Digital Forensics

Digital forensics encompasses the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil (as part of the electronic discovery process) courts. The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved; computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence.


I have been tasked with finding a solution that fits the following requirement:
Project Description:
Ability to track files copied to physical devices (USB drives, CDs, DVDs) and track uploads/downloads to the internet via web portals, email, Dropbox, etc.

The customer is running a small Windows Server 2012 AD environment with around 25 physical and VM systems. They do not care whether the solution is software or hardware based and I have not been given a price range for the project. I would like to create a comparative matrix with a couple of the best hardware and software options with prices attached so that I can at least get a ballpark figure of what they are looking to spend.

So far I have looked at Sonar, Spector 360 and Spy Agent 8 software applications and the Solera and IPCopper hardware solutions. I spoke with a Solera rep, but they said they don't usually work with a project this small.

Apologies if this has been discussed ad nauseam, but I am not even sure what categories to search or if I am looking at the best options. I am wondering what the experts have used or considered. If you could point me in the right direction I can do the deep research.
0
I am using DBAN to wipe hard drives with 7 rounds; is there anything faster out there?
0
Would anyone recommend a software for storing IT Assets (Network resources/ documentation / licensing info). A web based solution would be ideal.
0
I know for a normal SATA drive I have to do 7 passes when wiping the hard drive; I use DBAN for SATA/ATA drives.

What can I use for SSD drives?
0
Does anyone know of a way to find DNS entries and/or IP connection history within offline registry files?

I am trying to find some information on someone who gained remote access to a computer via social engineering and caused some considerable damage.
0
I have a system which is repeatedly trying to make an outbound connection on port 4343. Judging from the pcap I took from the perimeter firewall, the connection is never fully established. It attempts the same public IP for each connection attempt.

I have since made sure this port outbound is not allowed.

Anyhow, I see the system still attempts connections as it is filling up my Deny logs. What is the best way to find out what process on this system is attempting this connection? I have tried TCPView and Currports but neither show this activity. I am not sure if those only show it once the connection is established or not. I also do not see anything from netstat -ano.
0
Hi all,

I have a client where one of the employees left and he feels the employee stole some data.

I was wondering if there is any program that would allow me to do a forensic review, for example determine if any data was copied to a USB drive.

The computer is not connected to a domain; it's a Windows 7 standalone.

Any help is greatly appreciated.

RudyM
0
Hi, we have reports generated using Microsoft Reporting Services. What we are trying to achieve is to get an e-signature on those reports.
We have a commission system that generates 100 reports for 100 users; we need to get a signature on those 100 reports and store the reports along with the signature.

Can someone help us to see how we can do it?
0
How long will EnCase 4.2 spend reading a 500 GB HD?
0
Just got a new Dell 8700 Desktop a week ago. Yesterday it started eating up all the bandwidth on my DSL line (1.3MB Down/.35MB UP). Task Manager shows that a Chrome process is the culprit. When I try to kill the process it comes back in 15 seconds and pegs out my internet connection. Virus scans show no issues. Even when I uninstall Chrome there are still multiple Chrome processes running.

I know it is the new PC because when I take it off the network the problem goes away. Not sure if this is a DoS attack, a trojan that has hijacked my system, or something else.

How do I get rid of this issue and get my bandwidth back? This one process is taking up 100% of the internet bandwidth. Not good. I can send screenshots if that helps. I'm pretty self-sufficient, but this has me baffled... and scared.
0
1. I am looking for developer or other tools or a solution that can help me export SMS and contacts from Windows Phone 7.x.

2. I'd like to ask if someone can recommend software for decrypting ZUNE files (Windows Phone 7.x backup), or maybe only the possibilities for decryption?

I am looking for all suggestions and solutions.

I have a Windows Phone 7.8 Nokia Lumia 800, and I want to export all SMS and contacts in a forensic way.
0
Hi experts...

I've been struggling to open the attached file... can anyone here decode it?

It's been encrypted, but I believe you guys will get it right.

Thanks
Afrikaans-Grade-1-LB-Inside-Page.pdf
0
I'm scanning old documents that likely will never be looked at again, or once in the distant future. Cleaning out filing cabinets: old tax bills, closing statements from property my uncle owned and sold years ago, old school report cards, old wills of my uncle and father who died years ago (estates are settled).

Likely just things our kids / grandkids / etc. will look at to reminisce (sp?) and not much more.

Best way to scan? They are text docs, so I am scanning at 200 DPI; it's the text and overall appearance that's important, not being able to zoom in and see the nuances of the font used, etc.

And then what format? PDF? JPG? Something else? A couple of things are 2-page docs, so as a PDF it's nice that the 2 pages can be in a single file. There's no 2-page JPG, right? TIF would do that, right?

But who knows in 50+ years what formats will still be readable?

Care to guess?
0
I have two hard disks that were part of a RAID-5 array. Our company policy states we need to low-level format these drives before sending them back to the manufacturer for the RMA. I attached them to a Windows box with a SAS to SATA cable and a SATA to USB cable. Windows sees the disk under Disk Management, but cannot initialize it. I've tried under Linux/Parted Magic, but it doesn't see anything at all. How can I format these disks?
0
My email forensics is a little rusty. Here is what I am working with:

Return-Path: <support.7@jonesday.com>
Received: from gideon.mail.atl.earthlink.net ([207.69.200.80])
      by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZZWR3Nl36y0; Mon, 23 Dec 2013 14:17:07 -0500 (EST)
Received: from jonesday.com ([96.46.255.60])
      by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZX44Z3Nl3pK0
      for <SomeChangedAddress@earthlink.net.com, 23 Dec 2013 14:17:05 -0500 (EST)
Message-ID: <001901cf001392029beb8ac8a8c0@BillStanners-PC>
From: "Notice to Appear" <support.7@jonesday.com>
-------------
So to me the Return-Path is probably faked. Is the jonesday email address faked? They used Ximian Evolution for the email client. I'd love to see a strong analysis to see what I am interpreting correctly and what I am interpreting wrong. The payload was malware, but in my opinion clearly targeted. I've used a couple of free online forensic tools, but I don't have the name of the malware. Your thoughts are appreciated. I did see the bit about BillStanners-PC.
0
For each user we had to buy and use an individual user certificate from a third party, which provides a website, to access their website. Now we are planning to buy and use an organization-wide digital certificate (also known as a site digital certificate) from that third party instead of buying and using individual user certificates to access their website. So I want to know what an organization-wide digital certificate is, whether an organization-wide digital certificate is a user certificate or a computer certificate type, the differences between an organization-wide digital certificate and an individual user certificate, how to install an organization-wide digital certificate, and whether we only need to buy one organization-wide digital certificate for all users to access that third-party site.
0
How do I see who has accessed a computer system and what operations he or she has performed during a given period of time? Are audit trails an option to show all record changes, modifications, deletions and creations, with time/date and the person who made the changes, stored as part of their daily desktop activities (from past to present discovery)? Can anyone direct me to case studies or solutions regarding audit trails?
0
Hi..

In order to have secured and trusted communication between our SAP PI system and our partner, we bought a public SSL cert and sent it to our partner for import into their system (so they are able to connect to our server and drop some files). When the partner browses the URL that we gave him, he says that our server is not sending the actual SSL cert that we shared with the partner. That means a cert mismatch error is found, which is halting further testing. During the handshake our server seems to be sending the self-signed cert by default, instead of the SSL cert that we bought. Our side of the OS is AIX and SAP is installed on it.
0
When using PBKDF2 or bcrypt to encrypt the password and sending it through the network, as in this question, "Sending the Password over network", is it OK to send the salt used in the encryption process as plain text to the user?
0
Hello, I need to create an image of my hard drive; it could be dd-style or any kind, using Windows. These are the topics I need:
1.-Create the image of the hard drive in dd format or any format you suggest. What tool to use in Windows, if there is a free one? I heard AccessData Imager is good, but I think it has a cost.
2.-After creating the image, create the MD5 hash from the image and the original HD to confirm it was duplicated 100%. What free tool does this in Windows?
3.-Search in the image for files with the words "spell star". What free tool to use in Windows to search in the created image in dd format or any format you suggested?
4.-Search in the image file for emails with the words "spell star". What tool in Windows to search in the created image for the words "spell star"?
5.-For each tool used in steps 1,2,3,4, whether it has the ability to store log files of each procedure step.

If someone can help me to know what tools to use in each step, free if there are any.
Thank you
0
I have a load of ad traffic that is coming from suspected bots. I do not use Google; this is via our own ad server.

I have 35,000 ad requests, of which 32,000 have come from just 14 IP addresses. This leads me to suspect that it is bot traffic; however, I wanted to try and find a test to prove this.

I have the following IP addresses:

Which I can determine their origin from (IP, hostname and location lookup).
0
Word document containing a full semester of uni work of my friend. She had NO backups and the file was kept on a USB key (hard to believe but true).
I have tried a number of recovery tools including onlinerecovery.com, DataNumen, Corrupt Docx etc. They all fail.
I tried renaming it as .zip and extracting the document.xml - no luck.
Tried a hex editor to see if I could see any text - nothing.
I'm not interested in recovering the images in the file (got those OK). Just need the text if possible (or point me to tools which might work?).
Thank you very much.
Reflective-Journal-Submission-.docx
0
Hi all,

Recently a new client of mine was infected by a ransomware virus (since this infection, his previous IT consultant has gone underground). All of his Microsoft Office files are encrypted and his backup drive is badly corrupted. However, I was able to restore one file from the drive, and so I possess the same file in its encrypted and non-encrypted form. Is there a way for me to find the encryption key from these two files? I tried one utility from Panda Security, but it did not help. Does anyone have any suggestions?
0
Forensics experts: is there any way a Facebook user could accurately tell which users (friends or not) looked at their profile? And when?
0
Are there any free tools used by the forensics community for taking forensically sound copies of a website (or specific pages) as it was at a particular point in time?

Out of interest -- have you ever had any involvement in website forensics, and seeing as content can change at any time, how can you prove the copy you have taken is valid as it was at the time the copy was taken (even if the website/content has completely changed since)?
0