Channel: Forensic Focus Forums - Recent Topics

Xfs supporting tool

Hi, I have some images, all of which have an XFS file system. I use X-Ways to process them. X-Ways warns me that some XFS properties are not supported.

X-Ways crashes and hangs a lot while file carving, so I had to restart it countless times in a week to complete a 1 TB image.

I am not sure if the image or X-Ways is problematic.

Is there any other tool which supports the XFS file system?

Regards


Microsoft Protected emails

Hi All,

 

I have sample email files which are associated with Microsoft Outlook RMS encryption.

The body of the email shows ‘This message is protected with Microsoft Information’ and has an attachment as ‘.rpmsg’.

With the conventional method, it asks for the credential (the email address of the recipient); further, the OTP is delivered to the recipient's email address. Upon entering that OTP, I can access the content.

Is there any other way to access such content without intimating the recipient or sender? Or does the domain administrator have any privileges to access the same?

Heicard for Sim cards

We recently came across a "Heicard" wrapped around a SIM card in an iPhone 8 Plus. Cellebrite and GrayKey were both unable to unlock this phone. Has anyone encountered this in the past?

Find out if photos from a camera were ever uploaded to the internet via my computer

Hi,

I'm looking to find out if photos via a certain camera were ever uploaded to the internet via my computer (a Mac). Is there any way to find this out? I don't have any photos. Is there any way to check the computer logs going all the way back to the time I first got my computer? Would the EXIF data have been logged by my computer, which perhaps might contain the camera serial number? Please help! If you can think of any alternate ways to do this, please tell me.

Finder or Preview thumbnail cache for Mac?

Hi,

I want to see what images have been uploaded to the internet via my Mac and figured out that if any pics were uploaded to the internet, they would be in my Finder or Preview thumbnail cache. How do I find the Finder or Preview thumbnail cache? How do I go about viewing the images if they are in SQLite format?

Many thanks!

Automated extraction of camera RAW file metadata

Hello all,

I am a retired software engineer who is trying to learn digital forensics.   My computer experience, which goes back 38 years, encompasses a lot of system software, including many decades of Unix/Linux.   I also have written a lot of Python scripts, and want to continue to use it for my own experiments in digital forensic analysis.

I just wrote a Python script to iterate over a set of files and directories, and to look at the EXIF data for all JPG files.    If the EXIF for the file contains GPS information, it will go out and convert it to address information, and look for a keyword in either the 'town', 'city', or 'village' fields (if present).    You can see how easy it would be to extend this model to look for anything that is part of the GPS location data, down to the street name.

The question I have is about camera raw files.  I have Canon equipment.   The older ones were .CR, and my newer 80D is .CR2.   When I want to edit photos, I  use a program like Canon's Digital Photo Professional to edit them, and convert to JPG.   There are other programs, like RawTherapee that do the same.

But my question is really about what a DF analyst would do with thousands of CR2 files.  The data about where they were taken would seem to be of possibly critical importance to an investigation, but it would be extremely time-consuming to manually convert them using a program like DPP4.exe.

I have tried to find Python libraries that would break open the raw files, but the only one I have found, rawpy, I cannot get to install properly.

But what do people do in the real world? Do programs like EnCase or Autopsy have the ability to look inside raw files?

Thanks,

Mitch

Sim cloning

Hi All

 

I am very new to this. I have bought a simple USB SIM card reader off the internet and some blank cards. I have installed the SIM card reader and Windows says it’s there, but when I open the software it says it’s not present. This is the software that came with it, and the drivers. I have tried it on a Windows 7 PC and it shows me the COM port open and what it is, and when I open the program to copy the SIM card it says insert card or reader. Both are inserted and I am going out of my mind with this. Any help would be appreciated. I am doing this as an experiment for my sons, as I think one of them has already had it done to him and it was very costly on his bill indeed.

thanks in advance

 

roger

Mainframe forensic - file

Can anyone provide some insight? I was provided a file that was downloaded from a mainframe, which the user thought was malicious. We have a Windows 10 environment designed for forensics. Using FileZilla, the admin connected to the mainframe and downloaded the file into the forensic environment.

Upon reviewing the file without internet (offline), I found the file and went to properties. The file shows as a REPORT FILE. I attempted to open the file with Notepad and WordPad; both attempts merely showed a collection of unformatted symbols.

I need to scan the document to find out if there are any hidden scripts, and then would like to open the document and find out what is written.

Thank-You for any assistance. 


UFED readout - InteractionC

With an iPhone readout via UFED, the log entry of an SMS sometimes shows interactionC (as source). What does this mean and why does the sender's address consist of 32 characters?

iOS 13.1: Get Apple ID from Activation-locked iPhone

Hi there!

I'm Nico, new here and excited about this cool area. This is my first thread.

We have an iPhone SE (1st Gen) here. It's an internal device bought by the authority, but unfortunately nobody remembers the Apple ID. I know the password but not the according e-mail address.

The device has been reset, so the Activation Lock screen appears, with a censored e-mail address of course. My colleagues said it must have been a freemail address.

Weird circumstances, but is there a possibility to acquire the Apple ID from this device? I tried GrayKey AFU and UFED Checkm8 mode but it seems as if there's no Apple ID plist file or something like that is stored in the file system anymore.

Is it possible to gather the according Apple ID maybe from the Apple servers?

It is a nice opportunity to test what's possible, so Apple Store should be our last solution.

TLDR: I do not want to bypass the Activation Lock (not necessary because I have the password), we just need the according Apple ID e-mail address.

 

Thank you!

Nico

R Sim Cards

Our labs have come across two R Sims from iPhones recently and are wondering if anyone else is encountering the R Sim cards in iPhones. Were you able to get anything from the R Sim card?

office 365 forensic copy

Hello to everybody. I have to do a forensic copy of an Office 365 account; I have all the credentials.

What tools can I use? Elcomsoft Cloud? OSForensics?

I really don't know...

Thank you

converting several .xry phone extractions

Is there anyone out there who owns XRY software and can convert phone extractions so I can import them into Magnet Axiom?

Digital Forensics Final year project

Hi everyone,

I am a final-year student about to embark on my dissertation/project and was wondering if anyone has any ideas, or works in law enforcement and has a suitable project in mind.

I would ideally like to work around smart home devices or IoT.

Any help is appreciated.

Regards

Rob 

Help to Decrypt the "D" Drive without recovery Key

Team,

I am writing to you to try to get a possible resolution on an existing case with the Microsoft O365 & Windows Tech Team. I am not getting a possible solution. Hence, I am writing here to check if anyone in the broader arena can help me to come out of this difficult situation.

Let me summarize the issue here:

My system's no-boot issue started on 16th of Aug’2020, when an Office 365 Tech Team member was trying to help me with the upgradation of E1 to E3 and in the process deleted some registry files.
The system became unresponsive and, on force restart, the system showed the error Stop Code: Critical Process Died.
Please note that the Office 365 Tech Team member had not taken a backup of my registry before doing the registry edits. These major software changes triggered BitLocker.
Further, many troubleshooting steps were tried by various Office 365 Tech Team members.
With the help of an Office 365 Tech Team member, we talked to the Windows Tech Team and they suggested performing a BIOS downgrade to solve this issue.
I contacted Dell and performed the BIOS downgrade (downgraded BIOS to 2.6.1.) on 23rd August 2020. The system still showed the error Stop Code: Critical Process Died.
Further, I connected in conference with the Office 365 Tech Team, Windows Tech Team and Dell Tech Team. There was no solution to bring the system back to a bootable state. Finally, we decided to re-install the operating system.
Reinstallation was successful, deleting my complete data on the C drive.
When trying to access the "D" drive, it shows as encrypted.
When clicking the “D” drive, it asks for the Recovery Key. We don’t have the key.

The screen shows “No Bit Locker Key” found under the Device Management of Microsoft. To recover the BitLocker key, we tried the basic CMDs for BitLocker, which did not help, and proceeded with Intune MDM to recover the key. So we went ahead and created and assigned the trial EMS license, implemented Intune on the O365 tenant and enrolled the laptop in Intune. Enrolment was successful, but no key was recovered from device management, since the response was "No Bitlocker Recovery Key Found for this Device".

Does anyone have a solution for me? Can anyone help me to access my "D" drive?

I am ready to pay for this service as well, as the data is very precious for us. So please help me to get connected to the right resource who can help me to come out of this difficult situation. I contacted Microsoft to get a solution and make my life easy, and I am ending up in this deep trouble. Awaiting a positive response from this forum.

Also, let me know your views on whether I can go legally against Microsoft on this issue, as they created the mess on my system.

Thanks & Regards,

Dipil

+919538252522

dipilkumar@gmail.com


MSAB Kiosk Issues

Hi Folks,

 

I have been searching for a solution!! Hopefully you can help! I have an MSAB kiosk mark 2 and currently it is freezing on the log-on screen. I have tried reloading the new software version and custom workflow, and running diagnostics. My overall Admin log-on works but I can't add users as this is for updates only!

 

Any help?

 

Thank you in advance

Journalist looking for help: Find out who made changes to excel cell/line and when?

Hi,

 

I'm going to be frank here. I'm a layperson who needs your help. I'm working as an investigative journalist for a newspaper and have obtained an Excel file that is crucial to a story I'm going to write.

To determine the integrity of the data, I need information about a specific cell/line in the file. Ideal would be to see which user last edited the cell; otherwise it would also be useful to determine when the cell was last edited. The document was shared amongst many people, who jointly edited it. Track changes seems not to be enabled.

Is this at all possible? Can I do it myself? I'd also be open to hiring a forensics expert if he could do the task.

My skill level: I can work with command line on linux and am decently familiar with Python. Unfortunately I have no experience regarding forensics.

Thank you very much for your help.

Suggestion in Data Science

Hello everyone, I am looking for a data science certification and I am confused about which certification is best as a beginner's starting point. I have found the SAS and edX certification platforms. So can anyone suggest which platform is better for gaining the certification online?

FTK Imager Not seeing deleted files

Good Afternoon,

I have just started using FTK Imager 4.3.1.1. In testing I deleted files from a thumb drive, then, using FTK Imager, added the thumb drive as an evidence item and was able to see the deleted files crossed out with red x's. I repeated the procedure on a hard drive I removed from a laptop, but was not able to see the deleted files. Wondering why that is? Thanks

FTK Imager Disk Image Issue

Hello, and I apologize if this is in the wrong place.

I am doing an assignment and we are to take an E01 image and convert it to dd (raw) format, so we can use it in Oracle's VirtualBox. I am following the exact directions and I can successfully go through the steps in FTK Imager (we have to have Image File as the source). However, when I look for the conversion, I find the log file with the proper file extension of .001. However, the converted document I need for the raw data extracts as a WinRAR file, and I tried two different extraction programs to see if I could get the information. With the second one, I can create a folder with the six files that were in the WinRAR file: three .fat, two .img and one ntfs. They cannot be compressed.

I have been trying all day to no avail. I am not sure if it is a ridiculous mistake I am making but it feels like I have tried everything. I apologize if I did not do a good job of explaining the issue, but hopefully it is clear enough. 
