Hello,
I have an HDD. The customer was mining BTC in 2011. After that he forgot. Now he said "where is my bitcoins". He has not transferred to an online wallet.
How may you help me? :)
Best Regards
I am Peter Wagabaza, an MSc Computer Forensics student at the University of South Wales, currently undertaking a dissertation named "The Enhanced Digital Forensic Framework for Uganda (EDFF)".
I have designed a questionnaire to capture responses from experienced computer forensics professionals that will only be used for my dissertation.
Kindly access the questionnaire on the link below. Your feedback and insights will be highly appreciated.
https://forms.office.com/Pages/ResponsePage.aspx?id=fP6q5RuXt0qwORQa02rOwDGxXWUaMjxIm0Jt8YKBgmpUOFpaMTJaUzFRQTBIV1VMR0RLSUVFVkxGWC4u
Hello
I'm just reaching out to see if anyone/org is sharing the same issues we have been having since the past few updates of Cellebrite software.
For starters, two months ago the Touch2 kept having errors when downloading phone data from a mobile device, through the target (wormhole cable) and on to a mapped network drive using PA to start and the action. The error would flag up saying "unhandled exception". It would completely shut the system down and reboot either before, during or just before an extraction was complete.
This was apparently fixed in the latest release, however we still see this error from time to time as well as an error "Error writing to target". This has made the Touchbox an untrustable method as extractions could go on for a few hours and then fail.
Also the new PA seems awfully slow and crashes a lot during decodes; the computers used are more powerful than the needed specs provided by Cellebrite.
This post is not a vent or anything of the sort, I'm simply reaching out to see if anyone has come across similar issues. I understand Cellebrite, like other companies, are dealing with the effects of the pandemic, maybe with skeleton staff and the likes. However, the past few releases have seemed to have caused a lot of bugs and glitches which as a customer I have to feel dissatisfied with. Maybe the releases have been rushed without enough testing.
I know the solution is as simple as downgrading to earlier versions, but a lot of effort goes into updating all our systems, validation and paperwork.
Hi
I've got a dd_rescue image of a MacBook Pro, not encrypted (macbook.raw), and I'd like to know if this MacBook Pro (Mac OS X 10.13.5 17F77) has been restored (and the date of this restore), maybe with the AXIOM Magnet forensic tool?
Thank you
Hello folks,
I have a VDI image that I need to examine for IR purposes. I am trying to use EnCase to process/analyze it, but EnCase doesn't produce any results. I converted the image to Raw and E01 using FTK Imager to see if it makes a difference, but still, EnCase doesn't extract the file contents. Magnet Axiom, however, does extract the file contents. Does anyone have any hands-on experience with using EnCase for VDI images? I appreciate any help you can provide.
Hello,
Currently I'm dealing with an iPhone iOS 13.3.1 where I found the following location.
iPhone/var/mobile/Media/PhotoData/Thumbnails/V2/PhotoData/CPLAssets/group349/XXXX-XXXX-XXXX-XXXX-XXXX.JPG/5003.JPG (39809 bytes)
I am new to this community but have a few questions. If someone will be so kind as to point me in the right direction I would appreciate it.
1) What does each part of this file path mean? I believe that photos are normally on the DCMI filepath, correct? Is this simply thumbnails of the images contained in the DCMI folder or are these separate images?
2) More detailed, what does each part of the file path mean? "photodata", "thumbnails", "V2", "CPLAssets", "GroupXXX", etc.
3) I have noticed that most everything ends in 5003.jpg. What is the reason for this? Whereas on the DCMI they are sequentially numbered.
Thanks so much!
Hello,
I have a Huawei P9 Prime (STK-L21) with FRP Lock, USB Debugging mode disabled and locked bootloader. Using Android 9.0, so the device is encrypted by default.
HiSilicon Kirin 730F Chipset
The device is screen locked with a 6 digit PIN.
Any suggestion for JTAG or ISP?
Are we able to root the device with some exploit?
Is there a possibility to get some user data from this model or to bypass the screenlock?
Maybe some exploit for this kind of chipset?
Best Regards
Arbab
This is what I've been thinking for the last months. I mean, most of the new Android devices (after Android 7) cannot be physically extracted unless you do the root process. But many of the devices cannot be rooted without losing everything because of the key (ciphered devices, I mean). So it is like a loop...
What do you think?
Hello,
I am part of a San Diego based E-discovery and digital forensics team and would like to get some feedback on our new and completely free acquisition tool. The tool allows for the user to preserve, hash, and catalog all metadata. Download it here. We appreciate any critiques/suggestions. Thank you!
I used Cellebrite to extract data from an Amazon Kindle Fire HD7 and a Motorola e5 Play. Most of the images that are of interest are thumbnails. Was wondering if anyone had any knowledge of the file paths associated with them. They are as follows:
(ExtX)/Root/data/com.amazon.cloud9/cache/Cache/
(ExtX)/Root/media/meVideoplayer/thumb
Play.zip/sdcard/DCIM/.thumbnails/.thumbdata4/.thumbdata4_embedded_413.jpg
Media/Internal shared storage/Android/data/org.videolan.vlc/files/medialib
Play.zip/sdcard/DCIM/.thumbnails/1584267922209.jpg
Thank you for any help with this!
Hi, I have some images, all with the XFS file system. I use X-Ways to process them. X-Ways warns me that some XFS properties are not supported.
X-Ways crashes and hangs lots of times while file carving. So I had to restart it countless times in a week to complete a 1 TB image.
I am not sure if the image or X-Ways is problematic.
Is there any other tool which supports the XFS file system?
Regards
Hi All,
I have sample email files which are associated with Microsoft Outlook RMS encryption.
The body of the email shows ‘This message is protected with Microsoft Information’ and has an attachment of type ‘.rpmsg’.
With the conventional method, it asks for the credential as the email address of the recipient; further, the OTP is delivered to the recipient's email address. Upon entering that OTP, I can access the content of the same.
Is there any other way to access such content without intimating the recipient or sender? Or does the domain administrator have any privileges to access the same?
We recently came across a "Heicard" wrapped around a SIM card in an iPhone 8 Plus. Cellebrite and GrayKey were both unable to unlock this phone. Has anyone encountered this in the past?
I found the artifact of a saved credit card within Chrome and I am researching to understand what cases would cause the credit card to be saved into the browser.
There are cases where you can manually add the card to the web browser or if you are logged in with a Google synced account then Gpay cards are available to be autofilled.
For investigation I have a MacBook Air A1932. I tried to create a disk image in accordance with https://github.com/slo-sleuth/slo-sleuth.github.io/blob/master/Apple/APFSImaging.md.
When I try to unlock the volume with "diskutil apfs unlockVolume disk2s1 -nomount -passphrase ######", I get ERROR-69808. When I tried to mount the volume I got the same error.
Maybe someone knows how I could repair the volume file system without data loss? The command "diskutil verifyVolume disk2s1" gives the same ERROR-69808.
I can't seem to remember how to do this. What is the manual procedure for determining a drive letter within EnCase? I seem to remember the process involving LNK files and something else. EnCase Forensic doesn't assign the correct drive letters and I need to remember how to do this manually without an EnScript. Can someone remind me please? Thanks.
To save me some time, does anyone know if the motherboard serial number is stored in the registry anywhere?
Essentially I've got a loose drive, with a modern Windows OS, and suspect it was probably the old main drive used in another chassis I have.
So, ideally I just wanted to compare something like the motherboard serial number, in the registry of the complete computer and this loose drive, to check whether it had previously been the OS drive in that chassis, before being upgraded/discarded.
If not, if there's any other good way to achieve the same thing easily, that would also be good.
Thanks
Hi all,
I’m an intern in a DFF at an LEA in the UK and we’re attempting to use Oxygen to do a physical extraction of the above device but need the test point for the device.
Does anyone have information regarding this? We’ve tried Oxygen support and they’ve been unhelpful and asked us to contact Huawei, who, to no surprise, are reluctant to provide that sort of information.
Thank you for any help!
I am trying to identify tools to analyse and produce a web history report from the IE 11 browser on a Windows 7 based PC. I've got an image copy of another user's folder for test purposes; this is a test account:
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\
There are a few free tools I've seen recommended from other sites, namely those on the Nirsoft website. Using these tools, you can point the app towards a set of folders taken from a remote PC, rather than loading the local history from the analysis machine. However, from my testing, when you supply the path to the WebCache folder taken from the remote PC, that has been obtained from another user's device, the Nirsoft tool seems to only produce a very limited set of history data which was not representative of what was expected (what I believe to be stored, which was in excess of a few weeks' worth of history that can be seen from the IE browser itself).
This is purely for testing purposes, but I have read that the WebCacheV01.dat file, when copied (imaged) from a remote PC relating to another user and supplied to freeware tools such as those on the Nirsoft site, will only load a limited/blank report, as the tool really needs to be run under the context of the user to whom the WebCacheV01.dat history belongs? Is this correct, and/or what tools do you use for analysis of the WebCacheV01.dat file? How do you overcome the permissions challenges if supplying the file to a tool run under a different user account?
This makes sense, as if I run the tool from my own machine it loads the history report fine, going back weeks, but this is run under the same user context for the Nirsoft tool as for the browser.
In a nutshell: if ALL you have is the WebCache folder for a 3rd party, will you ever be able to get a full report of the history stored within the WebCacheV01.dat file? Or is a change of strategy required?