Digital Forensics

Digital forensics encompasses the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil courts (in the civil case, as part of the electronic discovery process). The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved: computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media, and the production of a report on the collected evidence.

So we have a sniffer capturing all network data to protect proprietary info.  Corporate email is easy to monitor since we operate that server.  Users still have personal Gmail accounts -- and all those captured packets look like gobbledygook.  If a Gmail user (assume not https, just http) sends an email saying "our top secret ingredient is chili peppers", why can't I find those packets in my EtherDetect Packet Sniffer?  When I test it by sending to my own Gmail account, I don't find any packets with clear text in them.  Is Gmail using some new kind of encryption that isn't https, but somehow, in the body, they are doing all this encryption?
0
I need to audit file transactions, specifically to/from USB-enabled devices. What is the best way to go about doing this?
I have looked at a couple of tools on the Web, like LyncRMS and SafeGuard Data Exchange. Does anyone have any experience of these applications: ease of use, reporting or effectiveness? Are there any open source alternatives?

The Network I want to monitor in this manner is distributed across a number of sites and totals about 1000 machines. It is made up largely of Windows XP machines.
Alternatively, if there is a method (as opposed to a product) that I could avail of, perhaps through WMI scripting, I would be interested in any suggestions.
Many Thanks!
0
I am looking for evidence of deleted files and folders in Windows XP and Windows 2000. Is there a log for this and where is it located?
0
How can an administrator of Windows Server 2003 know who is logged onto the domain, and from what machine, at the present time or at any time in the past? We are talking about accountability. If I need to monitor users' usage during and after sessions, how and where do I do it?

Thanks,

JPertchik
0
Does anyone know about the anonymous proxy server Hidden24.com?
It's a Swedish company; its privacy policy says that it doesn't keep any record of the client except their user name and password, not even their clients' billing information and IP address.

Is that true, or are they just trying to attract customers?

If it is true, then hackers can use their server to do anything and get away with it.
0
Apparently I have to grant read/execute permission to the Internet Guest Account to use the exec() function in PHP.

This rubs me the wrong way, but I haven't come up with a workaround yet.

The Question:

What damage could somebody do to my web server if the Internet Guest Account has access to cmd.exe?

Thank you
0
We have noticed a user at my work has a profile on our storage server.  He would have to be an admin to get one there.  We have also heard this user bragging that he can bypass the user privileges.

How can we see where he has been on our network?
A search to see which computers/servers have a profile of his?
Any other good info to see if he can truly bypass his privileges?
0
We recently got a threatening email with a Word attachment.  The only way I know how to find out the author of a document is to go into File > Properties and check the author name.  However, there was no data of any kind in the file's properties.  Is there any way to figure out who wrote this?  Is there a program that can do this for not only Word documents but other Office documents as well as non-Microsoft documents?  I've consulted my superiors and we don't want to go to any outside party to resolve this, but we want to know who did this.

Any help is appreciated.
0
I have been using TrueCrypt volume encryption for a long time. It is a nice product, no doubt. But when I see its commercial counterparts like PGP and WinMagic, I wonder how reliable the open source products are. Does any government organization use these products? When you are serious about encryption, you will think of commercial products, as they are tested thoroughly, have been designed by experts in the field and, most importantly, many government organizations are relying on them.

I want to know: when seriously talking about mission-critical data and encryption, should one go for open source tools?
0
Hi,

I recently purchased a Dell Dimension laptop with a fingerprint reader, and because this laptop was going into an XP environment it was "downgraded" to Windows XP also (at the factory, so it arrived ready to go).

However, the fingerprint software it was supplied with seems poor (Dell Embassy software), nothing like the software I've had with other Dells, and in particular it does not have the ability to set up auto login to websites and Windows forms (a very useful feature).

I know this is possible on an XP PC because I have also supplied Sony Vaios downgraded to Windows XP that have fingerprint software that works on XP with website/Windows forms login.

However, I'm told by Dell that I can't get the software for XP. Embassy is the only option and it does not support web form logins.

Is it possible for me to achieve what I want? Surely it must be possible to achieve this with the Dell I have, even if I have to buy alternative software.

Does anyone know if the fingerprint reader in my Dell Dimension would work with alternative software and, if so, how can I obtain this alternative software (to work on XP)?

Note: My personal Vista Dell says the software is from Upek when I click on About.
Thanks in advance.
0
I am trying to determine when a share was created and by whom. I am examining the drive with forensic software and have access to the event logs and registry.

I know the folder was created on a certain date, but I am trying to determine what user created the share and when.
0
A friend of mine told me that he's the victim of an attempted identity theft. He told me that he obtained the IP addresses of the computers that attempted this act (he wouldn't tell me how he got them). My question is this: how would one go about determining exactly who leased the IP addresses at the time of this act? He gave me the IP addresses and I did a whois search, but the whois search on networksolutions.com just gave the name of the Level 3 provider that owns that block of IP addresses. What would be my next step? Thanks.
0
I'm having an issue which I think I understand but am looking for an answer.

I'm working with MS Infopath using a full trust form with digital certificate.  I've issued a code-signing certificate from our Microsoft Certificate Authority server.  

I requested it and installed it on Computer 1.  I sign the form using Computer 1.

Now, I would like to use Computer 2 to design the form.  If I attempt to design the form now on Computer 2, it says the certificate that was used to sign this form is not available and wants me to remove the certificate.

I understand this is because the certificate authority issued and installed the cert on Computer 1.  I understand this must be a feature and necessity of the certificate to only trust Computer 1.

Is there a better way to do this so that more than one computer can design a digitally signed form?  The alternative is to request a new certificate and re-sign the form using Computer 2.  Then every user would have to re-trust the form for Computer 2.

I'm concerned with the future maintainability of forms signed this way.  What is the best practice to do this?
0
I'm in charge of running a team-based video gaming competition. The competition is composed of teams of players that play against one another. Unfortunately, it has come to my attention that some of the more talented players are posing as ringers for other teams in order to artificially inflate another team's record, which is a violation of the competition's rules. It is important to me that all the matches played between members are as above the table as possible. It is also my belief that some of the players involved are using various proxy services in order to mask their originating IP addresses, such that I am not able to determine exactly who is batting for multiple teams.  Here are some of my current contingencies:

All games are to be played on servers that I operate.
The servers use a TCP connection on one specific port.
All access to these servers is granted via authentication of a specific username/password that is given to each player (which they are not to share with 3rd parties).
Players must have installed anti-cheat software which performs a check for known cheat rootkits.

I am able to determine which proxy companies (and their respective IP ranges) are accessing my servers and enabling the undesirable behavior. Unfortunately, I am concerned that simply banning these addresses will result in legitimate players being stripped of access. What I would really like to do is determine which originating IPs behind the proxy are using more than 1 username/password …
0
I was recently on a tech call to try and recover some missing files from a small office that had a laptop returned to them from an employee who recently left, but apparently deleted all of their work files. I was unable to find any MS Office documents and was wondering if there are any programs that can detect if a disk wiper was used. As this is a small office, they won't be sending the drive away for any expensive file recovery services (they'll live without the files), but they were curious to see if the employee had used a disk wipe program.

Any ideas?
0
I need to know the last user to access or change an MS DB without opening it.  TreeSize is an excellent tool, but only tells me the last access date and owner name.
0
I have a client that wants to monitor what websites users on the network are going to, but not spend a lot of money. They want to be able to monitor from a central location, not have to visit each desk to see. I was thinking about maybe installing a relatively simple proxy server and enabling logging. Does anyone know of an inexpensive / open source proxy server that runs on a Windows server? Or of another way to get the logging in a central location that is inexpensive?
0
My boss wants me to find evidence of hacker software on a Windows XP computer. I am not a forensics expert. How do I begin? How could I find keyloggers, hidden files, surveillance software on this machine?
0
I believe my server is very secure. However, I believe it prudent to have checklists for such things.

Does anybody have a good checklist?

It's a dedicated Web/Email server with 1and1.

Thanks in advance for your time.
0
Trying to print the Internet History for a client of mine.  The customer has Vista.

I can open up IE and press CTRL-H and the history comes right up.  I can see back for 3 entire months with no problem.  The problem is with PRINTING the history.  I can't print the history from IE.

When I go into the "%userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low" folder I'm not seeing anything that I can print out.

I loaded up a program called Dutch Duck, and it allows me to see the history, but only back a few days.  Very strange.  I also used a different program to view the Internet History (I can't remember the name of it at the moment), and it also showed only the last 3 days of history.

I don't know for sure, but it's almost as if someone cleared the history files, yet I can still see the history when I do a CTRL-H from within Internet Explorer!  Where is this information in IE coming from, and how do I display it in a printable format?
0
I've been having this phone for almost 2 years now and there was no problem with it until my husband and I divorced. He is computer savvy and he always bragged about how he was a hacker in his youth.  He has been trying hard to stop me from calling the husband of the lady he's cheating with, and a few weeks back I got a message from him with a hidden script that, I believe, remapped my keyboard. The phone didn't respond to anything but the red cancel button. The phone was also calling people, and it looked like it wasn't really random because numbers were popping up on the screen like somebody would dial them on the keypad.
I went to Verizon and, because the phone had the water damage warranty marker red, they said it's because of that. I didn't buy it, but there was nothing else to do. I ordered a brand new phone. A few hours after I activated it I got a message from him wishing me happy birthday (it was my birthday) and the BRAND NEW phone started doing the exact same thing.

My son has looked at it and told me that it is not a Bluetooth hack, since Bluetooth was completely shut down on the phone. He also said that people can send everything they want through email by emailing my cell phone as follows: mynumber@vtext.com
I'm guessing that's how he attached the script to it, but I can't prove it since nobody is willing to do anything about it.

Can you please help me find a company that scans cell phones for viruses, or if there's a software out there, or anything that you …
0