Digital Forensics

Digital forensics encompasses the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil courts (in the civil case, as part of the electronic discovery process). The technical side of an investigation is divided into several sub-branches according to the type of digital device involved: computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media, and the production of a report on the collected evidence.


I'm doing a project where I run several command-line files on an 'investigated' computer and then use netcat to put the results of the 'investigation' onto the 'investigator' computer...
So I have it working using netcat.
I'm using

type f:\diagsfile.txt | nc %ip_add1% 1234

on the 'investigator' computer; it basically is a batch file ported to netcat, with an option

nc -l -p 1234 > diagsfile.txt

on the 'investigated' computer to open port 1234 and accept a file, which will be called diagsfile.txt.

The thing I'd like to do is make it fully automatic on the investigator end, so I don't have to tell netcat to open a port... just have the investigated machine do it automatically.

Is there a way to do that?
0
Following this example:
"File Created 11/04/2013 21:01:19
File Written 12/04/2013 17:23:52
Last Accessed 12/8/2013 10:01:19"
If this info were from a video, and it has the same date and time in "File Created" and "Last Accessed", does this mean the video was never opened or watched?
Also, if the last written date is after the date it was created or accessed (in this case with the same date and time as the example), does it mean the video was opened or watched? For example, if you opened the video with WMP (Windows Media Player), can this change the "Last Written" date?
Which actions exactly (examples) can change the last written date of a video (mp4) on a Windows system? A system defragment? An antivirus scan?
0
We are working with a data recovery group in the hope of salvaging data from a failed laptop hard drive. If I understand them correctly, there is a system area on the hard disk that has a translator module. This module allows the drive to "understand" the data written to each sector. Without access to the translator, the drive cannot read any data. Each module has another copy as a backup. When one is bad, they have a tool that allows the good one to be loaded into RAM so the data can be imaged on the fly. However, in our case, both copies of the translator module are bad.

Has anyone encountered this type of issue and figured out a workaround?
0
Found some interesting-sounding recently accessed files on a Windows 7 machine in
C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Recent

I was after a free utility that will pull out all the relevant fields from each .lnk shortcut file and put them into an Excel spreadsheet in a nice tabular format. The few I tried either put them in a bizarre format or didn't pull all the key fields from each .lnk file, i.e. the location the file existed in, etc.
0
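Added example, not from the original thread: a minimal parser for the Shell Link (.lnk) format that writes one CSV row per shortcut, answering the tabular-export question above. It also bears on the earlier timestamp question, because a .lnk stores the target's Created/Accessed/Written FILETIMEs as they were when the shortcut was made, which is exactly the triple that question quotes. The layout follows the public [MS-SHLLINK] specification; the sample shortcut is built in code (a constructed test vector pointing at an invented E:\DCIM\IMG_12345.jpg on a removable volume labelled KINGSTON), not a file from a real system. The shell item ID list is skipped rather than decoded, and ANSI strings are assumed Latin-1.

```python
"""Dump the fields of Windows .lnk (Shell Link) files to CSV.

Layout per [MS-SHLLINK]: 76-byte ShellLinkHeader, optional LinkTargetIDList,
optional LinkInfo (volume + local base path), then StringData entries.
"""
import csv
import io
import struct
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
(HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH,
 HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))  # fixed order in the file
DRIVE_TYPES = {0: "unknown", 1: "no_root_dir", 2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}
COLUMNS = ["lnk_file", "local_base_path", "relative_path", "working_dir", "arguments", "name", "target_size",
           "attributes", "created", "accessed", "written", "drive_type", "volume_serial", "volume_label"]


def filetime_to_dt(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def _cstr(buf, off):
    """NUL-terminated ANSI string at buf[off:] (code page assumed to be Latin-1 here)."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data, lnk_file=""):
    hdr, clsid, flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr != 0x4C or clsid != LNK_CLSID:
        raise ValueError(f"{lnk_file or '<bytes>'}: not a Shell Link file")
    rec = {"lnk_file": lnk_file, "target_size": size, "attributes": f"0x{attrs:08X}",
           "created": filetime_to_dt(ctime), "accessed": filetime_to_dt(atime), "written": filetime_to_dt(wtime)}
    off = 0x4C
    if flags & HAS_IDLIST:  # skip the shell item ID list; its uint16 size prefix says how far
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:
        li_size, _hdr_size, li_flags, vol_off, base_off, _cnrl_off, suffix_off = struct.unpack_from("<7I", data, off)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath: target was on a local or removable volume
            vol = off + vol_off
            _, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
            rec.update(drive_type=DRIVE_TYPES.get(drive_type, str(drive_type)), volume_serial=f"{serial:08X}",
                       volume_label=_cstr(data, vol + label_off),
                       local_base_path=_cstr(data, off + base_off) + _cstr(data, off + suffix_off))
        off += li_size
    for flag, key in STRING_FIELDS:  # StringData: uint16 char count, then the chars, no terminator
        if flags & flag:
            n = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            rec[key] = data[off:off + n * width].decode("utf-16-le" if width == 2 else "latin-1")
            off += n * width
    return rec


def parse_recent_folder(folder):
    """Parse every .lnk in a folder, e.g. a Recent directory copied out of an image."""
    return [parse_lnk(p.read_bytes(), p.name) for p in sorted(Path(folder).glob("*.lnk"))]


def records_to_csv(records):
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=COLUMNS, extrasaction="ignore")
    w.writeheader()
    for r in records:
        w.writerow({k: (v.isoformat() if isinstance(v, datetime) else v) for k, v in r.items()})
    return out.getvalue()


def build_sample_lnk(target=r"E:\DCIM\IMG_12345.jpg", label="KINGSTON", serial=0x1A2B3C4D,
                     created="2013-04-11T21:01:19", written="2013-04-12T17:23:52", accessed="2013-12-08T10:01:19"):
    """Constructed test vector (not from a real system): shortcut to a JPEG on a removable drive."""
    def ft(iso):  # ISO string -> FILETIME ticks, exact integer arithmetic
        dt = datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)
        return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

    def sd(s):  # StringData entry, Unicode flavour
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    flags = HAS_LINKINFO | HAS_RELPATH | HAS_WORKDIR | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,  # 0x20 = FILE_ATTRIBUTE_ARCHIVE
                         ft(created), ft(accessed), ft(written), 2_457_601, 0, 1, 0, 0, 0, 0)
    label_b, base_b, suffix_b = label.encode("latin-1") + b"\0", target.encode("latin-1") + b"\0", b"\0"
    volume_id = struct.pack("<4I", 16 + len(label_b), 2, serial, 16) + label_b  # DriveType 2 = removable
    vol_off = 28  # LinkInfoHeaderSize with no optional offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_b)
    link_info = struct.pack("<7I", suffix_off + len(suffix_b), 28, 0x1, vol_off, base_off, 0, suffix_off)
    return header + link_info + volume_id + base_b + suffix_b + sd(r"..\DCIM\IMG_12345.jpg") + sd(r"E:\DCIM")


if __name__ == "__main__":
    recs = parse_recent_folder(sys.argv[1]) if len(sys.argv) > 1 else [parse_lnk(build_sample_lnk(), "sample.lnk")]
    sys.stdout.write(records_to_csv(recs))
```

Run it with the path of a copied-out Recent folder as the only argument and redirect the output to a .csv for Excel; with no argument it parses the built-in sample. The volume serial and label columns are what tie a shortcut back to a particular USB device, and the three FILETIME columns are the target's timestamps as recorded by the shell, not the shortcut file's own.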
If a user plugs a USB stick/smartphone into a Windows 7 PC via USB cable, it basically brings up the device as an additional drive in Windows. If they then open an image that is saved on their smartphone via the Windows machine, although in the Recent folder I can see they opened it, will there be a copy/thumbnail of the image viewed anywhere at all on the machine, and if so, can you give any pointers on where to look? I did read about thumbs.db, but I'm not sure they will be of use, as the original device was unplugged from the machine.

Or... is the best you are ever going to get a list of filenames of images viewed, which could be completely anonymous, i.e. IMG_12345.jpg, and not give any clues on content?
0
We have a potential internal investigation whereby somebody is accused of watching inappropriate videos in work time. They suspect the videos were on either a USB pen drive or on the user's phone, which was then attached to their Windows 7 Enterprise laptop. Would there be any obvious places to look for evidence to support whether they did indeed watch such material? If so, can any pointers be provided? Or is it a case of: if the videos themselves were not saved locally on the laptop (i.e. were only ever on the USB drive and/or phone), there will be no real pointers to such activity taking place? I assume there wouldn't be an actual copy of the video played via USB/phone stored locally on the machine itself?
0
I know there are a number of tools that can be run over live systems (i.e. Nirsoft USBDeview), but for situations where you just have an image of a PC/laptop, what files can be copied out from the image, and what tools can produce the same results as Nirsoft USBDeview to get a report of all USB drives/phones plugged into a machine? I can't see any option in the Nirsoft tool to import a file from an image to produce a similar report.
0
We have got a forensic replica of a Windows 7 laptop, and need to determine what kind of websites a user has been browsing (in both IE and Chrome). Our IT section has created a copy of the drive using FTK Imager, but I am interested in:

1) what locations/files can be pulled from the drive image to give clues on internet usage
2) what free tools can analyse these files/folders to get a management-friendly report of the sort of websites they have been browsing?
3) As a general rule, how long will the history go back in either browser? We are not 100% sure at this stage of the exact version of each browser.
4) Is there any way to determine/get a report of all networks the device has been attached to (both wired and wireless) in the past 30 days, including dates/times?

The laptop will have been running Win7 Enterprise, if that assists with suggesting files/folders/tools to use for analysis.
0
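Added example, not part of the original question or answers: Chrome keeps its browsing history in a SQLite file named History inside the profile directory, and the usual mistake when reading it by hand is the timestamp. Chrome stores microseconds since 1601-01-01 UTC (the same epoch as Windows FILETIME), not Unix time, so a naive conversion is off by 369 years. The code below opens a History copy read-only, joins the visits and urls tables so every visit is listed (not just the last one per URL), decodes the transition type, and rolls the result up per host for the kind of summary management asks for. The in-memory database it builds when run without arguments is constructed here using the column names of Chrome's real urls and visits tables; the hostnames and visit times in it are invented.

```python
"""Extract visits from a Chrome 'History' SQLite file and summarise them per host.

Chrome timestamps are microseconds since 1601-01-01 UTC (WebKit/Windows epoch).
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# The low byte of visits.transition is the core type; higher bits are qualifier flags.
TRANSITIONS = {0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe", 4: "manual_subframe",
               5: "generated", 6: "auto_toplevel", 7: "form_submit", 8: "reload", 9: "keyword",
               10: "keyword_generated"}


def chrome_time(us):
    """Microseconds since 1601-01-01 UTC -> aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def open_history(path):
    """Open a History file copied out of the image read-only, so the evidence copy is never written to."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def extract_visits(conn):
    rows = conn.execute(
        "SELECT v.id, v.visit_time, u.url, u.title, v.transition, v.from_visit "
        "FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time")
    return [{"visit_id": vid, "when": chrome_time(t), "url": url, "title": title,
             "host": urlsplit(url).hostname, "from_visit": fv,
             "transition": TRANSITIONS.get(tr & 0xFF, f"other({tr & 0xFF})")}
            for vid, t, url, title, tr, fv in rows]


def host_summary(visits):
    """Per-host visit count plus first/last seen: the management-friendly view of the same data."""
    summary = {}
    for v in visits:
        s = summary.setdefault(v["host"], {"visits": 0, "first": v["when"], "last": v["when"]})
        s["visits"] += 1
        s["first"] = min(s["first"], v["when"])
        s["last"] = max(s["last"], v["when"])
    return summary


def build_sample_history():
    """Constructed in-memory stand-in with the column names of Chrome's urls/visits tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                          typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, from_visit INTEGER,
                            transition INTEGER, segment_id INTEGER, visit_duration INTEGER);
    """)
    t0 = 13010261032000000          # 2013-04-12 17:23:52 UTC expressed in Chrome time
    hour = 3_600_000_000            # one hour in microseconds
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://intranet.example.test/timesheet", "Timesheet", 2, 1, t0, 0),
        (2, "https://video.example.test/watch?v=1", "Clip 1", 1, 0, t0 + hour, 0),
        (3, "https://video.example.test/watch?v=2", "Clip 2", 1, 0, t0 + 2 * hour, 0),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?,?)", [
        (1, 1, t0 - hour, 0, 0x10000001, 0, 0),   # typed URL, chain-start qualifier set
        (2, 1, t0, 0, 0x10000008, 0, 0),          # reload
        (3, 2, t0 + hour, 2, 0x00000000, 0, 0),   # followed a link from visit 2
        (4, 3, t0 + 2 * hour, 3, 0x00000000, 0, 0),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    import sys
    conn = open_history(sys.argv[1]) if len(sys.argv) > 1 else build_sample_history()
    visits = extract_visits(conn)
    for v in visits:
        print(v["when"].isoformat(), v["transition"], v["url"])
    for host, s in sorted(host_summary(visits).items(), key=lambda kv: -kv[1]["visits"]):
        print(f"{host}: {s['visits']} visit(s), {s['first']:%Y-%m-%d %H:%M} to {s['last']:%Y-%m-%d %H:%M} UTC")
```

Copy the History file (and any History-journal or History-wal sidecar next to it) out of the image before opening it; if a -wal file exists, the newest visits are in it and are only visible when it sits beside the database. All times are UTC, so convert to the laptop's local zone only in the report, not in the database.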
I need to determine who created a user in AD. Unfortunately our old system administrator (who no longer works for the company) didn't enable auditing on our DCs. Is there any way that I can find out who created this particular account a few months ago?
0
We have a user who is very concerned that his iMac has had its security breached. The particular user is a bit upset, so it's not easy to get clear information from him; he gives us inconsistent information, some of which is red herrings from his own research.

We have taken some steps to secure his system, such as changing his passwords and ensuring that remote access features like screen sharing and VNC are turned off. The user himself has been clicking on various things in a panic to secure things and has, for example, used FileVault to encrypt the data.

From what we can see at present there are no signs of remote access, and we are sure that we have now secured it by taking the obvious precautions such as those listed above.
But are there any other steps we should be taking to ensure the Mac is secure? Any input is appreciated in advance. We want to ensure we are turning over every stone.
0
Files received via email. Once you download the files to review, the Creation, Accessed, and Modified dates are all the same. This is the date/time you downloaded those files. How else can I see the real metadata?
I need to make sure the security videos are genuine and not edited.

Thanks.
0
We are looking to review our hardware disposal policies to ensure any device that may or may not have stored sensitive or corporate data on it is adequately sanitised, to reduce the likelihood that the data could be compromised. Aside from end-user devices, i.e. desktop computers, laptops, smartphones and similar assets, what other types of hardware need to be included in such a policy? I was thinking along the lines of backup media; anything else?
0
What is the best way to get a list of what files were copied/moved/accessed etc. off a pretty standard OEM Win2008 server? Event Viewer overwrites itself pretty frequently, but they do back up the system state, as well as the file shares where the files in question are. I'm trying to look back to a certain date and see what all was accessed.
0
Dear experts,

We recently had an employee leave our company, and we strongly suspect that she has taken some of our company data and gone to a competitor, since we lost our large account with one of our clients and found out that the account followed her.
I have been instructed to restore any deleted files and emails on her laptop.
I used GetDataBack for files, and PST Walker to find hard-deleted mails, but that is about all I could do.
She had a habit of always emptying her Deleted Items folder; even if I go back to our Exchange backup, I cannot seem to find anything else.
Is there another way for us to recover deleted messages from Exchange? I was also asked if there is any way we can find out whether she copied files off our network folders to an external source, but since we don't have any network monitoring tools currently running, I am assuming that we cannot find such info. In the future, what should our practice be to avoid this type of situation?

Please advise.
0
Hi Experts,

Recently a staff member left our organisation, and the laptop had its restore points removed. Also, all the emails from his mailbox were permanently deleted.

I was wondering if anyone has come across any off-the-shelf software that could delve deep into the hard drive to restore the OST and other files from a previous date, about 2 months ago.

Or is this something that can only be performed by a company with special forensic hardware/software?

Thanks in advance,
0
Hi Experts, I need an expert witness for a cyber case in the Dallas area.
Where should I look to find one who is knowledgeable in networking and AD?

Any input would be appreciated.
0
A customer brought in this computer that, when it opens up to the desktop screen, stops running and shows a message saying that all the files are encrypted; it gives a link to go to, and for a fee the customer could have the encryption removed. However, the link is invalid, and since the system was unusable, I backed up the files, wiped the drive clean and reinstalled the OS. Now all of his files have .jthdooc at the end of each file name, and if I remove that extension, the file will open but is all garbled.
Any help on this issue would be greatly appreciated.
0
When you ran an RFP for an IT security provider to implement monitoring, virtual patching, forensic analysis, security incident handling, zero-day attack software, etc., what did you do? How did you select the provider, and what are the things they cover for you? Who were your choices for this?
0
Hi,

I have identified several directories on my web server that no one in my organization put there. One of them is a WordPress site for Louis Vuitton handbags!

So obviously my server has been compromised, though all active websites are performing perfectly.

What is the purpose of someone planting hidden directories like this, and, more importantly, if I'm using FTP User Isolation and it is unlikely that a password has been stolen, what other vulnerabilities should I look for? Do people use regular antivirus applications on their web servers? I've never browsed sites using that server, so I was under the impression I was pretty safe.

Any suggestions for next steps? I've been tempted to migrate to some newer hardware, but I don't want to bring any security issues with me...

Thanks

Bill
0
What software utilities do you use for forensic analysis/acquisition of both iPads and iPhones?

Also, if an iPhone was set up as a hotspot, would there be any evidence locally of which devices connected to it and how much data was used?

Likewise, if an iPad was connecting to iPhones for tethering purposes, would there be evidence on the iPad of what devices it has connected to and how much data was used? Can you provide details of where any such information may be found?
0
Can anyone recommend a good free WebCacheV01.dat viewer for IE history? The files have been pulled from a copy of a user's PC, so I need something that can analyse them and give a list of websites visited. I can't seem to find much through Google searches in this area.
0
Hi, I want to start an IT business in the IT auditing & penetration testing field. I need guidance, like which services I can start with in this field, what type of service I can provide, how many team members I need, and whether there is any kind of licence I need. I know the question sounds very ridiculous to ask here, but any kind of help will be appreciated.
0
Are there any specific files you could pull from an image of a HDD that you could run through another utility to get a report with a full list of software installed on a Windows 8 machine?

Also, are there any files you could pull from a disk image to run through another utility to get a report of the local security policy settings on a Windows 8 PC (specifically, I'm interested in the auditing settings configuration)?
0
I am getting the following repeatedly in my event logs, but Wireshark is not installed. Does anyone have any insight? Am I being attacked?

Event ID 7000: The WinPcap Packet Driver (NPF) service failed to start due to the following error:  The system cannot find the file specified.

Event ID 61703: Mbamchameleon Failed to obtain file name information - C00000BE
0
I have a client who needs me to create a forensic image of one of their servers. Unfortunately, the server that I am imaging has a RAID volume with a 7 TB partition holding almost 5 TB of data. I am attempting to image to a NAS device that we have on site. The tools I have used up to this point seem to crash part of the way through.
0
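Added example, not part of the original thread: a receiver that does what `nc -l -p 1234 > file` does in the first post, but unattended and with integrity built in, which also addresses the large-image problem above. It writes whatever arrives on the socket (a file pushed with `type file | nc`, or a raw image pushed with `dd | nc`) into fixed-size numbered segments, hashing each segment and the whole stream with SHA-256 and writing a manifest.json, so a crash or dropped connection costs one segment rather than a 5 TB restart, and every piece can be re-verified against the manifest later. The port, output directory, 2 GiB segment size and the 10 KiB synthetic stream used by `demo()` are all assumptions made for this example, not values from the thread.

```python
"""Receive a byte stream into hashed, numbered segments with a JSON manifest.

Investigator side replacement for `nc -l -p PORT > file`; the investigated box still
runs `type file | nc IP PORT` (or `dd if=/dev/sdX | nc IP PORT`).
"""
import hashlib
import io
import json
import socket
import sys
import tempfile
from pathlib import Path


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def receive_segments(stream, outdir, segment_size=2 * 1024 ** 3, chunk=1024 * 1024):
    """Write stream to outdir/image.001, image.002, ... ; return the manifest dict."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    total, segments, cur = hashlib.sha256(), [], None

    def finish():  # close the open segment and record its size and digest
        cur["fh"].close()
        segments.append({"name": cur["name"], "bytes": cur["len"], "sha256": cur["hash"].hexdigest()})

    while True:
        buf = stream.read(chunk)
        if not buf:
            break
        total.update(buf)
        while buf:  # a read may straddle a segment boundary, so carve it
            if cur is None:
                name = f"image.{len(segments) + 1:03d}"
                cur = {"name": name, "fh": (outdir / name).open("wb"), "hash": hashlib.sha256(), "len": 0}
            room = segment_size - cur["len"]
            part, buf = buf[:room], buf[room:]
            cur["fh"].write(part)
            cur["hash"].update(part)
            cur["len"] += len(part)
            if cur["len"] == segment_size:
                finish()
                cur = None
    if cur is not None:
        finish()
    manifest = {"segments": segments, "total_bytes": sum(s["bytes"] for s in segments),
                "sha256": total.hexdigest()}
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_segments(outdir):
    """Re-hash each segment and the concatenation; return (ok, names_that_failed)."""
    outdir = Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_text())
    total, bad = hashlib.sha256(), []
    for s in manifest["segments"]:
        h = hashlib.sha256()
        with (outdir / s["name"]).open("rb") as fh:
            for block in iter(lambda: fh.read(1024 * 1024), b""):
                h.update(block)
                total.update(block)
        if h.hexdigest() != s["sha256"]:
            bad.append(s["name"])
    if total.hexdigest() != manifest["sha256"]:
        bad.append("<total>")
    return not bad, bad


def listen_once(port, outdir, bind="0.0.0.0", **kw):
    """Accept a single TCP connection and stream it straight into segments."""
    with socket.create_server((bind, port)) as srv:
        conn, _peer = srv.accept()
        with conn, conn.makefile("rb") as stream:
            return receive_segments(stream, outdir, **kw)


def demo(segment_size=4096):
    """Constructed sample: 10 KiB of synthetic bytes through an in-memory stream, 4 KiB segments."""
    sample = bytes(range(256)) * 40
    outdir = tempfile.mkdtemp(prefix="acq_")
    return sample, outdir, receive_segments(io.BytesIO(sample), outdir, segment_size=segment_size)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: receiver.py PORT OUTDIR
        print(json.dumps(listen_once(int(sys.argv[1]), sys.argv[2]), indent=2))
    else:
        _, d, m = demo()
        print(json.dumps(m, indent=2), verify_segments(d))
```

Run `listen_once` in a loop (or under a service) on the investigator machine and the port is always open, which is what the first post asks for. Record the manifest's total SHA-256 in the case notes at acquisition time; `verify_segments` then gives a defensible answer to "has this image changed since it was taken", and a failed segment can be re-sent individually instead of repeating the whole transfer.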