armresl wrote:
Does anyone have a link to the UFED reader?
I received a drive and there is no reader on it.
Can give email in PM if you can google drive or dropbox it.
Thanks.
Hello! The UFED reader can be downloaded only by registered users on the Cellebrite home site. In your case, contact the creator of the report to get a UFED reader. Good luck.
↧
Forensic Software: UFED rdr
↧
General Discussion: File contents...
Hi,
Herewith I would like to know more about file contents like metadata. Assume somebody creates a (legal) file on a computer inside an internet cafe, and assume that file is then sent out from another internet cafe later: have you ever experienced computer forensic experts being able to detect exactly which internet cafe the file was created in? Thanks.
P.S.: I'm not an English native speaker, sorry, if there are mistakes.
↧
General Discussion: Anyone going to the ICDDF conference next week in Heathrow?
I'm going if it's not cancelled, but my broken arm isn't going to make it too much fun :/
↧
Forensic Software: Autopsy USB usage
Hi,
How can I see which files were copied to a USB stick and when the last access to the USB stick was?
Best Regards
Herry
↧
Forensic Software: Autopsy USB usage
USB forensics
the host will have more information than the device
read, and learn how to find what you are looking for specifically
↧
Mobile Phone Forensics: Recovery messenger's secret messages
It depends on the Messenger but in general according to our experience if a chat is self-destructed there are no traces of it in Android devices.
↧
Mobile Phone Forensics: Recovery messenger's secret messages
I mean Messenger from Facebook
↧
Forensic Software: Barracuda Backup -> forensically sound emailbox extraction
Barracuda stores archived emails within database tables and may or may not have been configured to also archive email attachments.
Barracuda typically does not OCR content as it is ingested to its databases so I strongly recommend not using the Barracuda software itself to perform any date range nor key word filtering.
You can screenshot the export steps you are taking using Barracuda as a collection report.
The Barracuda exported EML or PST files (if it can export PST files) will have a creation date of today’s date, but the email internal critical metadata such as email sent date will be unchanged from the original email’s metadata dates.
You would definitely need a licensed version of Outlook on the Barracuda box itself in order to generate PST format exports (if that is even a Barracuda export option).
You can always use Aid4Mail Forensic Edition to convert the export EML files to PST format if you must have PST files.
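An added example, not part of the post above and not Barracuda's or Aid4Mail's own code: a collection manifest that hashes each exported EML file and records the message's internal sent date next to the file's on-disk timestamp, so the gap between export time and original send time is documented. The function names, the `.eml` folder layout and the sample message are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

# Constructed sample message standing in for one exported EML file.
SAMPLE_EML = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
              b"Message-ID: <constructed-1@example.com>\r\n"
              b"Date: Tue, 05 Mar 2019 14:30:00 +0000\r\n"
              b"Subject: constructed sample\r\n\r\nbody\r\n")

def manifest_entry(path):
    """Hash one EML and record its internal sent date beside the file time."""
    with open(path, "rb") as fh:
        raw = fh.read()
    msg = BytesParser().parsebytes(raw, headersonly=True)
    try:
        sent = parsedate_to_datetime(msg["Date"])
        if sent.tzinfo is None:          # "-0000" or no zone: treat as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        sent = sent.astimezone(timezone.utc)
    except (TypeError, ValueError):      # missing or malformed Date header
        sent = None
    # mtime is a portable stand-in for the export-time file date.
    on_disk = datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)
    return {
        "file": os.path.basename(path),
        "sha256": hashlib.sha256(raw).hexdigest(),
        "message_id": msg["Message-ID"],
        "sent_utc": sent.isoformat() if sent else None,
        "file_time_utc": on_disk.isoformat(),
        "file_newer_than_sent": bool(sent and on_disk > sent),
    }

def build_manifest(export_dir):
    """Return one entry per .eml file in the export folder, sorted by name."""
    names = sorted(n for n in os.listdir(export_dir) if n.lower().endswith(".eml"))
    return [manifest_entry(os.path.join(export_dir, n)) for n in names]

def demo():
    """Write the constructed sample to a temp folder and build its manifest."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "0001.eml"), "wb") as fh:
            fh.write(SAMPLE_EML)
        return build_manifest(d)

if __name__ == "__main__":
    print(demo())
```

Run `build_manifest` against a working copy of the export folder and keep the output with the screenshots of the export steps.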
↧
Mobile Phone Forensics: Recovery messenger's secret messages
OK, thank you.
↧
General Discussion: Anyone going to the ICDDF conference next week in Heathrow?
Was also due to be presenting, but it's cancelled now, due to you know what
↧
Mobile Phone Forensics: Cellebrite Reader and images in report.
Well, if you're not after the details and just the pictures, then you could just open a blank Word doc and then just select-all from the images folder and drag them into it....
(but this may not be what you mean)
↧
Forensic Software: X-Ways Does Not Process APFS!!
PensiveHike wrote:
Once you have processed the image files with Axiom, a decrypted image file should be present within the Axiom case file. This can then be loaded into X-Ways. For the time being, this is how we are doing it.
Initially we tried loading the encrypted image into Passware and creating a decrypted image file, but certain data (pictures) was missing, so we stopped doing it this way.
Not sure whether his volume was encrypted in the end, however, just for the info of others, if you don't have Axiom, you can decrypt it using libfvde: mount it with fvdemount using the wipekey, and then acquire it (using ewfacquire for example).
I happen to have done a drive that way originally, and later via Axiom, and the hashes of the data were the same, just to confirm (dunno if they use the same library to do it - support haven't confirmed that or not).
↧
Mobile Phone Forensics: Cellebrite Reader and images in report.
Export all the images out to a folder, select all print, print to PDF.
This will do what you are asking.
↧
Mobile Phone Forensics: Extracting data from a factory reset Android mobile phone
I have a phone that was accidentally factory reset on 3/6. I need to recover photos that were saved to the device prior to the reset. (No, there was no backup or sync at the time.) I've already rooted it, USB Debug on, SU allow, encryption appears to be off by default. I have tried some apps which are recovering stuff I believe was prior to the reset but it isn't what I'm looking for. The phone is an HTC Desire 626, model HTCD200LVW, Android 6.0.1. It was on the Verizon network at one point but hasn't been connected to a network in years. I had a tough time getting it rooted, apparently Verizon loaded the phones with something that made that difficult. Can confirm via SunShine s-off, & various root checkers that it is in fact rooted. The photos I need are screenshots that may be used in a custody issue later, otherwise it wouldn't be so important. Any help would be appreciated. Thanks.
Specs:
https://www.gsmarena.com/htc_desire_626_(usa)-7421.php
↧
Mobile Phone Forensics: Extracting data from a factory reset Android mobile phone
shadowplay wrote:
I had a tough time getting it rooted, apparently Verizon loaded the phones with something that made that difficult. Can confirm via SunShine s-off, & various root checkers that it is in fact rooted. The photos I need are screenshots that may be used in a custody issue later, otherwise it wouldn't be so important. Any help would be appreciated. Thanks.
If it's already s-off then just create a dump and take a look. Realistically tho, it may be only possible to get those data back by using NAND protocol method that also requires you to do a chip-off first.
↧
General Discussion: Anyone going to the ICDDF conference next week in Heathrow?
Thanks for that. When I asked on Thurs they told me it was going ahead... I'll stop packing then. Shame though.
↧
General Discussion: Windows Defender Firewall & IE 11 Sessions
I'm not sure if here is the right forum to post.
I'm not very versed with Firewall Rules, I'm hoping someone can help me with these 2 issues.
Issue 1:
I'm on a Windows 10 Home version 10.0.18362 Build 18362, from Windows Defender Firewall I have deleted rule "crazy" from both the Inbound and Outbound sections. However, under Monitoring -> Firewall the "crazy" rule is still there and there is no option to delete. It is also pointing to a path location that no longer exists.
As admin, I ran command netsh advfirewall firewall delete rule name="crazy" several times but keep getting error "An unrecoverable Windows Defender Firewall error (0x2) occurred."
How can I forcefully remove this?
I suspect the Firewall window is reading its data from the Registry (or some other system file), where is that data and can I go there and just delete the rule?
Issue 2:
I sometimes use the IE version 11 browser, which is configured to delete all history, cookies, caches, etc upon exit. However, each time I relaunch IE and go to gmail, it automatically signs me into my email. I know clicking 'sign out' will end the session.
But I'm thinking, since there are no cookies or caches being stored and I close IE, shouldn't the session end?
I even went to AppData\Local\Microsoft\Windows\INetCache and deleted all the files, closed IE, and then relaunched IE. It still signs me into gmail automatically.
How do I get IE to kill the session?
Thanks.
↧
General Discussion: Staged photo, ok, but how much?
I have seen this photo on just about every DF website.
I think, WE (I have this pic saved and plan to use it when I establish my own DF lab..HAHAHA) envision that one day, we will have a lab setup just like that.
I specifically chose to include "Digital Forensics laboratory" in my company name, not Digital Forensics Service. I want to emphasize the SCIENCE of Digital Forensics. Customers will pay extra for something that's Scientific.
For the floor plan, I use this picture to mimic how the lab and clean room should be laid out (no personal items). There will be a separate open space with desk and chair (to encourage Examiners to take a break).
↧
Mobile Phone Forensics: Extracting data from a factory reset Android mobile phone
This is a very old Android phone where the garbage cleaning mechanism wasn't so effective... you will most likely get data back after a factory reset using a normal dump after S-OFF or by performing ISP/chip-off. If not, then only NAND read and image assembly can be used to get the data back.
↧
General Discussion: Western Digital SmartWare
Resurrecting this thread: did anyone ever find a workaround if there was no password found?
↧