Digital Forensics

Digital forensics encompasses the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil (as part of the electronic discovery process) courts. The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved; computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence.

Can anyone recommend any file/data recovery apps for NTFS-formatted USB sticks, to recover user data that has been accidentally deleted? There seems an awful lot of choice, but I'd rather test out any freebies before committing to a paid solution. Anything which could recover data/files from an image of a USB stick taken using something like FTK Imager would be most interesting.

In our test/dev lab we are running vSphere 6.0, 6.5 and 6.7 on different platforms.

We are looking into how to perform forensics on VMs (OVFs, snapshots, etc.) offline.

Does anyone know of any products in the VMware portfolio or partner products that may be a good option for this use case?
Would there be any forensic artefacts on a Windows 7/10 machine specific to emails viewed via Outlook 2010, e.g. subject titles or suchlike? I wondered if jump lists may have entries for Outlook, and then whether each specific email would be classed as a 'file'? Or any other locations where Outlook 2010 forensic artefacts may reside. I want to prove, ideally, the subject titles of any recently opened emails. I am also looking from the Exchange side as well, but client side would help also in this instance.
Are there any tools that can run on Windows 7 which will capture which specific event logs or files (such as log files, or files in general) are updated as a result of certain user actions (e.g. opening certain file types, running applications, plugging in devices etc.)?
If a user plugs a smartphone or USB device into a Windows 7 machine via USB and views an image on the external device, apart from areas like LNK files and jump lists (and presumably certain registry entries) which will show the file name of the image opened, does Windows create any sort of thumbnail on the PC's local drive of the image, or is the best you would ever get the date stamp and file name of the image opened, and not an actual thumbnail of the image itself? The filename in itself isn't of much use, but even a thumbnail of the image would be useful. I am just unsure where exactly on the drive that thumbnail may reside once opened.
If you needed to get some clues on what a user 'did' when they logged into a domain-joined Windows 7 machine, forensically, where are the obvious places to check? I know there are 'recent' folders with LNK shortcuts to see what files they have accessed.
But I am interested to know what other artifacts could be turned to for a fuller picture, e.g. what apps were opened/launched.
I need to make a forensic image of each HDD of a group of our employees' desktop computers; I need the same for their smartphones. What equipment and/or software do I need to make these images without removing the drives?
I am interested in finding out if a lawyer has manipulated the will of my mother, who has since passed. He sent me a copy of it by email and I am wondering if there is any way to forensically inspect the document. I saw a previous answer that said you could go into "inspect" the document to detect changes? Any info appreciated!
HyperV Audit

I notice that the Event Viewer shows most of the administrative tasks completed on a Hyper-V server, but it does not specify the user performing the action (i.e. Event Viewer \ Applications and Services Logs \ Microsoft \ Windows \ Hyper-V-*).

Considering a default installation (no additional software added, no settings modified from the default debugging level), how can I track which one of my administrators performed specific administrative actions in Hyper-V?
Hello,
1. I have an .msg file which is digitally signed and not encrypted, and I could see two attachments from the email: one is .P7M and the other one is .P7S. Can this happen? I mean it should be either a .P7M file or a .P7S file, right?
2. Can a .P7S file support both encryption and digital signing?
3. Can you explain in detail the difference between .P7M and .P7S files?

Would Facebook provide any evidence under any circumstances if copies of a user's posts etc. were required, and to whom would they release this information, e.g. only law enforcement?

Also if a user deleted a post - would FB be able to prove a post ever existed?
Aside from the standard History SQLite DB for Chrome, and WebCacheV01.dat for IE history files, where else on a Windows machine could give clues if a user has accessed a certain webmail service and logged in using a specific email account? I suspect either Gmail or Hotmail. I just want to rule out any other areas where such evidence may reside apart from the obvious browser history locations.
Does anyone know of a free tool which can parse the Internet Explorer history stored in WebCacheV01.dat and WebCacheV24.dat files to see which sites a user has visited? There were loads of tools for older IE releases, with the index.dat format, but I have not found much for the newer ESE databases.
Hi there,
Please can you help me? On my Android Samsung Galaxy S6 there are files stored under /userdata/data/com.microsoft.office.word/app-EmailAttachments.. So, I know what these files are but I don't know how the names of the files are generated.
i.e. /app_EmailAttachmentseaa8ac15-baaf-4675-9f6a-9698e54f0108. This file name belongs to a PDF I have sent. What does the string "eaa8ac15-baaf-4675-9f6a-9698e54f0108" in the file name mean?
Thx
If you used one of the digital forensics imaging tools, such as FTK Imager, on a live system that hosted a database, be that an Exchange mailbox database or a SQL Server database, will the imaging process work and actually give you a copy of the database that can be interrogated in your forensic search tools? My thoughts were that even backups have to follow a specific process which stops processes before they can be backed up, so trying to take an image of a running database is similar to trying to copy and paste it, in that it will result in errors and you won't get a clean copy, or a copy at all?
Greetings Experts,

I need help locating software that is able to take a snapshot of a remote computer's HDD without the end user knowing it. I have been searching the internet and have not found anything so far. Can somebody recommend software that is able to do this type of function?
Are there any free tools which could scan a drive on a file server for potentially inappropriate images, based on a nudity-type calculation? I know these things exist in forensics communities but I have yet to see anything that is free. We need to do a quick scan to ensure one of our employees has not stored any inappropriate material on one of our file servers.
I need to analyze a large number of hard drives to see what files were created by a particular user. What is the best forensic software out there to do this with?
Let's say there's malware running on the Mac in OS 10.9. This malware launches whenever the computer is booted and/or connected to the Internet. Will upgrading the operating system to 10.11 have any effect on the malware, that is, will the upgrade force the removal of the malware?

If there's no other change to the system other than the OS installation, will the malware continue to launch on boot after the upgrade is installed?

We need to do some RAM dumps from a Mac. Is there a functioning free tool out there?

We found a tool called Rekall. However, the documentation is limited. We are not UNIX / Python experts and we really need step-by-step installation instructions.

We know that we can pay $1,695 for Paladin but we'd rather not at this time.
OK... I need some help clarifying details in an email header. Someone I know has been phished/whaled (whichever it is). I want to know how it was done.
A genuine email was sent from Seller@realdomain.co.uk to Client with genuine bank details for a transfer. This was followed up with a scam email requesting a change of bank details. BUT the scam email came from Seller@realdomain.co.uk... (I am trying to find out if seller@realdomain.co.uk was hacked.)

Both seller and client domains are on 365 and have SPF records set up. So I would expect spoofed emails to be rejected.

Anyway, below is the header... I would like to understand what it says; these are some of the questions I want answered:
1. Is it a spoof email or was it sent through 365 servers? (There is no trace in the seller's sent items, but it could have been deleted.)
2. It looks like the email "return" address has been set up as "seller@fakedomain.com.uk" to ensure replies do not reach "seller@realdomain.co.uk" and alert the seller to the scam. I didn't think it was possible with 365 to modify the return address?
3. Can we tell if this was sent through a Microsoft portal or Outlook?
4. I can see an SPF fail in the header... does this mean the email failed its SPF check but was still allowed through?
5. What other information can be gained?

Header
Received: from DM2PR0401MB0973.namprd04.prod.outlook.com (10.160.98.139) by
 BN1PR0401MB0961.namprd04.prod.outlook.com (10.160.79.12) with Microsoft SMTP
 Server…
Given the scenario of a simple text file on a file server share, where a user opens the file on the remote share from their desktop and someone captures the SMB traffic and looks at the pcap file, could you see some of the file contents in the capture? This assumes that SMBv3 with encryption is not used.
I was wondering if anyone might be able to tell me how to read the logs I've gotten from NetworkMiner. My system has been compromised and I'm trying to get information on the people that have done it. I see MACs that are not any of my devices in the logs; are these for sure the possible hackers? Also I'm wondering what all of the other base folders in their system folder are:
all-words.txt
oui.txt
tcp.xml
Changelog
dhcp.xml
etter.finger.os
p0f.fp
p0f.fp.netsa

Can someone tell me what these logs tell me?
We need to prove whether a user has accessed a corporate business system from a specific machine. The audit trails in the system itself frustratingly do not log user access/record access. I am unsure at this stage what language the app was developed in, but I do know the system installs some client software on each user's machine which is used to connect to the app server and provide a front end etc. This isn't opened in a browser, but I was thinking whether you could use Prefetch to at least show the last time the application (client) was launched. Are there any other common areas we could use to identify application access from the client side? Prefetch was the only obvious thing I could think of, but I'm after some inspiration if there may be anything else (Windows 7 device).
Are there any tools on Windows which, for any user activity, show which files/registry info on the system is being updated as a result of the user activity? I am sure there used to be something whereby any user activity, e.g. launching an application, inserting an external USB drive, etc. would show which files/registry keys that user action had updated on the system, in real time, which was useful to see if user activity evidence for specific actions may be retrievable from certain hidden files/logs/keys. I just can't recall the name of the utility. We are trying to see if any action in a specific client/server application is updating any files on the client side which may prove user activity, in a system that otherwise has no audit logging enabled (server/database side of the application).