All systems show clean by Malwarebytes, Vipre, online testers, etc.
Mail server (Windows Server 2008 R2) same
Phone - clean
Minimal online presence, no social media use, no FB, no Google/Gmail account (not on my phone either), no Verizon syncing on my phone, no syncing at all except to my personally run server for my mail.

Samsung S8 Rooted w/ DroidWall, 95% of things locked down, no Play Store, minimal apps.

Problem:  Search a topic, next day (or a few days depending) scam/fake email shows up about that topic.

I want to know what tools, techniques, methods, forensic investigations I can do to track down the leak.

Thanks. :)

Dear users,
assume that we have a 10:00 minutes conversation audio file and that you are suspecting that this file was cutted from the minute 5:00; in other words, the person who gives you tath file has probably used an audio editor to delete the first 5 minutes. So, this file is not created with i.e. a smartphone voice recorder but by an audio editor program. How can I check it? Is a audio-spectrum or a particular audio analyzer that can check this?

Thank you very much!

PS: the problem is not, a central part is cutted and the first and last are merged (in this case is easy check a discontinuity of spectrum). The problem is that, the entire start part is cutted.

do any of the default event logs on windows 7 give any clues when certain applications are started/closed, e.g web browsers, or office software such as outlook, word, excel.

And do any of the default event logs also capture times specific files were opened, e.g. a file on a desktop 123.docx (I am guessing this is an option but rarely enabled).

In our test/dev lab we are running vSPhere 6.0, 6.5 and 6.7 on different platforms.

We are looking into how to perform forensics on VMs (OVFs, Snapshots, etc.) off line.

Does anyone know of any products in the VMware portfolio or partner products that may be a good option for this use case?

If a user plugs into a windows 7 machine a smartphone or USB device via USB and views an image on the external device, apart from areas like lnk files and jump lists (and presumably certain registry entries) which will show a file name of the image opened, does windows create any sort of thumbnail on the PC's local drive of the image, or is the best you would ever get the date stamp and file name of the image opened, and not an actual thumbnail of the image itself. The filename in itself isn't of much use, but even a thumbnail of the image would be useful. I am just unsure where exactly on the drive that thumbnail may reside once opened.

Hi,

I am trying to find information or definitions of metadata fields in PDF.
Specifically I am trying to determine how the following field is created

http://ns.adobe.com/pdfx/1.3/            pdfx:SourceModified:D:20180806072738

Please see attached screenshot.  The highlighted orange areas match with the information in Document Properties.

The yellow fields are of interest.  Do these indicate (reliably) that modifications have been made and is the field for the Application used set in stone once the document is created?

I have tried some internet searches and I can t find anything to point me in the right direction.

The purpose is to determine if this document is genuinely from 2004 or recently modified

Many Thanks

I am interested in finding out if a lawyer has manipulated the will of my mother, who has since passed. He sent me a copy of it by email and wondering if there is any way to forensically inspect the document? I saw a previous answer that said you could go into "inspect" the document to detect changes? Please any info appreciated!

Hello,
1. I have an msg file which is digitally signed and not encrypted, I could see 2 attachments from the email one is .P7M and the other one is .P7S. Can this happen ? I mean it should be either a .P7m file or a .P7s file right?
2. Can .P7s file support encryption and digital sign both?
3. Can you explain in detail the difference between .P7m and .p7S files?

does anyone know of a free tool which can pass the internet explorer history stored in WebCacheV01.dat and WebCacheV24.dat files to see which sites a user has visited? there were loads of tools for older IE releases, with the index.dat format, but not found much for the newer ESE databases

if you used one of the digital forensics imaging tools, such as FTK imager of a live system that hosted a database, be that an exchange mailbox database, or sql server database - will the imaging process work, and actually give you a copy of the database that can be interrogated in your forensics search tools? My thoughts were that even backups have to follow a specific purpose which stops processes before they can be backed up - so trying to take an image of a running database is similar to try and copy and paste it - in that it will result in errors and you wont get a clean copy/copy at all?