Channel: Forensic Focus Forums - Recent Topics
Viewing all 20103 articles

Mobile Phone Forensics: Phone with Android - bluetooth question

Well... Kind of reviving an old post here, but wondering if anyone can clarify. I am trying to find information for Bluetooth paired devices. I am more interested in audio headsets rather than transfer of data. I located the btopp.db database for the Android device I am working with, but the database is empty (the table structure is there, but no data within the tables when I open the db file). Now... I am wondering if this is due to how Android stores information... or if I can only get these databases if the device is rooted? I obtained a physical extraction using Cellebrite UFED Touch 2, but this was a Smart ADB extraction. The device is not rooted, so I am assuming no sudo means I don't get this data? Just wondering if someone out here has a better idea of where I should be looking... Thanks for the help in advance!
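When an extracted SQLite database shows the schema but no rows, the first thing to settle is whether the file is really empty or only the live rows are gone. The script below is an added example, not code from the original post or from any tool named in it: it counts live rows per table, reads the freelist chain out of the file header, checks those freed pages for a known string, and looks for a -wal or -journal sidecar next to the file. The demo database, its btopp table layout and the "AudioHeadset" marker are constructed here for the run and are not btopp.db's real schema.

```python
"""Triage an SQLite database that looks empty (structure present, no rows).

Added example, not code from the original post or from any forensic tool
named in it. It reports live row counts per table, then looks for residue
that an 'empty' extraction can still carry: freelist pages (pages freed by
DELETE whose bytes survive unless secure_delete was on) and any -wal or
-journal sidecar next to the file. The demo database, its table layout and
its contents are constructed here, not btopp.db's real schema.
"""
import os
import sqlite3
import struct
import tempfile

HEADER_MAGIC = b"SQLite format 3\x00"


def build_demo_db(path, rows=400):
    """Constructed input: rows inserted and then deleted, so the file mirrors
    'tables are there but hold no data'."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA auto_vacuum=NONE")   # keep freed pages on the freelist
    con.execute("PRAGMA secure_delete=OFF")  # do not zero freed page content
    con.execute(
        "CREATE TABLE btopp (_id INTEGER PRIMARY KEY, uri TEXT, hint TEXT,"
        " destination TEXT, timestamp INTEGER)"
    )
    con.executemany(
        "INSERT INTO btopp (uri, hint, destination, timestamp) VALUES (?, ?, ?, ?)",
        [("content://media/%d" % i, "AudioHeadset-%03d" % i,
          "00:11:22:33:44:%02X" % (i % 256) + " " * 100, 1500000000 + i)
         for i in range(rows)],
    )
    con.commit()
    con.execute("DELETE FROM btopp")  # whole-table delete frees the leaf pages
    con.commit()
    con.close()


def read_header(raw):
    """Page size, first freelist trunk page and freelist page count from the
    100-byte file header (offsets 16, 32 and 36, big-endian)."""
    if raw[:16] != HEADER_MAGIC:
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", raw[16:18])[0]
    if page_size == 1:            # the header encodes 65536 as 1
        page_size = 65536
    trunk, count = struct.unpack(">II", raw[32:40])
    return page_size, trunk, count


def walk_freelist(raw):
    """Follow the freelist trunk chain and return every freelist page number
    (trunk pages plus the leaf pages each trunk lists)."""
    page_size, trunk, _ = read_header(raw)
    pages, seen = [], set()
    while trunk and trunk not in seen:
        seen.add(trunk)
        pages.append(trunk)
        off = (trunk - 1) * page_size
        nxt, n = struct.unpack(">II", raw[off:off + 8])
        pages.extend(struct.unpack(">%dI" % n, raw[off + 8:off + 8 + 4 * n]))
        trunk = nxt
    return pages


def triage(path, marker=None):
    """Live row counts plus freelist and sidecar findings for one database.
    marker: bytes to look for inside freelist pages (e.g. a device name)."""
    con = sqlite3.connect("file:%s?mode=ro" % path, uri=True)
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    counts = {t: con.execute('SELECT count(*) FROM "%s"' % t).fetchone()[0]
              for t in tables}
    freelist_count = con.execute("PRAGMA freelist_count").fetchone()[0]
    page_count = con.execute("PRAGMA page_count").fetchone()[0]
    con.close()

    with open(path, "rb") as f:
        raw = f.read()
    page_size = read_header(raw)[0]
    free_pages = walk_freelist(raw)
    marker_hits = 0
    if marker:
        for p in free_pages:
            marker_hits += raw[(p - 1) * page_size:p * page_size].count(marker)

    sidecars = [s for s in (path + "-wal", path + "-journal") if os.path.exists(s)]
    return {"rows": counts, "page_count": page_count,
            "freelist_count": freelist_count, "free_pages": free_pages,
            "marker_hits": marker_hits, "sidecars": sidecars}


def demo(marker=b"AudioHeadset"):
    """Build the constructed database in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "btopp.db")
        build_demo_db(db)
        return triage(db, marker=marker)


if __name__ == "__main__":
    print(demo())
```

If the freelist is empty, no marker hits turn up and no sidecar exists, the extraction most likely handed over a database that was already empty on the device, and the question moves to whether the extraction method could reach the data at all rather than to carving this file.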

General Discussion: Cellular Forensic Worksheet

I don’t have a spreadsheet for you, but I did design an entire app around handling the type of notes you’re trying to take and maintain: Monolith Pro - www.monolithforensics.com

General Discussion: Cellular Forensic Worksheet

It sounds like you are on the right track. Depending on where you work, you should include the contact person for the case along with their contact information, the search warrant/court order number that authorized the analysis, and a space for the software and the version of the software you are using. For example, Cellebrite Physical Analyzer 7.xxxx and so on. If there was a keyword list provided by the contact person or created by you or another examiner, I would have a space to document that, where it could be found, and if the search for those terms was completed. You will want a space to document if a report or other deliverable was created, to whom it was sent, and the way it was delivered (in person, shipped with tracking number, etc.). If you have a property sheet that already documents such things, it will be up to you if you want this type of redundancy.

For those entries involving dates (for example when a keyword search was done, when the examination started, when the deliverable was sent out, evidence received/returned), leave a space so the date can be written out and not just a check box indicating it was done. I do not have a copy of the form I created, but there were many times most of my case notes were on the sheet. It also shows a workflow documenting what has been done. In case, for some reason, you are not available to complete the analysis (sickness, transfer, vacation, etc.) or if someone needs an update on your analysis, all that needs to be done is for someone to review your sheet and they can give the update or resume the analysis without duplicating steps. Feel free to reach out to me if you want any further ideas or feedback on the spreadsheet you are working on.

Mobile Phone Forensics: Mobilyze 2018 - Android issue

Have you looked at the troubleshooting tips on BlackBag's page? https://www.blackbagtech.com/resources-android-resources/ In particular, have you tried the USB modes other than MTP?

General Discussion: SHC entries from User Hives

Does anyone know what the SHC entries are used for? In what scenarios will the operating system create an entry in Software\Microsoft\Windows\CurrentVersion\UFH\SHC? I tested on my own machine and it seems it creates an SHC entry whenever I install an app and it adds it to the Start menu. Not sure if this is the only scenario?

Mobile Phone Forensics: Decryption of WhatsApp db by importing into older extraction

Hello, I received an iPhone Xs and recovered the data, including WhatsApp. One month later the same phone set is returned with WhatsApp removed. I can see the WhatsApp .enc files in a folder. There is no SIM, so the account cannot be restored. Can I pass the found .enc files to my older extraction and recover data through Cellebrite or any other tool? Regards

General Discussion: Cellular Forensic Worksheet

Please send me a PM with your email address and I will send you our template Evidence Map Excel spreadsheet. Our Evidence Map contains multiple tabs for recording all critical case information:

Forensic Tracker tab: custodian information, device information, forensic preservation information, BitLocker and other passwords, uniquely assigned evidence numbers, evidence locker bin number location.
Timeline tab: significant events including who/what/when/source of evidence.
Key Words tab: key words and phrases.

I am happy to share this tool with anyone else who sends me a PM. It is as valuable to our practice as any forensic software tool. Basically, when I need to write an affidavit or expert report, all information needed to include in such documents can be pulled from the matter-specific Evidence Map.

Mobile Phone Forensics: Buy UFED Device Adapter for 4PC


General Discussion: What images were uploaded to the Internet via a Mac?

It sounds like you're asking if Mac OS stores a centralized upload history and the answer is no.

General Discussion: What Can Happen if Write Block is Not Enabled?

tracedf wrote:
Without write-block, you are going to make some changes to the drive/device. But, it's not always possible to avoid making any changes. The goal should be to avoid making changes to the greatest extent possible. If you are working on a removable hard drive from a computer that is not currently turned on, then you should always use a write-blocker. In other situations, you may want to make some changes in order to capture the maximum amount of evidence. For example, you might load a program to capture RAM from a running computer. Or, you might be required to confirm the presence of such-and-such relevant evidence before taking the computer with you. In another circumstance, you might need to boot to a live distribution to recover data from a hard drive that is not removable. The risk, when not using a write blocker, is that you'll change evidence in ways that hinder your investigation. For example, you might update last access timestamps or create new thumbnails by browsing pictures. You might even make a mistake and destroy evidence by accidentally deleting or overwriting a file. If you need to proceed without a write-blocker, it is important to understand what you are doing, limit your activity to what is necessary, and document each step you take so your work can be reviewed later.

Does the write-block also kill internet connections? What happens to internet connections and data transfers as write-block is engaged/started/initiated on the machine?

General Discussion: What Can Happen if Write Block is Not Enabled?

The question "How critical is Write-Block during onsite triage?" needs qualifiers to answer accurately. Every scenario is independent from another. What is 'critical' in one scenario may not be in another. Case objectives, device configurations, and conditions onsite affect the decision-making of whether to write block or not, and if you can write block at all.

--Is the computer off?
-----Then you can "triage" in a write-protected mode using a forensically sound boot OS (Linux or Windows). Decryption key needed if the device is encrypted, or else you won't have access to the data.
-----Or, if the drive is accessible to a physical write protect device, triage via a forensic workstation with the drive attached through a hardware write blocker. You'll still need the key if the drive is encrypted.
--Is the computer on?
-----Do you need the RAM? You can't write protect if you do.
-----Is it encrypted and you don't have the key? You'll have to image while it's running (live) without write protection.
-----Is someone's life or limb at risk and you need intel now? Best to get the intel and not worry about write protection.

There is a sliding scale of what is reasonable as it relates to write protecting evidence. On one hand, if a storage device is easily accessible (removable, as an example), not encrypted (or you have the decryption key), and time is not of the essence, then write blocking the drive to triage is probably most reasonable. However, if you are onsite of a child that has been lured away, and the computer is running, I would hope you would not even consider write blocking the device, since that would mean (1) shutting it down, (2) losing RAM, and most importantly, (3) wasting valuable and potentially life-saving time.
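For the "computer is off, triage from a forensically sound boot OS" branch above, the check a practitioner wants before touching the evidence drive is that the kernel actually holds it read-only and nothing has mounted it read-write. The script below is an added example, not code from the original post: it reads the device's ro flag from sysfs (the flag that blockdev --setro sets) and scans the mount table for rw mounts of the device or its partitions. A software ro flag is not a hardware write blocker; this only confirms that the software state matches what you intended. The sysfs root and mount-table path are parameters so the demo can run against a constructed tree; the /dev/sdb and /mnt/evidence names in the demo are made up.

```python
"""Verify that an evidence block device is read-only and not mounted rw
before triaging it from a Linux boot environment.

Added example, not from the original post. The ro flag lives at
/sys/class/block/<name>/ro and is what 'blockdev --setro /dev/<name>'
sets; /proc/mounts lists mounted sources with their options. Both paths
are parameters so the demo below can run against constructed files.
The device and mount point names in demo() are constructed.
"""
import os
import tempfile


def device_ro_flag(dev, sysfs="/sys"):
    """True when the kernel marks the named device read-only."""
    name = os.path.basename(dev)
    with open(os.path.join(sysfs, "class", "block", name, "ro")) as f:
        return f.read().strip() == "1"


def rw_mounts(dev, mounts="/proc/mounts"):
    """Mount entries whose source is dev or a partition of it (same
    prefix, e.g. /dev/sdb1 for /dev/sdb) and whose options include rw."""
    found = []
    with open(mounts) as f:
        for line in f:
            parts = line.split()
            if len(parts) < 4:
                continue
            source, target, fstype, opts = parts[:4]
            if source == dev or source.startswith(dev):
                if "rw" in opts.split(","):
                    found.append((source, target, fstype))
    return found


def check_device(dev, sysfs="/sys", mounts="/proc/mounts"):
    """Return (ok, findings). ok is True only when the ro flag is set and
    no rw mount of the device or its partitions exists."""
    findings = []
    if not device_ro_flag(dev, sysfs):
        findings.append("kernel ro flag not set on %s (blockdev --setro %s)" % (dev, dev))
    for source, target, fstype in rw_mounts(dev, mounts):
        findings.append("%s mounted read-write at %s (%s)" % (source, target, fstype))
    return (not findings, findings)


def demo():
    """Constructed state: /dev/sdb not flagged ro and sdb1 mounted rw, then
    the same device after 'blockdev --setro /dev/sdb' and an unmount."""
    with tempfile.TemporaryDirectory() as root:
        sysfs = os.path.join(root, "sys")
        blk = os.path.join(sysfs, "class", "block", "sdb")
        os.makedirs(blk)
        mounts = os.path.join(root, "mounts")

        with open(os.path.join(blk, "ro"), "w") as f:
            f.write("0\n")
        with open(mounts, "w") as f:
            f.write("/dev/sda1 / ext4 rw,relatime 0 0\n")
            f.write("/dev/sdb1 /mnt/evidence ext4 rw,relatime 0 0\n")
        before = check_device("/dev/sdb", sysfs=sysfs, mounts=mounts)

        with open(os.path.join(blk, "ro"), "w") as f:
            f.write("1\n")
        with open(mounts, "w") as f:
            f.write("/dev/sda1 / ext4 rw,relatime 0 0\n")
        after = check_device("/dev/sdb", sysfs=sysfs, mounts=mounts)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

On a real boot environment call check_device("/dev/sdX") with the defaults; the check reads only the named device's flag, so run it against each partition node as well if you set them individually.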

General Discussion: Mac OS Remote Forensic Collection

Hi, EnCase Forensic / Endpoint Investigator version 20.2 contains the agent which allows for preview/collection of a Mac running macOS 10.15 Catalina and with the T2 security chip over the network - via a PC Regards

General Discussion: Remote Imaging Macs Running Catalina and T2 Chip

Hi. Not sure if you found a solution; however, EnCase Forensic / Endpoint Investigator version 20.2 now contains the agent which allows for preview/collection of a Mac running macOS 10.15 Catalina and with the T2 security chip, across the network. Regards

Forensic Software: Sans sift workstation install

I am attempting to install SANS SIFT Workstation on Ubuntu 16.04. I get to the key verification part and it gives me a file open error. Please see the error below. I am welcome to suggestions!! I'm out of ideas.

gpg --keyserver pgp.mit.edu --recv-keys 22598A94
gpg: keyring `/home/steven/.gnupg/secring.gpg' created
gpg: keyring `/home/steven/.gnupg/pubring.gpg' created
gpg: requesting key 22598A94 from hkp server pgp.mit.edu
gpg: /home/steven/.gnupg/trustdb.gpg: trustdb created
gpg: key 22598A94: public key "SANS Investigative Forensic Toolkit <sift@computer-forensics.sans.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
steven@steven-OptiPlex-790:~$ gpg --verify sift-cli-linux.sha256.asc
gpg: can't open `sift-cli-linux.sha256.asc'
gpg: verify signatures failed: file open error

Forensic Software: Sans sift workstation install

Thank you AmNe5iA! That was exactly what it was, thank you for your help!! Have a good day.

General Discussion: Mac OS Remote Forensic Collection

randomaccess wrote:
Velociraptor is a free collection utility. You can create a server on AWS or your local network and deploy the agents to collect/hunt/monitor. We use the Windows version a lot, but there is a Mac client. Haven't personally tested it but I know Mike did recently. Velocidex (velocidex.com)

I am not sure which opinion is correct for acquisition of a Mac with a T2 chip.

General Discussion: How to recover a hacked Instagram account?

sovietpecker wrote:
The only way to recover a hacked account is to contact customer care and provide as much information as possible that would tie the true owner to the account. Every account is tied to an email address or to a phone number. If the account was hijacked and the email address was changed, then you can alert customer care that someone suddenly changed the original email account the Instagram account was tied to. However, if the email account remained the same, then I see no reason why the individual can't just initiate a password reset. Maybe you should explain exactly how the individual lost access to his account and then, step by step, identify information that would be valuable to customer support to validate that the individual is the actual owner of the said account.

Which email? The "Support" address is not working for these purposes. All personal information in the account was changed by the hacker: email, phone, everything. When I try to recover the account through the username, I obtain a message which says I have to contact Instagram, but the message does not provide a contact email address. I have written to an account and sent a photograph of my customer holding his ID, but there is no way; they say it is not enough information. I really can't believe this.

General Discussion: Budding Forensic Scientist here.

I was wondering if anyone could help me. I have my work experience coming up soon for secondary school (Year 10) and was wondering where I could go to further my knowledge on Forensic Science. Thanks, a budding Forensic Scientist

General Discussion: Data Recovery from EMC Isilon cluster

Data stored on a cluster comprised of 14 different devices containing over 500 individual HDDs. Data is encrypted in motion and encrypted at rest. This sounds more like recovery from a data center than a traditional recovery using tools like Axiom or FTK. Not sure something like this is even possible. Any help, guidance, direction, or even a flat-out "no" would be appreciated. Thank you.

Forensic Software: Conducting an email review using free/low cost software

DISCLAIMER: I have no professional association with Passmark, maker of OSForensics. In my opinion OSForensics is the most cost effective tool to use to review, analyze, tag and produce email files short of using a dedicated electronic discovery tool. One can create separate dedicated indexes per custodian in the same OSForensics project which can then be searched individually or in combination with another custodian's index. The main downside with email review using OSForensics (as compared to a dedicated electronic discovery tool such as Relativity) is that responsive emails must be converted to PDF files for Bates stamping and production individually rather than in batches. However, that caveat notwithstanding, OSForensics can generate an HTML format report containing key-word responsive emails and email attachments, which can then be reviewed for production by attorneys.

So the basic OSForensics workflow is:
1. Create a new OSForensics project.
2. Generate individual indexes for each custodian; name each index by the custodian's name.
3. Run search terms across all custodians' indexes at once (or one custodian's index at a time).
4. Generate an HTML report containing key word responsive emails and email attachments.
5. Open the HTML report and review the key word responsive emails and email attachments for responsiveness.
6. Print responsive emails and email attachments to PDF files from the HTML report.
7. Apply Bates stamps to the PDF files for production using Nuance's PDF software or Adobe Pro.

GetData's Forensic Explorer also has a very robust email review capability but is more expensive than OSForensics.