
Digital Forensics

Digital forensics encompasses the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil (as part of the electronic discovery process) courts. The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved; computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence.


Are there any tools that can run on Windows 7 which will capture which specific event logs or files (such as log files, or files in general) are updated as a result of certain user actions (e.g. opening certain file types, running applications, plugging in devices, etc.)?
0

If a user plugs a smartphone or USB device into a Windows 7 machine via USB and views an image on the external device, then apart from areas like LNK files and jump lists (and presumably certain registry entries), which will show the file name of the image opened, does Windows create any sort of thumbnail of the image on the PC's local drive? Or is the best you would ever get the date stamp and file name of the image opened, and not an actual thumbnail of the image itself? The filename in itself isn't of much use, but even a thumbnail of the image would be useful. I am just unsure where exactly on the drive that thumbnail may reside once the image has been opened.
0
If you needed to get some forensic clues on what a user 'did' when they logged into a domain-joined Windows 7 machine, where are the obvious places to check? I know there are 'Recent' folders with LNK shortcuts to see what files they have accessed, but I am interested to know what other artifacts could be turned to for a fuller picture, e.g. what apps were opened/launched.
0
Hi,

I am trying to find information or definitions of metadata fields in PDF. Specifically, I am trying to determine how the following field is created:

http://ns.adobe.com/pdfx/1.3/            pdfx:SourceModified:D:20180806072738

Please see attached screenshot.  The highlighted orange areas match with the information in Document Properties.

The yellow fields are of interest.  Do these indicate (reliably) that modifications have been made and is the field for the Application used set in stone once the document is created?

I have tried some internet searches and I can't find anything to point me in the right direction.

The purpose is to determine if this document is genuinely from 2004 or has been recently modified.

Many Thanks
0
I need to make a forensic image of each HDD of a group of our employees' desktop computers; I need the same for their smartphones. What equipment and/or software do I need to make these images without removing the drives?
0
I am interested in finding out if a lawyer has manipulated the will of my mother, who has since passed. He sent me a copy of it by email and I am wondering if there is any way to forensically inspect the document. I saw a previous answer that said you could go into "inspect" the document to detect changes? Any info appreciated!
0
HyperV Audit

I can see that Event Viewer shows most of the administrative tasks completed on a Hyper-V server, but it does not specify the user performing the action (i.e. Event Viewer \ Applications and Services Logs \ Microsoft \ Windows \ Hyper-V-*).

Considering a default installation (no additional software added, no settings modified from the default debugging level), how can I track which one of my administrators performed specific administrative actions in Hyper-V?
0
An incident response plan is an organized approach to addressing and managing an incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
3
Hello,
1. I have an .msg file which is digitally signed and not encrypted. I can see two attachments on the email: one is a .p7m and the other one is a .p7s. Can this happen? I mean, it should be either a .p7m file or a .p7s file, right?
2. Can a .p7s file support both encryption and digital signing?
3. Can you explain in detail the difference between .p7m and .p7s files?
0
Would Facebook provide any evidence under any circumstances if copies of a user's posts etc. were required, and to whom would they release this information, e.g. only law enforcement?

Also, if a user deleted a post, would Facebook be able to prove the post ever existed?
0

Aside from the standard History SQLite DB for Chrome, and the WebCacheV01.dat history file for IE, where else on a Windows machine could give clues as to whether a user has accessed a certain webmail service and logged in using a specific email account? I suspect either Gmail or Hotmail. I just want to rule out any other areas where such evidence may reside apart from the obvious browser history locations.
0
Does anyone know of a free tool which can parse the Internet Explorer history stored in the WebCacheV01.dat and WebCacheV24.dat files to see which sites a user has visited? There were loads of tools for older IE releases, with the index.dat format, but I have not found much for the newer ESE databases.
0
The Tech or Treat contest winner has been chosen! Congratulations to expert Thomas Zucker-Scharff, our champion, who submitted an article on a suspected hack into his work device that, to this day, has never been solved.
3
It all started with a phone call. The then acting director of the Office of Research Computing called to ask me to remotely shut down my computer; it was Yom Kippur, Wednesday, October 12, 2016.
1
Hi there,
Please can you help me? On my Android Samsung Galaxy S6, files are stored under /userdata/data/com.microsoft.office.word/app-EmailAttachments.. So, I know what these files are, but I don't know how the names of the files are generated.
i.e. /app_EmailAttachmentseaa8ac15-baaf-4675-9f6a-9698e54f0108. This file name belongs to a PDF I have sent. What does the string "eaa8ac15-baaf-4675-9f6a-9698e54f0108" in the file name mean?
Thx
0
If you used one of the digital forensics imaging tools, such as FTK Imager, on a live system that hosted a database, be that an Exchange mailbox database or a SQL Server database, will the imaging process work and actually give you a copy of the database that can be interrogated in your forensic search tools? My thoughts were that even backups have to follow a specific process which stops services before they can be backed up, so trying to take an image of a running database is similar to trying to copy and paste it, in that it will result in errors and you won't get a clean copy, or any copy at all?
0
Greetings Experts,

I need help locating software that is able to take a snapshot of a remote computer's HD without the end user knowing it. I have been searching the internet and have not found anything so far. Can somebody recommend software that is able to do this type of function?
0
I'm writing a program that displays a time stamp or large number in a DataGridView. I'm loading the data using a SQLite engine.

In order to convert the number (time stamp) I need to take only the first 11 characters or digits from the value.

Is there a way to loop through all cells in a column and trim each one down to, say, 11 characters?
0
LVL 5

Expert Comment

by:Juana Villa
Can people use their intelligence to help others? Or... at least not hurt them in any way?
1
Are there any free tools which could scan a drive on a file server for potentially inappropriate images, based on a nudity-type calculation? I know these things exist in forensics communities, but I have yet to see anything that is free. We need to do a quick scan to ensure one of our employees has not stored any inappropriate material on one of our file servers.
1
1
I need to analyze a large number of hard drives to see what files were created by a particular user.  What is the best forensic software out there to do this with?
0
OSXPmem version 2.0.1 will successfully dump to AFF4. However, we need RAW. I found references to a -format flag in various blogs, but "-format" is not evident in the OSXPmem man page and entering the flag throws errors. OSXPmem is not really designed to dump to RAW, but supposedly it is possible. I just can't get it to work.

My AFF4 dumps are around 12 GB. I attempted to convert these AFF4 dumps to RAW using this command:

bash# osxpmem.app/osxpmem -e /dev/pmem -o Memory_Captures/mem.raw Memory_Captures/mem.aff4

Multiple different copies of my AFF4 memory captures converted to new files sized at exactly 2.06 GB and then stalled with "Imaging failed with the error: -8". Googling this error yields nothing.

There's very little documentation on OSXPmem and virtually zero support. It looks like you can only use OSXPmem dumps with Rekall. Any suggestions appreciated.
0
We've downloaded Paladin 7.02 to a USB stick and we have successfully booted a MacBook Air.

Attached to the Air via USB is a Mac OS X drive in an enclosure called "Macintosh HD." Also attached is a Windows FAT32-formatted drive, "Image."

We need to create an E01 image of Macintosh HD on the Image target drive.

We see that Paladin has provided 3 "Imaging Tools" that launch Linux terminal sessions. However, we can't find any documentation for how to actually produce the E01 image. All suggestions welcome.
0