Dear users,
assume that we have a 10:00 minutes conversation audio file and that you are suspecting that this file was cutted from the minute 5:00; in other words, the person who gives you tath file has probably used an audio editor to delete the first 5 minutes. So, this file is not created with i.e. a smartphone voice recorder but by an audio editor program. How can I check it? Is a audio-spectrum or a particular audio analyzer that can check this?

Thank you very much!

PS: the problem is not, a central part is cutted and the first and last are merged (in this case is easy check a discontinuity of spectrum). The problem is that, the entire start part is cutted.

do any of the default event logs on windows 7 give any clues when certain applications are started/closed, e.g web browsers, or office software such as outlook, word, excel.

And do any of the default event logs also capture times specific files were opened, e.g. a file on a desktop 123.docx (I am guessing this is an option but rarely enabled).

In our test/dev lab we are running vSPhere 6.0, 6.5 and 6.7 on different platforms.

We are looking into how to perform forensics on VMs (OVFs, Snapshots, etc.) off line.

Does anyone know of any products in the VMware portfolio or partner products that may be a good option for this use case?

are there any tools that can run on windows 7 which will capture which specific event logs or files such as log files / files in general , are updated as a result of certain user actions (e.g. opening certain file types, running applications, plugging in devices etc).

If you needed to get some clues on what a user 'did' when they logged into a domain joined windows 7 machine forensically where are the obvious places to check. I know there are 'recent' folders with lnk shortcuts to see what files they have accessed..
But interested to know what other artifacts could be turned to for a fuller picture.
. Eg what apps were opened/launched.

Hi,

I am trying to find information or definitions of metadata fields in PDF.
Specifically I am trying to determine how the following field is created

http://ns.adobe.com/pdfx/1.3/            pdfx:SourceModified:D:20180806072738

Please see attached screenshot.  The highlighted orange areas match with the information in Document Properties.

The yellow fields are of interest.  Do these indicate (reliably) that modifications have been made and is the field for the Application used set in stone once the document is created?

I have tried some internet searches and I can t find anything to point me in the right direction.

The purpose is to determine if this document is genuinely from 2004 or recently modified

Many Thanks

I am interested in finding out if a lawyer has manipulated the will of my mother, who has since passed. He sent me a copy of it by email and wondering if there is any way to forensically inspect the document? I saw a previous answer that said you could go into "inspect" the document to detect changes? Please any info appreciated!

Hello,
1. I have an msg file which is digitally signed and not encrypted, I could see 2 attachments from the email one is .P7M and the other one is .P7S. Can this happen ? I mean it should be either a .P7m file or a .P7s file right?
2. Can .P7s file support encryption and digital sign both?
3. Can you explain in detail the difference between .P7m and .p7S files?

aside from the standard history sql lit db for chrome, and WebCacheV01.dat for IE history files, where else on a windows machine could give clues if a user has accessed a certain webmail service and logged in using a specific email account? I suspect either gmail or hotmail. Just want to rule out any other areas such evidence may reside apart from the obvious browser history locations.

Hi there,
Please can you help me? On my Android Samsung Galxy S6 are stored files under /userdata/data/com.microsoft.office.word/app-EmailAttachments.. So, I know what this files are but I don`t know how the names of the files are generated.
i.e. /app_EmailAttachmentseaa8ac15-baaf-4675-9f6a-9698e54f0108. This file name belongs to a pdf i have sent. What does the string "eaa8ac15-baaf-4675-9f6a-9698e54f0108" in the file name mean?
Thx

if you used one of the digital forensics imaging tools, such as FTK imager of a live system that hosted a database, be that an exchange mailbox database, or sql server database - will the imaging process work, and actually give you a copy of the database that can be interrogated in your forensics search tools? My thoughts were that even backups have to follow a specific purpose which stops processes before they can be backed up - so trying to take an image of a running database is similar to try and copy and paste it - in that it will result in errors and you wont get a clean copy/copy at all?

are there any free tools which could scan a drive on a file server for potential inappropriate images, based on a nudity type calculation. I know these things exist in forensics communities but I have yet to see anything that is free. we need to do a quick scan to ensure one of our employees has not stored any inappropriate material on one of our file servers.

Let's say there's malware running on the Mac in OS 10.9. This malware launches whenever the computer is booted and/or connected to the Internet. Will upgrading the operating system to 10.11 have any effect on the malware, that is, will the upgrade force the removal of the malware?

If there's no other change to the system other than the OS installation, will the malware continue to launch on boot after the upgrade is installed?