General Discussion: Staged photo, ok, but how much?
JDCoulthard wrote:
I believe the Bat-Molecular Dust separator is from the motion picture where the members of the UN are turned into cat litter?
Right you are:
https://en.wikipedia.org/wiki/Batman_(1966_film)
But to be picky it was - as clearly labeled ;) - a Super Molecular Dust Separator.
jaclaz
↧
Forensic Software: Magnet Axiom Examine "Locate Source"
I'm not sure about this, but just in case, have you moved the evidence that was processed? (or renamed any part of it or its path)
Sounds like the sort of message you'd get if the source data was moved off the top of my head.
↧
General Discussion: Staged photo, ok, but how much?
JDCoulthard wrote:
You are right, but it should be the Bat Super Molecular Dust separator to go with the Bat-Copter, Bat-Cycle and Bat-Boat!
Yep, but on the other hand we have the batcave and the batpoles (without hyphens), the batscilloscope and the brain-wave batanalyzer, and the simpler "television" and "anti-crime computer" (without bat):
https://www.thevintagenews.com/2016/05/29/gadget-labeling-level-batman-batman-labeled-gadgets-television-series-1960s-2/
We can conclude that device naming was not ISO 9001 compliant (let alone validated).
jaclaz
↧
General Discussion: Staged photo, ok, but how much?
Indeed, a complete lack of a Bat-Quality Management System in place. Perhaps Bruce Wayne told UKAS to stick one up their Bat-Poles?
↧
Forensic Software: Magnet Axiom Examine "Locate Source"
We've had a few reports of the message not disappearing when the evidence gets moved but everything still shows up fine. Feel free to reach out to support with some more details or me via email (jamie.mcquaid @ magnetforensics.com) and we can see what's causing it.
Jamie McQuaid
Magnet Forensics
↧
Mobile Phone Forensics: Download exactly 60 minutes on iPhone?
Bearing in mind that's such a tiny amount of data, it makes me question what you mean by: "carrier records show a user's iPhone had activity at a particular date/time for exactly 60 minutes"
What exactly are these records of, what exactly are they indicating/stating, what's their resolution?
Is it simply the case that it's an indication of a window of 1 hour where 10 KB of data was transferred at some point, or points, during that entire window, rather than for 60 minutes? (as I think Jamie was suggesting)
Or is it a lot more granular?
↧
Mobile Phone Forensics: Download exactly 60 minutes on iPhone?
The report gives a date/time stamp down to the second, "elapsed time" in minutes:seconds, amount of data uploaded/downloaded, and whether there was a "recipient" number (as with text messages). In the line item in question, it was 60:00, under 10 KB uploaded and downloaded, no recipient. Some of the timestamps do follow an hourly pattern, so thanks for making me look!
There are also entries that show 0:00 time and a small amount of data transferred, and others that show several minutes with 0 KB transferred, all with no recipient.
Unfortunately, it's not so easy to ask "What does this mean?" All the carrier knows is what their database recorded. I believe the developers of the apps would have more information than the carrier regarding what's really going on, but trying to get that information from a developer... don't get me started!
But based on this report, it looks to me like there is sometimes an open connection for several minutes at a time, during which data is transferred part of the time. Kind of like calling someone and neither of you speak for several minutes, but you stay on the line, and once in a while one of you blurts out a word or sentence.
Perhaps some kind of polling activity is going on, or auto updates, or checking whether there need to be updates, or keeping the line open while the update does some things on the phone itself.
I did some tests last night and there was similar activity around 3am, 4am, and 5am: a few KB back and forth while I was sleeping. Calendar, email, and a few other services. The app tells me the time window down to the hour range and the amount of KB transferred, but not the exact start/end time for the transfer; I'm going to keep looking for an app that will. And even if I do find out the transfer start/end times, it's possible that while the carrier records an "open line", the phone only records actual data transfer times.
In any case, I'm having a good time pecking away at this conundrum. And I have enough comparative evidence from my own phone to satisfy my client that "data transfer activity in the middle of the night does not necessarily indicate that the phone was being manually used."
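The record layout described in this post (timestamp to the second, elapsed mm:ss, KB up/down, optional recipient) lends itself to a small triage script. The following is an added example, not code from the thread or from any carrier tool: the CSV column order and every sample row are constructed for illustration, and the thresholds (10 KB as "tiny", 60 minutes as a "long" session) are assumptions taken from the figures quoted above. It sorts each line item into the kinds of activity discussed (hour-long near-idle sessions, zero-length bursts, idle sessions with no data, messaging with a recipient) and counts how many starts fall exactly on an hour boundary, which is the first thing to check before reading "60:00" as phone behaviour rather than the carrier's own billing window.

```python
"""Triage of carrier data-session line items (added example; constructed data).

Column order (start, elapsed, kb_up, kb_down, recipient) is an assumption made
for this example; real exports differ per carrier and must be mapped first.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample export, not real carrier data.
SAMPLE_RECORDS = """\
start,elapsed,kb_up,kb_down,recipient
2020-02-10 02:00:00,60:00,4,5,
2020-02-10 02:15:22,00:00,2,1,
2020-02-10 02:40:10,05:12,0,0,
2020-02-10 03:00:00,60:00,3,4,
2020-02-10 03:12:03,00:30,1,2,+15555550123
2020-02-10 04:00:00,60:00,4,6,
"""

TINY_KB = 10          # "under 10 KB" as quoted in the thread (assumption)
LONG_SESSION_S = 3600 # the 60:00 figure under discussion


@dataclass
class Record:
    start: datetime
    elapsed_s: int
    kb_up: int
    kb_down: int
    recipient: Optional[str]

    @property
    def kb_total(self) -> int:
        return self.kb_up + self.kb_down


def parse_elapsed(text: str) -> int:
    """'mm:ss' -> seconds. Minutes may exceed 59 (e.g. '60:00')."""
    minutes, seconds = text.split(":")
    return int(minutes) * 60 + int(seconds)


def parse_records(text: str) -> List[Record]:
    """Parse the CSV export into Record objects."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append(Record(
            start=datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
            elapsed_s=parse_elapsed(row["elapsed"]),
            kb_up=int(row["kb_up"]),
            kb_down=int(row["kb_down"]),
            recipient=row["recipient"] or None,
        ))
    return out


def classify(rec: Record) -> str:
    """Label one line item with the activity pattern it most resembles."""
    if rec.recipient:
        return "messaging"            # has a counterpart number, like SMS/MMS
    if rec.elapsed_s == 0 and rec.kb_total > 0:
        return "burst"                # data moved, no measurable session length
    if rec.elapsed_s > 0 and rec.kb_total == 0:
        return "idle_session"         # connection held open, nothing transferred
    if rec.elapsed_s >= LONG_SESSION_S and rec.kb_total <= TINY_KB:
        return "long_idle_session"    # hour-long session carrying a few KB
    return "active"


def on_hour_boundary(rec: Record) -> bool:
    """True when the start time is hh:00:00 exactly."""
    return rec.start.minute == 0 and rec.start.second == 0


def summarize(records: List[Record]) -> Dict[str, object]:
    """Counts per class plus how many sessions start on an hour boundary.

    Many hour-aligned starts with 60:00 durations point to the carrier's
    aggregation window rather than to what the handset actually did.
    """
    classes: Dict[str, int] = {}
    for rec in records:
        label = classify(rec)
        classes[label] = classes.get(label, 0) + 1
    hour_aligned = sum(1 for rec in records if on_hour_boundary(rec))
    return {"total": len(records), "classes": classes, "hour_aligned": hour_aligned}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for rec in recs:
        print(rec.start, rec.elapsed_s, rec.kb_total, classify(rec))
    print(summarize(recs))
```

In the constructed sample, every 60:00 entry starts exactly on the hour, which is the pattern the poster noticed; on a real export, compare the count of hour-aligned starts against the total before drawing any conclusion about the handset.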
↧
General Discussion: Staged photo, ok, but how much?
Hmmm. I believe UKAS has more similarities to a mob protection racket. With the way it is all being implemented, I think the Joker is running the show with procedural clarifications provided by the Riddler ????
↧
Mobile Phone Forensics: UFED CELLEBRITE CHECKM8
Carter907 wrote:
I'm just wondering what everyone's experience so far has been like using the new Cellebrite update for Checkm8?
Has anyone had either positive or negative results?
Anyone compared the data extracted between Checkm8 and Greykey full file system extractions?
Any errors?
Thanks.
I recently attempted to use the Checkm8 exploit and so far have had success with an iPhone 6s+ as well as an iPhone 8. I initially ran into issues, but found that using the default Apple cable resolved my issues and has worked more consistently than the recommended "cable no.210".
The iPhone 6s+ is my work phone, so it was my "controlled" item for testing the Checkm8 exploit compared to full file system extraction on GrayKey. Here is a listing of the phone type, software versions and more:
iPhone 6s+ (A1634) iOS 13.3.1 (54.74GB/64GB available)
UFED Touch 2: 7.28.2.8
Cellebrite PA: 7.30.0.228
GrayKey: 1.6.6
I started with the Checkm8 full file system extraction, the extraction pulled 11 GB and finished within 32 minutes with no errors during extraction after swapping the "cable no.210" for the original apple cable and used PA (7.30.0.228).
GrayKey also had no issues; the extraction pulled 11.35 GB and took about 17 minutes from start to finish. I used the .zip file with PA (7.30.0.228) and came up with almost the exact same number of files extracted.
The only difference for this particular phone that I experienced was the duration of extraction time and the issues with the cable, otherwise I found the two full file system extractions to be very similar in results.
↧
Mobile Phone Forensics: Extracting data from a factory reset Android mobile phone
Thank you. Is that even the case for chip off techniques? Can security tokens be extracted?
↧
General Discussion: Internal Hard-Disk removal logs
AmNe5iA wrote:
If the OS isn't running how do you expect it to log anything?
Of course there is no way, and of course such a log cannot exist, though in theory the OS could log the SMART data of the hard disk (power-on cycles) at shutdown and throw a fit if at the next boot it has not increased by exactly one; and besides, that could well be implemented in the BIOS or UEFI firmware.
jaclaz
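The check jaclaz sketches above, written out as an added example (it is not something any OS or firmware ships today, and it is not code from the thread): record the drive's SMART Power_Cycle_Count at shutdown, read it again at boot, and flag anything other than an increase of exactly one. The parser assumes the ATA attribute table layout printed by `smartctl -A` (attribute ID 12, RAW_VALUE in the tenth column); the two smartctl excerpts are constructed, not captured from a real drive.

```python
"""Shutdown/boot consistency check on SMART Power_Cycle_Count (added example).

Assumptions: ATA SMART attribute table as printed by `smartctl -A`, where
attribute 12 is Power_Cycle_Count and RAW_VALUE is the tenth column. The
sample outputs below are constructed for this example.
"""
from typing import Optional, Tuple

POWER_CYCLE_ATTR_ID = 12  # ATA SMART attribute 12: Power_Cycle_Count

# Constructed `smartctl -A` excerpt recorded at the previous clean shutdown.
SAMPLE_SMARTCTL_AT_SHUTDOWN = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   092   092   000    Old_age   Always       -       7016
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       413
"""

# Constructed excerpt read at the next boot: two extra power cycles happened
# in between, e.g. the disk was pulled, imaged on another box and refitted.
SAMPLE_SMARTCTL_AT_BOOT = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   092   092   000    Old_age   Always       -       7019
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       415
"""


def power_cycle_count(smartctl_output: str) -> Optional[int]:
    """Extract the raw Power_Cycle_Count from `smartctl -A` text, or None."""
    for line in smartctl_output.splitlines():
        fields = line.split()
        # Attribute rows start with a numeric ID; the header row does not.
        if len(fields) >= 10 and fields[0].isdigit() and int(fields[0]) == POWER_CYCLE_ATTR_ID:
            # RAW_VALUE may carry trailing decoration on some drives; the
            # leading integer token is the counter.
            return int(fields[9])
    return None


def check_power_cycles(recorded: int, current: int, expected_delta: int = 1) -> Tuple[str, int]:
    """Apply the 'increased by exactly one' rule.

    expected_delta is 1 after a real power-off; a warm reboot keeps the drive
    powered and may leave the counter unchanged, so the caller must know what
    kind of shutdown was recorded and pass 0 in that case.
    """
    delta = current - recorded
    if delta == expected_delta:
        return ("ok", delta)
    if delta < expected_delta:
        # Counter did not advance or went backwards: different drive, counter
        # reset, or the recorded value is stale. Treat as suspicious.
        return ("no_increase", delta)
    # One cycle is this boot; the rest happened while this OS was not running.
    return ("extra_power_cycles", delta)


def verify_boot(shutdown_output: str, boot_output: str) -> Tuple[str, int]:
    """Compare the recorded and current smartctl outputs end to end."""
    recorded = power_cycle_count(shutdown_output)
    current = power_cycle_count(boot_output)
    if recorded is None or current is None:
        return ("unavailable", 0)
    return check_power_cycles(recorded, current)


if __name__ == "__main__":
    print(verify_boot(SAMPLE_SMARTCTL_AT_SHUTDOWN, SAMPLE_SMARTCTL_AT_BOOT))
```

Two caveats a practitioner would raise straight away: the counter only says the drive was powered up, not by whom, so an unexpected delta is a prompt to look further rather than proof of removal; and the recorded value lives on the same machine, so it needs its own protection (TPM-sealed or logged off-box) before anyone leans on it.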
↧
General Discussion: Staged photo, ok, but how much?
JDCoulthard wrote:
... with procedural clarifications provided by the Riddler ???? :mrgreen:
jaclaz
↧