Igor_Michailov wrote:
I am not sure which opinion is correct for acquisition of a Mac with a T2 chip.
It should let you acquire files still. And you could write a hunt to collect all of the files that you want.
But I'd love to see someone testing it out and demonstrating why it is or isn't suitable.
↧
General Discussion: Mac OS Remote Forensic Collection
↧
Forensic Software: Conducting an email review using free/low cost software
@UnallocatedClusters
Thank you so much for your comment. I'll try these two tools.
↧
Forensic Software: Conducting an email review using free/low cost software
There is also Intella by Vound forensics that might suit your need.
It looked alright, but in the end it never ended up fitting in with our forensic investigations.
↧
Forensic Software: Conducting an email review using free/low cost software
Well their cheapest one is 1000 USD atm if you are to buy it.
Compare that to FTK or Magnet Axiom that is pretty cheap in the grand scheme of things.
After all I did not see any price limits in the "Free/low cost"
But the main reason why I listed intella is and I quote:
"Vound will be pleased to provide a fully functional, time-limited evaluation copy of Intella to qualified individuals."
Which would let him try out the full thing for free before having to commit to anything
↧
General Discussion: Time Zone
Hi All.
I still have doubts about the conversion from the UTC time zone to the local time zone.
I should state that I am using Autopsy.
I identified the local location, which is the Chicago time zone: UTC-6, or UTC-5 in Daylight Saving Time.
But there is evidence that also involves another UTC time zone, -8, or -7 in the case of Daylight Saving Time.
In the import file in Autopsy I set UTC time zone but I noticed that there is a difference of an hour.
I thought that maybe the problem could be in the file that I imported (.E01) which is perhaps set with GMT and that could create the extra daylight saving time problem.
For example, I have an e-mail in Daylight Saving Time:
Date received: 31/5/2002 at 01:11:11
Date sent: 31/5/2002 at 01:11:10
Internet header details:
30/5/2002 17:11:11 -07:00
In this case the email was sent from another UTC time zone -7. The calculation to obtain the local time zone of Chicago should be:
31/5/2002 01:11:11 - 5 = 30/5/2002 18:11:11 -5
which is different from 30/5/2002 17:11:11 -07:00 already in the internet header details.
What's the problem?
↧
Forensic Software: Conducting an email review using free/low cost software
jaclaz wrote:
LeGioN wrote:
Well their cheapest one is 1000 USD atm if you are to buy it.
Compare that to FTK or Magnet Axiom that is pretty cheap in the grand scheme of things.
After all I did not see any price limits in the "Free/low cost" :P
Yep, everything is relative, a Tesla model 3 can well be called free/low cost if compared to an Aston Martin Rapide-E.
jaclaz
That's why I no longer have a car at all. As there was no free and opensource car I could afford.
↧
Forensic Software: Why scalpel cannot recover file from E01 file format
Hi
1) I wonder why the scalpel and foremost tools cannot recover files from the E01 file format (they do not support the E01 file format)?
2) Is it possible to create a python script to recover jpg files from the E01 file format? If yes, how?
I know that
# Headers for jpeg carving
jpg_Header = b'\xFF\xD8\xFF'
jpg_Footer = b'\xFF\xD9'
↧
Forensic Software: Why scalpel cannot recover file from E01 file format
Tony75 wrote:
Hi
1) I wonder why the scalpel and foremost tools cannot recover files from the E01 file format (they do not support the E01 file format)?
2) Is it possible to create a python script to recover jpg files from the E01 file format? If yes, how?
I know that
# Headers for jpeg carving
jpg_Header = b'\xFF\xD8\xFF'
jpg_Footer = b'\xFF\xD9'
The E01 (actually EWF) file format is a compressed format.
Not entirely unlike how you won't be able to carve a jpg header from a .zip archive.
You need to mount it in uncompressed form or convert it to dd-like in order to carve it.
jaclaz
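The point jaclaz makes (header/footer carving only works on the raw bytes, never on the compressed EWF container) is shown below with an added example that is not from this thread or from scalpel/foremost. It uses the JPEG header/footer from the question, reads any file-like object in chunks so a marker split across a chunk boundary is still found, and runs the same carver over a constructed raw image and over a deflate-compressed copy of it (standing in for the EWF chunks); an E01 would first have to be exposed as raw bytes (libewf/pyewf, ewfmount or a dd conversion) before this carver sees anything.

```python
# Added example (not from the thread): naive header/footer JPEG carving over a
# raw byte stream, and why the same scan finds nothing in compressed data.
import io
import zlib

JPG_HEADER = b'\xFF\xD8\xFF'   # markers from the question
JPG_FOOTER = b'\xFF\xD9'


def carve_jpegs(stream, chunk_size=1 << 20, max_size=16 << 20):
    """Return [(offset, bytes)] for every header..footer span in the stream.

    Caveat: FF D9 also appears inside embedded thumbnails, so a production
    carver should walk the JPEG segment markers instead of trusting the
    first footer it sees.
    """
    found, buf, base = [], b'', 0          # base = absolute offset of buf[0]
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        buf += data
        while True:
            start = buf.find(JPG_HEADER)
            if start == -1:
                # no header: keep a short tail so a split header is still seen
                cut = max(0, len(buf) - len(JPG_HEADER) + 1)
                break
            end = buf.find(JPG_FOOTER, start + len(JPG_HEADER))
            if end == -1 and len(buf) - start <= max_size:
                cut = start                 # footer may be in a later chunk
                break
            if end == -1:
                cut = start + len(JPG_HEADER)   # oversized: abandon this header
            else:
                cut = end + len(JPG_FOOTER)
                found.append((base + start, buf[start:cut]))
            buf, base = buf[cut:], base + cut
        buf, base = buf[cut:], base + cut
    return found


def demo():
    """Constructed sample: two tiny JPEG-like blobs between filler bytes."""
    jpeg = JPG_HEADER + b'\xE0\x00\x10JFIF' + b'\x00' * 40 + JPG_FOOTER
    raw_image = b'\x00' * 100 + jpeg + b'\x11' * 100 + jpeg + b'\x22' * 50
    compressed = zlib.compress(raw_image)   # stands in for an EWF chunk
    from_raw = carve_jpegs(io.BytesIO(raw_image), chunk_size=64)
    from_compressed = carve_jpegs(io.BytesIO(compressed), chunk_size=64)
    from_decompressed = carve_jpegs(io.BytesIO(zlib.decompress(compressed)), 64)
    return from_raw, from_compressed, from_decompressed
```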
↧
Forensic Software: Why scalpel cannot recover file from E01 file format
Whilst I haven't done it, you can likely use DFVFS to write a python script and then perform file carving. HECFBlog has a whole series on building the functionality to interact with images via DFVFS
↧
Forensic Software: Why scalpel cannot recover file from E01 file format
Thanks randomaccess and jaclaz
↧
General Discussion: Journal of Cyber Forensics and Advanced Threat Investigation
Dear Cybersecurity Researcher,
Red || Yellow || Blue Practitioner,
The Journal of Cyber Forensics and Advanced Threat Investigations is an international open-access journal that publishes original research articles and review articles related to all areas of cybersecurity, digital forensics, incident response, and threat investigations. The scope includes the measures that governments or organizations should follow to protect online information & critical infrastructure, the impacts of cyber-crime & cyber-attacks on organizations and/or individuals, malware/ransomware analysis & reversing, hardware/software security testing, zero-day attacks & exploits, large-scale digital investigations, unconventional penetration testing tactics, techniques & tools, social engineering & human hacking, anti-forensics & anti-anti-forensics, identity theft & protection, relevant case studies in cybersecurity, digital forensics, incident response, & threat investigations, and proficient strategies for tackling the various types of cyber-attacks and cyber-crimes.
CFATI is pleased to welcome manuscript submissions from you. Please browse through the journal website to find out more information about the focus and scope of the journal and the author's guidelines.
Journal Website: https://conceptechint.net/index.php/CFATI
Sincerely,
International Journal of Cyber Forensics and Advanced Threat Investigations
Contact
All questions about submissions should be emailed to: cfati@conceptechint.net
↧
General Discussion: Time Zone
elioi wrote:
Date received: 31/5/2002 at 01:11:11
Date sent: 31/5/2002 at 01:11:10
Internet header details:
30/5/2002 17:11:11 -07:00
I don't understand.
elioi wrote:
In this case the email was sent from another UTC time zone -7. The calculation to obtain the local time zone of Chicago should be:
31/5/2002 01:11:11 - 5 = 30/5/2002 18:11:11 -5
which is different from 30/5/2002 17:11:11 -07:00 already in the internet header details.
That calculation is "flawed", if I understand correctly what you are trying to do:
31/5/2002 01:11:11 -0500 is 31/05/2002 06:11:11 UTC
But you need to move from the message date (the one in the actual header) onwards:
30/5/2002 17:11:11 UTC -0700=31/5/2002 00:11:10 UTC
Whatever created 31/5/2002 at 01:11:11 was on UTC+1
You will need to detail where (exactly) that data comes from.
The e-mail header contains several dates/times.
I will provide you with an example (I am in Italy, so my local time is UTC+0200 currently, as we have +1 hour due to DST since March 29); this shows in the gmail view as Sat, Apr 18, 2020 at 5:22 PM:
in the e-mail header I have (midway, just before the actual message text):
Date: Sat, 18 Apr 2020 17:22:07 +0200
this is the actual time/date of the message (local of the sender, also Italian)
At the very beginning I have:
Delivered-To: <removed>
Received: by <removed>
Sat, 18 Apr 2020 08:22:12 -0700 (PDT)
this is the date Google servers (it is a gmail address) received the message in their local time, PDT or UTC-0700
further on:
Received: from <removed>
...
Sat, 18 Apr 2020 08:22:12 -0700 (PDT)
same as above
further on:
Received: from <removed>
Sat, 18 Apr 2020 17:22:10 +0200
this is the time the e-mail provider of the server (also in Italy) received the message
Now, a couple of e-mails I got before DST was applied, i.e. at a time I was in UTC+0100.
Coming from UTC+0000, and going through a server in UTC-0800 (PST), this shows in gmail as Mon, Feb 17, 2020 at 8:55 AM:
Date: Mon, 17 Feb 2020 07:55:06 +0000 (UTC)
Received: by <removed>
Sun, 16 Feb 2020 23:55:08 -0800 (PST)
Received: by <removed>
2020-02-17 07:55:06.568284864 +0000 UTC
Coming from UTC -0700 (PDT), shown in gmail as Tue, Mar 17, 2020 at 7:29 AM:
Date: Mon, 16 Mar 2020 23:29:05 -0700
Received: by <removed>
Mon, 16 Mar 2020 23:29:06 -0700 (PDT)
jaclaz
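The conversion jaclaz walks through (move every header stamp to UTC first, then to the case's local zone, and infer the viewer's zone from what was displayed) as an added example that is not from this thread. The question's header is rewritten in RFC 2822 form as "Thu, 30 May 2002 17:11:11 -0700"; America/Chicago via zoneinfo is assumed available, with a fixed CDT offset as fallback.

```python
# Added example (not from the thread): normalise e-mail header dates to UTC
# and to the local zone of the case, and check whether two stamps agree.
from datetime import datetime, timezone, timedelta
from email.utils import parsedate_to_datetime

try:
    from zoneinfo import ZoneInfo              # Python 3.9+, needs tzdata
    CHICAGO = ZoneInfo("America/Chicago")      # handles CST/CDT switching
except Exception:                              # assumption: fallback to fixed CDT
    CHICAGO = timezone(timedelta(hours=-5), "CDT")


def header_to_utc(stamp):
    """Parse a Date:/Received: stamp (RFC 2822, trailing '(PDT)' allowed)."""
    dt = parsedate_to_datetime(stamp)
    if dt.tzinfo is None:              # '-0000' means zone unknown: treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def header_to_local(stamp, tz=CHICAGO):
    """Same instant expressed in the case's local zone."""
    return header_to_utc(stamp).astimezone(tz)


def same_event(stamp_a, stamp_b, tolerance_s=60):
    """True if two stamps written in different offsets describe one moment."""
    delta = header_to_utc(stamp_a) - header_to_utc(stamp_b)
    return abs(delta.total_seconds()) <= tolerance_s


def infer_offset_hours(displayed, utc_reference):
    """Offset a viewer must have used to show utc_reference as the naive
    local time 'displayed' (the thread's 01:11:11 -> UTC+1 step)."""
    delta = displayed.replace(tzinfo=timezone.utc) - utc_reference
    return delta.total_seconds() / 3600
```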
↧
General Discussion: Journal of Cyber Forensics and Advanced Threat Investigation
trewmte - Building Cyber Environments Based on the Work of Others
----------------------- Build (Yellow) ---------------------
-------------------------------------------------------------
-------------------------------------------------------------
------------[??]------------------------------[??]-----------
-------------------------------------------------------------
-------------------------------------------------------------
-------------------------------------------------------------
--(Attack (Red))--------------------------(Defend (Blue))--
↧
General Discussion: Time Zone
Thank you jaclaz.
It is clear now!!!
↧
Mobile Phone Forensics: IOS - Email attachment placeholders
Hi all,
I was wondering if anyone could assist me? I am working on a child exploitation case and I have located indecent images on an iPhone in an unusual file path. The path is:
private\var\mobile\library\mail\AttachmentPlaceholders
Does anyone know how videos end up under attachment placeholders within the mail app?
Grateful for any help.
Thanks,
Rob
↧
Mobile Phone Forensics: Samsung SM-J700P EMMC points
I could not get it to interface in circuit. I ended up pulling the chip and reading it directly. The customer was willing to wait for the correct reader to arrive from China.
If you wanted to ship the board/EMMC chip here (PA, US) I could try to read it and send you the contents.
↧
Mobile Phone Forensics: LG K9 LM-X210EMW how to enter EDL mode?
ih8rain wrote:
I'm trying to enter EDL mode on LG K9 LM-X210EMW, it's based on Qualcomm Snapdragon 8909, so I assumed that I need to join two pinpoints and hook up battery. Do you have any experience with entering EDL on that device?
Hi, did you have success with EDL mode and encrypted data?
↧
Mobile Phone Forensics: Samsung SM-G928V Android 7.0 Unrecoverable?
HELP!!!!!!!!
I possess a Samsung S6 Edge Plus SM-G928V from Verizon running Android 7.0. I am attempting to recover deleted txts and pictures. I have used low-end recovery software with almost no success (only recovered two images). Paraben was unable to recover anything. An independent firm using Cellebrite and another using Oxygen are not confident an extraction is possible. Why? Is this a model issue? Android 7.0 issue? Verizon? Samsung? Combination? BlackBag, MobilEdit and Oxygen were all successful with this specific model in 2018 when it was still running Android 5.1.1.
Any advice or tips are greatly appreciated.
↧
Mobile Phone Forensics: Sent / Received file analysis with telegram
Does anyone have a good paper or other information about the messenger telegram? The chat messages can be read in plain text (UFED). So far. I am concerned with sent and received files. It says that a file was sent, but not which one exactly (neither the file name, the hash value or any indicator of what the file was).
↧
General Discussion: Recover unsaved notepad process ?
Hello,
My PC crashed (BSOD) last week.
I had 40 to 50 unsaved notepad processes.
Is it possible to recover them?
Details of the PC :
Intel Core i3 3250
Gigabyte GA-Z68XP-UD3P
G.Skill 2x4GB DDR3-2133
Crucial M4 64GB
Seasonic X-660
Windows 7 Ultimate x64
The PC is still running since the crash, showing the blue screen.
I need to make a full memory dump.
I heard about the "Cold Boot Attack" method to do so.
I managed to create a USB drive with the bios_memimage scraper tool.
The problem is that the 64-bit version of the tool doesn't work.
So I didn't try it on the target machine, since I have 8GB of memory on it.
Then I heard about memory scrambling and rumours that this method is not guaranteed to work on DDR3.
But apparently a new method of the "Cold Boot Attack" was discovered in 2018.
Can this method bypass memory scrambling to allow a good dump?
Does someone know how to pull off this method with no special hardware?
Any help is welcome.
Thank you.
↧