Channel: Forensic Focus Forums - Recent Topics

Email MAPI Assistance


Hi Everyone,

We have recently started working on a case where we suspect that there may have been some email tampering involved. The reason is that we have identified a number of emails where the attachments' modified dates (within the PST) are a few months after the email was received.

We currently don't have access to the sender's email and did not perform the collection ourselves. We have been informed that it was collected directly from Exchange (but no idea how, with what tools, etc.). Analysing the data, we have identified something strange within the PST we do have.

Using OutlookSpy we have identified that one of the attachments has the field PR_Attach_Long_Pathname_W populated. This field holds the path of the attachment as being in the receiver's user profile and not the sender's, which I find extremely odd. Does anyone know when this field gets populated? I've done a bunch of research and testing and can't seem to get an answer. Secondly, some plausible explanations as to why the modified dates of the attachments were after the sent dates would be really helpful :)


Thank you!


HELP! CAN IPHONE XS MAX iOS 13.5 BE BRUTE FORCED??


Hi, can an iPhone XS Max (iOS 13.5) with an unknown 4-digit passcode be brute forced? The passcode is missing and the device has been switched off since March 2020. I need to access the device and attempt to recover deleted SMS and iMessages. iCloud backup for iMessage is turned off. Please help! Thanks

Smart TV Acquisition


Has anyone had any success acquiring data off of a Smart TV?

Writing forensic statements/reports


Hi all,


Can anyone point me towards any formal resources for forensic statement/report writing best practices? I've had a look but can't find much anywhere.


Thanks 😊 

eMMC Cloudbook Laptop Acquisition


Please can you advise me if anyone has managed to acquire the data from an Acer N15V2 (A01-431) Cloudbook laptop?

Unfortunately, the laptop is password protected, and the individual is non-compliant. The on-board storage is a 32GB eMMC. An attempt has been made using Spektor, but this device is not supported, and Evidence Talk cannot help.

Many thanks

Tom

Ufed 4pc dongle

Recovering Deleted Facebook Messages


Running a physical extraction of an AT&T Axia on Cellebrite PA V.35.2.16.

I realize this seems like a basic problem that I should know the answer to, but I remember hunting deleted Facebook messages in the hex of the .bin file in class, but that was years ago and I cannot remember how. Could I get the dummy version to beat out the noggin cobwebs please?

Is it possible to repair these corrupted PNG images?


Hey,

1. I'm a noob, but I've spent 20 hours trying to repair these files.

2. I tried almost everything I could find on the internet.

3. I have a few JPEGs there too - for example, for reference, I have one that is corrupted and another that is not; I want to know if the corrupted one can be repaired as well.

4. I cannot figure it out.

https://drive.google.com/file/d/1q5wnUBVQ2otLA6HqYBfuMVLgAEprlOnk/view

5. I used these sites as references:

HEX editor online
https://hex-works.com/eng

HEX to image online
https://codepen.io/abdhass/full/jdRNdj

PNG - File contents analysis
https://asecuritysite.com/forensics/png?file=%2Flog%2Fbasn0g01.png

Case management platforms


Hi everyone,

I'm looking for a free case management application, for a small lab. Recommendations are welcome! 

Windows 10 Partition Issue?


Hi

I have just used FTK Imager to image a Windows 10 laptop. The image is a physical image. But when I opened it in EnCase, I found a partition with nothing in it. But when I check Disk View, there is some data in it. How can I solve this issue?

Thanks,

Kenny

Android Imaging in Minneapolis-area


Hello, I have a client with a need for forensic imaging of a Pixel 3, based in the Twin Cities.

If you can assist or know of a referral please let me know.


Thank you,


JS

Jump List Artifacts Hidden?


It is my understanding that for Windows 10, you can locate jump list artifacts within //Users//AppData/Roaming/Microsoft/Windows/Recent. Subsequently, there should be two folders within Recent named AutomaticDestinations and CustomDestinations, which contain aptly-named jump list entries.

I was looking around my own system and noticed that /Users//AppData/Roaming/Microsoft/Windows/Recent didn't appear to exist. In its stead, there is a folder named Recent Items. This folder does not contain the AutomaticDestinations and CustomDestinations subfolders.

However, after doing a jump list scan with IEF, the program successfully identified jump list artifacts with a source path of //Users//AppData/Roaming/Microsoft/Windows/Recent. I tried typing in the path manually, and voila: the folder does in fact exist, along with the sub-folders AutomaticDestinations and CustomDestinations.

I'm trying to gain a more complete understanding of what's going on. Is this a relatively recent change? What might be obfuscating my view of the directory? I do have "Hidden items" enabled under the Windows File Explorer view options, but it doesn't seem to affect this folder's visibility. There are also several other advanced setting options to hide things like empty drives and protected operating system files, but nothing is enabled (hidden) there either.

How to play SWF files recovered from a CCTV HDD?


I recovered some .swf format files from a CCTV HDD. These files are not playable in any media player. Please help me with these files; I need to extract footage for a theft case.

Logical Extraction Hash?


Very new to this still. I got access to a Cellebrite report of a logical extraction, but I don't see any hash values. Is that because it's a mobile device, because it's a logical extraction, or is it something else?

Security Camera License Plate Footage


My mother was robbed of all her retirement money in Argentina. She lives there. I have the video footage from the camera where the car of the thief appears. It's very blurry. My family and I don't have the resources to hire a forensic videographer. If anyone could give me a hand I'd be very grateful.


Opening search hits in X-Ways


Hello,


When I compare two forensic images in X-Ways, the software shows a list of the sectors in which it found differences. When I close X-Ways and try to open the file in which the search hits are stored, the software doesn't show them as it did when the differences were first found, when the feature was executed. It shows them encoded.


Does anybody know how I can open the file properly?


Thanks!!

.nli Forensic image file


I have a forensic image with the extension '.nli'.

As per the associated log file, the .nli file is a logical forensic image created using Nuix forensic software.

Is the .nli extension a Nuix proprietary image format?

Does anyone know how to convert it to Raw/E01?

Thank you in advance

Is Cellebrite getting obsolete for Android devices?


This is what I've been thinking for the last few months. I mean, most of the new Android devices (after Android 7) cannot be physically extracted unless you go through the root process. But many of the devices cannot be rooted without losing everything because of the key (encrypted devices, I mean). So it is like a loop...


What do you think?

iOS - Message Retention and Find my iPhone Artifact


FF Community,


I wanted to know if anyone would be able to assist me in locating the following information (if it exists). I have a Cellebrite Advanced Logical image of an iPhone 7 running iOS 13.5.1.


It looks like the phone should be checkm8 compatible, but I'm not entirely sure if performing this kind of extraction would be helpful in finding what I'm looking for anyway.


Appreciate any assistance. 


1. com.apple.mobileSMS.plist - I can see message retention set to 30 days. Is there any way to tell when this was set to 30 days? The plist modified date reflects the date of collection. Are you aware if a checkm8 extraction may be able to paint a better picture of when this occurred?


I don't believe iOS stores when this option would have been set to 30 days.


2. Setting for "Find my iPhone - On/Off" - Are you aware if this setting is stored in an artifact on the phone? Do you know if a checkm8 extraction may reveal this information? 

Looking for a MacBook with T2 chip "cheat sheet" poster


Hi all


I have a MacBook with a T2 chip and I have managed to forensically image it with BlackLight MacQuisition. After extracting the image file, I am able to run it in Belkasoft for further investigation.

However, now I am wondering and looking for a cheat sheet that can help me with the investigation of this case.

I have looked online and I have found nothing yet, so I thought to add a post here and hope to get something back!

So my question: is there a cheat sheet poster to use to help out with the investigation and recover potential artefacts?


Many thanks

Silenthell
