Digital Forensics

Digital forensics encompasses the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil courts (in the civil case, as part of the electronic discovery process). The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved: computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report on the collected evidence.


Hey guys,

I need the capability to remote wipe a laptop and also see where it is. What software can do this?
0
Hi, I'd like to know if any of you have a list of the different file paths where Microsoft stores the Index.DAT Internet Explorer cache file?

I know that different versions of the Windows O/S stored it under different paths. I was hoping someone would have a complete list (or as close to it as possible) of the different Windows versions and their Index.DAT path locations.

I have also posted another question regarding Index.DAT files so you can get additional points. The title of that question is: Index.DAT versions - how many are there and what versions of the Windows O/S do they correspond to?

Thank you for your help,

Best Regards,
Fulano
0
Hi, we all know that the Microsoft Internet Explorer cache file begins with "Client UrlCache MMF Ver 5.x", so that got me to thinking...how many versions of the cache file are there, and what versions of the Windows Operating System does each correspond to?

In other words, if I see "Client UrlCache MMF Ver 5.2", what version of the Windows O/S would that correspond to?

I have also posted a second question (so you can get additional points) regarding this same topic, so if you'd like to view that question I'd appreciate it.

The Title of the second question is: "List of the different file paths where the Index.DAT file is stored on the different versions of the Windows O/S."

Best Regards,
Fulano
0
How to prove an audio recording came from an Olympus WS 802 and was not edited,
even when playing from the actual device,
because an audio editor can put edited audio onto the device using USB?

Please add zones because I am unsure of zones.
0
Hello,

I have my friend's Galaxy S6 mobile phone, version 6.0.1. I have done many data recoveries on hard drives, RAID, Mac. But I am having a very difficult time recovering his pictures, which were deleted many weeks ago.

I have tried many freeware and paid versions of Android Data Recovery software, and I seem to run into ONE major hurdle. The phone needs to be rooted. I am not quite ready to root the device and I know he will not want that either.

What are some of my real solutions to recover data without rooting? I installed WebDAV on the phone and I was able to mount the device as a drive letter and use one of my data recovery programs to deep scan. Apparently, the mounted device was ignored by most data recovery software, including Android Data Recovery Software.

I am really stumped. Any solutions?
0
I have a client who suspects PDF files have been altered in their accounting shared folder. Is there a way to confirm if a file has been modified or altered?
0
If you use logs from a Windows server (i.e. Windows logs, IIS logs) for an investigation as evidence, and you image the drive on the server where the logs are located using something like FTK Imager, how can you prove that image and those logs were as they were at the time of your acquisition, assuming in most cases you don't intend to take your server offline until your investigation is complete and image that way?

I get the logic behind imaging and taking hash values for an offline PC where you image the HDD, as someone could re-image the drive and see the same hash value to prove its integrity. But for a live server, how do you demonstrate the logs in your image were those on the server at the time you took an image of the drive? I don't understand how you can prove that, as if the server stays online the logs are constantly being updated/overwritten?
0
Hi, I have a forensic image of a hard drive that was created using the DD command line program (also known as GNU DD). The DD program, which is commonly used in Linux and Unix, basically creates a raw image of the media. The raw DD image has a .001 file extension.

So, I have the image and I would like to write C# code to read that image back (or mount the image) and recreate the directory / file structure, so I can read and examine the files therein.

I know that there are A LOT of commercial choices available, some of which are free. Being able to read the image is not the objective. My objective is being able to write the code that can read the image and that can recreate the file structure.

I'd like to create a small application that I can browse to the DD image, select it, and "mount" it in a "tree pane" type of window. This is the first part of a much bigger project, but without this part, the rest of the project is pointless.

Does anyone have any insight into working with DD images or an approach to reading (mounting) a raw image file using C# code? (By image I mean it in the context of a "raw disk image", not a picture image, such as a .JPG or .GIF, etc.)

Would I have to implement something like the Mount method of the Msvm_ImageManagementService class? (https://msdn.microsoft.com/en-us/library/cc136811%28VS.85%29.aspx)  -- Which I'm not exactly sure how to do... Or perhaps the file system parser which interprets the file system inside the .dd…
0
What would be a forensically sound acquisition of a user's mailbox from an Exchange Server 2010? We wouldn't have the capacity to image the entire mailbox database server, nor should we be doing so if only investigating a single user's mailbox for an internal investigation. But what processes should you take to ensure you can prove the copy of the mailbox taken was how the mailbox was at that time? I don't really understand, if the mailbox will continue to be in use, how you can prove your copy of the mailbox is as the mailbox was at the time the copy was taken. At present our admin uses an Exchange shell command which just creates a copy of a mailbox in PST format which can be imported into our forensics software for searching.
0
I have to do some post-incident analysis on a Windows 7 registry and I wanted to get some recommendations on some tools that would help me view the user's registry HIVE. This is just some looking around, so there is no chain of custody type of thing, just looking to try to see what changed (modified) in a given time frame and something I can read the values with. Looking for something free and easy to use to try to learn a few things before we wipe the system. Any recommendations?
0
We are configuring both the Examiner and SAFE server. The SAFE server does not require a lot of resources, but I believe the Examiner does. I am trying to size the Examiner server and leave room for growth. I saw the system requirements but they do not give me a good idea of how much space I should size for the Examiner server to fulfill our use case. I will allocate 40 GB for the OS and Software. If I were to pull images from 5 systems at once that are 200 GB in size each, how much space/storage should I allocate on the server? Also, if I were to pull an image for a system 200 GB in size, would I really be pulling 200 GB or will the image size be compressed? I know it all depends on your bandwidth, but how long will it take when pulling an image 200 GB in size?
0
Good evening experts,

I have a very bad situation at hand. I was in the process of moving thousands of jpg files (an accumulation of family pics, screen shots, etc.) to another hard drive. I should have copied first and made sure the files were on the new drive. Unfortunately, I did not check and the loss of all my jpg files was the result. So now I have two drives, the one I moved the jpgs from and the one I moved the jpgs to, and both are empty.

I can't for the life of me tell you why the files disappeared from the destination drive, but I know I moved all the files from the source disk to the destination.

I have been up for two days trying to recover from either of the drives. I have used three different recovery programs: EaseUS, Ontrack, and Spotmau. They all bring the data back, but the jpgs can't be opened.

I was so desperate to get my files back that I was willing to use a hex editor to fix, but the instructions are simply not intuitive and I would probably mess things up more. Here is what I am asking:

Suggest a more intuitive tutorial for using a hex editor to recover jpg files. The link below is where the other tutorial is:

http://www.dpreview.com/forums/post/10291113

Recommend a reliable jpg/jpeg recovery software.
I have already tried Picture Doctor and Stellar Phoenix JPEG Repair.

Here is a link to other jpg recovery software. Please advise if they are worth the effort. https://www.raymond.cc/blog/repair-and-fix-corrupted-images/2/


One other note: the two drives have not been written over; they are still in the same state as when I first started to move data.

I am hopeful that one of the EE gurus can help me find a solution.
0
What are some of the best utilities for analyzing a raw dd image for forensic analysis?

So far, I've used Autopsy, Belkasoft (trial), ProDiscover, FTK Imager, bulk_extractor.

All those have been excellent, but I'd like to try something else, if anyone has any suggestions.

-dave.j
0
I'm doing a project for a forensics class, and I've extracted pagefile.sys from a raw image file.

How do I view or parse the contents of the pagefile.sys once it's been extracted?

Thanks

-dave.j
0
Hi, I connected my iPhone 5S to my Windows PC via a USB cable. Pursuant to that connection I was able to see the following folder/file structure:

    - Fulano iPhone                                        (Device)
        - Internal Storage                                 (Root Folder)
            - DCIM                                         (Folder contains 2 sub-folders)
                - 100Apple  --- This folder contains 739 images   (Folder containing image files)
                - 101Apple  --- This folder contains 223 images   (Folder containing image files)

However, I cannot save a file or create a folder into the "Internal Storage" root directory (folder).

Why is that? What is preventing me from creating a sub-folder or placing a TXT file at the root of the "Internal Storage" root folder? How does one get around that, assuming someone wanted to do that?

Your assistance in understanding what is technically happening and your advice would be appreciated.

Best Regards,
Fulano
0
I think the title explains it all :)

I need to convert a raw dd image to vmdk for use on Windows VirtualBox.

I am trying LiveView right now but having some problems with it ... looks like it has some dependencies, like VDDK, and this is not working on my system ... I'll try again .. any suggestions ... I downloaded the VDDK that goes with vSphere and it just does not seem to work... it is a collection of DLLs... but LiveView insists on finding some requirement installed ... and there is no installation media in the .zip file.

I've also found some uncompiled utilities such as dd2vmdk and raw2vmdk ... but I don't have a compiler on this computer and I am not sure they are intended for use on Windows ....

I do prefer Windows as I'm much more familiar with it ...

Thanks for your help

dave.j
0
We had a successful phishing attempt whereby a couple of users were tricked into clicking a link in an email and giving their usernames and passwords.
Really silly, I know.

I can see on our Exchange CAS servers that the phisher then logged in via OWA.
Those compromised mailboxes started spewing out spam.
That's how the problem got noticed.

Our Security department wants to know if protected customer information was accessed in the compromised mailboxes.
I really have no way to determine that.
Like, if an email was read, or if an attachment was opened.

Our OWA is set up so that it presents a choice of Public Computer or Private Computer at logon.
If Public Computer is chosen then file attachments are blocked.

So would there be any way to determine if the attacker came in on the Public or Private option?

Upstream of our CAS servers are a couple of Forefront TMG servers.
But I'm not finding much of use in Reports on the TMG servers.

Also does anyone know of a company that would be able to perform a forensics analysis of this incident?
0
I need a grep and strings for Windows.

Can someone recommend one?

I've done a Google search and found copies that don't work, etc.
0
Hello Experts,

I have a Seagate 750GB SATA HDD that I need to recover data from. The HDD powers up fine and when connected to my computer via a SATA to USB converter, Windows will list the drive letter in "My Computer" but I cannot connect to it. I'm prompted with a "Format the HDD before I can use it" message. I have tried using TestDisk but TestDisk tells me that the file system is corrupt. Is there anything else that I can use to fix the corrupt file system to recover my data? Is there something in TestDisk that I can try to fix the corrupt file system? I tried running a chkdsk from the command prompt but I get a message that the drive is in a RAW format and that chkdsk does not accept that RAW format.
0
Do any of you who have responsibilities for doing forensics analysis of IT equipment for more internal disciplinary cases rather than criminal/prosecution policies have any sort of documented policy around how you can ensure your analysis was targeted based on allegations, rather than a phishing exercise? What does your policy include, and what evidence do you keep from your forensics software to prove you only did analysis in line with targeted analysis rather than a phishing exercise? I assume such a policy also includes who can approve access to hardware for analysis, rather than just the analysts themselves saying it is a good idea. Are there any useful template policies or guidance on how to demonstrate you only followed targeted searches?
0
I would like to know what the technical definition of "content" is as it pertains to MS Office documents. We all know that the word "content," in the vernacular, means something that is contained within something else, such as the contents of a bag or box. That's not what I'm seeking in my question. What I'm seeking is below:

When one creates an MS Word document, a date known as "content created" is established for that document. However, if one creates an MS Word document that has nothing in it, hence no content, we still get a "content created" date, but obviously, there is no content to speak of. So, what exactly does MS Office (MS Word in this case) consider to be content? How does Microsoft define "content"?

I've looked high and low on the Internet for an official definition for "content" as it pertains to MS Office documents, but have not found one. If you read any Microsoft technical documentation, they constantly refer to a document's content, but never define it specifically. In my example of the empty document, there was nothing saved into the document, but we still got a "content created" date. Therefore, there has to be something within each document, perhaps in its metadata, that Microsoft is referring to as "content" and hence issuing a content created date. My question is, what is that? How does Microsoft define "content"?

Thank you,
Fulano
1
Hi, I'd like to know if anyone has an "official" set of definitions for the document properties within an MS Word (or any MS Office) document? I am not looking for the properties themselves. I have those. I need to know how Microsoft defines each property. For example, what does "Content created" mean? What does Microsoft mean by "content"?

I'd like official definitions for ALL of the properties, specifically the properties with dates.

I'm sure MS listed them somewhere, but I can't find a good set of official definitions that aren't guesses or assumptions.

Thanks,
Fulano
0
Hi, I'd like to know if anyone has an "official" set of definitions for the document properties within an MS Word (or other MS Office) document?

I'd like to understand what Microsoft means by the date for, say, "Content created", etc. I need to understand what "content" means, how the document knows that all the content has been created so it can time stamp it, etc.

I'd like official definitions for ALL of the properties, specifically the dates.

I'm sure MS has them listed somewhere, but I can't find a good set of definitions that aren't guesses or assumptions.

If possible, I'd also like to know which date takes precedence over another. In other words, which date should be time stamped before another date.

As mentioned above, I need an official set of definitions or definitions based on a forensic study, not simply a guess of what it should mean.

Thanks,
Fulano
0
I am continuing a project I posted about here previously and having a problem with psexec.exe.

I continue to get an "access is denied" error connecting to the remote computer.

Please help
0
My question pertains to the use of the netcat utility (I believe the developer is Hobbit) in Windows.
I am using this utility (this is for a project and I must use netcat, no other solution).

I am using this utility in a batch file to put a file onto a remote computer.

I am using it as such:
on the local computer:
    type f:\diagsfile.txt | nc %ip_add1% 1234
where diagsfile.txt is the text file I'd like to send to nc (the netcat command) at IP address %ip_add1% on port 1234.

On the remote computer I use:
    nc -l -p 1234 >diagsfile.txt

So on the remote computer netcat (nc) opens a listening port which will accept input and put it into the diagsfile.txt file locally.

What my question is .... is there a way to eliminate the second step, either by logging into the remote computer using credentials (probably via netcat), or by stealth putting it on the remote computer ...

I'd like to eliminate the second step of opening the port and have to do the execution only on the initiating computer.

All this is (of course) taking for granted that the firewall is turned off.

Thanks in advance

Solution must be scriptable (batch file).
0

