Digital Forensics

Digital forensics encompasses the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil (as part of the electronic discovery process) courts. The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved; computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence.

Is there an easy way to get a report of all files accessed/opened by a user on a Windows 2008 file server from a Windows 2008 Citrix server (i.e. a WYSE terminal, not a laptop)? Where could evidence be pulled from on either system? I highly suspect, due to the number of users and files, that the local security policy audit configuration is not capturing files accessed/opened, but I can check.
We have a monitoring tool that is reporting over 40K modified attributes for one specific user. I've checked Microsoft TechNet; however, I don't see these attributes listed anywhere with details. The attributes are:


Is there someone that can tell me what these attributes are used for and why anyone would modify them?
Hi, I am looking for the best free intrusion detection/prevention system for learning computer security. Any advice?
On Windows XP there used to be tons of fairly well hidden folders that contained LNK files for Office-type documents recently opened, which could come in handy for forensics and/or basic troubleshooting. Do you know if there are similar folders on Windows 7 Enterprise edition?

And also, any idea where such folders may exist (if at all) on a Citrix XenApp/XenDesktop server running Server 2008? (Accessed via WYSE terminals.)

The XP ones were:
.\\Documents and Settings\UserName\Recent and
..\\Documents and Settings\UserName\Application Data\Microsoft\Office\Recent

Aside from these folders, are there any other useful folders/files that keep a log of recently accessed files (ideally with the path)?
I am an IT person myself. One of my clients has a Gmail account.
His Gmail has been hacked or the password has been guessed,
and an email was sent to the bank pretending to be him.

The bank forwarded the email, and we would like to know if it was sent from our office, or whether it was hacked by an external hacker.

We tried tracing the email, but as expected, Gmail did hide the originating IP.

I have been trying to contact Gmail for the last week for assistance in this regard.
I need the IP of the sender (from my email) or the IP of whoever logged into my account at that specific time.

I understand a court order might be needed; that is no issue, but we need to contact Gmail to even send them the court order.

Any ideas, guys?
If an admin is suspected of overstepping their privileges and looking at browser history and possibly files of other users, is there any way to determine what files a user has accessed on a Windows 7 machine, or possibly get an idea somehow of what they were doing on a particular system? This is in an AD environment (Server 2008 R2) and Windows 7 systems. I really don't want to install anything on the systems at this point; I just want to have a look around to see if suspicions warrant further investigation. Is there a way to see if a particular user accessed certain files?
Dear Experts,

Here is a strange thing for you. I went to bed Tuesday and everything in my home network was working well.

Wednesday morning before going to work I wanted to reply to an email. My internet is not accessible from my laptop. I see that my wireless connection is established, but my NIC card is not connected to the Netgear router. The Netgear router is not able to connect with the ISP modem, not obtaining the public IP address.

I came back that day and figured that my Raspberry Pi also does not have connectivity via NIC with the Netgear router. After checking the Netgear router I see that all its network cards are not able to establish a connection. I called Cox to see if it was them and it wasn't. I put a second laptop (work) in the network and got the same result, no connectivity. I put that same laptop directly on the ISP modem and yes, I get to go to the internet this way. So for sure it was not my ISP modem.

Basically all the NICs are affected for the Netgear router, Raspberry Pi and even my laptop.

To make matters worse, I purchased a new home router and my laptop now only works with the wireless card to access the internet, and it shuts down every ½ hour or so. It shuts down if I do certain things like download something from the web or try to check this file that I see in the event viewer, an "MSS.log" (C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log).

For all this to happen overnight leads me to believe that my systems were hacked …
I am looking for people who have used Sandboxie and can tell me what they used it for, and what worked/didn't work. I want real world experience as opposed to promotional material from the vendor. In particular, whether anybody has used it for TSRs or to separate two programs that use slightly different versions of a similar database engine.

If you have not used Sandboxie please refrain from answering; I am only interested in Sandboxie field experience. This is not a general question about sandboxing. I say this because I have now posted twice asking a similar question and was responded to by people without any Sandboxie experience. At this point I only want to hear from Sandboxie people; hopefully there are some out there.
Hi all, my company has a few file servers, but our main file server hosts many departmental and functional group shares as well as user redirected home folder shares.

Recently files have started going missing in one of the shares located within a specific functional group folder. I need to audit access to these files/folders and only these.

I followed the directions here:

The file server is a physical file server running Server 2008 R2. When I go to the local security policy and turn on Audit Object Access per the instructions, hundreds of entries start piling up in only one minute in the security event viewer, for the entire server! Not where I told the server to spend time auditing! When I look at the auditing settings for all these other areas there are no settings whatsoever, yet all these access logs are being created. This makes the feature absolutely worthless to me. I only want to audit one or two folders which are rarely accessed in the first place.

Any thoughts?
Hello Experts,

I have a student who took a screenshot of her grades, and I'm assuming she altered the screenshot by giving herself an A. However, when I log into the system her grade is not an A. She claims that she did not alter the screenshot and claims to have been hacked. How can I determine if she did in fact alter the screenshot?
I am trying to find out who is sending me emails by analyzing the email header, looking for "X-ORIGINATING-IP"; however, it has been removed by MS. Is there any other way to get this information? I have the mail header, which contains this info: "X-TMN: [MFL/CsAQEKwS6FBaH6erkgcbcjS7fbWLKme6V2pHuA8=]". Can X-TMN be decrypted?

Thanks in advance
How can I find out if the following message is true or not:

[[sent from:]]

Hi Tom,

Someone recently used your password to try to sign in to your Google Account *** This person was using an application such as an email client or mobile device.

We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:

Sunday, June 8, 2014 11:43:48 PM UTC
IP Address:
Location: Santa Fe, Santa Fe Province, Argentina

If you do not recognize this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately.

Reset password  

If this was you, and you are having trouble accessing your account, complete the troubleshooting steps listed at 

The Google Accounts team      
This email can't receive replies. For more information, visit the Google Accounts Help Center.

I have used a lot of forensic tool kits and spent a lot of time connecting the dots. I have been searching the internet for a serious enterprise forensic analysis software tool to be used in-house and would like to know if anyone can share their personal experience with a robust forensic analysis tool. I am open to suggestions, and I do understand that some of the tools are expensive, like 50k and up.

Thanks in advance.
Actually I have developed the following code, which is working fine in JDK 1.7 but not working in JDK 1.4. My code is:

          import java.security.KeyStore;
          import java.security.cert.X509Certificate;
          import java.util.ArrayList;
          import java.util.Enumeration;

          public class ListWindowsCerts {
              public static void main(String[] args) throws Exception {
                  // Open the current user's Windows certificate store ("Windows-MY")
                  // through the SunMSCAPI provider; no file or password is needed
                  KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
                  ks.load(null, null);

                  // Collect every alias present in the store
                  ArrayList al = new ArrayList();
                  Enumeration aliases = ks.aliases();
                  while (aliases.hasMoreElements()) {
                      al.add(aliases.nextElement());
                  }
                  int noOfCertificate = al.size();
                  System.out.println("Certificates found : " + noOfCertificate);

                  // Look up each certificate by alias and print its issuer
                  for (int i = 0; i < al.size(); i++) {
                      X509Certificate cert = (X509Certificate) ks.getCertificate(al.get(i).toString());
                      System.out.println("Issuer          : " + cert.getIssuerDN());
                  }
              }
          }

This code is working in JDK 1.7, but when I try it in JDK 1.4 an error comes up, like: no such provider: SunMSCAPI

So please help me: how do I solve this error on JDK 1.4?
Hello Experts,

Lately I have had a few customers come to me with infections of CryptoLocker. Is there a 100% solution to recovering the encrypted files that CryptoLocker encrypts without obviously paying the money, which I would never do anyway?

Is there a tool or any tool out there that can decrypt the encryption that CryptoLocker creates?
A user of mine has received a highly offensive email with a Word document attached.
Now the email originated from a Hotmail address, which I know anyone can register for free to set up an account with false details.

Is there any way I can inspect the .docx file we've received to find the user's name or computer name? Anything that could indicate who created/saved or sent the file?

I have right-clicked and inspected the properties, but the author, company and last saved by are all blank.

Any help will be greatly appreciated!

Could it be possible to trace or get more information from the source of a fake email sent by service?

Thanks in advance
I'm looking for an easy email header analyzer tool for Windows. (To be used in computer forensic case)

We prefer open source, but we can also buy commercial software.

Could you tell me which is your favorite tool for this purpose?

Thanks in advance

I am trying to DEPLOY the Symantec DLP agent via SCCM. I have modified the MSI properties with Orca. I have created a .bat file that points to the MST file with the settings.

The problem I have is that I get the following errors under completion statistics:

Device      User                  MessageID   Status Type   Description
SXS-1234    NT Authority\System   10006       Error         1619

In the CCM\Logs directory I see this in the CAS log:

<![LOG[Saved Content ID Mapping COW00034.1, C:\WINDOWS\ccmcache\m]LOG]!><time="09:42:49.005-60" date="05-07-2014" component="ContentAccess" context="" type="1" thread="3060" file="cachedcontentinfo.cpp:188">
<![LOG[Releasing content request {67EDB127-F72E-4F2E-9E9D-CFCE8E1D82CC}]LOG]!><time="09:43:13.677-60" date="05-07-2014" component="ContentAccess" context="" type="1" thread="5668" file="contentaccessservice.cpp:1861">
<![LOG[All references to Content COW00034.1 in cache have been removed.                   Content will be Tombstoned.]LOG]!><time="09:43:13.677-60" date="05-07-2014" component="ContentAccess" context="" type="1" thread="5668" file="cachemanager.cpp:767">
<![LOG[Saved Content ID Mapping COW00034.1, C:\WINDOWS\ccmcache\m]LOG]!><time="09:43:13.693-60" date="05-07-2014" component="ContentAccess" context="" type="1" thread="5668" file="cachedcontentinfo.cpp:188">

Any ideas?
We have a Fortigate VPN gateway and would like to implement "Certificate Based Authentication" for the VPN client. Our VPN gateway is located in the Internet DMZ. As I am new to VPN, should we use an external or third-party CA (e.g. VeriSign or GoDaddy), or can I use an internal CA infrastructure?

If an internal CA is used, should I put my CA server on the same subnet (i.e. Internet DMZ) or can I put my CA server on the internal network? But I am concerned about how the external VPN client is able to contact the CA server if it is an internal server.

Any hints or suggestion would be highly appreciated.

Thanks & Regards

Can anyone point us in the direction of expertise to help us track down the sources of recent SYN flood attacks? We seem to be unusual in that we are getting persistent attacks, and we need to understand whether this is one source or several.

Any advice would be most welcome

Many thanks

Seagate Barracuda 7200.11, 500GB, ST3500320AS, SD15

Background and symptom:
In external SATA enclosure, it spins up, makes the normal reading noise (Not clicking) for 1 second and just keeps spinning quietly...

Trying to see if it is possible to revive the drive and recover data

Not sure of the purchase date. I read it could be a 0 LBA error or BSY error.

Does anyone have experience with this type of issue?
I just hesitate to do anything to make it worse before I know more about this subject.

Any ideas or feedback would be appreciated.

Hello Experts,

Has anyone integrated a CMOS camera with a BeagleBoard or Arduino board before? If so, can you provide the model or brand of the camera and the steps to integrate the module?

I have a Western Digital hard drive that I need to get some photos off of. The laptop it came out of will not boot, so I took it out and put it in an external HD enclosure. My Win 7 computer will recognize the recovery partition for a few minutes, then it will recognize the main partition and ask to format the drive, then a few seconds later, boom, both partitions go away with no error. If I go into Computer Management and then Disk Management, I see the 280GB drive but it will not initialize; I get the error "cyclical disk error" when I try to initialize it. I have the EaseUS Data Recovery software I normally get data off of drives with, but it has to recognize the hard drive to mount it. I'm at a loss with this drive; can someone recommend any other way for me to get the data off with some type of software?
Hello experts, we recently had some suspicious activity on our Exchange 2K7 server and I'd like to further investigate possible issues. I was wondering how I would go about creating an alert or filter so that I am made aware of any other user accounts logging into somebody else's mailbox. Any help would be deeply and gratefully appreciated. Thank you