Channel: Forensic Focus Forums - Recent Topics

General Discussion: Recover unsaved notepad process ?

Eliel wrote: Then I heard about memory scrambling and rumours that this method is not guaranteed to work on DDR3. But apparently a new method of the "Cold Boot Attack" was discovered in 2018. Can this method bypass memory scrambling to allow a good dump? Does someone know how to pull off this method with no special hardware? Any help is welcome. Thank you.

I remember a paper from 2016: https://www.sciencedirect.com/science/article/pii/S1742287616300032 about descrambling DDR3, which also highlights how data persistence is much lower. In 2018 there were findings by Olle Segerdahl and Pasi Saarinen, https://blog.f-secure.com/cold-boot-attacks/, possibly working around some of the defensive measures implemented in the meantime by manufacturers. But all of them are, essentially, laboratory experiments; I doubt that they are replicable in real life, with real data, on *random* hardware.

jaclaz

Mobile Phone Forensics: Samsung SM-G928V Android 7.0 Unrecoverable?

Your main issue is Android 7 = encryption, Android 5 = not likely encrypted. Also, Verizon likely means a locked bootloader, so most of the obvious bootloader attacks are not available. Next, any exploit that could have avoided the locked bootloader likely got patched when the phone was upgraded to Android 7. I had assumed that model was a Snapdragon, but a quick lookup says it's Exynos, which might mean the Exynos exploit might work on it depending on patches, but I've never tried it on anything older than an S7, so I'm not sure if it would work or not (or is even supported). I would see if Cellebrite's decrypted file system method works with that phone; I'm not sure, but it's worth a shot. Otherwise, you might be stuck with a backup if you know the passcode.

Jamie

Mobile Phone Forensics: Phone with Android - bluetooth question

anucci wrote: Well... kind of reviving an old post here, but wondering if anyone can clarify. I am trying to find information on Bluetooth paired devices. I am more interested in audio headsets than the transfer of data. I located the btopp.db database for the Android device I am working with, but the database is empty (the table structure is there, but no data within the tables when I open the db file). Now... I am wondering if this is due to how Android stores information, or if I can only get these databases if the device is rooted? I obtained a physical extraction using Cellebrite UFED Touch 2, but this was a Smart ADB extraction. The device is not rooted, so I am assuming no sudo means I don't get this data? Just wondering if someone out here has a better idea of where I should be looking... Thanks for the help in advance!

I'm after this information also. I have a btopp.db, but it appears empty. Would a deeper extraction (such as UFED Premium) get this database at the root level?

General Discussion: Recover unsaved notepad process ?

jaclaz: That's what I was referring to. I've sent an email to Olle Segerdahl but haven't received any response yet. It should be replicable in the real world, why not? I've read the manual of the motherboard and I didn't see any mention of memory scrambling, unlike the motherboard of my 2nd PC from 2015 (Asus H97M-Plus), which has a "Memory Scrambler" option (which is enabled by default, by the way). So there is hope that memory scrambling was not implemented yet in my old PC from 2012.

athulin: This was not implemented in Windows 10? I hadn't heard that Notepad kept unsaved instances in the temp folder before Windows 10. The processes were not using so much memory, about ~500 KB to 1 MB for each process.

General Discussion: Recover unsaved notepad process ?

Eliel wrote: I will go for the "all or nothing" route directly, in the hope that my motherboard does not do any sort of memory scrambling. But at least I need the right tool which can capture all the RAM. I tried the 32-bit version of the bios_memimage scraper and it's working. But the 64-bit version is not launching, it just reboots the PC. Here is the official link to the code: Cold Boot Attack. In order to compile the 64-bit version, this command is required:

    make -f Makefile.64

Then this command is required to write the scraper.bin file to the USB drive:

    sudo dd if=scraper.bin of=/dev/sd?

(? is the letter of the USB drive, generally b.) Could someone with a little more knowledge than me maybe try to pull this off and see if the scraper launches?

No solution (that I know of) about 64-bit compiling, but there is a (better/easier?) way to make a USB stick (and test it on other hardware): https://www.rmprepusb.com/tutorials/124 (BTW, there it is specified that no one seemingly was able to compile the 64-bit version.) The issue may lie with the way the BIOS (if it is BIOS) orders disks when booting. Typically (but not always) the boot disk (the USB stick in this case) might become the first disk (hd0), or the internal hard disk may remain the first disk (hd0) and the USB stick may be the second disk (hd1). If you have UEFI instead, the above won't help, as grub4dos is not UEFI compatible (while the issue with disk numbering may still be relevant).

jaclaz

General Discussion: Recover unsaved notepad process ?

I am testing it on a very old PC under BIOS, so that should not be the problem. I disabled all booting options in the BIOS prior to connecting the USB drive. I'm forcing it to boot from the USB drive with the F12 key. Like I said, the 32-bit scraper works. When I compiled the 64-bit version, it looked like it was going to work. But when trying to boot from the USB drive, the PC reboots. Very strange.

General Discussion: Recover unsaved notepad process ?

Eliel wrote: Like I said, the 32-bit scraper works. When I compiled the 64-bit version, it looked like it was going to work. But when trying to boot from the USB drive, the PC reboots. Very strange.

If you successfully built the 64-bit version, the grub4dos intermediate approach may still help you understand if the issue is in the early booting phase, as (as seen in the linked howto) it may allow you to modify some BIOS parameters and allow booting (if and only if the problem is in the very early stage of booting). The author of RMPREPUSB/EASY2BOOT is a member (and often takes part in discussions) of reboot.pro as Steve6375. Surely he would be interested in the 64-bit version (as there were issues at the time in compiling it) and may possibly test it and/or provide insights into its bootability: http://reboot.pro/

Eliel wrote: I am testing it on a very old PC under BIOS, so that should not be the problem. I disabled all booting options in the BIOS prior to connecting the USB drive. I'm forcing it to boot from the USB drive with the F12 key.

Still, this tells you nothing about how it will behave on the "real" machine (and besides, you have to take into account the precious seconds needed to change BIOS settings, if needed, on the "real" machine).

jaclaz

General Discussion: Recover unsaved notepad process ?

Eliel wrote: Hello, my PC crashed (BSOD) last week. I had 40 to 50 unsaved Notepad processes. Is it possible to recover them?

When the computer BSOD'd, did it create a crash dump? You may be able to analyse that with WinDbg.

General Discussion: Recover unsaved notepad process ?

jaclaz: I will press the F12 key to access the boot options on the target machine. Anyway, when the RAM is under power, you could wait even hours in the BIOS without any effect on the memory.

randomaccess: By default, Windows 7 does not create a full dump of the memory on crash. You need to change a parameter. I do not think that I've changed this parameter. But I'm pretty sure that it didn't create the minimal dump. Only these 2 lines appear on the screen:

    Collecting data for crash dump ...
    Initializing disk for crash dump ...

I think the BSOD was caused by the SSD. There is a bug on the Crucial M4 under a certain firmware which causes a BSOD after 5184 hours. That should explain why apparently the "dump complete" message is not there.
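Once a raw RAM image has been captured, the remaining job in this thread is to find the Notepad text in it. The script below is an added example and is not code from the thread or from the bios_memimage project: it carves UTF-16LE text runs out of a raw dump, scanning both byte alignments, on the assumption (stated in the code) that Notepad's edit buffer is held in memory as UTF-16LE. The sample "dump" it runs on by default is constructed inline; the cap on accepted code units to the Latin/Greek/Cyrillic blocks is an assumption for Western-language notes and is what keeps mis-aligned hits from showing up as CJK-looking garbage.

```python
"""Carve UTF-16LE text runs from a raw memory dump.

Added example, not code from the thread or from the bios_memimage project.
It assumes the input is the raw RAM image written by a cold-boot scraper and
that the text being hunted sat in Notepad's edit buffer, which Windows keeps
in memory as UTF-16LE (one 16-bit little-endian unit per character).
"""
import sys
from typing import List, Tuple

MIN_CHARS = 8          # shorter runs are mostly noise
MAX_UNIT = 0x052F      # Latin, Greek and Cyrillic blocks; assumed Western text.
                       # The cap also rejects the CJK-looking garbage that
                       # mis-aligned ASCII-in-UTF-16 would otherwise produce.


def _is_text_unit(unit: int) -> bool:
    """True if the 16-bit code unit is something an editor buffer would hold."""
    if unit in (0x09, 0x0A, 0x0D):        # tab, LF, CR
        return True
    if unit < 0x20 or unit > MAX_UNIT:
        return False
    return chr(unit).isprintable()


def carve_utf16le(buf: bytes, min_chars: int = MIN_CHARS) -> List[Tuple[int, str]]:
    """Return (offset, text) for every UTF-16LE run of at least min_chars.

    Both byte alignments are scanned: nothing guarantees that the dump
    offset of Notepad's buffer is even.
    """
    hits: List[Tuple[int, str]] = []
    for align in (0, 1):
        start = None
        units: List[int] = []
        for off in range(align, len(buf) - 1, 2):
            unit = buf[off] | (buf[off + 1] << 8)
            if _is_text_unit(unit):
                if start is None:
                    start = off
                units.append(unit)
                continue
            if start is not None and len(units) >= min_chars:
                hits.append((start, "".join(map(chr, units))))
            start, units = None, []
        if start is not None and len(units) >= min_chars:
            hits.append((start, "".join(map(chr, units))))
    return sorted(hits)


def constructed_dump() -> bytes:
    """Synthetic 'dump' (constructed for this example, not a real capture):
    high-bit junk, then a Notepad-like UTF-16LE buffer at an odd offset,
    then an 8-bit ASCII string that must not be reported."""
    junk = bytes(0x80 + (i % 128) for i in range(300))
    note = "Meeting notes 2019-03-12\r\nCall Bob about the M4 firmware bug"
    return (junk + b"\x00" * 17 + note.encode("utf-16-le") + b"\x00\x00"
            + b"plain ascii string that must not be reported" + bytes(40))


if __name__ == "__main__":
    # usage: python carve_utf16.py dump.bin [min_chars]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_dump()
    n = int(sys.argv[2]) if len(sys.argv) > 2 else MIN_CHARS
    for offset, text in carve_utf16le(data, n):
        print(f"0x{offset:08x}: {text!r}")
```

Run it against the scraper's output file and grep the result for a phrase you remember from one of the notes; raising min_chars cuts the noise, lowering it catches short notes. Plain 8-bit strings are deliberately ignored, so run a separate ASCII carve if you also want those.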

General Discussion: One hour difference

Hi, we made a forensic copy of an HD with FTK Imager in E01 format; we were looking for a file that we found burned on a CD and, in fact, we found the file with the same name on the filesystem with some differences. The file on the filesystem has:

    File Modification Date/Time : 2003:01:01 05:39:12+01:00
    File Access Date/Time       : 2018:08:02 19:34:29+02:00
    File Creation Date/Time     : 2018:08:02 19:34:29+02:00

The one on the CD:

    File Modification Date/Time : 2003:01:01 06:39:14+01:00
    File Access Date/Time       : 2018:10:23 16:59:55+02:00
    File Creation Date/Time     : 2018:10:23 16:59:55+02:00

The bit-by-bit comparison of the files says that they are identical. The two seconds could be explained by a copy to a USB key to transfer to another PC for burning. All the files were created, modified and burned in the same time zone. Any idea about the difference in hour, or is it just a strange coincidence? Thank you!

Gius

Off-Topic: Is this code correct?

Someone made this up for a shirt, which I guess is supposed to indicate rack balls, break, run table. The rest I assume is supposed to mean keep playing if they have money. Is it written correctly?

    o {
        rack_balls();
        break();
        run_table();
        //} while (opponent_has_money());
    } while (opponent[money] > 0 || opponent );

General Discussion: One hour difference

Gius wrote: The two seconds could be explained by a copy to a USB key to transfer to another PC for burning.

That explanation needs more work. Try it for yourself: can you do the transfer + create an image in two seconds? Even with practice? I doubt it. Additionally, it assumes that the two computers are time-synched to the second. Are they? (Or is the other PC five seconds behind the first, allowing for 7 seconds to do the same job?) (Comparing time on two different computers needs pretty good groundwork, as you generally are comparing two notionally similar, but actually different, sets of measurements. Like comparing measurements taken from yardsticks that are not lined up in exactly the same way.)

What file system on the CD? Different file systems have different rules for time stamps. One may have timestamps in UT, only converting to local time when a user views it; another may lock it into a particular time zone on write, and may not be converted to user local time at all, or may do so assuming that some particular DST rules are or are not in force. If either CD or UDF is involved, you should also have a volume recording/creation time stamp. But if either of them is involved, CD has a file recording time stamp only (at least, that's what the standard says), and UDF has access time, modification time and attribute time. Neither has creation time ... so there's a problem with the data you are presenting. Is 'Creation date and time' correct? Local time timestamps are typically recorded with a time zone offset, but without any indication of the actual time zone, and so no way to get at DST adjustments from the medium alone: that has to be provided in some other way. Do you know that that is done correctly? If not, the difference is likely to be 1 hour exactly.

Gius wrote: Any idea about the difference in hour, or is it just a strange coincidence?

First, strange coincidence with what? You have to have at least another one-hour difference, in a different context, before you have a coincidence, and you didn't mention one. The base time zone offset is a possibility, but if that's the one, you should know if and how it enters the picture. Ascribing it to coincidence is often a euphemism for 'I don't know'. Better to be honest about it, I think. I'd check if the CD has multiple file systems -- some have both ISO 9660 and UDF recorded at the same time. That might shed additional light on the question.

General Discussion: One hour difference

Hi Athulin, thank you for your reply. I said 2 seconds because of the 2-second resolution of write time in FAT filesystems (https://docs.microsoft.com/en-us/windows/win32/sysinfo/file-times) instead of NTFS's 100 ns; so copying to a FAT USB key a file that in NTFS has a recorded time greater than 6:39:12.0000001 (but shown as 6:39:12) will generate a copy with 6:39:14. We know that the file we are talking about has been burned on this CD (UDF) in the same time zone, so we think that there must be an explanation for that one-hour difference. In the FTK Imager file list the file is shown with 04:39:12 and, exporting it, it has 05:39:12+01:00; could it depend on FTK Imager?

Gius

General Discussion: One hour difference

Gius wrote: I said 2 seconds because of the 2-second resolution of write time in FAT filesystems (https://docs.microsoft.com/en-us/windows/win32/sysinfo/file-times) instead of NTFS's 100 ns; so copying to a FAT USB key a file that in NTFS has a recorded time greater than 6:39:12.0000001 (but shown as 6:39:12) will generate a copy with 6:39:14.

Well ... the FAT file creation timestamp has a resolution of hundredths of seconds. Several tools ignore that additional precision, and make it look as if the resolution was just 2 seconds. (Byte offset 13 in the FAT directory entry -- very confusingly named and documented by Microsoft, though; see fatgen103.doc for that.) Not entirely sure if it is useful in this case, but if you need the added detail it is very probably there.

Gius wrote: In the FTK Imager file list the file is shown with 04:39:12 and, exporting it, it has 05:39:12+01:00; could it depend on FTK Imager?

It could, but I don't know if anyone has tested it. So whether or not it does is a question that needs to be answered. (It can probably be answered by copying pre-timestamped files for the relevant range to USB, and checking what happens. The CompForTest project at SourceForge has an NTFS volume image (NTFSTEST001) with lots of timestamps that probably could be used.) My protest was mainly about ascribing it to coincidence.
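The two mechanisms argued over in the posts above, the 2-second write-time field versus the 10 ms creation-time byte at offset 13 of a FAT directory entry, and a UTC-stored stamp rendered in local time, can both be checked in a few lines. The following is an added example, not code from the thread or from FTK Imager: it decodes the timestamp fields of a 32-byte short directory entry at the offsets fatgen103 gives, packs a timestamp back the way a copy to FAT would, applies the round-up-to-even-second behaviour Gius describes (an assumption, labelled as such in the code, to verify against your own copy tooling), and renders a UTC stamp in a fixed +01:00 zone. The directory entry it works on is constructed by hand.

```python
"""Decode FAT directory-entry timestamps and show the two effects discussed
above: the 2-second write-time granularity versus the 10 ms creation-time
field at byte 13, and a UTC stamp rendered in local time that differs by
exactly the zone offset.

Added example, not code from the thread or from FTK Imager. The directory
entry is constructed by hand; the local zone is assumed to be a fixed
UTC+01:00 (the offset in Gius's listing), with no DST lookup.
"""
import math
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple


def dos_unpack(date16: int, time16: int, tenths: int = 0) -> datetime:
    """DOS packed date/time -> naive local datetime.
    time16: bits 15-11 hour, 10-5 minute, 4-0 seconds/2.
    date16: bits 15-9 year-1980, 8-5 month, 4-0 day.
    tenths is DIR_CrtTimeTenth, 0..199 in units of 10 ms (creation only)."""
    year = 1980 + (date16 >> 9)
    month = (date16 >> 5) & 0x0F
    day = date16 & 0x1F
    hour = time16 >> 11
    minute = (time16 >> 5) & 0x3F
    second = (time16 & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second) + timedelta(milliseconds=10 * tenths)


def dos_pack(dt: datetime) -> Tuple[int, int]:
    """Inverse of dos_unpack for the 16-bit fields only; sub-2-second detail
    is simply dropped, which is the loss the thread is about."""
    date16 = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time16 = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date16, time16


def round_to_fat_write(dt: datetime) -> datetime:
    """Round up to the next even second, the behaviour Gius describes for an
    NTFS->FAT copy (6:39:12.0000001 -> 6:39:14). Assumed here; verify against
    your own copy tooling before relying on it."""
    secs = dt.second + dt.microsecond / 1_000_000
    rounded = math.ceil(secs / 2) * 2
    return dt.replace(second=0, microsecond=0) + timedelta(seconds=rounded)


def fat_write_stamp(iso_local: str) -> str:
    """Convenience: ISO-8601 local stamp in -> ISO stamp as FAT would store it."""
    return round_to_fat_write(datetime.fromisoformat(iso_local)).isoformat()


def fat_entry_times(entry: bytes) -> Dict[str, datetime]:
    """Creation / access / write stamps from a 32-byte short directory entry
    (fatgen103 offsets: 13 CrtTimeTenth, 14 CrtTime, 16 CrtDate,
    18 LstAccDate, 22 WrtTime, 24 WrtDate)."""
    if len(entry) != 32:
        raise ValueError("short directory entries are 32 bytes")
    tenths = entry[13]
    crt_time, crt_date, acc_date = struct.unpack_from("<HHH", entry, 14)
    wrt_time, wrt_date = struct.unpack_from("<HH", entry, 22)
    return {
        "created": dos_unpack(crt_date, crt_time, tenths),
        "accessed": dos_unpack(acc_date, 0),   # date only, no time field
        "written": dos_unpack(wrt_date, wrt_time),
    }


def local_view(utc_naive: datetime, offset_hours: int) -> str:
    """Render a UTC-stored stamp (what a viewer may show 'raw') in a
    fixed-offset local zone, the way an exporter applying the examiner's
    zone would. 04:39:12 UTC at +01:00 comes out as 05:39:12+01:00."""
    tz = timezone(timedelta(hours=offset_hours))
    return utc_naive.replace(tzinfo=timezone.utc).astimezone(tz).isoformat()


# Constructed entry: FILE.TXT created 2003-01-01 06:39:12 + 137 tenths
# (= 06:39:13.37), written 06:39:14, accessed 2003-01-01.
CONSTRUCTED_ENTRY = struct.pack(
    "<11sBBBHHHHHHHI",
    b"FILE    TXT", 0x20, 0, 137,
    0x34E6, 0x2E21,      # CrtTime, CrtDate
    0x2E21,              # LstAccDate
    0,                   # FstClusHI
    0x34E7, 0x2E21,      # WrtTime, WrtDate
    2, 1234,             # FstClusLO, FileSize
)

if __name__ == "__main__":
    for name, stamp in fat_entry_times(CONSTRUCTED_ENTRY).items():
        print(f"{name:9s} {stamp.isoformat()}")
    print("NTFS 06:39:12.000001 -> FAT write", fat_write_stamp("2003-01-01T06:39:12.000001"))
    print("UTC 04:39:12 viewed at +01:00   ->", local_view(datetime(2003, 1, 1, 4, 39, 12), 1))
```

The useful check for Gius's case is the last two lines of output: a write stamp that lands on an even second two seconds later than the NTFS original is consistent with the FAT copy story, and a viewer showing 04:39:12 while the export says 05:39:12+01:00 is consistent with one of them displaying UTC and the other applying the zone, which is a tool-configuration question rather than a coincidence.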

Off-Topic: Is this code correct?

Quote: The rest I assume is supposed to mean keep playing if they have money, is it written correctly?

Don't think so. But it may be a question of what programming language is involved.

    break();

Those I know insist that break is a reserved word. But I am out of touch with modern languages.

    o

I can only assume it should be 'do'.

    while (opponent[money] > 0 || opponent );

To my eyes that is a check for 'while opponent has money, or if he hasn't any, if he exists at all.' It might be something else. Or it may be a reflection of deep philosophical issues. But if it was me, I'd reverse the tests, and use an '&&' operator instead.

    do { ... } while (opponent[money] > 0 || opponent );

plays a game before performing those checks. Each to his own, but I'd verify that before I started to play. So perhaps something like

    while (opponent && opponent[money] > 0) {
        rack_balls();
        break_off();
        run_table();
    }

General Discussion: partially corrupted jpeg pictures

I was talking about "brute-forcing" partial data. It would help if you have a JPEG created by the same device. The file in this video is a blob of header-less JPEG data. In the video you can see it's actually a combination of 2 JPEGs, the first chunk being JPEG data without a header, the second part at the bottom being the start OF a JPEG with a header and some data. https://youtu.be/9XwhGObWCtY In essence a header is glued to 'arbitrary' data (however, the entropy looks 'jpeggy'). The tool used strips the data following the header of FFxx byte combinations that may upset a decoder, so the image, including corrupt data, can be viewed. You can then remove corrupt data and work your way towards a presentable image. If you used a file-system-based recovery tool, I'd suggest you rather use something that does a RAW scan. I have seen so many instances where file-system-based file recovery tools produced corrupt files while carving them was still possible. I know it's an old thread, but I bumped into it ..

General Discussion: partially corrupted jpeg pictures

DiskTuna wrote: I know it's an old thread, but I bumped into it ..

Which is good, as you added interesting insight on the matter. Old for old, I will point you here: https://www.forensicfocus.com/Forums/viewtopic/p=6544120/ Do you believe it possible (and actually useful besides my particular case, as an added feature to your tool(s)) to see if the missing/overwritten bytes can be brute-forced (specifically for JPEG images)?

jaclaz

Mobile Phone Forensics: Samsung SM-G928V Android 7.0 Unrecoverable?

mcman pretty much nailed it. Your best chance is doing some research into the owner and getting the PIN code or lock pattern. People are creatures of habit and often use the same PIN for years. See if they have ever consented to a download in the past or given up any codes for other devices. I have had decent luck using the old 1234 PIN from time to time. The only other option might be a chip-off, if you have a lab nearby that does those; see if it's a supported model.

Mobile Phone Forensics: Recovery messenger's secrete messages

If the device is still on and has stayed on since the message was sent, there might be something in the RAM, as on a computer. Not sure on an Android. Sounds like something to experiment with, though.

General Discussion: partially corrupted jpeg pictures

I'm not sure what you're asking .. This: "in each file, 4 bytes every 512 are overwritten"? 2D 2D 2D 2D is not a problem for JPEG decoders. FF 2D FF 2D would be. If the 2Ds overwrite existing data then there's no way of easily guessing the original bytes. If they were inserted, deletion of the bytes would restore the image. It would certainly require some manual intervention. I'm not sure if the code that detects patterns in my tool is still active; I'd have to look, but I think I disabled it. Detection is easy enough, but then the next question is what you want to do with it. If inserted, simply delete them, but then I'd need to first figure that out (insert or overwrite). I am doing some experiments currently, BTW, making the assumption that visually an MCU looks very much like the MCU right below or above it. It's basically what you do when clone-stamping corrupt data with data looking very similar to the corrupt portion. So I am trying to see if I can use actual RAW data (pre-decoded data) to fill corrupted areas with. So in the case of this image I patched away a complete row of corrupt MCUs, and then used the row of MCUs above to make up for the lost data. I see the forum doesn't handle the photo too well; the URL is https://i.imgur.com/NYdEfc5.jpg
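The rule behind "2D 2D 2D 2D is harmless, FF 2D is not" is that inside the entropy-coded scan a 0xFF byte may only be followed by 0x00 (byte stuffing), 0xFF (fill), 0xD0-0xD7 (restart markers) or 0xD9 (EOI); any other pair is parsed as a marker and most decoders stop there. The script below is an added example, not DiskTuna's tool and not code from the thread: it locates the scan by walking the marker segments (or takes a header-less blob from byte 0), lists every illegal FF xx pair with its offset, and byte-stuffs them so a decoder renders the damaged region instead of aborting, which is the step that lets a human see where to cut. It does not restore pixels. The sample bytes are constructed and are not a decodable picture.

```python
"""Find the byte pairs in JPEG entropy-coded data that make a decoder bail.

Added example, not DiskTuna's tool or any code from the thread. Inside the
scan, 0xFF may only be followed by 0x00 (stuffing), 0xFF (fill), 0xD0-0xD7
(RSTn) or 0xD9 (EOI). Anything else is read as a marker and aborts decoding.
neutralize() byte-stuffs those so the decoder carries on and renders the
damage. It does not repair the image. The sample bytes are constructed.
"""
import sys
from typing import List, Optional, Tuple

SOI, SOS, EOI = 0xD8, 0xDA, 0xD9


def find_scan_start(data: bytes) -> Optional[int]:
    """Walk the marker segments from SOI and return the offset of the first
    entropy-coded byte (right after the SOS header). None if there is no
    header, i.e. the blob is 'header-less' data as in the video above."""
    if data[:2] != b"\xFF\xD8":
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker in (SOI, EOI) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone, no length field
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len                      # length counts its own 2 bytes
        if marker == SOS:
            return pos
    return None


def bad_marker_pairs(data: bytes, start: int = 0) -> List[Tuple[int, int]]:
    """(offset, following byte) for every 0xFF in the scan data that is not
    stuffing, fill, a restart marker or EOI. Stops at the first EOI."""
    bad: List[Tuple[int, int]] = []
    i = start
    while i + 1 < len(data):
        if data[i] == 0xFF:
            nxt = data[i + 1]
            if nxt == EOI:
                break
            if nxt == 0xFF:                     # fill; re-examine the next FF
                i += 1
                continue
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                i += 2
                continue
            bad.append((i, nxt))
        i += 1
    return bad


def neutralize(data: bytes, start: int = 0) -> bytes:
    """Insert 0x00 after each illegal 0xFF so it decodes as a stuffed data
    byte. The header (everything before `start`) is copied untouched."""
    bad_at = {off for off, _ in bad_marker_pairs(data, start)}
    out = bytearray()
    for i, b in enumerate(data):
        out.append(b)
        if i in bad_at:
            out.append(0x00)
    return bytes(out)


def constructed_sample() -> bytes:
    """SOI, a 3-component SOS header, then scan bytes containing a stuffed
    FF 00, a restart FF D3, four 2D fill bytes, one bogus FF 2D, and EOI."""
    sos = b"\xFF\xDA" + (12).to_bytes(2, "big") + bytes.fromhex("03 01 00 02 11 03 11 00 3F 00")
    scan = bytes.fromhex("12 34 FF 00 56 FF D3 78 2D 2D 2D 2D 9A FF 2D BC DE FF D9")
    return b"\xFF\xD8" + sos + scan


if __name__ == "__main__":
    # usage: python jpeg_scan_check.py [file.jpg]   (default: the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    start = find_scan_start(blob) or 0          # header-less blob: scan from byte 0
    for off, nxt in bad_marker_pairs(blob, start):
        print(f"illegal FF {nxt:02X} at offset {off} (0x{off:X})")
```

For jaclaz's 4-bytes-every-512 case the offsets this prints tell you whether the overwrites happen to have produced FF xx pairs; runs of 2D on their own will not show up, because they are merely wrong Huffman data rather than a marker. Whether the bytes were inserted or overwritten is still a separate question, as DiskTuna says, and is best answered by checking whether deleting them lines the MCU rows back up.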