Digital Forensics

Digital forensics encompasses the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil (as part of the electronic discovery process) courts. The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved; computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence.

Hi guys, something that I have been asked to do on occasion is to look into vague one-off alerts from our security appliance and “figure out what is going on”, so to speak. In some of these cases I think the concern may be caused by an overzealous filter with an ominous-sounding rule blocking the traffic. I was wondering if maybe someone here could point me in the right direction to go in these kinds of situations.

As an example I recently got this email.

Can you investigate this please? It's ******'s PC.


-----Original Message-----
From: *****@*****.****
Sent: Friday, December 12, 2014 1:35 PM
To: ***** ******
Subject: Websense Alert: Critical Severity Suspicious Activity Alert (2 of 100 alerts for today)

Date: Fri 12 Dec 2014 01:35:06 PM EST
Type: Information
Source: Websense Usage Monitor

Suspicious activity has exceeded the alerting threshold for this severity level.

Severity: Critical
Category: Custom-Encrypted Uploads
Filtering action: Blocked
Threshold (in hits): 1

Log on to TRITON - Web Security and access the Threats dashboard for more details about these incidents.

Access TRITON - Web Security here:

---Most recent incident---
IP address: (Internal IP A)
Hostname: (Internal IP A)
Destination IP address:   Port: 80
Threat details: 100-1101-Custom Encrypted Files

I do not have access to the Security gateway due to some …
Other than the one reminding me of my vasectomy reversal, can someone please tell me which one is better and why? We do not mind spending the money for Nessus Eprise, but if we don't have to, would rather not. :) Our need is for audits, compliance, patch management, vulnerability assessments, and server hardening. Of course I like reports with pretty colors and charts as well. :)
This morning on a 2012 domain controller Active Directory server share, all of the Office documents, text files and PDFs got encrypted and renamed filename.extension.phszfud, and I don't see any ATTENTION file, popups asking for money, or other instances of the words encryption and cryptolocker.

I've scanned all the workstations with SEP, Trend Micro and Malwarebytes, finding nothing but a few tracking cookies. Only the files in the share directory of the server are compromised this way, not the other similar files on the server in the non-shared directories.

When I rename a file, deleting the nefarious .phszfud, the file tries to open in its original application and reports corruption. A text file renamed this way has contents that look suspiciously encrypted.

Any ideas on where to look?
Investigating someone accessing, through OWA, an email account on a server that they should not have.

We are going through IIS logs and looking for some way to see what messages/attachments were actually viewed.

The URL when requesting an email from the server includes what looks like a "Conversation ID" in the query string. Here is an example:


Is there any way to tie this back to an email, for example by using MFCMAPI? There is a field called PR_CONVERSATION_ID in MFCMAPI, but the values look like they are in a different format. Here is an example from this:


Does anyone have any ideas?


I am looking for some information on how a Dropbox Business scenario like the one below can be investigated if you suspect there was a data breach and need to investigate it.

Here is the situation:

In a company, the company directory is getting backed up, but the drives on the employees' PCs are not getting backed up. The employee has a personal Dropbox on his employee PC and saved files from the company directory to the personal Dropbox. If the employee gets kicked out and can't delete the Dropbox on the PC, but instead delinked online the Dropbox on the employee's PC from his personal Dropbox,

1) Can the company see if the files from the directory were saved on the Dropbox or just on the employee's PC drive?
2) Can the company see which files were saved on the PC or on the Dropbox (specific files, or just whether it was a PDF or an Excel file)?
3) Is it possible that the files did not get deleted from the employee's PC, and can the company see which files were on the personal Dropbox?
4) Last point is that the company did actually see how many files were uploaded to the Dropbox.
5) Does Dropbox record when you delete files? I mean, is it possible to see later when files were deleted?

Can anyone speak to some of these points, on whether it is possible to find these records and how you would do it?

Found the following service (psexe) running on a user's workstation. I understand that it is part of a suite of tools that some admins will use to help support an environment; it is also a tool that can be used for malicious purposes. Are there any known applications that use this service?

e.g. Spiceworks, PRTG, Solarwinds, Adobe Creative Suite, SQL, etc.
We are trying to lock down our data to prevent leakage. I'm not talking about unauthorized access. I'm talking about making sure that data that people are authorized to access doesn't get into the wrong hands ... such as competitors.

I can lock down my firewall to prevent access to certain sites. I can block webmail internally. I can restrict email ... somewhat. But at least I can see what was sent to whom.

However, if a file is on a laptop and the laptop is not in the office, how can I prevent them from emailing it to someone via webmail? Or downloading it to a web site?

Also, relative to data leakage: we have folks that may travel and occasionally need to visit the business center of the hotel to print documents. We have disabled the use of USB drives because of security concerns. If they use OWA, that will let them print, but it leaves a thumbprint on the PC. And it also gives the ability to leave the document open or download the file without us knowing about it. I've tried to find ways to open and print but not allow them to save, but have been unsuccessful at doing so. When I restricted via HTML access only, the formatting was all messed up when we tried to print it.
We have a machine that has been hacked. The machine is a Windows 8 laptop.

Is there any software on the market that will trace the hacker?

Can you find the hacker's IP address from the event logs?

How can we determine the hacker's IP address?
I am trying to determine who accessed a user's desktop and copied a folder with confidential information to the general file server. Unfortunately, when the user whose desktop it came from found it, and the confidential information in the folder, on the file server, the user deleted it. Is there any way to determine who accessed the user's desktop and copied the folder?

Desktop - Windows 7
Server - 03 r2
I keep receiving spoofed / anonymous emails from regular spammers, but their email headers lead me nowhere. Can somebody give me some basic information on how to do this, or a legal body to report this issue to as soon as possible?
Recently, it was brought to my attention that a server running Windows 2007 Standard edition randomly displays Russian webpages in the default browser without the browser having been launched. It is also defaulting to Cyrillic text when typing in new folder names, or trying to type in the name of an executable in the Run line, or typing text in WordPad on the system. I noticed WinRAR (ru) was also installed, as was Firefox (ru), both of which I uninstalled. I also ran TDSSKiller and it found nothing. I ran Malwarebytes as well, with only a minor "PUP" object discovered. I also noticed a .txt file (2K in size) with a name in Russian, and the contents are also in Russian (I see some email addresses in it with It appears to be a Windows install log file of some sort.

I checked the Regional and Language settings in Control Panel and they are all set to the correct US settings.

I certainly want to find and remove the cause of what clearly appears to be an infection, despite the inability of the tools I have used to locate and remove it. However, I would first like to reset the Windows Explorer setting(s) that are causing anything I type to appear in the Cyrillic font type. So, any assistance on both the search for and removal of the infection, and the correction of the text, would be greatly appreciated.
I would like to build a new lab for forensics in Saudi Arabia. I would like to know the best companies anywhere in the world, including in Saudi Arabia. It is very high priority.

One of our domain controllers appears to have been accessed without authorisation and I would welcome any resources you can point me to or guidance about investigating exactly to what extent we have been compromised.

We have locked down inbound and outbound access to the server network whilst we investigate.

I can see that our SAM appears to have been dumped and some files added as services, so I assume that there is a rootkit at least. These are 2012 DCs, so I'm surprised that this has happened. I thought things were pretty tight from a security standpoint.

This follows on from a Shellshock exploit and so the two may be linked somehow.

Any pointers you can give me would be much appreciated.

We just purchased SolarWinds LEM and noticed a strange message. Yesterday around 14:38, changes were made to many of our service and administrative accounts. The Source Logon ID is 0x3e6 and the Source Account is Anonymous Logon. This is the part that concerns me. Does anyone know what this means or what would cause it? There is information out there, but I simply do not have time to parse through it all. I thank everyone in advance for your help.
Hi & thank you in advance,

Is there a software scanner that I can use to scan computers for sensitive information (social security numbers, credit card numbers, family information) stored in text, Word, Excel, etc. data files? I looked into DLP but the company cannot afford to purchase it.

I am open to suggestions.
1) Can EnCase Forensic image and analyze iPhones?

2) If the phone is protected by a PIN, do you require this to image/analyze the data?

3) Are there specialist write blockers and software for iPhones? If so, who supplies them and how much do they cost?
I have just received a personal mail from a friend in which I was in BCC. I would like to know if I can see the other people who were blind-copied in the email.
I have an ~2-year-old Sony smartphone that, just this weekend, has started to turn on the camera and even take pictures. This seems to certainly be a security hack, but I have no expertise in security.

How do I determine if this is something malicious and, if it is, how to remove it from the phone? While I am familiar with running PC security applications (Norton, Symantec, Kaspersky) daily, I am unaware of such applications for any brand of smartphone and how to properly secure smartphones.

A software called "Clean Master" deleted my SMemo. Are there any tools that can recover those memos?

Is there any free software that can analyse iPhone forensics?

Also, as with PCs, what hardware is required to take a replica copy of the device (are there specific write blockers just for smartphones)?
Hello Experts,

I want to obtain the phone number from an Android phone for forensics with an adb command.
I want to obtain it without operating the Android phone directly.

Any hints welcome.
What is the best practice to help me find an injected DLL in Windows 7 without using antivirus?
I need to know if it can also give what functions were added to this DLL or API, to have a good investigation of virus behavior.

Below is a short 9-frame Wireshark capture between 2 servers separated by a firewall. The capture has been exported to the text list shown below. I need to understand what is being said. IPs have been sanitized.

This came about due to this error message being displayed by the web application:
"No connection could be made because the target machine actively refused it"

Question 1:
Does this conversation prove the firewall is not blocking the communication?

Question 2:
What does this conversation mean?

No.     Time        Source                Destination           Protocol Info
      1 0.000000         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8

Frame 1 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Vmware_9c:00:16 (00:50:56:9c:00:16), Dst: Cisco_24:08:00 (00:19:a9:24:08:00)
Internet Protocol, Src: (, Dst: (
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 52
    Identification: 0x3afc (15100)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x4f17 [correct]
    Source: (
    Destination: …
Is there any free GUI software that can view/search .evtx files (Event Viewer files)?
We have a strong password policy, but I'm wondering about best practices around managing and storing passwords for an organization in written form. Many times, as the network admin, I will need to log onto someone's system as the user in order to access and fix a problem.

In the past at our organization there was a password book where a record of all passwords was kept; sometimes a user would need to log onto another person's account when that person was out or sick, and of course they could find the password in the password book stored in the safe. But as we've grown, and today we force password changes every 6 months, that book can easily and quickly become outdated, and I'm wondering if it's even a good idea to keep a written record?

So my question is: what is the best practice around storing a written (or online) record of employee passwords?

Do you keep password books in your organization? Is it a best practice from a security position? Do you use online resources (Google Docs or another system)?

We are bound by HIPAA rules but I couldn't find anything that references this particular issue.
