Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Course Of The Month
7 days, 13 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Digital Forensics
895
Solutions
2
Articles & Videos
1K
Contributors
Digital forensics encompasses the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil (as part of the electronic discovery process) courts. The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved; computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence.
Share tech news, updates, or what's on your mind.
I need to analyze a large number of hard drives to see what files were created by a particular user. What is the best forensic software out there to do this with?
5 Comments
Free Tool: Site Down Detector
OSXPmem version 2.0.1 will successfully dump to AFF4. However, we need RAW. I found references to a -format flag in various blogs but "-format" is not evident in the OSXPmem man page and entering the flag throws errors. OSXPmem is not really designed to dump to RAW but supposedly it is possible. I just can't get it to work.
My AFF4 dumps are around 12 GB. I attempted to convert these AFF4 dumps to RAW using this command:
bash# osxpmem.app/osxpmem -e /dev/pmem -o Memory_Captures/mem.raw Memory_Captures/mem.aff4
Multiple different copies of my AFF4 memcaps converted to new files sized at exactly 2.06 GB and then stalled with “Imaging failed with the error: -8”. Googling this error yields nothing.
There's very little documentation on OSXPmem and virtually zero support. It looks like you can only use OSXPmem dumps with Rekall. Any suggestions appreciated.
My AFF4 dumps are around 12 GB. I attempted to convert these AFF4 dumps to RAW using this command:
bash# osxpmem.app/osxpmem -e /dev/pmem -o Memory_Captures/mem.raw Memory_Captures/mem.aff4
Multiple different copies of my AFF4 memcaps converted to new files sized at exactly 2.06 GB and then stalled with “Imaging failed with the error: -8”. Googling this error yields nothing.
There's very little documentation on OSXPmem and virtually zero support. It looks like you can only use OSXPmem dumps with Rekall. Any suggestions appreciated.
We've downloaded Paladin 7.02 to a USB stick and we have successfully booted a MacBook Air.
Attached to the Air via USB is a Mac OS X drive in an enclosure called "Macintosh HD." Also attached is a Windows FAT32-formatted drive, "Image."
We need to E01 image Macintosh HD to the Image target drive.
We see that Paladin has provided 3 "Imaging Tools" that launch Linux terminal sessions. However, we can't find any documentation for how to actually render the E01 image. All suggestions welcome.
Attached to the Air via USB is a Mac OS X drive in an enclosure called "Macintosh HD." Also attached is a Windows FAT32-formatted drive, "Image."
We need to E01 image Macintosh HD to the Image target drive.
We see that Paladin has provided 3 "Imaging Tools" that launch Linux terminal sessions. However, we can't find any documentation for how to actually render the E01 image. All suggestions welcome.
I have written a module in Delphi that enumerates all the files on a volume.
How do I get to know the files that were updated / deleted / created since my last backup ?
Noticed that the FileUSNReference number and the ParentFileUSNReference number change upon any update done to the file. If I have stored the file details during my previous backup and if I compare the numbers with the current Reference numbers I can get to know that the files have changed.
Just need to know if this is a reliable method as this is just my observation and I do not know if this is how it is supposed to be
How do I get to know the files that were updated / deleted / created since my last backup ?
Noticed that the FileUSNReference number and the ParentFileUSNReference number change upon any update done to the file. If I have stored the file details during my previous backup and if I compare the numbers with the current Reference numbers I can get to know that the files have changed.
Just need to know if this is a reliable method as this is just my observation and I do not know if this is how it is supposed to be
Let's say there's malware running on the Mac in OS 10.9. This malware launches whenever the computer is booted and/or connected to the Internet. Will upgrading the operating system to 10.11 have any effect on the malware, that is, will the upgrade force the removal of the malware?
If there's no other change to the system other than the OS installation, will the malware continue to launch on boot after the upgrade is installed?
If there's no other change to the system other than the OS installation, will the malware continue to launch on boot after the upgrade is installed?
We need to do some RAM dumps from a Mac. Is there a functioning free tool out there?
We found a tool called Rekall. However, the documentation is limited. We are not UNIX / Python experts and we really need step-by-step installation instructions.
We know that we can pay $1,695 for Paladin but we'd rather not at this time.
We found a tool called Rekall. However, the documentation is limited. We are not UNIX / Python experts and we really need step-by-step installation instructions.
We know that we can pay $1,695 for Paladin but we'd rather not at this time.
Ok... I need some help clarifying details in an email header. Some one I know has been fished/whaled (which ever it is). I want to know how it was done.
A genuine email was sent from Seller@realdomain.co.uk to Client with genuine bank details for a transfer. This was followed up with a scam email requesting a change of bank details. BUT the scam email came from Seller@realdomain.co.uk...
Both seller and client domains are on 365 and have SPF records setup. So I would expect spoofing emails to be rejected.
Anyway, below is the header... I would like to understand what it says, these are some of the questions I want answered:
1. is it a spoof email or was it sent through 365 servers (there is no trace in the seller sent items, but could have been deleted)
2. It looks like the email "return" address has been setup as "seller@fakedomain.com.uk"
3. Can we tell if this was sent through a microsoft portal or outlook?
4. I can see an SPF fail on the header... does this mean the email failed its SPF check but was still allowed through?
5. What other information can be gained?
Header
Received: from DM2PR0401MB0973.namprd04.p
BN1PR0401MB0961.namprd04.p
Server…
A genuine email was sent from Seller@realdomain.co.uk to Client with genuine bank details for a transfer. This was followed up with a scam email requesting a change of bank details. BUT the scam email came from Seller@realdomain.co.uk...
Both seller and client domains are on 365 and have SPF records setup. So I would expect spoofing emails to be rejected.
Anyway, below is the header... I would like to understand what it says, these are some of the questions I want answered:
1. is it a spoof email or was it sent through 365 servers (there is no trace in the seller sent items, but could have been deleted)
2. It looks like the email "return" address has been setup as "seller@fakedomain.com.uk"
3. Can we tell if this was sent through a microsoft portal or outlook?
4. I can see an SPF fail on the header... does this mean the email failed its SPF check but was still allowed through?
5. What other information can be gained?
Header
Received: from DM2PR0401MB0973.namprd04.p
BN1PR0401MB0961.namprd04.p
Server…
Given the scenario of a simple text file on file server share and a user opens the file on the remote share from their desktop and someone was to capture the SMB traffic and look at the pcap file, could you see the some of the file contents in the capture? This assumes that smbv3 with encryption is not used.
i was wondering if anyone might be able to tell me how to read the logs I've gotten from Network Miner. My system has been compromised and I'm trying to get information on the people that have done it. I see MACS that are not any of my devices in the logs & are these for sure the possible hackers? Also im wondering what are all of the other base folders in their system folder:
all-words.txt
oui.txt
tcp.xml
Changelog
dhcp.xml
etter.finger.os
p0f.fp
p0f.fp.netsa
can someone tell me what these logs tell me??
all-words.txt
oui.txt
tcp.xml
Changelog
dhcp.xml
etter.finger.os
p0f.fp
p0f.fp.netsa
can someone tell me what these logs tell me??
We need to prove if a user has accessed a corporate business system from a specific machine. the audit trails in the system itself frustratingly do not log user access/record access, I am unsure at this stage what language the app was developed, but I do know the system installs some client software on each users machine which is used to connect to the app server and provide a front end etc. This isn't opened in a browser, but I was thinking whether you could use pre-fetch to at least show the last time the applications (client) was launched. Are there any other common areas we could use to identify application access from the client side? Pre-fetch was the only obvious thing i could think of but after some inspiration if there may be anything else (windows 7 device).
Free Tool: IP Lookup
Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
are there any tools on windows, which for any user activity show which files/registry info on the system is being updated as a result of the user activity. I am sure there used to be something whereby any user activity, e.g. launch an application, insert external USB drive, etc would show which files/registry keys that user action had updated on the system, in real time, which was useful to see if user activity evidence for specific actions may be retrievable from certain hidden files/logs/keys. I just cant recall the name of the utility. We are trying to see if any action in a specific client/server application is updating any files on the client side which may prove user activity, in a system that otherwise has no audit logging enabled (server/database side of the application).
Hi ,
I have a client whose pc i am suspecting might be compromised. About a month ago her Amazon account was hacked and i found the fake username in the cache of Internet Explorer on her pc. The pc is slow , especially as i can detect speed quite easily when i am logged in remotely. I ran Malwarebytes, checked the router DHCP client list on the router for any strange IPs and check TASK MANAGER for any odd services but i am not convinced. I can only work remotely at the moment. Could anyone give me some tips on where i can look if i want track down any snoopers on the pc? Are there any good tools out there?
Thanks
D
I have a client whose pc i am suspecting might be compromised. About a month ago her Amazon account was hacked and i found the fake username in the cache of Internet Explorer on her pc. The pc is slow , especially as i can detect speed quite easily when i am logged in remotely. I ran Malwarebytes, checked the router DHCP client list on the router for any strange IPs and check TASK MANAGER for any odd services but i am not convinced. I can only work remotely at the moment. Could anyone give me some tips on where i can look if i want track down any snoopers on the pc? Are there any good tools out there?
Thanks
D
We recently had an IPS event and have hit a dead end on the logs, can I have some suggestion(s) for network based forensic tools that would give us better insight into what happened?
are there any specialist tools to analyse print spool files, i.e. shd and spl.
And does anyone know what kind of information they will contain, i.e. is it purely metadata such as user, print date/time, filename, printer, etc or does it give any clues on content of the print job?
And does anyone know what kind of information they will contain, i.e. is it purely metadata such as user, print date/time, filename, printer, etc or does it give any clues on content of the print job?
how to achieve digital signature in corporate and make less paper dependent
does anyone know if hp laserjet printers have any sort of audit log of what jobs were sent to the printer by whom.
And aside from pulling the drive out the device and taking a forensics copy for analysis, how this log would be accessed (management console of sorts?) over the network? I have no experience managing such devices.
for info it is a hp laserjet 11/11/2016 and is installed on a windows server
And aside from pulling the drive out the device and taking a forensics copy for analysis, how this log would be accessed (management console of sorts?) over the network? I have no experience managing such devices.
for info it is a hp laserjet 11/11/2016 and is installed on a windows server
Do windows 7 and above devices give any clues on what documents a user sent to a printer, and if so where on the file system or registry would this evidence reside?
are there any forensics tools that can take a replica copy of how a website looked at a particular point in time, e.g. users facebook profile. How can you actually prove that is how the website looked at that point in time, for cases such as facebook - considering content can change almost instantly. if you were challenged how could you prove that was how the site looked at that specific point in time.
the artist name is
http://www.proantic.com/en/display.php?mode=obj&id=188866
mentioned..
the artist mentioned is rolier
is it possible to find the exact artist and history of other works and what country origin etc?
http://www.proantic.com/en/display.php?mode=obj&id=188866
mentioned..
the artist mentioned is rolier
is it possible to find the exact artist and history of other works and what country origin etc?
Free Tool: SSL Checker
Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Hi, I'm looking for software or hardware that can run and allows for wiping USB drives.
I currently use dban but I'm looking for something a little more plug and erase.
Thanks in advance.
I currently use dban but I'm looking for something a little more plug and erase.
Thanks in advance.
Hello
We use mobile applications from vendors, most of whom now support Touch ID (Apple) and Android Touch (Android). The applications are developed by a third party for use on employees' personal devices (BYOD concept).
We had Touch ID certified last year, and now are looking at Android Touch.
Could someone tell me:
- Does Android Touch work in the manner of storing a hash of the fingerprint in a secure side of phone
- Is this information passed to Google at all
- Does Android Touch work on all Google devices, or just some
- Are there any concerns with Android Touch as opposed to Touch ID (security risks etc?)
We use mobile applications from vendors, most of whom now support Touch ID (Apple) and Android Touch (Android). The applications are developed by a third party for use on employees' personal devices (BYOD concept).
We had Touch ID certified last year, and now are looking at Android Touch.
Could someone tell me:
- Does Android Touch work in the manner of storing a hash of the fingerprint in a secure side of phone
- Is this information passed to Google at all
- Does Android Touch work on all Google devices, or just some
- Are there any concerns with Android Touch as opposed to Touch ID (security risks etc?)
I am not very computer savvy.. I want to set up a logger or sniffer or something that will capture data being sent through my home router. My daughter is having a hard time at school and I want to see she isn't being bullied via messages in her phone or apps on it, like what's app ect.. She will not let me on her phone so this is the only way to see she is ok, as her life is in that phone.. Can anyone help please? I'm in UK.
a user has accessed one of potentially 5 peoples calendars (it was a team meeting with several attendee's), and forwarded a meeting request on to a 3rd party. I can see from the tracking logs that they did it (as it shows that email sent to the 3rd party, from this person in question), but I need to identify which persons calendar they accessed to forward the meeting on to this 3rd party (for the record they do have access to all of these users calendar). Is this possible through any of the exchange logs or outlook logs?
aside from c:\users\username\appdata\
are there any others folders on a windows 7 machine that would give clues about files a user has recently accessed? I have read about a "recent places" folder but cant find it on a copy of a users hdd.
are there any others folders on a windows 7 machine that would give clues about files a user has recently accessed? I have read about a "recent places" folder but cant find it on a copy of a users hdd.
Hi,
I am victim of UK based company named as "Coinscrypt Ltd" having website : https://coinscrypt.net. I have invested there 3 Bitcoins (i.e. costs INR. 1,78,000 approx.) on dated June 19, 2016. I have registered on this website on dated June 17, 2016 with term and conditions that I can withdraw my amount at any time.
Now from June 25, 2016, this website is not allowed to withdraw any amount to me. I checked with some of the known person, and found some views of social networking that this website is not allowed to withdraw to anyone worldwide.
Company Details Provided on website :-
COMPANY : CoinsCrypt Limited
ADDRESS: 42 Walton Street London SW3 1RD United Kingdom
PHONE NUMBER: +44 (203) 000-0000
As per my investigation, I found some more details about this website :-
Admin Name : Eric Lynch
Admin Organization : Coinscrypt Ltd
Admin Street : 42 Walton St, Chelsea
Admin City : Landon
Admin State/Province : London
Admin Postal Code : SW3 1RD
Admin Country : GB
Admin Phone : +44 203-514-7241
So now, please help me to recover my money.
Thank You !!!
I am victim of UK based company named as "Coinscrypt Ltd" having website : https://coinscrypt.net. I have invested there 3 Bitcoins (i.e. costs INR. 1,78,000 approx.) on dated June 19, 2016. I have registered on this website on dated June 17, 2016 with term and conditions that I can withdraw my amount at any time.
Now from June 25, 2016, this website is not allowed to withdraw any amount to me. I checked with some of the known person, and found some views of social networking that this website is not allowed to withdraw to anyone worldwide.
Company Details Provided on website :-
COMPANY : CoinsCrypt Limited
ADDRESS: 42 Walton Street London SW3 1RD United Kingdom
PHONE NUMBER: +44 (203) 000-0000
As per my investigation, I found some more details about this website :-
Admin Name : Eric Lynch
Admin Organization : Coinscrypt Ltd
Admin Street : 42 Walton St, Chelsea
Admin City : Landon
Admin State/Province : London
Admin Postal Code : SW3 1RD
Admin Country : GB
Admin Phone : +44 203-514-7241
So now, please help me to recover my money.
Thank You !!!
Digital Forensics
895
Solutions
2
Articles & Videos
1K
Contributors
Digital forensics encompasses the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil (as part of the electronic discovery process) courts. The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved; computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence.
Top Experts In
Digital Forensics
