Channel: Forensic Focus Forums - Recent Topics

What's the difference between Little endian and Big endian in FTK Imager?


Hi

What's the difference between Little endian and Big endian in FTK Imager?


Where is the encryption key?


I have a mobile phone image; it is a physical forensic image.

The user data partition is encrypted, but UFED PA is able to decrypt and decode this partition as ExtX. I wonder where UFED PA gets the encryption key from the image. I am asking out of curiosity.

Regards

Telegram Password


Is there a way to hack Telegram's password? (Using UFED)

What does the tag “&lst=” and “&sk=” mean in Facebook URL?



In terms of digital forensics of Facebook, these artifacts are recovered from a computer's hard disk. I need to interpret the URLs.

What do the "&lst=" and "&sk=" tags refer to in a Facebook URL?

In the Facebook example URL given below:

https://www.facebook.com/profile.php?id=100xxxxxxxx99&lst=100xxxxxxx87%3A10xxxxxxxxxxx99%3A1555899680&sk=about&section=living

UFED / Error 14 - Wait it out?


We are seeing a number of iOS units returning error 14 (full mem) when using UFED Advanced Logical Checkm8. Is this something everyone is waiting out for a solution? Any other testing my techs can do to try and resolve/get around?

Question/s to assist with Job progression


Hi Folks,

I'm looking to progress further in my current role (from Examiner to Analyst) but I am stumped on a few questions. I have completed some research but it is hard to find answers and explanations to some of the questions I have!

Hopefully you can help me out!

1. What files would be required in order to break a lock screen on an Android Lollipop device? - Am I right in thinking custom recovery (.twrp)?

2. An iOS device routinely uses plist files. What format do they usually come in? - Am I right in thinking this is a trick question? Although I'm under the impression that plist can be transferred to XML and binary?

3. Identifying that a device has custom recovery installed - I think I would start the device in recovery mode and differing logos/interface and differing text would appear?

Thank you in advance!!!

UK POLICE FORENSICS


Does anybody know what forensic software UK police forces commonly use?

Grenfell Tower Inquiry


I've been following this via the media and was interested re the use of e-mails as evidence. I'm curious as to the powers of the enquiry re obtaining full data and whether the data has been captured as per UK criminal procedures. No pro connection with the enquiry, just curious.


iTunes encrypted backup


I have an iTunes backup file from an Apple device backed up to my console. I no longer have the cell phone. I do know of software that is available that may be capable of bypassing the encryption, such as Passware Kit, but what I am wondering is whether there is any software available that may be more cost effective or even free? Thoughts?

'How to break into computer forensics' ... of sorts.


Brian Krebs just posted advice for people thinking about a career in cybersecurity:

https://krebsonsecurity.com/2020/07/thinking-of-a-cybersecurity-career-read-this/

It struck me that, with only minor changes, that is a pretty good overview of the situation in digital forensics as well. Critical skills are slightly differently weighted, but on the whole the situation seems similar.

SQLite table


I'm examining an SQLite database at the moment and finding some interesting information. I'm hoping to get some opinions from anyone else who has some expertise in this area.

Let's assume I have a table in the database that stores data (leaf type pages) and occupies a single page (no leaf index pages) and currently holds 3 live data records. The page size is 4096. The primary key for the table is an incrementing number field.

These 3 live data records are stored at the very end of the page (so bytes ~3600 - 4095) and have a primary key value of say 200 - 203. There are other deleted records within the page (some referenced from deleted cell pointers at the top of the page) that have earlier primary key values (<200).

To me this would indicate that, at some point, all the data from this table was deleted and then these 3 records were stored.

I'm looking for alternate theories: a way in which these records could end up at the bottom of the page without someone clearing all the data from the database first.

As it's a single page database, I've already ruled out the pages being rebalanced due to deleted records.

I'm hoping I've explained this clearly enough, but anything that isn't, I'll be happy to fill in as many details as I can.
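Added example (not from the original post or any vendor tool): a small Python model of a SQLite table b-tree leaf page that reproduces the layout described above, parses the 8-byte page header and the cell pointer array, and carves intact old cells out of the unallocated space between the pointer array and the content area. The page bytes are constructed in the script; the rowids, the row texts and the "insert five rows, empty the table, insert three rows" sequence are assumptions for illustration, and the recovery heuristic (stale 2-byte pointer slots plus adjacency) is a simplification of what a forensic SQLite parser does.

```python
import struct

PAGE_SIZE = 4096
TABLE_LEAF = 0x0D  # page type byte of a table b-tree leaf page


def encode_varint(n: int) -> bytes:
    # SQLite varint: big-endian 7-bit groups, high bit set on all but the last byte (9-byte form not needed here)
    groups = [n & 0x7F]
    while n >> 7:
        n >>= 7
        groups.append(n & 0x7F)
    groups.reverse()
    return bytes([g | 0x80 for g in groups[:-1]] + [groups[-1]])


def decode_varint(buf: bytes, pos: int):
    value = 0
    for i in range(9):
        b = buf[pos + i]
        if i == 8:  # the ninth byte contributes all 8 bits
            return (value << 8) | b, pos + 9
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos + i + 1


def make_cell(rowid: int, text: str) -> bytes:
    # Table leaf cell = varint(payload length) + varint(rowid) + record; the record holds one
    # TEXT column: varint(header length) + serial type (2*len+13) + the text bytes
    body = text.encode()
    serial = encode_varint(2 * len(body) + 13)
    record = encode_varint(1 + len(serial)) + serial + body
    return encode_varint(len(record)) + encode_varint(rowid) + record


def write_cells(page: bytearray, rows: list) -> None:
    # Simulate inserts into an emptied page: cells grow downward from the end, then the 8-byte header
    # and rowid-sorted pointer array are written. Nothing else is zeroed, so old cell bytes survive.
    end, pointers = PAGE_SIZE, []
    for rowid, text in rows:
        cell = make_cell(rowid, text)
        end -= len(cell)
        page[end:end + len(cell)] = cell
        pointers.append((rowid, end))
    struct.pack_into(">BHHHB", page, 0, TABLE_LEAF, 0, len(pointers), end, 0)
    for i, (_, off) in enumerate(sorted(pointers)):
        struct.pack_into(">H", page, 8 + 2 * i, off)


def read_cell(page: bytes, off: int):
    # Decode one cell, or return None if the bytes at `off` do not parse as a single-TEXT-column cell
    try:
        payload_len, pos = decode_varint(page, off)
        rowid, pos = decode_varint(page, pos)  # pos is now the start of the record
        hdr_len, hpos = decode_varint(page, pos)
        serial, _ = decode_varint(page, hpos)
        if serial < 13 or serial % 2 == 0:  # TEXT serial types are odd and >= 13
            return None
        text = page[pos + hdr_len:pos + hdr_len + (serial - 13) // 2].decode()
    except (IndexError, UnicodeDecodeError):
        return None
    return {"offset": off, "rowid": rowid, "text": text, "size": pos + payload_len - off}


def recover_old_cells(page: bytes, ptr_end: int, content_start: int) -> list:
    # Carve the unallocated region [ptr_end, content_start): 2-byte slots left behind by an earlier,
    # longer pointer array are tried as cell offsets, and each recovered cell's end is tried as the next
    todo, seen, found, pos = [], set(), [], ptr_end
    while pos + 2 <= content_start:
        off, = struct.unpack_from(">H", page, pos)
        if not ptr_end <= off < content_start:
            break
        todo.append(off)
        pos += 2
    while todo:
        off = todo.pop()
        if off in seen:
            continue
        seen.add(off)
        cell = read_cell(page, off)
        if cell and off + cell["size"] <= content_start:  # intact, not overwritten by live data
            found.append(cell)
            todo.append(off + cell["size"])
    return sorted(found, key=lambda c: c["offset"])


def parse_leaf_page(page: bytes) -> dict:
    page_type, _first_free, ncells, content_start, _frag = struct.unpack_from(">BHHHB", page, 0)
    if page_type != TABLE_LEAF:
        raise ValueError("not a table b-tree leaf page")
    content_start = content_start or 65536  # 0 in the header means 65536
    live = [read_cell(page, struct.unpack_from(">H", page, 8 + 2 * i)[0]) for i in range(ncells)]
    ptr_end = 8 + 2 * ncells
    return {"live": live, "content_start": content_start, "unallocated": (ptr_end, content_start),
            "old": recover_old_cells(page, ptr_end, content_start)}


def build_demo_page() -> bytearray:
    # Constructed sample: five rows inserted, table emptied (header reset, body untouched), three rows inserted
    page = bytearray(PAGE_SIZE)
    write_cells(page, [(r, f"old row {r} padded to forty bytes...") for r in range(101, 106)])
    write_cells(page, [(r, f"new row {r}") for r in range(200, 203)])
    return page
```

Running `parse_leaf_page(bytes(build_demo_page()))` reports the three live cells (rowids 200-202) packed against the end of the page at offsets 4080, 4064 and 4048, an unallocated region from byte 14 up to 4048, and three intact old cells (rowids 103-105) below the live content, reached through the two stale pointer slots at bytes 14-17 and then by adjacency; old rowids 101 and 102 sat where the new cells were written and are gone. The model assumes that emptying the table rewrites only the page header (cell count 0, content start back at the page size) and leaves the body in place, which is why a later insert lands at the bottom of the page above the leftovers; a database opened with secure_delete on would have overwritten that space, so the absence of such leftovers on a real page is itself worth noting in a report.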

iCloud for iMessage Artifact


Hello everyone, 

I was hoping that someone knew of an artifact that tells you if iCloud for iMessage is enabled or not on an iPhone. Would this artifact be a part of a standard logical extraction, or would a full filesystem extraction be required?

Thanks for any help!

AT&T definitions


Hello,

Does anyone have a definition sheet for AT&T which outlines each field?
Such as Call Record   Type phone    Missed  true   Duration   0

Not specifically looking for the above, just an index of each code.

It's not in the 10 pg AT&T records key which is provided each time.

Thanks everyone.

DCIM/Picture Source Data


Ok, I think I am overthinking this so I just want to get other people's opinion.

I did a logical acquisition of an LG about a year ago. I actually got quite a bit, including pictures, videos, etc. (what you would expect).

Now, I know with Android OS, images can exist in different locations. I have a few pictures for instance that are stored in:

shared\DCIM\.thumbnails

&

sdcard\Android\datacom.android.gallery3dcache\imgcache.0

or

shared\DCIM\Facebook\FB_IMG_.jpg

&

sdcard\DCIM\Facebook\FB_IMG_.jpg

Since there is an SD card in the phone, the picture was not only stored in the internal memory but written to the SD card, correct? Which would explain the duplication. I know that a thumbnail is obviously a small version of the photo that appears in the gallery (along with other photo thumbnails), and then when you select the picture and view it in full there is a separate file path for that. Imgcache allows the phone to reload the image quicker when you want to view it.

Is this all correct?

Last and most importantly, pictures in the DCIM storage. My understanding is that these had to have been downloaded to the phone/SD card and/or taken on the phone's camera or a camera app. My main question, and one that I need a definitive answer on: are the pictures stored in the DCIM ONLY pictures that had to be placed there by the user, or could they be "cached" there in essence by browsing or an application? Like the Facebook picture I mentioned above. That would not be that the person was just scrolling through Facebook and looked at an image; it would have had to be downloaded to be placed on there, correct?

My internal logic says yes but I just want to be certain.

Lastly, does anyone have any resources regarding picture storage on Android?

Thanks all, I hope that was clear!

Autopsy forensics


Hi

Autopsy recovered two images with red cross icons from a formatted USB, with the names image1 and f0000000.jpg; both images are the same!

My question is what "f0000000.jpg" means and why Autopsy recovered it two times when I only put one image (image1) on the USB?


Assistance needed with Kyocera (Android Feature Phone) Model S2720


Dear members,

I am doing a forensic recovery of a device belonging to a suicide victim. I require some assistance since my normal toolset is not functioning with this phone. Ordinarily, I would make use of AccessData Mobile Phone Examiner, but this product has been discontinued and although I got it temporarily relicensed, it does not have a profile for this model of Kyocera phone. The device appears to run Android, although because it is modeled after a "feature phone" and not a "smart phone" I am struggling to retrieve SMS, phone book, media and SIM data (basically anything).

Does anyone here have experience or advice for me as to how to retrieve information from the phone without manually having to copy everything by hand?  The data is readily available, and device encryption has not been established on the device.  I prefer open source tools where possible so that I do not need to go acquire a license.  If this is not available, perhaps there is a low-cost tool online that may work.  I have already tried one or two which did not seem to work belonging to "coolmuster" (both the android and mobile lab products).

Thank you in advance. This is somewhat urgent.

Golan.

How to get information about Private Domain ?


The incident was that ixxxll.rxxx@bxxxxxo.com was phished by sales1@sxxxss.com.

On checking the email header, the source IP address only reaches the email server, so I am unable to discover the origin.

Neither the email login page for sales1@sxxxxxxss.com nor the website www.sxxxxxxss.com is available; however, the domain is registered with a registrar.

The domain privacy and protection service has been enabled for it, which shields the domain's personal information from public display.

Can I get more information about the domain or email address by any other means, as the domain registrar is not providing information?

Help running XWF X-tensions


Currently tinkering with XWF. I've downloaded the XT_XWF_AutoCTR x-tension, which automates extraction of common file types to a container but I can't get it to run. 

I've searched the web, but haven't been able to find a proper explanation on how to set up x-tensions. I believe I have to compile the code into a .dll. Could anyone point me in the right direction, or know if there's a basic guide/tutorial to setting these up?
Forensic audio enhancement


Hi

Amped FIVE is a wonderful forensic image and video enhancement software.

Can anyone recommend me a good forensic audio enhancement software?

EnCase vs Magnet Axiom


Hello,

My company wants to buy a forensic tool. Also, we would like to have better incident response/malware analysis features. We are stuck between EnCase and Axiom. I know both EnCase and Axiom are great tools for forensics, but which one will do a better job for malware analysis/incident response? Thank you!
