Here is a good article with some ideas: https://dfir.science/2017/12/Getting-started-in-Digital-Forensics.html
General Discussion: Budding Forensic Scientist here.
General Discussion: Cellular Forensic Worksheet
Hello! I am taking an MSc course in Cyber Security and just starting a Digital Forensics subject. In order to have some guidance, could you share this worksheet with me? Really appreciate it!
Best regards
General Discussion: Format Date of FAT 32 memorycard.
If you have a rough idea about the format time, you can try this:
https://www.digital-detective.net/documents/Volume%20Serial%20Numbers.pdf
General Discussion: One hour difference
Gius wrote:
Where could I find the "fatgen103.doc"?
You can find it somewhere on https://www.microsoft.com/en-us/download.
The full title is "Microsoft Extensible Firmware Initiative
FAT32 File System Specification:
FAT: General Overview of On-Disk Format"
For some weird reason it's a "Hardware White Paper
Designing Hardware for Microsoft® Operating Systems", and that may help make it invisible to anyone looking for software information. And despite the title it also contains information about FAT12 and FAT16.
I think it was part of one of these document collections that Microsoft released to the public some years ago.
Googling for the title seems to work fine -- I get it as my top search hit.
General Discussion: Format Date of FAT 32 memorycard.
See also this:
https://www.forensicfocus.com/Forums/viewtopic/t=2134/
https://msfn.org/board/topic/152097-on-superfloppies-and-their-images/page/6/?tab=comments#comment-980297
jaclaz
General Discussion: One hour difference
Gius wrote:
Where could I find the "fatgen103.doc"?
Here (actual copy from MS servers):
http://download.microsoft.com/download/1/6/1/161ba512-40e2-4cc9-843a-923143f3456c/fatgen103.doc
jaclaz
General Discussion: Format Date of FAT 32 memorycard.
It occurs to me that a makeshift way to find this out would be to use the MAC times of key filesystem artefacts like the "System Volume Information" folder and the "IndexerVolumeGuid" file. I suspect these are created at the point of format, or at least within a matter of seconds of the format completing.
Please do some testing before taking my word for it though - this is just a hunch off the top of my head!
Hope this helps,
Ben
General Discussion: partially corrupted jpeg pictures
DiskTuna wrote:
I'm not sure what you're asking ..
This: each file 4 bytes every 512 are overwritten?
Yes, 4 bytes every 512 are overwritten, but not on the actual "jpeg", rather in the .eml message, where the binary is actually base64 encoded.
So there is an "intermediate step", where the 4 bytes (base64) are converted to three bytes (actual binary, hex bytes). (Related to this, at the time I put together a spreadsheet (intended to reduce the possibilities for text) analyzing the possible patterns, as the data is organized in "lines" of 78 characters, or - better - by 19 quadruplets, so 19x4=76 bytes + CR+LF=78.)
The spreadsheet was at the time only a base POC, but it showed that the probabilities were less than the 2^32-1 that could appear at first sight, depending on where the overwritten 4 bytes "fell" relative to the quadruplets, though possibly this is not true for the whole 00-FF range.
I was thinking about something like (I see that you well know about it) repair-jpg:
https://www.disktuna.com/repair-jpeg/
where changing/inserting/deleting a single byte sometimes made *miracles*.
I thought that a "smart" jpeg parser might be able to "guess" much smaller ranges than the 000000-FFFFFF of the overwritten bytes and then provide an interactive interface so that the user can select the value that seems to "make progress" in the rendering of the image.
jaclaz
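The mapping jaclaz describes (78-byte base64 lines, 4 overwritten bytes every 512) can be modelled directly. The following is an added example, not the poster's spreadsheet or DiskTuna's tool; it assumes the body is laid out as 76 base64 characters plus CR LF, that offsets are relative to the start of the encoded attachment, and it ignores any constraint the base64 alphabet places on the surviving characters. It reports which decoded bytes and bits become unknown for a given overwrite window, and so how large the candidate space really is.

```python
# Constructed model (added example, not the poster's spreadsheet): a 4-byte
# overwrite inside a base64 MIME body laid out as 78-byte lines
# (76 base64 characters + CR LF). Offsets are relative to the body start.
LINE_CHARS = 76            # base64 characters per line (19 quadruplets)
LINE_LEN = LINE_CHARS + 2  # plus CR LF

# Which decoded bits each character position of a quadruplet contributes:
# (byte offset within the 3-byte group, bit mask)
QUAD_BITS = {
    0: [(0, 0xFC)],             # c0 -> byte0 bits 7..2
    1: [(0, 0x03), (1, 0xF0)],  # c1 -> byte0 bits 1..0, byte1 bits 7..4
    2: [(1, 0x0F), (2, 0xC0)],  # c2 -> byte1 bits 3..0, byte2 bits 7..6
    3: [(2, 0x3F)],             # c3 -> byte2 bits 5..0
}

def body_offset_to_b64_index(off):
    """Map a body offset to its base64 character index, or None on CR/LF."""
    line, col = divmod(off, LINE_LEN)
    return None if col >= LINE_CHARS else line * LINE_CHARS + col

def damage_map(start, length=4):
    """Return {decoded_byte_index: mask_of_unknown_bits} for an overwrite of
    `length` body bytes starting at `start`. Bytes hitting CR/LF lose nothing."""
    unknown = {}
    for off in range(start, start + length):
        idx = body_offset_to_b64_index(off)
        if idx is None:
            continue
        quad, pos = divmod(idx, 4)
        for byte_off, mask in QUAD_BITS[pos]:
            key = quad * 3 + byte_off
            unknown[key] = unknown.get(key, 0) | mask
    return unknown

def unknown_bits(unknown):
    """Total unknown bits; the candidate space is 2 ** unknown_bits."""
    return sum(bin(m).count("1") for m in unknown.values())

def overwrite_windows(body_len, stride=512, first=0, length=4):
    """Apply the 'length bytes every stride' pattern across a body and report
    (start, unknown bits) per window, showing how the loss depends on where
    the window falls relative to quadruplets and line endings."""
    return [(s, unknown_bits(damage_map(s, length)))
            for s in range(first, body_len - length + 1, stride)]

if __name__ == "__main__":
    for start in (0, 2, 74, 76):
        dm = damage_map(start)
        print(start, {k: hex(v) for k, v in dm.items()}, 2 ** unknown_bits(dm))
```

A window that lands on four base64 characters always costs 24 bits (2^24 candidates, spread over 3 or 4 decoded bytes depending on alignment), while a window that straddles CR LF destroys only 12 bits, which is where a repair tool can afford to enumerate.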
General Discussion: Format Date of FAT 32 memorycard.
jaclaz wrote:
athulin wrote:
So the question arises if formatting has taken place at all.
Very correct question.
I would add that the SystemInformation folder is created at the time the volume is connected (mounted) on a Windows system. I doubt that in the factory they use Windows to format the sd-card, and the final customer may well buy the card (already formatted) and insert it in a device (let's say a digital camera), take a few shots on - say - the 2nd of April, and then connect the SD card to a Windows machine only some 4 days later to copy/store them or to print/send them.
jaclaz
Interesting! Both of you make really good points here, definitely worth testing and following up on if possible.
Jaclaz, I'm curious about your point that they probably don't use Windows to format the SD card - what system do you suspect they would use? This may produce artefacts in and of itself.
Thanks,
Ben
General Discussion: ICAC defense examining rooms
Hi,
I have a question for those involved with ICAC, either LE or civilian examiners.
How are your ICAC examination rooms set up?
If there is more than one civilian examiner in your jurisdiction and they need to work an ICAC defense case, how is the ICAC defense examination room set up? One computer/multiple computers?
Example: All ICAC defense examination rooms are probably set up at ICAC office.
Does your ICAC defense examination room have multiple computers for more than one defense examiner to examine their cases?
As we all know ICAC investigations sometimes involve multiple devices and may take an enormous amount of time for programs such as FTK to import devices, especially if indexing is enabled.
From beginning to end, an ICAC case may take a month or longer to complete.
Are the other examiners forced to wait until you are done before they can start their case?
Do the defense examiners have access to the computers to load and update their forensic software and anti-virus or malware programs and insert/remove dongles?
General Discussion: gambling forensic
dear all,
I am looking for documents about gambling forensics. I googled around but I found papers from 2010 or 2011. Too old.
Is there something new?
thanks
Mobile Phone Forensics: Buy UFED Device Adapter for 4PC
Maybe it would be worth asking them for a quote, but even if they have one, it is probably a budget-consuming item.
https://forensicstore.com/product/cellebrite-products/
General Discussion: gambling forensic
giandega wrote:
dear all,
I am looking for documents about gambling forensics. I googled around but I found papers from 2010 or 2011. Too old.
Is there something new?
thanks
What do you mean by "gambling forensics"?
Maybe if you spend a few words describing exactly, in detail, what you are after, someone will be able to point you in the right direction.
Only as an example, this is recent enough (2019):
http://lightweightcryptography.com/wp-content/papercite-data/pdf/c44tabuyoperis2019.pdf
but it likely won't help you at all.
jaclaz
General Discussion: Format Date of FAT 32 memorycard.
https://www.sdcard.org/downloads/index.html
https://www.sdcard.org/downloads/formatter/index.html
http://read.pudn.com/downloads188/ebook/881633/SD%203.0/Part_2_File_System_Specification_V3.00_Final_090416.pdf
General Discussion: Format Date of FAT 32 memorycard.
Dilettante wrote:
http://read.pudn.com/downloads188/ebook/881633/SD%203.0/Part_2_File_System_Specification_V3.00_Final_090416.pdf
Nice! Thanks!
General Discussion: ICAC defense examining rooms
You may want to ask your question on the ICAC listserv. You'll get a number of responses.
General Discussion: ICAC defense examining rooms
Thanks Ed..
General Discussion: gambling forensic
Thanks for answering me. By gambling forensics I mean the analysis of slot machines, video poker or other games. The purpose of the analysis is to verify whether they are legal, and whether they are correct and don't cheat players.
General Discussion: Office 365 Forensics
I'm examining O365 data in Magnet Axiom and the Microsoft Security and Compliance Center. More specifically, I'm looking at files downloaded from SharePoint and trying to correlate whether they were downloaded on a particular machine. The Unified Audit Log provides me with the IP address and several different ID #'s, but I'm not sure exactly what they are. Do any of these ID #'s point to a specific machine?
Can anyone recommend a best practice to correlate SharePoint activity with a machine? I looked for web activity during the date/time of download to see if there were artifacts pointing to the download, and I'm not finding anything. I'm starting to think that a different machine was used for the download, but feel that I may be missing something.
Thank you
General Discussion: gambling forensic
I don't think that is a digital forensic matter; to me this appears more as a reverse engineering task.
However, every online gambling software I am familiar with is closed source, and you will most likely never be able to substantiate whether the online casino is fraudulent or not. Another matter to take into consideration is that online casinos usually operate in jurisdictions that have non-transparent or absent online gambling legislation. That is why they have their presence there, because of the absence of legislation and/or control boards. I have been asked a few times to look into these online casino software and algorithms, and my proverbial conclusion is that this is not feasible without the cooperation of the casino itself. I wish you good luck though.