Good Morning Folks,
I hope someone can help me with the following issues. I am currently conducting a large CP case. I have a number of "calls" that have been made between 2 parties via Skype.
I need to know whether the calls made are video calls; whilst the context of the messages would suggest they are, I need to know for certain.
I have 2 tables within the main.db I am interested in. These are the "Calls" and "CallMembers" tables. I have obtained a few pieces of information that have explained what some of the fields within these tables are; however, I would like to understand what the values within the following fields mean.
Within the CallMembers table, the fields of issue are:
status, failurereason, soundlevel (is the maximum 10?), videostatus, quality_status and quality_problems
Within the Calls table, the fields of issue are:
is_muted: I assume this would mean the mic is muted, but I get two values, 1 or 0, and I can't decipher which one is which.
soundlevel: the values all appear to be 0 even though I have different values for the same calls in the CallMembers table.
current_video_audience: everywhere that mentions this field shows it as the destination of the call, so I am assuming that this is a video call, but I would like to know if this is a certainty.
Any help or documents would be greatly appreciated
Kind Regards
Dee
↧
General Discussion: Internal Hard-Disk removal logs
CopyRight wrote:
Hey Folks,
Just wanted to ask you guys if there are possibilities of getting the logs of when an internal hard disk is removed from a Windows machine, and when the internal hard disk is returned into the Windows machine.
When I say internal hard disk I mean the hard disk that runs the OS.
Is there any log or event that stores these kinds of records?
Thanks.
You may find NTFS's security descriptor stream (and file system transactions, keeping an eye on the progression of LSNs/USNs, timestamps, and SIDs) quite enlightening (as we have) in this kind of scenario. In other words, focus on the file system on the drive, not your workstation's operating system. I'm assuming your priority right now is simply determining whether the drive has in fact been removed and returned to your workstation.
I recommend using Joakim Schicht's Secure2Csv, LogFileParser, and UsnJrnl2Csv.
Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed
↧
Mobile Phone Forensics: UFED CELLEBRITE CHECKM8
Will be interested to see if you have any luck with the iPhone X.
I've just tried again using the latest 4PC (7.30) and it still hangs just shy of 9GB of the way in.
Still appears to be problematic.
↧
General Discussion: Skype Main.db and Tables
I don't know the answer but it does sound like a prime candidate for doing your own little test. Ideally using the same version (if possible).
Create a blank Skype installation then make a variety of calls/messages/video-calls/group-chats/muted/not muted/muted for some of call/etc (noting down the details of each one, times, length, parties, etc).
Then examine your databases to see what tallies up with what.
At least then you've got justification for any assertion you make.
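The controlled-test approach above boils down to one check: for each field, does every observed value co-occur with exactly one ground-truth label? The following Python is an added example (not from the thread or from Skype) that runs that check against an in-memory stand-in for main.db; the table layout, the call_db_id join column and all values are constructed, and only the field names come from the thread.

```python
import sqlite3

# Constructed ground truth from a controlled test run: for each test call you
# placed, what you know for certain (call type and whether the mic was muted).
# Call ids and field values are invented; the real Skype schema, join keys and
# value encodings are not documented in the thread.
GROUND_TRUTH = {
    1: {"type": "video", "muted": False},
    2: {"type": "voice", "muted": True},
    3: {"type": "video", "muted": True},
    4: {"type": "voice", "muted": False},
}

def build_sample_db():
    """In-memory stand-in for main.db holding only the columns the thread
    mentions. Hypothetical layout, not Skype's real schema."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Calls (id INTEGER PRIMARY KEY, is_muted INTEGER,
                            soundlevel INTEGER, current_video_audience TEXT);
        CREATE TABLE CallMembers (id INTEGER PRIMARY KEY, call_db_id INTEGER,
                            status INTEGER, videostatus INTEGER, soundlevel INTEGER);
    """)
    # Calls.soundlevel is deliberately 0 everywhere, mirroring the complaint
    # in the thread, so the check below flags it as uninformative.
    con.executemany("INSERT INTO Calls VALUES (?,?,?,?)", [
        (1, 0, 0, "bob"), (2, 1, 0, None), (3, 1, 0, "bob"), (4, 0, 0, None)])
    con.executemany("INSERT INTO CallMembers VALUES (?,?,?,?,?)", [
        (10, 1, 3, 2, 7), (11, 2, 3, 0, 5), (12, 3, 3, 2, 9), (13, 4, 3, 0, 6)])
    return con

def value_to_labels(con, table, field, key_col, label):
    """Map every distinct value of `field` to the set of ground-truth labels
    it co-occurs with. Identifiers are analyst-chosen constants, never user
    input, which is why they may be interpolated into the query here."""
    mapping = {}
    for call_id, value in con.execute(f"SELECT {key_col}, {field} FROM {table}"):
        truth = GROUND_TRUTH[call_id][label]
        mapping.setdefault(value, set()).add(truth)
    return mapping

def is_unambiguous(mapping):
    """True only if each observed value corresponds to exactly one label,
    i.e. the field can be used as evidence for that property."""
    return all(len(labels) == 1 for labels in mapping.values())
```

A field that fails is_unambiguous (here Calls.soundlevel) tells you nothing about that property, whatever its documentation says; a field that passes still only holds for the Skype version you tested.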
↧
Mobile Phone Forensics: REDDIT POST: Run checkra1n from an Android device
Repost from Reddit: https://www.reddit.com/r/jailbreak/comments/fctkfp/news_it_is_possible_to_run_checkra1n_from_an/:
"Prerequisites
An iDevice compatible with checkra1n.
An Android device with root access. Newer Linux and Android versions are more likely to work. I used a Sony Xperia XZ1 Compact on Android 10 with kernel 4.14, rooted with Magisk 20.3.
A terminal app on your Android device, for instance Termux.
A way to connect your two devices. In particular some of the Apple USB-C to Lightning cables cannot be used to put iDevices in DFU mode due to missing pins. I used the Exsys EX-47990 USB-C to USB-A adapter and the Apple USB-A to Lightning cable.
Tutorial
Download the checkra1n binary for Linux and the correct µarch of your Android device.
Put it in a directory where execution is allowed; I used /data but the Termux virtual storage may be a cleaner solution.
Connect your iDevice to it.
Open the terminal app and gain root access.
su
Check that your iDevice is recognized.
lsusb
The USB ID should be 05ac:12a8.
Put your iDevice in DFU mode, see https://www.theiphonewiki.com/wiki/DFU_Mode for instructions.
Check that your iDevice is still recognized.
lsusb
Now the USB ID should be 05ac:1227. If it's no longer listed try to unplug the USB-C cable from the Android device and plug it again.
Run checkra1n in CLI mode.
./checkra1n -c
Profit! (or probably, try again since it's not very reliable)"
↧
General Discussion: Internal Hard-Disk removal logs
CopyRight wrote:
Beautiful, this makes perfect sense, so it makes more sense looking at the filesystem data rather than the OS.
NTFS data is of course worth a look at, though - at face value - it fails a logical test (i.e. it is well possible, but not really "making perfect sense").
I mean, if the user is hypothetically so "smart" as to remove the hard disk from the laptop and "copying data from it on another machine" (in order to leave no traces) why would he/she have actually accessed the filesystem at all [1]?
jaclaz
[1] as opposed to - say - having used a read only distro or making an image?
↧
General Discussion: Skype Main.db and Tables
Yeah that was being tested.
I fired up a few VMs and made a few fake Outlook accounts. I got the same version of Skype from oldversions.com and it wouldn't let me log in with the usernames and passwords, which I knew were correct as I could log in to the Web Mail.
If you can't log in, it won't create the main.db as it has no username / LiveID folder to put it in. It let me log in on the latest version of Skype; however, that doesn't even have a main.db or skype.db for that matter, as it's all cloud based now.
Has anyone ever had any luck with Microsoft in respect of this type of thing?
Kind Regards
Dee
↧
General Discussion: Skype Main.db and Tables
Ah I see. How frustrating.
↧
General Discussion: Internal Hard-Disk removal logs
CopyRight wrote:
There are no assumptions that the user is hypothetically "smart", but the head of IT has been told that this person has given the hard disk to someone else, which exposed some classified documents to someone else. Then the hard disk was returned to the same laptop.
The hard disk had also a "safety sticker" that broke if someone opens up the hard disk, but that still isn't enough evidence.
So the scenario here is could we actually "forensically" prove that the hard disk has been removed from the Laptop or not?
As you said, in theory there is no difference between theory and practice, but in practice there is.
Yep, but if (when) we are trying to make a (logical) theory, the logic must be the same.
IF the user took the hard disk out of the laptop, he/she needed:
a. (possibly, it may depend on specific models) a screwdriver
b. a not difficult (but not at all "easy" or "common") knowledge on how to disconnect the hard disk and later re-connect it properly
Since in order to simply copy some contents from a laptop there are at least three ways (in order of increasing complexity AND decreasing risk of leaving digital forensic traces):
1) simply copy the data from the booted OS to a USB device (or send it as an attachment to an e-mail, or upload it to some http or ftp site, etc.)
2) use a bootable external OS (IF it is possible to boot the laptop to an external OS) to do the above
3) physically disconnect the hard disk, do *something* with it then reconnect it
IF the most complex #3 was chosen/adopted THEN there must be a reason.
Two possible reasons (among the many):
r.1) the user is "smart" and uses a more complex procedure in order to avoid leaving digital traces
r.2) the user is (very) "dumb" and either knows nothing about the simpler options #1 and #2 or has a masochistic attitude to choose more difficult options.
I was exploring possibility #r.1
jaclaz
↧
Mobile Phone Forensics: Is it possible to prove a phone has been never rooted?
arcaine2 wrote:
Skywalker wrote:
How can I read the Knox bit (as well as Young II has the bit)?
Boot into download mode, and there should be either a Warranty Void flag or a Knox Warranty Void flag. It can be 0 or 0x0, or 1 or 0x1 if anything custom was booted at some point.
Thanks!!
↧
Mobile Phone Forensics: REDDIT POST: Run checkra1n from an Android device
Not only can you use an Android to checkra1n an iPhone you can then install Linux on an iPhone and then, presumably, use that iPhone to checkra1n other iPhones!!!
↧
Mobile Phone Forensics: Extract an encrypted iTunes backup with password and wechat
jaclaz wrote:
msbettyhunt wrote:
armresl wrote:
You are replying to a 4 year old post.
Ain't we allowed to reply on the old post?
Sure we are.
BUT replying to an old post WITHOUT adding any relevant info is frowned upon, not only because it adds nothing, but it may also make some less attentive members reply, and then another one will reply, etc. while the OP (original poster) is already well past the original issue and most probably won't ever report if any of the suggestions have been found meaningful/useful.
BTW, in theory the scheme of a thread about a help/assistance request should be:
1) the OP asks the question, hopefully providing as much details as possible
2) one or more willing helping members try to suggest a meaningful, well thought solution to the OP's problem (and nothing else)
3) the OP tries the suggested solution and reports whether it worked or not
4) one or more loops to #2 until the issue is resolved or deemed to be unresolvable
What actually happens in practice most of the time is:
1) the OP asks the question, usually omitting any meaningful detail
2) a number of other members either throw half @§§ed or vague/generic recommendations or ask for meaningful details
3) some of the good guys that actually make and sell commercial tools take the occasion to say how their tool would work instead
4) some spammer take the occasion - possibly years later - to mention their tool - even if already mentioned (and excluded) before
5) a willing helping member doesn't notice the date of the before last post and there may be a loop to #2
6) the thread having been posted to "floats" to the "recent posts" and a number of people will read it (AGAIN), won't notice the dates of the original posts and will add some comment (good or bad) and again a loop to #2 may happen
7) the original issue likely won't be solved anyway (or at least we will miss any confirmation on what - if any - worked), the forum database will increase (a little) in size, lots of members will have lost (a little) time reading an old, likely irrelevant thread and entropy will win another (little) battle.
jaclaz
You Forgot #8
8. A bunch of people will read this long post of 7 bullet points and never get those precious minutes of their life back :P
↧
Mobile Phone Forensics: Extract an encrypted iTunes backup with password and wechat
cs1337 wrote:
You Forgot #8
8. A bunch of people will read this long post of 7 bullet points and never get those precious minutes of their life back :P
Still, if those people manage to get up to point #7 they will have learnt something that in the years will save them multiple times the little precious time lost today.
... one day they will thank me for those bullet points ...
jaclaz
↧
Mobile Phone Forensics: Extract an encrypted iTunes backup with password and wechat
jaclaz wrote:
cs1337 wrote:
... one day they will thank me for those bullet points ...
jaclaz
Where is the button to just sticky this to the front page for ever and ever?
↧
Forensic Software: UFED rdr
Does anyone have a link to the UFED reader?
I received a drive and there is no reader on it.
Can give email in PM if you can google drive or dropbox it.
Thanks.
↧
Mobile Phone Forensics: HTC EDL Mode
Thank you!!!
↧
Forensic Software: Barracuda Backup -> forensically sound emailbox extraction
Hi,
Does anybody have a suggestion for exporting a user's e-mail box from within Barracuda Backup (Cloud) to a proper image file, without tampering with date/time? The only option seems to be a directory structure with eml e-mail files.
Any suggestion would be appreciated.
Biedubbeljoe
↧
General Discussion: How to know if there is User Password in Windows
Thank you for your info.
↧
Forensic Software: Barracuda Backup -> forensically sound emailbox extraction
UnallocatedClusters wrote:
Be careful to make sure the EML exports include attachments as well as the emails themselves.
Thanks, but I was looking for an image / PST export, not an extraction of e-mails in separate eml files.
↧
Mobile Phone Forensics: Recovering Messenger's secret messages
Hello,
Is it possible to recover a message or some messages sent using Messenger secret chat, the ones that disappear after an amount of seconds?
Both the phones are Android, sender and receiver.
We have the sender phone in hand.
↧