Digital Forensics - general-discussion-and-questions

Channel added based on the poll in #announcements. Let's give this a trial and see how it turns out. Fire away!

1

anyone got any ideas for university studies or projects i could do in my 3rd year ? (just thinking ahead)

dfir related?

6:17 PM

Implement Laika Boss: https://github.com/lmco/laikaboss/blob/master/LaikaBOSS_Whitepaper.pdf

lmco/laikaboss

Laika BOSS: Object Scanning System. Contribute to lmco/laikaboss development by creating an account on GitHub.

6:17 PM

there's already some code on the github

Not sure how useful it will be for anyone but there is currently a free SQL Masterclass by Udemy going on hot uk deals. Seems more based for business analytics on postgresql. If you're interested here's the link: https://www.hotukdeals.com/deals/learn-sql-course-free-sql-masterclass-sql-for-data-analytic-udemy-3169505 (edited)

Learn SQL Course FREE: SQL Masterclass: SQL for Data Analytic @ Ud...

All Credits to Cartman_SP who is the original founderSQL course covering important topics of Business Intelligence for SQL Database ( PostgreSQL ) from Beginner

@RABIDFOX what's your coding background?

1:08 AM

And what are you interested in?

1:08 AM

(I ask the coding one first because I have a coding project ha)

@randomaccess i dont know much just some basic java and SQL

Hmm ok

1:22 AM

And what kind of projects do people usually do?

all sorts really im not sure i have a project fair on monday where we will talk about it a bit more

1:24 AM

but things like examining a specific program for artifacts such as skype for example would be something

Great! There's plenty of room for that kind of project without coding

1:26 AM

I mean pick a few apps off the various stores and pull them apart

1:26 AM

Hotel apps might be an interesting one. See what they store in clear text. But may be difficult without staying at all the chains

1

We've had a few cases where we have had to do some digging into various hotel apps (booking.com etc). A general study on them would be useful for us as well

@K23 people should post this stuff on aboutdfir! Even if it's a passing "I really should look into this" Because someone may be looking for something or may have already done it

1

Just submitted it, cheers

Since Sanderson Forensics is on hold at this moment for bereavement leave, what are you guys using for SQL forensics, ?

Any word on when he comes back, if at all?

I've been trying to figure that out. Our licenses are still working, but if he disappears forever I don't know what we'll switch to.

looking back, i should have gotten a multi year licence.

literally just some sqlite db viewer

@Sudo how about handling deleted rows / wal files.. i know the free stuff doesn't look at that

probably not no

6:31 AM

I never said we were up to speed on sql forensics

Did you try the PA SQL Wizard?

Good point Ron. I know it does a good job for deleted records

1

Anyone have good white papers on cloud forensics? My employer wants me to get up to speed and I’m looking for credible resources

What are you looking for in particular? Best practices or particular scenarios.

Working with AWS and deleted containers and more or less the ins and outs of the process. I guess the basics or how to apply traditional forensics to the cloud. I have many years of experience with non cloud related forensics.

I've spent the last 2 years figuring out dfir for the cloud - it has been an incremental approach.

5:48 PM

EC2 instances - that's traditional forensics (except for the ephemeral stuff).

5:48 PM

the rest of the services - we log the heck out of things and splunk it.

5:49 PM

the forensics at that point becomes turning the minutiae of the logs in to macro events (50k foot level).

5:49 PM

e.g. what does it look like when someone turns an S3 bucket public - and then turns it off

5:50 PM

adds IAM roles, accounts, creates instances from stacks and all that.

5:51 PM

check acloudguru - official AWS training (free too) use a free account and start playing. If you haven't used AWS yet, then everythign at this point is at the concept level. Need to get used to the terminology

I appreciate your response and will check out the acloudguru material. Thanks

Forensic Browser is my go to SQLite tool, but my second choice would typically be Oxygen Forensic Detectives SQLite viewer (which can be run standalone). Doesn't do as good a job of deduplicating fragmented records but it's the best alternative I've seen

4:18 AM

Ribbon from CCL Forensics has a SQLite viewer which I think does a decent job with deleted records, but it's been a while since I've tried that particular feature

Anyone actively use timeline presentation tools? Any real world experience? Not for dfir anakysis but for presentation to suits

I have four phones 2 Iphones and 2 Samsung devices sealed. They were shipped to a person who is involved in a scam. Apparently for him reshipping items he might win 2.8 million who new.... Well wondering if I can track the items back to where they were purchased with the IMEI. anyone ever done this?

Novice level python user looking for help on some grad school project questions. Need help with explanation behind the code used and not just told the answer. Anyone willing to help?

do you have an example of the questions you will be asking

Create a list with 5 team names (strings). Create a separate list to hold game scores. Use a loop to prompt the user to enter a score for each team. Add the score they enter to the game score list. After the data entry is complete, print the highest and lowest game scored. Seems like I can understand all of the commands separately when in a lecture, but have a hard time comprehending how to combine them while completing labs.

so for this portion

1:13 PM

Create a list with 5 team names (strings). Create a separate list to hold game scores. Use a loop to prompt the user to enter a score for each team. Add the score they enter to the game score list. After the data entry is complete, print the highest and lowest game scored.

1:13 PM

are you looking for a Systems Design answer, a list of the functions and steps that would be created (think a flow chart)

1:14 PM

sometimes writing the answer in Pseudo code format helps with these tasks

Yes I am looking for a “how to” almost. I’m appreciative of any help offered but also have 0 background knowledge and just downloaded python onto my computer yesterday. I have notes from an intro lecture on how to do a simple loop for counting up or down. And I know how to prompt someone to enter a value. But I have no idea how to put all of this knowledge together to write this specific command.

@echo i will take a look at some old class notes and pass along anything useful

Thank you. A list of commands and the steps would be extremely helpful. I have no idea what I am doing or how to approach these types of questions.

The questions are pretty basic, they are just testing knowledge of syntax and its functionality

1:23 PM

it will come easier as you start practicing the subject matter

1:25 PM

here is a good site to just learn about lists in python, it covers recursingthrough a list (the loop question) http://effbot.org/zone/python-list.htm#overview

I understand the level of basic these are, that is why I said novice user seeking help. I have 0 familiarity of anything involving programming. 0 knowledge of the language. I was just hoping for a push or hint to help me get started on this specific problem so that I may submit this lab question on time. Thank you for the link.

@echo theres an app in the google store which can teach you some basics of python

https://play.google.com/store/apps/details?id=com.sololearn.python&hl=en_US

Learn Python - Apps on Google Play

1

Looking into dongle server or virtual usb dongle server. I have seen the SEH products but I am curious if anyone has used the virtual here windows usb server ?

10:02 AM

in there labs

10:03 AM

I am not sure if it would be worth purchasing hardware for 2k for the 16 port dongle server rack or looking into virtual dongle rack

We have been using VirtualHere now for a couple months. So far it's worked flawlessly. The server is running on a Synology NAS, but there are many ways to do it.

do you know of any reason that one would need a dongle server rack over something virtual

10:26 AM

I am trying to see the pros and cons

10:26 AM

I was just going to launch the hardware on my evidence server and buy some hubs and test it out

10:26 AM

but not really sure

Does the VirtualHere now work with Cellebrite if you RDP into the machine ?

I am not looking for offsite stuff

10:29 AM

just internal

10:30 AM

but I think that is a pro for the dongle server rack mount

I'm not aware of any benefits to the hardware server. There may be some, but it was such a price difference that once I saw how slick VirtualHere is, I stopped looking at the hardware. I paid $50 for the software plus another $100 for a nice USB hub, versus $1850 for the hardware version.

10:31 AM

I keep ours on a local network so I haven't tried off-site. No problems with Cellebrite locally. I would expect it to work though.

Is the $50 a one time cost? Or recurring? Either way it's nominal

I think its yearly

10:31 AM

but 50 bucks a year

That's nothing. Don't go to McDonald's once per month for a year and that pays for itself

haha

That's how I justify purchases in my brain sometimes

i know my way around the area by the restaurants

I was under the impression it is one time. I just looked at the website and it's not really clear.

I believe VirtualHere is a one time purchase. I have been using it in my lab for a few months and love it. Works perfectly.

We've tested and are about to install in the data center a Digi AnywhereUSB device. We have a couple virtual servers running forensic software, and physical servers are being phased out. Our use case may be a bit different, but my experience has been this device works well. We have the 14 port model, which can split out USB ports to up to 14 different computers. Not a cheap option, BTW. About $1,500

We had issues with virtual here for some reason. But I think it was the config stuff. I'm not sure. The seh utn servers are fantastic. Super simple to setup. Just expensive

2:42 PM

But by gd I never have to go find who has a dongle stuck under their desk in the back of a machine

2:43 PM

Looking into a method of tracking dongle usage ATM actually. Found some software I'll need to get a license for. Otherwise have to write it :(

Can anyone point me to a white paper or research regarding the difference in artifacts between physical hard drive and a snapshot from AWS Cloud?

can't piont to a paper, but

6:18 PM

a snapshot can't be interacted with forensically - what you do is create a volume from a snapshot which you can then treat as a physical disk.

Has anyone seen exif data for a camera photograph that has Data originated/date digitised being the same And then another field called timestamp. That's a similar date, but in a different date format. I think it was a Pentax camera from the early 2000s

8:08 PM

But by similar date I mean same day, but the time is different

In a Facebook extraction ( extracted with token from a mobile ) I find some locations in the bookmark section. Anyone have any experience with what kind of locations this is ( actual places the user has been or locations saved by the user without being there )

@EFU003, as normal, it depends. If you think about FB, you can tag a location of a post or a picture without actually being there. So i'd be hesitant saying that the device / person was actually there. Similar to Instagram (edited)

A couple of days ago there was a discussion on VirtualHere/Dongle servers ( @San4n6 @Joe Schmoe @Andrew Rathbun ). There was a brief mention of accessing these remotely. Does VirtualHere behave well via a VPN? Our potential use case would be that our trainers could connect to a VPN that we run and then use the dongles over that. I'm aware that VirtualHere offers a paid for VPN service, so I assume it's simple enough to manage directly (and freely!) (edited)

I managed VPN on my own.

7:46 AM

Using OpenVPN

Great, thanks! At $49 it seems like such good value, just wanted to make sure everyone will be able to use it

Sounds like a good solution, with split tunneling onyour VPNclient should make field work much easier

does anyone know the most current pricing for Belkasoft evidence center single user with dongle? I wrote them an email but haven't heard back

Morning all, do we have any UK LE that have broached cloud forensics yet? I am looking to gather advice on the legal side.

@Law Enforcement [UK]

@Rom yeah we have

6:36 AM

we're a little bit outside of the UK realm, but still follow it pretty much

6:36 AM

so far, from other forces I've spoken to, plus our own internal musings, it's very much up in the air

6:37 AM

the current thoughts around it are basically just, try it on until someone says otherwise

@Rom The Information Commissioner (the ones who review if LE are behaving with this type of thing) published a report to say that accessing a cloud would be intercept, but can lawfully be done with a property interference warrant. It sort of fits the legislation-ish... This is a chief constable authority for crime matters. However not sure how this has changed with the new IP Act.

10:41 AM

@Rom Some police forces just do it as a matter of course, others are more wary.

Does anyone have experience or knowledge of the Origin Fields from metadata of an IMG file ?

3:43 PM

3:44 PM

I've never seen it populated before

3:44 PM

The program name has the first 3 characters of the mobile device model #.

3:47 PM

Question the ADA asked is it possible to ever tell where a picture came from ? My experience is I've only seen make and model of a device and never the serial number

@Jay528 I've never seen the serial number of a camera in any image metadata.

I've seen the serial number once actually. Photographs were taken between 2000-2004. Can't recall the camera model though

12:35 AM

But never on mobile phone cameras

got it

5:16 AM

thanks

@Rom we use S20 PACE which seems to be tailor made for cloud data. As long as you're doing it from the premises you're lawfully on and you're aware of unlawful interception of communications, it seems safe.

9:00 AM

Re camera serials - it's common on DSLRs and a handful of others. Some Fuji compacts used to have it on. Never seen it on a phone.

thanks

@wibblypigftw what about when your at the office starting from an extracted token?

Nope, that's out of scope because you're not at scene. So you'd need the owner's consent - that's under RIPA anyway, there are probably provisions in the IPA but I don't know them yet

. To my thinking anyway you'd be committing an offence under the Computer Misuse Act by going into it without a warrant

I have a defense expert who will be testifying that they can match the photo to the make/model and exact device

@Jay528 do you know if they're basing it on something like this? https://www.mobiledit.com/camera-ballistics/

Camera Ballistics — MOBILedit

Overview of Camera Ballistics product features and functions.

No idea which metadata field they are using

9:45 AM

i am leaning towards the windows date created

9:45 AM

and not the EXIF

9:46 AM

They're saying the officer couldnt have taken the photos because he was not there

@OllieD played with that a bit. Works well

Yeah I've seen it demoed using a DSLR, not seen it with a mobile device (which is my focus)

1:20 PM

Good results on those too? I've seen that they have it listed as a use case but didn't know if the average camera sensor is detailed enough for that kind of analysis

Did anyone ever find out if the $50 for virtualhere is a recurring fee?

1:36 PM

website says "Very competitive per unit cost (no monthly fees or update fees!)"

1:36 PM

so i am guessing its not....

1:36 PM

just was wondering from people's experience (edited)

not 100% certain on this, but I think it's restricted to 1 machine

2:09 PM

So once it gets activated, it has to be on that device, if you need to put on another machine, you need another licence. but again, I'm not 100% on this

It is tied to one machine.

@OllieD did some comparisons between pictures on a phone, pictures taken with that phone,and then took photos and it accurately identified which ones were taken on that camera

1

If I recall correctly, I read awhile back that there was a way to determine with a high degree of certainty which camera took a photo of you had the camera in question or a known photo from that camera. The method compared the specific jpg compression standard used by the camera. The compression was impacted by imperfects in the camera sensor that would allow someone to make a "fingerprint" of the camera. When I initially read it I believe it was just in the concept phase but maybe that's what they are doing.

@4n6_Guy(Kevin Salhoff) That's exactly what the Camera Ballistics product appears to do: build a fingerprint based on sensor imperfections

1

I think the program griffeye can do that.

There have been papers on the topic going back to at least 2006: https://ieeexplore.ieee.org/document/1634362

1

Does any one have a template for a subpoena, search warrant or some sort of legal process to send to IMO or services like LiveMe or Up live to get video content back?

9:54 AM

Please send me a PM if you do.

FYI @everyone , if you've previously been an EFT dongle user, please reset your password! I've just found a data dump that appears to include a lot of users details with passwords in plaintext. I'm going to ping a copy over to Troy Hunt to update HaveIBeenPwned but wanted to give you all some advanced warning!

8

9:02 AM

And apologies for tagging everyone but some quick grepping includes the email addresses of several people I know

thanks I am changing mine now.

Thanks for the heads up @OllieD. I'd say that's worth the everyone mention

2

Any idea how old that dump is? I do remember that EFT reset my password 2-3 months ago

November 18 is the date I've got here on the file, so that would fit (edited)

9:06 AM

The dump contains user registration dates and the last date is 2018-10-12

9:07 AM

About 18,500 users

Damn, got my dongle delivered 11.10.2018

What case management software solutions are being used in your work area?

We are using Lima Forensic Case Management . Made by IntaForensics

1

We are getting started with Atlas from Magnet Forensics.

@Adam Cervellone how is it? We use an Excel spreadsheet

We are still in the very early stages but once we work out some kinks I think it will be good. I am hoping by end of next week we can start using it for evidence intake.

@Forensic@tor We wrote our own, using filemaker (edited)

question: why is it so hard for forensic tool developers to get reporting right

We also use a self developed solution, shared with the regular forensics

you know that humans, non-techy humans at that, have to be able to know what the hell is going on right

I couldn't agree more @Sudo ! I've had evidence reviews recently where I saw the flaws in some of the tool reports from a non-techy perspective and it drove me nuts!

I think it's just death by information a lot of the time

2:15 AM

it includes stuff like the offset for the data, or the raw html of an email

2:16 AM

most people aren't going to even know what all that means, so trying to find the actual evidence in a generated report is like minesweeping

1

Agreed. I find that oftentimes the tables in the reports are the hardest to deal with, especially for evidence like SMS and chat conversations. I would like to see some sort of an option (if it doesn't exist already) to have a "conversation view" in a report

yeah

2:26 AM

been saying that for ages

2:26 AM

I'd just like it to be modular you know, let me choose what to include in terms of output

2:26 AM

and for chat or conversations, an export in a chat view type format

2:26 AM

I think XRY are furthest ahead on that last front

I suppose it depends on what you’re using the report for.

@Forensic@tor We are also using Lima from IntaForensics. It's been very good for us for the last 6 years. (edited)

court mostly

7:00 AM

but also interviews and meetings etc

Yeah so. For court and whatnot, and this is one guys opinion mind you, I write a very verbose report. I use tool reports only as addendums. And rarely an actual tool report, but rather things i am highlighting that bring me to / support a conclusion or opinion. Yes it takes longer. But it has been far more effective in my experience.

Oh yeah no doubt

7:03 AM

I do exactly that too

7:03 AM

I write custom reports for the most part

7:03 AM

Much better imo

So. The tool report is really meh for me. Although I do agree they all pretty much suck.

But sometimes you do just need the quick, overview report of the data you've tagged and what have you

7:03 AM

like for file times or something you know

I don’t disagree. And that’s what they are good for, IMO.

or something like, we're going into interview and want the emails to put to them

7:04 AM

and yeah, that's what I use em for

7:04 AM

but still, I just feel like it could be better presented for non dfir people you know

7:04 AM

I'm just popping off that's all

7:05 AM

usually it's no big deal cuz like you say I write a report and can add in exactly what I want

7:05 AM

but sometimes...

Oh. I get it. I’ve had an hour plus call this morning where I’ve all but turned the business on it’s head. So. I’m a little salty myself

1

7:06 AM

I totally get what it's like being a developer too so, I don't wanna be too mean

Yeah those guys generally do good work. Reports are almost an afterthought it seems. I always liked FTKs reports for their purpose.

yeah they do

7:07 AM

I mean I personally appreciate having that information

7:08 AM

but I know that the guys I hand it to don't as much haha

7:08 AM

that's why we work with the reader type files these days too, cuz then it's super easy for them to look through and tag stuff

Right. It’s the non tech people who could care less. Fine balancing act between report I can use, and a report they understand lol

which can then go onto a written report

7:09 AM

yeah, I wanna give them enough to get the point through, but not so much they're like, "offsets? what's that"

Yeah im a huge proponent of the reader type reports. Here’s “everything” go nuts and get back with me and we will figure out the final reports

basically yeah

7:09 AM

that's the best way to go

7:09 AM

it's worked really well for us so far

Either way, my ass will be typing. A lot.

plus we have them do it in our viewing area so we're always close to give more info

7:10 AM

haha yup

Nice

I like giving them a 27,000 page PDF to sift through

2

I'm glad I type fast

7:10 AM

haha

Rath ur killing me

that’s one way to get them out of ur hair

Ctrl+f is your friend

1

another force did give one of our guys a like, 4GB PDF on a DVD once

7:11 AM

it didn't go down super well lol

Lol it doesn’t really help them

Oh god the read speed on a DVD for a PDF that big, oh the agony

it was great

7:13 AM

plus it was on a machine with 2GB of RAM and like a celeron

Jesus

I love a good DVD

With all of your internal reporti g do u often have to inckude timelines (for whatever data it is) and if so how do you all present tjose timelines?

Anyone have any ideas on how to break a password set on an excel spreadsheet?

We made our own case management system using C#, python and SQL server database but we have stopped further development until we know whether they push all police forces towards black rainbow. (edited)

12:06 PM

I was on leave when they did a demo for us but the team liked it and the managers liked the pretty stats and graphs....

1

@Ghosted can passware crack the excel password?

@Ghosted , @sholmes advice is ok. Try pass ware https://www.passware.com/excel/

@Ghosted you can use hashcat to crack the password on an excel file. https://hashcat.net/forum/thread-6678.html

If only the sheet is password protected (and not the workbook, ie. asks for password when opening) removing it is a 1 second job with some VBA

Thanks guys

Hello people. Who will assign me to the right group? The Mods?

@Tilt I just took care of you and a bunch of others.

1

all those new friends

anyone know a good .dat video file converter or player?

@paintrainjr https://windowsfileviewer.com/open/dat_files

Open VCD Video DAT Files

How to open VCD Video DAT files for free with File Viewer Lite.

11:57 AM

Have you tried this yet?

Yes i did.... thanks though. It failed every time i tried to load the files i have.

virtualdub is a nice tool for converting, supports many video containers.

1

anyone have any idea why X-ways wouldn't show files we know are existing?

12:32 AM

one workstation running the same image gets different results

also big news, Cellebrite 7.19 has chat reports!!

@Sudo - are all filters turn off?

turns out the volume professor snapeshot wasn't complete for some reason

2:07 AM

just ran it again after it clicked when a colleague of mine further described the issue

also anyone know if I can add further stuff to a griffeye case

@Sudo - hit the arrow under new and select add to case

ta

Anyone have ATM skimmer extraction experience? I’ve done of these before by removing the chip using hot air and connecting to a SOIC clip and attempted to read it. Appeared to be encoded? Or some type of non human readable data. Seeing if anyone has had success with getting human readable data from this type of skimmer. Thanks in advance!

11:37 AM

This is a Skimmer plus camera to capture the pin pad as identified by CFIR at Deutsche Bank . In Germany magstripe is not used but it is used in other countries. As the Head of Cyber Security at HSBC Germany pointed out "Let’s not forget that magstripe is still used in a lot of countries over the globe. Regarding Germany the bad guys take the data from the skimmer placed in (German) ATMs and use it in other countries. If you take a German card and use it a day later in the Netherlands it might not get marked as suspicious... Furthermore they sell the data." (edited)

@Jonny so I added the additional xml files to the case, but it just hangs on 0% and never process any

@Sudo - it should work as long as the xml files are not corrupted. What version are you using?

18.4.0

2:20 AM

it must be corrupt

@Sudo - try the extraction again

yup

2:43 AM

well, that's done

2:43 AM

but it isn't looking good

2:43 AM

it just hangs on importing files into case

2:44 AM

0% and speed less than 1 files

the joys of IT

my guess is it's "looking" for files that don't exist or something

double checked in x-ways and everything's fine, it exports fine, all the files are present

2:57 AM

but for whatever reason it just, doesn't import

Did you try importing it into a new case to see if it works?

yeah it works when importing into a new case

has anyone got a mundane and utterly irrelevant emlx file they can share with me for testing?

@Sudo - was the original case done in 18.4? We’re still using 18.1 as we were having problems with versions above it

@Sudo - there are error logs in \ProgramData\Griffeye Technologies\Griffeye Analyze\Error which might give you a clue about what is causing the issue

@Jobbins I would image the chip contents, then put the chip back into place and capture the I2C/SPI/Microwire/whatever traffic goes to it, with a logic analyzer like one of the Saleae ones for example, and "skim" cards with known contents in order to reverse engineer the storage format and encoding

@Kr thank you for the advice! I will do some research into that and try it out! I’ll let you and the rest of the group know my results!

1

I have 2 Garmin GPS devices, is it possible to extract the contents ? There is a SD slot but no SD card

I will attempt generic Garmin from UFED4PC

@Jay528 : Garmin Navis have a hidden menu. There you could activate mass storage and then you can dump it e. g. with Access Data FTK Imager.

12:08 AM

Do you know this?

anyone aware of a resource (powerpoint, website) that gives advice on identifying skimmers via bluetooth?

@mikewilliams5306 Half way through this article they discuss a app called Skimmer Scanner if you haven’t heard it. They do a good job describing exactly how the app works. https://learn.sparkfun.com/tutorials/gas-pump-skimmers/all

is it possible to let my calculator sayLOL instead of "CASIO" when it boots up?

@Deleted User You should be able to get the .BMP with fxRemote, edit it and put it back

How would i be able to edit the chip on board? (edited)

.bmp is an image file, not a chip

1:30 AM

Extract the image using fxremote if your calculator is supported. Edit the image file with ps or gimp. Put it back in the calculator.

Not supported :(

2:20 AM

It's a casio fx-92B

Then I don't know, sorry

Ok

3:42 AM

Still thanks tho

anyone have any experience with SSH on Android

Only for server management - using an SSH client to a server, not SSHing into an android device

yeah SSH from android

5:22 AM

over to linux

5:22 AM

I'm trying out Juice SSH

5:22 AM

but it doesn't seem to cope super well when the terminal window changes

5:22 AM

it just hangs there

5:22 AM

i.e. when you run a command that will open its own window/tab or however it functions

Let me just check what app I use, it's been a while

Thanks

5:34 AM

An example is if I run cgps

5:35 AM

on my laptop it'll open the page and show me the details, and then of course ctrl-c to exit and return to the main terminal window

5:35 AM

but on Juice SSH (or android) it won't load that cgps page

ConnectBot was the one I played with but tbh i didn't really do anything heavy with that, just general updates, a bit of nano editing but not a lot else. You could give that a try and see if it's any better

5:38 AM

Terminus is meant to be very good but some features are locked behind a paywall

yeah I love the old paywall

5:42 AM

it's fine, I would pay

5:42 AM

but it's a monthly fee

5:42 AM

ain't got time for that

5:42 AM

I'll try connectbot

5:42 AM

it's based on putty I think

Believe so yes

I use putty at home so

5:42 AM

works fine usually

5:43 AM

it's just this, "separate window" thing

5:43 AM

that I need to work

5:43 AM

I dunno what to even call it, it's not really a new window

I used to use putty but since terminal (OSX) and powershell now accept ssh natively I've just been using them

yeah I use my mac terminal primarily

Yeah I know what you mean, it's loading another application within the session

but for out and about on the down low

5:43 AM

I could do with using a phone

5:44 AM

JuiceSSH does work, it just won't load the app window

5:44 AM

well, it does load it

5:44 AM

but I don't see it

5:44 AM

so I can't close it either

5:44 AM

so it just hangs

5:44 AM

even though it's probably not actually hanging

I'm stuck in the office until at least 1700 today and haven't setup VPN fully for my homelab yet so won't be able to do any testing for a while haha

Ah don't worry, was just curioso

Does it do the same thing with apps like nano? just out of interest

not sure, I'll give it a try

5:49 AM

when I get a chance as well

xD

I do have a little macbook that I can use outdoors anyway

5:50 AM

so it's not a huge deal

5:50 AM

if it doesn't work properly

well, kismet works fine from Juice

7:16 AM

so, good enough

7:17 AM

it's just the cgps that won't

looking to get a new USB writeblocker or possibly a combo with multiple connections, aside from Tableau and Wiebtech are there any others to consider? Needs to be stanalone/portable and not fixed in a drive bay

@bizzlyg Not that this is a physical piece of hardware but have you considered Sumari Paladin?

@bizzlyg there's one produced by salvation data and another I've just found out about made by deepspar. I don't know anything about either of them though

Check out Atola

Does atola produce a USB write blocker? @todd.shipley

7:59 PM

I thought it was just data recovery re insight and Taskforce

Writeblocking is built into their products

Thanks guys, I'll take a look

@todd.shipley sure... But price And neither are portable currently. Apparently the taskforce will be updated soon to be more portable

@Dr.Who-IACIS Paladin looks pretty cool as an additional extra

Paladin works well as a boot usb for acquiring physicals

2:53 AM

And it's free, so what's not to like

yup, I have used CAINE in the past, Paladin looks similiar but maybe a bit more polished

Paladin is very easy to operate due to it's integration of the various tools into one program. But you've got individual programs available to run manually if you need to do something a bit different

2:56 AM

You just have to be really careful what you select as a destination drive, because it won't warn you before mounting the drive as r/w :S

5

Paladins are pretty good for people who want to chop and change their playstyle, but they have a lack of mobility so they probably aren't great for beginners (edited)

Does anyone have experience on Xbox One, I cloned the drive to another drive and plugged it in. The Xbox powers on however will not display on the screen. I currently have the case open, is there a sensor on the case, where it needs to be closed before it will fully work?

Hey, kinda off topic, I am doing a presentation for a probation and parole class for DF evidence handling, real basic and maybe a little bit of what can be obtained. Anyone have anything like this they already made?

Hello, I'm new to this channel and to the DF world. I want to get into DF as a career but I have a problem with looking at body parts and all the biology/anatomy area. I don't have a strong stomach so my question is, is there a division where you don't have to be in that area and focus on non-body parts. What's is the technical term? What division/unit would you call that?

Anything DF/eDiscovery to do with finance/banking etc should be a safe bet! (I would hope)

1

9:13 AM

e.g. if you're investigating fraud/tax evasion, you'd hope there won't be any bodies cropping up!

9:14 AM

I'm sure there will be plenty of people on here who work within that kind of area and never have to deal with the gory bits

@Jobbins - when I’ve examined Xbox One consoles, I’ve always reassembled the device fully with a cloned drive. For the cloned drive, I had to use X-Ways to copy the E01 image as the Xbox wouldn’t boot using a cloned drive made by other tools

Aww yes, that sounds a lot better. My stomach and eyes would be pleased lol. So what type of companies would I look into that would have that?

In the UK HMRC is probably a good shout @shanster187

9:26 AM

Just seen from your intro that you are US based so that's probably not helpful sorry!

Hahaha no worries. I can still do research and get a better idea at least. Appreciate the help!

Anyone has experience with imo messenger subpoena or can share an official way to contact the company that produce this app? Thanks.

@OllieD I dont know, the thought of investigating exclusively financial crimes has a pretty negative effect on my stomach

1

3

@shanster187 the big 4/5 consultancies will do lots of ED/financial work eg Deloitte, KPMG etc

Just remember, if it's personal computers you're dealing with, it's sort of unavoidable

7:34 AM

pure like, company devices though, you'd probably be OK (mostly)

I am assuming by body parts he meant like gory stuff, if its litterally body parts ie porn then yes unless its purely corporate then its unavoidable and even then I expect pops up in corporate too

7:36 AM

I would suggest DF is not a wise career choice if 0 body parts of any kind can be tolerated

ah gory stuff

7:37 AM

that's a little different

7:37 AM

I mean I don't particularly like that sort of thing, I see it rarely and it's annoying but it's not often thankfully

I'd assumed they meant gory stuff when they mentioned body parts, not nudity

if it's purely any body related stuff then yeah df is probably not the one cuz it's everywhere haha

I am only guessing, thats what came to my mind when I read the initial post

yeah that makes more sense

7:38 AM

I just assumed since body parts don't really show up much, so I took it to mean like, body parts like various...orifices etc

and yeah same, I don't like overly gory stuff, never had to see it much

unless there's loads of people photograping like, spare arms lying around or something

3

He should do incident response forensics

and we just don't see it in our little island

Hey thank you for all the input,Let me clarify on what i mean, ie: homicide and child pornography. Anything along those lines that deemed gruesome./gory. Also, what does ED mean?

eDiscovery

so normal porn is OK?

1

7:43 AM

you'll be fine then

@shanster187 I would concentrate on ED, Incident Response or something for a corporate/financial entity. Any kind of LE work I doubt you will avoid one or both of child images/murder stuff

still go a fincrime route though if you can, less exposure

7:44 AM

yeah Law Enforcement you won't avoid it

does LE have a incident response or finance side or is it strictly homicide?

As mentioned previously, an organisation like HMRC (HM Revenue & Customs) are government/LE but focus on the financial stuff

1

got it, thank you all for your insight and advice. I will look into those type of corporate as I am trying to land an internship in the DF area.

7:48 AM

Will be making a lot of phone calls.

https://www.elcomsoft.com/news/716.html

Elcomsoft iOS Forensic Toolkit 5.0 enables iOS 12 physical extract...

Elcomsoft iOS Forensic Toolkit 5.0 is a major update adding support for physical acquisition of Apple devices running iOS 12. The tool extracts the content of the file system and decrypts passwords and authentication credentials stored in the iOS keychain.

8:20 AM

Am I late to the party on this one?

They're basing it on a public exploit

8:21 AM

I believe they're using this https://github.com/GeoSn0w/GeoFilza

GeoSn0w/GeoFilza

Filza iOS 12 with r/w only to /var! Contribute to GeoSn0w/GeoFilza development by creating an account on GitHub.

8:21 AM

Hence the same 12.1.2 limit

8:21 AM

(or the exploit that makes that project possible)

I figured as much. I was wondering how long it would even be applicable. Apple damn near forced me to update to 12.1.4. I figure I will see less phone running < 12.1.4 (edited)

Yeah, they've already stopped signing IPSW files for 12.1.2 and earlier

Is your icon a hint as to your private sector work?

Click my name to get more than a hint

All I see is private sector. No company affiliation. Dont use discord much anyway so I am not farmiliar. Havent seen that logo before but it looks like a key that is in a grayscale. Which would mean you have much more firsthand knowledge with theses things.

Oh right, no, not GrayShift if that's what you mean

@ThatLukeGuy you can click on anyone's name (on desktop/web) or long press (on mobile) to see what roles they are assigned. @OllieD works for @Control-F which is a UK-based forensic training company. He's been a great recruiter for this server, as an aside, and for that I'm very appreciative

2

good job @OllieD !

anyone know anything about cellsite analysis?

I do know they are doing an overhaul on the software and its supposed to be alot better with a new release soon

is there any certifications for the analysis of the mobile/computer devices, excluding the extraction portion?

SANS FOR585, GASF certification

Thank you @Andrew Rathbun . I'll check those out

That would be for mobile. There's also a Windows Forensic Analysis course that would cover computers. Mac course too

also, IACIS has good courses for LE

12:32 PM

they might be open to public too

12:32 PM

I think they are

12:32 PM

https://www.iacis.com/training/

IACIS - Training

IACIS 2019 ORLANDO TRAINING CONFERENCE REGISTRATION NOW OPEN! Overview IACIS has been providing computer Forensic Training for over 27 years. IACIS

12:33 PM

best bang for your buck I think, SANS are really good as well but costly

https://www.isfce.com/certification.htm

Thank you all!

Isfce is a good process, as is iacis, I'm currently in the iacis mobile device examiner cert process and it's been very rewarding

what's some popular forensic wiping software you guys have come across?

@RABIDFOX some use EnCase. I use Eraser for my personal stuff. It's pretty customizable and most importantly free

im planning on doing a project around them so im trying to gather a large list of the most popular ones

Formatting through windows while unchecking Quick Format should probably be another one for your list, if you're doing comparison

oh yeah

9:10 AM

and eraser one im already looking at its pretty hardcore

See if linux has a tool to wipe (maybe Disks?) so you have something from Linux

9:12 AM

https://www.lifewire.com/free-data-destruction-software-programs-2626174

40 Free Programs to Completely Wipe Data From Hard Drives

Here are several free data destruction software programs, sometimes called disk wipe software or hard drive eraser software. Last updated February, 2019.

aaah perfect

9:12 AM

i can maybe get funding from uni so i might be able to get paid ones as well

Data Sanitization Methods: DoD 5220.22-M, AFSSI-5020, AR 380-19, RCMP TSSIT OPS-II, HMG IS5, VSITR, GOST R 50739-95, Gutmann, Schneier, Random Data As far as advanced options go, Eraser wins the data destruction competition hands down. With Eraser, you can schedule data destruction with all the precision you'd expect with any scheduling tool. Not sure if you're comparing wiping methods or not but Eraser has a ton of them

9:14 AM

Your university might have EnCase already? It's just Tools, Wipe Drive, and follow the prompts from there

yeah they have most the main forensic tools

And frankly, I just did all that without needing a dongle. You'd just need the EnCase exe

one of the things eraser does is it allows you to add random files to replace everything with if i remember correctly

9:16 AM

it came up in one of my projects on my file systems module

9:18 AM

data not files

@RABIDFOX We boot to Paladin (https://sumuri.com/product/paladin-64-bit-version-7/), on a Windows based computer from a thumb drive, and use it to wipe everything we use in the our lab (thumb drives, pocket drives, bare drives). It's Linux based and works great for wiping. It's free to download and includes quite a few other helpful forensic tools.

PALADIN (64-bit) - Version 7.05 - SUMURI

PALADIN is a modified “live” Linux distribution based on Ubuntu that simplifies various forensics tasks in a forensically sound manner via the PALADIN Toolbox. PALADIN is a complete solution for triage, imaging, examination and reporting. PALADIN is available for FREE. Ho...

4

Good to know, doesn't surprise me Paladin has a feature like that but that's not how I do it. That's the beauty of all this information sharing. I learn something new all the time from you guys. Plus, all of this info is searchable for those in the future to benefit from. Thanks for the info @Yap

2

Anyone have experience with email header analysis ? Looking for some guidance to compare one email to another

If using Linux, you can use dd or dcfldd to wipe disks. There is also shred...

@Jay528 https://commons.erau.edu/cgi/viewcontent.cgi?article=1095&context=jdfsl maybe it will help you

11:18 AM

https://www.metaspike.com/forensic-examination-manipulated-email-gmail/ this one is interesting too

Forensic Examination of Manipulated Email in Gmail - Metaspike

Forensic examination of a manipulated email in Gmail to determine how it differs from the original. Both server metadata and email header are utilized.

got a thumb drive with paladin on it i think

thanks, i will take a look

1:14 PM

i reviewed the metaspike link earlier

@RABIDFOX just curious, what did you use to make the flash drive bootable? I've been using Rufus portable a lot lately and that's been serving me very well

1:16 PM

I've had issues recently getting Paladin to be bootable so that's why I asked. Or at least those are the warnings that are shown when I try to image Paladin to a flash drive

https://www.linuxliveusb.com/

LinuxLive USB Creator

LinuxLive USB Creator is a free and open-source software to easily create Live USB

1:17 PM

i use this create my bootable thumb drive

1:18 PM

https://www.pendrivelinux.com/yumi-multiboot-usb-creator/

admin

YUMI - Multiboot USB Creator | USB Pen Drive Linux

YUMI (Your Universal Multiboot Installer), is the successor to our MultibootISOs. It can be used to create a Multiboot Bootable …

1:18 PM

this for multiboot

i cant remember i got it when i was trying to convert an EO1 to VMDK which was unsucessful until i used that imm2 virtual

@RABIDFOX hecfblog had a post of wiping tools last year around August Dave has also done a lot of posts on using journal analysis to identify when and what was wiped, at least by name

1:33 PM

Also, something you could script is to create a series of VHDs, create files, wipe them with various utilities etc The good thing about making that is that anyone else can then use it to validate your findings

yeah i was thinking about doing something along those lines that way its easier to replicate the data im using

So I run a LEA digital forensic unit UK, with the amount of devices seized and extracted and drives imaged and software such as cellebrite, magnet & griffeye to name a few and the mountains of GB produced what do you all use currently for reviewing and disclosure purposes

@Beno 🇬🇧 at my old shop (LE) we stored mobile device images on a NAS. We stored computer images on HDD's and stored in our evidence room. What do you do currently?

All our material is on a secure network - storage isn’t a problem review and disclosure for criminal investigation is the issue

We have a blank statement at the bottom of all our emails and SFRs regarding unused material not produced on disc, stating it's available for viewing on request from our viewing room. Officers can book in, defence / barristers can also view this material at our site but that's a lot more rare. Basically as long as you outline what you have extracted and put on disc, and more importantly what bits you have not done then you're on pretty good footing and there shouldn't be an issue there and we haven't hit a problem so far. @Beno 🇬🇧 (edited)

@Beno 🇬🇧 In my last place we had this issue in regards to large/complex fraud cases. We had to change our processes as several barristers stated that is was no longer sufficient to just put a line somewhere (statement, MG form or whatever) saying theres a load of unused on exhibit ABC and come and look at it if you want. Under CPIA there is a responsibility to some extent on the prosecution to search the material properly for disclosure and for locating evidence, this also needs to take into account defence statements and reasonable keyword lists from the defence. In order to make this process feasible (due to the amount of digital data these days) we used an ediscovery/legal review approach where keyword response items where tagged using custom fields, eg evidenc, unused non sensitive, unused sensitive, reviewer name, description field etc. The workflow we used allowed data to be batched up and split between however many investigators were needed to get it done quickly - eg there are 20,000 responsive files to view, 1 person doing that takes months but 10 people doing 2000 each only takes a week or 2. The tool was web based so they dont need to visit a special room or use a special machine.

1

12:27 AM

I will say though, it required a lot of investment in both time training people and money for hardware/software. It also required breaking away a little from the air gapped network idea, but we didn't have IIOC to worry about (at least, we didnt do IIOC specific investigations). For LEA its more tricky due to budget issues, worries about data leakage and cases often being 90% IIOC based

12:29 AM

Since we put this in, we never had any more questions about disclosure, we even had several positive remarks on how thorough it was from judges. In the cases we had they always went after the processes and not the evidence as such and this removed one area of attack immediately

Yeah IIoC is the biggest thing preventing us from doing that right now, that and priority issues due to backlog, ISO and everything else. I can see us going down that road at some point, but right now we need to get over the hurdle of providing content on disc and getting a networked solution in place... which has been in the works for several years but is getting nowhere fast. Sounds like you have a very nice and mature process going on there @bizzlyg (Or had at your last place!).

1

sorry my typos btw, still adjusting to German keyboard

Gotta love the qwertz!

@K23 yeah it took a while to get it running properly and efficiently. I can put you touch with someone if you ever decided to see how it could work at your place in future, just for a look at how it works etc

12:33 AM

Also the setup we used could def be tweaked and different products used instead of the one we went with

That sounds like discussions that will need to be taken above my paygrade unfortunately. But if I get asked for an opinion on it I'll message you for the contact details and will try and put the idea in managements head...

sure no problem

1

12:36 AM

we helped out a few forces with fraud cases and did the DF work for them as the HTCU backlog was too big and full with more urgent/IIOC type stuff. I was always open to showing people the setup and discussing the good and bad bits openly. I am sure my successor wouldn't mind, for LEA especially

Thanks, resources like that can be invaluable to pushing these things forward and making everyones lives easier

1

Morning @K23 @bizzlyg we do have a networked solution currently. Being DIU I agree review disclosure is not our issue, ISO17025 is a major pain. BUT we have a responsibility to provide a review platform that allows the OIC to easily review, retain, reveal record evidence, unused, sensitive relevant material. I think the college or the home office need to grasp this issue

1

@Beno 🇬🇧 yeah thats what we implemented so our investigators could deal with disclosure of digital data properly. I can explain what we had set up if you want, just drop me a PM

Hey everyone. In UK Law we have some sex offenders with orders that prevent them deleting internet history. I have a case where it has been believed some internet history from Edge was deleted as there is a gap in history of about a few weeks. I've had a look in Axiom and at the WebCache.dat and all the history is there - anyone got any advice?? I have no idea whether someone has deleted the history or if it could have happened some other way...the history is all there in the database :/

@Rossko, what is the browser used?

@Rossko I am a bit confused, you say it is believed the history was deleted but on examination its not deleted? I am clearly missing some other part of the story... where did the original belief come from? I assume its not just that it was never deleted and the belief was wrong, otherwise you wouldnt be asking the question

6:42 AM

@mitchlang looks like Edge

Hi, it's Edge yes. If you look on the browser itself there is a gap in recorded history, 1 record for example is april, then next is june, so one month missing. However if i look at WebCache.dat I can see search history during May

ah ok gotcha, so there was a live check on the machine?

I have virtualised it

1

6:45 AM

it was seized on this basis however

was just about to ask about virtualising

I'm running BrowsingHistoryView on the VM and just trying to figure it out by manually deleting history and seeing what changes

yeah I have not done much with Edge, best plan is test it out

@Rossko you able to serve process of MSFT for that history?

6:47 AM

I've never done MSFT myself, but have had outstanding success with Google.

You can sometimes assume deletion if you can see the unique index Ids created for the database table. If they jump from 100 to 150 then that's usually a good indication that something has been deleted as they auto increment. However, I have no idea what type of DB Edge uses!

2

good idea, I'll look into that one

6:49 AM

also, MSFT..?

its probably an ESE database, being MS and all

Microsoft

6:55 AM

I would have to confirm, but Google obviously retains all the history from chrome, Microsoft I am assuming does something similar.

6:57 AM

I would agree with @ducksprey if you could not get the complete history via court order.

Was there any volume shadow copy available to be looked at ?

Hmm not sure I'd be able to get MS involved as it's not a highly important job

7:04 AM

I've got to head off, thanks for your help though guys I'll keep you posted!

What happens when you use InPrivate Browsing? Does that omit records from the history but still leave them in the DB? I have not tested this at all, just thinking out loud

I had some training from Rob Attoe awhile back and InPrivate was taught to me....there is a flag set to 8 within some container tables stored at AppData\Local\Packages\Microsoft.MicrosoftEdge_####\AC\MicrosoftEdge\User\Default\Recovery\Active.

good to know!

I still need to analyse that one though

7:08 AM

anyways I've got to head off I'll catch you guys about if you're about tomorrow. thanks again.

1

these entries in May , do they look any different in the DB than the others?

A few things. Axiom will distinguish between parsed and carved records Browser history view to my knowledge won't be carving and will work on the database on a mounted image. Manually viewing the database (container 4) should show you the history as it is and you can use nirsofts ese database viewer to examine it, decode the dates etc

Thanks. Yes now that I look at it, in Axiom the dates in May are coming from "File Offset 123434536" and so on, and not from any containers. The ones showing up in the actual browser are the ones that are still in containers. So it looks like the history has been deleted, however not overwritten yet.

2:22 AM

I'm assuming no but is there any way to know what action removed these entries from the containers..?

2:23 AM

And thanks Randomaccess - I'm now manually reviewing things in nir sofers ese database and yes it's only showing the live data which is still showing within Edge.

2:28 AM

One other thing of interest. There are a ton of entries for login.live,com www.bing.com secure passport.aspx - is that perhaps user activity being to microsoft or something...?

2:28 AM

being sent*

Not sure where to put this exactly but a colleague stumbled across this recently https://gchq.github.io/CyberChef/ -could be quite handy!

CyberChef

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

1

4:02 AM

@Andrew Rathbun - maybe one for the resources list?

4:04 AM

nevermind just seen its already there

any NCA lads here

Good Morning Y'all

1

I've made about 50 photo's of a chat conversation. Do you guys know a tool which can import the photo's and for example uniquely number them so I use that to reference in my report?

griffeye

Never used it before. I'll have a look. tyvm

You can import into Physical Analyzer

6:05 AM

Or just Hash the photos and rename them as the hash number

np. It should be free for Law enforcement I believe

Griffeye is free to only folks who work CP cases

6:05 AM

At least that is what I used it for about 2 years ago

I think LE in general

yeah LE in general, just sign up for an account

All hail @Jay528 why didn't I come up with that myself....

Thanks, i learned it from this chat channel

Griffeye is currently free for LE but it's a cut down version compared to how it was in the past. They have paid versions that include more features now. I think they got sold recently and is trying to make money back.

Working a computer tampering case. User/intruder ran a powershell script which collected data from the pc’s on the network to include; serial number, computer name, model, manufacture, monitor name, monitor serial number, monitor manufacturer year. What good can that data do for someone?

Hack into other machines connected to the network

12:28 PM

Or it might be microsoft seeing if you are pirating any software

That is what I would think of the user trying to do

12:46 PM

See which other machines they can hack

Yes, sounds like they are mapping your network

it's an interesting choice of data to record

1:04 PM

I'd expect more interest in performance attributes of the systems than monitor serial numbers

I didnt know it was possible to get the monitor s/n

Anyone come up with their own unique (cheap) Faraday cage? We have a small box now. It was fine for putting a phone in airplane mode but it's really difficult to process a phone. More and more phones can't be placed in airplane mode when locked.

Arson cans worked well from my testing. Though you can't process, but you can get somewhere where signals are weak, like a basement

@Joe Schmoe probably worth investing in a Faraday box and then some Faraday bags without windows.

5:27 PM

Esp if you're working with evidence...

@randomaccess We have the box. I just don't find it very useful anymore. More space would be helpful. Building a cage might be a little too much though.

Oh right. Missed that sentence

5:35 PM

Ya. Cages are big investments

5:36 PM

I've never used the box to process a phone. Why is it harder? Isn't it just a matter of plugging in and then hitting dump?

It might be just mine, but more often than not the phone isn't recognized through the box. The window is small and hard to see through. Not to mention the gloves creep me out. They are hard to clean.

1

Well you're meant to wear gloves inside the gloves so you don't have to worry about cleaning or tearing them

7:04 PM

Yeah the screen isn't great. Looking online it doesn't look like much movement has been made on improving the boxes either. Maybe the patent holder is dragging their heals

7:11 PM

I guess a workaround would be to get a bag that has a cable output in it And a bag that has a window And then use the box as an transition space. Cheaper than building a Faraday cage but much more fidly

I use the Faraday box to disable all access to the outside world and then process it. Not much that's going to connect to with Wi-Fi Bluetooth and everything else turned off. In addition I remove the SIM card. I do all processing outside the box.

Hi, Need a help, does whatsapp creates a backup db.crypt12 everyday even if we put the phone in flight mode?

5:33 AM

As I know, phone needs an internet connection to create a backup everyday at 2:00 am. Or am I wrong?

I am wrong, Whatsapp creates backup everyday, even if the phone is in flight mode.

5:52 AM

However, I am using a pixel phone, it doesn't create databases for the 4-5 days. Why is that, I have enough storage space left on my phone. I don't understand how the backup thing works now. I will dig more and share if I found any valid reason.

Was the phone powered on at 2am on each of those missing days? If the phone is switched off, it just skips that backup

5:56 AM

You're correct that a local backup doesn't require internet connectivity. If the phone is on cellular data, it will wait until wifi is connected to produce an online backup (by default)

My phone wasn't off. Running all the time.

6:03 AM

First screenshot from WhatsApp Business db and second one is from the WhatsApp Db. Both these apps are running on the same phone. (edited)

@Forensic@tor. I ran in to a problem with WiFi. The phone connected to the Xfinity network and started updating when the box was opened for another phone. I'm going to see if I can have that network turned off.

That is why I turn off everything in the box first. You will have to replace your router with a non Comcast box to turn that off. It is a separate broadcast from their box and no user settings available to turn it off. (edited)

That's the point of the box but it's not possible on many newer phones without the passcode. They can't even be powered off. Anything these companies can do to make our lives just a little more difficult.

12:22 PM

I hate Comcast.

I have yet to meet a phone I can't power off. Usually have to force into recovery and select power off from there. (edited)

I actually didn't think of that. It's a good idea. Generally I don't try because you are risking triggering secure startup. Not enabling airplane more annoying. Most of the time pulling the SIM will be good enough. It only takes one problem to cause a huge headache.

Ya we do not turn phones off anymore due to secure startup and AFU mode.

What type of analysis can be done to see if an email was spoof ?

1:05 PM

I took 6 samples of an email from the sender to recipient and compared the # of hops and it was about the same throughout the year until sender changed ISP

1:05 PM

All emails from sender that year was the same IP address

1

headers?

1

https://blog.sucuri.net/2014/06/phishing-tale-an-analysis-of-an-email-phishing-scam.html

Phishing Tale: An Analysis of an Email Phishing Scam

Phishing scams are always bad news, and in light of the Google Drive scam that made the rounds again last week, we thought we’d tell the story of some spam that was delivered into my

1:38 AM

https://blog.nettitude.com/4-steps-to-take-to-analyse-a-phishing-email

4 Steps to take to analyse a phishing email

Here we give an example of what a phishing email looks like, and the necessary steps to take when analyzing and dealing with phishing attempt.

1:38 AM

There's some research on the topic, not typically forensic but might help get you started @Jay528 (edited)

1:39 AM

Here's another good breakdown https://www.howtogeek.com/58642/online-security-breaking-down-the-anatomy-of-a-phishing-email/

Don’t think that it’s just your banking details that are important: after all, if someone gains control over your account login they not only know the information contained in that account, but the odds are that same login information may be used on various other accounts...

thanks

5:20 AM

i was looking at headers

5:20 AM

just not sure what type of forensic analysis can be done other than tracing

Anyone know of the steps to search the dark web for CP on a mobile device ? I have a case where the defendant told my c/w that he searched for CP and my underage defendant search himself on his personal phone as well. Due to the nature of the case, I dont want to ask the underage the process. My defendant's phone is a Samsung S9 and I only have a file system/logical collection. Wondering if it is worth it to get a physical from CAS.

3:15 PM

Any artifacts or applications that might be of use ?

I would think it would start with Orbot or a similar app that uses Tor. If that's the case I don't think CAS will help with search history, but maybe some torrent files out something. @Jay528 (edited)

5:12 PM

Unless maybe it's a poorly coded.

Maybe some of the @NW3C folks can chime in since they teach a dark web course

We’ve had mixed results with forensic artifacts related to DW investigations. PM me so we can discuss specifics and get you pointed in the right direction.

Question regarding cloud storage vs maintaining a server for approximately 400 people 2-3 tb per person. Looking for ideas and suggestions right now to provide staff with. I am thinking of QNAP server with expansions that will allow up to 1200 TB of data (does not have to be raided) which someone would have to maintaine within the agency. This can be encrypted and secured IDS/IPS/Firewall etc with its own line which will allow storage for the offiers and also allow them to create shareable links to provide AGs etc with the data. I know there is also cloud storage however some of these phone dumps are getting up to 100GB and that might cost more than the 100k ish for the sever..

Sounds like a lot of storage! How are you protecting it/backing it up?

1

4:48 AM

when I say protecting I mean from data loss due to hardware failure, as I see you already mentioned intrustion detection/prevention systems

well we have a server with all digital evidence that we maintaine already

4:52 AM

this is mostly for storage for the officers with teh ability to create shareable links to transfer data securely as well

4:53 AM

if something crashes we have a backup

4:54 AM

but you have a good point regarding backup/hardware failure etc

4:54 AM

1200 raided would cost double lol

4:55 AM

I am providing them with that option as well

4:56 AM

the issue is sharing a 100gb phone dump accross the state

4:56 AM

besides driving or emailing a thumbdrive

1

At my last place we used StorNext from Quantum https://www.quantum.com/en/solutions/ but from what you said I think it might be overkill and not quite fit

Capture. Create. Share. On Quantum.

Quantum technology and services help customers capture, create and share digital content, with the fastest performance for high-resolution video, images, and industrial IoT.

5:01 AM

since you already have something for the evidence

5:04 AM

I guess the advantage of cloud is you dont need to worry about backup, maintenance or time spent looking after physical hardware when it goes wrong

@San4n6 in regards to secure file transfers, I know my agency currently uses kiteworks by Accellion

5:16 AM

Throwing something on an unencrypted flash drive and putting it in someone's computer is a cardinal sin. Kiteworks effectively replaces that

5:16 AM

That being said, that may be an option to look into?

I agree

we used this for transferring stuff https://www.egress.com/

5:34 AM

worked alright generally

I have a qnap set up that we run in the lab for encrypted file transfer that works well but we need more storage for offiers in general

sorry I meant sharing rather than transferring

I understood

5:54 AM

thanks for the tips guys

5:54 AM

I am writting this up and they are not going to like the costs lol

Doesn't AWS provide gov't solutions for cloud storage ?

5:57 AM

Much easier to upload/download imo

@Jay528 Yes, AWS does offer the GovCloud which is CJIS complaint. But it would be about $2000 a month just for 50tb of storage and that is not including transfers. @San4n6 I would say physical hardware on premiss is going to be a lot cheaper. Still expensive but cheaper in the long run.

o damn

Regular AWS is still FedRamp medium and extremely secure but it does not have the CJIS certificate

Would that be cheaper ?\

I was looking into AWS prior to purchasing our server.

6:28 AM

Yes it is, consumer AWS is $0.023 per GB a month for the first 50TB and GovCloud is $0.039

6:29 AM

https://aws.amazon.com/s3/pricing/

Cloud Storage Pricing | S3 Pricing by Region | Amazon Simple Stora...

Detailed information on Free, Storage, Requests and GovCloud pricing options for all classes of S3 cloud storage

Hello all, I am a post graduate student in digital forensics and computer security, I'm considering an area for my dissertation. Your kind suggestion and advise is appreciated please. Either mobile phone or computer forensics. You can e-mail me on my private on gokolorie1@derby.ac.uk Thank you

https://www.androidguys.com/tips-tools/get-instagram-data-report/

Alexandra Arici

How to request and download your Instagram data report

Instagram allows users of the platform to download their own data report. If you haven't tried it, this is how to do it.

5:44 AM

Not sure if we can pin this kinda stuff

5:44 AM

thanks @K23

1

Andrew Rathbun 3/6/2019 5:54 AM

https://thehackernews.com/2019/03/update-google-chrome-hack.html

New Google Chrome Zero-Day Vulnerability Found Actively Exploited ...

Update your Google Chrome browser immediately to patch a new high-severity zero-day RCE vulnerability (CVE-2019-5786) that hackers are actively exploiting in the wild

8:56 AM

https://www.wired.com/story/google-project-zero-buggycow-macos-zero-day/

Hack Brief: Google Reveals 'BuggyCow,' a Rare MacOS Zero-Day Vulne...

Google's Project Zero researchers find a potentially powerful privilege-escalation trick in how Macs manage memory.

buggy cow. Always wonder who comes up with the names for these!

1

2:20 AM

so named for Copy On Write

2:20 AM

COW

That makes more sense

2:26 AM

Shows I needed to read the article in a bit more depth and not just skim it

haha, yeah interesting naming ideas. Seems this one, whilst theoretically serious, isn't so easy to exploit - at least from what I understand reading the article

yeah doesn't seem easy

2:31 AM

it's probably a, very specific set of circumstances in a lab environment with no outside pressures or complexities

2:32 AM

still serious but probably not likely to come across our desks

That's what quite a few of these tend to be like to be honest. Like Spectre, that was never seen in the wild but was potentially very serious, especially for those using cloud services like AWS etc

yeah

2:34 AM

probably not on the scale of like, wannacry

Not quite

cool names though

2:42 AM

if I ever find a bug I'll be sure to name it something cool

Think it's a requirement for bug finding. That and making a snazzy logo for it

2:45 AM

Like these: https://meltdownattack.com/

2:46 AM

2

All that's left is to actually find a bug

1

2:59 AM

Unfortunately I think there are a lot of people a lot smarter than me who may find them first

2:59 AM

Same here. I'd love to do that kind of research, but would need to up my coding knowledge and find the time... Unless you're being employed by someone to find them, or get lucky with some of the grants companies provide for finding bugs in their software it's a hard thing to justify time wise

pretty much!

3:16 AM

I'm just getting into cyber now so unfortunately I have to learn

3:16 AM

javascript

3:16 AM

(javascript isn't that bad I just have a dislike for it)

Yeah javascritpt, PHP and Python are the ones I'll be going for. Ruby is apparantly worth looking into as well. Also want to do a bit of playing around with docker etc for devops. All homelab projects!

PHP is the main part of these phishing kits for sure

3:22 AM

I've not tried docker but I've heard good things (never had much of a use case?)

3:22 AM

but I guess now apache with PHP etc could be one...

Yeah it's more infrastructure stuff. Containers as an equiv to VMS. Tends to be used a lot in software development but can also be used for infrastructure, especially if you are looking from a devop perspective - so automating infrastructure

yeah basically

Docker is great, makes it easy to distribute prerolled environments to other people as well (edited)

@Sudo javascript makes the world run lol; embrace the suffer

I've got an .eo1 of a purism laptop which has an encrypted container inside, I haven't dealt with one of these encrypted linux machines before. Anyone here have experience with one?

what exactly is encrypted? the partition? a directory? a file?

12:37 AM

Since you're talking about purism laptop (which is running PureOS), I would guess the partition

Also, PureOS is based on Debian, so my guess would be that the encryption is LUKS

sounds like LVM probably

8:48 AM

LUKS as Karamba says

8:48 AM

I believe you can mount it with a tool (though you'd need a password)

8:49 AM

also question: are there a lot of TOR exit nodes in Nigeria?

Actual status : https://metrics.torproject.org/rs.html#search/country:ng%20

12:27 PM

Historical search (based on IP) https://metrics.torproject.org/exonerator.html

thanks

anyone have like a document or something that lists all the email headers and their meaning?

3:08 AM

nevermind just found one haha

Is there a “code” I can use on a locked iPhone to reveal the phone number. The SIM is not ‘talking’ to my cellebrite.

Emergency number

11:59 AM

But not working in airplane mode

@tankboy855 Out of curiosity, did you try putting the SIM in the slot for full size SIMs? For some reason the nano SIM slot keeps failing on our adapters.

@Joe Schmoe OMFG! You win the Internet! Worked!!! Thanks! You saved so many subpoenas!

2

@Joe Schmoe email CB support - they'll send you replacements

@tankboy855 Glad to hear it!

12:45 PM

@Jay528 I'll have to do that. It seems to be common. The old adapter from our Touch did that. I have two that are about 6-8 months old and they both have that problem already. (edited)

ask for replacement cables as well, i ask for 100 and 210

12:46 PM

wear and tear

any guys here from Coventry? Gimme a shout if so!

Just confirming; no way to restore iPhone to factory settings without Apple ID and PW? Have one on forfeiture but it’s useless unless I can reset it...

Email Law Enforcement Assistance at apple, they should be able to help you reset the phone. Is that what you mean ?

It's possible to restore it to factory but you won't be able to activate and use it unless find my iphone was turned off or you know those data

@tankboy855 i sent you a DM

Quick question. Does android have a .db file specifically for DCIM content from the device's camera? If so, what is the typical .db file name?

got a stupid question here ive got two wifi configurations and they both have the same MAC address does this mean its from the same IP so its in the same building or does it mean something different?

taking a guess... same router with 2.4 and 5 gz

4

3

yeah ones talk talk the others for an inn so im guessing ones for pub users and theres obviously a second one for those paying for lodging

The newer routers are also able to create a guest SSID

yeah ones a guest account

3:48 PM

thanks anyway jay

np, i didnt do much

https://pulsesecurity.co.nz/articles/TPM-sniffing

Extracting BitLocker keys from a TPM

Extracting BitLocker keys sealed with a TPM by sniffing the LPC bus

6:09 PM

someone posted this on the IACIS list

Sorry a bit oot

6:32 PM

What is the advantage for company have own threat hunting team compare with outsource to threat hunting services ?

Our threat based intelligence group is specific to our environment. What makes APT such a threat is that it is customized to your own environment. The initial drop, C2 and so on may be common amongst campaigns, but the recon and specific methods of targetting are unique to our environment, and thus we need to fine tune our approach to defense.

6:57 PM

This of course requires in-house expertise and does not come cheap - 3rd party intel solutions are cheaper initially of course until you want to throw some resources at the finer details of attacks specific to your own environment.

My name is Megan Needham, I am a PhD researcher and part time lecturer at Staffordshire University. At Staffordshire University, we are conducting research on behalf of the Transforming Forensics Digital project, to establish the impact that digital forensics analysis has on improving criminal justice outcomes. After an extensive literature search, no literature has been found within this area. Therefore, the research team are inviting you to voluntarily and anonymously contribute to this project by providing information about your knowledge of research in this area. It is a short survey which will only take 5-10 minutes of your time. If you would like to participate, please can you complete the Qualtrics survey via the following link. http://staffordshire.eu.qualtrics.com/jfe/form/SV_6nEFrjJHadbfhEV We appreciate your participation.

2

Done.

5:54 AM

I'm always willing to do a survey for academic research. I was in your shoes once (not as high of an academic level) so I know how tough it is to get responses. Every response counts!

Thank you, really appreciate it!

Anyone know anything about blackbag? We had it one time and I do not have any training or knowledge about this product. Let me know thanks.

What was the term in which iOS devices run deletion ? Is it Garbage collection ?

@Jay528 Garbage Collection and Wear Leveling are a flash memory thing, to my understanding. General concepts not specific to iOS

Got it

7:31 AM

thanks

@spoon1997 Macquisition is considered one of the better OSX acquisition tools. I've also heard Blacklight is good for iOS and OS X images

7:31 AM

Those are both products by @deleted-role

@Andrew Rathbun thanks man

Wear leveling Magnetic storage media has an indefinite working life because the platter coating does not wear and the read/write heads never contact the media. As storage techniques emerged, there was no problem writing and over-writing the same places on magnetic media when data changed frequently. These so-called "hot spots" had no real impact on magnetic disk reliability. However, flash memory cells have a finite working life and can fail after several thousand program/erase (P/E) cycles. This poses a problem for SSDs because allowing some write-intensive applications to erase and rewrite the same series of memory blocks -- while other memory blocks remain relatively untouched -- cause flash memory cell failures far sooner. The technique of wear leveling spreads out new P/E cycles across the entire space of the flash chip. Wear leveling doesn't make flash chips any more reliable but spreading the usage can help avoid storage hot spots that might cause failures much sooner. Garbage collection Flash memory is organized into blocks comprised of a series of pages. Data can be written to pages anytime as long as the page is unwritten or erased. However, flash memory cannot erase individual pages within a block; the entire block must be erased before the pages within the block are freed for re-use. This means that changed data winds up being written to subsequent pages within the same block. To free the old pages and preserve the updated pages, the current pages are first copied to another available block, while the old or unneeded pages -- the "garbage data pages" -- are discarded. So the newly written block winds up holding just the current pages and the prior block can be erased and freed for re-use. The SSD garbage collection process in flash memory is almost always implemented in concert with wear leveling.

1

7:36 AM

Just so we all have a fresh reminder of the difference in the two

7:36 AM

Since this is all perishable knowledge

much appreciated @Andrew Rathbun

Not necessarily relevant here, but Garbage Collection is also a term used by some programming languages/systems. In the context of, for example, a Java program, Garbage Collection would affect the longevity of objects related to that program in memory

7:45 AM

Not necessarily relevant here, but Garbage Collection is also a term used by some programming languages/systems. In the context of, for example, a Java program, Garbage Collection would affect the longevity of objects related to that program in memory

7:46 AM

@Andrew Rathbun 's explanation of the two concepts is probably more relevant in forensics than the internal workings of an individual program!

https://searchvmware.techtarget.com/tip/How-are-SSD-garbage-collection-wear-leveling-and-TRIM-different is the source for the explanation, I will not take credit! Just my Google Fu!

1

Anyone have a recent pinterest search warrant template?

@Andrew Rathbun great information on Flash translation layer activities; when i teach the block on that I usually get many orbs of glass staring back at me! but it's the new standard in forensics, from mobiles; laptops, etc SSD NAND based media is the go to. and just when we get a grasp on those two concepts, we get to throw in things like wear leveling and ATA Trim from the OS; which seems quite pervasive in APFS and Mojave

anyone recommend specific hardware requirements to run various software such as cellebrite, encase?

@mazummohttps://www.cellebrite.com/en/platforms/

Cellebrite

Platforms - Cellebrite

@Krisaytha thank you

https://www.guidancesoftware.com/document?types=Whitepaper

Guidance Software | EnCase - Whitepapers, Case Studies, Product Briefs

Whether you're new to the industry or a seasoned pro, you'll find content here to learn something new in the fields of cyber security, digital forensics, ediscovery, and risk management.

8:59 AM

these of course being the recommended; in the world of processing data; it never hurts to have more available; as it will allow more efficient use of your most important resource... time. Also one of the biggest hurdles I've faced is having to build a machine which will continue to perform for 5 years in some cases; requiring it to be over engineered in the beginning only to fall legacy towards the end of the life cycle

Does anyone out there happen to have a repository of sanitized federal SW's and Preservation Letters handy for some of the bigger companies? PM if you do and are willing to share

How do you write block a network connected external drive? The only ports it has are for a power adapter and ethernet.

Does changing the registry key work ?

12:30 PM

I heard the TD3 is able to write block the network connected drives.

12:30 PM

I've never used it

Which registry key do I need to change?

12:32 PM

Would Paladin or another forensic linux bootable block it by default?

Kali Linux has a forensic mode which blocks writes (edited)

12:33 PM

Wasn't someone mentioning how Paladin has a format option and therefore isn't read only?

12:33 PM

Might've been another linux distro

https://tweaks.com/windows/39147/disable-usb-storage-device-write-make-them-readonly/

Disable USB storage device write (make them read-only)

In the corporate world, a lot of time is spent on locking down computers to minimize the risk of confidential information leaving the company....

12:34 PM

are you live imaging ?

12:34 PM

or unplug the external drive?

The drive is seized evidence so it is currently unplugged from power and network.

It is probably raided

12:40 PM

No USB port

Nope. During the on scene work, the computer it was connected to was password locked, The suspect lawyered up immediately and didn't give us a working passcode.

12:45 PM

So i never got to preview what was on the drive while it was connected and running.

@Adam Cervellone Is it not possible to take it apart and image the standard drive(s) using normal methods? (edited)

1

@Andrew Rathbun Paladin can mount drives as r/w but all drives (other than the bootable media) will be unmounted by default. You can then explicity mount as r/o through Disk Manager or Paladin will automatically do it for you if you select the drive as the source for an extraction

1

Anybody using @Magnet Forensics Automate or Review?

Can anyone assist me: I'm using ffprobe to output video/audio files as XML, and want to then display the output as a sortable spreadsheet (just as Excel will import it as an 'xml table') without using Excel. Any ideas/insight?

Python script? Python can ingest xml and output excel spreadsheet files

Are there any other vendors that should be invited here? I think we have most of them invited at one point or another. I obviously can't force any vendor to join and be active but I can at least try. It's been probably since last summer since I did a substantial vendor recruiting push. If there are any, let me know and I'll reach out

5:15 AM

I just reached out to Berla again for the first time in probably 9 months or so

I'll try AccessData folks, too

Is anyone from Elcomsoft represented here?

Don't think so

5:27 AM

Passware has one or two people here, don't know the last time they've logged in though

5:28 AM

Same with EnCase, but who knows what that company is up to nowadays since being bought out by OpenText

5:31 AM

I reached out to AccessData via email

ADF Solutions ?

Never heard of, what do they do?

ADF Solutions has a Triage program used to scan devices for low hanging fruit.

6:11 AM

Similar to OS Triage

Similar but different. It's very good for child porn case. Can use hash set and different options for acquisition

6:15 AM

and analyzes

6:16 AM

Also good for keyword search

If anyone has used the new OS Triage can you pm me thanks..

@Andrew Rathbun You can contact Elcomsoft. They also contribute a lot in /r/smartphoneforensics on reddit

I agree that ADF would be good to have here. We use their triaging software and have found it to be very good

@Goovscoov I know I've reached out to them before but apparently no luck

1

8:13 AM

I will send out invites to ADF and Elcomsoft

Sent

1

Hey all

9:39 AM

Do any of you know if Microsoft Groove has logs or forensics

@bizzlyg That is something I've contemplated but we have run into issues where the drive data is encrypted or otherwise inaccessible when not connected to the controller board of the enclosure.

@Andrew Rathbun I've got a solid contact at ADF I'll give him a call tomorrow and see if they want to hop in

1

6:40 PM

Lol well then I keep reading after a NIST meeting all day and see you e already reached out

@Andrew Rathbun I can try to dig up my contact from the FBI who was heading up the dev of OSTriage after Support stopped for it.

Hey guys reach out to any and everyone. I don't care if efforts are duplicated. Let's make a solid attempt to get them in here. Can't force them but we can give it an honest effort.

I'm about to email Rob Attoe from Spyder Forensics, I'll ask if he wants in too.

I invited FinalData to the party. They did me a solid, giving me a full 30 day demo of Final Mobile. (edited)

@Rossko @Forensic@tor Thank you for taking the initiative

@Andrew Rathbun do we have anyone from Arsenal on here? I couldn't find anyone; I'll reach out and see if anyone wants to join

@Krisaytha not to my knowledge, feel free to run with it

already ran

2

Just curious, does anyone here participate in any device/OS beta programs to get early warning of changes that we might all face? For example, the Apple Beta program

@Deleted User I'm in a few; but we'll need to move this to Direct messages

Thanks for joining @Arsenal

1

Anybody have a recent Facebook preservation request example in which they needed FB to not notify the user as well as the subsequent warrant for user and account info with the same restrictions? This case involves guns so I don’t want FB to inadvertently blow my cover and have suspects destroy evidence. If anyone has their template or copy of the warrant, I would be extremely grateful. If you wish to be so helpful, you can email me at christopher.crayne@state.mn.us Thank you very much!

@IamGroot! don't you not need any paper for Facebook preservation letters? I thought it was all done through their online portal

12:31 PM

In my previous job, we had non-disclosure orders as standard language with any legal process

@Andrew Rathbun Yes, I’m in complete agreement on the non-paper preservation piece, but didn’t know if that had changed recently. Based on the non-disclosure piece for a subsequent warrant, looking to see if someone had a current template or copy of a recent Facebook warrant that included the non-disclosure language, amongst other things.

Yeah hold on, let me check

12:42 PM

IT IS THE ORDER OF THIS COURT that Microsoft SHALL NOT DISCLOSE to the subscriber of the IP addresses listed above of the receipt of this search warrant and/or the disclosure of the requested information, as such disclosure may hinder the ongoing investigation.

12:43 PM

That was the standard boilerplate language used on 100% of my search warrants to every provider

12:44 PM

Change Microsoft to Facebook and you're golden

12:45 PM

Rinse and repeat for future legal process to other providers

the hashcat gui is really useful

@Andrew Rathbun thank you for info. I really do appreciate it. I have Friday brain fry.

No worries, that's the beauty of this server. We all can't be on top of everything in this field. Hope the language serves you well!

1:12 PM

Naturally, check with your local prosecutor/DA/whatever you call it in your area to make sure that lingo will fly. It worked fine in our jurisdiction

Does anyone know how to get ahold of customer support for EnCase besides doing a ticket through OpenText? This has been a huge headache for me. My dongles are way out of date and need to be updated. I can't seem to get anyone to respond.

@Andrew Rathbun I did but it took few hour before they send me an email

I've been wrestling with them all week. Which email address did you use?

I've navigated the new OpenText maze several times. Submit a ticket through their support website and once you get that email, you're dealing with a direct human. Phone number and everything. And don't let the ticket resolve until everything has been answered

1:55 PM

I get responses within a few hours, and then it's you and a human

I do have a ticket going but I think the representative is toying with me lol. We've been back and forth in emails and I've explained the issues multiple times in multiple ways but nothing is budging. I throw my digits at her to call me but I've not received a call yet. It's like pulling teeth

for sales you'll be dealing with opentext, but if it gets technical you'll get some familiar nanmes from tech supports answering and they rock (former guidance0

OpenText maze is accurate. That site was not implemented with EnCase users in mind at all

yeah

1:57 PM

once you do get your dongles in the system it works quite well. I've built three SAFEs since the transition, and beyond the initial new cut license email it's all self-service.

1:57 PM

learning x-ways from scratch was easy by comparison hah

1

I still am very curious what the future holds for EnCase. The closest regional training office for Guidance closed within the last 1.5 years or so. EnCase is rarely updated anymore. IDK, writing seems to be on the wall

yep - opentext has a reputation for milking maintenance contracts. our 3 year SMS comes due next year and will be interesting to see what nonsense they pull.

All I know is I have 4 EnCase dongles and none of them work because the license files are way out of date. Would be really nice to get this figured out so I can work

Matt shannon is receptive to suggestions with f-response, I've tested it several times, but unfortunately for our use case, ~150k encase enterprise licenses they are not quite there yet.

2:02 PM

you trying to do some decryption?

Nah nothing special. Just want to process some evidence and whatnot

Looking for some varying opinions. My agency is looking at getting new forensic workstations for mobile and computer exams. They were looking at the Forensic Dedicated workstations such as FREDS or Sumuri or Forensic Computer. It appears that could build a custom computer through some companies that aren’t dedicated forensics for similar price possibly better specs. What is everyone’s thoughts custom or forensic designed?

2:23 PM

@Forensic@tor do you use Cellebrite on it? Any issues with drivers and such?

I build my own - I get as much CPU, RAM and SSD I can get per budget costr

2:24 PM

but I run Windows 10

2:24 PM

all tools work, including Blacklight

2:24 PM

for OSX

@Sir No1 that is what I was thinking, custom building it as it would be better specs for budget.

HP Z2xx, Z4xx or Z6xx are the models we use. I have a Z620 as my primary and solid

2:25 PM

what's your $s budget per workstation?

I’ll have to look into those model numbers

2:25 PM

Haven’t gotten official budget but I believe around 5k (edited)

$2k-$3k is the z2xx range, and then +$2k from the 4xx and 6xx

MacPro gives you access to the MacOS for apple based investigations (edited)

ooh can buy a lot of workstation if you have $5-$7k per unit

Yeah I’d say about 5k per unit

ncie, go to HP and spec out a Z6xx workstation or Z4xx.

2:27 PM

it's fun to spec them out

Yep! I enjoy it, thank you for the recommendation.

We have HP Workstations too

Is there a big difference between Z6 or Z4 just base specs?

fortunately nothing uses GPUs yet so spend that surplus on a nice 38" curved

1

2:28 PM

upper limits of memory, but mostly it's on how many drives you want to throw at it.

Perfect! Time to go play on the builder!

cool, see ya in an hour hah

We use MacBook Pro's for on scene work too (edited)

Speaking about hw specs for jobs like this. What would be a better option? An older workstation with older Xeons 8/16 or dual 6/12 threads or the most current regular i7 but with higher clock speed? (edited)

2:40 PM

Decent spec'd HP or Dell workstation with Xeons based on sandy or ivy bridge, with 64GB of RAM are quite reasonably priced, refurbished ofc (edited)

Don't bother getting dual xeons. Our tools don't utilise them properly

3:45 PM

Ram is your main priority. As well at nvme and raid for speed and high storage

3:46 PM

I have 128gb ram, 1tb nvme, and 4tb raid. Works pretty well :)

Ok, but still, older, slower, single Xeon 6/12 threads or rather some modrrn one with 8 threads but with higher clock and turbo. How big of a difference can there be, assuming you have enough ram and decent storage solution, nvme, raid etc

3:59 PM

IPC difference itself is 30-40% percent or more but how this translate to tasks like this. I feel like generating a report takes the most time. (edited)

@Jobbins I’ve got a Sumuri Talino machine that I received from a training. That same facility now uses Freds. I’ve also built my own with ASUS motherboard, 64GB RIPJAW RAM, Intel i7, Windows 10, 1-500GB SSD for Windows, 1-500GB SSD for FTK postgres, 1 TB SSD for miscellaneous, 4 deck 8 TB HDD RAID 10, RAID card, MSI GTX 1070 graphics, forensic multimedia card reader, UPC, Blu-Ray w/r, etc., hot swap drives, workstation case, and more. Cost me about $5500 total with parts coming from NewEgg, Amazon, & Micro Center. Same setup from Digital Intelligence or Sumuri would cost well over 10k.

@IamGroot! When possible could you give detailed list of components used to build your machine? The price is interesting.

@FabianoQ Sure. When I’m back at work tomorrow, I’ll dig out the spec list for the machine. You want me to email it to ya or list it here?

1

Please list !

@IamGroot! I think also others in the list may be interested, expecially if you confirm that the rig you built is stable and gave you no problems with the usual forensic softwares. Thanks.

@IamGroot! I would be interested in this as well

Any CDR gurus it there? I'm trying to figure out the difference between SMSC and SMSMSC in TMobile records. The latter has tower information so I want to make sure it's accurate.

Have you reached out to T-Mobile's LE number and asked for clarification? Or did they provide a guide for their records?

I haven't yet. I just mapped the records. Typically T-Mobile is voice only for location information but I noticed some of the text messages have the tower info. (edited)

Does anyone have a power bank/charger for apple devices ? You would take out the battery and plug it directly into the phone ?

@FabianoQ rig is stable and I use FTK on it with little to no issues other than occasional operator error. Also have Cellebrite PA on it and the Talino. Busy Monday. I will try and post specs tomorrow morning prior to executing multi-location warrants.

I am building a new forensic machine and was wondering what graphics card you all would recommend?

Do you do lots of password cracking? What's your budget?

Not at the moment but I would like to have the hardware if needed. I would say $1500-$2000 for the GPU (edited)

https://tutorials.technology/blog/08-Hashcat-GPU-benchmarking-table-Nvidia-and-amd.html

Hashcat GPU benchmarking table for Nvidia en AMD

Check

6:07 AM

Judging from those benchmarking results, it's probably most cost efficient to get a couple either 1080's/1080TI's rather than one 2080

6:09 AM

However, be wary of supply shortages and inflated prices. I bought my 1080TI back in late 2017 for $799.99

6:09 AM

You shouldn't pay more than that. Check NewEgg, Amazon, anywhere

Here is the build sheet with current links. There is more updated and powerful hardware out there. This is what I used to build my tower about 1.5 years ago. Works great with no issues. Let me know if you have any questions.

towerbuild.pdf

109.92 KB

1

6:23 AM

@goalguy @FabianoQ @scott h @Jobbins posted the build sheet. Since you would be saving so much money, I would recommend spending more to get 128GB RAM. I upgraded my own RAM in the Talino and it is fast. Cellebrite still crashes occasionally, but that’s a Cellebrite issue. (edited)

1

@IamGroot! awesome!! I appreciate that!!!

Thanks @IamGroot!

https://www.amazon.com/VIPFIX-Multi-Function-Current-Supply-Switch/dp/B07D37CWW3/ref=sr_1_3?keywords=power+on+apple&qid=1553610417&s=gateway&sr=8-3-spell

7:27 AM

This is the hardware I was referring to apple devices

@Jay528 I use this...it is great. No need to remove the battery. https://www.dhgate.com/product/all-in-one-professional-phone-current-test/421264229.html (edited)

All In One Professional Phone Current Test Dedicated Power Cable B...

repair cell phone, cell phone repair las vegas and cell phone repair shops are on sale! Do not miss the special opportunity, just show the type of chances you can take. kaomianjin gives the super all in one professional phone current test dedicated power cable battery chargin...

1

it is cheap enough to purchase out of pocket but bank account is closed

That could save me a lot of time swapping batteries out... Nice one

@Jay528 Your bank or theirs? If theirs...just google that model...can find it all over the place.

personal bank

7:35 AM

lol

7:35 AM

ill see if its on amazon

7:36 AM

much easier for my agency to purchase

Several models exist so make sure to get the one that powers up to iPhone X

7:37 AM

https://www.amazon.com/Professional-Repair-Power-Cable-iPhone/dp/B07G29JG1L

Where do you connect the power to ?

@K23 I found it after I caused a battery explosion trying to remove one. Barely nicked it.

Sorry, not familiar with this kinda stuff

7:38 AM

https://www.amazon.com/Service-Supply-Current-Testing-iPhone/dp/B07NKWR6FK/ref=sr_1_fkmrnull_8?keywords=power+cable+w103&qid=1553611061&s=gateway&sr=8-8-fkmrnull

7:38 AM

this one for iphone X

you need a DC power supply. Such as this: https://www.amazon.com/Eventek-KPS305D-Adjustable-Switching-Regulated/dp/B071RNT1CD/ref=sr_1_1_sspa?crid=2WJXY99BBPXB&keywords=dc+power+supply&qid=1553611130&s=electronics&sprefix=dc+pow%2Celectronics%2C159&sr=1-1-spons&psc=1

7:40 AM

@Jay528 That one works, but more expensive than the one I linked above. Your specifically mentions the XR and XS phones....so maybe a better buy. (edited)

Just spoke with my boss and it might be better to buy the battery because of the unlocking time

@Jay528 Are you needing a solution to maintain power while attempting password bypass? Or to facilitate data extraction? (edited)

Both, this would work on a consent search where we know the password

I use that device when the battery is not functional and need to maintain power for extraction.

My plan is to buy 2 batteries for all the iphones that came out

I use a divided power hub for long term power needs, such as bypass when it may take some time to complete. For this purpose we use this: https://www.amazon.com/10-Port-Charging-Station-Storage-U280-010-ST/dp/B017KXQOJA/ref=asc_df_B017KXQOJA/?tag=hyprod-20&linkCode=df0&hvadid=309818716690&hvpos=1o2&hvnetw=g&hvrand=16936796593124463194&hvpone=&hvptwo=&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=9011541&hvtargid=pla-492857851909&psc=1. It allows us to label the device and put them between the dividers. (edited)

Amazon.com: TRIPP LITE 10-Port USB Charging Station Dock with Stor...

Amazon.com: TRIPP LITE 10-Port USB Charging Station Dock with Storage Slots for Tablet iPhone iPad & Laptops (U280-010-ST): Computers & Accessories

https://www.amazon.com/Charging-Multiple-NTONPOWER-Organizer-Products/dp/B072MLL1QJ/ref=pd_ybh_a_146?_encoding=UTF8&psc=1&refRID=23H5TT1415NFXE1A3225

7:54 AM

i have 6 of these

What does everyone use to verify files when they move form usb or external HDD to storage server?

Teracopy is good

3

Paid program is SafeCopy

10:20 AM

TeraCopy or Robocopy

another vote for teracopy here ✋

Thanks. Teracopy looks decent.

Hey All, I work for a sheriff's department and we are moving our two man forensic team to a bigger area in the hopes that we will get some more help soon. We have a limited build out/furniture budget. Is there anything that you guys have done in your labs that has made an improvement in your work/workflow? Any suggestions for desks? chairs etc.....

1:50 PM

Thanks in advance for any opinions.

@ds275 I would highly recommend adjustable height desks. Great for your posture and overall wellbeing. There are anywhere from cheap to expensive ways to do it. You can get creative but I would wholeheartedly recommend them. I type this message to you standing up

Any brands you like?

@ds275 https://www.reddit.com/r/StandingDesks/ would be your best bet for researching brands. I have a pretty expensive brand (Uplift) at home so I wouldn't recommend it for the budget conscious. You could always find adjustable height legs somewhere and install them to any tabletop you can find. Or you can buy something from VariDesk or Uplift or any of the other brands. I know any office furniture company will have adjustable height solutions available. However, the DIY route/not going through an office furniture company might be cheaper. (edited)

r/StandingDesks

Hi, thanks for the invite. I’m most interested in learning firmware forensics.

2:44 PM

I do not see a channel specifically on firmware, which alternative is most suitable ?

Currently there is none. This is probably the best channel since it's a general channel (edited)

cool cool, are you familar with that subject rathbuna?

Not at all, unfortunately

2:51 PM

I just work here

work here?

NVM. Was a joke

2

@RubberDucky any particular devices or firmware project your interested in?

I'm beginner looking to learn @Krisaytha

3:38 PM

the extraction of data off a firmware, compare to the original firmware, perhaps RE, etc

@RubberDucky always ready to help, but I'm having trouble figuring out what your looking to learn. Do you have anything or device you would like to work on, a mobile device and the firmware of a specific component on the device, or working with an embedded system such as a Google home or similar

I need to acquire the skills to be able to work on devices in general

3:50 PM

I expect it to be a long journey, aka no shortcuts

@RubberDucky any reason why you're narrowing down on firmware forensics as a beginner? Frankly I've not heard much talk about that from even industry experts. Unless I'm misunderstanding what you're talking about

perhaps I'm not a beginner

jk I have a ton to learn still in many others aspects of forensics, however I would like to enhance my teams capabilities

3:55 PM

currently I have found resources in hardware hacking channels

3:56 PM

they teach the extraction, exploitation and modification of firmware, which is basically want I need, but I figure I'd ask here too

@RubberDucky not meaning to sounds too pointed, but to help clarify... What are you meaning when you state firmware?

No problem, I’m new anyways

5:16 PM

I mean like the data in a chip on a circuit board that controls stuff. Like the bios, or something. @Krisaytha

@RubberDucky are you looking for an emphasis in mobile or computer forensics. All the above?

5:19 PM

That is a very specific area of expertise for either field.

5:20 PM

What is your background?

Anyone try this for report writing and building templates??? https://github.com/SerpicoProject/Serpico

SerpicoProject/Serpico

SimplE RePort wrIting and COllaboration tool. Contribute to SerpicoProject/Serpico development by creating an account on GitHub.

@sholmes I don’t understand

I think the feeling is mutual

Lol

5:51 PM

Extract data from a smart light blub, or controller for a HD, or the bios of a mother board

IoT forensics, then?

Sure good enough

@Andrew Rathbun sounds good iOT forensics and other associated embedded systems it is! @RubberDucky specializing in this type of acquisition and analysis is often at the higher end of the spectrum as it comes to skill set and prerequisite knowledge ; my advice if your wanting to focus on this avenue, is to check into things likehttps://azeria-labs.com the information for arm architecture is spot on, and is the prevalent architecture for iOT, mobile, embedded systems etc. your desire to jump in is great, but know it's something which may require tons, and I do mean tons of hardwork, also bear in mind, BIOS is a pretty far stretch from say a smart light bulb; focus on the cores, ARM architecture, linux for embedded systems, and see how things shake out. But rest assured this group will be here ready to support and help as long as hardwork is evident!

unknown

Home

Thank you very much @Krisaytha ! I have been reading that site a lot, good to know it’s highly recommended

Hello! I am having a little trouble with the usage of Magnet Axiom, i am trying to take the files in my evidence and create a hashlist from these that i can later re-use in later cases. I am having trouble finding any resources on the matter, or if the functionality is even available. Any insight on the matter would be greatly appreciated.

4:07 AM

@Magnet Forensics

@Cygonaut Axiom Process can accept hash files that are structured one hash per line in a. Txt file. You would need to export all the hashes you wish to include and then create a simple text file of these, one per line. Then you would be able to add this file into Axiom Process.

4:19 AM

Best way would be to export to a CSV, the. Delete all other columns apart from MD5 Or SHA1 (can't have both) and then hit save. Axiom will actually accept the CSV but you will need to enter *. * in the open file dialog to get it to show up.

Thank you! I will give it a try

What do you guys use as your forensic case management ?

ours is bespoke currently

4:46 AM

but I hear a lot of people like black rainbow

4:46 AM

and some others use lima

We use Lima, but hopefully moving to black Rainbow soon

Other alternatives are magnet review and teeltech xbit

Xbit is pretty cool. Check out a demo.

Anyone heard of the term "auto vacuum" on an iOS device ?

5:25 AM

https://www.tutorialspoint.com/sqlite/sqlite_vacuum.htm

SQLite VACUUM

SQLite VACUUM - Learn SQLite in simple and easy steps starting from basic to advanced concepts with examples including database programming clauses command functions administration queries and usage along with PHP, PERL, C, C++, JAVA, Python, SQLite concepts, Overview, Instal...

is that like trim for databases (edited)

SQLite databases can employ a variety of vacuum functions; many databases, including the sms.db employ it

Does anyone have another tool for sqlite databases as Sanderson is on bereavement ?

ios 12 sms.db

5:44 AM

@Jay528 if you have cellebrite PA, the SQL wizard function is quite nice, if you have oxygen forensics detective

5:44 AM

it too is quite nice

@Jay528

️

5:45 AM

pa is pretty slick

Sanderson does wondering recovery

5:45 AM

wonders ^

5:45 AM

This was a database found on a laptop for ichat messages

pa sql wizard has many of the bells and whistles including the ability to write visual queries; spend some time in it, you won't be disappointed

5:46 AM

same structure, iOS macOS, your all good

got it, thanks

https://www.magnetforensics.com/blog/find-more-evidence-that-matters-with-magnet-axiom-3-0/ some pretty cool new features/additions. Excited to try out that timeline

Rick Andrade

Find More Evidence That Matters with Magnet AXIOM 3.0 - Magnet For...

Magnet AXIOM 3.0 will let you recover digital evidence from more sources than ever before, a powerful and intuitive new Timeline view, and much more.

I have an ADA's Apple iPhone that is randomly calling people, opening apps, face timing people. The phone is not jail broken

9:32 AM

She thinks she got hacked

9:32 AM

Anyone experience this ?

Is it doing this wen only plugged into a charger or all the time @Jay528 ?

all the time

That is strange. Is it like phantom touches or do the actions seem like a person is controlling it?

they think someone is controlling it. I took out sim and it isnt on wifi

Still happening when isolated?

On another note, a few months back we were discussing Virtual Here and if it would allow @Cellebrite to work when connecting using RDP. I can now confirm that it DOES NOT WORK when RDPing to my forensic machine. (edited)

yes

9:55 AM

it is weird

My first guess would be moisture but if it is too deliberate of actions that doesn't support that claim.

thanks.

@goalguy cellebrite is horrible for remoting. We use Axiom or Oxygen for those reasons when we need to be outside of the lab env. Also cellebrite won’t give you a soft license either for fear “you’ll abuse it outside of the one person who is to be IDed as the primary user”. Frankly their customer service is very subpar

11:34 AM

@Jay528 can you confirm what type of iPhone it is? Model #?

i just gave it back and theyre going to the apple store

11:47 AM

I think it is a Att Apple 8 Plus

I have seen an iPhone do similar things. The issue was resolved with a restart. This phone would change functions so fast that it did not seem "human" controlled. But it would open random apps and change/close windows on its own. I do not remember it making calls.

Did you let the phone die off ?

1:21 PM

Apple was probably hacking the customer

Simple restart. Haven't heard yet if the problem has returned after a day or two.

Had a similar. The phone was curved.

1:39 PM

It was not really flat

Has anyone dealt with chatting apps: signal and telegram? If so, what tools did you use to view the data?

PA parses them. For Android you need a physical and iOS a full FS.

2:44 PM

I can’t recall if signal is getting decoded at this point .. going off memory

Not for nothing. If someone has remote control of an iPhone, they’re sitting on or have acquired a million dollar exploit. IJS

1

Pegasus SPyware FTW

Agreed

2:51 PM

Can you bring a computer image into PA to parse? The signal and telegram chats are from a Mac computer. We know the password

No it doesn’t do computer images in that a sense for artifact decoding

Check to see if IEF/Axiom will parse it

1

You can also use Cloud Analyzer to pull the cloud based Telegram one

@ds275 is the touchscreen broken, hence randomly simulating user input ? Just a wild guess

So what’s an average day like working in digital forensics?

@Tyføøn Today we had to dismantle an iphone in order to dry the inside components because the suspect throwed her phone in the

(and

on it ) while the officers were trying to kick open her front door. Typical LE day where you think you have seen it all, but you haven't. (edited)

6

@Kramnias. I have actually seen something similar to that.

@Kramnias ahhh who pulled it out?!

6:28 PM

toughest job, ever

The rookie

Lol

@CLB-Paul @natalied4784 PA doesnt decode Signal (iOS FS) but Telegram is decoded... I really need to extract some data from Signal.sqlite (iOS), if you find something please let me know.

@Cellebrite Hello i have an Question to UFED4PC Version 7.16.0.93 and Android Applikation downgrade. In the Release Notes March 2019 there say, there where a new one. My UFED-PC isn´t online to the internet. After installing UFED4PC, a window is popping up and suggarate there is a new version to install for "Android backup APK downgrade" and a have to load and install it. On the Cellebrite Download WebSite only i found "APK Downgrade Pack (Aug 2017)". Must i install this old version now?

Yes, this is the relevant apk pack

@CLB - RoyA Thanks. But is this methode safe to new WhatsApp and Facebook Messenger Version?

Yes. I'll DM you for further info

@Cellebrite What are the apps that the APK Downgrade method can extract? I tried looking for a list on the Cellebrite website and could not find it.

@gt530 (edited)

Thanks!!

anyone use xenserver / xencenter

I've dabbled. Used Esxi / Hyper-V / Proxmox a lot more

I need the fixup iso

6:51 AM

or I guess, I'll see if I can run one port on internet and one not

I could probably try nab that for you tonight, looks like it's included with the main installer so should be somewhere on the file system

yeah I woulda thought so

6:52 AM

but I guess not

I'd just install it in a VM and have a play in the filesystem

6:52 AM

https://support.citrix.com/article/CTX124961

Operating System Fixup in XenCenter 5.6 or later OVF Appliance Plug-in

Operating System Fixup in the XenCenter 5.6 or later OVF Appliance Plug-in

but I don't think it comes with xcp-ng

6:53 AM

xcp do provide a compilable iso, but the makefile is broken

What version of xenserver? I think you could get the older version for free with limitations, but could potentially grap the fixup iso from there but it may be out of date

7.6.0

6:54 AM

I'll just re-install from scratch I guess

6:54 AM

I had a pre-setup hashtopolis server

6:54 AM

but it won't import the vmdk

That one had a free version I believe

6:55 AM

Oh bummer

6:55 AM

Why not use ESXi free for it? Assuming it's just to host the vmdk

ESXi locks you out of a lot on the free

6:56 AM

so I didn't feel like it

True it does, but depends when you are using it for

6:56 AM

Fair enough haha

we were going to use hyper-v but it was too painful

Hyper-V standalone is pretty decent. No feature lock-out and that's entirely free

6:56 AM

Ahh. What walls you hit?

not compatible with the server

6:57 AM

or at least, it refused to install

I'm currently playing with it in my lab enviroment. It's fun without a domain for sure but runs on pretty much anything

6:57 AM

Oh

it's not a player / standalone thing

6:57 AM

it's a full server

I know

that I'm doing

You can get hyper-v standalone server for free

6:57 AM

Suprised that didn't work. Basically runs a very light version of server core

oh I mean there's licenses for them available

6:58 AM

but essentially, the server refused the install

6:58 AM

and at that point I said, I don't even want hyper-v

6:58 AM

so I gave up

Fair enough

I could have got it working I'm sure

6:58 AM

but I just don't really want hyper-v anyway haha

Haha, I'm just using it at home as I know it's widely used in the industry but it was a bit of a nightmare to get going without a domain - getting it managed via server manager. But now it's there it's actually not too bad. Proxmox and xcp-ng are on the list for a later stage

yees

7:01 AM

I dunno I just don't like the idea of hyper-v

7:06 AM

I'm just gonna start from scratch

7:06 AM

such is life

Haha because it's microsoft?

7:09 AM

Just think of it as more learning! It's good to start from scratch sometimes

7:18 AM

or is it

1

Probably not, but otherwise it's just sad and frustrating

Hah yeah

7:32 AM

I had a nightmare of a weekend

7:32 AM

with VMWare

Does anyone have an old Dropbox LE Guide on hand? I can't seem to find a current one. Seems like a lot of providers stopped making guides for LE

Update: I requested a guide through Search.org - https://www.search.org/resources/isp-list/, at the bottom of the page and got an email with all guides within a couple hours

Just general info — but I found a site that has full Reddit Dumps if anyone is in need of that info.

5:06 PM

They’re about 13GB compressed and they do it basically once a month and have archives

@RandyRanderson Post it

https://files.pushshift.io/reddit/submissions/

2

1

5:36 PM

It’s in a my presentation on Weds at Magnets Summit

Has anyone upgraded their GK internal HDD ? Can you DM the make/model of the SSD you bought

When a defense expert is allowed to view a copy of an image from a mobile phone but he doesnt' have Cellebrite what file format would you provide him the data in? In this case I have a logical file and physical extraction.

12:16 PM

Im thinking giving him the physical bin files is sufficient correct me if I am wrong

@Ghosted did you provide prosecution with a ufed reader or similar?

1:06 PM

If so, the same should be provided to the defense, if not now, they'll request it during discovery anyway, best bet is to be transparent and verbose

I would give it to him in the format you have it (all images). If he is an expert he can read it. (edited)

@Ghosted We typically provide prosecution and defense with a UFED Reader and PDF version of the relevant extracted data.

2

@Yap I do the same and have the raw extraction ready to disclose if requested

1

As a nice gesture we provide UFED Reader

I believe his question is centered around the raw extraction not the end user deliverables. I would just provide the raw extraction in the format that I obtained them in. It is the defense "expert's" problem on how to parse it. If truly an expert he/she has the necessary tools to parse it out.

I took the OP as I have conducted acquisition and analysis using Cellebrite, how should I proceed in initial discovery or subsequent discovery to a defense analyst As such not only should the acquisition in it's native state be disclosed , but also product associated with it, which had already been provided to the prosecution

@Krisaytha As he said "defense expert" wanted to view the "images", I assume he was past the initial discovery. (edited)

@Krisaytha Your correct. I am trying to see what people are letting them use.

@Forensic@tor and @Ghosted in my neck of the woods providing a physical image to a defense expert is a pretty rare event. If we're ordered to turn over a physical image so that defense can conduct a separate exam, we would provide a hashed copy of the image to the prosecutor to release to defense. If it's a CP case, the defense must conduct their exam within a secure space provided police department (i.e. we won't release evidence into the wild).

1

This is a CP case and I was planning on providing the physical image on a thumb drive for them to use in our secure space and they are not to take any copy or part of the extraction.

Right on, providing initial acquisition is always been my way state and federally, just to save time later down the road, CP cases were a different beast of course

1:36 PM

Infact CP cases @Yap hits it on the head if CP is involved in too would. Proxy through the prosecution

1:36 PM

I too

So is just giving them the physical extraction ok or do I need the logicl and file system to go with it too? Thanks for all the guidance.

If you're LE, I would check with the prosecutor for guidance and release everything to defense through them. We always release evidence to defense through the lead prosecutor. But, generally, you would probably give them all of your end products.

I can't release the CP to them. They have already been given the extraction - the CP. The defense expert wants to view the raw image is what I was told. The expert said he may need the information in raw form.

@Ghosted See my edited post above.

Yeah - CP is different. I would make sure you're on the same page with the prosecutor (as to what should be released) and then make it available in a secure environment at the PD. Obviously, the exam occurs in the secure environment and nothing leaves when it's concluded.

1:44 PM

@Forensic@tor is spot on above.

Yes that was my plan I have a secure room for them to utilize and I was going to put the evidence on a drive for them to use and that drive will stay after they are done. I just wasn't sure it I put logical file and physical on the drive or just the physical. From what I'm hearing I will put all of them along with the reader program.

Does anyone use the FRED L forensic laptop? Looking for feedback! Thanks.

FRED has a laptop? We use to use their tool. Now we only use it for legacy systems we cant use our new tools on

@Hells https://digitalintelligence.com/store/products/fred-l-forensic-laptop

wow

6:58 PM

thx! i can only give feedback on the fred tool itself and encase

One thing I always wonder, why do forensics tool reports have to be so horrible to look at

Great question!

I just did a PDF export on Cellebrite and it's horrific

3

4:53 AM

can't make heads or tails of it

I think I might have posted previously that I'm a big fan of the reports that FIVE from @Amped Software generates, in that they include references to the research that backs up the video enhancement methods. Doesn't solve any layout/navigation issues, but makes the report far better in my opinion

Hey @Law Enforcement [UK], I've got a question. So I'm looking to develop a cloud storage forensics tool that'll harvest the credentials, or with provided passwords, or the password from an OSINT source, from the PC and then login to the cloud storage providers, e.g. Dropbox, OneDrive, Google Drive, etc.. it'll then download the artefacts from all of these services that've been uploaded. Is this legal for investigations in the UK? Does it break ACPO in any way? Cheers.

@Lloyd Whoever used itwould need to get RIPA - https://www.legislation.gov.uk/ukpga/2000/23/contents

Regulation of Investigatory Powers Act 2000

An Act to make provision for and about the interception of communications, the acquisition and disclosure of data relating to communications, the carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the means by which electronic da...

Hey @Lloyd . We currently teach these kinds of processes on some of our training. To the best of my understanding, doing so is legal with the correct authorities

7:18 AM

What @MrMacca (Allan Mc) said. Different forces are justifying cloud extractions in slightly different ways, but that's more of an internal/force legal decision atm

I think getting the authority can be difficult to justify though? Unless is a very serious case/very high profile

I'd say that whilst you might be violating ACPO 1 (almost certainly changing logs on the cloud side), demonstrating competency, keeping audit logs and keeping OIC informed (so principles 2, 3 and 4) make it acceptable in my eyes. The cloud is such a powerful source of evidence that it's essential to have the skills to interact with it safely if the correct conditions are met

7:21 AM

@bizzlyg Can potentially do it based on consent of account owner

good point

I think cloud extractions are unavoidable

Anyone know of CTFs for DFIR?

ACPO leaves a bit of room for justification so, as long as you have the authority

Thanks for all the input! Yeah, I think I'm going to develop a product which ties all of them together and attempts to harvest credentials for the services too.

7:45 AM

I was speaking to a few people from a force in the UK who said it's a real issue

7:45 AM

Or make it open source, not decided yet

it's mostly just because things are stuck a bit with the rigidity of original ACPO intent

7:45 AM

but I mean, if you have a HP stream with 1TB in the cloud

7:46 AM

what can you do but cloud extract it

True, I wasn't sure about logging into services though

7:46 AM

I thought that was the iffy part

7:46 AM

With a set of credentials

depends I think

7:47 AM

like, tokens are very accessible

7:47 AM

we would usually go for voluntary first, i.e. the person who owns the account

@cyberc3nturion check out #MUS2019 on twitter the CTFs should be released soon

1

but afterward as long as the OIC or whatever accepts the requirement and stuff

7:48 AM

but yeah, it's unavoidable, otherwise you would just have nada

I dont think the issue is with ACPO at all imo, its simply down to whether or not you have legal jursidiction to get the data. If the person consents, all good, if they don't then you need some kind of authorisation, like RIPA, and depeneding on what you want to do (eg if classed as interception) it might be tricky to get that. It doesn't matter that cloud extractions are needed or that OIC wants it, it ultimately comes down to the legality as its that which will get potentially questioned by defence

2

8:14 AM

From what I understand its simpler to get this authorisation in Austria, even routine, but unless its changed recently in the UK, it seemed much more restricted there

8:14 AM

Just using Austria as an example from my perspective

I agree, apologies if I made it sound like I considered ACPO to be the obstacle, I was just addressing the question regarding ACPO from @Lloyd It does indeed seem to be the legal aspect that's the obstacle here

@OllieD Yes sorry, I was also more directing that at the original question

1

@cyberc3nturion did u find any?

@RubberDucky no

I have a consent search to assist witness to grab specific icloud email. The user has a copy of the email on his mac. What method have you used ?

@Jay528 anything against him just forwarding the emails to your work account? That was always good enough for me.

Jumping on the cloud discussion, we have fairly strict guidelines on cloud extractions, in which we either need a DSA and one sided consent, or an equipment interference notice + a DSA if one sided consent is not given. Both of those need to be signed off by someone fairly high up and are not the easiest things to get hold of. However this area is constantly changing and the best advice is to get the OIC to consult the force CAB on a case by case basis

2

@OllieD Thanks for the feedback about the report. Could you please elaborate more on "Doesn't solve any layout/navigation issues, but makes the report far better in my opinion". Just wanted to understand what layout issues you are referring to. Thanks!

@martino_amped Hi, I was not clear with my earlier message. I was not criticising layout (as that was the point raised about all forensic tool reports in the earlier question), I was just complimenting the transparency/referencing of the reports. I am not a FIVE user, but have attended workshops that have used it. I'm a big fan of the transparency element, but I appreciate that there's a far greater wealth of academic material on video/image enhancement than on mobile forensics!

Griffeye question: Does anyone know of a shortcut for creating bookmarks? If not, has anyone made a script that will create a batch of bookmarks?

1

Hello good morning . Does anyone have a document comparing the functionalities of msab toolset to that of cellebrite

With versions changing and updating so frequently I imagine that would be a hard document to maintain @Santetla. We have both in house though so feel free to DM me some specific questions and I'll help where I can

@Santetla are you looking to purchase one of those or do you already have one and are looking to compare to the other?

Hello @Andrew Rathbun .we currently use XRY and looking to purchase cellebrite. I have to justify the purchase and so want to compare features

XRY's strength is in the older/burner phones. They touted that during their sales pitch/training a couple years ago. It all depends on what your jurisdiction sees in terms of phones.

1

@Andrew Rathbun sometimes they are too lazy to forward 50+ emails

@OllieD thanks for the clarification. Sure, there’s way more “stable” paperwork in the imaging science domain.

Anyone use quick hash ?

6:35 AM

I download the free version and I wanted to create a HTML report for my results of file only

6:35 AM

Is it possible to do it on a free version ?

@Jay528 I have a variant of a script Lee Reiber publishes in his book which takes a given directory and hashes each file within it; listing size, location, sha1 md5 and outputs to CSV; would this help?

yes, thanks

Awesome, if others are interested I can share; it's about 95% lee reibers work, from his book but ive sprinkled in a little compatibility etc

https://nypost.com/2019/04/03/teens-cop-dad-holds-suspected-groper-until-police-arrive/

Teen’s cop dad holds suspected groper until police arrive

Paternal instinct met police training as an off-duty NYPD sergeant chased down and held for fellow cops a creep who allegedly had just grabbed his teenage daughter’s butt as they walked down a Broo…

7:07 AM

I need to download this video with audio

7:07 AM

I was able to download the video with a chrome extension but not the audio

disregard

7:16 AM

online converter ftw

7:16 AM

https://www.onlinevideoconverter.com/success

Free Video Converter, Online Video Downloader, Screen Recorder - O...

Convert video files or videos from YouTube, Vimeo, Dailymotion to many formats in HD quality. No software required, easy to use and totally free!

Anyone running griffeye 18.4? Could you confirm a bug that our office is having: exporting pictures appears to be appending file names with '_2'... New feature?

Just had a weird thing happen. Using PA I was reviewing an email account within a full file system iPhone dump. Trying to figure out a person's facebook identifiers I clicked on one of the Notification emails whcih stated they had 2 messages and 7 notification. If opened the persons facebook account and messages. No examiner interaction beyond click the link for 2 messages within the email found in PA. Anyone else ever have this happen to them?

9:34 AM

It not only gave me their messages, but their profile page access..............

So is there a difference between digital forensics and cyber forensics?

Cyber sounds very buzzwordy. That word is more associciated with the investigation of computer enabled crime but not neccesarily the actual digital forensic side of things (At least this is the case in our force with our cyber team) .

1

Ah ok, a better word would probably just be computer. Cyber now sounds to security related. Thanks for the response! (edited)

To be honest my use of the word computer there was wrong. It's more like digitally enabled crime, i.e any crime that would take place using a phone / computer / networked device (e.g. computer misuse) as opposed to a crime that would take place physically (e.g burglary), but evidence can be provided to support it via digital forensics. Agreed, cyber appears to be a lot more security related

Anybody have any good suggestions for digital report management systems which work well with the digital forensics field?

@Jameson if you are talking about case management systems, Lima by Intaforensics seems to be one of the main ones being used nowadays

Thanks I'll give it look

Has anyone dealt with a laptop that has had both the RAM and HDD stolen and still been able to perform any sort of forensics on the box?

5:31 PM

5:32 PM

I have a box just like this

5:33 PM

If so, please DM. Thx

@Pathfinder what could possibly store any information of forensic value if both of those components are missing? Happy to be corrected but it sounds like there's nothing of value to be found there

I have no idea. I said the same thing. But I am going to make some sort of effort and I am not sure where to start.

@Jameson also Atlas built by two police officers and bought and upgraded by Magnet Forensics

5:43 PM

https://www.magnetforensics.com/products/magnet-atlas/

crowdlinker

Magnet ATLAS - Magnet Forensics

Simple, Powerful Case and Lab Management.

Magnet is great stuff

5:45 PM

I use it and tons of other stuff

Thanks

Intella, FTK, EnCase, Eric Zimmerman's stuff

5:46 PM

BlackBagtech is great too

Yes but was answering a question about case management specifically by @Jameson

5:47 PM

All good stuff in the community

Oh I know. I was commenting how our office likes it

5:47 PM

We use Magnet quite a bit

You guys have Atlas?

5:47 PM

Cool appreciate the shoot out

I don't recall...i know we have case management tools..i swear i have seen Atlas in our cloud

Cool

We save different software for diff things

5:55 PM

May is Cellebrite training update.

case management via sharepoint... its as terrible as it sounds...

@Hells Right there with you.

We use SharePoint too but not for case management. We have something equally as ancient but I don't hate it... Yet lol

I was looking into using a home brewed solution too but I don't want to create something I have to leave to someone else to manage eventually..I would rather have a product with proper support (edited)

@Jameson You might want to try this.... https://github.com/SerpicoProject/Serpico

SerpicoProject/Serpico

SimplE RePort wrIting and COllaboration tool. Contribute to SerpicoProject/Serpico development by creating an account on GitHub.

1

@Jameson I've been using Atlas for about 8 months now with good results. I particularly like that it has an online case request form for my detectives which gets me the pertinent information and the legal authority without having to ask

Morning Everybody! Has anybody had any success getting any info off of a Roku? Not sure on the exact model yet but just wanted to see if it was worth trying to extract.

https://youtu.be/P3sjzF1z080

Alanna G Todd

Roku Digital Forensics Examination

6:28 AM

http://sveoti.net/archives/5367

Contributor

Forensic Analysis of a Roku XS 2

Abstract The Roku XS 2 is digital media streaming devices made by Roku Incorporation. The Roku is a relatively new device. The first generation of Roku was introduced on May 20th, 2008 (Roku…

Thanks @Andrew Rathbun Looks like extracting data would be ISP or Chip-Off and even after that wouldn't be able to really decode and analyze the data. Seems not a whole lot of data is even stored on the device other then channel info.

1

I am working on next years budget and I am looking for some survey-type information: Are your main forensic machines PC's or Macs? Is your main forensic machine home built or commercial built (Sumuri/Digital Intelligence, etc...)? How much RAM do you have in your main machine? Thanks in advance for the info.

Lol

2:34 PM

128MB? Haha

@RubberDucky oops...it was a commodore pc (edited)

PCs, commercial (currently Sumuri), 128gb.

PCs for work in the lab, MacBook Pro bootcamp'd for being mobile. HP Z840's for our workstation. 128GB.

+1 for the bootcamped mac pro as well

@Forensic@tor how much that set you back?

Why did you go the maxed out Mac Pro instead of just using the laptop when you needed it?

3:41 PM

I looked at it a while back but couldn't rationalise the cost compared to a similar windows machine

The Mac allows us to do Mac forensics natively. We use the laptop for mobile work.

@franksvensson @natalied4784 Regarding your messages about Signal, perhaps drop @TROUNCE a DM. He has previously written a Signal bruteforcer

@OllieD thanks!

@Jamey any idea about what Atlas runs on top of an axiom license?

11:03 AM

Or could you give me a ballpark rather.

No idea brother $$$ wise but can get you some direct number to inquire instead of going through the exchange.

@Jamey sounds good. I just put in a request for a demo still waiting to hear back but I'm not in any rush

Cool let me know if I can get it expedited for your.

anyone know much about email

4:06 AM

hoping to understand why you would get <image0.jpg> (or any image name) in place of the actual embedded image

Might be a dumb question so I apologize ahead of time. Can you not use a Cellebrite dongle through a VPN? I'm having issues currently trying to remote into my workstation and having my workstation recognize the dongle.

To clarify, the dongle is physically plugged into my workstation that I'm remoting in to. It's not showing the expiration date of the dongle or what the dongle is licensed for on Show License Details. But, when I take that same dongle and put it in my laptop or another desktop and bring up PA, it'll show in Show License Details everything and allow me to parse dumps

@Sudo I think the default naming is imageX when a filename is not present

also, more important

5:36 AM

how do I convert base64 back

5:36 AM

i.e. to an image

I've never got it to work with remote desktop let alone via VPN @Andrew Rathbun.

@K23 I wonder if that's by design? @Cellebrite

This is on their knowledgebase: "Issue UFED Dongle license (for all Cellebrite's PC applications, i.e. PA, UFED 4PC etc.) is not recognized if user connects via RDP (Remote Desktop Protocol). Cause By default, a license in a sentinel dongle (HASP) is not recognized if connected via RDP from a remote machine. Solution Dongles have to connect to a local PC."

Bah, that's unfortunate. I'll have to work around that then. Thanks for the info!

On another thread "*Dongles cannot run under terminal (RDP/Remote desktop is disabled)"

5:42 AM

so looks like it's disabled by design

I'm sure it's a measure to ensure multiple users aren't mooching off the same license or something to that effect. I get it, but it's inconvenient. It's all good though!

1

Interestingly VNC apparantly works

5:44 AM

https://www.reddit.com/r/computerforensics/comments/7x0vpi/cellibrite_dongle_not_working_when_rdp_into_the/

r/computerforensics - cellibrite dongle not working when RDP into ...

1 vote and 10 comments so far on Reddit

wrote a script for the b64 (edited)

6:03 AM

probably nothing

6:04 AM

are all emails encoded in b64?

not all, but attachments, images, and often the message body

cool, so it's definitely not just an image

6:04 AM

can be all sorts

if looking at .eml files

yeah I am

6:04 AM

there's refs to images in the emails

there's a good python tool for dumping objects

<image.jpg>

6:04 AM

<filename.jpg>

6:04 AM

etc

6:05 AM

but there are no images

didier steven's emldump.py

6:05 AM

ah

and I know in my personal email, I encoded my logo as b64

6:05 AM

for my signature

6:05 AM

so I wondered, are they just buried

6:05 AM

but probably not

usually it'll be a multipart email and you'd see the image as a b64 encoded segment

there is a b64 encoded element yes

6:06 AM

after a

6:06 AM

MIME TYPE

usually right above the b64 segment will be metadata describing the content

6:06 AM

are you working from a .eml file, a .msg file or something else?

ah yeah

6:07 AM

content type text/html

6:07 AM

so I suppose it's not

there will usually be multiple segments like that

I wonder where the images went then

quick and dirty conversion is echo 'copy/pasted b64' | base64 --decode > file.filetype

yeah the script does it

if you convert the html segment, maybe there are hints there?

what do I copy out the b64 in

6:08 AM

hex?

6:08 AM

utf?

6:08 AM

seems more like the actual characterset not the hex

ascii/utf

6:09 AM

ascii I believe

6:10 AM

if it's a .eml file I typically just cat it, then copy paste. if it's a .msg file I convert to eml

6:12 AM

I think where you're seeing <image.jpg> it's because it's the plaintext version of the e-mail- so it wouldn't have embedded images but would just leave the name of the image. The HTML version is probably doing an <img src="http://somewebsite/image.jpg" />

gotchas

6:27 AM

thanks for the inpoot

6:28 AM

I don't see any refs to images really

6:28 AM

just the tags <filename.jpg> etc

ah ok, I'm not sure then. Maybe image parts not saved to save space?

What are the different titles for someone working in digital forensics

There are too many, my title is Senior Digital Forensic Analyst. My city title is "Executive Assistant"

Mine currently is Forensic Computer Examiner

Ah ok

Incident Response Analyst/Operator

Also i am newbie to this field

Data Security Analyst (more on the IR side)

As in i am studying for the comptia a+ 901

11:44 AM

But i want to make this a future career when i graduate high school

try to find internships

11:48 AM

or if you are confident... tell them you perform digital forensics everyday... i didnt study or prepare for this position

Oh i see

@maskedroyalwindadept try your hand at the Magnet CTF

Oh what's that

@maskedroyalwindadept let me know when your ready for an internship, I just got my intern for this summer from this list!

12:29 PM

High-tech crime specialist is the title, prior ot was computer crime specialist

Hey all, I came across this Discord server after a little general DFIR googling and I've got some questions that I'd appreciate some input on if you could help me out! So, my Agency is new to this and we've always outsourced our DFIR needs to other agencies, etc. However, my administration has decided that they'd like to start doing things in-house. I was approached as the person to start looking into the field and essentially create a report for 1. "what equipment we'd need to get this going" and 2. "what we might need in the future to build on what we've established." Our primary focus has mostly been analyzing cellphones for incriminating data (I'm sure there's a billion things you can do in the field) but that's essentially where we're starting because it's 95% of what we've needed so far. I thought it was probably a good jumping off point to start with.

1:52 PM

^ so I'd love to hear what your thoughts are/point me in a general direction? Thanks!

@DEEBO I would say one of the things they need to understand and be able to promise is a steady training budget. It's one thing to buy licenses to forensic software. It's another (and almost equally expensive) thing to know what your software is doing. Make sure they know they need to send you to training a couple to a few times each year and that it won't be free. Most good training costs anywhere from $750-$1000 USD per day of training.

1

@Andrew Rathbun Yeah, that was the big thing I made sure to tell them. It's not cheap, and it will have recurring costs. I've been assured that we'll have 30-35k to work with (to begin with) and we'll go from there as equipment/training is needed. I got a load of great info from @deepdive4n6 !

We do conference + a training each year at our agency for each of us. Sometimes you can get three out of them. Bosses know that I'll be cranky if they ever stop funding at least that much. Our two examiners have 10+ years of experience each, so it's less about the basic courses at this point and more about maintenance / specialization.

1

@DEEBO I think many of us would agree Cellebrite is an essential tool. I would highly recommend UFED 4PC over the Touch or anything like that. That way, you can throw 4PC on as many laptops (for field work) or desktops (for lab work) as you want and just play musical dongles as needed. A Touch unit adds an extra step in the extraction process in that you'd have to transfer it to an external media and then transfer the dump to your final storage medium (a NAS/server, for many). With 4PC you can just dump straight to your NAS or what have you.

1

@DEEBO I would suggest a strong forensics PC, a NAS with more space than you think you need and Cellebrite software to start with phones.

6:15 PM

Make friends with the Secret Service in your area. It would be a good start to get training at NCFI. It's free and includes a lot of equipment and software.

1

@DEEBO If you want a good second tool for mobile that doubles (and primarily functions) for computers, AXIOM is a no brainer. Between those two, you at least have computers and phones covered on a limited budget. This would get you by the first year until reduced maintenance costs come into play (initial purchases are always more expensive than yearly renewals). Then after a year of experience you could learn more about other tools and see what gaps you have in your toolbox.

1

6:19 PM

You'll want to get Cellebrite certified, CCO/CCPA and CCME while you're at it, it's not that much more work. If you do Magnet, see about fulfilling the requirements for MCFE.

6:19 PM

Magnet also offers a training passport, which is an awesome deal. For the price of essentially two classes, you can attend an unlimited amount of classes within a year's time.

6:20 PM

this message brought to you by Magnet Forensics

6:20 PM

jk

I was waiting for you to see that

I love the love on this server

1

EnCase used to offer the same deal and FTK I believe still offers the same deal. Not sure of any other vendors that offer passports

6:25 PM

I would also suggest some vendor neutral training in your second or third year (SANS, TeelTech, etc) to learn about free tools, different tools, etc. SANS is like $1200 per day but is industry standard with marketable certifications. TeelTech offers great outside the box training that you'll want a foundation built first before you tackle it (flasher boxes, chip-off, ISP, etc)

6:26 PM

SANS FOR585 will be the mobile class you'll want to consider down the road. If you're totally green to digital forensics, going to this class in your first or second year would be a waste of money. You'd be way in over your head. Learn the basics of your tools, get certified in your tools and go from there.

2

6:26 PM

This message brought to you by my stream of consciousness

@Andrew Rathbun. Ha ha. That's about 10 years of training for most budgets.

Hope that helps @DEEBO

1

6:28 PM

He's got 30-35k to work with. That's a pretty good amount. I guess it all depends on how many examiners that's training and outfitting with dongles. If it's just him, that's awesome.

Definitely a good start. Equipment will suck up a chunk. I agree about the Magnet annual pass. It's the best bang for the buck.

@Joe Schmoe All depends on what budget you're used to. My last and current employer were blessed in that regard. I'm just offering advice from a perfect world scenario in my personal experience. It may be wise when getting initial quotes from vendors for him to plan out the next 2-3 years of renewal quotes to see the drop off from the initial cost.

@Andrew Rathbun. It's all good stuff. I just chuckled because I pictured some admin heads exploding.

I'm sure they will be humbled by how expensive this field is. Surprises me they'd want to start up their own shop but it's good for @DEEBO

1

@Krisaytha i dmed you check it out i am interested

Wow, I missed out on a great opportunity with all these replies! Thank you all! @Andrew Rathbun @Joe Schmoe @Jamey ! @Andrew Rathbun Yes, I was leaning more towards the 4PC and I had no idea you can load it on multiple devices like that! I had just assumed one license = one device. However, I guess it comes more into play with the dongles like you said. Huge benefit there though as I can just as easily be in the field as I can be in the office. With that, I will definitely be going to those Cellebrite schools when my admin offically decides to go with Cellebrite. I probably won't mess around with PC/Mac's just yet and will add things like AXIOM and such in the future. I definitely need to look into this Magnet training passport. I had not heard of that until now... I am pretty dang green when it comes to digital forensics though so I'm doing my best to take it slow and not get into too much, too quickly. My experience basically boils down to watching some people download phones for me and me sifting through the data for what I need. But yeah, so far it's just going to be me as I am the one obtaining most of the digital evidence for my agency (phones). I'm sure we'll end up getting a boatload more when we start doing these things in house and I'll have two other part-time individuals helping out. (me doing mostly narcotics work, and the other two doing general detective work related items). We've been fortunate enough to get a decent chunk of seizure money through some of our cases so my admin wants to funnel it back into what we're doing (yay us!).

1

10:48 PM

@Joe Schmoe , Yes I spoke to @deepdive4n6 and was given some great forensic PC advice that I'm sure we'll go with. As far as space, I work for a County Sheriff's Office and we use a lot of server storage space so I'm sure our IT dept can help us out storing all of this stuff (bc right now I just have a giant safe full of external hd's). Yeah, I actually already went down that road and wasn't able to come up with any luck with the secret service school down in AL... I was super stoaked (as was my admin) when I came across a free training/equipment but then I wasn't able to really get my foot in the door sadly.

10:50 PM

but my Admin wanted me to do a "thorough investigation" into all the different companies that have skin in the game, and come up with what will work best for us, have the least ability to become an obsolete paperweight, and will get us that best results. ...which is quite the tall order in the tech business.

Hello @Magnet Forensics , does Magnet cloud tool acquire YouTube videos? (edited)

@DEEBO. I agree with everyone else. In the meantime, I would start by going to www.nw3c.org and take all the free online courses. It will give you some foundation.

1

3:01 AM

@DEEBO You need a secret service field office to sponsor your classes at the Alabama NCFI training facility.

@Mitok Yeah I actually feel pretty good because I had found NW3C a while back and have slowly been working my way through their free online stuff! Lol And yeah I hit a dead end on the SS school. I was just politely told "no" lol. By that I mean they said how competitive it is to get a spot and that they fill the classes from feds first, then state police, large metro agencies, other people, anyone else, and then local LEO last and that "I'd be better off doing it on my own." Which is fine, I get it. It's a heck of a deal if you can get in. I'd love to go. Just probably not going to happen.

@DEEBO i would also suggest to spend money where it is needed. Are you mostly dead box forensics or mobile or video/audio

5:01 AM

Different type of investigations with different tools

@Mitok I'm gonna start with cellphones primarily and work from there as needed / when I get further into it.

@DEEBO @Forensic@tor yes @NW3C's free online and in-person training should be a priority because the price is right. Also, check out #dfir-resources as there are some other free self-learning opportunities through Texas AM, for instance, that you can use to a) pad the resume and b) start building the foundation of knowledge for free immediately

5:23 AM

And now I see you've already been working through the online courses so good on you. I should probably finish reading my unreads before responding

I'm asusming those free online training courses at @NW3C are only free for the US? not UK LE?

@K23 I would try making an account at https://www.nw3c.org/online-training and seeing if it allows you

Online Training

NW3C offers online training courses geared toward state and local law enforcement.

+1 for NW3C. I would really try to go to some of their live classes before any others. They keep changing the names of the classes so I don't know what they are called now. They are foundational classes that will help you get a better understanding when you go to Cellebrite.

5:35 AM

Looks like the Digital Forensic Fast Track has all the classes is you can get it. If there are none in your area, your department might be able to host it.

That's pretty cool, that must be a new thing. I frequented their course list a lot in the past and never saw the fast track series.

I’m currently in the fast track course. For the beginner will be great

5:37 AM

I’m just taking it just for record and for desktop and iOS

@Andrew Rathbun My department is hosting the Fast Track series in a couple months. I've been to some of the (old) classes but there is a couple I haven't done yet.

5:39 AM

I didn't know that's what they call it until now.

@K23 you are correct our funding comes from the US DOJ; however DM me and we'll see if we can get some fee's waived for you

@DEEBO you can also place AXIOM on multiple machines and just move your dongle and it also does not only mobile devices but computer media as well.

1

7:40 AM

Hello @NapsterForensics here are the current cloud sources AXIOM collects from

1

@Jamey - do you know if it is apple icloud data with or without apple itunes backup ?

@Jay528

7:47 AM

iCloud backup, iCloud Drives Files, iCloud Photos, and iCloud mail.

Thank you !

7:47 AM

So i'll need the icloud module

But I believe the entire industry is having issues with cloud backup since 12.0 so let me check on that version issues.

7:49 AM

if it's 11.2 and higher and MFA is NOT enabled, we can get it anything higher than 11.2 while MFA is enabled, no one can

7:50 AM

had to check with @cScottVance as I thought it was 12.0

7:51 AM

He is my mobile guru

Thanks, much appreciated

YW

Are roles super important here?

@RubberDucky roles just get you access to the channels and properly label you so everyone knows what you do (private sector vs LE vs student vs vendor, etc)

Different roles have access to different channels? @Andrew Rathbun

Negative, once you're assigned a role you have access to all the channels

Oh, so no need to switch I guess. Thanks!

Well, if you got employed, feel free to let me know

8:13 AM

If anything changes and you want your role to be accurately reflected of your current work situation, let me know and I'll make the change (edited)

8:13 AM

I've had multiple DFIR Students PM me and say they got a job in the Private Sector, so I just switch them

Thanks but there is no real need imo.

I can only lead a horse to water, can't force them to drink!

Looking for a bag to carry all my equipment. Any suggestions? Looking for either oversized backpack or roller bag. Fit 2 laptops, writeblockers, couple hard drives , notepads, etc. anyone have a good brand or one they really like? I like pelican but was thinking something little less bulky.

@Jobbins https://www.511tactical.com/rush-72-backpack.html is what I carry my 2 laptops in every day. It's massive as it's made for camping for 72 hours but it's a great backpack. I have a couple MOLLE attachments on it as well for my water bottle, dongles, handcuffs, etc (edited)

RUSH72™ Backpack 55L

RUSH72™ Backpack

9:02 AM

https://smile.amazon.com/5-11-Tactical-Unisex-Adult-Carrier/dp/B0019MM1QO/ref=sr_1_11?crid=32I0AHJ4J0EI6 (fits my 32oz Camelbak water bottle easily) and https://smile.amazon.com/5-11-Tactical-Handcuff-Case-Black/dp/B0019MNJGK/ref=sr_1_3?crid=TMSJCK4II0K8 (don't need this anymore but whatever) and https://smile.amazon.com/gp/product/B0019MPOG8/ref=oh_aui_search_asin_title?ie=UTF8&psc=1 (dongle pouch)

9:03 AM

Rush24 might be a good option, too. It's a 24 hour pack and thus is smaller. It's probably more fitting for what you're looking for and the same attachments can be thrown on the 24 or any other backpack with MOLLE capabilities

9:06 AM

There are also plenty of other options out there, too. Don't just have to go with 5.11 but I will say MOLLE is awesome as it makes your backpack customizable to your liking

9:06 AM

MOLLE can be found on many other brands too, just include that in your search query, if you want

9:10 AM

Also, these are good for securing your various keys onto your bag. Would recommend this for anyone with any bag that has MOLLE - https://smile.amazon.com/gp/product/B004GABHOS/ref=oh_aui_search_asin_title?ie=UTF8&psc=1

@Andrew Rathbun awesome! Thank you, I appreciate it! That is a nice setup

@Jobbins @Andrew Rathbun This is exactly the bag I use as my go bag. You will not be disappointed

1

9:13 AM

https://www.511tactical.com/rush-72-backpack.html

RUSH72™ Backpack 55L

RUSH72™ Backpack

5.11 is pretty common for LE and military folks with good reason. Quality products (edited)

9:15 AM

And naturally, you have to buy a nametape to put on your bag because that's the tacticool thing to do

9:16 AM

6

This is my Magnet Backpack but that is the reason for velcro

9:22 AM

8

2

4

9:23 AM

It proves that no matter the distance or LE organization we are all wired the same

Nice! I have no shame when it comes to gear organization, lol. It's almost a hobby at this point.

As you can see even my Magnet Bag has Molly on it.

Yo, does anyone have a good warrant template for apple iCloud information?

does that rush 72 backpack meet carryon requirements for common airlines?

11:34 AM

seems like it should be fine

Yeah I've brought it multiple times on planes

That’s a good thought didn’t think about that

Has anyone done a reverse location search through Google?

@mitchlang for that I would just mirror a Google search warrant and change verbiage to fit Apple's ecosystem

Aw man I want a tacticool backpack

2:56 AM

with a nametag ofc

3:01 AM

haha there's a Scottish thin blue line patch

Axiom can decode Googly Chrome passwords if given the password right?

4:57 AM

do you need to re-do the analysis phase

@Sudo Yes - if you provide the users Windows password, we can get their login password and their saved credit card information. This needs to be configured during the search setup phase (in the artifact selection screen, there's an 'OPTIONS' link under the Chrome icon)

1

Yeah I thought so

5:30 AM

No probs, just have to run it through again I guess

Does anyone know if there's some decryption available for GandCrab 5.2? So far there's nothing publicly available but someone insisted there's something "super duper top secret" around. Maybe someone hacked into the NSA's super-computer and cracked the whole key!!!

no clues

Keep an eye on this, https://labs.bitdefender.com/tag/gandcrab/

GandCrab

Tag archive for GandCrab.

1

Hey all, what is the current approximate cost of CAS at the moment?

Reach out to your local sales rep

Hi all, I’m in the private sector, and am working on some DFIR scripts for an AWS environment. I’m also reading through Practical Forensic Imaging with Linux (Bruce Nikkei, 2016) Most of the cloud based python scripts I’ve come across are created AdHoc and differ widely in their complexity. From the broader DFIR community are there any guidelines you all could share regarding securing cloud evidence? Thanks!

it is going to depend heavily on the env. For AWS, I've just used Cyber Ducky or AWS PS modules for when it has been owned by us

Thanks , I’ll take a looks at those.

know any good free alternatives to blancco?

@Joe Schmoe I’ve sent one off but haven’t received a response yet.

Anyone know why my comp is trying to reach out to this Cellebrite site automatically? The software is off and I didn't accept the monitoring that popped up with last update.

I think it reaching out is also the cause of the bug where it holds saying "please wait for background updates to finish"

are they affiliated with facebook?

Hello all, have a nice week. Any advice metadata tool for AutoCAD files. Need information of the file when created?

try exiftool

Thank @San4n6 will try

exiftool not supported

@Andrew Rathbun you helped me my last grey key question. The key accessed the phone but it’s not giving me a passcode. Any ideas on how to access the passcode?

@Sudo when you set it to reprocess since you have already done everything else just add the same evidence again and turn everything else off and then under the Web Related artifact category choose the Options under chrome and enter the Windows password. Because none of the other indexing or artifact stuff is being processed then it will be quick

12:07 PM

@Davesdailypicks I don't have access to GK anymore. I was working off memory. I'd recommend checking with their support or if someone here can help you through it that'd work too

Dear colleagues! Belkasoft is happy to inform about the v.9.5 of Belkasoft Evidence Center (BEC) is now released and available for download. As was announced earlier, this release includes the following new large-scale functions: remote acquisition, incident investigations, cross-case search, TWRP dumps mounting and analysis, full file system copy of jailbroken iOS devices, detection of arrows and crosses on photos, Telegram X decryption, support for multi-partition APFS, massive update of the multi-user Team Edition version. Besides, we have added Bitlocker detection and decryption of Bitlocker and McAfee Endpoint Security with a known password. If you do not have a valid license, you can try the new version at https://belkasoft.com/trial. Sign up for a webinar on the new version at https://belkasoft.com/webinar

3

thanks for the info @Jamey

YW

Hey guys, I am attending the study Digital Forensics and I just started. This week we are having our Raspberry PI's hacked by teachers. The teachers leave evidence and we have to decode the files/messages and provide the solution. We found a PDF file on our PI and the only thing we found in it was the author which was encrypted in BASE64. We haven't been able to figure out ANYTHING else and are kind of clueless of what to do now. We tried decrypting the BASE64, but that didn't go anywhere(or we just can't figure out how). If anyone could maybe take a look and give us some tips that would be very much appreciated.

8:27 AM

2019.pdf

33.11 KB

if you look at the hash of that pdf in virustotal there are clues for you

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/analyzing-pdf-malware-part-1/

Analyzing PDF Malware - Part 1

Background I'd like to think that security awareness has gotten to the point where the average end user thinks twice before opening an 'exe' file sent to them as an email attachment. I like to think that. I really do....

8:59 AM

I would also learn and understand what sandboxing is and understand hybrid analysis if you want to see what the pdf is doing..

9:00 AM

https://cuckoosandbox.org/

9:00 AM

another link to learn

Thanks, i'll go ahead and check it out.

@Deleted User Also it's important to not confuse encryption, hashing and encoding: Base64 is not something you "decrypt", it's something you simply decode

anyone have experience with Encase EDR? We have encase 8 right now and are about to start installing their endpoint product

@@Kr yeah, we're completely new to this, hence why I might have made a mistale. Thanks for telling me. (edited)

1

Anyone of you who had to deal with "Mcafee File and Removable Media Protection" and knows about any kind of tool that could support in decrypting the files? We received an external harddrive, where this was used to encrypt the files and it came along with a wizard, but the wizard regularly crashed when trying to access the encrypted files... I'd like to test out other ways of accessing the files if there are any. Thank you!

talking about the .bup file?

@here My agency is attempting to identify any possable suspects for a prosititution ring based out of my area. During a search warrent execution a clover credit/ debit card machine was collected for evidence. I have now been tasked with determining if any data remains stored on this device. Does anyone have any suggestions?

How are you all getting tokens for cloud extraction? Is there a favourite method yet? Thanks!

6:46 AM

From computers that is

UFED CA released a program which can get tokens from both PCs and Macs, haven't tested it though so not sure how well it works @King Pepsi

Ahh wonderful, I’ll look into it!

Cloud login collector is what it's called, you can grab it from their download portal

Ahh I see it, cheers!

From @heatherDFIR on her FOR585 Alumni Group

7:41 AM

Hey everyone, I recently did a marketing call with Oxygen to tell them where I think they are doing well and where issues lie. They are looking for some scenarios where Oxygen was helpful in opioid cases. I don't work cases like these, so offered to ask around. They do not need specifics and are nice enough. If you would consider talking with them - let me know. See the details below. Also, they are now recognized as a US based company. Could you reach out to your google group of alumni to see if any would be interested in sharing their stories with us? We would love to speak with them. In particular, if any of them have stories about their use of Oxygen Forensics products to combat the opioid crisis or fight drug crimes that they would be comfortable sharing publicly that would be great. Also, please find below a few sentences for customers that may have questions about whether Oxygen Forensics’ is an American company: Oxygen Forensics is a U.S. company based and headquartered in Alexandria, Virginia. In order to work with federal departments, companies must be certified by the U.S. Government under the Commercial and Government Entity Program and the National Institute of Standards and Technology, which Oxygen Forensics went through to help U.S. government agencies including the IRS, US Army, USSS, FBI, US Department of Defense, US Department of Justice, and the US Department of Homeland Security with their digital forensics needs. The company has also passed a rigorous training and vetting process through the FBI and was certified to be used as a tool by the computer analysis and response team (CART).

Hi everyone, I had someone reach out to me asking about conducting computer/cell phone forensics on a laptop issued by there agency that is connected to their Domain and Active Directory. They tried to argue against it saying they needed to be completely isolated. There response was once you connect your profile is cached and then you can be air gapped. Does anyone have any resources or documentation that could back this up? Or what are everyone’s thoughts? Thanks!

You can do whatever you want @Jobbins just document it

8:40 AM

Best practices dictate you should have an isolated device (when possable) and capture volitile infromation / decrypted data first.

8:41 AM

But if you have a uncooperative victim or whatever just document it in the report that you utilized encase or whatever to remotely connect to the device and captured an image while it was on

Sorry, I should’ve reworded that. They want the examiner to use the agency owned device to conduct forensic on. Like as a forensic laptop. That has all there forensic software to conduct exams

@Jobbins PD sysadmin here

9:45 AM

i have any machine that is going to touch a device from the outside world 1.) not joined to our domain and 2.) on a separate VLAN that can’t touch the rest of our network

9:46 AM

i want anything that’s being used to image as isolated as possible

9:47 AM

not to say it wouldn’t work on a domain joined machine, because of course it would, but its poor security practice

9:47 AM

to answer your question yes, you could sign in while connected to the domain and then unplug

9:47 AM

then used that cached domain credential to get into the computer....

9:48 AM

so there would be an airgap, but what’s the point if the machine is assumedly going to touch the LAN again in the future anyway?

9:49 AM

and if it’s not going to touch the LAN again, why does it need to be joined to the domain?

9:50 AM

IMO the best approach is to treat any machine that is going to use to image stuff from the outside as a potential risk and isolate as much as possible

9:50 AM

aka non domain joined, but that’s just how we do it at my department

3

Oxygen forensics has also just on-boarded Keith Lockhart to head their training team, I am in no doubt that with his training background and Lee Reibers Mobile knowledge we will see some new things from that camp soon

@suckit thank you, I agree with you 110%

anytime man

I'm drawing a blank....does anybody know of a piece of software written by an LE guy that converts epoch time? (edited)

Anyone know the current status of MPE+? Just saw a SMS renewal come across my desk. I’m leaning towards “no” given the number of cell phone forensics tools we have.

2:30 PM

@Jameson DCode from Digital Detective?

2

That's it..thank you. My brain was not working today

Does anyone use MPE+?

2:31 PM

we have it too, but I have never used it

@sholmes We haven’t for a very long time, but we’ve been paying for it.

Us too

MPE+ has not been updated in a long time but it is now part of the FTK suite of tools so something to work with if no other tools are working. I have used it on a Google phone and got good results but on iPhones and most Android phones it lacks functionality

Not sure why people would be paying for a tool that isn't updated? Unless I'm missing the AD updates, them and guidance are slowly updating their tools every 3-6 months. Way too slow to keep up with today's mobile stuff

1

MPE a sinking ship, don't think AD are actively pursuing mobile forensics anymore, they are more interested in integrating the ingestion of extractions from other mobile forensic tools to then display the results in FTK. Of all the mobile forensic tools out there, MPE imo isn't one to be paying for still, unless they bundle it in for free with your other licence renewals - happend in my previous job but then we had licences for almost all of their other products

If you’re not using Cellebrite or XRY (older and knock offs), treading a thin line IMO. Even Oxygen is suspect with extractions. Which is a bummer bc their pricing model is a lot better than Cellebrite

I've not had the most success with Oxygen or XRY extractions, personally. Cellebrite has always been the best far and away. Oxygen is a great analysis tool though as it can ingest Cellebrite dumps.

1

@DMG Warrant to Clover. They will give you everything.

@dfeyen that’s what I told the investigator the Lt however wants me to pioneer new forensic methods apparently since he doesn’t want them to do that for some reason

@DMG ha-ha. Well, tell him to buy you a practice device to test it out first. I’ve seen a handful of inquiries over the past few years like yours but most end up taking the legal process route.

Hey ! Someone here have write ups of last year dfir challenge ?

4:30 AM

by brett shavers

@StormXploit which challenge? I don't recall Brett writing up any challenges, just doing his case studies through patreon

idk, like the one with the forensics on Alexa (Amazon bluetooth speaker) or the NAS forensics challenge @randomaccess

Not sure. Don't think either were Brett But you can go to thisweekin4n6.com and there's 52 weekly posts for 2018 for you to skim :) you'll probably find it there

thanks

https://brettshavers.com/brett-s-blog/entry/how-to-start-a-digital-forensic-lab-in-your-police-department

How to Start a Digital Forensic Lab in Your Police Department

So, you want to start a brand new, right-out-of-the-box, digital forensics lab in your police department? Want some tips? If you (1) work for a large-sized department, you probably already have a digital forensic lab staffed with full-tim...

5

9:36 AM

Pretty good write up for those earlier asking how to start up a lab

Wow, that's a pretty nice setup @Forensic@tor thanks for sharing

@Andrew Rathbun Thanks...I got a similar one from a class and tweaked it.

@Forensic@tor send it my way. I love peer reviewing

@Andrew Rathbun I attached it to the message.

My bad. Got a word document for track changes?

@Andrew Rathbun I created it with Publisher and surprisingly I can't save it in word format.

9:32 AM

@Andrew Rathbun I converted via Acrobat. Not sure if the formatting held up. Sent it to you.

Ok I'll get to it when I'm not driving

@Forensic@tor wow. This is nice! I just looked over quick but seems awesome and very informative. I can give it a closer read, shortly!

@Jobbins Thanks. @Andrew Rathbun gave me some feedback...so I have made some grammatical changes and such.

@Forensic@tor I've downloaded it thanks. We are currently presebting Ufed reader training to our detectives

anyone know how I can re-analyze a Nuix extraction to index all the text

1:51 AM

from an email extraction, so I don't have "raw source" data as such (anymore since it was cloud)

@Jobbins @Deleted User Let me know if you have any feedback

@Forensic@tor will do!

I have a boost mobile hotspot device. Is there any information I could extract from this? I’m trying to connect it to a suspect but it’s the only device located.

@natalied4784 I would think if you could get an extraction from it, you could get what devices had previous connections to the device.

@Forensic@tor I didn’t see anything that needs change or added. Thought it all flowed really well and highlighted the key points and explained how to do lots of functions. Screenshots were great! Think it’s great! Thanks for sharing!

@Forensic@tor My only criticism is your time zone map doesn't show the Provinces in Canada! * shakes fist * but no great job sir, passing it along internally (edited)

@Oxygen Forensics what is up with the customer page? I can't download updates. According to https://www.isitdownrightnow.com/customer.oxygen-forensic.com.html the site has been down for a week.

Customer.oxygen-forensic.com Down or Just Me ?

Customer down? Check whether Customer.oxygen-forensic.com server is down right now or having outage problems for everyone or just for you.

Just got off the phone with Tech support and they confirmed the site has been down for a period of time and they are trying to resolve the issue. However, they were able to give me the updates I needed through other download mehods. Thanks @Oxygen Forensics (edited)

What do folks use for case management and record keeping purposes? I have been using spreadsheets but am looking for better ideas.

@Beefhelmet there was a lot of discussion recently on this. Try the search and see if that gives you some ideas in addition to others chiming in.

We use a fairly dated IT support ticketing system for our examinations, (along side a police system), which while it does the job is running EOL soon. Will be fun when we change that out considering how embeded it is into our ISO 17025 SOPs right now (edited)

I've twice requested a demo of ATLAS from magnet but haven't gotten a response

As others have mentioned previously Black Rainbow is probably what we will move onto

Is there any script or product that verifies secondary evidence (images) automatically or semiautomatically? It's easy to verify an image from 6 months ago, but multiply by # of cases and it gets pretty nuts.

@Beefhelmet I used to use Lima, works pretty well - https://www.intaforensics.com/lima/

@sholmes thanks I will let you know if I can get an extraction.

@pmow can you explain your scenario a bit more?

For analysis, exports, etc. I put a copy of every ingested image into a couple of ZFS arrays. Those are replicated to two other boxes and they're hashed and auto-healed.

8:40 PM

But garbage in, garbage out. I know that what I put in will continue to be the same hash, since the filesystem does block level bit-wise hashing on read and write. That isn't the issue. The issue is that there isn't a log of this, and the risk of a file being loaded incorrectly, which would just replicate the "bad hash" files. Which admittedly, is pretty unlikely.

8:41 PM

Arrays because speed, the advent of networking and all of those benefits, and well I still keep a copy offline

8:43 PM

But eventually, I'll migrate that copy to a second offline drive, and there's a cost involved in connecting it, attaching each image, verifying, and checking it off a "to do list". As you can imagine, after even just 5 years of doing this at 2 images a month, you'd have 120 images to maintain (and their copies). Wouldn't it be nice if an app would verify forensic images, like backup software does?

8:45 PM

@randomaccess before you say it, yes I know you can just script something like ftkimager cli, I sort of wish I'd have taken my scripts with me from my last job

Scripting would be the cheap way but I think magnet automate would do what you're after too

magnet automate eh? okay I'll check it out, thanks!

encase hashes the image too

@pmow but for cost, probably worth just scripting

Anyone tried out the Magnet App Simulator?

Hey dudes, how can I get the eMule/ed2k hash of all the files within a particular directory, outputted to a text file or something??

5:44 AM

I can do it one by one with Hash Calc but I'm losing the will to live.

~~If you're comfortable with Java @Rossko , my recommendation would be to adapt the code from https://sourceforge.net/projects/jmule/ and just separate out the hashing functionality~~ (edited)

JMule

Download JMule for free. JMule - Java eDonkey2000 p2p file sharing client. More info on http://jmule.org

7:21 AM

Ignore all my previous advice, just found https://www.slavasoft.com/fsum/index.htm from the same authors of HashCalc

7:22 AM

Command line tool, easy to call, would be easy to automate

ah cool, cheers i'll check it out

I think hasmyfiles from Nirsoft can do that too (gui and free program)

@FabianoQ no, it just hashes

Afternoon - does anyone have or know of a source for general/generic digital forensic statistics? By that mean a (global if possible) view of digital device proliferation, number of devices dealt with by police forces annually, stuff like that? Like an overview of the current state of play in the field (estimated)

What's the name of the faraday box with the moon-man gloves and see through window? I brain farted it and I want to request one.

Ramsey box?

1

yes - thanks!

They're awesome, more expensive than a faraday box or bag but also a lot more effective.

1

10:17 AM

@bizzlyg https://www.reuters.com/brandfeatures/venture-capital/article?id=40388 might be a lead for you

Global Digital Forensics Market 2018-2025 Demand Analysis, Future ...

The report “Global Digital Forensics Market 2018-2025” provides, wherever applicable and relevant, technical data and sheds useful light on expected commercial uses and current R&D status. This report will help the viewer in Better Decision Making. Dallas, United States ...

10:17 AM

Additionally, maybe someone from one of the vendors has some statistics they can share?

Good afternoon all, I've got a E01 hash question. I've imaged the same drive with XWF 19.8 in 2048 MB chunks and in FTK Imager 4.2.0.13 with 1500 MB chunks. Should the hashes of the two images be the same?

Depends what your source is and how you're hashing I suppose

@Andrew Rathbun Cheers I'll take a look when I'm back in the office tomorrow

@Adam Cervellone - I haven't tested what you're asking about so I'm doing that now. My assumption is that the imaged media hasn't changed between acquisitions (no TRIM etc)

10:24 AM

I also assume you're hashing the e01 in a tool that knows how to hash an e01?

10:25 AM

my expectation is that they should hash out the same, but I will find out soon

a hash of the e01 file itself will yield a different hash because e01 files contain extra metadata. a hash of the image contained in the e01 should match the original media, regardless of it was written to disk.

1

10:27 AM

*regardless of how it was written to disk

The evidence is a 320GB HDD from a damaged netbook. I am currently using Imager to verify the drive connected via my wiebetech forensic ultradock. Hopefully it matches one set of hashes.

10:30 AM

I was using XWF and Imager to run verification after the image creation. Those should be hashing the image contained within the E01 file, correct?

My short test matches, assuming you're not hitting bad blocks etc I would expect them to match

I will document the results of the drive hashing and use which ever image file it is consistent with. I had already processed the original image from X-Ways in Griffeye before I found out something may be wrong with the image so I may not be able to use the original griffeye processing results now.

I am starting a new group. It's going to be called OEUAA (pronouced OH-EE-Wa). It's the Organization to End the Use of All Acronyms. Let me know if you are interested in joining. I am working on the web-site now.

3

1

@ds275 but I work for an acronym

Interesting article on sky news today @Law Enforcement [UK] https://news.sky.com/story/criminals-could-go-free-because-of-inadequate-forensic-services-11707804

Criminals could go free because of 'inadequate' forensic services

A lack of funding and poor high-level leadership has led to a crisis in the forensic services.

didn't mention my jurisdiction

2

Here's the review / action plan for those interested! https://www.gov.uk/government/publications/joint-review-of-forensics-2018-and-implementation-plan

Joint review of forensics (2018) and implementation plan

A joint review of the provision of forensic science to the criminal justice system in England and Wales and accompanying implementation plan.

@Adam Cervellone if the source disk is damaged then different forensic tools fill the gaps with a different filler, which will cause a different hash on the image.

I think this point is the most stand out one which will have the biggest impact for us:

1:54 AM

From April 2019 the Criminal Procedure Rules will change so that commissioning parties havea duty (if serving an expert’s report) to disclose anything which might reasonably undermine the reliability of an expert’s opinion or detract from their impartiality. The defence do not have to disclose a report if they do not want to use it. The Criminal Procedure Rules provide that experts must give details of their qualifications, relevant experience and accreditation and the associated Criminal Practice Direction requires that experts confirm they have acted in in accordance with the code of practice or conduct for experts of their discipline, and that they identify the code in question. For forensic scientists that will be the Regulator’s Code of Conduct. Where laboratories are not accredited the Forensic Science Regulator’s guidance recommends that any evidential submission should include such information as the court may need to decide whether the expert’s opinion is sufficiently reliable to be admissible as evidence. From 1 April 2019, experts will also have to make a declaration to those commissioning them if they have been subject to criticism by a relevant body. It is for the Crown Prosecution Service (CPS) to decide whether to include the evidence in the prosecution case and for the Court to decide whether it is admissible.

That would make sense. I hashed the disk again over the weekend and that came back as different than either one of my two images. The images are still good as their hashes have not changed.

Any @Law Enforcement [UK] heard of EVIDENCE2e-CODEX/CASE? Particularly interested if anyone in a management/governance role has encountered these projects and is aware of any input being given from the UK (edited)

Got an AXIOM question, maybe I'm overlooking something. Can you make a Portable Case that has just, say, Documents and Media, or whatever categories I want to choose?

11:56 AM

Because I don't want the technologically illiterate case agent to have to sift through all the other categories of stuff. Only Documents and Media are relevant. Nothing else (edited)

If you filter for Documents and Media from the Artifacts dropdown in the filter bar you can do a portable case and use the Items in current view setting

Ahhh yes, that sounds familiar. I could've sworn I did this in the past! Thanks @Adam Cervellone

12:01 PM

I think it'd make more sense to just Create Portable Case and be able to choose categories from there but I also see the customizability of doing it that way, too.

12:05 PM

Now one more question, I generated a full Portable Case earlier with all evidence. Now that I know how to narrow it all down, the option to create a Portable Case is now greyed out. Any idea how to undo that?

Not off the top of my head but I can test it out in a little bit! I've got relatively small axiom case up right now with only one cell phone in it.

If not, @Jamey might have an idea

anyone here work in the Tampa, FL area?

@mazummo I am at IACIS and the officer next to me is from near Tampa. Does that count.

anyone know anything about Page file ".url" hex data

@Andrew Rathbun I'm currently testing out portable cases in Axiom. I did one of all my tagged items and one of everything in the case in that order and I don't seem to be having an issue with the portable case option being grayed out!

@Adam Cervellone thank you for looking into it! I think I figured it out. I think when you have the Portable Case open while you have Examine open, you can't generate a Portable Case while it's already open

6:26 AM

I closed it and that option wasn't greyed out anymore so I think that must've been it

6:27 AM

Because I had generated a Portable Case with all artifacts and had that open already. I wanted to generate another Portable Case with just Documents/Emails and I apparently wasn't able to do that while another Portable Case was open. At least that's my theory and I'm sticking to it since it seemed to work out that way

@Andrew Rathbun @Adam Cervellone looks like by my mere absence you figured it out. If you have any more questions feel free.

3

@Jamey - Thanks for your quote. "No APFS support for IEF". Agency approved the purchase

1

@Jay528 great to hear you are upgrading to AXIOM. Let me know if you have any questions.

This is more of a LE question but has anybody been able to get "port" info from Facebook regarding IP address they provide through Subpoena or SW. DM me if you have thanks

President signed an awesome cybersecurity executive order today! Here it is if you havnt seen it yet https://www.whitehouse.gov/presidential-actions/executive-order-americas-cybersecurity-workforce/

Executive Order on America’s Cybersecurity Workforce | The White...

By the authority vested in me as President by the Constitution and the laws of the United States of America, and to better ensure continued American economic prosperity and national security, it is hereby ordered as follows: Section 1. Policy. (a) America’s cybersecur...

@Hells very interesting! Will be interesting to see how this plays out

yea, much needed

seems like a lot of places are starting to kick it into high gear

Anyone using Eric Zimmerman's recmd tool? the cmd line version of registry explorer?

A little bit

4:06 PM

@karch4n6 you have an issue?

do you know any tricks to get "hh:mm:ss" output? All I can get is "hh:mm" and seconds are always :00... tried some --dt options but all my output is the same...

I'm sure there's a way. I'll have to check when I get to a computer Otherwise @EricZimmerman might know ;)

Thanks, I pinged Eric. Was just hoping I was missing something. Have a good weekend!

@karch4n6 looks like there's a bug that he'll fix next week

@randomaccess he wrote me back this am - handled already...he's a machine!

@Everybody anyone work for FDLE in Tampa?

@mazummo you might want to ping @Law Enforcement [USA] instead

Connie Bell runs the digital forensic lab in Tampa.

What is the best way to clone a hard drive? Image and then restore forensic image to the non-evidence disk?

10:32 AM

if so is one software best to use?

@sholmes I believe FTK imager will do that.

Yeah I was going to image it with FTK imager. I wasn't sure if imager would actually copy the image to a drive, but I know FTK will. I was just seeing what others were doing and if there was a best/better way of doing things.

10:44 AM

Thanks @Dr.Who-IACIS

@sholmes If you can get your Linux geek on, Guymager is part of several linux DF distro's. Will do the cloning for you.

@perryk_2772 Thanks. I like that idea as well. We do use Kali for extractions. We could use that as well.

11:06 AM

Just thinking out loud here, but Is there an advantage to imaging first and then loading the image to a drive vs direct cloning?

11:06 AM

If you image, you can always reload and go

11:07 AM

vs touching evidence each time you reimage

depends on what you are ultimately wanting

true

11:07 AM

PS4

11:07 AM

PS4 review

evidence device?

yep

HD is encrypted...so the clone is for analysis. hmmmm. policy decision. The clone will give you an md5 hash

11:09 AM

if you image, now you have that

11:10 AM

which you can blow out at anytime to any HD

I was leaning towards image and blow out

11:11 AM

so if it gets called into question and we need to retest, etc. then we have don't have to keep a cloned drive as evidence

that is the 'proper' process, unless storage of image files is an issue

isn't it always an issue. LOL

or this device is not really that much of a concern and its more of a preview

right

11:12 AM

we are doing one right now that is really just a preview. no suspected issues with the drive.

11:13 AM

however, I just received one where they suspect issues, so before I get to that case, I am prepping mentally.

11:13 AM

I think image and load to drive for testing.

11:13 AM

Thanks for walking me through that one.

I believe we have used the Tableau Imager to make clones in the past

2:00 PM

Faster???

We do have one of those, but I usually try to avoid it at all costs.

2:02 PM

I haven't ever found it to be faster, but I have never really performed a time test on the same drive with it and a different write blocker.

Thinking out loud, For game consoles its probably good to use a tool that lets you image and clone at the same time

@randomaccess such as? and why?

2:06 PM

That is why I posted the question earlier, to find best solutions.

Depends on your overall process

2:07 PM

If your lab is imaging anyways, then using tools that do both at once is an obv time saver

2:07 PM

Paladin will let you image to two places at once. But I'm not sure if it will clone

2:07 PM

The drive recovery tools by atola allow it, but expensive

2:08 PM

Otherwise theres things like the Voom shadow copy that allow you to interact with the original drive without changing it. But that brings us back to "do you image everything"

we do image as much as we can

For the last Xbox 360 I did, we imaged with data recovery tool (damaged drive), ran axiom over it, cloned it, and then used a stream recording tool to video the screen with the cloned drive inserted

I do like the image and clone at the same time, but not at the price of atola.

2:10 PM

I find Axiom usually does a pretty good job on the xbox family.

2:10 PM

we usually just image and then analyze those.

2:11 PM

Do you get much from them from the live access through a clone that you don't get through the analysis of the image of the drive? Obviously you had a damaged drive, so that changes the scenario potentially.

Xbone and PS4 are encrypted so haven't had luck there. But even then, you can quickly take photos of what the player saw which was always good evidence

Does anyone have a preferred method of iCloud acquisition?

12:46 AM

For the most complete data

@randomaccess - alot of the tools dont work anymore because of the 2FA, for icloud data, I downloaded icloud for windows and synced all files and then created a logical image of the captured files

5:56 AM

documented the process

@sholmes if you use Kali already for things, it has Guymager already in the Forensics folder.

2

@Jay528 ElcomSoft advertised that they dodeal with 2fa

I prefer making an image as opposed to cloning, because then you don't need to think about drive sizes, so long as target => source. I have FTK Imager and Tableau Imager in my kit as well. Biggest performance limitations are always on the bus - USB 3, 3.1, Thunderbolt, spinning rust vs. SSD, etc.

2:42 PM

A key thing is to also ensure you're using a hardware write-blocker of course.

2:43 PM

Checksum all the things, and then original goes in an evidence bag, chain of custody, etc. etc.

2:43 PM

Oh, and photographs.

Thanks @SageFedora I think we are on the same page. I think the best bet would be the image, based upon the need to preserve the original image for potential future issues. Once imaged, I can copy it out to a drive for reviewing.

Yep, and then you can make copies of copies, if you really want. My view is to ensure I'm not screwed 2-3 years from now if I'm in court testifying ...

1

@randomaccess i have some friends in the private sector that said it didnt work after the new updates from apple

@Jay528 yep. General consensus is 11.2 with 2FA caused issues

Do you guys know any great blogs or articles about beginner for computer forensic terminologies or concepts?

@chipmunk6416 in summary, what are you familiar with, if anything, and what do you hope to get more familiar with?

8:27 PM

Texas AM has free online training that may be useful for a beginner. Check #dfir-resources for the link

Sure! I am sort of all over the places. What I know is basic fundamental information about how to use volatility and concepts of COC process. However, those are all done by researching and googling. I learned a lot of terminologies such as like Disk partition, different type of spaces, swap files, offset, hash... etc, but like to rebrush those terminologies as well.

8:28 PM

Thank you for the guide.

8:30 PM

I am currently looking at multiple forums from forensicfocus to learn more about forensic tools such as Encase by Access Data, Oxygen Forensic, Cellebrite, Axiom, Volatility, sleuth kit, etc.

If you want to toy around with Axiom - https://www.hecfblog.com/2019/04/daily-blog-657-mus2019-dfir-ctf-open-to.html?m=1

Daily Blog #657: MUS2019 DFIR CTF open to the public

A blog about computer and digital forensics and techniques, hacking exposed dfir incident response file systems journaling

8:33 PM

EnCase is by OpenText, formerly Guidance Software. AccessData has FTK (edited)

8:34 PM

Google FTK imager and download it for free

8:34 PM

Image some flash drives around your desk and throw them into tools like Autopsy or the free trial of Axiom I linked

8:35 PM

Poke around and ask questions as you see fit

This is amazing. Thank you for the detail information. I was wrong about Encase as well. (memoed haha) Thank you so much for providing information and this is wonderful!!

Can anyone recommend a tool for SQLite forensics? Has anyone used the forensic version of this tool? https://www.sqliteviewer.org/ . I have used regular SQLite browsers to import / analyze the db, wal, journal files but those are open source and unsure how good it is. Got Sanderson's book - just need to find time to dig into it. Thanks!

Sqlite Forensics Explorer Tool to Analyze Sqlite Files

Sqlite Forensics Explorer provides great features for forensics investigation of Sqlite database and capable to read, preview universal data from Sqlite files.

When you are doing extractions in your lab, are you extracting directly to an internal drive? ext HD? or NAS/Server?

@ds275 I do both internal and external, depending on which way the wind is blowing. Ideally, straight to evidence HDD first then make a working copy from there. Either way, I make sure a best evidence copy is made for the evidence HDD and then a working copy is put on either my internal drive or NAS (edited)

general question - msab horizon .... i have some aquired mobiles (with ufed4pc) from a group of persons (illegal immigrants) and another group, which where caught on same day on another location.... i want to analyze their connection between eachother and between the 2 groups with msab horizon (don´t have ufed analytics) i know i can import .ufdr-files from PA to horizon and tried, but sometimes there is an errormessage on import, so.... someone knows which are the minimal requirements of an ufdr to import to horizon? is it enough to have an .ufdr mit contacts, calls, sms and phoneinfo for a fast import with no errors? thanks for helpful answers

(edited)

@MSAB

good morning @Andrew Rathbun

1

it's 2342 hours here!

8:43 PM

Almost midnight!

oh, i forgot... here in austria it´s 05:43

I'll be back on at the end of your workday

1

Good morning @chrisforensic , you’re an early one! Guessing the error is version is too new or unsupported (I don’t remember the exact wording off the top of my head)? Unfortunately we have seen that with the more recent versions but not 100% sure why. Our development team are investigating, there’s something causing some .ufdr files to not import, question is what! I’ll let you know if there’s any update!

9:32 PM

XAMN 4.2?

hi @Erumaro thanks for your answer... five .ufdr files i imported to XAMN 4.2 and exported to .xry just three where supported? files where made with same version of PA 7.17 ? just don´t understand why

(edited)

I agree that does sound odd if it was the same version which leads me to believe there is something inside the file that XAMN does not handle. I will pass this along to our dev team!

4

Has anyone downloaded the Sleuth Kit from here: http://www.sleuthkit.org/sleuthkit/download.php I cant seem to get this to work. Im running Windows 10 64-bit

The Sleuth Kit: Download

The Sleuth Kit is a C library and collection of open source command line tools for the forensic analysis of NTFS, FAT, EXT2FS, and FFS file systems

Hey Everyone. Does anyone here in Law Enforcement have a list of questions already made up to provide to the Investigators at a search warrant? These questions are for the suspect to prove ownership of the device in question. Attain all social networking credentials, Usernames and passwords etc. This is in the event that I can't attend the search warrant myself. This is what I've come up with so far. Just don't want to recreate the wheel if I can help it.

3:28 PM

To prove ownership of the device. 1. Who owns this computer / laptop? When did you buy it? Who is your internet service provider? Spark / Vodafone etc. 2. Is there any encryption on this computer? 3. What is the password to the computer? 4. Is there anything on this computer that you’d like to tell us about before we start our search? 5. Is there anyone else that uses this computer? If so who? 6. Is there more than 1 username? 7. Who is your internet service provider? Spark ? Vodafone? Other? 8. Before we search the computer… Is there anything you’d like to tell us about that’s on the computer? 9. Do you use torrents to download files? Utorrent, bit torrent? Others? 10. If so / What kind of material and where is it stored? Downloads folder? / My documents folder? External Hard drives? Memory Stick? On the cloud? Drop Box, Google Drive, One Drive or any other cloud storage or file sharing service. 11. What social networking apps are you using? Facebook? Yes / No Instagram? Yes / No Twitter? Yes / No Telegram Yes/No What’s app Yes / no 12. Are there any other’s that I haven’t mentioned? 13. What are the usernames and passwords to these accounts?

email accounts?

Cool. Thanks.

@Magnet Forensics just doing some general server housekeeping, I typically try to match the color of a vendor's role with the dominant color in their logo. Do you want to keep this random color I assigned a long time ago or do you want something more blue? Or option C - something else? Let me know any strong feelings one way or another.

@Andrew Rathbun no strong opinions here. Amusingly our first M logo was more purple than blue

If you have a picture you can share, that'd be cool to see

@Andrew Rathbun I am kind of used to it now...

@Jamey if that ever changes or if @Jad has strong feelings one way or another I can adjust. Figured I would poll you guys to get input. Just let me know!

thanks

Looking for a recommendation for a stationary magnifying glass, preferably on a swivel

@mitchlang

9:17 AM

@mitchlang how about a lamp instead.

1

That is what i'm looking for for sure. I just did the Kyocera E4610 EDL and was really squinting. it was crazy tiny shorting points.

https://www.tagarno.com/tagarno-digital-microscope was what I had at my old shop. Expensive but it was awesome

Digital camera microscopes from TAGARNO with USB and video

Get digital camera microscopes with USB to display live high resolution images and video on a screen in up to 590x magnification and capture images

@mitchlang I also have head worn magnifier. Bausch & Lomb Magna Visor with Lens Set from Amazon.

I had that hooked up to my Windows laptop and used the Windows camera app to see on screen what I was doing.

That is a great idea as well

12:55 PM

I submitted a request for a desk mounted unit this morning. I can see this being a re-occurring issue and a much needed tool.

I have a investigator from a cold case unit that brought in call detail records from a 2002 homicide. The CDRs reference cell towers that were used to make the calls. However, the cell tower location was not included only the number that referenced a tower. Does anyone have any way to learn which cell tower it was from 2002. Also- the cell company (AT&T)does not keep records going back that far and cannot tell us which towers were used.

eh, tough spot. i would try the feds to see if they have any input. or check with all possible departments that would have jurisdiction for that time frame and location to see if anyone did cell tower work for a case +/- a year or two...if anyone has a case that happened to take place in the vacinity...they may have some record you could use as reference. if what i am saying makes sense (edited)

That’s exactly what we are hoping for. Or someone that had a master DB. It was shortly after 9/11 so I’m sure the info is out there somewhere

yeah, its really a crapshoot...you dont have any real reliable option.

6:35 AM

i would hit up local/municpal departments all the way up through the federal agencies and hope to get lucky.

6:35 AM

did you try cell hawk?

6:36 AM

long shot cause i doubt the company is that old but may be they might be able to help

@Unoriginal_name can you post a few lines of the CDR?

@Dr.Who-IACIS I’ll see if it is okay with the investigator.

Hi! I'm starting to study the core of volatility but I don't understand how the VType size is calculated. Let say I have this VType:

'process' : [26, {
    'pid' : [0, ['int' ]],
    'parent_pid': [4, ['int']],
    'name' : [8 , ['array', 10, ['char']]],
    'command_line' : [18 , ['pointer', ['char']]], 
    'ptv' : [22, ['pointer', ['void']]],
}]

why the size of process is 26? (edited)

Hello! Im looking to write up some reports for practice when i have the spare time, and im just wondering if the ones employed in the DFIR area have any report-outlines thar they are allowed to share. Mostly leaning towards evidence reports in digital forensics, just so i have an idea of the structure and what needs to be included in a professional report

Does anyone know a vendor board level repair for Samsung Note 8 ? I had a phone with an inflated battery

@Cygonaut At my previous gig, we just did a Word document with various headings and subheadings for each piece of evidence in the case. They would include a summary of how the evidence came into my possession, how I prepared the evidence for extraction, how I extracted it, the summary of contents extracted (think like Extraction Summary page on UFED PA) and then my findings summarized meaning whatever artifacts I located that were relating to the case. My summary report would be provided along with the million page reports generated by the forensic suite. Often my summary report was the go-to for the low hanging fruit evidence but naturally the million page reports were ultimately used to go over everything on the device. Hope that helps, let me know if you have any other questions

Anyone use FEX here? I have a really dumb question.... I normally use XWAYS and can create reports easy az... I'm using FEX as one of my primary tools now. I've booked marked a ton of evidnce and want to create a report in HTML or PDF... I just can't find an option in the bookmarks to create a report from there... I have a reports option but and can extract to PDF from there however there's nothing that I bookmarked in the report. Any clues please?

Thanks in advance

@Gumpoo @GetData might be able to help. I tried FEX for a few weeks and really liked it. Wish I still had access to it.

@Andrew Rathbun Thanks bro. yeah I'm loving FEX over XWAYS. I use Xways to validate my findings

Thanks for your input.

4:46 PM

Belkasoft got back in touch with me with regards to Telegram.

4:47 PM

Hi Maria, Thanks for your email. I’m currently trying to get further information with regards to the telegram app. I’ve had a number of cases now where I can prove possession of an objectionable video (Mosque shooting, Christchurch NZ) There is a telegram app folder on the desktop with a number of other incriminating videos contained within it. I need to be able to prove that the user ‘distributed’ ie: Shared these videos using the Telegram application. Can Belkasoft Evidence Centre provide any other information That UFED or AXIOM can? look forward to hearing from you

4:47 PM

Dear Duane, Sorry for delay with the answer. Is it Telegram Desktop for Windows? As far as we know, it stores info on downloaded files but not on file transfers (that is on uploaded files). Also it doesn't keep communications locally. We will try to find something more tomorrow, but most probably we have nothing to help. Best regards, Anton. Belkasoft

@Gumpoo The reporting in FEX is terrible to start. You need to build a template first.

@Joe Schmoe Really? Bummer.. Ok. Will go back to Xways for now.

6:38 PM

Thanks for letting me know

@Gumpoo I still like the program but the reporting is frustrating. It has some built in templates you can start with but it's not like PA or Axiom where you can just check some boxes and good to go.

1

FEX is a really IMO once you get used to it and like stated create a template its pretty good. The template making can be tedious but once you figure it out its all godo

1

Find hidden friends and communities for any Facebook user https://techblog.mediaservice.net/2019/05/find-hidden-friends-and-community-for-any-facebook-user/ https://www.mediaservice.net/upload919/ffff-graph/

1

Anyone knows how to easily parse Google's file for synchronization, Sync_log.log? I need to find out when Google Drive was synchronized. If it was done automatically or if a user actually did it.

@Joe 🍿🍺 free online parser here: https://toolbox.googleapps.com/apps/loggershark/ (filter for "info" events) Also does plaso: https://github.com/log2timeline/plaso (edited)

log2timeline/plaso

Super timeline all the things. Contribute to log2timeline/plaso development by creating an account on GitHub.

Thanks

hi, i am usually only dealing with windows devices and smartphones, but got this time a macbook image, which is file vault 2 encrypted. is there a way to perform an unencrypted re-aquisition of the image with blacklight to have a non-encrypted copy? I am not really familiar with blacklight and its kinda urgent (edited)

@Gumpoo @Joe Schmoe FEX Explorer reports are generated within the report module based off of items bookmarked. The reports are template based and attending one of our classes you receive a GetData Training template. Sample templates are also included in the software by clicking on the new button of the report module. Feel free to send me PM to discuss and I can assist individually.

3

@.yuzumi. do you have knowledge of the pwd ?

Got a question relating to @Magnet Forensics AXIOM. Let's say I deliver a Portable Case to an Agent and it's riddled with the worst malware, spyware, viruses, etc. I have suspicions that the Portable Case is an enclosed container, for lack of a better word, and the contents of the drive(s) that I provided as a Portable Case won't be a threat to the technologically illiterate people that may be on the receiving end of it. Am I correct in assuming that?

@Andrew Rathbun the portable case would include any documents and media you selected within the included attachments database.

I get that, but it appears the attachments database is in a proprietary format that's read by the Portable Case. Does said malware simply existing in the attachments database pose as a threat to the Agent receiving the Portable Case? Or would said malware need to be exported from the Portable Case and onto the machine before it can pose as a threat?

12:45 PM

Why I'm ultimately asking is because I need to be able to provide proof there's no malware/viruses on these Portable Cases I hand over. If I can say nothing poses as a threat in the case unless manually exported/Save Artifact To... is initiated, that's just all I'm trying to understand

12:47 PM

However, I see that I could just export all, say, Documents and Emails, to a folder on my case drive and just run a scan from there and include a screenshot of the results along with the Portable Case. So that's an option to consider, too

that's a concern our group has as well, we're primarily in cybersecurity IR

1:36 PM

since we'd primarily be marking the malware for reporting in the first place

@Karamba I have the recovery key, but not the password.

@.yuzumi. BlackBags MacQuisition have the abilty to decrypt it if you have the recovery key or pwd, seems to be the case with BlackLight aswell according to this blogpost https://www.blackbagtech.com/blog/2018/04/02/ask-expert-apfs-encryption/ I haven't tried it myself

Ask The Expert: APFS Encryption

Here are our top five frequently asked questions about APFS encryption answered by Dr. Joe Sylve, one of our BlackBag forensic experts.

@Oscar thank you for your reply. yep, I can open the image with the recovery key, however, other tools like EnCase only accept a "password" instead of the recovery key while in blacklight u can use both password or recovery key, so I was wondering if i can create a decrypted image out of the encrypted one using blacklight. similar to re-acquiring bitlocker images with EnCase. reason for this is, our team uses homebrew enscripts to pre-process data to push it then into nuix and they would like to continue using EnCase.

@.yuzumi. I think that - if I understand your end-goal correctly - you need to retake a logical image (edited)

Anyone here use JEB as an Android Decompiler? Thoughts or feedback?

Its the best one on the market but a bit expensive

Yeah, looks cheaper than IDA Pro + relevant decompilers initially, but at least IDA keeps functioning after a year if the subscription lapses

1:10 AM

Do you think it's better than IDA Pro + Decompiler for Android? (edited)

It's different

1:12 AM

There is no dex/java decompiler in ida pro

1:12 AM

And i didn't used jeb for native décompilation so no opinion on that

Ah my bad, I misunderstood. Forgot that the IDA support is for native ARM binaries

1

1:13 AM

That makes sense then, thank you

1:13 AM

I've just been making doing with jadx so far

It's like using objdump vs idapro+hexrays

Wow, that big a difference? I'm going to need to scrape together some budget then haha

Jeb is robust, have a lot cool things like xref/symbol renaming,... And a nice API that is very nice when you want to deobfuscate something

1

1:18 AM

Last time i tried jadx it was damn slow also... Maybe it has changed

1:19 AM

Also you pay for a quick support service (like idapro+hexrays)

I would have loved to have had symbol renaming on my most recent project. Yes, it was fairly slow (whilst still consuming a good amount of RAM)

Anyone free to log into their blackbagtech account ? I am unable to log into the website.

Yeah what do you need?

I want my license key to update to macquisition but it is stuck at the log in screen

Just logged in fine with Chrome

5:32 AM

What browser are you using?

Chrome and IE

Try Firefox? I have to use that for Cellebrite as Chrome never lets me download anything

might be my account

@Jay528 support@blackbagtech.com

Thank you !

@OllieD if you need what JEB does...like need it lol; it is worth it (just my 2 cents)

Great, thank you

I've played around with the demo this morning after @sh4ka 's recommendation and I have been impressed so far. A few methods in my target apk are not decompiled by jadx and stepping through the disassembled bytecode has previously been very time consuming. JEB appears to handle them correctly (although refuses to show me the decompiled results for a few of them because of demo restrictions). Being able to debug an APK from the same environment is nice too

1

I was on the fence about it for awhile, but after getting a test drive of the full version; and the amount of time I was spending in the work, it was a good decision

1

Is this JEB ?

seems about right

6:34 AM

does someone maybe have an .iso image of fccu linux 12.1

?

may I ask why you need that specifically?

because it's the latest version ^^

10:11 AM

well, late in that kinda sense

why the fccu distri? there are a lot of other more stable and up-to-date

yeah, but just for testing

10:13 AM

it's fun

10:14 AM

and the only one I could find is 9.0

I could check this next week back at the office; in either way it's deprecated for about 10 years I think, you should really move on to something up-to-date

thank you ^^ as said, just out of pure interest

Hey All, im having some issues in Ubuntu command line. Can anyone help out?

@mazummo any details ?

Microsoft Adds Live Response Capabilities to Defender ATP https://www.securityweek.com/microsoft-adds-live-response-capabilities-defender-atp

Microsoft Adds Live Response Capabilities to Defender ATP | Securi...

Microsoft has added live response capabilities in Microsoft Defender ATP to help security teams more easily investigate incidents on remote machines.

1:26 PM

big news!

Hi all! We (me, Heather Mahalik and Adrian Leong) publishes today a paper on our research on “Using Apple Bug Reporting for forensic purposes”. It is a paper plus a set of scripts. You can find it here https://www.for585.com/sysdiagnose We wait for any kind of feedback!

Files shared via Tresorit

Tresorit uses end-to-end encryption to keep file exchange secure and private. Access the received content via this link.

Does Axiom support AFF4 image format?

@NapsterForensics no but you can mount an aff4 image with either evimetrys file system bridge or the latest version of Arsenal image mounter

1

I check it out @randomaccess thanks.

Anyone have the SEH dongle server ?

10:54 AM

https://www.seh-technology.com/products/usb-dongleserver/myutn-80.html

myUTN-80

The myUTN-80 Dongleserver lets you manage your USB dongles over the network.

10:54 AM

Got a question

Man those things looks awesome but I totally can't justify one

yup

10:59 AM

there is a cheaper alternative that people are using

10:59 AM

http://virtualhere.com/usb_server_software

10:59 AM

Not looking to spend my own $ on a Rasperry Pi

@Jay528. I love VirtualHere. So far it has worked flawlessly. I have it running on a Synology NAS.

How many ports is on the NAS ?

11:56 AM

Would you be able to use a USB 10 port hub and connect it to the NAS ?

@Jay528 we have a couple of them.

@randomaccess hey- do u know if the free version of arsenal image mounter will work with aff4 ?

@Jay528 yes

3:08 PM

Don't get it from github

3:08 PM

Sign up to their mailing list and you should get a download link

3:09 PM

Overall the process for getting the free version is unnecessarily difficult if you have multiple computers @Arsenal Recon

How about APFS ?

3:11 PM

I created an AFF4 with MacQ on a newer macbook

Major new version of AIM, and new website, on the way soon. Currently at Microsoft (CTIN) so I will be expediting these things next week.

2

Great!

3:12 PM

@Jay528 a few questions arise from that. An aff4 ingesting tool is only going to get you part of the way

3:12 PM

Is the image encrypted?

3:12 PM

Do you have a tool that can read apfs

No, it isnt encrypted

3:13 PM

I wanted to process in axiom

3:13 PM

As the APFS Container on the T2 system is acquired, MacQuisition interfaces with the T2 chip to decrypt the T2-protected data creating a decrypted physical image. In order to create the physical image, MacQuisition creates an image using the open standard Advanced Forensic File Format (AFF4) image format. AFF4, supported by a number of popular forensic tools including BlackLight, provides modern compression algorithms and the flexibility required to efficiently image data in a non-linear or sparse way.

3:13 PM

I wanted to mount the AFF4 and process with axiom

Right

3:14 PM

Try AIM. It may work

Otherwise evimetry using the file system bridge should display the contents of the image as a .raw file which you can process with axiom I'm not 100% sure the file system bridge comes with the community version of evimetry though

3:15 PM

What version of AIM do you have?

v2.6.40

Hmm I think that's the earliest version. It might not work with whatever macquisition is doing

3:19 PM

I have done it before though with an aff4 image converted from e01

3:20 PM

By earliest I mean current. I need more sleep

3:21 PM

If you want to make it really convoluted you can get blacklight and then export to LEF and load that into axiom. Lots of effort and expense tho

3:23 PM

Also you should probably tag @Magnet Forensics @cScottVance @Jamey to help They may have a work around

cool thanks, have a good night

I can send you latest internal build when I’m done at MS. Email mspencer@ArsenalExperts.com. We have been using the AFF4 w/o problems in our latest internal builds. (We has intended to launch over a month ago, but... software.)

3:27 PM

Has=had

thanks !

@Jay528 There is a 20 Port USB hub attached. No issues with it at all.

How to use Windows Sandbox in the Windows 10 May 2019 Update: https://www.windowscentral.com/how-use-windows-sandbox-windows-10-may-2019-update

Have to run an untrusted app? You can run it in Windows Sandbox. H...

In this guide, we'll show you the steps to enable and get started using the new Windows Sandbox experience to run untrusted apps without affecting your device on the Windows 10 May 2019 Update.

3

Sandbox looks interesting. I know some anti-virus products had a similar option a while back. Personally I tend to just throw untrusted stuff into a secure VM but this might be a viable alternative if it's done right (edited)

Too bad some stuff detects VM and refuses to work

2

4:00 AM

I have to test this at home, 1903 installed fine somehow and i have a candindate app to try

@Joe Schmoe - I'd like to remote desktop into a working machine to create cellebrite reports. Dongle is not recognized. Any issues ?

EnCase and Cellebrite and likely a few others aren't recognized over RDP. I've heard TeamViewer is a workaround but I haven't tested that myself

5:39 AM

Axiom and FTK dongles work over RDP. Source: doing that as I speak

You mean your locally connected dongle doens't work on remote machine over RDP or if you connect to a remote machine that has dongle connected, it won't work?

6:13 AM

It should make no difference what kind of software you're using if dongle is connected to remote pc. Otherise some soft of usb sharding/redirecting would be required but i don't think RDP or TeamViewer does that

Anyone whose used the type script command; how did you write it up? Currently the output looks very messy Thanks!

Apologies for the lack of clarity. I mean script for Ubuntu etc

@Arcain if I RDP from home to my office into a workstation that has a Cellebrite or EnCase dongle plugged into it, it will not recognize the dongle and therefore the software will act as unlicensed aka inoperable.

@Andrew Rathbun that's odd security protection. After all you're just accessing your own remote workstation.

@Arcain couldn't agree more. Frustrating, to say the least. So now I can only use Cellebrite or EnCase on computers physically in front of me. I travel often in my job so that makes it tough because I'd like to be able to do all my processing remotely on a beefy workstation rather than a 4 year old MacBook Pro

I guess i won't test Windows Sandbox. It doesn't work for some reason... says it can't find a specified file type error.

9:29 AM

So that's about it being useful for me

9:33 AM

Seems to be an issue related with using a localized version of Windows, an error reported 3 months ago... good job MS

@Andrew Rathbun You can get around this for EnCase v6 & 7, not sure about 8. Do you have the batch file to use RDP with EnCase? I think David Nides may have built it?

Nope I don't. Frankly, I try not to use EnCase so that wouldn't be of much use to me but it would be good to have just in case I'm in a pinch. Got a link? I have dongles for 6/7/8 so I can always test on 8

Ok. I will email it to you.

Will PM you my email

Anyone have a good terroist keywork list?

now that is one hell of a request

I didn't know there were good terrorists.

It's all relative, I guess

lmao

1:17 PM

. (edited)

1:17 PM

ty ty ty

1:19 PM

#define terrorist

I put one together and must have been questionably intoxicated when I posted. Was looking for something with weapons, bomb making material, high risk venues etc

Reminded me anarchist’s cookbook

4:04 AM

If that is still available online

im sure you could still find it if you looked

Yes, I've just had a quick look, and found a PDF online. On a side note, there's youtube vids apparently where guys rent out a warehouse to try some of the stuff contained in the book.

Regarding the remote software licencing VNC works very well as you get your current desktop. We use it to access some headless workstations for axiom processing, but as it's only sharing your desktop 'screen' everything works.

What backpack do you carry for on-scene previewing?

Not a forensic question as such, more of a Microsoft Word question, so hoping this is the right section to ask, as well as there being a Microsoft Word Guru present :p. We have a report that is generated and then we import the photos to the document. The issue is that the alignment is completely out of place. 1 - Is there a way to make every image within a word document resize so that it fits a certain dimension? 2 - Is there a way to detect an image, and then create blank space until the next page after it? Otherwise we will have to continue manually editing 500+ pages

@MrMacca (Allan Mc) https://www.datanumen.com/blogs/2-methods-quickly-resize-pictures-word-document/ might be helpful? Looks like you set a setting and then can easily repeat it with F4 for each picture. Might require manually scrolling but it might make it hurt less

I think you can do it with a macro as well, I seem to remember using one a long time ago for something similar to this but I am afraid I didn't write it and no longer have it!

https://superuser.com/questions/940771/how-can-i-resize-multiple-images-in-a-ms-word-document has a macro in it

How can I resize multiple images in a MS Word document?

In a blank document, I insert images (screenshots - all are of same size and same format) from a folder. I want to resize the images to a desired size. All now I am doing is selecting one image by ...

1

@Andrew Rathbun Yeah I tested it, seems to resize fine. Now I need to find one that will create a new page with the text that follows the image.

@MrMacca (Allan Mc) Here's someone talking about the find and replace and what to look for after an image https://word.tips.net/T009624_Placing_Many_Graphics_in_a_Document.html

Placing Many Graphics in a Document (Microsoft Word)

Word documents can contain more than just text. You can even create documents that contain almost no text at all. This would be the case if you have a document in which you want to insert a large number of graphics. This tip explains how you can easily do the insertion and ma...

@JaiRoc Looks promising, the replace function works, just need to find out what's the command to place it on a new page, rather than a paragraph. Cheers for that.

6:14 AM

trying ^m

6:15 AM

Yeah that works

Awesome!

So within Word, Press CTRL H to bring up the find and replace Find what = ^g Replace with = ^&^m

6:16 AM

now for a proper test it works

We use a macro that replaces the images in our contraband reports with place holder images for creating our sanitized reports. I will see if I can get it to you.

At the moment, we have a file that generates the word document, then imports all of the photos. Those photos then need to be aligned and resized so ideally they can fit onto 1 page, unless they are a full page image. And then the next exhibit entry should appear on a fresh new page, rinse repeat. It's a tedious job atm formatting it and so on for the report, so i'm trying to find a nice easy 2 minute solution. @RAM Thanks, It could come in useful.

Do any agencies/companies present here use a mobile forensics lab such as a van with tables and power outlets to do on-scene forensics?

I just have a large Pelican case full of equipment that I bring on scene and I just set up shop in a room and utilize the local table and power outlets.

We have a van that we use for on scene forensics. Nothing special. Very low budgets.

11:02 AM

But it works

I am asking because we just got two new ones to replace our old ones that were unsafe at any speed. They are fully outfitted but we need a chair to use at the pull down desk we have mounted to the wall. The stock fixed height chairs we used last week on-scene were a bit short for me and I am about 5'6"

Would definitely like to see pics of your setup, if you're willing and able

We use folding chairs so I don't think I can advise on a specific chair to use.

@ds275 chair comfort is important!

11:06 AM

as is height, at 5' 8" i don't like t leave my legs dangling

1

Last time I closed the door on our Forensic van half of the rocker panel fell off so I believe we are in need of a new one as well.

3

I'll check with my supervisor to see if i can send a picture or two of the van. Our old ones had bad breaks, carbon monoxide issues, and had problems starting up so the new ones a huge blessing!

we just applied for one. Hopefully they approve it.

1

Morning from Georgia. I am mostly a Mobile guy currently but was posed at the file that would provide details if a user will be prompted with a password to login into Windows 7 OS. Thank you in Advance

you want to know if the setting is on for the user to have to login with a password?

anyone recommend any open-source wifi finders?

6:23 AM

for connections found on a phone

https://wigle.net/ @mazummo this what you're looking for?

WiGLE: Wireless Network Mapping

Maps and database of 802.11 wireless networks, with statistics, submitted by wardrivers, netstumblers, and net huggers.

@0x3db Thanks. I have attempted Wigle; however, I don't think it works well with x.25 format

Yes if the setting is on

These "i know your password" emails are getting hilarious xD

Am giving a presentation next week to our first responders with regards to best practice with CCTV, Navman GPS type systems, Is there any guide anywhere that you peeps know of? Just don't want to miss anything if I can help it.

thanks in advance. (edited)

Anyone know if eBay maintains original photos with metadata?

@Joe Schmoe serve the paper and let us know

@Krisaytha. Well you're no help.

1

6:43 AM

I was hoping that eBay was a little slow to the metadata stripping party but no such luck.

Does anyone know if Axiom is able to process apple prodcution data?

10:47 AM

I cant use PA because I RDP into the machine and license doesnt work

I'm told that eBay does keep the original images for a limited time. Not sure how long. I'll give an update when I get the search warrant results.

Folks that have passware plugin for axiom. Is it a one time purchase of the passware software? I get that there are a year of upgraded included in the initial but if I decide not to reup I still have access to the software?

5:49 AM

Further, I don't run into a need for it often but once in a while I get a complicated case involving encryption...what's the success like on decrypting something like APFS?

Does anyone have an up to date matrix of software/hardware capabilities with respect to mobile devcies and compatibility? For example, in order to examine an iPhoneX, you need tool X, Y or Z.; in order to analyze a Samsung S9, you need tool X, etc. OR alternatively, a matrix that lists tools and provides what their capabilities are. My group needs to explain to managment what our specific capabilities are (or more specifically what our limits are). While I can certainly explain it verbally, I'm wondering if there's such a matrix out there already for presentation or reference purposes.

@5cary I will keep looking but best I can find is https://docs.google.com/spreadsheets/d/1EeDjYdZM0ByKgnJgc7Go6ihV8IuqEw8tm9H93O3_3xQ/edit from the MDFA Google Group. Looks like this is more a case for Cellebrite UFED

Phone Extraction Entry (Responses)

Form Responses 1 Timestamp,Phone Manufacturer,Phone Model,Extraction Method,Difficulty,Processor,Memory Type,BGA Chip Part Number,BGA Package Type,Notes 2/23/2017 13:24:31,Alcatel,2017B,Chip Off,Easy,QSC6155,eMMC,JW616,BGA137NP,FCC ID RAD506. Have had same model with other ...

8:22 AM

What tools do you currently have? What types of cases are you mostly working?

@Andrew Rathbun : That's a very useful spreadsheet. Thanks. We have Cellebrite tools (UFED Touch 2 and PA), and are equipped for basic JTAG and chip off. No ISP/Flasherbox or GrayKey. So I'm trying to communicate to managment what we cannot do (I guess that's a better approach here).

@5cary off the bat, I would highly recommend 4PC over the Touch. You can throw 4PC on a hundred laptops and just pass the dongle(s) around the unit

8:32 AM

Going from the first Touch a few years at my previous agency was a great decision for the unit

Yeah seconding the touch being the dumbest thing. NCFI is still giving out touch 2 rather than 4PC

9:11 AM

It's just a pain and adds a step in the process for me

9:11 AM

because I have to either write straight from the device to my PC or to removable storage

9:12 AM

the connection to PC doesn't utilize 3.0 so it's gross.

9:12 AM

and it takes up desk space.

9:13 AM

I get their reasoning to have something mobile...but you could do that same with a laptop with 4pc

9:13 AM

so no...I don't get the reasoning

9:14 AM

I highly recc GrayKey if you can get the budget for it. Yeah it can bypass the need to brute a passcode in certain circumstances and can bruteforce (but very slowly) where it shines is in this full extractions on paired devices

9:14 AM

KnowledgeC is where all your smoking guns are if you get lucky enough to get it.

9:15 AM

and you only get that with that level of extraction. ...no other tool out can get you that. That's the selling point of Graykey...not the passcode bypass IMO.

Good info @Beefhelmet . I'm on board with the 4PC, but right now we have what we have. I'm just a knuckle dragger. We've pushed for GrayKey for a couple of years now...no dice.

I got mine funded by having our multi jurisdiction NARC unit pay for it

9:23 AM

"hey think of all them dealerz phones we can hax"

9:23 AM

They pay for it in one forfeiture...

9:24 AM

Since then I've touted as such an asset to the rest of the counties major crimes investigations the chiefs/sheriffs re-upped it with no questions asked

9:24 AM

Just gotta get creative :3

Well, I'm at a 3 letter .gov, and we use iphones on our enterprise - still no dice.

Same boat. We just have a county wide drug unit that the DA's office runs. I just asked nicely for a new gray box instead of them blowing it on another "undercover" blacked out charger...

9:31 AM

with the promise to handle any DFIR needs they might have

for you incident response folks, how do you generally organize your loadout? I don't have a dedicated preview vehicle and won't be getting one. Currently, I have a checklist and I pack a backpack plus a cellebrite and a TD2U briefcase. Was curious if there's a sub $300-400 padded case option like a pelican that you folks use

9:52 AM

or if you HAVE the padded case option and feel it's not all it's cracked up to be that'd be good to know also. The backpack solution is just disorganized and I spend a lot of time packing/repacking

@whee30 I just switched from this old, beat up Pelican case

9:53 AM

To this Pelican Air case, which is longer and not as wide and is a lot lighter.

9:54 AM

I was worried about losing the storage on the inside of the lid in the first picture but I was actually able to fit everything perfectly in the Pelican Air case

9:54 AM

I also bring a backpack carrying my laptop and any snacks, dongles, paperwork, etc, but that's about it

I had been looking at cases large enough to hold the laptop also, I suppose if I carry the laptop separately my options are greater

I carry a Rush 24 backpack so it's way overkill. I could get away with a lot smaller backpack but I like having the MOLLE attachment for my water bottle, an attachment where all my dongles are stored, etc

9:55 AM

Plus I'm tacticool that way

molle and velcro patches help the downloads go faster

It's science

I see you use pelican, did you check out other brands or just go with the known name? It's the only brand I know to consider

It's what I was given. The Air is a lot more manageable in terms of weight than the Pelican case in the first picture. Another thing to consider for my situation is I ship this kit all over the country for operations if need be. I pretty much need a Pelican case. I haven't shipped the Air yet so I don't know how that will hold up compared to the beastly previous one

9:58 AM

https://www.pelican.com/us/en/product/cases/air/1615 this is the one I have

1615 Air Case | Pelican

Buy 1615 Air Case Available with trekpak divider system, padded dividers, no foam, foam. Up to 40% lighter protective waterproof cases. Interior: 29.6

1

10:02 AM

I also work for a 3 letter .gov so it's more about what's given to me than what I shopped for. That being said though, I can't say I'd consider anything else because they really are solid

@Andrew Rathbun US gets that carpet whole sale, our office has the same

2

Seconded the carpet

10:15 AM

Also what in the hell are you taking out? I bring a laptop and a TD2 kit and maaaybe a cellebrite.

10:16 AM

I'd rather just take phones back to the office

10:16 AM

oh and a wallet of a gajillion flashdrives

4 TD2us, all corresponding cables and power cables, every cable you can think of for SAS, SATA, etc, drive docks, lots of HDD's as you can see on the bottom right, thunderbolt dock

10:18 AM

various writeblockers

10:18 AM

This is geared for me being out of state and responding

10:18 AM

not having an office down the road

he takes all the thingz, all of them

@Beefhelmet Just came back from NCFI and they gave out 4PC dongle. I don't know when they switched. I like 4PC much better than the Touch.

yo i have a new keyboard ibstalled instead of the default

11:26 AM

ive made my new one the default but when rebooting its the default keyboard thst shows when i type in my passcode. whh is that and can i change it, its android 9 and a huawei

@Magnet Forensics I have this error on few memory dumps. Do I need to recapture it or any work around available for this error?

@NapsterForensics If you have the means, a recapture is probably ideal. Alternatively, if you happen to know the image profile information, if you back out of that screen and choose the second radio button of 'I want to select the image profile myself', and provide the details it should work

1

Noted, Thanks @Moody

@CLB_joshhickman1 - Hi Josh, I have been reading some of your blog today (great job, very interesting articles) and came across the part about the Android 9 image you populated with test data. It could be im just being stupid but in the associated download link I cannot see the sda.7z file, only the Andriod 9 tar - is there another link to get the bin file? Thanks! (edited)

Hey, does anyone have a method of creating custom bad sectors on a brand new hard drive, that can then be used for testing acquisition software accuracy?

@MrMacca (Allan Mc) honestly, https://groups.google.com/forum/?hl=en#!forum/datarecoverycertification might be the right place to ask. It's all data recovery experts in there

Google Groups

Google Groups allows you to create and participate in online forums and email-based groups with a rich experience for community conversations.

6:00 AM

I did some Googling but found nothing definitive. Saw some very old posts talking about a MAKEBAD command you can send to mark sectors bad without making them bad

6:00 AM

Not sure how much of that is still valid in 2019

@MrMacca (Allan Mc) I might be able to get hold of something that does it, in Linux. We did this in my last job for ISO 17025 which I have no doubt is why you are asking the question

6:01 AM

But I dont have the commands to hand and can't remember them, however I will see if I can reach out to someone

@bizzlyg You are correct. Cheers @Andrew Rathbun

@bizzlyg Since the image was moved to Digital Corpora, the format has changed slightly. The android_9_tar.gz should contain everything. But, you reminded me that I should modify the blog post accordingly.

@CLB_joshhickman1 cheers, however its only 4gb ish which from reading your notes is way too small?

6:05 AM

I opened up that tar, can see a logical extraction in there but no bin

I still have the sda.bin sitting around on my NAS at home if anyone wants it

No, that's the right size. They REALLY compressed it.

@bizzlyg I'm seeing the same thing

6:05 AM

no .bin

Really? Hmm...

someone has stolen the bin!

If you have a way of sharing it @Andrew Rathbun that would be great

I'm a digital hoarder so you can always count on me for stuff like this lol

haha

It'll take a bit to compress and upload but I can do it unless @CLB_joshhickman1 has a mirror readily available

6:08 AM

I can host it on the shared Google Drive, too

No worries, no rush at all I just wanted to try it through our software, as a test

Well, the .bin had all of the available partitions from the phone. The issue was the /data partition was encrypted (I couldn't get a single .bin file with everything).

6:12 AM

Even though the phone was rooted.

6:13 AM

Apologies for that. Let me contact the host and see if I can get it corrected.

No problem, actually wasn't sure if I was being a muppet and just not seeing the obvious somewhere

@Andrew Rathbun I have a compressed sda.bin file (64 G down to 11 G), but I'm working off of a slow wireless connection today (construction workers cut our fiber line yesterday - still not fixed).

6:16 AM

It'll be later this afternoon/evening before I could upload it.

@CLB_joshhickman1 I'll see what this gets down to. If it's not 11GB, then we can just wait until later this afternoon for your 11GB copy. I'm happy to host on the shared drive if you need a place to host. Open offer, no obligation (edited)

@Andrew Rathbun @CLB_joshhickman1 - really no rush at my end, I am happy to wait

10.8GB, will upload now

1

Thanks @Andrew Rathbun

Thank, @Andrew Rathbun

Anyone mess with astra linux at all?

@bizzlyg @CLB_joshhickman1 https://drive.google.com/open?id=1HfQEFiErAFgESuTN_KHWdRKC9R1io7OG

1

Cheers @Andrew Rathbun

Anyone have experience in submitting search warrants to google?

@mazummo Yep, what's up?

@Andrew Rathbun do they require judge-ordered?

8:06 AM

additionally, you have contact info for LE? It doesn't appear they have a portal

@mazummo https://lers.google.com/signup_v2/landing

8:07 AM

Preservation requests don't require a judge/magistrate

8:07 AM

That's the link to the portal. They'll send you a login URL. You'll probably have to establish an account if you don't have one already

8:08 AM

Search warrants obviously will need a judge/magistrate to sign off on the legal process

This helps. Thank you!

Let me know if you need anything else. That should get you started

How do you guys handle a back log with warrants pending? Like SW supposed to be served within 10 days but generally the data is as it exists at the time the warrant was sought. I've always thought of it like lab testing.

I'd say just do the preservation letter within the 10 days and serve the search warrant within the 90 day preservation period and the rest is out of your hands

I mean with regards to phones

9:13 AM

So patrol gets a SW on a device that was seized during an arrest. Im usually getting to it within the timeframe when I can but sometimes it might take me two weeks

9:14 AM

the SW applies for the seizure and the search of the device...so technically the device was seized and is just pending "testing"

9:14 AM

as long as you aren't getting data that occurrs beyond the 10 day window which shouldnt be happening because the phone is isolated.

9:17 AM

beyond that matter I'm usually not finished "executing" searches on computers for weeks even.

There is case law stating that if the evidence was submitted to a lab within the date and time within the 4-corners of the search warrant your good to go even though there is a back log.

9:24 AM

I will have to try to find it for you

http://www.iacpcybercenter.org/prosecutors/digital-search-warrants/

9:25 AM

Is it an issue of being "sent to lab" if I just let it stay in evidence control until I'm up to pull it. We still in the same building or is there a distinction. Surely there isnt

9:25 AM

Basically I consider the time of execution as the time that I receive the warrant and request for processing

you can look at it that way

9:25 AM

it doesnt matter if the lab is in the same buildin g

9:26 AM

building as long as it was submitted within the time frame your good to go

9:26 AM

the extraction process and date really is irelavent

9:26 AM

sometimes it takes months

9:26 AM

to research an exploit and or get data sometimes

Right

I would speak with your AGS

9:27 AM

make sure you guys are on the same page

9:27 AM

since they have to defend that aspect

Right I've had this discussion with them before and trying to figure out how to better relay it to them

I will get the case law ours use

9:27 AM

you might have to remind me

9:27 AM

ADD and busy gets in the way

#remindmein10days

9:27 AM

9:28 AM

United States v. Mutschelkaus, 564 F. Supp. 2d 1072, 1077 (D.N.D. 2008)

9:30 AM

The Government contends that Rule 41(e)(2)(A) of the Federal Rules of Criminal Procedure only requires that the search warrant be executed within ten days and does not require the subsequent examination of the items seized to take place within ten days.See Docket No. 28.

In this case, the computer and electronic storage media were seized within the ten (10) day time limit established in the search warrant and the forensic analysis took place within the sixty (60) days granted by the magistrate judge. As set forth above, the Federal Rules of Criminal Procedure do not require that the forensic analysis of computers and other electronic equipment take place within a specific time limit. Any subsequent search only needs to be conducted within a reasonable time. The Court finds that the forensic analysis conducted on the computer and electronic storage media by February 12, 2008, was done so within a reasonable amount of time after the execution of the search warrant and, therefore, the evidence shall not be suppressed.

9:33 AM

2nd line

9:33 AM

I did reach out the AGs as well

9:34 AM

In United States v. Hernandez, 183 F. Supp. 2d 468, 480 (D.P.R. 2002) original case

9:34 AM

for that paragraph

thanks for that by the way

Looking to buy video format conversion software for my department. Any suggestions?

InputAce ?

Input Ace and DVR Examiner

Another case management system question incoming... I've heard of all the common systems that most people use, Atlas, BlackRainbow, Lima, Spreadsheets etc. I'd like to know if anyone has looked into Jira from Atlassian, their main business is to cater for software development teams but they have expanded to include business management and IT service 'ticketing' which I would think could be adapted for a digital forensics workflow.

We haven't used Jira but we currently use infra which is an outdated IT ticketing system, and as it wasn't really designed with digital forensics in mind it has been a bit of a nightmare adjusting / getting fields to fit with our workflow, and it does not intergate well with our current forensic tools at all. Jira might be different, but I'd imagine you'd need quite a lot of customisation which could get costly (edited)

I evaluated Jira as an internal R&D planning board, configuring it to not be completely focused on software dev was very time consuming. I agree with @K23 that I think you'd end up investing a lot of time and effort to adapt it properly

i use humhub, not designed for a project management software but you can make it look that way. fancier

7:10 AM

https://humhub.org/en

HumHub - The flexible Open Source Social Network Kit for Collaboration

HumHub is a free social network software and framework built to give you the tools to make teamwork easy and successful.

I've been messing around on the trial and that seems to be the case, I need to a lot of customisation to be able to adapt it properly which is a shame as the general idea of assigning tasks/sub-tasks and a set workflow is quite good

@Beefhelmet check this case law United States v. Cleveland, 907 F 3rd 430 : https://www.leagle.com/decision/infco20181019392

U.S. v. CLEVELAND | 907 F.3d 423 (2018) | By JOHN... | 20181019392...

OPINION JOHN K. BUSH Circuit Judge. A jury convicted Defendant Appellant Dockery Cleveland of conspiring and attempting to possess...20181019392

I am planning on creating a small presentation for our detectives here that will be using the AXIOM portable case files to conduct further investigations. Is there any basic training material out there in PDF format or powerpoint that can easily explain all the artefacts etc etc... Thanks in advance.

@Gumpoo axiom has an artefact reference guide in the help

going to be running a project on smart watches that im obtaining out of my own pocket any suggestions on where to start looking for information on them and is there any brands that people think are popular?

Definitely Apple Watch

4:29 AM

and then in terms of Android, there are many options. I'm guessing a Samsung Gear model, probably a Fossil model, not sure what else

4:30 AM

https://fccid.io/BCG-A1891 will have FCC info on those devices. That link is for the Apple Watch, in particular

FCC ID BCG-A1891 Apple Watch by Apple Inc.

FCC ID application submitted by Apple Inc. for Apple Watch for FCC ID BCG-A1891 ( BCG -A1891 ) User Manual, Frequency, Reports, Images and more.

Morning Everyone! what is the average response time from Snap Inc. (Snapchat) when serving them with a preservation request?

Usually within a week. They used to be much quicker a couple years ago (edited)

How does that work when you are trying to preserve something that they claim to only keep for 48 hours?

In my experience, I've gotten the last 90 days of snaps every time I did a search warrant through them at my previous gig

5:56 AM

My MO has always been to do a preservation letter to them immediately and it's always worked out fine for me

Any of you super organized types keep a benchnotes journal?

@Beefhelmet am a super organized type. Do you mean like running notes on cases I work?

@Andrew Rathbun I've started keeping kind of a bench notes journal...like a lab journal of sorts. I'm fully aware it is discoverable etc. and it's part of the reason I'm keeping it. Just a composition book that I date from the start of its use and until I fill it which I'll then just file it away.

10:37 AM

I use it more or less as my day planner but for example I'll list every case I have tasks for that morning and then pull them for evidence. and then for each item I just notate case number what phone it was and what method I used to extract etc. in shorthand

10:38 AM

especially if I have to go outside standard forensic practice ie. had to live boot it @ hrs because <reason>

10:38 AM

or ya know attempted to put the device into a download state but missed the prompt and it booted.

10:39 AM

but 99% of the exams are just one liners in the log

10:39 AM

just wanted to get some opinions on it...or see if others do somethign simlar

I didn't do anything like that at my previous gig but I adopted the use of OneNote at my new job and I quite like it. I do a running list of what I've done when so when I have those everyday moments where I can't remember what I ate for breakfast let alone something from 2 months ago, I have my stream of consciousness description of what I did that day on OneNote. Simple rule of thumb to never put anything in there that I wouldn't want to read in front of a jury.

10:55 AM

My agency is heavily invested in the Microsoft ecosystem (OneDrive, Office 365, OneNote, Outlook, OneNote, etc) so everything "just works" and it works well with my workflow. It's just a cool program overall. Like Word but with a lot more flexibility and tabbing as well as being able to share notebooks and whatnot. I'm sure there are worthy alternatives - https://alternativeto.net/software/microsoft-onenote/

Microsoft OneNote Alternatives and Similar Software - AlternativeT...

Popular Alternatives to Microsoft OneNote for Windows, Mac, Android, iPhone, Web and more. Explore 25+ apps like Microsoft OneNote, all suggested and ranked by the AlternativeTo user community.

I've started dabbling in one note lately. Someone distrubuted a case report example of one done in one note in a class I took a while back and I rather like how it works. I don't fully understand all of the program's capabilities though and really need to sit down and tinker with it. Generally I keep a running spreadsheet on google drive of my exams but I feel like writing things down in a notebook feels more purposeful and deliberate.

@Beefhelmet I currently have tabs titled "2019 Active Cases", "2019 Inactive Cases", and "Admin" which have pretty much covered everything I've needed to document so far. Admin mostly for taking notes on the administrative nuances of this new job. Within those tabs, I have pages for each case with my running notes. I can also create subpages as needed to better categorize beyond the pages. It's a neat setup and I think it'll work well for me in the long run.

careful with one note

4:34 PM

we had years worth of info in a onenote because it was networked, every new day was a new page in there. it definitely died on us haha.

Does anybody know a source about how to use FTK Imager in computer forensics?

@Igor Mikhaylov are you trying to complete a task or just looking to obtain a manual for reference?

I remember I've read a good article about how to use FTK Imager in computer forensics. It was a ages before. Now I can not find the article.

I have a bunch of INTEL Compute Sticks that I need to image. Just racking my brains on how to do this...? I'm thinking this possiblility unless someone can advise me otherwise... INTEL Compute sticks have a micro SD slot and a USB port.. So...Not in this order.. Boot PALADIN from a Micro SD Card. Add a USB Hub to add a keyboard and mouse so I can see what I'm doing. The Chipsets are soldered so can't remove them. Plug into a monitor or tv with HDMI.... Should work right? Anyone else had this scenario? Thanks in advance.

@Gumpoo that sounds very logical to me. Good thinking outside the box

2:09 PM

USB Hub for destination drive too

Yes destination drive!! Missed that one.. Thanks for that. Will give that a go. Cheers @Andrew Rathbun

1

How Does AI Contribute To Digital Forensics? - Forbes https://apple.news/AS47mhuxTQJOvwl6DTWh3eA

How Does AI Contribute To Digital Forensics? — Forbes

How does AI contribute to digital forensics? This question was originally answered on Quora by Lee Reiber.

Anyone up?

@whee30 just ask away

Need some assistance please if possible. I'm having to write a formal written statement with regards to my involvement in a case involving a dude possessed 'objection material' on his phone. The being charged with possession is fine but The 'crown' want to know why we couldn't charge with 'distribution'. Within facebook messenger there is a conversation where the guy has sent a video named let's say VID_20191306_MP4 or very similar naming convention. This is in relation to the mosque shootings video's that were sent around. The conversation prior to this file being sent and after reveal that this is a copy of the mosque shootings however the video cannot be viewed / doesn't play nor does the file name give it away and make it obvious. Flight mode was turned on immediately when it was seized by Police.

2:49 PM

Conversations and the manifesto pdf cached to the handset but no video. Does anyone know if this is common practice for Facebook Messenger?

2:50 PM

Also no thumbnail of the vid cached

Does anyone know of a way to tag or export watch list hits in physical analyser? I want to highlight a number of keyword hits but it would take too long double clicking on each on then tagging. I can't find a way to do it in bulk, any ideas?

@Gumpoo Not sure what OS you're talking, but I've encountered the unplayable attachments thing for FB Messenger for some time now. I've been recommending alternatives such as cloud acquisition or screen video capture to obtain them if they're relevant to a case.

Thanks @forensicmike @Magnet . It's an iPhone 6. It would have been a different story had I been at the search warrant. Before flight mode is activated I could have been looking through his phone onsite

3:55 PM

The crown.. want to know why and I need to provide an answer that they can understand.

But yeah the thumbnail-less attachments thing is definitely common, even for full filesystem iOS extractions. "Because Facebook wants to make our lives difficult" might be a solid summation a layman can understand.

4:01 PM

Seriously though, short of doing the research on your own I wouldn't be drawing any hard conclusions. Maybe an expert opinion that apps constantly change, often becoming more complex (and thus more difficult to decode), that the forensic tools are under constant development to improve said decoding, and so on. (edited)

4:02 PM

You could also try running the extraction through a couple of different tools to confirm that indeed, parsing Messenger attachments in 2019 is hard.

Thanks @forensicmike @Magnet I also ran it through AXIOM. Still same result. Good advice. Cheers

Where do you guys buy test phones? I found my model phone, LG M257 harmony on eBay, and our procurement department is having a fit over purchasing through eBay. Any other solutions?

@sholmes I've always advocated getting phones from a local lost and found. Build up a supply over time for free. Get with a local library, police department, or any other community center to see if you can be implemented into their lost and found policy

12:34 PM

At my previous job, my front desk could turn over phones to either the women's shelter or us after 90 days. (edited)

Yeah that is a good idea, but wouldn't help in this case as I need this actual model for testing.

12:35 PM

We are actually looking at modifying our disposal rules to allow us to keep devices to use as test devices.

That's a great idea

12:36 PM

Could always just dispose them and fish them out of the trash

LOL

Can't say you didn't dispose of it

12:36 PM

What happens after that happens

I was getting some through a local halfway house as well. They would seize them from guys who couldn't have them or had them inside the residence. They destroy them after so long, and would give us them for testing.

That's great. I'm sure there's lots of untapped resources like that in everyone's respective community

for sure

If they're having issues with eBay, maybe see if you can just buy it new somewhere? If they don't like that then say eBay is the only other option

I am trying exactly that right now. My google fu says the phone isn't available anywhere else except ebay. LG M257 Harmony. Feel free to prove me wrong. LOL

12:59 PM

no seriously if someone else can find it in the US through a non-ebay vendor, I would be appreciative and never so happy to be wrong.

i found it other places, but ebay was cheapest. try your local craigslist and facebook marketplace

eBay is our main destination. Used to use CeX, still do occasionally when we need to check whether a device is running a specific OS/firmware version (the dirty looks I get when I start putting their Samsung phones into recovery/download mode...)

quick question

3:20 AM

for everyone

3:20 AM

master copies of your, things, whatever it may be

3:21 AM

phone extraction, E01s, Axiom cases and so on

3:21 AM

retained digitally on your storage yes?

yup

3:45 AM

I am sensing there is more to this question

@Sudo images of devices get thrown on a HDD as a best evidence copy. Working copies go on my NAS. Portable cases or UFED reader reports or any other generated reports are provided to the case agent but not maintained by me. They can be generated at a later date with the best evidence copy if need be. They could be, I suppose, since there's always room for them on the best evidence HDD but I just don't.

4:08 AM

Axiom cases don't get saved or anything. Pretty much anything that can be generated from the best evidence copy isn't kept

cool, ty

4:11 AM

you're both US LE right (edited)

4:11 AM

or US?

Yep

4:11 AM

@bizzlyg I think is UK though

there is indeed more

4:12 AM

but not any more question

I am from the UK but in Austria now

just motive behind it

but worked in the UK

I just want to get a little idea of a few jurisdictions views on the matter (and find they likely are all the same)

4:13 AM

but Rath say your E01 file

here we keep stuff on network storage and tape backup, before in my old job we had a ridiculoulsy sophisticated SAN which did all kinds of clever things

that's stored on your storage as the "master"

4:13 AM

i.e. copies for working are made from that

4:13 AM

makes sense, we have storage and tape too

ah I see where you are going with this

all I wanna know is, is people's server storage their "master" storage location

4:14 AM

so rather than being in a bag, it's hashed up on the server as the "master"

To be honest, we had multiple copies but we didnt specifically designate one as the Master

no I know

Server storage is our working copy. Master copy is just sitting dormant on a HDD wrapped up in an anti-static bag

but, as a hypothetical

4:14 AM

this isn't usually an issue

I guess if I think about my old place, we had working copy on the spinning disk storage and the master was on tape

4:15 AM

if you define it like that, but we didn't specify working and master copies

4:15 AM

if that makes sense

yeah makes sense

4:19 AM

regardliss of storage location as such

4:19 AM

you can have a "digital" master

4:19 AM

that's all I mean

yeah dont see why not

you're not like, doing the E01 then putting it on a single disk and bagging it

4:19 AM

in an exhibit bag

as long as its stored in the proper way with some redundancy

you're storing it digitally with redundancy etc etc

yep thats what we did

yeah well we have two servers raided then mirrored + tapes

never went down the road of physically sepeating a master copy out and locking it away

4:20 AM

I know places that do, but we never had any issues. We went through ISO 17025 without it being a problem too

yeah, I don't mean it reaaaallly like that, not convoluted anyway

4:20 AM

more just

4:20 AM

imaged exhibit hard disk to the server

4:21 AM

verified data integrity

4:21 AM

it now stays there

4:21 AM

I copy it down to my workstation to process

4:21 AM

should anyone ever need that E01, I can provide it and they can verify its integrity

I dont a problem with that, we didnt even copy stuff localling, ran it all over the network

4:22 AM

locally

same with CCTV, video file gets hashed and copies can be given and anyone can hash their copy to see it's the same file

yeah

yeahhhh, when you have a 1TB E01 though haha

haha

we don't have 10gig

4:22 AM

not yet

fair enough, we had 16gb fiber

nice

yeah it costs a bit

we have trunking into our servers so we do each get the full beans

4:22 AM

but our links in are only a gig

still good

server can handle multiple gig connections though so

4:23 AM

there's (rarely, never really) any reduced speed

4:23 AM

in an ideal environment obviously, if there are like 10,000 filesystem entries to write that's a different story

yeah but as long as it does the job you need, no point going crazy with new infrastructure

we probably will add 10gig cards

4:24 AM

they're pretty cheap now

4:24 AM

but our workflow is fine really

4:24 AM

anyway, cool, I just wanted to get some second opinions on "masters"

4:25 AM

and if retaining it digitally like that is reasonable (and realistically more efficient and secure)

yeah we had no issues essentially having masters stored on some kind of networked storage/tape library

4:27 AM

we did also backup reports, statements and E01s to a further tape and send off site but not because of a master copy philosophy but just for disaster recovery purposes

yees

4:28 AM

cool, thanks for the infos

2

I hve noticed a few questions about Hancom mobile forensic products over the last few months, we have tried it in the past and I am just taking another look at their stuff again. Has anyone else had chance to try it and compare it with other toolkits? Specifically the RED and NEXT products - I'm just interested in hearing other peoples opinions, if there are any, to see if they match up with my initial thoughts

4:50 AM

RED is a PA equivalent and NEXT is the 4PC equivalent

never heard of it, just had a look

4:54 AM

seems very XRY-esque

4:56 AM

I can't imagine it would perform any different to other tools

Yeah I don't think it has much exposure in the EU/US market, yet anyway

5:03 AM

My initial thoughts are the software is fairly intuitive and looks professional, I do seem to have some descrepencies from the same devices though between PA and RED, after respective decoding/processing. I was kind of expecting that to some extent and its that I was wondering if anyone else had experienced. I am guessing almost nobody here is using it though

nope not here

6:48 AM

honestly I wouldn't really be inclined to, we get so little off phones these days that it wouldn't make a difference

6:48 AM

won't be long before we just become photographers

That would be a big prob for mobile forensic companies

they could start selling fancy "forensic" cameras or something!

1

Gotta call it a tactical camera

the Android Tactical Camera

Apple Tactical Camera sold separately

I'd say that one should be Apple Facebook Messenger Tactical Camera

7:02 AM

Apple Facebook Messenger Tactical Camera Depending on Which Version is Installed

Could easily double the price of the Apple variant just because it has Apple in the name

7:18 AM

still can't believe the price of that monitor stand, although granted these would not be official Apple products

if Apple made forensic software...... "Meet Apple Dongle Holder. This product will transform digital forensics. For the first time, the dongle will not need to dangle. Starting at US$599"

4

They're out to lunch with their pricing schemes but hey, it sells for whatever reason!

1

2

3

1

anyone have experience with adobe creative cloud search warrants? I'm working a case involving psd files and the metadata suggests it was created with CC 2015. Wondering if they track MD5 etc. to see what account created the file. Not sure if the storage is cloud based or just the application function.

I have an email out to their LE contact, will update when/if they respond

Anyone got any advice on how you would approach a job where the suspect is saying they have been hacked and thats why x y z illegal content is on their machine?

1:56 AM

Like is there a set procedure of things that can be done to help prove/disprove it

First I'd get them to define what they mean by hacked as that's a pretty broad term. If it's an email account that was compromised you might see evidence of security emails stating someone had logged in from a new location (Gmail) for instance, and try to find other references to the account. If they are just stating that the computer itself was hacked then running malware scans is a good place to start. These ones are always tedious, I had a case recently where they were claiming an iPad was remotely accessed and remote controlled to get the illegal material on there. Can be really difficult to disprove it without tripping over yourself in the statement and opening a few holes, I was lucky in the fact that they stated it was remotely jailbroken when there was no evidence that the device had been jailbroken at all for that one.

2

I would start with a timeline if in fact the computer might have been compromised. However if an email was compromised like the above said get the logs from said email provider which can prove or disprove this maybe. If the suspect was using a vpn to change locations that could cause an issue too. Alot of variables in this type of invest. However a good timeline can be very useful if you dont get lost in all the data..

3

Another good thing to consider in addition to the above, again along the same lines as a timeline, I am assuming you have some incriminating material on the machine (IIOC?), you can build a timeline of all activity around the timestamps of such material and see what else was happening. For example long ago when I worked for LE we had a job where web browsing activity and IIOC creation was right before and after accessing online banking, online shopping etc using their own account. Sure they can still say that was also hacked, but it starts to get less and less probable, also its more likely the hacker would harvest the creds and use them elsewhere, not on the actual machine that was targeted. Basically try to build up as much personalisation as possible to the suspect/owner

3

Hello! Please I am working on Drone Data Analysis. I have requested for Dataset from NIST but got no reply, is anyone able to help?

Asumming you requested access through here? https://www.cfreds.nist.gov/drone-images.html While we do have test data for this we cannot share it unfortunately as there is still some personal information contained within, e.g. the test sites and staff conducting the tests.

@K23 Yes please, through that link

I've just requested access through my force account, I'll let you know if I hear anything back, and if I do I'll query access for you.

@K23 thank you so very much

@Rossko check for IOCs and standard persistence locations

1

Thanks for everyones suggestions. Things to look into :).

Has any LE out there written a Search Warrant for a VOIP recently? Looking for a "to wit" to review so we are not missing anything.

8:43 AM

DM please

Update to my creative cloud question last week in case it helps anyone else out, I received a response from Adobe that they do not have the ability to search stored files for a specific hash value.

1

@whee30 thanks for circling back

Can anyone confirm testing forensic tools such as axiom or PA on xeon processors as opposed to I7 or I9? CPU is running on 2% and takes hours to process some of the heavy dumps. My only conclusion is that its software related but would like hardware recommendations or anything that can speed up the processes..

@awnexus - we use Xeon processors with both Axiom and PA. Axiom runs well utilising 16 cores (Magnet rep told me that anything over this is a waste of time). PA responds better to a higher clock speed, especially when generating reports. For best of both worlds we went for workstations with 2x Xeon 6128 with 6 physical cores running at 3.6ghz. I do know UFED is going to be revamped soon and will take advantage of more cores

Does anyone have picasa installed on Android or windows arnd can take a screenshot and send it to me? I'm trying to figure out whether someone used Android or windows and I'm coming up with nothing

@randomaccess http://www.oldversion.com/windows/picasa/ for Windows

Download Old Versions of Picasa for Windows - OldVersion.com

Ya. It's more that if I get multiple people taking screenshots and sending them to me I might be able to then ask them how they did it I haven't been able to figure it out when installing Picasa on win10. It doesn't seem to have a screenshot feature or it doesn't remove exif data

Hi all, do you people that have to see CP material, get proper psych support? I mean it is really disturbing and would most likely have negative effects on one's mental health.

Our agency doesn't do anything more than a token effort to support us. We have had many members transfer out of the unit because of the effects of exposure to CP and I had a close friend forced into a disability retirement because of it. They send us to a mandated employee assistance program about once every other year. The program is good and makes recommendations on how to best handle the work. Our agency however disregards any suggestions made by the training. They do not appear to care if they destroy our mental health, they'll just replace us once we're used up.

4:11 AM

It's frustrating

@Dr. Kaan Gündüz when I was in LE we had conversations with a psych every 3 months. Allowed you to talk to someone if you wanted. We also talked internally if there was ever something particularly troubling. But we also took a lot of steps to avoid exposure. So no one in the lab would actually spend the time categorising material. That would go to the case officer. Helps spread the load

5:27 AM

@Andrew Rathbun disregard. I figured it out. If someone forwards an email a few times and you pull the photo that was originally an attachment google or a server along the way may mess with the file. Always request the person exports the email in question and provides that.

I've been in a year - no one has really talked w me about it. Most cases are fine, a few have bothered me. As an agency we have psych support available in general, I will just have to seek it out. There is no proactive psych appt. imposed.

i think it is like exposure to radiation. one should not look at that sort of material too frequently.

A lot of LEOs will be afraid to say anything about it because of the "stigma" about seeking counseling. Then there's the agencies that will take away creds if you seek counseling for depression or something like that. It's important to be with an agency that has you back when dealing with those kind of cases.

We have a policy for our Section that requires mandatory annual health evaluations for all Section members; this is done by a licensed psychologist. The policy also allows for additional visits for Section members if they voice the need or if I (as Section head) make a determination that it is needed. The policy also covers spouses in the event that the spouse needs assistance with helping the Section member cope. We also have a certified therapy working K-9 on staff.

12:28 PM

Additionally, we rotate case-types so that examiners are not bombarded with CP cases back-to-back. We also make a point to go out to dinner at least once every other month after hours to decompress.

6

2

are you hiring

Not at the moment. I hope to be later this year as we are a bit short-staffed.

12:48 PM

@JaiRoc is right: it is important to have agency buy-in on a mental health program. And just like anything else you ask for from management, numbers/facts/figures usually help. Forensic Focus published a good article a few months ago that discusses DFIR burnout, and it references several other articles discussing the same issue. If you're looking at implementing something at your organization, I'd start there. It doesn't address CP, per se, but CP exposure certainly contributes to burnout.

12:48 PM

https://articles.forensicfocus.com/2019/03/15/burnout-in-dfir-and-beyond/amp/?__twitter_impression=true

Burnout in DFIR (And Beyond)

by Christa Miller, Forensic Focus Quite a lot has been written over recent weeks about burnout. Not only DFIR-specific posts, first from Richard Bejtlich and then, in follow-up from Eric Huber and …

1

today in a CP case, i came across a document called "pedofile's handbook"

12:58 PM

a pedofile, who claims to be a psychologist, wrote about all aspects of CP. how to find a target, how to do sexual intercourse etc.

12:58 PM

it was like reading satanic bible

@Dr. Kaan Gündüz oh God I've come across that too. It was deeply disturbing. Though according to a federal judge that wasn't an indication that the defendant was interested in looking for victims

suspicious judge there

1:00 PM

i read many articles and books about CP

1:01 PM

but hey were all from the perspective of non-pedofiles

1:01 PM

medical professionals, forensic examiners etc.

1:01 PM

that document was written by a pedo, to other pedos.

1:02 PM

without any regrets and shame

1:02 PM

i saw thousands of CP images, but this was particularly disturbing

1:03 PM

the weird thing is the author sold his book on amazon

I think it's easier to see the images and brush them off a bit than it is to read the how to. The how to gets stuck in your head as this is actually how these monsters operate

it is completely different

1:06 PM

from what the medical pros wrote

@whee30 I would recommend this to you and your agency. They can provide training to teach you the negative effects that long term exposure can cause as well as some basic strategies to help limit and reduce the effects. https://www.shiftwellness.net/

3

1:20 PM

@CLB_joshhickman1 sounds like you and your agency are doing a great job to help your members' mental health. We tried to enact some of those ideas too but our higher ups have ignored them all together.

@whee30 thanks. We do alright. And +1 for Shift. Our ICAC commander has them come through once a year. (edited)

I found the audio from the videos most disturbing. As mentioned by @4n6_Guy(Kevin Salhoff) images you brush off, but the videos with audio... that stuff you cant forget

Oh yeah I don't even have speakers connected toy analysis machine. I'll even listen to audiobooks/music when going through pics/videos to further distance my brain from the content.

4

Good Morning. Just got a case where the suspect walked into a 7-11 gave the clerk $500 in cash and asked to have it added to his Green Dot card. He handed the Clerk the cash and the card. When the clek placed the card into the reader the system locked up and crashed. The suspect then asked for his money back and left the location. When the system came back online it showed that the transaction had gone through . This happened at two 7-11 locations in my city same suspect discription. Has anyone else heard of this? If so do you know how they are doing it. I'm guessing they might have shorted out the pads on the chip and maybe this made the POS crash but this is just a guess and if so how is the money still getting on the card? Thanks for the help.

7-11 stated this is a know issue apprently insearting a card into the POS system while the clerk is entering a transaction forces the system lock up and crash. when the system goes back online it completes the transaction just FYI.

@Dr. Kaan Gündüz have a MD5 for that pedo handbook?

@Hells I just got the entire website on a case. The guy downloaded the handbook website from TOR.

7:40 PM

From a TOR site.

gotcha. if someone gets a hash id love to get the hash so I can search for it on our networks

@Hells i will send it when i am at the office

Anyone dealt with Google Desktop before? I have some files with plain text data in them but not sure what if any tools exist that can parse the data into a nice table or something.

Good morning. Has anyone here had any experience with an email server/client application called FirstClass? My partner has a case involving a newspaper (victim) that uses it and we are trying to find a way to extract all data from a single user. The newspaper is very small and has no IT staff to assist. Any help would be appreciated.

@Hells 1362137f777a9311e97d48ce71832216

9:52 AM

7zip file for that handbook

thx. have one for the extracted handbook as well?

Can anyone explain your opinions on law enforcement digital forensics vs corporate side digital forensics? (edited)

@Tyføøn in what regard? In general, you're more susceptible to CP investigations in LE vs private sector. I can't speak for private sector as I have no experience but if you have any LE specific questions, myself and many others would be happy to answer.

@Tyføøn although it's basically the same process the two are very different thought processes. LE cases tend to be much more focused on putting the bad guy/gal behind the computer. For instance in a CP case the big question is always is there CP on the device and was my suspect the person who knowingly put it on there. There is a much higher burden of proof beyond a reasonable doubt for the public sector than private sector. Private sector seems to be more interested with a "did this act probably happen" so they can take appropriate action; terminate an employee, sue a competitor, etc. (Please take into account that I have much more experience in LE than I do in the private sector)

1

I was just curious about a general description of both, or pros and cons (edited)

@Tyføøn private sector pays better. It's easier to go to private sector from LE than the other way around. Getting experience in LE can prove to be very beneficial for future employment opportunities.

Just recently began talking to a guy who works for Consumer Energy and he started out in LE and made his way to the corporate side. I didn’t know what the Corporate side was like so he was explaining to me his experiences and pros and cons of LE and corporate side. I was just kinda curious about what other professionals opinions were. (edited)

@Tyføøn are you MI based?

8:37 PM

NVM. We've already chatted about this via PM when you joined

@Hells it is a bunch of web pages, zipped together, not a PDF/DOC etc. file

4:06 AM

i'll PM

no worries then @Dr. Kaan Gündüz

md5_cp_book.txt

6.64 KB

does anyone from MSAB here know why a bunhc of posts go up on the blog as protected first, and then sometimes just disappear liek this one https://www.msab.com/2019/06/19/xry-8-0-xamn-4-3-and-xec-director-5-1/

1

It’s probably our marketing team preparing for the grand launch of XRY 8.0 and the rest

We hope to be able to have it out within the next couple of weeks! (edited)

@Erumaro eh id say 80% go up as protected first. Some of them disappear. Some get unprotected.

I will check with our marketing team in Monday, thanks!

@Rossko I saw your post from Monday asking about advice when someone says they got hacked and you are trying to prove/disprove it. It depends on how and what material you are looking. If lets say a user is going to site they should not be and abusing the Acceptable Use Policy. You can look into the information the analytic cookies left behind. Within those cookies you can normally achieve the first time a user went to the website, last time the user went to the website and the count on how many times said user went to the website. This cookie also has a lifetime of two and some up to 10 years on the end point. (This is if the cookies have not been wiped or he/she has not used incognito mode). So if you can not only deduce the amount of times he has gone with the actual number within the analytic cookie, but you can also determine if these actions have been going on for a longer amount of time. If you are looking for illegal files on the endpoint then the best way to perform forensics is pivoting off some sort of timestamp. Start pivoting off the timestamps on the file itself and try to look for artifacts around that time. Like website history, again if incognito mode was used then you are going to have to start looking at network data stored on the proxies/firewalls/netflow to help determine what happened around that time. You can also check if an exe ran using .pf data and or shimcache data to potentially ID malware. If he/she potentially sneakernet a USB to the computer start looking for the modification timestamps within the USBSTOR registry. You can also get the make/model/ and I believe serial number of the USB used. That is just a couple of tactics to identify if someone is lying about it or not. Do not forget the integrity of evidence though, since stuff like this has the potential to go to LE.

Just curious, has anyone implemented Windows Sandbox into their forensic workflow at all? For those not in the know, it's basically a Windows VM that comes ready to use with one of the newest W10 updates.

Our Windows 10 image is so out of date it will be a while before we can even test it, yet alone stick it in our workflow

Is that due to ISO #####?

5:08 AM

I forget the string of numbers

5:08 AM

17025 or something

Partly, in this case it's just due to very slow IT updates, as we do not manage our own IT. We have our own network, but a small (and quite stretched) part of force IT manages it, so our updates and fixes in general are pretty slow. (edited)

17025, the dreaded numbers

1

The version we are running is pretty stable so I can't say I'm unhappy with it, but our updates are slow for sure. Being an air-gapped network that's not the biggest issue on the world, but I do wish our updates were a bit quicker

5:09 AM

Think the only thing connected to the internet is the WSUS server

@Andrew Rathbun I came on here today to ask the same question. I have the latest W10 on my research laptop and have been playing about with windows sandbox. Anyone found any blog posts on recovering artifacts from it?

Yes hello good morning. Is this the best chat to ask about eDiscovery products? I'm about to start looking into a new option and I was hoping for recommendations to look into so I have some ideas once all the requirements are established.

@Jack of Trades what do you currently use? Nuix is the new hotness at my agency

I keep hearing this, anything in particular special about it?

Nuix is is the in tool at the moment for LE big data. Speak to your NUIX rep, it's expensive and takes a while to get your head around it, but you'll get there. It's take n me 2yrs to get to grips with it properly.

8:21 AM

It can handle / parse all types of data, search, export, produce production sets. A d much more, look online for into, or YouTube for demos.

Alright, I'll def take a look.

depending on what you are trying to accomplish, evidence.com is another option. we use it for distribution of any kind of digital evidence...mostly body camera video, but really anything including DF reports and surveillance video is the hope to add to it one day. We are just in the beginning stages of implementing this so i cannot help with parsing of data. I just know its fairly simple to use.

8:40 AM

i should also note that i am not sure if they do work for private sector, but im guessing like most companies, money is money

I'm trying to locate a stolen item that is pinging off a Bluetooth signal, has anyone worked with bluetooth sniffing with a directional antenna and what equpiment they have used ? Idealy I was thinking a USB WiFI modem that had bluetooth built in to use it for both types of sniffing and locating.

this may not be the most helpful since I've not done directional locating, but i've definitely used signal strength to triangulate stuff ive lost personally by just repeatedly moving and measuring the strength of the signal with my phone. Works pretty well with BLE devices, but it really only puts you in the same room as it, i was locating wireless earbuds and it got me down to the right part of the right room in my house, but after you get close enough it really stops working as well

@Andrew Rathbun Windows sandbox is cool but you have to sacrifice VMware if you are using it and for most of the people that is not acceptable...Also, since there is no option to restart the machine it makes it less usable in general. I would been nice to have it along with other VM products just to check some stuff for malicious activity and similar stuff. Regarding investigation of it, it seams that it creates a hidden ~10GB BitLocker partition on your system - would not expect to find much unless someone found a way to decrypt it....still under research

2

any of you nice folks use a dongle server?

hi i need help for cross compiling android 9.0 API28 anyone can help me ?

@Sudo I use VirtualHere and highly recommend it. We've had a few discussions about it if you search that name. In short it's really cheap ($50) and runs on just about anything.

ohh cool, I'll look into it (edited)

6:33 AM

what did you use for all the USB ports

6:33 AM

just a hub

Yup. A large hub attached to a Synology NAS.

6:41 AM

I've had it for about a year and so far it has worked flawlessly.

cool, thanks for the info

I second VirtualHere @Sudo . Have been using it for some time now with no issues at all. They have a client for every OS

and it's just real cheap

6:52 AM

is that a recurring fee or a one of purchase

one off !

Yep, VirtualHere is great, We have been using it with about 20 dongles for a few months now. No problems and everyone likes it (which is rare!). It a one off purchase

awesome

7:47 AM

is it viable to run from a VM?

7:48 AM

because that would give me good excuse to up our hypervisor capability

@chick3nman thanks for the info, where you using a blutooth app to locate signal strength ? The same room would be close enough for me.

@Sudo I don't see why not. I will test it on one of my VMs and let you know. I have it running on my host with no issues

@DCSO Yes, there are a few Bluetooth and BluetoothLE scanners that will just show all the devices in the area and their signal strengths on the android app store

10:40 AM

because it periodically updates

10:40 AM

as you move around, you can watch the strength on your target device fluctuate up and down as you get closer/farther

1

@goalguy thanks, just would be good to know if I can do it through a VM and pass through the hubs and things

7:24 AM

then I can use it as an excuse to upgrade or get a new server for a hypervisor, rather than drop thousands on just a dongle server you know

As long as the VM can see the hub I don't see any issue with it. I would say go ahead and say it will work and upgrade your hypervisor and worst case scenario you just use the host. It is a very lightweight program.

seems there's a couple tricky bits with xenserver USB passthrough but, seems that there's also ways round it

7:28 AM

do you know if virtualhere has a trial sort of version so you can test it?

one license at a time i believe is free

7:32 AM

technically, 1 usb device at a time works

7:32 AM

doesnt have to be a license dongle

cool beans

7:32 AM

I can test it then at least

that was as of like 5 months ago i believe

should be pretty cheap to test as well so that's good

7:32 AM

just need a hub and stuff

IIRC someone here used it on a raspberry pi if you dont want throw it on your server environment.

probably doesn't need much grunt

7:39 AM

and yeah I saw it can run on a pi, so that's cool

might help someone else if they search and find this conversation

I'll report back eventually once I figure out what I'm gonna run it on

@Sudo I've set up some Pis running virtualhere. If you go down that route and need pointers feel free to reach out.

Anyone have experience in a private matter to investigate stolen iphones ? I had someone reach out with the serial number of the iphones and it was activated by the person who stole the phones. Is there anyway the phone can be tracked by private investigators (non sworn LE)

11:12 AM

Please DM if you have experience on the proper way to find the devices

anyone know the best way to practice imaging harddrives and attempting to restore whats on them?

@John I will send you a message.

Anybody have the tech support phone number for @Cellebrite ? Have a dongle/license issue.

yep -- sec

11:35 AM

@goalguy SUPPORT North America: +1-800-609-9912

11:35 AM

https://www.cellebrite.com/en/contact/

Cellebrite

Contact - Cellebrite

Thank you

+443308089051

@Sudo +1 for VirtualHere. We have it running off of a Windows Server and it works very well. Cheapish 12 port USB port of Amazon does the trick. Being able to rename/hide specific dongles from the server is useful too

In a previous conversation regarding mental health support for DFIR professionals (particularly in the context of indecent image investigations), @4n6_Guy(Kevin Salhoff) recommended Shift Wellness as a source of mental health training. Is anyone from @Law Enforcement [UK] aware of a UK/European equivalent?

8:38 AM

https://www.shiftwellness.net/

Adam Silver

Home

We do have mental health support put in place at our force, posters in our lab/office. https://mhfaengland.org/

We've just been told to refer our self to OHU if we feel it's getting too much. Bit crap really considering the workload we carry and the content.

We used to get 6 monthly 'checkup chats' but now it's self-referral to OHU.

Ollie. In UK LE it's changed a lot in recent years. It's gone from larger offices where you only see your screens and annual meetings with trained professionals. Now it is analysts packed into a room where you see everyone else's monitors and untrained OH require examiners to complete a questionnaire via a portal. I get the impression these are bought in and marked by a computer syste. I don't work with CP anymore but did work on more than 400 CP cases. I don't think the support on offer now is enough.

2

Thanks guys for the insight. Doesn't sound like those are particularly robust solutions

Interesting to hear that it hasn't always been that way @Tommy Cockles

9:18 AM

@Pacman Do they come in and provide training? And is it done in the specific context of indecent images, or just general mental health?

They don't actually - it's just posters on walls for our info.

9:38 AM

We do have OH which we have to see every 6 months, can also see them on self referral.

Yep every 6months or self referral.

6 months or referral here too

Ok, thank you :)

10:23 AM

So no-one aware of something comparable to Shift Wellness in the UK? (edited)

What is it, it looks like mindfulness training?

10:26 AM

I know a lot of folks over here have self-referred and ended up going through mindfulness sessions

10:26 AM

nothing mandatory

I think the whole mental health awareness or training isn't that particularly great - just a chat every 6 months. Self referral very rare since people don't come forward. I don't know if it's true but there's a police force in UK recruiting volunteers to spend something like 4 days a month to grade IIOC - no pay, don't think OH/self referral applies. :\

1

@Pacman West Midlands Police recruiting volunteers to do some DF work, with exposure to IIOC, it's been well publicised in the news, criticising the whole thing. (edited)

I don't know the inside story and I didn't want to call out the force lol - I don't like believing things in the news.

Sometimes reporters do tell the truth https://wmp.referrals.selectminds.com/jobs/digitial-forensics-team-volunteer-565 Although it doesn't mention the viewing of IIOC as part of the role in this link. (edited)

Digitial Forensics Team Volunteer in BIRMINGHAM, United Kingdom

Are you interested in technology and how computers work, or even how CCTV evidence is recovered and collated? Well then you are just the person we...

Years ago we used to see an external trauma counsellor every quarter, who we all got to know well and built up trust with. It wasn’t mandatory but everyone went. She was let go with the first round of cuts (seen off by a DI who did pretty much nothing else of note in his 12 months with us) and was replaced with an unqualified OHU staff member who’d take us through a tick list of whether we were drinking too much, having dark thoughts etc.

@OllieD We're the largest muni agency in our state... we did the SHIFT Wellness bit and it didn't go over well. Then we participated in a pilot ICAC program, that basically involves having a psychologist come in and meet regularly with your unit, and track responses over time. That's now morphed into regular group meetings roughly every month or so and the shrink we hired is also available for one on one visits. Everyone has met with him individually and as a group, and the unit had a hand in interviewing/choosing who the psychologist would be. Everyone is strongly encouraged to attend, but you could opt out if you wanted to. There were a whole bunch of initial struggles that I think should be expected whenever you're getting LE people together to talk about their feelings. No one wanted to talk, for MONTHS. People only barely talk now, and it's mostly about superficial stuff - like handling ordinary work/family stress. Most of the work done in the group sessions is educational and similar to a Psych 101 lecture. Our shrink has a great personality that's a good fit for the group, but his preparation and org skills could use a bit of work... I dropped the group meetings and I have my own counselor that I see quarterly. I much prefer that - I can tell the boss that I'm participating in the spirit of our wellness program, and he uses it as an example that several of us are more comfortable speaking with someone one on one, and he's supportive of that choice. Same time commitment on my part, but I get more out of it.

2

12 month questionaire which might get you an appointment with Occ Health here. If you don't do the questionaire then you cannot just book an appointment which is crap as the questionaires really are not fit for purpose. Support from that perspective really isn't good enough.

@OllieD we rarely encounter IIOC - perhaps 5% of the evidence has a token picture on, and very few of those are 'collectors'. We tend to find bestiality to be far more common now. Easily 30% of the jobs have this material present.

Thank you all for your input! Kev was asked by a customer if we knew what kind of provisions other forces had in place and Discord is the perfect place to find that out!

12:59 AM

@Deleted User Wow, wouldn't really have expected that kind of balance!

@OllieD I know - it tends to be shared within WhatsApp groups under the facade of 'just a bunch of mates sending each other shocking pics' except the volume depicts a different story

1

Has anyone had any issues running XRY or UFED products on AMD systems over Intel systems?

Not an exciting topic but how does everyone go about with archiving their case data? Copy it onto a hard drive, chuck it into a safe/locked cabinet/shelf and fill in a spreadsheet?

We have a case management system which retains details on the cases itself, the data generally gets archived onto tape though after 6 weeks of sitting on the server. Not sure on all the nitty gritty details but we do use commvault

Has anyone had any luck tracking down a swatter? I have reached out to multiple spoofing companies and no luck so far

@Davesdailypicks I wish I had a better answer but maybe you can reach out to police departments that caught one according to news

Thanks! Im trying but just in case we run into dead ends I thought this was worth a shot.

1

@Davesdailypicks -- when I was with Ottawa we had a couple of Swatting files. Most information came from the FBI CyberCrime Centre in Pennsylvania. Not sure who you work for, but definitely a good resource to tap into.

Ouststanding! Thanks!

@Davesdailypicks mind you one of the files, it was so easy to prove as numpty recorded everything on skype and it was saved on his PC.

I’m sure it has a lot to do with location but how many hours a day is average in digital forensics?

@Tyføøn do you mean how many hours a day do I do digital forensics? For me, it's my full-time job. But that doesn't mean every second I'm in front of a piece of forensic software or imaging devices. There's a lot of paperwork and, for me, preparation for search warrants that take away from facetime with forensic software. Hopefully that answers your question? Feel free to follow-up with any more you have

I guess I meant per week, like I work 8 hours a day Monday-Friday and 40 hours a week

Same here

9:54 AM

If you're working in LE there can be odd hours if you ever need to respond to a high priority incident that involves digital evidence, but if you're more on the backend of things, nothing is an emergency and you just go about it 40 hours a week at a time

Ah ok cool, wasn’t sure if the hours were fixed or random

9:55 AM

Thanks for clearing things up

Hey yall I have a samsung galaxy j2, is my only opinion to do a boot loader?

I am working on a terrorism case in which the defendant used a PS3/PS4 to chat and browse the internet

5:07 PM

Is there any artifacts that might be useful from duplicating the drive ?

5:08 PM

How would I get the user account information ?

@Jay528 any chance you can do a SW to Sony for any online communications and browser history attached to that account? (edited)

Where do i go about getting that information ? clone the drive and boot up the playstation ?

do you have the actual Playstation?

just got the PDF file with link you posted way back about ps

5:10 PM

I have possession of the playstation

I don't think you can remote wipe a playstation

5:10 PM

so you could just boot it up and see what the username is

5:11 PM

email attached to the account

5:11 PM

serve a preservation letter

ok cool. thanks

That's probably what I would do. Of course, document what you do

5:11 PM

Can't remember what that PDF document said about PS forensics but hopefully there will be something about browser history

oops

5:14 PM

wrong chat

5:14 PM

Here is the link from above that @Andrew Rathbun posted. https://cdn.discordapp.com/attachments/427877097768222740/459041954722742281/Forensic-analysis-of-a-Sony-PlayStation-4--A-first-_2015_Digital-Investigati.pdf

Just got my book to study for the security+ certification, any other good certs I should strive for?

@Jay528 i just finished a case with a ps4. I booted it up, offline, It was password protected and I managed to figure out the password from analyzing the passwords from two different phone extractions. After logging in I found that browsing history and bookmarks was available offline, so I documented it with a camera. Settings and account stuff is also available offline.

1

1:06 PM

Password = 4 digit pincode

@Tyføøn depends on what you want to do in cyber and if work is paying for them

Ah ok that’s easy enough lol

i and others can give you the certs in a certain direction, but whats the direction? if incident response and forensics, S+ is a good start. SANS GCIH and the GCFA are the main ones after that if work is paying, DCITA has good certs too. stay away from ec-council.

Just general ones that can get you a job in digital forensics. (edited)

Morning people, What software would you recommend for wiping a hard drive so that it is forensically wiped? At the moment we use the WIPE feature of the TX1 Tableau write blocker, but we are wanting a fall back option if and when that fails. Thanks in advance.

Encase? might be a bit slow though

Yeah, that's what we are thinking about it. Also debating Mac OSX Disc Utility option. There's DBAN but seems silly to spend more money when we potentially have other tools already that can do the same job.

Have you looked at hardware solutions?

Yeah, I have not used the newest encase versions but 6 let you wipe stuff even without a dongle

Oh right, you want to use existing tools

Can use anything Ollie if needed

Depending on price range, something like this will erase 5 drives at once: https://www.amazon.co.uk/StarTech-com-SATA-Hard-Drive-Duplicator/dp/B00QL1ADXQ/ref=sr_1_9?keywords=hard+drive+eraser&qid=1562576302&s=computers&sr=1-9

Does MacQuisition let you wipe an attached drive?

We have the single slot model

2:00 AM

Easy to use and standalone. Can even hook up a receipt printer to generate a log if necessary

looks pretty sweet @OllieD

Cheers for that

There are other similar systems that can do 24 drives at once, but you're looking at a good chunk of change and a lot of them will only erase with null bytes (don't know if that's sufficient or not) (edited)

TBH we don't wipe that many, but it's good to have additional fall backs. I'll make a note of that one. Thanks again

No problem

2:07 AM

as a cheap option, this will erase two drives in a single pass: https://www.amazon.co.uk/StarTech-com-SATA-Drive-Duplicator-Eraser/dp/B00G6TG5YE/ref=sr_1_4?keywords=startech+eraser&qid=1562576821&s=gateway&sr=8-4

2:08 AM

We have this unit, which only supports one drive but you can select different erasing profile and keeps a reviewable log: https://www.amazon.co.uk/StarTech-com-Standalone-Eraser-Dock-Drives/dp/B011NLY9FQ

@OllieD Definatley cheaper than getting another TX1

2:14 AM

Thinking maybe > TX1, that Single slot unit and then a Software solution for any external Hard drives.

question for everyone

2:31 AM

say you have an officer who does a kiosk extraction

2:31 AM

they tag relevant items, but for some reason, they can't export them

2:31 AM

they ask you to help and export them for them

2:31 AM

who exhibits that export

good one

2:33 AM

Did they just not know how to export it or did you do something special/unusual to get it to work?

no they just couldn't because the kiosk is temperamental

2:36 AM

so they asked one of us (not me) to export those tags to a disc

2:37 AM

and we're deciding whether our guy who created the DVD of the tags from the export is exhibiting the export, or the officer who did the master extraction and tagged the items

I assume they normally exhibit it themselves? If all your guy/gal did was essentially press export I would suggest the officer has done the actual extraction and also decided which parts to tag so they can exhibit it?

1

personally I think the work went into the tagging, and us just exporting those tags for them from the master is their exhibit (edited)

2:39 AM

yeah that's what I would say as well but there's disagreement

2:39 AM

so I just wanted to get other opinions

Yeah can see its a bit of a tricky one

it's whether creating that physical DVD itself is the exhibit

2:40 AM

or the tags themselves

I imagine the officer would rather your people exhibit it so they dont need to worry about testifying about it

yeah, I just think it would potentially cause trouble right?

2:40 AM

like you get called to court and the court says, you exhibited this export, why did you tag these items

2:40 AM

you'd say, well I didn't, officer 123 did

I think so, as your guy would be like "I just exported it and didnt select stuff" and then they would need the officer in anyway to talk about what he did and why

and they'd say so where's his statement

2:41 AM

I mean maybe the officer will do or have done a statement

2:41 AM

but yeah

2:41 AM

so sure, it's probably doable, but I feel like you're introducing yourself into the chain without need to

maybe one of the current LE people have a plan, here comes @K23

yeah I spoke to him lol

just seen him typing away

we agreed the same too

You've already had my feedback on this one in PM. Personally I think if as a technician all you are doing is pressing export, on an exhibit someone else examined, and someone else reviewed and tagged then it should be kept as their exhibit. Otherwise it's just potentially confusing other officers / wasting court time as they might infer that you've had a greater role to play, instead of just hitting a button. (edited)

2

2:43 AM

Yep we were on the same page

yeah that's essentially what I assumed

2:44 AM

but I mean, I do understand why it could be done that way

2:44 AM

it's just the question of where that exhibiting comes from

2:45 AM

the physical creation or the, work that went in prior to creation

2:45 AM

like if someone arranged something and then you took a photo, the photo would be yours

2:45 AM

but I feel like with digital it's different

@MrMacca (Allan Mc) Eraser is a free option that has many wipe options ranging from first 16 bytes being overwritten to being wiped 30 times over. https://eraser.heidi.ie/ is the link

+1 for Eraser as a software based solution

2

Going to do some testing and speed comparisons, thanks alot

1

I use eraser and active kill disk

@Dam looked into Active Kill Disk. That Erase Certificate feature is pretty neat

6:49 AM

http://www.killdisk.com/downloads/erasecertificate-killdisk-standard.pdf as an example

@Andrew Rathbun yes but only with the paid version. The free version doesn't have a nice certificate

Bah of course!

Anyone perform extractions on an apple tv ?

I dont but check https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1513004504.pdf

thanks

@Dam I also like those certificates! The startech eraser I linked earlier can print an erase confirmation on receipt paper but the certificate is nice for anything 'customer' facing

Even the free version of active kill disk is nice.

Really liking the look of Active Kill Disk, especially the report. Also like the fact you can have concurrent erases going.

Yeah that is nice. Eraser is just one at a time but you can queue up as many as you want and set and forget it

The reporting feature of Kill Diskis nice for ISO 17025, so I think we are going to look into purchasing the Ultimate version.

1

anyone know how to stop X-Ways wanting to "activate the viewer" all the time?

6:17 AM

seems to do this constantly

It needs the viewer to parse/display some files, have you downloaded the viewer and mplayer components?

yeah I have

6:18 AM

I've always had it

6:19 AM

sometimes it works, sometimes it doesn't

6:19 AM

it'll say please activate the viewer component, so I use it, then it forgets and says activate it

Never had that issue, I just copy it to the same folder as the X-Ways install, then tick the box in options -> viewer programs and put a full stop in the “use separate viewer component”

yeah, mine is constantly (when I search for example) saying please activate the viewer

6:23 AM

so I check the use separate viewer, point it to it

6:23 AM

hit OK, then it just asks me to activate it again

The only thing I would try is to remove it completely and install it again

yeah, bout all I can do really

6:29 AM

just seems to always happen eventually but, oh well

6:29 AM

I'll just start fresh

@Jamey , I sent you a PM regarding some computer hardware suggestions for our lab! We did purchase the SSDs we spoke about previously and they are performing well.

Has anyone done search warrants to Blink or is familiar with the file name format? If so, can you contact me offline please

@Adam Cervellone https://siliconforensics.com/ is your answer and I also put that in the PM

Silicon Forensics Home

Default Description

Thank you! I will take them into consideration if we have to get bids from multiple vendors

What do ppl look for in entry level DFIR candidates? We are hiring and We would like a general idea or even sample interview questions if ppl have any to help.

anyone know what the client.db-wal file is

3:24 AM

seems to be an Apple database for connected clients or such

3:25 AM

nevermind, it's part of the iCloud Photo Library

Hi , please I will appreciate any research material on Discord Instant Messenger . Thank you You can send to my e-mail address <okolorieu@yahoo.co.uk>.

@gokolorie1 search this server for a PDF to Discord forensics

1

4:28 AM

it's been linked multiple times

@Andrew Rathbun thank you very much, very helpful

@Law Enforcement [USA] besides Google, Comcast, Facebook/Instagram, what other LE portals exist that require user registration/login?

6:10 AM

I'm trying to compile a list for my coworkers so we can all get our logins established

Sprint

I think ebay paypal but not sure you need a login

ebaypal?

Verizon

https://lers.corp.ebay.com/ yep you're right @Dam

i remember seeig that verizon had one or one was coming but dont know hot to get it

Apple I think do

Microsoft

Verizon is complicated and they provide the agency with a portal manager who then hands out logins

@Sudo re: Apple Government and law enforcement personnel submitting a legal request to Apple should transmit it directly from their official government or law enforcement email address to mailbox: lawenforcement@apple.com.

6:12 AM

@mbryan897 you're right, I remember that from my previous job. What a pain in the ass

6:13 AM

https://leportal.microsoft.com for Microsoft

Apple is LE friendly like getting your hand caught in a rat trap

i think hand is too pleasant of an analogy

For Verizon: email vsat-lea-accounts-admin@verizon.com and they will get you set up with their eLERT system (edited)

2

True very true

Hey everyone, I am working on creating a policy/ protocol document for my PD. We are trying to start an official Digital forensic lab. If anyone could share what your agency has, please private message me- I’ll send my work email over for any validation of my credentials

Charter communications/ Time warner

Cox cable as well

6:17 AM

Unless that’s now charter

@Jimmy Sackss are you starting from scratch or do you have anything to work off of?

6:18 AM

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf is very wordy but might be a good reference for terminology or definitions in your final policy

@Andrew Rathbun I will be starting from scratch. I am on the USSS electronic/ financial crimes TF. So I’ll eventually be going to NCFI for bcert.

NCFI BCERT and MDE classes provide some useful sample documentation to reference to.

My goal is to establish a full time position and functional lab.

what state you in?

@mutantblack Yeah I know. Unfortunately, I’m needing to work on policy and whatnot now while waiting

6:21 AM

Kentucky

anyone in here with Orange County FLA? Can you PM me? (edited)

@Jimmy Sackss maybe someone who has already been there can provide some documentation, if they're allowed. Also, not sure if @IACIS Staff would be able to help. Also, @NW3C might be able to help via https://www.nw3c.org/technical-assistance-request. They have a model policy for cryptocurrency on their website. Maybe if you contact them they have model policies for a lab? Worth asking

Thanks @Andrew Rathbun I’ve explored and “exhausted” those options already. While reading through messages on here, figured I would ask in the general chat. I’m also on the ICAC TF and have requested through the listserv. I only got a hand full of responses. Unfortunately, you find there can be a grave difference between different states and departments policy needs.

The only other thing I can suggest is if you create a Google Doc and draft up a very rough draft, you're welcome to post it here and we can critique it either in the document or in here together. I know how daunting it can be to have to go from zero to something actionable like that so don't do it alone, if you can avoid it

6:30 AM

I don't have access to my previous agency's policy otherwise I'd supply it. However, I do know if I looked at something on my screen and saw what it was missing, what it has, what it doesn't have, etc, I'd be a lot more help that way

6:31 AM

One idea would be to start with bullet points on things you want to hit in the policy i.e. handling of CP evidence, chain of custody, all that fun stuff. Flesh it out as much as you can and, I'll speak for myself, but I'd be happy to take a crack at it

6:31 AM

I'm sure others would too

6:31 AM

I love doing editing of resumes, forensic guides, policies, etc. I did/do that all the time so happy to offer my services

Ok thanks

ahh OK, I just know my colleague did Apple and had to go through some channel but if they don't need a login that's cool

@bizzlyg Yes MacQuisition will let you wipe an attached drive, but has safety measures in place to avoid the mistake of the systems drive and you will have to mount it read/write before you can start the action, sorry for late reply was at the beach

2

Thought it was possible somehow, thanks @vipnola

@Jimmy Sackss https://www.swgde.org They have an amazing set of policies papers , document and report templates and forensics best practices documents. (Just my personnal opinion as I am not in the USA.. but I find their papers well done. They also have a lot of references in their paper you can reference too. )

SWGDE

digital forensics best practices standard operating procedures

1

4:42 PM

You can filter their papers by field (forensics, videos, imaging etc. ) It can be a great starting point if you start from scratch (edited)

Thanks

https://forensic4cast.com/forensic-4cast-awards/2019-awards/ Not long left to go for voting!

Lee Whitfield

2019 Awards

8:07 PM

(a few hours maybe?)

Does anyone else find sometimes that Axiom takes forever to load thumbnails in Thumbnail View? I have 2.6 million records in this case from a TB of data between 7 evidence items. I often have to close Axiom and reopen it for it to be more responsive for a limited period of time

Anyone have any luck bypassing a SM-G892A with secure startup enabled? Or know if might be supported in the near future. Cellebrite is telling CAS should be able to handle it.

so, my office just got a NCMEC tip of CSAM uploaded 7 years ago...with no current records or logs (edited)

6:01 AM

hurrah

This channel has been changed from general-dfir-questions to #general-discussion-and-questions

4

6:09 AM

@kmacdonald1565 your post finally made me make the change since this idea has been in my head for a long time. Your post was totally fine in content and this was the best channel for it, but it always bugged me that the channel was labeled questions despite general discussion occurring here. Now things are a bit more cleaner and makes more sense. Hope everyone agrees

6:13 AM

I try not to make change for no reason so hopefully this was an improvement. Feel free to react below

10

1

Can anyone recommend a program that can essentially create a file similar to an SFV, but doesn't do any sort of hashing. I'm wanting a program that can be ran on a folder, it lists all the files that are within the folder and can also check whether they still exist or not. The issue with an SFV is it can take a good few hours to generate on some folders, and this is something I'm trying to avoid. Ultimately i'm after a self contained file exist check that is fast. Anything anyone can recommend or is the SFV the best route?

3:28 AM

So in the future, I run this file and it checks that everything is still present, after a restore or a copy

3:29 AM

One alternative could bv generating a CSV file with the folder contents, and then in the future doing the same, and then comparing the New and Old CSV.

@MrMacca (Allan Mc) You want to know if a file appeared/disappeared, not if it got modified?

Yeah just whether it exists or not

3:46 AM

Working on a method now using NotePad ++ to do the comparison of 2 files generated, which works, but i'd love to have the ability to just double click a file and then that does the checks, exactly like an SFV but faster

@MrMacca (Allan Mc) If so then simply diff <( find /path/to/before -type f | cut -d / -f 5- | sort ) <( find /path/after | cut -d / -f 4- | sort ) where 5 and 4 are the number of columns to ignore from the file paths

Thanks @Kr I'll give it a whirl

I added "-type f" to find only (regular) files but actually you can "-or -type d" to add directories, or remove options altogether in order to get all file system entries under the chosen path

Does anyone have the user manual for a TX1 duplicator ?

7:34 AM

I'm having issues going to the website

@Jay528 I'll PM you with a link

thanks

Does anyone recommend any other servers to join?

@Tyføøn check #dfir-resources for some others

Has the red pill blue pill server been abandoned? I can’t gain access to the rest of the server

No clue, honestly

Lol, I tried joining July 4 and the same thing is happening.

3:07 PM

I can only access the #welcome channel but I did advance to level 1 lol (edited)

Yeah no idea, that server isn't very active. I actually just removed it from #dfir-resources

we can have our own pills here!

2:09 AM

with black jack

2:09 AM

and hashcat

I've been roped into some kind of "demonstrative" display of the dangers of open wifi

4:12 AM

I had a couple of ideas, basically they want to demonstrate what "could happen" if you connect to Free WiFi Totally Legit

4:13 AM

I don't think there's much on the table though in real terms, not with TLS and things, plus each "website" having their own app now

4:14 AM

what would you guys do (my only real idea was DNS redirects or some partial sniffing but not a lot there I don't think)

4:14 AM

or a captive portal of sorts that could operate a couple different ways

what would we do? offensively or defensively?

Have there been any developments in acquiring data from a Sandisk Secure Access vault v3.02?

offensive

7:47 AM

basically

Does anybody have some good keyword lists you can share. I have a pretty good CP list but I am looking for others. things like slang words for drugs, weapons, etc...

@goalguy PM incoming

Do you guys use RegEx with your keyword lists?

@Muad'dib there is a CP Regex list in #dfir-shared-drive, in case you don't have that yet

We have several IIOC regex lists but I tend to find them not necessary if you just use known material names

if anyone has played around with captive portals with hostapd and apache DM me, need some advice

Does anyone have any idea if the TD2u formatting options can be changed? Not seeing how to change it from formatting the destination HDD from ExFat into...anything else

@Andrew Rathbun Looks like exFat is the only option supported for formatting.

Good to know. Thank you @JaiRoc

Trying to get a physical on a samsung T727T1 via decrypting - I get the error Critical CMDLINE include invalid parameter

12:00 PM

Does it mean it isnt supported for extraction ? @Cellebrite

If 'CRITICAL' is mentioned (instead of WARNING:), the physical extraction will fail due to a patched Firmware.

12:11 PM

Anyone know how to get out of it ?

@Jay528 did you try the recovery tool

it didnt work. On the phone with support

12:26 PM

thanks Paul

alright

a call to support and its all good

12:32 PM

had to restart the device and put it into d/l mode again

glad you got it sorted out

Still waiting on the OnePlus

Patience

1

Anyone in here a ROBOCOPY genius?

@nbh2493 did TeraCopy not do the trick?

I am having an issue

12:12 PM

1

12:13 PM

I want to know how to exclude this from a mounted AD1 to a path on my network....

12:14 PM

that same string of App Data shows again further down the page with the same number of folders

Has anyone here tested and came to conclusions whether virtualized machines are faster or slower than running axiom or x ways processing on an actual machine ? Aka performance of popular forensic tools on a host vs guest machine ? I’m guessing with virtualized servers having more CPUs / RAM performance than a typical tower, performance might favour them, if the software takes advantage of the extra resources... any help would be appreciated, thanks

Total shot in the dark, but does anyone know if there's a way to obtain a serial number for an iPhone from Apple or somewhere else if all one has is the phone number? No known Apple ID or serial number. Needed for the purpose of a search warrant. Not sure if you can subpoena Apple for a device's serial number if you only have the phone number of the device. If anyone has any thoughts it would be appreciated!

@Andrew Rathbun I don’t see why not since I’m sure they have all that stuff logged. Now playing devils advocate, some ISP wouldn’t let us serve them a SW with MAC address only since they couldn’t “search” their systems based on that. And they needed IP address. (edited)

7:40 PM

100% of shots you don’t take don’t go in. #99 Wayne Gretzky

3

@Andrew Rathbun can you serve apple with the number and get info that way?

That's my take on it as well @CLB-Paul

7:42 PM

Asking for a coworker

I’m all about pushing the limits on that stuff. You never know unless you try

@sholmes my response was what you suggested. Throw mud at a wall and see if it sticks

7:43 PM

@CLB-Paul me too. Worst they can say is no

And you’re in the same spot as before

‍♂️

2

And it's just paperwork. It never hurt anybody to do a little extra. The pen is mightier than the sword

7:44 PM

Thanks guys. You all have a great night

@CLB-Paul MAC address of the modem connecting to the ISP (with e.g. PPPoE) or MAC address of a device in the subscriber's LAN?

I have an Alba 1.8" ACF18 with what I believe is a spreadtrum chipset/OS. I've not had any luck in obtaining a physical or logical extraction of this device as this model isn't supported on both UFED or XRY. Any suggestions?

@Kr mac of the modem

1

@nbh2493 did u get help on robocopy ?

dunno if anyone else can assist me

5:30 AM

I've got the captive portal going, works on old androids, iphones etc

5:30 AM

but newer androids don't seem to auto detect the portal so don't prompt for sign in

5:30 AM

and I'm not really sure why

@Pacman have you tried the generic spreadtrum profiles in XRY. I've had success with some phones with no support using that.

5:58 AM

Only issue is finding the 'magic button' to make it dump

I have Joe - none of the buttons seem to trigger the dump

@Andrew Rathbun might be able to obtain the serial number with just a subpoena

All just a heads up that I took a position with Cellebrite. If you have specific concerns, issues or questions let me know and I can try to help before you have to hit support.

9

@heatherDFIR I'll add you to the Cellebrite role now

I am still SANS too

6:30 AM

So keep that in mind.

You're both now!

1

Congratulations!

Thanks! I am excited to dive into more research, fix things, explain things, blog and do webinars.

Def. a change from Gov Contracting work

Congrats @heatherDFIR . What a great addition to the @Cellebrite team.

1

2

@heatherDFIR - need another law enforcement discounted SANS Mobile course

@Jay528 email me. hmahalik@gmail.com and I will put you in touch with who can help. I need the course, location and make sure your signature shows LE.

I took mobile forensics in 2017. I remember an in person course for the LE pricing which was great

7:13 AM

I took mine online

Is there a command in adb to get the specific unique identifier for certain apps?

Do you mean the package name?

7:32 AM

'adb shell pm list packages' to get all of the installed packages

1

I mean the application ID. Apart from the general android-id every app gets its own unique id.

To circle back on my Apple question from last night, it appears you can use a subject's name and phone number in a subpoena to Apple and they will then provide all the devices, dates devices were purchased, serial numbers of said devices, etc in an Excel spreadsheet. It will be found in their production in the spreadsheet under the GCRM TAB sheet. Also, it appears a full name of the subject and their physical address works in lieu or their phone number.

5

Has anyone encountered a File Path too long while using NUIX Evidence Mover?

12:51 PM

or with TeraCopy?

I use teracopy and no issues with long file path

12:52 PM

just use treesize pro to compare the files

12:52 PM

or robocopy with the listing command

jay--- ever had an issue moving files with TeraCopy with a known .DB error associated with Symantec?

never experience it but that seems to be your issue

1:05 PM

hate to say this..

1:05 PM

either use /XF *.db or manually export by folders via FTK

yeah, that was the next course of action... exporting out per suggestion....

@nbh2493 What file system are you writing to? File path length is usually a limitation of file systems

So noone has a clue if there is a adb command to get the specific android id for example the facebook messenger app, since it's after android 8 or something differs from the units android-id.

@Arlakossan You mean something like "com.facebook.orca-UjytdIiAHnXSKmwB_gwJrA=="?

1:44 AM

To clarify a bit, the application id is com.facebook.orca, as it always has been. However, since Android 8, the actual folder that it's installed to now has that extra random bit of data

1:46 AM

Which is a random base64 string. See here for details: https://android.googlesource.com/platform/frameworks/base/+/refs/tags/android-8.0.0_r1/services/core/java/com/android/server/pm/PackageManagerService.java#16866 (edited)

1:47 AM

Assuming that you want to get that the id including that random bit, you can run adb shell pm list packages -f

1:47 AM

Which will include something like package:/data/app/com.facebook.orca-UjytdIiAHnXSKmwB_gwJrA==/base.apk=com.facebook.orca

1:49 AM

If I've misunderstood what you're looking for, I apologise in advance! But hopefully that's helpful to you

Anybody else notice that @Cellebrite pulled PA 7.21? The latest on my.cellebrite is now 7.20

@CLB-Paul has mentioned in #mobile-forensic-decoding that it has been pulled whilst a bug is resolved and that it will be back up soon

Thanks @OllieD I guess it would help if I looked in all of the channels

No problem!

Anyone have IP address look up

10:52 AM

I also have this for IP address report

@spoon1997 https://centralops.net/

Free online network tools - traceroute, nslookup, dig, whois looku...

Free online network tools, including traceroute, nslookup, dig, whois, ping, and our own Domain Dossier and Email Dossier. Works with IPv6. Some source code included.

Has anyone received a "Instagram Business Record" document from a subpoena request at Instagram? I'm working with one and curious if it is the original document, or if the previous group printed it to PDF and omitted certain information.

Hi guys, a quick question. I might be kind of an oddball as I started out in mobile forensics a few years ago and did not much with regular computers. Now I want to develop more in that field and my question is which kind of literature you recommend to get the basics? I'm talking about a book like Shon Harris' CISSP that is a very good guide for network security from the basics to specifics, but I need that for forensics.

I read through a lot of Harlan's books to get my basic understanding of the artefacts on a windows system. But if you've got the money the FOR500 class teaches you everything

File system forensic analysis by Brian Carrier might also help

Lost a good guy. If you need help, reach out. There's no shame in seeking someone to talk to. https://www.policeone.com/health-fitness/articles/482821006-Suicide-prevention-resources-for-first-responders/

Suicide prevention resources for first responders

From police officers to firefighters, studies show that suicide continues to outpace other causes of death for first responders

Andrew Rathbun 7/22/2019 7:07 PM

Anyone familiar with trying to locat the sender using an Anonymous Remiler program? From: Anonymous Remailer (austria) <mixmaster@remailer.privacy.at>

This may be the wrong place to ask this, my apologies in advance, I recently picked up a Samsung Galaxy S8 version SM-G950W Its a Canadian phone currently locked to Koodo (I think?). I was hoping there would be a way to root this phone, or better yet flash it with TWRP or something. I've scoured google and xda for a root, but every attempt so far has failed. This phone may be un-rootable, but I thought I would ask anyways. Thanks :]

hi

hrllo

11:13 AM

hello

11:13 AM

https://www.youtube.com/watch?v=YQHsXMglC9A

AdeleVEVO

Adele - Hello

1

Is anyone familiar with QQ.COM being set up on iphones ?

Can anyone fill me in on how @Cellebrite "Auto Detect" pulls the correct profile with addtional methods but if I manually enter the model number it does'nt show up as a suggestion. Its like a hidden menu or "easter egg" of profiles

1:19 PM

S2720PP for example

That actually happened to a co-worker of mine. But for us, it was almost like the profile was semi-generic and it filled in the blank with the model name

@kmacdonald1565 correct, the icon for the profile is generic. Just don't understand how i can't manually input that model and have it popup, why does it have to be auto detected.

1:22 PM

For example somone calls and says we have this phone can you get into it ? I input the model and its not supported but Auto Detect pulls a list of suppored methods.

oh i am agreeing, if that wasnt clear. we found it peculiar as well

Hi all, the reason for this feature works only when using auto detect is due to the fact that we validate the connected device properties against our DB. Therefore we can see for example if the device OS version meets the requirements and others. This way on the fly we can adjust and suggest other methods

Hi all, just a quick question. Is there any way of identifying the last time an iPhone was factory reset? It's just come up on a job and no one's quite sure. I assumed it was impossible, but two of the guys think they heard of it. (edited)

@KeenoRen Try looking for an '.obliterated' file (0bytes) within the file system if its available - this time and date should be a good indicator of a wipe

1

Awesome, thank you. I'll take a look.

do u have an extraction ?

5:33 AM

look at the databases and it should be the same as the obliterated file date/time

@Magnet Forensics Can someone give me clarification as to how Magnet Wordlist Generator orders its output wordlists? Is it searching the case in specific locations and ordering its output strings accordingly, or is it just outputting everything and anything in no particular order? i.e., are the first 100 words more likely to be relevant than the last 100?

@Magnet Forensics do you guys sell network licences ? aka licences that aren't tied to a single dongle? Thanks

Has anybody served a search warrant to Slack before?

sup all

1:25 PM

anyone know what these mean in a group chat?

@tupp3rwar3z Not in front of computer.. and maybe cellebrite could give a better answer.. but i think i saw that it was "read" or "delivered" or something like that. Can't remember if i saw it when you mouseover the icon or export in excel and see all columns names ...

1:34 PM

It catched my attention this week as some messages had the icons and other one didn't

yeah same, just curious why theres no substance

1:35 PM

I thought it would be read/delivered too, but wouldn't that appear on every message then?

1:35 PM

its only on a few

Its a type of flag.. could verify tomorrow.

1:36 PM

The Excel export has a lot more columns.. or check the source database ... im sure someone will answer us quickly .. lol

haha yeah ill do a little more digging just figured I'd fire it off in here first

1:39 PM

thanks @Kramnias

And why those messages are empty is a great question haha .. Maybe virtual analyser could help.

I always assumed it was the opposite and it meant that those messages had not been read, hence the closed envelope (edited)

Has anyone seen this type of USB device before?

looks like a SD card adapter

I removed the MicroSD card inside, and it contains images of a young girl and indecent images.

5:16 AM

but we can't find any information relating to the device.

any side pictures ?

Of the girl?

the usb device

5:17 AM

definitely dont be sharing those materials here

Yeah that's not going to happen.

5:18 AM

Yeah got some of the sides

5:18 AM

Does seem to be a Camera and Mic hole

https://www.amazon.com/gp/product/B006T9B6R2/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1

5:19 AM

could be a hidden cam

5:19 AM

did any of the content appear to be ?

5:22 AM

Yeah definitely hidden in my opinion

https://www.amazon.com/KEQI-Hidden-Portable-Pinhole-Recorder/dp/B07DVVL1FS/ref=sr_1_28?crid=2POMIL5KALEBJ&keywords=usb+hidden+camera&qid=1564057327&s=electronics&sprefix=usb+hidden%2Celectronics%2C146&sr=1-28

Amazon.com : KEQI Hidden Camera 1080P Mini U-Disk Portable HD DVR ...

Amazon.com : KEQI Hidden Camera 1080P Mini U-Disk Portable HD DVR USB Flash Drive Pinhole Camera Video Recorder (+32GB Memory Card) : Camera & Photo

Yeah that looks more along the lines. It's been reported anyhow as we don't deal with such material.

https://www.alibaba.com/product-detail/Mini-DV-U9-USB-Flash-Drive_1897093417.html

Mini Dv U9 Usb Flash Drive U Disk Hd Hidden Camera Motion Detectio...

Mini Dv U9 Usb Flash Drive U Disk Hd Hidden Camera Motion Detection 1280x960 , Find Complete Details about Mini Dv U9 Usb Flash Drive U Disk Hd Hidden Camera Motion Detection 1280x960,Mini Usb Camera U9,Hd Mini Dv U9,Mini U-disk Digital Video Camera from Video Camera Supplier...

nice

That's the one. Nice one

@MrMacca (Allan Mc) for purposes of documentation if needed. I GTS with the terms "usb flash drive camera" and viewed the images.

Thanks @Forensic@tor

I have an external hard drive that contains android backup. I used the generic android profile and I couldnt get anything other than pictures/videos. The file extension is EBK

5:43 AM

Anyone have experience decoding these files ?

5:44 AM

Good teamwork on that one too guys

Just checked the release notes of AXIOM 3.4, good on @Magnet Forensics for including the officer wellness features, that's really cool. Thankfully I don't do CP related stuff anymore but I'm still looking forward to checking out that feature.

9:17 AM

https://youtu.be/oIj3Dh6JrQY

Magnet Forensics

Exploring the Officer Wellness Features in Magnet AXIOM

Agreed. Great message from Jad as well on the subject of officer wellness https://www.youtube.com/watch?v=2u83Jbr3qYg

Magnet Forensics

Officer Wellness: A Message from Jad Saliba

Hi all, I have an ex01 image of a drive encrypted by mcafee’s end point encryption software, full disk. I tried to process it in Magnet, which prompts for the decryption key, but it fails.

10:07 AM

Ive confirmed that the decryption key is valid with another tool, but I prefer to do this exam in Magnet Axiom

10:08 AM

Please @ me with replies

I received the location history in CSV file back from Google. It has the times in UTC and lat/long info. Does anyone have an easy way to batch convert all the UTC times to PST and batch convert the lat/long to physical addresses?

I'll msg ya...

11:45 AM

@renfantino Excel conversion for UTC to PST is easy enough, then reverse geocoding service like: https://www.geocod.io/upload/ to convert the Lat/Long to address.

Geocodio

Batch or bulk geocode a csv, tsv, or Excel spreadsheet of US and Canadian addresses, cities, or zip codes into latitude/longitude and reverse geocode latitude/longitude into addresses

Had a depo today. I was explaining file deletions by comparing it to a book. I told the attorney that deleting a file was like removing the table of contents enrtry. He stared at me all glossy-eye and said, "I get it, it like footprints in the sand and someone comes along and brushes away part of them". After my long awkward pause, I respond with, "no sir, you don't get it at all!"

4

On a personal level I have a S8 Samsung that says moisture detected and keeps beeping when i try to charge it. (yep it’s my device) It has not had moisture in it and this has been going on 5 days. I can't only wireless charge it. Its driving my bananas !!! today I placed the USB C port under my inspection camera, used 99% alcohol, polished it up with a tooth brush and it still popping up the USB moisture detection. I'm at a loss

2:37 PM

I've also cleared the USB cache in the app

2:37 PM

Anyone deal with this ?

I've had luck when that happens switching to a different cable. Very annoying.

@deepdive4n6 thanks, i've tried 4-5 different cables, only way try and get it to charge with a cable is to restart with the cable in and it will trick it and charge for awhile until i unplug and plug it back in and it will do the same thing over and over. UGH !!

Hit it! Only mostly kidding...I've fixed two of my phones with that solution. One had a bootloop thanks to crud stuck in the crack around the power button. Second was a zenfone 3 where the camera stopped focusing. Sharp smack and it'd start focusing again. Till the next time, anyways. Known problem lol...

1

can vouch for percussive maintenance, sometimes it just works

1

@DCSO I have had that

problem on my S8+. Now i never let it drop to 0%, and wireless charge it if it happens. I had the moisture problem and also the blinking charge indicator problem were if you unplug the charger while the cable was still connected to the phone the USB setting would enter a loop. USB also tough for some reason that the wall charger I plugged was a device to be charge by my phone.. resulting in severe overheating. Solution for me was : go to setting / applications/ (3 dots) / show system applications/ then look for USBsetting. Go inside storage , then delete cache or delete data. I haven't had any problems for months with charging. Wishing you good luck.

4:44 PM

There is a lot of videos on Samsung s8 moisture problems with all kind of solutions. Maybe the solution I used worked or they push a software update that fixed it, but I assume you are up to date with your software so I guess they haven't fix it.

1

anyone know how I can re-apply an E01 to a drive

12:10 AM

to make a copy of the original in a sense

nevermind, it's under the "file" and "restore" menu of xways

12:24 AM

little bit hidden

well that didn't work

Mount the e01 and DD?

2:56 AM

@Sudo

I guess that's what I'll have to do

2:56 AM

what a faff

There is a way to do it in xwf

2:57 AM

I'm sure there is just don't remember right now and not at my desk

uhhhh

3:04 AM

this isn't normal...

3:06 AM

I open the NTFS basic data, C:

3:06 AM

and I see [orphan[, [root] and [unallocated space]

3:07 AM

is that just what FTK does? can't say I've ever used it for examinations

3:08 AM

yeah OK I guess this is just what FTK does, how bizarre

how bizarre, how bizarre

3:45 AM

@Sudo Don't know about FTK but with xmount under Linux you get a .dd emulation from EWF files, so with that you could dd your E01 back to a disk. But I agree, it's making me crazy, every time I look around, it's in my face

yeahhhhh

3:52 AM

just annoying

3:52 AM

should be simple

3:52 AM

probably gonna write my own dam software for it

X-ways did do it

4:35 AM

on about the 3th try

Does anyone know how to convert from AFF4 to E01 ?

5:35 AM

processed AFF4 image using Axiom and mounted it via arsenal

5:35 AM

It can not locate the source

@Kramnias thanks for the advice i'll double check it again, still on day 6 of moisture indication !!! i'm due for a new phone but would of liked to sell this one with out this issue. Yes I'm uptodate to the point i searched for updates that where forced last night and it pushed a minor security update. No go

@Sudo I think to make a clone of an E01 to an actual Drive, you goto TOOLS > Disk Tools ? CLone DIsk (or CTRL and D) Then you click the blue icon to choose the E01, and then you click the DIsk icon of Destination and choose the drive you want to clone to.

it's under "file"

10:46 AM

oddly!

@Jay528 throw it in x-ways and make a new image (e01) of it

Leaving my agency in 2 weeks, had to return my xways dongle

you can try the same, but on a linux then

Thank you

Question for everyone still on here. We’ve a case right now and the detective just obtained a mobile device. It belonged to one of a potential witness. The detective stated that the witness let the suspect borrow the phone and believing use before and during the crime. The detective wanted to get the phone dump at the original state. Then he wants to connect it to the WiFi. He believed the suspect use social media app to communicate and it would see if all the chat messages can load into that device. The detective wanted to get a phone dump after the connection of WiFi. Should I even attempt the original state or even thinking about after WiFi. Is there and legal way to prove the suspect use the phone?

Wouldn't it just be easier to get a search warrant for the messages? So much of your evidence would be stomped on if you connect that phone to the WiFi. I would strongly recommend not connecting the phone to the WiFi. You could also run into title 3 issues depending on the communications that were sent to the phone while connected.

If you get a dump of the device you should have the cloud tokens and from there you could use a cloud analyzer tool to access all the messages? I know in the UK at the moment it’s a bit of a grey area and the forces tend to go through special operations to see if they can do it. It’s a safer way than breaking forensic code and connecting a device to a network.

Thanks

Does anyone know how you might restore a windows defender quarantine file in order to do analysis off the original pc? We pulled it from an infected computer and think that it's legit, but want to ensure it is and see if we can figure out why it got snatched up.

anyone know about the mail transfer protocol LMTP

5:24 AM

local mail transfer prot

5:25 AM

not sure on that Jack, I'd imagine there might be some sort of storage location for quarantined files ?

Hey important question does anyone here have a contact email address for "CEOP" Child Exploitation and Online Protection command in the UK

@Sudo I know where they go, yes. However I presume a quarantined file will go back to whatever folder it came from, but if I put it on a new install of windows and create the folder, I'm not sure if it'll go back or not. I'll let you know if it doesn't work I guess :)

I'd imagine it would Jack yeah

5:55 AM

I'd say if it were to go back it'd depend on how it sees the path

5:56 AM

if it just requires the path to be the same, or if it takes more into account like the SID and what have you

why dont u boot the forensic image (if there is one) and click restore on the record

@Jay528 shoot that's a good idea

5:58 AM

We'll have to take one, but yes we can

Where should I send the 2.99 consulting fee to ?

6:08 AM

Anyone Familiar with TIB collections?

Anyone familiar with Arconis?

What's up regarding Acronis ?

11:19 AM

you need to collect or restore ?

11:20 AM

purchase the software and click restore

11:20 AM

bam

11:20 AM

work is done

i have some Files that were collected by Acronis, I have the containers but no clue on how to blow them out so they can be ingested with a program we run on my end

11:21 AM

it is not like blowing out through Xways or Encase

you'll need to purchase the software

I assume you cant restore using trial version?

that's how i did it previously

11:22 AM

i would buy it and charge the client

11:22 AM

if it doesnt work, its coming out of your year end bonus

11:22 AM

ok

11:23 AM

thanks

@nbh2493 you don't need to buy. The free version should allow you to mount the backups (right click,on the file, select acronis, mount)

has anyone ever reconstructed a RAID of Apple drives (from around 2004)

3:24 AM

seems like it's just RAID 1 (edited)

3:25 AM

but doesn't seem to detect a filesystem, so that's cool

@Sudo try R-Studio

is it free or?

Trial - but if that shows that it can work, its not expensive https://www.r-studio.com (edited)

Disk Recovery Software and Hard Drive Recovery tool for Windows, M...

R-TT offers disk recovery software and hard drive data recovery tools. Network and RAID support.

cool, thanks

3:49 AM

I've just carved for stuff at the mo, seems to have worked

3:49 AM

but it does seem a bit strange

strange how?

well it's mostly identical on each drive

3:51 AM

but then also isn't

3:52 AM

I jump to an arbitrary sector and the data is the same

3:52 AM

but one drive imaged at 6GB compressed, one at 8

Could be Raid-10 or something similar

it's probably some sort of Apple fusion raid drive thing

Does this look like the source of the drives by any chance? https://en.wikipedia.org/wiki/Xserve_RAID

Xserve RAID

Xserve RAID is a mass-storage device that was offered by Apple Inc. Xserve RAID held up to 14 hot-swappable Ultra-ATA hard drives, and had a capacity of 10.5 TB when filled with 750 GB modules. Xserve RAID supported RAID levels of 0, 0+1, 1, 3 and 5 in hardware, hybrid RAID l...

no they came out of an old mac tower

@Sudo some ref: https://itstillworks.com/test-raid-speed-12318218.html https://www.apple.com/xserve/pdf/RAID_Utility_User_Guide.pdf (edited)

ty ty

I have an iPhone 5 which I am trying to examine. I powered on this device and found a welcome message "Hello". At first I thought it might have been the first time this device has been turned on since an iOS udated however I can't seem to progress further without connecting the device to Wi-Fi. Can anyone tell me what's the difference between a wiped device or a simple updated device?

Hello indicates the device has been reset as that is the setup procedure for an idevice

Well this also happens when an iPhone has been udated.

1:50 AM

updated*

1:51 AM

So not necessarily wiped - however in this situation I think it has been wiped.

If the select language promt comes after the hello, then it is a wiped device

Ah - well after hello I was prompted to connect to WiFi which I can't skip.

Morning Everyone! What free tools are you guys using to wipe and sanitize SSD drives?

Morning @goalguy - You can do it on EnCase if you use that? (edited)

5:55 AM

Anyone got a good keyword list for drug terms?

I've got an old DEA one that someone shared a while back? Not sure how applicable it is to the UK market

@3X3 Don't have EnCase unfortunately.

5:58 AM

@OllieD I would be interested in that list

I have a rather skeleton one that I tend to use, however, it's worth a look through your one if you'd be willing to send @OllieD

Have a gander at this

DEA_Drug_Slang_Code_Words-1.pdf

3.15 MB

1

Hello everyone, i am helping out someone regarding a probation search. they came across these blue key looking devices. i am guessing a hardware lock of some sort, but have no idea. Has anyone ever seen this?

5:59 AM

isolated on one "key"

5:59 AM

my tineye and google image searches failed me

They look like authentication keys, I think the likes of Facebook allow you to use them to login now too. Let me try to find the one I'm thinking of just as a similar reference.

6:03 AM

(Just an educated guess)

They don't look like Yubikey or Titan designs to me

I'd agree, was just looking for a similar sort of concept.

they have too many pins, looks more proprietary

1

Could it possibly be something associated with AT&T?

i am not directly connected to the case, but i saw that ID...and suppose it is a possibility (edited)

6:07 AM

someone says its a door key, and their apartment uses similar ones (different color but looks the same)

That'd make more sense than my initial guess, since it's on a set of car and misc keys

@goalguy Eraser is a good free tool

totally looks like a usb key for sure

Anyone able to parse and extract information form office FSD cache files? I’ve tried the scripts on https://github.com/rickvg/office-cachefiles but it creates invalid docx files.

Does anyone have any equipment setup thoughts on this, I am wanting to have a network air-gapped forensic computer but I need to be able to transfer data files to a networked server. A couple thoughts I had was having a second network computer close by that is connected with a crossover ethernet for transferring the files to the 2nd computer's RAID which is shared on the network. Second thought, was some sort of NAS attached to the forensic by USB and then it is networked.

11:56 AM

I dunno, anyone have any ideas? What is everyone else's setup for transferring data to a network storage. (I am really trying to limit putting onto a USB drive or something and swapping between computers, lazy i guess

Any particular reason you want it to be air-gapped?

IT restrictions and group policies mainly, I need to retain full control. And if i connect it I am forced to follow that.

Makes sense. Not sure if this is an option for you but I (with the approval and help of IT) created a separate domain for my forensic workstations and servers. Still connected to our main network and have a trust set up with our main domain but I control all policies and access.

12:03 PM

If that is not possible then I think the NAS idea could work

Hmm yeah, that might not be a bad idea long term. One problem is we have a very convoluted IT system here and I fear that would be a major undertaking to get that all figured out and approved.

That is the biggest draw back. I am very lucky that my IT team is small and right outside my office. It also helps that I was a part of that team before taking over the forensics.

Making a Databse with Access and SQL for laboratory management., Dont wont to post it directly, but if you feel this is something you may have a use for to assist in case management, please send me a PM.

thanks

1

@Saylorman001 if you haven't finished developing it yet, I built something similar for our lab but found that having a MySQL backend instead of Access was much better. It seems to handle multiple connections better. This may have been due to my programming. It's been managing our cases for the better part of 8-10 years now.

1

Would be awesome if one or both of you could share

@Saylorman001 #programming_reverse-engineering is probably your best bet

copy

I did a sql backend, just used Access for its cosmetics appeal to the novice users as a front end. happy to discuss in PM, just didnt want to to take up page space with a bunch of examples

@.karate. We found that tool did not work properly on anything but very simple documents. We parsed all the FSDs manually on one of our ongoing cases. It was worth the effort as the original documents were not only gone but deltas to the documents when they still existed were important. Please PM and let us know about the urgency, as we might automate what we did and release a surgical tool for only this purpose.

3

@Arsenal Awesome. I’ll send a pm

@Saylorman001 & @4n6_Guy(Kevin Salhoff) I would be interested if you guys are willing to share

Totally random, but for the forensic guys that use a cellphone to take pictures of serial numbers /sim cards etc. I use an app by Falcon in Motion LLC called Mag Light. You can zoom in on objects and add light etc and it works much better than a regular iPhone camera.

12:47 PM

https://apps.apple.com/us/app/magnifying-glass-with-light/id406048120

‎Magnifying Glass With Light

‎"Why we like it: It’s incredibly handy! There will always be a time where the menu writing is too small or the room is just too dark – this magnifying app will be just what you need." - appsmitten.com "This free app comes in handy when you find yourself in a dimly l...

FYI, Tableau Firmware Update 7.29 just released with a new firmware release for the TD2u. First update since November 2017. https://tableau.guidancesoftware.com/index.php?pageid=firmware&releaseID=0&view=overview for more information

2

My computer is pretty old and really doesnt do well with running a VM. What would you guys suggest for building a PC that can handle DFIR labs,etc. (edited)

@Deleted User gaming PC build is a good start with some minor modifications. A gaming PC with a writeblocker is basically a forensic workstation

4:22 PM

Google Talino workstations and toy around with customizing one of those. Those are the highest end and ridiculously priced but they are badass machines

4:23 PM

HP Z840 is what I have. Google that too and see what the optional specs are

It will definately be an investment to get my own work station. I'd like to learn a bit more before I get it.

PCPartPicker is what you'll want to use to spec out a build. Feel free to build one on there and share it here

4:49 PM

Also check out r/computerforensics for any build threads. Or forensic focus

I have one specifically for gaming that I am building right now. It is in the $800 range. To be honest I dont have enough experience to know what I need. I have been interested in cybersecurity for awhile but only just recently took a plunge into digital forensics. M community college class's start next year but before I get to that I want to gain some experience first. I also have been really close with my county's sheriff and he is starting up an operation to catch child predators. Hopfully I can somehow gain some insight as to how I can help with that.

See if you can job shadow someone in your county or state who does digital forensics for LE and see what build they have

4:53 PM

I'd recommend seeing what others have via forums or in real life before splurging. It will cost a lot more than $800 for anything respectable.

Do you have any recommendations on which agency's have such programs etc. I am in Northern Illinois.

@Deleted User hmm I'm in Michigan so I'm not sure. Check with any University PD's or just ask your sheriff which agencies have labs. Most don't because training and equipment is so expensive so there likely won't be many choices

5:21 PM

Are you by Northwestern?

Not really. Im just outside of chicago in the suburban areas.

@Deleted User Mostly make sure the VM is not running from a mechanical drive, and if your gaming build and DFIR one are two separate machines, I would strongly recommend high core count for the latter: an AMD Ryzen or ThreadRipper for example will be slower per core so that's not ideal for gaming, but you get so many more cores for the same price and that makes a huge difference for virtualization and other DFIR workloads

hold on let me show you my gaming build

2:18 AM

https://pcpartpicker.com/list/7HXMJ8

2:18 AM

i want something cheap but good so

@Deleted User And if you think you might get into password cracking later, make sure you get a case capable of very high airflow

2:20 AM

@Deleted User For gaming I think that CPU is too slow and its 8 cores won't be all used

2:21 AM

Better to go with a faster (as in 4.5GHz for example) 4C Intel one, in the case of gaming

well i'd have to find a new board so if you got any CPU and MOBO suggestions let me know

Definitely upgrade from the 1700 CPU. Based on pcpartpicker pricing, you can get a 2700 or a 2700x for less. If you can stretch to a 3700x, you'll see a huge improvement relative to the 1700

2:26 AM

https://www.cpubenchmark.net/compare/AMD-Ryzen-7-2700X-vs-AMD-Ryzen-7-3700X-vs-AMD-Ryzen-7-1700/3238vs3485vs2970

2:27 AM

But as @Kr pointed out, a higher speed 4C model may fit better

2:27 AM

Depends on predominant use case

This is just for a gaming rig for me I am not even thinking about a forensic workstation because I dont know anything about DFIR yet to even begin.

I think the 3700X is a good balance between single core and multicore performance

2:30 AM

But even the 2700x will be a good step up from the 1700

2

Around the $280 price of the CPU you chose, according to PCPartPicker there are: i7-8700 at $295 i7-6700K at $275 K means can be overclocked

Another option if your budget is stretched would be to get a used workstation and upgrade that. That's what I've done with my homelab for learning DFIR / networking, i've got an old but still decent Dell PowerEdge server for a few hundred with a Octo core and 32 gigs of ram. If you're going new though I'd defo go the AMD route. On the used market there are decent workstations available, or servers if you fancied playing with a level 1 hypervisor and keeping this separate from your main desktop. (edited)

https://www.reddit.com/r/buildapc has lots of advice

r/buildapc

3

Missed that you wanted this to be a gaming rig too, my options aren't going to be great for that but would suit DFIR / VM Labs on the cheap. as they come with plenty of cores and ram, clock speed isn't the greatest though. If you are thinking about used servers look at towers as they generally run a lot quieter and use less power than some of their rack counter parts. It's a great way of getting some experience with enterprise equipment but depends entirely on your usecase. A half decent used workstation would probably suit both roles, but again will not complete with something newer on games.

2:45 AM

https://www.ebay.com/itm/Dell-Precision-Tower-5810-10-Core-Workstation-w-Intel-Xeon-E5-2630v4-32GB-RAM/254299861035?hash=item3b3573f02b:g:5nwAAOSwP41dLlCP - Chuck an SSD or two in that and it would fly for VM workloads. Plenty of room for upgrades too

Dell Precision Tower 5810 10-Core Workstation w/ Intel Xeon E5-263...

Model:Precision Tower 5810. This workstation is fully tested and working and includes a fresh installation of Windows 10 Professional. RAM:32GB DDR4 @ 2133Mhz. 1TB 3.5’’ Hard Drive. The unit in the pictures is what you will be receiving.

@Deleted User https://www.forensicfocus.com/Forums/viewforum/f=4/ I'm sure has a thread on DFIR builds

Forensic Hardware Digital Forensics Forum | ForensicFocus.com

Forums Digital Forensics, Computer Forensic Training, eDiscovery

6:06 AM

And yep, there's a sticky. Check it out

Afternoon, does anyone know of a tool that I can throw an E01 of a Mac , and it will pull out information quickjly relating to install date, Operating system version and so on?

Install bootcamp

6:24 AM

Blacklight

6:24 AM

Recon should work as well but ive never triedi t

I have blacklight, but either i'm being a numpty or looking in the wrong place.

not sure if there is a registry viewer for mac

6:27 AM

just export out the registry and check the record for install date

@MrMacca (Allan Mc) there are plists which hold some of this info, eg OS, user account info etc. I actually thought Blacklight showed this somewhere but I don't have a copy to check now

o shoot, misread

6:35 AM

i thought viewing e01 of a mac

6:35 AM

my bad

6:35 AM

e01 on a mac

6:35 AM

brain freeze

Otherwise you can manually check the plists, systemversion.plist, com.apple.loginwindow.plist - this is going back a few versions in mac OS though so not sure if something has changed, depending on what OS version you have

6:36 AM

@Jay528 its an E01 of a mac, I think!

Yeah it is an E01 of a Mac

6:38 AM

Ive got the E01 loading into blacv light now so once that has finished I'll take a deeper look

triage it by selecting on what you want

suggestions on free software to open and view emails from DBX containers?

7:35 AM

seems AXIOM does not parse them

how about a reliable and affordable software ?

7:36 AM

Aid4Mail

7:36 AM

It has helped me convert and collect webmail via imap

7:36 AM

used it for 14 years

7:37 AM

or as long as i remember

I will check it out, thanks!

@MrMacca (Allan Mc) you can absolutely throw it into BL to get that info. to save time make sure you deselect everything. Another option is depending on the filesystem you can mount it with your tool of preference and look at the plist which contains that info

https://www.backblaze.com/blog/hard-drive-stats-q2-2019/

Andy Klein

Backblaze Hard Drive Stats Q2 2019

This review looks at the Q2 2019 and lifetime hard drive failure rates of the data drive models currently in operation in our data centers.

5

I love how transparent they are with these HDD stats over the past few years. Really cool to watch play out

2

Yeah backblaze are great for that

transparency? preposterous

@Jay528 Aid4Mail worked out well, thanks

2

Steam 0day! (from HackerNews) https://amonitoring.ru/article/steamclient-0day/

Steam Windows Client Local Privilege Escalation 0day

Описание

glad to hear !

10:30 AM

i hope they give me a referral fee

2

@forensicmike @Magnet that is a good one...gotta love when people dont care

1

Gizmodo: Report: Apple Has Activated Software Locks on iPhone Batteries to Discourage Third-Party Repairs. https://gizmodo.com/report-apple-has-activated-software-locks-on-iphone-ba-1837053225

Report: Apple Has Activated Software Locks on iPhone Batteries to ...

Apple has activated a “dormant software lock” that effectively kneecaps third-party replacement batteries on some newer models of iPhone, according to a report from iFixit on Wednesday, by disabling access to battery health data unless the replacement has been installed b...

FFS, Apple.

They know what's best!

Yet you can replace the brakes on your 6,000lb SUV with no one looking over your shoulder... (edited)

Yet. I wrote a short paper on how John Deere is preventing farmers from fixing their own tractors by locking down diagnostic information. There is a tractor hacking initiative (https://tractorhacking.github.io/) seeking to help farmers take back their...tractors.

1

Wow, who would've thought. How silly

Imagine if a John Deere tractor is involved with an accident and police are unable to get information out of it without having to wait for a John Deere tech.

Yeah, that whole John Deere one is stupid. Farmers aren't buying tractors anymore; they're buying a licensing agreement for the right to use John Deere's product.

12:27 PM

https://arstechnica.com/gadgets/2019/06/hackers-farmers-and-doctors-unite-support-for-right-to-repair-laws-slowly-grows/

Hackers, farmers, and doctors unite! Support for Right to Repair l...

The right to repair battle trudges on despite a record amount of legislative proposals.

Hey, I was wondering if anyone can help. I'm using Z3X Easy JTAG to read a UFS chip, I read one fine this morning and a regular eMMC chip earlier this afternoon and it was working all fine. But now I am getting the error: Can't open link, Code: -507, Reason: UIC: Link initialization fail We've had loads of trouble previously with East JTAG, for some reason it doesn't like to initialize for us. We have no issue with UFi box or other similar tools but since out Dedi Prog developed issues we've had to go to using Easy JTAG. Also, is there away of using Easy JTAG offline? Our box will only detect by the software as long as there is an internet connection

right to repair really needs to get through already...

1:46 AM

getting ridiculous now

Would right to repair apply to leased/rented products though? Because as @deepdive4n6 pointed out with the John Deere example, farmers don't actually own the tractor itself. Extreme example, but I could see other device manufacturers looking to employ similar tactics

I'd say that probably the only real reason that the tractors aren't owned by the farmer is equally the fault of lack of right to repair and this "as a service" culture

2:40 AM

two pieces of the same puzzle, you know?

2:40 AM

like the games I buy on Steam, I effectively have a "license" to play them, but do I physically own them

2:41 AM

even more so now as developers go for this "as a service" with recurring pay-to-play fees and so on, when in the past you bought a physical disc that you can do anything with

@MD5/VFC_Aaron D may want to try #jtag-isp-chip-off-flasherbox

I have but haven’t got a reply yet

When you examine a PS4 can you locate a Unique ID that I could use to say the PlayStation was the device that made a threat on social media. From search warrants I have a UUID and I am trying to find that specific device.

oof, sounds a bit of a stretch maybe

2:13 AM

I've never known a console to give up much useful info

2:13 AM

where's the UUID from

Happy Monday all

At least it's Tuesday now

Starting to image 41 devices (desktops, laptops, phones etc). Let the fun begin!

Due by the end of the day.

1

Hahaha RIP me

@Andrew Rathbun got those devices done yet? LOL (edited)

5

Isn't it govt work?

1:15 PM

Take your time

1

@Andrew Rathbun. No sweat ...2-3 more coming in tomorrow.

@MSAB hi MSAB folks, is there plans to expand Proton to other apps?

Absolutely! We are working on trying to get Photon to work for more apps than WhatsApp and there are some exciting things which will be coming in the next release iirc

Should be a month away tops, currently not in the office so unable to confirm but keep your eyes on the release notes!

3

yeah I meant Photon

12:17 AM

cool, I like it so was just curious

Can anyone recommend a good Plist viewer for windows, which can take in a EncryptedRoot.plist.wipekey and allow me to extract the Hex of the PassphraseWrappedKEKStruct?

5:16 AM

I've decrypted the EncryptedRoot.plist.wipekey

Thought the group might be interested in this : What is Paged Out!? Paged Out! is a new experimental (one article == one page) free magazine about programming (especially programming tricks!), hacking, security hacking, retro computers, modern computers, electronics, demoscene, and other similar topics.

5:22 AM

https://pagedout.institute/

1

love the cover

4

5:52 AM

seems cool, thanks DF

Does anyone know if it is possible to do Phrase searching or word searching for someone using Cellebrite Reader?

@Sudo : most welcome

@nbh2493 you can use the all project search. Deep searching stay within PA

Does anyone have any suggestions on how to trace a BT MAC address back to a specific vehicle? I’m working an auto theft ring, and one of the suspect’s phones was examined and those results showed a prior Bluetooth connection to a UConnect system, which is a Sirus XM service on Chrysler products, which are some of the preferred vehicles for this group to steal. I have the Bluetooth MAC, but I have struck out so far with Chrysler, UConnect, and Panasonic. Does anyone have any ideas about how I can trace the Bluetooth MAC to a particular infotainment system in a particular vehicle?

http://www.coffer.com/mac_find/

4:57 PM

I'm not sure if you will get enough info to help but I would start there.

Thank you. I have called Panasonic (the manufacturer) but they don’t seem to know who can give me the info I need, which would be the serial number of the head unit. Then maybe I could get Chrysler to tell me the VIN of the car into which that head unit was installed. At least, that’s the idea.

@VolSarge might not be a bad idea to shoot an email over to the folks at Berla. Maybe someone might have knowledge of something you've not thought of

6:37 PM

Also, maybe a search warrant to Chrysler? When you say you struck out with them, did they straight up tell you if you served legal process for what you're looking for that they would be unable to provide it? I did that all the time as a detective. I cold called companies and point blank asked if I draft paper for XYZ, will you be able to provide what I want? One time I got the info without a warrant lol. Former cop on the other side of the phone

They straight up told me that they had no idea where to get the information I wanted, or even who to put me in contact with that might be able to get me that information.

Might not be a bad idea to try again and hope to get someone else who can leave no stone unturned and get back to you when they know for sure and can sell it to you that that info doesn't exist

@Andrew Rathbun Will do. Thank you.

If it's that important to your case then I'd want some proof of due diligence on their part but that's just me.

6:50 PM

And I always documented very well if a company was unable to provide me with what I hoped to acquire

1

6:50 PM

CYA and all that

6:52 PM

But we also had the expectation to investigate until the wheels fall off and explore every possible lead even for something as petty as stolen laundry. So that's just what I'm used to

6:54 PM

Where I worked before we were always trying to make sure 5 years from now our reports weren't getting picked over by the media for holes much like what is happening right now in the media at that very same place so it was just what we did. Your mileage may vary

Same here. This is a multi state, multi million dollar auto theft ring. Got to get it right the first time.

@VolSarge I would ask to speak with their LE liason unit or legal compliance department. Usually more apt to know what you need.

2

@VolSarge Maybe worth to ask mobile OS vendors if by any chance they collect info about Bluetooth connections (e.g. Google SensorVault) in order to find the rightful users of that Chrysler?

@pathsofglory did you find a solution for your mcafee's encryption drive with axiom ? we have the same problem here.

@Kr Good idea, but there aren’t any rightful users. The cars are all new and taken off the lot.

1

@Dam I did not unfortunately. We had to proceed with a logical image

4:29 AM

Using enCase I did get a physical acquisition of the logical drive on the hdd, which allowed limited carving (edited)

@Deleted User if you don't get an answer here, hit up Brett Shavers on Twitter or Eric Zimmerman on Twitter and they will likely help

@pathsofglory we just tried with axiom 3.4 and it works.

You got a decrypted physical acquisition as an e01 from Axiom?

Well we did an acquisition with xways and tried to put the password in axiom but it says that the password is wrong. With axiom 3.4 it was working

5:45 AM

Anyone got any idea what these are?

5:45 AM

DC/DC converter

i am going a cheap tens machine

5:55 AM

muscle stimulator

5:55 AM

they usually have a audio jack though

5:56 AM

the pads have a similar snap connection to the bottom of whats on this device (edited)

5:57 AM

total guess by the way

Guys, much obliged... confirmed as a muscle stimulator by my own recently electrocuted forearm.

6

4

lol

just a heads up, i couldnt find anything that small on the usual shopping sources

6:44 AM

@ChangoMunk

Anyone know of any free programs/apps/other to analyze Call Detail Records (CDR)? I am trying to help do a couple frequency reports about how many times this number called etc.

2:16 PM

I am pretty sure you can do similar things with pivot tables in excel just wasn't sure if there was something someone already made that is setup for that type of thing

Have you tried Perphound by NW3C?

Thank you, I remembered there was something. But when i searched NW3C I couldn't find any tools. Trying to download now, hopefully it is what I need.

6:16 AM

Source: https://www.howtogeek.com/436788/what-is-microsd-express-and-why-it-matters/

SD cards—everybody’s got a few, but nobody thinks much about them. That’s a testament to how well they work. But performance always matters, and microSD Express promises to make microSD cards much faster.

@forensicmike @Magnet congrats on the new Magnet tag

@forensicmike @Magnet yes congratulations!

@Andrew Rathbun Is Perphound for US law enforcement only?

@Dr. Kaan Gündüz I believe so but might wanna check with @NW3C

it's not me, they blocked the whole country, so it is ok, not personal

(never got the email) (edited)

@Dr. Kaan Gündüz send me your email in dm and I can send a copy of perhound over

hey iv been doing some security research and came across a Critical level vulnerability in a US law enforcement system trough passive means, Does anyone know where I could go trough to report this disclosure to them?? im in UK area so not ust to to the US based Cyber Sec connections... any ideas

https://www.us-cert.gov/report

Report Incidents, Phishing, Malware, or Vulnerabilities | CISA

US-CERT provides secure means for constituents and partners to report incidents, phishing attempts, malware, and vulnerabilities. If you would like to submit a report, please select the appropriate method from below: Incident Reporting Form for reporting incidents to US-CERT...

1:03 PM

Try that?

yeah il give them ago wasnt sure since its Law enforcement and not a .gov domain

1:06 PM

thanks

You could also email or call the agency

2

Yeah I am going to give CERT a call, a unnamed individual gave me a poc at the office so going to go that way with it, thanks for the tips all

@ChangoMunk mini roombas

Happy Monday all

It is Monday... not sure about happy lol

Happy is a relative term lol

1

@CLB-Paul @Andrew Rathbun Thanks guys. just getting setup here!

2

Survivable Monday, everyone

Has anyone who uses TD2u units ever have it where you image a device and then check your destination HDD and the image is nonexistent and the HDD can't be recognized?

10:46 AM

I've been having that a lot lately and I think it's a faulty TD2u. I just imaged 4 devices onto a HDD (hindsight being 20/20 I should've checked each image after I did them) and the HDD won't recognize so the 4 images are nonexistent. Thankfully, it's 4 240GB SSDs so it's not the end of the world. Maybe 90 minutes of imaging total. But just curious if anyone else has experienced this. Latest firmware (June 2019)

10:47 AM

Mind you, formatting was done with the TD2u unit itself

10:49 AM

I can't prove it's a faulty TD2u right now, but I hope to when I have time hopefully later this week to reenact what I did today and see if I can duplicate the issue

Observations from the digital backyard-2 - https://trewmte.blogspot.com/2019/08/observations-from-digital-backyard-2.html

Observations from the digital backyard-2

Good to have a catch-up chat with my old friend Vinny Parmar . Vinny holds the position Higher Digital Forensics personnel responsible as th...

sooooooo we have a 30k page pdf search warrant return from facebook. No bookmarks or hyperlinks that I can find. Is there an easy button to break these up somewhere? Or just Ctrl+F until the end of days?

3:27 PM

I searched and saw a reference to NDCAC dot social, I've requested access but nada yet

Wow, that's crazy. I thought they provided a bunch of HTML pages of someone's profile and messages, etc

https://www.theverge.com/2019/8/20/20813129/yubico-first-security-key-for-iphones-works-with-usb-c-google-titan-ios-ipad-pro-1password-lastpass

The first Lightning security key for iPhones is here, and it works...

But it won’t work with USB-C iPad Pros

@Andrew Rathbun I believe you can ask for it or download it that way, this person didn't do that and I believe the download links have since expired. Anyhow, dot social works.

1

pretty soon we're all gonna be the photographing stuff unit, or the "sorry can't get into it" unit

1

Anyone try this yet: https://tsurugi-linux.org/

Tsurugi Linux | Digital Forensics, Osint and malware analysis Linu...

Welcome to TSURUGI Linux world the new DFIR open source distribution to perform your digital forensics analysis and for educational pourposes

Based on ubuntu 16LTS, so a bit dated. Like SIFT Workstation. I'll have a download

Good morning all! Has anyone had issues with @Magnet Forensics AXIOM displaying SQLite databases and plist files from iOS devices?

DM'ed

Is the image you're working with an encrypted backup?

Yes, from Physical Analyzer. Still not prompting for the password but I have been adding the 1234 password from Cellebrite into the passwords section of Process

Not really a forensic question ... In appropriate situations LE can have a carrier locate a phone. However recently it came to our attention that carriers can not ping iphones. Has anyone served paper on Apple to successfully to compensate for this?

@DMG What carrier claimed they can't ping an iPhone?

so far T-mobile / Verizon

7:22 AM

and its not that they cant ping the phone ... accuracy is >1000 yards of varience

7:26 AM

According to the Techs when accessing the 911 system the location is reported accurately to the systems however when it doesnt involve a 911 call ping results are reported with the minimum accuracy

I've experienced this outwith work, whereby a phone was stolen from a family member, and mobile providers can't get an absolutely accurate location from an iPhone. I always thought it was due to the phone changing which mobile data mast it connects to as you're moving around. (edit: I was pretty vague there, that's kind of what I was getting at, the fact of moving around and not being able to locate due to changing data masts, therefore not having 3 in a cell to triangulate the location.) (edited)

Cell phone carriers don't have access to the GPS on the phone. They use trilateration from cell towers to find the location. The phone type shouldn't matter.

7:32 AM

My guess is that they don't have at least three towers.

7:32 AM

At least that's my understanding.

My Sgt. was at a presentation yesterday at which the techs from these companys are saying apple has tech in there phone which precludes them from obtaining accuracy <1000 meters (he corrected me from my statement about yards above) (edited)

7:35 AM

They are saying they dont have the same issue with samsung phones etc

@DMG That's new to me. I'm curious as to why that would be the case. There is no issue getting the tower information with iPhones. Maybe something measuring the distance to the tower.

he just added they said "Apple is required to comply with E-911, but they arent under any obligations to allow anyone else to ping them"

7:46 AM

They dont allow the carriers access to accurate pings due to "privacy" (edited)

@DMG That's the case for every phone so that's why I'm confused. The phone type shouldn't matter. Things change constantly though so who knows.

@Joe Schmoe I don’t know just passing along info I heard and looking for a solution to a problem

Do we have anyone from Griffeye in here?

A Win7 computer shows that Chrome has been logged into a specific Gmail account on several occasions different days. However, the computer’s owner were away on some of the days and the computer was at home. It could be the computer was left powered and still logged on and the person was using Gmail on another device, then it synced to the computer because it was logged in. Or, the computer was powered off but when it is later booted up and logged in, previous logins to the Gmail account were synced to, maybe if the browser itself were logged in to same Google account. I am not sure about the second option though. Any other ideas? Dont count in remote access to the computer, not an option here :) Anyway, it’s hard to be sure about what creates timestamps when sync of devices might be involved..

Anyone know how to either load more than 1 million rows into Excel or a program to remove dupes from a text document. Doing some work on stripping the NSRL hash set for UFED. I've used NSRL Stripper to export only MD5's. I then attempted to load into Excel to use remove duplicates feature but got the 1 million rows limit. EDIT: @chrisforensic pointed me towards EmEditor. It will do what I need. (edited)

Was thinking Notepad++ or UltraEdit, good you solved it.

I never thought to see if Notepad++ would remove dupes. It always crashed when loading the full NSRL set. EMEditor will work for other stuff I've got. FEX won't ingest the NSRL hash set as it is. I'd have to strip out MD5's or SHA1's and add some ##comments## at the top. I previously been using trial version of 010 Editor since Notepad++ would crash loading even the stripped sets. (edited)

I'm trying to interpret some safari browsing history and I'm stuck with one of the URL components. It's a bing image search record from an iOS backup. I can follow the links and find images consistent with the nature of the case however when I try to replicate the mechanics of the search "kittens meowing" in this case, my URL results are different. Specifically, my suspect history does NOT contain a mediaurl="*.jpg" tag inside the URL. Every method I've tried, computer, iPhone, private and not private include the mediaurl tag.

11:59 AM

My hypothesis is that an image search was conducted and displayed images were "clicked on" to be viewed, however my tests yield different URL results than my suspect evidence. It is worth noting that I am testing in august of 2019 and my suspect history is from 2018... so it's entirely possible it has just updated since. Is there a place I can go to test legacy versions of safari?

11:59 AM

Or I suppose safari wouldnt be the culprit if the engine has changed, bing would.

@whee30 it could be a combo of both. I did some research on Google searches and some of the stuff in that no longer applies because either google or the browsers updated and the parameters or activity is now different

12:24 AM

But I think finding legacy versions of iOS software may be tricky to identify.

@Mr. Eddie Vedder from Accounting I would try https://www.emeditor.com/ - have been useful for me when open huge databases when others crashes

@Magnet Forensics has there ever been discussion about adding a Pause button to AXIOM Process? Often times, I'm throwing 5-10TB at a case at a time and it'd be nice to have a pause button in case I needed to do something else quick on my workstation for another case. I very often have cases processing for 48+ hours so that's a long time to go without using my workstation for another case. Just an idea!

3

Anyone use SiForce faraday bags made by silicon forensics? They seem reasonably priced with power banks included. Or any other suggestions for buying bulk bags and power?

@Andrew Rathbun Interesting idea... Sounds like it has been talked about in the past - also in the context of being able to resume from a crash/failure, but not recently.

It may not be useful for everyone but in my case I throw a ton of evidence all at once at it and it takes quite a while to process while using all 32 threads I can spare

Hey @Andrew Rathbun there is a feature request in for this already, if you want to drop an email into Support@magnetforensics.com I can add your details to the list and let you know when this gets added to a future release!

@Andy Thorpe doing so now, thanks

Sent

https://www.androidauthority.com/android-brand-redesign-2019-1018245/

Inside Google's massive Android rebrand

Google's Android branding is evolving, in hopes of feeling more accessible to a global audience.

9:36 AM

Looks like Google couldn't think of a Q dessert and is now calling Android by numbers like iOS

Here is md5 list that you can import into cellebrite to knock off some of the newer app data pngs for ios and android devices. Essentially what I have been doing is going into cellebrite and then unchecking all the images, once they are all unchecked I then go down into the hash sets and click on this one. Once this is done loading up with all the known files in the hashset click checked to make sure they are all checked. Once this is done you will then have to go back into your main image tab and click sort by unchecked which will eliminate all the known checked hashes.

4

10:03 AM

San4n6_Knowns.txt

3.47 MB

hey anyone here ever use this brand or model in the field https://www.plantronics.com/hk/en/product/voyager-legend my company is having a few of us look at items for surveillance work for wondering if there any good ??

Voyager Legend, Mobile Bluetooth Headset | Plantronics

Unsurpassed audio and comfort, voice commands, smart sensors, and incoming caller announce.

@CyberViking https://www.reddit.com/r/sales/comments/62fijq/how_to_pick_the_right_headset/ has some comments about that headset, ctrl+f "legend" for the comments. Sounds like high praise

r/sales - How to Pick the Right Headset

29 votes and 54 comments so far on Reddit

10:23 AM

https://www.reddit.com/r/sysadmin/comments/6juldq/wireless_headset_recommendations/ too

r/sysadmin - Wireless Headset Recommendations?

1 vote and 4 comments so far on Reddit

yeah not grate reviews there, pitty they seem really low vis and have a solid gov rating in the US, taught they would be good for investigations

@CyberViking What about something like Apple Airpods?

thats what i said, but the manager we have seems to have a hard on for this brand (edited)

Welcome to all those from NCFI in Alabama, thanks for joining!

well

7:45 PM

I had a meeting with my sheriff today about things and I brought up my interest in digital forensics and now I am going to be working with the detectives who handle child exploitation.

I am not sure which channel my question should be in, whether if it's this channel or DFIR, but I'll fire away. We have a faraday box and we're trying to come up with a process of validating and verifying that it works at it should be. What's the best process?

11:52 PM

Should we find a phone, install a faraday box tester application and run it, then place it in faraday box to show that it is working as it should be? Wouldn't we also have to validate that software we found from app store?

@Pacman I would expect that UKAS will ask if the tester App you choose has been validated or not yes (edited)

That is what I thought too - I was told an application called Mission darkness was recommended by Control F. @OllieD are you able to provide an input or ideas as to how we can validate this app?

Excellent question! Put it in a known working Faraday box and make sure it records that it's been isolated (and hope that UKAS don't notice the cyclic dependancy?

)

1:47 AM

In all seriousness, that's not a question I've really considered previously. I'd reach out to Mission Darkness themselves to ask them what validation they've done on their own app, which could give you a headstart. You could also see if you can identify a second validation app/tool that you can compare against

1:48 AM

Full disclosure: I was pleased with how the Mission Darkness app functioned from my brief testing, as it correctly identified that our Ramsey box worked and some older Faraday bags did not. I have not thoroughly tested or validated the app myself. Proceed with caution before incorporating an app like that into your validation processes for ISO purposes!

1

Thanks for your input - I have a slightly better idea on what we can do now!

For any lurkers: https://mosequipment.com/pages/mission-darkness-faraday-bag-testing-app from Mission Darkness/MOS Equipment

Mission Darkness Faraday Bag Testing App

3

Does anyone else use Kiteworks for secure file transfer?

6:38 AM

Just curious if there's a known file limit. I've done <10GB files multiple times but I tried a 30GB file last night twice and the session timed out before the upload could complete. Not a huge deal but just curious if anyone else knew the answer. I won't lose sleep either way

Anyone have a reasonable way to view HEIC images on Windows 10?

Windows store HEIF plugin - doesn't work. Copytrans... sure, but looking for something a bit more "official" and without licensing issues since ultimate end-user is Defense/Prosecutor.

@deepdive4n6 in the windows store check out HEIC Image Viewer Support Converter. It's free to view images, pay if you want to covert

2:55 PM

Irfanview is supposed to work too if you have the plugins installed but can never get it to show all images. Errors on a lot of them.

HEIC Image Viewer Support Converter... as opposed to HEIF Image Extensions, roger.

2:56 PM

I will try that, thanks.

@deepdive4n6 I converted them with image majik successfully. Even preserves exif now

The Mission Darkness is not a bad idea. From an iso17025 perspective I would have thought the 'repeatability' of test requirements would be difficult to achieve. It would require samples of every faraday cage, case and bag out there and assessment the full range of different makes and models and that includes devices with internal and external aerials, clamp-shell mobiles, OS/versions and so on. Not suggesting checking the baby or bathwater out on this one, but [1] examiner's cannot load app on to suspect target device, [2] any SOP pertaining the apps usage relevant to a specific make/model and OS of mobile and so on that were subjected to repeatable testing would need to be specified for each single mobile and that could take along time. For instance have a look at Wikipedia and all the Android versions - https://en.wikipedia.org/wiki/Android_version_history

Android version history

The version history of the Android mobile operating system began with the public release of the Android beta on November 5, 2007. The first commercial version, Android 1.0, was released on September 23, 2008. Android is continually developed by Google and the Open Handset All...

Does anybody know any freeware software for imaging drives?

FTK Imager

6:43 AM

https://accessdata.com/product-download/ftk-imager-version-4-2-0

FTK Imager version 4.2.0

AccessData provides digital forensics software solutions for law enforcement and government agencies, including the Forensic Toolkit (FTK) Product.

Ah, I wasn't sure if it was part of the FTK suite

Guymager through Linux

1

6:44 AM

no it is a separate download.

Ah, FTK would work great, I didn't know it was freeware. Thanks

I think you give Accessdata your email and they send you a link to download it.

6:44 AM

FTK isn't free, just the imager

Yeah, that's what I meant

That link should take you right to the download link

Magnet Acquire is another one

1

https://accessdata.com/product-download

7:51 AM

4.2.1 is the latest version, FYI

7:51 AM

for FTK Imager

I forgot all about Acquire.

Does anyone know whether the FitBit application contains much useful data? GPS, SMS etc?

Can anyone tell me why after a restart the os won’t get past this screen now.

https://www.phonearena.com/news/Android-10-release-date-confirmed-official-Pixel_id118451

Android 10 release date confirmed: Here's when Google will release...

Android 10 release date officially confirmed by Google...

2

1

8:11 AM

@Legis have you tried rebooting into safe mode and seeing if you get the same issue?

Right now I’m running a memory diagnostic from the bios. I have not tried rebooting in safe mode tho. I have reset cmos ram and hdd because after first it wouldn’t even let me in the bios. @Andrew Rathbun

@Rossko Hasher by Eric Zimmerman can hash out all files and output the hashes into Excel rather than doing it one by one via HashCalc

What is everyone using for mbox viewers? Anyone got a top one they recommend?

@Jobbins FTK 7 should do the trick

@Jobbins https://sourceforge.net/projects/mbox-viewer/

Windows MBox Viewer

Download Windows MBox Viewer for free. Windows eml and mbox viewer. Windows Mbox Viewer. Gain access to mbox archives or single eml messages.

I used to use that all the time when dealing with mbox files from Google SW productions

Hi, quick question for you. I have a HP Elite Book with a M2 128GB memory. When I use my write bloker, I cannot see the drive. (I tried other connector but didn't work) I turn on the laptop.and this is what I see

5:32 PM

any advice?

That appears to be like secure startup for HP laptops. Interesting

Had drive boot password

6:26 PM

PC-3000 could possibly remove it

yep, It's weird that I cannot see the M2 memory on my PC. Ill try on a mac or with linux tomorrow.

I had a similar thing with an HDD and had to remove it to image it

pc 3000 ... humm ... we have this at work

If that is what it is, then the password is in the firmware is keeping it from loading until password is entered.

6:28 PM

I think

6:28 PM

I took the class on PC-3000, but was a C- student at best

6:28 PM

Lol

Well I remove the M2 memory but I cannot read it. I tried a lot of connector and 2 different PC.

6:29 PM

lol

6:29 PM

Pc3000 is not easy ...

I had one a long time ago which needed a proprietary connector, but that screen says it is probably password protected.

6:31 PM

If you have service with Ace for PC-3000 they will help. Just send a ticket in and they can even teamview your pc.

This PC is from a big firm in Canada. So it's mostly encrypted!

6:32 PM

Thanks

Ahhhh

6:47 PM

Good luck

Are you connecting it to your computer via an adapter... in that case it might be the wrong adapter, had a similar problem with a HP laptop where my M.2 adapter didnt support NVMe

I used a Tableau adaptor. In fact I try the 3 adaptor that I have.

@merantos on the latest firmware too?

anybody have a method for reconditioning batteries (laptop, phone, etc.)? We get dead batteries in devices all the time. I was wondering if it would be worth it to try and recondition them occasionally to get the device to work. Any thoughts

Anyone have any experience in understanding filename format for picture content from Verizon?

9:23 AM

Here is the filename: 017EECDB4DA90000B4300002-attachment-1-MFDC6964.jpg

9:23 AM

Also this one: 0A7BAA4868720000EB400002-attachment-1-2016042995021154.jpg

9:24 AM

FYI all the meta is stripped from the file.

@mitchlang I can take a picture and send it to from my Verizon acct if necessary.

Yeah, if you can get this same naming format that would be an excellent test.

Was it a text or email?

Specifically i am looking at decoding the 2016042995021154 part of the message as the year I am looking at an event in 2016

9:47 AM

txt

@mitchlang I sent you a DM

9:54 AM

https://m-cacm.acm.org/news/238639-keeping-up-with-the-phone-hackers/fulltext

Keeping Up With the Phone Hackers

The growing challenges to digital phone forensics.

4

@jw The FitBit app can contain location history, as well as records of the activities a user was performing... So I wold say it does have useful data

Is it possible to get a physical extraction from any of the FitBit wearables?

anyone gotten a phys off of a Samsnug J3, if so, what method?

TWRP

4:45 AM

@Sudo

4:46 AM

it was a J320fn

4:46 AM

But I think that 4PC will do that model now

yeah

4:47 AM

J320FN is what it is

4:47 AM

with a "Spreadtrum SC9830"

4:47 AM

CPU

4:48 AM

you flashed TWRP?

yes

4:49 AM

with odin

gotcha

@stephenie

4:54 AM

4:56 AM

I have read the very good article. It is worth noting for law enforcement, particularly when investigating, is that device seizure require identification of the feature provided by the phone.

4:56 AM

Anonymity at first instance can be hard to trace when feature phones have this feature enabled

4:58 AM

Flash messages are Class 0 message neither predefined to be stored on handset or SIM.

4:59 AM

Consequently, the message (subject to any restriction on phone) can be seen and read even where handset is password enabled.

5:01 AM

Equally, handset that can be connected to laptop with SMS API software can control content sent OTA/VOIP.

@Colman Hello ! You mentioned an article, could you share it? Thank!

@BorgSl did you mean the link - https://www.sciencedirect.com/science/article/pii/S1742287618304201

1

@Jobbins Regarding Mbox viewers so far autopsy forensics freeware has been the best for us. It index the Mbox so you can seach it and its really slick. Can't beat free !! https://www.sleuthkit.org/autopsy/

Autopsy

Autopsy is an open source graphical interface to The Sleuth Kit and other digital forensics tools.

What's the standalone json -> CSV program you guys using?

@Colman that your own collection of phones there...... lol

2

1

If a computer gets infected by malware what’s the best thing to do? I’ve heard nuking it and rebuilding might not be the best option but it’s the safest

Best thing to do is follow whatever policy is in place by your organization at work and use your judgement on your own stuff. @Tyføøn

Thank you!

@Cellebrite is there any reason that Cellebrite Reader won't work on machines with internet? It seems to not work as it asks for "activation"

@Sudo Just have them say no or they can create a free account.

I always just say no and it works fine. No need to activate.

yeah, seems to be an issue with that specific reader

6:07 AM

but could only get the issue to replicate on internet enabled machines

6:08 AM

worked around it by giving them a standalone reader

anyone have any experience with console ports

7:50 AM

specifically the VGA style one to RJ45 (the system has the VGA style out, not the cisco style RJ45 to VGA style)

Does anyone have a waiver form they could share for possibly destructive cell phone extractions?

any reason why i can't format a 64GB thumb drive to FAT32 using "Format /FS:FAT32 D:"?

All set. Thank you @CLB_joshhickman1

@ds275 windows set a limit to 32gb for fat32 partitions.

How far back can a physical extraction find?

@Tyføøn it'll give you everything on the device

It’s not just for deleted items?

@Tyføøn it'll get you everything on the device and in some instances allow you to virtualize the device in PA

What about a logical extraction? (edited)

Explaining-Cellebrite-UFED-Data-Extraction-Processes-final.pdf

749.96 KB

2

@Tyføøn hopefully that answered your questions

@Andrew Rathbun yes it did thanks again

1

How do u keep up with your projects or make schedule to study ethical hacking skills? Idk where to start.

You have to have a plan, and the discipline to stick to the plan.

No one plans to fail. They fail to plan!

6:31 AM

That and the 7 P's. Proper prior planning prevents piss poor performance.

3

2

What encryption software are people running in their labs?

We use Veracrypt to encrypt partitions on our MacBook Pro's where we store our evidence. We're not allowed to take evidence home with us that's stored in the clear. We also use Aegis Padlock Drives for external HDD's that are encrypted.

7:21 AM

Hopefully that's what you're asking about @I_Am_NoOne and not like Passware, Hashcat, and other encryption defeating software

@Andrew Rathbun that's exactly what I was talking about. I've looked at VeraCrypt but just wanted other opinions. Do you ever have problems or find it limits you at all?

Not that I've noticed. My only limit is the MacBook I inherited, I wish the encrypted partition was a few 100gb bigger and the OS unencrypted partition was a lot smaller lol

7:26 AM

I am honestly not sure if I'm able to expand the partition on the backend but frankly I should look into it because lately I'm doing lots of evidence shuffling to make room

@Andrew Rathbun sounds fun, cheers for tips.

Good luck!

@Andrew Rathbun VeraCrypt on a MBP partition? Mind if I ask why you chose that over FileVault?

Sorry, boot camp W10

9:04 AM

Should've specified that earlier

Ahhhh that makes sense

Anyone got any advice on how best to package up a phone that's been in salt water for a few days while it gets transported to a lab?

@I_Am_NoOne We also use veracrypt right now but are thinking about moving to bitlocker at some point as that's where the rest of our force is heading. Can't see it changing any time soon though

11:52 PM

Can't comment on transport @Aneesh96 but sticking it in an ultrasonic bath is probably the best idea. Can't say it's an area of expertise of mine though. I'll check with our guy who did the training when he's in

Is anyone aware of an expert witness whose area of expertise is impact damage? We have several devices damaged or broken and the investigators were wondering if there is someone who could demonstrate or report their opinion on how they were damaged. Its a long shot I know but you never know!!

@K23 I hear keeping it in salt water while in transport so it doesn't mix with air is the best thing to do. Is this similar to what your guy says?

Leave it in the fluid that it's in, otherwise the minerals dry around the components, so yeah you're spot on the money there. Then into an ultrasonic bath @Aneesh96 is what I was just informed! (edited)

Yeah we advocate keeping it in whatever its in where possible, can't honestly say I have ever had to deal with something like that though (edited)

3:57 AM

Assume its still a pretty rare occurance?

3:58 AM

@K23 whats the significance of the ultrasonic bath?

From what i've been told it's to dry out the components / clean out the crap that's on the device so that it can be examined and powered on safely. Think our process is take it out the container that the phone arrives, so in this case out of the salt water and put it into the ultrasonic bath to give it a good clean before taking it out and continuing with the examination. We did a test on an iPhone in fairly liquid that was left powered on in the bowl until it stopped responding, stuck it in the bath and after a session in there it started working fine. Really not an expert in that area though and it's not something we see often (edited)

Awesome, good to know

@K23 great, thanks for your advice!

There's an article on "Forensic analysis of water damaged mobile devices" in the proceedings of DFRWS 2019 USA. We received our printed copy this morning

6:43 AM

@Aneesh96 and @Zhaan, this may be of interest in relation to liquid and impact damaged devices respectively: https://www.dfrws.org/sites/default/files/session-files/pres_damaged_device_forensics.pdf.pdf

6:44 AM

It's just the slides that accompanied a very interesting talk, but could be worth reaching out to VTO Labs, particularly in the impact damage case. Unaware of anyone else conducting research on this

@OllieD I shall chase them up and see where it gets me, thanks!

@OllieD thanks for sending the presentation across!

No problem

Is there a way to set default interface language in Cellebrite Reader? (edited)

Sooo.... I messed up and closed a text file that had a randomly generated password in it. I was depending on my password manager to grab it but apparently it did not. Doing a ram capture now to try and recover it. It was the password to a protonmail account I control. Anyone have any ideas? laptop has not been power cycled.

@ThatLukeGuy Did you use standard notepad from Windows or Notepad++ perhaps? I'll assume you didn't save the txt file at some point?

This might be a noob question but I would really appreciate any help. I have installed Tails on my usb but it showed up this error. How can I fix it?

3:37 AM

Apparently an issue caused by the graphics driver, I suggest you install proprietary drivers and disable nouveau's ones: https://askubuntu.com/questions/897627/ubuntu-showing-sched-error-20-on-boot (edited)

Ubuntu showing sched_error 20[ ] on boot

I am seeing the below message during boot, preventing my system from running: 19 printk messages dropped [200.119021] nouveau <missing> fifo: sched_error 20[<missing>] How can I...

1

@Sockmoth Did not save file. Normal notepad.

Thanks for the help! @//

Hope everyone in the US has a good holiday weekend! Back to the grind

1

just got back also

schools back, and summer's done

Ready to break September’s back and make it humble.

Do I risk tampering with HDDs if I simply plug them onto an external HDD reader, and do I need to take any precautions beforehand? (edited)

Write blocker?

I read a bit about them earlier, but I have no clue how they work yet

6:38 AM

https://github.com/msuhanov/Linux-write-blocker https://superuser.com/questions/846546/why-are-write-blockers-needed-when-there-is-mount-with-read-only/846591#846591

msuhanov/Linux-write-blocker

The kernel patch and userspace tools to enable Linux software write blocking - msuhanov/Linux-write-blocker

Why are write blockers needed when there is mount with read-only?

Let’s say we're using some flavor of Linux and we mount a partition using following command: sudo mount -o ro /dev/sdc1 /mnt The partition is supposed to be read-only so that the OS and user cannot

6:38 AM

Found this

If you're dealing with evidence or something that could come back to bite you in the ass for lax procedures, you should use a writeblocker, as @K23 said

Alright, I'll dig deeper and try it out then

You can use a software writeblocker or hardware writeblocker, whatever you want, but don't assume it works. Trust but verify that it works.

6:39 AM

If a software writeblocker works and is validated, then go ahead and use that

1

6:39 AM

If you have questions on how to test, feel free to ask

Sure thing, thanks for the information

That last point is key. Verify it works on something unimportant first, especially software ones prior to use in case something isn't properly enabled

2

Basically, enable your software writeblocker and try to create a txt document, drag files on there, etc, then unplug and plug back in and see if those files exist on preferably a spare USB drive or something

1

6:40 AM

Then if it works on a throwaway USB, go ahead and use it on your evidence drive or whatever you're working with

Got it, thanks

If those files persist, find another software writeblocker or another softwriteblocking method! Rinse and repeat until profit

Got a question relating to Data Storage and Backups. What are people using to backup large amounts of Data? We are currently using Acronis, but it just doesn't seem to be performing as good as we were expecting. Do people backup to tapes anymore?

@MrMacca (Allan Mc) if you search the server for tape backup, there was some discussion last year about tape backups. That could point out some users who have experience with it

@Andrew Rathbun thanks, I'll have a search. We used to use Yosemite backup, which apart from corrupting itself due to Bit Defender seemed to work well. But we lsot confidence in it. And now they no longer support it, so we opted for Acronis, which at the time seemed to offer everything we wanted.

@MrMacca (Allan Mc) We use a large Synology NAS for storage and a second one as a backup.

Looking to pick up a current mac for mac investigations. We use blacklight for acquisitions etc. Blacklight recommends some serious specs for their computers. min. spec to optimum spec is 2.7 i7 - 3.1 xeon e5 16 RAM - 32 RAM looking at specs I could do a macbook pro at 2.4 i9 and 32 RAM for $3400 vs a iMac pro w 3.2 xeon w and 32 RAM for $5000. Does anyone here use a MBPro with blacklight? Any performance issues? The cheaper cost plus the desk real estate saved makes me want the MBPro but I don't want to waste money and buy something that wont practically work for what I need.

@whee30 I frequently use a 2018 15" MBP for investigations. For the most part, BlackLight works - I do find it struggles if you have a case with many devices - I had a case recently with 5 or 6 hard drive images and BL really struggled (opening & closing the cases took a looooong time - so much so that I would be on the phone with the client and I couldn't bring the case up for reference)

1

7:26 PM

My solution for that problem is just to break it up into multiple cases, which isn't so bad

7:27 PM

I will say, I find Mobilyze to be much less optimized than BlackLight - where BlackLight might have some gains from beefier hardware, I think Mobilyze would perform the same

Anyone had a look at the INTERPOL guidelines on Digital Forensics labs? The document is dated May 2019 but I've only just been made aware of it. Particularly interested in feedback from lab managers or anyone working within a lab in @Law Enforcement [UK]

2:41 AM

https://www.interpol.int/content/download/13501/file/INTERPOL_DFL_GlobalGuidelinesDigitalForensicsLaboratory.pdf

I'll have a gander cheers Ollie

No problem! A quick skim read doesn't seem to propose anything radical, but perhaps useful to have something publicly circulated

Question for CaseNotes users...I am having an issue with my CaseNotes where only the first entry is showing. Also if I load a CaseNote file with number of entries completed from another machine it will again only show the first entry. Any ideas? (edited)

@ApC I had the same issue with CaseNotes. It would display a small selection of my notes, and if I reloaded the same case, the notes displayed would be different. I ended up extracting my notes manually from the DB, and haven't had a chance to go back and look at it.

Statement on the High Court judgement on the use of live facial recognition technology by South Wales Police (posted today by the UK Information Commissioner's Office) https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/09/statement-high-court-judgement-frt-south-wales-police/

Statement on the High Court judgement on the use of live facial re...

An ICO spokesperson said: "We will be reviewing the judgment carefully. We welcome the court’s finding that the police use of Live Facial Recognition (LFR) systems involves the processing of sensitive personal data of members of the public, requiring compliance with the Dat...

@Expat4n6 I have recently reformatted my machine and it only briefly sorted the issue. back to square one again now!

@OllieD I have read INTERPOL guidelines on Digital Forensics Labs and it's ok; it attempts though to be the master of principles to follow with no real detail. (edited)

@ApC I installed on second machine, and used same notes DB files. It worked for a while as well, then the same issue happened.

@Colman Yes, quite a high level document

@OllieD Agreed. Fair play though for having a go to prepare guidelines..

@OllieD I've already approached the FSR about this. They are bringing it to the attention of the NPCC for consideration.

@Deleted User Ah ok, interesting! I wonder how they will receive it

@OllieD watch this space!

1

our team has some budget to rebuild our lab, does anyone have any recommendations on optimal cpu cores/threads/speeds, disk, ram that would not cause one to bottleneck the rest too much running the popular forensics tools like xways,axiom, plaso, etc? thanks.

Some tools have different specs - EnCase V6 and lower would handle one CPU core overclocked, and multi-core/hyper-threads tend not to affect the processing time. Others, like Nuix would happily devour as many cores as you can throw at it, and pretty much all the RAM too

8:09 AM

In short though, over-speccing is totally the thing to do, as future proofing is always helpful. Some tools may not be designed for multi-cores, whilst others will. Budget plays a big part of this - as does any lab procedures on assessing hardware suitability (if you have any standards in place)

8:11 AM

For reference, our current builds (soon to be phased out) are i7 5630K (overclocked), 128GB RAM, 1080Ti graphics, SSD primary OS and primary software, and a storage magnetic HDD (4TB+)

8:12 AM

We will be moving to i9, 128GB RAM/192GB RAM, 2080ti, PCIE-SSD OS and Software drives, magnetic storage HDD

8:16 AM

$6k Canadian? I think we are looking towards pushing the envelope and going for i9 9900X if we can. They are £1kGBP per unit (less VAT)

8:16 AM

maybe some haggle room in there too, but we wouldn't get much change from £750-775 I'd imagine

I assume usd, ? That was just for the CPU alone

8:18 AM

So we really need to figure out what is best before buying dozens of machines

You have to consider with the latest intel CPUs the cooling. A lot of the new CPUs have issues with the thermal compound present between the heatspreader and the CPU PCB. In short, they overheat very easily.

Ok thanks

Air conditioned lab, and all-in-one water coolers should suffice

Isn't the thermal compound the same in air vs water? Or u mean aftermarket cooling

the issue is the actual CPU itself - as an end-user you view the CPU as one complete component, but if you heat and prise the silver heatspreader/lid off the CPU die, you will find more thermal paste there - that is the one that is substandard

Thanks

some CPUs are OK, some are very poor, and some are amazing. It is very changeable

8:23 AM

all in the same batch!

Thanks

Two more social networking sites for mobile apps.

8:28 AM

https://pocketnet.app/ https://joinmastodon.org/

POCKETNET

A Revolutionary anti-censorship decentralized publishing and social platform. Based on the blockchain technology, it runs on a set of computers around the world, not controlled by any single entity. Self-policed by users with good reputation where nobody records your keystrok...

Mastodon

Mastodon is an open source decentralized social network - by the people for the people. Join the federation and take back control of your social media!

I forget the model that was proposed but its probably xeon

@RubberDucky We have a smattering of different dual Xeon processors in our boxes, mostly Xeon E5-2690 v4's, but also a few Xeon Gold's (6137 iirc). They all have comfortably handled everything we've thrown aat them.

Thanks @dfa_adam what other specs are they ?

128gb ecc RAM (can't recall speeds), SSD RAIDs (varied sizes), nvme OS drive, nvme or standard ssd data drive, and depending on the generation, a 980/1080/2080 GPU. Started ordering them with dual GPUs for downtime work as hashtopolis agents.

Thanks

https://www.apkrook.tk/2019/09/clean-master-phone-boost-vip-mod-apk.html

Clean Master Phone Boost VIP + Mod Apk for Android

This site contain's cracked and modded android application and games, Android Tips and Tricks etc.

Anyone had success recovering data from a TomTom 4fc54a? Store name is a TomTom Start 50.

@0x3db If it has a microUSB, i think only with chip off. If it has a mini USB, u can use FTK. Best regards

@Karlsson thanks for the heads up

microUSB I'm afraid. At this point I think I'll just document what's visible on the device whilst in a fday box

@0x3db you can use coded From https://www.forensicnavigation.com/index.php/products/coded

CODED

Leaders in Sat Nav Forensics for TomTom, Garmin and Navman

10:59 AM

I always use it for tomtom and it works perfectly

1

10:59 AM

Non destructive

anyone got a physical from a samsung a6?

have a great weekend all!

2

Anyone have any issue with any forensic software install on windows 10 machine

Tried Caine on vm for the first time. Very good user interface. They hve short explanation of wht each tools do in the menu. Useful for beginners.

@spoon1997 which software are you having issues with?

5:36 AM

@ned7778 I've not used CAINE yet but I frequent Kali and Paladin. Guymager is one of my favorite imaging programs which is found in Kali and maybe CAINE as well. There is someone who works on @CAINE here, too.

@Andrew Rathbun I’m just asking. Cause I’m about getting new workstation with windows 10. Just want to know if anyone have any issue with windows 10 and their forensic software

I've been using W10 for almost 4 years (in this line of work) now and I've not had any compatibility issues at all. (edited)

Thanks. All I have are windows 7

Worst case scenario, you can always just put together a W7 VM

Once in a blue moon I found that having a trusty laptop running Win7 came in handy when it came to USB connectivity for acquisitions

2

Now that you mention it, I've had a few rare occasions where Linux saw an external device whereas W10 was giving me fits about it. Just furthers the narrative of having multiple tools to do your job

@Sudo Samsung Active ? I believe they where locked to AT&T that made it a pain to aquire because they did'nt want people to buy them and move them to Verizon, T-Mobile etc..

@Cellebrite so I was thinking and drinking and it occurred to me what would be an awesome idea would be to have processes in UFED PA. Example. I set a job decoding over night and once it's finished it will export images to location X, videos to location Y and then create a report in location Z. Just a random, mildly tipsy thought.

3

1

Isn't that like what Magnet Automate is except for Magnet products, obviously?

1

@Majeeko Let's chat more about this idea. Or email me heather@cellebrite.com

@Andrew Rathbun not just Magnet products, you can use other tools, scripts or utilities in workflows as well. (edited)

@MF-cbryant good to know. Had no idea. Thanks for the info

Magnet Automate does a similar thing with multiple tools, Nimbus by Black Rainbow also has automation functions. Interesting that Magnet have locked Axiom down so it only works with Automate. Understandable in this competitive market. Not everyone can afford such tools or have small labs that don't warrant them. @heatherDFIR , I'll drop you a DM when I get into the office, like I said it was a random idea I had whilst chatting on the phone page and I didn't really flesh it out before I posted. Rum will do that to a man.

Can anyone help me? ... I have a HP Notebook with a chip on the board. When booting the laptop up I'm presented with "Something happened and your PIN isn't available. Click to set up your PIN again". When clicking to set the pin up again, it prompts you to enter the email address password associated with the account, this should then send you a code via email to enter into the laptop (it doesn't) I've tried PC Unlocker to bypass the windows log in screen, that doesn't work either. Any other solutions?

@jw is it a Local account or a Windows Live account? Does PC Unlocker give yout he option to change the password? or does it just reset it?

1:52 AM

Does it also not give you the option to change from Pin login to say the windows user account?

It's a local account and it won't even boot into the USB to load PCUnlocker

The E01 image you have, is that decrypted? can you see the oeprating system files?

I'm not imaging the device, it's from a family member to fix but I'm having trouble getting past the log in screen

1:54 AM

It gives me no other option other than to enter the code they have sent via email (which doesn't exist weirdly)

Yeah that does sound weird

1:56 AM

Any way of doing a system restore to a previous time period?

1:56 AM

incase a windows update has caused the issue

if the disk isn't encrypted, I would go the old fashioned way of replacing sticky keys exe with cmd and either resetting password with net user or creating new account to get in

Bear in mind the laptop is only 4 weeks old so can still be taken back to the store. Just thought there may be another way I haven't thought of

1:59 AM

I can get into the BIOS and I've tried PC Unlocker from there but no luck. I can't access anything past the windows splash screen asking me to create a new pin which can't be done as I can't get the pin to verify via email

2:01 AM

2:02 AM

Btw, the email is definitely correct as it doesn't let you get to this stage if you enter the wrong email

What happens when you click the option in the bottom left of the screen you have a photo of?

3:25 AM

regfarding an alternative method

Anyone knows a simple way to make a bootable virtual image from an image?

5:17 AM

to make it bootable in vmware or virtualbox etc

Disk2vhd from Sysinternals

Thanks

@Deleted User Paladin can also do it.

Anyone have any experience using suricata? Im supposed to configure the IDS so tht it will block certain malicious syntax from executing. Any tips?

@Law Enforcement [UK] if anyone has any resources around the copying of discs and digital data and the evidential chain, I could use some help, having an issue with people not understanding hash values and how that demonstrates data integrity

1:04 AM

particularly that you wouldn't exhibit a copy as your own

@Sudo We generally make one encrypted master disc / USB and reference that in our SFR. If the officers or CPS want to make copies for their own use there is nothing we can really do about it. If they ask for a second because they have lost it there is a load of forms and questions and they generally find it pretty sharpish. I don't have any resources on it though.

but say if you stored digital data, on your server, or wherever

1:26 AM

that digital data will have an exhibit ref

1:26 AM

you wouldn't make a new exhibit ref for a copy of that data to disc

It could just be considered a working copy of the same exhbit.

yeah that's what I think too

1:32 AM

if anyone has documentation to that effect, would be good, but otherwise thanks for the insight anwyay

No documentation available but we operate the same way.

working copy of same exhibit?

For legal purposes we issue a Master (which will be sealed - intention being it is opened in court before the Jury); we also issue at least 1 Working copy (although many disclosure officers request upwards of 4 additional Working copies) which is left unsealed. The data remains the same across both.

1:39 AM

We produce these in a statement, alongside the report/detailed statement.

in this scenario, cctv footage has been obtained via USB and uploaded to the storage server, hashed and exhibited

1:42 AM

so a master digital copy

1:43 AM

would you exhibit the disc working copy that's burned for interview / court or whatever

1:43 AM

as a new exhibit

technically the USB was the master copy I'd argue

1:43 AM

the original is the DVR

I would say it's just the vessel for the footage, and the footage is the exhibit

1:43 AM

but this is the discussion we're having

if the footage can be demonstrated to be the same as when originally seized, not a problem

yeah so it's hashed on the USB stick, and hashed on the server, and compared

1:45 AM

a statement is produced as well by the seizing officer

1:45 AM

to say, I seized this footage on this USB and blah blah

I'd say it is a non-issue. Plus, only a defense team with The Joker at the helm would try to intimate that you had manufactured footage

yeah, we're not up against that, more the fear of I guess

1:46 AM

I'm mostly trying to get a picture of how people view digital data and its integrity, and the exhibiting of digital data

1:46 AM

though I think every other place will probably not be using DVDs for storage

We used to issue evidence on DVDs!

We do as above, then on one of our disclosure forms packaged with the sfr, we include that further data is held regarding the exhibits but not attached to the SFR, then it would down for defence to request further disclosure

we use SANs now

futuristic eh

1:47 AM

it's been a nightmare here really

1:47 AM

stuck in 1995

the biggest issue with us lot, is we overthink things

I'm glad to see that's not a local problem

Were still pushing out evidence on DVD's!

james when you say as above, you hash it etc and provide "working copy"

1:48 AM

or you exhibit these copies of, cctv, whatever, as "new" exhibits

as long as the lead forensic officer for the case has the tenacity and conviction to state that the data has not changed and the hash is sufficient proof to meet the test, then you're all good

you would think so, but not in the current predicament

1:49 AM

the forensic process, digital practices and so on are being ignored at this time

not doing 17020?

hence why I'm trying to see if there are other places that have "policies" around this

1:50 AM

nope, not currently

nor us, yet...

it'll only happen to us when very specific things happen

1:50 AM

but I don't see it occurring for a while so

it's an inevitability; we go out on around 12-15 warrants per annum, and they are usually big warrants

I'm sure it'll come eventually

1:51 AM

for now it's ride the wave til it does

in this instance, for a second set of eyes, contact Dave Thorne from Demux Forensics

1:52 AM

he is a DVR/CCTV god

1:52 AM

usually he offers a bit of advice for free

will give it a shot, thanks

my only parting question would be, what would you/your colleagues do differently to avoid this status quo?

1:54 AM

If nothing, then you've likely not done anything wrong

honestly, nothing

1:54 AM

we've been doing it the way we do it for years

1:55 AM

it's only kicked off now

by 'kicked off' what do you mean?

1:55 AM

CPS?

yeah, I'll DM

1:59 AM

for anyone else, it's basically the distinction between digital and physical that is the issue and the lack of understanding

has anyone ever tried to visualize or graph or "report" a Google takeout json or xml?

If anyone in here from @Cellebrite can contact me offline @ josh.brunty@marshall.edu I’d appreciate it. I’m running into an issue with our purchasing dept. with some language that is in one of the Cellebrite agreements and it’s holding up one of our license purchases. Thanks! (edited)

Two years and a ton of government red tape later... I am finally moving forward and I'm currently taking @Cellebrite CMFF course online. I'm so glad my agency finally decided to take a step into the digital forensics arena!

4

1

@Sudo can you explain a bit more on what you're trying to do with the Google takeout piece?

Does anyone know how to get past the new iOS 12 screen time restrictions code?

@Josh Brunty did you get a reply from someone ?

1

@MF-cbryant just visualize somehow, turn it into graphing with number of times visited etc

12:03 AM

I'm sure I can figure it out

@Sudo are you looking at location history? (edited)

web history

12:32 AM

I'm sure I can just script something to bodge a graph out of how many times a unique URL appears

@Jack Hmmmm, I’m suspicious this is my 12 yr old son on Discord trying to bypass my settings on his iPhone

@DCSO I have an android

9:16 AM

Also I'm a university student lfmao

1

@Jack its a good question though, I have'nt seen it posted before.

I know how to get past the other ones. But iOS 12 is awful

@Jack as in other meaning below iOS 12 ?

Yeah

9:37 AM

But that's just because of the restrictions code is easier, like after that they put It in the screen time code

Note to Cellebrite Employee's: Your "Quick Scan" for carving images from unallocated space is not "Quick". Quick means that after I hit the button, turn around to do something else in my lab, then turn back around and it's done?? Then I would say, "Wow, that was quick". I turned around 600 times and it still carving. Don't get me wrong, the function is awesome, we just need to rename the function. How about "Kinda faster" scan? Just an idea. (edited)

5

Has anyone ever removed evidence from AXIOM Examine's dashboard? I'm removing a 1GB image file and it's taking going on 10 minutes. Just curious if anyone else has had this same experience. I have a couple more I need to do but at this rate I might consider other options

Also, I imaged a 256MB USB Flash Drive the other day. What's the smallest storage medium anyone has imaged lately?

^^ <128MB

What are the professional responsibilities of someone in digital forensics?

@Tyføøn identification, acquisition, and analysis of evidence. Maintain and document chain of custody. Paperwork. Training. More paperwork.

Thanks!

Don't forget general skullduggery.

What about ethical and social responsibilities? I’m taking an internship class and the paper I have to do (expectations assignment) wants to know these questions based on what professional role you hope to obtain (edited)

I figured this was homework! I was about to say lol

Lol I figured I’d ask professionals rather than looking it up online

ethically speaking i would say presenting evidence as it was found on scene and being able to provide proof that evidence was not altered from when it was found, acquired, and analyzed

1:43 PM

also, not excluding exculpatory evidence is important

1:43 PM

you can google that term

That’s fine, I’m not looking for anyone to do this paper for me. Minimal descriptions are more than enough

Please ignore any of my comments if you are doing homework, Iv'e been working since 5:00 am this morning.

social responsibilities? well those who work in LE have a huge impact on society by getting murderers, rapists, pedos off the street

I just am looking for an idea what to say in the paper. Yeah that’s a huge impact definitely

1:53 PM

Thanks for the replies, it’s very much appreciated

Good luck and if you need a peer review, feel free to send it my way

1

@Andrew Rathbun if you have multiple evidence items to remove from the same case you can do them in one shot from the Process menu. It will be a bunch faster than doing each individually.

3:55 PM

If you're having troubles DM me and I'd be happy to help

@MF-cbryant I'm talking in Examine when everything is already processed. I had to remove them so I could do it over again due to a crash AXIOM experienced. So I just wanted to start over because I wasn't sure if it crashed in the middle of one of them or not.

A question for forensic folks, do you guys have certain tools and their versions your team approves for usage, and when new versions are released you test the new versions and get them approved before being used on cases? Please ping @ me if you are replying to me, thanks!

@Expat4n6 mainly web history and search history

@Andrew Rathbun I have experienced the same issue. After 23h of axiom trying to remove the evidence file, I finally gave up and I haven't had the time to explore any solutions to the problem yet

Anyone know if there is a way to wipe iPhone and iPad without pin

DFU and restore. It will activation lock the device though

@Mr. Eddie Vedder from Accounting I can’t pass the locked screen

@spoon1997 https://www.theiphonewiki.com/wiki/DFU_Mode

DFU Mode

8:40 AM

if you are just trying to wipe a device that has contraband or something like that DFU mode and plug into computer. iTunes will prompt device is in DFU and needs to be restored before working. iTunes will grab the newest iOS for that device and install and wipe device. The phone will start at Hello screen and while going through setup should say (edited)

8:44 AM

I do this at my agency when we have a phone to return to teen after they've completed the "sexting" classes. I tell them they've got x amount of time to get my icloud password so I can remove account and wipe phone or I DFU it and you're on your own figuring out the rest but either way I've satisfied my requirements to destroy the contraband. (edited)

What's the sdabin9pie on the shared drive?

@Jack https://thebinaryhick.blog/2019/04/11/android-pie-9-0-image-is-available-come-get-a-piece/

Binary Hick

Android Pie (9.0) Image Is Available. Come Get A Piece!

In continuing the series of created Android images, I’d like to announce an Android Pie (9.0) image is now available for download. Unfortunately, I had to retire the LG Nexus 5X (it topped …

1

Oh thanks

Are there any differences in responsibilities between someone working in law enforcement for cybercrime vs. someone working in the private sector?

@Tyføøn preservation letters and search warrants are commonplace in LE whereas private sector folks don't have authority to do either. LE deals with criminal matters that rely on proving X happened beyond a reasonable doubt whereas private sector folks probably deal with more civil matters or policy violations. CP is an LE only matter, too. (edited)

4:39 PM

LE has to deal with prosectors, judges, the courts, etc. That's a whole animal in itself.

4:40 PM

Private sector folks can speak more to what they're dealing with since I don't have that experience

@Andrew Rathbun thanks!

@Tyføøn Meant to say CP, not CO. Corrected now. (edited)

Wondering how people treat this scenario. Stolen digital device in my case a tablet. Tablet is utilized while it was stolen by suspect. Owner grants consent to search. Is a search warrant needed to search the device for the use of the suspect during the time he had the device or does he/she have no expectation of privacy in that material as it was not their device to begin with.

When in doubt, get a SW so you're covered. Leaves no door open for an issue to be brought up in court later. Removes the seed of doubt from the equation.

Yeah I agree but few in my department don’t feel the suspect can have any expectation in the device as it isn’t his

@Ghosted if there's evidence of a crime on the device you'd be better suited to have a SW for it to CYA

4:46 AM

But I only speak to what my Prosecutor's Office would want as well as my admin. Every department and jurisdiction is different. A little bit of paperwork to CYA and make sure the case is administratively pure is worth it IMO

Yeah I agree

@Ghosted. That wouldn't be an issue at all in my state. It's a stolen device. He has zero expectation of privacy.

1

7:44 AM

It's a little more tricky if it's a device owned by a business and he is allowed to use it.

Watched a video preview of the new iOS 13 coming out, says there is a new feature that will allow Bluetooth connections for location purposes even when in airplane mode. The goal apparently is to track stolen devices even in airplane mode so that they can be recovered. I’m wondering if this new hidden Bluetooth tracking mode would also allow a remote wipe?

8:27 AM

The service is supposedly crowd sourced like those tile trackers. Every cop with an iPhone would then be a vector for deletion for their evidence if that’s a thing... will be interesting to see

https://www.macrumors.com/guide/find-my/amp/

iOS 13: Everything You Need to Know About Apple's Find My App

Apple in iOS 13 and iPadOS merged the Find My Friends and the Find My iPhone apps into one app that's just called "Find My," because,...

9:35 AM

Looks like it does wipe as well

@whee30 where did you read that also wiping is possible? Didn't find any info on this. Just found locating is possible if Bluetooth is on. But will definitely test it asap

does the sprint L-Site still work? i am setting up my account (always used fax before) and i am having trouble getting into the l-site. i installed the certificate and all correctly but i am having trouble getting in, it just says page cannot be displayed. i figured i would ask here before reaching out to sprint and looking like an ass

8:25 AM

lolol never mind...it just doesnt work in IE...have to set up everything in IE with compatibility settings and all that BS but as soon as I moved to chrome it worked

@kalinko from the linked article: "There's an option to mark a device as lost, which locks the lost device, disables Apple Pay, and allows contact information to be put right on the lock screen, and as a last resort, there's a tool for deleting all of your data."

9:09 AM

I missed the spot in the article where it said turning off bluetooth in addition to airplane mode prevented the tracking... at least it's not permanently on in the background!

@whee30 Thx for your answer. It seems it was too early in the morning yesterday to read such an article

Anyone who knows any good crawler/spider that can search for an specific bitcoin adress in darkweb/deepweb that maybe is posted on an market or a forum etc?

Does anyone have any idea when Cellebrite 8 is coming out?

Does anyone have a Law enforcement guide for Twitch.Tv?

@Nemesis I've never seen one before so not sure if one exists

Anyone use the Cellebrite Textalyzer never heard of it until our traffic guys came in and asked about it

@Nemesis Twitch is a subsidiary of Amazon. Might be able to go through their LE contacts.

2

hey @SPVQct3207 what are you actually looking for a break down of the complete URL for a requested page?

6:03 AM

my mind is not working correct today so...

Is there a free hard drive wipe any of you recommend to use?

@Tyføøn download Eraser

3

umm dban, hdparm, dd, actaully ccleaner does a good job too

I use dban as a bootable tool, Eraser for everything else

6:15 AM

Well, I use a hardware solution now, but those are my software choices

Hardware solution?

tableau i am assuming @Erumaro (edited)

I think the tx1 can wipe

6:17 AM

along with some others

A hammer would be a lot more creative, and fun!

2

nice

or nice cobalt drill bit

I've set up a raspberry pi in my office for Virtualhere and figured I'd also throw Pihole on it to block some ads. This got me thinking about iOS remote wipes. Would it be possible to block whatever service is sending the request to wipe the device? (While its connected to office wifi) https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Blocking_or_rate_limiting_iOS_updates i found some documentation on blocking the updates but does anyone know if blocking remote wipe is possible

Blocking or rate limiting iOS updates

@Mr. Eddie Vedder from Accounting Absolutely, I've done this to provide a WiFi network for jailbreaking iOS devices without triggering Find my iPhone

@OllieD Can you share what you block to prevent the wipe?

I take the opposite approach! Block everything and whitelist the specific domains required

7:19 AM

Got a WiFi network connected as part of a VLAN to a Draytek router which makes it easy to allow specific domains on the fly (edited)

7:20 AM

Identifying the domains to whitelist may require some traffic sniffing (depending on what you're trying to allow), but that's a far safer approach than trying to keep on top of whatever domains Apple are using (in my opinion)

That makes sense. I was going to try running some test one of my work phones and see what i could figure out. I do like your idea of just blocking all that may prevent other data from being altered on the device if I'm just going after one specific app. I'll mess around some more and let you know how it goes.

My concern regarding allowing everything except specific domains is that if Apple update the domains being used (via an iOS update for example), I could either miss one or just fall behind and I wouldn't know until it was too late. Whereas if an app starts using a different domain which I miss from my whitelist, it will become evident when the app just stops working (edited)

7:29 AM

But good luck with it

Has anyone ever had success with recovering data from a segmented E01 image? Basically, I have 40 or so 2GB segmented files for an E01. Long story short, the HDD they were initially imaged to deteriorated and was riddled with bad sectors. I should have .E01-.E40 but I'm missing 3 or 4 of those segments now due to being deemed as corrupted. Same with another E01 but with like 7 or 8 segments. Naturally, one of these images is very important to the case. Just curious if anyone has any insight on if anything can be obtained from what I do have despite not being a complete E01.

5:08 AM

Here's a visual

Does anyone know the difference between method 1 and method 2 sd card physical extraction in ufed4pc? @Cellebrite ?

@Andrew Rathbun I'm not 100% certain but if you rename the existing e01 files so they are now make up a complete collection, that should open them up just without the missing parts.

5:40 AM

So if for example yuou have 10 E01, but numbers 7 and 8 are missing, then you would rename 9 to 7 and 10 to 8

5:40 AM

I've never tried this however, just going on something i heard a while back

@Andrew Rathbun full guess here but what happens if you put in an empy file for one of the missing files. so if your misisng e07 just generating a blank e07 file as a filler. if what ^ said doesnt work

Hmmm I am not sure. I will try both of those theories though

5:46 AM

Thanks for the ideas

5:47 AM

I'll try renaming them from 1-whatever and then I'll try maybe either copying one E0X files and just renaming it to complete the puzzle and if that doesn't work I will try a blank E01 file

5:47 AM

Thankfully, I really only need documents off them so even if I can get something it's better than nothing

From that picture I would rename e09 to e07 and so on

Thankfully, that picture is the one that isn't important

5:51 AM

Here's the one that is, standby

"shows picture of 200 e01 files"

5:52 AM

it's a little longer but thankfully not 200 haha

5:52 AM

missing E02, E11, and who knows if anything past E40

What does the log file say?

The backstory on this was I imaged this to what happened to be a 1TB WD HDD manufactured in 2011

5:53 AM

Between the time I verified the image was good on scene and all parts were in tact and when I got to the office to transfer it to my NAS, things got corrupted or bad sectors went wack

5:53 AM

I went to transfer the E0X files to my NAS and it failed on like 4 of them via TeraCopy

5:53 AM

said they just couldn't transfer over, for whatever reason

5:54 AM

Logfile will show a full, complete image, which it was at one point

5:54 AM

What I have copied over and are showing you here is all I was able to copy from the original destination drive

Yeah I had one, and it was the final e01 that just wouldnt complete. And the image was of a drive that took about 3 days to image due to issues and bad sectors.

and the missing parts just couldn't be copied over at all

5:55 AM

Yeah I tried imaging this 2011 drive and it had thousands of bad sectors on the TD2u. It's not an unrecognized file system but in Hex you can see ExFAT in the 12th physical sector, but that's all the further I've gotten at this point

Well fingers crossed it shows up something

5:55 AM

maybe do a small batch test file, before renaming everything and it doesnt work

Moral of the story, destination drives on scene should be manufactured within the past couple years lol

5:56 AM

right now i'm making a few copies of the corrupt image files so I can run the above experiments on them. Working copies of an incomplete working copy

5:57 AM

Appreciate the ideas, I'll report back sometime later today. This copy is going to take a bit

No worries, Ive got a 2 hour meeting now

Have fun with that!

OpenText just emailed out a customer survey. This would be a chance for anyone to bring up concerns about the lack of attention given to EnCase, if anyone cares

1

@MrMacca (Allan Mc) @kmacdonald1565 this is the outcome of using blank E01 files to fill in the missing segments

ah weak

same result

7:16 AM

Not surprised but they were great ideas that I hadn't thought of before. Appreciate the input

Try it in X-ways

8:13 AM

Gonna do a test on my machine, see if I can get it to work

X-Ways can recreate a missing Exx image

8:19 AM

Good to know, I will have to get ahold of an X-Ways dongle then

...under the condition that you have the descriptive text file, created when imaging with x-ways

8:20 AM

because you need to fill in the correct amount of chunks

Ahh damn

8:21 AM

I won't have that then

ah ok

It was imaged with a TD2u

you can reproduce them also, but it's little bit more hardcore, and I don't have the documentation with me

8:23 AM

will look it up later, keep your eye on this channel

Thank you @Karamba

8:23 AM

I can probably get an X-Ways dongle one way or another. I don't have one issued to me but some coworkers do.

the solution is that - in order to calculate the missing chunks - you need to trick x-ways

8:25 AM

he will give you the error - with amount of missing chunks, so that you can make a dummy one

8:25 AM

i'll keep you informed

I've done a test and added it to X-ways, it throws out alot of errors, but it is showing some of the contents. I'll try to extract something and see if it gives partial data

8:29 AM

this is just by adding the renamed E01

8:31 AM

@Andrew Rathbun Yeah X-ways might get you what you need, I didn't recreate any of the missing chunks, just renamed the file extensions so they are all in sequence with no gaps. Then I did a test export of the Config folder and it worked.

@MrMacca (Allan Mc) that's great news, very encouraging. I appreciate you trying that out! I will work on getting a dongle in my hands. I know my partner has an X-Ways Imager dongle so I will get ahold of that but that's only half of a win. I will work on an X-Ways Forensic dongle.

I got ahold of X-Ways a lot quicker than I expected. It was able to parse out the unimportant partition of that image but it got a lot further than any other tools so I have to give it credit. I'm missing .E02 so I think that is really critical to not being able to show the partition I need. I will keep chipping away but thanks for the leads

9:26 AM

Also, the other image looks like it was able to parse most of the data partition so that's great news! BUT, of course, that's the significantly less important computer to the case. But I'm a lot further than I was so I really appreciate the help @Karamba @MrMacca (Allan Mc) @kmacdonald1565. This is a perfect example of why this community is valuable and thriving

Excellent news @Andrew Rathbun

@Andrew Rathbun I looked up the documentation; there is only a workaround in x-ways if it is one missing segment or multiple contiguous missing segments (edited)

1:18 PM

in the case of multiple non-contiguous segments (which is your case, I believe), the only way is working with the descriptive text (edited)

1:20 PM

I see in the screenshot that there is a log-file; any interesting in that file ?

It's just a TD2u log file. Not sure if you're familiar or not. I will post some of it tomorrow to see if any would be relevant

1:30 PM

@Karamba

Slightly silly hypothetical question:

12:26 AM

If you recover login details you're not allowed to use them without a warrant

12:26 AM

And likewise with session cookies or whatever

12:26 AM

But could you use an API endpoint to refresh the session token until you get a warrant?

12:26 AM

Actually I guess by that point you could just ask the service provider

@Seagull it's always best, in my opinion, to just get the information from the service provider through a warrant. I've never used any cloud analyzer software from any of the vendors so someone else could chime in on that. Typically what I do with the production form the service provider is make an .AD1 out of it with FTK Imager and use that as my best evidence copy. That will go on a HDD and placed into evidence. Then I have a working copy that I use for my analysis.

Yeah that makes sense, thanks

10:01 AM

Not a professional so it was just a silly idea

No worries, glad to help

@Karamba here's pretty much the only partially useful info in the TD2u log

11:17 AM

Capacity in Bytes: 250,059,350,016 (250.0 GB) Block Size: 512 bytes Block Count: 488,397,168

11:18 AM

File Size in Bytes: 2,000,000,000 (2.0 GB) Files written: 39 Total errors: 0

11:18 AM

I have 36 files, so 3 are missing on this one

11:18 AM

Just circling back on this. Not expecting this to help me get over the hurdle but just wanted to pass it on

ow, no luck there...

I figured. Oh well :/

11:20 AM

Appreciate the insight

11:24 AM

I think for the other unimportant image though I will be able to get documents off there so that's significantly further than I was before

for500 done!

2

11:43 AM

Such a relief

Did anyone else notice with 4PC 7.23 it's no longer a single executable? It's very much like AXIOM where there's 3 files with 2 of them being .bin and one executable

i think there is a 2g max for the exe file or somthing like that.. i think i remember reading they reached the 2gb max

1

anyone having issues with media player classic and x-ways

4:10 AM

command switches seem to be unrecognized

iOS 13 = No more magnifying glass = Devastating news for a Friday

ty @Cellebrite just bypassed (removed) a complex code on j737t1 galaxy j7 that was sitting on my desk that we desperately needed. for a high profile case. Used the latest UFED 4 PC (7.23.0.10)

(edited)

4

10

dang this place is cool

@Cellebrite and @Forensicator Now if they can just add full unlocking support for Alcatel 5041C devices

1

that family of MediaTek support would be great

STORY TIME! Sooo, I went to pick up the new iPhone today as a surprise gift for my SO. And it dawned on me I don’t know when she last did an iCloud backup. Not wanting to tip her off and ruin the surprise I ask the Apple employee if there is a way from their side to know when her phone was last backed up. He goes “Sure!” “Let me just make her a reservation at the Genius Bar, then it will tell us when she last backed up...” I said hold on I don’t want her to know, will making this reservation send her an email? No he says as long as you don’t hit confirm it won’t notify the user. I have to tell you guys the information they had was awesome if you have a case and you want to know what devices and when they last backed up to iCloud in preparation of sending legal process to Apple, get yourself a friend that works there FWIW...

Regarding the EXE file size.... The 2 GB limit refers to a physical memory barrier for a process running on a 32-bit operating system, which can only use a maximum of 2 GB of memory.[1] The problem mainly affects 32-bit versions of operating systems like Microsoft Windows and Linux,

@Zhaan I still have magnifying glass after updating to iOS 13

I don’t!

12:00 PM

They can’t trust me with it!

Andrew Rathbun 9/20/2019 12:04 PM

@NerdCop cool story, thanks for sharing! I know we had a good relationship with our local Apple store and whenever we had stolen iPhones that were recovered, we were able to give them the serial number and they were able to notify the victim for us to reunite them with their recovered device

12:05 PM

I think they said they weren't technically allowed to do that but were doing it as a favor to help

12:06 PM

@CLB-Arnon Tirosh thanks for the insight!

@CLB-Paul reviewed the forum for a LG-K550 with chip MSM8937, and did not see a clear answer so wanted to post again. Attempting to gain an extraction from this device, I placed the phone in EDL mode using the test ports but the extraction quits after step one, any one else have any luck regarding this device? I see @Draugrs had this same issue last year, not sure of it was ever resolved. ...Additionally the interesting thing with this particular device is that it's unlocked, however i'm unable to access developer options via tapping the build number? its running android 6.0.1 and the security patch is 5/1/2016, any assistance, thoughts or ideas is appreciated.

@jenks31 so if it quits at step one, it means that there is no firehose (communication programmer) to the device. Many are device specific.

2:55 PM

With it being unlocked, did you try Smart ADB?

2:56 PM

Its been out for a while, and even thoguh it was out with 6.0 there is a chance that it is no encrypted. I do not know, so maybe LAF (LG Recovery) could be an option.

2:56 PM

I am not sure, and did not try these, just spit balling ideas off the top of my head.

@CLB-Paul He won't be able to use smart ADB as the developer mode is locked -- no debug mode.

3:05 PM

@jenks31had a similar situation the other day and a older model. I tapped a different option seven times to unlock developer. I don't remember what it was but it wasn't build.

@Forensic@tor ok thank you, i'll try to tap different ones. Unfortuanlte as @Forensic@tor stated all of the extraction methods are not working currently due to not being able to get dev options to work I'll try LG recovery as well see if that works

@jenks31 MDM perhaps ??

@CLB-Paul I didn’t see one on there, I’ll take another look though when I get back in the lab. Good thought.

You might not easily see it as a user. Where did it come from. The device

Anyone have an LE contact at Facebook? Preferably a phone number and name for a Florida based LEO. Thanks!

Could someone from @Project VIC DM me please? I have a couple of questions about their data set and seeing conflicting information in different tools used the ProjectVic json files.

does anyone have a resource for comparing cars visually. trying to find a hit and run vehicle involved in an auto v. ped. video kinda sucks because its dark out, not too much can be done by the way of enhancement. ill post stills in a minute with what i could do...i thought about trying to code a website that can do this as a service (similar to identifont) that basically plays 20 questions with , but dont have the time. it would be nice if there already is a resource to say view all rear ends of vehicles, or all profiles, or all tail lights or something.

12:27 PM

12:31 PM

so far what i got is gray sedan, tails and headlights wrap towards side. license plate on trunk even with tail lights, or pretty close. tail lights have two bulbs, possibly bigger reflector in towards license plate. trunk/licens plate area is angled similar to how civics have their trunk area, not sure how else to describe it...can see it best in second pic here i think. 10 spoke wheels (or 5 split spoke depending on how you look at it). video makes it look like HID or LED headlights, probably projector based.

12:32 PM

i used to be so good at IDing cars when i was on patrol...that skill has dropped off severely

crowdsourcing?

12:38 PM

if you just need to find a matching model/make

12:38 PM

looks like a bmw to my eyes

12:40 PM

12:41 PM

not familiar with US makes though

12:46 PM

headlights are quite possibly different

Any LEO's have any tips or tricks up their sleeves for a Snap Chat extortion case ? I have a case where the suspect is threating to send out pictures of a minor that he has obtained and I would like to narrow down there location with a search warrant and any other means. DM me and if something works I’ll post it.

@DCSO have you served legal process to Snap before?

1:03 PM

I'd recommend sending out a preservation letter ASAP. I don't recall getting location information from Snap, but you should get the last 90 days of snaps and the entire history of messages for the account, last I knew

2

@DCSO i cannot promis it wil help, but i have used the snapmap feature to track runaway kids before...if you have a dumb enough suspect it might help.

@kmacdonald1565 I did just check to see if there location was on and they were not sharing it. I"ve served Snap Chat before but I'm thinking of doing an account take over and sending a tracking IP assoicated to link now vs waiting months for the warrant return to comeback ?

that is a very tough spot...personally that is something i would run up my chain and consult a prosecutor about but to me the exigency exists for it.

Snapchat used to do 2-3 hour turnarounds on search warrants for me back in early 2017 when I was serving a ton of SW's and preservation letters to them, but I think they've gotten a lot busier since then and it's been slower

in 2017 or 2018 they more or less screwed my department...had a missing/runaway JV. only using snapchat. would borrow a stranger's phone sign in, send a snap, sign out and keep going. They wouldnt send us more than 2 updates a day (roughtly 8-10 hours apart. needless to say, we were way behind the 8 ball. Intel had her in a major city an hour and a half away with nothing, no food, money, or other clothing in the hottest week of the summer. they more or less didnt care.

1:31 PM

they really have never been good to us

That sucks! Hopefully everything turned out all right with the juvie

yeah, old fashioned police work found her...ended up charging a few people if you catch my drift.

5

is there any way to retrieve recently deleted messages (whole conversation) from Telegram?

Has anybody used ADF Solutions Mobile Device Investigator? We are looking for a mobile triage solution and this came highly recommended but wanted to get some more opinions on it. https://www.adfsolutions.com/mobile-device-investigator (edited)

Mobile Device Investigator iOS Android Forensics

ADF Mobile Device Investigator (MDI) for iOS and Android smartphones and tablets is the best mobile forensic tool for field investigations

Does anybody know of any apps that will encrypt text messages?

@Tyføøn Can you be more specific? Are you trying to encrypt some text for testing? Or do you mean an app that encrypts messages before putting them into a local database?

Just for texting Ex- healthcare or medical information (edited)

cyberchef is good just for playing around

9:01 AM

oh

An app like Wickr claims they do not possess the keys to decrypt your messages on their end, and they definitely encrypt them at rest on the device.

Okay, thanks I’ll check it out

+1 to cyberchef though even though it was for a different question

1

Signal.

9:43 AM

(For text encryption).

1

@goalguy Have you tried Mobilyze by BlackBag? https://www.blackbagtech.com/mobilyze.html

Mobilyze iOS and Android Forensics Software

BlackBag's Mobilyze is the premier software for analyzing information on Apple iPhone and Android devices.

I have not @Semantics 21 (Tom)

does anyone know where Android app backups actually go

6:24 AM

I would've assumed GDrive

6:30 AM

hmm OK, devs of this particular app are saying it's only using Google to auth, not to store

6:30 AM

so that answers that

@goalguy what kind of results are you looking to get from mobile triage? We might have something (new) that can help, happy to explain it via PM if you are interested

Does anyone have a generic computer search warrant template they can shoot over to me quick? I can PM you my work email

@Jobbins shoot me a PM as a reminder and I can email you one later this week when I get back home. I'm out of town for work now

Does anyone have a contact with Microsoft by chance?

@kmacdonald1565 maybe i'm late but I think your car in the picture is a subaru legacy

3:38 PM

thanks for the suggestion!

3:38 PM

never too late

yeah front headlights look more promising

anyone ever had an issue with X-ways where partly through imaging the device becomes unavailable

6:19 AM

seems to be USB devices so maybe it's my tableau

Hi all, Here is my new article: Tools up: the best software and hardware tools for computer forensics https://www.group-ib.com/blog/digital_forensics_tools

Tools up: the best software and hardware tools for computer forensics

The review of the best software and hardware solutions for computer forensics.

1

@Legis did you get your microsoft contact ? You can check search.org they have a couple contacts.

I did not yet @DCSO

8:11 AM

I will check

That will not work @DCSO thank you though!!

@Sudo yep. Tableau UltraBay3d on my FRED has caused problems in the past for me.

@kmacdonald1565 about the car pictures, maybe it's a Mk3 Ford Focus Sedan. The second last picture could show some design lines at the doors, that are pretty similar, also the frontlights are similar pulled back above the fender. I am not quite sure about the taillights, they don't match excactly, but this could be due the poor image quality or base model/aftermarket taillights.

7:10 AM

nearly same angle

@MikeWhiskey thank you!

I think it was a duff cable, I managed to image it in the end

7:23 AM

I also changed my drive sleep settings, as it might've been that

7:23 AM

odd though cuz, it's in use so I dunno why it would sleep

Are there any average education and work experience requirements to work in digital forensics?

Generally some IT knowledge helps. @Tyføøn Depends if u r going for beginner or senior or whatever, the more senior the more needed ofc Some teams might be willing to train you up That's my experience

@Tyføøn if you're going the LE route, sometimes all it takes is being informally designated the midnight shift IT person. That's what happened to me since I was the techiest person by far on the shift. Word gets around and I got slotted to become a detective doing digital forensics (as well as other general casework). It just snowballed from there. Right place, right time, right department, right budget, etc. I was very fortunate to have that opportunity as it changed the trajectory of my career (edited)

12:43 PM

My coworker was a sysadmin in a previous life and now he's doing digital forensics.

12:44 PM

Knowing what I know now, I wish I had a stronger background in networking as that can only benefit and give you more options moving forward.

@Andrew Rathbun My exact route also.

3

I'm sure many others, as well

Yup! I’m fresh into my detective role but that’s my path as well.

1

Vulnerability in WIB simcard-browser that causes serious harm to hundreds of millions of telecom subscribers worldwide in 2015, and the vulnerability has not ever been published yet. By sending a malicious SMS to victim phone number, attacker can abuse the vulnerabilities in the WIB sim browser to remotely take control of the victim mobile phone to perform harmful actions such as: send sms, make phone call, get victim’s location, launch other browsers (e.g WAP browser), get victim’s IMEI, etc. https://ginnoslab.org/2019/09/21/wibattack-vulnerability-in-wib-sim-browser-can-let-attackers-globally-take-control-of-hundreds-of-millions-of-the-victim-mobile-phones-worldwide-to-make-a-phone-call-send-sms-to-any-phone-numbers/

Lakatos - Chief Researcher - Ginno Security Lab

#WIBattack: Vulnerability in WIB sim-browser can let attackers glo...

Can anyone send me a link of what a security policy is supposed to look like, what it’s supposed to include, etc. (edited)

Are there better and worse OS's for DFIR? And is there such a thing as a free OS that's good for DFIR? (edited)

SANS have a SIFT image for both windows and Linux

@Tyføøn You're going to need to be a lot more specfic than that. A security policy for what exactly?

12:19 AM

@CodewordPorcupine most commercial DFI software tends to run exclusively on Windows, but there are various open source options available and some software specifically made for MacOS. Choose your forensic product first, then work out what OS it runs best on. And remember you're likely going to be using multiple bits of software here so think about compatibility. SIFT suite is a great free and open-source start.

Yeah I'd say if you're building a machine you'd definitely want to at least be able to run Windows

12:29 AM

But obviously if your workstation OS is an image it's much more flexible

@K23 forget about it. I found what I needed

I was just handed a 12TB padlock drive. This is the largest HDD I've ever had in my hands. 10.9TB usable which sucks but it is what it is

1

@Andrew Rathbun my largest is 8tb so far. Having to clear room out just to image a drive is a PITA, not to mention processing it.

Oh absolutely. I can imagine. Thankfully this already has evidence on it and it's nothing I have to image. Maybe make a logical image of the 5TB of contents or so at a later date. Pretty crazy though. Their website shows 16TB as the highest option available for a cool $1040 USD (edited)

If anyone has had experiences with SkyECC devices, please dm me.

So just taking a shot out there with this one. We have some MAC addresses of devices from a router log. We have identified about 4 devices of interest. They are all android devices including LG, Coolpad, and Samsung. Is there anyway to identify a device with just a MAC address? Of course the goal is to potentially get an IMEI or even identify the provider. I’ve never had to do this before. I’ve identified devices before by their MAC address with a Shadow, but that’s it. Anyone have any experience with this?

Anyone know which company that owns fr.bbsecure.com? Its a MDM-service company, cant find any info at the web

https://markmonitor.com/ according to whois

msalangsang

MarkMonitor - Clarivate Analytics | Brand Protection, Domain Manag...

MarkMonitor helps establish and defend some of the world's largest brands online

3:59 AM

Cheers, i got something called BlackBerry UK Limited but it has to be wrong since its and iphone..

Doesn't look like you're far off

4:02 AM

https://docs.blackberry.com/en/endpoint-management/blackberry-uem/12_11

4:02 AM

Blackberry do provide an MDM which works on iOS

4:03 AM

And *.bbsecure.com is referenced in their documentation here: https://docs.blackberry.com/en/blackberry-dynamics-apps/blackberry-access/2_12/blackberry-access-administration-guide/lnb1484165962504/Whitelist-the-BlackBerry-UEM-App-Store-in-the-BlackBerry-Connectivity-profile

4:06 AM

Think that's your winner

4:11 AM

Seems like every company is providing an endpoint management solution these days. Feels like it's the current big trend

@Arlakossan what a coincidence....Exactly what skyECC seems to use (my comment just above yours...)

6:10 AM

And they run blackberry uem it on iphones, blackberries, and pixels

@dfa_adam have you gotten somewhere? I want the token for the iOS device to open it

I recall somone talking about Life 360 and having more info in the DB than whats viewable manually. Anybody recall this ? I've searched an can't seem to find it. We have a device thats from an accident and its past the 3 days that it offers for the free version. I"m wondering if its still stored on the device. This is an Android OS device.

Hey guys, anyone happen to have a WinFE USB image by any chance? This is so complicated to make it seem

Just realized the Sanderson Forensics website has been revamped by @TeelTech - https://sqliteforensictoolkit.com/ looks like there is a Google Group now, too

Sanderson43nsics

SQLite Forensic Tools by Sanderson Forensics | Sanderson Forensics

Anyone on here conduct investigations on cryptocurrency mining

We are looking at placing some game cameras in the woods to locate a serial arsonist. We have been ordered to find a way to track the game camera in case it gets taken. I’ve been researching ways and have seen crowdsourced tiles that use BT to track but I am leaning towards GPS. Does anyone have any recommendations on small GPS or maybe enlighten me in another way to track it.

Uhm, is there any way we can get a discord localstorage file on windows? Or did they removed it?

@Unoriginal_name we just bought game cameras that weren’t too expensive and hid them carefully. Anything traceable via gps is going to get expensive quickly and burn a lot of battery as well. The typical car gps tracker requires many hundreds of dollars for subscription service etc. a tile is an okay idea but you’re relying on other tile users to be nearby, the tile to function (mine never did when I needed them to) and for the thief to not notice the big white tracking device attached to the camera. Honestly, the best bet is to buy some cameras with the understanding that you might lose some. In the last five years I have lost none while using no tracking devices etc.

Android ID's, are they consistent within a device. If my Android ID is 1234, then I wipe my phone start again is the ID the same or is a different one generated. If not known I'll do some testing.

Any help will be most grateful. Huawei P20. I have files relating to - Media/internal storage/ .photoshare Does anyone have any suggestions what the .photoshare location is? I am unable to identify on the file manager

would've thought it was just files relating to that application

4:56 AM

orphaned from the previously installed app maybe

@Unoriginal_name Depend how many you plan on installing but you could use a raspberry pi with GPS+GSM module or just take some old phone, connect them to a big powerbank and hide them in the camera.

@Sympathizee pretty sure what does exist for Discord stuff is in appdata

6:33 AM

I've looked before and I don't think the forensic value is there

6:35 AM

some cached images tho

@Unoriginal_name cost and placement are really the deciding factors. Many narcotics units use covert cameras of all type and GPS trackers. I am sorry for the longish post but here are a couple of options and background if you arent familiar (not brand specific sorry, but can find out and PM you in like 5 hours) If you are looking for in a wooded (remote) area, hunting/bait cameras are an option. Pro: low cost, decent picture quality depending on model, pretty good battery life, camouflaged and hard...Con: not highest quality, dead stick when battery dies until you can recharge, you forget where you put it,...its gone, no GPS at low $, no remote viewing, limited recording (SD card size/quality) If you are looking for in an urban area, pole cameras are an option. These are covert boxes directly connected to power lines and put in place by utility companies. Pro: great picture quality, power not a concern unless utility suffers an outage, some have GPS capability but moderately tough to steal anyway, pretty well camouflaged, can be set up to record to HDD (we had recordings for several weeks using one), remote viewing. Con: moderately expensive, difficult to install/takes time to get right, requires 4g connection for remote viewing (we use cradlepoint routers), can be finicky with connection issues, requires utility poles (some areas don’t have any) and that can cause a less than optimal camera position/angle.

6:57 AM

Homebrew solution: Raspberry Pi: use a Pi and a webcam or Network cameras. There are tons of tutorials on this. This can be done super cheap. If sourced well, it can be done with spare/salvaged parts for probably $50 or so. If it runs on a pi zero w, they cost like $10 or $15. If you need a 3b or 4, they are like $35 to $70. My estimate of 50 is based on a $35 3b. You can add GPS and GSM module for a pretty small fee. Pro: super cheap- potentially lowest cost option, customizability. Con: setup time and configuration, need to build own casing, depending on components video quality concerns, powering the devices, can potentially throw it on a UPS or something GPS Trackers: generally have good battery, if your using it other listed above, you are likely going to run out of battery on the camera or system before the tracker anyway. You might not be able to do a swap as easily though. These do get expensive with tracking plans, but I am not privy to specific costs.

Does anyone have a contact with the US Army that may know something about MDMs and US Gov't issued cell phones?

@Forensic@tor shot in the dark but https://dodcio.defense.gov/Cyber-Workforce/Contact.aspx might be a good last ditch effort

@Andrew Rathbun Thanks but they were of no help. I finally found a guy. It took an act of congress, but finally found him.

@Forensic@tor glad to hear it all worked out

@Andrew Rathbun Partially. They could have remotely reset the PIN for me, but the phone was terminated due to inactivity. Just have to wait for the brute-force to complete.

@Forensic@tor

anyone using cloud storage for evidence.... for disaster recovery/bc file sharing etc.. ?

6:28 AM

I need to come up with some solutions and would like some insight if anyone is doing so

6:28 AM

We currently are using tape backups

oh dear

o ya

6:28 AM

backing up 80TB

6:29 AM

now and its super fun

6:29 AM

upload and download transfer speed to cloud I think might be an issue

and security

ya that too

6:29 AM

but if we encrypt it on our end ..

they call it data aging in that industry

6:30 AM

fast storage-> backup storage->slower storage->tape backup etc.

what is the norm currently

6:30 AM

off site backup ?

i think it's better

we do not. We are using a 100TB storage server with tapes.

you can have 2 datacenters

6:31 AM

in different locations

ya but then manpower etc

with fiber

my agency will not do that

hoping to mirror to another server in another location in the near future

most of nas solutions have automated replication options

6:32 AM

that datacenter could be in the same building

ok so if your backing up lets say 70TB a year of case files you would need a PB to last approx 10 years?

buying 1 pb now isn't the best idea

6:33 AM

because prices go down every year or so

6:33 AM

if you have 100Tb/year

No reason to buy 10 years of space right now when you can incrementally buy since storage space is going to get cheaper year over year

6:34 AM

3 years from now buying 1 PB in 2019 will look like a dumb decision, maybe even sooner

true

you can buy an expandable solution

Buy maybe 1 year ahead of time, at most? That sounds a lot more reasonable

6:34 AM

Bingo

like build a nas cluster with 3 nodes

Yes

and add new nodes as data grows

All depends on how quick your procurement process is will also play a factor in to how far ahead to purchase storage space for

(that could be a folk song)

1

6:36 AM

most nas devices are not build for big file transfers

6:36 AM

by big i mean 1 tb single image file

6:36 AM

they use ssd's for cache

6:36 AM

so if you transfer lots of smaller files, that cache can be useful

6:37 AM

but huge files don't benefit from that cache

6:37 AM

deduplication is a cool feature

6:37 AM

if you don't encrypt your images of course

6:39 AM

6:40 AM

this chart changes from time to time

6:40 AM

the top right quadrant are the cadillacs

ya we have some HPE stuff currently

most HPE products are scalable

Moved over from decoding as this thread is better suited: Just out of interest, how do people handle redaction of data for defence / disclosure purposes? I have a case where a victims phone has been examined, emails are being provided but some email address etc contained within the conversations themselves need to be redacted which is obviously something that cannot easily be done through UFED - you can just choose which emails to include, which ones to exclude. Current solution for this is to export them as a PDF with full body contained within the report, and have the officer go through and manually redact data by hand on a printed copy / through acrobat which is far from ideal. Would be interested to know how other forces / teams handle these kinds of requests

Its an annoying issue to have for sure - we used a document review/ediscovery tool for this in my old job, but it still requires people manually redacting stuff before it gets produced as pdf/TIFF. This was OK as they just did it as they went along whilst looking for relevant data but it's not gonna work for you I don't think

6:50 AM

and its not worth buying it just for that

On the thread above regarding storage and backup we have two data centres, one which replicates to the other. From that point stuff is manually archived to slower storage, after it's been there a set period of time it gets put onto tape backup. If we run low on space they currently just buy more tapes, but I can see it being a problem for us in the near future as our extractions are getting a lot larger (My unit is literally just phones, but we have another unit using the same system with different drive pools for computers etc). Can't see us moving to the cloud any time soon, but there may be big changes if we become more intergrated with the force network to allow officers to view our products a bit easier, as right now it's two separate networks. But a lot of what ifs / things to consider there.

Also when I said manually redacting, I mean within the tool, not printing stuff and scanning it back in or something

We are running into issues with this as well. I know @heatherDFIR was polling people in the community regarding this issue. Last I knew, this is on Cellebrite's radar so I'm sure a solution will be forthcoming eventually

@bizzlyg Good to know, that's likely going to be a more useful tool for our disclosure officers than something we can implement on our end. It's the age old question though, as the kind of redactions that are needed would involve altering the data as some of the things that need to be redacted are say within messages and message threads. Not as simple as just unticking a box. @Andrew Rathbun good to know it's on Cellebrite's radar, this will be a problem that affects all tools I imagine.

nuix is your friend

Nuix is also prohibitively expensive for local LE. It's more geared towards eDiscovery shops

Yeah you can get more cost effective solutions than NUIX

6:55 AM

would be the worlds most expensive redaction tool if you bought it just for that

2

ok, nuix is not your friend

Nuix / equiv could be an option, just depends where exactly it would sit in our organisation as it's going to be something more useful for disclosure officers. But in many cases there are normal officers acting as disclosure, so the scope for that is pretty huge. Not to forget the training etc. This is just one case that has brought this to mind, but I can really see it being an issue on a lot of others but it just hasn't been raised to us yet

Attorney/client privileged communications on devices, mostly phones, is becoming a huge issue in my shop. It's dragging everything out and having us to tap into external teams to review the data and redact the privileged communications, etc. It's just a massive pain but it's the nature of the beast

2

We did civil edisco jobs for the health dept and they had this issue constantly, which is why we invested in an edisco tool so they could use web front end, review stuff and use inbuilt redaction tools as they go. Then at the end only the redacted version is produced along with whatever else they selected as being relevant/evidence. We didn't seem to have the issue as often with the criminal stuff and when it did come up I think they just did it manually with acrobat, def not the best solution though (edited)

7:00 AM

Cellebrite have introduced image redaction now so maybe they can expand on that and allow parts of documents/emails to be redacted etc. Can't see it being a huge challenge for them (edited)

Yeah as if it's done that way it can be clearly marked up as to what's been redacted, while maintaining integrity of the evidence. However, from my perspective it's not just going to be product from cellebrite that we will hit this issue. Sounds like it would be better for us to invest in something that could be compatible with the outputs of a lot more forensic tools (Not saying that inclusion in UFED wouldn't be useful, because of course it would!)

Yeah for sure

I can see this being a much bigger issue when the ICO starts to crack down on things a lot more from a GDPR perspective. It's definitely a big issue, the limelight just has not been shined on it yet over here. When it does we will be in for some fun times

Also in terms of data storage/backup infrastructure mentioned earlier - my old place have this https://www.quantum.com/en/products/file-system/ - you can link sites together, auto sync to cloud, tape etc

StorNext File System

With its high-performance file system and policy-driven data management software, StorNext combines protection, flexibility and efficiency into an enterprise-grade system engineered for today and tomorrow.

7:05 AM

Expensive though

https://www.commvault.com/ is what we use currently for archiving to slow storage, then tape. First step is on demand, think second step is automated. Works pretty well

mhepburn

Commvault - Award-Winning Enterprise Data Protection Solutions

Commvault offers industry-leading solutions that enable your organization to protect and use its data.

7:06 AM

No idea on pricing as unfortunately that kind of infrastructure is outside my remit, as much as I have a passion for a bit of sysadmin

Question for everyone - Currently we operate with standalone forensic workstations. We have a large refresh coming due next year, so we are considering reallocating the budget and moving to a thin client/forensic server model. Does anyone have recent experience with the pros and cons of each system? Obviously we have to factor in how we will sort out licenses, service agreement and consequences of downtime, upgrade plans, etc...But we think it'll be more cost effective and efficient overall.

7:07 AM

Also, StorNext works well. For the most part.

Network transfer speed would be my biggest concern there. Followed by the fact that UFED doesn't work over RDP (But other remote options are available). But cannot speak from practice as that's not how our system works

UFED's dongle not working over RDP is really unfortunate since I do a lot of my analysis remotely. My workaround is just to use UFED on my laptop but I don't benefit from the power my workstation offers. At least the job gets done

7:13 AM

EnCase is in the same boat, too. FTK and Magnet dongles work over RDP thankfully

7:13 AM

X-Ways does too

We already have 10g pipes set up. Wouldn't mind upgrading to fiber for future proofing, but not sure the budget would be there. Good to know about UFED....I wasn't aware of that.

7:15 AM

Is it just the dongle that doesn't work remotely? I was expecting problems perhaps with 4pc acquisitions...

Yeah it will act like you don't have a dongle plugged in even though you do

7:17 AM

So this would apply to 4PC (which, I'd never use remotely because you have to be near the evidence to use 4PC, of course) and UFED PA

7:17 AM

I'm sure other Cellebrite products too but those are the only ones I use

Can you plug the ufed dongles direct into the server, assign them to a vm, and just log into the vm - as opposed to plugging into the thin client? Or does that also pose issues?

@dfa_adam did you try StorNext out? I never came across anyone else using it when I was there, what are your thoughts on it?

I am not sure @dfa_adam. I use RDP through VMWare Horizon where I'm at and all I know is that doesn't work for us. Maybe someone else will know. I don't have the flexibility to try your proposed scenario though

@bizzlyg We have StorNext. I don't really have experience with other systems, but it's good. Setup is a bit finicky on each machine, and no clue how painful the backend sysadmin portion is, but once it's up it's pretty smooth. We do occasionally run into problems, but it has only been an issue with the StorNext (vs IT changing a network setting improperly) once or twice. We upgraded to an SSD cache recently, and that makes a difference for sure.

7:26 AM

@Andrew Rathbun Okay...we will have to do some testing. Don't have much time to push this through, so a major issue like that will need a plan before we pull the trigger

cool, the backend is a bit of a ballache at first but their support is v good generally if it goes wrong. We had to look after it as well as use it, but like you said it generally performed pretty well. We did have a few major meltdowns at first but that turned out to be an issue with the initial setup

7:27 AM

If you have it already it might be worth exploring the off-site sync to cloud, if you have the bandwidth and are allowed to put the data there. Takes the headache out of dealing with tapes etc

@dfa_adam best of luck, hope you can figure something out. I know a lot of people here use VirtualHere as a result of prior discussions in this server and that's been met with universal acclaim. Just, with RDP, I don't know if it would work still. Might be worth using the search for VirtualHere and PMing some people who have implemented that setup. (edited)

@bizzlyg Yes, every time they work on it, it's pretty unstable for a bit. Seems to be very sensitive to precise configuration settings. Fortunately, IT handles all the backup to tapes, etc., so it's no headache for me! Although accessing older stuff can be a real drag waiting for the tape to get spooled up....

yeah agreed, if you need to get older stuff there is that waiting period. The way it works for some things is also better suited for media organisations than DF. I guess to get round that you could change the tapes to a diff storage type but obv expensive (edited)

@Andrew Rathbun Thanks for the pointer - I'll look into virtualhere. Might help. Low cost.

Vmware horizon or citrix xenapp are the way to go

8:12 AM

Server 2016 for backend

8:12 AM

Inside esxi

8:13 AM

Vmware takes care of bandwidth

8:13 AM

They all use RDS licensed from MS

8:14 AM

But you can use realvnc for a simpler setup

8:14 AM

Use raspberry pis for main workstations

1

Just need them to release a pi with 10G networking

Not really

8:40 AM

For remote desktop, 1g is more than enough

If you're extracting from the thin client to the server surely that might cause some issues? All processing will be done on the server so no bottle neck there which would be good

8:43 AM

Unless you had some dedicated machines set aside for imaging, then rest of the analysis and processing can be done via remote desktop / equiv. That could work nicely

You just defined our lab

1

8:44 AM

We use dittodx for imaging

8:44 AM

To nas share

How do you deal with phone extractions in that environment? Manual examinations etc too? Take it that all gets done from the imaging machines?

Not all

8:45 AM

Let’s say most

8:45 AM

Mini pcs for cellebrite

8:46 AM

And z840s for manual stuff

8:46 AM

But virtualization is solid

Interesting. The z840s for manuals sounds like overkill haha but I'm assuming they have other uses. Definitely, can see the industry going that way. (edited)

You will see dockerized forensic software

8:48 AM

And swarms

8:48 AM

That is the near future

8:49 AM

FAAS

K8s style deal. Think we are a long way off of that. That's the thing with containers, they are the future but are not always useful / applicable for every environment. Fun to see the progress though

Fun it is

@Andrew Rathbun but ufed not working over RDP you mean sharing your locally connected dongle, or dongle being connected on host and it doesn't work once you connect to the host over RDP?

The latter

2

NoMachine would be worth a try then. Performance and quality is decent.

TGIF everyone

friday is the day all problems emerge out of nowhere

3:35 AM

FF

at 4pm

2

BlackBag is increasing their prices starting 1/1/2020 by an average of 18%

5:12 AM

SMS for existing licenses: BlackLight - $995 USD MacQuisition - $640 USD Mobilyze - $775 USD New licenses: BlackLight - $2995 USD MacQuisition (120gb) - $1270 USD MacQuisition (1tb) - $1620 USD Mobilyze - $775 USD Softblock - $520 USD

blimey, big jump for Blacklight

5:15 AM

and MacQ - how is that 18%? those prices have doubled/tripled

At least the SMS is reasonable

sorry I am being an idiot

5:17 AM

I didnt read that right, I was comparing them both ie first existing and the 2nd list new prices !

Hahaha woops!

h

5:17 AM

a

5:17 AM

It's friday..

MacQ is a great tool though. All those SMS prices are very reasonable, too. Sub-$1k USD.

Yep

5:18 AM

It's the best mac imaging tool, imo

BlackLight is the only one that stings the first year.

Yeah, also a good tool

As an aside, by my math we are 3 members away from 2000!

6:25 AM

I'm only counting members assigned to a role, not the 35 sitting in New Members right now

7

2

how is this possible?

12:03 PM

36K+ computer forensic experts? I wonder if there are that many in the world.

They've been around a lot longer than us. Lots of people probably have retired, switched jobs, forgot about it, etc

12:04 PM

I count for 2 of those. I had an account for my previous employer and now I have one that's my same username here which I'll ride out the rest of my career

Well, i deleted my account.

Also, we're at 1999 members so I'm just waiting for one more person to get assigned a role...

ah the wait...

I posted on there a few times when I first started. I haven't been back except when all else fails

I go on there every couple weeks just to poke in and see what's what

no need, i can summarize what happens

I'm glad it exists because some people don't like listservs or don't like real-time chats like this or IRC. Something for everyone and everyone can choose which flavor they like

step 1. you ask a question

12:06 PM

step 2. someone mocks you

1

@Dr. Kaan Gündüz I am glad you said that.

12:06 PM

I feel like there were some very condescending answers on there

Step 2 has always been my favorite part about this server and the people in it. Because step 2 doesn't exist here and it won't be tolerated.

2

1

Agree @Andrew Rathbun

thank you all for this server

Discord=the brain child of a few people chatting on IRC about forensics......well mostly crypto at the end if I remember right. LOL

This place has to be comfortable for the least experienced, most intimidated examiner. There are no stupid questions! We're all trying to put away bad people or just to further our investigations regardless of the nature of the case.

1

12:10 PM

@sholmes yep crypto was a big part of the last leg of it haha!

crypto and dreams

1

@Andrew Rathbun Are there balloons, cake and drinks for the 2,000 member ? I’m tempted to deactivate and come back at the 2,000 member. I like cake ! (edited)

2

1

greenest avenger

Did I just hear @Andrew Rathbun is buying dranks to celebrate #2000

1

Yeah pretty sure @Andrew Rathbun committed to that in our super secret mod chat!

2

for all

3

6

3

and all for

Looking for a method to tell if an iPhone was wiped. I don't have the .obliterated file, but there isn't squat on the phone even though the bad guy says there should be.

2:39 PM

and I have a Full File System extraction of the iPhone.

@sholmes check any dates on the system apps or when contacts were created. Think of the first things you do when you reset your phone

1

That worked to tell when things started on this device. Thanks.

1

3:04 PM

Now to work through what he did to have such a "clean" phone.

@sholmes check health dB. It tracks updated etc. Worth a look there

Thanks @CLB-Paul I checked that as well. Everything seems to have started on the same day. Now I just need to figure out if he actually used this phone the way he claims he did.

https://www.gov.uk/government/news/uk-and-us-sign-landmark-data-access-agreement

UK and US sign landmark Data Access Agreement

Home Secretary Priti Patel last night (Thursday 3 October) signed an historic agreement that will enable British law enforcement agencies to directly demand electronic data relating to terrorists, child sexual abusers and other serious criminals from US tech firms.

3

That will be extremely useful

LE UK will have to keep us appraised if it actually makes a difference and when it actually happens

1

awesome!

Looking for insight on what y'all think I should be looking for on an iPhone. Did research this weekend and came up empty. Bad guy claims to have used the phone to view porn the night before, but when the phone was seized the history was clear. I have the full file system from the phone and it is processed through Axiom. No internet history relevant to porn or images found on the phone. There are also no text messages, only a couple hundred phone calls in the logs, and a few contacts. No obvious super secret apps. No files showing the phone was reset, and files on the phone indicate he most likely activated the phone at Verizon in January.

6:23 AM

So is there anything I should be checking for activities bad guy claimed to have done on the phone. Word searches have come up empty for standard porn words.

6:23 AM

And GO!!!

@sholmes Depending on the app used, KnowledgeC has the 'Now Playing' log type that I have seen to show the actual names of videos (even advertisements are distinguished) and how long they were on the screen for.

1

6:47 AM

Even if it wasn't logged as Now Playing, let's say it was some kind of specialty app with its own player, you should be able to use App in Focus to help corroborate or refute what he is telling you.

@sholmes might want to see if they were using a gmail account to obtain that info from google. They could have internet history also look into icloud subpoena as well. What browser were they using or application to view said porn?

7:16 AM

Knowledge C like @forensicmike @Magnet suggested is good also running apollo script on it might produce some artifacts as well.

7:17 AM

you can pull out all sql.db and then grep through them as well with some keywords. I do have some python scripts to pull all sql db and plists out of an iOS dump if you want.

Thanks guys. I knew the group would have some good suggestions. @San4n6 DM sent

@sholmes if you have a copy of BlackLight , the Apollo scripts are now built into our program. Process using the Comprehensive option and try content searching for indicative words. Failing that, can you carry out a Apple data request? https://www.blackbagtech.com/blog/2018/05/31/apple-icloud-production-service/

Apple iCloud Production Service

Based on news reports some may assume Apple doesn't respond to search warrants, but BlackBag has successfully worked with Apple iCloud production sets.

Thanks @Semantics 21 (Tom) we do have BlackLight. I will see what it finds as well. Thanks

7:59 AM

@forensicmike @Magnet can a user clear their KnowledgeC Now Playing section.

8:00 AM

Using your information above, I can see where he used Safari for one hour the night before the phone was seized. This could be consistent with his story. KnowldegeC Media History ends earlier in the night. Like 4 hours earlier. So I was wondering if he could have cleared that too (edited)

Not heard or seen evidence of any such thing. I would expect if it was somehow possible (besides factory resetting) to purge knowledgec it'd be all or nothing

that is what I thought too

But bear in mind there is a distinct possibility if he is using some other app to view porn that it wouldn't show up under nowplaying.

true.

8:02 AM

good reminder

8:02 AM

I am trying to use his admission as a guide, but not lock myself into the belief he is an honest individual.

@sholmes perhaps viewing it in private mode and closing tabs when done?

Thanks @Forensicator1005 it is possible I guess. Weirdly I found lots of internet activity through knowledgeC database. However, I never found data showing he watched videos. He was using about 100mbs of data in an hour a few times, but that just shows data usage and not where he was visiting through safari.

7:49 PM

@forensicmike @Magnet did a lot of work helping me today. He showed that if you used private viewing it would still be in knowledgeC

1

7:50 PM

So I think at this point we showed he used the phone for internet access, but couldn’t show what.

7:50 PM

Not even cached images of anything

@sholmes what about if he used the hotspot feature on the phone and was connected to it with another device and that device was being used to,view it instead of the one you have?

I am definitely leaning towards he possibly has other devices.

Good morning everyone. I might have a somewhat stupid question... I got a case recently involving Bitcoin transactions. My culprits seem to have used MtGox to sell their BTC. As MtGox was hacked 6 years ago, I was wondering if anyone knows where to find the old MtGox database? The one you can find using regular search engines seems to be incomplete, as the real one should be around 200GB.

#computer-forensics BlackBag Technologies has just released a new Buyback program which reduces a copy of BlackLight to £1125 (LE) & £1600 (Corp) More info can be seen here: https://offers.blackbagtech.com/buyback2019?utm_campaign=Buy%20Back%20Program%202019&utm_source=hs_email&utm_medium=email&utm_content=77674666&_hsenc=p2ANqtz--wvYO7x91uPugKpVESC4s4A_Kkmh4vQvgq-Gy09zogW7rsA0nIVp6X2zSzU_P-vIuWi6ARmDTV0Q02O005SK3wNzd8hA&_hsmi=77674666 (edited)

Make the Switch to BlackLight

Are you tired of your forensic tools underperforming? Make the switch to BlackLight and save for a limited time.

1

@Cellebrite or anyone else. Is there anyway to generate a report from PA where the attached images are not resized? I got a chatt with over 700 messages that include attachments and our prosecutor want the image viewable with the text...

"....a process which prevents law enforcement from using forensics tools against your phone...." https://arkadiyt.com/2019/10/07/pair-locking-your-iphone-with-configurator-2/

Pair Locking your iPhone with Configurator 2

Learn how to pair lock your iPhone to break law enforcement forensics tools and protect your data.

Thanks! Very interesting @Colman

1

@.karate. were you able to unpack newer Huawei firmware files, those .APP? I'm trying to revive LDN-L21 and can't get it fully flashed. There's always on error on system partition. I was able to write system.img fully via EDL mode, but it's mismatched and it boots into diagnostics mode instead. Old unpacker for Huawei doesn't work on those APP files, 7zip sees the file but can't extract system.img fully. I doubt firmware file is corrupted as it's the same on multipile ones

@Arcain i think you need to convert it into a ext4 image if you flash it via EDL.

7:48 AM

If i remember correct i used simg2img before flashing it

7:49 AM

if you run "file" on the system.img, what is the response? Or if you try to mount it. I dont think you can

7:54 AM

Maybe i was a bit quick on the response. If i understand correct, you cant even extract the system.img from update.app ? Or can you extract it, and it then fails? In my case above i assumed you could extract system.im. Then run simg2img on it, and then flash it

It was never required to convert those files if you extract them out a firmware files, for any brand really. EDL isn't any different that flashing in fastboot or erecovery, it doesn't convert them in the fly. I have a board firmware from AL10 version and partially flashed it with files from there. I get a logo, OS is booting and then black screen and it goes into 9006 mode.

7:56 AM

I can't fully extract system.img from .app file, with 7zip i get unexepected data end

7:57 AM

when flashing with dc-phoenix each time i see "Extracting partition SYSTEM... Erasing SYSTEM partition Partition SYSTEM erased Writing SYSTEM partition sending sparse file 534712284 bytes Waiting for answer... send sparse file ERROR SYSTEM partition UPDATE :FAIL Bogus chunk size for chunk type Raw"

7:58 AM

older .APP files required special app to extract them but this software no longer works on this firmware

@Arcain splitupdate.pl ?

8:04 AM

./splitupdate UPDATE.APP 00000000 ERECOVERY_KERNEL 44.69MB 2019.02.21 15.14.22 00000000 ERECOVERY_RAMDIS 28.97MB 2019.02.21 15.14.23 00000000 ERECOVERY_VENDOR 2.62MB 2019.02.21 15.14.23 00000000 SYSTEM 2.51GB 2019.02.21 15.14.23

8:04 AM

Running on LDN-L21 8.0.0.155(C185CUSTC185D1)

I was using this before HuaweiUpdateExtractor_0.9.9.5

What firmware are you trying to extract?

London-L21B 8.0.0.100(C432CUSTC432D1)_Firmware_Android 8.0.0_EMUI 8.0.0_05015DWV

I sent the script to you in a dm

Yes, thank you

Has anyone conducted any tests with the find my iphone and remote wipes with the new capbailities of iOS 13 communicating with devices that are off? From what I been reading and want to test can someone remote wipe with this new feature?

2

@San4n6 this is news to me do you have a link to the article ?

@Arcain @.karate. just for info.... UMT Qfire can extract update.app without errors....

I don't have this one but script provided by @.karate. did the job as well.

Oh, good.... maybe i can get the script too? @.karate. thanks (edited)

@chrisforensic https://github.com/marcominetti/split_updata.pl

marcominetti/split_updata.pl

Improve split_updata.pl for Huawei phones. Contribute to marcominetti/split_updata.pl development by creating an account on GitHub.

1

A mac maniac that works in the lab was talking about it today. So I will get that info from him

https://ios.gadgethacks.com/how-to/everything-you-need-know-about-find-my-ios-13s-new-app-for-find-my-iphone-find-my-friends-0198393/

Everything You Need to Know About 'Find My' — iOS 13's New App f...

If you've ever used the Find My iPhone and Find My Friends apps in iOS 12 and below, you may be surprised to hear that those apps have joined forces in iOS 13. Now, instead of two separate apps, they're combined into one convenient package. But what does that mean for you and...

2:00 PM

New to iOS 13 is "Offline Finding," one of the best new features in the Find My app. In previous versions of iOS, if your device had no internet connection or a thief turned off cellular data and Wi-Fi, it would prevent you from tracking it since it has no way to send its location. With the new "Enable Offline Finding" switch on, your iPhone will also use its Bluetooth signal to report the device's location to any nearby Apple devices using end-to-end encryption. So if a thief turns off cellular data and Wi-Fi but leaves Bluetooth on, or more likely, if you forget your iPhone somewhere and there's no mobile reception or hotspot to connect to, Bluetooth can still save the day.

@San4n6 Thanks for sharing. They say the offline phone emmits location by bluetooth to other devices... have you found the answer or any indications on remote wipe using bluetooth with other devices coming into contact ?

no I have not had time to test this

5:05 PM

I am assuming its only a location using bluetooth but someone said something different so I just raised the question

5:05 PM

hopefully i can test it

And that question has major impacts

(edited)

@San4n6 @Kramnias I'm currently testing this out. Setup a clean iPhone with 13.1.1 and enabled Offline Finding. Phone was then put in flight mode with bluetooth still enabled. Then logged in to iCloud in a browser and chose erase device. Also tried the Locate device option. None of this has worked - the phone did not wipe and no notifications has come up so far. The phone is surrounded by "live" iOS devices with bluetooth enabled, also running iOS13. Not sure if I missed something or if this feature hasn't been rolled out in my country or if some other explanation is at play here.

3:41 AM

Perhaps the wipe request has to be sent from an actual iOS device and not just from webbrowser on a Windows PC? I don't know. I don't have access to a second iOS test device right now.

I have wiped via iCloud so you set it up correctly. I will try to do some testing here but I do not think its country specific but that could be a thing. Thanks for testing this out since you should be able to locate it at least per Apple.

Oxygen Forensics Detective 12.0 just released. Sounds like a new UI and everything

Anyone have problems submitting search warrant through the Facebook LE portal? I just keep getting the error "There was a problem creating the case. Please try again". Of course there is no number or email listed to contact them.

https://medium.com/bugbountywriteup/whatsapp-delete-for-everyone-doesnt-delete-media-files-in-android-f7912b520b39

WhatsApp “Delete for Everyone” doesn’t delete media files in...

Deleted media files still exists in recipient’s phone internal storage.

Reposting from Steve Whalen of @SUMURI on the IACIS listserv: Hey Everyone, Just some quick advice. If you are using a Mac for forensics do not update to Catalina (10.15) just yet (my opinion only). There are a lot of changes in this build and if you follow the news there are a lot of issues to be addressed. Also, if you have 32-bit applications they will not work. Stick with last version of 10.14 until Apple works out the bugs. Best wishes! Steve (edited)

Hello guys thanks for the add, i will be lurking for a bit. Im particulary interested on learning about cyber-threat intelligence, so maybe i will do some questions in the future. Also being a lawyer i can help with legal questions, so if that would be of any help please let me know.

@BETBAMS: The new offline location with iOS devices only works if you access it from a second iOS device that belongs to you. Since the location is encrypted only your devices can decrypt the location data that is distributed via Bluetooth. So you can

12:59 AM

@BETBAMS: So you can't use the icloud.com website. Also, as far as I know, this Bluetooth communication is only one-way, meaning the device cannot receive a wipe command via Bluetooth.

4

12:59 AM

It just broadcasts its location into the world, hoping for some other iOS device to pick it up

anyone else have an issue with UFED Cloud Analyzer not generating UFDRs

It's always painful to do a UFDR with UFED cloud. It takes long time and then you have to import to PA to recreate an other UFDR with the complete extraction of the cloud and the phone.

@Deleted User Thanks for clearing that up. I guess I need to find me a second test-iPhone. I wonder what my boss thinks about that...

(edited)

Does anyone happen to know what kind of connector this is? I am pretty sure the top slot is for a microSD card.

@Adam Cervellone trying to look on https://www.deviantart.com/sonic840/art/Computer-Hardware-Chart-2-0-587798335

Sonic840

Computer Hardware Chart 2.0 by Sonic840 on DeviantArt

2

7:22 AM

there's a link to the 156mb PNG file below

7:22 AM

not having any luck yet, but passing the link along in case you forgot about this picture

Thanks! That device is a covert camera disguised as an AC adaptor so I am trying to figure out how to see the data. No SD card was in it so it could be empty.

@Adam Cervellone I've used one of those before and they are awesome. Data will be stored on the SD card. That's probably a female end for a proprietary power cable

7:32 AM

Looks like it's trying to be USB-C but it's rectangular

7:33 AM

Those covert cameras have a .txt file on them where you can modify the date/time and a couple other minor settings. They're really cool. Used them in a few fraud cases for stuff like people stealing from money from a cash register, etc

This one was in near a toilet in a funeral home

I also have an iMac in this case too for some reason. I guess the thought is that videos might be on the business's iMac

@Adam Cervellone a reasonable assumption. Hopefully that ends up being the case

Quick question. How often are these covert camera devices used with criminal intent ? And are these cases with a higher degree of sophistication insofar as the technical capabilities of the perpetrator ? (edited)

For those particular covert cameras that are AC Adapters, I think it's probably more acting on their twisted urges than being technical. My grandma could set up one of these successfully. Just insert a microSD card, plug it in, and you're off. They are just very convincing because it looks exactly like an everyday AC Adapter. In terms of how often? I'm sure there are more out there than we're aware of. That's the whole point of them, right?

oh i meant if there any cases which they have been deployed to deliver a sophisticated attack (edited)

11:49 AM

i was thinking more of higher crime not the type that involves a creeper that wants to put this on a bathroom, but more like utilized for exfiltrating sensitive information type of deal

11:50 AM

but that also answers part of my question much appreciated @Andrew Rathbun

1

Let it run. It took hours today for my report to gen on 17GB. It will finish.

long, not overly technical question incoming (sorry): so our big conference room has an old shitty ~60 inch TV in it (no hdmi; more or less broken audio; etc). i have been making the case to get a new one for a few years and recently some bosses were up set that certain things werent working...go figure... The room is used for conferneces, union meetings, case discussions, surveillance operations during some bigger cases, etc. Room is 22' x 28' x 9' with the TV currently and likely to continue to be along the 22' wall. The maximum width for a TV is approximately 85 inches on that wall due to whiteboards which i know they will likely want to keep. Some space at the other end of the room is also lost because it is a pseudo break room with kitchen equipment. my questions to all of you would be do i push for a bigger TV (80 inch) with sound bar (based on audio complaints in the past) or a projector with a larger screen (~120 inch, maybe more; because some details and documents viewed are small) and opt for say some good speakers or sound system of some sort? also, do you have any recommendations on what product to buy or stay away from. we are looking for something solid with standard connections. I am pushing to move away from VGA but want it as an option incase it is needed....but again not manditory. not looking to start some big debate but want to know which you think is more valuable for the money. TV will be generally better viewed when lights are on but it is significantly smaller. I think the TV is the easier route, not that i am installing, but probably will weigh on the decision makers. I also feel like the TV will "just work" with a single HDMI connection where as the projector with separate audio might be an issue for..ahem..some of our seasoned staff. I think i know my vote but dont want to bias anyone here because i am looking at all options.

For a room that size I'd say the TV with sound bar is probably the more reasonable bet. If it were bigger, the projector would be a better choice.

9:25 AM

TV would be lower maintenance for the seasoned staff, too. Lol I like the way you put that

9:26 AM

Get one of those massive ones that slap you in the face when you walk into Costco lol

I would say the TV route as well. Cost will be slightly lower than a quality projector with sound system.

new mac terminal in zsh why not

forensic explorer 5 is relased. pretty cool.

Release notes?

4:41 PM

I used it a couple times and really liked what I saw

http://download.getdata.com/support/fex/documents/forensic-explorer-v5-release-notes.pdf

4:45 PM

new version of fexcli is also out there

4:45 PM

http://www.forensicexplorer.com/command_line.php

Command Line Computer Forensics

Forensic Explorer Command Line (CLI) is tool for processing large volumes of electronic data in e-discovery.

4:47 PM

Nice. I always loved that window on the bottom right. Really underrated tool

now it can use 3rd party tools in fex gui

That is pretty sick

4:58 PM

Nice work @GetData

https://youtu.be/MMyMB4zm9so

Data Is Beautiful

(UPDATED!) Most Popular Mobile OS 1999 - 2019

Looking for a crimes against children detective in Arizona please DM

https://www.reddit.com/r/computerforensics/comments/dh8c0k/whats_the_most_interesting_way_someone_has_tried Really interesting thread

What's the most interesting way someone has tried to hide informat...

Posted in r/computerforensics by u/Tink747 • 37 points and 23 comments

Does anyone have experience with recent Android-smartphone where the internal wifi-adapter can be put in monitor mode (useful for wifi-sniffing) ?

Can be done if its rooted, right?

10:31 PM

also @Andrew Rathbun that reddit post was a good laugh

1

It's not because it's rooted it can be put in monitor mode. The chipset has to support it as well. The problem is that a lot of smartphones use a SoC with integrated WiFi that can NOT be put in monitor mode.

Oh I didn't know that. I assumed most would just support it.

No, only a minority support it.It could be a useful tool instead of using a laptop, Raspberry Pi, ...

Kali has a mobile based distro don't they

yes, nethunter ... but if the hardware doesn't support it ...

Question about mobile device extractions. How are you cataloging all of the folders and files. Here is my situation, my workstation is in another physical location. I transfer these files back to my agency and upload them to a server under the case folder and the evidence item number. It feels like there has to be a better way to maintain these and link them to the cases, is there?

So your setup is Case#\Evidence#\Contents? If so, that's what I've always done, too

8:42 AM

We also have datasheets associated with each phone/computer image that has a lot more details about the dump

Yeah, that is exactly right. Yeah I have my excel as well, originally to keep track of when I finsihed it and if I could go back and get more. @Andrew Rathbun what are your headers on your spreadsheet you are tracking?

I don't use a spreadsheet. We have fillable PDF forms for each device we image where we can specify details about the dump. We also have another form (federal gov't lol) where we summarize all the images for a specific case/operation which gives a high level look at everything dumped. Lots of duplication of effort but it is what it is

Gotcha! TY

I do also keep a spreadsheet on the side that keeps track of the stats the bosses ask about a few times a year (duplication of effort but it helps in the long run), like amount of data analyzed, how many devices, etc

For sure. Yeah, that is my go to for pivot tables / quick graphs when I am creating a proposal. Presenting visualized data is pretty powerful when I am going to ask for something.

I have a software question for you folks... My office currently has an active license for Blacklight and Axiom. My FTK just expired but I haven't actually used it except to blow an e01 back onto a drive in the last six months. Am I missing something huge with FTK? It has always seemed to be more complicated and less forgiving than Axiom. I don't think Axiom is perfect but it's pretty good from what I've seen.

9:28 AM

I have been considering spending that FTK money elsewhere

9:30 AM

mostly i was thinking about OSForensics from a demo I saw recently. I've had forensic explorer in the past but only used it to live boot acquisitions so that has since lapsed as well

I have used most of the traditional software and they all have the pluses and minuses. I am most familiar with FTK. I am transitioning to XWays, as soon as I can get some training on it. It is lightweight and powerful. I will keep my FTK and Axiom licenses as they are good tools.

@whee30 if you had FTK money to spend, what would you buy instead?

I want xways but have no formal training on it other than NW3C stuff around six years ago. I feel like verifying data in the hex would be way easier in xways than axiom. I like some of the features of OS Forensics but have never actually used it.

X-Ways is like 20mb. That's insane lol

the FTK renewal would cover either one but not both

I'd suggest checking out ForEx too. Get a demo

never heard of forex, i'll go look. I also liked semantics21 but I don't JUST do CAC investigations and that tool seems to be specifically geared toward it

ForEx is made by @GetData. Get a demo and see if it'll fit your needs instead of FTK. They have a cool live boot feature too. This message is not sponsored by them lol but it's an overlooked tool

9:56 AM

Price should be more wallet friendly too

oh forensic explorer - I had it but i didn't "get along" with it

9:57 AM

for some reason I couldn't get into it. I liked the live boot feature a lot and thats all I would use it for

9:57 AM

My license on that lapsed two weeks ago

9:57 AM

I can still use the old version as long as I don't update, AFAIK

@whee30 we have been using FEX for 3 years, you can buy 5 licenses from @GetData for the price of 1 ftk license. pretty fast and has many features. i'd check out v5. (edited)

1

Galaxy Note 8 question, i have a N950U that is locked and lock pick would not work. I see that the N950F has a physical decrypted bootloader but the prompt says to go to recovery mode wipe the clear partition and and proceed. If it fails to boot to use the Exynos recovery.

12:58 PM

My question is it appears both phones are using qualcomm snapdragon chips. If i use the N950F profile on the N950U clearing the partition will i wipe the phone ?

1:00 PM

Never mind appears another website is saying the N950F does use the Exynos chip not the Snapdragon like phone scoop says it did.

[UK] with ACPO being effectively moved to NPCC, does anyone know if they ever revised the DF Guidelines?

maybe someone can help me out.... I am trying to generate an export list using Xways. I have found all deleted files and I am ready to generate the report. I noticed that Xways, prior to export, recreated original names of deleted files, so I thought, great info. However, once I exported the data to the report, the original names were not included in the exported report. Anyone dealt with this before? Is it a simple setting that I am over looking? Any help would be appreciated.

Anyone going to be at OSDFCon tomorrow?

@JaiRoc I think @San4n6

@whee30 are you aware that BlackBagTech has a buyback offer running at the moment, you can exchange your FTK or Axiom/EnCase license into another BlackLight at a discounted price. https://offers.blackbagtech.com/buyback2019?utm_campaign=Buy%20Back%20Program%202019&utm_source=hs_email&utm_medium=email&utm_content=77674666&_hsenc=p2ANqtz-_hr2rAgU0ZmodW0awlWPm1o3ijrP6eaeWifWdtZtSJPSrFxhEW-AG534kv40oQGFpojJRRVIoYPpHK52IE1vvi2x8taw&_hsmi=77674666

Make the Switch to BlackLight

Are you tired of your forensic tools underperforming? Make the switch to BlackLight and save for a limited time.

@Semantics 21 (Tom) Thanks - but I'm a one man department and I already have it

@whee30 no problems, Xways and BlackLight is a great combo

Does anyone have a good guide to follow, that will explain how to recreate an unknown Raid configuration?

Hello i have a quick question, i was exploring the filesystem permissions for a chinese made phone, why would the camera have access to the android.fingerprint_manager ?

Maybe because the camera is tied in with biometric authentication (face)?

hm, this device doesnt have that authentication method

also this is a very interesting case https://www.canlii.org/en/bc/bcsc/doc/2017/2017bcsc676/2017bcsc676.html

@UnholyHeresy I read through most of it, basically defense complained about grabbing surface level pdf screenshots of a facebook account and said that prosecution can't rely on it because it doesn't collect every item in their original forms... despite later obtaining a copy of the items from facebook?

10:15 AM

looks like all the evidence was upheld unless I'm reading it wrong

@whee30 Indeed, also to be note that when transferring said files the format of the files could have changed thus potentially altering the properties of the evidence due to improper handling, the defense also recurred to an "expert" on the digital forensic analysis that validated the improper handling claiming that for evidentiary purposes software such as X1, Inspector Hunchly, Webcase could have been implemented and given the capability of hashing the file the evidence could have been better preserved (since you can ensure nothing change by comparing hashes)

10:29 AM

the part where they argument that Awesome Screenshot is greyware and thus seemingly not a reliable tool to obtain said evidence really catches my attention, this means that defense can opt to attack and discredit tools if they aren't from reliable source

Assesing evidence loss due to unacceptable negligence Canadian law: "The police cannot be expected to preserve everything that comes into their hands on the off-chance that it will be relevant in the future. In addition, even the loss of relevant evidence will not result in a breach of the duty to disclose if the conduct of the police is reasonable. But as the relevance of the evidence increases, so does the degree of care for its preservation that is expected of the police."

10:38 AM

I did not expect Canadian jurisprudence to be this fascinating to be honest, but if i get my hands on something similar i would like to share with the server if it is ok

anyone in the NYC area? any good conferences going on in the area these days upcoming?

Anyone deal with ADT for obtaining video footage? Can not locate contact info. Their app is “Pulse”

ADT Security Services Online Service: ADT Security Services Online Service Address: 3190 S. Vaughn Way. Aurora, CO 80014 Phone Number: 888-238-2727 Note(s): ADT onlyaccepts subpoena by mail. Last Updated: May 2019

11:08 AM

@dmac

11:08 AM

source: https://www.search.org/resources/isp-list/

SEARCH

ISP List

The only way to contact them is by mail?!

I would call them at that number listed above

11:09 AM

and go from there but sounds like for legal process it's by mail only. I'm sure a human on that line can confirm

11:09 AM

Search.org is typically kept up to date by their userbase

11:09 AM

I know I always send updated info to them when I get it

Awesome, thanks!

@pop_scotch might be worth asking in #training-education-employment since that's where most of that conversation occurs so it doesn't get lost in the shuffle

https://twitter.com/gleeda/status/1184582659894329345

Jamie Levy 💻 (@gleeda)

It’s alive!!! https://t.co/BUAetxuRZw #dfir #memoryforensics

Likes

119

1:03 AM

Volatility 3.0 released on GitHub

1:08 AM

Public beta, I should say

Anyone good with Hopper v4 I need a way to get Str list to a text file. I am sure this might be a limitation of the free version

7:33 AM

So might go to ghidra to do so

disregard got it with Ghidra

What are people’s thoughts on ISO17020 and it’s impact on DF?

I got a heads up that I have a gps tracker waiting for me at work when I come back. Anyone work on one in the past? The advert for the item claims no data is held locally. I’ll dump the sim of course and I would assume serve a warrant to the company. Anyone know how to work one of these devices? https://get.spytec.com/gl300-buy-now/?campaignid=2061031431&adgroupid=81774494811&keyword=&matchtype=&device=m&network=u&targetid=pla-784875518581&gclid=EAIaIQobChMI3q_f-I2q5QIVYRitBh2vCAboEAQYAyABEgKdu_D_BwE

GPS Tracker for cars, people, and property.

@whee30 this tracker is quite popular and has the ability to send UDP tracking data to a server so it has some sort of OS. I have never taken one apart but I have used them before

1

3:10 AM

You can command them over SMS or IP

3:10 AM

You can program them so there is NV storage

LE Question: How are your departments storing evidence files that are bigger than will fit on a blu-ray disc? We have been in the past keeping evidence on a per case basis but this is getting costly to buy a 64GB or 128GB USB for every case that won't fit on a blu-ray.

@ds275 do you segment your image files?

no, but that has come up as an option.

That may be your solution then. do 2GB segments on your image files and then bundle the blu-ray discs together and label them appropriately. So disk 1 has E01-E10 on it. Disk 2 has E11-E20 on it, etc

7:44 AM

Just an idea I pulled out of nowhere. Never done that but it makes sense to me

With the newer technology of cell phones, even our Cellebrite reports are up over 40GB's.

Do you have to store your generated reports on a blu-ray? Or can you just store the images and generate the reports any time in the future? Maybe that's an opportunity to change from storing reports. Unless the generation of the reports at the time of the analysis with the version used is important to you

7:46 AM

For instance, I never store my generated reports because they can be generated again in the future, if needed.

7:46 AM

But every shop is different and there's nothing wrong with either method

That's why I am asking around. We are re-evaluating our whole system now. Trying to find out what other LE agencies are doing.

7:47 AM

I was wondering if anyone is using an 8TB NAS or something similar to archive evidence files from different cases?

My previous agency did not segment image files. Looking back on it, it probably would've been better to as it gives more flexibility for issues like what you're bringing up. Also, if you're transferring a 100GB image file from point A to B, at my old shop, if that file transfer fails halfway through, I have to start all over. At my current shop where we do 2GB segments, I still have 50% of it done and I can resume it after I reinitiate the file transfer

7:48 AM

I have a 24TB NAS right now to store working copies of images

7:48 AM

We store all evidence copies of images on HDD's until the cases are adjudicated

7:48 AM

Then they get wiped multiple times and thrown back in the pile to be used again

We store working copies but we are required to put copies of images in to property control on a per case basis.

When I acquire the initial image, it goes on an HDD which is the best evidence copy (original evidence). I then make a copy of that segmented E01 onto my 24TB NAS which I do my analysis off of. We have a massive supply of 2TB WD Black HDD's for evidence purposes and working copies, if need be. We just store everything on HDD's so they can be entered into evidence and evidence transactions for those particular evidence images can be completed as necessary

We did 650 units last year so you can see why it could get costly.

units meaning cases?

no, individual items

Oh gotcha

7:54 AM

I try to cram as many evidence items on an HDD as possible, within reason, and just ensure the evidence label on the HDD accurately reflects which images reside on the drive

7:54 AM

otherwise I'd be using 30-50 HDD's per case lol

I just did an iPhone with 220GB's of data, not sure where that one is going just yet.

Depending on your datasets, maybe it's more economical to purchase many of these? https://www.amazon.com/Black-Performance-Desktop-Hard-Drive/dp/B008968L6M?th=1

7:56 AM

55 bucks for 500GB

7:57 AM

If you can consolidate evidence images it may end up being more economical, but just spitballing here

I second the segment image files, makes life much easier. I use a 24TB NAS for current work, and archive to HDD until retention period is over.

What would cause our small business server from handing out the wrong ip addresses?

What are you all doing for large PC hard drives with ~1 TB or more? Are you still storing full images? argeted collection?

9:01 AM

*Targeted

I would say you can use something like kape to extract specific items for the exam.. However you should have an image saved somewhere until case is complete/adjudicated

9:06 AM

We have enough storage so I just create images

9:06 AM

last case I had 20 TB of crap to go through

@tracedf if I'm on site and I have to image 20 of them before I can go home, definitely make logical images of the ones I can and only take physicals of what I can't get away with not doing a logical on (i.e. having to rebuild databases or wanting to virtualize later on)

a nas with deduplication would be cheaper as long as you don't encrypt yor images (edited)

I have a redundant 600TB SAN array where I store our working cases. I'm working on pushing archival cases to AWS gov glacier

1:33 PM

encrypted of course

1:34 PM

I think a large network storage drive is great for working cases but archival is the troublesome part. Storing on USB flash drives is a nightmare and extremely costly. I'm still looking for the best answer to the problem myself

Where should I link a server that I highly recommend joining?

@Tyføøn hit one of the mods to have them check it out and add to the resources

Yep just did that @Krisaytha he’s sharing it in dfir resources

Go ahead and post it here @Tyføøn

2:51 PM

I posted it in #dfir-resources

https://discord.gg/Azwvt7d

Looking for help on an extraction of a Galaxy J7 Crown (SM-S76VL). I have done an ADB partial extraction with Magnet AXIOM with no problem, but I seem to be having issues with Cellebrite UFED Touch 2. I attempt to start the extraction and the Touch 2 reads the device, showing the preview of the device. When the Touch 2 begins to start the extraction I receive an error stating the Touch 2 can not connect to the device. "Extra info read failed". I have tried a generic Android profile, Generic Samsung, and other J7 profiles and the same issue occurs. I am using the same cables I used for the AXIOM extraction, so I know it is not a cable issue. Anyone ran into this issue and have a solution?

@ppd-det i don’t have a solution for that specific error. But you could backup app-data with adb from outside Ufed and then import the backup ( adb backup -all -shared -system -keyvalue -f backup.adb ). The bad part about that is that you’re gonna miss out all the data their agent gets.

the "extra info read failed" just means that UFED could not establish a ADB connection with the device in order to install the client app

in Axiom, I have it saying "some information about this item cannot be displayed" and to LOCATE SOURCE

2:03 AM

anyone know what the source file might be

2:04 AM

I did move it to network storage

2:04 AM

so I'm sure it's lost its internal paths or something

yeah could be that you had a short disconnect

2:04 AM

so you want to locate whatever raw data file was decoded

just curious if it means the E01, or maybe the attachments file within the case

2:04 AM

ahh

should be the e01

yeah the evidence information there at the bottom says exhibit.e01

2:05 AM

so that'll be it then

2:05 AM

ah, nevermind, there's a hidden little dropdown that tells you the source file

so I found it, easy peasy when you're not half asleep

2:06 AM

ty for the assistance

anyone know how to get Nuix to reliably process E01s

every other tool handles it fine, it's just Nuix decides to process them as files themselves, instead of realizing they're image files

think maybe I get it, it's temperamental and will only accept E01s made by specific software

nevermind, it won't even take an X-ways produced E01

@Sudo When you add evidence, try Add Folders, and select the folder which contains the E01 (if you haven't tried already!)

Does anyone know if Cellebrite Premium supports LG zone 4 model number LM-X210VPP? It's in a secure startup and regular cellebrite can not bypass the lock.

yeah tried that

found out the problem

12:41 AM

apparently workers should have a minimum of 4GB assigned to them

12:42 AM

(though Nuix default is 1GB so, how it's the minimum I don't know)

@Sudo ahhh glad you sorted it. Even on NUIX workstation, we have to bump the memory up as the default is far too low

yeah

1:24 AM

I already did bump up the application memory

1:24 AM

which I think was 1GB too

1:25 AM

but evidently the workers also need their memory allowance upped too

I have an iPhone that connected to a device via USB connection. It appears to have generated a unique number consisting of 24 characters (numbers and letters). I believe this is generated by the iPhone and not the vehicle when it's connected by USB. Anyone know what this is (USB Serial number?) and any value without the actual device?

@RBegs2637 https://www.theiphonewiki.com/wiki/UDID perhaps?

UDID

6:12 AM

Not looked at it in the context of vehicles, but UDIDs are found on computers that have connected to iDevices

6:15 AM

If that is what you're seeing, a UDID can be submitted to Apple who can then provide more details about the device

@OllieD Familiar with UDID being (40) characters, but this is only 24. Told this is generated by the iPhone. Other iPhones connected generated their own unique number.

6:26 AM

@OllieD ....actually I believe the new UDID is 24 characters??

As of September 2018, new iDevices generate a 24 character code

6:26 AM

Exactly

6:27 AM

Normally it's displayed with a hyphen (making it 25), but if you can see 4 leading 0s, its probably a new format UDID

Yep, thank you!

As it null pads the chip ID

6:27 AM

no problem

6:27 AM

https://www.bleepingcomputer.com/news/security/discord-turned-into-an-info-stealing-backdoor-by-new-malware/

Discord Turned Into an Info-Stealing Backdoor by New Malware

A new malware is targeting Discord users by modifying the Windows Discord client so that it is transformed into a backdoor and an information-stealing Trojan.

8:06 AM

There is malware targeting Discord

What would cause the os not reading a dvd drive. The drive has power and you can hear the disk trying to be read but the computer will not read the actual drive.

Hey guys, Cellebrite is conducting its annual Industry Trend Survey. The survey asks about the challenges you and your agency face and what is important to you in your investigations. I would welcome you taking the time to complete our survey. The survey will take ~10 minutes to complete. Please click here: http://bit.ly/CellebriteIndustryTrendSurvey With more than 2,700 respondents last year, this survey has quickly become an essential resource for providing insights into the use of digital data in investigations and your input is essential. Once our survey results are compiled, we will be sharing those results with all respondents. Thank you, Shahar

2019/2020 Industry Trend Survey

Take this survey powered by surveymonkey.com. Create your own surveys for free.

4

Hello everyone! I am going to do be doing some training for another agency next week and was wanting to get them hands on with @Cellebrite Reader. Does anybody have a good UFDR that they use for training or could be used for training?

@goalguy That's a really good question! I'd be interested in that. I wonder if @Cellebrite peeps have one?

See I’ve always generated my.own test data

@Cellebrite support said they did not.

@goalguy Could always just push them towards the UFDR training on the Cellebrite Learning site. It's free and takes it off your plate.

4:56 PM

@goalguy or just find a department phone and dump it. I'd recommend using a phone that was issued to someone with Sergeant stripes or higher, to avoid disclosing any actual case work.

1

@goalguy, what you define as a good UFDR? UFDR with many different models? UFDR with lots of apps?

@deepdive4n6 the UFDR training from Cellebrite will be their follow up training. @alona Mainly looking for one that has a good amount of data to show all the different items that were parsed.

1

that discord thing is interesting, my personal discord has been acting odd lately

3:20 AM

not that I recall doing anything that would result in it, checking though when I get home!

Hi. I have something like 2000 Facebook IDs that i need to associate to vanity names...anyone knows of a method/product/script/... that can do that in bulk???

Anybody have issues with @Cellebrite PA 7.24.0 crashing when creating a UFED Full Reader of a Apple iPhone full filesytem ? Twice in a row my computer black screens and freezes and I have to manually restart. It creates a Tmp file that says "donotzip" its about 20 gb in size and obviously did not complete. Both the extraction and PA are on the same SSD as Cellebrite recommends.

@DCSO i just had one that was 280 ish gb and it was fine. took forever, but was fine. extraction on internal ssd (or m.2 to be more precise) and report generated directly to an external drive.

@kmacdonald1565 , I have Cellebrite installed on a SSD and the extraction on the same drive. Thats what they recommended recently but i'm open to something else. Right now i'm uninstalling Cellebrite and trying to do a clean install vs an update ?

honestly couldnt tell you...if i can, i almost always opt for a second PC to try it on but thats just me. i was just saying that i had an unusually large (for my dept) GK full file system that worked. computer is one of our beefier ones, but nothing outlandish at all

12:59 PM

a clean install is always worth the effort as long as you dont mind setting it back up

I wonder how many have downloaded this app and used it? "Privacy Friendly PIN Mnenomic is an Android application which can provide strategies to memorize a 4-digit PIN. Therefore it determines whether the PIN forms a T9-word, underlies a mathematical rule or forms a date or year." https://github.com/SecUSo/privacy-friendly-pin-mnemonic

SecUSo/privacy-friendly-pin-mnemonic

This Android Application provides strategies to remember 4-digit-PINs - SecUSo/privacy-friendly-pin-mnemonic

Happy Monday all

if you say so

6:32 AM

6:35 AM

my happy monday begins about 5 pm

3

4

hey - quick question that I feel like I should know the answer to. I am trying to restore an e01 to a drive to be released to defense for reasons. The drive provided by defense is a 4TB external, the suspect acquisition is from a 4TB internal. I'm guessing there's a slight difference in capacity because FTK says my destination is too small to hold the source, despite advertised capacities being the same. The suspect drive has open space, of course, so the actual data minus unallocated should fit easy peasy. How should I proceed?

11:40 AM

the difference is around 2kb

I would provide them the e01 file. Their expert or now needed expert will work from that. Easy to show the files were not altered as well.

1

its not for examination, it's just work files. Was thinking about mounting and doing a logical acquisition, not sure if there was a faster way.

So it's just work product? If it's going to a defense expert, just leave it as an e01. If it's going to a lawyer for review, mount it and export everything. If unallocated space doesn't matter, that should be fine I would think

1

yeah - its going to defendant to run their business in the meantime per the prosecutor

Oh, I gotcha. Depends if they need it to boot or not. The above should be fine if they don't need it to boot (since it's an external, I'm guessing they just want the files).

yeah - I already finished the OS drive, this is just the big data drive. I'm making the image now, was just asking in case there was a faster way to deal with nearly 4tb of data!

12:09 PM

thanks for your help

Workstation specs question. What is everyone thought about i7 vs Dual Xeon? My agency is looking into getting us new workstations and I am wondering what specs are people using.

You using them for phones, computers or both? Phone extraction / decoding software right now works a lot better with higher single thread performance, and isn't massively multithreaded. That might change but right now IPC is more important than cores on phones. With computers its a bit different

Both. Computers and cell phones.

I think its also misleading in some ways to only think about the processor. Certainly for most forensic software applications now (excluding X ways to some extent) you also need a decent amount of RAM and probably most importantly decent fast storage and depending on the type of applications you want to use, seperate storage arrays for storing different kinds of data (eg one for database, different one for temp data, another for evidence files etc)

6:05 AM

You can have an intel i5000 and its going to be crap if you have 8 GB of RAM and a couple of Seagate 7200 spinning disks (edited)

6:05 AM

also same goes with network speeds, if you are reading and writing across to network storage systems

I understand. We will get about 64 or 128gb of RAM with multiple bays. No network for us. Just curious about pro and cons of different types of processors.

Yeah fair enough

6:12 AM

I think definitely decent storage makes a big difference

6:12 AM

Often that or the network which becomes a bottleneck during processing

We try to make sure to have enough storage on different drives to avoid the bottleneck.

1

I'd be inclined to put more money into storage rather than to upgrade to dual-Xeon vs an i7.

@gt530 i7

1

11:01 AM

we have both, i7 is better than xeon in terms of forensic software

11:01 AM

unless you plan to use nuix

Just in case you missed it - The annual Industry #TrendSurvey is now open! We want to learn more about what’s important to your #digitalinvestigations and the challenges you and your agency face. The survey will take ~10 minutes to complete. Please click here to complete: http://bit.ly/CellebriteSurvey

2019/2020 Industry Trend Survey

Take this survey powered by surveymonkey.com. Create your own surveys for free.

@Cellebrite where's the best place to contact for services like CAS?

@Sudo https://www.cellebrite.com/en/cas-sales-inquiry/

Cellebrite

Advanced Unlocking & Extraction Sales Inquiry - Cellebrite

thanks

Regarding the recent forensic workstation build question, an email from Cellebrite today had the following: Did you know that Cellebrite has it’s very own – Digital Forensic Workstation? Black Tower with 12 Bays with exclusive top mounted docking station with high speed top mounted imager with: • Power Supply: 1300/1350 Watt Modular • Chipset: Intel® C621 chipset • Processor: Intel® Dual Xeon Silver 4208, 8-cores/16 Threads, 2.1 GHz/3.2 GHz Turbo Speed, 11 MB Cache with liquid cooling • Integrated LAN: Intel® Dual Gigabit LAN Controller • Video: GeForce GTX 1650 PCI-E 4GB GDDR5 memory• Sound: 8 Channel (7.1) High Definition Audio Codec with optical S/PDIF • OS Drive: 512GB M.2 NVMe SSD for Operating System • Temp Drive: 512GB M.2 NVMe SSD for Temp Files • Data Drive: 4TB 7200 RPM Enterprise Class HDD for Data, Mounted in 3.5" Hotswap Tray • High Quality Whisper Quiet Fans throughout the unit • 1 x 2.5" Hot Swap Bay with 4 Removable Trays for 2.5" SSD/HDD • Windows 10 Pro • Tableau write blocker • Cellebrite Extraction Bay • 16X BD-R/BD-RE/DVD±RW/CD±RW Blu-ray Burner Dual-Layer Combo Drive • Standard 104 Keyboard and Optical Mouse • Integrated LAN: Intel® Dual Gigabit LAN Controller • Forensic Card Reader - Read Only (SD and MicroSD Cards) • 5 Year Warranty

3

@Law Enforcement [UK] does anyone have documentation around CPS and the handling of indecent image jobs, particularly surrounding police not being tasked to pick out files to return

7:55 AM

nevermind, found it, easy to find dunno why he said it wasn't

@Andrew Rathbun I emailed Cellebrite back asking for a quote but I havent heard anything yet.

Greg when did you reach out?

I emailed yesterday.

10:51 AM

Yesterday, I got told to get quotes for new workstations by the end of the month.

@gt530 did you contact @SUMURI for a quote on a Talino?

One of my coworkers did get a quote from Sumuri.

https://www.computerforensicreviewsonline.co.uk/

CFRO - Independent Reviews of Forensic Hardware & Software - Home

is a full-service IT consulting agency based in Lowestoft, . We apply unique technology solutions to your small or medium-sized business.

11:34 AM

New website recently created. I saw Steve Whelan posted it in one of the DFIR listservs. Will be interesting to watch the site evolve

Hi Everyone. Hope you are all well. I need a little bit of guidance with Axiom... We had a sudden death a few weeks back. We think he played alot of games online and used his computer heavily. The investigator has asked whether we can easily determine USER usage vs Normal Computer Functions within the logs. He had his computer running constantly for months. No shutdowns. No hybernation or even sleep. This is to assist the coroner to determine approx time of death. His body wasn't located for 3-4 weeks after his death so autopsy wasn't able to be performed to determine cause of death.

@Gumpoo how about browser activity? See when that stops

Yep. We've looked at that. This guy was a big gamer that uses steemit. The investigator wants to get an idea of his gaming habits.

He probably has a Steam account. That should potentially show when he was last logged on but I suspect he probably left it open and thus that might not be helpful. Just spitballing here

12:33 PM

Also, if he's a big gamer, he probably has Origin, Epic Games, Blizzard, etc. Community profiles for those distribution platforms might have last active timestamp somewhere

1

maybe Win10 Activity Timeline is of use?

1

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps should show which apps were most recently open. Hopefully there are some timestamped artifacts of interest there

1

@gt530 I just spoke to @danmiami0001 about this, it is going through out Training Dept, I'll make sure they get ahold of you

2

Thanks Team. Really appreciate it... I love it how Digital Forensics is just never ever ending learning!! lol

12:50 PM

Yeah he used Steam heavily and seems to be running in the background pretty much constantly

@Gumpoo If he plays games then I can imagine lots of games might potentially have logs that would allow you to tell when they last were active

4:29 PM

like online games will typically kick you after a certain amount of inactivity

4:29 PM

Seems like you'd have plenty of other options though

maybe screen saver/lock screen event logs?

4:55 PM

screensaver invoked, Event ID 4802 screensaver dismissed Event ID 4803 console locked: Event ID 4800 console unlocked: Event ID 4801

4:56 PM

@Gumpoo

@Cellebrite You held a webinar yesterday on EDL, is it possible if we can have a copy of this webinar to watch? Updated - See below. (edited)

12:09 AM

We had someone at office ready to watch at 4pm (London) - unfortunately she saw the last 3 minutes of webinar! I guess you guys forgot that we had our clock turned back 1 hour recently! lol (edited)

@pacman Maybe Cellebrite can post the Link of the Webinar for all people here? This can interrest many people here

Has anyone ever collected/preserved a Pinterest account? It doesn't look like they have an option to do a data export without emailing them and waiting 30 days. Axiom and Cellebrite Cloud don't seem to support it either.

Kind of a weird question but I'm away from my resources on this atm, can you see hard drive model in volume information in windows

12:15 PM

i.e. if you had seized a computer with the hard drives removed after being shut down what could you determine about those drives

https://winaero.com/blog/find-hard-disk-serial-number-windows-10/ would be my response to your first question

Find Hard Disk Serial Number in Windows 10

A serial number is a unique number assigned to the hardware by its OEM. You can find your Hard Disk Serial Number in Windows 10 using the built-in tools.

Ah I know I can see that information but is that from Windows querying the device?

12:16 PM

For example speccy shows this but it seems like it might well be coming from the drive rather than registry or similar

12:17 PM

Love Speccy, btw, cool program

1

Incidentally there was an eric zimmerman or similar cli tool that showed volume information

12:17 PM

and i can't remember what it was called

HKLM\SYSTEM\ MountedDevices

12:18 PM

in Registry

12:18 PM

Probably Registry Explorer you're thinking of

doesn't seem to have a very detailed bookmark

https://www.nirsoft.net/utils/device_manager_view.html

Alternative to device manager of Windows

Alternative to the standard Device Manager of Windows, which displays all devices and their properties in a flat table.

12:26 PM

try this

12:26 PM

find a drive then open in RegEdit

12:26 PM

via right click

Does give the model name, which is helpful

12:31 PM

this is actually because I'm considering doing a project for alternative methods of doing stuff like this

12:31 PM

for school

12:33 PM

basically you want to know if a busted drive has been inserted into the computer: you have the disk but can't use shellbags or UID or whatever to ID because it's broken

12:33 PM

so using stuff like size available which may vary between iterations of the same product

For my Texas DFIR peeps out there: we're looking at moving to a cloud solution (Azure) to archive our case data from a local server-based process. During discussions, it has come up that some of our data contains illicit images/videos. We already encrypt our case data (AES256 via zip store) with a password being randomly generated and lengthy. However, there is concern that we still cannot legally transfer those images across the internet regardless of their encryption. I know that we cannot be the first agency to explore this option so I'm reaching out to find others that have already plowed this field and have the answer as to the legality in the form of hard documentation (ie. an AG's opinion or case law or something legally firm). We've been told that, until we get a firm legal standing, we cannot move forward with any off-site storage plans that involve the cloud. Thanks in advance.

Anyone know if Discord app or Roblox stores anything of value? Chat logs, friends, servers visited ect

From my limited testing a few months ago Discord was server side only but I'd love to be proven wrong! Didn't dig into it too far back then though

I though as much. Thanks

Robox is an interesting one

Many thanks to @Cellebrite, I really enjoyed the Summit. The evening was filled with plenty of fun and games. I particularly enjoyed the customer panel. It was a great idea.

1

4

https://www.forbes.com/sites/daveywinder/2019/11/02/smartphone-security-alert-as-hackers-claim-any-fingerprint-lock-broken-in-20-minutes/

Hackers Claim ‘Any’ Smartphone Fingerprint Lock Can Be Broken ...

Three audience members, three different smartphones, twenty minutes and just one result: all fingerprint security can now be compromised, Chinese hackers claim.

Anyone from @Cellebrite around for a quick CAS question via DM?

Which is the best channel for a question about converting dash cam files to regular videos?

@Gwaihir Scout #multimedia-forensics or here, really. Either one works

Thanks

General is a catch all but I know some subject matter experts may only monitor certain channels

Ok. I asked the question down there, but if anyone here knows how to convert Panasonic Arbitrator AV3 files to normal videos, please let me know.

https://www.ynetnews.com/articles/0,7340,L-5618901,00.html

'I sleep well at night because I know for whom I work and whom I s...

Even though it helped solve 2.5 million criminal cases this year, Israeli Tech Company Cellebrite is still mostly known as the 'iPhone cracker'. Co-CEO Yossi Carmil talks with YNET about extracting information from digital watches and drones, AI in service of the police, and ...

2

If I have a phone number, is there anyway I can find out the subscriber and the provider

@spoon1997 http://www.fonefinder.net/ for provider

Fone Finder query form

Telephone search engine that returns the city, state, and country of any phone number in the world.

12:18 PM

You might want to see about any resources posted in #osint for the subscriber. There may be something there, perhaps.

12:18 PM

I always used to run the phone numbers through Facebook and I used to get hits all the time but I'm not sure if that has changed or not

@Andrew Rathbun @spoon1997 If you are a LEO you can sign up with Zetx and use there free service. https://phonelookup.zetx.com/

ZetX - Free Phone Number Lookup by ZetX.com

Start your CDR Mapping investigation with ZetX Free Phone Look Up and access current provider information and search warrants.

Thanks

S7- running what i believe is Android 8 G935V , looking at the list i see one person that was able to get it locked but not showing the method. We have tried Lock Pick and disable lock etc, bootloader with no luck

@DCSO EFT-PRO has support for it. Depending on what version of firmware it’s running. SM-G935V_U8_8.0.0 SM-G935V_U9_8.0.0 SM-G935V_U10_UA_8.0.0 Boot into recovery and check what firmware you have. In most cases they flash an eng-root. So you could also check online if you find one.

2

@.karate. Good to know, of the tools we don't have. Something worth investing in ?

1:41 PM

I believe its running Android 8 via Sammobile.com they don't have the exact firmware but its simular to all the version 8's

Has anyone done the AX250 AXIOM Advanced Computer Forensics training? I used IEF for years and Axiom a bit, wondering if I could use it to learn Axiom better as well as what's on the course

I think one of my colleagues did some Axiom training @wibblypigftw

4:21 AM

he said it was good

4:22 AM

it definitely covered the tool itself, whether it was the Advanced one or not I'm not sure

thanks @Sudo

Anyone know if Cellebrite licenses work for old software after expiring? Still working on renewal and cutting it close. Might be a few days overlap. Curious if I am out of a tool or just don't update for a few days?

11:53 AM

@wibblypigftw my partner did their classes and couldn't speak highly enough about their vlive program. It was good stuff.

@wibblypigftw I'm on the training passport now. I'll be taking it in the next couple months. I've done 2 classes and have 5 more on the docket before end of January. If you can swing it, get the training pass and just knock out all the courses.

11:59 AM

Looks like I'm taking AX250 in mid-late December

@Palazar82 I'm interested in the vlive stuff - I enjoy the networking at a live course but it's a lot of extra expense and hassle. Glad to hear it's worth doing. @Andrew Rathbun it's a good deal isn't it? Hopefully I'll be able to sell it at work. Are you doing live or vlive?

@chiefcham care to elaborate on your exp with the V-Live and if you took AX250.

@wibblypigftw virtual

@Palazar82 If your Cellebrite license expires, you'll still be able to use the software. Just can't update if the updated version was released after the expiration date.

Thank you, I thought that but wasn't positive.

I’ve done the virtual at your own pace AX250, couldn’t recommend it enough if you dont have time or budget to go in person class. Great hands on activities and videos were great with reinforcement assignments at end of each chapter. I liked that it went over their tool but did general forensic knowledge as well as explaining different artifacts and switches and things to look for and where to find normally overlooked artifacts.

That sounds great, I'll see how the request goes

Morning everyone. I'm curious if anyone had any dealings with iOS log entries, in particular with CommCenter/com.apple.datausage.telephony and voiced/com.apple.datausage.accessibility. Both entries were found in DataUsage.sqlite on iOS 12.4 with data shown as sent and received. I'm currently dealing with fatal collision case where those entries were made by the handset's OS and I can't explain if they relate purely to OS automatic processes or are user initiated. Thanks. Any suggestions much appreciated.

Does anyone have LE contact information for Slack? Basically everything I'd need for a preservation letter

3:44 AM

Search.org ISP List has nothing. Will be looking to add that information once I acquire it. I also sent Slack an email so hopefully they respond in a timely manner

I contacted Slack and they got back to me. For future reference, refer to Search.org's ISP List. I sent them an email with the information I gathered so it will be there sometime in the next day or two

1

Anybody here use @Cellebrite Analytics and willing to help me out with what I would think is a simple task?

anyone have luck with an alcatel 4044V?

@geekwithgun Those should have the 8909 which means they can get physicals with UFED through non-decrypting qualcomm EDL. Some you can hold vol + & - while connecting usb. Others you may have to force EDL with emmc faults. Being that they run KaiOS though only FinalMobile has some scripts to parse the data.

11:16 AM

@geekwithgun and i think the new v12 of Oxygen supports KaiOS too

@goalguyI have forwarded your request to the CLB US team, in any case you can also email support@cellebrite.com and that will open a case for you!

@goalguy what you trying to do

I have always found that what someone describes as a "simple" task, rarely is.

3

1

Hashset question, is there any known 'good' up-to date hashset lists for Android/iOS devices, that mainly filters out system files/known emojis etc.... that people use once an extractions opened using, for example ufed PA?.. I know PA has its build in hashset.db, just interested into seeing how people manage running their own/or collected hashsets?

No idea how good it is on Android/iOS device (I don't personally use it), but you could check out https://www.nist.gov/software-quality-group/national-software-reference-library-nsrl

National Software Reference Library (NSRL)

Welcome to the National Software Reference Library (NSRL) Project Web Site. This project is supported by the U.S...

1

I was going to suggest the same thing. I use it but I haven't really dove into what exactly is filtered out. I use the Modern, iOS, Android, and Legacy sets found here: https://www.nist.gov/itl/ssd/software-quality-group/nsrl-download/current-rds-hash-sets

Current RDS Hash Sets

RDS Version 2.66 - September 2019 ISO 9660 images of RDS CDs If you have a fast Internet connection, you may download...

1

Does anyone know some good dfir resources for cryptocurrency? I have an assignment about Digital Forensics and Cryptocurrency

@Svelte you may want to get with the @NW3C peeps such as @Eric | fraudsterglossary.com or @Adv4n6

Alright, thanks!

6:02 AM

@Svelte and if my two compadres aren't responsive im here too

What ya need?

6:03 AM

Send me a PM

Does anyone know if the Paul Sanderson timestamp conversion software is still available? I can't seem to find it in our lab's software collection and its not available online from what I've seen

You might reach out to TEEL Technologies Canada or America. I believe they handle that now. https://teeltechcanada.com/?s=sanderson

You searched for sanderson | Teel Technologies Canada

@Adam Cervellone @TeelTech @TeelTech Canada

https://investigatingcryptocurrencies.com/ This book has everything one should know on the subject...goes pretty deep into the tech and explains everything very well

Zane Clements

Investigating cryptocurrencies – Promoting the Investigating cry...

Just another WordPress site

2

@Adam Cervellone I sent you a DM

Hey there, short user question related to Magnet AXIOM. Currently buildung my first Custom Artifact. Just wanted to know: Is there a way in AXIOM, after I already processed the Image, that I can just run one specific Custom Artifact against the Image to get the additional data? Something like additional processing on the already processed images? I only know the option to add new evidence and then select the same image again.

@kalinko that's the way to do it

3:52 AM

But definitely send the request through so the ticket to merge identical items gets another +1 :)

@randomaccess Thx. I will do this

WhatsApp in Plain Sight: Where and How You Can Collect Forensic Artifacts (An article on WhatsApp forensics and what data can be obtained from a device during forensic analysis) https://www.group-ib.com/blog/whatsapp_forensic_artifacts

WhatsApp in Plain Sight: Where and How You Can Collect Forensic Ar...

An article on WhatsApp forensics and what data can be obtained from a device during forensic analysis

3

very detailed informations

I'm trying to use Sarah Edward's Apollo script for iOS analysis and am getting this error message: Traceback (most recent call last): File "S:\Apollo\APOLLO-master\apollo.py", line 259, in <module> parse_module_definition(mod_info) File "S:\Apollo\APOLLO-master\apollo.py", line 56, in parse_module_definition parser.read(mod_def) File "C:\Python37\lib\configparser.py", line 696, in read self._read(fp, filename) File "C:\Python37\lib\configparser.py", line 1079, in _read raise MissingSectionHeaderError(fpname, lineno, line) configparser.MissingSectionHeaderError: File contains no section headers. file: 'S:\Apollo\APOLLO-master\modules\simplekml-1.3.1.tar\dist\simplekml-1.3.1\README.txt', line: 1 'Simplekml is a python package which enables you to generate KML with as little effort as possible.\n'

2:17 PM

anyone know what i'm doing wrong

what python version are you running

4:49 PM

did you pip install Simplekml ?

4:49 PM

there are some dependencies with that script you need to download

4:49 PM

you will see them with #include

4:49 PM

grrr

4:49 PM

import

4:50 PM

so you will see packages like import Simplekml import <insertPackageHere>

4:50 PM

https://pypi.org/project/simplekml/

simplekml

A Simple KML creator

4:51 PM

you will have to pip install them on your local machine..

I have created a small utility to provide software write blocking on a Windows machine. It is lightweight and easily reversible, but avoids having to make manual registry changes yourself. If anyone would like a copy of it send me an email: admin@volatile-data.com

11

Is there anyone in contact with the people from BlueBear LACE? I've been attempting to debug something with them however since Friday all of my emails to their addresses are coming back as undeliverable. I'd like to know if it's us or them that is having issues!

1

Would a question about routers be best in Network forensics? :-)

I would say so, yes

Cheers :-)

Morning folks, can anyone recommend software to write protect USB sticks going from computer to computer?

what do you mean by that? are you looking for a generic software write blocker?

2:35 AM

if you want to protect the stick itself regardless what software is installed on a computer that the stick is plugged into, your best choice might be those hardware-encrypted sticks that don't mount until you launch the decryption utility and enter the password

@eSko ok thanks, had seen those items too, cost would be the issue wth that

We use these - kingston datatraveler vault privacy 3. Not super cheap, but they’ll serve the purpose

@Zhaan you may want to check https://www.computerhope.com/issues/ch001617.htm

How to enable and disable write-protection on a USB flash drive

Ways to enable and disable write-protection for a USB flash drive, including a write-protect switch, file properties and flash drive security.

@Cellebrite anyone around for a quick CAS compatibility question?

@K23 DM me

Have done cheers

Thanks @Dr. Kaan Gündüz

nema problema

https://www.forensicfocus.com/Forums/viewtopic/t=18158/

ACPO Principles Revised - Digital Forensics Forums | ForensicFocus.com

I thought I would post this as its something ive been working on and the exact issue has popped up in another recent thread by GumStick. I have long thought that despite ACPO not existing anymore we constantly will refer back to the 4 governing principles

Odd question, so getting a dump from another agency and they used lantern (extraction done in Mar of 19) I was under the impression lantern went off and died. Is that not the case?

@Palazar82 https://www.forensicfocus.com/Forums/viewtopic/t=18017/ has more insight

Katana Forensic gone? - Digital Forensics Forums | ForensicFocus.com

Hi Guys, Does anybody know if Katana Forensics, vendor of the Lantern forensic software is still operational? I was trying to extend a license but their website appears down. Saludos, Lex

Yeah that is what I saw too, so maybe the other agency used an old version or something. Anyone know if magent or Cellebrite will read one of those pulls?

If it's a .bin then PA should be able to parse it just fine

iPhone extraction not expecting a .bin but who knows. Never messed with lantern.

9:14 AM

Should be fun I am curious what lantern having been dead and no updates for awhile did on a phone running the current iOS for it's time back in March of 19. From my googlefu ability looks like Lantern died before iOS 12 really. This phone appears it would have been running iOS 12.

9:14 AM

How it did*

Yikes. I'm guessing the phone is no longer in the government's custody?

Correct other agency returned the device kept extraction as hest evidence.

9:15 AM

Device has since been reset...

Naturally

9:16 AM

Well please report back what the files look like from a Lantern dump. That'll be interesting to see what you can do with it. Hopefully there's something to manually examine, at the very least. If it's just logical files and whatnot, PA or AXOIM should be able to ingest it just fine. Fingers crossed for you!

Oh will do, should be a fun learning experience.

Aka why using a proprietary format is very irritating

1

hi there, does anybody here know of a website where you can search cell phones by their SoC? I have a burned phone & only the Motorola XC55000 Chip is identifiable (any other source to identify the possible cell phone would also be highly appreciated)

3:02 AM

I am pretty sure it's a simple cellphone, definitely no smartphone. It also has a weird "keyboard" layout, top row 3 buttons, 2nd row one button on the leftside and one on the rightside, between them a D-pad, than probably the normal numbers 1-3, 4-6, 7-9, # 0 * and on the bottom row another key in the middle. I hope this is the right channel to ask

@MikeWhiskey Can you provide a photograph of the keyboard?

I managed to identify it. It's a Car Telephone from Audi, built into their 2003 A8

1

but for the curious heads

5:36 AM

thats the phone in better shape

SPOILER

Whoa!

5:38 AM

How did you go about identify the device with only the chip number? Google Fu?

Damn, excellent spot

it was found inside a car and later it came to my mind, cars around that time still had builtin phones. My google search about just the chip didn't lead me to anything

3

Fascinating, thanks for sharing that!

you're welcome

I have been tasked with creating training for my fellow detectives and patrol in preserving digital evidence. Talking real basic stuff like airplane mode, faraday bag, etc. Instead of trying to reinvent the wheel, I would assume someone here has a good template or powerpoint. If someone does, would they mind sharing? Thanks guys.

I feel like this question has been asked multiple times before but I am not sure if anything has been provided by anyone in public for a layman's guide on this stuff. I could be wrong though. I know there's been conversation to work on a collaborative document which would be a great community project. I'd personally be happy to help facilitate that if the need arises. A sort of universal template that one could implement their own department's logo

6:49 AM

That's been in the back of my mind for a very long time so if the need is there we can certainly work on something

I am looking at around a one or two hour training block. If no such presentation has been made, I will definitely be making one in the next few weeks. Obviously I'll share for both critique and peer review.

Feel free to send it my way if you need a second set of eyes

I offer my eyes as well.

3

@@ThatLukeGuy Yeah making a ppt has been on my to-do list for a while but I've I just haven't started yet. I think I have some printed "best handling practices" sheets from a state Police lab somewhere though. A well thought ppt would be very useful for me come annual training though.

Google Slides would be the best way to collaborate on something like that

9:08 AM

Like I said, something universal to where anyone could download it and insert their agency logo

1

https://digital-forensics.sans.org/blog/2009/09/12/best-practices-in-digital-evidence-collection/

SANS Digital Forensics and Incident Response Blog | Best Practices...

SANS Digital Forensics and Incident Response Blog blog pertaining to Best Practices In Digital Evidence Collection

1

9:22 AM

SeizingElectronicEvidence.pdf

370.03 KB

1

Also interested. I feel like I came across something on NDCAC a while back that was along the lines of being pretty basic..

Anyone know how to stop Chrome on Android from 'leaping' back to the top when viewing History? A real pain in the backside when running Photon on it. I have been lucky enough on some cases to find that Chrome doesnt always do it but 90% of the time it is. (edited)

Wikipedia (WikiTribune) launches WT:Social a news service to rival with Facebook and Twitter - https://wt.social/

WT:Social

News focused social network

1:26 PM

"The dozens of flaws across 29 Android smartphone makers show just how insecure the devices can be, even brand-new." (https:// www. wired .com/story/ 146-bugs-preinstalled-android-phones/) See https://www.kryptowire.com/android-firmware-2019/

Samsung A6 - it's gone and bricked itself from trying to disable user lock

3:46 AM

would normally be the Cellebrite Exynos recovery to recover from that right?

3:46 AM

doesn't seem to be working

@Sudo SM-A600FN? I had the same issue a while back. It took me a couple of tries with the Exynos recovery but in the end it worked again.

cool, ta

Samsung A10 locked with 4 digit PIN. Any solutions?

I might be missing the simplest option here but Is there a way to rename evidence names in encase evidence view. I've acquired using magnet acquire but bringing it into encase it just shows up as "description" unless of course I acquire using encase then I can make it whatever I like but that would be double handling

"By storing all information in an external location the KB addresses the scalability issue so relevant to binary analysis and reverse engineering. " https://discuss.ocaml.org/t/ann-bap-2-0-release/4719

[ANN] BAP 2.0 Release

The Carnegie Mellon University Binary Analysis Platform (CMU BAP) is a suite of utilities and libraries that enables analysis of programs in their machine representation. BAP is written in OCaml, relies on dynamically loaded plugins for extensibility, and is widely used for s...

To the fellow ISO17025 sufferers: do you guys have a validation test source for data recovery? there are tests for computer and mobile forensics but for data recovery or multimedia forensics i couldn't find any.

1:05 AM

https://www.cts-forensics.com/cart/products_results.php?Search=1&ProductCategoryID[]=15

1:05 AM

like these

Any good tools for parsing Facebook Messenger conversations that the user have downloaded from FB? (in json format)

@Sudo I've had a situation where XRYs exynos recovery worked for me when UFEDs didn't. Might be worth a shot if UFED didn't fix it after a few tries

it worked on attempt 5

just a general question - we have a huawei honor 8x where we can't extract whatsoever. Hi-Suite enabled, Stay awake and USB Debugging enabled, however USB debugging keeps disabling immediately as soon as we try to extract.

7:01 AM

Logical or filesystem won't start

7:02 AM

How do we deal with these devices?

@.karate. are you LEO?

@PlastikPistol yes.

Is it possible to find out when a user deleted the email on a exchange server ?

6:08 AM

I have the exchange audit logs but it doesnt show the a user deletion

Not sure if this is the appropriate place.. but, ironically, I’m look for some search warrant language for discord. Any LEOs have one they’ve used that they’d share before I try to create one from scratch?

@PlastikPistol I don't have a template but I'd be happy to help you craft the language

That’d be awesome. I have a copy of their law enforcement guide. Figured I’d go through and try to pull the info from there. It’s a third party cyber tip from NCMEC that suggests a guy was bragging about having several underage girlfriends and the images that normally go along with that. I figure surely discord will have some kind of logs that will help me associate the messages to his account and hopefully the address that I have for him.

Do you have any personal identifying information on this guy? It'd be great if you had the username and the discriminator, ie the #1234 after his name

9:55 AM

On Discord, technically 9999 people can have the same username (not server nickname)

9:55 AM

Because they are differentiated by their discriminator

9:56 AM

And since usernames can change at any point in time, it would probably behoove you to nail down a timestamp of when he used whatever username you hopefully have on him

9:56 AM

So your language would be something like Any and all content for the username suspect#1234 from X date to Y date including but not limited to: insert what we'll come up with together here in bullet point fashion

9:57 AM

I created a shared document appropriately titled for this discussion. It's easier to throw it up on there so here's the link.

9:57 AM

https://docs.google.com/document/d/1mOXZTMVawEueBvbTibgzIysqNNIbibBaMyAAMvkdRhc/edit?usp=sharing

Discord Search Warrant Language

10:02 AM

Do you also have a server ID or channel ID or message ID for the alleged communications?

10:02 AM

Because those would be helpful as well

I don't have his username but I have the email address associated with his account

perfect

looking through the stuff for IDs

Your language should then be something to the effect of Any and all content relating to the any Discord account(s) associated with the registered email address suspect@gmail.com from X date to Y date UTC including but not limited to: (edited)

Oh i lied.. I do have it with discriminator

10:04 AM

dude you're johnny on the spot!

edited my post, because I've had success before with asking for all account(s) related to a phone number, etc

10:05 AM

did that with SnapChat once and found out the suspect had a second snapchat account!

10:05 AM

whereas if I had just asked for the username, i would've only got what I asked for

I'm actually in the process of one of those right now too.. I might add that to mine

You really should

10:05 AM

it might pay off sometime

this whole case makes me leery.. I live in a pretty rural part of Missouri.. most of the area is really behind the times

10:07 AM

There's a kid that lives a couple jurisdictions away that is Mr.L33T and is all over social media always bragging about the cool hacks he does.. blah blah

10:08 AM

I've caught him on a couple different occasions reporting "screenshots" to local news media. He finds a target then screenshots their facebook, instagram.. whatever and alters it to make it look like something nefarious.

10:08 AM

He's the only person in this area I've ever ran in to that uses protonmail.. this tip came from kind a similar protonmail address

10:09 AM

he's pretty good at hiding behind tor and cleaning up after himself.. i'll give him that at least

Interesting! Well hopefully Discord can help make a strong case against this guy

10:09 AM

Did you serve a preservation letter yet?

typing it now

Awesome, you can use these bullet points for your preservation letter, too, if you so desire

I'm gonna steal that language from your google doc.. I appreciate the swift response

I keep changing it so check back before you send it

10:10 AM

You can watch me edit it live

that would have taken me quite a bit longer

you'll see when I'm done because there won't be any more edits

ok.. I appreciate it.. thanks for the snapchat tip too

Good luck man, I'll keep chipping away and thinking about all the possible stuff one could obtain from Discord since I use it so much

1

10:12 AM

generating pres letters and search warrant language was always fun to me

Thanks man.. I'm a search warrant fan too.. I'm just a little too overloaded right now

I know the feeling. Happy to help!

10:22 AM

Some of the bullet points might be kinda out in left field but they could lead to something bigger, for all you know

10:22 AM

like if he's part of some CP server, then I'd want to know what roles they're assigning their members because it would be amazing if like (creator, distributor, etc)

10:22 AM

longshot but just letting you know my thought process

10:23 AM

As an admin here in this server, just trying to think what an illicit server would have that LE might care about for their case

10:23 AM

reactions to posts, etc to show a pattern of behavior towards certain illicit content

10:23 AM

You just never know!

That all makes a lot of sense! I’m relatively new to discord... unrelated but I also downloaded TikTok for the first time.. oh my

I'm glad I'm married and boring, lol. So much debauchery in these apps these days lol

@PlastikPistol think I'm done. Can't think of anything else

sweet. I’ll grab it. Thanks again!

@MrMacca (Allan Mc) @kmacdonald1565 just to circle back on our conversation from a couple months ago, https://discordapp.com/channels/427876741990711298/537760691302563843/623851924315176960 for reference, apparently Atola was able to recover everything on the trouble HDD so all my image segments will be returned to me on a new, shiny HDD

4

11:52 AM

@Karamba too

According to court released documents a student has been arrested attempting to build a custom Gentoo Linux distro for Ansar (ISIS supporters) and allegedly created a Python script to automate saving ISIS multimedia from official social media channels. This allowed other members to share by reposting the material on their own accounts and help spread the terrorist group’s propaganda. https://www.justice.gov/opa/press-release/file/1218561/download

@Cellebrite anyone have issues with PA taking HOURS 3+ to parse or go through a text now database from a FS iOS 12.4.1 XR. 7.24 & 7.25 both and this has been restarted a few times. Still same result.

turn on the PA log and see if there are any errors

Nothing around it’s current process and only a key failed to locate in relation to Instagram

Have you tried restarting the computer ?

12:01 PM

I've had experience where it took overnight to parse

12:01 PM

How large is the extraction ?

57gb yep one start

@Jay528 I got a FS of a similar device last weekend. 7.25 took over an hour to go through Safari data so it showed in the logs. I'd just leave it run overnight and see how it goes.

@Jay528 @J Harder @Dfdan @Cellebrite PA has been really slow for me on all iPhone extractions. I had to let a couple AFU extractions run for over 24 hours.

@Magnet Forensics looking for a source for axiom 2.6, can anyone help me out?

@whee30 sure thing, drop an email to Support@magnetforensics.com and we will send you a link to it for you.

1

@goalguy clear on that. Thanks

@goalguy , are you referring to a GK extraction?

@Jay528 yes

Ah. I don’t have access no more. I’m in the private sector

8:42 PM

I’ll be glad to beta test for the private sector

8:42 PM

Technical Advisory: Multiple Vulnerabilities in Alcatel Flip 2 - https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-alcatel-flip-2/?research=Technical+advisories

Don’t suppose anybody has a template policy around managing staff welfare who are exposed to IIOC /CAM / CP as part of their role that they can share? Thanks in advance (edited)

I apologize if this belongs in off-topic. One of our microsoldering students doing civilian data recovery asked me a question that I thought folks in here may be the right group to ask. He was hired to recover data from a user’s phone. The data included ISIS propaganda, specifically an issue of the Dabiq pdf magazine. Is this something that he should report (where?) or is this mind yo beeswax. Advice?

@Jessa surely there must be an anonymous way to report what he found?

I would say the FBI would likely have a hotline or website set up for that.

1

@Jessa https://www.fbi.gov/tips

Submit a Tip | Federal Bureau of Investigation

The public can report violations of U.S. federal law or suspected terrorism or criminal activity to the FBI online or via telephone or mail.

1

10:58 AM

I would say that could be a good place to start, or contact local law enforcement.

Thanks guys! I’ll pass it along

In the spirit of a previous conversation linked here: https://discordapp.com/channels/427876741990711298/537760691302563843/646769451672535040 what other providers would you or your agency benefit from? I'm going to work on creating a language repository of sorts that can be used for preservation letters, search warrants, etc, and i'll host it all on AboutDFIR since that'll be a better venue for it than a server channel. So, besides Discord which has already been completed, PM me or @ me here of which ones and I will keep a running tally and chip away at them as time allows

I think verbiage that results in google giving accurate results since they have so many services... I had a case where I asked for drive contents, emails, user info etc and got user info emails and no files. I had artifacts on a phone suggesting photo transfer but no google results to match. It has nagged at me that I probably just didn’t name the appropriate “service” like google photos.

Yeah services like Google will take some trial and error for sure

7:32 PM

I have examples that have worked for me in the past but admittedly I didn't need even 10% of the services they offer

Anyone know if it's possible to sniff/intercept and see communication between two devices that uses RJ11 cable between them?

if anyone is particularly good with access points (and the things driving them) and web servers etc, ping me a DM I could use some advice

Might be worth posting the question in #network-forensics as well

thanks, did so, it's probably a biiiit outside of your normal dfir remit so, we will see!

Does anyone use any tool for screen recording (video) Android mobile devices that's easy to use and works totally offline? I've had a look over previous posts but can't see anything obvious. We're currently trialling Vysor but it requires a Google sign in. Although it still works once this is done and then the laptop disconnected from internet it means we can't use it on isolated forensic network. It also downloads an app to the phone which probably isn't ideal! Has Photon expanded to general video use? Ideally after something like that but me moving the screen

https://github.com/Genymobile/scrcpy

Genymobile/scrcpy

Display and control your Android device. Contribute to Genymobile/scrcpy development by creating an account on GitHub.

2

9:20 AM

One of my favourite free tools

If anyone listening has any prized search warrant language for a device, provider, etc that they are willing to share, please send it my way via a PM

In another follow-up to a previous conversation (https://discordapp.com/channels/427876741990711298/537760691302563843/649083878832734219), I've begun working on the search warrant/preservation letter template language repository. See below: https://aboutdfir.com/research/preservation-letter-search-warrant-language/discord/ (edited)

9:42 AM

More to come

I have a stack of ipads lying around my office. Is there a way to get Apple to remove the icloud lock from them if they are "lawfully seized" devices. Most of them are disposals from evidence in cases that have been adjudicated and that haven't been picked up. Or is there a way to "break" the icloud lock with any of our tools.

I seen some iCloud bypasses using checkrains boot rom exploit I think

7:20 PM

I think that’s for older devices though @Beefhelmet - not many free iCloud bypasses going around for new iPhones

7:23 PM

I am curious - what happens with all this tech that gets seized? Does it go up for auction or is it destroyed?

Sometimes it goes back to the owner once a case is adjudicated (i.e. suspect was found innocent/guilty and all court proceedings are over with). Sometimes the devices can be converted to training devices if not claimed after X amount of days (refer to internal department policy, if one exists). Or they get destroyed. Pretty much the only 3 options I can think of. Or donated to a shelter after they've been forensically wiped.

1

Nice - thanks for the answer @Andrew Rathbun !

It'll be different from agency to agency though. All depends on their internal policy and procedure. That dictates everything

Makes sense - I am curious how much extra money could be raised for the departments if they did online auctions of forensically wiped devices

Probably too much of a liability, tbh. All it would take is one screwup of some PII getting out and the program would be cancelled immediately. Probably not worth the risk but a good idea though

Ohhh that is a good point - makes sense / in other news for everyone in America happy turkey day! I’m heading off to enjoy some festive dinners ! Take it easy @Andrew Rathbun

Take care! And Happy Turkey day to you too and everyone else

Yeah we dont auction devices that contain or potentially contain personal information. What @Andrew Rathbun said we generally destroy them if they arent able to be auctioned or donated. I get all cellphones and computer hardware and generally keep them for parts to repair case work if needed or use them for testing. I've got about 4 filling cabinets of cellphones now that maybe one day before I retire I'll organize. Until then its dig around until I find what I need for the part I want. Used to be good to keep a stock of devices to probe ISP points if needed but that's kind of gone the way of the dodo as well. For me is mainly keeping iphones/pads to swap screens if needed or a usb port or battery here and there. (edited)

I'm trying to intercept a connection a Xiaomi IOT Doorbell is making to a HTTPS server. I changed the local dns to resolve to my own IP. Anyone has any idea how to fake the doorbell to accept my own webserver or a python webserver with fake HTTPS or something?

@cygnusx you got any more information on the webserver, certs or anything?

sure, it connects to https://processor.smartcamera.api.io.mi.com/

4:43 AM

and it could have the certificate saved locally, to maybe thats why a different cert is not working... not sure

I suppose you'd need to see what request and response are being traded

4:47 AM

I take it you've already tried with a self signed

4:49 AM

if it's using a trusted CA it would probably be pretty unlikely to be able to spoof it

Been having a quick look at some of the android lock screen apps you can get on your phone. Some of them are incredibly dodgy, this one claims that if you forget your password that you can contact the company and they will email it to you, meaning it's stored in plaintext on their server. Might be useful in an investigation one day... "How can I unlock my device if I forgot the password? 1. By security answer Tap the security question icon on the lock screen and enter your security answer to unlock; 2. By security email Check your registered email and find out the email we have sent to you with the password you set; 3. Email us Please send us email at cs_locker@pin-genie.com with your registered email address so that we can send to you in case you don’t find the password in your email. " https://play.google.com/store/apps/details?id=com.pingenie.screenlocker&hl=en_US

PIN Genie Locker-Screen Lock & Applock - Apps on Google Play

The most secure lock screen and Applock on Google Play. With App Lock

, nobody can check your photos, videos, messages and apps. The patented PIN pad is the ultimate in privacy and will keep anyone from seeing your PIN, even if they watch you input it!

Go ahead use...

4

the most secure lock screen on Google Play

3

In response to Darkrage, you are right we will always ask you if you use software with non-signed USB drivers when you have issues as described above and so will Cellebrite. We work closely with them on issues like those and they will appear anywhere that Windows, hardware with multiple USB options and Software co-exist. We will always get the drivers sorted out and the workstation running Cellebrite again whether it’s a TALINO or any other laptop/workstation. Any one with continued issues feel free to reach out to me directly jason@sumuri.com.

@Andrew Rathbun Is Colin Fagen in here? He has a hell of a pdf full of search warrants and contact info. I could reach out to him to see if he’s ok with me submitting it?

@PlastikPistol is he the one who makes the technology resource guide for LE?

Yes

I have that guide laying around. I'll have to poke into that as well. I might reach out to him as well. It's been a while since I've looked at the guide so I'll refresh myself on it. Thanks for reminding me about the guide. I'll add it to AboutDFIR

i'm really interested as to if anyone has done any research on artefacts generated by discord, and discord-forensics

5:06 PM

if anyone knows any papers, bits of research or anything at all, please let me know, thanks!

@bailey search this server for a publication posted previously

okay, i'll do that, thanks

@bailey also check AboutDFIR for a blog post or two under the tools and artifacts section

i'll check it out, thanks very much!

https://aboutdfir.com/resources/preservation-letter-search-warrant-templates/snapchat/ Just published my Snapchat SW language template on AboutDFIR (edited)

Snapchat - AboutDFIR - The Definitive Compendium Project

Serving Preservation Letters/Search Warrants As stated on this section’s home page, for every digital investigation where a Preservation Letter or Search Warrant is involved, Search.org’s ISP List should be your number one stop regarding proper steps to serve your legal p...

2

@Andrew Rathbun Using this right now, great timing!

@whee30 great to hear, I welcome any feedback!

@whee30 any other requests you need, too, I can add them to my list

10:33 AM

and if you have any improvements or suggestions for that format, let me know

10:33 AM

I have Discord and Facebook on there as well

10:33 AM

just looking to go down the list that develops itself as time goes on

great resource. I had my warrant drawn up already but I'm adding some features I had forgotten about from your list. Seems pretty comprehensive so far

10:38 AM

I'm just trying to sculpt one request right now, asking for user info from three diff. accounts in one bullet point and then asking for: "Any other Snapchat usernames which share the phone numbers and/or email addresses for the previously solicited Snapchat user accounts for the time period of 09/01/2019 to present."

10:38 AM

I dont have PC for unknown account content but it could give me a lead based on the phones I've dumped. Does that verbiage make sense?

so that verbiage, to me, sounds like you are just asking for the name of the user accounts that you don't know about that may or may not exist

10:39 AM

which, that would be good to know and as you said you don't have PC for the unknown accounts, if they even exist

seems kind of clumsy, trying to make it sound better.

10:40 AM

i have three known accounts, trying to figure out what other user accounts they're using

10:40 AM

then if i find relevant chats in the phones im dumping i can draft another warrant

You could request something like: Basic account information (username, registered email address, registered phone number, account creation date) for any Snapchat accounts which share the registered phone number and/or registered email address for the above Snapchat user accounts for the time period of 09/01/2019 to present (edited)

1

10:42 AM

i think that might better fit what you're going for?

yeah - that's a bit smoother.

post edited

10:43 AM

changed to singular instead of plural (addresses and numbers)

10:44 AM

i also added that verbiage as a bullet point on the Snapchat page

when i write subpoenas i word it saying "alternate" or "associated" so alternate usernames, alternate addressess, other associated accounts, etc. which ever word fits better. can probably do the same thing with warrants. just a bit of grammatical judo to make it sound a little better. it helps it seem related to what you are looking for

1

@kmacdonald1565 thanks for the insight! I typically used the same language for both. Pretty much copy paste. Just different documents and formats of said documents

Is there any tool to decode php files ?

@whee30 and anyone else, any feedback or changes needed to this page would be appreciated - https://aboutdfir.com/resources/preservation-letter-search-warrant-templates/

Preservation Letter/Search Warrant Templates - AboutDFIR - The Def...

This section is a work in progress. This part of the site will contain template boilerplate language to include on various forms of legal process. It is highly advised to check with your local prosecutor and mind your local laws when serving legal process. These templates are...

@Rickytickybobbywobbin so, like most answers in this world, it depends but i dont know of any tools to "decode" the php files, but you should be able to look at the file in a text editor. Long story short, PHP is a serverside language that runs on top of HTML. PHP will have a set of commands on the server that build the webpage and the user typically never sees. so if you are looking at a .php webpage you are really only getting a small part of the picture, and that is largely HTML code you are looking at. if you have the source PHP, then you can look into how it works more.

6:00 AM

so, i suppose what are you looking at is the question?

6:00 AM

also cool name

anyone have any idea what "Method 1 and Method 2 cannot be used because the device was not unlocked with a code after it was reset"

6:24 AM

means

@Sudo Are you doing extraction of phone? I think it is bc the phone reboots during extraction and u need to enter code after reboot

I was yeah, solved it by updating UFED

7:43 AM

it hadn't rebooted or anything which is why it was odd

Good afternoon all ... Does anybody have a safe boot loader to flash past a locked Samsung J7 (SM-J260T1) to get a Logical or F/S ?

https://www.androidcentral.com/you-can-now-chat-google-photos-app Potential new platform to share illicit images? I'm sure it's been used before but now that chat is being implemented that could bring it to a whole different level. Worth noting for purpose of serving legal process

You can now chat in the Google Photos app

Google's pushed a new update to its photo gallery app that lets you chat with friends about the photos you've shared.

Android A1 MAX tv box, anyone created a forensic image of one? (edited)

Hi all, Has anyone come across the Apple SIM card? We have one which will not extract with any of our tools. Not come across one in an exhibit before?

xry 8.2 was released (edited)

3

Amped Five and Convert have new versions too

2

@Sudo your iPhone is running a newer OS than your UFED supports. Is there an update for UFED available?

7:09 AM

Disregard.. I scrolled down... whoops

7:15 AM

Anyone from Magnet in here? Specifically dealing with ATLAS?

@Magnet Forensics

DM'ed

Thank you!

yup I updated!

Hello all, I am looking to find someone who might be using virutalhere USB Dongle server in their environment to share out codemeter devices. Send me a PM if you might be able to help out

@spamspamspamandeggs search the server for discussions in the past about this same subject. I know there's been at least 3. Start there for some immediate help

@spamspamspamandeggs its pretty straight forward, i dont use it professionally, but do personally. server is on raspberry pi running raspbian and connecting to it with windows 10 machines

Hello everyone im looking to do a solid course on Criminal Intelligence analysis. Does anyone by chance have recommendations ?

Is anyone aware of a hash database, perhaps similar to NSRL, that contains MD5 hashes of published MP3s?

@Zhaan as an MP3 hoarder and curator, I have to wonder if there would be any value to such a database? I say that because if if you take Artist - Song Title.mp3 from Amazon and then grab the same song from a P2P service, they likely will have different hashes due to IDv3 tags likely being different. I curate my IDv3 tags for my music collection so the hashes of my MP3 files are constantly changing as I update embedded album art, lyrics are added, tags are modified etc. So basically, what would be considered the de facto hash for a given song? I think there's just too many variables and that it likely doesn't exist. (edited)

2:22 AM

It's no different than taking an image and changing one pixel in the image to generate a new hash. Main difference being people very commonly modify tags on audio files but people don't really change one pixel on an image (edited)

2:25 AM

Amazon embeds their own song signatures into the tags off music you buy from them. I'm sure Apple does the same. Bandcamp files do as well so all those will have different hashes despite being the same song

@Andrew Rathbun Thanks, I know what you mean but thought if I don't ask I'll never know! With mobile devices streaming and storing so much content these days, audio/video slows down investigators and increases export sizes. I have been adding audio to my local db as I go but when I was confronted by 19,000 audio tracks this morning, I felt it was time to ask! Yes, you could argue if its in an iTunes path is it likely to be evidential and why not simply ignore it but the little OCD demon in my head says 'yeah but what if', so I find myself checking anything I add to my DB.

1

To further this, think of all the bitrates of audio files. FLAC all the way down to like 32kbps. In between those two is like 50 different possibilities for audio quality for the same song. Which means each one will have different hashes. Arguably V0 and 320 sound nearly identical to the human ear but one is a constant bitrate while the other is variable. But they will have different hashes for obvious reasons. I think it would take audio signature analysis on the front end cross referencing with a massive known database to eliminate your 19k files but that would take forever to deal with for any tool. I think we are probably just stuck with it for now and probably the foreseeable future (edited)

1

2:37 AM

https://youtu.be/aTQS25w8kZo would be an example of this. Each quality version would have a different hash. This is where audio signature analysis would likely be the solution

YouTube

Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.

Anyone got a Logitech MX Ergo? (edited)

So I have been using Oxygen for years now and have traditionally really enjoyed it. It and Axiom are the two tools I have in my office and if I need cellebrite I simply need drive to my neighbor agency. Having said that I have a few thoughts for anyone who uses Oxygen primarily (I know you guys are out there).... It has been a LONG time since I have been able to get a physical on ANY phone. I think the last one I obtained was on a pre 7.0 android a few years ago. Is anyone else having a similar experience? Most of my extractions have been OxyAgent and leave much to be desired. I think of Messenger data (which every criminal in the history of time uses).

5:55 AM

I certainly do not want to disparage any software company. Their customer support has been awesome and have recieved help quickly from the engineers on issues. Just wanted to see if anyone else is running into the same issues. More and more I am having to run the devices to the cellebrite next door....

Has anyone here done pentests on card terminals(EFT devices)? E.g. trying to find sensitive information such as the card number etc

HERREVAD databases now extends to use in OSINT cases - Update3 - HERREVAD Databases Geo Location Artefacts https://trewmte.blogspot.com/2019/12/update3-herrevad-databases-geo-location.html

Update3 - HERREVAD Databases Geo Location Artefacts

This is the continuing/on-going research and discovery into HERREVAD Databases Geo Location Artefacts. Back in 2017 little was known about...

Has anyone been able to use the UFED Screen Shot method with an iPhone 13.* IOS ? Says to disable iTunes Backup Encryption but i'm thinking its just not going to work. I would rather use this vs taking pictures. (edited)

@ThatLukeGuy I agree Oxygen doesn't support physical acquisition these days, especially after Android 6.0.

@DCSO Worked fine for one of my exhibits, try running the disable itunes backup encryption through the tools menu, that's worked for me in the past.

@Akko Good to know, I was'nt aware of that feature in UFED 4 PC etc. Would it delete any saved passwords or tokens that would be encrypted ?

@DCSO It attempts to remove the UFED default encryption password 12345 which is used when an extraction is performed - its just something worth trying it doesn't lose user generated encryption tokens (that I'm aware of)

1

eSIM - Observing Possible Outcomes Part 1 - https://trewmte.blogspot.com/2019/12/esim-observing-possible-outcomes-part-1.html

eSIM - Observing Possible Outcomes Part 1

Back in 2012 I wrote about the introduction of a new form factor for SIM Cards (4FF). The outline and a potted history of SIM Card form fact...

Why is it on so many search warrants and police reports I see "I-Pad" or "Ipad" written instead of the proper spelling. I can't be the only one that goes nuts over this

Hi, I don't know how it works in the USA, but in France, the cops just don't care about that it's "not their job". So it's pretty usual to have misspelling or even inaccurate information (edited)

11:31 AM

And in general, as everybody knows that what's written on the box might be wrong, they just don't care

That's a frustrating mentality but I get it. I worked with many of those types. Hilarious because most of the offenders own those iDevices but don't know how to properly spell them in a professional work product

If it was only a spelling issue it would be great x)

11:33 AM

In France, if the brand of the phone is written, you're lucky

11:34 AM

Not speaking about the model, which we discover when we receive the phone

Ya know how in different parts of the country people call things by different names? Here I call a soda a soda.. friends up north call it pop.. family in California call it Coke, whether it's actually coke or not. Here, everything is an iPhone (Iphone.) Or I'll get a request for a black ATT phone, or Verizon phone.. The timeframe questions.. how long will it take? Why does it take so long.. why could you get information from this phone but not the one the other day? There is a lot of frustration from places I never would have expected when I got started.

Maybe with search warrants and police reports have the product ID already stated and the person completing the warrant/report just ticks the box so to speak. I remember one police force who would reject paperwork and return it to the person if s/he had not used correct coloured pen for the relevant section of paperwork - pedantic maybe, but if the person didn't improve their standard they would get a bollocking from the Inspector. With computerised forms it is very easy for a template warrant/report to include placing 'X' in the box against the most common product names on the market.

US based: Ten questions about the phone evidence -

5:20 AM

http://revforensics.com/ten-cell-phone-questions-for-interrogatories/

TEN CELL PHONE QUESTIONS FOR INTERROGATORIES - Revelation Cellular...

Cell phone evidence is fragile. Most cell phone companies keep the records for a limited time, and evidence in a cell phone’s memory can be deleted intentionally by the user or unintentionally by normal processes of the operating system. We need to identify potential eviden...

5:26 AM

Cell Phone Record File Types

5:26 AM

http://revforensics.com/file-types/

Cell Phone Record File Types - Revelation Cellular Forensics

This post covers the types of files the carriers use to send their records and how to open them in Excel. The typical file types the phone companies use are as follows: .xlsx Microsoft Excel 2007 and later .xls Microsoft Excel 97 to 2003 .csv Comma Separated Values .txt Plain...

5:31 AM

@Andrew Rathbun - does this article tell you something you didn't know?

5:31 AM

https://revforensics.com/sending-the-warrant-or-subpoena/

Sending the Warrant or Subpoena - Revelation Cellular Forensics

Once the judge signs the warrant, or we have a subpoena ready, we need to get it to the carrier. We will need to prepare the packet to send to the carrier’s company and decide on the method of delivery. All the carriers will receive the records by fax or mail, but some have...

5:33 AM

@Andrew Rathbun And pdf templates are here: (edited)

5:34 AM

http://revforensics.com/search-warrants/

Search Warrants - Revelation Cellular Forensics

I'll take a look at those later. Thank you sir. Might be helpful in some regard hopefully

1

does anyone know what the name is for those SMS code messages

3:15 AM

you know the ones from very short numbers i.e. 621093

@Sudo Verification codes?

yeah like 2FA

3:57 AM

but the numbers they come from

3:57 AM

it sends you a verification code from a number like 621093

3:57 AM

as opposed to a full number

I think they're called authorization codes or verification codes

3:58 AM

not sure there is a formal name for them

3:58 AM

SMS based 2FA authentication codes?

yeah, I would take that to be the 2FA code itself, not the number it came from

4:07 AM

maybe they don't have a name

4:07 AM

I'll just go with something like SMS authentication provider

oh I see what you're asking now

4:08 AM

SMS authentication provider seems like a reasonable term

yeah, it's not always a number

4:09 AM

WhatsApp, Amazon, they come through as "WhatsApp" or "Amazon"

4:09 AM

even though you don't have them saved as a contact

4:10 AM

I just wondered if it had a specific name, like you have phone number, this is [whatever] number

SMS Authentication Dispatch Provider is another possible term

yeah, it's not a big deal, I was just writing it down in my update and thought, oh, what's that even called

SMS Dispatch Modem is another term I saw floating around too

SMS generator, but anyone can grab those online.

Amazon calls it "SNS", simple notification service

4:13 AM

ah!

4:13 AM

SMS short code

4:14 AM

https://en.wikipedia.org/wiki/Short_code

Short code

Short codes, or short numbers, are short digit sequences, significantly shorter than telephone numbers, that are used to address messages in the Multimedia Messaging System (MMS) and short message service (SMS) systems of mobile network operators. In addition to messaging, th...

4:14 AM

makes sense, they're shorter than normal numbers lol

Ahh now I see what you mean. Yeah the 5 or 6 digit number that's the sender's "address", so to speak. Didn't know it was called that. Learn something new every day!

4:19 AM

Same with like how you can text a tip to the police by sending it to 12345, for example

yeah that's what I was after

4:29 AM

figures it would literally be "short code"

4:29 AM

I thought it would have some elaborate technical name

is there a linux distro that doesn't have an awful file picker

7:04 AM

or is it all the terrible gnu one

7:05 AM

(I know it's a meme at this point)

i'm a monday, anybody recall how to power of a LG with pincode to power off ? We have tried the typical hold volume,power,home button(located on rear)

@DCSO Get it in to recovery mode and choose power down option. Hold volume down and power until it starts to reboot. Then immediately conduct key combos for recovery mode

Hi, I’ve got an encrophone - bq Aquaris X2, it’s newer than anything we’ve had before. Does anyone know how to access the encrypted operating system? I’ve tried all the different button combinations

There are 3 possible ways to boot to secure startup. Two are default on and can be disabled. A third can be user specified with a pattern of directional swipes on the touchpad. (edited)

5:44 AM

The two defaults include 1) pressing "short short long" on the power button, and 2) by accessing a slider switch on the settings menu for "privacy mode" (or something similar - been a minute for me)

5:45 AM

Keep in mind the secure startup, once you get to it, will be a minimum length of 15 characters for a passcode, and can be setup to wipe after failed attempts or even wipe in response to a decoy passcode being entered.

5:47 AM

If you get past that, there is still the screen lock to consider. If you get past that, the USB port only permits charging operations, never data transfer. ADB type acquisitions won't work. Also note the only apps you can use on the encrochat flavor of Android are encrochat apps, which have strictly enforced limited lifespan messages and additional security measures. It's not possible to send regular SMS or make regular calls using these phones.

5:47 AM

@tinycar94

5:48 AM

I've gotten into 1 ever, and that was because the owner was kind enough to leave both passwords on a sticky note next to it.

Lol

@spamspamspamandeggs anyone have a workaround for using virtualhere over RDP? So far it works only if the remote machine has a VM running and everything inside

Any UK folks have a current and up to date drugs search list they could send through DM?

@tinycar94 Normally when you boot into the Encro-partition on an X2, you need to do the short short long press on the power button like @forensicmike @Magnet mentioned. You need to do this when the phone is already booted up in "normal" mode aka. the empty vanilla Android partition. At least that's what we saw with most of the phones we get in.

@3X3 @Law Enforcement [UK]

I only got a kind of meh-ish one I think I made

5:47 AM

but I might have one I can email you

Interesting problem. I just got a box of old phones that were lost and have defaulted to my agency due to time lapse. Most of these will simply become test phones. I do have a newer iPad in the box as well that I might be able to use for various investigative purposes. This is NOT an evidence device, simply a device to be used by my agency.

6:23 AM

The device was PIN locked with an unknown PIN. I attempted factory reset and ran into an activation lock requiring Apple ID login to remove\

6:23 AM

obviously I do not know the apple ID.

6:24 AM

I elieve it is running iOS 11.X. Anyone have any ideas or is this thing a brick? I have very little experience with jailbreaks myself.

@ThatLukeGuy Maybe wiping it via iTunes and DFU mode will reset it? Maybe also be aware that the IMEI will become active on the network again if you succeed and start using it. For this reason we can't use perfectly good devices from lost and found as test devices, but that may just be the laws in my country.

Anyone familiar with the ins and outs of bypassing biometrics? Specifically looking primarily at fingerprint sensors, but also faceID. I have been tasked with this, and I'm looking for up-to-date information

@ThatLukeGuy I believe you will have to contact Apple and have them remove the activation lock. I have heard of people having success with this by showing them paperwork that proves you (your agency) legally own the device.

@ThatLukeGuy If it is a WiFi model, you can desolder the NAND chip and change the Serial Number (may as well upgrade the storage at this point too right??) to remove the iCloud lock.

Does anyone out there like Catalina? I want to smash my mac.

Anytime I try something new (remote session, webex, etc.) it lets me down.

@CloudCuckooLand This is what I may end up doing here. Thanks for the advice!

Trying to figure out under what circumstances iOS will generate a KTX vs a PNG under (for example) applications>com.apple.mobilesafari>library>safari>thumbnails ? The pngs are basically screenshots of a website and based on what I’m reading they are generated when the app goes to the background. I can’t view the ktx files natively but I’m trying to figure out why both file types are stored in this folder and when one is used over the other.

It seems that the PNGs I’m seeing are likely residual from a previous iOS and the newer iOS only produces ktx. I’ll leave it up for the next confused soul to find!

1

@heatherDFIR the one redeeming quality is sidecar, much smoother than DUET for using my iPad as a 2nd monitor, but alas... That's it as I sit on a throne of things busted by Catalina

anyone had any experience with PDF malware

@whee30 You're correct, ktx replaced png at some point, maybe iOS 11?

5:21 AM

But its conceivable there might be some holdovers.

or if you're like me and keep those tabs open from ios 11 - ios 13

1

Do we have some "verified" sections for LEA members?

Nope

8:46 AM

As in LE only channels?

Yeah, or at least verified in terms of "trustworthy" meaning from companies or public sector.

No one gains access to the server without verifying themselves.

Really? I never showed my color though

And there will never be LE only channels on this server. The private sector folks and vendors would be excluded from that and frankly they are too valuable to everyone else to be segregated. The minute we start segregating people by giving certain roles special access to certain channels is the beginning of the end of this server, IMO. This gets asked of me a lot of the cons outweigh the pros tenfold.

8:50 AM

Verification process didn't begin until like 1200 members in

8:51 AM

it's a relatively new thing in the life of the server. we never thought we would be this big so we had to adjust fire once we reached a certain point in membership numbers

Ah ok, so basically after reaching a critical number you guys started vetting us. But the "old" ones (the elder of the internet - for those who get the joke) could still be unchecked though.

LE personnel shouldn't post differently in an LE only channel vs posting here in a general channel. Discord hosts the data you post and you should never post anything you don't want the media to publish. This is social media 101 for any LE personnel and this server is no different. So that pretty much takes the benefit of having an LE only channel away. It's not like LE will be posting suspect names and addresses of victims in that channel. I just don't see what benefit it would serve. And it would alienate a large, important group(s) that call this server home, too

6

8:53 AM

We're much stronger of a community together than divided

8:53 AM

Yes that's correct @bit_reader

8:54 AM

And there are ways to go about reverifying everyone but we've not had that discussion yet. No real reason to at this point. If it ever becomes an issue that needs to be discussed, we will for sure. We're in this for the long haul. But we nip issues in the bud pretty swiftly so we've never had anything we've had to elevate to that level of discussion yet

Sure, I'm not that stupid to post some ID material. ;) My point is more that if the baddies start to hang out here we'll run into serious trouble sooner than later because TTP will leak to some certain extent.

No bad actors can gain access to all the channels you know and love without interacting with the mods

8:56 AM

this has been the case for the past 1000 members or so

https://aboutdfir.com/resources/tool-testing/ new page added to AboutDFIR. Links to forensic testing images. If anyone is aware of more out there, please let me know

Tool Testing - AboutDFIR - The Definitive Compendium Project

Continuing from the earlier discussion, if anyone has any concerns or questions, you're always welcome to PM me or ask here in this channel. Any of the mod staff. Whatever suggestion, question, problem, etc, just bring it up. No such thing as a stupid question except the one that goes unasked.

2

i have a stupid question

12:31 AM

how do you validate a mobile device imaging method in ISO17025?

anyone had experience with email forensics, I've got some super bizarre stuff to try and work out what's gone on here

What do you have going on?

just a whole mess of odd things

4:43 AM

someone has been phished, basically, in some manner

4:43 AM

I thought it was one party, but now I'm not sure at all

4:44 AM

basically, party 1 have received a bill from party 2 but it wasn't really from party 2

4:44 AM

party 1 have lost the money it seems

4:44 AM

the real party 2 at one point says to party 1 you use freeola.co.uk/webmail which doesn't work with outlook sometimes

4:45 AM

party 1 doesn't use freeola, but party 2 does

4:45 AM

embedded through the email though, and I'm guessing from party 1, are images for freeola.co.uk

4:46 AM

and other href /webmail/compose?to

4:46 AM

then in the headers, ,there's a return path of a totally different email, party 3

Not an expert in this by any means, but are there any anomalies with the SPF, DKIM, etc?

SPF? DKIM?

4:56 AM

the "reply to" header on this email is for a name.name-company.co.uk@dr.com

4:56 AM

so that's clearly not legit lol

SPF is sender policy framework which validates the IP address with the originating domain and DKIM verifies the message has not been changed via digital signature

4:58 AM

copy the email header into a text editor and do some Ctrl F for SPF and DKIM

4:58 AM

see if there's any PASS or + or anything like that that indicates something positive (+ can mean pass)

4:58 AM

if there are positive indicators like that you can generally trust the read of the header content, however, since you already suspect this is fishy, you're probably not going to have positive indicators.

no DKIM or SPF info

Like I said, not an expert, but I did take a SANS course 4 months ago that briefly mentioned these concepts (equivalent of staying at a Holiday Inn Express last night)

just normal headers

https://articles.forensicfocus.com/2019/02/15/email-forensics-investigation-techniques/ might be some help

Scar de Courcier

Email Forensics: Investigation Techniques

by Chirath De Alwis Due to the rapid spread of internet use all over the world, email has become a primary communication medium for many official activities. Not only companies, but also members of…

5:00 AM

SPF and DKIM and DMARC are some things along with phishing, forensics, etc you should include in Google search queries

5:00 AM

and see if you can find anything that helps

gotchas

5:01 AM

none of these sample emails have any of that in

Well that is likely a clue that something is fishy

5:01 AM

but gives you something to run on

yup

5:01 AM

I'm basically just trying to figure out who was compromised

5:02 AM

but it seems like the person sending the emails with the dodgy return path and reply to

https://www.computerhope.com/issues/ch000918.htm#email-header

Understanding the information contained in an e-mail header

Full information and examples to help you understand the information contained in an e-mail header.

5:03 AM

ctrl f SPF

5:03 AM

see how there's the pass indicated there?

yeah I see it

5:04 AM

not present in any of these though

if you're not seeing that i would say that's a red flag, but at least you can see what you should be seeing and clearly aren't

unless they're not using any kind of security

I bet the people at https://www.metaspike.com/ would be good to reach out for this. Since they have that Forensic Email Collector software. I'm sure they're well versed

5:06 AM

@Metaspike but I don't think they frequent here

5:07 AM

https://articles.forensicfocus.com/tag/email-forensics/ Some other articles potentially of interest

ty

5:09 AM

I originally thought someone else had been the source but

5:09 AM

based on this, it definitely seems like they're the ones who have been hit

5:09 AM

it threw me because party 2 using freeola said "oh you use freeola" to party 1, which smarked to me "ah they've been phished via their webmail"

5:10 AM

but evidently not

also one email from party 2 the from is mail.google.com/webmail/compose?to=them and the to is again mail.google.com/etc/etc

5:21 AM

there's so much going on here

Has anyone worked with Ring Camera's? I'm working a case where someone remotely logged into someone's camera. Does anyone know if Ring saves IP login logs?

@Davesdailypicks My Ring camera doesn't show any logs for remote login. However, the app does show who has shared access to the doorbell. Obviously this isn't information from an extraction of the doorbell, just what I see on my iPad's applciation

Are Ring DB hooked up through the wifi? Would the router log show the access to the network?

Yes they are WiFi.

We would be happy to help if we can, @Sudo. We have a few quick write ups on our blog on email authentication techniques, which might give you some ideas.

2

9:58 PM

As @Andrew Rathbun mentioned, DKIM verification is very helpful. If you don't have DKIM signatures, I would check other sample messages among the same parties from the same time period to see if that's typically the case, or if there is something unique going on with the messages you are investigating.

2

@Davesdailypicks might be worth emailing their LE contact and ask them if they record IP logs and their retention policies

10:07 PM

subpoenas@ring.com

10:07 PM

https://support.ring.com/hc/en-us/articles/360001318523-Law-Enforcement-Legal-Process-Guidelines

Law Enforcement Legal Process Guidelines

These guidelines are intended for use by law enforcement when seeking information from Ring LLC or its subsidiaries (“Ring”). All requests should be submitted to subpoenas@ring.com. If your request...

@Arman Gungor thanks, I'll get them to send me over more emails to check

Just learned from an army buddy of mine who gave me a heads up about this fraud. "Police say someone had their bank accounts emptied after they paid a taxi driver with a debit card. They had wanted to pay with their credit card, but taxi asked for another method because he didn’t want to pay the 4% visa fee. Police advise that whenever you are asked to use a debit card instead of credit card for whatever reason, enter the wrong PIN. If it is a counterfeit machine it will pretend to process the payment and produce a receipt. Whereas an authentic machine will reject the PIN and request a “try again” message. Help spread the word, as the police state this type of fraud is becoming increasingly prevalent."

And once you put the wrong pin in and the driver tthanks you for taking a ride, make sure to document everything about cab/driver because you just caught a bad guy.

2

https://twitter.com/chaignc/status/1207354323329527808 I leave this here in case someone has motivation to explore this "new linux memory artefact" (edited)

chaignc (@chaignc)

8 months ago I left a tips that sudo leaves artefact in memory if an attackers tries to use sudo because token attempts are stored in tmpfs. Did someone wrote a @volatility plugin? @_bcoles ported it to metasploit but what about #DFIR https://t.co/MGaeGLYzrQ

Really random question on behalf of a coworker, does anyone know of or have any documentation on how iMessages are transmitted? As in, they're trying to see if iMessages hit out of state servers to help a wire fraud case. I personally think it would be more than reasonable to say an iMessage, when sent even to the person sitting next to you, that servers out of state are used in the transaction. However, I can't prove that nor do I have any documentation supporting that claim. Anyone have any $.02 they can throw into the pot?

@Andrew Rathbun depending on the physical address of the servers yeah. Apple collects metadata on the conversations on iMessage. I understand they are end-to-end encrypted.

3:25 PM

Here is an article from last year on it. https://wccftech.com/apple-logs-imessage-contacts-ip-addresses/

Rafia Shaikh

Apple Logs Your iMessage Contacts and IP Addresses

Apple logs your iMessage contacts and IP addresses among other metadata and could share it with law enforcement authorities, if compelled.

1

3:27 PM

If that is the case couldn't someone just tracert the ip address for the Apple imessage service? (wouldn't know how to do it without an IP address on an iOS). (edited)

So I’m thinking of switching out the Touch2 for 4PC ... any drawbacks or other consider?

@Lflores did the same thing at my previous lab. Couldn't recommend it enough. 4PC can be installed on any amount of laptops you have in your lab. Obviously requires the dongle to work

@Lflores Another vote for 4PC. We did that swap several years ago and I can't think of any drawbacks whatsoever. We take 4PC on a laptop (with other forensic software) into the field all the time; it's not as streamlined as the Touch2 solution is, but it is a lot more versatile.

@mitchlang thank you. I'll look into this more tomorrow

1

@Lflores My only issue with 4PC is a potential for driver conflicts. I have had many that don't occur on the Touch2. Every time you plug in a device windows wants a driver. I do run windows via boot camp on a Mac and they may cause some of it. (edited)

Thanks for the replies! I'm Gonna pull the trigger and switch!

@Andrew Rathbun National Police Chiefs’ Council (NPCC) - NPCC FINAL CONSENT v1.2.pdf https://www.npcc.police.uk/documents/NPCC%20FINAL%20CONSENT%20v1.2.pdf

https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ Fox-IT published a whitepaper about APT20, a Chinese espionage group that went silent for a while. Fox-IT observed this threat actor live during a incident response case. Definitely worth a read (edited)

Operation Wocao : Shining a light on one of China’s hidden hacki...

4

Has anyone been able to recover a stolen Xbox One via logging into the victim's account; or any other way?

maybe if you did this: https://support.microsoft.com/en-us/help/12441/microsoft-account-see-child-device-activity

See your child's device use with activity reports

Learn how to receive and interpret activity reports of your child's device use, including web browsing, apps and games usage, and screen time.

1:46 PM

assuming it's signed in still

I asked a couple weeks ago about an activation lock bypass and if one actually existed. The consensus was that it did not exist. Just found one that ACTUALLY works. Run it on three separate test phones. I did brick an ipad though.... didnt wait long enough for a command to execute and home button no longer functions rendering it effectivley useless.

2:54 PM

https://www.youtube.com/watch?v=qy0fxLiteT8

Apple Tech 752

iCloud Bypass with CHECKRA1N! (FULL TUTORIAL)

2:55 PM

Three iPhones later though and I can say it works

@ThatLukeGuy I guess stealing iPhones just got profitable again? I wonder if they can be successfully set up w a new iCloud and connected to a provider... I don’t see why not. Will be interesting to see!

@whee30 I will test this tommorrow

Haha little late in the game. Its just a Bypass, no service and low functionality. Enables JTAG debugging which is the best part

@whee30 device is still not activated so no gsm network, no access to app store, own icloud, screenshots etc. So far nobody cracked apple activation. It is possible to copy valid activation data as well as apple account from another, fully working device but this has its limit as well so i wouldn't say it's profitable again

1

Hello, thx all I came here few days about about sudo memory artefact left in memory, we now have a defined methodology to retrieve them, the question now is was this already documented?

https://twitter.com/chaignc/status/1208036686153895942?s=20

chaignc (@chaignc)

Perfect bro

New #DFIR Artefact? tsdump can recover attempt from sudo files stored in tmpfs. See bellow for the methology: https://t.co/3lihZbCkae Bellow the source code: https://t.co/K5EfgIdld9 Thx @attrc and @indieami <= creator of sudo #Forensic #SOC #CERT #Yara ...

Anyone have any issue update their windows 7 to windows 10 with all the forensic software on it

@spoon1997 I did an in-place upgrade on one of mine; no serious issues. Don't forget to set EnableLinkedConnections registry value if you use network drives.

Question about a Square Reader , is there any data on it or is it a passthrough data like im thinking ?

Does anyone have a link for KAPE? The Google links are not working

@Bob.I - DFO Ottawa-IACIS https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape

Kroll Artifact Parser And Extractor (KAPE) | Cyber Risk Services

Kroll Artifact Parser and Extractor (KAPE) is an efficient and highly configurable triage program that will target essentially any device or storage location, find forensically useful artifacts, and parse them within a few minutes.

11:06 AM

you have to fill out a form

@deepdive4n6 thanks

Has anyone had anyone tried pulling logs off either a Xerox Workcenter 7830i or a Brother ADS2000 (desktop scanner)?

TFPO Kernal Exploit for A12-A13 Out Now!

I'd say just try the web interface, but I guess you did that

Not sure if it's been posted yet, but andriller has been made open source: https://github.com/den4uk/andriller

den4uk/andriller

Andriller - is software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. - den4uk/andriller

4

Nice! Good utility!

Anyone from @Magnet Forensics able to quickly help me?

Yep, what's up

2

Merry Christmas everyone

17

I got a case involving a FireStick using the Kodi app to allegedly show porn to a minor. Anybody know what artifacts that made be there? So far, I found add-ons for adult streaming sites. I was hoping to find possible search history.

@gt530 I usually run the extraction through Axiom.

7:41 AM

You might be able to go through the Kodi databases to find the search terms. I haven't ever tried that before. (edited)

7:42 AM

What type of extraction did you get? What did you use?

I ran through IEF (We havent upgraded to Axiom yet). I mainly been looking at the extraction through X-Ways. I used ISP for the extract, which I think you did the pinouts for. Thanks BTW.

LOL glad they worked.

7:45 AM

I don't use x-ways, but can you get to the databases with it?

I did use a couple of search terms but they seem to hit on the add-ons as they used a hyperlink to a video on the the streaming site as a test. Yea, I can x-ways to look at the databases. I also looked at them through Cellebrite.

7:46 AM

The pinouts worked great. super easy.

Let me see if I can find one of our evidence dumps which had kodi on it. I think we just did a 4k which had kodi.

Thanks

@gt530 the last firestick didn't have kodi like I thought. It had references to it, but it wasn't installed. I will need to dig around a bit more.

ok. I been looking through the databases. only finding TV shows and movies. I wonder if it depends on the add-ons if the search history get saved.

can you search the hex for search terms?

10:32 AM

that might tell you if they are actually saved in a db

good call. I will try that

Looking for ideas on how someone might have faked geofilters on snapchat. I have a FFS dump from an iPhone. I have a Snapchat image showing the geolocation filter for the Orlando Florida airport (MCO). He has home area geolocation filters later in the day. Seems like he might have flown home. However, analysis of any of the data (location and other types of data) from the day before it appears it is all for his home area. Bad guy says he faked the tag. (Seems reasonable to lie if you don't wan to get in trouble for traveling.) I have found where someone can use the apps itools or phantom to fake a gps location. Neither of these are on the phone. Any ideas how to prove it is faked?

@sholmes look up what apps are / were on the phone. Apps like Fake GPS and alike

@Dfdan I did try that. I searched the entire extraction, as well as the Installed Applications section, for GPS, Fake, as well as a few specific app names. All negative results.

12:56 PM

manual inspection of the phone revealed no apps of concern.

1:02 PM

Just figured it out. Found in a conversation where he has someone else logging in as him and snapping for him.

3

@sholmes good stuff.

I have spent hours checking apps and long/lats for different pieces of evidence and nothing was adding up. So I just went back to working the rest of the case and BAM! "login and post on my snap."

1:05 PM

sometimes it is too easy and people aren't lying.

1

everyone is a liar until proven otherwise

1

1:06 PM

</cynicism>

I miss LE work

Does anyone know what is the purpose of the file path com.snapchat.android\files\file_manager\snap_first_frame? Android phone btw

Hey, not sure if this is the right place to ask, but is anyone aware of CVE-2019-19781 being exploited yet?

Any snapchat experts on today?

@Pacman not so much with the app itself but with search warrant stuff I am

Also probably doesn't help it's the holidays and most people are burning time, likely

Yep I figured it's a difficult time to ask questions lol

i am somewhat familiar with the app and sw stuff, what do you have? not sure if i would be an "expert" but i know a little bit

Got two illegal pictures found in file path com.snapchat.android\files\file_manager\snap_first_frame. Device is an android, and I'm trying to work out what the file path is for.

5:40 AM

My best guess is its a thumbnail picture for a video.

@Pacman I've had success with emailing Snapchat directly through their LE email listed on Search.org and asked them technical questions like this. I'd recommend doing that as a last ditch effort

Yeah that's the plan. First POC is here, no luck then I'll try snapchat Monday

6:58 AM

How responsive are they?

@Pacman they've always been pretty responsive for me. Usually within 24-48 hours. Few years ago they were within the hour for email responses. 2-3 hours for SW returns. However, I think their business has increased dramatically since then

7:05 AM

I think 2 hours 13 minutes was the quickest response I got from them on a SW. Average was about 2 and a half hours

that makes sense to me @Pacman so for the story portion, it will show you a single frame from the video as a preview to it, i imagine it needs a place to store it until its viewed...i cant tell you for sure for that path, as i havent ran into that....i can tell you i have had bad luck with using snapchat in an exigent situation. we had missing kid, that we found out was using snapchat on stranger's phones. She was almost 2 hours away in a major city...snapchat would only update us 2x a day, every message was 5 or 6 hours old information and location. made it a pain to find her.

https://aboutdfir.com/resources/preservation-letter-search-warrant-templates/instagram/ finally got around to finishing this

Instagram - AboutDFIR - The Definitive Compendium Project

Serving Preservation Letters/Search Warrants As stated on this section’s home page, for every digital investigation where a Preservation Letter or Search Warrant is involved, Search.org’s ISP List should be your number one stop regarding proper steps to serve your legal p...

1

2

9:42 AM

Any and all feedback is welcome

https://aboutdfir.com/resources/preservation-letter-search-warrant-templates/mobile-devices-computers/

Mobile Devices/Computers - AboutDFIR - The Definitive Compendium P...

Search Warrant Language Template (Mobile Device) The person, place, or thing to be searched is described as and is located at: The following device(s): Apple iPhone 6S Plus Color: Silver Model: A1687 FCC ID: BCG-E2944A IC: 579C-E2944A Serial: 1234567890 IMEI: 1234QWER5678TYUI...

10:30 AM

another one, would really appreciate some feedback on the Desktop SW language

10:31 AM

If anyone has a better template, please pass along

https://saelo.github.io/presentations/36c3_messenger_hacking.pdf

4:01 PM

Remotely Compromising an iPhone over iMessage

@San4n6 I read articles like that and feel like a tiny little child in this field. The people who figure this stuff out are wizards.

8

Welcome @Vitaliy Mokosiy from @Atola Technology

5:48 AM

Atola saved my butt on a case recently so thank you very much for your work

1

@Andrew Rathbun Welcome @Vitaliy Mokosiy from @Atola Technology Atola saved my butt on a case recently so thank you very much for your work It is always a pure pleasure to hear such things! I do hope to learn more from community feedback to help my team developing our hardware imagers in a proper direction (edited)

@Vitaliy Mokosiy https://discordapp.com/channels/427876741990711298/537760691302563843/646800075603050507 if you want to read the story

1

@whee30 DFIR is a field with so many highly specialized sub-disciplines, and yet due to the dynamic nature of digital forensics, many practitioners are expected to know at least a little about almost everything. I think this dynamism can also be used to our advantage however.. each new file can be seen as a potential opportunity to learn just a little more than we knew before on a particular specialty. This philosophy gets us out of the dreaded "forensic hamster wheel" where all we ever do is push a few buttons, generate a report, and move on to the next case without actually learning or benefiting as an examiner. The holy grail though I think is sharing what you learned (inasmuch as you are able) with a community like this one. (edited)

8

1

Has anyone extracted any usefull data from a Playstation 4 hard drive? Thanks

@ds275 I would love to find this answer. If you find something, let me know. We usually clone the drive and then manually examine the cloned drive through the PS4.

12:52 PM

Looking for free software to play mp4 videos. Specifically one I can go frame by frame and possibly zoom in on guns. Great videos of the guns, but can't stop the video long enough to see if a serial number is legible. VLC wouldn't play the mp4s on my workstation. #multimedia-forensics (edited)

@sholmes might be worth asking in #dvr-multimedia-surveillance or #multimedia-forensics

12:53 PM

I know some of the relevant vendors only monitor those channels

1

@forensicmike @Magnet +200 for sharing

2

Great responses already on that survey, thanks everyone

https://forensicswiki.xyz/page/Main_Page Forensics Wiki is apparently back up

Embarrassed to ask this but Digital Forensics is a perishable skill.. seeking advice on best way to open and blowout a .CTR? it has been a long long time..

8:36 AM

Xways is the preferred choice but just drawing a blank

8:37 AM

LOL disregard, I got it... LOL.... Starting the new year off with a bang LOL

Mind posting the solution @nbh2493? for the purpose of the search

8:38 AM

No such thing as a stupid question either. We all experience brainfarts, too

mount it in XW, do a Recursive View on the home folder root, select all files, then right-click to get the "recover/export" option

Does anyone know of a free RSS feed aggregator for a Twitter hashtag, namely #DFIR? I'm testing out a #DFIR on Twitter feed in #twitter-dfir-feed but I'm on a 14 day trial and really don't want to pay 20 bucks a month after that

4:07 AM

I just want to push hashtag results via a RSS feed. Not seeing any free options

4:07 AM

Any help would be appreciated!

@Andrew Rathbun how about finding sponsors

there must be a bot that can do it

4:21 AM

an open saucy one

well, we used Discord.RSS for our other feeds, but Twitter removed native RSS feed generation back in 2013 apparently

4:22 AM

so now third party services are all you can use to generate a RSS feed for a hashtag, apparently

4:22 AM

the free version of Discord.RSS has 5 slots, of which we use 4 right now

4:23 AM

#DFIR on Twitter would be 5 and frankly the last probable one we'd ever need for this server so it'd be a perfect fit (edited)

but twitter don't do RSS basically

#twitter-dfir-feed looks to be working right now just fine but I don't want to pay 20 bucks for that 14 days from now lol

https://github.com/atomheartother/QTweet there's stuff like this but it's not RSS

atomheartother/QTweet

A qt Discord bot who cross-posts from Twitter to Discord - atomheartother/QTweet

4:24 AM

not sure if it does hashtags, it doesn't say explicitly

4:27 AM

https://github.com/Astalaseven/twitter-rss there's stuff like this too

Astalaseven/twitter-rss

Rss-generator for Twitter. Contribute to Astalaseven/twitter-rss development by creating an account on GitHub.

4:27 AM

but that supposes you have the hardware

Hmmm, like I said, I have 14 days to figure this out so we'll see what else people come up with. It's a nice to have feature based on feedback from the survey so I want to make it work but I don't want anyone to have to pay for it

4:29 AM

if people really wanted to pay, I'd rather they help us get the vanity URL via Discord Server Boosts lol

yeah ya don't gotta pay

4:29 AM

I've never used RSS but that's what I found just googlin around

4:29 AM

whether it's actually helpful

4:30 AM

what's the vanity URL

if we get 30 boosts (we have 7 currently, I think), then we qualify for a vanity invite URL, i.e. I'd make it discord.gg/digitalforensics

4:30 AM

then we all work off the same sheet of music

4:30 AM

it'd be pretty awesome to have that but it's very not free lol

gotcha

4:34 AM

I've never used Nitro or I'd boost it for ya

4:34 AM

though the allure of spicy gifmojies is high for sure

Not sure why there's so many duplicate tweets but we will continue to monitor and see how it is. Feel free to mute it if it annoys you. That's the point of having separate feed channels, anyways. That whole category can be collapsed, too. If anyone has any questions, just let me know

Got an iPhone 7 A1778, keeps rebooting, doesnt get passed the Apple logo before rebooting. It does respond to a hard shutdown (who doesnt!) but when you try and boot it in DFU/iTunes mode, it carries on rebooting. Any ideas? (edited)

Sounds like either a hardware fault or a software corruption of sorts. The latter would be fixed by DFU and re-flash which I assume wouldnt help. Maybe a quick teardown to check there isnt a HW fault. Is using Checkrain out of the question, this might allow you to debug the issue? (edited)

huh, I never heard of checkrain before, is it valuable for forensics?

@Zhaan Open the iPhone up, disconnect the front camera flex, see if that helps. One of the more common issues that causes bootloops (of many). You will need the tri-wing driver for the insides (edited)

@CloudCuckooLand thanks

@Sudo Its a non-persistent JB but I dont think anyone has done the sort of analysis that would be required for you to use it in a "legal" way

by "legal" do you mean ISO compliant or?

basically

6:05 AM

as with these things the concern would be whether someone could use the Trojan Defence (edited)

gotcha

6:05 AM

I assume that it does enough to make that a possibility

indeed

I wonder if this is what that thing does

6:06 AM

or close to it

We use it to assess apps and the OS from a security standpoint

is it an "app" you have to load onto the device?

6:08 AM

only because the QnA says open the app

yes but it also exploits the boot process so you can sideload the app

gotcha

6:08 AM

that makes more sense

checkm8 and checkra1n same same but different

so can it bypass locks or circumvent anything?

TBH I kind gloss over those details for the shiny shiny

it's cool, just trying to get an idea of it

6:09 AM

I'm sure I could work it out from the documentation

6:10 AM

answered my own question

bypass locks.....no those are still held in the secure element. There is nothing to stop you from access the non-encrypted data though

"no"

You don't have to open the checkra1n app to get your root ssh access

love root ssh access

You have to open it to then install Cydia (which is downloaded over the web, so requires internet connectivity)

makes sense

6:13 AM

sounds interesting

6:19 AM

are there any applications then for DFIR or is it more just, jailbreaky bit of fun

Read the useful blog posts from Mattia Epifani to see what it can and cannot do for you: https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-1-before-first-unlock.html?m=1

Checkra1n Era - Ep 1 - Before First Unlock (aka "I lost my iPhone!...

DFIR research

thanks

There are five parts to the blog post currently. It can effectively get you anything that would be accessible in other forms of BFU extraction (does not bypass passcode, but can bypass USB restricted mode)

what if you had the code?

6:21 AM

I suppose that code is only useful when combined with the OS though

Then it could get you a full filesystem

6:22 AM

Not sure I understand what you mean about the combination. You can jailbreak the device without knowing the code, then unlock the device and use any of the forensic tools that have support for checkra1n to perform an extraction

I meant like thinking say I can have someone's Google password but without accessing Google I can't use it

6:22 AM

like the salt/hash to spit out

6:22 AM

if that makes sense

6:23 AM

like I can't just throw a code at encrypted data, it needs to work with that code to decrypt it via whatever method

Ah right, yes, the device itself has to be unlocked. Can't be decrypted after the fact, due to the usage of Secure Enclave

cool, gotcha

Definition for Firehose Programmers added to https://aboutdfir.com/education/forensic-terms/ based on feedback from the survey

Forensic Terms - AboutDFIR - The Definitive Compendium Project

This page is meant to serve as a forensic terminology reference guide for the community on potential definitions, both layman and technical, as well as analogies and potential courtroom explanations for juries. This website and its writers claim no responsibility for incorr...

1

8:14 AM

If there are any more terms that need to go on there, let me know guys

if you are encountering T2 Macs and know the username and pw: https://github.com/slo-sleuth/slo-sleuth.github.io/blob/master/Apple/APFS%20Imaging.md

slo-sleuth/slo-sleuth.github.io

Data Discoveries. Contribute to slo-sleuth/slo-sleuth.github.io development by creating an account on GitHub.

oh and why not try the tools that are supposed to work? we did - those tools failed. lastest version of macquistion 2019R1.2 failed regardless of how it was deployed, based on the instructions provided by BlackBag - and yes we exhausted all manner of trying to acquire it using macquistion; Recon Imager stuck at v 4.0 (latest i think is perhaps v 6) , and expired so we couldn't update it. so v4.0 failed as well..

10:44 AM

and this on two different unrelated T2 devices that came into lab over a 2 week period

What does everyone use to validate their write blockers? As in, is there a program that will create some sort of report for write blocking validation and imaging? I have to validate all my hardware for our annual validation festivities so just wondering if there is a best practice out there besides just creating my own image and copying out FTK Imager reports and manually validating that I can't write through the write blocker.

Best way I could think of was make an image from a known and verified write blocker. Then image device over with new equipment, and compare hashes....

1

11:09 AM

Use small drives and it goes quickly.

Going old school: http://forensicfocus.blogspot.com/2008/01/validating-write-blockers.html

Validating write blockers

In the Recommended forensic hardware thread in the Hardware forum I recently wrote the following about a hardware write blocker I'd just co...

1

this checkra1n is wild

5

I've used (quarterly, including today) Wiebetech's writeblocking utility. Does the job with an automated sectorwise report

1

Thanks guys. I remember that utility. I'll try it again. I have to verify a bunch of TD2u units so just looking for the most efficient and best practice

Posted this in extraction: A colleague of mine found this website https://forum.xda-developers.com/android/development/amazing-temp-root-mediatek-armv8-t3922213 where he was able to soft root a test device, however he's had unsuccessful attempt to image the phone. Netcat doesn't work and using mount command with SD card attached doesn't look right.

Amazing Temp Root for MediaTek ARMv8 [2019-12-28]

-all-the-things.jpg Software root method for MediaTek MT67xx, MT816x, and MT817x! So it's no big secret that not too long ago, I found a way to achieve te…

2:29 AM

Has anyone seen this post?

@Deleted User what writeblocker do you use this on? I have TD2u's I need to test and might as well test my Tableau writeblocker that's attached to my workstation

I use em on all my bridges, card readers.. not on an independent unit like a TD2u.. I'd probably just attach a small USB and image with it, try/verify with a bridge/wiebetech validator, and reimage with TD2u to show no changes. I'm happy to hear what others do for it though

1

Hi all! As a DF student I feel that I can have some pretty basic questions I was wondering if this would be the right channel to ask in. (If it isn't just delete the post

). Anyway, I am currently working on an assessment were we have an image of a FAT16 usbdrive, all the files fall into the times around november 2019 where there is one that has a Modified time set to 2022 and A and C date in 2019. Have tried to find answers online with no luck. So do you have any tips as to what it might mean? Thanks

@AdriKL manually changing the system time then modifying the file (edited)

8:54 AM

Should be an easy scenario to recreate and test for yourself

@Andrew Rathbun haha thats true

Thanks for the answer

1

No problem. Glad you felt comfortable enough to ask your question! Let us know if there's any more you have

1

Ok, found another question. On the image we have been given all the access times have the "correct dates" but all the times are set to 00:00:00. I cant seem to be able to reproduce it or find any useful info online :/ any tips would be greatly appriciated

@AdriKL Maybe the timestamps in the file have been modified at the hex level? I was going to say maybe the MFT had been modified but it's a FAT system. I'm way more familiar with NTFS than I am FAT. My suggestion, and it may be wrong, is to look at the file in hex and see where the timestamps are located and see if they've been zeroed out. Just a guess

Ahh FAT doesn't seem to store the access time only the date in the root directory

Then I learned something new today as well

But thanks for the help regardless @Andrew Rathbun

Hello all. anyone in a LE lab in NY, who is addressing e-discovery requests? I’m interested in how others are addressing e-discovery production. Also, if there is anyone in a lab who regularly deals with e-discovery production... please let me know. Thank you all.

@luis511_ what's your question regarding eDiscovery? I deal with it a bit where I'm at.

Hey.... do you have a set process for managing requests, identifying, compiling and distributing content to meet e discovery requirements?

4:20 AM

Regarding cases involving cell phones, what do you release for an e discovery request? Source data - extraction? UFED reader with all check boxes ticked?

My workflow is we get the request from the defense that they want eDiscovery copies of all the evidence imaged. They provide a padlock drive. I throw all images on there and my hands are washed clean of it. On the prosecution side, it's just churning out documents and emails and anything else in particular relating to the case. We provide the EO1's and phone images. Defense can get their own expert to make them into something readable

The cell phone question is an example... but it’s along the lines of what I’m after

I also keep track of which copies of which devices were given when to who for which client.

So for a phone case where you used celebrite to extract, you’re giving a copy of the iPhone.tar file Cellebrite creates?

Yep whatever is output by UFED 4PC is what they get. No generated reports.

4:23 AM

They can generate their own with their own expert

Ok...

4:24 AM

Don’t mind the dots. My brain is just thinking

1

4:26 AM

Are you accepting requests for e discovery production via email? As the starting point to track the request? Or is it just verbal, and you document the request in your case notes

Our workflow is the defense usually emails the prosecutor (AUSA) and then they email the case agent and CC me so I'm aware of it. Case agent has to submit a formal request via an agency specific form to have me fulfill the eDiscovery request. Once I get it and my boss and his/her boss approve it, I fulfill it. Defense has to provide a padlock drive though. Or a regular drive which I will then encrypt with bitlocker.

4:31 AM

Then I have some paperwork that I add to the electronic case file when I fulfill it

4:32 AM

I usually attach the initial request to the report of my activity via Combine Files in Adobe and then digitally sign it and upload to the ECF

Perfect!

Let me know if you have any other questions. Hope that helped. I'm taking a nap now since my kid felt like waking up at 0430 was a great idea.

I understand it’s the easiest way to reach the dark web but does anyone here support the Tor browser? And/or use it for personal use? (edited)

@Tyføøn I've only really used it just to poke around on the dark web for familiarity's sake. It's too slow for a daily driver. I use ProtonVPN as well for my VPN needs

For anyone interested in a Windows explorer alternative: Directory Opus is having a sale: It's all 40% off! :) To take advantage of this sale, use the coupon code NEWYEAR2020 before January 27th, 2019.

7:39 PM

Been using it for a bit now, and if you're a heavy user in moving files and OCD in organization, take a gander

@Deleted User Thanks for the heads up! Some of you might be familiar with DOpus from Amiga in the early 90s. Highly recommended on a DFIR workstation!

My bad, just noticed this was posted here too. I just posted it on #off-duty. Oh well, more exposure! Use it daily and will never go back. (edited)

@luis511_ another idea to track what you produced to the defense would be to generate a Snap2HTML file for the final production and keep that for your records. If you're not familiar, download it and try it on like your C drive to see what I'm talking about. You'll likely fall in love with it if you haven't already

create fancy dir listings

anyone ever use Nuix, seems like it's not that popular

@Sudo I did in FOR500 and my agency has been implementing it very slowly over the past few years. Seems like we're finally turning a corner and will be implementing it into our workflow soon. They had us do a training pass and I've done 3/4ths of the classes so far. I've heard NUIX is prohibitively expensive so that may be why it doesn't seem as popular but I've also heard it's very popular. All depends on who you ask and what they do, I suppose

I constantly have problems with it

4:07 AM

two separate cases both corrupted today

4:07 AM

or at least it's saying the data is corrupted

It seems like a very powerful tool but it seems very overengineered for what we need it for. It's a pretty complicated tool, NUIX Workstation is. Powerful though once you get a grasp on it

4:08 AM

I haven't installed it on my machine(s) yet so I can't be of much help right now. Ask me in 6 months and it might be a different story

yeah it doesn't feel very well designed at all

4:08 AM

all the pathing and stuff for evidence etc is really bad

4:08 AM

any other tool you can freely move or provide a sub-report of in some form

4:08 AM

but not Nuix

There's gotta be a way, you'd think. Maybe it's just not readily apparent. I'm sure there's an overcomplicated path you have to take to get there

I'm not sure how these cases corrupted but I'm guessing it was from moving it

Do you need a contact for one of their trainers to ask a question? I do have the email of one of my instructors. You might know him since he's in your neck of the woods

I have asked their tech support before and they basically said "iunno"

4:09 AM

might be useful yeah

4:10 AM

I just want to know if the data is actually corrupted or if it's just missing paths

Sent you a PM with his email

ta

@Sudo We use Nuix in our lab, when moving cases during ingestion process you must edit the stored evidence XML file to point at the evidence container whether it be forensic image or mobile extraction. We use dedicated servers for Nuix ingestion which we copy the forensic images onto before starting the process off - may help, we rarely get corrupted errors.

yeah I have done that in the past

5:51 AM

but the XML doesn't actually have any info around the stores location

5:51 AM

it was an email extraction, it just says "email@email.com" and some additional data

I'll be providing a small course on DF investigations to a police academy, anyone have any good youtube videos to help get some ideas of evidence, big data, or legality that is simple yet informative. I've got this one on the data google collects https://www.youtube.com/watch?v=0s8ZG6HuLrU

Fox News

How much info is Google getting from your phone?

Here is a video I saw online:

2:14 PM

https://www.youtube.com/watch?v=ZUqzcQc_syE

ISACA HQ

Overview of Digital Forensics

1

2:15 PM

It might be tough to find one to provide a clear overview for a recruit class. Besides that most wont really care since they are getting there @ss kicked in the academy and will just want to make it through.. (edited)

2:16 PM

That is what I found while teaching new recruits.. I think its best to provide evidence collection towards the end near graduation since its more laxed at that point in the training.

@Magnet Forensics Is there a way to create a report which includes items tagged inside of the File System view? It won't let me create a report from this view, and when I select Artifacts, I can't see my bookmarks in the Create Report section.

3:57 PM

Disregard. Select all Bookmarked files in the File System view and right click and Save to Artifact. Go to Artifact section and BOOOM! They are now in the Artifacts side and can be placed ever so nicely into a report. Thought I'd share in case someone else has this issue.

Yep, or you can select tagged items from the items to include section and it will automatically also include tagged stuff from the filesystem explorer.

3:59 PM

The way you put above will be a little better in the short term though.

Tagged items was grayed out on my options

3:59 PM

on the Artifacts side

4:00 PM

and obviously not an option on the FS side

That said we are actively working on syncing tags between the filesystem and artifacts, so things more automagically get pulled across for reporting.

4:00 PM

That's odd. I'll have a look at that.

That would be nice if it would pull FS tags into the Artifact tags when creating a report.

4:02 PM

Thanks @MF-cbryant. I appreciate you helping me out.

@sholmes Np!

anyone ever heard of the Win10 Xbox app being compromised?

3:33 AM

specifically to "hack" someone

I have to analyze memory of Linux (centos v7) but facing issue in setting profile in volatility kindly if anyone can guide me or any suggestion Thank you

did you use lIME to pull the memory?

6:57 AM

I am assuming you ran imageinfo and attempted kdbgscan? Did nothing come back?

6:57 AM

do you know what kernel version?

Good morning fellow nerds

7:11 AM

Might be doing 508 this year. Much hype

I just went through the new one its a good course

7:12 AM

well revamped version

7:12 AM

top answer

Morning! Is anyone aware of or has anyone ever compiled a checklist of possible indicators (that can be checked with manual inspection or non-invasive techniques) to show when/if a mobile device has been either jailbroken or rooted? I am thinking of things like - check for cydia, query with ADB commands etc, but wondered if there was a more complete/definitive list? (edited)

Hi all, Has anybody looked at a GPS tracker like the one on the pictures? It has a micro-SIM card slot and a mini-USB port. I can't see the actual board as I'm afraid of damaging the battery that sits right on top. When powered on and connected to a PC, the tracker is recognized as an "Other Device" by Windows. As it is not recognized as mass storage, I haven't had luck in getting any data from it. Would you have any other tips, besides ISP/chip-off? Thank you in advance!

Hello All, somebody here has experience with forensics on modern cars and their digital equipments? I think it will be a core task for crimes investigation and their solution in the future, as it is now for smartphones. Any experience?

3:08 AM

I'm sorry, I've seen right now that there the dedicated channel #vehicle-forensics

Anyone here can assist with autopsy on Mac OS X and how to allow the solr service to access a NAS shared folder. Receiving errors regarding core creation. Works fine storing to local drive and external ssd but not to NAS. Thnx.

Out of curiosity, how does everyone record key steps and evidence identified during their forensic investigations thus making it easier for when writing the Forensic/Intel report? Do you use Excel/OneNote or even a speciality tool?

Personally I use Monolith notes to help keep me organized as I go along.

1

8:40 AM

They have a paid version, but I've just used their free option so far.

norbs.ac

Personally I use Monolith notes to help keep me organized as I go along.

Thanks! I'll have a look into this

ShadowTruth

Out of curiosity, how does everyone record key steps and evidence identified during their forensic investigations thus making it easier for when writing the Forensic/Intel report? Do you use Excel/OneNote or even a speciality tool?

By policy, we have to write chronological case notes. Probably some better ways to do it, but another idea. We use MS Word. Every day gets its own heading.

1

8:58 AM

Additionally, we have worksheets for every physical evidence item that we fill out identifying information (e.g. serial number)

Cole

By policy, we have to write chronological case notes. Probably some better ways to do it, but another idea. We use MS Word. Every day gets its own heading.

That's another great idea, thanks!

@spadart sent you a PM

Hello good, a question. In windows we can create partitions and put files in that partition. A program for this is VeraCrypt, which creates virtual partitions After that we can simply delete the disk partition. How could this be detected?

sanity check, if I wanted to timeline windows login activity for the past month, would it be sufficient to focus on the Windows Security Event IDs login (4624) and logoff (4647)or do other sources contain more information?

11:27 AM

context: a potential hack over a month ago with leaked credentials

Fierry

sanity check, if I wanted to timeline windows login activity for the past month, would it be sufficient to focus on the Windows Security Event IDs login (4624) and logoff (4647)or do other sources contain more information?

Definitely check RDP, as well. 21, 24, 25 from TS-LSM. 1102 will show outbound RDP from a system. 4624 type 10 will be RDP as well. 4778/79 are good ones, too, sometimes you see threat actor workstation names bleed through in these events

4

3

good call, thanks

1

Andrew Rathbun

Definitely check RDP, as well. 21, 24, 25 from TS-LSM. 1102 will show outbound RDP from a system. 4624 type 10 will be RDP as well. 4778/79 are good ones, too, sometimes you see threat actor workstation names bleed through in these events

Pretty sure people have spent thousands on training just to learn this info right here.

2

conf1ck3r

Pretty sure people have spent thousands on training just to learn this info right here.

heh not sure why if it's just that - that's all on the SANS blue and red posters that are free

1

I'm looking to pick some brains about a personal NAS setup i have. I've got a primary synology NAS and an underused TrueNAS build. I'm wondering about ideas to use them both. I'll start a thread on this.

Cole

I'm looking to pick some brains about a personal NAS setup i have. I've got a primary synology NAS and an underused TrueNAS build. I'm wondering about ideas to use them both. I'll start a thread on this.

CHIA farming.

4:59 PM

I actually did that for awhile but it wasn't actually going to be worth the cost

@spadart I only see one pic without any marking or brands. IME you can get great info from the provider that tracks the tracker data. Because what good is a good tracker if you can’t check the info real time on some server?

6:56 PM

Are there pics beyond the first once that would make ID any easier?

conf1ck3r

Pretty sure people have spent thousands on training just to learn this info right here.

https://twitter.com/Cyb3rSn0rlax/status/1431583396325699588/photo/1

HAMZA (@Cyb3rSn0rlax)

Made this a while back, might also help https://t.co/0e9f4N0Ftg

1

@Cyb3rSn0rlax nice work on that

Andrew Rathbun

@Cyb3rSn0rlax nice work on that

Thanks

5:21 AM

Full pdf versions on github. The mindmap needs some further reviews according to each windows version but it has the general ideas https://github.com/H1L021/RDP-NLA

GitHub - H1L021/RDP-NLA: RDP usage artifacts with and without NLA e...

RDP usage artifacts with and without NLA enabled. Contribute to H1L021/RDP-NLA development by creating an account on GitHub.

Cyb3rSn0rlax

Full pdf versions on github. The mindmap needs some further reviews according to each windows version but it has the general ideas https://github.com/H1L021/RDP-NLA

What are you using for mindmapping?

For this one i used draw.io Whimsical and minmanager are also greag alternatives

If you're able to open source the mindmap file, others could import into XMind (what I'm using currently) or another MindMap tool to expand upon. I've long thought about starting a DFIR MindMap project which would open source the files themselves so the community could build upon them

Andrew Rathbun

If you're able to open source the mindmap file, others could import into XMind (what I'm using currently) or another MindMap tool to expand upon. I've long thought about starting a DFIR MindMap project which would open source the files themselves so the community could build upon them

I would love to but this was not made with a mindmap tool just drawing one

1

5:28 AM

Greag idea btw visual learners like me prefer mindmaps so it would be great addition to the community

1

Cyb3rSn0rlax

Greag idea btw visual learners like me prefer mindmaps so it would be great addition to the community

I have one for KapeTriage ready to add, so we can start with that? I can get one going

Andrew Rathbun

I have one for KapeTriage ready to add, so we can start with that? I can get one going

Would be awsome

Cyb3rSn0rlax

Would be awsome

alright standby, let me get it going

1

Andrew Rathbun

alright standby, let me get it going

https://github.com/rathbuna/DFIRMindMaps

GitHub - rathbuna/DFIRMindMaps

Contribute to rathbuna/DFIRMindMaps development by creating an account on GitHub.

1

5:44 AM

Just added my KapeTriage one. I'll work on an !EZParser one later today

5:44 AM

.xmind file should be able to be imported into other tools, it's a pretty common format (edited)

5:47 AM

https://github.com/rathbuna/DFIRMindMaps/tree/main/KAPE/KapeTriage Added a readme as a template for others that get added. I think there's a nice benefit to have the current .PNG there so people see what it looks like along with the source file so people can improve upon it

DFIRMindMaps/KAPE/KapeTriage at main · rathbuna/DFIRMindMaps

Contribute to rathbuna/DFIRMindMaps development by creating an account on GitHub.

https://github.com/rathbuna/DFIRMindMaps/blob/main/KAPE/!EZParser/README.md EZParser one is up now, cc: @randomaccess

DFIRMindMaps/README.md at main · rathbuna/DFIRMindMaps

Contribute to rathbuna/DFIRMindMaps development by creating an account on GitHub.

Andrew Rathbun

https://github.com/rathbuna/DFIRMindMaps/tree/main/KAPE/KapeTriage Added a readme as a template for others that get added. I think there's a nice benefit to have the current .PNG there so people see what it looks like along with the source file so people can improve upon it

Great effort and work Andrew Will help and contribute

Cyb3rSn0rlax

Great effort and work Andrew Will help and contribute

Thank you! I will work on some MindMaps as I study for the GCIH so that's also part of my motivation for doing this, as well

Andrew Rathbun

Thank you! I will work on some MindMaps as I study for the GCIH so that's also part of my motivation for doing this, as well

Thank you for starting this

6:27 AM

And good luck

1

@Cyb3rSn0rlax https://github.com/rathbuna/DFIRMindMaps/tree/main/NetworkTools/tcpdump rough draft of tcpdump is now up, definitely not a final version

DFIRMindMaps/NetworkTools/tcpdump at main · rathbuna/DFIRMindMaps

A repository of DFIR-related Mind Maps geared towards the visual learners! - DFIRMindMaps/NetworkTools/tcpdump at main · rathbuna/DFIRMindMaps

1

Andrew Rathbun

@Cyb3rSn0rlax https://github.com/rathbuna/DFIRMindMaps/tree/main/NetworkTools/tcpdump rough draft of tcpdump is now up, definitely not a final version

I am making an RDP DFIR mindmap

2:22 PM

should that be in a separate folder different than tools ?

@Cyb3rSn0rlax if you want I can create a DFIR MindMaps channel in the DFIR Community Room and we can continue to collaborate there?

Andrew Rathbun

@Cyb3rSn0rlax if you want I can create a DFIR MindMaps channel in the DFIR Community Room and we can continue to collaborate there?

great idea

1

hey all - anyone particularly good at X-Ways? One of the new features says that i can parse .evtx logs into a .tsv file. I was hoping to understand where exactly the .tsv files are then stored, or placed, for me to look at?

Salvatore

hey all - anyone particularly good at X-Ways? One of the new features says that i can parse .evtx logs into a .tsv file. I was hoping to understand where exactly the .tsv files are then stored, or placed, for me to look at?

I can poke around on Monday and see if I can help with this but in true X-Ways fashion I'm sure it's not a straightforward process. I think they implemented something similar to Eric's Maps so I'm curious myself to see their take on event log parsing

1

5:19 PM

X-Ways Forensics can extract specific data from the event payload in .evtx event logs and list 
them directly in the event list. This makes working with event logs much more powerful, as it 
allows to quickly filter for usernames, IP addresses from log-in or RDP events, task or service 
names, PowerShell commands, etc. There is a tab-separated definition file "Event Log 
Events.txt" in the installation directory that contains a list of event IDs, (optional) log provider 
and the list of individual data fields to extract. The definition file can be adjusted to your own 
requirements. The events in an .evtx file are output in a TSV table.That table contains the 
complete payload of each event. It is ideally viewed in MS Excel or similar applications.

i would guess it's in the case folder, but generally i havent found xways useful for event log examinations - that being said, my experience with it for event logs has been when looking in the timeline feature and its generally vague in its descriptions of events

1

I checked the case folder, but ill check once more, and run greedy mode refine volume snapshot

hey, does anyone have the invite to the Magnet Forensics Discord server?

8:04 AM

Can you please dm me?

Deleted User

hey, does anyone have the invite to the Magnet Forensics Discord server?

https://www.magnetforensics.com/blog/introducing-the-magnet-forensics-discord-server/amp/

Introducing the Magnet Forensics Discord Server | Magnet Forensics

The Magnet Forensics Discord Server will give you the opportunity to speak with each other as well as speakers after the conclusion of their talks.

Andrew Rathbun

https://www.magnetforensics.com/blog/introducing-the-magnet-forensics-discord-server/amp/

tysm

hi guys, i have started to learn how to use autopsy and volatility from CTFs and tutorials but never in real life. Recently i thought it would be a great opportunity to practice on an old samsung table i have that its screen doesnt work and just try to get something out of it. My question is should i use volatility or autopsy (or sth else) for such job

vaghoul

hi guys, i have started to learn how to use autopsy and volatility from CTFs and tutorials but never in real life. Recently i thought it would be a great opportunity to practice on an old samsung table i have that its screen doesnt work and just try to get something out of it. My question is should i use volatility or autopsy (or sth else) for such job

if the screen doesnt work youre going to be battling uphill for entry level mobile forensics unfortunately. so you may want to try replace the screen and then you can take an ADB backup (manually or use the free tools by belkasoft or magnet) and examine that

ok thnx

@vaghoul don’t dismiss the idea though. ADB is a command line interface where you can interact with an android device and navigate the file system etc. it’s definitely fun to play with and learn some of the commands. Reminded me of my first time wandering through Linux

The problem here would be to enable and pair adb at that state, but it depends on the phone. Once you do that, you can use scrcpy to view the screen over adb as on a working phone

whee30

@vaghoul don’t dismiss the idea though. ADB is a command line interface where you can interact with an android device and navigate the file system etc. it’s definitely fun to play with and learn some of the commands. Reminded me of my first time wandering through Linux

Second this, knowing adb is very useful, I've had to use it a few times in the past

Arcain

The problem here would be to enable and pair adb at that state, but it depends on the phone. Once you do that, you can use scrcpy to view the screen over adb as on a working phone

I have never heard of scrcpy. Looks very useful, thanks for sharing!

Anyone else getting "this system needs 9.5.X of XRY" when trying to update to the new micro release? 9.5.0 is installed and working.

whee30

@vaghoul don’t dismiss the idea though. ADB is a command line interface where you can interact with an android device and navigate the file system etc. it’s definitely fun to play with and learn some of the commands. Reminded me of my first time wandering through Linux

i have seen some tutorials about ADB and im ready to test this out. At first i was thinking i would want to use sth like autopsy to access the data but from the tutorials i have seen ADB is worth trying. Thanks for the tip

Arcain

The problem here would be to enable and pair adb at that state, but it depends on the phone. Once you do that, you can use scrcpy to view the screen over adb as on a working phone

The scrcpy idea really helped me with the screen situation (i was in a dead end)

. Thanks

@OggE Sounds like 9.5 may not be perfectly installed, check in Control Panel that both MSAB XRY x64 and MSAB XRY Extraction Platform are on 9.050. If not, uninstall both, restart your PC, install 9.5 and then run 9.5.1. Feel free to DM me if you have any further issues! (edited)

Erumaro

@OggE Sounds like 9.5 may not be perfectly installed, check in Control Panel that both MSAB XRY x64 and MSAB XRY Extraction Platform are on 9.050. If not, uninstall both, restart your PC, install 9.5 and then run 9.5.1. Feel free to DM me if you have any further issues! (edited)

will try, thanks

Erumaro

@OggE Sounds like 9.5 may not be perfectly installed, check in Control Panel that both MSAB XRY x64 and MSAB XRY Extraction Platform are on 9.050. If not, uninstall both, restart your PC, install 9.5 and then run 9.5.1. Feel free to DM me if you have any further issues! (edited)

MSAB XRY x64 was 9.040, time to uninstall

1

OggE

MSAB XRY x64 was 9.040, time to uninstall

That would explain why, uninstall that and then run the 9.5 installer again and you should hopefully have more luck!

Anyone familiar with crack OSX

12:26 PM

Or xforce

what do you mean exactly with "crack OSX", @maddie ?

@maddie Do you mean pirated software for OSX type of crack ?

Hi guys, Can anyone give me any ideas for Machine Learning based projects in Digital forensics ? It would be really helpful for me doing a mini project on any such ideas

maddie

Anyone familiar with crack OSX

I really don't think you should be doing crack man

Rob

If anything, say only stuff you know you can be certain

I would add to this, it's okay to say "I don't know" and "I'm sorry, but I am not the right person to answer that question".

1

Sneak peek of Belkasoft X v.1.10! Watch the video: Irene and Yuri are brute-forcing passcodes for iOS devices with the help of Belkasoft X

Irene works with an iPhone while Yuri cracks an iPad. Who will be quicker to find the correct unlock code? That's the intrigue! https://www.youtube.com/watch?v=CYiGtpccwKk (edited)

Belkasoft

Who is faster to crack an iOS device passcode?

2

Looking for some advice. I was doxxing myself and found a website with a list of emails including mine in a "leaked" txt file. The website is full of files that indicate that they are most likely a hacking group (folders with dates of leaks, cracked software, hacking software, porn). I did some investigating and managed to find other websites created by the group. I went to report them to actionfraud but it says they don't deal with cybercrime if it's outside the UK. Any advice on who to report them to? (edited)

hmmm... on latest ios ? don´t think so....

ryd3v

I really don't think you should be doing crack man

I was being serious but ok thanks for nothing

DCSO

@maddie Do you mean pirated software for OSX type of crack ?

I wish I even knew I’m looking at an image and that’s was the beginning the file structure says

Deleted User

Looking for some advice. I was doxxing myself and found a website with a list of emails including mine in a "leaked" txt file. The website is full of files that indicate that they are most likely a hacking group (folders with dates of leaks, cracked software, hacking software, porn). I did some investigating and managed to find other websites created by the group. I went to report them to actionfraud but it says they don't deal with cybercrime if it's outside the UK. Any advice on who to report them to? (edited)

You can try here: https://www.ic3.gov/Home/ComplaintChoice

Deleted User

Looking for some advice. I was doxxing myself and found a website with a list of emails including mine in a "leaked" txt file. The website is full of files that indicate that they are most likely a hacking group (folders with dates of leaks, cracked software, hacking software, porn). I did some investigating and managed to find other websites created by the group. I went to report them to actionfraud but it says they don't deal with cybercrime if it's outside the UK. Any advice on who to report them to? (edited)

Depends on who controls the domain I suppose, you might get the pages shut down.

DFIRDetective

You can try here: https://www.ic3.gov/Home/ComplaintChoice

Thank You, I've reported them.

CCC

Depends on who controls the domain I suppose, you might get the pages shut down.

Yes, I was going to report them to whoever gave them the domain but then I realised they would just get new domain and start over as they had previous ones before.

Deleted User

Yes, I was going to report them to whoever gave them the domain but then I realised they would just get new domain and start over as they had previous ones before.

Options are a takedown request from an attorney with focus on how the content either infringes your rights or causes harm to your person. It’s a roll of the dice though. Another option is same takedown request to the sites service provider. Option 3 - poison the address (change the account owners name, use it to register on a bunch of sites you would never normally use, post it in pastebins with gibberish data) and then create a new address. (edited)

maddie

I wish I even knew I’m looking at an image and that’s was the beginning the file structure says

Maybe the image was previously encrypted and it was "cracked" can you access the image? Your question was pretty vague , OSX is free if you have access to a Mac, so there is no cracked OSX, it's not like Microsoft where you need an activation key right (edited)

Deleted User

Options are a takedown request from an attorney with focus on how the content either infringes your rights or causes harm to your person. It’s a roll of the dice though. Another option is same takedown request to the sites service provider. Option 3 - poison the address (change the account owners name, use it to register on a bunch of sites you would never normally use, post it in pastebins with gibberish data) and then create a new address. (edited)

Thanks for the advice, I've reported them to Internet Crime Complaint Center.

1

maddie

I was being serious but ok thanks for nothing

xforce could be a keygen software used to crack various paid programs, or another application, chances are it's a keygen software

Anyone had success reading the logs within MEGA. The file header appears to be US BS NULL

Does anyone have any thoughts on optimizing Autopsy? I've been running file type identification (and no other ingest modules) on an image of a 1 TB drive for like a week and its only 18% complete. JVM memory is set to 25 GB (which it is using all of). You can see the CPU and disk usage fluctuating in the task manager so its definitely not frozen, but when you look at the Ingest Progress Snapshot its been trying to identify a file for the past 17 minutes.

Looking for input on video recording our examinations. State's Attorney wants us to start recording extractions as another layer of proof that we did not manipulate the evidence. Obviously I can't take my workstation to our interview room and tie that up for days on end. Do we just buy a couple security cameras with SD card storage or is there something more appropriate for this scenario?

wcso_pete

Looking for input on video recording our examinations. State's Attorney wants us to start recording extractions as another layer of proof that we did not manipulate the evidence. Obviously I can't take my workstation to our interview room and tie that up for days on end. Do we just buy a couple security cameras with SD card storage or is there something more appropriate for this scenario?

Wow. That seems like an unreasonable request. Maybe a body camera if your agency has them. If it were me, I would want something I could disable audio with.

Joe Schmoe

Wow. That seems like an unreasonable request. Maybe a body camera if your agency has them. If it were me, I would want something I could disable audio with.

I think it’s a little crazy too, but they want the entire process from unsealing the evidence bag to extraction completion even though I warned them some computer drives could take days

wcso_pete

I think it’s a little crazy too, but they want the entire process from unsealing the evidence bag to extraction completion even though I warned them some computer drives could take days

The video size will almost be as large as some of the drives.

FastStone capture does a good job in regards to screen recording.

wcso_pete

Looking for input on video recording our examinations. State's Attorney wants us to start recording extractions as another layer of proof that we did not manipulate the evidence. Obviously I can't take my workstation to our interview room and tie that up for days on end. Do we just buy a couple security cameras with SD card storage or is there something more appropriate for this scenario?

Looped recording that uploads to a backup server , onsite, obs or another screen recorder for the on desktop work. You could do it with blink cameras but it would be a bit more labor intense than a professional surveillance camera system (edited)

wcso_pete

Looking for input on video recording our examinations. State's Attorney wants us to start recording extractions as another layer of proof that we did not manipulate the evidence. Obviously I can't take my workstation to our interview room and tie that up for days on end. Do we just buy a couple security cameras with SD card storage or is there something more appropriate for this scenario?

Surely just verifying the hash is good enough?

10:24 PM

You can't be recording screens for risk of recording csam etc

1

wcso_pete

I think it’s a little crazy too, but they want the entire process from unsealing the evidence bag to extraction completion even though I warned them some computer drives could take days

To me it would be reasonable to photograph the process. The timestamps on the photographs combined with the forensic tool hashing the extracted data in transit should be enough to prove the examiner did not tamper with the evidence. At the very most you could video record the beginning of the extraction and photograph the rest, but you gotta do what you gotta do.

Rob

You can't be recording screens for risk of recording csam etc

You could blur the screen on some parts of the process if need be though

ryd3v

You could blur the screen on some parts of the process if need be though

True, but sounds like they'd be possibly accused of manipulation.

Same with time stamped photos, also can be manipulated. I agree though, I don't think it should be recorded at all, unless it's just cctv of the examination room.

11:10 PM

At that point though, if you don't trust chain of evidence, and the people on staff, how can you accept anything

(edited)

7

11:12 PM

Maybe they watched the line of duty, good show btw xD The season with all the evidence tapering (edited)

2

wcso_pete

Looking for input on video recording our examinations. State's Attorney wants us to start recording extractions as another layer of proof that we did not manipulate the evidence. Obviously I can't take my workstation to our interview room and tie that up for days on end. Do we just buy a couple security cameras with SD card storage or is there something more appropriate for this scenario?

Windows? Use gamebar or obs potentially

11:25 PM

Or grab a body worn video

11:25 PM

For me, I photograph the bag sealed, unseal and do the exhibit, make an extraction, reseal and photograph the bag.

Is there any powershell guru here in the channel who would like to help me out with an little project. DM for more information

CCC

For me, I photograph the bag sealed, unseal and do the exhibit, make an extraction, reseal and photograph the bag.

Yeah, I think anything more than this is definitely going into unreasonable territory

2:57 AM

Never heard of someone asking for the whole thing to be video recorded before, sounds ridic to me (edited)

@wcso_pete Just say NO

thats crazy

1

I mean most programs seem to generate a hash, you can record this and note it when copied across but yeah, 'I pressed extract logical and waited'.

bizzlyg

Yeah, I think anything more than this is definitely going into unreasonable territory

Her whole concern is that a defense attorney is going to tear me apart because we use Autopsy and there isn't a certification for it (that I've found at least). She is one of these people that believes that if you don't have a couple letters after your name and a piece of paper then nobody is going to believe you. I agree that it is a little overkill, but my orders are to do this for now to prove to them I'm not an idiot.

Hey guys, I’m sure lotta ppl ask this but forgive me if I sound like a broke. Record. What cert/course should I start with to get into forensics ? I have solid cyber foundation, cissp certified and MSc in cyber. Most of my experience is with FWs and networking.

@TheGhostHunter Welcome, head over to the training-education channel I think there should be resources for you there and ask this question.

wcso_pete

Her whole concern is that a defense attorney is going to tear me apart because we use Autopsy and there isn't a certification for it (that I've found at least). She is one of these people that believes that if you don't have a couple letters after your name and a piece of paper then nobody is going to believe you. I agree that it is a little overkill, but my orders are to do this for now to prove to them I'm not an idiot.

Autopsy do their own training, it was free during Covid but costs like $500 normally I think

9:35 AM

It’s not the “letters after your name” kind of training though

Matt

Autopsy do their own training, it was free during Covid but costs like $500 normally I think

If I recall the training is usually free for LE members. You get a cert upon completion.

@Deleted User I think your correct, and would be much easier than having to record 24/7

@wcso_pete Better yet, tell the States Attorney you will record yourself doing the job if she does the same

3

wcso_pete

Her whole concern is that a defense attorney is going to tear me apart because we use Autopsy and there isn't a certification for it (that I've found at least). She is one of these people that believes that if you don't have a couple letters after your name and a piece of paper then nobody is going to believe you. I agree that it is a little overkill, but my orders are to do this for now to prove to them I'm not an idiot.

The IACIS BCFE class has a scholarship every year for a LEO to attend their training in Orlando. They have the application online.

Hi guys, We are in the process of moving into another building and therefore we have the chance to build up our digital forensics lab from scratch. We are currently discussing options of how to control electrostatic discharge in our lab. What are you guys using in your lab? A simple ESD mat for desks and wrist straps or do you guys have a more advanced setup with ESD floor matting, grounding stations, body ESD tester, earth bonding point bars, etc.

Unoriginal_name

The IACIS BCFE class has a scholarship every year for a LEO to attend their training in Orlando. They have the application online.

I'll definitely look into this. Thanks! I'm waiting to find out if I got into the NCFI BCERT course in October, but I've heard from some of my federal friends that the training centers are closing down again.

goofycom

Hi guys, We are in the process of moving into another building and therefore we have the chance to build up our digital forensics lab from scratch. We are currently discussing options of how to control electrostatic discharge in our lab. What are you guys using in your lab? A simple ESD mat for desks and wrist straps or do you guys have a more advanced setup with ESD floor matting, grounding stations, body ESD tester, earth bonding point bars, etc.

there's likely to be a ton of hardware options out there, overall's / tools / gloves etc but those would depend on the level of how safe do you need to be (do you regularly have drives and circuit boards in bits, or exposed on a bench top. Do folks need to walk between benches a lot and so forth (heel straps & ESD flooring))?. one thing oft overlooked is that of staff training and accountability: the kit is next to worthless without proper handling procedure and a means to verify your straps/PPE at a local ESD test station and stamping your QC/QA book.

5:58 AM

you might also want to check the plugging in/out of USB devices. they have their own set of issues if not protected, ESD wise.

6:01 AM

on a comical note, my previous work was in a MilSpec lab designing/building/testing radar warning receivers / filters / and the like. The QA guy, a friend, told me the single biggest contribution to ESD safety in the firm was me having my hair cut (think Brian May in his HeyDay) having measured several thousand volts on me noggin

1

Can someone refer to me free software that can unlock android devices. The only ones i have found are either not commercial or overpriced or they only work with USB Debugging on

Free software that does what you’re asking doesn’t exist.

10

goofycom

Hi guys, We are in the process of moving into another building and therefore we have the chance to build up our digital forensics lab from scratch. We are currently discussing options of how to control electrostatic discharge in our lab. What are you guys using in your lab? A simple ESD mat for desks and wrist straps or do you guys have a more advanced setup with ESD floor matting, grounding stations, body ESD tester, earth bonding point bars, etc.

At a previous job we used ESD mats with grounding stations, our examinations were mostly limited to retrieving hard drives from desktops/laptops. What are your use cases?

Fierry

At a previous job we used ESD mats with grounding stations, our examinations were mostly limited to retrieving hard drives from desktops/laptops. What are your use cases?

Thanks @Fierry. We have a similar use case. We are mainly disassemble hard drives from laptop / desktop pc and do JTAGing on various types of smart devices (IoT). We do use ESD mats. Now we consider to invest more in ESD material. On the other hand, we've had almost zero incidents the last 10 years.

Digitalferret

you might also want to check the plugging in/out of USB devices. they have their own set of issues if not protected, ESD wise.

Thanks @Digitalferret. We do have disassemble parts of laptop / desktop pc lying around on benches and the working tables are shared tables. So there is a bit of walking between tables. But as you said, it should be easy enough that people can follow the procedures, otherwise it's worthless. We are just wondering if using ESD mats on tables is enough for our use case (disassembling HDDs from laptops / pc's) or if we should invest more equipment.

goofycom

Thanks @Digitalferret. We do have disassemble parts of laptop / desktop pc lying around on benches and the working tables are shared tables. So there is a bit of walking between tables. But as you said, it should be easy enough that people can follow the procedures, otherwise it's worthless. We are just wondering if using ESD mats on tables is enough for our use case (disassembling HDDs from laptops / pc's) or if we should invest more equipment.

Where your device travels between it being acquired, operated on and finally being discharged (groan) will have a bearing on the gear you require. it's my understanding that ESD damage can be small but cumulative; for instance the more a device (in production say, with many different stages) travels the greater the potential (sorry) for damage than if it's a one off job like your bench disassemble/repair/reassemble. the other part of training is rudimentary ESD education such as labels and what they mean and best practices; where to use what and how. For instance, knowing the difference between dissipative or conductive materials and where to apply each? Again, the stages of travel may determine what you required better than a shotgun approach at purchase. from the description you gave, it sounds likely that there's little travel other than between one or two work stations if that. Maybe then start by making a diagram of your work cycle from start to finish and addressing each stage of reception/work/discharge whilst devices are in your care?

1

1:23 AM

even if it only travels a few feet across your work area, between benches say, the benches, the route, and the device should be protected or at least the risk identified and mitigated.

1

1:25 AM

also, are you looking at, or already have, ESD rated tools such as tweezers, drivers, soldering kit? gloves to prevent contamination (conductivity of fingerprints, oils, bench detritus and so on). (edited)

1

Hey guys, random question but does your main machines use the exfat file system?

lala1234

Hey guys, random question but does your main machines use the exfat file system?

If I use a Win box I would say its usually NTFS. I believe exfat is designed for flash drives.

In my experience exfat is slower than NTFS so I stick with NTFS whenever possible for everyday use.

Hello! Anyone know how I can modify the gui of autopsy like changing logo and nav style etc. ?

Deleted User

If I use a Win box I would say its usually NTFS. I believe exfat is designed for flash drives.

Thank you!

1

FullTang

In my experience exfat is slower than NTFS so I stick with NTFS whenever possible for everyday use.

Thank you!

1

Echo: Is there a way within Office 365 admin centre to review previous alias assignement? I have an email address that only seems to have ever been an alias. I can see its current assignment but is there a means to determine how long the alias has been in play and whether it was pointed elsewhere prior?

Is any mail auditing logging available? Inspecting previous mails could give you a clue

In the Microsoft 365 mailbox audit logs for MailItemsAccessed, message-id's are used to identify the e-mails. Beyond using messagetrace to identify the specific e-mail involved (limited to 90 days) or using something like Veaam backup for office365 (limited to searching for one message-id at a time).. is anyone aware of a way to quickly determine properties like the subject or the sender for a couple thousand message-ids?

lala1234

Hey guys, random question but does your main machines use the exfat file system?

I use exfat on large portable devices when they go between different OSs. Mac can't write to NTFS. I don't think you can boot off exfat either.

2:02 PM

on a side note I wish there was general acceptance of large format file systems. A FAT32 flash drive can be plugged into literally anything and work, but that caps out at 4GB per file. I can't say the same about any other file system.

@Cole the number of times I have had to field a "My thumbdrive is empty but it says I don't have enough room" phone call... I just want windows to fess up to what the error really is so that people aren't so confused.

Bryserker

In the Microsoft 365 mailbox audit logs for MailItemsAccessed, message-id's are used to identify the e-mails. Beyond using messagetrace to identify the specific e-mail involved (limited to 90 days) or using something like Veaam backup for office365 (limited to searching for one message-id at a time).. is anyone aware of a way to quickly determine properties like the subject or the sender for a couple thousand message-ids?

I haven't looked into this but I would write a query through edisco as a compliance search for the message IDs. It might not be obvious in the GUI do you'd have to do PowerShell queries. And you'd end up with a big list of the identified emails

whee30

@Cole the number of times I have had to field a "My thumbdrive is empty but it says I don't have enough room" phone call... I just want windows to fess up to what the error really is so that people aren't so confused.

If we are wishing for Windows fixes, how about file signature analysis instead of relying solely on the extension when determining how to open a file?

1

Anyone good at wireshark

FullTang

If we are wishing for Windows fixes, how about file signature analysis instead of relying solely on the extension when determining how to open a file?

Radical thinking there

1

John Ksi

Anyone good at wireshark

#network-forensics

FullTang

If we are wishing for Windows fixes, how about file signature analysis instead of relying solely on the extension when determining how to open a file?

But then I couldn't hide all my illegal files by changing the extension!

1

6:02 AM

Obviously the computer people won't be able to find it

whee30

@Cole the number of times I have had to field a "My thumbdrive is empty but it says I don't have enough room" phone call... I just want windows to fess up to what the error really is so that people aren't so confused.

ughh windows. Let's try to make a seamless experience by hiding all errors or other process output because our software never has any issues and if it does they can just call Microsoft to help them or look up an 0x code. Our users totally know that you have to convert the 0x hex code into decimal to actually find the problem.

Hello Everyone, Recently I found a unusual thing. I sent a message through Signal from a android device (OS-11) to an iPhone user, they already using Signal but the message delivered into the native imessage application not into the signal. I tested this on two iPhone 5S (OS-12.5.4) and X (OS-14.7.1). Once I opened the signal manually on iPhone the message is not there, it's still showing into the imessage application.

8:17 AM

Is there any probable cause for this unusual behavior or is there any bug in Signal or iOS

DeepDiveForensics

Is there any probable cause for this unusual behavior or is there any bug in Signal or iOS

I thought there was an option to send to sms when setting up signal, been a long time so maybe I forgot ...

Yes, that option is Avaliable for Android, you can set as default messaging application

I use to have a PDF and working sheet on the most common swipe patterns but have misplaced it. Does anybody have any recent content ?

Does anyone know if an older Google Pixel pattern lock will wipe if to many tries are attempted, right now i'm at 17 and its at 30 seconds each attempt, which is fine with me i can try the most popular ones but worried at say 20 or 30 it wipes ?

DCSO

I use to have a PDF and working sheet on the most common swipe patterns but have misplaced it. Does anybody have any recent content ?

Let me check the archives

1:20 PM

I will put it on GitHub if its not sensitive in any way

1:20 PM

@DCSO

Trickytricks__Common_Lock_Patterns_of_mobiles_phones_Screen_Lock.pdf

2.31 MB

1:21 PM

https://mytrickytricks.blogspot.com/2013/07/commonlockpattern.html?m=1

Common Lock Patterns of mobiles phones Screen Lock

Here are some Common Lock Pattern which people keep and believe that this will save their phones. But no it won't Compare your Pattern Lock with ones given here and check is your phone really Locked. With tips to select a proper more secure pattern for your mobile Click here and Read to know more

1:21 PM

1:24 PM

https://github.com/Digital-Forensics-Discord-Server/LawEnforcementResources/blob/main/CommonLockPatterns.jpg hosting here as a backup to the original host

LawEnforcementResources/CommonLockPatterns.jpg at main · Digital-Fo...

Resources provided by the community that can serve to be useful for Law Enforcement worldwide - LawEnforcementResources/CommonLockPatterns.jpg at main · Digital-Forensics-Discord-Server/LawEnforcem...

1:25 PM

Also, if that's not the one you're thinking of, I may have it laying around somewhere and I can look elsewhere, but that's at least a start, even if its from 7 years ago

1:26 PM

https://youtu.be/zD4ge-HPIGQ

RAONE

10 Most Common Pattern Locks

1:26 PM

https://arstechnica.com/information-technology/2015/08/new-data-uncovers-the-surprising-predictability-of-android-lock-patterns/

New data uncovers the surprising predictability of Android lock pat...

Like "p@$$w0rd" and "1234567" many Android patterns are easy to guess.

It's weird that this jpg doesn't have more variants of an L type (the short one, like 1478, 1236, 2369 etc) passcode. I found them used quite often in my area (edited)

https://github.com/ByteRockstar1996/All-Possible-Pattern-Locks

GitHub - ByteRockstar1996/All-Possible-Pattern-Locks: List of all p...

List of all pattern locks possible in numerical order. Also files containing pattern locks of certain length - GitHub - ByteRockstar1996/All-Possible-Pattern-Locks: List of all pattern locks possib...

@Andrew Rathbun Thanks Andrew this helps !

1

I will centralize when I have time on the #dfir-open-source-projects LE Resources repo but its here for now

@Andrew Rathbun I was hoping Cellebrite would put something together on what they harvest from extractions.

1

Does anyone have experience with Apple Airdrop? Our schools are getting airdropped with threats of a school shooting and I’m trying to locate the sending party. Any help or guidance would be appreciated!

DB

Does anyone have experience with Apple Airdrop? Our schools are getting airdropped with threats of a school shooting and I’m trying to locate the sending party. Any help or guidance would be appreciated!

I found this https://www.magnetforensics.com/resources/following-the-airdrop-breadcrumbs-with-axiom/ Specifically: Additionally AXIOM will provide the sender’s name and the device that initiated the transfer, which can be quite useful if you’re working to identify additional persons of interest for your investigation.

Following the AirDrop Breadcrumbs with AXIOM | Magnet Forensics

AXIOM will parse the unified log for entries surrounding the use of AirDrop, which can be reviewed on computer & mobile sources.

DCSO

@Andrew Rathbun I was hoping Cellebrite would put something together on what they harvest from extractions.

I love the idea, but how would cellebrite know? Gone are the days of gatekeeper where the pattern lock was stored in plain text numbers... Cellebrite never really interacts with pattern locks anymore... maybe info from when lockpick worked? If they don't ask for it, then how would they get the info? I've had relatively good luck with the lists that @Andrew Rathbun posted above so I default to them. I would love a more recent and authoritative voice though.

DB

Does anyone have experience with Apple Airdrop? Our schools are getting airdropped with threats of a school shooting and I’m trying to locate the sending party. Any help or guidance would be appreciated!

have dealt with that very specific issue, what I ended up doing was initiating and dumping unified logs. I was able to determine the airdrop name of the sending device but unless it

9:07 PM

s something specific like "whee30's iPhone", it wasn't super useful. I'm unaware if a paper to Apple could ID an Apple ID through the airdrop info provided by those logs

9:08 PM

https://www.mac4n6.com/blog/2018/12/3/airdrop-analysis-of-the-udp-unsolicited-dick-pic

AirDrop Analysis of the UDP (Unsolicited Dick Pic) — mac4n6.com

I saw this article “ NYC plans to make AirDropping dick pics a crime ” on Friday and it got me thinking. What exactly are the cops going to find if they do an analysis of a device, either the sender or the receiver? I’ve already done my fair share of analysis when it comes to the Conti

9:09 PM

I used this blog post as a how-to on taking a look. It may not be perfect, but it's a start. The logs you generate this way are pretty massive.

9:09 PM

I hope it helps, it was ultimately a dead end for me but I still learned something along the way

Hey guys, for the life of me I don't remember where I came across the resource but, there was something (I think it was open source) that allowed an investigator to take a video and break it into its individual frames for analysis, to allow the investigator to search in each frame for items, wording, faces. Does anyone know what I am talking about, or is this something that I totally imagined?

Thanks for the info. I received the same article earlier today from a USSS contact. I’ll try looking into the sysdiagnose log of a receiving phone.

AccessInvestigations

Hey guys, for the life of me I don't remember where I came across the resource but, there was something (I think it was open source) that allowed an investigator to take a video and break it into its individual frames for analysis, to allow the investigator to search in each frame for items, wording, faces. Does anyone know what I am talking about, or is this something that I totally imagined?

Tsurugi Linux ships with several OCR tools that can do most of this for you https://tsurugi-linux.org/

Tsurugi Linux | Digital Forensics, Osint and malware analysis Linux...

Welcome to TSURUGI Linux world a DFIR open source distribution to perform your digital forensics analysis and for educational pourposes

DB

Does anyone have experience with Apple Airdrop? Our schools are getting airdropped with threats of a school shooting and I’m trying to locate the sending party. Any help or guidance would be appreciated!

Running Wigle on an Android device in the area might produce a result in regards to location. Inconspicuous as well because it’s running off a smart phone. Option 2 could be Kismet on a laptop with an external WiFi antennae for range. https://wigle.net/ https://www.kismetwireless.net/

WiGLE: Wireless Network Mapping

Maps and database of 802.11 wireless networks, with statistics, submitted by wardrivers, netstumblers, and net huggers.

Kismet

The home of the Kismet wireless sniffer and related projects and documentation.

AccessInvestigations

Hey guys, for the life of me I don't remember where I came across the resource but, there was something (I think it was open source) that allowed an investigator to take a video and break it into its individual frames for analysis, to allow the investigator to search in each frame for items, wording, faces. Does anyone know what I am talking about, or is this something that I totally imagined?

You can use ffmpeg for this

2

9:42 PM

Sidebar if someone wants to automate the collection of the matrix 4 teaser trailers from the internet over a 24 hour period, strip out each frame, deduplicate and recompile into a single video that'd be appreciated :)

2

randomaccess

You can use ffmpeg for this

You know the more I think about this, I am now thinking it was a DF vendor or maybe a whitepaper that was discussing the ability to dissect videos into frames for the software to analyze each frame for exploitation, so an investigator didn't have to spend hours watching videos that may not even be relevant. This obviously would not be an open source tool. I just can't remember where I read or saw that. It gets harder everyday to even remember my name LOL

Hello! Can anyone tell me either all iphone versions 3g to 12 have same architecture and file system or not? My team is working on iOS forensics and want to test our autopsy modules on real phones but we don't know if they will work on every iphone or if there is some difference in the file system.

ssaadakhtarr

Hello! Can anyone tell me either all iphone versions 3g to 12 have same architecture and file system or not? My team is working on iOS forensics and want to test our autopsy modules on real phones but we don't know if they will work on every iphone or if there is some difference in the file system.

maybe #mobile-forensic-decoding #mobile-forensic-extractions

heya, does anyone know if its possible to include the file system view in axiom portable cases? thanks

@whee30 Good points, I wasn't sure if Cellebrite Premium service would catalog the swipe pattern etc.

Harry

heya, does anyone know if its possible to include the file system view in axiom portable cases? thanks

not sure if/when they pop in, but chance pinging @Magnet Forensics

1

@AccessInvestigations I second FFMPEG open source, tons of You Tube videos out there

1

Hello, I've got a bit of an odd question. I've been doing some benchmarking for file recovery. This particular image is of a FAT32 formatted thumb drive. I have deleted a file, whose metadata is still present, and no clusters have been overwritten. I can recover the file without carving using encase or xways, however using autopsy/TSK it seems that only the first cluster is recovered. Is TSK not trying to recover the file based off its size and first cluster?

10:11 AM

My exact command was :

10:11 AM

icat -f fat -r DISK.dd 7

10:12 AM

Or am I using the tool the wrong way?

10:12 AM

(which is most certainly the case)

Harry

heya, does anyone know if its possible to include the file system view in axiom portable cases? thanks

From experience we always found it was a licence only thing

Grenadine

Or am I using the tool the wrong way?

What does 'stat' show for that same directory entry? Under sectors...

1:44 PM

'istat' I mean

only one is visible, which is expected

1:44 PM

I read the source code and it seems that if the fat parser deems the clusters unfit for recovery it just returns the first cluster

1:45 PM

So my guess is my image hits one of those checks, I'll investigate further tomorrow (edited)

Okay...you have piqued my curiosity, so if you find anything, let us know!

Will do

Harry

heya, does anyone know if its possible to include the file system view in axiom portable cases? thanks

Need a license for that

Ah that’s a shame - cheers all

Digitalferret

not sure if/when they pop in, but chance pinging @Magnet Forensics

@Harry No their are only select views available in Portable case and by nature File System view is not one of the as portable cases are no longer connected to the evidence files and run instead off of the Database. And thanks for the callout @Digitalferret (edited)

Grenadine

Hello, I've got a bit of an odd question. I've been doing some benchmarking for file recovery. This particular image is of a FAT32 formatted thumb drive. I have deleted a file, whose metadata is still present, and no clusters have been overwritten. I can recover the file without carving using encase or xways, however using autopsy/TSK it seems that only the first cluster is recovered. Is TSK not trying to recover the file based off its size and first cluster?

@Grenadine There are 6 items in a FAT 32 Directory entry. (1. Created , 2. Accessed, and 3. Written dates and times, 4. Logical size, 5. starting cluster, and 6. filename). The FAT Table only tracks allocation and fragmentation of the files and clusters that data is laid down on. I believe EnCase and XWays uses the starting cluster from the Directory entry if it has not been overwritten and calculates the number of cluster it would take to recover based on the number of bytes per cluster on the drive geometry set forth in the Volume Boot Record. There is a problem that once the FAT Table entry is deleted for a file in a FAT file system Volume it is a guessing game as their is no map to put the file back together. Because Encase and Xways reads the directory entry for the file and knows it is 6 clusters long and its starting cluster it "hypothesizes" the starting cluster laid out in the deleted, but not over written, 32 byte directory entry as well as the following 5 contiguous clusters are the ones to make up the file. If however the file is fragmented or was prior to deletion this is where the hypothesis can go wrong and the recovery not be accurate. I believe Autopsy does not try to hypothesize and instead lets you see the first cluster. In the same scenario using EnCase or Xways imagine the starting cluster is being reused by another file but the directory entry has not yet been overwritten you will get the Ghostbuster symbol and it will state deleted and overwritten in the status of the file. I really hope I did not take you further down the rabbit hole and will glad speak to you on the phone if you like.

4

Jamey

@Grenadine There are 6 items in a FAT 32 Directory entry. (1. Created , 2. Accessed, and 3. Written dates and times, 4. Logical size, 5. starting cluster, and 6. filename). The FAT Table only tracks allocation and fragmentation of the files and clusters that data is laid down on. I believe EnCase and XWays uses the starting cluster from the Directory entry if it has not been overwritten and calculates the number of cluster it would take to recover based on the number of bytes per cluster on the drive geometry set forth in the Volume Boot Record. There is a problem that once the FAT Table entry is deleted for a file in a FAT file system Volume it is a guessing game as their is no map to put the file back together. Because Encase and Xways reads the directory entry for the file and knows it is 6 clusters long and its starting cluster it "hypothesizes" the starting cluster laid out in the deleted, but not over written, 32 byte directory entry as well as the following 5 contiguous clusters are the ones to make up the file. If however the file is fragmented or was prior to deletion this is where the hypothesis can go wrong and the recovery not be accurate. I believe Autopsy does not try to hypothesize and instead lets you see the first cluster. In the same scenario using EnCase or Xways imagine the starting cluster is being reused by another file but the directory entry has not yet been overwritten you will get the Ghostbuster symbol and it will state deleted and overwritten in the status of the file. I really hope I did not take you further down the rabbit hole and will glad speak to you on the phone if you like.

I know this wasn't my question but this made perfect since to me. Thanks for the explanation!

1

Anyone in the UK know of a company that manages ISO 17025? So for example we pay a company to look after our networks and computers, we are potentially looking to find a company to assist with our ISO 17025 accreditation instead of employing an in-house Quality Manager.

Majeeko

Anyone in the UK know of a company that manages ISO 17025? So for example we pay a company to look after our networks and computers, we are potentially looking to find a company to assist with our ISO 17025 accreditation instead of employing an in-house Quality Manager.

I know Intaforensics offered consultancy services for 17025 but not a complete management afaik. You could give them a shout still though

If you are involved in DFIR in any way and haven't read Kim Zetter's recent Substack article, please do so now - https://zetter.substack.com/p/hacking-team-customer-in-turkey-was

Hacking Team Customer in Turkey Was Arrested for Spying on Police C...

An investigation that weaves a winding tale between police in Ankara who were charged with spying on their own colleagues... and the purchase of Hacking Team's surveillance software.

2

6:00 AM

In terms of electronic evidence tampering involving the misuse of offensive technologies (particularly those provided exclusively to government users), the canary in the coal mine has long since died. Kim's article exposes some of that to the general public.

Majeeko

Anyone in the UK know of a company that manages ISO 17025? So for example we pay a company to look after our networks and computers, we are potentially looking to find a company to assist with our ISO 17025 accreditation instead of employing an in-house Quality Manager.

The amount of work you need to achieve accreditation is not really something you can outsource. For it to work properly, there has to be internal investment from your team. You might be able to get advisors as Bizzly suggested, but I highly doubt you will be able to fully outsource this. You will also need more than one post, a QM alone is not going to cut it

AccessInvestigations

You know the more I think about this, I am now thinking it was a DF vendor or maybe a whitepaper that was discussing the ability to dissect videos into frames for the software to analyze each frame for exploitation, so an investigator didn't have to spend hours watching videos that may not even be relevant. This obviously would not be an open source tool. I just can't remember where I read or saw that. It gets harder everyday to even remember my name LOL

Input Ace may be what your thinking of

Jamey

@Grenadine There are 6 items in a FAT 32 Directory entry. (1. Created , 2. Accessed, and 3. Written dates and times, 4. Logical size, 5. starting cluster, and 6. filename). The FAT Table only tracks allocation and fragmentation of the files and clusters that data is laid down on. I believe EnCase and XWays uses the starting cluster from the Directory entry if it has not been overwritten and calculates the number of cluster it would take to recover based on the number of bytes per cluster on the drive geometry set forth in the Volume Boot Record. There is a problem that once the FAT Table entry is deleted for a file in a FAT file system Volume it is a guessing game as their is no map to put the file back together. Because Encase and Xways reads the directory entry for the file and knows it is 6 clusters long and its starting cluster it "hypothesizes" the starting cluster laid out in the deleted, but not over written, 32 byte directory entry as well as the following 5 contiguous clusters are the ones to make up the file. If however the file is fragmented or was prior to deletion this is where the hypothesis can go wrong and the recovery not be accurate. I believe Autopsy does not try to hypothesize and instead lets you see the first cluster. In the same scenario using EnCase or Xways imagine the starting cluster is being reused by another file but the directory entry has not yet been overwritten you will get the Ghostbuster symbol and it will state deleted and overwritten in the status of the file. I really hope I did not take you further down the rabbit hole and will glad speak to you on the phone if you like.

The ghostbuster symbol LMAO!! Just a couple days ago my colleagues and I were trying to figure out what that symbol was actually called.

1

Has anyone built autopsy from source? I need some help

Have you looked at the CI build file? https://github.com/sleuthkit/autopsy/blob/develop/appveyor.yml

autopsy/appveyor.yml at develop · sleuthkit/autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to invest...

Matt

Have you looked at the CI build file? https://github.com/sleuthkit/autopsy/blob/develop/appveyor.yml

I have followed BUILDING.txt file but on step 5 when I'm building autopsy by running 'ant' command it shows build failed error

2:57 AM

I am getting this error

Looks like you’re missing some dependencies somehow

Matt

Looks like you’re missing some dependencies somehow

How to check which ones I am missing?

Matt

Have you looked at the CI build file? https://github.com/sleuthkit/autopsy/blob/develop/appveyor.yml

I’m not sure, try following the steps in this file

ssaadakhtarr

I am getting this error

From the errors it looks like Java is required but isn't installed

7:53 AM

Also why build from source on windows? They release a installer file no?

7:54 AM

https://github.com/sleuthkit/autopsy/releases/tag/autopsy-4.19.1

Release Autopsy 4.19.1 · sleuthkit/autopsy

Bug Fixes: Fixed connection leak associated with creating OS Accounts Decreased priority of OS Account Content Viewer Misc bound check fixes in TSK

ryd3v

From the errors it looks like Java is required but isn't installed

I have the required java version installed but still getting this error

ryd3v

Also why build from source on windows? They release a installer file no?

Actually I am trying to change the ui and develop changes in the autopsy source code thats why I am building it

ah I see ok

8:54 AM

well your erros say your missing 2 modules, so track those down and it should be good to go

The above errors got resolved and autopsy build was successful but when I'm running 'ant run' command it loads autopsy but then the terminal says build successful and closes the ui

3:49 AM

ssaadakhtarr

Click to see attachment 🖼️

It shows this loading screen then it disappears. Anyone know about this issue?

ssaadakhtarr

It shows this loading screen then it disappears. Anyone know about this issue?

I was going to suggest the Sleuthkit forums, but I see you've already posted there. Are you sure you have all the plugin requirements installed? I've never installed Autopsy on Windows, by the error you're seeing seems to indicate a plugin issue.

5cary

I was going to suggest the Sleuthkit forums, but I see you've already posted there. Are you sure you have all the plugin requirements installed? I've never installed Autopsy on Windows, by the error you're seeing seems to indicate a plugin issue.

I guess I'll try to redo all the steps maybe I have missed something.

AccessInvestigations

Hey guys, for the life of me I don't remember where I came across the resource but, there was something (I think it was open source) that allowed an investigator to take a video and break it into its individual frames for analysis, to allow the investigator to search in each frame for items, wording, faces. Does anyone know what I am talking about, or is this something that I totally imagined?

Our LASERi-X tool can do just that but it’s a paid for application. Face, scene, object, age, CSAM, OCR, ANPR, emotion, blurred detection, QR can all be run against frames or images.

https://www.businesswire.com/news/home/20210913005606/en/Magnet-Forensics-Acquires-DME-Forensics-a-Leading-Video-and-Multimedia-Evidence-Solution-Company

Magnet Forensics Acquires DME Forensics, a Leading Video and Multim...

Magnet Forensics Inc. (“Magnet Forensics”) (TSX:MAGT) a developer of digital investigation software used globally by public safety organizations and e

1

3:00 PM

Wow, so Magnet owns DVR Examiner now

Andrew Rathbun

Wow, so Magnet owns DVR Examiner now

I saw this earlier. It will be interesting to see how/if they integrate directly into Axiom.

If I'm looking to get data recovered off an SSD, and want to go to a local place, what kind of places should i look for? keep in mind that I want to find someplace that's local that I can walk into, since the issue im having seems to be related to the ssd failing to communicate properly with whatever system i put it into rather than with the data itself (see https://discord.com/channels/427876741990711298/528318849565589505/886975461891137546) im in australia if it helps to know (edited)

which part of australia @Waruta

4:30 PM

We've used OnTrack in the past

melbourne

unsure if they have a melbourne presence (edited)

im currently looking at technetics https://www.techneticsdata.com.au/ (edited)

technetics

Data Recovery Melbourne - Fast & Reliable Data Rescue Services

Technetics Data Recovery specialises in providing data recovery services. Our expert team performs a wide range of recovery services for a variety of different clients. For professional data recovery Melbourne based & nation-wide services, browse our website or contact us directly and we will be ready to assist you.

Does anyone happen to have a contact at Microsoft that could help recover a compromised Microsoft O365 admin account? I've been getting the run around from the support rep who has been handling the case. I've gotten so far as to validate the domain but Microsoft has still refused to give access back.

Waruta

im currently looking at technetics https://www.techneticsdata.com.au/ (edited)

if you haven't sent already, I've check and filtered a few responses in HDDguru's forum for you. This seems to be the best recent. http://www.elcotronics.com.au/contact.html from http://forum.hddguru.com/viewtopic.php?f=3&t=40251&hilit=australia

2:20 AM

I have known Haque (online) for some years, and he's relatively BS free, compared to some of the usual suspects in there

(edited)

Digitalferret

if you haven't sent already, I've check and filtered a few responses in HDDguru's forum for you. This seems to be the best recent. http://www.elcotronics.com.au/contact.html from http://forum.hddguru.com/viewtopic.php?f=3&t=40251&hilit=australia

i probably should've mentioned im in melbourne as well i couldn't find any good places within distance to drop it off physically, but i did find ozdatarecovery which quotes $150

2:31 AM

i'll try the methods in #data-recovery first since i can only mail the drive tomorrow

Any advice on what professional associations are worth joining? Especially if any offer any extra training/education resources? Looking to join a couple and any info would be greatly appreciated! Been thinking about HTCIA

@Andrew Rathbun I love DME DVR Examiner, they moved to a pay system that tripled in price and a yearly license that shut off after expiring. This prevented us from getting it as $1,500 a year was to much for 2-3 DVR's that we get.

DCSO

@Andrew Rathbun I love DME DVR Examiner, they moved to a pay system that tripled in price and a yearly license that shut off after expiring. This prevented us from getting it as $1,500 a year was to much for 2-3 DVR's that we get.

I really like the monthly purchase @Arsenal Recon does for use cases like that

@Andrew Rathbun I'll take a look, I know there was a pay per use for DVR Examiner but i think it was up to $750 a case.

DCSO

@Andrew Rathbun I'll take a look, I know there was a pay per use for DVR Examiner but i think it was up to $750 a case.

they just got purchased by Magnet - not sure how that may alter things

Hallo! Not sure in which channel this would best fit, so let me do it here in general. Is anyone aware of a way to extract data from a partial 7z archive? So in the scenario of downloading a 1GB 7z archive, download fails at 500MB, which leaves you with a 500MB archive.7z.part file. So far, none of the standard archive tools I've tried can do anything with the file.

jaco

Hallo! Not sure in which channel this would best fit, so let me do it here in general. Is anyone aware of a way to extract data from a partial 7z archive? So in the scenario of downloading a 1GB 7z archive, download fails at 500MB, which leaves you with a 500MB archive.7z.part file. So far, none of the standard archive tools I've tried can do anything with the file.

you could have a look at https://7-zip.org/recover.html see if any of the methods there suit your case. i'd save the original tho and work on a copy; always protect the source.

2:09 AM

involves some hex editor work. maybe give the generic "we can fix your file" programs a miss, some are wildly optimistic

Digitalferret

involves some hex editor work. maybe give the generic "we can fix your file" programs a miss, some are wildly optimistic

What do you do to your links to make them un-clickable? I have to copy and paste them into my browser to follow them. Is it a security thing?

He uses ` around them to mark them as block

3:08 AM

`URL GOES HERE` (edited)

jaco

Hallo! Not sure in which channel this would best fit, so let me do it here in general. Is anyone aware of a way to extract data from a partial 7z archive? So in the scenario of downloading a 1GB 7z archive, download fails at 500MB, which leaves you with a 500MB archive.7z.part file. So far, none of the standard archive tools I've tried can do anything with the file.

any reason you cant just redownload it

Good morning, does anyone happen to know where I can find the verification hashes once Axiom is finished processing a piece of evidence?

AmNe5iA

What do you do to your links to make them un-clickable? I have to copy and paste them into my browser to follow them. Is it a security thing?

it's a channel courtesy to prevent Discord fetching webpages & images which would clutter the chat, but allows members to copy and paste if interested. As Matt noted you enclose the text with the ` character (the Shifted-key under the Esc button). for multiple lines, such as formatted text / code etc you can use three strung together before and after. (edited)

Hello there, just wondering if there are any law enforcement officers from USA who are able to enlighten me on the US Court's rules in terms of admitting digital evidence, and if possible how the court views/opinions on the admissibility of performing live acquisition. And also, if there have been any instances whereby a foreign law enforcement agency officer has ever testified as an expert witness US court. Very much appreciated!

(edited)

Hi! I am trying to snag credentials from a locked Windows pc using P4wnP1 and Responder.py. But unfortunately it is not working. According to Google I think the problem is that there is no local-proxy-config in the DHCP config that sends a wpad.dat file to the victim machine. Now my question is, how do I add a wpad.dat file to the DHCP config in a P4wnP1 machine? The service is started with the command P4wnP1_cli net set server -i usbeth -a 172.16.0.1 -m 255.255.255.248 -o "3:" -o "6:" -r "172.16.0.2|172.16.0.2|5m", so it is not a normal DHCP config file.

Bushykai

Hello there, just wondering if there are any law enforcement officers from USA who are able to enlighten me on the US Court's rules in terms of admitting digital evidence, and if possible how the court views/opinions on the admissibility of performing live acquisition. And also, if there have been any instances whereby a foreign law enforcement agency officer has ever testified as an expert witness US court. Very much appreciated!

(edited)

These are important questions that require long answers. Trying to remember from my schooling on these topics to give specific examples. Depends on the state, but generally digital evidence doesn't follow the "Best Evidence" rule (for example, a photocopy of a document would not be considered "Best Evidence", however, the parties can agree that it is admissible and then it isn't an issue). If a party challenged digital evidence as being altered or non-original, then you might have to show exactly where that information resides on the original evidence, rather than a forensic image. Typically forensic images are accepted and it is the collection process that is under scrutiny. Non-traditional acquisition methods (like a live acquisition) can be accepted as accurate but you need to be able to explain what consequences and changes there are for doing so and also why a "dead-box" acquisition wasn't performed. I don't have an answer for the foreign law enforcement testifying in US court but I'm sure its happened.

Cole

These are important questions that require long answers. Trying to remember from my schooling on these topics to give specific examples. Depends on the state, but generally digital evidence doesn't follow the "Best Evidence" rule (for example, a photocopy of a document would not be considered "Best Evidence", however, the parties can agree that it is admissible and then it isn't an issue). If a party challenged digital evidence as being altered or non-original, then you might have to show exactly where that information resides on the original evidence, rather than a forensic image. Typically forensic images are accepted and it is the collection process that is under scrutiny. Non-traditional acquisition methods (like a live acquisition) can be accepted as accurate but you need to be able to explain what consequences and changes there are for doing so and also why a "dead-box" acquisition wasn't performed. I don't have an answer for the foreign law enforcement testifying in US court but I'm sure its happened.

Thanks alot for your inputs!!

arnby.

Hi! I am trying to snag credentials from a locked Windows pc using P4wnP1 and Responder.py. But unfortunately it is not working. According to Google I think the problem is that there is no local-proxy-config in the DHCP config that sends a wpad.dat file to the victim machine. Now my question is, how do I add a wpad.dat file to the DHCP config in a P4wnP1 machine? The service is started with the command P4wnP1_cli net set server -i usbeth -a 172.16.0.1 -m 255.255.255.248 -o "3:" -o "6:" -r "172.16.0.2|172.16.0.2|5m", so it is not a normal DHCP config file.

Using the P4wnP1 lockpick? Microsoft patched it a while ago so it only works on older versions.

ughhhh Axiom crashed due to running out of RAM when it was 99% complete with processing after 30 hours (again). Is there any other way to prevent this other than throwing more RAM at it? I have 112GB of RAM installed right now.

(Admins please delete if not allowed) Our CactusCon Call for Papers is OPEN! We are Arizona's premiere (well, only) hacker/security conference! With 1.5k in-person attendance back in 2019 and even more in our digital-only 2020 conference, we're excited to return in February with a hybrid model! Cannot wait to see your blue-, purple-, red-, and other-related submissions!! https://www.cactuscon.com/cfp

CFP — CactusCon

Call for Papers

1

Digitalferret

it's a channel courtesy to prevent Discord fetching webpages & images which would clutter the chat, but allows members to copy and paste if interested. As Matt noted you enclose the text with the ` character (the Shifted-key under the Esc button). for multiple lines, such as formatted text / code etc you can use three strung together before and after. (edited)

you can use <example.com> to make the clickable without them embedding

1

4:41 PM

anyway, im looking at https://ozdatarecovery.com.au/ for a non-mission critical ssd data recovery, but couldn't find much info on them

Data Recovery Melbourne - OZ Data Recovery

Most affordable data recovery Service in Melbourne. At OZ Data Recovery Melbourne not only give free quotes but no data no charge option

4:41 PM

any thoughts?

4:42 PM

i've been on the phone with them and so far my only gripe is that they don't do full byte for byte copies, and only copy over the files that are deemed user files and not system/os files, to an ntfs or fat32 partition on another drive

4:43 PM

the drive in question was a raspbian boot drive for a Pi 4

@Waruta you're probably not going to find a) many Australians on here and b) many that have an opinion about the variety of data recovery shops in Melbourne. Sorry. Overall YMMV with data recovery shops. And I have no idea how to determine if they're going to do a good job. You may be able to ask them to do a full DD, or a full file system copy rather than them going through all of your file (they'll still go through all of your files either way...)

Deleted User

Using the P4wnP1 lockpick? Microsoft patched it a while ago so it only works on older versions.

No, I added Responder.py to the P4wnP1 and using that. I like the P4wnP1 system and want to use it as a base. If I can't get it working there are other options. Thing is dat Responder need that local-proxy-config and I can't find how to add that to the usbeth DCHP settings.

arnby.

No, I added Responder.py to the P4wnP1 and using that. I like the P4wnP1 system and want to use it as a base. If I can't get it working there are other options. Thing is dat Responder need that local-proxy-config and I can't find how to add that to the usbeth DCHP settings.

Tried editing the Master Template? (I assume you are using P4wnP1 A.L.O.A.) Should be able to add your wpad.dat file from there I reckon.

Waruta

i've been on the phone with them and so far my only gripe is that they don't do full byte for byte copies, and only copy over the files that are deemed user files and not system/os files, to an ntfs or fat32 partition on another drive

they don't do full byte for byte copies did they say why?

Digitalferret

they don't do full byte for byte copies did they say why?

from what i heard over the phone its because not every file or part of the filesystem is guarranteed to be intact

2:27 AM

it could also just a case of them not understanding im an advanced user

Morning everyone. Has anyone ever had any dealings with downloading/extracting data from OCULUS QUEST VR headsets? My questions are as follows: Is it even possible?/can you extract data from the headsets? What kind of data does the OCULUS store? If data can be extracted, what tools were used? What tool was used to decode the data? Any help would be appreciated.

Waruta

it could also just a case of them not understanding im an advanced user

yep, might be they see little value in collecting anything other than what they can directly access.

i kind of find it odd how that ssd failed anyway

2:42 AM

it's a datacentre one that's at 99% remaining life

blake-ee

Morning everyone. Has anyone ever had any dealings with downloading/extracting data from OCULUS QUEST VR headsets? My questions are as follows: Is it even possible?/can you extract data from the headsets? What kind of data does the OCULUS store? If data can be extracted, what tools were used? What tool was used to decode the data? Any help would be appreciated.

no idea but i'm intrigued as to what you guys are looking for. has "that sort of material" gone VR?

and it dies while being used as a boot drive for an rpi (edited)

2:43 AM

granted i did use it for plotting proof-of-space crypto before, but the drive should still built to handle heavy workloads like that

Waruta

and it dies while being used as a boot drive for an rpi (edited)

from the brief trawl i've seen on the forums, some are saying it was the OS that screwed things over. but there's a lot of clutching at straws, with no real hard evidence, nor any repeatable solutions. folks individual problem seems to be particular to themselves and not to others

never really heard of an os screwing up a drive that it won't even be recognised as a disk, firmware corruption maybe?

maybe. i still get "witchcraft" cases, a la "Any sufficiently advanced technology is indistinguishable from magic.”

(edited)

to be fair, i have had a few issues keeping the thermals down on that ssd while plotting, which could've shortened it's life

2:48 AM

it just seems a bit odd that it would die during a shutdown while hosting raspbian rather than plotting

it probably needs some sort of direct access, non-OS, to check its proper status.

2:49 AM

but

2:50 AM

in similar vein, Win can leave drives un-mountable elsewhere

i have had that issue before

2:51 AM

a thumbdrive that shows up as a usb-drive that's never ready on one system, while working flawlessly on another

2:52 AM

it shows up fine when i boot into linux and access it from the latter system, heck i can even boot from that thumbdrive into a live environment (edited)

if i recall right it's a windows hybrid shutdown issue on some. use Shift-Shutdown to force a full, not a hybrid

oh

else it's left as marked "Active"

well anyway, i've mailed the ssd to the recovery shop i mentioned earlier, along with an identical drive to copy the results to

2:54 AM

hopefully they can tell me what part of the drive died

2:55 AM

i did open it up before to see if there was maybe a piece of metal shorting out the pcb, but found nothing

2:55 AM

i noticed that the only thermal pad on the ssd was the one on what i assume to be the controller (edited)

the other thing to remember is that there are some wholly disreputable businesses out there. the good seem to be those that were "enthusiasts turned pro" and don't have a shark like business approach. the other end is run by "bean counters" and will do anything and everything based on client stats to extract the maximum possible amount for the minimum amount of work. they will bait with cheap offers and then sting with the real price and a "assessment fee" which inlines clients to drop into the sunk-cost fallacy. they also tend to be the most guarded when it comes to giving the client good info. Of course this is a huge generalisation. (edited)

3:07 AM

but there have been cases where reputable Co's have found sabotaged chips when clients have "taken it elsewhere, after a bad experience ie "if we aren't doing it for you, no-one else is" which is dispicable (edited)

Waruta

hopefully they can tell me what part of the drive died

let me know. you might get the "oh, the technician report doesn't say" if you're being dealt with by Reception / non-tech staff

3:09 AM

which is a coverall for "can't say or won't say"

Waruta

i did open it up before to see if there was maybe a piece of metal shorting out the pcb, but found nothing

i'm sure you know, but, don't ever do that with spinning disc type of drives. any evidence of "lid off" attracts a significant price increase. a reputable lab i use will add 100GBP if the lid has been off.

yeah i would never open up a hdd like that

3:11 AM

as for the reputability

3:12 AM

the data on there isn't valuable enough that i'm willing to look for another more expensive option

another, a client here, had "lid off" bc the local PC shop said it wasn't recoverable. he's an Engy (not DR) so took a look. it came to me wrapped in tin foil and was beyond anything (edited)

Waruta

the data on there isn't valuable enough that i'm willing to look for another more expensive option

yeh, it's always the balance

so i figured i'd take my chances with oz-dr. according to their website they're a team of 9 to 11 people

that sounds reasonable for a small/medium, but website claims can be what ...uuuh, optimistic

(edited)

we'll see i guess

3:14 AM

if it turns out to be a scam, then i guess i'll be the first one to leave a review for them

yeh

i'll paste the next, just for entertainment, in prv. i think "proper business" has been done in main chan, save clagging the place up

in addition to calling authorities i guess

lol, aye

Wondering if anyone uses a program to automatically hash files transferred to a server. I have a server which holds my evidence images but I am trying to streamline the process of having to hash them once they are onto the server. I am wondering if anyone is using a program which will hash the files put onto a specific volume, folder, or server.

hey i have an audio file and i wanna check if it's edited is that possible ?

Player V

hey i have an audio file and i wanna check if it's edited is that possible ?

for free you could have a look at Audacity, otherwise there's the professional gear

Player V

hey i have an audio file and i wanna check if it's edited is that possible ?

Yes. Absolutely possible. Problem is that there aren’t any tools where you can put in a file and get a simple yes/no answer. Tools will will give results but interpreting them is another story…

3

then there's the examiners "interpretation" skills to consider

1

Brandon E

Yes. Absolutely possible. Problem is that there aren’t any tools where you can put in a file and get a simple yes/no answer. Tools will will give results but interpreting them is another story…

yea np wanna check if two audios are merged into one file

Player V

yea np wanna check if two audios are merged into one file

grab Audacity then maybe simulate your own to see what "merged" looks like

okk thx i'll check that

Ghosted

Wondering if anyone uses a program to automatically hash files transferred to a server. I have a server which holds my evidence images but I am trying to streamline the process of having to hash them once they are onto the server. I am wondering if anyone is using a program which will hash the files put onto a specific volume, folder, or server.

Have you considered TeraCopy?

Player V

yea np wanna check if two audios are merged into one file

When you say “merged” do you mean one file was inserted after another to make it seem as one? That is called a “butt-splice” if you want to search or read up on it. Can be detected. I would recommend starting with https://drive.google.com/file/d/1dcmOt-8Evyhf3E9iU_b1C4aNbANVsCcx/view?usp=drivesdk for some background.

2018-09-20 SWGDE Best Practices for Digital Audio Authentication_v1...

Brandon E

When you say “merged” do you mean one file was inserted after another to make it seem as one? That is called a “butt-splice” if you want to search or read up on it. Can be detected. I would recommend starting with https://drive.google.com/file/d/1dcmOt-8Evyhf3E9iU_b1C4aNbANVsCcx/view?usp=drivesdk for some background.

mean inserted in top of it like playing voice at the same time of playing another

Player V

mean inserted in top of it like playing voice at the same time of playing another

Ahh sorry that is something entirely different and would probably be more in lone with “device identification” in that doc. But at least I got to use the term “butt-splice” today…

4

Brandon E

Ahh sorry that is something entirely different and would probably be more in lone with “device identification” in that doc. But at least I got to use the term “butt-splice” today…

lol yep thx for helping anyway

3:23 PM

am saving this doc for future looks interesting

Hello to all, I am analyzing the internet data consumption in 2016 on an iphone 4s. I see that all these processes consume a lot of 2G/3G data. Do you know if these processes are related to Apple's services or if they are user actions? Thanks for your answers.

@DeeFIR 🇦🇺 going to check it out today. Thanks

Ghosted

Wondering if anyone uses a program to automatically hash files transferred to a server. I have a server which holds my evidence images but I am trying to streamline the process of having to hash them once they are onto the server. I am wondering if anyone is using a program which will hash the files put onto a specific volume, folder, or server.

RapicCRC

Teracopy would do it if you are copying to the server. It would chekc the source and then compare it to the destination file. You would have to manually click to save the final hash however.

1

Hello. If I’m asking in the wrong room, please redirect. I’m reading the Brian Carrier book and I see a lot of references to dd images, xxd and the mmls tool. I’d like to get some real data to look through and start to understand some of the file system layouts and Hex output. Is there somewhere I can get ‘fake’ dd images from to learn with ?

CloudyT

Hello. If I’m asking in the wrong room, please redirect. I’m reading the Brian Carrier book and I see a lot of references to dd images, xxd and the mmls tool. I’d like to get some real data to look through and start to understand some of the file system layouts and Hex output. Is there somewhere I can get ‘fake’ dd images from to learn with ?

https://aboutdfir.com/resources/tool-testing/

Ahh. I see. It looks like http://dftt.sourceforge.net/ would be closer to what I'm familiar with. I'm comfortable with the command line but new to this . Where would a beginner start ?

a "dd" image is really just a block by block copy

10:47 AM

are you more interested in windows, or linux systems?

10:49 AM

looking for CTF challenges is a good place to find some

Well. I'm trying to learn Win, Linux, and BSD.

10:49 AM

I'm studying the book and I'm on the BSD partition chapter now.

another option is to spin up small VMs and generate images from those

10:50 AM

virtualbox is free, microsoft offers free development VMs

I thought about the VM thing but I figured that would be too big on an image.

10:50 AM

I have virtual box and Proxmox

probably in the 30-40gb range is more than enough

10:51 AM

linux/bsd much less

Tell me more about the CTF challenges. I'm only familiar with them on the ethical hacking community.

they're not as common as the exploit/web categories for ctf events, but they're frequent enough that an event will offer volatile memory challenges, or disk images with a challenge to find x,y,z for the challenge

10:53 AM

and often there will be write-ups available from teams who competed, giving a path if you are stuck

Oooh. Cool.

10:54 AM

Volatile memory = RAM ?

https://ctftime.org/writeups searching can be a bit awkward, as a lot of other things get put in the forensics category at these events too

CTFtime.org / Writeups

Capture The Flag, CTF teams, CTF ratings, CTF archive, CTF writeups

10:54 AM

yep

10:54 AM

so using volatility or other tools

10:55 AM

https://cfreds.nist.gov/ this is actually new to me

10:55 AM

but might be what you want

Wow. There is a lot here. The book I'm reading seems dated. Is this the best way to learn ? Grab data, throw it in a VM and start digging around with tools ?

CloudyT

Wow. There is a lot here. The book I'm reading seems dated. Is this the best way to learn ? Grab data, throw it in a VM and start digging around with tools ?

@T.F. If you're referring to File System Forensic Analysis, it is a very dated book but still very relevant. The majority of the concepts still apply and once you get a grip on the way file systems allocate data and manage files you'll be well on your way to understanding file system analysis. Forensics as a whole is much more than that (application layer forensics is a whole 'nother beast). If you want to try the tools in Carrier's book (you mentioned mmls and xxd), I'd like to suggest giving the guide at https://linuxleo.com a try. It covers basic linux and Brian Carrier's Sleuthkit tools (as used in the book). There's also practical images for the hands on parts. (edited)

1

@5cary Thanks a lot. This all looks cool . I don't know where to start. hah

yeah experimenting, if you have a goal in mind it makes the motivation a bit easier which is where I like CTF stuff

@rayeh Thanks. It takes me a while to follow all of this little/big endian and Hex stuff but I'm just going to jump in.

CloudyT

@rayeh Thanks. It takes me a while to follow all of this little/big endian and Hex stuff but I'm just going to jump in.

if you haven't seen it already, take a look at cyberchef for a quick way to move between encodings/number systems

Quick question…….I’ve got a situation where a school monitored chrome book sent a notification to IT that a child attempted to search and goto an adult website during a known timeframe. The child says he clicked on an email that took him to a blocked website. He then exited and deleted the email. My dilemma, I’ve acquired a cloud acquisition of the Google account and downloaded the Google takeout request with no luck. I haven’t found evidence of the search history or the email. Am I missing something or would there be something of value on the chrome book itself? Thanks.

CloudyT

@rayeh Thanks. It takes me a while to follow all of this little/big endian and Hex stuff but I'm just going to jump in.

If you're just focusing on file systems then I wouldn't bother with getting a VM or test images. Create a VHD in windows disk manager, put some files and folders on it, mess around and then image it. That way you can play around with data you created

@randomaccess Ah, I see. Very good.

burgers_N_bytes

Quick question…….I’ve got a situation where a school monitored chrome book sent a notification to IT that a child attempted to search and goto an adult website during a known timeframe. The child says he clicked on an email that took him to a blocked website. He then exited and deleted the email. My dilemma, I’ve acquired a cloud acquisition of the Google account and downloaded the Google takeout request with no luck. I haven’t found evidence of the search history or the email. Am I missing something or would there be something of value on the chrome book itself? Thanks.

What kind of monitoring platform is the school using, and what kind of logs does it produce? Depends on how far you want to push it - you could always deploy your own chromebook, emulate the same setup, test both theories and see if the kid's story fits your data set

Monitoring platform is Bark. I’m not very familiar with it and I haven’t seen the supposed logs yet. Good idea with test setup, I’m not sure this case warrants it but it’s good to keep in mind.

Looks like everything through Bark is proxied somehow, so you could possibly generate or analyse some kind of timeline of activity.. but it depends on the granularity of the data they (Bark) can provide you with

Hello, I am trying to install SANS SIFT-CLI on an Ubuntu machine. I got stuck on the " Install cosign" step. I keep getting an error "The go.mod file for the module providing named packaged contains one or more replace directives" I have tried researching this and very few resources on cosign out there. Anyone successfully installed this and able to help? Thank you

Hello everyone, does anyone knows an web app security logging field standard ?

Has anyone used tokens extracted from a device to log into that account to bypass two-factor authentication? Asking for a LE friend who has a homicide victim's locked phone they they were able to extract data from but not unlock. They need to get access to the the victim's home security camera system.

FullTang

Has anyone used tokens extracted from a device to log into that account to bypass two-factor authentication? Asking for a LE friend who has a homicide victim's locked phone they they were able to extract data from but not unlock. They need to get access to the the victim's home security camera system.

Is the home security system cloud based or closed circuit? Was going to suggest SW if it's something like Ring.

Andrew Rathbun

Is the home security system cloud based or closed circuit? Was going to suggest SW if it's something like Ring.

It is cloud based and they are looking into that as well, but it is unknown how long that will take. If anyone has a good template for Blink that could be useful.

FullTang

It is cloud based and they are looking into that as well, but it is unknown how long that will take. If anyone has a good template for Blink that could be useful.

I don't have access to IACIS anymore but maybe someone who still does could check for anything historical. @IACIS Member @IACIS Staff Anything we can centralize on AboutDFIR or GitHub for future reference would be great, too. I'd love to be able to help out LE enough to where there's a place for this information when it's needed, especially for homicides and other heinous crimes.

11:31 AM

ahh it's an Amazon company, interesting

Ring is Amazon company as well

FullTang

Has anyone used tokens extracted from a device to log into that account to bypass two-factor authentication? Asking for a LE friend who has a homicide victim's locked phone they they were able to extract data from but not unlock. They need to get access to the the victim's home security camera system.

We do that, mind you don't always bypass the 2FA

Rob

We do that, mind you don't always bypass the 2FA

How do you do it?

I'd imagine the ask on the SW would be something to the effect of:

Any and all recordings during the timeframe specified at the residence with the service address of insert address here belonging to victim's name
This includes recordings and logs from all devices attached with the account belonging to victim's name including but not limited to : video recordings, sound recordings, motion detection event logs, video recording event logs, audio recording event logs, and other general security events within the residence

11:38 AM

Being a Ring customer for 5 years now, if I were to do a SW on my own Ring account for something like a homicide, I feel like this would cover all you'd need

11:39 AM

maybe a blurb to specify recordings from certain devices i.e., state types of devices Blink offers or what you know the household had in it (floodlight cam, stick up cam, etc)

Good verbiage, thanks for sharing.

FullTang

How do you do it?

We use UFED Cloud or Axiom. Sometimes 2FA require us to use the original exhibit to recieve the text or notification to allow access

1

oh I have door sensors with Ring. I'm sure door opening/closing events would be great to have too. Also, do they have a smart garage door opener? Or is that tied into Blink? Either way, video will be super hepful

1

Rob

We use UFED Cloud or Axiom. Sometimes 2FA require us to use the original exhibit to recieve the text or notification to allow access

Do you know of a free tool that will do that? It doesn’t need to be a forensically sound way to access the account, they just need access.

Not that I'm aware of sadly, a suggestion I'd say is since most home security services nowadays are cloud based. If you can find the credentials from your download, perhaps login using another computer and pray there's no 2FA

11:53 AM

Then see what you can access.

11:54 AM

The only concern I have, Ring doesn't save much unless the user has a premium account

11:55 AM

Not sure if this the same for yours.

Rob

Not that I'm aware of sadly, a suggestion I'd say is since most home security services nowadays are cloud based. If you can find the credentials from your download, perhaps login using another computer and pray there's no 2FA

Ok thanks for the heads up. Looks like a preservation request + SW is the way to go.

If you can find the PIN for the original exhibit, that's the route I'd take in your situation

11:56 AM

Otherwise I believe there's been some UFED have had some Ring parsing functions.

1

Possibly look into if Blink has a public API they could use to get data.

1

Anyone have any idea what the format of this string is eg "f18f21d2-43cf-47cd-84b9-848d1f2600da" ? I have seen it used as a UID in some places but not sure if it resolves or decodes into something else?

depending on an attorney's interpretation of the law in your local jursidiction, they might want a wiretap for cloud based video since audio can be recorded on some of those cameras. The issue came up a couple of years ago where they insisted on doing that here, haven't had it pop up don't know if they're still trying to navigate down that rabbit hole

How do I add tags to my profile? I'm an IACIS member and noticed some people have that tag

(not that it really matters!)

Ross Donnelly

How do I add tags to my profile? I'm an IACIS member and noticed some people have that tag

(not that it really matters!)

You do what you just did

added!

Andrew Rathbun

You do what you just did

added!

Cheers Andrew!

Deleted User

Anyone have any idea what the format of this string is eg "f18f21d2-43cf-47cd-84b9-848d1f2600da" ? I have seen it used as a UID in some places but not sure if it resolves or decodes into something else?

it looks like a microsoft guid. it is used as a record identifier which takes into account machine, date time etc https://docs.microsoft.com/en-us/dotnet/api/system.guid.tostring?view=net-5.0, https://devblogs.microsoft.com/oldnewthing/20080627-00/?p=21823 I thought it was not unique, there were exceptions in the past, but the article claims different.

Guid.ToString Method (System)

Returns a string representation of the value of this instance of the Guid structure.

Raymond Chen

GUIDs are globally unique, but substrings of GUIDs aren't

A customer needed to generate an 8-byte unique value, and their initial idea was to generate a GUID and throw away the second half, keeping the first eight bytes. They wanted to know if this was a good idea. No, it’s not a good idea.

SamJack

it looks like a microsoft guid. it is used as a record identifier which takes into account machine, date time etc https://docs.microsoft.com/en-us/dotnet/api/system.guid.tostring?view=net-5.0, https://devblogs.microsoft.com/oldnewthing/20080627-00/?p=21823 I thought it was not unique, there were exceptions in the past, but the article claims different.

Thanks I’ll have a look. In this case the UID I quoted is being used to ID an account in a Ponzi so it’s making me wonder.

@Deleted User it can be a GUID for any platform, it's just a structured piece of data used as an identifier. I recently received a gift card and the giftcard ID is in the same format.

DeeFIR 🇦🇺

@Deleted User it can be a GUID for any platform, it's just a structured piece of data used as an identifier. I recently received a gift card and the giftcard ID is in the same format.

Yeah I suspected as much, but was hoping there was something I could extract from it. Thanks!

Hey has anyone ever did analysis on ardamax key logging software?

Hey guys, is there anyway to extract a file found on MFT but is no longer on disk? Im using volatility!

Deleted User

Thanks I’ll have a look. In this case the UID I quoted is being used to ID an account in a Ponzi so it’s making me wonder.

I searched a little bit and seemingly in some cases you can extract info http://guid.one/guid

SamJack

I searched a little bit and seemingly in some cases you can extract info http://guid.one/guid

Excellent thank you! My research did not yield much but this is all helpful. Thanks community Salute

@Magnet Forensics Is it possible to change the Axiom Case Number? I made a typo and I don't want to reprocess days of evidence...

Cole

@Magnet Forensics Is it possible to change the Axiom Case Number? I made a typo and I don't want to reprocess days of evidence...

Edit the case information.xml file I believe.

6:14 AM

Will display the Case Number in there

6:14 AM

Also Case information.txt

6:15 AM

Make a copy first tho, before you do, but was the case with IEF that you could just edit the txt file and it'll update the actual case number.

I tried both of those (replacing all instances the number appeared) but it still shows the old one. I'm guessing I'd have to edit the case database file :/ but I don't want to touch that unless I have to.

Sad

6:40 AM

Not even sure if you can edit the mfdb file

I opened the case database (including the WAL and SHM) in DB Browser and I found case information in a couple places. First, under the case_info table under the case_number field. This probably changes the easily visible case number in axiom. I also found the case number under the table scan_attribute buried in a json value (once per entry). After writing changes, axiom successfully opened the new database and the values are now correct

1

Can anyone recommend a way to find out if the user uploaded any files from laptop to cloud drives or webmail solutions?

6:46 AM

This is just by looking at the laptop as there is no access to any proxy logs nor is there any DLP or any endpoint protection.

I'd also like to thank Magnet for making the database super easy to read and understand

indianadmin

Can anyone recommend a way to find out if the user uploaded any files from laptop to cloud drives or webmail solutions?

Could be a better solution, but one idea is to A, see if those files exist on the laptop, B, check web history over the times that the files were allegedly uploaded, and C, check internet connection/traffic at that time.

6:52 AM

If you can determine that the laptop has the files and the cloud platform was accessed at the time the files were uploaded, that gives you a lot of evidence. You'd still need other information from the subject or the cloud provider to make the conclusion solid.

Cole

Could be a better solution, but one idea is to A, see if those files exist on the laptop, B, check web history over the times that the files were allegedly uploaded, and C, check internet connection/traffic at that time.

I agree, but I only have access to the laptop and not to the cloud platform.

indianadmin

Can anyone recommend a way to find out if the user uploaded any files from laptop to cloud drives or webmail solutions?

Is it a drive, or an application like onedrive, google drive or box? Which OS?

SamJack

Is it a drive, or an application like onedrive, google drive or box? Which OS?

Laptop with Windows 10. No applications like google backup or box sync and drive are present.

@Magnet Forensics when I am trying to export out a report to html, or even a pdf. No matter what I do, they always fail. How can I find out the reason for this? The only thing it will export to successfully is the portable case. Any ideas?

The #DFRWSEU2022 CFP deadline is around the corner! Submit your paper before October 3rd! Details here: https://dfrws.org/conferences/dfrws-eu-2022/ #DFIR

Mark Scanlon

DFRWS EU 2022 - DFRWS

DFRWS EU 2021 will be held virtually 28th-31st March, 2022, with all of the content one would normally expect at DFRWS. CFP open through Oct 14, 2021.

MrMacca (Allan Mc)

@Magnet Forensics when I am trying to export out a report to html, or even a pdf. No matter what I do, they always fail. How can I find out the reason for this? The only thing it will export to successfully is the portable case. Any ideas?

How long is the path you're trying to export to? Try exporting to your desktop

8:37 AM

One of the logs should give you an error reason

I'll give it a try, cheers.

MrMacca (Allan Mc)

@Magnet Forensics when I am trying to export out a report to html, or even a pdf. No matter what I do, they always fail. How can I find out the reason for this? The only thing it will export to successfully is the portable case. Any ideas?

Sending DM now

MrMacca (Allan Mc)

@Magnet Forensics when I am trying to export out a report to html, or even a pdf. No matter what I do, they always fail. How can I find out the reason for this? The only thing it will export to successfully is the portable case. Any ideas?

If you have not already solved the problem please try to exclude the evidence in formation in your report and see if that solves it.

12:07 PM

Hey all, I'm a digital forensics student, and still pretty new to the field, trying to get some help with a school assignment involving FTK imager. It's pretty basic stuff I think, is there a specific channel I might ask for help in?

v3izy

Hey all, I'm a digital forensics student, and still pretty new to the field, trying to get some help with a school assignment involving FTK imager. It's pretty basic stuff I think, is there a specific channel I might ask for help in?

#computer-forensics would be a good starting point. Otherwise, you can post it here and people can redirect you.

Thanks!

Jamey

If you have not already solved the problem please try to exclude the evidence in formation in your report and see if that solves it.

Sadly the 2 recommendations did not work. I attempted to create a HTML report using the 43 tagged items. I had them all selected, right clicked and chose Create report. I also use the FILE > Create Report option and only chose the specific tags I wanted. Both times I deselected the Evidence overview. I also tried a different destination location. Which Logfile do I need to interrogate to see what might be causing the issue? Thanks in advance

I would suggest at this point to use the collect logs in the help menu and then send that to support@magnetforensics.com with a brief description of the issue so they know what they are looking for in the logs and they can get you squared away. This will open a formal trackable ticket and correspondence with you.

5:01 PM

@MrMacca (Allan Mc)

indianadmin

Laptop with Windows 10. No applications like google backup or box sync and drive are present.

This is not an answer, but it helped me to better understand better how data leakage can be detected. So perhaps it can help you. See https://cfreds-archive.nist.gov/data_leakage_case/data-leakage-case.html at the bottom you find questions and the answers give a hint what to check https://cfreds-archive.nist.gov/data_leakage_case/leakage-answers.pdf . Maybe this can also help to dig deeper in windows 10 activity timeline https://www.youtube.com/watch?v=-vsXFrOZOtc

BlackBag Technologies

Windows 10 Activity Timeline: An Investigator's Gold Mine

Has anyone come across AVG Photo Vault before? Since when were they encrypting and hiding media files?

Folks, what would you throw in a IR Playbook **Faremwork** doco? I've got one but that's more like a style guide doco.

Hello, Does anyone know how i can remove wind noise from ring doorbell audio to try and focus on voice

B74

Hello, Does anyone know how i can remove wind noise from ring doorbell audio to try and focus on voice

Could try something like Camtasia?

@B74 you could try to use rtx voice to do that, https://www.youtube.com/watch?v=KbWpOr_mg0o

Yak Almighty

RTX Voice on Adobe Premiere! Perfect Noise Reduction!

izotope rx 8

2

I could use help from any law enforcement official who can make an urgent data request to a site for an investigation. We need verifiable evidence of whether certain accounts share IP addresses. Apologies if this isn't the appropiate channel for this.

Randomware

I could use help from any law enforcement official who can make an urgent data request to a site for an investigation. We need verifiable evidence of whether certain accounts share IP addresses. Apologies if this isn't the appropiate channel for this.

You need to go through your local PD and provide information so they can properly follow through. This is purely a jurisdictional issue. No clue where you live but the police department that has jurisdiction (this is key) over where the crime occurred is the only entity that can handle this. If they are not tech savvy, then reach out to us and we'd be happy to help spoonfeed steps to take in order to fulfill the request, so long as probable cause exists (if you're in the USA, at least. I can't speak for other countries).

If they are not tech savvy

Yes, this is a considerable part of the problem. Also the legal process is making things way too slow.

8:39 PM

I'm from outside the U.S.

8:41 PM

I'll see what other options there are. Thank you.

B74

Hello, Does anyone know how i can remove wind noise from ring doorbell audio to try and focus on voice

You won’t be able to remove it but you might be able to reduce it in some cases. I would rather try EQ the voices and start around the 500hz mark bringing it up and down to find that sweet spot.

1

Randomware

I'm from outside the U.S.

You can ask your legal reps to make a request for the data. Or at least you could try get them to preserve the logs until the process to obtain them gets through

hello @Cellebrite ... can you give info, when will a new bssid database be put online?

1

We’re looking into options. The services that have previously helped us create that dataset have updated their policies and no longer provide the locations of individual BSSIDs.

thanks @CLB_iwhiffin for info ✌️

Is it possible to root a locked android phone? If yes then how?

That really depends on the type of phone, what phone are you working with?

Anyone use encase v8 here? How do I get a list of all the emails accessed

Robin Hood

That really depends on the type of phone, what phone are you working with?

Samsung A7 with android 8.0

3:36 AM

i am trying to bruteforce the passcode of android and when i tried to run it.. It shows the following error

3:37 AM

Anyone who have worked with this package

3:38 AM

please help!

this won't work, you need a phone with proper kernel that can switch your phone to act like as a hid device

3:40 AM

plus, samsung phone you're trying to bf will increase delays with each failed attempt to a point that makes this method pointless

What do you mean by proper kernel? Is not there on android devices

3:52 AM

U mean rooted phone?

A Nethunter phone (or any rooted Android with HID kernel support) - that's from the github that you took the script from

4:11 AM

https://github.com/pelya/android-keyboard-gadget

GitHub - pelya/android-keyboard-gadget: Convert your Android device...

Convert your Android device into USB keyboard/mouse, control your PC from your Android device remotely, including BIOS/bootloader. - GitHub - pelya/android-keyboard-gadget: Convert your Android dev...

Andrew Rathbun

You need to go through your local PD and provide information so they can properly follow through. This is purely a jurisdictional issue. No clue where you live but the police department that has jurisdiction (this is key) over where the crime occurred is the only entity that can handle this. If they are not tech savvy, then reach out to us and we'd be happy to help spoonfeed steps to take in order to fulfill the request, so long as probable cause exists (if you're in the USA, at least. I can't speak for other countries).

One detail's been bothering me. What entity should handle it, given that a crime was commited through a public internet platform by an anonymous account and we only know the location of the accusing victim? (in other words: if we don't yet have any verifiable way of proving where that specific crime occurred) Is it whichever police department has jurisdiction over where the platform is hosted?

3:34 PM

Or can the request be made by the police department that the victim resorted to?

Any local, state, or federal department that covers the victim's jurisdiction would need to take it in as there's no identifiers for where the suspect would be and issue a subpoena or w/e other legal authorization for that account. They can either try to work in conjunction with the local agency or make a referral to where the suspect resides if its out of their jurisdiction. Or it comes back to a foreign country that doesn't care and it's not a big enough crime to warrant a MLAT and you go

‍♂️ (edited)

4

1

Solec

Any local, state, or federal department that covers the victim's jurisdiction would need to take it in as there's no identifiers for where the suspect would be and issue a subpoena or w/e other legal authorization for that account. They can either try to work in conjunction with the local agency or make a referral to where the suspect resides if its out of their jurisdiction. Or it comes back to a foreign country that doesn't care and it's not a big enough crime to warrant a MLAT and you go

‍♂️ (edited)

This

️

Hello, I'm trying to access UFED Application via RDP but it's showing License not found. Any Idea @Cellebrite

DeepDiveForensics

Hello, I'm trying to access UFED Application via RDP but it's showing License not found. Any Idea @Cellebrite

DMing

Has anyone found a way to identify a spoofed number or where the number originated?

Hello, I hope that this is the right channel for this post. I’m looking for some guidance and/or mentor. I’m currently a patrol officer for a US LE agency. I’m wanting to shift directions in my career and work more in cyber security/digital forensics. I’m new to all of this but I am super eager to learn. I’m feeling a bit overwhelmed with all the available online training and different study pathways. If anyone has any insight on how/where I should focus my studies I would appreciate your thoughts.

RangerDude

Hello, I hope that this is the right channel for this post. I’m looking for some guidance and/or mentor. I’m currently a patrol officer for a US LE agency. I’m wanting to shift directions in my career and work more in cyber security/digital forensics. I’m new to all of this but I am super eager to learn. I’m feeling a bit overwhelmed with all the available online training and different study pathways. If anyone has any insight on how/where I should focus my studies I would appreciate your thoughts.

Start with the fundamentals like networking, learn some Operating Systems outside of Windows like OSX and Linux. That foundation is essential. Then worry about the tools and methodologies. You can’t go wrong if you run Kali Linux and complete a few of these tutorials: https://null-byte.wonderhowto.com/ you can always DM for further questions.

Null Byte — The aspiring white-hat hacker/security awareness playgr...

Null Byte is a white hat hacker world for anyone interested in hacking, science, networking, social engineering, security, pen-testing, getting root, zero days, etc.

@RangerDude welcome, try taking a peek in the #training-education-employment channel. @Andrew Rathbun and the crew have spent a lot of time filling it up with helpful information.

RangerDude

Hello, I hope that this is the right channel for this post. I’m looking for some guidance and/or mentor. I’m currently a patrol officer for a US LE agency. I’m wanting to shift directions in my career and work more in cyber security/digital forensics. I’m new to all of this but I am super eager to learn. I’m feeling a bit overwhelmed with all the available online training and different study pathways. If anyone has any insight on how/where I should focus my studies I would appreciate your thoughts.

You're welcome to DM me so we can get you on the right path. I used to be on patrol as well. Looking forward to talking to you soon.

RangerDude

Hello, I hope that this is the right channel for this post. I’m looking for some guidance and/or mentor. I’m currently a patrol officer for a US LE agency. I’m wanting to shift directions in my career and work more in cyber security/digital forensics. I’m new to all of this but I am super eager to learn. I’m feeling a bit overwhelmed with all the available online training and different study pathways. If anyone has any insight on how/where I should focus my studies I would appreciate your thoughts.

I would recommend starting with https://www.nw3c.org/. They are a good stepping stone into digital forensics and some of the Online Trainings certainly apply to a patrol officer even they don't want to transition into digital forensics. The "CI153 Searching Without a Warrant" has great info for everyone in law enforcement that I have yet to see in another online training, but maybe I am deprived

‍♂️

NW3C Home

The National White Collar Crime Center (NW3C) is a nationwide support system for the prevention, investigation and prosecution of economic and high-tech crime.

Deleted User

Start with the fundamentals like networking, learn some Operating Systems outside of Windows like OSX and Linux. That foundation is essential. Then worry about the tools and methodologies. You can’t go wrong if you run Kali Linux and complete a few of these tutorials: https://null-byte.wonderhowto.com/ you can always DM for further questions.

Thanks for that resource. I’ll check it out.

Solec

Any local, state, or federal department that covers the victim's jurisdiction would need to take it in as there's no identifiers for where the suspect would be and issue a subpoena or w/e other legal authorization for that account. They can either try to work in conjunction with the local agency or make a referral to where the suspect resides if its out of their jurisdiction. Or it comes back to a foreign country that doesn't care and it's not a big enough crime to warrant a MLAT and you go

‍♂️ (edited)

Thank you.

RangerDude

Hello, I hope that this is the right channel for this post. I’m looking for some guidance and/or mentor. I’m currently a patrol officer for a US LE agency. I’m wanting to shift directions in my career and work more in cyber security/digital forensics. I’m new to all of this but I am super eager to learn. I’m feeling a bit overwhelmed with all the available online training and different study pathways. If anyone has any insight on how/where I should focus my studies I would appreciate your thoughts.

Make friends with your local secret service office. They can send you to free training at the NCFI for everything to social media investigations to full-blown network intrusion investigations. It’s all free to you (including hotel/per diem/ equipment). Probably the best resource for state/local officers. Feel free to DM for further info or for “tips” to help get in.

1

Are there any best practices related to hunting for IOC's on a Windows system?

Fierry

Are there any best practices related to hunting for IOC's on a Windows system?

Sure, for IR? Run Loki against an image or Chainsaw over Events Logs. Also, RECmd has limited support for Threat Hunting artifacts - https://github.com/EricZimmerman/RECmd/blob/ce3edbcff61857b0851871741724627cfbaf5912/BatchExamples/Kroll_Batch.reb#L3016 (edited)

1

Loki was already on the list, REcmd wasn't. Thanks!

If you're running Loki against a mounted image, be sure to include --noprocscan so you're not scanning your live system's processes

7:12 AM

@cyb3rops thanks for the work on Loki, btw. Great tool

1

Andrew Rathbun

Sure, for IR? Run Loki against an image or Chainsaw over Events Logs. Also, RECmd has limited support for Threat Hunting artifacts - https://github.com/EricZimmerman/RECmd/blob/ce3edbcff61857b0851871741724627cfbaf5912/BatchExamples/Kroll_Batch.reb#L3016 (edited)

chainsaw look like an awesome tool is it integrated in kape as a module i just updated m modules and dont see it, seems like it would be a good addition

NibblesNBits

chainsaw look like an awesome tool is it integrated in kape as a module i just updated m modules and dont see it, seems like it would be a good addition

I added the Chainsaw Module within the past week or so. KAPE will never ship with any binaries outside of Eric's own for liability purposes. You need to download Chainsaw and place it into the .\KAPE\Modules\bin folder for the Module to run correctly (edited)

8:29 AM

Ping me if you have issues with it

8:29 AM

Output will be in .\KAPE\Modules\bin\chainsaw since Chainsaw doesn't support choosing output directory yet

Can anyone explain why when using KAPE via CLI, flush is not enabled by default, but when using gkape it is enabled by default? I've heard too many horror stories about people deleting files without meaning to only because it was enabled by default in the GUI. I'd honestly prefer (and I'm sure others would too) for it to be disabled both in CLI and GUI, but I'm not sure where to send a recommendation for that.

NetSecNinja

Can anyone explain why when using KAPE via CLI, flush is not enabled by default, but when using gkape it is enabled by default? I've heard too many horror stories about people deleting files without meaning to only because it was enabled by default in the GUI. I'd honestly prefer (and I'm sure others would too) for it to be disabled both in CLI and GUI, but I'm not sure where to send a recommendation for that.

https://github.com/EricZimmerman/KapeFiles/issues is where you bring up any grievances

Issues · EricZimmerman/KapeFiles

This repository serves as a place for community created Targets and Modules for use with KAPE. - Issues · EricZimmerman/KapeFiles

1

6:18 PM

Since this issue would involve a codebase modification, Eric will be the one to respond to this.

hello @Cellebrite short question: will the "USB2 Communication Cable" sent automatically to all customers? If you connect cable 170 on usb2-port on this sort of extraction, will it be possible without this cable? (edited)

2:06 AM

chrisforensic

hello @Cellebrite short question: will the "USB2 Communication Cable" sent automatically to all customers? If you connect cable 170 on usb2-port on this sort of extraction, will it be possible without this cable? (edited)

You can try Cable 170 alone but it could fail since our exploit works better with a USB 2.0 cable... I believe you can just use a standard male to female USB 2.0 extender cable. I highly doubt we will send one out to each customer...

thanks @CLB-dan.techcrime for fast answer, top

ESIM question for the group, I have a Note 20 Ultra 5G that I can not get into airplane mode without the pin code, we have removed the sim card and it was in a faraday back all the way to use until we got it into a ramsey box. Now what ? I can't keep the thing in there forever and we want to keep the device on for AFU extraction. I"m worried that removing the sim has not isolated the esim connection. Is there some thing on the screen to indicate it was using the esim over Sim card ?

Hey guys, I'm looking for help decoding a powershell string found in a windows server event log. Which channel should I go to with this request?

Welcome @Wrisk there's some resources from #incident-response which can be accessed from https://discord.com/channels/427876741990711298/440608301898530838/882606725025382421

Matt

Welcome @Wrisk there's some resources from #incident-response which can be accessed from https://discord.com/channels/427876741990711298/440608301898530838/882606725025382421

Thank you

Is anyone aware whether it's possible to enable SRUM (srudb.dat) on Windows server? I've noticed it is enabled by default in Windows Server 2022 now, which is great! But I've not been able to find a way to activate it for Win2K12R2.

@Bryserker I tried and failed

6:33 AM

I have seen it on David cowens test kitchen on server 2019 but it turns out it depended on the installation media used because a different installation didn't have it on

@randomaccess Thanks and yeah, that matches my findings so far. It appears the relevant .dll files (e.g. appsruprov.dll) aren't in the system32 folder. It's a shame because it's usually servers where I'd love to have the logging, haha.

Latest version of UFED4PC. IPhone X running iOS 14.7.1. Trying to complete a checkm8. Phone goes into DFU no problem and exploits and shows the checkm8 symbol. As soon as that completes, the phone reboots and checkm8 fails. Any ideas? Tried on two machines. Same results on each. (edited)

Trashboat667

Latest version of UFED4PC. IPhone X running iOS 14.7.1. Trying to complete a checkm8. Phone goes into DFU no problem and exploits and shows the checkm8 symbol. As soon as that completes, the phone reboots and checkm8 fails. Any ideas? Tried on two machines. Same results on each. (edited)

#mobile-forensic-extractions

@DCSO I have a very similar situation, just a slightly different model of phone. My current plan is to just carry my ramsey box to the office where it will be downloaded and try it through the shielded ports. Good luck, let us know how it turns out. I'm fairly confident mine has a wipe command waiting on it based on comments by the owner.

whee30

@DCSO I have a very similar situation, just a slightly different model of phone. My current plan is to just carry my ramsey box to the office where it will be downloaded and try it through the shielded ports. Good luck, let us know how it turns out. I'm fairly confident mine has a wipe command waiting on it based on comments by the owner.

Along the same lines, I keep a small faraday bag in my faraday cage so that I can keep a phone fully isolated at all times. I can put the phone into the bag for a short time to open the cage to add other phones, battery packs, transport faraday bags, remove faraday bags from phones delivered in faraday bags, etc. (edited)

hey i have a file called uboot.env

2:56 PM

and i have no idea

2:56 PM

what it is?

2:58 PM

anyone can tell any info about this file

https://bootlin.com/blog/mkenvimage-uboot-binary-env-generator/

Thomas Petazzoni

mkenvimage: a tool to generate a U-Boot environment binary image

mkenvimage: a new utility to generate a U-Boot environment image - Contributed by David Wagner from Bootlin.

2:59 PM

Google knows most things

yea i've looked into that

3:02 PM

but the file send seems encrypted or something like that

3:02 PM

it's actually a ctf challenge and they gave me three files

3:03 PM

an image file called u-boot.img

3:03 PM

and a zImage file

Are the others valid - can you boot it?

i have no idea how to boot it

Not sure, cursory google suggests they are all to do with a linux boot so probably need to get them on a removable media and find a linux machine

wdym by removable media ?

sd card / usb

oh yea

I mean I just googled uboot and zimage

yep that's what am trying to do rn

3:27 PM

and am lost lol

Have you ran the hash through VirusTotal or found a HybridAnalysis or JSB link for it? In the future, try not to upload random files here because we can't verify if it's malicious or not. Not that we suspect you're up to no good, and it's not that I don't trust you, but I don't trust anyone

Galaxy A70 Android 10. File System Qualcomm Live extraction. The device has Secure Folder installed but passcode unknown. I can see all sorts of databases relating to the Secure Folder, when it was created, what’s inside, I’ve got the images for the secure folder default apps. What I would like to know is if the folder root/data/Knox is totally empty (0 files 0kb) does this mean the Secure Folder has not been extracted?

@Law Enforcement [UK] or any other law enforcement. What is everyone doing about iOS 15 coming out? Any 5g Faraday bags out there? Or is it business as normal for everyone until a device is wiped? (edited)

@Player V looks like a part of firmware of some kind (based on linux with an kernel image and a boot wrapper?) Is the third file a squashfs? (edited)

pinball

Galaxy A70 Android 10. File System Qualcomm Live extraction. The device has Secure Folder installed but passcode unknown. I can see all sorts of databases relating to the Secure Folder, when it was created, what’s inside, I’ve got the images for the secure folder default apps. What I would like to know is if the folder root/data/Knox is totally empty (0 files 0kb) does this mean the Secure Folder has not been extracted?

◀️ maybe echo in #mobile-forensic-extractions

Andrew Rathbun

@cyb3rops thanks for the work on Loki, btw. Great tool

I wonder why you wouldn't use the free THOR Lite. LOKI is somehow unmaintained. (I only do bugfixes and brought it to Py3 a while ago) (edited)

cyb3rops

I wonder why you wouldn't use the free THOR Lite. LOKI is somehow unmaintained. (I only do bugfixes and brought it to Py3 a while ago) (edited)

I'll dive into Thor Lite then. I've only heard of it. Never actually used.

Thanks, just filled out the form

THOR Lite Overview Web Session : https://www.youtube.com/watch?v=C0absUumKlQ

Nextron Systems

THOR Lite Introduction and Demo

1

12:59 PM

I'll send you some Trial Vouchers for THOR via PM

1

Thanks Florian, I'll run it this week

If you're investigating a real incident, it'll help you more ... We'll release the current TechPreview v10.6 on Monday or Tuesday. Make sure to update the version that you download before scanning using the "thor-util" command line tool.

1:05 PM

The new v10.6 features a monitoring thread that detects CobaltStrike beaconing and other new detection features

1:05 PM

https://www.nextron-systems.com/2021/06/10/thor-10-6-8-techpreview-with-etw-watcher-to-detect-cobaltstrike-beacons/

THOR 10.6.8 TechPreview with ETW Watcher to Detect CobaltStrike Bea...

Awesome, sounds very robust. I'll give it a whirl on some evidence this week when it arrives to our lab

1

Nice

cyb3rops

If you're investigating a real incident, it'll help you more ... We'll release the current TechPreview v10.6 on Monday or Tuesday. Make sure to update the version that you download before scanning using the "thor-util" command line tool.

I was just having a play with this. Is there a way to scan a mounted image with the Lite version? If I use the --fsonly switch I get an error that only the Forensic Lab license supports this, so I assume it's only in the paid version.

Anyone good with batch scripts and writing them?

Ross Donnelly

I was just having a play with this. Is there a way to scan a mounted image with the Lite version? If I use the --fsonly switch I get an error that only the Forensic Lab license supports this, so I assume it's only in the paid version.

http://thor-manual.nextron-systems.com/en/latest/usage/special-scan-modes.html#forensic-lab-license - we'll add the link to the chapter in the manual to the error message (edited)

cyb3rops

http://thor-manual.nextron-systems.com/en/latest/usage/special-scan-modes.html#forensic-lab-license - we'll add the link to the chapter in the manual to the error message (edited)

Good to know, thanks

Does anybody have much experience with the ADF Solutions (https://www.adfsolutions.com/) suite of software? Such as the Triage-Investigator? (edited)

Best Digital Forensics Software | DEI Triage | Computer Forensics

The best computer forensics & mobile triage software, iOS forensics, Android forensics, MacOS forensics, Windows, Linux - Frontline Field Digital Forensics

Yes

Does anybody have much experience with the ADF Solutions (https://www.adfsolutions.com/) suite of software? Such as the Triage-Investigator? (edited)

Ive never used TI, but I have used their DEI software a ton.

Rob

Anyone good with batch scripts and writing them?

Depends what you want to do

DeeFIR 🇦🇺

Depends what you want to do

Trying to figure a simple if statement based on user input

Any input would be greatly appreciated.... I have a motherboard to a 2017 MacBook A1534. I only have the motherboard. I have purchased an A1534 and tried to put the suspect motherboard into the new macbook but it would not boot. Does anyone know a way to recover the data from the soldered on SSD?

https://9to5mac.com/2016/11/24/apple-special-cdm-tool-macbook-pro-ssd-recover-repairs/

Jordan Kahn

This is Apple's special tool to help customers recover data from th...

When the first teardown of Apple’s new 2016 MacBook Pro was published earlier this month, a couple notable changes were spotted related to the machine’s SSD. Components for the SSD are now soldered onto the logic board, which likely allows for some design and thinness enhancements, but hurts overall repairability. On top of not being […]

5:19 PM

Aside from the above device, perhaps there's a pinout somewhere that will allow you to remove the drive and solder an m.2 or sata connector to it.

AARC TASK FORCE

Any input would be greatly appreciated.... I have a motherboard to a 2017 MacBook A1534. I only have the motherboard. I have purchased an A1534 and tried to put the suspect motherboard into the new macbook but it would not boot. Does anyone know a way to recover the data from the soldered on SSD?

Does it power on at all? Can you get into recovery? Or is the board dead?

Does not boot at all. LED light on the logic board is lit.

FullTang

Along the same lines, I keep a small faraday bag in my faraday cage so that I can keep a phone fully isolated at all times. I can put the phone into the bag for a short time to open the cage to add other phones, battery packs, transport faraday bags, remove faraday bags from phones delivered in faraday bags, etc. (edited)

That's how I get the phones in there to begin with, it just gets very cumbersome very quickly. The ramsey box is limited on space to maneuver. I have a new Mission Darkness XL box but it's at a different facility than me for the next few months. It'll be so nice to have all the extra room in there!

whee30

That's how I get the phones in there to begin with, it just gets very cumbersome very quickly. The ramsey box is limited on space to maneuver. I have a new Mission Darkness XL box but it's at a different facility than me for the next few months. It'll be so nice to have all the extra room in there!

The XL box looks massive, I am jealous! I like the idea of actually transporting the ramsey box with the phone inside to where you will do the extraction if needed. You can keep the phone plugged into power the entire time with a car inverter and not worry about battery packs inside of faraday bags.

@AARC TASK FORCE is the screen dead can you try an external monitor ?

Hi not sure if this is the right channel to ask. Recently did a fresh install of Linux from a live USB and enabled LUKS encryption. I noticed on the USB today that there are "install-logs" present, from what I can tell they mainly just have details of what software was installed during the installation. Will there be any trace of the LUKS key or password on that USB? I would assume not as that would be a massive security issue, but just wanted to confirm

hannix7403

Hi not sure if this is the right channel to ask. Recently did a fresh install of Linux from a live USB and enabled LUKS encryption. I noticed on the USB today that there are "install-logs" present, from what I can tell they mainly just have details of what software was installed during the installation. Will there be any trace of the LUKS key or password on that USB? I would assume not as that would be a massive security issue, but just wanted to confirm

I don’t have the answer, but you can perhaps try to do at first a keyword research on the usb key (I mean on the « block dev »).

hannix7403

Hi not sure if this is the right channel to ask. Recently did a fresh install of Linux from a live USB and enabled LUKS encryption. I noticed on the USB today that there are "install-logs" present, from what I can tell they mainly just have details of what software was installed during the installation. Will there be any trace of the LUKS key or password on that USB? I would assume not as that would be a massive security issue, but just wanted to confirm

Usually all this stuff are made in a temporary memory like tmpfs file system.

ah i see. I was just worried in case it meant that a copy of my luks key was now on that USB

11:42 AM

the live usb

hannix7403

ah i see. I was just worried in case it meant that a copy of my luks key was now on that USB

Should not be, no. Booting off USB is non-persistent unless you have configured otherwise. The OS is loaded into RAM and runs from there until reboot.

Hi all, are SANS SIFT VM's usable on the latest M1 MacBook Pro's?

1:04 AM

If so, I'm quite curious about the performance

@Fierry nope. VMware doesn't support x86/x64 emulation.

ah that's too bad :/

1:47 AM

hopefully some sort of ARM-based forensics image will be available in due time

I don't expect there to be an ARM based SIFT image.

1:49 AM

Not in the near future anyways

Would experience in litigation or eDiscovery be helpful in transitioning into a career in digital forensics?

can you expand abit more on that?

Sure! So I’m a litigation paralegal and I would like to transition into digital forensics. I am in grad school for comp sci ( but my BA was in legal studies unfortunately). I am wondering if I were to work in an eDiscovery firm I could eventually transfer over to a job in digital forensics/forensic analyst? Here’s more info on the skill set of a paralegal in eDiscovery. https://www.rasmussen.edu/degrees/justice-studies/blog/what-is-ediscovery/

What is eDiscovery? How to Become a Paralegal Cyber Sleuth | Rasmu...

eDiscovery has become a crucial part of a paralegal’s job due to the increased prevalence of information sharing via technology. Learn more about th

8:07 AM

Or is it unreasonable to think working in eDiscovery could land be a job in computer forensics?

Suggest moving this to #training-education-employment channel, but no it's not unreasonable thinking you can transition from edisco to dfir.

Thank you @randomaccess !

I have recently cleared the cache of my browser, which inturn removed some credentials I had for certain apps and require me to relog into them. Is that information stored within a logged file that I could access for the browser or can i assume the information is gone?

ImWell

I have recently cleared the cache of my browser, which inturn removed some credentials I had for certain apps and require me to relog into them. Is that information stored within a logged file that I could access for the browser or can i assume the information is gone?

Well, yes. You have removed your cookies.

ImWell

I have recently cleared the cache of my browser, which inturn removed some credentials I had for certain apps and require me to relog into them. Is that information stored within a logged file that I could access for the browser or can i assume the information is gone?

with Howard on that, but maybe you could run some Nirsoft kit and see if anything else had access to those credentials and spilled/stored them?

hello @Cellebrite just 4 info.... updated system win 10 to win 11... no problem to work with UFED4PC or PA

(edited)

1

chrisforensic

hello @Cellebrite just 4 info.... updated system win 10 to win 11... no problem to work with UFED4PC or PA

(edited)

Intel, or AMD system?

Arcain

Intel, or AMD system?

Intel

I'd hold on with AMD for now. Read that new scheduler causes issues with L3 cache on Ryzen CPUs, resulting in much lower performance, like 15% in various tasks

Looking to virtualize an E01, any ideas?

Jogoyo

Looking to virtualize an E01, any ideas?

@FabianoQ Posted this guide a while back. https://www.forensicfocus.com/articles/imm2virtual-a-windows-gui-to-virtualize-directly-from-disk-image-file/

Imm2Virtual: A Windows GUI To Virtualize Directly From Disk Image F...

This is a Windows 64 bit GUI for a procedure to virtualize your EWF(E01), DD(Raw), AFF disk image file without converting it, directly with VirtualBox. It is forensically proof.

quick question

12:30 PM

im trying to use dban to wipe a hard drive but it just wont boot from the USB

12:30 PM

I tried it on other machines and it works there

Zealot

im trying to use dban to wipe a hard drive but it just wont boot from the USB

Is secure boot enabled?

its off (edited)

Zealot

its off (edited)

Is the USB before the HD in the boot order?

yes.

There might be another setting in the BIOS that is preventing booting from USB. You could try booting into Paladin or similar to see if the machine will even allow booting from any USB and work from there. At least that's where I would start.

The boot option correspond with the bios UEFI/Legacy ?

Zealot

im trying to use dban to wipe a hard drive but it just wont boot from the USB

Iirc DBAN isn’t maintained and just isn’t very good as it can’t wipe some drive types. I use ABAN instead https://aban.derobert.net (edited)

I wonder if anyone has dealings with recovering data from an Xbox One X? We have a job where the suspect has several hundred indecent images stored within his Xbox at a file path of U:\Users\usermgr0\pictures we are doing an examination using a clone of the original and can’t seem to find any method of getting these files off the device for evidential purposes. We have tried different storage media and there is no option to copy data from this area to any external devices. Any help or ideas would be appreciated

Would copies from a viewer screen or the like suffice? Or it has to be direct chain from the device to your evidence needed?

Or can you pull the hard drive and connect it to a FRED?

cdbandit

I wonder if anyone has dealings with recovering data from an Xbox One X? We have a job where the suspect has several hundred indecent images stored within his Xbox at a file path of U:\Users\usermgr0\pictures we are doing an examination using a clone of the original and can’t seem to find any method of getting these files off the device for evidential purposes. We have tried different storage media and there is no option to copy data from this area to any external devices. Any help or ideas would be appreciated

Messaged you, if that’s alright

cdbandit

I wonder if anyone has dealings with recovering data from an Xbox One X? We have a job where the suspect has several hundred indecent images stored within his Xbox at a file path of U:\Users\usermgr0\pictures we are doing an examination using a clone of the original and can’t seem to find any method of getting these files off the device for evidential purposes. We have tried different storage media and there is no option to copy data from this area to any external devices. Any help or ideas would be appreciated

Xbox drives are fat32 iirc, have you tried dmde on the image to find any artifacts?

Nice

ryd3v

Xbox drives are fat32 iirc, have you tried dmde on the image to find any artifacts?

I have looked at the image of the drive in various tolls but it appears that the images may be contained in the personal encrypted area of the drive

Ah OK, yeah, in that case, it would have to be decrypted first which I'm sure your aware, sorry I couldn't help you further

Hi - has anyone done any testing re: iOS 15 and the possibility of it receiving a ‘kill signal’ via the ‘Find My’ network?

Dang, lots of good stuff today, get back with you Aaron!

Just for info, tracking an iPhone 12 that's been turned off only seems to currently work on the 'Find My' app and doesnt track it on the iCloud website. (edited)

That runs counter to what Apple claims, I believe

busted4n6

Hi - has anyone done any testing re: iOS 15 and the possibility of it receiving a ‘kill signal’ via the ‘Find My’ network?

@busted4n6 I did some testing on that feature and the location tracking in the iOS 15 betas, and found that the phone was not able to receive the wipe command while powered off.

8

@CLB_joshhickman1 And was that with a internet-connected iOS15 iPhone 11(?)/12/13 nearby?

Yes.

10:35 AM

https://thebinaryhick.blog/2021/06/25/apples-find-my-iclouds-throne-of-lies/

Binary Hick

Apple’s Find My & iCloud’s Throne of Lies

I live in the Apple ecosystem, and have for quite some time now. I use an iPhone, have a couple of HomePods, use AppleTV, and typed this blog post (and most of my others) on an iPad. The integratio…

3

1

@CLB_joshhickman1 You were testing an iPhone 8 - my understanding is that the offline and off remote wipe feature is only supported by iPhone 11 and up devices with the U1 chip.

Interesting I had not heard that there were specific U1 capabilities. It was my understanding that offline tracking would work with any device running iOS 15. As far as an offline wipe, I would be interested in hearing more about what you know so I can give it a test spin.

CLB_joshhickman1

Interesting I had not heard that there were specific U1 capabilities. It was my understanding that offline tracking would work with any device running iOS 15. As far as an offline wipe, I would be interested in hearing more about what you know so I can give it a test spin.

"This new feature is based on Ultra Wideband (UWB) technology, which is part of Apple’s U1 chip. Only iPhone 11 and newer models (except for the second-generation iPhone SE) have the U1 chip, so that is why only these devices will work with Find My even when turned off." https://www.google.com/amp/s/9to5mac.com/2021/07/21/ios-15-here-are-the-devices-that-support-find-my-when-turned-off/amp/

Filipe Espósito

iOS 15: Here are the devices that support Find My when turned off

Read on as we detail which Apple devices support the new Find My location when turned off with the iOS 15 update.

Ah, ok. Offline ≠ Power Off. Thanks for pointing this out. I’ll test and report back.

3

hello @Cellebrite is latest version of PA available on customer portal? shows releasedate 10.10.2021, but download is not possible for new version...

11:45 PM

Is there any good photo album software that people use? Otherwise I shall continue to use word or just batch print to pdf, but not optimum.

@CCC you tried IRFANVIEW? https://www.irfanview.info/ Download that along with the plugins.

IrfanView - Official Homepage - One of the Most Popular Viewers Wor...

IrfanView ... one of the most popular viewers worldwide.

7:01 AM

then when it is installed, you goto OPTIONS on the menu at the top, then Multiple images > then PDF

7:01 AM

If that's what you are after that is.

Thinking more for my digital camera roll, but I didn't know that about Irfanview so thanks!

I've extracted a Huawei P20 Pro physically in XRY. I've found some interesting pictures in the folder /snapchat/memories/filenname_thumnail.jpg does anyone know or have done any research regards to this amtter if its the owners stories thumbnails or is it if the owner has looked on a story?

10:04 AM

I cant find the original files I'm afraid and when I look in the phone the memories aint "cached" and we are not allowed to connect it to the internet.

Question about axiom, when we make a portable case, we can’t have the timeline. (How) Is it possible to add the timeline in the portable case ? Thank’s (Manual said that other kind of view are disable of the portable case, but is it possible to enable it…)

Feg

Question about axiom, when we make a portable case, we can’t have the timeline. (How) Is it possible to add the timeline in the portable case ? Thank’s (Manual said that other kind of view are disable of the portable case, but is it possible to enable it…)

Might need a dongle to enable it, I'm guessing.

Andrew Rathbun

Might need a dongle to enable it, I'm guessing.

I have dongle and a full licence …

Feg

I have dongle and a full licence …

Plugged into the machine while viewing the portable case?

Andrew Rathbun

Plugged into the machine while viewing the portable case?

In our case yes the dongle is into it.

Hmm not sure then

i believe the portable case does not support timeline

Talmidim

i believe the portable case does not support timeline

A ticket is send I will update the answer here. But timeline by default in the « Examine » is not generated. But if you generated it, and not it the portable it’s a real issue for « lambda » inspector. For non ICT inspector timeline is really more explicit.

@Feg If all parties have a full license you can just give them the normal case folder instead of creating a portable case

(edited)

Feg

Question about axiom, when we make a portable case, we can’t have the timeline. (How) Is it possible to add the timeline in the portable case ? Thank’s (Manual said that other kind of view are disable of the portable case, but is it possible to enable it…)

Timeline isn't available in portable.

1:05 AM

Regardless of dongle.

Oscar

@Feg If all parties have a full license you can just give them the normal case folder instead of creating a portable case

(edited)

Here I just test my extraction before to share it with non ict inspector but they don’t have the dongle.

Rob

Timeline isn't available in portable.

That’s really a missing point compare to their « IEF » portable case.

I'd agree.

1

You can generate the timeline in examine without a dongle

3:20 AM

Although I don't think you can export it

3:21 AM

Heh I'm also a bit hesitant to give people that don't know what they're doing the timeline because some artifacts are in categories that I think people will incorrectly attribute meaning

2

1

I shutter to think how many cases may have gone a certain way or another by someone saying something happened at X time but it was like a Registry LastWrite timestamp or something, and no one knew any better

busted4n6

Hi - has anyone done any testing re: iOS 15 and the possibility of it receiving a ‘kill signal’ via the ‘Find My’ network?

@busted4n6 @CloudCuckooLand after a little bit of fuss, I was able to test this out using an iPhone 11 and 12 Pro (the test phone). Both phones were running 15.0.2. I was not able to erase the 12 Pro while it was powered off. (edited)

2

1

5:29 AM

I am going to write up a short blog post about what I saw.

2

5:30 AM

Also, the tracking stuff I mentioned in the other blog post still applies (iCloud could not see the 12 Pro while it was powered off, but Find My on my iPad could) (edited)

CLB_joshhickman1

@busted4n6 @CloudCuckooLand after a little bit of fuss, I was able to test this out using an iPhone 11 and 12 Pro (the test phone). Both phones were running 15.0.2. I was not able to erase the 12 Pro while it was powered off. (edited)

That’s good. Did your testing include sending a kill signal to the iPhone 12 and then switching it on but keeping off WiFi and cellular? What we’re curious to know is whether a nearby ‘online’ iPhone can cause the factory reset of an ‘offline’ device

It did. Under simulation (i.e. pulled SIM card and Wi-Fi radio off) the phone was still not able to receive the command. However, I would recommend keeping these devices in a signal-free zone (no other phones/wearables)...Apple can always change things.

5

For a Discord search warrant, do you receive only files that the user personally uploaded or anything that they've looked at? I've got a case where a user has some CP files in their account. Need to make sure they are the ones that personally uploaded the files or whether they just accessed them after somebody else posted them

RyanB

For a Discord search warrant, do you receive only files that the user personally uploaded or anything that they've looked at? I've got a case where a user has some CP files in their account. Need to make sure they are the ones that personally uploaded the files or whether they just accessed them after somebody else posted them

I honestly cannot speak from experience but it seems like files they've personally uploaded would be the expected outcome vs anything they've viewed. Either that, or media that was uploaded to servers they're apart of? Are the folks at Discord helpful whatsoever with clarifying questions?

Random question: Why are partitions needed at all? Why can't we just format an entire disk as NTFS or another FS?

If you assign space to a system partition, you don't need to worry about the user taking up so much space that the machine becomes inoperable

8:21 AM

E.g. the user partition could be full, but so long as the system partition has space available, it can still make use of that space

That explains why multiple partitions are useful. I'm referring to an instance where only a single partition is used

https://askleo.com/should_i_partition_my_hard_disk/ has some good reasons why. I don't know if it's needed per se. But I'm guessing it is "needed" because the operating system needs to know how to store and access files, how to handle deleted files, etc. NTFS does things differently than FAT32, etc. Are you basically asking why can't everything just be raw disk space and leave it at that?

The reasons why multiple partitions are useful is exactly why we don't run with single partitions typically. Perhaps I'm misunderstanding the question

8:25 AM

So let's say you have a single partition on your PC and the user decides to download loads of movies - partition gets full, system can't swap memory, no space for logging, no space for any temporary files at all

8:25 AM

System dies

I should have phrased the question differently - Based on the first instruction of a FS being a JMP to the bootloader, shouldn't it be possible to have a disk with a single filesystem and no MBR/GPT ? (edited)

8:27 AM

(And yes, I'm aware that this would make having a second partition or filesystem on the disk impossible) (edited)

Ah I see. I believe that some embedded systems work exactly like that (but am certainly not an expert in that)

Embedded linux devices or simpler devices?

So if you had a use case that only necessitated a single partition, I guess whatever primary bootloader exists could boot straight from the single partition/filesystem available

moshekaplan

Embedded linux devices or simpler devices?

Simpler

ack

RISC OS based devices I think may meet that use case

I was thinking more devices that are created based on ASICs * (edited)

It iterates over any physical drives connected until it finds a "!Boot" file and then goes from there

Right, I'm aware

1

8:38 AM

I'm writing some training slides on Windows forensics now and I was thinking about partitions - trying to anticipate questions and make sure I have answers (edited)

Ahhhh I see

8:38 AM

So are you trying to find functional examples that don't use logical partitioning?

Nope. Just a thought exercise for my own understanding

1

8:39 AM

This is meant to be 'intro to cyber' for HS students. 4 days of instruction. day 1 is disk forensics.

8:40 AM

Rough outline

Gotcha - makes sense to want to arm yourself with that knowledge, but can't imagine you'd be able to go too in depth on the relative strengths and weaknesses of MBR vs GPT etc in that time frame?

Nope. Not even planning on discussing them

1

8:42 AM

Like, I could if someone asked. But I otherwise plan to gloss over details like an MBR existing.

I always find it shocking how many forensics-related capabilities are implemented as one-off scripts or tools. (edited)

11:33 AM

Like, Autopsy is relatively mature, but I'm only scratching the surface and still seeing things that are only available as external programs or plugins.

The realese notes for UFED 4PC is not available under My login, Can any1 share it?

9:59 PM

I can download the new exe but not Read realese notes

@Arlakossan Release notes are not an option for UFED 4PC for me either. The PA release notes are available but not UFED, maybe someone forgot to upload them? @Cellebrite ?

Wouldn't surprise me if the "release notes" is the bit at the top in this minor release.

Im checking into it

Anyone good with using netwitness

Odd question: I took the test out option for Cellebrite Mobile Forensics Fundamentals. How would you write that into a CV? Do you write "0 Hours", or "Exam Only", or just leave it blank in the area I normally place the hours of training?

GRIZZ

Odd question: I took the test out option for Cellebrite Mobile Forensics Fundamentals. How would you write that into a CV? Do you write "0 Hours", or "Exam Only", or just leave it blank in the area I normally place the hours of training?

add it as a certification

Has anyone used this forensic tool? https://www.tc4shell.com/en/7zip/forensic7z/

Forensic7z

Forensic plugin for the 7-Zip archiver

8:15 PM

It's a plugin for 7zip that lets you browse EnCase and FTK files and such. Sounds pretty nifty but I am wondering if it is reliable and trustworthy.

malwarehobo

Has anyone used this forensic tool? https://www.tc4shell.com/en/7zip/forensic7z/

I haven't used that plugin but I use the "CRC SHA >" right-click function from a normal 7zip install all the time. I have never been given a reason not to trust it and it has caught copies that for some reason did not have the same hash when moving them between volumes.

Hey everyone, if you need to ship a parcel but maintain proof of chain of custody, are there any UK courriers you use? maybe one that does direct pickup and delivery w/o a depot being involved?

misterturtle

Hey everyone, if you need to ship a parcel but maintain proof of chain of custody, are there any UK courriers you use? maybe one that does direct pickup and delivery w/o a depot being involved?

maybe a tamper proof container?

Is that sufficient for using a standard courrier service?

not sure how LEA deal, but i'd use a hard box and seal, or at least a tamper evident bag/box. paperwork: received - seal intact

2:11 AM

whichever courier you use how else would you verify no one took a peek, or worse?

2:11 AM

high value is another matter i guess

2:12 AM

both for belt and braces (edited)

Even single courier we would have tamper proof box or seals, advice from an ex colleague was that sending a package with chain of custody would require a single courier with a direct delivery, so I've just approached it with that assumption

2:13 AM

I'll look into the legal side, but tbh I can't see an issue with tamper proof equipment

yeh, likely good

2:15 AM

best i've seen, previous job, dude flew in from US with an attache case handcuffed to him. car from airport to factory, bit of "aircraft kit" loaded into lockable/tamper evident case, car back to airport, fly back to US. likely had some sort of arms although we didn't see

2:16 AM

someone told me it was the single "foreign" bit of a B2's electronics suite (edited)

2:18 AM

hilarious bit: someone dropped a unit on the way through the factory. all hell let loose to replace the bent handle. minutes to go

misterturtle

Hey everyone, if you need to ship a parcel but maintain proof of chain of custody, are there any UK courriers you use? maybe one that does direct pickup and delivery w/o a depot being involved?

https://www.dxdelivery.com/corporate/services/dx-secure/ I think DX is/has been used by some UK labs

DX Secure - Your Home Delivery Solution

DX can help you deliver a 1st rate parcel service to your customers with our secure and tracked residential delivery service

OllieD

https://www.dxdelivery.com/corporate/services/dx-secure/ I think DX is/has been used by some UK labs

added

I've found these guys too https://www.topspeedcouriers.co.uk/chain-of-custody/ but obviously have no experience with them for recommendations

2:21 AM

Thanks for the link OllieD

misterturtle

I've found these guys too https://www.topspeedcouriers.co.uk/chain-of-custody/ but obviously have no experience with them for recommendations

Never heard of them, but I see DX vans and lorries everywhere

topspeed looks ideal, esp for the sensitive forensic, perishables etc

2:23 AM

maybe echo in #policies-and-procedures ?

I'ma give them a call and see what they're like

I've been working on write blocker validation today, following a long and generally boring process. I've not done validation work before, so this is new to me. I've come across NIST's CFTT Live Linux suite and found it really useful. Has anyone used this for validation that has passed a UKAS assessment? I know how...........particular UKAS can be.

misterturtle

Hey everyone, if you need to ship a parcel but maintain proof of chain of custody, are there any UK courriers you use? maybe one that does direct pickup and delivery w/o a depot being involved?

We use Topspeed at MD5.

Majeeko

I've been working on write blocker validation today, following a long and generally boring process. I've not done validation work before, so this is new to me. I've come across NIST's CFTT Live Linux suite and found it really useful. Has anyone used this for validation that has passed a UKAS assessment? I know how...........particular UKAS can be.

We use this (doesn't need to be a Wiebetech blocker) - UKAS didn't have any issues with it https://www.cru-inc.com/support/software-downloads/writeblocking-validation-utility/

WriteBlocking Validation Utility - CRU

Forensic Software Utility allows you to update the firmware, view information about, or modify features of your CRU forensic products.

1

Ross Donnelly

We use this (doesn't need to be a Wiebetech blocker) - UKAS didn't have any issues with it https://www.cru-inc.com/support/software-downloads/writeblocking-validation-utility/

Thanks, i'll take a look

malwarehobo

Has anyone used this forensic tool? https://www.tc4shell.com/en/7zip/forensic7z/

I have used it and it does work. However, I would suggest trying it out and testing it with what you do regularly and see if it would have any value

hello folks at @Cellebrite can i get a short info about difference of UFED premium and premium ES ? we have UFED Ultimate and want to upgrade to a stronger solution. maybe a short DM? thanks in advance

Hey @chrisforensic shoot me a dm. And we can chat. (edited)

1

I have been missing from in the server for a while--maybe I need a better process to manage my 20+ discords!. I hope everyone is doing well. I have been working on a project that people can now probably take a look at https://pypi.org/search/?q=xleapp < just added it to PyPI today. Still in alpha phase. The CLI is stable (at least I think so) but the GUI is currently broken. I'll be fixing that soon, I hope. There are still artifacts that need to be transitioned over from the iLEAPP (which is where I started) and the other sister programs. Also anyone have an iTunes backup they can share or test with? I think that maybe broken too. I have been testing with a tar file -- https://thebinaryhick.blog/2020/04/16/ios-13-images-images-now-available/. If you want to help me out, drop me a line.

Is there any possibility to find out the admin PW when I have an unencrypted dump of a MacOS system? I somehow need to get into the keychain-

12:28 AM

I tried to chance it via pre-boot terminal but that did not work (forensical soundness not required)

this is more a question for #password-encryption-cracking you can try to crack the admin pwd; more info here https://hashcat.net/forum/thread-7792.html

at what point in cloning an external hdd does the data being copied become readable?

or, @Luci , you can try to crack the keychain-hash, wich is faster (but contains more false positives); more info, here https://github.com/hashcat/hashcat/issues/2457

Are there any free tools similar to forensic notes?

cnc747

Are there any free tools similar to forensic notes?

Maybe try Obsidian or OneNote? Not 1:1 but probably the best you're going to do.

Andrew Rathbun

Maybe try Obsidian or OneNote? Not 1:1 but probably the best you're going to do.

Thanks Andrew!

@Magnet Forensics can someone from the AXIOM Process side of thing (Product Manager or otherwise) send me a PM so I can run something past you? (edited)

Andrew Rathbun

@Magnet Forensics can someone from the AXIOM Process side of thing (Product Manager or otherwise) send me a PM so I can run something past you? (edited)

Morning @Andrew Rathbun passed the request along to the team. Someone will be in touch soon.

1

Do we have any reps from Griffeye on the server?

@Griffeye

2

figured may be quicker on here than help portal.

Any individuals from Hampshire DFU present? I need a contact, if possible to reach out to regarding a private company who you may have dealt with previously.

1

Hi, Does anyone know if there is a diff module for autopsy? I would like to compare two images to the which files have been changed. If there is any other open source project as well, id love to look into those. I need the files that has been altered to be highlighted somehow. So far I havent found anything but the Golden Image module, which I could not make work.

So, I use UFED/PA a lot as I'm sure many of you do as well. It's a good tool, my biggest gripe is the slow project opening times and the propensity to crash. Today, I lost a few hours into a project that takes over an hour to open. I save relatively often but I still lose some work when it crashes and then it takes over an hour to open back up again. Nothing is failing in the trace window and my computer is no slouch, I'm just wondering if anyone has discovered any tricks to making the software more reliable?

2:04 PM

I've got an i9 7900X, 64GB RAM and a GeForce 1050Ti. It's a few years old but should still be plenty of computer to run the software.

@Law Enforcement [UK] Anyone got a contact or email for Instagram data? Specifically access logs from a victim's account

MrTurdTastic

@Law Enforcement [UK] Anyone got a contact or email for Instagram data? Specifically access logs from a victim's account

You will need to speak with your SPOC. IG has a law enforcement portal for these types of enquiries

Yeah apparently they know sod all about it which is a ballache

1

They should be able to access CD Services which has a list of the types of data they can get. They can also engage with the National knowledge and engagement team for more esoteric questions. You can definitely get IP login history via an IPA event data application.

4:02 AM

Also, be aware of the criminal offences that can be committed by requesting communication data if you’re not a SPOC

Hello all, I've been asked questions about FindMy Offline Tracking. We have a covert site for exhibit storage and there has been raised concerns that the new iOS Feature will disclose this location due to the high amount of phones being stored (Which may not have been powered off correctly) and employees devices which would be live. would this pose a risk? and aside from faraday environment is there any other solutions to mitigate this?

guys can you help me take data out of my bad drive???

Well finally got the magnetic closure Faraday cases made. Only 6 months late

. https://mtdfe.com/products/new-advanced-faraday-mag-case-tablet-sized

NEW (Intro Rate) - Advanced Faraday Signal Blocking Magnetic Closure C

Strong magnetic closure

Cellphone and tablet RFID signal blocking case with padding to protect your devices.

Perfect for large tablets and large phones + cases. It will even house a small laptop such as a Chromebook.

Compatible with Apple and Android devices.

Isolates mobile devices to help prevent remote erasing w

8:33 AM

There are free cases on the site as well if you check out the catalog. I pay for everything. Plz only 1 ea.

1

LAmbrose

Hello all, I've been asked questions about FindMy Offline Tracking. We have a covert site for exhibit storage and there has been raised concerns that the new iOS Feature will disclose this location due to the high amount of phones being stored (Which may not have been powered off correctly) and employees devices which would be live. would this pose a risk? and aside from faraday environment is there any other solutions to mitigate this?

iOS devices are placed within anti static Faraday bags to block any signals when at our sites. This stops / reduces the chances of your devices talking to the exhibits.

Also - if you find yourself running out of actual bags to store devices long term until the battery finally dies, buy some nice tinfoil for those devices that need long term storage.

1

Can anyone one in here give me their opinion on the proper way to express numbers in forensic reports (ie; 1-9/10 written, written up to two words then numeric, etc)? It seems that my peers have mixed opinions and was wondering if I could get an "industry standard" point of view. I have referenced APA, Chicago, and MLA, as well as tried to find answers online, but there are a lot of opinions. Just looking for a bit more of a definitive answer than I currently have. TIA

I don’t know specific to DFIR but through college it was always write out zero-ten and then use numbers for the rest.

3:26 PM

What do folks here use for in-field write blocking of nvme drives? The tableau bridge is $$$$ and I’m leaning towards getting a USB enclosure and using my existing USB write blocker. I’d never get around the controller anyhow so trim etc don’t seem to matter here.

jwatson7428

Can anyone one in here give me their opinion on the proper way to express numbers in forensic reports (ie; 1-9/10 written, written up to two words then numeric, etc)? It seems that my peers have mixed opinions and was wondering if I could get an "industry standard" point of view. I have referenced APA, Chicago, and MLA, as well as tried to find answers online, but there are a lot of opinions. Just looking for a bit more of a definitive answer than I currently have. TIA

Hopefully my response will be relevant to what you're asking, but I apologize if its not in advance. We usually say "....observed ten (10) endpoints where Cobalt Strike was...."

4

I'm looking for a better way to handle investigative datasets of facilities (account details, IP history, phone numbers, addresses) that is currently stored in a spreadsheet. On top of static spreadsheets, almost all of my cases involve multiagency with no shared storage/network connectivity. I want to move this format to a database and I think Neo4j would be perfect. Is anyone using Neo4j to store case data and to track relationships for large cases?

Just had a question, a new update to iPhones allow phones to be remotely wiped when in an off state? Is this true? I’m guessing it has something to do with their ultra wideband technology?

4JSN6🇬🇧

Just had a question, a new update to iPhones allow phones to be remotely wiped when in an off state? Is this true? I’m guessing it has something to do with their ultra wideband technology?

@CLB_joshhickman1 did some testing in this channel recently and couldn't get it to wipe whilst turned off - the UWB seemed to be limited to only tracking the device (for now)

Interesting! And wildly concerning at the same time

4:33 AM

thanks @Ross Donnelly

Hello! I am researching different standards that are related to digital forensics, and i have found the ISO series, SWGDE standards and NIST so far. Do you know of any other standards that might be relevant?

Anders

Hello! I am researching different standards that are related to digital forensics, and i have found the ISO series, SWGDE standards and NIST so far. Do you know of any other standards that might be relevant?

Those are the major ones in terms of "standards" if you expand your research to practice guides and procedures you should turn up some other sources or see where the adopted the ones you already found. ACPO - Association of Chief Police Officers is an example.

1

Hi All, I am currently completing one of my DFIR Uni assignments, we have been tasked to pull evidence out of a computer image. I am currently attempting to pull emails, the target was using the Windows 10 Mail app and I attempting to recover any sent/received emails. The Unistore/UnistoreDB is clean and there are no emails present. In the EFMData folder there are a couple of emails however this is not a complete list. Researching the HxStore.hxd file (https://boncaldoforensics.wordpress.com/2018/12/09/microsoft-hxstore-hxd-email-research/) and reading it with a hex editor has allowed me to manually pull out fragmented and mildly corrupted emails. I was wondering if anyone had any insight into tools I could use to automate this process or even correct the corrupted emails I have already? Thanks.

jboncaldo

Microsoft HxStore.hxd (email) Research

Possible additional Windows Live Mail message location? Up until Windows 10, you could find email-related files with the extension “.EML”. These files presented the opportunity for ema…

yddeT

Hi All, I am currently completing one of my DFIR Uni assignments, we have been tasked to pull evidence out of a computer image. I am currently attempting to pull emails, the target was using the Windows 10 Mail app and I attempting to recover any sent/received emails. The Unistore/UnistoreDB is clean and there are no emails present. In the EFMData folder there are a couple of emails however this is not a complete list. Researching the HxStore.hxd file (https://boncaldoforensics.wordpress.com/2018/12/09/microsoft-hxstore-hxd-email-research/) and reading it with a hex editor has allowed me to manually pull out fragmented and mildly corrupted emails. I was wondering if anyone had any insight into tools I could use to automate this process or even correct the corrupted emails I have already? Thanks.

I should note, I have already found numerous emails within "HxStore.hxd" that were not present in EFMData that have either been removed or just are stored somewhere I am unable to find them.

@yddeT What tools did your professor recommend ?

DCSO

@yddeT What tools did your professor recommend ?

I am currently using Autopsy in conjunction with FTK Imager, they have recommended MailXaminer and a few other tools to process these email files. However, our workshops were on Outlook .pst files and there are none present with the assignment so I'm just researching and going from there at the moment.

@yddeT Autopsy is a great too, I would also look at @Arsenal Recon Arsenal Image Mounter https://arsenalrecon.com/products/ I believe the freeware version should work for education and is slightly better than FTK Imager in my opinion.

Products

DCSO

@yddeT Autopsy is a great too, I would also look at @Arsenal Recon Arsenal Image Mounter https://arsenalrecon.com/products/ I believe the freeware version should work for education and is slightly better than FTK Imager in my opinion.

I'll take a look, thanks.

If I wanted to add a line to a search warrant to get the logs from an iPhones KnoledgeC how would you phrase it? The best I can think of is “logging of application usage from (time X to time Y)”

6:11 AM

But that wouldn't include screen unlocks and plugging in though...

Why not specifically mention KnolodgeC in your warrant? You may also have to include a paragraph explaining what KnolodgeC is and what information it contains, but that seems like the most straightforward.

1

To be honest, I'd have to admit its not clear to me what the extent of the database is in order to explain it elegantly, and without loosing them in the weeds. But I appreciate your suggestion and will look into this option today. (edited)

1

@GRIZZ typically we don't get that detailed on what you are searching for like "SQLite database area" blah blah, it should be "device usage including locations and app data usage related to the homicide investigation occuring on January 1st 2020" etc... Just my 2 cents

5

This server is obviously a great resource for many people. I have my own server and think it would be really cool to benefit from following the Newsfeed channels. It also would provide a way for members of my server to automatically find this server and recognize the news sources as notable DFIR news. Could a mod consider this feedback and potentially allow us to use the Follow integration (Discord feature)? Thanks! Tagging @Andrew Rathbun to coordinate.

Swiz

This server is obviously a great resource for many people. I have my own server and think it would be really cool to benefit from following the Newsfeed channels. It also would provide a way for members of my server to automatically find this server and recognize the news sources as notable DFIR news. Could a mod consider this feedback and potentially allow us to use the Follow integration (Discord feature)? Thanks! Tagging @Andrew Rathbun to coordinate.

Sure, what is needed from my end? Are you currently unable to Follow one of those channels?

12:15 PM

Let me know which cord I have to trip over in the Server Room to fix things

Andrew Rathbun

Sure, what is needed from my end? Are you currently unable to Follow one of those channels?

I believe this means you have to enable it per channel. For example, if you go to this Arduino server, you will see a Follow ability under #\announcements.

12:18 PM

https://support.discord.com/hc/en-us/articles/360028384531

Looks like the requested channels has to be considered an announcement channel, which I don’t think ours are currently configured that way. (edited)

Yup there it is!

I don't see any reason not to do this

12:22 PM

I can change each one in DFIR Newsfeed category

12:23 PM

unless @Jobbins you wanna start from bottom, I'll start from top?

I do'nt think it changes anything

I think we could do our announcement and news feeds channels

agreed, nothing more needed really

Exactly

It DOES allow others to follow your server indirectly. The pros of this are others not having to join the server, but with the easy pointer to it if they want to. Yup, just for the news channels

12:24 PM

However, I do encourage that also for the actual announcement channels.

I'll start with #13cubed and you wanna start with #this-week-in-4n6 ?

Yup sounds good

#announcements has been changed now

Gaming and other types of communities often do this as a way for people to easily follow when a new release, bug fix, event, etc is available.

12:25 PM

I'll let you know when the above works for the news channels

12:25 PM

Appreciated! Now I won't have to constantly invite ppl invidually to the server

@Swiz try now

12:25 PM

might need to ctrl+r

they show the megaphone icon now on my screen

Works!

12:26 PM

yup

12:26 PM

mega

thanks for speaking up

4

How it looks

very cool!

12:39 PM

thanks for sharing

Hey guys, I plan to study cybersecurity and this question is not exactly forensics related but is C used elsewhere in cybersecurity besides writing exploits (if you're pentesting)? I believe any unique tooling required would likely be written in something like Python but I'm not sure. (edited)

Sure, like reading decompiled C code while reversing vulnerabilities, exploits, and malware

12:08 AM

At least that's why I plan on studying it

12:09 AM

Besides that, you could contribute to projects written in C

I see, thanks.

12:21 AM

I C*

2

12:21 AM

Thought I'd try learn a bit of C before starting uni

12:26 AM

Just realised I forgot to ask if we were going to cover assembly in the uni course

C has kinda always been the default for digging deep into the OS. Historically all the really good libraries for systems type programs were available for C. Its also typically easy to statically compile, so usually you can just run system type utilities without having to install a bunch of dependencies. Having said that... I am finding GoLang to be a decent alternative. I thing C is still better, but GoLang is easier and pretty powerful.

Go's syntax threw me off a little

12:33 PM

I'm a bit picky when it comes to the style of syntax

12:33 PM

Same reason I didn't like python and went for JS instead (edited)

12:36 PM

Not sure if anyone here has experience in the pentesting industry, but is it common for roles to include a bit of physical security too? (edited)

Hello everyone, I'm currently doing my dissertation on Threat Intelligence for SOC. I'm currently doing research around preventing SOC fatigue through the use of machine learning to help reduce false positive and aiding incident response times. To those working as a SOC analyst, this question is for you. From a security operations perspective, what are some of the biggest challenges you face working as as a SOC analyst when comes to dealing with threat intelligence feeds ? realistic Insights will greatly benefit and add value to what I'm doing as this is a big issue within the security community being able to change the way we look threat intelligence will not only aid SOCs and Incident response teams but also truly help protecting infrastructure including banks, hospitals and other cooperate companies who have a security dedicated teams. (edited)

@$CozyBear I may have some feedback regarding your main question, but can I DM my information?

1

Squiblydoo

@$CozyBear I may have some feedback regarding your main question, but can I DM my information?

@Squiblydoo Yes that would be amazing, please do

1

Any recommendations for a 3rd party decryption tool that can be used in a ransom recover activity? One that can be scaled and deployed well across Enterprise network?

I was going to say hashcat but I thought it was too sarcastic xD

1

equation

Any recommendations for a 3rd party decryption tool that can be used in a ransom recover activity? One that can be scaled and deployed well across Enterprise network?

Try enquiring with Crypto Sheriff https://www.nomoreransom.org/crypto-sheriff.php

Crypto Sheriff | The No More Ransom Project

To help us define the type of ransomware affecting your device, please fill in the form below. This will enable us to check whether there is a solution available. If there is, we will provide you with the link to download the decryption solution.

I've tried to look this up, but... Does anyone know the format of Axiom .kws (keyword list) files? I'm simply not able to find a description or examples.

Andbern

I've tried to look this up, but... Does anyone know the format of Axiom .kws (keyword list) files? I'm simply not able to find a description or examples.

What's the file header?

I'm not so sure there is a header. It's the file format Magnet Axiom uses to add keywords that it then again is run against the evidence. I looked for a "questions about tools" kinda channel but this general one seemed tobe the closest.

Has anybody seen or dealt with the Jupyter backdoor in the wild?

7:06 AM

Not a Jupyter notebook vulnerability, rather the generally called "Jupyter Infostealer/Backdoor" or "Jupyter loader"

Andronidas

Has anybody seen or dealt with the Jupyter backdoor in the wild?

Yes, I do a lot of research into Jupyter Infostealer

7:34 AM

I've seen it in numerous client environments and have it in a lab.

Squiblydoo

Yes, I do a lot of research into Jupyter Infostealer

Hey Squibly, didn't know you participated in here

8:06 AM

Is it ok if I dm you?

Andronidas

Hey Squibly, didn't know you participated in here

Yes, go ahead and DM. I haven't really posted in the server previously, just been lurking.

Roger that, ty

I see it a lot

Can I ask what capacity you work in, rayeh, and what actions you take for mitigation/response? (edited)

IR for academic medical, usually users looking for various documents (personal and work related), we contain/re-image at minimum and investigate more depending on how much was allowed to run or data residing /processed on device

8:23 AM

recently it hasn't been able to proceed beyond setting up persistence, with the persistence mechanism being blocked by behavioral engine

OK, good to know. I try to download it every week and upload it to a few places to keep detection up. Microsoft has been good at stopping the setup script right now.

8:26 AM

They started dropping their infostealer again this week, but it also has high AV detection rates.

yeah, I saw that when I grabbed one last week

1

8:27 AM

yeah I see your comment on the dll I uploaded last week on VT

Ah nice. I was glad to see someone else had grabbed it and uploaded both DLL. :)

they changed their powershell loader from what I usually see from the bxor to gzip but it doesn't seem to have done any favors

8:29 AM

at least with falcon

That is good to know.

I'd love it if users would pause a bit more when searching

8:30 AM

their strategy seems very effective from what we see, of people at least attempting to grab it

8:32 AM

so far I haven't really observed them do much of anything

8:32 AM

have either of you?

Likewise. I read pretty much everything that gets published about it, and I have not seen anyone who has observed any further activity than stealing information.

Andbern

I've tried to look this up, but... Does anyone know the format of Axiom .kws (keyword list) files? I'm simply not able to find a description or examples.

Do you have one already or are you trying to make one?

rayeh

their strategy seems very effective from what we see, of people at least attempting to grab it

If you would mind pinging me (DMs/Twitter), when you find new samples, it would be appreciated. Even just a VT link would be appreciated. Of the researchers I know, I am being the most agressive with tracking, documenting, and reporting aspects of the malware. However, I do my malware research as an independent, so additional sources of information are appreciated. I’ve got some connections with larger research organizations and am passing them intel as well as having my own unique sources of intel.

Squiblydoo

If you would mind pinging me (DMs/Twitter), when you find new samples, it would be appreciated. Even just a VT link would be appreciated. Of the researchers I know, I am being the most agressive with tracking, documenting, and reporting aspects of the malware. However, I do my malware research as an independent, so additional sources of information are appreciated. I’ve got some connections with larger research organizations and am passing them intel as well as having my own unique sources of intel.

yep will keep you in mind

1

Andbern

I'm not so sure there is a header. It's the file format Magnet Axiom uses to add keywords that it then again is run against the evidence. I looked for a "questions about tools" kinda channel but this general one seemed tobe the closest.

Is it not just a plain text file, with one keyword per line? That's the format I usually use with Axiom when importing a keyword list (but not .kws specifically)

That is one way. But by using the mentioned format the other settings (charset, regex/grep) are preserved. Or so the documentation claims. I have yet to find a format description or example of the not-txt option. (edited)

1

hxz

Not sure if anyone here has experience in the pentesting industry, but is it common for roles to include a bit of physical security too? (edited)

I'm not a pentester, but yes, depending on the security audit required by the company, pentests often require being a spy. Theres a bunch of good stories on the podcast Darknet Diaries from these people. Basically a company might hire you to hack into their computers, and then you have to work yourself into the building and gain access. Or you might be hired as an "intern" and try to work your way to domain admin.

1:51 PM

Really exciting stuff if you are really good at what you do.

Can I ask a quick point of order question?

1:52 PM

Wouldn’t pentesting refer to the loud knocking, obvious, noisy attack simulations?

1:53 PM

While trying to be more covert or using tactics extremely close to those of threat actors would more be known as red teaming?

1:54 PM

The entirety of the service offered and executed being an engagement?

1:54 PM

I’m not trying to be pedantic, I just want to make sure I’m not mistakenly thinking I know my terms when I do not

1:55 PM

I wanted to do pentesting and red teaming and all that awhile back

1:55 PM

But DFIR stole me away

My impression has been that pentesting is a red team thing, as in pentesting falls under the umbrella of red team duties

1

Sounds reasonable too

1:55 PM

You’re probably right

i am sure there are other red team things they do besides pentesting that fall under the Red Team umbrella, but honestly, maybe joining the SANS Red Team Discord Server might be a good idea for you to ask those experts

Sure, additional knowledge is always welcome. Truthfully, I’m here because this is where I found my passion in security

1:57 PM

DFIR is all about the coolest things, to me

1:58 PM

I really hope I can learn a lot from the experts here

Andrew Rathbun

i am sure there are other red team things they do besides pentesting that fall under the Red Team umbrella, but honestly, maybe joining the SANS Red Team Discord Server might be a good idea for you to ask those experts

links please

Cole

I'm not a pentester, but yes, depending on the security audit required by the company, pentests often require being a spy. Theres a bunch of good stories on the podcast Darknet Diaries from these people. Basically a company might hire you to hack into their computers, and then you have to work yourself into the building and gain access. Or you might be hired as an "intern" and try to work your way to domain admin.

Ah yes, I've heard of such stories from my cybersecurity teacher and was wondering if that was still done nowadays The darknet diaries sound interesting, I haven't listened to them yet but I heard that they had some good episodes covering NSO and Pegasus (edited)

I watched a pretty damn good talk from Chris Nickerson, mentioning all the names and teams and divisions we have in sec

Cole

I'm not a pentester, but yes, depending on the security audit required by the company, pentests often require being a spy. Theres a bunch of good stories on the podcast Darknet Diaries from these people. Basically a company might hire you to hack into their computers, and then you have to work yourself into the building and gain access. Or you might be hired as an "intern" and try to work your way to domain admin.

I'm guessing they don't teach that stuff at uni, right?

hxz

I'm guessing they don't teach that stuff at uni, right?

I did have two classes that went over a bunch of security related practices and how to do OSINT, but no one specifically taught us how to pick a lock or clone a rfid badge lol

TyphoidMeredith/Case

Wouldn’t pentesting refer to the loud knocking, obvious, noisy attack simulations?

No not necessarily, the idea is not to get caught.

ryd3v

No not necessarily, the idea is not to get caught.

I suppose yes that is accurate. But as far as my understanding has been and my learning, Penetration Test you can do the easiest and loudest stuff first to see if that’s picked up

4:50 PM

And if it’s not, well that’s a damn big finding already

4:50 PM

So why proceed to the quieter more subtle attacks?

4:51 PM

You already know your engagement isn’t going to involve super stealth techniques, they couldn’t even tell when you were banging on the door

General question/poll: I've always run Kali in VMs for ease but also paranoid safety. Is it worth the hassle? Environment 1:

TryHackMe (online but guided, spins up dedicated VMs for you to interact with, has no open team vs. team scenario, provides vpn)

Environment 2:

Scoped-CTF (global online team vs team, maybe red-vs-blue, is scoped to specific challenges and boxes, often there is monitoring for mucking with the challenges/platform itself)

Environment 3:

Non-scoped CTF / bug-bounty programs (HackTheBox or interacting with real environments, possibly where bad actors are more likely to be present, even if just trolling)

Environment 4:

Professional purposes (at your real job, involves your real identity, as contractor or internal infosec, typically assumes safer environment but may have a smaller footprint and test how effective internal endpoint monitoring is)

Environment 5 (this is for entertainment/debate - open thread to discuss):

Personal banking and shopping (VM in VM in VM? USB? Single device? LTE only?)

For polling the community here, use the following emoji: USB

= USB

= VM

️ = native OS (edited)

6:13 PM

Environment 1 (edited)

1

3

6:13 PM

Environment 2 (edited)

1

5

1

6:13 PM

Environment 3 (edited)

1

6

1

6:16 PM

Environment 4 (edited)

1

4

6:16 PM

Alternatively, point out if there is another or better way to pentest safely and for the environment/scenario, or if all of this doesn't matter at all.

Looking to transition from a paper and camera method to tablets for onscene documentation. Looking to see if anybody has any recommendations. It would be strictly for documentation.

TyphoidMeredith/Case

So why proceed to the quieter more subtle attacks?

well that's not really the philosophy, red-teaming is designed to simulate an attack or infiltration, so bad guys don't use that methodology right

krisc#21223

Looking to transition from a paper and camera method to tablets for onscene documentation. Looking to see if anybody has any recommendations. It would be strictly for documentation.

iPad

krisc#21223

Looking to transition from a paper and camera method to tablets for onscene documentation. Looking to see if anybody has any recommendations. It would be strictly for documentation.

Panasonic Toughpads are decent for your typical LE usage

Hi, I'm currently using ENCASE for computer's analysis and i'm considering acquiring BELKASOFT X in addition of the first one. Would someone have feedback (benchmark) between those two softwares ? (MacOS imaging with all chips available, data extraction, bitlocked computer for example) Thanks in advance.

I have a Samsung A01 Core running Android 10. Both CPU and memory chips are cracked on one corner (the phone has been bent in half). Any amazing gadget out there we could use like a chip fixerer? I am of the opinion it is the end of the road for this phone but just casting my net out there JIC.

Anyone give me some advice regarding getting data from an alexa show 5? Never received one before and not sure whats stored on them, if we can get it, and if so, what tools should be used. Thanks

KR-4n6

Hi, I'm currently using ENCASE for computer's analysis and i'm considering acquiring BELKASOFT X in addition of the first one. Would someone have feedback (benchmark) between those two softwares ? (MacOS imaging with all chips available, data extraction, bitlocked computer for example) Thanks in advance.

Belkasoft X was really fast in my brief testing and the GUI was really nice. I was impressed. I liked how they put the SQLite databases themselves in the examiner's face so they can see the raw data rather than how it's being parsed and presented by the software.

Zhaan

I have a Samsung A01 Core running Android 10. Both CPU and memory chips are cracked on one corner (the phone has been bent in half). Any amazing gadget out there we could use like a chip fixerer? I am of the opinion it is the end of the road for this phone but just casting my net out there JIC.

#mobile-forensic-extractions

Artea

Anyone give me some advice regarding getting data from an alexa show 5? Never received one before and not sure whats stored on them, if we can get it, and if so, what tools should be used. Thanks

I'd probably try the same channel too ^

Hi Guys, What software can I use to repair corrupt Audio files (aac, mp3, m4a)?

@Magnet Forensics and anyone else who wants to chime in, is there a way to create a portable case in Axiom that contains artifacts filtered to a date range but also include all artifacts which have no timestamp at all? I'm trying to adhere to some frustratingly specific terms in a search warrant but I seem to be running up against a wall on this... (edited)

chipapa1974

Hi Guys, What software can I use to repair corrupt Audio files (aac, mp3, m4a)?

what's the back story ie the source of the files? if it' from a data recovery it's less likely to be corruption and more fragmentation? (edited)

n3ls0n

@Magnet Forensics and anyone else who wants to chime in, is there a way to create a portable case in Axiom that contains artifacts filtered to a date range but also include all artifacts which have no timestamp at all? I'm trying to adhere to some frustratingly specific terms in a search warrant but I seem to be running up against a wall on this... (edited)

If you use your filters to get things down to a dataset you want to add to a portable case you can tag it and include it. In other words add a "no Dates" tag to the files that dont have dates you have determined and then Tag the files that are in your date range with "Dates within range" and then when you generate your portable case you can check all

7:28 AM

that apply

That should work, though it is a little effort intensive. I'll give it a go. Thanks @Jamey

Original message was deleted or could not be loaded.

#training-education-employment

Andrew Rathbun

#training-education-employment

My bad

Anyone know a similar server but for red team/ pentesting?

Swiz

links please

@hxz Check out this thread for multiple cyber Discord servers.

Thanks

hxz

Anyone know a similar server but for red team/ pentesting?

DM me

Digitalferret

what's the back story ie the source of the files? if it' from a data recovery it's less likely to be corruption and more fragmentation? (edited)

Hi, the files are from data recovery, they were deleted from the folder created on the desktop and also deleted from recycle bin. I run a recovery software and managed to recover the entire files from the recycle bin but those files were all corrupted. I tried several data recovery softwares but same results. My next step is to try repair those corrupted audio files recovered which I am asking for someone who knows a tool that can help to repair the files.

chipapa1974

Hi, the files are from data recovery, they were deleted from the folder created on the desktop and also deleted from recycle bin. I run a recovery software and managed to recover the entire files from the recycle bin but those files were all corrupted. I tried several data recovery softwares but same results. My next step is to try repair those corrupted audio files recovered which I am asking for someone who knows a tool that can help to repair the files.

it may not be as simple as that. with fragmentation the files can be stored on the (HDD) disk as many much smaller files. if the recovery software recovers via a file table/index it will pick up all the fragmented parts, much like the normal file system would and reassemble as a full file. (edited)

12:44 AM

if the data are "carved" using header info, the software may only pick up the first so many bytes and you will have that and an undetermined size after of garbage found at that disk location as there will be no means to pick up the other scattered fragments.

12:45 AM

this is for spinning hard disks. solid state drives store files as fragments regardless so it's even worse in that respect. that's my understanding of it anyway.

12:46 AM

given that, you may not be able to repair the file because the original data are not intact in the file that is recovered. it isn't so much corrupt, as just garbage with a good file header at the front (edited)

ryd3v

DM me

Doesn't let me lol

1

Andrew Rathbun

Belkasoft X was really fast in my brief testing and the GUI was really nice. I was impressed. I liked how they put the SQLite databases themselves in the examiner's face so they can see the raw data rather than how it's being parsed and presented by the software.

Thanks for your feedback

Anyone know of any good, yet cheap, portable USB harddrives which come with either port covers or a carrying case? Preferably at least 1TB and on reputable sites like Amazon. Thanks. (edited)

hxz

Anyone know of any good, yet cheap, portable USB harddrives which come with either port covers or a carrying case? Preferably at least 1TB and on reputable sites like Amazon. Thanks. (edited)

I use this one and it's great https://www.canadacomputers.com/product_info.php?cPath=179_1160&item_id=139023 Sure you can find it on Amazon

ORICO NVMe M.2 SSD Enclosure 10Gbps, Silver

ORICO NVMe M.2 SSD Enclosure 10Gbps, Silver (ORICO TCM2-C3-SV-BP)

I think that's only an enclosure, also sadly out of my budget

ryd3v

I use this one and it's great https://www.canadacomputers.com/product_info.php?cPath=179_1160&item_id=139023 Sure you can find it on Amazon

Btw, don't you get data loss if SSD's are unpowered for like a week

Nope

1

I plugged in a SSD from like 3 years ago earlier this year, still had data on it

Oh

Yep, I've plugged in SSDs from years ago, nothing changed.

11:50 AM

Also nvmes are 'non-volatile'

11:50 AM

Basically a big fast usb stick xD

1

I was referring to this, I'm guessing that's probably a rare chance

Yeah I don't know where that is from, but it's incorrect

I guess anything's possible but yeah sounds very wrong to me (edited)

I always thought that was true lol, so I was scared to use SSDs for important data

Nowadays, cloud storage is so cheap/free. Important stuff should be backed up ideally using the 3-2-1 rule, but even a free Google or Microsoft account will give you 15GB or so of free storage. I don't think those companies are going away anytime soon

SSDs don't last forever but they do have a shelf life, doesn't mean the data magically disappears, but data loss is a factor over time, something like 10 years, or a certain amount of read, write cycles, I found this article that has a few good facts, although, ssd manufacturers consistently update their hardware and software, there is also space reserved on a ssd for this reason, https://www.ontrack.com/en-ca/blog/how-long-do-ssds-really-last Don't quote me on any of the information in the article, I just skimmed it, but it seems to be pretty standard info *Edited because my phone keyboard hates me

(edited)

SSD Lifespan: How Long do SSDs Really Last?

Recovering data from failed SSDs is still more challenging than HDDs for data recovery service providers. Read more about the SSD lifespan.

Btw

12:00 PM

is it safe to buy second hand hard drives? (edited)

Define "safe". You could buy a used drive, carve for files and find some shady stuff on it. Or, you could review the SMART data and it could have 100000 power on hours and then you know it's closer to the end of its life than the beginning lol

12:01 PM

The answer is always "it depends"

4

Was talking about the latter but would be fun to try run Autopsy or smth on it lol

12:01 PM

Was gonna use it for my main backup

Could be fun, could also be a piece of evidence for your local PD's evidence room

I dumpster dive often

"It depends..."

12:09 PM

The best answer because it is always right!

Good enough

12:13 PM

Only reason I'm buying an external drive is cause I can't trust my current backup one, about a week ago it randomly stopped working, Windows kept telling me it's unable to write to it, I then restarted the pc and it took a solid 2 minutes to load the HDD (edited)

ryd3v

I dumpster dive often

I'm sure there's cool stuff to find, but I'm not gonna bother unless I have a spare hazard suit lying around

12:14 PM

I'm not good around bugs and stuff

hxz

Only reason I'm buying an external drive is cause I can't trust my current backup one, about a week ago it randomly stopped working, Windows kept telling me it's unable to write to it, I then restarted the pc and it took a solid 2 minutes to load the HDD (edited)

Cloud backups?

Sounds expensive

12:14 PM

Or rather

hxz

I'm not good around bugs and stuff

Yeah, electronic dumps usually are pretty bug free but yolo (edited)

I'm like 80% sure I won't be able to pay the monthly fees because my bank often drops to periods of below £10 (edited)

Interesting, there are lots of free online storage available, and if you have concerns about the data, just encrypt it locally before you back it up to the cloud.

there are lots of free online storage available

I have about 800gb worth of stuff to back up, the free ones usually provide like 2gb max

12:22 PM

But I like have an offline backup too

12:22 PM

When I'm more financially stable I'll likely look into cloud backups too (edited)

Anyone know how to exclude OS pics from the Media tab in Axiom?

Trashboat667

LG 125DL Classic Flip. Is this phone possible? It’s a flip phone and I can’t figure out how to get into debug or if it’s even possible

Ever have any luck with this?

Forgedmom

Ever have any luck with this?

Yes we did. This is what we did. https://media.discordapp.net/attachments/838873723498790972/854023764550746172/image0.jpg

Jogoyo

Anyone know how to exclude OS pics from the Media tab in Axiom?

If you use the NSRL Hash Database to exclude files, I think that will exclude those pics

PSA: There seem to be an ongoing phishing campaign to target discord user via the link "discorde[.]gift". Be aware (edited)

abefroman

If you use the NSRL Hash Database to exclude files, I think that will exclude those pics

Awesome! Thanks!

Trashboat667

Yes we did. This is what we did. https://media.discordapp.net/attachments/838873723498790972/854023764550746172/image0.jpg

Thank you!

Trashboat667

Yes we did. This is what we did. https://media.discordapp.net/attachments/838873723498790972/854023764550746172/image0.jpg

So... we did this and now the phone wont even turn on... any ideas?

Forgedmom

So... we did this and now the phone wont even turn on... any ideas?

Is the phone plugged into UFED? It may actually be on and in EDL. The screen is just black. (edited)

Trashboat667

Is the phone plugged into UFED? It may actually be on and in EDL. The screen is just black. (edited)

We arent sure what happened. But we shut it all down, rebooted, and started again. Ended up with a partial extraction. Cannot seem to get SMS off the device. These older phones are a real PITA

Forgedmom

We arent sure what happened. But we shut it all down, rebooted, and started again. Ended up with a partial extraction. Cannot seem to get SMS off the device. These older phones are a real PITA

It worked when we did it. However that was several ufed versions ago

Original message was deleted or could not be loaded.

test comple :: please change password now Rebooting in 3,2,1 ... Connection lost

@Forgedmom when you plugged the phone in to a computer and look in the device manger do you see a "Qualcomm" connection ? if so you are in EDL and should be able to pull it.

1

For someone trying to really figure out what they want to do in cyber security space, I know there are a ton of options ( i have no comp sci/ computer background). I am using cybrary.it so far and really enjoying it but always lookinga for more ways to learn if anyone has suggestions (looking for more beginning level / intro stuff till I know more)

So I dropped an executable into virustotal and it came back with 0 detected viruses, yet windows defender for some reason quarantined on my pc few days ago when i downloaded it and said it was a trojan the executable does nothing virus-like, it doesn't even connect to the internet, mainly just does some calculation, so I have no clue why it was flagged does the method of downloading a file also determine whether it gets flagged? Because when it got flagged, it was immediately after I downloaded it via powershell

@Roll4Combat #training-education-employment

Thank you must have missed that @DCSO ty

hxz

So I dropped an executable into virustotal and it came back with 0 detected viruses, yet windows defender for some reason quarantined on my pc few days ago when i downloaded it and said it was a trojan the executable does nothing virus-like, it doesn't even connect to the internet, mainly just does some calculation, so I have no clue why it was flagged does the method of downloading a file also determine whether it gets flagged? Because when it got flagged, it was immediately after I downloaded it via powershell

download it via alternate means and check?

I already pressed allow on windows defender

1:23 PM

I later removed the exemption and downloaded again via the same method

1:24 PM

But it didn't flag this time

1:24 PM

I'll try it on a vm or smth and see wagwan

There's the possibility it's packed, and has routines to detect if it's running in a sandbox and not unpacking

7:24 AM

I would expect that to raise the score on a couple of vendors though

Hey, I'm trying to run FTK Imager Lite and it's telling me that "An administrator has blocked you from running this app", my account is the only account on this computer and also has administrator privileges so I'm not sure why I'm being blocked

4:30 AM

Oh apparently it's to due with it being an old version, I'll try a newer version (edited)

FTK Imager Lite has been updated in 11 years. You're likely using the most updated version

Is there no portable up-to-date version of the regular ftk imager?

Some people turn FTK Imager (not Lite) into a portable version but I'm not personally up on that method. Would be worth a blog post if one doesn't exist already. Try searching in this server for instructions as I know it's been talked about before

4:33 AM

I recall trying the method a couple years ago and I always ran into some missing DLL issue or something like that. I just moved on

‍♂️

Ah

4:33 AM

Technically it should work if you just dropped the whole accessdata folder where it's installed onto a usb, right?

In theory yes but in practice it didn't work for me but it worked for others, so likely something I did wrong

Ah

I don't think they even do Lite anymore.

It's still available for download but it's not been touched in over a decade

Ye, sounds about right. Speaking from experience, good ol regular FTK imager is fine.

4:48 AM

I've used it effectively in a portable stance albeit it not the latest.

hxz

Technically it should work if you just dropped the whole accessdata folder where it's installed onto a usb, right?

No, you need to copy some DLL files too. There is a list on their site, but they don't mention all of the DLL files required.

5:26 AM

https://exterro.freshdesk.com/support/solutions/articles/69000765662-run-ftk-imager-from-a-flash-drive-imager-lite-

Run FTK Imager from a flash drive (Imager Lite)

Question How can I run Imager from a portable drive? Answer Prerequisites: A computer other than the target system Procedure: On a machine other than the system to be imaged, install FTK Imager Insert a flash drive formatt...

Hey guys, so say you have some internal tools running locally and you wanted people to easily access it whilst connected to your vpn, so instead of typing out the IP for the service say I wanted them to use a subdomain, i.e. admin.hxz.wtf Now, I've tried adding a DNS A record for admin which points to 10.8.0.2, which works fine but is that normally how you'd so something like that? If someone accesses it and they're not connected to the vpn, it would technically point to a service on their local network right? not really a problem but a bit weird imo

9:25 AM

not exactly forensics related but I'm guessing you guys would have some idea about how that stuff usually works

exploit.quest

Hey guys, so say you have some internal tools running locally and you wanted people to easily access it whilst connected to your vpn, so instead of typing out the IP for the service say I wanted them to use a subdomain, i.e. admin.hxz.wtf Now, I've tried adding a DNS A record for admin which points to 10.8.0.2, which works fine but is that normally how you'd so something like that? If someone accesses it and they're not connected to the vpn, it would technically point to a service on their local network right? not really a problem but a bit weird imo

The A record would usually be published only on your internal DNS. This means the correct IP is presented when connected to the VPN (so internal DNS is accessible), but would simply fail to resolve when not connected.

Okay thank you, what's common practice for urls to internal services?

1:29 PM

I was told some people use *.internal.example.com

1:30 PM

is there any other common styles of doing it

exploit.quest

Okay thank you, what's common practice for urls to internal services?

Yeah a subdomain of an externally routable address (like your example) is considered best practice, although some people with legacy domains might not be able to do that very easily.

Released my database crawler on github if anyone wants to use it. Useful if you are looking for Ex: a row called latitude or a blob that contains a string. https://github.com/Ogg3/DatabaseCrawler

GitHub - Ogg3/DatabaseCrawler: Finds databases in a directory and t...

Finds databases in a directory and then crawls them looking for strings. - GitHub - Ogg3/DatabaseCrawler: Finds databases in a directory and then crawls them looking for strings.

4

does anyone know if there is a discord channel for "M365 Defender" which discusses the threat hunting aspect of the product?

ForensicDev

does anyone know if there is a discord channel for "M365 Defender" which discusses the threat hunting aspect of the product?

#incident-response is probably your best bet (edited)

Anyone here familiar with the Cellebrite Touch 2? And doing a bit of troubleshooting? I turn it on I see the windows investigator screen for about 2 seconds shows the dots in a circle loading thing. Then screen goes black. Leave it for hours never comes back try touching screen never a response but when you push the power button on back you see a very quick shutting down circle of dots again then black screen and off. Any ideas?

Palazar82

Anyone here familiar with the Cellebrite Touch 2? And doing a bit of troubleshooting? I turn it on I see the windows investigator screen for about 2 seconds shows the dots in a circle loading thing. Then screen goes black. Leave it for hours never comes back try touching screen never a response but when you push the power button on back you see a very quick shutting down circle of dots again then black screen and off. Any ideas?

Try a different lead? We tested a new kettle lead recently as ours wouldn't power up properly or charge and found it was the lead.

Rob

Try a different lead? We tested a new kettle lead recently as ours wouldn't power up properly or charge and found it was the lead.

I did try that, I have 2 units I just got in the mail since the one worked perfect figured swap the cables but no luck. The one that did work once I saw investigator screen it did also go black but for like 10 seconds then the UFED 7.45 loaded up. (Just downloaded 7.49 going to update in a bit) What makes me think it might now be power issue is that hours later when I push the power button it shows shutting down as if it was on the whole time.

12:36 AM

It's also a much longer shutdown time (I say longer it's maybe 5 seconds) but the busted one it is maybe a second or two shutting down maybe a rotation. Of the circle and black screen.

Sounds like you need to do an RMA ticket with cellebrite

That hurts the soul.

Hello everyone, i was wondering if it was possible to use usb license dongles over the network using anywhereUSB by Digi, if anyone has any experience please let me know. e: since we have different physical servers and moving around dongles is very hectic with the techs in my company (edited)

@Cellebrite is there someone available to talk about the touch 2 and how to get like an ISO for the touch 2? For the Touch 2 mentioned above. I connected a display to it thinking maybe it is trying to display on a separate screen. Sadly it doesn't show. But when I connect a keyboard and do control alt delete and get to task manager I can sign out and see the investigator when when I select sign in black screen. But there is a UFED manager that I don't have the password for. Wondering if there is something more I can do. Really don't want to do an RMA.

Deleted User

Hello everyone, i was wondering if it was possible to use usb license dongles over the network using anywhereUSB by Digi, if anyone has any experience please let me know. e: since we have different physical servers and moving around dongles is very hectic with the techs in my company (edited)

Yes y havve used it for virtual machine and it woeks very well I have encase ftk oxígen cellebrite and no issues

5:55 AM

They are some software solutions to try the worked to, but is much more easy the digy solution

Palazar82

@Cellebrite is there someone available to talk about the touch 2 and how to get like an ISO for the touch 2? For the Touch 2 mentioned above. I connected a display to it thinking maybe it is trying to display on a separate screen. Sadly it doesn't show. But when I connect a keyboard and do control alt delete and get to task manager I can sign out and see the investigator when when I select sign in black screen. But there is a UFED manager that I don't have the password for. Wondering if there is something more I can do. Really don't want to do an RMA.

There are ways to recover it. Best way to start is via our support groups. I know before I joined cellebrite I did have to 'restore' a unit. Touch base w/ support@cellebrite.com or via the portal

I'll see if I can get the website portal to work. Thanks.

If you can't, you can just email them also

mdogilvie

They are some software solutions to try the worked to, but is much more easy the digy solution

yes i have been looking at virtualhere and USBnetworkgate

6:53 AM

thank you btw

The only thing to considera is if that hardware fails, it happend to me and we had to do magic to work, we had our lab in hyper v and it didn t recognize the do gles

U mean if the usb hub fails ?

@Magnet Forensics - Is there any way to run AXIOM (not cyber) in an azure vm instance? The sales rep is trying to push cyber and cloud licence server which is what we dont want, as we only have one axiom licence.

DF51 Shaf

@Magnet Forensics - Is there any way to run AXIOM (not cyber) in an azure vm instance? The sales rep is trying to push cyber and cloud licence server which is what we dont want, as we only have one axiom licence.

Hello Shaf, I believe I know the answer already but, double checking something with my licensing guru's. I will DM you the answer when I get my response...

Jamey

Hello Shaf, I believe I know the answer already but, double checking something with my licensing guru's. I will DM you the answer when I get my response...

Thank you kindly sir. Appreciate the followup!

Jamey

Hello Shaf, I believe I know the answer already but, double checking something with my licensing guru's. I will DM you the answer when I get my response...

I would be interested in this as well. In a very similar situation.

1

Does anyone recommend any social media analysis/OSINT tools?

10:46 AM

At this time we are looking at Voyager and Maltego/Shadowdragon (edited)

10:48 AM

oh and Skopenow

pathsofglory

Does anyone recommend any social media analysis/OSINT tools?

#osint and @7oaster

1

@Cellebrite - time sensitive question if there’s tech support on right now

Hey. Not tech support but can try to help. (edited)

Love that support. Thanks for the assist!

Deleted User

yes i have been looking at virtualhere and USBnetworkgate

I use VirtualHere on a Synology NAS and it works perfectly.

Good afternoon everyone. I am working on a European DF project called Formobile and as part of the project they are producing guidance for the Judiciary. I've been asked to provide some case studies that show what we do well and where things have gone wrong. So if anyone is aware of cases in the public domain that cover the following areas - pre-acquisition, acquisition, preparation, analysis and reporting then I'd be really grateful. Feel free to DM me if you want to know more or have any such cases you can share. (edited)

(KAOS) ReacherJ

Good afternoon everyone. I am working on a European DF project called Formobile and as part of the project they are producing guidance for the Judiciary. I've been asked to provide some case studies that show what we do well and where things have gone wrong. So if anyone is aware of cases in the public domain that cover the following areas - pre-acquisition, acquisition, preparation, analysis and reporting then I'd be really grateful. Feel free to DM me if you want to know more or have any such cases you can share. (edited)

SWGDE might cover some of these https://www.swgde.org/

SWGDE

The Scientific Working Group on Digital Evidence (SWGDE) brings together organizations actively engaged in the field of digital and multimedia evidence to foster communication and cooperation as well as to ensure quality and consistency within the forensic community.

Morning all, I know this question was asked last year without an answer, but is there any go to GPS expert that forces refer to in the UK at current? @Law Enforcement [UK]

Not to my knowledge, I'd suggest your local NCA office may know though (edited)

1

K23

Morning all, I know this question was asked last year without an answer, but is there any go to GPS expert that forces refer to in the UK at current? @Law Enforcement [UK]

Most forces or their ROCU should have an RFPS team. Although they don’t do GPS they may know someone who does. Otherwise NCA expert witness finder

1

Thanks all!

3:14 AM

Another one for @Law Enforcement [UK] , how, if at all, are you deploying Cellebrite Reader so that it can be used and accessed on force IT systems? Or at current are you just directing users to view on standalone viewing machines?

K23

Another one for @Law Enforcement [UK] , how, if at all, are you deploying Cellebrite Reader so that it can be used and accessed on force IT systems? Or at current are you just directing users to view on standalone viewing machines?

We advise to view on standalone machines as a matter of operational security. However, I know of forces that allow it on standard networked machines also. Its a matter of internal policy.

@Magnet Forensics Any of you lovely chaps at the Tech Talk in London next week? Be good to network

hello everyone, for those who use cellebrite, have you encountered problems concerning the "openjdk platform binary" process which makes the CPU go to 60/70% while not using the ufed4pc / PA software?

4:03 AM

@Cellebrite

RW_Digital

We advise to view on standalone machines as a matter of operational security. However, I know of forces that allow it on standard networked machines also. Its a matter of internal policy.

In the past we have directed to use standalone but these machines are not widely supported by IT and come in varying shapes and sizes, and arguably more of an operational security concern as these are not managed. With deployment on standard network machines, was more looking for technical details as we have hit a few road blocks with the more recent releases of reader unfortunately.

K23

Another one for @Law Enforcement [UK] , how, if at all, are you deploying Cellebrite Reader so that it can be used and accessed on force IT systems? Or at current are you just directing users to view on standalone viewing machines?

We deployed it and XAMN Viewer through IT and the Force Software Centre, built into Windows enterprise. New version releases were tested by IT and pushed out for users to install locally. Seems to work well.

1

K23

Another one for @Law Enforcement [UK] , how, if at all, are you deploying Cellebrite Reader so that it can be used and accessed on force IT systems? Or at current are you just directing users to view on standalone viewing machines?

We have XAMN Viewer & Cellebeite Reader on our Software Centre (available to download) for all network machines

1

manuelevlr

hello everyone, for those who use cellebrite, have you encountered problems concerning the "openjdk platform binary" process which makes the CPU go to 60/70% while not using the ufed4pc / PA software?

Hey. Shoot me a dm we can chat more about it

Br3W7h1S

We deployed it and XAMN Viewer through IT and the Force Software Centre, built into Windows enterprise. New version releases were tested by IT and pushed out for users to install locally. Seems to work well.

Thanks we do similar with XAMN and our IT was able to do that without issue. Its just CB that's been the problem!

Artemisia (They / Them)

We have XAMN Viewer & Cellebeite Reader on our Software Centre (available to download) for all network machines

Interesting, mind if I drop you a DM?

K23

Morning all, I know this question was asked last year without an answer, but is there any go to GPS expert that forces refer to in the UK at current? @Law Enforcement [UK]

We at KBC might be able to help if you wanted to get in touch. We regularly work on GPS cases https://www.keithborer.co.uk/

Home | Keith Borer Consultants

Keith Borer Consultants provides high quality independent forensic science consultancy in criminal, civil, family and disciplinary matters. Our Forensic Scientists are expert witnesses and are instructed by solicitors, barristers, police forces, companies and private individuals to examine the strength and reliability of evidence and report on ...

Ross Donnelly

We at KBC might be able to help if you wanted to get in touch. We regularly work on GPS cases https://www.keithborer.co.uk/

Thanks Ross, I'll pass the details on

K23

Another one for @Law Enforcement [UK] , how, if at all, are you deploying Cellebrite Reader so that it can be used and accessed on force IT systems? Or at current are you just directing users to view on standalone viewing machines?

We're old fashioned. Standalone for analysts and CD/DVD for RO to run the generated reports on Force IT.

any idea when iphone 13 will be supported by cellebrite

10:36 AM

it works treating it as a 12 pro max for logical though

10:37 AM

and other things

K23

Another one for @Law Enforcement [UK] , how, if at all, are you deploying Cellebrite Reader so that it can be used and accessed on force IT systems? Or at current are you just directing users to view on standalone viewing machines?

We currently place our reports with Cellebrite reader on a network drive for officers to access on their workstation. It not a brilliant solution but it just about works. The issues we have at the moment are that the corporate laptops and computers struggle to open large UFDR files. Also our IT are getting virus alerts which regularly point to something within the UFDR file. The deeper our IT department move along their NEP/365 journey I can’t see us being allowed to distribute reports the way we are We are looking at Magnet Review though however are yet to see a demo of it.

1

Hi guys - I have an iPhone back up stored on a computer that is encrypted with apples back up encryption - any idea where I may find the password

Benj

Hi guys - I have an iPhone back up stored on a computer that is encrypted with apples back up encryption - any idea where I may find the password

indirectly "Asymmetric Thinking", but I just lifted an entire raft of passwords, from web browsers on an associated (windows) machine using Nirsoft. More than a few followed the same naming system so wasn't too hard to extrapolate for the clients lost (iPad) passwords. worth a look if you have similar scenario?

1

Thanks! Sounds like a good plan

Digitalferret

indirectly "Asymmetric Thinking", but I just lifted an entire raft of passwords, from web browsers on an associated (windows) machine using Nirsoft. More than a few followed the same naming system so wasn't too hard to extrapolate for the clients lost (iPad) passwords. worth a look if you have similar scenario?

This is by far one of the easiest ways to find likely passwords

pug4N6

This is by far one of the easiest ways to find likely passwords

yup. it's easy to get so involved in lock picking to the point you forget to try the handle first or look for the keys, hung over there ->

7:27 AM

be like Progressive Undertaker: thinking outside the box

Hi guys i was wondering if it is still possible for mobile phones to receive signals if they are powered off and if a powered off phone was found at a crime scene whether a faraday bag should be used or not?

MrSadface

Hi guys i was wondering if it is still possible for mobile phones to receive signals if they are powered off and if a powered off phone was found at a crime scene whether a faraday bag should be used or not?

Hot topic atm. With iOS 15, it is possible to locate switched off iPhones. Faraday use depends on local force policies, but yes it would always be recommended where available. Unfortunately cost implications of each bag and the facility for Faraday boxes to safely open up the bags / examine the phones are quite high so there's a lot of risk management that happens based on case risk level etc.

It sounds silly, but tin foil is just as effective as faraday bags. The downside is foil is more cumbersome and not as reusable as faraday bags.

How are agencies talking about dealing with devices being brute forced? Faraday cages come to mind but those can get pricey too. Does airplane mode adequately protect from a wipe?

Can anyone recommend a timeline analysis tool for me? I am using timesketch now, but there are often some bugs, oft need refresh page

warlock40

How are agencies talking about dealing with devices being brute forced? Faraday cages come to mind but those can get pricey too. Does airplane mode adequately protect from a wipe?

As far as I know there haven’t been any reports of a device in airplane mode being wiped, but maybe someone else has

RX

Can anyone recommend a timeline analysis tool for me? I am using timesketch now, but there are often some bugs, oft need refresh page

https://discord.com/channels/427876741990711298/427936091220344833/881236998315212950 Here's my answer about timeline stuff. Still curious if a good solution exists out there but it all depends on your use case, what's important to your case, and the potential level of scrutiny down the road you could face (i.e., courtroom testimony, etc)

1

Hello, do you know the filesystem that ps4 hard drive uses? (edited)

Prometheus

Hello, do you know the filesystem that ps4 hard drive uses? (edited)

They encrypt them so I have never gotten further than that. I did read an article where an examiner found somewhat of a solution by imaging drive first, then attaching console to video capture device and recording.

Prometheus

Hello, do you know the filesystem that ps4 hard drive uses? (edited)

I’m of the understanding that they are encrypted to the device they are from. I have used a voom shadow and then powered in the console in the past

FullTang

It sounds silly, but tin foil is just as effective as faraday bags. The downside is foil is more cumbersome and not as reusable as faraday bags.

In the UK world of validation, the codes and 17025 that method would be a big no!

3

Hello! does anyone know what chipset a Scroll Excel 2 tablet has? There is very limited information online. Thank you!

@g.wilson Boxchip A10, aka Allwinner A10 most likely

1

@Arcain Thank you!

Hi everyone, doing some brainstorming right now in regards to an email sent out by a gmail address and received by a company address. goal would be to identify the original sender of that email or any information that could narrow things down like location information. The email contains no attachments and the work is public sector related (no LE). Currently, I could imagine doing the following but maybe some of you got additional ideas. a) Header Analysis: Having a look if information about the email client, IP or any location information can be deduced. From what I remember there won't be much for gmail as no IP of the sender etc. should be visible here? b) OSINT: verifying if the email address was used somewhere else so it potentially could be associated with an existing profile. c) Associations on local drives: if there is a suspected user, the users harddrives could be analyzed for any associations to the particular email address. There would probably also the option to use the password recovery function in order to get a small potion of an associated email address, phone number or associated device. Cheers

.yuzumi.

Hi everyone, doing some brainstorming right now in regards to an email sent out by a gmail address and received by a company address. goal would be to identify the original sender of that email or any information that could narrow things down like location information. The email contains no attachments and the work is public sector related (no LE). Currently, I could imagine doing the following but maybe some of you got additional ideas. a) Header Analysis: Having a look if information about the email client, IP or any location information can be deduced. From what I remember there won't be much for gmail as no IP of the sender etc. should be visible here? b) OSINT: verifying if the email address was used somewhere else so it potentially could be associated with an existing profile. c) Associations on local drives: if there is a suspected user, the users harddrives could be analyzed for any associations to the particular email address. There would probably also the option to use the password recovery function in order to get a small potion of an associated email address, phone number or associated device. Cheers

a) with gmail the headers won’t reveal much b) OSINT only works some of the time because these types of emails are usually from one-and-done burner accounts c) suspect likely to have sent email from somewhere they felt safe to do so likely not on a company machine. The content of your email is usually your biggest clue. Find the motive and go backwards from there. Social engineering the suspect via that email address can sometimes work but has to be done just right.

warlock40

How are agencies talking about dealing with devices being brute forced? Faraday cages come to mind but those can get pricey too. Does airplane mode adequately protect from a wipe?

https://thebinaryhick.blog/2021/10/27/ios-15-powered-off-tracking-remote-bombs/ This talks a bit about it but essentially it looks like they can track location but can't remote wipe when the device is off/disconnected for now.

Binary Hick

iOS 15 Powered-Off Tracking & Remote Bombs

If you are not a member of DFIR Discord you are really missing out. It is a fantastic resource. I am constantly learning stuff from the practitioners there and it helps me keep up with trends in ar…

Thinking that has to change in the future though, right?

CCC

Thinking that has to change in the future though, right?

It has stayed the same from iOS 14 to 15, with remote wiping requiring internet access but tracking only requires Bluetooth. This can probably change whenever apple decides to, but there must be some reason why they kept it the same.

Does anyone know what the current renewal price is for cellebrite UFED Ultimate?

MrTurdTastic

@Magnet Forensics Any of you lovely chaps at the Tech Talk in London next week? Be good to network

We will have about ten people at Tech talk including @Jad Nick Volpe and many others...

Look forward to it

There are zoom issues today so we will have to postpone Life Has No Ctrl+Alt+Del until next week. Sorry for the hassle! See you on Monday.

3

.yuzumi.

Hi everyone, doing some brainstorming right now in regards to an email sent out by a gmail address and received by a company address. goal would be to identify the original sender of that email or any information that could narrow things down like location information. The email contains no attachments and the work is public sector related (no LE). Currently, I could imagine doing the following but maybe some of you got additional ideas. a) Header Analysis: Having a look if information about the email client, IP or any location information can be deduced. From what I remember there won't be much for gmail as no IP of the sender etc. should be visible here? b) OSINT: verifying if the email address was used somewhere else so it potentially could be associated with an existing profile. c) Associations on local drives: if there is a suspected user, the users harddrives could be analyzed for any associations to the particular email address. There would probably also the option to use the password recovery function in order to get a small potion of an associated email address, phone number or associated device. Cheers

was it malicious? if it's more than just annoyance/interest maybe contact Google with whoever you have highest rank there. had one yrs back, malicious mail to member of staff. Head of IT contacted Yahoo directly. miscreant was caught in rapid order.

Anyone have a good setup they are using for charging devices while BF is being done?

I’m looking for some charging stations for long term phone storage. Anyone know if the stations that protect from overcharging turn off at 100% (like batteries) or if they will keep the phone charged indefinitely?

Ghosted

Anyone have a good setup they are using for charging devices while BF is being done?

Oddly enough I posted the same thing before I saw your comment.

1

Deleted User

a) with gmail the headers won’t reveal much b) OSINT only works some of the time because these types of emails are usually from one-and-done burner accounts c) suspect likely to have sent email from somewhere they felt safe to do so likely not on a company machine. The content of your email is usually your biggest clue. Find the motive and go backwards from there. Social engineering the suspect via that email address can sometimes work but has to be done just right.

Re gmail headers, it depends on how the suspect sent the email. If it was sent from the web interface, then the headers won't contain the end user's IP address. If it was sent using an email client, then it will.

My googlefu is lacking these days, I can't find an answer to this. Is there a way to correlate what URL dropped a file into the browser cache? For instance, if there's a hit for some malicious js. I'd like to know the source of it. The creation timestamp on the file may correlate closely to the URL's recovered from the browser history. But without analysing that URL and then any subsequent i-frames, includes or redirects you'd end up with a somewhat accurate picture, maybe. This likely gets worse as the investigation time moves forward from the time of the detected download. Would be curious about what's around for all usual suspect browsers, but Edge (chromium) in particular.

00willo

My googlefu is lacking these days, I can't find an answer to this. Is there a way to correlate what URL dropped a file into the browser cache? For instance, if there's a hit for some malicious js. I'd like to know the source of it. The creation timestamp on the file may correlate closely to the URL's recovered from the browser history. But without analysing that URL and then any subsequent i-frames, includes or redirects you'd end up with a somewhat accurate picture, maybe. This likely gets worse as the investigation time moves forward from the time of the detected download. Would be curious about what's around for all usual suspect browsers, but Edge (chromium) in particular.

https://www.nirsoft.net/utils/chrome_cache_view.html Have you tried this tool and maybe see what it says and try to correlate with browsing history and the MFT?

Cache viewer for Google Chrome Web browser

ChromeCacheView is a small utility for Windows that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache.

00willo

My googlefu is lacking these days, I can't find an answer to this. Is there a way to correlate what URL dropped a file into the browser cache? For instance, if there's a hit for some malicious js. I'd like to know the source of it. The creation timestamp on the file may correlate closely to the URL's recovered from the browser history. But without analysing that URL and then any subsequent i-frames, includes or redirects you'd end up with a somewhat accurate picture, maybe. This likely gets worse as the investigation time moves forward from the time of the detected download. Would be curious about what's around for all usual suspect browsers, but Edge (chromium) in particular.

Try Hindsight, should timeline cache alongside history, and might correlate the site the cache came from https://github.com/obsidianforensics/hindsight

GitHub - obsidianforensics/hindsight: Web browser forensics for Goo...

Web browser forensics for Google Chrome/Chromium. Contribute to obsidianforensics/hindsight development by creating an account on GitHub.

Andrew Rathbun

https://www.nirsoft.net/utils/chrome_cache_view.html Have you tried this tool and maybe see what it says and try to correlate with browsing history and the MFT?

Thanks, I'll definitely check it out. It may not suit what I'm ultimately after as my next steps are geared towards usage with a SOAR platform.

stark4n6

Try Hindsight, should timeline cache alongside history, and might correlate the site the cache came from https://github.com/obsidianforensics/hindsight

This might be very helpful, I should be able to dig out the process of the correlation from here to implement as part of pulling the required pieces remotely for evaluation. Thanks.

Hey, need some help identifying some exif tags on some jpgs. IFD0 - Artist IFD0 - XP Author XMP-dc - Creator XMP-rdf - about (There is a uuid here). I found a little more about the tags on exiftool.org but after that i couldnt find much.

Hello, I need your help. Is there any data(report or something..) on the use of Cellbrite CAS or Graykey by law enforcement agencies in U.S.? Even if it is not the U.S, it is okay to be in other countries such as Europe.

I would say a Microsoft app either modified or created the image based on “IFD0 - XP Author”. Have you tried to google dork the UUID for luck?

If anyone is looking for an awesome SQLite program, Navicat is having a sale for the next 3 days. 30% off licenses.

3

@KoKi why do you need to know this ?

What channel would be the best one to ask about acquiring a USB HID device? It's not showing up under /dev to acquire it and I'm not finding any way to acquire from /devices/pci*

0b01000011

What channel would be the best one to ask about acquiring a USB HID device? It's not showing up under /dev to acquire it and I'm not finding any way to acquire from /devices/pci*

probably #data-recovery bc plugged in hw? altho i guess here is as good as any. what device and have you tried lshw hwinfo and the like?

Just curious, does anyone know a way to compare 2 ufdrs and only display the differences? Maybe @Cellebrite has a solution? Or does pathfinder supports this?

B

Just curious, does anyone know a way to compare 2 ufdrs and only display the differences? Maybe @Cellebrite has a solution? Or does pathfinder supports this?

In PA you can open the first ufdr and then open and merge the second one into it. In the merged project, on each table view in the Analyzed Data section you can filter for only the non-deduped items.

3

Does anyone know what discord data is available from a GrayKey extraction, both BFU and AFU of an iphone?

Maybe somebody use LTO8 tape drives for data archiving? Do these devices require special software or everything to work Drag & Drop? Does it take long to retrieve the recorded information? e.g. if I want to extract only one small file from a tape? I'm talking about an external device not about tape libraries.

Hello everyone, could you recommend external SOC services? (ie: Arctic Example, eSentire)

Digitalferret

probably #data-recovery bc plugged in hw? altho i guess here is as good as any. what device and have you tried lshw hwinfo and the like?

Yea, used dmesg -w to get VID and PID. Also, captured the keys pressed when it was inserted. I think we got all we need. Thx again @Digitalferret

1

Any recommendations regarding CyberSecurity Bootcamps? Trying to speed up the pace of my learning and get job ready faster (can fund anywhere between 12-26 weeks of fulltime bootcamp) Just looking for suggestions/ reccomendations if any of you have gone down that path.

Anyone ever had a situation where a machine has two monitors (Win 10), but when trying to remote in with TightVNC, it shows only one and a black screen for the second? (edited)

3:08 AM

It's as if TightVNC detects the second monitor, but isn't displaying it.

3:09 AM

Just a black screen for where the display would be

I'm not sure it should matter, but is the second monitor connected through a second gpu? (like using integrated motherboard GPU + dedicated gpu)

rayeh

I'm not sure it should matter, but is the second monitor connected through a second gpu? (like using integrated motherboard GPU + dedicated gpu)

There is no external gpu. All through the motherboard. (edited)

5:57 AM

We have an exact same setup next to the machine that works

5:58 AM

But despite my best attempts at copying it, I can't figure out what's not working

Rob

But despite my best attempts at copying it, I can't figure out what's not working

maybe poke around in Settings-Display (on both source and taget) if you haven't already. on single here so can't check, but maybe also look for laptop style option to either mirror or extend display to second screen. no doubt it'll be obvious once you sort but :clutching-straws: here, lol

6:49 AM

Digitalferret

maybe poke around in Settings-Display (on both source and taget) if you haven't already. on single here so can't check, but maybe also look for laptop style option to either mirror or extend display to second screen. no doubt it'll be obvious once you sort but :clutching-straws: here, lol

Both are set to extend.

6:55 AM

To clarify, both monitors are working perfectly fine as expected and displaying both screens fine

6:56 AM

However, they're in another part of the building we're in so we have to walk over to them currently instead of remote connecting as we normally do.

6:58 AM

Looks like this to us when remote connecting (not actually the desktop, just taken some random image off google)

6:58 AM

So we can for example see the left display, and it's seemingly detecting the second, just not displaying it

1

Is it a limitation of tightvnc perhaps? You tried ultravnc?

baggins

Is it a limitation of tightvnc perhaps? You tried ultravnc?

I haven't, but willing to give it a try. Tightvnc works on the exact same computer next to the one that doesn't that has the same setup ie two monitors etc.

arforensic

Maybe somebody use LTO8 tape drives for data archiving? Do these devices require special software or everything to work Drag & Drop? Does it take long to retrieve the recorded information? e.g. if I want to extract only one small file from a tape? I'm talking about an external device not about tape libraries.

We use LTO8 there are applications that use ltfs which is universal, but to be honest if really doesn't play nice with lots of small files. We are in the process of trying to find a new application but so far struggling to find one that isn't overly complex

Roll4Combat

Any recommendations regarding CyberSecurity Bootcamps? Trying to speed up the pace of my learning and get job ready faster (can fund anywhere between 12-26 weeks of fulltime bootcamp) Just looking for suggestions/ reccomendations if any of you have gone down that path.

#training-education-employment

1

https://www.engadget.com/kyle-rittenhouse-ipad-pinch-to-zoom-lawyers-claim-142110207.html

Rittenhouse defense incorrectly claims iPad pinch-to-zoom modifies ...

Lawyers for Kyle Rittenhouse inaccurately claimed an iPad's pinch-to-zoom would manipulate video, and the judge appears to have accepted the argument..

4:45 PM

Also posted to the multimedia channel - I'm surprised to see misinformation/spin like this

1

hi everyone, a quick one in regards to compliance center: a colleague just told me that they getting errors when using the content search when it comes to paths that have e. g. parentheses included. since I cant look it up right now myself / test it due to traveling: is there any annotation so that the full path for the content search is considered even if it has special characters included?

Why is there not an Incident response channel? Do we just class is as dfir as a whole?

you mean #incident-response channel?

1

6:40 AM

⬅️

6:41 AM

nah, haven't seen one mate, poke (W)rathbunny

(edited)

Ah hahahaha pops on glasses

lol, i do it all the time (spec savers ad)

1

New to field here. Question, I fairly certain it's not possible but I wanted a second opinion. *Is it possible to trace the actual end point IP of the email sending computer in a corporate enviroment like O365\Outlook? *Some reference info, 2 users involved, one user whos account the offending email was sent from claims she shared her account credentials with another user and claims that user actually sent the offending email. HR wants to either disprove one of the original user didn't sent it, or prove the accused user did send it. All fun...lol

easy: hit the one that shared credentials

1

Thats was my first sentance to HR when they spoke to me , clearly stated in their employee contract

Original message was deleted or could not be loaded.

check bottom board (the one with charging port) and a different battery

@Moderators This chappy be a spambot

yep we just had like 50 accounts join all at once, thanks for the heads up

np

Everyone, just ignore and report/block/whatever you want to do. Don't fall for it, obviously

Of all the discord servers to do it on

2

Anyone who joined between 0846-0848 is getting banned

5:52 AM

if anyone had a buddy who joined in that timeframe, let me know, and I apologize ahead of time, I can unban later

5:54 AM

we have controls in place that prevent them from posting in the general channels, thankfully, but the way Discord works, all they need is a mutual server to be able to PM someone

5:59 AM

all banned, let's move on with life

I really thought I won some $btc

6

MrTurdTastic

@Moderators This chappy be a spambot

But free BTC

Matt

But free BTC

Would be better if this happened a decade ago

Tru dat

Hindsight is always 20/20

Andrew Rathbun

Would be better if this happened a decade ago

My mate misplaced a wallet with half a BTC in and couldn't find it

Matt

My mate misplaced a wallet with half a BTC in and couldn't find it

RIP

Ouchh

My brother sold about 100 btc when they were ~100$

4

Thanks all for reporting that earlier. Great to know there's others keeping a watchful eye on this community of ours

We have been hit by the Conti ransomware :/

malrker

We have been hit by the Conti ransomware :/

Very sorry to hear that. Do you have good backups? If you need assistance with what to look for, frankly, that's the best ransomware variant to be hit with given recent leaks. Check out #cyber-threat-intelligence if you have more questions on IOCs

Andrew Rathbun

Very sorry to hear that. Do you have good backups? If you need assistance with what to look for, frankly, that's the best ransomware variant to be hit with given recent leaks. Check out #cyber-threat-intelligence if you have more questions on IOCs

yeah our backups were luckily not hit, we have shut down the entire network and the backups to prevent them from infecting them. busy doing DFIR now

7:45 PM

Thanks will check it now

malrker

yeah our backups were luckily not hit, we have shut down the entire network and the backups to prevent them from infecting them. busy doing DFIR now

https://thedfirreport.com/2021/05/12/conti-ransomware/ https://us-cert.cisa.gov/ncas/alerts/aa21-265a https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Conti.csv

7:48 PM

https://www.fortinet.com/blog/threat-research/affiliates-cookbook-firsthand-peek-into-operations-and-tradecraft-of-conti

we've got a couple conti cases ongoing, havent had to deal with them in a little bit

8:00 PM

search for rclone and anydesk

@randomaccess is anydesk and rclone used as their dropper for conti?

rclone is for exfil

1

8:05 PM

anydesk is remote admin, so likely

their entire playbook leaked. Check into it @malrker

anydesk and spalshtop are commonly associated with conti affiliates

The Conti cases I've dealt with since the leak have been very, very similar to what intel the leaks provided

@malrker you dont happen to run onprem exchange do you?

@randomaccess yeah we do

ah. yeah. i'd look there first

Proxy* is likely infection vector, I would guess

yeah thats what ive seen a lot of lately

put it this way we are a perfect candidate

8:09 PM

except for backup

check iis logs and the exchange evtx for references to autodiscover/powershell/New-MailboxExportRequest

thats running new hardware n new os etc

you may find webshells that are hidden as .cer/.psts or just plain randomly named aspx files

@malrker https://github.com/microsoft/CSS-Exchange/tree/main/Security/src has some scripts you may want to run

CSS-Exchange/Security/src at main · microsoft/CSS-Exchange

Exchange Server support tools and scripts. Contribute to microsoft/CSS-Exchange development by creating an account on GitHub.

8:15 PM

https://github.com/microsoft/CSS-Exchange/tree/main/Security

CSS-Exchange/Security at main · microsoft/CSS-Exchange

Exchange Server support tools and scripts. Contribute to microsoft/CSS-Exchange development by creating an account on GitHub.

yeah found some last night

8:18 PM

@Andrew Rathbun theyre using new CVE's for attack vectors though

8:18 PM

new ndays and such

8:19 PM

Some thats only a week old or so

ah yeah thats not going to end well

@Random @Andrew Rathbun how can i kill the ports theyre using for their webshell?

Killl the webshells. Patch exchange?

12:10 AM

But once they're in and moving around the webshell isn't necessarily how they persist. So you have to try track all their activities

@randomaccess is carbon black the best tool for that?

12:34 AM

as theyre using aa fake cert

12:34 AM

keeps regenrating if you remove it

Itll help.

12:34 AM

What keeps regenerating?

a certificate

12:35 AM

they sign their own

12:35 AM

ehats good tools to use to track their movements?

12:35 AM

a SIEM?

We roll carbon black cloud which will let you block the certificate from executing and also let you search for processes making network connections. We also roll out a free tool called Velociraptor that lets you collect and query data at scale. A Siem would be useful too but that may depend on the complexity of your network as to how hard this is to stand up quickly

We pretty much switched the whole network off too

12:43 AM

to prevent the spread

Both CB and velo allow you to isolate hosts from the network so they can only communicate with their respective servers

@randomaccess yeah cool, we are using CB, and i also had a look at velo, we are using a siem atm too, is there any good open source tools to be able to scan any dormant malicious files that may be present on the backup server that hasnt been encrypted yet? before backing up

I don't think you can rely on a tool to find everything

2:02 AM

The main issue with a backup is knowing when the attackers got in and whether they had set persistence when the backups were taken. You'd need to do your analysis across the incident to figure out what they did and then what backups may give them access again should they be restored. May be worth getting some external assistance

Yeah we have two third party companies helping us do IR, but the one only asked for the actual file/payload/loader

2:03 AM

the other is using carbon black and siem

2:04 AM

but we are not sure if the company using carbon black will be doing manual DFIR

2:04 AM

or if theyre just automating it

Would anyone be familiar with acquiring discord chats from devices (ie laptop / iPhones) - would Cellebrite get the local stuff

12:12 AM

Or is the better process to go down the court order route?

Dorsidhion

Would anyone be familiar with acquiring discord chats from devices (ie laptop / iPhones) - would Cellebrite get the local stuff

Axiom claims to support Discord messages but I've never had cause to use it. On Windows at least, everything is stored in LevelDB files. Here is a research paper on it too https://www.researchgate.net/profile/Michal-Motylinski/publication/347044759_Digital_Forensic_Acquisition_and_Analysis_of_Discord_Applications/links/6073a738299bf1c911c5c7df/Digital-Forensic-Acquisition-and-Analysis-of-Discord-Applications.pdf

Dorsidhion

Would anyone be familiar with acquiring discord chats from devices (ie laptop / iPhones) - would Cellebrite get the local stuff

If Cellebrite doesn't get it, you can use ChromeCacheView (https://www.nirsoft.net/utils/chrome_cache_view.html) to extract some of the files from the Chromium cache. The messages are stored as JSON files in there. Further information such as username can be found in the Local LevelDB databases

Cache viewer for Google Chrome Web browser

ChromeCacheView is a small utility for Windows that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache.

4:32 AM

If you need a tool to view the database, I have one that I developed specifically to read the Discord LevelDB files that I can DM you a repo link to

Ross Donnelly

Axiom claims to support Discord messages but I've never had cause to use it. On Windows at least, everything is stored in LevelDB files. Here is a research paper on it too https://www.researchgate.net/profile/Michal-Motylinski/publication/347044759_Digital_Forensic_Acquisition_and_Analysis_of_Discord_Applications/links/6073a738299bf1c911c5c7df/Digital-Forensic-Acquisition-and-Analysis-of-Discord-Applications.pdf

My ArtEx tool will recover cached messages from iPhones; and I believe iLEAPP does the same.

1

Dorsidhion

Or is the better process to go down the court order route?

You’ll most likely need an Full File System unless you have something that can specifically target Discord. On iOS devices, Discord stores its cached files under in Applications in the "/Library/Caches/com.hammerandchisel.discord/fsCachedData/" directory which can include chat messages in JSON format. User configuration information is stored in "/Documents/mmkv/mmkv.default" and avatar images can be found in the "/Library/Caches/com.hackemist.SDImageCache/default/" directory. I’ve found that many of the high end tools have trouble parsing out Discord chats with the JSON format.

OggE

Hey, need some help identifying some exif tags on some jpgs. IFD0 - Artist IFD0 - XP Author XMP-dc - Creator XMP-rdf - about (There is a uuid here). I found a little more about the tags on exiftool.org but after that i couldnt find much.

Update on this: It looks very likley to be converted photoshop files, the tags and patterns look very alike.

2

Some question on sock puppets. 1. Do you have them pre made and set up ready for when you need them on all the Facebook, LinkedIn, Tik Tok etc? 2. Do you use them to gain friends and followers to seem more legit? 3. Do you have a VM made where you have them all logged on with that you use/ Is there any good articles about sock puppets and best use etc have tried looking but nit finding much? How do you use yours if you have?

https://medium.com/dark-roast-security/dark-side-116-sock-puppets-ed7a9bd5a556

Dark Side 116: Sock Puppets

What if I told you not all fake social media accounts are used maliciously?

8:36 AM

Found this actually and its really good.

Matt

If you need a tool to view the database, I have one that I developed specifically to read the Discord LevelDB files that I can DM you a repo link to

That’d be really appreciated!

Has anyone here tried making a custom logstash parser in SOF-ELK? I'm having some trouble getting elasticsearch to see the data

Anyone have experience doing a Discord server investigation? Looking to see what info I can get out of it. Looking to determine who posted certain messages. Do IP addresses get captured on the posts? I have never looked at a Discord server. Thanks

Have you got Discord court/warrant data? You can determine some information from client-side data but you'd need Discord's help to put IPs to usernames

No warrant and this may amount to a civil matter but as I thought, IP tracking info would be with Discord and not the server admin side.

sheepdog751

No warrant and this may amount to a civil matter but as I thought, IP tracking info would be with Discord and not the server admin side.

You're right, server admins don't have IP data within Discord. You'd have to go direct to Discord for that data.

Yeah discord servers are all hosted on Discord’s infrastructure

10:05 AM

No access to that stuff without discord’s compliance

sheepdog751

No warrant and this may amount to a civil matter but as I thought, IP tracking info would be with Discord and not the server admin side.

nice profile pic

rayeh

nice profile pic

Thanks. It's my wallpaper on my VM host PC. Stole it from the internet. It's floating around somewhere

similar story for how I found it

I'm shopping for a Faraday enclosure... Ramsey boasts the following Isolation: >90dB @ 918MHz >85dB @ 2.4GHz >80dB @ 5.8GHz And Mission Darkness ( @Ryan MOS Equipment ) Boasts the following:

blocks WiFi (2.4 & 5GHz), Bluetooth, cell signals including 5G networks, GPS, RFID, and radio signals with >70dB average attenuation. It has been lab tested and certified to shielding effectiveness standards IEEE 299-2006.

Without going back to school, does this mean Mission Darkness blocks more bands but not as well, and Ramsey blocks less bands better? (edited)

11:57 AM

They both really look like the same box just diffrent branding.

Make sure you get the XL https://mosequipment.com/collections/analysis-enclosures/products/mission-darkness-blockbox-lab-xl

Mission Darkness™ BlockBox Lab XL

PLEASE NOTE: This product does not qualify for free domestic shipping. Mission Darkness BlockBox Lab XL - RF Enclosure for Mobile Device Analysis SKU: MDFB-BBL-XL-RJ45 The Mission Darkness™ BlockBox Lab XL offers the ultimate radio frequency ...

DFIRDetective

You're right, server admins don't have IP data within Discord. You'd have to go direct to Discord for that data.

Can confirm

2

I have both boxes, the XL mission darkness is larger and roomier but the gloves feel very thin/flimsy

2:27 PM

I haven’t tested their blocking abilities, nor would I really know how to but it seems like both work for me.

1

When is microsft going to issue a security update for this LPE vulnerability CVE-2021-34484 ? I can see ransomware crews will start probably utilzing this, it affects windows 10, windows 2012, windows 11 and a bunch of other versions of windows, there is even a PoC existing online for this.

3:29 PM

0patch has already patched it

whee30

I haven’t tested their blocking abilities, nor would I really know how to but it seems like both work for me.

You can try https://mosequipment.com/pages/mission-darkness-faraday-bag-testing-app

Mission Darkness Faraday Bag Testing App

I've got that app, but other than the device "passing" I haven't gone farther. So far that has worked for me! I was told by the Mission Darkness folks that the velcro on most current faraday bags can be rough on the gloves. Some manufacturers are making magnet closure bags now for that reason, according to them.

Anyone from Cellebrite able to chat on DM?

1:38 AM

@Cellebrite

@whee30 we just take an iphone and an Android and place them into the box and attempt to locate and or call the phones to field "test" the box

whee30

I haven’t tested their blocking abilities, nor would I really know how to but it seems like both work for me.

I have one test I'd love for someone to run that had both boxes. Do you have Bluetooth headphones? I've found no faraday enclosure can stop the music from my phone to my BT headphones.

@GRIZZ I'll try that shortly. I ran that test when I bought faraday bags, about half of them failed bluetooth. I ended up with silicon forensics bags and they have worked well so far.

8:13 AM

the ramsey box next to me cut BT to my iPhone 13 immediately. My blockbox is in a different building so that will take a while.

8:15 AM

Took about 3 seconds to reconnect to BT on open and about 5 seconds for a pending icloud lock to hit it.

1

GRIZZ

I have one test I'd love for someone to run that had both boxes. Do you have Bluetooth headphones? I've found no faraday enclosure can stop the music from my phone to my BT headphones.

What kind of headphones do you have just curious.

NibblesNBits

What kind of headphones do you have just curious.

https://www.lg.com/us/headphones/lg-hbs-sl5-black-tone-style

LG TONE Style HBS-SL5 Bluetooth® Wireless Stereo Headset (HBS-SL5 ...

Shop LG HBS-SL5 Black on the official LG.com website for the most up to date information. Buy online for delivery or in-store pick-up.

Hello all. Is there any forensic value in investigating Orphaned files?

@Jogoyo depends on the case, but sure! Aside from the files themselves and the content therein potentially being consistent with your investigation, plenty of files carry internal metadata to give context. Just know what you can't prove with an orphaned file and it will guide your reliance on them.

12:38 PM

@GRIZZ FWIW I used airpod pro headphones for the BT test. Same thing I used previously with the faraday bags. Some bags you could listen to music and pass commands back and forth such as play/pause, next/previous song. Certainly something to be aware of given the current capability of phones to be tracked via BT even when "off"

1

whee30

@Jogoyo depends on the case, but sure! Aside from the files themselves and the content therein potentially being consistent with your investigation, plenty of files carry internal metadata to give context. Just know what you can't prove with an orphaned file and it will guide your reliance on them.

That is my worry.. even I find something of interest, I cant say anything with certainty. Did the suspect create that file? If not, did a software create it? Metadata is limited with orphaned files

Well - filesystem metadata certainly. But a word doc still contains the internal metadata, just like a photo will still contain EXIF data. It really depends on your case. For example, an orphaned selfie of your prohibited possessor holding a gun with a legible serial number and internal location data pointing at their house would still be a great "clue" to stumble across

1

12:42 PM

it's not ideal but I wouldn't discount orphaned files as a category

12:43 PM

orphaned web cached images from an unknown timeframe/browser/user? Maybe not so valuable.

Jogoyo

That is my worry.. even I find something of interest, I cant say anything with certainty. Did the suspect create that file? If not, did a software create it? Metadata is limited with orphaned files

Nah orphaned files are great. I had a case where someone had a large folder tree of bad files. They copied it to a truecrypt volume and deleted the top level folder. The shellbags showed the folder structure and the orphaned folder retained its structure and content. So could see what all the files were etc

is there any DFIR tools that are opensource for LastPass, I found one the other day but I can't seem to find it again

Anyone here familiar with htran? to prevent mimkatz creds retrival I had a 17k powershell alert never got around to them "Detection and Protection Establishing a base or normalised network profile, combined with ongoing capture and analysis of network traffic can assist network defenders detect unauthorised connections from tools such as HTran. A combination of network segmentation, denying corporate computers direct Internet connectivity and network/host firewalls will help the prevention or limit the effectiveness of HTran. In some of the samples analysed17, the rootkit component of HTran only hides connection details when the proxy mode is used. When client mode is used, defenders are able to view details about the TCP connections being made. HTran also includes a debugging condition that is useful for network defenders. In the event that a destination becomes unavailable, HTran generates an error message using the following format18: sprintf(buffer, “[SERVER]connection to %s:%d error\r\n”, host, port2); This error message is relayed to the connecting client in the clear. Defenders can monitor for this error message to potentially detect HTran instances active in their environments. " https://www.cyber.gov.au/sites/default/files/2021-06/Joint%20report%20on%20publicly%20available%20hacking%20tools%20-%2020200106.pdf If you ctrl f to htran Is there any way we can prevent them if they modify the htran code/variables to prevent them from attacking mitigate/prevent the attackers When we try deploy credential guard it crashe

Are there any forensic tools that allows for redacting info from seized data? If, for instance, there is information on a device that is protected by the attorney-client privilege, but there is also information relevant to an investigation on there, it would be nice to redact the attorney communication and build a portable case/report/whatever product that can be handed to an investigator. If I remember correctly you can hide files in x-ways, but I have not come across it in any other tools.

torskepostei

Are there any forensic tools that allows for redacting info from seized data? If, for instance, there is information on a device that is protected by the attorney-client privilege, but there is also information relevant to an investigation on there, it would be nice to redact the attorney communication and build a portable case/report/whatever product that can be handed to an investigator. If I remember correctly you can hide files in x-ways, but I have not come across it in any other tools.

EnCase from memory, you can could make an L01 (I think excluding items). Nuix you can exclude. X-Ways you can exclude and make a skeleton image. Not sure on other tools.

Rob

EnCase from memory, you can could make an L01 (I think excluding items). Nuix you can exclude. X-Ways you can exclude and make a skeleton image. Not sure on other tools.

Skeleton image sounds interesting, I'll look that up, thanks

1

torskepostei

Are there any forensic tools that allows for redacting info from seized data? If, for instance, there is information on a device that is protected by the attorney-client privilege, but there is also information relevant to an investigation on there, it would be nice to redact the attorney communication and build a portable case/report/whatever product that can be handed to an investigator. If I remember correctly you can hide files in x-ways, but I have not come across it in any other tools.

X-ways = Skeleton Image ~~Magnet = Exclude feature~~ FTK/AD Lab = Exclude feature NUIX = Exclude feature Relativity = fun stuff to do it, but I've never done it personally EnCase or FTK Imager = Make a L01/AD1 (edited)

RandyRanderson

X-ways = Skeleton Image ~~Magnet = Exclude feature~~ FTK/AD Lab = Exclude feature NUIX = Exclude feature Relativity = fun stuff to do it, but I've never done it personally EnCase or FTK Imager = Make a L01/AD1 (edited)

Hm, is there an exclude feature in Magnet Axiom? Could not locate anything like that earlier, but I may have missed it.

torskepostei

Hm, is there an exclude feature in Magnet Axiom? Could not locate anything like that earlier, but I may have missed it.

Looks like they removed it? I know from years past they had that option as we used it to remove text messages from laptops where an iOS backup was there. It looks like the "convoluted" wait would be to create a Bookmark for everything not under taint review...but ya...I don't like that. At that point you're doing the L01/AD1 anyway...

RandyRanderson

Looks like they removed it? I know from years past they had that option as we used it to remove text messages from laptops where an iOS backup was there. It looks like the "convoluted" wait would be to create a Bookmark for everything not under taint review...but ya...I don't like that. At that point you're doing the L01/AD1 anyway...

Thanks anyway for the great list, I know about a lot more options now

Don't know if @Mike MC from Magnet knows if the exclude feature is taken out of Axiom or perhaps renamed?

I could be completely jacking that up since I can't find the feature. But I could have SWORN they had it in there

1

General question for the group, has anyone used "LiquidFiles" to transfer case file information ? If so please DM me. THX

If the 'AirTag Found Moving With You' message pops up but you can't click on it in time, how do you get back to that notification? https://www.macrumors.com/how-to/airtag-found-moving-with-you/ (edited)

'AirTag Found Moving With You' - What it Means and What to Do

Apple's AirTags have a built-in safety feature that's designed to prevent them from being used to track you, so no one can plant an AirTag in...

https://www.zdnet.com/article/australias-hacking-bill-passes-the-senate-after-house-made-60-amendments/

Australia's 'hacking' Bill passes the Senate after House made 60 am...

Shadow Home Affairs Minister declared the Bill before the Senate was a better Bill because of amendments, and as such, Labor threw its support behind it. Greens, however, took issue with cops being able to take over a person's social media.

1:08 PM

What do you guys think of this new law thats been passed in Australia?

1:12 PM

Wouldn't the 'modify' part, basically break the chain of custody for forensic investigators?

malrker

Wouldn't the 'modify' part, basically break the chain of custody for forensic investigators?

maybe not if a golden copy of everything was made before take-over. besides, isn't this the way some illicit dark-web sites were taken and thus members tracked? (edited)

Digitalferret

maybe not if a golden copy of everything was made before take-over. besides, isn't this the way some illicit dark-web sites were taken and thus members tracked? (edited)

Ah right I see. This law was only passed recently, I think a month or two ago, so not sure if the law was in effect then when illicit dark-websites were seized

Iphone

@klw27 What about iphone?

Whats the best mode of action to retrieve event logs for suspect servers (ransomwared by Conti)? I don't really want to recconect and RDP in

8:35 PM

They are vm's so can get to the consoles without the network card

@malrker https://kb.vmware.com/s/article/900 to pull the vmdks?

9:37 PM

& vmem

malrker

Ah right I see. This law was only passed recently, I think a month or two ago, so not sure if the law was in effect then when illicit dark-websites were seized

that's what i meant, sites have been seized for quite some time now. no idea what effect this act will mean. maybe it extends the Govts rights to do as they will, when and where they want and short cuts some of the legislation. ie just extend their powers to draconian. bit Matrix-y but "What do all men with power want? More power"

1:21 AM

ofc this changes from jurisdiction to jurisdiction.

malrker

Ah right I see. This law was only passed recently, I think a month or two ago, so not sure if the law was in effect then when illicit dark-websites were seized

Think it's still waiting for Royal Assent

1:25 AM

Which surprised me given that it's Australia, though that was only a UK thing

Matt

Which surprised me given that it's Australia, though that was only a UK thing

isn't Royal Assent a given? QE2 has no political power, paper is handed to her by the Govt and she signs.

Yeah pretty much, I just was surprised (some) commonwealth countries still bother with the formality

some might say other world leaders are in a similar posn, regardless of their title

1:31 AM

how many Prez' have walked in expecting to change the country (and ofc reveal all about the UFO cover up: gotta have some tinfoil) to find they are as mired as all their predecessors

Digitalferret

ofc this changes from jurisdiction to jurisdiction.

This is a federal law

1:56 AM

In Australia

1:56 AM

So it gives the AFP and such power over here in Australia

Be interesting to see how it’s used in the future, the account takeover is of particular interest

Here in Australia if you don't give up your password to police, they can send you mandatory 6 months jail, and potentially prolong it until you give up your password to your device.

2:01 AM

Thats a law thats been around for a while.

2:01 AM

Though.

2:01 AM

Learnt that in Forensics Course at Uni.

Matt

Be interesting to see how it’s used in the future, the account takeover is of particular interest

Yeah I just hope it isnt abused by dodgey cops.

We’ve got one around protected data in specific cases (s49 notice, RIPA 2000)

I don't think it will be, but never know

2:03 AM

Correlium lol

malrker

Yeah I just hope it isnt abused by dodgey cops.

You’d hope there’s enough safeguards especially with warrant applications

Greybox lol

2:03 AM

Grayshift sorry*

Matt

You’d hope there’s enough safeguards especially with warrant applications

Here for Terrorism and Drug offences no warrant is required.

2:04 AM

To search your premises

2:04 AM

just reasonable suspicion

2:04 AM

Afaik

2:06 AM

We also have no privacy laws here.

Matt

We’ve got one around protected data in specific cases (s49 notice, RIPA 2000)

Have you ever gotten around bitlocker and such?

2:07 AM

Without the key ofc

2:07 AM

I remember there was a vulnerbility with it a while ago

2:08 AM

I think it was jonas_lyk who discovered it

malrker

Have you ever gotten around bitlocker and such?

Not personally

2:24 AM

I have seen a good blog post on BitLocker just using the TPM, and extracting the key from it

@Matt https://twitter.com/jonaslyk/status/1301245145568997376

Jonas L (@jonasLyk)

Lock screen/Bitlocker bypass/elevation of privilege in Bitlocker https://t.co/Q2t1lCRX92

Retweets

305

Likes

643

Thanks I’ll read it in a bit

1

malrker

Yeah I just hope it isnt abused by dodgey cops.

lol "hope it isnt abused" ... not only by dodgy cops. Govt want anything they just have to append terrorist or paedophile. sorry, having dealt directly with politicians i have a very jaded/cynical view. I'll stop now, before we pollute forum too much with the unholy trinity of S/P/R

Yep I agree, it's very likely it will be abused by the govt.

1

https://github.com/0x90n/InfoSec-Black-Friday Stay tuned as PRs come in over the next few days

GitHub - 0x90n/InfoSec-Black-Friday: All the deals for InfoSec rela...

All the deals for InfoSec related software/tools this Black Friday - GitHub - 0x90n/InfoSec-Black-Friday: All the deals for InfoSec related software/tools this Black Friday

2

Andrew Rathbun pinned a message to this channel. 11/19/2021 3:44 AM

Brainstorm!! I have an E01 of a bit locker encrypted drive. I acquired the bitlocker keys from the companies system administrator but none of the keys that he gave me match the bitlocker identifier of the image. Any ideas?

Does anyone have experience virtualising android extractions (both logical and physical) with Windows 11?

Not tried it yet. Usually just use Cellebrite for the individual applications

@AARC TASK FORCE are you trying to attach it directly to a windows box or through a forensic software ?

@DCSO I have had it in both Axiom and EnCase. Keys were sent to my (with the identifiers) but none of the identifiers match. I do believe that the keys that the system administrator gave me are what are true to the system.

Hello all, i joined specifically to ask this question. I seem to have deformities in my left pinky finger and right thumb prints, can anyone tell me what these are? They have been there for as long as i can remember (edited)

Orydian

Hello all, i joined specifically to ask this question. I seem to have deformities in my left pinky finger and right thumb prints, can anyone tell me what these are? They have been there for as long as i can remember (edited)

Are you making a joke about 'digit'al forensics?

1

11:26 AM

Cuz if you aren't, you're in the wrong place.

AmNe5iA

Are you making a joke about 'digit'al forensics?

No, i am genuinely curious about what the deformities on the tip of my fingers are

11:27 AM

I just figured people with expertise would know. Its entirety possible im asking the wrong group

It's possible someone here may know but I feel a 'wet' forensic discord may be more likely to know this sort of thing.

AmNe5iA

It's possible someone here may know but I feel a 'wet' forensic discord may be more likely to know this sort of thing.

What do you mean by wet?

blood, fingerprints, dna type forensics

AmNe5iA

blood, fingerprints, dna type forensics

Ah. Makes sense

Best I know of is https://en.wikipedia.org/wiki/Adermatoglyphia

11:32 AM

In your case, maybe you burnt those fingertips as a kid. (edited)

AmNe5iA

Best I know of is https://en.wikipedia.org/wiki/Adermatoglyphia

I mean i still have a distinct fingerprint, there is just a spot on my right thumb and left pinky that doesnt line up with the linear fingerprint and more resembles dots. Entirely possible it may be burns from childhood, i wouldnt be aware though. I thought fingerprints regenerate through burns? (edited)

11:33 AM

Yeah this is not a forensic science Discord server, this is like cell phones and computers digital forensics. @Orydian you're definitely not the first and won't be the last

Cool we got random fingerprints now

4

TFW folks just pop in to give us the finger

anyone use ftk imager or autopsy? (edited)

i want to open a ad1 file but its confusing

which part is confusing? @Brother O

randomaccess

which part is confusing? @Brother O

im making a new case and mounting the ad1 file as a logical file but nothing comes out

3:35 AM

in autopsy

i dont use autopsy regularly enough to assist on that front - but if you add it as an evidence item in ftk imager what do you see?

oh i got it to work now

3:41 AM

how do i make a report on ftk imager so it holds all the evidence in a folder

you cant do reporting in FTKi, but im also not entirely sure that's what you want to do?

randomaccess

you cant do reporting in FTKi, but im also not entirely sure that's what you want to do?

I want it to be evidence I gathered with notes on it

Ftk imager doesn't do any of that so you're probably best served with another tool

randomaccess

Ftk imager doesn't do any of that so you're probably best served with another tool

Does autopsy do that?

If I remember correctly from my courses, I believe autopsy does, but it’s been a little over a year since I used it.

Brother O

Does autopsy do that?

Yes. But it makes no sense without context so you can add the Autopsy report as an annexure to your report and make reference to it. (edited)

Deleted User

Yes. But it makes no sense without context so you can add the Autopsy report as an annexure to your report and make reference to it. (edited)

ok

Is there any good tools to parse and forensically analyze logs in .csv file format?

timeline explorer

1

@DeeFIR 🇦🇺

message.txt

2.7 KB

2:44 AM

Not sure why I am getting this error?

2:44 AM

WIth timeline explorer

2:45 AM

When I do have the plugin

2:46 AM

Any ideas?

@Andrew Rathbun

2:47 AM

Andrew should know @malrker

Thanks, any ideas why its not working @Andrew Rathbun ?

malrker

Thanks, any ideas why its not working @Andrew Rathbun ?

I'm awake now, sorry

3:25 AM

Did you use Windows to extract the Timeline Explorer files? If so, never do that again. Use anything else.

3:27 AM

Without those DLLs you're not going to be able to load things into TLE. Use 7Zip or WinRAR

@Andrew Rathbun I used 7zip

4:26 AM

@Andrew Rathbun Now I am getting a bunch of warnings saying bad data found

4:29 AM

@Andrew Rathbun What format should the xml file be?

malrker

@Andrew Rathbun What format should the xml file be?

XML? Why are you loading XML into TLE?

malrker

@Andrew Rathbun Now I am getting a bunch of warnings saying bad data found

I need a lot more context. What exactly are you trying to load into TLE? You mentioned CSV above but now we're talking about XML? XML and TLE do not mix. If Excel can display it then TLE can too, in most cases with some limitations

@Andrew Rathbun Oops I meant .csv

4:47 AM

Not xml

4:47 AM

I am loading a csv file

It probably has bad data because the first line isn't headers

4:48 AM

If that's the case, then just delete the first line and make the top line include the headers and only the headers

What should the headers be?

Anything comma separated

4:50 AM

https://github.com/EricZimmerman/TLEFilePlugins/blob/3fc77ba0eb26fa667375675dc459f38eb98bc9d8/TLEFileMisc/Misc.cs#L501 As an example

Looking to create some DFIR training videos for work, any suggestions on a free tool for video editing, mainly just looking to cut out mistakes and waiting for processing or combine two videos together?

pug4N6

Looking to create some DFIR training videos for work, any suggestions on a free tool for video editing, mainly just looking to cut out mistakes and waiting for processing or combine two videos together?

Kdenlive is a good tool for video editing. I use it for editing videos for the missus. Quick and easy (edited)

can anyone recommend a good reputable mac laptop forensics firm in Berlin, Germany

pug4N6

Looking to create some DFIR training videos for work, any suggestions on a free tool for video editing, mainly just looking to cut out mistakes and waiting for processing or combine two videos together?

I know you asked for free, but I use Camtasia to do all my videos (most of which are internal to my employer). Besides Camtasia, I've heard OBS Studio as a common free alternative to Camtasia which is what a lot of YouTube/Twitch people use for streaming, etc. Maybe worth looking into.

similarly, OBS only for capture though, and Camtasia for editing. look out for BlackFriday deals on the latter, inc Snagit, too.

SnagIt and Camtasia are chef's kiss

Hello guys, Do you know if there is a way to find out if the audio speaker was " on " or "off" on windows ?

CWolf

Hello guys, Do you know if there is a way to find out if the audio speaker was " on " or "off" on windows ?

https://www.nirsoft.net/utils/sound_volume_view.html Maybe try this?

@Andrew Rathbun Agree, if I recall correctly Camtasia is pretty pro LE and donates a lot of there software to ICAC investigations. That's how I came across a raffle license and love it.

Digitalferret

similarly, OBS only for capture though, and Camtasia for editing. look out for BlackFriday deals on the latter, inc Snagit, too.

Literally just got this email:

The Cyber Monday Sale You Need to See

We’re cranking up both the holly and jolly this Cyber Monday with our biggest sale of the year!
 
Expect eyebrow-raising savings from Monday, November 29 to Tuesday, November 30 on all things TechSmith, including Snagit, Camtasia, Assets for Snagit, Assets for Camtasia, Audiate, and Knowmia. Don’t miss it!

Andrew Rathbun

Literally just got this email:

The Cyber Monday Sale You Need to See

We’re cranking up both the holly and jolly this Cyber Monday with our biggest sale of the year!
 
Expect eyebrow-raising savings from Monday, November 29 to Tuesday, November 30 on all things TechSmith, including Snagit, Camtasia, Assets for Snagit, Assets for Camtasia, Audiate, and Knowmia. Don’t miss it!

yep, regular as cuckoo cuckoo

12:17 PM

same for some DataRecovery s/w, Affinity art proggies and more. being a tightwad i pretty much have them taped

<4Yorkshiremen>

@chaosmunkey @Andrew Rathbun and @Digitalferret Thanks! I’ve been using OBS, if I want anything else I’ll probably have to buy it myself, but I’ve heard good things about Camtasia, I’ll have to check it out

Does anyone know of any good, legit test images for practice?

OxOA

Does anyone know of any good, legit test images for practice?

https://aboutdfir.com/resources/tool-testing/

7:19 PM

Practicing what, in particular?

I want to try Autopsy on Linux (edited)

7:20 PM

I have used it on Windows, previously.

Ok that's fine. Are you looking to investigate a Windows system? Something else? What are you trying to accomplish?

7:20 PM

Test images is a very broad statement

I am just trying to keep my skills from getting rusty, atm... I was thinking about disk images...

7:21 PM

Really, the puzzle of figuring out how to deal with any particular one is what I am after.

What skills in particular? That's very broad too.

Puzzle solving, I guess, lol.

7:22 PM

I took the Autopsy certification on Windows when it was free. I want to make sure I don't forget what I learned.

IR? DF? Do you want an image that has a bunch of deleted stuff and you try to recover it? Do you want a malware case? There's so many potential skills to sharpen

I really wish I could practice on FTK again, but that will be a while

7:24 PM

Ah, I see what you mean... I did general forensics before, but only a little malware analysis... (edited)

If you learn the artifacts, not the tools, you won't have to worry about forgetting how to use a tool. You can just use a tool to make it work for you around your understanding of the artifacts, if that makes sense

2

that does.

Unless you're talking about X-Ways, then yeah that's not the easiest tool in the world to use haha

Actually, I think what you sent covers what I'm after for right now... I do plan to spend time in the Malware Analyst's Cookbook, at some point

1

OxOA

Actually, I think what you sent covers what I'm after for right now... I do plan to spend time in the Malware Analyst's Cookbook, at some point

Glad to hear, that's why it was curated the way it was!

OxOA

Does anyone know of any good, legit test images for practice?

Here is a good place to look: https://digitalcorpora.org/

simsong

Home

4

Deleted User

Here is a good place to look: https://digitalcorpora.org/

Seconded, other sources are cyberdefenders.org and blueteamlabs.online

Andrew Rathbun

If you learn the artifacts, not the tools, you won't have to worry about forgetting how to use a tool. You can just use a tool to make it work for you around your understanding of the artifacts, if that makes sense

I'm stealing that line to put on a motivational poster.

Andrew Rathbun

If you learn the artifacts, not the tools, you won't have to worry about forgetting how to use a tool. You can just use a tool to make it work for you around your understanding of the artifacts, if that makes sense

yep, pretty much this. ie the ingredients make the cake, not the food mixer

CCC

I'm stealing that line to put on a motivational poster.

I'm sure I got it from someone like @randomaccess he's always full of wisdom like that

There's going to be a thread full of dolphins with quotes soon.

1

Pacman

@Cellebrite Yesterday I tried to carry out Android Generic Exynos FBE extraction on a Samsung Galaxy S10, it started a full file system extraction and I left it. I found that it appears to have errored and it asked me to put the phone into download mode. Entered download mode, selected Continue - and it came up with an error message with an option to abort or retry. Retry doesn't do anything so I had to abort. Samsung S10 is now stuck in a boot loop CMD Parameter modified. Unable to enter recovery mode, but can enter download mode. I have tried Samsung Exynos Recovery and I keep getting "Communication Error (Cannot initialize connection)". What do I do>

I'm at this stage now on an S10! Can I ask what the fix was? @Cellebrite (edited)

For anyone who is interested - The guest request application for the January 10-14 SWGDE meeting (virtual) is now open until 12/10 at https://www.swgde.org/membership/guest-request

SWGDE - Guest Request

Guest Attendance Request

Is anyone experiencing any issues running Cellebrite Reader (current version) on Windows 10 machines?

luis511_

Is anyone experiencing any issues running Cellebrite Reader (current version) on Windows 10 machines?

v7.50? Not that I've noticed but it only came out on Monday.

Sorry. Version 7.49.13 of reader

Does anyone have a nice forensic glossary of terms written up that they like to use as an appendix for their mobile device reports? SWGDE's is a bit lacking on the mobile front and NIST's is rather old (2014). I'm working on updating what I have but it's a real pain going in and adding terms. I'd be glad to share mine (edited)

Beefhelmet

Does anyone have a nice forensic glossary of terms written up that they like to use as an appendix for their mobile device reports? SWGDE's is a bit lacking on the mobile front and NIST's is rather old (2014). I'm working on updating what I have but it's a real pain going in and adding terms. I'd be glad to share mine (edited)

Sounds like a really good thing to centralize on GitHub. Let me know if you're interested and we can host it so everyone can collaborate

8:14 AM

If you provide what you have I can add it and we can ensure alternate definitions exist for those who want multiple options

Andrew Rathbun

Sounds like a really good thing to centralize on GitHub. Let me know if you're interested and we can host it so everyone can collaborate

Absolutely. Would you like me to PM you?

8:48 AM

It's a hodge-podge from NIST, SWGDE, and some stuff that other examiners that I've met have put together, as well as stuff I've written (specifically to do with graykey and software I use)

I should add that it's largely mobile speciffic

Beefhelmet

Does anyone have a nice forensic glossary of terms written up that they like to use as an appendix for their mobile device reports? SWGDE's is a bit lacking on the mobile front and NIST's is rather old (2014). I'm working on updating what I have but it's a real pain going in and adding terms. I'd be glad to share mine (edited)

If you want to pass along any terms to add to the SWGDE glossary please feel free to send to secretary@swgde.org Please also feel free to join us in January to suggest them then. Guests requests are now open (see my post above). Would love to have the input!

Brandon E

If you want to pass along any terms to add to the SWGDE glossary please feel free to send to secretary@swgde.org Please also feel free to join us in January to suggest them then. Guests requests are now open (see my post above). Would love to have the input!

Sure thing, I'll send my version. Like I said it's mobile device specific, generally, I just use the SWGDE glossary from 2014 when doing computers. I do have information about specific proprietary information about a certain gray device that we don't talk much about. Just in terms of what extraction types it creates. I don't think it violates anything NDA-wise, just stuff that I think I would have to explain in court anyhow. (edited)

9:23 AM

So with that I'm leaning on your descretion with that info.

Beefhelmet

Absolutely. Would you like me to PM you?

Please do

Quick question, what kinda certs should I start looking out for "entry level" digital forensics, I'm mainly looking to go into law enforcement.

Halito

Quick question, what kinda certs should I start looking out for "entry level" digital forensics, I'm mainly looking to go into law enforcement.

#training-education-employment

Oh I'm blind, I looked up and down for one like that and didnt see it, thank you!

Anyone know how I can receover deleted firewall logs from checkpoint firewall server? It's running gaia which is a form of centos

this is pretty australian centric, but i imagine similar issues are found in all countries, and it's a bit more cyber-general than df, but i'm hoping i might find some useful perspectives here to assist a young woman who has recently asked for some advice:

Could you please explain as an international student how to start my journey in cybersecurity, I am struggling to secure a role with my 485 visas? I had many interviews and talked to many networks in the industry, I couldn't get a role due to budget constraints and not citizen or PR. Thanks.

Anyone know any good tools that I can use to demonstrate email spoofing to compare headers to legitimate email?

@ro after you trying to send spoofed emails? If so you can setup a local mail server and send email using smtp commands

1

The Microsoft email header analyzer is a good tool to review the email headers https://mha.azurewebsites.net/ (edited)

1

9:04 PM

mail-tester.com is a good email for testing if your emails will make it through spam filters https://mha.azurewebsites.net/ so you can use that for a test example

Does anyone have a tool that'll let me filter Event Viewer that contains a particular phrase within the EventData?

1:19 AM

Not analysing an E01, just trying to hunt down the crash logs for Axiom

You can use evtxecmd to parse your live logs and then use tle?

1:20 AM

Otherwise event log explorer should work

Anything better than Event Viewer will probably be good

Running evtxecmd as an admin will work

1

1:22 AM

But the crash logs for axiom are either in the case or in the root of your os drive usually

Axiom in my case isn't handling the crashes

1:24 AM

So there isn't any crash logs in the usual locations

1:24 AM

Speaking to their support peeps currently.

when I create VICS case from UFED sourceID for the files is missing in the JSON file. Someone know why? Is there a setting or something for that?

Chainsaw is pretty good for event logs

1

2:10 AM

you can specifiy strings

2:10 AM

and specify the log types

2:11 AM

it runs on both Windows and Linux

2:11 AM

13cubed did a recent video covering it

Rob

Does anyone have a tool that'll let me filter Event Viewer that contains a particular phrase within the EventData?

EvtxECmd all day. To automate it with KAPE, open up gkape, enable both Targets and Modules side, you know what, screw it, gonna GIF it up for you

Rob

Does anyone have a tool that'll let me filter Event Viewer that contains a particular phrase within the EventData?

Do this, let it parse, ingest into Timeline Explorer, and filter and search to your heart's content

1

Thanks!

Target Destination (where files pulled are stored) and Module Destination (where tool output is stored) cannot be the same, so that's why Execute was greyed out initially, i changed blah to blaha just to enable it

1

12:02 PM

you can technically just run Module side by itself, but personally, I like have a copy of the files I'm analyzing residing outside the image, triage package, whatever, etc so I can throw other tools at those specific artifacts, if necessary.

Hi All, do anybody have study material in connection with analysing IPDR, finding the clue of VoIP calls in IPDR, tracing IP address, types of data which we can ask from telecom service providers etc...

randomaccess

@ro after you trying to send spoofed emails? If so you can setup a local mail server and send email using smtp commands

I recommend NodemailerApp for this

You know how governments sometimes ask companies (mainly those that handle communications afaik) to add backdoors for them, how are these usually implemented? Are they just given a VPN and login credentials to connect to an internal administration service? Also I recently heard of port knocking, is that ever used for something like this?

Large vendors typically have lawful intercept functionality built in these days: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/lawful/intercept/book/65LIch1.html To first order, lawful intercept wouldn’t bother with using something as complex as port knocking

Lawful Intercept Configuration Guide - Lawful Intercept Overview [C...

Lawful Intercept Overview

mtu

Large vendors typically have lawful intercept functionality built in these days: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/lawful/intercept/book/65LIch1.html To first order, lawful intercept wouldn’t bother with using something as complex as port knocking

I see, thank you

Ghosted

Do we have any reps from Griffeye on the server?

Evening Ghosted, just double checking to see if the questions you had were answered. If there are questions about @Griffeye and I can help, let me know.

Quick question guys will Timeline Explorer eventually support MDE (Microsoft Defender Endpoint) output as a plugin? I'm trying to get some colour coding on key events to work with an MDE eported CSV file. I haven't found much info on the plugin development but was unsure if this was on the roadmap. I guess failing that its developing my own plugin (edited)

2:44 AM

The CSV file is extracted from the MDE Timeline from the portal

@3pil0gu3#112 you can build your own support so yes it will if you build it :)

4:46 AM

@Andrew Rathbun probably has written a guide

3pil0gu3#112

Quick question guys will Timeline Explorer eventually support MDE (Microsoft Defender Endpoint) output as a plugin? I'm trying to get some colour coding on key events to work with an MDE eported CSV file. I haven't found much info on the plugin development but was unsure if this was on the roadmap. I guess failing that its developing my own plugin (edited)

If you're looking for color coding then that's related to the .layout file. Right click on a column header, conditional formatting, then make all your changes and save that layout.local file.

1

4:48 AM

I'm working on making a repo with stuff like that for Eric's tool output

4:48 AM

Simple things like highlighting scvhost.exe etc

4:50 AM

No coding is required. Plugins only help mostly for adding line and tag columns along with making columns with timestamps treat each timestamp not as a strong but date and time so the filtering can be identical to Eric's tool output

1

Thanks @Andrew Rathbun will have a look at this cheers (edited)

1

Hi questions for all, I have going thru a users PC and see a txt file in users\public directory, I viewed the file it mentions a website and when I search this website on VT it shows clean and search on alienvault it shows as a crypto mining pool. There is a passwords in the txt file aswell. I didnt provide the website, cause I dont know if that is allowed. Are they things main things I should check on this PC to see if anything suspicious is going on? EDR didnt pick anything on the PC. Thanks

7:43 PM

Should mention this website doesnt ping and when searched on abuseipdb shows low hits running on an ec2

are any suspicious processes running, suspicious network connections and so forth. Also maybe doing a quick AV scan to identify if anything suspicious/malicious is present as a fast triage

7:47 PM

Then from an EDR perspective generating a package/timeline to investigate how the file got there

7:47 PM

and also reviewing from a network perspective whether you have had any rules that have fired or suspicious activity from the endpoint

7:48 PM

on your IDS solution

Yeh scanned with AV no threats. Was going to ask EDR admins to send me report on the PC. We use zscaler for our proxies and if a user goes to this spexific websire it gets flagged as a cobalt strike flag. The PC didnt get get flagged by zscaler as it never went to that site

8:31 PM

Need to figure out how this file got there

See if there's a zone identifier attached to the file in the MFT. That might give you a hint (edited)

8:32 PM

Also you should install Sysmon on all your systems moving forward for better logging. I don't have advice on a specific config file but that'll help log any badness much better

8:33 PM

Default Sysmon is better than no Sysmon

Cobalt Strike is interesting if that is present would be looking in event logs for 4688 process creation security Event Logs, possibly logging for SMB named pipe creation and also if rundll32 was used as a side loading technique. However you will need to do some timeline analysis. @Andrew Rathbun is correct with sysmon logs (edited)

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing

Command line process auditing

Learn more about: Command line process auditing

8:36 PM

Turn this on

8:37 PM

Also check out the ConsoleHost_History.txt file for every user and see if you can see PS commands ran by someone who shouldn't be there (edited)

Hmm kk cool will do. I appreciate the help @Andrew Rathbun @3pil0gu3#112

C:\Users\%user%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt (edited)

1

I would think our SOC would be able to give me more info on the event logging. We do have a SIEM and SOAR

Check for shady 7045 events. 400/600/800 PowerShell events

Kk will do. Will report back on the outcome.

If attributed to Cobalt Strike DFIR report have an awesome writeup https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/

Cobalt Strike, a Defender's Guide

As you have noticed from our reporting so far, Cobalt Strike is used as a post-exploitation tool with various malware droppers responsible for the initial infection stage. Some of the most common droppers we see are IcedID (a.k.a. BokBot), ZLoader, Qbot (a.k.a. QakBot), Ursnif, Hancitor, Bazar and TrickBot.

2

Hi, is there any information about android "data_usage.db" tables and columns?

So I find out an answer on the above issue with that txt file and cobalt strike alert. Its part of an 3rd parry pentest activity. They will need to figure out why this 3rd party is dropping these files on users PC.

2

Is anyone good with troubleshooting why my wireless network adapter wouldn't be able to connect in my Kali Linux vm in virtualbox?

what type of wireless network adapter

@Cellebrite Hi, when will I be able to watch yesterdays webinar on demand ?

Hello guys, Do you have a trick to connect (at first time) a usb key into the computer, first in VM (virtual box) but never in windows ? I ask for that because i wonder what is the benefit it would comes if the usb connect at first on windows then and VM ( for avoid trojan, virus from a connected usb to the computer) thanks for the answers

sooooo cool

1

@AccessData/Exterro Hello, we have a problem with accessing FTK license manager. When we have our dongle inserted and we open it, it says that there are multiple security devices found. Codemeter shows a GetData Trial CMstick but we have no idea how to remove it since 'Remove license is greyed' Thank you very much

1. Stop the Codemeter Service from Codemeter Control Center. 2. Go to programs files/Codemeter /CmAct. 3. Cut and paste those files somewhere else. 4. Then run the License Manager. Once task is done, paste those files at the same location.

callzor

@Cellebrite Hi, when will I be able to watch yesterdays webinar on demand ?

Give it a week or so. It will be on the website. If you registered You will get a link to it.

CLB-Paul

Give it a week or so. It will be on the website. If you registered You will get a link to it.

Thanks for the information.

DeepDiveForensics

1. Stop the Codemeter Service from Codemeter Control Center. 2. Go to programs files/Codemeter /CmAct. 3. Cut and paste those files somewhere else. 4. Then run the License Manager. Once task is done, paste those files at the same location.

thank you very much this helped

@Magnet Forensics Anyone available to help with a CLS issue? Just updated to the latest version on a box and Process won't recognize the license even though the license manager says otherwise.

Tyler_Leno

@Magnet Forensics Anyone available to help with a CLS issue? Just updated to the latest version on a box and Process won't recognize the license even though the license manager says otherwise.

Sorry I am at the hospital today but for this Operations needs to get involved so i recommend involving support@magnetforensics.com It will open a ticket and get quick attention and your email will get automatic responses on the progress of the ticket up until the point they are able to call you.

Jamey

Sorry I am at the hospital today but for this Operations needs to get involved so i recommend involving support@magnetforensics.com It will open a ticket and get quick attention and your email will get automatic responses on the progress of the ticket up until the point they are able to call you.

Thanks - I'll reach out to them.

Hi Someone from @Magnet Forensics please ? Or someone who knows... I have a google token available to get data with UFED Cloud but when I try with Axiom it says the token is incorrent

11:47 PM

Anyone already had it ?

Hi guys, i got a question im using a wiebetech ultradock v5.5. But I'm able to create and delete files on the mounted folder. It seems like the write block isn't working but if power it down and back up its all gone. And when making a image there are no traces of the activity. Is it some caching funtion on the writeblocker or some windows thing?

https://www.cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/ For those that missed the webinar. Cheatsheet also included in the link.

Heather Mahalik - Senior Director of Digital Intelligence at Cellebrite

Episode 15: iBeg to DFIR – Location Data on iOS and Android Devices...

In this episode, we are joined by special guests Jared Barnhart & Ian Whiffin to discuss location information as recorded by iOS and Android devices. Location data has been integral to many investigations but there are so many different types of location artifacts that are recorded by a device making it can be challenging to … Continue reading "...

Hello folks! Question. Is is possible to recover Calendar event\meetings and deleted emails from O365 online? No physical access to device

CLB-Paul

https://www.cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/ For those that missed the webinar. Cheatsheet also included in the link.

This webinar is awesome. It is pure gold! The research performed by @CLB_iwhiffin @heatherDFIR and the rest of the Cellebrite team is outstanding. Congratulations to you all! And thank you for sharing this. It is so useful and enlightening. Salute

1

theAtropos4n6

This webinar is awesome. It is pure gold! The research performed by @CLB_iwhiffin @heatherDFIR and the rest of the Cellebrite team is outstanding. Congratulations to you all! And thank you for sharing this. It is so useful and enlightening. Salute

Glad you enjoyed it.

Hello everyone, Any issue with eDiscovery module from compliance.microsoft.com since they had the "new case" function ?

hello! excited to participate in this community.

2

Hey everyone! Has anyone worked with instagram/facebook vanish mode? Has anyone had any success with recovering the vanished messages from either an android or iOS device?

I have a dumb question - I believe I am overthinking but I need someone to set me straight! I have a huge extraction 100+gb. I need to carve it, etc but its taking over 24hrs. The warrant is only for 90 days. Is there a way to save just 90 days I want, load it into PA and carve it, etc?

Forgedmom

I have a dumb question - I believe I am overthinking but I need someone to set me straight! I have a huge extraction 100+gb. I need to carve it, etc but its taking over 24hrs. The warrant is only for 90 days. Is there a way to save just 90 days I want, load it into PA and carve it, etc?

@Cellebrite Help?

Forgedmom

@Cellebrite Help?

So kind of but your will only be caring within the files. What are you trying to carve for specifically ?

Forgedmom

I have a dumb question - I believe I am overthinking but I need someone to set me straight! I have a huge extraction 100+gb. I need to carve it, etc but its taking over 24hrs. The warrant is only for 90 days. Is there a way to save just 90 days I want, load it into PA and carve it, etc?

You already have the extraction from the phone in question? Isn't that considered the search at the time of extraction? Then the dump of the phone can sit in evidence for months and still be analyzed whenever. Did things change in the last 2.75 years or do you work in California or somewhere like that?

6:36 PM

It's coming back to me now that I'm thinking about it but I'm pretty sure the west coast had some ridiculous ruling that put time limits on analysis of devices. I forget the justification but I always thought it was whack. Maybe that is trickling east now?

CLB-Paul

So kind of but your will only be caring within the files. What are you trying to carve for specifically ?

I’m just trying to see if there’s a way to cut time. I’m on 36 hours of location carving and it’s not done. Plus the detective can’t look at the whole extraction, just what they have the warrant for - which is 90 days. So to wait for days for it to process on PA to carve and parse the entire phone is frustrating.

Andrew Rathbun

You already have the extraction from the phone in question? Isn't that considered the search at the time of extraction? Then the dump of the phone can sit in evidence for months and still be analyzed whenever. Did things change in the last 2.75 years or do you work in California or somewhere like that?

We extract the whole phone, but they can only look at the timeframe in their warrant. So I filter those dates for them in PA. This case I’m working currently has 9 phones. It’s taking me forever.

Forgedmom

We extract the whole phone, but they can only look at the timeframe in their warrant. So I filter those dates for them in PA. This case I’m working currently has 9 phones. It’s taking me forever.

Oh so the 90 days is the timeframe authorized in the search warrant, not an expiration date for when you have to stop looking at said devices. I think I'm tracking now

Andrew Rathbun

Oh so the 90 days is the timeframe authorized in the search warrant, not an expiration date for when you have to stop looking at said devices. I think I'm tracking now

Yes. We had a law like that but it’s been revised - thankfully.

Forgedmom

Yes. We had a law like that but it’s been revised - thankfully.

I'm very glad to hear that lol. Ok well I'll step back since I can't help you on this but best of luck. Any thoughts on just doing one phone at a time? Instead of 9 at once?

Andrew Rathbun

I'm very glad to hear that lol. Ok well I'll step back since I can't help you on this but best of luck. Any thoughts on just doing one phone at a time? Instead of 9 at once?

I am doing them one at a time. But it’s a high profile case so they are wanting everything yesterday.

‍♀️

Forgedmom

I am doing them one at a time. But it’s a high profile case so they are wanting everything yesterday.

‍♀️

Fully understand and appreciate that. Always a battle those in LE have with the less technical minded in our ranks. Tell them if they want it quicker that you need better equipment or more personnel lol

Andrew Rathbun

Fully understand and appreciate that. Always a battle those in LE have with the less technical minded in our ranks. Tell them if they want it quicker that you need better equipment or more personnel lol

Literally what I’m doing. Hahahaha. They are pricing out better computers.

Forgedmom

Literally what I’m doing. Hahahaha. They are pricing out better computers.

Strike while the iron is hot! Good luck

1

Forgedmom

I’m just trying to see if there’s a way to cut time. I’m on 36 hours of location carving and it’s not done. Plus the detective can’t look at the whole extraction, just what they have the warrant for - which is 90 days. So to wait for days for it to process on PA to carve and parse the entire phone is frustrating.

@Forgedmom We have a test version of PA 7.51 with a fix for the location carving issue, could send you a link for it, please DM your email if you are interested

Hey all

7:32 AM

I have a hunch Zoho's codebase or, at least Tomcat has been compromised

7:32 AM

First AD manager, now Service Desk+, both exploited via a failure in apache tomcat

7:33 AM

Can anyone tell me if I'm crazy or not

@Ben Smash maybe try #cyber-threat-intelligence #incident-response ?

will do thanks

how to get started in dfir

Tiedye9531 my new account dm

how to get started in dfir

depends what "turns your cogs". do you like finding things, for instance?

Digitalferret

depends what "turns your cogs". do you like finding things, for instance?

yes

there you go, you have started already

8:37 AM

maybe start refining that interest and pursuing it

Tiedye9531 my new account dm

how to get started in dfir

take a look at https://startme.stark4n6.com, plenty of resources to get you started, play with tools and whatever else you'd like! (edited)

Take a chance to win Belkasoft X full-featured license! Traditional Belkasoft end-of-the-year customer survey has started. Share your user experience of Belkasoft products. Your opinion about interaction with Belkasoft educational materials and events is important as well. Take a part in the survey and get a chance to win a full-featured Belkasoft X license. Filling out the survey will take about 15 minutes. Do it now: https://bit.ly/3dm2QM3

2:12 AM

Anyone know how fast a TX1 can duplicate a drive? wondering how many min per gb.

9:32 AM

Spinning drive to spinning drive

Afternoon, I have been informed that our unit that monitors RSOs are having to change the software they utilise to monitor their phones and computers. They currently install and monitor via eSafe but was wondering what other forces are utilsing. Apparently eSafe are really pushing their prices up next year and therefore an alternative needs to be found. Thanks

Ghosted

Anyone know how fast a TX1 can duplicate a drive? wondering how many min per gb.

I typically get 75-90 MB/s for acquisition and slightly higher during verification.

@Tyler_Leno thanks

anyone used / using Nuix discover?

Anyone using JMP Software for data analytics?

https://www.datacenterdynamics.com/en/news/aws-us-east-1-outage-brings-down-services-around-the-world/

AWS us-east-1 outage brings down services around the world

Cloud outage just in time for the holidays

It's always us-east-1

Anybody have a thoughts on playing video surveillance from cheap wireless pan/tilt cameras ? My partners of course went out removed the SD cards from them and didn't document the device. The file format is a 21345.data files on a fat32 formatted MicroSD's. I"ve tried Axiom and its not decoding it. #dvr-multimedia-surveillance

DCSO

Anybody have a thoughts on playing video surveillance from cheap wireless pan/tilt cameras ? My partners of course went out removed the SD cards from them and didn't document the device. The file format is a 21345.data files on a fat32 formatted MicroSD's. I"ve tried Axiom and its not decoding it. #dvr-multimedia-surveillance

I'd definitely expect a better answer in #dvr-multimedia-surveillance so I'd cross post there for sure. Is there a specific header / magic in your data files? Sometimes that can be more telling than the filenames/extensions in the world of CCTV cameras.

1:14 PM

but DVR Examiner would have a better chance at decoding than AXIOM

and they can do trial licenses upon request I believe.

@forensicmike @Magnet appears open source player MPC-HC.org is able to play it but not stop/fastforward etc. hope this helps someone else #dvr-multimedia-surveillance

1

DVR examiner is designed to work with proprietary DVR filesystems (which it does a great job with) but it won’t work with individual files on a SD card. I am sure other software vendors will chime in to lend a hand but in the meantime you can try FFmpeg (open source) to get playback or convert. https://drive.google.com/open?id=1OH9tNLeZ3_aqXlVJsUNB6nr3SR1ULR74 (edited)

2018-11-20 SWGDE Technical Notes on FFmpeg_v2.pdf

1

Agree with @Brandon E that ffmpeg might work, and there is a document from SWGDE about h.264 that might help if the file was encoded as h.264. You are welcome to send it over to us at @Amped Software as well (www.ampedsoftware.com/upload)

What is the best resource to install a client and monitor an android device completely including things like Snapchat, when you have very brief access to the device? The device owner has to remain unaware this is occurring. This to be done with full legal authority to do under the scope of a Title III search warrant. Is a pre-built "spy app" like Spyine better or is there more success with one built in Linux and then install the apk? I'm proficient in Kali Linux and it's components. Just never been faced with this potential challenge. Thoughts? Suggestions?

Glad I switched to iPhone recently

Ransomware data recovery possible any tools have

ryd3v

Glad I switched to iPhone recently

Pegasus has entered the chat

2

Pacman

A Snapchat video extracted from a Samsung Galaxy A51 was found to be relevant to investigation, and will be relied on in court. The question was is it possible to say the snapchat video was recording using Samsung Galaxy A51? (As opposed to having received the video from someone else)

@Pacman did you ever find an answer to this? I'm guessing the answer is no, as snapchat videos do not contain metadata with the device name.

Pacman

Filepath is: /data/media/0/Snapchat/Snapchat-1861604616.mp4

^ file path in question

Mr Saturn

@Pacman did you ever find an answer to this? I'm guessing the answer is no, as snapchat videos do not contain metadata with the device name.

We have had success in answering this question based on a different analysis approach using a video file’s structure. Basically able to say this video has been recorded on a make/model device and never transmitted anywhere or this video was recorded on a make/model device and transmitted using xyz app. You can shoot me a DM or check out www.medexforensics.com for more details.

@Brandon E I like the idea of FFmppeg i've only used it to pull still images out of a video feed, did nt think about using it as a player

Morning all, does anybody have any experience using the NIST cal-drive.csh script in the CFTT linux distro to create reference data on M2 chips? I've been trying for a couple of weeks now and despite running through USB3 connected adaptors it seems to run glacially slowly, and I haven't yet seen the script finish.

Hi, am sure this has been asked before but would some1 know a good resource that grabs news from threat actors from the “dark web” such as claiming to infect, alrdy infected or any news in general? TIA

Ghosted

Anyone know how fast a TX1 can duplicate a drive? wondering how many min per gb.

Hey don't know if anyone answered We just did 2 -1 TB Spinner to Spinner in just under 2 hrs

This Log4J issue is becoming an issue..

B74

This Log4J issue is becoming an issue..

Yeah seems like a big deal...oof

It’s a big deal

Hopefully lots of applications get patched in the near to immediate future

eh, it only scored a 10 on cvss

4

@Andrew Rathbun even if they do .... Well ...I have a call about unpatched exchange next week

1

I'm more talking about Steam and other everyday applications. Exchange servers are hopeless at this point

People not patching is going to keep me in a job for a long while

7

@DCSO amped5 has this implemented for me a while back. @Amped Software (not sure if all the .data structures are the same though) (edited)

https://bgr.com/tech/internet-is-scrambling-to-fix-log4shell-the-worst-hack-in-history/

Chris Smith

Internet is scrambling to fix Log4Shell, the worst hack in history

The Log4Shell hack is a brand new 0-day attack that’s considered the worst computer vulnerability the internet has ever seen.

Anyone have any info on detecting air tags in stalking cases?

In order to keep all information regarding log4j together and easily searchable, please use #log4j thread in the #incident-response channels (edited)

Ghosted

Anyone have any info on detecting air tags in stalking cases?

Its my understanding that iPhones not connected to the iCloud account of air tags will notify the user of the iPhone that an unknown air tag is following them. As far as physically locating the air tag, would an electronic detection K9 find them?

Morning all. When looking at deleted files in Autopsy, what is the difference between ‘File System’ and ‘All’? I can’t seem to find the answer anywhere.

For sharepoint: does the owner of a an item (e. g. video) see in any ways who viewed the item? I know the log files might show activities but asking from a frontend / notification perspective

florus

@DCSO amped5 has this implemented for me a while back. @Amped Software (not sure if all the .data structures are the same though) (edited)

Of course, there are always different variants, we support a few but some are more popular than others!

FullTang

Its my understanding that iPhones not connected to the iCloud account of air tags will notify the user of the iPhone that an unknown air tag is following them. As far as physically locating the air tag, would an electronic detection K9 find them?

That's what I through I'd read too

FullTang

Its my understanding that iPhones not connected to the iCloud account of air tags will notify the user of the iPhone that an unknown air tag is following them. As far as physically locating the air tag, would an electronic detection K9 find them?

And Wigle on an Android phone?

martino_amped

Of course, there are always different variants, we support a few but some are more popular than others!

Thanks for the insight!

1

Deleted User

And Wigle on an Android phone?

Could work. Does Wigle show a signal strength for nearby BT devices? I have used a BT scanner on Android and it showed signal strength but I don't remember the name right now.

FullTang

Could work. Does Wigle show a signal strength for nearby BT devices? I have used a BT scanner on Android and it showed signal strength but I don't remember the name right now.

Even though I use it almost every day, I honestly cannot remember. I was behind a delivery van the other day and it picked up a smart tag in the back which I thought was interesting. I think it was just a generic tag.

1

BLE finder is one that i have used on iPhones for an app, @Deleted User@FullTang

1

Has anyone got a contact in the UK to buy Infinity box credits? Fonefunshop is no longer supporting them.

2:24 AM

Or does anyone use the Pandora box and wouldnt mind DM me their thoughts on it?

Zhaan

Has anyone got a contact in the UK to buy Infinity box credits? Fonefunshop is no longer supporting them.

gsmserver sells them

1

Ghosted

Anyone have any info on detecting air tags in stalking cases?

Apple have just published "Tracker Detect" for Android devices

https://play.google.com/store/apps/details?id=com.apple.trackerdetect

1

hi there im a new to digital forensics and i want to ask what digital forensics certs is good for someone like me and what sites are offering them. thanks!

Hector!221B

hi there im a new to digital forensics and i want to ask what digital forensics certs is good for someone like me and what sites are offering them. thanks!

#training-education-employment

OllieD

Apple have just published "Tracker Detect" for Android devices

I would say Airguard, but that has to be near a tag that is away from its respective paired iphone for 15 minutes or more. Now I'll have to look at tracker detect, probably works the same.

CCC

I would say Airguard, but that has to be near a tag that is away from its respective paired iphone for 15 minutes or more. Now I'll have to look at tracker detect, probably works the same.

Most likely. Think it needs manually running, it doesn't automatically scan, unlike the equivalent functionality on iOS

Airguard can be set to always run in the background, depends how bothered you are I suppose.

7:42 AM

But trying it at my desk was useless owing to the 15 minutes way from phone caveat

7:43 AM

I wonder if anyone actually uses them for tracking? I just seem to see gps on cars.

7:44 AM

I don't seem to have trackerdetect on play store.

Anyone know off the top of there head where the default file path voicemails are stored. (android device.)

Out of curiosity, how does everyone go about explaining to their client when a device needs to be sent into CAS for extraction?

Always interested in meeting new people! Would love to connect with anyone on LinkedIn :) https://www.linkedin.com/in/garrett-hassian/

ghass

Always interested in meeting new people! Would love to connect with anyone on LinkedIn :) https://www.linkedin.com/in/garrett-hassian/

here I am!

Hey, does anyone have decryptor for globeimposter ransomware? I've already tried emsisoft decryptor and it didn't work

Does anyone know of any other online free digital magazines for DFIR similar to whats below for EVD Collection? TIA. https://read.nxtbook.com/wordsmith/evidence_technology/

cmuk

Morning all. When looking at deleted files in Autopsy, what is the difference between ‘File System’ and ‘All’? I can’t seem to find the answer anywhere.

Hi. The difference is that All will also contain carved files.

B74

This Log4J issue is becoming an issue..

Our IT department just started on a change freeze for the holidays which means they could spend time to do a bunch of upgrades for our forensic lab infrastructure. Now they're all busy with the Log4j.... my christmas is ruined lol

b8vr

Hi. The difference is that All will also contain carved files.

Thanks B8vr

Our department IT must have changed something in response to Log4j, now my Cellebrite readers don't work on any IT managed device. Same readers work fine on unmanaged devices

Oh crap

11:16 AM

Are you still able to do your job then or is this just borked?

I'm just including HTML/PDF with the readers for the managed devices. I've assigned an unmanaged device to them for the readers so they can tag and make new reports etc.

12:48 PM

they just can't put the unmanaged device on the network so it's airgapped

any tips on how to image a vhdx, Windows won't mount it and its not visible in the explorer. Arsenal also mounts it buts not visible to the end user

Any Idea of the best tool for reconstituting Disk images that form part of an LVM

8198-IZ54

Any Idea of the best tool for reconstituting Disk images that form part of an LVM

I've used libvslvm (libyal project) in the past. The vslvmmount tool from libvslvm will fuse mount the LVM to a given mount point.

sorry for the semi-long story incoming: One of my local (non-tech) detectives just received an iCloud production. the file was unusually small (~1.5 MB). I open it up, find a couple of html files. they have multiple downloads corresponding with bookmarks, contacts, pictures (multiple downloads), etc. each one of these downloads also need to be decrypted. I am working on downloading all of the files and decrypting them. its only a about 9 GB worth. but I imagine this would be a painful task with larger productions. my questions are: 1. did apple move to this for all of their productions? 2. say I had a 100 GB production, is there a way to automate this (besides writing my own script)? 3. does Cellebrite still support production decoding with having so many files and no central hierarchy? (x-posted on #cloud-forensics )

@Fierry What do you mean image a vhdx? It's already a container, why cant you just hash it, duplicate it and then hash verify?

7:04 AM

If arsenal mounts the vhdx and you aren't "seeing" a drive, it may be formatted in a manner that Windows doesn't support for the GUI. open up disk manager to see if you have a new disk available. Open up FTK imager when the vhdx is mounted to check for the new "disk" that way as well.

7:08 AM

For example: I have an .aff4 acquisition created by Cellebrite Collector. I can mount that acquisition through AIM and nothing pops up to me or is visible in explorer. FTK Imager shows it as a Arsenal Virtual SCSI Disk and I can browse the structure that way. Does that answer your question?

whee30

@Fierry What do you mean image a vhdx? It's already a container, why cant you just hash it, duplicate it and then hash verify?

It turned out that arsenal attempted to mount it and shows it as mounted, however other checks confirmed that the vhdx supplied by the client were incomplete :/

8:02 AM

Thanks for the assist

https://www.bloomberg.com/news/articles/2021-12-13/spyware-firm-nso-mulls-shutdown-of-pegasus-unit-sale-of-company?srnd=technology-vp

The 2022 DFRWS USA CFP is now open. This is a great venue to publish a peer-reviewed paper in an academic setting that understand the value of memory forensics and malware analysis. Please see the full details here: https://dfrws.org/dfrws-usa-2022-call-for-papers-is-open/

John Newsom

DFRWS USA 2022 Call for Papers is Open - DFRWS

The DFRWS USA 2021 Call for Papers is open through March 7, 2021. Prepare and submit your digital forensics research papers now!

The Magnet Summit 2022 CFP is now open. Submit your presentation here: https://magnetmarketing.wufoo.com/forms/magnet-user-summit-2022. We're excited to be presenting the Magnet Summit 2022 as both an in-person event and virtual event in April 2022. The in-person event is taking place in Nashville, TN from April 11-13, 2022. 30-minute lectures will be available for both event formats, along with workshops and hands-on labs happening only at the in-person event. Interested in filling one of our available 30-minute speaking slots? Any qualified industry professional is welcome to submit a proposal and all ideas are welcome — including DFIR talks that don’t include our products. Our goal for this event is to be relevant to the industry, with general interest talks that help investigators from all walks. Among other things, this speaking opportunity is a great way to educate and share with others about the important work you do. The deadline to submit your proposal is January 3rd, 2022. Reach out to us at magnetusersummit@magnetforensics.com if you have any questions.

Good afternoon. I currently am classified as a DFIR student, but I have since graduated and am now employed in LE in the US. How would I go about getting myself properly classified? Also, I am being tasked with rebuilding the digital lab essentially from scratch. Would anyone have suggestions for types of hardware and software I should look at? Thank you!

One of the mods should hopefully see this and get in touch to update your role

1

Nilandia

Good afternoon. I currently am classified as a DFIR student, but I have since graduated and am now employed in LE in the US. How would I go about getting myself properly classified? Also, I am being tasked with rebuilding the digital lab essentially from scratch. Would anyone have suggestions for types of hardware and software I should look at? Thank you!

I got you. Congrats on graduating and the new gig! Make us proud

Nilandia

Good afternoon. I currently am classified as a DFIR student, but I have since graduated and am now employed in LE in the US. How would I go about getting myself properly classified? Also, I am being tasked with rebuilding the digital lab essentially from scratch. Would anyone have suggestions for types of hardware and software I should look at? Thank you!

What types of cases are you going to be working?

Andrew Rathbun

I got you. Congrats on graduating and the new gig! Make us proud

Thank you! I'm very excited. I'll be taking whatever cases get sent my way, but I've been warned the vast majority of cases will deal with child exploitation.

Nilandia

Thank you! I'm very excited. I'll be taking whatever cases get sent my way, but I've been warned the vast majority of cases will deal with child exploitation.

Start learning about file and folder access artifacts so you can prove when your suspect opened a file, whether it exists or not. Learn about the $MFT and $J. If you have questions on how to learn about those things, please ask. (edited)

This ^ and do the preservation request asap.

Good idea. I do know some, but it's good to become as familiar as possible.

I would also sign up for the Facebook/Instagram and Google portals to serve them with preservation requests/legal process before you get the case where you need to do it. I am assuming you will be doing investigations in addition to digital forensics, and that might not be the case for you.

1

Nilandia

Thank you! I'm very excited. I'll be taking whatever cases get sent my way, but I've been warned the vast majority of cases will deal with child exploitation.

Side note, if you have never done it before or it's your first time, be prepared, the first one is rough. Was for me anyways.

ryd3v

Side note, if you have never done it before or it's your first time, be prepared, the first one is rough. Was for me anyways.

I appreciate it. It will be my first one. I'm trying to brace for impact, but I know there's no such thing as being truly prepared.

1

Nilandia

I appreciate it. It will be my first one. I'm trying to brace for impact, but I know there's no such thing as being truly prepared.

Just be mechanical about it. Understand it's what you have to do to put horrible people away. Think ahead and plan out ways to review the material as few times as possible. In my mind, there's the first pass where you discover where it's located as you're scrolling through all the pictures and videos on the device. Next, at least the way we did it, we had to describe the pictures and videos in detail since they obviously can't be included in our report. Try to make it so you only go through each piece of media once for that part of the report. Do what you gotta do while it's in front of you and really try not to have to revisit it again even though the images will never leave your head.

1

3:59 AM

Also you'll need to know counts of all pictures and videos so maybe you do that when everything is a small thumbnail so you're not getting a lot of detail with each one. Counting illicit images, you only need to see the image enough to know it's bad, not the high definition details

Andrew Rathbun

Also you'll need to know counts of all pictures and videos so maybe you do that when everything is a small thumbnail so you're not getting a lot of detail with each one. Counting illicit images, you only need to see the image enough to know it's bad, not the high definition details

this is where I'd imagine Dopus to be a huuge benefit, what with all the extra info at fingertips. (just bought in. wish I'd have sooner)

1

Digitalferret

this is where I'd imagine Dopus to be a huuge benefit, what with all the extra info at fingertips. (just bought in. wish I'd have sooner)

Yep I wish I knew of DOpus back then. Going on 3+ years of use and never looking back. Sorry Microsoft

4:06 AM

If DOpus is too expensive, strongly consider XYplorer. Everyone should be using a File Explorer replacement. I did a lot of research on various File Explorer replacements and number one was DOpus and second was XYplorer IMO. The rest were a distant 3rd and beyond. Mostly those Commander apps. (edited)

Digitalferret

this is where I'd imagine Dopus to be a huuge benefit, what with all the extra info at fingertips. (just bought in. wish I'd have sooner)

https://github.com/AndrewRathbun/DirectoryOpus-DFIRConfig If you use this, please let me know any feedback you have

GitHub - AndrewRathbun/DirectoryOpus-DFIRConfig: A config file that...

A config file that's curated for DFIR examiners with shortcuts to common Windows artifacts and settings enabled that help make your life easier with various file management tasks. - GitHub ...

3

Andrew Rathbun

https://github.com/AndrewRathbun/DirectoryOpus-DFIRConfig If you use this, please let me know any feedback you have

thanks, already bookmarked, still finding my feet with basics. got a big time investment required this weekend for a pro bono neighbourhood report thing. tons of images / vids. can't now imagine sorting without Dopus. only reason i stayed with R-Studio as data recovery s/w was the better file management and file selection. now i have dopus i can do that outside of DR progs

Digitalferret

thanks, already bookmarked, still finding my feet with basics. got a big time investment required this weekend for a pro bono neighbourhood report thing. tons of images / vids. can't now imagine sorting without Dopus. only reason i stayed with R-Studio as data recovery s/w was the better file management and file selection. now i have dopus i can do that outside of DR progs

You'll want to look into customizing media folders. Right click on a column header, More, then toy around with the default columns. You can set that as default for various folder types and all that. Pretty cool stuff.

4:13 AM

https://scribbleghost.net/2018/08/03/view-mode-based-on-folder-content-in-directory-opus/ Check this out too. Probably a better guide

scribbleghost

Custom folder view based on folder content in Directory Opus

Andrew Rathbun

You'll want to look into customizing media folders. Right click on a column header, More, then toy around with the default columns. You can set that as default for various folder types and all that. Pretty cool stuff.

thanks, yes indeed. i've already fallen out with MS for categorizing my phone/media etc a ****ing music box: file name : album : artist etc

every time. can't use cleaners / shellbags without it resetting

1

Andrew Rathbun

https://scribbleghost.net/2018/08/03/view-mode-based-on-folder-content-in-directory-opus/ Check this out too. Probably a better guide

pretty much exactly what i meant. cheers

1

Thanks guys, we do on scene examinations and so this might help for usb drives - I will try this Dopus.

Nilandia

I appreciate it. It will be my first one. I'm trying to brace for impact, but I know there's no such thing as being truly prepared.

The best thing I've found is using a timer. I never view material for the first hour after I get into the office, thirty minutes either side of lunch break, and an hour before I go home. It's easy to fall into the trap of working it regardless of time or overtime, but all that leads to is burn out and bad dreams. Take care of yourself and be conscious of how often you're viewing the material. Welcome aboard to one of the best jobs in the world, because doing it right means the bad guys go away for a long time and stay there!

2

Andrew Rathbun

https://github.com/AndrewRathbun/DirectoryOpus-DFIRConfig If you use this, please let me know any feedback you have

So I have been using DO. I know this feature exists as a add in script but cant seem to find it or make one work. Can it display a hash value of the file in question or verify hashes?

NibblesNBits

So I have been using DO. I know this feature exists as a add in script but cant seem to find it or make one work. Can it display a hash value of the file in question or verify hashes?

Not at my desk this very second but try Edit -> Calculate hashes

6:10 AM

You should be able to add this as a function in your right click context menu. You can add pretty much anything there that you want

6:10 AM

If you need more direction beyond that, let me know and we can figure it out together and document centrally so we never have to do that dance again

Andrew Rathbun

Not at my desk this very second but try Edit -> Calculate hashes

Guess I should RTFM DOH!

NibblesNBits

Guess I should RTFM DOH!

You can make that column default too if you want, but that'd be pretty CPU intensive. You could always make it so directories with images or other certain file types will calculate the file hashes by default, if you wanted

1

You all are amazing. Thank you for the tips! I do know that I'm good at viewing rather disturbing crime scene photos, so I'm hoping at least part of that will carry over into the child exploitation cases.

Another thing I will say is if you've never seen the videos that were hosted on sites like rotten.com, ogrish.com, etc, from back in the day (could still be around now, who knows), the impact of viewing those types of images will very likely be greater than someone who has seen those messed up videos in the past (edited)

Hi everyone, I just joined the server and wanted to know if there are any informative or helpful websites for beginners. I also really enjoy the challenge type websites also. I recently took a cyber crime and digital forensics class and fell in love with the field. I would appreciate all of it ❤️ Feel free to dm me so the reccomendations don’t get lost! (edited)

laflame

Hi everyone, I just joined the server and wanted to know if there are any informative or helpful websites for beginners. I also really enjoy the challenge type websites also. I recently took a cyber crime and digital forensics class and fell in love with the field. I would appreciate all of it ❤️ Feel free to dm me so the reccomendations don’t get lost! (edited)

https://aboutdfir.com/ should have some good stuff to poke around about in. Let us know what else you're looking for when you see or hear about something you're interested in

Home - AboutDFIR - The Definitive Compendium Project

Andrew Rathbun

https://aboutdfir.com/ should have some good stuff to poke around about in. Let us know what else you're looking for when you see or hear about something you're interested in

I really appreciate it! I will get back to everyone (:

another Log4j deserialization about to drop..

6:25 PM

(or dropped)

6:25 PM

-about

While everyone is dropping knowledge in here - I also avoid having audio on with videos unless it's necessary. I can review audio independently but somehow with them together its just extra bad.

2

laflame

Hi everyone, I just joined the server and wanted to know if there are any informative or helpful websites for beginners. I also really enjoy the challenge type websites also. I recently took a cyber crime and digital forensics class and fell in love with the field. I would appreciate all of it ❤️ Feel free to dm me so the reccomendations don’t get lost! (edited)

I'll send you the same message here https://www.learn2hack.ca/index.php/DFIR My site is a wip, but this should get you going, also War Games has some DFIR stuff too https://www.learn2hack.ca/index.php/War_games

DFIR

War games

ryd3v

I'll send you the same message here https://www.learn2hack.ca/index.php/DFIR My site is a wip, but this should get you going, also War Games has some DFIR stuff too https://www.learn2hack.ca/index.php/War_games

Thank you so much!!

1

where do I start to learn DFIR properly.

I´ve had a question from an investigator do run a virus/malmware scan on a few devices. Whats the best approach?

Tejas

where do I start to learn DFIR properly.

Read through #training-education-employment this has been answered a few times. If you have specific questions feel free to ask.

sure thanks

jaikl

I´ve had a question from an investigator do run a virus/malmware scan on a few devices. Whats the best approach?

Phone or Computers or both?

Jobbins

Phone or Computers or both?

Computers/harddrives

jaikl

Computers/harddrives

Run MalwareBytes or Windows Defender or insert other AV solution here

Andrew Rathbun

Run MalwareBytes or Windows Defender or insert other AV solution here

Okey, but when you say run, how? I have the disk imaged as 01 files. Should i mount the disk and then run ex. windows defender?

jaikl

Okey, but when you say run, how? I have the disk imaged as 01 files. Should i mount the disk and then run ex. windows defender?

Mount with AIM and scan the drive letter

Tejas

where do I start to learn DFIR properly.

Check this out

https://startme.stark4n6.com (edited)

Forensics - start.me

A startpage with online resources about Forensics, created by Stark 4N6.

2

4

wow thanks man

hello everyone i want to have your opinion on the chfi cert for beginners is it good or there are better options and thank you

Hector!221B

hello everyone i want to have your opinion on the chfi cert for beginners is it good or there are better options and thank you

#training-education-employment try there, and use the search function in discord to search chfi as I believe there has been previous discussions about it.

Jobbins

#training-education-employment try there, and use the search function in discord to search chfi as I believe there has been previous discussions about it.

yes i did but didn't find what im looking for

We have some interesting holiday reading for all of you. The fourth Arsenal report in the ongoing Bhima Koreagon case is now public. This case involves (by many metrics) the most disturbing electronic evidence tampering which has ever occurred. This is another case in which digital forensics practitioners before us have failed in spectacular ways - from essentially blessing the evidence to fundamentally misunderstanding what happened to the victims. There is a tangible human cost associated with these failures. Here are links to all four reports (with exhibits), along with examples of press coverage: First Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-I.zip / https://www.washingtonpost.com/world/asia_pacific/india-bhima-koregaon-activists-jailed/2021/02/10/8087f172-61e0-11eb-a177-7765f29a9524_story.html Second Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-II.zip / https://www.washingtonpost.com/world/2021/04/20/india-bhima-koregaon-activists-report/ Third Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Surendra-Gadling-Report-III.zip / https://www.washingtonpost.com/world/2021/07/06/bhima-koregaon-case-india/ Fourth Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-IV.zip / https://thewire.in/rights/rona-wilson-pegasus-iphone-arsenal When I (this is Arsenal President, Mark Spencer) worked in law enforcement many years ago, I thought the kinds of electronic evidence tampering we have been dealing with in some of our cases at Arsenal was the stuff of spy novels (the fiction variety), not the real world. Everyone involved in digital forensics, from student to professor and from evidence custodian to prosecutor, should carefully read each of these reports.

9

3

So I have a bit of time before I go into field training. I start training in January, meaning my time right now is free and I'd like to make the most of it. Which online service provider portals require creating an account before I can submit requests that you believe would be worthwhile setting up? Any free training you'd recommend? Anything else I can be doing while I wait?

@Nilandia #training-education-employment off hand I can think of Google LE portal and Facebook portal to get acquainted with it.

1

DCSO

@Nilandia #training-education-employment off hand I can think of Google LE portal and Facebook portal to get acquainted with it.

Yahoo (Oath) and Charter Communications are a couple of other portals I have used, but they are less common than what DCSO mentioned.

Arsenal

We have some interesting holiday reading for all of you. The fourth Arsenal report in the ongoing Bhima Koreagon case is now public. This case involves (by many metrics) the most disturbing electronic evidence tampering which has ever occurred. This is another case in which digital forensics practitioners before us have failed in spectacular ways - from essentially blessing the evidence to fundamentally misunderstanding what happened to the victims. There is a tangible human cost associated with these failures. Here are links to all four reports (with exhibits), along with examples of press coverage: First Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-I.zip / https://www.washingtonpost.com/world/asia_pacific/india-bhima-koregaon-activists-jailed/2021/02/10/8087f172-61e0-11eb-a177-7765f29a9524_story.html Second Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-II.zip / https://www.washingtonpost.com/world/2021/04/20/india-bhima-koregaon-activists-report/ Third Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Surendra-Gadling-Report-III.zip / https://www.washingtonpost.com/world/2021/07/06/bhima-koregaon-case-india/ Fourth Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-IV.zip / https://thewire.in/rights/rona-wilson-pegasus-iphone-arsenal When I (this is Arsenal President, Mark Spencer) worked in law enforcement many years ago, I thought the kinds of electronic evidence tampering we have been dealing with in some of our cases at Arsenal was the stuff of spy novels (the fiction variety), not the real world. Everyone involved in digital forensics, from student to professor and from evidence custodian to prosecutor, should carefully read each of these reports.

Awesome thank you!

1

Nilandia

So I have a bit of time before I go into field training. I start training in January, meaning my time right now is free and I'd like to make the most of it. Which online service provider portals require creating an account before I can submit requests that you believe would be worthwhile setting up? Any free training you'd recommend? Anything else I can be doing while I wait?

If you go to https://www.search.org/toolbar/ we have a list of LE portals you can access/register for on the very bottom option of resources

SEARCH Investigative and Forensic Toolbar

Web site created using create-react-app

3

When analysing files on a USB (FAT32) drive, would there be any reason why a file wouldn’t be found? If the file was deleted it should still show up in a tool like Autopsy or FTK. Thank you.

@cmuk depends "how" it was deleted, how long ago etc etc

whee30

@cmuk depends "how" it was deleted, how long ago etc etc

One of the more recent files. I can’t see lots of files just not the one in question.

with FAT32 on a standard delete, the directory entry is marked with a 0xE5, the FAT chain is zeroed out but the data is left alone

can*

can you find the directory entry in the hex when you open in FTK imager?

The folder was deleted where the file was stored

10:16 AM

There is no evidence in the root directory

can you find the 0xE5 directory entry for the folder that contained the file?>

10:16 AM

that would be an "orphaned" file, if your tools categorize those differently

Ok. I’ll take a look. Thanks for the swift response

sure. PM me if you have more questions... I'm just sipping my coffee and catching up on emails.

jaikl

I´ve had a question from an investigator do run a virus/malmware scan on a few devices. Whats the best approach?

clamav is integrated inside forensic explorer, you can give it a try without mounting a disk image

Hello Everyone There is a way to know when someone clean the web history ( Chrome for example)

CWolf

Hello Everyone There is a way to know when someone clean the web history ( Chrome for example)

Are you asking or telling? I'm guessing you're asking. Check the last modified time in the MFT for the History SQLite Database. Maybe that will provide some insight? Or check the $J for that file in particular to see when datatruncation occurred.

Andrew Rathbun

Are you asking or telling? I'm guessing you're asking. Check the last modified time in the MFT for the History SQLite Database. Maybe that will provide some insight? Or check the $J for that file in particular to see when datatruncation occurred.

yes, sorry, i was asking :), thank you, i will check

maybe this has been asked before but does anybody have a youtube video or free webinar for Detectives to use UFED Reader ? @Cellebrite I can share vs recreating the wheel. Thanks

DCSO

maybe this has been asked before but does anybody have a youtube video or free webinar for Detectives to use UFED Reader ? @Cellebrite I can share vs recreating the wheel. Thanks

We do have online courses for reader you could enroll using Cellebrite learning center website but it is not free

1

Hi, I learn a bit of computer forensics by myself on Udemy and Youtube and I really love DIFR. I am a student in a software developer. I'm not sure to continue school to become a software dev. I heard that many people in DIFR study something completely different. I was wondering if companies are interested to make an internship with my little bits of knowledge in computer forensics?

what kind of knowledge do you have?

@Fierry Restoring browser history, restoring deleted files, and mail. and a bit more + OSINT I also take the OSCP training (no exam) (edited)

maybe try completing some CTFs at cyberdefenders.org to see if you still like it

11:59 AM

there's lots of free software to assist you like Autopsy, KAPE, plaso and other tools

11:59 AM

try to take lots of notes about stuff you came across so you can refer back

And what is CTF ? That they teach

A CTF is a challenge in which you answer questions pertinent to the case

Capture the Flag

2:10 PM

As mentioned above, you get given a image and questions

I especially can recommend the Hunter CTF as it gives you a good overview of Windows evidence

- https://cyberdefenders.org/labs/32

CyberDefenders: Hunter blueteam challenge.

Training platform for #BlueTeams to test and advance their #CyberDefense skills..

Andrew Rathbun

Are you asking or telling? I'm guessing you're asking. Check the last modified time in the MFT for the History SQLite Database. Maybe that will provide some insight? Or check the $J for that file in particular to see when datatruncation occurred.

Thank you for yr help

1

Is it free?

CCNA

Is it free?

The Hunter CTF? It is free.

hi not a specific question about specifics, but in general what changes has there been in the computer forensics world in the last decade

3:28 AM

biggest changes, pros, cons, etc

The last decade? That's an enourmous period.

hannix7403

hi not a specific question about specifics, but in general what changes has there been in the computer forensics world in the last decade

Encryption.

1

hannix7403

hi not a specific question about specifics, but in general what changes has there been in the computer forensics world in the last decade

the sheer breadth and quantity of data to sift through whether that's just a function of the increase in storage device sizes or the cumulative effect as folks either collect (images/videos in their millions) and add to or, rather than house-keep (deleting emails say), just add more storage. Recent case reported on BBC where couple (sexual exploitation of minors) apparently had 175,000 pages of text/comms passing between each other. How the heck?

Agreed, I think the DFIR future relies on post processing of data quite a lot to make it more easily accessible to investigators, parsing evidence sources manually is going to take a lot of time if the amount of evidence keeps expanding

11:32 AM

That’s not to say parsing is effective in all cases, manual verification remains a necessity in order to ensure evidence and artifact validity

I reckon the cloud side of data will become more of a thing as well.

Just today I had a case in which manual parsing yielded more date/time stamps, so know your tools and know the limits of your tools as well

(edited)

What are some resources for real-life blue team simulations? Cyberdefenders/blueteamlabs any others? Looking for good technical practice in memory forensics, logs and pcap analysis, RE, etc. (edited)

Mike_Blueteam

What are some resources for real-life blue team simulations? Cyberdefenders/blueteamlabs any others? Looking for good technical practice in memory forensics, logs and pcap analysis, RE, etc. (edited)

for RE maybe HackTheBox

hello from austria to @MSAB

Just a general question. If I want to install XRY on a new PC, is it enough to install XRY Office 10.0 and XAMN 7.0? are all necessary files installed then for acquisition and decoding? Or do I have to install an older version first and then update it? Is the latest XRY-licensemanager included in latest setup? (edited)

@chrisforensic yes, grabing the latest xry 10 bundle from the customer portal will install the full XRY 10 will all the trimmings, as well as lates XAMN and licence manager. So you will be good to go

1

thanks @MartinW for info

Please be aware of recent spam/phishing messages, claiming to be for 3 months of Discord Nitro. These are scams and not from Discord or this channel. If you see posts containing these types of messages please alert @Moderators and we will deal with them accordingly. Thank you all!

5

Merry Christmas fam

Merry Christmas!

CCNA

Hi, I learn a bit of computer forensics by myself on Udemy and Youtube and I really love DIFR. I am a student in a software developer. I'm not sure to continue school to become a software dev. I heard that many people in DIFR study something completely different. I was wondering if companies are interested to make an internship with my little bits of knowledge in computer forensics?

Probably not, you should finish school.

Merry Christmas

everyone.

Quick question. I work for a pretty small police department in VA, about 50 sworn. We recently got Cellebrite with the standard UFED/PA combo. We’re looking at dropping some money on a dedicated forensic workstation for Cellebrite and future programs (GrayKey and Axiom). Budget would be 12-13k. We’re pretty set on a Sumuri Talino. Are there any “must haves” for the workstation? What should be the priority when building it?

mcdoz

Quick question. I work for a pretty small police department in VA, about 50 sworn. We recently got Cellebrite with the standard UFED/PA combo. We’re looking at dropping some money on a dedicated forensic workstation for Cellebrite and future programs (GrayKey and Axiom). Budget would be 12-13k. We’re pretty set on a Sumuri Talino. Are there any “must haves” for the workstation? What should be the priority when building it?

Be aware of bottlenecks. Talk to Sumuri about it, if needed. Don't buy top notch parts that can't go faster than another really important part of the processing workflow that you ended up skimping on. Thankfully with those builds it should be pretty bottleneck proof but just keep that in mind when you start modifying one of their preconfigured builds.

MartinW

@chrisforensic yes, grabing the latest xry 10 bundle from the customer portal will install the full XRY 10 will all the trimmings, as well as lates XAMN and licence manager. So you will be good to go

info: fresh install XRY 10 on Windows 11 worked without problems, thanks !

Does anyone have experience with dell optane memory? I received two E01’s for examination. One E01 is showing the acquisition of a 512GB hard drive from a dell. The other E01 is showing an image of a 32GB drive. The 512GB drive appears to be encrypted but the 32GB drive has the file structure of the full 512GB. The 32GB image shows that the files exist but they can’t be exported as a readable file due to the file not residing on the 32. Is there a way to rebuild it to get a live acquisition?

9:54 AM

Any other ideas?

AARC TASK FORCE

Does anyone have experience with dell optane memory? I received two E01’s for examination. One E01 is showing the acquisition of a 512GB hard drive from a dell. The other E01 is showing an image of a 32GB drive. The 512GB drive appears to be encrypted but the 32GB drive has the file structure of the full 512GB. The 32GB image shows that the files exist but they can’t be exported as a readable file due to the file not residing on the 32. Is there a way to rebuild it to get a live acquisition?

I had an optane drive not to long ago. We imaged it and the hard drive. I found evidence on the optane. I will DM you

Passware has a dell encryption bruteforce option

1:55 PM

I'd imagine maybe there might be something similar for hashcat if you don't have

1:56 PM

Whether it's the same encryption

‍♂️

https://support.passware.com/hc/en-us/articles/1500007095861-Passware-Kit-2021-v2-supports-Dell-Encryption-Dell-Data-Protection-decrypts-QuickBooks-2021-databases-and-automatically-extracts-Wipekey-files-from-FileVault2-disk-images

Wonder if @Magnet Forensics detects what type of encryption and if it is the Dell type

Never personally used that option tho

I asked and then googled. So I deleted my question. LOL @Rob

I like the @Passware option

2:06 PM

I also wonder if the encryption key would be stored on the optane drive, since it is used as a cache drive.

I have never run into an Optane drive, nor had I heard about it... am I living under a rock? Is this a niche or a widespread thing?

I'd say it's not a permanent data storage option, more used for data processing. Came out around 2018 or so.

Hey, has anyone tested or knows how reliable locations from snapchat memories are? Thanks

dushe

Hey, has anyone tested or knows how reliable locations from snapchat memories are? Thanks

If locations are enabled, it depends on the accuracy within the OS. On Android obviously locations can be spoofed, while on iOS you can prohibit an app from knowing your precise location.

4:14 AM

Same with jailbroken iOS. Generally if it provides coordinates that can be verified using an external source eg Google maps, always worth double checking

4:14 AM

@Pacman if you see this, please pitch in

Take a chance to win Belkasoft X full-featured license! This week is the last chance to participate. Share your user experience of Belkasoft products. Your opinion about interaction with Belkasoft educational materials and events is important as well. Take a part in the survey and get a chance to win a full-featured Belkasoft X license. Filling out the survey will take about 15 minutes. Do it now: https://bit.ly/3pwVrjG

1

4:17 AM

So we got a reference iPhone which we use for reference testing that displays some kind of error when I did an upgrade from iOS 14.x to 15.x. Got the error "SCEP server configuration is not supported" during the iOS 15 setup screen. Does anyone know a way to fix the error or skip the setup screen somehow?

Not even sure what channel this would belong in. What software would be used for analyzing the electrical network frequency (ENF) and would this type of analysis be possible for those of us not in the UK? https://www.youtube.com/watch?v=e0elNU0iOMY&ab_channel=TomScott

Tom Scott

The hidden background noise that can catch criminals

FullTang

Not even sure what channel this would belong in. What software would be used for analyzing the electrical network frequency (ENF) and would this type of analysis be possible for those of us not in the UK? https://www.youtube.com/watch?v=e0elNU0iOMY&ab_channel=TomScott

The majority of the work on ENF was carried out by Dr. Catalin Grigoras, now at the National Center for Media Forensics (NCMF) at UC Denver. It is possible to be done outside of the UK/EU using Matlab scripts. There may be other ways but that is the only way I know of. There are a lot of published papers on the topic at the NCMF website linked below. I should also note that it is my understanding that advances in cell phones and wireless communication makes ENF analysis pretty limited nowadays. https://artsandmedia.ucdenver.edu/areas-of-study/national-center-for-media-forensics/national-center-for-media-forensics-research (edited)

4

FullTang

Not even sure what channel this would belong in. What software would be used for analyzing the electrical network frequency (ENF) and would this type of analysis be possible for those of us not in the UK? https://www.youtube.com/watch?v=e0elNU0iOMY&ab_channel=TomScott

I recently found a YouTube channel of a guy named captain jive Turkey who analyzes old hydrophone audio from incidents involving submarines and posts the analysis. Some very cool stuff and gets you thinking what else you can do with this… https://m.youtube.com/watch?v=9HIyW4PC8vo

Sub Brief

The Hårsfjärden Incident October 1982

2

1

Hello everyone, Do you know any open source IR scripts(generic evidence collection at this point) for FreeBSD Only found https://github.com/tclahr/uac so far, if anyone can share some alternatives, it's much appreciated.

GitHub - tclahr/uac: UAC is a Live Response collection tool for Inc...

UAC is a Live Response collection tool for Incident Response that makes use of built-in tools to automate the collection of Unix-like systems artifacts. - GitHub - tclahr/uac: UAC is a Live Respons...

blake-ee

Morning everyone. Has anyone ever had any dealings with downloading/extracting data from OCULUS QUEST VR headsets? My questions are as follows: Is it even possible?/can you extract data from the headsets? What kind of data does the OCULUS store? If data can be extracted, what tools were used? What tool was used to decode the data? Any help would be appreciated.

What did you find out about examining the Oculus headsets? We just got one with out controllers. It does have the ability to store images and videos from a computer on the headset. Just wondering if a ChipOff or other method of extraction might be possible.

11:14 AM

I was able to go through the settings using the volume buttons to make selections on the screen. I connected it to a computer and it loads as a USB device, but I think it might need Oculus software to be able to interface with the device. I was wondering if it is possible to see the drive, even if logically, so it can be imaged through FTK / Axiom / Etc.

11:16 AM

Doing the manual exam of the Quest 2, I was able to see the device can go to websites etc, so I am leaning towards doing a chipoff if it is eligible. More research needed before I try that.

The Oculus Quest 2 It does appear to be eligible for ChipOff, based upon the chip image from iFixIt.

Do we have anyone here that is experienced with ADF Solutions DEI software?

AccessInvestigations

Do we have anyone here that is experienced with ADF Solutions DEI software?

maybe prod Rob ..? https://ptb.discord.com/channels/427876741990711298/537760691302563843/894823197386637373

1

Digitalferret

maybe prod Rob ..? https://ptb.discord.com/channels/427876741990711298/537760691302563843/894823197386637373

Thank you

1

Hi all. Any recommendations on a Mac platform (and specs) suitable as a forensic workstation? Mac Minis, iMacs etc? Intent is to go Boot Camp or VMs for Windows-specific tools etc.

You’re pretty limited on Mac configs unless you want to juice up a Mac Pro to like 50k or something… Sumuri sells bundles of computers+software on their site, that should be a decent baseline at least for their product.

10:09 AM

I had thought the new M1 processors no longer allowed dual boot to windows but maybe someone figured that out?

It's a legal minefield due to licencing around Windows on ARM

Oof - I thought I was joking but…

2

1

10:14 AM

I have a touchbar MacBook Pro that I can dual boot but I have found it easier (if you have the space and budget) to use two computers. I rarely get macs in though, so having a Mac centric bottleneck with what hardware I can use doesn’t make sense (edited)

Yeah plus I doubt there's much forensic software for non-macOS uses which runs well on Mac

I have an investigation where I received a large number of logs from Apple which include for example Store Transaction History and iTunes in the Cloud Authorization. Does anyone have details on how/why these logs are populated? Specifically I have devices with multiple Associated Date entries, IP addresses and User Agent Strings. They seem pretty self explanatory but am looking to validate what I am interpretting.

whee30

I have a touchbar MacBook Pro that I can dual boot but I have found it easier (if you have the space and budget) to use two computers. I rarely get macs in though, so having a Mac centric bottleneck with what hardware I can use doesn’t make sense (edited)

Oh wow. Duly noted. Yes I think until the M1 becomes a little bit more mature, Intel Macs would be best due to compatibility. Thanks

theridlr

Oh wow. Duly noted. Yes I think until the M1 becomes a little bit more mature, Intel Macs would be best due to compatibility. Thanks

M1 Mac's won't really be suitable for forensics until someone emulates x64 and the big players like vmware arent going down that path last I heard.

8:12 PM

Intel Mac's are being phased out so they're hard to find in laptop form

I don't have recon (yet) but I was told that it's M1 native, its a very purpose built tool though. Needs a mac to run on and only examines macs. I like my work intel macbook pro and my personal m1 mini but I find that I'm using the PCs way more often.

Happy New Year everyone! I hope no one bricks any phones and don’t get stuck in a boot loop!

5

1

whee30

Oof - I thought I was joking but…

The computer cost the same price as a car, it's crazy expensive. I know apple silicone and Nvidia are in war of with GPU is the best now Nvidia, are willing to make the RTX Serie 40 much better. (edited)

Hey thanks for allowing me to join recently got into cyber securty last year from a career chnage bene working in a soc now for 7 months looking to move in to a DF role. Currently learning Autopsy Chain of custody Types of digital evidence Aka all the Billy basics So thanks for having me

4

OggE

Hey, need some help identifying some exif tags on some jpgs. IFD0 - Artist IFD0 - XP Author XMP-dc - Creator XMP-rdf - about (There is a uuid here). I found a little more about the tags on exiftool.org but after that i couldnt find much.

Update: The exif seems to be coming from the builtin windows snippet tool

1

mcdoz

Quick question. I work for a pretty small police department in VA, about 50 sworn. We recently got Cellebrite with the standard UFED/PA combo. We’re looking at dropping some money on a dedicated forensic workstation for Cellebrite and future programs (GrayKey and Axiom). Budget would be 12-13k. We’re pretty set on a Sumuri Talino. Are there any “must haves” for the workstation? What should be the priority when building it?

For 12-13K you should be asking for a Threadripper 3990x. My last build I had this processor put in and the difference is unreal when it comes to processing times. If that can’t put you in that processor at that price point let me know.

3

I'll take a threadripper in exchange pls....

1

2:57 AM

^ gamer's (and forensics dudes) be like ^

2

Dang right.

Do we have any members here that are currently or have experience with the PCI PFI (https://www.pcisecuritystandards.org/assessors_and_solutions/pci_forensic_investigators) program?

PCI Forensic Investigator (PFI) Program

PCI data security standards are for all merchants levels who accept credit cards. If you are a merchant of any size accepting credit cards, you must be in compliance with PCI Security Council standards. This site provides: credit card data security standards documents, PCI compliant software and hardware, qualified security assessors, technical...

The Scientific Working Group on Digital Evidence (SWGDE) is pleased to announce posting of the following draft documents for public review and comment at https://www.swgde.org/documents/draft-released-for-comment • SWGDE Best Practices for Forensic Audio v2.5 • SWGDE Best Practices for Frame Timing Analysis of Video Stored in ISO Base Media File Formats v1.1 • SWGDE Considerations for Facial Recognition and Face Comparison v1.1 • SWGDE Considerations for Release of Synopsis Videos for Public Review v1.0 • SWGDE Lighting Techniques in Forensic Photography v.1.0 • SWGDE Technical Notes on FFmpeg v2.1 As noted on the cover page of all our documents, SWGDE encourages stakeholder feedback and suggestions for modifications to any document are welcome at all times. Please use the "Submit Comments" link beside the listed document to provide feedback. We appreciate your participation as SWGDE continues its mission to bring together organizations actively engaged in the field of digital and multimedia evidence to foster communication and cooperation as well as ensuring quality and consistency within the forensic community. Please feel free to forward/redistribute this announcement to any colleague, forum, or listserv you deem appropriate.

SWGDE - Draft Released For Comment

SWGDE encourages stakeholder participation in the preparation of documents. The following documents are draft versions being provided for comment by all interested parties for a minimum period of 60 days. Suggestions for modifications are welcome and must be submitted following the provided

1

Andrew Rathbun pinned a message to this channel. 1/4/2022 9:25 AM

Hi all, wonder if any of the UK forces have gained 17025 for Kiosk deployments across their respective divisions, using central config etc? If so I would like to hear from you please. Ta.

Obi-Wan-IP

Hi all, wonder if any of the UK forces have gained 17025 for Kiosk deployments across their respective divisions, using central config etc? If so I would like to hear from you please. Ta.

@Law Enforcement [UK]

3:04 PM

btw, I secretly love reading when all of UK LE gets tagged. You all are in the same boat with ISO and all that. Really awesome collaboration which is in the spirit of what this server is all about. Love seeing it every time you all assist each other

7

3

Rumour has it the certain UK forces are looking to rid themselves of ISO once and for all.

We’re about to start on it. Using cellebrite infield and commander

^^ this is what I'm talking about

You're just jel we have our fish and chips @Andrew Rathbun

6

In theory we only have to validate one kiosk and I’m arguing a lot of the techniques (we only allow logical methods) are already validated when we validate ufed

We use cellebrite Responder, for certain front line teams. We have SOP's, and a peer competency SOP for it.due to add it to our ETS this year

1

3:13 PM

Centrally validated, and the various deployments verified

CptWaistcoat_57354

Centrally validated, and the various deployments verified

How's the process to iso mobiles gone?

3:17 PM

Annoyingly for us the computer side of things they've just vomited words up into SOPs so praying mobile side of things is smoother and written by an examiner

Anyone use magnet outrider for Mac Acquisition? Wondering how it works

If there is anybody with HDD recovery experience can you please have a peek at what i posted in #data-recovery ? thanks

Andrew Rathbun

btw, I secretly love reading when all of UK LE gets tagged. You all are in the same boat with ISO and all that. Really awesome collaboration which is in the spirit of what this server is all about. Love seeing it every time you all assist each other

Pity UKAS don’t ‘assist’ us!

1

You do seem better off making zero effort first time around and getting the list of how you should do it from UKAS.

robbieD

Rumour has it the certain UK forces are looking to rid themselves of ISO once and for all.

We can only dream

Does anyone have a program or script to compare the hash values of images that are in two separate folders?

iNDO_o

Does anyone have a program or script to compare the hash values of images that are in two separate folders?

What are you trying to do exactly? Find a known photo(s) in a group of unknown photos or verify that two different folders contain the same data?

I have two folders from separate cyber tips, on a CD. both contain csam images but all the file names are different so i'd like to compare all the hash values from the separate cases for matches

11:49 AM

I should specify, the new cyber tip contains photos of images i recognize form an older case.

11:50 AM

So instead of manually trying to find the matching photos, i'd like to just compare the hash values and filter by any that match

If I were to do it I would load the photos from each folder into Eric Zimmerman's hasher to get a list of hashes. Do it again for the other folder. Use Excel magic to find the duplicates. Or load the hash list into your old case and search for the photos. https://ericzimmerman.github.io/#!index.md

11:51 AM

But I am sure there is a better way.

1

Could put them into griffeye?

11:51 AM

Then you can filter by hash etc.

11:52 AM

But probably the above method would work

I'll load the hashes into the old case, was just hoping for the easy way

Just passed my GCIH lezzz gooo!

5

2

Next stop.... Sec 508 I guess

iNDO_o

I should specify, the new cyber tip contains photos of images i recognize form an older case.

You could probably use the FCIV tool from Microsoft to hash all files, and pipe the output to a text file. You could then import that into Excel and filter.

1

iNDO_o

Does anyone have a program or script to compare the hash values of images that are in two separate folders?

QuickHash may do it under one of the “compare” tabs but I haven’t used it so I can’t be sure. https://www.quickhash-gui.org/

Quickhash-GUI - free, cross platform data hashing tool

The homepage of Quickhash-GUI - free, cross platform, data hashing tool for Windows, Linux and Apple OSX

You can do it in powershell on windows if needed. Get-filehash and you have -algorithm to specify a different hash type. You can add all of the hashes to an array and just check for duplicates.

Forensicator

Next stop.... Sec 508 I guess

That's a good one. Are you using GCIH and GCFA material in LE currently?

iNDO_o

Does anyone have a program or script to compare the hash values of images that are in two separate folders?

http://www.listdiff.com/ or http://barc.wi.mit.edu/tools/compare/ can do it online. I've used these before. Hashes aren't sensitive, per se, but YMMV re: using an online service. https://www.excel-easy.com/examples/compare-two-lists.html too (edited)

ListDiff - Compare multiple lists to find list differences

Compare list differences online with this text fixer and list comparison tool

Compare Two Lists in Excel

This example describes how to compare two lists in Excel using conditional formatting. For example, you may have two lists of NFL teams.

Andrew Rathbun

That's a good one. Are you using GCIH and GCFA material in LE currently?

Yes, we respond to cyber intrusions all the time. It's actually our bread and butter at my agency.

4:33 PM

kick down the door yell CYBER POLICE! and pull out the forensic falcon

1

4:37 PM

We kinda chop up PICERLL though to PIC.... and assist with Eradication but most of the time we don't do that at all. We leave recovery and Lessons learned up to the places we go to (edited)

4:38 PM

So while it was fun learning all of the material I kinda had to take a step back and think about how much it really applied to my everyday. It's definitely beneficial though for my home lab when I release malware on it!

2

sholmes

What did you find out about examining the Oculus headsets? We just got one with out controllers. It does have the ability to store images and videos from a computer on the headset. Just wondering if a ChipOff or other method of extraction might be possible.

Hi. The advice I received was to try eMMC or chip off with one of these readers: https://www.desertcart.com.om/products/55328149-allsocket-ic-socket-bga-adapter-e-mmc-169-153-ic-reader-with-sd-interface-bga-169-153-adapter-nand-flash-memory-data-recovery-reader-chip-off-tool-retrieve-data-for-android-phone-broken-cracked

ALLSOCKET Internal Memory Adapter,eMMC169/153 Memory Reader with SD...

Buy ALLSOCKET Internal Memory Adapter,eMMC169/153 Memory Reader with SD Interface BGA153/169 Adapter FLASH Memory Data Recovery Reader Chip-off Tool Retrieve Data for Most Android Smartphone online at best price at Desertcart. ✓FREE Delivery Across Oman. ✓FREE Returns - 55328149.

1

robbieD

Rumour has it the certain UK forces are looking to rid themselves of ISO once and for all.

I think that the Forensic Science Regulator Act 2021 gave the FSR statutory powers. Depending on the route the new Regulator takes it may be possible for a force to rid themselves of ISO but I suspect that the act would make it more difficult to do so if the Regulator continues to support 17025 and 17020 for forensics in the Codes. https://www.legislation.gov.uk/ukpga/2021/14/contents/enacted https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1041792/2021_FSR_Newsletter_37.pdf

3

I have heard that ct and the three letter group and looking into suspending it as it’s not working and is not viable

4:05 AM

DF should never have fallen under the Regulator, we should of just written on a national sop that had the blessing of the chiefs and ran with that.

2

Hi all. Has anyone done 'live' forensics on Docker containers?

4:47 AM

Looking for a method to pull processes without offlining it and doing dead box 4n6 on it

@Cellebrite Does Cloud Analyzer still allow for capturing public profiles? I'm looking for alternative capture methods and we used this product years ago with success but havent in more recent years.

@NibblesNBits you can even do with PA without cloud licence, you need to add an avatar for this

Anyone doing corporate work ever had to do a part 35 compliant forensic report? I've read and understand the rules okay, i'm just wondering if it has to be in a specific format or as long as it contains all the required data its okay.

bypx

@NibblesNBits you can even do with PA without cloud licence, you need to add an avatar for this

I will look for a new installer. I tried this and also added an avatar but it doesnt seem to allow collection, admittedly its a very old version. I appreciate the confirmation though. (edited)

@NibblesNBits just tied now with latest PA selecting “last month” activity of the target.

sim0n

I think that the Forensic Science Regulator Act 2021 gave the FSR statutory powers. Depending on the route the new Regulator takes it may be possible for a force to rid themselves of ISO but I suspect that the act would make it more difficult to do so if the Regulator continues to support 17025 and 17020 for forensics in the Codes. https://www.legislation.gov.uk/ukpga/2021/14/contents/enacted https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1041792/2021_FSR_Newsletter_37.pdf

When I left CT 6 months ago they were still neck deep in ISO 17025, not as anal as another force I worked for though. Some parts of it work okay but the majority is just a ball ache.

JustNit

Hi all. Has anyone done 'live' forensics on Docker containers?

Some of my notes from research I did a year-or-so ago, might help: https://netsecninja.github.io/dfir-notes/docker/

Docker

Notes regarding how to use Docker and some DFIR information that I researched

1

NetSecNinja

Some of my notes from research I did a year-or-so ago, might help: https://netsecninja.github.io/dfir-notes/docker/

Awesome thanks!

@Law Enforcement [USA]@Search.org Does anyone have contact info for someone for Merkury cameras? I have a high-profile case that centers around those cameras. I know there is likely to be minimal cloud data stored, but I still would like access logs to the camera systems. Search.org and my Google-Fu are both failing me.

8:29 PM

https://www.walmart.com/ip/Merkury-Innovations-Smart-WiFi-720P-Camera-with-Voice-Control-Requires-2-4GHz-WiFi-White/835969619

8:30 PM

https://merkuryinnovations.com/pages/about-us

About Us

For almost 20 years, Merkury Innovations has followed the trends of electronic accessory and tech, keeping us ahead of the curve and providing you affordable products without compromising taste and design. Our wireless sound systems, E-sports gear, and LED home décor help to personalize your atmosphere while our advanc

FullTang

@Law Enforcement [USA]@Search.org Does anyone have contact info for someone for Merkury cameras? I have a high-profile case that centers around those cameras. I know there is likely to be minimal cloud data stored, but I still would like access logs to the camera systems. Search.org and my Google-Fu are both failing me.

I was able to find employees including the CEO on LinkedIn. Maybe you could try cold messaging people on LinkedIn?

2

https://support.mygeeni.com/hc/en-us/articles/360002471174-Contact-Details

10:07 PM

site:merkuryinnovations enforcement gave a privacy page that referenced mygeeni (parent company? sister company?) Same process for mygeeni gives support emails for both and a physical address

2

10:11 PM

https://www.bbb.org/us/ny/new-york/profile/importers/merkury-innovations-llc-0121-83323

10:12 PM

that phone number has a robo attendant for merkury

10:12 PM

212-840-8550

Thank you, good leads to try!

Is there a quick fix for 'failed to enable constraints' error message if a re-installation doesnt fix it???

iNDO_o

I have two folders from separate cyber tips, on a CD. both contain csam images but all the file names are different so i'd like to compare all the hash values from the separate cases for matches

Morning @iNDO_o. There are a few ways you could tackle this with @Griffeye to make things a bit easier. 1. If you have a list of the hashes from the older case you can load them into your Griffeye Intelligence Database (GID) and then bring in the files you are looking to inspect. The GID would then flag the files you have already seen and identify the files that you have left to work with.

iNDO_o

I'll load the hashes into the old case, was just hoping for the easy way

You could also see the visual or binary copies stacked together so if you have matches from the two different folders you can see them pointed out to you. Reach out to me when you get started back up today if you are interested.

Hello

2

Hello!

3

Have a WesternDigital MyPassport USB drive that uses their proprietary WDUnlock.exe tool to unlock the data partition. I need to verify the password provided by the owner. I tried connecting the WD MyPassport to various USB blockers (Tableau Bridge T3456789iu and Tableau USB Bridge), yet the usually emulated CD-ROM drive does not appear to unlock the drive. I have tried multiple machines, no luck. The TX-1 sees the two data partitions, one containing the WDUnlock.exe. Any other ideas on how to "test" the password, without compromising the integrity of the evidence by not using a write-blocker? (edited)

MD4N6

For 12-13K you should be asking for a Threadripper 3990x. My last build I had this processor put in and the difference is unreal when it comes to processing times. If that can’t put you in that processor at that price point let me know.

The only threadripper they have available is the 3960X which is the one I’m looking at. I would have have it with 128GB of 3600MHz ram, RTX 2080 super, M.2 NVMe SSD drives. For OS, temp and database and a quad M.2 carrier.

Anyone familiar with examining the Hola browser?

Matt

Anyone familiar with examining the Hola browser?

Considering there's nothing new under the sun... Is it a repackaged chromium and can be parsed with axiom/hindsight?

It did not parse with axiom

6:42 PM

My limited research is that it is a browser plug-in.

randomaccess

Considering there's nothing new under the sun... Is it a repackaged chromium and can be parsed with axiom/hindsight?

https://cdn4.hola.org/www/hola/pub/img/hola_br.svg?ver=1.192.690 sure does look like it

Matt

My limited research is that it is a browser plug-in.

Could be both according to the site

7:30 PM

Suggest you'll need to get into the weeds with a Json,XML,sqlite viewer

7:30 PM

And write up what you figure out :)

Haha.

7:31 PM

Smooth.

Andrew Rathbun

https://cdn4.hola.org/www/hola/pub/img/hola_br.svg?ver=1.192.690 sure does look like it

That gives me Firefox vibes

7:32 PM

But I'm still banking on chromium

Appreciate the references. I’ll get to work Monday

The vertical dots give me huge Chrome vibes, almost 1:1

7:33 PM

but that's just UI and can be customized so

‍♂️

Who even uses computers anymore…

‍♂️

1

7:34 PM

Just when you make progress on mobile devices you get a computer curveball

Thankfully Chrome and Firefox are mostly SQLite and plenty of queries out there floating around

Very true. I’m looking forward to that.

Matt

Anyone familiar with examining the Hola browser?

If I remember correctly hola uses P2P to give you “VPN” addresses. So in essence it’s tunneling your traffic through another user of the Hola extension. It was notorious for that behavior.

Hi I have a question. How you harden your windows forensics workstation ? Do you some scripts or not harden at all ?

sidi7

Hi I have a question. How you harden your windows forensics workstation ? Do you some scripts or not harden at all ?

Not all of this will apply to a forensic workstation setup, but there's some good advice and policies available here: https://www.ncsc.gov.uk/collection/device-security-guidance/platform-guides/windows Section 23.3 of the FSR codes of practice also includes some guidance on this area, although the majority of that is more policy based for the wider forensic lab & organisation than physical steps for your windows machine: (Page 67 onwards): https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/968638/100_Codes_of_Practice_and_Conduct_-_Issue_7.pdf

Windows

1

K23

Not all of this will apply to a forensic workstation setup, but there's some good advice and policies available here: https://www.ncsc.gov.uk/collection/device-security-guidance/platform-guides/windows Section 23.3 of the FSR codes of practice also includes some guidance on this area, although the majority of that is more policy based for the wider forensic lab & organisation than physical steps for your windows machine: (Page 67 onwards): https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/968638/100_Codes_of_Practice_and_Conduct_-_Issue_7.pdf

Thank you

Anyone have experience with Siforce forensic towers? How to they compare to Sumuri?

?? TCL A509DL MTK 6765 file based Android 11 - Patched October 2021 I tried MTK Live and filesystem MTK nothing

Thoughts ?

So my agency has run into a need to see what data is stored on the mag strip of a homebrew CC. Is there a recommended tool for this? I'

11:11 AM

I'm sure I could just hunt eBay and find something but if there's a industry standard tool that might look better on the expense report

also - a lot of what im seeing are read/write. I'd like to get just a read only tool so my people dont accidentally wipe data or overwrite it

@whee30 send you a PM

1

whee30

I'm sure I could just hunt eBay and find something but if there's a industry standard tool that might look better on the expense report

might not be what you are looking for but some interesting research in regards to magstripes: https://samy.pl/magspoof/

1

I'm using KAPE on a arsernal recon mounted E01 image that I know has Itunes backups. When I run KAPE with the Itunes backup target enabled, it doesn't see the backups? Any ideas as to the cause of this? I've checked the target options and the filepath is referenced. Kind regards

Deleted User

might not be what you are looking for but some interesting research in regards to magstripes: https://samy.pl/magspoof/

Cool post! The bit where he dips the CC into the metal dust to reveal the barcode is really cool.

2

whee30

Cool post! The bit where he dips the CC into the metal dust to reveal the barcode is really cool.

Kamkar is a really smart guy. You might remember the MySpace worm years ago that kept adding everyone as a friend to a certain account. That was him.

@Nuix hey there, any chance to dm me about search and tag json format ? Many thanks

@ForensicDev You'll have fun with this one. Hopefully you have the right password - though there are options if you don't. First, regarding your writeblocker question - if I recall correctly, you can't use the built-in unlocker successfully through a writeblocker. So, you need an image or a clone. Shuck your drive - is your My Passport a model with an integrated USB interface, or is it SATA with a plug-in USB adapter?

MrMacca (Allan Mc)

I'm using KAPE on a arsernal recon mounted E01 image that I know has Itunes backups. When I run KAPE with the Itunes backup target enabled, it doesn't see the backups? Any ideas as to the cause of this? I've checked the target options and the filepath is referenced. Kind regards

make sure to update the targets, I think @Andrew Rathbun changed/pushed something today (edited)

stark4n6

make sure to update the targets, I think @Andrew Rathbun changed/pushed something today (edited)

That was as a result of this

Andrew Rathbun

That was as a result of this

I had a feeling but wanted to make sure haha

stark4n6

make sure to update the targets, I think @Andrew Rathbun changed/pushed something today (edited)

2

whee30

Cool post! The bit where he dips the CC into the metal dust to reveal the barcode is really cool.

Agreed...I never knew that!

@Magnet Forensics Hi, I have a question regarding "baseband date/time" timestamps for a battery status from the PowerLog (iOS). Do you have an article more in depth about this or do you have time to answer a question?

For anyone familiar with the iOS KTX files, do you know if iOS creates two at the exact same time, one in light mode and one in dark mode? The timestamps on them are the exact same but one shows a light background and one shows a dark background. This is regarding the recent apps.

seems like that makes sense... do you see any without a paired image?

6:43 AM

anything different about the directory or naming convention? It would make sense to generate those up front for when your night mode kicks on so the phone doesn't have to render all of the "active" ktx files all at once

Hello everyone, a new comer here

2

Welcome!

Kinda serious question for anyone UK-based. Any word from Kevin Beaumont? https://mobile.twitter.com/GossiTheDog

Kevin Beaumont (@GossiTheDog)

cybersecurity pleb

my tweets are severely limited by my lack of understanding of what I am doing.

Tweets

75949

Followers

117700

7:45 AM

No activity since 12/31.

That is unusual.

Yeah, he's usually super active.

whee30

anything different about the directory or naming convention? It would make sense to generate those up front for when your night mode kicks on so the phone doesn't have to render all of the "active" ktx files all at once

Appears that they probably do that. On another device, an iPad, theres actually several KTX images, in dark mode and light mode, but also different orientation and some are labeled as downsampled. Maybe they just generate them all at once so that they can use the correct one for any scenario.

And a good dude full of good info.

Oh yeah. He's high on the list in my twitter feed.

LinkedIn also quiet since then

7:52 AM

Hopefully he's taking a well-deserved vacation after his exceptional log4j efforts.

3

Ok, I found a coworker of his and they're gonna check on him.

1

Any tips or tutorials for case report writing? [US]

DFE Travis

Any tips or tutorials for case report writing? [US]

https://www.youtube.com/watch?v=sUwfqk293xU https://www.youtube.com/watch?v=1jNVDADwqf0

SANS Digital Forensics and Incident Response

Reporting for Digital Forensics | Jason Wilkins

DFIRScience

DFS101: 4.4 Documentation and Reporting for Digital Investigations

1

Amazing, thank you

dfa_adam

@ForensicDev You'll have fun with this one. Hopefully you have the right password - though there are options if you don't. First, regarding your writeblocker question - if I recall correctly, you can't use the built-in unlocker successfully through a writeblocker. So, you need an image or a clone. Shuck your drive - is your My Passport a model with an integrated USB interface, or is it SATA with a plug-in USB adapter?

@dfa_adam thanks. Didn't even think of making a clone onto one of our MyPassport USB drives. Will give that a try. The drive is a 2.5" MyPassport with a USB 3.0 <> SATA adapter.

ForensicDev

@dfa_adam thanks. Didn't even think of making a clone onto one of our MyPassport USB drives. Will give that a try. The drive is a 2.5" MyPassport with a USB 3.0 <> SATA adapter.

Okay, if the drive itself is SATA, you're in luck. That saves you a bunch of soldering to bypass the integrated usb that is on some my passports. Remove the drive from the enclosure, and take a look at the chip on the bridge. It's likely a JMS538S, but it could be an initio, symwave, or plx chip. Remove your bridge and image the drive. You should also check out the reallymine repo on GitHub, as well as the linux-mybook-tools repo. They'll provide a lot of in-depth info and tools to unlock your drive (or an image of it) on Linux. If you run into any other issues, let me know.

Morning all, if anyone uses Eurofins, please DM me.

Hey, anyone that knows how reliable locations from My Eyes Only are from snapchat?

dushe

Hey, anyone that knows how reliable locations from My Eyes Only are from snapchat?

Take them with a pinch of salt, they could be falsified on Android/jailbroken iOS. If possible use OSINT to verify the location

@dushe What Matt said and I would add that recent iOS feature allow for less accurate locations via the iOS if you choose.

What does an informational interview for a digital evidence lab internship entail?

PolePuma

What does an informational interview for a digital evidence lab internship entail?

#training-education-employment try in there or #dfir-recruitment

Jobbins

#training-education-employment try in there or #dfir-recruitment

Thanks!

Hello everyone I am in quite a unique situation here so let's get right into it. I been researching ways to start a startup business and in my research I know I want to approach this with a Craftsman mindset of selling digital products and improving on said product until I can eventually sell it off to the highest bidder. Now my problem lies in that I am not sure what vehicle I want to use for my prototype like on one hand i was super set on making a web app and doing a zero to hero thing by learning flask/Django and I still intend on learning flask but I am also in a network security co-op or internship and I want to use that expertise or knowledge that I will learn from there into my own MVP. So in a weird way I am torn I want to get really good at a skill that will help me build my prototype for my business but I want to know what will be the best course of action should I combine both or choose one and go with it. (edited)

This isn't a SaaS startup forum, you're better off on another Discord channel (or posting it in another off-topic channel)

Great post by @Brett Shavers . I'm guilty of not documenting things I've done and I need to get on it! https://brettshavers.com/brett-s-blog/entry/there-are-only-two-things-that-set-you-apart-from-another-dfir-practitioner

There are Only Two things That set you Apart from Another DFIR Prac...

Two things that set you apart from other practitioners are (1) what you know and (2) what you can do. In this litigious world where court...

I was looking to review YouTube Videos on Discord, when I came across one that I suggest that you also view in-order to get a security view on the Social Media -- If you have Privacy and Security Concerns in the use of Discord (does this group have concerns of ?), then you may want to review this video < https://www.youtube.com/watch?v=oHCK3NKFBW4 >

Techlore

The Dark Side of Discord (And best Solutions and Alternatives!)

1

Harvey

I was looking to review YouTube Videos on Discord, when I came across one that I suggest that you also view in-order to get a security view on the Social Media -- If you have Privacy and Security Concerns in the use of Discord (does this group have concerns of ?), then you may want to review this video < https://www.youtube.com/watch?v=oHCK3NKFBW4 >

not watched the video link yet but I've always has misgivings about how data farming was conflated with security concerns. Discord for some time asked permission to monitor your prv msgs, under the guise of keeping you safe. the wording was also suss, ie something like "you like to live dangerously" or some such, if you declined to be "protected". like any business, the sole purpose is to generate profit, it's just that the morals/ethics/scruples tend to matter less to companies nowadays.

10:02 AM

every now and again some settings would revert. so with Discord (and W10), i make regular checks as to what they've reset. always assuming they actually comply with your own settings, which i suspect some don't (edited)

Digitalferret

not watched the video link yet but I've always has misgivings about how data farming was conflated with security concerns. Discord for some time asked permission to monitor your prv msgs, under the guise of keeping you safe. the wording was also suss, ie something like "you like to live dangerously" or some such, if you declined to be "protected". like any business, the sole purpose is to generate profit, it's just that the morals/ethics/scruples tend to matter less to companies nowadays.

A regulatory fine is a surcharge we pay to do what we want anyway. It’s all part of the business.

Digitalferret

not watched the video link yet but I've always has misgivings about how data farming was conflated with security concerns. Discord for some time asked permission to monitor your prv msgs, under the guise of keeping you safe. the wording was also suss, ie something like "you like to live dangerously" or some such, if you declined to be "protected". like any business, the sole purpose is to generate profit, it's just that the morals/ethics/scruples tend to matter less to companies nowadays.

You said, " like any business, the sole purpose is to generate profit, it's just that the morals/ethics/scruples tend to matter less to companies nowadays. " But when did it become Only for profit and not for providing something that is needed and solves a need for business and/or community ? I understand, but it use to be also about doing the right and ethical way of business. Taking the community and the people in it in consideration. When did it change to be anything goes as long as it is not Criminal and to gain as much profit regardless. It has been a long and slow change, but you would have been somewhat blind if you did not see this coming (Only Profit for Profit sake)...

conf1ck3r

A regulatory fine is a surcharge we pay to do what we want anyway. It’s all part of the business.

So it is Ok to pass this accumulated expense and pass it along to the consumer all in the name of just doing Business, right ? The only right is that you are doing business and not a Good business ? Help me to understand.

9:11 PM

Is it right for Discord to record everything and that they claim it for their own and then to sell this collected communications / information to the next buyer without anyone's say on all of these Servers ? (edited)

Oh no. I wasn’t trying to argue right vs wrong. I’m just telling you the actual arguments I’ve heard when discussing things with the lawyers. A fine is just a “do what I want tax” when the bad behavior has some sort of negative consequences and it makes you enough money to not worry about the consequences. (edited)

conf1ck3r

A regulatory fine is a surcharge we pay to do what we want anyway. It’s all part of the business.

yep, a bit like the old UK TV series "Porridge" (jail time). the judge tells him that he takes prison as an occupational hazard. for those that can generate so much money (from a single job say) they will "take the hit" regardless. much like a Newspaper publishing a scoop before establishing the truth of it. (unlike Cronkite who was diligent in waiting for facts to be established regardless of pressure to go to News) (edited)

Harvey

You said, " like any business, the sole purpose is to generate profit, it's just that the morals/ethics/scruples tend to matter less to companies nowadays. " But when did it become Only for profit and not for providing something that is needed and solves a need for business and/or community ? I understand, but it use to be also about doing the right and ethical way of business. Taking the community and the people in it in consideration. When did it change to be anything goes as long as it is not Criminal and to gain as much profit regardless. It has been a long and slow change, but you would have been somewhat blind if you did not see this coming (Only Profit for Profit sake)...

doing the right thing is irrelevant (as a business) if the process does not make profit. Food for instance. originally the basic product say, was made as a form of nutrition. the food came first and if it could be sold for money, then that was good. now "added value" food starts with "is it profitable?" and has far less concern as to nutritional value: (convenience v time, say). end result is manufacturers providing a product that has entirely dubious benefit to the consumer but makes good money. the recognisable turning point in some is when a small business sells to "bean counters

2:41 AM

who are detached from the process.

2:42 AM

maybe continue in #off-duty as we are deviating from dfir? (edited)

Hello, i need some advice to formulate a research question on the topic of cyberforensics/network forensics or computer forensics, does anyone wanna help and discuss, feel free to DM me!

conf1ck3r

Oh no. I wasn’t trying to argue right vs wrong. I’m just telling you the actual arguments I’ve heard when discussing things with the lawyers. A fine is just a “do what I want tax” when the bad behavior has some sort of negative consequences and it makes you enough money to not worry about the consequences. (edited)

I'm sorry for the misunderstanding, but it seemed to offer the chance to be understood in that manner. Lef me ask, how do you feel these fines change things ? Does it affect small to mid-size firms the same as large ? I do not believe so and thus my comment. So dependent upon the size of the firm, a fine will have varying results (some of what we would want and for larger, just the cost of doing business)...

Digitalferret

maybe continue in #off-duty as we are deviating from dfir? (edited)

Sorry for the way that this information that I provided has deviated. I am still interested in views After member's finally view the video And the information that is presented about how Not secure direct use of Discord via an app versus Use through (the suggestion) of use by and through a Browser. Also, What about their suggested Alternatives.

So to update my personal situation, and I maybe off by posting this and apologize in advance, I have found out this morning that there is an individual who was trying to "recruit" my baby sister into providing CP to him starting from the time she was 13 years old, and it is ongoing, he says he is American from Texas. I don't even know how to ask this question as being it's a family member, I am a bit perplexed. I think I need advice on this one, please help me. If anyone in Toronto can help me via pm or here in general I don't mind, I would be grateful. @Law Enforcement [Canada] I need to hand off my sisters phone to the correct cyber division, and make sure it get's into the right hands for analysis, and tbh the constable that originally handled the case is a rookie, I don't want this evidence getting lost in the void for lack of experience, being that it was overlooked the firs time around.. I am in Toronto currently, is there a specific division I can go to, that I can directly hand it off? I don't know if Peel has the expertise this situation requires. Please help.

@CLB-Paul @forensicmike @Magnet might be able to assist too even though they were in different parts of Canada

1

That would be amazing, her mother is handing me off the phone this afternoon, she contacted me, I plan on taking an image as soon as I get it before I hand it off, at the least a full backup of the device.

ryd3v

That would be amazing, her mother is handing me off the phone this afternoon, she contacted me, I plan on taking an image as soon as I get it before I hand it off, at the least a full backup of the device.

Just consider the image LE needs to try and make their case before you go doing anything to that phone. It is evidence and as little as you can do to it before LE gets their image the better

The constable isn't necessarily the person that will dump the data fromm your sisters phone. He will take it through the proper channels i.e to a trained DMFT tech or a DFU. Rookie or not, that's in their training with chain of custody (edited)

Andrew Rathbun

Just consider the image LE needs to try and make their case before you go doing anything to that phone. It is evidence and as little as you can do to it before LE gets their image the better

100% anything with regards to the handoff I should do, to keep the COC

Shotty_2_Hotty

The constable isn't necessarily the person that will dump the data fromm your sisters phone. He will take it through the proper channels i.e to a trained DMFT tech or a DFU. Rookie or not, that's in their training with chain of custody (edited)

100%, just first time around, they didn't do that , even-though they had the device

12:38 PM

Also the OIC is off until, tomorrow , but I have to pick up the phone today

It may be wise to data mine your sister's brain for info on this guy. Usernames, apps used, timeframes, anything related to a personal description of him etc

1

12:39 PM

If LE has to do a search warrant for comms that are owned by some company then they're going to need specific information for the purpose of a search warrant/MLAT

100%

12:42 PM

may I share the pic that has got my attention? it is a message which he divulges some information regarding him. tbh I am kinda stunned xD

ryd3v

may I share the pic that has got my attention? it is a message which he divulges some information regarding him. tbh I am kinda stunned xD

This is a public forum so it's your call but if you feel more comfortable via dm then you can do that too

it's cool, nothing graphic, we can always delete later , to say the least, it's got my attention, as he states he owns a "Cyber Security" company

12:44 PM

12:45 PM

the pic was sent to me from the mother just a half hour ago, so I'm trying to prepare my next steps

12:45 PM

keep in mind, she was 13 years old at this date

Hope things get better for you and your family @ryd3v :) @Shotty_2_Hotty is right, the person accepting in the phone might be clueless, hopefully the person working the phone isn't though.

So I'm a little on fire atm

RubberDucky

Hope things get better for you and your family @ryd3v :) @Shotty_2_Hotty is right, the person accepting in the phone might be clueless, hopefully the person working the phone isn't though.

1005%Thank you brother (edited)

So after some thought, the plan I've come up with is to record the handoff from the mother, then drive the device to TPS and hand off to the OIC, I think that dots all the i's and crosses the tee's

Anyone familiar with Recon Imager for MacBooks?

@Law Enforcement [USA] Has anyone served Sony (PlayStation) with legal process? I have done my fair share of search warrants, but Search.org says to contact Corporation Service Company ("CSC") to serve them. When I contacted CSC they said I needed to serve their representative in my state via personal service or a recognized mailing system (certified mail?), they would not accept service via fax or email. Just making sure this is correct, because I have yet to serve a digital warrant via snail mail, and it seems odd to do so for a large company like Sony. (edited)

FullTang

@Law Enforcement [USA] Has anyone served Sony (PlayStation) with legal process? I have done my fair share of search warrants, but Search.org says to contact Corporation Service Company ("CSC") to serve them. When I contacted CSC they said I needed to serve their representative in my state via personal service or a recognized mailing system (certified mail?), they would not accept service via fax or email. Just making sure this is correct, because I have yet to serve a digital warrant via snail mail, and it seems odd to do so for a large company like Sony. (edited)

Haven’t served Sony but we used to have to serve every cell phone company and Facebook that way. They all used one of two law offices and close enough to drive to and serve in person.

2:01 PM

After a court ruling a couple years ago it was no longer necessary.

Joe Schmoe

Haven’t served Sony but we used to have to serve every cell phone company and Facebook that way. They all used one of two law offices and close enough to drive to and serve in person.

I am glad Facebook changed to using an online portal and it is good to know this method has been done before. Thanks!

The latest release of XWays has this in the release notes - does anyone have any resources about the new EXIF format? "Improved PNG screenshot identification. In particular, a new Exif format is supported that is used mainly for Android screenshots. This allows to verify whether such Android screenshots are original."

FullTang

I am glad Facebook changed to using an online portal and it is good to know this method has been done before. Thanks!

One judge wouldn’t sign any search warrants if there wasn’t a local agent to serve. He said he didn’t have jurisdiction outside the state. Luckily that’s been addressed.

1

FullTang

@Law Enforcement [USA] Has anyone served Sony (PlayStation) with legal process? I have done my fair share of search warrants, but Search.org says to contact Corporation Service Company ("CSC") to serve them. When I contacted CSC they said I needed to serve their representative in my state via personal service or a recognized mailing system (certified mail?), they would not accept service via fax or email. Just making sure this is correct, because I have yet to serve a digital warrant via snail mail, and it seems odd to do so for a large company like Sony. (edited)

It's been a few years, but their rep was a local attorney. Dropped off at his office and in a few days Sony called and gave me everything I needed. It was reference Playstation accounts and IP logging.

1

@FullTang Yes, that’s the correct process. I spoke with Sony legal counsel who confirmed this when I served a search warrant for PSN records last year. After getting the SW signed by my local judge, I mailed it certified USPS to my state’s CSC location which you can look up. It took a few weeks but eventually got emailed results direct from Sony pertaining to the SW. https://www.cscglobal.com/cscglobal/pdfs/CSC-registered-agent-addresses.pdf just mail to the closest location in your state.

zc823

@FullTang Yes, that’s the correct process. I spoke with Sony legal counsel who confirmed this when I served a search warrant for PSN records last year. After getting the SW signed by my local judge, I mailed it certified USPS to my state’s CSC location which you can look up. It took a few weeks but eventually got emailed results direct from Sony pertaining to the SW. https://www.cscglobal.com/cscglobal/pdfs/CSC-registered-agent-addresses.pdf just mail to the closest location in your state.

Excellent, thank you! I would think that a big company like Sony would have an online portal or accept service via email/fax, but I guess not.

ryd3v

Click to see attachment 🖼️

SnapChat? Or am I getting rusty? Lol

Yeah that’s Snapchat

1

FullTang

Excellent, thank you! I would think that a big company like Sony would have an online portal or accept service via email/fax, but I guess not.

Of course! I know right? Isn’t it 2022? You should be good getting results that way. Hopefully they work out for your case.

2

ryd3v

the pic was sent to me from the mother just a half hour ago, so I'm trying to prepare my next steps

just a little bit of advice, dont have the mum send you anything that can be considered illegal i.e. csam pics etc. (even if its her own daughter). Both the mother/you would technically be committing an offence yourselves if you did.

2

1

3:09 PM

At least the way we do things over here, is to recommend they just leave things as they are and we'll arrange with the victim (or guardian based on age) to do a phone download and then wipe the phone if needed and return said phone ideally within 48hrs to victim/guardian

1

DefendingChamp

Anyone familiar with Recon Imager for MacBooks?

I’m testing recon out right now. What questions do you have?

Andrew Rathbun

SnapChat? Or am I getting rusty? Lol

You got it right on the head haha

Rob

just a little bit of advice, dont have the mum send you anything that can be considered illegal i.e. csam pics etc. (even if its her own daughter). Both the mother/you would technically be committing an offence yourselves if you did.

100%, I know this as well and nothing was sent to me directly, this pic came from my Dad

Rob

At least the way we do things over here, is to recommend they just leave things as they are and we'll arrange with the victim (or guardian based on age) to do a phone download and then wipe the phone if needed and return said phone ideally within 48hrs to victim/guardian

100%, don't think they will wipe the device, but it was handed of to the OIC just an hour ago, so hopefully all goes well with their investigation. I'm staying out of it

1

forensicMouse

I’m testing recon out right now. What questions do you have?

Under Recon Imager for a Macbook, the volumes listed are Macintosh HD - Data disk1s1 vs Macintosh HD- disk1s5. Both have the same size. Does it matter which one gets imaged? Is there a difference? Google is giving conflictng answers.

I got a bit of a strange question but here goes Does anyone know if there is any research done on what thumb people usually use for each position on a locked screen when unlocking phones in general ? I got a case where we can possible see each thumb press for the unlock on surveillance but where it is impossible to determine exactly what is being pressed. My thinking is that humans probably are more likely to use the different thumbs for different numbers which in this case might be used to create better brute force candidates. This might be totally a rabbit hole with no real answer but I thought I would throw the question in here! maybe some1 has had a similar case

I'm looking for a way to export a report in Autopsy that would give me the exact same result as the "Files - Text" CSV does, but WITH every folder as well. Because it only does files it seems to skip folders that are empty, I want the folders to be part of the list, not only listed as a parent of a file (kinda like treating any folder like a file). Anyone has a take on this, or could point me in some direction? (edited)

it seems someone is claiming they're coming back to target more security analysts. https://twitter.com/campuscodi/status/1483084191864655878

Catalin Cimpanu (@campuscodi)

Someone claiming to be LeakTheAnalyst is threatening to expose data from security firms

7:27 AM

I think I found the video in question https://www.youtube.com/watch?v=D2aZPwEESPE

Lorensia Kulik

LeakTheAnalyst

7:28 AM

Video ends implying they're coming after Syborg SentinelOne Verint McAffee CheckPoint Trendmicro PaloAlto F5 Clearsky CyberArk

7:29 AM

Warning: wild speculation ahead So Russian intel likes to resurrect past hacktivist operations and masquerade. We saw this with guccifer 2.0 and Syrian cyber army turning out to be Ivan. They also like to do stuff around civil rights holidays in the US. Blue leaks targeted the fusion centers and was dumped in honor of Juneteenth in 2020. Today is obviously MLK day. Didn’t some of those orgs have problems related to solarwinds? Lots of coincidence here… (edited)

Anyone know if an outlook profile contains any artifacts related to delegation changes? Checked server side logs and they have already rotated.

Hi i am having a problem with regripper when i run perl ./rip.pl -r reghive.e01 -f all > report.txt i get error on all plugings not found how can i fix this

@Alvo would suggest reading the documentation about what file types regripper supports and what file type you've provided it

I have tried with all other file formats buts still same error @randomaccess

All?

Sorry not all i meant to say different

Right. What is an E01 file?

Even changing the -f to a -p while specifying one plugin still get an error

3:26 PM

I believe its an encase file obtained from ftk imager

Alvo

Even changing the -f to a -p while specifying one plugin still get an error

Yes this won't do anything. Were working through your problem :) rather than just giving you the answer

Alvo

I believe its an encase file obtained from ftk imager

Yes. And what file type does regrippper say it needs?

4

Let me share a screenshot

1

3:41 PM

3:42 PM

I think that should be a better veiw of both erros @randomaccess

Oh I know exactly why it's not working

3:42 PM

But I want you to figure that out

How can i fix that

What file type does regrippper expect?

I want to say a raw file but i am not quite sure its my first time working with regripper

That's ok

3:44 PM

Have a look at the first comment in the code

Hive file

Yep. And an E01 or RAW/DD is what?

I know DD is a raw image

3:53 PM

E01 is encase so it means i would have to convert the E01 to DD or something of the sort because i know a raw file would work with volatility

Volatility is for memory images

3:54 PM

You don't need to convert it. You'll just need to figure out how to open the disk iamge to get the registry hives out

But i have seen people use it to get data from .raw files

3:57 PM

I have opened it with autopsy but the file is to big and jumbled up and the rip.pl documentation show i can open the EO1 file and specify the -f system and rip the information regarding the system and grep what i need from that and also autopsy takes quite some time to parse through the file and give me output (edited)

You can open an e01 as a disk image with autopsy

4:00 PM

It sounds like you've opened it as a file

4:00 PM

Otherwise you can mount an e01 using ewfmount

No i selected disk image file

Or open it as. Adisk image with ftk imager which is a windows based tool

I tried mounting with ewfmount but when i use mmls to get the offsets it gives another different error

4:04 PM

Both ftk imager and autopsy work its just that its quite large to go through i have done some research and seen people solve it with regripper unfortunately i get that error about the plugins i have tried it on windows, ubuntu, siftworkstantion and remnux without any luck

When you say work, if you open it with ftk imager can you see the file system?

Yes i mean i see all the file systems it even shows thats its a windows image

That's great! So now you just need to figure out where the registry hives are, and export them so you can parse them with regripper

4:12 PM

Bearing in mind they aren't all in the same place and regripper plugins will tell you which give they're expecting

4:13 PM

(I think that may have changed, I haven't used 3.0 in a while)

3.0 from my experience today hasnt been so helpful one major thing with it is that i checks if the hive i dirty the gui that comes with it has no plugins option

4:15 PM

I guess i would just have to read through all this data then till rip.pl is updated or fixed

Ha you will be waiting a long time for it to be fixed when its probably not broken

4:19 PM

If a hive is dirty it'll still parse it just won't show you the data in the transaction logs

4:20 PM

Harlan isn't adding in transaction log support and states in his documentation how to repair the hives to work

I gues i will have to go about it the hard way for know and read through the documentation more maybe change some if the code in rip.pl

Why do you need to change some code?

I dont know i think that it cant locate the plugins from the error that plugin nit found

Maybe. But as I said before, it doesn't support e01s so you were also giving it the wrong input

4:25 PM

Otherwise you can execute rip.pl and the plugins are all .pl files in the plugins directory

4:25 PM

If there's nothing in plugins then yeah itll fail because regripper needs plugins to work

4:26 PM

https://github.com/keydet89/RegRipper3.0

GitHub - keydet89/RegRipper3.0: RegRipper3.0

RegRipper3.0. Contribute to keydet89/RegRipper3.0 development by creating an account on GitHub.

I have checked some tutorials on youtube as i was looking for a simpler way if doing it and i came across regripper and they showed a guide on how to do it

4:27 PM

The plugins directory was the first thing i checked and to my surprise everything is in there

Heh the next question is what does log4shell have to do with the windows registry

Its the name if the challange as i downloaded it from cyberdefenders.com

But that's a bigger question of "what are you looking for". I'd suggest doing a few things and reporting back Firstly, figure out where your key registry hives are located Then export them in ftki or autopsy Next make sure rr is set up correctly (just download the newest version of GitHub, unzip using 7z, run rip.exe -c - l and see if it gives you a list of plugins). Then try parse some hives

I am basically looking for os information such as ip address domain name assigned user creation dates stuff like that

Well getting the list of plugins from regripper will help let you figure out which hives that data sits in

All plugins are present for some reason i dont know how it breaks

Have you given it a registry hive instead of a disk image?

Because i have seen i can run rip.pl -r .e01 -f system > report.txt then from there i can just grep for os_version and so on

randomaccess

Have you given it a registry hive instead of a disk image?

No i havent the challange come with e01 and nothing more

Right. Go back and look at the steps Ive described

4:35 PM

Youre giving it the wrong input and then saying the tool is broken

Alvo

Because i have seen i can run rip.pl -r .e01 -f system > report.txt then from there i can just grep for os_version and so on

No you can't. That doesn't work (edited)

Okay let me search for a hive file and try it

randomaccess

No you can't. That doesn't work (edited)

Please check this it’s possible https://www.sans.org/blog/regripper-ripping-registries-with-ease/

SANS Digital Forensics and Incident Response Blog | RegRipper: Ripp...

SANS Digital Forensics and Incident Response Blog blog pertaining to RegRipper: Ripping Registries With Ease

Alvo

Please check this it’s possible https://www.sans.org/blog/regripper-ripping-registries-with-ease/

Where am I looking?

Then i gues it need a hive file

1

3

4:46 PM

Okay they have not specified the extension but the syntax is correct

All you need to do is give it the registry file you want to review, give it a location for the report, and select the type of registry file. Then push a button.

This may be slightly different because that's an earlier version of RR. But the -h flag should give you the full command syntax

4:47 PM

Harlans pretty good at documenting these things

Okay can i convert the e01 to hive file

1

No...

To bad them its autopsy for me then

Sure. Autopsy should even run regripper if you choose the right module. From memory you can set it at ingest

Why don't you use FTK to export the hives?

DeeFIR 🇦🇺

Why don't you use FTK to export the hives?

That's what I would do. Or just mount the image with ewfmount or ftk imager

DeeFIR 🇦🇺

Why don't you use FTK to export the hives?

Dint know this was an option will definitely do this

Alvo

Dint know this was an option will definitely do this

I said this like 20 minutes ago ha

randomaccess

That's what I would do. Or just mount the image with ewfmount or ftk imager

Doesnt work for me when i use mmls to get more mount points i get some error

randomaccess

I said this like 20 minutes ago ha

I asked above and you said no

Alvo

Okay can i convert the e01 to hive file

This is me asking

No I didn't

4:52 PM

That's not the same thing

randomaccess

No...

Your answer

You can convert a forensic image to a disk image or another disk/forensic image format (edited)

4:52 PM

But you don't convert a ZIP file to a JPEG

Its just that i used convert instead of export my bad

Ha yes well they're different things

4:53 PM

Think of a disk image as a container

4:53 PM

You need something to open the container, parse the file system, and then you can go find the hive files to export

Funny thing the hint on the challange says that i should use regripper

Sure. It's a good tool for its use case. But you need to use it correctly

Thanks let me export it to a hive file then try and see what happens

1

What's the resolution to this absolute nail-biter of a drama

12

Hi all, has anyone here encountered this issue on iOS devices: Snapchat chat participants are displayed only as hexadecimal strings, with no usernames being identifiable. I looked in the SQL database for Snapchat and the User IDs are all hexadecimals strings in the actual database too, so it isn't a decoding issue

12:53 AM

I've tried different decoding tools and two different extractions, both which gave the same result

12:53 AM

Does anyone know why this might happen?

Alex Owen

Hi all, has anyone here encountered this issue on iOS devices: Snapchat chat participants are displayed only as hexadecimal strings, with no usernames being identifiable. I looked in the SQL database for Snapchat and the User IDs are all hexadecimals strings in the actual database too, so it isn't a decoding issue

You can map guid to username if you check the following files: table "snapchatter" in primary.docobjects, arroyo.db and/or pref.docobjects.

2

Alex Owen

I've tried different decoding tools and two different extractions, both which gave the same result

Sometimes axiom has been able to show the usernames correctly but this is not always the case i have seen.

.karate.

You can map guid to username if you check the following files: table "snapchatter" in primary.docobjects, arroyo.db and/or pref.docobjects.

I've managed to find this now, thank you for pointing me in the right direction

1

man that conversation was master level trolling

1

5:23 AM

you can lead RegRipper to an E01, but you cant make it parse it

1

My Eyes Only (Snapchat) question: Can we get exif data like, device model, from a "video (first frame)" by using the exif tool?

Give it a try. Should work since EXIF data is in the file header (preceding the first frame).

DeeFIR 🇦🇺

What's the resolution to this absolute nail-biter of a drama

Hi everyone, since I am not that experienced with analysing network related log files: I am trying to see when a user was connected to the network. is it safe to assume the machine was up and running in the time frame where I see tons of kerberos authentication messages (ticket requested, granted), login events (tons of "an account was successfully logged on" how does it actually happen that tons of logon events are being created during the day? is it just being automatically verified if the session is still up and then counting as a logon event?), UserID login messages etc. that during those times the machines associated with the user (its the same machine) was connected? I dont have the machine at hand and was able to create a rough timeline of events including when the user started to work. but there are also blanks where I dont see any activity except of mail synchronisations but kinda a few of the events named above. so I am wondering if they still occur, even if the machine would be fully shut down.

https://arstechnica.com/gadgets/2022/01/the-pinephone-pro-brings-upgraded-hardware-to-the-linux-phone/ Has anyone come across a linux phone? I'm curious how the download process would work with one of these

The PinePhone Pro brings upgraded hardware to the Linux phone

Pine64 calls this "the fastest mainline Linux smartphone on the market."

.yuzumi.

Hi everyone, since I am not that experienced with analysing network related log files: I am trying to see when a user was connected to the network. is it safe to assume the machine was up and running in the time frame where I see tons of kerberos authentication messages (ticket requested, granted), login events (tons of "an account was successfully logged on" how does it actually happen that tons of logon events are being created during the day? is it just being automatically verified if the session is still up and then counting as a logon event?), UserID login messages etc. that during those times the machines associated with the user (its the same machine) was connected? I dont have the machine at hand and was able to create a rough timeline of events including when the user started to work. but there are also blanks where I dont see any activity except of mail synchronisations but kinda a few of the events named above. so I am wondering if they still occur, even if the machine would be fully shut down.

Are you looking at the event logs from a Domain Controller? It sounds like it just by what I'm reading here

I had a question from my boss to see if I know of a private firm that does "video enhancement" I didn't know off hand as I only deal with LEO's. Anybody ? PM me if you have some insight.

DCSO

I had a question from my boss to see if I know of a private firm that does "video enhancement" I didn't know off hand as I only deal with LEO's. Anybody ? PM me if you have some insight.

@Amped Software might be able to advise

DCSO

I had a question from my boss to see if I know of a private firm that does "video enhancement" I didn't know off hand as I only deal with LEO's. Anybody ? PM me if you have some insight.

and @iNPUT-ACE

@DCSO I have a few of our private users I have the ok to send information on. I'll send you a message.

2

Anyone had to try and triage an ESXi host? Finding that UAC and Catscale aren't running properly.

Which is better for DF? CS or CE?

codyp915

Which is better for DF? CS or CE?

What is CS or CE?

Andrew Rathbun

What is CS or CE?

Computer engineering=CE Computer science=CS

CS is Cobalt Strike to me so yeah, thanks for the clarification

5

codyp915

Computer engineering=CE Computer science=CS

#training-education-employment BTW. Let's continue there

How much does @Magnet Forensics Axiom leverage the graphics card when processing/examining files? Is it significant enough to spend additional money for an upgrade?

AtomicDI

How much does @Magnet Forensics Axiom leverage the graphics card when processing/examining files? Is it significant enough to spend additional money for an upgrade?

You're using IEF right now then? I think processing is more CPU related since they show all the threads and their individual tasks when processing. If you're going from IEF to AXIOM then there's no comparison IMO. I just did the MCFE for both of them and going back to IEF was like a trip back to the 90s, comparatively

Thank you. I'm currently using Axiom and am a fan of it myself. My laptop died that I run it on and need to replace it. I wasn't sure if I upgraded the graphics card if I would see significant time savings. Everything is pricy theses days.

I think it uses the graphics card for magnet ai

5:07 AM

But not for other processing

5:08 AM

That being said, axiom should be significantly faster than Ief

hi there what do you recommend tryhackme or BTLO or any other platfortm?

AtomicDI

How much does @Magnet Forensics Axiom leverage the graphics card when processing/examining files? Is it significant enough to spend additional money for an upgrade?

agree with both @randomaccess and @Andrew Rathbun , as far as I know (not an engineer) AXIOM only uses GPU directly for AI purposes as mentioned, and perhaps indirectly by some dependencies. if your goal is to optimize for AXIOM processing, you are generally better speccing more/faster RAM + more/faster CPU cores.

forensicmike @Magnet

agree with both @randomaccess and @Andrew Rathbun , as far as I know (not an engineer) AXIOM only uses GPU directly for AI purposes as mentioned, and perhaps indirectly by some dependencies. if your goal is to optimize for AXIOM processing, you are generally better speccing more/faster RAM + more/faster CPU cores.

Thank you all for clarifying. I appreciate the insight.

Hector!221B

hi there what do you recommend tryhackme or BTLO or any other platfortm?

Both good platforms. It depends what you’re after. If you want more blue team BTLO is good. But if you after more of a broad selection THM is good.

DefendingChamp

Under Recon Imager for a Macbook, the volumes listed are Macintosh HD - Data disk1s1 vs Macintosh HD- disk1s5. Both have the same size. Does it matter which one gets imaged? Is there a difference? Google is giving conflictng answers.

Generally disk0 is the physical and disk1 is the APFS container of disk0s2. I would recommend imaging disk1 entirely which includes disk1s1 and disk1s5. They all share the logical space of disk0s2 so it shouldn’t take that much longer and take up more space. I think disk1s5 is a virtual machine of disk1s1 that Mac creates for whatever purpose.

Does anyone know of somewhere I can download an apache web server test image that has been "compromised"? Trying to come up with a training for my team without using actual client data.

chuckych33s3

Does anyone know of somewhere I can download an apache web server test image that has been "compromised"? Trying to come up with a training for my team without using actual client data.

https://github.com/ashemery/LinuxForensics/tree/master/Workshops/Case1

LinuxForensics/Workshops/Case1 at master · ashemery/LinuxForensics

Everything related to Linux Forensics. Contribute to ashemery/LinuxForensics development by creating an account on GitHub.

(I'm assuming you're answering your own question and not asking where to download the case data for this?)

1

forensicMouse

Generally disk0 is the physical and disk1 is the APFS container of disk0s2. I would recommend imaging disk1 entirely which includes disk1s1 and disk1s5. They all share the logical space of disk0s2 so it shouldn’t take that much longer and take up more space. I think disk1s5 is a virtual machine of disk1s1 that Mac creates for whatever purpose.

Got it! Thank you! I was double checking since the size were the same. Odd.

Question: I've moved into a more LEO organization and wanted to know how you all cope with seeing images and videos of some pretty terrible stuff. Like do you have counselors at your place of employment that you can talk to? A support group? If not, what are some of your coping mechanisms. Looking for ideas to implement at the start of my career

DFE Travis

Question: I've moved into a more LEO organization and wanted to know how you all cope with seeing images and videos of some pretty terrible stuff. Like do you have counselors at your place of employment that you can talk to? A support group? If not, what are some of your coping mechanisms. Looking for ideas to implement at the start of my career

https://discord.com/channels/427876741990711298/537760691302563843/921370513471856660 is my answer from before and I stand by it

Andrew Rathbun

https://discord.com/channels/427876741990711298/537760691302563843/921370513471856660 is my answer from before and I stand by it

Thanks man, I've been here on this server since I was a student. Can't believe I'm finally starting in my dream job of a federal level LEA as a DFE. I'm sure you'll see me here tons more now. I'll be using Axiom, which I read now has some officer wellness tools, hopefully that works too.

3

DFE Travis

Thanks man, I've been here on this server since I was a student. Can't believe I'm finally starting in my dream job of a federal level LEA as a DFE. I'm sure you'll see me here tons more now. I'll be using Axiom, which I read now has some officer wellness tools, hopefully that works too.

Really awesome to hear you've been here so long and are still here. Happy to have you and don't hesitate to check in with us since a lot of us have done what you're about to do (re: viewing potentially horrible things)

1

DFE Travis

Question: I've moved into a more LEO organization and wanted to know how you all cope with seeing images and videos of some pretty terrible stuff. Like do you have counselors at your place of employment that you can talk to? A support group? If not, what are some of your coping mechanisms. Looking for ideas to implement at the start of my career

In addition to Andrew's post, try not to view the terrible stuff towards the end of the day. Give yourself a at least a few hours before you end your shift and go home to your family so you don't go directly from terrible images to everyday life.

1

Hector!221B

hi there what do you recommend tryhackme or BTLO or any other platfortm?

HackTheBox

ryd3v

HackTheBox

yeah but i think it's more red teaming

Hector!221B

yeah but i think it's more red teaming

There’s some forensics challenges

Hector!221B

yeah but i think it's more red teaming

https://socvel.com has some perpetually running BlueTeam CTFs; they give you a bunch of logs from a Windows host and ask a bunch of questions

DFE Travis

Question: I've moved into a more LEO organization and wanted to know how you all cope with seeing images and videos of some pretty terrible stuff. Like do you have counselors at your place of employment that you can talk to? A support group? If not, what are some of your coping mechanisms. Looking for ideas to implement at the start of my career

Keeping balance is key. What happens in the office must always stay there and people who have not seen and done the things you have, will never understand or be able to empathise. Which is understandable. If you do not have a hobby, find something you enjoy and send it. When struggling, talk to someone, either a colleague or professional. Congratulations on the new role

1

This is the best place I could think of to ask this: Is it illegal in the EU to download publicly available database dumps of breaches? rockyou.txt came out of such a dump and every offsec person has this file on their pc. Anyone knows the legislation here?

Skusku

This is the best place I could think of to ask this: Is it illegal in the EU to download publicly available database dumps of breaches? rockyou.txt came out of such a dump and every offsec person has this file on their pc. Anyone knows the legislation here?

If it's illegal anywhere, that's a perfect example of law in the books vs law in practice. Are prosecutors really going to charge millions of people at this point with possession of something that's illegal? Kinda like MP3 and Movie Piracy. They try to cut the head off the snake. I'm guessing since rockyou.txt is being hosted so freely around the web and it's not like whack a mole to find a site that's hosting it this very minute, it's likely not illegal. Not a lawyer, not in the EU, but just my personal opinion on the matter, for what it's worth

1

Thanks, yes that sounds reasonable, just looking for some opinions of people who are close to this topic

not sure, but your question reminds me of this fun github convo

11:02 AM

https://github.com/danielmiessler/SecLists/pull/155

Remove my password from lists so hackers won't be able to hack me b...

Skusku

This is the best place I could think of to ask this: Is it illegal in the EU to download publicly available database dumps of breaches? rockyou.txt came out of such a dump and every offsec person has this file on their pc. Anyone knows the legislation here?

https://www.al.com/news/2015/08/is_it_illegal_to_download_the.html

In other words, the legal community is split on the issue of whether someone could be charged and convicted of crimes for downloading illegally obtained files such as those contained in the Ashley Madison data dump could be charged and convicted of crimes. Proceed at your own risk.

not EU but both sides of the argument, and pretty solid. consensus: don't put yourself in the position of a test case. EU/UK folks have been had for another publicly available bit of kit - an4rchists c00kbook. (edited)

1

Looking to upgrade some writeblocker hardware, anyone have favorites? Most I've seen are still operating over USB 3.0 speed wise

rayeh

not sure, but your question reminds me of this fun github convo

I think they also asked to rename the streisand-effect to dolphins-effect

1

stark4n6

Looking to upgrade some writeblocker hardware, anyone have favorites? Most I've seen are still operating over USB 3.0 speed wise

depends on how much you want to spend but have you considered imaging hardware such as Deepspar and associated addons? not cheap tho it also covers drive instability, bad sectors and so on

Digitalferret

depends on how much you want to spend but have you considered imaging hardware such as Deepspar and associated addons? not cheap tho it also covers drive instability, bad sectors and so on

Like Guardonix?

Digitalferret

depends on how much you want to spend but have you considered imaging hardware such as Deepspar and associated addons? not cheap tho it also covers drive instability, bad sectors and so on

Honestly we have some spend to use to looking for probably something like Tableau's, Weibetech, etc. something that can handle multiple input types (SATA/NVME/IDE) mostly

stark4n6

Honestly we have some spend to use to looking for probably something like Tableau's, Weibetech, etc. something that can handle multiple input types (SATA/NVME/IDE) mostly

i was thinking the full shmoo, like DDi4 - SATA/native connections

but the rest of the kit options inc usb stabilizer / Guardonix you can tailor features v expenditure and so on, too (edited)

Hi all, I'm looking for links/sites that "index" forensic/IR tools and resources. We all have methods for tracking the insane amount of information out there, and a while back, I saw a post (Twitter, I think) during a SANS community event that included a nice spreadsheet of resources. Looking back, it looks like I failed to bookmark it, but it came to mind this morning. A couple of examples of what I'm rambling about are: https://start.me/p/q6mw4Q/forensics and https://docs.google.com/spreadsheets/d/18rtqh8EG2q1xBo2cLNyhIDuK9jrPGwYr9DI2UncoqJQ/edit#gid=930747607

IAwardYouNoPoints

Hi all, I'm looking for links/sites that "index" forensic/IR tools and resources. We all have methods for tracking the insane amount of information out there, and a while back, I saw a post (Twitter, I think) during a SANS community event that included a nice spreadsheet of resources. Looking back, it looks like I failed to bookmark it, but it came to mind this morning. A couple of examples of what I'm rambling about are: https://start.me/p/q6mw4Q/forensics and https://docs.google.com/spreadsheets/d/18rtqh8EG2q1xBo2cLNyhIDuK9jrPGwYr9DI2UncoqJQ/edit#gid=930747607

@DFIRDetective is the one who put those together!

IAwardYouNoPoints

Hi all, I'm looking for links/sites that "index" forensic/IR tools and resources. We all have methods for tracking the insane amount of information out there, and a while back, I saw a post (Twitter, I think) during a SANS community event that included a nice spreadsheet of resources. Looking back, it looks like I failed to bookmark it, but it came to mind this morning. A couple of examples of what I'm rambling about are: https://start.me/p/q6mw4Q/forensics and https://docs.google.com/spreadsheets/d/18rtqh8EG2q1xBo2cLNyhIDuK9jrPGwYr9DI2UncoqJQ/edit#gid=930747607

Yep that was probably me! https://linktr.ee/dfirdetective should take you to all the SANS summit links I had saved from 2021 and I plan to do it for 2022 when I can as well! (edited)

Andrew Rathbun pinned a message to this channel. 1/21/2022 6:43 AM

rayeh

not sure, but your question reminds me of this fun github convo

This absolute gold

I am looking for any information on NIST standards relating to cell site coverage areas. Anyone have any links for documents they can pass on?

forensicmike @Magnet

agree with both @randomaccess and @Andrew Rathbun , as far as I know (not an engineer) AXIOM only uses GPU directly for AI purposes as mentioned, and perhaps indirectly by some dependencies. if your goal is to optimize for AXIOM processing, you are generally better speccing more/faster RAM + more/faster CPU cores.

Can you say how AXIOM uses the AI with a GPU and what would be the best configuration for performance throughput ?

Rese4rch_4D

Both good platforms. It depends what you’re after. If you want more blue team BTLO is good. But if you after more of a broad selection THM is good.

Can you help with translation of "BLTO" & / or "THM" ..

DCSO

?? TCL A509DL MTK 6765 file based Android 11 - Patched October 2021 I tried MTK Live and filesystem MTK nothing

Thoughts ?

Any luck with getting ffs on this device?

Harvey

Can you help with translation of "BLTO" & / or "THM" ..

BTLO is Blue Team Labs online and THM - is TryHackMe.

Rese4rch_4D

BTLO is Blue Team Labs online and THM - is TryHackMe.

Thanks for this explanation. We can get into our own use of abbreviations ..

Digitalferret

i was thinking the full shmoo, like DDi4 - SATA/native connections

I haven't heard of this device, but I do believe that we need to maintain the ability to connect to even old Tech due to the habit of Corp to create a system and as long as it keeps working, they do not replace it. So it could be 10 or more years old. So if you have older device that work keep them and make them available when called upon.

stark4n6

Honestly we have some spend to use to looking for probably something like Tableau's, Weibetech, etc. something that can handle multiple input types (SATA/NVME/IDE) mostly

Which Vendor should be considered for these types of devices, May I ask ?

forensicmike @Magnet

agree with both @randomaccess and @Andrew Rathbun , as far as I know (not an engineer) AXIOM only uses GPU directly for AI purposes as mentioned, and perhaps indirectly by some dependencies. if your goal is to optimize for AXIOM processing, you are generally better speccing more/faster RAM + more/faster CPU cores.

Is there any other DFIR Software that seems to be designed in this manner ?

11:39 AM

I leave now but will return much later ...

Digitalferret

https://www.al.com/news/2015/08/is_it_illegal_to_download_the.html

In other words, the legal community is split on the issue of whether someone could be charged and convicted of crimes for downloading illegally obtained files such as those contained in the Ashley Madison data dump could be charged and convicted of crimes. Proceed at your own risk.

not EU but both sides of the argument, and pretty solid. consensus: don't put yourself in the position of a test case. EU/UK folks have been had for another publicly available bit of kit - an4rchists c00kbook. (edited)

So that would apply to password sites like Dehashed etc., right?

2:41 PM

Or having the large password database comb21 or similar

whee30

So that would apply to password sites like Dehashed etc., right?

i think with all similar things, it depends if someone makes a nuisance of themselves / attracts attention or if an establishment wants to make an example of someone. a lot of illegal activity is "blind eyed" bc it's simply not worth the expense of chasing what are effectively ghosts. password lists on their own is a different thing say, to releasing them with the associated logins, cc details, addresses and more. downloading those and storing might be akin to the police catching someone "going equipped".

3:55 PM

its similar to the old "is a Brick an offensive weapon" scenario. it depends on the circumstance. in the hand of a youth in a nightclub, well yeah. if it's in the hands of a builder on site, then no. Semi amusingly, on a TV police show, some dude is caught walking down the highstreet (UK) with a chainsaw, albeit in its bright orange blade cover. "come with us sonny" "but officer, I'm doing nothing wrong..." and the so long day dragged on

Harvey

I haven't heard of this device, but I do believe that we need to maintain the ability to connect to even old Tech due to the habit of Corp to create a system and as long as it keeps working, they do not replace it. So it could be 10 or more years old. So if you have older device that work keep them and make them available when called upon.

indeed. i still have SCSI / 3½ 1.44MB floppy drives, iOmega Zips, not sure if i have a 5¼ 360k, etc (edited)

Harvey

I haven't heard of this device, but I do believe that we need to maintain the ability to connect to even old Tech due to the habit of Corp to create a system and as long as it keeps working, they do not replace it. So it could be 10 or more years old. So if you have older device that work keep them and make them available when called upon.

the main use for Deepspar kit is to image unstable / bad sector HDDs and more recently drives with USB interface, and now to keep Windows from crashing on SSDs that are flaky by acting as a man in the middle device

Hey all, quick question. I am taking a course on Apple Forensics, and there are some practical questions involved. My question is, is it shady to document what some of the artifacts show on a blog post which I will later be linked to my Linkedin account? I will mention that I am taking a course (more than likely not by name). Does anyone have any opinions on this?

Just to add to my previous post, I am doing this as an attempt to become a better writer and to showcase my passion for Digital Forensics.

xxSuccessful-

Hey all, quick question. I am taking a course on Apple Forensics, and there are some practical questions involved. My question is, is it shady to document what some of the artifacts show on a blog post which I will later be linked to my Linkedin account? I will mention that I am taking a course (more than likely not by name). Does anyone have any opinions on this?

Are you allowed to reproduce the content in that course? Don't do anything that goes against any agreement you signed by taking the course.

Andrew Rathbun

Are you allowed to reproduce the content in that course? Don't do anything that goes against any agreement you signed by taking the course.

That is a good point, I'll review the agreement and move from there. Thanks for the feedback!

1

xxSuccessful-

Hey all, quick question. I am taking a course on Apple Forensics, and there are some practical questions involved. My question is, is it shady to document what some of the artifacts show on a blog post which I will later be linked to my Linkedin account? I will mention that I am taking a course (more than likely not by name). Does anyone have any opinions on this?

Generally the answer is "yes demonstrate what you've learned, but don't share the data that would 'ruin' the class for someone else" For example in the sans 500 class we do an investigation throughout the week. If you shared some of the findings that would make it a lesser experience for someone if they hadn't read your post

11:22 PM

What I generally say is recreate the artifacts, which is an even better way of demonstrating your understanding on top of your communication skills

11:22 PM

"not only can I explain this artifact, look if I push this button this happens"

DFIRDetective

Yep that was probably me! https://linktr.ee/dfirdetective should take you to all the SANS summit links I had saved from 2021 and I plan to do it for 2022 when I can as well! (edited)

Very nice and many thanks!

randomaccess

Generally the answer is "yes demonstrate what you've learned, but don't share the data that would 'ruin' the class for someone else" For example in the sans 500 class we do an investigation throughout the week. If you shared some of the findings that would make it a lesser experience for someone if they hadn't read your post

Thank you for this. I will follow this format.

xxSuccessful-

Thank you for this. I will follow this format.

Send me your blog post when it's written so I can include it in the weekly

randomaccess

Send me your blog post when it's written so I can include it in the weekly

Thank you, I will!

What do y'all use for tracking of physical evidence, drives and such?

there's a lot of different systems but it depends on your use case ranging from a simple spreadsheet to monolith/magnet atlas/cellebrites offering which i forget the name of/lima forensics and a bunch of others

8:50 PM

i like monolith because its fairly cheap per user and the dev is very responsive, we use it for the class that i wrote $dayjob we used to use atlas but it was turning out to be more expensive than we needed for a really big team - but if you had a req to track a lot more than just evidence it was very fully featured

We just do spreadsheets but I'm kind of considering pushing for software or something we can self host ourselces

5:03 PM

It's just evidence but I feel like there's a more "proper" way idk

5:05 PM

Trial by fire baybeeeee

ask matt at monolith for a trial of his tool

If anyone is interested in learning about A/I / Leap (and others), @Brigs is on Life Has No Ctrl Alt Del today at 1230EST.

2

Hey all

Is anyone else unable to locate the "OR" filter in XAMN v7.0.0? @MSAB

@Artemisia (They / Them) Unfortunately the filter had to be removed last minute due to it causing some instability in XAMN when used together with some of the new features in XAMN 7.0. I am happy to discuss this further with you in direct messages in case this feature is sorely missed and take that back to development (edited)

Bye bye AccessData https://twitter.com/AccessDataGroup/status/1485631989025755139 (edited)

AccessData, an Exterro company (@AccessDataGroup)

New Year, New Us! AccessData is changing our name to ExterroFTK!

2

1

Anybody ever do and/or have a Google Keywords search warrant?

@Trashboat667 from my understanding Google would not comply with that as its to broad.

DCSO

@Trashboat667 from my understanding Google would not comply with that as its to broad.

That’s what I’m afraid of. I attended a webinar recently where one presenter was talking about them and he made it sound like he’s had returns on them.

randomaccess

i like monolith because its fairly cheap per user and the dev is very responsive, we use it for the class that i wrote $dayjob we used to use atlas but it was turning out to be more expensive than we needed for a really big team - but if you had a req to track a lot more than just evidence it was very fully featured

Plus one to Monolith, our firm uses it and it’s excellent

Anyone have any idea of the cost for Magnet User Summit this year? Need to request funding soon.

Hi y’all! Question:

11:18 PM

Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, xcb.

Aborted (core dumped)

i am facing this type of error

11:19 PM

Reinstalled and all, any suggests? On how to fix the installation?

Is QT_PLUGIN_PATH pointing to the correct path in your environment variables?

I’m not certain of the answer I’m helping someone out with this and I know here is the place to ask

11:37 PM

If the path is wrong, fix that and off to the races?

11:37 PM

@Deleted User thank you for helping, btw

If it's a Linux machine, try running export QT_PLUGIN_PATH=/usr/lib/qt/plugins first

Alright

11:41 PM

Attempted, no improvement

11:41 PM

Path is set pointing correctly

11:43 PM

Is it due to a broken install or anything?

Is the plugin actually in that directory?

Allegedly so

Are you able to list the contents of the directory to confirm?

Sec

11:46 PM

I received this in response:

robon@ubuntu:~$ env  | grep QT
QT_ACCESSIBILITY=1
QT_IM_MODULE=ibus
QT_PLUGIN_PATH=/usr/lib/qt/plugins

11:46 PM

Not sure if that is even helpful

The error is saying it's unable to locate the plugin so you're going to have to locate it direct it there using that environment variable

1

11:49 PM

These solutions look promising as well https://askubuntu.com/questions/308128/failed-to-load-platform-plugin-xcb-while-launching-qt5-app-on-linux-without

“Failed to load platform plugin ”xcb“ ” while launching qt5 app on ...

I wrote application for linux which uses Qt5. But when I am trying to launch it on the linux without Qt SDK installed, the output in console is: Failed to load platform plugin "xcb". Available

1

Thank you @Deleted User problem is now solved

12:00 AM

Somehow there were dependencies missing

12:01 AM

Dependencies installed, no issues

12:01 AM

Done deal

Awesome. Good to hear.

I’m not sure, wouldn’t you really perforce have to go the route of a handheld or whatever OCR, one that doesn’t need to talk to the Internet?

I've a question, just asking, can we copy/extract files of specific path ( files in system32) in the image using linux commands?

Do you mean in an ewfmounted image? In that case, yes.

Ghosted

Any luck with getting ffs on this device?

No I could only get an Advanced Logical

‍♂️

1

DCSO

No I could only get an Advanced Logical

‍♂️

quite a few of my devices get ffs'd .... uuuh, wait up

Doofenshmirtz

I've a question, just asking, can we copy/extract files of specific path ( files in system32) in the image using linux commands?

You can simply mount the image and copy the directory out, quick and dirty. If you're looking for a command line way, something like "sorter" from the Sleuthkit is a bit more "forensicky" to extract the contents of a specific directory.

Ok guys so here is a good one for you, anyone know if iOS logs any relevant data when it sees an air tags. I've got a concerned individual that thinks she is being stalked because she is getting the notificaion on her phone that "Your current location can be seen by the owner of this item." We've been unable to locate an airtag on her and she doesn't own any. Secondly, does this only happen with airtags or do other bluetooth le devices cause it.

@Chris Chris this can occur with other Apple Devices, its a flaw if you ask me. We had the same issue and I determined it was Apple Airpod Pro that was bluetoothing to the "victims" device. It would mention that a "unidentified accessory" can view your location. https://nerdschalk.com/unknown-accessory-detected-message-alert/

Mudit

Unknown Accessory Detected Near You: What is it, Why Are You Gettin...

Apple has revamped a lot of features with the release of iOS 15 and one of them has been a major overhaul to the Find my app. The app can now track your AirTags, notify you about lost items and eve…

1:00 PM

Look at # 6

Interesting, I'll have the investigator check with her on this

Is there any analysis I can do on a signature on a pdf that wasn’t digitally signed? Aside from looking at the metadata and hash of a file I can’t imagine what else I could do

Chris

Ok guys so here is a good one for you, anyone know if iOS logs any relevant data when it sees an air tags. I've got a concerned individual that thinks she is being stalked because she is getting the notificaion on her phone that "Your current location can be seen by the owner of this item." We've been unable to locate an airtag on her and she doesn't own any. Secondly, does this only happen with airtags or do other bluetooth le devices cause it.

https://medium.com/@Appalachian4n6/airtags-within-ios-file-systems-279dc783b69f

AirTags within iOS File Systems

A brief look at AirTag artifacts within an iOS Filesystem

3

1

@Cellebrite Android Full File System extraction with the latest 7.52 is take over 3+ hours and has not completed it appears to be 1/4 of the way done and its only 30 gigs. Anybody else have issues with this latest release ?

Ross Donnelly

https://medium.com/@Appalachian4n6/airtags-within-ios-file-systems-279dc783b69f

nice

DCSO

@Cellebrite Android Full File System extraction with the latest 7.52 is take over 3+ hours and has not completed it appears to be 1/4 of the way done and its only 30 gigs. Anybody else have issues with this latest release ?

Not sure which phone you're dealing with, but it always took a long time, at least for Samsung devices

DCSO

@Cellebrite Android Full File System extraction with the latest 7.52 is take over 3+ hours and has not completed it appears to be 1/4 of the way done and its only 30 gigs. Anybody else have issues with this latest release ?

How big is the extraction. ? Is the phone fully loaded ?

How-to find which App on an Android 11 Samsung phone has given-up recent information between two (2) friends during a conversation ? What happened, my friend was talking to a friend about his need for an Uninterruptible Power Supply (UPS) for his PC. When they disconnected, his friend received a Pop-up message suggesting a product and saying that it was coming from my Friend, who had just disconnected from his friend and the conversation. Is there any known possible cause of this type of Pop-up and/or is there a suggested tool to help locate this Pop-up ? ?

@Magnet Forensics Anyone from Magnet able to reach out and discuss use cases and which version would best fit those?

Murst

@Magnet Forensics Anyone from Magnet able to reach out and discuss use cases and which version would best fit those?

If you shoot me a message with: 1. your contact details (name, email, phone #) 2. where you're located and 3. which agency / org you belong to I can pass that along to the right person at Magnet to have a chat with you about your use cases!

Mel_Hungate

If you shoot me a message with: 1. your contact details (name, email, phone #) 2. where you're located and 3. which agency / org you belong to I can pass that along to the right person at Magnet to have a chat with you about your use cases!

Thank you!

Good morning. I have a photoDNA question and I'm not sure where else to post it. I have an "Original Binary Hash of File (PhotoDNA)" that I received in a NCMEC file. It is all numbers (224,0,21,3,75,24,12,17,8,50,5,57,12.....etc.) not binary 1s and 0s. After processing all seized devices with Axiom all the image PhotoDNA hashes are a combination of letters and number (Jk0YYB00EjAajx2PqUIfvVUlIGIYwRg...etc.). Is there some sort of conversion that can be done on either hash so I can find a match? Thanks in advance.

CLB-Paul

How big is the extraction. ? Is the phone fully loaded ?

It was a FFS GK 32 Gb Samsung took over 8 hrs to decode. We've never had it take this long, I'll try the extraction with a lower version of UFED PA and see if its quicker and decodes the same amount.

DCSO

It was a FFS GK 32 Gb Samsung took over 8 hrs to decode. We've never had it take this long, I'll try the extraction with a lower version of UFED PA and see if its quicker and decodes the same amount.

Not overly big. Can you shoot me logs via dm if possible

https://twitter.com/rj_chap/status/1486385327702904835 I'm not 100% sure if posting your own Tweet is SUPER lame, or just kinda lame. But here we are :).

Ryan “Chaps” Chapman (@rj_chap)

Want to learn more about the #Log4j #vulnerability in @vmwarehorizon? My awesome co-workers at @BlackBerry have put together a great article! Check out "Log4U, Shell4Me" by Codi Starks, Will Ikard, and Ryan Gibson. https://t.co/jC8X3eohoQ #Log4Shell #vulnerabilities #DFIR

9:19 AM

Drop a link and bounce mode, ACTIVATED!

2

Hi, so I took up a forensics class this sem in my college and I am trying setup a lab env for myself. The course requires me to use Autopsy and FTK Imager. I was thinking of setting up a VM in cloud and wanted some suggestions. I had a look at azure and I do have some student credits there, but is there any better option to setup a cloud instance which is cheap? (edited)

ArcherL

Hi, so I took up a forensics class this sem in my college and I am trying setup a lab env for myself. The course requires me to use Autopsy and FTK Imager. I was thinking of setting up a VM in cloud and wanted some suggestions. I had a look at azure and I do have some student credits there, but is there any better option to setup a cloud instance which is cheap? (edited)

Azure/AWS if you can use your student credits. Are you looking at Linux or Windows? If you're just looking at an isolated environment for something non-malicious such as testing tools on specific datasets (and not performing malware analysis/RE etc) then I'd just setup a virtual machine on your host using virtualbox/vsphere etc.

I am looking for a windows machine, to run autopsy. The course has case studies which after unzipping expand upto 60GB.

2:53 PM

so running a 2 day analysis on the virtual machine would be very resource intensive, and I have other classes as well lol, so I was thinking of a cloud based option

ArcherL

Hi, so I took up a forensics class this sem in my college and I am trying setup a lab env for myself. The course requires me to use Autopsy and FTK Imager. I was thinking of setting up a VM in cloud and wanted some suggestions. I had a look at azure and I do have some student credits there, but is there any better option to setup a cloud instance which is cheap? (edited)

depending on what youve got on your host microsoft provides free VMs for browser testing

3:01 PM

cloud is fine, just may cost i think i processed a full axiom case on a windows vm on a 5 year old computer overnight, so i wouldnt worry about performance too mcuh. that image was about 60gb as well

1

Thanks @DeeFIR 🇦🇺 and @randomaccess for the help! Much appreciated : )

Hey everyone, new to the Discord, so if there is a better place to post this, please let me know! Does anyone have experience collecting from updox.com? I have a client asking me about this, but I can't imagine that it will be easy given that it's a telehealth/medical information handling site.

@Magnet Forensics Anyone from Magnet for a quick question please?

Hello, Can anyone suggest Or share me some resources for cyber forensics

Chirag Garg

Hello, Can anyone suggest Or share me some resources for cyber forensics

You looking for books? courses? ctfs?

ryd3v

You looking for books? courses? ctfs?

Books and Courses

I'd probably look at INE and Packt to begin https://ine.com https://www.packtpub.com

Expert IT Training for Networking, Cyber Security and Cloud | INE

INE is the premier provider of online IT training and certifications, focused on providing world class instruction with hands-on labs. Focusing on Networking, Cyber Security and Cloud, our 100's of courses feature 1000's of in-browser labs, designed to immediately challenge you to prove your knowledge. Our certifications in Cyber Security and Cl...

Packt | Programming Books, eBooks & Videos for Developers

Packt is the online library and learning platform for professional developers. Learn Python, JavaScript, Angular and more with eBooks, videos and courses

Okay, I have a question that has probably been asked but I'm looking for a definitive answer. I've always done lab based DF in law enforcement, more recently the private sector. I'm getting lots of recruiters approaching me for DFIR jobs. What are the skills I will need for DFIR that I'm not using in lab based forensics?

Majeeko

Okay, I have a question that has probably been asked but I'm looking for a definitive answer. I've always done lab based DF in law enforcement, more recently the private sector. I'm getting lots of recruiters approaching me for DFIR jobs. What are the skills I will need for DFIR that I'm not using in lab based forensics?

maybe echo that in #training-education-employment too

1

v3N0m

@Magnet Forensics Anyone from Magnet for a quick question please?

I am in the US so just got in but yes I am here feel free to email me at jamey.tubbs@magnetforensics.com or DM me here

rj_chap

https://twitter.com/rj_chap/status/1486385327702904835 I'm not 100% sure if posting your own Tweet is SUPER lame, or just kinda lame. But here we are :).

I think the potential for lameness depends greatly on the who and the what. In this case I think it's perfectly hip

1

1

ryd3v

You looking for books? courses? ctfs?

Humble Bundle has a 27-ebook cyber bundle for $18 right now. Some of the stuff is a bit older, but still relevant.

1

Yeah! Humble bundle is dope, I've really expanded my personal collection from there

Chirag Garg

Hello, Can anyone suggest Or share me some resources for cyber forensics

Harlan Carvey’s books are fantastic in terms of Windows forensics

12:57 PM

https://www.amazon.com/Harlan-A.-Carvey/e/B001JPCIY6%3Fref=dbs_a_mng_rwt_scns_share

Harlan A. Carvey

Follow Harlan A. Carvey and explore their bibliography from Amazon.com's Harlan A. Carvey Author Page.

TheArchbish0p

https://www.amazon.com/Harlan-A.-Carvey/e/B001JPCIY6%3Fref=dbs_a_mng_rwt_scns_share

@Chirag Garg Brians book is also good. It helped me sleep at night preparing for IACIS cert

https://www.amazon.com/Brian-Carrier/e/B001KDJ2KK?ref=dbs_a_def_rwt_sims_vu00_r0_c0

Brian Carrier

Follow Brian Carrier and explore their bibliography from Amazon.com's Brian Carrier Author Page.

1

DCSO

@Chirag Garg Brians book is also good. It helped me sleep at night preparing for IACIS cert

https://www.amazon.com/Brian-Carrier/e/B001KDJ2KK?ref=dbs_a_def_rwt_sims_vu00_r0_c0

File system forensic analysis was instrumental in passing cfce

Chirag Garg

Books and Courses

There is a big 'o list of books here too ->https://6ixcode.com/books

@Cellebrite @Oxygen Forensics Good morning, I have an iphone XR (A2105) with ios 13.2.3 with known passcode and known encryption backup password. The iOS backup ectracts all chat applications except facebook messenger (it extracts only contacts). Is it due to the fb programmer that fb messenger backup is not included in ios backup? I tried acquisition with Oxygen, UFED, XRY as well as decoding with Axiom, but still database is not retrieved.

DCSO

It was a FFS GK 32 Gb Samsung took over 8 hrs to decode. We've never had it take this long, I'll try the extraction with a lower version of UFED PA and see if its quicker and decodes the same amount.

We're seeing similar performance issues with Android extractions in PA 7.52

1

Flipz4n6

@Cellebrite @Oxygen Forensics Good morning, I have an iphone XR (A2105) with ios 13.2.3 with known passcode and known encryption backup password. The iOS backup ectracts all chat applications except facebook messenger (it extracts only contacts). Is it due to the fb programmer that fb messenger backup is not included in ios backup? I tried acquisition with Oxygen, UFED, XRY as well as decoding with Axiom, but still database is not retrieved.

Facebook Messenger on iOS is one of those apps which has gone in and out of the iTunes backup unfortunately, do you know what version of Messenger was installed and what version of XRY was used?

Erumaro

Facebook Messenger on iOS is one of those apps which has gone in and out of the iTunes backup unfortunately, do you know what version of Messenger was installed and what version of XRY was used?

Thanx Tobias for the response. App version is 244.0.0.41.220 and XRY version is 10

Flipz4n6

Thanx Tobias for the response. App version is 244.0.0.41.220 and XRY version is 10

We do not have support for that version specifically but we do have support for 243.2 and 261.1 which both are unfortunately only possible to extract/decode from jailbroken or full file system extractions of some kind.

Flipz4n6

@Cellebrite @Oxygen Forensics Good morning, I have an iphone XR (A2105) with ios 13.2.3 with known passcode and known encryption backup password. The iOS backup ectracts all chat applications except facebook messenger (it extracts only contacts). Is it due to the fb programmer that fb messenger backup is not included in ios backup? I tried acquisition with Oxygen, UFED, XRY as well as decoding with Axiom, but still database is not retrieved.

FB Messenger presence in iTunes backup depends strongly on its version. For example I had extracted an iTunes backup with Facebook Messenger of version 282.0 and got Cache, Accounts, Contacts, Group chats info, Chats, Calls. But some other may not get it. Most likely you need a jailbroken device or device on which it is possible to perform a checkm8 on to extract the Facebook Messenger data of version 244.0

Anyone from @Cellebrite for a question please?

TheArchbish0p

Harlan Carvey’s books are fantastic in terms of Windows forensics

I'm new to the group. I used to work with Harlan when he was at SecureWorks...was always super helpful

Flipz4n6

@Cellebrite @Oxygen Forensics Good morning, I have an iphone XR (A2105) with ios 13.2.3 with known passcode and known encryption backup password. The iOS backup ectracts all chat applications except facebook messenger (it extracts only contacts). Is it due to the fb programmer that fb messenger backup is not included in ios backup? I tried acquisition with Oxygen, UFED, XRY as well as decoding with Axiom, but still database is not retrieved.

@Elcomsoft iOS Forensic Toolkit supports a full file system extraction for this device if I’m not mistaken.

Flipz4n6

@Cellebrite @Oxygen Forensics Good morning, I have an iphone XR (A2105) with ios 13.2.3 with known passcode and known encryption backup password. The iOS backup ectracts all chat applications except facebook messenger (it extracts only contacts). Is it due to the fb programmer that fb messenger backup is not included in ios backup? I tried acquisition with Oxygen, UFED, XRY as well as decoding with Axiom, but still database is not retrieved.

Have you attempted a FFS from those tools you mentioned with "checkrain" exploit ? I believe it's within the specs.

pinball

Anyone from @Cellebrite for a question please?

Hey. It’s been a busy day. Can I help ?

@CLB-Paul busy day also in front of the Parlement ?

SPVQct3207

@CLB-Paul busy day also in front of the Parlement ?

Ha I had to dip before blocked in by the trucks

6:26 PM

Our CAS lab is right downtown sooo ….

@CLB-Paul Yeah I know the area....Be patient I think they will be there more then saturday

(edited)

#closedforweekend

1

6:30 PM

Même les Québec flag

1

Has anyone tested Windows 11 ARM Insider Preview on a M1 Mac yet? Specifically if the emulation is working for common forensic software.

6:51 AM

I don’t want to be the first guinea pig haha

yep Edit; *Works fine (edited)

There may be some spam messages going around in private messages. Please don't click those links!

Got one, didn't click.. It says something like "this gift is for you bro"

2

Sorry about that, still trying to figure out what happened

Flipz4n6

@Cellebrite @Oxygen Forensics Good morning, I have an iphone XR (A2105) with ios 13.2.3 with known passcode and known encryption backup password. The iOS backup ectracts all chat applications except facebook messenger (it extracts only contacts). Is it due to the fb programmer that fb messenger backup is not included in ios backup? I tried acquisition with Oxygen, UFED, XRY as well as decoding with Axiom, but still database is not retrieved.

Try an APK downgrade extraction in Oxygen!

skysafe-josh

Try an APK downgrade extraction in Oxygen!

For an iOS device.. what kind of wizardry is this?

2

1

Ah the devils in the deets, I got Android on the brain. This don’t work for IOS devices. I started reading the post and got focused on app version numbers and the APK downgrade rushed to the front of my brain! Hah (edited)

if we verify md5 of e01 using ftk/autopsy, md5 value is different than md5 calculated using md5calculator.

Doofenshmirtz

if we verify md5 of e01 using ftk/autopsy, md5 value is different than md5 calculated using md5calculator.

why is that?

also md5 of dd image of an USB drive ( created by ftk ) and verifying md5 of the whole usb drive ( again using ftk ) showing different values. any reason for this?

Doofenshmirtz

if we verify md5 of e01 using ftk/autopsy, md5 value is different than md5 calculated using md5calculator.

Is md5calculator only hashing the data blocks of the .e01 or is it hashing the whole .e01?

Doofenshmirtz

also md5 of dd image of an USB drive ( created by ftk ) and verifying md5 of the whole usb drive ( again using ftk ) showing different values. any reason for this?

Is the dd image of the entire USB including the MBR or is it only a dd image of the allocated clusters?

FullTang

Is md5calculator only hashing the data blocks of the .e01 or is it hashing the whole .e01?

the whole .e01

FullTang

Is the dd image of the entire USB including the MBR or is it only a dd image of the allocated clusters?

entire drive!!

Doofenshmirtz

the whole .e01

I am pretty sure that FTK/Autopsy only calculate the hash of the data blocks of the .E01, and compare that to the hash of the data blocks that is stored in the .E01. If you hash the entire .E01 (including the CRCs and the hash) you should get a different value than the hash that is only targeting the data blocks.

2

FullTang

I am pretty sure that FTK/Autopsy only calculate the hash of the data blocks of the .E01, and compare that to the hash of the data blocks that is stored in the .E01. If you hash the entire .E01 (including the CRCs and the hash) you should get a different value than the hash that is only targeting the data blocks.

got it! thanks

1

speaking of FTK, does anyone know why FTK and/or Intel drives flip their serial numbers? The Intel drive I have has a printed serial number of(example) 123ABC but FTK prints out CBA321

dnguyen

speaking of FTK, does anyone know why FTK and/or Intel drives flip their serial numbers? The Intel drive I have has a printed serial number of(example) 123ABC but FTK prints out CBA321

Edit: It does not do that to all Intel drive. I have 2 Intel drive. One prints of the serial number flipped, one prints the serial number as it is printed on the drive label.

dnguyen

Edit: It does not do that to all Intel drive. I have 2 Intel drive. One prints of the serial number flipped, one prints the serial number as it is printed on the drive label.

It's an issue that's been known for a while: https://gessen-forensics.blogspot.com/2018/01/ftk-imager-issue.html https://www.linkedin.com/pulse/dont-use-access-data-ftk-imager-ananta-sansare/

AmNe5iA

It's an issue that's been known for a while: https://gessen-forensics.blogspot.com/2018/01/ftk-imager-issue.html https://www.linkedin.com/pulse/dont-use-access-data-ftk-imager-ananta-sansare/

Awesome. Thank you!

@Law Enforcement [USA] Hello all, can anyone tell me how to execute a search warrant on Telegram? I can’t seem to find an email/portal or anything. It’s my understand that they’re outside the US as well, so any information would be helpful

You check search.org yet?

C. Russell

@Law Enforcement [USA] Hello all, can anyone tell me how to execute a search warrant on Telegram? I can’t seem to find an email/portal or anything. It’s my understand that they’re outside the US as well, so any information would be helpful

It’s based out of the UAE. They won’t respond to US legal process.

Yeah search.org had nothing. If they won’t respond is there any way to get that information?

1:06 PM

*without the device

C. Russell

@Law Enforcement [USA] Hello all, can anyone tell me how to execute a search warrant on Telegram? I can’t seem to find an email/portal or anything. It’s my understand that they’re outside the US as well, so any information would be helpful

My guess would be an MLAT, but never had to serve them yet.

3

I guess you could try to Suss out an mlat but you might be out of luck

yeaaah we all know that’s not likely

thanks everyone

C. Russell

@Law Enforcement [USA] Hello all, can anyone tell me how to execute a search warrant on Telegram? I can’t seem to find an email/portal or anything. It’s my understand that they’re outside the US as well, so any information would be helpful

As far as I know Telegram is encrypted end to end so they would not have any useable data. From Telegram: Q: Do you process data requests? Secret chats use end-to-end encryption, thanks to which we don't have any data to disclose. To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data. Thanks to this structure, we can ensure that no single government or block of like-minded countries can intrude on people's privacy and freedom of expression. Telegram can be forced to give up data only if an issue is grave and universal enough to pass the scrutiny of several different legal systems around the world. To this day, we have disclosed 0 bytes of user data to third parties, including governments.

Perfect, thank you for sharing!

So, this one has me/us a little stumped. our Cellebrite Physical Analyzer computer (yes, singular; its a Dell Precision 3620) is throwing an error while trying to decode exams. Seems to be happening to most last week, and all this week....windows generic error box (title: CellebritePhysicalAnalyzer.exe - Application Error) "The instruction at 0x771df127 referenced memory at 0xffffffff. The memory could not be read. Click on OK to terminate the program I have rebooted and tested, uninstalled, rebooted, reinstalled and tested to absolutely no avail. version 7.52.0.36, windows 7 (I know, I know). The system has plenty of free drive space. BIOS basic diagnostic test came up okay, extensive memtest is going on now. I tested on a separate computer (windows 10, but with less ram than the 3620) I just threw PA on and it seems to open. Any advice on how to proceed?

Have you tried rolling it back a version to see if it’s the new update?

it started on the one previous we had installed. 7.49 i believe. it started, tried the update, didnt fix.

1:18 PM

we havent tried rolling it older

1:19 PM

I have to also test to see if this happens with all exam types. we have tried several different ones so far, but several different full file systems ones

C. Russell

@Law Enforcement [USA] Hello all, can anyone tell me how to execute a search warrant on Telegram? I can’t seem to find an email/portal or anything. It’s my understand that they’re outside the US as well, so any information would be helpful

I was advised by one of our people that because they are EU our people have to use MLAT (sorry, I'm not familiar with that). They work with FBI as well.

This is from a recent FBI report in encrypted messaging apps. From our research, their development team is in Dubai....they don't provide a contact for LE.

You can try their business address in the British virgin islands.....if you're dealing with something in the EU, they have an address for their rep in London under their privacy policy. Good luck.

Anybody know if a foreign mobile phone provider like Digicel in Jamaica is allowing a customer to roam in the United States mainland will IP address activity still show Digicel in Jamaica or will it show a domestic company?

And I am sure you know this, but be careful about using Maxmind or other geolocation services to say where a mobile IP address came from. I have personally seen it be off by hundreds of miles or more.

FullTang

And I am sure you know this, but be careful about using Maxmind or other geolocation services to say where a mobile IP address came from. I have personally seen it be off by hundreds of miles or more.

Yeah I ignore their location stuff. I just use their ISP info. I don’t know on the IP stuff. Everything I find is 50/50. Some route it back to the home country some don’t. Depends on lots of factors. (edited)

Trashboat667

Yeah I ignore their location stuff. I just use their ISP info. I don’t know on the IP stuff. Everything I find is 50/50. Some route it back to the home country some don’t. Depends on lots of factors. (edited)

When I say it goes back to Jamaica I really just mean a company in Jamaica.

Hi does anyone have the official solution for digital corpora m57-Jean?

Anyone know what the cost of Oxygen Detective is for a year? Ball park.

Ghosted

Anyone know what the cost of Oxygen Detective is for a year? Ball park.

@Ghosted I tagged @Oxygen Forensics for you. They can help you with that question.

1

@sholmes Thanks I have an email into them but was trying to put a memo into admin for the tool just needed estimate of cost. I was thinking must be similar to PA and Axiom.

No problem. Hopefully they hit you right back to get you that information.

1

Ghosted

@sholmes Thanks I have an email into them but was trying to put a memo into admin for the tool just needed estimate of cost. I was thinking must be similar to PA and Axiom.

Messaged you

Thank you for the tag @sholmes

2

1

1

I'm examining an iOS device where two Apple IDs have been found. CSAM is found in DCIM. Any thoughts on how to conclusively link the CSAM to a single Apple ID and eliminate the other Apple ID?

1

kmacdonald1565

So, this one has me/us a little stumped. our Cellebrite Physical Analyzer computer (yes, singular; its a Dell Precision 3620) is throwing an error while trying to decode exams. Seems to be happening to most last week, and all this week....windows generic error box (title: CellebritePhysicalAnalyzer.exe - Application Error) "The instruction at 0x771df127 referenced memory at 0xffffffff. The memory could not be read. Click on OK to terminate the program I have rebooted and tested, uninstalled, rebooted, reinstalled and tested to absolutely no avail. version 7.52.0.36, windows 7 (I know, I know). The system has plenty of free drive space. BIOS basic diagnostic test came up okay, extensive memtest is going on now. I tested on a separate computer (windows 10, but with less ram than the 3620) I just threw PA on and it seems to open. Any advice on how to proceed?

So a follow up to my things yesterday. Advanced memtest came back okay. The Windows Event Logs show the crash is related to .net framework. @Cellebrite What do you recommend for repairing physical analyzer given my tests. Simple uninstall/reinstall didnt work. Should I reinstall the .net framework? Wipe computer and start over? I have event logs if they help.

Great question. I’ll ping devs for guidance.

thank you

hello everyone, on an iphone after how many wrong passcode attempts, the device is permanently disabled? Are there any data recovery solutions in these cases?

manuelevlr

hello everyone, on an iphone after how many wrong passcode attempts, the device is permanently disabled? Are there any data recovery solutions in these cases?

As of iOS 15.3, it’s 10 failed attempts. It will be iCloud locked as well upon reset. No recovery solutions since it will delete all data. (edited)

CLB-Paul

Great question. I’ll ping devs for guidance.

hey, any update?

Hi there, i would like to learn forensic windows and linux after that analysis malware, how i can start please ?

@dongle_dude. I am not sure this can be done. It has been about a year or so since I looked at iOS forensics though. Your best bet is to locate the photos.sqlite (/private/var/mobile/Media/) and parse this manually. You can extract information about the image including the album name it belongs to, which application created the image and if it exists on iCloud. You could (location and legal dependant) request Apple to provide ownership information if it does exist on iCloud. Here are a couple of blogs that might get you started in the right direction; https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/ https://www.forensicmike1.com/2019/05/02/ios-photos-sqlite-forensics/ Edit: now with less IP address (edited)

Using Photos.sqlite to show the relationships between photos and th...

First, I would like to thank Heather Mahalik for her help with this process and for allowing me to post something on her blog. It’s an honor! Additionally, thanks to Jared Barnhart for his assistan…

Mike Williamson

iOS Photos.sqlite Forensics - forensicmike1

Discussing with Shafik the correlation of photo albums to pictures on iOS using Photos.sqlite.

Gohy

Hi there, i would like to learn forensic windows and linux after that analysis malware, how i can start please ?

#training-education-employment

ok @Andrew Rathbun thanks

Velcro

@dongle_dude. I am not sure this can be done. It has been about a year or so since I looked at iOS forensics though. Your best bet is to locate the photos.sqlite (/private/var/mobile/Media/) and parse this manually. You can extract information about the image including the album name it belongs to, which application created the image and if it exists on iCloud. You could (location and legal dependant) request Apple to provide ownership information if it does exist on iCloud. Here are a couple of blogs that might get you started in the right direction; https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/ https://www.forensicmike1.com/2019/05/02/ios-photos-sqlite-forensics/ Edit: now with less IP address (edited)

This is good advice & I def agree, I am deeply curious how you ended up with an IP address instead of my domain forensicmike1.com though

google?

forensicmike @Magnet

This is good advice & I def agree, I am deeply curious how you ended up with an IP address instead of my domain forensicmike1.com though

google?

Ah, the vagaries of copy/paste from my iPhone. Using the copy function when using the share button gives the IP address. Should have copy/pasted from the address bar. I will go edit; computers are hard (edited)

Velcro

Ah, the vagaries of copy/paste from my iPhone. Using the copy function when using the share button gives the IP address. Should have copy/pasted from the address bar. I will go edit; computers are hard (edited)

haha it prompted me to double check and sure enough that was the IP of the ec2 instance, not cloudfront/load balancer.... not a big deal really but that def shouldnt be permitted by the vpc / security group rules since it bypasses the load balancer & WAF rules. i got 'er fixed

just glad I happened to notice your message lmao

Hi everyone. I am in graduate school getting my masters in CS. I am interested in security so I took a DF class. Part of the class is a semester long research project where i need a practical/experimental component. I am new to DF and do not know where to start. Does anyone have recomendations as to what resources i should look at for inspiration? Does anyone have an idea they wanna pitch?

4:25 PM

examples of past projects GPS Accuracy comparison between Garmen handheld GPS, IPhone phone, and Android phone. Chat messenger forensics with modern chat applications Steganography algorithms use and detection Data recovery with modern harddrives Data recovery between various file systems Creating Hash Collisions Skin tone detection algorithms overview and implementation Malware analysis Decryption techniques (edited)

Looking for assistance with a Google SW return explanation of the location data accuracy that is provided

What other players in the market (besides AXIOM) provide an ad-hoc agent for full disk / memory collection?

Velcro

@dongle_dude. I am not sure this can be done. It has been about a year or so since I looked at iOS forensics though. Your best bet is to locate the photos.sqlite (/private/var/mobile/Media/) and parse this manually. You can extract information about the image including the album name it belongs to, which application created the image and if it exists on iCloud. You could (location and legal dependant) request Apple to provide ownership information if it does exist on iCloud. Here are a couple of blogs that might get you started in the right direction; https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/ https://www.forensicmike1.com/2019/05/02/ios-photos-sqlite-forensics/ Edit: now with less IP address (edited)

Here is another photos.SQLite post I did which has links to my most recent queries. I’ll have updated queries this week or by next weekend…NHL All Star game this weekend… https://theforensicscooter.com/2021/11/23/photos-sqlite-queries/ Feel free to dm me if you have any questions.

scottkoenig3347

Photos.Sqlite Queries

Hello everyone! Back in August 2020, I wrote a blog “Using Photos.Sqlite to show the relationships between photos and the application they were created with?” which was posted on Heather Mahaliks’ …

3

trickyricky

What other players in the market (besides AXIOM) provide an ad-hoc agent for full disk / memory collection?

Cederpelta? https://www.brimorlabsblog.com/2019/04/live-response-collection-cedarpelta.html

Live Response Collection - Cedarpelta

Hello again readers and welcome back!! Today I would like to announce the public release of updates to the Live Response Collection (LRC)...

npd206

Looking for assistance with a Google SW return explanation of the location data accuracy that is provided

What's the issue?

Gene

Hi everyone. I am in graduate school getting my masters in CS. I am interested in security so I took a DF class. Part of the class is a semester long research project where i need a practical/experimental component. I am new to DF and do not know where to start. Does anyone have recomendations as to what resources i should look at for inspiration? Does anyone have an idea they wanna pitch?

#training-education-employment

Andrew Rathbun

#training-education-employment

Ty

re DOpus: anyone know if it's possible to add to the Exif data shown on a files, mouse-over to check for GPS co-ords? tried a number of help keywords, mouseover, popup, hover, metadata and so on, to no avail.

Does anyone have experience with Cortex XQL queries?

Digitalferret

re DOpus: anyone know if it's possible to add to the Exif data shown on a files, mouse-over to check for GPS co-ords? tried a number of help keywords, mouseover, popup, hover, metadata and so on, to no avail.

standby

Digitalferret

re DOpus: anyone know if it's possible to add to the Exif data shown on a files, mouse-over to check for GPS co-ords? tried a number of help keywords, mouseover, popup, hover, metadata and so on, to no avail.

https://youtu.be/x5fH2H2APOY?t=1320

MonroeWorld

Directory Opus (File Manager) - Customization / Layout / Look 'n Feel

1

8:57 AM

timestamped link ^^

Andrew Rathbun

timestamped link ^^

many thanks. I'd originally wanted the mouse-over to show GPS (see pic) and still can't but it looks like the addition of Co-ords column makes that an even easier / quicker proposition

9:52 AM

column's option makes it "at a glance" - would have never even thought to check for that. very much appreciated (edited)

9:54 AM

additionally, if anyone uses, info given with irfan view if you open the image and go to Info has a direct link-through so you can go right to Googlemaps from the extracted GPS metadata

Digitalferret

many thanks. I'd originally wanted the mouse-over to show GPS (see pic) and still can't but it looks like the addition of Co-ords column makes that an even easier / quicker proposition

Your best bet would be to post on the forums asking for this as a feature, if you want. They're always adding stuff and the forums are full of power users. There may be a solution out there or they could implement it.

Andrew Rathbun

Your best bet would be to post on the forums asking for this as a feature, if you want. They're always adding stuff and the forums are full of power users. There may be a solution out there or they could implement it.

noted, cheers

Digitalferret

noted, cheers

https://resource.dopus.com/, namely https://resource.dopus.com/c/support/11 (edited)

Help & Support

Main area for support: Questions, suggestions and bug reports.

i think the columns option though, in this instance, completely overshadows the mouseover in terms of speed and utility

2

Does anyone have a clever idea or tool to preserve full movies that are being illegally streamed on a site? There is approx 1000 movies to capture as evidence.

return2zero

Does anyone have a clever idea or tool to preserve full movies that are being illegally streamed on a site? There is approx 1000 movies to capture as evidence.

the usual "security expert" kit is a VPN and video ripper to ~~download~~ preserve to your own storage ... so I'm told

- sorry, couldn't resist (edited)

1

Digitalferret

the usual "security expert" kit is a VPN and video ripper to ~~download~~ preserve to your own storage ... so I'm told

- sorry, couldn't resist (edited)

Ha, the ol' tried and proven method hey.

trickyricky

What other players in the market (besides AXIOM) provide an ad-hoc agent for full disk / memory collection?

Volexity’s Surge, F-Response

return2zero

Does anyone have a clever idea or tool to preserve full movies that are being illegally streamed on a site? There is approx 1000 movies to capture as evidence.

youtube-dl might work and you could maybe script something if the page for each video has a UID eg piratesite.com/00001 -> piratesite.com/999999. Also, perhaps run "wget -r piratesite.com" and then parse all the links it downloads as well since they might lead to more videos.

Deleted User

youtube-dl might work and you could maybe script something if the page for each video has a UID eg piratesite.com/00001 -> piratesite.com/999999. Also, perhaps run "wget -r piratesite.com" and then parse all the links it downloads as well since they might lead to more videos.

Thanks for the response, I'll look into this and test

1

return2zero

Thanks for the response, I'll look into this and test

there's a number of solutions, be very wary of those that offer access via a web interface or app

3:01 AM

if you want to learn a bit around it, look up how to download with ffmpeg - lots of forum posts

Digitalferret

if you want to learn a bit around it, look up how to download with ffmpeg - lots of forum posts

Cheers!

@Magnet Forensics Is there a reason why there is no longer an option for OCR in AXIOM 5.9?

Flavius

@Magnet Forensics Is there a reason why there is no longer an option for OCR in AXIOM 5.9?

Are you attempting to utilize the OCR in PROCESS or EXAMINE? In EXAMINE you simply need to navigate to Process|Extract Text From Files(OCR) and follow any prompts

Tim F

Are you attempting to utilize the OCR in PROCESS or EXAMINE? In EXAMINE you simply need to navigate to Process|Extract Text From Files(OCR) and follow any prompts

In PROCESS. I haven't checked the EXAMINE yet, it's the first processing I do with the new version (edited)

I just checked in EXAMINE and it's unchanged from 5.8, let me take a quick peak at PROCESS

8:46 AM

You should still see it as a feature within processing details.

8:50 AM

I try also a clean install

Do you have an AXIOM Complete license?

Yes, excluding the cloud part

We're working on replicating the issue. It shouldn't be missing given all the variables. Hang tight while we work it out

Thank you. I asked a colleague and he reported having the same problem (same license, also same workstation). Tomorrow I will be able to tell you if the option is also missing in the EXAMINE and i'll try on a different pc

Hello, are there people who need to capture videos, comments on social media sites like Facebook for live events in public profile? What software do you use to be more productive? Currently our team does it manually with Opera (PDF files), extention savefrom.net, etc... I will try Hunchy next week. Thanks ! (edited)

SPVQct3207

Hello, are there people who need to capture videos, comments on social media sites like Facebook for live events in public profile? What software do you use to be more productive? Currently our team does it manually with Opera (PDF files), extention savefrom.net, etc... I will try Hunchy next week. Thanks ! (edited)

Hunchly was going to be my suggestion. Hope it works out for you.

1

What dependencies do I need to run cmd.exe and powershell from a portable evidence drive to avoid launching it on the target computer? I tried just putting the actual cmd.exe on the drive but it gets errors with system messages.

Hi all, looking at potentially buying some new hardware for a new machine and was wondering what people are using or recommend. We currently use Griffeye, Cellebrite and XRY. As far as i'm aware non of the above are GPU accelerated so we would focus most of the budget in the CPU. But we are unsure if more cores are better or if clock speed is more important... Would like to hear what you guys have to say

dn

Hi all, looking at potentially buying some new hardware for a new machine and was wondering what people are using or recommend. We currently use Griffeye, Cellebrite and XRY. As far as i'm aware non of the above are GPU accelerated so we would focus most of the budget in the CPU. But we are unsure if more cores are better or if clock speed is more important... Would like to hear what you guys have to say

In XRY we can use nVidia CUDA to speed up the image recognition so if that is something you are looking to do that's worth keeping in mind!

1

Erumaro

In XRY we can use nVidia CUDA to speed up the image recognition so if that is something you are looking to do that's worth keeping in mind!

Thanks Tobias will keep that in mind

Good day folks. Has anyone done a Search Warrant to Google for any data relating to a specific IP address during a specific window of time? We have a suspect that we know was doing google searches from his home during a 24 hour period we're interested in. We want his searches, googles search results, and which links he clicked on.

UnicornSprinkles

Good day folks. Has anyone done a Search Warrant to Google for any data relating to a specific IP address during a specific window of time? We have a suspect that we know was doing google searches from his home during a 24 hour period we're interested in. We want his searches, googles search results, and which links he clicked on.

https://aboutdfir.com/resources/preservation-letter-search-warrant-templates/google/ I've done Google SW's in the past. Do you need help drafting language? See the above for a jump start and let me know if anything needs to be added.

Google - AboutDFIR - The Definitive Compendium Project

Legal Disclaimer The information listed below is purely informational in nature and not meant to be a substitute for legal advice. One should consult with their respective jurisdiction’s district attorney, prosecutor, judge, etc prior to using this language for any legal process in an actual investigation. AboutDFIR and its authors are not liabl...

We've done regular google warrants regarding specific google accounts, mostly ICAC.... This is a first for us trying to get a data dump for everything on a specific IP. We dont have a google account.... We just know he was using google to search for info relating to his crime.

UnicornSprinkles

We've done regular google warrants regarding specific google accounts, mostly ICAC.... This is a first for us trying to get a data dump for everything on a specific IP. We dont have a google account.... We just know he was using google to search for info relating to his crime.

I think main thing would be date and time or range of time for when that IP is of interest. As specific as possible. I can click a button and I have a new IP address so I can't imagine they will like a non-specific request

So we confirmed with comcast his house IP did not change during our timeframe. We also know his T mobile phone IP was constant during our timeframe.

9:15 AM

Is there verbage different from what we'd use in our google warrants that go after a known account?

UnicornSprinkles

Is there verbage different from what we'd use in our google warrants that go after a known account?

Haven't been in LE in a few years, so take my advice with a pound of salt, but something to the effect of

Any and all data associated with the IP address 123.123.123.123 from X timestamp to Y timestamp, including but not limited to the following:

* Personal identifying information of the account owner related to the aforementioned IP address during the timeframe of interest
* list things you're interested in here
* Google has a ton of services so be specific

(edited)

@UnicornSprinkles i dont have too much other insight, but let us know how you make out with this. love hearing about some pioneering work

UnicornSprinkles

So we confirmed with comcast his house IP did not change during our timeframe. We also know his T mobile phone IP was constant during our timeframe.

If possible I would see if there was a way to get his DNS lookups.

Thanks for the insights. I'll keep y'all posted in how this goes.

I like the DNS lookup idea. It looks like that would require a warrant to Comcast as the ISP is usually responsible for DNS queries.

1

Anyone have Amazon SW template they are willing to share?

SPVQct3207

Hello, are there people who need to capture videos, comments on social media sites like Facebook for live events in public profile? What software do you use to be more productive? Currently our team does it manually with Opera (PDF files), extention savefrom.net, etc... I will try Hunchy next week. Thanks ! (edited)

Try page freezer's web preserver or a tool called FAW

1

Original message was deleted or could not be loaded.

Yes, After I ran media categorization and Watchlist. When I go to tag items it crashes. I have been making full reader files and tagging and exporting from there.

hello, when trying to connect to the mycellebrite page, I encounter the following warning. Anyone get similar error. @Cellebrite (edited)

2:16 PM

invest00

hello, when trying to connect to the mycellebrite page, I encounter the following warning. Anyone get similar error. @Cellebrite (edited)

i got in no problem ...

FullTang

I like the DNS lookup idea. It looks like that would require a warrant to Comcast as the ISP is usually responsible for DNS queries.

Thanks. Sometimes this can be useful as well if you know subjects IP and have no warrant: https://iknowwhatyoudownload.com/en/peer/

Torrent downloads and distributions for IP 35.237.4.214

Detailed statistic for torrent downloads and distributions for IP address 35.237.4.214

2

Hi, anyone knows if there are ways to get data from Wickr on IOS or Android, trying to gather information about data analysis that can be done for it for a school assignment, and from what I can find, there doesn't see to be alot of data that can be collected from a device when talking about Wickr.. Thanks for any help or site that might give more info

@Nathan_Infinity https://thebinaryhick-blog.cdn.ampproject.org/v/s/thebinaryhick.blog/2019/08/23/wickr-alright-well-call-it-a-draw/amp/?amp_gsa=1&amp_js_v=a8&usqp=mq331AQKKAFQArABIIACAw%3D%3D#amp_tf=From%20%251%24s&aoh=16442316818196&referrer=https%3A%2F%2Fwww.google.com&ampshare=https%3A%2F%2Fthebinaryhick.blog%2F2019%2F08%2F23%2Fwickr-alright-well-call-it-a-draw%2F

Wickr. Alright. We’ll Call It A Draw.

Portions of this blog post appeared in the 6th issue of the INTERPOL Digital 4n6 Pulse newsletter. I would like to thank Heather Mahalik and Or Begam, both of Cellebrite, who helped make the Andro…

2

Afternoon, anyone from @Cellebrite around for a licence question?

1

Andrew Rathbun

@Nathan_Infinity https://thebinaryhick-blog.cdn.ampproject.org/v/s/thebinaryhick.blog/2019/08/23/wickr-alright-well-call-it-a-draw/amp/?amp_gsa=1&amp_js_v=a8&usqp=mq331AQKKAFQArABIIACAw%3D%3D#amp_tf=From%20%251%24s&aoh=16442316818196&referrer=https%3A%2F%2Fwww.google.com&ampshare=https%3A%2F%2Fthebinaryhick.blog%2F2019%2F08%2F23%2Fwickr-alright-well-call-it-a-draw%2F

a mere flesh wound!! lol, never not mention Monty

found that yeah was wondering if there was anyting more recent. I know there's ways to get some data if you manage to extract the entire FS including the keychain even though from what I understand it's still pretty hard to do even with all that..

Have others seen a location shown in a different state when 1) pairing an apple watch 2) approving in person a child's app request? I've seen this in a few different client accounts. I suspect it is an apple server and not reflecting the actual location since the user is logging in just before the prompt. Can anyone confirm?

Nathan_Infinity

found that yeah was wondering if there was anyting more recent. I know there's ways to get some data if you manage to extract the entire FS including the keychain even though from what I understand it's still pretty hard to do even with all that..

#mobile-forensic-decoding #mobile-forensic-extractions

does anyone have a template or a resource on how you should set up your file structure when you begin a case? For instance, the main folder being the case number, having a folder for each forensic tool [cellebrite, axiom, ftk, encase,etc]? Anything else?

DFE Travis

does anyone have a template or a resource on how you should set up your file structure when you begin a case? For instance, the main folder being the case number, having a folder for each forensic tool [cellebrite, axiom, ftk, encase,etc]? Anything else?

This is a great question. I’m going to respond right now to say that I find putting all of the tool case folders under the main case folder is more difficult than having evidence files and tool case files under a separate parent folder (e.g. U:\EvidenceFiles\Case123 And V:\AxiomCase\Case123). This is based on how the tools use default directories.

1

uochaos

This is a great question. I’m going to respond right now to say that I find putting all of the tool case folders under the main case folder is more difficult than having evidence files and tool case files under a separate parent folder (e.g. U:\EvidenceFiles\Case123 And V:\AxiomCase\Case123). This is based on how the tools use default directories.

Yep this - you're better off trying it and seeing how the tools interract then document it. I've always included a \tmp dir within the case folder so any exports I do can be stored in one place, and then binned at the end when they're not needed rather than filling up different areas of disk that I might be paranoid about clearing out

Very good points, thank you. Do you think, then, that perhaps dropping a shortcut to the tool folder for the respective case might be a good alternative in case I have to reference a specific case and navigate to it?

DFE Travis

Very good points, thank you. Do you think, then, that perhaps dropping a shortcut to the tool folder for the respective case might be a good alternative in case I have to reference a specific case and navigate to it?

Shortcuts can work. I’m not sure what issue (if any) sparked your question. The end of a case can be one factor. I typically retain some of the admin items (contract, some notes, etc). I will usually wipe the evidence files and case folders. As MrStu suggested, I do typically export reports and files to an Export folder under my main case folder (vs a separate drive or parent folder). Also consider whether you keep your case notes separate in Google Drive or something mobile.

DFE Travis

Very good points, thank you. Do you think, then, that perhaps dropping a shortcut to the tool folder for the respective case might be a good alternative in case I have to reference a specific case and navigate to it?

I've always steered clear of shortcuts, I'd just rather know where that data is than delete a shortcut and have the frustration of having to go look for something anyway. If you've not already considered path lengths then please do - I've been caught out in the past creating a nice folder structure only to find out some forensic tool has put its own structure underneath it and exceeded path length or I can't copy the data somewhere because of path length.

uochaos

Have others seen a location shown in a different state when 1) pairing an apple watch 2) approving in person a child's app request? I've seen this in a few different client accounts. I suspect it is an apple server and not reflecting the actual location since the user is logging in just before the prompt. Can anyone confirm?

Possibly related to the iCloud Relay (Beta) VPN which is in iOS 15? This is an Apple+ feature an you can set it to general location, or time zone (different state).

WesDx_Stu

I've always steered clear of shortcuts, I'd just rather know where that data is than delete a shortcut and have the frustration of having to go look for something anyway. If you've not already considered path lengths then please do - I've been caught out in the past creating a nice folder structure only to find out some forensic tool has put its own structure underneath it and exceeded path length or I can't copy the data somewhere because of path length.

... path length - been there, done that got the

shirt.

(edited)

Thanks for all the insight. I'm a new DFE operationally; I've done the schooling but have very limited hands on experience.

I'm looking at a logical image of an iPhone 12 mini in Cellebrite PA. I have timestamps for the instant messages going back to early November 2021. All of the messages before that have a timestamp of 12/31/2000 6pm (UTC-6). Can anyone explain why the real timestamps aren't there?

Thats a "epoch" time (edited)

3:05 PM

so basically it's an epoch reference that a numerical value would reference upon

3:05 PM

12/31/2000 is the base and the "time" in the database would be something like the number of seconds from that date

3:05 PM

other epochs have different baselines

3:06 PM

so in your case, a blank value would likely reflect the reference date. Look in the database and see if those timestamp fields are empty

random question guys, anyone know how to "substract" one Qr code from another? Basically looking to check the leftovers of two qr codes or a good resource on QR steno

uochaos

This is a great question. I’m going to respond right now to say that I find putting all of the tool case folders under the main case folder is more difficult than having evidence files and tool case files under a separate parent folder (e.g. U:\EvidenceFiles\Case123 And V:\AxiomCase\Case123). This is based on how the tools use default directories.

I start with a case stored in a single location; T:\Cases\YYYY\K-YYYY-xxxx\ Case reference number. This folder contains Tool-specific folders (X-Ways, Axiom, etc) Acquisitions, Reports, Files, Temp. Even though an Axiom case may be nested (K-YYYY-xxxx\Axiom\Reference) I find it easier to keep track of everything in a case-specific folder, rather than a tool-specific folder.

Hey I have some questions about these tools Magnet Axiom Blackbag mobilize UFED cellebrite which channel should i use to ask?

Gene

Hey I have some questions about these tools Magnet Axiom Blackbag mobilize UFED cellebrite which channel should i use to ask?

You're jumping topics there. Usage? Licence cost? Capabilities? Maybe just ask the questions and someone will either answer or point you to the right channel.

5cary

You're jumping topics there. Usage? Licence cost? Capabilities? Maybe just ask the questions and someone will either answer or point you to the right channel.

Fair point. So I am in a digital forensics class at the masters level. Part of my class is to do a semester long research project with some sort of experiment or demonstration portion. I have stumbled around looking for about a week or so and I found some studies done on moble phone vault apps. There are studies done on how well the vaults actually protect data and what tools are good and bad at finding photos in them. A study that i found used those 3 tools. I was thinking about reproducing the study but with an updated version of the vaults, tools and phone OS. was wondering where i could get someone advice on this. Some of those tools have free trials, not sure if thats a good idea to do versus asking the school to buy it. Do not know if there are better tools or programs to use ect.

If you're focusing more so on the application itself, I'd be asking in #mobile-forensic-decoding for insight. You can do a lot with Android Studio/VD Manager/Emulator and DB Browser without any of the commercial tools.

awesome. ill post what i said above there

6:35 PM

thanks

DeeFIR 🇦🇺

If you're focusing more so on the application itself, I'd be asking in #mobile-forensic-decoding for insight. You can do a lot with Android Studio/VD Manager/Emulator and DB Browser without any of the commercial tools.

whats the difference between mobile forensic decoding vs extraction. sounds like the same thing to me

Extraction is acquiring the data itself, decoding it is decoding databases, trawling through records, assembling them, piecing together different artefacts etc

3

DFE Travis

does anyone have a template or a resource on how you should set up your file structure when you begin a case? For instance, the main folder being the case number, having a folder for each forensic tool [cellebrite, axiom, ftk, encase,etc]? Anything else?

I wrote a small python script that does the following: Create a parent folder with a user inputted case number Create sub-folders named for each user inputted item number Create a “reports” folder Create a work log txt file with headers for each item number Copy an established examination report template from a set location into the reports folder and rename it “<case number> examination report.docx”

8:21 PM

So in practice I double click my script, type the case number and hit enter, type the item numbers separated by a space and hit enter. That’s it and then my folder structure is all generated. Then I have places to save my acquisition files as I make them. (edited)

That's way fancier than me. I just have a template folder for my reports with a readme.txt, installers for .7zip and VLC, and a word document for my forensic summary report where everything is filled in except for the case number. All portable cases, UFED Reader reports, etc, go into the reports folder inside a folder with their item number. The report folder is ultimately copied to the flash drive for the officer requesting the exam. When making a new case, I copy the report folder to my case folder that was created using Ctrl + N (new folder, I use that hotkey very frequently) and labeled with the case number + agency requesting the exam + suspect name. Inside of my template word document / forensic summary report, all items that need to be changed for each case are designated with XXs. A part of my final proofreading is to do a Ctrl + F for 'XX' to make sure I haven't missed anything.

Just curious but did anybody investigate the forensic opportunities of the Whatsapp multi-device beta yet?

20% off GIAC cert renewal https://www.giac.org/mlp/renewal-2022/

GIAC Renewal 2022 Discount Offer

Save 20% when you renew your GIAC cybersecurity certification today

whee30

So in practice I double click my script, type the case number and hit enter, type the item numbers separated by a space and hit enter. That’s it and then my folder structure is all generated. Then I have places to save my acquisition files as I make them. (edited)

Would you be willing to share this script? I've been thinking of something like this for years and my scripting abilities stall after "Hello world."

Sure - I’ll comment it and post it soon. I’m not a coder so if it’s sloppy please keep that in mind.

whee30

Sure - I’ll comment it and post it soon. I’m not a coder so if it’s sloppy please keep that in mind.

Still better than what I

7:32 AM

would be able to do. Thanks!

Gene

Fair point. So I am in a digital forensics class at the masters level. Part of my class is to do a semester long research project with some sort of experiment or demonstration portion. I have stumbled around looking for about a week or so and I found some studies done on moble phone vault apps. There are studies done on how well the vaults actually protect data and what tools are good and bad at finding photos in them. A study that i found used those 3 tools. I was thinking about reproducing the study but with an updated version of the vaults, tools and phone OS. was wondering where i could get someone advice on this. Some of those tools have free trials, not sure if thats a good idea to do versus asking the school to buy it. Do not know if there are better tools or programs to use ect.

This blog is a good resource for you - things that the main tools aren't going to be automatically pulling for you https://theincidentalchewtoy.wordpress.com/

Forensics - One Byte at a Time

He used to byte, now its just a nibble

@Law Enforcement [UK] are there any outsourcing companies in the UK that would assist in preserving and extracting data from phones that have been recovered from the sea or a river, please? Particularly using the ultrasonic bath method?

ApC

@Law Enforcement [UK] are there any outsourcing companies in the UK that would assist in preserving and extracting data from phones that have been recovered from the sea or a river, please? Particularly using the ultrasonic bath method?

MD5 forensics offer this mate

1

A lot offer this service, have had quotes/service from CCL, Data Clinic and MD5

1

Pseudonym

A lot offer this service, have had quotes/service from CCL, Data Clinic and MD5

What he said ⬆️

DFE Travis

does anyone have a template or a resource on how you should set up your file structure when you begin a case? For instance, the main folder being the case number, having a folder for each forensic tool [cellebrite, axiom, ftk, encase,etc]? Anything else?

I wrote some VBA code to create a folder structure based on the parameters you put in the spreadsheet the code is embedded in. It's configured for our server but happy to share it

Remove if is not allowed Join this only if you are an AASP, IRP, or Inside Support. All whats needed for apple systems and support. https://discord.gg/zJRHTMJK

@A_A_Ron and anyone else who wants to scold me for shoddy code, here is my folder structure script I run before each case

1

1:27 PM

https://github.com/Whee30/Case-Management-script

GitHub - Whee30/Case-Management-script: A simple python script to g...

A simple python script to generate nested folders based on user input. The script will also name and place a template report document and generate a named worklog based on user input. - GitHub - Wh...

whee30

https://github.com/Whee30/Case-Management-script

SHAAAAAAAME!

5

1:27 PM

I threw it together just for me - I haven't done anything fancy like sanitize user input so use at your own risk if a special character is going to set your machine on fire.

Looks fine to be honest, should throw some tkinter at it and get a promotion

Ross Donnelly

This blog is a good resource for you - things that the main tools aren't going to be automatically pulling for you https://theincidentalchewtoy.wordpress.com/

i dont understand tbh

https://www.tethabyte.com/ Anyone know the creator of WinFi. I guess he is in Germany?

TethaByte

Official WinFi Distributor.

Tkinter version of script mentioned earlier on for people to tinker with

casefoldercreator.pyw

5.57 KB

2

whee30

@A_A_Ron and anyone else who wants to scold me for shoddy code, here is my folder structure script I run before each case

Specifically an adaptation of this one

Any recommendation on tools to scan a wordpress site for cc skimming?

1337bash

Any recommendation on tools to scan a wordpress site for cc skimming?

not a tool but do you know for certain it's got a skimmer on it?

randomaccess

not a tool but do you know for certain it's got a skimmer on it?

yea, they were notified from Visa with CC numbers that were compromised and were used on the site, and after the following days, some of their customers sent them emails saying they are seeing new chargers and the last thing the customers did was a purchase from this site. (edited)

1337bash

yea, they were notified from Visa with CC numbers that were compromised and were used on the site, and after the following days, some of their customers sent them emails saying they are seeing new chargers and the last thing the customers did was a purchase from this site. (edited)

is it a straight wordpress site, or does it run something like magento?

randomaccess

is it a straight wordpress site, or does it run something like magento?

It does have Magneto and they use Authorize.net for payment processing

Magento has a lot of problems in it, I had a case just recently where we found a malicious Google Tag Manager account within one of the structures through the Admin portal

2

7:40 PM

Have a flick through the admin portal and see if you can find any Script tags that no one recognises

2

randomaccess

Have a flick through the admin portal and see if you can find any Script tags that no one recognises

Thank you, we will checkout the admin console for this specific site. We were given access to the Linux box which hosts multiple sites, since it might be one of the sites affecting the other.

Yeah the magecart case i did recently there was nothing on the host because when the user accessed the page it would load the custom script on their endpoint

randomaccess

Yeah the magecart case i did recently there was nothing on the host because when the user accessed the page it would load the custom script on their endpoint

And that script was nowhere to be found on disk?

no because when the user accessed the site it would call out to an external location and load the JS

Gotcha, how did you find it?

luck?

1

7:55 PM

lots of reading, and going through the portal, found a script tag that no one recognised

7:55 PM

and it aligned iwth other IOCs from other reporting

Got it. Thank you so much for replying

magecart attacks can look like this https://decoded.avast.io/pavlinakopecka/web-skimming-attacks-using-google-tag-manager/

Pavlína Kopecká

Web Skimming Attacks Using Google Tag Manager - Avast Threat Labs

In this posting, we go over what web skimming attacks are and how they work. We then analyze a series of web skimming attacks that we found which were active from March 2021 to the present. These attacks abused the Google Tag Manager...

7:57 PM

and can take a lot of different formats

1

https://research.checkpoint.com/2022/invisible-cuckoo-cape-sandbox-evasion/

Invisible Sandbox Evasion - Check Point Research

Cuckoo and CAPE sandbox evasion in one legitimate Windows API function call? It is possible due to issues we found in Cuckoo and CAPE monitor.

General question for anyone. Does anyone use cardboard boxes to secure mobile devices (seizure/ transport) ...after a few products to trial , test after a revamp of procedures ? Any links to products would be welcome

monkpete

General question for anyone. Does anyone use cardboard boxes to secure mobile devices (seizure/ transport) ...after a few products to trial , test after a revamp of procedures ? Any links to products would be welcome

We recommend it, if only to protect the exhibit in transport. The benefit used to be that you could see the device through a plastic window on the cardboard box, that’s a mute point now there’s a faraday bag around it. The box along with cable ties to hold it steady, then considerations need to be made into how to tamper seal the box.

5:56 AM

I say we recommend it, most of the time it’s a clear evidence bag with some sodding tin foil around the phone…

Has anyone here ever examined a Steam Link device? It appears to be streaming device to play steam games on your TV. Would it have any relevant onboard storage that could be imaged or extracted?

Pseudonym

Tkinter version of script mentioned earlier on for people to tinker with

Is it at all possible to somehow convert a E01 to a vmdk to run it in a vm? (edited)

@0xSxS you could probable mount the EO1 with FTK Imager etc and then create a VHD with Arsenal Image Mounter (AIM)

Just wondering how other law enforcement agencies are storing large digital evidence. We still use disks and USB drives for most things. Computer and phones extractions are stored in a NAS (that keeps filling quickly). Our plan is to upgrade to a really large and scalable server for all digital evidence. The hardware is expensive enough but the some of the quotes for software are insane.

0xSxS

Is it at all possible to somehow convert a E01 to a vmdk to run it in a vm? (edited)

Doesn't Paladin have this facility built in, convert from eo1 to vmdk. @SUMURI (edited)

Adam Cervellone

Has anyone here ever examined a Steam Link device? It appears to be streaming device to play steam games on your TV. Would it have any relevant onboard storage that could be imaged or extracted?

I have one of these but I don't think there's any onboard storage... But I really don't know. Might be a teardown on ifixit or something

Dfdan

Doesn't Paladin have this facility built in, convert from eo1 to vmdk. @SUMURI (edited)

@0xSxS PALADIN could convert that E01 but not to a VMDK. Our current supported formats would be clone, dd, E01, Ex01, SMART, and DMG. But we’d likely be able to virtualize the image you have with CARBON. Just dm me if you want more info about CARBON

@Magnet Forensics Within Axiom, is there a way to "stack" hash duplicated images when traversing large swaths of images/videos/files? So that if one image shows up in 19 places it only occupies one thumbnail slot when I'm scrolling? I'm not aware if you already offer this, but I know I like the feature from cellebrite

9:33 AM

For example.... lots of repeat images. Axiom already hashes them, it'd be cool to be able to filter by md5 to only show uniques or something like that. If it's a feature already I must have just missed it

0xSxS

Is it at all possible to somehow convert a E01 to a vmdk to run it in a vm? (edited)

Md5 forensics offer a product called vfc which does this fairly seamlessly. Otherwise, it’s a hell of a time trying to mount it, DD and modify registries and dll’s for it to work. I think VFC automates and does all required changes in cache.

Joe Schmoe

Just wondering how other law enforcement agencies are storing large digital evidence. We still use disks and USB drives for most things. Computer and phones extractions are stored in a NAS (that keeps filling quickly). Our plan is to upgrade to a really large and scalable server for all digital evidence. The hardware is expensive enough but the some of the quotes for software are insane.

We’re running servers, but it’s getting to the point of being too expensive, they’re flirting with a cloud solution now. Depending on the size of your organisation, might work out cheaper than hiring a server admin plus getting the server, plus the additional storage in the future

0xSxS

Is it at all possible to somehow convert a E01 to a vmdk to run it in a vm? (edited)

Also OSForensics can boot E01s

9:40 AM

Could anyone from MSAB ping me pls?

Pseudonym

We’re running servers, but it’s getting to the point of being too expensive, they’re flirting with a cloud solution now. Depending on the size of your organisation, might work out cheaper than hiring a server admin plus getting the server, plus the additional storage in the future

Thank you for the reply. We first looked at Box.com which is much more reasonably priced for unlimited storage than I first thought (after getting the server quotes). The concerns where putting all of our evidence in the hands of a private company and also large file uploads brought our network to its knees in trying so it needs to be reworked.

9:47 AM

My ideal system would be a hybrid, locally stored but backed up to the cloud.

Joe Schmoe

Thank you for the reply. We first looked at Box.com which is much more reasonably priced for unlimited storage than I first thought (after getting the server quotes). The concerns where putting all of our evidence in the hands of a private company and also large file uploads brought our network to its knees in trying so it needs to be reworked.

Yeah absolutely the cloud provider would need to be accredited to a certain level, I swear I read a paper on digital forensics cloud providers that met all the governance

9:48 AM

But can’t remember where I would have found it, I remember Microsoft and aws, but there was some obscure providers on there too

9:48 AM

I want to say it was a UK GOV white paper

Pseudonym

But can’t remember where I would have found it, I remember Microsoft and aws, but there was some obscure providers on there too

They are CJIS compliant with solid encryption. I don’t know what would happen if they just closed shop one day though.

https://www.gov.uk/guidance/creating-and-implementing-a-cloud-hosting-strategy think this is where I started reading

Creating and implementing a cloud hosting strategy

This guidance outlines how to create and implement a cloud strategy, and when to consider a single, hybrid or multi-cloud solution.

Joe Schmoe

They are CJIS compliant with solid encryption. I don’t know what would happen if they just closed shop one day though.

Yeah fairsies with closing shop, but you would spend this much money without reviewing the contract bids business continuity plan

9:58 AM

Wouldn’t

whee30

@Magnet Forensics Within Axiom, is there a way to "stack" hash duplicated images when traversing large swaths of images/videos/files? So that if one image shows up in 19 places it only occupies one thumbnail slot when I'm scrolling? I'm not aware if you already offer this, but I know I like the feature from cellebrite

Media explorer will automatically stack by MD5 hash, and optionally by PhotoDNA if you have it enabled! https://www.magnetforensics.com/blog/the-all-new-media-explorer-in-magnet-axiom-5-0/

The Media Explorer in Magnet AXIOM - Magnet Forensics

We highlight the new Media Explorer found within AXIOM and how examiners can use it within their examination workflows.

2

0xSxS

Is it at all possible to somehow convert a E01 to a vmdk to run it in a vm? (edited)

If you want to launch E01s reliably into virtual machines, try Arsenal Image Mounter. You will also have access to extremely powerful (and unique) Windows authentication and DPAPI bypasses. We will send a temporary license via DM later today. (You can also use AIM for conversions, but why not launch E01s directly.) (edited)

Pseudonym

Yeah fairsies with closing shop, but you would spend this much money without reviewing the contract bids business continuity plan

What do you use for software? How would a patrol officer add digital evidence to a case?

@Mel_Hungate see - I knew there should be (and is) a solution. Thanks for the quick response, building the explorer now.

1

0xSxS

Is it at all possible to somehow convert a E01 to a vmdk to run it in a vm? (edited)

As someone else stated earlier, md5 have vfc, which I use quite a lot. But it can also be done using ftk and virtualbox, which I've also done several times: https://andreafortuna.org/2020/12/21/how-to-boot-an-encase-e01-image-using-virtualbox/

How to boot an Encase (E01) image using VirtualBox

Sometimes, during an incident analysis, you may need to replicate behaviours of a specific host, perhaps already acquired with a forensic method. In order to perform this test, you first need to create a VM starting from a forensic image, so today wee se how to convert an Encase (E01) image into a file that can be read from VirtualBox [1]. First...

12:06 PM

If you are using wmic in your's scripts, it is time to rewrite them. (edited)

Andrew Rathbun

I have one of these but I don't think there's any onboard storage... But I really don't know. Might be a teardown on ifixit or something

Thank you! I've already got what I need in this case so anything from the Steam Link would just be a bonus

1

Joe Schmoe

What do you use for software? How would a patrol officer add digital evidence to a case?

That’s a big question!

0xSxS

Is it at all possible to somehow convert a E01 to a vmdk to run it in a vm? (edited)

Why don't you just mount it (with AIM or FTK shudder), create a sparse VMDK (linking it to the mounted physical drive) and then attach that VMDK to a VM?

Hi everyone, Im a student and I was wondering if someone could help me understand something my Prof. couldn't explain. In Video Forensics, we're currently looking at different file formats and their Headers in hex. Can someone explain to me why it is standard for some files (like WAV) to switch between big endian and little endian? At first I thought it would be for some sort of efficiency/optimization, but I think any potential gain from this is mitigated by constantly switching back and forth. Can someone explain?

In what context does it switch? If it’s presenting ASCII text like in metadata, it makes sense for big endian since that’s how we read. In the context of offsets, numbers, dates etc. it makes sense to use little endian since the processor that needs/uses that info reads in that direction… I’m not big into video so if I’m way off base from your question I apologize.

Like, even within the first 12 bytes for the RIFF chunk, the first 4 for Chunk ID is in big endian, the Chunk Size is in little for the next 4, and the 4 following that for format switches back to big. That can't be more efficient than just picking one and sticking with it, can it?

Well the processor reads everything little endian so it does all technically go the same direction. The software interpreting the data is written to know how to read it and what to do with it. You’d probably have to find some documentation from the creators to know why.

Joe Schmoe

Just wondering how other law enforcement agencies are storing large digital evidence. We still use disks and USB drives for most things. Computer and phones extractions are stored in a NAS (that keeps filling quickly). Our plan is to upgrade to a really large and scalable server for all digital evidence. The hardware is expensive enough but the some of the quotes for software are insane.

Similar path for us, outgrew synology nas and now we use Linux servers utilizing ceph, has scaled amazingly well, just keep adding servers as needed, very resilient if you have it background and can maintain it yourself.

Not a CS question but here it goes. Does anybdy know if its possible to set a domain account to force password change on 2nd login instead of 1st login ?

Medi

Similar path for us, outgrew synology nas and now we use Linux servers utilizing ceph, has scaled amazingly well, just keep adding servers as needed, very resilient if you have it background and can maintain it yourself.

Interesting. I’m not familiar with Ceph but I will take a look.

Hello, when was FBE encryption adopted on iOS? (edited)

manuelevlr

Hello, when was FBE encryption adopted on iOS? (edited)

From iPhone 4. Its possible to obtain a physical from IPhone 4, after that you cant) (edited)

florus

From iPhone 4. Its possible to obtain a physical from IPhone 4, after that you cant) (edited)

there has never been a full disk encryption encrypted then? directly to the file based encrypted you passed? (it wasn't like android)

Does anybody know what the file signature is for the AFF4 format? I was excited to see the latest version of FTK Imager supported AFF4, but i'm very disappointed to see that it doesn't appear to actually image in AFF4 format, rather, it appears to still use the original AFF (I'm getting this from the file signature ASCII "AFF10", and the fact it was slower than molasses). Perhaps this means it can read AFF4.... don't have a way to test it though. (edited)

Forensic Software question: For those that have used or currently use Oxygen Forensic Detective, MSAB and Magnet Axiom, how do they compare head to head to head? Is there an overall advantage to one over the other, or does one do particular things better than the other. One of our biggest issues has been locked Android devices, and while I'm aware that is a difficulty for everyone, does one of these do a better job getting into more devices than the others? Also, has anyone found that one of them does a better job pulling the most data over the others? I'm curious to know thoughts on this, as we are comparing them currently.

Cole

Does anybody know what the file signature is for the AFF4 format? I was excited to see the latest version of FTK Imager supported AFF4, but i'm very disappointed to see that it doesn't appear to actually image in AFF4 format, rather, it appears to still use the original AFF (I'm getting this from the file signature ASCII "AFF10", and the fact it was slower than molasses). Perhaps this means it can read AFF4.... don't have a way to test it though. (edited)

Aff4 is a zip64 container. So probably PK as a header.

1

ntrsandman28

Forensic Software question: For those that have used or currently use Oxygen Forensic Detective, MSAB and Magnet Axiom, how do they compare head to head to head? Is there an overall advantage to one over the other, or does one do particular things better than the other. One of our biggest issues has been locked Android devices, and while I'm aware that is a difficulty for everyone, does one of these do a better job getting into more devices than the others? Also, has anyone found that one of them does a better job pulling the most data over the others? I'm curious to know thoughts on this, as we are comparing them currently.

When I was in LE I was very fortunate to have access to a few different tools. But the way that mobile support works, you almost need to to get the best coverage of device/operating system/file system/app data. Mobiledit had a blog post about a comlaritive study and showed that you need more than one for better coverage

1:27 PM

Whether they do a better job is relative. I did a job where oxygen was the only tool that supported a specific encrypted app. But couldn't produce. Areport of the contents with exif data. So out of one tool and into another

pretty much this ^. if the only tool you have is a hammer, everything starts to look like a nail - kinda thing. even in data recovery there's a substantial difference in which ones are better at what, even given that they are all operating on a pretty standard format device (say a spinning HDD) quite unlike Mobile Phones.

Hi! So I was doing a Shell bag analysis on UsrClass.data with SBECmd (Eric Zimmerman's tool) and saw that CSV file it generated gave me empty columns for Created Date and Modified date

8:33 PM

anyone has any experience with the tool and knows why is it happening?

ArcherL

Hi! So I was doing a Shell bag analysis on UsrClass.data with SBECmd (Eric Zimmerman's tool) and saw that CSV file it generated gave me empty columns for Created Date and Modified date

Did you get first interacted and last interacted timestamps?

Yeah

Good deal. Do you need anything more than that?

I was going through the issues on github of the tool, no mention of it

Andrew Rathbun

Good deal. Do you need anything more than that?

Yeah, I mean I have to compare in one of my assignments if the file was moved from one place to another and wanted to check it against created date

8:37 PM

one drive/external media*

ArcherL

I was going through the issues on github of the tool, no mention of it

There's no SBECmd repo so I'm guessing you're referring to his general issues repo

Yeah

8:37 PM

my bad

ArcherL

Yeah, I mean I have to compare in one of my assignments if the file was moved from one place to another and wanted to check it against created date

Where would you find timestamps of a file that could indicate a potential file copy took place?

as in, if a file created say x and the same file is elsewhere in another drive as well but with a Y timestamp which is after X

8:39 PM

I can hypothesize it might be copied from x timestamp place to Y timestamp place

8:39 PM

but I am just guessing

You're on the right track. Where would you find the timestamps for said files?

8:40 PM

And what dataset are you afforded for this assignment? An image?

Andrew Rathbun

You're on the right track. Where would you find the timestamps for said files?

createdON, ModifiedOn I guess? I am not really sure what information is LastWriteTime and FirstTimeINteracted is giving, is it like the same as the former two? (I mean they are synonymous but from the SBECmd wise)

Andrew Rathbun

And what dataset are you afforded for this assignment? An image?

Yeah, an image, I have extracted the NTUSER.dat, UsrClass.dat (and log files for both)

1

ArcherL

createdON, ModifiedOn I guess? I am not really sure what information is LastWriteTime and FirstTimeINteracted is giving, is it like the same as the former two? (I mean they are synonymous but from the SBECmd wise)

SBECmd is going to parse shellbags, which is indicative of folder traversal by a given user. First and last interacted are the first and last times the user traversed that folder

8:45 PM

It appears your assignment wants you to key in on timestamps of a specific file(s).

8:45 PM

https://www.sans.org/posters/windows-forensic-analysis

Windows Forensic Analysis | SANS Poster

The “Evidence of...” categories were originally created by SANS Digital Forensics and Incidence Response faculty for the SANS course FOR500: Windows Forensic Analysis. The categories map a specific artifact to the analysis questions that it will help to answer. Use this poster as a cheat-sheet to help you remember where you can discover key Wind...

ArcherL

Hi! So I was doing a Shell bag analysis on UsrClass.data with SBECmd (Eric Zimmerman's tool) and saw that CSV file it generated gave me empty columns for Created Date and Modified date

I mean the whole column for every entry is empty

Top section of the poster is relevant to your interest

8:46 PM

There's a very important NTFS metadata file that contains timestamps for every file on the file system

1

8:46 PM

I just gave you 2 and 2. Go find 4

1

8:47 PM

Best of luck

Got it, thanks for the help @Andrew Rathbun

Circle back if you get stuck only after reporting what you tried that failed

Hey has anyone here recently taken the SANS FOR500 (GCFE) Course on Demand? (edited)

8:56 PM

I'm trying to figure out how many hours of video content the course has

Andrew Rathbun

Circle back if you get stuck only after reporting what you tried that failed

I just had one doubt, why is the SBECmd giving me the whole createdON column empty!

9:09 PM

for my friend it has values for some items

Phill

I'm trying to figure out how many hours of video content the course has

It has about 24 hours of content (audio only, plus video/demos). That said, I always put in a caveat to say doing the course will take longer if done properly (review, note taking, doing the labs etc)

1

ArcherL

I just had one doubt, why is the SBECmd giving me the whole createdON column empty!

No idea man. Check your syntax when your friend's. Any differences? Hard to troubleshoot without showing debug console output, command etc

dn

Hi all, looking at potentially buying some new hardware for a new machine and was wondering what people are using or recommend. We currently use Griffeye, Cellebrite and XRY. As far as i'm aware non of the above are GPU accelerated so we would focus most of the budget in the CPU. But we are unsure if more cores are better or if clock speed is more important... Would like to hear what you guys have to say

Mornin! Griffeye does offer GPU processing options when it comes to the Griffeye Brain functionality. Cellebrite I would wonder if the media categorization processing option post ingestion utilizes GPU. I use the Forensic Computer PHANTYM line with pretty good success if it helps. Also use Talinos from Sumuri.

ByteSweep

Mornin! Griffeye does offer GPU processing options when it comes to the Griffeye Brain functionality. Cellebrite I would wonder if the media categorization processing option post ingestion utilizes GPU. I use the Forensic Computer PHANTYM line with pretty good success if it helps. Also use Talinos from Sumuri.

Yeah I believe the categorization addon program utilizes it. But I never actually looked at the resources when using it to see how well. Just going by the notes. (edited)

ArcherL

I just had one doubt, why is the SBECmd giving me the whole createdON column empty!

Are you both working from the same image? It should produce Created On timestamps for any entries of type Directory. Also be sure to be running SBECmd as Administrator (just in case there is a permissions issue)

More on aggressive surveillance and electronic evidence tampering in an ongoing criminal case that you should all be aware of by now... this time from SentinelOne: https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/ (Full report at https://s1.ai/mod-elephant?lb-mode=overlay)

ModifiedElephant APT and a Decade of Fabricating Evidence

A previously unreported threat actor has been targeting civil society for over a decade. Read about how it operates and its relationships to other threats.

Modified Elephant APT and a Decade of Fabricating Evidence

ModifiedElephant is responsible for targeted attacks on human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence.

Arsenal

More on aggressive surveillance and electronic evidence tampering in an ongoing criminal case that you should all be aware of by now... this time from SentinelOne: https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/ (Full report at https://s1.ai/mod-elephant?lb-mode=overlay)

Something to keep in mind as you learn more - both public and private sector digital forensics practitioners have been effectively toyed with in this case. Don’t be like them. (edited)

1

This fragmentation of the leaks community produced by raidforums going down is driving me nuts

7:47 AM

Just keep it all in one place god damnit! It's the streaming platforms scenario all over again!

Hello everyone, I am currently pursuing Bachelors in Computer Science. I was willing to initiate a student chapter related to cyber security. Our college is in India. We wont be having too much members (initially not more than 15). It would be really helpful if I can get some suggestions for the organizations that I can reach to for the same. Thanks.

Chinz

Hello everyone, I am currently pursuing Bachelors in Computer Science. I was willing to initiate a student chapter related to cyber security. Our college is in India. We wont be having too much members (initially not more than 15). It would be really helpful if I can get some suggestions for the organizations that I can reach to for the same. Thanks.

#training-education-employment let's move this discussion here

Andrew Rathbun

#training-education-employment let's move this discussion here

Okay sure

Arsenal

More on aggressive surveillance and electronic evidence tampering in an ongoing criminal case that you should all be aware of by now... this time from SentinelOne: https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/ (Full report at https://s1.ai/mod-elephant?lb-mode=overlay)

Interesting article, thank you for sharing! I like that the article provides a list of indicators of compromise file hashes. I know @Cellebrite includes their malware scanner in physical analyzer, are there other resources out there as far as IOC or malicious mobile file hashes? Especially recent ones?

Anyone got experience with some tools that can deobfuscate php?

Fierry

Anyone got experience with some tools that can deobfuscate php?

For people wanting to deobfuscate (malicious) php code I can recommend: https://sandbox.onlinephpfunctions.com/

PHP Sandbox, test PHP online, PHP tester

PHP Sandbox. Run, execute and test PHP code from your browser. Versions: 8.0.0, 7.4.13, 7.4.7, 7.4.0, 7.3.25, 7.3.19, 7.3.12, 7.3.5, 7.2.31, 7.2.25, 7.2.18, 7.2.4, 7.1.33, 7.1.29, 7.1.0, 7.0.14, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 5.6.29, 5.6.20, 5.6.19, 5.6.18, 5.6.17, 5.6.2, 5.5.34, 5.5.33, 5.5.32, 5.5.31, 5.5.18, 5.5.5, 5.5.0.a6, 5.5.0.a.5, 5....

whee30

Interesting article, thank you for sharing! I like that the article provides a list of indicators of compromise file hashes. I know @Cellebrite includes their malware scanner in physical analyzer, are there other resources out there as far as IOC or malicious mobile file hashes? Especially recent ones?

As far as we know, ModifiedElephant IOCs are specifically related to Indian targets. You can find some IOCs more recent than what you fill find our reports in the Amnesty article at https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/. Amnesty's article deals with ModifiedElephant attacks on the people who came to the defense of the defendants in our case.

zahraasifamnestyorg

India: Human Rights Defenders Targeted by a Coordinated Spyware Ope...

Amnesty International and the Citizen Lab have uncovered a coordinated spyware campaign targeting at least nine human rights defenders (HRDs) in India. Eight of the nine HRDs have been calling for the release of other prominent activists, popularly known as the Bhima Koregaon 11, most of whom have been imprisoned in Maharashtra, India since 2018...

Arsenal

As far as we know, ModifiedElephant IOCs are specifically related to Indian targets. You can find some IOCs more recent than what you fill find our reports in the Amnesty article at https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/. Amnesty's article deals with ModifiedElephant attacks on the people who came to the defense of the defendants in our case.

Some of the IOCs are of limited value for reasons which include ModifiedElephant using a variety of different crypters in combination with a tendency to build things just prior to sending them to specific targets. A lot of care and feeding went into being able to track specific targets - e.g. the sheer volume of unique NetWire Host Ids/DarkComet Server IDs is fascinating.

Has anyone here put an axiom (cyber) dongle on a server to allow multiple people access to the software (my entire team is remote)? Looking to do something similar, however not sure how the dongle plays with RDP sessions? Can’t justify paying for their AWS offering or additional dongles. Anyone have any suggestions to the reduce the single man point of failure situation?

Seriously, the more i use Dopus... I'm not sure whether to mention other DR/DFIR folks how stupidly OP Flat view is, bc it feels like I'm giving away "my edge".

trickyricky

Has anyone here put an axiom (cyber) dongle on a server to allow multiple people access to the software (my entire team is remote)? Looking to do something similar, however not sure how the dongle plays with RDP sessions? Can’t justify paying for their AWS offering or additional dongles. Anyone have any suggestions to the reduce the single man point of failure situation?

Unsure but if it doesn't work they do have some sort of network licensing. Not sure if it's more expensive though

can anyone help me with a college assignment, i'm trying to track payments made possibly to a number of betting agency's is there a way of doing this without having a form of warrant or access to the suspected accounts. e.g. through an IP log ?

Reaper 22

can anyone help me with a college assignment, i'm trying to track payments made possibly to a number of betting agency's is there a way of doing this without having a form of warrant or access to the suspected accounts. e.g. through an IP log ?

what material / resources / direction have the college given you? (edited)

the background ive been given is just the reason why it being done and acess to basic stuff such as proDiscoer or the slueth kit autopsy

5:52 AM

the only thing is for me to use the autopsy part i need to physically be able to plug the phone into it but the phone has built in encryption

ah, you have a device

(edited)

i have the phone but roughly would only have about 8 hours of access so want to use it wisely

5:54 AM

so was thinking if there was a work around for this

sorry, "phones-Я-us" is totally not me, lol, maybe echo in #mobile-forensic-decoding too. some groovy dudes in there

5:57 AM

w/ any luck others will pop by here with pointers too

yeah might throw it into there, probably should have picked one of the assignments with a little less of a focus on phone work a computer would have been easier

Reaper 22

yeah might throw it into there, probably should have picked one of the assignments with a little less of a focus on phone work a computer would have been easier

it may be that once you are "in" you could check for any betting apps and see what info, if any, they hold.user might have been kind and also left login details which would support your case going forward if you, theoretically, needed to apply for a warrant. (you likely know to access other's priv info without a warrant, or similar, could get you in more trouble than the <accused> - check country/state laws etc) (edited)

yeah true ive definitely seen that i have to do a lot to tip toeing around this area i might just go more theoretical such as how'd i do it then actually give a demonstration on me doing it. just to aviod access something accidently and breaking laws especially with GDPR being so watched atm

Reaper 22

yeah true ive definitely seen that i have to do a lot to tip toeing around this area i might just go more theoretical such as how'd i do it then actually give a demonstration on me doing it. just to aviod access something accidently and breaking laws especially with GDPR being so watched atm

so, who owns the phone. the way you are talking sounds like its real data you're potentially messing with

the phone is owned by the college we've used it before for getting evidence of photos but its the first time being asked to get a form of transaction off a real company through the phone if the owner of the phone is aware in the sense of that were using the phone will that technically cancel out the GDPR part? the sense is the phone has been retrieved through an arrest but not for the reason in why were accessing this data we have cause to search the phone as were aware that the information is there. im starting to think writing in the assigment that it would be better to just use the prior knowledge and see if its enough to get granted access

6:24 AM

pretty much the background is the person arrested is being held on a different offence but we are and have been activly following the suspects activites in scams and money wiring through using peoples debit cards and then charing high amounts of transcations then when the money is cleared there using betting sites to wash the money between 2 accounts. the aim is to get the first account thrugh the transcations then using the info as a stepping stone to get the second account

sorry, i'm feeling particularly caffeine deficient here (dim)

are you saying that this phone is actually part of a real investigation, or has been explicitly "set up" by the college?

6:34 AM

theoretically, jurisdiction dependent, it might be be wise to seek legal counsel before going sideways. "we got <this>, but when we got in, we found <that>.

set up by college

1

Hey everyone. I’m wondering if you guys have any thoughts on Magnet Axiom v. FTK. We currently have axiom but our higher ups are looking at other options as well. Any thoughts are appreciated.

perez0951#1093

Hey everyone. I’m wondering if you guys have any thoughts on Magnet Axiom v. FTK. We currently have axiom but our higher ups are looking at other options as well. Any thoughts are appreciated.

What kind of cases do you normally work?

Andrew Rathbun

What kind of cases do you normally work?

We work mostly CP cases but we help with other things as well.

@perez0951#1093 for CP cases I would look at Xways and Griffeye

DCSO

@perez0951#1093 for CP cases I would look at Xways and Griffeye

I was reading up on Xways but didn’t see a much difference between it and Axiom. I may have just missed it. Is there any reason you would suggest those over the other two?

how can I find volume slack in fat16 file system?

perez0951#1093

Hey everyone. I’m wondering if you guys have any thoughts on Magnet Axiom v. FTK. We currently have axiom but our higher ups are looking at other options as well. Any thoughts are appreciated.

Axiom wins that.

11:19 AM

But you may want to stock up on tools I'd say. We have Inspector, X-Ways, Axiom and EnCase in our kit.

11:20 AM

Not every tool supports everything basically

perez0951#1093

I was reading up on Xways but didn’t see a much difference between it and Axiom. I may have just missed it. Is there any reason you would suggest those over the other two?

Axiom and XWays are very different approaches to forensics. Axiom presents you with interpreted data as artifacts which are categorized and sorted for you. You then follow the artifacts back to the source if you want more info. XWays is much more barebones, you need to manually dig through the file structure or know how to seek out specific files or file types that are pertinent to your case. I like Axiom for the speed at identifying artifacts and XWays for digging under the hood of the filesystem. The hex view in Axiom doesn't compare to XWays, though it also doesn't seem to be their intention to compete in that area.

11:30 AM

if you need to work in hex at all, XWays is the clear winner there

4

Rob

But you may want to stock up on tools I'd say. We have Inspector, X-Ways, Axiom and EnCase in our kit.

I get that. We usually only use axiom for our hard drives and cloud based services. We have Cellebrite for cellphones and other mobile stuff.

1

perez0951#1093

I get that. We usually only use axiom for our hard drives and cloud based services. We have Cellebrite for cellphones and other mobile stuff.

Mobile side is the same. We have Oxygen, XRY, Axiom and Cellebrite.

@Law Enforcement [USA] Hello all, can anyone tell me what kind of information Apple can offer if you provide them a UDID number? thank you

I do mostly CP cases with NCIS and use primarily Axiom with Cellebrite next. Multiple tools are good if you can afford but sometimes, you’re stuck with what you have. Personally, after several hundred cases, I prefer Axiom for computers and mobile devices. Cellebrite is sometimes easier to get into a phone with, but I will@usually take that image and run it into Axiom. For me, Axiom is still much better at any social media and chats than Cellebrite - and I prefer how it handles tagged items better.

What kind of info you looking for from Apple? I’ve had very bad luck with them. They are anti law enforcement and will make you jump through every possible hoop. Your better off using a grey key or similar to dump info.

Just looking to identify the owner of the device

anyone from berla or ive on the chat...

I've had good luck with Apple including UUID-based search warrants although that was a few years back (for a UUID search).

1:33 PM

@C. Russell If you serve them with a search warrant based on UUID you can get subscriber info, account info, payment, etc. Everything you normally get by iCloud ID or phone number.

@

Carrotney

are you local or federal?

1:58 PM

If federal 18 U.S.C. § 2703 articulates the steps that the government must take to compel providers to disclose the contents of stored wire or electronic communications (including e-mail and voice mail) and other information such as account records and basic subscriber information. Section 2703 offers five mechanisms that a "government entity" can use to compel a provider to disclose certain kinds of information. The five mechanisms, in ascending order of required threshold showing, are as follows: 1) Subpoena; 2) Subpoena with prior notice to the subscriber or customer; 3) § 2703(d) court order; 4) § 2703(d) court order with prior notice to the subscriber or customer; and 5) Search warrant.

1:59 PM

2703d is similar to a subpoena and provides the info you need.

How can you capture the decrypted packets in ic2kp?

I’m spearheading a plan at work to move us to using virtual machines for a majority of our analysis(dead disk forensics aside, mostly IR work). I have the choice to use either proxmox and ceph for storage, or Hyper-V and storage spaces direct. I have a mental list of pros and cons, and am leaning towards proxmox despite the downside of it being fully self supported by me… and basically being a bloody homelab. I guess the TLDR is Has anyone here actually run a forensics lab off of proxmox or should I stick to Hyper-V despite some of the pains it has? (Please ping me since I will probably forget about this in 10 seconds) (edited)

Turb0Yoda

I’m spearheading a plan at work to move us to using virtual machines for a majority of our analysis(dead disk forensics aside, mostly IR work). I have the choice to use either proxmox and ceph for storage, or Hyper-V and storage spaces direct. I have a mental list of pros and cons, and am leaning towards proxmox despite the downside of it being fully self supported by me… and basically being a bloody homelab. I guess the TLDR is Has anyone here actually run a forensics lab off of proxmox or should I stick to Hyper-V despite some of the pains it has? (Please ping me since I will probably forget about this in 10 seconds) (edited)

I run a personal lab in PVE, I don't use Hyper-V. It would be easier to provision/manage/destroy VMs if you're going to do it programmatically through PVE's API.

DeeFIR 🇦🇺

I run a personal lab in PVE, I don't use Hyper-V. It would be easier to provision/manage/destroy VMs if you're going to do it programmatically through PVE's API.

yeah- the plan is to use IaaS to deploy everything. I am not adverse to running proxmox, but putting it in prod is scaring me a little...

6:04 PM

and frankly, Hyper-Vs networking stack gives me an aneurysm.

Is there a reason ESXi isn't a contender?

DeeFIR 🇦🇺

Is there a reason ESXi isn't a contender?

want HA/clustering and unfortunately I was unable to push the vSphere HCI kit in the budget

Examinator

I do mostly CP cases with NCIS and use primarily Axiom with Cellebrite next. Multiple tools are good if you can afford but sometimes, you’re stuck with what you have. Personally, after several hundred cases, I prefer Axiom for computers and mobile devices. Cellebrite is sometimes easier to get into a phone with, but I will@usually take that image and run it into Axiom. For me, Axiom is still much better at any social media and chats than Cellebrite - and I prefer how it handles tagged items better.

I agree. Axiom is much better at finding artifacts than Cellebrite. Cellebrite is okay for verifying and acquiring data. Not for digging into the data for evidence.

We have Cellebrite in our lab, but most of us prefer XRY honestly.

umm how did @SPVQct2842 Eric topic get into #rules ?

- anyhoo, maybe this helps - GUID/Hash guides if you hadn't found already

    CoCreateGuid( (::GUID*)&GUID ); </source>

The Shareaza 2.0 code appears to be generating GGUID values without using CoCreateGUID. In Network.cpp, the CreateID method fills the value of a GGUID using the tick count, an incremented count, and the rand function.

not a coder myself but had spare time to go looking. hth

Digitalferret

umm how did @SPVQct2842 Eric topic get into #rules ?

- anyhoo, maybe this helps - GUID/Hash guides if you hadn't found already

    CoCreateGuid( (::GUID*)&GUID ); </source>

The Shareaza 2.0 code appears to be generating GGUID values without using CoCreateGUID. In Network.cpp, the CreateID method fills the value of a GGUID using the tick count, an incremented count, and the rand function.

not a coder myself but had spare time to go looking. hth

Looking into that

hehe, LE-37 c4n4d14|| |-|4><Or no doubt - even labels as LE

‍

️

Question for a blue teamer. How would you rank the following certifications? Comptia Pentest + Elearn eJPT EC Council Certified Pentester

You're asking a blue teamer to evaluate the quality of red teaming certificates?

No. For me. A blue teamer who knows nothing about pentest certs

4:31 PM

Sorry phrasing was confusing

conf1ck3r

Question for a blue teamer. How would you rank the following certifications? Comptia Pentest + Elearn eJPT EC Council Certified Pentester

#training-education-employment would be a good spot for that

1

4:41 PM

And @RandyRanderson might have some good input on that (edited)

conf1ck3r

Question for a blue teamer. How would you rank the following certifications? Comptia Pentest + Elearn eJPT EC Council Certified Pentester

If it isn’t OSCP or GPEN it’s too basic

1

7:15 PM

eJPT has some merit. But again, considered by many in the red team area as too basic.

1

RandyRanderson

If it isn’t OSCP or GPEN it’s too basic

How well is GPEN considered? Especially compared to the OSCP (which I see a lot more positions asking for)

Tcisaki

How well is GPEN considered? Especially compared to the OSCP (which I see a lot more positions asking for)

OSCP has become the de facto cert for network pen testing. Largely because it’s actually cheap to take, it’s now a proctored test, and they just updated it to make you steal the AD of a domain controller. Effectively you’re actually doing pen testing. GPEN has gotten WAY more involved. But what it hits on that makes it’s valuable is they talk about the admin side. I’ve done both OSCP and GPEN, among many others, and GPEN is much more a corporate cert. they’ve done great at advancing the material…but even in my SANS bias eyes Offensive Security has done a much better job

1

7:33 PM

I see GPEN more on CSIRT jobs than I do actual red team classes. But. There are other SANs classes that are stepping up the game

1

That was my thinking as well. Thanks Randy

Tcisaki

That was my thinking as well. Thanks Randy

Always mate!

New here so I hope my question isn't I'll formed. Seems like trying to inspect devices for hardware subversion/sabotage is particularly hard to go backwards and find all affected instances of. Would a kind of Circuit Board "OCR" be useful there? Like if you could throw the boards on a conveyor belt under camera trained to identify ICs. Maybe the bot could spot any boards that have components not in original design? Might be weird idea or wrong channel apologies if so.

xray and compare to known good?

1

tyl3rdurd3n

New here so I hope my question isn't I'll formed. Seems like trying to inspect devices for hardware subversion/sabotage is particularly hard to go backwards and find all affected instances of. Would a kind of Circuit Board "OCR" be useful there? Like if you could throw the boards on a conveyor belt under camera trained to identify ICs. Maybe the bot could spot any boards that have components not in original design? Might be weird idea or wrong channel apologies if so.

Possibly useful but how would you get the reference boards?

Mm true those are probably a bit coveted by companies designing them.

Not only that, you buy a Samsung galaxy s8 at two different times and they might have different components

5:03 AM

I just pulled apart two MacBook Pros with the same model number and they had different nvme drives with different connection ports internally

1

5:03 AM

Unfortunately for us, they don't care about us

Oh geez. Didn't realize that was the state of affairs.

5:11 AM

More thinking needed. So it's not totally absurd in theory though? Assuming we all played nice and stuck to consistent manufacturing processes

5:11 AM

Perhaps the last part is what makes it absurd

I've got CySA+ coming up in two weeks. Any of you guys taken it before?

silvanceknight

I've got CySA+ coming up in two weeks. Any of you guys taken it before?

#training-education-employment

Original message was deleted or could not be loaded.

Yes, using it but not a sysadmin for it, so I can only offer best effort advice. What are you seeing?

Curious if anyone recognizes this device based on camera pattern?

do you think the bottom opening is a camera lens or a button?

I was guessing a camera, looks like the flash maybe on the right of that lens?

yeah - so two cameras and that top one is suuuper close to the edge of the phone

If I were to guess, something close to HTC One M8

11:05 AM

That sorta style

11:06 AM

Not the exact same model, but kinda close.

dang it - i hjust found the one m8

11:07 AM

how were you searching? I was doing a feature search on gsm arena

https://www.akshatblog.com/list-of-smartphones-with-dual-camera-or-dual-lens-camera/

Akshat Verma

List of Smartphones with Dual Camera or Dual Lens Camera

List of Dual Lens Camera Phones and Advantages of Dual Camera Smartphones. Updated List of Dual Rear Camera and Dual Front Camera Mobile Phones based on Android, iOS & Windows Phone.

11:07 AM

nice! good hunting!

Could be it, very close! Its a mirror shot so flash would be on the other side like the one m8 is. Just wondering what that is in the top right of the flash, looks like an additional flash/sensor?

11:10 AM

Or maybe just some wierd artifact reflected off of the case

11:13 AM

Thanks @Rob & @whee30!

2

Has anyone had a judge order the return of a device prior to the case concluding? We have a judge saying we have a FFS of the device so there is no need to keep the phone as we have everything we are going to get. Anyone have valid argument points? I have a few which hinge on best evidence rule but maybe I am overlooking.

Ghosted

Has anyone had a judge order the return of a device prior to the case concluding? We have a judge saying we have a FFS of the device so there is no need to keep the phone as we have everything we are going to get. Anyone have valid argument points? I have a few which hinge on best evidence rule but maybe I am overlooking.

That doesn't seem to pass the common sense rule....why does this judge care?

He feels we should give it back and says we have an image of the phone so need to keep

Depends on the case

4:00 PM

Is it a requirement for that person to do their job Does it have CSAM on it Is it the victims or accessed

4:00 PM

Accused*

4:01 PM

Is the defense examiner going to want to examine the original device

It’s a bank robbery case and the defendant wants his phone back that’s the crux

Everyone wants their phones back ASAP because it's like their second brain, they can't live without it for 2 seconds

5

I have returned phones to their owner after extraction but before charges in some cases. It has either come directly from upper management or from my DA. I have not had a judge order me to do that, yet.

1

Could I say this, the extraction I have is only a FFS and not a physical. So I do not have everything from the device. Technology could advance in the future allowing for a physical extraction which would be more data than we currently have.

4:21 PM

I know we most likely will not get the ability to get the physical because it’s FBE but who knows what the brilliant minds of tomorrow will develope

Valid points and I totally agree with following the best practices of keeping the phone until the case is fully concluded. I also know who signs my paycheck and how to follow orders!

4:26 PM

I would document in your report the reason for releasing the evidence since it is against best practice. I always document in each report the date/time I received and released/booked each evidence item. I only document the reason why it was I did one of those things if it is out of the ordinary.

Is there a specific document I can reference for best practice on this?

Ghosted

Is there a specific document I can reference for best practice on this?

the principle of best evidence?

4

Most cases its probably ok to return after you've done your extraction. You're not likely to get more evidence in 6 months time. Maybe advancements etc but you're probably ok. You can still make a song and dance about it though and make sure the judge signs off on them being held responsible if something arises that requires the device

5:08 PM

Like, finding something that is truely easier for everyone to understand if demonstrated in court on the original device

Ghosted

Is there a specific document I can reference for best practice on this?

Don’t forget about acquired device data validation. Having the original device allows for the acquired data to be validated via hand scrolling on the physical device. My wife works in DNA and it makes me think…would a judge order LE to hand over a blood soaked t-shirt after DNA analysis is completed because it’s the defendants favorite shirt?

4

I have released items in the past when both prosecution and defense agree to accept the download as the best available evidence.

whee30

I have released items in the past when both prosecution and defense agree to accept the download as the best available evidence.

Yeah, if there's an undertaking that both parties agree to and they both understand the risks involved, then sure, it's out of the IO's hands.. but if they're uneducated, not adequately informed, and the issue of integrity/custody/interpretation/extraction/whatever is raised later - then guess who it's going to come back on.

Hello everyone. Are there any US persons in Europe who will testify for the defense? The Prosecutors office that I am testing for asked if I could supply them with a digital forensic expert that's in Europe like a co-worker or something... we don't do that so she asked if maybe OSI or CID or someone else has anyone.

Does anybody have a successful experience with obtaining Microsoft Teams data using Axiom?

Ghosted

Has anyone had a judge order the return of a device prior to the case concluding? We have a judge saying we have a FFS of the device so there is no need to keep the phone as we have everything we are going to get. Anyone have valid argument points? I have a few which hinge on best evidence rule but maybe I am overlooking.

We have had this argument over and over here, one example was do you give back a T-shirt after swabbing it for DNA, Swabbing a Gun ? Its original evidence blah blah ..... usually the judge will start to rethink it. They can have it back 90 days after the case is complete.

4

Carb0hydrates

Does anybody have a successful experience with obtaining Microsoft Teams data using Axiom?

No experience but I know that Axiom has an entire setup guide at https://www.magnetforensics.com/blog/investigating-microsoft-teams-with-magnet-axiom-cyber/

Investigating Microsoft Teams with Magnet AXIOM Cyber - Magnet Fore...

In this blog we’ll discuss the steps necessary for investigators to complete to acquire MS Teams data directly into AXIOM Cyber.

Thank you for the information. I was able to find this as well, but when we went through Azure, the Magnet application never showed up. Even when logged in as the global admin.

1:33 PM

I'll give it another go though, perhaps it was just delayed.

Hey is there anytool to convert timestamps like this 2019-01-20 21:11:38Z to EST (I know an offline tool like Dcode date time exists but I was hoping to get to know an alternative)

3:22 PM

I mean a simple -5 also works

3:23 PM

but I need to automate this, so I was hoping for a program

writing a python script is probably the easiest

Yeah, I was planning on doing that, but if something like it already exists why re-invent the wheel?

2

perez0951#1093

I was reading up on Xways but didn’t see a much difference between it and Axiom. I may have just missed it. Is there any reason you would suggest those over the other two?

I had a thumbdrive with a deleted zip container of photos. X ways was able to carve the contents inside the container, Axiom only parsed the file name of the zip container

ArcherL

Yeah, I was planning on doing that, but if something like it already exists why re-invent the wheel?

I have a python script that does that for Internet proxy logs. Just feed the dates in a loop (you'll have to pull them out yourself). Stack exchange was a big help. The relevant part for you is about 20 lines. I can make it stand alone.- I can paste here or dm you if you prefer. (are we allowed to paste code here?).

1

DM would be better! Thanks again for the help!!

Sent.

1

ArcherL

Hey is there anytool to convert timestamps like this 2019-01-20 21:11:38Z to EST (I know an offline tool like Dcode date time exists but I was hoping to get to know an alternative)

Is the data in a spreadsheet? If so you can just create a column and subtract the time.

Why didn't I think this lol!!

6:49 PM

but there are some text files as well, so a python script was better

ArcherL

Why didn't I think this lol!!

This is why we ask questions. To remember what we had previously forgotten

Is anyone here familiar with attempts to create some kind of standardised digital forensic import/export format (CASE)? The idea I assume is for all DF/cyber tools to support this to allow more efficient workflows, enhance testing/validation etc. I have some info about it, can see how it's a good idea but wondering if this is even still alive? I have not noticed this in the popular tools, but could be it has somehow passed me by!

This is why I always hash evidentiary items when copying to another volume!

10:59 AM

Copied the Axiom portable case and associated report items to a flash drive to give to the investigating officer, hashed everything with 7zip, and got two different values even though they are the exact same size down to the byte. Something somewhere flipped a bit.

Especially to usb flash drives!

FullTang

This is why I always hash evidentiary items when copying to another volume!

did you use the native Explorer to copy? Wondering if that messed something up along the way. Could try something like Teracopy to see if hashes get changed using another copy software (edited)

stark4n6

did you use the native Explorer to copy? Wondering if that messed something up along the way. Could try something like Teracopy to see if hashes get changed using another copy software (edited)

I did use native explorer. I have already deleted the copy, recopied, and rehashed. The hashes matched the 2nd time. This isn't the first time it has happened to me, but the previous time I wasn't 100% positive it wasn't somehow user error. This time I know all I did was copy and hash. It is a "Verbatim" USB so not the best quality.

FullTang

Copied the Axiom portable case and associated report items to a flash drive to give to the investigating officer, hashed everything with 7zip, and got two different values even though they are the exact same size down to the byte. Something somewhere flipped a bit.

Never use 7zip to hash a folder, I don't know why but it produce stranger and unreproducible results. Always calc the hash on files. I suggest you to use teracopy or fastcopy to copy and verify You can also use rapidcrc unicode (it's my favorite but you can use what you want, also a powershell/terminal command) to calc hashes of files and save a checksum file

Flavius

Never use 7zip to hash a folder, I don't know why but it produce stranger and unreproducible results. Always calc the hash on files. I suggest you to use teracopy or fastcopy to copy and verify You can also use rapidcrc unicode (it's my favorite but you can use what you want, also a powershell/terminal command) to calc hashes of files and save a checksum file

Interesting. Do you still trust the hashing function of 7zip on individual files?

FullTang

Interesting. Do you still trust the hashing function of 7zip on individual files?

Yes, never had any issue on individual files. Anyway, try using the software I've listed (they are also portable), I bet you'll never go back

wondering if its hashing any hidden system files in the folder?

Flavius

Yes, never had any issue on individual files. Anyway, try using the software I've listed (they are also portable), I bet you'll never go back

Do Taracopy and fastcopy automatically verify that the copy was successful and generate a checksum? I like removing steps from my workflow so if I only have to do one thing instead of having to come back to it and hash after copying it that is fantastic.

Hey guys, know of a solid repo or have a good resource on cybersecurity policy templates/examples(been googling but that I would ask)

Yes, you can turn on the verification and generate a checksum. Teracopy supports more hash types and has a better integration into the system IMO

Been playing with it, I like it. Thanks! (edited)

1

Hey, So I was going through one of my assignments and doing analysis for the Downloaded files, and I got Prefetch analysis, Autopsy and I am looking at the downloaded file via FTK Imager (I have the image file). The timestamps in all three (when it was created) are different!

3:02 PM

Like one time stamp is 1/21/2019 5:10 AM and other is 1/20/2019 7:19 PM and they other is like 1/21/2019 2:10 PM

3:03 PM

I am really very confused, anyone has any idea what am I or might be doing wrong?

ArcherL

Like one time stamp is 1/21/2019 5:10 AM and other is 1/20/2019 7:19 PM and they other is like 1/21/2019 2:10 PM

If the minutes and seconds are the same and just the hours are different (for the 5:10 and 14:10 timestamps) the chances are it's a timezone issue, with one tool reporting in UTC and the other your local timezone

1

All the timestamps are in UTC, actually (edited)

ArcherL

Like one time stamp is 1/21/2019 5:10 AM and other is 1/20/2019 7:19 PM and they other is like 1/21/2019 2:10 PM

But I got it cleared, I drew the whole timeline and pretty much got to a conclusion (ignored this one file with weird timestamps)

Hey all

7:28 PM

Can we have a blockchain channel?

7:32 PM

Crypto Issue: Just letting people here know, Do not click any links coming from discord or anyone on discord, OpenSea, Etherscan, Metamask & Revoke have had some issues and there is a huge amount of phishing links going around right now. Revoke all approvals from OpenSea if you think you may have interacted with a malicious website, any malicious website, in the past few months.

1

B74

Can we have a blockchain channel?

#darknet-virtual-currencies is probably the best we can do for now. If you want blockchain added to the channel name, then that can be arranged

I mean, it’s upcoming and most likely going to be discussed here at some point wether it’s security, audits, hacks or vulnerabilities etc.

B74

I mean, it’s upcoming and most likely going to be discussed here at some point wether it’s security, audits, hacks or vulnerabilities etc.

Gun to head though, that's currently the most appropriate channel for blockchain-related discussion with current channel naming convention. Either that or just a general question in #general-discussion-and-questions

‍♂️

is there any tool online/offline where we can draw the timeline for any forensic investigation?

9:35 AM

I was using white board, but it get very shabby and disoriented, so a software would be better, or everyone uses an excel sheet? (edited)

Excel is actually better

I use joplin for my running notes/timeline/abstract for IR; (cmd+shift+t, ctrl+shift+t) to drop in quick timestamps

10:04 AM

but the more formal version lives in our ticketing system

10:05 AM

spreadsheets are really good though

I am using excel but thing is the X axis is only taking dates @rayeh (edited)

10:54 AM

and not the time

10:54 AM

it looks like this, lol which is useless from an analysis stand point lol (edited)

Having trouble imaging an encrypted bit locker laptop using Paladin. Secure boot has been disabled. No error messages just a blank “_” icon. Has anyone encountered this?

Looking for some info in regards to email forensics. Some quick facts about the case. The suspect is spoofing the email domain to appear to work for a popular vacation rental company. The suspect is then setting up vacation rentals fraudulently and accepting deposits. When the victims arrive in town and go to speak with the vacation rental company, they obviously have no record of any of this.

2:59 PM

I am somewhat aware of how email domain spoofing works. One victim utilizes protonmail. My thought it to see if the victim can obtain the raw email to include header information and examine that for info. Short of being the victim being able to get the raw email from protonmail, I do not feel like there is much to go on short of chasing down the financial side of it.

2:59 PM

Any thoughts anyone?

When you're saying the suspect is spoofing the domain, are they actually spoofing it? Is it the exact same domain? Can you speak to the victims and ask for a copy of any emails they've received? You'd need to confirm it yourself before you start identifying the technical side of things.

Domain is EXACT. Not a close match.

Is it actually being sent from that account/domain? What makes you think it's spoofed and not a compromised account?

Vacation rental company has no record of this particular email ever existing.

You really need the headers to confirm where it's come from, not just the vanity/display name

Yep. This is what I figured, I just do not know if ProtonMail will allow the user to download the raw email. Ill go test this now

3:04 PM

I presume ProtonMail would likely not respond to my subpoena....

You don't need to subpoena them, the victim who uses protonmail can view it for themselves Go to the email, select 'more' then 'view headers'. Looks like this (edited)

2

3:09 PM

Im fairly sure you can get email header information from most email providers

ThatLukeGuy

I presume ProtonMail would likely not respond to my subpoena....

They're really not le friendly from experience

2

DeeFIR 🇦🇺

You don't need to subpoena them, the victim who uses protonmail can view it for themselves Go to the email, select 'more' then 'view headers'. Looks like this (edited)

https://mha.azurewebsites.net/ is helpful

Yep. Did some testing. Easily accessible from the UI. Thanks for the help guys.

ThatLukeGuy

Domain is EXACT. Not a close match.

Something to look into, if you haven't, is the DMARC configuration of the target domain to determine if it is in a "spoofable" state. This can be done through DNS without a sample message. If you can obtain a sample message, then you will be in a much better place to determine what happened. For instance, how DKIM and ARC played out, etc.

1

Arman Gungor

Something to look into, if you haven't, is the DMARC configuration of the target domain to determine if it is in a "spoofable" state. This can be done through DNS without a sample message. If you can obtain a sample message, then you will be in a much better place to determine what happened. For instance, how DKIM and ARC played out, etc.

Now if only there was an email forensics training class

2

Hey guys I have another quick question, I have been asked to list the newsgroups that the owner of the computer is registered with by analysing the same image file. So I looked at the web history within autopsy and found 2600.com, cnn.com, drudgereport.com etc. Will this be classes as newsgroups registered to the user eventhough he didnt sign up to the site? (edited)

6:54 AM

Sorry last thing from the screenshot below would it be correct in saying the time zone is central standard time? (edited)

6:54 AM

razzmountz

Click to see attachment 🖼️

if i recall right, the PC populates itself with a full list of Newsgroup topic names. once you click, or whatnot, it will populate the sub-topic with headers. then, client dependent i guess, you would download messages / attachments that you were interested in. maybe check for larger sized sub-folders?

7:03 AM

also, might be of use to find what the perp used as a client. with a view to what gets downloaded on auto

Just looking for some input on new lab workstations. We are looking at replacing our entire lab and these are the specs we've been quoted from Dell. Most case work is CP related and software used is primarily Axiom, Cellebrite, Griffeye, EnCase.

jaket2452

Just looking for some input on new lab workstations. We are looking at replacing our entire lab and these are the specs we've been quoted from Dell. Most case work is CP related and software used is primarily Axiom, Cellebrite, Griffeye, EnCase.

Precision 7820 Tower XCTO Base -2x Intel Xeon Silver 4210R 2.4GHz,(3.2GHz Turbo, 10C, 9.6GT/s, 2UPI,13.75MBCache,HT(100W) DDR4-2400) -NVIDIA Quadro P2000, 5GB -64GB 8x8GB DDR4 2933MHz RDIMM ECC Memory -M.2 2TB PCIe NVMe Class 40 Solid State Drive

finding actual content would certainly strengthen any argument: Mens rea

Thanks guys what about the screenshot am I correct in saying its central standard time sorry if it is a dumb question

jaket2452

Precision 7820 Tower XCTO Base -2x Intel Xeon Silver 4210R 2.4GHz,(3.2GHz Turbo, 10C, 9.6GT/s, 2UPI,13.75MBCache,HT(100W) DDR4-2400) -NVIDIA Quadro P2000, 5GB -64GB 8x8GB DDR4 2933MHz RDIMM ECC Memory -M.2 2TB PCIe NVMe Class 40 Solid State Drive

I have to ask why they're providing you with 2933MHz memory when the CPU can't do more than 2400MHz?

7:43 AM

Unless it's cheaper for the faster memory, that might be something worth querying if you don't plan on upgrading the CPUs in the future?

Matt

I have to ask why they're providing you with 2933MHz memory when the CPU can't do more than 2400MHz?

That's a good catch. I don't have an answer yet. Maybe it is cheaper, but I would bet it equates to higher profit on their end.

Also might be worth finding out what version of PCIe they're using for the m.2 drive, the CPUs don't support higher than 3.0, so make sure they're not trying to throw in 4.0

(edited)

Does anyone have a copy of a contract for doing DF work? I’m looking to do some work on the side for a lawyer. Thanks.

Does anyone know if there is a booklet for study, for the EC council cyber forensic associate by chance

jaket2452

Precision 7820 Tower XCTO Base -2x Intel Xeon Silver 4210R 2.4GHz,(3.2GHz Turbo, 10C, 9.6GT/s, 2UPI,13.75MBCache,HT(100W) DDR4-2400) -NVIDIA Quadro P2000, 5GB -64GB 8x8GB DDR4 2933MHz RDIMM ECC Memory -M.2 2TB PCIe NVMe Class 40 Solid State Drive

I would maybe move to RAID NVMe. That's what our beefiest rig has, other systems have RAID SSD.

we run AXIOM, EnCase, X-Ways for mostly IR, some deep dive dead disk stuff

9:21 PM

agreed with the mem speed and NVMe gen stuff tho

@A_A_Ron writing a novel?

jaket2452

Precision 7820 Tower XCTO Base -2x Intel Xeon Silver 4210R 2.4GHz,(3.2GHz Turbo, 10C, 9.6GT/s, 2UPI,13.75MBCache,HT(100W) DDR4-2400) -NVIDIA Quadro P2000, 5GB -64GB 8x8GB DDR4 2933MHz RDIMM ECC Memory -M.2 2TB PCIe NVMe Class 40 Solid State Drive

I recently got a 5820, with the Intel Xeon Processor W-2265 (12C 3.5GHz 4.8GHz Turbo HT 19.25MB 165W DDR4-2933), 64GB 4x16GB DDR4 2933MHz RDIMM ECC Memory, (2) M.2 1TB PCIe NVMe Class 40 Solid State Drive, and added two 4Tb SATA's on the intel Raid config (went to RAID 0 for 8tb). I went with the RTX A4000 16GB for the GPU, which is "the most powerful single-slot GPU for professionals, delivering real-time ray tracing, AI-accelerated compute, and high-performance graphics to your desktop." This was decided after talking with a Dell engineer. It was a few months ago, but if I recall, the price difference of upgrading the GPU was pretty negligible for the price of "future proofing" the rig. My ICAC counterparts were pricing out Dells at the same time and also did the upgrade. My only complaint with the Dell set up is that when running hashcat to crack passcode history files, it will overheat the GPU and shut down on a multiple pc file (think five hashes). Without the ability to manual control my fans from the desktop, I have to run them one or two at a time (for some reason, the main fans don't kick on when hashing). The RTX A4000, however, runs single passcodes much faster than my other machines. I have been pretty happy with the Dell, and the pricing was absolutely unbeatable (gov't contract, however) and we included the 3 year I break it they fix it protection plan. All this being said, 99% of my work is phones, so I'm usually doing "smaller" file sets.

DFE Travis

@A_A_Ron writing a novel?

It was more of a novela

Oh, I guess you were lmaoo

@Law Enforcement [UK] Those who currently use Griffeye, do you wait until the home office authorise a new release before using or do you go ahead and use it with the hope it doesn’t effect your CAID uploads?

AP95

@Law Enforcement [UK] Those who currently use Griffeye, do you wait until the home office authorise a new release before using or do you go ahead and use it with the hope it doesn’t effect your CAID uploads?

we wait

1

We use it. Hasn't affected caid uploads.

1

AP95

@Law Enforcement [UK] Those who currently use Griffeye, do you wait until the home office authorise a new release before using or do you go ahead and use it with the hope it doesn’t effect your CAID uploads?

@we wait in Sussex

1

We have internal caid export testing too beforehand for 2.0 Vics json

AP95

@Law Enforcement [UK] Those who currently use Griffeye, do you wait until the home office authorise a new release before using or do you go ahead and use it with the hope it doesn’t effect your CAID uploads?

We use new. Doesn’t effect any uploads.

1

The CAID team won't like that. If i remember correctly they have chased issues in the past that were caused by people updating to the newest version without giving them a chance to test it.

1

AP95

@Law Enforcement [UK] Those who currently use Griffeye, do you wait until the home office authorise a new release before using or do you go ahead and use it with the hope it doesn’t effect your CAID uploads?

we wait

1

In Northumbria we wait till given the go ahead

1

Same at herts

1

Can anyone help me with the dd command? I want to hide something in sector 4 of a device containing an MBR

Thanks everyone that’s brilliant

Henil

Can anyone help me with the dd command? I want to hide something in sector 4 of a device containing an MBR

You need a hexeditor for that. Not dd.

how can I go about doing that?

Henil

how can I go about doing that?

Just download a hex editor and edit the hex. 010 Editor is a good one. EditPad Pro is another capable tool. Really any text editor not named Notepad more than likely has hex editing capabilities. (edited)

Andrew Rathbun

Just download a hex editor and edit the hex. 010 Editor is a good one. EditPad Pro is another capable tool. Really any text editor not named Notepad more than likely has hex editing capabilities. (edited)

I'm using kali so is there any built-in hex editor?

Henil

I'm using kali so is there any built-in hex editor?

No clue but Google told me this: https://linuxconfig.org/how-to-install-and-use-hex-editor-on-kali-linux

How to install and use Hex editor on Kali Linux

In this guide, we show the step by step instructions to install and use hex editors on Kali Linux.

Andrew Rathbun

No clue but Google told me this: https://linuxconfig.org/how-to-install-and-use-hex-editor-on-kali-linux

okay I'll take a look at it. Thanks for sharing it. what should I do next after opening the disk in a hex editor?

Henil

okay I'll take a look at it. Thanks for sharing it. what should I do next after opening the disk in a hex editor?

Why don't you take a stab at it first and then come back and ask for help. Once you get into hex view, you'll be in a lot better position to attempt what you're trying to do

Andrew Rathbun

Why don't you take a stab at it first and then come back and ask for help. Once you get into hex view, you'll be in a lot better position to attempt what you're trying to do

I tried doing something like this

We wait too

but I get all 0's

There isn't an mbr then

I see

12:01 PM

Thanks!! I will try to find something with MBR

sudo dd if=/dev/sda count=1|hexdump -C
[sudo] password for user: 
1+0 records in
1+0 records out
512 bytes copied, 9.1899e-05 s, 5.6 MB/s
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001b0  00 00 00 00 00 00 00 00  47 f5 e1 5f 00 00 00 00  |........G.._....|
000001c0  01 00 ee fe ff ff 01 00  00 00 af 6d 70 74 00 00  |...........mpt..|
000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
00000200

This is what my protective MBR looks like (GPT)

yea I was reading an article and it also had something like this

12:12 PM

but for some reason my MBR is all 0's

12:12 PM

is it because it's a virtual disk?

Don't think so. What makes you think it has an MBR?

cause I added the disk in my kali and it was mounted and when I do 'fdisk -l' it shows the disk so I thought it might have a MBR

12:14 PM

12:15 PM

if I change sdb to sda it does show me something like ^^^

I really need to see the latter half of the sector to tell if it has an MBR (edited)

12:16 PM

ending in 55 aa like mine did is a good sign

okay hold up let me go and grab the other half

12:17 PM

mine also ends in 55 aa

does it have two partitions?

It looks to me like a MBR with a GRUB bootloader

AmNe5iA

does it have two partitions?

I think 3

the 2nd one is an extended one so the rest of the partition information is stored in an EBR

so the sda2 is an extension of sda1?

I suspect the rest of the GRUB bootloader resides in the sectors after the MBR probably including sector 4. Before hiding anything there it is probably best to check. try increasing the count= to 5 or 6

Henil

so the sda2 is an extension of sda1?

No, it is a special partition that can hold an unlimited amount of other partitions. Without using an extended partition you are limited to 4 partitions with an MBR

AmNe5iA

I suspect the rest of the GRUB bootloader resides in the sectors after the MBR probably including sector 4. Before hiding anything there it is probably best to check. try increasing the count= to 5 or 6

what does increasing the count mean when we change it from 1 to 5 or 6?

so it will output 5 or 6 sectors rather than just 1

hmm the output is quite long this time

12:30 PM

how do I see what information is located in sector 4?

dd skip=4 if=/dev/sda count=1|hexdump -C

here, skip=4 means it will go to 4th sector and grab hex from there?

if I was going to hide a 512 byte file, hidefile, into the 4th sector of a drive the command i'd use would be dd if=hidefile of=/dev/sda seek=4 but I wouldn't recommend this at this stage cuz I think you'll damage your bootloader (edited)

Henil

here, skip=4 means it will go to 4th sector and grab hex from there?

skip=4 means it will skip to the 4th block (the default blocksize is 512 bytes which is the same size as a sector)

AmNe5iA

skip=4 means it will skip to the 4th block (the default blocksize is 512 bytes which is the same size as a sector)

so is 4th block same as 4th sector?

if you use the command man dd it'll give an explanation of the commands

Henil

so is 4th block same as 4th sector?

Yes unless you've changed the blocksize by using the bs=nnn argument

if I had put bs=446 then one block will be of 446 bytes right which is not the default size

Yes but that would be a strange number to use for this type of work

it should be a multiple of 512 right ex: 1024 etc...

sectors are normally 512 and sometimes 4096 bytes long

that's the standard?

yes

after hiding the data does it look something like this

12:50 PM

Yikes!!! I'm not sure you'll boot that VM again. Looks like you have overwritten the bootloader!

ohh dang

12:54 PM

any way to restore the changes?

12:54 PM

thank god I had a snapshot

I forgot you could do that with VMs. So the 1st partitions doesn't start until sector 2048 and I doubt the bootloader extends past the first couple of hundred sectors. I'd look to hide it somewhere after the bootloader but before sector 2048. Look for a massive gap of zeros before sector 2048 and put it in there somewhere

AmNe5iA

I forgot you could do that with VMs. So the 1st partitions doesn't start until sector 2048 and I doubt the bootloader extends past the first couple of hundred sectors. I'd look to hide it somewhere after the bootloader but before sector 2048. Look for a massive gap of zeros before sector 2048 and put it in there somewhere

so I would change skip from 4 to 2048 and if there's a bunch of 0's there then I can hide it there

no, I'd change the count to 2048 and look for somewhere where this happens

000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*

note the offset, convert to decimal, then devide by 512 to get the sector count. (edited)

1:41 PM

Write to one of the sectors after this happens, as it indicates that it is all zeros after this point. (edited)

1:42 PM

i.e. the sectors don't hold any 'information'

1:45 PM

dd if=/dev/sda count=2048|hexdump -C

1:46 PM

whatever blank sector, X, you choose then use the command dd if=hidefile.txt of=/dev/sda seek=X

AmNe5iA

no, I'd change the count to 2048 and look for somewhere where this happens

000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*

note the offset, convert to decimal, then devide by 512 to get the sector count. (edited)

I don't understand the part where we convert to decimal and then divide by 512

1:54 PM

dd if=/dev/sda count=4608|hexdump -C tried doing something like this

1:54 PM

got a bunch of values

1:55 PM

4608? where did that come from?

2:04 PM

200ish <X <2048

Henil

I don't understand the part where we convert to decimal and then divide by 512

The offset given by hexdump is in hexidecimal so we need to convert to decimal and the divide by 512 to get the sector count.

AmNe5iA

4608? where did that come from?

I was trying to look for empty space. I think you're telling me to find empty space before 2048 right?

yes

I think it's fully packed can't find all 0's within 2048

I doubt the bootloader is really taking that many sectors so I'd probably try writing to sector 2047 and then see if it can actually reboot

I'll give it a shot cause none of the values gave me all 0's

can i access a dd file from a mac terminal?

Yea I think you can

pretty sure that it is simliar to linux. If the dd image is from a block device (not a partition) then you have to specify the offset of the partition you want to mount. ie: mount -o loop offset=1024 -t auto /path/to/image.dd /mount/point

Original message was deleted or could not be loaded.

first, go to #data-recovery

any suggestions for tool to parse thunderbird email messages? looking for an easy means to show dialogue between two parties only. personal job, one off, so not looking to spend as if it was going to be a daily workhorse (edited)

@Digitalferret try @Autopsy does a pretty good job at POP3 mail

1

its probably more about making some order out of the messages. i have direct access tio thunderbird but laying it out in some semblance of order like he said she said (imagine the scrolling chat pane on a phone message app) (edited)

3:20 PM

looks to be a complete PIA, but here's my "chance to excel" i guess, lol.

what about exporting the file, loading it in a VM with the thunderbird application and then screenshotting/exporting from the app itself?

whee30

what about exporting the file, loading it in a VM with the thunderbird application and then screenshotting/exporting from the app itself?

yep, i think its going to be an export and reformat job

thats what i had to do forever ago with google hangouts... none of the tools parsed it effectively so I had to use an email program and then export from within the email program to csv

i could save to a folder and export that out and open as an instance of a portable Tbrid

1

3:24 PM

maybe

3:24 PM

yeh, things starting to formulate... thanks for the sounding board guys (edited)

yeah - you still have your original evidence file and you're using the program that natively supports the data you're trying to display... seems reasonable to me

Hi everyone, wy would someone prefer propietary software for forensic analisys vs ope source tools??

mdogilvie

Hi everyone, wy would someone prefer propietary software for forensic analisys vs ope source tools??

forensicz wise the main criteria as i see it is tried and tested / recognised software than that which is not (which doesn't necessarily imply FOSS is either good or bad). Some might argue that proprietary is usually a much more streamlined, smooth operation. YMMV (edited)

mdogilvie

Hi everyone, wy would someone prefer propietary software for forensic analisys vs ope source tools??

Sometimes the big name tools just do the job "better" or more efficiently overall. A forensic suite you pay for will parse lots of different things in a consistent manner. A lot of open source tools are purpose built and great at what they do but the interfaces, uses and outputs of those tools might all be different.

1

3:44 PM

Some paid tools have abilities that open source tools don't, simply due to their high R&D budget, which is also why you'd be paying for it

Some orgs are backwards and need to use approved tools, and don't trust foss

5:12 PM

Because if they pay for it it has to be better

@Digitalferret did you try this addon in thunderbird : https://addons.thunderbird.net/en-us/thunderbird/addon/importexporttools/

ImportExportTools

Adds some tools to import and export folders and messages

1

Have people successfully evaded/bypassed detection within NDR solutions?

malrker

Have people successfully evaded/bypassed detection within NDR solutions?

Almost certainly if it can be used to transmit data it can be utilised by threat actors. But that might depend on your rules. For ex someone may know you use slack for corporate so they use slack as a c2

1:37 AM

https://twitter.com/bettersafetynet/status/1496704235697840128?t=MDXXE5oNjZJbZCvQv0UyLw&s=19 Lots of advice here

Mick Douglas (@bettersafetynet)

I've never had a tweet thread go super critical like this. I'm going to TRY to respond to as many DMs as I can. Please do not take it personally if it takes a while to respond. For each one I respond to, I'm getting 6-10 new ones. I can see the waves of shares by my DM backlog

@Magnet Forensics Hello. I think a have an issue related to 5.10, how can I download the full install for going back to 5.9 please ?

randomaccess

Almost certainly if it can be used to transmit data it can be utilised by threat actors. But that might depend on your rules. For ex someone may know you use slack for corporate so they use slack as a c2

Yeah thats living off the land binaries/programs, but it still picks it up based on correlation/timing/size of data transmitted etc.

2:20 AM

What I mean is someone able to remain undected throughout the whole time being on the network.

2:20 AM

With an NDR solution

2:21 AM

So through c2's, remote code execution,moving laterally, exfil etc (edited)

AnTaL

@Magnet Forensics Hello. I think a have an issue related to 5.10, how can I download the full install for going back to 5.9 please ?

DM'ing you now

Hi, we currently have a case where a guy prepare ''secured'' cellphone for a group of criminal people. The ''tech'' guy is willing to help the police and we have an opportunity to play in the cellphone before they are shipped to the criminal people for bad use. We are looking for a way to install an APK on these android phone before delivery for a Local Collection of chats database (signal, whatsapp, sms, etc.). We do not want any remote access to the device, we will gain physical access a couple month later and we are looking to collect the ''new'' DB with all the chats, wether they are deleted or not from original service provider (ex signal). All this process wont be disclosed for the court, as it is ''secret technique''. Im looking for people to DM me if you have an idea of a company/tool that could help. We have the money to invest in that kind of tool, so its not a problem. I saw many ''child'' surveillance app, but we are not looking for any remote access - and we do not want the bad guy to discover the app called ''Spy-your-kid'' lol, so... Anyway, if you have any info for me, Quick DM please.

What channel can i ask about ftk imager

@Gene probable #computer-forensics I would guess

DCSO

@Gene probable #computer-forensics I would guess

that would make sense =), thanks

SPVQct3207

@Digitalferret did you try this addon in thunderbird : https://addons.thunderbird.net/en-us/thunderbird/addon/importexporttools/

will give it a go dude, many thanks

does anyone know what channel would be good to ask about Spotify Car Thing forensics?

Gbear

does anyone know what channel would be good to ask about Spotify Car Thing forensics?

#iot-forensics or #vehicle-forensics imo

have some free time soon so I can download SIFT Workstation and finally get "hands on"

If viewing Google JSON in Cellebrite PA amd have a Q re timestamps the decoding forum is my best bet yeah? I joined about a year ago and have put up maybe 10 Q over that time that have all gone unanswered. Are there other Cellebrite user channels that people use?

Hey, so my laptop has; ESET Endpoint encryption, Forced Yubi Key (for startup and decryption) Then password and keyboard to login. For some bizarre reason USB driver is not working and I’m having trouble getting into my computer

‍

My drive is soldered onto the motherboard too

11:44 AM

Any ideas how to update USB driver or fix the driver so I can unlock.

B74

My drive is soldered onto the motherboard too

the usb device not being recognised might not be a driver issue?

I can plug my phone in and it gets power, my mouse and keyboard light up, but no input from multiple keyboards etc

All I need to do is press the button on my yubi key to unlock… but it doesn’t recognise it and I’m stuck

‍♀️

B74

All I need to do is press the button on my yubi key to unlock… but it doesn’t recognise it and I’m stuck

‍♀️

tried a manufacturers/hard reboot? like battery out, power key held down for a few seconds? maybe check the makers website for that specific instruction. something sounds corrupt or hanging for sure

Battery is inside laptop, warranty void if I open it (edited)

B74

Battery is inside laptop, warranty void if I open it (edited)

checked makers website for instructions? sounds like a netbook?

Hello everyone! I have to build a new forensic workstation for our lab. The budget is somewhere around 11k eur. We mostly run Cellebrite, Axiom, Oxygen, FTK, Belkasoft X. What do you recommend? Dual Xeon 5120 CPUs with 64GB RAM ECC and lower graphics, or single i9 129000K with 128GB RAM DDR5 and Nvidia RTX 3090? Is Xeon better than i9 for general forensics? Or do you have other suggestions? Thank you!

Cip

Hello everyone! I have to build a new forensic workstation for our lab. The budget is somewhere around 11k eur. We mostly run Cellebrite, Axiom, Oxygen, FTK, Belkasoft X. What do you recommend? Dual Xeon 5120 CPUs with 64GB RAM ECC and lower graphics, or single i9 129000K with 128GB RAM DDR5 and Nvidia RTX 3090? Is Xeon better than i9 for general forensics? Or do you have other suggestions? Thank you!

The latter option is the better one. You'd definitely feel the benefit. (edited)

I also feel that higher clock speed but with less cores are in fact better for general usage of these apps. However, I've seen that many forensic workstations are using Xeon CPUs and I'm wondering why.

I think at one point, dual xeon's were the way, but at least our unit has moved away and seen that reality is, they didn't figure well vs i9s

5:37 AM

It's about what your tool actually uses

5:37 AM

I think most its about 32 processes?

5:38 AM

Plus at least with Axiom, you need a good RAM/CPU combo

5:39 AM

Plus, more tools these days are using GPU for processing

I read that Axiom only uses GPU for some AI processing of the images. Most of the processing is still done by the CPU.

5:41 AM

Thanks for the tips @Rob

1

Cip

I read that Axiom only uses GPU for some AI processing of the images. Most of the processing is still done by the CPU.

OCR uses GPU afaik, plus if you use Griffeye, that uses GPU for processing. XRY uses nVidia CUDA to speed up image recognition. Plus, with a decent GPU you can have more fun cracking hashes etc

(edited)

I did not know that about OCR. We've used Griffeye on a case with 1,5 million images. It took its time on my current workstation (core i7 8700, 32 GB RAM, GTX 1660

). We don't do password cracking, but maybe there a dual Xeon could do better than a more potent GPU.... I don't know. Anyway... it seems that i9 is the way to go for my type of forensics. Thanks again

Don't forget fast storage. NVMe makes a huge difference

1

Ofcourse. I'll try to go with 3 NVMes: 2TB for OS and apps (maybe multiple OS, hashes etc), 4 TB for cache, some databases and cases data (the fastest), 8 TB for storage of images and maybe cases data. Hope the budget will suffice for this setup

1

Has anyone has to renew their CCPA or CCO with Cellebrite? It says there is no need for EXAMs for certifications? Is this normal?

@Digitalferret It's a Asus ROG Zephrus Duo, $4000 laptop.

9:39 AM

Warranty won't look at it as it needs to be unlocked first. And i can't trust my data to asus.

9:40 AM

There is a screw under a label that says warrenty void if broken

9:42 AM

B74

@Digitalferret It's a Asus ROG Zephrus Duo, $4000 laptop.

loool, my bad, sorry

9:45 AM

i have a netbook with similar sounding setup. hood pretty much welded shut

The 550 has a M.2 but the 551QS has the chip on the board with the 3080

9:45 AM

This one will open, But it's only a few months old.

9:46 AM

I've told asus about it, They said they can't test with encryption enabled.

9:46 AM

But i can't disable it without USB

figuratively i meant. had to wipe and start again w/ MX linux over a crippled Win 10

I can't even do that

B74

But i can't disable it without USB

yeh understood

I have to unlock the drive

just wondering if there's a means of getting into whatever subs for BIOS these days.

Keyboard, Touchpad + USB Keyboard & Mouse don't work

9:48 AM

ESET Full Disk Encryption is FIPS 140-2 validated with 256 bit AES encryption.

if it's locked, i can only think of escaping someway after powerup such as the Shift Restart trick

I have the Yubi Key to unlock, No way to unlock without USB

but if its not getting to any options at all... not much idea

9:48 AM

what screen do you get to after power on? (edited)

ESET Endpoint Encryption 1. Start System 2. Reset Password 3. Shutdown

B74

Warranty won't look at it as it needs to be unlocked first. And i can't trust my data to asus.

and 100% on that. neighbour was at similar with Toshiba. he would have lost data as they wanted to just re fit a new drive

B74

ESET Endpoint Encryption 1. Start System 2. Reset Password 3. Shutdown

ok. and there's no way to bail out prior? like to reset bios / check USB? (edited)

9:52 AM

wasn't sure regarding keyboard. you have some I/O at least with the built in one?

9:53 AM

thinking the others were just plugging in via usb socket

https://www.eset.com/uk/business/solutions/identity-data-protection/#encryption

Company identity & data protection | ESET

Seamless, fully validated encryption and two-factor authentication solutions to ensure data protection and regulatory compliance.

9:55 AM

Don't think it allows me to get into the bios without first putting in the code

hmm

9:59 AM

I also have the recovery key too but i need to put that on a USB key and plug it in lol

yeh i was gonna ask about rec key. but

9:59 AM

so, switch on, ESET first, then Yubikey unlock or vice versa, and do you have any input means at all. ie the inbuilt keyboard works ok

10:00 AM

even without giving it back to Asus, they should have some means to let users know how and if they can get into bios

10:07 AM

got to leave it for now dude, hopefully someone in here has more specific knowledge than my general. i can see the need to be careful if that data is the only copy you have

Press the power button, First thing pops up before bios or ROG logo or windows is the ESET and when i hit start system it asks for the key

10:09 AM

If i hit reset it would ask for the key or the backup recovery key

10:10 AM

If I had known the NVMe was soldered on the board I'd probably of not gotten the laptop.

There was a new article That was posted a few days ago about usb forensics and the serial number not meaning what we thought it meant. Anyone see this and can provide the link? I can’t find it anymore!

10:24 AM

https://www.computerpi.com/the-truth-about-usb-device-serial-numbers-and-the-lies-your-tools-tell/

jskramer

The Truth About USB Device Serial Numbers – (and the lies your tool...

You cannot trust what you think a USB device serial number is!

10:24 AM

Found it.

B74

If I had known the NVMe was soldered on the board I'd probably of not gotten the laptop.

yep, its getting harder to escape an ecosystem these days

10:27 AM

any chance with asking ESET how to bail prior? they must have an alt plan, surely (edited)

There is absolutely nothing that can be done to unlock it without USB functionality.

11:35 AM

And/or keyboard.

11:36 AM

Their first reply from ESET was remove the drive, And run the recovery unlocker on another device.. Thing is... It can't be done as it's soldered on the board. (edited)

11:37 AM

The only thing i can think of currently is hardware modification, Trying to bridge the NVME over to a USB-C by some how connecting each point on the board to a external NVMe caddy

11:38 AM

On the board, There are contacts next to the NVMe, Those contacts should be able to be touched. Asus probably has some hardware to troubleshoot the drive

11:39 AM

They could have some sort of connector to make it readable if the mb died

B74

Their first reply from ESET was remove the drive, And run the recovery unlocker on another device.. Thing is... It can't be done as it's soldered on the board. (edited)

roger that. one viable, depends on finance tho, is send to a reputable data recovery shop. I'm sure this won't be the first instance they've seen and might at least be able to offer advice on connection/removal or offer the service.

Asus suggest powering off the laptop, then pressing and holding the power button for 40 seconds to do a hard reset - some models with PSU connected, others with it disconnected so worth trying both. For entering BIOS, it's quite common for them to boot too fast to press a key. Asus say "While the computer isn't powered on yet, press and hold the [F2] button of the keyboard, and then press the [Power button] (Do not release F2 button until the BIOS configuration display.)" Have you also tried a powered USB hub?

Ross Donnelly

Asus suggest powering off the laptop, then pressing and holding the power button for 40 seconds to do a hard reset - some models with PSU connected, others with it disconnected so worth trying both. For entering BIOS, it's quite common for them to boot too fast to press a key. Asus say "While the computer isn't powered on yet, press and hold the [F2] button of the keyboard, and then press the [Power button] (Do not release F2 button until the BIOS configuration display.)" Have you also tried a powered USB hub?

that's what i was talking about. hard reset. I've used it to clear a stuck Toshiba Laptop before now. worth a go

12:12 PM

but also that the battery needed removing, if i remember right

12:13 PM

nothing to lose tho

Now you've mentioned it

12:23 PM

The power button is on the keyboard.

12:23 PM

12:24 PM

I tried F2

12:24 PM

F10 F12 etc all the standard options.

12:24 PM

Even del

12:24 PM

I tried everything, All three USB's + USB-C

other hard reset option is to just leave it on and run down? leave as much plugged in as possible in any and all USB sockets (edited)

Where might I look to determine when an android was first setup? Trying to determine what is preexisting cloud data that might be prior to phone setup.

Cole

Where might I look to determine when an android was first setup? Trying to determine what is preexisting cloud data that might be prior to phone setup.

#mobile-forensic-decoding

1

Is there any software that will monitor a folder for new files, hash them and log the results?

3:39 PM

I was thinking about trying to write something in Python but it’s a little more complicated than I hoped so hopefully there is already something like that.

Can someone explain exactly what this is?

ryuk0126

Can someone explain exactly what this is?

Looks like it's http://sleuthkit.org/autopsy/docs/user-docs/4.19.3/install_multiuser_page.html (edited)

Joe Schmoe

I was thinking about trying to write something in Python but it’s a little more complicated than I hoped so hopefully there is already something like that.

You could use Velociraptor for it but might be overkill

ryuk0126

Can someone explain exactly what this is?

Like Matt said, looks like autopsy running in kubernetes and set up to be distributed for performance. Uses products like Apache solr, kafka, spark, postgre and Amazon elastic file storage

randomaccess

You could use Velociraptor for it but might be overkill

Thank you. I’ll take a look. I haven’t used it yet.

https://www.automationworkshop.org/file-folder-watcher/

Freeware file monitor

Freeware file monitor can detect changes in files or folders and react by running the associated Task to perform a wide range of automated operations.

12:50 AM

you can execute a cmd command

12:50 AM

if it's triggered

12:51 AM

eg: new E01 file, process it with your favourite app

Murst

Like Matt said, looks like autopsy running in kubernetes and set up to be distributed for performance. Uses products like Apache solr, kafka, spark, postgre and Amazon elastic file storage

I could find that actual image on their site

Hello, i wanted to ask the viability of moving all our physical analysis server on VM instead of having physical servers for each indexing, analysis etc. would it be worth it ? will the virt overhead be an issue ?

2:49 AM

2 nodes connected to a san

vms are cool

3:24 AM

the bottleneck would be network

@Cellebrite anyone from CLB available for a quick question?

1

Deleted User

Hello, i wanted to ask the viability of moving all our physical analysis server on VM instead of having physical servers for each indexing, analysis etc. would it be worth it ? will the virt overhead be an issue ?

You have to take a look in the storage performance to

mdogilvie

You have to take a look in the storage performance to

Yes I’m looking at hybrid sans with an ssd cache

Does anyone have any experience with getting accounts shut down? Our specific case involves Cashapp and Squarespace. I'm unsure of what they are going to require from us.

Anyone know how to open a .ldb file? Looks to be a Microsoft access record locking file. I can view contents using notepad++ but not very pretty. Looking for more native way.

sounds like leveldb

https://www.cclsolutionsgroup.com/post/hang-on-thats-not-sqlite-chrome-electron-and-leveldb

Hang on! That’s not SQLite! Chrome, Electron and LevelDB

CCL's Principal Analyst Alex Caithness asks the question: After SQLite, what comes next? A must-read primer on LevelDB - tomorrow's ubiquitous format?

2

Ross Donnelly

https://medium.com/@Appalachian4n6/airtags-within-ios-file-systems-279dc783b69f

We just had an air tag come in that was found on a persons vehicle. Do you have information on how to processed with getting information from the tracker.

digital Bowles

We just had an air tag come in that was found on a persons vehicle. Do you have information on how to processed with getting information from the tracker.

Search warrant to Apple to get associated devices, icloud accounts, and other stored data is probably your best bet.

1

12:02 PM

I haven't heard of anyone getting data off the airtag itself yet.

Fierry

sounds like leveldb

https://www.cclsolutionsgroup.com/post/hang-on-thats-not-sqlite-chrome-electron-and-leveldb

Yup that’s what it is!!

Do you know which type of LevelDB database it is? The name of the folder normally indicates if it’s IndexedDB or Local Storage

Matt

Do you know which type of LevelDB database it is? The name of the folder normally indicates if it’s IndexedDB or Local Storage

was going to ping you but here you are

beat me to it

1

Matt

Do you know which type of LevelDB database it is? The name of the folder normally indicates if it’s IndexedDB or Local Storage

Indexed I believe

Ah yeah that’s the most common type, you’ll want to use CCL’s Python toolkit (I’ve written a tool that works well with Local Storage DBs, but Indexed DBs are a different beast)

Matt

Ah yeah that’s the most common type, you’ll want to use CCL’s Python toolkit (I’ve written a tool that works well with Local Storage DBs, but Indexed DBs are a different beast)

I tried using this https://github.com/lxndrblz/forensicsim but it looks like it’s only targeting the log file and not the .ldb

GitHub - lxndrblz/forensicsim: A forensic open-source parser module...

A forensic open-source parser module for Autopsy that allows extracting the messages, comments, posts, contacts, calendar entries and reactions from a Microsoft Teams IndexedDB LevelDB database. - ...

1:30 PM

I’ll look into CCL more tomorrow thank you!

You might need to do some programming for that one

1:31 PM

If you ever come across a Local Storage DB, let me know and I’ll ping you over my tool

With physical analyzer - is there a way to ingest tags or a project session from a reader report back into the original extraction? For example, I generate a reader report for my detective, they tag stuff according to their case knowledge and then I ingest those tags into the full extraction to reap the benefit of his case knowledge and the database/backend of a full dump for a final report?

8:24 PM

like axiom's portable case system, but in physical analyzer

8:25 PM

I have tried loading the project session from the reader but that doesnt work

8:30 PM

I have figured out a way, it's just a bit cumbersome. I can add the reader report to the open main extraction and once it's loaded in I can open the saved project session from the reader report. It works, it's just more steps than I think it should take and results in "extra" extractions appearing since the reader report is now included as well.

There's discussion at work to take our current local workstations offline, and moving to a virtualised environment.

3:25 AM

Does anyone have any experience of this happening and what are your thoughts?

3:25 AM

I personally prefer the local workstations and don't really see the benefits from a virtualised environment

2

MrMacca (Allan Mc)

There's discussion at work to take our current local workstations offline, and moving to a virtualised environment.

bean counters involved by any chance?

1

@MrMacca (Allan Mc) using a virtualized environment is a tradeoff. If you're working remotely, virtualized may be the way to go, but there are performance considerations. If you do heavy processing, such as EnCase, Axiom or FTK, your virtualized system may not be up to the task. It's understood that the processing takes place on the virtualized system and the processing is not taking place on your local machine, but how much memory will your VM have? 16, 32, 64? How many other VMs are running on the server in the office? More my money, I would prefer a physical machine for forensic work.

1

Dear all, any one involved in Formobile EU project in here?

MrMacca (Allan Mc)

There's discussion at work to take our current local workstations offline, and moving to a virtualised environment.

i choose vms over physical machines

6:25 AM

they can be wiped, re-created

6:26 AM

but for the hypervisor part, i think it's better to use xenserver or vsphere

6:27 AM

you can keep all your cases and images in a network location and use the vms for processing only

6:27 AM

i prefer reverting to snapshots before i process a new case

6:27 AM

to avert cross-case contamination

6:28 AM

and re-allocating resources back to the vm

6:29 AM

the performance part is related to the network speed, cpu and ram dedicated to vms are easily managed

6:29 AM

imho, more ram, more cpu doesn't always end up faster examinations

6:30 AM

you can do your tests with your favourite forensic solution to see what works best

Dr. Kaan Gündüz

the performance part is related to the network speed, cpu and ram dedicated to vms are easily managed

You do physical usb controller passhrough for extractions?

MrMacca (Allan Mc)

There's discussion at work to take our current local workstations offline, and moving to a virtualised environment.

The upgrade cycle for a VM is likely to be longer than you might have for a number of physical machines. We used to buy top spec analyst machines and then roll those down to imaging machines or similar after a few years. You might not be able to upgrade part of your VM server, so can end up with lots of slower cores after a few years. As others have said RAM/CPU isn't so much of a concern as I would guess you'll be looking at a VM server that can accommodate at least 1TB RAM. Consider Disk speed as well and look at a sizeable chunk of NVMe storage for active case work, backed by spinning disks for general storage. This was the single biggest win for us, we moved from SSD to NVMe and the performance gains were like moving from HDD to SSD. You'll also need to consider anything that might need a graphics card for password cracking and whether that will be included or even compatible with the VM server and the virtualisation software.

Arcain

You do physical usb controller passhrough for extractions?

i create forensic images on the network storage, so it's a hybrid workplace

6:58 AM

evidence -> imaging -> nas <- processing vms -> nas case folder (edited)

Dr. Kaan Gündüz

i create forensic images on the network storage, so it's a hybrid workplace

I mean for extractions, but if i now understand, VMs are used for decoding and processing

indeed

7:23 AM

if you own high end servers, vms are the best option, but one can always use smaller computers dedicated to one job like Intel NUCs

7:23 AM

having an automation solution with lots of vms helped during the pandemic

7:24 AM

i could send the staff home

Jobbins

I tried using this https://github.com/lxndrblz/forensicsim but it looks like it’s only targeting the log file and not the .ldb

@Magnet Forensics any knowledge if decoding these DBs on the roadmap for Axiom?

Anyone have a search warrant template for CashApp?

Melrose142

@MrMacca (Allan Mc) using a virtualized environment is a tradeoff. If you're working remotely, virtualized may be the way to go, but there are performance considerations. If you do heavy processing, such as EnCase, Axiom or FTK, your virtualized system may not be up to the task. It's understood that the processing takes place on the virtualized system and the processing is not taking place on your local machine, but how much memory will your VM have? 16, 32, 64? How many other VMs are running on the server in the office? More my money, I would prefer a physical machine for forensic work.

I setup my own VPN to remote back to on the road to my analysis machines, never really had a performance issue, you can have a static machine for some work but VMs are definitely the way to go. Snapshots, upgrading , cloning and moving, sharing machines are much easier.

1

WesDx_Stu

The upgrade cycle for a VM is likely to be longer than you might have for a number of physical machines. We used to buy top spec analyst machines and then roll those down to imaging machines or similar after a few years. You might not be able to upgrade part of your VM server, so can end up with lots of slower cores after a few years. As others have said RAM/CPU isn't so much of a concern as I would guess you'll be looking at a VM server that can accommodate at least 1TB RAM. Consider Disk speed as well and look at a sizeable chunk of NVMe storage for active case work, backed by spinning disks for general storage. This was the single biggest win for us, we moved from SSD to NVMe and the performance gains were like moving from HDD to SSD. You'll also need to consider anything that might need a graphics card for password cracking and whether that will be included or even compatible with the VM server and the virtualisation software.

thank you for this

2:50 AM

i am looking into moving into a virtualised infrastructure

Any UK folk using UFED PA 9.53 beware if you're using filters to narrow down your reports, the latest update breaks this feature and it flips it to US date format so may not bring back the data you expect it to

2

I know this is probably one that gets brought up every once in a while, but does anyone have any sample reports they are able to share? I am looking at revamping how we write reports in our LE lab and would like to see what others are doing to streamline and/or be more efficient with them, while providing enough detail that it doesn't make it seem like you're being lazy. I've talked to some people who do very little (obtained device, imaged device, provided portable case to agent) to others who have multiple pages typed every device they do. I assume there has to be some in between, like check boxes for actions you took, tools you used, and notes of the extraction. Thanks for any help anyone can provide, and if you can, you can email them to me at awillmarth@cheyennepd.org.

A_A_Ron

I know this is probably one that gets brought up every once in a while, but does anyone have any sample reports they are able to share? I am looking at revamping how we write reports in our LE lab and would like to see what others are doing to streamline and/or be more efficient with them, while providing enough detail that it doesn't make it seem like you're being lazy. I've talked to some people who do very little (obtained device, imaged device, provided portable case to agent) to others who have multiple pages typed every device they do. I assume there has to be some in between, like check boxes for actions you took, tools you used, and notes of the extraction. Thanks for any help anyone can provide, and if you can, you can email them to me at awillmarth@cheyennepd.org.

If this is something we need to centralize on https://github.com/Digital-Forensics-Discord-Server/LawEnforcementResources as a #dfir-open-source-projects then let's do it. If anyone has any they can share, let me know and I can ensure they're here

GitHub - Digital-Forensics-Discord-Server/LawEnforcementResources: ...

Resources provided by the community that can serve to be useful for Law Enforcement worldwide - GitHub - Digital-Forensics-Discord-Server/LawEnforcementResources: Resources provided by the communit...

Andrew Rathbun

If this is something we need to centralize on https://github.com/Digital-Forensics-Discord-Server/LawEnforcementResources as a #dfir-open-source-projects then let's do it. If anyone has any they can share, let me know and I can ensure they're here

This would be a great place to share search warrant go-by's, contacts for other agencies and/or service providers, and other items which many of us are looking for, as well. I think this would be a great addition!

A_A_Ron

This would be a great place to share search warrant go-by's, contacts for other agencies and/or service providers, and other items which many of us are looking for, as well. I think this would be a great addition!

Yes, I know it would be, but I'm no longer a cop so I have to rely on others to generate this content, which is the hard part

help me help you all!

1

11:17 AM

I can only do so much from the outside so now I need help from those still on the inside, if they're able to. I don't expect a lot because of the sensitive nature of everything, and totally understand that. Everything I felt comfortable sharing is here: https://aboutdfir.com/resources/preservation-letter-search-warrant-templates/

Greetings! I just posted this on Twitter & would love to hear from more people about it for a potential podcast or story: https://twitter.com/christammiller/status/1499827212152942607

Christa M. Miller (@christammiller)

I keep thinking about #DFIRforGood becoming a thing while people marched in the streets for George Floyd. I'd really like to see a continuation of that conversation. Obv a lot of sensitivity around the work esp now; anyone in #DFIR willing to talk abt what you can?

Derrick

Hi everyone, I was going through one of my assignments and I did a pre-fetch analysis. I noticed a exe file with name: MPAM-C74E2EB3.EXE (First I though it was something like WINDOWS-KB890830-X64-V5.58.EX which is documented online as a The Microsoft Windows Malicious Software Removal Tool (890830))

2:46 PM

can the "C74E2EB3" be something random?

2:46 PM

or should I assume this as a potential virus? It is 92820 in size (edited)

Do you have access to the exe? VirusTotal is always - provided you can distribute the file - a good go-to

3:08 PM

If not, then you can get the SHA-1 hash and check VT with the hash

@ArcherL Which tool(s) were you using for your analysis?

eric zimmerman pecmd @Tcisaki (edited)

Matt

Do you have access to the exe? VirusTotal is always - provided you can distribute the file - a good go-to

Oh yeah, totally forgot about running an amcahe analysis!! Thanks

2

i have a a wav file

5:47 PM

am playing ctf

5:47 PM

don't know what to do with it

5:47 PM

it's forensic challenge

5:47 PM

in the description the wrote smtgs like Goertzel

5:48 PM

any idea what could i do ?

5:48 PM

the wav file

Probably run strings over it

did it nothing found

Player V

it's forensic challenge

#challenges-and-ctfs

Hi all, I'm trying to set up a reverse engineering malware lab. I was following the guide on malwareunicorn.org but they want me to use VirtualBox VMs and I'm committed to ESXi VMs for now. Can anyone point me to a guide on how to set up a secure detonation VM and a good investigation VM for it? Mainly want to focus on hardening configs and recommended tools.

Lachrymosa

Hi all, I'm trying to set up a reverse engineering malware lab. I was following the guide on malwareunicorn.org but they want me to use VirtualBox VMs and I'm committed to ESXi VMs for now. Can anyone point me to a guide on how to set up a secure detonation VM and a good investigation VM for it? Mainly want to focus on hardening configs and recommended tools.

@RandyRanderson this might be a good one for you?

Lachrymosa

Hi all, I'm trying to set up a reverse engineering malware lab. I was following the guide on malwareunicorn.org but they want me to use VirtualBox VMs and I'm committed to ESXi VMs for now. Can anyone point me to a guide on how to set up a secure detonation VM and a good investigation VM for it? Mainly want to focus on hardening configs and recommended tools.

have you tried something preconfigured like https://github.com/mandiant/flare-vm ?

No, I haven't, I'll take a look though

Lachrymosa

No, I haven't, I'll take a look though

https://www.libhunt.com/r/flare-vm

Flare-vm Alternatives and Reviews (Nov 2021)

Which is the best alternative to flare-vm? Based on common mentions it is: ✅Commando-vm, ✅Radare2, ✅Drakvuf-sandbox, ✅Flare-fakenet-ng or ✅Binance-APK-Analysis

Thanks, I appreciate it!

Lachrymosa

Hi all, I'm trying to set up a reverse engineering malware lab. I was following the guide on malwareunicorn.org but they want me to use VirtualBox VMs and I'm committed to ESXi VMs for now. Can anyone point me to a guide on how to set up a secure detonation VM and a good investigation VM for it? Mainly want to focus on hardening configs and recommended tools.

Remnux is free and has all your fun stuff on it. It’s used in SANS FOR610. Far as a detonation you have locally - https://cuckoosandbox.org/ Hybrid analysis and any.run are web-based and can be useful if you don’t mind it being public to the webs

I've used any.run and joe sandbox before. The interest I have here is to prepare for FOR610 and also learn reverse engineering as a hobby/life-skill. I've enjoyed doing the hunting and remediation that GCFA teaches and I just want to learn more about the actual malware that causes the problems.

Player V

Click to see attachment 🖼️

Not going to do your CTF for you because that defeats the point, but they are DTMF tones. Find a decoder...you might extract a type of number....

1

A_A_Ron

I know this is probably one that gets brought up every once in a while, but does anyone have any sample reports they are able to share? I am looking at revamping how we write reports in our LE lab and would like to see what others are doing to streamline and/or be more efficient with them, while providing enough detail that it doesn't make it seem like you're being lazy. I've talked to some people who do very little (obtained device, imaged device, provided portable case to agent) to others who have multiple pages typed every device they do. I assume there has to be some in between, like check boxes for actions you took, tools you used, and notes of the extraction. Thanks for any help anyone can provide, and if you can, you can email them to me at awillmarth@cheyennepd.org.

Sent you an email.

Anyone ever had any success on a forensic exam in which the OS used was QubesOS?

7:59 AM

I’ve gotten absolutely no where with it lol

Player V

any idea what could i do ?

Google play store has a tone analyzer as a hint, that’s all you’ll get from me xD

hey guys

2:10 PM

so basically i want to get into cybersecurity

Do you know where you want to start?

I guess

2:12 PM

like i have some basic idea on where to start

2:12 PM

im planning to get my CCNA first

Networking is a great place to start

I've heard some people say that CCNA is actually kind of saturated and it won't even get you a basic IT job anywhere (edited)

I’d probably go more for the network+

2:13 PM

You could also try some ctf sand a few great books out there to get you going

How long does it usually take to become ccna certified?

Not long

ryd3v

I’d probably go more for the network+

so you prefer network+ over ccna?

CCNA is really a prerequisite but any networking experience definitely helps

2:15 PM

Yep

2:15 PM

CCNA is Cisco only

2:15 PM

Network + is everything you need really

I see

After network plus you could try security + maybe then OSCP

2:16 PM

If that’s the direction you decide to take

So network+, security+ and then OSCP

But before jumping into CCNA I’d maybe try some hack the box or something similar to see what your really interested in

these are all prerequisites?

No none are really prerequisite

2:17 PM

Just a organized path it’s really up to you

ryd3v

But before jumping into CCNA I’d maybe try some hack the box or something similar to see what your really interested in

I tried hack the box. Didn' really understand whats going on

Yeah so there you go

2:17 PM

Start with the basics maybe like over the wire bandit

2:18 PM

Cyber security is a huge field with many topics

2:18 PM

Depends what you like

2:18 PM

Some people like forensics , some people like red team some blue

2:18 PM

What interests you the most?

Hmm so now im kinda confused all over again lol

Yep

2:19 PM

Your probably not ready for the CCNA ether then

2:20 PM

I have a poorly written blog post here, that needs to be finished, but may help you get started on your journey https://6ixcode.com/blog/begin

Beginners start here..

6ixCode is a free online content project sharing information technology knowledge.

so heres a bit about myself

2:21 PM

I come from a business background, just graduated college with a BBA degree (a very generic degree indeed)

I’m case you don’t want to visit that link, here is the first one

and because of the current job crisis, i couldn't land a job in the marketing or HR sector. Also they kinda pay less to begin with. However i've noticed that networking, cybersecurity fields have more potential and growth

ryd3v

I’m case you don’t want to visit that link, here is the first one

yes ill visit that link

2:23 PM

its open on another tab

Start with the lab setup and being comfortable with the various operating systems, Linux and Windows. Next learn the basics of networking and understanding fundamentals of networking. Finally make a plan, how are you going to learn? Books, Courses? both?, set yourself some easy goals to begin with, for example the basics of the Linux command line. Certifications to go for at this level CompTIA Network+

(edited)

2:23 PM

It’s ok, today I can’t find backticks on my iPhone so it’s all good

2:24 PM

Found it

theDude

and because of the current job crisis, i couldn't land a job in the marketing or HR sector. Also they kinda pay less to begin with. However i've noticed that networking, cybersecurity fields have more potential and growth

maybe take a few steps back and ask yourself what really gives you a kick, in terms of reward, rather than trying to find a job that sounds like it might suit you pay/conditions/future wise?

1

Digitalferret

maybe take a few steps back and ask yourself what really gives you a kick, in terms of reward, rather than trying to find a job that sounds like it might suit you pay/conditions/future wise?

I really wish i could follow my passion and pursue what gives me a kick in terms of reward. But unfortunately, the country I live in is very laid back and the only way to thrive here is to actually hop on opportunities that can make you more money

2:29 PM

And networking, cybersecurity fields are booming here

Yeah if money is the motivation, cyber isn’t the way

2:29 PM

People do cyber for passion not money

other than living expenses, what are you looking for in terms of reward, that money can buy? <things?>

At least in my case

2:29 PM

For money , I’m a software engineer xD

ryd3v

People do cyber for passion not money

Idk about that but I've seen countless examples of people changing careers to cybersecurity just for the big bucks

Hahaha

ryd3v

For money , I’m a software engineer xD

funny how most software engineering jobs here are underpaid

Guess depends where here is

bc folks years ago derided others for say wanting to ride motorbikes. teacher smacked a pupil around the head with his motorbike magazine. said "dont.you.know.you.will.never.make.a.living..,.<etc>

Pretty high paid here

turned out to be Barry Sheene, later to become legend bike rider

2:32 PM

others, similar with "stop playng computer games..." now Twitch stars

I guess my point is that if your getting into cyber security for the money, that’s not the motivation that will give you the best success.

those are pretty low chance things, just saying don't be bound by convention

1

you never did say, what is it exactly that is your passion

That does it for me hahahaha

ryd3v

I guess my point is that if your getting into cyber security for the money, that’s not the motivation that will give you the best success.

i really can't say much about that mindset. I got into coding just for the money

2:35 PM

and i still remember busting my ass off learning it even though i didn't like every second of it

Well hey good luck on your journey

Digitalferret

you never did say, what is it exactly that is your passion

if i were to keep it real

2:39 PM

i actually don't like to work. I'd rather prefer to invest in a couple of stocks and just sleep at home lol

but what gives you the "kick". finding deals, making a profit, etc

ryd3v

Well hey good luck on your journey

Im actually going to follow the path you laid out. seems very organized

Thank you, I have to work on that post a bit, I did it in a rush lol

Digitalferret

but what gives you the "kick". finding deals, making a profit, etc

Making a profit.

There are never enough hours in the day to complete all the things I have to do

1

ryd3v

Thank you, I have to work on that post a bit, I did it in a rush lol

just take your time. Im sure the longer it takes, the more comprehensive its going to be

100%

2:42 PM

I built that site from scratch , so sometimes you get writers block lol

2:43 PM

I’m actually working on a comprehensive beginner training program right now for my local area(Canada) (edited)

2:43 PM

May take me a few weeks to get it all polished up but I think it’s going to be great

2:45 PM

I already made an online school for remote learning , just getting and writing all my curriculum now

theDude

Making a profit.

now there's synchronicity or what you call it. i was gonna recommend the story about the fisherman and businessman, and by pure chance, one of the many re-tellings is by someone that deals in investments http://www.livelearninvest.com/the-businessman-and-the-fisherman-story/

2:45 PM

simpler version https://bemorewithless.com/the-story-of-the-mexican-fisherman/

1

Digitalferret

simpler version https://bemorewithless.com/the-story-of-the-mexican-fisherman/

love it

2:47 PM

I’m saving that one

for me, i had no clue. tried many and sundry as wide a latitude as you can think of before eventually graduating with B.Eng in electronics. by pure chance, having fallen ill with ME/CFS i started again in something i could do from home, on pure interest level. then i realised what I'd know from being very young. the "finding" or "finding the / a solution" gave me the reward.

2:49 PM

"research was another, in similar veinn, bc it was "finding out"

For me it was the perpetual trying to break into everything. Started in ‘85 when I got my first computer, been breaking and fixing pcs since then

some of the best lessons i've had recently have been from having spare capacity here and "running info errands" for those that are in work overload, such as LEA. they have no real time to spend trawling through search engines.

Definitely, the past 11 days or so have been a bit of a whirlwind

ryd3v

For me it was the perpetual trying to break into everything. Started in ‘85 when I got my first computer, been breaking and fixing pcs since then

lol, pretty much same thing here, and i'm not going to admit, given the audience, what i was doing

2:52 PM

Well they say to be the best detective, you have to be a better criminal right

enough to say i was one of those taking all of the risks when others were getting all the rewards

XD

funny you should mention, i have that direct line, family wise

great grandfather was made the first detective chief inspector of <county>

Oh that’s sick

i did research on his history, and showed my nan his Obit in the local paper

I’m the opposite, all my ancestors were criminals , so I decided to be the good boy lmao

commended for <long list>

2:55 PM

she said he knew exactly who was who in the criminal fraternity, especially with regard to the towns famous Classic horse race week.

2:55 PM

because he let lodgings to most of them

I have a famous Irish last name. xD

2:55 PM

my fam history is similar. everything from card sharps, conmen, crooks and more. just as well, although the techniques interest me, that i don't see the acquisition of money "at any cost" as a reward

2:56 PM

if i did i'd either be very rich now, or very jailed

I always say it’s a good thing I’m a good guy, otherwise I’d be rich

2:57 PM

yup. roger that

2:57 PM

the old poacher turned gamekeeper

Yeah haha

now, the other traits, of our "type". some form or martial art, lockpicking (or cracking as it's digital couterpart), musical interest, if not actively playing an instrument...

2:59 PM

and oddly, i've found, sharpening things

Combat, check, lock picking , check lol

3:00 PM

Indeed, sharping one’s blade is also a great pastime

can't even begin to tell you the list of "you too?" i have with a dude stateside.

Haha

almost like Bladerunner and memory implants

Haha yeah that’s true

geh, best stop, i'll have some ^&*ing OSINT guys checking me out with all the data i just spilled

3:02 PM

I'm one of those that would too, lol

Hahahaha true

3:03 PM

I have to jet anyways , wife wants to go out , have a great afternoon lads

later dude, tc / enjoy

Anyone know how to find logs about if/when a group policy ran. In my example there is a Group policy that deletes userprofiles after 60 days of inactivty. I am trying to find a list of all the userprofiles that were deleted. Even if there is a just an event log on the endpoint where the userprofile was deleted that would still work. then I can just search endpoints for that event. Thanks in advance.

Jobbins

Anyone know how to find logs about if/when a group policy ran. In my example there is a Group policy that deletes userprofiles after 60 days of inactivty. I am trying to find a list of all the userprofiles that were deleted. Even if there is a just an event log on the endpoint where the userprofile was deleted that would still work. then I can just search endpoints for that event. Thanks in advance.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749336(v=ws.10)?redirectedfrom=MSDN#reading-the-events

Troubleshooting Group Policy Using Event Logs

9:06 AM

should be logged on the endpoint to both System and the Operational\GroupPolicy area

Hey guys is there any tool that can parse creation time, modification time, access time to a list (csv) of all files and folders on window pc? (just like forensic software filesystem UI) Need fast incident-response, no disk dump Previously I used the cmd command dir to save as csv, but he parsed out the format painfully And I know $MFT, but the content he saves is not complete (edited)

RX

Hey guys is there any tool that can parse creation time, modification time, access time to a list (csv) of all files and folders on window pc? (just like forensic software filesystem UI) Need fast incident-response, no disk dump Previously I used the cmd command dir to save as csv, but he parsed out the format painfully And I know $MFT, but the content he saves is not complete (edited)

what do you mean by the content he saves is not complete

10:32 PM

if you collect the $MFT file and parse it with mftecmd -f $mft --csv . --csv mftoutput.csv or something along those lines you'll get a CSV that has the files along with their MAC times and more

10:32 PM

there's even a KAPE module so you could pretty much go Run kape -> target file system, modules mftecmd.mkape and it should be done in a few minutes

randomaccess

there's even a KAPE module so you could pretty much go Run kape -> target file system, modules mftecmd.mkape and it should be done in a few minutes

I need these information and fields, $MFT can't have these details companyname,filedescription,fileversion,internalname,legalcopyright,originalfilename

Right. You didn't mention those.before...

1

1:29 AM

I'm not sure what you're trying to achieve? Maybe exiftool would be what youre after

RX

Hey guys is there any tool that can parse creation time, modification time, access time to a list (csv) of all files and folders on window pc? (just like forensic software filesystem UI) Need fast incident-response, no disk dump Previously I used the cmd command dir to save as csv, but he parsed out the format painfully And I know $MFT, but the content he saves is not complete (edited)

but i found the tools , KAPE's Module CrowdResponse can do this thank you , thank guys!!!

randomaccess

Right. You didn't mention those.before...

thank you! i will try that

RX

but i found the tools , KAPE's Module CrowdResponse can do this thank you , thank guys!!!

Isn't crowdresponse a collection tool? Making running kape redundant?

randomaccess

Isn't crowdresponse a collection tool? Making running kape redundant?

yap it is This is the tool I found so far that lists all the files, information, and details (edited)

Righto. Would recommend becoming familiar with what the tool is doing so you can understand where its getting the data from

1

thank you! respect

Win10 USB car readers / thumbdrives: hitting a regular problem in that PC doesn't recognise a swapout without having to go into device manager and remove the driver & reboot. even then that's kinda hit and miss. error is the usual

Windows cannot load the device driver for this hardware because a previous instance of the device driver is still in memory. (Code 38)
The driver could not be loaded because a previous version of the driver is still in memory.

3:25 AM

any ideas?

so far, removed drivers. reboots. 3 different card readers/cables. Nirsoft USBDview remove any and all old devices. update W10....

... anyone got a litre of "accelerant" spare? ima need some real soon, then

time

Digitalferret

... anyone got a litre of "accelerant" spare? ima need some real soon, then

time

Before you wipe the system, just to test to be sure it is not a hardware problem, run a live linux distro first and see if it works.

@Law Enforcement [UK] Anyone obtained and exmained logs from 3D printer/s ? Printer recieves files from SD card and not networked. If so drop me a PM, need to draw some information from you.

No but I’d be really interested what the outcome is

3

I'm dealing with that exact scenario - deciding on how to approach it. Anyone have a workflow/tips beyond just documenting the printer, checking for onboard storage, and imaging/processing the SD card?

That's about all you can do unless there is a pi onboard with octoprint on it

7:25 AM

Model dependant

Tcisaki

Before you wipe the system, just to test to be sure it is not a hardware problem, run a live linux distro first and see if it works.

thanks, already grabbing Parrot. any attempt to shove the SDXC card in any recognised card reader locks pretty much anything else up

What's the approach for gcode files located on the SD? Try to convert them to STL to see what the model looks like? Never tried it, but sounds like results are iffy that way... Try printing them?

Tcisaki

Before you wipe the system, just to test to be sure it is not a hardware problem, run a live linux distro first and see if it works.

got to keep at least one instance of W10 running someplace, bc PC3000 but other than that, i think i'm moving back to penguin land.

dfa_adam

What's the approach for gcode files located on the SD? Try to convert them to STL to see what the model looks like? Never tried it, but sounds like results are iffy that way... Try printing them?

You can render gcode in cura

Some printers have web UIs, that might hold volatile information about the last print?

dfa_adam

What's the approach for gcode files located on the SD? Try to convert them to STL to see what the model looks like? Never tried it, but sounds like results are iffy that way... Try printing them?

Open it in Cura Ultimaker and as @Aghast says it should render and display the 3D version fo the file.

Does anyone have a DF report template that I can use by chance? I am doing my senior year Capstone (which is a mock Digital investigation).

@codyp915 Have you looked at the Forensic Expert Witness Report examples available on the internet? They have some very good ones, and to be honest, many DF firms use them as a basis for their own templates.

quick question @Cellebrite we want to reset our Touch 2 as its been buggy. Anybody had issues using the reset switch on the back ? It's been a long time since we have done this.

Its possible, support has the exact instructions as they may vary depending on version

1

DCSO

quick question @Cellebrite we want to reset our Touch 2 as its been buggy. Anybody had issues using the reset switch on the back ? It's been a long time since we have done this.

Be careful with this - we had one reset unintentionally (don't ask!) and the version it reset to was too old to support the new format license files, so we couldn't re-apply the license and do the updates. There is a solution, provided by Cellebrite Support that solved the problem very neatly (Thanks, Fit@Cellebrite ANZ) but there was a bit more involved than just resetting and updating. Ask about the Touch 2 Re-Image Kit and guide if you strike this problem...

Noob Question, I'm building a forensic workstation, getting an I9-12900k, would I notice any significant differences going with ddr5 ram 4800 instead of ddr4, 3600 Cas 16? Mainly using Magnet Axiom and Cellabrite Thanks in advance (edited)

Hi ! I'm building a forensic process for a customer (company with around 3000 employees). They have a lot of cloud and industrial perimeter. Do you have 5-6 must have tools in mind ? I personally think of Axiom magnet and Cellebrite. Thank you in advance

Saucisson Slicer

Hi ! I'm building a forensic process for a customer (company with around 3000 employees). They have a lot of cloud and industrial perimeter. Do you have 5-6 must have tools in mind ? I personally think of Axiom magnet and Cellebrite. Thank you in advance

Entirely depends on what type of casework you're going to be doing. Can you go into further detail?

ExisT

Noob Question, I'm building a forensic workstation, getting an I9-12900k, would I notice any significant differences going with ddr5 ram 4800 instead of ddr4, 3600 Cas 16? Mainly using Magnet Axiom and Cellabrite Thanks in advance (edited)

I am by no means an expert on this, but law of diminishing returns is going to come into play at some point, especially for the price difference that exists between DDR4 and DDR5. I think higher volume of RAM is going to be more helpful than higher clock speeds of RAM for those particular forensic tools.

Andrew Rathbun

Entirely depends on what type of casework you're going to be doing. Can you go into further detail?

Well there is currently nothing about forensic process but the one I am developing. It is going to be done by the CSIRT so they have technical profiles (but not used to perform forensic). They want to be able to investigate on lots of cases. It can be a compromised EC2 instance to investigate (with a little bit of malware analysis). It can be a worker doing illegal stuffs on his workstation so they have to investigate to get elements to a disciplinary procedure. I can't be exhaustive but they want to be able to investigate on lots of cases, this is why I was thinking of Axiom. It seems to be great for working on different kinds of assets

@Cellebrite @Magnet Forensics @Griffeye Would we see any substantial performance improvements on your tools if we run it on the new Mac M1 Ultra chip?

Saucisson Slicer

Well there is currently nothing about forensic process but the one I am developing. It is going to be done by the CSIRT so they have technical profiles (but not used to perform forensic). They want to be able to investigate on lots of cases. It can be a compromised EC2 instance to investigate (with a little bit of malware analysis). It can be a worker doing illegal stuffs on his workstation so they have to investigate to get elements to a disciplinary procedure. I can't be exhaustive but they want to be able to investigate on lots of cases, this is why I was thinking of Axiom. It seems to be great for working on different kinds of assets

So this is likely deadbox forensics to enumerate user behavior that may or may not violate policy. Seems like Cellebrite and Magnet are a good start. For computer forensics, there's plenty of free tools out there on GitHub (even outside of Eric's tools) to squeeze more from the artifacts

Andrew Rathbun

So this is likely deadbox forensics to enumerate user behavior that may or may not violate policy. Seems like Cellebrite and Magnet are a good start. For computer forensics, there's plenty of free tools out there on GitHub (even outside of Eric's tools) to squeeze more from the artifacts

Yes ! That's it ! Yeah I already selected a bunch of free tools (automated like autopsy and some more manual). Buy the idea was to find tools to do "the most" in one. As my customer is more in this mindset and they do not have any experience in this field

Saucisson Slicer

Yes ! That's it ! Yeah I already selected a bunch of free tools (automated like autopsy and some more manual). Buy the idea was to find tools to do "the most" in one. As my customer is more in this mindset and they do not have any experience in this field

One thing to consider, is your washer and dryer the same unit? Or would you prefer to have them separate? I know my answer. Sometimes using tools that were made to do a single function is the best way to go for speed, results, etc, rather than a massive swiss army knife that has a lot of moving parts. Not talking in code here about any particular tools, but just because something does a lot of things doesn't mean it does them well. It all comes down to tool validation and understanding the artifacts. Learning how to use tools is a separate issue. Knowing artifacts will always reign supreme in my mind and knowing how to use a tool suite will be a secondary consideration, if that makes sense.

Andrew Rathbun

One thing to consider, is your washer and dryer the same unit? Or would you prefer to have them separate? I know my answer. Sometimes using tools that were made to do a single function is the best way to go for speed, results, etc, rather than a massive swiss army knife that has a lot of moving parts. Not talking in code here about any particular tools, but just because something does a lot of things doesn't mean it does them well. It all comes down to tool validation and understanding the artifacts. Learning how to use tools is a separate issue. Knowing artifacts will always reign supreme in my mind and knowing how to use a tool suite will be a secondary consideration, if that makes sense.

I totally agree with you on that point. I personally prefer to understand what am I searching for and why I am searching on a particular element to pick a tool to help me (like the tools nirsoft provide for windows artifacts). But my customer is more in a "easy and fast investigation" way of thinking and call an expert if needed on a harder case

Anyway, thank you for your help, I'm going to keep digging

forensicMouse

@Cellebrite @Magnet Forensics @Griffeye Would we see any substantial performance improvements on your tools if we run it on the new Mac M1 Ultra chip?

AXIOM runs on the windows platform and since there really hasn't been any progress on virtualizing Windows 11 on an M1 chip that may be a mistake. (edited)

7:02 AM

A google search as well to make usre I hadn't missed something is unless your running Parrallels then you are out on bootcamp and Fusion as well for Win10 (edited)

1

7:03 AM

I just bought new MACs and bought I9's and am very happy with performance

7:04 AM

dfa_adam

What's the approach for gcode files located on the SD? Try to convert them to STL to see what the model looks like? Never tried it, but sounds like results are iffy that way... Try printing them?

I personally use the PrusaSlicer G-Code Viewer to 3D render .gcode files.

Does anyone recommend any Certs for brand new examiners? I plan to go to Kent state for computer science with my specialization in information security, but I want to look into some Certs while I’m doing classes. I will be getting my bachelors of science

codyp915

Does anyone recommend any Certs for brand new examiners? I plan to go to Kent state for computer science with my specialization in information security, but I want to look into some Certs while I’m doing classes. I will be getting my bachelors of science

#training-education-employment

Hi all, Does anyone know what program I can use to certify that an audio file has not been manipulated and that it has no cuts?

AFAIK there is not an automated solution for that (edited)

8:53 AM

check this out: https://www.acustek.com/index.php/en/forensic-solutions

Audio Forensic Analysis Solutions - Acustek-Technical Surveillance...

General and comprehensive Audio Forensic Analysis Solutions for forensic departments and government agencies

Thanks! i will see.

1

depends on if you need dfr or software engineering

6:04 AM

probably easier to find jobs as a swe but both are in relatively high demand

timeline

Anyone aware of this site or how the results actually links to users?

https://www.hudsonrock.com/search?domain=bbc.com (edited)

Search Results

how can I know whether this photo has been tempered with and what online tools would you guys use to figure it out?

10:59 AM

Another question I would have is how to search for copies, or modified copies, of certain images? Assume this could be either on the forensic image of the same PC, or other devices. (edited)

Marcell

Another question I would have is how to search for copies, or modified copies, of certain images? Assume this could be either on the forensic image of the same PC, or other devices. (edited)

Have you tried hash vales and PhotoDNA?

ohh

11:24 AM

what hashes do you think could be useful in a case like this? cryptographic or perceptual?

Marcell

how can I know whether this photo has been tempered with and what online tools would you guys use to figure it out?

maybe give https://asecuritysite.com/forensics/ a go, under the [Graphics formats] header, and also https://29a.ch/photo-forensics/ including the Help page

Marcell

what hashes do you think could be useful in a case like this? cryptographic or perceptual?

Cryptographic will find untampered copies while perceptual should find slightly modified copies.

Thanks for that guys!

11:51 AM

11:52 AM

Any tips regarding this by any chance? (edited)

11:52 AM

other than the fact that it can match files transferred over the network to files in an image I can't really think of anything else

Btw does anyone here use Red Canary? Are they good? What has peoples experiences been with it? Red Canary is the 'wrapper' service that manages the Carbon Black alerts.

1:20 PM

MDR

Anyone using open source or low cost software for officers to upload digital evidence to a server? The commercial solutions are insanely expensive.

Joe Schmoe

Anyone using open source or low cost software for officers to upload digital evidence to a server? The commercial solutions are insanely expensive.

What kind of server? Is it a simple drag and drop onto a mounted network share or something fancier?

It’s all up in the air right now. The quotes were for full servers and software. I’m hoping just add storage to existing network shares if I can set up good controls. (edited)

2:40 PM

For example I debated writing a Python script to monitor an intake folder and hash the files added.

Original message was deleted or could not be loaded.

It can be if you plan on doing DFIR in the future as a career path, otherwise no.

hey guys, not sure if this is the right place to ask, but I wanted to get some advice on a job offer i just received. I currently work staff aug for this company so my salary is paid by a third party. My current total comp is ~150k (125base, 25k bonuses)as a red team engineer, but the client has been using me as an IR engineer for the last year or so. They gave me a full time offer with almost the exact same total comp (137 base, 10% bonuses, total comp ~150). Is this a generally fair offer? I would have thought getting hired by the client would result in a decent pay bump. Would it be unreasonable for me to ask for 150 base and 10% bonuses? I'm one of the most experienced people on a relatively small team, and my focus has been on creating tooling to automate large parts of IR work. they'd be wasting a lot of time without that infrastructure

my opinion? always negotiate

absolutely, i'm definetly going to try, but wanted to get some ideas on what might be considered reasonable. There isn't a whole lot of info out there on what an IR engineer salary averages

Joe Schmoe

Anyone using open source or low cost software for officers to upload digital evidence to a server? The commercial solutions are insanely expensive.

I use cross ftp to upload to aws govcloud. Single person shop so needs are low.

whee30

I use cross ftp to upload to aws govcloud. Single person shop so needs are low.

Just my stuff would be easy. I’m trying to find a system for everyone to use. It needs to be very straight forward.

Ah. My agency uses evidence.com for audio and video, some type of in house to manage physical evidence. Good luck!

Marcell

Another question I would have is how to search for copies, or modified copies, of certain images? Assume this could be either on the forensic image of the same PC, or other devices. (edited)

Autopsy plugin to detect media manipulation- https://github.com/saraferreirascf/Photo-and-video-manipulations-detector/blob/main/deepfake_photo/Windows/detect_deepfake_photos.py

Photo-and-video-manipulations-detector/detect_deepfake_photos.py at...

Autopsy plugins meant to detect photo and video manipulations. - Photo-and-video-manipulations-detector/detect_deepfake_photos.py at main · saraferreirascf/Photo-and-video-manipulations-detector

5:16 PM

Answer to first question

wedemmoez

hey guys, not sure if this is the right place to ask, but I wanted to get some advice on a job offer i just received. I currently work staff aug for this company so my salary is paid by a third party. My current total comp is ~150k (125base, 25k bonuses)as a red team engineer, but the client has been using me as an IR engineer for the last year or so. They gave me a full time offer with almost the exact same total comp (137 base, 10% bonuses, total comp ~150). Is this a generally fair offer? I would have thought getting hired by the client would result in a decent pay bump. Would it be unreasonable for me to ask for 150 base and 10% bonuses? I'm one of the most experienced people on a relatively small team, and my focus has been on creating tooling to automate large parts of IR work. they'd be wasting a lot of time without that infrastructure

If you're wondering about whether the number is good or not, it depends on where you live. In NYC you'd be lucky to afford a walk in closet at that salary. In the Midwest USA, you'd be sitting pretty.

Andrew Rathbun

If you're wondering about whether the number is good or not, it depends on where you live. In NYC you'd be lucky to afford a walk in closet at that salary. In the Midwest USA, you'd be sitting pretty.

I’m in Dallas

Joe Schmoe

Anyone using open source or low cost software for officers to upload digital evidence to a server? The commercial solutions are insanely expensive.

why not use owncloud on your own server? https://owncloud.com/download-server/

Download Server Packages - ownCloud

Download Server Packages for ownCloud, find the right package for you

Original message was deleted or could not be loaded.

it's all relative

my house in California goes for 6.3x the price I paid for it. Cost of living matters more than salary

3

Dr. Kaan Gündüz

why not use owncloud on your own server? https://owncloud.com/download-server/

I appreciate it. I’m not really familiar with it but I’ll take a look.

1

Are there any belkasoft employees here or some one who is attending belkasoft x mobile training?

Tejas

Are there any belkasoft employees here or some one who is attending belkasoft x mobile training?

@Belkasoft

am wondering how it is a training with few youtube videos and google form

9:11 PM

I'm finding it difficult to work with software and understand

you can also ping @elizavetabelkasoft in #belkasoft-ctf

9:12 PM

I'm guessing you're referring to the CTF going on in a few hours?

Andrew Rathbun

I'm guessing you're referring to the CTF going on in a few hours?

ah nope. https://belkasoft.com/free-mobile-forensics-training

Never complain about free training

I am messing with you but for the price, it's hard to nitpick. They certainly don't have to provide 2-3 free hours of training with a test. That's pretty generous

yep thats true

9:14 PM

maybe a little more details for newbies maybe

Also, plenty of great knowledge on YouTube or like platforms. Paid and free.

or was it intended only for those only working in a company cuz eligibility wasn't mentioned

If you have feedback for them, definitely let them know. Same for any vendor. They are generous enough to be here and be subject to feedback from end users so take advantage of that and help shape things for the better

Tejas

or was it intended only for those only working in a company cuz eligibility wasn't mentioned

That's beyond the scope of my knowledge. My job is to keep the water warm here for vendors and end users alike. Anything vendor specific, I defer to them.

okay

thanks tho. I ll wait for reply from belkasoft team maybe

Tejas

okay

thanks tho. I ll wait for reply from belkasoft team maybe

Best of luck

1

Any recommendations of software for moving and hashing evidence? People here say that Nuix evidence mover has/had issues and seem reluctant to use it.

Artea

Any recommendations of software for moving and hashing evidence? People here say that Nuix evidence mover has/had issues and seem reluctant to use it.

TaraCopy can move, hash after it moves the file, and then store a small file containing the hash all in one interaction from the user. https://www.codesector.com/teracopy

TeraCopy for Windows - Code Sector

Official site of TeraCopy, a free utility designed to copy files faster and more secure. It can verify copied files to ensure they are identical. It skips bad files during copy, not terminating the entire transfer. Seamless integration with Windows Explorer.

5

https://freefilesync.org/ is an alternative

FreeFileSync

Download FreeFileSync 11.18. FreeFileSync is a free open source data backup software that helps you synchronize files and folders on Windows, Linux and macOS.

2

Use those both. Both are great tools

This is great - I was also searching for a solution like this especially for copying large files like phone dumps and other image files. @Andrew Rathbun do you have a preference on which is better?

Tejas

Are there any belkasoft employees here or some one who is attending belkasoft x mobile training?

Yeap. Contact me or support@belkasoft.com

elizavetabelkasoft

Yeap. Contact me or support@belkasoft.com

I got 2 tickets open

6:43 AM

already

elizavetabelkasoft

Yeap. Contact me or support@belkasoft.com

Is it fine If I dm?

Tejas

Is it fine If I dm?

Yes, of course

Ok so my capstone project for my HS is a DF investigation, I am using FTK imager and such, does anyone know of any reporting software for the report phase? I HATE paperwork with a passion

codyp915

Ok so my capstone project for my HS is a DF investigation, I am using FTK imager and such, does anyone know of any reporting software for the report phase? I HATE paperwork with a passion

Well you might need to overcome that hatred or consider a new career path, frankly. Depending on which route you go, there's going to be paperwork. Administrative stuff isn't sexy but the pen is mightier than the sword. Administrative stuff keeps businesses running and your paychecks not bouncing. Microsoft makes some pretty decent reporting software. It's called Word

I honestly don't know of any fancy reporting software but reporting absolutely should not be automated or "pumped and dumped". AI may take over the world someday but anytime soon the world still needs humans to interpretively analyze data and draw reasonable conclusions, especially earlier into your career and education like you are so you get exposure and experience.

2

techforensic

This is great - I was also searching for a solution like this especially for copying large files like phone dumps and other image files. @Andrew Rathbun do you have a preference on which is better?

For your use case, probably TeraCopy. We used it in the US Federal Government for that very purpose. FreeFileSync I use to just sync files from my personal computer to my NAS on an automated basis

1

codyp915

Ok so my capstone project for my HS is a DF investigation, I am using FTK imager and such, does anyone know of any reporting software for the report phase? I HATE paperwork with a passion

It’s easier to report if you document along the way, I’ve moved to Obsidian for notes and then eventual conversion to PDF or work with markdown and Word Templates

tklane

It’s easier to report if you document along the way, I’ve moved to Obsidian for notes and then eventual conversion to PDF or work with markdown and Word Templates

Obsidian is all the rage lately. Markdown is an awesome format to document things. I don't know how it would work when it comes to final reporting that would go to a client or prosecutor, but absolutely for notes along the way it's a great solution. I hope it someday dethrones OneNote, if it hasn't already. Can't beat the amount of updates it gets, especially compared to OneNote. Their Discord server is very active, too.

Does anyone know how far back google takeout data goes? I am looking for location data possibly from 2+ years ago.

As far back as the user has data, albeit you have a wait on your hands

@CCC Perfect and why would there be a wait? It will be a consent to search with the users login/password.

dfir-rick

@CCC Perfect and why would there be a wait? It will be a consent to search with the users login/password.

Google Takeouts can take a long time to generate once you press the request button. Location data used to go back forever - now it depends on user settings. You can choose to set a retention period for the location data (I believe that retaining forever is still the default for new accounts but I'm not sure)

Ross Donnelly

Google Takeouts can take a long time to generate once you press the request button. Location data used to go back forever - now it depends on user settings. You can choose to set a retention period for the location data (I believe that retaining forever is still the default for new accounts but I'm not sure)

@Ross Donnelly thank you. The investigator stated the victim is pretty clueless when it comes to technology so I am hoping it is still set to the default option of forever. I will be receiving her device next week and if that doesn't pull the location data, I will let the investigator know about takeout data.

codyp915

Ok so my capstone project for my HS is a DF investigation, I am using FTK imager and such, does anyone know of any reporting software for the report phase? I HATE paperwork with a passion

Cherrytree, make a template, fill it in , export

Andrew Rathbun

Well you might need to overcome that hatred or consider a new career path, frankly. Depending on which route you go, there's going to be paperwork. Administrative stuff isn't sexy but the pen is mightier than the sword. Administrative stuff keeps businesses running and your paychecks not bouncing. Microsoft makes some pretty decent reporting software. It's called Word

I honestly don't know of any fancy reporting software but reporting absolutely should not be automated or "pumped and dumped". AI may take over the world someday but anytime soon the world still needs humans to interpretively analyze data and draw reasonable conclusions, especially earlier into your career and education like you are so you get exposure and experience.

The main reason I need to automate it as much as possible is because I have Cerebral Palsy and can only use my left hand (effectively), therefore taking me longer to write up reports. So I want to make it easier on myself.

codyp915

The main reason I need to automate it as much as possible is because I have Cerebral Palsy and can only use my left hand (effectively), therefore taking me longer to write up reports. So I want to make it easier on myself.

Totally understand. That would've been good context to know off the bat. I don't know much about what programs offer good accessibility features for that but hopefully someone else does

Andrew Rathbun

Totally understand. That would've been good context to know off the bat. I don't know much about what programs offer good accessibility features for that but hopefully someone else does

Oh, sorry, my bad

codyp915

Oh, sorry, my bad

You both arent wrong! Definitely lots of paperwork, unironically a not insignificant part of the gig is streamlining that kind of thing so automating it is just getting ahead of the game. Ry gave good advice, if you can make something a template, save yourself the trouble. I would also be sure that you save your reports because you will probably find yourself using similar language to describe similar situations/tools/findings/etc. Over time you can basically create your own database to take advantage of. Unfortunately so much of this stuff is niche so I would think speech to text tools must be a total coin toss lol, but Im sure you've already done that.

dfir-rick

Does anyone know how far back google takeout data goes? I am looking for location data possibly from 2+ years ago.

I had data from 2016 in there so probably as far as it can get data about you

I have doubt, how does image/files extraction work with software like autopsy/belkasoft/.... Once when I tried autopsy on my own machine as an experiment, I tried deleting few files and analyzing using autopsy to see if it can recover images/files. But it didn't. It shows some arbitrary images/files..

7:47 PM

Does it work all the time and it seem to not work for me?

7:47 PM

or am doing something wrong

Tejas

I have doubt, how does image/files extraction work with software like autopsy/belkasoft/.... Once when I tried autopsy on my own machine as an experiment, I tried deleting few files and analyzing using autopsy to see if it can recover images/files. But it didn't. It shows some arbitrary images/files..

Easy way to play around is to create a VHDX in disk management. And then move things around, delete things, and then go look in a forensic tool

3:55 AM

It also helps to read a bit about how the file systems are working at a high level

3:55 AM

And understanding at least at a high level what happens when a file is deleted

3:56 AM

But depending on the media a deleted file may last on disk a long time (until it's overwritten) or it may be gone once it's deleted

okay thanks

Any one here from Ohio?

12:11 PM

Specifically anyone who went for CS? What is better for DFIR Infosec concentration or no concentration and computer forensics minor?

12:12 PM

*at Kent

@codyp915#training-education-employment

randomaccess

Easy way to play around is to create a VHDX in disk management. And then move things around, delete things, and then go look in a forensic tool

@Tejas this is one of the first things I did on GitHub - https://github.com/AndrewRathbun/Anti-Forensics-VHDX I did the very same thing @randomaccess suggested here. Making a VHDX is effortless and then it can serve as your own experimental sandbox for toying around with whatever filesystem you format it with.

2

Thank you

codyp915

Specifically anyone who went for CS? What is better for DFIR Infosec concentration or no concentration and computer forensics minor?

Not from/did not go to Kent, but I can possibly help you decide. Do you know what you want to do long term in DFIR? because that may change what you do

Murst

Not from/did not go to Kent, but I can possibly help you decide. Do you know what you want to do long term in DFIR? because that may change what you do

Forensic analysis

codyp915

Forensic analysis

Boots on the ground doing the analysis? Or background identifying and developing new tools?

Murst

Boots on the ground doing the analysis? Or background identifying and developing new tools?

Actually doing the analysis

codyp915

Actually doing the analysis

Assumptions: This is the Minor: http://catalog.kent.edu/colleges/ap/computer-forensics-security-minor/#programrequirementstext This is the Major Concentration: https://www.kent.edu/cs/information-security Thats a rough decision, Based solely off course titles, it seems the Major concentration is more around Secure coding and crypto. So from that aspect I would think the minor might be more helpful. It looks like Kent also offers a Undergrad Cert in Forensics/Security and a BSIT with focus in Forensics/Security. Have you explored those options? Also, I would 100% recommend talking with your advisor. Some colleges let you do a build your own focus/Minor as well.

codyp915

The main reason I need to automate it as much as possible is because I have Cerebral Palsy and can only use my left hand (effectively), therefore taking me longer to write up reports. So I want to make it easier on myself.

Have you thought about using a dictation software suite?

Hello! My name is Mariam and I am a student in forensics. I am currently writing a research paper and need to collect some research. I have two surveys linked below that would be greatly appreciated if you took about five minutes of your day to help me out. Thank you so much! I promise they're short. https://forms.gle/WSRRKYQKzocurdkcA https://forms.gle/QReL4F62yS3BFk8e8

Forensics Survey About TV Shows (1)

Those in the field

Forensics + Technology

How technology evolving has affected forensics

Mariam™

Hello! My name is Mariam and I am a student in forensics. I am currently writing a research paper and need to collect some research. I have two surveys linked below that would be greatly appreciated if you took about five minutes of your day to help me out. Thank you so much! I promise they're short. https://forms.gle/WSRRKYQKzocurdkcA https://forms.gle/QReL4F62yS3BFk8e8

Assumption, when you say forensics, you mean digital forensics right?

Doing some research for a presentation I'm giving later in the month. I don't see a way to make a poll here, so my Twitter thread: https://twitter.com/christammiller/status/1503371084078497793 and for those not on Twitter, same questions on LinkedIn (you can access all 3 questions from my profile): https://www.linkedin.com/in/christammiller/ Thanks in advance!

Christa M. Miller (@christammiller)

Hey #DFIR Twitter: I'm giving a presentation soon & would like to know (1/3): What's your take on how news media report on digital forensics and/or incident response?

Hello! Can you help with some information about a GPS tracker, brand-Sinotrack model-AK-GT25. Some way using linux to access the equipment and read the memory?

Castrol

Hello! Can you help with some information about a GPS tracker, brand-Sinotrack model-AK-GT25. Some way using linux to access the equipment and read the memory?

I can't help you with the on board data, but is there a reason you need to know the local data? I've always had success in getting a warrant for the provider... the user of the device has to access the tracking data somewhere after all. Typically there is an online portal with plenty of good info available, unless its a different type of device I've not heard about yet.

whee30

I can't help you with the on board data, but is there a reason you need to know the local data? I've always had success in getting a warrant for the provider... the user of the device has to access the tracking data somewhere after all. Typically there is an online portal with plenty of good info available, unless its a different type of device I've not heard about yet.

The device is with me to do the forensic examination. The owner of the equipment is under arrest. The device has a SIM but no information, after a search with Cellebrite.

I have a case of identity theft/ harassment I'm investigating. I have a suspect who I believe is utilizing Apple Private Relay to access websites and put requests to buy items in my victims name. On one of the website I was able to subpoena for webserver logs associated with the connections. They provided an IP address that (according the ARIN) comes back to AKAMAI. Does anyone know if I can link this back to my suspect somehow? Also, included in this response is a Google Analytics ID, does anyone know if this ID would still be broadcast while utilizing Private Relay or if this information is some sorta of autogenerated number (similar to how Apple now provides burner emails within the same service) Thank you for any assistance. (edited)

right. Check the website for the manufacturer of the device, see if they service it. The SIM will have a provider code built into the ICCID written on the card, as well as the IMSI stored inside the card. What I have done in the past is provided those values to the service provider (spytec, most recently) and received a wealth of billing, activity and login info.

9:55 AM

@Castrol - it may be possible to get some type of data off of the device, but I got absolutely everything I needed from the site provided in nice neat excel docs and pdfs... I never looked into jtag to see if there was local info simply because I didn't need to. I know it doesn't directly answer your question but it may save you some time.

DMG

I have a case of identity theft/ harassment I'm investigating. I have a suspect who I believe is utilizing Apple Private Relay to access websites and put requests to buy items in my victims name. On one of the website I was able to subpoena for webserver logs associated with the connections. They provided an IP address that (according the ARIN) comes back to AKAMAI. Does anyone know if I can link this back to my suspect somehow? Also, included in this response is a Google Analytics ID, does anyone know if this ID would still be broadcast while utilizing Private Relay or if this information is some sorta of autogenerated number (similar to how Apple now provides burner emails within the same service) Thank you for any assistance. (edited)

Do you mean Akamai? If so then I would try subpoena them for log files. Surely since they are a huge load balancing/CDN there should be a session ID per IP address? If the Google Analytics ID starts with "UA-**-**" I would try Google dork for it to find the site(s) it is attached to and tracking.

Deleted User

Do you mean Akamai? If so then I would try subpoena them for log files. Surely since they are a huge load balancing/CDN there should be a session ID per IP address? If the Google Analytics ID starts with "UA-**-**" I would try Google dork for it to find the site(s) it is attached to and tracking.

Yes I do mean Akamai, not sure how I lost the A. I’ve fixed it now. I can’t seem to find there subpoena compliance department. Also referencing Apple info on the service they seem to split the traffic between themselves and cloud flare or Akamai or another company I’m not recalling this second . I’m wondering if anyone has patched these two together

Deleted User

Do you mean Akamai? If so then I would try subpoena them for log files. Surely since they are a huge load balancing/CDN there should be a session ID per IP address? If the Google Analytics ID starts with "UA-**-**" I would try Google dork for it to find the site(s) it is attached to and tracking.

The numbers starts with GA1.2.2

DMG

Yes I do mean Akamai, not sure how I lost the A. I’ve fixed it now. I can’t seem to find there subpoena compliance department. Also referencing Apple info on the service they seem to split the traffic between themselves and cloud flare or Akamai or another company I’m not recalling this second . I’m wondering if anyone has patched these two together

I think one could end up making calls to both services on the same site, but not certain. I checked and Akamai retains IP, browser and some telemetry. The best contact address I could find for LE was: privacy@akamai.com No idea about the GA1.2.2 but hopefully someone else on here can assist.

Hey everyone! Does anyone have a good way of upgrading from iOS 13.2.2 to iOS 14.5 or 14.8? I have an iphone 8 that is my test device, with iOS 13.2.2 that I am trying to upgrade to iOS 14.5 to see about getting access to the findMy app data. I have already tried some methods, but they didnt seem to work.

m1gr@n3

Hey everyone! Does anyone have a good way of upgrading from iOS 13.2.2 to iOS 14.5 or 14.8? I have an iphone 8 that is my test device, with iOS 13.2.2 that I am trying to upgrade to iOS 14.5 to see about getting access to the findMy app data. I have already tried some methods, but they didnt seem to work.

If you check here you can see which versions of iOS are still signed by Apple. The signature of the ipsw is verified during installation, and if it's not still signed, it will fail. https://idevicecentral.com/ios-signing-status/ The reason you need to pick the device type on this site is because it varies for older hardware which is not able to run the latest and greatest versions of things (e.g. iPhone 5 can only run up to iOS 10).

GeoSn0w

iOS Signing Status - iDevice Central

To view the current signed iOS versions, signed iOS Betas, as well as the versions that are no longer signed for your device, please select your device model from the list. You will be redirected automatically to the results page*. Please select your Device: ----- iPhone -----iPhone 13 Pro - iPhone14,2iPhone 13 Pro Max -

11:02 AM

As far as installing an iOS version that is not signed, I think you need shsh blobs. (I havent used them much) and you may also need to find an unsigned version of that IPSW rather than one you get from Apple. (edited)

forensicmike @Magnet

As far as installing an iOS version that is not signed, I think you need shsh blobs. (I havent used them much) and you may also need to find an unsigned version of that IPSW rather than one you get from Apple. (edited)

Thanks. I see that the OS that I want to go to is not signed. I just didnt want to go to the latest iOS from iOS 13.2.2.

DMG

Yes I do mean Akamai, not sure how I lost the A. I’ve fixed it now. I can’t seem to find there subpoena compliance department. Also referencing Apple info on the service they seem to split the traffic between themselves and cloud flare or Akamai or another company I’m not recalling this second . I’m wondering if anyone has patched these two together

I think the other company is Fastly. To go from the Akamai IP, you might have to request Apple and Akamai try to play ball. But from Apples doc (https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF) , they may not have info to help correlate:

Logging Private Relay’s design, combined with a minimal logging policy, ensures that proxy logs do not contain enough information to connect a user’s IP address or account information with their browsing activity. The information logged by Private Relay contains no unique identifiers and is limited to the following, for the sole purpose of operating and improving the service: • Connection properties and performance metrics • Network and region information derived from IP address • Anonymous token validation success rate and performance • Private Relay system resource usage The following fields related to anonymous token issuance are logged as a part of Private Relay’s fraud prevention and anti-abuse measures, but cannot be correlated with connection information: • iCloud account, software version, and request timestamp

@Cellebrite got this Qualcomm Live error, and doing a search I have not seen anything posted yet. Thoughts ? Error" 7F777DE7

nothing anormal, that can happen, keep trying @DCSO (edited)

1

Castrol

The device is with me to do the forensic examination. The owner of the equipment is under arrest. The device has a SIM but no information, after a search with Cellebrite.

I’m not familiar with this device but based on my experience in similar situations, onboard data is stored on a EEPROM/Flash chip or the GPS chip itself. Chip off or JTAG are your best bets.

https://cfreds.nist.gov/

Has anyone else renewed licensing with Cellebrite recently, after moving to a 'new subscription pricing' model in 2022? I am seeing price rises of UFED4PC and PA of 50% and Responder 60% rise on last year's bill. In some instances an increase of £2000 per annum per license. Subscription model seems to be short for prices going up, in a year that we have already seen big decoding errors in the tool with 2022 timestamps.

1

Anyone know how to get individual builds of MS Office 16 for Windows? macOS builds are easy enough to get (e.g. 16.43.20110804, 16.44.20121301, 16.46.21021202, etc.) but we haven't found the Windows builds.

i found these via google: https://macadmins.software/ (sorry just macs) https://tb.rg-adguard.net/public.php (edited)

TechBench by WZT (v4.1.1)

This website was created with simplicity in mind. Here you can easily download products directly from Microsoft. This website neither its author are not affiliated with Microsoft Corporation.

3:58 AM

"Not all previous versions of Windows or Microsoft Office can be downloaded. The site is limited to providing token download links to installation media that Microsoft still allows for downloading. If you can't find the version of the software you want using the drop-down selection arrows, it's not available. Windows 7 and earlier, for example, is not available. One is also limited regarding editions, e.g. no Windows Pro or Education editions can be downloaded for Windows 10. For Windows 8.1 only the Pro edition can be downloaded. All of that is out of TechBench's control. Not all software downloads will generate an expiring time stamp. That's normal and the reason for that is unknown. It is, however, normal behaviour and not a fault with the site. To be on the safe side, download your media at your earliest convenience lest it gets removed from availability by Microsoft."

Hi, does anyone know if I can skip the 2-step verification by SMS for a google drive account? I have access to two "backup security codes" but I never get the chance to use them. Any ideas?

Dr. Kaan Gündüz

"Not all previous versions of Windows or Microsoft Office can be downloaded. The site is limited to providing token download links to installation media that Microsoft still allows for downloading. If you can't find the version of the software you want using the drop-down selection arrows, it's not available. Windows 7 and earlier, for example, is not available. One is also limited regarding editions, e.g. no Windows Pro or Education editions can be downloaded for Windows 10. For Windows 8.1 only the Pro edition can be downloaded. All of that is out of TechBench's control. Not all software downloads will generate an expiring time stamp. That's normal and the reason for that is unknown. It is, however, normal behaviour and not a fault with the site. To be on the safe side, download your media at your earliest convenience lest it gets removed from availability by Microsoft."

At this point we have been collecting particular Office 16 builds (for Windows) by searching our own workstations for Office installations that haven't already been updated to later builds.

i'm sure NIST has all of them

it seems MS has a tool called office deployment tool

4:16 AM

"1. Download Office 2016 deployment tool at this page: Office 2016 Deployment Tool. 2. Unzip the tool to your computer, for example I unzip it to a folder named ODT on my desktop, then modify the configuration.xml file. you can copy the script below: <Configuration> <Add OfficeClientEdition="32" Channel="Broad" Version="16.0.8431.2270"> <Product ID="O365ProPlusRetail"> <Language ID="en-us" /> </Product> </Add> <Updates Enabled="FALSE" /> </Configuration> 3. Press Win+R to open Run, insert cmd to open Command window. 4. Type cd C:\Users\Administrator\Desktop\ODT to read the folder. Then type setup.exe /configure to download and install Office."

4:17 AM

it may be scripted, with a list of release numbers

Dr. Kaan Gündüz

it may be scripted, with a list of release numbers

I’m not sure if we’ve tried that… I’ll check and report back if it works! (Or, if it doesn’t.)

1

hi

Arsenal

I’m not sure if we’ve tried that… I’ll check and report back if it works! (Or, if it doesn’t.)

one alternative may be installing a WSUS server for office updates (edited)

hello everyone, advice on a free antivirus?

What platform are you trying to protect?

windows

manuelevlr

windows

Microsoft's built-in protections are actually pretty good. Defender used to be pretty useless, but they've made big improvements in the last few years. I'm perfectly happy running my own personal Windows machine with just what's built in.

Works pretty well for me too. Actually too good. Whenever I do some forensic testing with an image that has malware, I always end up getting detections.....

Arsenal

I’m not sure if we’ve tried that… I’ll check and report back if it works! (Or, if it doesn’t.)

We got errors when trying to request some builds we know existed… but we did get more with ODT than we had yesterday. Thanks!

1

Arsenal

We got errors when trying to request some builds we know existed… but we did get more with ODT than we had yesterday. Thanks!

It is possible those builds were pulled due to vulnerabilities (think superseeded updates). Sadly it not easy anymore with the continual change in the O365 version vs the desktop platform

1

Murst

It is possible those builds were pulled due to vulnerabilities (think superseeded updates). Sadly it not easy anymore with the continual change in the O365 version vs the desktop platform

We’ll hassle some people at MS as our last step before we move on.

On a much different note, we've had three suspicious purchases this last week involving Kyiv. (After not having any interaction with UA for years.) Bogus physical addresses, notorious bulletproof hosts used during purchase, inability to confirm identity when asked, etc. Have any DF software vendors here noticed anything similar? (edited)

Hi everyone, I hope y’all can point me in the right direction. I received this drive to be imaged and I have never seen this connection before and do not see any cables with my write blockers to connect to it. Browsing the internet I think it is a My Passport hard drive with its case removed. Can it be imaged using the micro USB port ? All of the My Passport drives I have seen use the USB micro data PC cable. Thanks in advance

Yes

yeah that looks like a drive that was shucked

Agreed. Standard external drive without a case

I am currently working in a SOC doing a little bit of everything. The biggest thing that I feel like I am lacking is learning resources, there are a ton making it really difficult to determine which one to follow. If there was one book or course you would recommend that would cover IR and DFIR, what would it be? (This is my first post. Please let me know if I need to post this somewhere else!) (edited)

R3V3R53

Hi, does anyone know if I can skip the 2-step verification by SMS for a google drive account? I have access to two "backup security codes" but I never get the chance to use them. Any ideas?

I recently had to do this, when it asks you to verify with the sms code there should be an option to say you no longer have the phone. If that option doesn’t appear you may have to click help and you should get the option. I believe at this point it will ask you to verify with a backup email or other method. FYI if you are trying to access the account from a device and or IP it has not connected to before, additional security verifications will be needed. If at all possible try to access the google account from a recognized IP or device.

Hutch

I am currently working in a SOC doing a little bit of everything. The biggest thing that I feel like I am lacking is learning resources, there are a ton making it really difficult to determine which one to follow. If there was one book or course you would recommend that would cover IR and DFIR, what would it be? (This is my first post. Please let me know if I need to post this somewhere else!) (edited)

Always depends on where you want to go and how much funding is. SANS courses are always good but expensive (5-8k). Depending on where you want to focus it might lead to different books.

Hutch

I am currently working in a SOC doing a little bit of everything. The biggest thing that I feel like I am lacking is learning resources, there are a ton making it really difficult to determine which one to follow. If there was one book or course you would recommend that would cover IR and DFIR, what would it be? (This is my first post. Please let me know if I need to post this somewhere else!) (edited)

Let's move this to #training-education-employment

for local file decryption a la mobile app file lockers etc... what are y'all using as a solution? Currently I'm using the local version of cyberchef but I'm curious if there are other options out there. For most use cases I just wouldn't risk putting unknown content encrypted files into a web application because I don't want to lose control of it.

8:13 PM

following the lead of this article: https://theincidentalchewtoy.wordpress.com/2021/12/07/decrypting-the-calculator-apps/

theincidentalchewtoy

Decrypting the ‘Calculator’ App(s)

This week I have been looking at another Android application designed to keep files secure. ‘Calculator – hide photos’ has many features, including a vault ‘…Through t…

manuelevlr

hello everyone, advice on a free antivirus?

Windows defender

Totoro

Hi everyone, I hope y’all can point me in the right direction. I received this drive to be imaged and I have never seen this connection before and do not see any cables with my write blockers to connect to it. Browsing the internet I think it is a My Passport hard drive with its case removed. Can it be imaged using the micro USB port ? All of the My Passport drives I have seen use the USB micro data PC cable. Thanks in advance

looks like a proprietary connector from ~~seagate~~ WD external drive that was removed from the case, if you check your local computer supply store, they should be able to match that mini usb connector (edited)

Hello everyone! I acquired two disks from a computer (removed them from the computer and imaged them with a hardware write-blocker) and the report says that they are encrypted with Bitlocker. I mounted one of the disks with FTK Imager and then run this command in cmd: manage-bde -status. The picture shows the result (Conversion status: Used Space Only Encrypted, Protection status: Protection off, Lock status: Unlocked). The partition has only one folder with two files, so it's almost empty. Can someone please help me understand what am I looking at? Is the partition encrypted or not? Do I have all the data?

12:47 AM

I loaded the image in Axiom and it reports that it is a Clear Key Bitlocker and it will automatically decrypt the partition without the need for a password or recovery key. So I guess I do have all the data. But... what's the point of this encryption then?

Cip

I loaded the image in Axiom and it reports that it is a Clear Key Bitlocker and it will automatically decrypt the partition without the need for a password or recovery key. So I guess I do have all the data. But... what's the point of this encryption then?

So it probably shipped to the user like that. They are often shipped encrypted but "protected" with a clear key. The user then normally completes the setup procedure for the encryption and is prompted to save/print the bitlocker recovery key. Only after they have done this does the clearkey get deleted and the volume is normally unlocked using the TPM (Trusted Platform Module) from then on. The clearkey can also temporarily be written to the drive when doing a major upgrade between windows versions or if the user selects to suspend protection (i.e. when updating computer BIOS as this often causes the TPM to not release the decryption key). (edited)

2

Cip

I loaded the image in Axiom and it reports that it is a Clear Key Bitlocker and it will automatically decrypt the partition without the need for a password or recovery key. So I guess I do have all the data. But... what's the point of this encryption then?

That command you ran normally list the key protectors. Normally you'd see TPM and Numerical Password (AKA Recovery Key). What is listed in your case?

AmNe5iA

That command you ran normally list the key protectors. Normally you'd see TPM and Numerical Password (AKA Recovery Key). What is listed in your case?

So I was really lucky to find this type of "encryption". Maybe the computer was seized when the suspect was upgrading to Windows 11.

That command shows that there are no key protectors (None Found)

1:49 AM

Probably it is the first thing you said, about the incomplete setup and that's why it was unencrypted

Cip

Probably it is the first thing you said, about the incomplete setup and that's why it was unencrypted

Yes, that's what I think has happened.

AmNe5iA

So it probably shipped to the user like that. They are often shipped encrypted but "protected" with a clear key. The user then normally completes the setup procedure for the encryption and is prompted to save/print the bitlocker recovery key. Only after they have done this does the clearkey get deleted and the volume is normally unlocked using the TPM (Trusted Platform Module) from then on. The clearkey can also temporarily be written to the drive when doing a major upgrade between windows versions or if the user selects to suspend protection (i.e. when updating computer BIOS as this often causes the TPM to not release the decryption key). (edited)

Thank you for the clarification Salute

lol yeah luckily, otherwise SOL i think? Unless Bitlocker has a weak key

whee30

following the lead of this article: https://theincidentalchewtoy.wordpress.com/2021/12/07/decrypting-the-calculator-apps/

Hashcat would be a good option for you. In this particular case, I'm almost sure that hashcat mode 26403 would be the one to use.

AmNe5iA

So it probably shipped to the user like that. They are often shipped encrypted but "protected" with a clear key. The user then normally completes the setup procedure for the encryption and is prompted to save/print the bitlocker recovery key. Only after they have done this does the clearkey get deleted and the volume is normally unlocked using the TPM (Trusted Platform Module) from then on. The clearkey can also temporarily be written to the drive when doing a major upgrade between windows versions or if the user selects to suspend protection (i.e. when updating computer BIOS as this often causes the TPM to not release the decryption key). (edited)

I'm confused. Basically, if during a windows update (we mean the blue screen "Update in progress .. DO NOT TURN OFF THE COMPUTER"?) And I had to remove the power, the disk would be unencrypted?

I'm not sure, as I haven't been keeping an eye on it the last few years but when you did a major version upgrade from say 1903 to 1909 then yes, it would write the clearkey to the disk during the upgrade.

10:01 AM

I don't think it did that for just normal patch Tuesday updates though

asd: D then he must have been very lucky to catch the "unencrypted" volume

No cuz you'd still have the TPM and numerical password protectors. His indicates the user never "enabled" the encryption. Never activated the TPM and never saved the recovery key.

b8vr

Hashcat would be a good option for you. In this particular case, I'm almost sure that hashcat mode 26403 would be the one to use.

Maybe I’m not asking the right question, I have the key to decrypt the files and strings, the article covers that bit. I’m just talking about decrypting an image or a video file, does hashcat decrypt files now? I’ve always used hashcat to break a code, not decrypt a file

whee30

Maybe I’m not asking the right question, I have the key to decrypt the files and strings, the article covers that bit. I’m just talking about decrypting an image or a video file, does hashcat decrypt files now? I’ve always used hashcat to break a code, not decrypt a file

If it's a local copy of cyberchef you are using why can't you use that to decrypt the files? It's not like you are sending them across the internet.

It works, I was just curious if there were other things out there. I’m just learning about this stuff now, it has worked the one time I’ve used it so far.

whee30

Maybe I’m not asking the right question, I have the key to decrypt the files and strings, the article covers that bit. I’m just talking about decrypting an image or a video file, does hashcat decrypt files now? I’ve always used hashcat to break a code, not decrypt a file

Nah, guess I just didn't understand the question properly. I thought you were speaking in more general terms and just used the calculator apps as an example. I was thinking you could use hashcat to crack those hashes, and then use the retrieved passwords for decryption.

whee30

It works, I was just curious if there were other things out there. I’m just learning about this stuff now, it has worked the one time I’ve used it so far.

If you have just one file cyberchef is probably the easiest. If you have a lot of files to decrypt at the same time you can do it fairly easily in python

1

Does anyone have resources for macOS forensics? Not particularly tools but knowledge of how the file system works, different forensic artifacts of interest etc.

i recover dd.file and i need to know the orginal file name f0016384.mp4 how

Deleted User

i recover dd.file and i need to know the orginal file name f0016384.mp4 how

if you haven't already, use a tool to scan for a filesystem, not just individual files.

ext4

which software did you use to look at the dd image?

scalpel

Digitalferret

which software did you use to look at the dd image?

scalpel

2:01 AM

sorry

2:01 AM

photorec

2:01 AM

not scalpel

Deleted User

scalpel

not used scalpel in years, so can't adivse only that what i remember is it carves files by header and footer. maybe try some proprietary software like Raise data recovery or UFS Explorer see if they can find a file table

2:01 AM

yes, Photorec is same. carved data

thank you sir

my pleasure, best of luck

2:03 AM

maybe also check https://www.turbogeek.co.uk/ext4-data-recovery/ for extra info. easy to read

1

whee30

for local file decryption a la mobile app file lockers etc... what are y'all using as a solution? Currently I'm using the local version of cyberchef but I'm curious if there are other options out there. For most use cases I just wouldn't risk putting unknown content encrypted files into a web application because I don't want to lose control of it.

Cyberchef is great, but if avoiding having to trust anyone is your goal, and you want to be able to decrypt 'anything', learning how to do it in a programming language (such as Python) is probably going to be a solid time investment for you.

Oscar

If you have just one file cyberchef is probably the easiest. If you have a lot of files to decrypt at the same time you can do it fairly easily in python

haha, just saw this.. looks like Oscar and I are on the same page.

whee30

for local file decryption a la mobile app file lockers etc... what are y'all using as a solution? Currently I'm using the local version of cyberchef but I'm curious if there are other options out there. For most use cases I just wouldn't risk putting unknown content encrypted files into a web application because I don't want to lose control of it.

if you are delving into reverse engineering, another option is to observe the app you are researching actually doing the decryption, helping to spill its secrets.

1

Has anyone had any issues with Axiom not pulling back all the results from a keyword search? Mine seems to be missing some, even when the keyword is simply in the file name, there is no pattern to what it is missing?

Cip

Probably it is the first thing you said, about the incomplete setup and that's why it was unencrypted

This is quite common. Probably about half of the bitlockered computers I have dealt with are clear key encrypted. I assume the majority are just from incomplete bitlocker setups. Seems unlikely to seize that many devices mid-update. Arsenal and Axiom both deal just fine with clear key.

1

malen123

Has anyone had any issues with Axiom not pulling back all the results from a keyword search? Mine seems to be missing some, even when the keyword is simply in the file name, there is no pattern to what it is missing?

So I’m not sure if this is what you’re experiencing, but I have observed that axiom will start to get choked up on “stacked” filters… like you search for a term and then filter on column within those results. At that point, axiom will sometimes be unable to revert back to a fully non-filtered state and will need to be turned off and on again. If you hit clear filters, you only go as far back as your first filter. Is that what you’re seeing or completely different?

whee30

So I’m not sure if this is what you’re experiencing, but I have observed that axiom will start to get choked up on “stacked” filters… like you search for a term and then filter on column within those results. At that point, axiom will sometimes be unable to revert back to a fully non-filtered state and will need to be turned off and on again. If you hit clear filters, you only go as far back as your first filter. Is that what you’re seeing or completely different?

Slightly different. The only filter I will have on is a keyword, it just doesn't highlight them all. For example of all the torrent files I extracted, "young" appears 10 times, when I do a keyword search for "young" it only filters out and highlights 6 of them. No other filters on other than that one keyword

Sounds like the indexing didn’t get done all the way maybe? Are the artifacts from different partitions or sources? Was the processing completed?

Does Carbon Black EDR Sensors use p2p to update? once one fetches it it'll share to another

whee30

Sounds like the indexing didn’t get done all the way maybe? Are the artifacts from different partitions or sources? Was the processing completed?

All artifacts on the same partition and the processing was completed successfully with no errors

Also, if I just use the search box in the top right to search for a single word it pulls back all the results, it just the keyword lists filter than isn't

Sorry for the cross-post the computer channel, but want as a varied of an opinion as possible. I have a case where all the images are located in the unallocated area of a hard drive. I have various sizes of the thumbnails and have images with meta data (phone/time and date/Geo). Is it safe to say that since I have both the various sized thumbnails and recovered images with metadata, that the images were previously located on this drive and not just cached? This is a Linux drive.

anyone from Secret Service here? I got a super weird LinkedIn request from someone claiming to be an Analyst, but stuff is seriously not adding up. I've been getting some weird LinkedIn requests lately so seems like this could be part of a campaign? (edited)

There’s a government US role that you could tag if you want to poke that nest

Update: I might be wrong. hahahaha

1

sholmes

Sorry for the cross-post the computer channel, but want as a varied of an opinion as possible. I have a case where all the images are located in the unallocated area of a hard drive. I have various sizes of the thumbnails and have images with meta data (phone/time and date/Geo). Is it safe to say that since I have both the various sized thumbnails and recovered images with metadata, that the images were previously located on this drive and not just cached? This is a Linux drive.

You mentioned this being an Ubuntu machine. I had mentioned previously checking the journal for to see if you could match blocks with inodes. That would be a monumental task with a large number of files and would be spotty at best. Another thought: Is this computer single user or multi user? If there are a limited number of users you could check home directories for the XML files that maintain recently used objects. I dont' use Ubuntu or have an Ubuntu box handy to test with, but Ubuntu's default GUI is GTK based IIRC, so you might find recently used artifacts (.xbel or .xml) under $HOME/.local (maybe .local/share?). It's worth a look.

1

6:09 PM

The amount of data you find in there is likely to be very limited, but here should be some access times if you have any way of correlating file activity (not easy, I know).

Thanks @5cary I’ll check those Monday. I think I have what I need, but if I can show further connection, it can’t hurt the case.

vulnerable web application project that OWASP wrote node.js any idea

Deleted User

vulnerable web application project that OWASP wrote node.js any idea

what are you asking?

Andrew Rathbun

what are you asking?

i find the anwser thank you for asking

Deleted User

i find the anwser thank you for asking

Care to report for the benefit of the rest of us?

I was studying one of the site rooms letsdefend

Deleted User

I was studying one of the site rooms letsdefend

Ok, well what did you find in case someone a year from now has the same "question" as you? Can you provide what solved your problem so someone else can benefit from it?

https://app.letsdefend.io/training/lesson_detail/owasp-web-attacks-101

12:57 PM

i was studing this room and there is a question What is the name of the vulnerable web application project that OWASP wrote with Node.js for security researchers to improve themselves? (Format: xxx_xxx)

12:58 PM

Juice_Shop

Andrew Rathbun

Ok, well what did you find in case someone a year from now has the same "question" as you? Can you provide what solved your problem so someone else can benefit from it?

sir

12:59 PM

i have a problem i am cisco in Instructor Test-Drive (Evaluation Academy) - globalacademy - 400056343 Instructor,

Alright, I was more interested in the methodology on how you got to the answer, not the answer itself, but I tried

‍♂️

sorry

1:00 PM

for that

1:00 PM

It just requires a simple search

1:01 PM

if you interested in website that you can practise blue team operation i can help you

Never lose sight of the fact that just because something is simple to you doesn't mean it's simple to everyone. Any time you can break something down and explain to others how you got to a certain answer is way more valuable that giving them the answer. It's the whole "give someone a fish vs teaching them how to fish" (edited)

4

3

okay

Deleted User

if you interested in website that you can practise blue team operation i can help you

Ye post the site

i was meaning other website (edited)

Hi all, Anybody worked with Mvision EDR?

malen123

Has anyone had any issues with Axiom not pulling back all the results from a keyword search? Mine seems to be missing some, even when the keyword is simply in the file name, there is no pattern to what it is missing?

I have found that the issue is that the "Artefact Only" keyword list search doesn't give us the option to turn case sensitive on or off and it appears to be on by default. This is why my search was missing some results. I have raised this with Magnet and they are looking into it but something to be aware of

what does VAD mean?

Tejas

what does VAD mean?

https://resources.infosecinstitute.com/topic/finding-enumerating-processes-within-memory-part-2/

Page tables, VAD and PEB - Infosec Resources

In this part of the series, we will understand how the process can be enumerated within memory. Just as a refresher in part 1 of this series we had a look

Thanks

Anyone have experience with Microsoft Onenote? I have a URL that was found with Axiom (carved) and can be viewed in hex. It has "label" :"https://url of interest". When I click on view source. But I dont see the link in the current onenote or the previous versions

2:26 PM

I didnt find a way to view labels within OneNote

Anyone have a good solution either via Cellebrite PA or other means to determine which phone number my phone has had the most text/instant messages with? For example, I want to be able to show the "top 5 numbers" that my phone has texted/instant messaged the most.

if you click on the various column headers, you can see how many of a specific contact there is... you can filter the columns this way too. Since many of the chats are fragmented among categories, you might be better served doing this type of filtering on timeline where everything is put together

whee30

if you click on the various column headers, you can see how many of a specific contact there is... you can filter the columns this way too. Since many of the chats are fragmented among categories, you might be better served doing this type of filtering on timeline where everything is put together

Yeah, I've been able to filter the columns, but when I filter it, i can only do it for one side of the conversation at a time. I'm trying to see which conversations have the most messages together, if that makes sense.

right. you may just have to do it for each column and then add up. I';ve never used analytics but that may be something that tool accomplishes

Look up Pivot table for excel

where are good places to look at research done on dating app forensics? Interested in it as a broad topic right now. Was going to do my own research on what information I can pull from a phone backup but want to know whats been done and if research done has suggestions as to what I can do to contribute to the topic.

Jay528

Anyone have experience with Microsoft Onenote? I have a URL that was found with Axiom (carved) and can be viewed in hex. It has "label" :"https://url of interest". When I click on view source. But I dont see the link in the current onenote or the previous versions

The DB is a mess for OneNote. It's just a SQLite databases. I'm guessing they're just running regex over the DB and calling it an artifact of interest? Get the DB and throw it into a SQLite tool so you can try to find the context surrounding that URL yourself

thanks

AMB

Anyone have a good solution either via Cellebrite PA or other means to determine which phone number my phone has had the most text/instant messages with? For example, I want to be able to show the "top 5 numbers" that my phone has texted/instant messaged the most.

These statistics are available by default with @Oxygen Forensics’s OFD (not OxyViewer). (edited)

3

Hello all, I was wondering if anyone here uses an Apple M1 Macbook to back up mobile devices (mobile-forensic). Of course the M1 can't run native Windows. We would use it with Parallels and a Windows 10 and only in case of need, as we otherwise have our workstations. We are currently in the procurement process and just want to decide whether it makes sense or not.

Manu182

Hello all, I was wondering if anyone here uses an Apple M1 Macbook to back up mobile devices (mobile-forensic). Of course the M1 can't run native Windows. We would use it with Parallels and a Windows 10 and only in case of need, as we otherwise have our workstations. We are currently in the procurement process and just want to decide whether it makes sense or not.

You can't as far as I know run win10 in parallels the way you're thinking

2:48 AM

You can run arm win10. But not many forensics tools are going to run out of the box. Interpreted ones would, and maybe dotnet6 core will run I haven't checked. But yeah, M1 is dramas for forensics

randomaccess

You can run arm win10. But not many forensics tools are going to run out of the box. Interpreted ones would, and maybe dotnet6 core will run I haven't checked. But yeah, M1 is dramas for forensics

Thank you for the answer. However, Parallels supports x86 & x64 Windows 10/11 for M1 as far as I know. The applications should therefore already run. It would only be important that connected USB ports are hardwired to the VM. Even if a mobile device comes with different hardware IDs.

Manu182

Thank you for the answer. However, Parallels supports x86 & x64 Windows 10/11 for M1 as far as I know. The applications should therefore already run. It would only be important that connected USB ports are hardwired to the VM. Even if a mobile device comes with different hardware IDs.

https://kb.parallels.com/125375 I'm not certain that's true

KB Parallels: Install Windows on a Mac with Apple M1 chip

To install a new virtual machine on a Mac with Apple M1 chip, you need to use an with a .

randomaccess

https://kb.parallels.com/125375 I'm not certain that's true

you're right, thank you. So the decision has been made.

hi, parallels supports the ARM version of windows

Andrew Rathbun

The DB is a mess for OneNote. It's just a SQLite databases. I'm guessing they're just running regex over the DB and calling it an artifact of interest? Get the DB and throw it into a SQLite tool so you can try to find the context surrounding that URL yourself

Looks like my user deleted the link and it was found in slack. I did some testing and i was able find the deleted link

1

Manu182

Thank you for the answer. However, Parallels supports x86 & x64 Windows 10/11 for M1 as far as I know. The applications should therefore already run. It would only be important that connected USB ports are hardwired to the VM. Even if a mobile device comes with different hardware IDs.

Nope, but UTM does support x86

11:00 AM

It’s what I use for x86 on the M1 https://getutm.app/

UTM

Run virtual machines on iOS

11:01 AM

Btw UTM runs really well, in some cases the x86 runs better than on bare metal in the case of windows xp xD

11:03 AM

With M1 there is also rosseta, not sure if that would work in your case for applications but it’s there nonetheless

hello everyone and thanks for giving me access to the server Salute

ryd3v

With M1 there is also rosseta, not sure if that would work in your case for applications but it’s there nonetheless

Ok thanks, that sounds a little bit like test enviroments. Not for really productifity mobile forensic. So the M1 isn`t the solution I searched for.

Cool! That’s too bad, it’s been great for me

2:21 PM

But I also have access to x86 machines if need be, but honestly 96% is on the M1

https://xwaysguide.com/2022/03/22/pre-order-the-x-ways-forensic-practitioners-guide-2e/

Brett Shavers

Pre-order the X-Ways Forensic Practitioner’s Guide/2E

Short version: Here is the link to pre-order: Long version: Pre-order to get your copy faster. Pre-order to get your copy cheaper ($10 off plus FREE shipping*) *For international (non-USA) orders, …

5:46 PM

pre order for X-Ways Practitioner guide 2.0 is out!

7

1

Nice! Easy money to spend

ryd3v

But I also have access to x86 machines if need be, but honestly 96% is on the M1

But can you really read smartphones with UTM? Can you hardwire a USB port so that the bootloader can be reloaded in an emergency? Just as an example. And why can UTM do that, but Parallels can't? There must be some restrictions.

DCSO

?? TCL A509DL MTK 6765 file based Android 11 - Patched October 2021 I tried MTK Live and filesystem MTK nothing

Thoughts ?

Any luck with this?

Does anybody know if a device receives new cookies every time you visit a website? On mobile or desktop. I have a case where suspect had multiple cookies from website on same date and then one on another date. Was asked if that meant he only visited the website on those two dates (not including the possibility of clearing cookie data).

Ghosted

Any luck with this?

Nope

1

Does anyone have a supplier for phone parts. We have an iPhone 12 with a broken screen. I can replace the screen myself, but need to find one at a good price.

Manu182

But can you really read smartphones with UTM? Can you hardwire a USB port so that the bootloader can be reloaded in an emergency? Just as an example. And why can UTM do that, but Parallels can't? There must be some restrictions.

When you say hardwire, do you mean USB pass through? Both support that, reloading bootloaders isn’t a problem, the only issue is using x86 software, and only UTM will run a x86 Based OS

RyanB

Does anybody know if a device receives new cookies every time you visit a website? On mobile or desktop. I have a case where suspect had multiple cookies from website on same date and then one on another date. Was asked if that meant he only visited the website on those two dates (not including the possibility of clearing cookie data).

I believe it depends on the website's cookie preferences.

8:50 AM

And of course whether the user deletes the cookies periodically or not.

RyanB

Does anybody know if a device receives new cookies every time you visit a website? On mobile or desktop. I have a case where suspect had multiple cookies from website on same date and then one on another date. Was asked if that meant he only visited the website on those two dates (not including the possibility of clearing cookie data).

might want to dig a bit deeper on returned values from whatever software you are using to analyse that.

RyanB

Does anybody know if a device receives new cookies every time you visit a website? On mobile or desktop. I have a case where suspect had multiple cookies from website on same date and then one on another date. Was asked if that meant he only visited the website on those two dates (not including the possibility of clearing cookie data).

it might also be worth emulating the site and browser setup, options permitting, and check. i just did a dry run with Firefox and bbc.co.uk. the cookies returned showed bbc.com and over several iterations of reload and clicking links on the site the number raised by 2 with bbc.co.uk appearing after several trips.

8:54 AM

this is just a short dummy run i tried. browser is Firefox and util is Nirsoft Cookie Viewer Edit: that's 4 and 6, i removed non-bbc lines (adsbexchange) (edited)

1

8:57 AM

ccleaner showed cookies slightly differently

RyanB

Does anybody know if a device receives new cookies every time you visit a website? On mobile or desktop. I have a case where suspect had multiple cookies from website on same date and then one on another date. Was asked if that meant he only visited the website on those two dates (not including the possibility of clearing cookie data).

the other goldmine you might want to check is an sqlite viewer. there's a lot of extra info there that will show visited websites despite data being cleaned by some regular "hide my history" packages

9:10 AM

this from recent visit to https://sqliteviewer.app find sqlite files with Everything file finder and just drag over to the web interface (edited)

Seeking information/knowledge on proper techniques and procedures for collection data on an Apple watch?

Looks like windows has a possible new artifact https://www.xda-developers.com/windows-10-build-is-out-search-highlights/

Rich Woods

Windows 10 build 19044.1620 is out with an actual new feature

Microsoft is releasing a new optional update for Windows 10, and it includes a new feature called Search Highlights, along with fixes.

1

nbh2493

Seeking information/knowledge on proper techniques and procedures for collection data on an Apple watch?

I know the first gens had a data port inside the wrist band attachment point. Beyond that I believe you are best off downloading the device it syncs to.

9:52 AM

The panel inside here has a six pin connector from what I’ve read. Never done it myself

9:54 AM

https://blog.elcomsoft.com/2021/08/apple-watch-forensics-the-adapters/

Apple Watch Forensics: The Adapters

How do you extract an Apple Watch? While several extraction methods are available, you need an adapter if you want to get the data directly from the device. There are several different options available on the market, some of them costing north of $200. We tested a large number of such adapters. How

Thanks Whee30 !

digital Bowles

Does anyone have a supplier for phone parts. We have an iPhone 12 with a broken screen. I can replace the screen myself, but need to find one at a good price.

https://www.fixez.com/ they are local here in Vegas.

Fixez | Smartphone and Tablet Replacement Parts

Find brand new smartphone and tablet replacement screens and parts at affordable prices. DIY repair resources including tools, videos, and teardown guides.

Looking for iOS Application UUID listing. This exist?

coastal4n6

Looking for iOS Application UUID listing. This exist?

I'm pretty sure the UUIDs are hashes of application and hardware ID. In PA, they're listed under installed applications so you can match them up.

Is there a product that people here use to show status of cases to detectives? I have a small office with 8-10 people that have cases with me at a given time. I don't have the budget for a $$$ solution, but the shared excel doc I currently use leaves something to be desired. Just not very polished. Ideally I would find a solution that I update on the backend and everyone else visits a web interface or something like that on the intranet.

9:46 AM

To give them an idea of where their project is in the queue or remind them I'm waiting on something.

whee30

Is there a product that people here use to show status of cases to detectives? I have a small office with 8-10 people that have cases with me at a given time. I don't have the budget for a $$$ solution, but the shared excel doc I currently use leaves something to be desired. Just not very polished. Ideally I would find a solution that I update on the backend and everyone else visits a web interface or something like that on the intranet.

You can try checking out Monolith, not sure what they're pricing looks like these days but I remember it being reasonable https://monolithforensics.com/ (edited)

Matt Danner

Monolith Forensics - Digital Forensics Case Management

Monolith Pro is a comprehensive case management system for digital forensics. Monolith can be used with many users across an organization.

I remember seeing this at IACIS, I think it was one dude doing all the programming etc?

whee30

I remember seeing this at IACIS, I think it was one dude doing all the programming etc?

yep, Matt Danner I think is his name

1

Got my demo, will install it later today. Thanks for the tip

1

Hi anyone, can i ask what is possible the way to trace back the transaction of crypto, i’m currently learning about the nth room case in Korea, as they said that they got the location of suspect by tracing back of the crypto transaction

7:03 PM

And i’m think it is quite interesting to see how it’s work

@whee30 You mean you telling them it will be done when I say it's done doesn't work for them ?

Is there any way to find out the initial startup of a smartphone (Android / iOS)? Artifacts, where resetting or wiping a smartphone can be analyzed, I have found from several articles. Is there a timestamp in a database that keeps the actual first startup despite multiple wipes or resets? thx lg

Bbteela

Hi anyone, can i ask what is possible the way to trace back the transaction of crypto, i’m currently learning about the nth room case in Korea, as they said that they got the location of suspect by tracing back of the crypto transaction

Trace back to where? Crypto currencies have a public ledger, so you can trace back any coin in its history from/to known addresses/exchanges etc

peMo

Is there any way to find out the initial startup of a smartphone (Android / iOS)? Artifacts, where resetting or wiping a smartphone can be analyzed, I have found from several articles. Is there a timestamp in a database that keeps the actual first startup despite multiple wipes or resets? thx lg

take a look at this blogs: https://cellebrite.com/en/upgrade-from-null-detecting-ios-wipe-artifacts/ https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/

Is here a way how to know the volumes names of the USBs?

wiener

Is here a way how to know the volumes names of the USBs?

There should be a plugin that resolves all of those. Use bookmarks to find it. There will be a second tab named after the plugin which will have the parsed output. You're looking at the raw output

wiener

Is here a way how to know the volumes names of the USBs?

USB Detective heh

11:35 PM

but also usb stuff can be a bit finicky because things get overwritten. So you may not be able to tell what that volume GUID relates to

hey guys i have a small question novice here

1:16 AM

i have a rootfs.ext4 filesystem data i mounted it and i changed content of a file

Hello everyone, between OXYGEN and UFED4pc, which of the two is better? or are they complementary to each other? I specify that I have never used oxygen.

Andrew Rathbun

There should be a plugin that resolves all of those. Use bookmarks to find it. There will be a second tab named after the plugin which will have the parsed output. You're looking at the raw output

hmm. ok. I will try to use the plugin if i will figure out how to do it. But i don't understand what you mean the second tab, which one?

manuelevlr

Hello everyone, between OXYGEN and UFED4pc, which of the two is better? or are they complementary to each other? I specify that I have never used oxygen.

Very similar, but both do things the other doesn't. There isn't a single tool in my opinion that'll cover everything so budget depending I'd have both at least

wiener

hmm. ok. I will try to use the plugin if i will figure out how to do it. But i don't understand what you mean the second tab, which one?

Right click copy key path of where you are in the hive and paste that here please

stark4n6

take a look at this blogs: https://cellebrite.com/en/upgrade-from-null-detecting-ios-wipe-artifacts/ https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/

Hi, thx - i have already studied these articles in detail and can only recommend them. I could not find any artifacts where, for example, an iPhone was put into operation for the very first time. The last reset did. Android (FFS image) has a clear advantage here.

Andrew Rathbun

Right click copy key path of where you are in the hive and paste that here please

Hi, which plugin do you mean?

Andrew Rathbun started a thread. 3/26/2022 12:34 PM

Andrew Rathbun

Right click copy key path of where you are in the hive and paste that here please

I already figured it out by my self. I was only in root\system\MountedDevices

1

@Cellebrite anyone able to provide some urgent assistance? Much appreciated

RP

@Cellebrite anyone able to provide some urgent assistance? Much appreciated

Hey

Hi, I'm thinking of taking up eCDFP - eLearn Security's Certified Digital Forensics Professionals. https://elearnsecurity.com/product/ecdfp-certification/ How is the standard.. Is it worth the money for a beginner (edited)

eCDFP Certification - eLearnSecurity

The eCDFP designation stands for eLearnSecurity Certified Digital Forensics Professional. eCDFP is the most practical and advanced certification available on the market on digital forensics. By passing the challenging exam and obtaining the eCDFP certificate, a digital forensics investigator can prove their advanced skills in the fast growing ar...

Hello guys Happy to meet this community A small question if i may, will be more then happy for answers Im searching after the best tool for automatic detection of malware or malicious (shells, Etc) activity from an infected machine dump. Iv used a few trials of Belkasoft and axiom but They dont realy doing anything special, Didnt even recognizing hashes of wannacry... Any advices? (edited)

Y8765

Hello guys Happy to meet this community A small question if i may, will be more then happy for answers Im searching after the best tool for automatic detection of malware or malicious (shells, Etc) activity from an infected machine dump. Iv used a few trials of Belkasoft and axiom but They dont realy doing anything special, Didnt even recognizing hashes of wannacry... Any advices? (edited)

try Thor-Lite (free) or Thor (paid). Use something like Chainsaw to leverage Sigma rules against the .evtx files

Andrew Rathbun

try Thor-Lite (free) or Thor (paid). Use something like Chainsaw to leverage Sigma rules against the .evtx files

There is a budget Looking for the most efficient one, or more then one:) (edited)

No offense to those tools mentioned and many common tools you didn't mention, but they are digital forensic tools, and great ones at that, but they are NOT IR tools, which your question specifically falls into the IR realm. If you're referring to an Exchange Server, then Thor-Lite will serve you very well.

8:40 AM

You want to leverage YARA, Sigma, and any other detection rules to try and identify evil that is present on that dump (edited)

Andrew Rathbun

No offense to those tools mentioned and many common tools you didn't mention, but they are digital forensic tools, and great ones at that, but they are NOT IR tools, which your question specifically falls into the IR realm. If you're referring to an Exchange Server, then Thor-Lite will serve you very well.

Regular Endoint inside of an organization

Andrew Rathbun

You want to leverage YARA, Sigma, and any other detection rules to try and identify evil that is present on that dump (edited)

Tnx for your edvices

Y8765

Regular Endoint inside of an organization

Run Thor-Lite against the mounted dump, see what it comes up with. Either that or Loki. One in the same, but Thor-Lite is the new hotness and made in Golang vs Python so it's faster and has better reporting functionality than Loki. https://github.com/EricZimmerman/KapeFiles/tree/master/Modules/Apps/Thor-Lite will give you a running start for syntax

8:42 AM

I just trialed Thor for a week and it was awesome. Definitely going to make a push to purchase at least one license for it.

Andrew Rathbun

Run Thor-Lite against the mounted dump, see what it comes up with. Either that or Loki. One in the same, but Thor-Lite is the new hotness and made in Golang vs Python so it's faster and has better reporting functionality than Loki. https://github.com/EricZimmerman/KapeFiles/tree/master/Modules/Apps/Thor-Lite will give you a running start for syntax

Oh, its in eric zimmerman tools Ive downloaded many tools and pre-ready work stations, Just there are too many and Didnt had the time yet to get into his tools, Tnx for the shurcut (edited)

Thor-Lite is not an EZ Tool. It's simply a Module in KAPE that I linked you to. If you use KAPE, then you can leverage Thor-Lite with the click of a button. If not, then that Module at least gives you a running start on what the syntax would look like for your use case (edited)

Sounds cool, will defintly try tommorow

Ping me if you have issues. Good luck

1

Andrew Rathbun

Ping me if you have issues. Good luck

Much appreciated

Andrew Rathbun

I just trialed Thor for a week and it was awesome. Definitely going to make a push to purchase at least one license for it.

Any idea the relative cost of a license? I cannot see anything on the website

Tcisaki

Any idea the relative cost of a license? I cannot see anything on the website

There's multiple licensing options available depending on your use case, i.e., deploying on client environment, only running against images, etc. I'll DM you

Question about SIM card extractions using Cellebrite, what is the voice mail number that’s stored in contacts? Is it a number that called the phone?

I don’t know that I’ve seen that, perhaps it’s the number that the user has to call to access voicemail? Is it stored as a contact?

Yes stored as a contact

My guess is that it’s what I suggested. You probably see some other default contacts too, right? Like 411 or similar? The user calls that number to access the voicemail

[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[ .0

Hopefully that’s not a password

1

Looks like a toddler or a cat to me

2

Anybody using foreman forensics in an iso 17025 compliant lab? Looking for a case management tool that will tick the accreditation boxes. Anyone have any recommendations?

Pseudonym

Anybody using foreman forensics in an iso 17025 compliant lab? Looking for a case management tool that will tick the accreditation boxes. Anyone have any recommendations?

Is that still under development?

Looks like it’s released, with installation guides, no idea if if it’s usable yet, I’m still scoping out options

2:03 AM

Options include Lima and black rainbow, but the lab will only be small, don’t want to swamp funds with minimum spends with those companies

Pseudonym

Options include Lima and black rainbow, but the lab will only be small, don’t want to swamp funds with minimum spends with those companies

Look at monolith. It's relatively inexpensive

FullTang

Looks like a toddler or a cat to me

Russian Woodpecker.

1

FullTang

Looks like a toddler or a cat to me

Or one very dirty key

1

Original message was deleted or could not be loaded.

This might want deleting. It's a scam

4:47 AM

@Mistercatapulte (sorry for ping, only mod with online status)

@BritishBenjithx

1

Hi! I'm looking for a way to create a hashset from the content of a .zip file. Tried to create a program myself but running out of time. Any ideas?

callzor

Hi! I'm looking for a way to create a hashset from the content of a .zip file. Tried to create a program myself but running out of time. Any ideas?

Import to x-ways and export list of hashes maybe?

FullTang

Looks like a toddler or a cat to me

Can confirm, have 1 of toddler and 5 of cat. Happens more than I care to admit

2

1

Having a discussion with a colleague. what's the definitive way everyone gets the windows installation time. Do you trust the tools as X-Ways shows it as install time but Axiom shows it as Install / Update time. Windows and User folders can show dates that pre date this time too. What th one go-to way you get it for sure?

Majeeko

Having a discussion with a colleague. what's the definitive way everyone gets the windows installation time. Do you trust the tools as X-Ways shows it as install time but Axiom shows it as Install / Update time. Windows and User folders can show dates that pre date this time too. What th one go-to way you get it for sure?

Is it even needed to be known? But to answer your question, depends on version

Were discussing a Windows 10 pro machine. The Tools and system info are giving a date but the Windows / User created time is almost a year prior to this date. I have one camp that says the Windows folder is the original and one camp that says the Tools are correct. I'm curious for some more input from other people.

Majeeko

Were discussing a Windows 10 pro machine. The Tools and system info are giving a date but the Windows / User created time is almost a year prior to this date. I have one camp that says the Windows folder is the original and one camp that says the Tools are correct. I'm curious for some more input from other people.

Well it used to be you could use a registry value that stated the install date. However, with Windows 10, the registry install date indicates the date the latest Feature Update build that was installed. Could that be what is happening?

Majeeko

Were discussing a Windows 10 pro machine. The Tools and system info are giving a date but the Windows / User created time is almost a year prior to this date. I have one camp that says the Windows folder is the original and one camp that says the Tools are correct. I'm curious for some more input from other people.

Considering last install date for Win 10 typically corresponds to last update I would ignore it mostly. You could look for things such as creation timestamp for the user folder/registry files.

Can anyone shed some light on an issue I’m facing. My friends PC is not wanting to POST when any IDE devices are connected. It’s a new MOBO an everythin else works fine, just when connected to IDE HDD it refuses to work

Has anyone encountered payjoy on Samsung devices? Is it basically a MDM

ds275

Has anyone ever tried to do a data extraction from a Nintendo Switch?

Did you ever get a response to this question?

@Law Enforcement [Australia] Does anybody from Australia work for New South Wales Police? We have a software write blocker application that has a date on it from 2005 from NSW Police State Electronics Evidence Branch. Wondering if this tool has been updated since then? (edited)

obi95

Can anyone shed some light on an issue I’m facing. My friends PC is not wanting to POST when any IDE devices are connected. It’s a new MOBO an everythin else works fine, just when connected to IDE HDD it refuses to work

How are they connecting the IDE drive to the MOBO? Thought IDE connectors were mostly phased out on recent MOBOs. I'm assuming he's using a SATA > IDE connector of some sort?

If anyone here has experience setting up a small one or two man forensic lab, could you please DM me? I am in need of advice for evidence storage solutions

obi95

Can anyone shed some light on an issue I’m facing. My friends PC is not wanting to POST when any IDE devices are connected. It’s a new MOBO an everythin else works fine, just when connected to IDE HDD it refuses to work

same as Jaykay - check connection especially power. bad drives would sometimes force power protection / over-current and refuse to boot. if it's a converter or addon board, check that too.

Figured out the issue everyone. Turns out it was just the way the IDE cables were connected as I was unaware they had a preferred way. And the jumpers on the back were weird in that one of the drives had 2 connected in the shape of a T

12:30 PM

The computer is from 1996 I should mention

oh boy, the generation gap hits hard

1:07 PM

"white goes to pin one"

1:07 PM

or black

1:07 PM

the jumper settings are usually on the drive label

obi95

The computer is from 1996 I should mention

Jeez, that machine needs to be retired

whee30

My guess is that it’s what I suggested. You probably see some other default contacts too, right? Like 411 or similar? The user calls that number to access the voicemail

Yes, it is in the contacts section along with 411 & 611

1

randomaccess

Look at monolith. It's relatively inexpensive

Monolith has a great forensic notes application I only found out about last week as well. It’s free as well. I think I’m moving over from notepad++ for my case notes.

1

Cole

@Law Enforcement [Australia] Does anybody from Australia work for New South Wales Police? We have a software write blocker application that has a date on it from 2005 from NSW Police State Electronics Evidence Branch. Wondering if this tool has been updated since then? (edited)

Not from NSW, but im my experience most of those scripts just change some registry keys, not that hard to make one / modify it yourself. However all the ones I have seen do not fully pass write blocker tests (ie Weibetech) so should be used in emergencies only. Also typically they will not write protect USB HDD's which is something to keep in mind when using it. I dont use or endorse them as I think its fraught with danger.

callzor

Hi! I'm looking for a way to create a hashset from the content of a .zip file. Tried to create a program myself but running out of time. Any ideas?

Just shove it into your favourite forensic tool as a file and make sure it is set to unpack zips.

Cole

@Law Enforcement [Australia] Does anybody from Australia work for New South Wales Police? We have a software write blocker application that has a date on it from 2005 from NSW Police State Electronics Evidence Branch. Wondering if this tool has been updated since then? (edited)

It probably has. DM me and I can ask

facelessg00n

Not from NSW, but im my experience most of those scripts just change some registry keys, not that hard to make one / modify it yourself. However all the ones I have seen do not fully pass write blocker tests (ie Weibetech) so should be used in emergencies only. Also typically they will not write protect USB HDD's which is something to keep in mind when using it. I dont use or endorse them as I think its fraught with danger.

Yeah, the older ones used registry write blocking which is super easy to get around. It just stops.tje windows API. You can open a disk with a hex editor and write to it. If you use a software write blocker that uses its own custom driver that's different.

9:22 PM

For ex SAFEBLOCK which is not free

Rob

Considering last install date for Win 10 typically corresponds to last update I would ignore it mostly. You could look for things such as creation timestamp for the user folder/registry files.

Yeah, thats my thinking. I always like to double check things and find the inconstancies and explain them before the other person does. Thanks for the input.

1

Q: What are the "daily driver" distro's for folks on here? starting to feel like doing a Smith on Windows OS atm. so p*ssed with USB borking, updates failing and other niggly things. halp!

i use windows server 2016

1:44 AM

less nagging

1:44 AM

tried reactos 64 bit, but still needs work to be done

ReactOS is like stepping back in time

2

1:46 AM

Massive nostalgia feel

it is indeed

1:48 AM

I like linux mint these days. But at the end of the day one still needs a windows distro to run beloved forensic software.

Dr. Kaan Gündüz

I like linux mint these days. But at the end of the day one still needs a windows distro to run beloved forensic software.

yep, and hardware like pc3000 sadly. i'd keep a bare installation for use with that but for all else i'd move. mint was ok a while back, have a small machine with MX which has run incredibly reliably for over a year, minimal interaction needed. uptimes like 6mnth+ each iteration (edited)

2:49 AM

used to run Arch, but i'm getting too old to be configuring everything again.. and again lol

1

the only time i faced an issue with win server was, UFED didn't like it (installing wireless option to server resolved it btw) (edited)

Dr. Kaan Gündüz

the only time i faced an issue with win server was, UFED didn't like it (installing wireless option to server resolved it btw) (edited)

there's always gonna be a special snowflake tho

- just trying to limit the damage, so to speak. appreciate the info, thanks (edited)

1

Digitalferret

Q: What are the "daily driver" distro's for folks on here? starting to feel like doing a Smith on Windows OS atm. so p*ssed with USB borking, updates failing and other niggly things. halp!

I run Slackware on everything I use - from forensic workstations to Steam gaming boxes. With a Windows VM for things like Axiom and CPA, etc. Our lab has a dedicated workstation for the PC3000 for times when we need it. YMMV. I'm an old curmudgeon. For less work up front and more prevalent support, you'd do well to stay with an ubuntu derivative or the like. It all comes down to preference and, in the end, they can all be made to behave much the same (barring pkg management and preferences like system init stuff). One piece of advice - steer clear of "rolling distros" like Manjaro. My $.02

facelessg00n

Not from NSW, but im my experience most of those scripts just change some registry keys, not that hard to make one / modify it yourself. However all the ones I have seen do not fully pass write blocker tests (ie Weibetech) so should be used in emergencies only. Also typically they will not write protect USB HDD's which is something to keep in mind when using it. I dont use or endorse them as I think its fraught with danger.

It’s just a registry key flip. It’s not been updated in years. It also only works on ‘USB Mass Storage’. Will not work on memory cards, cameras, some USB SDD (SCSI) etc

parsec3point26

It’s just a registry key flip. It’s not been updated in years. It also only works on ‘USB Mass Storage’. Will not work on memory cards, cameras, some USB SDD (SCSI) etc

There's a version that uses diskpart from memory

5:37 AM

I actually have no idea how diskpart mounts things as read only though

5cary

I run Slackware on everything I use - from forensic workstations to Steam gaming boxes. With a Windows VM for things like Axiom and CPA, etc. Our lab has a dedicated workstation for the PC3000 for times when we need it. YMMV. I'm an old curmudgeon. For less work up front and more prevalent support, you'd do well to stay with an ubuntu derivative or the like. It all comes down to preference and, in the end, they can all be made to behave much the same (barring pkg management and preferences like system init stuff). One piece of advice - steer clear of "rolling distros" like Manjaro. My $.02

thanks, very useful, esp VM stuff. i also think dedicated WinOS machine for items that will only run via WinOS (properly) such as PC3000. Rolling - yep ok for enthusiasts, of which i was one, but there's a lot of RNG potential for FUBARs.

5:55 AM

recent "baby and bathwater" incident was having to use Device Manager to remove USB storage entries in order to just plug USB<whatever> device in at every instance and reboot (edited)

Greetings, with approval from Andrew Rathbun, the Calfornia Department of Justice CJIS Digital Forensics Group (mouthful i know), is conducting informal and anonymous (we are only asking for your agency name) research into best practices for Digital Forensics when it comes to network connectivity for forensic workstations, servers, and storage. As an expert in the field, we wanted to reach out and invite you to take the survey. If you could take three minutes to complete the linked survey below, it would be very much appreciated. It’s a Microsoft Form. The survey will be available until 4/8/2022. https://forms.office.com/r/6RSATY3JbW Please feel free to DM me if you have any questions.

Requesting some assistance with iPhone voicemails. I performed the extraction with UFED4PC and then was asked be a legal rep about deleted voicemails. I know there is nothing in the extraction that shows deleted voicemails on the surface. However, I stumbled upon voicemails in the file system in a DB (name of DB escapes me at the moment) I also believe voicemails are not stored in the iCloud back up (I think) I can confirm. anyone with iPhone Voicemail experience I woul d love to one on one and pick your brain.

nbh2493

Requesting some assistance with iPhone voicemails. I performed the extraction with UFED4PC and then was asked be a legal rep about deleted voicemails. I know there is nothing in the extraction that shows deleted voicemails on the surface. However, I stumbled upon voicemails in the file system in a DB (name of DB escapes me at the moment) I also believe voicemails are not stored in the iCloud back up (I think) I can confirm. anyone with iPhone Voicemail experience I woul d love to one on one and pick your brain.

#mobile-forensic-decoding #mobile-forensic-extractions

Any IACIS member in here available for general question.

Ghosted

Any IACIS member in here available for general question.

what?

Is it possible to identify a mobile device through an IP address. I received subpoena return with ip’s associated with a mobile device

@JNewman74 - hypothetically, you could walk the IP address to a mobile provider, potentially a phone number (damn natting router IPs) and from there a Google or Apple account attached to the phone number... I know Apple stores devices registered under an account. That doesn't solve an Android that hasn't been fully set up though.

JNewman74

Is it possible to identify a mobile device through an IP address. I received subpoena return with ip’s associated with a mobile device

If you can subpoena a known account of the possible target for the same date and time of the IP address in question you can tie the two together. But you have to have an external lead on your target. I don't know of any way to narrow down who the end-user might be with only a mobile IP address.

Hi all, I have question. For IR we are making kape module to automate collection of system information and we found one problem. If you have mounted network drives as a usere for example drive R:. And if you run command net use or Get-PSDrive in elevated powershell or cmd, you will not see mounted network shares. So question is, how can you list users mounted networkshares in this case.

sidi7

Hi all, I have question. For IR we are making kape module to automate collection of system information and we found one problem. If you have mounted network drives as a usere for example drive R:. And if you run command net use or Get-PSDrive in elevated powershell or cmd, you will not see mounted network shares. So question is, how can you list users mounted networkshares in this case.

Isn't that going to be in the registry and you can pull the hives and parse them offline?

1:20 AM

Not to say you shouldn't run PS on a host but if you're running kape anyways you can go the offline route

Yes you are right, but this module is fo quick IR info. Netstat, dns cache, sistem info etc ...

can you please elaborate? source of the installer (usb/dvd) or the options that were used while installing?

Can somebody from @Cellebrite ping me? I need to discuss a serious vulnerability in their customer portal.

1

2:42 AM

Also would be cool if this was a thing… https://cellebrite.com/.well-known/security.txt

1

“…During a close to 8-hour long trilogue (three-way talks between Parliament, Council and Commission), EU lawmakers agreed that the largest messaging services (such as Whatsapp, Facebook Messenger or iMessage) will have to open up and interoperate with smaller messaging platforms, if they so request. Users of small or big platforms would then be able to exchange messages, send files or make video calls across messaging apps, thus giving them more choice. As regards interoperability obligation for social networks, co-legislators agreed that such interoperability provisions will be assessed in the future” This sounds like a technical nightmare to actually implement? Could be a big change for digital forensics. https://www.europarl.europa.eu/news/en/press-room/20220315IPR25504/deal-on-digital-markets-act-ensuring-fair-competition-and-more-choice-for-users

Deal on Digital Markets Act: ensuring fair competition and more cho...

On Thursday evening, Parliament and Council negotiators agreed new EU rules to limit the market power of big online platforms.

Hi, @Law Enforcement [UK] are Avatu the only UK supplier for the Tableau TX1s?

1

ApC

Hi, @Law Enforcement [UK] are Avatu the only UK supplier for the Tableau TX1s?

afaik, yes.

1

https://www.opentext.com/products-and-solutions/partners-and-alliances/partner-directory?state=%7B%22orderBy%22%3A%22name%22%2C%22filters%22%3A%7B%22regions%22%3A%5B%22UK%22%5D%2C%22industries%22%3A%5B%22Computer%20Hardware%22%5D%7D%2C%22shownResults%22%3A0%7D

EIM Partner Directory Search | OpenText

Search OpenText's partner directory to fulfill your EIM objectives, drive new business, establish a competitive advantage and create business value.

I'm working on a group project about Bitwarden. We are currently looking for information on times it's been hacked and they have lost data. We can't seem to find anything on them. You think they have to have some type of breach.

Johnie

“…During a close to 8-hour long trilogue (three-way talks between Parliament, Council and Commission), EU lawmakers agreed that the largest messaging services (such as Whatsapp, Facebook Messenger or iMessage) will have to open up and interoperate with smaller messaging platforms, if they so request. Users of small or big platforms would then be able to exchange messages, send files or make video calls across messaging apps, thus giving them more choice. As regards interoperability obligation for social networks, co-legislators agreed that such interoperability provisions will be assessed in the future” This sounds like a technical nightmare to actually implement? Could be a big change for digital forensics. https://www.europarl.europa.eu/news/en/press-room/20220315IPR25504/deal-on-digital-markets-act-ensuring-fair-competition-and-more-choice-for-users

I would imagine those big companies are scrambling to pivot and find a loophole... how do you make a secure messaging program if any small platform needs to be provided access?

2

who will be hosting video conferences, who will respond to subpoenas, what will happen if one of the parties won't use end-to-end encryption... it first sounded like they want blackberry unified messaging back.

Hello, anyone got some tips to get a physical out of a Logicom fleep 178 ?

Hi @Oxygen Forensics any idea why a software license displays 2 different expiration dates on 2 different workstations? Thanks

sky

Hi @Oxygen Forensics any idea why a software license displays 2 different expiration dates on 2 different workstations? Thanks

Hello, please let me DM you regarding this issue

@lerti_sdu do you have any internal photos from FCC or EU so we can see the chipset ? Might be a EDL candidate.

https://www.sans.org/mlp/dfir-summit-cfp

SANS DFIR Summit 2022 | Call for Presentations

Speaking at a SANS Summit gives you the opportunity to engage with thousands of cybersecurity professionals, to share your expertise, and to expand your network. If you have original content to share with the community, we encourage you to submit a talk proposal.

I’m looking for fire suppression systems for a forensics lab buildout. Currently considering FM-200, any other viable options out there?

@forensicMouse

I bought my own fire extinguisher when one of the batteries started on fire. I've also read that a fire blanket is better as the lithium ion will still burn without oxygen.

DCSO

@lerti_sdu do you have any internal photos from FCC or EU so we can see the chipset ? Might be a EDL candidate.

hi, I got a physical dump with XRY 10.0.1 profile The Posh 170 with 40315 cable without magic button. Thanks for your help.

2

Anyone from @Griffeye able to assist with an issue i'm having when importing files please

Just realised I posted in the wrong chat

Is there anyway to tell what iOS a locked iPhone is?

thatboy_leo

Is there anyway to tell what iOS a locked iPhone is?

it may be, by checking iboot version, like here https://discord.com/channels/427876741990711298/427877097768222740/915958207644569630

Arcain

it may be, by checking iboot version, like here https://discord.com/channels/427876741990711298/427877097768222740/915958207644569630

Cheers!

I have no idea who the admin is, could someone tag the right person to inform that the #forensic-lunch channel is showing an error

@w00tzon I'll take a look later. Sometimes those YouTube feeds error out after a while or need to be renewed

1

So I understand that cybercrime can cost businesses a lot of money but I want to understand why? Why would a business would have to pay so much to sort cyber attack stuff?

The cost of retrieving your data so your business can run, the cost of the PR nightmare of losing your customers trust, the cost of class action lawsuits in the case you mismanage “secure” data…

1

10:59 AM

Paying off the ransomware group, paying the professionals to come in and figure out what happened, paying the professionals to recover data or to teach you to not get compromised again in the future. It’s all a lot of training and time you need to pay for. Gets very spendy.

swan

So I understand that cybercrime can cost businesses a lot of money but I want to understand why? Why would a business would have to pay so much to sort cyber attack stuff?

It’s also quantified under risk analysis: Average Loss Expectancy, Annual Rate of Occurence etc. A dollar amount can be assigned per minute or per hour of downtime.

1

swan

So I understand that cybercrime can cost businesses a lot of money but I want to understand why? Why would a business would have to pay so much to sort cyber attack stuff?

Think about if you were to buy something from your favorite website and you couldn't....for like 2 days. Think about how much business would be lost in those 48 hours for that retailer. There's a huge ripple effect in play. You're trying to buy something but the site is down, so what do you do? You go to their competitor to buy it. Many other things I won't break down further but you get the point. All great insights above, too

1

Thank you so much for useful & great insights! I see why that can get so expensive quickly.. I wonder if there are any known companies that arent willing to spend a lot of money on security

swan

Thank you so much for useful & great insights! I see why that can get so expensive quickly.. I wonder if there are any known companies that arent willing to spend a lot of money on security

Hint: almost all of them

12:48 PM

Ever see Office Space? If not, stop what you're doing and watch it. Most companies are like Peter Gibbons where they're doing the bare minimum to get by (aka just enough not to get fired). Either that, or they simply don't have the training to understand why making every user a local Admin is a horrible idea

‍♂️ Lots of variables in play and lots of variance in things within/not within the IT team's control

3

Andrew Rathbun

Hint: almost all of them

*All of them until a security incident happens

4

Insurance premiums very similar to Backing up : "Nobody wants backup. Everyone wants restore." (edited)

swan

So I understand that cybercrime can cost businesses a lot of money but I want to understand why? Why would a business would have to pay so much to sort cyber attack stuff?

on the “opportunity cost” side: Think about a manufacturing plant. They can track downtime costs in the tens of thousands per minute of unplanned down time. So if a cyber attack happens and effects their production line, that can get costly real fast. A similar thing could be said about most companies too. A 500 person company with an average person hour cost of 26 would experience 13k in loses per hour or 104k for a whole day.

Security is always seen as a cost center (a place you put money in) versus a revenue generator. Businesses always want to reduce costs and increase profits/shareholder value. We will ALWAYS be underfunded and have to justify our existence and spending to the infinite detail. That is the way things are. So the better we are able at communicating to upper management about the 'risk' and potential costs of cyber incidents, the more 'value' we will appear to bring.

Is there a way to enhance thumbnail images?

Hey guy im using autopsy right now to assess an image and was asked to find all files copied from a usb, how can i differentiate between normal files and files copied on to the system?

thatboy_leo

Is there a way to enhance thumbnail images?

The Semantics 21 Enhance app can increase the resolution x4 and our new Face enhance AI works well if that’s what you’re after. https://www.semantics21.com/s21-enhance

Semantics 21 | Enhance

We make award-winning software and cutting-edge algorithms for digital forensics. We specialise in building state-of-the-art intelligent tools, which enable law enforcement and associated agencies to conduct reliable and fast forensics investigations of digital media artefacts.

FunGuy

Hey guy im using autopsy right now to assess an image and was asked to find all files copied from a usb, how can i differentiate between normal files and files copied on to the system?

Depending on the OS you may find info in event viewer, recent docs or ADS zone identifier. But in reality, I don’t think you would find those

Murst

Depending on the OS you may find info in event viewer, recent docs or ADS zone identifier. But in reality, I don’t think you would find those

1 more thing i was asked to find the earliest operating system used on the suspects pc, and how it was installed. i found the system but cant find how i find how it was installed

3:53 PM

any tips for that?

Earliest OS would probably be the one from the manufacture. If it was a dell you could search the service tag and see a config usually

3:59 PM

Otherwise maybe an os sticker on the machine? But even those aren’t really good indicators

i just have a disk image to play with no physical machine, these are some of the question i had in an assignment i was given in university

DCSO

@forensicMouse

I bought my own fire extinguisher when one of the batteries started on fire. I've also read that a fire blanket is better as the lithium ion will still burn without oxygen.

nothing like having a phone explode in your face to increase hazard awareness is there.... i stank up the lab for a whole day once haha

1

funny you all mention this, I had to extract a balloon battery from a macbook pro last week. My lipo fire bag showed up today for holding those suckers for disposal.

1

@whee30 cheap insurance for those non-stable batteries.

Has anyone here use chocolatey(or some similar tool) to automate the update of forensic tools on forensic workstations? eg updating AXIOM or XWF

6:20 PM

ditto for building golden VM images for analysis, but with terraform/ansible/similar...

I have not used it, as in setting it up. But Flare-VM uses it extensively and I was planning on looking into it

The golden image thing is definitely beyond my current capabilities… but I got a majority of our ancillary tools(eg EZTools, notepad++, mobaxterm, etc) and other stuff all wrapped up in a simple powershell script utilizing chocolately and Invoke-WebRequest.. the harder part will be actual commercial tools like AXIOM and EnCase I think

10:46 PM

6:20PM->10PM… really not bad I think considering I haven’t touched powershell or chocolatey in bloody years and kept on skipping parts of the PoSH documents LOL… and dinner mmm (edited)

10:47 PM

“Why won’t this unzip damnit” “Didn’t specify the output file” I did that too many times

Hello, https://digitalintelligence.com/products/fred_c_workgroups im wondering if this worth it instead of doing HPE esxis connected through fiberchannel to a SAN (edited)

3:42 AM

or talino. Because we have the capability inhouse to manage our own servers and build a virtualized platform with forensic software windows images (edited)

Are you currently doing virtualization for your processing? Looking at that solution it seems like it would be a regular old workstation inside of a different style chassis and an attached tape drive If you have the capacity I’d suggest looking into trying out some of your tools in a virtual setup

4:54 AM

Depending on how your HPE/SAN is architected, it could allow for better redundancy and easier scaling out (assuming you don’t use dongles).

Is anyone having issues with freezing/not responding when using Axiom 5.10.0.30634?

Murst

Are you currently doing virtualization for your processing? Looking at that solution it seems like it would be a regular old workstation inside of a different style chassis and an attached tape drive If you have the capacity I’d suggest looking into trying out some of your tools in a virtual setup

for dongles in virtualized environments I have used the digi solution

Anyone have an extra Sans GCFA practice test?

Does anyone have an explanation that they use in court to explain what Epoch time is? I need to explain this and it just sounds nuts. lol

3:42 PM

This is what I plan to say. Epoch / Unix time format is s system for representing a point in time. It is the number of mili seconds that have elapsed since 1st January, 1970

Gumpoo

This is what I plan to say. Epoch / Unix time format is s system for representing a point in time. It is the number of mili seconds that have elapsed since 1st January, 1970

Number of seconds

Gumpoo

This is what I plan to say. Epoch / Unix time format is s system for representing a point in time. It is the number of mili seconds that have elapsed since 1st January, 1970

Don't forget it's on UTC as well

randomaccess

Number of seconds

Seconds... Right on!

4:49 PM

Yep. Good thing www.epochconverter.com converts to local time.

Hey all - anyone have any recommendations for forensic workstations? My team is looking at purchasing a new one and we want to evaluate more than just one vendor. At the end of the day, I feel like they are all just custom computers - nothing crazy special other than built in raids and/or built in write blockers, but I may be over looking something. Any suggestions would be great!

1

Essentially you are correct. I will say I use the Tableau ultra bay 4 in my tower constantly. A large raid is also super nice to have. I think for budget concerns, it’s a lot easier for admin to wrap their heads around a premade product versus giving me a budget to build my own. Also when my raid controller failed I had great tech support overnighting me a new one

Yeah, our leadership has no appetite for me or anyone on my team building from scratch due to support concerns. At this point, it's really a matter of "is there a vendor that is superior to others in product delivery as well as continued support."

Sci force makes good stuff

11:18 PM

Silicon forensics in SoCal is who we go thru- always top notch if we need help or drivers or anything

1

Morning all. Does anyone use Cellebrite Smart Translator? If so, what are your thoughts on your it? My team will be working with a lot of foreign devices and will need a quick turn arounds so looking for a solution.

Has anyone had experience with bodies who offer Digital Forensic Proficiency Testing? (Both computer and mobile) It appears that there isn't anyone in the UK that offer this - at least from my initial research. Or would anyone have experience with ILC/round robin that is ISO compliant? Any info anyone has would be appreciated

@Law Enforcement [UK] (edited)

Yoshi4N6

Has anyone had experience with bodies who offer Digital Forensic Proficiency Testing? (Both computer and mobile) It appears that there isn't anyone in the UK that offer this - at least from my initial research. Or would anyone have experience with ILC/round robin that is ISO compliant? Any info anyone has would be appreciated

@Law Enforcement [UK] (edited)

SANS has it but it's broadly "digital forensics" rather than computer or mobile specific. I think it was 150 a test sold in packs of 10

Yoshi4N6

Has anyone had experience with bodies who offer Digital Forensic Proficiency Testing? (Both computer and mobile) It appears that there isn't anyone in the UK that offer this - at least from my initial research. Or would anyone have experience with ILC/round robin that is ISO compliant? Any info anyone has would be appreciated

@Law Enforcement [UK] (edited)

CTS sell tests to the UK http://cts-forensics.com/

Collaborative Testing Services: Forensics Testing Program

Collaborative Testing Services offers the following proficiency tests: Forensic Biology, DNA (sample-specific), drug analysis, latent prints, imprints impressions, firearms, toolmarks, serial number restoration, paint analysis, glass analysis, fiber analysis, flammables analysis, questioned documents, handwriting examination, blood alcohol, brea...

1

Ross Donnelly

CTS sell tests to the UK http://cts-forensics.com/

Thank you for the info. If you've used them before, what was your experience with them?

randomaccess

SANS has it but it's broadly "digital forensics" rather than computer or mobile specific. I think it was 150 a test sold in packs of 10

Thanks for the info1 I didn't see much information on their website when I had a quick look?

Yoshi4N6

Thanks for the info1 I didn't see much information on their website when I had a quick look?

No complaints, found them to be slightly more polished than FPTS (which used to offer PTs in the UK but left the market). As always with PTs, there is the odd question which is a bit open for interpretation. The PTs we've had were all about the interpretation so were provided with extractions digitally - if you needed a PT to include the extraction I'm not sure if they offer actual devices to examine.

Ross Donnelly

No complaints, found them to be slightly more polished than FPTS (which used to offer PTs in the UK but left the market). As always with PTs, there is the odd question which is a bit open for interpretation. The PTs we've had were all about the interpretation so were provided with extractions digitally - if you needed a PT to include the extraction I'm not sure if they offer actual devices to examine.

Yes, our lab previously used FPTS. I'll certainly take a look and see what services they offer, I know with some of the outside sources; there was a few that came up in my searches, but not all favourable. I guess its like everything, it depends what you are looking for and everything is open to interpretation. Thanks again for the info

Yoshi4N6

Thanks for the info1 I didn't see much information on their website when I had a quick look?

https://www.sans.org/scholarship-academies/employment/ Cyber talent assessments

Cyber Talent for Employers | SANS Institute

Cybersecurity scholarship academies with SANS training and GIAC Certifications help employers find cyber talent.

1

Do we by any chance have any recent graduates that have gone through the UK security clearance process? I've got a couple of questions I'd like to ask. Reposted from #training-education-employment to hopefully target a wider audience aPES_Hide

Keepo

Do we by any chance have any recent graduates that have gone through the UK security clearance process? I've got a couple of questions I'd like to ask. Reposted from #training-education-employment to hopefully target a wider audience aPES_Hide

I can pass on your questions to a colleague who graduated and joined us last year (so went through clearance), if it helps

Ross Donnelly

I can pass on your questions to a colleague who graduated and joined us last year (so went through clearance), if it helps

That’d be helpful! I’m a bit caught up at the minute but will drop you a message later tonight/tomorrow morning

Can anyone suggest me books to prepare for eCDFP?

Can anybody recommend some reading material relating to preparing a Digital Forensic Readiness plan?

12:22 AM

And what recommendations there are for an organisation to maximise their evidence potential?

Looking for data storage recommendations. Currently we store forensic extractions and reports on 3 TB Western Digital portable hard drives. We also have 1 TB SanDisk portable ssds as well. With the size of phone extractions I’m concerned we are going to burn through them quickly. What solutions have you or your organizations come to for long term data storage that is stable and secure?

@Deleted User we do something simular to this https://www.amazon.com/dp/B085HZTTT9/ref=cm_sw_em_r_mt_dp_KJ5X10XYMGYK923V6EM2 or this https://www.amazon.com/dp/B082YK4YZ5/ref=cm_sw_em_r_mt_dp_94B5W1P1BZDSB6W60R6B?_encoding=UTF8&psc=1

Synology RackStation RS820+ Compact Rack Mount NAS Server Bundle wi...

Synology RackStation RS820+ Compact Rack Mount NAS Server Bundle with Rail Kit for economical and space saving deployment, advanced backup with snapshot replication technology, near unlimited file management and sharing, digital asset protection, and certified storage virtualization features; mad...

Dell PowerEdge R720xd Server 2X E5-2680 2.70Ghz 16-Core 96GB 12x 4T...

Model: R720xd 12-Bay Server with 3.5'' Drives Processors: 2x 2.70Ghz E5-2680 8 Core Processors - Total of 16x Cores Memory: 24x 4GB PC3-10600R RAM - Total of 96GB Memory Hard Drives: 12x 4TB 7.2K SAS 3.5'' 6G - Total Storage of 48.0TB Power Supplies: 2x 750W Platinum Power Supplies with 2x Power ...

1

Thanks for the quick response I’ll look through this.

I will say buy more than you think you need. I recently upped my working RAID to 21tb and I have quickly filled about 19tb in there right now waiting to be finished and archived.

2

Deleted User

Looking for data storage recommendations. Currently we store forensic extractions and reports on 3 TB Western Digital portable hard drives. We also have 1 TB SanDisk portable ssds as well. With the size of phone extractions I’m concerned we are going to burn through them quickly. What solutions have you or your organizations come to for long term data storage that is stable and secure?

Are you looking for silo type solutions or more central network file storage type? We have a few storage solutions. A ceph cluster for high performant storage that can scale (add more servers to the cluster) 45drives is a great vendor for this. then we also use synology which has been great but has single volume scale/size issues over 100-200tb and we are looking at qnap as a replacement.

1

@Magnet Forensics is there a way to do media explorer inside of a certain directory?

Last time I asked this they said the feature was pending and the current workaround was to do a search top right for the directory name

Oh nice. Let me try that. Thanks

9:28 AM

Thanks that worked

1

Does there exist an E01 mounter for Macs running Monterey?

Does anyone know if Magnet AXIOM or Encase 6.17/8.x have silent install options if executed via CMD/PoSH?

11:38 PM

Just offhand- ofc I’m thinking about this when I should be asleep

What is this sleep thing I keep hearing about?

Turb0Yoda

Does anyone know if Magnet AXIOM or Encase 6.17/8.x have silent install options if executed via CMD/PoSH?

axiom def does, encase dont know

1:28 AM

installer.exe /verysilent

1:28 AM

works for AXIOM and UFED PA, can always try it with other installers. can try things like installer.exe --h or /h and see what pops up

if the modified date is older then the creation date what would that suggest to you

Is there some good tool to reading exchange server edb database ? Or how to aproach it without turning on exchange server.

sidi7

Is there some good tool to reading exchange server edb database ? Or how to aproach it without turning on exchange server.

An email parsing tool. Nuix is good but expensive

And magnet axiom or belkasoft evidence center will not work with them ?

randomaccess

works for AXIOM and UFED PA, can always try it with other installers. can try things like installer.exe --h or /h and see what pops up

Tysm- encase I’m not too worried about since we have perpetual licenses. I think the real challenge is XWF

Turb0Yoda

Tysm- encase I’m not too worried about since we have perpetual licenses. I think the real challenge is XWF

XWF is just a bunch of files, your script to install just needs to copy the folder to wherever you want it - it doesn't need to be installed

XWF you can also use Eric's tool but I wish that had a way for me to package all that up easier ha commandline xways fim

Yeah I was gonna look into XWFIM

10:30 AM

I’m attempting to overhaul our entire lab in 2 months and automate all the updates on our physical boxes - in the past it’s been a manual download everything and do it manually

10:30 AM

I got most everything into a lil powershell script tho

@Magnet Forensics anyone happen to be around today?

Ghosted

@Magnet Forensics anyone happen to be around today?

Not in full capacity but what’s up?

Turb0Yoda

I got most everything into a lil powershell script tho

If that's sharable let me know, I know I usually make gold images of our forensics machines but it's burdensome when updates need to happen

stark4n6

If that's sharable let me know, I know I usually make gold images of our forensics machines but it's burdensome when updates need to happen

I can ask. It’s mostly just chocolatey with some invoke-https stuff to pull down EZTools and some GitHub stuff and unpacking them in our tools directory- super simple

1

11:20 AM

Choco handles most of the generic type stuff like 7-zip, N++, etc. I’m in between on if I want to make custom choco packages for things like axiom and etc or just pull from our NAS And have it grab from there

randomaccess

works for AXIOM and UFED PA, can always try it with other installers. can try things like installer.exe --h or /h and see what pops up

C:\Tools\Forensic_Tool_Updates\AXIOM*.exe /SP /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /CLOSEAPPLICATIONS A bit of a long and this entire script is fairly crude... but it does work

Turb0Yoda

C:\Tools\Forensic_Tool_Updates\AXIOM*.exe /SP /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /CLOSEAPPLICATIONS A bit of a long and this entire script is fairly crude... but it does work

I didn't think you need more than very silent

oh

2:31 PM

well

2:31 PM

let me modify it then rn.. doing another test run in this vm

Does anyone know of a CLI based tool that will grab the system and user registry hives (protected files) like FTK Imager does?

Kape will

1

randomaccess

I didn't think you need more than very silent

yep.. that alone works haha. Looks like that covers everything but encase and grabbing our internal tooling(but that'll be easy to fix).. oh well.

@Law Enforcement [UK] has anyone worked with this lady before? This is amazing https://youtu.be/N0vbYBWzNMk

VICE

Catching Pedophiles Using AI | Super Users

4

2

Amazing. Looks like we need to start taking hand shots with the mug shots when inmates are booked into our jail.

2

I have had sue black involved in a few of my cases. Each time she has been able to confirm from the hand shots that the accused was involved in the 1st gen content. This lead to long custodial sentences for the accused.

4

Ghoulgnome

I have had sue black involved in a few of my cases. Each time she has been able to confirm from the hand shots that the accused was involved in the 1st gen content. This lead to long custodial sentences for the accused.

That's amazing. Thank you for sharing

sounds like a great tool

5:42 AM

reminds me of the one where they can use background noises from the electric grid to catch crims https://www.youtube.com/watch?v=e0elNU0iOMY

Tom Scott

The hidden background noise that can catch criminals

@Ghoulgnome can anyone in LE UK use her? How do they go about using her services?

1

I'm not really sure to the answers to those questions, as I passed on my findings to the reporting officer who dealt with the rest of the process.

1

the problem with identification in common is in most of the cases investigators deal with low quality/SNR recordings. the vein identification algorithm sounds amazing. in addition to comparison, i'd also consider calculating LR scores.

6:40 AM

ENF is exactly what it's told in the video, it's either there or it's not. If you are a part of a synced grid and have enough samples, you can use it for both timestamping media and finding doctored/edited recordings. Very good indeed.

1

Sudo

reminds me of the one where they can use background noises from the electric grid to catch crims https://www.youtube.com/watch?v=e0elNU0iOMY

We discussed this internally, in reality this probably won’t be as useful as it seems unless you’re clutching at straws

^^ Veins AI / what the F ?!

Right?! So because she was able to control her emotions she was less believable? Doesn't make since to me.

That's not normal. She could have been under the affects of a psychiatric medicine or traumatized/shut. A psych evaluation should have taken place. She didn't break? That's unfair...

Andrew Rathbun

@Ghoulgnome can anyone in LE UK use her? How do they go about using her services?

We’ve dealt with a couple of cases which also involved a report from Sue Black. Not sure who instructed her initially though.

1

Matt

We discussed this internally, in reality this probably won’t be as useful as it seems unless you’re clutching at straws

We’ve used ENF in cases where the date/time a particular recording was made becomes important and is either not obvious by other means (clock of the recording device not set correctly for example) and/or is being questioned.

rojo

We’ve used ENF in cases where the date/time a particular recording was made becomes important and is either not obvious by other means (clock of the recording device not set correctly for example) and/or is being questioned.

That’s very interesting to know

A connection of mine is performing some research for their MSc if anyone wanted to contribute 10 minutes to a questionnaire. "What is the Purpose of the Study? The primary aim of this study is to explore the impact of child abuse investigations and identify possible protective factors in regard to coping strategies and personality traits. To our knowledge no study has exclusively explored these elements together, and this is a needed area of research not only to enhance understanding but to strengthen supportive practice for professionals." https://nclpsych.eu.qualtrics.com/jfe/form/SV_9MOpxbAXyS78LB4

Qualtrics Survey | Qualtrics Experience Management

Qualtrics makes sophisticated research simple and empowers users to capture customer, product, brand & employee experience insights in one place.

1

Greetings all! I just joined the server and I'm here mainly to lurk and learn. If you have any questions about intellectual property law or amateur radio I'll be much more useful.

3

1

Not sure if anyone here is familiar with RAID forums, but if someone wants to pass along some massive kudos, thank you. This place has cost me weekends and holidays. Well done taking this down. https://www.justice.gov/usao-edva/pr/us-leads-seizure-one-world-s-largest-hacker-forums-and-arrests-administrator

U.S. Leads Seizure of One of the World’s Largest Hacker Forums and ...

The U.S. Department of Justice today announced the seizure of the RaidForums website, a popular marketplace for cybercriminals to buy and sell hacked data, and unsealed criminal charges against RaidForums’ founder and chief administrator, Diogo Santos Coelho, 21, of Portugal. Coelho was arrested in the United Kingdom on January 31, at the United...

6

7:49 AM

conf1ck3r

Not sure if anyone here is familiar with RAID forums, but if someone wants to pass along some massive kudos, thank you. This place has cost me weekends and holidays. Well done taking this down. https://www.justice.gov/usao-edva/pr/us-leads-seizure-one-world-s-largest-hacker-forums-and-arrests-administrator

That’s a massive win, kudos to everyone involved

Woahh nice

Time to exploit the power vacuum. I’m going to start braid forums, combo hacking/hairstyling community

2

I am getting started in DF, what hardware would you recomend? I know it is "better" to plug the drive that is going to be cloned directly into the motherboard instead of using a usb. For laptop drives that you want to connect to a desktop.

whee30

Time to exploit the power vacuum. I’m going to start braid forums, combo hacking/hairstyling community

raidforums2.com is already a thing

2

12:00 PM

Beaten to it

Which windows registry hive shows deleted files and uninstalled software? (edited)

whee30

Time to exploit the power vacuum. I’m going to start braid forums, combo hacking/hairstyling community

power vacuum & hairstyling? don't forget the dye, son

(edited)

DDragneel

I am getting started in DF, what hardware would you recomend? I know it is "better" to plug the drive that is going to be cloned directly into the motherboard instead of using a usb. For laptop drives that you want to connect to a desktop.

I know it is "better" to plug the drive that is going to be cloned directly into the motherboard instead of using a usb ummmm....

12:09 PM

better using Native cables and hardware write blocker maybe, or dedicated imaging hardware w/hashing

12:10 PM

but what constitutes "starting"? amateur tries on ebay drives or actually supplying a service in forensics / LE etc

Yes sorry my terminology is off. When I say starting: I am teaching myself, Im on the ground level. I have old laptop ssds that I plan on cloning from my dektop. Im just trying to figure out what hardware is the most recomended to achieve this.

at that stage then, any cables will do, some form of write block would be nice, but if not going to court not really necessary. i'd prefer a Linux distro and utility to do a dd image, maybe hddsuperclone. then it depends what you want to look for in there. grab some free / FOSS forensic s/w like Autopsy, or free Data Recovery s/w maybe like DMDE / Testdisk/Photorec

12:21 PM

even inaging at this stage isn't critical, just good process. always protect the source.

12:21 PM

image and work on the clone

12:22 PM

but the world is your molusc. just play/have fun/find out

In that case you would connect the old hdd to a write blocker and then use FTK or any imaging software to make a .dd image right? so the integrity of original evidence is preserved?

absolutely nothing wrong with a dock and usb at that level. even the speeds are reasonable

12:25 PM

pretty much with <squiggle>^ start as you mean to go on

Digitalferret

absolutely nothing wrong with a dock and usb at that level. even the speeds are reasonable

Thank you for your advice, I plan on "practicing how I play" meaning having good process and procedures.

1

beware tho, it's a very deep wabbit hole. never mind taking the Red Pill, it can get to the entire party pack

12:29 PM

And if you go chasing rabbits
And you know you're going to fall
Tell 'em a hook-ed DFIR dude
Has given you the call

Matt

raidforums2.com is already a thing

Already taken out

Rf takedown was very obvious imo

2:44 AM

Early januari it went offline for a week. Came back, admins did not respond to some threatgroups I was talking to. And admin sections were viewable for every user

2:44 AM

Including a thread where admins ordered staff merch, listing their adresses

Trying out this new event feature on Discord https://discord.gg/AuQPSqns?event=963770132176453653

@here has anyone had experience running forensics with Apple AirTags? Does the paired phone contain any location data in a plist or can we just get user info from the AirTag via subpoena or LEO portal, etc.? Thanks!

Hello I have a question

just ask, don't ask to ask. we don't bite .. much

TCSkyKing

@here has anyone had experience running forensics with Apple AirTags? Does the paired phone contain any location data in a plist or can we just get user info from the AirTag via subpoena or LEO portal, etc.? Thanks!

I think Josh Hickman has a write up on this. If not him, someone else recently did a pretty good writeup on them, victim devices, and android apps to help view them. If I remember right, they are randomized MACs, so it may be a bit tricky to link them to a device, specifically. Apple can give you information on who they are registered to in iCloud.

A_A_Ron

I think Josh Hickman has a write up on this. If not him, someone else recently did a pretty good writeup on them, victim devices, and android apps to help view them. If I remember right, they are randomized MACs, so it may be a bit tricky to link them to a device, specifically. Apple can give you information on who they are registered to in iCloud.

Yes, @CLB_joshhickman1 does have a writeup here: https://thebinaryhick.blog/2022/01/08/androids-airtags-oof/

Binary Hick

Androids & AirTags. Oof.

Special thanks Jared Barnhart for his help with the AirGuard research. Last month I released an Android 12 public image, and if you looked, you would have seen an app that was added at the very end…

1

I’d also check this out, too, from Chris Vance. Hot off the presses… https://blog.d204n6.com/2022/04/airtag-youre-it.html

[Air]Tag You're It!

This is the accompanying blogpost to the Magnet User Summit 2022 talk: [Air]Tag You're It! Bluetooth Low Energy and You First, a primer on ...

1

11:14 AM

And this one… https://medium.com/@Appalachian4n6/airtags-within-ios-file-systems-279dc783b69f

AirTags within iOS File Systems

A brief look at AirTag artifacts within an iOS Filesystem

1

I am looking for the file/path where iOS stores the Exchange Device ID that is used for ActiveSync as seen at the bottom of the Exchange account configuration screen.

Jerry Porter

I am looking for the file/path where iOS stores the Exchange Device ID that is used for ActiveSync as seen at the bottom of the Exchange account configuration screen.

I am thinking that this ID comes from the Exchange Server that this account is linked to. I remember having to remove these connections when users replaced their mobile devices. I could be missing what you are looking for though.

PatP

I am thinking that this ID comes from the Exchange Server that this account is linked to. I remember having to remove these connections when users replaced their mobile devices. I could be missing what you are looking for though.

So, it appears that the Exchange Device ID is generated by the iPhone and reset when the device iphone is factory reset. It is the same ID that gets linked on the Exchange server. I believe it is in a . plist or some other file somewhere on the phone. The screenshot that I shared has never been connected to exchange but still has the ID. (edited)

Jerry Porter

So, it appears that the Exchange Device ID is generated by the iPhone and reset when the device iphone is factory reset. It is the same ID that gets linked on the Exchange server. I believe it is in a . plist or some other file somewhere on the phone. The screenshot that I shared has never been connected to exchange but still has the ID. (edited)

Thank you for sharing - I had it in reverse then - my apologies...

PatP

Thank you for sharing - I had it in reverse then - my apologies...

No problem. Thanks for your input.

1

anyone know if it is possible on the iOS health app to "edit" (not add or delete) any of the entries?

Job posting has been moved to correct channel :) (edited)

@Deleted User #training-education-employment (edited)

1

DeeFIR 🇦🇺

@Deleted User #training-education-employment (edited)

Ty ill delete from here and move it :) :)

Hi folks Is there any tool that can list the ownership of a file ?(just like dir) Also, it can tell me when the file was created, modified, and accessed. Exiftool or crowdresponse or MFT can only list permissions(rwx) at most, but not ownership like dir. (edited)

1:19 AM

DIR parsering makes it difficult for me to analyze using excel or timeline explorer

1:22 AM

The reason for the need for ownership is that I want to know what kind of privileges the attacker had when he created or modified certain files.

1:25 AM

Thank you to everyone in the discussion Salute

RX

Hi folks Is there any tool that can list the ownership of a file ?(just like dir) Also, it can tell me when the file was created, modified, and accessed. Exiftool or crowdresponse or MFT can only list permissions(rwx) at most, but not ownership like dir. (edited)

you could try GOW - Gnu On Windows. you can then use basic unix applications. you can see ownerships and privs but MAC times, it would appear, can only be shown individually, not all at once. you can, both in DOS CMD window and the iteration of GOW inside it, redirect the output to a file (edited)

3:37 AM

https://github.com/bmatzelle/gow/releases

3:38 AM

then, for example, check the man pages for ls

3:38 AM

https://www.man7.org/linux/man-pages/man1/ls.1.html

3:43 AM

list of GOW commands : https://github.com/bmatzelle/gow/tree/master/bin and as usual, examples are only a few clicks away via <search-engine-of-choice>

Yo anyone with a PoC for that RPC runtime vuln everyone is talking about?

Pretty sure people aren't sharing any PoCs yet due to the criticality of the vuln

Would not be surprised

If I see a public one floating around, I'll ping it over

1

Digitalferret

you could try GOW - Gnu On Windows. you can then use basic unix applications. you can see ownerships and privs but MAC times, it would appear, can only be shown individually, not all at once. you can, both in DOS CMD window and the iteration of GOW inside it, redirect the output to a file (edited)

GOW seems to be as difficult to analyze as DIR, and parsing makes it hard for me to use EXCEL or Timeline Explorer to analyze.

But still, thank you very much.

RX

Hi folks Is there any tool that can list the ownership of a file ?(just like dir) Also, it can tell me when the file was created, modified, and accessed. Exiftool or crowdresponse or MFT can only list permissions(rwx) at most, but not ownership like dir. (edited)

Does anyone else know of any tools that can do this? This makes me very confused

RX

Does anyone else know of any tools that can do this? This makes me very confused

"GOW seems to be as difficult to analyze as DIR" - which part?

Digitalferret started a thread. 4/14/2022 5:20 AM

RX

GOW seems to be as difficult to analyze as DIR, and parsing makes it hard for me to use EXCEL or Timeline Explorer to analyze.

But still, thank you very much.

btw, what is the back story? is this a school/uni assignment, or you've been hacked, or someone asked you to do a job of work.. or?

5:35 AM

many pre-built tools / apps use fundamental commands and just wrap them up in an easy?-to-use interface. learning those fundamentals for yourself free's you from all the angst of trying to find an app that does exactly what you want on a single click.

5:36 AM

there is also a limiting factor to using such apps in that you often can't tweak the response

5:40 AM

full toolkits give you even more options but the learning curve can be quite steep (and fairly expensive). Autopsy is free and well worth a download, even just for a look at capabilities.

Autopsy® is the premier end-to-end open source digital forensics platform. Built by Basis Technology with the core features you expect in commercial forensic tools, Autopsy is a fast, thorough, and efficient hard drive investigation solution that evolves with your needs.

RX

Hi folks Is there any tool that can list the ownership of a file ?(just like dir) Also, it can tell me when the file was created, modified, and accessed. Exiftool or crowdresponse or MFT can only list permissions(rwx) at most, but not ownership like dir. (edited)

Powershell can do these things. There are two different commands involved: Get-ChildItem (Powershell's version of dir) and Get-Acl, which will list permissions. There are also plenty of ways to script these things together to get just the values you want, and Powershell can easily output to CSV or XML.

Digitalferret

"GOW seems to be as difficult to analyze as DIR" - which part?

I was hoping it could just export out a csv format, which would make timeline explorer or excel good for analysis. Because dir and ls, it seems that they can not export output to csv format, they look like a text, excel and timeline explorer can not be properly tabulated for sorting

RX

I was hoping it could just export out a csv format, which would make timeline explorer or excel good for analysis. Because dir and ls, it seems that they can not export output to csv format, they look like a text, excel and timeline explorer can not be properly tabulated for sorting

u realise CSV is just Comma Separated Variable? when you import the text file specify [Space] or [Tab] as the separator?

1

7:35 AM

1

Digitalferret

btw, what is the back story? is this a school/uni assignment, or you've been hacked, or someone asked you to do a job of work.. or?

IR job lol

My team will not image the hard drive, we are collect some necessary logs to do the investigation, when analyzing the file timeline, now we use MFT and dir, it is very tiring and inefficient to keep switching between the two files, so I am looking for a tool, it can list the ownership of a file ? (just like dir) Also, it can tell me when the file was created, modified, and accessed. (edited)

might want to invest in some pro tools maybe, make your whole operation more streamlined.

7:37 AM

IR not my main bag, sorry.

still thank you bro

7:39 AM

its fine!

Digitalferret

Click to see attachment 🖼️

is it a tool? or just EXCEL

above? it's Libre Office Calc. you output your list to a file with a csv extension, then open with a spreadhseet program, import as <space> variable

7:42 AM

like ls -alh > myfile.csv

im trying

7:46 AM

excel cant do that? did I do anything wrong? im already import as <space> variable

open the csv in a text editor first maybe, so you can see it without an excel formatting

7:48 AM

maybe make minor tweaks. you really need to experiment to get settings that work for you

7:50 AM

for instance, choose which arguments to pass in dir or ls for a particular output

Digitalferret

open the csv in a text editor first maybe, so you can see it without an excel formatting

well.. I have chosen to import csv from Excel and import as <space> variable, I don't know why, but EXCEL is working as shown above, but libre office is working well (edited)

7:57 AM

RX

IR job lol

My team will not image the hard drive, we are collect some necessary logs to do the investigation, when analyzing the file timeline, now we use MFT and dir, it is very tiring and inefficient to keep switching between the two files, so I am looking for a tool, it can list the ownership of a file ? (just like dir) Also, it can tell me when the file was created, modified, and accessed. (edited)

you can use UAC (github.com/tclahr/uac) to create a bodyfile of the file system, then use plaso or mactime to create a nice timeline of the file system. Or even load the bodyfile.txt output into an excel, since the bodyfile is just a piple | separated file. I mean, for *nix systems only. (edited)

1

Digitalferret

Click to see attachment 🖼️

When there are spaces in the date and time or spaces in the file name, the parsed format is still not easy to read, which is one of the most troubling factors for me, because dir, as text, can still be imported using delimiters, and will also have the problem of not easy to read

8:07 AM

Sorting can be a problem

tclahr

you can use UAC (github.com/tclahr/uac) to create a bodyfile of the file system, then use plaso or mactime to create a nice timeline of the file system. Or even load the bodyfile.txt output into an excel, since the bodyfile is just a piple | separated file. I mean, for *nix systems only. (edited)

nice!!, it's a pity he doesn't support windows

RX

Sorting can be a problem

then you need to do this with awk

8:11 AM

ls -alh | awk -v OFS="\t" "$1=$1" > awked.csv

1

8:11 AM

to get

8:12 AM

8:13 AM

that changes to Tab delimited file for output, and your spreadsheet will then ignore the leading spaces on file size

8:15 AM

health warning: these dopamine hits when you "get it" can be addictive. other staff will be bowing like they are unworthy and bring you free drinks and more

8:15 AM

well .... might have exaggerated the last bit

(edited)

Anyway, thanks a lot for this discussion, my English is not good, can't express very well, hope you don't mind, thank you!

RX

Anyway, thanks a lot for this discussion, my English is not good, can't express very well, hope you don't mind, thank you!

to me your English is excellent, and it's my pleasure. best of luck

1

RX

Anyway, thanks a lot for this discussion, my English is not good, can't express very well, hope you don't mind, thank you!

Wow, I wouldn’t have thought it wasn’t your first language tbh, good job

I had no clue you could import a text file to Excel (or Libre Office) using a different delimiter than a comma. Thanks for the heads up!

1

FullTang

I had no clue you could import a text file to Excel (or Libre Office) using a different delimiter than a comma. Thanks for the heads up!

Oh yeah, Data -> From Text/CSV. Use it all the time

Also there's Data -> Text to Columns that's really helpful whenever Excel pastes everything into a single column (edited)

1

FullTang

I had no clue you could import a text file to Excel (or Libre Office) using a different delimiter than a comma. Thanks for the heads up!

full disclosure: neither did i 'til i picked up the dude's question and ran with it

2

Digitalferret

full disclosure: neither did i 'til i picked up the dude's question and ran with it

Always learning!

2

The more you know, the more you know you don't know

3

2

sad but so very true, lol

11:36 AM

there's so much you gain for yourself by (trying at least) helping others. if you have spare time it's silly not to

Andrew Rathbun

The more you know, the more you know you don't know

Andrew I had a flashback to my younger years

1

iOS Notes app deleted by mistake. Person reinstalled the app but old notes are not showing. Notes were not set to sync with cloud. Anyone know if there is a way to get the notes back with forensic tools?

does anyone know a good way to crack the passwords of a locked doc file, i tried this https://null-byte.wonderhowto.com/how-to/crack-password-protected-microsoft-office-files-including-word-docs-excel-spreadsheets-0193959/ but it didn't give me anything and I've tried a bunch of apps like passfab but they all cost money to use lol

How to Crack Password-Protected Microsoft Office Files, Including W...

Microsoft Office files can be password-protected in order to prevent tampering and ensure data integrity. But password-protected documents from earlier versions of Office are susceptible to having their hashes extracted with a simple program called office2john. Those extracted hashes can then be cracked using John the Ripper and Hashcat.

Lurking

does anyone know a good way to crack the passwords of a locked doc file, i tried this https://null-byte.wonderhowto.com/how-to/crack-password-protected-microsoft-office-files-including-word-docs-excel-spreadsheets-0193959/ but it didn't give me anything and I've tried a bunch of apps like passfab but they all cost money to use lol

#password-encryption-cracking

thanks lol sorry im new here

no worries

m.bates

iOS Notes app deleted by mistake. Person reinstalled the app but old notes are not showing. Notes were not set to sync with cloud. Anyone know if there is a way to get the notes back with forensic tools?

I’ve had so much information thrown at me this week but I do know this was covered in SANS FOR585…..shameless plug. That said I don’t think there is a way to get those back but you could try carving the database. Otherwise if you know some of the wording you could keyword search the entire file and maybe get lucky that there are wear leveling artifacts left over of the note.

3:00 PM

Assuming you have a FFS.

Jerry Porter

So, it appears that the Exchange Device ID is generated by the iPhone and reset when the device iphone is factory reset. It is the same ID that gets linked on the Exchange server. I believe it is in a . plist or some other file somewhere on the phone. The screenshot that I shared has never been connected to exchange but still has the ID. (edited)

Replying to my own post to close out this question. I found what I was looking for. The Exchange Device ID can be found in /private/var/mobile/Library/DataAccess/DeviceSpecificInfo.plist.

2

burgers_N_bytes

I’ve had so much information thrown at me this week but I do know this was covered in SANS FOR585…..shameless plug. That said I don’t think there is a way to get those back but you could try carving the database. Otherwise if you know some of the wording you could keyword search the entire file and maybe get lucky that there are wear leveling artifacts left over of the note.

Thanks for your rapid response! Hope the week was entertaining...I'll give the database carving once I get me hand on the device.

any sanderson sqlite users here whom i can ask a question

RX

Hi folks Is there any tool that can list the ownership of a file ?(just like dir) Also, it can tell me when the file was created, modified, and accessed. Exiftool or crowdresponse or MFT can only list permissions(rwx) at most, but not ownership like dir. (edited)

In powershell you could do cd yourFolder Get-ChildItem -File -Recurse -Filter *.pdf | ForEach-Object { Get-Acl $_.FullName -Audit | Select-Object -ExpandProperty access -Property PSPath | export-CSV yourdestination.csv -Append } Inspired by https://pcnettips.blogspot.com/2012/07/powershell-v3-adding-sacl-auditing-to.html (edited)

PowerShell (v3) - Adding SACL Auditing to a File

Security, in Windows, can be a pretty large, complex subject, particularly from a developer's perspective. A few years ago I started explori...

SamJack

In powershell you could do cd yourFolder Get-ChildItem -File -Recurse -Filter *.pdf | ForEach-Object { Get-Acl $_.FullName -Audit | Select-Object -ExpandProperty access -Property PSPath | export-CSV yourdestination.csv -Append } Inspired by https://pcnettips.blogspot.com/2012/07/powershell-v3-adding-sacl-auditing-to.html (edited)

ownership working well but this command can show MAC time together?!

Ever thought of fls/istat?

RX

ownership working well but this command can show MAC time together?!

# From https://github.com/ili101/Join-Object/blob/master/README.md
# and https://devblogs.microsoft.com/powershell/join-object/
# Install module manually
# Install-Module -Name Join-Object -Scope CurrentUser
cd yourFolder

Get-ChildItem -File -Recurse -Filter *.pdf | ForEach-Object {
  $file = $_ | Select-Object FullName, CreationTimeUtc, LastAccessTimeUtc, LastWriteTimeUtc
  $acl = Get-Acl $_.FullName -Audit | Select-Object  -ExpandProperty access -Property @{name="FullName"; expression={"$fullName"}} 
  Join-Object -Left $file  -Right $acl -LeftJoinProperty FullName -RightJoinProperty FullName -KeepRightJoinProperty -Type OnlyIfInBoth -Prefix service_ | export-CSV yourDestination -Append
}

(edited)

Happy Easter everyone - hope the Easter Bunny brought you lots of forensic toys to play with!

6

SamJack

# From https://github.com/ili101/Join-Object/blob/master/README.md
# and https://devblogs.microsoft.com/powershell/join-object/
# Install module manually
# Install-Module -Name Join-Object -Scope CurrentUser
cd yourFolder

Get-ChildItem -File -Recurse -Filter *.pdf | ForEach-Object {
  $file = $_ | Select-Object FullName, CreationTimeUtc, LastAccessTimeUtc, LastWriteTimeUtc
  $acl = Get-Acl $_.FullName -Audit | Select-Object  -ExpandProperty access -Property @{name="FullName"; expression={"$fullName"}} 
  Join-Object -Left $file  -Right $acl -LeftJoinProperty FullName -RightJoinProperty FullName -KeepRightJoinProperty -Type OnlyIfInBoth -Prefix service_ | export-CSV yourDestination -Append
}

(edited)

# Install module manually
# Install-Module -Name Join-Object -Scope CurrentUser
cd yourFolder

Get-ChildItem -File -Recurse -Filter *.pdf | ForEach-Object {
  $file = $ | Select-Object FullName, CreationTimeUtc, LastAccessTimeUtc, LastWriteTimeUtc
  $acl = Get-Acl $.FullName -Audit | Select-Object  -ExpandProperty access -Property @{name="FullName"; expression={"$fullName"}} 
  Join-Object -Left $file  -Right $acl -LeftJoinProperty FullName -RightJoinProperty FullName -KeepRightJoinProperty -Type OnlyIfInBoth -Prefix service_ | export-CSV yourDestination -Append
}

1

hello @Cellebrite anyone know how to change the path to save a prelim report in PA. It seems like it remembers an extraction I did a week ago and I am not seeing a "save to" etc. ty in advance

Any forensic tools capable of converting .arc image files to E01s?

@thatboy_leo I'm not up to speed on what format an ".arc" is but if you can mount it with @Arsenal Arsenal Image Mounter as a drive and them create an E01 from it ?

DCSO

@thatboy_leo I'm not up to speed on what format an ".arc" is but if you can mount it with @Arsenal Arsenal Image Mounter as a drive and them create an E01 from it ?

If it’s an arc file from R-Drive Image, I don’t think we have ever been asked about that format before. Unless arc files are raw disk images, the OP may need to buy R-Drive Image to mount and convert. Caveat: Not familiar with R-Drive Image.

2:31 PM

If it’s the other kind of arc file, I’m having flashbacks to running a Renegade BBS.

Arsenal

If it’s the other kind of arc file, I’m having flashbacks to running a Renegade BBS.

Lol, I was thinking back to my BBS days too

Hi, is there a way to check the history of outbound connections on a Windows PC? I have a host that made connections to multiple destinations on port 445

Vendetta

Hi, is there a way to check the history of outbound connections on a Windows PC? I have a host that made connections to multiple destinations on port 445

Not really as windows doesn't typically log this. Do you have memory? You may have some luck in the app data depending on what's installed

Anyone know any good tools to compare two digital images, from the same system, just taken at different times?

thatboy_leo

Any forensic tools capable of converting .arc image files to E01s?

late to the party but R-Drive images use .rdr extension which i seem to remember are/can-be compressed . if i recall right previous versions would also let you create a bitwise image .dsk? . .arc format is possibly a Norton backup file. might need to do a restore and then image to .E01? (edited)

Ali

Anyone know any good tools to compare two digital images, from the same system, just taken at different times?

Suggest defining your questions otherwise that's really broad

Ali

Anyone know any good tools to compare two digital images, from the same system, just taken at different times?

if you are checking to see if they are different maybe just hash both images and compare that. if you are looking at specific file changes, new/old/deleted thats a different bucket of prawns (edited)

randomaccess

Suggest defining your questions otherwise that's really broad

For instance, I have a image of a system prior to installing a desktop-based crypto wallet, and I have an image of the same system after installing the wallet, and I don't want to manually identify all changes to the image, I was wondering if tool would be able to identify the specific changes to the system when looking at both images.

Digitalferret

if you are checking to see if they are different maybe just hash both images and compare that. if you are looking at specific file changes, new/old/deleted thats a different bucket of prawns (edited)

unfortunately looking for the bucket of prawns

Run procmon while installing

2:17 AM

But all things considered The wallet will likely create files in a few directories, and registry entries. So the few directories can be sorted by grabbing the Mft after install and then sorting by created

randomaccess

Run procmon while installing

that was my initial idea, however I am not allowed to analyze the system outside of its image format, weird rule but it is what it is

Ali

that was my initial idea, however I am not allowed to analyze the system outside of its image format, weird rule but it is what it is

That's fine. If you know when the item was installed you can still look at the registry and file system after that install date

Ali

that was my initial idea, however I am not allowed to analyze the system outside of its image format, weird rule but it is what it is

how large an image?

roughly 30gb

i'll defer to randomaccess, but if it's not ridiculously large, you might consider taking a file list of both and then perform some sort of comparison via commandline sort/uniq etc

2:25 AM

maybe like https://stackoverflow.com/questions/33214014/awk-file-compare

2:25 AM

bbl, irl calls. best of luck

Arsenal

If it’s the other kind of arc file, I’m having flashbacks to running a Renegade BBS.

I ran Renegade! It was great until the internet came and rounded all the fun.

Joe Schmoe

I ran Renegade! It was great until the internet came and rounded all the fun.

We are dating ourselves. Renegade SysOps should be retired by now.

Hello everyone! My name is George Ioannou and I am a research fellow at Brunel University, London. We are doing research on bringing together Explainable AI with Cyber Incident Response to create an agent that will work as a team with experts as well as novices. We are currently running a small exercise in the form of a survey for training the underlying model which is based on the NIST framework for incident response. The survey can be found in https://brunel.onlinesurveys.ac.uk/xaicsa-questionnaire and is completely anonymous. Your contribution would be very vital to our work. I hope you enjoy the survey and please do not hesitate to post any feedback! Salute

Human Like Computing survey

Online survey BOS

Arsenal

We are dating ourselves. Renegade SysOps should be retired by now.

It was a fork of Telegard I think. I had a pretty popular BBS for two reasons. One was long distance fees. There were only a few in the local calling area so not much competition. Most importantly my sister would use it occasionally. Girls were a rare sighting in that space.

Digitalferret

late to the party but R-Drive images use .rdr extension which i seem to remember are/can-be compressed . if i recall right previous versions would also let you create a bitwise image .dsk? . .arc format is possibly a Norton backup file. might need to do a restore and then image to .E01? (edited)

Thank you sir!

Hi everyone, I know threat actors for ransomware cases will rename rclone to prevent forensics (anti-forensics). If so, have you seen any of the renames and if so which ones?

Favorite tools for outlook forensics(PST dumps) that isn’t AXIOM or outlook? About to chuck this lab station into a bin right now

5:00 PM

Pretty sure autopsy is decent for PST forensics but it’s been a bit… no time like the present

not much out there. i know a few people who worked on this: https://github.com/bmalik4444/PST-Go-Phish it relies mainly on libpff and pretty much requires ubuntu. this one is for identifying phishing email candidates

GitHub - bmalik4444/PST-Go-Phish: The original script lets you auto...

The original script lets you automatically identify potentially suspicious emails based on a combination of message header heuristics. The modified version of the original script lets you leverage ...

5:11 PM

@Turb0Yoda

Thanks

5:12 PM

Will give it a good

5:12 PM

Go

the other smartest DFIR devs I know were writing pst output to json and using jquery to analyze it. this isnt their code but purports to do something similar with no guarantee: https://github.com/braintapper/pst_to_json/releases

Releases · braintapper/pst_to_json

Converts an Outlook PST to JSON. Contribute to braintapper/pst_to_json development by creating an account on GitHub.

5:18 PM

if you Google "dump pst file to json" there are some other results as well. ymmv

5:18 PM

unfortunately there weren't a whole lot of good options

Yeah- something is wonky with this axiom and this box is slated for a rebuild next Tuesday just like… cmon couldn’t wait a few days before crapping out?

Bulletproof (נתן צ'אן)

Hi everyone, I know threat actors for ransomware cases will rename rclone to prevent forensics (anti-forensics). If so, have you seen any of the renames and if so which ones?

Renaming rclone doesn't prevent forensics, at best it may prevent detection but that also depends on the monitoring in place. They'd likely also alter something in the binary so it doesn't have a hash match

6:51 PM

Why do you want to know about the rename? I've seen it once renamed, but, if it's for collating detections I'd be more inclined to look for the arguments in the command line than the binary name

Anyone know how to use an ftk imager

marco_polo076

Anyone know how to use an ftk imager

User Guide is the best meterial.

where

marco_polo076

where

Run FTK Imager -> F1 Button Clcik

randomaccess

Why do you want to know about the rename? I've seen it once renamed, but, if it's for collating detections I'd be more inclined to look for the arguments in the command line than the binary name

Hi @randomaccess, Thanks for the info. I have dissected some Sigma rules for this. If the command line contains the commands like: pass, user, copy, mega, sync, config, lsd, remote, and ls, they are usually tell-tale signs of usage. But, my question, what if the hacker deletes rclone? Then, what should we do?

9:50 PM

I have no forensic images, given the fact, only $MFT logs, but they are not detecting anything. I can't disclose any more than that. (edited)

We just had a TA rename rclone as 7-zip in a recent case, that was mildly annoying

10:15 PM

Am I tripping or did Microsoft literally change the edisco options in O365 from “basic” and “advanced” to “standard” and “premium” between yesterday and today

10:18 PM

I need to sleep

10:20 PM

Yeah it looks like they did

1

10:20 PM

Fml

Turb0Yoda

Am I tripping or did Microsoft literally change the edisco options in O365 from “basic” and “advanced” to “standard” and “premium” between yesterday and today

All good. Thanks for the tips.

Bulletproof (נתן צ'אן)

I have no forensic images, given the fact, only $MFT logs, but they are not detecting anything. I can't disclose any more than that. (edited)

$J?

Turb0Yoda

We just had a TA rename rclone as 7-zip in a recent case, that was mildly annoying

Oof. That's a rough one lol

Andrew Rathbun

$J?

What do you mean by $J?

Got it.

1:22 AM

@Andrew Rathbun Thanks.

1

Bulletproof (נתן צ'אן)

Hi @randomaccess, Thanks for the info. I have dissected some Sigma rules for this. If the command line contains the commands like: pass, user, copy, mega, sync, config, lsd, remote, and ls, they are usually tell-tale signs of usage. But, my question, what if the hacker deletes rclone? Then, what should we do?

If you only have a $mft then no you don't have enough to go off sorry

2:57 AM

Even if I told you I've seen an attacker name rclone to ABC.exe that doesn't mean that if you find ABC.exe that it's rclone

2:57 AM

Especially if they deleted it ....

2:58 AM

I'd be looking in the logfile or USN journal as @Andrew Rathbun mentioned but there are better artefacts to review....like...edr telemetry if it exists, event logs, amcache, shimcache

1

randomaccess

Especially if they deleted it ....

Thanks brother. This means so much to me.

If you are interested in investigating the PST (MAPI properties, intelligence on entities, MIME headers, etc.), then FEI might be a good fit. https://www.metaspike.com/forensic-email-intelligence/ On the other hand, if your goal is to just search and dump the emails, a forensic suite should be okay. @Turb0Yoda @Sha1_4n6 (edited)

Arman Gungor

Forensic Email Intelligence by Metaspike

Experts' choice for investigating email fraud, business email compromise (BEC), malware delivery, and CAN-SPAM Act violations.

Gaming console forensics question. Can anyone confirm that all of the user data on an Xbox 360 S, model 1439, is stored on the removable hard drive?

Arman Gungor

If you are interested in investigating the PST (MAPI properties, intelligence on entities, MIME headers, etc.), then FEI might be a good fit. https://www.metaspike.com/forensic-email-intelligence/ On the other hand, if your goal is to just search and dump the emails, a forensic suite should be okay. @Turb0Yoda @Sha1_4n6 (edited)

We were actually talking about buying it at work unfortunately it’s not something we’ll get anytime soon with how accounts works here ._.

Turb0Yoda

We were actually talking about buying it at work unfortunately it’s not something we’ll get anytime soon with how accounts works here ._.

Oh, I hear you. Feel free to DM if there is anything I can help with. Always happy to chat about email forensics

1

https://www.pcgamer.com/nvidias-gpu-powered-ai-is-creating-chips-with-better-than-human-design/

Nvidia's GPU-powered AI is creating chips with 'better than human d...

So, it's using AI accelerated by its GPUs to accelerate its GPU development.

stephenie

Has anyone come across AVG Photo Vault before? Since when were they encrypting and hiding media files?

Dredging up a very old post! https://theincidentalchewtoy.wordpress.com/2022/02/23/decrypting-the-avg-photo-vault/ for a write up of how it works and a link to the script that can be used to deal with PINs, pattern and encryption: https://github.com/4n6chewtoy/AVGPhotoVault

theincidentalchewtoy

Decrypting the ‘AVG’ Photo Vault

Screenshot of AVG Menu I have been holding onto this post for a while now, one of the first applications I attempted to decrypt which took a very long time. ‘AVG AntiVirus – Mobile Security &…

GitHub - 4n6chewtoy/AVGPhotoVault: A python script to decrypt media...

A python script to decrypt media files encrypted using the Android application 'AVG Antivirus''. Will identify PIN / pattern used. - GitHub - 4n6chewtoy/AVGPhotoVault: A pyt...

3

@Law Enforcement [UK] Anyone tried out the new Griffeye accessible/inaccessible paths yet? Is there any documentation for how to add to the inaccessiblePatterns JSON file? I just want to add file names but it looks like it works off paths only?

Lewis

@Law Enforcement [UK] Anyone tried out the new Griffeye accessible/inaccessible paths yet? Is there any documentation for how to add to the inaccessiblePatterns JSON file? I just want to add file names but it looks like it works off paths only?

We haven’t yet as we are still on 21.1 as it needs to be signed off by the Home Office prior to being used I believe

got signed off last week

Hey folks, Good morning. I am just wondering what are the most common ways you have seen data exfiltration from a server? For example, does the TA zip and compress everything, map new network shares so that it's easier to exfiltrate at a central endpoint, etc.? Thanks.

Bulletproof (נתן צ'אן)

Hey folks, Good morning. I am just wondering what are the most common ways you have seen data exfiltration from a server? For example, does the TA zip and compress everything, map new network shares so that it's easier to exfiltrate at a central endpoint, etc.? Thanks.

Often via PowerShell to some external IP, using rclone, Total Commander's FTP plugin, mega, web browser to ufile.io, etc. You name it!

1

8:53 AM

Think about how you would go about getting a file from your computer to me. Not using Discord or email (file size limits and plus there are many more lightweight, less noisy options than Discord to share files). That's pretty much the extent of the options haha

8:53 AM

the more command line the more likely the option will be considered for use by TAs

So, what you're saying is that anything is possible? I think the TA would have to compress it first, since sending file by file is hard. Would you say so?

Bulletproof (נתן צ'אן)

So, what you're saying is that anything is possible? I think the TA would have to compress it first, since sending file by file is hard. Would you say so?

PowerShell script to search for files of interest (i.e., finance, accounting, accounts receivable, etc), then use 7zip CLI to zip it up then exfil via rclone. All command line.

1

Are there 7zip forensics that you know of?

Bulletproof (נתן צ'אן)

Are there 7zip forensics that you know of?

Sure, there are some registry keys and values that get populated with 7Zip, much like WinRAR. They are pretty similar, in fact. But I honestly don't know if 7Zip CLI logs anything in the registry

Thanks man. Copy that.

Hey buddy's I'm wanna star in DFIR field but to start i don't know,can anyone help me

KeSHaV

Hey buddy's I'm wanna star in DFIR field but to start i don't know,can anyone help me

https://www.youtube.com/watch?v=-IUJnDs6rbE

SANS Digital Forensics and Incident Response

Getting started in DFIR: Testing 1,2,3 | Phill Moore

KeSHaV

Hey buddy's I'm wanna star in DFIR field but to start i don't know,can anyone help me

https://www.youtube.com/watch?v=H-735uP9nFg

SANS Digital Forensics and Incident Response

Securing Your Future in DFIR

KeSHaV

Hey buddy's I'm wanna star in DFIR field but to start i don't know,can anyone help me

check out my StartMe page, plenty of resources to get you going https://startme.stark4n6.com

Forensics - start.me

A startpage with online resources about Forensics, created by Stark 4N6.

1

Lewis

@Law Enforcement [UK] Anyone tried out the new Griffeye accessible/inaccessible paths yet? Is there any documentation for how to add to the inaccessiblePatterns JSON file? I just want to add file names but it looks like it works off paths only?

We are just about to install the 22.0.2 version approved by CAID across the force.

Bulletproof (נתן צ'אן)

Hey folks, Good morning. I am just wondering what are the most common ways you have seen data exfiltration from a server? For example, does the TA zip and compress everything, map new network shares so that it's easier to exfiltrate at a central endpoint, etc.? Thanks.

Accessing and browsing network shares, copying to one or multiple staging hosts, compressing and uploading to somewhere via rclone

Anyone know where to officially download DumpIt?

Jogoyo

Anyone know where to officially download DumpIt?

https://github.com/Crypt2Shell/Comae-Toolkit

GitHub - Crypt2Shell/Comae-Toolkit: Memory Dump

Memory Dump. Contribute to Crypt2Shell/Comae-Toolkit development by creating an account on GitHub.

2

does anyone here know how to rebuild a boot record? rhel 4 i got corrupted grub. the thing is i did a physical 2 virtual so i messed it up its something mkinit, work out the boot partition and lvm is correct but i know windows just not linux

does anyone here know what the best way is to test a new HDD on a windows machine before using?

Josephine Mama

does anyone here know what the best way is to test a new HDD on a windows machine before using?

if its new, what are you wanting to test?

Cellebrite Digital Collector Who thought it was a good idea to put ‘mount drive’ next to ‘format drive’

….Not done anything wrong…thank god but I feel any option that has the potential to erase data should be miles away from a mount option. I hope everyone is careful where they click.

3

D1g1talDan

Cellebrite Digital Collector Who thought it was a good idea to put ‘mount drive’ next to ‘format drive’

….Not done anything wrong…thank god but I feel any option that has the potential to erase data should be miles away from a mount option. I hope everyone is careful where they click.

@Cellebrite seems a very legit RFC.

D1g1talDan

Cellebrite Digital Collector Who thought it was a good idea to put ‘mount drive’ next to ‘format drive’

….Not done anything wrong…thank god but I feel any option that has the potential to erase data should be miles away from a mount option. I hope everyone is careful where they click.

Hi folks, I am doing some work around router downloads within my police force for some training.. and my manager has asked me “how we can/can’t use Mac addresses for attribution” as well as is there anything we can do if a Mac is randomised”. The second question I can be pretty sure If it’s a randomised MAC address then you are unable to get anything - potentially get something from a forensic download, if you’re lucky… but the first question I’m none the wiser, is there anyone who might be able to share their knowledge. Many thanks for your time!

Boiga

Hi folks, I am doing some work around router downloads within my police force for some training.. and my manager has asked me “how we can/can’t use Mac addresses for attribution” as well as is there anything we can do if a Mac is randomised”. The second question I can be pretty sure If it’s a randomised MAC address then you are unable to get anything - potentially get something from a forensic download, if you’re lucky… but the first question I’m none the wiser, is there anyone who might be able to share their knowledge. Many thanks for your time!

There is a plist from iOS devices that contains the randomized MAC addresses that it uses for different access points. Here is a link for more info. https://ciofecaforensics.com/2020/10/24/apple-private-addresses/

1

Attribution is a very tough subject. MAC randomization is easy for bad guys to do. If you’re dealing with a non-tech savvy perp, then MAC address attribution could be something you could use to attribute actions, but keep in mind that they can be randomized while doing so. If you are looking at actions within a short period of time, logical attribution can be achieved, however linking them to a physical device could be tricky. TLDR - Probably not useful (edited)

1

Does anyone know companies that are doing DFIR internships in Ohio?

malrker

does anyone here know how to rebuild a boot record? rhel 4 i got corrupted grub. the thing is i did a physical 2 virtual so i messed it up its something mkinit, work out the boot partition and lvm is correct but i know windows just not linux

Live boot into the Linux , chroot into your system, reinstall grub

just wanted to let people know there is a new phishing scam going on i just got the email but didn't activate it this was sent to me 2 times trying to claim i bought something when i never did and the account it emailed was a throw away email address.

12:42 PM

first off i do not have the funds for the transaction cause i am using most of it for college so my bank would never allow this just want you guys to be aware someone is trying to make it look official and be careful of this.

12:44 PM

2 first names and the email address is very fishy when i tried to look at the email it was alot of numbers and letters that made it look like it was auto generated.

For anyone that is running into issue with @Cellebrite Qualcomm live dumps on Samsungs and freezing at "sepolicy_version" it appears to be an issue with Samsung Health app, going back to Version 7.50.0.137 dumped successfully with no issues.

2

FullTang

There is a plist from iOS devices that contains the randomized MAC addresses that it uses for different access points. Here is a link for more info. https://ciofecaforensics.com/2020/10/24/apple-private-addresses/

Thank you so much for this. I will study it when I am back on monday to see if I can comprehend what the person is on about. Sounds really good though, potentailly something to implement within my force.

1

@DCSO ok - how do you know what version to revert back to? Was there a major change in QL after that version?

3:42 PM

I love the info I just want to know how to figure that out myself without banging my head on the desk for a day straight

attackd0gz

Attribution is a very tough subject. MAC randomization is easy for bad guys to do. If you’re dealing with a non-tech savvy perp, then MAC address attribution could be something you could use to attribute actions, but keep in mind that they can be randomized while doing so. If you are looking at actions within a short period of time, logical attribution can be achieved, however linking them to a physical device could be tricky. TLDR - Probably not useful (edited)

Thank you mate, it was useful. It's more information and credability I can go to my DS and explain that it's really fecking difficult, unless you know whats going on it's super tricky and potentially unable to attribute.... but router logs are always useful to get (if the router has them of course). Thank you again!

1

Hi everyone, the private sector where I'm working at has been kind enough to setup my training towards doing the EnCE, but due to the requirements of completing the EnCase DF-120 and DF-210 that should be completed first, I was wondering if anyone has great resources regarding to preparation, and would be kind enough sharing those. I've just jumped into this space recently so you could see me as fresh meat in this industry as you would say. Even recommendations of books would be great to start off with. (edited)

Been a minute (15 years) since I took EnCE but best resource is to understand file systems

7:07 AM

https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/ref=nodl_

File System Forensic Analysis

3

Hi everyone, do you know some free material to get started in DFIR? I am relatively fresh out of university and in my first cybersecurity job.

tklane

https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/ref=nodl_

Thank you so much!

STD1990

Hi everyone, do you know some free material to get started in DFIR? I am relatively fresh out of university and in my first cybersecurity job.

↖️ maybe check channels tabs under [DFIR NEWSFEED] - esp https://discord.com/channels/427876741990711298/645449956949491749 >> https://aboutdfir.com (edited)

1

does anyone have any peer reviewed information on using knoppix as digital forensics OS?

marlboro_jamez

Hi everyone, the private sector where I'm working at has been kind enough to setup my training towards doing the EnCE, but due to the requirements of completing the EnCase DF-120 and DF-210 that should be completed first, I was wondering if anyone has great resources regarding to preparation, and would be kind enough sharing those. I've just jumped into this space recently so you could see me as fresh meat in this industry as you would say. Even recommendations of books would be great to start off with. (edited)

Check out 13cubed on youtube

https://www.youtube.com/channel/UCy8ntxFEudOCRZYT1f7ya9Q

13Cubed

13Cubed is a side project maintained by me, Richard Davis. This channel covers information security-related topics including Digital Forensics and Incident Response (DFIR) and Penetration Testing, as well as tutorials and overviews of various apps and scripts I've written. ● Release Schedule: New videos are released on Mondays, at least once pe...

Fierry

Check out 13cubed on youtube

https://www.youtube.com/channel/UCy8ntxFEudOCRZYT1f7ya9Q

Thank you!! Will do.

Digitalferret

if its new, what are you wanting to test?

just to be better on the safe side to make sure i didn't receive a faulty drive

6:20 AM

just an extra precaution

6:20 AM

amazon is known for sending out bad drives

Josephine Mama

just an extra precaution

in that case, maybe check https://crystalmark.info/en/software/crystaldiskinfo/

Josephine Mama

just to be better on the safe side to make sure i didn't receive a faulty drive

https://www.hdsentinel.com/ is a decent one to test a drive

Hard Disk Sentinel - HDD health and temperature monitoring

Monitoring hard disk health and temperature. Test and repair HDD problems, predict disk failure.

1

For real this time. Looks the the new edition of X-Ways Practitioner's Guide will be launched in about 4 hours. https://order-dfir.com/optin1650476589319

X-Ways Forensics Practitioner's Guide/2E

Get notified when the 100-hour sale starts!

It is launched!

derekeiri

For real this time. Looks the the new edition of X-Ways Practitioner's Guide will be launched in about 4 hours. https://order-dfir.com/optin1650476589319

Cost of postage to Australia is the same as the book itself!

Hi everyone I'm looking for some advice, but I think it's best for me to give a bit of background to the situation; So the company where I'm employed had always outsourced DFIR services, and their planning to open up their own lab, where I've done the research regarding to hardware requirements and accessories that would be needed to conduct investigations. We are planning to make use of EnCase and I am aware of other open-source and software providers, but unfortunately Cellebrite isn't available in our country (South Africa) due to political reasons -_- The EnCase Training is a bit far from reach regarding their training dates, and this is something to be done ASAP. The major concern regarding to certification is to be representable in the court of law as a expert. EnCE requirements would be to cover DF-120 & DF-210 which we are still planning on doing but only in July, are there any other recommendations and solutions that I can look towards certifications to fulfil our needs in the meantime, as everything regarding to my studies will be sponsored through the company, as I'm grateful for the major opportunity. I know there are many workarounds to the use of not purchasing EnCase, but I would also appreciate anything regarding to that as well, I would really appreciate any guidance or advice. Best Regards

whee30

@DCSO ok - how do you know what version to revert back to? Was there a major change in QL after that version?

Trial and error here by our crew, I thought I would share with the group so we don't all bang out head on it. Cellebrite stated the more recent version is having errors with the Samsung Health / Keystore. I'm thinking the earlier version of the Q-Live it was not grabbing this at all hence why its not getting stuck. (untested)

1

derekeiri

For real this time. Looks the the new edition of X-Ways Practitioner's Guide will be launched in about 4 hours. https://order-dfir.com/optin1650476589319

I'm not a book guy but I would like to get the Kindle version of this if it ever came out.

1

marlboro_jamez

Hi everyone I'm looking for some advice, but I think it's best for me to give a bit of background to the situation; So the company where I'm employed had always outsourced DFIR services, and their planning to open up their own lab, where I've done the research regarding to hardware requirements and accessories that would be needed to conduct investigations. We are planning to make use of EnCase and I am aware of other open-source and software providers, but unfortunately Cellebrite isn't available in our country (South Africa) due to political reasons -_- The EnCase Training is a bit far from reach regarding their training dates, and this is something to be done ASAP. The major concern regarding to certification is to be representable in the court of law as a expert. EnCE requirements would be to cover DF-120 & DF-210 which we are still planning on doing but only in July, are there any other recommendations and solutions that I can look towards certifications to fulfil our needs in the meantime, as everything regarding to my studies will be sponsored through the company, as I'm grateful for the major opportunity. I know there are many workarounds to the use of not purchasing EnCase, but I would also appreciate anything regarding to that as well, I would really appreciate any guidance or advice. Best Regards

If you're open to taking an OnDemand/online course, OpenText has an online/passport program, which includes DF-120 and DF-210.

derekeiri

If you're open to taking an OnDemand/online course, OpenText has an online/passport program, which includes DF-120 and DF-210.

Yeah, I've had a look at that but the only issue is the Directors aren't willing to wait until July (upcoming dates), so they went ahead and told me to come up with a alternative solution in the meantime that can be done within 3-4 weeks, to look at a different certification that can still fill the requirements of being representable in court. Then when July comes I can go ahead and do the DF-120, DF-210 and then of course the EnCE. So I'm unsure if any GIAC certs would fill those needs -_- they honestly make it so frustrating, but yeah what can I do

maybe it's changed since i took it, but you can take the ondemand (recorded) course as soon as you pay and granted access. (edited)

@marlboro_jamez dose it have to be EnCase ? How about X-Ways ? Axiom ? etc

DeeFIR 🇦🇺

Cost of postage to Australia is the same as the book itself!

You have to pay extra in Australia for special boats to keep them from falling off the bottom of the earth

3

marlboro_jamez

Yeah, I've had a look at that but the only issue is the Directors aren't willing to wait until July (upcoming dates), so they went ahead and told me to come up with a alternative solution in the meantime that can be done within 3-4 weeks, to look at a different certification that can still fill the requirements of being representable in court. Then when July comes I can go ahead and do the DF-120, DF-210 and then of course the EnCE. So I'm unsure if any GIAC certs would fill those needs -_- they honestly make it so frustrating, but yeah what can I do

You can consider to get a Exterro ACE (FTK) certification. But I'm not sure this certification would fill needs in court.

DCSO

@marlboro_jamez dose it have to be EnCase ? How about X-Ways ? Axiom ? etc

Doesn't have to be EnCase at all, I'm open to anything that would fill the requirement as mentioned above

DCSO

@marlboro_jamez dose it have to be EnCase ? How about X-Ways ? Axiom ? etc

Would those be seen representable in court? I apologize for the inconvenience though, I thought it would be best to ask those who have been in the industry for ages.

I imagine that may be depend on the jurisdiction. I see that you’re in South Africa. Jason Jordaan is based out of South Africa. He has a five part series on LinkedIn, Re: thoughts on forensic regulation and the role of the Association of Certified Fraud Examiners. The latest refers to digital forensics specifically. Joradaan and that article series might be good resources. https://www.linkedin.com/pulse/trying-regulate-south-african-forensic-industry-acfe-sa-jason-jordaan

Trying to Regulate the South African Forensic Industry: ACFE SA: Pa...

I have been a member of the ACFE for over twenty years, and last year received my 20 year CFE pin from the ACFE. This was a really proud moment for me.

marlboro_jamez

Would those be seen representable in court? I apologize for the inconvenience though, I thought it would be best to ask those who have been in the industry for ages.

Yes - the above forensic tools are widely used in US and Europe . It may very for your county

derekeiri

I imagine that may be depend on the jurisdiction. I see that you’re in South Africa. Jason Jordaan is based out of South Africa. He has a five part series on LinkedIn, Re: thoughts on forensic regulation and the role of the Association of Certified Fraud Examiners. The latest refers to digital forensics specifically. Joradaan and that article series might be good resources. https://www.linkedin.com/pulse/trying-regulate-south-african-forensic-industry-acfe-sa-jason-jordaan

Thank you, I'll have a read on that, maybe I'll see if I can approach him as well. I really do appreciate everyone's insight and help on this!

Question for the general group: how are you seeing scams/frauds being committed in the metaverse? I found one indictment so far regarding someone falsely advertising games/services in Metaverse. https://www.justice.gov/usao-sdny/press-release/file/1486816/download

12:41 PM

I'm also looking into brand/reputational monitoring in metaverse spaces, so if you have any ideas I'm all ears, but also curious in any examples of how frauds and scams are presently occurring.

12:42 PM

Like, can I post a fake billboard with a link in metaverse that would lead to a fake sign-in for Paypal?

I wonder if some of the ones that do darknet/web scanning for such stuff would start doing this as well.

Yeah I'm gonna put some queries that direction as well

12:45 PM

Add that to their collections.

12:45 PM

I need to create an account on decentraland and go figure some of this out for myself, but I don't have it in me to create one more login for social media.

12:45 PM

If I had a livejournal I should be grandfathered in at this point.

Recorded Future comes to mind. And I am sure others might as well, if they think there is any business value in it

“After a deep security research by Cysource research team led by Shai Alfasi & Marlon Fabiano da Silva, we found a way to execute commands remotely within VirusTotal platform and gain access to its various scans capabilities. “ https://www.cysrc.com/blog/virus-total-blog

Hello! I'm writing a security SOP for MS SQL server integration with IBM qradar. So what kind of security logs should we enable on qradar to be monitored? By default some general logs are being forwarded to qradar like login failure, db creation etc. so my question is, are these logs enough or do I need to add something additional?

Hi again, For TAs, how do they usually exfiltrate? Is it through compression of the whole file sets (victim data) by .zip, .rar, or .7z?

3:42 PM

I can't seem to find it on the system; any hints?

3:44 PM

Or, where do I look for logs?

All of these above

2

4:12 PM

Commonly rars

1

I have seen it done as any of the above. Even non compressed individual files. Best thing is to look for deleted files (Journal files etc)

http://tietjenk.googlepages.com/APTM-unitionPack.zip

What's that?

Slides in the zip have common exfiltration artifacts for Rar

4:15 PM

Others items to look for in indx buffers, memory and unallocated space

4:15 PM

Old but still good

Do you mean in the $MFT?

4:15 PM

I can't find any .rars, .zips, or .7zs. That's the core problem.

4:16 PM

Have tried even UsnJrnl.

Bulletproof (נתן צ'אן)

I can't find any .rars, .zips, or .7zs. That's the core problem.

Usually they are deleted by the TA right after transfer, for obvious reasons.

Bulletproof (נתן צ'אן)

Have tried even UsnJrnl.

Do you have a date/time when you think the data might have been exfilled?

But, shouldn't they leave a trace, per $MFT?

4:17 PM

Yes, I do.

Bulletproof (נתן צ'אן)

But, shouldn't they leave a trace, per $MFT?

They can, but if a bit of time has gone by, or if the TA used any kind of file wiping (have seen it done in about 1/4 of my exfil cases) it will not.

I see @Tcisaki -- any where else I can look for logs?

4:22 PM

Or artifacts?

Well you can also look at items like the SRUM database (System Resource Usage) for signs of large transfers etc

4:23 PM

But file carving or memory (if the system has not been rebooted, and is fairly recent) may hold signs

Where do I look for file carving?

You would need a full disk image, and a tool for file carving. That would hopefully be able to find any deleted files, where the data is still on the HD

Like Autopsy right?

Autopsy can, yes.

4:28 PM

A tool like photorec can be useful too. Works very fast and you can set which file types you are interested in.

Does anyone have any resources for standing up/maturing a threat hunting team? Everything I'm finding online is just "tips" from different vendors. For background: I've been a threat hunter for several years, my last year in my last org I was the team lead and I was responsible for maturing the threat hunting team. Everyone on the team had been there for several years and knew the tools and network, made it pretty easy. I'm in a new org now that is trying to mature a threat hunting capability that basically just looks for hashes they find in intel reports. I'd like to get them to the point of both anomaly detection and proactively looking for activity based on the MITRE framework. I'm trying to find resources that lay out some detailed steps and best practices to start maturing the program, without entirely re-inventing the wheel. (edited)

I'm predy good at osint, and I do OSINT as a hobby, I'm a student in computer science in canada I was wondering if you know some companies that are looking for an internship.

Whats the most common distro people use IN DFIR?

BBRodriguez

Does anyone have any resources for standing up/maturing a threat hunting team? Everything I'm finding online is just "tips" from different vendors. For background: I've been a threat hunter for several years, my last year in my last org I was the team lead and I was responsible for maturing the threat hunting team. Everyone on the team had been there for several years and knew the tools and network, made it pretty easy. I'm in a new org now that is trying to mature a threat hunting capability that basically just looks for hashes they find in intel reports. I'd like to get them to the point of both anomaly detection and proactively looking for activity based on the MITRE framework. I'm trying to find resources that lay out some detailed steps and best practices to start maturing the program, without entirely re-inventing the wheel. (edited)

You might find some resources on one of these two servers. They are more focused on Threat Hunting over there. https://discord.gg/wJDxzwAhgU https://discord.gg/jeekfH9Ghs

There is a book called Practical Threat Intelligence and Data-Driven Threat Hunting which has a good blueprint for threat hunting teams and ops

SlyDaw

Whats the most common distro people use IN DFIR?

I tyhink that answer will change depending on who you ask. I used a combo of SIFT and Flare for a while. I am testing out a new one that was posted here a bit ago. https://discord.com/channels/427876741990711298/880235044873068574/962914518864891944

Tcisaki

I tyhink that answer will change depending on who you ask. I used a combo of SIFT and Flare for a while. I am testing out a new one that was posted here a bit ago. https://discord.com/channels/427876741990711298/880235044873068574/962914518864891944

are they primarily linux based?

SlyDaw

are they primarily linux based?

Flare is built on Windows, SIFT is built on Ubuntu.

The link I posted is Windows based. Using teraform I think. It includes ALOT of tools

The SIFT one seems to come up a lot, would that be appropriate for a beginner to use?

I think any of them would be. Really depends on the person using it, and their comfort.

6:51 PM

For forensics, I have been enjoying the Windows ones, as there are many more tools for it. However I still use SIFT whenever I am looking at malware etc. The other benefit of the Windows ones right now, is they use WSL (Windows Subsystem for Linux) so they have basically a Linux vm inside of the Windows VM. So a bit of both worlds

Makes sense, thanks for those

Hi folks, is there a tool that can recover file without a disk image? I know ntfstool seems to do it, but it doesn't seem to be able to automate the collection (set a specific path and file name and then recover) via batch commands, it almost requires a completely manual process and is a bit dumb to select the ID number to recover https://github.com/thewhiteninja/ntfstool#undelete (edited)

GitHub - thewhiteninja/ntfstool: Forensics tool for NTFS (parser, m...

Forensics tool for NTFS (parser, mft, bitlocker, deleted files) - GitHub - thewhiteninja/ntfstool: Forensics tool for NTFS (parser, mft, bitlocker, deleted files)

10:29 PM

RX

Hi folks, is there a tool that can recover file without a disk image? I know ntfstool seems to do it, but it doesn't seem to be able to automate the collection (set a specific path and file name and then recover) via batch commands, it almost requires a completely manual process and is a bit dumb to select the ID number to recover https://github.com/thewhiteninja/ntfstool#undelete (edited)

If you can select the path why are you doing file carving?

randomaccess

If you can select the path why are you doing file carving?

sorry i dont understand, you mean?

RX

sorry i dont understand, you mean?

Why are you trying to carve without a disk image. What are you trying to achieve etc

randomaccess

Why are you trying to carve without a disk image. What are you trying to achieve etc

I am doing IR ,because the attacker deleted the critical web access log and the client's hard disk is 2TB, I want to be able to recover the file without image disk, I also have some clients from different countries that need to be processed remotely, apparently disk image is impractical and will take very much time. (And of course my customers don't want the hard disk to be imaged) (edited)

RX

I am doing IR ,because the attacker deleted the critical web access log and the client's hard disk is 2TB, I want to be able to recover the file without image disk, I also have some clients from different countries that need to be processed remotely, apparently disk image is impractical and will take very much time. (And of course my customers don't want the hard disk to be imaged) (edited)

Bit silly but you can run things like bulk extractor locally. You'll stomp everywhere but that's their call I guess

12:55 AM

Velociraptor can be deployed and has the ability to carve for strings and stuff but yeah. Stomping

1

thank you very much, i will try

2:38 AM

hope its work

@RX Can you deploy forensic tools on the host itself, and browse it? Not ideal, but can you load X-Ways on the host? FTK Imager? Literally load FTK Imager, select the source disk and see if recently deleted items have been deleted? That may be a suitable approach given the constraints (edited)

RX

I am doing IR ,because the attacker deleted the critical web access log and the client's hard disk is 2TB, I want to be able to recover the file without image disk, I also have some clients from different countries that need to be processed remotely, apparently disk image is impractical and will take very much time. (And of course my customers don't want the hard disk to be imaged) (edited)

physical machine or VM? Would they be open to standing up a new VM for you with an iso you provide, and attaching the disk (or a copy) to that vm? (edited)

6:18 AM

so you can do things in a read-only state

DeeFIR 🇦🇺

@RX Can you deploy forensic tools on the host itself, and browse it? Not ideal, but can you load X-Ways on the host? FTK Imager? Literally load FTK Imager, select the source disk and see if recently deleted items have been deleted? That may be a suitable approach given the constraints (edited)

Yeah you can go that route too if you've got the ability. We've def put xways on a USB and loaded that up to identify whether we could do data recovery

Why are dictionary lists for bruteforcing passcodes not in numerical order?

thatboy_leo

Why are dictionary lists for bruteforcing passcodes not in numerical order?

Most popular codes at the beginning so it cracks faster?

1

Does anyone here know much about the imperva waf.. colleague is saying some customers are not getting links, but its fine for our infra team

FullTang

Most popular codes at the beginning so it cracks faster?

Thank you, I was having trouble finding an article or writing from my Google searches lol

1

Hi all - wanted to take the pulse of the community here and see what the various Digital Forensics teams have or are planning on building out for KPIs for their teams. My team is strictly DF in which we assist IR during more complex investigations on one arm and the other arm is conducting internal investigations for various internal stakeholders. Having a hard time coming up with valuable and actionable KPIs that I can either immediately implement or work towards implementing as we mature.

Mags42

Hi all - wanted to take the pulse of the community here and see what the various Digital Forensics teams have or are planning on building out for KPIs for their teams. My team is strictly DF in which we assist IR during more complex investigations on one arm and the other arm is conducting internal investigations for various internal stakeholders. Having a hard time coming up with valuable and actionable KPIs that I can either immediately implement or work towards implementing as we mature.

I also realize this is an extremely broad ask here. I'm simply looking for basic starter metrics that aren't your typical IR metrics like MTTR etc. Most of our investigations do not lead to any requirement of litigation, but we try to prepare as if it does go to litigation. We simply collect, process, analyze, report on whatever request is sent our way.

Mags42

Hi all - wanted to take the pulse of the community here and see what the various Digital Forensics teams have or are planning on building out for KPIs for their teams. My team is strictly DF in which we assist IR during more complex investigations on one arm and the other arm is conducting internal investigations for various internal stakeholders. Having a hard time coming up with valuable and actionable KPIs that I can either immediately implement or work towards implementing as we mature.

What are KPIs? That can mean different things to different people. Speaking for myself it would help to define that so I'm on the same page as you

Andrew Rathbun

What are KPIs? That can mean different things to different people. Speaking for myself it would help to define that so I'm on the same page as you

I’m referring to Key Performance Indicators. For example, simply saying “we handled X # of cases this month” isn’t very valuable because some cases can be open and shut, some may be extremely complex and be open for a very long time, and some may be simple but have large waiting times between points in your process due to 3rd party response lag time, amount of data being processed, etc.

Mags42

I’m referring to Key Performance Indicators. For example, simply saying “we handled X # of cases this month” isn’t very valuable because some cases can be open and shut, some may be extremely complex and be open for a very long time, and some may be simple but have large waiting times between points in your process due to 3rd party response lag time, amount of data being processed, etc.

KPI is way over my head but that's called "metrics" in my world in a previous life. Thank you for clarifying

Andrew Rathbun

KPI is way over my head but that's called "metrics" in my world in a previous life. Thank you for clarifying

Ahhh you might be right, actually. I’m getting KPI and metrics confused and was making them more interchangeable. Essentially I am looking for objective ways to measure my team’s performance on investigations.

Key Performance Indicator

8:35 PM

It’s your measurement

hello guys, I'm currently doing my assignment and i'm really stuck, so i need help :( 1. how do i know the cluster address and sector address of $MFT? 2. how to know the value of date run in $index_allocation_attribute? 3. how do i find which MFT entry contains the txt file? i have a dd file, i will share it out if you need it huge thanks for saving my life and my grades! :(

You may still consider case load and clearance if you have a few parameters in play. For example, say you have cases that are categorized by severity based on impact/risk to an org. Depending on the severity, a team may set standards when those cases reach specific phases. For ordinary cases (priority c), intake/consultation must occur within 4 business days from day of request. Priority A cases must have an intake/consult within 24 hours of request. Then you can calculate the % of cases where intake/consultation meets the expectation for priority a or c cases. Let’s say an imaginary baseline suggests a team can achieve priority c intake standard 95% of the time. You can then assess “performance.” If a team achieves 89% for priority c cases during a single calendar year, that might suggest poor performance or there might be other influential variables. If a team meets the expectation 99% of the time, that may indicate the team is exceeding performance. The challenge with this approach is documenting it consistently and objectively. It might help if you have case management software/solution to do this. @Mags42 (edited)

1

derekeiri

You may still consider case load and clearance if you have a few parameters in play. For example, say you have cases that are categorized by severity based on impact/risk to an org. Depending on the severity, a team may set standards when those cases reach specific phases. For ordinary cases (priority c), intake/consultation must occur within 4 business days from day of request. Priority A cases must have an intake/consult within 24 hours of request. Then you can calculate the % of cases where intake/consultation meets the expectation for priority a or c cases. Let’s say an imaginary baseline suggests a team can achieve priority c intake standard 95% of the time. You can then assess “performance.” If a team achieves 89% for priority c cases during a single calendar year, that might suggest poor performance or there might be other influential variables. If a team meets the expectation 99% of the time, that may indicate the team is exceeding performance. The challenge with this approach is documenting it consistently and objectively. It might help if you have case management software/solution to do this. @Mags42 (edited)

Another idea is to have the team members count the # of training hours (staying current), then tier performance from that, as appropriate.

Hello everyone! My name is George Ioannou and I am a research fellow at Brunel University, London. We are doing research on bringing together Explainable AI with Cyber Incident Response to create an agent that will work as a team with experts as well as novices. We are currently running a small exercise in the form of a survey for training the underlying model which is based on the NIST framework for incident response. The survey can be found in https://brunel.onlinesurveys.ac.uk/xaicsa-questionnaire and is completely anonymous. Your contribution would be very vital to our work. I hope you enjoy the survey and please do not hesitate to post any feedback! Salute

Human Like Computing survey

Online survey BOS

bc

hello guys, I'm currently doing my assignment and i'm really stuck, so i need help :( 1. how do i know the cluster address and sector address of $MFT? 2. how to know the value of date run in $index_allocation_attribute? 3. how do i find which MFT entry contains the txt file? i have a dd file, i will share it out if you need it huge thanks for saving my life and my grades! :(

https://youtu.be/_qElVZJqlGY https://youtu.be/xW5UwDztkX4 https://youtu.be/h8Mb55ox5OE https://youtu.be/iUbHzCAPUE0

13Cubed

Introduction to MFTECmd - NTFS MFT and Journal Forensics

Jonathan Adkins

NTFS Forensics and the Master File Table

ÆTHER Academy

NTFS and MFT

Masudur Rahman

MFT Tutorials - Analyse the header, name attribute and standard inf...

thanks! i'l have a look

5:03 AM

do u mind telling me where is $index_allocation_attribute tho

5:03 AM

i couldnt find it in my codes

FullTang

You might find some resources on one of these two servers. They are more focused on Threat Hunting over there. https://discord.gg/wJDxzwAhgU https://discord.gg/jeekfH9Ghs

Thanks @FullTang I’ll take a look!

1

@bc try using active disk editor on your own system to figure that out

is it for linux?

7:23 AM

because im doing in linux (edited)

RandyRanderson

Key Performance Indicator

Ugh I missed this. @randys KPI. Is number of courses taken divided by 10 plus number of simultaneous projects

question about O365 audit log exports: the web interface seems to be pretty unstable at times. sometimes it has good times and sometimes bad in a sense of throwing errors that the export takes too long even if you do it for a pretty little timeframe (e. g. logs for a particular user only covering like 4 hours). doing the export via powershell is more reliable in that regards but when comparing the logs you get via powershell and the logs via the webinterface (IF it actually runs through) the powershell ones contain tons of redundant rows with one event sometimes covering a lot of rows (also if you adjust the rows to match the one of the web interface and dedupe its basically the same as of the web interface). anyone knows how it is possible to already get rid of those redundant entries at the export phase? yeah I could run some operations on the created csv once the export completely ends. but due to the redundancy the files getting much bigger than they actually have to be. running some test cases basically using the following script https://docs.microsoft.com/en-us/microsoft-365/compliance/audit-log-search-script?view=o365-worldwide and comparing the results with similar textcases exported via the web interface.

Use a PowerShell script to search the audit log - Microsoft Purview

Use a PowerShell script that runs the Search-UnifiedAuditLog cmdlet in Exchange Online to search the audit log. This script is optimized to return a large set of audit records each time you run it. The script exports these records to a CSV file that you can view or transform using Power Query in Excel.

Hello guys. I have mission to unlock Apple iPhone X. Not known what version is running on it. How to unlock the phone without losing data. Help me guys.

9:56 PM

I am using Cellebrite4PC.

Magneto

Hello guys. I have mission to unlock Apple iPhone X. Not known what version is running on it. How to unlock the phone without losing data. Help me guys.

#mobile-forensic-extractions

Hello everyone. Is it possible to find the identity of an Instagram account that was deleted 2 months ago? If yes, how ? How long does Instagram keep data?

If the account is actually deleted and not deactivated or simply renamed, probably not? You’d have to try and ask them unless someone here knows the answer. They make it tough to delete though. Your suspect (if you have one) may still have the confirmation emails in their account. (edited)

the account has been deleted

9:19 AM

instagram not responding

Ah I see you’re private sector. Not sure how you’d go about it, I would send a subpoena.

^^ Perfect example of why we have roles to help provide important context in everyday conversation

(edited)

whee30

Ah I see you’re private sector. Not sure how you’d go about it, I would send a subpoena.

i am freelance also

is there a name for this type of table?

12:28 PM

whats "unique" is the binary yes no answers

matrix?

1

@Magnet Forensics Axiom Process won't start, stuck on the loading screen, tried reinstalling the program without any success. Any tips on how to fix it.

Karl (karsil)

@Magnet Forensics Axiom Process won't start, stuck on the loading screen, tried reinstalling the program without any success. Any tips on how to fix it.

Do you have logging turned on? If so you can send me your crash logs and I can look over them to see what the issue is

rayeh

matrix?

yes lmao thank you.

1

We have a new Cellebrite CTF starting soon : ) Standby for details

️

9

2

1

@Cellebrite - I have noticed this line in the trace window... "Your CPU is not compatible with our media classification engines. Processing time will take much longer."

5:23 PM

I have the GPU support installed and I don't recall seeing this before. Is this a new thing?

whee30

@Cellebrite - I have noticed this line in the trace window... "Your CPU is not compatible with our media classification engines. Processing time will take much longer."

Let me check this. I recall seeing something about this recently. Ill get back to you. Which ver are you using ? (edited)

Does anyone know a script or tool that will convert a CSV file containing time/sender/receiver/text into a WhatsApp template pdf or sms styled template. Like for each entry in the CSV file produce a little text message box similar to what cellebrite/axiom produces

ccbdub

Does anyone know a script or tool that will convert a CSV file containing time/sender/receiver/text into a WhatsApp template pdf or sms styled template. Like for each entry in the CSV file produce a little text message box similar to what cellebrite/axiom produces

I'll add a feature request for us to support this in AXIOM via custom artifacts. Curious which app the csv file has come from to begin with, since perhaps it's one we should be supporting to begin with?

@Mel_Hungate thanks very much for the response, it's an SQL dump that I've converted to CSV for investigators. They now want it prepared for court and I think showing the messages as they would appear on device is preferable. It's not something we got from device

ccbdub

@Mel_Hungate thanks very much for the response, it's an SQL dump that I've converted to CSV for investigators. They now want it prepared for court and I think showing the messages as they would appear on device is preferable. It's not something we got from device

This free Magnet tool might be helpful for how you want to present evidence: https://www.magnetforensics.com/resources/magnet-app-simulator/

MAGNET App Simulator - Magnet Forensics

MAGNET App Simulator: What Does it Do? MAGNET App Simulator lets you load application data from Android devices in your…

@Deleted User thanks I'll take a look like I say these messages aren't from a device there from server side so I've a dump of db, then I went from SQL to csv

10:18 AM

A script that produced html bubbles like axiom does for Whatsapp etc.. would be ideal

Hello, anyone here work on insider threats / internal investigations? Working to formalize a program at my org and looking for resources. I have checked out the MITRE KB and also the guide from CISA.

caroline_l

Hello, anyone here work on insider threats / internal investigations? Working to formalize a program at my org and looking for resources. I have checked out the MITRE KB and also the guide from CISA.

What kind of resources are you looking for? I don't think CISA and MITRE would really apply to those types of cases, right? I think of insider threat as more like employee who is about to be fired steals confidential files before they leave, not so much deploying malware/ransomware, but I suppose those could be internal jobs as well

‍♂️ I guess it depends on the type of cases you perceive insider threats to be which would then determine what kind of resources you're looking for

Ransomeware gangs have tried to pay employees to install ransomeware on their corporate networks to get there foothold in the past. And it’s one of the oldest TTPs for nation state actors to pay or blackmail someone on the inside to get access so I would still look at those on a insider threat program. A mature insider threat program also needs to protect all aspects of the organization and not just the digital assists or assets threatened by network attacks. While our piece in it does revolve around network and host based detection methods it needs to look at low of the threats to the organization that could be detect from a users network behavior and chat/email conversations.

3:13 AM

You need to start with policy that is enforceable by the organizational leadership and then build technical controls around that. If there isn’t leadership buy in to take action then the detection tools don’t help that much other than let you know something will happen and you can’t do anything about it. User Activity Monitoring tools are also very invasive and can have privacy concerns so you need policy, consent to monitor, and acceptable use agreements for employees to sign to make it all legal. If the organization has a legal team they should be invoked in the process as a stakeholder to make sure everything is covered from a legal aspect. (edited)

1

caroline_l

Hello, anyone here work on insider threats / internal investigations? Working to formalize a program at my org and looking for resources. I have checked out the MITRE KB and also the guide from CISA.

Some more resources here as well https://www.sei.cmu.edu/our-work/insider-threat/

Insider Threat | Software Engineering Institute

The SEI conducts research, modeling, analysis, and outreach to develop data-driven, socio-technical solutions that help organizations reduce the impact and likelihood of insider threats.

1

Thank you @ApexPredator and @tklane

1:32 PM

@Andrew Rathbun CISA actually has a guide specific for Insider Threats and MITRE has developed an Insider Threat TTP knowledge base for it.

1:38 PM

We already have a lot things in place in terms of leadership/legal/privacy etc. just trying to formalize more.

1:39 PM

For reference here is a link to the MITRE KB: https://medium.com/mitre-engenuity/launching-a-community-driven-insider-threat-knowledge-base-20a249acb2f

Launching a community-driven insider threat knowledge base

Written by Adam Hlavek, Shelley Folk, Suneel Sundar, and Jon Baker.

Once upon a time I had seen a website with a huge pie chart showing the logos and names of a bunch of categorized social media services, it was DFIR/OSINT related but basically it just named and categorized a ton of services. Anyone have a clue? My Google-fu is failing.

caroline_l

Hello, anyone here work on insider threats / internal investigations? Working to formalize a program at my org and looking for resources. I have checked out the MITRE KB and also the guide from CISA.

Hi Caroline, I work in insider threats. Not so much from the strategic program point of view, but as an investigator. If there's anything I can help with, shoot me a PM.

1

whee30

Once upon a time I had seen a website with a huge pie chart showing the logos and names of a bunch of categorized social media services, it was DFIR/OSINT related but basically it just named and categorized a ton of services. Anyone have a clue? My Google-fu is failing.

conversation prism maybe? or if not, did it look like anything similar? https://www.uonsupportforbusiness.co.uk/wp-content/uploads/2018/05/JESS3_BrianSolis_ConvoPrism_Digital-Final_V3.2-02-2.png

1

2:54 AM

and multiple renditions using different graphics https://jess3.com/projects/brian-solis-conversation-prism-v5/ (looks like they used the prism to show off their design service tho) (edited)

@Magnet Forensics I am attempting to access your magnetidealab.com site for the chromebook acquisition assistant and its blocking my IP on mobile and hotspot. Do you have a direct download available?

Hello Ricardo, if you could DM me your IP address I can whitelist it for you (edited)

Hi, I'm working on documentation for a company. We wanted to go over all the different topics where DF might come up. I was writing an article on printer forensics. So far we have documentation on SPL file and EMF files, as well as some registry keys. Does anyone know any other files we should add?

Question for those archiving evidence and case files after case closure, what are your standard processes for keeping these files? And are they secured on an encrypted drive or share? Do you use physical locks like a safe or something?

Digitalferret

conversation prism maybe? or if not, did it look like anything similar? https://www.uonsupportforbusiness.co.uk/wp-content/uploads/2018/05/JESS3_BrianSolis_ConvoPrism_Digital-Final_V3.2-02-2.png

That’s the one! Thank you, I forgot to bookmark last time I saw it.

1

stark4n6

Question for those archiving evidence and case files after case closure, what are your standard processes for keeping these files? And are they secured on an encrypted drive or share? Do you use physical locks like a safe or something?

My prior agency had a workflow that went like this: CURRENT YEAR CASES U:/Workspace/Task Force Agency/Examiner (Current year cases stored on local lab server but backed up to off-site mirror) PRIOR 5 YEAR CASES U:/Archive/2021/TFA/Examiner (prior 5 year cases stored on main agency servers but backed up to off-site mirror) BEYOND 5 YEAR CASES Offsite Tape Vaulting (Iron Mountain or similar) Statutory storage minimum requirements also come into play depending on the type of case (Homicide, Sexual Assault, Property Crimes etc)

1

Tim F

My prior agency had a workflow that went like this: CURRENT YEAR CASES U:/Workspace/Task Force Agency/Examiner (Current year cases stored on local lab server but backed up to off-site mirror) PRIOR 5 YEAR CASES U:/Archive/2021/TFA/Examiner (prior 5 year cases stored on main agency servers but backed up to off-site mirror) BEYOND 5 YEAR CASES Offsite Tape Vaulting (Iron Mountain or similar) Statutory storage minimum requirements also come into play depending on the type of case (Homicide, Sexual Assault, Property Crimes etc)

thanks for the reference, looking more from a corporate side but still great info

1

S3 Glacier Archive works well and is fairly cheap for long term

Check your company's policy regarding PII and the cloud tho

Hi! I am currently performing an investigation with help of 365 audit logs. something that I noticed when looking at the details field are all the app IDs. I was wondering if it is possible to perform a mapping of app IDs to a friendly name. I managed to resolve some of them by checking enabled applications (PS: Get-App and Get-AzureADApplication) but still see many "blanks" that I cannot resolve. I also found a few lists of standard App-IDs. Sadly the microsoft documentation seems to not leave too many words about the different app IDs used in the audit logs (applicationID, appID, clientappID, application, ...) that would help in my search. But maybe someone did already a lot with them and can maybe help with some additional references.

.yuzumi.

Hi! I am currently performing an investigation with help of 365 audit logs. something that I noticed when looking at the details field are all the app IDs. I was wondering if it is possible to perform a mapping of app IDs to a friendly name. I managed to resolve some of them by checking enabled applications (PS: Get-App and Get-AzureADApplication) but still see many "blanks" that I cannot resolve. I also found a few lists of standard App-IDs. Sadly the microsoft documentation seems to not leave too many words about the different app IDs used in the audit logs (applicationID, appID, clientappID, application, ...) that would help in my search. But maybe someone did already a lot with them and can maybe help with some additional references.

We're in our infancy with the product so I'd be interested to see a mapping as well

@Cellebrite tried a couple times to get in touch with someone in sales with some questions I have about capabilities through the contact form to no avail. Can anyone PM me or point me in the right direction please? Thank you!

Hey

7:35 AM

send me a dm and I can it moving.

1

RyanAllegra

Hi, I'm working on documentation for a company. We wanted to go over all the different topics where DF might come up. I was writing an article on printer forensics. So far we have documentation on SPL file and EMF files, as well as some registry keys. Does anyone know any other files we should add?

Going to bump this- just wanted to make sure I have all the artifacts

RyanAllegra

Going to bump this- just wanted to make sure I have all the artifacts

When you say printers, does that include drivers?

Matt

When you say printers, does that include drivers?

Sure-- although I am not familiar on how you would go about doing that.

I was thinking purely from a “which printers might the user have used” perspective. I’ve not really come across printer drivers in DF but thought it might be worth throwing the idea in…

I've seen people use a file system timeline to infer printer usage but not much is logged as far as I can see about printing on windows

if you have internal network netflow, or edr, network connections by process or port might be useful to detect/audit printing activity

can anyone give me two good analysis tools to conduct a malware analysis? (edited)

Hi all. Has anyone had any luck with a Samsung A03s MTK 6765 android OS 11? Not having much luck with UFED or XRY

Hi! Is there a way to make the links (web history) in a PDF Cellebrite report not clickable ? I have looked in the settings and I can't find anything. Thanks @Cellebrite

bc

can anyone give me two good analysis tools to conduct a malware analysis? (edited)

any part of malware analysis in particular? Take a peek at the tools deployed with flare vm

bc

can anyone give me two good analysis tools to conduct a malware analysis? (edited)

Good morning! Axiom is an extremely powerful tool for analyzing malware/memory. Check out our high level view video's about Axiom's capabilities here:https://www.magnetforensics.com/resources/axiom-at-work-malware-investigations/

AXIOM at Work: Malware Investigations - Magnet Forensics

2

Hey, I'm having an issue with AXIOM. Creating a HTML report and it has videos. The report itself has a picture of the video in the 10 photo preview format, but there is no hyperlink to actually click and see the video. The video is in the attachments folder but it's not accessible from the HTML. This will be for court and I don't want to confuse the DA :). @Magnet Forensics

For those of you who need to keep multiple mobile devices on power and organized, what are you using? I'm considering a simple file organizer for the envelopes they're kept in with a long powerstrip mounted next to it. Getting them off of the desk seems like a nice space saving step.

1:22 PM

something like this... I'm sure there are all in one solutions somewhere

whee30

For those of you who need to keep multiple mobile devices on power and organized, what are you using? I'm considering a simple file organizer for the envelopes they're kept in with a long powerstrip mounted next to it. Getting them off of the desk seems like a nice space saving step.

I think you're looking for a multi device charging station like so: https://www.amazon.ca/Charging-Compatible-Multiple-Simultaneously-Upgraded/dp/B072BXXWDW?th=1

Unitek USB Charging Station for Multiple Devices, Charger Organizer...

Desktop USB Fast Charging Station Charges up to 10 USB devices simultaneously with 1 power supply. 11 baffles allow you to divide the area up to match your devices, holding a large number of gadgets. It is an ideal solution for you to charge all your power-hungry devices easily. It's suitable for...

marketloser

Hey, I'm having an issue with AXIOM. Creating a HTML report and it has videos. The report itself has a picture of the video in the 10 photo preview format, but there is no hyperlink to actually click and see the video. The video is in the attachments folder but it's not accessible from the HTML. This will be for court and I don't want to confuse the DA :). @Magnet Forensics

Hey @marketloser , When you're in the process of creating the HTML Report, there is a check box titled "Make External Links Clickable" when you're within the wizard itself (See Screen Shot). Once you check that box, navigate to the HTML Report, and when you scroll to the right, you should see the hyperlink that points to the file in the HTML Report folder structure. Let me know if this solves the issue!

So fancy and purpose built... I like it

1

whee30

So fancy and purpose built... I like it

This is what we use in our global CAS labs: https://ipadcarts.com/rack-mounts/

Dag Gonzalez

Rack Mount Solutions for Mobile Device Managers and UniDock Smart H...

Healthcare Rack Mount Solutions Mobile Device Managers and UniDock For the large scale storage, security and management of mobile devices, Datamation Systems has developed a 19″ rack mount system that is perfect for applications in healthcare, retail and hospitality

2

Tim F

Hey @marketloser , When you're in the process of creating the HTML Report, there is a check box titled "Make External Links Clickable" when you're within the wizard itself (See Screen Shot). Once you check that box, navigate to the HTML Report, and when you scroll to the right, you should see the hyperlink that points to the file in the HTML Report folder structure. Let me know if this solves the issue!

Thanks @Tim F , Apparently you cant do it from a portable case though, only through an actual case.

Anyone recommend a PDF password remover?

marketloser

Thanks @Tim F , Apparently you cant do it from a portable case though, only through an actual case.

Ok thanks for letting me know!

bc

can anyone give me two good analysis tools to conduct a malware analysis? (edited)

Ghidra, Ida

6:48 PM

If you can’t afford Ida , next would be Binary Ninja

hello all, can anyone tell me the difference between hard disk forensics and memory forensics?

‍♂️

whee30

something like this... I'm sure there are all in one solutions somewhere

Our lab uses, a laptop charging cart that looks similar to this

whee30

something like this... I'm sure there are all in one solutions somewhere

1

bc

hello all, can anyone tell me the difference between hard disk forensics and memory forensics?

‍♂️

One is analysing data stored on a hard disk. Generally less volatile One is analysing data stored in memory. Generally more volatile

4:07 AM

But, I don't know if that's answering your question

randomaccess

One is analysing data stored on a hard disk. Generally less volatile One is analysing data stored in memory. Generally more volatile

thank you, i'll try to understand more online

anyone in here have a background with Hikvision NVR's?

GrayTech

anyone in here have a background with Hikvision NVR's?

maybe echo in #dvr-multimedia-surveillance

Deleted User

Anyone recommend a PDF password remover?

Have not come across any but Hashcat may be able to crack it.

12:11 PM

@Deleted User thanks! We have Passware running agains it, just thought if I can remove it saves us the time...not evidence or anything

1

Deleted User

@Deleted User thanks! We have Passware running agains it, just thought if I can remove it saves us the time...not evidence or anything

I’ve had good success with Passware for password protected word documents in past cases.

How do I get into cyber forensics

Read books, study hard, learn lots of cool stuff.

Deleted User

How do I get into cyber forensics

and once you've done that, go buy some old drives from ebay or such ... grab some FOSS or trial s/w, see what you can find (check your country legals first) and be damn quiet about anything you do find

that's the data recovery part. if that "floats your boat" then start looking at what Law requires you do and how you do it. (edited)

Oh cool thanks so much!!!!

Also checkout some CTFs

12:07 AM

BTOL is great

Will do, thank you!!!

12:08 AM

Hack the box also has a forensics section

12:08 AM

Maybe to wet your whistle

12:08 AM

12:09 AM

https://blueteamlabs.online/

Blue Team Labs Online

A gamified platform for cyber defenders to test and showcase their skills

12:10 AM

https://www.hackthebox.com/

Hacking Training For The Best

From beginners to experts, this is where hackers level up! Join today and learn how to hack.

12:10 AM

There is also INE and Packt has some great content

12:10 AM

Packt is the cheaper option

@Deleted User now look, you've set Ry off

but that's the level of excitement you need to carry a career in this. being an incurable nosey bast*** helps too

(edited)

12:14 AM

I’m supposed to be sleeping but wifey snores like a wilderbeast and guess who forgot to buy earplugs xD

12:15 AM

Heading to Home Depot in the Morning that’s for sure

Lol

12:18 AM

I’m also supposed to be sleeping but oh well, I’ve got the entire day to now that I’m on summer break for college

Excellent! Perfect time to jump into some of those platforms

Yes!!!

2

ryd3v

I’m supposed to be sleeping but wifey snores like a wilderbeast and guess who forgot to buy earplugs xD

Dear Mrs Ry, so, your husband tells us.....

Lmao

Busted bahahahaha

of course mine does no such <cough> thing. <cough> at all <cough> .

The National Institute of Standards and Technology (NIST) has published Digital Investigation Techniques: A NIST Scientific Foundation Review. This draft report, which will be open for public comment for 60 days, reviews the methods that digital forensic experts use to analyze evidence from computers, mobile phones and other electronic devices. https://www.nist.gov/news-events/news/2022/05/nist-publishes-review-digital-forensic-methods

NIST Publishes Review of Digital Forensic Methods

Report documents the scientific foundations of digital evidence examination and recommends ways to advance the field.

1

Deleted User

How do I get into cyber forensics

Check out my page, lots to get you going https://startme.stark4n6.com

Forensics - start.me

A startpage with online resources about Forensics, created by Stark 4N6.

@Law Enforcement [UK] Afternoon all, have any UK LEA's come away from mass used mobile extraction kiosks?...or are kiosks in operation in your agency that are used by a large number of officers? Would you mind DM'ing me please

ApC

@Law Enforcement [UK] Afternoon all, have any UK LEA's come away from mass used mobile extraction kiosks?...or are kiosks in operation in your agency that are used by a large number of officers? Would you mind DM'ing me please

I'm unsure of the question, are you asking which Kiosks we use for routine data extraction?

stark4n6

Check out my page, lots to get you going https://startme.stark4n6.com

Cool thank you!!

1

Anyone got a good tool for opening and modifying large (>1GB) JSON files? Notepad++ is not up to the task

Lewis

Anyone got a good tool for opening and modifying large (>1GB) JSON files? Notepad++ is not up to the task

Try sublime text

Lewis

Anyone got a good tool for opening and modifying large (>1GB) JSON files? Notepad++ is not up to the task

Try VIM

splitting the json files could be an option

6:30 AM

https://github.com/superolmo/BigFiles

GitHub - superolmo/BigFiles: Notepad++ Plugin for reading large files

Notepad++ Plugin for reading large files. Contribute to superolmo/BigFiles development by creating an account on GitHub.

Lewis

Anyone got a good tool for opening and modifying large (>1GB) JSON files? Notepad++ is not up to the task

Vscode

Lewis

Anyone got a good tool for opening and modifying large (>1GB) JSON files? Notepad++ is not up to the task

maybe try the demo of EditPadPro :

Edit huge files without breaking a sweat, including files larger than 4 GB, even if your PC only has a few GB of RAM. Also, the maximum length of a single line is not limited, which is a problem with many editors claiming to support “unlimited” file sizes.

https://www.editpadpro.com/editpadpro.html

1

Digitalferret

maybe try the demo of EditPadPro :

Edit huge files without breaking a sweat, including files larger than 4 GB, even if your PC only has a few GB of RAM. Also, the maximum length of a single line is not limited, which is a problem with many editors claiming to support “unlimited” file sizes.

https://www.editpadpro.com/editpadpro.html

EditPad Pro is the truth. Use it everyday. For JSON, UltraEdit is already great. There's a really nice JSON and XML manager which helps deal with those structured data types

Anyone dealing with the BPFdoor malware?

Hey everyone, just wanted to know what you all think system specs should be for a cell-phone forensics specific workstation. Generally going to be primarily a machine for Cellebrite PA as most of our phones are done through this, but it is entirely possible for additional software.... Our current machine is 6+ years old and obviously a lot has changed over the last few years. It still does the job, but hopefully we can get something that will decode extractions a little faster since phones are getting bigger. basically looking for i7vsi9vsxeon sort of thing (obviously AMD is acceptable too). we know generally more ram is just better. video card worth it in a machine like this (does it support GPU accelerated processing, decoding, or loading of visuals/thumbnails/videos)? prebuilt from dell, hp, etc. or spec out parts (which is less desirable)? I tried finding general specs of forensic machines that Cellebrite offers but they are general "up to 128 gb of ram" type specs. and could not find what PA recommends, but did message @Cellebrite . Also, I am not sure if this is a "me issue" or whats happening but the form on the forensic workstation page does not load:

1:02 PM

kmacdonald1565

Hey everyone, just wanted to know what you all think system specs should be for a cell-phone forensics specific workstation. Generally going to be primarily a machine for Cellebrite PA as most of our phones are done through this, but it is entirely possible for additional software.... Our current machine is 6+ years old and obviously a lot has changed over the last few years. It still does the job, but hopefully we can get something that will decode extractions a little faster since phones are getting bigger. basically looking for i7vsi9vsxeon sort of thing (obviously AMD is acceptable too). we know generally more ram is just better. video card worth it in a machine like this (does it support GPU accelerated processing, decoding, or loading of visuals/thumbnails/videos)? prebuilt from dell, hp, etc. or spec out parts (which is less desirable)? I tried finding general specs of forensic machines that Cellebrite offers but they are general "up to 128 gb of ram" type specs. and could not find what PA recommends, but did message @Cellebrite . Also, I am not sure if this is a "me issue" or whats happening but the form on the forensic workstation page does not load:

128 GB of ram, then allocate enough of that RAM to a RAM disk, throw your .bin or whatever on there, parse it out at wrap speed* and then analyze off the RAM Disk

*this claim is purely theoretical and has not been tested, please do try out at home and let me know how it goes

Lol

Joking but not joking at the same time. Benchmarks don't lie. That'll just make it goes as fast as whatever you next bottleneck is, which definitely won't be your I/O speed from the RAM (edited)

So I have a friend in the Ukraine helping out, and they are using Drones (not military drones) just standard ones used for recon. does anyone here have any good ideas on OPSEC with regards to using these drones? Like OPSEC for poiloting drones, as they will be using that for supply runs and security, QRF and extractions. Artiterllery can be directed to RTH and controller posoitions so he will be securing those drones and training those guys and plug them into an aerial threat intel feed. Is anyone here good with drone security? As these drones are going to be flown on the frontline and my friend needs to make sure its as secure as possible. I understand these drones communicate over unencrypted radio frquencies, and there is no detecting and jammingcapabilities out there. Does anyone know of any implementable countermeasures i.e anti jamming and detection avoidance mechnaisms that could be integrated into the drone?Or any other hardening capabailities?Also in terms of DJI or any other commercial drone vendor obtaining real time GPS and usage data etc I suppose using a device with no SIM and never connecting it to any network for an uplink should mitigate that factor as RF is limited with its reach. seperatly, in terms of cellular opsec, can a foreign phone be used with a foreign SIM?or can the IMEI number and any other device ID's be correlated and idenitified as a foreign device? Or is it just the foreign SIM itself? Im unsure how these may be detected, either infiltration to Ukraines cellular/network porivider or with stingrays/dirtboxes. Im unsure what data stingrays or dirt boxes pull or how that equipment works but all i know is that russia has been directing strikes and artilerry to foreign phone locations.

2:34 PM

my friend is guessing getting a burner phone is probably the best idea. So what are peoples thoughts? Is anyone here good with cellular security/drone security?

Paint it black

6:53 PM

Disconnect leds

6:54 PM

Sorry I’m out of ideas as it’s a public product xD

6:55 PM

Everything your asking is basically upgrading it to reaper ,

6:56 PM

But when I get to my pc I’ll break that up into paragraphs and see if I get any ideas

Andrew Rathbun

128 GB of ram, then allocate enough of that RAM to a RAM disk, throw your .bin or whatever on there, parse it out at wrap speed* and then analyze off the RAM Disk

*this claim is purely theoretical and has not been tested, please do try out at home and let me know how it goes

Does PA really benefit from 128GB RAM? I’ve rarely seen it eat that much. We’ve just received some i9-12900k machines. Currently 64GB but could look to put more in if it could be justified

busted4n6

Does PA really benefit from 128GB RAM? I’ve rarely seen it eat that much. We’ve just received some i9-12900k machines. Currently 64GB but could look to put more in if it could be justified

He's not saying 128GB is needed for PA. He's saying have that much RAM so that you can create a RAM disk to process phone extractions from.

1

Can anyone from @MSAB spare some time to chat?

AmNe5iA

He's not saying 128GB is needed for PA. He's saying have that much RAM so that you can create a RAM disk to process phone extractions from.

Ahhhhh. Rtfm. That’s a good idea which we can try

busted4n6

Does PA really benefit from 128GB RAM? I’ve rarely seen it eat that much. We’ve just received some i9-12900k machines. Currently 64GB but could look to put more in if it could be justified

I have 64GB and it hardly uses that, unless you get greedy and simultaneously have 5x or so PA instances decoding.... The biggest RAM hogs seem to be things like AXIOM etc when they are unpacking stuff. (edited)

kmacdonald1565

Hey everyone, just wanted to know what you all think system specs should be for a cell-phone forensics specific workstation. Generally going to be primarily a machine for Cellebrite PA as most of our phones are done through this, but it is entirely possible for additional software.... Our current machine is 6+ years old and obviously a lot has changed over the last few years. It still does the job, but hopefully we can get something that will decode extractions a little faster since phones are getting bigger. basically looking for i7vsi9vsxeon sort of thing (obviously AMD is acceptable too). we know generally more ram is just better. video card worth it in a machine like this (does it support GPU accelerated processing, decoding, or loading of visuals/thumbnails/videos)? prebuilt from dell, hp, etc. or spec out parts (which is less desirable)? I tried finding general specs of forensic machines that Cellebrite offers but they are general "up to 128 gb of ram" type specs. and could not find what PA recommends, but did message @Cellebrite . Also, I am not sure if this is a "me issue" or whats happening but the form on the forensic workstation page does not load:

I would recommend against Dell / HP . Their off the shelf solutions are pretty hard to spec appropriately for DF work and you don't get much for your money. They also use weird proprietary parts. I would build your own or use a local vendor that can build you an appropriate machine with warranty. For example we use places like Metabox for our laptop builds. Get as much SSD as you can afford as storage is usually the bottleneck.

AdamB

Can anyone from @MSAB spare some time to chat?

Could do, what’s up?

busted4n6

Does PA really benefit from 128GB RAM? I’ve rarely seen it eat that much. We’ve just received some i9-12900k machines. Currently 64GB but could look to put more in if it could be justified

I haven't used PA in 3 years so

‍♂️ I didn't know about RAM disks back then but I do now yet I have no ability to test it on that specific software. Sorry!

5:12 AM

If you want to reduce I/O bottlenecks, get a large NVMe M.2 for your processing drive (and ideally OS drive). I think plenty of models of motherboards have 2x or more M.2 slots. If you look at the benchmarks for NVMe vs SATA, it's quite a difference. This speed chart gives you the general idea even though you could probably find more professionally tested benchmarks elsewhere.

Erumaro

Could do, what’s up?

Thanks Tobias, I have sent you a message

1

busted4n6

Does PA really benefit from 128GB RAM? I’ve rarely seen it eat that much. We’ve just received some i9-12900k machines. Currently 64GB but could look to put more in if it could be justified

In my opinion, yes having the RAM does help prevent crashing, but when the new version of PA is released, you shouldn’t need to max out the RAM.

ScottKjr3347

In my opinion, yes having the RAM does help prevent crashing, but when the new version of PA is released, you shouldn’t need to max out the RAM.

so the new pa will not put as much strain on the ram memory? do you know if PA 8.0 will released this month? (edited)

chrisforensic

so the new pa will not put as much strain on the ram memory? do you know if PA 8.0 will released this month? (edited)

It still requires RAM but isn’t a hog like the current version. I would still recommend getting as much ram as possible, but just wanted to mention it’s not as bad on the new version. I have no idea of the release date.

@kmacdonald1565 when looking at a new forensic machine, search this forum for issues with Intel Processors and the time it takes to process Android records vs AMD Threadripper's.

Anybody recognize this SIM card carrier? Orange on the back.

Cole

Anybody recognize this SIM card carrier? Orange on the back.

T-mobile possibly?

Rob

T-mobile possibly?

I'm guessing its a MVNO that uses tmobile networks. When I reverse Google image searched it, it came up with some Boost Mobile results, which matches the orange, but I have no way of comparing the two. I couldn't find the GD anywhere. (edited)

Cole

I'm guessing its a MVNO that uses tmobile networks. When I reverse Google image searched it, it came up with some Boost Mobile results, which matches the orange, but I have no way of comparing the two. I couldn't find the GD anywhere. (edited)

Should be able to find out either way via the full iccid

Gotcha. I don't have access to those fancy databases. Maybe I'll have one of the agents look it up and see if we can determine the MVNO.

2

so 89 is telecom standard, 01 is USA, 240 seems to be Tmobile based on the google machine

10:31 PM

http://phone.fyicenter.com/1155_ICCID_SIM_Card_Number_Checker_Decoder.html

ICCID/SIM Card Number Checker/Decoder

How to check and decode SIM Card Number? To help you to obtain detailed information from the SIM (Subscriber Identity Module)

1

10:33 PM

You can also download the SIM and decode the IMSI for the "current" service... The MCC and MNC should tell you who to reach out to

10:34 PM

ICCID really only gets you who issued the card originally, not who services the SIM currently

Cole

Gotcha. I don't have access to those fancy databases. Maybe I'll have one of the agents look it up and see if we can determine the MVNO.

<cough> the truth is out there ... <cough>

4

Have any of you done virtual world forensics? For example: SecondLife, GTA5 Online, IMVU, etc? It's something I've always been interested in, but the only real research I've seen was published in 2012.

DFE Travis

Have any of you done virtual world forensics? For example: SecondLife, GTA5 Online, IMVU, etc? It's something I've always been interested in, but the only real research I've seen was published in 2012.

That sounds very interesting, never heard of anyone even attempting it! What would you do forensics on? I guess you could pull local client files and information from a personal computer, but my understanding is most of the information is stored on the MMO server. So maybe you could find enough information to subpoena the company? I don't think chat logs would be stored anywhere, and stuff like player inventory is definitely server-side. Character name(s) and friends lists might have a copy client-side. This is all just off the top of my head combining my knowledge of digital forensics and my years of gaming experience lol.

DFE Travis

Have any of you done virtual world forensics? For example: SecondLife, GTA5 Online, IMVU, etc? It's something I've always been interested in, but the only real research I've seen was published in 2012.

AFAIK, SecondLife chat is an Axiom artifact but never seen anything useful from it.

Rob

AFAIK, SecondLife chat is an Axiom artifact but never seen anything useful from it.

A quick Google search says you are right. There are local logs of Second Life chat history saved client side. Who knew?

9:15 AM

Looks like Second Life stores quite a bit of info client side. Logs and such.

It does, which is good for us lol

1

9:20 AM

I spoke to my supervisor and he's okay with me doing some research on it, so this will be fun

Gaming for work to see what information is logged clientside. Good times!

FullTang

Gaming for work to see what information is logged clientside. Good times!

Adult websites and gaming are the 2 most common vectors I come across when profiling. Steam is like the Yellow Pages for threat actors.

Yeah I was going through our past case database and noticed a couple that involved ageplay on virtual worlds

9:51 AM

http://www.identatron.co.uk/papers/morris_2012.pdf

9:52 AM

^ This is the paper if anyone was curious

1

This has me going down a mental rabbit hole trying to figure out types of criminal activity that can occur over video games and information logged by the client of the video game to aid in the prosecution of that crime. The biggest thing would be chat logs for any video game because anything could be discussed related to any crime. Friends lists would be useful to identify other suspects or victims. CSAM cases are common, and sometimes fraudsters wash funds with the purchase and sale of digital currency/items. So any info showing the amount of in-game money or inventory an account has would be useful, but any game used for washing funds shouldn't have the info editable by the client, it could be logged somewhere though? Now I just need to figure out how to get a supervisor like @DFE Travis has who will approve me playing video games for work lol.

For Second Life specifically, it has its own exchange. So it's entirely possible to launder through that platform

Yep, never really played it and I just started reading the paper you linked, thanks!

It's a wild west over there, enjoy the rabbit hole haha

1

You might find this interesting -- a number of years ago (erm 2009, I'm aging myself here...), a Law Enforcement Guide leaked out of Blizzard for World of Warcraft. This appears to be a legitimate copy of the guide. https://cryptome.org/isp-spy/blizzard-spy.pdf

Anyone experiencing problems with ufed having trouble with partial logical extraction?

5:39 PM

Seems to be an issue with itune encrypted iphones

5:39 PM

And even if i reset the settings it'll fail

5:40 PM

3rd phone this week

@DefendingChamp #mobile-forensic-extractions

On the subject of games.. Something that's had my noggin joggin for a while, what options are available for extractions for modern consoles? I've been thinking mainly about the xbox one because I'd like to not have to think about anything beyond the Microsoft ecosystem for now to keep it simple. I was thinking it must be relatively simple to develop an app that could be sideloaded that may find more than just doing a manual review. I've since found there are some remote utilities as well to access storage (https://docs.microsoft.com/en-us/gaming/gdk/_content/gc/system/overviews/local-storage) however access to these utilities and their documentation are subject to an NDA, so I'd need to sign up as a partner to get access, which is for commercial entities not individuals, and my guess is that there would be difficulty in registering my force as a game developer

so my question, anyone else delved down this rabbit hole? I know we don't get many consoles seized, but I wonder if this is because historically the outcome has impacted the demand

Local storage on Xbox console - Microsoft Game Development Kit

Describes the temporary local storage available to titles on Xbox consoles and how to access temporary locally stored data, installed game data, and the developer scratch partition.

I got an Xbox 360 to examine on a CSAM case but I didn’t have a donor console for a manual examination. I made an .E01 of the removable HD and did a byte level carve for .jpg images. I found CSAM, but without the file system info it was the equivalent of carving photos from unallocated space. If the examiner were to find photos of a known victim on the suspect’s console (or via versa) that could be very useful, but fortunately I had other devices in this case that were better evidence than what I found on the console.

Played around with a PS4 once but the file system is encrypted. Found research where some folks simply went through the console and output it to a video card. I suspected the browser would be an Achilles heel and sure enough I found a YouTube video (forgotten it’s title) where a guy loaded an exploit via the browser.

@FullTang looks like the 360 uses FATX https://free60.org/FATX/

1

FullTang

I got an Xbox 360 to examine on a CSAM case but I didn’t have a donor console for a manual examination. I made an .E01 of the removable HD and did a byte level carve for .jpg images. I found CSAM, but without the file system info it was the equivalent of carving photos from unallocated space. If the examiner were to find photos of a known victim on the suspect’s console (or via versa) that could be very useful, but fortunately I had other devices in this case that were better evidence than what I found on the console.

360s can be examined via Axiom

1

10:12 AM

All other Xboxs and PlayStations you're stuck with doing a manual and then taking photos and reporting those photos.

1

CloudCuckooLand

@FullTang looks like the 360 uses FATX https://free60.org/FATX/

Great info, thanks guys! @Rob (edited)

We are starting to see a few consoles now as well. Would be a good little research project for someone. At the moment we are usually limited to capturing it via HDMI

I briefly started some research into getting a Rubber Ducky to interact with a PS4 console. I believe there is a GitHub repo for this server. Suggestion: those of us interested kick off a project to map and document DFIR for consoles.

Sorry if this has been asked. Any drawbacks to upgrading a forensics workstation to Windows 11? I wasn't sure if there have been any performance or compatibility issues identified with the usual set of tools (Axiom, Cellebrite, FTK, etc.)

Yep, probably the worse windows to date.

anecdotal but, based on (mainly domestic) customers experience of upgrading their machine with the older version of Win in situ, I'll normally give it a couple of years after initial release so MS can get their shit together w/ issues/patches/bugs etc. can't speak to brand new h/w pre-installed other than having to shore up the [Express Setup - trust us, no really - it'll be ok] settings that tailor it to MS monitoring/marketing rather than one that favours the client's privacy and so forth.

AtomicDI

Sorry if this has been asked. Any drawbacks to upgrading a forensics workstation to Windows 11? I wasn't sure if there have been any performance or compatibility issues identified with the usual set of tools (Axiom, Cellebrite, FTK, etc.)

I upgraded a laptop to test it out and have not had any issues with axiom or ftk. I briefly used Cellebrite PA on it with out issues.

@dfir_rick Thanks for the feedback!

I've been using Windows 11 since the beta in June 2021 or whatever. I'd suggest sticking to Windows 10 for a couple more years, honestly. It's overall a net feature loss plus there's some cool security features coming soon that may move the needle on my current opinion, but for now, Windows 10. Stay tuned for 22H2 and see how that turns out. Only yearly updates now instead of every 6 months.

3

AtomicDI

Sorry if this has been asked. Any drawbacks to upgrading a forensics workstation to Windows 11? I wasn't sure if there have been any performance or compatibility issues identified with the usual set of tools (Axiom, Cellebrite, FTK, etc.)

Cellebrite Physical Analyzer has been force closing on my two laptops since upgrading to Windows 11. Cellebrite could only suggest downgrading because it’s not officially supported. (edited)

@Joe Schmoe Thank you! I'll hold off for a while longer.

I’d say use a Linux host and if you need windows use a vm. At least you can do snapshots etc. imo windows 10 was better than 11

8:27 PM

I’ve de-windows my entire house now too. Even converted all servers to Linux

1

FullTang

This has me going down a mental rabbit hole trying to figure out types of criminal activity that can occur over video games and information logged by the client of the video game to aid in the prosecution of that crime. The biggest thing would be chat logs for any video game because anything could be discussed related to any crime. Friends lists would be useful to identify other suspects or victims. CSAM cases are common, and sometimes fraudsters wash funds with the purchase and sale of digital currency/items. So any info showing the amount of in-game money or inventory an account has would be useful, but any game used for washing funds shouldn't have the info editable by the client, it could be logged somewhere though? Now I just need to figure out how to get a supervisor like @DFE Travis has who will approve me playing video games for work lol.

I don't know if this is obvious or stupid, or whatever, but since there's a direct virtual <-> real money thing going on in Secondlife, is there a possibility this gets used for laundering?

1:15 AM

or at least, say, some obfuscation in the process of payments

1:16 AM

I guess it usually does require some form of bank details, or whatever though

You have a point. I think it is more known because it is directly supported by the game to convert fiat money to a virtual currency. I would imagine that it happens in other games as well, but it’s harder to detect because it is against the TOS for most games. Also, Second Life logs more than other games making it easier to locate forensic evidence for crimes that use its platform.

Not sure where to post but here is a good a spot as any. I have had to draw some network diagrams recently and was looking for something lighter weight than dragging out i2 and found DrawIO. Its pretty amazing and better yet, open source. Lots of DF related sysmbols such as HDD's etc baked in if you need to chart up where all your evidence came from as well. https://github.com/jgraph/drawio-desktop

GitHub - jgraph/drawio-desktop: Official electron build of diagrams...

Official electron build of diagrams.net. Contribute to jgraph/drawio-desktop development by creating an account on GitHub.

@Cellebrite question on maps/geo location. I’m working on installing the offline maps right now. If I make a report and hand it to one of our investigators who opens said report on a different computer, will they see maps corresponding to geo location data or will it only present maps on the offline computer that has the maps package installed?

Hey everyone! The Cellebrite CTF kicks off again on Monday. More information is available here: https://cellebrite.com/en/cellebrite-capture-the-flag-may-2022/

Cellebrite Capture the Flag – May 2022

What/Why a CTF? Cellebrite’s Capture the Flag event is a great way for the Digital Forensics and Incident Response (DFIR) community to come together and challenge themselves. Whether you are new to DFIR or a seasoned veteran, this CTF has something for everyone. The challenges were written so that some are easier, and some are … Continue reading...

2

4

Anyone here see anything dodgey on this mac? From this information?

netstat.txt

55.26 KB

2:18 PM

mac.txt

26.31 KB

Per chance, does anyone know an easy way to find the single license costs of most popular forensics tools (ballpark estimates) without having to go back and forth with the sales team of each company? Just trying to do some napkin math budgeting. (Axiom, EnCase, UFED 4PC & PA, DVR Examiner, Griffeye DI Pro, etc). Or if you manage purchase orders for a lab and could PM me, that would be great.

(edited)

AugustBurnsBlue

Per chance, does anyone know an easy way to find the single license costs of most popular forensics tools (ballpark estimates) without having to go back and forth with the sales team of each company? Just trying to do some napkin math budgeting. (Axiom, EnCase, UFED 4PC & PA, DVR Examiner, Griffeye DI Pro, etc). Or if you manage purchase orders for a lab and could PM me, that would be great.

(edited)

Based on my experience, yes dealing with sales can be annoying at times, but if you get to know your area sales person for each vendor while you are only inquiring it allows you to build a relationship. Then when you really NEED something you will get responses back a lot faster because they know you vs the first time talking with them. They understand your aren’t making a purchase every time you get a quote. I just built a budget 2-4 examiners. If you want some help dm me. But I still suggest getting quotes and getting to know your sales. It will benefit you in the future.

1

AugustBurnsBlue

Per chance, does anyone know an easy way to find the single license costs of most popular forensics tools (ballpark estimates) without having to go back and forth with the sales team of each company? Just trying to do some napkin math budgeting. (Axiom, EnCase, UFED 4PC & PA, DVR Examiner, Griffeye DI Pro, etc). Or if you manage purchase orders for a lab and could PM me, that would be great.

(edited)

Also for the less often used tools see if there are any neighbouring labs you can collab with.

is there something that can trace where the WOL is coming from?

5:11 AM

i have my computer with WOL enabled and it randomly turns on

nvm it's not my WOL, but powercfg command helped me figure it out

Would a Virtual World and Consoles channel be something we can do here?

DFE Travis

Would a Virtual World and Consoles channel be something we can do here?

@Moderators and I aren't opposed to adding channels for topics the community requests, it's just a matter of balancing the number of channels with the relevancy of said topics vs other channels/topics that already exist. Could this topic be implemented into a currently existing channel (and rename that channel to better reflect the new topic)? Should this channel exist on its own? Could this channel be added and we drop another that hasn't been touched in a long time? Trying to avoid channel creep while also serving you all the best we can. These are just a sample of questions we ask ourselves when we get new channel requests so let me know what you're thinking.

2

I will allow for others to input if they'd like to see a dedicated channel as well. Looking at the current channels the only one that might be applicable is #darknet-virtual-currencies , but it doesn't currently cover consoles. The reason for lumping virtual worlds and consoles together is perhaps for interoperability (i.e. Roblox, Fortnite). #iot-forensics might be an option if we consider expansion to virtual reality hardware and what it stores locally to the hardware themselves

DFE Travis

I will allow for others to input if they'd like to see a dedicated channel as well. Looking at the current channels the only one that might be applicable is #darknet-virtual-currencies , but it doesn't currently cover consoles. The reason for lumping virtual worlds and consoles together is perhaps for interoperability (i.e. Roblox, Fortnite). #iot-forensics might be an option if we consider expansion to virtual reality hardware and what it stores locally to the hardware themselves

maybe #iot-forensics could be changed to iot and other device forensics? Unless someone can think of a better name

9:54 AM

iot-console-forensics?

perhaps, though it doesn't quite encompass virtual worlds, which is a bit of an oddball. Could go to #darknet-virtual-currencies and consoles go to #iot-forensics ?

Any1 familiar with FAT Time Conversion

11:17 AM

Trying to convert manually but i seem too end up with the wrong answer

@Arlakossanwhat kind of raw value are you working with? Got an example?

Andrew Rathbun started a thread. 5/17/2022 11:56 AM

any @Law Enforcement [UK] from City of London?

Has anyone done any forensic analysis of a gopro video? I'm trying to understand how the file structure of the mp4 as well as how the GPS coordinates get embedded/encoded into the file.

m1gr@n3

Has anyone done any forensic analysis of a gopro video? I'm trying to understand how the file structure of the mp4 as well as how the GPS coordinates get embedded/encoded into the file.

Have you tried using 010 Editor's binary templates on the MP4 files to see how it's all laid out?

12:24 PM

https://www.sweetscape.com/010editor/repository/templates/file_info.php?file=MP4.bt&type=0&sort=

Sudo

any @Law Enforcement [UK] from City of London?

Do City even have a digital forensic team? Thought they relied on the Met to do everything forensic for them

12:31 PM

no clue lol

Andrew Rathbun

Have you tried using 010 Editor's binary templates on the MP4 files to see how it's all laid out?

I have not, but I will check it out now.

Sudo

any @Law Enforcement [UK] from City of London?

@MrTurdTastic

m1gr@n3

Has anyone done any forensic analysis of a gopro video? I'm trying to understand how the file structure of the mp4 as well as how the GPS coordinates get embedded/encoded into the file.

It’s been a while but from what I remember it is a standard mp4 wrapped file. GPS data is in a user defined box within the structure. (edited)

HSleep

Do City even have a digital forensic team? Thought they relied on the Met to do everything forensic for them

They have a high tech crime unit, not sure if they have their own DFU

Sudo

any @Law Enforcement [UK] from City of London?

Aye

HSleep

Do City even have a digital forensic team? Thought they relied on the Met to do everything forensic for them

We do indeed. Better than the met's one too

Matt

They have a high tech crime unit, not sure if they have their own DFU

HTCU is our DFU

MrTurdTastic

We do indeed. Better than the met's one too

Umm we all know the Met has the best DFU in the UK end of

Still rocking the old name htcu I see (edited)

HSleep

Umm we all know the Met has the best DFU in the UK end of

The met think they're the best at everything but if so then why are city the golden bois

MrTurdTastic

The met think they're the best at everything but if so then why are city the golden bois

Don't you guys just work for investment bankers though? You don't do any proper crimes

HSleep

Don't you guys just work for investment bankers though? You don't do any proper crimes

Money makes the world go round, rather bankers than facebook domestics and possession of class b!

1

HSleep

Umm we all know the Met has the best DFU in the UK end of

No prizes for guessing which force you work for then

3

I remember once I came across an australian website if i'm not wrong, it had list of all dfir tools. I can't find the site again, please help me if someone knows the one i'm talking about.

Humble#2244

I remember once I came across an australian website if i'm not wrong, it had list of all dfir tools. I can't find the site again, please help me if someone knows the one i'm talking about.

Pretty good list by @stark4n6 https://start.me/p/q6mw4Q/forensics

Forensics - start.me

A startpage with online resources about Forensics, created by Stark 4N6.

1

thanks for sharing

#doubt Please help me with this. After Full file system generation report from Physical analyzer Computer taking long time to copy the entire data in to Pendrive. It's HP 3.0 64 gb pendrive, I have windows 11, 8 gb ram.. When I'm using windows 10 os, getting error. Any tips friends to copy the data to pendrive. The size of data around 39 gb. in safe mode is it possible? I believe some files long name they take long time. Thanks in advance

Afeef

#doubt Please help me with this. After Full file system generation report from Physical analyzer Computer taking long time to copy the entire data in to Pendrive. It's HP 3.0 64 gb pendrive, I have windows 11, 8 gb ram.. When I'm using windows 10 os, getting error. Any tips friends to copy the data to pendrive. The size of data around 39 gb. in safe mode is it possible? I believe some files long name they take long time. Thanks in advance

what is the source drive (and does it have problems) and how much data are you trying to transfer over? you say you have Win11 but using Win 10 ?? . what exactly is/are the errors?

Afeef

#doubt Please help me with this. After Full file system generation report from Physical analyzer Computer taking long time to copy the entire data in to Pendrive. It's HP 3.0 64 gb pendrive, I have windows 11, 8 gb ram.. When I'm using windows 10 os, getting error. Any tips friends to copy the data to pendrive. The size of data around 39 gb. in safe mode is it possible? I believe some files long name they take long time. Thanks in advance

FAT32 filesystem with 4GB file size limit?

Digitalferret

what is the source drive (and does it have problems) and how much data are you trying to transfer over? you say you have Win11 but using Win 10 ?? . what exactly is/are the errors?

Error 0x80070570 This is the error. And when I transfer the Data using windows 11 os . it transferred but it will take 24+ hours. Main problem is our power back system where damaged. So, when I using win 8 os this error is prompting. Over all data from hard disk is around 39 gb. So, im try to transfer to 64 gb pendrive. Now, I have trying in safe mode in windows 8 os. (edited)

looks like you have corrupt file(s) or damaged drive.

3:26 AM

so far you have mentioned 3 different versions of Windows?

Digitalferret

looks like you have corrupt file(s) or damaged drive.

I have tried two Pendrive ls. Same result. Its take too much time in windows 11

so, you keep changing your main recovery PC hoping that it will recover files better?

Digitalferret

looks like you have corrupt file(s) or damaged drive.

May be there is a chance for corrupted files. But, as forensic examiner i need to transfer all the data to the pendrive

if it's forensic, first you need to make a complete image of the drive being examined

3:29 AM

if there are issues with the drive, they will show up at this stage

3:30 AM

if the drive is faulty, bad sectors or instability, you will need a solution to get past this, such as a hardware imager, or software that allows you to skip/bypass bad areas

3:30 AM

once you have the image on a new, stable, fresh drive, you can recover data

Digitalferret

if it's forensic, first you need to make a complete image of the drive being examined

Using ufed 4pc i have generated report as well as files. I believe there is problem with some files namely .so and lengthy type files names etc

also, with reference to @AmNe5iA suggestion, check if there are larger files than the filesystem can handle.

Digitalferret

also, with reference to @AmNe5iA suggestion, check if there are larger files than the filesystem can handle.

Okay, thank you.

is this a Mobile thing? i have no experience with UFED4 but it looks to be a mobile solution?

Digitalferret

is this a Mobile thing? i have no experience with UFED4 but it looks to be a mobile solution?

Yes, extracted data from mobile phone, full file system extraction

ah right, so you have imaged a phone....

1

3:36 AM

given the nature of this, i'll bow out. not general data recovery, and @AmNe5iAhas far more experience than me with regard to forensics

3:36 AM

best of luck

1

I think he's used PA to create some report. If you create a pdf report for example (rather than a ufdr one which is effectively a zip file with everything contained within) then it tends to produce lots of small linked files (pictures videos tumbnails, plist files etc.). He is then trying to copy all these files to a pendrive and is being impatient.

AmNe5iA

I think he's used PA to create some report. If you create a pdf report for example (rather than a ufdr one which is effectively a zip file with everything contained within) then it tends to produce lots of small linked files (pictures videos tumbnails, plist files etc.). He is then trying to copy all these files to a pendrive and is being impatient.

Exactly

So try zipping it all up and then transferring the zip file instead.

AmNe5iA

So try zipping it all up and then transferring the zip file instead.

But, Modified date will change right?

I'd probably reformat the pendrive to exFAT beforehand too. (edited)

AmNe5iA

I think he's used PA to create some report. If you create a pdf report for example (rather than a ufdr one which is effectively a zip file with everything contained within) then it tends to produce lots of small linked files (pictures videos tumbnails, plist files etc.). He is then trying to copy all these files to a pendrive and is being impatient.

roger that, thanks for the explanation, i get the gist now (edited)

AmNe5iA

I'd probably reformat the pendrive to exFAT beforehand too. (edited)

I have done in NTFS format, Also I have formated using tablue t2dtu device. pendrive is working. Actually i need to speedup th copying process.

Afeef

I have done in NTFS format, Also I have formated using tablue t2dtu device. pendrive is working. Actually i need to speedup th copying process.

Else I wish to fix the Error 0x80070570 and transfer the data from using windows 8 os.

You need to give context to the error. Surprisingly, I doubt anyone knows what 0x80070570 actually means. i could google but i'm not going to.

3:45 AM

So if the report files are corrupted then why not delete them, then create a new report? I assume you still have the original extraction to work from.

Afeef

But, Modified date will change right?

Why would zipping a file modify it?

AmNe5iA

You need to give context to the error. Surprisingly, I doubt anyone knows what 0x80070570 actually means. i could google but i'm not going to.

Yes. Thank you. I will do it.

Afeef

But, Modified date will change right?

It changes when you copy it. It is not changed when zipping

Humble#2244

I remember once I came across an australian website if i'm not wrong, it had list of all dfir tools. I can't find the site again, please help me if someone knows the one i'm talking about.

maybe https://thisweekin4n6.com/ from @randomaccess?

This Week In 4n6

Your weekly roundup of Digital Forensics and Incident Response news

stark4n6

maybe https://thisweekin4n6.com/ from @randomaccess?

No, not this one. That had a very long list and each list further had myraid of tools listed. I remember it had some connection with Australia

Has anyone seen these type of phishing emails where it just contains a jpeg attachment of a fake invoice? What exactly is the goal of this type of email? Just to get a user to reply?

To bypass email controls

3:51 PM

Many tools assume marketing email and don’t take action. Worked an incident with single image for sextortion. Threat actor generated the image and included many character sets to try and throw off image to text converters.

Anyone know a good forensic workstation vendor outside of Sumuri and Digital Intelligence? I've been tasked with putting together quotes for a forensic workstation, and our policy requires us to have minimum three quotes from different vendors.

Hello, Is Axiom can process nsf (lotus notes) files ?

Silicon Forensics, Ace Computers, Avail Forensics, Forensic Computer inc

5:12 PM

@AugustBurnsBlue

1

whee30

For those of you who need to keep multiple mobile devices on power and organized, what are you using? I'm considering a simple file organizer for the envelopes they're kept in with a long powerstrip mounted next to it. Getting them off of the desk seems like a nice space saving step.

To follow up on this - I had some end of fiscal year cash and got a purpose built solution for this. I split the difference between the tabletop charging station and the large laptop rolling cabinet with a Tripp Lite 16 tablet locking cabinet.

1

8:18 PM

Tripp Lite 16 Port USB Charging Station Cabinet for Tablet, iPad & &roid, Charge & Sync, Wall Mount (CS16USB) https://www.amazon.com/dp/B00T0YYBF2/ref=cm_sw_r_cp_api_i_B185JQ5D8JZ7TSGNPQQ8 (edited)

Tripp Lite 16 Port USB Charging Station Cabinet for Tablet, iPad & ...

Tripp Lite 16 Port USB Charging Station Cabinet for Tablet, iPad & &roid, Charge & Sync, Wall Mount (CS16USB)

8:19 PM

This way I can keep items in/with their evidence envelope and close it all up to add some additional security.

whee30

For those of you who need to keep multiple mobile devices on power and organized, what are you using? I'm considering a simple file organizer for the envelopes they're kept in with a long powerstrip mounted next to it. Getting them off of the desk seems like a nice space saving step.

We have a couple Faraday boxes with ports inside

Hello there, is anyone here able to read Persian text?

Christiano

Hello there, is anyone here able to read Persian text?

https://www.languageline.com/s/ We used this in LE

1

AugustBurnsBlue

Anyone know a good forensic workstation vendor outside of Sumuri and Digital Intelligence? I've been tasked with putting together quotes for a forensic workstation, and our policy requires us to have minimum three quotes from different vendors.

Since you are in the states, I think Bitmindz might help you out - https://bitmindz.com/

Manny Kressel

Home

bizzlyg

Since you are in the states, I think Bitmindz might help you out - https://bitmindz.com/

I think they are associated with TeelTech, in case that adds some validity

inzeos

Many tools assume marketing email and don’t take action. Worked an incident with single image for sextortion. Threat actor generated the image and included many character sets to try and throw off image to text converters.

Were the images fake ?

AugustBurnsBlue

Anyone know a good forensic workstation vendor outside of Sumuri and Digital Intelligence? I've been tasked with putting together quotes for a forensic workstation, and our policy requires us to have minimum three quotes from different vendors.

You can also go through your IT and have Dell or HP provide a bid at the "forensic" level with comparable equipment to fulfill your third bid.

Hey guys I have been looking to get into DF where do I start?

ryuk0126

Hey guys I have been looking to get into DF where do I start?

ima bad. want to say "give up right now while ur ahead"

(edited)

1

9:52 AM

on behalf of LEA or a sideline to get you up and running?

1

Anyone in here part of a larger digital forensics unit (15-20+)?

tolsen

Anyone in here part of a larger digital forensics unit (15-20+)?

I am sure a lot of the folks in the UK are with their large LE DF units

Villano

Were the images fake ?

Threat actor leveraging data from have I been pwned

inzeos

Threat actor leveraging data from have I been pwned

What I mean is was the JPEG an image or was it an executable

Oh sorry, believe it was a PNG but static image file dynamically built with the image content

inzeos

Oh sorry, believe it was a PNG but static image file dynamically built with the image content

Sounds like IcedID to me?

tolsen

Anyone in here part of a larger digital forensics unit (15-20+)?

@Pacman @MrTurdTastic you guys have pretty big DFUs right?

Andrew Rathbun

Sounds like IcedID to me?

This was a specific target ring phishing campaign with obfuscated human readable sentences with demands for bitcoin payment or a release of alleged nsfw content of the targeted victim or accessed by the victim.

2:11 PM

The obfuscation was to use multiple character sets and fonts to try and make AI text detection from the images fail.

I know it's slipping my mind. Can anyone name a bootable forensic distribution that can queue up multiple drives and image one task after the other? The best solution I have this far is WinFe (awesome) with multiple X-Ways instances.

NibblesNBits

I know it's slipping my mind. Can anyone name a bootable forensic distribution that can queue up multiple drives and image one task after the other? The best solution I have this far is WinFe (awesome) with multiple X-Ways instances.

Paladin?

DeeFIR 🇦🇺

Paladin?

I thought about it also but thought I would have to open several instances. I'm going to a thorough look. If there isn't a built in functionality that would be an awesome addition I think. Image source A verify, then source B verify, source C etc. to one destination. All in one window as opposed to several instances.

5:11 PM

Trying to get a mass imaging station going

Can’t you just open multiple instances of the imager? Or am I missing what you’re trying to achieve

DeeFIR 🇦🇺

Can’t you just open multiple instances of the imager? Or am I missing what you’re trying to achieve

You are correct and I can accomplish this with WinFe and X-Ways but I was looking for something that has that functionality built into one session as opposed to several instances. It's not a problem to do several instances but something cleaner in one instance would be nice.

DeeFIR 🇦🇺

Can’t you just open multiple instances of the imager? Or am I missing what you’re trying to achieve

I'm not going for speed here so multiple destination drives isn't necessary single destination for all images in e01. I get multiple instances to different destination drives.

Wouldn’t be hard to roll your own Linux distro and make a script to accomplish that goal.

Can deleted MS Teams chats be recovered by attackers? Say fro example someone pastes a password in Teams chat, then deletes it, is an adversary able to recover deleted passwords/chats from Teams?

And if so, how can we prevent attackers from recovering deleted messages/passwords?

malrker

And if so, how can we prevent attackers from recovering deleted messages/passwords?

Overwrite the message first

MrTurdTastic

Overwrite the message first

Yeah but how can this be done for multiple users? If they put say a password or sensitive information in Teams?

I mean the best prevention for that is staff training

And what do you mean by overwrite?

Don't post passwords in teams lol

10:49 PM

And I mean using the edit function if teams has it? Can't recall

Like edit the message then delete?

Yep

10:50 PM

Most recoveries I've seen can only pull the most recent message from deletion

Is there no Automated way of doing this?

Not to my knowledge but I'm not the most technical bod out there, I'm an investigator. I'm sure one of my learned DFIR colleagues could advise on the feasibility of that

tolsen

Anyone in here part of a larger digital forensics unit (15-20+)?

Yeah, whats on

DCSO

You can also go through your IT and have Dell or HP provide a bid at the "forensic" level with comparable equipment to fulfill your third bid.

The Dell and HP builds they try and sell you for this are sh*t. Use the quotes they supply as leverage and get something else.

1

ryd3v

Wouldn’t be hard to roll your own Linux distro and make a script to accomplish that goal.

Ha maybe for you. Scripting isn't my strong point but this is a project and challenge so Im actually going to challenge myself with this one and give that a try. I think it's really the best way to get what you really want. Thx

2

For UK law enforcement. The Forensic Capability Network are looking to provide free computer ground truth date GTD (physical devices, files, and procedures) to forces. https://fcn.lets-go.live/news/2022-05/computer-ground-truth-data-gdt-expressions-interest

Computer Ground Truth Data (GDT) Expressions of Interest | FCN

Would your Force or area collaboration be interested in a free computer GTD package? We’re working on a proposal, and we’d like to know how many forces could potentially benefit.

What's the next step after mobile analyst? I was thinking of going into SOC

Livestream: CISA Combating Ransomware conference https://www.youtube.com/watch?v=p8SBvm-wv7w

Institute for Security and Technology

Combating Ransomware: A Year of Action

9:49 AM

https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape

DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cyberc...

By Yelisey Bogusalvskiy & Vitali Kremez (with special thanks to AdvIntel Intel Production Analyst Marley Smith) This is a redacted report that is based on our internal investigations. The full version of the report includes additional information, evidence, IOCs, and commentary for AdvIntel customers and Law Enforcement. Conti’s Death Notice On ...

Anyone who has some detailed insights into the Unified Audit Logs of Compliance Center and Microsoft Defender? Identified events labeled "FileCreatedOnRemovableMedia" and "FileCopiedToRemovableMedia" but looking at the filepaths it appears to me that the files were all originating from the same location if I match it against the local userfiles. So wondering what the difference could been especially if its evolving around 1k files that then also were deleted after on the local hard drive.

Does anyone know if Microsoft can identify which O365 account/Tennent made a PDF with MS Word 365, if they are given the DocumentID and InstanceID? (edited)

MrTurdTastic

Most recoveries I've seen can only pull the most recent message from deletion

What tool/or how did you recover deleted messages/passwords from teams by the way, just out of curiosity?

6:45 PM

And is it the same for teams Desktop app and teams web browser?

malrker

And is it the same for teams Desktop app and teams web browser?

Depends on how the tenant and license and tools are set up. Legal hold compliance center etc can dig out a lot of stuff even user deleted materials.

I have a memory dump file for a challenge from uni that I have to work out the implant framework the malware is generated from. I'm using volatility. Was done via dll injection. I am wondering how to work out the framework. I have run the dll hashes though virustotal but I am not sure what I am looking for. Any hints or pointers would be appreciated.

Ph03n1%

I have a memory dump file for a challenge from uni that I have to work out the implant framework the malware is generated from. I'm using volatility. Was done via dll injection. I am wondering how to work out the framework. I have run the dll hashes though virustotal but I am not sure what I am looking for. Any hints or pointers would be appreciated.

What port was the implant communicating on?

How often do you folks update your forensic rigs? I only have one so it’s not like I have a bunch to compare with. It’s a 2018 FRED, it’s no slouch but I’m sure there are bigger/better out there. Do you upgrade piecemeal like a new GPU or additional RAM or just buy a new box altogether?

@whee30 upgrade? What’s that?

whee30

How often do you folks update your forensic rigs? I only have one so it’s not like I have a bunch to compare with. It’s a 2018 FRED, it’s no slouch but I’m sure there are bigger/better out there. Do you upgrade piecemeal like a new GPU or additional RAM or just buy a new box altogether?

Obligatory download more RAM comment goes here

Andrew Rathbun

Obligatory download more RAM comment goes here

I tried that and now I have Norton antivirus and an AltaVista search toolbar on my Netscape browser

2

1

whee30

How often do you folks update your forensic rigs? I only have one so it’s not like I have a bunch to compare with. It’s a 2018 FRED, it’s no slouch but I’m sure there are bigger/better out there. Do you upgrade piecemeal like a new GPU or additional RAM or just buy a new box altogether?

Our entire rig gets updated every 5ish years.

whee30

I tried that and now I have Norton antivirus and an AltaVista search toolbar on my Netscape browser

What about Bonzi Buddy?

randomaccess

What port was the implant communicating on?

Port 53, DNS

If someone can think of a good emoji for Private Sector, Public Sector, and any other common roles I've missed, PLEASE let me know

1

whee30

How often do you folks update your forensic rigs? I only have one so it’s not like I have a bunch to compare with. It’s a 2018 FRED, it’s no slouch but I’m sure there are bigger/better out there. Do you upgrade piecemeal like a new GPU or additional RAM or just buy a new box altogether?

We don't upgrade our boxes; replacement schedule is staggered but around 5 years

Andrew Rathbun

If someone can think of a good emoji for Private Sector, Public Sector, and any other common roles I've missed, PLEASE let me know

7:18 AM

For public

Public Sector. doclock

Private Sector.

3

7:28 AM

MrTurdTastic

I think you mean

7:43 AM

B74

Public Sector. doclock

Private Sector.

That's a neat concept. Really like those sub-icons

Want me to grab the original icons for you?

Never mind

I was also thinking all LE roles could be blue now since we have flag designators now

8:00 AM

but, it's been the way it has been for 4 years now so if people think that's not a necessary change, then that's fine

^ Community vote?

B74

^ Community vote?

yeah i should probably do another Google Form for this so I can have pretty graphs and all that to present final results

I'd be up for that tbh, I always found the colours a bit too varied for the roles

You could just ask and then people can react with a

or

Matt

I'd be up for that tbh, I always found the colours a bit too varied for the roles

The primary color of a given country's flag is the color of that LE role

that was the best I had at the time but agreed it's a bit of a mess across the LE spectrum

I always found myself having to click on a user to see which role they had

8:04 AM

The flags is a really nice touch though, I'd forgotten they'd added that

With the server boosts we have, we can have emojis attached to roles, so thankfully they have every flag known to mankind, so that was a simple thing to add that IMO adds a lot of benefit. You can click on the emoji on mobile and it'll show you which role the person is. Or, on desktop, you can hover over it and you'll see the role. Saves you a click which nerds love so much

2

8:11 AM

Community Feedback Needed - Voting Thread

B74

^ Community vote?

https://discord.com/channels/427876741990711298/977951826504712292/977952257645621288

Andrew Rathbun pinned a message to this channel. 5/22/2022 8:24 AM

A bit late, but I picture a person bashing their head on a keyboard for public LOL At least it felt like that when I was in the space

2

Maybe just a roll of red tape will suffice... lol

3

Matt

Maybe just a roll of red tape will suffice... lol

Honestly not a bad idea...

what happens when an external hard drive formatted as exFAT runs out of space while downloading files on windows 10? asking because my hdd ran out of space and showed 0 bytes available while downloading videos with 4kvideodownloader(similar to youtube-dl) and all of a sudden few seconds later when i am about to free up some space it shows me 900mb available

12:11 PM

wondering if windows would ever delete or misplace files without my permission or knowledge to free up space

12:12 PM

i would greatly appreciate any insight on this

does that happen to coincide with the size of the failed download? Maybe you had 900mb available that filled up during the dl and the partial file was removed upon failure? I don't know - its purely speculation.

yes the downloads did fail once it the drive ran out of space but the files weren't deleted

inzeos

Depends on how the tenant and license and tools are set up. Legal hold compliance center etc can dig out a lot of stuff even user deleted materials.

Is that something you have seen attackers use before to recover deleted messages? Or is it pretty uncommon?

malrker

Is that something you have seen attackers use before to recover deleted messages? Or is it pretty uncommon?

In theory they could? But those user rights should be pretty guarded.

private sector emoji?

1

Is that the GCHQ office plan via drone? (edited)

3

Any tips for connecting a MAC address / OUI (9a:3c:fd) to a vendor? Tried several lookup services to no avail. Want to get in contact with vendor to retrieve IMEI

Ph03n1%

Is that the GCHQ office plan via drone? (edited)

Where’s the Greggs tho?

Dr. Kaan Gündüz

private sector emoji?

i think Wrathbunny would Block that in case it started a Cluster-xxxx of ideas from other tech Heads on the same Track (edited)

3

We have a distributed team and looking to put FTK on a Windows machine in Azure. Has anyone experience with this setup and are there any issues that we should consider (besides cost). E.g. how much scratch space needs to be allocated, type of system, etc. Thanks

With that length of time I think you'll be shit out of luck mate

1

I need a pithy snappy name for a copying tool that hashes either side

1:19 PM

All I’ve come up with so far is… hashinator

Pseudonym

I need a pithy snappy name for a copying tool that hashes either side

Cross-hash Hash2hash Copy-Hasher Hash/Copy Hashy McHashface

Hashy mchashface

5

1:34 PM

Hash-Copy-Hash could work

what is the tool built on

Python

HashCopy

PytchForC? python tool for copying haha

PyCopyHash PyCopy

Sha1_4n6

PytchForC? python tool for copying haha

Rolls off the tongue

ForenCopy

1:39 PM

Choppy?

1:40 PM

Copy and hash married together

Choppy is good one

CHoppy, C for Copy, H for Hash

coPYhash, if you wanted to play on the Python bit

HashCopy is taken (powershell script on GitHub)

Pseudonym

HashCopy is taken (powershell script on GitHub)

HashCoPy

1

1:42 PM

HashCoPyHash

Right, HashCoPyHash it is

1:45 PM

CHopPy could work too…

Pseudonym

Right, HashCoPyHash it is

I'll send you my invoice later this week

2

1:46 PM

I can send you… 1000 safemoon…

MrTurdTastic

With that length of time I think you'll be shit out of luck mate

Sigh, these messages are literally the smoking gun. The case will be pretty much open-and-shut if we were able to recover them. (edited)

Has anyone taken the new FOR608 class from SANS? Opinions? It seems interesting and useful for my line of work (SOC T3 guy)

Not yet, but will be doing on QC work on it in a couple of weeks

2:14 PM

@kime

I have a mac that I am trying to do some safari work on. I know that the particular web history I am looking at was synced from another device (history.db > history_visits > origin = 1). I know I can't determine was device it came from without finding the corresponding origin=0 for the same history.

3:09 PM

I'm trying to figure out if there is a PLIST or something that simply tells me what apple ID synced the info. I have three or four apple IDs on this device, trying to figure out which one to correlate the data to.

3:10 PM

I am not finding the answer in the same history.db but I am digging through the other files in the same directory structure to see if I can figure it out. My Googling is coming up empty so far.

what are people useing for google search warrant returns.. and not Axiom and Cellebrite.. these are all json files.. what are you using for json files.

Jetten_007

what are people useing for google search warrant returns.. and not Axiom and Cellebrite.. these are all json files.. what are you using for json files.

If you cant find anything, CyberChef can convert .json files into .csv files to make it a little easier.

@FullTang great idea...

1

Jetten_007

what are people useing for google search warrant returns.. and not Axiom and Cellebrite.. these are all json files.. what are you using for json files.

Does rleapp have support? https://github.com/abrignoni/RLEAPP

GitHub - abrignoni/RLEAPP: Returns Logs Events And Properties Parser

Returns Logs Events And Properties Parser. Contribute to abrignoni/RLEAPP development by creating an account on GitHub.

i did not... i can look again and make sure i the most current

(if it doesn't, it would be worth trying to add support)

i was thinking of asking brignoni... i could send him my dataset.

Jetten_007

i was thinking of asking brignoni... i could send him my dataset.

@Brigs

2

Jetten_007

i was thinking of asking brignoni... i could send him my dataset.

Send me an email. 4n6@abrignoni.com

Pseudonym

I need a pithy snappy name for a copying tool that hashes either side

a bit artyfarty but use the octothorpe/hash sign? #copy#

I was going to take a step further and suggest #cp# but… no…

4

i was tryna make something of welsh rarebit (a hash of sorts) but 'bit' . nm and lol, yeh might cause a stir that ^

Yeah, probably for the best…

For sure!

#copy# could be cool though!

Chuck a 0 in there for extra coolness

#C0Py# < edgy, unrememberable, it’s perfect

1

Pretty nifty

Pseudonym

I need a pithy snappy name for a copying tool that hashes either side

Have you considered something a bit warmer and personable?

1

3:53 AM

Like Frank?

no meaning behind it, we just happened to like the name Frank

3:55 AM

‘Kevin v0.01’

Pseudonym

‘Kevin v0.01’

Don't tell Mr Mansell, it'll go right to his head

ver-o-copy

Pseudonym

#C0Py# < edgy, unrememberable, it’s perfect

kinda reminds me of the "what's brown and sticky?" thing

Does anyone have any procedures they follow regarding eSIMs during a mobile device extraction process? Also does anyone have any information that they could provide regarding eSIMs in a forensic investigation

Lyndsay

Does anyone have any procedures they follow regarding eSIMs during a mobile device extraction process? Also does anyone have any information that they could provide regarding eSIMs in a forensic investigation

I believe all you are going to get for the eSIM during the extraction is the IMEI and the ph # assigned to it. I have not see a lot of people using them yet, I think it will take a while.

In terms of an esim connecting to a network while in lab, rather than an extraction?

Lyndsay

In terms of an esim connecting to a network while in lab, rather than an extraction?

A neighboring agency has a full on faraday room they can work inside of, the esim becomes a non-issue for them.... For me, either work inside of a cluttered faraday box or get it into airplane mode... It is definitely becoming more of a concern.

whee30

A neighboring agency has a full on faraday room they can work inside of, the esim becomes a non-issue for them.... For me, either work inside of a cluttered faraday box or get it into airplane mode... It is definitely becoming more of a concern.

The problem we are having is that we have several phones that can not be placed into airplane mode, and only have one faraday box

That is definitely a problem... I don't have a solution for you but I'm tagging along for any other advice

whee30

A neighboring agency has a full on faraday room they can work inside of, the esim becomes a non-issue for them.... For me, either work inside of a cluttered faraday box or get it into airplane mode... It is definitely becoming more of a concern.

Is the faraday room used for extraction/acquisition only? It would be slightly annoying not to have cell service for your own phones while at work.

yes that is correct. It's pretty awesome, I wish I had access to it.

1

I wish I had access to your budget lol. I had to spend my own money to buy a charging rack to store AFU and in-progress bruteforce phones and you are able to drop almost grand on a super fancy charging rack!

1

Lyndsay

The problem we are having is that we have several phones that can not be placed into airplane mode, and only have one faraday box

Its expensive but they do have forensics faraday bag, that have usb filtering https://www.amazon.com/dp/B07W3PMY6C?ref_=cm_sw_r_cp_ud_dp_1GDW0TGWF6W74KREDGTX

Mission Darkness Window Charge & Shield Faraday Bag for Phones // I...

The Mission Darkness Window Charge & Shield Faraday Bag for Phones allows a device to remain shielded from RF signals and powered after seizure, until it can be transferred to a forensic box, lab, or tool for data extraction. The bag includes a dual sided USB filter, NeoLok closure system for saf...

DCSO

Its expensive but they do have forensics faraday bag, that have usb filtering https://www.amazon.com/dp/B07W3PMY6C?ref_=cm_sw_r_cp_ud_dp_1GDW0TGWF6W74KREDGTX

Just spent some TFO money on their the XL block box and it was well worth the money. It was unexpected but they also threw in some bags for free with the purchase. It can hold multiple devices with no problem. Plenty of space to work.

Anyone fancy giving my script a quick try for me?

FullTang

I wish I had access to your budget lol. I had to spend my own money to buy a charging rack to store AFU and in-progress bruteforce phones and you are able to drop almost grand on a super fancy charging rack!

It was a surprise to me too, EOY thing. I am not complaining.

1

@whee30 @FullTang I was tempted to foil the walls of our server closet to make my own faraday room

I feel your pain

2

I have an image split up between two drives. (1.8TB on 2 1TB drives). How can I load the image into encase or FTK without combining them onto 1 drive?

5:17 PM

/ is it possible to do that.

5:18 PM

Reason for not combining them onto 1 drive is due to a time limitation and needing to verify the images file structure.

Pseudonym

Anyone fancy giving my script a quick try for me?

#dfir-open-source-projects might be a good place to post

AARC TASK FORCE

I have an image split up between two drives. (1.8TB on 2 1TB drives). How can I load the image into encase or FTK without combining them onto 1 drive?

You can’t do that with FTK, not sure about EnCase, I’m pretty sure you can do it with X-Ways if you have access to it

AARC TASK FORCE

I have an image split up between two drives. (1.8TB on 2 1TB drives). How can I load the image into encase or FTK without combining them onto 1 drive?

I would try using symbolic links to bring them all to one folder. That is, symlinks to each image segment on Drive 1 + symlinks to each image segment on Drive 2 all in one folder—perhaps on a third drive or network location.

7:15 PM

If your forensic tool follows the symlinks nicely, this should be plug and play. Perhaps some command line magic or batch file can be used to loop through the files and create the links with minimal effort.

Hello, I am trying to find something that has any reference to "50cent cryptolocker" but can't find much. Has anyone encountered this before?

Anyone using OneNote for your forensic / bench notes? Wondering if anyone has a good notebook they use and are willing to share. I am going to start creating one if not and will share mine.

Ghosted

Anyone using OneNote for your forensic / bench notes? Wondering if anyone has a good notebook they use and are willing to share. I am going to start creating one if not and will share mine.

Yeah I use OneNote for pretty much everything. Best advice I can give is to start typing then push TAB so you can get a table created and organized your thoughts that way. Bullet points help, too. OneNote is awesome but hopefully should be getting better in due time now that M$ cares about it again after abandoning it

@Andrew Rathbun I am really interested in putting it in my workflow. I have been watching some videos about it. I really like being able to put my incoming email / requests directly into the notes. This will allow me to keep everything together. I just need to make a template notebook that I can use to start each case. I didn't know if any examiners already have a template notebook they use for exams.

5:22 AM

@Andrew Rathbun thinking about making it so I can complete the intake on it and move into the photographing of the evidence all the way through to my bench notes. Right now all these are kind of all over the place and I pull them into a folder structure. Trying to streamline the flow to be more efficient.

I use Obsidian for note taking sometimes, you can format it with markdown which is super nice

1

Yes Obsidian is a really popular option. It's all local, too, so you own your notes, not insert cloud service here. I doubt it integrates with Outlook and all that stuff as OneNote does, but that's purely speculation on my part.

5:31 AM

Markdown is an awesome format to write anything in, so that's a plus.

Joplin is quite good as well

1

I use joplin pretty heavily; it has a few little things that annoy me with moving notes up/down, or I've killed it by dropping in a large chunk of code from malware i'm analyzing and the markdown renderer goes crazy (just have to edit the sqlite db directly)

6:27 AM

but I haven't found a replacement that is better yet

Anyone have direct experience creating new syntax high lighting for MD documents?

inzeos

Anyone have direct experience creating new syntax high lighting for MD documents?

as in three backticks then inputting the language of the syntax you want highlighted?

8:20 AM

Andrew Rathbun

as in three backticks then inputting the language of the syntax you want highlighted?

correct, there's a ton available but of course the one I was looking for in my latest project isn't there LOL. "spl" for Splunk Query Language"

Has anyone got a source they use for pre-populated handsets? Looking to get some for validation purposes. Thanks!

@King Pepsi https://thebinaryhick.blog/public_images/ (edited)

Binary Hick

Public Images

Below are links to my public images. If you find a link that isn’t working, please let me know! Android Android 7 (hosted by Digital Corpora) Android 8 (hosted by Digital Corpora) Android 9 …

Good morning all. I'm wondering if any of you out there know of any Forensic Identification forums or discord servers similar to this that deal with thigs such as crime scene investigation, fingerprinting etc.?

stps358

Good morning all. I'm wondering if any of you out there know of any Forensic Identification forums or discord servers similar to this that deal with thigs such as crime scene investigation, fingerprinting etc.?

https://www.reddit.com/r/forensics/

r/forensics

stps358

Good morning all. I'm wondering if any of you out there know of any Forensic Identification forums or discord servers similar to this that deal with thigs such as crime scene investigation, fingerprinting etc.?

https://discord.com/invite/4MHY6Ty here's the discord server that appears to be associated with r/forensics

2

Andrew Rathbun

https://discord.com/invite/4MHY6Ty here's the discord server that appears to be associated with r/forensics

Thanks

I’m curious, when checking a warrant return I found an India country code phone number. Are there any resources to check into numbers that are outside the US?

Deleted User

I’m curious, when checking a warrant return I found an India country code phone number. Are there any resources to check into numbers that are outside the US?

Check here: https://github.com/Digital-Forensics-Discord-Server/LawEnforcementResources and if such a resource doesn't exist, ask in #dfir-open-source-projects or make an issue in the repo for a request for such a thing and we can try to track one down

GitHub - Digital-Forensics-Discord-Server/LawEnforcementResources: ...

Resources provided by the community that can serve to be useful for Law Enforcement worldwide - GitHub - Digital-Forensics-Discord-Server/LawEnforcementResources: Resources provided by the communit...

Andrew Rathbun

Check here: https://github.com/Digital-Forensics-Discord-Server/LawEnforcementResources and if such a resource doesn't exist, ask in #dfir-open-source-projects or make an issue in the repo for a request for such a thing and we can try to track one down

Ty

Anyone know if you can set environment variables in WinFe? I am using PE bakery and haven't seen the option.

NibblesNBits

Anyone know if you can set environment variables in WinFe? I am using PE bakery and haven't seen the option.

Maybe ask Brett Shavers on Twitter?

1

11:09 AM

For those who weren't aware, members of this server are writing a book in #deleted-channel. If you want to vote on the book title, please take a moment to vote here: https://forms.gle/eZtkh5NZkzdjwaq66 https://discord.gg/J3fF7mVX?event=979592172267532288 (edited)

Vote for the CrowdsourcedDFIRBook's New Title! Round 1

The DFIR Community needs your input as to what should replace the placeholder CrowdsourcedDFIRBook title for the collaborative book being written and edited on GitHub (https://github.com/Digital-Forensics-Discord-Server/CrowdsourcedDFIRBook) and published on Leanpub! The options with the top 3 most votes will move on to the second and final rou...

Slightly off topic here, does anyone have experience within Anti-Piracy investigations here ? Highly doubt it xD (edited)

Do you mean investigations into piracy or anti-piracy?

Andrew Rathbun

For those who weren't aware, members of this server are writing a book in #deleted-channel. If you want to vote on the book title, please take a moment to vote here: https://forms.gle/eZtkh5NZkzdjwaq66 https://discord.gg/J3fF7mVX?event=979592172267532288 (edited)

Booky McBookface

9

El Libro Diablo!

OllieD

@King Pepsi https://thebinaryhick.blog/public_images/ (edited)

Amazing, thanks!

1

RandyRanderson

Booky McBookface

Winner.

3

1

Arman Gungor

I would try using symbolic links to bring them all to one folder. That is, symlinks to each image segment on Drive 1 + symlinks to each image segment on Drive 2 all in one folder—perhaps on a third drive or network location.

Thank you for replying to this. I had to do hardlinks instead of the symlinks and it worked flawlessly. I'm new to foirensics so I'm still learning. Thank you!

AARC TASK FORCE

Thank you for replying to this. I had to do hardlinks instead of the symlinks and it worked flawlessly. I'm new to foirensics so I'm still learning. Thank you!

You are very welcome. Glad it helped!

1

https://www.sans.org/mlp/ken-johnson-scholarship-2022/?msc=dfirsummit%3Futm_medium%3DSocial&utm_source=Twitter&utm_content=KEN%20JOHNSON%20SCHOLARSHIP_VMR&utm_campaign=Digital%20Forensics%20Summit%20Training

Ken Johnson Scholarship 2022 | SANS Institute

In memory of Ken Johnson, the SANS Institute and KPMG LLP created a scholarship that was introduced at the SANS DFIR Summit in June 2016 and will be awarded annually.

Starting my first job Monday as a junior analyst

13

3

lilD

Starting my first job Monday as a junior analyst

Congrats! Good luck!

lilD

Starting my first job Monday as a junior analyst

huge huge congrats! Let us know how it goes and don't be afraid to ask a "stupid" question here. We're all in this together

3

lilD

Starting my first job Monday as a junior analyst

Congratulations!

(edited)

@Cellebrite trying to get access to the iOS device package, not got usual resources... (dont have auth app with me)

RP

@Cellebrite trying to get access to the iOS device package, not got usual resources... (dont have auth app with me)

I've reached out

Non-forensic, personal help: Azulle Access3. attached to microUSB power, LED shows red (powered). power button doesn't flip the light to blue (on/booting). The website is awful, if it even works. Totally fanless, stick-style PC - any tips to diagnose - please DM. Thanks y'all

lilD

Starting my first job Monday as a junior analyst

Congratulations! Wishing you all the best success with your new role.

@lilD congratulations!!!

@Magnet Forensics I just got the dongle for axiom. The url for axiom download, the link is not working.

Jay528

@Magnet Forensics I just got the dongle for axiom. The url for axiom download, the link is not working.

Hey @Jay528 try this link here: https://support.magnetforensics.com/s/software-and-downloads

Hi @Tim F. I’m trying to get my dongle ID to register for an account.

10:31 AM

Is there an easier way other than installing the application ?

Jay528

Hi @Tim F. I’m trying to get my dongle ID to register for an account.

If you email Support@magnetforensics.com they can get it to you pretty quickly.

Thanks!

Anyone got any recommendation for budget commercial tools to complement X-Ways, that offers the best 'bang for the buck'? Axiom is out the question due to cost, and Encase/ FTK have not returned my request for a quote. Forensic Explorer and OSForensics are my contenders due to their perpetual licenses, and the ability to create VMs, but they don't seem to be very popular with the community. Has anyone used either for their casework recently? Would you recommend either software? Is there any reason as to why these are not as popular?

I'd be interested to hear why FEX isn't popular. I like it for basic work (coupled with X-Ways).

What tools are people using to forensically capture websites? After some recommendations. We currently use offline explorer.

MrMacca (Allan Mc)

What tools are people using to forensically capture websites? After some recommendations. We currently use offline explorer.

In my old job we had this - https://www.x1.com/products/x1-social-discovery/ . It was a good few years back now though since I used it, did the job.

site.admin

X1 Social Discovery - Social Media and Internet-Based Data Collection

X1 Social Discovery is the industry-leading solution for anyone who needs to collect and search data from social networks and the internet

MrMacca (Allan Mc)

What tools are people using to forensically capture websites? After some recommendations. We currently use offline explorer.

Also these guys in Germany - https://www.socialnetworkharvester.de/en/home/. Prob best to get some free trials and play around

dkd-thoma

Home

DE

Anyone got any recommendation for budget commercial tools to complement X-Ways, that offers the best 'bang for the buck'? Axiom is out the question due to cost, and Encase/ FTK have not returned my request for a quote. Forensic Explorer and OSForensics are my contenders due to their perpetual licenses, and the ability to create VMs, but they don't seem to be very popular with the community. Has anyone used either for their casework recently? Would you recommend either software? Is there any reason as to why these are not as popular?

I think FEX is very nice to have. It was (not sure if still currently) given to NCFI BCERT students and it is currently used for training at the IACIS basic computer class. Lots of people have it. I think their marketing strategies are different than AXIOM and other companies which may make it not as mainstream. If you ever have an issue with FEX, email support and most of the time, Zeke will quickly email you back and even offer to call you to help fix it. However, the main issue that most have with FEX is their reporting feature. Which, isn’t too big of a deal for me since I mainly use screen captures in my report. If you are the type of person that just dumps everything out to a tool-based repot, you may be disappointed. Another tool I use quite frequently is Autopsy. It is free-99 and even now has a certification process if that is required where you work. (edited)

Unoriginal_name

I think FEX is very nice to have. It was (not sure if still currently) given to NCFI BCERT students and it is currently used for training at the IACIS basic computer class. Lots of people have it. I think their marketing strategies are different than AXIOM and other companies which may make it not as mainstream. If you ever have an issue with FEX, email support and most of the time, Zeke will quickly email you back and even offer to call you to help fix it. However, the main issue that most have with FEX is their reporting feature. Which, isn’t too big of a deal for me since I mainly use screen captures in my report. If you are the type of person that just dumps everything out to a tool-based repot, you may be disappointed. Another tool I use quite frequently is Autopsy. It is free-99 and even now has a certification process if that is required where you work. (edited)

+1 for FEX. It has the ability to do Windows virtualization from an .E01 and custom carving tools but it loads the initial image very quickly. The renewal fees are quite reasonable. The negatives are the reporting feature is so customizable that it can be hard to get it to work how you want and it is not as user-friendly as other tools (like Axiom) because it has so many different options. It is good for an experienced examiner to use to find specific pieces of evidence, but it is not good for processing and turning all the evidence over for the investigating officer/detective to review.

MrMacca (Allan Mc)

What tools are people using to forensically capture websites? After some recommendations. We currently use offline explorer.

HTTrack

Thanks all for the recommendations. Will pass them on.

DE

Anyone got any recommendation for budget commercial tools to complement X-Ways, that offers the best 'bang for the buck'? Axiom is out the question due to cost, and Encase/ FTK have not returned my request for a quote. Forensic Explorer and OSForensics are my contenders due to their perpetual licenses, and the ability to create VMs, but they don't seem to be very popular with the community. Has anyone used either for their casework recently? Would you recommend either software? Is there any reason as to why these are not as popular?

I was one of the FEX deniers but to be fair I have spoken to more people that liked it than people who disliked it... Also there was a major update a month after my license expired years back. I would have to give it a second chance. OS Forensics has been on my wish list for a while, price is very reasonable, interface seems no nonsense and simple... maybe try to grab a trial of each and check it out? I love being able to virtualize an acquisition, Arsenal Image Mounter does that for me currently.

Hello, I'm running a weekly challenge called the SocVel Cybersecurity Quiz. It covers interesting cyber events from the past week in the form of 10 questions. Have a look over at https://quiz.socvel.com

SocVel Cybersecurity Quiz

Your weekly SocVel Cybersecurity Quiz. Play Now!

whee30

I was one of the FEX deniers but to be fair I have spoken to more people that liked it than people who disliked it... Also there was a major update a month after my license expired years back. I would have to give it a second chance. OS Forensics has been on my wish list for a while, price is very reasonable, interface seems no nonsense and simple... maybe try to grab a trial of each and check it out? I love being able to virtualize an acquisition, Arsenal Image Mounter does that for me currently.

@whee30 We had several licenses of FEX for years and did use it because it would give us the Blue Screen of death on us. What we did use it for was the emulation mode for hard drives it was a nice visual to show jury where the suspect had there folders of suspected items

Even flying out a rep to our office they could not locate the issue and it happened on several different machines. I hope they resolved this.

DE

Anyone got any recommendation for budget commercial tools to complement X-Ways, that offers the best 'bang for the buck'? Axiom is out the question due to cost, and Encase/ FTK have not returned my request for a quote. Forensic Explorer and OSForensics are my contenders due to their perpetual licenses, and the ability to create VMs, but they don't seem to be very popular with the community. Has anyone used either for their casework recently? Would you recommend either software? Is there any reason as to why these are not as popular?

What about Belkasoft? I use most DF tools and this has the simple interface for web/comms data recovery and review.

Microsoft Advisory & Remediation advice - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ Research - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e Example PoC - https://github.com/JohnHammond/msdt-follina/blob/main/follina.py Do you work for MSFT?

3:20 PM

Has SOC seen an uptick yet of this being actively exploited in the wild in the past few days or so?

3:20 PM

Or DFIR

⏰ Tempo v1.0.0 now released. ℹ️ Lightweight timestamp decoder for MacOS Now supports: ✅ Unix epoch ✅ Unix epoch / 1000 ✅ Cocoa Core Data ✅ Google Chrome ✅ Timezone modifiers ✅ History https://github.com/kibaffo33/Tempo/releases/tag/1.0.0

Release Version 1.0.0 · kibaffo33/Tempo

Tempo now supports Unix Epoch Unix Epoch / 1000 Cocoa Core Data Timestamp Google Chrome

kibaffo33

⏰ Tempo v1.0.0 now released. ℹ️ Lightweight timestamp decoder for MacOS Now supports: ✅ Unix epoch ✅ Unix epoch / 1000 ✅ Cocoa Core Data ✅ Google Chrome ✅ Timezone modifiers ✅ History https://github.com/kibaffo33/Tempo/releases/tag/1.0.0

#dfir-open-source-projects

1

MrMacca (Allan Mc)

What tools are people using to forensically capture websites? After some recommendations. We currently use offline explorer.

https://www.vortimo.com/

wordpress

Vortimo HomeP

What is Vortimo? Vortimo is software that helps you with online investigations. Vortimo turns your boring browser into a super browser. It overlays pages with a heads-up display while it records, recalls, scrapes, enrich, reports and finds web pages you've visited before. And it does it all locally on your computer. Who should use Vortimo? ...

1

Hey everyone, does anybody have some example reports, report templates, resources, etc... from a private sector/multi-box environment they can share or point me in the direction of? All of my experience comes from the public sector/Law Enforcement so this a different world.

goalguy

Hey everyone, does anybody have some example reports, report templates, resources, etc... from a private sector/multi-box environment they can share or point me in the direction of? All of my experience comes from the public sector/Law Enforcement so this a different world.

@holly this might be something to consider for the roadmap with your project in #dfir-open-source-projects (edited)

1

8:04 AM

wrong person, pinging @holly

Apologies if you already saw this, but we are pausing OSDFCon this year and instead doing an event focused on Investigating Ransomware Attacks. Same style event as OSDFCon (30-minute, technical talks), but with a focus on the type of attack vs. type of tool. In-person. DC(ish). Sept 13. The CFP is open until June 10, so please submit if you have Ransomware-related knowledge to share. https://cyberrespondercon.com/call-for-presentations/

mimi

Call for Presentations- Cyber Responder Con

We invite all cyber responders and DFIR investigators who have ransomware experience to submit a presentation by June 10, 2022. This is a unique opportunity to share your knowledge and help follow responders.

Got a micro sd from a Merkury security camera. Files show type “.data”. Shows on Cellebrite as uncategorized. Any idea how to open these files?

Deleted User

Got a micro sd from a Merkury security camera. Files show type “.data”. Shows on Cellebrite as uncategorized. Any idea how to open these files?

Amped FIVE can interpret some .data files.

Deleted User

Got a micro sd from a Merkury security camera. Files show type “.data”. Shows on Cellebrite as uncategorized. Any idea how to open these files?

I'll message you!

Brian Carrier

Apologies if you already saw this, but we are pausing OSDFCon this year and instead doing an event focused on Investigating Ransomware Attacks. Same style event as OSDFCon (30-minute, technical talks), but with a focus on the type of attack vs. type of tool. In-person. DC(ish). Sept 13. The CFP is open until June 10, so please submit if you have Ransomware-related knowledge to share. https://cyberrespondercon.com/call-for-presentations/

Will the talks still be recorded for viewing later by people who are unable to attend in person?

Tcisaki

Will the talks still be recorded for viewing later by people who are unable to attend in person?

Yes. We'll record and post them.

Brian Carrier

Yes. We'll record and post them.

Thanks! Always love the stuff that comes out of OSDFCon, so I am sure this will be the same

Does anyone have any good recommendations for good forensic office furniture? Looking for a desk that can accommodate two forensic computers, a laptop with monitors and docking station as well as some sort of work bench/desk for processing cell phones, DVRs, etc... Budget of $1500-$2000 give or take (edited)

@Adam Cervellone We use Workrite https://workriteergo.com/fundamentals-ex-lx-electric/, you can also just buy the sit/stand raise part and add it to any desk by removing the legs and at the power system too it.

admin

Fundamentals EX & LX Electric Sit Stand Desks - Workrite Ergonomics

Fundamentals sit stand desk features an integrated computerized control and is one of the most energy efficient tables in the industry.

1

Anyone have any information about Tile devices ? Extracting and obtaining information from the tile fobs ?

Anyone in the group uses Encase for their investigations?

Humble#2244

Anyone in the group uses Encase for their investigations?

Not anymore

should I assume that you are still familiar with it?

What question do you have? Someone surely can help you here

2:27 PM

also, would be a better question for #computer-forensics, I'm guessing

ok, I'll post in computer forensics section

2:28 PM

wasn't really sure where to ask so thought of general

Hey guys, quick one, I have to run a PowerShell script on some of our hosted boxes, and it requires us to allow remote signed. Do you think this will trigger Carbon Black EDR or red canary MDR?

malrker

Hey guys, quick one, I have to run a PowerShell script on some of our hosted boxes, and it requires us to allow remote signed. Do you think this will trigger Carbon Black EDR or red canary MDR?

Only one way to find out

2

Test it, in PRODUCTION!

2

Tcisaki

Test it, in PRODUCTION!

We actually do this

Matt

We actually do this

if Micro$oft do, everyone else should

1

Andrew Rathbun

@holly this might be something to consider for the roadmap with your project in #dfir-open-source-projects (edited)

Definitely. @goalguy, check it out and see if it might be of interest to you!

How do people Feel about AD Enterprise VS. Axiom Cyber? Any other tool/competitor out there you like more?

iOS sync question. If a user has a MacBook and an iPhone both signed into the same account, will the KnowledgeC.db sync across both devices? So if both devices are connected to the internet, would I see KnowledgeC.db entries on the MacBook from when they were using their iPhone?

1

Just a reminder that big tech will bow to totalitarian human rights abuses if the money is right. I'm tired of repeating the same rant. You get the idea. https://mobile.twitter.com/GossiTheDog/status/1533136202303516672

Kevin Beaumont (@GossiTheDog)

33rd anniversary of Tiananmen Square massacre. Bing vs Google.

Likes

414

Retweets

123

2

6:10 PM

Just google “tainanmen square meat pie” and look for the British embassy cable. It’s heartbreaking.

6:10 PM

The biggest threat to Chinese people is Chinese government but hey they’re the victims of the evil west so sure. Whatever.

conf1ck3r

Just a reminder that big tech will bow to totalitarian human rights abuses if the money is right. I'm tired of repeating the same rant. You get the idea. https://mobile.twitter.com/GossiTheDog/status/1533136202303516672

it's almost always about the money. so much on sexual child abuse, so little about child employment abuse; big names right down to subcontinent brick factories

12:17 AM

then "lobbying" .. you could cry

Hello everybody!! I was wondering what GPUs are you using for your forensic workstation? I was just researching the market but I also wanted to know your opinion about it. Thanks in advance :)

kartoffel4n6

How do people Feel about AD Enterprise VS. Axiom Cyber? Any other tool/competitor out there you like more?

Not a tool endorsement or saying that I like it better but F-Response has been around for awhile and may be good for your needs depending on what they are.

ZetLoke77

Hello everybody!! I was wondering what GPUs are you using for your forensic workstation? I was just researching the market but I also wanted to know your opinion about it. Thanks in advance :)

We're just upgrading our machines and getting NVIDIA T1000s. However we have a separate rig for password cracking so we don't need a crazy powerful GPU

Hi all, has anyone done research or case work into files held on iOS devices in the following location: Media/PhotoData/CPL/Storage/filecache/XXX This relates to iOS v15.1. I wish to understand this further for some case work I am working on, so if anyone can assist me then I would be most appreciative. Thank you!

8:33 AM

As a side note, I am aware that CPL relates to Cloud Photo Library, I just wish to understand the existence of this file path on the device better.

Alex Owen

Hi all, has anyone done research or case work into files held on iOS devices in the following location: Media/PhotoData/CPL/Storage/filecache/XXX This relates to iOS v15.1. I wish to understand this further for some case work I am working on, so if anyone can assist me then I would be most appreciative. Thank you!

#mobile-forensic-decoding

Looking for some feedback on a basic flowchart for my patrol officers. Could I get some feedback if there is something else that should be done differently? I am trying to keep it basic.

6

4

1

mitchlang

Looking for some feedback on a basic flowchart for my patrol officers. Could I get some feedback if there is something else that should be done differently? I am trying to keep it basic.

Really awesome, nice work!

Andrew Rathbun

Really awesome, nice work!

wow, thanks Andrew. Appreciate that.

mitchlang

Looking for some feedback on a basic flowchart for my patrol officers. Could I get some feedback if there is something else that should be done differently? I am trying to keep it basic.

Might be technical, but idk if you want to try and ascertain whether its in BFU or AFU mode by what's stated on the passcode entry screen?

2:25 PM

I would also suggest they turn off wifi / bluetooth where possible as those result in chances where a wipe signal could reach the phone. (edited)

Rob

I would also suggest they turn off wifi / bluetooth where possible as those result in chances where a wipe signal could reach the phone. (edited)

Yes, I couldn't agree more. I had a lot more in it about 30 mins ago and I considered just that. Then I was like just plug it in if it is on... I was going to make another based flow chart based on Lee Reiber's work. (edited)

mitchlang

Looking for some feedback on a basic flowchart for my patrol officers. Could I get some feedback if there is something else that should be done differently? I am trying to keep it basic.

I don't like turning the device off with a known password... The apps shut down and pending database changes are committed. Plus there's the chance that secure boot on android has a different passcode than the lock screen so you might be locking your device. I have my officers turn on airplane, turn wifi and bluetooth off and then still stick it in a faraday bag. Asking the officers to record IMEI may "force" them to pull a battery or remove a SIM to find the IMEI... might just include some CYA language like "If available without manipulating the device..." Other than that, just a few grammar things to look over to make it pretty

4

whee30

I don't like turning the device off with a known password... The apps shut down and pending database changes are committed. Plus there's the chance that secure boot on android has a different passcode than the lock screen so you might be locking your device. I have my officers turn on airplane, turn wifi and bluetooth off and then still stick it in a faraday bag. Asking the officers to record IMEI may "force" them to pull a battery or remove a SIM to find the IMEI... might just include some CYA language like "If available without manipulating the device..." Other than that, just a few grammar things to look over to make it pretty

Those are great points and replacements. I'll make some corrections.

mitchlang

Looking for some feedback on a basic flowchart for my patrol officers. Could I get some feedback if there is something else that should be done differently? I am trying to keep it basic.

Looks very cool, and simple! Also, thank you for all you do and for keeping people safe!! (edited)

mitchlang

Those are great points and replacements. I'll make some corrections.

Have you seen https://draw.io? It might help you break out some of the sub steps to make it easier to follow/visualise.

DeeFIR 🇦🇺

Have you seen https://draw.io? It might help you break out some of the sub steps to make it easier to follow/visualise.

Yeah, this is great. I use it for my python projects

Hey, shot in the dark, but does anybody have a search warrant to get a live intercept on Snapchat they'd be willing to share with me?

mitchlang

Looking for some feedback on a basic flowchart for my patrol officers. Could I get some feedback if there is something else that should be done differently? I am trying to keep it basic.

I'm thinking over this kind of thing for our own patrol -- is there money available to issue officers (or at least the shift) a little digital evidence response kit? Faraday bag, a couple cables, a battery? That cuts down a lot of your if-then

holly

I'm thinking over this kind of thing for our own patrol -- is there money available to issue officers (or at least the shift) a little digital evidence response kit? Faraday bag, a couple cables, a battery? That cuts down a lot of your if-then

I got around part of the budget on mine by issuing a few sets to the squad supervisors instead of outfitting every officer. Seems like the best time to ask is either right at the beginning of budget year when the coffers are full or right near the end when excess money needs to be spent.

holly

I'm thinking over this kind of thing for our own patrol -- is there money available to issue officers (or at least the shift) a little digital evidence response kit? Faraday bag, a couple cables, a battery? That cuts down a lot of your if-then

Sometimes, it really depends. I hear a lot of agencies do not commit a lot of a resources to DFIR evidence programs.

12:56 PM

So it depends.

hi guys, im new to this server and I have questions about forensics tools

7:15 PM

dont anyone ever still using rekall forensics?

7:15 PM

what is it nowadays?

7:16 PM

ill try in incident response or memory forensics

Anyone here familiar with setting up drone relays? DJI

Cyx2

hi guys, im new to this server and I have questions about forensics tools

Rekall is dead

Does anyone know of any script or program where i can scan/lookup hundreds of ip addresses and then filter by country? (edited)

R3V3R53

Does anyone know of any script or program where i can scan/lookup hundreds of ip addresses and then filter by country? (edited)

Hi, I can provide you with a Python script that I made last year as an assignment for a masters degree (so it's not extensively tested and I didn't maintain it since then). It scans all text files from a folder, extract unique valid IPs (v4 dot decimal notation and v6 standard notation) and check them against WhoIs, TOR and location (based on a free (and not too reliable) service). It outputs txt, csv and kml files. The script is not too complex and it has a little over 400 lines, including comments. You may need to adjust it to your needs and maybe fix some broken dependencies. Let me know if you don't find anything else and are interested in my script.

@Cip sounds interesting. Mind sharing this to others?

fraser

@Cip sounds interesting. Mind sharing this to others?

Sure! I also included the document that explains everything about the script.

OSIPs.zip

1.16 MB

3

2

1

Cip

Hi, I can provide you with a Python script that I made last year as an assignment for a masters degree (so it's not extensively tested and I didn't maintain it since then). It scans all text files from a folder, extract unique valid IPs (v4 dot decimal notation and v6 standard notation) and check them against WhoIs, TOR and location (based on a free (and not too reliable) service). It outputs txt, csv and kml files. The script is not too complex and it has a little over 400 lines, including comments. You may need to adjust it to your needs and maybe fix some broken dependencies. Let me know if you don't find anything else and are interested in my script.

Thanks Cip, appreciate your sharing. Will look into it

1

Thanks @Cip!

1

Thanks for the feedback. Here is what I have now. https://mtdfe.com/blogs/frequently-asked-questions/patrol-investigators-mobile-device-flowchart

Patrol/Investigators Mobile Device Flowchart

Click for full downloadable/printable image.

4

1

in NTFS tunneling, anyone know if overwriting file A with file B will inherit anything other than the file create timestamp and short name? ik it creates a new entry in the MFT so I assume it's treated as a separate file.

1

holly

I'm thinking over this kind of thing for our own patrol -- is there money available to issue officers (or at least the shift) a little digital evidence response kit? Faraday bag, a couple cables, a battery? That cuts down a lot of your if-then

If you can't get money for faraday bags, the Army approach is a roll of tinfoil and some duct tape. It's obviously not ISO approved but it's pretty cost effective (and may shame the bean counters into giving you Faraday bags). We just tell officers flight mode or SIM out since very few mobiles where losing AFU matters don't have externally accessible SIM cards. It also reduces the temptation to have a quick look when they have the phone unlocked.

babybat

in NTFS tunneling, anyone know if overwriting file A with file B will inherit anything other than the file create timestamp and short name? ik it creates a new entry in the MFT so I assume it's treated as a separate file.

I might be wrong but every file we create is a new file itself but in tunneling it just acquires some of filename and standard attributes of previous file

Humble#2244

I might be wrong but every file we create is a new file itself but in tunneling it just acquires some of filename and standard attributes of previous file

yes which is why I'm interested in if it acquires anything else outside of timestamp

Is it safe to say that the way mobile device's acquisition work, they don't need to be write blocked or in some cases can't be write blocked to acquire the physical or logical image?

babybat

yes which is why I'm interested in if it acquires anything else outside of timestamp

if you are concerned with data attribute then I would say no, every file has its own data

Humble#2244

if you are concerned with data attribute then I would say no, every file has its own data

less worried about the data itself, moreso interested in the metadata that's inherited

AngryRabbit

If you can't get money for faraday bags, the Army approach is a roll of tinfoil and some duct tape. It's obviously not ISO approved but it's pretty cost effective (and may shame the bean counters into giving you Faraday bags). We just tell officers flight mode or SIM out since very few mobiles where losing AFU matters don't have externally accessible SIM cards. It also reduces the temptation to have a quick look when they have the phone unlocked.

I have a roll of tinfoil at my desk. 5-7 wraps will do it

Humble#2244

Is it safe to say that the way mobile device's acquisition work, they don't need to be write blocked or in some cases can't be write blocked to acquire the physical or logical image?

Correct. Considering for example that logical/agent acquisitions actually involve writing data to the device (uploading an agent, or sending adb commands etc) then if you were to have something blocking that, you wouldn't be able to acquire any data.

Does anyone know, on Android, is there any other reason a Snapchat video would show up in the /Snapchat folder on the media share OTHER than holding the video down in your chat view and selecting save to gallery? I'm trying to find how some of these videos exist. All I can recreate is having the files on my phone when I do this action. Whether I sent a video to someone then saved my own video, or saved a video sent to me, it goes into that folder with a random number appended. Just curious if there are other ways for these files to exist?

Does an Apple Watch allow remote wipe? Should Apple Watches be removed from suspects upon entering residence during search warrant?

Question for @Cellebrite or if anyone knows the answer. Is there a quick guide floating around in how to use reader? I would like to give something to detectives as a quick reference in navigating the tool. I know there's a reader course but I'm just looking for a quick guide.

RyanB

Does an Apple Watch allow remote wipe? Should Apple Watches be removed from suspects upon entering residence during search warrant?

In the Settings>General>Reset it only shows the option to wipe the watch itself. Of course, on the iPhone you have the option to wipe the watch. There are no options on the watch to sign out of the Apple ID account or turn off Find My iPhone. Seems that the watch cannot wipe the iPhone...someone correct me if I'm wrong.

dfir-rick

Question for @Cellebrite or if anyone knows the answer. Is there a quick guide floating around in how to use reader? I would like to give something to detectives as a quick reference in navigating the tool. I know there's a reader course but I'm just looking for a quick guide.

I belive there is a "certification" under the cellebrite learning website just for reader. I'm not sure if that video is downloadable by saving it locally and distributing it otherwise everyone would need to sign up for the platform.

Neon

I belive there is a "certification" under the cellebrite learning website just for reader. I'm not sure if that video is downloadable by saving it locally and distributing it otherwise everyone would need to sign up for the platform.

@dfir-rick Everything is pretty old from what I recall, and the certification Cellebrite Reader has you have to pay for.

DCSO

@dfir-rick Everything is pretty old from what I recall, and the certification Cellebrite Reader has you have to pay for.

Really!? I could have sworn that was free but it has been several years since I've looked at it

DCSO

@dfir-rick Everything is pretty old from what I recall, and the certification Cellebrite Reader has you have to pay for.

Yep absolutely right $299 for reader. That's wild

https://youtu.be/7ZOhFqsrcwo

Cellebrite

Ask the Expert: UFED Reader Series by Heather Mahalik - Part 1

Neon

Really!? I could have sworn that was free but it has been several years since I've looked at it

That reader course was free not long ago. I appreciate the replies.

CLB-Paul

https://youtu.be/7ZOhFqsrcwo

Thanks Paul!

Do we have anyone who works for the US Postal Inspector on the server?

Hi guys, I am curious, does anyone know a viewer that can examine .RAW files generated from printers, other than a hex editor? The only programs I see are from cameras

if you run file or binwalk against the file, what does it say?

1

11:02 AM

I sort of expect them to be postscript files, but I am not familiar with the full context of where they came from

11:04 AM

so maybe a postscript renderer/viewer or alternatively maybe a PCL viewer

uochaos started a thread. 6/13/2022 1:10 PM

Besides DidierStevensSuite can anyone recommend any other good tooling to pull apart phishing emails ?

DeLF

Besides DidierStevensSuite can anyone recommend any other good tooling to pull apart phishing emails ?

https://github.com/decalage2/oletools is good. Plus sites like https://mxtoolbox.com/

GitHub - decalage2/oletools: oletools - python tools to analyze MS ...

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging. - GitHub - decalage2/oleto...

MX Lookup Tool - Check your DNS MX Records online - MxToolbox

1

Does anyone know of any suicide keyword lists please?

1

pinball

Does anyone know of any suicide keyword lists please?

Maybe a good idea for another #dfir-open-source-projects

DeLF

Besides DidierStevensSuite can anyone recommend any other good tooling to pull apart phishing emails ?

before moving to cofense triage, I would usually use msgconvert if it was forwarded as msg, then emldump from didier to drop the objects out

1

Where I can learn about digital forensics physically tools is there any course, explain that thing I can't buy this equipment it is very expensive and not allowed in my country

MR.Falcon

Where I can learn about digital forensics physically tools is there any course, explain that thing I can't buy this equipment it is very expensive and not allowed in my country

Look at the #training-education-employment feed, you're questions might be answered in that. (edited)

MR.Falcon

Where I can learn about digital forensics physically tools is there any course, explain that thing I can't buy this equipment it is very expensive and not allowed in my country

on account of me obviously being too stupid to have noticed our DFIR-science channel content i'd just like to plug the entire site/channel. what a fabulous resource. https://dfir.science/ and https://www.youtube.com/c/DFIRScience #dfir-science this pinned anyplace @Andrew Rathbun

Digitalferret

on account of me obviously being too stupid to have noticed our DFIR-science channel content i'd just like to plug the entire site/channel. what a fabulous resource. https://dfir.science/ and https://www.youtube.com/c/DFIRScience #dfir-science this pinned anyplace @Andrew Rathbun

I already watched all the videos I want something different with all due respect

"all the videos" ?

12:52 PM

all?

12:53 PM

i have some catching up to do, maybe you should give links for me

1

MR.Falcon

I already watched all the videos I want something different with all due respect

maybe list what you have found and where it is short of information that you need. "all" is quite big

Is anyone familiar with any successful, in the wild criminal uses of NFC replay attacks targeting digital payment platforms?

Howdy! Does anyone here specialize in video enhancement? I have a Ring video we need enhanced, have footage of suspects but their faces are lower res than needed to identify. Interested in recommended video enhancement software, but would rather hire an expert to handle case instead

PM Me

data_grizzly

Howdy! Does anyone here specialize in video enhancement? I have a Ring video we need enhanced, have footage of suspects but their faces are lower res than needed to identify. Interested in recommended video enhancement software, but would rather hire an expert to handle case instead

PM Me

#dvr-multimedia-surveillance

Thank you @Andrew Rathbun !

I want to start analyzing a malware sample do you recommend any OS to do the analyzing process

11:40 PM

However, I have only 8GB of RAM

MR.Falcon

However, I have only 8GB of RAM

Linux Vms run on much less than windows so you should be fine. Download the remnux VM and work through some of the online tutorials for malware analysis

I want to do both DF and Malware analysis than you ( by the way)

Ok. Suggest picking something and starting with it. Rather than trying to do everything at once.

2:05 AM

Lots of free reading and watching material. The SANS ransowmare summit is today even and it's free

Thank you I will take remnux at the beginning (edited)

2:20 AM

One more thing

2:23 AM

I am watching a series CSI and in the second episode during the investigation, they found a laptop and put it in a weird device to scan the laptop using X-rays. does this happen in real life ?

MR.Falcon

I am watching a series CSI and in the second episode during the investigation, they found a laptop and put it in a weird device to scan the laptop using X-rays. does this happen in real life ?

I'm going to say no but the answer is technically "maybe in very specific cases that are likely not what they showed on tv" The only time I know x-rays are used are when assessing or reverse engineering electronics components

2:55 AM

CSI cyber showed a lot of stuff that isn't real. Maybe 1% of the stuff was close to right

1

The case was they found a photo burned on the laptop cover so they did the scan to extract that photo and print the photo after that but it in ice the hold the paper air so the photo will be seen

randomaccess

CSI cyber showed a lot of stuff that isn't real. Maybe 1% of the stuff was close to right

But forensics non-technology things are real right?

Absolutely no idea

2:59 AM

Mostly I'd ignore what you see on tv. Although Mr. Robot tried to be more legit in its hacking stuff

3

Digitalferret

"all the videos" ?

Not all but the last 10 videos talk about writer's block and other physical tools

randomaccess

Absolutely no idea

They seem to be real using biology science and a microscope

Hey has anyone taken SANS for401 course, have got it coming up in a month or so and would just like to pick the brains of someone who'd taken it

MR.Falcon

But forensics non-technology things are real right?

check youtube for videos about "what <some film> got wrong" . people joined up to fly off the back of the 1986 topgun before they realised it was pretty much fantasy. real forensic companies still make jokes about [Enhance] (when the actors say enhance and a pixel becomes a crystal clear picture of a mans face. and more

8:37 AM

laptops are picked up and an Intern says, "i'll just write a program in visual basic and get us in" <password hack> . the list is endless

8:38 AM

and whatever you do. DO NOT put electrical devices in a freezer to make them work again.

Is anyone using any creative ways to write reports and track stats? I have type reports in a (terrible) records manage system for every device. Right now I just use a word template and copy and paste it into the RMS. What I would like to do come up with a report template that will also track info such as statistics, make/models of unsuccessful phones, pins, etc. A big bonus would be if it could be used to fill out FPR’s. I looked at some of the commercial solutions but they were too expensive and duplicated some features (evidence intake) that I already have.

data_grizzly

Howdy! Does anyone here specialize in video enhancement? I have a Ring video we need enhanced, have footage of suspects but their faces are lower res than needed to identify. Interested in recommended video enhancement software, but would rather hire an expert to handle case instead

PM Me

Just PM'ed you

Digitalferret

and whatever you do. DO NOT put electrical devices in a freezer to make them work again.

Sorry can't find the original post asking about imaging multiple devices, but hopefully you'll see this post. We've now added image stacking (X-Ways) to the S21 Jedson Tech Streamline app. Image & Process in X-Ways Forensics, export via Jedson Tech and Review media in LASERi-X, all automated in one GUI. https://videos.semantics21.com/v/9OIROqUDVGzCDZ0GHmTuRanVW

Streamline.mp4

Shared with Jumpshare

I have a cold death case from 2018 brought to me. I have a possible cell phone number for the victim, if I check the number carrier now how likely would it be the same carrier from 2018? I may have follow questions to this post as it going. Thanks for any help, this is a learning experience for me and my agency.

Hi All, Is anyone here available in the Phoenix area to do some forensics work on a private matter? This is for a non-profit that a friend of mine is involved with. Please DM me if you are interested!

randomaccess

CSI cyber showed a lot of stuff that isn't real. Maybe 1% of the stuff was close to right

What about the episode of Bones where they scan bones and the markings upload malware into the system? I know a guy who is buddies with someone that happened to.

digital Bowles

I have a cold death case from 2018 brought to me. I have a possible cell phone number for the victim, if I check the number carrier now how likely would it be the same carrier from 2018? I may have follow questions to this post as it going. Thanks for any help, this is a learning experience for me and my agency.

Try FoneFinder and see what carrier owns that number NOW and then contact them asking if that number was owned by them back in 2018?

1:13 PM

I think I've had it before where I was able to ask a carrier if they owned a number and they said "no but X carrier does"

1

I tried using the global search but I cant find it. Does anyone have a flow chart for mobile devices? Basically something basic patrol can utilize.

dfir_rick

I tried using the global search but I cant find it. Does anyone have a flow chart for mobile devices? Basically something basic patrol can utilize.

this one? https://discord.com/channels/427876741990711298/537760691302563843/983822768929931306

trying to help out a BCERT buddy, i'll send him this one. Thank you!

1

dfir_rick

trying to help out a BCERT buddy, i'll send him this one. Thank you!

maybe ping Mitch or DM, i think it was a WIP, i found the next iteration but there's likely more. https://mtdfe.com/blogs/frequently-asked-questions/patrol-investigators-mobile-device-flowchart (edited)

Patrol/Investigators Mobile Device Flowchart

Click for full downloadable/printable image.

Digitalferret

maybe ping Mitch or DM, i think it was a WIP, i found the next iteration but there's likely more. https://mtdfe.com/blogs/frequently-asked-questions/patrol-investigators-mobile-device-flowchart (edited)

Perfect, thank you! I found a couple other things to help my buddy out. He's teaching a quick course to the new guys at his PD.

Hey everyone! Hoping someone has encountered this before. I am collecting records from a 3rd party medical software provider. They provided our client with a .bak of what I can only assume is a sqlite DB on their end. I have tried every software I have and cannot get this .bak file to open or to restore out. The company I'm collecting from says most people hire "Database Administrators" who restore the backup out to HTML format, but I have had no success. Any suggestions would be greatly appreciated!

Carb0hydrates

Hey everyone! Hoping someone has encountered this before. I am collecting records from a 3rd party medical software provider. They provided our client with a .bak of what I can only assume is a sqlite DB on their end. I have tried every software I have and cannot get this .bak file to open or to restore out. The company I'm collecting from says most people hire "Database Administrators" who restore the backup out to HTML format, but I have had no success. Any suggestions would be greatly appreciated!

I would start by looking at the file header to see if it is consistent with SQLite. If it's not SQLite, perhaps it is a database backup since they mentioned hiring a DB administrator.

Carb0hydrates

Hey everyone! Hoping someone has encountered this before. I am collecting records from a 3rd party medical software provider. They provided our client with a .bak of what I can only assume is a sqlite DB on their end. I have tried every software I have and cannot get this .bak file to open or to restore out. The company I'm collecting from says most people hire "Database Administrators" who restore the backup out to HTML format, but I have had no success. Any suggestions would be greatly appreciated!

.bak is typically MSSQL (of course a file extension can mean anything, obviously). Have a look at restoring backups with SQL Express (edited)

1

DeeFIR 🇦🇺

.bak is typically MSSQL (of course a file extension can mean anything, obviously). Have a look at restoring backups with SQL Express (edited)

That would be my first guess as well without additional context.

6:58 PM

You want context!?

1

lol well thank you guys for the suggestions! I'll get crackin' and see if I can't get SQL Express working

What's the file header first?

8:09 PM

Don't leave us hanging

whee30

What about the episode of Bones where they scan bones and the markings upload malware into the system? I know a guy who is buddies with someone that happened to.

I don't remember that episode. I do remember the one where the computer hacker rented books from the library and used that to hack things. That was weird

@DeeFIR 🇦🇺 You nailed it: "MSSQLBAK"

digital Bowles

I have a cold death case from 2018 brought to me. I have a possible cell phone number for the victim, if I check the number carrier now how likely would it be the same carrier from 2018? I may have follow questions to this post as it going. Thanks for any help, this is a learning experience for me and my agency.

I’ll send you a DM.

Carb0hydrates

@DeeFIR 🇦🇺 You nailed it: "MSSQLBAK"

Thanks for reporting back!

Anyone know anything about Google Drive File Stream? and if the cache files are readable? (edited)

Hello all. I used OSForensics to create a virtual machine of my E01 file and it booted to the BitLocker screen and says to "Plug in the USB drive that has the BitLocker key". I previously used Magnet Axiom to process the drive and did so without any issues and no mention of bitlocker. I searched Axiom for bitlocker recovery keys and found nothing of value. What's going on here?

Carb0hydrates

@DeeFIR 🇦🇺 You nailed it: "MSSQLBAK"

I just did a job with an mssql backend - installed mssql then imported the database. Used heidisql to connect to it and run queries.

6:39 PM

Took a bit of explaining to get my head around it but I couldn't use a viewer to "open the database" like you can with sqlite. Had to create a blank database with mssql and then reapply the backup to it, and tada it was there.

Oh my gosh!

6:57 PM

Thank you for your insight, I was struggling with this all day!

6:58 PM

@randomaccess

No worries. I wouldn't have figured it out without @Yogesh Khatri.

3

1

Ross Donnelly

Click to see attachment 🖼️

this is the way

this the way we connect people

I am new in digital forensics the question is what does digital devices counter look like ?

MR.Falcon

I am new in digital forensics the question is what does digital devices counter look like ?

I'm not sure what you mean by counter?

I mean the box you put digital devices in

MR.Falcon

I mean the box you put digital devices in

A faraday box?

unrelated but shout-out to @Arsenal Recon and AIM for letting us ressurect our on-prem DC long enough to get roles transferred over cleanly to another box. The launch VM from e01 is super neat and saved me like a week's worth of headache, I only wish I tried it sooner lol

3

DeeFIR 🇦🇺

A faraday box?

I guess so

You’re the one asking. What exactly are you asking?

Wait second sir

11:37 PM

I want to know what digital devices contender look like

MR.Falcon

I want to know what digital devices contender look like

Describe the process you're referring to? What's your desired outcome? Are you referring to something for mobile devices or computers or something else?

Mobile and computer

12:13 AM

Thank you sir for u help

We need a bit more info as to what you actually need to know about: are you looking for examples of how to package and store devices? Or something like a faraday environment to prevent a device connecting to some kind of network?

Sounds like how to get data to me from a mobile/computer via write blocker or similar?

Any UK sales reps for @Cellebrite here? Our old rep has left and I haven't been able to get a response elsewhere yet (admittedly it's only been a few days of trying)

1

OllieD

We need a bit more info as to what you actually need to know about: are you looking for examples of how to package and store devices? Or something like a faraday environment to prevent a device connecting to some kind of network?

Yeah that thing

4:51 AM

Sorry guys for distributing you and thank you for answering my question

MR.Falcon

Yeah that thing

You'll need to give a little more detail, which of the two options in my previous message do you need to know more about? Packaging? Or Faraday?

Packaging

4:57 AM

Sorry I didn't make the question clear for you it is my first time asking this kind of question most of the time I google it and find the answer alone

1

OllieD

You'll need to give a little more detail, which of the two options in my previous message do you need to know more about? Packaging? Or Faraday?

\\/// (edited)

MR.Falcon

Sorry I didn't make the question clear for you it is my first time asking this kind of question most of the time I google it and find the answer alone

That's ok!

5:12 AM

There are various options, two of which I've seen used are collapsible cardboard boxes, or weapons tubes

5:12 AM

https://scenesafe.co.uk/collections/evidence-storage/products/window-box-for-mobile-phone-insert

Window Box For Mobile Phone + Insert

180mm x 110mm x 65mm, Cardboard, clear plastic window, flat-packed with insert, mobile phone box. Used for the forensic recovery of a mobile telephone handset or similar type device. Can be provided as ISO 18385:2016 – Forensic DNA Grade. The boxes are in packs of 25, but can be purchased in varying quantities in heavy

5:12 AM

https://scenesafe.co.uk/collections/evidence-storage/products/weapons-tube

Weapons Tubes - Without Metal Ends

Clear Plastic, twist, cylindrical weapons tubes. Used for the collection of rigid evidence without pointed or sharp edges. The tubes are available as single items, but can be purchased in varying quantities in heavy duty re-sealable bags to assist in the conformity to ISO 17020:2012

5:13 AM

Those would work for mobiles

5:13 AM

For computers, I often see them seized just in a large plastic evidence bag with a security seal on it

Thank you sir for your help

1

5:29 AM

Do you mind if I ask one more question

1

5:34 AM

if I want to build my own tool for digital forensics what is the programming language you suggest to me and (ideas for tools already some people made ) I will try to build the same tools to improve my knowledge

For simple tools/scripts, python is a good way to go

5:36 AM

Depends on use case though: I've seen some great code written in Rust, Golang etc etc

5:37 AM

Plenty of people on here who are regular contributors to some great open-source projects who might have more experience with that topic

1️⃣ understood sir

anyone here from blueteamonline lab

Digitalferret

\\/// (edited)

you are insulting me sir

What is the best way to extract only a few emails (say 200) from a live system? The client has them in a folder in Outlook. Can't acquire the whole .pst for legal reasons. Much thanks.

MR.Falcon

you are insulting me sir

not at all. i was joking with Ollie. it's a Logical OR gate and very cleverly put

1️⃣

Luci

What is the best way to extract only a few emails (say 200) from a live system? The client has them in a folder in Outlook. Can't acquire the whole .pst for legal reasons. Much thanks.

If the same emails are available on an email server, you can target them with an in-place search directly on the email server. If you need to work off the local PST, then you can ingest it into a forensic tool (e.g., X-Ways, FTK, etc.), narrow it down to the messages you need, and create a logical image of just the emails you are after. I would be inclined to do this over the network if possible—throw an agent in there, mount the target's drive in read-only mode on your forensic laptop, and go from there. If this is not possible, you could bring a portable and lightweight forensic tool to the target, or pull the drive out and connect it to your forensic workstation through a write blocker if the target system can be stopped.

Luci

What is the best way to extract only a few emails (say 200) from a live system? The client has them in a folder in Outlook. Can't acquire the whole .pst for legal reasons. Much thanks.

Axiom via an IMAP/POP3 cloud data extraction?

Arman Gungor

If the same emails are available on an email server, you can target them with an in-place search directly on the email server. If you need to work off the local PST, then you can ingest it into a forensic tool (e.g., X-Ways, FTK, etc.), narrow it down to the messages you need, and create a logical image of just the emails you are after. I would be inclined to do this over the network if possible—throw an agent in there, mount the target's drive in read-only mode on your forensic laptop, and go from there. If this is not possible, you could bring a portable and lightweight forensic tool to the target, or pull the drive out and connect it to your forensic workstation through a write blocker if the target system can be stopped.

None of these options are really possible, as we're talking about a few mails that have been sorted by the client in his local outlook instance where all the other mails from the account are highly confidential legal correspondence. I can not do any kind of server-side acquisition because of that. The simplest way that I thought of is to drag-and-drop whatever is in that folder from the local client to some folder as .msg files. Of course this is not sound at all, but in this case it's not that important. However, I thought maybe there was a small tool that could open the local pst/ost on the fly to extract the mails in a more fancy matter?

9:00 AM

Like starting a tool from USB live on that machine, selecting the local .pst, exporting that specific folder and it's contents to some kind of container or even "partial" .pst - but I dont know too much about pst if something like this is even possible.

9:01 AM

(Thanks for your answers so far!)

Luci

Like starting a tool from USB live on that machine, selecting the local .pst, exporting that specific folder and it's contents to some kind of container or even "partial" .pst - but I dont know too much about pst if something like this is even possible.

This is along the lines of what I meant by "you could bring a portable and lightweight forensic tool to the target". X-Ways could be a good option there if you have access to it.

9:09 AM

You would be leaving quite a bit of contextual evidence behind that would be useful in investigating the emails. But, if this is largely a discovery exercise, perhaps you can get away with acquiring the email contents and high-level metadata.

9:10 AM

X-Ways wouldn't give you a partial PST, but a container with a subset of the messages.

@Luci you can use Outlook's built-in import/export options to select the folder you created with only the necessary emails in it and export these to a pst file. very simple, you just follow the export wizard, select the folder in the navigation window, select pst as the export type, and then finish

9:12 AM

https://support.microsoft.com/en-us/office/back-up-your-email-e5845b0b-1aeb-424f-924c-aa1c33b18833#:~:text=Select%20File%20%3E%20Open%20%26%20Export%20%3E,pst)%2C%20and%20select%20Next.

like Arman says, you will lose context about the emails like where they were originally stored but I you can record that with pictures or something too.

hey

3:49 PM

anyone here have experience with setting up wireguard using yubikey?

Arman Gungor

You would be leaving quite a bit of contextual evidence behind that would be useful in investigating the emails. But, if this is largely a discovery exercise, perhaps you can get away with acquiring the email contents and high-level metadata.

Thank you for the in-depth answer!

1

Sha1_4n6

@Luci you can use Outlook's built-in import/export options to select the folder you created with only the necessary emails in it and export these to a pst file. very simple, you just follow the export wizard, select the folder in the navigation window, select pst as the export type, and then finish

Thanks! This is probably the way to go here. It's just all about the content.

Anyone can guide me to setup DFIR lab and practice to learn

kladblokje_88

anyone here have experience with setting up wireguard using yubikey?

WireGuard is just a protocol, it doesn’t support things like YubiKeys

DRG3N

Anyone can guide me to setup DFIR lab and practice to learn

Intel put out a lab guideline document. Certainly overkill for what sounds like a one person startup but I’m sure you could trim it way down.

Matt

WireGuard is just a protocol, it doesn’t support things like YubiKeys

I c

Does any1 here know of a good list of search terms to use when investigating a case involving stolen login credentials? Im thinking maybe known websites for markets where logins are sold or dumped etc.

Johnie

Does any1 here know of a good list of search terms to use when investigating a case involving stolen login credentials? Im thinking maybe known websites for markets where logins are sold or dumped etc.

Raidforum dumps usually contained “*_RF” in their naming convention. “Combo List” is what I see from the script kiddies harvesting logins creds from proxies/free vpn.

1

Johnie

Does any1 here know of a good list of search terms to use when investigating a case involving stolen login credentials? Im thinking maybe known websites for markets where logins are sold or dumped etc.

pretty much what Howard said, but also if you do a wordsearch on the machine you are interrogating, for the usual type of email address, you might see the name of the file and work backwards from there ie "<combo-list-name>.txt / zip / rar and so on (edited)

1

DRG3N

Anyone can guide me to setup DFIR lab and practice to learn

easiest and cheapest, "acquire" old drives and then work with free tools to see what you can extract

Digitalferret

easiest and cheapest, "acquire" old drives and then work with free tools to see what you can extract

I just did this for a talk this summer/fall. Many more people are properly sanitizing disks these days. But not all of course. The only thing I will say, is if you have your tax data, pictures of your id, passport, medical cards etc etc etc.... For the love of all sanity, destroy your disks........

1

Cole

Even if I sort alphabetically its not usable because it orders it like this: chat1_screen1 chat1_screen10 chat1_screen100 .... chat1_screen199 chat1_screen2

Hi @Cole SGman1908, I also had this sorting issue in Chat capture, and found a way to do it right. On the ChatCapture extraction, in Physical Analyser, select Table View, and sort the images by the "Textual metadata" column. Doing so will sort the images correctly, Chat1_Screen1.png, Chat2_Screen2.png, and so on instead of ...screen1, screen10, screen11...

3

ct3374

Hi @Cole SGman1908, I also had this sorting issue in Chat capture, and found a way to do it right. On the ChatCapture extraction, in Physical Analyser, select Table View, and sort the images by the "Textual metadata" column. Doing so will sort the images correctly, Chat1_Screen1.png, Chat2_Screen2.png, and so on instead of ...screen1, screen10, screen11...

Thanks!!! I'll write that down to try when I have to do those again.

1

I am having trouble install volatility3 on windows

11:36 AM

anyone can help

ct3374

Hi @Cole SGman1908, I also had this sorting issue in Chat capture, and found a way to do it right. On the ChatCapture extraction, in Physical Analyser, select Table View, and sort the images by the "Textual metadata" column. Doing so will sort the images correctly, Chat1_Screen1.png, Chat2_Screen2.png, and so on instead of ...screen1, screen10, screen11...

Hopefully this feature gets more attention moving forward. Cool idea for otherwise unsupported apps but the current state just isn’t quite there.

Anyone from the forensic team at TikTok here? Can I get a DM please?

memory forensics tools for windows (Volatility) doesn't work

MR.Falcon

memory forensics tools for windows (Volatility) doesn't work

Can we get a bit more details? Are you running the pre-built volatility3 executable, or are you running it under Python directly? What errors are you getting etc?

python

Mind if you DM me the error you are getting?

Does anyone know if @Cellebrite can be installed on macs (m1)? besides Inspector. I can't find any info on the website, although all the pics are made to look like they are running natively on OS X

@trillian Windows only. You can use Parallels with Windows, but the adapter may not work. (edited)

2

Good morning all ... wondering if anyone has had any luck identifying artifacts from the Omegle chat site? Doing some searching it looks like there may have been an app in the past or some way to share photos, but not really seeing either of those things now?

There have been various 3rd party Omegle apps over the years, some of which I think integrated file sharing? All very sketchy and badly designed apps usually - I'm sure artefacts would vary greatly between them

Can anyone identify these programs just from their taskbar icons?

3rd is vueprint

Left might be R-Studio

8:25 AM

Well, it looks like the R Language symbol, R-Studio is the first IDE that comes to mind but it doesn't use the same logo

R-Studio/R was the first thing that came to mind for me as well, but the slope of the top right of the letter looks quite different to the reference logos that I could find

hmm, thats interesting

9:17 AM

theres a bit of grey on the middle left and top left, though the artifacting/compression makes it hard to see

9:17 AM

that i thought could be the big circle they place behind the R

The R could be Revit, but it's very generic https://bimchapters.blogspot.com/2017/07/changing-revit-2018-icon.html?m=1

Changing the Revit 2018 Icon

Architect and Revit guru Brian Payne recently had a clever idea and created a custom Revit 2018 icon; here is the Twitter link . He did ...

Ross Donnelly

The R could be Revit, but it's very generic https://bimchapters.blogspot.com/2017/07/changing-revit-2018-icon.html?m=1

i agree with this one, this is much stronger than my idea

jaket2452

Can anyone identify these programs just from their taskbar icons?

10:14 AM

I did some upscale/processing on the center image to try and make it more recognizable

10:14 AM

hope that helps

Anyone familiar with CrowdStrike Falcon FileCreateInfo events? I'm trying to determine why we are only seeing this event on some systems. Does anyone know what setting enables this? Is it created for any file or just specific types?

@Law Enforcement [USA] Has anyone served a search warrant on Apple using a UID to identify the device and received any useable result? If so, do you have a template that you would be willing to share?

@FullTang We have done it and that is how we do it with air tags, is pulling the number from the inside of the device.

dabeersboys

@FullTang We have done it and that is how we do it with air tags, is pulling the number from the inside of the device.

Perfect. Thank you!

pug4N6

Good morning all ... wondering if anyone has had any luck identifying artifacts from the Omegle chat site? Doing some searching it looks like there may have been an app in the past or some way to share photos, but not really seeing either of those things now?

I had a case in 2019 there was an Omegle app installed it stored chats and records in a different database plain text though was easy to identified headers and footers for the convo and then pointers to the pictures that matched by MD5 for tying back to the same chat thread.

jaket2452

Can anyone identify these programs just from their taskbar icons?

Could the 1st be this? https://www.r-project.org/

2:33 PM

MrMacca (Allan Mc)

Could the 1st be this? https://www.r-project.org/

That's what I thought at first as well

2:39 PM

i think @Ross Donnelly nailed it with Revit though

2:39 PM

coloration and angles look much closer for the Revit logo than the R logo, which is more solid blue

Yeah, I kind of agree looking again at it

the center one i spent some time look for earlier, tried similar processing as well

2:41 PM

no luck

Looks like a C I.

Yeah, that's what I see as well, was trying some searches with context earlier, assuming left is Revit and right is vueprint, what other program might someone have installed

the one at the middle looks like a dictionary/translation software icon, or bobba fett

jaket2452

Can anyone identify these programs just from their taskbar icons?

Middle one looks like the HP SMART logo

Is crss.exe a file that often changes (for example with updates) or can it’s integrity be confirmed with a known file filter?

rojo

Middle one looks like the HP SMART logo

Could well be on to something with that one. Hard to tell with compression artefacts. I also agree with @Ross Donnelly on Revit being a better suggestion than R

rojo

Middle one looks like the HP SMART logo

yep, it passes the "squint test" for me. well found (edited)

1

OllieD

Could well be on to something with that one. Hard to tell with compression artefacts. I also agree with @Ross Donnelly on Revit being a better suggestion than R

multiple iterations of resize-small-large-small, pixelate, gaussian blur etc. theres a likeness

3

Digitalferret

yep, it passes the "squint test" for me. well found (edited)

Years of fixing the parents printer have finally payed off

2

1

rojo

Years of fixing the parents printer have finally payed off

Were you usually drunk when fixing the printer? That's the only way you'd be able to recognise it that blurry....

rofl, but ooooh, that's below the belt

11:45 AM

all i have to do is take the specs off, blessed, far cheaper effect than having to buy alcohol

That's a really good call @Digitalferret

11:45 AM

i had looked at that app icon in my searches but i skipped over it because it didnt look quite close enough

11:45 AM

but your compressed version has convinced me

chick3nman

but your compressed version has convinced me

ty good sir //bow

11:47 AM

all down to rojo tho. i'd never have found that in a month of sunday's

1

oh yeah @rojo gets credit for finding it too

2

chick3nman

oh yeah @rojo gets credit for finding it too

totally OT, but do you have this moniker on Twitter? knew a guy when i was on yrs back, but checking there are so many chickenmen it's like maybe knowing Johhn Smith (edited)

11:56 AM

UK based here. usual crowd were data recovery set inc folks from Disklabs

11:56 AM

Lee whatsisface and Lord Steggles

https://twitter.com/Chick3nman512 (escaped so it doesnt populate as a link, dont want to self advertise too much :P)

lol, yeh its you

chicken logo

since years lol. i just don't go on that much

hahaha awesome, i'm not super active on there in terms of posting recently but i still have it open 24/7

12:01 PM

lot of security folks tend to center around twitter, makes keeping up with stuff a lot easier(or harder, depends on how you look at it)

yeh, its very current although i think some treat it like write only memory

12:02 PM

i started as this name, then wanted to split business and normal use. so swapped to this with uk appended...

12:02 PM

and carried on venting my personal opine about all sorts of shit, so just gave up the former account for dead

12:03 PM

some really genuine folks on there, just responded to Snipey and 4n6woman. absolutely BS free folks ftw

12:05 PM

and Snipey is very sweary, 4n6 has Akitas -both winners imho

haha i think i follow at least 4n6, if not the former

Ross Donnelly

Were you usually drunk when fixing the printer? That's the only way you'd be able to recognise it that blurry....

I’ve found that’s the best way when dealing with family IT issues!

rojo

I’ve found that’s the best way when dealing with family IT issues!

That is SO true

rojo

I’ve found that’s the best way when dealing with family IT issues!

https://twitter.com/TheAngularGuy/status/1466722937533353987?s=20&t=kmOIgEwZEC-2sM2zQhoYFg

Mustapha Aouas (@TheAngularGuy)

RELATIVE: So... I heard you are good with computers, right? ME (has a master's degree in CS): Nope #programming #meme

4

2

1

FullTang

https://twitter.com/TheAngularGuy/status/1466722937533353987?s=20&t=kmOIgEwZEC-2sM2zQhoYFg

yup. "sorry, I'm a bricklayer" or "all thumbs with that shit"

1

I just tell them I am good at breaking them. Or finding their deleted porn

4

Tcisaki

I just tell them I am good at breaking them. Or finding their deleted porn

seriously, once helped a relly, at my PC, go thro his camera card and he saw two things. 1: i had a folder of tools with the word Forensic on it. he shat. 2: he saw a directory which he patently thought he'd deleted and asked if i'd recovered it. he shat bricks., i hadn't and told him so and said that whilst his camera viewer might think they were deleted the PC did not. he was keen for us to move along swiftly. (edited)

10:08 AM

and yes, there were "those" sort of pictures in there

i'd already found and was discreet enough not to mention.

10:11 AM

seriously, if i were less than totally confidential and/or less that completely ethical, i'd either be very rich or very dead. i can say that of any and all work I've taken, the one's that had more "moral/ethical" standpoint, such as Pastors/Religious types, Councillors etc, the more sordid was the content.

FullTang

https://twitter.com/TheAngularGuy/status/1466722937533353987?s=20&t=kmOIgEwZEC-2sM2zQhoYFg

Haha, I just started doing this to my relatives lately. Awesome feeling. “No, I do CS aunty, thats a whole different field”

1

Hy geeks, What tools can recover deleted GoPro videos from SD card? The videos has been deleted directly from SD card (using DEL button) when it was attachet to card reader. I tried FTK imager and Recuva - no success.

Sounds like something for photorec

1

6:21 AM

It’s free

2numb3rs

Hy geeks, What tools can recover deleted GoPro videos from SD card? The videos has been deleted directly from SD card (using DEL button) when it was attachet to card reader. I tried FTK imager and Recuva - no success.

I just pulled an SD card out of a GoPro 7. It's exFAT. I was able to view/recover deleted jpgs and MP4s with fls and icat (from sleuthkit). Interesting that the fls command does not exit or return to prompt, but the entry numbers still return valid jpgs, MP4s or JSON data.

What tool for a Linux command line can be used to examine emails and email files?

Soda cool

What tool for a Linux command line can be used to examine emails and email files?

what specific data are you trying to extract, what have you tried so far?

Soda cool

What tool for a Linux command line can be used to examine emails and email files?

https://www.systranbox.com/how-to-read-files-in-linux-command-line/

Hello, I have a very specific question regarding KAPE and DFIR-Orc (french developed collection tool). DFIR-Orc is a tool able to embed other third parties binaries, enabling orchestration of a lot of tasks. I'd like to have some help to embed KAPE. I'm able to run KAPE from Orc, however kape tries to find the .tkape files in the /Targets directory. However since I'm not running Kape itself but from Orc, it's not able to find the targets. I tried embedding the targets in Orc thinking that kape would find it in its running context, but it doesn't work. I tried a lot more things but I can't make KAPE to find the targets. Is someone able to help? DFIR-Orc documentation : https://dfir-orc.github.io/index.html (edited)

АКСИПИТЭР13

Hello, I have a very specific question regarding KAPE and DFIR-Orc (french developed collection tool). DFIR-Orc is a tool able to embed other third parties binaries, enabling orchestration of a lot of tasks. I'd like to have some help to embed KAPE. I'm able to run KAPE from Orc, however kape tries to find the .tkape files in the /Targets directory. However since I'm not running Kape itself but from Orc, it's not able to find the targets. I tried embedding the targets in Orc thinking that kape would find it in its running context, but it doesn't work. I tried a lot more things but I can't make KAPE to find the targets. Is someone able to help? DFIR-Orc documentation : https://dfir-orc.github.io/index.html (edited)

Any reason why you're trying to do that? (Appreciate that might be the task and suggesting alternatives isn't what you're asking....but it sounds like it might be the hard way)

The reason is we want to have a certification from ANSSI. We think that we would have better chances to get it by using french tools. So we want to replace our velociraptor with DFIR-Orc. We know that Orc is able to do artifact collection, however it copies the artifacts byte for byte, and it would be easier for our analysis if we have the files as is, and not a series of bytes (edited)

@Magnet Forensics Is it possible to remove keywords or a keyword list from a case that has already been processed in Magnet AXIOM v6.2?

RyanB

@Magnet Forensics Is it possible to remove keywords or a keyword list from a case that has already been processed in Magnet AXIOM v6.2?

hi @RyanB, let me do a little digging and see how quickly I can get you an answer.

I have a question regarding my school project. So we basically have a victims laptop that got infected (like a roleplay not actual with a virus but a student instead who left behind some clues). The problem is my group is the only group where they deleted the entire system32 file (the task was to not let windows boot anymore, couldve simply deleted the bootloader file but hey the other group just straight up deleted everything

). Now thwt my group got access to the infected laptop, we need to find evidence. The other group left behind clues which unfortunately a lot of them they hid in the system32 folder. Now my question is if there is a way to retrieve this file? I have cloned the devices OS onto a HDD and used Osforensics to see some more detailed things. Now in OSforensics i see it got moved to the recylce bin, so not fully deleted. Is there a way i can retrieve this file resulting in me being able to boot the device again? @Magnet Forensics (edited)

RyanB

@Magnet Forensics Is it possible to remove keywords or a keyword list from a case that has already been processed in Magnet AXIOM v6.2?

I was told no, the last time I asked this question

Digitalferret

what specific data are you trying to extract, what have you tried so far?

Whats in the email without opening it, pretty much metadata, and I’ve tried exiftool.

Original message was deleted or could not be loaded.

Hi @RyanB and @Ross Donnelly: I spoke with one of our UX wizards and this is a known issue. I have also updated our eng team to let them know it's still an in-demand request. I'm still waiting to hear back from our examiner group too.

2

Celox

I have a question regarding my school project. So we basically have a victims laptop that got infected (like a roleplay not actual with a virus but a student instead who left behind some clues). The problem is my group is the only group where they deleted the entire system32 file (the task was to not let windows boot anymore, couldve simply deleted the bootloader file but hey the other group just straight up deleted everything

). Now thwt my group got access to the infected laptop, we need to find evidence. The other group left behind clues which unfortunately a lot of them they hid in the system32 folder. Now my question is if there is a way to retrieve this file? I have cloned the devices OS onto a HDD and used Osforensics to see some more detailed things. Now in OSforensics i see it got moved to the recylce bin, so not fully deleted. Is there a way i can retrieve this file resulting in me being able to boot the device again? @Magnet Forensics (edited)

Hey @Celox , I'm still new here and I can lean more on our Forensic analysts but, from what I do know, if you still have access to the drive and can take a full image of it, AXIOM should be able to carve your deleted space (depending how long it's been since "infection" and now - sectors could have been overwritten) and you should be able to recover your missing data. Happy hunting!

so what file exactly are you checking for the meail messages themselves? ie is it a specific format for a particular email client? i'm thinking maybe the answer has to take into account the email program. either that or try a generic toolkit like Sleuthkit/Autopsy (edited)

Digitalferret started a thread. 6/27/2022 12:33 PM

Michael Paleshi

Hey @Celox , I'm still new here and I can lean more on our Forensic analysts but, from what I do know, if you still have access to the drive and can take a full image of it, AXIOM should be able to carve your deleted space (depending how long it's been since "infection" and now - sectors could have been overwritten) and you should be able to recover your missing data. Happy hunting!

Luckily the drive is not being used so the files shouldnt be overwritten in theory right? (edited)

Celox

Luckily the drive is not being used so the files shouldnt be overwritten in theory right? (edited)

exactly. If the drive has been offline then the FAT shouldn't be overwriting yet.

Michael Paleshi

exactly. If the drive has been offline then the FAT shouldn't be overwriting yet.

in osforensics a tool we had to use for school, i could still see the recycle bin with the system32 folder right after i unplugged it. so ye should be fine thx for the help ill check axiom out tommorow and hopefully get that system32 recovered so i can boot the pc again or maken an vm from it

1

Celox

in osforensics a tool we had to use for school, i could still see the recycle bin with the system32 folder right after i unplugged it. so ye should be fine thx for the help ill check axiom out tommorow and hopefully get that system32 recovered so i can boot the pc again or maken an vm from it

Assuming a HDD and not an SSD with TRIM, then it’s likely recoverable. Do you know what kind of drive is in the laptop? Otherwise if you’re still seeing filesystem entries (FAT/NTFS) then the records could still exist, but the data relating to each entry may not exist (in the case of trim).

АКСИПИТЭР13

The reason is we want to have a certification from ANSSI. We think that we would have better chances to get it by using french tools. So we want to replace our velociraptor with DFIR-Orc. We know that Orc is able to do artifact collection, however it copies the artifacts byte for byte, and it would be easier for our analysis if we have the files as is, and not a series of bytes (edited)

Could you make a Velociraptor offline collector and package that within ORC?

Hi, does anyone have a mapping between Event ID and its meaning for SMB Connectivity Logs in Windows?

navant

Hi, does anyone have a mapping between Event ID and its meaning for SMB Connectivity Logs in Windows?

https://docs.netapp.com/us-en/ontap/nas-audit/smb-events-audit-concept.html

DeeFIR 🇦🇺

https://docs.netapp.com/us-en/ontap/nas-audit/smb-events-audit-concept.html

Thank you! Is there any documentation for Event ID above 30000?

randomaccess

Could you make a Velociraptor offline collector and package that within ORC?

We could, but I’m not sure it responds at the mission i have. My manager explicitely said that we have to quit using velo. Thanks for the answer anyway

1

АКСИПИТЭР13

We could, but I’m not sure it responds at the mission i have. My manager explicitely said that we have to quit using velo. Thanks for the answer anyway

Would be keen to know why you're moving away from velo - mostly curious because we use it a lot so good to know what the reason in so we can figure out if it's something we need to consider :)

randomaccess

Would be keen to know why you're moving away from velo - mostly curious because we use it a lot so good to know what the reason in so we can figure out if it's something we need to consider :)

May I redirect you to one of my earlier messages explaining our reasons : https://discord.com/channels/427876741990711298/537760691302563843/990950343674298378

АКСИПИТЭР13

May I redirect you to one of my earlier messages explaining our reasons : https://discord.com/channels/427876741990711298/537760691302563843/990950343674298378

Right so just "french tools == easier certification" no dramas. Might have the same issues with kape == Amercian tool as much as velo == Australian tool. So following on with that, probably best to use OFC for the entire collection process somehow isntead

randomaccess

Right so just "french tools == easier certification" no dramas. Might have the same issues with kape == Amercian tool as much as velo == Australian tool. So following on with that, probably best to use OFC for the entire collection process somehow isntead

You'd be right if I had more time. I only have two months left to configure, verify the collection, and test it. Would easily take a lot of time to create a lot of configuration files, so if we can, for now, use kape to collect, I could gain a lot of time. In the future we will use DFIR-Orc only, however i'm a bit short in time atm

1

navant

Thank you! Is there any documentation for Event ID above 30000?

https://github.com/nasbench/EVTX-ETW-Resources/blob/main/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220517_22000.675/Providers/Microsoft-Windows-SMBServer.csv

EVTX-ETW-Resources/Microsoft-Windows-SMBServer.csv at main · nasben...

Event Tracing For Windows (ETW) Resources. Contribute to nasbench/EVTX-ETW-Resources development by creating an account on GitHub.

Andrew Rathbun

https://github.com/nasbench/EVTX-ETW-Resources/blob/main/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220517_22000.675/Providers/Microsoft-Windows-SMBServer.csv

Thankyou!

What is everybody's time to parse an iPhone extraction with Cellebrite lately ? I have a newer PC Intel i9-10900x CPU 128GB of memory and running the case on an M2 and its taking 4-5 hours to parse a 66GB iPhone, @Cellebrite using 7.55.2.2

9:38 AM

Cellebrite is only using 7% of the CPU and 20% of the memory

FFS?

Location carving and photo/video classification takes a while too.

@CLB-Paul Yes FFS extraction

DCSO

What is everybody's time to parse an iPhone extraction with Cellebrite lately ? I have a newer PC Intel i9-10900x CPU 128GB of memory and running the case on an M2 and its taking 4-5 hours to parse a 66GB iPhone, @Cellebrite using 7.55.2.2

Not a great answer admittedly, but have you tried out the PA Ultra coming out? You can get the beta through design partners... it's supposed to reduce load time considerably. Like I said - not a great fix right now but certainly hope moving forward.

@Neon I don't have photo/video classification on at this time, I'll check location carving. I'm just baffled that its not cranking on the CPU/cores and memory .

DCSO

@Neon I don't have photo/video classification on at this time, I'll check location carving. I'm just baffled that its not cranking on the CPU/cores and memory .

Hmm. I know FFS takes mine a while too. My rig is xeon silvers but with less ram than yours

whee30

Not a great answer admittedly, but have you tried out the PA Ultra coming out? You can get the beta through design partners... it's supposed to reduce load time considerably. Like I said - not a great fix right now but certainly hope moving forward.

I'm really excited about Ultra. It's going to be nice not having to reparse data.

2

Neon

I'm really excited about Ultra. It's going to be nice not having to reparse data.

Does PA Ultra come with a normal license or is it extra?

If anyone wants to vote for the title of the book we're writing in #deleted-channel, today is the last day of voting! Vote here: https://forms.gle/eZtkh5NZkzdjwaq66

Vote for the CrowdsourcedDFIRBook's New Title! Round 1

The DFIR Community needs your input as to what should replace the placeholder CrowdsourcedDFIRBook title for the collaborative book being written and edited on GitHub (https://github.com/Digital-Forensics-Discord-Server/CrowdsourcedDFIRBook) and published on Leanpub! The options with the top 3 most votes will move on to the second and final rou...

@FullTang eventually it will replace PA and its the same $. (what I've read)

2

Hoping it's the same costs because PA licenses have skyrocketed the past 2 years

1

No extra cost for ultra. There’s FAQ at bottom of the page https://cellebrite.com/en/pa-ultra/

1

2

Fantastic. Looking forward to it!

On a somewhat related note, are there any plans for UFED4PC/Touch 2 supporting Smart Watch extractions?

Anybody have a recommendation for adding media Codec to @Cellebrite to play videos natively in PA, i usually have to export them to GOM player. Thanks

DCSO

Anybody have a recommendation for adding media Codec to @Cellebrite to play videos natively in PA, i usually have to export them to GOM player. Thanks

I've had this issue recently too. I have the klite codec pack installed and it hasn't helped. I've noticed most of the times the issue is more prevalent when the extraction is on a network storage location when parsing. That's anecdotal obviously. But PA should be able to natively play most of the video files on a phone. I have been exporting all of the photos and videos with the Griffeye format and importing it in there. It has many features that makes it better for reviewing videos.

1

2:40 PM

Griffeye is free too*

FullTang

On a somewhat related note, are there any plans for UFED4PC/Touch 2 supporting Smart Watch extractions?

Nothing in immediate future

1

Anyone @MSAB able to DM me re issue with Samsung A20e. Ta

CLB-Paul

No extra cost for ultra. There’s FAQ at bottom of the page https://cellebrite.com/en/pa-ultra/

Any reason we can't see it in our customer portal yet? The FAQ says it should be available for all PA users. Is it still in Beta or is it final product now?

1

anyone know if upgrading my workstation to Windows 11 affect any of the major Forensic softwares (X-Ways, Cellebrite, Axiom, EnCase etc)?

tony1815

Anyone @MSAB able to DM me re issue with Samsung A20e. Ta

Sure!

Ross Donnelly

Any reason we can't see it in our customer portal yet? The FAQ says it should be available for all PA users. Is it still in Beta or is it final product now?

Same here, too. I do not find the download in our customer portal, but I like to test it

whee30

Not a great answer admittedly, but have you tried out the PA Ultra coming out? You can get the beta through design partners... it's supposed to reduce load time considerably. Like I said - not a great fix right now but certainly hope moving forward.

Ultra will decrease the RELOAD time considerably for sure. Initial parse time is still going to take a while sadly. It’s still an awesome addition but I don’t want anyone to be disappointed that if they are expecting faster initial parse times. Making more use of resources is a common request and one that is being examined for later versions of ultra.

dinosaurdave

anyone know if upgrading my workstation to Windows 11 affect any of the major Forensic softwares (X-Ways, Cellebrite, Axiom, EnCase etc)?

I’ve not tested it but the release notes for Axiom 6.3 mentions ‘AXIOM now supports Windows 11’ - whether that means running it on Win 11 or support for processing Win 11 images I don’t know though.

I'll find out soon

When is the launch date of Ultra? Not seeing it in our Portal. @Cellebrite

5:24 AM

@Cellebrite is Ultra an addon or different PA product? This obviously causes issues for ISO!

5:27 AM

Or perhaps a name change?

Zhaan

When is the launch date of Ultra? Not seeing it in our Portal. @Cellebrite

PA is v7 etc, Ultra is v8. I think consider it similar to EnCase going from v6 -> 7 -> 8 (That's how I see it anyho!) (edited)

1

CLB_iwhiffin

Ultra will decrease the RELOAD time considerably for sure. Initial parse time is still going to take a while sadly. It’s still an awesome addition but I don’t want anyone to be disappointed that if they are expecting faster initial parse times. Making more use of resources is a common request and one that is being examined for later versions of ultra.

Fair point - thanks for the clarification.

Rob

PA is v7 etc, Ultra is v8. I think consider it similar to EnCase going from v6 -> 7 -> 8 (That's how I see it anyho!) (edited)

How DARE you compare Encase to the mighty PA! Disgraceful behaviour! No wonder you dont have Trevor!

6

1

Hi everyone, I am trying to analyse Windows 7 security configurations. Is there a guide you know that describes this? I'm specially interested in the settings which, enabled or disabled, can cause the OS to become completely vulnerable (e.g. disabling Firewall, Windows Defender, etc.). I'd really appreciate it if you could let me know.

https://www.microsoft.com/en-us/download/details.aspx?id=55319

Security Compliance Toolkit and Baselines

This set of tools allows enterprise security administrators to download, analyze, test, edit and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products, while comparing them against other security configurations.

1

1:30 PM

From 1st party, Microsoft provides this ^ @degent_

Dave

https://www.microsoft.com/en-us/download/details.aspx?id=55319

Thanks a lot!

2:48 PM

Btw I'm trying to connect my guest VM (which is host-only and has a vboxnet I/F to connect to the internet) to my DNS VM (which uses a bridged-adapter). The guest VM can ping the DNS VM, however, the DNS VM can't ping the vboxneto I/F nor the guest VM. How may I fix this? I'd really appreciate it if anyone could help me out.

CIS also has baselines, couldn't spot the W7 standard though https://www.cisecurity.org/benchmark/microsoft_windows_desktop

CIS Microsoft Windows Desktop Benchmarks

Download our step-by-step checklist to secure your platform: An objective, consensus-driven security guideline for Microsoft Windows Desktop.

1

For those KAPE wizards out there, is there a magical set of flags that would automatically set the destination drive to the one that Kape is running off of? I am thinking, you plug this in and run Kape as admin and unplug when done.

Murst

For those KAPE wizards out there, is there a magical set of flags that would automatically set the destination drive to the one that Kape is running off of? I am thinking, you plug this in and run Kape as admin and unplug when done.

Maybe use %kapeDirectory% for your destination?

Murst

For those KAPE wizards out there, is there a magical set of flags that would automatically set the destination drive to the one that Kape is running off of? I am thinking, you plug this in and run Kape as admin and unplug when done.

I asked Eric. He said try .. \tout. . is KAPE directory. .. is a directory up from that. So you could do the above and have it go to your tout folder. Give it a try and let us know

4:42 PM

Or if you have KAPE.exe on the root of your flash drive, I suppose . would work for you

‍♂️

Posting to say AXIOM 6.3 is available. magnetforensics_alt

https://www.magnetforensics.com/blog/magnet-axiom-6-3-take-control-of-evidence-processing/ The TLDR is: 1. Parsing-Only Processing and Post-Processing Carving

2. Support for Find My Artifacts

️ 3. Better logging for PhotoDNA Hash Matching and Passwords #️⃣ 4. Windows 11 support Windows10B

->

(gotta get the windows 11 emoji added, but this one is pretty darn close lol) 5. Support for Windows Search Artifacts

p.s. we haven't really done this before, open to feedback. Is this helpful or just annoying?

(edited)

2

10

Hey all, how’s things going!

ahoy! better than yesterday.

PA ultra 8.1 is out today, I'm sure with such a big change in architecture there will be some kinks but it's exciting to see some fixes to one of my biggest complaints which is the repeated load times. With major software updates like this, are there independent bodies that evaluate and publish results based on known datasets (like NIST)?

whee30

PA ultra 8.1 is out today, I'm sure with such a big change in architecture there will be some kinks but it's exciting to see some fixes to one of my biggest complaints which is the repeated load times. With major software updates like this, are there independent bodies that evaluate and publish results based on known datasets (like NIST)?

I have not completed bit for bit comparison nor has my comparisons been published, but I’ve been using PA 8 in beta for over a year. Other than what CB has published as not currently supported, the recent beta parsing and PA 7 parsing results have been spot on. In the recent release I thought there was some parsing difference, but it was a setting error that I made. If you have any questions about the parsing differences I would suggest asking for or accessing the CB CTF acquisitions and do a comparison yourselves with PA 8 and PA 7. I think you will be pleasantly surprised. This is what I did when Magnet AXIOM release it’s new full version 6.0. I would imagine NIST will do a work up but I’m sure it’s going to take a year or so before they release results. I know that puts a lot on lab staff but it works if you work it (edited)

3

1

Has anyone done a law enforcement request from Snapchat and asked for/got back device information? I am wondering if they capture any IMEI or other identifying info. Trying to correlate a device that is logging into a specific account that isn't theirs.

A A

Has anyone done a law enforcement request from Snapchat and asked for/got back device information? I am wondering if they capture any IMEI or other identifying info. Trying to correlate a device that is logging into a specific account that isn't theirs.

@Law Enforcement [USA]

I ask but never get a device id, advertising id etc.

sirlane

I ask but never get a device id, advertising id etc.

same here

I feel like every warrant I get from Snap, Google, and Apple give different responses with the exact same language in their respective requests. My most recent Snap warrant was on a cybertip and snap administratively deleted the account and didn't even save the email or phone number used to sign up.

‍

You can try but, I wouldn't expect much. (edited)

I expected as much but figured I would double check with someone that's done one recently. Thanks everyone for the quick responses.

I have a recent one. Under ip_data.csv they provided the Android model and pda version with each app_login_username entry along with the snapchat version. No IMEI though. (edited)

1

Hi all, I have a project requiring real fake printers and wanted to know the best approach. These printers would exist in a virtual environment but need to be as digitally real as possible (can live without paper/ink levels but would be super nice to have). Looking for any advice or directions on where to begin to do this. Please and Thank You!

Lachrymosa

Hi all, I have a project requiring real fake printers and wanted to know the best approach. These printers would exist in a virtual environment but need to be as digitally real as possible (can live without paper/ink levels but would be super nice to have). Looking for any advice or directions on where to begin to do this. Please and Thank You!

Print to PDF presents itself as a virtual printer, guess it depends on exactly what you're testing

Ross Donnelly

Print to PDF presents itself as a virtual printer, guess it depends on exactly what you're testing

This specific use case is more of a honeypot with the potential of an adversary getting into the base OS of the printer/Printer FS. We didn't want them to realize at that point in their intrusion that it is fake. If I am understanding the FILE: option in creating a printer correctly, this just gives an interface for a host to ship a print job to, but no actual network location or resident OS on that network device.

Lachrymosa

This specific use case is more of a honeypot with the potential of an adversary getting into the base OS of the printer/Printer FS. We didn't want them to realize at that point in their intrusion that it is fake. If I am understanding the FILE: option in creating a printer correctly, this just gives an interface for a host to ship a print job to, but no actual network location or resident OS on that network device.

I think you're going to struggle to find something like that, as there is no use case (other than yours!) for anyone to have produced a system that does that, and it's unlikely to be a common format you can just rip and virtualise outside of the hardware. Good luck though!

Ross Donnelly

I think you're going to struggle to find something like that, as there is no use case (other than yours!) for anyone to have produced a system that does that, and it's unlikely to be a common format you can just rip and virtualise outside of the hardware. Good luck though!

Yea, the deeper I google, the more I'm realizing that this hasn't quite been done, and if it has, people aren't forthcoming about it. Appreciate the attempt! If anyone else is sitting on some secret techniques though, I'd be happy to hear them.

Didn't want to pollute the training channel, but.... Does anyone else, after completing a certification (or similar) feel a bit down afterwards. Like "Now what the heck do I do?" kind of feeling?

2

Lachrymosa

Yea, the deeper I google, the more I'm realizing that this hasn't quite been done, and if it has, people aren't forthcoming about it. Appreciate the attempt! If anyone else is sitting on some secret techniques though, I'd be happy to hear them.

Have you tried creating a virtual printer inside HyperV? I have no knowledge of HyperV but know it can create virtual switches, so why not virtual printers.

Fantastic the midnlunch crash lag of scopely

Just bought two VPS', gonna use one as a honeypot. The other one for personal stuff like a blog, Wireguard, password manager and note taking app. You guys got any recommendations on what software to use, or good/bad practices?

I'd avoid keeping a password manager on a public facing VPS. Same with Notetaking apps, unless they're encrypted at rest with a strong password. For a blog, Ghost is really good, and for a password manager, I use 1Pass, but Bitwarden is OSS

Agree, password manager in the cloud is a bad idea, unless fully encrypted, for blog react

React is a bit of effort though...?

Yeah for some true.

10:23 AM

Just don't use bloody Wordpress, you'll be fine

1

Lol 100%

Alternatively, use Wordpress on your honeypot

kladblokje_88

Just bought two VPS', gonna use one as a honeypot. The other one for personal stuff like a blog, Wireguard, password manager and note taking app. You guys got any recommendations on what software to use, or good/bad practices?

Also keep in mind a honeypot can generate a lot of traffic really fast. And if you’re paying for the vps, you could get a large bill rather quickly so keep that in mind.

Matt

I'd avoid keeping a password manager on a public facing VPS. Same with Notetaking apps, unless they're encrypted at rest with a strong password. For a blog, Ghost is really good, and for a password manager, I use 1Pass, but Bitwarden is OSS

seems legit, I will run those apps behind VPN

Matt

Alternatively, use Wordpress on your honeypot

HAHAHAHA

A vpn won’t help a compromise vps

10:26 AM

Just don’t put a password manager on a public vps

1

If you want it to be easily accessible, use a solution like 1Pass which handles that for you

Or Enpass which is what I use

If you're doing it yourself, with something like a password manager, one mistake would be extremely costly

100%

i see

Another thing to do with honeypots - if possible - would be to look into Docker, it would make it easier for you and it's a good technology to learn how to use

10:36 AM

You could also play around with shipping logs to your other/another VPS if you wanted to analyse the data you're getting from the honeypot, presuming you've thought ahead that far

Matt

Another thing to do with honeypots - if possible - would be to look into Docker, it would make it easier for you and it's a good technology to learn how to use

t-pot is docker containers galore

kladblokje_88

t-pot is docker containers galore

Good for learning

1

Anyone based in the UK and involved with Mobile Device Forensics, I would appreciate it if you participated in a survey to assist my Research Project. I would also appreciate if you could share this with your colleagues! https://forms.gle/Kxuai4jkAq31Zcyj9

UK Survey on Method Validation for Mobile Device Forensics

Aim of Survey: To capture the consensus amongst practitioners on the availability of standards, best practice guidelines for development and use of test devices, datasets and proficiency trials to support method validation for mobile device forensics. The survey is open to anyone involved in the forensic examination and/or tool and method testi...

Hi, does anyone know if the string "--Apple-Mail-<Numbers-&-letters>" that is found in the ".emlx" file is a unique value inside the Apple Mail application?

yoyoyo dude chill down

https://sleuthkit.org/autopsy/docs/user-docs/4.5.0/ds_page.html

1

Original message was deleted or could not be loaded.

why do you need our help lad. You are indexing

5:46 AM

we cant make it faster xDDD

Apologies to anyone who was tagged aggressively by those messages. @Dyno was a little slow and this person slipped through the cracks before we had time to assign them a proper role

2

OllieD

Apologies to anyone who was tagged aggressively by those messages. @Dyno was a little slow and this person slipped through the cracks before we had time to assign them a proper role

I’ll forgive you this time Salute

1

Hi, has anybody examined Raymarine ST6002 or MLR Valsta 03 maritime GPS devices?

OllieD

Apologies to anyone who was tagged aggressively by those messages. @Dyno was a little slow and this person slipped through the cracks before we had time to assign them a proper role

Wait what? Admins actually think they have a life outside of admining?

9

Hey all, I have a colleague doing his Masters who is struggling to come up with a dissertation topic. Any recommendations for forensic based topics?

dinosaurdave

Hey all, I have a colleague doing his Masters who is struggling to come up with a dissertation topic. Any recommendations for forensic based topics?

Take a look at the topics of interest here, hope this helps! https://www.sciencedirect.com/journal/forensic-science-international-digital-investigation/about/call-for-papers

Call for papers - Forensic Science International: Digital Investiga...

Read the latest articles of Forensic Science International: Digital Investigation at ScienceDirect.com, Elsevier’s leading platform of peer-reviewed scholarly literature

Ill pass this link to him, thanks

dinosaurdave

Hey all, I have a colleague doing his Masters who is struggling to come up with a dissertation topic. Any recommendations for forensic based topics?

I wrote a paper about manipulating Google Location data. He could take it much further and consider the accuracy of all the different variables recorded and how they might be spoofed or altered https://dfir.pubpub.org/pub/d39u7lg1/release/1

Can Google Takeout Location Data Be Trusted? · DFIR Review

1

Sorry if posted already but I didn't see it.... https://www.wired.com/story/apple-ios-16-lockdown-mode/

Apple’s Lockdown Mode Aims to Counter Spyware Threats

Starting with iOS 16, people who are at risk of being targeted with spyware will have some much-needed help.

A A

Sorry if posted already but I didn't see it.... https://www.wired.com/story/apple-ios-16-lockdown-mode/

Beat me to it, will be interesting to test this on extractions

11:04 AM

https://www.apple.com/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware/

Apple expands commitment to protect users from mercenary spyware

Apple today detailed two initiatives to help protect users who may be personally targeted by sophisticated digital threats.

11:05 AM

Wired connections are blocked while iPhone is locked (edited)

Hello everyone! I'm trying to collect a Domino server and I've never run up against one before. Is it just like any other server, where I can just get a physical/logical image and then deal with the contents downstream? Or is there a problem with that approach? Unfortunately, I don't have too many details (like if it's used to host Email, or websites, or if it's just files), but I'm just wondering how the collection process might go.

A A

Sorry if posted already but I didn't see it.... https://www.wired.com/story/apple-ios-16-lockdown-mode/

Yeah we are screwed

1

DCSO

Yeah we are screwed

Not really... ask nicely for the passcode

(edited)

@Jay528 ha I wish that were the case

My guess is they will probably have some prompt to have it connect to iCloud and and verify the complex passcode vs the 6 digit pin, but who knows. (edited)

Trying to identify the chat application. Subject uses iPhone but I found bluestacks references on the machine, banner ad for Amazon across the top. Odd shape on the word bubbles (edited)

3:34 PM

I can give more context I just need to redact stuff

3:36 PM

Textme?

whee30

Trying to identify the chat application. Subject uses iPhone but I found bluestacks references on the machine, banner ad for Amazon across the top. Odd shape on the word bubbles (edited)

How are you not able to figure out the application? You have the phone.. You're obviously logged in. Very confusing post?

I don’t have the phone. It’s a screenshot on a laptop saved into a folder. The content of the message is relevant and I’m looking to see if I can send a paper to a company for more info

Ah

6:01 PM

Ok

6:02 PM

Context would be helpful

6:02 PM

Are you LE?

The shape of the word bubbles is unique and the row of buttons at the bottom might help… I’m just not finding the same setup on the apps I have

6:02 PM

Yes

Laptop in question, why does it possess a chain of custody item

6:02 PM

Can you not also obtain the phone or are you trying to be quiet?

6:03 PM

Can you also give context to the type of crime

6:03 PM

Certain pedos use X, while dealers use Y

6:03 PM

etc.

Without writing the whole report here, the phone is unavailable, the laptop was all that I had access to. All I’m trying to do is identify a chat application based on the characteristics of the icons in case someone is familiar. @conf1ck3r I will check out textme

Deleted User

Are you LE?

Look at this role. You can see it's LE [USA]. Sending paper is a way of saying serving a search warrant FYI

Andrew Rathbun

Look at this role. You can see it's LE [USA]. Sending paper is a way of saying serving a search warrant FYI

I know exactly what you meant, but I didnt bother clicking that handle

(edited)

Also, most in LE can only provide so much detail about their cases, so just understand that when trying to help LE as you may not be able to have answers to questions you have out of respect for the sensitivity of the case/people involved

Thats why Im askin context on the type of crime

6:05 PM

Also why Im being vague, I know you have to be

6:05 PM

But any context as to what the perp was doing would help slim out probable leads on the app of choice.

6:06 PM

Wanna fight in Ukraine as an example? Use telegram, etc.

6:06 PM

If you have a high quality image of the screenshot, I would isolate the icons and use a reverse image search

6:06 PM

@whee30 ^^

6:08 PM

@whee30 "had access to", if I follow this is a confiscated laptop and thus it would make sense there would perhaps be a record also of activity on that laptop perhaps of the same type of application. (edited)

Right - I get all your digging for answers… it’s a good trait to have. I’ve been there and done that on the device I have. There are devices I don’t have, what I’ve posted is what is available.

whee30

Right - I get all your digging for answers… it’s a good trait to have. I’ve been there and done that on the device I have. There are devices I don’t have, what I’ve posted is what is available.

Ok. Step 1 take that photo and slice up as clean as you can. From there use a couple reverse image engines

6:13 PM

If you get no hits, let me know and I'll spend some time checking for you.

6:13 PM

But do that at least.

6:13 PM

Spend my tax dollars good =)(

6:14 PM

1 recommend is https://tineye.com/

6:14 PM

If you do that and google... Yeah I'll help further.

@whee30 That looks like Kik to me

7

Sex then

6:54 PM

=/

abefroman

@whee30 That looks like Kik to me

Just re downloaded it, looks like it to me! Thank you for the assist.

5

Nice teamwork, all!

7

And we're back! Check out https://quiz.socvel.com for our latest weekly SocVel Cybersecurity Quiz.

SocVel Cybersecurity Quiz

Your weekly SocVel Cybersecurity Quiz. Play Now!

Forensic Friends... I am attempting to convince my unit managers to switch from EnCase to X-Ways and as a result I have been asked to prepare a document stating the benefits etc. Has anyone here ever prepared such a paper before? Or any case studies comparing the tools? My person experience with indecent image cases has shown X-Ways to be better at carving, so any comparisons of file carving would be of the utmost interest. I am of course intending to carry out tests myself and document the results, but just though I would check with the community first incase others have already done so.

A few things I would touch on is that xways is a lightweight program you can deploy from a USB in the field if needed, almost certainly less expensive (I don’t have encase), IME all of my training has mentioned encase as the old standard that has fallen out of favor (anecdotal), and without knowing your office you could possibly touch on the examiner vs the tool argument. If you’re the only examiner and you accomplish your job better with a specific tool, perhaps that’s the tool they should be buying. Lastly, we shouldn’t be relying on a single tool, if they’re stuck on encase it’s there an argument you can make for both?

We also have Axiom and Forensic Explorer licenses, so we can use them verify results etc

whee30

A few things I would touch on is that xways is a lightweight program you can deploy from a USB in the field if needed, almost certainly less expensive (I don’t have encase), IME all of my training has mentioned encase as the old standard that has fallen out of favor (anecdotal), and without knowing your office you could possibly touch on the examiner vs the tool argument. If you’re the only examiner and you accomplish your job better with a specific tool, perhaps that’s the tool they should be buying. Lastly, we shouldn’t be relying on a single tool, if they’re stuck on encase it’s there an argument you can make for both?

Thanks for your reply

Carb0hydrates

Hello everyone! I'm trying to collect a Domino server and I've never run up against one before. Is it just like any other server, where I can just get a physical/logical image and then deal with the contents downstream? Or is there a problem with that approach? Unfortunately, I don't have too many details (like if it's used to host Email, or websites, or if it's just files), but I'm just wondering how the collection process might go.

A couple of things to be mindful of in my experience: 1. You can run into encryption on many levels such as fields, documents, and databases. 2. If you preserve a running Domino server, it is possible to end up with some corrupt Notes databases in your forensic image. If the server can be stopped for imaging, this should be a non issue.

@Arman Gungor Thank you for the advice friend! I'll definitely keep my eye out!

1

dinosaurdave

We also have Axiom and Forensic Explorer licenses, so we can use them verify results etc

Axiom is awesome but the hex view is lacking. I love the combo of axiom and xways. I was just working across both programs on a case yesterday. Good luck. Here is one article with some benchmarks included: https://cloudyforensics.medium.com/encase-vs-ftk-vs-x-ways-review-2b7b075333ef

Encase vs FTK vs X-Ways Review

We’ve created a new tool to automate investigating and responding to security incidents in AWS and Azure — you can get a free trial here.

Does anyone have a favorite timeline notes tool? I can use Google's or visio for report writing but would like something I can add events to as I go and then review as part of my work flow.

CyberChef incremented like 8 versions (and counting) today so far, be sure to update your local copies! https://github.com/gchq/CyberChef/blob/master/CHANGELOG.md

CyberChef/CHANGELOG.md at master · gchq/CyberChef

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis - CyberChef/CHANGELOG.md at master · gchq/CyberChef

5

Andrew Rathbun

CyberChef incremented like 8 versions (and counting) today so far, be sure to update your local copies! https://github.com/gchq/CyberChef/blob/master/CHANGELOG.md

plist and LZString support? Hell yeah

6

Hi everyone, I'm reading about NAT in GeeksforGeeks and came across this sentence, If NAT runs out of addresses, i.e., no address is left in the pool configured then the packets will be dropped and an Internet Control Message Protocol (ICMP) host unreachable packet to the destination is sent. But how can NAT run out of addresses? I thought the whole point of NAT was to translate private ipv4 addresses into one or various public ipv4 addresses. What do they mean then with this statement? Is it referring to how NAT is configured and how many devices need a public IPv4 address? (i.e. for a given network NAT can only provide 2 public IPv4 addresses but there are 3 devices that require their own public IPv4 address)? (edited)

whee30

Click to see attachment 🖼️

The read symbol looks alot like KiK I am not sure if you can customize the bubbles. It might be worth looking at.

degent_

Hi everyone, I'm reading about NAT in GeeksforGeeks and came across this sentence, If NAT runs out of addresses, i.e., no address is left in the pool configured then the packets will be dropped and an Internet Control Message Protocol (ICMP) host unreachable packet to the destination is sent. But how can NAT run out of addresses? I thought the whole point of NAT was to translate private ipv4 addresses into one or various public ipv4 addresses. What do they mean then with this statement? Is it referring to how NAT is configured and how many devices need a public IPv4 address? (i.e. for a given network NAT can only provide 2 public IPv4 addresses but there are 3 devices that require their own public IPv4 address)? (edited)

It means if NAT runs out of Private IP addresses. For example, if you set up NAT to use a 192.168.0.0/27 subnet you only have 30 private host IPs available for the one Public IP address. If there are 31 devices connected to that LAN at the same time all trying to use the same Public IP address then packets would be dropped.

NAT itself doesn’t ‘run out of’ addresses though. It’s simply mapping source/dest IP with source/dest port. If you exhaust the NAT table you wouldn’t be able to map additional connections, or if you had more than ~65,000 connections from a single internal host. If you consider your example about having a /27 subnet, that’s a relatively small office setup which may have a single internet connection/public IP. Are you saying 30 hosts wouldn’t be able to access the internet at the same time? What am I missing? Am I caffeine deprived?

I think that would be the difference between NAT and PAT. https://techdifferences.com/difference-between-nat-and-pat.html

Neha T

Difference Between NAT and PAT (with Comparison Chart, Advantages a...

The main difference between NAT and PAT is that NAT is used to map public IP addresses to private IP addresses, it could be a one-to-one or many-to-one relation. On the other hand, PAT is a type of NAT where the multiple private IP addresses are mapped into a single public IP (many-to-one) by using ports.

Halp! Do you know of, prefer, or maintain any blueteam-oriented repos of GPOs/ADMX files? Would LOVE to know about them! https://twitter.com/rj_chap/status/1545567139037229056

Ryan “Chaps” Chapman (@rj_chap)

Which repos of GPOs (ADMX) specific to #cybersecurity/#cyberdefense do you like? We #DFIR folks recommend Credential+Exploit Guard, LAPS, class handlers for bat/js/ps1 > notepad.exe, and more. Let's share examples! https://t.co/ufELejuy7i https://t.co/zDFX7Gm2HT @SwiftOnSecurity

dinosaurdave

Forensic Friends... I am attempting to convince my unit managers to switch from EnCase to X-Ways and as a result I have been asked to prepare a document stating the benefits etc. Has anyone here ever prepared such a paper before? Or any case studies comparing the tools? My person experience with indecent image cases has shown X-Ways to be better at carving, so any comparisons of file carving would be of the utmost interest. I am of course intending to carry out tests myself and document the results, but just though I would check with the community first incase others have already done so.

I believe Eric Zimmerman put together a side by side comparison of suites a few years back. May want to use that as a jumping point to formulate an up to date argument, along with whatever feedback you get from this group

HeavyVin

Does anyone have a favorite timeline notes tool? I can use Google's or visio for report writing but would like something I can add events to as I go and then review as part of my work flow.

Timesketch has stories. https://medium.com/timesketch/timesketch-2016-7-db3083e78156

Timesketch stories

Timesketch is an open source collaborative timeline analysis tool (source code) for for digital forensics and incident response. Using…

luis511_

I believe Eric Zimmerman put together a side by side comparison of suites a few years back. May want to use that as a jumping point to formulate an up to date argument, along with whatever feedback you get from this group

@dinosaurdave https://binaryforay.blogspot.com/p/other-stuff.html

Other stuff

Random links and other stuff Imaging speed tests My imaging speed test results can he found here Forensic programs testing My test...

1

Andrew Rathbun

@dinosaurdave https://binaryforay.blogspot.com/p/other-stuff.html

Interesting stuff! Wonder if he's done any comparisons recently as both have had some severe updates

Hi everyone, I have a situation where there was a break in and as part of break in robbers disconnected the G-pon terminal, is there a way to timestamp that event through ISP or any other means thanks.

what are the 5 frameworks used for digital forensic process

Rajeshwari

what are the 5 frameworks used for digital forensic process

.. (edited)

1

9:01 AM

like these or?

There's more than 5. But they're mostly all variations of the same thing

jaspatocat

Hi everyone, I have a situation where there was a break in and as part of break in robbers disconnected the G-pon terminal, is there a way to timestamp that event through ISP or any other means thanks.

Not my area of expertise but is there any chance there's connected devices that log networking failures?

Hi everyone, i'm wondering if anyone has any entry-level project ideas for a summer project - i'm a student so don't have access to costly tools, but would definitely love to challenge myself, cheers

Elliott

Hi everyone, i'm wondering if anyone has any entry-level project ideas for a summer project - i'm a student so don't have access to costly tools, but would definitely love to challenge myself, cheers

Can you code? If so, which language(s)?

Andrew Rathbun

Can you code? If so, which language(s)?

I can code in Python, would only say beginner level though

Elliott

I can code in Python, would only say beginner level though

Pick a popular endpoint application (Dropbox, google drive, chat apps, whatever) Do some testing about what you can find (plus google a lot) Write tool to decode and present the data For reference see OneDriveExplorer by Brian Maloney @Beercow

7:28 AM

(this is me definitely not mentioning two tools by name that primarily have sqlite databases and text based Configs that should be easily understandable and Id like timeline and information gathering parsers for)

randomaccess

Pick a popular endpoint application (Dropbox, google drive, chat apps, whatever) Do some testing about what you can find (plus google a lot) Write tool to decode and present the data For reference see OneDriveExplorer by Brian Maloney @Beercow

That's great i'll look into that and have a go thank you!

randomaccess

Pick a popular endpoint application (Dropbox, google drive, chat apps, whatever) Do some testing about what you can find (plus google a lot) Write tool to decode and present the data For reference see OneDriveExplorer by Brian Maloney @Beercow

Or if you are still not comfortable with writing the tools, document your findings. Research is STILL so important as it adds to our collective understanding. Tools can always come later as well

5

as per Mr SwearyVaynerchuk, maybe document something you do already and trace the install/artefacts/uninstall/deleteds and such, maybe if you torrent or smnthn (edited)

Thanks for all your help guys! Will be giving all that a good crack!

Can anyone with experience successfully serving a warrant to ProtonMail please share your experience. Feel free to DM, thanks.

Deleted User

Can anyone with experience successfully serving a warrant to ProtonMail please share your experience. Feel free to DM, thanks.

Not a warrant, but in general their LE approach is hard work and I found it likegetting getting blood from of a stone.

Rob

Not a warrant, but in general their LE approach is hard work and I found it likegetting getting blood from of a stone.

Thanks. Figured as much. Any advice on the right approach that got you that blood from said stone?

Deleted User

Thanks. Figured as much. Any advice on the right approach that got you that blood from said stone?

I had a single email reply from I believe their abuse email address to speak to their legal team whom then never replied and I then had no further replies.

10:59 PM

The way we got around it in a case of ours, the suspect was cooperative and once you have the password it's easyish mode to download

11:00 PM

Can't download the account in bulk via pop3/imap if it's a free account so we had to upgrade the account.

Rob

The way we got around it in a case of ours, the suspect was cooperative and once you have the password it's easyish mode to download

Thanks Rob. My task is a bit more daunting since the subject is unknown. Appreciate the response

Aha, best of luck!

11:02 PM

Should be possible from what I've heard/been told so I would imagine their dealings with official subpoenas etc are likely to be better than their email replying skills.

1

Does anyone have some prebuilt keyword/regex lists to use when processing different types of cases? I have one for CSAM cases, but I am looking for ones that can be used on drug cases, ID theft, etc.

FullTang

Does anyone have some prebuilt keyword/regex lists to use when processing different types of cases? I have one for CSAM cases, but I am looking for ones that can be used on drug cases, ID theft, etc.

https://www.dfir.training/search-term-lists

Search Term Lists - DFIR Training

digital forensics

1

My Google-Fu failed me. Thanks!

Best resource I have. If you wanna GitHub a wordlist for drugs or something else, let me know and we'll spin up a repo!

2

I've seen an Excel sheet that shows which artifact is available on Server or Workstations but I can't find it anymore. Does anyone know such a matrix?

Cyb3rMonk

I've seen an Excel sheet that shows which artifact is available on Server or Workstations but I can't find it anymore. Does anyone know such a matrix?

for program execution artefacts?

5:19 AM

https://blog.1234n6.com/2018/10/available-artifacts-evidence-of.html

Available Artifacts - Evidence of Execution

UPDATED 2019-01-04 This week I have been working a case where I was required to identify users on a Windows Server 2003 system who h...

yeah, this was the one. Thanks!

5:20 AM

hmm, is there something similar for network, and other activities?

not that im aware of if you think it would be useful you can probably get some folks here to help you compile it

I'll think about it. Just dumping ideas at the moment

Hey all weird question, but just wanted to see if I could get some input. In regards to MAC times... is the "Created" time updated when the file is saved or when the file is changed?

attackd0gz

Hey all weird question, but just wanted to see if I could get some input. In regards to MAC times... is the "Created" time updated when the file is saved or when the file is changed?

might be quicker just testing it?

1:13 PM

without googling, i'd go for Saved else there'd be a disparity later if it was changed and then not saved?

Ok, here is my usual answer. It depends

I have a file that the MAC times are in this order: Created: Jan 13 2021 2:30 AM Modified: Oct 1 2020 Accessed: Jan 12 2021 At first glance, I thought the file was copied, because in that operation, mod time is preserved, but then shouldn't the Create and Access time be the same date?

Digitalferret

might be quicker just testing it?

You right

3

attackd0gz

I have a file that the MAC times are in this order: Created: Jan 13 2021 2:30 AM Modified: Oct 1 2020 Accessed: Jan 12 2021 At first glance, I thought the file was copied, because in that operation, mod time is preserved, but then shouldn't the Create and Access time be the same date?

also, and alluded to by dsplice image - this example is on windows OS? (edited)

1:34 PM

my understanding is that Created time is when the file lands on <your> system

Yes Windows

so, the file could have been accesses (read) on the 12th and copide/moved to 'that' system on the 13th

1:36 PM

i'll be honest, MAC times have always bent my head, and splices chart made it hurt even more

Hahaha. Same here. I would assume the copy operation would then update the access time as well. I hate MAC times now that I am thinking about it again

"Test 5 - Move a file to another location in the same volume, drag-n-drop, via the Windows Explorer shell" might be a good one to test http://windowsir.blogspot.com/2014/07/file-system-ops-effects-on-mft-records.html?m=1

File system ops, effects on MFT records

I recently conducted some testing of different actions on a Windows 7 system, with the specific purpose of identifying artifacts within the ...

2:28 PM

Something like X-Ways will also let you read the MAC times from both $Standard_Information and $Filename attributes which can be really helpful in figuring out what's going on

2

Ross Donnelly

Something like X-Ways will also let you read the MAC times from both $Standard_Information and $Filename attributes which can be really helpful in figuring out what's going on

MFTECmd too! I just wrote a blog post series covering doing this exact timestamp analysis. https://www.kroll.com/en/insights/publications/cyber/anti-forensic-tactics/detecting-analyzing-timestomping-with-kape

Anti-Forensic Techniques – Detecting and Analyzing Timestomping wit...

Timestomping can be detected by using a combination of KAPE, timeline explorer and MFTECmd. Learn more

2

Hi all. I’ve got a file which contains illegal characters and im unable to remove/rename/delete the file. I’ve tried using ROBOCOPY, powershell etc. but it says access denied, any idea on how I can get rid of it?

obi95

Hi all. I’ve got a file which contains illegal characters and im unable to remove/rename/delete the file. I’ve tried using ROBOCOPY, powershell etc. but it says access denied, any idea on how I can get rid of it?

maybe with fastcopy. or else boot a live linux?

leifsoren

maybe with fastcopy. or else boot a live linux?

can also maybe try TeraCopy

obi95

Hi all. I’ve got a file which contains illegal characters and im unable to remove/rename/delete the file. I’ve tried using ROBOCOPY, powershell etc. but it says access denied, any idea on how I can get rid of it?

left-field but maybe give Iobit unlocker https://www.iobit.com/en/iobit-unlocker.php a go, see if it enables the file for action

8:02 AM

there's also Unlocker for Windows 1.92 https://filehippo.com/download_unlocker/ . I've successfully used both before

Anyone familiar with what I assume is a Developer Scoped UUID (Apple)? We did a request to binance and they responded with some UUID's for devices. Just trying to see the best way to word the legal process to apple.

A new SocVel Cybersecurity Quiz is out! (W18) In this week's quiz, we cover everything from SQL servers getting popped to crypto hacks being topped. From cars being remotely hacked to ransomware having the education sector on its back. And much more! https://quiz.socvel.com

SocVel Cybersecurity Quiz

Your weekly SocVel Cybersecurity Quiz. Play Now!

I think someone had previously mentioned this but things to look forward to when encountering iOS 16 https://www.theverge.com/2022/7/6/23196978/apple-lockdown-mode-security-hacking-pegasus-macos-ios-ipados

Apple’s new feature adds ‘extreme’ protection to your devices

Protection against ‘state-sponsored mercenary spyware’

@Law Enforcement [UK] Does anyone have a keyword list that they may run on suicide jobs?

Rob

@Law Enforcement [UK] Does anyone have a keyword list that they may run on suicide jobs?

Colleague of mine created one, I’ll see if I can dig it out. DM me your email and if I find it I’ll send it over.

1

rojo

Colleague of mine created one, I’ll see if I can dig it out. DM me your email and if I find it I’ll send it over.

If you find it, could I possibly have a copy as well?

rojo

Colleague of mine created one, I’ll see if I can dig it out. DM me your email and if I find it I’ll send it over.

I know I am on the other side of the pond but could you send a copy my way?

@obi95 @FullTang Yes to both, DM your emails across and I’ll send it over. I just found it - it’s by no means extensive and is a few years old now so the websites listed may not be current anymore but it might hopefully be a good starting point at least.

3

stark4n6

Got some test images, tools and processes listed here https://startme.stark4n6.com

This is great!

1

B@man

This is great!

Hope you find it useful

What’s the general consensus on Sumuri Talino forensic laptops. Are they worth it if you’re going for a forensic workstation in a laptop form factor?

https://sumuri.com/product/talino-ka-l-alpha/

TALINO KA-L Alpha : SUMURI

The SUMURI TALINO KA-L Alpha is an extremely portable forensic Laptop specifically designed to perform faster than most desktop forensic workstations. The TALINO KA-L Alpha packs a tremendous amount of power in a small thin form factor. Like all of our other products, the KA-L Alpha is customizable to suit your needs and comes with our standard...

Fierry

What’s the general consensus on Sumuri Talino forensic laptops. Are they worth it if you’re going for a forensic workstation in a laptop form factor?

https://sumuri.com/product/talino-ka-l-alpha/

Seems expensive for the specs. Only viable if you're triaging on scene etc.

1

@Fierry I have one in the lab. the laptop works with 2 power supplies. Both power supplies must be connected for the battery to be powered. I find the laptop too big and cumbersome at the scene of a search warrant. There are a lot of unnecessary options like the colors of the keyboard and around the laptop. But in the lab the performance is there. Includes a powerful video card. I have a rtx3080 inside. But for the price, you can get more for less. (edited)

1

That’s what I was thinking as well. I was finding different similarity specked laptops far below the offered price point

https://twitter.com/shodanhq/status/1548472517731311620?t=5Y3Vpi2fEABqYt0U7k2WnA&s=19 Skip a trip to McDonald's and grab this for yourself today only!

Shodan (@shodanhq)

The Shodan Membership is on sale now for $5 until the end of Sunday, July 17th (GMT): https://t.co/0iqiq2MWrn

Likes

1473

Retweets

889

8

Hey guys Could anyone share any threat hunting reporting template, I would be really grateful ❤️

Andrew Rathbun

https://twitter.com/shodanhq/status/1548472517731311620?t=5Y3Vpi2fEABqYt0U7k2WnA&s=19 Skip a trip to McDonald's and grab this for yourself today only!

they only take credit cards

PS

they only take credit cards

And debit cards

Andrew Rathbun

https://twitter.com/shodanhq/status/1548472517731311620?t=5Y3Vpi2fEABqYt0U7k2WnA&s=19 Skip a trip to McDonald's and grab this for yourself today only!

And remember that if you're a student you can request a free academic upgrade! https://help.shodan.io/the-basics/academic-upgrade

2

Ooof thanks @DeeFIR 🇦🇺, seen after I already went the $5 route but I'll share this with my uni mates

nem'n'nem (nemz)

Ooof thanks @DeeFIR 🇦🇺, seen after I already went the $5 route but I'll share this with my uni mates

You still get more

like being able to use the vuln tag..

DeeFIR 🇦🇺

And remember that if you're a student you can request a free academic upgrade! https://help.shodan.io/the-basics/academic-upgrade

Thanks m8.

Amazing, I look forward to checking it out, cheers

Hello, I was wondering if any of you encountered the problem of a windows vm not booting, after you resize the virtual disk and the snapshots as well. I did the resize on another VM (also with the snapshots) and works perfectly fine but on this one it just keeps restarting. The hypervisor is VirtualBox.

ZetLoke77

Hello, I was wondering if any of you encountered the problem of a windows vm not booting, after you resize the virtual disk and the snapshots as well. I did the resize on another VM (also with the snapshots) and works perfectly fine but on this one it just keeps restarting. The hypervisor is VirtualBox.

Also used gparted as a live boot cd, allocated the unallocated space to the partition but still no results. (edited)

Fierry

What’s the general consensus on Sumuri Talino forensic laptops. Are they worth it if you’re going for a forensic workstation in a laptop form factor?

https://sumuri.com/product/talino-ka-l-alpha/

We think they're pretty great, but if you have a specific spec or budget to hit, we're known for working with people as needed. Please DM me if you need anything!

ZetLoke77

Hello, I was wondering if any of you encountered the problem of a windows vm not booting, after you resize the virtual disk and the snapshots as well. I did the resize on another VM (also with the snapshots) and works perfectly fine but on this one it just keeps restarting. The hypervisor is VirtualBox.

Had the exact same issue today

No idea why my primary partition would not expand. Busy re-installing after it failed to reboot and don’t have the patience to deal with Windows.

Any free tools for orphaned OST recovery or are they all paid?

9:08 AM

I don't mind paying again just curious if I was missing one that was out there

Any tools recommended to pull data from the HxStore.hxd and then export it to a PST/OST?

FX_Tymills

Any free tools for orphaned OST recovery or are they all paid?

Im fairly certain FTK imager will highlight orphaned files and folder. If you try it and it works I would love to know.

Deleted User

Had the exact same issue today

No idea why my primary partition would not expand. Busy re-installing after it failed to reboot and don’t have the patience to deal with Windows.

Yes windows is a real pain. I will try tonight to do a repair with an ISO image of win10 to see if it works. With chkdsk from the console didn't work as well. It said that the partition was read only... And clearing the attributes of read-only was not possible unfortunately

1

MrMacca (Allan Mc)

Any tools recommended to pull data from the HxStore.hxd and then export it to a PST/OST?

Latest versions of Axiom are supposed to support this, and can export to PST, but haven't tried it myself

@Ross Donnelly It does, however it removes the senders Email address at the moment, which I'm trying to retain. Magnet are looking into it as we speak Salute

MrMacca (Allan Mc)

@Ross Donnelly It does, however it removes the senders Email address at the moment, which I'm trying to retain. Magnet are looking into it as we speak Salute

Who needs the sender anyway....

Anyone in here from Germany? I am looking to emigrate after college, but I want to make sure DF is somewhat in demand over there.

Deleted User

Had the exact same issue today

No idea why my primary partition would not expand. Busy re-installing after it failed to reboot and don’t have the patience to deal with Windows.

Startup repair didn't work either

is this where i would ask regarding exif data ?

ZetLoke77

Startup repair didn't work either

Every day is a Monday with Windows

I am still rebuilding my VM.

Deleted User

Every day is a Monday with Windows

I am still rebuilding my VM.

Unfortunately I will have to do it as well. Next time when doing labs I will try to get enough storage capacity so I won't need to resize again :)))

1

rojo

Colleague of mine created one, I’ll see if I can dig it out. DM me your email and if I find it I’ll send it over.

Can I have one too?

CCC

Can I have one too?

Sure, send me your email and I’ll send it over

greggert

is this where i would ask regarding exif data ?

only one way to find out

Fierry

What’s the general consensus on Sumuri Talino forensic laptops. Are they worth it if you’re going for a forensic workstation in a laptop form factor?

https://sumuri.com/product/talino-ka-l-alpha/

Idk , seems like an unbranded Older MSI , nothing special about the specs tbh, I do see that they charge $6000+ for a $600 Mac Mini M1 so I don’t know if their software is really wicked or? Seems like a lot of money for nothing tbh (edited)

Just encountered an HDD which Windows doesnt see and it says it is like 0 bytes capacity. No problem viewing it in Linux, but when I try to delete some folders it says the file-system is read-only. Tried to solve the problem by using the remount option with read and write permissions or by specifying the file system ntfs-3g but it didn't work. Any idea how I can delete some of its contents taking in consideration this situation? (edited)

ZetLoke77

Just encountered an HDD which Windows doesnt see and it says it is like 0 bytes capacity. No problem viewing it in Linux, but when I try to delete some folders it says the file-system is read-only. Tried to solve the problem by using the remount option with read and write permissions or by specifying the file system ntfs-3g but it didn't work. Any idea how I can delete some of its contents taking in consideration this situation? (edited)

windows (your OS or the source system) might need to "release it" with a clean/full shutdown. force that in Windows by keeping the Shift key held down and using Shutdown also maybe check the power settings to see if it or any other drives have Power Button does <everything but shutdown> (sleep/hibernate ) etc (edited)

6:20 AM

and just to ask Windows doesnt see and it says it is like 0 bytes capacity - if windows can't see it... howso it reports zero bytes

Digitalferret

and just to ask Windows doesnt see and it says it is like 0 bytes capacity - if windows can't see it... howso it reports zero bytes

I wanted to say it doesn't see the content....my bad man. I will try what you said... Thanks

1

ZetLoke77

Just encountered an HDD which Windows doesnt see and it says it is like 0 bytes capacity. No problem viewing it in Linux, but when I try to delete some folders it says the file-system is read-only. Tried to solve the problem by using the remount option with read and write permissions or by specifying the file system ntfs-3g but it didn't work. Any idea how I can delete some of its contents taking in consideration this situation? (edited)

How do you connect the disk? Any external ports like USB?

Fierry

How do you connect the disk? Any external ports like USB?

Via SATA. It is an internal HDD.

You might want to try initializing it using the Windows Disk Management snap in

is anyone a wizard with the new @Griffeye html formats where i want to add a custom column to the html? (edited)

7:18 AM

Just wanna add the LensModel section (which shows it being taken with back camera)

Fierry

You might want to try initializing it using the Windows Disk Management snap in

you sure about that? he has files on there

Ah apologies, I made a mix up, I meant turning the disk offline/online

I already miss my snack times from SANS last week

1

was interested in exif codes through hexdump, i don’t understand how the math works from https://exiftool.org/TagNames/EXIF.html tags to tags on hexdump -c of a image

11:13 AM

for example a hexdump of a image with a sony make leads to this]

11:13 AM

0000-00a0: ac 00 00 00-54 02 00 00-53 4f 4e 59-00 00 48 44 ....T... SONY..HD

11:13 AM

but the "tag" for it is

11:13 AM

0x010f

11:14 AM

I want to make a parser but I dont fully understand it

11:17 AM

https://github.com/ianare/exif-samples/blob/master/jpg/Sony_HDR-HC3.jpg

exif-samples/Sony_HDR-HC3.jpg at master · ianare/exif-samples

Sample images for testing Exif metadata retrieval. - exif-samples/Sony_HDR-HC3.jpg at master · ianare/exif-samples

11:17 AM

This is the image I was referring to

greggert

0000-00a0: ac 00 00 00-54 02 00 00-53 4f 4e 59-00 00 48 44 ....T... SONY..HD

maybe read around : https://en.wikipedia.org/wiki/Exif Problems | Technical. some Maker notes / tags . but in general, go to as many different technical resources as possible, and pool the data to make your own understanding of it. beware also that some notes are proprietory

11:35 AM

also : https://exiftool.org/TagNames/Sony.html

ive looked around a lot, the main thing i want to understand is just how to get to 0000-00a0 from 0x010f

rubber duck me. what is 0000-00a0

its just the tag in the hexdump (edited)

11:44 AM

the hexdump i used displayed it weird

11:44 AM

one sec lemme see if i cna find another

11:44 AM

i believe there normally isnt dashs

000090 my bad

11:54 AM

is the tag where sony would be

greggert

0000-00a0: ac 00 00 00-54 02 00 00-53 4f 4e 59-00 00 48 44 ....T... SONY..HD

000090 or even 0000-00a0 is the address or hex displacement / offset

12:02 PM

The standard defines a MakerNote tag, which allows camera manufacturers to place any custom format metadata in the file. This is used increasingly by camera manufacturers to store camera settings not listed in the Exif standard, such as shooting modes, post-processing settings, serial number, focusing modes, etc. As the tag contents are proprietary and manufacturer-specific, it can be difficult to retrieve this information from an image or to properly preserve it when rewriting an image. Manufacturers can encrypt portions of the information; for example, some Nikon cameras encrypt the detailed lens data in the MakerNote data.

(edited)

12:03 PM

Sony Tags
The following information has been decoded from the MakerNotes of Sony cameras. Some of these tags have been inherited from the Minolta MakerNotes.

12:04 PM

MakerNote data
The "MakerNote" tag contains image information normally in a proprietary binary format. Some of these manufacturer-specific formats have been decoded:

12:06 PM

description : https://www.media.mit.edu/pia/Research/deepview/exif.html

12:12 PM

unless there's anyone else here who has explicit knowledge of the actual structure of exif/Makernotes a nd decoding etc, you might get more return in a Image/Graphics specific forum/group. i'd hazard a gues that most here just actually use the output data of the applications rather than DIY it from raw data

Digitalferret

unless there's anyone else here who has explicit knowledge of the actual structure of exif/Makernotes a nd decoding etc, you might get more return in a Image/Graphics specific forum/group. i'd hazard a gues that most here just actually use the output data of the applications rather than DIY it from raw data

yeah thats kinda what i was looking for when i found this server

greggert

yeah thats kinda what i was looking for when i found this server

you might be confusing the actual hex address with the offset from where Exif starts?

very possible , i still dont exactly follow lol

12:40 PM

i dont know why exif is so difficult for me to follow

im doing this on the hoof too

12:42 PM

cant g'tee how far Ill get, but i'll open a thread, save filling GenDisc

Here's a good question for DF - what's something that you technically understand, but still seems a bit like magic? I'd say public key encryption - I still find it incredible that you can negotiate a secure channel over the public internet without anyone being able to eavesdrop.

1

Ross Donnelly

Here's a good question for DF - what's something that you technically understand, but still seems a bit like magic? I'd say public key encryption - I still find it incredible that you can negotiate a secure channel over the public internet without anyone being able to eavesdrop.

1's and 0's and hex and all that crazy stuff going on underneath the hood with computers and mobile devices

3

Ross Donnelly

Here's a good question for DF - what's something that you technically understand, but still seems a bit like magic? I'd say public key encryption - I still find it incredible that you can negotiate a secure channel over the public internet without anyone being able to eavesdrop.

The shear speed at which all encoding and processing operations are performed. It’s one thing to know exactly how data is stored and transmitted, but to know those operations are literally performed BILLIONS of times per SECOND (GHz) with minimal to no errors is just baffling to me.

1

Is anyone familiar with what ‘onlineuser’ might be in terms of windows user events (4648) or SMB user activity? I thought it referred to the currently logged in user but I cannot find anything to support that.

2:13 PM

*anything to support meaning documentation or KB articles etc.

Ross Donnelly

Here's a good question for DF - what's something that you technically understand, but still seems a bit like magic? I'd say public key encryption - I still find it incredible that you can negotiate a secure channel over the public internet without anyone being able to eavesdrop.

Why someone thought it was a good idea to make sand think with lightning

2

Just for getting other opinions... recommendations for laptops for DFIR?

B@man

Just for getting other opinions... recommendations for laptops for DFIR?

Cores and RAM! SSDs! We use Sager at Kroll but there are plenty of other good options.

1

B@man

Just for getting other opinions... recommendations for laptops for DFIR?

We use HP Zbook's for laptops in the field. Haven't had an issue with them so far (knock on wood) https://www.hp.com/us-en/workstations/mobile-workstation-pc.html

Z Mobile Workstation PCs - Z by HP

HP most powerful, most secure mobile workstation PCs, designed and built for high-performance computing, allowing you to process large amounts of data, or render 3D graphics and videos

2

Carcino

Im fairly certain FTK imager will highlight orphaned files and folder. If you try it and it works I would love to know.

When I say orphaned here I just mean the OST is orphaned from Outlook, if the profile was active in outlook I could just export to a PST myself

FX_Tymills

When I say orphaned here I just mean the OST is orphaned from Outlook, if the profile was active in outlook I could just export to a PST myself

Ah ok, I don't have experience with that, good luck!

1

There are OST viewers out there. Javed used one by Kernel with good success

Tcisaki

There are OST viewers out there. Javed used one by Kernel with good success

same here, worked ok for me, but if i remember right (been a while) there must be a current/working/valid installation of Outlook on the machine that will be reading the recovered items

Digitalferret

same here, worked ok for me, but if i remember right (been a while) there must be a current/working/valid installation of Outlook on the machine that will be reading the recovered items

If you export items yes. To just view, no. Also libpff works good under Linux

1

has anyone been able to install and or fix a cracked screen on an iPhone WITHOUT power off the phone to ensure we don't lose AFU ?

@DCSO what model?

Hello team! Looking at starting up a personal DF Cellex gig. I am looking for a mentor to assist with some of the business details to bounce off once and a while.

Original message was deleted or could not be loaded.

There's not enough information here. How would someone from this server assist? I'm assuming whoever would potentially volunteer wouldn't work for your company so....how can they assist? Genuinely curious.

B@man

Just for getting other opinions... recommendations for laptops for DFIR?

I’ve been eyeing one of the Asus g15 laptops with a r9 and RAID 0 NVMe to match my workstation… maybe not the best idea to do RAID 0 on a laptop but :IOPs

1

@Andrew Rathbun From the business side I am wondering how they interact with clients. My background is nearly exclusive Mil & LE side the interactions are much different. I'm basically looking for someone to connect with and provide some clarity in this realm. (edited)

Sager/clevo is good tho as mentioned and has loads of@options

A good lecture on iOS device security from MIT, covers most things including checkra1n. PAC didn't get a mention though. https://www.youtube.com/watch?v=Fs3EghQRmAs

Nickolai Zeldovich

6.S060 Fall 2021 Lecture 18: Case study: iOS security

1

DCSO

has anyone been able to install and or fix a cracked screen on an iPhone WITHOUT power off the phone to ensure we don't lose AFU ?

I don't think I've tried that but at least some models it was just a single connection and the first you'd disconnect so you wouldn't have to power it off. But I'd test it first. Not sure whether the replacement touch ID might caught dramas (so you'd have to switch that too) and not sure if losing its connection to touchid would cause a problem

randomaccess

I don't think I've tried that but at least some models it was just a single connection and the first you'd disconnect so you wouldn't have to power it off. But I'd test it first. Not sure whether the replacement touch ID might caught dramas (so you'd have to switch that too) and not sure if losing its connection to touchid would cause a problem

I guess it sounds like we will have to test this out first, now just have to find an iPhone 11 to play with

Has anyone gone through the process of building a Faraday lab recently (last couple of years)? Either as a renovation or new build, or even as room within a room? I'm just looking for some very general info at this point, reputable vendors to consider, and ballpark pricing we might be looking at.

And a new SocVel Cybersecurity Quiz is out! https://socvel.com/quiz

Quiz - SocVel.com

The SocVel Cybersecurity Quiz [w19]Your Weekly Cybersecurity Quiz!Following a recent push to move public services to online platforms, which country's government was forced to take its websites offline following a cyberattack?SEKOIA IO researchers covered a smishing campaign targeting users in France. What credentials did it aim to steal from iP...

1

Darn developers.... Making a new version of a tool, not a problem. Deprecating the old one without notice, making users have to switch, AND changing around your standard option parameters is NOT cool! Time to fix a bunch of automation

Question for the UK residents: A Hutchinson 3G SIM card - can a person get one over the counter without providing any form of ID? Jump through any hoops to get the SIM? Thanks

Fellow forensicators, i'm proud to announce FEX-LAB. https://getdataforensics.com/product/fex-lab/ (edited)

11:16 PM

A short video showing how it works: https://www.youtube.com/watch?v=Ch5nou0Exd4

Forensic Explorer

FEX LAB - Hash Match Random Sample Report

What is the solution Samsung devices support forensic software How is MDM installed on them that does not allow to enter download mode

Deleted User

Question for the UK residents: A Hutchinson 3G SIM card - can a person get one over the counter without providing any form of ID? Jump through any hoops to get the SIM? Thanks

Yes, you can purchase a 'Pay as you go Sim card' over the counter. Most providers also offer an options for individuals to 'top up' (pay for phone credits) anonymously (edited)

DE

Yes, you can purchase a 'Pay as you go Sim card' over the counter. Most providers also offer an options for individuals to 'top up' (pay for phone credits) anonymously (edited)

As I suspected, thank you.

Hello all, I currently have an Apple iPhone X which will not power on. I have changed the screen, battery and charger port. I have identified that when I plug in the device to a external power supply and power monitor that it device will go to 0.50a and then straight back to 0.00 and will continuisly keep doing that. Any help or advice to diagnose the problem would be greatly appreciated.

Dr. Kaan Gündüz

Fellow forensicators, i'm proud to announce FEX-LAB. https://getdataforensics.com/product/fex-lab/ (edited)

Nice, this looks good. I'm always a fan of distributed processing. Do you know when RRP pricing will be made public?

very soon i hope

Hello all, a while ago I started to design and build a PoC regarding an increase in read/write performance with a new forensic file format. The PoC resulted in the specification of a first than a second improved version of a new file format for forensic images "zff" - as an alternative to the meanwhile quite outdated EWF, AFF, ... formats. Zff has the potential (depending on the input data) to provide significant speed increase (see benchmarks at https://github.com/ph0llux/zff). Furthermore, zff offers a massively expanded feature set:

physical and logical dumps
multiple dumps (both logical and physical) in one container keeping related evidence together
extension of existing containers (with both logical and physical dumps)
hashing algorithms used for integrity purposes considered most secure, fast and modern at the moment
optional data encryption (even partially, if desired) (for security purposes).
optional digital signature of stored data (for authenticity purposes; using a public-private key method).
great flexibility when adding descriptions to cases
and much more

The documentation of the file format can be found at https://zff.dev (website is work in progress). I've written also a reference implementation to create, analyze and handle files in zff format. The library is written in Rust and can be found at https://github.com/ph0llux/zff. You can try it out yourself using the tools zffacquire, zffmount and zffanalyze (see the github link). We've tested the tools ourselves, but if you find any errors in the reference library, please open a github issue.

Zff

Zff is a completly new designed forensic file format.

7

ph0llux

Hello all, a while ago I started to design and build a PoC regarding an increase in read/write performance with a new forensic file format. The PoC resulted in the specification of a first than a second improved version of a new file format for forensic images "zff" - as an alternative to the meanwhile quite outdated EWF, AFF, ... formats. Zff has the potential (depending on the input data) to provide significant speed increase (see benchmarks at https://github.com/ph0llux/zff). Furthermore, zff offers a massively expanded feature set:

physical and logical dumps
multiple dumps (both logical and physical) in one container keeping related evidence together
extension of existing containers (with both logical and physical dumps)
hashing algorithms used for integrity purposes considered most secure, fast and modern at the moment
optional data encryption (even partially, if desired) (for security purposes).
optional digital signature of stored data (for authenticity purposes; using a public-private key method).
great flexibility when adding descriptions to cases
and much more

The documentation of the file format can be found at https://zff.dev (website is work in progress). I've written also a reference implementation to create, analyze and handle files in zff format. The library is written in Rust and can be found at https://github.com/ph0llux/zff. You can try it out yourself using the tools zffacquire, zffmount and zffanalyze (see the github link). We've tested the tools ourselves, but if you find any errors in the reference library, please open a github issue.

Very cool! It looks like you covered macb times. I was wondering if it would be possible to accommodate both $STANDARD_INFORMATION and $FILE_NAME NTFS timestamps within a logical container.

Arman Gungor

Very cool! It looks like you covered macb times. I was wondering if it would be possible to accommodate both $STANDARD_INFORMATION and $FILE_NAME NTFS timestamps within a logical container.

Zff is very flexible at this point. You can add more file related metadata via "file metadata extended information" (https://zff.dev/docs/header_layout/#file-metadata-extended-information).

ph0llux

Zff is very flexible at this point. You can add more file related metadata via "file metadata extended information" (https://zff.dev/docs/header_layout/#file-metadata-extended-information).

That's good to know! If we implemented an imager that outputs to Zff and added those NTFS timestamps as File Metadata Extended Information, how would we communicate that to other third-party tools that ingest Zff images? I think that's where having standardized metadata could be helpful. Having said that, there are more than 8 timestamps associated with files on NTFS—so, I understand one has to draw the line somewhere

Arman Gungor

That's good to know! If we implemented an imager that outputs to Zff and added those NTFS timestamps as File Metadata Extended Information, how would we communicate that to other third-party tools that ingest Zff images? I think that's where having standardized metadata could be helpful. Having said that, there are more than 8 timestamps associated with files on NTFS—so, I understand one has to draw the line somewhere

I agree with you on all points. I had to draw a line somewhere, but then I was able to ensure that some flexibility and extensibility is given via the extended in metadata fields. I will add your question to the FAQ tomorrow. I'm afraid that you won't be the last one to ask such a question, unfortunately. In that case, the easiest way is to email me and I will list the appropriate metadata-keyword(s) in the appropriate table on the website (first come, first serve). Extended metadata is still optional - but if available, all tools should be able to read it accordingly. Thanks for the hint! ;)

1

ph0llux

I agree with you on all points. I had to draw a line somewhere, but then I was able to ensure that some flexibility and extensibility is given via the extended in metadata fields. I will add your question to the FAQ tomorrow. I'm afraid that you won't be the last one to ask such a question, unfortunately. In that case, the easiest way is to email me and I will list the appropriate metadata-keyword(s) in the appropriate table on the website (first come, first serve). Extended metadata is still optional - but if available, all tools should be able to read it accordingly. Thanks for the hint! ;)

Thanks for your work on this, and for sharing it with the community. On my short list of cool things to play with. I hope to use the library in a project in the near future

Arman Gungor

Thanks for your work on this, and for sharing it with the community. On my short list of cool things to play with. I hope to use the library in a project in the near future

Would be pretty cool if it will be used in more projects :)

Admittedly I have not been following this, and am jumping in at this very moment, but how does zff compare to afff4 as opposed to e01?

d05

Admittedly I have not been following this, and am jumping in at this very moment, but how does zff compare to afff4 as opposed to e01?

The main goal was to increase speed by applying more modern algorithms. Zff has the potential to enable faster read/write performance (see benchmarks on https://github.com/ph0llux/zff).
Zff offers a huge feature set, but most of it is optional, so fast dumps can be done in a very simple way.
It is simply structured and so also easy to understand (whereby such a thing is in principle rather relative... :D )
it is well documented.
It is very flexible in many places (see discussion above)
it has a dual open source license (MIT/Apache2.0) which is interesting for an open source community as well as for companies with proprietary software.
there is already a reference implementation that offers the full feature set - you can start programming and using it right away.
...

ph0llux

The main goal was to increase speed by applying more modern algorithms. Zff has the potential to enable faster read/write performance (see benchmarks on https://github.com/ph0llux/zff).
Zff offers a huge feature set, but most of it is optional, so fast dumps can be done in a very simple way.
It is simply structured and so also easy to understand (whereby such a thing is in principle rather relative... :D )
it is well documented.
It is very flexible in many places (see discussion above)
it has a dual open source license (MIT/Apache2.0) which is interesting for an open source community as well as for companies with proprietary software.
there is already a reference implementation that offers the full feature set - you can start programming and using it right away.
...

Interesting work - well done. It is, however, very hard to gain traction with a new format. There have been plenty of attempts over the years, yet the inefficient E01s are still dominant. For me as a practitioner there are two main issues - both much more important than performance and other features. Firstly is compatibility with the primary forensic tools - it's all good being able to capture something to ZFF, but it's not much good if I can't load it into XWF/Axiom/Encase etc. Secondly is the integrity of the evidence. I understand you refer to certain elements and algorithms that have been validated, but not the overall file format. Does your implementation have any weaknesses? Could it be potentially changed? Could I stand up in Court and swear that the data has not changed? I would need to see independent verification of the format - AFF4 for example published peer reviewed papers regarding the format and put a lot of work into proving that it does what it says. Extensibility also means different ways to do things. One Imager might capture certain information that another doesn't. This makes it very hard for tools to know what data to expect and present that to the user in a sensible fashion, and understanding the significance of something that's missing could be tricky - is it missing because it wasn't there or because it wasn't captured. All these are (not insurmountable) challenges that would need to be addressed to drive adoption of a new format - good luck!

Ross Donnelly

Interesting work - well done. It is, however, very hard to gain traction with a new format. There have been plenty of attempts over the years, yet the inefficient E01s are still dominant. For me as a practitioner there are two main issues - both much more important than performance and other features. Firstly is compatibility with the primary forensic tools - it's all good being able to capture something to ZFF, but it's not much good if I can't load it into XWF/Axiom/Encase etc. Secondly is the integrity of the evidence. I understand you refer to certain elements and algorithms that have been validated, but not the overall file format. Does your implementation have any weaknesses? Could it be potentially changed? Could I stand up in Court and swear that the data has not changed? I would need to see independent verification of the format - AFF4 for example published peer reviewed papers regarding the format and put a lot of work into proving that it does what it says. Extensibility also means different ways to do things. One Imager might capture certain information that another doesn't. This makes it very hard for tools to know what data to expect and present that to the user in a sensible fashion, and understanding the significance of something that's missing could be tricky - is it missing because it wasn't there or because it wasn't captured. All these are (not insurmountable) challenges that would need to be addressed to drive adoption of a new format - good luck!

I agree with you on the first point - but it's not up to me to change that. I have provided a recipe and cooked an example. If you want to make the pizza yourself, you now have all the instructions you need :) Regarding the integrity questions: the implemented code is open source ( transparency ) and my proposed solution uses independently audited implementations of cryptographic algorithms (and a wide community usage) - the hash algorithms are validated not only by reviews but by a wide community usage. I wouldn't write my own - especially when it comes to encryption. That can always go wrong. But even with 100 independent checks, you'll never have 100% certainty that there's no security hole - just like with E01. Hopefully enough people will find time and interest to check my implementation independently - but they are only found when I share the work on channels like this one ;)

4

ph0llux

I agree with you on the first point - but it's not up to me to change that. I have provided a recipe and cooked an example. If you want to make the pizza yourself, you now have all the instructions you need :) Regarding the integrity questions: the implemented code is open source ( transparency ) and my proposed solution uses independently audited implementations of cryptographic algorithms (and a wide community usage) - the hash algorithms are validated not only by reviews but by a wide community usage. I wouldn't write my own - especially when it comes to encryption. That can always go wrong. But even with 100 independent checks, you'll never have 100% certainty that there's no security hole - just like with E01. Hopefully enough people will find time and interest to check my implementation independently - but they are only found when I share the work on channels like this one ;)

I think preparing example projects (just as you did for Rust) for C# and Python would go a long way toward adoption—both for commercial tools and open-source projects. Since this is a new format, making it easy to integrate could sway teams to consider implementing Zff in their new projects.

1

This is not to say you should personally do all this. Hopefully, the community will step up with ports, wrappers, etc. where needed. I, for one, will take Zff for a spin and see if there is anything we can contribute

1

Ross Donnelly

Interesting work - well done. It is, however, very hard to gain traction with a new format. There have been plenty of attempts over the years, yet the inefficient E01s are still dominant. For me as a practitioner there are two main issues - both much more important than performance and other features. Firstly is compatibility with the primary forensic tools - it's all good being able to capture something to ZFF, but it's not much good if I can't load it into XWF/Axiom/Encase etc. Secondly is the integrity of the evidence. I understand you refer to certain elements and algorithms that have been validated, but not the overall file format. Does your implementation have any weaknesses? Could it be potentially changed? Could I stand up in Court and swear that the data has not changed? I would need to see independent verification of the format - AFF4 for example published peer reviewed papers regarding the format and put a lot of work into proving that it does what it says. Extensibility also means different ways to do things. One Imager might capture certain information that another doesn't. This makes it very hard for tools to know what data to expect and present that to the user in a sensible fashion, and understanding the significance of something that's missing could be tricky - is it missing because it wasn't there or because it wasn't captured. All these are (not insurmountable) challenges that would need to be addressed to drive adoption of a new format - good luck!

I also think a detailed comparison to AFF4 (not AFF) and benchmarks against the reference AFF4 implementation would be very helpful.

3

Hello

10:41 AM

Does someone has practiced an autopsy?

Deleted User

Does someone has practiced an autopsy?

Definitely not. Different kind of forensics

1

5:34 PM

Using autopsy however. There's a lot of information online and test images on digital corpora too!

Hi, I got a random pop-up that my phone was hacked, does anyone know how I can get to my logs on an iPhone I need to make sure there was no intrusion

5:56 PM

It is worth noting this happened to my personal phone

Is there any magnet forensics rep here?

Z3Y19

Is there any magnet forensics rep here?

@Magnet Forensics Do you have a particular question?

codyp915

It is worth noting this happened to my personal phone

You can start at by going to Settings -> Privacy -> Analytics & Improvements -> Analytics Data If you disable pop-ups and JavaScript in your phones browser you likely won’t see that message again (assumption is this is the standard “you have been hacked” ploy)

2

Deleted User

Does someone has practiced an autopsy?

lots of them back then.

Hi everyone does anyone know of a legit source describing (Windows 7) virtual machine stealth techniques so it looks more like a real machine? Online I only find pieces of information here and there but no definite guide describing what should be changed.

@degent_ understand how malware attempts to determine if it’s being analysed in a virtual environment and then design your VM/configure your OS with those countermeasures in mind https://evasions.checkpoint.com/

1

degent_

Hi everyone does anyone know of a legit source describing (Windows 7) virtual machine stealth techniques so it looks more like a real machine? Online I only find pieces of information here and there but no definite guide describing what should be changed.

https://safegroup.pl/attachment.php?aid=1161

1

Thank you very much to both of you. Has anyone ever changed the BIOS release date for a virtualbox VM? I'm trying to run the command listed for it but it causes no change in the VM BIOS relase date

degent_

Thank you very much to both of you. Has anyone ever changed the BIOS release date for a virtualbox VM? I'm trying to run the command listed for it but it causes no change in the VM BIOS relase date

https://www.reddit.com/r/windowsbetas/comments/kccbjs/how_to_change_bios_date_in_virtualbox/ does that help?

r/windowsbetas - How to change BIOS date in VirtualBox

5 votes and 5 comments so far on Reddit

DeeFIR 🇦🇺

https://www.reddit.com/r/windowsbetas/comments/kccbjs/how_to_change_bios_date_in_virtualbox/ does that help?

I already read it but that post only refers to system time and not to BIOS release date, which is different. But thank you though. (edited)

@degent_ try setting it as a string instead of a numeric value. <ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" value="string:01/01/2022"/>

6:53 PM

@Griffeye or anyone else know what this error is or if it can be corrected? Asking for a colleague that is reviewing some cases. Currently using Griffeye DI Core v 22.0.2

Majeeko

@Griffeye or anyone else know what this error is or if it can be corrected? Asking for a colleague that is reviewing some cases. Currently using Griffeye DI Core v 22.0.2

I had this error as well, I could solve it by replacing the case file (ANCF) from the Backup Folder within the Griffeye case.

1

Original message was deleted or could not be loaded.

I'm not sure how this is a forensics related product. Can you please elaborate? It seems like it's related to email spam filtering?

3

Is there someone from @Magnet Forensics I can chat with please

D1g1talDan

Is there someone from @Magnet Forensics I can chat with please

I’m happy to try and help.

Hello everyone, just needed some insights on what options are out there to store and archive large amounts of digital evidence. Any leads would be much appreciated.

Anyone have experience purchasing or using a man-sized faraday enclosure? We're building a new lab and have room to put a faraday enclosure big enough to step into and sit at a desk/work bench. Any insight would be greatly appreciated.

khushigupta0641

Hello everyone, just needed some insights on what options are out there to store and archive large amounts of digital evidence. Any leads would be much appreciated.

I recently saw a presentation from @Cellebrite for their tool Guardian. It's more of a case management suite, but it incorporates AWS gov cloud with a ton of storage.

Chris Myers

I recently saw a presentation from @Cellebrite for their tool Guardian. It's more of a case management suite, but it incorporates AWS gov cloud with a ton of storage.

Its not Just Case Management, but also evidence management, storage, . Online review and other features.

@Moderators https://discord.com/channels/427876741990711298/537760691302563843/1001180846151184545 looks to be generic marketing email seemingly unassociated with anything Forensic (edited)

4

1

Digitalferret

@Moderators https://discord.com/channels/427876741990711298/537760691302563843/1001180846151184545 looks to be generic marketing email seemingly unassociated with anything Forensic (edited)

sorted, thank you

7

2

Could an admin change my role from dfir student to private sector ?

1

4

Chris Myers

Anyone have experience purchasing or using a man-sized faraday enclosure? We're building a new lab and have room to put a faraday enclosure big enough to step into and sit at a desk/work bench. Any insight would be greatly appreciated.

Add about $200 of aluminum foil...

7

but when you open the door you let out the ~~smells~~ RF

At that scale I imagine you would just contract to have a solution built/engineered on site. A neighboring agency to me has a (very expensive) room built into the building. It also requires being recertified regularly.

2:39 PM

heck - even this tent is 25k: https://shop.faradaydefense.com/product/faraday-tents-rf-emi-shielding-enclosure-rooms/?utm_term=&utm_campaign=Faraday+Products+Shopping+Ads&utm_source=adwords&utm_medium=ppc&hsa_acc=1230616009&hsa_cam=9674511099&hsa_grp=132485810303&hsa_ad=584052335404&hsa_src=g&hsa_tgt=pla-1635749942294&hsa_kw=&hsa_mt=&hsa_net=adwords&hsa_ver=3&gclid=Cj0KCQjwof6WBhD4ARIsAOi65ajfKlyNFBnFYJENsWOgUhbxLdD86ruq94-3RPCmi-WwkRVxKrzZXBkaAo2PEALw_wcB

marketing

Large Faraday Tent - LX Black Shell RF/EMI Shielding Enclosure Room...

IN STOCK This Large RF shielding room is built to secure an entire area for you to work in a protected room that is free from any outside attempts at manipulating or interfering with your devices. The small tent measures at 318.5 cubic feet. This tent averages -85 dB attenuation in the range of 30 MHz to 1 GHz and an average of -90 dB attenuati...

Since we are on the topic of faraday enclosures, does anyone have an idea on how to extract an iPhone that is inside of a USB-filtered Faraday bag? I am thinking I would need a female-to-female lightning connector, but finding one that transfers data might be tricky. https://www.amazon.com/dp/B07W3PMY6C?ref_=cm_sw_r_cp_ud_dp_1GDW0TGWF6W74KREDGTX

Mission Darkness Window Charge & Shield Faraday Bag for Phones // I...

The Mission Darkness Window Charge & Shield Faraday Bag for Phones allows a device to remain shielded from RF signals and powered after seizure, until it can be transferred to a forensic box, lab, or tool for data extraction. The bag includes a dual sided USB filter, NeoLok closure system for saf...

3:10 PM

https://www.amazon.com/gp/product/B07GR5WC4M/ref=oh_archive_modal_asin_title?ie=UTF8&psc=1

iMangoo Adapter Compatible with iPad Pro Pencil Female to Female Co...

iMangoo Pencil Adapter Lightning Cable Connector Female to Female Convertor Pencil Charging Adapters for iPad Pro Pencil [2 Pack]

3:10 PM

I am thinking about trying the iMangoo one out, if it doesn't work its only $10.

Does the cable inside not pass data? If the cable inside passes data, it effectively translates the lightning into USB A doesn't it? Then you just need to connect your workstation to the female USB A on the outside of the bag?

6:04 PM

if you're speaking of a special tool that you need to have the lightning connection why not use something like this: https://www.amazon.com/Anker-Lightning-Certified-Headphones-Earphones/dp/B07W7YQT4S/ref=sr_1_3?crid=3D2UC9F3MF1YV&keywords=female+lightning+to+male+usb+a&qid=1658883825&sprefix=female+lightning+to+male+usb+a%2Caps%2C135&sr=8-3

Anker USB-A to Lightning Audio Adapter Cable, MFi Certified Female ...

Model Number: A8197 Anker USB-A to Lightning Audio Adapter The Lightning Adapter with Flawless Sound Keep Listening With this adapter, you don’t need to use separate headphones for your phone and laptop. Just connect the adapter to any USB port to instantly start using your Lightning headphones. ...

6:10 PM

that way you can have something like this... [BOX]---[male lightning] [female lightning]---[male USB A] [Bag input]---[Bag internal connection] [standard USB]---[lightning cable] [suspect device] if my ridiculous formatting makes any sense

Ok so I have a serious question, are professional organizations worth it? If so, what are some you guys recommend?

Yep the Police

12:37 AM

codyp915

Ok so I have a serious question, are professional organizations worth it? If so, what are some you guys recommend?

um, you mean Certs, or? just seemed an odd question, no context

Digitalferret

um, you mean Certs, or? just seemed an odd question, no context

No professional organizations like the International society of forensic computer examiners, as an example

codyp915

No professional organizations like the International society of forensic computer examiners, as an example

ah, sorry, my bad. UK generally called an Association or Professional body, like the IEEE. i mistook organisation for an employer (edited)

1:10 AM

i suppose it depends on which career path you are taking. some require continued professional development to progress, others just time served in a "professional" job, to gain rank. in the worst cases you just pay a monetary fee to stick a badge on your resume/vehicle. as to whether these will gain better employment prospects, maybe ask around in targetted establishments prior

codyp915

No professional organizations like the International society of forensic computer examiners, as an example

ISFCE is limited to those with a CCE certification. Do you just mean a professional body of peers without a qualification/certification requirement? Like the ACS in Australia?

DeeFIR 🇦🇺

ISFCE is limited to those with a CCE certification. Do you just mean a professional body of peers without a qualification/certification requirement? Like the ACS in Australia?

Yes

whee30

if you're speaking of a special tool that you need to have the lightning connection why not use something like this: https://www.amazon.com/Anker-Lightning-Certified-Headphones-Earphones/dp/B07W7YQT4S/ref=sr_1_3?crid=3D2UC9F3MF1YV&keywords=female+lightning+to+male+usb+a&qid=1658883825&sprefix=female+lightning+to+male+usb+a%2Caps%2C135&sr=8-3

This will work perfectly for what am thinking about for use with a special tool. Thanks!

I’m looking at pursuing a career in infosec, probably something like threat intel or digital forensics. Has anyone done the SANS undergrad program for something like this?

kswanalyst

I’m looking at pursuing a career in infosec, probably something like threat intel or digital forensics. Has anyone done the SANS undergrad program for something like this?

#training-education-employment

Oh worddddd

Hi, Quick question, is there a maximum display limit for Browsing history view from Nirsoft ?

CWolf

Hi, Quick question, is there a maximum display limit for Browsing history view from Nirsoft ?

There shouldn't be. Can always run the tool from the command line and produce a CSV, which definitely shouldn't have any display limitations.

Andrew Rathbun

There shouldn't be. Can always run the tool from the command line and produce a CSV, which definitely shouldn't have any display limitations.

Thank you, i will try this option to see if i have the same result

CWolf

Thank you, i will try this option to see if i have the same result

sample command: https://github.com/EricZimmerman/KapeFiles/blob/c542faf38020b2fe32e71744690a3515700bdd2f/Modules/Apps/NirSoft/NirSoft_BrowsingHistoryView.mkape#L11

KapeFiles/NirSoft_BrowsingHistoryView.mkape at c542faf38020b2fe32e7...

This repository serves as a place for community created Targets and Modules for use with KAPE. - KapeFiles/NirSoft_BrowsingHistoryView.mkape at c542faf38020b2fe32e71744690a3515700bdd2f · EricZimme...

I need an advise, client child mother took the child after the father applied for a custody. Here is the story according to the client and i need an advise on who can help in these type of cases. “ I am going through a custody battle in court to receive custody of my daughter the judge never ruled on the case because the mother of my child took off to another state with my child ,when my lawyer verified she was missing to the courts it was to late she have already submitted all false information to the courts so right now no one can find her. I need a way to trace her to serve her in order to server her the legal documents.” Please advise how I can help the client

Pretty sure that situation is out of the scope for this server. At least publicly anyways.

10:57 PM

I maybe wrong though.

Dr. Simba

I need an advise, client child mother took the child after the father applied for a custody. Here is the story according to the client and i need an advise on who can help in these type of cases. “ I am going through a custody battle in court to receive custody of my daughter the judge never ruled on the case because the mother of my child took off to another state with my child ,when my lawyer verified she was missing to the courts it was to late she have already submitted all false information to the courts so right now no one can find her. I need a way to trace her to serve her in order to server her the legal documents.” Please advise how I can help the client

Opinion: I would not touch this. If you quoted your client verbatim above I see 2 consistent indications they could be selling you a story. I believe most countries have laws about taking minors across borders/states = LE jurisdiction.

Dr. Simba

I need an advise, client child mother took the child after the father applied for a custody. Here is the story according to the client and i need an advise on who can help in these type of cases. “ I am going through a custody battle in court to receive custody of my daughter the judge never ruled on the case because the mother of my child took off to another state with my child ,when my lawyer verified she was missing to the courts it was to late she have already submitted all false information to the courts so right now no one can find her. I need a way to trace her to serve her in order to server her the legal documents.” Please advise how I can help the client

with Rydev and Howard - not really a Forensics topic, but if what you say is correct and if you need to act "over a border" i'd say this is a Law Enforcement Agency issue, check with your local/national authority

1:03 AM

maybe state your country in here, and ask for any LE officers if they can point you to the right authority as it sounds llike one of those false imprisonment/child abduction cases even if the adult is the child's parent. YMMV per country (edited)

1

Anyone using Recon ITR? (the imager tool from Sumuri). I would love to hear your thoughts! Also what storage size works best?

Take care. There is a discord server invite going around which points you to scan a QR code. Scanning the QR code authenticates a discord session and allows access to your account. Once authenticated it re-sends the invite & scrapes any server you are on. Remediation - requires the user to reset their password and kill the session. The invites have now timed out or discord are on the ball. example-

2

Hi all, anyone know what on earth this is and what connection this is? As it’s just come in for analysis and we have no idea what it is

obi95

Hi all, anyone know what on earth this is and what connection this is? As it’s just come in for analysis and we have no idea what it is

I think it’s related to Ubisoft and their uPlay offering. The “U” is consistent with their logo. Perhaps it was a drive as part of a promo.

Are you able to open it up? May just be an adapter connected to sata

6:26 AM

Tho double check you're getting readable data if it is.

FullTang

Since we are on the topic of faraday enclosures, does anyone have an idea on how to extract an iPhone that is inside of a USB-filtered Faraday bag? I am thinking I would need a female-to-female lightning connector, but finding one that transfers data might be tricky. https://www.amazon.com/dp/B07W3PMY6C?ref_=cm_sw_r_cp_ud_dp_1GDW0TGWF6W74KREDGTX

Pop it into a faraday box remove it from the back and pull the data through the faraday box when finished through it into the bag again ?

DCSO

Pop it into a faraday box remove it from the back and pull the data through the faraday box when finished through it into the bag again ?

Yep that would be ideal, but my faraday box does not have USB filtering.

trillian

Anyone using Recon ITR? (the imager tool from Sumuri). I would love to hear your thoughts! Also what storage size works best?

I use it for imaging on occasion, and I don't use the live triage option hardly ever. I personally think Macquisition is more intuitive and generates E01s, which is what a lot of opposing experts or contractors (when subcontracting) expect. ITR is less expensive, and I don't image a lot of Macs, which is why I started off with Recon Imager in the first place. Support for ITR is good, although you do typically hear on a support call how ITR is the only tool that actually works. I just noticed that they offer a rental program for about $150/week. That could work if you only plan to use on occasion (and can plan ahead enough to get the device shipped to you before the engagement) or want to try the tool out.

uochaos

I use it for imaging on occasion, and I don't use the live triage option hardly ever. I personally think Macquisition is more intuitive and generates E01s, which is what a lot of opposing experts or contractors (when subcontracting) expect. ITR is less expensive, and I don't image a lot of Macs, which is why I started off with Recon Imager in the first place. Support for ITR is good, although you do typically hear on a support call how ITR is the only tool that actually works. I just noticed that they offer a rental program for about $150/week. That could work if you only plan to use on occasion (and can plan ahead enough to get the device shipped to you before the engagement) or want to try the tool out.

Thank you for the info! The rental option is just for the US unfortunately. Do you happen to get anything from a locked Mac with ITR? In your experience, I mean

trillian

Anyone using Recon ITR? (the imager tool from Sumuri). I would love to hear your thoughts! Also what storage size works best?

Love it! and the Sumuri guys are really great support and answering questions.

Deleted User

I think it’s related to Ubisoft and their uPlay offering. The “U” is consistent with their logo. Perhaps it was a drive as part of a promo.

Logo matches this more than Ubisoft, so something to do with music streaming? https://apps.apple.com/us/app/id684183096

‎uPlay Stream

‎The QED uPlay Steam Hi-Fi Network Music Steamer brings together your digital music collection and your audio system. Simply connect the uPlay Stream to your audio system and enjoy streaming of uncompressed high resolution digital music using Wi-Fi or Ethernet. This free uPlay Stream App allows you…

Ross Donnelly

Logo matches this more than Ubisoft, so something to do with music streaming? https://apps.apple.com/us/app/id684183096

Indeed, nice find

The 20th SocVel Cybersecurity Quiz is out! Another quiz jam-packed with 10 of the most interesting infosec stories from the past week. Have a go now! https://socvel.com/quiz

Quiz - SocVel.com

The SocVel Cybersecurity Quiz [w20]Your Weekly Cybersecurity Quiz!A recent ZDNet report covered what they labelled "the most lucrative form of cybercrime". What were they referring to?Which country's tax agency did the LockBit ransomware group claim to have breached, stealing 100GB of data?Avast researchers detailed activities from a secretive s...

FullTang

Yep that would be ideal, but my faraday box does not have USB filtering.

ah gotcha, Mission Darkness sells USB filtering add ons for faraday boxes you just have to drill a hole and thread it on.

DCSO

ah gotcha, Mission Darkness sells USB filtering add ons for faraday boxes you just have to drill a hole and thread it on.

I had no idea. Ill have to look into that, thanks!

whee30

heck - even this tent is 25k: https://shop.faradaydefense.com/product/faraday-tents-rf-emi-shielding-enclosure-rooms/?utm_term=&utm_campaign=Faraday+Products+Shopping+Ads&utm_source=adwords&utm_medium=ppc&hsa_acc=1230616009&hsa_cam=9674511099&hsa_grp=132485810303&hsa_ad=584052335404&hsa_src=g&hsa_tgt=pla-1635749942294&hsa_kw=&hsa_mt=&hsa_net=adwords&hsa_ver=3&gclid=Cj0KCQjwof6WBhD4ARIsAOi65ajfKlyNFBnFYJENsWOgUhbxLdD86ruq94-3RPCmi-WwkRVxKrzZXBkaAo2PEALw_wcB

Is that a fancy hydroponics tent ?? I have seen them in a few houses and thought they were only for growing non flowering mexican tomatoes, not clandestine DF labs.

FullTang

I had no idea. Ill have to look into that, thanks!

Yeah we have the new ones with the ethernet and USB holes, the whole bag of stuff goes in and you then get to fumble around like a surgeon. Pro tip though, you can wirelessly charge through the bags with a good charger (Like Belkin) if you are in a pickle and your target device is going flat. (edited)

Sounds fancy and thanks for the tips! I knew the newer boxes had filtering, I just did know you could add filters to an existing box. I only recently found out (from a post on this server) about faraday bags with USB filters so that solved my problem about how to economically extract a new iPhone with BLE. The wireless charging thing is slick! I have been trying to find a really big wireless charging mat so that positioning wouldn’t be an issue if it was in a faraday bag but I haven’t found one yet.

FullTang

Sounds fancy and thanks for the tips! I knew the newer boxes had filtering, I just did know you could add filters to an existing box. I only recently found out (from a post on this server) about faraday bags with USB filters so that solved my problem about how to economically extract a new iPhone with BLE. The wireless charging thing is slick! I have been trying to find a really big wireless charging mat so that positioning wouldn’t be an issue if it was in a faraday bag but I haven’t found one yet.

Yeah I have found the Belkin ones quite good as the cheap ones don’t seem to get through the bag. It’s handy for when one comes in a bag and they forgot to connect a battery. Get your Faraday box checked after any Mods as well and the seals can wear out letting RF in. Our old one got to a point where you could make a video call out from inside it if the phone was with a certain local carrier. That was enough motivation to get them to get us a new one

1

I'm pursuing undergrad in cyber security. Looking for some internship or Part Time (edited)

If you have a minute. Literally. Gotta love Nill :). https://www.youtube.com/watch?v=zqSlKQSJTFo

Nill

When you log in to Windows (in under 60 seconds)

I have never before heard of Nill... is this a rabbit hole I'm about to go down?

Tejas

I'm pursuing undergrad in cyber security. Looking for some internship or Part Time (edited)

Internship or part time in what discipline of cyber exactly? DF?

DeeFIR 🇦🇺

Internship or part time in what discipline of cyber exactly? DF?

I'm looking mostly red team based. I'm open too blue teaming too. I have knowledge in web app pentesting, network pentesting (AD). Some memory forensics..

Which country? Have you applied anywhere? What do you need help with specifically? Or are you just hoping someone will throw an opportunity your way?

I'm in India. I'm trying to get some industry experience in the above said fields. I did apply for part time in few companies. Timing didn't work well...

whee30

I have never before heard of Nill... is this a rabbit hole I'm about to go down?

Strap yourself in buddy. If a furry and a Windows sys admin merged into an Uber driver.

2

anyone run an offline map server for use with Axiom

2:26 AM

just curious how big the map is on disk

@Law Enforcement [USA] Anyone has any experience with legal process on FOG Reveal for advertiser ID searching?

Nick Papagiorgio

@Law Enforcement [USA] Anyone has any experience with legal process on FOG Reveal for advertiser ID searching?

When we had the trail you just email them the device Ad Id. They will check and see if it matches their system. IF I REMEMBER RIGHT it really does not go much further then that. They do not collect or store device information.

digital Bowles

When we had the trail you just email them the device Ad Id. They will check and see if it matches their system. IF I REMEMBER RIGHT it really does not go much further then that. They do not collect or store device information.

Thanks

codyp915

Hi, I got a random pop-up that my phone was hacked, does anyone know how I can get to my logs on an iPhone I need to make sure there was no intrusion

Hi @codyp915 To pull the syslogs from iPhone you do the following or at least from what I know. Go to settings > Accessibility > Touch> Assistive Touch - “Turn on”> Custom Actions > Double Tap - “select Analytics” (this will place a button on your phone)… You will double tap the button you will see at the top of the screen where it says “generating logs/analytics”. To get the logs you will go to Settings > Privacy > scroll to bottom and select Analytics and improvements. Of course it is a lot! Hope this helps. If you found another way, please share.

Ross Donnelly

Logo matches this more than Ubisoft, so something to do with music streaming? https://apps.apple.com/us/app/id684183096

We found the part yesterday, turns out it’s a Bluetooth transmitter for old iPods

4

Sudo

anyone run an offline map server for use with Axiom

We do, i'll have to check the size when im back in the office. The only zoomed in tiles which we added were the local ones to our country though. As the global tileset to the building level (13? ) was quite large

TiffanyRbns

Hi @codyp915 To pull the syslogs from iPhone you do the following or at least from what I know. Go to settings > Accessibility > Touch> Assistive Touch - “Turn on”> Custom Actions > Double Tap - “select Analytics” (this will place a button on your phone)… You will double tap the button you will see at the top of the screen where it says “generating logs/analytics”. To get the logs you will go to Settings > Privacy > scroll to bottom and select Analytics and improvements. Of course it is a lot! Hope this helps. If you found another way, please share.

You can also press and hold volume up + volume down + side button for 1-1.5 seconds and release to trigger a sysdiagnose. The phone should take a screen shot and vibrate to let you know you were successful. If you call 9-1-1 you went to far. I find this way a bit simpler and faster but there have also been times where I thought I timed it right and didn’t, ending up waiting around 10 minutes for nothing followed by some choice words.

@Brandon E good to know!!! Thanks I knew what I had was long. Appreciate the tip!

Hi has someone used Cuckoo Sandbox before and confifgured it to route traffic through a VPN? Because I'm getting the following error: (edited)

Hey does recovered files from autopsy has its exif data changed?

8:52 AM

i recovered a png file , its meta data was changed,

8:52 AM

using exiftool

8:52 AM

i verified this

1

CyberJunkie

i recovered a png file , its meta data was changed,

What data was changed? Are you able to show screenshots? (never seen this before)

codyp915

Hi, I got a random pop-up that my phone was hacked, does anyone know how I can get to my logs on an iPhone I need to make sure there was no intrusion

Elcomsoft can pull the crash logs and sysdiagnose logs for you if you have a copy.

Hi everyone 1- what is best way (or best practices) to analysis and work with malware infected digital evidence? 2- how do you guys archive and secure malware infected digital evidence? Thanks

Yousha

Hi everyone 1- what is best way (or best practices) to analysis and work with malware infected digital evidence? 2- how do you guys archive and secure malware infected digital evidence? Thanks

This is a very vague question so it's difficult to answer. Are you asking for the best way to set up your analysis system to analyse malware affected disk images? Because you can setup your systems the same as any other forensic analysis system. Same rules apply - don't execute the malware

1:10 AM

Archiving and securing depends on your organisation. civil labs may operate differently to le. Regular organisations that have blue teams have different standards again

@Magnet Forensics Feature request for Axiom: Would it be possible to add a custom case type at the Case Details screen? In my current role I am often working officer involved shootings, death investigations, fatal vehicle collisions or hit and run accidents. I have been using the "Other" case type on these examinations but it would be nice to add in something more specific.

@Magnet Forensics - It's been a few years since I've used DVR Examiner, does it export out logs or would I still need to log into the system to export out the logs ?

Adam Cervellone

@Magnet Forensics Feature request for Axiom: Would it be possible to add a custom case type at the Case Details screen? In my current role I am often working officer involved shootings, death investigations, fatal vehicle collisions or hit and run accidents. I have been using the "Other" case type on these examinations but it would be nice to add in something more specific.

I'll forward that along, could really be useful for anything that doesn't fit with the listed choices.

Jay528

@Magnet Forensics - It's been a few years since I've used DVR Examiner, does it export out logs or would I still need to log into the system to export out the logs ?

I believe you'd still need to log into the unit to export the logs. Also a good opportunity to review the different settings - especially confirming time offsets.

Thanks @chriscone_ar

1

chriscone_ar

I'll forward that along, could really be useful for anything that doesn't fit with the listed choices.

Thank you!

1

Has anyone installed a Windows VM on an M1 Mac, using either vmware or parallels?

luis511_

Has anyone installed a Windows VM on an M1 Mac, using either vmware or parallels?

My understanding was that support was not available until very very recently when someone got arm windows running. I haven't tried it yet, my apple silicon macs are personally owned and I haven't had a reason to try yet

whee30

My understanding was that support was not available until very very recently when someone got arm windows running. I haven't tried it yet, my apple silicon macs are personally owned and I haven't had a reason to try yet

Thank you.

working on a Digital Forensics newsletter! I’m not as creative in this field. Anyone have any suggestions for creative newsletter name?

TiffanyRbns

working on a Digital Forensics newsletter! I’m not as creative in this field. Anyone have any suggestions for creative newsletter name?

Thinking DFIRently?

I like, just not IR related. Only DF

(edited)

TiffanyRbns

I like, just not IR related. Only DF

(edited)

DFIR is still the general umbrella term

‍♂️ but i get it!

TiffanyRbns

working on a Digital Forensics newsletter! I’m not as creative in this field. Anyone have any suggestions for creative newsletter name?

The Fuzzy Bits

1:56 PM

so many hooks with that

TiffanyRbns

I like, just not IR related. Only DF

(edited)

Nibbles of knowledge... Bytes of inspiration... Maybe I am not as creative either....

TiffanyRbns

working on a Digital Forensics newsletter! I’m not as creative in this field. Anyone have any suggestions for creative newsletter name?

The LastWritten Times

@Digitalferret

8:07 PM

@Jamey nice!

8:07 PM

@MeGaBiTe sounds like a criminal minds episode

but love it

Yousha

Hi everyone 1- what is best way (or best practices) to analysis and work with malware infected digital evidence? 2- how do you guys archive and secure malware infected digital evidence? Thanks

Sandboxed VM , isolated from networks (network disabled) usually a external drive. For malware samples a 7zip archive with the password “infected” also stored on an external drive.

12:57 AM

Usually you have a dedicated malware analysis machine, I like something like the older Thinkpad that has a hardware airplane mode switch that disables all networking , additionally you can even remove the wireless card.

1:00 AM

So the scenario would be to acquire the sample that’s zipped, copy to a thumb drive, plug the thumb drive into the analysis machine and pass the usb drive to the vm. Then copy the sample to the vm and then extract it there, then conduct your static analysis. You can also setup a proxy network if you also need some network analysis as well.

1:01 AM

I also usually do a snapshot before analysis, then revert to the “clean” state once analysis is completed.

1:02 AM

There are some vm escape methods, but generally you should be safe. That’s the reason for the dedicated device in the event that the host is also infected.

1:02 AM

In the event the host is infected, wipe the drive, reflags the bios and reinstall the host OS. You should be golden.

1:03 AM

Hopefully that’s a decent explanation in a short amount of time , and it’s what you’re looking for

1:04 AM

Here is a curated list of books, which also include a great selection on malware analysis https://ryd3v.rocks/posts/books

Hacking Books

Ryan Collins, Software Engineer, teaching programming, development, React, Next.js

1:05 AM

And if you’re just getting started in malware analysis, I can’t recommend any better book than this one. https://www.amazon.ca/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901/ref=sr_1_1?dchild=1&keywords=Practical+Malware+Analysis&qid=1633494097&s=books&sr=1-1&dplnkId=19595930-5afe-4d13-966f-014b4d918962&nodl=1

Practical Malware Analysis: The Hands-On Guide to Dissecting Malici...

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software

1:06 AM

Sorry for the long link. It’s not an affiliate link.

1:06 AM

But if you google the title on google you can check the link beforehand. I just copied the link google gave me.

Looking for some Cellebrite PA 8.1 assistance. I have created cases on individual extractions. Is there a way to add an additional extraction to a current case? I cant seem to find anywhere to do it.

tydras

Looking for some Cellebrite PA 8.1 assistance. I have created cases on individual extractions. Is there a way to add an additional extraction to a current case? I cant seem to find anywhere to do it.

#mobile-forensic-extractions try there

Hi everyone, I'm trying to find Botnet samples for Windows to gather results for the Sandbox Environment I'm developing but I'm having a hard time finding anything. I have checked Malwarebazaar but most botnets are ELF files (Linux). Therefore where can I find 100-200 botnet samples for Windows OS? Thanks in advance.

degent_

Hi everyone, I'm trying to find Botnet samples for Windows to gather results for the Sandbox Environment I'm developing but I'm having a hard time finding anything. I have checked Malwarebazaar but most botnets are ELF files (Linux). Therefore where can I find 100-200 botnet samples for Windows OS? Thanks in advance.

Probably vx underground

Morning everyone, I’m trying to determine origin of images held on an iOS device. In the file path CPLAssests is mentioned, OS research shows that it might be evidence of the iCloud synchronisation of some respect. \root\private\var\mobile\media\PhotoData\CPLAssests…… Any help at all would be lovely (edited)

Have you looked at the corresponding Photos.sqlite record for that file?

D1g1talDan

Morning everyone, I’m trying to determine origin of images held on an iOS device. In the file path CPLAssests is mentioned, OS research shows that it might be evidence of the iCloud synchronisation of some respect. \root\private\var\mobile\media\PhotoData\CPLAssests…… Any help at all would be lovely (edited)

Recommend running this over your job, may find some helpful artefacts - https://github.com/controlf/mift

GitHub - controlf/mift: mift - a mobile image forensic toolkit

mift - a mobile image forensic toolkit. Contribute to controlf/mift development by creating an account on GitHub.

1

OllieD

Have you looked at the corresponding Photos.sqlite record for that file?

I’ll have a look mate thanks

Rob

Recommend running this over your job, may find some helpful artefacts - https://github.com/controlf/mift

Running anything of GitHub is a no go from my organisation. Crazy! I know

D1g1talDan

Running anything of GitHub is a no go from my organisation. Crazy! I know

It's from Control-F, the training vendor

2:15 AM

So you could always contact them to see if they could supply you with a copy directly? (edited)

Yeah I might have to

You're on the right track with suspecting that the CPL assets are related to cloud synchronisation. I'm sure it's changed a lot since I last looked, but photos synced from iCloud to a device would be saved in those paths to then be displayed in the Photos app

2:20 AM

On a side note, deefinitely worth striking up a conversation with relevant stakeholders about relaxing your policy on GitHub, or creating a process for requesting access to a repo. There are sooooo many great open-source resources: MIFT, KAPE, Andriller, Mobile Revelator, Autopsy, iLEAPP, ALEAPP

2:20 AM

The list goes on

2:21 AM

Many other UK organisations will have designated standalone machines with a "dirty" internet connection, to facilitate accessing those resources if the corporate firewall blocks them

1

2:21 AM

With permissions from their relevant IT teams ofc. Sometimes easier/safer than whitelisting the site for the whole userbase!

Believe me…it’s an on going battle

1

D1g1talDan

Morning everyone, I’m trying to determine origin of images held on an iOS device. In the file path CPLAssests is mentioned, OS research shows that it might be evidence of the iCloud synchronisation of some respect. \root\private\var\mobile\media\PhotoData\CPLAssests…… Any help at all would be lovely (edited)

If you dm me with an email I can provide you with a SQLite query for photos.sqlite that will help. Another file to analyze is store.cloudphotodb I have a query for this also. This file should provide how the file was synced with iCloud photos. If you need documentation about the file path read through this blog and feel free to ask any specific questions: https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ (edited)

scottkoenig3347

Photos.sqlite Query Documentation & Notable Artifacts – 5/2/2022

As many of you are aware, I recently updated my Photos.sqlite queries. Since releasing the different query iterations, I have received several questions about how I was able to decode the data incl…

3

D1g1talDan

Morning everyone, I’m trying to determine origin of images held on an iOS device. In the file path CPLAssests is mentioned, OS research shows that it might be evidence of the iCloud synchronisation of some respect. \root\private\var\mobile\media\PhotoData\CPLAssests…… Any help at all would be lovely (edited)

I assume you've looked at the low hanging fruit of checking what type of device the photo was taken with to see if it's consistent and then checking the capture time against other photos in the standard DCIM folder to see if it makes sense... photos.sqlite is enormous, it's worth spending time in to see what's getting missed for sure. Report back with what you find!

whee30

I assume you've looked at the low hanging fruit of checking what type of device the photo was taken with to see if it's consistent and then checking the capture time against other photos in the standard DCIM folder to see if it makes sense... photos.sqlite is enormous, it's worth spending time in to see what's getting missed for sure. Report back with what you find!

Yes mate

my heart sunk the first time I opened photos.sqlite for a ‘quick look’

8:16 AM

Pandoras Box comes to mind

There's a table ZGENERICALBUM which tracks album names, multiple contributors enabled etc... I keep a txt file with some SQLite queries, although @ScottKjr3347 published way more in depth analysis by the time I caught on to try my hand at it

D1g1talDan

Yes mate

my heart sunk the first time I opened photos.sqlite for a ‘quick look’

Dan, you can also use the iOS runtime feature to establish which device the images came from. You just need a known image from the same device on the same power cycle. DM me if you need assistance, it's a feature in the S21 LASERi-X app, very awesome, especially as Apple doesn't apply the device serial numbers to image.

2

Semantics 21 (Tom)

Dan, you can also use the iOS runtime feature to establish which device the images came from. You just need a known image from the same device on the same power cycle. DM me if you need assistance, it's a feature in the S21 LASERi-X app, very awesome, especially as Apple doesn't apply the device serial numbers to image.

Is this proprietary to the software or do you have a white paper somewhere that shows how the correlation can be made manually?

whee30

Is this proprietary to the software or do you have a white paper somewhere that shows how the correlation can be made manually?

It's something i spotted that Semantics 21 offered in their products whilst i worked at BlackBag Tech, its not proprietary, they just have a clever way of displaying the linked images. I'll write up an article and post on the S21 case studies site: https://www.semantics21.com/case-studies/

Case Studies | Semantics 21

We are proud to showcase the success and experiences of others

1

10:59 AM

Heres a video of the iOS Runtime filtering: https://videos.semantics21.com/v/oegkMTP3Eumum1OXHSfQjTlPt

iOS Runtime.mp4

Shared with Jumpshare

D1g1talDan

Believe me…it’s an on going battle

are you able to write your own sequal statements ??? you can just copy an paste some of them.. I know that in Cellebrite PA you can paste a sql statement into it that you get from somewhere else..

Original message was deleted or could not be loaded.

mind moving this to #training-education-employment?

11:38 AM

should be a good discussion, but want to make sure we're keeping things organized as best we can

1

Of course, let me copy/paste and then I'll delete the ones here

11:41 AM

There, I moved it to #training-education-employment

1

D1g1talDan

Running anything of GitHub is a no go from my organisation. Crazy! I know

Ouch !

Jetten_007

are you able to write your own sequal statements ??? you can just copy an paste some of them.. I know that in Cellebrite PA you can paste a sql statement into it that you get from somewhere else..

Not something I’ve done before. I’ve had so much help now…time to digest (edited)

Best places to purchase a TX-1? Saved up some money for one of my own (edited)

shulgi

Best places to purchase a TX-1? Saved up some money for one of my own (edited)

I've use Digital Intelligence before https://digitalintelligence.com/store/products/d6280?taxon_id=21

shulgi

Best places to purchase a TX-1? Saved up some money for one of my own (edited)

I've used Silicon Forensics before too https://siliconforensics.com/products/forensic-hardware/tableau/tableau-kits/tableau-forensic-imager-tx1-tx1.html

Tableau Forensic Imager TX1 [TX1+]

In the lab, or in the field, the NEW Tableau Forensic Imager (TX1) acquires more data, faster, from more media types, without ever sacrificing ease-of-use or portability. Successor to the Tableau TD3 and redesigned from the circuit board up, the TX1 is built on a custom Linux kernel, making it lean and powerful. Every component is hand-selected ...

Thanks @stark4n6. Looks like I need to save up one more paycheck for it lol

shulgi

Thanks @stark4n6. Looks like I need to save up one more paycheck for it lol

prices may vary depending on vendor too because some offer extra cases and stuff

stark4n6

prices may vary depending on vendor too because some offer extra cases and stuff

Yeah I see that. Some of these extras may prove useful, so I’ll shop around

Does anyone know where I can buy a Tableau T4/T4es SCSI bridge? (Not SATA, not SAS -- must be SCSI) Looks like they stopped making them a loooong time ago, and I'm not seeing used ones sold anywhere. One sold on ebay a few months back, and that's it.

Hi everyone. I apologise if this question has been asked before... That being said, I just wondered if anyone in UK Law Enforcement could advise me how they validate their write blockers. We all use internal Tableau T356789iu devices but to maintain UKAS accreditation we have to prove that these work - I know they do but thats ISO/UKAS (sigh). We have a solution (it seems very antiquated > in-out-in-out shake it all about!!) however in my opinion it is very clunky. I think that this could be streamlined but I don't want to upset UKAS. Any help would be most appreciated. Thanks.

blake-ee

Hi everyone. I apologise if this question has been asked before... That being said, I just wondered if anyone in UK Law Enforcement could advise me how they validate their write blockers. We all use internal Tableau T356789iu devices but to maintain UKAS accreditation we have to prove that these work - I know they do but thats ISO/UKAS (sigh). We have a solution (it seems very antiquated > in-out-in-out shake it all about!!) however in my opinion it is very clunky. I think that this could be streamlined but I don't want to upset UKAS. Any help would be most appreciated. Thanks.

Here's a very brief overview of what we did back when I was LE: Step 1 - Populate a drive with known data (Having a pool of different types, and say using a known NIST image is a good idea). Confirm ground truth/Hash if possible Step 2 - Connect device to write blocker Step 3 - Take an image through write blocker Step 4 - Confirm data has not changed Step 5 - Try and write/alter data while connected to write blocker Step 6 - Again confirm that data has not changed. Repeat this for each individual write blocker, using a mix of drives that you image in your labs, so hard drives, SSDs, USBs, SD cards etc. It might be a pain but it is good to verify that these things work correctly, we have had some fail in the past so on-going testing should be required, but you won't need to do full re-validation each time. Feel free to DM for details, alternatively FCN should have some decent resources for this kind of thing.

K23

Here's a very brief overview of what we did back when I was LE: Step 1 - Populate a drive with known data (Having a pool of different types, and say using a known NIST image is a good idea). Confirm ground truth/Hash if possible Step 2 - Connect device to write blocker Step 3 - Take an image through write blocker Step 4 - Confirm data has not changed Step 5 - Try and write/alter data while connected to write blocker Step 6 - Again confirm that data has not changed. Repeat this for each individual write blocker, using a mix of drives that you image in your labs, so hard drives, SSDs, USBs, SD cards etc. It might be a pain but it is good to verify that these things work correctly, we have had some fail in the past so on-going testing should be required, but you won't need to do full re-validation each time. Feel free to DM for details, alternatively FCN should have some decent resources for this kind of thing.

For periodic checks (rather than a full revalidation eg after a firmware update) we use this tool. Works with anything (doesn't need weibetech hardware) and throws every possible write command at the drive to get full coverage. https://wiebetech.com/software/writeblocking-validation-utility/

H.G. Blakeman

WriteBlocking Validation Utility

3

Ross Donnelly

For periodic checks (rather than a full revalidation eg after a firmware update) we use this tool. Works with anything (doesn't need weibetech hardware) and throws every possible write command at the drive to get full coverage. https://wiebetech.com/software/writeblocking-validation-utility/

Now that looks cool, thanks for sharing!

Ross Donnelly

For periodic checks (rather than a full revalidation eg after a firmware update) we use this tool. Works with anything (doesn't need weibetech hardware) and throws every possible write command at the drive to get full coverage. https://wiebetech.com/software/writeblocking-validation-utility/

This is exactly what we used in our UK LE for 17025 validation. Pick a 'Random' disk out of 20 prefabbed empty/noncase drives, connect it to the write blocker, use wiebetech, pass/fail - if it fails (which it has done). We had to use a different disk for each 'technology' (HHD/SSD/Mem Card). It cut down our testing considerably. (edited)

1

Agreed that sounds much quicker. Only main benefit of populating/using known data is that you can use the same drives later on for analysis validation if that's the direction you're heading

Hey is leaving my first Cybersecurity job after only 6 months a bad look?

Ventose

Hey is leaving my first Cybersecurity job after only 6 months a bad look?

Can you explain why you left without sounding unprofessional? Could always say it wasn't a culture for or the job didn't end up being what you expected

Andrew Rathbun

Can you explain why you left without sounding unprofessional? Could always say it wasn't a culture for or the job didn't end up being what you expected

Yeah, I chose to leave a little while ago because the traveling was just too much. But I was just curious about how a 6-month stay at a company would look to interviewers

Ventose

Yeah, I chose to leave a little while ago because the traveling was just too much. But I was just curious about how a 6-month stay at a company would look to interviewers

As long as you can explain it when asked with a fair reason I don't think anyone will fault you

5

Thanks

Honesty is always the best policy.

1

ryd3v

Honesty is always the best policy.

unless ur in Govt and then ur gonna be SOL

4

Anyone in IR Consulting? Looking to transition into it from a SOC / MSSP role and would like a mentor

burytoes.

Anyone in IR Consulting? Looking to transition into it from a SOC / MSSP role and would like a mentor

Plenty of us are, if you have any questions, #training-education-employment might be the best place for it. Start a new thread, if needed

1

What are differences between modified date and changed date present in photo metadata in iOS

Hello... Can anyone recommend any website from where you can buy a dope badge related to digital forensics? Been searching but didn't come across sth that nice. Thanks!!

shedex

What are differences between modified date and changed date present in photo metadata in iOS

#mobile-forensic-decoding

ZetLoke77

Hello... Can anyone recommend any website from where you can buy a dope badge related to digital forensics? Been searching but didn't come across sth that nice. Thanks!!

dope badge or "dope" badge

Digitalferret

dope badge or "dope" badge

You know what kind of dope

. Didn't bother to use quotation marks anymore

5:33 AM

Still open to suggestions though

Make enough friends in the space and some folks have challenge coins specific to their agencies. I know the various vendors do as well, find them at trade shows and classes

whee30

Make enough friends in the space and some folks have challenge coins specific to their agencies. I know the various vendors do as well, find them at trade shows and classes

It's what I've missed the most during the pandemic - vendor swag!! (If any vendors are reading...

)

I am curious with regards to photographs forensics is it possible to bypass error level analysis by resaving it over and over? If not how can you tell if a image has been photoshopped/edited using forensics?

malrker

I am curious with regards to photographs forensics is it possible to bypass error level analysis by resaving it over and over? If not how can you tell if a image has been photoshopped/edited using forensics?

ELA can surely be fooled in my experience. The clone detection catches lots of false positives as well I’ve found. If I look at an image manually I look for artefacting and if there is text in a forged image of a document usually has the fonts in slightly differing lightness/darkness. I look at file naming convention as well for anomalies. If someone has deep etched an object I also look at any diagonal lines to see if there are unusual pixels.

Anyone got experience dumping data/getting root on a DJI Mini 2 Drone? Or parsing the DJI Assistant DAT files?

cygnusx

Anyone got experience dumping data/getting root on a DJI Mini 2 Drone? Or parsing the DJI Assistant DAT files?

maybe #drones

Is there a way to connect Cellebrite PA to a map tile server? I don not have a license for the offline package and wonder if there is a way to connect Cellebrite PA to a locally installed map server. Due to legal restrictions we are not allowed to connect our lab computers to the internet. I have read the manual and been poking around in the settings menu but nothing comes to mind

I don’t have an answer for you on the file server but perhaps a workaround could be installing google earth and then exporting your kml files on cases where location is important?

I wonder if we have a Target for KAPE for those KML files...

Deleted User

Is there a way to connect Cellebrite PA to a map tile server? I don not have a license for the offline package and wonder if there is a way to connect Cellebrite PA to a locally installed map server. Due to legal restrictions we are not allowed to connect our lab computers to the internet. I have read the manual and been poking around in the settings menu but nothing comes to mind

@facelessg00n where is this configured?

DeeFIR 🇦🇺

@facelessg00n where is this configured?

I’ll check when I get in the office. It’s in the settings tab somewhere

facelessg00n

I’ll check when I get in the office. It’s in the settings tab somewhere

whee30

I don’t have an answer for you on the file server but perhaps a workaround could be installing google earth and then exporting your kml files on cases where location is important?

Usually best to avoid the google especially if you have an offline map server.

DeeFIR 🇦🇺

Click to see attachment 🖼️

I miss u too.

1

why not have polls without collecting email IDs..

Tejas

why not have polls without collecting email IDs..

What are you referring to? The book cover vote? Doing it so it prevents votespam. I don't do anything with the emails. Who knows what Google does with it. Make a fake email or don't participate

‍♂️

Andrew Rathbun

What are you referring to? The book cover vote? Doing it so it prevents votespam. I don't do anything with the emails. Who knows what Google does with it. Make a fake email or don't participate

‍♂️

yep that one, okay

8:54 PM

can have discord IDs as an alternative maybe

8:54 PM

suggestion

Suggestion heard but I'm simply not doing all of that work. That sounds like a massive PITA. Most people probably don't know how to get their own ID whereas everyone has an email

1

okay thanks ✌️

I asked the website midjourney.com to generate a design for the book. It uses Artificial intelligence and keywords to create something unique. Here's the 4 designs it came up with...

MrMacca (Allan Mc)

I asked the website midjourney.com to generate a design for the book. It uses Artificial intelligence and keywords to create something unique. Here's the 4 designs it came up with...

can you post in #deleted-channel?

Ross Donnelly

"This new feature is based on Ultra Wideband (UWB) technology, which is part of Apple’s U1 chip. Only iPhone 11 and newer models (except for the second-generation iPhone SE) have the U1 chip, so that is why only these devices will work with Find My even when turned off." https://www.google.com/amp/s/9to5mac.com/2021/07/21/ios-15-here-are-the-devices-that-support-find-my-when-turned-off/amp/

Does anyone know if there are any breadcrumb's associated with this that could be viewed off a FFS of the location broadcasting iPhone? Scenario is a unknown burglar breaks into home, if subject had an iPhone 11 or higher either in a powered on or powered off state on his person, is it possible a victim's iphone 11 or higher could have seen this device and have a MAC address or associated ID that could be pulled off the victim's phone with a FFS? Ideally something that Apple would be able to provide if issued a subpoena.

Solec

Does anyone know if there are any breadcrumb's associated with this that could be viewed off a FFS of the location broadcasting iPhone? Scenario is a unknown burglar breaks into home, if subject had an iPhone 11 or higher either in a powered on or powered off state on his person, is it possible a victim's iphone 11 or higher could have seen this device and have a MAC address or associated ID that could be pulled off the victim's phone with a FFS? Ideally something that Apple would be able to provide if issued a subpoena.

I feel like router interrogation of the home router (even with MAC randomization on newer devices) or a Google Geofence warrant would yield better results. If the home is remote then a cell tower dump might be reasonable as well.

I suggested to do the geofence as well, I was kind of spitballng and the above idea kind of crossed my mind. Are you typically seeing devices on routers even if they didn't connect and make a handshake?

I think it depends on the model of the router and the type of WiFi protocol (802.11b, a, g, n, ac, ax) that is being used. My understanding is newer WiFi protocols would be less likely to store devices.

1

copy, thanks

1

FullTang

I think it depends on the model of the router and the type of WiFi protocol (802.11b, a, g, n, ac, ax) that is being used. My understanding is newer WiFi protocols would be less likely to store devices.

That is my understanding, the default logging of devices near the router has been turned off for years from what I've heard and seen.

1

Solec

I suggested to do the geofence as well, I was kind of spitballng and the above idea kind of crossed my mind. Are you typically seeing devices on routers even if they didn't connect and make a handshake?

If subjects Wi-Fi radio was turned on it should send probe requests with a random MAC. A router with very verbose logging might capture that request, but I doubt it.

hey everyone! how do you personally collect data (tools / methods) from an external sharepoint where you do not have access to compliance center?

We have an inquiry to have forensic collections (computer & mobile) done in South Africa. Must be in-country, no foreign travel. Travel within country OK. Onsite & in person acquisitions, no remote acquisition. We don’t have specific locations at this point. If anyone knows of a good outfit or contact located in South Africa, please IM me directly @ForensicDev .

ForensicDev

We have an inquiry to have forensic collections (computer & mobile) done in South Africa. Must be in-country, no foreign travel. Travel within country OK. Onsite & in person acquisitions, no remote acquisition. We don’t have specific locations at this point. If anyone knows of a good outfit or contact located in South Africa, please IM me directly @ForensicDev .

Contact Jason Jordaan. He's easy to find on Google. SANS instructor in South Africa

6:36 PM

@Jason Jordaan4N6

Hi all, We have a child sexual exploitation case with multiple victims. The platform used to get in contact was BuzzCast (previously named FaceCast). As far as I can tell this is an American company. I have tried reaching out to their support email address, but haven't gotten a response in over 3 weeks unfortunately, so I don't think that's going to happen. Is there anyone here that has experience with BuzzCast and what kind of info a warrant would return and how long the info is stored on BuzzCast servers, before we are going to walk this painstaking path? We have only a username/nickname, ID and signature/status of the contacts, and no other details. We would like to know what information we could get when we're going through the proper international legal channels. In particular we are interested in identifying information like an email address, phone number, IMEI number, IP address, as well, if possible, chat contents of this user. We suspect there are more victims we don't yet know about. Thanks for any information you might be able to provide me with.

Peacekeeper

Hi all, We have a child sexual exploitation case with multiple victims. The platform used to get in contact was BuzzCast (previously named FaceCast). As far as I can tell this is an American company. I have tried reaching out to their support email address, but haven't gotten a response in over 3 weeks unfortunately, so I don't think that's going to happen. Is there anyone here that has experience with BuzzCast and what kind of info a warrant would return and how long the info is stored on BuzzCast servers, before we are going to walk this painstaking path? We have only a username/nickname, ID and signature/status of the contacts, and no other details. We would like to know what information we could get when we're going through the proper international legal channels. In particular we are interested in identifying information like an email address, phone number, IMEI number, IP address, as well, if possible, chat contents of this user. We suspect there are more victims we don't yet know about. Thanks for any information you might be able to provide me with.

Any chance you emailed support@buzzcast.info and asked for the direct email to their legal department/counsel?

Andrew Rathbun

Any chance you emailed support@buzzcast.info and asked for the direct email to their legal department/counsel?

Hi Andrew, I have emailed that support mailaddress but unfortunately haven't gotten any response.

Peacekeeper

Hi all, We have a child sexual exploitation case with multiple victims. The platform used to get in contact was BuzzCast (previously named FaceCast). As far as I can tell this is an American company. I have tried reaching out to their support email address, but haven't gotten a response in over 3 weeks unfortunately, so I don't think that's going to happen. Is there anyone here that has experience with BuzzCast and what kind of info a warrant would return and how long the info is stored on BuzzCast servers, before we are going to walk this painstaking path? We have only a username/nickname, ID and signature/status of the contacts, and no other details. We would like to know what information we could get when we're going through the proper international legal channels. In particular we are interested in identifying information like an email address, phone number, IMEI number, IP address, as well, if possible, chat contents of this user. We suspect there are more victims we don't yet know about. Thanks for any information you might be able to provide me with.

BuzzCast is listed in the Play store as being a VPB live video streaming app. The address for VPB is 611 Wilshire Blvd #1008 Los Angeles, CA 90017. (Which is the same address the SEARCH ISP List has for the former FaceCast entry (https://www.search.org/resources/isp-list/). I found an email address for VPB of support@vpb.com and a phone number of +1-909-485-3844. Maybe try one of those?

3

1

laurenw

BuzzCast is listed in the Play store as being a VPB live video streaming app. The address for VPB is 611 Wilshire Blvd #1008 Los Angeles, CA 90017. (Which is the same address the SEARCH ISP List has for the former FaceCast entry (https://www.search.org/resources/isp-list/). I found an email address for VPB of support@vpb.com and a phone number of +1-909-485-3844. Maybe try one of those?

@Search.org to the rescue

1

Peacekeeper

Hi all, We have a child sexual exploitation case with multiple victims. The platform used to get in contact was BuzzCast (previously named FaceCast). As far as I can tell this is an American company. I have tried reaching out to their support email address, but haven't gotten a response in over 3 weeks unfortunately, so I don't think that's going to happen. Is there anyone here that has experience with BuzzCast and what kind of info a warrant would return and how long the info is stored on BuzzCast servers, before we are going to walk this painstaking path? We have only a username/nickname, ID and signature/status of the contacts, and no other details. We would like to know what information we could get when we're going through the proper international legal channels. In particular we are interested in identifying information like an email address, phone number, IMEI number, IP address, as well, if possible, chat contents of this user. We suspect there are more victims we don't yet know about. Thanks for any information you might be able to provide me with.

Because it’s a U.S. company, obviously the best way to get info from them is a request for records from a US based LEA. I see you are not US, but is there any chance one or more of the victims is in the US? If so, maybe a US LEA can partner with you, and serve legal process on buzzcast. Would be much quicker than an MLAT.

MeGaBiTe

Because it’s a U.S. company, obviously the best way to get info from them is a request for records from a US based LEA. I see you are not US, but is there any chance one or more of the victims is in the US? If so, maybe a US LEA can partner with you, and serve legal process on buzzcast. Would be much quicker than an MLAT.

Hi Megabite, So far we only know of Dutch victims, so it's probably going to be an MLAT. But since we had no experience with BuzzCast, and an MLAT is going to take time, I wanted to get some more info first.

1

Peacekeeper

Hi Megabite, So far we only know of Dutch victims, so it's probably going to be an MLAT. But since we had no experience with BuzzCast, and an MLAT is going to take time, I wanted to get some more info first.

Good luck, and don’t give up!

MeGaBiTe

Good luck, and don’t give up!

We never do, certainly not with CSA/CSE cases. Thanks for the help all! (edited)

5

Hello! anyone know of a tool that will open a SAGE Backup file?

skysafe-josh

Hello! anyone know of a tool that will open a SAGE Backup file?

As far as I was aware to review SAGE data you have to use the SAGE application

Hi everyone! I’d like to know if you can share some ways/tools to collect DFIR related data. This is our use case: there is an incident in a remote business unit. We request the team in charge of that business unit to collect relevant logs, disk images and so on and send them to the main team in charge of DFIR. What tools can be leverage to send such large files? SFTP? Next cloud? O other tools? (edited)

oareont

Hi everyone! I’d like to know if you can share some ways/tools to collect DFIR related data. This is our use case: there is an incident in a remote business unit. We request the team in charge of that business unit to collect relevant logs, disk images and so on and send them to the main team in charge of DFIR. What tools can be leverage to send such large files? SFTP? Next cloud? O other tools? (edited)

As far as collection I can recommend FTK Imager (Free) or X-ways (paid), both can make disk images and logical images (however Imager's logical images are in the AD1 format which is proprietary to Access Data). Also, x-ways, while it requires a subscription, is a full forensic suite, so it can process the images as well.

J05H

As far as I was aware to review SAGE data you have to use the SAGE application

It was quite a few years ago, but this is what we ended up doing. I vaguely recall having to deal with a SAGE licensing issue, perhaps because we were virtualizing the disk image from the finance person’s workstation.

oareont

Hi everyone! I’d like to know if you can share some ways/tools to collect DFIR related data. This is our use case: there is an incident in a remote business unit. We request the team in charge of that business unit to collect relevant logs, disk images and so on and send them to the main team in charge of DFIR. What tools can be leverage to send such large files? SFTP? Next cloud? O other tools? (edited)

What are the security requirements? Is it business sensitive data of any kind?

oareont

Hi everyone! I’d like to know if you can share some ways/tools to collect DFIR related data. This is our use case: there is an incident in a remote business unit. We request the team in charge of that business unit to collect relevant logs, disk images and so on and send them to the main team in charge of DFIR. What tools can be leverage to send such large files? SFTP? Next cloud? O other tools? (edited)

Are you geographically dispersed? Do you host any of your own infrastructure? Are you looking to host your own server/s, or are you relying on cloud resources? Any bandwidth limitations at each site?

DeeFIR 🇦🇺

Are you geographically dispersed? Do you host any of your own infrastructure? Are you looking to host your own server/s, or are you relying on cloud resources? Any bandwidth limitations at each site?

We are geographically dispersed. We have dedicated infrastructure to host any tools and we don’t have bandwidth limitations at each site. Currently what we do is that when an incident occurs in a remote geographically dispersed business unit, we request the team managing that particular business unit to collect all the necessary data and we setup a SFTP server where they can upload the collected data. I was wondering if there is a better scalable solution instead of setting up a SFTP server every time when there is an incident. (edited)

oareont

We are geographically dispersed. We have dedicated infrastructure to host any tools and we don’t have bandwidth limitations at each site. Currently what we do is that when an incident occurs in a remote geographically dispersed business unit, we request the team managing that particular business unit to collect all the necessary data and we setup a SFTP server where they can upload the collected data. I was wondering if there is a better scalable solution instead of setting up a SFTP server every time when there is an incident. (edited)

Yes. You can use kape and upload to sftp/S3 or predeploy Velociraptor. You could also use whatever edr you have but ymmv

2:07 AM

You can get a lot done without needing a disk image

Question for the US based folks: how do courts generally view screenshots of messages from smart phones in regards to validity? Thanks.

I would imagine it's all down to your documentation of how you came to possess screenshots vs a download of the device. Pictures of a cellphone screen used to be the standard before forensic software became commonplace... I still screen record on apps that are not supported by the software available to me.

3

Deleted User

Question for the US based folks: how do courts generally view screenshots of messages from smart phones in regards to validity? Thanks.

While not exactly the same, the courts seem split on this with most case law applying to screen shots of social media posts- but I can see that parallel to other digital evidence. Some courts are ok with screen shots and testimony (Texas rule) but others really frown upon it (Maryland rule). Here is a decent article addressing it in more detail https://www.jdsupra.com/legalnews/authenticating-social-media-evidence-at-33843/ (edited)

Authenticating Social Media Evidence at Trial | JD Supra

Social media is ubiquitous in our cyber-connected world. For many, the first thing a person does when they wake up, and the last thing that person...

1

oareont

We are geographically dispersed. We have dedicated infrastructure to host any tools and we don’t have bandwidth limitations at each site. Currently what we do is that when an incident occurs in a remote geographically dispersed business unit, we request the team managing that particular business unit to collect all the necessary data and we setup a SFTP server where they can upload the collected data. I was wondering if there is a better scalable solution instead of setting up a SFTP server every time when there is an incident. (edited)

What about using cloud hosted object storage? Something like MinIO if you want to host it yourself, or something else which is S3 compatible? You can use an S3 browser at each site, provide pre-signed URLs (for tools which allow them) and also user credentials for operators.

1

Need to borrow some brain power. Working an intrusion case. Victim observes computer takeover (mouse moves, opens emails, uses Windows search bar, etc.). So not the stuck mouse-button that causes random activity. We triage the system, pivoting backwards from the time the takeover was observed. We run the system through AV/AM scans - no hits. We do a DFIR triage timeline on the standard items that would show browsing, download, execution, persistence - nothing obvious either. So my question is. Assuming the observed behavior is truly a 3rd party taking control of the system. By what means can the computer be controlled remotely, not RDC since they observed the screen, if no artifacts of dropper/payload is present? Trying to figure out how this can be accomplished from an attacker's side. The system had TeamViewer installed by default for IT support, yet its logs did not show any connections that raise suspicion. Any thoughts/ideas on how this "takeover event" could have been done, would be greatly appreciated.

ForensicDev

Need to borrow some brain power. Working an intrusion case. Victim observes computer takeover (mouse moves, opens emails, uses Windows search bar, etc.). So not the stuck mouse-button that causes random activity. We triage the system, pivoting backwards from the time the takeover was observed. We run the system through AV/AM scans - no hits. We do a DFIR triage timeline on the standard items that would show browsing, download, execution, persistence - nothing obvious either. So my question is. Assuming the observed behavior is truly a 3rd party taking control of the system. By what means can the computer be controlled remotely, not RDC since they observed the screen, if no artifacts of dropper/payload is present? Trying to figure out how this can be accomplished from an attacker's side. The system had TeamViewer installed by default for IT support, yet its logs did not show any connections that raise suspicion. Any thoughts/ideas on how this "takeover event" could have been done, would be greatly appreciated.

I would get the user to go over their story again to see if it changes and then review all USB devices inserted into machine. A Rubber Ducky like device may be able to execute what you mention above. I would also review all network traffic and ports to see what was talking to what. Anecdote: experienced same issue, user filmed desktop on phone. Turned out to be internal IT staff trying to loot their machine because said user dealt with million dollar accounts. IT guy connected via something similar to TeamViewer (can’t recall exact app but it was their preferred and vetted remote access solution)

Deleted User

I would get the user to go over their story again to see if it changes and then review all USB devices inserted into machine. A Rubber Ducky like device may be able to execute what you mention above. I would also review all network traffic and ports to see what was talking to what. Anecdote: experienced same issue, user filmed desktop on phone. Turned out to be internal IT staff trying to loot their machine because said user dealt with million dollar accounts. IT guy connected via something similar to TeamViewer (can’t recall exact app but it was their preferred and vetted remote access solution)

This all happened in a hotel while the user was traveling, which makes this all a bit more of a strange situation. Will dig a bit more on the remote connection. Most of the Windows EVTX have rolled over since the incident.

ForensicDev

Need to borrow some brain power. Working an intrusion case. Victim observes computer takeover (mouse moves, opens emails, uses Windows search bar, etc.). So not the stuck mouse-button that causes random activity. We triage the system, pivoting backwards from the time the takeover was observed. We run the system through AV/AM scans - no hits. We do a DFIR triage timeline on the standard items that would show browsing, download, execution, persistence - nothing obvious either. So my question is. Assuming the observed behavior is truly a 3rd party taking control of the system. By what means can the computer be controlled remotely, not RDC since they observed the screen, if no artifacts of dropper/payload is present? Trying to figure out how this can be accomplished from an attacker's side. The system had TeamViewer installed by default for IT support, yet its logs did not show any connections that raise suspicion. Any thoughts/ideas on how this "takeover event" could have been done, would be greatly appreciated.

I just recently had something like this - there was one hit in event logs because the malware set an AV exclusion and then the rest was tracked by the AV/EDR which was limited but useful standard artifacts had all degrees of nothing

12:33 AM

id be checking for AV exclusions (evtx/registry), any logging associated with whatever AV was installed, as well as any application that provides remote access/management capability (usually youll find a couple) and then you may be out of luck if the artifacts have rolled

ForensicDev

Need to borrow some brain power. Working an intrusion case. Victim observes computer takeover (mouse moves, opens emails, uses Windows search bar, etc.). So not the stuck mouse-button that causes random activity. We triage the system, pivoting backwards from the time the takeover was observed. We run the system through AV/AM scans - no hits. We do a DFIR triage timeline on the standard items that would show browsing, download, execution, persistence - nothing obvious either. So my question is. Assuming the observed behavior is truly a 3rd party taking control of the system. By what means can the computer be controlled remotely, not RDC since they observed the screen, if no artifacts of dropper/payload is present? Trying to figure out how this can be accomplished from an attacker's side. The system had TeamViewer installed by default for IT support, yet its logs did not show any connections that raise suspicion. Any thoughts/ideas on how this "takeover event" could have been done, would be greatly appreciated.

Similar to Howard, see if anything here fits the bill https://shop.hak5.org/ . Hotel environment could be set up to farm anyone "plugged in".

Digitalferret

Similar to Howard, see if anything here fits the bill https://shop.hak5.org/ . Hotel environment could be set up to farm anyone "plugged in".

Hotel=digital Petri dish. Transparent proxy could cause issues for sure.

Deleted User

Hotel=digital Petri dish. Transparent proxy could cause issues for sure.

lol Digital petri dish

so true

3

Thanks all. Will go back and have another look. The user is an experienced and aware of cyber threats/phishing, etc. He was not even using the computer when the takeover took place and noticed the activity after walking past it in the room. He used WiFi connect. Thanks again for all the ideas.

2

My friends project if anyone wishes to contribute: https://github.com/freeload101/DIGGER

GitHub - freeload101/DIGGER: Bash Scripts to query CBR,Cloud API's ...

Bash Scripts to query CBR,Cloud API's and generally automate the IR process. - GitHub - freeload101/DIGGER: Bash Scripts to query CBR,Cloud API's and generally automate the IR process.

Original message was deleted or could not be loaded.

I’m guessing it’s android based? Try #mobile-forensic-extractions

Fierry

I’m guessing it’s android based? Try #mobile-forensic-extractions

Ah, I thought i was in right channel ^^

R3V3R53

Ah, I thought i was in right channel ^^

You’ll find that people specialized in certain topics tent to frequent certain channels

Hey folks, have a question. We have a 256Bit AES encrypted File. We know the password. How you would decrypt it? OpenSSL?

Yeah OpenSSL would be one of the go-to’s. If you want a more user friendly version, GCHQ’s CyberChef tool has AES decryption as an input https://gchq.github.io/CyberChef/

CyberChef

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

1

2

Does anyone know if Threema is worth to subpoena data for? Are they keeping anything on the server?

chauan

Does anyone know if Threema is worth to subpoena data for? Are they keeping anything on the server?

3:19 PM

Gotta love FOIA

1

Hi. I’m interested in talking with any LEOs who are doing ICAC cases, are part of a unit of four or less, and working forensic requests from surrounding agencies. I’m an LEO as well. I’m interested in hearing about your agency’s capacity and strategy used to work cases on multiple fronts. Please DM me if possible. Thanks!

Hey everyone! Glad to be here and looking forward to learning from you all (edited)

Hey all, thanks for letting me in! Sorry I got confused with the entry system, managed to work it out eventually lol

3:47 PM

Quick intro, I am Will aka BushidoToken on Twitter, I’m a CTI analyst that supports our CERT/DFIR team, in my spare time, I write blogs on https://bushidotoken.net and help run Curated Intel CTI research group https://curatedintel.org (edited)

@BushidoToken Threat Intel

CTI, threat intelligence, OSINT, malware, APT, threat hunting, threat analysis, CTF, cybersecurity, security

Curated Intelligence

You’ll love #cyber-threat-intelligence

1

3:48 PM

Also I see your stuff circulated internally at work, big props for your work

Hey thanks!

What am I missing here? Trying to have log2timeline (v.20220724) process a ZIP file that contains triage data sets. Running Ubuntu 22.04. When I run log2timeline.py timeline.plaso /path/to/my/project/data.zip it is telling me unrecognized arguments: /path/to/my/project/data.zip. The data.zip file is not password protected.

ForensicDev

What am I missing here? Trying to have log2timeline (v.20220724) process a ZIP file that contains triage data sets. Running Ubuntu 22.04. When I run log2timeline.py timeline.plaso /path/to/my/project/data.zip it is telling me unrecognized arguments: /path/to/my/project/data.zip. The data.zip file is not password protected.

Resolved: log2timeline.py --storage-file timeline.plaso /path/to/my/project/data.zip

Spoke too early. While the command line now starts the processing it seems that log2timeline does not support reading native ZIP files as a source. The error log shows: filestat unable to parse file: data.zip with error: [Errno 95] Operation not supported Just seems strange, because ZIP files seem to be supported, unless I am reading the documentation wrong. Anyone came across this?

ForensicDev

Spoke too early. While the command line now starts the processing it seems that log2timeline does not support reading native ZIP files as a source. The error log shows: filestat unable to parse file: data.zip with error: [Errno 95] Operation not supported Just seems strange, because ZIP files seem to be supported, unless I am reading the documentation wrong. Anyone came across this?

Found a workaround by mounting the ZIP file and feeding the mount point into log2timeline.

Anyone had problems when enabling psremoting on some clients that are part of a domain? Just enabled psremoting on the client and on the remote host and added them to the trustedclients on both pcs. But still I can not invoke any commands remotely neither start a powershell session on the remote host. Also winrm traffic was added on the firewall rules to be allowed.

Hey Folks! Thanks for letting me in to your community. I'm currently working in Threat Intelligence at Verizon for the DBIR and am excited to connect with folks from the DFIR and Threat Intel world. This seems like an awesome community/resource and I'm excited to learn more from y'all.

2

Are we ok to hand out invite links to colleagues?

Absolutely

TomZon

Are we ok to hand out invite links to colleagues?

It's a public server! Just make sure they read the readme

Hello Everyone, I have an other "quick question"... When your windows session is locked, do you know which process is involved when you move your mouse ? when your screen get out of your screensaver to the windows "welcome page" before you did ctrl+alt+del ?

ZetLoke77

Anyone had problems when enabling psremoting on some clients that are part of a domain? Just enabled psremoting on the client and on the remote host and added them to the trustedclients on both pcs. But still I can not invoke any commands remotely neither start a powershell session on the remote host. Also winrm traffic was added on the firewall rules to be allowed.

You could try a port scanning on 5985 or 5986 from both ends to double check that's been successfully implemented

HEYOOOOOO!!!! Congrats on the win!

1

ZetLoke77

Anyone had problems when enabling psremoting on some clients that are part of a domain? Just enabled psremoting on the client and on the remote host and added them to the trustedclients on both pcs. But still I can not invoke any commands remotely neither start a powershell session on the remote host. Also winrm traffic was added on the firewall rules to be allowed.

Just a reminder that by default only members of the local Administrators group on the target computer can connect inbound to that computer via PowerShell remoting, so that would be the first thing I’d check

ZetLoke77

Anyone had problems when enabling psremoting on some clients that are part of a domain? Just enabled psremoting on the client and on the remote host and added them to the trustedclients on both pcs. But still I can not invoke any commands remotely neither start a powershell session on the remote host. Also winrm traffic was added on the firewall rules to be allowed.

Also if you manually enable PowerShell remoting on client systems with the command ‘enable-psremoting -force’ then this will configure the WinRM service and inbound firewall rules. No need to mess with the firewall to allow WinRM traffic unless you’re enabling Remoting through Group Policy. (edited)

https://github.com/0vercl0k/CVE-2022-21971 So we have Checkpoint (NGFW) zero cloud protection thing it should detect that macro or w/e embedded into that word doco right? and in theory not let anyone download it or Clean up the file(changed hash/file size)

GitHub - 0vercl0k/CVE-2022-21971: PoC for CVE-2022-21971 "Windows R...

PoC for CVE-2022-21971 "Windows Runtime Remote Code Execution Vulnerability" - GitHub - 0vercl0k/CVE-2022-21971: PoC for CVE-2022-21971 "Windows Runtime Remote Code Execu...

https://www.checkpoint.com/downloads/products/sandblast-appliances-datasheet.pdf

I need to show whether the user had Telegram auto download enabled and don’t have access to the (Android) phone. Does anyone know where I’d find the relevant Telegram configuration info within the data extraction? Thanks @Law Enforcement [UK] (edited)

If I am writing a partial filepath, whats the best way to denote its a partial path? I wrote .\File\Path\Here\file.ext. Is that a good way to do it?

Have a case processed with Axiom, exported findings out to a portable case. Agent has over 50 keywords to search. Whenever we load the list the portable case displays fails to complete the search. Any insight as to why this happens? @Magnet Forensics

rdubu

Have a case processed with Axiom, exported findings out to a portable case. Agent has over 50 keywords to search. Whenever we load the list the portable case displays fails to complete the search. Any insight as to why this happens? @Magnet Forensics

You're adding the keyword list in for processing from the main case, right?

The agent wants to run their own keywords, so this is done on the portable case. The search starts, and after we check hours later there is a failed keyword search down on the bottom

Have any of you had a good experience (or, a bad one) trying to work with TinyURL to deal with malicious activity?

Arsenal

Have any of you had a good experience (or, a bad one) trying to work with TinyURL to deal with malicious activity?

In a private capacity, I’ve had good experiences with them when reporting malicious URLs. Clear and concise abuse notifications are actioned quickly.

1

can anyone recommend any sources besides NIST or SWGDE for model/example forensics SOPs?

2:19 PM

or dfs.dc.gov

crash

can anyone recommend any sources besides NIST or SWGDE for model/example forensics SOPs?

maybe echo in #policies-and-procedures ?

1

Original message was deleted or could not be loaded.

#mobile-forensic-extractions

Good evening looking to see if anyone has some preferred advice on mobile device forensic tools?

Which kind of devices are you expecting to examine?

fangoutbang

Good evening looking to see if anyone has some preferred advice on mobile device forensic tools?

what do you need to know

Android and IOS I believe is the target. I am being asked about options from a second hand.

Does anyone have a quick and easy way to break down large wordlists into 20 or 50mb files? To add to brute forces agents etc

Gladros

Does anyone have a quick and easy way to break down large wordlists into 20 or 50mb files? To add to brute forces agents etc

maybe try #password-encryption-cracking

1

Gladros

Does anyone have a quick and easy way to break down large wordlists into 20 or 50mb files? To add to brute forces agents etc

Have a look at “man split” on your Linux box. Breaks down files into smaller ones defined by line count.

Deleted User

Have a look at “man split” on your Linux box. Breaks down files into smaller ones defined by line count.

Legend - thanks!

1

Hi Everyone, I was just searching for info on CMMAssets in IOS file systems, any information will be much appreciated. Thank you

usermobiles

Hi Everyone, I was just searching for info on CMMAssets in IOS file systems, any information will be much appreciated. Thank you

#mobile-forensic-decoding

1

@ScottKjr3347 wondering if you had any info regarding CMM assets? Many thanks

Yes they are called Cloud Master Moments in Photos.sqlite. They are also called iCloud Share links. I recently posted a specific query for these artifacts on my GitHub I would have posted the specific query for you here but you didn’t mention an iOS version. https://github.com/ScottKjr3347/iOS_Photos.sqlite_Queries/tree/main Information can be found in other artifacts depending on how the link was shared. I believe @cScottVance#0659 is currently working on that aspect of iCloud links in messages. There is some information about them in my Photos.sqlite documentation blog if you search for Cmm you should find the documentation also if you look around Figure #18 there should be an example video I’ll be updating the specific query for these but I’m working on some related stuff and they won’t be ready for awhile. The ones posted should get you started. Dm if you have any specific questions.

GitHub - ScottKjr3347/iOS_Photos.sqlite_Queries: iOS Photos.sqlite ...

iOS Photos.sqlite queries that may help with decoding data stored in Photos.sqlite. These queries are based on testing, research and some community published research. These queries were written to...

2

rdubu

The agent wants to run their own keywords, so this is done on the portable case. The search starts, and after we check hours later there is a failed keyword search down on the bottom

Is it possible to run a keyword search within the portable case environment? I would like to think - Yes. It would be the same as automating repeat-single-keyword searches. Is the list in a plain txt file?

Yes its a plain .txt file

ScottKjr3347

Yes they are called Cloud Master Moments in Photos.sqlite. They are also called iCloud Share links. I recently posted a specific query for these artifacts on my GitHub I would have posted the specific query for you here but you didn’t mention an iOS version. https://github.com/ScottKjr3347/iOS_Photos.sqlite_Queries/tree/main Information can be found in other artifacts depending on how the link was shared. I believe @cScottVance#0659 is currently working on that aspect of iCloud links in messages. There is some information about them in my Photos.sqlite documentation blog if you search for Cmm you should find the documentation also if you look around Figure #18 there should be an example video I’ll be updating the specific query for these but I’m working on some related stuff and they won’t be ready for awhile. The ones posted should get you started. Dm if you have any specific questions.

Just for full clarity, today I’ve been asked the same questions almost verbatim by a few different people, so in fairness I won’t be answering questions about CMM via private messages. If you have a question please feel free to post it to the #mobile-forensic-decoding channel and I’ll do my best to answer. (edited)

2

Deleted User

Have a look at “man split” on your Linux box. Breaks down files into smaller ones defined by line count.

my mind. when i read "man split" .. sorry, i'll see myself out

Edit: possibly NSFW - BORДT (edited)

SPOILER

2

Digitalferret

my mind. when i read "man split" .. sorry, i'll see myself out

Edit: possibly NSFW - BORДT (edited)

Thank you for the <spoiler> tags!

2

OllieD

Thank you for the <spoiler> tags!

~~wasn't sure if it was NSFW - can add if needed~~ (edited)

2

Andrew Rathbun pinned a message to this channel. 8/18/2022 4:46 PM

ScottKjr3347

Just for full clarity, today I’ve been asked the same questions almost verbatim by a few different people, so in fairness I won’t be answering questions about CMM via private messages. If you have a question please feel free to post it to the #mobile-forensic-decoding channel and I’ll do my best to answer. (edited)

Thanks for helping out as always

A friend of mine is looking for a mobile forensics analyst(image acquisition and analysis). The role is in one of big IT companies. The office is located in Virginia. If you are interested or know someone, please let me know.

So I have a file system location I've not seen before and I was wonder if anyone is able to confirm what it is related to/used for? com.sec.android.app.sbrowser\files\images\share-images I know its related to the Samsung Native Browser but not sure what the share-images folder is for? I'm currently assuming it when a user has sent an image from the browser and the handset has cached it? The location is not accessible on the handset

dfsub

A friend of mine is looking for a mobile forensics analyst(image acquisition and analysis). The role is in one of big IT companies. The office is located in Virginia. If you are interested or know someone, please let me know.

maybe echo in the mobile ~~ner~~ specialist and/or #training-education-employment subs

MD5/VFC_Aaron D

So I have a file system location I've not seen before and I was wonder if anyone is able to confirm what it is related to/used for? com.sec.android.app.sbrowser\files\images\share-images I know its related to the Samsung Native Browser but not sure what the share-images folder is for? I'm currently assuming it when a user has sent an image from the browser and the handset has cached it? The location is not accessible on the handset

similarly, maybe worth hitting the Mobile subs too? #mobile<xxxx>

@Digitalferret read my mind on both of these. Thank you for saving me the effort

Andrew Rathbun

@Digitalferret read my mind on both of these. Thank you for saving me the effort

all good, bud. Full Turing disclosure, i am not a bot, and i do actually have a life outside of the ~~matrix~~ this Discord server

1

Digitalferret

all good, bud. Full Turing disclosure, i am not a bot, and i do actually have a life outside of the ~~matrix~~ this Discord server

I try to as well haha

Hello! I don't know if this is the right place.

8:24 AM

I am looking for the search warrant for : https://www.justice.gov/usao-sdca/pr/russian-botnet-disrupted-international-cyber-operation

Russian Botnet Disrupted in International Cyber Operation

8:25 AM

(rsocks malicious reverse proxies)

8:25 AM

It has been unclassified but since I am Canadian, I can't access it on the justice.gov system

8:25 AM

Let me know if this is the right place and someone can help

SynneR

Hello! I don't know if this is the right place.

Search Warrant affidavits are usually not made public. Just because it’s unclassified does not mean it wasn’t sealed by a court. “Sealed” prevents disclosure. Your best chance at finding it (if it’s not sealed) is using a US court records account like Pacer.

Thanks!

9:26 AM

it is on pacer.

2

9:27 AM

But I cant access it from Canada.

SynneR

But I cant access it from Canada.

Is that based on IP? If so, VPN might work?

Andrew Rathbun

Is that based on IP? If so, VPN might work?

It is based on the credit card location

SynneR

It is based on the credit card location

Can you buy a U.S. based preloaded credit card and use that?

1

Cole

If I am writing a partial filepath, whats the best way to denote its a partial path? I wrote .\File\Path\Here\file.ext. Is that a good way to do it?

I do a similar thing, but use an ellipsis: ... \File\Path\Here\file.ext

SynneR

It is based on the credit card location

You can send them a money order or cheque, you can get a US money order at any Canadian bank xD

8:18 PM

Also Visa usually is international, maybe send them an email to see if they accept it.

Anyone here knows if subsriber numbers from at&t phone numbers (last 4 digits of a phone number) are geographically bound?

3:05 AM

I am not from the US, but I am researching a phone number that is used by a developer of stealer malware

I think the last 4 numbers are generally randomized and not tied to a geographical domain. At the very least, the area code is probably what you'd care about most. For instance, the area code of my phone number that was assigned to me like 20 years ago resolves back to where I grew up aka where I lived at the time I got the phone number.

Any have a list of Splunk queries that you typically use in your investigations? For example, when looking for lateral movement, persistence, code execution .

anyone has some good news articles / reports about dawn raid related fines received when the raided company wasnt technically able to comply with the demands of the dawn raid due to lack of enough IT support or remarkable cases where companies had internal investigations going on but failes to provide the right evidence due to a lack of in house forensic support / too late involvement of externals?

Hey. is there any way at all to attempt recovery of VMWare files that got conti'ed?

@malrker do you have more information? Was a wiper used?

Andrew Rathbun

I think the last 4 numbers are generally randomized and not tied to a geographical domain. At the very least, the area code is probably what you'd care about most. For instance, the area code of my phone number that was assigned to me like 20 years ago resolves back to where I grew up aka where I lived at the time I got the phone number.

I see, can I find somewhere when a phonenumber was handed out?

1:48 AM

Btw the combination of the first six numbers of the phone number is only found for three places in Oxford Mississippi, which are all in the west of the city, hence my question about geographical boundries

1:48 AM

Here is more context @Andrew Rathbun https://twitter.com/kladblokje_88/status/1561333018983292929?t=Z4m5ZM9lautt0ZMKLtG_yA&s=19

kladblokje_88 (@kladblokje_88)

AT&T, probably West Oxford, but dont know who is the owner of subscription 2379 @ATTPolicyMS

kladblokje_88

Btw the combination of the first six numbers of the phone number is only found for three places in Oxford Mississippi, which are all in the west of the city, hence my question about geographical boundries

Their IP address is Googles recursive name server??? Run the number through PhoneInfoga but at a guess I would say this is a VOIP number. That’s usually the MO.

1

Deleted User

Their IP address is Googles recursive name server??? Run the number through PhoneInfoga but at a guess I would say this is a VOIP number. That’s usually the MO.

Its landline

1

3:07 AM

That google part is funny indeed

3:07 AM

Could be dummy data, could be opsec failure. Idk for sure

@Magnet Forensics is there a way to DELETE the keywords I have used in a case when creating a new portable case? Once I export it, the keywords come with the case and I can't have it like that.

trillian

@Magnet Forensics is there a way to DELETE the keywords I have used in a case when creating a new portable case? Once I export it, the keywords come with the case and I can't have it like that.

Unfortunately, not in portable case. Once you've added keywords they are part of the case database.

chriscone_ar

Unfortunately, not in portable case. Once you've added keywords they are part of the case database.

Thank you for the quick answer!

trillian

Thank you for the quick answer!

Happy to help!

kladblokje_88

Btw the combination of the first six numbers of the phone number is only found for three places in Oxford Mississippi, which are all in the west of the city, hence my question about geographical boundries

You were born after cellphones became the norm I take it? But yes, the area code is state specific. The next three digits, the exchange code, are smaller locations in the area code. Depending on the the size and amount of users, a city may have one or more exchange codes. With moving away from land lines to cellphones, you can carry the number with you anywhere. And the carrier can pick from a pool of numbers that are not in your city. With that said. If the person got a cellphone, has never moved, and the telephone company has not added any area or exchange codes, you might be close to their location.

4

Beercow

You were born after cellphones became the norm I take it? But yes, the area code is state specific. The next three digits, the exchange code, are smaller locations in the area code. Depending on the the size and amount of users, a city may have one or more exchange codes. With moving away from land lines to cellphones, you can carry the number with you anywhere. And the carrier can pick from a pool of numbers that are not in your city. With that said. If the person got a cellphone, has never moved, and the telephone company has not added any area or exchange codes, you might be close to their location.

I was born in 2001, had a phone at home for pretty much my entire life. Got a mobile phone when I was 12, which was a Samsung E1272. First smartphone was an HTC Desire C when I went to high school at 13. I am sorry I am not old xD

7:31 AM

I was aware of most of it indeed

7:32 AM

Had already plundered the numbering plan

kladblokje_88

I was born in 2001, had a phone at home for pretty much my entire life. Got a mobile phone when I was 12, which was a Samsung E1272. First smartphone was an HTC Desire C when I went to high school at 13. I am sorry I am not old xD

You calling me old?

All good, just figured you were more familiar with cellphones by the question.

Beercow

You calling me old?

All good, just figured you were more familiar with cellphones by the question.

are you old? makes me less wrong for calling it out xDDDDD

kladblokje_88

are you old? makes me less wrong for calling it out xDDDDD

If 43 is old.

‍♂️

Nah ur not stone age old, you are twice my age sure. But you keep up with the young folks

Little off topic for DFIR. Anyone have a party line growing up?

Anyone from @Magnet Forensics available? Not a technical question but contact need in a hurry.

Ghosted

Anyone from @Magnet Forensics available? Not a technical question but contact need in a hurry.

How can I help?

Ghosted

Anyone from @Magnet Forensics available? Not a technical question but contact need in a hurry.

Also available if you need help

Beercow

Little off topic for DFIR. Anyone have a party line growing up?

Lol you never called those did ya?

Beercow

Little off topic for DFIR. Anyone have a party line growing up?

party as in BT / UK. 2 callers sharing 1 bit of copper? (lol, not PartyParteh)

2:26 PM

yeh, i am that ancient

ryd3v

Lol you never called those did ya?

I don’t think we’re talking about the same thing.

1

ah right. over here there ended up with more callers than the phone lines could cope with, so the get-by was pairing your line with the neighbour. if they were on and you picked up, you had full access to their convo, inc saying "wups, sorry" before hanging up

2:29 PM

talikng like 70s/80s

Beercow

I don’t think we’re talking about the same thing.

what did you mean by Party?

Digitalferret

what did you mean by Party?

Phone would ring at multiple houses because they were all on the same line.

yeh, thats the thing

2:32 PM

but i think with us, your number only made your own ring, but there was usually a brief tinkle to be heard. (i think) on the neighbours

I was thinking more like

2:34 PM

2:35 PM

Call now, only $22.99 per min

2:35 PM

Lol

On android, Anyone know if the primary key for messaging gets reset when you restore a new phone from an old one. In other words can I tell if a message has been deleted from the old phone once the data is restored to a new phone?

OregonDFIR

On android, Anyone know if the primary key for messaging gets reset when you restore a new phone from an old one. In other words can I tell if a message has been deleted from the old phone once the data is restored to a new phone?

#mobile-forensic-decoding

mentioned the DFIR book on my Twitch stream tonight... Bought a copy and am looking forward to going through it for the malware analysis portions.

3

Excuse me for doubling up on this post but I figured it would be relevant here as well: Anyone recently ran into very convincing iPhone 13 Pro Max fakes? Just had one cross my desk with no apparent way to extract - Thinks its a removable USB drive in device manager, and both UFED Console and XRY can't detect it. Any insights?

Hello, i'm trying to import a raw (dd) image into Axiom Process. Unfortunately the image is on a read only storage and has no file extension. Axiom throws a "unsupported format" error, I think because the missing file extension as identifier. Is there a way to say "open this file as raw image"? I would like to avoid copying the images from the read only storage to rename them.

@Magnet Forensics anyone available to grant a trial license on short notice?

Fierry

@Magnet Forensics anyone available to grant a trial license on short notice?

I should be able to help with that

Can I DM you for some details on what you're looking for?

Caveira

Hello, i'm trying to import a raw (dd) image into Axiom Process. Unfortunately the image is on a read only storage and has no file extension. Axiom throws a "unsupported format" error, I think because the missing file extension as identifier. Is there a way to say "open this file as raw image"? I would like to avoid copying the images from the read only storage to rename them.

Just saw this - in Axiom Process have you changed the "Select the image" drop-down menu from "All Support Images" to "All Files"? And if so, that's when you're seeing the unsupported format error?

I set the filter to all files to see the image file in the file browser. But when I select the image to add this to the case it says unsupported format (my guess is that the format is chosen by the extension) (edited)

Caveira

I set the filter to all files to see the image file in the file browser. But when I select the image to add this to the case it says unsupported format (my guess is that the format is chosen by the extension) (edited)

Let me DM you and we'll see if we can't figure out what the problem is.

On a Win10 machine is there a good way to audit when a Network Interface's static IP was set or changed?

12:05 PM

I would figure this info would be in the event log somewhere but having the darndest time figuring it out

FX_Tymills

On a Win10 machine is there a good way to audit when a Network Interface's static IP was set or changed?

https://github.com/EricZimmerman/RECmd/blob/e3f5b24485eebc3c623f696019e9f5a676b6c5db/BatchExamples/Kroll_Batch.reb#L1042 try here. Check the last write timestamp. Also, if its domain joined, check a domain controller that has the Active Directory Domain Services (ADDS) role assigned and view the DnsInfo table for historical IP resolution

RECmd/Kroll_Batch.reb at e3f5b24485eebc3c623f696019e9f5a676b6c5db ·...

Command line access to the Registry. Contribute to EricZimmerman/RECmd development by creating an account on GitHub.

1

it is not domain joined but thanks for the info I will check that out (edited)

Do 12th gen intel CPUs play nicely with forensic software? Possibly moving away from Xeons and going high end desktop.

They play best with Windows 11 from what I know due to the custom scheduler for those CPUs...

In other words, if the forensics software is compatible with Windows 11, it should hopefully work - but it's not a guarantee. The main thing I've heard of having problems is around virtualization use cases, though, with both HyperV and VMWare. There are some reports that users have to turn off the efficiency cores for HyperV to work, or for VMWare to resort to manually editing configuration files to be able to utilize some cores. I've not tested. Another thing to keep in mind is that AMD's current 5000 series, and their upcoming 7000 series, still does not utilize the new BIG.little architecture, which is where most of the problems seem to come up around compatibility (i.e. AMD should in theory work 'better' for virtualization scenarios). However, rumor is that the 7000 series has been delayed due to some firmware issues around PCIe5 support, but should still launch by the end of September. Also, keep in mind Intel's 13th gen processors are supposed to release next month as well, though that will be more of an iterative release from the drastic changes in their 12th gen architecture. (edited)

This will be AMD's last big release before they, too, switch to BIG.little, according to their roadmap.

Good morning, im looking for methods and tools that can be used to examine an Amazon echo show, now tv stick and ring cameras (door bell and stick up cam) chip off could be an option on the echo show but looking for none destructive methods first. We aren’t able to access the cloud accounts to pull down the data. Can anyone help?

I made a cable (USB<->SERIAL) and connected it to the TKSTAR TK-905 GPS Tracker. After inserting the SIM card (turning on the device) I get only Bootloader information through Putty. Maybe someone has more experience and knows if it is possible to get additional information, IMEI, device configuration settings, etc. Video from my test https://youtu.be/_HhW97Owf5U

can we image a bitlocker enc HDD?

Sea9

In other words, if the forensics software is compatible with Windows 11, it should hopefully work - but it's not a guarantee. The main thing I've heard of having problems is around virtualization use cases, though, with both HyperV and VMWare. There are some reports that users have to turn off the efficiency cores for HyperV to work, or for VMWare to resort to manually editing configuration files to be able to utilize some cores. I've not tested. Another thing to keep in mind is that AMD's current 5000 series, and their upcoming 7000 series, still does not utilize the new BIG.little architecture, which is where most of the problems seem to come up around compatibility (i.e. AMD should in theory work 'better' for virtualization scenarios). However, rumor is that the 7000 series has been delayed due to some firmware issues around PCIe5 support, but should still launch by the end of September. Also, keep in mind Intel's 13th gen processors are supposed to release next month as well, though that will be more of an iterative release from the drastic changes in their 12th gen architecture. (edited)

Thanks! Due to contracts we're forced to buy HP, and they only sell Intel CPUs right now. Think its worth waiting a month or so and see if we can get a 13th gen? Also, we have to run Windows 10, so what kind of problems could we expect with that?

@chreswenn #dvr-multimedia-surveillance (edited)

my bad, sry

8:35 AM

done

Doofenshmirtz

can we image a bitlocker enc HDD?

You can image it, but without the key it will be gibberish. If the system is turned on, you can do a logical image, or export the recovery key, then get a physical image.

Cole

Thanks! Due to contracts we're forced to buy HP, and they only sell Intel CPUs right now. Think its worth waiting a month or so and see if we can get a 13th gen? Also, we have to run Windows 10, so what kind of problems could we expect with that?

If there is a representative at HP that your department or organization works with, you might be able to reach out to them to see if they know when workstations or desktop product lines with 13th generation Intel CPUs will be available. It's just a pure guess on my part, but I would not expect them to be available before November, even if they release some product lines with the new parts quickly. Not to mention organizations tend to evaluate and negotiate to approve new systems, which can be a very, very long process (over a year at one company that I worked for)... so if you have a need for a new system in a time-frame like a month or two, it almost definitely does not make sense to wait. Intel's 12th gen processors will 'work' on Windows 10, but users won't be able to recognize the full benefit of the new architecture providing separate performance (P) and efficiency (E) cores. Windows 10 unfortunately does not fully support Intel's 'Thread Director', which was introduced to help handle the additional scheduling considerations that come with having separate P and E cores. Testers have verified that Windows 10 does sometimes allocate intensive or high-priority tasks to E cores, which can sporadically impact performance when compared to Windows 11. This becomes more noticeable if you are running multiple applications at a time. A Windows 10 system with Intel 12th gen processors may expect to see approximately a 15-20% performance hit in these cases (if encountered) when compared with Windows 11. There is somewhat of a workaround that users can use for heavily-used processor-intensive applications, since you can still pin those processes to P cores. That helps to prevent those applications from slowing down, but it's obviously not a magic bullet, as any new threads do not always inherit the affinity set by the parent (though child processes should), and it's simply unrealistic for users to apply this to every intensive process all the time.

Sea9

If there is a representative at HP that your department or organization works with, you might be able to reach out to them to see if they know when workstations or desktop product lines with 13th generation Intel CPUs will be available. It's just a pure guess on my part, but I would not expect them to be available before November, even if they release some product lines with the new parts quickly. Not to mention organizations tend to evaluate and negotiate to approve new systems, which can be a very, very long process (over a year at one company that I worked for)... so if you have a need for a new system in a time-frame like a month or two, it almost definitely does not make sense to wait. Intel's 12th gen processors will 'work' on Windows 10, but users won't be able to recognize the full benefit of the new architecture providing separate performance (P) and efficiency (E) cores. Windows 10 unfortunately does not fully support Intel's 'Thread Director', which was introduced to help handle the additional scheduling considerations that come with having separate P and E cores. Testers have verified that Windows 10 does sometimes allocate intensive or high-priority tasks to E cores, which can sporadically impact performance when compared to Windows 11. This becomes more noticeable if you are running multiple applications at a time. A Windows 10 system with Intel 12th gen processors may expect to see approximately a 15-20% performance hit in these cases (if encountered) when compared with Windows 11. There is somewhat of a workaround that users can use for heavily-used processor-intensive applications, since you can still pin those processes to P cores. That helps to prevent those applications from slowing down, but it's obviously not a magic bullet, as any new threads do not always inherit the affinity set by the parent (though child processes should), and it's simply unrealistic for users to apply this to every intensive process all the time.

Awesome thank you! We're planning on purchasing one desktop for a forensic workstation to test the i9 CPUs in comparison to Xeons. Significantly cheaper and in my research most of the programs in forensics benefit from fewer, faster cores, than more, slower cores. It'll be a test workstation to run benchmarks on and see if it is good enough to upgrade more workstations down the road. I'm guessing the scheduler won't be a major issue for our workload (especially if each E core is faster than a single Xeon core), but I can see how it certainly could be a problem for other applications, eg. gaming.

Hello all Which forensic products have inbuilt computer vision/object detection capabilities? Also, what keywords should I use to find papers around this topic? I’ve been trying since past few months but haven’t been able to find many papers. Please advise

custard

Hello all Which forensic products have inbuilt computer vision/object detection capabilities? Also, what keywords should I use to find papers around this topic? I’ve been trying since past few months but haven’t been able to find many papers. Please advise

As a starter since group members will have even more: Tsurugi Linux distro has several OCR tools as well as facial recognition. https://tsurugi-linux.org/

Tsurugi Linux | Digital Forensics, Osint and malware analysis Linux...

Welcome to TSURUGI Linux world a DFIR open source distribution to perform your digital forensics analysis and for educational pourposes

1

Deleted User

As a starter since group members will have even more: Tsurugi Linux distro has several OCR tools as well as facial recognition. https://tsurugi-linux.org/

I see, will look into it

Doofenshmirtz

can we image a bitlocker enc HDD?

Just be careful if its a machine using TMP there is the potential to trip BitLocker recovery Mode. Its up to you but it may be wiser to power on the device and get the recovery key first. You will need logon credentials though.

Cole

You can image it, but without the key it will be gibberish. If the system is turned on, you can do a logical image, or export the recovery key, then get a physical image.

Also, if you get the physical@image first it will acquire all the data, preserving it. You can then use the recovery key to decrypt the image in tools such as Pass-ware and axiom

1

Ryan-G

Also, if you get the physical@image first it will acquire all the data, preserving it. You can then use the recovery key to decrypt the image in tools such as Pass-ware and axiom

Axiom will decrypt the image and put a decrypted file in the case folder, that can be then be opened in tools that don't support decryption like X-Ways.

Majeeko

Axiom will decrypt the image and put a decrypted file in the case folder, that can be then be opened in tools that don't support decryption like X-Ways.

That’s right, I’ve got one running at the moment.

custard

Hello all Which forensic products have inbuilt computer vision/object detection capabilities? Also, what keywords should I use to find papers around this topic? I’ve been trying since past few months but haven’t been able to find many papers. Please advise

A lot of categorisation software has this sort of thing built in as a feature. Have a look at semantics 21 and griffeye. Also, ADF pro has a classifier feature that runs after a scan.

1

Ryan-G

A lot of categorisation software has this sort of thing built in as a feature. Have a look at semantics 21 and griffeye. Also, ADF pro has a classifier feature that runs after a scan.

Will look into them

Anyone have a good contact RE swatting investigations? I saw some earlier (2019) posts about FBI being a good place to start but maybe in the last 3 years someone new has emerged as an expert

Hello all, I was looking into setting up Magnet Review for my department to aid in getting evidence to detectives faster but I can't afford the setup cost. Does anyone have advice on a in house alternative for sharing of portable cases?

@Magnet Forensics does Axiom support cli? I haven't found any info other than older versions of IEF having supported it. If so is there any documentation I can reference? I'm trying to automate some workflows.

Base AXIOM does not have CLI, for CLI you need the Automate product.

Has anyone recently been on instructor-led Cellebrite CPO and CPA course?

Pacman

Has anyone recently been on instructor-led Cellebrite CPO and CPA course?

We're doing some huge overhauls of our courses, including CASA

Pacman

Has anyone recently been on instructor-led Cellebrite CPO and CPA course?

Chance of training for you? Long overdue

Matt

Chance of training for you? Long overdue

hurhurhur had some questions about it - done mine about 5 years ago lol

Pacman

hurhurhur had some questions about it - done mine about 5 years ago lol

Time for a refresher

Does anyone know if WhatsApp messages are retained on WhatsApp desktop installations? It’s a Windows 7 PC, WhatsApp 0.3.4679 I have located some databases just waiting to in-jest them into an SQL viewer.

Anyone available to give me a DM about a rough cost for @Magnet Forensics Review. I have a message into my sales, but I got a late night notification I have some

to spend and working on a request doc that’s needed in the morning?

Yep I’ve got ya

1

So how popular is Autopsy Digital Forensics oppose to paid stuff like Encase and XWays?

Is anyone willing to share the core skill set a junior staff vs a senior staff in digital forensics should have ?

5:27 PM

I have a general list but looking to see if I can update or move around the skillset to the appropriate section

Odysseus

So how popular is Autopsy Digital Forensics oppose to paid stuff like Encase and XWays?

I think i'ts good backup and an analyst should be familiar with it

12:54 AM

It post processes Windows hosts quite well and is extensible to a degree

Jay528

Is anyone willing to share the core skill set a junior staff vs a senior staff in digital forensics should have ?

Can you share the list so I can elaborate?

(edited)

custard

Hello all Which forensic products have inbuilt computer vision/object detection capabilities? Also, what keywords should I use to find papers around this topic? I’ve been trying since past few months but haven’t been able to find many papers. Please advise

The semantics21 LASERi-X product has a document detection for passports, credit card, forms. Along with facial, object, scene, OCR, QR, CSAM. You can also search for any similar object you feed into the search.

2

Semantics 21 (Tom)

The semantics21 LASERi-X product has a document detection for passports, credit card, forms. Along with facial, object, scene, OCR, QR, CSAM. You can also search for any similar object you feed into the search.

Thanks! These features will be really helpful

9:33 AM

@Fierry - this is what I have so far

1

I'll send you a Pm as to not clog this channel

Is there a macOS forensic channel?

Kadesu-か

Is there a macOS forensic channel?

Not specifically. You can post in #computer-forensics

Is there a way to access an Android phone's contents without a password? A colleague's son died suddenly and his family would like to get information off of his Android phone (for memory purposes, not for any criminal investigation). Any suggestions appreciated.

seattleebm

Is there a way to access an Android phone's contents without a password? A colleague's son died suddenly and his family would like to get information off of his Android phone (for memory purposes, not for any criminal investigation). Any suggestions appreciated.

what model phone and tools do you have available? also what type of passcode? (edited)

seattleebm

Is there a way to access an Android phone's contents without a password? A colleague's son died suddenly and his family would like to get information off of his Android phone (for memory purposes, not for any criminal investigation). Any suggestions appreciated.

Usually depends on the device. Maybe mention state or location, there might be someone from the private sector that can assist you/the family.

Jay528

Click to see attachment 🖼️

Seems like the jr gotta know more than the senior xD

1

custard

Hello all Which forensic products have inbuilt computer vision/object detection capabilities? Also, what keywords should I use to find papers around this topic? I’ve been trying since past few months but haven’t been able to find many papers. Please advise

X-Ways Forensics, starting with 20.5, has an add-on module called Excire PhotoAI. https://www.x-ways.net/excire.html

1

Anyone able to help me with aws on how to create an ec2

John Ksi

Anyone able to help me with aws on how to create an ec2

Anything in particular? This guide should get you 90% of the way https://www.guru99.com/creating-amazon-ec2-instance.html

How to Create EC2 Instance in AWS: Step by Step Tutorial

An EC2 instance is nothing but a virtual server in Amazon Web Services terminology. It stands for Elastic Compute Cloud. It is a web service where an AWS subscriber can request and provision a compute

derekeiri

X-Ways Forensics, starting with 20.5, has an add-on module called Excire PhotoAI. https://www.x-ways.net/excire.html

Hi - if you are on LinkedIn please see my post on Excire PhotoAI or please see video on X-Ways YouTube channel. https://www.linkedin.com/posts/jim-metcalfe_xways-xwaysforensics-forensics-activity-6956255680718594048-tPBN?utm_source=share&utm_medium=member_desktop

Jim Metcalfe on LinkedIn: Identifying Objects in Pictures using X-...

Please see my article on Identifying Objects in Pictures with X-Ways Forensics and Excire PhotoAI. #xways #xwaysforensics #forensics #ExcirePhotoAI #photography...

1

UFED PA found gps coordinates in a dump of an iPhone 12 pro. The source file is com.google.Maps.plist and the description in PA is "Last Viewed Place". I need to verify if the device was actually at this location but I don't have a lot to go on. Has anybody done research on this subject? We don't have cellular history of this device so that's a dead end.

Sockmoth

UFED PA found gps coordinates in a dump of an iPhone 12 pro. The source file is com.google.Maps.plist and the description in PA is "Last Viewed Place". I need to verify if the device was actually at this location but I don't have a lot to go on. Has anybody done research on this subject? We don't have cellular history of this device so that's a dead end.

Check #mobile-forensic-decoding

Has anyone attempted an extraction while lockdown mode is enabled on iOS 16 beta? I have tried it using cellebrite and BFU it says that the USB accessory is disabled. After unlocking though, I'm able to proceed as normal. Can anyone else running iOS 16 beta confirm this? (edited)

Have you also confirmed this on beta 8? It might be the final beta which. might be used as the RC

Sockmoth

UFED PA found gps coordinates in a dump of an iPhone 12 pro. The source file is com.google.Maps.plist and the description in PA is "Last Viewed Place". I need to verify if the device was actually at this location but I don't have a lot to go on. Has anybody done research on this subject? We don't have cellular history of this device so that's a dead end.

https://cellebrite.com/en/episode-17-i-beg-to-dfir-was-it-actually-there-location-education-on-ios-and-android/ Check out this webinar.

I Beg to DFIR – Was it actually there? Location education on iOS an...

Aired: November 30, 2021 Duration: 1 hour Download our Location Cheat Sheet here Let’s be honest and agree that locations on mobile devices can be a nightmare. How do we know what we can trust? What are the ways to validate the artifact and most importantly, what if a location on the device is the only … Continue reading "I Beg to DFIR – Was it ...

thatboy_leo

what model phone and tools do you have available? also what type of passcode? (edited)

I got information on the make and model. It's actually an LG V35 ThinQ. I believe the phone is in Illinois.

seattleebm

I got information on the make and model. It's actually an LG V35 ThinQ. I believe the phone is in Illinois.

Depending on the Android OS and SPL, LockPick with UFED could work and allow you to get a FFS extraction with Qualcomm Live.

Curious if anyone has tried this out. Thoughts/feedback. https://cybercentrecanada.github.io/assemblyline4_docs/

I made a little thing with midjourney

4:21 PM

https://twitter.com/kladblokje_88/status/1564754661961306113?t=Ew6stO35tFsQpL7VOCy0rg&s=19

4:21 PM

I have a question about a procedure. We have found a Word file which can no longer be opened. The file was read into X-Ways and Axiom and still no content could be extracted. We tried to manually zip the file once to get to the Document.XML to view the content. The file can be zipped but not unzipped. Does anyone here have a tip on how else we can get to the content?

Hey fellow cyber sec experts I have a question can one be able to track a stolen phone and how can it be done cause I am from being robbed and they took my phone it has all my business contacts please I need you help

root

Hey fellow cyber sec experts I have a question can one be able to track a stolen phone and how can it be done cause I am from being robbed and they took my phone it has all my business contacts please I need you help

Were none of those contacts stored in the cloud like Google Contacts or whatever Apple has (not an

person myself)?

Andrew Rathbun

Were none of those contacts stored in the cloud like Google Contacts or whatever Apple has (not an

person myself)?

Nope not at all and to make the matter worse I have three clients today that I had to contact so now I can't even complete my orders am stuck

Anyone at @Magnet Forensics able to provide me with a trial licence for the MCFE assessment?

I can do that, DM me an email address and I’ll be happy to forward you one.

root

Hey fellow cyber sec experts I have a question can one be able to track a stolen phone and how can it be done cause I am from being robbed and they took my phone it has all my business contacts please I need you help

iPhones have the "find my" feature if you enable it, otherwise you will probably need the good graces of a law enforcement agency or the cell provider in order to track it. If that doesn't help and you want to be petty you can have the IMEI blacklisted (if you know it) so it cannot connect to towers, rendering the phone a bit useless.

1

root

Hey fellow cyber sec experts I have a question can one be able to track a stolen phone and how can it be done cause I am from being robbed and they took my phone it has all my business contacts please I need you help

If its an android phone, google has a platform where you can log in to the google account of your phone and if connected to the internet you can find its approximate location: https://www.google.com/android/find?u=0 (edited)

Fierry

Have you also confirmed this on beta 8? It might be the final beta which. might be used as the RC

it was beta 7.

Beercow

Curious if anyone has tried this out. Thoughts/feedback. https://cybercentrecanada.github.io/assemblyline4_docs/

It’s a good start but I prefer strekla or laikaboss over it, Strekla’s built into security onion now and LB has had some updates

Beercow

Curious if anyone has tried this out. Thoughts/feedback. https://cybercentrecanada.github.io/assemblyline4_docs/

I have not used or seen it in action. But I can speak for the people behind it. Our national CERT team and a very good group of people.

quick question about log file parsing: what tools are you usually using to perform log file parsing? especially if it contains data (e. g. urls) that have a high chance to just break the loading process due to having the same special characters as the delimiters

.yuzumi.

quick question about log file parsing: what tools are you usually using to perform log file parsing? especially if it contains data (e. g. urls) that have a high chance to just break the loading process due to having the same special characters as the delimiters

https://www.logviewplus.com/ Give this a shot. Might work out well for you

Realtime Log Viewer

Professional log viewer that can parse files in a variety of different formats.

open source tools for MAC os parsing? like we have eric zimmerman tools, alternative equivalent to MAC

Doofenshmirtz

open source tools for MAC os parsing? like we have eric zimmerman tools, alternative equivalent to MAC

Yogeshs macapt is probably the closest all in one

1

+1 for mac_apt

1:12 AM

Macs are notoriously painful for examination. I know that Axiom does lots of automatic parsing but it will cost you

1

Hi all, Would someone have some recommendations for Linux Forensics courses (preferably with certifications but course quality is more important). (I talk about Forensics for Linux workstations, not forensics with a Linux as analysis computer)

Vergas

Hi all, Would someone have some recommendations for Linux Forensics courses (preferably with certifications but course quality is more important). (I talk about Forensics for Linux workstations, not forensics with a Linux as analysis computer)

Hi Vergas, I found the Certified Linux Forensic Practitioner course by 7Safe to be quite informative (https://www.7safe.com/our-courses/certified-digital-forensics-courses/details/clfp-linux-forensic-investigation) and would recommend this

1

1

Anyone got any experience with successfully processing an Xbox Series X SSD for artifacts/videos/pictures etc? (edited)

2:50 AM

@Law Enforcement [UK] anyone got experience of the above? Thanks in advance!

3X3

@Law Enforcement [UK] anyone got experience of the above? Thanks in advance!

My experience with the Xbox One X found that the best tactic is for a live analysis using a video capture card. As far as I am aware there are no workarounds for ‘dead’ forensics on the new Xbox hardware

4

cdbandit

My experience with the Xbox One X found that the best tactic is for a live analysis using a video capture card. As far as I am aware there are no workarounds for ‘dead’ forensics on the new Xbox hardware

Thanks, that's our usual examination tact, just wondered if there was some magic new method, haha. Thanks bandit!

3X3

Thanks, that's our usual examination tact, just wondered if there was some magic new method, haha. Thanks bandit!

No problem

Afternoon all, is anyone able to share any solutions for digital note taking that has been implemented for when you are out on scene etc.

Artea

Afternoon all, is anyone able to share any solutions for digital note taking that has been implemented for when you are out on scene etc.

OneNote is great for this IMO

Shoutout to Aurora if you want to keep it local (for instance , due to sensitive data)

Hi Guys ! I guess this is a question that you've already answered, but I wanted to ask : what do you think of XWay forensics ? Compared to ftk Imager for exemple ? XWay seems pretty hard to get used to it

Saucisson Slicer

Hi Guys ! I guess this is a question that you've already answered, but I wanted to ask : what do you think of XWay forensics ? Compared to ftk Imager for exemple ? XWay seems pretty hard to get used to it

FTK Imager and X-Ways aren't comparable in functionality. If you're talking FTK vs X-Ways, that's more reasonable. FTK Imager is just a free imaging program and X-Ways is a forensic suite. X-Ways is great but it has a high learning curve, no doubt.

FTK Imagers free, that's one of the things going for it

6:02 AM

Its ok as an imaging tool

6:02 AM

It's ok as a viewer

6:02 AM

And I'd be sad if they stopped supporting it

6:02 AM

but....you get a lot more for your money out of xways....as long as you have the money

Andrew Rathbun

FTK Imager and X-Ways aren't comparable in functionality. If you're talking FTK vs X-Ways, that's more reasonable. FTK Imager is just a free imaging program and X-Ways is a forensic suite. X-Ways is great but it has a high learning curve, no doubt.

Yes sry I meant FTK, I typed faster than I thought

randomaccess

but....you get a lot more for your money out of xways....as long as you have the money

Well money isn't really an issue right now, since this is a company investment. Plus XWay isn't that expensive compared to other forensics solutions on the market haha

i havent used ftk so it's hard to comment on it but i think it depends on the use case i use xways on most investigations though - as with any tool need to be aware of what it does well, and what it doesnt

Saucisson Slicer

Well money isn't really an issue right now, since this is a company investment. Plus XWay isn't that expensive compared to other forensics solutions on the market haha

How many people are going to be using the tool, are they experienced forensicators or just starting out?

Artea

Afternoon all, is anyone able to share any solutions for digital note taking that has been implemented for when you are out on scene etc.

Trusted Camera and pen and paper

is how I do it atm. ISO wise I think there's a Memorandum (edited)

randomaccess

i havent used ftk so it's hard to comment on it but i think it depends on the use case i use xways on most investigations though - as with any tool need to be aware of what it does well, and what it doesnt

Oh OK, I was told the search functions are particularly good within this tool. Since you use it, do you agree ?

Fierry

How many people are going to be using the tool, are they experienced forensicators or just starting out?

Hum a low amount of people. Like 2-3. They are more used to perform pure incident response. They already ran some forensics investigations, but not too deep. Still learning a lot every time

FTK has index search, it takes a whie to build the index during ingestion but afterwards searches are nearly instant

6:32 AM

Then they might get used to X-Ways

If they were really junior I would recommend other tooling

Saucisson Slicer

Oh OK, I was told the search functions are particularly good within this tool. Since you use it, do you agree ?

Yeah xways search is great. I don't use the indexing feature that often though.

@Project VIC Is anyone available for a simple question who can DM me? (edited)

Hey there! I sent you a message

1

Fierry

Then they might get used to X-Ways

If they were really junior I would recommend other tooling

OK I see. Thank you

randomaccess

Yeah xways search is great. I don't use the indexing feature that often though.

Oh ok, thank you !

Saucisson Slicer

Hi Guys ! I guess this is a question that you've already answered, but I wanted to ask : what do you think of XWay forensics ? Compared to ftk Imager for exemple ? XWay seems pretty hard to get used to it

My opinion: xways - good for single experienced examiner who needs a fast tool with great drive level/hex level analysis. If you stick with xways you can learn to do just about anything with an image, but it is not a quick learn. (also great for live forensic as it is under a gig in size) FTK Lab - good for someone who needs to provide a platform for investigators to review material and collaborate. Bonus Axiom - great if your case revolves around internet artifacts and it also parses phone extractions. Certainly has the best interface and allows for portable cases which you can give to investigators.

Carcino

My opinion: xways - good for single experienced examiner who needs a fast tool with great drive level/hex level analysis. If you stick with xways you can learn to do just about anything with an image, but it is not a quick learn. (also great for live forensic as it is under a gig in size) FTK Lab - good for someone who needs to provide a platform for investigators to review material and collaborate. Bonus Axiom - great if your case revolves around internet artifacts and it also parses phone extractions. Certainly has the best interface and allows for portable cases which you can give to investigators.

Oh great thank you for your opinion. Yes, I'm almost sure we are going to take Axiom (or similar). The idea is to take another tool for checking results, being able to investigate when we have a non-recognized file system or a corrupt image, and also to perform more in-depth investigation with things such as data carving etc.

Saucisson Slicer

Oh great thank you for your opinion. Yes, I'm almost sure we are going to take Axiom (or similar). The idea is to take another tool for checking results, being able to investigate when we have a non-recognized file system or a corrupt image, and also to perform more in-depth investigation with things such as data carving etc.

Hearing that I saw xways all the way

OK thanks for your help !

Hello all

9:27 AM

I am conducting some forensics on a laptop and was interested in a WiFi network the laptop connected to. I detected it by looking at the "netsh wlan show all" command, which listed it as a WiFi profile. Now I wanted to prove the time and date when someone connected to this network, and went to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Profiles location in the registry, however I could not find proof of the network on there. I also checked the managed/unmanaged section, which listed many networks but not the suspicious one I wanted. Main question: How is "netsh wlan show profiles" getting information about this previously connected network if its not stored in the registry? The event logs are also no help as they were stored just for 1 day

Doofenshmirtz

open source tools for MAC os parsing? like we have eric zimmerman tools, alternative equivalent to MAC

Apollo is another good open source option

stan

I am conducting some forensics on a laptop and was interested in a WiFi network the laptop connected to. I detected it by looking at the "netsh wlan show all" command, which listed it as a WiFi profile. Now I wanted to prove the time and date when someone connected to this network, and went to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Profiles location in the registry, however I could not find proof of the network on there. I also checked the managed/unmanaged section, which listed many networks but not the suspicious one I wanted. Main question: How is "netsh wlan show profiles" getting information about this previously connected network if its not stored in the registry? The event logs are also no help as they were stored just for 1 day

You might try posing in #computer-forensics as well.

stan

I am conducting some forensics on a laptop and was interested in a WiFi network the laptop connected to. I detected it by looking at the "netsh wlan show all" command, which listed it as a WiFi profile. Now I wanted to prove the time and date when someone connected to this network, and went to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Profiles location in the registry, however I could not find proof of the network on there. I also checked the managed/unmanaged section, which listed many networks but not the suspicious one I wanted. Main question: How is "netsh wlan show profiles" getting information about this previously connected network if its not stored in the registry? The event logs are also no help as they were stored just for 1 day

I saw Josh Wright's response in another place where this question was posted. Grab the SRUM database and parse with SrumECmd to see what some of the network profiles on the box were. SRUM is basically the backend database for Task Manager

9:48 AM

https://github.com/EricZimmerman/Srum#repairing-the-srudbdat for instructions on repairing the DB. SRUM-Dump is really slow and SrumECmd is a lot faster, so that's just another option

Brilliant thanks. If the connection is over 30 days old though, then I'm out of luck?

stan

Brilliant thanks. If the connection is over 30 days old though, then I'm out of luck?

yeah SRUM only records about 30 days of data

1

Hello All, we have to grab a Facebook Messenger chat group for an investigaton. One of the participants will let us access his account so we can grab what we need. But the conversation has been going on for over a year, any tool recommend to proceed or it will be SnagIT kinda of a thing ??? Axiom won’t let us grab only a specific group chat conversation!!

dfir_rook [CA]

Hello All, we have to grab a Facebook Messenger chat group for an investigaton. One of the participants will let us access his account so we can grab what we need. But the conversation has been going on for over a year, any tool recommend to proceed or it will be SnagIT kinda of a thing ??? Axiom won’t let us grab only a specific group chat conversation!!

Facebook will let you download only messages directly from your account settings page, but it doesn't look like you can select which message threads to grab. https://www.facebook.com/dyi/?referrer=yfi_settings

Log in or sign up to view

See posts, photos and more on Facebook.

To all: What is your preferred 0n-scene Mac preview/triage tool?

RyanB

To all: What is your preferred 0n-scene Mac preview/triage tool?

https://discord.com/channels/427876741990711298/537760691302563843/1014767257135616002 Guessing it'll be the same answer but I'm the wrong person to answer this, admittedly

FullTang

Facebook will let you download only messages directly from your account settings page, but it doesn't look like you can select which message threads to grab. https://www.facebook.com/dyi/?referrer=yfi_settings

Whilst you can't select which ones to download, they are usually downloaded as separate HTML files for each thread - so it would be quite easy to download all messages then scrap the threads that aren't the chat of interest

dfir_rook [CA]

Hello All, we have to grab a Facebook Messenger chat group for an investigaton. One of the participants will let us access his account so we can grab what we need. But the conversation has been going on for over a year, any tool recommend to proceed or it will be SnagIT kinda of a thing ??? Axiom won’t let us grab only a specific group chat conversation!!

Yeah we get a takeout then pump it into Axiom to further parse the thread of interest only. I think all tools will require a full messenger takeout as a first step. Alternately the Cellebrite Live message capture might have FB for your phone model? The resulting screen grabs aren't searchable though so depends on your later required steps.

Does anyone have any idea how long an Apple iPhone 12 will keep on allowing tracking via ‘find my phone’ using UWB when in power reserve mode please?

1

Ross Donnelly

Whilst you can't select which ones to download, they are usually downloaded as separate HTML files for each thread - so it would be quite easy to download all messages then scrap the threads that aren't the chat of interest

Exactly what I did today finally, dump all the message and scrap what’s not needed. Also try the dump to json and import into Axiom. Work well also and I was also able to do a portable case like that … thanks all for your help much appreciate

1

Hello, I'm hoping to build my own forensic machine in the near future (likely a desktop). I'm not looking for specific builds, but I'm wondering if anyone has experience doing this and has any advice? Should I focus on powerful processor? More memory? Tons of storage? What would you consider a minimum for cases today? Thank you

skinnyfrenchman

Hello, I'm hoping to build my own forensic machine in the near future (likely a desktop). I'm not looking for specific builds, but I'm wondering if anyone has experience doing this and has any advice? Should I focus on powerful processor? More memory? Tons of storage? What would you consider a minimum for cases today? Thank you

I guess it depends a bit on what kind of forensics you'll be doing on it. You'll probably want it to be able to comfortably run some VMs, both for analysis (i.e. SIFT Workstation, FlareVM, etc), and for sandboxing (combustion chamber for malware analysis, etc). More processor cores and memory tends to help the most with those use-cases. If you'll be handling lots of device/disk images on it, more disk space is useful for that case. If you'll regularly be performing any kind of brute forcing or credential auditing (i.e. hashing/cracking) on it, then faster processor/gpu can be helpful (depending on what you're running to perform the audit)

12:38 PM

I'm sure there's other use cases that might have different requirements, too.

skinnyfrenchman

Hello, I'm hoping to build my own forensic machine in the near future (likely a desktop). I'm not looking for specific builds, but I'm wondering if anyone has experience doing this and has any advice? Should I focus on powerful processor? More memory? Tons of storage? What would you consider a minimum for cases today? Thank you

Definitely focus on cores/threads for processing power. If you're cracking passwords, you want GPU power. If you're doing anything else, CPU power should reign supreme. Threadripper would be pretty awesome but it's expensive. I wouldn't go any less than 8 cores nowadays and for futureproofing your build. Ideally, get an Intel or AMD CPU that has double digit cores, i.e., 16 Cores/32 Threads. That should last you quite a bit yet still not be as expensive as a 32 core/64 thread Threadripper.

1

12:42 PM

@skinnyfrenchman thank you for the idea, I should've done this a long time ago https://github.com/Digital-Forensics-Discord-Server/FrequentlyAskedDFIRQuestions/blob/main/README.md#im-looking-to-build-a-new-forensic-computer-what-considerations-should-i-be-aware-of-when-speccing-out-a-build

12:43 PM

If you GitHub and want to add to these answers, please do a PR and I'll merge. Let's get these fleshed out so we can just link to these answers moving forward for the myriad of questions we get often. Please PR other questions that need to be answered, as well! We can work on answers over time

Andrew Rathbun

If you GitHub and want to add to these answers, please do a PR and I'll merge. Let's get these fleshed out so we can just link to these answers moving forward for the myriad of questions we get often. Please PR other questions that need to be answered, as well! We can work on answers over time

Ha, i figured someone would have asked this before. Thanks, i'll take a look

Hello! Peeps is there any media player other than Windows media player you guys recommend for opening PA audio files. Thanks for the help. (edited)

Borderbingo

Hello! Peeps is there any media player other than Windows media player you guys recommend for opening PA audio files. Thanks for the help. (edited)

VLC?

8

Andrew Rathbun

Definitely focus on cores/threads for processing power. If you're cracking passwords, you want GPU power. If you're doing anything else, CPU power should reign supreme. Threadripper would be pretty awesome but it's expensive. I wouldn't go any less than 8 cores nowadays and for futureproofing your build. Ideally, get an Intel or AMD CPU that has double digit cores, i.e., 16 Cores/32 Threads. That should last you quite a bit yet still not be as expensive as a 32 core/64 thread Threadripper.

Have you tried the new intel hybrid core architecture chips yet? I hear there are lots of problems with virtualization software and hybrid cores. Personally I’d go for the newer AMD Ryzen chip with up to 16 normal cores. (edited)

1

Sensei

Have you tried the new intel hybrid core architecture chips yet? I hear there are lots of problems with virtualization software and hybrid cores. Personally I’d go for the newer AMD Ryzen chip with up to 16 normal cores. (edited)

same

Borderbingo

Hello! Peeps is there any media player other than Windows media player you guys recommend for opening PA audio files. Thanks for the help. (edited)

Potplayer has always played most file types I've thrown at it that Vlc struggled with.

4

MrMacca (Allan Mc)

Potplayer has always played most file types I've thrown at it that Vlc struggled with.

nice one, never even heard of it. my 2 are VLC and MediaPlayerClassic. added

Anyone know of a website similar to Phonescoop, that would have schematics and diagrams for hard disks and other electronics we come across in DFIR?

skinnyfrenchman

Hello, I'm hoping to build my own forensic machine in the near future (likely a desktop). I'm not looking for specific builds, but I'm wondering if anyone has experience doing this and has any advice? Should I focus on powerful processor? More memory? Tons of storage? What would you consider a minimum for cases today? Thank you

Get the latest motherboard you can afford, Intel or AMD doesn’t really matter, focus on the highest core count (physical cores) you can afford, at least 1 nvme boot drive for your host and at least one large ssd fir data, images can be dumped to a good HDD like a red. Get the most amount of ram you can afford. In my opinion you should have a solid host OS , I’d use Ubuntu. Then run everything else in a VM. Also a good nic and wireless built in would be great. I’d also water cool the cpu with a good aio

3:45 PM

I’ve had good success with Asus motherboard in the past and I’d probably start with this and build out from there. https://www.asus.com/ca-en/Motherboards-Components/Motherboards/Workstation/Pro-WS-WRX80E-SAGE-SE-WIFI/

ASUS Pro Workstation motherboards are designed for professionals in AI training, deep learning, animation, or 3D rendering. Featuring expandable graphics, storage, impressive connectivity and reliability, an ASUS Pro Workstation motherboard is the ideal solution for creative professionals and IT administrators.

ryd3v

I’ve had good success with Asus motherboard in the past and I’d probably start with this and build out from there. https://www.asus.com/ca-en/Motherboards-Components/Motherboards/Workstation/Pro-WS-WRX80E-SAGE-SE-WIFI/

ooh i thought, thats worth a look, right up until ...

3:59 PM

Make ya tingle in ya dingle

1

3:59 PM

I usually start with the motherboard since this is the nervous system

3:59 PM

Then pick the best cpu I can afford

4:00 PM

Then pick the fastest memory the cpu can run with the lowest latency

4:00 PM

Then populate some drives.

4:00 PM

I use pcpartpicker to plan out builds

4:01 PM

Of course budget is the actual starting point. What’s the budget. xD

4:02 PM

For me that board is

4:02 PM

Tbh $1289.00 isn’t that much for an examiner workstation as an investment

4:02 PM

I should work sales at Asus xD

4:04 PM

Imagine having 7x titan cards in that xD

1

ryd3v

Imagine having 7x titan cards in that xD

techpr0n, lol. nah, for me that much speed/capability wouldn't make much if any return. I'd be better, maybe with more PC's not an UberPC

4:31 PM

a lot of folks, non pro, waste so much money on spec they simply don't need

True. XD

ryd3v

Get the latest motherboard you can afford, Intel or AMD doesn’t really matter, focus on the highest core count (physical cores) you can afford, at least 1 nvme boot drive for your host and at least one large ssd fir data, images can be dumped to a good HDD like a red. Get the most amount of ram you can afford. In my opinion you should have a solid host OS , I’d use Ubuntu. Then run everything else in a VM. Also a good nic and wireless built in would be great. I’d also water cool the cpu with a good aio

Avoid Xeons in my opinion, may have a ton of cores but it's about utilisation and processing power. Reality is, not many tools will use all those cores.

2

Haven’t really had any issue with Xenon’s in the past , but the above board is AMD xD

ryd3v

Haven’t really had any issue with Xenon’s in the past , but the above board is AMD xD

think its more about matching the hardware to the job, looking at bottlenecks etc. some dudes just go for tactical nukes bc well why not spend thousands.

true

@ryd3v next time your building something i'd suggest picking which cpu you want first over the mobo, then you know which socket you'll need etc and can filter the features a bit easier too

Yeah usually motherboard dictates the CPU as motherboards usually come out with features first

Pretendigator

@ryd3v next time your building something i'd suggest picking which cpu you want first over the mobo, then you know which socket you'll need etc and can filter the features a bit easier too

If you pick the CPU first, your kinda setting yourself in a box with only a motherboard that supports that CPU

@ryd3v would appreciate any insight you can provide on https://github.com/Digital-Forensics-Discord-Server/FrequentlyAskedDFIRQuestions#im-looking-to-build-a-new-forensic-computer-what-considerations-should-i-be-aware-of-when-speccing-out-a-build

1

100% will definitely take a look as soon as I wake up

no HW guru here, but for me it would be checking with your main-job software vendors spec to see their basic recommendations and how/where to optimise that going forward. for certain DR hardware, years back, improving the spec of the PC didn't really matter a jot as it wasn't the bottleneck

Digitalferret

no HW guru here, but for me it would be checking with your main-job software vendors spec to see their basic recommendations and how/where to optimise that going forward. for certain DR hardware, years back, improving the spec of the PC didn't really matter a jot as it wasn't the bottleneck

indeed, our forensic network is abysmal, fancy fast rigs being choked by terrible infrastructure.

Andrew Rathbun

@ryd3v would appreciate any insight you can provide on https://github.com/Digital-Forensics-Discord-Server/FrequentlyAskedDFIRQuestions#im-looking-to-build-a-new-forensic-computer-what-considerations-should-i-be-aware-of-when-speccing-out-a-build

as for forensic software requirements: EnCase; utilises around 10-15% of CPU while running 'standard' processing options, all 24 logical cores are active. (Xeon E5-2620 v3 @2.4GHz (currently boosting to 2.8GHz), old and getting replaced once the ISO committee allows...) In terms of RAM EnCase is taking around 5GB out of the available 128GB (8 slots in use @1866 MHz) The cache while processing 'average' HDDs, (laptops with around 1tb storage) will occasionally exceed 1TB during processing. One issue I've encountered is our 1tb SSD cache drive maxing out and encase falling over if you don't set a secondary cache location. Might be worth mentioning to consider a high speed + capacity for cache/temp files etc. separate to OS & storage. Needless to say, I'm quite excited for our new workstations in the coming months.

3

Pretendigator

as for forensic software requirements: EnCase; utilises around 10-15% of CPU while running 'standard' processing options, all 24 logical cores are active. (Xeon E5-2620 v3 @2.4GHz (currently boosting to 2.8GHz), old and getting replaced once the ISO committee allows...) In terms of RAM EnCase is taking around 5GB out of the available 128GB (8 slots in use @1866 MHz) The cache while processing 'average' HDDs, (laptops with around 1tb storage) will occasionally exceed 1TB during processing. One issue I've encountered is our 1tb SSD cache drive maxing out and encase falling over if you don't set a secondary cache location. Might be worth mentioning to consider a high speed + capacity for cache/temp files etc. separate to OS & storage. Needless to say, I'm quite excited for our new workstations in the coming months.

Thank you!

1

Digitalferret

no HW guru here, but for me it would be checking with your main-job software vendors spec to see their basic recommendations and how/where to optimise that going forward. for certain DR hardware, years back, improving the spec of the PC didn't really matter a jot as it wasn't the bottleneck

This is actually on my to-do list for the FAQs repo

Original message was deleted or could not be loaded.

Have you toyed around with Active Disk Editor?

Original message was deleted or could not be loaded.

Looks like you are US law enforcement. Reach out to your local USSS office and request to go to the basic classes at NCFI in Alabama. They cover all costs associated with the travel.

2

Pretendigator

as for forensic software requirements: EnCase; utilises around 10-15% of CPU while running 'standard' processing options, all 24 logical cores are active. (Xeon E5-2620 v3 @2.4GHz (currently boosting to 2.8GHz), old and getting replaced once the ISO committee allows...) In terms of RAM EnCase is taking around 5GB out of the available 128GB (8 slots in use @1866 MHz) The cache while processing 'average' HDDs, (laptops with around 1tb storage) will occasionally exceed 1TB during processing. One issue I've encountered is our 1tb SSD cache drive maxing out and encase falling over if you don't set a secondary cache location. Might be worth mentioning to consider a high speed + capacity for cache/temp files etc. separate to OS & storage. Needless to say, I'm quite excited for our new workstations in the coming months.

I’m wondering and assuming that you’re using Windows, in your power settings is it set to balanced or performance , high performance?

Digitalferret

no HW guru here, but for me it would be checking with your main-job software vendors spec to see their basic recommendations and how/where to optimise that going forward. for certain DR hardware, years back, improving the spec of the PC didn't really matter a jot as it wasn't the bottleneck

I design differently. Most customers don’t use just one software, and as software improves over time , and developers take more advantage of better hardware , I always like to have the future proof option, I never design with just the best minimum, I always design with the best components in mind for the tasks at hand. Or at least what the machine will mostly be used for.

ryd3v

I design differently. Most customers don’t use just one software, and as software improves over time , and developers take more advantage of better hardware , I always like to have the future proof option, I never design with just the best minimum, I always design with the best components in mind for the tasks at hand. Or at least what the machine will mostly be used for.

yeh, roger that. i'm a "design to a quality, not a price" type of guy. just i see so many people needlessly blowing a lot of cash not really knowing if they need it (the spec). i mean, more must be better, right?

(edited)

Haha yeah, wait till you read the post I’m making for Andrew xD

6:17 PM

My methodology will all make sense xD

ryd3v

My methodology will all make sense xD

grrovy, i'll check it out for sure. for me, across all fields not just tech, one should always start with diagnosis. what's the point of a solution if it doesn't match the need?

Yeah understandable, with tech it can be hard sometimes with the wealth of options and the frequency that innovation takes place, what’s good today doesn’t always == good tomorrow

6:20 PM

Age old question does it run Crysis? Lol

6:20 PM

My favorited builds are@for flight sims lol

all those farmers tho. proof of work v proof of stake

1

hi everyone, working on some weblog analysis (access to the users workstation does currently not exist). since we cannot see directly particular pages that the user accessed through the logs I was wondering if the links pushed through the facebook CDN (video-lga3-1.xx.fbcdn.net/v/... ; scontent-lga3-1.xx.fbcdn.net/v/... ; ...) could be translated in some static content / potions of the URLs could be translated into page IDs / user IDs / message IDs etc. if so, anyone who has some documentation available around that?

Ok, until I do a pull request, I'll post my blog link here https://ryd3v.rocks/posts/wrkstnbuild

Forensics Workstation Build

Ryan Collins, Software Engineer, teaching programming, development, React, Next.js

1

Pull request submitted

1

ryd3v

Pull request submitted

Thank you. I had added a blurb pointing to the link above as well. It's not finalized yet and it's a bit of a mess, but the README will be cleaned in short order

thank you again for doing that!

1

Andrew Rathbun

Thank you. I had added a blurb pointing to the link above as well. It's not finalized yet and it's a bit of a mess, but the README will be cleaned in short order

thank you again for doing that!

My pleasure

ryd3v

Ok, until I do a pull request, I'll post my blog link here https://ryd3v.rocks/posts/wrkstnbuild

Decent read! I'd probably suggest for a forensic workstation watercooling isn't needed but I see an advantage of it.

1

Rob

Decent read! I'd probably suggest for a forensic workstation watercooling isn't needed but I see an advantage of it.

Thank you so much, yes, I mostly like a quiet workspace xD

ryd3v

Thank you so much, yes, I mostly like a quiet workspace xD

lol, me too, but the soul feels there's something quite wrong about having water go through a box of electrickery (a bit like shoving pineapple on top of pizza)

1

lol

12:50 AM

most AIO's are filled with a mixture of ethylene glycol and distilled water or a mineral oil mix that is somewhat safe for modern electronics, providing they are powered down fast enough, I had one leak once, on a video card, and surprising, the PC stayed on, and when I turned it off, it cleaned up nicely, and no damage occurred.

12:51 AM

I mean obviously you don't want to purposely spill the fluid on your rig, but I've shipped pre-built systems globally, never had one leak xD

so you admit they are faulty and have urinated inside thy machine, like a scared rabbit, when put under duress?

Lol no, I accidentally cut a tube once while testing and removing a second video card 100% my fault

‍♂️

1:40 AM

I was doing some testing on a new custom loop and was using some tubes of rubber. Was trying a SLI setup and got to hurried lmao

1:41 AM

Nowadays though the AIO tubes come wrapped in nylon to parent that sort of thing. This must have been over ten years ago when the custom loop thing first started xD

all is as ~~god~~ Bob wills it

(edited)

Hahahaha

1:42 AM

Don’t think I’ve done a all air system in over ten years tbh

you tried those Ergo Mouse things? ball under thumb? this old Razer Naga is R-Click starting to fail

Oh no. They look interesting though

had one of the first trackerball mice, Logitech, 2 button ball in middle. was ok for only certain things

Yeah. I remember cleaning the balls lol

yep, Red Ball with micro dots. balanced on 3 tiny ball bearings.

1:45 AM

oh the old Razer tho. rubber ball, iirc 2000DPI, boy did those fluff up

1:45 AM

boomslang?

Lol yeah

1:55 AM

Tech has definitely come a long way since then that’s for sure

1:57 AM

I better get myself to bed or the morning is gonna be rough xD

laters dude, tc

Basic "digital forensic specialist" roadmap

2

ryd3v

I’m wondering and assuming that you’re using Windows, in your power settings is it set to balanced or performance , high performance?

set to ultimate performance but im sure IT have set some weird policy to mess with it. We don't even have the ability to disable screen timeouts or change our desktop wallpaper...

ryd3v

Ok, until I do a pull request, I'll post my blog link here https://ryd3v.rocks/posts/wrkstnbuild

nice post! I believe you have a typo at 'This motherboard isn't available on PCPARTPICKER at the moment, so we will just add the other components to our final build list, that are compatible with the CPU selected.' replace CPU with MOBO? Either that or dyslexia is tying my shoelaces I also still disagree with your mobo first philosophy but I won't say anything more

Pretendigator

set to ultimate performance but im sure IT have set some weird policy to mess with it. We don't even have the ability to disable screen timeouts or change our desktop wallpaper...

Surprised your IT department has any control over them

3

Rob

Surprised your IT department has any control over them

With the amount of arguments we've had with them over the last 5 years, so am I.

3

Pretendigator

set to ultimate performance but im sure IT have set some weird policy to mess with it. We don't even have the ability to disable screen timeouts or change our desktop wallpaper...

Interesting, I wonder if balanced profile would make a difference? Maybe like you said some policy affecting performance somewhere

Pretendigator

nice post! I believe you have a typo at 'This motherboard isn't available on PCPARTPICKER at the moment, so we will just add the other components to our final build list, that are compatible with the CPU selected.' replace CPU with MOBO? Either that or dyslexia is tying my shoelaces I also still disagree with your mobo first philosophy but I won't say anything more

Thank you, could be a few typos in there lol

1

Digitalferret

had one of the first trackerball mice, Logitech, 2 button ball in middle. was ok for only certain things

I use trackball (thumb ball) exclusively now. Never regretted it

1

+1 for a trackball over here

Before i boot up a test device and 'get busy' with it; Has anyone got much experience with CCleaner specifically it 'cleaning' $logfile entries? I have a file that im looking into, however the first entry related to it in the $logfile has the operation of 'delete'. Low and behold, CCleaner has a last run time of around 15 minutes prior to the delete entry in the $logfile. My assumption is, yes, ccleaner is cleaning up $logfile entries but I wouldn't mind someone confirming this or providing any other reasons / hypothesis on why im missing $logfile records.

Pretendigator

Before i boot up a test device and 'get busy' with it; Has anyone got much experience with CCleaner specifically it 'cleaning' $logfile entries? I have a file that im looking into, however the first entry related to it in the $logfile has the operation of 'delete'. Low and behold, CCleaner has a last run time of around 15 minutes prior to the delete entry in the $logfile. My assumption is, yes, ccleaner is cleaning up $logfile entries but I wouldn't mind someone confirming this or providing any other reasons / hypothesis on why im missing $logfile records.

possibly not if this is anything to go by. 2011 but should still be valid. any other cleaners on there?

6:04 AM

https://community.ccleaner.com/topic/32585-logfile-ntfs-volume-log/ (edited)

Digitalferret

possibly not if this is anything to go by. 2011 but should still be valid. any other cleaners on there?

I did do quite a bit of googling and reading their forum posts but couldn't see anything about $logfile past 2016, the current version shows a tickbox under the OS options to clean 'windows log files'. Currently pulling the logfile off my research machine, after that ill be running CCleaner and comparing the logfiles. I'll post an update incase anyone in the future searches for $logfile / ccleaner etc. (edited)

1

Pretendigator

I did do quite a bit of googling and reading their forum posts but couldn't see anything about $logfile past 2016, the current version shows a tickbox under the OS options to clean 'windows log files'. Currently pulling the logfile off my research machine, after that ill be running CCleaner and comparing the logfiles. I'll post an update incase anyone in the future searches for $logfile / ccleaner etc. (edited)

yeh, i took that to mean "other" log files, but haven't tested myself.

Digitalferret

yeh, i took that to mean "other" log files, but haven't tested myself.

exactly my interpretation too, I'll make sure to let you know

umm, im not sure I've got the gist properly mate. you are looking at a file, it has been deleted, CCleaner was run prior. would this not indicate the the logfile is simply showing that the file was deleted? cleaners will often then clean residual traces... if it's any use, cross pollinating from the other top cleaners: Bleachbit and Privaz, who mention which/what etc

7:18 AM

learning as i go, but happy to share the legwork, if

1

ccleaner ran at 15:15, $logfile record indicating file 'XXX' deleted at 15:20. there are a few entries in the $logfile relating to the file after 15:20 but none prior. I was expecting to have entries within the $logfile relating to file 'XXX' prior to 15:20 (file deleted entry) i.e an entry indicating file 'XXX' created. Started as curiosity as to why i'm missing entries that I believe should be there. Hopefully, this is making some sense...

Hello everyone, has anyone worked in a certified forensic lab before? I have some questions on what the pros and cons are to having a lab certified

4n6s7oth

Hello everyone, has anyone worked in a certified forensic lab before? I have some questions on what the pros and cons are to having a lab certified

not much changed, just now theres specific ways to do things i.e using a sticker to reference a HDD rather than using a sharpie to write on it. It's also delayed rollout of new hardware because it needs to be 'validated' which has taken 6 months... I imagine a 'pro' of it would be that the standard of work would be very consistent among each member of the team. I will say we are only accredited for imaging of HDDs so the actual examination is unaffected for now. I've also made the assumption that when you say 'certified' you are refering to ISO? - sorry if not

Pretendigator

not much changed, just now theres specific ways to do things i.e using a sticker to reference a HDD rather than using a sharpie to write on it. It's also delayed rollout of new hardware because it needs to be 'validated' which has taken 6 months... I imagine a 'pro' of it would be that the standard of work would be very consistent among each member of the team. I will say we are only accredited for imaging of HDDs so the actual examination is unaffected for now. I've also made the assumption that when you say 'certified' you are refering to ISO? - sorry if not

This helps! I am referring to ISO. Some senior members are telling management that they do not think having a certified lab is a good idea and I am trying to understand why not.

4n6s7oth

This helps! I am referring to ISO. Some senior members are telling management that they do not think having a certified lab is a good idea and I am trying to understand why not.

I've been in UK LE digital forensics since 2015, witnessing the start of the process and the current result over that time. HUGE HUUUGE waste of money/time/resources for essentially a badge that says your lab has a hygiene rating of 5*. You would think that time and money could be invested in to making sure investigators are properly trained, rather than dictating what colour sticker to use to cover a selfie cam... I'd love for some actual certs to give me weight in court, but in todays climate it seems better to stand up and say you blindly followed the ISO guidelines so your evidence is of 'higher' quality...

7:49 AM

You might be able to tell how I feel about it.

(edited)

2

paper for papers sake, makes it look like someone's doing something. pretty much like the Govt here, lol. as long as someone can tick boxes that have been pre-arranged you can have a shite product but as long as it's done according to [standards] it all be good

1

8:09 AM

goldplate:turd

Pretendigator

ccleaner ran at 15:15, $logfile record indicating file 'XXX' deleted at 15:20. there are a few entries in the $logfile relating to the file after 15:20 but none prior. I was expecting to have entries within the $logfile relating to file 'XXX' prior to 15:20 (file deleted entry) i.e an entry indicating file 'XXX' created. Started as curiosity as to why i'm missing entries that I believe should be there. Hopefully, this is making some sense...

@Digitalferret did that make sense?

Pretendigator

@Digitalferret did that make sense?

brains chewing on it, having a senior moment rn, grabbing coffee

8:29 AM

does the logfile not just register changes? ie the file lived there quite happily, disturbing no-one until it was deleted?

8:31 AM

i'm sure there's some Windows system ~~egghead~~ guru sat watching this, if so please chime in

1

Digitalferret

does the logfile not just register changes? ie the file lived there quite happily, disturbing no-one until it was deleted?

there are 'normally' create or modify etc. entries in the logfile. which you would definitely expect to see for a 'user created' file because for it to be deleted, it must have first been created. Now im starting to feel like yoda or mr miyagi

ah, right, i think. in my poor head i thought it would be sequential log, ie created would be way back. Who said that "Better to remain silent and be thought a fool than to speak and to remove all doubt"

yes the created entry should be way back, but its just not their atall. ~~I dont believe it writes over itself in a cyclical way~~ overwrites itself/cyclical recording (edited)

oh!

8:41 AM

um, i think it actually does

ohhh snap

8:45 AM

just re-opening axiom to check how far back the entries go, although the created date on the file itself is on the same day as deletion (its in recycle bin)

Pretendigator

just re-opening axiom to check how far back the entries go, although the created date on the file itself is on the same day as deletion (its in recycle bin)

so, basically it landed in the target drive, and got deleted same day. not entirely sure, but i couldn't see the log file going on to infinity over an age

8:53 AM

if you like reading https://dfir.ru/2019/02/16/how-the-logfile-works/

I believe I may have embarrassed myself a small amount here... the only entries (except one, 2 months prior) are all from the same day in question. although the existing other entries pre-date the created date on the file Going to have a read over of that link and head home. Today has not been my day

‍

nah, it's the fear of f*&king up that prevents folks from sharing that "we are all learning" moments. props for putting your thoughts into view so we can all benefit

1

Digitalferret

if you like reading https://dfir.ru/2019/02/16/how-the-logfile-works/

Update (2019-02-17): How long does it take for old data to become overwritten with new data? In one of my tests with Windows 10, it took 16 minutes. In another test with Windows 10, it took 5 hours and 20 minutes. In both tests, mouse movements were the only user activity.

yup

just got to the end of it, should have just skipped ahead

lol, thats my problem, getting too far ahead of myself and missing the bloody obvious in the first paragraph. we should team up, lol

1

9:12 AM

"scuse me, can you tell me where the train station is" : woman says nothing but stares above my head. yup I'm under a big sign that says ...

Digitalferret

nah, it's the fear of f*&king up that prevents folks from sharing that "we are all learning" moments. props for putting your thoughts into view so we can all benefit

it was also partly useful to just explain the case 'outloud' but im always happy to embarrass myself if it means im going to learn or someone else is

1

Digitalferret

"scuse me, can you tell me where the train station is" : woman says nothing but stares above my head. yup I'm under a big sign that says ...

me stood next to the eggs in the shop: "ey lad, do you know where the eggs are" you could tell he was already having a long day from the sigh he gave...

1

Pretendigator

I've been in UK LE digital forensics since 2015, witnessing the start of the process and the current result over that time. HUGE HUUUGE waste of money/time/resources for essentially a badge that says your lab has a hygiene rating of 5*. You would think that time and money could be invested in to making sure investigators are properly trained, rather than dictating what colour sticker to use to cover a selfie cam... I'd love for some actual certs to give me weight in court, but in todays climate it seems better to stand up and say you blindly followed the ISO guidelines so your evidence is of 'higher' quality...

Thank you for the insight, I appreciate your perspective !

1

I have a cool project going on in my biomedical class, does anyone wanna try solving a crime scene?

i think its more a DFIR group mate, rather than biological CSI

12:13 PM

someone may jump in tho

okay i’ll ask in the dfir group

12:13 PM

thank you

12:15 PM

wait is the dfir group the right group to ask to help me solve a crime scene

12:15 PM

not real body or anything it’s just a class project that’s worth a lot and it would help

12:16 PM

i see multiple dfir channels

just a clue, D.F.I.R (Digital Forensics Incident Response)

Oh!

12:17 PM

Okay thank you very much

all good

No more SIM tray on the iPhone 14. I know the Razr also doesn't have one. I would imagine they'll start dropping like flies, probably saves a few cents in manufacturing

1

whee30

No more SIM tray on the iPhone 14. I know the Razr also doesn't have one. I would imagine they'll start dropping like flies, probably saves a few cents in manufacturing

Interestingly I noted that this is a US-only feature

*and Canada

I expect it to make more headway in Europe starting next year

1

Apple: Round edge upgrades to square edge updates to round edge upgrades to square edge updates to round... more re-runs than Police Academy

An open question, what do we all use for our contemporaneous notes?

4JSN6🇬🇧

An open question, what do we all use for our contemporaneous notes?

non-forensic (these days) here, but for me it's a Mk1 pencil & paper, accurate watch (ok ...mobile phone). Carry it any/everywhere, zero setup time, sod all to go wrong. Use double spaced. it's possibly the cheapest and most effective means as it can be seen if records were amended later. there's the usual shill for the wrting software equivalent of a NEAL audio setup I'm sure, but that gets as close to contemporaneous as one can get. Plus a camera (phone) for things not written (for me, cable layouts, hardware setups etc) (edited)

4JSN6🇬🇧

An open question, what do we all use for our contemporaneous notes?

Word to stay inline with our iso stuff, then copy pasted to one note when finished. (one notes indexing/searching is just

)

2

Notion for general DFIR stuff

Anyone using LGUP at all for firmware downgrade? (edited)

Hello

I'm a freshman in college currently working towards an AS in Cybersecurity, where I plan to transfer to the SANS Bachelor program. I have a severe interest in Digital Forensics and am wondering what recommendations you may have for learning/practicing skills outside the usual school coursework. I firmly believe I learn best when it is hands-on, and I can apply the general knowledge I've learned to real situations and learn from there, rather than just taking notes and calling it a day.

3

Grab a really good recommended book and jump in and go through all the examples and exercises , practice all the theory imo is the best way.

Any book recommendations yourself?

Hi, I'd like to know if there are any free alternatives to encase imager tool.

Ftk imager

1:38 AM

But, what do you need it for?

1:38 AM

(just in case ftki isn't suitable)

@PryWaySeeProf as above FTK Imager (has nice ability to mount image files too) or a Forensic Live Boot like WinFE if you want to configure your own forensic edition of windows (useful for driver issues etc) or there are plenty of others to play with such as " CAINE 11.0 - Wormhole is out! that has imaging tool too and some other nice features"

what are you wanting to capture and in what format?

dfir-ent

Hello

I'm a freshman in college currently working towards an AS in Cybersecurity, where I plan to transfer to the SANS Bachelor program. I have a severe interest in Digital Forensics and am wondering what recommendations you may have for learning/practicing skills outside the usual school coursework. I firmly believe I learn best when it is hands-on, and I can apply the general knowledge I've learned to real situations and learn from there, rather than just taking notes and calling it a day.

Yep, do not just read them but actually perform it and do not read ahead

dfir-ent

Any book recommendations yourself?

I’ll link you a few titles when back to pc

Fierry

Yep, do not just read them but actually perform it and do not read ahead

ryd3v

I’ll link you a few titles when back to pc

Thank you, much appreciated!

in order to create a DIY Faraday bag, is it just as simple as completely enclosing the device with multiple layers of aluminum?

pi0

in order to create a DIY Faraday bag, is it just as simple as completely enclosing the device with multiple layers of aluminum?

Yep, just wrap it up with tin foil and make sure there are no gaps. You can’t have a charging cord connected to the phone and coming out of the tin foil because it would act as an antenna, but if you connect the phone to a battery pack and wrap up both of them then you should be good. You can always test the enclosure by wrapping up a test phone and trying to send the test phone a text message.

understood, thank you very much!

1

pi0

understood, thank you very much!

Thank that you're wrapping a burrito and you don't want any of the juice leaking out.

When generating an excel or XML report in Physical Analyser is there a way to generate just the file and not export the Data Files to speed things up?

I was looking at shell bags in autopsy, and in the path column it said My Computer{numbers-and-letters-here}\file.zip. What is that inside the {}? I'm assuming it's a volume GUID, and I'm wondering how I can see what that volume was?

11:15 AM

Trying to find evidence of exfil using an E01 of the target machine

11:15 AM

Checked usbstor but timestamp was older than the file

clockwork

I was looking at shell bags in autopsy, and in the path column it said My Computer{numbers-and-letters-here}\file.zip. What is that inside the {}? I'm assuming it's a volume GUID, and I'm wondering how I can see what that volume was?

Any other artifacts that point to file.zip?

Andrew Rathbun

Any other artifacts that point to file.zip?

The ones I found were with the keyword search, regRipper results, lnk files, webcache

11:46 AM

Locations point to downloads, and that guid

C:\Users\User\Downloads\file.zip My Computer\{GUID}\file.zip /Users/User/AppData/Local/Temp/file.zip (edited)

clockwork

The ones I found were with the keyword search, regRipper results, lnk files, webcache

If you have X-Ways try searching the E01 for file.zip

Andrew Rathbun

If you have X-Ways try searching the E01 for file.zip

Ill try the evaluation version

clockwork

C:\Users\User\Downloads\file.zip My Computer\{GUID}\file.zip /Users/User/AppData/Local/Temp/file.zip (edited)

Are you able to give the guid as an example at all?

Tcisaki

Are you able to give the guid as an example at all?

Do you have a way to get info from it?

clockwork

Do you have a way to get info from it?

I was just wondering if this was one of those 'well known' guid locations. eg Appendix B https://www.giac.org/paper/gcfa/9576/windows-shellbag-forensics-in-depth/128522

Tcisaki

I was just wondering if this was one of those 'well known' guid locations. eg Appendix B https://www.giac.org/paper/gcfa/9576/windows-shellbag-forensics-in-depth/128522

Haven't seen that before that's pretty neat, no it isn't any of those sadly.

clockwork

Haven't seen that before that's pretty neat, no it isn't any of those sadly.

Those are very out of date. If you are not worried about the guid itself, could always google it, just to see

Tcisaki

Those are very out of date. If you are not worried about the guid itself, could always google it, just to see

It's the guid for the downloads folder

1:37 PM

Now I'm back to no leads lol

clockwork

Now I'm back to no leads lol

So both a good thing and a bad thing then.

The scenario here is disgruntled employee is fired, and on their last day they download a bunch of corporate files to a zip. I gotta figure out what the method of exfil was.

1:40 PM

I just have an E01

1:41 PM

I've checked usbstor, email pst files, and web History for file upload sites

And no additional shellbags to help?

Only what's on the e01, should I pull and parse them outside of autopsy?

1:45 PM

Maybe I didn't parse the emails well enough, what's your workflow for checking psts? I only have access to freeware stuff tho lol

You can export the PST/OST using Autopsy and then use linux utilities to look through them (like readpst)

1:51 PM

And no worries about freeware stuff. I focus alot of my preaching and such, for using it

Tcisaki

You can export the PST/OST using Autopsy and then use linux utilities to look through them (like readpst)

Do pst/ost files contain attachments too

clockwork

Do pst/ost files contain attachments too

Yup. OST for instance is the file that is used by outlook for all it's offline stuff (so will have Calendar, notes, Emails etc etc)

Tcisaki

Yup. OST for instance is the file that is used by outlook for all it's offline stuff (so will have Calendar, notes, Emails etc etc)

Awesome! I appreciate all the help. Thanks everyone

Outlook is a really good PST/OST viewer

Bloatware

clockwork

The scenario here is disgruntled employee is fired, and on their last day they download a bunch of corporate files to a zip. I gotta figure out what the method of exfil was.

Don’t forget cloud storage: Dropbox, Onedrive etc.

Some enterprises don't allow encryption in zip files so they can see what's being sent out (bit of a double edged sword right there). They also allowed the use of KeePass and encouraged encryption. So... people could export their keepass kdbx file which had a lot of work attachments inside the database...

Heyhey, anyone knows if there is a way to access CDN links from facebook (example below; just blanked out some parts). just cutting out the actual link to the content or removing the timestamp information etc usually leads to "URL signature expired", "URL signature mismatch", "Bad URL hash" or "Bad URL timestamp". Two years ago it appeared that you were just able to modify the link to have direct access to the content but it appears to not work anymore. Any workaround for this? (edited)

Hey... Any idea of how to place a random string inside a specific sector of a disk in Linux? For example I want to place "Hello" inside sector nr. 15000. (edited)

Any recommended software or tools to view the data from an MSSQL full backup .BAK file? (edited)

1

1:20 PM

Wondering what everyone's offices are thinking with the pending release of the iPhone 14 into the wild. With the removal of the physical SIM card, what are all your plans for isolation if you are unable to place it into Airplane mode without a PIN code. I guess our only option now is Faraday bags? If this is the way of the future, we might need more bags!

Oh yeah.. I guess this only affects the US for now.

camdeezee.

Wondering what everyone's offices are thinking with the pending release of the iPhone 14 into the wild. With the removal of the physical SIM card, what are all your plans for isolation if you are unable to place it into Airplane mode without a PIN code. I guess our only option now is Faraday bags? If this is the way of the future, we might need more bags!

1:42 PM

Buy stock in aluminum foil!

10

Invest in microwaves, good for lunch and limited usage of blocking signals

camdeezee.

Wondering what everyone's offices are thinking with the pending release of the iPhone 14 into the wild. With the removal of the physical SIM card, what are all your plans for isolation if you are unable to place it into Airplane mode without a PIN code. I guess our only option now is Faraday bags? If this is the way of the future, we might need more bags!

You can 'remove' an eSIM by removing the cellular plan from iOS settings > cellular. However, just as with removing a physical SIM, the device will still be able to use emergency cellular services, bluetooth, and wifi (so simply removing a SIM doesn't fully isolate a phone). Enabling airplane mode does prevent even emergency cellular services, but doesn't always turn off bluetooth either (but it will remember if you manually turn it off when in airplane mode).

Sea9

You can 'remove' an eSIM by removing the cellular plan from iOS settings > cellular. However, just as with removing a physical SIM, the device will still be able to use emergency cellular services, bluetooth, and wifi (so simply removing a SIM doesn't fully isolate a phone). Enabling airplane mode does prevent even emergency cellular services, but doesn't always turn off bluetooth either (but it will remember if you manually turn it off when in airplane mode).

Yeah we do all of that now. I'm referencing seizing phones via Search Warrants and if the control center is disabled unless the phone is unlocked, then we aren't able to place the phone in Airplane mode/disable eSIM... our only option is Faraday or Foil.

1

camdeezee.

Yeah we do all of that now. I'm referencing seizing phones via Search Warrants and if the control center is disabled unless the phone is unlocked, then we aren't able to place the phone in Airplane mode/disable eSIM... our only option is Faraday or Foil.

Ah OK. I suppose there are already a lot of phones that support eSIM (in addition to a physical SIM), I guess those might just not be commonly encountered yet. Sounds like some standard operating procedures are going to need to be tweaked a bit. (edited)

1

I need to figure out how to find the funds for the adaptors to modify my faraday cage to support the extraction of phones while they are inside the cage.

1

Wrap everything in foil?

yes, blocks all signals

FullTang

I need to figure out how to find the funds for the adaptors to modify my faraday cage to support the extraction of phones while they are inside the cage.

Turn the crime lab into a huge faraday cage

1

Sea9

Turn the crime lab into a huge faraday cage

Brilliant! When the boss/wife/investigators try to call me on my cell phone I will be unreachable because I am in my office! Just need to wear headphones and no one will ever bother me ever again lol.

3

FullTang

Brilliant! When the boss/wife/investigators try to call me on my cell phone I will be unreachable because I am in my office! Just need to wear headphones and no one will ever bother me ever again lol.

1

FX_Tymills

Any recommended software or tools to view the data from an MSSQL full backup .BAK file? (edited)

I haven't done mssql but assuming the principle still applies. For MSSQL I had to install the database server on my local machine and import the backup. It's not the same as an sqlite db which is self contained and the viewer opens it

camdeezee.

Yeah we do all of that now. I'm referencing seizing phones via Search Warrants and if the control center is disabled unless the phone is unlocked, then we aren't able to place the phone in Airplane mode/disable eSIM... our only option is Faraday or Foil.

Perhaps a signal jammer is the solution but comes with its own set of issues.

chauan

Thank that you're wrapping a burrito and you don't want any of the juice leaking out.

understood! thank you!

9:14 PM

is rooting an android device legal?

9:14 PM

in the US?

9:15 PM

I recently purchased a few prepaid devices for an android dev course, but noticed that the vendor does not unlock the bootloader

9:16 PM

the motivation is to run frida on an actual device rather than an android vm

pi0

is rooting an android device legal?

As long as it is your own device or you have legal authority to do so, I don’t know of any US laws restricting rooting an Android device. I don’t know every law in the US, but I would be very surprised if there was a law preventing you from rooting your own phone lol.

i thought it would be Ok, but i figured it would be wise to ask first, and yep i own these devices.

Deleted User

Perhaps a signal jammer is the solution but comes with its own set of issues.

Is there a circumstance where those are not just blanket illegal? I had thought those were a FCC no-no

1

11:19 PM

Like the drone jammer guns etc

whee30

Is there a circumstance where those are not just blanket illegal? I had thought those were a FCC no-no

Good question and I think illegal in most countries. I would think under certain circumstances (controlled environment with jammer emitting small footprint) it might be practical for our use. Android devices will surely follow suit with Apples changes.

whee30

Is there a circumstance where those are not just blanket illegal? I had thought those were a FCC no-no

one reason FlipperZero device has standard firmware and those that you download at your own risk, given it's wide latitude of capable transmitting frequencies https://flipperzero.one/

Deleted User

Perhaps a signal jammer is the solution but comes with its own set of issues.

100% will wind you in jail lol

1:48 AM

*assuming you live or are in NA

At least you can question the other inmates to see if they know anything about your case

2:26 AM

YMMV

randomaccess

I haven't done mssql but assuming the principle still applies. For MSSQL I had to install the database server on my local machine and import the backup. It's not the same as an sqlite db which is self contained and the viewer opens it

Yes that's what I ended up doing, it worked a charm

5:16 AM

Thank you

pi0

is rooting an android device legal?

Legal in the US... yes no law prohibiting you from modifying what you purchased. Voids the warranty on the devices... possibly/probably. If you care about that maybe read the fine print? I know Apple definitely says if you Jailbreak/root the phone it voids all warranties.

camdeezee.

Legal in the US... yes no law prohibiting you from modifying what you purchased. Voids the warranty on the devices... possibly/probably. If you care about that maybe read the fine print? I know Apple definitely says if you Jailbreak/root the phone it voids all warranties.

Depends on the specific manufacturer but yes this is true for all of them.

Going start a project, downloaded Autopsy but my windows 11 is saying it doesn’t recognize the file

yet another reason to ditch 11

. sorry, i'll see myself out

1

Microsoft literally has the worst os (edited)

8:20 AM

I had less problems on windows 6 tbh

agreed. if i hadn't got recovery hardware that requires Win to operate, i'd pretty much bin it overnight

I needed to upgrade from my chromebook for school so it was W11 or Macbook

FullTang

I need to figure out how to find the funds for the adaptors to modify my faraday cage to support the extraction of phones while they are inside the cage.

You can always retro fit this USB filter that misson darkness sells. I inquired about just getting the filter awhile back and adding it to our farday box by drilling a hole and screwing it in. I think they quoted $300 https://www.amazon.com/Mission-Darkness-Transparent-Shielding-Enforcement/dp/B07W3PMY6C?th=1

Mission Darkness Window Charge & Shield Faraday Bag for Phones // I...

The Mission Darkness Window Charge & Shield Faraday Bag for Phones allows a device to remain shielded from RF signals and powered after seizure, until it can be transferred to a forensic box, lab, or tool for data extraction. The bag includes a dual sided USB filter, NeoLok closure system for saf...

Raines

Going start a project, downloaded Autopsy but my windows 11 is saying it doesn’t recognize the file

From services.msc, do you see the Windows Installer service, and it's startup type is not Disabled (Manual is OK). If that's OK, try to run msiexec /i "file.msi" from a command line (in the same path as the file). If that still doesn't work, can you screenshot the error?

Sea9

From services.msc, do you see the Windows Installer service, and it's startup type is not Disabled (Manual is OK). If that's OK, try to run msiexec /i "file.msi" from a command line (in the same path as the file). If that still doesn't work, can you screenshot the error?

8:40 AM

I’ve downloaded the file but it’s stuck on the installation menu now

Try doing the same command with a command prompt opened as an administrator, and see if the error is the same. (Run as Administrator is, for whatever reason, removed from MSI's right-click options in Windows 11, but can be added back to the registry manually if needed).

Sea9

Try doing the same command with a command prompt opened as an administrator, and see if the error is the same. (Run as Administrator is, for whatever reason, removed from MSI's right-click options in Windows 11, but can be added back to the registry manually if needed).

Weird so I updated my os and I can’t even uninstall the file for redownloading (edited)

9:20 AM

Okay I got it running

Raines

Okay I got it running

nice one

- did you work out why it was failing ?/ (edited)

Digitalferret

nice one

- did you work out why it was failing ?/ (edited)

Have no clue what happened tbh

DCSO

You can always retro fit this USB filter that misson darkness sells. I inquired about just getting the filter awhile back and adding it to our farday box by drilling a hole and screwing it in. I think they quoted $300 https://www.amazon.com/Mission-Darkness-Transparent-Shielding-Enforcement/dp/B07W3PMY6C?th=1

I saw that posted here a while back and bought one for the office, but I can't seem to figure out how to connect an iPhone that is inside of that faraday bag to a forensic tool (namely GK). @whee30 suggested a USB-A to female lightning adaptor and I purchased one from Amazon but GK will not recognize the device through the USB filter. I was thinking about getting an Ethernet (RJ-45) filter for the faraday cage and putting the GK inside of the faraday cage, do you have any thoughts or ideas? https://www.amazon.com/gp/product/B07W7YQT4S/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1

Anker USB-A to Lightning Audio Adapter Cable, MFi Certified Female ...

Model Number: A8197 Anker USB-A to Lightning Audio Adapter The Lightning Adapter with Flawless Sound Keep Listening With this adapter, you don’t need to use separate headphones for your phone and laptop. Just connect the adapter to any USB port to instantly start using your Lightning headphones. ...

Raines

Have no clue what happened tbh

Gremlins

What channel do I go for project ideas?

Raines

What channel do I go for project ideas?

like...on GitHub? or something else?

Andrew Rathbun

like...on GitHub? or something else?

On autopsy I want to work on a investigation. This would be my first project

Raines

On autopsy I want to work on a investigation. This would be my first project

by project do you mean investigation? Are you looking for test images to learn on? Or something else? I am a bit confused with the terminology used here

Andrew Rathbun

by project do you mean investigation? Are you looking for test images to learn on? Or something else? I am a bit confused with the terminology used here

Just learn on. I have a internship in CF next year that deals with analyzing potential fraud and some threads I’ve seen online suggest start with Autopsy

Raines

Just learn on. I have a internship in CF next year that deals with analyzing potential fraud and some threads I’ve seen online suggest start with Autopsy

Nothing against Autopsy, but that's probably because it's freely available. I don't know many companies that use Autopsy as a daily driver but it's perfectly fine to learn on. Others may have different opinions though

Andrew Rathbun

Nothing against Autopsy, but that's probably because it's freely available. I don't know many companies that use Autopsy as a daily driver but it's perfectly fine to learn on. Others may have different opinions though

I’m open to all tools to use. Anything that I can learn on and replicate to real life experience

9:56 AM

I’ve gotten my certs and doing my degree and all but my classes don’t let students try first hand and make projects so we have to find how to do it else where if that makes sense

"make projects" seems to mean "do an investigation" in your terms, is that correct?

I say investigation cause that’s the position for my internship I’ll be working in

camdeezee.

Legal in the US... yes no law prohibiting you from modifying what you purchased. Voids the warranty on the devices... possibly/probably. If you care about that maybe read the fine print? I know Apple definitely says if you Jailbreak/root the phone it voids all warranties.

thank you for the clarification, this is good to hear! unfortunately these devices do not seem to be root-able, even tho they are several years old.

1

Raines

Weird so I updated my os and I can’t even uninstall the file for redownloading (edited)

And that’s why we use a virtual machine to work on and not our host OS.

Raines

I’m open to all tools to use. Anything that I can learn on and replicate to real life experience

you found 13Cubed yet? https://www.13cubed.com/, then there's a raft of other kit like CAINE/Tsurugi/Paladin/Parrot/Kali etc. good selection of LiveCD/USB kit. but as wRathbunny said, it's usually proprietory software once you get "out there". Fundamentals remain the same, different machinery though, often to streamline processes (edited)

12:18 PM

then grab some old drives from ebay/craigs? see what you can work through, tools wise

1

Halfway through the Autopsy walkthrough, do I need to use hash database

It’s good for looking for known files such as CSE, classified/sensitive documents and more. You can download DBs of hashes iirc and use that to include or exclude files eg windows system files

Raines

Halfway through the Autopsy walkthrough, do I need to use hash database

You can download images from here to practice on as well: https://digitalcorpora.org/

simsong

Home

Anyone had any issues with Bitlockered forensic machines? We are getting new kit and IT are insisting they are Bitlockered, so just putting it out there in case there are any 'quirks'. I have contacted MSAB and Cellebrite... (edited)

"IT are insisting they are Bitlockered" ... no idea but I'd probably be the cynic asking them what their contingency plan is when SHTF

3

Digitalferret

"IT are insisting they are Bitlockered" ... no idea but I'd probably be the cynic asking them what their contingency plan is when SHTF

Not likely to leave it in a taxi...

oh M$ screwed that: https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15

Zhaan

Not likely to leave it in a taxi...

lol nah, but having seen "halp, my drive died and it's bitlockered" a few times I'm wondering about te balance of it all. i mean, who are they hiding the drive data from when it's off?

what recommended certs are for blue teaming , mainly computer forensics to land good role. yes SANS ones are great but they are very costly.

Doofenshmirtz

what recommended certs are for blue teaming , mainly computer forensics to land good role. yes SANS ones are great but they are very costly.

When wondering about public certifications, I usually take a look at this: https://pauljerimy.com/security-certification-roadmap/ It's not perfect, but offers a good overview of popular certifications (unfortunately, it doesn't include SANS courses, but since you're excluding SANS anyway that is OK). Additionally, if you are in law enforcement, you may have an option to take NCFI courses that are not listed. There are a lot of GIAC courses in the forensics category, those are the ones that are usually paired up with SANS courses and are popular in the government sphere... they are expensive, but they are not the only option. If interested in clearance or government work, be sure to check the list of approved courses for the role you are interested in. DoD/Military: https://public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/ FBI: https://www.tlglearning.com/wp-content/uploads/2020/07/FBI_CyberPage_AdditionalCertificates.pdf (typos are on this list, but couldn't find a list on the FBI's official site) National White Collar Crime Center: https://www.nw3c.org/certifications/nw3c-recognized-certifications. GIAC's GCFA ticks the most boxes for traditional forensics, generally. But for blue teaming, you may want to consider the BTL1 or BTL2 (also pricey), or eLearnSecurity's eCTHPv2. Currently, eLearnSecurity is a more budget-friendly option, which makes it great for people who are advancing their own careers or exploring their interests - but the price has been creeping up. Neither of those are on the 'approved certifications' lists referenced above, but are still good options for blue teaming.

3

6:38 AM

Speaking of certifications and training, does anyone know if NCFI courses are exclusively available to law enforcement, or can people in the public sector enroll too?

Sea9

Speaking of certifications and training, does anyone know if NCFI courses are exclusively available to law enforcement, or can people in the public sector enroll too?

I know that courses are offered for judges and prosecutors, but the selection process for who attends the courses is entirely handled by the USSS. I would contact your local USSS field office and let them know you are interested and see what they have to say.

2

#dfir-discussion-forum created! Discord just rolled out the Forums feature to us, so let's check it out and see how we like it

2

1

Good morning, anyone have a basic cellphone PowerPoint investigation course for LE they would be willing to share?

Thumbs up or down if a channel for cell-site-analysis would be beneficial.

24

2

uochaos

Thumbs up or down if a channel for cell-site-analysis would be beneficial.

@Law Enforcement [USA] or any other countries (sorry not as familiar if this is a thing outside of the US, frankly)

mitchlang

Good morning, anyone have a basic cellphone PowerPoint investigation course for LE they would be willing to share?

Check out NDCAC for local training, they put one on with their CAST team utilizing CASTviz.

Sea9

Speaking of certifications and training, does anyone know if NCFI courses are exclusively available to law enforcement, or can people in the public sector enroll too?

You have to be working for a law enforcement agency if you wish to attend the examiner courses. I know a civilian examiner who works for a suburban agency just went to a few courses.

uochaos

Thumbs up or down if a channel for cell-site-analysis would be beneficial.

#cell-site-analysis the people have spoken

3

so, anyone had issues with Win accessing drives? weird one for me: writing to a USB pen last night and it balks, saying can't write to device. ok, usual crap, USB pen is dying, methinks.

12:16 AM

before bed, i'm copying a half full 2TB drive to another using PC-3000 as the first drive made a few odd noises. set it all going, went to bed at say 30%

12:17 AM

get up this morning, and it got not much further. error with Targte drive, not source. same as USB cannot create folder/file on target. coincidence?

are they on the same network?

12:20 AM

make a simple python server and transfer live over copper xD

its on the same machine (edited)

12:25 AM

and i get the speed/economy thing of Assembler/C/Python thing. i was nerding on Python. i can't barely write 10 lines of the stuff. Assembler for me goes back to programming PIC back in the 90s

Digitalferret

get up this morning, and it got not much further. error with Targte drive, not source. same as USB cannot create folder/file on target. coincidence?

Have you tried checking the USB drive for errors with chkdsk /x /f or by the drive Properties in Windows Explorer? I'd also uncheck the power management boxes for each of the USB Hubs in Device Manager, like this:

Xenotype

Have you tried checking the USB drive for errors with chkdsk /x /f or by the drive Properties in Windows Explorer? I'd also uncheck the power management boxes for each of the USB Hubs in Device Manager, like this:

properties are all good, but thanks. just odd that the same happened with a SATA connected drive, later

Digitalferret

properties are all good, but thanks. just odd that the same happened with a SATA connected drive, later

Hmm... Yeah, that's strange.

Xenotype

Hmm... Yeah, that's strange.

think i found the issue with the SATA copy. PC-3000 see's system files like $Extend and $RECYCLE.BIN - think Win was balking by protecting the ones already on there and preventing writes.

Digitalferret

think i found the issue with the SATA copy. PC-3000 see's system files like $Extend and $RECYCLE.BIN - think Win was balking by protecting the ones already on there and preventing writes.

Oh, that makes sense. Glad you found it out

can someone help me out with a plaso command? I've been banging my head against a wall trying to get this to work on a triage folder

10:57 AM

log2timeline.py -z 'Europe/Amsterdam' --parsers 'win7' plaso.dump /mnt/c/Users/User/Downloads/c70-AD-101/AD-101/Collection/D/

10:58 AM

but every time it returns unrecognized argument: /mnt/c/Users/User/Downloads/c70-AD-101/AD-101/Collection/D/

Digitalferret

its on the same machine (edited)

One line python -m http.server

11:27 AM

If you want a special port add it as an argument python -m http.server 8080

11:27 AM

Transfer files all day long.

Digitalferret

its on the same machine (edited)

Oh I just read that wrong. Same machine xD so I guess you don’t need a network then , just disk to disk. My bad

11:29 AM

ur on a python mission aren't you, lol.

Lol

11:32 AM

Sometimes the smallest details slip us by lmao (edited)

11:32 AM

Especially as you get older

11:32 AM

Even dudes in my dreams are calling me an old man now it’s wild.

Fierry

can someone help me out with a plaso command? I've been banging my head against a wall trying to get this to work on a triage folder

your version may require --storage_file

hmm let me try

e.g. log2timeline.py --parsers win7_slow --status_view none --storage_file /out/plaso.body /in

even the basic version

it was a recent change (during the pandemic, where time is a blur)

log2timeline.py plaso.dump AD.E01 didnt work

yeah throw --storage_file before your plaso intermediary file

11:35 AM

definitely not before the input data, or it will overwrite

11:35 AM

sorry it might be --storage-file not underscore

it worked

1

the --status_view none you can omit, that's just something I throw on when running inside a docker container to avoid filling up the docker logs

I'll update my documentation because even the log2timeline help textt doesnt include this in its default example (edited)

yeah... it did make it to their readthedocs but I think I ran into a similar thing with it not in the help text

https://plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html

11:39 AM

The command I used was adapted from the FOR508 courseware and i was really struggling to see why it didnt work

breaking changes seem to be a fact of life with a lot of these tools

11:40 AM

libbde versions required by plaso vs other tools frequently caused headaches for us in the past, which is why we run it in a docker container

11:41 AM

for bitlocker decryption

sounds like a good idea

nice on Rayeh

1

Eyyyy check this out https://forensic4cast.com/forensic-4cast-awards/2021-awards/

Lee Whitfield

2021 Awards

8:25 PM

Congrats on resource of the year @Andrew Rathbun

That was actually last years! 2022's has not been added to the site yet, but thanks

it was a threepeat for this community and that's all YOUR fault

8:27 PM

It's also confusing because even though the link you provided above says 2021, it's actually the awards for calendar year 2020, but those awards occur in 2021, yet they're called the 2021 awards but they're for calendar year 2020 haha

Lol

8:44 PM

Well preemptive congrats then

5

https://twitter.com/hacker_/status/1570582547415068672

Corben Leo (@hacker_)

Apparently there was an internal network share that contained powershell scripts... "One of the powershell scripts contained the username and password for a admin user in Thycotic (PAM) Using this i was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite"

Likes

410

Classic

Breach of the year so far I reckon

Today we made a Intel build as last time we used AMD https://ryd3v.rocks/posts/intelwrkstn I will post to GitHub asap

Intel Forensics Build

Ryan Collins, Software Engineer, teaching programming, development, React, Next.js

2

Did you see this? https://www.msn.com/en-au/video/sport/adelaide-man-challenging-nab-over-failure-to-act-on-scam-that-claimed-his-life-savings/vi-AA11YzeI?ocid=msedgdhp&cvid=42a3da908d734409b425b480e5e19a61 Spoofing Names, Gov/NAB should be responsible you get taught smishing/phising to look out for Tellsigns but this is almost hard to tell apart even for a Techincal person

Adelaide man challenging NAB over failure to act on scam that claim...

on another note how did them TA's manage to spoof SMS names like 'NAB'?

blkho

Did you see this? https://www.msn.com/en-au/video/sport/adelaide-man-challenging-nab-over-failure-to-act-on-scam-that-claimed-his-life-savings/vi-AA11YzeI?ocid=msedgdhp&cvid=42a3da908d734409b425b480e5e19a61 Spoofing Names, Gov/NAB should be responsible you get taught smishing/phising to look out for Tellsigns but this is almost hard to tell apart even for a Techincal person

thats nothing. twice in 3 months I've been spear phished over a property i own, from legal professionals. Actual Solicitors (attorneys) registered with professional trade bodies. they go to land registry and then send out speculative generic paperwork asking where i want papers served because <reason>.

Hello... Did anyone try to send any requests to Tutanova till now to find more info about some email accounts? I'm asking because I have seen they don't have any specific point of contact for law enforcement, just a regular email address for contact support.

ZetLoke77

Hello... Did anyone try to send any requests to Tutanova till now to find more info about some email accounts? I'm asking because I have seen they don't have any specific point of contact for law enforcement, just a regular email address for contact support.

this would indicate it's at least possible. https://tutanota.com/blog/posts/transparency-report/

8:22 AM

there's also <abuse@tutao.de>

1

hello! where to start mobile device forensics suggests me a book and practice material ( as cyber defenders, BTLO for Blue team content )

You can look around for some books for the basic concepts... I have "practical mobile forensics" on my shelf next to me. As far as current artifacts and how to interpret the trendy apps, find some blogs to follow. Smart folks are doing solid research all the time and I stand on their shoulders to work my cases.

10:14 AM

Also check out #training-education-employment . @stark4n6 has a great list of resources at https://start.me/p/q6mw4Q/forensics

Forensics - start.me

A startpage with online resources about Forensics, created by Stark 4N6.

3

Hello everyone, Any idea of what user manipulation can initiate a 4647 event id ?

What do you mean by manipulation? 4647 is the standard Windows User Logoff

Tcisaki

What do you mean by manipulation? 4647 is the standard Windows User Logoff

For example, when your session is locked, when you press "ctrl+alt+del" , you have any option to " disconnect" or "logoff". You just have the option to reboot, shutdown or sleep

CWolf

For example, when your session is locked, when you press "ctrl+alt+del" , you have any option to " disconnect" or "logoff". You just have the option to reboot, shutdown or sleep

So i was curious if there was any manipulation can create this event

can anyone help with a icloud SW... I got the production and downloaded all the gpg files. I now have a bash file to asssit in decompressing all the gpg files... I cant figure out the bash thing...

Any good book recommendations regarding NSIT CSF, FAIR, or just risk management in general? The ones I've seen had some reviews that have left me questionable

Jetten_007

can anyone help with a icloud SW... I got the production and downloaded all the gpg files. I now have a bash file to asssit in decompressing all the gpg files... I cant figure out the bash thing...

how exactly do you decompress a gpg key? usually those are not compressed in any way, do you mean jpg?

anyone ever come across Snagscope?

6:08 AM

Periscope capturing app before Periscope was shut down

Jetten_007

can anyone help with a icloud SW... I got the production and downloaded all the gpg files. I now have a bash file to asssit in decompressing all the gpg files... I cant figure out the bash thing...

are you using the script provided by Apple? If so have you set up all the pre-requisites in the Read Me document they provide? Once you do that, the script should work great. It will download all the GPG files, unencrypt them, and then unzip all the zip files and then delete all the .zip files. You don't even need to download all the .gpg files manually first.

So Snapchat for Web seems to be a new thing that’s just launched. Text only but potentially a food source of evidence, especially given how elusive Snapchat can be to investigators

Hey guys, how does one find lateral movement with Event logs?

8:38 AM

Can it be done?

0xSxS

Hey guys, how does one find lateral movement with Event logs?

RDP events (TS-LSM: 21, 24, 25) can show connect, disconnect, and reconnect events. We use that all the time in IR to track where the threat actor has gone within the environment with compromised accounts

APFS test image? Anyone got one? Need one to validate software. Don’t want to reinvent the wheel if someone already has a good one.

What would be the best way to upload NIST hashset to PA? I can't view the entire list on excel so worried I may lose data after converting the file from .txt to .csv and removing the duplicates from excel

thatboy_leo

What would be the best way to upload NIST hashset to PA? I can't view the entire list on excel so worried I may lose data after converting the file from .txt to .csv and removing the duplicates from excel

You don't need to convert from txt to csv. Just select text then point to the txt file.

1

Has anyone had any experience analysing the /log/sdp_log file within Android? or does anyone have any useful resources to help digest what all of the logs mean?

1:28 AM

I am currently looking to identify whether a device had a lock on it at a specific date/time (not when the extraction itself was completed). So figured this is going to be the best place to start albeit I cannot find much documentation online as to how to analyse it.

Is It Done Yet?

Has anyone had any experience analysing the /log/sdp_log file within Android? or does anyone have any useful resources to help digest what all of the logs mean?

#mobile-forensic-decoding

Looking for suggestions for Forensic Case Management systems. We presently pay for a product, but are looking to see if there is anything else out there for tracking cases. I am looking for a product that will track the case, devices, software/hardware used, hours, etc. Any suggestions? I know a lot of people use custom made software, but we are not in a place to make our own. I have numerous spreadsheets I am using currently, to validate the case management system we currently own. However, I am looking for something which is customizable and allows me to run reports to obtain my data. TIA

sholmes

Looking for suggestions for Forensic Case Management systems. We presently pay for a product, but are looking to see if there is anything else out there for tracking cases. I am looking for a product that will track the case, devices, software/hardware used, hours, etc. Any suggestions? I know a lot of people use custom made software, but we are not in a place to make our own. I have numerous spreadsheets I am using currently, to validate the case management system we currently own. However, I am looking for something which is customizable and allows me to run reports to obtain my data. TIA

Theres a lot of them out there. Magnet has Atlas, cellebrite has one I can't remember the name. Monolith has been good when Ive used it and it's a bit cheaper than atlas from memory.

randomaccess

Theres a lot of them out there. Magnet has Atlas, cellebrite has one I can't remember the name. Monolith has been good when Ive used it and it's a bit cheaper than atlas from memory.

Thanks for that info. I looked into Atlas, and that is a bit more than what I want. I don't need the ability to collaborate on cases in an application. I am looking for something more along the line of a case tracking system, which will document chain of custody, examiner notes on cases, software/hardware used on each device in a case, etc. I hadn't checked into Monolith before. It might be more in line with what I am thinking. They are VERY proud of their product at $1,200 per user. Not sure what their enterprise fees are, but it might be worth reaching out to them.

@randomaccess have you ever heard of Lima software?

sholmes

@randomaccess have you ever heard of Lima software?

Heard of, never used

1

sholmes

Thanks for that info. I looked into Atlas, and that is a bit more than what I want. I don't need the ability to collaborate on cases in an application. I am looking for something more along the line of a case tracking system, which will document chain of custody, examiner notes on cases, software/hardware used on each device in a case, etc. I hadn't checked into Monolith before. It might be more in line with what I am thinking. They are VERY proud of their product at $1,200 per user. Not sure what their enterprise fees are, but it might be worth reaching out to them.

Search Kirjuri Forensic

1

JBGA-BR

Search Kirjuri Forensic

This Kirjuri? Archived and hasn’t been updated in 2 years.

Hey everyone, I majored in IT and minored in DF in Minnesota. For my DF minor I read allot about computer law and I feel fairly strong on the basics from an academic standpoint. After one of my law classes I asked the professors about how several websites I had noted which host probably millions of copyrighted games, software or books in digital format can still exist. However, the professor basically chose not to answer. The only thing I see mentioning copyright is a link labeled DMCA at the bottom of the page that brings one to a disclaimer which basically states: "if you are the copyright owner of something here, please make a formal request if you'd like it taken down". My question was how does a mere disclaimer behind a link affect the legality of such a website to operate? (edited)

Caleb

Hey everyone, I majored in IT and minored in DF in Minnesota. For my DF minor I read allot about computer law and I feel fairly strong on the basics from an academic standpoint. After one of my law classes I asked the professors about how several websites I had noted which host probably millions of copyrighted games, software or books in digital format can still exist. However, the professor basically chose not to answer. The only thing I see mentioning copyright is a link labeled DMCA at the bottom of the page that brings one to a disclaimer which basically states: "if you are the copyright owner of something here, please make a formal request if you'd like it taken down". My question was how does a mere disclaimer behind a link affect the legality of such a website to operate? (edited)

Sometimes the DMCA related contact is just for show. One revenge porn matter I worked on the site owner gave zero response and never had any intent of honoring any request. Some sites will adhere while others might respond like the PirateBay team used to by saying that they do not fall under antiquated US law and (loophole) they did not physically host any copyrighted data. The documentary on it all is quite interesting and is on YouTube. The Aaron Schwartz doc is also worth a watch RE copyright.

I recently did some pen test ctf and where I got shell as ‘www-data’ on linux machine. After the ctf I got thinking of this from a forensic perspective, is the commands run as www-data stored anywhere?

d0uch3bag

I recently did some pen test ctf and where I got shell as ‘www-data’ on linux machine. After the ctf I got thinking of this from a forensic perspective, is the commands run as www-data stored anywhere?

Shell history.

Deleted User

Shell history.

Where is that file stored for www-data? (For normal user I know about the .bash_history file) but for other users?

d0uch3bag

Where is that file stored for www-data? (For normal user I know about the .bash_history file) but for other users?

Should be home dir unless I am missing something. The sys log should also capture events.

Does www-data have a home dir ?

(edited)

11:29 PM

I never encountered it thus far

Not usually, just a user that is created to run the web server with low priv instead of running as root

That’s my thought too but I’m happy to be proven wrong

(edited)

11:30 PM

It’s always nice to get new artifacts

@Fierry ye same here. Will try and look into this a bit more once I get the time to do it

this is maybe a stupid question, but #rules says i need to read #readme and post in #role-assignment for complete access to the discord server, but i do not see either of those channels. what am i missing?

Fierry

Does www-data have a home dir ?

(edited)

var

That’s a probable path to the logging folder

is it a linux box?

namreeb

this is maybe a stupid question, but #rules says i need to read #readme and post in #role-assignment for complete access to the discord server, but i do not see either of those channels. what am i missing?

You just have to read the rules, then select role

ryd3v

You just have to read the rules, then select role

all good, he couldn't see the chans. fixed our side

5

ryd3v

is it a linux box?

Yes, its a linux box

sholmes

@randomaccess have you ever heard of Lima software?

I used to use this in my old organisation, worked well but I am not sure of their pricing models now. I don't remember it being expensive though! I will also add, it formed a large part of our ISO 17025 accreditation and met the requirements for that pretty well. (edited)

1

sholmes

@randomaccess have you ever heard of Lima software?

I think our lab uses this but I've never used it

1

What is y'alls preferred methods/tools for on-scene mobile device triage?

10:02 AM

Our current method is either manual preview (not ideal) or dumping the phone with Cellebrite, opening dump in Physical Analyzer, tagging the necessary artifacts, creating a quick report, copying to results flashdrive, and giving to Agent so they can obtain arrest warrant. With how big phones are getting, that has started to take way too long, even if we do a logical partial and limit to Photos and Videos. Is there a tool out there that would make this process faster or easier? For mobile devices, most of the time we're mostly focusing on pictures and videos. (CSAM). Applications, chats, and web history are of secondary interest too.

RyanB

What is y'alls preferred methods/tools for on-scene mobile device triage?

https://www.cyacomb.com/

Cyacomb

1:02 PM

https://www.adfsolutions.com/mobile-device-forensics

The best Mobile Device Forensics Tools for smartphones and tablets

ADF Solutions makes the best mobile device forensics tools for smartphone and tablet triage with instant mobile preview, screenshots and fast phone imaging

1:04 PM

For reference I have only used Cyacomb in a trial capacity - but the concept is intriguing

Both good tools, but as with all approaches relying on some form of Hash/PhotoDNA matching, you will miss a lot of CSAM when only relying on those methods (anything first gen, anything modified too much, anything not in your version of the hash DB (CAID, VIC etc). We are soon to release a new CSAM classifier which reaches 80% + CSAM recall with low false positives (we can get close to 100% but the FP increases, so this is a trade off) - in my opinion going forwards, people should be thinking about combining hash/pDNA and classifier methods together, to limit the chance of missing a lot of stuff on that initial scan.

Anybody know a good solution for offline version virustotal or similar?

d0uch3bag

Anybody know a good solution for offline version virustotal or similar?

Virustotal polls something like 70 AV programs, not sure how you'd do that offline unless you also had that many

d0uch3bag

Anybody know a good solution for offline version virustotal or similar?

There is/was Malice. The repo has been archived though.

https://github.com/maliceio/malice

GitHub - maliceio/malice: VirusTotal Wanna Be - Now with 100% more ...

VirusTotal Wanna Be - Now with 100% more Hipster. Contribute to maliceio/malice development by creating an account on GitHub.

d0uch3bag

Anybody know a good solution for offline version virustotal or similar?

Irma is still active. https://irma-oss.quarkslab.com/index.html

IRMA

how do these work offline if it's showing need to upload files? are you hosting your own (VT clone) essentially?

Digitalferret

how do these work offline if it's showing need to upload files? are you hosting your own (VT clone) essentially?

https://irma.readthedocs.io/en/latest/install/requirements.html#hardware-requirements

yep, ELI5 though? are you essentially hosting your own Virustotal type server and then linking to live databases online? trying to get my head round this as a lot of AV's now still have to d/l defns from the web.

Does Microsoft 365 business Premium have any out of the box audit logging? An account has been abused to send phishing mails but the client doesnt seem to have it set up :/ so no UAL (edited)

6:32 AM

Alternatively, are there any other logging sources I can use to track mail activity? (edited)

Is It Done Yet?

For reference I have only used Cyacomb in a trial capacity - but the concept is intriguing

I’m familiar with ADF so I reached out for a trail of the mobile version. Haven’t gotten it yet. Hadn’t heard of Cyacomb though, so thank you for that! I will reach out to them for a trial.

does anyone use any kind of over-arching timelining tools?

10:20 AM

so ingesting from multiple sources to create a central timeline of events

Does anyone know what this small pouch is for? Headphones? Makeup? (Or, maybe it's just a generic pouch.) Google has not been helpful, so far at least.

Sudo

does anyone use any kind of over-arching timelining tools?

Plaso can work well for that. (edited)

Arsenal

Does anyone know what this small pouch is for? Headphones? Makeup? (Or, maybe it's just a generic pouch.) Google has not been helpful, so far at least.

I think it's the 24-7 bag from flip & tumble. It's opens to a full-sized pouch. https://flipandtumble.com/products/24-7-bag?variant=23709218051

1

5cary

Plaso can work well for that. (edited)

yeah I was looking at that but not sure it'll do what I'm lookin for

laurenw

I think it's the 24-7 bag from flip & tumble. It's opens to a full-sized pouch. https://flipandtumble.com/products/24-7-bag?variant=23709218051

That’s almost certainly it… in compact form it looks identical to the evidence photo. Thank you!

Sudo

so ingesting from multiple sources to create a central timeline of events

Multiple sources as in multiple hosts?

12:53 PM

As an alternative I think you can monitor certain folders and kick of a script as soon as a file enters the directory

12:53 PM

And kick of another script when a plaso.dump file is created etc

Another alternative would be case management software. A free tool is Aurora which allows you to manage a case, create notes, track lateral movement and create an overall manual timeline

Fierry

Multiple sources as in multiple hosts?

forensic tool exports

1:14 PM

CSVs probably

CSV files can be imported by Aurora. I think you need to match a certain format but that’s doable with scripting

1:16 PM

I’m unsure if plaso can take the values contained within the CSV and use those as data. Most likely not

1:17 PM

Another tool ( this one I haven’t used) is the hive https://thehive-project.org/

TheHive Project

Scalable, Open Source Security Incident Response Solutions designed for SOCs & CERTs to collaborate, elaborate, analyze and get their job done

thanks!

1:19 PM

I figured I might have to ingest or convert with python

1:19 PM

but most of the tools do export the date in the same format I think

Finally some standardization

Sudo

CSVs probably

What about Timesketch? https://osdfir.blogspot.com/2022/09/timesketch-header-mapping-for-csv.html?m=1

Open Source DFIR

Timesketch, Header Mapping for CSV imports Introduction Timesketch is an open-source tool for collaborative forensic timeline analysis. T...

Ooh nice

1:05 AM

That’s a really recent blog

Hello, everyone

5:50 AM

I'm a newbie, want a help please

juba0x00 🇵🇸

I'm a newbie, want a help please

Can you be a little more specific?

Beercow

Can you be a little more specific?

I want to start studying Digital Forensics, Could you please suggest me a good road map. Should I study Microsoft Certified Solutions Associate and Certified Network Defender before starting Digital Forensics ? (edited)

juba0x00 🇵🇸

I want to start studying Digital Forensics, Could you please suggest me a good road map. Should I study Microsoft Certified Solutions Associate and Certified Network Defender before starting Digital Forensics ? (edited)

What do those acronyms mean? Just so we are on the same page. They can mean different things to different people

Andrew Rathbun

What do those acronyms mean? Just so we are on the same page. They can mean different things to different people

Sorry, I've edited the message

Well, to be honest, what area of forensics are you looking to get into? Forensics is a pretty broad field. Are you thinking network, endpoint, cloud, etc… These can also be broken down further.

Could Digital Forensics be my first job, or Digital Forensics is not an entry-level job and I should have an experience in Cyber Security ?

I can recommend a broad base of Linux/Windows, networking and general sysadmin knowledge

1:44 AM

Also, digital forensics can be done in law enforcement and incident response. Both cover different fields and generally handle different types of cases

juba0x00 🇵🇸

Could Digital Forensics be my first job, or Digital Forensics is not an entry-level job and I should have an experience in Cyber Security ?

I’m probably not the best person to answer this because I kind of lucked out. I went from building doors, going back to school, then interning on a soc. They hired me on and invested in their people. I was able to take SANS courses and hear I am.

Yep, SOC is a good way to get into it

Beercow

I’m probably not the best person to answer this because I kind of lucked out. I went from building doors, going back to school, then interning on a soc. They hired me on and invested in their people. I was able to take SANS courses and hear I am.

Also you have an affinity for pulling apart binary formats and writing tools

so not entirely luck

1

Is there a good detailed road map you would suggest please @Fierry @randomaccess @Beercow

My biggest thing is genuine curiosity. In other words, not just using a tool, running a command, pushing a button. Why is it telling me this, where is the data coming from.?

3

juba0x00 🇵🇸

Is there a good detailed road map you would suggest please @Fierry @randomaccess @Beercow

I can give you the roadmap I followed. The only thing planned in this was a general IT education everything else kinda just happened:

General IT education
Did a bachelor focused on computer networks with a major in digital forensics
did a masters in criminology
Joined a DFIR/SOC employer
Switched to pentesting for a few years
Now combining the two fields

1

Beercow

My biggest thing is genuine curiosity. In other words, not just using a tool, running a command, pushing a button. Why is it telling me this, where is the data coming from.?

Seconded

2

There is no roadmap

2:31 AM

There's a variety of paths

dig, dig, dig, dig. school report as a kid said i had "an unquenchable thirst for knowledge" - PC speak for an irritatingly and irrepressably nosey bastage of a kid (edited)

I went University straight into law enforcement df lab

2:32 AM

But some fall into it after working in IT as an admin etc

I think it's very important to not spending too much energy into thinking how exactly to get into the field but rather spending that energy more on actually doing something in this field. As with many things in life there is no shortcut here and really spending time reading on the subject, trying tools or playing ctf is going to be much more valuable than any given "get into the field fast" approach.

2

Agree, there is no roadmap per say. Example of curiosity. Did a deep dive on Symantec Quarantine files because there were issues where some would not get decrypted. For years there was thought to be only two types and discovered a third. Left with a better understanding of the format and figured out in some cases, there was extra data around the binary being quarantined. Fairly confident that 99.9% of Symantec’s quarantine files can be decrypted now. It was endless hours looking in a hex editor like watching Netflix’s because no one was going to do it for me. Be curious!

2:43 AM

Sorry. Kind of long.

basically, good advice from all. get your hands dirty. to excel you really need to have a pathological need to find things out, uncover, discover, enjoy puzzles etc.

7

2:47 AM

FOSS, free tools, drives from craigs/ebay etc

And if you happen to find company data, notify the company in a proper way

Fierry

And if you happen to find company data, notify the company in a proper way

i'd say just wipe it, there are some complete sh*t's of companies (and individuals) out there, especially one's like banks that don't want any indication that they have insecurities. They will wipe the floor with you, even with your well intentioned communications. the news is littered with such stories. but yeh confidentiality (edited)

Digitalferret

i'd say just wipe it, there are some complete sh*t's of companies (and individuals) out there, especially one's like banks that don't want any indication that they have insecurities. They will wipe the floor with you, even with your well intentioned communications. the news is littered with such stories. but yeh confidentiality (edited)

this

Good point

My degrees are in Criminal Justice, Sociology, and Human Resources Administration. There's absolutely no right or wrong way to get into this field. What you do now and moving forward is more important than what you've done in the past IMO. Also, luck = preparation meets opportunity. Make your own luck by doing things in the meantime while that opportunity has yet to present itself, and it will. Learn some coding. Make a simple parser. Research an artifact and blog about it. Do one of those things a few times and boom you've made a name for yourself. Doors will open and people will want to work with you

https://12ft.io/ - paywall bypass

12ft – Hop any paywall

Show me a 10ft paywall, I’ll show you a 12ft ladder.

@juba0x00 🇵🇸 and to @Andrew Rathbun point about blogging. Don’t worry about people saying “it’s already been done before.” (they usually don’t put out content or are trying to be gatekeepers) Do it to document your learning and what you are capable of. Who knows, you might find something that has been overlooked or misinterpreted.

2

Just cause it’s been done before doesn’t mean you can’t do it better

Beercow

@juba0x00 🇵🇸 and to @Andrew Rathbun point about blogging. Don’t worry about people saying “it’s already been done before.” (they usually don’t put out content or are trying to be gatekeepers) Do it to document your learning and what you are capable of. Who knows, you might find something that has been overlooked or misinterpreted.

Thank you

2 of the most used excuses to avoid work usually at management meetings and from old gnarly ne'er-do-wells We can't do this because 1: it has been done before. or 2: it has not been done before.

4

Good morning community. I am new!

8:52 AM

I am taking a cyber sec program focused for penetration testers and love it so far!

8:55 AM

I came looking for forensics because it is something that interests me and cause I have tons of questions

BabyRaptorJesus

I came looking for forensics because it is something that interests me and cause I have tons of questions

You’ve come to the right place

1

I had seen you were recently promoted? Congrats! Thanks for the welcoming! Say, I have a question about data recovery, is it okay to just shoot away in that channel? Cheers!

9:00 AM

It is about a personal matter

9:00 AM

or device

BabyRaptorJesus

I had seen you were recently promoted? Congrats! Thanks for the welcoming! Say, I have a question about data recovery, is it okay to just shoot away in that channel? Cheers!

Cheers. Yeah if you’ve got specific questions there are several channels.

Great!

BabyRaptorJesus

It is about a personal matter

How do you mean exactly? Is it for personal study?

well yes, tbh. but more specifically I have a personal usb device, and I lost some data on it, and I have to recover it somehow.

9:01 AM

So its not school related*

9:02 AM

I will be asking my professors tomorrow, first day of the fall term yea! But I thought maybe I can ask here too.

9:04 AM

There is so much to learn here, I am amazed tbh how much there is to computerization. Tomorrow I will be starting routing and switching, and Tuesday is python and sql. I just passed my linux intro and cisco intro networking, as well as web / Internet infrastructure and wireless security, which was super fun imo. I never knew how complex and detailed, or deep this subject has gotten.

9:05 AM

My goal is to earn myself a 2 year degree to start, at my local community college.

9:06 AM

I may start making websites or something on the side, maybe take an internship with something security related, I really don't know. I have already went to school twice for other professions, Im middle aged now. No rush, just fulfilling a desire to understand more about computers and in time, earn myself a new career within the subject, somewhere . . . hehe

BabyRaptorJesus

well yes, tbh. but more specifically I have a personal usb device, and I lost some data on it, and I have to recover it somehow.

I think we had a similar discussion for that a while back, check #computer-forensics

1

Okay, I will do this. I appreciate the tip! And good luck with your new duties as moderator Matt!

cheers

1

anyone know any good OSINT (or cheap proprietary) resources for bitcoin address attribution that don't cost $1000? chainalysis reactor and ciphertrace both cost $1000 (edited)

@michael` I am curious, I can only find information regarding attribution analysis in terms of marketing, or market performing for traders, investors, etc. Wallet attribution is what, exactly?

BabyRaptorJesus

@michael` I am curious, I can only find information regarding attribution analysis in terms of marketing, or market performing for traders, investors, etc. Wallet attribution is what, exactly?

for example, law enforcement does wallet attribution to identify the addresses of criminal organizations

cool

1:02 PM

I don't know anything about this, sorry bud lol I wish I could help. Im reading an article right now about tracking crypto transactions for real world attribution.

1:03 PM

How do these tools work? They find unique patterns or identifiers and they are assigned attributes and possibly, software analyzes them to formalize patterns, tell where the money came from, possibly where its going?

1:03 PM

https://crystalblockchain.com/investigations/tracking-crypto-transactions-for-real-world-attribution/

Tracking crypto transactions for real-world attribution

Extortion never pays off in crypto. Here are some of the ways that blockchain analytics can be used to track crypto transactions.

BabyRaptorJesus

I don't know anything about this, sorry bud lol I wish I could help. Im reading an article right now about tracking crypto transactions for real world attribution.

thanks for trying. I'm sure there's decent research on wallet attribution somewhere

@michael` I will ask my teachers tomorrow at school.

BabyRaptorJesus

@michael` I will ask my teachers tomorrow at school.

thank you!

michael`

for example, law enforcement does wallet attribution to identify the addresses of criminal organizations

Try https://www.breadcrumbs.app/ but it won’t have the same datasets as a tool like Chainanalysis. They will cluster wallets together and some will be flagged eg for terrorism or ransomware gangs. Here is a list of sanctioned wallets as an idea: https://www.opensanctions.org/search/?q=Bitcoin%20

Breadcrumbs - Blockchain Investigation Tool

Breadcrumbs is a blockchain analytics platform accessible to everyone. It offers a range of tools for investigating, monitoring, tracking and sharing relevant information on blockchain transactions.

Search OpenSanctions

Provide a search term to search across sanctions lists and other persons of interest.

IOS 16 FFS ?? anyone ..... we have a school threat with an airdrop image I would like to get info from. We have the passcode but looking for ideas on how to pull the data so we can look at AirDrop artifacts.

Dunebug

I’m familiar with ADF so I reached out for a trail of the mobile version. Haven’t gotten it yet. Hadn’t heard of Cyacomb though, so thank you for that! I will reach out to them for a trial.

Hi There if you haven any questions on Cyacomb Forensics please feel free to DM me

DCSO

IOS 16 FFS ?? anyone ..... we have a school threat with an airdrop image I would like to get info from. We have the passcode but looking for ideas on how to pull the data so we can look at AirDrop artifacts.

Grab the syslogs and use rleapp on it. @Brigs made a parser for it regarding ios airdrop. It was a collaboration with... cant recall her name. Edit: gforce4n6 dot blogpost dot com. (edited)

1

florus

Grab the syslogs and use rleapp on it. @Brigs made a parser for it regarding ios airdrop. It was a collaboration with... cant recall her name. Edit: gforce4n6 dot blogpost dot com. (edited)

Thanks, i just saw this article. We might have to do that. Thanks !

1

really odd question here, is there any practical use cases of smart TV forensics, like what kind of information can it prove or validate in this use case ? Only reason I can think is intellectual property theft and pirating streams etc. (edited)

$CozyBear

really odd question here, is there any practical use cases of smart TV forensics, like what kind of information can it prove or validate in this use case ? Only reason I can think is intellectual property theft and pirating streams etc. (edited)

Mh that's an odd one indeed. But I could think of analysing "time in use" or devices that were used for casting media onto the tv? Since they sometimes come with microphones, maybe they even store some recordings on the device? But that is pure speculation of me rn tbh.

$CozyBear

really odd question here, is there any practical use cases of smart TV forensics, like what kind of information can it prove or validate in this use case ? Only reason I can think is intellectual property theft and pirating streams etc. (edited)

I'm neither an LE person nor a lawyer but I'm pretty sure pirating streams would never result in a criminal investigation including digital forensics

einwickler

I'm neither an LE person nor a lawyer but I'm pretty sure pirating streams would never result in a criminal investigation including digital forensics

majority of the people who pirate streams are under suspicion of IP theft leading to illegal broadcast revenue :)

11:09 AM

Staying along the lines intellectual property theft and DF I would assume most modern smart TV's run like ubuntu OS, Android TVs, Firefox os, from what I've read people can reverse engineer STBs (set top boxes) but I'm wondering if a forensic analysis went under to identify or to prove if these video streams being pirated were actually being watched or coming from that origin (IP of the smart TV, history of video stream) but I can't seem to really validate this ????

11:09 AM

https://www.fact-uk.org.uk/six-men-sentenced-for-virgin-media-set-top-box-piracy-ring/

FACT

Six men sentenced in Virgin Media piracy | FACT

Six men have been handed prison sentences for their part in a multi-million piracy ring which allowed thousands of people to watch Virgin Media for free.

it will most likely be looking at browser history, proving a person was in the house at the time, etc

this is where my question came from ^ https://www.fact-uk.org.uk/four-years-and-six-month-jail-sentence-for-pirate-tv-supplier/ (edited)

Eddy Leviten

Four years and six-month jail sentence for pirate TV supplier | FACT

On 16 June 2022 at Minshull Street Crown Court, Manchester, Michael Hornung, formerly of Hyde, Greater Manchester was sentenced to four years and six months imprisonment following conviction by a jury…

LE can get connections records from your ISP if they so choose

11:12 AM

you'll also get installed apps on the box, assuming an image can be made at all

$CozyBear

really odd question here, is there any practical use cases of smart TV forensics, like what kind of information can it prove or validate in this use case ? Only reason I can think is intellectual property theft and pirating streams etc. (edited)

in any potential crime scene, any and all material could be critically useful as evidential material. one would have to know how and what is recorded (in order to train <our> voice recognition.) but i understand some tv manufacturers have advised customers not to mention "sensitive" material in front of the TV. i can imagine this for violence/cruelty cases where audio could incriminate or clear parties involved. how one would retrieve that material is another matter

they generally don't go after customers who paid for this either (as far as they know, it was legal). it's up to the person providing the content to license it. If you're just watching, you don't know if it is licensed

recent child cruelty/murder case in UK used (i think) the miscreants own phones/securtiy cam footage?

$CozyBear

https://www.fact-uk.org.uk/six-men-sentenced-for-virgin-media-set-top-box-piracy-ring/

Okay so they configured those stb and sold them. So why would LE analyse the TVs of the suspects? Or are you talking about the customers who bought these custom stbs? I don't really see a reason to analyse any TV regarding these type of crimes tbh. Am I missing something?

Digitalferret

in any potential crime scene, any and all material could be critically useful as evidential material. one would have to know how and what is recorded (in order to train <our> voice recognition.) but i understand some tv manufacturers have advised customers not to mention "sensitive" material in front of the TV. i can imagine this for violence/cruelty cases where audio could incriminate or clear parties involved. how one would retrieve that material is another matter

I mean you could a chip off forensics, as smart TVs incorporate eMMc chips, which require manual De-soldering to remove and then analyse the data to identify origin of the pirate stream in the context of intellectual property theft (edited)

what does it store?

ya, it won't be easy and definitely not doing it for all the subscribers when the service providers are who you really want anyway

ur all talking piracy? if it's a recording device data have to be stored someplace

Digitalferret

in any potential crime scene, any and all material could be critically useful as evidential material. one would have to know how and what is recorded (in order to train <our> voice recognition.) but i understand some tv manufacturers have advised customers not to mention "sensitive" material in front of the TV. i can imagine this for violence/cruelty cases where audio could incriminate or clear parties involved. how one would retrieve that material is another matter

I totally agree to this

️

Digitalferret

ur all talking piracy? if it's a recording device data have to be stored someplace

piracy and the use case of forensics, how would you forensically identify piracy from a SmartTV to aid intellectual property theft from a cybercrime perspective. I often read news on piracy about these pirates get fined £200,00 and get 4 years of jail time (edited)

11:19 AM

through the use of set top boxes, though they never go into any technical detail (edited)

Digitalferret

what does it store?

I would assume network related information as they are smartTVs. Just finding article so everyone can read about it xD. (edited)

i'm making like the progressive undertaker: thinking outside the box. film piracy for me is pretty low on any real criminality prio list. and given the heinous means some Co's went to in order to frighten people with speculative prosecution letter, afaic they can burn

11:22 AM

potential recordings of real crime activity can be trawled from almost any source, but given tVs record sound, it makes it a potential gold mine. what of those with cameras?

my main advice on imaging iot type things is "try your hardest to never have to be that guy". but I understand it may already be too late for a lot of people, in which case, I'm sorry

1

Sha1_4n6

my main advice on imaging iot type things is "try your hardest to never have to be that guy". but I understand it may already be too late for a lot of people, in which case, I'm sorry

nothing more than a chance to excel

1

Digitalferret

i'm making like the progressive undertaker: thinking outside the box. film piracy for me is pretty low on any real criminality prio list. and given the heinous means some Co's went to in order to frighten people with speculative prosecution letter, afaic they can burn

That's why I said I think piracy (as normal "user" and not distributor) will never result in digital forensics. It's just not worth it

1

Digitalferret

i'm making like the progressive undertaker: thinking outside the box. film piracy for me is pretty low on any real criminality prio list. and given the heinous means some Co's went to in order to frighten people with speculative prosecution letter, afaic they can burn

https://www.fact-uk.org.uk/illegal-streaming-service-shut-down-and-man-arrested/ https://www.itv.com/news/granada/2022-09-14/man-flees-after-conviction-for-illegal-pay-per-view-for-set-boxes - I guess how these LE agencies identify the source of these pirates stream using DF from set top boxes will a journey of my own field; I will write up article if I do manage to find something :) Here's an interesting read for everyone enjoy. (edited)

Eddy Leviten

Illegal streaming service shut down and man arrested | FACT

A West Mercia police operation working closely with FACT have arrested a man in Shrewsbury in connection with suspected illegal streaming of premium television channels, and other copyrighted material.

Man flees after conviction for illegal 'pay-per-view' for set boxes...

A man from Tameside has fled to Cyprus after his conviction for selling illegal 'pay-per-view' set boxes | ITV News Granada

einwickler

That's why I said I think piracy (as normal "user" and not distributor) will never result in digital forensics. It's just not worth it

agreed, the distributor is the victim or often the ring leader of the organised pirate groups. (edited)

multi million dollar organised crime industry around all that - argument is that co's lose revenue. but not if folks have turned to piracy bc they couldd't afford the sevices anywya

Digitalferret

multi million dollar organised crime industry around all that - argument is that co's lose revenue. but not if folks have turned to piracy bc they couldd't afford the sevices anywya

Agreed but piracy is much a bigger issue then affording services, people often generate profit for themselves whilst everyone pays for paid subscription, organised ring leaders make business out of it because it's an easier option and also by fooling victims through social engineering to perform credential theft. Operation 404 is one of the first known piracy groups to undergo piracy theft in the metaverse (whilst I dangerously stay from that crap, it's still rather interesting) (edited)

11:39 AM

https://izoologic.com/2022/07/05/brazils-operation-404-hunted-malicious-sites-and-piracy-apps/#:~:text=In%20related%20news%2C%20the%20currently%20vague%20concept%20of,illegal%20broadcast%20channels%20and%20deactivate%2090%20pirated%20videos.

iZOOlogic

Brazil’s Operation 404 hunted malicious sites and piracy apps

The joint effort of Brazil and the US authorities dubbed Operation 404 had approached its fourth wave, seizing hundreds of piracy sites worldwide.

einwickler

Okay so they configured those stb and sold them. So why would LE analyse the TVs of the suspects? Or are you talking about the customers who bought these custom stbs? I don't really see a reason to analyse any TV regarding these type of crimes tbh. Am I missing something?

I didn't see this, pirates who buy custom STBs and sell them and have then have access to all premium channels. Here's what I mean on reverse engineering stbs. https://www.youtube.com/watch?v=lhbSD1Jba0Q (edited)

media.ccc.de

How Do I Crack Satellite and Cable Pay TV? (33c3)

I got what you meant by that. I just don't see why this would involve analysing smart tvs in an investigation if the crime itself lies more in the "cracked" stbs? But maybe we are just still talking about different things

einwickler

I got what you meant by that. I just don't see why this would involve analysing smart tvs in an investigation if the crime itself lies more in the "cracked" stbs? But maybe we are just still talking about different things

very good point, but they do go hand in hand just like we need multiple sources of investigative sources other then carrying out a cell site analysis of mobile phones, not sure if that's a good analogy. Manage to find this, very interesting stuff. https://www.dataforensics.org/smart-tv-forensics/ (edited)

Dexter Morgan

Smart TV Forensics Implementation For Data Acquisition

This article explains and guide to perform the Smart TV Forensics operation. Explains the method to extract data from a Smart TV

$CozyBear

Agreed but piracy is much a bigger issue then affording services, people often generate profit for themselves whilst everyone pays for paid subscription, organised ring leaders make business out of it because it's an easier option and also by fooling victims through social engineering to perform credential theft. Operation 404 is one of the first known piracy groups to undergo piracy theft in the metaverse (whilst I dangerously stay from that crap, it's still rather interesting) (edited)

not ikely to catch those on smart tv tho. bit like prosecuting individual dope smokers

$CozyBear

I didn't see this, pirates who buy custom STBs and sell them and have then have access to all premium channels. Here's what I mean on reverse engineering stbs. https://www.youtube.com/watch?v=lhbSD1Jba0Q (edited)

years back, an actual mate, did the pirate sky tv cards. loophole was that he made the circuit boards with an unpopulated DIL socket for a PIC micro. sold it as "educational" but folks then just went on newsgroups and d/l the code to a PIC. hey presto. 50c circui boards selling for $50. he was approaching a million GBP in the end. then he got greedy and started ripping into set top boxes and got busted big time

12:09 PM

another mate, impressed by how much a dude just made down the pub, realised i had all the PIC kit (uni stuff) and could program a bit. said the guy cleared 40 boards at £100 inside minutes. i declined. said, what do you think is gonna happen the following week when Sky shut the codes down and all those punters are left with dead cards and 100 out of pocket.

weeks and months later you had punters, who actually knew they were defrauding SKY, complaining on TV news how they'd been ripped off bby the shops selling them

(edited)

3

Digitalferret

another mate, impressed by how much a dude just made down the pub, realised i had all the PIC kit (uni stuff) and could program a bit. said the guy cleared 40 boards at £100 inside minutes. i declined. said, what do you think is gonna happen the following week when Sky shut the codes down and all those punters are left with dead cards and 100 out of pocket.

weeks and months later you had punters, who actually knew they were defrauding SKY, complaining on TV news how they'd been ripped off bby the shops selling them

(edited)

that's some crazy stuff, I would assume those would be called Anti Piracy numbers they flash on the screen do identify the origin of the STBs location allowing them to shut down the operations of piracy streaming : ) acts a forensic watermarking technology, interesting enough that's very slowly moving to the DF world for the use CSAM identification but in China though, it's still a experimental theory for now as its does require machine learning. (edited)

https://www.digitalinformationworld.com/2022/09/social-media-apps-in-china-are-adding.html?m=1

Social Media Apps In China Are Adding ‘Hidden Watermarks’ To Screen...

After the screenshot had been outlined, users were quick to notice how a few modifications to tones and hues provided a long string of digits.

1:30 PM

not exactly csam, do apologise.

does ciphertrace allow sharing of purchased licenses?

DCSO

IOS 16 FFS ?? anyone ..... we have a school threat with an airdrop image I would like to get info from. We have the passcode but looking for ideas on how to pull the data so we can look at AirDrop artifacts.

GK should have their support for 16 out soon. Not sure about Premium...

$CozyBear

really odd question here, is there any practical use cases of smart TV forensics, like what kind of information can it prove or validate in this use case ? Only reason I can think is intellectual property theft and pirating streams etc. (edited)

I know your general conversation went down the rabbit hole of piracy and IP theft, but here is one real world case that used smart TV forensics. https://discord.com/channels/427876741990711298/735956575151194233/946776184610492426

1

FullTang

I know your general conversation went down the rabbit hole of piracy and IP theft, but here is one real world case that used smart TV forensics. https://discord.com/channels/427876741990711298/735956575151194233/946776184610492426

I remember reading that Smart TVs send select 'pixels' from time to time back to manufacturers. These pixels are then correlated with a big database of content to determine what content is being displayed, and create advertising profiles. I'd imagine it would not be difficult for a Smart TV manufacturer to do the same thing for CSAM content, or for the FBI to provide 'pixel' databases it could match the pixels to for such purposes, which providers could use to determine whether the content being viewed may be illegal. I am not sure, however, if the pixels that are viewed are stored though... I'd think they are probably just ephemeral, but might be an avenue for investigation (subpoena the manufacturer to see if any viewership tracking data is retained, and consult with the FBI to see if they can correlate it with their databases). Practically every TV sold nowadays is a 'smart' TV, but they don't all have internet connectivity all the time. Source: https://www.washingtonpost.com/technology/2019/09/18/you-watch-tv-your-tv-watches-back/ Now that companies like Apple are launching initiatives to recognize CSAM content, maybe some other companies might be convinced to jump on board with different programs like that too. (edited)

2

Sea9

I remember reading that Smart TVs send select 'pixels' from time to time back to manufacturers. These pixels are then correlated with a big database of content to determine what content is being displayed, and create advertising profiles. I'd imagine it would not be difficult for a Smart TV manufacturer to do the same thing for CSAM content, or for the FBI to provide 'pixel' databases it could match the pixels to for such purposes, which providers could use to determine whether the content being viewed may be illegal. I am not sure, however, if the pixels that are viewed are stored though... I'd think they are probably just ephemeral, but might be an avenue for investigation (subpoena the manufacturer to see if any viewership tracking data is retained, and consult with the FBI to see if they can correlate it with their databases). Practically every TV sold nowadays is a 'smart' TV, but they don't all have internet connectivity all the time. Source: https://www.washingtonpost.com/technology/2019/09/18/you-watch-tv-your-tv-watches-back/ Now that companies like Apple are launching initiatives to recognize CSAM content, maybe some other companies might be convinced to jump on board with different programs like that too. (edited)

As a general rule, it amazes me how much data big companies can gather from private citizens for “market research” and how restrictive it is for law enforcement to have access the same class of data. Exceptions exist, but that is just my biased opinion.

4

FullTang

As a general rule, it amazes me how much data big companies can gather from private citizens for “market research” and how restrictive it is for law enforcement to have access the same class of data. Exceptions exist, but that is just my biased opinion.

If you wanted to be sneaky, I'm sure a device could be compromised in such a way so as to send similar data to law enforcement as well, once a valid warrant is obtained. Getting any such data retroactively would be entirely up to relationships/programs with those other companies, though.

Sea9

If you wanted to be sneaky, I'm sure a device could be compromised in such a way so as to send similar data to law enforcement as well, once a valid warrant is obtained. Getting any such data retroactively would be entirely up to relationships/programs with those other companies, though.

For sure, and to be fair, CyberTips from big companies can provide useful data to catch criminals. It just amazes me that as a society we give up all our rights to privacy so that big business can make a buck but we won’t take reasonable steps to protect our children. It’s frustrating is all.

@Cellebrite anyone have time for a DM, I built a new machine and PA is throwing errors left and right

@SectorZero do you have windows 11 installed? and latest cumulative update? because with this update, my PA had troubles too, shooting one error message after the other when opening an extraction.... deinstalled the update and PA running fine again

(edited)

chrisforensic

@SectorZero do you have windows 11 installed? and latest cumulative update? because with this update, my PA had troubles too, shooting one error message after the other when opening an extraction.... deinstalled the update and PA running fine again

(edited)

Still on Windows 10 and fully updated, but good to know! I’ll try going backwards.

I don’t have a screenshot on me right now but it was saying no object reference set on the cloud capability, but I didn’t install cloud on this machine. All hashes are good etc

good, try PA after deinstalling the last update

$CozyBear

really odd question here, is there any practical use cases of smart TV forensics, like what kind of information can it prove or validate in this use case ? Only reason I can think is intellectual property theft and pirating streams etc. (edited)

Adding to some of the other use cases, I'd say pattern of life analysis. If someone's alibi is that they were at home watching TV but their TV has no record of being interacted with in that time frame, perhaps that undermines their story. Lots of applications when you think about how it reflects on someone's habits

4

most all <customer> tracking devices are marketed as customer convenience and/or QoL improvements, usually with an associated FUD clause. "are you afraid of dying on the loo? you need the new crAppApp to check your movements (movements, lol) download the App now of buy the full CD/DVD set from K-Tel/Ronco/JML. Never be sh*tscared again!"

2

1:43 AM

basically if it has storage, it can be interrogated. you do sh*t, it can be discovered (edited)

in that light, I got to share this cautionary tale, from the 80's-ish. i' normally post in off-duty but it is actually 'evidential' and kinda relative to FullTangs post aboutthe creativity of some folks in incriminating themselves. (edited)

2:03 AM

So, this dude is prepping to go to Amsterdam, a big thing when just popping over to EU wasn't that common. He wants to share this with work colleagues (male AND female), and likely show off that he's been there and had the experience, so takes himself a recording device. Place already had a reputation for being hard-core p0rn tolerant, sex shops, massage etc whereas in UK it was pretty much only shrink wrap top shelf of 'liberated' newsagents and used (eww) book/magazine exchange stores.

2:03 AM

So once there he grabs a handful of adult videos from the local smut shop, sets himself down in the hotel room and pops the camera on a tripod to pirate some stuff. Dude gets back to workplace and gets to work on his macho rep by passing the recordings to workmates. Takes a week to get round the factory.

2:03 AM

At some point the dude is approached by a concerned colleagu and asked "did you watch this video mate?" "Nah, i saw the originals, why would I?" "i think you should"

2:04 AM

What the guy hadn't realised was that at the angle he'd set the video, one could see the faint but clear reflections on the hotel TV screen and, to borrow a Borat-ism, it was plain to see him having a "hand party" on the room sofa :/

2

FullTang

I know your general conversation went down the rabbit hole of piracy and IP theft, but here is one real world case that used smart TV forensics. https://discord.com/channels/427876741990711298/735956575151194233/946776184610492426

Simply beautiful, just reading about this as a actual real world existing case literally gives me goosebumps xD. Thanks for this @FullTang (edited)

1

https://rusi.org/explore-our-research/projects/piracy-and-organised-crime

Piracy and Organised Crime

This project is the first of its kind to explore options for the financial disruption of organised crime networks involved in audio-visual piracy.

Has anyone experienced and then found a solution to Cellebrite reader exporting a selection of emails into a MASSIVE PDF document. Emails exported as HTML is 10mb, word is 12mb, PDF is 32gb. I've currently got an open support ticket we are working through, but just wanted to see if anyone had found a solution themselves in the mean time.

7:39 AM

We tend to have alot of officers exporting to PDF, and want to eradicate any potential issues in the future with larger files that are taken at face value.

Question about encryption. I am working on my Masters in DFIR and I am taking an encryption class. How often do y'all work or see Kerberos in investigations?

Anyone aware of Windows telemetry that records specifically what policy was changed when GPO is modified?

Not super knowledgeable, but I'm aware of a few things that I usually check (also some items I found). eventlog/Microsoft-Windows-GroupPolicy/Operational.evtx looking for errors on syncing (preventing changes, e.g.) https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry Event IDs listed in there may be of use. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy Coordinating with prefetch or similar on MMC has yielded me some success for determining if things have been changed, event logs (if available) will also show what changed. Backup-related (VSS): VSS: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist There may be other software that generates logs. https://learn.microsoft.com/en-us/windows/win32/vss/registry-backup-and-restore-operations-under-vss https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc772100(v=ws.10) https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/applying-group-policy-troubleshooting-guidance (edited)

medusa

Question about encryption. I am working on my Masters in DFIR and I am taking an encryption class. How often do y'all work or see Kerberos in investigations?

Have worked a few investigations where kerberoasting was used to get service accounts to move around with

Villano

Anyone aware of Windows telemetry that records specifically what policy was changed when GPO is modified?

Haven't test it but there's a group policy event log on the DC that might have something valuable in it

Augment

Not super knowledgeable, but I'm aware of a few things that I usually check (also some items I found). eventlog/Microsoft-Windows-GroupPolicy/Operational.evtx looking for errors on syncing (preventing changes, e.g.) https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry Event IDs listed in there may be of use. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy Coordinating with prefetch or similar on MMC has yielded me some success for determining if things have been changed, event logs (if available) will also show what changed. Backup-related (VSS): VSS: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist There may be other software that generates logs. https://learn.microsoft.com/en-us/windows/win32/vss/registry-backup-and-restore-operations-under-vss https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc772100(v=ws.10) https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/applying-group-policy-troubleshooting-guidance (edited)

Thanks. I'm aware of the registry events but these are super noisy and usually disabled.

randomaccess

Haven't test it but there's a group policy event log on the DC that might have something valuable in it

There is an event but it's fairly generic and doesn't actually tell you what was changed.

Villano

There is an event but it's fairly generic and doesn't actually tell you what was changed.

That sounds like windows event logs doesn't it ha What tool are you using to view the events?

randomaccess

That sounds like windows event logs doesn't it ha What tool are you using to view the events?

Splunk

Hmm ok so it should be getting the full XML.

3:26 PM

You could always collect the directory and compare it with VSS or backups with beyondcompare

1

3:26 PM

Object tracking may also help

randomaccess

Object tracking may also help

Thanks

What should be added?

can someone private message i have a few questions about A Distributed Denial of Service attack

Does anyone have any experience working with RCFL (Regional Computer Forensic Labs)? This is our first time working with them and I want to make a list of things to analyze, but I am not sure if that's needed. We do not have much information about the systems.

1

DB

Does anyone have any experience working with RCFL (Regional Computer Forensic Labs)? This is our first time working with them and I want to make a list of things to analyze, but I am not sure if that's needed. We do not have much information about the systems.

I'm sure a lot of people here do. What's on your list so far?

marco_polo076

can someone private message i have a few questions about A Distributed Denial of Service attack

What is this in relation to? Prevention/mitigation?

I want to prevent it for happening because it is happening everyday and I’m not sure what to do @Matt

Which kind of service is it? Web?

Here's what I have so far: • Thumb drives • SD cards • External hard drives/NAS • Computer hard drives • Virtual machine storage • CCTV footage • Cloud storage for offsite records I am going to break it down in a bit more detail, but I want to make sure I am not missing anything or if there are things they don't really process that will be low value for us. (edited)

DB

Here's what I have so far: • Thumb drives • SD cards • External hard drives/NAS • Computer hard drives • Virtual machine storage • CCTV footage • Cloud storage for offsite records I am going to break it down in a bit more detail, but I want to make sure I am not missing anything or if there are things they don't really process that will be low value for us. (edited)

That all seems good, but I'd also be more curious as to what tools and processes they're using to analyze each of those various storage mediums

https://www.rcfl.gov/services - I am guessing they just do all of the analysis and then sends the agency the data they extract? I am wondering how it works if they use network based storage. Then they would have to go onsite with the serving agency?

Service Offerings | Regional Computer Forensics Laboratory

can anyone help me with a bitcoin forensics problem?

michael`

can anyone help me with a bitcoin forensics problem?

#darknet-virtual-currencies

(noob alert) if a vhdx, vhd etc is given, can we perform carving on it? (edited)

Do you know what kind of acquisition was performed? Physical or logical?

11:21 PM

If it’s logical my money would be on no because then you only copied the specifically selected files instead of the file system (edited)

and then how to physically acquire a VHDX? only exporting from the hyperV be enough or not.

If you’re exporting from a VM then copying the VMDK/VHDX file will do but keep in mind that you’ll potentially get a lot of false positives when performing file carving

1

Yep you can carve inside a virtual disk. Take a copy of it, mount it as a drive letter and run photorec over it no dramas

Does anyone know of an online simulated environment to practice digital forensics? Same idea as metasploitable but then more focused on investigating how said vm was breached.

loln00b

Does anyone know of an online simulated environment to practice digital forensics? Same idea as metasploitable but then more focused on investigating how said vm was breached.

I'd say doing CTF's?

florus

I'd say doing CTF's?

Yes, good point. This case is more for an educational type of setting. (HBO education)

I know that SANS NetWars offers this in the most recent edition but it might be outside the skill and price range of HBO educational institutions

1:21 AM

One really good local ctf is https://dfirmadness.com/the-stolen-szechuan-sauce/

James

Case 001 - The Stolen Szechuan Sauce - DFIR Madness

The Stolen Szechuan Sauce is a digital forensics lab with you in mind. Share with your students or security team for scenario training.

1:22 AM

Difficulty can be adjusted based on the number of artifacts provided to the class

(edited)

There are many more at https://cyberdefenders.org/ (including The Stolen Szechuan Sauce).

CyberDefenders: Blue Team CTF Challenges

Training platform for #BlueTeams to test and advance their #CyberDefense skills..

yep linked to the source specifically because there are a ton of walkthroughs pertaining to different artifacts

Trust Dies in Darkness: Shedding Light on Samsung’s TrustZone Keymaster Design "In this work, we examined the cryptographic design and implementation of Android’s Hardware-Backed Keystore in Samsung’s Galaxy S8, S9, S10, S20, and S21 flagship devices. By an extensive reverse engineering effort, we were able to analyze the Keymaster TA in multiple TZOSs (TEEGRIS, Kinibi, and QSEE). To the best of our knowledge, we are the first to explore the details of the Keymaster TA implementation in TEEGRIS." https://eprint.iacr.org/2022/208.pdf

New unpatched Exchange zero day going around https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html

Warning: New attack campaign utilized a new 0-day RCE vulnerability...

Anyone got some NUIX experience? I have the field 'Item Date' showing and exporting data in the format 'Monday 1 January 2022 12:00:00 Greenwich Mean Time' when I would really like it to display and export as '01/01/2022 12:00:00'. Anyone know how or if I can change it?

loln00b

Does anyone know of an online simulated environment to practice digital forensics? Same idea as metasploitable but then more focused on investigating how said vm was breached.

Have you tried blue teams online labs?

1

2:46 AM

https://blueteamlabs.online

Blue Team Labs Online

A gamified platform for cyber defenders to test and showcase their skills

Majeeko

Anyone got some NUIX experience? I have the field 'Item Date' showing and exporting data in the format 'Monday 1 January 2022 12:00:00 Greenwich Mean Time' when I would really like it to display and export as '01/01/2022 12:00:00'. Anyone know how or if I can change it?

You can change it. From memory it's in the column profiles. Right click on the top bar in the middle pane. But...I might be wrong, I haven't done it in a while

1

randomaccess

You can change it. From memory it's in the column profiles. Right click on the top bar in the middle pane. But...I might be wrong, I haven't done it in a while

Ive got an export running at the mo but I will have a look when its done. Been sort of thrown in at the deep end a bit and trying to fild ways to make the whole process easier.

Usually the help docs will walk you through what you need to know

hello

7:01 AM

BianLian wants to do an interview (Ask-Me-Anything), if you have any questions you want to ask them please PM me or respond to this message. The questions and answers will be posted on this blog: http://the-key.tk/2022/09/29/start-here/

Start here

Hi.

7:02 AM

questions submitted before sunday will be asked to BianLian

@michael` Unfortunately, my professors don't do much with crypto and didn't share any knowledge or insight in BTC wallet Attribution OSINT software. I am sorry but I have nothing to help you with at this time. I will keep reading and if I see anything, I will shoot you a mention here bud.

How is everyrhing guys? Have you guys ever investigated a mac with Cellebrite Inspector? Or does anyone have a dfir guide for Mac investigation? (edited)

BabyRaptorJesus

@michael` Unfortunately, my professors don't do much with crypto and didn't share any knowledge or insight in BTC wallet Attribution OSINT software. I am sorry but I have nothing to help you with at this time. I will keep reading and if I see anything, I will shoot you a mention here bud.

thanks for trying!

Hi everyone. Brand new member here.

4

Welcome

Thanks. The server looks interesting so far.

We’re a friendly bunch

Seems like it. I too am friendly. ADHD, so I'm a little inconsistent in communicating though. However, I love to learn and I've developed quite fascination with OSINT technique.

2

AnarchySnoop

Seems like it. I too am friendly. ADHD, so I'm a little inconsistent in communicating though. However, I love to learn and I've developed quite fascination with OSINT technique.

Join the ADHD club. The water is warm. Cheers

3

All, I just wanted to share an important announcement on behalf of HTCIA- Announcement: HTCIA’s International Board of Director’s voted to remove restrictions on for-profit defense work. Bylaws on the site will be updated soon.

11:46 AM

Feel free to at me if any questions

Digital forensics student here; I've been given an assignment wherein I have to discuss IMSI Catchers / Cell-Site Simulators, specifically any impact the technology has on DFIR cases, professionals, and the digital forensics field at large. It's obviously a rather broad/vague scope. Any ideas on specific directions I could go with this?

Sweet, I just realized there's Irish Law Enforcement here on the server. AGS Cyber Crime Unit? J2?

AnarchySnoop

Sweet, I just realized there's Irish Law Enforcement here on the server. AGS Cyber Crime Unit? J2?

@Law Enforcement [Ireland]

hello everyone, an off topic question: do you know where to download the ISO of Windows 10 pro for workstation? from the Microsoft site I can not find it. only the normal one comes out.

hi @manuelevlr u can use this windows-iso-downloader

5:10 AM

chrisforensic

hi @manuelevlr u can use this windows-iso-downloader

I have to download the DELL one but it seems that the link is not valid: /

1

manuelevlr

I have to download the DELL one but it seems that the link is not valid: /

which region are you?

Italy

https://www.microsoft.com/en-gb/software-download/windows10ISO Not the Italian version but try that link,

using the normal ISO of Windows 10 pro it seems that the license associated with the machine is not recognized. probably because it is associated with version 10 for workstation.

manuelevlr

using the normal ISO of Windows 10 pro it seems that the license associated with the machine is not recognized. probably because it is associated with version 10 for workstation.

my apologies, I did not realise that win 10 pro Workstation was different!

So windows 10 pro for workstation should be a windows 10 pro ISO

6:42 AM

It is my understanding that it is just a software unlock

6:43 AM

For stuff like Direct SMB etc

just did some brief googling on it, advice seems to be to install win 10 pro, then use your workstation key to upgrade... No idea if that will actually get you anywhere though.

@manuelevlr use the link provided by @Pretendigator to download the multi edition iso and when installing you can select on windows installer which version do you like

7:18 AM

that link is also in italian

7:18 AM

https://www.microsoft.com/it-it/software-download/windows10ISO

7:19 AM

if you want you can dm me and i can help you with the process of installation

Thanks

I've got a phone (unk make/model) coming in for which the owner gave consent for 1 single video. Can someone tell me how they go about forensically obtaining that one specific video without having to pull all videos on a logical?

thank you guys. in the end I solved with the multiedition.

JayB1rd

I've got a phone (unk make/model) coming in for which the owner gave consent for 1 single video. Can someone tell me how they go about forensically obtaining that one specific video without having to pull all videos on a logical?

We've been accepting that, yes we will take a 'full forensic image' of the device, however when providing the extraction to the officer we would create a 'portable case' or report with only the authorised content included.

There are some tools that accomplish the pick and choose download method... I think the Cellebrite Kiosk does and, without having used it yet, I've been told DataPilot also does this.

9:30 AM

There may be others

anyone online familiar with manual email dkim checksum calculating using relaxed canonicalization?

JayB1rd

I've got a phone (unk make/model) coming in for which the owner gave consent for 1 single video. Can someone tell me how they go about forensically obtaining that one specific video without having to pull all videos on a logical?

@Susteen The DataPilot can do this quickly for logical item extractions. It is a very simple process. On the other side of this, if you need to use UFED you can select only that specific file type extraction like "photos" and deselect everything else and jump to that file in the extraction export it as a PDF for evidence.

spicy_caveman

@Susteen The DataPilot can do this quickly for logical item extractions. It is a very simple process. On the other side of this, if you need to use UFED you can select only that specific file type extraction like "photos" and deselect everything else and jump to that file in the extraction export it as a PDF for evidence.

That's what I've done in the past on 4PC. I collected just images, created a reader report with just that specific image, then saved the file from PA.

1

JayB1rd

That's what I've done in the past on 4PC. I collected just images, created a reader report with just that specific image, then saved the file from PA.

The DataPilot makes it super easy to pull just that video or photo out by itself. If you haven't played with one- well worth the investment for it's portability.

Pretendigator

We've been accepting that, yes we will take a 'full forensic image' of the device, however when providing the extraction to the officer we would create a 'portable case' or report with only the authorised content included.

Did you retain the full dataset or just the file in question?

For DataPilot you can choose a lot of different ways of getting specific data. They have a date slice, content slice, and a type of file explorer for the phone as it is connected live to it. If you want just the file itself with the metadata attached it will do that, if you want the last 30 minutes of timeline activity on the phone it will grab that. if you want just between 1am and 2:30am it will grab whatever specific files you check the box to and run a HTML report in pretty simple to follow data.

whee30

There are some tools that accomplish the pick and choose download method... I think the Cellebrite Kiosk does and, without having used it yet, I've been told DataPilot also does this.

4PC asnd the kiosk can select categories of files, but not individual files. Don't have access to DataPilot.

If it is an android- what you could do is plug into a write blocker and file explorer the phone DCIM folder to grab the file that way.

9:59 AM

or an iPhone really.

Right - UFED does categories... last time I had hands on with a Kiosk (a year and a half ago?) There was a feature called quick copy which acted like a USB disk... pick and choose a file.

spicy_caveman

For DataPilot you can choose a lot of different ways of getting specific data. They have a date slice, content slice, and a type of file explorer for the phone as it is connected live to it. If you want just the file itself with the metadata attached it will do that, if you want the last 30 minutes of timeline activity on the phone it will grab that. if you want just between 1am and 2:30am it will grab whatever specific files you check the box to and run a HTML report in pretty simple to follow data.

You know what? 4PC now has a Timeline selection during the extraction process. Thank you for bumping my brain awake, lol! edit: I can't type so good (edited)

whee30

Right - UFED does categories... last time I had hands on with a Kiosk (a year and a half ago?) There was a feature called quick copy which acted like a USB disk... pick and choose a file.

THANK YOU! 4PC has the same function, but I've never even used it or really explored what it does. QuickCopy!

10:10 AM

Thanks everybody for the input. This really is the best, quickest, and nicest place to get insight and help in mobile forensics.

5

Sure thing, it's definitely convenient when you need it. I don't often need the functionality so I had glossed over the fact in my brain that it was also in UFED

1

10:14 AM

which of course makes sense. Same software, different package

whee30

There are some tools that accomplish the pick and choose download method... I think the Cellebrite Kiosk does and, without having used it yet, I've been told DataPilot also does this.

Can confirm that Datapilot will allow for a very specific extraction.

1

11:04 AM

And I just got to the bottom of the thread, looks like it all got sorted!

spicy_caveman

anyone online familiar with manual email dkim checksum calculating using relaxed canonicalization?

These python scripts should be able to do that - not needed to use them myself though so can't tell you the commands! https://pypi.org/project/dkimpy/

dkimpy

DKIM (DomainKeys Identified Mail), ARC (Authenticated Receive Chain), and TLSRPT (TLS Report) email signing and verification

1

Ross Donnelly

These python scripts should be able to do that - not needed to use them myself though so can't tell you the commands! https://pypi.org/project/dkimpy/

If anyone knows how to validate dkim in an msg file lmk. Everything I've found assumes an eml

randomaccess

If anyone knows how to validate dkim in an msg file lmk. Everything I've found assumes an eml

Arman from Metaspike once told me it wasn't possible, as MSG makes too many changes to the structure

Anyone found a workaround to the significant locations issue when thumbing through an iPhone? Seems like they no longer list the locations since iOS 15.x. Was hoping there was a way to still see it without having to open up Google maps. (edited)

Jack Frost

Anyone found a workaround to the significant locations issue when thumbing through an iPhone? Seems like they no longer list the locations since iOS 15.x. Was hoping there was a way to still see it without having to open up Google maps. (edited)

I haven’t found a way to view them on the device as we were able to do in iOS 14.

spicy_caveman

anyone online familiar with manual email dkim checksum calculating using relaxed canonicalization?

We have a manual DKIM verification walkthrough here: https://www.metaspike.com/leveraging-dkim-email-forensics/

Arman Gungor

Leveraging DKIM in Email Forensics

DKIM signatures contain valuable information, such as body hash and signature, that forensic examiners can utilize in email forensics.

6:11 PM

Let me know if any questions come up. We've also done quite a few DKIM exercises in our Email Forensics CTF solutions. https://www.youtube.com/playlist?list=PLvOFsJ3VdHa_USZuhzIjDFk_EYA5pRP9Z

Email Forensics

Arman Gungor

Let me know if any questions come up. We've also done quite a few DKIM exercises in our Email Forensics CTF solutions. https://www.youtube.com/playlist?list=PLvOFsJ3VdHa_USZuhzIjDFk_EYA5pRP9Z

But not on MSG files

There's an idea for next year's CTF

8:15 PM

Didn't see mention of that in the OP's question

‍♂️

Nah, might not be. Just something I mentioned as a caveat

8:43 PM

But After last ctf...where dkim failed because microsoft uselessly manipulated an email I don't know what to believe any more

hello everyone, an information. do all Samsungs show the "network notch" icon even in the absence of the SIM card inserted in its slot? Does the field that is shown indicate only that which is necessary for any emergency calls?

Good morning! Has anyone done Yahoo mail collections and run into a recent issue with the Generate an App Password feature not being available?

manuelevlr

hello everyone, an information. do all Samsungs show the "network notch" icon even in the absence of the SIM card inserted in its slot? Does the field that is shown indicate only that which is necessary for any emergency calls?

Well not all, but this occurs, what i have seen. Quite confusing sometimes.

Fox-IT just released their Dissect framework. https://www.fox-it.com/nl-en/dissect/

1

florus

Well not all, but this occurs, what i have seen. Quite confusing sometimes.

so actually it's a bit weird as a thing. leads to errors, as if there is actually the SIM inside.

florus

Well not all, but this occurs, what i have seen. Quite confusing sometimes.

so actually it's a bit weird as a thing. leads to errors, as if there is actually the SIM inside.

Is anyone available to assist with a DFI application form (it’s for UK public sector)? Really don’t wanna screw this up

Beercow

Fox-IT just released their Dissect framework. https://www.fox-it.com/nl-en/dissect/

Very nice.

which is the right channel to discuss the UAC tool? The documentation links here for discussion about it.

Do any of you know which malware groups are closed-affiliate?

bashNinja

which is the right channel to discuss the UAC tool? The documentation links here for discussion about it.

hey dude, don't need to ask to ask, just ask

likely given https://github.com/tclahr/uac (at)tclahr will pick up if no-one else does

Ha. Alright. Just asking where the right discussion place is.

2:26 PM

I'm looking to extend UAC to use a LiME kernel module for memory collection instead of AVML, if the system has the necessary headers. I was wondering if there was a channel where others might have discussed build/contributing to the project so I can review the channel history to gain some insight about the project without having to pester people with questions?

2:27 PM

I didn't see a channel dedicated to UAC, so is that discussion just intermixed throughout the whole discord?

bashNinja

I didn't see a channel dedicated to UAC, so is that discussion just intermixed throughout the whole discord?

there's such a wide and varied topic base here it would be difficult to allocate channels for each and every one. maybe try Search utility top right ↗️ and enter UAC as a term

3:06 PM

shoudl get you more than a few historic comments / Q&A's

2

So Okta, reaached out to us for a chat, anyone here used/uses them? Securely enable remote working without security concerns, Adopt a Zero Trust security model, Improve M&A agility by centralizing IAM and providing day-one access for all, Reduce IT friction & minimise costs while fostering innovation. In my opinion, They're similar to Duo but does it better, Zero trust model will be Okta all all devices and mobile to authorise any signins. Also think they integrate with lots of third parties. it woudln't hurt to replace Duo with Okta, thats the only thing i can think of right now as a use for them. if they're cheaper than Duo, I would go with them. What are people's thoughts Okta VS Duo?

Our CactusCon 11 (2023) CFP is open for another 12 days. We'd love to hear from you and/or your team. I ran this conference the past two years (CC9/CC10). I have now transitioned to a new Sponsor/Community Liaison role (just too busy is all). My primary task involves working with potential sponsors, but I'm also a general community advocate for the con. I'll limit this to my one "Hey submit a talk at our conference!" But I couldn't help myself. So get the lead out! https://cactuscon.com/cfp

CFP — CactusCon

Call for Papers

9:56 PM

Oddly enough I don't see @Andrew Rathbun's submission yet...

1

I always feel like CactusCon is missing an opportunity to host in Tucson... given that Tucson is in the name. Maybe I'll finally make it out to one, @conf1ck3r has been bugging me to for a while.

1

https://twitter.com/hodgesmr/status/1577650545107533826

Matt Hodges (@hodgesmr)

Well this is something ... I think I just discovered that macOS is background scanning images on my computer and, when those images are QR codes that point to URLs, it's decoding the codes and requesting the URL... 1/

Likes

5779

Retweets

1648

11:07 AM

autonomous link opening seems not great

Update: https://twitter.com/hodgesmr/status/1577739222412312578

Matt Hodges (@hodgesmr)

Well, I was wrong. I now believe the canary token was triggered not by macOS decoding the QR, but by Firefox’s “recent” shortcuts on the home screen. I gave too much trust to a Stack Exchange answer. I have deleted the incorrect information. I regret the error.

Likes

215

Thanks for the update, haven't been back on twitter yet due to "work" and "being productive"

3

jurisprudence "I regret"

For future reference here's how you can tell not to trust technical information. (edited)

1

3:14 PM

https://www.washingtonpost.com/technology/2022/10/05/uber-obstruction-sullivan-hacking/

4:27 PM

Uber CISO found guilty of hiding breach.

Hey guys, just a quick question. Would it consider “OK” to zip compress evidence files? Will there be any corrupted files when we extract the zip again?

spyr0

Hey guys, just a quick question. Would it consider “OK” to zip compress evidence files? Will there be any corrupted files when we extract the zip again?

I think I've had an issue with compressing ewf files before

1:02 AM

But I don't remember specifics

randomaccess

I think I've had an issue with compressing ewf files before

Ah ok then, so it’s not that good after all

1:03 AM

Thanks for your reply

You can compress the ewf file

1:08 AM

So there's not much point in doing it again

How is the Elevation (Vertical ) Angle yellow rod is calculated with maths? I know that the azimuth angle is AzimuthAngle =asin(length of minor axis/length of major axis)=asin(width/length) [Question]

xarisole

How is the Elevation (Vertical ) Angle yellow rod is calculated with maths? I know that the azimuth angle is AzimuthAngle =asin(length of minor axis/length of major axis)=asin(width/length) [Question]

Hi dude, not that anyone won't answer but, this Discord is for Digital Forensics / Incident Response.

Digitalferret

Hi dude, not that anyone won't answer but, this Discord is for Digital Forensics / Incident Response.

thanks, Is there any channel you think it can help me?

xarisole

thanks, Is there any channel you think it can help me?

If it isn't a question about digital devices/data then you may want to look for a wet forensics community rather than DFIR (digital forensics incident response), like @Digitalferret said, someone may answer you but it's not our area of expertise.

@Law Enforcement [UK] any forces using Semantics21 for viewing/grading?

Merseyside use it.

3

Pretendigator

@Law Enforcement [UK] any forces using Semantics21 for viewing/grading?

I'd be interested in hearing people's views also. As we are exploring S21 as a replacement for LACE.

1

blake-ee

I'd be interested in hearing people's views also. As we are exploring S21 as a replacement for LACE.

is LACE the bluebear viewing suite?

Pretendigator

is LACE the bluebear viewing suite?

Yes, we use it to carve and view

Pretendigator

@Law Enforcement [UK] any forces using Semantics21 for viewing/grading?

Trialling it now in Sussex & Surrey

Pretendigator

@Law Enforcement [UK] any forces using Semantics21 for viewing/grading?

We briefly looked at it but ended up using Griffeye Processing Engine with lace to carve then DI for viewing. Again interested in hear others views of S21

1

xarisole

thanks, Is there any channel you think it can help me?

maybe check google for maths/science Discords or find an online forum / reddit. best wishes

cdbandit

Trialling it now in Sussex & Surrey

would love to know how you get on in the next month or so

No problem. It seems quite intuitive so far!

Pretendigator

@Law Enforcement [UK] any forces using Semantics21 for viewing/grading?

Yup, I have been using it for a while now. (edited)

I use it on scene and also in lab. It’s difficult to cover everything it can offer but overall I would say it is a good product.

If anyone needs a trial of any S21 products please feel free to message me tom@semantics21.com. You’re welcome to a long term trial to make sure the app meets your requirements.

2

A video called FullSizeRender.mov was identified relevant (iPhone running iOS 14) It is currently sitting in file path Media/Mutations/PhotoData/CPLAssets/groupx/UID/Adjustments. I understand that the original video has been adjusted (possibly cropped) - I'm struggling to find the original video. Does anyone know if the render video will remain on the handset if the original video has been deleted? I've seen someone mention that if you delete the original video, the FullSizeRender video will also disappear?

2:29 AM

Well, I literally just found the video just as I sent the above message. Urgh.

5

Pacman

Well, I literally just found the video just as I sent the above message. Urgh.

it is possible the edited video was saved on a new folder so that the originals can be deleted from the gallery

2:38 AM

there is also a solution if it was not moved to a new folder(saved as a new video) you need to open the video click edit and at the botom right is revert

2:38 AM

i am not sure tho as i dont have experience with iphone devices

@Law Enforcement [Ireland] Lads, I need a little advice on information disclosure. Can one of ye DM me? It partains to crypto scams and passing that information on to an international authority.

xarisole

thanks, Is there any channel you think it can help me?

Yep the channel that does homework for you

5

ryd3v

Yep the channel that does homework for you

They ask for money, that's why I am here

Who’s they? Think you’re in the wrong server

Pacman

A video called FullSizeRender.mov was identified relevant (iPhone running iOS 14) It is currently sitting in file path Media/Mutations/PhotoData/CPLAssets/groupx/UID/Adjustments. I understand that the original video has been adjusted (possibly cropped) - I'm struggling to find the original video. Does anyone know if the render video will remain on the handset if the original video has been deleted? I've seen someone mention that if you delete the original video, the FullSizeRender video will also disappear?

Thanks for the question! I have tested & written about this but only with assets being saved locally on the device. In your scenario it appears the device might have been restored/synced from iCloud Photos or the local storage is full hence the CPLAssets location. I can check this weekend to see if the unedited video might be in iCloud Photos or if the original video is synced with the device along with the adjusted/mutated asset. As @Deleted User stated it’s possible that the user captured a video, edited the length of the video then saved as new asset. This creates a new adjusted asset with a new file name and leaves the original asset unadjusted. Keep in mind that if that happens the edited asset will have indicators of adjustments/mutations. The original asset will not and also will have a different file name compared to the adjusted asset. You can use the photos.sqlite to find the original assets using file names and uuids but only if it hasn’t been deleted. These items are discussed in the documentation blog search for the following to find the sections: Adjustments / Mutations stored files and file paths Timelapse Video Captured then a new asset was created by editing the length of the original video For testing is the suspect device using download and keep originals or optimized storage? (edited)

ScottKjr3347

Thanks for the question! I have tested & written about this but only with assets being saved locally on the device. In your scenario it appears the device might have been restored/synced from iCloud Photos or the local storage is full hence the CPLAssets location. I can check this weekend to see if the unedited video might be in iCloud Photos or if the original video is synced with the device along with the adjusted/mutated asset. As @Deleted User stated it’s possible that the user captured a video, edited the length of the video then saved as new asset. This creates a new adjusted asset with a new file name and leaves the original asset unadjusted. Keep in mind that if that happens the edited asset will have indicators of adjustments/mutations. The original asset will not and also will have a different file name compared to the adjusted asset. You can use the photos.sqlite to find the original assets using file names and uuids but only if it hasn’t been deleted. These items are discussed in the documentation blog search for the following to find the sections: Adjustments / Mutations stored files and file paths Timelapse Video Captured then a new asset was created by editing the length of the original video For testing is the suspect device using download and keep originals or optimized storage? (edited)

Thanks - I saw your blog on this and it really did help me understand what's going on here. I'm not currently working on it right now but I did think of a question - How accurate are the timestamps (creation etc) for the CPLAssets videos?

ScottKjr3347

Thanks for the question! I have tested & written about this but only with assets being saved locally on the device. In your scenario it appears the device might have been restored/synced from iCloud Photos or the local storage is full hence the CPLAssets location. I can check this weekend to see if the unedited video might be in iCloud Photos or if the original video is synced with the device along with the adjusted/mutated asset. As @Deleted User stated it’s possible that the user captured a video, edited the length of the video then saved as new asset. This creates a new adjusted asset with a new file name and leaves the original asset unadjusted. Keep in mind that if that happens the edited asset will have indicators of adjustments/mutations. The original asset will not and also will have a different file name compared to the adjusted asset. You can use the photos.sqlite to find the original assets using file names and uuids but only if it hasn’t been deleted. These items are discussed in the documentation blog search for the following to find the sections: Adjustments / Mutations stored files and file paths Timelapse Video Captured then a new asset was created by editing the length of the original video For testing is the suspect device using download and keep originals or optimized storage? (edited)

you have a nice blog i gotta say that

2

Apologies if this timestamp is already covered in your blog, will get back to reading it when I can.

Pacman

Thanks - I saw your blog on this and it really did help me understand what's going on here. I'm not currently working on it right now but I did think of a question - How accurate are the timestamps (creation etc) for the CPLAssets videos?

That’s a very broad question, several different timestamps to consider, so…it depends… In most cases, they should be accurate. But there are a few scenarios that I can think of where they might not be accurate, haven’t tested this but if a user adjusted the capture timestamp of the original then synced to iCloud Photos then restored same or new device, then you might only have the adjusted capture timestamp. You might be able to see other dates that are prior to the adjusted capture time that allow you to say it might be adjusted. Also might be difficult if the user is changing the device time zone. Yes some of these are in there. But happy to provide additional feedback.

Since I'm Irish, I've tried contacting the Irish Law Enforcement here on the server, but they probably think I'm a little sus. I'm wondering if anyone after conducting OSINT on a scammer, turned over the information to their clients local authorities for further investigation?

2:35 PM

I've been helping a couple from Canada who invested money in a crypto trading platform, and of course, we all know the scams going around, but people are still getting fooled. This couple unfortunately feel victim and lost $15k, pretty much all their savings in the belief that they would expect a decent return in a short period of time. Yes, I know they were duped and should have known better.

2:36 PM

So again, my question is, is there a procedure for handing over evidence for an international police force to continue the investigation, since they have tools and resources I don't.

AnarchySnoop

Since I'm Irish, I've tried contacting the Irish Law Enforcement here on the server, but they probably think I'm a little sus. I'm wondering if anyone after conducting OSINT on a scammer, turned over the information to their clients local authorities for further investigation?

Tried contacting the Garda through more official means?

Well I can, but I was looking for advice, as the clients affected are from Canada and the US.

What about providing all of your evidence (mostly documents and other intel I assume?) to the victims so they can contact their local/federal law enforcement? That would make the most sense to me for a US victim and I would assume it would be similar for a Canadian victim but maybe someone from Canada could chime in.

1

That I suppose is a better idea.

A bit of a specific question but, what do you folks typically like to see when it comes to forensic data entry regarding tags and fields on databases storing those records? Things like the timestamp for when the record was added for example. I ask because I've recently worked with an in-development product that stores an MD5 hash of the binary content of the entire record for some reason. I don't think anyone could really rely on that from a chain of custody perspective and the database it uses checks for errors internally, so it was odd to me.

AnarchySnoop

Well I can, but I was looking for advice, as the clients affected are from Canada and the US.

You can have those clients file reports via their agency equivalent to the US FBI. If that's not a workable process, the FBI will take complaints from non-citizens and even refer those back to international law enforcement if needed. https://www.ic3.gov/Home/ComplaintChoice is where they can submit those complaints.

AnarchySnoop

I've been helping a couple from Canada who invested money in a crypto trading platform, and of course, we all know the scams going around, but people are still getting fooled. This couple unfortunately feel victim and lost $15k, pretty much all their savings in the belief that they would expect a decent return in a short period of time. Yes, I know they were duped and should have known better.

RE "Yes, I know they were duped and should have known better." - Preferably the scammer should just not have been scamming. They were victimized by a criminal, remember.

mooseous

RE "Yes, I know they were duped and should have known better." - Preferably the scammer should just not have been scamming. They were victimized by a criminal, remember.

The point of contention with these things is that it’s a difficult prosecution. The suspects almost always warn “investors” in a sly manner as to the dangers of investing and that they are not financial advisors and so forth.

Definitely valid but still worth reporting.

1

mooseous

RE "Yes, I know they were duped and should have known better." - Preferably the scammer should just not have been scamming. They were victimized by a criminal, remember.

I'm not trying to be dismissive of them and they don't need further victimization. If I can prevent one more person from being scammed, I'd be happy.

2

Hi there everyone. I hope you’re all doing well. I’d like to introduce myself if that is okay. I am a recent cyber security graduate who has become very fascinated and honestly obsessed with digital forensics to the point where I based my masters project on it in terms of analysing a Linux server.

1:04 PM

I have a job interview for the role of a graduate digital forensic analyst. Part of the interview will consist of a test they say. I was just wondering if someone here has any idea what kind of questions may be asked to a graduate to test them and their knowledge? I’m just trying to prepare so that it goes well. Thanks

grimy1928

I have a job interview for the role of a graduate digital forensic analyst. Part of the interview will consist of a test they say. I was just wondering if someone here has any idea what kind of questions may be asked to a graduate to test them and their knowledge? I’m just trying to prepare so that it goes well. Thanks

Maybe re-read the job spec and glean all you can, then go read up or practice?

1:13 PM

any other guidance is only going to be generic "best guess" as it's only you that read the advert and applied.

Digitalferret

Maybe re-read the job spec and glean all you can, then go read up or practice?

Appreciate the advice but what I know is very limited as I got the interview through a recruiter. All I know is that the role is a Junior PC Analyst and it involves a lot of classroom based training as well as exposure to the labs and software and techniques. I guess a bit more research specifically into this type of role in general could be beneficial however

grimy1928

Appreciate the advice but what I know is very limited as I got the interview through a recruiter. All I know is that the role is a Junior PC Analyst and it involves a lot of classroom based training as well as exposure to the labs and software and techniques. I guess a bit more research specifically into this type of role in general could be beneficial however

poke the recruiter to do his job right ~~(or bribe him )~~ chat to the guy, ask his advice as you want to present that cliche "my best self" (edited)

1:27 PM

lesson one: don't take second hand advice. with the best will in the world it gets to "Chinese Whispers"

1:28 PM

is he a recruiter employed by the school, a job agency, the employer???

1:30 PM

surely there's a job description he's been given

Is anyone here conducting R&D on fake biometrics? I'm working part-time on reproducing fingerprints with liveliness detection bypass capabilities. If someone can share insights I would be grateful.

Who else is coming to FS-ISAC conference this week?

Can anyone from @Magnet Forensics able to DM me regarding where to find the source of metadata relating to iOS photos that have been uploaded onto Cloud Photos Library?

Pacman

Can anyone from @Magnet Forensics able to DM me regarding where to find the source of metadata relating to iOS photos that have been uploaded onto Cloud Photos Library?

Users\USERNAME\Photos Library.photoslibrary\database\Photos.sqlite I believe, thats where you want to go I believe but I don't have any test data on hand to confirm but it might be worth a dig. Give me a shout if you want someone to help you muddle through it with

Wow, what a server... My server list is kept minimal, I don't want to be in too many servers, but I think I'll be sticking around here.

3

Pretendigator

Users\USERNAME\Photos Library.photoslibrary\database\Photos.sqlite I believe, thats where you want to go I believe but I don't have any test data on hand to confirm but it might be worth a dig. Give me a shout if you want someone to help you muddle through it with

Yes I got that - I'm looking at a photo in particular and axiom has reported it came from snapchat. Source file is photos.sqlite I don't see anything in database that says this - so I was curious where it pulled that info from.

its from something like ZbundledID or something, photos db keeps track of where files came from, ill try to find which table it was in once my machine reboots

1

Pretendigator

its from something like ZbundledID or something, photos db keeps track of where files came from, ill try to find which table it was in once my machine reboots

That's the odd thing, it's reporting different app - not snapchat.

1

4:20 AM

Yeah, thought I'd get Magnet to have a look and see where it has come from.

1

Pacman

Yeah, thought I'd get Magnet to have a look and see where it has come from.

I'm happy to help - can you send me the source link and location link for the photo you're interested in?

@Sanderson Forensics Anyone available for a quick DM?

Moderator approved message and request for your input. Hi everyone, Magnet forensics is kicking off their annual DFIR Industry Report survey and it would be great to have feedback from this community! Survey information and link are below: #DFIR professionals—Magnet Forensics wants to hear what you think of the state of DFIR in today’s businesses! Take the following survey before Nov 1 to let us know your thoughts, and you can win an Amazon gift card or a prize pack from Magnet Forensics: https://www.surveymonkey.com/r/MF-industry-report

State of Enterprise DFIR Survey - 2023

Take this survey powered by surveymonkey.com. Create your own surveys for free.

2

Anyone from @Grayshift available to give me a PM? Thanks!

any IR people able to talk me through some 'basic' steps on a hacking/stalking case? Not our usual kind of thing Devices: Windows PC, Macbook, iPad

sure

4:00 AM

sent you a PM

1

anyone (maybe from Magnet) know if you can exclude case data from keyword searching in Axiom?

6:16 AM

doing regex for crypto and it's matching the MD5s of the actual file, could just be me being a sillums

Sudo

anyone (maybe from Magnet) know if you can exclude case data from keyword searching in Axiom?

Happy to help - I'll DM you for some details.

@Cellebrite can you pm me please

1

I also have a question for @Cellebrite , regarding Inspector. Pm please?

1

I have a question about Insurance fraud and E Discovery as it relates to Comp Forensics. Anyone familiar with Special Investigation Units with Insurance Companies?

Is anyone from @Cellebrite able to indicate whether it is actually necessary to remove a SIM card before performing an extraction of a mobile device? (edited)

Corey

Is anyone from @Cellebrite able to indicate whether it is actually necessary to remove a SIM card before performing an extraction of a mobile device? (edited)

We've discovered with some Sony devices that the phone will reboot when the SIM is removed; other Huawei, Alcatel, Oppo will lock the screen. One Oppo rebooted when the SIM was re-inserted. It's really hit or miss so best practice is to leave SIM in the phone but use RF shielding to block network connectivity - - not always practicable, at minimum airplane mode (edited)

1

Has anyone had an iPhone wiped via bluetooth? (I know it can be done over wifi). I’ve attended two classes where they claim it can be done. I haven’t seen any white papers on it or spoken to anyone who has seen it first hand.

dcs453

Has anyone had an iPhone wiped via bluetooth? (I know it can be done over wifi). I’ve attended two classes where they claim it can be done. I haven’t seen any white papers on it or spoken to anyone who has seen it first hand.

Not possible as far i am aware

dcs453

Has anyone had an iPhone wiped via bluetooth? (I know it can be done over wifi). I’ve attended two classes where they claim it can be done. I haven’t seen any white papers on it or spoken to anyone who has seen it first hand.

They're probably thinking of this (spoiler: doesn't wipe over Bluetooth) https://thebinaryhick.blog/2021/10/27/ios-15-powered-off-tracking-remote-bombs/

Binary Hick

iOS 15 Powered-Off Tracking & Remote Bombs

If you are not a member of DFIR Discord you are really missing out. It is a fantastic resource. I am constantly learning stuff from the practitioners there and it helps me keep up with trends in ar…

2

Corey

Is anyone from @Cellebrite able to indicate whether it is actually necessary to remove a SIM card before performing an extraction of a mobile device? (edited)

one reason why you may want to image the sim card every time is that some phones (from other countries, usually) may have a weird os. I've seen the sim card be the only piece of evidence cellebrite has that contains the phone number. sometimes it also has contacts saves to it.

dcs453

Has anyone had an iPhone wiped via bluetooth? (I know it can be done over wifi). I’ve attended two classes where they claim it can be done. I haven’t seen any white papers on it or spoken to anyone who has seen it first hand.

If the phone has no internet connection no wipe will be possible, even on newer iPhones with ultra wide BT. You can track them tho.

1

dcs453

Has anyone had an iPhone wiped via bluetooth? (I know it can be done over wifi). I’ve attended two classes where they claim it can be done. I haven’t seen any white papers on it or spoken to anyone who has seen it first hand.

This presentation covers this topic: https://www.magnetforensics.com/resources/offline-ios-tracking-and-remote-wiping-webinar-oct5/ 1. iOS devices cannot CURRENTLY be remotely erased without being powered on and "connected to a data network [i.e. Internet], such as 3G, 4G, LTE, or Wi-Fi" (https://support.apple.com/guide/icloud/aside/mme7d5999a/1.0/icloud/1.0#:~:text=An%20iOS%20or,or%20Wi%2DFi); 2. A device will participate in the "Find My" mesh network, regardless of the device or "Find My" being turned on or off (https://support.apple.com/guide/icloud/remove-devices-and-items-from-find-my-mmdc23b125f6/icloud#:~:text=Turn%20off%20Find%20My%20on%20an%20iPhone%2C%20iPad%2C%20or%20iPod%20touch&text=On%20your%20iPhone%2C%20iPad%2C%20or%20iPod%20touch%2C%20go%20to,off%20Find%20My%20%5Bdevice%5D), unless the Bluetooth radio is disabled via "Settings > Bluetooth" (not the "Control Center"), "Network and Wireless" services are disabled via "Settings > Privacy > Location Services > System Services > Networking and Wireless", or the device is externally shielded. For mesh network location tracking, older iOS devices utilize Bluetooth Low Energy (BLE), whereas newer (iPhone 11-14) devices also utilize Ultra-Wideband (UWB) via Apple's proprietary "U1" chip (https://www.ifixit.com/News/33257/inside-the-tech-in-apples-ultra-wideband-u1-chip). What was interesting to me about the findings in the presentation, was that Airplane Mode (whether the device was on or off) alone didn't prevent the use of UWB with "Find My" - this appears contradictory to Apple's documentation for iOS 13-16: https://support.apple.com/guide/iphone/ultra-wideband-information-iph771fd0aad/16.0/ios/16.0. So...to make sure a device isn't remotely erased or its location tracked, keep it radio frequency shielded via the applicable iOS settings mentioned above and/or utilize a trusted shielded (aka "Faraday") enclosure.

4

I'm looking for some help / suggestions with acquiring data from Android set top boxes (used for IPTV). If anyone has any experience with this please can you DM me for a chat?

Has anyone served a search warrant on uber before? If so can you PM me? I just want to know what type of data they retain.

Neon

Has anyone served a search warrant on uber before? If so can you PM me? I just want to know what type of data they retain.

https://www.uber.com/legal/en/document/?name=guidelines-for-law-enforcement&country=great-britain&lang=en-gb

Legal | Uber

Uber Terms and Policies

@Ross Donnelly thank you. That's exactly what I needed

1

@Metaspike Hi, Anyone from you guys available right now? Can I DM you for a few questions about FEC? Thank you.

anyone knows why the folder "AppData\Local\Microsoft\Outlook" contains tons of .msg files instead of a .OST / .PST? maybe an outdated outlook version? (I do not have access to the device, just a file listing of some folders). all message files have a numeric file name e. g. 2114308.msg (edited)

.yuzumi.

anyone knows why the folder "AppData\Local\Microsoft\Outlook" contains tons of .msg files instead of a .OST / .PST? maybe an outdated outlook version? (I do not have access to the device, just a file listing of some folders). all message files have a numeric file name e. g. 2114308.msg (edited)

what are the created dates looking like for the msg files?

Does anyone have a point of contact at Meta (Facebook) for investigating a child trafficking case? It involves data from Facebook Messenger. (edited)

pazzone

Does anyone have a point of contact at Meta (Facebook) for investigating a child trafficking case? It involves data from Facebook Messenger. (edited)

I assume you have done preservation requests for all accounts? https://www.facebook.com/records/login/

pazzone

Does anyone have a point of contact at Meta (Facebook) for investigating a child trafficking case? It involves data from Facebook Messenger. (edited)

@Search.org should have what you need. Make sure to do a preservation request!

1

FullTang

I assume you have done preservation requests for all accounts? https://www.facebook.com/records/login/

Federal LE is still trying to determine if they have jurisdiction. Unclear if local LE knows the process, but I will pass the message along. I am not LE. This is for my friend's child.

pazzone

Federal LE is still trying to determine if they have jurisdiction. Unclear if local LE knows the process, but I will pass the message along. I am not LE. This is for my friend's child.

Preservation letter ASAP above all, then they'll have 90 days to submit a search warrant if they're able to procure one based on probable cause

1

^ This this this ^ Preservation requests to Facebook take very little time, are very easy, and are critical to the investigation.

3

leifsoren

@Metaspike Hi, Anyone from you guys available right now? Can I DM you for a few questions about FEC? Thank you.

Sure! Please feel free to reach out with any questions.

FullTang

^ This this this ^ Preservation requests to Facebook take very little time, are very easy, and are critical to the investigation.

Dare I say it's even road patrol doable, we created a PDF on how the road guys can preserve the data for us vs waiting overnight or all weekend to say "hey here is the facebook profile" and we click on it and its gone !

2

Andrew Rathbun

@Search.org should have what you need. Make sure to do a preservation request!

Thanks @Andrew Rathbun - yes, @pazzone please have whatever law enforcement entity is investigating check out https://www.search.org/isp for contact information for over 2500 companies. Also, if you need quick access to law enforcement portals to submit legal process (including Facebook for preservation order), check out the 'Law Enforcement Portals' tab (last one) at https://www.search.org/toolbar.

1

2

Andrew Rathbun

Preservation letter ASAP above all, then they'll have 90 days to submit a search warrant if they're able to procure one based on probable cause

Speaking of preservation letters: does anyone have any experience with a US based company NOT preserving data when given a LEO preservation letter? I’ve been told that the US based companies are just “playing nice” and there is no legal requirement to force them to hold the data. I have no experience with this, just heard the above in a class and wanted to see if anyone has had trouble with it.

Unoriginal_name

Speaking of preservation letters: does anyone have any experience with a US based company NOT preserving data when given a LEO preservation letter? I’ve been told that the US based companies are just “playing nice” and there is no legal requirement to force them to hold the data. I have no experience with this, just heard the above in a class and wanted to see if anyone has had trouble with it.

I've never had an issue with preservation. The legal requirement is spelled out explicitly in 18 USC 2703(f).

1

6:14 PM

18 USC 2703(f): A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process. (edited)

5cary

18 USC 2703(f): A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process. (edited)

Great info! Thanks for sharing

Hey, does anyone have experience with the PS5 web browser? Specifically, if web history is stored on the console

Anyone know if Nuix can process AD1 images? it's processing at the mo so I can't check.

Majeeko

Anyone know if Nuix can process AD1 images? it's processing at the mo so I can't check.

https://www.teeltech.com/mobile-device-forensic-tools/nuix/nuix-investigator-workstation/

Extract data from:
Loose files and folders
Single-user (PST, OST, NSF, mbox) and multiple-user (EDB, Domino, Groupwise) email databases
Forensic images including dd, EnCase E01 and L01 and Access Data AD1

1

@Andrew Rathbun Thanks. Saves me the ball ache of exporting all the files.

1

Sam

Hey, does anyone have experience with the PS5 web browser? Specifically, if web history is stored on the console

Didn’t realise there was a web browser in the 5! I’ve got one and tried to get one on it a while back but failed unless they have released one.

Zhaan

Didn’t realise there was a web browser in the 5! I’ve got one and tried to get one on it a while back but failed unless they have released one.

You can access it either by linking your twitter account or simply sending a Web link via message. It's pretty basic, but there doesn't appear to be a way to view history so concern it can be used to view unsavoury parts of the net

Sam

You can access it either by linking your twitter account or simply sending a Web link via message. It's pretty basic, but there doesn't appear to be a way to view history so concern it can be used to view unsavoury parts of the net

I didn’t really try that hard as the browser on the PS4 was poor so wasn’t losing sleep over it but can understand your concerns! But I will take another look after what you said to see how compatible it would be with current sites.

Zhaan

Didn’t realise there was a web browser in the 5! I’ve got one and tried to get one on it a while back but failed unless they have released one.

Might be wrong, but isn't the Web Browser no longer a default app for PlayStations?

Rob

Might be wrong, but isn't the Web Browser no longer a default app for PlayStations?

Spot on

9:27 AM

It was a dreadful app on the 4 so in some ways I wasn’t to sad when it didn’t appear at all in its previous format on the 5.

Zhaan

Spot on

The only reason I figured this out was trying to triage one once and getting so confused

Rob

The only reason I figured this out was trying to triage one once and getting so confused

Yeah, it wasn’t pretty. If you think of the functionality of most browsers, yes even Edge, it didn’t come close so I wouldn’t of thought most current sites would play to well with it but I am more than happy to be proven wrong and I will sit down and shut my stupid mouth.

1

Hello! I’m trying a different route since my DC dongle is out of commission. I have built a drive with WinFE on it following the instructions at winfe.net/build. When booting to that thumb drive, the only thing that comes up is an admin command prompt. Has anyone come across that before?

Hi All, Please bear with me as I'm pretty new in forensics. What are the tools that companies/standard industry uses when collecting evidences from clients?

tetracyclinetuna

Hi All, Please bear with me as I'm pretty new in forensics. What are the tools that companies/standard industry uses when collecting evidences from clients?

Some tools to get you started would be Cellebrite or Magnet for mobile devices, Guymager or FTK for desktop/laptop.

Deleted User

Some tools to get you started would be Cellebrite or Magnet for mobile devices, Guymager or FTK for desktop/laptop.

Awesome! I appreciate this. Looks like Cellebrite and/or Magnet would require getting licences and Guymager and FTK are free. Thank you!

1

spicy_caveman

Good morning! Has anyone done Yahoo mail collections and run into a recent issue with the Generate an App Password feature not being available?

Did you find a work around ? I am running into the same issue

anyone know a couple of best Social Media Collection tools?

Hello all, I don't know if this is the right place to post this but I have been trying to find jobs elsewhere but I am being unsuccessful and I don't know what I'm doing wrong. I currently work as a Digital Forensic Examiner within my national law enforcement organisation and due to being undervalued and unappreciated for the work that I do, I am looking for jobs elsewhere. Since there are no companies with whom I can apply that are related to my line of work I would need to find jobs outside of my country which is fine and I would be willing to relocate. Thank you for reading this and your time. Matt

Check out #dfir-job-postings

1

1:24 AM

I hope you find a good spot somewhere

Fierry

I hope you find a good spot somewhere

Thank you

I’ve started doing some forensic work on the side…does anyone have tips for marketing to lawyers or getting new clients? Thanks.

ltrain1029

I’ve started doing some forensic work on the side…does anyone have tips for marketing to lawyers or getting new clients? Thanks.

RE Lawyers: demonstrate how you can articulate the technical aspects of your work into layman’s terms.

Getting licensed in your operating country is a good start

5:17 AM

Different countries have different licenses

Hi Guys, what do you guys think of the best Email Collector? I've used Aid4Mail Investigator and Aid4Mail Enterprise, but do you guys have an alternative favorite?

Metaspikes FEC

3

Any Infosec auditors over here please dm me. I need help with something. Thank you in advance

Anyone from @Cellebrite for a quick question about licensing?

nachito 4n6s

Anyone from @Cellebrite for a quick question about licensing?

sure send me a dm

Anybody have any ideas what this is ? Was left at a scene of a burglary, I only have photos at this point.

2

DCSO

Anybody have any ideas what this is ? Was left at a scene of a burglary, I only have photos at this point.

Second pic could be https://www.adafruit.com/product/5360 ?

DIY Magnetic Connector - Right Angle Three Contact Pins

If you love power adapters or toys & gadgets that have magnetic connections, you can now experiment with these futuristic connectors easily. It's sorta like a DIY ...

1

DCSO

Anybody have any ideas what this is ? Was left at a scene of a burglary, I only have photos at this point.

tineye could be of use here.

DCSO

Anybody have any ideas what this is ? Was left at a scene of a burglary, I only have photos at this point.

I posted this to my internal work chat and another comment was modular low bandwidth sensor

1

Yeah, magnetic quick connector. 3-pin layout. The porting on the large fascia is interesting. If not a microphone, I would anticipate LEDs there

Could it be an alarm contact of sorts?

Also a wear pattern, striations across that flat surface perpendicular to the porting

DCSO

Anybody have any ideas what this is ? Was left at a scene of a burglary, I only have photos at this point.

Any other photos or markings?

Andrew Rathbun

I posted this to my internal work chat and another comment was modular low bandwidth sensor

If it is a modular low bandwidth sensor that could indicate that the burglar was using it to detect low bandwidth frequencies like those that are used in home security systems to see if there was a security system in place at the home or to see if a particular entry point had a sensor nearby.

FullTang

If it is a modular low bandwidth sensor that could indicate that the burglar was using it to detect low bandwidth frequencies like those that are used in home security systems to see if there was a security system in place at the home or to see if a particular entry point had a sensor nearby.

Another suggestion, maybe a way to bypass an electronic lock?

RFID cloner? Could be...

would like to see the circuit if possible

1

$CozyBear

tineye could be of use here.

I tried Google Lens, but i'll try Tinyeye and see if it spots anything different.

1

FullTang

If it is a modular low bandwidth sensor that could indicate that the burglar was using it to detect low bandwidth frequencies like those that are used in home security systems to see if there was a security system in place at the home or to see if a particular entry point had a sensor nearby.

Form factor is right for a handheld RFID reader antenna.

rayeh

would like to see the circuit if possible

Thats my next step, I only have photos at this point.

DCSO

Thats my next step, I only have photos at this point.

maybe also ask what security devices the house had, see if there's a potential technology match (edited)

Digitalferret

maybe also ask what security devices the house had, see if there's a potential technology match (edited)

it was a pole shed outbuilding the owner stated it did not belong to them and was left by the suspect, more questions than answers at this point

DCSO

it was a pole shed outbuilding the owner stated it did not belong to them and was left by the suspect, more questions than answers at this point

ah rigfht, maybe "going equipped" pocket spill

2

it sort of reminds me of those scam ultrasound bug repellent devices

11:09 AM

but the magnetic mount for charging and/or quick attach on another device doesn't match that

New theory, it was an intentional plant to keep us nerds busy

6

Dave

New theory, it was an intentional plant to keep us nerds busy

Candid Camera "gangle pin"

(edited)

DCSO

I tried Google Lens, but i'll try Tinyeye and see if it spots anything different.

Try Yandex rather since it will pattern match the object as opposed to looking for an image.

Deleted User

Try Yandex rather since it will pattern match the object as opposed to looking for an image.

Yandex for the win, this has to be it without markings. https://autopresent.com.ua/ua/bezopasnost-i-komfort/videoregistratory/avtomobilnij-videoregistrator-globex-ge-114w

Автомобільний відеореєстратор Globex GE-114W купити в Україні - Хме...

Автомобільний відеореєстратор Globex GE-114W купити за вигідною ціною в Хмельницькому в інтернет-магазині - Авто Презент. Автомобільний відеореєстратор Globex GE-114W оптом зі складу з доставкою по всій Україні - Київ, Харків, Дніпро, Одеса

4

11:52 AM

nice. i ran yandex first and got nothing like!

1

12:05 PM

dashcam with GPS and radar detector

nice work all!

1

DCSO

Thats my next step, I only have photos at this point.

btw is it illegal, in your state, to use Radar Detection to avoid speed traps? wondering if the property owner wanted to distance himself from the clip on article. maybe check if he has a dashcam with similar connectors? (edited)

12:42 PM

What's going on everyone

Calculating the Incalculable here

Deleted User

Sometimes the DMCA related contact is just for show. One revenge porn matter I worked on the site owner gave zero response and never had any intent of honoring any request. Some sites will adhere while others might respond like the PirateBay team used to by saying that they do not fall under antiquated US law and (loophole) they did not physically host any copyrighted data. The documentary on it all is quite interesting and is on YouTube. The Aaron Schwartz doc is also worth a watch RE copyright.

Thanks a ton, this is exactly what I was interested in.

1

Anyone work in eDiscovery?

d0uch3bag

Anybody know a good solution for offline version virustotal or similar?

This website allows one to export a database of virus hashes if that interests you https://bazaar.abuse.ch/

MalwareBazaar - Malware sample exchange

Share malware samples with the community

Raines

Anyone work in eDiscovery?

Yeah, ping me

Digitalferret

Click to see attachment 🖼️

Nah I don't think so, we can use fuzz busters in this state. More likely this suspect was putting the stolen items into his vehicle and it dropped out of it.

1

Any of you know what "I'm tod" would mean in a conversation among young people?

DFE Travis

Any of you know what "I'm tod" would mean in a conversation among young people?

Do you have more context leading up to or right after this?

It's all very sort 'what are you up to' and 'hbu' and 'me to'

10:25 AM

Not sure if it relates to drug use or not

Interesting, hasn't come up verbatim in any slang that I've looked through recently

yeah these conversations are much more truncated than I'm used to, haha. I feel like I lose a brain cell every time I read one

3

Any chance it's British slang, re: "On my tod"?

Idk if 25 is considered young but I haven’t heard of this in any context, even the good old urban dictionary doesn’t seem to have good suggestions. The region may help as well

1

My next best guesses are, depending on immediate context, it's either some sort of phonetic in-joke that sounds like something else(e.g. "on god") or "tod" has a meaning to them that is not going to be easy to decipher without more "personal" info/context

Does UFED have such weak security features ?

Either way, I'm sure it's not just there to lure you into infecting your computer...

4

thatboy_leo

Idk if 25 is considered young but I haven’t heard of this in any context, even the good old urban dictionary doesn’t seem to have good suggestions. The region may help as well

I have a good lead for what it may be

10:49 AM

https://www.tiktok.com/@llcoolj/video/7104826435185184046 Check this out, this seems highly likely to be what they are referencing in my opinion

chick3nman

I have a good lead for what it may be

could check out, my tik tok knowledge is slim haha

chick3nman

Any chance it's British slang, re: "On my tod"?

Sounds like this.

netix

Does UFED have such weak security features ?

it may be fake (edited)

DFE Travis

Any of you know what "I'm tod" would mean in a conversation among young people?

In context to narcotics a guess would be “Tripping On D__”.

Also something I configured. The way these two talk its honestly either sexual or drug related

If a file is copied to USB, will the original file on the computer have a new last accessed date?

This is a general thought and also a question for all. What is the technical advantage and/or disadvantage to perform an analysis on a redacted data container only. For example, you are only given a Cellebrite Reader / Axiom Portable with files of interest are redacted. You can't have access to the original extraction. The one downside I can think right off the bat is me unable to use additional tool to parse for additional information. For example, use APOLLO for iOS devices, etc.. With the original files being unavailable, I can't do block hash, etc..

From a forensic examiner's perspective, there are lots of reasons why a redacted copy would be less than ideal. The one point that stands out in my mind is that with a redacted copy you have no ability to prove or disprove either additional artifact based evidence or even exculpatory data. I cannot imagine trying to provide conclusive probative opinions on partial or redacted data.

kartoffel4n6

If a file is copied to USB, will the original file on the computer have a new last accessed date?

Just fyi, last I knew the Last Accessed Date is turned off in Windows 7 and newer.

good morning @MSAB_Sofia ... how do i get access to beta versions of xry? didn´t find "early access beta" option in customer portal... it was mentioned in a presentation by a msab employee at the "Digital Investigation Conference" in vienna on 13th october...

chrisforensic

good morning @MSAB_Sofia ... how do i get access to beta versions of xry? didn´t find "early access beta" option in customer portal... it was mentioned in a presentation by a msab employee at the "Digital Investigation Conference" in vienna on 13th october...

That is a feature that is implemented in XAMN only. If you go to 'Options' in the Ribbon bar in XAMN and select 'MSAB Early Access' in the left hand menu - you can enable the option to give you access to features that are still in beta stage. If any of this functionality is too unstable, or not to your liking, you can switch this off again. But there is no separate beta version available on the Customer Portal. (edited)

thanks @MSAB_Sofia for this info ! now i checked it

DFE Travis

Not sure if it relates to drug use or not

could it be a germanic ref "I'm dead" if there's drug / hangover / illicit deals going on?

Does pentesting go kinda hand in hand with dfir

medjay

Does pentesting go kinda hand in hand with dfir

I would say yes, to a degree. Pentesting is red team, whereas reactive digital forensics and incident response is blue team. Purple team is one who dabbles in both. Anyone can feel free to correct me if I'm off base, though

1

I'd like to start my own service one day... doing both for small businesses seems like its beneficial to learn both

If offense (pentesting) does not feed into the defense (blue) then it is just authorized hacking. Needs to have a purpose (checkboxes are not a purpose) and feed into a process to improve security. That is where purple teaming excels

Digitalferret

could it be a germanic ref "I'm dead" if there's drug / hangover / illicit deals going on?

I think that’s “tot” or “totten” in German.

Deleted User

I think that’s “tot” or “totten” in German.

indeed. just working loosely, like folks said hbu (how bout you), me to(o) . i have hangover, hbu? - " like death. " etc

1

medjay

Does pentesting go kinda hand in hand with dfir

I would say yes, I perform both at the place I work

11:13 AM

be aware that you need alot of knowledge to perform both, they're entirely different fields without a lot of overlap

11:15 AM

also note there is a difference between pen testing and red teaming, red teaming is an assignemnt for an extended period of time with set goals/flags and a stealthy approach

5cary

From a forensic examiner's perspective, there are lots of reasons why a redacted copy would be less than ideal. The one point that stands out in my mind is that with a redacted copy you have no ability to prove or disprove either additional artifact based evidence or even exculpatory data. I cannot imagine trying to provide conclusive probative opinions on partial or redacted data.

Thank you

Question about “sanitizing”. Recently we have had a lot of juveniles sending and receiving obscene photos to each other, of each other. As such, we have been seizing their phones and getting consent from parents to “sanitize” them. Best I can tell, disabling cloud backup and doing a factory reset is the only option we have for any kind of wipe. This goes for both Android and Apple platforms. I’ve found some programs such as “iMyFone Umate Pro” that claim to do a wipe but nothing I’ve seen seems to be a true forensic wipe. Any suggestions if a better method would be appreciated!

Factory reset and go.

Hello, I am looking for advice on finding evidence of anti-forensic activities. I am working a case where DLP software is installed on the local computer and it reports back to its network based DLP server. Reports from the Network DLP server show thousands of files copied to a USB device on a particular day. The only artifact I have is the USB device being removed around the time the copy completed. There are no .lnk, jumplist or shellbags found on the local computer that would indicate anything was copied to this USB device. Additionally, this user did do quite a bit of cleanup that I found...uninstalled onedrive, deleted all files from his home, documents and download folders...so the user was working to erase tracks.

DFIS721

Question about “sanitizing”. Recently we have had a lot of juveniles sending and receiving obscene photos to each other, of each other. As such, we have been seizing their phones and getting consent from parents to “sanitize” them. Best I can tell, disabling cloud backup and doing a factory reset is the only option we have for any kind of wipe. This goes for both Android and Apple platforms. I’ve found some programs such as “iMyFone Umate Pro” that claim to do a wipe but nothing I’ve seen seems to be a true forensic wipe. Any suggestions if a better method would be appreciated!

It’s sounds like you have good intentions but I don’t think a factory reset or wipe apps (haven’t used them) will destroy all items. Most devices, apps and users are using some type of cloud storage. My fear is that once they do a reset or wipe the data can be restored from cloud storage. I feel if you want to ensure that all contraband items are never recoverable, you will have to delete all user accounts for apps like Snapchat and WhatsApp, then you will also have to permanently delete user accounts for gmail or Apple ID accounts. This would delete the cloud data for those apps and accounts. This also has a caveat that the user doesn’t perform an account recovery after you are not interacting with them.

CyberTend

Hello, I am looking for advice on finding evidence of anti-forensic activities. I am working a case where DLP software is installed on the local computer and it reports back to its network based DLP server. Reports from the Network DLP server show thousands of files copied to a USB device on a particular day. The only artifact I have is the USB device being removed around the time the copy completed. There are no .lnk, jumplist or shellbags found on the local computer that would indicate anything was copied to this USB device. Additionally, this user did do quite a bit of cleanup that I found...uninstalled onedrive, deleted all files from his home, documents and download folders...so the user was working to erase tracks.

Do you keep a log of their browsing history?

CyberTend

Hello, I am looking for advice on finding evidence of anti-forensic activities. I am working a case where DLP software is installed on the local computer and it reports back to its network based DLP server. Reports from the Network DLP server show thousands of files copied to a USB device on a particular day. The only artifact I have is the USB device being removed around the time the copy completed. There are no .lnk, jumplist or shellbags found on the local computer that would indicate anything was copied to this USB device. Additionally, this user did do quite a bit of cleanup that I found...uninstalled onedrive, deleted all files from his home, documents and download folders...so the user was working to erase tracks.

Did you check the MFT Journal?

DFIS721

Question about “sanitizing”. Recently we have had a lot of juveniles sending and receiving obscene photos to each other, of each other. As such, we have been seizing their phones and getting consent from parents to “sanitize” them. Best I can tell, disabling cloud backup and doing a factory reset is the only option we have for any kind of wipe. This goes for both Android and Apple platforms. I’ve found some programs such as “iMyFone Umate Pro” that claim to do a wipe but nothing I’ve seen seems to be a true forensic wipe. Any suggestions if a better method would be appreciated!

could give Redkey a shout, or i can contact directly from here. also hit me up if you want to buy, i got a discount code on behalf of the server: https://redkeyusb.com/products/redkey-usb-ultimate?_pos=1&_sid=eead316b0&_ss=r (edited)

Maybe some sort of exfil folder was used

So I left this out of the first post but before doing the factory reset, we go into cloud settings and delete each app’s data from their cloud backup. So even if they restore it, there won’t be anything there.

3

Digitalferret

could give Redkey a shout, or i can contact directly from here. also hit me up if you want to buy, i got a discount code on behalf of the server: https://redkeyusb.com/products/redkey-usb-ultimate?_pos=1&_sid=eead316b0&_ss=r (edited)

Have you used this on a mobile device? I was reading the product info on their site and it says it supports Apple and Android, I just wonder what it’s actually doing.

DFIS721

Have you used this on a mobile device? I was reading the product info on their site and it says it supports Apple and Android, I just wonder what it’s actually doing.

not tested on phones just yet, doing a batch of hard drive erasures with it right now. will let you know though. I've also popped them a mail on this topic (phones) awaiting reply. they are UK TZ so hoping they'll get back soon as they usually do

4:30 AM

my brief read is that it leaves the phone OS intact and erases what would be considered the users data

Digitalferret

not tested on phones just yet, doing a batch of hard drive erasures with it right now. will let you know though. I've also popped them a mail on this topic (phones) awaiting reply. they are UK TZ so hoping they'll get back soon as they usually do

Awesome I appreciate that. I might go ahead and buy it anyway. Seems pretty handy

DFIS721

Awesome I appreciate that. I might go ahead and buy it anyway. Seems pretty handy

DM incoming - redkey replied

Unable to find an appropriate room for discussions in regards to vulnerability scanners/vulnerability assessments. Thought I would try my luck in this room. Has anyone experience with Tenable? I am new to the product and some things are confusing, would love to discuss the matters with someone with more experience.

Deleted User

Do you keep a log of their browsing history?

Yep, nothing showing up in there...I have two snapshots as well

Does the iCloud retain geolocation data for a users device? My SA is asking what he should be asking Apple in a search warrant and I am sadly still iPhone dumb.

Fierry

Did you check the MFT Journal?

Thanks Fierry, I had started looking through $J and $MFT, but I probably did not spend enough time looking through them. Doing that today. Not sure if there would be anything in particular to zero in on or not...but I will look around the time the employee left the company.

Fierry

Did you check the MFT Journal?

Another interesting artifact came up on a new ingest I did via carving and searching for hidden encrypted volumes...one has shown up in unallocated space

Cool!

12:37 PM

Guess someone’s plan is in tatters

Fierry

Cool!

Yes, I just have to figure out how the heck to get to it

Looking for some testers before I release the next version of OneDriveExplorer. This is a significant update and would like some feedback. DM me if interested.

The newly released EZTools manual on Leanpub mentioned it is also possible to run the tools on Linux due to .NET 6 portability. is it also possible to run Timeline Explorer in such a way? As it stands I can't find the .NET6 Desktop Runtime for Linux, it only seems to be available for Windows

Fierry

The newly released EZTools manual on Leanpub mentioned it is also possible to run the tools on Linux due to .NET 6 portability. is it also possible to run Timeline Explorer in such a way? As it stands I can't find the .NET6 Desktop Runtime for Linux, it only seems to be available for Windows

No

1

1:31 AM

Because of the windows runtime as you mentioned

2:12 AM

too bad

More incentive to work on SOF-ELK ingestions

Never had an opportunity to use it yet, it’s on my list of stuff to check out with a lot of other things

Fierry

The newly released EZTools manual on Leanpub mentioned it is also possible to run the tools on Linux due to .NET 6 portability. is it also possible to run Timeline Explorer in such a way? As it stands I can't find the .NET6 Desktop Runtime for Linux, it only seems to be available for Windows

I'll have to clarify that. Thanks for bringing it up

1

does anybody know if anything ever came of NISTs forensic examiner evaluation study? it has been done for a long time and no results ever came out that I can find. kind of concerning...

Sha1_4n6

does anybody know if anything ever came of NISTs forensic examiner evaluation study? it has been done for a long time and no results ever came out that I can find. kind of concerning...

https://www.nist.gov/publications/results-black-box-study-digital-examiners ?

Results from a Black-Box Study for Digital Examiners

The National Institute of Standards and Technology (NIST) conducted a black-box study in conjunction with a scientific foundation review documented in NISTIR 83

lol. thanks.

5:33 PM

I guess I didn't look hard enough, my bad.

5:36 PM

I was sure this would be all over reddit or Twitter when it came out and the last time I searched for it I didn't find it

Best DFIR Linux os?

medjay

Best DFIR Linux os?

blue team? red team?

Blue team

7:13 PM

Both actually lol

Well, I don't think it's a great idea to have my washer also be a dryer, so I keep them as separate appliances lol

7:14 PM

That being said, doesn't mean you can't make a VM that has tools for both use cases

7:14 PM

Kali Linux is probably up there for red teams, I'd imagine

Yeah I thought about getting parrot

medjay

Best DFIR Linux os?

Ubuntu , install the tools you need yourself.

In a VM tho right

medjay

In a VM tho right

Yeah why not? You can leverage snapshots with VMWare Workstation Pro, for instance

Andrew Rathbun

I'll have to clarify that. Thanks for bringing it up

@Fierry I just added a sentence that'll go out with next update that addresses this, thanks again for flagging

1

ryd3v

Ubuntu , install the tools you need yourself.

id agree, im doing this and its helping me learn and not be so overwhelmed with all the tools preinstalled on things like kali or parrot

medjay

In a VM tho right

Yes

10:08 AM

You can also use virtual box and it’s free. Does all the same things VMware does

Yeah I may do the Ubuntu route with tools much easier

10:16 AM

I'm looking for a new laptop that will allow me to run multiple VMs

medjay

Best DFIR Linux os?

Paladin from @SUMURI…..shameless plug lol

1

Is it free

medjay

Is it free

https://sumuri.com/product-category/brands/paladin/

10:35 AM

yes, but ima charge you for googling it

1

Donationware + Pro version for $$

That's pretty cool

10:39 AM

Need a better laptop

wts the day when Gamers say they need a Forensic laptop

Hacker laptops are better than forensics laptops lol

nah, i've seen the typing on them, |-|4c|<3r'5 |<3Y|304Rd's R |3oR|<3D

Lol

Digitalferret

nah, i've seen the typing on them, |-|4c|<3r'5 |<3Y|304Rd's R |3oR|<3D

Hackers keyboard's are borked For those that don't want to manually translate it but are curious!

2

medjay

Need a better laptop

What kind of laptop do you have now?

An HP with Ubuntu on it 8gbRam

I can really recommend the thinkpads from lenovo... E.g. the x1 carbon is really lightweight and has a lot of power(in top spec configuration) or also the p-series

X1 carbon sounds expensive lol

medjay

An HP with Ubuntu on it 8gbRam

That’s probably fine!

3:16 PM

+1 for Thinkpad, I got a T470 and it’s awesome as a forensics machine

It's not good for running from VMs

You probably want to have at least 16GB RAM for good day to day performance

Yea 16 is ideal, but ram is cheaper than a new laptop xD

1

Anyone else have a hard time getting trial licenses for software when just a student? Finding it hard to get vendors to accept a non business email.

Yeah that’s hard, maybe .edu might have better luck

dsplice

Anyone else have a hard time getting trial licenses for software when just a student? Finding it hard to get vendors to accept a non business email.

create business email, issue solved

10:35 PM

dsplice

Anyone else have a hard time getting trial licenses for software when just a student? Finding it hard to get vendors to accept a non business email.

what's the reply from said vendors; or are you just trying to enter on a form? - for one off's I've used disposablemail as their domians aren't often added to the generic gmail/hotmails etc

I always use johnnyappleseed@apple.com

other than that, try [Contact Us] or a .edu or ask your faculty?

And 4169671111 for phone number

hard if they send a link back for download and it's not your email

Yeah in that case it wouldn’t work but I wonder how many emails he gets ? Lol betcha a lot

ryd3v

Yeah in that case it wouldn’t work but I wonder how many emails he gets ? Lol betcha a lot

not with you mate; he gets a lot of emails from what?

Johnyappleseed@apple.com is like a email example from Apple devices so I’m sure many people pick that address lol

dear vendor, can i get a trial please? or just enter a disposablemail.com - any trials i get are either a simple <yeh you filled an email address for us to spam> or <here's your down;load link> . for pro s/w i'd contact the Co direct and just say how it is. mostly they're trying to avoid scraping or bots

ryd3v

Johnyappleseed@apple.com is like a email example from Apple devices so I’m sure many people pick that address lol

ah right, got it.

12:44 AM

not much good tho if they send you the d/l to that addy

Yeah no would not work if they have to email you a download link

dsplice

Anyone else have a hard time getting trial licenses for software when just a student? Finding it hard to get vendors to accept a non business email.

Twitter DMS work some times

tklane

Yeah that’s hard, maybe .edu might have better luck

A lot of vendors are secretive about their software. (And for good reason). I’ve signed multiple NDA over the years.

dcs453

A lot of vendors are secretive about their software. (And for good reason). I’ve signed multiple NDA over the years.

can vouch. but offering (NDA) and a proper application / expression of interest goes a long way. from just checking some erasure s/w & h/w to asking about purchase, to using, I got invited to focus group in a matter of days.

Anyone have recommendations for Intel v. AMD for processors while running forensic software? We are building a new computer and are looking at some of the AMD Threadrippers out there, but wanted to see if anyone had positives or negatives going one way or the other. We are primarily running Cellebrite with some FTK and Axiom sprinkled in.

SgtMoose114

Anyone have recommendations for Intel v. AMD for processors while running forensic software? We are building a new computer and are looking at some of the AMD Threadrippers out there, but wanted to see if anyone had positives or negatives going one way or the other. We are primarily running Cellebrite with some FTK and Axiom sprinkled in.

Great morning. I guess the main question is are you building a dual purpose station? As in primarily used for imaging, or primarily used for analysis tools like PA? When I was LEO I started with an i7 and a decent video card. The most important piece to the puzzle is your write speed so focusing on like a M.2 SSD is a must have. I think getting into whether people are rocking Ryzen 7 or 9 versus the 12th gen i7-i9 is like arguing 9mm vs .40 ammo or religion to some people. You should check your clock speeds for what you are building on top of. So your motherboard- what is it supporting and what is available in the upper echelon tier processor kits. I have read that the Ryzen 7 can out perform an i9 in some cases- but I don't know if that is enough to justify a swap. (edited)

spicy_caveman

Great morning. I guess the main question is are you building a dual purpose station? As in primarily used for imaging, or primarily used for analysis tools like PA? When I was LEO I started with an i7 and a decent video card. The most important piece to the puzzle is your write speed so focusing on like a M.2 SSD is a must have. I think getting into whether people are rocking Ryzen 7 or 9 versus the 12th gen i7-i9 is like arguing 9mm vs .40 ammo or religion to some people. You should check your clock speeds for what you are building on top of. So your motherboard- what is it supporting and what is available in the upper echelon tier processor kits. I have read that the Ryzen 7 can out perform an i9 in some cases- but I don't know if that is enough to justify a swap. (edited)

We use one rig for both imaging and analysis. Imaging tends to run pretty smoothly, and we are trying to increase our parsing speeds in PA. Right now it is taking a full day to load up and run reports on large extractions (50GB+). And considering phones are just getting bigger, I don't think it's going to get any better. A big part of our downfall is the image categorization, and we don't have a great GPU right now. But overall speed improvements would also be great. We also have the money to do a build right now, so I'm trying to spec out a computer that will serve us well for 5+ years.

SgtMoose114

We use one rig for both imaging and analysis. Imaging tends to run pretty smoothly, and we are trying to increase our parsing speeds in PA. Right now it is taking a full day to load up and run reports on large extractions (50GB+). And considering phones are just getting bigger, I don't think it's going to get any better. A big part of our downfall is the image categorization, and we don't have a great GPU right now. But overall speed improvements would also be great. We also have the money to do a build right now, so I'm trying to spec out a computer that will serve us well for 5+ years.

sent PM

It'd also be important to know how many cores/ threads your programs are using or how much multitasking you'd be using on your system when doing case work. Could get a threadripper with 128 threads but iirc a program like axiom would currently only utilize up to 32 of those.

Solec

It'd also be important to know how many cores/ threads your programs are using or how much multitasking you'd be using on your system when doing case work. Could get a threadripper with 128 threads but iirc a program like axiom would currently only utilize up to 32 of those.

Great point, I'll do some digging into that.

SgtMoose114

Anyone have recommendations for Intel v. AMD for processors while running forensic software? We are building a new computer and are looking at some of the AMD Threadrippers out there, but wanted to see if anyone had positives or negatives going one way or the other. We are primarily running Cellebrite with some FTK and Axiom sprinkled in.

We have two build guides here -> https://github.com/Digital-Forensics-Discord-Server/FrequentlyAskedDFIRQuestions/tree/main (edited)

GitHub - Digital-Forensics-Discord-Server/FrequentlyAskedDFIRQuesti...

A repository to store answers to some of the most commonly asked questions within the Digital Forensics Discord Server - GitHub - Digital-Forensics-Discord-Server/FrequentlyAskedDFIRQuestions: A re...

9:49 AM

Easy on the eyes version here, https://ryd3v.rocks/posts/wrkstnbuild

Forensics Workstation Build

Ryan Collins, Software Engineer, teaching programming, development, React, Next.js

9:50 AM

AMD was slightly more expensive in my build guides but some new chips and boards are on the horizon

ryd3v

We have two build guides here -> https://github.com/Digital-Forensics-Discord-Server/FrequentlyAskedDFIRQuestions/tree/main (edited)

cheers to that! This will be a huge help - Thank you!

My pleasure

9:52 AM

If you need any help let me know

9:52 AM

The motherboard on the AMD build could be swapped with a more readily available board of course.

9:53 AM

Also intel launched the 13 gen chips

9:54 AM

https://www.intel.com/content/www/us/en/newsroom/news/13th-gen-core-launch.html#gs.gmhfnj

9:54 AM

And they are quite good, so may have to update the build guide

9:55 AM

So in reality a new system should have the 13900K and DDR5 with mobo to match

1

Digitalferret

what's the reply from said vendors; or are you just trying to enter on a form? - for one off's I've used disposablemail as their domians aren't often added to the generic gmail/hotmails etc

Usually the form itself just rejects it. Sometimes if a human is looking at it, they just say that I need to use a business email

dsplice

Usually the form itself just rejects it. Sometimes if a human is looking at it, they just say that I need to use a business email

Buy a domain, something like mycoolbusinessname.com then use a protonmail email and link the domain to the email, instant business email

10:46 AM

You can even make yourself a little landing page to make it look even more legit

10:46 AM

dsplice

Usually the form itself just rejects it. Sometimes if a human is looking at it, they just say that I need to use a business email

yeh, i find disposablemail dot com or similar has enough randomness to the name that they get accepted

Just hack they server and grab your goods

8:17 PM

That’s a joke pls don’t ban me

Anyone have encountered a file with the extension .meta? Small 20b file, first thought the hex was timestamps but doesn't decode well. (edited)

@LuisV85 can i dm You ?

juan21_15

@LuisV85 can i dm You ?

Si claro

OggE

Anyone have encountered a file with the extension .meta? Small 20b file, first thought the hex was timestamps but doesn't decode well. (edited)

Have you tried Cyber Chef?

5cary

Have you tried Cyber Chef?

Not yet, have tried Decode (LE and BE), binwalk and x-ways data interpreter

OggE

Anyone have encountered a file with the extension .meta? Small 20b file, first thought the hex was timestamps but doesn't decode well. (edited)

is the filename 40 characters hex?

9:06 AM

e.g. AD03A494B5F94A2FF28B5806882D81D3338B2FB5.meta

chick3nman

is the filename 40 characters hex?

No its the name of a video from telegram on iOS, i saw somewhere that it might be metadata from the file but i dont understand how

hmm interesting

9:30 AM

i was guessing it could be the .meta format you see for torrents

telegramvideo.mp4 telegramvideo.meta

9:32 AM

the name had something like "telegram-cloud-video-<numbers>_partial", already checked the numbers they are not a timestamp either

not sure about that, not the format i was hoping it would be

chick3nman

not sure about that, not the format i was hoping it would be

thanks anyway

perhaps its a partial file?

Random question - Anyone got a reliable / safe source to download 20H2 build of windows? (We have licences for it!) (edit: Rufus <3) (edited)

Hi there do you have any recommendations for good forensic conferences ? On my list I have already Sans Summit, DFRWS, OSDF Con and Virusbulletin

I have a list of addresses in an excel sheet. I am trying to find there Lats and Longs then map the addresses without entering each address. If that makes sense. Is there a way to do this?

digital Bowles

I have a list of addresses in an excel sheet. I am trying to find there Lats and Longs then map the addresses without entering each address. If that makes sense. Is there a way to do this?

Give this a try with its bulk upload feature: https://www.mapcustomizer.com/

Create a map | Mapcustomizer.com

Plot multiple locations on Google Maps

Thank you.

1

Hours of googling and checking each site I came across the batchgeo.com. You can drag and drop the excel file and direct it with which columns hold what data. It then sent me a link to an email address (not the agency one yet). The link opened a nice map with each location identified.

1

2

It’s ok to share that data with a 3rd party website?

Rob

Random question - Anyone got a reliable / safe source to download 20H2 build of windows? (We have licences for it!) (edit: Rufus <3) (edited)

https://www.heidoc.net/joomla/technology-science/microsoft/67-microsoft-windows-and-office-iso-download-tool

Microsoft Windows and Office ISO Download Tool

This new tool allows an easy and comfortable way to download genuine Microsoft Windows 7, 8.1 and 10, as well as Office 2007, 2010, 2013 and 2016 disk images (ISO) directly from Microsoft's servers.

1

Rob

Random question - Anyone got a reliable / safe source to download 20H2 build of windows? (We have licences for it!) (edit: Rufus <3) (edited)

https://github.com/AveYo/MediaCreationTool.bat

GitHub - AveYo/MediaCreationTool.bat: Universal MCT wrapper script ...

Universal MCT wrapper script for all Windows 10/11 versions from 1507 to 21H2! - GitHub - AveYo/MediaCreationTool.bat: Universal MCT wrapper script for all Windows 10/11 versions from 1507 to 21H2!

2

Does anyone have a Lenovo ThinkPad X1 Nano Gen 2 laptop (12th Gen Intel i7-1280P) accessible? This is relatively new hardware with some "interesting" (aggravating?) security features that we are testing. We would like to see if our findings can be replicated and are happy to throw in an Arsenal license for the help.

Fierry

Did you check the MFT Journal?

So in the MFT journal, I am showing "Last Record Change0x10" on the date the file was copied to this USB in question 7/31/2022. No other journal entries have changed. "last Record Change0x30" is a much much earlier date, back to 3/22/2021. I thought these two should match?? Also, path associated is: .\PathUnknown\Directory with ID 0x0000D029-00000A0B. This case I have a signature hit for TrueCrypt/Veracrypt/DriveCrypt volume in unallocated space.

CyberTend

So in the MFT journal, I am showing "Last Record Change0x10" on the date the file was copied to this USB in question 7/31/2022. No other journal entries have changed. "last Record Change0x30" is a much much earlier date, back to 3/22/2021. I thought these two should match?? Also, path associated is: .\PathUnknown\Directory with ID 0x0000D029-00000A0B. This case I have a signature hit for TrueCrypt/Veracrypt/DriveCrypt volume in unallocated space.

Looks like you're looking at the $MFT? That PathUnknown artifact means the directory is not currently present. I'm guessing you're using MFTECmd? If you're using TLE, make sure you have the subseconds on your timestamp values enabled. If you have no idea what I'm talking about, let me know

Sorry to ask this question all, is there a universal device that could replicate any devices screen output? Basically a mirror for changing settings to do a device download but without buying and replacing the screen

Andrew Rathbun

Looks like you're looking at the $MFT? That PathUnknown artifact means the directory is not currently present. I'm guessing you're using MFTECmd? If you're using TLE, make sure you have the subseconds on your timestamp values enabled. If you have no idea what I'm talking about, let me know

Yes sir, $MFT and using Eric Z's Timeline Explorer. I am not seeing how to enable subseconds...current Date format is set to: yyyy-MM-dd HH:mm:ss. So the PathUnknown, this is an issue where we know these files were copied to a USB drive. The Network DLP application shows this. All I have in the registry is an artifact showing the USB drive removal about the time the network DPL reported the files copied to the USB completed. I have no lnk, shellbags, jumplists or recent documents showing these files accessed on the local machine. So I am trying to, somehow, correlate the $MFT listing of files to this particular USB and prove that both Network DLP and local computer artifacts support the fact the files were indeed copied.

CyberTend

Yes sir, $MFT and using Eric Z's Timeline Explorer. I am not seeing how to enable subseconds...current Date format is set to: yyyy-MM-dd HH:mm:ss. So the PathUnknown, this is an issue where we know these files were copied to a USB drive. The Network DLP application shows this. All I have in the registry is an artifact showing the USB drive removal about the time the network DPL reported the files copied to the USB completed. I have no lnk, shellbags, jumplists or recent documents showing these files accessed on the local machine. So I am trying to, somehow, correlate the $MFT listing of files to this particular USB and prove that both Network DLP and local computer artifacts support the fact the files were indeed copied.

Change it to yyyy-MM-dd HH:mm:ss.fffffff and exit and reingest the CSV

Andrew Rathbun

Change it to yyyy-MM-dd HH:mm:ss.fffffff and exit and reingest the CSV

Thanks I will do that now.

CyberTend

Thanks I will do that now.

https://github.com/AndrewRathbun/TimelineExplorerSettings here's my TLE settings file, for reference

GitHub - AndrewRathbun/TimelineExplorerSettings: A public repo to h...

A public repo to host and maintain my settings file for Timeline Explorer - GitHub - AndrewRathbun/TimelineExplorerSettings: A public repo to host and maintain my settings file for Timeline Explorer

CyberTend

Yes sir, $MFT and using Eric Z's Timeline Explorer. I am not seeing how to enable subseconds...current Date format is set to: yyyy-MM-dd HH:mm:ss. So the PathUnknown, this is an issue where we know these files were copied to a USB drive. The Network DLP application shows this. All I have in the registry is an artifact showing the USB drive removal about the time the network DPL reported the files copied to the USB completed. I have no lnk, shellbags, jumplists or recent documents showing these files accessed on the local machine. So I am trying to, somehow, correlate the $MFT listing of files to this particular USB and prove that both Network DLP and local computer artifacts support the fact the files were indeed copied.

Have you looked at the SANS poster that shows timestamps for file copy, file move, etc events?

6:49 AM

https://www.sans.org/white-papers/36842/ by @RandyRanderson and https://www.sans.org/posters/windows-forensic-analysis/ may be helpful

Filesystem Timestamps: What Makes Them Tick? | SANS Institute

Filesystem Timestamps: What Makes Them Tick?

Windows Forensic Analysis | SANS Poster

The “Evidence of...” categories were originally created by SANS Digital Forensics and Incidence Response faculty for the SANS course FOR500: Windows Forensic Analysis. The categories map a specific artifact to the analysis questions that it will help to answer. Use this poster as a cheat-sheet to help you remember where you can discover key Wind...

Andrew Rathbun

https://www.sans.org/white-papers/36842/ by @RandyRanderson and https://www.sans.org/posters/windows-forensic-analysis/ may be helpful

Thanks, I do have all of those and will study them today. Picked them up recently at the Austin SANS DFIR summit

1

CyberTend

Thanks, I do have all of those and will study them today. Picked them up recently at the Austin SANS DFIR summit

and you didn’t even say hi while there?!

RandyRanderson

and you didn’t even say hi while there?!

Next time....Great show, very well worth taking a few days to come down to Austin

1

TetsuoAR

Sorry to ask this question all, is there a universal device that could replicate any devices screen output? Basically a mirror for changing settings to do a device download but without buying and replacing the screen

Most devices that support USB-C to HDMI or OTG have to be logged into to replicate the screen output. I typically bite the bullet and buy a cheap screen on Amazon to get us through the extraction, i'm not concerned how long it last after that

1

What does everyone use to view levelDB?

@Law Enforcement [USA] Looking to see if anyone has a procedure on destroying electronic evidence devices. We have court orders to destroy items, and looking for best ways to destroy them. Businesses that would take and destroy them.

burgers_N_bytes

What does everyone use to view levelDB?

@Matt

sholmes

@Law Enforcement [USA] Looking to see if anyone has a procedure on destroying electronic evidence devices. We have court orders to destroy items, and looking for best ways to destroy them. Businesses that would take and destroy them.

Our evidence tech just takes a sledge hammer to them, not sure if that is what you are looking for lol.

2

sholmes

@Law Enforcement [USA] Looking to see if anyone has a procedure on destroying electronic evidence devices. We have court orders to destroy items, and looking for best ways to destroy them. Businesses that would take and destroy them.

I know my former PD outsourced old hard drives being shredded to some local company. Thoughts on doing the same?

1

sholmes

@Law Enforcement [USA] Looking to see if anyone has a procedure on destroying electronic evidence devices. We have court orders to destroy items, and looking for best ways to destroy them. Businesses that would take and destroy them.

Depends if your talking data or device. Device, shredding to dod spec (I think 1/125" is the standard), if it's magnetic media degausing is also an acceptable option to us.

1

sholmes

@Law Enforcement [USA] Looking to see if anyone has a procedure on destroying electronic evidence devices. We have court orders to destroy items, and looking for best ways to destroy them. Businesses that would take and destroy them.

If it's any kind of hard disk media, we tend to DOD wipe them (can do with a standard computer, though I can't remember off the top of my head which program), but we have a special (and noisy) piece of tech that does it for us. Then we drill holes and hand them off

Google confidential shredding for places in your area @sholmes

1

️

burgers_N_bytes

What does everyone use to view levelDB?

What application’s database are you viewing?

Telematics system using in commercial transportation vehicles so not your typical application lol

9:31 AM

Used*

burgers_N_bytes

Used*

up arrow key after you post a message will go into edit mode of your most recent message, btw

1

Andrew Rathbun

up arrow key after you post a message will go into edit mode of your most recent message, btw

Thank you for that!

1

Nanotech Norseman

If it's any kind of hard disk media, we tend to DOD wipe them (can do with a standard computer, though I can't remember off the top of my head which program), but we have a special (and noisy) piece of tech that does it for us. Then we drill holes and hand them off

who do you hand them off to?

burgers_N_bytes

Telematics system using in commercial transportation vehicles so not your typical application lol

Is it in an IndexedDB folder or leveldb folder?

I believe it’s a levelDB folder but don’t have it in front of me at the moment

sholmes

@Law Enforcement [USA] Looking to see if anyone has a procedure on destroying electronic evidence devices. We have court orders to destroy items, and looking for best ways to destroy them. Businesses that would take and destroy them.

7

4

2

burgers_N_bytes

I believe it’s a levelDB folder but don’t have it in front of me at the moment

Sweet, I’ll DM you

sholmes

who do you hand them off to?

Our inventory control guy handles post-destruction disposals for us. We get the fun job of destruction XD

4

1

sholmes

@Law Enforcement [USA] Looking to see if anyone has a procedure on destroying electronic evidence devices. We have court orders to destroy items, and looking for best ways to destroy them. Businesses that would take and destroy them.

Our procedure is to wipe hard drives and phones, then crush them with one of these https://purelev.com/ (batteries removed of course). I'm not sure what happens to them after they are destroyed. That's the IT department's problem!

1

sholmes

@Law Enforcement [USA] Looking to see if anyone has a procedure on destroying electronic evidence devices. We have court orders to destroy items, and looking for best ways to destroy them. Businesses that would take and destroy them.

How many pieces are you destroying

lxwarhammerxl

How many pieces are you destroying

couple hundred

Ooooof…..we three hole punch platter drives, smash cellphones with sledges, snap NVME drives, and 3 pass wipe thumb drives (flash media). If we had a couple hundred I would at least get a quote from shred it (any disposal company will do). When we use a third party we watch them shred the evidence though.

1

We use Acitve Kill disk (paid version) to DOD wipe hare drives, unless the order is for physical destruction. Our State Police has a hard drive shredding machine. Cell phones are factory wiped and then a Sledgehammer to them (since you can't shred lithium batteries). Our local university just did a mass purchase of cell phones from propertyroom.com and found almost half the devices unlocked and still with user data...... Don't be them!

1

We use Shredit. They scan serial numbers then provide a certificate of destruction. We also watch to kill time.

1

sholmes

@Law Enforcement [USA] Looking to see if anyone has a procedure on destroying electronic evidence devices. We have court orders to destroy items, and looking for best ways to destroy them. Businesses that would take and destroy them.

Crusher so I'm told

2

burgers_N_bytes

What does everyone use to view levelDB?

for the wiping side I'm using Redkey USB. having checked all the other 'usual suspects' it offers great value, wipes multiple devices in parallel to intl standards (I'm using NIST 800-88 Purge) and produces reports. can also wipe mobile devices altho they are working on certification for that rn. one off price per USB device, no extras or per drive costs.

Does anyone know of a site either on the clear or deep web where I can check for identities that are in credit card dumps. I have a list of victims and their PII and I'm wondering if it is just from a cc dump or some other source.

Neon

Does anyone know of a site either on the clear or deep web where I can check for identities that are in credit card dumps. I have a list of victims and their PII and I'm wondering if it is just from a cc dump or some other source.

Pastebin

luis511_

Pastebin

Great idea, thanks

Neon

Great idea, thanks

NP. Also, if you’re able to contact an investigator at the cc company, and the company has the Intel, they might be able to give you a lead on how the pII was compromised

1

Does anyone know why FTK Imager wouldn't show me my deleted files? I'm using a virtual machine to test this out, and it only shows me files that were just deleted right before an image was captured. If I wait a few seconds and take the image again, these deleted files are not shown anymore. I can't find the answer anywhere online? Thank you for any help in advance

q3

Does anyone know why FTK Imager wouldn't show me my deleted files? I'm using a virtual machine to test this out, and it only shows me files that were just deleted right before an image was captured. If I wait a few seconds and take the image again, these deleted files are not shown anymore. I can't find the answer anywhere online? Thank you for any help in advance

Is the VM on a SSD or a HDD and is the allocated space static or dynamic?

Allocated space is dynamic and solid state drive

Both of those would contribute to not being able to see your data. Garbage collection on the SSD would recycle the unallocated data over time, but most likely the dynamic space is what is really causing you to not see the data because once a file is deleted that unused portion of the drive will no longer be assigned to the VM.

1

8:34 PM

For the best results (while on a budget) for tinkering with deleted files, you could use an external rotational hard drive. One of those annoying external hard drives that require an additional power source and are the size of a small book.

3

Thank you so much, this information helps a lot

!!

1

I know this is generally a blue team server, but has anyone found any reasonable articles and research on ProxyNotShell beyond the high level analysis?

misterturtle

I know this is generally a blue team server, but has anyone found any reasonable articles and research on ProxyNotShell beyond the high level analysis?

If there is demand for a penetration testing channel, just speak up. That being said there's a SANS red team server that is probably a better fit unless there's a whole group of red teamers here that I'm not aware of

Good morning. Is there anyone from @Magnet Forensics available to talk about picture categorization?

stps358

Good morning. Is there anyone from @Magnet Forensics available to talk about picture categorization?

I’m happy to help

Hello I need help, how could I find a file executed with process ghosting?

Deleted User

Hello I need help, how could I find a file executed with process ghosting?

https://pentestlaboratories.com/2021/12/08/process-ghosting/

Administrator

Process Ghosting

Understanding how endpoint products work to identify malicious actions can lead to the discovery of security gaps which can be used for evasion during red team operations. The technique Process Her…

2

Andrew Rathbun

Change it to yyyy-MM-dd HH:mm:ss.fffffff and exit and reingest the CSV

OK!!!! It looks like the list of files this individual stole ALL have timestamps with Last Modifiedx10 .000000 subseconds, the first part of the date looks to be somewhat randomized.

5:35 PM

Well I need to add one more f, but 5 zeros anyway here

5:41 PM

@Andrew Rathbun Also this:

CyberTend

@Andrew Rathbun Also this:

Are these malicious files, per chance?

Andrew Rathbun

Are these malicious files, per chance?

Nope, just highly proprietary company owned intellectual property

Andrew Rathbun

Are these malicious files, per chance?

So all of these are .pdf, .docx, .xlsx. The files we believe were taken do have the SI<FN & u Sec all zeros

Andrew Rathbun

Are these malicious files, per chance?

And all of these do have values in the Created (0x30). Obviously this is a different time than in Created(0x10)

Nanotech Norseman

If it's any kind of hard disk media, we tend to DOD wipe them (can do with a standard computer, though I can't remember off the top of my head which program), but we have a special (and noisy) piece of tech that does it for us. Then we drill holes and hand them off

Dban?

Digitalferret

yeh, i find disposablemail dot com or similar has enough randomness to the name that they get accepted

I tried using my custom domain (managed to get email working on it). But no dice. I guess Magnet and X-ways do not like me LOL (CANNOT imagine why </sarcasm>)

dsplice

I tried using my custom domain (managed to get email working on it). But no dice. I guess Magnet and X-ways do not like me LOL (CANNOT imagine why </sarcasm>)

SMH, when email paranoia overtakes the desire to do business.

1:14 AM

nearly as bad as call centre for national Co "your call is important to us... <glacial wait times> .. Hello your through to Tier one, which queue would you like to wait i next?"

Hi! I’m a student currently working on a big project for my forensics class and have some questions I need to ask, is anyone familiar with ballistics or even works as a ballistics/firearms expert?

This is a server more for digital forensics, not the traditional forensics work

Ah okay thank you!!

Shot in the dark, are any of you out of Hawaii?

has anyone seen a SDL file within a GPS unit ? It looks like its maping data but just dont know how to decode it.

Jetten_007

has anyone seen a SDL file within a GPS unit ? It looks like its maping data but just dont know how to decode it.

you think it might be worth giving Rand McNally a call?

That may work... it may take some time to find the right person..

1

Do you guys have antivirus software on your personal and/or work devices? Im curious as considering theres a lot of government workers here id assume your workplaces would have SOCs or SEIMs an all that so do you guys not bother with antivirus or are they super important in workplaces and personal devices ontop of these other tools and resources?

Atom

Do you guys have antivirus software on your personal and/or work devices? Im curious as considering theres a lot of government workers here id assume your workplaces would have SOCs or SEIMs an all that so do you guys not bother with antivirus or are they super important in workplaces and personal devices ontop of these other tools and resources?

We have a mixture of networked and open source devices, including computers, laptops and mobile devices. The networked devices are managed internally by IT with their processes and policies, the open source devices don't see the internal network so stuff like antivirus is not something we have to worry about in that regard.

Is It Done Yet?

We have a mixture of networked and open source devices, including computers, laptops and mobile devices. The networked devices are managed internally by IT with their processes and policies, the open source devices don't see the internal network so stuff like antivirus is not something we have to worry about in that regard.

Thank you for your answer:D Say a policy is breached i.e user falls victim to phishing, plugs in a rouge device etc, wouldnt an antivirus be helpful to prevent and/or flag any malware? Or would internal IT processes pick up on that and then IT just looks into it thus removing the need for the warning part that antiviruses usually have?

Atom

Thank you for your answer:D Say a policy is breached i.e user falls victim to phishing, plugs in a rouge device etc, wouldnt an antivirus be helpful to prevent and/or flag any malware? Or would internal IT processes pick up on that and then IT just looks into it thus removing the need for the warning part that antiviruses usually have?

I work mainly in the open source world, as I do digital forensics which is not done on the networked side of things, so cannot give you a definitive answer. That said, all network machines are monitored internally by IT so any malware etc would be identified. As for our digital forensic machines etc like our laptops we use for open source we just accept there is a risk.

Is It Done Yet?

I work mainly in the open source world, as I do digital forensics which is not done on the networked side of things, so cannot give you a definitive answer. That said, all network machines are monitored internally by IT so any malware etc would be identified. As for our digital forensic machines etc like our laptops we use for open source we just accept there is a risk.

Ahh ok cool, thank you! Love learning about this stuff

Atom

Do you guys have antivirus software on your personal and/or work devices? Im curious as considering theres a lot of government workers here id assume your workplaces would have SOCs or SEIMs an all that so do you guys not bother with antivirus or are they super important in workplaces and personal devices ontop of these other tools and resources?

Malwarebytes on a vm that deals with downloading samples , on windows usually just defender is sufficient, on Linux clamav if it’s also a device for downloading files, on Mac, Malwarebytes as it’s the easiest to scan files coming from or going to Windows.

1:43 AM

Other than that I use https://www.ossec.net/

W2 Communications

OSSEC - World's Most Widely Used Host Intrusion Detection System - ...

OSSEC is a multiplatform, open source and free Host Intrusion Detection System (HIDS). You can tailor OSSEC for your security needs through its extensive configuration options, adding custom alert rules and writing scripts.

Does anyone have any good resources on stegoanalysis? I've found this great research paper, https://d1wqtxts1xzle7.cloudfront.net/75266670/j.dsp.2010.02.00320211127-13535-4t709s-with-cover-page-v2.pdf?Expires=1667300496&Signature=FAkFJEiBk7TNGEICkRHkkxg5US~DMg6W91lzbsnvvInskTKp-~V8gZ0kiuOUFp6jO6zweTRXAxsN4A8nCQM66NNzVmITtcaCJBRnKZpsQ7QV7A2tj8kV-JQfoLyRGE34Z0Rgqt47dpBPmkEa9HnJxsp2z-djGsJ8f8wuM5bPlUoLkLVapadkuh3K2dtfY3wK68raB5y3tGtBrvOUA68GVE2t7kQnY0cyuYd8K~S3A4SM0SwLxA479ocS1kEEUqlj~JpNU6o8goltZBc19aWnZZisoJMtbjwhR9IlTjX~Eufxmw9ZApr6QMbyrME9KdvYovSqx5TEl-MySnDmEK741Q__&Key-Pair-Id=APKAJLOHF5GGSLRBV4ZA , but I'm looking for something with a bit more math to replicate in code

Atom

Do you guys have antivirus software on your personal and/or work devices? Im curious as considering theres a lot of government workers here id assume your workplaces would have SOCs or SEIMs an all that so do you guys not bother with antivirus or are they super important in workplaces and personal devices ontop of these other tools and resources?

One thing I’ve noticed is my AV doesn’t flag any malware during the extraction process. However, if I zip a final extraction/report with malware in it, my AV screams at me.

dcs453

One thing I’ve noticed is my AV doesn’t flag any malware during the extraction process. However, if I zip a final extraction/report with malware in it, my AV screams at me.

Yeah, that sucks. I've tried using Capev2 and Cuckoo sandboxes with limited success. Still takes a bit to setup right to have malware running on windows 7. Wish it was a bit easier to turn off security on windows, but then it'd be easier for malware too.

@Cellebrite morning - I was wondering why some of our workstations have blank 'New Computer ID's' in the licensing section of UFED PA, but not all of them. Is there a fix? Thanks in advance

Can I ask anyone here a question about a DFIR job posting. I really want to build my skills up to selling myself in interviews but I don’t know what kind of entry level jobs to go for (edited)

Raines

Can I ask anyone here a question about a DFIR job posting. I really want to build my skills up to selling myself in interviews but I don’t know what kind of entry level jobs to go for (edited)

#training-education-employment

SANS Difference Makers Awards voting is now open. Please vote for me in Open Source Tool Creator of the Year! https://survey.sans.org/jfe/form/SV_eXuwVrkCVdeoKMu

SANS Difference Makers 2022 - community vote

Make your selection for the winner in each of 11 categories!

1

Don't forget about the Hitchhikers Guide to DFIR

4

1

Fierry

Don't forget about the Hitchhikers Guide to DFIR

Got my vote.

1

Can anyone recommend a program to pull text msg/iMessages off iPhones for an IT networking area for HR or ER type of investigation ? They are trying to avoid using us which is fine with me

any @Magnet Forensics sales can chat? i want to understand Magnet Review

DCSO

Can anyone recommend a program to pull text msg/iMessages off iPhones for an IT networking area for HR or ER type of investigation ? They are trying to avoid using us which is fine with me

Itunes backup then examine the backup with 3utools and there is messages section which can be exported to PDF

1

10:24 AM

https://www.3u.com/news/articles/5378/how-to-search-message-in-3utools-backup-viewer

How to Search Message in 3uTools Backup Viewer?

3uTools V 2.19 has been released for several days, have you experience the latest update? This tutorial will show you how to quickly search a message in 3uTools backup viewer.

@Magnet Forensics or anyone that knows... Which command line arguments I can use with the axiom installer? (v671) Also the same for @Griffeye installer? Can't find the documentation

(edited)

Speaking of @Magnet Forensics, any chance someone can help a brother get a trial license? Not working currently and looking to do some self education.

RX

any @Magnet Forensics sales can chat? i want to understand Magnet Review

hey @RX - Has anyone reached out to you? If not, I can get someone to touch-base with you

Dsplice, glad you asked for a trial license. I have found myself in the same position now that I am retired, but participating in the CTF’s from Magnet and Cellebrite is a great and free way to grab a license for a limited time I am a also coach for IACIS so we received licenses for Belkasoft, FEX and OSTriage this year so if you are a CFCE being a coach is another way to grab a few licenses and really help a brother or sister out by volunteering.

sean4597

Dsplice, glad you asked for a trial license. I have found myself in the same position now that I am retired, but participating in the CTF’s from Magnet and Cellebrite is a great and free way to grab a license for a limited time I am a also coach for IACIS so we received licenses for Belkasoft, FEX and OSTriage this year so if you are a CFCE being a coach is another way to grab a few licenses and really help a brother or sister out by volunteering.

I will look into that. Unfortunately I am not a CFCE, but likely should look into it as well!

Hi, maybe someone here can help me. Does anyone know what data can be asked at Facebook / Google considering search query or profile views? Is that even a possible? I'm doing this with a warrant.

Walter_Ego

is there a way to write out an ecryptfs volume as a block image? i have opened one using ecryptfs-recover-private and have it mounted but it doesn't appear to have a block device i can slurp with dd or similar

Hi, I had the same situation. I mounted .Private folder. In order to use Xways, I created an empty .IMG file with dd and I copied the contents of .Private folder in the .IMG file in order to import it in Xways. (edited)

1

cheers mate

I was wondering if anyone might know of a website or source that I could find detailed pictures of different models of cars and specifically changes between model years without searching for each model individually? Lately I find myself doing a lot of vehicle identification work with pretty shoddy security cam footage. A page where I could compare a few different models say headlight shape at a time would be immensely helpful.

gizmobeans

I was wondering if anyone might know of a website or source that I could find detailed pictures of different models of cars and specifically changes between model years without searching for each model individually? Lately I find myself doing a lot of vehicle identification work with pretty shoddy security cam footage. A page where I could compare a few different models say headlight shape at a time would be immensely helpful.

I typically use www.edmunds.com after i have an idea of the vehicle make, and I've also had good luck using google lens or simular to get a model/type

gizmobeans

I was wondering if anyone might know of a website or source that I could find detailed pictures of different models of cars and specifically changes between model years without searching for each model individually? Lately I find myself doing a lot of vehicle identification work with pretty shoddy security cam footage. A page where I could compare a few different models say headlight shape at a time would be immensely helpful.

The FBI has a resource called DAIS (Digital Automotive Image System) that you can get as law enforcement. That might be what you're looking for.

melissa_at_amped

The FBI has a resource called DAIS (Digital Automotive Image System) that you can get as law enforcement. That might be what you're looking for.

@DCSO I've been using Edmonds for a lot but I was hoping for something a little more streamlined. I hadn't thought of using Lens though, I'll see if that gets me anywhere. Thanks!

melissa_at_amped

The FBI has a resource called DAIS (Digital Automotive Image System) that you can get as law enforcement. That might be what you're looking for.

That sounds perfect, thank you!

1

is anyone aware of software that can monitor/record all of the various USB dongle licenses that are being actively used within an office?

i think its just possible through a kind of dongle share like virtualhere. (maybe i am wrong)

2

Utn manager

Gorp

is anyone aware of software that can monitor/record all of the various USB dongle licenses that are being actively used within an office?

I’d probably use https://github.com/snovvcrash/usbrip or modify it for my use case with regards to a specific file.

GitHub - snovvcrash/usbrip: Tracking history of USB events on GNU/L...

Tracking history of USB events on GNU/Linux. Contribute to snovvcrash/usbrip development by creating an account on GitHub.

Any interest in a adding a channel for blockchain forensics?

Gorp

is anyone aware of software that can monitor/record all of the various USB dongle licenses that are being actively used within an office?

Most people seem to use Virutalhere server software, you can use a raspberry pie etc to do it. Search "dongle server" on here and you will see a lot of talk about it.

1

Dave

Any interest in a adding a channel for blockchain forensics?

Probably #darknet-virtual-currencies

https://sif.org.uk/ - as UK going through tough times (interest rates increasing etc) anyone working in security is protected by FIS (never head of, until now xD) and is automatically discounted for food, clothing, gym and legal coverage, monthly subscription is involved. Thought I'd share as it maybe useful to others. (edited)

richard

Home

1

Anyone at dfw bsides today?

@Magnet Forensics - im creating my second portable case file and it has run for over 24 hours. The first one I ran contained larger evidence and more records. I see tmp files are still being created and still running. Is this normal to take over 24 hours or longer ?

8:41 AM

one of the evidence is a mac, might this be a cause ?

Jay528

@Magnet Forensics - im creating my second portable case file and it has run for over 24 hours. The first one I ran contained larger evidence and more records. I see tmp files are still being created and still running. Is this normal to take over 24 hours or longer ?

Not Magnet, but how big is the extraction and what type of PC are you running it on ?

750 gb mac and 500 gb windows

10:46 AM

The first was 3 windows

Original message was deleted or could not be loaded.

#challenges-and-ctfs

Oh snap, sorry! moving it it now. Thank you!

Jay528

@Magnet Forensics - im creating my second portable case file and it has run for over 24 hours. The first one I ran contained larger evidence and more records. I see tmp files are still being created and still running. Is this normal to take over 24 hours or longer ?

Evidence source really shouldn't have much impact since the evidence files aren't aren't included in the portable case . Can I DM you for some specifics and we'll see if we can figure it out? Definitely shouldn't be taking that long!

yes, thanks

chriscone_ar

Evidence source really shouldn't have much impact since the evidence files aren't aren't included in the portable case . Can I DM you for some specifics and we'll see if we can figure it out? Definitely shouldn't be taking that long!

Since few months some portablecases take several hours to create and are a little bit huge (I had a 300gb portableCase for a 500gb drive)

AnTaL

Since few months some portablecases take several hours to create and are a little bit huge (I had a 300gb portableCase for a 500gb drive)

Hi @AnTaL - I thought you were busy fighting with password protected Word documents

I'd be interested if you could share what the content of the portable cases were that are taking longer to complete. Just an example - if they mostly consist of media items that could make for a rather large portable case compared to a portable case consisting of other more text-based items, like operating system artifacts. If you see a pattern similar to that example, we may be at the mercy of copying 300gb of data to whatever location you are creating the portable case - drive type and case data location plays a role here. However, if you're seeing portable cases of all types taking several hours to complete - even when they aren't chock-full of media items, then something else may be at issue and we need to loop support in and get it looked at.

I have so much fights @chriscone_ar (edited)

1

10:09 AM

Indeed that's what I suspected, often linked to huge amount of medias. Anyway I had a doubt when you said "evidence files are not included" in the PortableCase

AnTaL

Indeed that's what I suspected, often linked to huge amount of medias. Anyway I had a doubt when you said "evidence files are not included" in the PortableCase

Ah - let me clarify what I was thinking instead of what I typed. The evidence containers (E01, DD, etc.) are not included in the portable case. Those media items are included, as you've found. Sorry for the confusion, totally my fault!

No worry, understood, it was clear after your reply about medias

1

@Magnet Forensics does AXIOM support a sparsefile as a disk image? I imaged a mac using SUMURI's and it ended up creating a sparsefile.

Any interest in a Melbourne (Australia) DF community night? We are going to start a monthly community night in Feb 2023. If you are interested in joining, or even better speaking, please send me a DM! Cheers, Dave (CDFS)

anyone know of a write blocker for a NVME 2230 ssd ?

7:18 AM

Jay528

Click to see attachment 🖼️

depends what your budget is but Deepspar miight be compatible. Guardonix/USB-Stabiliser range

thank you

yw. the main device is the blocker, then it's just the set of adapters (or buy your own)

might be out of budget

yeh, they aren't a cheap co, but the gear is good. otherwise check a DR co and se eif they'll image for you?

The SSD will connect to write blocker I have but it isnt held down securely

7:26 AM

I wasnt sure if there was a company who already made the 2230 ssd w/b

dude, engineer it

blue tac

sounds like you have some free time and I can be your marketing agent

hehe

7:28 AM

most gear started of as some sort of kludge, then got refined. if it's just the length, do you not just need an adapter?

7:29 AM

and the Guardonix/Stabiliser - you could likely get your money back in a couple of recoveries if you are friends with any tech shops over there

I am looking for adapter if it exists

7:37 AM

this one doesnt fit the 30 mm (edited)

Jay528

this one doesnt fit the 30 mm (edited)

For most M.2 SSDs I have had to use a USB to M.2 SSD adaptor and then attach it to a write-blocked USB port.

1

7:46 AM

NVME https://smile.amazon.com/gp/product/B07MNFH1PX/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1

SSK Aluminum M.2 NVME SSD Enclosure Adapter, USB 3.1 Gen 2 (10 Gbps...

SSK Aluminum M.2 NVME SSD Enclosure Adapter, USB 3.1 Gen 2 (10 Gbps) to NVME PCI-E M-Key Solid State Drive External Enclosure (Fits only NVMe PCIe 2242/2260/2280)

7:46 AM

SATA https://smile.amazon.com/gp/product/B076DCNZM3/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1

M.2 SATA SSD to USB 3.0 External SSD Reader Converter Adapter Enclo...

M.2 SATA SSD to USB 3.0 External SSD Reader Converter Adapter Enclosure with UASP, Support NGFF M.2 2280 2260 2242 2230 SSD with Key B/Key B+M

7:48 AM

My TX1 has issues reading M.2 SSDs and that has been the best solution. You should be able to use other adapters, those are just the ones I bought.

thank you

FullTang

My TX1 has issues reading M.2 SSDs and that has been the best solution. You should be able to use other adapters, those are just the ones I bought.

I dont know if this is something you have considered, but my experience using the m.2 adapter for the TX1 requires booting the TX1 after it is plugged in (cant hot swap). Otherwise a normal USB m.2 adapter has shown to be hot swappable.

1

Carcino

I dont know if this is something you have considered, but my experience using the m.2 adapter for the TX1 requires booting the TX1 after it is plugged in (cant hot swap). Otherwise a normal USB m.2 adapter has shown to be hot swappable.

Thanks for the tip. Even when connecting some M.2 SSDs to the TX1 while the TX1 is turned off, then powering on the TX1, it still fails to detect some M.2 SSDs. Anything that the TX1 fails to detect with its adaptors so far has been detected with those two M.2 adaptors I listed on the write-blocked USB on the TX1.

FullTang

Thanks for the tip. Even when connecting some M.2 SSDs to the TX1 while the TX1 is turned off, then powering on the TX1, it still fails to detect some M.2 SSDs. Anything that the TX1 fails to detect with its adaptors so far has been detected with those two M.2 adaptors I listed on the write-blocked USB on the TX1.

Thats good to know, I will make a note of that. Do you happen to know if there is any commonality between the ones which the TX1 could not read?

Carcino

Thats good to know, I will make a note of that. Do you happen to know if there is any commonality between the ones which the TX1 could not read?

Great question. I have not kept track of the specs of each hard drive to try and find out why the TX1 won't read them. I think most of my issues have been with SATA M.2 SSDs, NVME tends to work on the TX1.

1

Jay528

Click to see attachment 🖼️

I’ve used this before with either some kapton tape or a (not too heavy duty) rubber band around it to hold it down

rojo

I’ve used this before with either some kapton tape or a (not too heavy duty) rubber band around it to hold it down

i did the same as a bootable distro didnt work

1

anyone with contacts to gmail? Got a threat actor doing MX-only abuse.

conf1ck3r

anyone with contacts to gmail? Got a threat actor doing MX-only abuse.

I’ve got a contact, unless it’s a large amount might be awhile before it’s addressed but I’ll send details either way (edited)

tklane

I’ve got a contact, unless it’s a large amount might be awhile before it’s addressed but I’ll send details either way (edited)

Much appreciated thanks! It’s thousands of domains at the moment.

conf1ck3r

Much appreciated thanks! It’s thousands of domains at the moment.

DM me the deets and I can forward on

@Law Enforcement [UK] What does everyone use to store/charge devices in PIN decryption? We currently have ours spread out on a counter top in trays and I'm looking into more practical space-saving solutions. My initial thought was a 'charging trolley' like they have in schools. I'd be interested in any suggestions. Cheers!

Rich Mahogany

@Law Enforcement [UK] What does everyone use to store/charge devices in PIN decryption? We currently have ours spread out on a counter top in trays and I'm looking into more practical space-saving solutions. My initial thought was a 'charging trolley' like they have in schools. I'd be interested in any suggestions. Cheers!

Locker cabinets with chargers inside (https://www.manutan.co.uk/en/key/blue-portable-charging-locker-mobile-laptops-10-cabinets-probe-a623771?shopping=true&gclid=EAIaIQobChMIg5yJk-Kg-wIVD5ntCh1XrQP6EAQYAiABEgLT3PD_BwE) (edited)

Laptop Charging Locker | Blue 10 Door | Manutan UK

Laptop charging lockers by Probe. Perfect for schools. Portable and anti-bacterial Free delivery from Manutan UK.

Rich Mahogany

@Law Enforcement [UK] What does everyone use to store/charge devices in PIN decryption? We currently have ours spread out on a counter top in trays and I'm looking into more practical space-saving solutions. My initial thought was a 'charging trolley' like they have in schools. I'd be interested in any suggestions. Cheers!

We use these

1

blake-ee

We use these

Same here

Something like this with cables running into the back and a laminated label on the front to write in dry wipe marker. Not sure how ISO17025 friendly that is though.

1:20 AM

Charging cables were just off the shelf cables with multi usb chargers.

1:20 AM

You can stack them on top of each other if you get the right brand.

2

Nice one. Thanks for the getting back everyone. I’ll put forward some different options management and see what they prefer

1:31 AM

Shouldn’t see any issues with ISO as long as everything is labelled correctly and within our secure lab

blake-ee

We use these

We had these and it was deemed a risk to batteries/fire issue. Moving to cabinet. Taking a while to be delivered.

blake-ee

We use these

We had these is previous job. ISO people were fine with it.

We had a steel cabinet affixed to the wall.

3:06 AM

https://www.manutan.co.uk/en/key/charging-lockers-clear-cabinet-doors-antibacterial-coating-probe-a623686?shopping=true&gclid=CjwKCAiAvK2bBhB8EiwAZUbP1OCkduOSWW503Aw6BLnfQmZIUbqhwmOwJLhv4_MhiyZraUn6nnhmgxoCO7UQAvD_BwE

Media Charging Locker | USB & 3-pin Plug | 10 Or 15 Clear Doors

Probe media charging personal effect lockers from Manutan UK. USB port and 3-pin plug inside all cabinets. 10 or 15 vision doors. Free delivery.

3:06 AM

Something like this

Rich Mahogany

@Law Enforcement [UK] What does everyone use to store/charge devices in PIN decryption? We currently have ours spread out on a counter top in trays and I'm looking into more practical space-saving solutions. My initial thought was a 'charging trolley' like they have in schools. I'd be interested in any suggestions. Cheers!

90 locker cabinets with usb hub power cables to all running from 3 UPS. 10 of the cabinets have usb c and micro USB connectors for the phones that are using the tool that cannot be mentioned (Trevor). Cabinets like @Corey and @Steve2609 have already screenshot. Had the cabinets running for about 3 years with no issue. The cabinets are just big enough for the average iPad. (edited)

1

Does anyone have any idea if we can remove an evidence from the Nuix processed case? @Nuix

Can anyone confirm that chat capture in 4PC does not work on the newer iOS versions? I don't have a newer iphone available to test. @Cellebrite (edited)

Does anyone knows if Samsung high end devices support 2 eSIM active at the same time ?

WyzMan

Can anyone confirm that chat capture in 4PC does not work on the newer iOS versions? I don't have a newer iphone available to test. @Cellebrite (edited)

I havent tried chat capture but screen capture did not work with iOS 16

Jay528

I havent tried chat capture but screen capture did not work with iOS 16

Thanks Jay.

WyzMan

Can anyone confirm that chat capture in 4PC does not work on the newer iOS versions? I don't have a newer iphone available to test. @Cellebrite (edited)

Let me check into this.. ill get back to you

Morning all, I've been tasked with setting up Electro Static Discharge protection within our imaging lab. Looking for any company recommendations that produce high quality Anti static equipment at good prices. I'm UK based. Also what hardware are you guys currently using in your work place? I'm leaning towards anti static mats, wrist straps, but if there's something you feel is a high recommendation please do say. Are gloves overkill? Thanks in advance.

MrMacca (Allan Mc)

Morning all, I've been tasked with setting up Electro Static Discharge protection within our imaging lab. Looking for any company recommendations that produce high quality Anti static equipment at good prices. I'm UK based. Also what hardware are you guys currently using in your work place? I'm leaning towards anti static mats, wrist straps, but if there's something you feel is a high recommendation please do say. Are gloves overkill? Thanks in advance.

i'd add some sort of Ed/Training to that list. much like security, ESD protection is as much mindset as a (set of) products. Gearwise, my last pro lab was milspec and all about ESD. flooring, heelstraps, lab coat, wrist straps, full ESD bench (know the difference between conductive and dissipative) and also wall mounted test station and a daily/per-shift sign in sheet. any and all gear on those benches had to be ESD considered too.

3:41 AM

I proudly made the biggest contribution to ESD safety in our place. i got a hair cut. QA measured 3.5kv on me head prior, big hair kinda thing. think Bryan May but blown dry.

2

Well since having a daughter and working in forensics...ive lost my hair

5

might as well embarrass meself here as in public

(edited)

4

3:47 AM

2

3:48 AM

got s spot of cash for a local charity too, so all good

If it’s for charity it’s worth it

yeh, it was for me, but there's no sense wasting an opportunity. StMartins kids hospice/Respite was a favourite as a work colleague had a kid in there

3:51 AM

only wish I'd have considered contacting them first, they might have raised thosuands more (you've seen the things on TV etc)

3:52 AM

aaaaaaaaaaaanyway. ESD

In the 1st picture I thought a sloth was sat on your head....

hdehe, pretty much

WyzMan

Can anyone confirm that chat capture in 4PC does not work on the newer iOS versions? I don't have a newer iphone available to test. @Cellebrite (edited)

So i missed the iOS part. Chat Capture is for Android, screenshot method has a bug in it for iOS 16, but is getting fixed in upcoming release of 7.60 (edited)

CLB-Paul

Let me check into this.. ill get back to you

Thank you sir.

CLB-Paul

So i missed the iOS part. Chat Capture is for Android, screenshot method has a bug in it for iOS 16, but is getting fixed in upcoming release of 7.60 (edited)

Roger that. The CANSOF guys I am sitting next to say hello.

Solid group of guys.. and long over due for a

1

anyone know where I can get some practice E01’s?

CasaJaguar

anyone know where I can get some practice E01’s?

https://digitalcorpora.org/corpora/disk-images/ and https://cfreds.nist.gov/ are good resources

Simson Garfinkel

Disk Images

@Cellebrite hello I'm having a problem doing an extraction on an Samsung SM-S367VL. I'm getting malfunction 54 error. What does this error mean?

CasaJaguar

anyone know where I can get some practice E01’s?

A bunch of links on my page under Test/CTF Images https://startme.stark4n6.com/

Forensics - start.me

A startpage with online resources about Forensics, created by Stark 4N6.

2

mitchlang

@Cellebrite hello I'm having a problem doing an extraction on an Samsung SM-S367VL. I'm getting malfunction 54 error. What does this error mean?

#mobile-forensic-extractions

1

@stark4n6 , I noticed a link that was not working on the page. Just wondering if you would like it reported (in what manner if yes, is most convenient)?

dsplice

@stark4n6 , I noticed a link that was not working on the page. Just wondering if you would like it reported (in what manner if yes, is most convenient)?

What one is broken?

stark4n6

What one is broken?

https://defcon2019.ctfd.io/

dsplice

https://defcon2019.ctfd.io/

Will take a look, most likely the site finally expired

stark4n6

Will take a look, most likely the site finally expired

No worries!

dsplice

No worries!

thanks for the heads up

stark4n6

thanks for the heads up

Thanks for all the information!

1

@Cellebrite I was curious since I called multiple times what days you guys are open. I left 2 messages today

ChadlyThicc

@Cellebrite I was curious since I called multiple times what days you guys are open. I left 2 messages today

Our support lines are not avail via phone one weekend. Via email but not phone

10:25 AM

Who are you trying to reach support or sales ?

Sales team for my free trial

ChadlyThicc

Sales team for my free trial

If you don’t get answer by next week send me a Dm and I can send it along.

Really sorry kids usage

When I erase my phone and click start from backup will it show the backups I manually did

8:45 AM

Like I clicked the backup now button on the iCloud or will it just still be the most recent one

8:45 AM

Because I don’t want to accidentally erase my phone

Would be the latest backup , unless you did full backups on a desktop

Because this one video I looked up the guys phone looked like this

10:08 AM

10:09 AM

I’m looking at the latest iPhone backups how there’s 3

Pick one

1

Oh this isn’t my phone this is the example the guy used lol

1

1.what is the best tool to recover recent deleted call logs and messages of whatsapp and whatsapp bussiness from mobile, either logical or physical extraction? (if physical not supported then) android and why official WA bussiness app not supported in logical and FFS? (edited)

Hi all, we have a few spare hi spec PC’s that we are going to use for experiments but we aren’t sure what to use them for. Anyone have any suggestions? They don’t have any hi spec graphics just 1050ti’s and 8th GEN (I believe) Intel extreme CPU’s

obi95

Hi all, we have a few spare hi spec PC’s that we are going to use for experiments but we aren’t sure what to use them for. Anyone have any suggestions? They don’t have any hi spec graphics just 1050ti’s and 8th GEN (I believe) Intel extreme CPU’s

What about turning them into sandbox VMs you can use for testing unseen software? You can use that to identify relevant DF artefacts

12:16 PM

Granted it is a bit of a waste of 1050Tis

obi95

Hi all, we have a few spare hi spec PC’s that we are going to use for experiments but we aren’t sure what to use them for. Anyone have any suggestions? They don’t have any hi spec graphics just 1050ti’s and 8th GEN (I believe) Intel extreme CPU’s

Esxi boxes.

I erased all contacts because I though my manually backup was still there

4:12 PM

It wasn’t

4:12 PM

Would the NAND be fully erased

For the SIs and hardware nuts here, my main rig(5950x) has a fried mobo, and I’m looking at jumping to either the 7950x or a 13900k, leaning towards the former… anyone have real world insight on what might be better for forensic processing?

ChadlyThicc

Would the NAND be fully erased

The storage is encrypted, once the erase is completed the key to read the data is erased and the content not recoverable , iirc

Turb0Yoda

For the SIs and hardware nuts here, my main rig(5950x) has a fried mobo, and I’m looking at jumping to either the 7950x or a 13900k, leaning towards the former… anyone have real world insight on what might be better for forensic processing?

13900k

ryd3v

13900k

Any specific reason?

The intel chip is faster according to all the recent benchmarks

10:48 PM

Really boils down to your budget. If money isn’t a concern I’d go with the best mobo you could get for the intel chip.

10:49 PM

The AMD looks great but Intel is always king.

My understanding was that they trade blows

10:49 PM

I’m also not entirely fond of the P/E cores

10:49 PM

Yeah Intel is not always king lol

Well the Intel has the higher clock and top max GHz so, in regards to processing power at the end of the day a higher GHz is going to perform better

No

10:50 PM

The right measurement is IPC there

10:50 PM

Not clock speed

Ok lol

If 1 CPU had 5 IPC at 3 GHz, and another 10 IPC at 2Ghz, that slower CPU will still get more work done

Depends if your application is using multi threading

True

10:52 PM

Even then, with intel using a mix of core types, that’s my main reason why I ask

So in a real world scenario and based on all the tests and comparisons so far of both chips the intel has been the best

Specific to forensic tasking or in general

In general, which forensics tasks would be more towards the tasks that have been tested.

10:53 PM

Just my opinion , if it was me, I’d probably go for the intel Chip.

10:54 PM

The intel chips seem to have better motherboard options and performance as well. Also

10:55 PM

The intel chips have a higher ram speed so in forensics scenario higher cpu and ram speed would definitely be a major factor.

10:55 PM

https://www.tomshardware.com/reviews/intel-core-i9-13900k-i5-13600k-cpu-review/3

Intel Core i9-13900K and Core i5-13600K Review: Raptor Lake Beats R...

The Raptors are out of the cage!

Tbh with DDR5 and PCIe 5.0, they all seem hilariously overkill, mobo choice isn’t a concern, it’ll be an ASRock Taichi all day either way

10:56 PM

I’m mostly hoping this mobo limps along until the 3D v-cache stuff in January

10:56 PM

I made a mistake ditching my Taichi for asus

Yeah guess it personal preference, I don’t particularly like asrock myself.

10:56 PM

I tend to stick with Asus or gigabyte

10:57 PM

Also like MSI depending on the budget

10:57 PM

I’d probably go with a workstation board. By Asus tbh

I’ve had 10 years of bad experiences with asus

10:58 PM

Current mobo is a proart and bios is unstable and has uhh

10:58 PM

The visual lines… I’m blanking out

10:58 PM

Like screen tear and glitching…

10:59 PM

Last job also had all the asus mobos onboard raid card die

That could be many things.

10:59 PM

Gigabyte is solid. Never had one bad gigabyte board.

It could, but swapping GPU, putting in a 5900x instead of my 5950, and a fresh kit of RAM did nothing

10:59 PM

Neither did a bios flash or reset

Have had a lot of bad experiences with asrock, even when customers request them, I try to talk them out if it

So RMA it is, paid for the warranty at microcenter (edited)

Turb0Yoda

It could, but swapping GPU, putting in a 5900x instead of my 5950, and a fresh kit of RAM did nothing

Could be power delivery, bad hdmi cable etc. not necessarily the mobo (edited)

The three Taichi boards I had had 0 issues and are still running

11:00 PM

Not the cables either

11:01 PM

Persisted with both the Sf750 and the 1kw silverstone it has now

11:01 PM

Not much else to blame

Hard to say, I don’t know your specific setup and would be hard to diagnose over discord but could also be a faulty board. Not all Asus boards are top notch. Did you try a bios update?

Turb0Yoda

Neither did a bios flash or reset

Yep

11:01 PM

Like I said, had issues with asus since x58

Yeah I’ve had a few bad Asus boards in the past. Depends if all the components are actually supported by the board itself

I just avoid their products if I can

I’m the same with asrock

I’m the opposite

Had a few since the 90’ never bought another since

11:02 PM

I also don’t particularly like the asrock company

Was that when they were still apart of asus?

But I do like Asus and gigabyte

Meh, arguments can be made that MSI is worse id imagine

Oh yeah have had a few bad MSI as well

11:04 PM

Honestly never had 1 bad gigabyte board yet

They’re… 60/40 good/bad for me iirc

I think the world record for GHz was with the gigabyte intel combo

I haven’t personally had a gigabyte mobo since… core 2 duo?

Oh really wow

11:05 PM

Yeah they are great

C2D or the first gen intel

11:05 PM

I’ve done builds with them with way more recent stuff

11:05 PM

10th/12Th gen intel

11:05 PM

Mixed bag

yeah lots of factors

11:06 PM

depends on the build, for me, customization bios, and easy fan control, with water cooling support. Japanese caps, and dual bios roms

11:07 PM

also price, of course, what you get spec wise for what you're paying and general availability

Yeah

11:07 PM

Would be surprised if you find anything less than NCC/Rubycon on high end mobos… they tend to cheap out on PSUs

11:07 PM

Teapo caps everywhere

Intel Core i9-13900K Blasts Off to 8.8GHz ~~ https://www.tomshardware.com/news/i9-13900k-world-record-overclock

Intel Core i9-13900K Blasts Off to 8.8GHz, Breaking World Record

Raptor Lake finally dethrones AMD FX!

11:08 PM

not that it's a flex, there is still chip lottery but

lol

https://hwbot.org/submission/5102721_elmor_cpu_frequency_core_i9_13900k_8812.85_mhz

elmor`s CPU Frequency score: 8812.85 MHz with a Core i9 13900K (8P)

The Core i9 13900K (8P) @ 8812.8MHzscores getScoreFormatted in the CPU Frequency benchmark. elmorranks #1 worldwide and #1 in the hardware class. Find out more at HWBOT.

11:09 PM

Asus INtel combo

11:10 PM

obviously you won't run nitro in your forensics lab, but still lol

11:10 PM

just the fact these clocks are possible is mind blowing

11:11 PM

asrock can suck it lmao

11:11 PM

11:15 PM

here his specs, impressive

11:15 PM

https://valid.x86.fr/k3dwcu

Intel Core i9 13900K @ 8812.85 MHz - CPU-Z VALIDATOR

[k3dwcu] Validated Dump by elmor (2022-10-14 07:15:16) - MB: Asus ROG MAXIMUS Z790 APEX - RAM: 32768 MB

Good morning. Does anyone know of an Android system log that tracks sim card insertion and removal?

5:47 AM

I've read that simcard.dat will track it if it is found on the device, but is not always present.

@Cellebrite question re PA 7.57. Is there a way to sort images in thumbnail view based on filepath? (edited)

@P4perTrails yes. when your in images tab, switch to file view. Highlight just the file path you want. go back to thumbnail view and select just the selected. I can send you some screen shots in a few if your having problems.

Ghosted

@P4perTrails yes. when your in images tab, switch to file view. Highlight just the file path you want. go back to thumbnail view and select just the selected. I can send you some screen shots in a few if your having problems.

I'd appreciate a screenshot if you can... As I've tried something similar like that and it didn't seem to do anything.

@P4perTrails ok will DM you a few. Loading an extraction now. when done I will send. (edited)

Thank you for accepting me here

digital forensic examiner from Philippines

Welcome

2

𝗖𝗮𝗶𝘁 | 𝗣𝗵𝗶𝗹𝗶𝗽𝗽𝗶𝗻𝗲𝘀 👮🏻

Thank you for accepting me here

digital forensic examiner from Philippines

Welcome

1

@𝗖𝗮𝗶𝘁 | 𝗣𝗵𝗶𝗹𝗶𝗽𝗽𝗶𝗻𝗲𝘀 👮🏻 yw mate

1

@Law Enforcement [USA] what solution are you using for digital evidence storage, that covers both localized data redundancy and disaster recovery (e.g., ransomware, etc)? My lab size is 2-3 people, but we have a sizeable grant we can tap into for proper and secure storage.

I am just running a small LAN (NAS) synology

1

Drobo

1:48 PM

with no remote connection capabilities on any computers that are attached to the LAN

I also have a small NAS Synology connected to my forensic LAN. I tend to keep it physically unplugged from the network/offline when not in use just to be extra safe.

AugustBurnsBlue

@Law Enforcement [USA] what solution are you using for digital evidence storage, that covers both localized data redundancy and disaster recovery (e.g., ransomware, etc)? My lab size is 2-3 people, but we have a sizeable grant we can tap into for proper and secure storage.

We've got a petabyte SAN of some sort and I don't know much about it other than it's expensive. It is also airgapped, like others have said here.

AugustBurnsBlue

@Law Enforcement [USA] what solution are you using for digital evidence storage, that covers both localized data redundancy and disaster recovery (e.g., ransomware, etc)? My lab size is 2-3 people, but we have a sizeable grant we can tap into for proper and secure storage.

You might look into Evidence.com. I have heard rumors that they have cloud storage available and might integrate well if your agency uses Axon body cameras.

1

Anyone can tell me more about the map: com.facebook.Facebook.MosaicGImageDiskCache

Mako

Anyone can tell me more about the map: com.facebook.Facebook.MosaicGImageDiskCache

#mobile-forensic-decoding maybe?

1

Anyone familiar with google logs ? Under activities - a list of google services accessed by, Product Name "Account Central". Anyone know what Account Central is ?

Hi, anyone knows if It's able to modified a sent mail or fake It in Yahoo email count if you acquire the emails from the server?

i was not able to find a channel for this but is there a list of recommended vms for FOR I am mainly looking for a windows vm not linux for windows forensics

10:08 AM

and i have only found flares malware FOR

A Windows VM will most likely be difficult to find due to Windows license fees

Fierry

Did you check the MFT Journal?

@Andrew Rathbun Hi guys, I am back digging in deeper on this case. This screenshot has to do with some of the files the user is believed to have exfiltrated. This is output in TLE for LECmd.

short recap?

1

If you want to solve the case, you have to use Dark Mode

3

Fierry

short recap?

:), I am investigating a user who recently left a very high profile company and position and went to a competitor. This individual indeed copied a large amount of proprietary documents off to a USB device that was a corporate approved device. No other USB's were allowed, per DLP, besides this Kingston DT2000. The user claims they never have owned or inserted such a USB. DLP clearly shows the user indeed inserted this USB on the last two days of employment and copied the files over. The local machine image I obtained, unfortunately, did not show these files copied out to the Kingston USB, but I have evidence this USB was inserted. This user was very technically savvy, so we believe he used ccleaner, timestomping, or some other means to cover his tracks. We know, on the surface, he deleted all the files in documents, desktop, downloads and such, uninstalled OneDrive. What the company is asking me is if I can determine exactly what was executed to obfuscate the files copied out from the local machine perspective, vs. what is shown in DLP. So, I have grabbed KAPE, I am actually taking the December 8th class to understand more. My day-to-day application is Belkasoft, but it did not reveal what I needed to present to the corporate investigators.

1

CyberTend

:), I am investigating a user who recently left a very high profile company and position and went to a competitor. This individual indeed copied a large amount of proprietary documents off to a USB device that was a corporate approved device. No other USB's were allowed, per DLP, besides this Kingston DT2000. The user claims they never have owned or inserted such a USB. DLP clearly shows the user indeed inserted this USB on the last two days of employment and copied the files over. The local machine image I obtained, unfortunately, did not show these files copied out to the Kingston USB, but I have evidence this USB was inserted. This user was very technically savvy, so we believe he used ccleaner, timestomping, or some other means to cover his tracks. We know, on the surface, he deleted all the files in documents, desktop, downloads and such, uninstalled OneDrive. What the company is asking me is if I can determine exactly what was executed to obfuscate the files copied out from the local machine perspective, vs. what is shown in DLP. So, I have grabbed KAPE, I am actually taking the December 8th class to understand more. My day-to-day application is Belkasoft, but it did not reveal what I needed to present to the corporate investigators.

Nice, I'll see you there as I'll be teaching the first part of KAPE

1

What filesystem was present on the USB drive?

12:47 PM

Also, kape is awesome

Andrew Rathbun

Nice, I'll see you there as I'll be teaching the first part of KAPE

awesome, this particular case prompted me to sign up for the class

Fierry

Also, kape is awesome

Yes sir, I am absolutely loving this application

Fierry

What filesystem was present on the USB drive?

Because if it uses NTFS you can use the MFT or carved MFT records to determine which files have been copied

12:50 PM

Additionally, have you looked at shellbags?

Fierry

What filesystem was present on the USB drive?

Looking to find where the FS would be listed for the Kingston.

Fierry

Additionally, have you looked at shellbags?

Yes, on shellbags load, shellbag explorer loaded but threw errors several errors...Error parsing shellbag, extension block count mismatch, Unmapped GUID. most loaded though. The above error messages had this in them: More extension block signatures were found in the ShellBag than have been processed! Please send the hive to saericzimmerman@gmail.com so support can be added

I know Eric is also on this server

I did indeed compress and send the hive

1

12:55 PM

The unmapped GUID relates to the Kingston

12:56 PM

COOL, yes the FS is indeed NTFS

12:57 PM

Do you know what the user has done with it previously in regards to potentially destructive actions?

Fierry

No this is what I am hunting for now actually. I need to figure out how he used any application that would require local administrator privilege's. This user did not have such, but, he could have got the local administrator password from someone...potentially.

Hmm

1:01 PM

The Security Log would be able to help you out there

Fierry

Hmm

Yes, I will look...now that I know the Kingston was NTFS, I should be able to carve that out of $MFT, or filter on it somewhow?

Fierry

The Security Log would be able to help you out there

Event ID 4648 will be able to tell you if RunAs has been used, 4672 will also be present if Administrator was used

CyberTend

Yes, I will look...now that I know the Kingston was NTFS, I should be able to carve that out of $MFT, or filter on it somewhow?

It should have its own MFT file

I did also just find out there was no restrictions for the user to run powershell scripts

along with its own journal, if the file activity is limited enough, it might contain traces of the file copy

Fierry

along with its own journal, if the file activity is limited enough, it might contain traces of the file copy

Ok, any idea where to look for that $MFT...KAPE parsed the image from the root for $MFT and $MFTMirr. I have those

CyberTend

I did also just find out there was no restrictions for the user to run powershell scripts

KAPE can also collect the $J file, this is what you're looking for if you're intending to use the journal

1:07 PM

and KAPE can also call MFTeCmd to parse it

Ok, yes I see that under ../$Extended from the KAPE extract

Ok, I have not parsed the $J, I will do that now

You've got this

1

1:09 PM

If the journal doesnt work out, refer back to the MFT, it might contain data runs which indicate a file copy

Fierry

You've got this

Thanks for the assist. I do see in MFT, and through reading the docs, the copy column checked for many of these files.

1:13 PM

@Andrew Rathbun Looking forward to the class. I am executing your PowerShell_MFTECmd_J-MFTParsing script as well :).

CyberTend

Thanks for the assist. I do see in MFT, and through reading the docs, the copy column checked for many of these files.

anytime

CyberTend

Yes, on shellbags load, shellbag explorer loaded but threw errors several errors...Error parsing shellbag, extension block count mismatch, Unmapped GUID. most loaded though. The above error messages had this in them: More extension block signatures were found in the ShellBag than have been processed! Please send the hive to saericzimmerman@gmail.com so support can be added

use SBECmd instead. Output to CSV. sbecmd.exe -d "path" --csv "outputpath"

CyberTend

I did also just find out there was no restrictions for the user to run powershell scripts

Check the consolehost_history.txt for that user. Also, PowerShell:400 events

1

Andrew Rathbun

use SBECmd instead. Output to CSV. sbecmd.exe -d "path" --csv "outputpath"

Will do, thanks

4104/4105 in powershell logging might also show malicious powershell

(edited)

CyberTend

@Andrew Rathbun Looking forward to the class. I am executing your PowerShell_MFTECmd_J-MFTParsing script as well :).

that plus !EZParser Module should serve you well

such a timesaver

1:18 PM

SANS/KAPE triage > EZParser

CyberTend

Thanks for the assist. I do see in MFT, and through reading the docs, the copy column checked for many of these files.

Just remember, that's just a simple logic check. If you filter on that checked, you'll likely see thousands of files but that doesn't mean they've been copied. It just means those files fit the logic commonly found with copied files. Same for the u Sec Zeroes column. Doesn't mean those were all timestomped

1

I believe there's a 13Cubed video

1:20 PM

https://www.youtube.com/watch?v=_qElVZJqlGY&t=5s

13Cubed

Introduction to MFTECmd - NTFS MFT and Journal Forensics

Fierry

https://www.youtube.com/watch?v=_qElVZJqlGY&t=5s

Thanks, yes I am a member on 13Cubed...I will pause and go watch this...thanks

@CyberTend Also check out $I30 files (Indx files). They sometimes have deleted file entries still in their slack space. https://github.com/harelsegev/INDXRipper

GitHub - harelsegev/INDXRipper: Carve file metadata from NTFS index...

Carve file metadata from NTFS index ($I30) attributes - GitHub - harelsegev/INDXRipper: Carve file metadata from NTFS index ($I30) attributes

1

dsplice

@CyberTend Also check out $I30 files (Indx files). They sometimes have deleted file entries still in their slack space. https://github.com/harelsegev/INDXRipper

Thanks, I will grab it. I probably should have added earlier for @Fierry and @Andrew Rathbun that I do not have the Kingston DT2000 USB. No one does evidently, not even the user who was clearly using it

CyberTend

Thanks, I will grab it. I probably should have added earlier for @Fierry and @Andrew Rathbun that I do not have the Kingston DT2000 USB. No one does evidently, not even the user who was clearly using it

Then likely you are interested in file knowledge (aka shellbags), file existence (usually MFT), and file deletion (usually journal/$I30

dsplice

Then likely you are interested in file knowledge (aka shellbags), file existence (usually MFT), and file deletion (usually journal/$I30

Thanks, much appreciated

Actually, probably a dumb question for anyone familiar with it here. But has anyone run MFTECmd against a mounted image? I managed to get the $MFT to work, but cannot get it to find the journal ($J)?

Nevermind, managed to find my own answer

dsplice

Nevermind, managed to find my own answer

Glad to hear it

CyberTend

:), I am investigating a user who recently left a very high profile company and position and went to a competitor. This individual indeed copied a large amount of proprietary documents off to a USB device that was a corporate approved device. No other USB's were allowed, per DLP, besides this Kingston DT2000. The user claims they never have owned or inserted such a USB. DLP clearly shows the user indeed inserted this USB on the last two days of employment and copied the files over. The local machine image I obtained, unfortunately, did not show these files copied out to the Kingston USB, but I have evidence this USB was inserted. This user was very technically savvy, so we believe he used ccleaner, timestomping, or some other means to cover his tracks. We know, on the surface, he deleted all the files in documents, desktop, downloads and such, uninstalled OneDrive. What the company is asking me is if I can determine exactly what was executed to obfuscate the files copied out from the local machine perspective, vs. what is shown in DLP. So, I have grabbed KAPE, I am actually taking the December 8th class to understand more. My day-to-day application is Belkasoft, but it did not reveal what I needed to present to the corporate investigators.

If the user initiated a drag 'n drop copy of folder(s) onto the USB drive, yet never accessed any such folders/data on the USB drive, there will not be much, if any, indication on the Windows system a copy occurred. Does the Windows Registry and other logs on the computer show the USB drive was inserted? Are any AV programs installed that may have scanned the USB destination as data was written to it? In regards to execution, look at Prefetch data and UserAssist keys.

ForensicDev

If the user initiated a drag 'n drop copy of folder(s) onto the USB drive, yet never accessed any such folders/data on the USB drive, there will not be much, if any, indication on the Windows system a copy occurred. Does the Windows Registry and other logs on the computer show the USB drive was inserted? Are any AV programs installed that may have scanned the USB destination as data was written to it? In regards to execution, look at Prefetch data and UserAssist keys.

On newer versions of windows 10 There should be a jumplist entry created. Should list the USB, and your Mac times should reflect the copy (modified before creation)

Any reccomendations on free security stacks for analysing event logs? I'm making a little DFIR lab and I'm thinking of using ELK at the moment but haven't been sold on one yet

Does anyone have experience with legal requests to Fitbit? Is there something to 'get'? If yes, what and does someone have contact-details? (edited)

CyberTend started a thread. 11/18/2022 6:48 AM

Original message was deleted or could not be loaded.

Depends... would need to see what kind of drive is it, does it use additional controllers.. might be good for #data-recovery

@Magnet Forensics is there anyone I can contact re: inquiring about suggesting an API for cloud licensing? There's gotta be a better way to monitor the licenses within an organization and maybe we're not aware of something that already exists, but just want to bark up the right tree. Can someone pass on an email or DM me? Happy to do things the "official" way so the decision makers can hear this feedback. Definitely something we're struggling with.

Andrew Rathbun

@Magnet Forensics is there anyone I can contact re: inquiring about suggesting an API for cloud licensing? There's gotta be a better way to monitor the licenses within an organization and maybe we're not aware of something that already exists, but just want to bark up the right tree. Can someone pass on an email or DM me? Happy to do things the "official" way so the decision makers can hear this feedback. Definitely something we're struggling with.

I can put you in touch with someone on the team - interested in your feedback on this, also!

chriscone_ar

I can put you in touch with someone on the team - interested in your feedback on this, also!

Please do. Thank you!

Andrew Rathbun

@Magnet Forensics is there anyone I can contact re: inquiring about suggesting an API for cloud licensing? There's gotta be a better way to monitor the licenses within an organization and maybe we're not aware of something that already exists, but just want to bark up the right tree. Can someone pass on an email or DM me? Happy to do things the "official" way so the decision makers can hear this feedback. Definitely something we're struggling with.

We can definitely get the info/suggestion to the right place.

8:13 AM

Dang @chriscone_ar always hitting the finish line first

Tim F

Dang @chriscone_ar always hitting the finish line first

It's that rural Arkansas fiber connection

You know it is a good community when the vendors fight with themselves to help you the fastest.

3

I live in “Gig city”, I shouldn’t be losing!

dsplice

You know it is a good community when the vendors fight with themselves to help you the fastest.

Maybe we're just in a rush to avoid a Microsoft Teams meeting

‍♂️

8

1

Hi all a question regarding Windows Event ID: 4672. I see these in windows event viewer and timeline explorer. This is the text: Special privileges assigned to new logon. Subject: Security ID: SYSTEM Account Name: SYSTEM Account Domain: NT-AUTORITÄT Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege I presume the Account Name: SYSTEM means a local Administrator account login was used?

9:56 AM

And/Or is this something like Linux su or sudo? There are a ton of these one right after the other with just seconds separating the events.

SYSTEM is the root level equivalent of Administrator

9:59 AM

It supersedes Administrator

10:00 AM

AV vendors for instance, can spawn system level services for scanning but it is also often used by adversaries

Fierry

SYSTEM is the root level equivalent of Administrator

Ah, ok..makes sense. The user logged in say at 8:32:52(4648), then all of these SYSTEM level logon's(4672 and 4624) scroll after that. I do see a weird one for 4624--Subject; Security ID: NULL SID, Logon Information Logon Type 3(network), New Logon Security ID: Anonymous logon, Account Name Anonymous-ANMELDUNG. Also another where Security ID: is system, type is 2(interactive), Account name DWM-1 The rest are type 5--System Services starting I do believe.

As well, I do see the user login trigger event ID: 4672, with elevated privilege of: Privileges: SeLoadDriverPrivilege

10:39 AM

HA, this user local language is German, the ANMELDUNG means LOGON in german

Does anyone have any intel on when and if we can expect the fourth edition of Incident Response and Computer Forensics - by Jason Luttgens and Matthew Pepe?

We are doing some research to understand and discover some habits as it pertains to mobile device. Quick questionnaire https://cellebrite.iad1.qualtrics.com/jfe/form/SV_2mB0tXId88j9Q8e

Qualtrics Survey | Qualtrics Experience Management

The most powerful, simple and trusted way to gather experience data. Start your journey to experience management and try a free account today.

1

Original message was deleted or could not be loaded.

I have a big issue with SIFT, cant manage to start it up normaly

3:27 PM

End up setting up my own Windows machine with Linux on WSL

What is the preferred method of opening .dd files on Windows?

You can try FTK Imager

https://twitter.com/directory_opus/status/1594492237697908738?t=J0mpMkarHRqa50IZ5i-m-A&s=19 It's on sale usually once a year and that time is now. Ping me with questions, if needed

GP Software (@directory_opus)

Back by popular demand... Black Friday 2022 Sale Is Now On! Use coupon code BF2022NOV for 40% off everything (new licences, upgrades, optional features) at the Directory Opus store. Valid until end of November. https://t.co/C2vLBikDBl

1

Any recommendations on a DFIR PC build?

equation

Any recommendations on a DFIR PC build?

https://github.com/Digital-Forensics-Discord-Server/FrequentlyAskedDFIRQuestions/blob/main/README.md

FrequentlyAskedDFIRQuestions/README.md at main · Digital-Forensics-...

A repository to store answers to some of the most commonly asked questions within the Digital Forensics Discord Server - FrequentlyAskedDFIRQuestions/README.md at main · Digital-Forensics-Discord-S...

Andrew Rathbun

https://github.com/Digital-Forensics-Discord-Server/FrequentlyAskedDFIRQuestions/blob/main/README.md

aha thanks mate

The Washington Post recently won the South Asian Journalists Association's Daniel Pearl Award (https://www.saja.org/page-935554/12994098) for a series of articles covering our digital forensics reports in an ongoing Indian case involving terrorism-related allegations. You can read the articles at https://www.washingtonpost.com/world/asia_pacific/india-bhima-koregaon-activists-jailed/2021/02/10/8087f172-61e0-11eb-a177-7765f29a9524_story.html, https://www.washingtonpost.com/world/2021/07/06/bhima-koregaon-case-india/, and https://www.washingtonpost.com/world/2021/07/20/indian-activists-surveillance. If you are a digital forensics practitioner and concerned about the integrity of electronic evidence, please get familiar with this case. As a reminder, our first four reports (and their exhibits) are available from our website: First Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-I.zip Second Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-II.zip Third Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Surendra-Gadling-Report-III.zip Fourth Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-IV.zip

5

3

2

Just reading the first one.... WOW! Amazing work!

same: mind blown. fabulous work. Kudos

When people ask me about CSI level forensic stuff, that is what I imagine it would look like

Does anyone know how much Mobilogy recovery cost is (edited)

@dsplice @Digitalferret Thank you both! It will take some time to read through our reports (especially if going back and forth with exhibits), but we are pretty sure you won’t be bored.

ChadlyThicc

Does anyone know how much Mobilogy recovery cost is (edited)

not sure what you mean? cellebrite service?

Welcome to Mobilogy Mobilogy - a Cellebrite company, offers solutions that enable operators, retailers, aftermarket service providers, and enterprises to provide enhanced customer experience, increase revenue, improve productivity, enhance security, and reduce cost.

Yes

9:00 AM

can’t find their website or any information about them online

looks more to me like a means of managing clients, not recovering data

9:03 AM

is that what you were after? maybe ping Cellebrite in here

Yes

maybe I was mistaking your data recovery posts in with this

It’s alright I opened another inquiry with the via email waiting for a replay back

1

Digitalferret

not sure what you mean? cellebrite service?

Welcome to Mobilogy Mobilogy - a Cellebrite company, offers solutions that enable operators, retailers, aftermarket service providers, and enterprises to provide enhanced customer experience, increase revenue, improve productivity, enhance security, and reduce cost.

Would you mind directing me to where you found this?

9:09 AM

And also when I called them they put in a ticket and to wait for it to be reviewed

Digitalferret

not sure what you mean? cellebrite service?

Welcome to Mobilogy Mobilogy - a Cellebrite company, offers solutions that enable operators, retailers, aftermarket service providers, and enterprises to provide enhanced customer experience, increase revenue, improve productivity, enhance security, and reduce cost.

I think that's just the ufed touch now.

1

good night everyone how can i do mobile imagine without tools

MR.Falcon

good night everyone how can i do mobile imagine without tools

#mobile-forensic-extractions

thx sir

Any @Law Enforcement [UK] DF units bought in Cellebrite Premium Enterprise Solution (ES) ?

Yep

Yup

Yep

yeah

Yep

Question for the group, I have an agency that is inquiring about a stalking case, the victim blocked the suspect on her iPhone but was getting threating messages on her iWatch. They want to know if we can download the iWatch, I know the soultions out there are not good so i'm asking myself how this happened if she blocked him on her iPhone why did she get them on her iWatch ?

2:03 PM

I tried to duplicate this and when we blocked a contact on a test iPhone it would not send it to the iWatch.

DCSO

Question for the group, I have an agency that is inquiring about a stalking case, the victim blocked the suspect on her iPhone but was getting threating messages on her iWatch. They want to know if we can download the iWatch, I know the soultions out there are not good so i'm asking myself how this happened if she blocked him on her iPhone why did she get them on her iWatch ?

It sounds like the watch is not syncing correctly.

1

DCSO

Question for the group, I have an agency that is inquiring about a stalking case, the victim blocked the suspect on her iPhone but was getting threating messages on her iWatch. They want to know if we can download the iWatch, I know the soultions out there are not good so i'm asking myself how this happened if she blocked him on her iPhone why did she get them on her iWatch ?

Is the iwatch tied to a different AppleID then the iPhone? Sending iMessages to the AppleID receiving on the watch, but a different AppleID in phone blocked the number. Just a thought.

1

Hi All, can anyone point me in a direction where I can find proper analysis on Word Document forensics? I am particularly interested in the "Content Created" metadata field but I am struggling to find anything relevant on it in a forensic manner. Any assistance would be much appreciated ! (edited)

Reinard

Hi All, can anyone point me in a direction where I can find proper analysis on Word Document forensics? I am particularly interested in the "Content Created" metadata field but I am struggling to find anything relevant on it in a forensic manner. Any assistance would be much appreciated ! (edited)

https://www.sciencedirect.com/topics/computer-science/document-metadata might be of some use, even if indirectly?

florus

Does anyone have experience with legal requests to Fitbit? Is there something to 'get'? If yes, what and does someone have contact-details? (edited)

@Law Enforcement [USA]

florus

Does anyone have experience with legal requests to Fitbit? Is there something to 'get'? If yes, what and does someone have contact-details? (edited)

https://www.search.org/resources/isp-list/

SEARCH

ISP List and LE Guides - SEARCH

The ISP List is a database of Internet service and other online content providers that will help you get the information you need for your case. For each Internet Service Provider listed, you’ll find the legal contact information and instructions needed to serve subpoenas, court orders, and search warrants. The ISP List is a law … ISP List and L...

You sir/madame saved the day. Thanks!

florus

You sir/madame saved the day. Thanks!

No problem buddy

DCSO

Question for the group, I have an agency that is inquiring about a stalking case, the victim blocked the suspect on her iPhone but was getting threating messages on her iWatch. They want to know if we can download the iWatch, I know the soultions out there are not good so i'm asking myself how this happened if she blocked him on her iPhone why did she get them on her iWatch ?

If the watch has cellular, it has its own phone number through a carrier. I’ve never tried to contact myself with that number, but now I’m curious if it would work. (edited)

1

SectorZero

https://www.search.org/resources/isp-list/

@Search.org can help too

1

JLindmar (83AR)

It sounds like the watch is not syncing correctly.

I've inquired with the Detective working the case, I'll wait and see what he has to say.

Hello folks! I have “Apple MacBook Pro” A2338 (EMC 3578) which based on M1 Silicon chip and it's is locked with user's password which I don't know. What is the possibilities to acquire forensics image of this Macbook?

2numb3rs

Hello folks! I have “Apple MacBook Pro” A2338 (EMC 3578) which based on M1 Silicon chip and it's is locked with user's password which I don't know. What is the possibilities to acquire forensics image of this Macbook?

Are you able to boot into Digital Collector? That'll tell you if filevault is actually turned on. If filevault is NOT on, I think you can acquire it without needing the password. We've found from experience that a few of the M1 devices we have encountered have had filevault turned off. Otherwise, if filevault is on you'll need to get some passwords from any other devices (such as phones, other computers) and try those.

Anyone by any chance have an Excel formula to extract valid IP addresses from columns? Got a bunch of unnecessary data within one column mixed in with IP addresses, and my Google-Fu has failed me

Fr0stByt3

Are you able to boot into Digital Collector? That'll tell you if filevault is actually turned on. If filevault is NOT on, I think you can acquire it without needing the password. We've found from experience that a few of the M1 devices we have encountered have had filevault turned off. Otherwise, if filevault is on you'll need to get some passwords from any other devices (such as phones, other computers) and try those.

In my case I attach Cellebride Digital Collector USB stick to MacBook and hold down the power button, then the boot environment appears. Then I choose “DC ARM Boot”. After that Recovery Mode appears and there is prompted select an admin user which known password. In my case I don’t know a passowrd.

If encryption is on, your sol

Matt

Anyone by any chance have an Excel formula to extract valid IP addresses from columns? Got a bunch of unnecessary data within one column mixed in with IP addresses, and my Google-Fu has failed me

No worries, given up and writing a Python script

@Law Enforcement [UK] Any UK forces gone through ISO accreditation for their forensic labs? If so, whats your opinion on it? Does it benefit your work or make it harder for you?

3

Oh god, some one grab the can of worms

19

1

dinosaurdave

@Law Enforcement [UK] Any UK forces gone through ISO accreditation for their forensic labs? If so, whats your opinion on it? Does it benefit your work or make it harder for you?

8

dinosaurdave

@Law Enforcement [UK] Any UK forces gone through ISO accreditation for their forensic labs? If so, whats your opinion on it? Does it benefit your work or make it harder for you?

In my opinion, it serves a purpose, without it I'm sure a good handful of people would be operating like it's the wild west. However it depends on who's writing your SOPs, I think there's a fine balance between documenting processes to enforce common sense practice and being so strict that it restricts the freedom to research and innovate. So... it depends

1

Pseudonym

Oh god, some one grab the can of worms

Too late! Its already been opened

dinosaurdave

@Law Enforcement [UK] Any UK forces gone through ISO accreditation for their forensic labs? If so, whats your opinion on it? Does it benefit your work or make it harder for you?

1

dinosaurdave

@Law Enforcement [UK] Any UK forces gone through ISO accreditation for their forensic labs? If so, whats your opinion on it? Does it benefit your work or make it harder for you?

I have DMed but wanted to also add why it isnt a standard process for all of us to follow, I dont know, its like they enjoy 43 different versions of things so they are forced to charge us for 43 different versions with 43 visits, poor UKAS...

I think tbf it'll depend on whoever made your SOPs

3:15 AM

If it's anything like ours, best of luck.

Rob

I think tbf it'll depend on whoever made your SOPs

Anything under 300 pages is barely worth an index.

1

Rob

I think tbf it'll depend on whoever made your SOPs

Definitely depends on the quality of your quality team

Zhaan

Anything under 300 pages is barely worth an index.

Joking BTW

I think some of ours are 30+ pages and even still barely understandable

I think the Welsh forces should do it in Welsh and English.

4

Zhaan

I think the Welsh forces should do it in Welsh and English.

Not sure which would be harder to understand

Matt

Not sure which would be harder to understand

Encryption

3

Wait until you get mind blowing questions from UKAS. When reviewing working instruction around testing Faraday box UKAS: "I can see you're testing mobile data, WiFi, Bluetooth, NFC and nothing penetrates this Faraday box - it works as intended. Good job. What about UV Rays?"

7

1

3:48 AM

We are essentially having it forced on us by a team of people who do not understand nor appreciate what we do. So it is not looking good. Thanks for the replies haha

dinosaurdave

We are essentially having it forced on us by a team of people who do not understand nor appreciate what we do. So it is not looking good. Thanks for the replies haha

I think this is basically 99% of uk forces

3:50 AM

I would just say, if you can, keep SOPs vague

1

I dont even know who will be writing the SOPs

Then you're not tied down to any specifically named software for any processes

3:51 AM

I say that because our SOP does just this and it's chaos for "going outside the scope"

Pacman

Wait until you get mind blowing questions from UKAS. When reviewing working instruction around testing Faraday box UKAS: "I can see you're testing mobile data, WiFi, Bluetooth, NFC and nothing penetrates this Faraday box - it works as intended. Good job. What about UV Rays?"

I did raise the point that as gravity/mass effects time dilation should we also record the altitude at which we acquire images when it comes to time checks.

1

baggins

I did raise the point that as gravity/mass effects time dilation should we also record the altitude at which we acquire images when it comes to time checks.

Pacman

Click to see attachment 🖼️

Well i got told our SOP was updated to say we must calibrate our clocks.. by dialing the speaking clock. Just another time wasting exercise

2

baggins

Well i got told our SOP was updated to say we must calibrate our clocks.. by dialing the speaking clock. Just another time wasting exercise

Speaking clock??

baggins

Well i got told our SOP was updated to say we must calibrate our clocks.. by dialing the speaking clock. Just another time wasting exercise

We use radio clocks (not the clocks with radios)

Pacman

Speaking clock??

Yup, not a trusted NTP server or something sensible like that

dinosaurdave

We are essentially having it forced on us by a team of people who do not understand nor appreciate what we do. So it is not looking good. Thanks for the replies haha

You're having something forced on you? Isnt there a law for something along those lines...

baggins

Well i got told our SOP was updated to say we must calibrate our clocks.. by dialing the speaking clock. Just another time wasting exercise

In fact, our radio clocks had their own little write up because they were so clocky and accurate, we clapped that day, good times

Rob

I say that because our SOP does just this and it's chaos for "going outside the scope"

dont be such a digital forensic baby, where's your spirit of adventure man?!?!?!

1

4:03 AM

I love out of scope, thats why me and Mavis Beacon are best buds, my typing speed is amazing because of ISO

Zhaan

dont be such a digital forensic baby, where's your spirit of adventure man?!?!?!

Tell that to our quality team

Rob

Tell that to our quality team

No thanks, since ISO, I talk to no-one in fear of a non compliance

2

dinosaurdave

@Law Enforcement [UK] Any UK forces gone through ISO accreditation for their forensic labs? If so, whats your opinion on it? Does it benefit your work or make it harder for you?

Definitely makes it harder but more consistent, until the software changes and all the sops have to be re written

baggins

Well i got told our SOP was updated to say we must calibrate our clocks.. by dialing the speaking clock. Just another time wasting exercise

Time.is Or timeanddate.com should suffice

You guys are really filling me with joy - cant wait

You should search the server for previous ISO discussions

. This is definitely not the first rodeo

I would but I dont want to put myself on an even bigger downer

1

I still cannot believe how open to interpretation it is

5:19 AM

The differences between what is acceptable varies so much between all of our forces

Rob

I would just say, if you can, keep SOPs vague

pretty much your take on VHDL , your "V" being Vague i guess

ie describe what a <process> does before it gets translated into an actual <solution/hardware/software>

1

dinosaurdave

@Law Enforcement [UK] Any UK forces gone through ISO accreditation for their forensic labs? If so, whats your opinion on it? Does it benefit your work or make it harder for you?

I'm in the US, and I understand you have much more regulation in the UK (e.g. UKAS, Forensic Science Regulator) that is still being navigated, but you are also light years ahead of many other countries as far as implementing and adopting quality requirements in digital forensics. I'm an ISO 17025 technical assessor in digital forensics for an accrediting body, and most of the issues I see revolve around a lack of understanding and guidance on how to best apply ISO requirements within digital forensics. Universally, those labs with more complex SOPs almost always have the biggest problems following their own SOPs. In the UK, are you provided any guidance on how to implement ISO requirements, and if so, is the same guidance given to everyone or is everyone expected to figure it out on their own?

Thank you

Andrew

Pacman

Wait until you get mind blowing questions from UKAS. When reviewing working instruction around testing Faraday box UKAS: "I can see you're testing mobile data, WiFi, Bluetooth, NFC and nothing penetrates this Faraday box - it works as intended. Good job. What about UV Rays?"

Do you think they meant IR rather than UV?

AmNe5iA

Do you think they meant IR rather than UV?

I kid you not, they meant UV Rays.

Pacman

I kid you not, they meant UV Rays.

Need to block everything. Schrödinger's Faraday box!

The phone is both dead and alive

3

Pacman

I kid you not, they meant UV Rays.

Well, there is the 0.00000001% chance... https://iopscience.iop.org/article/10.1088/1674-4926/42/8/081801/meta

9:48 AM

https://phys.org/news/2017-12-high-speed-based-ultraviolet.html

High-speed communication systems based on ultraviolet radiation

Military and civil authorities could benefit from secure optical communication systems that use light to carry messages between moving vehicles. Researchers at KAUST have now demonstrated rapid data transfer using ultraviolet-B (UV-B) light, which provides many advantages over visible light.

9:51 AM

Personally, I would be more worried about Walter White and Jesse Pinkman with an electromagnet truck than UV-B communications.

1

I feel dumb asking this, but could I use the Tableau TD3 Forensic Imager as a write blocker connected to a computer to preview a device on scene? As opposed to connecting a device to a forensic bridge then my computer.

11:09 AM

And am I thinking in a way that overcomplicates it?

numbersevenfan

I feel dumb asking this, but could I use the Tableau TD3 Forensic Imager as a write blocker connected to a computer to preview a device on scene? As opposed to connecting a device to a forensic bridge then my computer.

I don't think the TD3 can, but I know the falcon can as I've done it: https://www.logicube.com/shop/forensic-falcon-neo/

Falcon®-NEO - Logicube

The Falcon-NEO is a future-focused, next-generation digital forensic imager. Unmatched performance designed to streamline evidence collection processes.

Sha1_4n6

I don't think the TD3 can, but I know the falcon can as I've done it: https://www.logicube.com/shop/forensic-falcon-neo/

Thank you for the sanity check!

the falcon will connect via USB and show the drive over iscsi. never seen the td3 do that

11:26 AM

it's pretty sweet honestly

1

dinosaurdave

We are essentially having it forced on us by a team of people who do not understand nor appreciate what we do. So it is not looking good. Thanks for the replies haha

This is the same situation we are in here.

JLindmar (83AR)

I'm in the US, and I understand you have much more regulation in the UK (e.g. UKAS, Forensic Science Regulator) that is still being navigated, but you are also light years ahead of many other countries as far as implementing and adopting quality requirements in digital forensics. I'm an ISO 17025 technical assessor in digital forensics for an accrediting body, and most of the issues I see revolve around a lack of understanding and guidance on how to best apply ISO requirements within digital forensics. Universally, those labs with more complex SOPs almost always have the biggest problems following their own SOPs. In the UK, are you provided any guidance on how to implement ISO requirements, and if so, is the same guidance given to everyone or is everyone expected to figure it out on their own?

We're in the early stages and us lowly analysts are pretty much kept in the dark, so I can't quite answer your question. But from what I can tell thus far, some boss has mentioned 'ISO', and everyone else has said 'that sounds fancy, lets do it'.

1:27 AM

The SOPs will likely be written by people in a 'project team' that have no forensic experience.

1:28 AM

And they are likely just groping blindly in the dark in an attempt to figure out how to do it. But it will no doubt end in some boss being promoted as it was their idea, and that was likely their end goal.

1

I understand the pain for the UK LE guys with this. Having also done this in past life and written prob 50% or more of the SOPs I would say, like others have said, that you absolutely need someone writing them with realistic knowledge of the actual workflows and processes involved. Having bad or unreasonable SOPs will slow everything down or could even prevent some functions/analysis methods which you simply need/have to use. I would say @dinosaurdave it will be a bit painful at first but some parts will have some benefit (depending on how you do things currently) or will least make sense in terms of why they are needed. (edited)

Hello Folks, Any open source tools to perform bulk scan to identify the potential steganography documents/Media files.

DeepDiveForensics

Hello Folks, Any open source tools to perform bulk scan to identify the potential steganography documents/Media files.

how "bulk" is it? have you been through these yet? https://www.google.com/search?q=FOSS+steganography+detection

Digitalferret

how "bulk" is it? have you been through these yet? https://www.google.com/search?q=FOSS+steganography+detection

"Bulk" means scan multiple files in one go to identify those files, whether it is images, audio etc.

sorry, my bad. i understand bullk, i meant it to mean, 10 files, a directory, an entire 16TB drive? etc (edited)

8:52 AM

and, did you check the regular google search that showed those results?

Digitalferret

sorry, my bad. i understand bullk, i meant it to mean, 10 files, a directory, an entire 16TB drive? etc (edited)

Yeah, right from a directory

numbersevenfan

I feel dumb asking this, but could I use the Tableau TD3 Forensic Imager as a write blocker connected to a computer to preview a device on scene? As opposed to connecting a device to a forensic bridge then my computer.

I think you can. If you connect to the TD3 via ethernet to the Web Portal, you can browse the source disk. I think you may be able to download isolated files for analysis. It is not particularly efficient, but I believe it is possible.

@Griffeye anyone available for a DM in regards to the bluebear carver plugin?

https://github.com/0x90n/InfoSec-Black-Friday

GitHub - 0x90n/InfoSec-Black-Friday: All the deals for InfoSec rela...

All the deals for InfoSec related software/tools this Black Friday - GitHub - 0x90n/InfoSec-Black-Friday: All the deals for InfoSec related software/tools this Black Friday

All of our course are on sale at https://networkdefense.io for the next few days.

Applied Network Defense

Affordable, effective, online information security training. Made by analysts, for analysts.

I will add that the courses are really good!

1

dsplice

I will add that the courses are really good!

Agreed. I've bought 2 myself

1

dinosaurdave

We are essentially having it forced on us by a team of people who do not understand nor appreciate what we do. So it is not looking good. Thanks for the replies haha

Well we were all supposed to be accredited by 2017, so it was bound to be forced on you at some point

@dsplice @Andrew Rathbun any recommendations?

Fierry

@dsplice @Andrew Rathbun any recommendations?

For? (sorry if I missed it, multitasking)

Which AND course?

Hi everyone! I have a discounts list I keep updated year-round. I tried to get all of the DFIR training, book, and software discounts for Black Friday & Cyber Monday. It can be filtered by "DFIR Related Deals" https://training.dfirdiva.com/current-discounts

Current Discounts - Updated Year-Round

Current Sales on DFIR, IT, & Cybersecurity Training and Books. Updated year-round including Black Friday and Cyber Monday.

3

Fierry

@dsplice @Andrew Rathbun any recommendations?

I did Building Virtual Labs and Demystifying Regular Expressions. Both on the cheaper side and they were really good.

1

5:28 PM

I want to take the CyberChef one eventually

Fierry

Which AND course?

Ah. Ok took Investigation Theory (I have all my junior IR people take it), OSQuery, ELK for Security Analysis, and Practical Packet Analysis

Good to know :). I’m indeed thinking about investigation theory or practical threat hunting

I found Investigation Theory a very good 'level setting' course. Many times we would get technical people into the entry level jobs, but without alot of actual analysis experience. This course helped get them into the mindset of following the data, and how to watch for bias and other pitfalls

dont see SANS blackfriday discount (course & exam cert)

dsplice

I found Investigation Theory a very good 'level setting' course. Many times we would get technical people into the entry level jobs, but without alot of actual analysis experience. This course helped get them into the mindset of following the data, and how to watch for bias and other pitfalls

Guess it’s settled then

dsplice

I found Investigation Theory a very good 'level setting' course. Many times we would get technical people into the entry level jobs, but without alot of actual analysis experience. This course helped get them into the mindset of following the data, and how to watch for bias and other pitfalls

It's on my list to take when I have time! Looks like a useful one

DFIRDiva

Hi everyone! I have a discounts list I keep updated year-round. I tried to get all of the DFIR training, book, and software discounts for Black Friday & Cyber Monday. It can be filtered by "DFIR Related Deals" https://training.dfirdiva.com/current-discounts

maybe add R-Studio, they do sales during the year as well as Black Friday. genuine 25% off inc yearly subs

2:25 AM

oooh, first time i've ever seen, UFSExplorer fam 20% discount too. https://www.ufsexplorer.com/

Digitalferret

oooh, first time i've ever seen, UFSExplorer fam 20% discount too. https://www.ufsexplorer.com/

I added both. Thank you!

1

What's your take if public defender's offices (or your equivalent) starting to having their own DF people? Probably not doing extraction but to interpret reports and data? Do you feel this is not good for the job? Or prefer to see the proper check and balance introduced to the system?

chauan

What's your take if public defender's offices (or your equivalent) starting to having their own DF people? Probably not doing extraction but to interpret reports and data? Do you feel this is not good for the job? Or prefer to see the proper check and balance introduced to the system?

Some do This is good for the job. You have people on the accused side explaining the evidence and get them to make informed decisions. Plus even just recently heard of a case where the prosecution really acted inappropriately and claimed things not backed up by evidence

2

Hello, I am looking for current quality assurance processes used in digital forensics. Can you recommend websites that I can use?

Andrew Rathbun pinned a message to this channel. 11/28/2022 5:02 AM

Hi everyone! Does anyone know how the check characters of a UK drivers license is generated? They are the 15th and 16th characters of the license number and are automatically generated through an algorithm, but that algorithm does not appear to be widely known.

maxabo

Hello, I am looking for current quality assurance processes used in digital forensics. Can you recommend websites that I can use?

Here is a good and recent US resource: https://www.ignet.gov/sites/default/files/files/Quality_Standards_for_Digital_Forensics_2019.pdf If you have specific questions, feel free to contact me directly. (edited)

JLindmar (83AR)

Here is a good and recent US resource: https://www.ignet.gov/sites/default/files/files/Quality_Standards_for_Digital_Forensics_2019.pdf If you have specific questions, feel free to contact me directly. (edited)

Thanks a lot.

Any good resources on APFS? I want to learn how to interpret Apple systems

Is it possible to downgrade an iPhone's OS version need to test a specific version of iOS. Same thing with applications, is it possible to download an old version of an application and if so where can I get my hands on that? If it isn't possible to downgrade the iOS version, does anybody know of a place that sells iPhones running specific iOS versions?

ar1195

Is it possible to downgrade an iPhone's OS version need to test a specific version of iOS. Same thing with applications, is it possible to download an old version of an application and if so where can I get my hands on that? If it isn't possible to downgrade the iOS version, does anybody know of a place that sells iPhones running specific iOS versions?

https://www.iphonelife.com/content/how-to-downgrade-software-versions-iphone

How to Downgrade iOS & Return to the Previous iPhone Software

Struggling with buggy software or simply dislike the latest features? Apple doesn't make it easy to revert back to a previous software version. Before you begin, we'll cover some important things you need to know before you reinstall iOS software, then we'll walk you through how to downgrade iOS versions.

shulgi

Any good resources on APFS? I want to learn how to interpret Apple systems

https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010672-CH1-SW1

JLindmar (83AR)

https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010672-CH1-SW1

Thanks

shulgi

https://www.iphonelife.com/content/how-to-downgrade-software-versions-iphone

Thank you. This article mentions making sure the OS version is still signed by Apple. The version that I need is no longer signed by Apple which according to the article means we cannot install the OS via iTunes. Do you happen to know if there is anything else we can use to install it?

ar1195

Thank you. This article mentions making sure the OS version is still signed by Apple. The version that I need is no longer signed by Apple which according to the article means we cannot install the OS via iTunes. Do you happen to know if there is anything else we can use to install it?

I’m not an expert on the subject. All I know is the iTunes rollback method. Maybe others here can assist

Has anyone done any pen register type warrant for for facebook? Situation: bad guy doesn't have service, ditch his cell phone likely got a new one. uses FB and Whats app to do all his communication. he has an active arrest warrant. we are looking for a way to use facebook and the ip addresses he logs in with or accesses with to be report to us so we can track him down.

As far as the device, Here are a few resources: https://discord.gg/sileo-odyssey-team-468422899716456498 https://discord.gg/palera1n https://www.reddit.com/r/jailbreak/ In most cases to roll back to an unsigned version you must have saved SHSH2 blobs for your specific device for the iOS version that you want to rollback to. Other peoples/devices blobs will not work for your device. You can then use some open source tools (futurestore) to make this happen. Not sure about where to get old application versions. (edited)

I have a few PDFs with ID photos in them, I need to be able to identify the persons likeness to compare to another record. The PDFs are "printed" from a program. However, they are VERY poor. It looks as if they were scanned with the exposure turned all the way up like 3 times over and over again to make them hard to read/ID the photos. The provider said this is what they have in their system. I don't believe that. There is URLs and titles very close to the edges of the PDFs that are perfectly lined up. The documents are VERY proportional & square. It looks like they post-processed them to blur things. Is there anything I can look at in the PDFs metadata to see if it's been done? The reports have a 'run' date and time, and a saved date and time that are a few hours apart, but that's obviously not any kind of evidence of an issue.

Is it possible to detect if the time on a file has been changed using touch? (edited)

Excuse my ignorance, we are behind the times, is "touch" a piece of software? I don't have any DiFi tools unfortunately, just what you can do through standard Windows devices.

just the standard terminal command: https://en.wikipedia.org/wiki/Touch_(command)

Touch (command)

In computing, touch is a command used to update the access date and/or modification date of a computer file or directory. It is included in Unix and Unix-like operating systems, TSC's FLEX, Digital Research/Novell DR DOS, the AROS shell, the Microware OS-9 shell, and ReactOS. The command is also available for FreeDOS and Microsoft Windows.

You could look at the terminal history if it is available, if other files were modified at different times you can start to construct a timeline (edited)

Thank you @AR.C and @Matt! This should send me down a rabbit hole for a bit.

1

Matt

You could look at the terminal history if it is available, if other files were modified at different times you can start to construct a timeline (edited)

do you mean a history file like .bash_history or .zsh_history? thank you.

11:10 AM

until recently, I thought the only use of touch was to create an empty file and only recently found out about its ability to change timestamps

AR.C

do you mean a history file like .bash_history or .zsh_history? thank you.

Yeah exactly, whichever file the terminal command history is stored within

11:14 AM

@DB This article should be helpful https://mattcasmith.net/2022/02/22/bash-history-basics-behaviours-forensics

Linux .bash_history: Basics, behaviours, and forensics | MattCASmith

1

awesome, thanks again

1

Matt

@DB This article should be helpful https://mattcasmith.net/2022/02/22/bash-history-basics-behaviours-forensics

fab article from a fellow Ctrl-R user

1

Anyone an EnCase 6.19 and EnCase 7/8/22 user ? Can I ask a question ?

Jay528

Anyone an EnCase 6.19 and EnCase 7/8/22 user ? Can I ask a question ?

@Melrose142

Is that your second profile

2

Nah it's a coworker

Thanks ! I also bought the Kape manual today

1:39 PM

I will have a lot of fun with 300+ pages

Jay528

Thanks ! I also bought the Kape manual today

EZ Tools? Regardless, thank you for the support! Much appreciated

yup, EZ tools

sweet! Let me know if you have any feedback or requests

i do, will DM yo

1:40 PM

you

if a company (3rd party IT support) comes in to your business and deletes your data as a result of wiping your c: drive are there any GDPR or DPA issues/breaches ?

ddf_dude

if a company (3rd party IT support) comes in to your business and deletes your data as a result of wiping your c: drive are there any GDPR or DPA issues/breaches ?

in what way? that they came in? that they (3rd party) wiped? that they read the drives? that they weren't supposed to? etc

Has anyone used Kon-Boot for bypassing login screens on windows or Mac? I can't tell if it's legit or not

Neon

Has anyone used Kon-Boot for bypassing login screens on windows or Mac? I can't tell if it's legit or not

I've used it several times on Windows. It's legit.

1

ddf_dude

if a company (3rd party IT support) comes in to your business and deletes your data as a result of wiping your c: drive are there any GDPR or DPA issues/breaches ?

"A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals." https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

Personal data breaches

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority

1

DFIRDiva

I've used it several times on Windows. It's legit.

Do you have to run the Kon-Boot on a live machine or would this work with an image some how ? (edited)

You could use it against an E01 or similar format

1

Neon

Has anyone used Kon-Boot for bypassing login screens on windows or Mac? I can't tell if it's legit or not

Something to keep in mind, if you aren’t already aware: https://discord.com/channels/427876741990711298/427936091220344833/1004437420323905667

1

Does anybody know if there is any digital data left in a currency counter machine that we can acquire ? I recall hearing something about this and I searched Discord but came up empty handed. I have a Detective that is inquiring, I gave them the old forensic" its depends" answer

Just because it's on the internet doesn't make it legal https://www.espn.com/college-football/story/_/id/35149554/florida-qb-jalen-kitna-jailed-child-pornography-counts

Florida QB Kitna jailed on child porn counts

Florida's Jalen Kitna, the son of ex-NFL QB Jon Kitna, has been jailed on multiple felony complaints involving child pornography. He has been suspended.

2

What organization is the European equivalent of NIST?

JonasWanobi

What organization is the European equivalent of NIST?

Nevermind. I literally just googled that exact question and found this. LOL "The European Union Agency for Network and Information Security is the equivalent of NIST"

2

Police overwhelmed by digital forensics as 25,000 devices await checks – report https://www.standard.co.uk/news/uk/police-home-office-crown-prosecution-service-b1043999.html?amp

Police overwhelmed by digital forensics as 25,000 devices await che...

Inspectors examined how effective the police are at capturing evidence from digital devices, including smartphones and computers.

1

Cuts have consequences unfortunately…

3

DFIRDiva

I've used it several times on Windows. It's legit.

I had never even heard of it before... sounds like a tool I need to try out

whee30

I had never even heard of it before... sounds like a tool I need to try out

they had a discount over Black Friday, we used to have a license of it, not sure if it's any good now. This was probably 4-5 years ago

Seems like the license is sufficiently cheap that I wouldn't need to hunt a sale... for anyone who uses it, what are the significant limitations? What CANT it get into?

10:35 AM

I have Arsenal for mounting/VM/bypass goodness, but the ability to live boot a system and bypass could def. come in handy. Especially if the mac stuff works...

whee30

I have Arsenal for mounting/VM/bypass goodness, but the ability to live boot a system and bypass could def. come in handy. Especially if the mac stuff works...

I assume there are certain situations where it's limited like SecureBoot or full disk encryption loaded

Hello everyone I have a question I would appreciate it if anyone could help me; the SIEM team had an alert saying that there is a brute force attack on one of the clients using the client username. I looked at Security Event Log in the Event 4625 I found nothing suspicious so I followed the SIEM rule that generates this alert it points to the id 4648 (A logon was attempted using explicit credentials) in this Event ID I found a significant number of records generated form the Exchange server like in one second there is 10 records and all of them in the Executable info field show OUTLOOK.EXE, anyone has an idea why this data exist?

@Cellebrite having issues with installing UFED for PC, uninstalled the previous version and restarted multiple times but nothing works

stark4n6

@Cellebrite having issues with installing UFED for PC, uninstalled the previous version and restarted multiple times but nothing works

umm.. there's a for install in %temp%.. we'd need to see whats up

CLB-Paul

umm.. there's a for install in %temp%.. we'd need to see whats up

let me know if there is anything specific to look at

Colman

Police overwhelmed by digital forensics as 25,000 devices await checks – report https://www.standard.co.uk/news/uk/police-home-office-crown-prosecution-service-b1043999.html?amp

Developing examiners the right way should be the true answer...but usually the shortcuts win the budget.

1

Hi everyone, currently working on a couple of log files provided by a DLP solution indicating copy processes from a laptop to an external drive. I realized that in the recorded mass-copy processes that e. g. last for 30seconds it appears that some single files appear several times within that time frame. same origin, destination, hash value just different time stamp within those 30 seconds. are there any technical explanations behind that? Also potential (technical) explanations why a device-mount or unmount operation might be encountered without the corresponding counterpart? The DLP not able to "catch" it fast enough? The mount not being recorded within the screened logs, e. g. event logs?

Sam8763Ze

Hello everyone I have a question I would appreciate it if anyone could help me; the SIEM team had an alert saying that there is a brute force attack on one of the clients using the client username. I looked at Security Event Log in the Event 4625 I found nothing suspicious so I followed the SIEM rule that generates this alert it points to the id 4648 (A logon was attempted using explicit credentials) in this Event ID I found a significant number of records generated form the Exchange server like in one second there is 10 records and all of them in the Executable info field show OUTLOOK.EXE, anyone has an idea why this data exist?

it could just be that the service is trying impersonate which is not uncommon It is great when an adversary goes to a privileged account or changes account and etc

3:04 AM

what you originally did looking for 4625 is the way to check for brute force attacks It could just be a misconfiguration or maybe its not definitely take a closer look (edited)

oh yah just found it Outlook will use Microsoft accounts to authenticate to the mail server Computer accounts also use this as well (edited)

avesta

oh yah just found it Outlook will use Microsoft accounts to authenticate to the mail server Computer accounts also use this as well (edited)

Thank you so much

One of users have complained that their computer Just started typing stuff out while she had opened Outlook. I tried looking at the event logs if there have been any remote connections with eventID 4624, looked at the prefetch logs to see any programs being run when this event occurred. Unable to find any clue as to what happened. What else should I be looking for? There are no firewall logs with the company.

Evidence of execution artifacts, prefetch shimcache, Amcache

6:02 AM

Also perhaps installed services event 7045

indianadmin

One of users have complained that their computer Just started typing stuff out while she had opened Outlook. I tried looking at the event logs if there have been any remote connections with eventID 4624, looked at the prefetch logs to see any programs being run when this event occurred. Unable to find any clue as to what happened. What else should I be looking for? There are no firewall logs with the company.

Must be some remote access tool/backdoor in play

How much is a Cellebrite renewal licence for a UEFD touch?

Also as well an a Cellebrite UEFD scan a factory reseted phone

indianadmin

One of users have complained that their computer Just started typing stuff out while she had opened Outlook. I tried looking at the event logs if there have been any remote connections with eventID 4624, looked at the prefetch logs to see any programs being run when this event occurred. Unable to find any clue as to what happened. What else should I be looking for? There are no firewall logs with the company.

another alternative to check (which doesn't rule out malware), is the device in a shared space with wireless keyboards that get mixed up/re-used by staff (e.g. during cleaning/sanitizing)

10:47 AM

we had an occasion where multiple keyboards were paired to the same device

indianadmin

One of users have complained that their computer Just started typing stuff out while she had opened Outlook. I tried looking at the event logs if there have been any remote connections with eventID 4624, looked at the prefetch logs to see any programs being run when this event occurred. Unable to find any clue as to what happened. What else should I be looking for? There are no firewall logs with the company.

I reckon additional information is warranted, such as whether it's typing gibberish (like consecutive letters vs readable stuff), is it having at specific time(range) or when outlook is opened only? When did it began? What if any did the user do before all this began? Did the user downloaded/executed/installed/clicked on something?

deetnutz

I reckon additional information is warranted, such as whether it's typing gibberish (like consecutive letters vs readable stuff), is it having at specific time(range) or when outlook is opened only? When did it began? What if any did the user do before all this began? Did the user downloaded/executed/installed/clicked on something?

Individual words are proper, but overall sentence is gibberish. This happened for the first time, and as soon as it was seen, the laptop was taken off the network. A new laptop has been given to the user and no issues on the new one.

deetnutz

I reckon additional information is warranted, such as whether it's typing gibberish (like consecutive letters vs readable stuff), is it having at specific time(range) or when outlook is opened only? When did it began? What if any did the user do before all this began? Did the user downloaded/executed/installed/clicked on something?

Nothing was downloaded by the user. i see radskman which seems to be a remote access tool by HP. Will have to check with the company if this is something they use.

indianadmin

Nothing was downloaded by the user. i see radskman which seems to be a remote access tool by HP. Will have to check with the company if this is something they use.

RAT could be a possibility, but I like to get teh low hanging fruit out of the way. What have you done so far if any to check if the machine is compromised?

8:51 PM

Also @rayeh theory is plausible

deetnutz

RAT could be a possibility, but I like to get teh low hanging fruit out of the way. What have you done so far if any to check if the machine is compromised?

Checked event logs for any incoming remote access. Prefetch for any executions around the time of incident. Checking scheduled tasks. USB is blocked.

indianadmin

Checked event logs for any incoming remote access. Prefetch for any executions around the time of incident. Checking scheduled tasks. USB is blocked.

What's your rational behind checking EventID 4624 when looking for any remote connections? What other event id did you check? Are you checking it against the event viewer on the machine or are you using SIEM? Do you have EDR in place at the organization?

deetnutz

What's your rational behind checking EventID 4624 when looking for any remote connections? What other event id did you check? Are you checking it against the event viewer on the machine or are you using SIEM? Do you have EDR in place at the organization?

Event viewer. And there is no EDR or SIEM. I looked at event IDs to see if therenwas incoming remote connection.

indianadmin

Event viewer. And there is no EDR or SIEM. I looked at event IDs to see if therenwas incoming remote connection.

Look at 4688 (if you haven't done so yet), perform MFT analysis, review ASEP and start gathering evidence of execution artifacts and reviewing them as well (edited)

deetnutz

Look at 4688 (if you haven't done so yet), perform MFT analysis, review ASEP and start gathering evidence of execution artifacts and reviewing them as well (edited)

Thanks. Will start this first thing Monday

1

Remote desktop logs are ok... But there's less of a chance that someone would have an rdp session and start typing without logging off the user Looking at installed applications and all program execution artefacts as suggested is a good start

it being gibberish... were any speech to text applications active? (MS or otherwise). It might explain why it was only dictionary words (if I understand correctly), but the grammar/sentence had no meaning (edited)

1

Anyone good with regex?

3:00 AM

Got 1 that works, and then copying the format doesn't work for another

Rob

Anyone good with regex?

2

3:01 AM

What are you using the regex for?

3:01 AM

IP/Bitcoin wallet/custom?

Removing a false positive.

3:02 AM

Using the [^false]positive format

3:02 AM

i.e I want false to be matched, but not falsepositive etc. (edited)

Are there delimiters like a space or colon? You could try to match something like ^false\s

You could chain two grep together one looking for false and the other excluding falsepositive from the result

We took it to DMs and came up with this ([^a-zA-Z\n]+|^)<term>([^a-zA-Z\n]+|$). Needed it to avoid coming up with subsets such as rapist being a word within therapist - feedback or improvements appreciated

1

Matt

We took it to DMs and came up with this ([^a-zA-Z\n]+|^)<term>([^a-zA-Z\n]+|$). Needed it to avoid coming up with subsets such as rapist being a word within therapist - feedback or improvements appreciated

good call, butI'm so old i can remember that being a skit on the Benny Hill Show. signwriter split the sign wrong so it said

John Smith 
the
Rapist

not John Smith - Therapist. You wouldn't go near that with a bargepole these days.

1

It did the job

1

6:04 AM

Should say, it's spurred several other ideas but that can be saved for a rainy day

6:04 AM

Issue with Regex, it's addictive and you always want to then keep going

Rob

Issue with Regex, it's addictive and you always want to then keep going

nah, thats fibs that is. do regex, get result, close the box, lock the lid, throw the key

3

Digitalferret

nah, thats fibs that is. do regex, get result, close the box, lock the lid, throw the key

But there's almost more fine tuning for the same result!

6:21 AM

It needs to look visually pleasing!!!

lol, elegant regex; an oxymoron if ever there was one

1

Matt

We took it to DMs and came up with this ([^a-zA-Z\n]+|^)<term>([^a-zA-Z\n]+|$). Needed it to avoid coming up with subsets such as rapist being a word within therapist - feedback or improvements appreciated

I suppose the same thing can be achieved with \b

Steve2609

I think you can. If you connect to the TD3 via ethernet to the Web Portal, you can browse the source disk. I think you may be able to download isolated files for analysis. It is not particularly efficient, but I believe it is possible.

I will try this, thank you!

I had some fun with ChatGPT - this is actually pretty solid; I'll have to try some more complex prompts and see how detailed it can get.

1

I wonder, with the sophistication of this type of chat bot, will there be telltale signs of use? Or will universities have to start doing more oral presentation type exams?

I think that can be alleviated by citing sources, though maybe the bot can provide those too if asked.

Matt - Monolith Forensics

I think that can be alleviated by citing sources, though maybe the bot can provide those too if asked.

All the sources I've seen provided by the bot have been fabricated, so... PepeLaugh

There was a recent LTT video where they requested it cite sources and it cited things formatted correctly but made up the actual pages... it would be incumbent on the evaluator to check sources

9:45 AM

I've never graded college papers though, I would imagine checking every source against every paper would be extremely tedious

I'd like to think you'd get used to seeing the same sources time and time again, so you could spot unusual or bogus references

We are also seeing this tech in its infancy - its only going to get better over time. I have no doubt it will be optimized for things like citing correct sources - especially if its linked to real data repositories. This is also from a generic chat bot - we will probably be able to use AI like this that has been trained in specific disciplines like chemistry, computer science, digital forensics, etc..

https://twitter.com/vxunderground/status/1599882730862305280

vx-underground (@vxunderground)

Surprise! Another ChatGPT tweet! Except this time it is people making ChatGPT punch itself in the face *Images via @Kevin2600

Likes

333

3:03 PM

Any police officer from OPP (ontario

) here ? DM if you are, thanks

SPVQct3207

Any police officer from OPP (ontario

) here ? DM if you are, thanks

@Law Enforcement [Canada]

@Magnet Forensics can you have someone contact me regarding a renewal please

Neon

@Magnet Forensics can you have someone contact me regarding a renewal please

Sending you a DM for info

https://twitter.com/HeatherMahalik/status/1600110902572744704?s=20&t=AWWgU8xDDfxjDHJHiYfqJw We got a great show planned for tomorrow @ScottKjr3347 on Life has no Ctrl Alt Delete

Heather Mahalik (@HeatherMahalik)

Tomorrow at 12:30 Eastern we have @Scott_Kjr on Life Has No Ctrl+Alt+Del. Don’t miss it. https://t.co/OURuhA2Ej4 Last show in 2022

#DFIR @Cellebrite

SPVQct3207

Any police officer from OPP (ontario

) here ? DM if you are, thanks

Sup

1

6:08 AM

(I'm a DF analyst/investigator with OPP Cyber Operations Section - DM me directly)

I am not able to open checkpoint firewall logs anyone who can help me ?

7:08 AM

I tryed in notepad and exel but none worked

SamuraiPwn

I am not able to open checkpoint firewall logs anyone who can help me ?

What format are they in? Also, use Notepad for nothing. Get a better text editor. Literally anything. Notepad++, EditPad Pro, UltraEdit, Sublime Text, etc, there's so many better options

I love notepad++... I'm sad when I have to open regular notepad for something on someone else's computer

4

Andrew Rathbun

What format are they in? Also, use Notepad for nothing. Get a better text editor. Literally anything. Notepad++, EditPad Pro, UltraEdit, Sublime Text, etc, there's so many better options

I use notepad++ only --__--

Andrew Rathbun

What format are they in? Also, use Notepad for nothing. Get a better text editor. Literally anything. Notepad++, EditPad Pro, UltraEdit, Sublime Text, etc, there's so many better options

in .log

ok, so flat text file then? or is it like a binary file?

Andrew Rathbun

What format are they in? Also, use Notepad for nothing. Get a better text editor. Literally anything. Notepad++, EditPad Pro, UltraEdit, Sublime Text, etc, there's so many better options

VSCode :^)

ig its binary bcz its just rubbish on opening in notepad or hex editor

SamuraiPwn

ig its binary bcz its just rubbish on opening in notepad or hex editor

It could be a .log.gz file, in which case you'll need to uncompress

nahh

7:19 AM

its .log

Just to troll..... VI!!

1

Matt

It could be a .log.gz file, in which case you'll need to uncompress

I know this much

SamuraiPwn

its .log

.log is normally a text file, and it wouldn't be the first time a file has been mis-extensioned

1

Matt

.log is normally a text file, and it wouldn't be the first time a file has been mis-extensioned

Oh

file extensions are largely meaningless

Yea but I got them in .log only

Have you come across CyberChef before?

7:21 AM

https://gchq.github.io/CyberChef

CyberChef

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

I wonder what the unix 'file' command would say about it

1

dsplice

I wonder what the unix 'file' command would say about it

data sir

7:21 AM

I tryed that too

Then likely pure binary output. Only suggestion is google to see if anyone has written a parser for it

I can view them in the application but when I downloaded them and tryed opening in notepad++ but dint worked

dsplice

Then likely pure binary output. Only suggestion is google to see if anyone has written a parser for it

Oh

SamuraiPwn

Oh

Many applications (and especially networking devices that deal with a lot of data) often output in a binary format for speed. (thinking of snort/suricata and the binary logging)

dsplice

Many applications (and especially networking devices that deal with a lot of data) often output in a binary format for speed. (thinking of snort/suricata and the binary logging)

Gotya

7:26 AM

I think you are dammn right bcz on running strings i get readable data

1

Original message was deleted or could not be loaded.

WTF

7:31 AM

@Moderators spam going on

member since jan 27, playing the long con

Thanks I just deleted it

1

Another hacked account...

Matt

Another hacked account...

lol

well that was fun

2

Consider this your reminder to enable 2FA folks

4

Andrew Rathbun

well that was fun

can say tho

See if binwalk returns anything usefulv

deetnutz

See if binwalk returns anything usefulv

on .log file okay I will try

might need to grab it from Linux repo, if you don't have it installed (edited)

I have it

7:43 AM

7:44 AM

nothing useful ig

deetnutz

See if binwalk returns anything usefulv

7:46 AM

I think foremost is better then binwalk

are those IIS logs?

SamuraiPwn

nothing useful ig

I concur. How did you stumble on that "log" file?

Andrew Rathbun

are those IIS logs?

firewall log

Naming convention reminded me of IIS logs, only reason I asked haha

Oh

7:51 AM

Well its of checkpoint like the the firewall was of checkpoint

7:51 AM

so the company gave me the logs in native formate not in readable format

7:52 AM

and now those are overwritten (edited)

Do i smell xor obfuscation in play?

lol I think Nope

7:54 AM

bcz strings gave me readable text

7:54 AM

So not xor ig

Gotcha. I'm leaning towards native format as well.

deetnutz

Gotcha. I'm leaning towards native format as well.

Cool

Matt

Consider this your reminder to enable 2FA folks

Have ChatGPT write up a MFA policy for the channel

6

whee30

Have ChatGPT write up a MFA policy for the channel

1

7:59 AM

If only Discord supported HSK/PSKs

@SamuraiPwn mind if I take a peek if you can share one?

lol ChatGPT

That’s what Arvind Narayanan, a computer science professor at Princeton, pointed out in a tweet: “People are excited about using ChatGPT for learning. It’s often very good. But the danger is that you can’t tell when it’s wrong unless you already know the answer. I tried some basic information security questions. In most cases the answers sounded plausible but were in fact BS.”

and they just farmed your mobile no. source https://venturebeat.com/ai/the-hidden-danger-of-chatgpt-and-generative-ai-the-ai-beat/

Digitalferret

lol ChatGPT

That’s what Arvind Narayanan, a computer science professor at Princeton, pointed out in a tweet: “People are excited about using ChatGPT for learning. It’s often very good. But the danger is that you can’t tell when it’s wrong unless you already know the answer. I tried some basic information security questions. In most cases the answers sounded plausible but were in fact BS.”

and they just farmed your mobile no. source https://venturebeat.com/ai/the-hidden-danger-of-chatgpt-and-generative-ai-the-ai-beat/

Yeah I didn’t like that it needed my mobile number

9:17 AM

Burner phones ftw

2

Does anyone run a public instance of OpenCTI and allow users to apply to create them a personal account to leverage the platform? Just curious if someone has already done this for folks in a somewhat closed group like this

I am curious what everyone is using for Faraday boxes. We have had a Mission Darkness XL and its leaking. I’ve sent it back for repair and it's leaking again.

SamuraiPwn

Well its of checkpoint like the the firewall was of checkpoint

If those are from a Check Point firewall, you can't open them in a text editor. You have to run a command from the firewall to use their logexport tool to get them in a readable format. Check Point logs outside of using their native tools are a real pain

1

11:06 AM

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk39573

Does anyone know if it is possible to pre-fill the case information input boxes when creating a new image in FTK Imager? Getting tired of writing my own name everytime

tecnex

Does anyone know if it is possible to pre-fill the case information input boxes when creating a new image in FTK Imager? Getting tired of writing my own name everytime

Could you script it from the command line?

That would be possible but as I also examine the device through the gui version, I would prefer to stay in that version and not having to switch to a different program. The handling of custom content images which we use a lot at my department is also more user friendly in the gui version.

tecnex

That would be possible but as I also examine the device through the gui version, I would prefer to stay in that version and not having to switch to a different program. The handling of custom content images which we use a lot at my department is also more user friendly in the gui version.

Maybe the paid version does But also do you do the examination in the free ftki or paid ftk?

Forgedmom

I am curious what everyone is using for Faraday boxes. We have had a Mission Darkness XL and its leaking. I’ve sent it back for repair and it's leaking again.

Curious what wireless signal is it leaking ? Are you leaving the box open when not using it to extend the life of the seals ? I've heard of some boxes blocking everything but bluetooth signals.

Basic cellular signal is leaking. And yes it’s open when not in use.

what determines the hash of powershell.exe itself? Does it changed based on the windows version? (edited)

Ghost

what determines the hash of powershell.exe itself? Does it changed based on the windows version? (edited)

Probably depends on the version installed on Windows at the time of hashing

@Ghost https://strontic.github.io/xcyclopedia/

xCyclopedia | The Encyclopedia for Executables

Security. Automation. Analytics.

2

Beercow

@SamuraiPwn mind if I take a peek if you can share one?

its like 2 gb

CyberGhost

If those are from a Check Point firewall, you can't open them in a text editor. You have to run a command from the firewall to use their logexport tool to get them in a readable format. Check Point logs outside of using their native tools are a real pain

Thx

SamuraiPwn

its like 2 gb

That explains why notepad++ won’t open it. It’s too big.

Notepad++ has size limits like that?

Use Glogg if 2GB

Andrew Rathbun

Notepad++ has size limits like that?

yep, 2GB but there are workarounds https://www.auslogics.com/en/articles/open-a-file-too-big-for-notepad/

Not a forensic question, but has anyone had an issue, and resolved a Windows 11 Machine unable to RDP to a device due to the logon attempt failing? The username and password work on a windows 10 machine remoting in. Any ideas?

MrMacca (Allan Mc)

Not a forensic question, but has anyone had an issue, and resolved a Windows 11 Machine unable to RDP to a device due to the logon attempt failing? The username and password work on a windows 10 machine remoting in. Any ideas?

https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-windows-11-22h2-remote-desktop-issues/ https://answers.microsoft.com/en-us/windows/forum/all/issues-with-remote-desktop-on-windows-11-after/2f0b90c8-9549-46bb-bede-41c2d3990380

"Until Redmond provides official mitigation measures, you can address the problems by rolling back the Windows 2022 Update or disabling UDP connections on affected clients. To disable UDP connections, you have to go to HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client using the Registry Editor, create a new DWORD entry named fClientDisableUDP with a value of 1, and restart the device."

(edited)

Microsoft investigates Windows 11 22H2 Remote Desktop issues

Microsoft is investigating user reports of issues with Remote Desktop on Windows 11 systems after installing the Windows 11 2022 Update.

randomaccess

Maybe the paid version does But also do you do the examination in the free ftki or paid ftk?

I wasn't very clear on that

We (=IT department) use FTK Imager to image the devices we deem "image-worthy". We are taking part in search warrants and need to decide on-scene if a device is image-worthy. This decision is mostly done by looking at the files through FTK Imager. The images later get put into the full FTK for the investigating officer (=not IT) to analyse all the files we acquired.

11:00 AM

As we acquire multiple images per search warrant and are on-scene regularly I wondered if I could somehow get "default values" into those case information input boxes.

JLindmar (83AR)

https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-windows-11-22h2-remote-desktop-issues/ https://answers.microsoft.com/en-us/windows/forum/all/issues-with-remote-desktop-on-windows-11-after/2f0b90c8-9549-46bb-bede-41c2d3990380

"Until Redmond provides official mitigation measures, you can address the problems by rolling back the Windows 2022 Update or disabling UDP connections on affected clients. To disable UDP connections, you have to go to HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client using the Registry Editor, create a new DWORD entry named fClientDisableUDP with a value of 1, and restart the device."

(edited)

Thanks I'll give this a read

tecnex

As we acquire multiple images per search warrant and are on-scene regularly I wondered if I could somehow get "default values" into those case information input boxes.

I used to just setup a text file and copy stuff out since a lot of stuff would be similar. Might be worth looking into xways since it's faster. Might have the ability to store stuff

MrMacca (Allan Mc)

Thanks I'll give this a read

Let me know if this solved your issue, as I'll have some systems "upgraded" to Windows 11 within the next few days. (edited)

1

Beercow

That explains why notepad++ won’t open it. It’s too big.

For similar cases, I use PSPAD. It accepts better big files and it can work on files without opening them. It also has many option like "operations on lines" (delete duplicates lines, delete blank lines, etc...) It also can compare two files. In short, it's a good notepad !

Digitalferret

yep, 2GB but there are workarounds https://www.auslogics.com/en/articles/open-a-file-too-big-for-notepad/

You can also load large files if you install the "BigFiles" plugin that's available via Plugins > Plugins Admin.

1

https://youtu.be/AuL3HoEFzBQ

Magnet Forensics

Magnet Spotlight: Los Angeles Police Department, Internet Crimes Ag...

7

1

5:41 PM

Nice work @Magnet Forensics

@Magnet Forensics or anyone. Can anyone direct me to documentation or other information on correctly processing an Apple search warrant return. I've already done the download and decrypting. I've tried processing but I just want to verify.

NibblesNBits

@Magnet Forensics or anyone. Can anyone direct me to documentation or other information on correctly processing an Apple search warrant return. I've already done the download and decrypting. I've tried processing but I just want to verify.

I’ll DM you a couple of links that may help.

Hi everyone I'm looking for a GIAC Certified Forensic Analyst (GCFA) exam guide. do you have any recommendation?

Sam8763Ze

Hi everyone I'm looking for a GIAC Certified Forensic Analyst (GCFA) exam guide. do you have any recommendation?

Are you looking for an index for the books?

Beercow

Are you looking for an index for the books?

yes

Sam8763Ze

yes

You’re better off creating it yourself but here is one. https://github.com/mformal/FOR508_Index

GitHub - mformal/FOR508_Index: FOR508 Index - GCFA

FOR508 Index - GCFA. Contribute to mformal/FOR508_Index development by creating an account on GitHub.

Does any1 know how to best handle cases where we for example take a phone from a suspect where cloud extractions are needed later but the suspect gets released after say an interrogation and might go home and change passwords on his accounts. Law is still fresh here in Sweden. Im guessing speed is the name of the game here or maybe freeze the accounts somehow?

Johnie

Does any1 know how to best handle cases where we for example take a phone from a suspect where cloud extractions are needed later but the suspect gets released after say an interrogation and might go home and change passwords on his accounts. Law is still fresh here in Sweden. Im guessing speed is the name of the game here or maybe freeze the accounts somehow?

In the US we have "preservation orders" authorized by the Electronic Communications and Privacy Act. I'm sure Europe has the same thing. I found this, but I'm not a European law expert (though I do dabble in it for teaching purposes). Does this apply to your situation: https://www.eumonitor.eu/9353000/1/j9vvik7m1c3gyxp/vknmikug1xz0 (edited)

5cary

In the US we have "preservation orders" authorized by the Electronic Communications and Privacy Act. I'm sure Europe has the same thing. I found this, but I'm not a European law expert (though I do dabble in it for teaching purposes). Does this apply to your situation: https://www.eumonitor.eu/9353000/1/j9vvik7m1c3gyxp/vknmikug1xz0 (edited)

This was my thinking aswell! So a preservation order would preserve still allow us to use the cloud tokens without issue? Can they still log in but not alter any data im guessing? Also do you know how fast these orders are executed in practice? (edited)

Johnie

This was my thinking aswell! So a preservation order would preserve still allow us to use the cloud tokens without issue? Can they still log in but not alter any data im guessing? Also do you know how fast these orders are executed in practice? (edited)

My understanding of how preservation orders work is the cloud provider saves a backup of all data so anything the user may delete, edit, or change is still preserved. The provider will then release all data including the original, unaltered data to law enforcement upon proper legal process (ie: search warrant or subpoena). The user is unaware of any changes to their account, so they would be able to change passwords and delete items so that those items are not visible to them in their account, but the backup still exists. As far as how fast they are executed, the sooner LE can serve them the better, but I think it is fairly quick once the order is received.

1

8:08 AM

So I would be surprised if a user changed a password and your cloud token still worked.

Once caveat, at least here in the US is that some providers are now notifying users upon the receipt of a preservation order UNLESS a court order specifying "no notification" is included. Depends on the provider.

2

Hi everyone I have a question regarding Linux environments, what distro would you recommend for all round digital forensic work?

NibblesNBits

@Magnet Forensics or anyone. Can anyone direct me to documentation or other information on correctly processing an Apple search warrant return. I've already done the download and decrypting. I've tried processing but I just want to verify.

Hi Kenobyte, using the Apple Warrant Return Assistant might help get the format needed to process. https://www.magnetforensics.com/resources/magnet-apple-warrant-return-assistant/ The tool downloads, organizes and zips the WR for you.

MAGNET Apple Warrant Return Assistant - Magnet Forensics

MAGNET Apple Warrant Return Assistant is a one-click solution to download and prepare Apple warrant return data for processing.

GwenD

Hi Kenobyte, using the Apple Warrant Return Assistant might help get the format needed to process. https://www.magnetforensics.com/resources/magnet-apple-warrant-return-assistant/ The tool downloads, organizes and zips the WR for you.

Yes I performed the download, decryption, decompression etc using the magnet tool which is great. I'm just trying to ensure I loaded it into axiom correctly. I added all the unencrypted zips using the search warrant option in Axiom and processed. Just want to make sure this is the correct way. Thank you

1

@Cellebrite Can anyone DM with me about CAS?

2

MrSadface

Hi everyone I have a question regarding Linux environments, what distro would you recommend for all round digital forensic work?

Look at Paladin, Cali, Caine, Deft

MrSadface

Hi everyone I have a question regarding Linux environments, what distro would you recommend for all round digital forensic work?

Tsurugi

So, just saw this post regarding SOC

8:54 AM

The future is here

8:55 AM

this is based of Chatgbt from my understanding

How are all of the @Law Enforcement [USA] logging iPhone 14 phones in evidence if the phone is locked and the passcode is unknown? Since there is no SIM, there is no SIM card tray to put the IMEI on. Essentially, unless I am mistaken, there are no unique #s on the outside of the phone. Has anyone figured out a good way to list that particular phone in evidence? To be clear, I’m talking when logging the phone in evidence. This is before any analysis is started (edited)

Unoriginal_name

How are all of the @Law Enforcement [USA] logging iPhone 14 phones in evidence if the phone is locked and the passcode is unknown? Since there is no SIM, there is no SIM card tray to put the IMEI on. Essentially, unless I am mistaken, there are no unique #s on the outside of the phone. Has anyone figured out a good way to list that particular phone in evidence? To be clear, I’m talking when logging the phone in evidence. This is before any analysis is started (edited)

Good question. I haven't dealt with this yet

Some Detective just called themselves to get a telephone number. But if there is nothing in my lab we put stickers on phones we receive to identify them properly

3

An advanced unlock tool may or may not give you the identifying numbers you need to process the device.

To be clear, I’m talking when logging the phone in evidence. This is before any analysis is started

10:46 AM

haven't dealt with a 14 yet either

Unoriginal_name

How are all of the @Law Enforcement [USA] logging iPhone 14 phones in evidence if the phone is locked and the passcode is unknown? Since there is no SIM, there is no SIM card tray to put the IMEI on. Essentially, unless I am mistaken, there are no unique #s on the outside of the phone. Has anyone figured out a good way to list that particular phone in evidence? To be clear, I’m talking when logging the phone in evidence. This is before any analysis is started (edited)

We’ve just been doing the color and that’s basically it. 1 silver apple iPhone with no visible IMEI

3

Unoriginal_name

How are all of the @Law Enforcement [USA] logging iPhone 14 phones in evidence if the phone is locked and the passcode is unknown? Since there is no SIM, there is no SIM card tray to put the IMEI on. Essentially, unless I am mistaken, there are no unique #s on the outside of the phone. Has anyone figured out a good way to list that particular phone in evidence? To be clear, I’m talking when logging the phone in evidence. This is before any analysis is started (edited)

All of our evidence is assigned an evidence number when it is taken by and officer. We will probably end up getting the warrant by describing the phone and the evidence number

4

Can you scan it for a BT MAC address gives you something?

Yeah, simple description and just hope no one takes more than one phone out of its bag at the same time. (edited)

Unoriginal_name

How are all of the @Law Enforcement [USA] logging iPhone 14 phones in evidence if the phone is locked and the passcode is unknown? Since there is no SIM, there is no SIM card tray to put the IMEI on. Essentially, unless I am mistaken, there are no unique #s on the outside of the phone. Has anyone figured out a good way to list that particular phone in evidence? To be clear, I’m talking when logging the phone in evidence. This is before any analysis is started (edited)

Just put an evidence sticker on it with a barcode or number.

1

Has anyone heard of TIMETRAVELERSVPN or TimeTravelersWiFi? As an SSID. I think it’s some sort of rental travel hotspot but would like to confirm somehow.

DanMaher

We’ve just been doing the color and that’s basically it. 1 silver apple iPhone with no visible IMEI

That’s what made me ask the question, lol. I just received “1 purple iPhone”

Unoriginal_name

How are all of the @Law Enforcement [USA] logging iPhone 14 phones in evidence if the phone is locked and the passcode is unknown? Since there is no SIM, there is no SIM card tray to put the IMEI on. Essentially, unless I am mistaken, there are no unique #s on the outside of the phone. Has anyone figured out a good way to list that particular phone in evidence? To be clear, I’m talking when logging the phone in evidence. This is before any analysis is started (edited)

I just document where the device was located, etc. “iPhone 14 located on master bedroom nightstand with phone number xxx-xxx-xxxx” and log chain of custody on the system. When referring to the phone in search warrants. etc, we list it as “black iPhone 11 currently stored as item number x under case number 22-xxxx which was located on master bedroom nightstand….”

hardrain

Can you scan it for a BT MAC address gives you something?

You probably could but then you run the risk of remote wipe

Unoriginal_name

That’s what made me ask the question, lol. I just received “1 purple iPhone”

We normally include 4 photos with every report. Front, back, SIM card and imei number… my last report I just made with 2 photos. Nothing else to photograph on these specific phones

That’s a good question, hadn’t realized the 14s did away with SIM cards

kaulel83

You probably could but then you run the risk of remote wipe

Not with just BT..right?

Heck, it might be smarted to keep it vague. I have a suppression hearing I have to testify at next week because the warrant imei was 1 digit incorrect from the actual device imei. It’s called good faith, people make mistakes. Lol

3

Murk

That’s a good question, hadn’t realized the 14s did away with SIM cards

Yeah you need to have a faraday option ready

Neon

Yeah you need to have a faraday option ready

Big fact!

DanMaher

Heck, it might be smarted to keep it vague. I have a suppression hearing I have to testify at next week because the warrant imei was 1 digit incorrect from the actual device imei. It’s called good faith, people make mistakes. Lol

That's not getting suppressed friend

Unoriginal_name

How are all of the @Law Enforcement [USA] logging iPhone 14 phones in evidence if the phone is locked and the passcode is unknown? Since there is no SIM, there is no SIM card tray to put the IMEI on. Essentially, unless I am mistaken, there are no unique #s on the outside of the phone. Has anyone figured out a good way to list that particular phone in evidence? To be clear, I’m talking when logging the phone in evidence. This is before any analysis is started (edited)

There is a potential it will have multiple IEMI numbers if it is using multiple eSIM cards. They are only accessible by unlocking the phone so as others have mentioned it’s a case of putting a sticker on it or barcode or other identifying sticker

I wonder if coming up with an explainable numbering system could work, for example simply number I know phones in chronological order just like OCA numbers, or maybe make it unique with the date and time received

Neon

That's not getting suppressed friend

Dude has been throwing poop at the wall trying to make anything stick since 2020. Looking at life in prison w/o the possibility of parole because of what I recovered. He’s trying everything

DanMaher

Dude has been throwing poop at the wall trying to make anything stick since 2020. Looking at life in prison w/o the possibility of parole because of what I recovered. He’s trying everything

Sounds like a good guy who is misunderstood

Neon

Sounds like a good guy who is misunderstood

Very misunderstood. Google photos cache will get you every time

‍♂️

5

J Harder

Some Detective just called themselves to get a telephone number. But if there is nothing in my lab we put stickers on phones we receive to identify them properly

This sounds like a great way to alter evidence and get it thrown out in court. A good defense attorney would have a field day on the detective.

1

Unoriginal_name

How are all of the @Law Enforcement [USA] logging iPhone 14 phones in evidence if the phone is locked and the passcode is unknown? Since there is no SIM, there is no SIM card tray to put the IMEI on. Essentially, unless I am mistaken, there are no unique #s on the outside of the phone. Has anyone figured out a good way to list that particular phone in evidence? To be clear, I’m talking when logging the phone in evidence. This is before any analysis is started (edited)

How would your lab describe a bloody knife?

12

pdog

How would your lab describe a bloody knife?

Unfortunately, our laws dictate that we have to describe the electronic device to a particular device. In the past, we have had issues describing a phone as a “black Samsung” or “red iPhone”. Our laws (in my jurisdiction) state that the electronic item must be described in a particular way in the search warrant. Good thought, though

Unoriginal_name

Unfortunately, our laws dictate that we have to describe the electronic device to a particular device. In the past, we have had issues describing a phone as a “black Samsung” or “red iPhone”. Our laws (in my jurisdiction) state that the electronic item must be described in a particular way in the search warrant. Good thought, though

Maybe you need to start putting verbiage in the warrant saying that the manufacturer does not allow for specific identification of an electronic device without a search of the digital contents of the device. Hopefully the courts will catch up with technology?

2

Unoriginal_name

Unfortunately, our laws dictate that we have to describe the electronic device to a particular device. In the past, we have had issues describing a phone as a “black Samsung” or “red iPhone”. Our laws (in my jurisdiction) state that the electronic item must be described in a particular way in the search warrant. Good thought, though

regarding your comment on search warrants, have you considered describing the phone in item(s) to be searched as best you can and then adding photographs of the device in your search warrant? I have done that in the past when there was no identifiable information (edited)

pdog

This sounds like a great way to alter evidence and get it thrown out in court. A good defense attorney would have a field day on the detective.

A forensic examiner can articulate that action and that is was a Detectives action. It would just require articulation but not a reason to throw out a device. No Documentation would result in it. Also, removing a SIM card or placing a device in DFU are changes to a device that when articulated correctly will stand in a trial proceedings. Just like a live computer that requires a obscene collection.

Unoriginal_name

Unfortunately, our laws dictate that we have to describe the electronic device to a particular device. In the past, we have had issues describing a phone as a “black Samsung” or “red iPhone”. Our laws (in my jurisdiction) state that the electronic item must be described in a particular way in the search warrant. Good thought, though

Purple Apple iPhone 14 in a _ in color Otterbox case identified as agency name case number evidence item #1, then attach screen shots with it

Does anyone have a good contact for GrayShift they can DM me. Filled out the online for sometime ago and no contact.

Serial numbers should be printed on the back and pcb, can’t those also be recorded since it’s unique ?

1:49 PM

Even if you can’t unlock a device, even in download mode an apple device can grab a serial number from the command line

Unoriginal_name

Unfortunately, our laws dictate that we have to describe the electronic device to a particular device. In the past, we have had issues describing a phone as a “black Samsung” or “red iPhone”. Our laws (in my jurisdiction) state that the electronic item must be described in a particular way in the search warrant. Good thought, though

Sharpie something on it. “…iPhone 14 identifiable by [case number]/[detective initials and date]”

unc05_4n6

regarding your comment on search warrants, have you considered describing the phone in item(s) to be searched as best you can and then adding photographs of the device in your search warrant? I have done that in the past when there was no identifiable information (edited)

That’s what we do, even with IMEI, I put pictures on all my warrants

1

ryd3v

Serial numbers should be printed on the back and pcb, can’t those also be recorded since it’s unique ?

To access the PCB could technically constitute an intrusive search of the physical internals of the device depending upon the prosecutor or judge’s interpretation of the 4th amendment…

Revo

To access the PCB could technically constitute an intrusive search of the physical internals of the device depending upon the prosecutor or judge’s interpretation of the 4th amendment…

Oh, yes that would be true, I suppose plugging it into a PC is ok though right?

1

ryd3v

Oh, yes that would be true, I suppose plugging it into a PC is ok though right?

Not really. I know a state requires a SW before you can remove the SIM card from the phone. (edited)

Oh wow, sorry I'm Canadian xD

ryd3v

Oh wow, sorry I'm Canadian xD

Don't you have more detailed process? Like everything is discoverable? (edited)

ryd3v

Oh, yes that would be true, I suppose plugging it into a PC is ok though right?

It’s a hot mess here, depending on the day of the week, the weather, the prosecution’s mood, and the judge’s dog’s eating habits it could change…

1

chauan

Don't you have more detailed process? Like everything is discoverable? (edited)

Yes, I’d imagine it’s not as bad as the states

I heard you (Canada) are the champs on making everything discoverable. We are not there...yet.

yall know if there is a way I can recover this mp3 file and be able to actually listen to contents?

Unoriginal_name

How are all of the @Law Enforcement [USA] logging iPhone 14 phones in evidence if the phone is locked and the passcode is unknown? Since there is no SIM, there is no SIM card tray to put the IMEI on. Essentially, unless I am mistaken, there are no unique #s on the outside of the phone. Has anyone figured out a good way to list that particular phone in evidence? To be clear, I’m talking when logging the phone in evidence. This is before any analysis is started (edited)

The 4th amendment requires that you particularly describe the place and thing to be searched. There are lots of ways to get that done without an IMEI. If I don’t have that, I describe what I do have and then describe the device’s exact location (example: in my locking faraday box in my lab located at 123 Main St). I also include a statement why I don’t have an IMEI.

3

NotIronManBTW

yall know if there is a way I can recover this mp3 file and be able to actually listen to contents?

Did you try DMDE?

NotIronManBTW

yall know if there is a way I can recover this mp3 file and be able to actually listen to contents?

that looks like a tesdisk/photorec carve? go to the Hex tab. . your main problem is fragmention and it may have found a header for mp3 and then the file is gibberish after that. likely it wont be playable unless as rydev said you find a file table with something like DMDE or a free R-Studio app https://www.r-undelete.com/ .

Sorry just got back and saw this ya that’s sorta what I was thinking. I’m new to this as it’s for a class though so I’ll look into it. Thank you very much

Hey so Im working on my final final project for a class. I have my image in Autopsy and I found a zipped file that I need to find the password for. It is hidden somewhere in thousands of photos, mp3,or even plain text. What would be my best way to go about this

NotIronManBTW

Hey so Im working on my final final project for a class. I have my image in Autopsy and I found a zipped file that I need to find the password for. It is hidden somewhere in thousands of photos, mp3,or even plain text. What would be my best way to go about this

how big is the image?

2:10 PM

oh, cross posted, nm

Hey im extremely new to digital forensics and in my first year of studies and i just wonder how hard is it to decrypt windows encrypted files?

El Schizo

Hey im extremely new to digital forensics and in my first year of studies and i just wonder how hard is it to decrypt windows encrypted files?

dead easy

2:41 PM

if you have the PW of course

1

As long as you have the key

^

Otherwise that can make it a smidge trickier

Digitalferret

if you have the PW of course

what is PW?

password / key / pass / etc

2:47 PM

L:P

2:47 PM

login:password

2:48 PM

it's why LEA/Govt trail Crooks in terms of security. u mess with a cartel and they want a "key" they dangle you over a pit of vipers. LE read you your rights

1

2:55 PM

If you’ve got the key, you can decrypt windows files relatively easily. What’s this for @El Schizo?

I experienced an issue earlier where i had to reset my pc and forgot that my certificate/key wasn't backed up externally

2:57 PM

@Matt

2:57 PM

so i got to researching but came to nothing

2:57 PM

so it sparked an interest genereally speaking

Ah okay, yeah if you don’t have it then you won’t be able to recover it

yeah drew that conclusion sort off

There are some attacks but they rely on small keyspaces or generally know factors about the key

2:58 PM

Hope it wasn’t for anything too important

it was sentinementally important sadly (edited)

1

2:58 PM

but nevertheless learned a lesson

If it's a regular HDD and not an SSD, you might get lucky if you run a file recovery tool, if the old cert is not overwritten. It would be in %userprofile%\Application Data\Microsoft\SystemCertificates. The odds of that working are pretty low, but might be worth a try.

Sea9

If it's a regular HDD and not an SSD, you might get lucky if you run a file recovery tool, if the old cert is not overwritten. It would be in %userprofile%\Application Data\Microsoft\SystemCertificates. The odds of that working are pretty low, but might be worth a try.

sadly ssd was os drive

1

anyone have a good general template for chain of custody and a forensic report?

Do any of you folks use sed and awk regularly to manipulate/edit log files? I'm just wondering if these are tools that are part of people's toolkits

yeah, I regularly use tools like grep, cut, wc, sort, uniq, sed, awk, etc (and additionally python, powershell) to massage data between tools or for quick insights

1

8:15 AM

parallel is really nice also

Does anyone know the cost for a 1 Year Axiom Dongle license for a Local PD? Getting the run around by Magnet representatives at the moment.

Potentially dumb question. I need to recreate some scenarios for testing some artifacts found in an exam. Is there a repository with older still signed apple ios? Specifically looking for 15.4.1 for an iPhone 7 or 8 (not sure if they are model specific)

Palazar82

Potentially dumb question. I need to recreate some scenarios for testing some artifacts found in an exam. Is there a repository with older still signed apple ios? Specifically looking for 15.4.1 for an iPhone 7 or 8 (not sure if they are model specific)

#mobile-forensic-decoding might be your best bet?

1

Tpalermo18

Does anyone know the cost for a 1 Year Axiom Dongle license for a Local PD? Getting the run around by Magnet representatives at the moment.

If you want to DM me some contact info, I'll get you in touch with someone who can provide the details you're looking for.

What do you guys do with digital devices marked for destruction? Particularly cellphones. Previously I've been keeping them for tear downs and testing if needed, usually one of every model I can get my hands on. Since the days of ISP etc are kind of a foregone conculsion there's not much of a need for me to keep most android devices and so now I just keep Apple devices to use for spare parts incase I have to do a repair to get an extraction. All that being said, stuff is piling up and I need to clean house. Is hammering a screwdriver through the PCB and tossing in the bin sufficient in terms of not letting people personal info just go out in the wild or are there other ways of handling this?

1

10:06 AM

I used to just send them down to be incinerated but they don't take them anymore for ...reasons

(edited)

rayeh

yeah, I regularly use tools like grep, cut, wc, sort, uniq, sed, awk, etc (and additionally python, powershell) to massage data between tools or for quick insights

Thanks!

Beefhelmet

What do you guys do with digital devices marked for destruction? Particularly cellphones. Previously I've been keeping them for tear downs and testing if needed, usually one of every model I can get my hands on. Since the days of ISP etc are kind of a foregone conculsion there's not much of a need for me to keep most android devices and so now I just keep Apple devices to use for spare parts incase I have to do a repair to get an extraction. All that being said, stuff is piling up and I need to clean house. Is hammering a screwdriver through the PCB and tossing in the bin sufficient in terms of not letting people personal info just go out in the wild or are there other ways of handling this?

I used to keep them for JTAG/Chip-Off reference devices but the ones I couldn't use for those purposes, we wiped and gave to a local women's shelter (edited)

Palazar82

Potentially dumb question. I need to recreate some scenarios for testing some artifacts found in an exam. Is there a repository with older still signed apple ios? Specifically looking for 15.4.1 for an iPhone 7 or 8 (not sure if they are model specific)

Out of curiosity, which artifacts are you researching? Or which scenarios?

luis511_

Out of curiosity, which artifacts are you researching? Or which scenarios?

Restoring from a backup do certain cache files get transferred with it.

Hello, does anyone have any experience in, or can point me to, resources that would assist me in working with Safeback? Many thanks in advance.

Beefhelmet

What do you guys do with digital devices marked for destruction? Particularly cellphones. Previously I've been keeping them for tear downs and testing if needed, usually one of every model I can get my hands on. Since the days of ISP etc are kind of a foregone conculsion there's not much of a need for me to keep most android devices and so now I just keep Apple devices to use for spare parts incase I have to do a repair to get an extraction. All that being said, stuff is piling up and I need to clean house. Is hammering a screwdriver through the PCB and tossing in the bin sufficient in terms of not letting people personal info just go out in the wild or are there other ways of handling this?

Keep for spare parts (screens, batteries...) then drill the NANDs

1

Beefhelmet

What do you guys do with digital devices marked for destruction? Particularly cellphones. Previously I've been keeping them for tear downs and testing if needed, usually one of every model I can get my hands on. Since the days of ISP etc are kind of a foregone conculsion there's not much of a need for me to keep most android devices and so now I just keep Apple devices to use for spare parts incase I have to do a repair to get an extraction. All that being said, stuff is piling up and I need to clean house. Is hammering a screwdriver through the PCB and tossing in the bin sufficient in terms of not letting people personal info just go out in the wild or are there other ways of handling this?

I used them as practice phones.

1

Hey guys! New to digital forensics and im in my first year. If you guys could of changed about your mindset or general choices before you started studying or working what would it be? I'd prefer responses to be sent in dms so i can keep the answers organised

1

@Cellebrite Is it possible to get PA v8.1 anywhere on the MyCellebrite portal?

1

Heads up for anyone involved, in any way, with digital forensics: https://www.washingtonpost.com/world/2022/12/13/stan-swamy-hacked-bhima-koregaon/

1

Any other LE in the US have contact info to Hotwire's legal division? I need to send them a subpoena. Several requests for contact through their customer service line have gone unreturned.

Leonidas

Any other LE in the US have contact info to Hotwire's legal division? I need to send them a subpoena. Several requests for contact through their customer service line have gone unreturned.

I imagine you checked @Search.org? Have you tried calling them?

2

Andrew Rathbun

I imagine you checked @Search.org? Have you tried calling them?

Thank you so much. I'm not familiar Search.org. For future reference, how did you locate that on search.org? I searched for "hotwire" in the search bar at the top and received no results.

Leonidas

Thank you so much. I'm not familiar Search.org. For future reference, how did you locate that on search.org? I searched for "hotwire" in the search bar at the top and received no results.

https://www.search.org/resources/isp-list/ Also check out https://www.search.org/resources/search-investigative-and-forensic-toolbar/ The toolbar installs as an extension in your browser and is an awesome reference tool.

SEARCH

ISP List and LE Guides - SEARCH

The ISP List is a database of Internet service and other online content providers that will help you get the information you need for your case. For each Internet Service Provider listed, you’ll find the legal contact information and instructions needed to serve subpoenas, court orders, and search warrants. The ISP List is a law … ISP List and L...

SEARCH

SEARCH Investigative and Forensic Toolbar - SEARCH

The SEARCH Investigative and Forensic Toolbar gives investigators and forensic examiners quick links for finding people, and finding out what they’re up to on Facebook, Twitter, and Instagram. It also includes resources for cell phone forensics, the backbone of any modern-day investigation. The Toolbar offers IP address lookup tools, wireless ho...

Thank yall so much! This is a great resource. I'm going to send it out to all the other detectives in my unit as well.

2

1

Leonidas

Thank you so much. I'm not familiar Search.org. For future reference, how did you locate that on search.org? I searched for "hotwire" in the search bar at the top and received no results.

Search.org under Resources, there's the ISP List. That's where you get this from

9:52 AM

@Leonidas I wrote a little bit about it here, too - https://aboutdfir.com/resources/preservation-letter-search-warrant-templates/

Preservation Letter/Search Warrant Templates - AboutDFIR - The Defi...

This section is a work in progress. This part of the site will contain template boilerplate language to include on various forms of legal process. It is highly advised to check with your local prosecutor and mind your local laws when serving legal process. These templates are purely meant to give you a running start […]

9:53 AM

Does anyone have any sort of list of physical SIM cards and their associated carriers? Specifically MVNOs as the Big 3 clearly mark theirs. It's easy enough to see the carrier code in the ICCID, but for MVNOs if the name isn't on the SIM card, sometimes it's very tough or near impossible to figure it out. It's not a big deal but it drives me crazy sometimes.

JayB1rd

Does anyone have any sort of list of physical SIM cards and their associated carriers? Specifically MVNOs as the Big 3 clearly mark theirs. It's easy enough to see the carrier code in the ICCID, but for MVNOs if the name isn't on the SIM card, sometimes it's very tough or near impossible to figure it out. It's not a big deal but it drives me crazy sometimes.

You gents are great. Thanks again!

deepdive4n6

@Bclark Yup. Hope you like writing warrants. ; ) Message sent in PM. (edited)

My shop is in deep discussion if this can be investigated. Have you had success?

JayB1rd

Does anyone have any sort of list of physical SIM cards and their associated carriers? Specifically MVNOs as the Big 3 clearly mark theirs. It's easy enough to see the carrier code in the ICCID, but for MVNOs if the name isn't on the SIM card, sometimes it's very tough or near impossible to figure it out. It's not a big deal but it drives me crazy sometimes.

I don't have that type of resource, the one's I typically encounter I just recognize now, but when trying to figure this exact thing out I first identify the parent carrier, then look at the list of MVNOs under that carrier, (https://en.wikipedia.org/wiki/List_of_United_States_mobile_virtual_network_operators), and then narrow it down from there.

JLindmar (83AR)

I don't have that type of resource, the one's I typically encounter I just recognize now, but when trying to figure this exact thing out I first identify the parent carrier, then look at the list of MVNOs under that carrier, (https://en.wikipedia.org/wiki/List_of_United_States_mobile_virtual_network_operators), and then narrow it down from there.

Yeah, that's where I start if I can't find anything with a Google image search. But without any other identifiers on the card, it's impossible to say which one it is. No biggie. Thanks for the input, though!

StarWail

My shop is in deep discussion if this can be investigated. Have you had success?

My understanding of the workflow is to start with a subpoena/CDR to the victim's phone number. Use that to identify the actual suspect phone number (not the displayed number) and work forward from there.

FullTang

My understanding of the workflow is to start with a subpoena/CDR to the victim's phone number. Use that to identify the actual suspect phone number (not the displayed number) and work forward from there.

Thank you, unfortunately Verizon provided us the spoofed number and an internal 172. IP address. We’re back to square 1.

JayB1rd

Yeah, that's where I start if I can't find anything with a Google image search. But without any other identifiers on the card, it's impossible to say which one it is. No biggie. Thanks for the input, though!

This website (https://bestmvno.com/mvnos/) has carrier logos and colors that can be helpful.

1

Hey guys! New to digital forensics and im in my first year. If you guys could of changed about your mindset or general choices before you started studying or working what would it be? I'd prefer responses to be sent in dms so i can keep the answers organised

can we make image file of a locked phone?

Ismail

can we make image file of a locked phone?

it depends

florus

it depends

in phone brand?

@Magnet Forensics Can someone from your team pm me? I have a question about running axiom under win11 and about dongle activation

Ismail

in phone brand?

It depends, yes.

florus

It depends, yes.

for samsung?

Ismail

for samsung?

Same answer.

leifsoren

@Magnet Forensics Can someone from your team pm me? I have a question about running axiom under win11 and about dongle activation

Doing it now.

Ismail

for samsung?

You're going to need to be waaaay more precise. Model, SPL, OS etc.

@Cellebrite who could I contact regarding the SMS analysis more precisely Read status and read status time, thanks

thaconnecter

@Cellebrite who could I contact regarding the SMS analysis more precisely Read status and read status time, thanks

Do you mind sending details to our mailing list. A few of us are on there. Stump-us@cellebrite.com

Thanks Paul

Have you all seen this big oops? https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/

FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked

InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up…

Does anyone have any thoughts or able point me in the right direction regarding legal policy with respect to how website scraping businesses stay in business (ie https://www.dexi.io/ https://www.zyte.com/) given many website terms prohibit scraping? (edited)

DFE Travis

Have you all seen this big oops? https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/

It's not the first time if I remember correctly; LulzSec got them a few years ago too I believe

@Magnet Forensics Hi I'm trying to export a portable case with Telegram info, but it keeps failing. Log indicates that it is having issues exporting sqlite aspects as the cause of failure. Is there a quick fix? Thanks

turns out running in admin mode fixes it

Is anyone here a ninja on Cisco Secure Endpoint (amp)?

Arsenal

Heads up for anyone involved, in any way, with digital forensics: https://www.washingtonpost.com/world/2022/12/13/stan-swamy-hacked-bhima-koregaon/

Wired (Andy Greenberg) coverage with additional details: https://www.wired.com/story/modified-elephant-stan-swamy-hacked-evidence-frame-bhima-koregaon-16/

Hackers Planted Files to Frame Indian Priest Who Died in Custody

And new evidence suggests those hackers may have collaborated with the police who investigated him.

Caleb

Does anyone have any thoughts or able point me in the right direction regarding legal policy with respect to how website scraping businesses stay in business (ie https://www.dexi.io/ https://www.zyte.com/) given many website terms prohibit scraping? (edited)

I'll help myself: this was a decent read: https://www.scraperapi.com/blog/is-web-scraping-legal/

Zoltan Bettenbuk

Is Web Scraping Legal? The Complete Guide - Scraper API

Is web scraping legal? It depends on the data you’re scraping and how it’s used. Our updated 2021 guide helps ensure that your scraping is legal and ethical.

Hey everyone. I've got what's going to be considered a noob question, but I don't know the answer. On a FFS extraction of an iPhone, the same picture (with matching hashes) is located in several places all over the phone such as DCIM, file cache, attachments, etc. Axiom recognizes them as different files, are they actually duplicates of the same file, or are they just symbolic links to thr original photo? I need to be able to explain why the image is in all of these different directories. Hope this makes sense.

Neon

Hey everyone. I've got what's going to be considered a noob question, but I don't know the answer. On a FFS extraction of an iPhone, the same picture (with matching hashes) is located in several places all over the phone such as DCIM, file cache, attachments, etc. Axiom recognizes them as different files, are they actually duplicates of the same file, or are they just symbolic links to thr original photo? I need to be able to explain why the image is in all of these different directories. Hope this makes sense.

Here is an article that might help. It’s a long one, but most of them are going to be internal resource assets and are related to the full-sized asset. If the full-sized asset is in the local photo library, photos.SQLite can provide you with some insights. Attachments and plug-in kit cache files are are a little different. Tip-focus on and analyze one asset at a time. narrow your scope and it should allow you to answer some of the questions. If you look/analyze multiple assets at one time it could be more difficult to answer the question. https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/

ScottKjr3347

Here is an article that might help. It’s a long one, but most of them are going to be internal resource assets and are related to the full-sized asset. If the full-sized asset is in the local photo library, photos.SQLite can provide you with some insights. Attachments and plug-in kit cache files are are a little different. Tip-focus on and analyze one asset at a time. narrow your scope and it should allow you to answer some of the questions. If you look/analyze multiple assets at one time it could be more difficult to answer the question. https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/

I forgot about this article, thanks. My concern was the hash matching so it's an exact duplicate. But i think you are saying is they are references to the sql entry, is that about right?

Does anyone have experience with the Identifier for Vendors (IDFV) on mobile devices and whether this can be used to identify and track a device? Thanks.

Neon

I forgot about this article, thanks. My concern was the hash matching so it's an exact duplicate. But i think you are saying is they are references to the sql entry, is that about right?

Depends…you could have an attachment and a full-sized asset saved to local photo library DCIM that are a hash match. You could have an attachment and a shared with you linked asset that are a hash match. of course they are going to have different file names and file paths. In my opinion, they are hash match duplicates but that’s it. Even though these can be hash matches, in my opinion these are different files/assets. I don’t remove either of these as duplicates because they can show different user actions. Hash match = same content Hash match in different file paths = same file content but could indicate user actions The thumbnails assets, metadata assets, optimized assets and others will be related to a primary/original full-sized asset but will not have a matching hash. So it depends, again I focus on one asset at a time and try not to make generalizations when I’m analyzing media assets.

ScottKjr3347

Depends…you could have an attachment and a full-sized asset saved to local photo library DCIM that are a hash match. You could have an attachment and a shared with you linked asset that are a hash match. of course they are going to have different file names and file paths. In my opinion, they are hash match duplicates but that’s it. Even though these can be hash matches, in my opinion these are different files/assets. I don’t remove either of these as duplicates because they can show different user actions. Hash match = same content Hash match in different file paths = same file content but could indicate user actions The thumbnails assets, metadata assets, optimized assets and others will be related to a primary/original full-sized asset but will not have a matching hash. So it depends, again I focus on one asset at a time and try not to make generalizations when I’m analyzing media assets.

Thanks for your help. I understand what you are saying. It's in different places because of user interaction. That makes sense. I'll focus on one in particular and go from there.

Neon

Thanks for your help. I understand what you are saying. It's in different places because of user interaction. That makes sense. I'll focus on one in particular and go from there.

Both system actions and user interactions.

ScottKjr3347

Both system actions and user interactions.

Gotcha. Thanks again

1

Hello. Anyone from @Oxygen Forensics around from a quick question?

Flavius

Hello. Anyone from @Oxygen Forensics around from a quick question?

Hello, sorry for the late reply. Please DM me how we can help you

Anyone know if GK update was pushed out yet?

12:56 PM

Don’t want to head back to lab if I don’t have to

Ghosted

Anyone know if GK update was pushed out yet?

i believe it has been pushed yeah

1

eamundson

Does anyone have experience with the Identifier for Vendors (IDFV) on mobile devices and whether this can be used to identify and track a device? Thanks.

You can read this : https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor And https://www.adjust.com/glossary/idfv/ The second link says : " The value in this property remains the same while the app (or another app from the same vendor) is installed on the iOS device. The value changes if the user deletes all apps from that vendor from the device and then reinstalls one or more of them." Maybe, Apple can say you what account match with this id. As you're American you must surely have access, from Apple, to more data than I who am in France.

What is the identifier for vendor (IDFV)? | Adjust

Do you know what IDFV is? Learn what does IDFV stand for and everything else you need to know about identifier for Vendor with Adjust.

Original message was deleted or could not be loaded.

Assuming it is a string value, are you replacing one value or a list of values? (edited)

4:32 PM

I’d lean toward python. DM if you want to discuss a rough sketch of a script.

Original message was deleted or could not be loaded.

I don't understand why you want to replace SQLITE database but if it helps you, I wrote a python script that transforms blob in text inside SQLite database: https://github.com/chpe1/blob_sqlite (edited)

GitHub - chpe1/blob_sqlite

Contribute to chpe1/blob_sqlite development by creating an account on GitHub.

Ok. I understand better. Yes, with python you can do it. You parse each element to sqlite dB and you replace the data that matches with your regex. I let you to do it but if you need, I can help you, don't hesitate.

However, when you're meeting a Blob type field, you will have to know what it is made of. If it's a plist, no worries, but if it's a mix of several formats it's going to be complicated. I'm thinking in particular of Snapchat, which stores the user's name and profile image in its field.

Anyone very good at Excel formulas?

Anyone willing to ADMIT that? LOL

4

1

Rob

Anyone very good at Excel formulas?

What are you trying to do?

Calculate whether the sum of 5 rows is greater or equal to 32.6 and if less report "Negative Hours" and if greater report "Over Credit Limit"

Rob

Calculate whether the sum of 5 rows is greater or equal to 32.6 and if less report "Negative Hours" and if greater report "Over Credit Limit"

uuh, i can't remember specifics, i'll have to check my work, but watch for using time format to calculate totals above 24hrs it's not the standard time format.

1

Sorry if this has been asked a bunch, but can someone tell me what this blueish-white bar is in AXIOM? I don't recall seeing these until recently. @Magnet Forensics

Rob

Calculate whether the sum of 5 rows is greater or equal to 32.6 and if less report "Negative Hours" and if greater report "Over Credit Limit"

yeh, here's the time function part of it https://www.wallstreetmojo.com/time-excel-function/

1

Digitalferret

yeh, here's the time function part of it https://www.wallstreetmojo.com/time-excel-function/

Thanks, currently stumbling my way around this: =IF(SUMIFS(TIME(0,0,V474:V478),TIME(0,0,V474:V478),"=32.6")<32.6,"Negative Hours","Over Credit Limit")

1

my issue was the usual excel check v manual mark one eyeball check as the numbers didn't seem right. i was totalling the seen hours for a local aircraft over the period of a year. much like bachelors engineering noites, you look at your work and it's "did i write this? who wrote this?" shock

7:38 AM

as if that wasn't enough i had to calculate BST against UTC too, so mere mortals understood

1

7:43 AM

found it! the "thing" was putting the h's in a sq bracket https://www.mrexcel.com/board/threads/difference-between-h-mm-and-h-mm-format.555898/

[h]:mm:ss shows the total number of hours, even if the number of hours is 24 or more.
hh:mm:ss effectively only shows the excess hours over and above complete multiples of 24.

7:45 AM

dude explains it far better than i can. only a few responses to read

@Cellebrite if an Examiner’s CCO and CCPA certifications expired this past September, can they just take them exam or do they have to repeat the courses?

Rob

Thanks, currently stumbling my way around this: =IF(SUMIFS(TIME(0,0,V474:V478),TIME(0,0,V474:V478),"=32.6")<32.6,"Negative Hours","Over Credit Limit")

Chatgpt could assist as well, you may know the specific formula you need for your desired output

chatgpt has helped me with python scripts for generating numeric dictionary files, and having the output text files not exceed 200MB in size

1

thatboy_leo

Chatgpt could assist as well, you may know the specific formula you need for your desired output

Will give it a go!

1

Hey! I have a pretty generic question. We are in the process of building some analysis towers and we're set on parts to buy, but we're still debating on the utility of the GPU in those towers. I know Passware and Hashcat uses GPUs to increassing decryption performance, and I also know @Magnet Forensics and @Cellebrite uses GPUs to increase processing time of picture and chat categorization. The question I have is how much upgrading that GPU should help? Do some of you guys have some kind of benchmarks? Like how could I justify the price going from a 3070 to a 3090 Ti? And do you know other uses for the GPUs other than what I mentionned? All the articles I find on the web are dating a lot! Thanks!

11:54 AM

I also looked into the KBs of Magnet and Cellebrite but the examples provided are pretty vague!

S Cote / SQ

Hey! I have a pretty generic question. We are in the process of building some analysis towers and we're set on parts to buy, but we're still debating on the utility of the GPU in those towers. I know Passware and Hashcat uses GPUs to increassing decryption performance, and I also know @Magnet Forensics and @Cellebrite uses GPUs to increase processing time of picture and chat categorization. The question I have is how much upgrading that GPU should help? Do some of you guys have some kind of benchmarks? Like how could I justify the price going from a 3070 to a 3090 Ti? And do you know other uses for the GPUs other than what I mentionned? All the articles I find on the web are dating a lot! Thanks!

Here are some GPU benchmarks unrelated to forensic software performance: https://www.videocardbenchmark.net/ (edited)

PassMark Software - Video Card (GPU) Benchmark Charts

Video Card Benchmarks - Over 1 Million Video Cards and 1200 Models Benchmarked and compared graphically - Updated with new system benchmarks daily!

S Cote / SQ

Hey! I have a pretty generic question. We are in the process of building some analysis towers and we're set on parts to buy, but we're still debating on the utility of the GPU in those towers. I know Passware and Hashcat uses GPUs to increassing decryption performance, and I also know @Magnet Forensics and @Cellebrite uses GPUs to increase processing time of picture and chat categorization. The question I have is how much upgrading that GPU should help? Do some of you guys have some kind of benchmarks? Like how could I justify the price going from a 3070 to a 3090 Ti? And do you know other uses for the GPUs other than what I mentionned? All the articles I find on the web are dating a lot! Thanks!

Even a modest NVIDIA-based GPU contributes huge performance gains for the Magnet.AI features that utilize them - like image categorization. The link @JLindmar (83AR) posted is a great resource, find a card that strikes the right price / performance balance and you're all set. I've got some comparison numbers, if you're interested.

chriscone_ar

Even a modest NVIDIA-based GPU contributes huge performance gains for the Magnet.AI features that utilize them - like image categorization. The link @JLindmar (83AR) posted is a great resource, find a card that strikes the right price / performance balance and you're all set. I've got some comparison numbers, if you're interested.

very interested! The main question I have is would those softwares benefit from higher end GPUs like a 3090 Ti instead of buying a 3070 for example. Thanks again

S Cote / SQ

very interested! The main question I have is would those softwares benefit from higher end GPUs like a 3090 Ti instead of buying a 3070 for example. Thanks again

Will they benefit? Sure. But diminishing returns and all. I think if you're looking for a solid discrete GPU to install in a general purpose workstation that you'll run a variety of software on, get something that offers high bang-for-your-buck. If it's a dedicated password cracking multi-GPU rig that you can smoke meat on in the lab while it's running, that's another story

chriscone_ar

Will they benefit? Sure. But diminishing returns and all. I think if you're looking for a solid discrete GPU to install in a general purpose workstation that you'll run a variety of software on, get something that offers high bang-for-your-buck. If it's a dedicated password cracking multi-GPU rig that you can smoke meat on in the lab while it's running, that's another story

Yeah we have dedicated CUBIX multi-GPU rigs for that

The GPU in the analysis towers would be mainly for very small Passware/Hashcat tasks and AI classification.

S Cote / SQ

very interested! The main question I have is would those softwares benefit from higher end GPUs like a 3090 Ti instead of buying a 3070 for example. Thanks again

Unscientific test - 135k images to categorize, no GPU 72+ minutes, NVIDA Quadro P1000 16 minutes. That was with an uncalibrated flux capacitor, but same settings, same data set, same system, just an A/B test with and without the GPU.

1

chriscone_ar

Unscientific test - 135k images to categorize, no GPU 72+ minutes, NVIDA Quadro P1000 16 minutes. That was with an uncalibrated flux capacitor, but same settings, same data set, same system, just an A/B test with and without the GPU.

Very interesting. I suppose for media classification (obv we don'T do gaming on those towers), we would have a better bang for the buck with a Quadro instead of a GeForce

S Cote / SQ

Yeah we have dedicated CUBIX multi-GPU rigs for that

The GPU in the analysis towers would be mainly for very small Passware/Hashcat tasks and AI classification.

For what you're describing I'd say go for a high value GPU - something in the $300-ish range instead of top of the line and put the money saved towards more local flash-based storage that you can benefit from on every case.

chriscone_ar

For what you're describing I'd say go for a high value GPU - something in the $300-ish range instead of top of the line and put the money saved towards more local flash-based storage that you can benefit from on every case.

We've built a RAID 0 of 2x 4Tb NVMe Gen 4, running at 13 Gb/s read/write for cases, and we got massive speed increases for sure!

1

Random question, has anyone ever done an extraction on a leapfrog epic tablet

I've got one that was submitted that has information relevant to the case stored on it. I've looked online and found it's running android 4.4 so I wanted to run out through cellebrite, but dev options seems to be locked down

S Cote / SQ

Hey! I have a pretty generic question. We are in the process of building some analysis towers and we're set on parts to buy, but we're still debating on the utility of the GPU in those towers. I know Passware and Hashcat uses GPUs to increassing decryption performance, and I also know @Magnet Forensics and @Cellebrite uses GPUs to increase processing time of picture and chat categorization. The question I have is how much upgrading that GPU should help? Do some of you guys have some kind of benchmarks? Like how could I justify the price going from a 3070 to a 3090 Ti? And do you know other uses for the GPUs other than what I mentionned? All the articles I find on the web are dating a lot! Thanks!

Looks like you got some great answers from others already but if you are looking for a deeper dive into exactly what hardware is best for your use case, let me know and I can help you work through it (edited)

chick3nman

Looks like you got some great answers from others already but if you are looking for a deeper dive into exactly what hardware is best for your use case, let me know and I can help you work through it (edited)

I would love to! Feel free to contact me in private for not cluttering this thread, thanks!

1

WRX_A_Lot

Random question, has anyone ever done an extraction on a leapfrog epic tablet

I've got one that was submitted that has information relevant to the case stored on it. I've looked online and found it's running android 4.4 so I wanted to run out through cellebrite, but dev options seems to be locked down

We’ll be expecting a write up.

thatboy_leo

Chatgpt could assist as well, you may know the specific formula you need for your desired output

Worked like a treat

1

Random question what’s the best forensic approach to analyzing .7z files? Currently there contained on a bit locker drive that I’ve encrypted behind a write blocker. It would freeze a ton behind imaged so I just used Tera copy with verification to get the files to my staging media. Kinda stumped what to do next as each .7z contains something different. Thought maybe create a AD1 image of the files to preserve the “original evidence” but just was opinions

maddie

Random question what’s the best forensic approach to analyzing .7z files? Currently there contained on a bit locker drive that I’ve encrypted behind a write blocker. It would freeze a ton behind imaged so I just used Tera copy with verification to get the files to my staging media. Kinda stumped what to do next as each .7z contains something different. Thought maybe create a AD1 image of the files to preserve the “original evidence” but just was opinions

.7z is the extension for 7-Zip archives, use 7-Zip (https://www.7-zip.org/) or forensic software that can decompress these.

2

Is there someone from @Cellebrite and/or @Magnet Forensics AI team (photo classification) who could reach me please? I contacted your support teams and the questions I have aren't really answered, thanks!

S Cote / SQ

Is there someone from @Cellebrite and/or @Magnet Forensics AI team (photo classification) who could reach me please? I contacted your support teams and the questions I have aren't really answered, thanks!

Hello @S Cote / SQ I will send you a DM to get more info.

1

I was replying but got distracted and I don't see it now. But re: the GPS tracker carrier question. I've had luck looking up the FCC ID and getting carrier info from the device manufacture. Sometimes the manuals on fccid.io have clues about what carrier as well. Looks like that one is from Connected Holdings, which is now a Phillips Connet company.

S Cote / SQ

We've built a RAID 0 of 2x 4Tb NVMe Gen 4, running at 13 Gb/s read/write for cases, and we got massive speed increases for sure!

You got a screen shot of those read wrote speeds? I never understand why people use raid0 on nvme drives.

Does anyone know if SANS will provide a copy of just the lab VM for a course I took? I'm hoping the email response would be favorable given that I'm an alumni of said course.. but I figured I ask before blasting off an email.

10:50 PM

I renewed the certification this year. Don't have access to the lab VM any more on their dashboard. Just looking for the lab VM

deetnutz

Does anyone know if SANS will provide a copy of just the lab VM for a course I took? I'm hoping the email response would be favorable given that I'm an alumni of said course.. but I figured I ask before blasting off an email.

I thought you get the isos when you renew but I'm not certain. I'd def email and say you didn't download it during the time you had access.

I think it's all on the ISO usually with SANS they give you 50GB ISO files now when you get the course material. You download them, mount and extract what you need. Kind of sucks because I have to keep freeing up disk space everytime I do a SANS course now

randomaccess

I thought you get the isos when you renew but I'm not certain. I'd def email and say you didn't download it during the time you had access.

That's correct. I lost the iso file hence requesting a copy. Thanks

3pil0gu3#112

I think it's all on the ISO usually with SANS they give you 50GB ISO files now when you get the course material. You download them, mount and extract what you need. Kind of sucks because I have to keep freeing up disk space everytime I do a SANS course now

That's the exact reason why i couldn't find the image file lol.. (edited)

Just gauging opinion. Would you consider the review of an axiom portable case/ufed reader etc to be forensic analysis?

Obi-Wan-IP

Just gauging opinion. Would you consider the review of an axiom portable case/ufed reader etc to be forensic analysis?

Opinion Alert Good question! I think this is a good place to start regarding this discussion:

"The concerns with clarity primarily centered on reports that lacked analysis. Reports were often solely the output of a forensic tool or tools, and customers were left to figure out what the data meant." (NIST, 2022, pg. 23) https://www.nist.gov/system/files/documents/2022/12/19/OSAC%20DE%20Quality%20Task%20Group%20Report_Dec2022.pdf

Given that many investigators who are not trained in digital forensics, or analysis are being expected to review and produce digital evidence to courts following an extraction of a device, there is most certainly concern in the international dialog about this exact issue. So to answer your question with another question: Are untrained investigators conducting forensic analysis of digital evidence, that is being produced in courts? Simply put, I think the answer is yes. But it has to have a defined scope, there is a basic element of "forensic analysis" - how to view, navigate and interpret a Cellebrite Reader report that is not officially taught, but is passed down through more experienced officers. When this aligns to the NPCC principles of digital evidence, the bar for competence is not particularly high in this regard. It should be expected that deeper and more intrusive levels of forensic analysis should be conducted by someone who is competent, e.g. a Digital Forensic Examiner who has advanced training and certification to underpin their competency. The fact that new officers and investigators are expected to simply understand digital evidence is beyond me, and presents a massive threat area... Is a review of an Axiom Portable Case / UFED Reader considered a forensic analysis, I would say yes. But with a big and underlying caveat. (edited)

1

Obi-Wan-IP

Just gauging opinion. Would you consider the review of an axiom portable case/ufed reader etc to be forensic analysis?

Yes, albeit we don't really utilise Portable Cases

1

Obi-Wan-IP

Just gauging opinion. Would you consider the review of an axiom portable case/ufed reader etc to be forensic analysis?

Assuming the question to be related to accreditation, I think when you read the FSR's definition of Digital Data Analysis it would be hard to argue that reviewing data in a portable case would NOT be analysis. The only wiggle room I could see was if you were performing the analysis, and the portable case was just your way of presenting the relevant data. If it's a data dump for someone else to analyse - I'd say that was analysis. https://www.gov.uk/government/consultations/forensic-science-draft-statutory-code-of-practice/code-of-practice-consultation-draft-accessible-version#fsa-definition--digital-data-analysis

Code of practice consultation draft (accessible version)

1

Ross Donnelly

Assuming the question to be related to accreditation, I think when you read the FSR's definition of Digital Data Analysis it would be hard to argue that reviewing data in a portable case would NOT be analysis. The only wiggle room I could see was if you were performing the analysis, and the portable case was just your way of presenting the relevant data. If it's a data dump for someone else to analyse - I'd say that was analysis. https://www.gov.uk/government/consultations/forensic-science-draft-statutory-code-of-practice/code-of-practice-consultation-draft-accessible-version#fsa-definition--digital-data-analysis

Yes this is exactly where I was going with this. Here we pass on various review packs from DF to investigators who have no training in digital forensics, they are tasked with reviewing the material and either sub exhibiting artefacts themselves or tagging and passing back to forensics for them to evidence. I know many forces that use this model so my concern is falling foul of the FSR codes as you refer to. In order to comply then all the investigators would have to be part of an accredited system (17025) in this case, which lets be honest is never going to happen

1

deetnutz

Does anyone know if SANS will provide a copy of just the lab VM for a course I took? I'm hoping the email response would be favorable given that I'm an alumni of said course.. but I figured I ask before blasting off an email.

In my experience they won't after your access to the initial class material has expired.

Obi-Wan-IP

Just gauging opinion. Would you consider the review of an axiom portable case/ufed reader etc to be forensic analysis?

IMO, yes and no. It would depend on what data was added to the portable case and is it enough to verify a critical finding and/or make a determination about the existence of inculpable or exculpable information. When my lab returns a report document and/or portable case, we advise our user agency to review the information and to get back with us with any questions about how to interpret something, or whether additional information, outside the report(s), may be available. We also make it clear what we are NOT returning in a result and what will require additional work to produce. As far as investigators and/or attorneys reviewing DF results and then acting as a DF examiner when trying to interpret things, this is absolutely happening. Obviously, many things, a text message for example, may not require in-depth interpretation, but if trying to determine the accuracy of a location artifact, or what sequence of events led to an artifact being created, that would absolutely need the input from a DF examiner and shouldn't be left to an unqualified person to make those determinations. (edited)

5

4

1

Anyone mind reviewing my Free ebook I am building https://docs.google.com/document/d/1_DaciFToZjitG4tLCqOKKQPJvRAZ_gpobjHuoj_sjaY/edit#heading=h.9e6a59o45mi1

Prevention and detection of advanced cyber threats V32

Prevention and detection of advanced cyber threats Author: Wolf Co-author: cybersecurity Community Date: 22-12-2022 Version 30.0 “Despite knowing that perfect security cannot be achieved, we strive to come as close to it as we can.” — Anonymous security researchers About the author For...

10:29 PM

if you have any thoughts or comments feel free to dm or put them on the Doc

Here is our curated list of digital forensics events in 2023. We'll keep it updated monthly or even more often. https://blog.atola.com/top-digital-forensic-conferences/

Yulia Samoteykina

Top digital forensics conferences in 2023

A comprehensive list of top digital forensics conferences in 2023. Check conference links, registration fees, locations. We keep it updated!

1

2

Vitaliy Mokosiy

Here is our curated list of digital forensics events in 2023. We'll keep it updated monthly or even more often. https://blog.atola.com/top-digital-forensic-conferences/

Techno Security is moving from Myrtle Beach to Wilmington this year.

dcs453

Techno Security is moving from Myrtle Beach to Wilmington this year.

Thank you! It's a typo, fixed it. TechnoSecurity is one of our favorite shows every year

Vitaliy Mokosiy

Here is our curated list of digital forensics events in 2023. We'll keep it updated monthly or even more often. https://blog.atola.com/top-digital-forensic-conferences/

I think you might also have a typo for the NSA Annual Conference in June. I clicked the link and it says Grand Rapids, Michigan instead of Phoenix

1

melissa_at_amped

I think you might also have a typo for the NSA Annual Conference in June. I clicked the link and it says Grand Rapids, Michigan instead of Phoenix

Definitely

Thanks a lot Melissa!

):

8:48 AM

nobody commented yet

Wolf

nobody commented yet

For what?

8:49 AM

oh the ebook thing above?

ye

8:49 AM

have been working on it for the last 2 years

8:49 AM

it recently started to take up steam

it looks pretty comprehensive. You're welcome to post it in #dfir-open-source-projects since it appears you're open sourcing it in some way by sharing it like this

Wolf

):

You posted this earlier today, and it's over 180 pages long. Substantive comments might take awhile. I've been reading through some of it. Quite a history lesson so far.

1

Thank you I am trying to write a non biase piece

9:30 AM

for educational purposes

again, @Wolf if you don't want this to get lost in an active discussion channel, move it on over to #dfir-open-source-projects where it's a bit slower and technically a better channel to discuss this

Thank you @Andrew Rathbun it's a honour

Hey Guys, What tool you guys using for create image from Mac book storage. ? for the forensic.

Digital Collector by Cellebrite

2:00 AM

although I've used Sumuri's tool before and that was fine too - at the time it was cheaper than DC but had fewer features

1

randomaccess

although I've used Sumuri's tool before and that was fine too - at the time it was cheaper than DC but had fewer features

can i send DM ?

sure

Wishing all our friends here a Merry Christmas, onwards to the new year

4

11

Merry Christmas

1

https://twitter.com/kladblokje_88/status/1606665418239795200?s=20

kladblokje_88 (@kladblokje_88)

@Hetzner_Online tell me why, please wtf is this

1

Merry Christmas everyone! Wishing all a wonderful holiday from my family to yours.

1

6

Is it recommended to work, exclusively within an VM environment for day-to-day acitivites (eg web surfing, opening email attachments etc) instead of on the Host Machine, to avoid Host Machine infection from Malware and Viruses ?

armin1855

Is it recommended to work, exclusively within an VM environment for day-to-day acitivites (eg web surfing, opening email attachments etc) instead of on the Host Machine, to avoid Host Machine infection from Malware and Viruses ?

depend on you

6:25 PM

do you know about the APT campaign that targeted 0days researchers?

6:27 PM

yup, my friend who using VM environment for reseach, each for persional activities (like what you say, twitter, opening email attachments etc)

6:27 PM

win p2o

6:27 PM

still hacked

1

Thanks for replying @MartinInDFIRland What sort of Malware was it and how did it occur ?

MartinInDFIRland

do you know about the APT campaign that targeted 0days researchers?

I think I may have heard that in Darknet Diaries https://www.youtube.com/watch?v=s6Q7SfI1bHE

Jack Rhysider

Her Never-Ending Quest to make Zero Days Hard

Darknet Diaries Ep. 1...

https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/

New campaign targeting security researchers

Details on an ongoing campaign, which we attribute to a government-backed entity based in North Korea, targeting security researchers working on vulnerability research and development.

1

MartinInDFIRland

https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/

I think this was mentioned in the Darknet Dairies. The Researcher was from Google's Project "X" and there was talk about North Korea

armin1855

Is it recommended to work, exclusively within an VM environment for day-to-day acitivites (eg web surfing, opening email attachments etc) instead of on the Host Machine, to avoid Host Machine infection from Malware and Viruses ?

no, really depends what you're doing though

armin1855

I think this was mentioned in the Darknet Dairies. The Researcher was from Google's Project "X" and there was talk about North Korea

oh looks like we are rambling a bit, back to your question

MartinInDFIRland

depend on you

this is my answer

Someone from @Cellebrite available for a dm?

1

Hey guyes I was thinking how do we capture our printer packets like I am using a usb cable to send print packets so how will I capture them ? ( using wireshark might be

) .

SamuraiPwn

Hey guyes I was thinking how do we capture our printer packets like I am using a usb cable to send print packets so how will I capture them ? ( using wireshark might be

) .

https://www.hhdsoftware.com/ Could try one of these tools?

HHD Software: Hex Editor, Serial/USB/Network Sniffer, Virtual Seria...

We are the software development company focused on providing reliable and high-performance solutions for software and hardware developers. For over 20 years we have been offering our customers the best data editing and Serial, USB, Network communications analysis software, as well as advanced virtual serial port tools.

right some usb moniters hmm I will give them a try

Hmm its working but I think I will need to learn it a bit really new to this kind of software

1

SamuraiPwn

Hmm its working but I think I will need to learn it a bit really new to this kind of software

You can capture usb traffic with Wireshark also. https://wiki.wireshark.org/CaptureSetup/USB

If I had a question about career advice where would be the best channel to ask?

voidBox

If I had a question about career advice where would be the best channel to ask?

#training-education-employment

Andrew Rathbun

#training-education-employment

Thanks!

anyone familiar with what this format is for a file open via Internet Explorer? This is from LNK files: Internet Explorer (Homepage)\dctmctf:10857:20220810092351234_13087740681263661234:wss:lb

7:36 PM

I have a bunch of these they all start with dctmctf: and end with :wss:lb

Does someone know why Event Log Explorer appears to show timestamps at the beginning of each hour? I'm using the forensic edition, Event Viewer shows the correct timestamps. I'm not too familiar with this software (edited)

CyberTend

I have a bunch of these they all start with dctmctf: and end with :wss:lb

"Documentum" : https://www.opentext.com/products/documentum-platform Per https://documentum103.rssing.com/chan-59762241/latest-article9-live.php, it looks like "dctmctf" may stand for the "Documentum Content Transfer Framework"; "wss" should be the "WebSockets Secure" protocol, and "lb" looks to be the Documentum "Lockbox" password storage component.

JLindmar (83AR)

"Documentum" : https://www.opentext.com/products/documentum-platform Per https://documentum103.rssing.com/chan-59762241/latest-article9-live.php, it looks like "dctmctf" may stand for the "Documentum Content Transfer Framework"; "wss" should be the "WebSockets Secure" protocol, and "lb" looks to be the Documentum "Lockbox" password storage component.

Thanks so much

1

Original message was deleted or could not be loaded.

https://commons.erau.edu/cgi/viewcontent.cgi?article=1093&context=jdfsl this is very old but may still be relevant

9:37 AM

Also, https://link.springer.com/chapter/10.1007/978-3-030-23547-5_9 might be a bit more recent

Forensic Analysis on Kindle and Android

In this chapter, we conduct a forensic analysis of Amazon’s Kindle Fire HD and report on our findings.

9:38 AM

may not be a bad idea to ask in #mobile-forensic-extractions too since Kindle runs on Android

Andrew Rathbun

https://commons.erau.edu/cgi/viewcontent.cgi?article=1093&context=jdfsl this is very old but may still be relevant

Thank you sir, I think that might be the same document I found last night when I was doing some digging. Thanks

Hi friends, one of the interview panel yesterday asked me one tricky question,. Q) Is mobile phone hashing (hash value generation ) possible? please help me with the details. Thank you.

Well that depends, phone have some unique identifiers, and those identifiers could be hashed. But some of those identifiers could be altered resulting in a different hash, so in reality I’d say you need more detail about what part of the device.

Afeef

Hi friends, one of the interview panel yesterday asked me one tricky question,. Q) Is mobile phone hashing (hash value generation ) possible? please help me with the details. Thank you.

Not in the same sense that you can hash a "dead box" hard drive. If you hash the contents of a hard drive while doing dead box forensics it should remain the same every time. This is in contrast to phones which require you to power them on in order to extract them, and typically requires the tools to interact with the phone while extracting. This inherently means that the data on the phone is changing even as you are extracting it, so if you perform another extraction and compare the hash of the first to the hash of the second it will always be different.

5

2

much better way to say it xD

Afeef

Hi friends, one of the interview panel yesterday asked me one tricky question,. Q) Is mobile phone hashing (hash value generation ) possible? please help me with the details. Thank you.

Mobile phones will change between collections, for the reasons noted above. However, a hash of the final archive file is useful to show that the data has not changed. This is useful for defending handling of evidence and chain of custody defense.

1

Greg Kutzbach

Mobile phones will change between collections, for the reasons noted above. However, a hash of the final archive file is useful to show that the data has not changed. This is useful for defending handling of evidence and chain of custody defense.

Agreed and good summary of my answer. I like to think in analogies and to me phone hashing is like hashing an SSD

I like the question from the interviewer. It tests to see if people actually know what the underlying technologies are doing.

1

ryd3v

Well that depends, phone have some unique identifiers, and those identifiers could be hashed. But some of those identifiers could be altered resulting in a different hash, so in reality I’d say you need more detail about what part of the device.

Complete hashing they have asked. Hash value of entire data of any mobile phone

Original message was deleted or could not be loaded.

no, but have you tried the usual suspects?

Original message was deleted or could not be loaded.

check a known good one before you do. ie make sure the readings you get aren't somehow false

Is there a specific section for OT networks or ICS/SCADA?

Hello everyone, I have a simple question. If I am a student who is about to enter the military academy in crime investigation sciences, what book do you recommend for me, knowing that I do not have a background on it and I am bad at biology, but if you can add a book to help, I will be happy and thank you.

Deleted User

Hello everyone, I have a simple question. If I am a student who is about to enter the military academy in crime investigation sciences, what book do you recommend for me, knowing that I do not have a background on it and I am bad at biology, but if you can add a book to help, I will be happy and thank you.

Hi - Your question may be better placed in #training-education-employment, however, to be honest I am struggling to understand exactly what it is you are asking for here. This server is primarily focused on the digital forensics and cyber security sector? (edited)

Is It Done Yet?

Hi - Your question may be better placed in #training-education-employment, however, to be honest I am struggling to understand exactly what it is you are asking for here. This server is primarily focused on the digital forensics and cyber security sector? (edited)

yes i know sir my question about books teach you how to think like detective or digtel forensics detective

5 years on, Bhima Koregaon violence accused yet to get 60% of clone copies: https://www.thehindu.com/news/national/other-states/5-years-on-bhima-koregaon-violence-accused-yet-to-get-60-of-clone-copies/article66320657.ece

5 years on, Bhima Koregaon violence accused yet to get 60% of clone...

Despite directions given by the special court to NIA to provide all the evidence, only 40% has been shared, says advocate for some of the accused in the case

6:07 PM

Well example of how digital forensic scientists can give investigate in scientific way. Kudoos to USA Arsenal forensic firm

Anyone knows if a playstations logs information what network it got connected to? So: a ps4 gets stolen, suspect connects it to his own wifi-network to play or set it up. Can i, as owner, in my playstation account, see what network (ip) my ps4 gets connected to. I am not a gamer myself, so i have no idea wat options i have.

florus

Anyone knows if a playstations logs information what network it got connected to? So: a ps4 gets stolen, suspect connects it to his own wifi-network to play or set it up. Can i, as owner, in my playstation account, see what network (ip) my ps4 gets connected to. I am not a gamer myself, so i have no idea wat options i have.

I highly doubt you as the account owner can tell. But, Sony may. Do an account takeout and see if your serial number is associated with your account in some way. Then if someone else logged into their account on your PS then sony could pull the account details for that and provide it to LE

1

I had a question recently I wanna shop around and see what the consensus is Is it easier to make high paying wages as a red team or blue team? At 5 years of experience as a pen tester or security analyst who would expect higher salaries?

Can I start with the inevitable? It depends.... In my experience it has tended to be higher in the pentest world. But then again, the ones I usually see are on the higher end of the skill and experience spectrum.

conf1ck3r

I had a question recently I wanna shop around and see what the consensus is Is it easier to make high paying wages as a red team or blue team? At 5 years of experience as a pen tester or security analyst who would expect higher salaries?

Red Team, obv, but that may not be the case if he wants to stay legal

Problem is to get the 5 year salary job, you need 20 years experience and a PHD

So I did this sentinel one ctf and got sent a hint for next step that has some binary on it. Ive tried very hard to figure it out someone else wanna look over it? if you like puzzles you may wanna try

someone remind me of the infosec mastadon server? for au/oceania?

I know the main one is https://infosec.exchange

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.

@Magnet Forensics can anyone do me a solid and hit me up with a DL link to the latest Axiom. The guy with the portal login in off and it's a mild emergency. Thanks in advance.

Majeeko

@Magnet Forensics can anyone do me a solid and hit me up with a DL link to the latest Axiom. The guy with the portal login in off and it's a mild emergency. Thanks in advance.

Sent you the link

"what unique problems that different file systems pose in the digital forensic process?" Can anybody provide resources to this question?

maxabo

"what unique problems that different file systems pose in the digital forensic process?" Can anybody provide resources to this question?

For example and to get the ball rolling, what are the differences between NTFS & FAT32?

10:59 AM

https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172

File System Forensic Analysis

maxabo

"what unique problems that different file systems pose in the digital forensic process?" Can anybody provide resources to this question?

https://github.com/mikeroyal/Digital-Forensics-Guide#file-systems

GitHub - mikeroyal/Digital-Forensics-Guide: Digital Forensics Guide...

Digital Forensics Guide. Learn all about Digital Forensics, Computer Forensics, Mobile device Forensics, Network Forensics, and Database Forensics. - GitHub - mikeroyal/Digital-Forensics-Guide: Dig...

maxabo

"what unique problems that different file systems pose in the digital forensic process?" Can anybody provide resources to this question?

https://www.sciencedirect.com/science/article/pii/S2666281722001573 (edited)

It is about time–Do exFAT implementations handle timestamps correct...

Digital forensic investigations require that file metadata are interpreted correctly. In this paper we focus on the timestamps of the exFAT file syste…

Does anyone know any good map-related software tools or forensic tools that allow you to enter a series of coordinates/locations, pick a central location, and the output is a map showing how the distance between each coordinate from the central location? Asking for a potential case.

ShinDaddison

Does anyone know any good map-related software tools or forensic tools that allow you to enter a series of coordinates/locations, pick a central location, and the output is a map showing how the distance between each coordinate from the central location? Asking for a potential case.

Google Earth?

ShinDaddison

Does anyone know any good map-related software tools or forensic tools that allow you to enter a series of coordinates/locations, pick a central location, and the output is a map showing how the distance between each coordinate from the central location? Asking for a potential case.

Excel https://www.contextures.com/excellatitudelongitude.html

How to Calculate Distance in Excel Latitude and Longitude

How to calculate distance in Excel from Latitude and Longitude. Download sample file with code base on Vincenty's formula..

1

K23

We've got a process @Artea, I'll DM.

Hi, that's an old question but if you still have a process that you can share I am also interested

Is Ryan Benson from unfurl active here? Edit: found him. @Ryan Benson (edited)

Anyone around that can help me with an Apple return? I'm following to guide for using powershell to extract the logs but having trouble getting p7zip to install via powershell as the instructions say

Disregard, running update on ubuntu then doing the install command worked

Did someone encounter till now problems booting a macOS (Big Sur in my case) in VirtualBox after enabling FileVault? Encountered this problem twice till now.

Good day, all! We are in the design phases of a new lab. We are going to do a faraday room or enclosure. Our contractor picked out the following 8x8 enclosure. https://shop.faradaydefense.com/custom-modular-hardwall-enclosures/. The other option is to build a room/enclosure. So, is there anyone on here with experience with either this specific company/enclosure, or do you have any experience with a builder in the Rocky Mountain Region? Thanks in advance!

marketing

Custom Modular Hardwall Faraday Enclosures

Custom Modular Hardwall Faraday Enclosure Room. RF/EMI Shielding Chamber. Block Signal. Custom Built Enclosures.

My understanding about faraday "rooms" is that they are very expensive and need to be serviced/recertified regularly... An agency local to me has a fantastic faraday room but they basically constructed their building around it, retrofitting it wasn't apparently an option. Good luck! Certainly a lot nicer than a cramped faraday box with way too many phones inside of it.

Good Morning, Could anyone tell me the prices of the CCPA course with cellebrite, CERT-F With cellebrite and the CCOF course with cellebrite please. Thank you in advance

Catherine

Good Morning, Could anyone tell me the prices of the CCPA course with cellebrite, CERT-F With cellebrite and the CCOF course with cellebrite please. Thank you in advance

@Cellebrite ^

Catherine

Good Morning, Could anyone tell me the prices of the CCPA course with cellebrite, CERT-F With cellebrite and the CCOF course with cellebrite please. Thank you in advance

do you mind sending me a dm, and i can place you in touch with our Training team.

Anyone see Sextortion: The Hidden Pandemic? https://sextortionfilm.com/

SEXTORTION FILM | The Hidden Pandemic | 2022 | The Hidden Pandemic

With unique, unrestricted access to government files, victim families, and investigators, Sextortion: The Hidden Pandemic documentary uncovers the hidden world of online enticement and exploitation of children--and what we can do to stop it.

1

@Cellebrite My supervisor was contacted by a sales rep by phone claiming to be from cellebrite. The inquiry was over a software renewal, which was odd that they contacted my Lt. instead of me, their usual point of contact at least over the last few years. The invoice they sent was from a company called Carahsoft which I've never heard of. Can you confirm if this is a valid quote? (edited)

Carahoft is a government clearing house and is legit for cellebrite. Likely they reached out instead of cellebrite

Forensic@tor

Carahoft is a government clearing house and is legit for cellebrite. Likely they reached out instead of cellebrite

So effectively like an authorized dealer? (edited)

Beefhelmet

So effectively like an authorized dealer? (edited)

Yes. If you need to validate the source I would Google Carahsoft and contact them via the number on their website. I go through Carahsoft to renew all of my Cellebrite licenses and I just recently got a quote for additional Cellebrite licenses/training through them.

FullTang

Yes. If you need to validate the source I would Google Carahsoft and contact them via the number on their website. I go through Carahsoft to renew all of my Cellebrite licenses and I just recently got a quote for additional Cellebrite licenses/training through them.

copy that

@Beefhelmet not a reseller per SE. A clearing house is used to allow for government sectors to use POs or other billing practices. Prevents sellers from jumping through hoops that some agencies require.

@Magnet Forensics Rumor has it Axiom supports the FATX file system to allow for the parsing of an Xbox 360 hard drive. Can you confirm? I am getting the No known file system found when I try to add the .E01 to a new case.

FullTang

@Magnet Forensics Rumor has it Axiom supports the FATX file system to allow for the parsing of an Xbox 360 hard drive. Can you confirm? I am getting the No known file system found when I try to add the .E01 to a new case.

FATX - not specifically, but using the option for sector level search will likely recover items of interest.

chriscone_ar

FATX - not specifically, but using the option for sector level search will likely recover items of interest.

Trying it now, thank you!

FullTang

Trying it now, thank you!

Glad to do it, let me know if you run into any issues.

Has anyone come across IPv6 EUI-64? More specifically, the ability to query MAC addresses from a service provider? I need to do some tested but wanted to check first as this might already be solved... Curious if the RFC (4291) pulls the actual MAC or the MAC provided by the OS (i.e. the MAC randomization).

chriscone_ar

Glad to do it, let me know if you run into any issues.

It worked like a charm! Axiom primarily parsed out web history and images, two beneficial types of artifacts in a CSAM case. There were even images of the user(s) using Kinect. Thanks!

1

FullTang

It worked like a charm! Axiom primarily parsed out web history and images, two beneficial types of artifacts in a CSAM case. There were even images of the user(s) using Kinect. Thanks!

That’s great to hear! Glad it worked out.

FullTang

It worked like a charm! Axiom primarily parsed out web history and images, two beneficial types of artifacts in a CSAM case. There were even images of the user(s) using Kinect. Thanks!

Did you choose the Xbox specific artifacts as well when processing?

9:53 AM

I can't remember the name of it but there's a website one for 360

Rob

Did you choose the Xbox specific artifacts as well when processing?

I selected all artifacts it allowed me to select. It didn't take that long, and yes I did get XBox 360 Internet Explorer Favorites/Recent/Featured Items artifacts in the web history.

That's the one!

1

@everyone Anyone know how to change your email address in discord if you no longer have access to that email anymore?

adam2817

@everyone Anyone know how to change your email address in discord if you no longer have access to that email anymore?

Everyone is a user here btw lol. Maybe contact Discord support?

1

Andrew Rathbun

Everyone is a user here btw lol. Maybe contact Discord support?

user? but I've been clean for ... uuh nm

Howdy gents. If I had a file that I wanted to run, but before running I changed the name of that file, to one that was already existing on my computer, ran it, deleted it, and put the file that I named it to in its place, can I detect that name-change somehow?

LFR

Howdy gents. If I had a file that I wanted to run, but before running I changed the name of that file, to one that was already existing on my computer, ran it, deleted it, and put the file that I named it to in its place, can I detect that name-change somehow?

What file system?

char|i3

What file system?

good ol NTFS

6:19 PM

i was looking thru EZTools but prob missed it

LFR

good ol NTFS

Love it. I will just assume Recycle Bin has been addressed. Depending on your timeline there may be evidence in the USNJournal for file name and other changes. You may also see entries in the master file table $MFT that could help with the deleted file information . I’d also check the $I30 for the folder of interest to see what was there related to the files you are investigating.

2

straight legend! Time for research

LFR

Howdy gents. If I had a file that I wanted to run, but before running I changed the name of that file, to one that was already existing on my computer, ran it, deleted it, and put the file that I named it to in its place, can I detect that name-change somehow?

Usn journal tracking the MFT entry and sequence number

9:09 PM

If it's tracking the entire period you'd see that all quite clearly. Especially when combined with recycle bin and program exeuction artefacts

randomaccess

If it's tracking the entire period you'd see that all quite clearly. Especially when combined with recycle bin and program exeuction artefacts

turns out that this exe disables itself from being found in: Prefetch User Assist msmp Recycle Bin & USN Journal So this is gonna be a fun one (edited)

10:15 AM

But maybe I can use the data from the exe that the professor is renaming the file to to see if it was modified. If not there we go

Are the hexordia (I doubt I spelled that correctly) courses any good (specifically in mobile forensics, which I have 0 experience in)

1

The free courses I have taken with them are pretty decent, but I have not taken any of their paid courses.

1

codyp915

Are the hexordia (I doubt I spelled that correctly) courses any good (specifically in mobile forensics, which I have 0 experience in)

ask @b1n2h3x

randomaccess

ask @b1n2h3x

Will do, I am just a student and even the lower cost certs are outside of my budget range, but also want to be a well rounded examiner when done with my degree

To any watching Law Enforcement in the US, can you talk about CellHawk, if you use it, and is it helpful?

LFR

To any watching Law Enforcement in the US, can you talk about CellHawk, if you use it, and is it helpful?

Manual parsing of CDR returns is possible, but any automated tool that assists in that process be it CellHawk or NightHawk saves hours and allows for data to be compiled in a way that would be very difficult to do manually even with hours of time invested in it.

codyp915

Will do, I am just a student and even the lower cost certs are outside of my budget range, but also want to be a well rounded examiner when done with my degree

I am a little biased to answer here. But the reviews from students for the live and On Demand have been quite good. Happy to share them with you. I have been teaching mobile forensics for 6 years at GMU with very high ratings before I started this course. Please try some of the free classes to get a feel. Feedback always welcome!

For a Samsung handset.. Do we know the main difference between DCIM/.thumbnails and gallery3d/cache? I understand that the cache directory is used for the gallery app to improve performance. However, does the gallery app not also use thumbnails directory? Any input greatly appreciated.

anyone of you who got a good overview / diagram of the general order of typical activities that are performed at machine startup / windows 10 boot / user login to display the order and influence of having applications registered as different types of services, in a users autostart, the OS performing file system operations without user interaction etc? to support visualizing that there are things happening on a system even before a user enters his credentials / to differentiate what is happening at boot and before / after user logon. (edited)

LFR

To any watching Law Enforcement in the US, can you talk about CellHawk, if you use it, and is it helpful?

Another option is Zetx that was purchased by LexisNexis, just to add another comparison.

What are folks using for case notes these days - personal notes, not a full fledged case management system, I don't need that. I'm sick of OneNote, been giving me too many issues over there years. Preferably something that doesn't require a cloud sync..

I'm very low tech... notepad++

classic lol

I have a python script that builds my directory structure the same way for every case and then produces a .txt file inside with headers for the various item numbers... it's obviously not tracked or timestamped so that is a deficiency

9:57 AM

I have tried monolith notes in the past, it seems like a really cool tool (and it's free), I just found it to be too many extra steps and I went back to txt.

9:58 AM

https://www.monolithforensics.com/free-tools

Free Tools

Free forensic software provided by the team at Monolith or others in the digital forensics community.

Nice, I'll give that a look.

10:02 AM

Seems nifty for quick stuff, one thing it's missing I'd love though is to have a template to re-use for each case. And ability to have tables. (edited)

Same here. Notepad++ and markdown files. That way, if I switch to something else, I can convert them to a different format.

Does anyone have a custom carver for encase (.e01) files for FTK, or know of another vendor who carves them out? Exterro (FTK) says it’s “outside of the scope of support to write them for you”. It’s that level of support that makes me want to evaluate another vendor. PhotoRec can recover them and even has C code to do it: (https://git.cgsecurity.org/cgit/testdisk/tree/src/file_e01.c) The footer seems to be the hardest part to match. <snip> Header (hex) : 455646090D0AFF Footer (text): next.............Õÿ.....................................................«.v.

LincolnLandForensics

Does anyone have a custom carver for encase (.e01) files for FTK, or know of another vendor who carves them out? Exterro (FTK) says it’s “outside of the scope of support to write them for you”. It’s that level of support that makes me want to evaluate another vendor. PhotoRec can recover them and even has C code to do it: (https://git.cgsecurity.org/cgit/testdisk/tree/src/file_e01.c) The footer seems to be the hardest part to match. <snip> Header (hex) : 455646090D0AFF Footer (text): next.............Õÿ.....................................................«.v.

Probably outside the scope of all vendors...

1:44 PM

You may need to figure out whether there's a footer for each chunk.

1:45 PM

Does each segment have that footer?

randomaccess

Does each segment have that footer?

I'm looking at an E01 set (27 chunks), only consistent thing I can see in the footer for each segment/chunk is a next indicator for all segments apart from the ending segment. E01 (next - FF FF) E03 (next - FF FF) E04 (next - FD FF) E27 (done) Could you carve for start/non-ending segments using the 45 56 46 / EVF header, and the 6E 65 78 74 footer (next + 72 bytes?), then re-carve for ending segments using the same header, and the 64 6F 6E 65 footer (done + 72 bytes?) Edit: oops, should've read your comment carefully, you've already mentioned this

looks like if you modify any data after the next/done marker, the image itself won't appear valid. I've only tried to open it in FTK, I haven't tried x-ways/axiom yet.. YMMV. (edited)

nicastronaut

Seems nifty for quick stuff, one thing it's missing I'd love though is to have a template to re-use for each case. And ability to have tables. (edited)

Checkout Cherrytree https://www.giuspen.net/cherrytree/ (edited)

randomaccess

Probably outside the scope of all vendors...

Magnet allows custom file types. Both carving and parsed. Can be read as hex header, and parsed with python.

Greg Kutzbach

Magnet allows custom file types. Both carving and parsed. Can be read as hex header, and parsed with python.

Sure - ftk will likely allow you to add your own carving logic as well From the OP post their response is that they won't write them for you as part of their support agreement

Does AXIOM or X-Ways allow you to import/inspect a segmented E01 image with incomplete/invalid footer data? FTK imager fails to recognise the image if any data after next/done is modified.

DeeFIR 🇦🇺

Does AXIOM or X-Ways allow you to import/inspect a segmented E01 image with incomplete/invalid footer data? FTK imager fails to recognise the image if any data after next/done is modified.

Ftk imager is really picky about that. If you want an easy way to mount, use recon imager. Once mounted, you can throw any program at it. To answer your question.. yes, axiom and xways both can deal with completely fubar’d e01’s.

9:00 PM

For truly fubar’d e01’s where the partition tables are either corrupted, hidden, nested, or inside virtual disks, I’ve also had great luck with R-Studio.

randomaccess

Sure - ftk will likely allow you to add your own carving logic as well From the OP post their response is that they won't write them for you as part of their support agreement

I missed that. Custom carving sounds like a special services contract. Gotta pay the coder, no matter the company. In axiom, it’s pretty easy to write custom carving and artifacts in house. Not sure how easy ftk makes it to write them in house.

LincolnLandForensics

Does anyone have a custom carver for encase (.e01) files for FTK, or know of another vendor who carves them out? Exterro (FTK) says it’s “outside of the scope of support to write them for you”. It’s that level of support that makes me want to evaluate another vendor. PhotoRec can recover them and even has C code to do it: (https://git.cgsecurity.org/cgit/testdisk/tree/src/file_e01.c) The footer seems to be the hardest part to match. <snip> Header (hex) : 455646090D0AFF Footer (text): next.............Õÿ.....................................................«.v.

I just tried a few things. 1 - modified data after the next/done footer in each E01 segment, still mounts in AIM. 2 - zeroed out all data after the next/done footer in each segment, still mounts in AIM. 3 - removed all data after the next/done footer in each segment, also mounts in AIM. So going by that logic, you should only have to match the footer (up to next/done) and it'll mount fine in AIM.

9:11 PM

Thanks for the pointer @Greg Kutzbach

2

DeeFIR 🇦🇺

I just tried a few things. 1 - modified data after the next/done footer in each E01 segment, still mounts in AIM. 2 - zeroed out all data after the next/done footer in each segment, still mounts in AIM. 3 - removed all data after the next/done footer in each segment, also mounts in AIM. So going by that logic, you should only have to match the footer (up to next/done) and it'll mount fine in AIM.

Cool experimenting! Thank You

Belkasoft allows custom carving as well, both header+max size or header+footer, you can also import kff/scalpel sets

Given the general size of E01s, there is probably a good chance they will be fragmented (unless they were put onto a sterile drive) - in which case carving is going to be a dead end.

Does anyone know any free tools that can be used to decrypt a bitlockered drive with a clear text Volume Master Key?

lockbee

Does anyone know any free tools that can be used to decrypt a bitlockered drive with a clear text Volume Master Key?

Use @Arsenal image mounter

2

lockbee

Does anyone know any free tools that can be used to decrypt a bitlockered drive with a clear text Volume Master Key?

And, it goes without saying, Windows will do it if you know the PIN/password. Connecting the drive to any modern Windows machine should give you the option to decrypt it or at least open it in an unencrypted state.

Greg Kutzbach

I missed that. Custom carving sounds like a special services contract. Gotta pay the coder, no matter the company. In axiom, it’s pretty easy to write custom carving and artifacts in house. Not sure how easy ftk makes it to write them in house.

My experience with FTK is that building a carver isn't hard, but their not very smart. For my money, I like X-Ways. Many carvers and adding new carvers is very easy--they are stored in a TSV file and easy to modify and add.

Hey all. Long time lurker, but I wanted to pop in with a quick question. Anyone set up a self-hosted case management system for local casework? I'm looking to implement something for our lab on our air-gapped network for managing workflow, something similar to a kanban board. I'm relatively proficient in Docker (self-taught homelab experience). Something like a FOSS-y (and understandably less enriched) version of Magnet ATLAS or xBit

11:45 AM

I've played with Wekan and Mattermost (Wekan at home, Mattermost as a trial setup), but I'm trying to find something that I can tinker with enough that our lab can use

Probably not what you were looking for @Nanotech Norseman but I ended up writing our case tracker in python (forensicsReporter.exe) https://github.com/LincolnLandForensics/HodgePodge. I'd also like to find the same thing. but this was better than nothing. It also writes my reports, which I like.

That's pretty dope, not gonna lie. I'm fairly proficient in Python, so this may lead me on a wild goose chase (I love wild goose chases). I'll check it out, thanks for the recommendation! (If you get a fork, it was probably me)

@Nanotech Norseman Fork away. The google translater script worked great and helped us make our case by translating thousands of lines of Chinese. Geek away.

Oh hell yeah! Thanks again man

1

DeeFIR 🇦🇺

Thanks for the pointer @Greg Kutzbach

Wow thanks for the research. I think I could write an FTK custom carver if I don't have to worry about the 72 characters after next/done.

I'm using Timeline Explorer to view the output of MFT parsing by MFTecmd. Is it better to sort by the entry number or file creation time when trying to analyze files created around the same time?

Others can chime in here. But I think you kind of answered your own question. If you are looking for files created around the same time, then creation time would be what you would focus on and use as your pivot point.

1

Villano

I'm using Timeline Explorer to view the output of MFT parsing by MFTecmd. Is it better to sort by the entry number or file creation time when trying to analyze files created around the same time?

sort on file creation time

hub

Thank you

dsplice

Others can chime in here. But I think you kind of answered your own question. If you are looking for files created around the same time, then creation time would be what you would focus on and use as your pivot point.

I wasn't sure because Entry numbers are supposed to be sequential but when I sort by creation time the entry numbers can be all over the place.

Villano

I wasn't sure because Entry numbers are supposed to be sequential but when I sort by creation time the entry numbers can be all over the place.

MFT entries are capable of being reused. I haven't dug too much into it but found this https://andreafortuna.org/2018/06/04/using-mft-anomalies-to-spot-suspicious-files-in-forensic-analysis

Using MFT anomalies to spot suspicious files in forensic analysis

A typical NTFS filesystem contains hundreds of thousands of files. Each file has its own $MFT entry, and all $MFT entries are given a sequential address starting from zero, zero being the $MFT entry itself. Each MFT entry is addressed using an 6 byte number, additionally the preceding 2 bytes contains the MFT Sequence number, these two numbers c...

dsplice

MFT entries are capable of being reused. I haven't dug too much into it but found this https://andreafortuna.org/2018/06/04/using-mft-anomalies-to-spot-suspicious-files-in-forensic-analysis

Yes that's true. Thanks.

Villano

Yes that's true. Thanks.

Interestingly, you can use the different 'sequentiallity' of the results to some conclusions (like there were files deleted in a directory or such). TMYK

Nanotech Norseman

I've played with Wekan and Mattermost (Wekan at home, Mattermost as a trial setup), but I'm trying to find something that I can tinker with enough that our lab can use

Mattermost is great but I wouldn’t say it’s really case management, more of a self-hosted slack

Matt

Mattermost is great but I wouldn’t say it’s really case management, more of a self-hosted slack

Yeah, that's somewhat what I came to after fiddling with it a bit. I was hoping to expand more on the kanban style for workflow, but with some kind of case management and ownership aspect. I did find one that I'm still working on building out by Aam-digital, though it's more for NGO casework. I'm wondering if I can modify it extensively to get what I want out of it, but I'm hesitating due to the work involved in such a project.

Yeah you really want something you can fire up and crack on with.

That's pretty much what I'm looking for, but I doubt I'll find something that easy XD. A coworker discussed xBit a good bit, their previous lab used that extensively. I'm trying to skirt the line of staying within budget and still getting a full amount of usefulness in what we have (and free is great for internal use -- if it works). Still, I appreciate the response

I'll keep researching. If I find a solution (or modify a solution enough to be viable), I'll post back in here at a later point

1

Say I was a poor student with forensics homework, where would I go and ask for help? (edited)

Narnuk

Say I was a poor student with forensics homework, where would I go and ask for help? (edited)

Google?

yupyup

Rob

Google?

yet she remains a cruel mistress

Narnuk

yet she remains a cruel mistress

are you looking for a learning platform or the answers to your quiz questions?

what would be helpful for me would be a workflow for autopsy

1:34 PM

as I have many 60+ GB of data and no real plan of how to go through them

https://www.youtube.com/watch?v=Dlrn3ZRzn2I like a walkthrough?

1:35 PM

i like to approach my cases with an objective in mind so i don't get lost in the sauce. what questions are you looking to answer with the data?

there are a total of 7 ppl whose name and username we need to find

what kind of data do you have available?

4 total data sources, a recovered pc, recovered server, 2 recovered sticks

you've got the goldmine then! have you dug through autopsy videos at all? THM walk-throughs, cases, etc? youtube will be your best friend on this

I'm somewhat familiar with the software, but in my hubris I think most things are self explanatory in the software, I have not seen any specific walkthroughs

1:39 PM

what are THM walkthroughs?

1:40 PM

I google, nvrmind

1

it's a little self explanatory, once you've got an idea of what you're looking for. are you familiar with the data sources themselves ( not the software )? (edited)

1:42 PM

sometimes finding answers to your questions are as simple as a string search, which i think autopsy supports? super rusty with it, been a while since i've used it

I think its not supposed to be super difficult, one list I found so far has been encrypted however

1:43 PM

but the password was just hidden in a txt document autopsy found easily

1

1:45 PM

whatchama callit when you hide a string in a random file

sounds like it should be fairly easy then. if you're interested in learning forensics methodology, i always like to recommend 13cubed's intro to forensics course: https://www.youtube.com/playlist?list=PLlv3b9B16ZadqDQH0lTRO4kqn2P1g9Mve you can easily pick & choose the videos you think you'll need here (such as the introduction to usb detective)

1

thank you

np

Hello all. Hope you all had a good start for the new year

.... Wish to ask if there is anyone who can recognize or can suggest what to use to recognize the model and make of a car pls.

Aikon

Hello all. Hope you all had a good start for the new year

.... Wish to ask if there is anyone who can recognize or can suggest what to use to recognize the model and make of a car pls.

maybe https://carnet.ai/ ?

Digitalferret

maybe https://carnet.ai/ ?

thanks!

Hi all. Does anyone here know any resources that could help me in preparing for INE's eCDFP? Thanks in Advance for the lead.

Aikon

Hello all. Hope you all had a good start for the new year

.... Wish to ask if there is anyone who can recognize or can suggest what to use to recognize the model and make of a car pls.

If the computers fail and you know any cops, you probably know a cop who’s pretty good at it too! Lots of them are car nerds who also look at tons of crappy images and videos of suspect vehicles (unfortunately it’s not my wheelhouse) (edited)

1

I got excepted into Akron yesterday for Cyber Forensics ladies and gentlemen, transferring from Kent State

6

8:13 PM

Also, does anyone know what certifications are offered through their program?

Could someone update my role to Private Sector please? Can't seem to access role assignment channel anymore and I have been employed since joining this group. Thanks very much.

1

Thank you Matt

1

holly

If the computers fail and you know any cops, you probably know a cop who’s pretty good at it too! Lots of them are car nerds who also look at tons of crappy images and videos of suspect vehicles (unfortunately it’s not my wheelhouse) (edited)

Alethe Denis, in one of her OSINT workshops stressed that there is no replacement for the human eye. Tools are great, but can’t beat scrolling on screen and a practiced eye.

2

Is there any known method to decrypt static data from modern gaming consoles (Playstation 3, 4, and 5 / Xbox One S)? The only method for analysis would be to use an HDMI splitter and recording software after putting a cloned drive back into the console keeping the original drive (or an .E01 of the original drive) as evidence, right?

Along the same lines, what would be the method for examining a Nintendo Switch other than a pure manual examination? It looks like a fairly simple process to change settings in the Switch to allow for browsing the internet, so it is a possible platform for doing all those criminal things. (edited)

FullTang

Is there any known method to decrypt static data from modern gaming consoles (Playstation 3, 4, and 5 / Xbox One S)? The only method for analysis would be to use an HDMI splitter and recording software after putting a cloned drive back into the console keeping the original drive (or an .E01 of the original drive) as evidence, right?

Can't speak from experience but that seems pretty reasonable and best effort, in my eyes

1

FullTang

Is there any known method to decrypt static data from modern gaming consoles (Playstation 3, 4, and 5 / Xbox One S)? The only method for analysis would be to use an HDMI splitter and recording software after putting a cloned drive back into the console keeping the original drive (or an .E01 of the original drive) as evidence, right?

I don't think any of the tools can parse the proprietary file system of PlayStation's. I've always done a manual examination. Chat data is generally online also so it needs to be connected to the web. I think PS3s had the data on the machine. Web history is probably the only other useful thing. Although a colleague did have a case where CSE material was being downloaded to an Xbox. Can't remember what one though

1

FullTang

Is there any known method to decrypt static data from modern gaming consoles (Playstation 3, 4, and 5 / Xbox One S)? The only method for analysis would be to use an HDMI splitter and recording software after putting a cloned drive back into the console keeping the original drive (or an .E01 of the original drive) as evidence, right?

we've even down lower tech of using a video camera capturing the tv screen. all you can do at this point.

DCSO

we've even down lower tech of using a video camera capturing the tv screen. all you can do at this point.

I was thinking about doing that. Considering my department’s resources I think I’ll capture it with a normal Axon body camera.

FullTang

Is there any known method to decrypt static data from modern gaming consoles (Playstation 3, 4, and 5 / Xbox One S)? The only method for analysis would be to use an HDMI splitter and recording software after putting a cloned drive back into the console keeping the original drive (or an .E01 of the original drive) as evidence, right?

Ps4 user area can be decrypted with a chip dump, but you arent likely to get much more than via screenshot (perhaps a bit more internet history)

1

Andrew Rathbun

Can't speak from experience but that seems pretty reasonable and best effort, in my eyes

I know if you jailbreak/root the device you can sparse through the file system or even edit it, as far as getting useful information from a dump or cloning the drive, it gets a bit more sticky.

Does anyone know anything about criminalip.io or security.criminalip.com

7:32 AM

I have a fresh build of ubuntu on a new VPS i ordered, And there are multiple outgoing requests to there

B74

Does anyone know anything about criminalip.io or security.criminalip.com

Do a dns search

7:33 AM

They have a search systemm.. Surely this isn't legit.

7:34 AM

https://blog.criminalip.io/

Home

We offer CTI analysis featuring recent cybersecurity vulnerabilities and threats, and also other latest updates and useful guidelines about Criminal IP.

I guess I am missing something. Is this a box for school or legit web address you need information on?

7:36 AM

Or dns address I should say

I am concerned that there are requests TO this organisation on a fresh ubuntu installation.

7:37 AM

Is this something installed by ubuntu or the ISP..

7:38 AM

Think it poses a bit of a security risk to have your entire systems port mappings, services running, IP's etc etc sent to a third party on a fresh ubuntu install. Sounds like something installed by the host

7:39 AM

It may be something installed by the ISP to ensure that the VPS's are compliant with their terms perhaps but i've never seen this before.

What process is making the requests

I wasn't able to capture it.

Stormphoenix

What process is making the requests

^

7:42 AM

Give me a bit I’m looking for any info

7:44 AM

No dns records whatsoever, site is unreachable. Unfortunately without further info I can’t tell you what exactly is up.

Which site is unreachable?

Security.criminalip.Io is not a valid address. And there’s no dns information on it. Not even censys has information regarding it.

security.criminalip.com

7:45 AM

But then their main website is criminalip.io

I apologize one sec.

7:48 AM

7:50 AM

It’s a AWS bucket

7:50 AM

Interesting

7:52 AM

Where did you get the Ubuntu install?

7:58 AM

Not sure what else I can say brotha. Good luck

Has anyone done an extraction on an Oculus 2 recently?

FullTang

Along the same lines, what would be the method for examining a Nintendo Switch other than a pure manual examination? It looks like a fairly simple process to change settings in the Switch to allow for browsing the internet, so it is a possible platform for doing all those criminal things. (edited)

Quick update to this. I found a white paper giving an overview of a forensic analysis of a Switch, but it appears to require the use of PIN outs to force the switch to sideload software. Here is some of the data that can be forensically extracted: Connected Displays Last 50 Error Codes Save Time & Game Title Access Time & Game Title 300 users last played with Last Boot Time & Power State Changes .JPG,.MP4 &.PNG screenshots with Timestamps Birth Date, Email, Gender & Location MAC Addresses, NAT, Passwords & SSIDs https://www.sciencedirect.com/science/article/pii/S2666281721000044 On a lower level (and more practical for most purposes) the DNS settings are saved on a per access point basis and will even save if changed from automatic to manual DNS settings. Examining the saved WiFi settings to see if they have been altered to allow the Switch to connect to switchbru DNS (45.55.142.122 under manual DNS settings) should indicate if the user was frequently using the Switch to browse the internet to see if a more advanced analysis is needed.

Dead Man's Switch: Forensic Autopsy of the Nintendo Switch

The Nintendo Switch is a popular handheld gaming console that is used for a variety of purposes. The most common is that of gaming, however, there are…

2

Joe Schmoe

Has anyone done an extraction on an Oculus 2 recently?

Here is some recent research from DTSL https://mailchi.mp/403067ebd9cd/digital-forensic-bulletin-edition-19-novel-rf-in-smartphones-9210025?e=280cc7c3bf

Dstl Digital Forensics Bulletin - Edition 20 - Oculus Quest 2 Evalu...

arforensic

I made a cable (USB<->SERIAL) and connected it to the TKSTAR TK-905 GPS Tracker. After inserting the SIM card (turning on the device) I get only Bootloader information through Putty. Maybe someone has more experience and knows if it is possible to get additional information, IMEI, device configuration settings, etc. Video from my test https://youtu.be/_HhW97Owf5U

Did you get further with this device?

@ctr I find some working AT commands. However, this did not significantly benefit the research

I wanted to make a full memory copy (dump) but unsuccessfully. (edited)

Anyone familiar with Facebook Messenger records. Wondering if they can provide historical communication logs between users. I have the devices from suspect and victim however they have both deleted the communications. I do have screen shots taken by someone involved in the case however I would like if possible to obtain the logs showing the communication took place between the two accounts.

@ManishDTS Depends what youre bruteforcing. Think a bit outside the box. "Okay Im bruteforcing a websites index, Im going to use a directory specific wordlist", understand you can use any wordlist but some are not optimized for what you are doing. Rockyou.txt is one of the largest around but, thats used when no other wordlist is available and I desperately need the credentials. Kali comes preinstalled with a variety of wordlists in /usr/share/wordlists/ if youre simulating an APT, take all words from employees social medias, etc. There is no outline to tell you to "do this and you get this result"

Rock3t

@ManishDTS Depends what youre bruteforcing. Think a bit outside the box. "Okay Im bruteforcing a websites index, Im going to use a directory specific wordlist", understand you can use any wordlist but some are not optimized for what you are doing. Rockyou.txt is one of the largest around but, thats used when no other wordlist is available and I desperately need the credentials. Kali comes preinstalled with a variety of wordlists in /usr/share/wordlists/ if youre simulating an APT, take all words from employees social medias, etc. There is no outline to tell you to "do this and you get this result"

got it

ManishDTS

got it

I hope I was able to help

anyone have recommendations on standing/counter height work benches or desks? looking for something that isnt crazy priced that is better on my back than leaning over a card table to take things apart and examine them

kmacdonald1565

anyone have recommendations on standing/counter height work benches or desks? looking for something that isnt crazy priced that is better on my back than leaning over a card table to take things apart and examine them

Not sure what crazy priced is, but maybe something like this? https://www.amazon.com/WEN-WB4723T-48-Inch-Workbench-Outlets/dp/B08ZW1KYZN?source=ps-sl-shoppingads-lpcontext&ref_=fplfs&psc=1&smid=ATVPDKIKX0DER

WEN WB4723T 48-Inch Workbench with Power Outlets and Light

Remember when you had a reliable and attractive storage solution? The WEN Work Bench provides organization, power, and light. What more could you want? This spacious works station measures in at 62 inches tall with a 25 by 48-inch footprint. The included pegboard combined with the two 20 by 18-in...

in true government fashion, i dont know my own budget so i was trying to be semi-moderate

1

10:06 AM

i need to take measurements to see what will fit but that sort of thing should work. just looking for options and opinions

I don't have the space or need for that type of workbench right now, but I figure a heavy-duty, workshop-style bench with all the storage and lighting would be excellent for any DF lab.

we just got a ~~new building~~ repurposed building. a bunch of desks and offices for people, but the lab space is ...not ready... but at least we got a semi-green light to start that (edited)

1

Hello EVERYONE - Hope all is well. I wanted to ask a very general question. All input/info is welcome. Salute

I've been working as a Forensic Analyst for a few years now, most of my experience came from working for one of the big 4. Eventually I got good enough to start doing forensics work on the side. Any work I do on the side is mostly done for cash. I have started a company but I have not marketed myself in anyway. Looking for some advice on how to better market myself and get more solidified as a private contractor in DFIR. Looking for advice, personal branding ideas/websites or really just any thoughts on the matter. THANKS

kmacdonald1565

we just got a ~~new building~~ repurposed building. a bunch of desks and offices for people, but the lab space is ...not ready... but at least we got a semi-green light to start that (edited)

In a prior role, I had good luck ordering from: https://benchdepot.com/ and https://uline.com plenty of size/configuration options with anti-static surfaces, electrical outlets, lighting, parts bins, etc. Probably a bit higher priced than what @FullTang suggested, but they held up well to a bunch of cops breaking evidence apart on them

Benchdepot.com | Industrial Workbenches & Chairs

Supplier of standard formica and solid maple workbenches. Also cleanroom, static control (ESD) and chemical resistant workbenches.

ULINE - Shipping Boxes, Shipping Supplies, Packaging Materials, Pac...

Uline stocks over 38,500 shipping boxes, packing materials, warehouse supplies, material handling and more. Same day shipping for cardboard boxes, plastic bags, janitorial, retail and shipping supplies.

1

thank you for your suggestions. i will be putting a few packages together to try and meet my budgeted amount

Hey friends. Just wanted to share that we released Another free tool - Hexordia Sysdiagnose Log Toolkit - the both does extraction of Sysdiagnose Logs and can run our Syslog Monitor Tool (it is built in) for live monitoring. More info here: https://www.hexordia.com/blog-1-1/introducing-the-hexordia-sysdiagnose-log-toolkit

Introducing the Hexordia Sysdiagnose Log Toolkit — Hexordia

Introducing the Hexordia Sysdiagnose Log Toolkit

3

1

Original message was deleted or could not be loaded.

#training-education-employment

@Andrew Rathbun got it didn’t see that chat I’ll move that their. Thanks

https://investors.magnetforensics.com/news/press/news-details/2023/Magnet-Forensics-Inc.-Enters-into-Definitive-Agreement-to-be-Acquired-by-Thoma-Bravo/default.aspx

Magnet Forensics Inc. Enters into Definitive Agreement to be Acquir...

Magnet Forensics Inc. (the “ Company ” or “ Magnet ”) (TSX: MAGT), developer of digital investigation solutions for more than 4,000 enterprises and public safety organizations, is pleased to announce that it has entered into a definitive arrangement agreement (the “ Arrangement Agreement ”) with Morpheus Purchaser Inc. (the “ Purchaser ”), a new...

11

3

Andrew Rathbun

https://investors.magnetforensics.com/news/press/news-details/2023/Magnet-Forensics-Inc.-Enters-into-Definitive-Agreement-to-be-Acquired-by-Thoma-Bravo/default.aspx

Hmmm guess they won't be getting any cheaper on their licenses.

Andrew Rathbun

https://investors.magnetforensics.com/news/press/news-details/2023/Magnet-Forensics-Inc.-Enters-into-Definitive-Agreement-to-be-Acquired-by-Thoma-Bravo/default.aspx

Thoma Bravo Forensics, sounds interesting!

Ross Donnelly

Here is some recent research from DTSL https://mailchi.mp/403067ebd9cd/digital-forensic-bulletin-edition-19-novel-rf-in-smartphones-9210025?e=280cc7c3bf

Thanks for sharing this, I’ve signed up to the newsletter from this link. Good to see Dstl are still sharing info. I was at CAST briefly as a student!

1

What exactly is this hardware? And what's this software doing?

malrker

What exactly is this hardware? And what's this software doing?

Looks like a script or something is processing some kind of bin dump (maybe an image of the OS or image of the firmware running on that device) and it's pulled the admin password? As for the device, a network access control device? https://support.trustwave.com/kb/KnowledgebaseArticle20749.aspx

Trustwave Support

Trustwave helps businesses fight cybercrime, protect data and reduce security risk through cloud and managed security services, integrated technologies and a team of consultants, ethical hackers and security researchers.

So what's the superior file system out side FAT and NTFS

Cougra

So what's the superior file system out side FAT and NTFS

the one that suits the job at hand

1

Hi everyone, our free on-demand SQLite forensics course is now opened and will be offered for the next 30 days. You can find more details at https://www.linkedin.com/posts/yurigubanov_dfir-digitalforensics-mobileforensics-activity-7023303305330122752-9GFF

Yuri Gubanov on LinkedIn: #dfir #mobileforensics #computerforensics...

The SQLite Forensics course by Belkasoft is now officially open! The course is free (terms apply) to the followers of our LinkedIn group. You can follow up and…

@Yuri Gubanov (Belkasoft) any other way to follow the course without following you on LinkedIn, i dont have an account and to create a spam one just for this seems to miss its cause? (edited)

florus

@Yuri Gubanov (Belkasoft) any other way to follow the course without following you on LinkedIn, i dont have an account and to create a spam one just for this seems to miss its cause? (edited)

Yes, you can follow us on Twitter or Facebook. DM me if you do not have any.

3

Anyone able to spare 30-60 mins reviewing a framework I am developing as a quick evaluation platform for DF tools using remote agents? Feedback is via answering 6 questions about the framework (e.g. have I missed anything :-)) (part of a PhD project) (edited)

anyone know how to deal with sesparse vmdks?

Hello, this is a pretty generic question. In general, do there exist laws that prevent developing opensource DFIR solutions using DFIR tactics previously only used by the government? Assuming I didn't sign any NDA or NCA? (edited)

open

Hello, this is a pretty generic question. In general, do there exist laws that prevent developing opensource DFIR solutions using DFIR tactics previously only used by the government? Assuming I didn't sign any NDA or NCA? (edited)

Depends on the country you live in, I'd imagine. I can only speak (but not about this particular issue) for US and it looks like you're not from the US, correct? (edited)

Well, in the US context for example. Let's say I heard from someone that the government uses some tactics for DFIR that aren't that popular within opensource space. Am I allowed to develop an opensource tool of the similar functionality ?

Andrew Rathbun

Depends on the country you live in, I'd imagine. I can only speak (but not about this particular issue) for US and it looks like you're not from the US, correct? (edited)

To be frank, I think only a lawyer would be to answer this definitively, but in general, is it ok or not ok

open

To be frank, I think only a lawyer would be to answer this definitively, but in general, is it ok or not ok

I mean, unless an idea is trademarked, copyrighted, classified or what have you, someone who works in the government and someone who doesn't can come up with the same idea and it's not illegal so

‍♂️ but I'm not a lawyer so take it with a pound of salt (edited)

1

RichardA

Anyone able to spare 30-60 mins reviewing a framework I am developing as a quick evaluation platform for DF tools using remote agents? Feedback is via answering 6 questions about the framework (e.g. have I missed anything :-)) (part of a PhD project) (edited)

maybe #dfir-open-source-projects ?

Andrew Rathbun

maybe #dfir-open-source-projects ?

Thanks Andrew

Cougra

So what's the superior file system out side FAT and NTFS

btrfs or xfs if you don’t care about data integrity

ryd3v

btrfs or xfs if you don’t care about data integrity

FS wars, flame bait, lol

1

Hello, does anyone know why when receiving some details about the billing info from Google, some credit cards are shown with full details and some of them not (it just appears the date when they were added to GPay). It is because they were deleted/disassociated from the app?

Are there documented cases of an attacker abusing IMAP append? For example, an attacker with IMAP access to a victim’s email account inserting themselves into an ongoing conversation by appending (technically, replacing) an existing message?

Arsenal

Are there documented cases of an attacker abusing IMAP append? For example, an attacker with IMAP access to a victim’s email account inserting themselves into an ongoing conversation by appending (technically, replacing) an existing message?

Sounds like a question for @Metaspike

1

Don't know where to post this, but if someone has an LG Smart TV can you please test something. I know you can insert a USB drive and can browse images/videos. When you do this it appears to make a folder called "LG Smart TV\TN" which contains .tn3 thumbnails of the images/videos. I am curious of two things: 1. if you have the USB plugged in and browse the internet, can you download images to the USB? 2. if you unplug the thumbdrive and plug it back in to browse the images, does it update the timestamps on thumbnail files?

Has anyone encountered the issue where your USBs all crap out at random? Seems to have something to do with a Cellebrite USB driver. I get the following Windows Event Log:

Event 0, hcmon
Detected unrecognized usb driver  \driver\cbrtfltr

hi, does any know a solutions to acquire web pages and social networ evidence or to preserve a webpage for example

mdogilvie

hi, does any know a solutions to acquire web pages and social networ evidence or to preserve a webpage for example

Magnet Web Page Saver - https://www.magnetforensics.com/resources/web-page-saver/

1

Ryan W

Magnet Web Page Saver - https://www.magnetforensics.com/resources/web-page-saver/

thanks yes i tries it but does not works as i expect, it only takes snapshots and i need to download content of what i can

Where do we post questions about CDR Mapping? Mobile forensic decoding?

mdogilvie

hi, does any know a solutions to acquire web pages and social networ evidence or to preserve a webpage for example

You can check out FAW (its a forensics software for acquisition and preservation of website and social network data)

mdogilvie

hi, does any know a solutions to acquire web pages and social networ evidence or to preserve a webpage for example

https://www.socialnetworkharvester.de/en/home/ or https://www.x1.com/products/x1-social-discovery/

Freezingdata Team

Home

site.admin

X1 Social Discovery - Social Media and Internet-Based Data Collection

X1 Social Discovery is the industry-leading solution for anyone who needs to collect and search data from social networks and the internet

Thanks i looked both and they dont get what i need, i need support for p2p and download ftp and sftp sites

hardrain

Where do we post questions about CDR Mapping? Mobile forensic decoding?

#cell-site-analysis

2

Quick Q for the mobile analysts out there. While a user has been using the application Telegram, what is the difference between a file saved as -m and one that ends with m_partial in terms of their contents and accessibility? from what I have read, the flag -m would indicate that the file has been completely downloaded and may be in an accessible location to the user. The flag m_partial is a partially downloaded file that may not be accessible? How accurate is that?

Hello, I'm testing a multitude of tools to do forensic on *nux servers. I'd like to know if Velociraptor is good for linux or if it works mostly for Windows? (edited)

Hey everyone hope you are all doing well. Does anyone have experience with decrypting Telegram Desktop Cache Files? Could someone please point me in the right direction on this?

Wyrox

Hello, I'm testing a multitude of tools to do forensic on *nux servers. I'd like to know if Velociraptor is good for linux or if it works mostly for Windows? (edited)

https://github.com/golang/go/wiki/MinimumRequirements @randomaccess may have more insight too

MinimumRequirements

The Go programming language. Contribute to golang/go development by creating an account on GitHub.

It will work on both. You may need to add to the functionality

4:03 AM

I don't do much Linux analysis but it does work. And thankfully most Linux logs are text

Anyone here has experience with mt-next?

Hi DFIR folks, I am new to this channel.looking forward to learn and contribute more to the community

1

Anyone know what happened to the LE Technology Guide? Used to be distributed by the Oregon Homicide Detectives Association. Looks like its now behind some type of paywall. https://www.orhia.com/le-technology-guide (edited)

LE Technology Guide

Arsenal

Are there documented cases of an attacker abusing IMAP append? For example, an attacker with IMAP access to a victim’s email account inserting themselves into an ongoing conversation by appending (technically, replacing) an existing message?

Not a case as such but the principle explored here: https://www.metaspike.com/forensic-examination-manipulated-email-gmail/

Arman Gungor

Forensic Examination of Manipulated Email in Gmail

Forensic examination of a manipulated email in Gmail to determine how it differs from the original. Both server metadata and email header are utilized.

hardrain

Anyone know what happened to the LE Technology Guide? Used to be distributed by the Oregon Homicide Detectives Association. Looks like its now behind some type of paywall. https://www.orhia.com/le-technology-guide (edited)

I'm pretty sure a few years ago the guy who made it was retired. I wonder if he turned the site over to Cellhawk/LeadsOnline?

1

1:09 PM

I have old versions laying around

I have a 2020 Version. but there are a bunch of dead links in it. Specifically looking for some information for a homicide we are working involving an alexa. Lead is looking for some SW Language.

hardrain

I have a 2020 Version. but there are a bunch of dead links in it. Specifically looking for some information for a homicide we are working involving an alexa. Lead is looking for some SW Language.

https://www.amazon.com/alexa-privacy/apd/home brings me to this page, so this could be a start

1:15 PM

looks like voice recordings, detected sounds, anything related to third-party smart home devices linked via Alexa

1:15 PM

is Ring involved at all here? If so, you may have some good stuff in here

Thanks Man! Always appreciate you guys!

hardrain

Thanks Man! Always appreciate you guys!

Ping us if you need a second set of eyes. Good luck getting the bad guy

TreeRge

Not a case as such but the principle explored here: https://www.metaspike.com/forensic-examination-manipulated-email-gmail/

That is a really good article. I can confirm that at least one attacker has been using the technique described in this article for quite a few years. The article refers to the technique being used by someone maliciously editing an email they have received, but I am referring to a scenario involving an attacker using it against victims whose email credentials have been compromised. The MIME boundaries are effectively smoking guns. This is nasty and very easily missed if you aren’t looking specifically for it. (edited)

Arsenal

That is a really good article. I can confirm that at least one attacker has been using the technique described in this article for quite a few years. The article refers to the technique being used by someone maliciously editing an email they have received, but I am referring to a scenario involving an attacker using it against victims whose email credentials have been compromised. The MIME boundaries are effectively smoking guns. This is nasty and very easily missed if you aren’t looking specifically for it. (edited)

As mentioned previously, @Metaspike is your go to guy on this one.

hardrain

Anyone know what happened to the LE Technology Guide? Used to be distributed by the Oregon Homicide Detectives Association. Looks like its now behind some type of paywall. https://www.orhia.com/le-technology-guide (edited)

Hawk Toolbox now leads online here is the registration link: https://www.leadsonline.com/main/register.php https://support.hawkanalytics.com/

Hi, does anyone here have any tips or suggestions for recovering, from a jailbroken iPhone, URLs or top-level-domains of web pages that were viewed on the iPhone in Safari in private browsing mode?

James Pedersen

Hi, does anyone here have any tips or suggestions for recovering, from a jailbroken iPhone, URLs or top-level-domains of web pages that were viewed on the iPhone in Safari in private browsing mode?

maybe #mobile-forensic-extractions or #mobile-forensic-decoding depending on how far into the phone you are?

Hi, Anybody have docs on apple watch s7 data extraction? I'm looking for technical docs and info on the characteristics of the materials used. Thank you.

1

Does anyone know if it is possible to rename an evidence source in @Magnet Forensics AXIOM after it was processed? I know you can change it at the time of going through the Processing workflow. (edited)

ForensicDev

Does anyone know if it is possible to rename an evidence source in @Magnet Forensics AXIOM after it was processed? I know you can change it at the time of going through the Processing workflow. (edited)

No, sorry it’s not. But that’s on purpose.

1

MO

Hey everyone hope you are all doing well. Does anyone have experience with decrypting Telegram Desktop Cache Files? Could someone please point me in the right direction on this?

Belkasoft X has this function but one should be aware that no history is stored there, only pic/video thumbnails and things like emoji

b1n2h3x

Hey friends. Just wanted to share that we released Another free tool - Hexordia Sysdiagnose Log Toolkit - the both does extraction of Sysdiagnose Logs and can run our Syslog Monitor Tool (it is built in) for live monitoring. More info here: https://www.hexordia.com/blog-1-1/introducing-the-hexordia-sysdiagnose-log-toolkit

Is the Hexordia Sysdiagnose Log Toolkit able to decode the hashes of redacted data in the sysdiagnose logs? Or if not, @b1n2h3x , do you know of any tool or software that can be used to accomplish this? (edited)

@b1n2h3x Also, if you'd like, feel free to direct message me about this.

Hey everyone. I'm currently documenting incident response actions in an excel spreadsheet because that's what I have access to, but I'd be interested to learn what you folks use for documentation. Is there any software designed specifically for incident response documentation for example?

1:33 AM

If I can get some ideas I can raise that as a need to my superiors and hopefully get away from excel which is very clunky for this use.

James Pedersen

Is the Hexordia Sysdiagnose Log Toolkit able to decode the hashes of redacted data in the sysdiagnose logs? Or if not, @b1n2h3x , do you know of any tool or software that can be used to accomplish this? (edited)

No decoding in the tool… yet

returnip

Hey everyone. I'm currently documenting incident response actions in an excel spreadsheet because that's what I have access to, but I'd be interested to learn what you folks use for documentation. Is there any software designed specifically for incident response documentation for example?

Excel was specifically designed for IR engagements, do people use it for other stuff!?

6

Someone from the US LE that might be interested in a crypto fraud regarding a malicious NFT airdrop that leads to a website to "exchange" the NFT for some USDC? Ping-ed that particular web page, did a lookup and it gave me some US results and this is why. If interested please DM me. (edited)

ZetLoke77

Someone from the US LE that might be interested in a crypto fraud regarding a malicious NFT airdrop that leads to a website to "exchange" the NFT for some USDC? Ping-ed that particular web page, did a lookup and it gave me some US results and this is why. If interested please DM me. (edited)

https://www.ic3.gov/ try reporting here

Internet Crime Complaint Center(IC3) | Home Page

The Internet Crime Complaint Center, or IC3, is the Nation’s central hub for reporting cyber crime. It is run by the FBI, the lead federal agency for investigating cyber crime.

1

I am tasked with updating some processes for physical evidence handling (private sector), and I'd like to understand the current best practice before I make my recommendations. What is the current preferred container for storing/ transporting laptops - Plastic evidence bag or cardboard box (sealed with tamper proof labels)? How is the real evidence (ie: physical laptop) stored, in anticipation of litigation? Should the evidence be stored with the investigations team, or with legal (per any existing legal hold processes)? Any links to current guidelines/ best practices would be greatly appreciated.

Hi folks. Has anyone examined a PS2? If so do you have any pearls of wisdom please?

Never done a #DFIR #CTF before? No reason to be intimidated - it is a fun hands-on learning experience! Plus @KevinPagano3 and I have a workshop to help you prepare! Join us ow.ly/cTBo50Mwfxa

Does anyone have experience collecting data from a Meta Quest 2 VR headset? (edited)

7:57 AM

I understand the the device uses a variant of Android, has anyone been able to image it successfully using Cellebrite?

secluding

Does anyone have experience collecting data from a Meta Quest 2 VR headset? (edited)

Came across this the other day - https://dfir.science/2022/04/Oculus-Quest-2-First-Impressions-and-Research-Notes

Oculus Quest 2 First Impressions and Research Notes

Recently the DFIR Community Hardware Fund purchased a Meta Oculus Quest 2 VR headset. Unboxing and device images can be found here. I finally had time to set the device up and play with it a bit to see what it’s all about and possible forensic implications. All data, updates and documents for Oculus Quest 2 Forensics can be found here.

1

Hi, I am trying to recover some internet history. I had the idea to contact AT&T directly about it since we can prove that AT&T was the ISP being used at the time. Has anyone here ever successfully obtained internet history-related records from AT&T? Is this feasible? Thank you, James Pedersen

Need help from law enforcement friend in australia? (edited)

I have a question regarding handling laptops and phones where there is a swollen or physically damaged battery involved. We currently don’t have a good work space to handle these units with proper safety. So I was wondering what kind of equipment and safety precautions do you implement at your forensic labs? My gut feeling is that a lot of people just work on these units and hope for the best but we are looking for a long term solution.

BlackID

Need help from law enforcement friend in australia? (edited)

What do you need?

Andrew Rathbun

What do you need?

I will send you a dm

Johnie

I have a question regarding handling laptops and phones where there is a swollen or physically damaged battery involved. We currently don’t have a good work space to handle these units with proper safety. So I was wondering what kind of equipment and safety precautions do you implement at your forensic labs? My gut feeling is that a lot of people just work on these units and hope for the best but we are looking for a long term solution.

@Johnie This is something I take seriously. When my section encounters a swollen battery, we remove it from the device and temporarily store it in this: https://brimstonefireprotection.com/collections/fire-containment-bags/products/heavy-duty-battery-fire-and-smoke-containment-kit-large-laptop-preventer-and-preventer-plus-20-000-mah-tested ...until we can move it to our fireproof disposal container, that is filled with vermiculite, that our e-waste provider (https://www.veolianorthamerica.com/what-we-do/waste-capabilities/battery-recycling) will then take. All of our evidence items that contain a lithium battery is stored in one of these: https://cellblockfcs.com/battery-cabinets/ In the event we have a battery fire while an evidence item is out of the storage cabinet, we have several of these kits throughout our section: https://cellblockfcs.com/wall-mounted-libik/

Battery Fire and Smoke Containment Kit - Large Laptop Preventer™ HD...

We Are The Best Value Fire Containment Bag On The Market! SAFETY ORANGE, 4 LAYERS WITH VELCRO CLOSURE, AND 1 PAIR FIRE RESISTANT GLOVES (IN

Battery Recycling

Read more about how we can help your organization use innovative solutions to recycle batteries and help reduce waste.

Judy Thibeau

CellBlock Battery Storage Cabinets - Store lithium-ion batteries sa...

CellBlock Battery Storage Cabinets are a superior solution for the safe storage of lithium-ion batteries and devices containing them.

Judy Thibeau

Wall-Mounted LIBIK - CellBlock FCS

JLindmar (83AR)

@Johnie This is something I take seriously. When my section encounters a swollen battery, we remove it from the device and temporarily store it in this: https://brimstonefireprotection.com/collections/fire-containment-bags/products/heavy-duty-battery-fire-and-smoke-containment-kit-large-laptop-preventer-and-preventer-plus-20-000-mah-tested ...until we can move it to our fireproof disposal container, that is filled with vermiculite, that our e-waste provider (https://www.veolianorthamerica.com/what-we-do/waste-capabilities/battery-recycling) will then take. All of our evidence items that contain a lithium battery is stored in one of these: https://cellblockfcs.com/battery-cabinets/ In the event we have a battery fire while an evidence item is out of the storage cabinet, we have several of these kits throughout our section: https://cellblockfcs.com/wall-mounted-libik/

That kit looks great! And when you examine a laptop for example do you use safety googles and thinner type gloves in a ventilated area at the removal stage? Or do you have some other sort of protection between you and the device?

We do have a ventilation hood and PPE, but the need for there use is determined by the examiner on a case by case basis. More often, when a swollen battery is encountered, the kits are moved into the area for quick access and a second examiner is present to help if need be.

Does anyone have any recommendations for laptops that can have flexible/swappable storage options that are also easy to access? Looking at framework laptops but hoping for something a little less proprietary.

JLindmar (83AR)

We do have a ventilation hood and PPE, but the need for there use is determined by the examiner on a case by case basis. More often, when a swollen battery is encountered, the kits are moved into the area for quick access and a second examiner is present to help if need be.

Thanks for the great resources and response, currently working on upping our safety here at the lab as this has not been adressed before by the management...

Johnie

Thanks for the great resources and response, currently working on upping our safety here at the lab as this has not been adressed before by the management...

Honestly, I didn't think of addressing it until our Evidence Receiving Program Manager asked about lithium battery fire prevention measures. They had learned about a lab that lost the entire contents of their evidence storage vault due to a lithium battery fire, and wanted some prevention measures to be put in place. It is something I think most of us overlook because we deal with batteries so frequently. But until you have a problem, you may not think about prevention.

JLindmar (83AR)

Honestly, I didn't think of addressing it until our Evidence Receiving Program Manager asked about lithium battery fire prevention measures. They had learned about a lab that lost the entire contents of their evidence storage vault due to a lithium battery fire, and wanted some prevention measures to be put in place. It is something I think most of us overlook because we deal with batteries so frequently. But until you have a problem, you may not think about prevention.

Disaster is the best catalyst for change, sadly. Thanks again!

Hi all, just on the off chance, does anybody here use Faraday bags (or cases) from Sumuri?

Hi all, new to the channel so hi

. Is there any known process for offering feedback for Cellebrite UFED? I am interested in offering feedback about a feature request. Mainly having the ability to generate a search warrant return from the Extraction Summary.

SBcyberCop

Hi all, new to the channel so hi

. Is there any known process for offering feedback for Cellebrite UFED? I am interested in offering feedback about a feature request. Mainly having the ability to generate a search warrant return from the Extraction Summary.

@Cellebrite may be able to best advise you

1

spadart

Hi all, just on the off chance, does anybody here use Faraday bags (or cases) from Sumuri?

We use these cases: (edited)

1

spadart

Hi all, just on the off chance, does anybody here use Faraday bags (or cases) from Sumuri?

https://www.mtdfe.com

MTDFE.com Faraday Case Solutions | 100% Veteran Owned and Operated

MTDFE.com offers Faraday solutions for personal, military and law enforcement operations. MTDFE Faraday Solutions is 100% veteran owned and operated and offers high quality signal blocking | anti-tracking solutions to protect against hackers and preserve investigations.

1

Hey, I am looking for a full time cyber security research job. Anyone got something cool at a company that is centered around cyber security (or government)? I am dutch, so the netherlands would be nice. But not needed

Hi @Cellebrite, I was curious to know if there's any standard way to request a feature or provide feedback for Physical Analyzer. I serve about 3 to 4 search warrants a day with 3 to 6 devices per warrant. Search warrants require a return to search warrant detailing what was "seized." Is there any way to export the Extraction Summary to include it as a search warrant return to the court? For instance, our standard search warrant return is attached below. It allows for data to be entered on the form or attached. It would be nice if analyzer would allow a list showing the counts of artifacts recovered. "text messages: 5, images: 64, etc..."

2:24 PM

2:27 PM

Are you looking to report to the court on the items extracted from the phone or the items included in a UFED Reader report?

Both. In my case, the information contained in the UFED report is what is classified as "evidence"

SBcyberCop

Both. In my case, the information contained in the UFED report is what is classified as "evidence"

So are the courts concerned when you perform an FFS when you could have performed an advanced logical and only targeted the items listed in the warrant? Just curious about your procedure.

FullTang

So are the courts concerned when you perform an FFS when you could have performed an advanced logical and only targeted the items listed in the warrant? Just curious about your procedure.

The court specifically has not been concerned either way. Yet, at least. They are only concerned that the data inside the scope of the warrant is provided and reported. The rest is sealed.

1

SBcyberCop

Hi @Cellebrite, I was curious to know if there's any standard way to request a feature or provide feedback for Physical Analyzer. I serve about 3 to 4 search warrants a day with 3 to 6 devices per warrant. Search warrants require a return to search warrant detailing what was "seized." Is there any way to export the Extraction Summary to include it as a search warrant return to the court? For instance, our standard search warrant return is attached below. It allows for data to be entered on the form or attached. It would be nice if analyzer would allow a list showing the counts of artifacts recovered. "text messages: 5, images: 64, etc..."

Can you send me a Dm. I’d be curious to hear more about this

Quick question, our lab runs two types of work stations right now, both custom builds. We have 3 systems with I9-12900k and 128GB of ram. We also have 3 systems with 24 core 3960x Threadrippers and 256GB of ram. Recently we ran into a case with Axiom where it kept crashing the I9 system that it was running on due to extensive memory use. The threadrippers were able to process the same image without ever using more than 60GB of memory.

5:16 AM

Does anyone have any idea why, or if turning down the number of available cores in the I9 system might allow it to remain running without memory crashing. The I9's are secondary systems and sheer speed isnt as important as stability.

Kienn

Quick question, our lab runs two types of work stations right now, both custom builds. We have 3 systems with I9-12900k and 128GB of ram. We also have 3 systems with 24 core 3960x Threadrippers and 256GB of ram. Recently we ran into a case with Axiom where it kept crashing the I9 system that it was running on due to extensive memory use. The threadrippers were able to process the same image without ever using more than 60GB of memory.

What do the Axiom logs say? Someone with @Magnet Forensics might be able to assist.

Kienn

Does anyone have any idea why, or if turning down the number of available cores in the I9 system might allow it to remain running without memory crashing. The I9's are secondary systems and sheer speed isnt as important as stability.

Hi there! Getting the logs would be our first step in figuring out what’s up. DM incoming!

Kienn

Quick question, our lab runs two types of work stations right now, both custom builds. We have 3 systems with I9-12900k and 128GB of ram. We also have 3 systems with 24 core 3960x Threadrippers and 256GB of ram. Recently we ran into a case with Axiom where it kept crashing the I9 system that it was running on due to extensive memory use. The threadrippers were able to process the same image without ever using more than 60GB of memory.

I'm curious what the outcome of this is.

Will let you know, sent the logs, and waiting to pull them from second system.

SBcyberCop

Hi @Cellebrite, I was curious to know if there's any standard way to request a feature or provide feedback for Physical Analyzer. I serve about 3 to 4 search warrants a day with 3 to 6 devices per warrant. Search warrants require a return to search warrant detailing what was "seized." Is there any way to export the Extraction Summary to include it as a search warrant return to the court? For instance, our standard search warrant return is attached below. It allows for data to be entered on the form or attached. It would be nice if analyzer would allow a list showing the counts of artifacts recovered. "text messages: 5, images: 64, etc..."

Our returns just state that a "search and forensic examination of [device description] related to this search warrant was executed and electronic data obtained".

1

Does someone has spare servers? I wanted to build a full fledged cyber range and emulate threat actors, eventually threat hunt for them as well. If you have such facilities then do lemme know, I don't have such on my end, so I want some.

Hello all. Any tips on where I can find tethering/hotspot activation or usage logs from an iPhone 13 Pro? I have a full file system extraction

@Cellebrite is there any way to filter Trace Window events? Specifically hiding normal information ℹ️ logs and only showing warnings

️

rickster33

Hello all. Any tips on where I can find tethering/hotspot activation or usage logs from an iPhone 13 Pro? I have a full file system extraction

I think, don't have a extraction or phone in front of me, it's in the phone under Cellular in settings. Cellular Data, Personal Hotspot.

hi all, I am working a case where there are older artifacts of the target user running ccleaner64.exe. Most recent was Feb2022. I dont really have faith in this being the last date as I am sure ccleaner has improved its artifact cleanup in the past year. On my current image I am missing a ton of artifacts. I did a complete HD carve and have back quite a number of artifacts...many of them corrupt as you might suspect. An example of missing artifacts on the mounted image is %users%/appdata/chrome folder does not even exist. Although through a carve I discovered the user was using chrome actively. Any thoughts on how to identify if ccleaner64.exe was actively running, or other similar types of applications?

@Cellebrite I’m preparing for the CCME. My textbooks for CCO/CCPA are over 5 years old. Do I need to acquire new text books to study from?

SBcyberCop

I think, don't have a extraction or phone in front of me, it's in the phone under Cellular in settings. Cellular Data, Personal Hotspot.

Thank you. Yes that’s how to turn it off or on in the device. I was hoping to find a log of past connections in the phone extraction. Like a particular database or plist

SBcyberCop

@Cellebrite is there any way to filter Trace Window events? Specifically hiding normal information ℹ️ logs and only showing warnings

️

No there isn’t.

1

dcs453

@Cellebrite I’m preparing for the CCME. My textbooks for CCO/CCPA are over 5 years old. Do I need to acquire new text books to study from?

There likely has been changes. But not sure if it would warrant new books. Im not sure if you could get them without redoing the course.

DE

I am tasked with updating some processes for physical evidence handling (private sector), and I'd like to understand the current best practice before I make my recommendations. What is the current preferred container for storing/ transporting laptops - Plastic evidence bag or cardboard box (sealed with tamper proof labels)? How is the real evidence (ie: physical laptop) stored, in anticipation of litigation? Should the evidence be stored with the investigations team, or with legal (per any existing legal hold processes)? Any links to current guidelines/ best practices would be greatly appreciated.

I personally prefer plastic bags over boxes as the bags are easier for storage. I've seen clear plastic bags because it's easier to see the contents. I've also seen non-clear bags because it's meant to keep the contents private. So I guess as long as you can come up with a (reasonable) justification that satisfy your bosses is a good solution. And I've also seen brown paper bags as evidence bags...because they are cheaper comparing to the plastic ones. As for storage, a locked room with limited access or a safe with a log book is good enough for storage. The laptop should be only out for the examination and all the work should be done on the forensic images.

Hi all, quick question about how you use KAPE - What target do you typically collect? I've been using KapeTriage but wondered what else people recommend

Biscuit

Hi all, quick question about how you use KAPE - What target do you typically collect? I've been using KapeTriage but wondered what else people recommend

Yeah that one. I add wer and wmi

Biscuit

Hi all, quick question about how you use KAPE - What target do you typically collect? I've been using KapeTriage but wondered what else people recommend

I use the SANS_Triage and then EZParser as my first run

Thanks guys, I'll look into these

Biscuit

Hi all, quick question about how you use KAPE - What target do you typically collect? I've been using KapeTriage but wondered what else people recommend

If you're doing IR, would strongly recommend KapeTriage as a starting point. SANS_Triage IMO isn't production ready unless you're 100% certain what it's pulling is what you want. I think BasicCollection is probably a better fit for deadbox and KapeTriage is a better fit for IR. At the very least as starting points, from a Target perspective. SANS_Triage is simply meant to be a Compound Target that doesn't point to other Targets so students could see all the paths to files that the Target pulls. It's largely unmaintained unlike KapeTriage. It's just meant to be a spelled out version of a Compound Target that probably was constructed back in 2019 when KAPE came out. Whereas, KapeTriage has been updated with at least 3 significant artifacts in the past couple of years (I know because I was involved with all 3) so that's the one I'll stand behind, personally, for IR.

4

@Andrew Rathbun Just wondering, is there a way (I am thinking likely Powershell) to see from one or more compound targets, what the end targets all are? I am thinking this would be good for education, plus maybe working with LE or lawyers

dsplice

@Andrew Rathbun Just wondering, is there a way (I am thinking likely Powershell) to see from one or more compound targets, what the end targets all are? I am thinking this would be good for education, plus maybe working with LE or lawyers

https://github.com/AndrewRathbun/DFIRMindMaps/tree/main/Tools/KAPE/KapeTriage here's one for KapeTriage, is this what you're talking about?

Andrew Rathbun

https://github.com/AndrewRathbun/DFIRMindMaps/tree/main/Tools/KAPE/KapeTriage here's one for KapeTriage, is this what you're talking about?

YES, I knew something like it must have already been developed. Would still love to be able to do something like that programically for a set of targets (if you selected several compound ones) and would output everything that would run. But that helps alot, to visualize

1

dsplice

YES, I knew something like it must have already been developed. Would still love to be able to do something like that programically for a set of targets (if you selected several compound ones) and would output everything that would run. But that helps alot, to visualize

Something like this? Could make improvements to it, if you like. https://gist.github.com/Beercow/5e13282541f79580405f96364baca8d5

Python script to dump all fields in KAPE targets and modules, inclu...

Python script to dump all fields in KAPE targets and modules, including documentation - kape_info.py

I just need to figure out how to run it LOL

dsplice

I just need to figure out how to run it LOL

pip install PyYAML kape_info.py -d <targets dir> —target kape_info.py -d <modules dir> —module

Gives me an idea though to have better output on compound targets. See if I can make an update by the weekend. Time permitting of course.

1

LOL

Hallo, I am looking for an easy way to log shell commands that are used in live forensics. I encountered this once during a lecture on Mac OSX, but I can quite recall the name of the command. It worked something like this: 1) Enter the log command with target path. 2) From now on every executed shell command is executed and logged to the target path.

Andrew Rathbun

If you're doing IR, would strongly recommend KapeTriage as a starting point. SANS_Triage IMO isn't production ready unless you're 100% certain what it's pulling is what you want. I think BasicCollection is probably a better fit for deadbox and KapeTriage is a better fit for IR. At the very least as starting points, from a Target perspective. SANS_Triage is simply meant to be a Compound Target that doesn't point to other Targets so students could see all the paths to files that the Target pulls. It's largely unmaintained unlike KapeTriage. It's just meant to be a spelled out version of a Compound Target that probably was constructed back in 2019 when KAPE came out. Whereas, KapeTriage has been updated with at least 3 significant artifacts in the past couple of years (I know because I was involved with all 3) so that's the one I'll stand behind, personally, for IR.

As the author of basic collection, I don't use it lol

1

KillSwitchX7

Does someone has spare servers? I wanted to build a full fledged cyber range and emulate threat actors, eventually threat hunt for them as well. If you have such facilities then do lemme know, I don't have such on my end, so I want some.

That’s a tall ask, wouldn’t be cheap, I’d suggest the cheapest option, Linode

12:33 AM

Or check your local buy and sell. For example I bought a used server 3 years ago, been running 24/7 since then and I only paid $140 CAD. Which is like $40 USD

@Deleted User - Start-Transcript and Stop-Transcript Using PS?

MSAB_Adam

@Deleted User - Start-Transcript and Stop-Transcript Using PS?

Thank you! But I'm actually i looking for something that works for linux.

Deleted User

Thank you! But I'm actually i looking for something that works for linux.

Asking the dumb question, but .bash_history?

I'm aware of that. I just thought there was a little commandline tool for that.

Deleted User

I'm aware of that. I just thought there was a little commandline tool for that.

Ok, there is the Linux script command. Not sure if that would work fully for your situation. In the past, when doing red/blue team engagements, I had the offensive sec guys record everything inside of putty.

Keep in mind with bash, the history will only be saved on a normal exit of bash, if it crashes or is not closed the history will not be updated

8:09 AM

but you can configure it to record timestamps

8:10 AM

same mostly applies for zsh, but I think the default is to update the history file immediately and not on exit

8:11 AM

and what they may have been doing was redirecting which file is used for the history file by updating the environment variable HISTFILE (edited)

8:17 AM

You could set these environment variables at beginning of working the incident (applies to the current shell only)

export HISTTIMEFORMAT="%F %T "
export HISTSIZE=-1
export HISTFILESIZE=-1
export HISTFILE="/path/to/incident/bash_history"

and periodically run history -a to append current session history to the file if worried about crashes

1

8:20 AM

actually you may also be able to do the following to periodically save the history per http://northernmost.org/blog/flush-bash_history-after-each-command/ export PROMPT_COMMAND='history -a'

Flush bash_history after each command - All things sysadmin

If you, like me, often work in a lot of terminals on a lot of servers, or even a lot of terminals on the same one, you may recognise the frustration …

1

@Andrew Rathbun Odd question, but I have an analysis report from a homicide investigation. I've never put so much into one document and was wondering if there was anyone that could review or go through it before I submit it to the prosecutor's office? Phones, CDRs, a vehicle download, and some surveillance video.

I forget how to do log2timeline on multiple E01 files. Does anyone have a procedure on how to do that? I've only done it on one E01 file before..

PlastikPistol

@Andrew Rathbun Odd question, but I have an analysis report from a homicide investigation. I've never put so much into one document and was wondering if there was anyone that could review or go through it before I submit it to the prosecutor's office? Phones, CDRs, a vehicle download, and some surveillance video.

I'm happy to take a look and keep things confidential, but frankly if it's relating to phones, I'd suggest asking someone else. At the very least, I can sanity check it. Anything I can do to help on serious cases!

PlastikPistol

@Andrew Rathbun Odd question, but I have an analysis report from a homicide investigation. I've never put so much into one document and was wondering if there was anyone that could review or go through it before I submit it to the prosecutor's office? Phones, CDRs, a vehicle download, and some surveillance video.

I'd be interested in taking a peak just for reference and learning.

I'd recommend using something equivalent to the FBI Teleporter for sending it tho.

Hello all. I'm looking for some opinions on the best way to install Magnet Axiom. I currently have it installed on the same m.2 as the OS ( is this bad?). I have the temp folder set to a separate m.2 drive and I process from an m.2 array in RAID 0. I feel like I'm getting less performance than I should and am just looking for some opinions.

stps358

Hello all. I'm looking for some opinions on the best way to install Magnet Axiom. I currently have it installed on the same m.2 as the OS ( is this bad?). I have the temp folder set to a separate m.2 drive and I process from an m.2 array in RAID 0. I feel like I'm getting less performance than I should and am just looking for some opinions.

Honestly the thing that matters most with Axiom is probably the cores and threads of your CPU. Make sure you check your settings in process to make sure it’s set to use all available cores. (If you’re referring to performance when processing)

Fr0stByt3

Honestly the thing that matters most with Axiom is probably the cores and threads of your CPU. Make sure you check your settings in process to make sure it’s set to use all available cores. (If you’re referring to performance when processing)

It is set to use all 16 cores (32 logical). I'm using a Threadripper, I'm wondering if maybe that is the problem? (edited)

stps358

It is set to use all 16 cores (32 logical). I'm using a Threadripper, I'm wondering if maybe that is the problem? (edited)

Hey @stps358 can you remind me which CPU model that AMD is in your machine? And @Fr0stByt3 is right on core/thread count + clock speed = winner. So long as there's enough RAM to keep it all fed with instruction. Evidence read speed is the next big bottleneck.

chriscone_ar

Hey @stps358 can you remind me which CPU model that AMD is in your machine? And @Fr0stByt3 is right on core/thread count + clock speed = winner. So long as there's enough RAM to keep it all fed with instruction. Evidence read speed is the next big bottleneck.

Hey. Its a Threadripper Pro 3955WX. 256GB RAM. GPU 3080TI. All drives are nvme.

dfir-jesseee

I forget how to do log2timeline on multiple E01 files. Does anyone have a procedure on how to do that? I've only done it on one E01 file before..

hmm doing it wrong I guess

@stps358 that Threadripper Pro 3955WX is a decent processor for case work. That's sitting on an sWRX80 motherboard correct? Is that on an Asus Pro WS WRX80E motherboard or a different motherboard. That board is great for processing, and it needs ECC RAM. Are you using ECC RAM? What are the images looking like? Compressed or non-compressed? Also, what NVMe's? That setup should be going through some data fairly quick. Any way you can share some times on the front end processing speed from start to stop? It might not be the hardware at all.

dfir-jesseee

hmm doing it wrong I guess

rebooted and now its working

@Law Enforcement [USA] I've been asked a lot lately to be the traveling presenter for Cyber Bullying, Sexting etc for middle school to high schools. Is anybody willing to share there presentations so I can have an idea want to present on ? I'm not the creative type would help to have some ideas. DM me if you have anything, Thanks

DCSO

@Law Enforcement [USA] I've been asked a lot lately to be the traveling presenter for Cyber Bullying, Sexting etc for middle school to high schools. Is anybody willing to share there presentations so I can have an idea want to present on ? I'm not the creative type would help to have some ideas. DM me if you have anything, Thanks

I can shoot you a DM, I used to do similar presentations

1

Manny

@stps358 that Threadripper Pro 3955WX is a decent processor for case work. That's sitting on an sWRX80 motherboard correct? Is that on an Asus Pro WS WRX80E motherboard or a different motherboard. That board is great for processing, and it needs ECC RAM. Are you using ECC RAM? What are the images looking like? Compressed or non-compressed? Also, what NVMe's? That setup should be going through some data fairly quick. Any way you can share some times on the front end processing speed from start to stop? It might not be the hardware at all.

Yes that is the board. I don’t believe the memory is ecc though. Nvmes are Samsung evo

Anyone have some suggestions to help parse a huge (90GB) text file? All I want to do is extract out the numbers only lines to a new file. So anything with a letter or symbol can be ignored. Python? etc? Been trying to research python to help but I haven't gotten far...

@stps358 That's a nice setup on the system. What are you getting for processing times for "x" number of gigabytes or terabytes? Samsung 980 Pro or 990 Pro? Program is running off of the OS, Temp is on an NVMe, Cases is on an NVMe, and what's the source data sitting on? NVMe, RAID NVMe, 3.5" rotational?

Manny

@stps358 That's a nice setup on the system. What are you getting for processing times for "x" number of gigabytes or terabytes? Samsung 980 Pro or 990 Pro? Program is running off of the OS, Temp is on an NVMe, Cases is on an NVMe, and what's the source data sitting on? NVMe, RAID NVMe, 3.5" rotational?

I don’t have any times at this moment. Drives are 980 pros. Source is on nvme in raid 0.

@stps358 you're on 6.10? That system should be wicked fast for processing times. When you process a case do you see anything in Task Manager that looks like it's getting "bogged" down? Axiom will chew up some resources, but with that system you are probably good. Samsung 980 Pros (or 990 Pros) are the way to go. Is that NVMe RAID off of the board or on something like a HighPoint 7505 Controller? Is that image compressed? Sorry for the load of questions. Trying to help isolate anything.

@DCSO check NCMEC they have tons of stuff from handouts to presentations. You can tweak the presentations to fit your length of time and what your seeing in your community

chauan

I personally prefer plastic bags over boxes as the bags are easier for storage. I've seen clear plastic bags because it's easier to see the contents. I've also seen non-clear bags because it's meant to keep the contents private. So I guess as long as you can come up with a (reasonable) justification that satisfy your bosses is a good solution. And I've also seen brown paper bags as evidence bags...because they are cheaper comparing to the plastic ones. As for storage, a locked room with limited access or a safe with a log book is good enough for storage. The laptop should be only out for the examination and all the work should be done on the forensic images.

Amazing, thank-you for the insight!

Manny

@stps358 you're on 6.10? That system should be wicked fast for processing times. When you process a case do you see anything in Task Manager that looks like it's getting "bogged" down? Axiom will chew up some resources, but with that system you are probably good. Samsung 980 Pros (or 990 Pros) are the way to go. Is that NVMe RAID off of the board or on something like a HighPoint 7505 Controller? Is that image compressed? Sorry for the load of questions. Trying to help isolate anything.

No need to apologize. It’s driving me nuts that the system is slow. Raid is off the board. Images are mostly mobile .zips from GK. I can handle the longer processing time. What kills me is clicking through different artifacts etc. it always goes “not responding” before it switches or applies a filter etc.

@stps358 The 3080 is in the top slot (x16_1) like usual? (I know, it's a stupid question). How many other PCIe cards are installed?

A A

Anyone have some suggestions to help parse a huge (90GB) text file? All I want to do is extract out the numbers only lines to a new file. So anything with a letter or symbol can be ignored. Python? etc? Been trying to research python to help but I haven't gotten far...

Have you thought about using grep? I have done something similar and might have some examples that could help.

Manny

@stps358 The 3080 is in the top slot (x16_1) like usual? (I know, it's a stupid question). How many other PCIe cards are installed?

Yes. And just the Asus raid adaptor for the m.2s

@stps358 Makes sense. What about running one of the demos from GPU Caps Viewer just to make sure it's running at x16? I'm sure it is, but sometimes cards or slots get flaky. If you run the demo in GPU Caps Viewer there is a box in the corner that gives the PCIe bandwidth speed. https://www.techspot.com/downloads/4618-gpu-caps-viewer.html Also, maybe log in through IPMI on the motherboard and make sure the slot is set to x16? I've seen boards do all sorts of crazy things over the years. It's also a toss up with 4G Decoding Enabled or Disabled. I can help with the login through IPMI, but I'm sure you already did that to configure the RAID. Are you using the Nvidia Geforce Drivers or the Nvidia Studio Drivers? I've had better luck sometimes with workstation motherboards and the Nvidia Studio Drivers. I don't think that's the issue, but it's definitely something "weird" because that CPU, board, and GPU combination should be smoking through graphics and processing. (edited)

GPU Caps Viewer

GpuCapsViewer is an OpenGL graphics card utility for Windows.

2:48 PM

@stps358 Also, I'm sure you ran Passmark's Performance Test tool to benchmark the system, but sometimes running it again can identify sources of "lag" with the system. That GPU should be benchmarking fairly high in the charts. https://www.passmark.com/products/performancetest/index.php

Download PassMark PerformanceTest - PC Benchmark Software

Benchmark the speed of your PC computer hardware, then compare the result to other machines. Includes disk, 3D and CPU tests.

C. Russell

I can shoot you a DM, I used to do similar presentations

If possible please share a copy with me. I had this discussion today about working on something for next school year.

DCSO

@Law Enforcement [USA] I've been asked a lot lately to be the traveling presenter for Cyber Bullying, Sexting etc for middle school to high schools. Is anybody willing to share there presentations so I can have an idea want to present on ? I'm not the creative type would help to have some ideas. DM me if you have anything, Thanks

Check out the netsmartz series by ncmec

https://docs.google.com/document/d/1_DaciFToZjitG4tLCqOKKQPJvRAZ_gpobjHuoj_sjaY/edit#heading=h.u5b1frhb4jgk

Oops just saw other people suggested the same

Finally version 43 is out for my book

> Still in development > The art of purple teaming (edited)

2

A A

Anyone have some suggestions to help parse a huge (90GB) text file? All I want to do is extract out the numbers only lines to a new file. So anything with a letter or symbol can be ignored. Python? etc? Been trying to research python to help but I haven't gotten far...

I’m not sure how much hate I’ll get here for suggesting this but, you could literally reword this question a little and paste it into ChatGPT. It’s great for getting quick python code for tasks like this. As long as you are savvy enough to run the script, it should solve your problem quick.

MeGaBiTe

I’m not sure how much hate I’ll get here for suggesting this but, you could literally reword this question a little and paste it into ChatGPT. It’s great for getting quick python code for tasks like this. As long as you are savvy enough to run the script, it should solve your problem quick.

Wouldn't even need python Cat file | sed 's/a-z//g' But replace a-z with the regex you want to remove. For that chatgpt would likely get you close if not the exact string you need to put in there

11:28 PM

tr would also work but I can't remember what the characters for :letter: is, if might be that

randomaccess

Wouldn't even need python Cat file | sed 's/a-z//g' But replace a-z with the regex you want to remove. For that chatgpt would likely get you close if not the exact string you need to put in there

Sorry I should have specified that I was looking for a windows solution

MeGaBiTe

I’m not sure how much hate I’ll get here for suggesting this but, you could literally reword this question a little and paste it into ChatGPT. It’s great for getting quick python code for tasks like this. As long as you are savvy enough to run the script, it should solve your problem quick.

This is interesting if it works lol. I'll try something when I can get in to it....

FullTang

Have you thought about using grep? I have done something similar and might have some examples that could help.

I havent, and dont have much experience with it. Any examples you could provide would be appreciated!

A A

This is interesting if it works lol. I'll try something when I can get in to it....

I’ve shamelessly used it for far more complicated. I never have enough time, so anything to save a little.

3

A A

Sorry I should have specified that I was looking for a windows solution

Heh wsl is on windows

A A

I havent, and dont have much experience with it. Any examples you could provide would be appreciated!

You should be able to do it with the following command grep -x -E ‘[0-9]+’ OriginalList.txt > NumbersOnly.txt.

7:24 AM

I know that grep -x -E -v ‘[0-9]+’ Wordlist.txt > Alphanumeric.txt will pull out all alphanumeric lines into a new file and -v is the flag for reverse selection. I might be missing something as + might not be needed for your situation so testing would be required.

awesome! thank you! I'll let you know how it goes after I finish testing this chatgpt case haha

Hi all, I have a case where I am trying to recover Edge cleared browsing history and I would like to document what the users settings are as well. The settings for edge are edge://settings/privacy --> edge://settings/clearBrowsingDataOnClose I have looked in the registry for the user settings here, but perhaps I am missing it. On the cleared browsing history, I did a carve and got some back, but much is corrupt. Anyone know of another method to attempt?

CyberTend

Hi all, I have a case where I am trying to recover Edge cleared browsing history and I would like to document what the users settings are as well. The settings for edge are edge://settings/privacy --> edge://settings/clearBrowsingDataOnClose I have looked in the registry for the user settings here, but perhaps I am missing it. On the cleared browsing history, I did a carve and got some back, but much is corrupt. Anyone know of another method to attempt?

C:\Users\Andrew Rathbun\AppData\Local\Microsoft\Edge\User Data\Default\Preferences might have it? It should be a SQLite database so throw it into a SQLite viewer and poke around. If it's something you want a query written for, ping me and I'll do it (edited)

MeGaBiTe

I’ve shamelessly used it for far more complicated. I never have enough time, so anything to save a little.

The first iteration took too much memory and failed because it tried to load the whole 90GB into memory so I asked it for something less memory intensive and it came up with something else that worked awesome. Great suggestion, I will definitely be using that for other things in the future, as long as it's free lol

FullTang

I know that grep -x -E -v ‘[0-9]+’ Wordlist.txt > Alphanumeric.txt will pull out all alphanumeric lines into a new file and -v is the flag for reverse selection. I might be missing something as + might not be needed for your situation so testing would be required.

Since the other thing worked I didnt get to even try your suggestion but I appreciate you posting it regardless!

No worries, glad you figured it out!

Andrew Rathbun

C:\Users\Andrew Rathbun\AppData\Local\Microsoft\Edge\User Data\Default\Preferences might have it? It should be a SQLite database so throw it into a SQLite viewer and poke around. If it's something you want a query written for, ping me and I'll do it (edited)

Thanks I will look at that file and let you know.

Andrew Rathbun

C:\Users\Andrew Rathbun\AppData\Local\Microsoft\Edge\User Data\Default\Preferences might have it? It should be a SQLite database so throw it into a SQLite viewer and poke around. If it's something you want a query written for, ping me and I'll do it (edited)

Interesting on the preferences file. It appears to be just a text file. I found the string with the settings for this here: clear_data":{"edge_uwp_browsing_data":true,"form_data":true,"mf_protected_media_data":true,"passwords":true,"site_settings":true,"time_period":4

1

My agency has a DP10. Works great for on scene quick needs. Question is can I load the DP10 extraction into cellebrite PA.

digital Bowles

My agency has a DP10. Works great for on scene quick needs. Question is can I load the DP10 extraction into cellebrite PA.

Just sent you DM

Sharing for the wider group - Loading DP-10 extraction into other analysis tools-

DATAPILOT_10_Data_3rd_Party_Extraction_Tool_Import_Instructions_1.pdf

467.22 KB

hello

12:15 PM

is stenography used in real life scenarios ?

strategic

is stenography used in real life scenarios ?

FYI, this is digital forensics, not forensic science. Just making sure you're aware

Andrew Rathbun

FYI, this is digital forensics, not forensic science. Just making sure you're aware

you never heard of steganography tools on linux ?

strategic

you never heard of steganography tools on linux ?

Not really my wheelhouse

@strategic When you first asked the question, I was going to say "Stenography is used in court all the time"...But now I see you mean Steganography. I had one case where steganography was alleged, but we could not find it with any tools (this was 8 or 10 years ago). The problem with steganography is that if you don't find it, it does not mean it wasn't there....So anyone who says "I've never seen it in the wild" really just means they've never found it in the wild.

2

5cary

@strategic When you first asked the question, I was going to say "Stenography is used in court all the time"...But now I see you mean Steganography. I had one case where steganography was alleged, but we could not find it with any tools (this was 8 or 10 years ago). The problem with steganography is that if you don't find it, it does not mean it wasn't there....So anyone who says "I've never seen it in the wild" really just means they've never found it in the wild.

my bad on the typo, and thanks

I think of steganography as an obscure form of encryption, but the problem is it is file-based. So if someone was using steganography there should be traces of activity on the device(s) being examined. The examiner could find the steganography program, prefetch files showing the program ran (assuming Windows), deleted files pre-embedding or post-embedding into/outof other files, or other indicators that would prompt them to dig deeper. I also have never found it in the wild, just my way of looking at it.

Yeah steganography broadly speaking tends to be the realm of CTFs more than real DF. There will have been someone who’s probably done it to hide something, illegal or otherwise

1:19 PM

Having said that, recognising the telltale signs of stego isn’t necessarily bad, a 10MB file size for a 1080p image is quite an easy spot

1:19 PM

And CTFs are awesome

CyberTend

Interesting on the preferences file. It appears to be just a text file. I found the string with the settings for this here: clear_data":{"edge_uwp_browsing_data":true,"form_data":true,"mf_protected_media_data":true,"passwords":true,"site_settings":true,"time_period":4

Ya it's JSON

I was asked to create a directory/file inventory on a live MacBook. We have Recon ITR, yet I don't see any option to just grab a directory/file inventory. How would I accomplish such a task? I am not afraid to use CLI if that is what needs to happen. Ideally, the output should be a CSV where one line represents the full path (incl. file name), size, MACBs, etc.

You could try this https://github.com/jamf/aftermath

GitHub - jamf/aftermath: Aftermath is a free macOS IR framework

Aftermath is a free macOS IR framework. Contribute to jamf/aftermath development by creating an account on GitHub.

Does every electronic device use linux kernel, if i simply ask Does railway engine use linux kernal?

Is anyone available from @Cellebrite to explain the generated coding on the Watch Lists?

f1e19fbc-7500-4f52-8128-3d288af86e6a

(edited)

7:46 AM

03/02/2023 11:39:29
f1e19fbc-7500-4f52-8128-3d288af86e6a
Amphetamines

N
autofill,chat,contact,email,instantmessage,mms,note,searcheditem,sms,socialmediaactivity,webbookmark,visitedpage,text
N"N"#ffff00"Amy
N"N"#ffff00"Amps
N"N"#ffff00"Bam
N"N"#ffff00"B-Bombs
N"N"#ffff00"Beans
N"N"#ffff00"Bennies
N"N"#ffff00"Benz

7:47 AM

From what I can tell, it only changes when the name of the list changes. But I cant decode it.

SBcyberCop

Is anyone available from @Cellebrite to explain the generated coding on the Watch Lists?

f1e19fbc-7500-4f52-8128-3d288af86e6a

(edited)

Can you send me a Dm and we can take a look. Ill need to involve our coding group for this.

p2pexpert

Does every electronic device use linux kernel, if i simply ask Does railway engine use linux kernal?

Highly likely but you may run to something like Windows IoT here and there. Best way is to find documentations from the company or talk to the engineers.

I don't see the "perfect" channel to post this in so I'll start here

I love the idea of Plaso/Log2Timeline or that other solution that Google Devs built up, especially during IR or user activity reconstruction where you're dealing with large amounts of redundant data but I just haven't found the right mix of tooling to really help tell a story. Just curious how everyone else is presenting this kind of information. For example, a compromised web server with web logs and system logs intact but then i also have firewall logs to support and maybe theres some other backend windows system somewhere with some SQL transaction logs in the shape of windows events. I want to be able to combine all of that information, mute the baseline and build a timeline out of the anomalies lol

Hi, has anyone here ever successfully obtained a wiretap from AT&T before? Just curious. No need to provide case details, I'm just wondering how commonplace this is. (edited)

James Pedersen

Hi, has anyone here ever successfully obtained a wiretap from AT&T before? Just curious. No need to provide case details, I'm just wondering how commonplace this is. (edited)

depends how high you climb the ladder to ask

and those higher up are unlikely to give any info whatsoever https://www.theverge.com/2012/4/4/2925053/att-verizon-us-carriers-wiretap-charges AT&T declined to comment <cough> (edited)

p2pexpert

Does every electronic device use linux kernel, if i simply ask Does railway engine use linux kernal?

Good chance it is a SCADA system. Likely something proprietary and very simple as they generally are.

n3tl0kr

I don't see the "perfect" channel to post this in so I'll start here

I love the idea of Plaso/Log2Timeline or that other solution that Google Devs built up, especially during IR or user activity reconstruction where you're dealing with large amounts of redundant data but I just haven't found the right mix of tooling to really help tell a story. Just curious how everyone else is presenting this kind of information. For example, a compromised web server with web logs and system logs intact but then i also have firewall logs to support and maybe theres some other backend windows system somewhere with some SQL transaction logs in the shape of windows events. I want to be able to combine all of that information, mute the baseline and build a timeline out of the anomalies lol

This is a very difficult thing to get right with raw investigation data due to the number of events that are going to be present in the timeline. I'd recommend building a timeline based on your case notes and the questions you're asking during the investigation. One tool that can aid in this regard is Aurora, developed by Matthias Fuchs https://github.com/cyb3rfox/Aurora-Incident-Response

GitHub - cyb3rfox/Aurora-Incident-Response: Incident Response Docum...

Incident Response Documentation made easy. Developed by Incident Responders for Incident Responders - GitHub - cyb3rfox/Aurora-Incident-Response: Incident Response Documentation made easy. Develope...

1

Hello everyone, I was wondering if you can view a https handshake communicating with a restful API endpoint (Firebase), using Wireshark of a particular video streaming based app on android for investigative purposes. Is there any document around this, struggling to find some resources around this ? (edited)

if the app doesn't use certificate pinning, you could place your own certificate on the device and mitm

2

2:19 PM

or you could use something like frida injected into the app to examine memory or mitm function calls

1

rayeh

or you could use something like frida injected into the app to examine memory or mitm function calls

could you elaborate on MITM (Man in the Middle) function calls as in the source code of the app ? (edited)

I can't go into great detail as my exposure is limited to conference talks, but you can use it to debug functions the program defines- so for example if you identified the function that does the HTTP request you could inspect what URL, cookies, etc are passed to that function- or the returned object.

$CozyBear

Hello everyone, I was wondering if you can view a https handshake communicating with a restful API endpoint (Firebase), using Wireshark of a particular video streaming based app on android for investigative purposes. Is there any document around this, struggling to find some resources around this ? (edited)

Depends

1

$CozyBear

could you elaborate on MITM (Man in the Middle) function calls as in the source code of the app ? (edited)

Install interceptor-ng on your android device to carry out a MITM and get you started. Package lives on the Kali Nethunter store app.

Hey guys. I have two exhibits. A micro Sd card and a PC. I am trying to prove that the micro Sd card has been plugged into the PC in the past but I’m struggling to prove that as searches for the serial number don’t appear on the PC exhibit. May I ask what procedure you guy’s generally do for providing external devices were connected in the past? Maybe some key under registry?

does anyone knows a cloud GPU solution where hashcat is allowed ?

Yuto

does anyone knows a cloud GPU solution where hashcat is allowed ?

Have you tried https://shadow.tech/en-gb/ ? I am not sure if they allow hashcat though

will look into that, thx

Yuto

will look into that, thx

Monthly subscription fee, obviously dependent on your needs.

looks pretty expensive compared to other solutions. also, we won't need any graphical interface, and shadows seems to be pretty "gamer" driven

1

2:26 AM

but since it looks like a "personal computer", I guess I should be able to use whatever software (hashcat) I want

maybe look at aws idk if hashcat is allowed but i guess it should... https://aws.amazon.com/ec2/elastic-graphics/pricing/?nc1=h_ls

Amazon Elastic Graphics - Pricing

2:31 AM

https://www.eiken.dev/blog/2022/03/cracking-with-hashcat-in-the-cloud/ This guy did some hashcat on aws so i guess it should be ok ^^

Cracking With Hashcat in the Cloud

Thanks to the global chip shortage, for about two years certain electronic items are really hard to buy. This includes graphics cards, those things that make your display useful. They’re also beasts at cracking password hashes. Admittedly, I waited for the situation to resolve so I can buy a graphics card for a sane price and improve my hashcat ...

yeah, that looks more suited to our need

Yuto

does anyone knows a cloud GPU solution where hashcat is allowed ?

I've used AWS, in a similar way that is described in this SANS article. https://www.sans.org/blog/password-hash-cracking-amazon-web-services/

Password Hash Cracking in Amazon Web Services | SANS Institute

This article will discuss the use of cracking cloud computing resources in Amazon Web Services (AWS) to crack password hashes.

6:06 AM

I have not used this other then in a lab, but NPK is another potential solution: https://github.com/c6fc/npk . It also uses AWS

GitHub - c6fc/npk: A mostly-serverless distributed hash cracking pl...

A mostly-serverless distributed hash cracking platform - GitHub - c6fc/npk: A mostly-serverless distributed hash cracking platform

Has anyone had any success obtaining a secure folder password from a Samsung using the cellebrite extraction?

Yuto

does anyone knows a cloud GPU solution where hashcat is allowed ?

I usually use AWS

8:46 AM

though for less critical stuff, Vast.ai is cheaper

Is there a way to use a physical axiom dongle to verify licensing for an Azure VM? I find that with bigger cases, having an expanding drive is nice so I don’t have to have a dedicated server. Unless anyone else has any tips or tricks they’d like to offer. I’m at a loss at this point

Telegram..anyone have Law Enforcement contact info for this application. I need to serve a search warrant.

ForensicDev

I was asked to create a directory/file inventory on a live MacBook. We have Recon ITR, yet I don't see any option to just grab a directory/file inventory. How would I accomplish such a task? I am not afraid to use CLI if that is what needs to happen. Ideally, the output should be a CSV where one line represents the full path (incl. file name), size, MACBs, etc.

Hey there, ITR wouldn’t necessarily be able to export a file listing like that on its own, but you should be able to do that with RECON LAB using its super timeline feature. If you DM me I can send over a list of instructions on how to accomplish it or point you in the right direction

JNewman74

Telegram..anyone have Law Enforcement contact info for this application. I need to serve a search warrant.

Good luck! Telegram doesn't work with LE so far as I know (edited)

3

Hi all, probably @Andrew Rathbun I am reviewing a case where it is believed an individual downloaded company data and sent the data elsewhere. The file in question is Downloads.zip. I am looking in $MFT_Output in TLE, I have that file with .lnk only. Should I not see the actual(target) file show up in $MFT? I looked in $J as well and see no hits for downloads.zip. No zone identifier on this file either

CyberTend

Hi all, probably @Andrew Rathbun I am reviewing a case where it is believed an individual downloaded company data and sent the data elsewhere. The file in question is Downloads.zip. I am looking in $MFT_Output in TLE, I have that file with .lnk only. Should I not see the actual(target) file show up in $MFT? I looked in $J as well and see no hits for downloads.zip. No zone identifier on this file either

Do you have SRUM on that system? If so, and the event happened in the last 30 days or so, check SRUM Network Usages output to see if you see bytes outgoing via some proces of interest

11:46 AM

Does $J go back far enough to cover the timeframe of the event?

11:49 AM

Any third party storage providers in play, like OneDrive, Dropbox, Google Drive, etc?

Andrew Rathbun

Do you have SRUM on that system? If so, and the event happened in the last 30 days or so, check SRUM Network Usages output to see if you see bytes outgoing via some proces of interest

Ok, I will check SRUM, this is within the last 30 days of the image. Image date is 18NOV, Day in question is 27OCT. You are correct on $J, it does not go back that far. OneDrive is in play. No dropbox or Google Drive

CyberTend

Ok, I will check SRUM, this is within the last 30 days of the image. Image date is 18NOV, Day in question is 27OCT. You are correct on $J, it does not go back that far. OneDrive is in play. No dropbox or Google Drive

Possibly check out OneDrive Explorer by @Beercow as maybe that can help make better sense of those artifacts. One other idea is to check Volume Shadow Copies and see if $J will go further back. Long shot, but answer is no if you don't try

11:55 AM

If there's no Zone.Identifier, then maybe the data wasn't downloaded? Downloads.zip to me sounds like selecting a bunch of files in your Downloads folder, adding to archive, and not changing the filename. Maybe the zip file itself was created on disk, and not downloaded. Unless you know something I don't haha

CyberTend

Ok, I will check SRUM, this is within the last 30 days of the image. Image date is 18NOV, Day in question is 27OCT. You are correct on $J, it does not go back that far. OneDrive is in play. No dropbox or Google Drive

You could also check the $MFT shadow copies maybe...

Villano

You could also check the $MFT shadow copies maybe...

@Andrew Rathbun Shadow copies are another weird item noted in this investigation. The shadow copies are 11OCT, 13OCT, 17OCT and 24OCT. None of these produced a $J. They are all exactly the same size. I am looking for artifacts on 27OCT... I will pull the data into OneDrive Explorer as well.

CyberTend

@Andrew Rathbun Shadow copies are another weird item noted in this investigation. The shadow copies are 11OCT, 13OCT, 17OCT and 24OCT. None of these produced a $J. They are all exactly the same size. I am looking for artifacts on 27OCT... I will pull the data into OneDrive Explorer as well.

OneDrive should have up to 30 days worth of data. If you need any assistance, I’d be happy to help.

1

One other thing I can think of is to throw all the NTUSER, SOFTWARE, SYSTEM, etc hives into Registry Explorer and search for Downloads.zip and hope you find something you can pivot on in relation to that file and what might've been done with it

Andrew Rathbun

One other thing I can think of is to throw all the NTUSER, SOFTWARE, SYSTEM, etc hives into Registry Explorer and search for Downloads.zip and hope you find something you can pivot on in relation to that file and what might've been done with it

Thanks guys, I will give both of these a shot

JNewman74

Telegram..anyone have Law Enforcement contact info for this application. I need to serve a search warrant.

It's highly likely that you will not get any data from them. Their policy is they only give IP and phone number, and it has to be a confirmed terror suspect to get that info.

Mr.Robot

Good luck! Telegram doesn't work with LE so far as I know (edited)

K thanks..that's what I getting

1

CyberGhost

It's highly likely that you will not get any data from them. Their policy is they only give IP and phone number, and it has to be a confirmed terror suspect to get that info.

Copy that..thanks

Hey guys quick question. I’m unsure if this is the right channel, but I have an external hard drive that mount anymore but it shows in disk utility and such. Basically I used TestDisk and this is what I now see. I bought a new drive in an attempt to transfer the data so how would I go about this? I’m confused on how to copy the sectors or whatever to a new drive cus when I clicked “P” from the first image it wouldn’t allow me to see my files.

bengaka

Hey guys quick question. I’m unsure if this is the right channel, but I have an external hard drive that mount anymore but it shows in disk utility and such. Basically I used TestDisk and this is what I now see. I bought a new drive in an attempt to transfer the data so how would I go about this? I’m confused on how to copy the sectors or whatever to a new drive cus when I clicked “P” from the first image it wouldn’t allow me to see my files.

Could you repost in #data-recovery?

Will do thanks

1

Hi! Do anyone know of any good offline tool that can transcript (speech to text) the Arabic language? I have a lot of WA voice messages that I need to translate later on. Please tag me in your response so I don't miss out on your answer. Thanks!

hello!

1

nj_crtn

Has anyone had any success obtaining a secure folder password from a Samsung using the cellebrite extraction?

I believe Premium is the only method to BF it.

Yuto

yeah, that looks more suited to our need

AWS does not let you create large instance by default. I had to submit a ticket to identify the instances I want with justifications. This took couple days...so don't count on any instant access to super powerful instances. (edited)

Anyone in here experienced with Blind SQLi Injection? and mind giving me a little bit of direction on what to try next?

Rock3t

Anyone in here experienced with Blind SQLi Injection? and mind giving me a little bit of direction on what to try next?

I'm not saying you can't talk about red team stuff here but you may have better luck on the SANS Red Team server or some of the other more offensive minded servers. This is largely a blue team server but maybe someone will know!

Rock3t

Anyone in here experienced with Blind SQLi Injection? and mind giving me a little bit of direction on what to try next?

is it for a CTF? we can chat in #challenges-and-ctfs if it is

hey all, I'm trying to trace what injected into svchost.exe in M365 Defender logs. Anyone here familiar with what exactly should I look for?

@wadde - Have a look at Whisper - https://openai.com/blog/whisper/ (edited)

Introducing Whisper

We’ve trained and are open-sourcing a neural net called Whisper that approaches human level robustness and accuracy on English speech recognition. Read Paper View Code View Model Card Whisper examples: Reveal Transcript Whisper is an automatic speech recognition (ASR) system trained on 680,000 hours of ...

MSAB_Adam

@wadde - Have a look at Whisper - https://openai.com/blog/whisper/ (edited)

I will, thank you!

Sent you a DM @wadde

chick3nman

I usually use AWS

thx for the advice

SpaceInvader 🇦🇺

hey all, I'm trying to trace what injected into svchost.exe in M365 Defender logs. Anyone here familiar with what exactly should I look for?

Local logs on the endpoint or EDR logs via the defender portal?

DeeFIR 🇦🇺

Local logs on the endpoint or EDR logs via the defender portal?

the EDR logs in Microsoft 365 Defender portal

1:50 AM

I was looking for a comprehensive doco on the event logs Defender collects on process injection techniques

Hello everyone!

6

1

Evening all, just a quick one. I’m trying to see mobile devices with location data. If I connect these devices to my mobile hotspot, will they get the location from their own GPS or via the WiFi and GPS? Thanks

11:55 AM

And if anyone knows a great way to seed data on mobiles such as iOS and Android, let me know as I’m creating some validation devices for use in our lab

Fierry

This is a very difficult thing to get right with raw investigation data due to the number of events that are going to be present in the timeline. I'd recommend building a timeline based on your case notes and the questions you're asking during the investigation. One tool that can aid in this regard is Aurora, developed by Matthias Fuchs https://github.com/cyb3rfox/Aurora-Incident-Response

Thanks, definitely checking this out! I don’t mind doing my own tools and dev but there are so many lesser known jewels in forensics especially, I knew it was worth asking around lol

obi95

Evening all, just a quick one. I’m trying to see mobile devices with location data. If I connect these devices to my mobile hotspot, will they get the location from their own GPS or via the WiFi and GPS? Thanks

Depends. There are many ways mobile devices obtain their location. GPS. Wifi / Bluetooth or other network artifacts. If the phone is not in flight mode etc I would hazard a guess it would get a fix from the towers it can see and then a fine fix from Bluetooth beacons / wifi it can see

Just to make sure this group is for all digital forensics personnel correct? So say civilians who do digital forensics are allowed?

There’s no additional validation of roles beyond what users say at this moment in time. As a result you should refrain from discussions of sensitive TTPs. However if you want to collaborate with other members, LE or otherwise, we suggest you validate who they are and communicate privately through methods of your own choosing.

2

Understood. I just wanted to invite a friend who does digital forensics for police but she is a civilian and wanted to make sure that’s okay. She’s a certified forensic examiner and deals with the same sensitive data but I know it asked me when I joined.

Oh yeah we don’t make the distinction between sworn or unsworn

Many of us are unsworn, I swear! Lol

4

Does anyone know if there is a way to set export templates for @Cellebrite PA, or can we use Python for this? I need a template just to export certain categories of data (I.e. calls, contacts, messages , device info ) to excel so the user doesn’t have to tick the boxes every time.

facelessg00n

Does anyone know if there is a way to set export templates for @Cellebrite PA, or can we use Python for this? I need a template just to export certain categories of data (I.e. calls, contacts, messages , device info ) to excel so the user doesn’t have to tick the boxes every time.

If you find a way please share. I have been doing it very long way. A short cut would be great

Does anyone have experience with com.apple.rapport? Trying to verify what the Service: RPIdentity-FriendAccount is for. We have our theory but trying to see if we can find documentation regarding same

Surprised at how low detection rate Carbon Black is compared to the rest

5:24 PM

theres some new products out there I never heard of https://www.youtube.com/watch?v=NcVnDL_S9qQ&t=152s&ab_channel=MinervaLabs https://minerva-labs.com/armor-platform/armor-byond/

For events in Microsoft 365 defender that are tagged "Multiple failed user logon", is it possible to find information about the credentials used? Etc. is it possible to see if it is different password for each request?

Beyond the microsd card, does anyone here have experience forensically imaging a flipper zero with an enabled pin lock?

1

Is anyone from iPad Rehab on this channel or generally on this server? Does anyone know?

luis511_

Is anyone from iPad Rehab on this channel or generally on this server? Does anyone know?

@Jessa is, might ask her via PM

Ok. Thanks.

With Window 10+ updating the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate when the feature updates are installed and clearing out event logs, it clearly messes with the identification of the original OS install date/time. Has any one identified any other registry keys that maintain the original and true OS install date? For reference, I came across this article some time ago (https://az4n6.blogspot.com/2017/02/when-windows-lies.html). Unfortunately the suggested registry key "Setup\Source OS" in the SYSTEM hive does not exist on the machine in question.

When using a test device to validate findings, are you submitting anything from the test device to evidence or just reporting on what you found?

@luis511_@Arcain https://discord.gg/knqkXntQZT might be an option, too

Invite to join a server

Mobile Repair

rules

1

d0uch3bag

For events in Microsoft 365 defender that are tagged "Multiple failed user logon", is it possible to find information about the credentials used? Etc. is it possible to see if it is different password for each request?

Not that I am aware of

FullTang

When using a test device to validate findings, are you submitting anything from the test device to evidence or just reporting on what you found?

I’d personally archive the relevant artefacts (if possible and within reason), as well as your examination/analysis notes. That way your process and results are verifiable and reproducible if it’s brought into question (by referencing results of your own experiment). As to whether the entire device is entered as evidentiary property, I figure that would depend on the nature of the job, the difficulty in reproducing that data or constructing the same environment again. If you’re relying on multiple artefacts across an entire device and not just a singular artefact like a database or a config file or whatever, then again, depending on the complexity and nature of the job I’d consider entering the entire device into property.

1

ForensicDev

With Window 10+ updating the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate when the feature updates are installed and clearing out event logs, it clearly messes with the identification of the original OS install date/time. Has any one identified any other registry keys that maintain the original and true OS install date? For reference, I came across this article some time ago (https://az4n6.blogspot.com/2017/02/when-windows-lies.html). Unfortunately the suggested registry key "Setup\Source OS" in the SYSTEM hive does not exist on the machine in question.

There is also a 4-byte encoded timestamp at offset 33 in the "DigitalProductId" value that reflects when the OS install process started (InstallDate & InstallTime reflect when the OS installation process reaches a point requiring user input). I don't recall if it remains static, and it will also be dependent on the accuracy of the system clock when the installation process started. (edited)

1

Hi there, is anybody out there who has access to Sony TISS portal? I need a "LOCAL.UPG" file.

Hi, external xbox extended storage, can it be plugged into any xbox to be read or does it need to be the same model as the home device?

1

Does anyone know how to get ftkimagercli these days? seems to be gone from access data site

mack3701

Does anyone know how to get ftkimagercli these days? seems to be gone from access data site

I can send you a 32-bit CLI version if you want.

1

FullTang

I can send you a 32-bit CLI version if you want.

That would be great

mack3701

That would be great

DM incoming

Andrew Rathbun

I'm not saying you can't talk about red team stuff here but you may have better luck on the SANS Red Team server or some of the other more offensive minded servers. This is largely a blue team server but maybe someone will know!

copy that.

Hi, does anyone know a software i can use to securely extract a youtube video for purposes of preserving it forensic evidence?

Witty_anns

Hi, does anyone know a software i can use to securely extract a youtube video for purposes of preserving it forensic evidence?

https://www.4kdownload.com/34 I've used this before for YouTube. Worked great. Cheap too

4K Download – Free and useful applications for PC, Mac and Linux

Free and useful applications for all modern platforms. Download video, audio, subs from YouTube, grab photos from Instagram, make slideshows and much more!

2

Andrew Rathbun

https://www.4kdownload.com/34 I've used this before for YouTube. Worked great. Cheap too

Thank you so much Andrew. Let me check it out.

Witty_anns

Hi, does anyone know a software i can use to securely extract a youtube video for purposes of preserving it forensic evidence?

how do you mean, like, download from youtube site, or extract a saved / cached video from device? i use this addon in Firefox. it opens up a clickable pane multi format/quality, and you can copy the link if you want to download via alternate means. i use aria2c which seems to be quicker thandirectly from the browser (edited)

11:34 AM

Hey, what's the most viable VM for Forensics tests / practice / investigations?

Witty_anns

Hi, does anyone know a software i can use to securely extract a youtube video for purposes of preserving it forensic evidence?

https://github.com/yt-dlp/yt-dlp

GitHub - yt-dlp/yt-dlp: A youtube-dl fork with additional features ...

A youtube-dl fork with additional features and fixes - GitHub - yt-dlp/yt-dlp: A youtube-dl fork with additional features and fixes

3:17 PM

Best way to download anything over the net, works with Packt too

Deleted User

Hey, what's the most viable VM for Forensics tests / practice / investigations?

The one you’re most comfortable with

3:18 PM

Ubuntu, Kali, Fedora, Debian they all good.

3:20 PM

For me personally, Kali. I’m most comfortable with it and I can use it for anything , red team blue team, osint , malware analysis, development , you name it , as a rolling distro and a great kernel it’s a great choice. But to each their own, I also use flare vm on a windows dev box too.

3:21 PM

I also like Ubuntu and Fedora. Opensuse and Arch. Debian of course.

3:21 PM

One distro I do not like is ParrotOS

3:22 PM

Sounds like UwUntu linux

3:23 PM

;D

Ubuntu is great. If that’s what you’re comfortable using

I'll go for Kali, do you have any light weight hosts?

3:24 PM

Uh, for hosting Kali in a VM that isn't vmbox

I’m not sure what you mean by light weight hosts

I find it complicated to set up an os in

I use VMware workstation pro but virtualbox is just fine

3:25 PM

I’d probably just recommend virtualbox

3:25 PM

It’s pretty easy to use

Unless you’re on a Mac

3:25 PM

Then UTM

1

Gotcha, thanks for recommendations :)

No problem

3:26 PM

Back to my nap

Deleted User

Sounds like UwUntu linux

BTW look this one up later, it's the funniest ubuntu ripoff

No I’m ok thanks

3:27 PM

I don’t view anything with uwu included in the name

1

3:27 PM

;D

Even typing that out just now was cringe

Worth it

Unlikely

ryd3v

Ubuntu, Kali, Fedora, Debian they all good.

Dont forget tsurugi, New Kid on the block

2

Never tried. But I’ll check it out

Hey, got a question about OneDrive Personal vault Forensics (if any) The computer has a OneDrive personal vault with a malware in it, I don't know the PID to unlock it but I know the path of the .exe, is there any way to extract it from there to c:\temp for example? And let's per say the executable has been replaced from a different device (like a phone), what could be done about it?

Deleted User

Hey, got a question about OneDrive Personal vault Forensics (if any) The computer has a OneDrive personal vault with a malware in it, I don't know the PID to unlock it but I know the path of the .exe, is there any way to extract it from there to c:\temp for example? And let's per say the executable has been replaced from a different device (like a phone), what could be done about it?

That is something I have not looked into. May not be helpful now but time for some more research.

2

Deleted User

Hey, what's the most viable VM for Forensics tests / practice / investigations?

SANS SIFT workstation is a good start, Ubuntu based. Comes preinstalled with many opensource DFIR tools. https://www.sans.org/tools/sift-workstation/

SIFT Workstation | SANS Institute

Download the SIFT Workstation to receive free open-source incident response and digital forensic tools designed to perform detailed digital forensic examinations in a variety of settings.

1

The latest Macbook with Apple M1/M2 seems to have issues with virtualisation (fusion/virtualbox etc.). SIFT not working on latest Apple M2 processors- Any suggestions ?

The M1/M2 chips are a different architecture. Until Apple gets good at x64 cpu emulation, they will not work. Been an issue for a while. Only thing I can suggest, if you are only Mac, is get one just before they went to the M1 chipset.

Witty_anns

Hi, does anyone know a software i can use to securely extract a youtube video for purposes of preserving it forensic evidence?

https://github.com/ytdl-org/youtube-dl/

venkat

The latest Macbook with Apple M1/M2 seems to have issues with virtualisation (fusion/virtualbox etc.). SIFT not working on latest Apple M2 processors- Any suggestions ?

You can run SIFT in a docker instance. https://github.com/teamdfir/sift-dockerfiles

GitHub - teamdfir/sift-dockerfiles: A collection of Dockerfile inst...

A collection of Dockerfile instruction files uses to build docker images that pertain to SIFT - GitHub - teamdfir/sift-dockerfiles: A collection of Dockerfile instruction files uses to build docker...

6:52 AM

You can also install SIFT via CLI on top of an existing distro, but I'm not sure if it'll work on top of say a ubuntu or debain ARM install on Apple Silicon.

1

6:52 AM

https://github.com/teamdfir/sift-cli

GitHub - teamdfir/sift-cli: CLI tool to manage a SIFT Install

CLI tool to manage a SIFT Install. Contribute to teamdfir/sift-cli development by creating an account on GitHub.

Does anyone know approximately how much it costs them to add the ability to use their Cellebrite dongle while connected to their machine via RDP? (edited)

@abefroman pretty sure it's free, although that was the case during covid-19

venkat

The latest Macbook with Apple M1/M2 seems to have issues with virtualisation (fusion/virtualbox etc.). SIFT not working on latest Apple M2 processors- Any suggestions ?

Use UTM

Question, would there be any particular need to convert pcap data to JSON ? Like I get it's for reporting for wtv. What are the benefits of converting it when you already have PCAP data given in the file itself ? (edited)

actually wait you convert into HAR file format in debugger which is essentially based on a JSON schema ? but this is PCAP, that's a no go.

Anyone using M.2 NVMe in a RAID configuration? I'm in the process of rebuilding my analysis computers, have three, 2TB M.2 NVMe and I'm going back and forth with either using them as independent disks or configuring them as a RAID0. I already have a 12TB HDD RAID10 onboard, so the NVMe's will be used for temp processing (e.g. XWF, Physical Analyzer, etc.), etc. Trying to avoid parity configurations (e.g. RAID5) in order to limit program/erase cycles.

dsplice

The M1/M2 chips are a different architecture. Until Apple gets good at x64 cpu emulation, they will not work. Been an issue for a while. Only thing I can suggest, if you are only Mac, is get one just before they went to the M1 chipset.

Got to know about this incompatibility after purchasing M2

ryd3v

Use UTM

Tried it- no success

venkat

Got to know about this incompatibility after purchasing M2

Honestly the M1 and M2 chips have surprised me (in very good ways) but it reminded me of when Apple went from PowerPC chips, to intel

hamish_the_piper

You can run SIFT in a docker instance. https://github.com/teamdfir/sift-dockerfiles

Thanks, will give it a try

5:42 PM

Just happened to see this statement from SANS Website: " CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course."

venkat

Tried it- no success

What did you try? I’ve used it with no issues.

5:44 PM

I even have YouTube videos using it , even with older vulnhub images

That's great ! Would you mind sharing few tips how you did it, please

5:57 PM

@ryd3v

venkat

That's great ! Would you mind sharing few tips how you did it, please

Sure you can start with this one https://youtu.be/bLMALCIeVb0

ryd3v

Installing Kali on Mac M1 with UTM

did anyone solved ssrf in vAPI

ManishDTS

did anyone solved ssrf in vAPI

Probably won't find a lot of help in here for a bug bounty (assuming that's what you're asking about). If it's not, perhaps a little more context to your question would help.

vAPI is vulnerable API lab in which there is one challenge name ssrf. i was unable to solve that

2

ManishDTS

vAPI is vulnerable API lab in which there is one challenge name ssrf. i was unable to solve that

What does ssrf stand for?

Server side request forgery

ManishDTS

vAPI is vulnerable API lab in which there is one challenge name ssrf. i was unable to solve that

#challenges-and-ctfs

1

ryd3v

Sure you can start with this one https://youtu.be/bLMALCIeVb0

Thanks

No problem

DeeFIR 🇦🇺

Server side request forgery

I was trying to help without directly giving the answer. I guess I should have pointed to the proper channel lol. (edited)

FullTang

I was trying to help without directly giving the answer. I guess I should have pointed to the proper channel lol. (edited)

Oh sorry, I thought you were genuinely asking

DeeFIR 🇦🇺

Oh sorry, I thought you were genuinely asking

I can totally see that now when I reread my original post!

Does anybody know what the following file does, or how it is created on a Hauwei device? \data\user_de\0\com.huawei.systemmanager\files\o_c_utc.dat The contents of the file is basically a list files that are no longer present on the device, and folder structures which are no longer on the device. However they are all folders relating to a wide variety of communication applications that we are interested in. Is it an index of files that were present on the device at the time? Any advice is greatly appreciated.

good evening @Oxygen Forensics will there be a new version released in the next days?

i saw, the driverpack was updated yesterday... so maybe (edited)

abefroman

Does anyone know approximately how much it costs them to add the ability to use their Cellebrite dongle while connected to their machine via RDP? (edited)

During COVID, I asked Cellebrite Support and they activate the dongle for RDP. Dont know if it still free.... (edited)

JLindmar (83AR)

Anyone using M.2 NVMe in a RAID configuration? I'm in the process of rebuilding my analysis computers, have three, 2TB M.2 NVMe and I'm going back and forth with either using them as independent disks or configuring them as a RAID0. I already have a 12TB HDD RAID10 onboard, so the NVMe's will be used for temp processing (e.g. XWF, Physical Analyzer, etc.), etc. Trying to avoid parity configurations (e.g. RAID5) in order to limit program/erase cycles.

@JLindmar (83AR) Why would you use RAID0? You don't get any fault-tolerance when you use RAID0: See https://en.wikipedia.org/wiki/Standard_RAID_levels (edited)

Standard RAID levels

In computer storage, the standard RAID levels comprise a basic set of RAID ("redundant array of independent disks" or "redundant array of inexpensive disks") configurations that employ the techniques of striping, mirroring, or parity to create large reliable data stores from multiple general-purpose computer hard disk drives (HDDs). The most com...

James Pedersen

@JLindmar (83AR) Why would you use RAID0? You don't get any fault-tolerance when you use RAID0: See https://en.wikipedia.org/wiki/Standard_RAID_levels (edited)

I wasn't necessarily as interested in fault tolerance as I was in speed and capacity, while again trying to reduce the number of program/erase cycles on the SSDs to avoid premature wear out. I am open to other suggestions, but my RAID controller is limited on the configurations it supports.

chrisforensic

good evening @Oxygen Forensics will there be a new version released in the next days?

i saw, the driverpack was updated yesterday... so maybe (edited)

Hello, I am back, sorry for the late reply

The update will come out today morning EST time Salute

1

Other than Cellebrite and Spreadsheet viewers, what other tools can open Discord warrant returns in a more readable format? (edited)

Oxygen Forensics

Hello, I am back, sorry for the late reply

The update will come out today morning EST time Salute

thanks

downloading right now

1

Hi folks! Suggest me please free software which has capability to upload persons photo and it search similar images in the forensics image or physical drive?

GRIZZ

Other than Cellebrite and Spreadsheet viewers, what other tools can open Discord warrant returns in a more readable format? (edited)

I haven't tried it, but RLEAPP does have scripts to parse Discord returns. https://github.com/abrignoni/RLEAPP/tree/main/scripts/artifacts

RLEAPP/scripts/artifacts at main · abrignoni/RLEAPP

Returns Logs Events And Properties Parser. Contribute to abrignoni/RLEAPP development by creating an account on GitHub.

1

FullTang

I haven't tried it, but RLEAPP does have scripts to parse Discord returns. https://github.com/abrignoni/RLEAPP/tree/main/scripts/artifacts

@GRIZZ depends on the output file but RLEAPP should handle CSV and some other attachment types, I've never seen how the return files look but I know @Brigs has (edited)

thanks fly to @Oxygen Forensics for support decoding modified whatsapp versions oxygen

and ofcourse for the new bruteforce things

(edited)

3

chrisforensic

thanks fly to @Oxygen Forensics for support decoding modified whatsapp versions oxygen

and ofcourse for the new bruteforce things

(edited)

Where can i read the release note. I cant find it in an obvious place. (edited)

florus

Where can i read the release note. I cant find it in an obvious place. (edited)

Hello, newsletter been sent and What's New is available within the software

https://blog.oxygen-forensic.com/oxygen-forensic-detective-v-15-3/?utm_source=mailchimp&utm_medium=email&utm_campaign=release_15.3&utm_content=ofd_15.3&ct=t(EMAIL_CAMPAIGN_42_COPY_01)&goal=0_68d50c7459-c9b135f976-265069821&mc_cid=c9b135f976&mc_eid=6dfccb8fab (edited)

Courtney Reiber

Oxygen Forensic® Detective v.15.3

Check out the new updates and features that have been added to v.15.2: Brute force for Samsung and Huawei devices, enhanced support for Huawei devices, LastPass cloud extraction, import of Tinder archives, and support for modified WhatsApp versions

GRIZZ

Other than Cellebrite and Spreadsheet viewers, what other tools can open Discord warrant returns in a more readable format? (edited)

Sent you a PM

1

Please can someone from ICAC DM me. Need an assist. Thanks.

Deleted User

Please can someone from ICAC DM me. Need an assist. Thanks.

@ICAC

Which ICAC?

region would be helpful to narrow down the legal scope of responsibility

Hoping someone can help me find the minimum/recommended system requirements for celebrite premium? Unable to locate on the website.

Jam1e480

Which ICAC?

Thanks Andrew. USA region please.

Fuzz

Hoping someone can help me find the minimum/recommended system requirements for celebrite premium? Unable to locate on the website.

May want to ask #mobile-forensic-extractions

Deleted User

Thanks Andrew. USA region please.

We don't have that granularity with the ICAC roles, unfortunately. Hopefully someone reaches out

1

Andrew Rathbun

We don't have that granularity with the ICAC roles, unfortunately. Hopefully someone reaches out

Thanks everyone checking DM now. Appreciated.

if my windows 10 is version 2H22, is that effectively win11 ??

Anyone know if media files in a snapchat warrant return have the original date and time stamps maintained, or does snapchat strip this material similar to Facebook?

Hello! I'm currently a third year student at Teesside University studying Digital Forensics and as part of my dissertation I am running a survey based around the area of Cloud Forensics. It's a relatively short survey with mostly "tick the box" style questions. If you want to participate please read the attached document and click the survey link attached inside, thank you for your time.

Participant_Information_Sheet.pdf

169.01 KB

ddf_dude

if my windows 10 is version 2H22, is that effectively win11 ??

No, it's still Windows 10, it's just the 22H2 code base

1

Ghosted

Anyone know if media files in a snapchat warrant return have the original date and time stamps maintained, or does snapchat strip this material similar to Facebook?

Are you able to email them to confirm? IIRC they used to be very responsive to questions

1

Howlo

Hello! I'm currently a third year student at Teesside University studying Digital Forensics and as part of my dissertation I am running a survey based around the area of Cloud Forensics. It's a relatively short survey with mostly "tick the box" style questions. If you want to participate please read the attached document and click the survey link attached inside, thank you for your time.

I was going to complete this for you, but noted it's for law enforcement only

1

Howlo

Hello! I'm currently a third year student at Teesside University studying Digital Forensics and as part of my dissertation I am running a survey based around the area of Cloud Forensics. It's a relatively short survey with mostly "tick the box" style questions. If you want to participate please read the attached document and click the survey link attached inside, thank you for your time.

maybe add the criteria?

To be able to take part though you must be a forensic practitioner who works with or
for law-enforcement.
Unfortunately, you can't take part if you are not currently working with or for law-
enforcement.

Hi, I know that there will be a presentation on this subject at the next Magnet Summit in March, but I wanted to ask on Discord to learn about some of your experiences... What hardware is best for mainly using Physical Analyzer and AXIOM? Xeon? Threadripper? i9? Ryzen 7000 x3d?

JSDurand

Hi, I know that there will be a presentation on this subject at the next Magnet Summit in March, but I wanted to ask on Discord to learn about some of your experiences... What hardware is best for mainly using Physical Analyzer and AXIOM? Xeon? Threadripper? i9? Ryzen 7000 x3d?

Whatever I get from NCFI since I can't buy my own gear...

2

secluding

Does anyone have experience collecting data from a Meta Quest 2 VR headset? (edited)

Any luck with acquiring the Quest 2? Sounds like one might be coming my way

dfa_adam

Any luck with acquiring the Quest 2? Sounds like one might be coming my way

I was able to do 2 collections

1. I connected it to a write blocker and reviewed the file system, following the steps from this guide: https://dfir.science/2022/04/Oculus-Quest-2-First-Impressions-and-Research-Notes 
2. I was able to image the device using axiom's mobile android collection capability

Each of the different imaging methods obtained different artifacts. The axiom image had files showing what times games were launched/paused/closed

(edited)

1

secluding

I was able to do 2 collections

1. I connected it to a write blocker and reviewed the file system, following the steps from this guide: https://dfir.science/2022/04/Oculus-Quest-2-First-Impressions-and-Research-Notes 
2. I was able to image the device using axiom's mobile android collection capability

Each of the different imaging methods obtained different artifacts. The axiom image had files showing what times games were launched/paused/closed

(edited)

That's helpful, thanks. I assume yours didn't have an unlock pattern to bypass?

Nah, I don't think it is very common. The user has to manually enable it from the settings menu.

Okay. Did you try to enable developer mode as well, or just power on, plug in, allow access, and image?

I had to enable developer mode to perform the Axiom collection

okay, so power on, Settings>System>About>Pairing Code, download app, create and register an oculus developer account, create an organization, refresh app, pair quest 2, Menu>Devices>Developer Mode, restart quest2, plug into writeblocker, allow access, image?

I would recommend first imaging on a write blocker without enabling dev mode, and then would enable dev mode and perform the axiom collection (edited)

Yep, that makes sense. I'll aim to proceed like that then. May get a tester to run through the process as well. Thanks a lot!

I want a test Oculus as well. I don't have a suspect device to download (yet) but I'm supposed to always be prepared, right?

JLindmar (83AR)

I wasn't necessarily as interested in fault tolerance as I was in speed and capacity, while again trying to reduce the number of program/erase cycles on the SSDs to avoid premature wear out. I am open to other suggestions, but my RAID controller is limited on the configurations it supports.

@JLindmar (83AR) This might be of interest to you: http://www.storagesearch.com/ssdmyths-endurance.html (edited)

1

https://www.twitch.tv/producerwolf I am live guys!! just doing some writing and AMA feel free to hop in ((: and dont be afraid to ask -Infosec content

Morning/afternoon everyone. Is there a way to recover a users deleted browsing history? In particular for Edge ?

Calyx

Morning/afternoon everyone. Is there a way to recover a users deleted browsing history? In particular for Edge ?

Since it is based on Chromium, I believe the same SQLite recovery methods should work as for any other SQLite databases

Calyx

Morning/afternoon everyone. Is there a way to recover a users deleted browsing history? In particular for Edge ?

Looking to see if the system has a shadow copy volume would be my first try, might be able to recover it from a point in time before they deleted it.

6:00 AM

(That's assuming it's a Windows system)

What kind of madman would install Edge on Linux xD

1

ryd3v

What kind of madman would install Edge on Linux xD

There are some strange people in this world

1

ryd3v

What kind of madman would install Edge on Linux xD

you could have ended at ..install Edge

1

5

Guys I have a question about transaction regarding NTFS data loss. What does it mean exactly? One definition my professor gave me was that it ensures that volume altering operations are "completed in their entirety or not at all". Still confused and would appreciate an explanation

Woomir

Guys I have a question about transaction regarding NTFS data loss. What does it mean exactly? One definition my professor gave me was that it ensures that volume altering operations are "completed in their entirety or not at all". Still confused and would appreciate an explanation

Older filesystems don't keep a journal of pending write operations, which can lead to data loss if the system is powered off unexpectedly in the middle of a write to disk. Volatile RAM is much much faster than spinning hard drives, and even SSDs. Writes to disks are not immediate, so ntfs implements a journal of transactions so if the system is unexpectedly powered off on the next boot it can check for transactions in that journal that aren't marked completed and attempt to fix issues that may have been caused by an incomplete write to disk

1

7:40 AM

Impressed with the chatgpt answer though NTFS (New Technology File System) uses a system journal to prevent data corruption in the event of a system crash or unexpected power failure. The system journal is a log file that records all changes made to the file system before they are committed to disk. The journal is stored in a dedicated area of the disk and contains a record of all metadata updates made to the file system. This includes changes to the Master File Table (MFT), file and folder attributes, and security descriptors. When a change is made to the file system, it is first recorded in the journal. The change is not considered complete until it has been recorded in the journal, ensuring that the file system is always in a consistent state. In the event of a system crash or power failure, NTFS can use the information in the journal to roll back any incomplete transactions and restore the file system to a consistent state. The journal is used to complete any transactions that were in progress at the time of the crash, and any incomplete transactions are undone to ensure data consistency. In summary, the NTFS system journal is used to record changes to the file system and ensure that all transactions are completed before they are committed to disk. In the event of a system crash, the journal is used to restore the file system to a consistent state and prevent data corruption.

2

Hey, so basically I was asked to help the law enforcement in my country, it's about bank transactions; In short - we have the suspect's PC and a list of individual bank transactions that isn't just theirs I managed to filter the suspect's transactions and extract the data they were looking for, but I noticed they transferred money to multiple different accounts so now the enforcements asked me if I could check their conversations within telegram / messenger / Viber, they're logged out from Telegram and Viber, is there a way to export chat data from logged out accounts?

@Deleted User if the suspect is using a browser you can't. If the law enforcement agency seized the phone you could access those chat with an acquisition of the suspect phone. If the warrant allow it you could check the saved password in the browser and try to connect remotely and do a takeout. Or you could do a mirror copy of the drive and start the computer with the copy and try to connect to viber, whats app, messenger, etc... and then do a takeout. Good luck

8:53 AM

*if the suspect's using a web browser to access those chat you can't

Yep, they have Viber and Telegram both installed, at least I can try these, thanks for the help!

Which forensic tool are you using

Will Magnet ram capture be useful for this?

has the pc been turned off since the seizure?

Yeah, it's a laptop that's been used multiple times after

who used it?

The law enforcement, not sure what they did with it during that time

9:11 AM

ram capture wont help you

Anything with disk manager?

i'll dm you

Alright

In the meantime, there seems to be an issue with some characters displaying in excel, any clue how to fix these?

Deleted User

In the meantime, there seems to be an issue with some characters displaying in excel, any clue how to fix these?

Specify encoding

As in, what's the current encoding?

10:41 AM

Or do I have to specify a different encoding

is there a section where you can annouce when your stream infsec content?

Wolf

is there a section where you can annouce when your stream infsec content?

Do it here I guess. Probably the best option (edited)

Im torn between my current role as an infrastructure engineer, and a job opportunity i received for active directory management for a hospital. My end goal is to be set in a digital forensics position, so im trying to see if it makes sense to transition to a healthcare environment. My question essentially, are there digital forensic positions in healthcare? Its a pretty big hospital name with several locations. I am just trying to see if working i.t. in a hospital would bring me closer to my goal of becoming a digital forensic examiner, and if it makes sense to stick with the position hoping to pivot into a SOC role, and then into DFIR at the hospital (if they have DFIR), or if im better off building my skills hoping for a DFIR role in the future. Thanks!

GligarCounter

Im torn between my current role as an infrastructure engineer, and a job opportunity i received for active directory management for a hospital. My end goal is to be set in a digital forensics position, so im trying to see if it makes sense to transition to a healthcare environment. My question essentially, are there digital forensic positions in healthcare? Its a pretty big hospital name with several locations. I am just trying to see if working i.t. in a hospital would bring me closer to my goal of becoming a digital forensic examiner, and if it makes sense to stick with the position hoping to pivot into a SOC role, and then into DFIR at the hospital (if they have DFIR), or if im better off building my skills hoping for a DFIR role in the future. Thanks!

I've seen DFIR roles with hospitals. Some of the larger healthcare networks in my area that are also connected to a University have in house DFIR people. They are a very small group, but that's just my one sample. Every situation is different, but I don't see how it can hurt. If you have IT/infrastructure experience can potentially help you if your goal is to move into digital forensics eventually. Make friends with whoever does IR works now if they do it in house, let it be known you are interested in digital forensics.

https://www.twitch.tv/producerwolf

12:04 PM

almost at 24 hours lol

GligarCounter

Im torn between my current role as an infrastructure engineer, and a job opportunity i received for active directory management for a hospital. My end goal is to be set in a digital forensics position, so im trying to see if it makes sense to transition to a healthcare environment. My question essentially, are there digital forensic positions in healthcare? Its a pretty big hospital name with several locations. I am just trying to see if working i.t. in a hospital would bring me closer to my goal of becoming a digital forensic examiner, and if it makes sense to stick with the position hoping to pivot into a SOC role, and then into DFIR at the hospital (if they have DFIR), or if im better off building my skills hoping for a DFIR role in the future. Thanks!

In my experience working for an academic medical center we have had large, continuing growth in cybersecurity headcount over the last decade. I suspect that is similar for for-profit healthcare systems, but it depends on the scale- some may outsource to an MSSP. Internally, there are roles related to incident response and forensics (with a heavy focus on malicious ioc identification for purposes of containment and access of sensitive material). There are also some roles that do digital forensics for the purpose of investigating academic misconduct for example In terms of "is it worth taking the spot just for a path into DFIR", it's hard to make a judgement call on that (edited)

Hello. How to bypass bootloader lock of samsung device? Oxygen Detective does it.

5:32 PM

Exynos.

5:33 PM

I think I need to push some code with Odin.

밍코 (dead,legacy)

Hello. How to bypass bootloader lock of samsung device? Oxygen Detective does it.

#mobile-forensic-extractions

ok

Hi there, new to this Discord so I apologise if this is the wrong place to ask. Does anyone have any experience examining Xiaomi devices? Specifically the Xiaomi POCO 3 in my case, and the Mi Gallery app?

1

exFAT

Hi there, new to this Discord so I apologise if this is the wrong place to ask. Does anyone have any experience examining Xiaomi devices? Specifically the Xiaomi POCO 3 in my case, and the Mi Gallery app?

#mobile-forensic-decoding if you post the Android version, device, and APK version you might have some luck.

DeeFIR 🇦🇺

#mobile-forensic-decoding if you post the Android version, device, and APK version you might have some luck.

Thanks very much!

Hi, can anyone suggest to me the relevant study materials for Ec council's CHFI V10 certification exam? I am opting for self study and sit for the exams right away.

I am looking for those who have experience with Magnet’s Automate Enterprise. Easy to use? Effective? Issues? Anybody use it to collect full forensic images? Thank you

@rayeh @CyberGhost thank you so much. This information actually helped me a lot in my decision, and I appreciate you reaching out!

2

Wolf

almost at 24 hours lol

CyberGhost

SANS SIFT workstation is a good start, Ubuntu based. Comes preinstalled with many opensource DFIR tools. https://www.sans.org/tools/sift-workstation/

Last time I used that, it was buggy as hell and a nightmare to update xD

Because I can

rayeh

Impressed with the chatgpt answer though NTFS (New Technology File System) uses a system journal to prevent data corruption in the event of a system crash or unexpected power failure. The system journal is a log file that records all changes made to the file system before they are committed to disk. The journal is stored in a dedicated area of the disk and contains a record of all metadata updates made to the file system. This includes changes to the Master File Table (MFT), file and folder attributes, and security descriptors. When a change is made to the file system, it is first recorded in the journal. The change is not considered complete until it has been recorded in the journal, ensuring that the file system is always in a consistent state. In the event of a system crash or power failure, NTFS can use the information in the journal to roll back any incomplete transactions and restore the file system to a consistent state. The journal is used to complete any transactions that were in progress at the time of the crash, and any incomplete transactions are undone to ensure data consistency. In summary, the NTFS system journal is used to record changes to the file system and ensure that all transactions are completed before they are committed to disk. In the event of a system crash, the journal is used to restore the file system to a consistent state and prevent data corruption.

Hi everyone, I created a mini-book on ChatGPT in DFIR. No rocket science inside, but I hope it is entertaining to read. You can request your download at https://belkasoft.com/download-your-free-ebook-on-chatgpt-in-dfir

2

Yuri Gubanov (Belkasoft)

Hi everyone, I created a mini-book on ChatGPT in DFIR. No rocket science inside, but I hope it is entertaining to read. You can request your download at https://belkasoft.com/download-your-free-ebook-on-chatgpt-in-dfir

image 100% nailed it .. across the board, not just DFIR. to err is human, to really %^&k up takes a PC ChatGPT

1

Digitalferret

image 100% nailed it .. across the board, not just DFIR. to err is human, to really %^&k up takes a PC ChatGPT

Thanks

i suspect this is old(er than we think) technology though , i mean, I've seen political speeches for decades now, in the same vein. sounds great, but factuality can be somewhat hit-&-miss: thruthiness comes to mind

ryd3v

Last time I used that, it was buggy as hell and a nightmare to update xD

I use it pretty much every day, no more issues when a normal system

1

Hey, does anyone know what Appsglobals.txt stores?

9:36 AM

Is it evidence of execution or installed executables and so on

I have an iPhone 12 Pro Max from a case from person A. There are 2 chats that contain persons A,B and C. A and B are using the same devices and same numbers for both. However, C has 2 phones and in 1 chat is using his 1st device and in the other chat he's using his 2nd device. In the software they show up as 2 separate chats. Person A had previously provided screen shots to my client that shows messages that came from the separate chats combined together in one "chat". I found out that person A was using iMessage on his iMac to produce the screenshots. I haven't been a Mac user for years, but am wondering how that is possible with 2 separate chats. Does iMessage on the Mac go off the contact names somehow not the chat? My client is looking for an explanation as to how it happened. Anyone have thoughts?

Deleted User

Hey, does anyone know what Appsglobals.txt stores?

Looks like possibly process IDs? Do any of those correlate with what you're seeing in Task Manager?

Seems like it stored some processes with their IDs, although it dates far back in 11/08/2022

11:29 AM

And some executables as well

Anyone knows how to extract NTFS/Journal data from a .raw ram capture? (I'm on Kali)

volatility dumpfiles is probably your best bet. list the files, get the offset, -q (offset) --dumpdir=(directory) note: may vary by windows and volatility version (edited)

thanks!

1:52 PM

*

1:53 PM

Oops nvm :)

ah volatility 3. good luck

Hahaha yeah, heard vol2 is better...

1:58 PM

Seems like sudo apt install python3-capstone did the trick

@Deleted User #memory-forensics for future reference

yeah was wondering where to ask ;D

hi, anyone already use this ? https://github.com/DvorakDwarf/Infinite-Storage-Glitch.

Hey everybody, I hope you're all well

3:05 AM

f you removed a file by shift delete then wanted it to be unrecoverable Should you recover it first then remove it by the tool or what?

Deleted User

f you removed a file by shift delete then wanted it to be unrecoverable Should you recover it first then remove it by the tool or what?

lol, sounds like a "how do i cover my tracks" post. we're about how to recover evidence, not how to cover it up

hahaha

3:15 AM

I just speak in case if you sell your PC

3:15 AM

or something

and the short answer is "it all depends" - too many variables to ensure you destroyed whatever it was you deleted. it may even already be gone if you have SSD/Trim etc

or use somone's PC

3:16 AM

it wasn't saved on SSD

if you sell your PC you do a secure wipe and re install (OS) from scratch

it was saved on HDD

Deleted User

or use somone's PC

alright, what about this?

it also depends on who you are trying to hide data from. if it's a relative just using an undelete program, you are likely ok. if it's a National Agency and you have done bad things, you are likely screwed, unless you nuke the device (edited)

National Agency and asking on Discord

3:19 AM

bloody hell

https://www.groovypost.com/howto/7-free-ways-securely-delete-files-windows/

Seven Free Ways to Securely Delete Files in Windows

When you delete a file normally in Windows, it's not really gone for good. Learn how to securely erase files and folders so they're unrecoverable.

the link doesn't open

3:20 AM

plus I know how to delete them without being recoverable

3:20 AM

but I want to know

3:21 AM

should I recover them

3:21 AM

then delete them?

With sdelete from sysinternals tools

because I already deleted them by shift delete

skyg4mb

With sdelete from sysinternals tools

yeah I know

3:21 AM

on powershell

3:21 AM

but they already deleted shift delete

3:21 AM

so?

No, with tools like blkls maybe is possible recover it

yeah, that's what I'm talking about

3:23 AM

it's already deleted shift delete

3:23 AM

so it might be recoverable

3:23 AM

so what should I do to ensure that it won't be recovered? (edited)

Rewrite the unallocated space

how could I do that?

3:27 AM

by sdelete?

https://www.groovypost.com/howto/securely-wipe-free-space-windows-pc/

How to Securely Wipe the Free Space on Your Windows PC

Are you selling, giving away, or disposing of a Windows PC? Learn how to securely wipe its hard drive so your data cannot be recovered.

3:27 AM

There is the answer

thanks

skyg4mb

https://www.groovypost.com/howto/securely-wipe-free-space-windows-pc/

last question which might be stupid

3:41 AM

when I use ccleaner

3:42 AM

to wipe the free space

3:42 AM

it won't delete things in the disk

3:42 AM

right?

3:43 AM

because there are things I don't want to delete it

i'm on the floor here, lol.

4:07 AM

there are so many artefacts on a PC, whatever you do you'll leave traces all over the place. again, it depends on so many things; content, OS, shadowcopy, edits, temp files, shellbags, backstory etc. (edited)

4:09 AM

ccleaner will, if set up correctly, wipe free space only

4:10 AM

but, in terms of covering tracks, no cleaner is a magic wand / silver bullet.

I understand that he doesn't want to cover tracks, he just wants to guarantee that a file has been completely deleted.

Honestly it's so subjective, depends on your threat model. Your average person won't be able to recover something once it's gone from the Recycle Bin. Other end of the scale is (so I've been told) the NSA degaussing their HDDs, then grinding them down to metal dust and storing this in a secure storage facility...

Deleted User

bloody hell

seriously, we get allsorts here, lol. some are barely disguised "how do i hack this" type of questions

2

Some aren't disguised at all...

Digitalferret

but, in terms of covering tracks, no cleaner is a magic wand / silver bullet.

gotcha

skyg4mb

I understand that he doesn't want to cover tracks, he just wants to guarantee that a file has been completely deleted.

defo

skyg4mb

I understand that he doesn't want to cover tracks, he just wants to guarantee that a file has been completely deleted.

guarantee that a file has been completely deleted you can only best guess that. don't forget you don't make the actions yourself, you request tat the OS does the job. and that's where it goes to pot

I see a big stories here

4:54 AM

I'm not hacking NSA for all of that I think

4:54 AM

it's simple as @skyg4mb said

skyg4mb

I understand that he doesn't want to cover tracks, he just wants to guarantee that a file has been completely deleted.

here

Digitalferret

seriously, we get allsorts here, lol. some are barely disguised "how do i hack this" type of questions

I think it would be kinda weird to get asked here how to hack lol

2

4:57 AM

because here people work for gov

4:57 AM

plus

4:57 AM

it's here how to secure

4:57 AM

not a place for even Ethical hacking

4:58 AM

with all respect you all might have experience in Ethical hacking but I don't think it would be as someone that's all what they do

4:58 AM

the same goes for them

4:58 AM

they might have experience in Blue team

4:59 AM

but they're not experts

5:02 AM

plus my question, I think is helpful for people who aren't into CyberSec at all too

5:02 AM

because for example you have the right to be sure you even private pics are not recoverable (edited)

5:03 AM

there are lots of free programs that even people who know nothing (edited)

5:03 AM

could download it to recover some stuff

5:03 AM

and it works

in the words of my step-son "super sus"

12

I may have used the phrase “sus” in a professional setting before

1

Does anyone know if would guest SID be different from administrator SID?

The SID for Administrator should be 500 and Guest 501 if memory serves me right

1

yeah admin is 544 but I can't find guest

9:16 AM

and I only have reg file, sam, security, ntuser, and software so I have to use reg explorer

can someone provide me with beginner material from which I can study?

11:45 AM

I just can't find anything deep and long enough on youtube

Marko nije Darko

can someone provide me with beginner material from which I can study?

#training-education-employment

thanks!

Hey folks! Does anyone have / know of a list, cheat sheet or reference of the default filepath for access logs of the various web server technologies out there? Digging through said technology's documentation works but less than ideal during an active incident. TIA!

Deleted User

but they're not experts

Some of us are Red team experts yes, but this is a DFIR based server, you’d probably have a better time asking that in a cybersecurity based server

but to answer your question, start with the basics and fundamentals of networking. Knowing how to google or use your favourite search engine is a big plus. Hope that helps.

Hi, I have questions kawaiiheartbeat

Do you guys use AUTOPSY or any other FREE SOFTWARE to extract data and submit the report to court? kawaiiheartbeat

Does the court accept the digital forensic results exported by the free software? thank you in advance. (edited)

12:57 AM

Do you guys have a Standard Operating Procedures (SOP) or any documents stating that only commercial digital forensic tools is the only allowed tools to be used in conducting Digital Forensic Examination?

Morning all! Does anyone have any experience with iOS conference calls (merging an incoming call with an outgoing call)? Hoping to find a record somewhere like the knowledgeC.db

Logan

Hey folks! Does anyone have / know of a list, cheat sheet or reference of the default filepath for access logs of the various web server technologies out there? Digging through said technology's documentation works but less than ideal during an active incident. TIA!

I have some. But I need to find like a month to get my sh together to publish my repo

ryd3v

Some of us are Red team experts yes, but this is a DFIR based server, you’d probably have a better time asking that in a cybersecurity based server

but to answer your question, start with the basics and fundamentals of networking. Knowing how to google or use your favourite search engine is a big plus. Hope that helps.

Thanks for your message but I think you didn't know what the whole conv was about

2:48 AM

I'd recommend you to read from very up

Deleted User

Hey everybody, I hope you're all well

From here

Deleted User

From here

Yep, now I understand, sorry about that, I didn’t start further up

2:57 AM

In that case #counter-forensics is your friend

2:58 AM

Also ccleaner I’d avoid, checkout bleachbit instead.

Hello

3:56 AM

Does anyone know what tools to use to investigate discord?

Wighty

Does anyone know what tools to use to investigate discord?

ChromeCacheView will help with the Electron Cache, and LevelDBDumper can help with the Local Storage LevelDB

Wighty

Does anyone know what tools to use to investigate discord?

if you have the access-token for discord-account, you can use this tool...

4:12 AM

https://github.com/Tyrrrz/DiscordChatExporter

Okay thanks

works very well, really

You can get the access token from the Local Storage LevelDB

1

Yes

𝗖𝗮𝗶𝘁 | 𝗣𝗵𝗶𝗹𝗶𝗽𝗽𝗶𝗻𝗲𝘀 👮🏻

Hi, I have questions kawaiiheartbeat

Do you guys use AUTOPSY or any other FREE SOFTWARE to extract data and submit the report to court? kawaiiheartbeat

Does the court accept the digital forensic results exported by the free software? thank you in advance. (edited)

I always have those tools in my kit. What is important is how you present the exported forensic report to the court. The court accepts evidence that is acceptable for the rules of evidence, so it doesn't matter if you use FTK or Cellebrite. For SOP you may consider SWDG models for the lab you are in. (edited)

1

anyone here knows how to deal with .realm ? Looking for something to parse data in a .realm file using python or js or anything

6:03 AM

or something to convert .realm in sqlite

Can you find evidence on discord with software like FTK imager? (edited)

You can extract the relevant files yes, and a KAPE module exists for discord in the event you have an .E01 that you can mount

1

ryd3v

Yep, now I understand, sorry about that, I didn’t start further up

no worries

ryd3v

Also ccleaner I’d avoid, checkout bleachbit instead.

alright, thanks mate

This battery is still safe right?

3

1

Matt

You can extract the relevant files yes, and a KAPE module exists for discord in the event you have an .E01 that you can mount

Any tutorial on that?

kmacdonald1565

This battery is still safe right?

Uhhh... I would get that to a safe space ASAP! https://discord.com/channels/427876741990711298/537760691302563843/1069975362374737991 (edited)

I thought this was a safe space…

lol just so its clear, this is a safe space. i do dangerous stuff for a living

8:27 AM

also </sarcasm>. and that kit looks legit, but our county has stuff to take care of batteries like this, we just turn them over.

kmacdonald1565

lol just so its clear, this is a safe space. i do dangerous stuff for a living

2

GirthBrooks7899

Click to see attachment 🖼️

Ha!

kmacdonald1565

lol just so its clear, this is a safe space. i do dangerous stuff for a living

Are there multiple batteries in that? That looks like a weird bloat.

Wighty

Any tutorial on that?

Not to hand, but you want to run the Discord KAPE module and then that’ll pull out the files you need.

Matt

Not to hand, but you want to run the Discord KAPE module and then that’ll pull out the files you need.

https://github.com/EricZimmerman/KapeFiles/blob/80392290121ca5b7fda866c0c16669cfffae6f8a/Targets/Apps/Discord.tkape

1

JLindmar (83AR)

Are there multiple batteries in that? That looks like a weird bloat.

It was from a laptop. Cells looked like 3 phone battery cells stitched together.

1

I just bought a $20 lipo bag on amazon last time I had a laptop battery like that... no idea if it "works", don't really want to test it.

was going to say lets test it!

kmacdonald1565

was going to say lets test it!

https://youtu.be/atkgUwGHL_k I caught up watching some of these videos on the bag tests.

Angry Zeppelin

Lipo Bag Tests - Round 1

Ooooh, I was going through my donor phones today and threw a few sold swollen batteries in a bag like this. Watching now.

DCSO

https://youtu.be/atkgUwGHL_k I caught up watching some of these videos on the bag tests.

well that certainly gives me something to watch on a friday when i should be working. thanks!

3:44 PM

</sarcasm> i swear

Hey, all! Please forgive me for what is certainly a dumb question, but I have been unable to find a suitable answer on Google. Context: In my efforts to learn digital forensics, I have been doing Ali Hadi's Web Server challenge (https://www.ashemery.com/dfir.html, Challenge #1) and using a few write ups to guide me on things to look at. Those write ups, however, all seem to use Volatility 2, and make heavy use of the cmdscan plugin. However, Volatility 3's windows.cmdline plugin, which seems to be the replacement for cmdscan, does not provide the command history. Instead it provides the switches that were used for each process that was run. Questions: 1. Am I missing something in Volatility 3 that would allow me to get this information? 2. If not, is Autopsy the next best alternative on a Windows machine? 3. Are any of you sticking with Volatility 2? And if so, how did you install all of the dependencies? pip yelled at me saying it couldn't find everything it needed. 4. Are there other things I should consider? I appreciate your help/insight on this!

Any good free .pst file analyzers not systools?

SynthSlicer

Any good free .pst file analyzers not systools?

https://www.nucleustechnologies.com/pst-viewer.html

PST Viewer - Free tool to open and view content of PST files withou...

Kernel PST Viewer is a free tool to browse through your PST files without using MS Outlook.

Andrew Rathbun

https://github.com/EricZimmerman/KapeFiles/blob/80392290121ca5b7fda866c0c16669cfffae6f8a/Targets/Apps/Discord.tkape

Thanks

potentpwnables

Hey, all! Please forgive me for what is certainly a dumb question, but I have been unable to find a suitable answer on Google. Context: In my efforts to learn digital forensics, I have been doing Ali Hadi's Web Server challenge (https://www.ashemery.com/dfir.html, Challenge #1) and using a few write ups to guide me on things to look at. Those write ups, however, all seem to use Volatility 2, and make heavy use of the cmdscan plugin. However, Volatility 3's windows.cmdline plugin, which seems to be the replacement for cmdscan, does not provide the command history. Instead it provides the switches that were used for each process that was run. Questions: 1. Am I missing something in Volatility 3 that would allow me to get this information? 2. If not, is Autopsy the next best alternative on a Windows machine? 3. Are any of you sticking with Volatility 2? And if so, how did you install all of the dependencies? pip yelled at me saying it couldn't find everything it needed. 4. Are there other things I should consider? I appreciate your help/insight on this!

I think cmdscan from Volatility 2 works differently than windows.cmdline from Volatility 3, because there is also a cmdline plugin for Volatility 2. Volatility 3 still misses many plugins from Volatility 2 so it would be the easiest to use Volatility 2 in this case and it's plugins cmdscan and consoles, here you can find a reference: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#cmdscan I am using Volatility 2 and 3 both in Remnux VM, there are several ways to get this Linux distro: https://docs.remnux.org/install-distro/get-virtual-appliance (edited)

Get the Virtual Appliance

Command Reference

An advanced memory forensics framework. Contribute to volatilityfoundation/volatility development by creating an account on GitHub.

3:17 AM

And if you have more questions regarding Volatility or Memory Forensics, then it would be best to ask in the specific channel #memory-forensics

1

Any reason I would have Activity Sensor / Health data displayed in PA for a timeframe a person did not have any type of Watch/Apple Watch? Wondering if the watch was stolen or not seized.

Ghosted

Any reason I would have Activity Sensor / Health data displayed in PA for a timeframe a person did not have any type of Watch/Apple Watch? Wondering if the watch was stolen or not seized.

Don't iPhones have their own internal mechanism to count steps? Maybe that is what you are seeing?

@FullTang Pulling the .db now to see if it was paired with watch or something. I don't see heart rate or other things I expected so you are probably right just the phone moving thanks.

1

If any mods see this you can add me to the private sector role

2

avesta

If any mods see this you can add me to the private sector role

https://discord.com/channels/427876741990711298/921468778003443772/921469045323206667

1

10:20 AM

fyi

10:21 AM

i post that as 2 mods give you a thumbs up

I'm trying to image a PCMCIA card. The only way I have right now is with an Omnidrive, however that is not working with the Weibetech USB write blocker, has anyone else had any luck with the Omnidrive and write blocker or have a suggestion on other PCMCIA to USB readers that will work with a writeblocker?

LEO - I have a child abduction that just occured does anyone have a contact for a live snapchat rep please DM. @Law Enforcement [USA]

DCSO

LEO - I have a child abduction that just occured does anyone have a contact for a live snapchat rep please DM. @Law Enforcement [USA]

Their emergency response people are pretty quick had a similar situation.

1

I’d you’re worried about life and safety I would go straight with an emergency ping through the suspect’s phone carrier as well

1

Might not have that info, might only have snap

HTTPS://lawenforcement.Snapchat.com/en-US/emergency

2

DCSO

LEO - I have a child abduction that just occured does anyone have a contact for a live snapchat rep please DM. @Law Enforcement [USA]

https://www.search.org/resources/isp-list/

SEARCH

ISP List and LE Guides - SEARCH

The ISP List is a database of Internet service and other online content providers that will help you get the information you need for your case. For each Internet Service Provider listed, you’ll find the legal contact information and instructions needed to serve subpoenas, court orders, and search warrants. The ISP List is a law … ISP List and L...

HTTPS://less.snapchat.com/submit/edr This is the direct link to submit emergency requests. (edited)

1

️yes, this is their new exigent link. You will get very fast response

1

2

1

I'll forward that to our detective working it, he said nobody is getting back to them. Thank you !

Make sure it’s not going to spam. Agency emails are a pain filtering that.

1

The emergency team took about an hour on ours. This was 2 years ago

1

Good work, all! Best of luck @DCSO

1

2

i can honestly say, i have had terrible luck with snap, but this was a few years ago. runaway 13-15 year old, would literally only update us 2x a day, with information that was a few hours old. she made it like 100 miles away before we found her.

Andrew Rathbun

Good work, all! Best of luck @DCSO

Good to go, just in time for HH

have a good weekend all.

9

awesome

1:37 PM

happy friday then

randomaccess

I have some. But I need to find like a month to get my sh together to publish my repo

Awesome

, if you ever get around to doing it feel free to give me a ping. Also happy to share my notes and contribute to a repo

kmacdonald1565

i can honestly say, i have had terrible luck with snap, but this was a few years ago. runaway 13-15 year old, would literally only update us 2x a day, with information that was a few hours old. she made it like 100 miles away before we found her.

Back in like 2017, I used to get 2 hour turnarounds on search warrants. It was awesome. Then they got bigger and therefore much slower, but they were still months faster than Google

Andrew Rathbun

Back in like 2017, I used to get 2 hour turnarounds on search warrants. It was awesome. Then they got bigger and therefore much slower, but they were still months faster than Google

very true i had a suicidal missing person, left behind a phone. google took 2 days from their exigent stuff to get back to me :/

1

Hi! new to the server and still figuring out things, hope this is an okay place to ask a question of this type: I am new to CyberSec and am in the middle of a Certificate program for Introductory Cybersecurity at Colorado University of Boulder. I am excited to learn more and absorb what I can from here! My long term goal is a career in Cyber Forensics, so I'm here to get a better understanding of what the job truly entails and what sub-categories may exist in the field... Question: Should I be looking out for any specific entry level jobs to boost me into Cyber Forensics? What sort of Entry-Level positions exist in Forensics, and Are there specific certs often sought after by those hiring in those positions? I kinda just don't have a solid understanding of the path options that will best land me where I want to be, and Im not even sure I know where I want to be. Edit: A better question might be, Should I lurk here a bit longer until I understand my options a little better before asking such an open ended question

(or am I asking a reasonable question?) (edited)

netherlilly

Hi! new to the server and still figuring out things, hope this is an okay place to ask a question of this type: I am new to CyberSec and am in the middle of a Certificate program for Introductory Cybersecurity at Colorado University of Boulder. I am excited to learn more and absorb what I can from here! My long term goal is a career in Cyber Forensics, so I'm here to get a better understanding of what the job truly entails and what sub-categories may exist in the field... Question: Should I be looking out for any specific entry level jobs to boost me into Cyber Forensics? What sort of Entry-Level positions exist in Forensics, and Are there specific certs often sought after by those hiring in those positions? I kinda just don't have a solid understanding of the path options that will best land me where I want to be, and Im not even sure I know where I want to be. Edit: A better question might be, Should I lurk here a bit longer until I understand my options a little better before asking such an open ended question

(or am I asking a reasonable question?) (edited)

its the "I've been witgh <partner> x days/months/decades, should i get married? signed Unsure Eric." question. If you aren't sure, then no, don't nail your colours to the mast. keep it general and wait 'til something in you says "this is it". ofc that may never happen and you'll have to best guess until it does, but, early days, keep it as broad as possible.

Digitalferret

its the "I've been witgh <partner> x days/months/decades, should i get married? signed Unsure Eric." question. If you aren't sure, then no, don't nail your colours to the mast. keep it general and wait 'til something in you says "this is it". ofc that may never happen and you'll have to best guess until it does, but, early days, keep it as broad as possible.

Thank you! I expected jokes about my question. I notice a lot of the job listings posted here prefer bachelors degrees, assuming in Forensics? I need a good hand holding, It's difficult to know where to even begin haha. So starting in CyberSec, I understand I should have understanding of networking and of course deep knowledge of OS and methods of analysis.... But to get into the Law side of things.... Im starting to think i maybe can't afford to dip my toes in here

7:42 AM

Would knowledge of CyberSec land me a position willing to aid in getting clearance or law school if necessary?

7:48 AM

I enjoy following True-crime, I'm sure you hear that a ton, and I'd love to be in a position such as analyzing digital evidence, My brain summons the idea of hacking into password blocked devices for evidence as example... was starting in CyberSec Ideal for that? (edited)

netherlilly

I enjoy following True-crime, I'm sure you hear that a ton, and I'd love to be in a position such as analyzing digital evidence, My brain summons the idea of hacking into password blocked devices for evidence as example... was starting in CyberSec Ideal for that? (edited)

i'm afraid that it's another "it depends" answer. who knows what any prospective employer wants? don't tailor anything you do on what you may see in any TV show though. those are the edited highlights and the best bits. if you are aiming at a true forensic (ie following the framework law requires) hacking/cracking anything is a small part of what is a lengthy and arduous job. it's like seeing the meal presented on a TV chef show but they miss out the full day of peeling veg, prepping meat, cleaning up, and tidying down, whilst the head chef is shouting about time constraints, and throwing a meal out if even the tiniest bit of peel is left on something. (edited)

1

Digitalferret

i'm afraid that it's another "it depends" answer. who knows what any prospective employer wants? don't tailor anything you do on what you may see in any TV show though. those are the edited highlights and the best bits. if you are aiming at a true forensic (ie following the framework law requires) hacking/cracking anything is a small part of what is a lengthy and arduous job. it's like seeing the meal presented on a TV chef show but they miss out the full day of peeling veg, prepping meat, cleaning up, and tidying down, whilst the head chef is shouting about time constraints, and throwing a meal out if even the tiniest bit of peel is left on something. (edited)

That's a great way to visualize and I understand there's a lot that goes into getting the results, writing reports, getting approvals etc... What I've gotten out of this is: Keep studying, Learn more and be able to prove my knowledge, and wait for the right opportunity

1

netherlilly

Hi! new to the server and still figuring out things, hope this is an okay place to ask a question of this type: I am new to CyberSec and am in the middle of a Certificate program for Introductory Cybersecurity at Colorado University of Boulder. I am excited to learn more and absorb what I can from here! My long term goal is a career in Cyber Forensics, so I'm here to get a better understanding of what the job truly entails and what sub-categories may exist in the field... Question: Should I be looking out for any specific entry level jobs to boost me into Cyber Forensics? What sort of Entry-Level positions exist in Forensics, and Are there specific certs often sought after by those hiring in those positions? I kinda just don't have a solid understanding of the path options that will best land me where I want to be, and Im not even sure I know where I want to be. Edit: A better question might be, Should I lurk here a bit longer until I understand my options a little better before asking such an open ended question

(or am I asking a reasonable question?) (edited)

I don't know about any specific entry level job that would get you anymore then your cert program. Maybe an internship if that is offered . Or try and connect/network with any one local or local groups that could give you more insight. You might get into this and decide you never want to see a computer again, especially after staring at a progress bar for what feels like 100000 hours waiting on something to process. They don't show that part in the TV shows

1

11:06 AM

A lot of people are fans of TryHackme and Hack The Box for general cyber skills. I think TryHackme has some Digital forensics labs, maybe check those out for hands on where to start practice.

1

Thanks for your Time/feedback guys, I know I'm asking the stupid questions here, I just feel really unsure, I enjoy the need to be constantly learning and don't mind some progress bars haha, but I am intimidated I think. The fear that I can't or won't be seen as above average or minimum in this industry if it turns out my brain can't speak computer lol

I love computers and have used them since I can remember but not to the extent I've noticed most have been, I interacted most with setting up game servers and minecraft command blocks/redstone and I jokingly relate the concepts but I feel I understand command lines decently well because of such experience. I know there's always a language to it and being able to learn the command lines as quickly as I understand how to spawn a custom entity in vanilla settings of minecraft leads me to think I have a chance at doing well, but I get intimidated by all the updates happening so quickly right now. A.I. Cloud and Threat Actors popping up more frequently, It's a lot to keep up with....So Im lead to believe im thinking WAY too hard and coming here am confirmed to say I need to hammer in the basics

2:56 PM

sorry for the insane run on sentences

Hi folks. Does anyone know the significance of a PDF being recovered from the Adobe Reader flattening temporary file path? This was the location of a PDF recovered from a Samsung running Android. Unfortunately I don’t have any version details to hand.

netherlilly

Thanks for your Time/feedback guys, I know I'm asking the stupid questions here, I just feel really unsure, I enjoy the need to be constantly learning and don't mind some progress bars haha, but I am intimidated I think. The fear that I can't or won't be seen as above average or minimum in this industry if it turns out my brain can't speak computer lol

Late to the party. Don't solely focus on speaking computer. Speak business also. At the end of the day, it's all business. It's good that you can be very technical but better if you can be the bridge in between.

1

Here's a little conundrum. I have had a case where the client has built their AD environment on AWS. During the investigation I noticed that on at least one of the DCs in Windows logs there are multiple hostnames (logs generated on the same host) such as EC2AMAZ-ABCABCD but also log entries that correctly identify the correct hostname of the DC. Is this something specific to AWS or could it be a misconfiguration in the environment? The client themselves did not recognize these EC2 hostnames.

Morning! (First time posting here) we have a HP Chromebook 14a-na0503sa in the lab relating to a CSAM investigation. This is the suspects second device to be examined, the first of which (android phone) had several hits on CAID. I’m hoping people could share potential solutions to performing an extraction from the Chromebook, OSR is nudging me towards manual examination but I didn’t want to overlook any potential tools that could assist. I appreciate chromebooks depend heavily on cloud storage however because of information we have from the investigator this exhibit may prove pertinent to the specific incident he was reported for.

CH.uk?!

Morning! (First time posting here) we have a HP Chromebook 14a-na0503sa in the lab relating to a CSAM investigation. This is the suspects second device to be examined, the first of which (android phone) had several hits on CAID. I’m hoping people could share potential solutions to performing an extraction from the Chromebook, OSR is nudging me towards manual examination but I didn’t want to overlook any potential tools that could assist. I appreciate chromebooks depend heavily on cloud storage however because of information we have from the investigator this exhibit may prove pertinent to the specific incident he was reported for.

Magnet Chromebook Acquisition tool (MCAA). You need to sign up to their IdeaLab page. You need to know the password of the Chromebook though, but since you have another exhibit you could find potential passwords from that. (edited)

3:00 AM

https://magnetidealab.com

We are currently at the limit (well, way over the limit) of how much pro bono time we can burn at Arsenal on behalf of generally high-value targets like journalists. Aside from The Citizen Lab and Amnesty Tech, is anyone familiar with organizations that perform aggressive digital forensics pro bono/off-the-clock for high-profile and high-value targets like journalists? I recall seeing some kind of press release for a non-profit (other than Citizen or Amnesty) that intended to specialize in this kind of service, but I can't find it now that it would be useful.

(edited)

1

How to get discord cache from browser?

3:48 AM

Also does using MOBILedit works to investigate mobile version of discord?

I bought a WD Green 2tb about a week ago, I was on an absolute hurry so I bought a sketchy box to convert my 3.5 inch HDD to an external one. I formatted it with NTFS and used to store some data. After the data was copied by another person, I plugged it in my Windows PC and it didn't seem to recognize it. So I went ahead and used a software name Paragon NTFS on my mac and backed up the data. The software worked flawlessly in transferring the data. Then I went ahead and removed the HDD from the box and connected it to my PC via SATA. I couldn't get it working because my windows PC said that it failed to due to some hardware error. And I couldn't even format it due to that error. So I booted into my Arch Linux installation and formatted it there successfully to NTFS via mkfs.ntfs. This made it possible for my windows installation to recognize it but after a few hundred megabytes of transfer, it gave me 0 transfer speed and got disconnected after a while. So I just tried and formatted it to ext4 and now I can use the drive flawlessly on my linux installation. I wanted to know that can this be due to the sketchy box messing up the firmware of the HDD or something like that? I will be trying to return it but I wanted to know if that's a possible problem

CH.uk?!

Morning! (First time posting here) we have a HP Chromebook 14a-na0503sa in the lab relating to a CSAM investigation. This is the suspects second device to be examined, the first of which (android phone) had several hits on CAID. I’m hoping people could share potential solutions to performing an extraction from the Chromebook, OSR is nudging me towards manual examination but I didn’t want to overlook any potential tools that could assist. I appreciate chromebooks depend heavily on cloud storage however because of information we have from the investigator this exhibit may prove pertinent to the specific incident he was reported for.

Before using any "automated" tool, have a look at what those tools do behind the scene. They are likely based on the following write-up, which you can follow step by step and accomplish the same results. HTH. https://dfir.pubpub.org/pub/inkjsqrh/release/2

Chromebook Forensic Acquisition

Arsenal

We are currently at the limit (well, way over the limit) of how much pro bono time we can burn at Arsenal on behalf of generally high-value targets like journalists. Aside from The Citizen Lab and Amnesty Tech, is anyone familiar with organizations that perform aggressive digital forensics pro bono/off-the-clock for high-profile and high-value targets like journalists? I recall seeing some kind of press release for a non-profit (other than Citizen or Amnesty) that intended to specialize in this kind of service, but I can't find it now that it would be useful.

(edited)

While they are not a non-profit, I know that Rexxfield will help with some cyber investigations on a pro bono basis. https://rexxfield.com/customer-reviews/

Michael Roberts

Customer Reviews - Rexxfield Cyber Investigation Services

chauan

Late to the party. Don't solely focus on speaking computer. Speak business also. At the end of the day, it's all business. It's good that you can be very technical but better if you can be the bridge in between.

Yes! You must know what the business needs/how it functions to understand how to best protect it!

Question, should I be keeping my "analysis copy" of a forensic image, after I complete my analysis? I already keep a "gold copy" which I don't work on. If so, and assuming it matches the original hash , then why?

APetro

Question, should I be keeping my "analysis copy" of a forensic image, after I complete my analysis? I already keep a "gold copy" which I don't work on. If so, and assuming it matches the original hash , then why?

I don't personally see much reason to

‍♂️

APetro

Question, should I be keeping my "analysis copy" of a forensic image, after I complete my analysis? I already keep a "gold copy" which I don't work on. If so, and assuming it matches the original hash , then why?

Do you retain the "gold copy" long term?

JLindmar (83AR)

Do you retain the "gold copy" long term?

Yep, I do keep those.

APetro

Yep, I do keep those.

If they are accessible if need be, then I would agree with @Andrew Rathbun that there may not be a reason to keep an additional "analysis copy". (edited)

FullTang

While they are not a non-profit, I know that Rexxfield will help with some cyber investigations on a pro bono basis. https://rexxfield.com/customer-reviews/

Thank you! I'll contact them now and see if they are interested in taking on a potentially compromised journalist.

2

I am in the process of getting as much hands-on experience as possible in the cyber field, so I am seeking a cyber security internship or volunteer work in the Orleans region. I can also do it remotely. Please connect me, or advise me and much appreciated in advance

DFIR_tist

I think cmdscan from Volatility 2 works differently than windows.cmdline from Volatility 3, because there is also a cmdline plugin for Volatility 2. Volatility 3 still misses many plugins from Volatility 2 so it would be the easiest to use Volatility 2 in this case and it's plugins cmdscan and consoles, here you can find a reference: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#cmdscan I am using Volatility 2 and 3 both in Remnux VM, there are several ways to get this Linux distro: https://docs.remnux.org/install-distro/get-virtual-appliance (edited)

Apologies for the delayed response here, but thank you for your insights. I was able to solve my issues with Python2/Volatility 2 and am up and running. I've also installed a REMnux VM to play around with that. I appreciate your help on this!

Anyone know if Magnet Acquire of mobile devices can be parsed with Cellebrite PA ?

Hi, I'm picking up a project for someone who has left. I'm using FTK 7.1.0.290 and when I open the software I'm getting "please authenticate enter username and password". Googling around I see that creds might have been entered during install and setup? Is that correct? Is there a way to reset that? it is licensed but can't seem to find a support contact on the web? Thanks

ISOM

Hi, I'm picking up a project for someone who has left. I'm using FTK 7.1.0.290 and when I open the software I'm getting "please authenticate enter username and password". Googling around I see that creds might have been entered during install and setup? Is that correct? Is there a way to reset that? it is licensed but can't seem to find a support contact on the web? Thanks

I am guessing you have a support portal login, so can log a ticket here - https://support.exterro.com/support/home

Support

1

Anyone's agency use cloud based storage for evidence? If so who do you go through? Looking for different storage options that provide streamline way of sharing information to prosecutors and other agencies

ExisT

Anyone's agency use cloud based storage for evidence? If so who do you go through? Looking for different storage options that provide streamline way of sharing information to prosecutors and other agencies

evidence.com we use axon for bodycams, discovery, and some other stuff, so we just throw our reports on there if they aren't ridiculously huge.

kmacdonald1565

evidence.com we use axon for bodycams, discovery, and some other stuff, so we just throw our reports on there if they aren't ridiculously huge.

Thanks for the response, can you store a phone extraction through them?

so as far as cloud storage goes, they are expensive...but we opted for the unlimited storage through them. I don't see why you couldn't. but if you don't cross over that unlimited threshold, you will run out of space fairly quick. the one thing is, you have to zip stuff before putting it on there. if you dont, you have to download and reorganize the files individually

8:05 AM

ie you have a logical that has 2000 files, you are downloading 2000 items, and placing them in appropriate folders, or you are deleting 2000 files, also individually, and trying again

kmacdonald1565

so as far as cloud storage goes, they are expensive...but we opted for the unlimited storage through them. I don't see why you couldn't. but if you don't cross over that unlimited threshold, you will run out of space fairly quick. the one thing is, you have to zip stuff before putting it on there. if you dont, you have to download and reorganize the files individually

We looked at using Evidence.com, from what i recall they have have a max size limit on the upload anywhere from 4GB to 20 GB, on a single file zip, i think you would have to 7Zip it and choose split files into chunks. This could of changed though.

DCSO

We looked at using Evidence.com, from what i recall they have have a max size limit on the upload anywhere from 4GB to 20 GB, on a single file zip, i think you would have to 7Zip it and choose split files into chunks. This could of changed though.

They have a program called sync which would allow you to upload any filesize directly to evidence.com. The issue why we stopped uploading exam results (besides capacity and $$$) is it became too hard for people to unzip files

‍♂️ , plus some agencies apparently still have 15kbps modems from the 1990s. (edited)

1

DCSO

We looked at using Evidence.com, from what i recall they have have a max size limit on the upload anywhere from 4GB to 20 GB, on a single file zip, i think you would have to 7Zip it and choose split files into chunks. This could of changed though.

i 100% have uploaded more than that. the browser based one is like 2 or 4 gb but the program i have is called evidence upload...great unique name there... and i think my biggest one is somewhere around 20 - 30 gb. anything bigger we feel bad making detectives download that large. <sarcasm> defense attorneys on the other hand </sarcasm>

Solec

They have a program called sync which would allow you to upload any filesize directly to evidence.com. The issue why we stopped uploading exam results (besides capacity and $$$) is it became too hard for people to unzip files

‍♂️ , plus some agencies apparently still have 15kbps modems from the 1990s. (edited)

at this point, we have straight up told agencies and defense attorneys this is how we are doing things now. so far push back has gone /okay/ but continuing as planned thus far. it has been like 2 years or so. it is important to note we are the "head LE agency" of our county but we do try to work with people as much as possible instead of being jerks about it. we have taught even defense attorneys how to open them up if needed.

I have a question

1:38 PM

It’s about wireless printers

marco_polo076

I have a question

https://dontasktoask.com/

Don't ask to ask, just ask

4

marco_polo076

I have a question

Wireless and printer....those are nightmare words for any IT person

DeeFIR 🇦🇺

https://dontasktoask.com/

i am saving that badboy. thats up there with lmgtfy

2

kmacdonald1565

i am saving that badboy. thats up there with lmgtfy

SAME

Hey, could anyone complete this questionnaire for his dissertation for a digital forensic student is completing at the University of South Wales - https://forms.office.com/Pages/ResponsePage.aspx?id=fP6q5RuXt0qwORQa02rOwHo4qslUzmRKsC2nmOTGYsxUNkFZMkM3VTZCUFgyRjNDTjlNREVMSUZRVC4u

Hey! is here someone who transfers Cellebrite Reader Data (ufdr) through a VPN connection? We are doing this since years, but since some weeks we always receive a network error while copying the ufdr file. When we zip the file we don't have problems.

Hi fellow examiners, I have a general question about RAID mounting. I'm wondering what success anyone has had with interpreting and mounting forensic images for RAIDS. I currently had had success with FEX and EnCase for interpreting. EnCase can mount as a Disc but this is logical. FEX does not mount the images at all. I would like to process in Axiom as well but if fails interpretation. Any ideas appreciated.

Joshua Michel

Hi fellow examiners, I have a general question about RAID mounting. I'm wondering what success anyone has had with interpreting and mounting forensic images for RAIDS. I currently had had success with FEX and EnCase for interpreting. EnCase can mount as a Disc but this is logical. FEX does not mount the images at all. I would like to process in Axiom as well but if fails interpretation. Any ideas appreciated.

What kind of RAID structure? Was it based on a physical controller? Software RAID? Some kind of bastardised LVM/LVM2 from a NAS?

DeeFIR 🇦🇺

What kind of RAID structure? Was it based on a physical controller? Software RAID? Some kind of bastardised LVM/LVM2 from a NAS?

I don't know those details, this is a case where I received no documentation on the setup, only forensic images of two sets of SSDs for two systems but they appear to be setup the same way: to interpret, i choose Type: Hardware, Format: 0 Striping and stripe size 64kb.

3:46 PM

For reference, this is late 2015 early 2016 timeframe.

nicolasBE

Hey! is here someone who transfers Cellebrite Reader Data (ufdr) through a VPN connection? We are doing this since years, but since some weeks we always receive a network error while copying the ufdr file. When we zip the file we don't have problems.

I would always Zip the file before transfering, if you burn or transfer a Cellebrite case to media etc you might run into file name to long errors etc. Just my 2 cents.

OK so looking for a solution to asset tracking and note taking for our lab. I don't need anything too heavy, I'd like be able to run some metrics so I can produce reports. We're currently evaluating Atlas from Magnet. Anyone have any suggestions?

We use lastpass at our business/corp. What are the most important security considerations from this document to implement/apply from this document they reccomend? https://support.lastpass.com/help/security-bulletin-recommended-actions-for-business-administrators

Your organization’s security is vital to our mutual success, so we’ve created this guide to help you respond to the recent LastPass security incident in a way that meets your security posture and environment’s needs.

Hey I had a question about Scanner and doc rasterization? Mainly the legitimacy of noise artifacts in documents that arent consistent and rooting out if its scanner error or not

I am live on twitch infosec stream ❤️

Anyone have any sample wechat or QQ extractions? (edited)

Does anyone know a good way to convert a large SQLite.db file (30+ GB) into a flat file so categorized hash files can be exported?

Hey guys what kind of research questions can i get from cloud forensics when making a literature review to content related to it? If my question is confusing, let me know I'd appreciate to elaborate rather than getting ignored due to confusion.

Hey, any good sources for all fsutil usn reasons? (which sequences refer to Data Overwrite / Stream Change) etc

Nevermind, found it https://learn.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-usn_record_v2

USN_RECORD_V2 - Win32 apps

Contains the information for an update sequence number (USN) change journal version 2.0 record.

keving3047

Does anyone know a good way to convert a large SQLite.db file (30+ GB) into a flat file so categorized hash files can be exported?

Are you thinking of SQLite query to extract out the info? SQLECmd can do that once a query is made for it. If you need help with it let me know

hi hi

2

Does anyone still use https://github.com/AnttiKurittu/kirjuri or maybe even developed it further? (edited)

GitHub - AnttiKurittu/kirjuri: Kirjuri is a web application for man...

Kirjuri is a web application for managing cases and physical forensic evidence items. - GitHub - AnttiKurittu/kirjuri: Kirjuri is a web application for managing cases and physical forensic evidenc...

Andrew Rathbun

Are you thinking of SQLite query to extract out the info? SQLECmd can do that once a query is made for it. If you need help with it let me know

That should work but I’ve got no experience with writing the queries and I struggle to find time to figure it out haha

keving3047

That should work but I’ve got no experience with writing the queries and I struggle to find time to figure it out haha

Navicat's query builder makes it pretty simple. If you need help, ping me. If you can provide a sample of the DB itself, I can spin something up.

Hello, is anyone aware of any resources that offer downloadable digital forensics oriented challenges? Mainly challenges similar to https://www.ashemery.com/dfir.html and https://dfirmadness.com/the-stolen-szechuan-sauce/. I am aware of Blue Team Labs, however, I would prefer a platform that allows for the download of artifacts so one can use their own tools and environment

Ali Hadi, Ph.D.

Dr. Ali Hadi personel website

James

Case 001 - The Stolen Szechuan Sauce - DFIR Madness

The Stolen Szechuan Sauce is a digital forensics lab with you in mind. Share with your students or security team for scenario training.

1

Hey guys

6:04 AM

sorry for the newbiness here, but one question: is it valid in forensic terms, to do an image from a drive that is already an image from the original one?

6:04 AM

for instance: the original drive is in very bad shape and it will eventually fail for good

6:04 AM

I should create a 2nd copy, right?

6:05 AM

if the original is dead, is it valid to do a 2nd copy from the 1st copy?

Larbac

sorry for the newbiness here, but one question: is it valid in forensic terms, to do an image from a drive that is already an image from the original one?

is this a theoretical or an actual forensic job, ie going to court? (edited)

theroretical only

6:15 AM

still learning the tricks

don't sweat it then, as long as the hashes match you should be good

6:15 AM

some forces might even make 2 direct copies

just wanted to be sure, that there's no problem not doing from the first "original" one

6:16 AM

as long as the hashes are the same, all is good then?

again, it depends. i'm not LE so someone else will chip in, but there will be cases like yours that will need more than one copy. i would say it's better to take 2 copies on the original imaging pass. also, laws may be different between countries and jurisdictions

6:18 AM

but whatever you do, maintain a full record of actions

6:18 AM

and preserve the source drive.

got it

6:19 AM

thanks

1

We are running our last episode of @Cellebrite Life Has No Ctrl Alt Del this coming Wednesday. Over 155 episodes. !! Join if you can https://cellebrite.com/en/series/ctrl-alt-del/

Life has no ctrl alt del Archives

Want to virtually meet and collaborate with members of the DFIR community? Join Heather Mahalik, Cellebrite’s Sr. Director of Digital Intelligence, with guest speakers for live Meetups the first Wednesday of every month from 12:30 PM to 1 PM EST.

4

2

Hey all, I have a question I hope someone can answer. I've received a QBX file with a note stating it's password protected. My research indicates this is a Quicken Accountant Transfer file. Has anyone had any experience with this type of file or breaking the password? Passware doesn't seem to cover this file-type and Intuit doesn't seem too keen on providing trial software to assist with the investigation.

Nanotech Norseman

Hey all, I have a question I hope someone can answer. I've received a QBX file with a note stating it's password protected. My research indicates this is a Quicken Accountant Transfer file. Has anyone had any experience with this type of file or breaking the password? Passware doesn't seem to cover this file-type and Intuit doesn't seem too keen on providing trial software to assist with the investigation.

https://blog.elcomsoft.com/2020/11/breaking-intuit-quicken-and-quickbooks-passwords-in-2021/

Breaking Intuit Quicken and QuickBooks Passwords in 2021

Intuit Quicken is one of the oldest tools of its kind. Over the years, Quicken had become the de facto standard for accounting, tax reporting and personal finance management in North America. Finances is an extremely sensitive area that demands adequate protection of the user data. However, prior

9:37 AM

some info here

9:38 AM

if it turns out it needs to be cracked, I don't believe we have a mode for it yet in hashcat but it can always be added

Beat me to it...just about to paste that link haha

1

Haha, I'll give it a whirl. I thought I read an article of that nature, but QBX seems to be the strange one out compared to something like QBB or similar. Thanks though! I'll deep dive into this.

Nanotech Norseman

Hey all, I have a question I hope someone can answer. I've received a QBX file with a note stating it's password protected. My research indicates this is a Quicken Accountant Transfer file. Has anyone had any experience with this type of file or breaking the password? Passware doesn't seem to cover this file-type and Intuit doesn't seem too keen on providing trial software to assist with the investigation.

From very specific systems, QBX files can be video files as well. If you find that it doesn't end up being a QuickBooks file, let me know and I'll give it a shot.

1

Also....

9:44 AM

https://www.passware.com/quickbooks/

Recover lost passwords for QuickBooks

Fast and easy to use software to remove password protection from QBW and QBA files. Instant password recovery with no technical skills required.

Larbac

as long as the hashes are the same, all is good then?

I’d explain why you did what you did. If you explained that the drive was failing/faulty, you created an image, then made a clone of that image (and both image hashes matched/were identical), and kept the original drive, then I can’t see an issue. As @Digitalferret said, maintain a chain of custody/integrity document, and document all your actions. Nothing wrong with what you’ve done, I’d do the same thing (and preserve the original image in addition to the original exhibit) if it was for a court case or subject to some kind of legal dispute/hold.

1

This was only a rhetorical question

1:47 PM

A doubt

1:47 PM

Thanks for answering

1

Hello quick question, we have a victim business that states someone created a similar website to theres with a different play on the business name. The suspect is using textnow #'s to create the domain name, and to use to communicate. The victim stated the suspect is trying to take out loans or credit by using their business info. They have requested the website be marked as fraudulent. So far the suspect has not been successful yet. From a law enforcement perspective I'm drawing a conclusing this person is out of the US and will be a pain to locate and stop. Thoughts ? @Law Enforcement [USA] Send me a DM if you want to talk via official email. Thanks guys

DCSO

Hello quick question, we have a victim business that states someone created a similar website to theres with a different play on the business name. The suspect is using textnow #'s to create the domain name, and to use to communicate. The victim stated the suspect is trying to take out loans or credit by using their business info. They have requested the website be marked as fraudulent. So far the suspect has not been successful yet. From a law enforcement perspective I'm drawing a conclusing this person is out of the US and will be a pain to locate and stop. Thoughts ? @Law Enforcement [USA] Send me a DM if you want to talk via official email. Thanks guys

Should be able to find out who the provider of the domain for the fraudulent website is and do a search warrant for their records to get an IP address and subscriber information

1

DCSO

Hello quick question, we have a victim business that states someone created a similar website to theres with a different play on the business name. The suspect is using textnow #'s to create the domain name, and to use to communicate. The victim stated the suspect is trying to take out loans or credit by using their business info. They have requested the website be marked as fraudulent. So far the suspect has not been successful yet. From a law enforcement perspective I'm drawing a conclusing this person is out of the US and will be a pain to locate and stop. Thoughts ? @Law Enforcement [USA] Send me a DM if you want to talk via official email. Thanks guys

I lack experience with TextNow, but they may have IP information. You should also be able to get IP information from the domain name provider. (edited)

DCSO

Hello quick question, we have a victim business that states someone created a similar website to theres with a different play on the business name. The suspect is using textnow #'s to create the domain name, and to use to communicate. The victim stated the suspect is trying to take out loans or credit by using their business info. They have requested the website be marked as fraudulent. So far the suspect has not been successful yet. From a law enforcement perspective I'm drawing a conclusing this person is out of the US and will be a pain to locate and stop. Thoughts ? @Law Enforcement [USA] Send me a DM if you want to talk via official email. Thanks guys

Or just see what IP the domain has an A record for, and serve process on the provide of the IP address

@DCSO text now will give you the ip of the original account creation. You might beable to run a whois on the domain name. Some time people do or don't pay for privacy.. if they do you also get an idea of who is hosting the page and if they are foregin.

I recently served GoDaddy for information on a fraudulent website scheme that was similar and they provided really good info. Took a while to get the return from them but it worked. (edited)

Then you an issue a subpoena to them for account holder info. It might be a giant circle

May be useful to download an evidence copy of the offending site before if its taken down. Ive used winhttack

1

Have you looked into HTTrack?? It’s a free software tool. Allows you to clone the entire site into a file system. Sometimes the guys who put up the site will leave useful metadata in their public facing uploads to page. Additionally, check the public facing source code. While you shouldn’t need legal process with the first suggestion, check with your prosecutor or DA first.

2

Now would be a good time to register for the inteliquent portal. Sounds like you already know that it’s a TextNow user, but inteliquent is involved in almost all of my fraud that involves VOIP. Portal users don’t have to subpoena to get wholesaler info, but it takes a little time to get registered

3

True - this portal is useful-used last week

Matt Chack

Now would be a good time to register for the inteliquent portal. Sounds like you already know that it’s a TextNow user, but inteliquent is involved in almost all of my fraud that involves VOIP. Portal users don’t have to subpoena to get wholesaler info, but it takes a little time to get registered

This where I got it from, super useful as it use to take awhile and they would just point us into a different direction.

1

dabeersboys

@DCSO text now will give you the ip of the original account creation. You might beable to run a whois on the domain name. Some time people do or don't pay for privacy.. if they do you also get an idea of who is hosting the page and if they are foregin.

The whois is made up, points to a university and the Ph number is also a textnow

@DCSO another strand to pull on

DCSO

The whois is made up, points to a university and the Ph number is also a textnow

Do you mind sharing the domain?

Hello i'd love to get more insight into the actual workload of a DFIR investigator, for example do Digital forensic examiners for law enforcement present evidence in court regularly? As opposed to private sector roles? Or would it be designated based on different tiers of the job like having an individual member of a team assigned to attend court proceedings, or like soc analysts how they are layered in different tiers based on primary incident responders etc. Or if they have the responsibilities for other roles more specific to ediscovery and evidence processing, very curious as to if these duties are typically involved in being an examiner. Also would they be visiting the crime scene and acquiring/seizing devices and evidence often? Or just analysing it once other departments/units transport it back to the lab? Just wondering what other potential duties the job would entail in terms of crime scene visits, and court visits. Sounds interesting for sure. Im aware it could vary per job title or department for each agency/company, but still sharing any of your own personal experience and knowledge is much appreciated.

Hi I am a big fan of SANS for their teaching materials. I've been to a couple of free online events from them and really enjoyed them

5:31 PM

I am currently getting into cloud security as my career. However, at the university I study at, I am part of a club that deals with cybersecurity. I am running to take over a research team for next academic year. If I do not get into the Infrastructure team lead positiion, I owe the room a speech for another role. For this reason, I am choosing to run for the Digital Forensics and Incident Response team lead. I only know a fair amount about Wireshark and some bits and pieces about FTK imager and Autopsy.

5:33 PM

If I am to result to plan B, are there any books that you can recommend for having a general overview of DFIR things so I can have a larger view of what kind of project I would do, should I get elected?

DCSO

The whois is made up, points to a university and the Ph number is also a textnow

If you’re comfortable enough with Kali, run Spiderfoot against the domain. There’s a ton of built in domain tools. You can also do some json digging on the site if it’s poorly built to find host info. You’d be surprised, I’ve found just plaintext IPs sitting in json before. HTTrack is okay but very finicky, especially if it hits a paywall or credential wall. WEcapture does the same thing and it’s just a browser extension. There are ways to trace VOIP but you gotta be an osint wizard

morning everyone, could only point me to an article or advice on what causes the iphone's safari app save web pages in a pdf format in this container: \private\var\mobile\Containers\Data\Application\0B8CC322-C371-4B6C-9580-AD7E898D543A\tmp\450DC57D-C4F1-479F-B1D5-2F92209012BC.pdf otherwise I'll be playing with a test device for a week trying to find a possible answer

testermonkey

morning everyone, could only point me to an article or advice on what causes the iphone's safari app save web pages in a pdf format in this container: \private\var\mobile\Containers\Data\Application\0B8CC322-C371-4B6C-9580-AD7E898D543A\tmp\450DC57D-C4F1-479F-B1D5-2F92209012BC.pdf otherwise I'll be playing with a test device for a week trying to find a possible answer

#mobile-forensic-decoding

today i learned what a key logger is Its used when someone wants to secretly monitor your keystrokes

Rabbit

today i learned what a key logger is Its used when someone wants to secretly monitor your keystrokes

And it comes in many varieties. Software, hardware, video, and even acoustic: https://github.com/shoyo/acoustic-keylogger !

1

I was given a micro sd card from a Geeni (Merkury) door bell camera. No access to the physical camera or the device app. It is an encrypted file. When attempting to open the file it will not play on any of the players I have. I have GTS several terms with no luck. How can I go about finding the needed player?

I am looking for a case management system for free use, on premise and offline. any recommendations?

digital Bowles

I was given a micro sd card from a Geeni (Merkury) door bell camera. No access to the physical camera or the device app. It is an encrypted file. When attempting to open the file it will not play on any of the players I have. I have GTS several terms with no luck. How can I go about finding the needed player?

We might want to move this over to #dvr-multimedia-surveillance but on first glance, everything I see talks about downloading from the app which is obviously a no-go. What format are the files?

.data

digital Bowles

.data

I'll DM you

Hello all, I was just wondering if someone may have some insight here. I work in the private sector doing digital forensics and we are rapidly growing as a team. We are therefore considering an office move and I wanted to know what are the security measures needed to satisfy UKAS et al with regards to access control and exhibit security overnight etc. Does anyone have any advice to spare? Thanks!

tapatiosec

If I am to result to plan B, are there any books that you can recommend for having a general overview of DFIR things so I can have a larger view of what kind of project I would do, should I get elected?

It's a little dated now, but I liked the book Incident Response & Computer Forensics that Kevin Mandia coauthored. Don't focused so much on the tools mentioned as some are probably dated now, but more on the over all process and methodology

does anyone know if you can purchase Physical Analyzer as a standalone, or is it only available with UFED Ultimate, which includes 4PC and PA? can it be purchased solely by itself? or would you need at least one UFED license? I guessn im just trying to figure out if you have 1 UFED, but would need 5 PA licenses. Of if as an agency, you rely on another agency to do your extractions and you ONLY want to purchase PA to parse the data after they give you the extraction

#training-education-employment

1

Thank you, I'll post it there!

Leonidas

I lack experience with TextNow, but they may have IP information. You should also be able to get IP information from the domain name provider. (edited)

ive seen a case w/ a request to textnow come back with great info, even when the suspect deleted the phone number shortly after sending the messages.

Textnow holds the record for my fastest non-emergency subpoena response of 6 hours

1

Larbac

Hey guys

Just curious about your terminology. If you have an image of a damaged drive, and you want to create a backup, why not simply copy those files? Usually, an image is in the form of .E01 or .DD, and comes with a hash in a text file that the imaging software spits out, or you can manually hash the files. So if you make a copy, you can then hash the copied files and confirm you have a true copy by comparing the hashes. If you create another image, for example, using an .E01 format, you will get additional data in your header and then the hash will not match the original hash, even though you may have a proper 'image'.

rfar

Just curious about your terminology. If you have an image of a damaged drive, and you want to create a backup, why not simply copy those files? Usually, an image is in the form of .E01 or .DD, and comes with a hash in a text file that the imaging software spits out, or you can manually hash the files. So if you make a copy, you can then hash the copied files and confirm you have a true copy by comparing the hashes. If you create another image, for example, using an .E01 format, you will get additional data in your header and then the hash will not match the original hash, even though you may have a proper 'image'.

I'm more of a data recovery guy. Usually I don't care about hashes, just want to get the data out. Of course, on a forensic case, this is not the way...

Sea9

And it comes in many varieties. Software, hardware, video, and even acoustic: https://github.com/shoyo/acoustic-keylogger !

I dont understand what I'm looking at but this is so cool! It seems like it can determine keystrokes through an audio file whaaaaaaaat

Rabbit

I dont understand what I'm looking at but this is so cool! It seems like it can determine keystrokes through an audio file whaaaaaaaat

Recordings of keyboard sounds. MIT worked on that years and years ago as well. (edited)

https://discordapp.com/channels/427876741990711298/537760691302563843/1082701655209938962 - if anyone here has any input/advice, i'd really appreciate! Thanks

Catherine

https://discordapp.com/channels/427876741990711298/537760691302563843/1082701655209938962 - if anyone here has any input/advice, i'd really appreciate! Thanks

no joy contacting ukas directly?

Catherine

https://discordapp.com/channels/427876741990711298/537760691302563843/1082701655209938962 - if anyone here has any input/advice, i'd really appreciate! Thanks

When I dealt with this previously we implemented the following: Forensic office/lab access was by controlled by ID card (RFID) access (individually assigned) and also with a physical lock for overnight/extended periods of staff absence and all entry and exit times were electronically logged and archived monthly. The key for the physical lock was kept in a combination lock attached to an outside wall of the lab (general open plan office area). The server room holding the data storage /DF servers was also keycard access only, and since this also included some general IT personnel, the DF racks were kept locked and the key for that was kept in the lab (controlled by keycard access as mentioned). Visitors had to sign in and out of a book also kept in the lab and could not be left unattended. Exhibits were kept in a locked cabinet and assigned specific locations within the cabinet, with their position in the cabinet and any internal movement tracked by a case management system. Any exhibits coming in or out of the lab were also tracked by a case management system & booking in/out forms including signatures (generated from the CMS and signed copies later scanned back in). We had all of this nicely written up as a few SOPS and we had no issues from UKAS with this procedure. Also all of it had to be audited at set intervals and the results of those audits shown to UKAS. (edited)

2

bizzlyg

When I dealt with this previously we implemented the following: Forensic office/lab access was by controlled by ID card (RFID) access (individually assigned) and also with a physical lock for overnight/extended periods of staff absence and all entry and exit times were electronically logged and archived monthly. The key for the physical lock was kept in a combination lock attached to an outside wall of the lab (general open plan office area). The server room holding the data storage /DF servers was also keycard access only, and since this also included some general IT personnel, the DF racks were kept locked and the key for that was kept in the lab (controlled by keycard access as mentioned). Visitors had to sign in and out of a book also kept in the lab and could not be left unattended. Exhibits were kept in a locked cabinet and assigned specific locations within the cabinet, with their position in the cabinet and any internal movement tracked by a case management system. Any exhibits coming in or out of the lab were also tracked by a case management system & booking in/out forms including signatures (generated from the CMS and signed copies later scanned back in). We had all of this nicely written up as a few SOPS and we had no issues from UKAS with this procedure. Also all of it had to be audited at set intervals and the results of those audits shown to UKAS. (edited)

Thank you so much for this insight! I have been thinking along the same lines, but with RFID key fob types as we are a very small outfit at the moment, ID passes may not be applicable to us. Glad to know I'm thinking in the right way though!

1

anyone have recommendations for video players to play partial video files? long story short, CSAM partial downloads. VLC and K-Lite are not working.

7:50 AM

not critical in this case but figured i would ask as we run into similar problems occasionally

7:51 AM

@ICAC

kmacdonald1565

anyone have recommendations for video players to play partial video files? long story short, CSAM partial downloads. VLC and K-Lite are not working.

maybe mpv ?

8:40 AM

seems like a good project idea though, either recovery or try to identify keyframe structures and process (edited)

VoidOfOne

Beyond the microsd card, does anyone here have experience forensically imaging a flipper zero with an enabled pin lock?

Following this if you have any additional information about the topic?

kmacdonald1565

anyone have recommendations for video players to play partial video files? long story short, CSAM partial downloads. VLC and K-Lite are not working.

When you say partial video files, do you mean a video that is not fully wrapped/containerized into a single file? Like some part of a video was found but not playable? There is a solution but it is not automated (at least not yet

). We cover the approach in some of our Medex training courses, including the AVF course at IACIS in April. If you have a specific case need shoot me a DM and I will see how we can help.

kmacdonald1565

anyone have recommendations for video players to play partial video files? long story short, CSAM partial downloads. VLC and K-Lite are not working.

I wonder if that is something that software from @Amped Software or @iNPUT-ACE could handle?

kmacdonald1565

anyone have recommendations for video players to play partial video files? long story short, CSAM partial downloads. VLC and K-Lite are not working.

I'd absolutely be willing to give it a try! I can drop you a DM.

Happy to help!

Hey friends, I feel like im blanking on an easy solution… good ways to capture a webpage that is utilizing JavaScript? Catch is, must be done in a way that the user is not viewing the page at capture (so in a similar fashion to wget.) Thanks in advance!

unc05_4n6

does anyone know if you can purchase Physical Analyzer as a standalone, or is it only available with UFED Ultimate, which includes 4PC and PA? can it be purchased solely by itself? or would you need at least one UFED license? I guessn im just trying to figure out if you have 1 UFED, but would need 5 PA licenses. Of if as an agency, you rely on another agency to do your extractions and you ONLY want to purchase PA to parse the data after they give you the extraction

Just had a conversation with my Cellebrite rep today. They do not offer it as a standalone option. He literally said, “It’s like Left Twix and Right Twix”. If you just need to be able to parse extractions from other agencies/labs, I would suggest getting familiar with Autopsy. It’s free and can get the job done. Doesn’t have all the bells and whistles but again… it’s free.

‍♂️ (edited)

Brandon E

When you say partial video files, do you mean a video that is not fully wrapped/containerized into a single file? Like some part of a video was found but not playable? There is a solution but it is not automated (at least not yet

). We cover the approach in some of our Medex training courses, including the AVF course at IACIS in April. If you have a specific case need shoot me a DM and I will see how we can help.

partial as in P2P was involved but the video was incomplete

11:58 AM

so it has pieces of the files as p2p downloaded them

11:59 AM

some of the files are quite large, but just wouldnt play. i am checking out some players and other software

MeGaBiTe

Hey friends, I feel like im blanking on an easy solution… good ways to capture a webpage that is utilizing JavaScript? Catch is, must be done in a way that the user is not viewing the page at capture (so in a similar fashion to wget.) Thanks in advance!

so, i dont know how it might work for your use case, but i know in PHP and Python (and other languages, just never needed other ones) you can get information from webpages that can be parsed into those languages. this allows someone to fully load a webpage behind the scenes and pull out information. I cant remember how extensive it was, but i know it didnt work with everything...depending on what you are trying to accomplish they might be viable

kmacdonald1565

so, i dont know how it might work for your use case, but i know in PHP and Python (and other languages, just never needed other ones) you can get information from webpages that can be parsed into those languages. this allows someone to fully load a webpage behind the scenes and pull out information. I cant remember how extensive it was, but i know it didnt work with everything...depending on what you are trying to accomplish they might be viable

I did try a small python script using selenium that grabbed some of the page source but it didn’t seem to get me over the JavaScript hurdle. So I’m missing a lot of data.

DFIS721

Just had a conversation with my Cellebrite rep today. They do not offer it as a standalone option. He literally said, “It’s like Left Twix and Right Twix”. If you just need to be able to parse extractions from other agencies/labs, I would suggest getting familiar with Autopsy. It’s free and can get the job done. Doesn’t have all the bells and whistles but again… it’s free.

‍♂️ (edited)

Can you send me a Dm. I want to get to bottom of this.

kmacdonald1565

anyone have recommendations for video players to play partial video files? long story short, CSAM partial downloads. VLC and K-Lite are not working.

usually thats a .mp4 issue? as far as I'm aware, pretty difficult to reconstruct but may be some headway if you have complete files from the same production device (unlikely but possible on p2p?) or could you check the p2p client's recorded hash value for that file against a database or check for a title?

1

Digitalferret

usually thats a .mp4 issue? as far as I'm aware, pretty difficult to reconstruct but may be some headway if you have complete files from the same production device (unlikely but possible on p2p?) or could you check the p2p client's recorded hash value for that file against a database or check for a title?

It sounds like a .partial file so the file just hasn't been fully downloaded. In cases where this happens to us if we can't get it to play, then we use the hash values against csam databases and use that as confirmation that the file is known etc and what category

1

Rob

It sounds like a .partial file so the file just hasn't been fully downloaded. In cases where this happens to us if we can't get it to play, then we use the hash values against csam databases and use that as confirmation that the file is known etc and what category

yep, having gone grey trying to reconstruct my own mp4's after a crash, it looks to be the best way forward in ID'ing the miscreants file/intent/mens rea

1

unc05_4n6

does anyone know if you can purchase Physical Analyzer as a standalone, or is it only available with UFED Ultimate, which includes 4PC and PA? can it be purchased solely by itself? or would you need at least one UFED license? I guessn im just trying to figure out if you have 1 UFED, but would need 5 PA licenses. Of if as an agency, you rely on another agency to do your extractions and you ONLY want to purchase PA to parse the data after they give you the extraction

If you need to divide analysis job to multiple persons, perhaps you could let the person doing extractions also do the parsing with PA and then do a Report of all relevant data in ufdr format + Cellebrite reader included. Reader works well for analysis, it lets you to create new tags and do new Reports according to analysts findings. Not exactly what you asked, I know, but those Cellebrite licence fees are a good incentive to try to find alternative solutions...

MeGaBiTe

I did try a small python script using selenium that grabbed some of the page source but it didn’t seem to get me over the JavaScript hurdle. So I’m missing a lot of data.

Are you trying to save a screenshot, a select amount of data, or as an "html" copy ? I've used selenium a bit, and have had the best results when using it to walk the elements I care about and parse

another strategy is to identify what api's the javascript is calling, then hit those yourself. If it requires a csrf token, I've used selenium to steal the csrf token by running javascript in the page; then you can use normal python requests (edited)

Does anyone on here know of anything that replaces NSRLserver and NSRLLookup since NSRL is now a SQLite3 db? Or if Axiom or Encase are supporting the SQLite3 databases?

fcha256

Does anyone on here know of anything that replaces NSRLserver and NSRLLookup since NSRL is now a SQLite3 db? Or if Axiom or Encase are supporting the SQLite3 databases?

NIST's RDSv3 minimal files can be used with AXIOM via the Hash Sets Manager.

Belkasoft X also supports the new NIST format

Is there any tool that generates random data for filesystem testing purposes?

9:34 AM

I'm trying to populate a ssd with some junk folders/files/etc.. and I hate doing it manually

nvm, I found a python library called faker which does the job

9:43 AM

thanks anyhow

Hello! I'm currently a third year student at Teesside University studying Digital Forensics and as part of my dissertation I am running a survey based around the area of Cloud Forensics. It's a relatively short survey with mostly "tick the box" style questions. If you want to participate please read the attached document and click the survey link attached inside, thank you for your time. (Please note this Survey is aimed at current practitioners working for or within law enforcement, Thank you) **Thank you for all those who have participated so far, this is the last time I will be advertising this survey as the paper is in on the 20th, anyone wanting to read it just let me know and I will happily share it after grading! (edited)

Participant_Information_Sheet.pdf

169.01 KB

https://krebsonsecurity.com/2023/03/whos-behind-the-netwire-remote-access-trojan

Who’s Behind the NetWire Remote Access Trojan?

A Croatian national has been arrested for allegedly operating NetWire, a Remote Access Trojan (RAT) marketed on cybercrime forums since 2012 as a stealthy way to spy on infected systems and siphon passwords. The arrest coincided with a seizure of…

Arsenal

https://krebsonsecurity.com/2023/03/whos-behind-the-netwire-remote-access-trojan

More news soon (especially relevant to DFIR practitioners) on the NetWire front. (edited)

1

If any of you have dealt with NetWire victims, and still have disk images obtained from compromised computers, you may want to DM us.

im so done with my current school

2:13 AM

its horrid

kladblokje_88

im so done with my current school

#training-education-employment talk about education stuff there if you don't mind

Does anyone have a good go-by warrant for Reddit? Trying to get IP/email/etc of a user.

kmacdonald1565

anyone have recommendations for video players to play partial video files? long story short, CSAM partial downloads. VLC and K-Lite are not working.

As part of the just finished Magnet Virtual Summit, there was a session titled: From Codecs to Containers: The Basics of Working With Video Files. Presenter talked about FFPlay & Media Player Classic as alternatives to VLC.

@kmacdonald1565 you could try potplayer, I've had luck with that playing files others couldn't.

Hello everyone I’m new! Any tips for someone new to digital forensics, such as any books or topics I should look upon? Thank you!!!

Big Crab

Hello everyone I’m new! Any tips for someone new to digital forensics, such as any books or topics I should look upon? Thank you!!!

What areas are you interested in so we can narrow it down for you.

Beercow

What areas are you interested in so we can narrow it down for you.

Ooh im completely new so probably the identification, collection and reporting processes of data

Got some buds from Silicon Valley Bank looking for gigs as of tonight. If you got anything let me know.

hi im new to data recovery.. guys i have a WDC WD10SPCX-24HWST0 unable to format to full. could it be a firmware problem?

6:48 PM

is there any tool to update firmware for wd hard diskz?

added to the list thanks @craigcilley and @MrMacca (Allan Mc)

Digitalferret

usually thats a .mp4 issue? as far as I'm aware, pretty difficult to reconstruct but may be some headway if you have complete files from the same production device (unlikely but possible on p2p?) or could you check the p2p client's recorded hash value for that file against a database or check for a title?

less likely to work for me in my case, id be better off contacting someone that had the completed downloads but thanks for the option

1

Big Crab

Ooh im completely new so probably the identification, collection and reporting processes of data

plenty of resources on my page, from starting out to tools to podcasts, to blog rolls and so much more check it out https://startme.stark4n6.com

Forensics - start.me

A startpage with online resources about Forensics, created by Stark 4N6.

Big Crab

Ooh im completely new so probably the identification, collection and reporting processes of data

https://www.sans.org/cyber-security-training-events/new2cyber-summit-march-2023/?utm_medium=Social&utm_source=Twitter&utm_content=Home&utm_campaign=SANS%20New2Cyber%20Summit%202023%20Reskilling%20Edition%20-%20Live%20Online

New2Cyber Summit 2023 | SANS Institute

Cybersecurity is a fast-growing, dynamic field and SANS mission is to equip you with the skills you need to succeed in the industry. This free live-online event brings together leading experts prepared to share their first-hand knowledge on building a successful career in the field of cyber security. This two day summit will provide you with a c...

1

Evening all, I have a question about autopsy. I am a cyber security student, but have very little experience in data forensics and recovery. A "Customer" asked me if I could recover the information on a windows box that was returned to the default settings. Could someone point me in the right direction to recover some files off this machine. I have not received the computer yet, but I am assuming it is either Windows 7 or Windows 10.

stark4n6

plenty of resources on my page, from starting out to tools to podcasts, to blog rolls and so much more check it out https://startme.stark4n6.com

Thank you !

Beercow

https://www.sans.org/cyber-security-training-events/new2cyber-summit-march-2023/?utm_medium=Social&utm_source=Twitter&utm_content=Home&utm_campaign=SANS%20New2Cyber%20Summit%202023%20Reskilling%20Edition%20-%20Live%20Online

Thank you’!

Thanks for the information, I will begin to sort through it, that is a gold mine, but I was hoping for something like a .pdf describing the set up for imaging a drive in the proper format and beginning to analyze it with something like autopsy to give me a place to start. Is there a better way to analyze Windows boxes for files that may be deleted by setting the machine back to factory default?

8:58 AM

I was also curious once I open the machine, if it is Windows 10, will all the files be encrypted with a SAM database that no longer exists?

blackfootsec

Thanks for the information, I will begin to sort through it, that is a gold mine, but I was hoping for something like a .pdf describing the set up for imaging a drive in the proper format and beginning to analyze it with something like autopsy to give me a place to start. Is there a better way to analyze Windows boxes for files that may be deleted by setting the machine back to factory default?

When you say "returned to the default settings", was it reformatted and Windows reinstalled?

Major update today to our popular Insights article "BitLocker for #DFIR - Part I" - https://ArsenalRecon.com/insights/bitlocker-for-dfir-part-i. (edited)

6

Window was returned to factory default. I am still confirming the information provided by the client, but it appears the system had a factory reset performed on it to return the system to the out-of-the-box initial state.

https://www.bleepingcomputer.com/news/security/casper-attack-steals-data-using-air-gapped-computers-internal-speaker/

CASPER attack steals data using air-gapped computer's internal speaker

Researchers at the School of Cyber Security at Korea University, Seoul, have presented a new covert channel attack named CASPER can leak data from air-gapped computers to a nearby smartphone at a rate of 20bits/sec.

1

4:41 AM

New cyber attack

Any indian (especially in NCR region) who work in DFIR company and it might have internship opportunities for students?

Deleted User

https://www.bleepingcomputer.com/news/security/casper-attack-steals-data-using-air-gapped-computers-internal-speaker/

thats pretty cool

Browny

Any indian (especially in NCR region) who work in DFIR company and it might have internship opportunities for students?

#training-education-employment

What is the best software for recovering large mp4 videos from a while ago ?

11:42 AM

On PC

miota

What is the best software for recovering large mp4 videos from a while ago ?

#data-recovery

Hi everyone, I would like to ask if there is any parameter in MFTECmd that allows me to append the original disk drive letter when exporting to a CSV file? Or is there a way to customize the drive letter? I seem to be unable to find any parameter that can do this. It seems that I can only find the option to specify the drive letter using "--bdl" when outputting as a bodyfile. (edited)

RX

Hi everyone, I would like to ask if there is any parameter in MFTECmd that allows me to append the original disk drive letter when exporting to a CSV file? Or is there a way to customize the drive letter? I seem to be unable to find any parameter that can do this. It seems that I can only find the option to specify the drive letter using "--bdl" when outputting as a bodyfile. (edited)

I imagine you're talking about when you're parsing an MFT from a live system? Because if you parse an offline, loose MFT, there's no way for MFTECmd to know which drive letter it belongs to.

2:47 AM

If you want to make a feature request for this when parsing a live system, try your luck here: https://github.com/EricZimmerman/MFTECmd

GitHub - EricZimmerman/MFTECmd: Parses $MFT from NTFS file systems

Parses $MFT from NTFS file systems. Contribute to EricZimmerman/MFTECmd development by creating an account on GitHub.

1

Andrew Rathbun

I imagine you're talking about when you're parsing an MFT from a live system? Because if you parse an offline, loose MFT, there's no way for MFTECmd to know which drive letter it belongs to.

It is offline MFT, but I know its actual drive letter, so I want to assign it a drive letter. (I collected the $MFT of three disk partitions: C, D, E)"

2:50 AM

just want to know if I missed any command parameters, but I think I can easily write a Python code to achieve it

2:50 AM

thank you

RX

It is offline MFT, but I know its actual drive letter, so I want to assign it a drive letter. (I collected the $MFT of three disk partitions: C, D, E)"

I'm guessing that's why the ParentPath column starts with .\ for each folder, which would represent the root of the drive, regardless of letter. In that scenario, I just rename the CSV to include _D or _E so I know which drive letter the output from each is. Multiple ways to go about it!

1

Andrew Rathbun

I'm guessing that's why the ParentPath column starts with .\ for each folder, which would represent the root of the drive, regardless of letter. In that scenario, I just rename the CSV to include _D or _E so I know which drive letter the output from each is. Multiple ways to go about it!

You are right, there are many ways to achieve it. Thank you for your help and sharing your experience! Sir

1

Kali, a well known pentesting distribution, has released a variant dedicated to purple and blue teaming

https://www.kali.org/blog/kali-linux-2023-1-release/

Kali Linux 2023.1 Release (Kali Purple & Python Changes) | Kali Lin...

Today we are releasing Kali 2023.1 (and on our 10th anniversary)! It will be ready for immediate download or updating by the time you have finished reading this post. Given its our 10th anniversary, we are delighted to announce there are a few special things lined up to help celebrate. Stay tuned for a blog post coming out Wednesday 15th March 2...

3

Hey people! Does anyone knows how can one protect excel file from being copied from a CD/DVD disk? Or set a protection on a disk to prevent copying files from it?

ilinor

Hey people! Does anyone knows how can one protect excel file from being copied from a CD/DVD disk? Or set a protection on a disk to prevent copying files from it?

if anything is readable, surely it's copy-able? what are you trying to protect? would you not be better encrypting?

Digitalferret

if anything is readable, surely it's copy-able? what are you trying to protect? would you not be better encrypting?

Thanks for the reply! I got asked this question by my friend, he only wants an option to prevent copying the file from the CD, unsure why he didn't want to look into any other alternative. Encryption seems like the best option, but the friend isn't happy with that one, unsure of the reason. He found some software, hasn't replied which one it is, but consider this resolved.

1

Does anyone have info on US based federal grants that would provide persistent funding for DF equipment and licensing for smaller agencies? Looking to implement new tech in our lab and our city funding for DF is tapped out for the next 5 years on other “more important” projects…

Revo

Does anyone have info on US based federal grants that would provide persistent funding for DF equipment and licensing for smaller agencies? Looking to implement new tech in our lab and our city funding for DF is tapped out for the next 5 years on other “more important” projects…

I don't know of any federal grants, but I can ask around. We have some local agencies that go after grants a lot. Does your state have any grants? Several local agencies in my area have received grants for new tech from the state. The other thing we have done is obtain substantial discounts from some vendors because of being LE. That of course is up to the vendor, some it was a hard "here is our pricing"

CyberGhost

I don't know of any federal grants, but I can ask around. We have some local agencies that go after grants a lot. Does your state have any grants? Several local agencies in my area have received grants for new tech from the state. The other thing we have done is obtain substantial discounts from some vendors because of being LE. That of course is up to the vendor, some it was a hard "here is our pricing"

Yeah I’ve worked with the vendors to get a discount and other funding sources but NGO non profits only fund for a year to get you started, unfortunately it’s a pricey improvement and we’ll need perpetual funding

3:44 PM

And out state grants are past the due date in February

3:44 PM

Our*

Revo

Does anyone have info on US based federal grants that would provide persistent funding for DF equipment and licensing for smaller agencies? Looking to implement new tech in our lab and our city funding for DF is tapped out for the next 5 years on other “more important” projects…

OT: i am shocked - no budget for the next 5 years?? How are you supposed to work? That's absolutely not going to work <.< I really hope you get some funding!

hopscotch

OT: i am shocked - no budget for the next 5 years?? How are you supposed to work? That's absolutely not going to work <.< I really hope you get some funding!

Tell me about it… Fortunately we have operational budget for licenses we already have but no expansion budget…

Yeah funding is a big issues for small agencies here. The only thing that allows us to even have access to some specific tools and tech is that other local agencies share some of their resources. We have a state lab and they are great, but they can be extremely backed up on case work.

CyberGhost

Yeah funding is a big issues for small agencies here. The only thing that allows us to even have access to some specific tools and tech is that other local agencies share some of their resources. We have a state lab and they are great, but they can be extremely backed up on case work.

That’s why we expanded as much as we have, but as time goes on we need to remain ahead of the technology curve. I’m fortunate enough to have an admin that sees that but when there’s no money, there’s no money

We were in the same boat when I moved us to get a great DF workstation, upgrade to our Cellebrite, and got a GrayKey. But now we’re falling behind on storage of evidence, and still don’t have a way to process computers, only mobile devices…

Revo

That’s why we expanded as much as we have, but as time goes on we need to remain ahead of the technology curve. I’m fortunate enough to have an admin that sees that but when there’s no money, there’s no money

We were in the same boat when I moved us to get a great DF workstation, upgrade to our Cellebrite, and got a GrayKey. But now we’re falling behind on storage of evidence, and still don’t have a way to process computers, only mobile devices…

Same here lol. Since phones are more the focus usually, we went that route. If it's a computer/laptop/other device, have to get assistance from elsewhere.

Revo

That’s why we expanded as much as we have, but as time goes on we need to remain ahead of the technology curve. I’m fortunate enough to have an admin that sees that but when there’s no money, there’s no money

We were in the same boat when I moved us to get a great DF workstation, upgrade to our Cellebrite, and got a GrayKey. But now we’re falling behind on storage of evidence, and still don’t have a way to process computers, only mobile devices…

Have you reached out to your local USSS office? They are known to help with finding, training, and equipment.

Whoops, typo. I meant to say funding, lol.

Original message was deleted or could not be loaded.

#training-education-employment

1

Does anyone know if Dropbox notifies the user if their account was flagged for CSAM? Trying to ascertain why an older user would have Developer Mode on and ZERO picture/video files on the phone. Also no sign of the DropBox app. Thanks!

TCSkyKing

Does anyone know if Dropbox notifies the user if their account was flagged for CSAM? Trying to ascertain why an older user would have Developer Mode on and ZERO picture/video files on the phone. Also no sign of the DropBox app. Thanks!

as far as i know, the user isn't given a reason as to why their data was removed. historically, db also reports the user immediately to NCMEC to handle it. re: https://gizmodo.com/dropbox-refuses-to-explain-its-mysterious-child-porn-de-1722573363

6:51 AM

at most, they should get an email saying your content violated our policy, it's been removed but it might not even be a warning if it's specifically CSAM

babybat

as far as i know, the user isn't given a reason as to why their data was removed. historically, db also reports the user immediately to NCMEC to handle it. re: https://gizmodo.com/dropbox-refuses-to-explain-its-mysterious-child-porn-de-1722573363

That’s good reason. It was definitely forwarded from NCMEC to DB for flagging. I’m curious to look at the timeline from the phone dump now. Thanks for the reply!

1

New kali distro for Blue Teams https://gitlab.com/kalilinux/kali-purple/documentation/-/wikis/home

Home · Wiki · Kali Linux / kali-purple / Documentation · GitLab

The ultimate SOC-in-a-box community project

1

Anyone having trouble launching Hubstream Intelligence Agent from @Project VIC ?

where I can find old forensics case puplished online

Has anyone ever sent a geofence-esqe warrant to Nissan Connect?

Anyone got any experience capturing from an Endeavour EN10 voice recorder?

DHillTCSO

Has anyone ever sent a geofence-esqe warrant to Nissan Connect?

Some folks in #vehicle-forensics might have? Or maybe give some info if that kina of data is available

Cøre

New kali distro for Blue Teams https://gitlab.com/kalilinux/kali-purple/documentation/-/wikis/home

Is there going to be a way to "upgrade" a standard kali installation to purple as it seems to be an additional set of tool more than anything and I don't want to have to reinstall kali if I can help it

Alexsaurus

Is there going to be a way to "upgrade" a standard kali installation to purple as it seems to be an additional set of tool more than anything and I don't want to have to reinstall kali if I can help it

You can edit the source list file and do a full-upgrade

Does anyone have any good software for cleaning up an audio recording to make it easier to hear people talking?

Cøre

New kali distro for Blue Teams https://gitlab.com/kalilinux/kali-purple/documentation/-/wikis/home

surprise no Velociraptor, huh.

Is it possible to detect polyglot ? Can we depend on the hex values for Magic keys and the EOL for specific files?

I've got a device with a Qualcomm Snapdragon 617 (a scanner, not a mobile phone, but with android) which I just can't boot into EDL Mode. Not via various button combination and there's no "boot into bootloader" option in recovery mode. I've reached out to the manufacturer and they said "EDL is not supported". My question: is it really possible to disable/ remove EDL Mode? I thought that's not possible..?

It can be locked by software, even via OTA update, but there should be a hardware way to get that mode still, either via some testpoint, or via eMMC fault mode (blocking communication with the storage)

1

I haven't been here very long time

Hi all, currently seeding our new mobile devices with GTD, but im wondering if there is an easier way to do this rather than seeding manually. I have 3 iPhones, 3 androids and 1 burner. I did think of doing a backup but this will also update the OS which I’d rather keep on different versions. Anyone have any suggestions?

1

Anyone have a keyword list of common external email domain names for searching?

stark4n6

Anyone have a keyword list of common external email domain names for searching?

https://gist.github.com/ammarshah/f5c2624d767f91a7cbdc4e54db8dd0bf https://gist.github.com/mavieth/418b0ba7b3525517dd85b31ee881b2ec https://email-verify.my-addr.com/list-of-most-popular-email-domains.php

JLindmar (83AR)

https://gist.github.com/ammarshah/f5c2624d767f91a7cbdc4e54db8dd0bf https://gist.github.com/mavieth/418b0ba7b3525517dd85b31ee881b2ec https://email-verify.my-addr.com/list-of-most-popular-email-domains.php

perfect thanks

Hey, anyone knows how I could contact Nirsoft? or does anyone know how to fix this exception in LAV

Exception C0000005 at address 0040E0CB in module LastActivityView.exe
Registers: 
EAX=00000000 EBX=00000000 ECX=02500000 EDX=00000000
ESI=00000000 EDI=00197D44 EBP=00196218 ESP=00195590
EIP=0040E0CB
Stack Data:   44 7D 19 00   00 00 00 00   2C 6F 19 00   43 00 3A 00   5C 00 55 00   53 00 45 00   52 00 53 00   5C 00 44 00   49 00 41 00   47 00 54 00   52 00 41 00   43 00 4B 00   5C 00 44 00   45 00 53 00   4B 00 54 00   4F 00 50 00   5C 00 44 00   55 00 53 00   4B 00 2E 00   41 00 53 00   44 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
Code Data: 81 3B 4D 41 4D 04 0F 85 E5 00 00 00 8B 7B 04 89 75 98 89 75 A0 89 75 A4 89 75 A8 89 75 9C 89 75 AC 89 75 B0 89 75 B4 89 75 B8 8D 75 C8 89 7D FC E8 EB 80 FF FF 33 FF 8D 75 98 89 7D D8 89 7D 0C 89 7D D4 E8 DD 48 00 00 39 7D B8 74 0D 8D 45 D4 50 8D 45 0C 50 6A 04 FF 55 B8 39 7D 0C 75 07 C7 45 0C FF FF 00 00 89 7D BC 89 7D C0 8B 7D 0C 8D 75 BC C7 45 C4 88 13 00 00 E8 A2 80 FF FF 8D 75

Deleted User

Hey, anyone knows how I could contact Nirsoft? or does anyone know how to fix this exception in LAV

Exception C0000005 at address 0040E0CB in module LastActivityView.exe
Registers: 
EAX=00000000 EBX=00000000 ECX=02500000 EDX=00000000
ESI=00000000 EDI=00197D44 EBP=00196218 ESP=00195590
EIP=0040E0CB
Stack Data:   44 7D 19 00   00 00 00 00   2C 6F 19 00   43 00 3A 00   5C 00 55 00   53 00 45 00   52 00 53 00   5C 00 44 00   49 00 41 00   47 00 54 00   52 00 41 00   43 00 4B 00   5C 00 44 00   45 00 53 00   4B 00 54 00   4F 00 50 00   5C 00 44 00   55 00 53 00   4B 00 2E 00   41 00 53 00   44 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
Code Data: 81 3B 4D 41 4D 04 0F 85 E5 00 00 00 8B 7B 04 89 75 98 89 75 A0 89 75 A4 89 75 A8 89 75 9C 89 75 AC 89 75 B0 89 75 B4 89 75 B8 8D 75 C8 89 7D FC E8 EB 80 FF FF 33 FF 8D 75 98 89 7D D8 89 7D 0C 89 7D D4 E8 DD 48 00 00 39 7D B8 74 0D 8D 45 D4 50 8D 45 0C 50 6A 04 FF 55 B8 39 7D 0C 75 07 C7 45 0C FF FF 00 00 89 7D BC 89 7D C0 8B 7D 0C 8D 75 BC C7 45 C4 88 13 00 00 E8 A2 80 FF FF 8D 75

http://www.nirsoft.net/contact-new.html

1

I've heard he's very responsive to inquiries about his tools via email/the contact form on his website.

I'm glad, been having the same error with WinPrefetch on some devices

Hello, which is easier to gain info of discord accounts for cybercrime between Microsoft Edge and Chrome?

Hi, I would need advice for the acquisition of a software. I need to improve the quality of a soundtrack, but I can't find anything really relevant to this type of processing. Could someone advise me? Thanks for your help

KR-4n6

Hi, I would need advice for the acquisition of a software. I need to improve the quality of a soundtrack, but I can't find anything really relevant to this type of processing. Could someone advise me? Thanks for your help

#dvr-multimedia-surveillance try asking here

1

We are looking into buying a dongle server. Anyone care to share their experience with it?

FirePhil

We are looking into buying a dongle server. Anyone care to share their experience with it?

https://www.seh-technology.com/services/downloads/download-dongleserver/myutn-80.html

Download myUTN-80

10:10 AM

That is the server we used. It worked ok. Didn’t like Cellebrite dongle.

10:11 AM

Wasn’t too bad to get setup instructions were pretty good.

Jobbins

Wasn’t too bad to get setup instructions were pretty good.

Any issues with Magnet?

Alexsaurus

Does anyone have any good software for cleaning up an audio recording to make it easier to hear people talking?

Use Audacity and fiddle with 500mhz on the EQ to bring voice up and clearer in the mix.

FirePhil

Any issues with Magnet?

I've had success with axiom and cellebrite

FirePhil

Any issues with Magnet?

Nope no issues with magnet

Has anyone noticed that NirSofts browserhistoryview.exe trips AV?

Villano

Has anyone noticed that NirSofts browserhistoryview.exe trips AV?

Likely because threat actors use it

1:08 PM

I usually add an exclusion for my tools and cases directories

randomaccess

Likely because threat actors use it

I was thinking the same thing. It lights up VirusTotal. There are some comments about APT. But when I read the references, no actual mention of NirSofts tools.

Villano

Has anyone noticed that NirSofts browserhistoryview.exe trips AV?

pretty much all Nirsoft tools trigger AV. damned annoying as mine gets deleted on unzip

#whitelist/ignore

2

FirePhil

We are looking into buying a dongle server. Anyone care to share their experience with it?

https://discord.com/channels/427876741990711298/537760691302563843/1038189659425091604

1

Hi! Is there someone who know how to convert "reg_binary" value (in Windows registry) to string or something like that? I'm trying to export values with Python script but I'm blocked on reg_binary value.

non0

Hi! Is there someone who know how to convert "reg_binary" value (in Windows registry) to string or something like that? I'm trying to export values with Python script but I'm blocked on reg_binary value.

I am sure 01 00 00 00 means something in Windows land, so you'd have to figure out what that is. Highly depends on the key/path/value in question

Andrew Rathbun

I am sure 01 00 00 00 means something in Windows land, so you'd have to figure out what that is. Highly depends on the key/path/value in question

Yes, 01 00 00 00 is an example but I got a key/value about Access rights (certificate) : read/write/full control for 4 differents groups. I don't have it now but it's a loooong value.

non0

Hi! Is there someone who know how to convert "reg_binary" value (in Windows registry) to string or something like that? I'm trying to export values with Python script but I'm blocked on reg_binary value.

Isn’t it all in hex? You would have to know the encoding scheme, if it’s even something that can be converted to a string.

I thought so but it does not give a comprehensible chain, I didn't know "each" app using reg_binary could use their own encoding or something like that. i need to search harder, thanks!

non0

I thought so but it does not give a comprehensible chain, I didn't know "each" app using reg_binary could use their own encoding or something like that. i need to search harder, thanks!

The Registry is very fragmented IMO. Different artifacts log different things. Different artifact's timestamps are more reliable than others. Some even record their own timestamps within the subkey as a value, separate from the LastWriteTimestamp. The Registry is the wild, wild west at times. And that's just the opinion I've gathered from my extensive yet overall limited adventures in the Registry. Third-party applications do whatever they need or want to do in the Registry. Same with Event Logs. Some third-party applications log to event logs (usually into Application.evtx). Some do it well. Some do it in a barely passable/lazy manner (almost like malicious compliance lol). If that 01 00 00 00 is not a Windows-based artifact (aka some third-party application), then who knows what encoding mechanism is being used unless it appears to be in a structure similar to other known artifacts (FILETIME, etc) (edited)

1

Jobbins

That is the server we used. It worked ok. Didn’t like Cellebrite dongle.

Cellebrite blocks remote access to dongles, so even if you have two computers in the same room off network you can not use a remote connection to the computer next to you to share the same monitors. They have been granting RDP during covid on select dongles and every update to the dongle requires a phone call or email to Cellebrite.

Hey! any PowerShell "nerds" here

- I need help with my script

$dateString = Read-Host "Enter a date (MM-dd-yyyy) to filter the Prefetch files"

$date = [DateTime]::ParseExact($dateString, "MM-dd-yyyy", $null)

$prefetchPath = "C:\Windows\Prefetch"
$pfFiles = Get-ChildItem -Path $prefetchPath -Filter "*.pf" | Where-Object {$_.CreationTime -ge $date}
$exeFiles = foreach ($pfFile in $pfFiles) {
    # Get the file name without the extension and hash value
    $fileName = $pfFile.Name -replace '\.pf$', '' -replace '-[A-F0-9]{8}$', ''
    # Use where.exe to search for the .exe file on the system
    $whereCommand = "where.exe /r C:\ $fileName"
    $exePath = Invoke-Expression $whereCommand
    # Return the file name and path as a custom object
    [PSCustomObject] @{
        FileName = $fileName
        ExePath = $exePath
    }
}
$exeFiles

12:33 PM

I'm trying to create a script that'll first clear .pf of all hashes etc and leave just names of files based on their creation date & use where.exe to locate all the files it finds but it won't work, do I need to specify cmd.exe before where.exe?

12:34 PM

Also wondering if there's a tool that'll use scripts like these against memory captures, I'm trying to do something like that

Deleted User

I'm trying to create a script that'll first clear .pf of all hashes etc and leave just names of files based on their creation date & use where.exe to locate all the files it finds but it won't work, do I need to specify cmd.exe before where.exe?

If you parse the prefetch files with pecmd, you could grab the file path from the output.

Ahh, yeah!

1:31 PM

I came up with a different approach

1:31 PM

WinPrefetchView for it!

Deleted User

WinPrefetchView for it!

That would also work.

Hello! I would like your guys/girls opinion on which degree is necessary and worth taking. This is because I can not really decide my self so I would really like the opinion from people that is in the industry now. I am currently taking my bachelor degree in digital forensics. I have 2 months left before I am done and I am doing very well in my studies with top grades. When I am done my goal is to work for law enforcement as an investigator, if I am going in the private sector it would be for companies providing digital forensics support for law enforcement. So my question is: Should I try getting a job after completing my bachelor and focus on doing certifications or should is a master degree a better option to go with? Thanks for all opinions!

Panda

Hello! I would like your guys/girls opinion on which degree is necessary and worth taking. This is because I can not really decide my self so I would really like the opinion from people that is in the industry now. I am currently taking my bachelor degree in digital forensics. I have 2 months left before I am done and I am doing very well in my studies with top grades. When I am done my goal is to work for law enforcement as an investigator, if I am going in the private sector it would be for companies providing digital forensics support for law enforcement. So my question is: Should I try getting a job after completing my bachelor and focus on doing certifications or should is a master degree a better option to go with? Thanks for all opinions!

You can focus on getting a job. There are plenty of positions currently open. You can always add the certifications and additional education later and have the agencies pay for it.

3

So I have a follow up question. In the county where I am from they have very limited positions for digital investigators. But I would mind moving to the US and work there. But to be able to work in law enforcement in a different country you would need to be a citizen of that country. So for the US, what other options are there available?

Panda

So I have a follow up question. In the county where I am from they have very limited positions for digital investigators. But I would mind moving to the US and work there. But to be able to work in law enforcement in a different country you would need to be a citizen of that country. So for the US, what other options are there available?

There are plenty of positions within the U.S for foreign nationals in Law Enforcement, you just have to go thru the process. Obtain citizenship is the first start. Or try some of the European countries they are always looking.

chiprop

There are plenty of positions within the U.S for foreign nationals in Law Enforcement, you just have to go thru the process. Obtain citizenship is the first start. Or try some of the European countries they are always looking.

Sorry for asking a lot of questions here but do you have any names of those kind of companies or something like I could try to contact them and discuss my options?

1:40 AM

Screens cropped on Google Pixels in 2017-2022 can be un-cropped

1:41 AM

This is due to an undocumented change to open() on Android that stopped automatically trimming the file on overwrite unless specifically requested (which Google’s Markup app didn’t).

1

eSko

This is due to an undocumented change to open() on Android that stopped automatically trimming the file on overwrite unless specifically requested (which Google’s Markup app didn’t).

Scary stuff. There is a POC website too https://acropalypse.app/ if anyone wants to play with it. Seems to have been fixed now on the Pixel 7 (I noted you say 2017-2022).

acropalypse screenshot recovery utility

Panda

Sorry for asking a lot of questions here but do you have any names of those kind of companies or something like I could try to contact them and discuss my options?

I have a different opinion on this one. It's a small field for criminal-side of DF jobs here in the US, especially for civilians. These jobs are usually (almost always) asking you to have a either a permanent resident or citizen status due to the nature of LE work. It's very rarely to see someone that's is willing to take someone only with a visa status.

5:47 AM

It may be easier for you to look for DFIR jobs on the civil side with only a visa...but then you're also competing with people who has long-term status....

chauan

I have a different opinion on this one. It's a small field for criminal-side of DF jobs here in the US, especially for civilians. These jobs are usually (almost always) asking you to have a either a permanent resident or citizen status due to the nature of LE work. It's very rarely to see someone that's is willing to take someone only with a visa status.

Ye that is what my previous research has learned me as well

You may try to join military or some local LE who are willing to take a foreign national...but then you'll start as a regular LEO and unlikely to get you to do any DF work right away.

5:50 AM

You can try major tool vendors, like MSAB, Cellebrite, etc..you may be doing tech support but kinda get you in the DF industry....but this may not be what you're looking for though. (edited)

chauan

You can try major tool vendors, like MSAB, Cellebrite, etc..you may be doing tech support but kinda get you in the DF industry....but this may not be what you're looking for though. (edited)

Ok thanks! One of my teachers works for a company that does DF and data recovery work for LE (Not in the US). I was thinking if there is any of those companies in the US where one could work with just VISA status. But working for vendors is also I good idea! Thanks!

chauan

You may try to join military or some local LE who are willing to take a foreign national...but then you'll start as a regular LEO and unlikely to get you to do any DF work right away.

US MIL requires citizenship. Security clearances will be an issue.

Deleted User

US MIL requires citizenship. Security clearances will be an issue.

The program for non-citizen to join then naturalized no longer exists?

Security clearances often come with residency requirements

chauan

The program for non-citizen to join then naturalized no longer exists?

Was not aware that existed, it may still be a thing but not when I last looked.

1

Blocking use of the owner's mobile phone until user submits a received message confirmation is a strange tactic, particularly as cell broadcasting can do the same job in issuing an alert at the local level. "Public emergency alerts to be sent to all UK mobile phones" https://www.bbc.co.uk/news/uk-64999417

Public emergency alerts to be sent to all UK mobile phones

The government will send people loud, siren-like warnings to alert them when there is a risk to life.

Colman

Blocking use of the owner's mobile phone until user submits a received message confirmation is a strange tactic, particularly as cell broadcasting can do the same job in issuing an alert at the local level. "Public emergency alerts to be sent to all UK mobile phones" https://www.bbc.co.uk/news/uk-64999417

yep, misdirection (under the guise of keeping you all safe) reads as Govt: we can block all your fones yo (edited)

Jobbins

That is the server we used. It worked ok. Didn’t like Cellebrite dongle.

We just updated our Cellebrite dongles when we got RDP capability added to them. We have ours on a proMax dongleserver from the same company and have no issues

Digitalferret

yep, misdirection (under the guise of keeping you all safe) reads as Govt: we can block all your fones yo (edited)

So if everyone switched off their mobiles on the 23rd April the day of the test and everyone didn't switch them back on until the 24th, what then?

Colman

So if everyone switched off their mobiles on the 23rd April the day of the test and everyone didn't switch them back on until the 24th, what then?

a blessed miracle, lol. but I dunno, give it a go

1

Is project VIC even a thing anymore? Seems like all support for Hubstream is non existant and the Intelligence Agent isnt working for many people. Not to mention the "updated" hash set is saying +108 days ago when it was working. Am I just out of touch with the latest system to store and compare hash sets?

SBcyberCop

Is project VIC even a thing anymore? Seems like all support for Hubstream is non existant and the Intelligence Agent isnt working for many people. Not to mention the "updated" hash set is saying +108 days ago when it was working. Am I just out of touch with the latest system to store and compare hash sets?

@Project VIC

SBcyberCop

Is project VIC even a thing anymore? Seems like all support for Hubstream is non existant and the Intelligence Agent isnt working for many people. Not to mention the "updated" hash set is saying +108 days ago when it was working. Am I just out of touch with the latest system to store and compare hash sets?

Same, havent gotten an update from @Project VIC in over 100 days, maybe a slow down?

SBcyberCop

Is project VIC even a thing anymore? Seems like all support for Hubstream is non existant and the Intelligence Agent isnt working for many people. Not to mention the "updated" hash set is saying +108 days ago when it was working. Am I just out of touch with the latest system to store and compare hash sets?

If you have access to S21 LASERi-X, you can download the S21 Global Alliance Database (1.4 billion records) for free. www.semantics21.com, we’ve seen lots of users switching over. (edited)

SBcyberCop

Is project VIC even a thing anymore? Seems like all support for Hubstream is non existant and the Intelligence Agent isnt working for many people. Not to mention the "updated" hash set is saying +108 days ago when it was working. Am I just out of touch with the latest system to store and compare hash sets?

Let me ask around for you. As far as I know ICAC Cops is still updating ProjectVIC Hashes, but that's a question for them. ProjectVIC is just the framework in which the hashes are stored, ICAC and NCMEC maintains the hash sets and distributes them through Hubstream.

Personally feel like icac cops and project vic need a little updating

9:50 AM

But that's the web developer in me haha

Semantics 21 (Tom)

If you have access to S21 LASERi-X, you can download the S21 Global Alliance Database (1.4 billion records) for free. www.semantics21.com, we’ve seen lots of users switching over. (edited)

What's the difference from Project Vic database and the "S21 Global Alliance Database" ?

DCSO

What's the difference from Project Vic database and the "S21 Global Alliance Database" ?

Similar idea, the GAD contains hash values, notes, tags, exif data, user info and case info. Plus it’s encrypted and has over 1.4 billion records from our global community of users. It’s designed to deal with extremist and CSAM intelligence.

Just took a look at the website. Definitely lookin much more professional than project vic, icac cops or hubstream so far.

SBcyberCop

Just took a look at the website. Definitely lookin much more professional than project vic, icac cops or hubstream so far.

I don't doubt it, ProjectVIC and ICAC are run by volunteers and former/current law enforcement in conjunction with NCMEC and ICMEC. ProjectVIC isn't our day job, but we're trying to keep it up as much as we can.

1

@Magnet Forensics Anyone know why only one of my tagged categories will not register in a portable case? All the others are showing up. Very Strange.

Hi everyone, any law enforcers here? I have a question, do you have a Digital Forensic Van?

Hi DFIR Community, I am currently in the process of assessing the safety and security concerns of buying an Enote taker. The specific Company in Question is "Onyx Boox International Inc." and Considering the current geopolitical tensions between the NA and CH, I would appreciate help in this assessment. The General Plight concerns the possibility of either PII misuse and/or the possibility for intrusive surveillance and data gathering. A current example I look at is Tik Tok and the huge security and mental health concerns currently apparent in the world. I will post the research I've done so far in #osint as a google drive link. https://discord.com/channels/427876741990711298/493868860601139200/1087580304392323092 This current project is without the purchase or access to a device for an in-depth analysis, on the hardware and software. I will also have to say that I am in no way a professional or experienced enough to conduct a proper investigation on the hardware or software for artifacts and processes of possible malpractice. How should I go about this process and what should I be looking for to make a final assessment on the safety of owning such a device for personal productivity? As a last note It might take me awhile to get back to anyone who helps, so I apologize in advance for the time taken. (edited)

𝗖𝗮𝗶𝘁 | 𝗣𝗵𝗶𝗹𝗶𝗽𝗽𝗶𝗻𝗲𝘀 👮🏻

Hi everyone, any law enforcers here? I have a question, do you have a Digital Forensic Van?

Yes - can DM me if needed

OregonDFIR

@Magnet Forensics Anyone know why only one of my tagged categories will not register in a portable case? All the others are showing up. Very Strange.

Agree, very strange. I'm not aware of a known issue that causes that but would be happy to take a look and see if we can determine the cause.

@Cellebrite Are you guys gonna release iPhone 12 Pro Max Bruteforce support in the next update for premium? Or is that not planned for v7.63 (edited)

1

Leux

@Cellebrite Are you guys gonna release iPhone 12 Pro Max Bruteforce support in the next update for premium? Or is that not planned for v7.63 (edited)

Just curious, if there is support, for what kind of ios versions?

Mr.Robot

Just curious, if there is support, for what kind of ios versions?

Support of IOS for premium types of services will most likely not be talked about here. You would have to contact Cellebrite support. (edited)

DCSO

Support of IOS for premium types of services will most likely not be talked about here. You would have to contact Cellebrite support. (edited)

Thnx! Will do that

I'm guessing there's something wrong with my workstation causing Hubstream to not work properly. One of my partners is able to run it and download the hashes

still waiting on hubstream to provide any sort of support

Hey, does anyone know if SAPIEN Script Packager compiled Windows applications will stop working after the trial period runs out?

Deleted User

Hey, does anyone know if SAPIEN Script Packager compiled Windows applications will stop working after the trial period runs out?

I doubt it, but I don't know for certain

3:50 PM

Shoot them an email, they are normally pretty responsive @Deleted User

Sure! thanks :)

Hey all, has anyone had any trouble uploading files to Cellebrite support in the last week? Had a log file with 0% upload. Tried on different machines and networks. (edited)

House Whiskey

Hey all, has anyone had any trouble uploading files to Cellebrite support in the last week? Had a log file with 0% upload. Tried on different machines and networks. (edited)

Ah, it seems to be having issues when uploading to the master thread. I was still able to attach files to new comments. (edited)

Morning all. Anyone have experience or able to point me in the right direction for browser forensics if a user has used incognito mode? Is this possible to prove? Hindsight and pulling the browsing history has not given me what I need.

4:00 AM

No file so cant even look at streams

Calyx

Morning all. Anyone have experience or able to point me in the right direction for browser forensics if a user has used incognito mode? Is this possible to prove? Hindsight and pulling the browsing history has not given me what I need.

Is it a computer or phone you are looking at?

Johnie

Is it a computer or phone you are looking at?

Computer

Calyx

Computer

if you got a pagefile.sys you could maybe find information there if the browser was based on webkit. I know ive seen Axiom parse out browser history from that file. Not sure if this could be incognito history tho

Hi I have my first interview for a digital forensics investigator role tomorrow, does anyone have any tips for me? Or any questions they think I should practice for? (edited)

squarey

Hi I have my first interview for a digital forensics investigator role tomorrow, does anyone have any tips for me? Or any questions they think I should practice for? (edited)

I had ChatGPT generate interview questions for me the other week. Here's what it came up with:

 - How did you become interested in digital forensics and incident response, and what inspired you to pursue this career?
 - Can you tell us about your experience in conducting digital forensic investigations and incident response in a corporate or government environment?
 - What tools and software do you use to collect and analyze digital evidence during an investigation?
 - How do you keep up with the latest developments and trends in the digital forensics and incident response field?
 - How do you ensure the integrity and preservation of digital evidence during an investigation?
 - Can you walk us through a recent incident response case you handled, including the steps you took to contain and mitigate the incident?
 - How do you communicate complex technical information to non-technical stakeholders, such as executives or legal counsel?
 - How do you approach a digital forensic investigation when the evidence is spread across multiple devices or systems?
 - Can you explain your experience with forensic analysis of network traffic and logs?
 - How do you ensure that your work complies with applicable laws, regulations, and industry standards, such as GDPR or PCI-DSS?
 - Can you describe your experience with forensic analysis of mobile devices, including both iOS and Android?
 - How do you prioritize and manage your workload when handling multiple investigations simultaneously?
 - How do you balance the need for speed and efficiency with the need for accuracy and completeness in a digital forensic investigation?
 - How do you maintain your technical proficiency in digital forensics and incident response, including any relevant certifications or training?

(edited)

8

@Andrew Rathbun Thankyou so much!

1

If anything, it's a good set of questions to practice on for yourself

Andrew Rathbun

I had ChatGPT generate interview questions for me the other week. Here's what it came up with:

 - How did you become interested in digital forensics and incident response, and what inspired you to pursue this career?
 - Can you tell us about your experience in conducting digital forensic investigations and incident response in a corporate or government environment?
 - What tools and software do you use to collect and analyze digital evidence during an investigation?
 - How do you keep up with the latest developments and trends in the digital forensics and incident response field?
 - How do you ensure the integrity and preservation of digital evidence during an investigation?
 - Can you walk us through a recent incident response case you handled, including the steps you took to contain and mitigate the incident?
 - How do you communicate complex technical information to non-technical stakeholders, such as executives or legal counsel?
 - How do you approach a digital forensic investigation when the evidence is spread across multiple devices or systems?
 - Can you explain your experience with forensic analysis of network traffic and logs?
 - How do you ensure that your work complies with applicable laws, regulations, and industry standards, such as GDPR or PCI-DSS?
 - Can you describe your experience with forensic analysis of mobile devices, including both iOS and Android?
 - How do you prioritize and manage your workload when handling multiple investigations simultaneously?
 - How do you balance the need for speed and efficiency with the need for accuracy and completeness in a digital forensic investigation?
 - How do you maintain your technical proficiency in digital forensics and incident response, including any relevant certifications or training?

(edited)

These aren't bad at all! Do you recall your exact phrasing for ChatGPT? I want to try it in Google Bard to see how it compares. (edited)

JLindmar (83AR)

These aren't bad at all! Do you recall your exact phrasing for ChatGPT? I want to try it in Google Bard to see how it compares. (edited)

generate X interview questions for a digital forensics examiner candidate, something like that

Andrew Rathbun

generate X interview questions for a digital forensics examiner candidate, something like that

Me: "Generate interview questions for a digital forensics examiner candidate." Bard: "Here are some interview questions for a digital forensics examiner candidate: What is your experience with digital forensics? What tools and software have you used in your work? What are your strengths and weaknesses? How would you handle a difficult situation? What is your approach to data recovery? What is your experience with encryption? What is your understanding of the law as it pertains to digital forensics? What is your experience with testifying in court? What is your experience with customer service? What is your experience with teamwork? What is your experience with project management? What is your experience with budgeting? What is your experience with scheduling? What is your experience with quality control? These questions will help you assess the candidate's skills and experience, as well as their ability to meet the demands of the position." And this is the difference when I changed it to "...job candidate." Here are some interview questions for a digital forensics examiner job candidate: What is your experience with digital forensics? What are your strengths and weaknesses? What are some of the challenges you have faced in your career? How would you deal with a difficult situation? What is your knowledge of computer forensics tools and techniques? What is your understanding of the legal aspects of digital forensics? What is your experience with data analysis and interpretation? What is your experience with report writing and presentation? What is your experience with working in a team environment? What are your salary expectations? These questions will help you assess the candidate's qualifications and experience for the position. Bard also gives you three (3) drafts of it's answer. (edited)

1

JLindmar (83AR)

Me: "Generate interview questions for a digital forensics examiner candidate." Bard: "Here are some interview questions for a digital forensics examiner candidate: What is your experience with digital forensics? What tools and software have you used in your work? What are your strengths and weaknesses? How would you handle a difficult situation? What is your approach to data recovery? What is your experience with encryption? What is your understanding of the law as it pertains to digital forensics? What is your experience with testifying in court? What is your experience with customer service? What is your experience with teamwork? What is your experience with project management? What is your experience with budgeting? What is your experience with scheduling? What is your experience with quality control? These questions will help you assess the candidate's skills and experience, as well as their ability to meet the demands of the position." And this is the difference when I changed it to "...job candidate." Here are some interview questions for a digital forensics examiner job candidate: What is your experience with digital forensics? What are your strengths and weaknesses? What are some of the challenges you have faced in your career? How would you deal with a difficult situation? What is your knowledge of computer forensics tools and techniques? What is your understanding of the legal aspects of digital forensics? What is your experience with data analysis and interpretation? What is your experience with report writing and presentation? What is your experience with working in a team environment? What are your salary expectations? These questions will help you assess the candidate's qualifications and experience for the position. Bard also gives you three (3) drafts of it's answer. (edited)

As someone who remembers the work it took to get the original 8-bit Creative Labs Sound Blaster to pronounce "guitar" correctly, this is a really fascinating time

It might also be interesting to see the results of posing the generated questions back to ChatGPT or Bard to see the answer given. If you're involved in hiring, I'd suspect it's a matter of time (already happening

‍♂️) before those are the answers some candidates start spouting out in an interview.

All of you interested in recent developments in AI… I direct you to the latest episode of South Park. Enjoy. https://southpark.cc.com/episodes/8byci4/south-park-deep-learning-season-26-ep-4 (edited)

South Park - Deep Learning | South Park Studios US

Stan is reeling when a cheating scandal hits the school.

1

2

Looking for lab equipment/ software recommendations. My agency is rather progressive and I’ve been tasked with looking into what we need to be considered leading edge. Our current set up is 1 forensic tower (10 years old with no hardware updates.) 2 forensic laptops purchased within the last two years Hardware / software includes: Graykey Premium, Magnet AXIOM (1 dongle), Cellebrite (2 dongles with UFED and Physical Analyzer), Redkey (for forensic wiping). For storage of forensic images,we are using up old 1TB hard drives but would like to move to a NAS system. Any recommendations would be greatly appreciated. (edited)

JLindmar (83AR)

These aren't bad at all! Do you recall your exact phrasing for ChatGPT? I want to try it in Google Bard to see how it compares. (edited)

The thing I don't like about ChatGPT is that you can ask exactly the same question twice and get a completely different answer. With my forensics hat on, I need repeatability!

DFIS721

Looking for lab equipment/ software recommendations. My agency is rather progressive and I’ve been tasked with looking into what we need to be considered leading edge. Our current set up is 1 forensic tower (10 years old with no hardware updates.) 2 forensic laptops purchased within the last two years Hardware / software includes: Graykey Premium, Magnet AXIOM (1 dongle), Cellebrite (2 dongles with UFED and Physical Analyzer), Redkey (for forensic wiping). For storage of forensic images,we are using up old 1TB hard drives but would like to move to a NAS system. Any recommendations would be greatly appreciated. (edited)

Just worked on some Magnet Virtual Summit sessions comparing the performance of different CPU options. Broadly, the newer-generation Intel i9 and AMD Ryzen CPUs that support PCIe 4.0 and DDR5 RAM will show massive performance improvements to a system from only a couple of years ago. Adding core count means lower clock speed, but a newer 16-core/32-thread high clock speed CPU would be my suggestion - great balance of available threads/clock speed there. Combined with fast RAM and dedicated local storage for OS, evidence files, temporary files, and case files, plus a decent GPU and you'll have a really nice system. Tons of options out there from different manufacturers. Move what you want to keep quickly available to a NAS when you're done working with it and determine what your answer is for long term storage and evidence retention requirements. I'm also a fan of using a dedicated machine for disk imaging and leaving the high-spec machine for processing. Happy to talk more, if I can help - it's one of my favorite topics! Adding - I've personally had reliable performance with Synology NAS units and they're very easy to configure and can be expanded as needed, There are other options out there, but cost/performance/intended use all factor into the decision. (edited)

2

Hi everyone, I'm currently making a CTF challenge for the forensics category of my club's CTF at the moment that deals with seeing the data in the XML of a powerpoint. I'm currently stuck on getting the powerpoint put back together. The following are the steps I am using to do this 1: make a backup of the pptx file. 2: Change the file extension to zip then extract 3: change the XML in files. 4: zip again and change the xip to PPTX The last step in this process results in a pptx shorter in length on disk than the original. How do I ensure that the size is correct so that it can be read? (I'm not sure if this question is appropriate for general. Let me know where it goes if it is not for general. :)) (edited)

tapatiosec

Hi everyone, I'm currently making a CTF challenge for the forensics category of my club's CTF at the moment that deals with seeing the data in the XML of a powerpoint. I'm currently stuck on getting the powerpoint put back together. The following are the steps I am using to do this 1: make a backup of the pptx file. 2: Change the file extension to zip then extract 3: change the XML in files. 4: zip again and change the xip to PPTX The last step in this process results in a pptx shorter in length on disk than the original. How do I ensure that the size is correct so that it can be read? (I'm not sure if this question is appropriate for general. Let me know where it goes if it is not for general. :)) (edited)

There is a #challenges-and-ctfs channel, just for future reference.

FullTang

There is a #challenges-and-ctfs channel, just for future reference.

Ahh didn't see that

3:14 PM

thanks for the info

1

3:15 PM

Also I managed to find a way to make it work. Saw a video on youttube

tapatiosec

Also I managed to find a way to make it work. Saw a video on youttube

Nice. Good work!

Can someone from @Magnet Forensics please pm me.

1

Morning all, can anyone confirm their process for counting IIOC media as accessible or inaccessible? Many thanks.

beansidebean2020

Morning all, can anyone confirm their process for counting IIOC media as accessible or inaccessible? Many thanks.

Computer or Mobile?

Apologies, both!

Rob

Computer or Mobile?

Apologies both!

1

Good morning. Can an individual user with a business Office 365 account (not the admin) download their entire account? I've done this with Axiom Cloud but can the user themselves do this? Thanks.

DFIS721 started a thread. 3/23/2023 9:40 AM

I am in my infancy of digital forensics career and have a question about employment. Is there a preferred way to approach local LEO or court systems to offer your services and to land a job? Talking with local police departments I have not had many leads as to how to get in touch with their forensics departments..maybe they do not have one as im surrounded by small towns... Also I would prefer not having to be a beat cop before "promoting" to forensics type work. Just looking for some guidance on best route to begin a career working with law enforcement.

crystalcity

I am in my infancy of digital forensics career and have a question about employment. Is there a preferred way to approach local LEO or court systems to offer your services and to land a job? Talking with local police departments I have not had many leads as to how to get in touch with their forensics departments..maybe they do not have one as im surrounded by small towns... Also I would prefer not having to be a beat cop before "promoting" to forensics type work. Just looking for some guidance on best route to begin a career working with law enforcement.

If you are surrounded by small local agencies I wouldn't be surprised if they sent their devices to a larger local agency, state agency, or even a federal office for analysis. Also, unless you have an inside source they probably won't tell you what they do with their devices. If you don't want to be a beat cop most likely you will need to look at bigger cities to get a DF job as a civilian. Some background in IT would be good, a 4-year degree in computers of some sort would be good, but if you are willing to pay for the CFCE out of pocket I think that would really help you. Also, if you are able to show proof of work by starting a blog examining forensic artifacts that you have researched on your own time or a GitHub showing scripts you have written to contribute to the DF community to help fill gaps that would help as well.

FullTang

If you are surrounded by small local agencies I wouldn't be surprised if they sent their devices to a larger local agency, state agency, or even a federal office for analysis. Also, unless you have an inside source they probably won't tell you what they do with their devices. If you don't want to be a beat cop most likely you will need to look at bigger cities to get a DF job as a civilian. Some background in IT would be good, a 4-year degree in computers of some sort would be good, but if you are willing to pay for the CFCE out of pocket I think that would really help you. Also, if you are able to show proof of work by starting a blog examining forensic artifacts that you have researched on your own time or a GitHub showing scripts you have written to contribute to the DF community to help fill gaps that would help as well.

Thanks for the input! I am trying to convince my current employer (my first cyber related job) a sans course would be a value add, but I have to be creative because it really isn't so I don't have high hopes. Would you recommend GCFE or GCFA? I was shooting for the latter. I have a degree in cyber intelligence and a top secret clearance and wounded veteran...slowly adding pieces to the puzzle to make myself more marketable!

crystalcity

Thanks for the input! I am trying to convince my current employer (my first cyber related job) a sans course would be a value add, but I have to be creative because it really isn't so I don't have high hopes. Would you recommend GCFE or GCFA? I was shooting for the latter. I have a degree in cyber intelligence and a top secret clearance and wounded veteran...slowly adding pieces to the puzzle to make myself more marketable!

I have heard great things about the SANS courses but they are outside of my own personal budget and my agency's budget so I can't speak to those. There are plenty of SANS graduates and instructors on this server that can answer that. It looks like you are LE in some capacity, you could also look into NW3C trainings as those are completely free to law enforcement. (edited)

1

crystalcity

Thanks for the input! I am trying to convince my current employer (my first cyber related job) a sans course would be a value add, but I have to be creative because it really isn't so I don't have high hopes. Would you recommend GCFE or GCFA? I was shooting for the latter. I have a degree in cyber intelligence and a top secret clearance and wounded veteran...slowly adding pieces to the puzzle to make myself more marketable!

If you’re in LE, I’d recommend GCFE. GCFE is designed with insider threats in mind (one user’s system). GCFA is designed more for external threats (multiple systems/incident response).

1

Summon the beast and he shall answer your SANS queries @randomaccess (edited)

What's the question

crystalcity

Thanks for the input! I am trying to convince my current employer (my first cyber related job) a sans course would be a value add, but I have to be creative because it really isn't so I don't have high hopes. Would you recommend GCFE or GCFA? I was shooting for the latter. I have a degree in cyber intelligence and a top secret clearance and wounded veteran...slowly adding pieces to the puzzle to make myself more marketable!

Sans does a bunch for veterans, but I don't know a lot about the ins and outs. Suggest looking round on the website for that. Otherwise work study is a thing. As a vet you may have a better in through that route

crystalcity

I am in my infancy of digital forensics career and have a question about employment. Is there a preferred way to approach local LEO or court systems to offer your services and to land a job? Talking with local police departments I have not had many leads as to how to get in touch with their forensics departments..maybe they do not have one as im surrounded by small towns... Also I would prefer not having to be a beat cop before "promoting" to forensics type work. Just looking for some guidance on best route to begin a career working with law enforcement.

ummm, what's your current position?

crystalcity

Thanks for the input! I am trying to convince my current employer (my first cyber related job) a sans course would be a value add, but I have to be creative because it really isn't so I don't have high hopes. Would you recommend GCFE or GCFA? I was shooting for the latter. I have a degree in cyber intelligence and a top secret clearance and wounded veteran...slowly adding pieces to the puzzle to make myself more marketable!

https://www.ice.gov/hero Just going to drop this here. I am not involved with the program but I’ve trained a lot of folks hired through this initiative. It is an interesting concept and seems to match your goals.

HERO Child-Rescue Corps Program

1

char|i3

https://www.ice.gov/hero Just going to drop this here. I am not involved with the program but I’ve trained a lot of folks hired through this initiative. It is an interesting concept and seems to match your goals.

That's is exactly what I want, I've tried applying in the past with not much luck but will keep on it

randomaccess

Sans does a bunch for veterans, but I don't know a lot about the ins and outs. Suggest looking round on the website for that. Otherwise work study is a thing. As a vet you may have a better in through that route

Yeah I applied for the vetsuccess program but didn't make it, but will apply next tike it comes around as well.

Digitalferret

ummm, what's your current position?

I'm a research analyst for gvmnt. When I signed up for discord I was a cop. I want to do dfir at Leo capacity.

1

crystalcity

Thanks for the input! I am trying to convince my current employer (my first cyber related job) a sans course would be a value add, but I have to be creative because it really isn't so I don't have high hopes. Would you recommend GCFE or GCFA? I was shooting for the latter. I have a degree in cyber intelligence and a top secret clearance and wounded veteran...slowly adding pieces to the puzzle to make myself more marketable!

SANS has a work study program, that can make that cost of the classes a little less. Although it's a competitive process for it. In my option, I would start with GCFE. I took SANS FOR500 (training for the GCFE) before taking SANS FOR508 (training for the GCFA). In my opinion already having some exposure to the topics and tools when taking 508 really helped. I don't know where you are located, but your clearance alone can be a foot in the door in some areas if you are interested in working for the federal government or as contractor.

1

Do you also use alcohol to remove residue from the USB-C connector?Are there any good tools to buy on Amazon? (edited)

crystalcity

Yeah I applied for the vetsuccess program but didn't make it, but will apply next tike it comes around as well.

SANS edu also accepts the GI bill. (as a non American I have a vague idea of what this means, but there's FAQs about it online)

randomaccess

SANS edu also accepts the GI bill. (as a non American I have a vague idea of what this means, but there's FAQs about it online)

Great point. It's almost like there are too many options, idint do well with that. I will check out how the gi works for sans, I used it for college and they paid for it all, while also paying me for being a student, not a bad deal.

randomaccess

SANS edu also accepts the GI bill. (as a non American I have a vague idea of what this means, but there's FAQs about it online)

Just had to sacrifice my younger years and go thru a divorce...no biggie...lol

Hello everyone, Do you know if software like Volatility3 have mechanisms to avoid altering the integrity of the memory image? Or even if it is possible to alter the integrity of the image with Volatility3. This is a question I didn't ask myself until now and it seems quite relevant. Thanks !

Have you used any write blocking software/hardware before copying/extracting? There are a lot of options for whatever use case.

rtificial

Have you used any write blocking software/hardware before copying/extracting? There are a lot of options for whatever use case.

No, I don't think so. For the image, it's basically an image made with LiME.

Admirakk

No, I don't think so. For the image, it's basically an image made with LiME.

I haven’t heard of lime before. After looking it up, it sounds pretty cool. From what I read it extracts the volatile memory in the least intrusive way possible on Linux/android devices.

10:21 AM

I’d write block that image before copying and diving in.

rtificial

I haven’t heard of lime before. After looking it up, it sounds pretty cool. From what I read it extracts the volatile memory in the least intrusive way possible on Linux/android devices.

Indeed for the extraction as such I had searched about the alteration. I probably misspoke, I was talking about the analysis software of these images after the extraction. Can the softwares (here Volatility3) alter the image? Assuming that there is only one copy. When you say "I would block the image", is it possible to manually block the image after extraction? (innocent question, I'm not very familiar with all this yet) (edited)

See if this answers some questions. https://youtu.be/uQP8jmm1Sqo

BlueMonkey 4n6

Write-protect USB and hard drives on Windows

Admirakk

Indeed for the extraction as such I had searched about the alteration. I probably misspoke, I was talking about the analysis software of these images after the extraction. Can the softwares (here Volatility3) alter the image? Assuming that there is only one copy. When you say "I would block the image", is it possible to manually block the image after extraction? (innocent question, I'm not very familiar with all this yet) (edited)

And no worries. We all have to learn somewhere. I’m still learning too

1

Admirakk

Indeed for the extraction as such I had searched about the alteration. I probably misspoke, I was talking about the analysis software of these images after the extraction. Can the softwares (here Volatility3) alter the image? Assuming that there is only one copy. When you say "I would block the image", is it possible to manually block the image after extraction? (innocent question, I'm not very familiar with all this yet) (edited)

One more video. This one addresses how to identify data using hashes to later see if it has been altered. We do this A LOT in digital forensics. Hashes let us uniquely identify any data set and they allow us to show our data hasn’t changed. https://m.youtube.com/watch?v=9miEFSs1lk0

TheDFTVideos

Beginner's Guide to Digital Forensics: Hash Values

Does anyone know if there's some journal or article explaining what the key challenges are when doing forensics on cloud storage such as dropbox? trying to complete this assignment right now but its a headache since the info I keep finding is so broad rather than specific.

Woomir

Does anyone know if there's some journal or article explaining what the key challenges are when doing forensics on cloud storage such as dropbox? trying to complete this assignment right now but its a headache since the info I keep finding is so broad rather than specific.

Look for some security+ videos on cloud and compliance. One of the headaches I remember is for example a company/individual being located in a certain country BUT the cloud data being held on a server in a different country with different data/privacy laws.

12:21 PM

Also troubles with who is responsible for what. Ie. The cloud provider or the individual/company. There’s a whole list of things both parties need to get outlined in writing before doing business

12:22 PM

It’s Gives me anxiety just thinking about all the red tape and lawyers something probably requires

Admirakk

Hello everyone, Do you know if software like Volatility3 have mechanisms to avoid altering the integrity of the memory image? Or even if it is possible to alter the integrity of the image with Volatility3. This is a question I didn't ask myself until now and it seems quite relevant. Thanks !

Volatility shouldn't be altering your memory image. Work on a copy of it anyways because you need a backup. Hash it at the beginning and end and that'll show nothing changed. If you really want, audit the code and there shouldn't be anything that intentionally alters the data. You could put it on a drive and access that through a write blocker but eh wouldn't bother

randomaccess

Volatility shouldn't be altering your memory image. Work on a copy of it anyways because you need a backup. Hash it at the beginning and end and that'll show nothing changed. If you really want, audit the code and there shouldn't be anything that intentionally alters the data. You could put it on a drive and access that through a write blocker but eh wouldn't bother

That's what I thought, but I had a slight doubt. I didn't really see how it could have changed the data, but since you have to work on a copy, etc., there is still a risk, but I don't see how. And that's why I was wondering if there were any mechanisms either for the image (it seems that there are, according to your different answers) or mechanisms on tools like Volatility3.

We have a load of iPhones we have seized for agency use (testing only). I have been able to rest the phones, but many are locked with iTunes activation. The most recent information I found was from 2019 about Apple doing it with court orders. Is that still the only way?

digital Bowles

We have a load of iPhones we have seized for agency use (testing only). I have been able to rest the phones, but many are locked with iTunes activation. The most recent information I found was from 2019 about Apple doing it with court orders. Is that still the only way?

I don't think there was a good way. They're good for spare parts to repair incoming devices to get extractions through

randomaccess

I don't think there was a good way. They're good for spare parts to repair incoming devices to get extractions through

Thank you. They have been great for spare parts.

1

Woomir

Does anyone know if there's some journal or article explaining what the key challenges are when doing forensics on cloud storage such as dropbox? trying to complete this assignment right now but its a headache since the info I keep finding is so broad rather than specific.

Have you looked at https://csrc.nist.gov/Projects/cloud-forensics ?

NIST Cloud Computing Forensic Science | CSRC | CSRC

NIST has defined cloud computing in NIST SP 800-145 document as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider i...

1

@digital Bowles I kept a file of removed screens. I just made sure I used the EXACT screen if the device I was examining had a broken screen. And then I would DOCUMENT the shit out of it because, you know, some wise ass defense attorney will go bonkers if you don't. But all the phones made for good parts and learning the hardware side of the devices.

Happy Birthday

Hey, does anyone know how to fix this? there is no Security tab when I access the USB too

Just a FYI. The latest version of "TCU Live" (2023MAR26) has been released. It's running the latest Debian sid packages, the Linux 6.1.0 kernel for modern hardware support, and updated third party packages such as the Tor Browser, volatility, etc. See the README in the link for more information: https://drive.google.com/drive/folders/0B8zx3qPcj9rJVjJrcnB4aXl1VG8?resourcekey=0-gjI_o4MHtiCvsjet9TCygw&usp=sharing If you haven't used the distro before, it's built to be fairly lean and extensible and is great for in-house forensics, OSINT, field work, or if you just need to quickly spin up a Linux box. The default boot mode loads the entire OS into memory, so if you are on a machine with limited USB ports, you can unplug the TCU Live key after it boots to free up a USB port. It's also UEFI shimmed so it'll boot machines without having to adjust anything in the BIOS such as enabling legacy boot mode. If you are looking for something that'll boot on almost all x86-64 (AMD64) hardware give it a shot and DM me if you have any comments or issues.

3

1

HTCIA International Conference CFP is open till March 31 - if you have knowledge to share, submit! https://www.htcia.org/2023-international-conference-and-expo/

micronetkristan.green-bettes

2023 International Conference and Expo

September 19-21, 2023 Phoenix, Arizona REGISTRATION COMING SOON Platinum Sponsor: Micro Focus is not Open Text Bronze Sponsors: 2023 Sponsor Prospectus Be a Sponsor! 39th ANNUAL HTCIA Conference and EXPO! ⬅️ Check out the 2022 highlight Video Join us September 19-21, 2023 only in-person in Phoenix, AZ for timely educational sessions, engaging ne...

1

hello everyone

3:15 AM

It's nice to see you here Autopsy

@bquanman

51LV3R KN16H7 KM4

It's nice to see you here Autopsy

@bquanman

Lol :v

Hi all, i'm feeling like i'm missing something obvious here... but I was given a SHA1 hash value that has non hexadecimal characters (Z, P, X, etc) in it. Can SHA1 have those characters?

8:01 AM

And if not, then is there some kind of obvious conversion/decoding you would think to do? (edited)

8:04 AM

And lastly, if there is... why would someone convert/encode it like this if the purpose of giving it to me is to look for matches?

8:04 AM

(In other words, they're not trying to hide/obfuscate this hash) (edited)

numbersevenfan

And if not, then is there some kind of obvious conversion/decoding you would think to do? (edited)

My first one to check would be Base64 (edited)

8:38 AM

You could use something like CyberChef for a quick on-the-fly conversion

8:39 AM

https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)

CyberChef

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

numbersevenfan

Hi all, i'm feeling like i'm missing something obvious here... but I was given a SHA1 hash value that has non hexadecimal characters (Z, P, X, etc) in it. Can SHA1 have those characters?

Potentially, as @Matt pointed out it could be Base64, in theory the output of SHA1 can be encoded however you like, as long as it retains the 20 bytes correctly. If you still need help identifying it, let me know and I can take a look.

Thank you @Matt @chick3nman, definitely a good idea. Seems like it was a bit of a red herring. All the various base decodes were garbage, but I was able to get the original file and hash it myself and the SHA1 I computed did not match any decoder output using a mass decoder. I think I'm going to have to ask the provider how they got this value...

1

numbersevenfan

Thank you @Matt @chick3nman, definitely a good idea. Seems like it was a bit of a red herring. All the various base decodes were garbage, but I was able to get the original file and hash it myself and the SHA1 I computed did not match any decoder output using a mass decoder. I think I'm going to have to ask the provider how they got this value...

DM me and I can double check if its just a different encoding scheme. There's a few ways that it's commonly done.

1

Andrew Rathbun

The Registry is very fragmented IMO. Different artifacts log different things. Different artifact's timestamps are more reliable than others. Some even record their own timestamps within the subkey as a value, separate from the LastWriteTimestamp. The Registry is the wild, wild west at times. And that's just the opinion I've gathered from my extensive yet overall limited adventures in the Registry. Third-party applications do whatever they need or want to do in the Registry. Same with Event Logs. Some third-party applications log to event logs (usually into Application.evtx). Some do it well. Some do it in a barely passable/lazy manner (almost like malicious compliance lol). If that 01 00 00 00 is not a Windows-based artifact (aka some third-party application), then who knows what encoding mechanism is being used unless it appears to be in a structure similar to other known artifacts (FILETIME, etc) (edited)

A feedback from my question about how to parse reg_binary. Real key was Security Descriptor (ACL for AD object) for certificate template ==> a registry key created by Windows so I check Microsoft documentation (product doc & data type sheet) and after a lot of coffee & hours I finally understood how it's stored. "Find and read documentation" is always a good advice

3

2

Wondered what everyone was using for Domestic Router Extraction ? I'm aware of the Forensic Compass from First Forensic. Looking for something Open Source if possible.

Steve2609

Wondered what everyone was using for Domestic Router Extraction ? I'm aware of the Forensic Compass from First Forensic. Looking for something Open Source if possible.

The only thing I can think of off hand is NAFT but it hasn’t been updated in 8 years. https://blog.didierstevens.com/my-software/#NAFT

Didier Stevens

My Software

This list is a work in progress (i.e. it will never be completely up-to-date). It will list all my published software with cross-referenced blogposts. I try to update it monthly (last update 2021/0…

numbersevenfan

Hi all, i'm feeling like i'm missing something obvious here... but I was given a SHA1 hash value that has non hexadecimal characters (Z, P, X, etc) in it. Can SHA1 have those characters?

Maybe a bit late… is this a csam case by any chance? There is an le tool which stores sha1 hashes of files of interest in non-hex format. I think it was base64 but would need to check. Cyberchef will do it but you need to chain two filters - from hex and then to base64

7:58 AM

Or from base64 and then to hex to go the other way. Using a straight base64 decoded/encode will not work or rather may not give you what are expecting

busted4n6

Maybe a bit late… is this a csam case by any chance? There is an le tool which stores sha1 hashes of files of interest in non-hex format. I think it was base64 but would need to check. Cyberchef will do it but you need to chain two filters - from hex and then to base64

It is. That is good to know and would make sense in this case. It did turn out to need exactly that, base32 to raw to hex. Thank you, this sounds a good explanation as any!

numbersevenfan

It is. That is good to know and would make sense in this case. It did turn out to need exactly that, base32 to raw to hex. Thank you, this sounds a good explanation as any!

Ah yes. Then it’s definitely from the tool I’m thinking of

https://blogs.microsoft.com/blog/2023/03/28/introducing-microsoft-security-copilot-empowering-defenders-at-the-speed-of-ai/ Quite interesting, the reverse engineering capability seems cool, wonder how good it will actually be.

Introducing Microsoft Security Copilot: Empowering defenders at the...

The odds are against today’s defenders Today the odds remain stacked against cybersecurity professionals. Too often, they fight an asymmetric battle against prolific, relentless and sophisticated attackers. To protect their organizations, defenders must respond to threats that are often hidden among noise. Compounding this challenge is a global ...

I am trying to set up a new computer and it keeps asking for a cloud account.. I want to set it without the cloud setting.. anyone have a link to the procedure.??

1:48 PM

darn Microsoft.

Jetten_007

I am trying to set up a new computer and it keeps asking for a cloud account.. I want to set it without the cloud setting.. anyone have a link to the procedure.??

Select personal account, then when it asks for your email/security key, there’s an option in the bottom left which says limited experience or offline account or something similar. Select that and follow the prompts. (edited)

ok.. thanks.

Jetten_007

darn Microsoft.

set the PC up without ethernet plugged in?

Rufus can also enable local account only while creating a USB drive

Not sure which channel would be best for this. Working on a 13 inch 2019 MacBook Pro. While experimenting the flip connector came off the board. It looks like it is tied to the battery. Any chance of being able to reconnect it.

I'm taking some practice tests for CHFI and it mentions some powershell cmdlets that I can't find in my system. BingAI nor google have helped me find these. Does anyone know what module these come from? Get-BootSector: This command that can help the investigator parse GPTs of both types of hard disks including the ones formatted with either UEFI or MBR. Get-GPT: This command helps the investigator analyze the GPT data structure of the hard disk. Get-PartitionTable: This command analyzes the GUID partition table to find the exact type of boot sector (Master Boot Record or GUID PartitionTable) and displays the partition object. Get-MBR: This command displays the MBR Partition Table of a GPT formatted disk. Edit: I've also run Find-(Command) to no avail. (edited)

TheMaddMaverick

I'm taking some practice tests for CHFI and it mentions some powershell cmdlets that I can't find in my system. BingAI nor google have helped me find these. Does anyone know what module these come from? Get-BootSector: This command that can help the investigator parse GPTs of both types of hard disks including the ones formatted with either UEFI or MBR. Get-GPT: This command helps the investigator analyze the GPT data structure of the hard disk. Get-PartitionTable: This command analyzes the GUID partition table to find the exact type of boot sector (Master Boot Record or GUID PartitionTable) and displays the partition object. Get-MBR: This command displays the MBR Partition Table of a GPT formatted disk. Edit: I've also run Find-(Command) to no avail. (edited)

https://github.com/Invoke-IR/PowerForensics

GitHub - Invoke-IR/PowerForensics: PowerForensics provides an all i...

PowerForensics provides an all in one platform for live disk forensic analysis - GitHub - Invoke-IR/PowerForensics: PowerForensics provides an all in one platform for live disk forensic analysis

1

This is a privacy related question. My client has suffered data exfiltration and is considering whether to purchase identity protection for former employees in addition to current employees. What is the standard practice for determining how far back in time do they have to go for former employees? 2 years, 3 years? In cases of massive data leakage due to exfiltration by the ransomware group, it is difficult to determine what exactly was lost.

indianadmin

This is a privacy related question. My client has suffered data exfiltration and is considering whether to purchase identity protection for former employees in addition to current employees. What is the standard practice for determining how far back in time do they have to go for former employees? 2 years, 3 years? In cases of massive data leakage due to exfiltration by the ransomware group, it is difficult to determine what exactly was lost.

Does it matter how long ago they worked if it's something like a social security number that got exposed? People only get one of those, regardless of whether they worked there 2 years or 25 years ago. I guess it depends on the PII in question but I am not a lawyer

Good morning, all. I am looking to identify tooling from a process creation event.. the format of the ImagePath is:

%COMSPEC% /C echo net user fred p@ssword /add ^> %SYSTEMDRIVE%\\WINDOWS\\Temp\\xxxxxxxxxxxxxxxx.txt > \\WINDOWS\\Temp\\xxxxxxxxxxxxxxxx.bat & %COMSPEC% /C start %COMSPEC%\\Temp\\xxxxxxxxxxxxxxxx.bat

Any thoughts on what tool that is? Seen that pattern before? (edited)

dis0wn

Good morning, all. I am looking to identify tooling from a process creation event.. the format of the ImagePath is:

%COMSPEC% /C echo net user fred p@ssword /add ^> %SYSTEMDRIVE%\\WINDOWS\\Temp\\xxxxxxxxxxxxxxxx.txt > \\WINDOWS\\Temp\\xxxxxxxxxxxxxxxx.bat & %COMSPEC% /C start %COMSPEC%\\Temp\\xxxxxxxxxxxxxxxx.bat

Any thoughts on what tool that is? Seen that pattern before? (edited)

ChatGPT says:

The format of the ImagePath you provided looks like a batch file that creates a new user account named "fred" with a password "p@ssword". It seems to be using the Windows Command Prompt (cmd.exe) to execute the batch file and create the user account.

Based on the format of the ImagePath, it's possible that the process creation event is associated with a malware or a malicious script that is attempting to create a new user account on the compromised system. The use of a temporary batch file and the redirection of output to a temporary file in the system drive could be an attempt to evade detection by security software.

It's recommended that you investigate further to determine the source of the process creation event and take appropriate action to mitigate any potential security risks.

It very well could just be a script. Not sure why a malicious binary would be created to do the above when a simple script/one-off commands can handle that. (edited)

1

dis0wn

Good morning, all. I am looking to identify tooling from a process creation event.. the format of the ImagePath is:

%COMSPEC% /C echo net user fred p@ssword /add ^> %SYSTEMDRIVE%\\WINDOWS\\Temp\\xxxxxxxxxxxxxxxx.txt > \\WINDOWS\\Temp\\xxxxxxxxxxxxxxxx.bat & %COMSPEC% /C start %COMSPEC%\\Temp\\xxxxxxxxxxxxxxxx.bat

Any thoughts on what tool that is? Seen that pattern before? (edited)

And here is what Google Bard says:

The command creates a new user account called "fred" with the password "p@ssword". It then creates a batch file called "xxxxxxxxxxxxxxxx.bat" that contains the following command: net user fred p@ssword /add The batch file is then started. When it runs, it adds the new user account to the system. The command uses the following syntax: %COMSPEC% /C command The %COMSPEC% variable is replaced with the path to the current user's command prompt. The /C flag tells the command to run in a console window and then terminate. The echo command prints the specified text to the console. The net user command creates a new user account. The /add flag tells the command to add the user account to the system. The p@ssword parameter is the password for the new user account. The /%SYSTEMDRIVE%\WINDOWS\Temp\xxxxxxxxxxxxxxxx.txt parameter is the path to the file that will be created. The > symbol tells the command to redirect the output of the echo command to the file. The %COMSPEC%\Temp\xxxxxxxxxxxxxxxx.bat parameter is the path to the batch file that will be created. The & symbol tells the command to start the batch file in the background. The command creates a new user account and then creates a batch file that adds the new user account to the system. The batch file is then started, which adds the new user account to the system.

JLindmar (83AR)

And here is what Google Bard says:

The command creates a new user account called "fred" with the password "p@ssword". It then creates a batch file called "xxxxxxxxxxxxxxxx.bat" that contains the following command: net user fred p@ssword /add The batch file is then started. When it runs, it adds the new user account to the system. The command uses the following syntax: %COMSPEC% /C command The %COMSPEC% variable is replaced with the path to the current user's command prompt. The /C flag tells the command to run in a console window and then terminate. The echo command prints the specified text to the console. The net user command creates a new user account. The /add flag tells the command to add the user account to the system. The p@ssword parameter is the password for the new user account. The /%SYSTEMDRIVE%\WINDOWS\Temp\xxxxxxxxxxxxxxxx.txt parameter is the path to the file that will be created. The > symbol tells the command to redirect the output of the echo command to the file. The %COMSPEC%\Temp\xxxxxxxxxxxxxxxx.bat parameter is the path to the batch file that will be created. The & symbol tells the command to start the batch file in the background. The command creates a new user account and then creates a batch file that adds the new user account to the system. The batch file is then started, which adds the new user account to the system.

And here is what I got back from ChatGPT:

The command you provided is a Windows command prompt command, which performs the following tasks: 1. It uses the %COMSPEC% environment variable to reference the command interpreter executable (usually cmd.exe). 2. It runs the echo command to output the string "net user fred p@ssword /add > %SYSTEMDRIVE%\WINDOWS\Temp\xxxxxxxxxxxxxxxx.txt" to the console. 3. It uses the > symbol to redirect the output of the echo command to a file named xxxxxxxxxxxxxxxx.txt located in the C:\WINDOWS\Temp directory (%SYSTEMDRIVE% is a reference to the drive where Windows is installed, typically C:). 4. It uses the ^ symbol to escape the > character so that it is treated as a literal character rather than as a redirection operator. 5. It uses the & symbol to concatenate multiple commands on a single line. 6. It runs another instance of the command interpreter using %COMSPEC%, passing it the /C parameter to run the command specified as an argument and then exit. 7. It runs the start command to launch the batch file xxxxxxxxxxxxxxxx.bat located in the %COMSPEC%\Temp directory, which executes the command written in step 2 and saves the output to xxxxxxxxxxxxxxxx.txt in the C:\WINDOWS\Temp directory. Overall, the command appears to create a new user account named "fred" with the password "p@ssword" and saves the output of the command to a text file in the C:\WINDOWS\Temp directory. However, the purpose and context of the command are unclear, and it should be used with caution as it could potentially be used for malicious purposes.

(edited)

yep.. That's the same conclusion I came to.. I'm more looking for someone that might recognize the specific TTP of "echo string to txt and to bat, then start" It's a bit redundant and thought it might be a signature of crackmapexec or ntlmrelayx tooling..

I found the answer! It's a signature for metasploit's ms17_010_command.rb module.. creates a txt and bat version, then executes it..

1

@chick3nman lol.. small world!

no kidding

I have no clue why it creates both a text file and a batch file but the source code certainly does that. Start at line 96 https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/smb/ms17_010_command.rb

metasploit-framework/ms17_010_command.rb at master · rapid7/metaspl...

Metasploit Framework. Contribute to rapid7/metasploit-framework development by creating an account on GitHub.

dis0wn

Good morning, all. I am looking to identify tooling from a process creation event.. the format of the ImagePath is:

%COMSPEC% /C echo net user fred p@ssword /add ^> %SYSTEMDRIVE%\\WINDOWS\\Temp\\xxxxxxxxxxxxxxxx.txt > \\WINDOWS\\Temp\\xxxxxxxxxxxxxxxx.bat & %COMSPEC% /C start %COMSPEC%\\Temp\\xxxxxxxxxxxxxxxx.bat

Any thoughts on what tool that is? Seen that pattern before? (edited)

That could be smbexec (edited)

deetnutz

That could be smbexec (edited)

Looks like.it could be that too

1:02 PM

Search " command = self.__shell" in https://github.com/fortra/impacket/blob/master/examples/smbexec.py

impacket/smbexec.py at master · fortra/impacket

Impacket is a collection of Python classes for working with network protocols. - impacket/smbexec.py at master · fortra/impacket

1:03 PM

For impacket stuff look for a service "btobto"

Looking around line 277 in that source code, smbexec only creates the .bat file.. my event created a .txt and a .bat file.. smbexec doesn't quite match but it's close.. (edited)

1:06 PM

The msf module is an exact match since it creates an exactly-16-chr file name.. smbexec only creates up to 8 chr.

1:06 PM

(my event had a 16 chr .txt and .bat file)

It outputs to whatever this line is " self.output = '\\127.0.0.1\' + self.share + '\' + OUTPUT_FILENAME" So mostly I see people not change it and you get the loop IP. But they could have. If it was an exact match with the metasploit module I'd probably go with that than someone changing the defaults

1

Hi, when using FTK imager on a sample how can you tell what a user has deleted?

6:42 PM

I don't really see an easy indicator. I see unallocated spaces, and then also like the recycle bin

6:42 PM

but thats it

GodLy

Hi, when using FTK imager on a sample how can you tell what a user has deleted?

FTK Imager isn't a forensic suite and shouldn't be used to do forensics, per se. Check the recycle bin and parse the artifacts in there to see what the original filenames were and the time they were deleted

Whats good to use for deleted files for a fake forensic case then?

6:43 PM

I have encase and a few other tools. just FTK is what I know the best hence why im using it

GodLy

Whats good to use for deleted files for a fake forensic case then?

RBCmd by Eric Zimmerman is a good choice for parsing files within the recycle bin

1

6:43 PM

I'm sure other tools, paid and free, parse the same artifacts but that's the answer you're getting from me

(edited)

GodLy

Whats good to use for deleted files for a fake forensic case then?

Autopsy might be worth a shot for what you're trying to do.

2

GodLy

Hi, when using FTK imager on a sample how can you tell what a user has deleted?

Other than the x mark, you can pull out $J from there, parse it with MFTECmd and filter the UpdateReasons column for deleted files. RBCmd too for recycle bin, just make sure you know the SID of the specific user if multiple users are logged in there.

1

ping @CLB-dan.techcrime - see this?

1

The Computer Science department at Louisiana State University (LSU) is currently hiring for many faculty positions related to applied cyber security. Courses taught inside this department include reverse engineering, malware analysis, binary exploitation, memory forensics and other intensive courses related to incident response and offensive security. Ideal candidates will have significant experience with deeply technical areas of cybersecurity. LSU was recently granted the CAE-CO designation and is one of only 21 schools nation-wide to hold it as it is the most technical designation granted by NSA and DHS. The department also runs a large SFS program for cyber security students. If you are interested in one of these positions, then please see the following link. I also ask my industry contacts to please spread the word within academic communities that you have access to: https://lsu.wd1.myworkdayjobs.com/en-US/LSU/job/3325-Patrick-F-Taylor-Hall/Assistant-Professor_R00074211?q=computer%20science%20cybersecurity The cybersecurity effort at LSU has strong support from the highest levels of the school and is rapidly expanding – so now is the perfect time to join. PS: I am not employed by LSU, but do work very closely with the CS department to ensure the courses are relevant to industry and rigorous enough for students to leave with real-world, hands-on experience. If you have questions related to the position, then please direct them to Dr. Golden Richard at LSU: https://www.cct.lsu.edu/~golden/ (edited)

Assistant Professor in Computer Science

All Job Postings will close at 12:01a.m. CST (1:01a.m. EST) on the specified Closing Date (if designated). If you close the browser or exit your application prior to submitting, the application progress will be saved as a draft. You will be able to access and complete the application through “My Draft Applications” located on your Candidate Home...

Hello! I am currently working on a case study of a Steam game. On steam all user accounts have a user ID (9 digit number). In the game there is, however, a "cached_userId" which consists of letters. When investigating the chatlog within the game, the chatlog will refer to the cached userid together with the players Steam Name. I am having trouble differentiating between the user ID(9 digit number) and the cached_userId. Google is really not helping much at all, so any explanation or logic would be much appreciated.

The Call for Papers (CFP) for HTCIA international conference closes tomorrow March 31. Submission is easy (abstract and title) - If you have been doing any research, interesting case studies, labs, etc - please submit to share your knowledge! https://hightechnologycrimeinvestigationassociation.growthzoneapp.com/ap/Form/Fill/Lx4YEixL (edited)

8:02 AM

We just announced our keynote speakers for HTCIA conference are Heather Mahalik and David Cowen! https://www.einpresswire.com/article/624957140/htcia-announces-keynote-speakers-for-2023-annual-international-conference-expo

HTCIA Announces Keynote Speakers for 2023 Annual International Conf...

Registration now open and a limited number of sponsorship opportunities remain

1

Wild_West

Hello! I am currently working on a case study of a Steam game. On steam all user accounts have a user ID (9 digit number). In the game there is, however, a "cached_userId" which consists of letters. When investigating the chatlog within the game, the chatlog will refer to the cached userid together with the players Steam Name. I am having trouble differentiating between the user ID(9 digit number) and the cached_userId. Google is really not helping much at all, so any explanation or logic would be much appreciated.

Perhaps they resolve to each other. Feed the cached ID into CyberChef and see what type of data it is?

Deleted User

Perhaps they resolve to each other. Feed the cached ID into CyberChef and see what type of data it is?

I hadn't tried that, but it didn't give any result. When I look into the chatlog, all of the cached_userid's begin with KU. After that it is just a random mix of 8 small and capital letters with digits. For instance: (KU_q4h6LPNr) username

Fire up Wireshark and interact with Steam. Maybe that reveals what you are looking for. Good luck

(edited)

I just might do that, and the luck is needed

could someone give me a dm regarding install hanging at instal of iman service @MSAB

1

Seeing if anyone has experienced this…. We have extractions of 2 phones with conversations and one phone is missing a section of the text back and forth in the conversation. No indication the text were deleted per the extraction. Seems as though this person is creating incoming/outgoing spoof text. Does anyone know of any specific apps/tools/website that can do this? Example text shows timestamps of 1:57:00pm, 2:54:00pm, 4:30:00pm.

Hey all. I am pulling video off of a camera server and need a 12TB hard drive to submit into evidence. Am I better off putting it on an internal or external drive for submitting into long term evidence? It'll either be a WD Red Pro or a WD My Book. In a perfect world it would go on solid state drives, but that's not in our budget.

Anyone in the Financial sector using Magnet Axiom Cyber open to sharing there thoughts with me in DM? Thank you!

wcso_pete

Hey all. I am pulling video off of a camera server and need a 12TB hard drive to submit into evidence. Am I better off putting it on an internal or external drive for submitting into long term evidence? It'll either be a WD Red Pro or a WD My Book. In a perfect world it would go on solid state drives, but that's not in our budget.

neither may be 'the best' . what are your priorities? fast download, reliable storage, ease of connection in passing it to a 3rd party for viewing, will it actually be in a NAS device etc. maybe check https://www.westerndigital.com/solutions/color-drives . anecdotal, but I'd avoid portable drives unless you actually need to prioritise portability.

Digitalferret

neither may be 'the best' . what are your priorities? fast download, reliable storage, ease of connection in passing it to a 3rd party for viewing, will it actually be in a NAS device etc. maybe check https://www.westerndigital.com/solutions/color-drives . anecdotal, but I'd avoid portable drives unless you actually need to prioritise portability.

Our priority is potential long term storage. We are being nice and not submitting the whole $20k+ camera server into evidence. It’s a case involving a school employee so we have to keep it in case other victims come forward.

1

check the WD site i linked. red may not be the best as its for a one-off store and save.

8:25 AM

I'd always prefer native cables, not USB, but i guess that depends how whoever is going to view wants to hook it up, ie Laptop

Digitalferret

I'd always prefer native cables, not USB, but i guess that depends how whoever is going to view wants to hook it up, ie Laptop

That's my thought as well. I was originally going to do the SATA drive. I have docks available if anyone ever needs to access the content. Obviously the ideal solution is to try and talk command into getting me an LTO5 tape drive but I'll take what I can get!

wcso_pete

That's my thought as well. I was originally going to do the SATA drive. I have docks available if anyone ever needs to access the content. Obviously the ideal solution is to try and talk command into getting me an LTO5 tape drive but I'll take what I can get!

" talk command into getting me.." lol, PDs the world over. Officer: we need dis! Command/Accounts: GTFO won't a floppy do?

wcso_pete

Hey all. I am pulling video off of a camera server and need a 12TB hard drive to submit into evidence. Am I better off putting it on an internal or external drive for submitting into long term evidence? It'll either be a WD Red Pro or a WD My Book. In a perfect world it would go on solid state drives, but that's not in our budget.

6TB NAS drives is what my sister who does photography/video uses? Most attorneys will usually be happy to get you a shrinkwrapped drive so their copy it isn't out of your budget.

wcso_pete

That's my thought as well. I was originally going to do the SATA drive. I have docks available if anyone ever needs to access the content. Obviously the ideal solution is to try and talk command into getting me an LTO5 tape drive but I'll take what I can get!

with 12TB required, and sticking with WD internal, it's looking like Red Pro v Gold. might be worth consiodering this though. NAS drives designed for RAID use -

8:51 AM

similarly nuanced tech issues when folks go for the (sometimes) cheaper AV drives over regular desktop drives.

This is a first

some custom rom based on Samsung fw? (edited)

Hello everyone! I am just inquiring what everyone uses for secure file sharing? This would be for mostly legal files that also may include.pst files, PDFs, excel, etc

dozadown

Hello everyone! I am just inquiring what everyone uses for secure file sharing? This would be for mostly legal files that also may include.pst files, PDFs, excel, etc

you can use 7zip and 256 bit encrypt the files into a folder and either email them or share a folder. The passcode would be transmitted differently.

3

I'm looking for some organization/extraction software that will help me create a timeline from chat and email messages... preferably media as well.

12:14 PM

I'm trying to corelate various discussions over a long period of time

12:15 PM

So, the goal would be so search for a key word... and slice across a day through multiple streams

12:17 PM

I might be able to use something like obsidian... but I'm hoping to find something more specialized so that my focus can be on the research rather than the tools

Arcain

some custom rom based on Samsung fw? (edited)

Customer said it is like this from the first boot

TiffanyRbns

Seeing if anyone has experienced this…. We have extractions of 2 phones with conversations and one phone is missing a section of the text back and forth in the conversation. No indication the text were deleted per the extraction. Seems as though this person is creating incoming/outgoing spoof text. Does anyone know of any specific apps/tools/website that can do this? Example text shows timestamps of 1:57:00pm, 2:54:00pm, 4:30:00pm.

Try one of the mobile channels #mobile-forensic-extractions #mobile-forensic-decoding

Andrew Rathbun

Try one of the mobile channels #mobile-forensic-extractions #mobile-forensic-decoding

Thanks will do.

1

Any suggestions on where to look or what that type of software would be called?

1:28 PM

I've had no luck finding something that matches the requirements

Hi everyone! I'm a PhD research student at Teesside University exploring the use of keyword list searches in CSAM cases. The aim is to develop a search strategy which would lead to more effective searches. I'm hoping to find practitioners on here who would do a quick anonymous survey to help with my research. Originally, I was only seeking participants from police DFUs in England and Wales but would now like to get input from various sources, such as private labs and those in law enforcement outside England and Wales to see how the keyword list is used in practice. If you are willing to participate, please read the attached document where you will find information about the project and the links to the survey... one for England and Wales, and a global one for those outside the area. Thanks for your help, please contact me if you have any questions.

Discord_Research_Participation_Request.pdf

99.05 KB

@DCSO thank you so much!

So when is Cellebrite, Magnet or someone else coming out with a GPT-4 enhanced forensics tool that will be able to ingest a warrant, the search request, all the case reports and then go through all the data and automatically tag all the relevant artifacts that are in the scope of the search warrant? The technology exists now so get to work!

2

JSDurand

So when is Cellebrite, Magnet or someone else coming out with a GPT-4 enhanced forensics tool that will be able to ingest a warrant, the search request, all the case reports and then go through all the data and automatically tag all the relevant artifacts that are in the scope of the search warrant? The technology exists now so get to work!

Are you trying to be unemployed?

Because that's how you get unemployed!

Well, I am pretty sure that it's coming whether we like it or not. I see it as a good thing. We will be able to handle more evidence, concentrate on the real forensics aspect instead of reading text messages and looking at photos and used properly, I think it would be extremely powerful.

Hey Guys. Senior Cybersecurity student here at The University of Texas in San Antonio. During my time here I’ve really enjoyed Digital Forensics and want to focus on this field for my career! Can someone help me or provide guidance in what I should be doing or how to get started in this field?

10:45 PM

What should I learn first? Where are the best resources? I have lots of questions and would appreciate any help from experienced professionals. Thank you all!

10:46 PM

Please feel free to PM me so as not to clog up this channel.

quin3089

What should I learn first? Where are the best resources? I have lots of questions and would appreciate any help from experienced professionals. Thank you all!

What part of digital forensics do you want to learn? Check out the channels on the left if you don't know what you don't know about digital forensic sub-topics so we can get an idea of what resources to refer you to.

@FullTang Wow, I didn’t even know there was more sub fields. Well, in school I’ve done Malware Analysis and also learned about Parsing through MFT entries and finding artifacts like deleted files and email headers. I’ve enjoyed it all so I’m not sure yet but I’ll research the sub fields. (edited)

Hello everyone, Is there a way to detect what kind of encryption is used on a file?

khushigupta0641

Hello everyone, Is there a way to detect what kind of encryption is used on a file?

what kind of file are we talking about? if it's an archive it will likely have metadata to indicate which encryption algorithm is used

I have an image of the encrypted file

what do file, or binwalk indicate about it ? (edited)

The file is a .enc file

I recommend running binwalk against it for a first triage; binwalk is similar to the file command in that it looks at "magic bytes" but does so throughout the file https://en.wikipedia.org/wiki/List_of_file_signatures https://github.com/ReFirmLabs/binwalk

List of file signatures

This is a list of file signatures, data used to identify or verify the content of a file. Such signatures are also known as magic numbers or Magic Bytes. Many file formats are not intended to be read as text. If such a file is accidentally viewed as a text file, its contents will be unintelligible. However, sometimes the file signature can be re...

GitHub - ReFirmLabs/binwalk: Firmware Analysis Tool

Firmware Analysis Tool. Contribute to ReFirmLabs/binwalk development by creating an account on GitHub.

8:30 AM

This is what I get

Loof

I'm looking for some organization/extraction software that will help me create a timeline from chat and email messages... preferably media as well.

I might be missing the point, but any commercial DFIR software which supports artifact extraction will help you to build a timeline and slice using various filters, e.g. ours Belkasoft X

JSDurand

So when is Cellebrite, Magnet or someone else coming out with a GPT-4 enhanced forensics tool that will be able to ingest a warrant, the search request, all the case reports and then go through all the data and automatically tag all the relevant artifacts that are in the scope of the search warrant? The technology exists now so get to work!

Would you be willing to share case data with Microsoft/OpenAI?

3:22 AM

* * *

How Good of a DFIR Investigator Are You? — an All Fools’ Day quiz from Belkasoft. Can you score 10/10? https://belkasoft.com/how-good-dfir-investigator-are-you Have fun!

@Yuri Gubanov (Belkasoft) Obviously it will require a locally run version.

JSDurand

@Yuri Gubanov (Belkasoft) Obviously it will require a locally run version.

This is not provided by OpenAI - repeating that would involve costs higher than Cellebrite and Magnet valuation altogether multiple times

5:42 AM

I mean repeating the model training -- but there are also significant hardware costs to be spent by an agency

@Yuri Gubanov (Belkasoft) you're right, but there is also a lot of work being done to democratize the technology, for example with Meta's LLaMA.

Weird question and maybe it doesnt matter really, but would you rather have the users download folder locally or mapped to a network share? One con I noticed is we cant see the file in the mft and we dont get it when we image the computer, on the other hand we can ask another team to pull the files for us and we get backups on downloaded files.

janice2858

Hi everyone! I'm a PhD research student at Teesside University exploring the use of keyword list searches in CSAM cases. The aim is to develop a search strategy which would lead to more effective searches. I'm hoping to find practitioners on here who would do a quick anonymous survey to help with my research. Originally, I was only seeking participants from police DFUs in England and Wales but would now like to get input from various sources, such as private labs and those in law enforcement outside England and Wales to see how the keyword list is used in practice. If you are willing to participate, please read the attached document where you will find information about the project and the links to the survey... one for England and Wales, and a global one for those outside the area. Thanks for your help, please contact me if you have any questions.

Rather than a keyword list you probably want a corpus of messages used for transmitting links - then train a GPT on it. You can then use that to crawl messages. This is isomorphic to looking for consumers of electric tea kettles - hence I would use that dataset - then repurpose the workflow to any topic of interest to the detective.

isvak

Weird question and maybe it doesnt matter really, but would you rather have the users download folder locally or mapped to a network share? One con I noticed is we cant see the file in the mft and we dont get it when we image the computer, on the other hand we can ask another team to pull the files for us and we get backups on downloaded files.

In general, I prefer federation over forensics. If an attacker can't get at the data then you don't have a breach to investigate.

JSDurand

@Yuri Gubanov (Belkasoft) you're right, but there is also a lot of work being done to democratize the technology, for example with Meta's LLaMA.

I'm giving a talk on this to Central Iowa Linux User Group on April 19th, should be posted to youtube. Lots in our F500 need localhost large language models. I'll wrap what I have in a command line utility so you can shell out to it and a python flask app you can call from whatever.

1

Yuri Gubanov (Belkasoft)

I mean repeating the model training -- but there are also significant hardware costs to be spent by an agency

You usually don't have to retrain the entire model, in several domains they were able to tune LLaMA for just a few hundred dollars. I'll try to add that to my talk.

Yuri Gubanov (Belkasoft)

* * *

How Good of a DFIR Investigator Are You? — an All Fools’ Day quiz from Belkasoft. Can you score 10/10? https://belkasoft.com/how-good-dfir-investigator-are-you Have fun!

I had to explain to a manager modulo Microsoft's horrid Azure security, you shouldn't be putting sensitive things into Google the past 20 years either.

quin3089

Hey Guys. Senior Cybersecurity student here at The University of Texas in San Antonio. During my time here I’ve really enjoyed Digital Forensics and want to focus on this field for my career! Can someone help me or provide guidance in what I should be doing or how to get started in this field?

Get an internship in automotive dev. Tesla, John Deere, doesn't matter. You will get blasted with the entire tech stack and learn how to investigate darn near anything.

1

khushigupta0641

The file is a .enc file

Probably one of the openssl supported formats. Most have headers? Should be able to inject into test code and see which header parser doesn't barf. https://github.com/openssl/openssl/tree/master/test Roll this into a command line program and lots would probably use it.

chadbrewbaker

You usually don't have to retrain the entire model, in several domains they were able to tune LLaMA for just a few hundred dollars. I'll try to add that to my talk.

Well, “retrain” means you have the model, which I don’t think OpenAI is going to give you.

hi @conf1ck3r ... I think political content has no place here, right?

skype.raidercom.

Queen-L

skype.raidercom.

?

Original message was deleted or could not be loaded.

possibly better in #off-duty unless there's a DFIR component.

1

Digitalferret

possibly better in #off-duty unless there's a DFIR component.

I’ll double check on this too

1

Hi all, I'm looking for recent research on forensic methods to detect spyware. Any pointers at all would be helpful

Hello, I am currently doing a dissertation where i am doing an extraction from a mobile phone, but currently I'm trying to populate the phone with data. I got recommended from my teacher to just download a bunch of PDF's and whatever to the phone, is there any websites for such purposes?

Original message was deleted or could not be loaded.

While we all love bangers, maybe post any song recommendations in #off-duty?

Matt

While we all love bangers, maybe post any song recommendations in #off-duty?

Specifically, there is a thread for Music, I'll resurrect it - https://discord.com/channels/427876741990711298/927621348677804072

2

Yuri Gubanov (Belkasoft)

Well, “retrain” means you have the model, which I don’t think OpenAI is going to give you.

https://github.com/ggerganov/llama.cpp is probably the best available right now to self-host.

1

From embarrassment? It's okay, we all post things by mistake

FYI, we've reached out to that user and people they associate with in other servers and are handling it

Trond

Hello, I am currently doing a dissertation where i am doing an extraction from a mobile phone, but currently I'm trying to populate the phone with data. I got recommended from my teacher to just download a bunch of PDF's and whatever to the phone, is there any websites for such purposes?

Lol. Arxiv? What are you trying to do with the data?

chadbrewbaker

Lol. Arxiv? What are you trying to do with the data?

Just to fill up the phone's drive so the "evidence" I planted isn't as easily discovered (edited)

Go to a local cell repair shop - offer $50 for phones that havent' been wiped.

It's a good idea, but couldn't get University permission to do that because of ethical reasons in my dissertation, so had to lend a freshly wiped one from school, but Arxiv, Buldata, and Openlibrary will be plenty for now I believe, thank you though! (edited)

Do you think Walmart is ethical in the cell phone bin they have out front? Probably more ethical to write scripts that carefully preserve privacy for your experiment then properly wipe the phone before recycling.

11:38 AM

Obviously don't use anything network connected with creds on the phone.

11:43 AM

Should be able to do it black box - script A injects what you want - script B detects (make sure it is localhost w no data leaks). Do 100 random injections and the original filesystems. Should give you the probability density function you want.

chadbrewbaker

Should be able to do it black box - script A injects what you want - script B detects (make sure it is localhost w no data leaks). Do 100 random injections and the original filesystems. Should give you the probability density function you want.

I will do some research on this, thank you for the tips!

You can also try some tricks similar to stable diffusion - randomly deleting or modifying files to get a good idea of the state space script B does and does not work for.

11:50 AM

The pile is great if you want non-malicious files of real world content for false positive testing https://huggingface.co/datasets/EleutherAI/the_pile

Might be a bit to advanced compared to what I'm currently doing, but I'll for sure check it out!

can someone suggest me a best p/p EDR/XDR?

7:05 PM

my goal is to be as fast as possible to detect and then response (auto) to prevent users

Any reason @Griffeye and @Magnet Forensics Axiom would have different hash values for images from the same forensic image?

sholmes

Any reason @Griffeye and @Magnet Forensics Axiom would have different hash values for images from the same forensic image?

I've seen this issue recently depending on the image type. Shooting you a DM.

Thanks @cScottVance

sholmes

Any reason @Griffeye and @Magnet Forensics Axiom would have different hash values for images from the same forensic image?

I assume they are carved images? We regularly see different tools recovering the same images with a few more or less bytes in length - meaning different hash values.

Ross Donnelly

I assume they are carved images? We regularly see different tools recovering the same images with a few more or less bytes in length - meaning different hash values.

That is what I was banking on, but wanted verification from someone who uses Griffeye. I don't use it, nor do I have access to it to check. Thanks for the response!

Any suggestions for a faraday box to fit inside a faraday box? Boxception? I have a mission darkness XL but currently have around 7 phones inside of it. Maneuvering things into bags to open the lid is a PITA, I'm wondering if theres an easy little box I can use for this temporary shielding. Any ideas?

Does anyone here know how to obtain the derived AES keys (key 0x85, key 0x86, etc, see https://www.theiphonewiki.com/wiki/AES_Keys ) from a jailbroken iPhone 6? (edited)

AES Keys

whee30

Any suggestions for a faraday box to fit inside a faraday box? Boxception? I have a mission darkness XL but currently have around 7 phones inside of it. Maneuvering things into bags to open the lid is a PITA, I'm wondering if theres an easy little box I can use for this temporary shielding. Any ideas?

Ramsey has Faraday enclosure. Size is about 4.5"H x 7.2"W x 9.7"D. https://ramseytest.com/ste2200f2

RAMSEY ELECTRONICS

Perfect size but at $500 I'll have to keep fiddling with bags... I just had to cram a bunch into some bags to add something new and it's doable but frustrating

Ramsey has better build qaulity than MD...but yes...it's expensive. How about foils?

a box with an easy to open/close lid would be great but all im seeing so far is a molle pouch from mission darkness, which is effectively a different shaped bag, the ramsey box and a host of cheap "faraday" boxes on amazon

4:03 PM

I agree about the build quality! I have a ramsey box and a mission darkness... if ramsey made a larger box with more working room it would be my favorite

4:04 PM

https://ramseytest.com/ste6000

RAMSEY ELECTRONICS

4:04 PM

Well heck, I guess they do make a bigger box...

Anyway here who uses Cellebrite Digital Collector and is available per DM to discuss their experience with it?

I’ve used it off and on for a few years. No real problems beyond what most tools have, lag in updates etc. bought it back when t2 was the new “big deal” and I had a major case. I am fine with the tool, though I’ve never used Sumuri for any length of time. I think finding someone who has experience with both would be a good idea.

I'm evaluating it right now. Our main usage would be to have something easier for doing logical copies of modern (m1, t2 encrypted) Macs. But it seems to fail on those because of Apple's Security Integrity Protection. So I'm not really sure about it's usefulness compared to a more manual approach.

Hey guys, has anyone looked into plaso and possibility to improve it's performance?

7:50 AM

I am playing with cylr->plaso->timesketch. Checking what is the time since generating plaso file and tagging it with plaso tags. I see that for couple of minutes some workers are doing something but like after 2-3 min just one "main" worker is utilizing just one CPU rest of them is sitting in idle...

7:51 AM

Mybe someone has nice reading material regarding such things?

GoblinJu

I am playing with cylr->plaso->timesketch. Checking what is the time since generating plaso file and tagging it with plaso tags. I see that for couple of minutes some workers are doing something but like after 2-3 min just one "main" worker is utilizing just one CPU rest of them is sitting in idle...

Any reason to use CyLR? I thought that project was abandoned?

Andrew Rathbun

Any reason to use CyLR? I thought that project was abandoned?

No special reason. Mostly for poking reasons.

8:21 AM

I guess plaso does not realy care if i am giving cyler package or Kape package…

GoblinJu

I guess plaso does not realy care if i am giving cyler package or Kape package…

That would be my guess, but I don't really use Plaso so I can't say for sure

At the moment we are playing mostly with forensic packages not full disk image. Just to see how it all works.

leifsoren

I'm evaluating it right now. Our main usage would be to have something easier for doing logical copies of modern (m1, t2 encrypted) Macs. But it seems to fail on those because of Apple's Security Integrity Protection. So I'm not really sure about it's usefulness compared to a more manual approach.

part of the acquisition process includes rebooting and disabling SIP, is this not an option for you?

1

What's going on with Cellebrite

2

GoblinJu

Hey guys, has anyone looked into plaso and possibility to improve it's performance?

Biggest improvement is not using win7_slow (use win7), and running mft separately so there's something ready to analyze in the meantime (edited)

1:32 PM

otherwise, it'll happily use a ton of sub-processes so having more threads available on the cpu helps (edited)

rayeh

Biggest improvement is not using win7_slow (use win7), and running mft separately so there's something ready to analyze in the meantime (edited)

MFT seperetly you say... Hmmm

whee30

part of the acquisition process includes rebooting and disabling SIP, is this not an option for you?

I understand better now how collector works. Disabling SIP means changing things on the device, not sure yet about the tradeoffs. I will try the product more during the next days. It doesn't seem bad so far. Found a few bugs on MacOS 13. Do you have any experience comparing it to Sumuri Recon ITR? I will be trying that one soon aswell to see which of the two is more interesting.

I don’t, unfortunately. I do know that Sumuri has been very generous with demos and advice in the past, I like them as a company. I just havent had the time to try an apples to apples comparison.

OK thanks. Cellebrite Collector is more expensive so I'm not sure it's worth it. (edited)

Hi all, maybe a long shot but does anyone know what the "-mm" args mean on sdbinst.exe?

1:54 AM

Potential application shimming and these args were used but there's nothing online explaining what they do exactly

Hey. Got a question; My Professor somehow accidentally deleted (with shift+del) their Doctoral works of nearly 2 years now, apparently they've recovered the files but they're corrupt, unable to be read. I told them to not touch the device till tomorrow for safety. What's a good way to recover / fix these files (assuming they're a .txt / .pdf / .doc etc)

Does anyone have a reference document to explain the different XML fields on a contact export for @Cellebrite ?

    <model type="Contact" id="15114428-c630-4d8b-bb16-xxxxxxxxx" deleted_state="Intact" decoding_confidence="High" isrelated="False" source_index="41238" extractionId="0">
    <field name="UserMapping" type="DecodingSourceOptions">
      <value type="DecodingSourceOptions"><![CDATA[Decoding]]></value>
    </field>
    <field name="Source" type="String">
      <value type="String"><![CDATA[Snapchat]]></value>
    </field>
    <field name="Name" type="String">
      <value type="String"><![CDATA[Eric🤩]]></value>
    </field>
    <multiModelField name="Photos" type="ContactPhoto" />
    <multiModelField name="Entries" type="ContactEntry">
      <model type="UserID" id="873a814d-ff21-4994-adf7-xxxxxxxxx" deleted_state="Intact" decoding_confidence="High" isrelated="False" source_index="41239" extractionId="0">
        <field name="Category" type="String">
          <value type="String"><![CDATA[User ID]]></value>
        </field>
        <field name="Value" type="String">
          <value type="String"><![CDATA[14bd076b-b6de-49e8-9474-xxxxxxxxxxxx]]></value>
        </field>
        <field name="Domain" type="String">
          <value type="String"><![CDATA[User ID]]></value>
        </field>
      </model>

10:49 AM

      <model type="UserID" id="d72a1091-8b2f-4538-97a7-xxxxxxxxxxxx" deleted_state="Intact" decoding_confidence="High" isrelated="False" source_index="41240" extractionId="0">
        <field name="Category" type="String">
          <value type="String"><![CDATA[Username]]></value>
        </field>
        <field name="Value" type="String">
          <value type="String"><![CDATA[erict_xxxxxxxxxxxxx]]></value>
        </field>
        <field name="Domain" type="String">
          <value type="String"><![CDATA[User ID]]></value>
        </field>
      </model>
    </multiModelField>
    <field name="Group" type="String">
      <empty />
    </field>
    <field name="Type" type="ContactType">
      <value type="ContactType"><![CDATA[Friend]]></value>
    </field>
    <field name="Account" type="String">
      <value type="String"><![CDATA[b752662f-90e7-4fd2-88d2-xxxxxxxxx]]></value>
    </field>
    <multiField name="InteractionStatuses" type="ContactType">
      <value type="ContactType"><![CDATA[Friend]]></value>
      <value type="ContactType"><![CDATA[ChatParticipant]]></value>
    </multiField>
   </model>

10:51 AM

Just trying to get explination on the data fields and what is useful. For instance, with this snapchat export, is the <value type="String"><![CDATA[14bd076b-b6de-49e8-9474-xxxxxxxxxxxx]]></value> useful for serving snap with a search warrant to identify a target? What is the string actually called, User ID or Username? Because User ID is defined twice.

SBcyberCop

Does anyone have a reference document to explain the different XML fields on a contact export for @Cellebrite ?

    <model type="Contact" id="15114428-c630-4d8b-bb16-xxxxxxxxx" deleted_state="Intact" decoding_confidence="High" isrelated="False" source_index="41238" extractionId="0">
    <field name="UserMapping" type="DecodingSourceOptions">
      <value type="DecodingSourceOptions"><![CDATA[Decoding]]></value>
    </field>
    <field name="Source" type="String">
      <value type="String"><![CDATA[Snapchat]]></value>
    </field>
    <field name="Name" type="String">
      <value type="String"><![CDATA[Eric🤩]]></value>
    </field>
    <multiModelField name="Photos" type="ContactPhoto" />
    <multiModelField name="Entries" type="ContactEntry">
      <model type="UserID" id="873a814d-ff21-4994-adf7-xxxxxxxxx" deleted_state="Intact" decoding_confidence="High" isrelated="False" source_index="41239" extractionId="0">
        <field name="Category" type="String">
          <value type="String"><![CDATA[User ID]]></value>
        </field>
        <field name="Value" type="String">
          <value type="String"><![CDATA[14bd076b-b6de-49e8-9474-xxxxxxxxxxxx]]></value>
        </field>
        <field name="Domain" type="String">
          <value type="String"><![CDATA[User ID]]></value>
        </field>
      </model>

These should mirror the fields found in PA or Reader for Contacts. Check out Cellebrite's "Supported models and fields" document that can be found under the "Technical Data Sheet" dropdown within the Physical Analyzer or Reader download areas on MyCellebrite. It is a GREAT resource, that unfortunately hasn't been updated since Dec. 2019 (nudge @Cellebrite), that supplements the user manual in explaining what some of the fields are.

1

Deleted User

Hey. Got a question; My Professor somehow accidentally deleted (with shift+del) their Doctoral works of nearly 2 years now, apparently they've recovered the files but they're corrupt, unable to be read. I told them to not touch the device till tomorrow for safety. What's a good way to recover / fix these files (assuming they're a .txt / .pdf / .doc etc)

#data-recovery But at a high level, remove the drive, stop using it, physical image, then parse/carve and if it has an SSD, fingers crossed TRIM hasn’t hurt you.

just a reminder to watch for Easter Sales : R-Studio Data Recovery : 20% off https://www.r-studio.com/

Trying to get an image of a Garmin DriveSmart 71. Tried imaging on FTK Imager, no dice as FTK doesn't recognize it. Tried imaging as a Mass Storage Device on Touch2, again, no dice. Touch2 won't connect to the device. Tried using the Generic Garmin Profile on Touch2 but still no connection. Anybody have any ideas?

House216

Trying to get an image of a Garmin DriveSmart 71. Tried imaging on FTK Imager, no dice as FTK doesn't recognize it. Tried imaging as a Mass Storage Device on Touch2, again, no dice. Touch2 won't connect to the device. Tried using the Generic Garmin Profile on Touch2 but still no connection. Anybody have any ideas?

Have you tried Axiom? And to confirm you were able to enter diagnostic mode and enable mass storage mode?

Hi all, does anyone know of a program which can transfer files to an iPhone while maintaining the creation date/time and file hash? I know iTunes and AnyTrans won’t. I’m trying to seed data to my validation devices

11:37 PM

Including file name as well would be needed

Specifically to the DCIM folder itself and not any sync folder

Did someone see The Night Agents on Netflix? This reminds me of something hmmmmmm

(edited)

3

1

I have a question about an IceID pcap from malware traffic analysis about is this the right room ?

psudojo

I have a question about an IceID pcap from malware traffic analysis about is this the right room ?

#network-forensics or #malware-analysis

DeeFIR 🇦🇺

#data-recovery But at a high level, remove the drive, stop using it, physical image, then parse/carve and if it has an SSD, fingers crossed TRIM hasn’t hurt you.

No way Trim did not work for 2 years

Yuri Gubanov (Belkasoft)

No way Trim did not work for 2 years

The Doctoral work was over a period of 2 years, not a file which was deleted 2 years ago. That’s how the question is written anyway. (edited)

DeeFIR 🇦🇺

The Doctoral work was over a period of 2 years, not a file which was deleted 2 years ago. That’s how the question is written anyway. (edited)

Ah, got it

Maddino

Did someone see The Night Agents on Netflix? This reminds me of something hmmmmmm

(edited)

And then later they use exiftool!

pug4N6

And then later they use exiftool!

Yes, saw this too. Quite a good technical background for an action series.

Maddino

Yes, saw this too. Quite a good technical background for an action series.

Didn’t they say something about the MasterKey was supposed to be only for law enforcement too?

pug4N6

Didn’t they say something about the MasterKey was supposed to be only for law enforcement too?

I think so. They had a short discussion how she got the "MasterKey"

Maddino

I think so. They had a short discussion how she got the "MasterKey"

^ It was in her severance package from her startup cybersecurity firm lol

Maddino

Did someone see The Night Agents on Netflix? This reminds me of something hmmmmmm

(edited)

I literally did the same thing and sent it to my team. Good show tho

Does anyone from europe here have experience with the le portal from Microsoft? For me, one request for records has been on "in progress" for almost 3 months... Before that, I only submitted priority issues to them and they were ready after a few days... is this normal?!

Does anyone know a way to export chat threads from either Cellebrite or Axiom where IIOC is redacted but a marker is left to indicate what that file has been graded as? Thanks

Does INDXRipper only parse $I30 or does it parse $MFT too?

pinging @Cellebrite & @Magnet Forensics ^^ beansidebean

Digitalferret

pinging @Cellebrite & @Magnet Forensics ^^ beansidebean

Thanks

beansidebean2020

Does anyone know a way to export chat threads from either Cellebrite or Axiom where IIOC is redacted but a marker is left to indicate what that file has been graded as? Thanks

There is an option in the report creation process to 'blur previews for items in illegal categories' but that does not leave an indicator in the generated chat thread of grading.

beansidebean2020

Does anyone know a way to export chat threads from either Cellebrite or Axiom where IIOC is redacted but a marker is left to indicate what that file has been graded as? Thanks

What format are you exporting to?

Any that will work! HTML or PDF ideally but CSV if needed

For the PDF, you will get a tag marker for any tagged message, but no description of the tag (I can bring this feature request to our devs). If you export to Excel, there is column "Tag Note - Instant Message" that will contain the tag name, along with when it was created/modified.

https://www.swgde.org/documents/draft-released-for-comment

SWGDE - Draft Released For Comment

SWGDE encourages stakeholder participation in the preparation of documents. The following documents are draft versions being provided for comment by all interested parties for a minimum period of 60 days. Suggestions for modifications are welcome and must adhere to all requirements as stated in

Is there an appropriate channel for announcing digital forensics hardware for sale?

David Kovar

Is there an appropriate channel for announcing digital forensics hardware for sale?

I'd think here is fine unless @Andrew Rathbun has other plans for a Yard Sale channel haha

3

I have a brand new, in a hard case, CRU Wiebetech Ditto DX up for sale on eBay: https://www.ebay.com/itm/204302732210

CRU Wiebetech Ditto DX - new, in hard case. | eBay

Find many great new & used options and get the best deals for CRU Wiebetech Ditto DX - new, in hard case. at the best online prices at eBay! Free shipping for many products!

stark4n6

I'd think here is fine unless @Andrew Rathbun has other plans for a Yard Sale channel haha

lol dfir-yard-sale, if there's enough demand for it, sure, this server is community-driven!

7

My options seem to be Forensic Focus, CCE mailing list, and eBay. And eBay doesn't really have a DFIR category. I told one of these to a guy just starting out in New Zealand via the CCE list. Not sure how much other DFIR gear is just sitting around in people's closets that might be of interest to people just getting started.

Andrew Rathbun

lol dfir-yard-sale, if there's enough demand for it, sure, this server is community-driven!

could do, with a forum style channel

1

Hello, I made a Windows VM that transfered a malware to a android phone, on the windows machine I then cleared the event logs. I am now currently trying to investigate the Windows event logs on the VM machine through Magnet Examine, is there any event code that is related to connecting a phone through USB? Just to see if I can find any remaining evidence of these two devices connecting (Not sure if that's the correct way to do it) (edited)

Trond

Hello, I made a Windows VM that transfered a malware to a android phone, on the windows machine I then cleared the event logs. I am now currently trying to investigate the Windows event logs on the VM machine through Magnet Examine, is there any event code that is related to connecting a phone through USB? Just to see if I can find any remaining evidence of these two devices connecting (Not sure if that's the correct way to do it) (edited)

check Registry, too. Also, maybe consider USB Detective, too

1

I'll look into that,Thank you! (edited)

Is there a way for alert to trigger IFF there is 0 results? SIEM is Splunk. Here me out. Here is a dummy splunk query trying to show what I am trying to do

index=email_security [search index=email action=delivered [search index=thtreat_intel indicator_type=email | rename indicator as sender | format] | rename sender as from | format]

Threat intel IOC filters on email address, uses the addresses to search in our email for any delivered hits, and then use the result to pass it into my emailsecurity (think armorblox, checkpoint), which doesn’t just scans for known bad IOC (phishing, malware, commercial spam) but takes a behavioral analysis, ML approach to detect and remediate attacks yada yada yada, basically it _should pick up the email (well in theory) that was delivered that was sen in threat_intel. So going back to my question, if there is results, great and well.. bag it and don’t alert on it — this is an indication that email_security did it’s job and mitigated, otherwise if result is empty alert. Any thoughts? Open to better and new ideas that is efficient too. (edited)

Hi everyone. Has anyone encounter any of the scenarios below? 1. SRUM sent bytes is a reasonable approximate to bytes sent seen at the FW level. 2. SRUM bytes sent out does not match the sent bytes at the FW level. SRUM is reporting way less bytes being sent out than the bytes sent out at the FW level. I am particularly interested in scenario #2. Any insights as to why that would happen are appreciated. I am currently working a #2 scenario. I’ve never had both logs present to do a 1:1 comparison. I was under the impression that SRUM was a “reliable” artifact. System has more entries in SRUM after the date of interest. System was rebooted 5 days after the last day of interest. If any other info is needed lmk. Thanks! (edited)

SRUM can be plus or minus an hour depending on database writes.

True. But the times align on both SRUM and FW. Also, the discrepancy is big, ~800GB off. (edited)

SRUM is the backend database for Task Manager, so really the artifacts recorded there are only as accurate as Microsoft coded them to be. I know that's not a great answer, but I guess you have to figure out who you trust more, Microsoft or the FW vendor. Should be pretty easy to test, though. Upload something somewhere and do nothing else for ~61ish minutes and wait for SRUM to update and see how the bytes outbound compare to the file size actually uploaded

Yeah I thought the same thing about who to trust more. I’ll test this a few times to see if it’s repeatable or not. Thanks for your answer!

Hello everybody, i have an ipad pro 12,9 inch 5 gh Generation from 2021. Now i have found a time stamp from May 2020 in the wireless connections. How can this happen? Will this data be synced from another device?

tost

Hello everybody, i have an ipad pro 12,9 inch 5 gh Generation from 2021. Now i have found a time stamp from May 2020 in the wireless connections. How can this happen? Will this data be synced from another device?

Do the wireless connections appear associated with user or system activity? If system, it may be a relic from the manufacturer's provisioning; if user, perhaps the system clock was incorrect, a time zone difference - are the timestamps in local or UTC?

JLindmar (83AR)

Do the wireless connections appear associated with user or system activity? If system, it may be a relic from the manufacturer's provisioning; if user, perhaps the system clock was incorrect, a time zone difference - are the timestamps in local or UTC?

The data is from the com.apple.wifi.known-networks.plist Time stamp is May 2020. The last connection time stamp is from march 2021 and the last automatically connection from march 2023. Perhaps there must have been a sync. It is local time UTC+2 (edited)

I have an android and being parsed from usage stats, I have an entry that states “standby bucket changed” & the package name has an email address of interest. What can I derive from usage stats type of “standby bucket change”? What causes this to happen?

Hello everyone

6:57 AM

I’m a senior student in Bloomsburg University of Pennsylvania

6:58 AM

Studying Data Science and Digital Forensics (double major) and graduating in a month

6:58 AM

It’s so good to be here!

felloffthebarstool98

I have an android and being parsed from usage stats, I have an entry that states “standby bucket changed” & the package name has an email address of interest. What can I derive from usage stats type of “standby bucket change”? What causes this to happen?

Might want to try the decoding channel

Does anyone know a good free software that can parse RAID? Parameters of the RAID is unknown

Anyone have a link to a narcotics keyword list I can run through Axiom?

TIL - ChatGPT4 knows the Crowdstrike REST API.

8:32 AM

I'm guessing Microsoft's security co-pilot is just a facade on ChatGPT4 to extract another $$$ monthly.

Leonidas

Anyone have a link to a narcotics keyword list I can run through Axiom?

Someone else posted this a while back (can’t find original post) and might be of use: https://github.com/SBCyberCop/LawEnforcementResources/tree/main/Cellebrite%20Watch%20Lists

LawEnforcementResources/Cellebrite Watch Lists at main · SBCyberCop...

Resources provided by the community that can serve to be useful for Law Enforcement worldwide - LawEnforcementResources/Cellebrite Watch Lists at main · SBCyberCop/LawEnforcementResources

Leonidas

Anyone have a link to a narcotics keyword list I can run through Axiom?

https://www.dea.gov/sites/default/files/2018-07/DIR-020-17%20Drug%20Slang%20Code%20Words.pdf https://www.dea.gov/sites/default/files/2018-07/DIR-022-18.pdf I would also suggest including any local slang terms.

1

chadbrewbaker

TIL - ChatGPT4 knows the Crowdstrike REST API.

It also knows the virustotal API

chadbrewbaker

I'm guessing Microsoft's security co-pilot is just a facade on ChatGPT4 to extract another $$$ monthly.

Some companies have started to apply policies on using ChatGPT in the practice. Microsoft selling an “enterprise grade” version of the product might sway those against it from reconsidering.

12:09 PM

Although there are some very practical reasons why you wouldn’t want to use it.

JLindmar (83AR)

https://www.dea.gov/sites/default/files/2018-07/DIR-020-17%20Drug%20Slang%20Code%20Words.pdf https://www.dea.gov/sites/default/files/2018-07/DIR-022-18.pdf I would also suggest including any local slang terms.

Thank you!

Deleted User

Someone else posted this a while back (can’t find original post) and might be of use: https://github.com/SBCyberCop/LawEnforcementResources/tree/main/Cellebrite%20Watch%20Lists

Thank you!

1

Hello! I am currently writing my dissertation for my bachelor degree in digital forensics. I done a analyze of the application Spotify on iOS where I located where data is stored and what kind of data you can find. I have written a walkthrough of the data I was able to find. I am now looking for people that wants to take a look at the this guide, you can test it yourself and compare or just have a look at it and provide feedback on your opinion. This is a marking criteria so I really appreciate everyone that wants to take a look at it and give feedback! Just message me or like this post and I will send it! Thanks!

(edited)

1

RDS Hash Sets with Cellebrite PA

Panda

Hello! I am currently writing my dissertation for my bachelor degree in digital forensics. I done a analyze of the application Spotify on iOS where I located where data is stored and what kind of data you can find. I have written a walkthrough of the data I was able to find. I am now looking for people that wants to take a look at the this guide, you can test it yourself and compare or just have a look at it and provide feedback on your opinion. This is a marking criteria so I really appreciate everyone that wants to take a look at it and give feedback! Just message me or like this post and I will send it! Thanks!

(edited)

I did something along those lines if you want a reference for the older version of the app https://thinkdfir.com/2019/01/11/what-did-i-listen-to-on-spotify-for-ios/

Phill Moore

What Did I Listen To On Spotify For iOS?

I had a recent examination where I was asked what music was someone listening to at a point in time on an iOS device. Here’s what I found! (TLDR at the bottom)

2

Panda

Hello! I am currently writing my dissertation for my bachelor degree in digital forensics. I done a analyze of the application Spotify on iOS where I located where data is stored and what kind of data you can find. I have written a walkthrough of the data I was able to find. I am now looking for people that wants to take a look at the this guide, you can test it yourself and compare or just have a look at it and provide feedback on your opinion. This is a marking criteria so I really appreciate everyone that wants to take a look at it and give feedback! Just message me or like this post and I will send it! Thanks!

(edited)

This may be something you can get dfirreview to help with. @b1n2h3x may have an opinion here

randomaccess

This may be something you can get dfirreview to help with. @b1n2h3x may have an opinion here

Thanks @randomaccess . @Panda, if you are looking to@share it and have it peer reviewed - DFIRReview is a great choice. But the process at this point may not be complete for your end of term. DM me and we can discuss

1

Anyone have any classified documents they can share? Asking for a friend....

Tim F

Anyone have any classified documents they can share? Asking for a friend....

I’m all out at the moment. Any of them I had are already in the public domain.

5

@Cellebrite Anyone know what this error is.? I have some colleagues that are accessing UFDRs via a VM and network storage, its been working fine previously, but now they are getting the above error. Anyone know if there is a simple solution or should they open a support ticket?

Majeeko

@Cellebrite Anyone know what this error is.? I have some colleagues that are accessing UFDRs via a VM and network storage, its been working fine previously, but now they are getting the above error. Anyone know if there is a simple solution or should they open a support ticket?

Any time there are exception errors like this would be best to go through support.

CLB-Paul

Any time there are exception errors like this would be best to go through support.

Thanks Paul, I will suggest that to them.

Does anyone here use Azure Sentinel and actually like it?

Ey, are there any ways of extracting contents of a .wim file?

Deleted User

Ey, are there any ways of extracting contents of a .wim file?

mount it?

Yeah figured a minute after I sent the msg

1

static_idle

Does anyone here use Azure Sentinel and actually like it?

Yes and no. Lol

Current challenges in digital forensics

usermobiles

Current challenges in digital forensics

Storage space for extractions from modern digital devices.

2

10:22 AM

Wtf?

10:23 AM

Lmao

You’re on a list

2:51 PM

tost

The data is from the com.apple.wifi.known-networks.plist Time stamp is May 2020. The last connection time stamp is from march 2021 and the last automatically connection from march 2023. Perhaps there must have been a sync. It is local time UTC+2 (edited)

In the plist does it have an ‘AddReason’ key? If it’s an iCloud sync it should say ‘Cloud Sync’.

Any of my fellow forensic homies going to the @Magnet Forensics User Summit this week?!?!

See you there!

dabeersboys

Any of my fellow forensic homies going to the @Magnet Forensics User Summit this week?!?!

See ya Monday!

Patrick.Beaver

See you there!

Looking forward to your Oculus presentation Patrick!

1

@Tim F I asked your company to give me a trial of your product since I’m a student

7:18 PM

They refused

7:18 PM

So sad

7:19 PM

Not very student friendly of them

7:20 PM

I was planning to use it for my final project this semester

DMd you @⭐Jigglypuff⭐

⭐Jigglypuff⭐

Not very student friendly of them

Never occurred to you there was a valid business reason.

⭐Jigglypuff⭐

I was planning to use it for my final project this semester

Perhaps a better approach would have been to compile a list of appropriate tools, approach the vendors for a trial license with a use case (and highlight the benefits for them instead of just your own project), then select a tool? For what it's worth, many of us have dealt with Magnet staff and requested trial licenses for CTFs, personal projects, etc, and they've always been friendly and helpful. Perhaps there was a miscommunication which resulted in your request being denied..

7

rojo

In the plist does it have an ‘AddReason’ key? If it’s an iCloud sync it should say ‘Cloud Sync’.

Thanks for the answer. I have to look on monday when i am back in office.

1

⭐Jigglypuff⭐

@Tim F I asked your company to give me a trial of your product since I’m a student

dude, that smacks to me of trying to shame a co in public. please don't do it again. if you get a refusal from anyone here, please take it gracefully and accept it or communicate your displeasure directly

4

1

⭐Jigglypuff⭐

@Tim F I asked your company to give me a trial of your product since I’m a student

request ours

https://belkasoft.com/trial and put your academic email

If you haven't seen it yet: see the video of Micah Sturgis of Barefoot Professional Investigations testimony relating to the forensic analysis of iOS smartphone's functionality in the Alex Murdaugh case. As it involves iOS it is always worth noting the tech points to see if they cross-correlate with a number of iOS forensic examination books out there. https://rumble.com/v2ba18c-alex-murdaugh-trial-micah-sturgis-defense-cellphone-expert.html

DFIR

Alex Murdaugh trial | Micah Sturgis Defense Cellphone Expert

Trial: Alex Murdaugh Double Homicide Testimony: Cellphone forensic expert witness for the defense Micah Sturgis.

Thank you @Yuri Gubanov (Belkasoft)

9:12 AM

I appreciate it

9:19 AM

Is there anyone in cyber security field here rather than digital forensics?

9:19 AM

I’m graduating in a month and I can’t decide what to pursue yet

9:19 AM

I find cyber security fascinating but digital forensics is fun too

Hey all, I am trying to find an image that has zoom data on it for my forensics class, can anyone help me? I tried to image my own phone but no joy..

⭐Jigglypuff⭐

Is there anyone in cyber security field here rather than digital forensics?

My undergrad was Digital forensics but I’ve been working on a red team for the past few years

⭐Jigglypuff⭐

I find cyber security fascinating but digital forensics is fun too

Generally speaking there will be overlap. If you enjoy more policy making and security process development with threat intel collection and that sort of stuff it’s more in the cyber security area; but so is red team stuff. You can be hands on in both but forensics more so usually.

11:33 AM

It’s worth learning enough about both that you find a clear winner for yourself.

I really wanted to work for the US government but me being a dual citizen is a jeopardy. My family still resides in Turkey. @mooseous

3:10 PM

I was talking to my professor and he said it would be difficult for me to work in NSA considering I still have connections in Turkey

A ton of government positions allow for dual citizens or non citizens on visas even

Isn’t it dangerous tho? What if Turkish government tried to hurt my family cuz I work for The US government

Just not a lot of the positions that deal with certain information or have certain authority

3:11 PM

I’m not sure about the politics of Turkey specifically. My impression is that they wouldn’t care and you should use discretion either way about that kind of work.

I know NSA CIA and FBI are desperately looking for Turkish speaking agents (edited)

It would be an issue if any of your family holds positions there though, depending on the work you’re looking to do.

3:12 PM

I think every agency in every nation just about are looking for multilingual people who want to help.

1

Yeah

3:12 PM

NSA has this lie detector test I heard

3:12 PM

My friends told me horror stories about NSA hiring process

3:13 PM

Like how they ask you if you downloaded music illegally

I’d be wary of anyone claiming to know the process and also those disclosing it.

3:14 PM

Generally people don’t talk about the things.

Maybe they are lying?

3:15 PM

I’m not sure tho

They might be or they might know someone who claimed to know.

Oh damn

It’s also possible they were simply a contractor.

3:15 PM

A lot of people glorify the idea of working at NSA because they want to seem as if they have access

3:15 PM

All that does is endanger them honestly, which is why discretion is usually asked for or preferred.

I agree

3:16 PM

I would like to work for government

3:16 PM

But people scared me off

3:16 PM

Told me if I ever downloaded illegal music as a youngester, stay away (edited)

I wouldn’t even tell people you’re interested, or rather which agencies you’re interested in specifically

I know! I was confused that people shared that information in classroom setting @mooseous

3:19 PM

Like one girl in my class said everyone that she was interning in FBI

3:19 PM

I was like hmm. I thought you weren’t supposed to disclose

3:20 PM

I’d rather keep it secret if I ever get hired

3:21 PM

Also since you are here, @mooseous do you happen to know any free software that does RAID reconstruction? I don’t know the parameters of the RAID but I need to reconstruct a RAID to use it as an image

Unfortunately I don’t, I’m more on the intelligence side of things. OSINT is my jam.

What’s that?

3:22 PM

Oh wow

3:23 PM

I just googled it

3:23 PM

It’s cool

3:23 PM

It looks very complex tho

3:23 PM

Looks like you need to know both cyber security and digital forensics

medusa

Hey all, I am trying to find an image that has zoom data on it for my forensics class, can anyone help me? I tried to image my own phone but no joy..

A mobile image? Have you checked the images made by @CLB_joshhickman1?

⭐Jigglypuff⭐

Like how they ask you if you downloaded music illegally

Anyone who says they've not is either lying or has been cryogenically frozen the past 3 decades. If the government cared that much about people downloading music illegally, the government would have no staff. Rather, it's the largest employer in the US. I have a TS clearance through my time at the US government and I don't recall ever being asked about downloading music

1

Thanks for clarification @Andrew Rathbun

6:51 PM

That was one of the reasons I was hesitant about applying for government positions

6:51 PM

I’ve been literally driven away

6:54 PM

I am a double major student. I am also finishing my Data Science with ML/AI bachelor's degree along with my Digital Forensics degree. I also got minors in Statistics and Information Systems Analytics

6:54 PM

It's been a tough 5 years

6:54 PM

I am hoping to land a job upon graduation

6:54 PM

I also have a bachelor's in Linguistics

6:54 PM

lol

6:59 PM

Im proficient in Python and R and upper intermediate in Java as well

6:59 PM

per required by my degrees

6:59 PM

⭐Jigglypuff⭐

I’ve been literally driven away

There is no reason to avoid applying for any job, pretty much ever anywhere, unless there is a cost involved in applying.

7:38 PM

You either get it, or you don't. It helps you understand and become familiar with any processes, too.

I hope to combine both of my digital forensics and data science skills

Never tell yourself your not qualified for a job either. You may miss out on a great opportunity.

Applying for jobs is a skill just like any other skill. You can be the most qualified applicant in the world but if you don’t know how to communicate that to get past the HR firewall you won’t get hired. Keep trying and keep applying and one day they will say yes.

1

Does anyone use native arch linux with virtualbox? Happens that with the latest lts kernel updates all VMs get stuck at 20% of starting process… Someone experienced that and has a workaround? (edited)

rojo

In the plist does it have an ‘AddReason’ key? If it’s an iCloud sync it should say ‘Cloud Sync’.

The add reason is „Wifi settings“. There are no information with „cloud“ in the plist. But this information not important anymore. I have the information that i have needed. But thanks for your idea. (edited)

1

⭐Jigglypuff⭐

That was one of the reasons I was hesitant about applying for government positions

The answer is no if you don't apply

2

you are guaranteed to miss every goal you don't take a shot at - kinda thing

@Cellebrite anyone available for a PM regarding one of your tools?

1

Tommy

Does anyone use native arch linux with virtualbox? Happens that with the latest lts kernel updates all VMs get stuck at 20% of starting process… Someone experienced that and has a workaround? (edited)

@Tommy, try turning of indirect branch tracking in the kernel at boot (ibt=off). This might work depending on your CPU (later model Intel). I had the same happen with one of my Slackware machines using a custom kernel. (edited)

5cary

@Tommy, try turning of indirect branch tracking in the kernel at boot (ibt=off). This might work depending on your CPU (later model Intel). I had the same happen with one of my Slackware machines using a custom kernel. (edited)

will try it out - thanks!

⭐Jigglypuff⭐

Told me if I ever downloaded illegal music as a youngester, stay away (edited)

Hi, I'm new to this disc. I think someone may have severely mislead you on this particular point. Some people here probably know what I mean when I say, I think you'd be surprised, and I hope that encourages you to apply to govt. positions because they need good people. Have a great day guys

Anyone have issues with Axiom not exporting all the items from Media Explorer that you've selected? I've noticed, even unstacked, that the number of Matching Results and the number I get after I export are not equal. Additionally, when I export an MP4, DMG, or other video file, I only get a .jpg of that item.

⭐Jigglypuff⭐

Told me if I ever downloaded illegal music as a youngester, stay away (edited)

Yeah definitely don't worry about this. I have engaged in more questionable things than piracy in the past, but for gov positions that require a clearance, they generally only care that you're honest about it, that it's in the past, that you're trustworthy and reliable now, and that you can't be blackmailed or manipulated. (edited)

Indeed thanks a lot @v3izy

11:52 AM

I feel more confident to apply government positions now

11:52 AM

I recently became a us citizen too

11:52 AM

So I can get all the clearance I need

11:54 AM

I just had my mock testimony for my digital forensics class. Those testimonies get me nervous

⭐Jigglypuff⭐

Indeed thanks a lot @v3izy

Get used to testifying if you're going to do this for LE!

Are there other departments where I can do more like red hat stuff? @Leonidas

12:44 PM

Rather than testifying

⭐Jigglypuff⭐

Are there other departments where I can do more like red hat stuff? @Leonidas

Not sure, I'd assume some intelligence agencies, CIA or NSA.

I see

12:46 PM

I’m going to invite my college professor here

12:47 PM

He was really interested in this server

12:47 PM

Do you guys allow teachers in this server? @Andrew Rathbun

12:48 PM

Disregard my question I apologize

12:48 PM

I see you do

⭐Jigglypuff⭐

Do you guys allow teachers in this server? @Andrew Rathbun

Yep

Are there any frameworks relating to digital forensics? Assuming ISO 27001 covers most of it.

5:30 AM

If I have to advise someone to keep logs for a particular period, or ask them to keep various types of logs, I would like to match it to sections as per the framework

indianadmin

Are there any frameworks relating to digital forensics? Assuming ISO 27001 covers most of it.

ISO/IEC 17025 covers quality management in forensic testing laboratories, then you've got 27037, 27038, 27040, 27041, 27042, 27043, 30121, and 27050 that all cover DF in some aspect. What kind of "logs" are you thinking? Most likely 17025 would cover that. If you can give me specifics I can point you to a particular section. (edited)

As a company, I want to know what are the best practices that should be followed so that any forensic analysis is possible. For example, I can mandate that critical applications provide authentication logs to the SIEM within 15 minutes. Similarly windows servers should provide event logs among other things for a minimum of 6 months or whatever the period is as per the appropriate standard. Firewall logs should be kept for a max of 1 year.

⭐Jigglypuff⭐

I am a double major student. I am also finishing my Data Science with ML/AI bachelor's degree along with my Digital Forensics degree. I also got minors in Statistics and Information Systems Analytics

You can always be like Halvarflake and go into performance engineering - exact same skill set, just hunting for why code is running slow.

indianadmin

Are there any frameworks relating to digital forensics? Assuming ISO 27001 covers most of it.

RE the ISO 27K standards that @JLindmar (83AR) referenced, this site gives a good rundown of each: https://www.iso27001security.com/html/27050.html

1

Has anyone heard of Magellan Research group? Research firm reached out to me paid compensation to share my knowledge of Cellebrite, GreyShift and AccessData…not going to do to it, seems fishy. But curious if anyone else got it.

Does anyone know life examples using hardware implant like LAN Turtle? Cases from 2022 will be ideal.

Jobbins

Has anyone heard of Magellan Research group? Research firm reached out to me paid compensation to share my knowledge of Cellebrite, GreyShift and AccessData…not going to do to it, seems fishy. But curious if anyone else got it.

Sounds like some business is paying to research the competition ?

Hello everyone

10:01 AM

Happy Tuesday!

Android question: Is it possible to configure the DND profile to let "Unknown caller ID" pass through, like stared contacts? I haven't found any solution to this on Google and if its possible

Does anyone know how to unblur this image, especially the text on it?

bill15025

Does anyone know how to unblur this image, especially the text on it?

I can’t find it right now but dig around on GitHub. There was a repo on there that had a tool that did interpolation with blurred text. However I think only an act of god could recover the text from this image.

perhaps https://github.com/Y-Vladimir/SmartDeblur

GitHub - Y-Vladimir/SmartDeblur: Restoration of defocused and blurr...

Restoration of defocused and blurred photos/images - GitHub - Y-Vladimir/SmartDeblur: Restoration of defocused and blurred photos/images

2

Thanks, I will try this

Anyone here ever play around with pci-leech or TPM sniffing? I've always been curious but never took the plunge. I understand that specialized equipment may be necessary

I remember seeing that article about sniffing the private key from a TPM a year or two back

12:29 PM

As far as I’m aware it’s feasible but highly technical

I was hoping by now there would be a little snap-on "hat" for the chip. I thought I remembered seeing such a device but it may have just some kind of fever dream

If you ever find that please let me know

1

It depends on the motherboard

1:56 PM

but ftpm prevents that

1:58 PM

I always meant to give it a try with used hardware, you mostly need a digital logic analyzer (like a saleae, but there are cheaper clones and lower spec offerings) (edited)

Hi, I have a query regarding Windows OS Forensics course I enrolled on Coursera, My query is that some videos refers to MBR.vhd and GPT.vhd files but there are no links mentioned to download the images from in the platform ( I believe because the course originally belongs to InfoSecinstitute and they will be having links on their website ( which I don't have membership of )) If anyone here has completed this course, please reach out to me, or direct me in the right direction....

SPOILER

Jobbins

Has anyone heard of Magellan Research group? Research firm reached out to me paid compensation to share my knowledge of Cellebrite, GreyShift and AccessData…not going to do to it, seems fishy. But curious if anyone else got it.

I feel like I have. Possibly they run surveys on behalf of other companies (like the various vendors on this channel)

im so bad, i was thinking thats got to be an inkblot behind the [Spoiler] mask

1

wh1sper 🍃

Hi, I have a query regarding Windows OS Forensics course I enrolled on Coursera, My query is that some videos refers to MBR.vhd and GPT.vhd files but there are no links mentioned to download the images from in the platform ( I believe because the course originally belongs to InfoSecinstitute and they will be having links on their website ( which I don't have membership of )) If anyone here has completed this course, please reach out to me, or direct me in the right direction....

Why not just ask either Coursera or InfoSecInstitute regarding the vhd files?

chauan

Why not just ask either Coursera or InfoSecInstitute regarding the vhd files?

yups, already doing it but its taking time

I managed to run tensorflow on M2

8:50 PM

Impressive

@ICAC I was having a conversation at work today about the potential (inevitability?) of AI generated CSAM. I know current publicly available image generators have some safeguards implemented but at some point the floodgates are going to open on that stuff. Beyond the issue of prosecuting simulated CSAM, what are your thoughts on articulating genuine vs "simulated" CSAM in those locations where simulated has not been criminalized? Are there tools to reliably check for hallmarks of AI generated images?

whee30

@ICAC I was having a conversation at work today about the potential (inevitability?) of AI generated CSAM. I know current publicly available image generators have some safeguards implemented but at some point the floodgates are going to open on that stuff. Beyond the issue of prosecuting simulated CSAM, what are your thoughts on articulating genuine vs "simulated" CSAM in those locations where simulated has not been criminalized? Are there tools to reliably check for hallmarks of AI generated images?

Photorealistic images of CSAM are already available, and have been for some time. No AI needed. The answers to your questions of how it will be criminalized can be answered by looking for instances of those cases.. if you can find any. Everyone who’s ever had a federal CSAM case knows that it ultimately depends on the district it’s prosecuted in. Some take it more seriously than others. I think some very few tools have started trying to detect fakes, but not at the scale and volume of the numerous AI generators. Detection reliability will probably depend on which version of AI it can keep up with.

whee30

@ICAC I was having a conversation at work today about the potential (inevitability?) of AI generated CSAM. I know current publicly available image generators have some safeguards implemented but at some point the floodgates are going to open on that stuff. Beyond the issue of prosecuting simulated CSAM, what are your thoughts on articulating genuine vs "simulated" CSAM in those locations where simulated has not been criminalized? Are there tools to reliably check for hallmarks of AI generated images?

It’s also important to remember that even though the images are not real CSAM (and May not be subject to CSAM laws), it’s still considered obscene material. Which are different but very similar laws with very similar penalties. They are not frequently prosecuted because they’re less prioritized, however maybe this will be a popular avenue for prosecutors going forward who are worried about whether the “fake” argument will hold. Obviously this all only applies to the USA. (edited)

@MeGaBiTe @whee30 Federal statues statues state that any images depicting CSAM is illegal even if there is no real victim. That being said even as a federal ICAC investigator I have had issues with prosecution being very weary of pushing this subsection if there is not a real victim due to differences in judges and locations. It however is often used in sentencing to show patterns of behavior.

1

For those UK prosecution and defence experts who are concerned that as single-person businesses (SPBs) or Small to Medium Sized Enterprises (SMEs) who consider that by October 2023 can be excluded from giving or comments on evidence if not registered which requires compliance to ISO17025. I have produced a draft for comment so that it can be raised again, if not to the FSR then maybe the Law Society and/or Bar Council. I am not driving this work merely comments upon posts I keep seeing about the lost or closure for service from SPBs and SMEs.

whee30

@ICAC I was having a conversation at work today about the potential (inevitability?) of AI generated CSAM. I know current publicly available image generators have some safeguards implemented but at some point the floodgates are going to open on that stuff. Beyond the issue of prosecuting simulated CSAM, what are your thoughts on articulating genuine vs "simulated" CSAM in those locations where simulated has not been criminalized? Are there tools to reliably check for hallmarks of AI generated images?

Lets be honest, while reviewing this material, are you examining it that closely to pinpoint that it is fake(AI generated)? Particularly with images, determining one is fake is going to take a high level of scrutiny and most of the time, it is not just a one image case. Playing the odds/statistics, most people who deal with CSAM wouldn't even know (or care for its use purpose) they have a fake image anyway and will likely be contained with actual CSAM. I get it is not optimal for all of us, depending on jobs and roles within those jobs, but part of building the case is finding the CSAM forensically, suspect interview/interrogation, gathering info from NCMEC (cybertip, victim identification, etc.), if applicable p2p information, and so on. Many of the times we are put on to suspects is because of identified CSAM, or a tip that was believed to be CSAM which can be relatively scrutinized ahead of a warrant. But it cannot be understated the importance of getting suspect statements on what the suspect thinks of the material he/she views. obviously a defense attorney can take their time, hire an expert and try to dispute every image. 1. the suspect statement very much goes to state of mind which is hard to counter, especially when genuine images exist 2. disputing every image looks really bad to the jury when your saying "hey this kid getting assaulted is just pretend" as they show the images 3. some state laws don't need to differentiate. i can tell you from my own cases, we had underage victims photoshopped to be made into CSAM and that qualifies as manufacturing CSAM in my state, which is where i would advise my prosecutors to argue AI generated CSAM. My state is more the purpose behind the picture, than the picture solely by itself. a recent appeals case basically said that erotica does not equal CSAM however the law still has the ability to be interpreted as erotica is CSAM when it is with CSAM. it is absolutely new territory but i feel not much will change

@Arman Gungor - Can I DM you a question about FEC ?

From your experience, which digital forensic case management system would use for a small lab? From my initial research it seems that Monolith, xBit and Lima are the main players. Thanks.

Jay528

@Arman Gungor - Can I DM you a question about FEC ?

Sure!

Arman Gungor

Sure!

I sent an email and you answered already. Thank you !

1

forensicres

From your experience, which digital forensic case management system would use for a small lab? From my initial research it seems that Monolith, xBit and Lima are the main players. Thanks.

Plus 1 for Monolith, but I’m a little biased haha. Sign up for a trial on our website and you can take Monolith for a spin.

1

Hi all! I'm searching a in-depth course or resources about digital image/video forensics. Deepfakes (but not only), tampered videos, this kind of things. Any advice? Thanks!

yeoj112689

@MeGaBiTe @whee30 Federal statues statues state that any images depicting CSAM is illegal even if there is no real victim. That being said even as a federal ICAC investigator I have had issues with prosecution being very weary of pushing this subsection if there is not a real victim due to differences in judges and locations. It however is often used in sentencing to show patterns of behavior.

Conversations like this are why I'm so glad we split out all LE roles by country

Tesven

Hi all! I'm searching a in-depth course or resources about digital image/video forensics. Deepfakes (but not only), tampered videos, this kind of things. Any advice? Thanks!

Hey! I'll send you a DM!

whee30

Anyone here ever play around with pci-leech or TPM sniffing? I've always been curious but never took the plunge. I understand that specialized equipment may be necessary

I've done TPM sniffing for bitlocker successfully once via a saleae logic analyzer. The TPM was a QFN package that I couldn't solder to, so I hooked into an SOIC8 chip that was also on the SPI bus. They do sell a clip for this. I'd had no prior experience with a logic analyzer, so there was a lot of trial and error with settings, but I eventually was able to pull out the bitlocker key successfully. There are a few good writeups online that show 95% or so of the process. I also have a lattice icestick to attempt via the LPC bus, but haven't found the time to muddle my way through that method. I also tried 3d printing a clip for a TSSOP TPM package, but had trouble with keeping the pin channels from staying clear of resin. It was a low-priority side project, so I didn't keep at it.

1

Tesven

Hi all! I'm searching a in-depth course or resources about digital image/video forensics. Deepfakes (but not only), tampered videos, this kind of things. Any advice? Thanks!

It may be last minute but… https://www.iacis.com/training/avf-advanced-video-forensics-course/ or https://medexforensics.com/training/

IACIS - AVF: Advanced Video Forensics Course

The Advanced Video Forensics Course (AVF) is a five-day course designed to give investigators, forensic examiners and analysts a deep understanding of

bertramlyons

Training - Medex Forensics

sales@medexforensics.com | 1-917-522-4852 Increase your team's expertise in digital video investigations Medex offers certification and training in basic and advanced digital video authentication and provenance examination, including source detection and modification analysis. Medex Forensics understands that complex digital video files can gene...

1

Anyone attending IACIS BCFE for the first time in just a few days? If you see me, stop me and say Hi. I'm a row coach again this year. (edited)

3

Any Symantec Endpoint Security Users?

11:25 AM

If usb is blocked and files are deleted from it, will it still show mounted device in registry?

@Beercow might be able to provide some expertise

Jobbins

If usb is blocked and files are deleted from it, will it still show mounted device in registry?

Not sure on that one. Are you trying to figure out what usb it was that was plugged in?

Hello all, I have what is probably an easy one for many of you, but I have not been able to find a solution. I do ediscovery but also conduct audits for things like possible HIPAA breaches. I am wondering if there is an open source and free tool that can parse/filter audit logs efficiently. Or even aggregate the audit logs? Or any free open source tool that you may think would be helpful? Any and all advice is much appreciated! I am up to my nose in audit logs!

dozadown

Hello all, I have what is probably an easy one for many of you, but I have not been able to find a solution. I do ediscovery but also conduct audits for things like possible HIPAA breaches. I am wondering if there is an open source and free tool that can parse/filter audit logs efficiently. Or even aggregate the audit logs? Or any free open source tool that you may think would be helpful? Any and all advice is much appreciated! I am up to my nose in audit logs!

If the logs are normalized, perhaps Microsoft's Log Parser?

Thank you Jlindmar! I will look this up now!

dozadown

Thank you Jlindmar! I will look this up now!

If you want a gui for it, check out Log Parser Lizard https://lizard-labs.com/log_parser_lizard.aspx#:~:text=With%20Log%20Parser%20Lizard%2C%20you,on%20all%20versions%20of%20Windows.

Log Parser Lizard gives Microsoft Log Parser 2.2 a great user inter...

Download this ETL log parser for automated SQL querying any text based data or system logs like Web Server logs, Windows System Events and application log files.

Beercow

If you want a gui for it, check out Log Parser Lizard https://lizard-labs.com/log_parser_lizard.aspx#:~:text=With%20Log%20Parser%20Lizard%2C%20you,on%20all%20versions%20of%20Windows.

Microsoft also has/had a GUI with Log Parser Studio: https://techcommunity.microsoft.com/t5/exchange-team-blog/introducing-log-parser-studio/ba-p/601131

Hey everyone, got a quick iPhone question. I have a photo with significant evidentiary value. I have several factors that indicate the photo was taken with the device it was recovered from including exif info matching, filename sequence, os version etc. I need to get as close to 100 percent sure the photo was taken with that phone as I can. The photo was stored in the usual location photos from the devices camera are stored. My question is, if you receive a phot as an attachment or through social media, is the end user able to store the photo to the photo directory on iOS? Or does apple only allow you to store it in a certain location. I know with android you can specify where you want to save files when you download them.

Neon

Hey everyone, got a quick iPhone question. I have a photo with significant evidentiary value. I have several factors that indicate the photo was taken with the device it was recovered from including exif info matching, filename sequence, os version etc. I need to get as close to 100 percent sure the photo was taken with that phone as I can. The photo was stored in the usual location photos from the devices camera are stored. My question is, if you receive a phot as an attachment or through social media, is the end user able to store the photo to the photo directory on iOS? Or does apple only allow you to store it in a certain location. I know with android you can specify where you want to save files when you download them.

Check out PRNU forensics if you have the energy and time (and $$$ to buy sample devices)

CLB-dan.techcrime

Check out PRNU forensics if you have the energy and time (and $$$ to buy sample devices)

Oh that's neat I'll learn about this . I was hoping the answer would be you couldn't save downloads to DCIM though

Neon

Oh that's neat I'll learn about this . I was hoping the answer would be you couldn't save downloads to DCIM though

Basically in simple terms, you buy 9 matching iPhones and take sample pictures and do PRNU on 10 pictures from each phone and then do the same with 10 existing photos on the evidence device... defect pixels in the camera sensors will appear in the same location on each of the pictures... then testify that the chance of the same random pixel appearing in the same location on a different phone is essentially impossible (edited)

CLB-dan.techcrime

Basically in simple terms, you buy 9 matching iPhones and take sample pictures and do PRNU on 10 pictures from each phone and then do the same with 10 existing photos on the evidence device... defect pixels in the camera sensors will appear in the same location on each of the pictures... then testify that the chance of the same random pixel appearing in the same location on a different phone is essentially impossible (edited)

Yeah thats pretty neat. I've never even thought about that being possible

2:25 PM

It makes sense though

Thank you Beercow and Jlindmar! I really very much appreciate it! I am checking these all out tonight!

Neon

Yeah thats pretty neat. I've never even thought about that being possible

I will note that if you have the questioned device to create exemplars from for PRNU analysis it may not require many other exemplars. Will also say that PRNU has gotten more difficult lately as cell phones employ more digital processing of images which reduces the sensor pattern noise relied on by PRNU. Not saying not to try, just mentioning for context.

Brandon E

I will note that if you have the questioned device to create exemplars from for PRNU analysis it may not require many other exemplars. Will also say that PRNU has gotten more difficult lately as cell phones employ more digital processing of images which reduces the sensor pattern noise relied on by PRNU. Not saying not to try, just mentioning for context.

We don't deal with this very often, we wouldn't have much use for it. It is a cool technology though. I wasn't even aware it existed. Now I'm going to go down a rabbit hole of learning

SBcyberCop started a thread. 4/20/2023 4:04 PM

Beercow

Not sure on that one. Are you trying to figure out what usb it was that was plugged in?

Yeah - didn’t see it under mounteddevices. But did find the guid in the alert then matched the guid to a drive in USBStor

Jobbins

Yeah - didn’t see it under mounteddevices. But did find the guid in the alert then matched the guid to a drive in USBStor

I was going to mention that. If you ever need a tool to parse the logs on the endpoint. https://github.com/Beercow/SEPparser

GitHub - Beercow/SEPparser: Script for parsing Symantec Endpoint Pr...

Script for parsing Symantec Endpoint Protection logs, VBNs, and ccSubSDK database. - GitHub - Beercow/SEPparser: Script for parsing Symantec Endpoint Protection logs, VBNs, and ccSubSDK database.

8:11 PM

Or any of your Symantec needs. https://malwaremaloney.blogspot.com/p/all-things-symantec.html (edited)

All Things Symantec

This post contains information on my research into Symantec Endpoint Protection logs, quarantine, and ccSubSDK files. Content will be update...

Beercow

I was going to mention that. If you ever need a tool to parse the logs on the endpoint. https://github.com/Beercow/SEPparser

Awesome, thank you!

Getting real sick of Meta suspending my test accounts. They’ve closed down 3 out of 5 of them I was going to use for validation testing. Any one have any idea how to prevent this from occurring?

obi95

Getting real sick of Meta suspending my test accounts. They’ve closed down 3 out of 5 of them I was going to use for validation testing. Any one have any idea how to prevent this from occurring?

Are you using a VPN ? (edited)

DCSO

Are you using a VPN ? (edited)

Nope just using normal WiFi uploaded 1 picture and followed 3 accounts and didn’t even message anyone or anything yet

obi95

Nope just using normal WiFi uploaded 1 picture and followed 3 accounts and didn’t even message anyone or anything yet

It might be associating your IP address to Gov or state agency and booting you, just a random guess. Try using a VPN or covert line.

Can anyone please give me some guidance how to find the real name of user of this twitter account :https://twitter.com/jeiffara36503?t=quGmJabhjktiOCf-fZSMnw&s=09 Thanks guys, any hint how to achive this will help

Snofear

Can anyone please give me some guidance how to find the real name of user of this twitter account :https://twitter.com/jeiffara36503?t=quGmJabhjktiOCf-fZSMnw&s=09 Thanks guys, any hint how to achive this will help

how would you do that if even Twitter don't check for real names? unless you can bring legals to bear and start chasing down IP addresses, (private hidden) mobile numbers etc (edited)

2:52 PM

i mean, you could always mention them and ask, but if they aren't wanting to be known ... /shrug (edited)

Twitter will not reveal information unless via a legal request possibly only from LE and even then its possibly for someone to use a false name.

Wrote a script that converts the RDSv3 .db files into RSD 2.xx Text File Format if anyone is interested. #deleted-channel

1

Digitalferret

i mean, you could always mention them and ask, but if they aren't wanting to be known ... /shrug (edited)

Yes i know that... it is a challenge for CTF event

Asking for a friend. What can I do to sort per conversation group and extract text from screenshots if there are 1) too many screenshots 2) multiple groups and 3) DB contained no messages at all...

3:08 PM

I know manually sort and OCR works...but wanna know if there is a easier way...

3:09 PM

Screenshots are mixed of WhatsApp/SMS/Messenger

Snofear

Yes i know that... it is a challenge for CTF event

you might have said. what other info have you? and #challenges-and-ctfs would be the place (edited)

Snofear I would run the username through dehashed, spiderfoot, and maltego to see if you get any hits. May not show anything... But...you never know

3:42 PM

I just read CTF event, so never mind sorry!

@Digitalferret @dozadown thanks for that.... this is the whole description: Hello agent, we want to look for someone who manages a cyber cafe and uses some of that gaming stuff to contact his victims only thing we could find is this 76561199495313518 can you find us his real name? from there, lead goes to that link: https://steamid.io/lookup/76561199495313518 and from there to https://steamcommunity.com/id/TheSASO25/ and if you look to groups he joined you came across this poem : https://steamcommunity.com/groups/GamersForEverrrr/discussions/0/3825286682757961164/ that leads to that Twitter name and from there i don't know what else to do...https://twitter.com/jeiffara36503?t=quGmJabhjktiOCf-fZSMnw&s=09 if you have any info. where else to look and do i would be greatfull

STEAM_0:0:767523895 - STEAMID I/O

steamID output for STEAM_0:0:767523895 (76561199495313518)

Steam Community :: SASOOO

Interesting lyrics from SASOOO :: GamersForEverrrr

HAHA I'm THE BEST OF ALL. I'm staring at the stars tonight, Wondering if you're out jhere too. I know we're worlds apart, but meybe, Just maybe, we'll find a way through. I'll keep hilding on, To the hope that we'll meet someday. And I'll keep singing this song, Until we find our way. Cause lofe is a journey, That takes us to the sfars. And I'll...

Geohot? George Holtz? Turkey? That's all I got from the lyrics. Lol I am just pulling at straws though

silly question, would Carlos Jeiffara @jeiffara36503 not be whta they are lookin g for? like that's the end of the trail you just walked? (edited)

2

i already got twitter account from poem...if you look for mistakes from that poem like the first one: (j)here you take j and then you go for next one m(e)ybe: its e you eventually get jeiffara36503.. now it is something else it needs to be looked to find out real first and last name.. here it is where i dont realy now what to do

3:57 PM

yes from here you need to somehow find the right name

3:57 PM

i am lost

3:58 PM

and yes Carlos Jeiffara is not the right name

sounds like torture. have you considered other ways to entertain yourself?

3

You are going to get me sucked into this lol

3

4:04 PM

If it was not a CTF it would be much easier. This person is covering their tracks lol

4:04 PM

You may need to visit republic of hackers on discord to get some ideas

yea i thought of giving up.. it's quite a hard challenge but I will try harder haha @dozadown thanks for info. i will look into it

Snofear don't give up! And please let us know how you figured it out! You got this!

Are there any good free alternatives to magnet axiom on mac?

12:51 AM

Asking for a friend who has Mac. I currently have axiom installed on my windows box

tapatiosec

Asking for a friend who has Mac. I currently have axiom installed on my windows box

Unfortunately, all major commercial tools are tied to Windows.

tapatiosec

Are there any good free alternatives to magnet axiom on mac?

maybe start with what you are trying to acheive and then ask about free/FOSS tools?

dozadown

Snofear don't give up! And please let us know how you figured it out! You got this!

ohh waybackmachine, all i can say

1

Any good resources for practising event log analysis?

LαȥყTσɯɳTҽƈԋιҽ★

Any good resources for practising event log analysis?

https://youtu.be/mCfkFO0xs34

13Cubed

Event Log Forensics with Log Parser

Also note that Timeline Explorer can open any CSV (log) file

Why would an identical file saved in a different directory have a different hash value?

Jaegger

Why would an identical file saved in a different directory have a different hash value?

because they arent identical?

2

What's identical about the files? The filename? Content matters when it comes to hashes

verify yourself by copying a file to two directories and run the command

Does that particular method of hashing factor in the file path? Probably a stupid question but if they are truly 1:1 identical files then I can't think of any other reason why they'd have different hashes

Andrew Rathbun

Does that particular method of hashing factor in the file path? Probably a stupid question but if they are truly 1:1 identical files then I can't think of any other reason why they'd have different hashes

path, doesn't matter, i just tested to verify

1

Andrew Rathbun

What's identical about the files? The filename? Content matters when it comes to hashes

The data on the files are identical only saved in 2 different directories

Jaegger

The data on the files are identical only saved in 2 different directories

test it then by opening a cmd window in each directory and run on the file

1:41 PM

if the hashes are the same then there's an issue maybe in how you issued the command, as AR said, but for my test, it shows the same hash

1:42 PM

wups , just deleted wrrong msg my abd

1:43 PM

[ @Andrew Rathbun -Wondered if it was like Prefetch where command line arguments are factored in the hash] (edited)

Jaegger

The data on the files are identical only saved in 2 different directories

how would you test that they are identical, to come to that conclusion?

one can always try diff command

BzdoOREK

one can always try diff command

ssssshhhhhhhhhhhh! lol

1:51 PM

File Compare on windows / diff on Linux

Could by an internal metadata modification

Jaegger

The data on the files are identical only saved in 2 different directories

Not to be hung up on semantics, but they’re not the same file. You appear to want them to be the same file, and you want an explanation as to why they would produce different hash values.. which is simple, because they are different files. Those files contain differing data, resulting in a different hash value. Can you explain a little bit more about how they were produced, why they’re in different locations, etc? That would help the rest of us try and understand what’s happening without making a range of (likely) incorrect assumptions. For example, if you’ve downloaded the for an assignment, is it possible the download/transfer process itself was interrupted and the file is incomplete or modified in some other way? Do you have a hash value from the source which you can compare it with? Or if you’re transferring/copying/duplicating files on your own machine and it results in a different hash, maybe you have a failing drive with read/write issues. Again, who knows, these are all assumptions.

Hi everyone, I am planning to create a home lab for malware analysis and digital forensics. I am not entirely sure where to start. Can anyone recommend any good resources to start off with? Thanks in advance.

SaltedEgg

Hi everyone, I am planning to create a home lab for malware analysis and digital forensics. I am not entirely sure where to start. Can anyone recommend any good resources to start off with? Thanks in advance.

For malware it's probably better to ask in #malware-analysis. I'd suggest a separate VM for malware analysis, separate from doing digital forensics

Andrew Rathbun

For malware it's probably better to ask in #malware-analysis. I'd suggest a separate VM for malware analysis, separate from doing digital forensics

Thanks

FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed! | Mandiant https://www.mandiant.com/resources/blog/flare-vm-the-windows-malware

FLARE VM: The Windows Malware Analysis Distribution You’ve Always N...

1

11:42 AM

or https://remnux.org

Hello everyone, I'm attempting to reverse engineering an app in the case of IP infringement (source code leak.) Let's suppose the app is using TLS pinning bundled into the application source code. Could you reverse engineer the app by using JADX (only if it's obfuscated) could you create a forged CA to match the root CA within the apps code base and potentially intercept the apps traffic via charles or mitmprox ? (edited)

does anyone know where can i find more information about Apple/iOS Biome? Also, is the pronunciation "bi-oh-me" or "bio-mee" or neither?

trillian

does anyone know where can i find more information about Apple/iOS Biome? Also, is the pronunciation "bi-oh-me" or "bio-mee" or neither?

https://bluecrewforensics.com/2022/03/07/ios-app-intents/ i found a specific forensics article breaking down how some of the biome stuff works. and i assume they want it pronounced as bi-ohm, same ending as home or chrome

1

6:21 AM

https://www.magnetforensics.com/blog/bringing-it-back-with-biome-data/ oh and looks like magnet wrote it up recently too cat_smile

1

Both Magnet AXIOM and Cellebrite Physical Analyzer started decoding Biome data. A good software to look at the raw files is "Mushy" by Ian Whiffin (https://doubleblak.com/).

1

$CozyBear

Hello everyone, I'm attempting to reverse engineering an app in the case of IP infringement (source code leak.) Let's suppose the app is using TLS pinning bundled into the application source code. Could you reverse engineer the app by using JADX (only if it's obfuscated) could you create a forged CA to match the root CA within the apps code base and potentially intercept the apps traffic via charles or mitmprox ? (edited)

If it‘s about the traffic have a look at frida (https://frida.re/docs/android/). You will need to have an android virtual device with your own certificate and patch the apk. There are several other ways to do it. If that‘s what you‘re looking for we could dig deeper (edited)

1

What do you all do for storing forensic cases long term?

Jason

What do you all do for storing forensic cases long term?

This is a topic that interests me - and one I struggled with when I was still in LE. Our state evidence retention requirements for felony level cases ranged from 25 years to indefinitely. The lab I was in also supported all criminal appeal cases which meant we sometimes had to go back in the evidence room and find that dusty, old, cobweb covered case from long, long ago, which had been archived to a media type nobody had seen since MTV still played actual music

So depending on how long you mean by "long term" and volume of data, I have different suggestions. (edited)

chriscone_ar

This is a topic that interests me - and one I struggled with when I was still in LE. Our state evidence retention requirements for felony level cases ranged from 25 years to indefinitely. The lab I was in also supported all criminal appeal cases which meant we sometimes had to go back in the evidence room and find that dusty, old, cobweb covered case from long, long ago, which had been archived to a media type nobody had seen since MTV still played actual music

So depending on how long you mean by "long term" and volume of data, I have different suggestions. (edited)

7 years +

trillian

does anyone know where can i find more information about Apple/iOS Biome? Also, is the pronunciation "bi-oh-me" or "bio-mee" or neither?

here: https://blog.d204n6.com/search/label/Biomes?m=1

D20 Forensics

1

9:28 AM

and use ileapp or aleapp

Jason

7 years +

There's a lot of variables depending on number and size of cases, case type, etc. and no singular approach, but what worked for me was a tiered approach. Each workstation had a local RAID for evidence files in active use and a drive for case files. Those got pushed to a NAS every Friday night, so data loss was a week (at most) if something happened. This NAS went to tape monthly. When an examiner was done actively working on a case, everything was stored together on a second NAS that was used to store those files for quick retrieval until the case was adjudicated - also helpful when new things popped up or to answer follow up questions about a case since everything was located together in a parent folder named for the case and readily accessible. This NAS also went to tape. Once adjudicated and depending on size, it either went to LTO tape or an archival-grade media (like M DISC), where it could happily live out its evidence retention requirements. I hate tape but hate re-imaging and re-doing casework even more. I'm also not a fan of storing something on a hard disk and throwing it in a box and expecting that drive to work in five or ten years. Archival-tier cloud storage for data you don't expect to need access to but need to keep for compliance is something worth considering.

chriscone_ar

There's a lot of variables depending on number and size of cases, case type, etc. and no singular approach, but what worked for me was a tiered approach. Each workstation had a local RAID for evidence files in active use and a drive for case files. Those got pushed to a NAS every Friday night, so data loss was a week (at most) if something happened. This NAS went to tape monthly. When an examiner was done actively working on a case, everything was stored together on a second NAS that was used to store those files for quick retrieval until the case was adjudicated - also helpful when new things popped up or to answer follow up questions about a case since everything was located together in a parent folder named for the case and readily accessible. This NAS also went to tape. Once adjudicated and depending on size, it either went to LTO tape or an archival-grade media (like M DISC), where it could happily live out its evidence retention requirements. I hate tape but hate re-imaging and re-doing casework even more. I'm also not a fan of storing something on a hard disk and throwing it in a box and expecting that drive to work in five or ten years. Archival-tier cloud storage for data you don't expect to need access to but need to keep for compliance is something worth considering.

Thank you for this. I was thinking along the lines of Tape and debating archive storage for retention

1

First time imaging an android, using Magnet Axiom, how long should it take? Samsung Galaxy S21

you can try magnet acquire to

sorry, yes I am using magnet acquire to do it.

11:48 AM

it's going on 2 and 1/2 hours so far

medusa

it's going on 2 and 1/2 hours so far

Depends on how large the devices storage is. Can take from 2 hours to 12 hours in my experience.

1

okay, thank you. it is 128 gbs.

1

so it's going to take some time... but it's free

1

Hey is there any sort of like WHOIS/ARIN lookup service for non-LE that can figure out if a crypto wallet is held in a major US exchange that would have KYC data for sending off a subpoena/SW?

Hello thank you for the add. I am excited to learn more.

4:25 PM

I hope to get a job doing this.

FunkeDope

Hey is there any sort of like WHOIS/ARIN lookup service for non-LE that can figure out if a crypto wallet is held in a major US exchange that would have KYC data for sending off a subpoena/SW?

You can try Breadcrumbs which if you get lucky will indicate an Exchange along the TX chain: https://www.breadcrumbs.app/

Breadcrumbs - Blockchain Investigation Tool

Breadcrumbs is a blockchain analytics platform accessible to everyone. It offers a range of tools for investigating, monitoring, tracking and sharing relevant information on blockchain transactions.

what do you all do when you have a phone that is going through password breaking (premium/GK/etc) for an extended period of time/years and the battery significantly swells? lets say to the point of the screen coming up.

2

@Law Enforcement [UK] Question: who here read the recent Baroness Casey report? https://www.met.police.uk/police-forces/metropolitan-police/areas/about-us/about-the-met/bcr/baroness-casey-review/ I'm deeply curious about how the culture issues described in the report may or may not have factored into efforts over the years, especially recently, to have more frontline officers hands-on with digital evidence and victim response. I.e. technology seen as a solution to austerity measures at the expense of training and other elements of complex responses? Also how these culture issues might have factored into the Forensic Science Regulator's report(s) and/or broader standardization efforts? Please forgive me if I'm overgeneralizing, I'm US-based and so I'm not sure if I'm correctly piecing together fragments I've received over the years (another being the 2021 issues with disclosure)...

The Baroness Casey Review

Read about the Baroness Casey Review of Met culture and standards of behaviour.

kmacdonald1565

what do you all do when you have a phone that is going through password breaking (premium/GK/etc) for an extended period of time/years and the battery significantly swells? lets say to the point of the screen coming up.

If you've got an iPhone, definitely remove the screws next to the charge ports. The screen will eventually lift but it seems to relieve some of the short term pressure a swollen battery puts it under. Unfortunately everything else is on a case by case basis. Most Androids pop their back covers themselves over time if the battery starts to swell.

kmacdonald1565

what do you all do when you have a phone that is going through password breaking (premium/GK/etc) for an extended period of time/years and the battery significantly swells? lets say to the point of the screen coming up.

Luckily with GK you can just pop battery from connectors and it will restart from where it was, when another battery is entered. Premium however is not as friendly let's say. It will restart the brute force, however there is no reason you cannot contact cellebrite for their dictionary and remove the codes already tried. It's obviously easier if it's a user inputted dictionary as you can manually remove the codes tried. (edited)

1

We have a 120 day policy in our force. It's unlikely for a device that's submitted for a 4-6 digit pin unlock to take longer than that

8:30 AM

Even so, 120 days isn't enough for a battery to suddenly go haywire and explode on us

We have had some going for years, no policy with that regard, but we can talk about that for sure. 6 digit iPhones can take a while for sure. thank you all for your input.

What job do you think I qualify for? Took have GCFR, GCDA, GCFA, GCFE, GREM, Splunk Core User, Sec+, Net+, A+ and a BS in CompSc. I am in the military and took courses i believed had the most useful depending on my job. I always saw myself as a IR lead. That is what I do now. (edited)

a better question is probably what job do you want

What he said lol

Rick

What job do you think I qualify for? Took have GCFR, GCDA, GCFA, GCFE, GREM, Splunk Core User, Sec+, Net+, A+ and a BS in CompSc. I am in the military and took courses i believed had the most useful depending on my job. I always saw myself as a IR lead. That is what I do now. (edited)

The certs are great but probably get grilled on actual experience in those areas, lead might be a stretch right out but excellent team member working towards the lead (edited)

kmacdonald1565

We have had some going for years, no policy with that regard, but we can talk about that for sure. 6 digit iPhones can take a while for sure. thank you all for your input.

If you have a phone running for years, maybe it's interesting to update the client on that phone. Sometimes it helps to speed up things

tklane

The certs are great but probably get grilled on actual experience in those areas, lead might be a stretch right out but excellent team member working towards the lead (edited)

The only thing I dont have a lot of experience is cloud forensics, though we did forensics on a hypervisor once.

a hypervisor doesn't necessarily have anything to do with "cloud forensics", which most people interpret as forensic analysis of cloud providers such as AWS, GCP, Azure, Cloud-based Services like Box/DropBox/SalesForce, etc. (edited)

1

6:29 AM

I actually hate the term cloud forensics because it makes people think there is some major distinctions between examining a host onprem and examining an AWS EC2 instance - same concepts, same types of tools, just different approaches/logging/availability/restrictions/etc (I'm aware there are also major differences in certain areas such as the underlying infrastructure, possibilities for escalation/lateral movement/implications/etc). I also want to add here that of course there are some huge concepts to learn and understand with respect to analyzing things like AWS Cloudtrail data - but I guess to me, that's no different than analyzing your own internal application logs - you have to have a deep understanding of how the providing application functions and integrates in it's ecosystem (edited)

1

Mr.Robot

If you have a phone running for years, maybe it's interesting to update the client on that phone. Sometimes it helps to speed up things

some may qualify for that for sure, but with no policy or procedure in place we really only look if it is requested by investigators or needed for court

kmacdonald1565

some may qualify for that for sure, but with no policy or procedure in place we really only look if it is requested by investigators or needed for court

Totally understand that! On our place we have a Excel / Word sheet with all bruteforce listed. On that sheet we see all the important information like os version. When we see there is new update which improve some things, we take a look at that list and see which bruteforce needs an update. Can save a lot of time sometimes

I have a question I was hoping someone could help me with. A member in my circle on life360 app has an iPhone SE, alot of time the 360 updates, it'll be hours before "Find my phone" under devices will update or match life 360. How does this happen? Is this an indication of spoofing the gps somehow? T.I.A.!

Hey all, not sure where to look but I've been in forensics a long time and I'm still working with my forensic tools on local boxes. I'm looking into building forensic investigation environment in Azure and want to spin up a machine per investigation. Are there any resources out there I can use to set this up ?

💀Raggnar💀

I have a question I was hoping someone could help me with. A member in my circle on life360 app has an iPhone SE, alot of time the 360 updates, it'll be hours before "Find my phone" under devices will update or match life 360. How does this happen? Is this an indication of spoofing the gps somehow? T.I.A.!

I’m not familiar with life360 but could it just be that the different apps involved have different GPS permissions, eg ‘use always’ vs ‘only when using app’ and also precise location allowed?

💀Raggnar💀

I have a question I was hoping someone could help me with. A member in my circle on life360 app has an iPhone SE, alot of time the 360 updates, it'll be hours before "Find my phone" under devices will update or match life 360. How does this happen? Is this an indication of spoofing the gps somehow? T.I.A.!

Also, is find my phone a ‘when asked app’ - it’ll only update when someone uses the app to ask where the device is?

Blacklynx

Hey all, not sure where to look but I've been in forensics a long time and I'm still working with my forensic tools on local boxes. I'm looking into building forensic investigation environment in Azure and want to spin up a machine per investigation. Are there any resources out there I can use to set this up ?

https://github.com/swimlane/CLAW

GitHub - swimlane/CLAW: A packer utility to create and capture DFIR...

A packer utility to create and capture DFIR Image for use AWS & Azure - GitHub - swimlane/CLAW: A packer utility to create and capture DFIR Image for use AWS & Azure

1

Apologies to all and especially @Law Enforcement [UK] for the entirely random question about the Baroness Casey report the other day. It was far from the first awkward group interaction I've ever initiated, but I should have contextualized the question. For those who don't know me, I worked in DFIR vendor marketing for many years and more recently DFIR journalism (which is actually where I started my career). As a non-practitioner I lurk a lot, but I'm looking to change that, hopefully a lot less awkwardly. At any rate, my latest project is a Medium publication examining the intersection between tech and the law. You can catch our first newsletter here https://medium.com/forensic-horizons/april-2023-the-way-things-have-always-and-never-been-done-4d87752192ea (including a brief mention of the Casey report) -- would love comments, suggestions, subscribers, etc. if this project is of interest!

April 2023: The Way Things Have Always, and Never, Been Done

Where tech and the law meet over the horizon lie dragons: the unknown of what it all means to society. Follow us as we navigate!

1

Hi does anybody know if it’s possible to compromise a printer to distribute malware and if it posible to do a forensic analysis to a printer??

mdogilvie

Hi does anybody know if it’s possible to compromise a printer to distribute malware and if it posible to do a forensic analysis to a printer??

yes - printers are just another computer at the end of the day. forensics really depends on your level of access and the hardware/software being run but anything is possible.

1

busted4n6

Also, is find my phone a ‘when asked app’ - it’ll only update when someone uses the app to ask where the device is?

No, its a find my device app. Basically I'm suspecting someone of using a burner device for life 360, and turning off location services on the actual iPhone. Just need somebody that's really tech savvy to confirm this is possible, or I'm just losing my mind lol. Alot riding on this.

💀Raggnar💀

No, its a find my device app. Basically I'm suspecting someone of using a burner device for life 360, and turning off location services on the actual iPhone. Just need somebody that's really tech savvy to confirm this is possible, or I'm just losing my mind lol. Alot riding on this.

is this for a personal thing (family member) or a professional thing?

Personal, family..

I'm looking to network with individuals who are criminal analysts with smaller sized agencies (125 or fewer officers) to learn more about your daily work, tools you use, and what type of analysis you typically end up doing. This may not be the appropriate place for this, but I like shooting buckshot at a problem then narrowing down from there.

1

💀Raggnar💀

No, its a find my device app. Basically I'm suspecting someone of using a burner device for life 360, and turning off location services on the actual iPhone. Just need somebody that's really tech savvy to confirm this is possible, or I'm just losing my mind lol. Alot riding on this.

this has come way away from your intro in new members for iPhone troubles and data recovery, has it not? (edited)

Digitalferret

this has come way away from your intro in new members for iPhone troubles and data recovery, has it not? (edited)

Well, when you put it like that, Yes I suppose. But I figured it is a tech question none the less so thought I'd ask. If not allowed I apologize.

💀Raggnar💀

Well, when you put it like that, Yes I suppose. But I figured it is a tech question none the less so thought I'd ask. If not allowed I apologize.

it's actually starting to sound like you are trying to track someones whereabouts and want to know if they know and are trying not to be tracked?

I'm trying to use a program called autopsy but im having a few problems. When I load it up and try create a new case it feels really slow and sluggish. The same happens with any interaction with the UI. And also when I want to open a existing case it takes forever to navigate the file dialog window. So I'm wondering if anyone else has experienced this.

Digitalferret

it's actually starting to sound like you are trying to track someones whereabouts and want to know if they know and are trying not to be tracked?

That is absolutely correct. I have a teenage daughter in a ridiculous world. I hope you can understand.

indeed. is it her phone or someone stringing her along?

No idea. I believe she's far smarter than she makes herself out to be. Just a ton of odd coincidences way to often and I've been studying up on spoofing and from what I can tell, it is alarmingly possible. That, scares the crap out of me.

so, i'd suggest stopping what you are doing right now, in terms of tracking or whatever. it's quite possible you are breaking the law, country dependent of course.

4:51 PM

i'd also suggest looking up professional help/services/sympathetic friend to find out if she is safe

4:51 PM

and urgnecy/suspicon dependent, possibly LE if the "other guy" has "reputation

4:52 PM

unfortunately we cannot go any further here, because we could be complicit in helping you break the law

4:53 PM

i must say i completely sympathise/empathise, I'd go berserk. but don't make matters worse for yourself and end up being the one in court

Oceanboi

I'm trying to use a program called autopsy but im having a few problems. When I load it up and try create a new case it feels really slow and sluggish. The same happens with any interaction with the UI. And also when I want to open a existing case it takes forever to navigate the file dialog window. So I'm wondering if anyone else has experienced this.

tried https://www.sleuthkit.org/autopsy/docs/user-docs/4.0/performance_page.html ?

hey there

5:02 PM

I was wondering if some people could help me understand a jpeg compression signature

Digitalferret

tried https://www.sleuthkit.org/autopsy/docs/user-docs/4.0/performance_page.html ?

Looked at it but seems to be optimizing for file ingestion, the problem I have is it takes forever to click or do anything :/

basically I want to understand what it means. I used jpegsnoop on a file

5:02 PM

5:03 PM

When I google the signature I get other files that have the exact same signature but I'm not sure what process they all go through to get that signature

5:03 PM

I know for a fact the picture was taken on a phone but the compression signature suggests it was taken on a sony cybershot u camera ?

5:03 PM

And likewise with the other photos I googled with the same signature, none of them were actually taken on a sony cybershot u camera

Oceanboi

Looked at it but seems to be optimizing for file ingestion, the problem I have is it takes forever to click or do anything :/

Autopsy is a pig when it comes to memory consumption. What are the specs of the machine you’re running it on? How much memory is autopsy using?

16gb ram, Ryzen 7 5800x and nvme ssd (edited)

6:49 PM

Iirc task manager said about 40% was being used in total by the system.

6:50 PM

Autopsy was using about 500mb with no case loaded

6:55 PM

There was also an error in the logs saying solr service failed to respond to status request. Which was being used by the keyword search plugin from what I could find. So I disabled that plugin but made no difference (edited)

6:57 PM

Tried downgrading from 4.20.0 to 4.19.3 but same issue (edited)

Is anyone familiar with methods of associating phishing websites with the attack group/product? I find there is a very frequent number of phishing campaigns that have the same landing page/source, but are too new to be found in any threat feed. It would be nice if I could tie them to a specific kit or phishing as a service.

iargue

Is anyone familiar with methods of associating phishing websites with the attack group/product? I find there is a very frequent number of phishing campaigns that have the same landing page/source, but are too new to be found in any threat feed. It would be nice if I could tie them to a specific kit or phishing as a service.

I think the problem here is how loosely the phish kits are deployed, there's a ton of re-use between different groups. It's not uncommon at all as an analyst to find their zip archive on compromised websites by traversing one directory up. If you are able to grab the php sourcecode through previously mentioned zip it will indicate what e-mail address is receiving the phished data (or telegram service, file, etc) (edited)

Hope this is the right room. I'm hoping someone can explain how the relationship between the iPhone message retention setting and deletion date of messages works?

7:20 AM

Say I have messages from 6 months ago, and I set the retention setting to 30 days, would all messages outside of this period be deleted with an identical deletion date?

In addition, do these messages still remain as marked for deletion for 30 days like usual before vacuum?

@Moderators Can I post a link to my Github project that I created. It converts the RDSv3 to CSV files.

SBcyberCop

@Moderators Can I post a link to my Github project that I created. It converts the RDSv3 to CSV files.

Yes - recommend posting in the channel: #dfir-open-source-projects

2

5:56 PM

Thank you for sharing with the community!!

1

[Digital Forensics] WPS Office another cloud based office service available. Got back into the office to find a new download office suite made available run in the cloud. Yet another stop off point for digital forensics to investigate! #law enforcement #digital forensics #dfir #cybercrime #barristers #solicitors #digital #evidence #office suite #office365administration

Have a few Mac devices and had a best practice question. I know disk 1 is usually physical drive disk 2 in my case at least is the APFS container and disk3 is the synthesized APFS drive combo of 1 and 2. Which is the best practice to image...no encryption in this case

Two questions - 1) We would like to move away from carbon triplicate evidence receipt books, is anyone using an electronic solution for evidence receipts / chain of custody forms? 2) What are you using for a team knowledge base, we utilise M365 so SharePoint would be one option. TIA (edited)

return2zero

Two questions - 1) We would like to move away from carbon triplicate evidence receipt books, is anyone using an electronic solution for evidence receipts / chain of custody forms? 2) What are you using for a team knowledge base, we utilise M365 so SharePoint would be one option. TIA (edited)

maybe echo in #policies-and-procedures

1

Anyone have any advice on getting a seat at NCFI?

SBcyberCop

Anyone have any advice on getting a seat at NCFI?

Do your FPRs, put in for everything, take what you can get, and don’t hold your breath for MDE, BCERT, or NITRO. If you are not on the FPR system yet it should be easier to get into a virtual class/presentation over an in person class.

1

SBcyberCop

Anyone have any advice on getting a seat at NCFI?

Introduce yourself to your Secret Service RAC. Also put in for online classes. You are more likely to get more competitive classes if you have taken a class before and fill out FPR’s.

1

Where can I get more information about circuit boards and electrical understanding

Ahmedl21

Where can I get more information about circuit boards and electrical understanding

"circuit boards": can you narrow that down a bit? and what electrical systems/theory do you need to understand. on a full scale answer, anything from Hobbyist Electronics class to a full HND or HNC (or whatever the quals are called these days) in Electrical and Electronic Engineering

Working a case where the crime was committed using an XBox. Looking for some guidance on the best way to conduct an exam on it.

Deleted User

Working a case where the crime was committed using an XBox. Looking for some guidance on the best way to conduct an exam on it.

maybe scroll back to this. might be of use? https://discord.com/channels/427876741990711298/537760691302563843/1060943853126942762

Deleted User

Working a case where the crime was committed using an XBox. Looking for some guidance on the best way to conduct an exam on it.

If it’s anything after an Xbox360 best bet is a manual review and video/photograph the screen.

Hey all, we have a new model of Faraday Case out now. If you go to the site you can request a free Faraday case. We have a few in stock and are working on getting more in. Basically these cases are super effective and have a lower bottom line because we direct source. We also support operation teams for human trafficking victims, so if you are involved with that field please let me know.

9:14 AM

https://mtdfe.com/products/preorder-halcyon-faraday-case-with-rolltop-seal-10-x-10

New! - Halcyon Faraday Case with Rolltop Seal 10" x 10"

️【TOP FARADAY SOLUTION】LAB TESTED DUAL LAYER SHIELDING

️

️ Blocks Efficiency :70-80DB, Frequency range: 10KHZ-30GHZ

【VERSATILE】 Protect your CELLPHONE

, KEY FOB

, CREDIT CARDS

, ID BADGE

【MILITARY-GRADE FARADAY SOLUTION】 Military | Law Enforcement Missions➕【EXTA SPACE】 Large storage with 10"x10" case.

[RUGGED S

mitchlang

Hey all, we have a new model of Faraday Case out now. If you go to the site you can request a free Faraday case. We have a few in stock and are working on getting more in. Basically these cases are super effective and have a lower bottom line because we direct source. We also support operation teams for human trafficking victims, so if you are involved with that field please let me know.

Have you looked into producing bags with shielded USB ports? Phones dying is the biggest problem with these and the portable battery packs don't last very long either. My faraday box has way too many phones in it already so a staging area where I could keep bags plugged in and shielded would be great. Mission darkness makes a bag like that but it costs around $400. Curious if you've looked into the practicality of competing in that space.

Digitalferret

"circuit boards": can you narrow that down a bit? and what electrical systems/theory do you need to understand. on a full scale answer, anything from Hobbyist Electronics class to a full HND or HNC (or whatever the quals are called these days) in Electrical and Electronic Engineering

I need the basic information to get me started to learn about it. The components and how it works

whee30

Have you looked into producing bags with shielded USB ports? Phones dying is the biggest problem with these and the portable battery packs don't last very long either. My faraday box has way too many phones in it already so a staging area where I could keep bags plugged in and shielded would be great. Mission darkness makes a bag like that but it costs around $400. Curious if you've looked into the practicality of competing in that space.

Yes, I need a solid USB plug with a filter, but yes this is underway!!

10:30 AM

If anyone has a reference I have a case that is ready to go. I'm hoping to have the first 50 ready by the end of June.

Ahmedl21

I need the basic information to get me started to learn about it. The components and how it works

college / youtube / books ... (edited)

FullTang

Do your FPRs, put in for everything, take what you can get, and don’t hold your breath for MDE, BCERT, or NITRO. If you are not on the FPR system yet it should be easier to get into a virtual class/presentation over an in person class.

I’m on pace for 500 FPRs this year and can’t even get an online class.

‍♂️

1

Can someone from @Cellebrite DM me reference a sales question.

digital Bowles

Can someone from @Cellebrite DM me reference a sales question.

Not sales but will get you a connect

Yes. I’ve been waiting to hear from someone for a couple of weeks.

Sent you a dm@

Digitalferret

college / youtube / books ... (edited)

Got any suggestions on where tho

Ahmedl21

Got any suggestions on where tho

Where have you looked?

1

Ahmedl21

Got any suggestions on where tho

YouTube is a good resource and you can shop online for basic electronic build kits complete with breadboards, resisters and solder to help you learn.

Can anyone help me with combining json files for project VIC ?

Does anyone know if there is a factory reset artifact in android that would show date of last restore?

Neon

Does anyone know if there is a factory reset artifact in android that would show date of last restore?

This article might be of use. https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/

Binary Hick

Wipeout! Detecting Android Factory Resets

I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for these artifacts. DFIR truly is a team effort. They say im…

1

Neon

Does anyone know if there is a factory reset artifact in android that would show date of last restore?

data\misc\bootstat\factory_reset

2

Thank you both

FullTang

This article might be of use. https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/

there's a new one: https://thebinaryhick.blog/2023/04/02/wipeout-part-deux-determining-how-an-android-was-setup/

Binary Hick

Wipeout! Part Deux – Determining How an Android Was Setup

I hope everyone has had a great first quarter of 2023. For me, it has been a busy one with settling into a new role at a new employer. As things continue to settle I hope to get back into a bloggin…

2

1

I am drawing a blank on VSC. I was given the VSC files from a file server as a logical image (AD1). Inside the "System Volume Information" folder of the AD1, I see the VSCs. I exported the files and removed the "system, hidden" flag. Now I am trying to mount the 50+ VSCs to browse the folders. VSCmount and AIM only work on full disk images, not logical file captures. Are there any tools that can mount the 50+ in "bulk"?

Well this might cause some havoc with usernames https://www.theverge.com/2023/5/3/23710259/discord-new-username-discriminators-number-tag

Discord is growing up, so everyone needs to pick a new username

Discord is dropping the four-digit suffix that followed each username.

I got an email about that

ForensicDev

I am drawing a blank on VSC. I was given the VSC files from a file server as a logical image (AD1). Inside the "System Volume Information" folder of the AD1, I see the VSCs. I exported the files and removed the "system, hidden" flag. Now I am trying to mount the 50+ VSCs to browse the folders. VSCmount and AIM only work on full disk images, not logical file captures. Are there any tools that can mount the 50+ in "bulk"?

Have you tried FTK Imager? AD1 is proprietary to AccessData. Not sure if it can do it in bulk but I'd start there

‍♂️

Andrew Rathbun

Have you tried FTK Imager? AD1 is proprietary to AccessData. Not sure if it can do it in bulk but I'd start there

‍♂️

FTK Imager mounts the AD1 as a "file system" just fine, yet the VSC contained within are not mounted. For example using Eric Zimmerman's VSCMount will create mount points to VSC on forensic images that are mounted via AIM or FTK Imager. However, this tool only seems to work against an actual forensic image, not a logical file folder capture inside an AD1. I am trying to mount the individual VSC files {GUID}{GUID} inside the System Volume Information folder I received in the AD1. So far no luck in getting them to a mount point where I can browse their folder structure.

ForensicDev

FTK Imager mounts the AD1 as a "file system" just fine, yet the VSC contained within are not mounted. For example using Eric Zimmerman's VSCMount will create mount points to VSC on forensic images that are mounted via AIM or FTK Imager. However, this tool only seems to work against an actual forensic image, not a logical file folder capture inside an AD1. I am trying to mount the individual VSC files {GUID}{GUID} inside the System Volume Information folder I received in the AD1. So far no luck in getting them to a mount point where I can browse their folder structure.

Maybe @Eric Zimmerman has ideas for tools that might do the job?

Ad1 does not support VSC afaik. You can try mounting it as a raw in frk to see what it can do but ad1 is a terrible thing that should never be used. If it isn't emulating an ntfs volume windows won't see the vscs

6:37 PM

An ad1 is logical only. Ie no vscs.

DeeFIR 🇦🇺

Where have you looked?

You know how there a lot online but doesn’t mean it is useful. So far it’s YouTube but they be doing advance things not for beginners

Deleted User

YouTube is a good resource and you can shop online for basic electronic build kits complete with breadboards, resisters and solder to help you learn.

How did you get started and okay got any suggestions on which ones I should get

Ahmedl21

How did you get started and okay got any suggestions on which ones I should get

I'll use GeoHotz's advice: Find something you want to do or build and start from there. This can work as a starter project for your needs: https://camjam.me/?page_id=236 or look around on Amazon: https://www.amazon.com/Electronics-Dummies-Cathleen-Shamieh/dp/1119117976 If none of our replies have answered your question we might not have the answers you are looking for. Good luck.

Michael Horne

CamJam EduKit 1 – Starter

Electronics For Dummies

Deleted User

I'll use GeoHotz's advice: Find something you want to do or build and start from there. This can work as a starter project for your needs: https://camjam.me/?page_id=236 or look around on Amazon: https://www.amazon.com/Electronics-Dummies-Cathleen-Shamieh/dp/1119117976 If none of our replies have answered your question we might not have the answers you are looking for. Good luck.

Both are good got anything for learning about gears, speed they go, and the math behind it

Does anyone have experience comparing MDE devicenetworkevents to more traditional proxy logs? Like, do you need to have a proxy to have the same visibility?

Tr4pSec 🇳🇴

Does anyone have experience comparing MDE devicenetworkevents to more traditional proxy logs? Like, do you need to have a proxy to have the same visibility?

You don’t have the full URI in the network events table, but you have more verbose process events. They’re different but complimentary. It would be great if you had both proxy logs and endpoint telemetry. (edited)

1

Can you supplement with sysmon for example?

3:45 AM

I havent used sysmon before, not sure what events you can pull from networking

Tr4pSec 🇳🇴

I havent used sysmon before, not sure what events you can pull from networking

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events

Sysmon - Sysinternals

Monitors and reports key system activity via the Windows event log.

I've been given an ITunes backup and an oxygen export of messages, and I've generated another export of messages through Cellebrite and somehow they both have messages the other is missing

5:03 AM

I'd have assumed Cellebrite would pick up everything oxygen had picked up - and more

Neon

Does anyone know if there is a factory reset artifact in android that would show date of last restore?

use aleapp

Naga

I've been given an ITunes backup and an oxygen export of messages, and I've generated another export of messages through Cellebrite and somehow they both have messages the other is missing

Hello! That is the main reason most people (if possible) use multiple tools. But it is not satisfactory if some messages are missed by Oxygen

I would like to DM you and ask some questions, if you don't mind

Sure

Naga

I'd have assumed Cellebrite would pick up everything oxygen had picked up - and more

same thing with regard to data recovery programs and as OF said, why Co's use a whole array of programs.

Original message was deleted or could not be loaded.

even with multiple software packages, it's still a possibility. there's also really no replacement for experienced operators who understand fundamentals. it's usually a company cost saving exercise trusting to best-guess push-button solutions.

10:04 AM

and then employing Tier One operatives to do the job

betting LE be like: wish i could work privately, so I wouldn't have to spend so much time doing pointless things for <superiors> while smiling

1

Yeah, there is no difference here. Everyone works for someone.

6

Original message was deleted or could not be loaded.

you ever worked in LE?

11:16 AM

grass is always greener

1

11:18 AM

"lots of cases of officers demanding urgent work and being told they will have to wait for the backlog" worldwide. it's an actual thing, you can't overtime imaging. the bottleneck is the hardware and even further categorizing images, which no one externally wants to do

11:19 AM

i've seen LE on here practically begging for large scale co to take drives

11:21 AM

yeh, there are gross generalisations made. but essentially shit rolls downhill. in every co, regardless of sector

11:21 AM

lol

11:22 AM

i'm in UK, and the LE/Emergency sectors have worked on goodwill for so lomng it's completely eroded. from cops to ambulance to doctors, they work incredibly long hours on the back of government emotional blackmail.

11:23 AM

they have fewer resources, equipment, manpower, beds etc. the Govt drives are for efficiency. let me chop off 9 of your fingers and then give you an efficiency guide

11:24 AM

yup ^ always the guys above, shouting the odds.

11:25 AM

i hear you, but please don't think LE is a universal panacea. it isn't. work out what turns your cogs in terms of work, baloance that against its pay prospects (and figure out why some countries are saturated with accountants and lawyers

)

For sure

i'm reluctant to ping UK LE but have plenty of chats with someone in the job you think you are wanting. "LE is better than working private sector" tell me i'm worng, kinda thing

11:29 AM

but yeh, here's me shitting up Gen chan, lol. best of luck going forward

Last I checked our DMI has a six month backlog?

Digitalferret

betting LE be like: wish i could work privately, so I wouldn't have to spend so much time doing pointless things for <superiors> while smiling

Said that.

Random question, what's everyone's go-to portable drive for acquisition purposes? Something I've been meaning to throw out there

SanDisk 2TB Extreme PRO Portable SSD

1

Austin || Lukrativ🔎

Random question, what's everyone's go-to portable drive for acquisition purposes? Something I've been meaning to throw out there

We use a lot of the Samsung T7 drives

1

Austin || Lukrativ🔎

Random question, what's everyone's go-to portable drive for acquisition purposes? Something I've been meaning to throw out there

WD Black NVMe in external usb-c case

1

I am in need of a new forensic laptop for work needing it to do both video forensics, mobile and computer forensics. Do you all have any suggestions on processor, AMD vs Intel and which model specifically? I’m looking at 13th gen Intel and 7000 series AMD Ryzen and will have to get an Alienware as my agency already has them on our purchasing agreement. I am most interested in the best processor for video work. The model options all come with a NVIDIA RTX 4080 or 4090 GPU

@Law Enforcement [UK] Anyone around that has knowledge on server specs / contacts for trusted providers? pm if so!

Rob

@Law Enforcement [UK] Anyone around that has knowledge on server specs / contacts for trusted providers? pm if so!

Sent you a message

1

Rob

@Law Enforcement [UK] Anyone around that has knowledge on server specs / contacts for trusted providers? pm if so!

We’re currently doing a lot of infrastructure work so have a good knowledge.

1

Adam Cervellone

I am in need of a new forensic laptop for work needing it to do both video forensics, mobile and computer forensics. Do you all have any suggestions on processor, AMD vs Intel and which model specifically? I’m looking at 13th gen Intel and 7000 series AMD Ryzen and will have to get an Alienware as my agency already has them on our purchasing agreement. I am most interested in the best processor for video work. The model options all come with a NVIDIA RTX 4080 or 4090 GPU

Can you get Dell Precision Mobile Workstations? We have found that while not quite as fast, enterprise workstations have better stability and support. We have some HP ZBook and Lenovo workstation laptops that are good.

busted4n6

Can you get Dell Precision Mobile Workstations? We have found that while not quite as fast, enterprise workstations have better stability and support. We have some HP ZBook and Lenovo workstation laptops that are good.

We should be able to purchase any dell/alienware product with ease. Anything outside of Dell is like pulling teeth

Hello

2

Working an attempted Homicide, suspect dumped phone. Have cell phone towers but no rtt data as it is AT&T. The phone collision detection called 911. Phone is dead. Got 911 call with a 911 ping. Is the data from that ping actually from the phone gps? So far the pings we got from AT&T before the phone died are too broad an area.

AT&T doesn't have rtt, but the last time I did a search warrant on them, they have NELOS, which estimates the phone's actual location. As for GPS, as I understand it, when it sends auto crash data, it sends the actual location of the phone, but I'm not 100% sure about that.

Ok we’re sending a team to do a search right now. Here’s hoping it’s gps from the phone.

I assume that you're looking for the vehicle?

No the phone. Suspect was dumping burner phones

Do you have the vehicle?

This phone was the original however and was present with the suspect at the scene

6:59 AM

While is several states away. Seized so it isn’t available yet for forensics

7:00 AM

Vehicle*. Not “while”

Gotcha. Good luck finding the phone!

Just got info from 911 claiming its within 5 meters HAS to be gps. I’ll let you all know if we find it as it’s good info for future reference.

2

7:09 AM

Fyi when Apple auto calls 911 it’s dictates the the dispatcher the gps coordinates of the device.

2

@mxNinja17best of luck!

Device found almost immediately.

Hi everyone, I have an old iPhone 6. What software do you recommend to force the update to iOS > 13? Thank you

There's no iOS 13 for iPhone 6. 12.5.7 is the last available one

Isn't there a way to force this?

there's nothing to force. Apple did not make iOS 13 for iPhone 6

Hello community! Does anyone have experience with rights protected messages of O365? I already know that you can’t decrypt them after its collection through the eDiscovery tool but, what if I have the .pst file from the laptop? Is there anything I can do?

I have a PUP sample that wont install on any.run or tria.ge. I tried running it in a normal w10 vm which works but then I dont get the reporting obviously. What can I use to check which files it writes etc? Or is there some way to get it working in anyrun/triage?

isvak

I have a PUP sample that wont install on any.run or tria.ge. I tried running it in a normal w10 vm which works but then I dont get the reporting obviously. What can I use to check which files it writes etc? Or is there some way to get it working in anyrun/triage?

The classic suggestions here would probably be to use procmon/procdot to easily visualize the activity that related processes are generating

1

javanzato

The classic suggestions here would probably be to use procmon/procdot to easily visualize the activity that related processes are generating

Thanks! Trying out procmon right now so I seem to be on the right track!

Apologize if this isn't the right place to ask. But for those in law enforcement does anyone have a search warrant for Amazon to get video and logs from a Ring or Blink door bell camera? I don't mind typing one up but I was just curious for one to use as a go by.

Great guest post from Christopher Collins sharing about Cloud Storage and Digital Forensic Evidence. If you needed to see the research regarding the differences between keeping evidence storage on prem or in the cloud - Chris's paper has got you covered! https://www.hexordia.com/blog-1-1/cloud-storage-and-digital-forensic-evidence

Cloud Storage & Digital Forensic Evidence — Hexordia

The Future of Digital Forensics How Cloud Storage is Revolutionizing the Digital Industry Abstract: How can we leverage cloud-based storage solutions for digital evidence in a laboratory setting and is it safe? Technology is forever evolving, and one fact remains, storage is a finite resource.

5

1

Thanks for sharing, my agency is looking into a digital evidence management system, so far we have looked into axon and fileonq. Anyone use those systems and how do you like it? Any others to check out?

ExisT

Thanks for sharing, my agency is looking into a digital evidence management system, so far we have looked into axon and fileonq. Anyone use those systems and how do you like it? Any others to check out?

Cellebrite Guardian is worth checking out too

1

ExisT

Thanks for sharing, my agency is looking into a digital evidence management system, so far we have looked into axon and fileonq. Anyone use those systems and how do you like it? Any others to check out?

Take a look at Monolith Forensics. It's flexible to deploy through on-prem and cloud, good case management and reporting.

"data\sec\photoeditor\0\storage\emulated\0\DCIM\Screenrecordings" Does anyone have an explanation for this file path please?

Hey Everyone, I could really use some help. I have a situation that I am trying my best to work out in my personal life. Situation: A family friend (25yo) was diagnosed with Cancer, a week later got married to her bf, they went on a destination wedding/honeymoon. All photos were taken on iPhone. They were then backed up to a MacBook 2015, and removed from the iPhone. Then from the MacBook to an external drive which is formatted as HFS for whatever reason and removed from the MacBook. I have never worked on Mac file systems before and so I could use some help. What I have done so far is used the external drive in Autopsy, here I can see some photos approximately 2/3 are accessible but they insist that all photos should be there, there is no references to any deleted files at all and all additional storage volumes are completely blank. So I dont think they got copied to the drive. They are offering their laptop, that the files were deleted but it hasnt been used enough that it likely hasnt been overwritten. What help I need is: To do this, my thought is to remove the drive and treat it the same as an external drive. Is this going to cause issues with the OS if I then try to reinstall it? Typically for work while on Windows, I collect evidence of specific files, not entire disks. I am just trying to do my best with this as I initially referred them to some professional services but they quoted a $1k analysis fee and $4k recovery if they find anything. So any advise anyone can provide would be much appreciated.

don’t know if a free hfs reader for windows can help you: https://hfsexplorer.en.softonic.com/?ex=DINS-635.2

HFSExplorer

Free tool for HFS files

9:03 AM

and if you want to convert heic files to jpg another free tool: https://imazing.com/fr/converter

iMazing Converter | Outil gratuit pour la conversion de photos HEIC...

iMazing Converter est une application gratuite pour Mac et PC permettant de convertir des photos HEIC en JPEG ou PNG, et des vidéos HEVC en MPEG-4.

9:05 AM

tell me if useful.

9:06 AM

to recover deleted files you can try photorec

9:07 AM

https://www.cgsecurity.org/wiki/PhotoRec_FR

PhotoRec FR

Establishing a local cyber lab. What wishlist items should we request?

A pay raise

Computers

if you foresee any password cracking, might be good to wishlist some workstations with decent GPUs or perhaps a bit of cloud spend budget

Multi year software license subscriptions so you're only pulling your hair out every few years dealing with purchasing instead of every year

2

sstallm2

Establishing a local cyber lab. What wishlist items should we request?

Depends on what your ‘cyber’ tasks look like. Software/tools/storage/covert infrastructure/training/labs, the list is potentially endless.

Check with any other agencies or departments in your area if you can that already have some type of DFIR/cyber lab. See what they like, don't like, what challenges they've had (besides budget, b/c I think we all have that problem

). It really also depends on what your in-house technical capabilities are. If you are going to focus on mobile forensics that looks different then trying to outfit something focusing on more computer/network forensics. Although pretty much all the departments in my area start with getting the capabilities to do mobile forensics, since that pretty much dominates most cases they see locally. Whatever software you go with, make sure to also including training for it

sstallm2

Establishing a local cyber lab. What wishlist items should we request?

data storage

1

having set up 2 huge labs and spent a lot of money, all i can say is you should decide what is important to you. if you are going to deal with X, buy stuff for X. if you won't, don't spend your budget on one thing that you will never use. storage gets cheaper, computers get better, it's best to invest in people and training. (edited)

4

1

Dr. Kaan Gündüz

having set up 2 huge labs and spent a lot of money, all i can say is you should decide what is important to you. if you are going to deal with X, buy stuff for X. if you won't, don't spend your budget on one thing that you will never use. storage gets cheaper, computers get better, it's best to invest in people and training. (edited)

storage gets cheaper, computers get better, it's best to invest in people and training. Excellent advice, I love it.

I am performing a facebook messenger download directly from Facebook as HTML format. Does anyone know of an app that can ingest the data and make it look pretty ?

if it’s html use a web browser

1

When exported, theyre in 2.5 GB zip files, I wanted to consolidate everything

found this don’t know if it’s what you want : https://socialdata.site/chapter_04/

Chapter 4 — Scraping Your Own Facebook Data

The social web has become an ever-more important part of people’s lives. This book provides its readers with an understanding of the kind of data that can be mined from the social web, of the insights that can be gained from it, and of the limitations of its scope.

Thanks, I used the step to download directly from FB.

12:25 PM

Just looking into a tool to consolidate and display the contents

Anybody have any knowledge on the status of the AFF4 image format? I heard about it a couple years back and was really excited, but haven't seen much about its development since.

when you use digital collector on newer macs, it saves as aff4

1

Cole

Anybody have any knowledge on the status of the AFF4 image format? I heard about it a couple years back and was really excited, but haven't seen much about its development since.

what do you mean by status ?

Heimdall4N6K

what do you mean by status ?

Support for imaging in the AFF4 format as well as processing AFF4 formats in forensic tools. I'm wondering when we might be able to use AFF4 as our standard image format vs RAW or E01.

this article is useful: https://www.forensicfocus.com/webinars/the-aff4-evidence-container-why-and-whats-next/

The AFF4 Evidence Container: Why and What's Next - Forensic Focus

Well, good day. My name is Bradley Schatz, I’m from Evimetry. Today I’m here, it’s my distinct pleasure to be ... Read more

12:42 PM

axiom, autopsy… support aff4 format

Cole

Anybody have any knowledge on the status of the AFF4 image format? I heard about it a couple years back and was really excited, but haven't seen much about its development since.

Like @Jay528 says, digital collector on modern Mac’s use AFF4 as standard. Most forensic tools work with this format such as X-Ways, Axiom, inspector, I heard EnCase does (or planning to release) support for it also.

arsenal image mounter support aff4 to

Heimdall4N6K

this article is useful: https://www.forensicfocus.com/webinars/the-aff4-evidence-container-why-and-whats-next/

Yeah that's the webinar I attended. Lots of advantages to AFF4. I was hoping that X-Ways, Axiom, and FTK Imager would support imaging in AFF4 by now. Does anyone know if there is a reason why it hasn't become more widespread yet? I am happy to see several tools support it now, though. Last time I looked it was about one or two tools could image to the format.

Hey DFIR gurus, what would be your wishlist of applications running on an endpoint at the time of an intrusion? Would sysmon / windows event log suffice?

Cole

Yeah that's the webinar I attended. Lots of advantages to AFF4. I was hoping that X-Ways, Axiom, and FTK Imager would support imaging in AFF4 by now. Does anyone know if there is a reason why it hasn't become more widespread yet? I am happy to see several tools support it now, though. Last time I looked it was about one or two tools could image to the format.

Things have progressed a bit strange with AFF and then AFF4, especially in terms of awkward implementations by third parties and project-related pages scattered in various places. We didn’t have much luck finding tools that support the creation of AFF4 disk images. (See https://discord.com/channels/427876741990711298/427936091220344833/959032798642049054)

Discord - A New Way to Chat with Friends & Communities

Discord is the easiest way to communicate over voice, video, and text. Chat, hang out, and stay close with your friends and communities.

1

1:53 PM

It has great potential, probably just needs someone to focus all the resources in one place and be an implementation cheerleader.

Logan

Hey DFIR gurus, what would be your wishlist of applications running on an endpoint at the time of an intrusion? Would sysmon / windows event log suffice?

EDR &| sysmon for sure, extended retention for other windows logs (edited)

Has anyone here used socradar/socradar.io in their organization? Whats peoples thoughts on it?

5:24 PM

Specifically their Digital Risk Protection services/aspect? Is it any good?

5:26 PM

"Credential detection technologies"

Logan

Hey DFIR gurus, what would be your wishlist of applications running on an endpoint at the time of an intrusion? Would sysmon / windows event log suffice?

Sysmon for sure, but it has to be tuned. And that the logs are shipped to a central location like a SIEM.

@Magnet Forensics is it possible to get a Trial License for Magnet Axiom? if yes, what information do you need?

DFIR_tist

@Magnet Forensics is it possible to get a Trial License for Magnet Axiom? if yes, what information do you need?

I will DM you magnetforensics

Got a question relating to a little python script I've created (chatgpt :P) that basically converts all audio containing speech within a folder to text. I want to introduce it to investigators so that they can search the text, but what are the stumbling blocks of using this to find evidence, if and when it goes to court? Not that the text would be used as evidence, but mainly to point towards things of interest. In my testing, accuracy was amazing, however when I started processing some actual evidence of scam calls...accuracy was pretty bad. This is because the audio was horrendous to begin with. So it has it's pitfalls. I strongly believe it could be a game changer, allowing videos and audio to be key word searched. The script logs all of the text and links it to the original audio with some rough time stamps.

MrMacca (Allan Mc)

Got a question relating to a little python script I've created (chatgpt :P) that basically converts all audio containing speech within a folder to text. I want to introduce it to investigators so that they can search the text, but what are the stumbling blocks of using this to find evidence, if and when it goes to court? Not that the text would be used as evidence, but mainly to point towards things of interest. In my testing, accuracy was amazing, however when I started processing some actual evidence of scam calls...accuracy was pretty bad. This is because the audio was horrendous to begin with. So it has it's pitfalls. I strongly believe it could be a game changer, allowing videos and audio to be key word searched. The script logs all of the text and links it to the original audio with some rough time stamps.

I think it would be like any other form of parsing evidence, the source would need to be verified. It sounds very similar in practice to OCR tools that pull the text out of images and PDF documents. The actual item of interest is still the image or PDF, it just allows for quick searching. Are you able to share the script? I am sure others could benefit from it.

Yeah that's how i was interpreting it too. I've seen OCR of images produce some hilarious outputs, yet it does also work amazing. I'll have to speak with my managers to see if it can be shared, I'd be happy to if given the green light.

2

MrMacca (Allan Mc)

Got a question relating to a little python script I've created (chatgpt :P) that basically converts all audio containing speech within a folder to text. I want to introduce it to investigators so that they can search the text, but what are the stumbling blocks of using this to find evidence, if and when it goes to court? Not that the text would be used as evidence, but mainly to point towards things of interest. In my testing, accuracy was amazing, however when I started processing some actual evidence of scam calls...accuracy was pretty bad. This is because the audio was horrendous to begin with. So it has it's pitfalls. I strongly believe it could be a game changer, allowing videos and audio to be key word searched. The script logs all of the text and links it to the original audio with some rough time stamps.

[ stumbling blocks of using this to find evidence] - i used Audiate from Techsmith on a trial basis. i think for general speech and language they do ok, but put in anything that doesn't fit the standard model or uses niche/tech language, slang, it falls well short. i used air traffic audio and it was absolutely hopeless. Maybe biasing an AI model might help if the language has a regularly used specific set of words / grammar.

MrMacca (Allan Mc)

Got a question relating to a little python script I've created (chatgpt :P) that basically converts all audio containing speech within a folder to text. I want to introduce it to investigators so that they can search the text, but what are the stumbling blocks of using this to find evidence, if and when it goes to court? Not that the text would be used as evidence, but mainly to point towards things of interest. In my testing, accuracy was amazing, however when I started processing some actual evidence of scam calls...accuracy was pretty bad. This is because the audio was horrendous to begin with. So it has it's pitfalls. I strongly believe it could be a game changer, allowing videos and audio to be key word searched. The script logs all of the text and links it to the original audio with some rough time stamps.

I have been working on testing and utilizing whisper to script out processing the text output and then searching the output with a keyword list. So far I have been just explaining to others that it is just a speculative tool to help you get an idea as to what is going on in say an interview. It is still up to the investigator to make a full review and verify/validate the efforts/findings of the tool. So far it has been a pretty positive work. I can see it really helping to chop down the output quickly then if the investigator populates a keyword list based on their particular investigation such as street addresses and names/nicknames it can at least help you possibly pinpoint areas of interest in an interview

MrMacca (Allan Mc)

Got a question relating to a little python script I've created (chatgpt :P) that basically converts all audio containing speech within a folder to text. I want to introduce it to investigators so that they can search the text, but what are the stumbling blocks of using this to find evidence, if and when it goes to court? Not that the text would be used as evidence, but mainly to point towards things of interest. In my testing, accuracy was amazing, however when I started processing some actual evidence of scam calls...accuracy was pretty bad. This is because the audio was horrendous to begin with. So it has it's pitfalls. I strongly believe it could be a game changer, allowing videos and audio to be key word searched. The script logs all of the text and links it to the original audio with some rough time stamps.

To be more direct with the potential stumbling blocks I think they are the same with any tool/script/operation and that should be made clear to all of those who you demonstrate the process to that it is incumbent on the end user of the tool to verify and validate the work product and to not rely on it. I have told others "you are the ones that would testify to this, so you need to do your homework and not completely rely on this tool(s)". hope this helps

Cole

Support for imaging in the AFF4 format as well as processing AFF4 formats in forensic tools. I'm wondering when we might be able to use AFF4 as our standard image format vs RAW or E01.

OSForensics parses AFF4 beautifully.

@ByteSweep @Digitalferret Thanks for the information. Yeah whisper is also the tool i've utilised too. Good stuff

1

Jay528

Just looking into a tool to consolidate and display the contents

if you or your agency are part of NDCAC, you can download .social to help parse it

thanks, private company now

1:54 PM

I am currently working for a LE agency. Does anyone work for a LE agency full-time, and maybe part-time with a private attorney using their digital ninja skills. I have a couple of questions?

I previously was moonlighting on the side, non criminal cases

Jay528

I previously was moonlighting on the side, non criminal cases

What I am looking to do in my area. Who paid for the tools used? Was it more just case review or actual extractions? (edited)

guysssss

1

4:19 PM

Im graduating tomorrow

5

digital Bowles

What I am looking to do in my area. Who paid for the tools used? Was it more just case review or actual extractions? (edited)

The consulting company I worked for paid for the tools.

4:23 PM

Depending on the cost, you pass it onto the client

digital Bowles

I am currently working for a LE agency. Does anyone work for a LE agency full-time, and maybe part-time with a private attorney using their digital ninja skills. I have a couple of questions?

might want to run that outside employment by your agency counsel...not as big a deal if you are not a sworn officer, but still worth checking first

compufuzz

might want to run that outside employment by your agency counsel...not as big a deal if you are not a sworn officer, but still worth checking first

For sure this. Just on the Face I’d say a major conflict of interest.

I’m hoping I can land a job soon

9:28 PM

Graduating always makes me nervous

9:30 PM

I’m looking at the job postings here. Is there any entry level jobs available?

⭐Jigglypuff⭐

I’m looking at the job postings here. Is there any entry level jobs available?

#training-education-employment might help to let people know which country/region you’re in

Hello

Hey has anyone dealt with the windows based application for slack? I’m looking to recover chats from the application itself. I believe they’re stored in cache since I’m seeing all the media involved in the chats. If you’ve dealt w this before do you remember the file ext or am I in the completely wrong place

maddie

Hey has anyone dealt with the windows based application for slack? I’m looking to recover chats from the application itself. I believe they’re stored in cache since I’m seeing all the media involved in the chats. If you’ve dealt w this before do you remember the file ext or am I in the completely wrong place

Might be worth looking into https://www.logikcull.com/blog/how-to-obtain-slack-data-for-discovery

How to Obtain Slack Data for eDiscovery and Investigations

A guide to handling Slack data in litigation and internal investigations, this guide lays out the basics of Slack, from an introduction to the app, to Slack preservation settings, how to export data from Slack, and tips for efficient, effective review.

10:31 AM

Anyone doing anything interesting with AI and incident response? (edited)

10:32 AM

Thinking of doing a master's program in AI and I'm interested in specialising in IR or detection & response artificial intelligence

LαȥყTσɯɳTҽƈԋιҽ★

Anyone doing anything interesting with AI and incident response? (edited)

I've used ChatGPT to write some scripts, that's about it. It's not perfect, but it does better then my poor python skills

1

ChatGPT feels like it has gotten worst or something, could be wrong

It will be interesting if somethings can be automated with AI in the future. I don't think many things in DFIR can ever be fully automated when it comes to analyzing data.

1

LαȥყTσɯɳTҽƈԋιҽ★

ChatGPT feels like it has gotten worst or something, could be wrong

It's for sure hit or miss with what you get from it

LαȥყTσɯɳTҽƈԋιҽ★

ChatGPT feels like it has gotten worst or something, could be wrong

There's been a lot of alignment work to keep it from saying objectionable things. Perhaps that's impacting quality?

CyberGhost

It will be interesting if somethings can be automated with AI in the future. I don't think many things in DFIR can ever be fully automated when it comes to analyzing data.

I don't think full automation is feasible because the hallucination/false positive problem seems unlikely to be fully solved. It could be useful for flagging things for later analysis, though.

1

CyberGhost

It will be interesting if somethings can be automated with AI in the future. I don't think many things in DFIR can ever be fully automated when it comes to analyzing data.

Things don't need to be fully automated imo, I think the future of AI will be tools that assist experts rather than replace them

IHave

I don't think full automation is feasible because the hallucination/false positive problem seems unlikely to be fully solved. It could be useful for flagging things for later analysis, though.

Bingo

10:41 AM

I think the industry needs to shift away from the idea of replacing workers and instead focus on support and assistance (edited)

10:41 AM

A lot of the AI industry is hype too

IHave

I don't think full automation is feasible because the hallucination/false positive problem seems unlikely to be fully solved. It could be useful for flagging things for later analysis, though.

Agree 100 percent. Too much of DFIR needs a human to review the data. I'm thinking more in like automated parsing data, etc. We already have a ton of tools that can do a lot of this, but stringing them all together to get data "ready for review" for an analysis.

CyberGhost

Agree 100 percent. Too much of DFIR needs a human to review the data. I'm thinking more in like automated parsing data, etc. We already have a ton of tools that can do a lot of this, but stringing them all together to get data "ready for review" for an analysis.

Very true!

Github seems to be moving that direction in software development. They're currently expanding copilot (ML-powered multi-line code autocomplete) to have a series of additional tools to augment software developers, not replace them entirely. Github is owned by Microsoft, which de-facto owns OpenAI. See https://githubnext.com/

GitHub Next

GitHub Next investigates the future of software development

Yeah some people, and mostly from people that are not technical from my experience, hear about AI and they think it's going to replace every humans job lol

CyberGhost

Yeah some people, and mostly from people that are not technical from my experience, hear about AI and they think it's going to replace every humans job lol

Yeah this is very true, I feel like a lot of creativity people are sort of over reacting to all this AI hype, nobody is going to want their serious art works be done by an AI

Not trying to stop the conversation in this channel, but there were a few links and good thoughts about AI for DFIR shared in this thread.

3

11:24 AM

https://discord.com/channels/427876741990711298/1102737723149791282

LαȥყTσɯɳTҽƈԋιҽ★

Might be worth looking into https://www.logikcull.com/blog/how-to-obtain-slack-data-for-discovery

Very helpful! Thank you! I guess I’m interested to see if which logs hold the settings for the retention of these messages… maybe it’ll make more sense to why I’m not finding the messages

1

Anyone here still use FREDs?

2

As part of an investigation into a phishing scheme, I'd like to get access to a virustotal file. However, special access is required to get this file. Does anyone have experience getting this type of access, or know anyone I can talk to about this? Ref: https://developers.virustotal.com/reference/files-download

Download a file

This endpoint is similar to GET /files/{id}/download_url, but it redirects you to the download URL. The download URL you are redirected to can be reused as many times as you want for a period of 1 hour. After that period the URL expires and can't be used anymore.

Hey, are there any fast tools that can parse the C:\$MFT or $i30 of the whole system where we can specify the date range to output the results?

Deleted User

Hey, are there any fast tools that can parse the C:\$MFT or $i30 of the whole system where we can specify the date range to output the results?

maybe eric zimmerman tools, not sure for date range…

1

Deleted User

Hey, are there any fast tools that can parse the C:\$MFT or $i30 of the whole system where we can specify the date range to output the results?

Zimmermans tools for sure, MFTECmd + Timeline Explorer

Ty both :)

Mftecmd won't work for i30 at scale

Deleted User

Hey, are there any fast tools that can parse the C:\$MFT or $i30 of the whole system where we can specify the date range to output the results?

Use indxripper for the whole file system

3:34 PM

If you want to use mftecmd at scale for this you basically need to export all the $i30 files and then use kape

3:34 PM

I run bulk extractor to dump out $i30s and then kape+mftecmd in ransomware cases on encrypted disks. It is very slow

Indxripper is what I like for this to be fair

3:34 PM

It's just that

Yep it's cool

I made a powershell tool to read .csv, find files by their paths and check their contents for specific strings

3:36 PM

But it's slow on 300k+ kb

3:36 PM

Does it have an option to maybe only parse by Last Accessed to be current date

Use timeline explorer

3:38 PM

But yeah checking the content is going to be a bit hard with the

3:38 PM

Tle*

3:38 PM

Xways would work, if you've got the path list you can filter for all of them at once and then run a string search over the filtered files

Deleted User

Does it have an option to maybe only parse by Last Accessed to be current date

You may need to use a few steps. Run indxripper, and then run a python script to ingest the CSV and filter for your dates

Oh I haven't thought about a script to separate dates, that might actually do the trick

If you do it regularly enough Otherwise I'd just use TLE, so a search for the date string and then save the result out to xlsx

Yup, thank you!

Deleted User

Hey, are there any fast tools that can parse the C:\$MFT or $i30 of the whole system where we can specify the date range to output the results?

I have always been a fan of OSForensics

1

Looking for training (online/in-person) for evidence handling which would be appropriate for everyone from field technician to evidence room staff. Any suggestions? We are presently looking at the International Associate of Property and Evidence (IAPE) courses, but thought I would see if there was anything else available.

sholmes

Looking for training (online/in-person) for evidence handling which would be appropriate for everyone from field technician to evidence room staff. Any suggestions? We are presently looking at the International Associate of Property and Evidence (IAPE) courses, but thought I would see if there was anything else available.

Have you looked at NW3C? They have some short online "first responder"/evidence collection offerings, and some in-person as well: https://www.nw3c.org/UI/CourseDetails.html?courseId=248

1

@5cary I haven't, but great lead.

Anyone on that's any good with CCNA/PacketTracer?

https://arstechnica.com/information-technology/2023/05/microsoft-is-scanning-the-inside-of-password-protected-zip-files-for-malware/ So if I'm reading this correctly and Microsoft is bruteforcing or otherwise cracking passwords in order to expand and scan the contents of zip files, I wonder if "successes" are stored somewhere? Like when you write a paper to MS for a OneDrive account, can you now ask for any calculated passcodes for encrypted containers found in the account?

Microsoft is scanning the inside of password-protected zip files fo...

If you think a password prevents scanning in the cloud, think again.

whee30

https://arstechnica.com/information-technology/2023/05/microsoft-is-scanning-the-inside-of-password-protected-zip-files-for-malware/ So if I'm reading this correctly and Microsoft is bruteforcing or otherwise cracking passwords in order to expand and scan the contents of zip files, I wonder if "successes" are stored somewhere? Like when you write a paper to MS for a OneDrive account, can you now ask for any calculated passcodes for encrypted containers found in the account?

this is probably only for really simple passwords like "infected"

1:39 PM

Virustotal, for example, will populate/store the password to some zip files that get uploaded, assuming they can open it, but most often "infected" is the password if there is one reported

whee30

https://arstechnica.com/information-technology/2023/05/microsoft-is-scanning-the-inside-of-password-protected-zip-files-for-malware/ So if I'm reading this correctly and Microsoft is bruteforcing or otherwise cracking passwords in order to expand and scan the contents of zip files, I wonder if "successes" are stored somewhere? Like when you write a paper to MS for a OneDrive account, can you now ask for any calculated passcodes for encrypted containers found in the account?

Lowest hanging fruit, other than "infected", is probably using the passwords that the bad actors include in the email bodies for the victims to then use when they open the "extremely important and properly secured" attachments? If Microsoft is doing more creative things that would be interesting. (edited)

Does anyone know if an iPhones mobile ad ID can be found in the system files?

what system files are you talking about?

As in the searching the file system provided through a GK extract

Just Scott

Anyone on that's any good with CCNA/PacketTracer?

I have used it some and I do have my CCNA.

Arsenal

Lowest hanging fruit, other than "infected", is probably using the passwords that the bad actors include in the email bodies for the victims to then use when they open the "extremely important and properly secured" attachments? If Microsoft is doing more creative things that would be interesting. (edited)

Could also be checking the CRC-32 hash of the files in the zip.

Is it possible to get access to a free trial of Cellebrite or Oxygen as a student? I'm a cybersecurity student and am looking to get hands-on training with these tools as I explore forensics as a career, and I know that Axiom, Cellebrite, and Oxygen are well regarded.

4:04 PM

I don't believe that my college provides access to these tools as their degree programs focus more on other parts of cybersecurity and networking-- things that CompTIA certs would cover basically.

@Cellebrite @Oxygen Forensics @Magnet Forensics ^ (edited)

1

voidBox

Is it possible to get access to a free trial of Cellebrite or Oxygen as a student? I'm a cybersecurity student and am looking to get hands-on training with these tools as I explore forensics as a career, and I know that Axiom, Cellebrite, and Oxygen are well regarded.

^

#Unknown ?

1

4:18 PM

also thanks, ferret!

Talmidim

As in the searching the file system provided through a GK extract

Ok - it took forever to open the iPhone DL I had handy, but one source for the advertising ID appears to be: /private/var/mobile/Containers/Data/Application/52E924F9-C42E-4C37-9319-4257346CBFB3/Library/Application Support/com.crashlytics/CLSUserDefaults.plist

4:32 PM

another is listed as: /private/var/containers/Shared/SystemGroup/D9C558FA-FBD2-4EA2-A6AA-6064DEB73691/Library/Caches/com.apple.lsdidentifiers.plist

4:36 PM

the 52E9 path is likely a specific app, listed as "SquareAspect" which I am not familiar with, the D9C55 path seems to be the system path.

whee30

Ok - it took forever to open the iPhone DL I had handy, but one source for the advertising ID appears to be: /private/var/mobile/Containers/Data/Application/52E924F9-C42E-4C37-9319-4257346CBFB3/Library/Application Support/com.crashlytics/CLSUserDefaults.plist

You are amazing. That's it. It appears to be in each .plist for every app

4:50 PM

It's in the .plist under MCMMetadataUserIdentity [2] personaUniqueString

Probably a bit late now haha just about to sit my skills exam and I'm guessing you will be asleep! Haha ill just have to take 99 out of 100 rather than the full 100 lol

voidBox

I don't believe that my college provides access to these tools as their degree programs focus more on other parts of cybersecurity and networking-- things that CompTIA certs would cover basically.

Hello! The access to demos is limited for students. It is possible to acquire a demo if your course professor or someone from Uni emails us at sales@oxygenforensics.com and asks about issuing a demo. It should also include why it is needed, from what date to what date, etc. It is reviewed case-by-case basis.

Talmidim

Does anyone know if an iPhones mobile ad ID can be found in the system files?

PA displays the IDFA

Just Scott

Probably a bit late now haha just about to sit my skills exam and I'm guessing you will be asleep! Haha ill just have to take 99 out of 100 rather than the full 100 lol

Yep, I was definitely asleep and I do remember those being picky! I used Jeremy’s IT Lab videos on YouTube to study for my CCNA and can definitely recommend it. His Discord server is fairly active but I can’t say I am active over there that much.

5:37 AM

https://discord.gg/XcASzq8M

@Cellebrite Hi! I have a problem opening a case in inspector after updating the SW from 10.5 to 10 .7.2. It says the case document is from an older version and needs to get updated. I get this message every time I try to open the case, eventough it has been updated. Any clues to what I need to do?

Try to reinstall the previous version to see if you could open your case so 10.5

Do you guys think I can get a position as Incident Response Consultant at Google Mandiant or CrowdStrike? They were hiring in my area and I don't know if I should go for it. Is there anything bad on my resume?

mika

Do you guys think I can get a position as Incident Response Consultant at Google Mandiant or CrowdStrike? They were hiring in my area and I don't know if I should go for it. Is there anything bad on my resume?

Just go for it. You got this! Worst thing that can happen you wont get accepted. Thats there loss isnt it?

Thanks! I'm kind of worried if I don't get the job now, they will flag me on their automated system to reject future applications from me. So I want to give it all on my first try

mika

Thanks! I'm kind of worried if I don't get the job now, they will flag me on their automated system to reject future applications from me. So I want to give it all on my first try

A lot of people apply more than once to the big name companies. Unless you did something inappropriate, I wouldn't worry about. Go for it!

CyberGhost

A lot of people apply more than once to the big name companies. Unless you did something inappropriate, I wouldn't worry about. Go for it!

definitely do this- some (many?) orgs HR require an applicant apply to an individual HR job ID. E.g. you applied for only one of the 3x slots in our team? We can't hire you for the other 2 if you didn't apply.

I just got back a 150 page pdf of gps coordinates from Lyft. Anyone have any tools I can dump this in to plot the route on a map? My go to (nighthawk) won't work

Pizzantelope

I just got back a 150 page pdf of gps coordinates from Lyft. Anyone have any tools I can dump this in to plot the route on a map? My go to (nighthawk) won't work

Sent you a DM

Hello Can we search social media profile of a suspect if we have his photo only.

@Cellebrite anyone online for a quick question regarding testversions? Thanks in advance

1

JC🧐🧐

Hello Can we search social media profile of a suspect if we have his photo only.

Your best bet is to try Pimeyes.

Deleted User

Your best bet is to try Pimeyes.

Is there any trial version for this website

JC🧐🧐

Is there any trial version for this website

They give you some free lookups but obfuscate the URL on any hits you get. Try it first, if you get a hit then consider paying. Option 2 is to crop the suspects image to mugshot proportions and then run a reverse image lookup on Yandex.

Does anybody know if Encase Imager has gone end of life? I can't find any reference to it on the OpenText website and their customer support is spectacularly useless.

2

PeteB

Does anybody know if Encase Imager has gone end of life? I can't find any reference to it on the OpenText website and their customer support is spectacularly useless.

I think v20.3 is still the latest, and has been for a few years.

2:41 AM

https://www.opentext.com/products/tableau-download-center

OpenText Tableau Forensic Download Center

2:41 AM

Tableau Forensic Imager

2:42 AM

Assuming that's the one you're referring?

Rob

Assuming that's the one you're referring?

No, way back in the Guidance Software days there were (for the purposes of this discussion) 3 different products. Encase Forensic the full analysis software which required licensing. Encase Imager, a freeware (as far as we knew) standalone program which was just the acquisition capability from within Encase Forensic And Tableau Imager, the standalone acquisition program optimised for use with Tableau Forensic hardware and originally produced by Tableau before they were bought by GS. When OpenText bought GS all 3 were still available and remained available for several years. I've just gone looking for a fresh copy to Encase Imager to see if it has been updated since the last time we checked and can now find no mention of it on the OpenText website. I've been in touch with OpenText's customer support but despite asking about what was previously a freeware program they have said they can't help us because we don't have a current Encase licence (their customer support system is also failing to let me look at my own raised cases but that's a different issue). So I was hoping somebody might know whether they'd sundowned the standalone program in favour of just having the full licenced suite and Tableau Imager.

PeteB

No, way back in the Guidance Software days there were (for the purposes of this discussion) 3 different products. Encase Forensic the full analysis software which required licensing. Encase Imager, a freeware (as far as we knew) standalone program which was just the acquisition capability from within Encase Forensic And Tableau Imager, the standalone acquisition program optimised for use with Tableau Forensic hardware and originally produced by Tableau before they were bought by GS. When OpenText bought GS all 3 were still available and remained available for several years. I've just gone looking for a fresh copy to Encase Imager to see if it has been updated since the last time we checked and can now find no mention of it on the OpenText website. I've been in touch with OpenText's customer support but despite asking about what was previously a freeware program they have said they can't help us because we don't have a current Encase licence (their customer support system is also failing to let me look at my own raised cases but that's a different issue). So I was hoping somebody might know whether they'd sundowned the standalone program in favour of just having the full licenced suite and Tableau Imager.

News to me they had 3

1

Hey, if I obtained both the private and public key, is it possible to derive a decryptor from that?

7:11 AM

Or, what else would I need to do so?

7:11 AM

Am in the process of verifying some of the additional payloads I have, making sure the public matches across them. (edited)

Definitely in a better position to do so when compared to not having either of those - you need to reverse the encryption binary and determine how it is performing encryption of files, what algorithm it is using, etc - it is likely that at some point in the process it uses those PKI components to decrypt the symmetric key (often AES or similar) from memory/the sample itself - once you have any relevant symmetric keys and fully understand the encryption algorithm, theoretically sure, you can write a decryptor

7:13 AM

if you have 0 experience reverse engineering, it will be extremely difficult

So might want to drop the payload into something like IDA?

7:15 AM

Pro is like 6k. Am willing to spend that, but if there are some less expensive alternatives, I'm open to that.

if you've never used IDA/Ghidra before, buying it won't be of much use

Everything we've gotten so far has been mostly obtained through process explorer, a hex editor, and some Ghidra stuff I've been working on.

it's not a one-click tool

Oh don't I know...lol

7:15 AM

If only it was so.

7:16 AM

I've used Ghidra the last few years, but IDA is really nice too lol

to write a decryptor, you need two things: 1. The keys used for encryption 2. The algorithm used for encryption

Got it, I think it may be AES, and we know it's intermittent, likely for speed.

and when I say algorithm, I don't just mean AES

7:17 AM

I also mean, what else is the encryptor doing, for example, are file types treated differently? Is it only doing certain sections of files? etc

1

We are also working to determine where the intermittent encryption is taking place, it looks like some in the beginning, and some in the end, with the middle mostly l;eft alone.

1

7:17 AM

Oh shit, good call

7:19 AM

@javanzato thank you for taking the time to answer my questions, and providing good, insightful help. I really do appreciate that. (edited)

of course - writing a decryptor is very difficult honestly - takes a lot of effort reversing the payloads to fully understand the complete algorithm, then of course writing the reverse

1

Well I presently think with what I have currently, it's quite feasible, and will continue working on it with my team. If it can help anyone else affected by this blight, it's worth the efforts.

1

government agencies sometimes have decryptors available for some common strains of malware - worth checking if you've already engaged law enforcement

7:57 AM

at least twice I've had federal agencies step in with a decryptor when I was assisting a client (US that is) (edited)

PeteB

No, way back in the Guidance Software days there were (for the purposes of this discussion) 3 different products. Encase Forensic the full analysis software which required licensing. Encase Imager, a freeware (as far as we knew) standalone program which was just the acquisition capability from within Encase Forensic And Tableau Imager, the standalone acquisition program optimised for use with Tableau Forensic hardware and originally produced by Tableau before they were bought by GS. When OpenText bought GS all 3 were still available and remained available for several years. I've just gone looking for a fresh copy to Encase Imager to see if it has been updated since the last time we checked and can now find no mention of it on the OpenText website. I've been in touch with OpenText's customer support but despite asking about what was previously a freeware program they have said they can't help us because we don't have a current Encase licence (their customer support system is also failing to let me look at my own raised cases but that's a different issue). So I was hoping somebody might know whether they'd sundowned the standalone program in favour of just having the full licenced suite and Tableau Imager.

version 7.10 is their most recent version of Imager

jaket2452

version 7.10 is their most recent version of Imager

Cheers, Do you have a current link? (edited)

PeteB

Cheers, Do you have a current link? (edited)

https://www.opentext.com/products/tableau-download-center#tableau-imager

OpenText Tableau Forensic Download Center

10:05 AM

DCSO

https://www.opentext.com/products/tableau-download-center#tableau-imager

Thanks but that's Tableau Forensic Imager, not Encase Imager

PeteB

Thanks but that's Tableau Forensic Imager, not Encase Imager

Appears you need a login to access that area.

PeteB

Does anybody know if Encase Imager has gone end of life? I can't find any reference to it on the OpenText website and their customer support is spectacularly useless.

You are correct, and they do not offer it any more. Latest version I have is 7.10 and I can tell you that it actually was a life saver in a recent case where the evidence was acquired by a 3rd party through EnCase enterprise.

Good for evidence! Make sure if phone seized run evidence extraction and harvest before detained person, who might claim never seen the phone before, looks at seized phone. Could possibly contest evidence of face on phone due to detained person being asked to look at phone whilst switched on prior to examination. https://www.linkedin.com/posts/trewmte_did-you-know-that-your-iphones-face-id-silently-activity-7065772761201156096-uMtF?

Greg Smith - MTEB, IDF, UNI on LinkedIn: #lawenforcement #digitalev...

Good for evidence! Make sure if phone seized run evidence extraction and harvest before detained person, who might claim never seen the phone before, looks at…

@Cellebrite has anyone gotten certified with CMFF, CCO, CCPA recently? I know they had a content change in jan 2023. I am wondering how long they typically take and how the course content is done (modality, online? asynchronous? etc.)

theshark

@Cellebrite has anyone gotten certified with CMFF, CCO, CCPA recently? I know they had a content change in jan 2023. I am wondering how long they typically take and how the course content is done (modality, online? asynchronous? etc.)

Do you mean how long does the course take to complete. We have several training styles. Self paced online. Instructor led live online or in person

CLB-Paul

Do you mean how long does the course take to complete. We have several training styles. Self paced online. Instructor led live online or in person

Ok thanks. How long does an average candidate take to complete the self paced online version u think ?

Really depends. The course itself is ~5 days in total in person. So depends how has you go

11:30 AM

If you want send me a Dm and ill put you in touch with our training group who have a much better sight of that

1

does anyone have experince in AI for analyzing data? I am writing my capstone and would love to pick some brains..

medusa

does anyone have experince in AI for analyzing data? I am writing my capstone and would love to pick some brains..

define 'AI' - I've done some projects using neural networks/text classification machine learning for malware analysis

Does anyone have experience with electronic lock embedded system forensics? I have a lock and would like to see if it is possible to determine the last time a cell phone was connected to the device.

secluding

Does anyone have experience with electronic lock embedded system forensics? I have a lock and would like to see if it is possible to determine the last time a cell phone was connected to the device.

Would this web-link help give you some lines of enquiry? https://www.newelectronics.co.uk/content/features/debug-forensics

New Electronics - Debug Forensics

The CSI approach to optimising your debug development. By Dunstan Power.

@ICAC Our office received a NCMEC tip from Snapchat that contained a single .jpg file. No program has opened it up. we tried playing around with a few things but no luck. The file header shows C3 BF C3 98 C3 BF C3 A0 followed by the normal JFIF part of the header...instead of the normal header FF D8 FF E0 followed by the JFIF. In desperation, I tried playing with the hex to get it to open in no avail. I was not assigned this case specifically but was asked to help get this open. Anyone have any ideas or run into a similar thing? cross posted in #computer-forensics

kmacdonald1565

@ICAC Our office received a NCMEC tip from Snapchat that contained a single .jpg file. No program has opened it up. we tried playing around with a few things but no luck. The file header shows C3 BF C3 98 C3 BF C3 A0 followed by the normal JFIF part of the header...instead of the normal header FF D8 FF E0 followed by the JFIF. In desperation, I tried playing with the hex to get it to open in no avail. I was not assigned this case specifically but was asked to help get this open. Anyone have any ideas or run into a similar thing? cross posted in #computer-forensics

Reach out to NCMEC and let them know. They will resend it. This happens all the time.

I think that the other detective did, but i will double check. he said something like this is the second time it was sent, but that might have been him logging in to download it again

10:16 AM

FWIW i found this when researching the issue also https://stackoverflow.com/questions/34391134/send-a-binary-buffer-to-client-through-http-serverresponse-in-node-js

Send a binary Buffer to client through http.ServerResponse in Node.js

I have a binary data(like image file) in Buffer object(not file), and want to serve the raw binary data to client through http.ServerResponse. How can I do it ?

Yes typically they will send it via email encrypted

okay

10:16 AM

thanks!

1

Hi all, I'm looking for participants to help me with my PhD research into use of keyword list searching. If you could spare a few minutes to complete an online survey I would be very grateful. Full details are posted in the training-education channel using this link https://discord.com/channels/427876741990711298/427982915230498826/1110255803996315668

1

@here Calling all fellow forensicators! With the permission of admins, I'm asking for anyone who's a user of Axiom to take a couple minutes to fill out this short survey. We're trying to get/maintain an up to date idea of what examiners are seeing in their day to day work in order to better support what you're facing! New apps you're encountering, favorite tools etc. https://forms.office.com/r/5R6s0N3vCs Thank you for all the support!

@here ^^ Any Axiom users, your feedback will help make a difference

14

7

5

2

5

2

1

javanzato

define 'AI' - I've done some projects using neural networks/text classification machine learning for malware analysis

Thank you for replying. I have read that some investigations can use google gpt or something similar to analyze data, like pictures, meteadata, emails, etx.

FYI, anyone can post surveys for grad research, vendors, etc, just run it by one of us to make sure we get it in the right channel so we avoid spam. Equal opportunity for all and every

2

Hello! Been looking into new machines for our Computer investigators, anyone got any recommendations on specs nowadays

Howlo

Hello! Been looking into new machines for our Computer investigators, anyone got any recommendations on specs nowadays

There was a thread a short time ago covering some good builds around AMD and Intel, if you have a search you should be able to find it. I think it was either here or in the computer forensics channel. What’s your budget per machine?

rojo

There was a thread a short time ago covering some good builds around AMD and Intel, if you have a search you should be able to find it. I think it was either here or in the computer forensics channel. What’s your budget per machine?

Oh great thanks, 4k per machine is the current budget

Hi all, has anybody here attended (or did online) any training courses from QA (www.qa.com)? If so, were you satisfied with the content/quality? Thanks in advance! PS: Hope it's okay for me to post this question here!

Does anyone use software to identify spoken language? Google translate can't Detect Language from audio clips. I am unable to figure out what language this is before moving on to getting a translator. The group is medium-olive skin individuals with dark hair. The women had head scarves (not worn) and males had no head coverings. (edited)

Anyone have some SANS (or other) courses to recommend? I work as a general blue teamer, I have taken the FOR508/GCFA. Recently started to get more interested in detection engineering and purple teaming. I have considered the GPEN to get more ”red” experience perhaps but I am open to suggestions!

I accidentally deleted neovim config lua. Can I recover?

7:09 AM

Ubuntu, deleted due to oem installation

GRIZZ

Does anyone use software to identify spoken language? Google translate can't Detect Language from audio clips. I am unable to figure out what language this is before moving on to getting a translator. The group is medium-olive skin individuals with dark hair. The women had head scarves (not worn) and males had no head coverings. (edited)

Sent you a DM

GRIZZ

Does anyone use software to identify spoken language? Google translate can't Detect Language from audio clips. I am unable to figure out what language this is before moving on to getting a translator. The group is medium-olive skin individuals with dark hair. The women had head scarves (not worn) and males had no head coverings. (edited)

can try this i don’t know if it’s what you need: https://github.com/openai/whisper

GitHub - openai/whisper: Robust Speech Recognition via Large-Scale ...

Robust Speech Recognition via Large-Scale Weak Supervision - GitHub - openai/whisper: Robust Speech Recognition via Large-Scale Weak Supervision

Howlo

Hello! Been looking into new machines for our Computer investigators, anyone got any recommendations on specs nowadays

We are using Fujitsu Celsius workstations. I am very contented. You can configure it a bit to your wishes. (edited)

1

Howlo

Oh great thanks, 4k per machine is the current budget

I screenshotted this last time it came up, to remind when our refresh comes round

1

Ross Donnelly

I screenshotted this last time it came up, to remind when our refresh comes round

Cheers for the help!

Howlo

Hello! Been looking into new machines for our Computer investigators, anyone got any recommendations on specs nowadays

DM me if you'd like to chat, but we actually now produce systems for investigators vs examiners. Specs that I think work are quick CPUs, healthy RAM, and maybe a dedicated GPU, but for most that's probably overkill.

Someone from @Cellebrite available for a DM?

1

Same here. Someone from @Cellebrite available for a DM?

1

Howlo

Hello! Been looking into new machines for our Computer investigators, anyone got any recommendations on specs nowadays

I have used Silicon Forensics for a decent build at the price point.

Howlo

Hello! Been looking into new machines for our Computer investigators, anyone got any recommendations on specs nowadays

If you aren't already, try using PCPartPicker (https://pcpartpicker.com) to build your machines - it makes it easy to see compatible parts and general pricing. I just rebuilt my teams analysis machines right now. Here are the specs (and per item cost) I went with, which should be a nice balance of price and performance: 1 Intel Core i9-12900K 3.2 GHz 16-Core Processor $409.99 1 Noctua NH-D15 chromax.black 82.52 CFM CPU Cooler (I'm not a fan of water cooling) $109.95 1 Asus ProArt Z690-CREATOR WIFI ATX LGA1700 Motherboard $419.99 2 G.Skill Ripjaws S5 32 GB (2 x 16 GB) DDR5-6000 CL38 Memory $169.99 3 Samsung 980 Pro 2 TB M.2-2280 PCIe 4.0 X4 NVME Solid State Drive (Temp data for specific tools) $199.99 2 Samsung 870 Evo 2 TB 2.5" Solid State Drive (1 OS | 1 Programs) $159.99 1 Phanteks Enthoo Primo ATX Full Tower Case $289.99 I'm reusing the following parts from a previous build: 1 EVGA SuperNOVA 1000 T2, 80+ TITANIUM 1000W $297.63 1 GeForce GTX 1060 GPU 4 Western Digital Ultrastar 6TB (RAID 10) $189.00 You will save significant $ if you can build (and troubleshoot) yourself, but if you prefer having something that just works out-of-the-box and the tech. support to go with it, buying a pre-built system may be a better choice.

1

wondering if anyone has any law enforcement contact for Google Canada?

JLindmar (83AR)

If you aren't already, try using PCPartPicker (https://pcpartpicker.com) to build your machines - it makes it easy to see compatible parts and general pricing. I just rebuilt my teams analysis machines right now. Here are the specs (and per item cost) I went with, which should be a nice balance of price and performance: 1 Intel Core i9-12900K 3.2 GHz 16-Core Processor $409.99 1 Noctua NH-D15 chromax.black 82.52 CFM CPU Cooler (I'm not a fan of water cooling) $109.95 1 Asus ProArt Z690-CREATOR WIFI ATX LGA1700 Motherboard $419.99 2 G.Skill Ripjaws S5 32 GB (2 x 16 GB) DDR5-6000 CL38 Memory $169.99 3 Samsung 980 Pro 2 TB M.2-2280 PCIe 4.0 X4 NVME Solid State Drive (Temp data for specific tools) $199.99 2 Samsung 870 Evo 2 TB 2.5" Solid State Drive (1 OS | 1 Programs) $159.99 1 Phanteks Enthoo Primo ATX Full Tower Case $289.99 I'm reusing the following parts from a previous build: 1 EVGA SuperNOVA 1000 T2, 80+ TITANIUM 1000W $297.63 1 GeForce GTX 1060 GPU 4 Western Digital Ultrastar 6TB (RAID 10) $189.00 You will save significant $ if you can build (and troubleshoot) yourself, but if you prefer having something that just works out-of-the-box and the tech. support to go with it, buying a pre-built system may be a better choice.

Only 32gb memory? Would suggest 128 min but looks good otherwise

Rob

Only 32gb memory? Would suggest 128 min but looks good otherwise

2 x 32 packages ( 4 x 16 GB) for 64 total. For the applications we are typically using I rarely see that amount being fully utilized. In my experience, maximizing I/O by segregating OS, programs, data, etc. on fast storage has this most impact on processing performance. (edited)

JLindmar (83AR)

2 x 32 packages ( 4 x 16 GB) for 64 total. For the applications we are typically using I rarely see that amount being fully utilized. In my experience, maximizing I/O by segregating OS, programs, data, etc. on fast storage has this most impact on processing performance. (edited)

Ah gotcha. Was gonna say! Axiom and PA love to rinse memory

Rob

Ah gotcha. Was gonna say! Axiom and PA love to rinse memory

My preference per workflow is PA, and it typically processes an average full filesystem in about 20ish min on our machines. Again, storage I/O optimization seems to have the most impact for me. I toyed with going from 64 to 128 on these builds, but 64 on our previous machines didn't seem to be a bottleneck. Plus, I figured I'd just upgrade the memory in year 3 if need be. XWF is extremely efficient, as is other tools we use. I agree that Axiom and PA (v7 at least) is memory-hungry! I also lean more toward price considering I'm building multiple machines at the same time and I need to stretch my budget for other needs that pop up throughout the year. (edited)

1

JLindmar (83AR)

If you aren't already, try using PCPartPicker (https://pcpartpicker.com) to build your machines - it makes it easy to see compatible parts and general pricing. I just rebuilt my teams analysis machines right now. Here are the specs (and per item cost) I went with, which should be a nice balance of price and performance: 1 Intel Core i9-12900K 3.2 GHz 16-Core Processor $409.99 1 Noctua NH-D15 chromax.black 82.52 CFM CPU Cooler (I'm not a fan of water cooling) $109.95 1 Asus ProArt Z690-CREATOR WIFI ATX LGA1700 Motherboard $419.99 2 G.Skill Ripjaws S5 32 GB (2 x 16 GB) DDR5-6000 CL38 Memory $169.99 3 Samsung 980 Pro 2 TB M.2-2280 PCIe 4.0 X4 NVME Solid State Drive (Temp data for specific tools) $199.99 2 Samsung 870 Evo 2 TB 2.5" Solid State Drive (1 OS | 1 Programs) $159.99 1 Phanteks Enthoo Primo ATX Full Tower Case $289.99 I'm reusing the following parts from a previous build: 1 EVGA SuperNOVA 1000 T2, 80+ TITANIUM 1000W $297.63 1 GeForce GTX 1060 GPU 4 Western Digital Ultrastar 6TB (RAID 10) $189.00 You will save significant $ if you can build (and troubleshoot) yourself, but if you prefer having something that just works out-of-the-box and the tech. support to go with it, buying a pre-built system may be a better choice.

We are also putting together a new PA machine and it looks quite similar to this, decide to go for 2x32GB for the ram (giving expansion options in the future) and the 13700 (with liquid because I'm a fan) but otherwise quite similar. Not currently planning on getting a GPU as we don't really use the image processing features.

isn't a good GPU good for cracking password hashes? I guess if you are not buying it it is not used often enough to be worth the investment?

BzdoOREK

isn't a good GPU good for cracking password hashes? I guess if you are not buying it it is not used often enough to be worth the investment?

Just use a distributed hash brute forcing system instead.. aka post it on discord and let people fight for brownie points

5

12

5

2

Alexsaurus

We are also putting together a new PA machine and it looks quite similar to this, decide to go for 2x32GB for the ram (giving expansion options in the future) and the 13700 (with liquid because I'm a fan) but otherwise quite similar. Not currently planning on getting a GPU as we don't really use the image processing features.

The reason why I went with 4 x 16GB is that I typically replace all four DIMMs at upgrade, but I can see where leaving room to expand existing RAM also makes sense. Same thoughts on GPU. I don't typically use PA's media classification in favor of XWF's. If we routinely needed complex password cracking, I'd go distributed or build a dedicated system as opposed to installing a high-end GPU(s). I've personally not been a fan of liquid cooling (always had a fear of a leak), and typically don't overclock, so traditional coolers are what I stick with. LTT recently had a video comparing liquid and traditional coolers: https://youtu.be/1YFR20MmvpM, including the Noctua NH-D15, which was enlightening. (edited)

Linus Tech Tips

Almost Everyone is Wasting Their Money On CPU Coolers

2

DeeFIR 🇦🇺

Just use a distributed hash brute forcing system instead.. aka post it on discord and let people fight for brownie points

it works

5

1

2

chick3nman

it works

can confirm, My aged machines still get the job done when I have access to @chick3nman via Discord.

2

JLindmar (83AR)

The reason why I went with 4 x 16GB is that I typically replace all four DIMMs at upgrade, but I can see where leaving room to expand existing RAM also makes sense. Same thoughts on GPU. I don't typically use PA's media classification in favor of XWF's. If we routinely needed complex password cracking, I'd go distributed or build a dedicated system as opposed to installing a high-end GPU(s). I've personally not been a fan of liquid cooling (always had a fear of a leak), and typically don't overclock, so traditional coolers are what I stick with. LTT recently had a video comparing liquid and traditional coolers: https://youtu.be/1YFR20MmvpM, including the Noctua NH-D15, which was enlightening. (edited)

I use a closed loop AIO liquid cooler more for the sound reduction. My FRED already sounds like a jet engine idling haha.

I feel like finding an entry level job in digital forensics is really hard... Ive been applying for jobs but all of them require at least 5 years of experience lol

⭐Jigglypuff⭐

I feel like finding an entry level job in digital forensics is really hard... Ive been applying for jobs but all of them require at least 5 years of experience lol

I basically waited for a year to get to the position I'm in now and hating every second week of it due to environment. Love the work and industry but dear god the people I've met in the industry lack basic management skills

Omg a year?! @Picker That’s crazy. I hope I don’t have to wait that long (edited)

6:29 PM

I have double major double minor so I’m applying both Cybersecurity and Data Science with AI positions @Picker

⭐Jigglypuff⭐

I have double major double minor so I’m applying both Cybersecurity and Data Science with AI positions @Picker

At least in my country cyber security is a bit easy to get into. That is more testing or GRC roles. Forensics is a lot more narrow/more word of mouth options

⭐Jigglypuff⭐

I feel like finding an entry level job in digital forensics is really hard... Ive been applying for jobs but all of them require at least 5 years of experience lol

You'll be doing a disservice to yourself if you don't apply. Don't say no to yourself, let the company say no. You have nothing to lose. I would rather pick a candidate with personality any day, you can teach them but you can't teach personality (edited)

3

2

Plus demonstrate what you know....if someone's taking a risk in hiring someone with no experience then do everything you can do demonstrate that the risk is lower. If you've got no work experience, start there. Help desk is always a good place, and supplement by creating a website and using that as a portfolio. It's rough but it'll work in the end

2

I have a question. If I am collecting logs, say windows event viewer logs (EVTX), and in the process of doing so, it changes the log files modified and created at time, is it bad form to allow that, or does that metadata not really matter since the log entries within the file reflect the correct dates and times for an action or activity that's logged?

Modifying the MAC times of the actual EVTX files themselves wouldn't really have an impact on an investigation of their contents (typically) - I guess this depends more on the context - for an investigation that may go to court I might be more concerned but for most cyber-attack investigations I don't think this would really matter (edited)

javanzato

Modifying the MAC times of the actual EVTX files themselves wouldn't really have an impact on an investigation of their contents (typically) - I guess this depends more on the context - for an investigation that may go to court I might be more concerned but for most cyber-attack investigations I don't think this would really matter (edited)

Okay yeah, I had some of those same thoughts as well. My concern is the court admissibility and all that if needed. But yeah for sure, I appreciate your thoughts and answers!

Pianist

Okay yeah, I had some of those same thoughts as well. My concern is the court admissibility and all that if needed. But yeah for sure, I appreciate your thoughts and answers!

can always just make sure to preserve the originals via a system image or otherwise, then you will always have the source

1

For sure!

Examiners could be missing out on understanding where evidence can be generated by pseudo-embedded SIM cards (eSIM). Having spoken to quite a few people about this it appears there is a general unawareness based upon believing they had not had exposure to it/them (pseudo-eSIM). Pseudo-eSIMs are actually physical SIMs that trick Android mobile handset circuitry to believe an eSIM is presented and active. Pseudo-eSIMs use the same handset slots as form factor 2FF (mini) micro (3FF) nano (4FF). Because pseudo-embedded SIM cards have a built-in eUICC, which means it meets the consumer eSIM specifications as published by GSMA. Here is a link to an example pseudo-embedded SIM cards is you are unaware https://esim.me/eSIM-for-your-smartphone/#234784-manage_on_any_esim_me_compatible_android-

eSIM.me Card

Equip your smartphone with the eSIM.me Card and start downloading eSIM profiles online! Check eSIM.me compatibility Download the free eSIM.me APP from the Playstore to verify eSIM.me compatibily of your very own smartphone. Then simply insert the eSIM.me Card in the SIM card slot of your sma

2:06 AM

Just in case anyone is unaware. [https://en.wikipedia.org/wiki/Mobile_country_code] and [https://en.wikipedia.org/wiki/International_mobile_subscriber_identity]

NAME_THAT_IMSI.pdf

62.17 KB

And by the way, upcoming Belkasoft X 2.0 supports extraction of Android eSims

1

Still on going since 2007 even if ePOST is no longer under active development. "ePOST is a cooperative, serverless email system. Each user contributes a small amount of storage and network bandwidth in exchange for access to email service." https://www.epostmail.org/ New developments are being built, too. "The most used email systems rely on a central server that receives, stores and forward the messages: FlowingMail is decentralized and does not rely on a central server to deliver the encrypted emails. The scope of the FlowingMail protocol is to hide the information being transmitted and the parties involved in the communication. The main component of the FlowingMail protocol is a Kademlia Distributed Hash Table (DHT), which is responsible for storing the encrypted emails while they are in transit and the certificates of the participants in the FlowingMail network." https://flowingmail.com/

paolo

FlowingMail: a P2P, secure, encrypted email system

A P2P (decentralized), secure, encrypted email system. Hides the message and the parties involved in the communication.

If anyone here is using bitbucket for repositories and you weren't aware: https://bitbucket.org/blog/ssh-host-key-changes

Bala Sathiamurthy

ACTION REQUIRED: Update your Bitbucket Cloud SSH Host Keys - Bitbucket

Hello Bitbucket Cloud users, We recently learned that encrypted copies of Bitbucket’s SSH host keys were included in a data breach…

Dumb question: what actually happens when a linux CVE is used in wsl and are there any notable case where an attacker has successfully compromised a windows system through wsl?

1

So for an assignment I have to decrypt an encrypted disc image file. I’ve never done this before. We aren’t given the encryption type that is used. We were also given a string of 5 letters, but I do not think that is the password because I’ve tried using it and it doesn’t work. The extension is .img. Any ideas are much appreciated.

Dany

So for an assignment I have to decrypt an encrypted disc image file. I’ve never done this before. We aren’t given the encryption type that is used. We were also given a string of 5 letters, but I do not think that is the password because I’ve tried using it and it doesn’t work. The extension is .img. Any ideas are much appreciated.

My first thought for trying to identify the encryption used is to just use the Linux ‘file’ command, but I am sure that the people over in #password-encryption-cracking have a better idea.

3

yep, file triage first: file, binwalk, mmls would be good starts

2

Anyone have any suggestions on apps to utilize the mp3 files from SANS to listen to in the car? Traveling in the next few days and would like to listen to those while having google maps open.

burytoes.

Anyone have any suggestions on apps to utilize the mp3 files from SANS to listen to in the car? Traveling in the next few days and would like to listen to those while having google maps open.

VLC I think would do it, but I think Spotify may also support local file playback as well.

1

Pianist

VLC I think would do it, but I think Spotify may also support local file playback as well.

exactly what I was looking for!

1

burytoes.

Anyone have any suggestions on apps to utilize the mp3 files from SANS to listen to in the car? Traveling in the next few days and would like to listen to those while having google maps open.

MP3 are supported in a number of apps. I've listened to them with Apple Music and Spotify

Hey! About building forensic workstations, and using them for "basic" forensic things like Physical Analyzer / Axiom processing, image acquisition, Nuix Workstation and things like that, would you go with the intel way (i9-13900KS) or with the AMD way (Ryzen 9 7950X)? And why? Thanks!

What alternative password lists do you use with Cellebrite Premium? I exhausted the default one with cellebrite and want to try another.

dcs453

What alternative password lists do you use with Cellebrite Premium? I exhausted the default one with cellebrite and want to try another.

Sent you a DM

Looking for a good resource for email header analysis. Looking to see if we can trace potential fraudulent emails back to a source. I only have an excel spreadsheet which contains the header information for all incoming emails of concern. Not case related, just an inhouse fishing expedition.

sholmes

Looking for a good resource for email header analysis. Looking to see if we can trace potential fraudulent emails back to a source. I only have an excel spreadsheet which contains the header information for all incoming emails of concern. Not case related, just an inhouse fishing expedition.

13Cubed did a video a while back about email header analysis, I still use the plugin he created for Sublime Text. You can also paste email headers into the tool on MXToolBox to make them easier to read. https://www.youtube.com/watch?v=nK5QpGSBR8c

13Cubed

Email Header Analysis and Forensic Investigation

5

4:51 PM

https://mxtoolbox.com/EmailHeaders.aspx

Email Header Analyzer, RFC822 Parser - MxToolbox

S Cote / SQ

Hey! About building forensic workstations, and using them for "basic" forensic things like Physical Analyzer / Axiom processing, image acquisition, Nuix Workstation and things like that, would you go with the intel way (i9-13900KS) or with the AMD way (Ryzen 9 7950X)? And why? Thanks!

In that comparison, the intel. Higher clock speed overall, I didn’t check the price , but I’m assuming price doesn’t matter.

1

Not entirely related to DF, once again I find myself not sure where to drop this question... I've been tasked with building fake social media profiles on all major platforms (instagram, facebook, tiktok, snapchat). Does anyone have any good resources for doing it properly in terms of building content, and a solid identity?

CyberGhost

13Cubed did a video a while back about email header analysis, I still use the plugin he created for Sublime Text. You can also paste email headers into the tool on MXToolBox to make them easier to read. https://www.youtube.com/watch?v=nK5QpGSBR8c

Thanks

1

hallux

Not entirely related to DF, once again I find myself not sure where to drop this question... I've been tasked with building fake social media profiles on all major platforms (instagram, facebook, tiktok, snapchat). Does anyone have any good resources for doing it properly in terms of building content, and a solid identity?

I've had great success with fastmail.us and I pick a very common name, I usually start with Facebook, no vpn, then do, Instagram, Twitter, etc usually with a few days in between, and I regularly log into my soc and post like a random bloke would xD Not sure if that's what youre looking for, but that's what I do anywyas xD

Anyone have access to the berla app? Want to know if a make / model might have anything worth trying to dump

Hello all, I'm looking for general information about the Likee app: On what can be discovered on a device Know if certain services have already obtained information from Likeme Pte.Ltd and the kind of data. Feel free to DM me. thx

ryd3v

I've had great success with fastmail.us and I pick a very common name, I usually start with Facebook, no vpn, then do, Instagram, Twitter, etc usually with a few days in between, and I regularly log into my soc and post like a random bloke would xD Not sure if that's what youre looking for, but that's what I do anywyas xD

More so content like images. I obviously don’t want to snag someone’s real images and engage in some identity theft.

Pizzantelope

Anyone have access to the berla app? Want to know if a make / model might have anything worth trying to dump

What vehicle do you have?

hallux

More so content like images. I obviously don’t want to snag someone’s real images and engage in some identity theft.

Thispersondoesnotexsist , or use unsplash xD

ryd3v

Thispersondoesnotexsist , or use unsplash xD

Haha I did see those, I was hoping to find some sort of AI tool of some sort that could replicate the person in various backdrops and locations and such to help build that in depth persona before dumping out vague content.

It’s that could be an option

burgers_N_bytes

What vehicle do you have?

Disregard just got my account activated

1

hallux

Not entirely related to DF, once again I find myself not sure where to drop this question... I've been tasked with building fake social media profiles on all major platforms (instagram, facebook, tiktok, snapchat). Does anyone have any good resources for doing it properly in terms of building content, and a solid identity?

Here are a few to get you started http://www.fakenamegenerator.com https://name-fake.com https://this-person-does-not-exist.com https://proton.me/mail

Get a whole new identity at the Fake Name Generator

The most advanced fake name generator. Generate random names, addresses, usernames, passwords, email addresses, and more. Use for software testing, social media, or anything else.

Fake Name Generator - random registration data

Fake name generator - generates random identity to register for different resources and sites. We will help you stay anonymous online. Do not use a real name if you can use fake name.

ThisPersonDoesNotExist - Random AI Generated Photos of Fake Persons

Generate random human face in 1 click and download it! AI generated fake person photos: man, woman or child.

Proton Mail - Get a private, secure, and encrypted email | Proton

Proton Mail is the world’s largest secure email service with over 70 million users. Available on Web, iOS, Android, and desktop. Protected by Swiss privacy law.

2

1

hallux

Not entirely related to DF, once again I find myself not sure where to drop this question... I've been tasked with building fake social media profiles on all major platforms (instagram, facebook, tiktok, snapchat). Does anyone have any good resources for doing it properly in terms of building content, and a solid identity?

For disposable emails, there's also: https://www.sharklasers.com/ https://temp-mail.org/en/ (I find this one to be most useful and working best when certain services detect that emails are generated by Shark Lasers) For disposable phone numbers (useful when signing up and it requires 2FA): https://smsreceivefree.com/info/15715472492/ https://freephonenum.com/ Otherwise, everything that @Beercow sent are also great resources! Good luck!

✉ SharkLasers.com

Don't want to give them your real email? Use a temporary email. No registration, lasts 60 mins. Protection from Spam

Temp Mail - Disposable Temporary Email

Keep spam out of your mail and stay safe - just use a disposable temporary email address! Protect your personal email address from spam with Temp-mail

SMS Receive Free | Temporary Phone Number

smsreceivefree.com is a free website to receive SMS online. Virtual phone numbers from USA and Canada to receive SMS for free.

Send and Receive Text and SMS online for developers

1

Piggy backing off that, is there like a typical phrase or phrases that can be associated with "temp" emails/numbers etc. Just looking to expand existing keyword lists we run with atm.

Those links are perfect

might spin up a Midjourney account if I can get the prompts right to generate consistent content.

1

Rob

Piggy backing off that, is there like a typical phrase or phrases that can be associated with "temp" emails/numbers etc. Just looking to expand existing keyword lists we run with atm.

Hey Rob, I am not sure if I am reading your question correctly, otherwise I apologize! So, do you mean like another way of saying "Temp" when we're talking about disposable identities? I would also say "Burner emails/numbers", "throwaway" or you can probably use transient as well. Not sure if this is what you are looking for.

1

@ICAC Hey, i need some advice on moving forward with a case. Long story short, was part of a NCMEC cybertip search warrant recently and it ended with an arrest but we trying to really nail down some better evidence. suspect phone had a FFS done back at the office where no CSAM was located on this device, but user accounts for TOR sites were found with the URL in place (that were partially descriptive). My question is, what can we get from other forensic programs that might get us to some CSAM related charges (distribution, enticement, etc)? Is there anything else that can be parsed?

Thor

Hey Rob, I am not sure if I am reading your question correctly, otherwise I apologize! So, do you mean like another way of saying "Temp" when we're talking about disposable identities? I would also say "Burner emails/numbers", "throwaway" or you can probably use transient as well. Not sure if this is what you are looking for.

If you have a user trying to use a service such as a temp/burner email what would a keyword look like that would find this if run in axiom etc.

Rob

Piggy backing off that, is there like a typical phrase or phrases that can be associated with "temp" emails/numbers etc. Just looking to expand existing keyword lists we run with atm.

“10 minute mail”

1

Rob

If you have a user trying to use a service such as a temp/burner email what would a keyword look like that would find this if run in axiom etc.

I looked into it and I found Sock puppets, or sock puppet account, to be close to what you may be looking for. This term is "often used to refer to alternative online identities or user accounts used for purposes of deception." or "as a fictitious online identity created for the purposes of deception." Here's a good resource from Norton Labs on the subject, should you wish to dig further into this: https://www.nortonlifelock.com/blogs/norton-labs/identifying-sockpuppet-accounts-social-media Though, I'm not sure if you already have that term in your keyword lists. Hope this helps and what you were looking for!

Identifying Sockpuppet Accounts on Social Media Platforms

Evolution of Disinformation Campaigns from 2016 - Present

1

hallux

Not entirely related to DF, once again I find myself not sure where to drop this question... I've been tasked with building fake social media profiles on all major platforms (instagram, facebook, tiktok, snapchat). Does anyone have any good resources for doing it properly in terms of building content, and a solid identity?

IntelTechniques has been my go to resource for OSINT and this kind of stuff. Highly recommend Michael's book on OSINT techniques. Don't feel like you have to read to book cover to cover, I use it mostly as a reference guide. It can take a lot of setup and maintenance of your sock puppet accounts, Facebook likes to nix accounts it thinks are fake. Usually happens when they are new accounts. https://inteltechniques.com/

IntelTechniques by Michael Bazzell

kmacdonald1565

@ICAC Hey, i need some advice on moving forward with a case. Long story short, was part of a NCMEC cybertip search warrant recently and it ended with an arrest but we trying to really nail down some better evidence. suspect phone had a FFS done back at the office where no CSAM was located on this device, but user accounts for TOR sites were found with the URL in place (that were partially descriptive). My question is, what can we get from other forensic programs that might get us to some CSAM related charges (distribution, enticement, etc)? Is there anything else that can be parsed?

Have you gone after the clouds? Dropbox, OneDrive, Google Drive.

CyberGhost

IntelTechniques has been my go to resource for OSINT and this kind of stuff. Highly recommend Michael's book on OSINT techniques. Don't feel like you have to read to book cover to cover, I use it mostly as a reference guide. It can take a lot of setup and maintenance of your sock puppet accounts, Facebook likes to nix accounts it thinks are fake. Usually happens when they are new accounts. https://inteltechniques.com/

Thanks! While I don’t think the folks I’ll be monitoring will be smart enough to catch on super quick I’m just hoping to set myself up for success.

spicy_caveman

Have you gone after the clouds? Dropbox, OneDrive, Google Drive.

cloud sources are in the works, not sure how fruitful they will be directly

kmacdonald1565

cloud sources are in the works, not sure how fruitful they will be directly

Usually there will be multiple email accounts you can find, I have had enormous success in getting more evidence from these burner emails where they store csam on that particular google drive account. I collected around 7 drive accounts from different burner Gmails for a suspect and had years of data recovered.

we will check it out. without getting into too much detail, he had accounts for suspected CSAM websites (.onion and one or two .coms) that we believe were created using "3rd party" mail sites and seprately he had accounts that were personal use that used more traditional things like google drive/dropbox which were not used for CSAM. we are doing warrants for that stuff anyway, but thats why my question was more leaning towards what was available regarding tor artifacts and similar. we are working with our prosecutors to see what can be done with the accounts that we have that wont respond to court orders.

kmacdonald1565

we will check it out. without getting into too much detail, he had accounts for suspected CSAM websites (.onion and one or two .coms) that we believe were created using "3rd party" mail sites and seprately he had accounts that were personal use that used more traditional things like google drive/dropbox which were not used for CSAM. we are doing warrants for that stuff anyway, but thats why my question was more leaning towards what was available regarding tor artifacts and similar. we are working with our prosecutors to see what can be done with the accounts that we have that wont respond to court orders.

artefacts may be slim even with FFS, but you could consider (safely) following those .onion links to document that they take you to CSAM to support a charge for access with intent to view under 18 U.S. Code § 2252A(a)(5)(b)

1

karver

artefacts may be slim even with FFS, but you could consider (safely) following those .onion links to document that they take you to CSAM to support a charge for access with intent to view under 18 U.S. Code § 2252A(a)(5)(b)

We are working on that too, thanks

some were a bit old, according to what Axiom parsed....i imagine they have since been relocated or taken down by now, thats an adventure for tomorrow

karver

artefacts may be slim even with FFS, but you could consider (safely) following those .onion links to document that they take you to CSAM to support a charge for access with intent to view under 18 U.S. Code § 2252A(a)(5)(b)

Curious you can get a charge for that since its possible the content has changed since your user viewed it?

karver started a thread. 5/31/2023 1:56 PM

Does anyone have a tool their use to monitor traffic for users working remotely? We blocked a few sites at our firewall but when users disconnect from the vpn they can access it

Cisco umbrella can help address this

4:16 PM

Or any other like product, zscaler, windows defender network protect etc

expose a dns server to the public that does NOT include internal objects, but with the dns filtering you may already be using

ECIR

Does anyone have a tool their use to monitor traffic for users working remotely? We blocked a few sites at our firewall but when users disconnect from the vpn they can access it

pretty much any proxy/dns product will help you with this - I liked ZScaler for this since you can log and monitor all network traffic at the firewall and proxy levels

Are product likes zscaler and Cisco umbrella able to provide internet usage reports for users or devices?

4:35 PM

To be able to provide for example, what websites a specific user visited in a certain timespan

Yes

4:44 PM

Will have to offload the logs somewhere else for longing retention but get 30 days usually in portal based on license

1

I am looking to learn more about cyber forensics, are there any recommended books, that anyone in the industry should read?

2:16 AM

Also any good resources to study up on all the tools that are avalable to the public that are indsutry standard? I have taken a class and have a very basic understanding of the field, but I find it often hard to find info on tools such as paladins disk imaging tool.

ECIR

To be able to provide for example, what websites a specific user visited in a certain timespan

To add to tklane answer, you can get any type of reports you want out of the logging, especially if you push it into splunk or similar - it will give you extremely detailed web traffic information including app categorization, bytes sent/received, HTTP metadata (methods, referer, etc) and many other pieces of detailed data that is extremely useful, especially so for security teams (edited)

I am looking for an open source tool that will capture and download Instagram videos, does anyone have any recommendations?

4n6s7oth

I am looking for an open source tool that will capture and download Instagram videos, does anyone have any recommendations?

In the past, I've used instaloader

segumarc

In the past, I've used instaloader

Thanks for the suggestion!

1

Is there a dedicated discord for MSAB/Celebrite/Oxygen?

tapatiosec

Is there a dedicated discord for MSAB/Celebrite/Oxygen?

Dont think so. This is the best place i guess

Hello Everyone I am applying for masters in Cyber security in USA and I have decided two Universities 1)North Eastern University 2)University of Maryland college park This two universities provide Digital Forensics / Incident response as electives so I found it interesting! So If you guys can suggest me some more Universities in USA, it would be very helpful! Also, If anyone had any views good or bad for above mentioned Universities please share! So I can apply accordingly!

Hello everyone, does anyone know what the purpose is of files contained in the following file location? Data/data/com.android.chrome/app_textures The file path is self-explanatory, I'm just trying to figure out what the "app textures" part is. Thank you!

tapatiosec

Is there a dedicated discord for MSAB/Celebrite/Oxygen?

Not yet, at least.

Alex Owen

Hello everyone, does anyone know what the purpose is of files contained in the following file location? Data/data/com.android.chrome/app_textures The file path is self-explanatory, I'm just trying to figure out what the "app textures" part is. Thank you!

Would recommend #mobile-forensic-decoding

I am a 1 person lab. I have been working on a way to track the status of the devices that come in, but do not need a large (expensive) program. I just need our evidence tech and myself to update it and allow investigators to view it. I have an excel sheet I have been playing with, but no one else can view it. With the number of great minds here is there any ideas. Sorry for the long post and if not allowed I will delete. Thanks

digital Bowles

I am a 1 person lab. I have been working on a way to track the status of the devices that come in, but do not need a large (expensive) program. I just need our evidence tech and myself to update it and allow investigators to view it. I have an excel sheet I have been playing with, but no one else can view it. With the number of great minds here is there any ideas. Sorry for the long post and if not allowed I will delete. Thanks

I have heard of other agencies using a Google Sheet with shared permissions. Maybe that would work well for your case because you are already using an Excel spreadsheet.

2

digital Bowles

I am a 1 person lab. I have been working on a way to track the status of the devices that come in, but do not need a large (expensive) program. I just need our evidence tech and myself to update it and allow investigators to view it. I have an excel sheet I have been playing with, but no one else can view it. With the number of great minds here is there any ideas. Sorry for the long post and if not allowed I will delete. Thanks

Something like this ? https://github.com/AnttiKurittu/kirjuri the project is no longer active but you can still use it, you need a web server liké lamp

GitHub - AnttiKurittu/kirjuri: Kirjuri is a web application for man...

Kirjuri is a web application for managing cases and physical forensic evidence items. - GitHub - AnttiKurittu/kirjuri: Kirjuri is a web application for managing cases and physical forensic evidenc...

Does anyone perform hiring here?

3:05 PM

If so is there anyone I can talk to about my resume?

hrec

Something like this ? https://github.com/AnttiKurittu/kirjuri the project is no longer active but you can still use it, you need a web server liké lamp

Thank you. I love the collection of minds here.

digital Bowles

I am a 1 person lab. I have been working on a way to track the status of the devices that come in, but do not need a large (expensive) program. I just need our evidence tech and myself to update it and allow investigators to view it. I have an excel sheet I have been playing with, but no one else can view it. With the number of great minds here is there any ideas. Sorry for the long post and if not allowed I will delete. Thanks

Excel spreadsheet for incoming phones. Whiteboard for phones that are unsupported AFU or brute force phones that will be staying for a while.

I've heard of others using excel or Google sheets

digital Bowles

I am a 1 person lab. I have been working on a way to track the status of the devices that come in, but do not need a large (expensive) program. I just need our evidence tech and myself to update it and allow investigators to view it. I have an excel sheet I have been playing with, but no one else can view it. With the number of great minds here is there any ideas. Sorry for the long post and if not allowed I will delete. Thanks

make a private github repo, add your friends, push pull updates xD

2

Hi

2:25 AM

anyone have a velociraptor client deployment tool thats kinda like CB EDR sensors deployer , thinking of working on one

Anyone know what type of device this is?

This was found lying in the woods in our area. I have unfortunately only one picture of it... Tineye and Google Image Search negative

Hans Leißner

Anyone know what type of device this is?

This was found lying in the woods in our area. I have unfortunately only one picture of it... Tineye and Google Image Search negative

are those antennas?

Yeah. 8 of it. (edited)

digital Bowles

I am a 1 person lab. I have been working on a way to track the status of the devices that come in, but do not need a large (expensive) program. I just need our evidence tech and myself to update it and allow investigators to view it. I have an excel sheet I have been playing with, but no one else can view it. With the number of great minds here is there any ideas. Sorry for the long post and if not allowed I will delete. Thanks

i recommend designing one with filemaker (excel on steroids) or using onlyoffice community. oo is like google docs but can be self hosted.

Hans Leißner

Anyone know what type of device this is?

This was found lying in the woods in our area. I have unfortunately only one picture of it... Tineye and Google Image Search negative

Looks almost like a signal jammer?

hallux

Looks almost like a signal jammer?

Anti UAV signal jammer?

2:48 PM

Looks like some water proof Signal jammer which can be equiped with some high power system

2:48 PM

I've seen some look like that sold by Chinese merchants

Deleted User

Anti UAV signal jammer?

I'm not sure exactly what kind but it looks like some sort of signal jammer for sure.

⭐Jigglypuff⭐

Does anyone perform hiring here?

Shoot me a link and I can provide feedback, let me know what type of position you are looking for

Thanks for the answers! I have not yet thought of a jammer. I'll do some more research. Edit: those "display" are actually solar panels. (edited)

Hans Leißner

Thanks for the answers! I have not yet thought of a jammer. I'll do some more research. Edit: those "display" are actually solar panels. (edited)

I say it’s unlikely to be a signal jammer because there are no vents. Jammers generate a lot of heat. The placement and size of the solar panels makes no sense at all. The only logical design implementation here is the spacing of the antennas as to not detune each others frequency. The antennas just seem wrong for TX as well.

2

Deleted User

I say it’s unlikely to be a signal jammer because there are no vents. Jammers generate a lot of heat. The placement and size of the solar panels makes no sense at all. The only logical design implementation here is the spacing of the antennas as to not detune each others frequency. The antennas just seem wrong for TX as well.

Thank you for the input

1

Hans Leißner

Yeah. 8 of it. (edited)

how sure are you that those are antennas? to me the placement looks more like a physical device, like spring loaded legs, to ensure the box is off the ground whichever way it lands, unless they are actual antenna's with that job in mind.

1

This might be a helpful online tool to have in your toolbox: https://redirectdetective.com/ (edited)

1

Would also be a possibility

unfortunately I could not yet see the thing itself. The dimensions are somewhere around 10x10 centimeters (cube). It is only important to us that there is no danger from the thing or that we are not spied on. (edited)

Hans Leißner

Would also be a possibility

unfortunately I could not yet see the thing itself. The dimensions are somewhere around 10x10 centimeters (cube). It is only important to us that there is no danger from the thing or that we are not spied on. (edited)

-DANGER- yeh, lol, i was gonna say looks quite like a Mine but ...

Fortunately not

Apologies, i saw you are from Austria and the mischief in me took over having seen recent news article regarding Train announcements Could it be a device for transmitting a random speech from a certain deceased politician? I'll see myself out

6:10 AM

thank the lord, lol

6:10 AM

interesting though, do ffed back if you get a result.

1

Discord bugs .. my message is sending itself again and again

same here, was just running a line check

1

6:15 AM

at least it's not the internet (edited)

Hans Leißner

Anyone know what type of device this is?

This was found lying in the woods in our area. I have unfortunately only one picture of it... Tineye and Google Image Search negative

Can you go grab it to take it apart? Do you have any other pictures, or great clarity photos?

Hi guys ! Searching for help here. I am working on a case when I'll have to retreive data on 3 corrupted disks mounted in RAID 5. As I don't have the disks right now, I don't know how corrupted they are. I have a Tableau TX1 so i'm gonna image each disk individually. However, I would like to know: what are your advices/ressources for reassembling images and retrieving data ? Thank you in advance

Saucisson Slicer

Hi guys ! Searching for help here. I am working on a case when I'll have to retreive data on 3 corrupted disks mounted in RAID 5. As I don't have the disks right now, I don't know how corrupted they are. I have a Tableau TX1 so i'm gonna image each disk individually. However, I would like to know: what are your advices/ressources for reassembling images and retrieving data ? Thank you in advance

"corrupt" covers a multitude of sins. first run tests to check none are physically damaged. should you get to the stage of having taken images you could have UFSExplorer take a look.

Hans Leißner

Thanks for the answers! I have not yet thought of a jammer. I'll do some more research. Edit: those "display" are actually solar panels. (edited)

This looks similar to some high altitude balloon payloads i've seen

1

9:12 AM

though if that were the case, i wouldn't expect it to be sitting nicely in the forest, it would have had to fall a great distance to get there

9:14 AM

also similar looking to many small cube sats, though those would not be so rugged and the solar panels would likely be larger

@Cellebrite - I used Digital Collector for Windows to update my dongle, it ended crashing and now the 1 TB drive needs to initialized.

1

10:00 AM

Any work around ?

Saucisson Slicer

Hi guys ! Searching for help here. I am working on a case when I'll have to retreive data on 3 corrupted disks mounted in RAID 5. As I don't have the disks right now, I don't know how corrupted they are. I have a Tableau TX1 so i'm gonna image each disk individually. However, I would like to know: what are your advices/ressources for reassembling images and retrieving data ? Thank you in advance

What box did you pull the disks from as some eg Drobo can be a right PITA> As above or newer iterations of R Studio if you have

Hans Leißner

Anyone know what type of device this is?

This was found lying in the woods in our area. I have unfortunately only one picture of it... Tineye and Google Image Search negative

Think it's an audio capture device no? those are legs to keep the mics off the ground? could have parachute down from a weather ballon or some sheet, just a guess, be nice to open it, to see what's inside

I will contact the clerk today to get more details. In the meantime, thank you for your help !

Digitalferret

"corrupt" covers a multitude of sins. first run tests to check none are physically damaged. should you get to the stage of having taken images you could have UFSExplorer take a look.

OK I'll check this ! Thank you !

@Magnet Forensics I’m getting an error when trying to reply to support@magnetforensics.com telling me your inbox is full and can’t accept messages

busted4n6

@Magnet Forensics I’m getting an error when trying to reply to support@magnetforensics.com telling me your inbox is full and can’t accept messages

Thanks for the heads up on the email issue, I’ll let the support team know. Is there anything I can help with?

chriscone_ar

Thanks for the heads up on the email issue, I’ll let the support team know. Is there anything I can help with?

I have an issue getting Thorn to activate on PROCESS Cyber. I’ve resent the email now, will see if it goes through

1

Question: Law enforcement only tools, is there anyway for a non-law enforcement company or person to be able to get access to those legally?

If they are LE only....

5

1

florus

If they are LE only....

understood, i answered my own question. I guess i was thinking along the lines of private investigators getting any access to more software than the public

Hey everyone! I'm currently trying to fill out gaps in my knowledge and was wondering what free or affordable courses (in anything DFIR related) avaliable for an individual to enroll on.

Howlo

Hey everyone! I'm currently trying to fill out gaps in my knowledge and was wondering what free or affordable courses (in anything DFIR related) avaliable for an individual to enroll on.

https://cyber5w.com/ and https://dfirdiva.com/free-and-affordable-training/ have free low cost options

Cyber5W

Digital Forensics Courses and Training

Free and Affordable DFIR/Blue Team Focused Training

Hundreds of free and affordable training resources with a focus on DFIR & Blue Team. Search only the free training or search it all. There is also a free Incident Response training plan starting from complete beginner to IT.

3

Robert_C

understood, i answered my own question. I guess i was thinking along the lines of private investigators getting any access to more software than the public

Many digital forensics tools can be open source. One of my search tools I use; I have entered a search question for you the results of which maybe of interest to you. https://grep.app/search?q=forensic

grep.app | code search

Search across a half million git repos. Search by regular expression.

2

Has anyone come across a CSAM series with "N.E. Inc." as a text logo in the lower right corner of the images?

iNDO_o

Has anyone come across a CSAM series with "N.E. Inc." as a text logo in the lower right corner of the images?

send you a DM

Anyone have example language for compelling biometrics in a search warrant? I've got a pretty serious sexual assault case and while my research backs it being legal (in the US anyway) I can't find a good example of the actual language for the warrant and would love to see what someone else has used as our local judges haven't been presented with it before.

BadgerBacon

Anyone have example language for compelling biometrics in a search warrant? I've got a pretty serious sexual assault case and while my research backs it being legal (in the US anyway) I can't find a good example of the actual language for the warrant and would love to see what someone else has used as our local judges haven't been presented with it before.

DM you

BadgerBacon

Anyone have example language for compelling biometrics in a search warrant? I've got a pretty serious sexual assault case and while my research backs it being legal (in the US anyway) I can't find a good example of the actual language for the warrant and would love to see what someone else has used as our local judges haven't been presented with it before.

Not sure if you already have phone or planning on seizing but biometric unlocks expire after 2 days from last unlock on iphone, 3 days on Android last I checked.

1

2:27 PM

Relevant if you also have prosecutors that take 3 weeks to review a warrant

Solec

Relevant if you also have prosecutors that take 3 weeks to review a warrant

Thanks for the heads up, seized the phones this morning and should be signing warrants tomorrow morning, suspect is still in custody so we should be good, but I actually wasn't aware of this.

2:33 PM

My 3d printing of another suspect's thumbprint is gonna be a problem then as my lab's printer isn't precise enough for what I need and my agency isn't going to fund a resin printer on the theory that it works. Though I suppose I can 3d print my own print and open my own phone with it as a proof of concept that can take as long as needbe,

Is anyone from @MSAB availabe for a DM? (edited)

FullTang

Is anyone from @MSAB availabe for a DM? (edited)

You can DM me.

1

Anyone have experience pulling data from DoorDash? Working a homicide and the suspect DoorDashes. Wondering if it constantly records location data or only when the app is active

Anyone ever work with a Money Counter (Cummins)? Working a Money Laundering case and have multiple money counters. I k now that when they are plugged in, you can print a log if you have an ethernet printer attached.

Poking around my co.puter today I found my browser is "managed by my organization" this is my home computer...there should be no organization. Maybe I'm just a complete idiot but in very confused. Attached is a screen shot of what my policy is....

crystalcity

Poking around my co.puter today I found my browser is "managed by my organization" this is my home computer...there should be no organization. Maybe I'm just a complete idiot but in very confused. Attached is a screen shot of what my policy is....

Go open your Edge Browser and put in edge://extensions/ and see what extensions are added, remove them and see what it says after that.

1

Hey, does anyone have a source that includes at least some info about sandboxes, most known / common ways of "bypassing" the isolation & their patch, much appreciated.

Anyone from @Cellebrite around for a Trevor question?

1

How often do you guys find osint useful being in a "blue team" or just in general being in the side of defence, forensics and everything?

Pizzantelope

Anyone have experience pulling data from DoorDash? Working a homicide and the suspect DoorDashes. Wondering if it constantly records location data or only when the app is active

Only when the app is open (background or otherwise).

So if it's in the background and you're waiting for an order DoorDash is recording that? Is all that info able to be pulled from them?

Robert_C

Question: Law enforcement only tools, is there anyway for a non-law enforcement company or person to be able to get access to those legally?

Yes, join your local law enforcement department

1

3

7:57 PM

See sometimes the answer is right in front of you

Anyone having issues with Cellebrite PA getting stuck at 54% when loading up

Hi everyone, I'm really stuck in configuring a simple elasticsearch + kibana instance using certificates generated from my internal Windows CA.. keeps complaining about keystores, and I have no idea how to get it working.. anyone did something similar in the past?

I know this is likely a difficult question to answer but what is the average number (approximate) of devices a Tech Crimes Examiner gets assigned within a year - how many reports do they generate? In generalities... for the average device that we're seeing in 2022/2023 (iPhone/Android).

rjay4380

I know this is likely a difficult question to answer but what is the average number (approximate) of devices a Tech Crimes Examiner gets assigned within a year - how many reports do they generate? In generalities... for the average device that we're seeing in 2022/2023 (iPhone/Android).

Really depends on the case, type of crime, etc. If it's something like healthcare fraud, then you can easily have 50+ devices, mobile, computer, servers, etc in one case at a single office building, or between multiple pharmacies. If you're working a CSAM case, prob a phone or two, however many external hard drives, computers, etc. I would like to imagine the number would be 3 digits, maybe 4, depending on case volume. I can't imagine it'd be a 2 digit number though. I hope that helps

‍♂️

Andrew Rathbun

Really depends on the case, type of crime, etc. If it's something like healthcare fraud, then you can easily have 50+ devices, mobile, computer, servers, etc in one case at a single office building, or between multiple pharmacies. If you're working a CSAM case, prob a phone or two, however many external hard drives, computers, etc. I would like to imagine the number would be 3 digits, maybe 4, depending on case volume. I can't imagine it'd be a 2 digit number though. I hope that helps

‍♂️

Thank you! Definitely helps quantify it. Would you be able to estimate a rough estimate of average # of devices by an average examiner for a year? Like how many they would run and generate reports on. Again, just generalities as I know there are a lot of variables at play in terms of size, content available, device type, etc.

rjay4380

Thank you! Definitely helps quantify it. Would you be able to estimate a rough estimate of average # of devices by an average examiner for a year? Like how many they would run and generate reports on. Again, just generalities as I know there are a lot of variables at play in terms of size, content available, device type, etc.

I mean, I'd mention every piece of evidence involved in a case in a report. It's just a matter of does the evidence have relevant data on it or not? I'm not going to write a novel on something that has nothing on it, but it'll get mentioned. So I guess it depends on what you mean by "generate reports". If you're talking about portable cases or UFED reports, I guess that differs from examiner to examiner. But does generating those reports mean you did analysis on it? Regardless, if you seize a piece of digital evidence, it'll get mentioned in the report and any relevant findings will be properly enumerated and detailed for every applicable device. Does that make sense? Hard to quantify

rjay4380

Thank you! Definitely helps quantify it. Would you be able to estimate a rough estimate of average # of devices by an average examiner for a year? Like how many they would run and generate reports on. Again, just generalities as I know there are a lot of variables at play in terms of size, content available, device type, etc.

There are too many variables to provide an answer here

10:15 PM

I can pump through thousands of devices a year as long as they're all delivered to the lab, I only have to image and process and dump out an automated report, and have all the equipment (you'll be much slower if you have one cellebrite and 1000 phones etc). If you're just extracting data and sending it off without analysis you'll get through more If you're in consulting you may not have a steady stream of devices or the equipment. You may work in an area that has a lot of competition so you have enough to keep you busy but not enough to overwork your hours. Is a threat hunt across an org of 1000 devices counted as examining 1000 devices or only the ones you spend more than a few hours looking at? Tldr It's hard to quantify this number without guard rails

3

Hi all, I would like to know what is the most responsible role of hunting Hackers in Blue Team in CyberSec?

Deleted User

Hi all, I would like to know what is the most responsible role of hunting Hackers in Blue Team in CyberSec?

Have you asked ChatGPT? This sounds like a homework question...

Andrew Rathbun

Have you asked ChatGPT? This sounds like a homework question...

I did and it's not homework question. I am not even in cybersec uni

6:03 AM

Listening to one opinion isn't a good idea

6:04 AM

So why would I just take chatgpt answers if they're holy words (edited)

Deleted User

Hi all, I would like to know what is the most responsible role of hunting Hackers in Blue Team in CyberSec?

It’s hard to answer that question as there are many moving parts to cybersecurity, but if I had to pick one based on your parameters, I’d say threat hunting. Hunting is in the name

ryd3v

It’s hard to answer that question as there are many moving parts to cybersecurity, but if I had to pick one based on your parameters, I’d say threat hunting. Hunting is in the name

Thanks bro, I appreciate it

You’re very welcome

@Cellebrite has anyone had any memory leak issues with the newest Cellebrite PA release ? On two seprate computers it seems to be freezing our systems, with completed extractions its using 69GB of 128 of memory when its done processing the extraction ?

DCSO

@Cellebrite has anyone had any memory leak issues with the newest Cellebrite PA release ? On two seprate computers it seems to be freezing our systems, with completed extractions its using 69GB of 128 of memory when its done processing the extraction ?

Hi which version are you talking about ?

CLB_4n6s_mc

Hi which version are you talking about ?

7.62

I can't seem to pass the 18% mark when processing ONLY videos from a folder (since the E01 didn't pass 3% for days) and I keep getting this error @Griffeye . Anyone knows how to fix it?

hi, anyone a hint why Cellebrite Reader is so damn slow when showing images with geolocation metadata? (no offline maps installed, no internet connection on workstation, settings in reader are "use ofline maps" and "diable network traffic") @Cellebrite

1

1:43 AM

if i install ofline maps, last time i had to clean registry cause reader wont start anymore so i would like to not install the map services

Anyone have a go to site to check IMEI against blacklisted?

Ghosted

Anyone have a go to site to check IMEI against blacklisted?

off the top of my head swappa.com i think does it or use to for free

Hello, I updated Digital Collector with the windows updater and it occurs an error during the process. After that everything is messed up and can't recreate the partitions. Another one had the same issue ? Someone from @Cellebrite could have an idea ?

1

AnTaL

Hello, I updated Digital Collector with the windows updater and it occurs an error during the process. After that everything is messed up and can't recreate the partitions. Another one had the same issue ? Someone from @Cellebrite could have an idea ?

Make sure you always turn off all your Anti-Virus tools before updating. Cellebrite has a FAQ document on how to fix this in their Knowledge Base.

hello @Elcomsoft you hit the point

https://blog.elcomsoft.com/2023/06/what-forensic-vendors-dont-like-to-tell-their-customers-part-2/

1

99% sure I know the answer, but does @Cellebrite Premium unlock a disabled iPhone?

coastal4n6

99% sure I know the answer, but does @Cellebrite Premium unlock a disabled iPhone?

What IOS

coastal4n6

99% sure I know the answer, but does @Cellebrite Premium unlock a disabled iPhone?

Followup question. Do you just need an extraction or do you actually need it unlocked for some reason. I used Graykey to process two disabled iphones (only BFU because of the iOS version)

I DM’d you

@Neon did you actually get much of use out of a BFU extraction? I ask because as I understand it, BFU only allows access to a limited amount of data from the device (edited)

Neon

Followup question. Do you just need an extraction or do you actually need it unlocked for some reason. I used Graykey to process two disabled iphones (only BFU because of the iOS version)

I'm still not sure the iOS, but it is an iPhone 13. Either option would work, unlocked or just get the data

bizzlyg

@Neon did you actually get much of use out of a BFU extraction? I ask because as I understand it, BFU only allows access to a limited amount of data from the device (edited)

No, it's useful if you need to get an icloud Id or determine the owner of a phone left at a crime scene

1

coastal4n6

I'm still not sure the iOS, but it is an iPhone 13. Either option would work, unlocked or just get the data

Is it AFU

I just emailed client to ask if they've kept the device powered on

Neon

Is it AFU

I don't believe so.

10:08 AM

Further, they stated the device says "Unavailable"

https://twitter.com/M4UR8R/status/1669042443570798600

M4UR8R (@M4UR8R)

Russian Cyber Criminals walking around ex-soviet countries, knowing putin has their back

@coastal4n6 I'll dm

So, I recently purchased a new Talino forensic workstation... POWERHOUSE! Very excited to get to using it. I also purchased two 43" Samsung CU8000 4K TV's as "monitors" (plan on wall mounting them one on top of another). Anyone have any insight on if this is a good idea? Meaning using TV's as opposed to true computer monitors?

Speaking as a nerd and someone who works for SUMURI (enjoy the new TALINO!), it's not bad, per se. But there are a lot of creature comforts you lose when you go to TVs. Like how they power off when left untouched for a long period of time, usually need a remote, and sometimes don't play nice with sleep mode, depending on the TV.

2:26 PM

I am also a monitor nerd

2:27 PM

You can DM me if you have any questions, though!

coastal4n6

So, I recently purchased a new Talino forensic workstation... POWERHOUSE! Very excited to get to using it. I also purchased two 43" Samsung CU8000 4K TV's as "monitors" (plan on wall mounting them one on top of another). Anyone have any insight on if this is a good idea? Meaning using TV's as opposed to true computer monitors?

What are the specs?

Hey, I was pondering this article on my phone...You'll not need to use the URL, it's in the top 10 recent articles on bleeping computer.com. What are people's thoughts on this, and how does it work exactly? Is this a pretty common TTP? https://www.bleepingcomputer.com/news/security/chinese-hackers-use-dns-over-https-for-linux-malware-communication/

Chinese hackers use DNS-over-HTTPS for Linux malware communication

The Chinese threat group 'ChamelGang' infects Linux devices with a previously unknown implant named 'ChamelDoH,' allowing DNS-over-HTTPS communications with attackers' servers.

I'm a little confused. Were they using DOH to query for their command and control hosts? Or using DOH for the communication channel to the hosts? If the second one, then why not just use https.

Anyone know how to mount a raid VPS with 2 disks in FTK?

2:06 AM

Doing my nut

@Cellebrite LearningCenter down?

1

@Magnet Forensics Got an issue with axiom v7.1.0.35864 When exporting windows mail to a csv. The entries are all wrong. Record is a weird collection of <div> entries rather than just a numerical number. Tags are filled with random data when there isn't any tags in the case. If exported to excel file, they appear fine. Just wanted to give a heads up.

masqu3rade_1

What are the specs?

PRODUCT DESCRIPTION • Intel Xeon W5-2465X 3.1 GHz (4.7 GHz Max Turbo) 16-Core LGA 4677 Processor • High End Active Air Cooling for the CPU Providing Maximum Performance • 256GB of DDR5 5600MHz RAM • One (1) 1TB SSD for the Operating System • One (1) 1TB M.2 NVMe SSD for Temporary Files • One (1) 1TB M.2 NVMe SSD for Database(s) • Four (4) 18TB Hard Drives configured in RAID 10 for Evidence • One (1) High End RAID Controller Card with 12 Gb/s Processing • One (1) RTX A4500 with 20GB GDDR6 ECC VRAM Graphics Processing Unit • One (1) 2.5” Hot Swap Bay with Four (4) Removable Trays • One (1) 3.5” Hot Swap Tray with Five (5) Removable Bays • One (1) Blu-Ray 16x BD-R 4MB Cache SATA Blu-Ray Burner • Front Panel Forensic Card Reader • One (1) 4 Port USB 3.0 Hub • One (1) 10 Port USB 2.0 Hub • Tableau T3iu Forensic Bridge • One (1) 1300 Watt Power Supply Unit • High End Whisper Quiet Fans throughout the Entire System (Hydraulic Fluid Ball Bearing rated at 300,000 hour lifespan) • Microsoft Windows 11 Pro 64 Bit • Three (3) Year Standard Warranty • Additional Specifications o Size: 15″W x 19.06″H x 20.06″D (381mm x 484mm x 510mm) o Open 5.25″ Bays = 10 o Fan size(s) = 120mm o PCI Chassis Expansion Slots = 8 o Aluminum Thickness = 0.118″ (or 3.00mm) o Finish = Powder Coated Black with Black Appointments

1

Hi everyone. I'm on the hunt for hardware for a forensic lab. Currently I'm looking for advice on a good read/write blocker. What are your opinions?

5:30 AM

I found one from logicube, which comes with adapters for PCIe etc. That sounded pretty neat, but I've never used it myself.

MrMacca (Allan Mc)

@Magnet Forensics Got an issue with axiom v7.1.0.35864 When exporting windows mail to a csv. The entries are all wrong. Record is a weird collection of <div> entries rather than just a numerical number. Tags are filled with random data when there isn't any tags in the case. If exported to excel file, they appear fine. Just wanted to give a heads up.

Thanks for the heads up! I'll take a look and get it reported to the team.

returnip

Hi everyone. I'm on the hunt for hardware for a forensic lab. Currently I'm looking for advice on a good read/write blocker. What are your opinions?

I use a TX1 and it serves most of my needs. https://security.opentext.com/tableau/hardware/details/tx1

Tableau Details

1

FullTang

I use a TX1 and it serves most of my needs. https://security.opentext.com/tableau/hardware/details/tx1

Do you remember how much it was?

returnip

Do you remember how much it was?

It was free thanks to the NCFI!

1

6:31 AM

No idea how much they normally cost, I have never had to price them out.

Does it require you to use any specific software or does it work with any imaging software?

returnip

Does it require you to use any specific software or does it work with any imaging software?

It’s a standalone solution. One side is write-blocked and the other side is not. It can create forensic images (.E01, dd, “clones”) or securely wipe and verify the wipe with multiple drives at the same time.

Oh. Gotcha. I'm looking for something that will never leave a lab though.

6:37 AM

But thanks for the recommendation. I'll put that on the list of candidates.

returnip

Do you remember how much it was?

~£3000 for a TX1 in UK as a rough guide. About £1500 for a similar that's fixed into a computer.

6:59 AM

Summary: Not cheap (edited)

7:01 AM

Turns out the forensic bridge is slightly cheaper than I recalled. https://avatu.co.uk/collections/forensic-bridges/products/tableau-t356789iu-r2-bridge

T356789iu R2 Universal Forensic Bridge

SUMMARY The Tableau Forensic Universal Bridge is an integrated write-blocker that mounts in a drive bay of a forensic workstation and supports forensic acquisitions of SATA, USB 3.0, PCIe, SAS, FireWire 800, and IDE. A second-generation Tableau product, replacing the Tableau Forensic Combo Bridge [T35689iu]. FEATURES M

Rob

Summary: Not cheap (edited)

That's fine. I'm not paying. But the person paying will want to know.

Hello everyone. I just joined the server and would like to see if anyone in digital forensics and incident response would be willing to chat with me. I would like to know about the work life environment and see if it’s a specialization that would actually be compatible with my life . I will appreciate any feedback. Thank you.

is there a sift equivalent for Windows?? like flarevm Directly running on windows and not using WSL or do I have to install my forensics tools one by one on the system?

avesta

is there a sift equivalent for Windows?? like flarevm Directly running on windows and not using WSL or do I have to install my forensics tools one by one on the system?

Have a look at winfe.net

1

oh thats for acquisition not analysis Still cool though

avesta

is there a sift equivalent for Windows?? like flarevm Directly running on windows and not using WSL or do I have to install my forensics tools one by one on the system?

check out WIN-FOR, it's an installer for pulling down tools https://github.com/digitalsleuth/WIN-FOR

GitHub - digitalsleuth/WIN-FOR: Windows Forensics Environment Builder

Windows Forensics Environment Builder. Contribute to digitalsleuth/WIN-FOR development by creating an account on GitHub.

3

2

1

stark4n6

check out WIN-FOR, it's an installer for pulling down tools https://github.com/digitalsleuth/WIN-FOR

ohhhh thats amazing

10:45 AM

so many options

How do you conduct a physical extraction using Cellebrite UFED 3? Also, how much does Cellebrite Physical Analyzer typically cost?

sstallm2

How do you conduct a physical extraction using Cellebrite UFED 3? Also, how much does Cellebrite Physical Analyzer typically cost?

Send you a DM

Andrew Rathbun

I mean, I'd mention every piece of evidence involved in a case in a report. It's just a matter of does the evidence have relevant data on it or not? I'm not going to write a novel on something that has nothing on it, but it'll get mentioned. So I guess it depends on what you mean by "generate reports". If you're talking about portable cases or UFED reports, I guess that differs from examiner to examiner. But does generating those reports mean you did analysis on it? Regardless, if you seize a piece of digital evidence, it'll get mentioned in the report and any relevant findings will be properly enumerated and detailed for every applicable device. Does that make sense? Hard to quantify

Yes it does. I meant more generating portable cases or UFED reports vs. analysis on the content itself.

stark4n6

check out WIN-FOR, it's an installer for pulling down tools https://github.com/digitalsleuth/WIN-FOR

xleapp family and kape inside … what else ?

1

Hello all, rather simple question I am certain someone here will know, In regards to child abuse we have deciphered multiple emojis but one is remaining.

- The american football? -- Any one have any idea? Its bugging us to be honest haha. Cheers!

hello

5:41 AM

Can anyone suggest me some prefetch forensics tools ?

5:42 AM

I used Rifiuti and Pftriage but nothing is helping

oed1pus

I used Rifiuti and Pftriage but nothing is helping

Try https://github.com/EricZimmerman/PECmd

GitHub - EricZimmerman/PECmd: Prefetch Explorer Command Line

Prefetch Explorer Command Line. Contribute to EricZimmerman/PECmd development by creating an account on GitHub.

3

PECmd all the way. pecmd.exe -d "C:\temp\PrefetchFilesHere" --csv "c:\temp\WhereverYouWantOutputToGo" --mp, simple as that (edited)

7:21 AM

--mp will give you more precise timestamps, if you care, aka subsecond values, but really not necessary, but I just wanted to explain that extra flag

hello folks @Cellebrite ... i registered here with my LE-email days ago, but got no answer... do you have any infos ? thanks (edited)

1

Hello Chris will ask marketing. Have a great week-end

CLB_4n6s_mc

Hello Chris will ask marketing. Have a great week-end

thanks

KAPE is free to use for personal use right? Is there a way to download other than through Kroll's website since it errors for me

Coco

KAPE is free to use for personal use right? Is there a way to download other than through Kroll's website since it errors for me

Yeah it’s free for personal use. Try using incognito browser as it has no cookies and plugins

6:20 AM

If you’re using DNS ad-blocking, try disabling that temporarily too

Coco

KAPE is free to use for personal use right? Is there a way to download other than through Kroll's website since it errors for me

Ad blockers and other privacy extensions will prevent successful submission of the request form. Disable those or use incognito as @Matt stated

Yeah you right, just had to refresh incognito session cause I modified mine so it does run certain things like that

Matt

Yeah it’s free for personal use. Try using incognito browser as it has no cookies and plugins

actually.... just found this now you mention Browsers. https://mullvad.net/en/browser it's the Dog's, mate

6:23 AM

+ https://mullvad.net/en/browser/hard-facts

Guess the next part will be hoping the e-mail comes through .-.

Check junk mail I think mine ended up there

I wish, just didn't get sent I assume

Original message was deleted or could not be loaded.

Because RAM

Original message was deleted or could not be loaded.

Upon a user unlocking a device, they've authenticated themselves and in relation to encryption this authentication will decrypt the user data. When the phone is locked, the user data is still decrypted. If the phone restarts, the user data is encrypted until the user unlocks the phone again. Data you won't get in an AFU iOS extraction is Apple Health, Apple Email and Apple Location. "Backups" of these can be obtained if you have a 3rd party app syncing either. Bruteforcing is exactly the sane regardless of state

12:00 AM

https://cellebrite.com/en/what-can-be-recovered-from-bfu-data-collection/#:~:text=When%20an%20iPhone%20is%20seized,after%20it%20was%20powered%20on

DFIR-Geek

Try https://github.com/EricZimmerman/PECmd

Thank you mannn

Could someone assist me in understanding the process of conducting forensic analysis on a router (access point), modem, and switch? Additionally, I would appreciate guidance on acquiring an image of these devices.

Does anyone know where I can download the NIST Hacking Case? Their page is under maintenance, I don't know if anyone has the disk image saved and can share it, thanks!

Opresor

Does anyone know where I can download the NIST Hacking Case? Their page is under maintenance, I don't know if anyone has the disk image saved and can share it, thanks!

mirror

10:05 AM

https://docs.dissect.tools/en/latest/usage/first-steps/index.html

Digitalferret

mirror

thank you very much!!

Opresor

thank you very much!!

all groovy, best of luck

Could someone assist me in understanding the process of conducting forensic analysis on a router (access point), modem, and switch? Additionally, I would appreciate guidance on acquiring an image of these devices.

oed1pus

Could someone assist me in understanding the process of conducting forensic analysis on a router (access point), modem, and switch? Additionally, I would appreciate guidance on acquiring an image of these devices.

You asked the same question yesterday, that @Digitalferret answered.....

florus

You asked the same question yesterday, that @Digitalferret answered.....

ummm, not sure that was me mate. i answered the Q just after his

1

@florus @Digitalferret answered to @Opresor

1

oed1pus

@florus @Digitalferret answered to @Opresor

best chance might be Youtube, mate. try https://www.youtube.com/watch?v=yOgQGdoFawU and then go outwards from there?

4:12 AM

there's a router one by another, but for some reason his video is rotated by 90degrees which makes reading awkward

4:17 AM

Digitalferret

best chance might be Youtube, mate. try https://www.youtube.com/watch?v=yOgQGdoFawU and then go outwards from there?

haha. Thanks man. I will watch them.

@ICAC So i am reaching out for some help. i found a file that was a zip that was inside another file with potential for a descriptive file name, albeit a single word, and inside of that zip was another zip file named 579_video_files.zip and a password.html file. The password html points to a website to buy a subscription to emload for a specific "access_password.pdf" file. has anyone come across this before/have a password? if not anyone have luck getting a password from such sources.

kmacdonald1565

@ICAC So i am reaching out for some help. i found a file that was a zip that was inside another file with potential for a descriptive file name, albeit a single word, and inside of that zip was another zip file named 579_video_files.zip and a password.html file. The password html points to a website to buy a subscription to emload for a specific "access_password.pdf" file. has anyone come across this before/have a password? if not anyone have luck getting a password from such sources.

I haven't heard of that before, but you might get lucky if they downloaded the access_password.pdf as the password might be in unallocated or slack space even if they deleted it. Have you tried building a wordlist from the suspect system(s) with Bulk Extractor to attack the hash of the ZIP?

1

FullTang

I haven't heard of that before, but you might get lucky if they downloaded the access_password.pdf as the password might be in unallocated or slack space even if they deleted it. Have you tried building a wordlist from the suspect system(s) with Bulk Extractor to attack the hash of the ZIP?

This is how I would handle it to. Use zip2john and attack the password with the word list built from a ram capture (bulk extractor)

1

kmacdonald1565

@ICAC So i am reaching out for some help. i found a file that was a zip that was inside another file with potential for a descriptive file name, albeit a single word, and inside of that zip was another zip file named 579_video_files.zip and a password.html file. The password html points to a website to buy a subscription to emload for a specific "access_password.pdf" file. has anyone come across this before/have a password? if not anyone have luck getting a password from such sources.

generically, similar mnidset for Fulltang. if you have a disk there, do a full data recovery including deleted, and carving files by header and footer. if the suspect opened and read the file, there may be a possibility it was stored as a temp file and that remains even if the original was deleted (which also may be available as a full file) (edited)

2

kmacdonald1565

@ICAC So i am reaching out for some help. i found a file that was a zip that was inside another file with potential for a descriptive file name, albeit a single word, and inside of that zip was another zip file named 579_video_files.zip and a password.html file. The password html points to a website to buy a subscription to emload for a specific "access_password.pdf" file. has anyone come across this before/have a password? if not anyone have luck getting a password from such sources.

Naming convention is somewhat similar to a torrent I have flagged before but not familiar - just did a DHT search and got nothing. Heads up that there are prior Google queries on how to open what looks like this “579” file.

Unfortunately no disk, no exam. This is on a locked newer iPhone. No known pass code but we have some ideas. it is currently unlocked and no screen time out so we were browsing it

kmacdonald1565

Unfortunately no disk, no exam. This is on a locked newer iPhone. No known pass code but we have some ideas. it is currently unlocked and no screen time out so we were browsing it

You could try generating a wordlist with Axiom WLG.

kmacdonald1565

Unfortunately no disk, no exam. This is on a locked newer iPhone. No known pass code but we have some ideas. it is currently unlocked and no screen time out so we were browsing it

as per Howards note on google searches, might it be that like other's the suspect has downloaded but not actually bought in? (edited)

Digitalferret

as per Howards note on google searches, might it be that like other's the suspect has downloaded but not actually bought in? (edited)

its possible...but our other evidence is a password protected macbook air, i think it was a A1932. case involved a lot of torrent stuff so anything chargable is what we are looking for at this point.

1

roger that. sounds like you need more than a single non-ambiguous document title. no other side ways in like torrent names? the only other way i can think of is doing the search for internet mentions of '579_video_files' and procure a list of pointers. I'd expect there'd be a consistent theme to where that resource is advertised, and it won't be cookery video sites

kmacdonald1565

its possible...but our other evidence is a password protected macbook air, i think it was a A1932. case involved a lot of torrent stuff so anything chargable is what we are looking for at this point.

Any chance the suspect was into ethical hacking? If so I have a long shot.

yeah, I didnt find too much. Thats the weird thing about all of this. There are 579 files in the zip all avi files. The contained one is a solid indicator word, but not one of the top ones that you look for...for obvious reasons i dont want to list it here.

Deleted User

Any chance the suspect was into ethical hacking? If so I have a long shot.

eh maybe

kmacdonald1565

eh maybe

My longshot was contingent on filename but since there are actively 576 files it’s null and void. The collection format, naming convention and use of .avi. If it quacks. I have something I can try and will DM you if I get a result. Ran that filename and variations through several more DHT services and got nothing again.

Hello everyone, i have a file with HIF file extension, extracted from airport scanner, how can I read and view images on windows 10?

My latest article got some decent attention on LinkedIn and I thought it might be of interest here: https://medium.com/forensic-horizons/a-jurors-perspective-of-digital-evidence-65eff2b1b574 Of note: this was a fairly straightforward trial with fairly straightforward evidence, and still, jurors had questions that prosecutors couldn't answer. Really happy for the unexpected opportunity to write about this side of jury trials.

A Juror’s Perspective of Digital Evidence

How do jurors really weigh digital evidence? Previously, I wrote about how complicated it can be to present digital evidence to…

Case concerning Cellebrite. It's about recovery of data not available at the original time but later when updates had been issued. See paras marked in yellow. Here is link to posted Court ruling https://www.bailii.org/ie/cases/IECA/2023/2023IECA148.html (edited)

Cellebrite_2023IECA148.pdf

230.04 KB

1

Does anyone have the number for the fusion center in Houston? Trying to get some info about a crew out there

Pizzantelope

Does anyone have the number for the fusion center in Houston? Trying to get some info about a crew out there

713-884-4710 is what’s listed from DHS

Is there anyone in law enforcement here in the USA working for NSA?

9:16 PM

If so how long is the hiring process?

kmacdonald1565

yeah, I didnt find too much. Thats the weird thing about all of this. There are 579 files in the zip all avi files. The contained one is a solid indicator word, but not one of the top ones that you look for...for obvious reasons i dont want to list it here.

Found a lead for you. Sent DM.

1

heyho @Cellebrite just tested new beta PA 8.5.100... have to say, works really fine, thanks

2

1

chrisforensic

heyho @Cellebrite just tested new beta PA 8.5.100... have to say, works really fine, thanks

Thank you Chris this is really important for us.

Does anyone have any recommendations for a trio cable to be used just to charge devices in a box whilst they are being bruteforced or AFU awaiting extraction? Looking for USBC,Micro and Lightning. (edited)

@Rob#0#0#0 better off getting a USB power hub (5-10 ports) with an Anker Powerline 2, a 3 in 1 cable. (edited)

1

Forensic@tor

@Rob#0#0#0 better off getting a USB power hub (5-10 ports) with an Anker Powerline 2, a 3 in 1 cable. (edited)

Will look into that cable thanks!

We have a new YouTube series that started yesterday. Briggs was my first guest. Check it out - only 19 mins of your time. https://www.youtube.com/live/JYUPc-1nWe0?feature=share Subscribe for future ones. Will run the third Tues of every month. If you want to be a guest or recommend a guest, let me know.

Cellebrite

The Dig For - Guest Alexis Brignoni

1

2

1

heatherDFIR

We have a new YouTube series that started yesterday. Briggs was my first guest. Check it out - only 19 mins of your time. https://www.youtube.com/live/JYUPc-1nWe0?feature=share Subscribe for future ones. Will run the third Tues of every month. If you want to be a guest or recommend a guest, let me know.

Thanks Heather, very informative

1

Deleted User

My longshot was contingent on filename but since there are actively 576 files it’s null and void. The collection format, naming convention and use of .avi. If it quacks. I have something I can try and will DM you if I get a result. Ran that filename and variations through several more DHT services and got nothing again.

I actually have a zip with that same name in an old case I have. Never succeeded in cracking it though. I'd like to be included on any leads you have on this. (edited)

b8vr

I actually have a zip with that same name in an old case I have. Never succeeded in cracking it though. I'd like to be included on any leads you have on this. (edited)

Will DM you shortly

1

Not sure the best channel for this question, so I'm posting it hear in general to be safe/hope that ok. I need to piece/match EML files extracted from a PST to a list if message-ID for my boss. (I have over 1000 message-id) Is there a tool to help do this or is writing a type of scraping script to scrape all the message-id from the EML files and matching back myself my best option?

Seraphina1698

Not sure the best channel for this question, so I'm posting it hear in general to be safe/hope that ok. I need to piece/match EML files extracted from a PST to a list if message-ID for my boss. (I have over 1000 message-id) Is there a tool to help do this or is writing a type of scraping script to scrape all the message-id from the EML files and matching back myself my best option?

I'm not sure of one, but if you come across one I will likely need it in the future as well for selectively carving messages that match unauthorized access logs. I have so far assumed when the time came i'd be doing something in python (edited)

OK, yeah I'm working on a python script to try and do what I want because I haven't found a tool yet myself either.

Seraphina1698

OK, yeah I'm working on a python script to try and do what I want because I haven't found a tool yet myself either.

Haven’t used it but looks like it will dump eml to csv file.

11:22 AM

https://github.com/lovasoa/eml2csv

GitHub - lovasoa/eml2csv: Convert a collection of eml files to CSV

Convert a collection of eml files to CSV. Contribute to lovasoa/eml2csv development by creating an account on GitHub.

Seraphina1698

Not sure the best channel for this question, so I'm posting it hear in general to be safe/hope that ok. I need to piece/match EML files extracted from a PST to a list if message-ID for my boss. (I have over 1000 message-id) Is there a tool to help do this or is writing a type of scraping script to scrape all the message-id from the EML files and matching back myself my best option?

Metaspike should help you do this but it needs to be purchased

it can likely be done with grep, something like grep -RLif list_of_messageids.txt *.eml | parallel "cp {} matched" to copy matched files to a folder named matched (edited)

11:43 AM

but my worry would be with the forced character width structure eml files use truncating the message id between lines (edited)

tklane

Metaspike should help you do this but it needs to be purchased

Yes. FEI will extract the message IDs and can be exported

Currently working a CSAM case, which is not my common case type. There are hundreds of CSAM images and videos on the device. I'm using Magnet Axiom and am aware of the ability to import a .csv with known CSAM hash values. Where do I obtain the most comprehensive hash value set. (edited)

Leonidas

Currently working a CSAM case, which is not my common case type. There are hundreds of CSAM images and videos on the device. I'm using Magnet Axiom and am aware of the ability to import a .csv with known CSAM hash values. Where do I obtain the most comprehensive hash value set. (edited)

What are you trying to do? Update a hash set for other investigators, use a hash set to identify additional CSAM, or provide the hash values as evidence that can be discovered?

FullTang

What are you trying to do? Update a hash set for other investigators, use a hash set to identify additional CSAM, or provide the hash values as evidence that can be discovered?

Use a hash set to identify known CSAM

Leonidas

Use a hash set to identify known CSAM

Have you tried using Thorn? Its new to Axiom Examine and should be free to LE.

12:50 PM

My understanding is it uses AI to identify CSAM instead of hashes.

FullTang

Have you tried using Thorn? Its new to Axiom Examine and should be free to LE.

I haven't.

Leonidas

I haven't.

I would give that a shot. You can also use the hashset from @Project VIC

FullTang

I would give that a shot. You can also use the hashset from @Project VIC

I'm reading Magnet's website about Thorn now, thank you for the pointers. I am assuming it's a built in feature of the Magnet.Ai categorization. I'll check into @Project VIC as well.

1

Leonidas

I'm reading Magnet's website about Thorn now, thank you for the pointers. I am assuming it's a built in feature of the Magnet.Ai categorization. I'll check into @Project VIC as well.

You have to sign up for Thorn and it can take a few days to get your key, but it should be free.

FullTang

You have to sign up for Thorn and it can take a few days to get your key, but it should be free.

Thank you! I'll call Magnet and see about getting access. Magnet's customer portal indicates it's integrated in the latest version of Axiom. I'm just not sure how to utilize it.

Leonidas

Thank you! I'll call Magnet and see about getting access. Magnet's customer portal indicates it's integrated in the latest version of Axiom. I'm just not sure how to utilize it.

I am pretty sure I signed up using the link when starting a new Axiom ~~Examine~~ Process case. (edited)

12:58 PM

Or... Its somewhere in the settings...

FullTang

Or... Its somewhere in the settings...

You are correct! Found it! Thank you!

1

FullTang

Or... Its somewhere in the settings...

Application submitted. Thanks again, Fulltang!

1

Is there a server/channel where DF freelancers can connect/refer/cooperate on jobs? Example, right now I can use someone qualified & willing to potentially testify in federal court re imaging a laptop in the region of Newark NJ (Victim laptop to be handled over to FBI office by an associate in NJ upon completion) (edited)

I love when subjects google anti-forensic tactics and then...don't delete their search history

8

2

1

DFE Travis

I love when subjects google anti-forensic tactics and then...don't delete their search history

this happened recently....and from previous cases, googling information about "how much prison time for x crime" or "is prison bad?"

Man, you can't make this stuff up

6:32 AM

To drive home his usage, even without chat logs, I'mma sum up the App Usage for the time range he was suspected of sending the messeges

DFE Travis

I love when subjects google anti-forensic tactics and then...don't delete their search history

mine cleared the history to ""cover his tracks"" then days later went to googling the same methods

5

1

Don Cav

Is there a server/channel where DF freelancers can connect/refer/cooperate on jobs? Example, right now I can use someone qualified & willing to potentially testify in federal court re imaging a laptop in the region of Newark NJ (Victim laptop to be handled over to FBI office by an associate in NJ upon completion) (edited)

We don’t have a channel dedicated to that here and I’m not sure of any other servers that do that. I know in IACIS listerv there are requests that go out similar to yours on a frequent basis.

DFE Travis

I love when subjects google anti-forensic tactics and then...don't delete their search history

At least they made an informed decision. On an armed robbery case, suspect googled about armed robbery time 3 days prior to the crime.

3

I have some Mac Time Machine backups that are saved as a sparse disk image bundle. I could not open the image in EnCase or process it with AXIOM. This bundle contains about 100 backups. Does anyone know how I could get at this data and ideally process it with Magnet AXIOM?

Jobbins

We don’t have a channel dedicated to that here and I’m not sure of any other servers that do that. I know in IACIS listerv there are requests that go out similar to yours on a frequent basis.

Thx for the lead on that, looks like I might have to re-join IACIS

Any @Law Enforcement [UK] who use CAS able to drop me a DM please?

1

Speaking of IACIS, is HTCIA still legit? How many folks here are members?

Hi guys I was wondering if anyone took the Data Science Exam for NSA

3:03 PM

If so is it hard? I was looking at the topics and they looked scary

conf1ck3r

Speaking of IACIS, is HTCIA still legit? How many folks here are members?

I’m a member for the Northern CA Chapter. I feel that the chapter here is making progress in generating new interest in the org.

Anyone in USA know of a GSA contractual vendor that is selling Tableau TX1? We were awarded a JAG grant but due to purchasing policy it must be done via GSA or I've got to obtain three quotes from different vendors.

Don Cav

Is there a server/channel where DF freelancers can connect/refer/cooperate on jobs? Example, right now I can use someone qualified & willing to potentially testify in federal court re imaging a laptop in the region of Newark NJ (Victim laptop to be handled over to FBI office by an associate in NJ upon completion) (edited)

HTCIA has a listserv that may facilitate those connections, as well. It started up again last year. (edited)

Leonidas

Anyone in USA know of a GSA contractual vendor that is selling Tableau TX1? We were awarded a JAG grant but due to purchasing policy it must be done via GSA or I've got to obtain three quotes from different vendors.

GSA Advantage is the best place to start, here are some search results for you: https://www.gsaadvantage.gov/advantage/ws/search/advantage_search?q=0:8Mediatech%20tableau&db=0&searchType=0

Don Cav

GSA Advantage is the best place to start, here are some search results for you: https://www.gsaadvantage.gov/advantage/ws/search/advantage_search?q=0:8Mediatech%20tableau&db=0&searchType=0

Nice! Thank you! Bookmarked!

conf1ck3r

Speaking of IACIS, is HTCIA still legit? How many folks here are members?

Your username is triggering me

1

Don Cav

Your username is triggering me

Is this better? troll

(edited)

Wasn’t a first responder on emotet, so we’re good now (plus, makes me think of Brenden Fraser, and how can that be triggering?)

2

1

glennard

At least they made an informed decision. On an armed robbery case, suspect googled about armed robbery time 3 days prior to the crime.

That's what detectives call a clue

Andrew Rathbun

That's what detectives call a clue

lol, gift more like. so much return for so little effort. whatsitcalled - "low hanging fruit" . In the words of the ~~immortal prophet~~ Goggins: "Merry Christmas M....r "

4:25 AM

i'd so do that, lol. soon as we get a hit, boom "Merry Christmas....M.." right across the office

We've LIVE! for528.com/summit23

2

Anyone have a good contact with Law Enforcement Liaison for T-Mobile? We have a few phones which were purchased as a result of fraud. Our victim has been made whole, but we now have two iPhone 14's with no owner. They were purchased from some T-Mobile store in the country but we have no way of finding out which one. IMEI"s are blacklisted as stolen or missing.

Ghosted

Anyone have a good contact with Law Enforcement Liaison for T-Mobile? We have a few phones which were purchased as a result of fraud. Our victim has been made whole, but we now have two iPhone 14's with no owner. They were purchased from some T-Mobile store in the country but we have no way of finding out which one. IMEI"s are blacklisted as stolen or missing.

Have you tried Search.org?

@Andrew Rathbun Well I use it all the time and for some unknown reason I did not think about it for this. Haha Thanks Rathbun.

1

Hello ! Anyone @Cellebrite can help me about a folder in Cellebrite Mobile Synchronization \Iman folder ? My question is can I delete some temp files inside ? I had around 140 Go of data on it and take some place in my C:\ folder. Also can I change this folder for a new one to free some space ? thanks

1

Hello

I’m requesting permission to share a survey form I’ve created for my PhD research work. It is a small form, well only take about 5 minutes to complete. Please advise if I can share the form? It’ll be incredibly helpful for my research work.

1

Andrew Rathbun

FYI, anyone can post surveys for grad research, vendors, etc, just run it by one of us to make sure we get it in the right channel so we avoid spam. Equal opportunity for all and every

@custard post away

1

Is anyone able to provide cryptocurrency investigation policy or freeze/seize policy related to crypto?

Attention all! Seeking your valuable insights! Hi everyone! I'm currently running a short survey on increasing digital evidence and the challenges around collecting and storing it. It'll only take 5 minutes, tops, to complete, and your input would be greatly appreciated. Here's the survey link: https://tinyurl.com/dfphdsurvey Please share your experiences and thoughts to help shed light on this important topic! Let's work together to address these challenges. Spread the word and encourage others to participate too! The more responses we gather, the better. Thank you in advance for your time and valuable input!

Hi everyone- probably a dumb question - we use 'hot swap' hard drives on a forensic PC with normal HDD's in the hot swap enclosure. Do SSD's make extractions (i.e. Cellebrite) go faster than extracting onto a normal HDD?

E. Paul

Hi everyone- probably a dumb question - we use 'hot swap' hard drives on a forensic PC with normal HDD's in the hot swap enclosure. Do SSD's make extractions (i.e. Cellebrite) go faster than extracting onto a normal HDD?

Yes. SSDs would make it faster. Mainly cuz there are no moving parts in SSDs. You should see considerable speed jump.

1

Had anyone done any work with AI since it’s growing from coding or understanding it in the background

E. Paul

Hi everyone- probably a dumb question - we use 'hot swap' hard drives on a forensic PC with normal HDD's in the hot swap enclosure. Do SSD's make extractions (i.e. Cellebrite) go faster than extracting onto a normal HDD?

In general operations SSD's are faster read/write than HDD's for instance you'll boot up far quicker as you'll likely know, but in practical terms, imaging etc, surely that would depend on the weakest/slowest link or bottleneck? <source> - - <cables/bus> - - <destination> ? (edited)

2

Ahmedl21

Had anyone done any work with AI since it’s growing from coding or understanding it in the background

Have done some rudimentary work. Used CNNs for face recognition and weapon detection Wrote the script in python with fastai library. Fine tuned existing resent network

A NAS i use once a year to store tax returns just used 200 gigabytes of traffic

9:15 AM

I went downstairs and pulled the ethernet cable out but didn’t turn it off

custard

Have done some rudimentary work. Used CNNs for face recognition and weapon detection Wrote the script in python with fastai library. Fine tuned existing resent network

Got any tips or a good starting places I been trying to learn and understand AI

Ahmedl21

Got any tips or a good starting places I been trying to learn and understand AI

thats a pretty wide set of goalposts. where have you tried already and broad or narrow focus?

Hello @MSAB @Cellebrite, In my work, I got two Radeon RX580 ARMOR 8G OC Could it be useful to add theses two graphics cards in my computer for increase the performance ? Thanks for advance

Herodote

Hello @MSAB @Cellebrite, In my work, I got two Radeon RX580 ARMOR 8G OC Could it be useful to add theses two graphics cards in my computer for increase the performance ? Thanks for advance

I'm afraid that the only graphics card that XRY can benefit from is NVIDIA cards, which can be used to enhance the performace of Image recognition.

1

@MSAB_Sofia thanks for the fast answer

. So you mean that adding a new card (NVIDIA Cards) is pertinent only for enhancing the image recognition (for MSAB)

Herodote

@MSAB_Sofia thanks for the fast answer

. So you mean that adding a new card (NVIDIA Cards) is pertinent only for enhancing the image recognition (for MSAB)

Yes, it is only image recognition that can use graphics card to enhance performance in decoding. All other modules are run using the CPU.

1

Thanks !!

Galt1

Is anyone able to provide cryptocurrency investigation policy or freeze/seize policy related to crypto?

Search #policies-and-procedures or #darknet-virtual-currencies I think it may have been talked about in there. I believe @NW3C has a template on there site as well.

Jobbins

Search #policies-and-procedures or #darknet-virtual-currencies I think it may have been talked about in there. I believe @NW3C has a template on there site as well.

nw3c is a great resource for free classes for those in leo positions

hi all- having issues with an m.2 ssd w/ linux installed. Our windows based forensic PC simply does not detect it. Ive tried an array of adapters and cables- no dice. I have an m.2 with windows that was imaged no problem with this same adapter. The linux m.2 doesnt show up in file explorer; and doesnt show up in axiom or autopsy. Using a tableau (sp?) ultrabay 4 write blocker, pcie port

E. Paul

hi all- having issues with an m.2 ssd w/ linux installed. Our windows based forensic PC simply does not detect it. Ive tried an array of adapters and cables- no dice. I have an m.2 with windows that was imaged no problem with this same adapter. The linux m.2 doesnt show up in file explorer; and doesnt show up in axiom or autopsy. Using a tableau (sp?) ultrabay 4 write blocker, pcie port

it sounds like it's in an unsupported format (like EXT4, for ex). by default, windows can't read (let alone mount) those file systems. that's incredibly odd though that axiom/autopsy can't see it. 100% confirmed that the drive hasn't been tampered with / wiped? you might have to do some manual legwork of A) verifying if the drive is observed at that port but not able to read/mount and B) if the file table is intact within the drive itself once found

8:30 AM

mountvol on windows should do the trick to list all volumes by their GUID

8:31 AM

or, hopefully, disk management

Is it nvme? Maybe only sata support?

Thanks for the advice. Im positive it was wasnt wiped or tampered with, just simply isnt recognized when plugged in. Tried axiom, autopsy, ftk, no luck

@Magnet Forensics or anyone else - performing picture categorization never completes - it hangs at random intervals. Any ideas on how to fix this issue?

E. Paul

hi all- having issues with an m.2 ssd w/ linux installed. Our windows based forensic PC simply does not detect it. Ive tried an array of adapters and cables- no dice. I have an m.2 with windows that was imaged no problem with this same adapter. The linux m.2 doesnt show up in file explorer; and doesnt show up in axiom or autopsy. Using a tableau (sp?) ultrabay 4 write blocker, pcie port

I have had the same issue. I was using an m.2 SSD to USB adapter. That particular adapter worked on other m2, it was because one was sata the other was

1

E. Paul

Thanks for the advice. Im positive it was wasnt wiped or tampered with, just simply isnt recognized when plugged in. Tried axiom, autopsy, ftk, no luck

i'd check disk management - see if it's listed as a storage location but doesn't have a drive letter assigned

1

Hello.. so Im in 4th yr of my college and I am planning on doing masters in 2026. I will be opting for digital forensics. I have mostly worked on data science projects in the past 3 years of my college and not many consider this smart but I just feel this is something I would like better. I have done cybersecurity and networking as a part of my course but I really want to dive deeper into this field. So.. how do i start? Also, I would like the courses to be slightly more challenging. For instance, the assignment questions on cs50 were more challenging(for someone who is new to coding) than other free courses. Any kind of help would greatly be appreciated, thank you.

Welcome! DF is quite a big field, do you know which parts you'd be more interested in? Mobile forensics? Desktop forensics? Network forensics? Memory forensics?

network forensics and memory forensics

Currently getting my new work laptop up and running. What is the most secure browser these days that’s recommended? Brave? Arc? Chrome? Also looking for password management suggestions. (edited)

hallux

Currently getting my new work laptop up and running. What is the most secure browser these days that’s recommended? Brave? Arc? Chrome? Also looking for password management suggestions. (edited)

I use Bitwarden with 2 factor, and complex generated passwords. I use to use lasspass until they started to charge for mobile or computer use. I can't image not using password management today with all the websites to log into.

3

Awesome. I downloaded Bitwarden now! Any browser recommendations?

Personally, I switched from Chrome to Edge and I'm happy.

Edge with vertical tabs has been awesome. 1Password has been awesome for me. Works awesome on Chrome, Firefox, and Edge

hallux

Awesome. I downloaded Bitwarden now! Any browser recommendations?

Firefox with add on’s uBlock origin + Adblock Plus and then lock the browser down to keep track of no data, so essentially perpetually in “privacy” mode. Throw in a 3rd party DNS service like OpenDNS or something similar to lock it down even more.

hallux

Currently getting my new work laptop up and running. What is the most secure browser these days that’s recommended? Brave? Arc? Chrome? Also looking for password management suggestions. (edited)

Mullvad browser and a Keepass variant

I’m a Apple user so this windows stuff is all wonky. I just had Bitwarden offer for remember a login but the buttons didn’t work to do so lol

hallux

Currently getting my new work laptop up and running. What is the most secure browser these days that’s recommended? Brave? Arc? Chrome? Also looking for password management suggestions. (edited)

Personally recommend KeepassXC for password manager. Uses local db files. Can be set up to be used with yubikey as well.

Thanks for the suggestions, landed on using Bitwarden and Edge for now and I'll see how that goes.

7:01 PM

I downloaded Maltego to play around with and see if I can use it instead of something like Datawalk as it seems to be highly recommended. I found some videos on the Maltego YouTube and it shows to be using a transform called namechkhowever no matter how I try to find that transform, I cannot... many others have complained in the comments of the same. Am I missing something? Additionally, another YouTube video I found running version CE 4.3.1 has many many more entities then I have. Is this a setting issue or did I do something incorrect during install?

carook

I downloaded Maltego to play around with and see if I can use it instead of something like Datawalk as it seems to be highly recommended. I found some videos on the Maltego YouTube and it shows to be using a transform called namechkhowever no matter how I try to find that transform, I cannot... many others have complained in the comments of the same. Am I missing something? Additionally, another YouTube video I found running version CE 4.3.1 has many many more entities then I have. Is this a setting issue or did I do something incorrect during install?

Did you install the Standard Transforms? https://www.quantusintel.group/standard-transforms-maltego/

Standard Transforms – Maltego

Ahmedl21

Got any tips or a good starting places I been trying to learn and understand AI

fast.ai has a very comprehensive course Includes CV and NLP and more

Hi I've been looking into a new laptop. My requiements are pretty high since I want to do stuff with AI and multithreadded programming. I came across the Talino laptops as a possible choice. Since they are for forensics, I figured I'd pose some questions here. Are the Talinos worth $2500 (after tax)? Is the battery life decent (> 6hrs) Are the screens bright enough to be seen outside? How heavy are they? Are they loud? What is their compatibility with aftermarket upgrades? How long do they typically last in the long term?

tapatiosec

Hi I've been looking into a new laptop. My requiements are pretty high since I want to do stuff with AI and multithreadded programming. I came across the Talino laptops as a possible choice. Since they are for forensics, I figured I'd pose some questions here. Are the Talinos worth $2500 (after tax)? Is the battery life decent (> 6hrs) Are the screens bright enough to be seen outside? How heavy are they? Are they loud? What is their compatibility with aftermarket upgrades? How long do they typically last in the long term?

i wouldn't recommend talinos as a daily driver machine tbh, they're absolutely workhorses. worth the money? yes if you're going to be using the most of their hardware. battery life is subpar imo, we keep ours plugged in 24/7. screens are bright, nothing special. loud + heavy, absolutely. not sure about compatibility but they can be opened up like any other laptop. long term, we have yet to kill one and run them constantly for investigations (i think our oldest is about 5~ years)

1

is a laptop absolutely mandatory? Going to be compromises with anything portable

Hey I have a home router that I want to do a forensic copy of it. Does anyone have an idea how to do this? Thanks

what do you mean make a forensic copy of? Are you just wanting to download router logs?

whee30

is a laptop absolutely mandatory? Going to be compromises with anything portable

Yes. I want to upgrade my current laptop which can't handle any operating system when it comes to battery. I get around two hours of battery life on both Windows 10/11 and linux. I need a computer that can also take with me to work on the field when I go for testing my ML algorithms for up to three hours a day off battery.

2:45 PM

Also, when I go back to campus, I need to be able to use it outside in the quad under direct sunlight.

E. Paul

Thanks for the advice. Im positive it was wasnt wiped or tampered with, just simply isnt recognized when plugged in. Tried axiom, autopsy, ftk, no luck

Use a Linux forensics workstation

hallux

Currently getting my new work laptop up and running. What is the most secure browser these days that’s recommended? Brave? Arc? Chrome? Also looking for password management suggestions. (edited)

I use Enpass for pw manager, Firefox developer editition as main browser.

tapatiosec

Hi I've been looking into a new laptop. My requiements are pretty high since I want to do stuff with AI and multithreadded programming. I came across the Talino laptops as a possible choice. Since they are for forensics, I figured I'd pose some questions here. Are the Talinos worth $2500 (after tax)? Is the battery life decent (> 6hrs) Are the screens bright enough to be seen outside? How heavy are they? Are they loud? What is their compatibility with aftermarket upgrades? How long do they typically last in the long term?

I’d go for a Thinkpad. Find one on sale in your budget. Will last forever.

ryd3v

I’d go for a Thinkpad. Find one on sale in your budget. Will last forever.

This Thinkpad is one recommended to me. https://www.lenovo.com/us/en/p/laptops/thinkpad/thinkpadp/thinkpad-p15v-gen-2-(15-inch-intel)/21a9s08n00

ThinkPad P15v Gen 2 Intel (15") Mobile Workstation

ww-single-model-think-workstations-thinkpadp-default

8:37 PM

It looks nice specs and cool overall laptop for a nice price.

Yes that’s nice. But I prefer the AMD version, I have one with AMD 7 Pro and it’s really fast and good battery life and better graphics than intel

These are definitely not $Microsoft but more liked hacked versions; just in case they come up during an examination. https://www.minitool.com/news/windows-11-x-lite.html https://ko-fi.com/windowsxlite

How to Download Windows 11 X-Lite and Install It on Low-End PCs

This post shows you how to download Windows 11 X-Lite and install this lite edition on your PC to experience Windows 11 although the PC is low-end.

Buy Windows X-Lite a Coffee. ko-fi.com/windowsxlite

Become a supporter of Windows X-Lite today! ❤️ Ko-fi lets you support the creators you love with no fees on donations.

If a machine's powered on and all efforts to image an m.2 drive have failed (it's simply not recognized by any forensic software or windows itself using various adapters) - just how bad is it to do a live acquisition of the SSD via FTK? I've never done this and know it's most def not 'best practice,' but in a pinch? Thoughts?

4:30 AM

By live acquisition I mean launching FTK right from the target laptop via USB and generating the e01 on an external, also plugged into the target

E. Paul

If a machine's powered on and all efforts to image an m.2 drive have failed (it's simply not recognized by any forensic software or windows itself using various adapters) - just how bad is it to do a live acquisition of the SSD via FTK? I've never done this and know it's most def not 'best practice,' but in a pinch? Thoughts?

Just write down what you did and why, thats the best what you can do. Its up to the court, if its accepted or not.

1

E. Paul

If a machine's powered on and all efforts to image an m.2 drive have failed (it's simply not recognized by any forensic software or windows itself using various adapters) - just how bad is it to do a live acquisition of the SSD via FTK? I've never done this and know it's most def not 'best practice,' but in a pinch? Thoughts?

I have had success with cheap Amazon SSD to USB adapters recognizing an M.2 SSD when none of my fancy tools would recognize it. You might also try booting the laptop into Kali Linux on a USB and see if it recognizes the SSD, I have also had success with that OS on an installed SSD when Paladin failed me.

1

4:39 AM

But I have also done a live acquisition like you are talking about. I have a 32bit portable CLI version of FTK Imager that has a minimal footprint and will run on anything for when all else fails.

FullTang

I have had success with cheap Amazon SSD to USB adapters recognizing an M.2 SSD when none of my fancy tools would recognize it. You might also try booting the laptop into Kali Linux on a USB and see if it recognizes the SSD, I have also had success with that OS on an installed SSD when Paladin failed me.

Any recommendations on Amazon? Preferably a universal m.2 to usb

E. Paul

Any recommendations on Amazon? Preferably a universal m.2 to usb

There are SATA M.2s and NVME M.2s as M.2 is just a form factor. Here the the SATA one I have used with success: M.2 SATA SSD to USB 3.0 External... https://www.amazon.com/dp/B076DCNZM3?ref=ppx_pop_mob_ap_share

M.2 SATA SSD to USB 3.0 External SSD Reader Converter Adapter Enclo...

M.2 SATA SSD to USB 3.0 External SSD Reader Converter Adapter Enclosure with UASP, Support NGFF M.2 2280 2260 2242 2230 SSD with Key B/Key B+M(Can't Fit for PCIe NVMe/PCIe AHCI with Key M)

1

E. Paul

By live acquisition I mean launching FTK right from the target laptop via USB and generating the e01 on an external, also plugged into the target

Is it possible for you to video the problem? In the early days of mobile phone examination taking a video was sometimes the only way to show info on the phone if no forensic suite was available or a mobile was malfunctioning etc.

So I just had the same issue again- excuse my ignorance, but it seems to be that our readers don’t detect the m.2 drive with “two notches” at the top (I’m new to the m.2 world). From what I gathered on Reddit, this isn’t nvme and is a different type of drive. I’m going to try the adapter from Amazon and see if that’ll detect it

E. Paul

So I just had the same issue again- excuse my ignorance, but it seems to be that our readers don’t detect the m.2 drive with “two notches” at the top (I’m new to the m.2 world). From what I gathered on Reddit, this isn’t nvme and is a different type of drive. I’m going to try the adapter from Amazon and see if that’ll detect it

see if this helps explain things https://www.atpinc.com/blog/what-is-m.2-M-B-BM-key-socket-3

FullTang

There are SATA M.2s and NVME M.2s as M.2 is just a form factor. Here the the SATA one I have used with success: M.2 SATA SSD to USB 3.0 External... https://www.amazon.com/dp/B076DCNZM3?ref=ppx_pop_mob_ap_share

@E. Paul these from Ugreen support NVME and m.2, have worked well for me https://www.amazon.com/UGREEN-Enclosure-External-Aluminum-Tool-Free/dp/B0BQ6SYQWL/ref=sxin_17_pa_sp_search_thematic_sspa?content-id=amzn1.sym.749943ff-94bd-4679-8f03-3b5488f65fae%3Aamzn1.sym.749943ff-94bd-4679-8f03-3b5488f65fae&crid=1QPDMIUF2OC88&cv_ct_cx=ugreen+nvme+enclosure&keywords=ugreen+nvme+enclosure&pd_rd_i=B0BQ6SYQWL&pd_rd_r=ca6357cb-5da5-4331-b6a5-53d0a410ebd9&pd_rd_w=MuXej&pd_rd_wg=M5DCE&pf_rd_p=749943ff-94bd-4679-8f03-3b5488f65fae&pf_rd_r=J0TXCBQC2JB1WNANSFBQ&qid=1687961354&sbo=RZvfv%2F%2FHxDF%2BO5021pAnSA%3D%3D&sprefix=ugreen+nvme+enclosure%2Caps%2C87&sr=1-4-2b34d040-5c83-4b7f-ba01-15975dfb8828-spons&sp_csd=d2lkZ2V0TmFtZT1zcF9zZWFyY2hfdGhlbWF0aWM&psc=1

UGREEN M.2 NVMe SSD Enclosure 10Gbps USB 3.2 External NVMe M.2 SSD ...

SSD Enclosure UGREEN 15512 M.2 NVMe

1

NOT SURE IF THIS ONE WILL BE FOR DFIR JOBS? Greater Manchester Police Branch/Division Public Protection and Serious Crime Division Digital Forensic Investigator 1887999, - Ref:1887999 There are 3 Full Time permanent positions available. Closing Date 23 Jul 2023 https://atsv7.wcn.co.uk/search_engine/jobs.cgi?amNvZGU9MTg4Nzk5OSZ2dF90ZW1wbGF0ZT0xMTIwJm93bmVyPTUwNDM5MTQmb3duZXJ0eXBlPWZhaXImYnJhbmRfaWQ9MCZwb3N0aW5nX2NvZGU9MzUx&jcode=1887999&vt_template=1120&owner=5043914&ownertype=fair&brand_id=0&posting_code=351

E. Paul

So I just had the same issue again- excuse my ignorance, but it seems to be that our readers don’t detect the m.2 drive with “two notches” at the top (I’m new to the m.2 world). From what I gathered on Reddit, this isn’t nvme and is a different type of drive. I’m going to try the adapter from Amazon and see if that’ll detect it

The M.2s with two notches are SATA M.2s. The link I posted earlier is a SATA M.2 reader.

7:42 AM

Usually I have issues with my tools detecting SATA M.2 SSDs and that adapter has worked several times for me so hopefully it will work for you.

Colman

NOT SURE IF THIS ONE WILL BE FOR DFIR JOBS? Greater Manchester Police Branch/Division Public Protection and Serious Crime Division Digital Forensic Investigator 1887999, - Ref:1887999 There are 3 Full Time permanent positions available. Closing Date 23 Jul 2023 https://atsv7.wcn.co.uk/search_engine/jobs.cgi?amNvZGU9MTg4Nzk5OSZ2dF90ZW1wbGF0ZT0xMTIwJm93bmVyPTUwNDM5MTQmb3duZXJ0eXBlPWZhaXImYnJhbmRfaWQ9MCZwb3N0aW5nX2NvZGU9MzUx&jcode=1887999&vt_template=1120&owner=5043914&ownertype=fair&brand_id=0&posting_code=351

add to https://discord.com/channels/427876741990711298/1021423441410281552

1

@stark4n6 OK thank you!

Beercow

Did you install the Standard Transforms? https://www.quantusintel.group/standard-transforms-maltego/

I only downloaded Maltego, so whatever it comes with out of the box is what I have. I'll assume if I don't have the namechk then I don't have what's needed and will download Standard Transforms. Thank you!

Beercow

Did you install the Standard Transforms? https://www.quantusintel.group/standard-transforms-maltego/

Appears Standard Transforms is installed, still don't seem to have namechk. I also don't have all of the entities in which I saw another individual have such as weapons, etc.

E. Paul

By live acquisition I mean launching FTK right from the target laptop via USB and generating the e01 on an external, also plugged into the target

Best practice is a set of guidelines, not carved in stone rules... be able to justify what you did (document the failures and steps you initially took to follow best practices) and you should be set.

E. Paul

So I just had the same issue again- excuse my ignorance, but it seems to be that our readers don’t detect the m.2 drive with “two notches” at the top (I’m new to the m.2 world). From what I gathered on Reddit, this isn’t nvme and is a different type of drive. I’m going to try the adapter from Amazon and see if that’ll detect it

There are PCIe and SATA standards for these drives... they look similar. when in doubt Google the part number to be sure or use an adapter that can accommodate more than one standard. I have some adapters that are specific to one standard or the other and then a USB C enclosure that works for both. If you use the wrong one you might notice your drive getting hot really quickly.

1

Looks like I needed Social Links CE possible for the weapons entities, but I still don't have namechk... I wonder if it's something for a paid version of Maltego?

I need to grab intelligence from old cases, does anybody know a software for this??

mdogilvie

I need to grab intelligence from old cases, does anybody know a software for this??

Define intelligence?

Hi everyone, We are looking for your input. We are running the annual industry trend survey, which is vendor / tool neutral. We are looking for you feedback.

What challenges do practitioners face with device, work flow and digital evidence,
How are you using digital evidence?
How does it compare over the years.

The survey should take about 5-7 mins to complete and as a thank you, your name goes in for a chance to win $500 Amazon Gift Card. https://cellebrite.iad1.qualtrics.com/jfe/form/SV_9FRTXk6o0o2NSse?promotionsource=PL

Cellebrite 2023 Industry Trends Survey

Try searching for writing style analysis tool. I've got quite a few results.

Original message was deleted or could not be loaded.

Don’t know specific tools but it sounds like an OSINT problem to me Maybe look for OSINT tools that have NLP or ChatGPT powered OSINT tools?

1:39 AM

One tool that does come to mind is pimeyes. Haven’t used it but they claim to be solving your problem.

I have a VM server that has a 3 disk raid5. I was able to create an image of the raid. I can see the partitions but none of my tools can open the file system. Does anyone know a tool that can parse the file system?

10:56 AM

VMFS file system.

try UFSExplorer https://www.ufsexplorer.com/solutions/virtual-machine-data-recovery/ or maybe Diskinternals VMFS

Original message was deleted or could not be loaded.

Give “sentiment analysis” a try.

How the humble SIM Card content is expanding and evolving to meet the demands of our multi-tech society: Device Access Platforms Visual Representation https://trewmte.blogspot.com/2023/07/device-access-platforms-visual.html Integrated embedded SIMs (eSIMs) (https://trewmte.blogspot.com/2023/07/integrated-embedded-sims-esims.html) USIM Expanded Directories and Files (https://trewmte.blogspot.com/2023/07/usim-expanded-directories-and-files.html) USIM Expanded Capabilities Pt2 (https://trewmte.blogspot.com/2023/07/usim-expanded-capabilities-pt2.html) USIM Expanded Capabilities Pt1 (https://trewmte.blogspot.com/2023/07/usim-expanded-capabilities-pt1.html)

Device Access Platforms Visual Representation

Device Access Platforms Visual Representation Back in 2016 I commented briefly about " Exploration - missing the micro-evidence" ( https://t...

Integrated embedded SIMs (eSIMs)

Integrated embedded SIMs (eSIMs) As more and more devices and products are having eSIMS (embedded SIMs) integrated at the board and circuitr...

USIM Expanded Directories and Files

3GPP TS 31.102 V18.1.0 (2023-06) 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Characteri...

USIM Expanded Capabilities Pt2

USIM Expanded Capabilities Pt2 3GPP TS 31.102 V18.1.0 (2023-06) 3rd Generation Partnership Project; Technical Specification Group Core Netwo...

USIM Expanded Capabilities Pt1

3GPP TS 31.102 V18.1.0 (2023-06) 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Characterist...

So it’s a holiday weekend. End of a long day. I find myself thinking about damn work. Question is maybe my triage response to digital evidence could be better. Figured I would check with people here and see what they are doing. I’m specifically interested in CSAM type cases where your trying to limit what you take. How are you treating the 10 phones, 10 SD cards, 10 USBs. Is there an automated tool your using? Are you running the triage analysis on the original without a write blocker? With a write blocker? I usually use FTK with a write blocker and review USB and SD cards. The rest if it’s off I leave it off and take it. If it’s on PC I’m using OS Triage or Digital collector along with different ram tools. Appreciate anyone’s thoughts or sharing there process. Ohh and Happy almost 4th…..

4

1

I want to do forensic of airtel wireless hotspot device Please guide me for this.

Anyone from @Oxygen Forensics available ?

Ghosted

So it’s a holiday weekend. End of a long day. I find myself thinking about damn work. Question is maybe my triage response to digital evidence could be better. Figured I would check with people here and see what they are doing. I’m specifically interested in CSAM type cases where your trying to limit what you take. How are you treating the 10 phones, 10 SD cards, 10 USBs. Is there an automated tool your using? Are you running the triage analysis on the original without a write blocker? With a write blocker? I usually use FTK with a write blocker and review USB and SD cards. The rest if it’s off I leave it off and take it. If it’s on PC I’m using OS Triage or Digital collector along with different ram tools. Appreciate anyone’s thoughts or sharing there process. Ohh and Happy almost 4th…..

I suppose this depends on how you handle your CSAM cases. are you doing on scene previews to assist with interviews and quick arrest if we find the suspect? if so we have a fair system for that. if you have to follow up later with an arrest warrant, just take stuff anyway....some fed agencies have to seize then arrest after CSAM is found well after an exam and reviewing with an AUSA. Our warrant procedure involves a few previewers (2 - 3 if we are lucky), a few interviewers, and a few people searching. We kind of work in tandem to find suspects. So lets say it is a NCMEC tip. If the tip has any info on who it might be, say based off of user name/email or OSINT that suggests it might be one of the occupants, we will start with that low hanging fruit. Interviews start there, one previewer starts there, and another previewer does whatever possible to rule out the other people in the house. Sometimes that is a full exam on phones, sometimes not, depends on how interviews and other forensics go. We try to get eyes on every device in some way, shape, or form. Generally, we plan to take everything anyway, but if we can rule out people we try not to clutter our cases and deprive the suspect's family of their devices...a lot of times they are decent enough people and had no clue the suspect was doing what they were doing. Now if we dont have a suspect and get no where on scene with developing one, we generally just take everything and sort it out later. Sometimes this is due to the suspect being unknown, an additional occupant being away at college, etc. The SD card/USB drive thing is an interesting topic. We will preview with whatever, typically FEx or EnCase but I always use a write blocker. We will look through every one we find because we don't want to miss a suspect perping their own kids and having media depicting that. Previewing them is typically quick and if evidence is found would be a horrific "slam dunk" for the case.

2

emilie_

Anyone from @Oxygen Forensics available ?

Hello, DM'd

1

@kmacdonald1565 thanks for th info. are you processing the SD cards and USBs in those forensic suites? That must take substantial time. My goal is to streamline and increase speed.

no specific processing unless we get the vibe that it needs it....loading it up and having a look around...if its full no need wont get stuff carved, if its empty I will check the hex to see if carving is worth while. It is a whole lot of improvising on the fly based on the totality of everything going on.

Is any tool available to automagically process NCMEC reports ? Like automatic IP ISP checking or so ?

A lot of the reports we get have some kind of geolocation and ISP provided.

What would be the regex expresion wich can return any file that doesn't have a .md extension?

11:37 AM

I am using this, which currently returns any file that has this extension r"(.md)"

Doomdie

What would be the regex expresion wich can return any file that doesn't have a .md extension?

you're looking for ?!

yeah but the thing is that I want to take that extension and then replace it I found that this works best

11:57 AM

so in the end I'll have this

^[^.]+(?!\.md$)[^.]*$ according to ChatGPT

Here's a breakdown of the regex pattern:

^ asserts the start of the string.
[^.]+ matches one or more characters that are not a dot (.).
(?!\.md$) is a negative lookahead assertion. It ensures that the next characters are not ".md" followed by the end of the string.
[^.]* matches zero or more characters that are not a dot (.).
$ asserts the end of the string.

well, chat gpt has some work to do when it comes to regex

it also depends on what dialect of regex you're working with. I've found that matters sometimes. All ChatGPT does is give you a running start on something. Very often the final answer doesn't come right away

2

1

I know. Anyhow thanks for the help guys, appreciate it!

Has anyone had Apple remove a firmware password from a macbook for law enforcement? They say they can do it if they have the original receipt, but naturally we didn't purchase it. (edited)

Hey, uh, can activitiescache be disabled by default prior Windows installation or is it definitely only doable by the user?

DEVNULL

Is any tool available to automagically process NCMEC reports ? Like automatic IP ISP checking or so ?

I have a powershell script that scrapes NCMEC returns for hash values to add to our database if that's of interest.

DEVNULL

Is any tool available to automagically process NCMEC reports ? Like automatic IP ISP checking or so ?

The Semantics 21 tools automatically parse the NCMEC reports. Both triage and media review tools work with Cybertips.

@Magnet Forensics hello anyone available for a quick question?

Hans Leißner

Anyone know what type of device this is?

This was found lying in the woods in our area. I have unfortunately only one picture of it... Tineye and Google Image Search negative

In the meantime, I have been able to clarify what this is via the Office for the Protection of the Constitution. It was a measuring device from a government agency. These were used to measure avalanches in our mountains, how they behave under what conditions and how fast they are carried away by the avalanche. @Digitalferret @Pianist @ryd3v (edited)

2

5

Using Sanderson Forensic Browser for SQLite, is there a way I can "search for all locations where this string is found across all the tables"?

Does anyone know how to send legal (not LEO) requests to Discord?

Cole

Has anyone had Apple remove a firmware password from a macbook for law enforcement? They say they can do it if they have the original receipt, but naturally we didn't purchase it. (edited)

I think your success here depends on making a friend at your local store

quack

Does anyone know how to send legal (not LEO) requests to Discord?

https://discord.com/company-information

Company Information - Impressum | Discord

Read Discord's Impressum, statement of ownership, as well as company information, here.

Coolit

I have a VM server that has a 3 disk raid5. I was able to create an image of the raid. I can see the partitions but none of my tools can open the file system. Does anyone know a tool that can parse the file system?

Did you get this resolved? I just did a data recovery op on some antique RAID setups.

1

Anyone stood up timesketch recently and not have the webpage come up after login? Not seeing anything wrong offhand here- fresh pull of the docker containers with their script

Please help me to take the disk image of the password protected Mac book.

theshark started a thread. 7/7/2023 8:45 AM

Anybody using a 3D printer for things around the lab?

1:54 PM

I was thinking of printing picks and cards, but maybe things to hold cords, etc. Any other suggestions or known uses? (edited)

sholmes

Anybody using a 3D printer for things around the lab?

Could print a big FIND EVIDENCE button

7

sholmes

I was thinking of printing picks and cards, but maybe things to hold cords, etc. Any other suggestions or known uses? (edited)

This sounds suspiciously like “Should we get a PS3 in the lab to conduct testing?” back in the day.

(edited)

8

2

We cleared out a Xbox 360 and PS3 recently. Brilliant array of games with them too

3

For the record, we did have one relatively serious case involving a PS3. So it was important to have experience with them.

3

Arsenal

This sounds suspiciously like “Should we get a PS3 in the lab to conduct testing?” back in the day.

(edited)

"Test how fun the thing is and report that o the boss"

1

Electonics Engineer on my work placement in the 90s requisitioned the scanner to have back in the day. Yupiteru 7000 series (several hundred GBP) His need? just to hear the radio telemetry in the water meter they were designing, which amounted to a few short sharp farty sounds. it wasn't even to decode, just to know it was transmitting. ofc he just had to borrow it, cycling home to the sound of The Archers radio program (UK). i bought one too, years later, superb radio and let me in on some of the best humour and comedy I've ever heard....

4:19 PM

local police radio before all that stuff got encrypted

4:21 PM

some of the banter between the cops was drier than a witches tit. had me in fits for evenings on end (edited)

I find it very interesting that police comms in the US aren’t all digitally encrypted

Matt

I find it very interesting that police comms in the US aren’t all digitally encrypted

One agency could be but then a mile down the road the smaller department's isn't. US LE is incredibly fragmented on many levels. Current LE correct me if I'm wrong but that's how it was in my experience. Just because one department has XYZ or does XYZ doesn't mean the same departments even in the same county/state do the same thing

4

Andrew Rathbun

One agency could be but then a mile down the road the smaller department's isn't. US LE is incredibly fragmented on many levels. Current LE correct me if I'm wrong but that's how it was in my experience. Just because one department has XYZ or does XYZ doesn't mean the same departments even in the same county/state do the same thing

Interoperability must be a nightmare

3

Matt

Interoperability must be a nightmare

It has to exist first for it to be considered a nightmare

1

Matt

Interoperability must be a nightmare

When department heads are the warring feudal lords of their own fiefdoms, interoperability isn’t even a concept. Us lowly troops can only hope the occasional ceasefire that occurs when that massive incident happens that absolutely requires us to work with each other.

3

Arsenal

This sounds suspiciously like “Should we get a PS3 in the lab to conduct testing?” back in the day.

(edited)

Exactly why I’m trying to find legitimate things people have used them for…….

sholmes

Exactly why I’m trying to find legitimate things people have used them for…….

exotic door stop?

1

FullTang

When department heads are the warring feudal lords of their own fiefdoms, interoperability isn’t even a concept. Us lowly troops can only hope the occasional ceasefire that occurs when that massive incident happens that absolutely requires us to work with each other.

We have it very easy here by comparison

Matt

We have it very easy here by comparison

Sounds amazing. Just based on what I have seen on this server, UK law enforcement looks like a tight knit group of professionals.

1

FullTang

Sounds amazing. Just based on what I have seen on this server, UK law enforcement looks like a tight knit group of professionals.

Agreed. That was one of the first things I learned being here that I never would've otherwise. Whenever someone tags LE UK and asks a question it's always a fascinating read, in a good way. A different world from here that I don't have any other insight into outside of this server. Admiration from afar!

Well it depends, 43 different forces can work together well in some cases and less so in others

sholmes

Anybody using a 3D printer for things around the lab?

gridfinity for storage

5:10 PM

or action figures...

sholmes

Anybody using a 3D printer for things around the lab?

extenders/adapters for small SSDs

1

https://github.com/user163/image-encryption

GitHub - user163/image-encryption: Encryption / Decryption of image...

Encryption / Decryption of images with AES-CBC/ECB - GitHub - user163/image-encryption: Encryption / Decryption of images with AES-CBC/ECB

7:17 AM

Private Internet Browsing Forensics https://www.champlain.edu/Documents/LCDI/Incognito.docx.pdf

anyone else heard of ArtiFast from Forensafe Software Solutions (edited)

MartinInDFIRland

anyone else heard of ArtiFast from Forensafe Software Solutions (edited)

try the search bar ↗️ with artifast, there are a number of mentions including links to articles

Digitalferret

try the search bar ↗️ with artifast, there are a number of mentions including links to articles

I know, and already did, just wanna discuss more about it

1:40 AM

Just 9 results from 3 ppl, and I want to know if anyone has used it, and in what use cases are it useful

ah, my bad. that's the art in asking the proper question then

1:40 AM

of course the simple answer to the above would have been "yes", but I'm only on my first coffee

(edited)

Also part of my fault

all good dude, it's monday morning after all

3

1:42 AM

and as well as being a Moderator I'm the official channel Grinch

1:42 AM

got to big it up where i can

1

1:43 AM

best oif luck, I'm sure more will reply, but bear in mind we is worldwide. a lot of our cousins are still in bed

haha, where I live, the sun is already high above my head

1:45 AM

So, let me explain my my thoughts. There is not yet buy version of Artifast, and free version takes 500MB

MartinInDFIRland

Also part of my fault

did you find the Artifast pdf guide yet?

1:46 AM

ooops. aaand that's the phone, bbl

1

take your time my dear

MartinInDFIRland

So, let me explain my my thoughts. There is not yet buy version of Artifast, and free version takes 500MB

My choice is collect all evidence as well from victim computer. And then use ArtiFast for parser. I just concern about that: ArtiFast supports parsing of various evidence types (edited)

1:50 AM

But dont know which one could be used for collect evidence

1:53 AM

Their last tweet from May 18, 2021

1:53 AM

Not sure they still update

MartinInDFIRland

My choice is collect all evidence as well from victim computer. And then use ArtiFast for parser. I just concern about that: ArtiFast supports parsing of various evidence types (edited)

maybe mail their support?

seem like Kape & plaso still the best choice

2:39 AM

lol

2:39 AM

MartinInDFIRland

seem like Kape & plaso still the best choice

if you are into Kape, you might want to check https://discord.com/channels/427876741990711298/427982915230498826/1126632123537829920 if you haven't already

Digitalferret

if you are into Kape, you might want to check https://discord.com/channels/427876741990711298/427982915230498826/1126632123537829920 if you haven't already

thanks @Digitalferret , I learned a lot from SANS FOR508

2:48 AM

both KAPE and EZtools are in my toolkit already

2:48 AM

Swiss Army knife

1

Does anyone have a favorite IP lookup site or software. I have a few but interested in seeing favorites...

Quick question, Can cellebrite collect edited iMessages?

A few years back there was gov't grant funding to update agencies to digitally encrypted frequencies. we can "patch" together with surrounding agencies on the same channels now. Problem is that the "encryption" part costs extra and the update to the system as a whole was optional and with strings attached. So some smaller agencies didn't take the funding in order to do their own thing. So it still isn't fixed.

Hey, can some one scan my weChat QR so I can access the app, Trying to do some testiing with the app didn't know this was a requirement to access it?

MartinInDFIRland

Not sure they still update

@Forensafe

whee30

A few years back there was gov't grant funding to update agencies to digitally encrypted frequencies. we can "patch" together with surrounding agencies on the same channels now. Problem is that the "encryption" part costs extra and the update to the system as a whole was optional and with strings attached. So some smaller agencies didn't take the funding in order to do their own thing. So it still isn't fixed.

Not to mention that Motorola owns the encryption patent that the LEO's use and they license charge for each handset and squad to use it yearly. Its not cheap.

MartinInDFIRland

Not sure they still update

they update frequently https://forensafe.com/blog.html

DCSO

Not to mention that Motorola owns the encryption patent that the LEO's use and they license charge for each handset and squad to use it yearly. Its not cheap.

only a few squads have encrypted channels over here. If you run surveillance you get it, otherwise they don't spend the money on it.

1

khushigupta0641

Quick question, Can cellebrite collect edited iMessages?

https://www.doubleblak.com/blogPosts.php?id=27

4:51 PM

If you get the database there are things to look for.

whee30

If you get the database there are things to look for.

Thank you!!

theshark

Does anyone have a favorite IP lookup site or software. I have a few but interested in seeing favorites...

probably ipinfo.io

2

theshark

Does anyone have a favorite IP lookup site or software. I have a few but interested in seeing favorites...

Ipinfo io

1

theshark

Does anyone have a favorite IP lookup site or software. I have a few but interested in seeing favorites...

ipvoid.com is another one

1

Anyone else had an issue with migrating a large hash DB from PA7 to PA 8 Ultra? I have a DB with 97 million hashes and 8 just isnt having it, smaller DBS around 25 million are going in after about 15 minutes but the larger one isnt.

MartinInDFIRland

anyone else heard of ArtiFast from Forensafe Software Solutions (edited)

Hey there! I am from @Forensafe team. We wanted to thank you for reaching out to us about ArtiFast. We have multiple versions of our software, and we continuously update it to ensure the best experience for our users. We truly appreciate your feedback. We're also aware that our social media accounts aren't up to date, and we want you to know that we're actively working on improving that.

3

Great opportunity to learn what happens at SWGDE and to help take part in the development of community #DFIR guidelines! Register as a guest before July 21 https://docs.google.com/forms/d/e/1FAIpQLSeC8qr7DxXANzCx41c860chmHhvIKdO7zEMoqK37UTvI8JwYQ/viewform

Guest Attendance Request Form

The Scientific Working Group on Digital Evidence (SWGDE) is composed of member agencies from all levels of government, academia, and private industry. Our group has a mission of fostering communication and cooperation at all levels. We are working in the forensic community to establish sound practices and standards in the handling of digital and...

whee30

only a few squads have encrypted channels over here. If you run surveillance you get it, otherwise they don't spend the money on it.

Some of the agencies around here have the opposite problem. They HAVE access to encrypted channels, even for inter ops, yet they still pick unencrypted for things they should not

. Others want to have everything encrypted, even fire departments.

CyberGhost

Some of the agencies around here have the opposite problem. They HAVE access to encrypted channels, even for inter ops, yet they still pick unencrypted for things they should not

. Others want to have everything encrypted, even fire departments.

before you know it Govt officials will be taking documents home and reading them in the ~~John/Shitter~~ bathroom: wcpgw?

Digitalferret

before you know it Govt officials will be taking documents home and reading them in the ~~John/Shitter~~ bathroom: wcpgw?

What's m2m_dir, m2o_dir and o2m_dir in an ATT CDR?

12:59 PM

All I can think is originating to mobile? Don't see it anywhere on the record key

Pumpkin

What's m2m_dir, m2o_dir and o2m_dir in an ATT CDR?

In the context of an AT&T Call Detail Record (CDR) I think m2m_dir likely refers to a call from a mobile device to another mobile device. m2o_dir could refer to a call from a mobile device to a non-mobile device. o2m_dir likely refers to a call from a non-mobile device to a mobile device.

I've read from a random court doc online that M2M signifies a call between two ATT phones and DIR is outbound unless it gets forwarded. But that doesn't at all match up with the records I'm reading

Pumpkin

What's m2m_dir, m2o_dir and o2m_dir in an ATT CDR?

This is from an older AT&T Key:

Can someone please help me with the process you use for investigating e sims in an iPhone?

JRCC_4N6

This is from an older AT&T Key:

Ohhh there we go. That's incredibly helpful. Thanks!

1

khushigupta0641

Can someone please help me with the process you use for investigating e sims in an iPhone?

be more specific

Question to those that use #Belkasoft, do you have the possibility to redact text/data after processing and that be shared to an investigator to go through?

trillian

Question to those that use #Belkasoft, do you have the possibility to redact text/data after processing and that be shared to an investigator to go through?

pinging @Belkasoft in case it's a feature / one they plan to add / is in beta / nope, sorry

2

trillian

Question to those that use #Belkasoft, do you have the possibility to redact text/data after processing and that be shared to an investigator to go through?

Do you mean the report text or extracted evidence texts? Please let us know the use case for the feature (which we do not directly have atm; only on the level of editing the case database)

elizavetabelkasoft

Do you mean the report text or extracted evidence texts? Please let us know the use case for the feature (which we do not directly have atm; only on the level of editing the case database)

I meant more for removing confidential conversations either email or sms/messenger app. We would need to remove the information and create a new "clean" case for the investigator (not in pdf or excel, but in the same format as when it is processed with belkasoft)

trillian

I meant more for removing confidential conversations either email or sms/messenger app. We would need to remove the information and create a new "clean" case for the investigator (not in pdf or excel, but in the same format as when it is processed with belkasoft)

Interesting request. We can add it to the "Features waitlist." Please contact us at support@belkasoft.com so that we can discuss the details.

1

Will do! and thanks

(edited)

does anyone have experience pulling screen time data on an iPhone from over 90 days ago? In settings it only goes back about 3 weeks...

or any third party apps that collect historical screen time data

Hey guys does anyone know if it’s possible to see if a phone was in range of a wireless router? For example, let’s say you have a burglary and the suspect’s phone was within range of your router at a specific time, is that logged anywhere and accessible?

braz989

Hey guys does anyone know if it’s possible to see if a phone was in range of a wireless router? For example, let’s say you have a burglary and the suspect’s phone was within range of your router at a specific time, is that logged anywhere and accessible?

Not sure if any detailed logs are made for "in range" detection. It is posisble to subpoena the ISP provider (eg. spectrum) for the detailed connection logs of that account/router/modem if anything, then you could match IP's to a logon or off's, but if you suspect a connection was never made then may be out of luck. Apple may also log info on wireless connection detection for a device/appleid with timestamps but again, not sure.

ufed 4pc 7.64 in 100

dollar for 1 pc is that true ?!

theshark

Not sure if any detailed logs are made for "in range" detection. It is posisble to subpoena the ISP provider (eg. spectrum) for the detailed connection logs of that account/router/modem if anything, then you could match IP's to a logon or off's, but if you suspect a connection was never made then may be out of luck. Apple may also log info on wireless connection detection for a device/appleid with timestamps but again, not sure.

Thank you for the reply

1

braz989

Hey guys does anyone know if it’s possible to see if a phone was in range of a wireless router? For example, let’s say you have a burglary and the suspect’s phone was within range of your router at a specific time, is that logged anywhere and accessible?

Might be a to identify from the phone, if you get a FFS from a iPhone cache_encryptedB.db may have harvested mac addresses of wifi locations, but the dates and times of those are when they're downloaded to the phone as far as I know, not necessarily when it was there. (edited)

Does anyone have good third party application for re-organizing Cellebrite (excel) extraction data, timeline visualizer, etc.?

Quick question, I'm looking at a document of intellectual proprty theft done in India of a large scale piracy incident. When I request it from the webserver, it seems to be the servers are down. The cache version works but the images don't load. Any ideas of how to get these images to appear up on the cached version ? Doing so because the investigation covered tremendously helps with the work. Sorry for such a weird question. (edited)

$CozyBear

Quick question, I'm looking at a document of intellectual proprty theft done in India of a large scale piracy incident. When I request it from the webserver, it seems to be the servers are down. The cache version works but the images don't load. Any ideas of how to get these images to appear up on the cached version ? Doing so because the investigation covered tremendously helps with the work. Sorry for such a weird question. (edited)

could try a few other caching sites, https://github.com/dessant/web-archives I like to use this plugin to hit a bunch at once

GitHub - dessant/web-archives: Browser extension for viewing archiv...

Browser extension for viewing archived and cached versions of web pages, available for Chrome, Edge and Safari - GitHub - dessant/web-archives: Browser extension for viewing archived and cached ver...

1

Turns out that the http://dot.gov.in is down, Assuming their server are down xD pretty strange for .gov site, idk (edited)

Are there any good examples/templates of what a chain of custody should look like?

8:22 PM

I yanked it from here but it looks about what I have used in the past- they're all pretty similar just formatting changes https://formspal.com/pdf-forms/other/blank-chain-of-custody-form/

Not really sure where this fits, so I'll chuck it in General for now. I am making the shift from LE to private sector, in a training capacity. I would be curious to know: 1. If anyone who has previously done this, any advice, learning or wisdom you may have? 2. Any resources or open-source tools I should be considering taking with me into this new role? Happy to discuss in an open forum or in private message. Just reach out

(edited)

Is It Done Yet?

Not really sure where this fits, so I'll chuck it in General for now. I am making the shift from LE to private sector, in a training capacity. I would be curious to know: 1. If anyone who has previously done this, any advice, learning or wisdom you may have? 2. Any resources or open-source tools I should be considering taking with me into this new role? Happy to discuss in an open forum or in private message. Just reach out

(edited)

might be worth echoing that in #training-education-employment too.

Digitalferret

might be worth echoing that in #training-education-employment too.

Ta muchly, will do.

I have a client that is using a UFDR on a VM via AWS. She has told me that she cannot see any images and when she has shared her screen none of the images are showing. She has mentioned that during training the trainer told her that there is a setting that she may need to enable to allow her to see images and she cant remember what it is. Ive had a look but its been a couple years since i have used it and I cant remember any setting. Anyone know of a setting off the top of their heads that may do this? The images are loading but all appear white in the thumbnail view and any other view.

@Cellebrite ^

1

Majeeko

I have a client that is using a UFDR on a VM via AWS. She has told me that she cannot see any images and when she has shared her screen none of the images are showing. She has mentioned that during training the trainer told her that there is a setting that she may need to enable to allow her to see images and she cant remember what it is. Ive had a look but its been a couple years since i have used it and I cant remember any setting. Anyone know of a setting off the top of their heads that may do this? The images are loading but all appear white in the thumbnail view and any other view.

Ive had alot of investigators with the same issue, i think they usually restart the program and it just works sometimes. If there is a more permanent fix i would also love to hear it. We have assumed its some sort of bug

Johnie

Ive had alot of investigators with the same issue, i think they usually restart the program and it just works sometimes. If there is a more permanent fix i would also love to hear it. We have assumed its some sort of bug

Ive never had this issue with Cellebrite reader, although i generally always used UFED PA but its been a few years since i used it consistently and I dont remember anyhting like this. I'm wondering if it is because it is being used via AWS/VM but I dont see why. Its a weird issue.

Majeeko

Ive never had this issue with Cellebrite reader, although i generally always used UFED PA but its been a few years since i used it consistently and I dont remember anyhting like this. I'm wondering if it is because it is being used via AWS/VM but I dont see why. Its a weird issue.

Our investigators get the issue on regular computers and not VM. But its very random and sometimes a few images load in but not all. And usually it works after a restart

Just a cellebrite reader restart or a whole machine restart?

Apple doesn't keep detailed gps logs and I am interested in knowing the phone location at a certain time over 90+ days ago. Would love to hear any ideas to see if I havent tried something.

theshark

Apple doesn't keep detailed gps logs and I am interested in knowing the phone location at a certain time over 90+ days ago. Would love to hear any ideas to see if I havent tried something.

any photos of that time frame that may be GPS tagged in EXIF

I wish, none were taken.

6:38 AM

I did a apple/google takeout. No data in those artifacts help.

Johnie

Our investigators get the issue on regular computers and not VM. But its very random and sometimes a few images load in but not all. And usually it works after a restart

a reset has worked. This was litterally the first question I asked her when she first asked for my help, have you tried shutting it down a d restsrting and i was told yes. P.I.C.N.I.C error as always. Thanks for your help

Has anyone else had XRY 10.6 crash to desktop when clicking "Done" after taking photos? Happened to my colleague and myself. Not every time just occasionally. Photos don't save and so continuity is comprised (evidence bag unsealed before first photo).

Does anyone have an answer for what "uninitialized file area" is? Magnet Axiom lists it as part of its inaccessible file carving, but I cannot determine what it actual contains. The user guide also does not define it. Not sure if it is wording specific to Axiom or something more general.

Cole

Does anyone have an answer for what "uninitialized file area" is? Magnet Axiom lists it as part of its inaccessible file carving, but I cannot determine what it actual contains. The user guide also does not define it. Not sure if it is wording specific to Axiom or something more general.

The uninitialized file area is disk space that has been reserved by a file but isn’t yet being used by it, or the difference between the logical file size and the valid data length. Edited to add - I realized I didn't completely answer your question, the term 'uninitialized file area' is not unique to AXIOM. I'm assuming you are dealing with an NTFS volume, any given file has an allocated physical and logical size - physical based on cluster size and logical based on actual usage. So for a given file with a logical size less than cluster size, you have the typical file slack (i.e, end of the logical file to the end of the cluster). NTFS uses an approach to file initialization that leads to the storage space which is set aside for a new file not always being completely used. When this occurs, the unused space which was designated for a file is uninitialized space. While the concept is similar to file slack, it is distinct as it is entirely contained within the logical file size. (edited)

TIL

10:06 AM

Fat space on library shelf and a thin book gets put in there

1

10:06 AM

i think ...

Digitalferret

TIL

Except there's something in place that keeps you from getting at the thin book.

yep

10:09 AM

i use a similar analogy to explain fragmentation,where there's a large fat book, but lots of thin spaces. rather than moving all the books along, (OS/FS) tears the book into pages and shoves them all over the library, but makes an entry in a file table, per stored sheet, so that the composite parts can be put back together again

10:10 AM

and if that index is lost or corrupt, and the files are fragged, you my only find the front cover and 2 pages

10:10 AM

it's not so much how general pc users think "it's corrupt" its simply been scattered to the 4 winds

Digitalferret

i use a similar analogy to explain fragmentation,where there's a large fat book, but lots of thin spaces. rather than moving all the books along, (OS/FS) tears the book into pages and shoves them all over the library, but makes an entry in a file table, per stored sheet, so that the composite parts can be put back together again

That's a great analogy and I'm stealing it

Also, when shoving those thin books going into the fat spaces, some of them push a page or two from another book behind them and they're trapped (aka unitialized file area).

then SSD

chriscone_ar

That's a great analogy and I'm stealing it

Also, when shoving those thin books going into the fat spaces, some of them push a page or two from another book behind them and they're trapped (aka unitialized file area).

yteh, this. thin book, perspex box shelf divider. i can't use it rn so neither can you

Digitalferret

then SSD

Ugh! Trim, wear leveling, and spare areas just make it all worse!

heheh

10:14 AM

but understood re page-or-two. it's not necessarily clean empty space, can equally be old data / garbage (edited)

Digitalferret

but understood re page-or-two. it's not necessarily clean empty space, can equally be old data / garbage (edited)

Exactly. And that old data / garbage will remain in that uninitialized file area as long as the file occupying that space remains. And the user would have no idea it was there or any method for accessing it.

chriscone_ar

Exactly. And that old data / garbage will remain in that uninitialized file area as long as the file occupying that space remains. And the user would have no idea it was there or any method for accessing it.

hmmmm. so, would that be such a granular level that you couldn't examine with a hex editor in some DR hardware like PC3000 or Atola or would that be sub block size? (edited)

10:22 AM

ie smaller than the accessible smallest unit

chriscone_ar

Exactly. And that old data / garbage will remain in that uninitialized file area as long as the file occupying that space remains. And the user would have no idea it was there or any method for accessing it.

btw, are you free for a quick DM? unrelated

chriscone_ar

The uninitialized file area is disk space that has been reserved by a file but isn’t yet being used by it, or the difference between the logical file size and the valid data length. Edited to add - I realized I didn't completely answer your question, the term 'uninitialized file area' is not unique to AXIOM. I'm assuming you are dealing with an NTFS volume, any given file has an allocated physical and logical size - physical based on cluster size and logical based on actual usage. So for a given file with a logical size less than cluster size, you have the typical file slack (i.e, end of the logical file to the end of the cluster). NTFS uses an approach to file initialization that leads to the storage space which is set aside for a new file not always being completely used. When this occurs, the unused space which was designated for a file is uninitialized space. While the concept is similar to file slack, it is distinct as it is entirely contained within the logical file size. (edited)

Ok that's what I was guessing (about windows giving it more space than it uses). In what way is it different than file slack? I understand the logical size/physical cluster size difference which creates file slack. Does windows allocate even more data for files?

10:27 AM

Ok rereading your explanation I think I get it more

Digitalferret

btw, are you free for a quick DM? unrelated

Absolutely! I just made it back to the desk.

1

Cole

Ok that's what I was guessing (about windows giving it more space than it uses). In what way is it different than file slack? I understand the logical size/physical cluster size difference which creates file slack. Does windows allocate even more data for files?

I suppose if we're splitting hairs, that it's NTFS that allocates the space for files. There's end of file and valid data length. The EOF is the allocated logical space for the file and VDL is the actual length/end of the file on disk. In instances where the VDL is < EOF you have uninitialized file area. What causes the discrepancy between initialization and actual write to disk? Computers, right

Overall, it is similar in concept to slack, just a distinction.

3

In a cellebrite extraction within the log entries can anyone confirm that "Wifiin: WifiOut" details show that a phone is being reconnected to the wif?

I'm trying to get into a MacBook Pro (apple silicone) to image it, but do not know the admin pw. I do have a ffs of an iPhone linked to the same iCloud with the keychain decrypted, but I don't see the MBP lockscreen pw anywhere in plain english. How can I use the phone Keychain to unlock the MacBook (can I even do this?)

Cole started a thread. 7/14/2023 12:35 PM

Is anyone here having issues with the new windows 11 update KB5028185 was making their computer not want to recognize/correctly use the network cards?

Hi everyone ! Does somoeone know if we can extract informations from a YubiKey ? Thank you !

RiL

Hi everyone ! Does somoeone know if we can extract informations from a YubiKey ? Thank you !

is it your yubikey?

Digitalferret

is it your yubikey?

no

is it a legal case?

Digitalferret

is it a legal case?

yes

sorry, had to check, we get a few "suss" characters in here

2:03 AM

2:04 AM

nolt that I'm giving away trade secrets

Digitalferret

sorry, had to check, we get a few "suss" characters in here

no worries, thank you !

RiL

Hi everyone ! Does somoeone know if we can extract informations from a YubiKey ? Thank you !

They’re designed to be write-only, you can’t extract the secrets from them to the best of my knowledge

however, @Matt @RiLif it's a Police case, they may want to investigate if the suspect/miscreant have any backup codes? (edited)

Very difficult to do so without logging into the account to check if additional HSKs are registered. There may be some artefacts around YubiKeys on windows which could identify if the subject used multiple keys on their device? I’m not aware of any though, haven’t dealt with a YubiKey other than as a user PepeLaugh

1

can't remember how alternative authentication works

Digitalferret

can't remember how alternative authentication works

Depends on the provider tbh; sometimes they mandate use of a HSK, others times they allow the use of the HSK or a password + 2FA SOTP

1

basically you're trying to find a way back in as if you are the user having lost or broken his yubikey

1

Talking about logging in and being authenticated I did some work a while back with an organisation that operated what I called 7 (steps) FA (Factor Authentication) for each and every time a login was required. 1) Random Username initiated by Organisation 2) Password number initiated by Organisation using NI number but password can changed 3) Country/Region (must be entered) 4) Location (must be entered) 5) Reference location access point (must be entered) 6) Approved mobile phone number (must be entered) 7) SMS one-time only usage generated code which needs to be entered at site before entering website

Just wanted to drop this thought here for whoever may be reading and have similar thoughts… Last year I went back to school for my master’s degree. In particular, I’m doing my degree in securities and intelligence studies. I didn’t realize it but there’s entire schools and research fields on intelligence from academics who form opinions and thesis that make their ways to think tanks and ultimately in to global policy. What’s amazed me the most on this journey is the lack of practical experience by a number of the folks in academia. How terrifying is that? The folks who are influencing, and I mean heavily influencing, national and global policy, sometimes have zero practical experience. That being said, their work does have value – they are smart people doing smart work and coming up with the right questions, asking the right people, and getting good data. But good lord does this field need more of it. There’s a lot of charlatans out there. You could write a whole paper just defining what is “cyber conflict” right now, and make it completely consist of quoting other authors and papers and hoooolyyyyy craaaaap I’m tired of reading that. Can we please get a single definition and move on>>>> If you have realistic intelligence community experience, and even if you were never part of the IC but you have intelligence or other government experience, man, the academic world could use your input. I highly, highly encourage anyone on the fence to go back to school and pursue it. I’m in my 30’s, closing in on my 40’s, and I’ve found my ability to draw from my professional experience and real world knowledge has massively helped by school work. Vice versa, the academics side is also influencing how I look at and do my regular work. Tl;dr If you go back to school, lots of opportunities to be the smartest person in class. And we need more practical and experienced voices making their voices heard in this area. (edited)

6

3:12 PM

There's actually a whole community setup around intelligence history. https://www.intelligencehistory.org/

Home | NASIH

About the North American Society for Intelligence History

DeeFIR 🇦🇺 started a thread. 7/16/2023 3:55 PM

Shodan $5 sale is back https://twitter.com/shodanhq/status/1680723526494609409

Shodan (@shodanhq)

The $5 Membership sale is now live! The sale lasts until July 17 23:59 UTC: https://t.co/0iqiq2vTpn

Likes

153

7

1

stark4n6

Shodan $5 sale is back https://twitter.com/shodanhq/status/1680723526494609409

got to lol, bought this in last sale, still haven't made use. now I'm a membership hoarder

1

2:39 AM

In progress autometic stop

2:39 AM

Cph2015

anyone from magnet available?

@Magnet Forensics

1

Cenizas

anyone from magnet available?

I’m available

chriscone_ar

I’m available

Sent you a message

Hello everyone. I've recently switched jobs and now I have the opportunity to lead a Forensics department. And one of the things I want to implement is the regular publication of blog articles, covering general digital forensics: types of artifacts, acquisitions, testing of open-source and commercial tools, etc. How do you organize yourselves? How much time do you dedicate to this? How do you organize the information you gather and how do you summarize it? Who do you consult with to get feedback? Thanks!

1

Ghibra Mad

Hello everyone. I've recently switched jobs and now I have the opportunity to lead a Forensics department. And one of the things I want to implement is the regular publication of blog articles, covering general digital forensics: types of artifacts, acquisitions, testing of open-source and commercial tools, etc. How do you organize yourselves? How much time do you dedicate to this? How do you organize the information you gather and how do you summarize it? Who do you consult with to get feedback? Thanks!

maybe start by working out who your prospective audience are, then let them know about your blog plan and ask what would be most useful by way of topic. eveything else will fall into place. this is much like the adage of waiting to see where the footsteps go in the garden before building a path

Digitalferret

maybe start by working out who your prospective audience are, then let them know about your blog plan and ask what would be most useful by way of topic. eveything else will fall into place. this is much like the adage of waiting to see where the footsteps go in the garden before building a path

That makes sense. Thanks!

1

Ghibra Mad

Hello everyone. I've recently switched jobs and now I have the opportunity to lead a Forensics department. And one of the things I want to implement is the regular publication of blog articles, covering general digital forensics: types of artifacts, acquisitions, testing of open-source and commercial tools, etc. How do you organize yourselves? How much time do you dedicate to this? How do you organize the information you gather and how do you summarize it? Who do you consult with to get feedback? Thanks!

That’s awesome you get to dedicate time (what I’m assuming) through your employer. Consider any social media policy the organization might have, then follow it. I have a personal blog, which gives me the flexibility of writing anything that doesn’t represent the organization I work for. I try to get a piece written at least once a month in my own time. I try to start with things I have questions about, then write about it. I imagine others may have the same question and benefit from what I find out. If I find anything interesting, I try to write it down. This allows me to further develop it when time permits as a draft. If inspiration strikes, sometimes I can knock it out in a couple of days. Others, I have drafts sit for a couple of months. I also keep relevant pictures or screenshots with the draft. It may help me focus on why I have the draft in the first place. When I started, I found Phill Moore’s post at This Week in 4n6 helpful. https://thisweekin4n6.com/starting-a-blog/ (edited)

Phill Moore

Tips for Starting a Blog

I’ve had a few people ask for tips on blogging, and thought I’d put it all in one place. I also put down a few reasons why you should create your own home on the web here. Set a schedul…

derekeiri

That’s awesome you get to dedicate time (what I’m assuming) through your employer. Consider any social media policy the organization might have, then follow it. I have a personal blog, which gives me the flexibility of writing anything that doesn’t represent the organization I work for. I try to get a piece written at least once a month in my own time. I try to start with things I have questions about, then write about it. I imagine others may have the same question and benefit from what I find out. If I find anything interesting, I try to write it down. This allows me to further develop it when time permits as a draft. If inspiration strikes, sometimes I can knock it out in a couple of days. Others, I have drafts sit for a couple of months. I also keep relevant pictures or screenshots with the draft. It may help me focus on why I have the draft in the first place. When I started, I found Phill Moore’s post at This Week in 4n6 helpful. https://thisweekin4n6.com/starting-a-blog/ (edited)

Damn, those are some great tips. Thank you very much!

1

Oh Hai

10:20 PM

I like how one of my most popular posts can be summarised with "write it down publically"

5

6

randomaccess

I like how one of my most popular posts can be summarised with "write it down publically"

sometimes it's as simple as that though, the barrier to entry is low but people get scared to do so. I know it took me months to share after working on this I wanted out there

Hi folks, I am looking for assistance in identifying transaction logs from MSSQL's LDF and MDF files. I have tried all tools on first 2 pages of google. The LDF and MDF files load but none show the transaction logs directly. Has anyone encountered the same? Specifically looking to identify who ran what query. (edited)

stark4n6

sometimes it's as simple as that though, the barrier to entry is low but people get scared to do so. I know it took me months to share after working on this I wanted out there

imposter syndrome

I have a Mac Studio 2022 and MacBook Pro 2021, does anyone know if Target Disk Mode will work with Digital collector and if it is filevault encrypted, how many times I can attempt a password to see if it will unlock ?

Jay528

I have a Mac Studio 2022 and MacBook Pro 2021, does anyone know if Target Disk Mode will work with Digital collector and if it is filevault encrypted, how many times I can attempt a password to see if it will unlock ?

pretty sure it is 10 attempts.

10:55 AM

settings can be modified although

Thanks.

is aboutdfir.com the best place to look for entry-level jobs in DFIR. Background: Got GCFE and a masters in digital forensics from Champlain. Looking to get into DFIR but entry level jobs seem hard to come by

Cash

is aboutdfir.com the best place to look for entry-level jobs in DFIR. Background: Got GCFE and a masters in digital forensics from Champlain. Looking to get into DFIR but entry level jobs seem hard to come by

Wasnt great for me. Reach out to companies directly (email. linkedin dm, website inquiry page). Thats what worked for me.

1

theshark

Wasnt great for me. Reach out to companies directly (email. linkedin dm, website inquiry page). Thats what worked for me.

my current company is trying to move me to forensics full time but most of the stuff we're doing is acquisitions so far.

1

11:37 AM

move is going slow so far

Cash

is aboutdfir.com the best place to look for entry-level jobs in DFIR. Background: Got GCFE and a masters in digital forensics from Champlain. Looking to get into DFIR but entry level jobs seem hard to come by

There are several places to look - Here is a post I wrote on 10 places to look for a Digital Forensics Job https://www.hexordia.com/blog-1-1/top-10-places-to-search-for-a-digital-forensics-job TLDR; Google's job search,Ninjajobs, aboutDFIR, This server, Twitter/LinkedIn/Mastodon/Threads, GetYourStartInDFIR, USAJobs... but if I can be blunt (and some may disagree), DFIR isn't always an entry level role. Some PDs do open up entry level positions (i.e. NYSP does each year, but none at the moment). And there are some hires that come from interning - but a lot of folks wind up in the Security Operations Center first. I would look at SOC roles. I also have two suggestions 1) See if you can obtain a cert - what cert? The one the roles you want require 2) Post some demonstrable work ie blog, whitepaper, github, presentation etc. I wrote my thoughts here: https://www.hexordia.com/blog-1-1/top-10-places-to-search-for-a-digital-forensics-job

Top 10 places to search for a Digital Forensics Job — Hexordia

Top 10 places to job hunt in Digital Forensics or Incident Response (DFIR)

2

b1n2h3x

There are several places to look - Here is a post I wrote on 10 places to look for a Digital Forensics Job https://www.hexordia.com/blog-1-1/top-10-places-to-search-for-a-digital-forensics-job TLDR; Google's job search,Ninjajobs, aboutDFIR, This server, Twitter/LinkedIn/Mastodon/Threads, GetYourStartInDFIR, USAJobs... but if I can be blunt (and some may disagree), DFIR isn't always an entry level role. Some PDs do open up entry level positions (i.e. NYSP does each year, but none at the moment). And there are some hires that come from interning - but a lot of folks wind up in the Security Operations Center first. I would look at SOC roles. I also have two suggestions 1) See if you can obtain a cert - what cert? The one the roles you want require 2) Post some demonstrable work ie blog, whitepaper, github, presentation etc. I wrote my thoughts here: https://www.hexordia.com/blog-1-1/top-10-places-to-search-for-a-digital-forensics-job

thanks for the link! Would you recommend me waiting it out to see how me moving to digital forensics at my current company goes first before looking at SOC jobs? I want to get FOR 508 next to improve my WIndows forensics skills. I also have a blog site but it's pretty basic so far

Cash

thanks for the link! Would you recommend me waiting it out to see how me moving to digital forensics at my current company goes first before looking at SOC jobs? I want to get FOR 508 next to improve my WIndows forensics skills. I also have a blog site but it's pretty basic so far

I drafted that while you were typing - so I would say NO! If you can start getting DFIR skills under your belt, document those on your resume. The SOC situation may not be appropriate for you. Start documenting your DFIR skills, tools, knowledge, and new title. And if things aren't picking up where you are getting more exposure/learning - look for an opportunity that will get you more hands on cases

1

11:43 AM

You already had the intro to security role at your current company and successfully made the pivot!

11:44 AM

But I will give the same advice I share with all my mentees - Your resume is a living document! Make a primary copy that tracks everything - at this time you probably are learning a new skill or exposure you can be adding biweekly. So please continue to update the document.

b1n2h3x

But I will give the same advice I share with all my mentees - Your resume is a living document! Make a primary copy that tracks everything - at this time you probably are learning a new skill or exposure you can be adding biweekly. So please continue to update the document.

thanks again, been keeping some stuff on my blog site. I'm not sure what is good content to show on it. Examples are labs I do, beginner knowledge posts, and getting into more technical topics. I can share a link privately if anyone wants to give suggestions (edited)

Cash

thanks again, been keeping some stuff on my blog site. I'm not sure what is good content to show on it. Examples are labs I do, beginner knowledge posts, and getting into more technical topics. I can share a link privately if anyone wants to give suggestions (edited)

sharing is caring, do whatever interests you. Would love to add it to my blog roll on https://startme.stark4n6.com, I'm sure @randomaccess would add it to his This Week In 4n6 site too

3

Cash

thanks again, been keeping some stuff on my blog site. I'm not sure what is good content to show on it. Examples are labs I do, beginner knowledge posts, and getting into more technical topics. I can share a link privately if anyone wants to give suggestions (edited)

Agree with @stark4n6 - share more widely. Also consider submitting any new research with DFIR Review dfir.pubpub.org

1

stark4n6

sharing is caring, do whatever interests you. Would love to add it to my blog roll on https://startme.stark4n6.com, I'm sure @randomaccess would add it to his This Week In 4n6 site too

nice website! I've used it a couple times haha (edited)

2

stark4n6

sharing is caring, do whatever interests you. Would love to add it to my blog roll on https://startme.stark4n6.com, I'm sure @randomaccess would add it to his This Week In 4n6 site too

I'd appreciate it if you added my blog too. I'm not a frequent poster, but doing more lately and hoping to continue. digiforensics.blogspot.com

1

Ken Pryor

I'd appreciate it if you added my blog too. I'm not a frequent poster, but doing more lately and hoping to continue. digiforensics.blogspot.com

Already had you on there from way back Ken

stark4n6

Already had you on there from way back Ken

haha didn't even know that. Thanks!!!

1

Is there a way to search for a FB account by the ID number. I remember being about to a couple of year ago.

digital Bowles

Is there a way to search for a FB account by the ID number. I remember being about to a couple of year ago.

You should be able to put the ID number into the URL. IE: https://www.facebook.com/1234567890123456789

Thank you.

1

Do we have a rep for magnet forensics that I can contact?

@Magnet Forensics

1

Borderbingo

Do we have a rep for magnet forensics that I can contact?

I’m happy to help.

Anyone with experience getting workout data (raw coordinate data) from Apple Health? I am tring to access the raw contents of the healthdb_secure.sqlite so I can hope there is logged lat/long at a certain time of high activity. Will I need to request the data from Apple if it wasn't recovered extensively with Cellebrite?

Has anyone been using Caine? I’m looking to install and try out . Hit me up!

Looking for guidance on best channel to ask - my gf WhatsApp receives a call for a 2FA code, minutes later is logged out of WhatsApp, but since 2FA pin passcode is requested account is still secured. How is the other party receiving the 2FA code from the phone call to almost get into the account?

thatboy_leo

Looking for guidance on best channel to ask - my gf WhatsApp receives a call for a 2FA code, minutes later is logged out of WhatsApp, but since 2FA pin passcode is requested account is still secured. How is the other party receiving the 2FA code from the phone call to almost get into the account?

SIM cloning?

Andrew Rathbun

SIM cloning?

Yea my concern since the 2FA only shows as an incoming call, thankful that the 2FA pin protected account but will need to see how to protect in case of sim cloning

Hello Everyone. "Long time listener, first time caller" type of message here. I'll start with my bottom line up front: Am I on the right path? I preface that to say if I am in the wrong area, please guide me along the right path. Right down to it, I'm a future career switcher and aspiring contributor to Digital Forensics field. I've been data mining my way around which led me to this discord, several LinkedIn profiles, podcasts, Magnet Summit earlier this year and have done what is considered my best to gather pertinent info for what I think are my 1st steps to switching careers. Quick background: B.S. Criminal Justice, military experience as military police officer, currently employed by DoD as an Assistant Inspector General (like auditing but of various military programs). Within that timeline, I'd consider myself to have the standard minimum cybersecurity knowledge. With my go-getter spirit, I enrolled in a certificate (bootcamp) program which I completed in June. Currently have my ITF cert, foregoing my A+ but will obtain Net+, Sec+ and maybe AWS Cloud Practitioner, which comes with the classes. Meat & Potatoes of it all: I will likely enroll and commit to Cyber5W's all access pass. (Can't beat the content creators value, input and their prices, so thank you @b1n2h3x & @binary ) Concurrently pending the commitment of family, life, work, education balance I would find me a local on the job training/internship as much as I can however this has been probably the most challenging. If anyone reading has connections in the San Diego/ Riverside/LA county area that I can take to lunch just to get some face to face time, I'd really appreciate it. I expect my plan to be revised but wanted to gain any feedback out there on what I am missing from this plan, how to bullet-proof it as much as possible, etc. Open canvas willing to hear any feedback to launch me into the field.

Welcome @CyberTitan11 - Good luck and please feel to reach out if you need to Salute

1

@Deleted User you around mate?

2:31 AM

wondering if you've lost any socks

CyberTitan11

Hello Everyone. "Long time listener, first time caller" type of message here. I'll start with my bottom line up front: Am I on the right path? I preface that to say if I am in the wrong area, please guide me along the right path. Right down to it, I'm a future career switcher and aspiring contributor to Digital Forensics field. I've been data mining my way around which led me to this discord, several LinkedIn profiles, podcasts, Magnet Summit earlier this year and have done what is considered my best to gather pertinent info for what I think are my 1st steps to switching careers. Quick background: B.S. Criminal Justice, military experience as military police officer, currently employed by DoD as an Assistant Inspector General (like auditing but of various military programs). Within that timeline, I'd consider myself to have the standard minimum cybersecurity knowledge. With my go-getter spirit, I enrolled in a certificate (bootcamp) program which I completed in June. Currently have my ITF cert, foregoing my A+ but will obtain Net+, Sec+ and maybe AWS Cloud Practitioner, which comes with the classes. Meat & Potatoes of it all: I will likely enroll and commit to Cyber5W's all access pass. (Can't beat the content creators value, input and their prices, so thank you @b1n2h3x & @binary ) Concurrently pending the commitment of family, life, work, education balance I would find me a local on the job training/internship as much as I can however this has been probably the most challenging. If anyone reading has connections in the San Diego/ Riverside/LA county area that I can take to lunch just to get some face to face time, I'd really appreciate it. I expect my plan to be revised but wanted to gain any feedback out there on what I am missing from this plan, how to bullet-proof it as much as possible, etc. Open canvas willing to hear any feedback to launch me into the field.

Great work and thanks for checking out the content. A lot of my thoughts are here https://www.hexordia.com/blog-1-1/pathway-to-digital-forensics I’ll DM as well. Great initiative!

Pathway to Digital Forensics — Hexordia

I am often asked how to get into Digital Forensics and/or Incident Response. It is a great question, often filled with a lot of nuances based on the background of the person asking as well as their areas of interest. That said, I think there are 7 key things that need to be considered; namely, Educa

5

CyberTitan11

Hello Everyone. "Long time listener, first time caller" type of message here. I'll start with my bottom line up front: Am I on the right path? I preface that to say if I am in the wrong area, please guide me along the right path. Right down to it, I'm a future career switcher and aspiring contributor to Digital Forensics field. I've been data mining my way around which led me to this discord, several LinkedIn profiles, podcasts, Magnet Summit earlier this year and have done what is considered my best to gather pertinent info for what I think are my 1st steps to switching careers. Quick background: B.S. Criminal Justice, military experience as military police officer, currently employed by DoD as an Assistant Inspector General (like auditing but of various military programs). Within that timeline, I'd consider myself to have the standard minimum cybersecurity knowledge. With my go-getter spirit, I enrolled in a certificate (bootcamp) program which I completed in June. Currently have my ITF cert, foregoing my A+ but will obtain Net+, Sec+ and maybe AWS Cloud Practitioner, which comes with the classes. Meat & Potatoes of it all: I will likely enroll and commit to Cyber5W's all access pass. (Can't beat the content creators value, input and their prices, so thank you @b1n2h3x & @binary ) Concurrently pending the commitment of family, life, work, education balance I would find me a local on the job training/internship as much as I can however this has been probably the most challenging. If anyone reading has connections in the San Diego/ Riverside/LA county area that I can take to lunch just to get some face to face time, I'd really appreciate it. I expect my plan to be revised but wanted to gain any feedback out there on what I am missing from this plan, how to bullet-proof it as much as possible, etc. Open canvas willing to hear any feedback to launch me into the field.

Don't do it! Turn around and run now, before "the rabbit hole" consumes you! j/k Whole raft of professionals in here that can give you incredible insight. Welcome and best wishes.

2

Hi! Does anyone know if this path comes from an instagram story? var/mobile/Containers/Data/Application/APPID/Library/Caches/com.burbn.instgram.GSparseVideoPrefetchCache

What's the best way to explain Greykey when asked in a trial?

4:57 AM

Is there a standard response?

DFE Travis

Is there a standard response?

Pretty sure they have a pdf on their customer portal you can download for legal responses on what you should or shouldn't say along with what you can or cannot release

I sadly don't have a customer account, only the others in my lab do

5:04 AM

Explaining that it functions by performing a brute-force attack against the passcode would be sufficient, correct?

Anyone thats familiar with @Griffeye maybe help me with a quick tip. When you have a file in thumbnail view that has multiple visual copies is there a quick way to see both separately? I know if I hover on the "VIS #" it pops them both up but I'm trying to look at the other visual copy in more detail to see more about it. (path, dates, metadata etc) I know I can probably turn off the option that hides visual copies, was just hoping theres a quick way as I locate items of interest.

DFE Travis

Explaining that it functions by performing a brute-force attack against the passcode would be sufficient, correct?

I'd have them log into the support portal for you and search for the "Requests for Information Regarding GrayKey" and download the PDF. Not trying to be vague but NDAs and what not for GK capabilities I don't want to put anything down. The article answers your question and is a better reference for your testimony than guy on DFIR discord

Much appreciated!

Anybody use Synology NAS in their lab workflow?

2

1

snoop168

Anyone thats familiar with @Griffeye maybe help me with a quick tip. When you have a file in thumbnail view that has multiple visual copies is there a quick way to see both separately? I know if I hover on the "VIS #" it pops them both up but I'm trying to look at the other visual copy in more detail to see more about it. (path, dates, metadata etc) I know I can probably turn off the option that hides visual copies, was just hoping theres a quick way as I locate items of interest.

Click Visual Copies at the bottom? To the right of grid view.

Queen-L

Hi! Does anyone know if this path comes from an instagram story? var/mobile/Containers/Data/Application/APPID/Library/Caches/com.burbn.instgram.GSparseVideoPrefetchCache

#mobile-forensic-decoding

b1n2h3x

Great work and thanks for checking out the content. A lot of my thoughts are here https://www.hexordia.com/blog-1-1/pathway-to-digital-forensics I’ll DM as well. Great initiative!

I love this article.

1

CyberTitan11

I love this article.

Thank you!

Digitalferret

Don't do it! Turn around and run now, before "the rabbit hole" consumes you! j/k Whole raft of professionals in here that can give you incredible insight. Welcome and best wishes.

hahaha too late for me. I'm to the point of no return....I told my wife lol She never lets me back out of commitments

2

CyberTitan11

Hello Everyone. "Long time listener, first time caller" type of message here. I'll start with my bottom line up front: Am I on the right path? I preface that to say if I am in the wrong area, please guide me along the right path. Right down to it, I'm a future career switcher and aspiring contributor to Digital Forensics field. I've been data mining my way around which led me to this discord, several LinkedIn profiles, podcasts, Magnet Summit earlier this year and have done what is considered my best to gather pertinent info for what I think are my 1st steps to switching careers. Quick background: B.S. Criminal Justice, military experience as military police officer, currently employed by DoD as an Assistant Inspector General (like auditing but of various military programs). Within that timeline, I'd consider myself to have the standard minimum cybersecurity knowledge. With my go-getter spirit, I enrolled in a certificate (bootcamp) program which I completed in June. Currently have my ITF cert, foregoing my A+ but will obtain Net+, Sec+ and maybe AWS Cloud Practitioner, which comes with the classes. Meat & Potatoes of it all: I will likely enroll and commit to Cyber5W's all access pass. (Can't beat the content creators value, input and their prices, so thank you @b1n2h3x & @binary ) Concurrently pending the commitment of family, life, work, education balance I would find me a local on the job training/internship as much as I can however this has been probably the most challenging. If anyone reading has connections in the San Diego/ Riverside/LA county area that I can take to lunch just to get some face to face time, I'd really appreciate it. I expect my plan to be revised but wanted to gain any feedback out there on what I am missing from this plan, how to bullet-proof it as much as possible, etc. Open canvas willing to hear any feedback to launch me into the field.

welcome! I would go look at Amazon and search for digital forensics. A couple books I like that are intro are "Handbook of Digital Investigations" by Eoghan Casey and "File System Forensics" by Brian Carrier. SANS courses are great too but are expensive

2

9:55 PM

but if you can get help from where you work, it's worth it

Cash

welcome! I would go look at Amazon and search for digital forensics. A couple books I like that are intro are "Handbook of Digital Investigations" by Eoghan Casey and "File System Forensics" by Brian Carrier. SANS courses are great too but are expensive

Definitely will look into the books. I was actually looking at trying to use my veteran status for GI Bill and having them pay for it.

‍♂️ Still working this angle. I meet a guy via LinkedIn that was able to do this.

1

CyberTitan11

Definitely will look into the books. I was actually looking at trying to use my veteran status for GI Bill and having them pay for it.

‍♂️ Still working this angle. I meet a guy via LinkedIn that was able to do this.

obviously depends on the funds for where you work, but you should be able to get approved. Someone else can probably chime in to see if you get a discount on prices for being a veteran

10:16 PM

I'd start with FOR500 first if you don't know a ton about Windows forensics, then go for FOR508 a little later

CyberTitan11

Definitely will look into the books. I was actually looking at trying to use my veteran status for GI Bill and having them pay for it.

‍♂️ Still working this angle. I meet a guy via LinkedIn that was able to do this.

They have an MS program at SANS and that is how some GI Bill recipients pay for the classes, certs and degree… worth looking at that

1

How long do you guys retain extractions?

7:28 AM

Esp for places dealing with a lot of extractions per day

DefendingChamp

How long do you guys retain extractions?

12yo inside me wants to say "til the tooth fairy gives me the coin" . i'll see myself out

thatboy_leo

Yea my concern since the 2FA only shows as an incoming call, thankful that the 2FA pin protected account but will need to see how to protect in case of sim cloning

Looking online it shows that a 6 digit pin code can be used for whatsapp ? https://faq.whatsapp.com/1278661612895630?helpref=faq_content

Kaarvonen

Anybody use Synology NAS in their lab workflow?

We do but as of lately they have become more and more picky on what HDD's you can use in the system. It becomes a pain to obtain those certain HDD's. My 2 cents.

1

@DCSO I just got 8 ironwolf 20TB NAS drives and the first thing it said was that they were not recommended

9:25 AM

Oh well. We have to go through purchasing for everything and it’s working for now I guess. I don’t want to have to wait 3 months on more drives.

Kaarvonen

@DCSO I just got 8 ironwolf 20TB NAS drives and the first thing it said was that they were not recommended

Nice, I'm glad it still working for you. Some of our hard drives it refused to work in the unit becuase it was not ones they recommend. We also had issue of upgrading the firmware in the NAS and afterwards there HDD's that were in the unit for years was not able to be seen because it was not part of the specs they wanted for HDD's

1

Thanks for the heads up!

Hey, has anyone encountered C:\Windows\System32\catroot2\dberr.txt and knows what it's linked to / what actions it logs?

Deleted User

Hey, has anyone encountered C:\Windows\System32\catroot2\dberr.txt and knows what it's linked to / what actions it logs?

Looks like lots of Event Log Providers being logged here, for some reason.

1:10 PM

Here is one from like 2008 from an open source forensic image

CatalogDB: 3:36:21 AM 1/19/2008: SyncDB:: AddCatalog:  Microsoft-Windows-RecDisc-Package~31bf3856ad364e35~x86~en-US~6.0.6001.18000.cat
CatalogDB: 3:36:21 AM 1/19/2008: SyncDB:: AddCatalog:  Microsoft-Windows-RecDisc-Package~31bf3856ad364e35~x86~~6.0.6001.18000.cat
CatalogDB: 3:36:21 AM 1/19/2008: SyncDB:: AddCatalog:  Microsoft-Windows-RemoteAssistance-Package-Server~31bf3856ad364e35~x86~en-US~6.0.6001.18000.cat
CatalogDB: 3:36:21 AM 1/19/2008: SyncDB:: AddCatalog:  Microsoft-Windows-RemoteAssistance-Package-Server~31bf3856ad364e35~x86~~6.0.6001.18000.cat
CatalogDB: 3:36:21 AM 1/19/2008: SyncDB:: AddCatalog:  Microsoft-Windows-RemovableStorageManagement-Package~31bf3856ad364e35~x86~en-US~6.0.6001.18000.cat
CatalogDB: 3:36:21 AM 1/19/2008: SyncDB:: AddCatalog:  Microsoft-Windows-RemovableStorageManagement-Package~31bf3856ad364e35~x86~~6.0.6001.18000.cat
CatalogDB: 3:36:21 AM 1/19/2008: SyncDB:: AddCatalog:  Microsoft-Windows-Rights-Management-Services~31bf3856ad364e35~x86~en-US~6.0.6001.18000.cat
CatalogDB: 3:36:21 AM 1/19/2008: SyncDB:: AddCatalog:  Microsoft-Windows-Rights-Management-Services~31bf3856ad364e35~x86~~6.0.6001.18000.cat

1:10 PM

Then, here are some entries from my Windows 11 system. Appears to have millisecond counts now, for some reason

CatalogDB: 9:09:56 AM 6/30/2023: DONE Adding Catalog File (16ms): Microsoft-Windows-MediaPlayer-Opt-Package~31bf3856ad364e35~amd64~~10.0.22621.1972.cat
CatalogDB: 9:09:56 AM 6/30/2023: DONE Adding Catalog File (31ms): Microsoft-Windows-Media-Player-Package~31bf3856ad364e35~amd64~~10.0.22621.1972.cat
CatalogDB: 9:09:56 AM 6/30/2023: DONE Adding Catalog File (15ms): microsoft-windows-netfx3-ondemand-package-Wrapper~31bf3856ad364e35~amd64~~10.0.22621.1972.cat
CatalogDB: 9:09:56 AM 6/30/2023: DONE Adding Catalog File (63ms): Microsoft-Windows-NetFx3-OnDemand-Package~31bf3856ad364e35~amd64~~10.0.22621.1972.cat
CatalogDB: 9:09:56 AM 6/30/2023: DONE Adding Catalog File (0ms): microsoft-windows-notepad-system-fod-package-Wrapper~31bf3856ad364e35~amd64~~10.0.22621.1972.cat
CatalogDB: 9:09:56 AM 6/30/2023: DONE Adding Catalog File (0ms): Microsoft-Windows-Notepad-System-FoD-Package~31bf3856ad364e35~amd64~~10.0.22621.1972.cat
CatalogDB: 9:09:56 AM 6/30/2023: DONE Adding Catalog File (0ms): microsoft-windows-powershell-ise-fod-package-Wrapper~31bf3856ad364e35~amd64~~10.0.22621.1972.cat
CatalogDB: 9:09:56 AM 6/30/2023: DONE Adding Catalog File (16ms): Microsoft-Windows-PowerShell-ISE-FOD-Package~31bf3856ad364e35~amd64~~10.0.22621.1972.cat

1:10 PM

but those 100% look like event log providers

1:11 PM

Now, that being said, doesn't mean they are, they just appear to be very similar to event log providers I've seen. Maybe they are package names or something

1:13 PM

Have you considered running ProcMon to try and isolate what is writing to dberr.txt @Deleted User?

1:15 PM

I also wonder if that's an error log for Windows updates or something. if you search 31bf3856ad364e35 or similar strings, you see it hits on cumulative updates in Google

Andrew Rathbun

Have you considered running ProcMon to try and isolate what is writing to dberr.txt @Deleted User?

No, haven't yet, just came across a device where transacted hollowing was executed and it logged the errors there, it seems like I can actually add saved logs to Event Viewer from the files logged in folders from catroot2 too

1

Deleted User

No, haven't yet, just came across a device where transacted hollowing was executed and it logged the errors there, it seems like I can actually add saved logs to Event Viewer from the files logged in folders from catroot2 too

Report back with any cool findings please!

Definitely!

I found a velociraptor doc about it (the .txt file itself actually seems to be related to windows updates & I have no idea why it logs errors with failed hollowing); Here's the doc: https://docs.velociraptor.app/blog/2021/2021-06-09-verifying-executables-on-windows-1b3518122d3c/

Verifying executables on Windows :: Velociraptor - Digging deeper!

How do we know if a windows executable is a legitimate program written by the purported developer and not malware? This post covers the basics of Authenticode signatures in windows and how to verify and query them using Velociraptor.

Any way to view Citrix netscaler logs on a Windows machine? Client gave me a bunch of newnslog logs but are they only readable in Linux?

Hey, got another question; On Windows devices with AMD, there's a directory which logs all opened processes (windowed applications etc) In C:\Windows\System32\AMD\EeuDumps; if anyone has ever encountered it, are there any ways of making it humanly readable with paths to applications? I could send the example .txt log if needed

Deleted User

Hey, got another question; On Windows devices with AMD, there's a directory which logs all opened processes (windowed applications etc) In C:\Windows\System32\AMD\EeuDumps; if anyone has ever encountered it, are there any ways of making it humanly readable with paths to applications? I could send the example .txt log if needed

Send it my way please, am very curious

Andrew Rathbun

Send it my way please, am very curious

It's quite a mess

R-gpu-0-g6-c200-2023-7-21-16-29-27-356.log

369.46 KB

4:46 PM

Is there a website that has windows images to practice on?

Cash

Is there a website that has windows images to practice on?

Aboutdfir.com has an index of them. Otherwise cfreds

1

Cash

Is there a website that has windows images to practice on?

https://digitalcorpora.org/

simsong

Home

1

anyone has exprirences with the social network "ok.ru"? They're probably not very cooperative, are they?

Hello. I am new here. I aspire to be a digital forensics examiner one day. But I am too confused. I have a masters degree in IT. Have worked for two years in cyber security. I recent got a job in fraud forensics, where they use FTK for investigations. So I am taking it thinking that it will be a good stepping stone for me to have a career in digital forensics. This job pays a little less though. But I am very confused on the path, the skills I need to build, the pace I should follow. I tend to start everything at once and then complete nothing. I am really lost and desperate and ruining my life rapidly. If someone could be give me some advise please.

stardustgirl

Hello. I am new here. I aspire to be a digital forensics examiner one day. But I am too confused. I have a masters degree in IT. Have worked for two years in cyber security. I recent got a job in fraud forensics, where they use FTK for investigations. So I am taking it thinking that it will be a good stepping stone for me to have a career in digital forensics. This job pays a little less though. But I am very confused on the path, the skills I need to build, the pace I should follow. I tend to start everything at once and then complete nothing. I am really lost and desperate and ruining my life rapidly. If someone could be give me some advise please.

What you mean your ruining your life?

elco6719

What you mean your ruining your life?

well i am too confused, i left my job because i wanted to switch the field. i wasn't able to get it because no experience. I had to resort to a job which is paying me less, and it's embarrassing coz people my age are earning so much. i have no idea what am doing with my life, just feels like wasting time and walking in circles, i am not able to even apply to jobs effeciently.

11:44 PM

i had one job offer which paid good money, but because it was not the field i wanted to pursue i declined the offer. i figured that if i want to switch and do something for my end goal, i need to find a job which falls in the vicinity of digital forensics.

11:46 PM

in hindsight it feels like a mistake perhaps, but idk. It is said that you should follow your interests, but idk how sensible it is do so.

11:46 PM

am sorry for pouring all this out, just stuck in a bad place

(edited)

@stardustgirl You should not regret something you did, or tried. In what way can we help?

florus

@stardustgirl You should not regret something you did, or tried. In what way can we help?

some career advise, the career path for digital forensics, skills to build, certifications....is it possible to get a job in digital forensics with 2+ years of work experience? Or is more experience in other fields needed? (edited)

stardustgirl

some career advise, the career path for digital forensics, skills to build, certifications....is it possible to get a job in digital forensics with 2+ years of work experience? Or is more experience in other fields needed? (edited)

You could also check #training-education-employment regarding to your questions. I think its important to let uw know in what country you would like to persue a dfir job. In this way people from that area can give you the best advice. I think 2 years of experience is enough, as long as you are eager to learn. (edited)

florus

You could also check #training-education-employment regarding to your questions. I think its important to let uw know in what country you would like to persue a dfir job. In this way people from that area can give you the best advice. I think 2 years of experience is enough, as long as you are eager to learn. (edited)

ok, I will check it out. thank you.

I am from India.

@Law Enforcement [India] You might be lucky some Indian's want to answer your question in a DM or so. @stardustgirl (edited)

stardustgirl

Hello. I am new here. I aspire to be a digital forensics examiner one day. But I am too confused. I have a masters degree in IT. Have worked for two years in cyber security. I recent got a job in fraud forensics, where they use FTK for investigations. So I am taking it thinking that it will be a good stepping stone for me to have a career in digital forensics. This job pays a little less though. But I am very confused on the path, the skills I need to build, the pace I should follow. I tend to start everything at once and then complete nothing. I am really lost and desperate and ruining my life rapidly. If someone could be give me some advise please.

look deep inside. what really "floats your boat"? It will be something that when you are working on it, the time just flies by. like 4 hrs just disappeared. Don't get too hung up on pay grade, that can be worked on later. just change Co every 2-3 yrs. Keep adding a bit of education/certs before your next move. Digital Forensics can be more of a "calling", the detective in you wants it, rather than the wage. You might also want to find a "cause" like <gender> or <violence/abuse> issues/rights and make that a side niche. Makes you feel like you are fighting for something worthwhile. best wishes

stardustgirl

ok, I will check it out. thank you.

I am from India.

Check DM

2

I was wondering if anyone on here has come across the file called "webapp_registry.xml" on the Google Chrome application on android and if they would be able to give a little bit more insight into what it is?

Anyone from @Magnet Forensics about for a question about keywords and emojis?

Rob

Anyone from @Magnet Forensics about for a question about keywords and emojis?

I’m available

stardustgirl

am sorry for pouring all this out, just stuck in a bad place

(edited)

welcome! I can understand your pain, I was in a similar boat with not knowing what to do. I took a pay decrease to be in a more forensics role from what I was doing because it's what I want to do as a career. As the cliche saying goes "One step back but two steps forward". I'm just starting a DFIR role in June after being in DLP and Linux Admin for 2 years. I got the role by getting my masters and GCFE (SANS cert). There's tons of paths (Windows, Linux, Mac, Network, Malware). I'd start with looking at the book list on r/computerforensics and buy some books. This will get you some beginner's knowledge and is way cheaper than a master's program. I have a blog site just to show what I'm working on. I think this is a valuable way to show employers your passion for forensics and demonstrate your knowledge of different tools I'd get to know some free tools and do some lab experiments trying to find data. Document that somewhere to show employers you know what you're doing. A more expensive option is SANS courses, but I don't recommend that for you right now if you're still exploring if this is the right field for you. IMO, I think you made the right career move. It's very tough to enter the digital forensics field (most jobs are mid to senior level). Get the experience and in 2-3 years you can then move to something that pays better. I'm far from an expert but if you got questions, shoot me a dm. (edited)

2

stardustgirl

Hello. I am new here. I aspire to be a digital forensics examiner one day. But I am too confused. I have a masters degree in IT. Have worked for two years in cyber security. I recent got a job in fraud forensics, where they use FTK for investigations. So I am taking it thinking that it will be a good stepping stone for me to have a career in digital forensics. This job pays a little less though. But I am very confused on the path, the skills I need to build, the pace I should follow. I tend to start everything at once and then complete nothing. I am really lost and desperate and ruining my life rapidly. If someone could be give me some advise please.

I will not re-iterate what others have said already, but they are right... My contribution to this is that you should consider expanding your network, if you don't have LinkedIn already. Get it. Build a network of people you aspire to be like, ask questions and have informed opinions. You should strive to build a relationship with those in the community and see whether anyone is willing to mentor / coach you, there are plenty of people out there who get satisfaction from helping others get into the field. You just have to take the first step... (edited)

1

Is It Done Yet?

I will not re-iterate what others have said already, but they are right... My contribution to this is that you should consider expanding your network, if you don't have LinkedIn already. Get it. Build a network of people you aspire to be like, ask questions and have informed opinions. You should strive to build a relationship with those in the community and see whether anyone is willing to mentor / coach you, there are plenty of people out there who get satisfaction from helping others get into the field. You just have to take the first step... (edited)

good point about mentors. I'm relatively new so looking for one myself

If anyone has experience using a Synology NAS in their workflow that backs up to AWS S3 Glacier can you like this or dm me. I have a few questions about accessing the data using AWS data transfer services and how to get a file structure similar to what is on the NAS. I have a few gaps in my knowledge with AWS so just looking to ask a few basic questions to clear it up for myself and take the right approach to setup what needs to be done!

I recently picked up a Ramsey STE6000 Faraday enclosure for the office. (https://ramseytest.com/ste6000) The box is enormous, plenty of room for activities in there. It measures roughly 15"H x 34"W x 22"D internal dimensions. Came with two LED strips to light up the inside and a power strip along the back for the toys. These boxes are built to order so your specs will likely be a bit different than mine if you have or are going to order one. Mine has a shielded ethernet port as the only interface. I also have locking hasps on the front, which I sorely missed on the Mission Darkness blockbox XL it replaced. The gloves are thicker than those on the Mission Darkness, velcro shouldn't be a concern here in wearing them out. Overall I am happy with the purchase, I have a few criticisms but they wouldn't sway me from getting it again. I needed the room to be able to manage 9-10 devices at a time into a large faraday bag to allow for opening the lid to add or remove items. The blockbox XL was okay in this respect but still cramped at times. The STE6000 is not cramped in any sense while working with that number of devices. The gloves came in very "short", not getting much past halfway to the back wall of the enclosure. I totally didn't adjust the glove mount to allow myself more reach towards the back... The gloves are one size and Ramsey says it's intentional to avoid people plugging/unplugging things through the gloves as they "don't advise" I do that activity. I don't actually buy this explanation since my much smaller STE3000 has gloves that reach the back wall and power strip just fine. I think they just don't stock longer gloves. As it sits I can't quite touch the back wall but I shouldn't lose devices out of reach. My second criticism is that the two LED strips make the interior visible but due to the size it is still quite dim. I would prefer brighter LED strips inside to make things more legible inside the box. (edited)

RAMSEY ELECTRONICS

11:51 AM

FWIW I purchased through Saelig, they were easy to deal with and came in under other vendors on price

Is It Done Yet?

I will not re-iterate what others have said already, but they are right... My contribution to this is that you should consider expanding your network, if you don't have LinkedIn already. Get it. Build a network of people you aspire to be like, ask questions and have informed opinions. You should strive to build a relationship with those in the community and see whether anyone is willing to mentor / coach you, there are plenty of people out there who get satisfaction from helping others get into the field. You just have to take the first step... (edited)

Yes! I have recently started connecting with some people in digital forensics on LinkedIn, also following their posts, it is very informative, i am getting to know the world of DF slowly. Hence, I also asked this question on Discord and got amazing responses! People indeed are so helpful! Starting to like Discord now, I have never been active before but now I will. There is so much to learn!!

whee30

I recently picked up a Ramsey STE6000 Faraday enclosure for the office. (https://ramseytest.com/ste6000) The box is enormous, plenty of room for activities in there. It measures roughly 15"H x 34"W x 22"D internal dimensions. Came with two LED strips to light up the inside and a power strip along the back for the toys. These boxes are built to order so your specs will likely be a bit different than mine if you have or are going to order one. Mine has a shielded ethernet port as the only interface. I also have locking hasps on the front, which I sorely missed on the Mission Darkness blockbox XL it replaced. The gloves are thicker than those on the Mission Darkness, velcro shouldn't be a concern here in wearing them out. Overall I am happy with the purchase, I have a few criticisms but they wouldn't sway me from getting it again. I needed the room to be able to manage 9-10 devices at a time into a large faraday bag to allow for opening the lid to add or remove items. The blockbox XL was okay in this respect but still cramped at times. The STE6000 is not cramped in any sense while working with that number of devices. The gloves came in very "short", not getting much past halfway to the back wall of the enclosure. I totally didn't adjust the glove mount to allow myself more reach towards the back... The gloves are one size and Ramsey says it's intentional to avoid people plugging/unplugging things through the gloves as they "don't advise" I do that activity. I don't actually buy this explanation since my much smaller STE3000 has gloves that reach the back wall and power strip just fine. I think they just don't stock longer gloves. As it sits I can't quite touch the back wall but I shouldn't lose devices out of reach. My second criticism is that the two LED strips make the interior visible but due to the size it is still quite dim. I would prefer brighter LED strips inside to make things more legible inside the box. (edited)

We purchased the STE6000 boxes over 2 years ago and haven't looked back since. Working in an accredited ISO17025 lab, everything needs to be planned, recorded and tested. We have had no issues. The gloves themselves can be lengthened as there is extra material retained by the clasp which can be released, although still not enough to reach to the rear of the box. We have both USB 3.0 x 2 and Ethernet x 2 ports, and use our CP adapters/GK units inside each box. We have found that as long as the practitioners have planned their examinations with the relevant cables and charger/cable already connecetd and powered on, plus utnesils such as a screen stylus etc all inside in advance, then everyhthing runs evenly enough. The lights being slightly dimmed means photographs taken are not affected by screen glare. Yes everything is a play off , however the capability and functionality. are excellent and certainly helped sustain our lab accreditation.

Hi All, not sure if this is the right place to ask, but hope for some assistance. In short, I got elected to work on phishing alerts although I do not have much experience with this. I know how to interpret mail headers, however struggle to perform any additional validation beyond that. In fact, checking SPF, DKIM, and DMARC is not even much of a concern, because we have Proofpoint Protection Server in front of our O365 infrastructure that should reject anything that fail the mentioned checks. But there are situations that Proofpoint passes an email, say for example sent from an gmail account, and afterwards Defender for 0365 determines a URL within such email as malicious (detection technology == URL detonation reputation). However, when I click on the URL within Defender often I just see Summary == No detonation summary, Screenshots == No screenshots to display, Behavior details == No detonation behaviors lol ( very helpful, indeed). How should I proceed with this? It is just me how should be looking after this. Should I reach out to the end user asking “hey is this an e-mail you were waiting to be delivered?”.

3:56 AM

We don't have any sandbox, I spent some time trying to figure out what is going on: 1. Browsed the URL in https://www.browserling.com using Windows 10 /Chrome 114 and the link https://cw010uiy.page[.]link/R6GT got redirected to http://fsvnr.quram[.]cc/34546de4235m342356

the page.link domain looked interesting to me and from what google returned it looks like a Firebase dynamic link that from what I understood may behave differently depending how it is accessed
check the fsvnr.quram[.]cc domain on abuseipdb.com and it returned 6 reports and a confidence of abuse of 20%, IP geo location Russia 194.50.130.[0], geo location confirmed on ipinfo.io as well
submitted the URL to virustotal -> 5 security vendors flagged this URL as malicious

Browserling – Online cross-browser testing

Try for free now! Cross browser test your websites online in all web browsers – Internet Explorer, Edge, Chrome, Safari, Firefox, and Opera.

3:56 AM

5. Browsed the initial URL https://cw010uiy.page[.]link/R6GT in https://www.browserling.com using Android / default browser 7.1 and was redirect (yesterday) to http://fox-ca.assesslikely.co[.]in/crim/vip/UK/7012/?bet=28368923&affsub2=my today nothing happens …

virustotal search for http://fox-ca.assesslikely.co[.]in/crim/vip/UK/7012/?bet=28368923&affsub2=my returns “1 security vendor flagged this domain as malicious”

Browserling – Online cross-browser testing

Try for free now! Cross browser test your websites online in all web browsers – Internet Explorer, Edge, Chrome, Safari, Firefox, and Opera.

3:56 AM

7. submitted yesterday the URL to urlscan.io and it looked like some sort of crypto investment scam https://urlscan.io/result/a3611f0c-31d9-44af-9fe9-4f331322c3ff/compare 8. as of today no able to resolve the domain Based on the findings, I can’t really tell what was the intention of this, information gathering, malware distribution etc? But would classify this as malicious. What could I have done more ? What should I have done differently ? Should I block the IP on my firewall etc? If anyone with experience could guide me a bit, that would be awesome ! THANK YOU !

fox-ca.assesslikely.co.in - urlscan.io

urlscan.io - Website scanner for suspicious and malicious URLs

eziboi

5. Browsed the initial URL https://cw010uiy.page[.]link/R6GT in https://www.browserling.com using Android / default browser 7.1 and was redirect (yesterday) to http://fox-ca.assesslikely.co[.]in/crim/vip/UK/7012/?bet=28368923&affsub2=my today nothing happens …

virustotal search for http://fox-ca.assesslikely.co[.]in/crim/vip/UK/7012/?bet=28368923&affsub2=my returns “1 security vendor flagged this domain as malicious”

nicely de-linked ty. "co[.]in" maybe drop any replies into a Thread to, easier to follow if

4:33 AM

and yeh possibly better, as you have done, in #incident-response

anyone have luck with GPS trackers? we have a request for one and just wondering if anyone has any ideas. its a Trak4 LTE and has a usb port on it

USB might be charging only. The unit should have an external product key or IMEI number you could subpoena to manufacturer for subscriber information or warrant for logs. Might have a sim card you could rip to get identifiers to issue a subpoena on if you don't see any external identifiers

1

yeah, thats what i believe was done by case detective, but the FAQ says it stores locations if out of cell range...which gave us a little hope there might be something on it

Anyone who is cellebrite certified...what modality would you recommend for the course (instructor led, online, on demand)

9:05 AM

in particular the CCO/CCPA (edited)

I have doubt. Is it possible to create two files with same size (bit by bit) with two different values. For example, Is it possible to create spiderman (photo) in jpg And Superman (photo) in jpg format with same file size.. (Bit by bit should be same). if so the hashing value of those files will be same right?. Thanks in advance

Afeef

I have doubt. Is it possible to create two files with same size (bit by bit) with two different values. For example, Is it possible to create spiderman (photo) in jpg And Superman (photo) in jpg format with same file size.. (Bit by bit should be same). if so the hashing value of those files will be same right?. Thanks in advance

only 2 files exactly alike will have exact matching hash values

1

10:02 AM

that's the whole point of accepting "hashed" as a definitve in court.

10:05 AM

that isn't affected by the name though. exact copies with different names will have the same hash value if the contents are exactly alike

^to add to this, keep in mind there are several hashing algorithms, which by their nature will produce different hashes

10:07 AM

for example, you have a base16 or base32 for sha1

to some extent it also depends on the hash, if the hash is 64 bits, there are "only" 2^64 different files, so 2^64+1th file will have identical hash as one of the previous ones

yep ^ from stackechange:

The hash of a file is the hash of its contents. Metadata such as the file name, timestamps, permissions, etc. have no influence on the hash.

Assuming a non-broken cryptographic hash, two files have the same hash if and only if they have the same contents. The most common such hashes are the SHA-2 family (SHA-256, SHA-384, SHA-512) and the SHA3 family. This does not include MD5 or SHA-1 which are broken, nor a CRC such as with cksum which is not a cryptographic hash.

there are algorithms for reverse hashing - that is, making a file that has a given hash

but the OP was asking if the hashes will be the same for different files but with the same size. not the other way round

doesn't mean it will be a Spiderman image, though

but then again, everytime i read it, i think something is lost in translation

(the OP)( (edited)

this is called hash collision

kmacdonald1565

this is called hash collision

yep, argument has come up in court here. MD5 iirc

10:12 AM

so rare an event tho

i always kind of thought too much emphasis was put on the uniqueness of a hash when it comes to finding "identical files"...so as to mean if it is a file that is the target of an investigation (illicit file, CSAM, stolen file, etc), it is viewed and verified anyway. the hash is a tool to help, not the be-all end-all

3

yep, in context it can be pretty much moot. Mk1 eyeball tells all

10:14 AM

it's a tool, no more

BzdoOREK

there are algorithms for reverse hashing - that is, making a file that has a given hash

Wouldn't this be like a rainbow table, but for files? Correct me if I'm wrong

the sound byte of "the file is known to be the file with more certainty than a DNA test" or similar in court is great but meh

10:16 AM

going back to UAPs chat, fries my brain less

Andrew Rathbun

Wouldn't this be like a rainbow table, but for files? Correct me if I'm wrong

that sounds like a nightmare to try and figure out, its literally an infinite amount of bit combinations

10:18 AM

like passwords are a pain enough to break and they are like limited to usually under 20 characters, with whatever encoding

Andrew Rathbun

Wouldn't this be like a rainbow table, but for files? Correct me if I'm wrong

to be honest - no idea, and I don't think it is computationally feasible for serious hashing functions, but I do remember reading some kind of paper on the subject (sigh, can't remember how the process was called, I am an old fart with short memory and English is my 2nd language)

10:24 AM

I was looking for ideas for my game, I use CRC32 to identyify files

10:24 AM

and wondered if someone can generate file with a given CRC

https://preshing.com/20110504/hash-collision-probabilities/

Hash Collision Probabilities

A hash function takes an item of a given type and generates an integer hash value within a given range. The input items can be anything: strings, compiled shader programs, files, …

hashing functions are much more unique, but it is basically the same idea

BzdoOREK

to be honest - no idea, and I don't think it is computationally feasible for serious hashing functions, but I do remember reading some kind of paper on the subject (sigh, can't remember how the process was called, I am an old fart with short memory and English is my 2nd language)

If anyone is curious, i can generate collisions for some of the popular hashes relatively easily

10:58 AM

producing 2 files with MD5 collisions is not difficult at all these days

10:58 AM

and for SHA1 its also pretty easy, but only starting from the work that Google did, not freestarting

11:00 AM

for SHA256, 512, and the SHA3 family of hashes, there aren't any publicly known collisions to date

11:00 AM

and producing one would be computationally infeasible as far as we know

md5 had one that was relatively simple right...like a text file compared against another one each with a different characters in it?

yes, the shortest MD5 one is easily short enough to paste here (edited)

11:06 AM

those are the 2 strings that collide

11:07 AM

the difference is best shown with highlighting though, one sec

11:07 AM

there

11:07 AM

from the wiki page for MD5

11:07 AM

https://en.wikipedia.org/wiki/MD5

MD5

The MD5 message-digest algorithm is a widely used hash function producing a 128-bit hash value. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function MD4, and was specified in 1992 as RFC 1321. MD5 can be used as a checksum to verify data integrity against unintentional corruption. Historically it was widely used as a cry...

nice

These two photos have the same MD5 hash.

11:14 AM

2

1

11:14 AM

Nice!

11:16 AM

the examples i have generated all contain chickens for... well obvious reasons

1

11

kmacdonald1565

yeah, thats what i believe was done by case detective, but the FAQ says it stores locations if out of cell range...which gave us a little hope there might be something on it

Will you update when/if you get a resolution on this? Sounds interesting.... if it's possible to use it without active service and just place/pick up to get a historical location it'd be good to learn a bit more!

will do, we are going to try a few things

whee30

Will you update when/if you get a resolution on this? Sounds interesting.... if it's possible to use it without active service and just place/pick up to get a historical location it'd be good to learn a bit more!

i cracked it open and saw a esp32 inside

4:54 PM

didnt see any specific memory chips, but i didnt google each thing on the board

4:55 PM

i know i can take a usb to ttl or similar type thing to read/write, just dont know if anything will be useful from it.....

4:56 PM

i have several esp32 and esp8266 type micro controller boards in smart outlets and all. i know i can pull a bin of the program on there, just dont know if i can get any useful memory off of it (edited)

Hi, anyone from @AccessData/Exterro/@Exterro able to DM me please?

@S1 drop me a dm

S1

Hi, anyone from @AccessData/Exterro/@Exterro able to DM me please?

Sorted now thanks

does anyone know of or have a script/tool that can build databases for all or most tools? so griffeye, xways, ufed and axiom etc all have their own built in hash database manager and axiom has their central database manager however it would be nice to have 1 tools or script that you can throw a bunch of hash files into a generate a db file for each tool that can be pushed out to all machines.

equalexpert

does anyone know of or have a script/tool that can build databases for all or most tools? so griffeye, xways, ufed and axiom etc all have their own built in hash database manager and axiom has their central database manager however it would be nice to have 1 tools or script that you can throw a bunch of hash files into a generate a db file for each tool that can be pushed out to all machines.

Sounds like a open source project idea to me.

Beercow

Sounds like a open source project idea to me.

I thought as much

theshark

Anyone who is cellebrite certified...what modality would you recommend for the course (instructor led, online, on demand)

I prefer instructor led, more important for CCO as you'll get hands-on with devices/extractions. CCPA doesn't matter as you're working with extractions.

1

So I am building a parser for forensic images that are formatted with ReFS (more type of FS support will be added in the future) and I was wondering what features would an investigator find useful in such a tool. For ex: Console based or GUI based or Both Have the different fs structures bytes highlighted with colors Having the ability to create on demand reports from a opened case based on the evidence etc etc Let me know!

equalexpert

I thought as much

too bad these companies cant collaborate on a standard server to use across all tools. My vote is for @Griffeye to lead the charge with this and their GID system since a lot of our classifications come back in from griffeye at least in our lab

12:01 PM

does anyone know where I can find IOS update logs? Looking to see when the phone was updated to the current ios version its on, preferably see the version that it upgraded from

Anyone concerned about eSIMs becoming suddenly more mainstream - causing major problems for LEA to ensure network isolation for mobile devices pending and during examination (with traditional isolation boxes and rooms being very much cost and practical prohibitive)?

MBdet

Anyone concerned about eSIMs becoming suddenly more mainstream - causing major problems for LEA to ensure network isolation for mobile devices pending and during examination (with traditional isolation boxes and rooms being very much cost and practical prohibitive)?

Yep, everyone is trying to think of solutions and they are all costly.

DCSO

Yep, everyone is trying to think of solutions and they are all costly.

A signal jammer with a reasonable degree of range control is the only solution I’m aware of that could be far cheaper and get the job done without the many practical challenges and limitations to boxes and room cladding. Notwithstanding some legal challenges to overcome in terms of the interference, but that shouldn’t be overly difficult eg with an appropriate standing authority. But I’m not sure if the technology is sufficiently developed or available, and it would need to be reasonably so to ensure the interference is limited to the required areas….

If you are familar with the ZRTCLOCATIONMO db in a FFS cellebrite IOS 16 extraction can you check out my question in #mobile-forensic-extractions (edited)

Hi, can somebody explain to me why it is (not) possible to extract the memory of a OnePlus Nord N10 5G (Android 11). I can extract an encrypted image of the userdata partition with edl: https://github.com/bkerler/edl

MBdet

A signal jammer with a reasonable degree of range control is the only solution I’m aware of that could be far cheaper and get the job done without the many practical challenges and limitations to boxes and room cladding. Notwithstanding some legal challenges to overcome in terms of the interference, but that shouldn’t be overly difficult eg with an appropriate standing authority. But I’m not sure if the technology is sufficiently developed or available, and it would need to be reasonably so to ensure the interference is limited to the required areas….

I think one of the major problems with signal jamming would be FCC signoff

1

1:22 PM

for the US, anyhow

1:25 PM

I'd be curious how controllable the range of a jammer could be. Like could you have a deskpad that jams signals for a foot or two max?

plmi

Hi, can somebody explain to me why it is (not) possible to extract the memory of a OnePlus Nord N10 5G (Android 11). I can extract an encrypted image of the userdata partition with edl: https://github.com/bkerler/edl

#mobile-forensic-extractions

Hey, got a question (not sure if this is even related to Forensics though); So there's a function in system informer that can create a kernel live dump, though in the past it used to bluescreen on some windows 11 builds so I was wondering if maybe there are any other forensic tools that can do the same thing (or) if it's been fixed

3:58 PM

I mainly have to work on Live systems so not looking for anything related to RAM / .MEM dumps of the entire system

Deleted User

I mainly have to work on Live systems so not looking for anything related to RAM / .MEM dumps of the entire system

Wouldn’t something like DumpIt be what you are looking for? https://www.magnetforensics.com/resources/magnet-dumpit-for-windows/

MAGNET DumpIt for Windows - Magnet Forensics

MAGNET DumpIt for Windows is a fast memory acquisition tool for Windows (x86, x64, ARM64). Generate full memory crash dumps of Windows machines.

1

DCSO

Yep, everyone is trying to think of solutions and they are all costly.

DSCO how are LEA[US] dealing with it currently - are eSIMs already quite prevalent there?

FullTang

Click to see attachment 🖼️

Could you please snd me those file once again. I'm getting dfrnt hash value. Nd file size of plane nd ship were different.

MBdet

DSCO how are LEA[US] dealing with it currently - are eSIMs already quite prevalent there?

iPhone 14 in US and Canada is eSIM only if memory serves me right

Matt

iPhone 14 in US and Canada is eSIM only if memory serves me right

That's what I thought, can imagine it won't be long til it happens over here soon

Agreed, it’s only a matter of time until it’s mandatory here too

1

Afeef

Could you please snd me those file once again. I'm getting dfrnt hash value. Nd file size of plane nd ship were different.

Here is a blog post with the two images. https://natmchugh.blogspot.com/2015/02/create-your-own-md5-collisions.html?m=1

Create your own MD5 collisions

A while ago a lot of people visited my site ( ~ 90,000 ) with a post about how easy it is to make two images with same MD5 by using a chos...

1

Matt

iPhone 14 in US and Canada is eSIM only if memory serves me right

Here in Argentina, we are starting to receive iPhones 14 with only eSIM. We are currently exploring different options to counter this new technology

nachito 4n6s

Here in Argentina, we are starting to receive iPhones 14 with only eSIM. We are currently exploring different options to counter this new technology

Faraday cages or bags is our solution. But we haven't seen many yet (Louisiana,

)

Yes, we are in the process of shielding the entire lab with a faraday cage. For seizing devices we don't have many faraday bags, so we found a cheap but effective way to mimic a faraday bag using 5 turns of aluminum foil on the device

5

nachito 4n6s

Yes, we are in the process of shielding the entire lab with a faraday cage. For seizing devices we don't have many faraday bags, so we found a cheap but effective way to mimic a faraday bag using 5 turns of aluminum foil on the device

tinfoil! no really

Yes tinfoil sorry

@Cellebrite need some assistance please!

1

theshark

in particular the CCO/CCPA (edited)

That would really depend on your existing exposure to the materials covered. If it would be for someone with no exposure to it then instructor lead would be my preference for a new crew member. The ability to ask questions and get immediate answers from the instructor is the big selling point for this format.

1

Matt

iPhone 14 in US and Canada is eSIM only if memory serves me right

We still have the physical SIM slots on the Canadian version of the iPhone 14. It wont be long though..........

snoop168

too bad these companies cant collaborate on a standard server to use across all tools. My vote is for @Griffeye to lead the charge with this and their GID system since a lot of our classifications come back in from griffeye at least in our lab

that would be nice. yeah @Griffeye would be pretty good as it handles hashes that are re-categorised nicely so then could roll out a new master hashset to other formats

Faraday bag at time of seizure from a live owner is best but quite costly to deploy to "all" first responders -- the reality is that for deceased victims and phones found at crime scenes, it is impossible to shield from RF immediately at the time of the incident/event -- if network isolation cannot be ensured from the incident location to the lab, then there is zero point in building robust and costly lab solutions that would often be too late in the whole affair (e.g. putting the phone in a Faraday box or $50K Faraday room like 6 days after the murder, after it sat on the floor of the kitchen for 18 hours then in an unshielded evidence bag while in transit and booking in on its way to your lab is completely depressing

) (edited)

2

equalexpert

that would be nice. yeah @Griffeye would be pretty good as it handles hashes that are re-categorised nicely so then could roll out a new master hashset to other formats

I actually sent an open email the @Griffeye and @Magnet Forensics bosses to request they collaborate on this. I think since Magnet makes a competing media review product it would be difficult. It was entirely predictable that hashset manager would come to compete with gid with no real benefit for the double work I now need to do tor nsrl and CAID updates. I’ve noticed both use mongodb dbms so I need to see if having one data store and some ‘virtual’ tables are possible though…

CLB-dan.techcrime

Faraday bag at time of seizure from a live owner is best but quite costly to deploy to "all" first responders -- the reality is that for deceased victims and phones found at crime scenes, it is impossible to shield from RF immediately at the time of the incident/event -- if network isolation cannot be ensured from the incident location to the lab, then there is zero point in building robust and costly lab solutions that would often be too late in the whole affair (e.g. putting the phone in a Faraday box or $50K Faraday room like 6 days after the murder, after it sat on the floor of the kitchen for 18 hours then in an unshielded evidence bag while in transit and booking in on its way to your lab is completely depressing

) (edited)

Definitely.. for us local Kiosk sites are an essential DF solution to address majority of our (Level 1) examinations. So for us the challenge is to isolate devices: 1. From scene 2. In storage (labs and examination rooms can’t store all of those exhibits for the duration of their recovery) 3. At local Kiosk sites (these are dedicated rooms/labs for ISO 17025) 4. At Level 2 / forensic unit lab(s) 5. In transit between all of the above So just having a faraday room for 4. At great cost and practical difficulty (needs; an airlock, to be big enough for multiple workstations to deal with the volume, UPS to work, aircon to work, network and power connectivity to work, to be tested and maintained etc) isn’t going to solve it.

1

i've got an image with older onenote files (.one) ingested into autopsy. Anyone know if there is a way to view their contents in autopsy ?

Anyone with any experience with bouncie GPS units for vehicles? It’s a module that plugs in by the steering wheel.

Random question, has anyone here ever worked an incident or intrusion where they saw the threat actor give up, or been in an organization where they got a threat actor to move on? I'm looking at several competing theories of cyber deterrence but there's not a lot of hard data showing what works. The big three theories Retaliatory Deterrence: (Being afraid to hit a target for fear of retribution. For example, threat actor checking what's on the box and seeing EDR's and seeing it has X provider, so they stop activity because they don't wanna get mentioned on their blog again) Deterrence by Denial: (Giving up because the walls are too thick and it's just not worth the time) Entanglement Deterrence: (Not DDOSing OVH or DigitalOcean because your infrastructure is also hosted their and you don't wanna take them down) I've seen a few of these myself, but curious what your experience has been? (edited)

conf1ck3r

Random question, has anyone here ever worked an incident or intrusion where they saw the threat actor give up, or been in an organization where they got a threat actor to move on? I'm looking at several competing theories of cyber deterrence but there's not a lot of hard data showing what works. The big three theories Retaliatory Deterrence: (Being afraid to hit a target for fear of retribution. For example, threat actor checking what's on the box and seeing EDR's and seeing it has X provider, so they stop activity because they don't wanna get mentioned on their blog again) Deterrence by Denial: (Giving up because the walls are too thick and it's just not worth the time) Entanglement Deterrence: (Not DDOSing OVH or DigitalOcean because your infrastructure is also hosted their and you don't wanna take them down) I've seen a few of these myself, but curious what your experience has been? (edited)

I've seen Threat Actors "give up" by detonating ransomware when they are caught in the middle of lateral movement/discovery(I think this was a lockbit RAAS case but not sure- been a while). Have also seen SCATTERED SPIDER give up once as the client was able to catch the sim swap within 5 minutes. Normally SCATTERED still tries but this wasn't exactly a prime target for them which may have been why

Any LE people here dealing with large amounts of videofootage in high impact crimes? I hope someone is available for a short chat or teams-call, for a thesis im writing. Doesnt have to happen soon, but trying to look at the big picture. Please sent me a DM if you got time and willing to help

(edited)

1

Thinking from a ISO17025 point of view....Does a hardware write-blocker stop TRIM from occurring? Do you disable TRIM when imaging an m.2/SSD storage device? I ask as we discuss TRIM/Garbage Collection in our Measurement of Undertainty document for 17025. To summarise we say that we can't stop garbage collection from happening but the write-blocker stops the OS initiating TRIM but I am aware some organisations still turn TRIM off prior to imaging.

Spoke with our Nuix representative last week and they dropped the bomb that Workstation won’t be available as a standalone product anymore. Will be replace with a different infrastructure named Nuix NEO. With the anticipated price increase that this change will bring, we are looking into moving away from Nuix. Are there other data processing tools out there that allow some type of automation as well as the possibility of outputting data in Load File format to our eDiscovery platform?

I guess my first real question here would be, if I have some resource(s) that I think(with high probability) will be useful for the majority of people on this server, is it advised to post it - just to post it ? For example, if I would post resources related to traffic-analysis, I would of course post it in #network-forensics (and so on) And note, it will not be "a big list" of stuff, this is why I ask, so I know in the future :) Or.. Is it more advised to :

post the resource when it's requested ? (I always check previous messages as well, so I never post a duplicate)
make 1 github repo and just post that link? instead of editing one's reply when updating it? Regards, Will.

(edited)

Ken-Kaneki

I guess my first real question here would be, if I have some resource(s) that I think(with high probability) will be useful for the majority of people on this server, is it advised to post it - just to post it ? For example, if I would post resources related to traffic-analysis, I would of course post it in #network-forensics (and so on) And note, it will not be "a big list" of stuff, this is why I ask, so I know in the future :) Or.. Is it more advised to :

post the resource when it's requested ? (I always check previous messages as well, so I never post a duplicate)
make 1 github repo and just post that link? instead of editing one's reply when updating it? Regards, Will.

(edited)

Take a peak at #dfir-open-source-projects - that might be better suited

1

anyone from @Magnet Forensics around for a quick question about Axiom?

Matt

Take a peak at #dfir-open-source-projects - that might be better suited

So just to be sure - that's for posting resources? And thanks for replying;

Ken-Kaneki

So just to be sure - that's for posting resources? And thanks for replying;

Yep!

1

sholmes

anyone from @Magnet Forensics around for a quick question about Axiom?

I can try to help.

1

Anybody have any experience capturing AWS with @Magnet Forensics AXIOM Cyber? Having some issues with AWS user permissions.

1

Hey, can i use Microsoft certifications to earn CPE's for GIAC renewals? I couldn't find the answer on SANS/GIAC website

kime

Hey, can i use Microsoft certifications to earn CPE's for GIAC renewals? I couldn't find the answer on SANS/GIAC website

maybe echo in #training-education-employment too

kime

Hey, can i use Microsoft certifications to earn CPE's for GIAC renewals? I couldn't find the answer on SANS/GIAC website

You just need to submit them. The only issue is, they usually don’t give you all the CPE’s unless it has something to do with SANS. I’ve had a couple trainings, that even started on the certificate of completion, that it was 36 CPE’s and only received half of them through GIAC.

Hi, I'm looking for sources regarding digital forensic artifacts and analysis for BSD systems (specifically FreeBSD, OpenBSD and NetBSD). I'm specifically interested in anything covering artifacts for evidence of persistence, lateral movement, privilege escalation and or data exfiltration. I'm looking for possible starting points for a thesis paper. I have checked with a few catalogs covering published papers and searched using Google. So far, I have found little to nothing in that regard. I would appreciate some pointers regarding usable papers, blog posts or similar for this (seemingly very niche) topic.

XenoWarrior

Hi, I'm looking for sources regarding digital forensic artifacts and analysis for BSD systems (specifically FreeBSD, OpenBSD and NetBSD). I'm specifically interested in anything covering artifacts for evidence of persistence, lateral movement, privilege escalation and or data exfiltration. I'm looking for possible starting points for a thesis paper. I have checked with a few catalogs covering published papers and searched using Google. So far, I have found little to nothing in that regard. I would appreciate some pointers regarding usable papers, blog posts or similar for this (seemingly very niche) topic.

when you say Sources - do you include like Resources too? as in, (as you state, blog posts), I thought would github repositories also be helpful? ^ broadly speaking; sorry for the weirdly-formatted question (edited)

Ken-Kaneki

when you say Sources - do you include like Resources too? as in, (as you state, blog posts), I thought would github repositories also be helpful? ^ broadly speaking; sorry for the weirdly-formatted question (edited)

I also happily take github repos.

XenoWarrior

I also happily take github repos.

noted!

anyone have experience parsing gmail email headers to get IP? On a base level you only get the mailserver but I am trying to find the IP of the sender prior to it being received by the mails server.

8:07 AM

or outlook

theshark

anyone have experience parsing gmail email headers to get IP? On a base level you only get the mailserver but I am trying to find the IP of the sender prior to it being received by the mails server.

i believe it depends on the client if that gets stamped on the header... If its there it would be the one furthest down on the header since each server adds their headers to the top pushing everything else down (edited)

1

theshark

anyone have experience parsing gmail email headers to get IP? On a base level you only get the mailserver but I am trying to find the IP of the sender prior to it being received by the mails server.

Is it a traffic-dump? or regex? or wait I am a bit confused by the end of the question uhm; (edited)

Ken-Kaneki

Is it a traffic-dump? or regex? or wait I am a bit confused by the end of the question uhm; (edited)

Not sure. Just “show original message” and got that big header info

1

theshark

Not sure. Just “show original message” and got that big header info

ohh

Out of gmail. No files

okay; aight sorry I was confused; and; nvm my bad; hope it solves itself; (edited)

I tried using traceroute. But that original IP is internal and protected by google

theshark

anyone have experience parsing gmail email headers to get IP? On a base level you only get the mailserver but I am trying to find the IP of the sender prior to it being received by the mails server.

https://mha.azurewebsites.net/ Have you tried this?

1

Andrew Rathbun

https://mha.azurewebsites.net/ Have you tried this?

Something similar. I’ll try this one thanks

theshark

Something similar. I’ll try this one thanks

I've used it for years and it's been really helpful. Hopefully it helps you with this but let me know if it doesn't. Maybe something I can learn, as well

1

Andrew Rathbun

I've used it for years and it's been really helpful. Hopefully it helps you with this but let me know if it doesn't. Maybe something I can learn, as well

It still won’t help with private IP’s I guess those are sort of untouchable/unroutable

11:58 AM

Makes sense it would not be easily recovered but I’m trying to find any public tool that can help me get a public routable IP that it attached to the private one. Probably only found on google servers idk. (edited)

Andrew Rathbun

https://mha.azurewebsites.net/ Have you tried this?

I'm stunned. That's a brilliant resource thanks for posting it! (edited)

Ken-Kaneki

okay; aight sorry I was confused; and; nvm my bad; hope it solves itself; (edited)

also, a question to staff - should I remove any "obsolete" reply I have written? as I did here; or should I leave it be?

Ken-Kaneki

also, a question to staff - should I remove any "obsolete" reply I have written? as I did here; or should I leave it be?

I'd much rather the full context of conversations here be memorialized here for the purpose of search. You never know what may help someone years down the road. Ideally, keep your messages high fidelity so you have as little as possible where you feel you may want to delete them

4

2

Andrew Rathbun

I'd much rather the full context of conversations here be memorialized here for the purpose of search. You never know what may help someone years down the road. Ideally, keep your messages high fidelity so you have as little as possible where you feel you may want to delete them

oh okay, that's noted! Thanks I'll probably be making myself some templates for posting replies. Thanks again and have a good night on you! Salute

(edited)

people

12:16 PM

who

12:16 PM

type

12:16 PM

like

12:16 PM

this

12:16 PM

that's not the ideal way to post here, since it's more of a professional/serious discussion environment.

3

Andrew Rathbun

that's not the ideal way to post here, since it's more of a professional/serious discussion environment.

Yes, sorry did I post like that? sorry - I have a bad habit of editing my messages. (edited)

Ken-Kaneki

Yes, sorry did I post like that? sorry - I have a bad habit of editing my messages. (edited)

Not from what I’ve seen

1

Oh okay, I will try my best. Thanks to both of you! (edited)

I am a new member, and I have a question about the worldwide DNS DOH of famous network service providers. I am currently using Google DNS and want to know how to check if their DNS has a DOH feature. Also, I want to know about the security and Privacy policies of Google, Cloudflare, and OpenDNS. Google steals user information, while Cloudflare claims they do not store user data for over 24 hours. However, I have noticed that the speed and connection of Cloudflare are not as good as Google DNS. Can you give me an overview of these two network service providers, Cloudflare and Google?

Welcome! Wishes from Sweden. I only wanted to welcome, really. ^_^ (edited)

3

Deleted User

I am a new member, and I have a question about the worldwide DNS DOH of famous network service providers. I am currently using Google DNS and want to know how to check if their DNS has a DOH feature. Also, I want to know about the security and Privacy policies of Google, Cloudflare, and OpenDNS. Google steals user information, while Cloudflare claims they do not store user data for over 24 hours. However, I have noticed that the speed and connection of Cloudflare are not as good as Google DNS. Can you give me an overview of these two network service providers, Cloudflare and Google?

How does Google "steal" user information ?

DCSO

How does Google "steal" user information ?

I have seen some articles where they said Google has taken user information and they are still being fined by some government.

Hey y’all. Trying to break into digital forensics, working on getting my CHFI right now, graduating college around this time next year, saving up money to do SANS FOR500 for the GCFE. Trying to look at different positions and entry level positions to get an idea of what’s out there, where I should be looking and what skills I should be working on. Any tips for things I should really focus on, and what keywords I should be looking at for entry level positions. I have been looking but most entry level positions seem to be SOC analysts, or something along that line. Any tips are appreciated! (edited)

CasuallyJoseph

Hey y’all. Trying to break into digital forensics, working on getting my CHFI right now, graduating college around this time next year, saving up money to do SANS FOR500 for the GCFE. Trying to look at different positions and entry level positions to get an idea of what’s out there, where I should be looking and what skills I should be working on. Any tips for things I should really focus on, and what keywords I should be looking at for entry level positions. I have been looking but most entry level positions seem to be SOC analysts, or something along that line. Any tips are appreciated! (edited)

Hey! I had some discussion with people about this here: https://discord.com/channels/427876741990711298/537760691302563843/1131519366001856522 . DFIR has a ton of different areas you can focus in. IMO, it’s pretty tough to break into the field as an entry-level but not impossible. The computer forensics Reddit FAQ has some books that are good for learning the basics. I also recommend the 13Cubed channel as hell go over tools and artifacts, some of it will be on the FOR500 test (Introduction to Windows playlist)

6:59 PM

I’m working through the File System Forensics book and it seems pretty good. Only complaint is that it’s outdated and doesn’t go into SSD. Book is from 2000’s. Maybe someone else has a similar resource that is more current?

Cash

I’m working through the File System Forensics book and it seems pretty good. Only complaint is that it’s outdated and doesn’t go into SSD. Book is from 2000’s. Maybe someone else has a similar resource that is more current?

I have been reading through the 6th edition of guide to computer forensics and investigations by Bill Nelson and others, it goes into file systems some, but I’m unsure if it’s at the level you’re looking for (As I am a beginner it seems like a pretty advanced breakdown of everything, but it very well may be not as advanced as you’re looking for)

Cash

Hey! I had some discussion with people about this here: https://discord.com/channels/427876741990711298/537760691302563843/1131519366001856522 . DFIR has a ton of different areas you can focus in. IMO, it’s pretty tough to break into the field as an entry-level but not impossible. The computer forensics Reddit FAQ has some books that are good for learning the basics. I also recommend the 13Cubed channel as hell go over tools and artifacts, some of it will be on the FOR500 test (Introduction to Windows playlist)

It does seem to be something that isn’t very entry level friendly. I have been working for a year as a vulnerability manager, but nothing really geared towards forensics. It’s been tough trying to figure out the path I should really take.

CasuallyJoseph

I have been reading through the 6th edition of guide to computer forensics and investigations by Bill Nelson and others, it goes into file systems some, but I’m unsure if it’s at the level you’re looking for (As I am a beginner it seems like a pretty advanced breakdown of everything, but it very well may be not as advanced as you’re looking for)

I’ll have to take a look at it. I’m not really advanced. I completed For500 in December and have my masters in Dfir. Just started a Dfir job last month

I have watched 13Cubed’s content, it’s good stuff

3

Cash

I’ll have to take a look at it. I’m not really advanced. I completed For500 in December and have my masters in Dfir. Just started a Dfir job last month

Congrats!

CasuallyJoseph

Congrats!

Thanks. I got pretty lucky in finding my path. Think most places want a cert of some kind at least from what I’ve seen

@CasuallyJoseph look at sans edu to see if you can get it at a discount by enrolling in one of their programs. The full price of 9k or whatever isn't cheap obv

SOC analyst seems the most popular path for entry level. I also got a blog site I am putting projects and tutorials on different tools. Kinda using it as a resume. @stark4n6 has a good site with lots of resources

^^^ what cash said. SOC is pretty good to start, and you might be able to get an employer to pay for the SANS training instead which could save you a ton too.

https://discord.com/channels/427876741990711298/537760691302563843/1130936056422862868 link to his website

@Magnet Forensics someone around for DM ? (edited)

emilie_

@Magnet Forensics someone around for DM ? (edited)

I’m available.

@Oxygen Forensics Free for a quick DM?

Jeezy

@Oxygen Forensics Free for a quick DM?

Of course, please DM me

1

Hi I would also like to discuss with someone from Belgium @Law Enforcement [Belgium] I am a last year student in computer science and would like to apply, thanks!

Hey does anyone know if AXIOM ever had a Search Warrant Return processing option? I’m on v6.10 with computer, smartphone, and cloud licenses and don’t see it anywhere, but I could have sworn it was once an option.

1

Yes, there are search warrant return options for several service providers. If you aren't seeing them in the UI, it could be due to a license restriction. Let me know which provider you're looking at and I can send a temp license to use for cloud if you don't currently have one.

Spooky

Hi I would also like to discuss with someone from Belgium @Law Enforcement [Belgium] I am a last year student in computer science and would like to apply, thanks!

I have DM you

1

Looking for someone to image a Macbook Pro in Dominica. Any chance somebody knows somebody?

Jerry Hatchett

Looking for someone to image a Macbook Pro in Dominica. Any chance somebody knows somebody?

You might have luck on the IACIS forum I've seen requests there for private forensics similar to this request.

Spooky

Hi I would also like to discuss with someone from Belgium @Law Enforcement [Belgium] I am a last year student in computer science and would like to apply, thanks!

Sure, send me a DM.

1

Looking for insight on Telegram. @Cellebrite and @Magnet Forensics parsed the cache4.db's "search_recent" table. While trying to validate this finding, I noticed a "sent_files_v2" table. This could potentially be useful in my case, but not really sure. So before I go down the rabbit hole on an adventure that might not make a difference in this case, I thought I would reach out to see if anyone had any insight into this DB/tables. The question is, does this table contain the file names my guy actually sent? It has a column for "uid," "type" which contains numeric values (0,1,2), "data" which is potentially encrypted/encoded but definitely not easily readable, and "parent" which contains data formatted as "sent_0_7644_1817668042_3_61366." (edited)

1

People who have gotten a new job in the last 6 months: how is the job market for you? How easy was it? Reason I ask: Reading reddit comments it seems like there's two extremes. People looking for jobs for six months with dozens of interviews and zero luck, and people who snapped up a full remote job with 30% pay bump without issue. What's the experience for you all and whats the difference between those experiences? (edited)

DCSO

You might have luck on the IACIS forum I've seen requests there for private forensics similar to this request.

Thx.

Hi, what is the easiest way to create a forensic image of an apple mobile device on windows?

tapatiosec

Hi, what is the easiest way to create a forensic image of an apple mobile device on windows?

This may be helpful https://blog.elcomsoft.com/2020/04/ios-acquisition-methods-compared-logical-full-file-system-and-icloud/ (edited)

iOS acquisition methods compared: logical, full file system and iCloud

The iPhone is one of the most popular smartphone devices. Thanks to its huge popularity, the iPhone gets a lot of attention from the forensic community. Multiple acquisition methods exist, allowing forensic users to obtain more or less information with more or less efforts. Some of these acquisition

Hey, are there any tools that can, for example, scan the MFT for modified attributes? Anything related? (Looking for something that can make it easier to find files that have attributes changed using tools like attribute changer / bulk file changer etc)

Deleted User

Hey, are there any tools that can, for example, scan the MFT for modified attributes? Anything related? (Looking for something that can make it easier to find files that have attributes changed using tools like attribute changer / bulk file changer etc)

pretty sure autopsy does this and is free

Oh, I'll check it out, thanks!!

Does anyone here have experience converting Sigma rules into SPL with pySigma?

Deleted User

Hey, are there any tools that can, for example, scan the MFT for modified attributes? Anything related? (Looking for something that can make it easier to find files that have attributes changed using tools like attribute changer / bulk file changer etc)

Are you asking for a change timestamp Or a log of changes? Or to compare a previous MFT with the current MFT. Because they all have different answers

2:59 PM

the USN journal is probably your best bet though

Yeah Journal should work too, might be more time consuming; looking for something that can "detect" if file's date modified attributes was edited, or something that can detect most attribute editors out there

This is cool. https://pauljerimy.com/security-certification-roadmap/

Paul Jerimy

Security Certification Roadmap - Paul Jerimy Media

IT Security Certification Roadmap charting security implementation, architecture, management, analysis, offensive, and defensive operation certifications.

10

Hi there! Our agency is looking into soldering equipment for repairing damaged exhibits and board-level acquisition. Just want to know if many other agencies out there that have already deployed this kind of tool and what challenges they may of have faced. Cheers!

Private Derp

Hi there! Our agency is looking into soldering equipment for repairing damaged exhibits and board-level acquisition. Just want to know if many other agencies out there that have already deployed this kind of tool and what challenges they may of have faced. Cheers!

You may want to ask @TeelTech via email to see if they can provide you with a contact.

1

Hey, is there a major difference between a ram capture and a memory dump if my aim is to potentially see what was run from a command prompt? I'm assuming there's a difference if these (.raw & .mem captures) are separate things

Deleted User

Hey, is there a major difference between a ram capture and a memory dump if my aim is to potentially see what was run from a command prompt? I'm assuming there's a difference if these (.raw & .mem captures) are separate things

https://www.magnetforensics.com/blog/full-memory-crash-dumps-vs-raw-dumps-which-is-best-for-memory-analysis-for-incident-response/

Full Memory Crash Dumps vs. Raw Dumps: Which Is Best for Memory Ana...

Matt Suiche talks full memory crash dumps vs. raw dumps how they measure up for memory analysis during incident response investigations.

❤️

Hello I am new to this server. I have been working on the offensive side of things, but I want to have some stats from a blue side perspective how would you categorize the following in 2022-2023? Very Frequent Common Rare Extremely rare types of attacks BEC ( business email compromise ) Data breaches cloud environments attacks IoT attacks hacktivism

blackleitus

Hello I am new to this server. I have been working on the offensive side of things, but I want to have some stats from a blue side perspective how would you categorize the following in 2022-2023? Very Frequent Common Rare Extremely rare types of attacks BEC ( business email compromise ) Data breaches cloud environments attacks IoT attacks hacktivism

Check out the Verizon dbir. It answers that and much more!

Does any of our agencies or as an individuals have experience with the tool CobWebs. No tool is perfect just looking to see if it is better then average and worth the price to a small (200 sworn) agency.

Jason

Check out the Verizon dbir. It answers that and much more!

https://www.verizon.com/business/resources/reports/dbir/ this?

2023 Data Breach Investigations Report

Read the official 2023 Data Breach Investigations Report (DBIR) today.

blackleitus

https://www.verizon.com/business/resources/reports/dbir/ this?

Bingo

hey guys, what's the possibility tocreate threat driven intelligence? I dont need all data , but pretty specific like threat data ( profiling ) , data type vectors , resilience , purple team , red team, apt reports extraction , etc. how much time / money can you consider to build this?

I create a graph with data attack vectors and possible economic impact loss .. how accurate is it? I did my best to extract information, economic loss data points ,etc (edited)

digital Bowles

Does any of our agencies or as an individuals have experience with the tool CobWebs. No tool is perfect just looking to see if it is better then average and worth the price to a small (200 sworn) agency.

I sent you a DM

blackleitus

Click to see attachment 🖼️

It’s very difficult to quantify because the source data is not available. Also the size of the organization is an important factor, as well as other factors

Morning! Is anyone aware of or has anyone ever compiled a checklist / assessment kit for tool evaluation in the field of digital forensics? Specifically 1) data collection tools 2) data processing tools 3) review tools. Thanks!

Does anyone know how I can change my server tags? I used to be LE private sector but I am about to start a new job in LE public sector UK, thanks

Will change your role now Lauren

1

hey what is the purpose of legitimate software to use encoding, obfuscation techniques? I'm looking into writing a custom detection in Defender for Endpoint when PowerShell invokes encoded code for example powershell.exe -EncodedCommand. I've seen legit processes usnig this a lot, and after decoding the base64 block it is just normal PowerShell code checking execution policy etc. Why do vendors do this ? This isn't going to help much from my point of view (although I might be missing something) as this can result in number of false positives. Anyone ?

When I did SOC work, Microsoft defender did it a lot. I was surprised how often it did tbh.

1

6:01 AM

As for legitimate reasons, quotes and escape characters aren’t needed when it’s encoded. That’s often why Defender was doing so

2

So I guess false positives in this case are not avoidable ...

The commands are often repetitive so we were able to ignore alerting for those specific commands within our endpoint agents for a MS Defender parent process

eziboi

hey what is the purpose of legitimate software to use encoding, obfuscation techniques? I'm looking into writing a custom detection in Defender for Endpoint when PowerShell invokes encoded code for example powershell.exe -EncodedCommand. I've seen legit processes usnig this a lot, and after decoding the base64 block it is just normal PowerShell code checking execution policy etc. Why do vendors do this ? This isn't going to help much from my point of view (although I might be missing something) as this can result in number of false positives. Anyone ?

My understanding as to why legitimate software uses obfuscation is to secure their code. If threat actors don't understand the code, they can't find the vulnerabilities in it.

1

Hey, random question, are there any webs / tools or, anything really, that has the list of some known teams in the "dark web"?

Fierry

It’s very difficult to quantify because the source data is not available. Also the size of the organization is an important factor, as well as other factors

sure, but as a general overview frequency vs loss is okay since if you add more factors you will lose sense

Deleted User

Hey, random question, are there any webs / tools or, anything really, that has the list of some known teams in the "dark web"?

There are some list that track known ransomware groups, if that's what you're asking. Most of the "hacking" groups or politically motivated groups use Telegram channels.

Yeah I'm looking for something like that, where could I find it?

I'm looking into my next cert and not sure where to go. I'm in an incident response job that does a fair amount of digital forensics work, including memory, network, and host. They'll pay for a SANS/GIAC course and test, so I was thinking GCFE or GCFA. Is one of them better to take first? (I currently hold Sec+ and GCIH)

Deleted User

Yeah I'm looking for something like that, where could I find it?

https://www.ransomlook.io/groups & https://ransomwatch.telemetry.ltd/#/INDEX are the two I used the most

ransomwatch

the transparent ransomware claim tracker

️

Thanks!

1

Desert

I'm looking into my next cert and not sure where to go. I'm in an incident response job that does a fair amount of digital forensics work, including memory, network, and host. They'll pay for a SANS/GIAC course and test, so I was thinking GCFE or GCFA. Is one of them better to take first? (I currently hold Sec+ and GCIH)

I kind of depends are your current skill set. GCFE (FOR500) is more focused on Windows forensics involving a single machine. GCFA (FOR508) is more incident response/forensics at scale. I think you get the most out of them if you can take FOR500 first and then FOR508. There is some overlap in FOR508 with FOR500, but you would be better off already having a solid foundation first.

3

CyberGhost

I kind of depends are your current skill set. GCFE (FOR500) is more focused on Windows forensics involving a single machine. GCFA (FOR508) is more incident response/forensics at scale. I think you get the most out of them if you can take FOR500 first and then FOR508. There is some overlap in FOR508 with FOR500, but you would be better off already having a solid foundation first.

And after FOR500, maybe don't skip FOR508 and go straight to FOR572

1

chriscone_ar

And after FOR500, maybe don't skip FOR508 and go straight to FOR572

FOR508 has been hard, no lie lol. It's a lot of material

chriscone_ar

And after FOR500, maybe don't skip FOR508 and go straight to FOR572

Hm, it seems like someone has specific experience with that

10:07 AM

Cool, I just applied for my organization to pay for FOR500. Thanks for the help!

Desert

Hm, it seems like someone has specific experience with that

While they aren't pre-reqs, each of those 3 courses definitely build on each other. All are a TON of material and directly applicable to real world work. And yes, direct experience. I skipped FOR508 and regret that. Not because it isn't do-able, but because I miss the government paying for those classes for me and I'd really like to take FOR508.

Hoping to knock all three out within 12 months. Should be doable

Hi all, I wanted to see if anyone else has been using PA Ultra over PA 7.X . I have been using it for a few weeks now but I am not sure if this is really better than regular PA or not and if anyone had some insight. Thanks!

Does anyone know how to combine the .json files that Hubstream Intelligence Agent downloads? I'd rather have one large json than have to import multiple iterations...

FEJelinek

Hi all, I wanted to see if anyone else has been using PA Ultra over PA 7.X . I have been using it for a few weeks now but I am not sure if this is really better than regular PA or not and if anyone had some insight. Thanks!

I've been using it recently. It opens much faster, which is a definite Pro. The complaints I have so far is that there is a delay when tagging and when I complete an all projects search, I cannot collapse down the individual categories... I need to filter on the "type" column to eliminate categories I don't care about. Also, when I try to open some uncategorized objects, I really want a hex view if the program isn't going to attempt to convert the thing for me. I don't want to have to find it in the advanced search area.

1

whee30

I've been using it recently. It opens much faster, which is a definite Pro. The complaints I have so far is that there is a delay when tagging and when I complete an all projects search, I cannot collapse down the individual categories... I need to filter on the "type" column to eliminate categories I don't care about. Also, when I try to open some uncategorized objects, I really want a hex view if the program isn't going to attempt to convert the thing for me. I don't want to have to find it in the advanced search area.

We installed Ultra here because 7 was hit or miss on giving us "reports generated with error" message. So far that has not happened with Ultra. What I am wondering is if there are still updates with PA 7, would there be a reason to go back to 7 when we already have Ultra. I like the dashboard a lot more with Ultra as well.

I think as long as you are happy with the "shortcomings" of Ultra you should be okay. They claim that the parsers are on par with each other. Personally I am still using 7 to output readers to investigators out of my immediate area of influence since they aren't used to any interface changes. For cases that I am personally examining I have started to use Ultra.

1

I have someone asking for phone data but they only have a Macbook. Does anyone know if a @Magnet Forensics Axiom Portable case or a @Cellebrite UFED Reader report will run on a Macbook?

FullTang

I have someone asking for phone data but they only have a Macbook. Does anyone know if a @Magnet Forensics Axiom Portable case or a @Cellebrite UFED Reader report will run on a Macbook?

Portable case will not, needs 64 bit Windows.

1

Doesn't seem intended for the use but this article talks about an emulator of sorts that allows windows games to run on mac

2:50 PM

the article doesn't specify anything but games but it might be worth trying an application?

2:50 PM

https://www.theverge.com/2023/6/7/23752164/apple-mac-gaming-game-porting-toolkit-windows-games-macos

Apple’s new Proton-like tool can run Windows games on a Mac

Developers now have some serious tools to get Windows games on Mac

FullTang

I have someone asking for phone data but they only have a Macbook. Does anyone know if a @Magnet Forensics Axiom Portable case or a @Cellebrite UFED Reader report will run on a Macbook?

Same, it requires windows OS.

1

whee30

Doesn't seem intended for the use but this article talks about an emulator of sorts that allows windows games to run on mac

I don't think I will try to get them to run an emulator, but it's not a bad idea. I'll probably just give them a .pdf from PA.

1

whee30

Doesn't seem intended for the use but this article talks about an emulator of sorts that allows windows games to run on mac

Do keep in mind that other parties might ask questions about using emulator software to run your forensics tool, ie about expected behavior etc

I'm not suggesting it's a great idea, just one worth exploring if there's a need

You can always run full Windows in a VM, even on ARM nowadays. No need to emulate anything

3

Why would McAfee Security on iPhone have 3.2 GBs, 3x the system storage on this iPhone? Is this typical?

Original message was deleted or could not be loaded.

Cool book

, Thanks for sharing.

Original message was deleted or could not be loaded.

probably not a good idea to post a download link to a full book without the author's consent

3

Having a frustrating time trying to learn Timesketch. I made a timeline with the latest version of Plaso, not realizing that Timesketch doesn't support the latest version. Once I found that didn't work, I installed an older version of Plaso but get an error when trying to create a disk.plaso file with it. Has anyone seen this?: Unable to write to storage with error: Unsupported attribute container type: event_source attribute: path_spec data type: dfvfs.PathSpec Hoping it's not too long before Timesketch supports the latest Plaso/log2timeline.

Anyone have a faraday bag brand they recommend for isolating devices?

I tested a grip of them a few years back and the silicon forensics were decent. Now we have mission darkness bags with the shielded USB port but those are pricy

https://siliconforensics.com/products/accessories/faraday-bags/siforce-faraday-bags.html

SiForce Faraday Bags

Our SiForce Faraday Bags have inner protective linings that block RF signals to preserve the integrity of wireless devices. Comes in various sizes to fit cell phones, tablets, and laptops. Now with Dual Layer Shielding!

5:08 PM

https://mosequipment.com/collections/analysis-enclosures/products/mission-darkness-window-charge-shield-faraday-bag

Mission Darkness™ Window Charge & Shield Faraday Bag

Please Note: 2-3 Week Lead Time KEEP DEVICES SHIELDED AND LIVE From Seizure to Evidence Storage to Data Extraction To effectively access and recover data from cell phones, tablets, and similar electronics, the latest forensic tools requir...

5:10 PM

the silicon forensics bags are inexpensive and seem to work well enough. The mission darkness bags came with a blocker locker we picked up so devices didn't keep burning out their batteries and turning off. Now the mission darkness locker is the priority location and the pile of other bags is the backup solution.

Ken Pryor

Having a frustrating time trying to learn Timesketch. I made a timeline with the latest version of Plaso, not realizing that Timesketch doesn't support the latest version. Once I found that didn't work, I installed an older version of Plaso but get an error when trying to create a disk.plaso file with it. Has anyone seen this?: Unable to write to storage with error: Unsupported attribute container type: event_source attribute: path_spec data type: dfvfs.PathSpec Hoping it's not too long before Timesketch supports the latest Plaso/log2timeline.

Did you use the Timesketch CLI importer tool? It’s more reliable than the web UI

whee30

the silicon forensics bags are inexpensive and seem to work well enough. The mission darkness bags came with a blocker locker we picked up so devices didn't keep burning out their batteries and turning off. Now the mission darkness locker is the priority location and the pile of other bags is the backup solution.

Thank you for this

Original message was deleted or could not be loaded.

be welcome here

(edited)

Fierry

Did you use the Timesketch CLI importer tool? It’s more reliable than the web UI

From the error messages I'm seeing, it appears that the version of log2timeline I'm using is not yet supported by TimeSketch. I don't think it's really an upload issue if I'm understanding the error messages correctly.

anyone here with expierience running Atomic Red Team tests to test detections on their security stack ? Running one test at a time ( does it make sense?) Would it be a realistic approach to testing this ? What I'm wondering is the lack of behavioral context that could cause EDR not triggering alerts at all ...

3:32 AM

also, would it be the case as it is with Eicar that it would trigger no matter what, because all security vendors incorporate detection's for the Atomic Red Team tests (since they are know and publicly accessible)? (edited)

I'm guessing their InvokeAtomic-Runner is what you may be looking for? Here you could create your own sequence of tests to mimic an actual attack flow https://github.com/redcanaryco/invoke-atomicredteam/wiki/Adversary-Emulation

Adversary Emulation

Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the atomics folder of Red Canary's Atomic Re...

Ken Pryor

From the error messages I'm seeing, it appears that the version of log2timeline I'm using is not yet supported by TimeSketch. I don't think it's really an upload issue if I'm understanding the error messages correctly.

That’s really odd, I’ve had that error before when the version was too old

Does anyone have any experiences with using Ditto x86 SE Kit for imaging? (https://wiebetech.com/products/ditto-x86-se/) (edited)

Justin Lauzet

Ditto X86 SE

Tr4pSec 🇳🇴

Does anyone have any experiences with using Ditto x86 SE Kit for imaging? (https://wiebetech.com/products/ditto-x86-se/) (edited)

No I haven't had the chance yet. But I do use some of there other products and would be confident in trying it out.

So I'm the digital forensics detective at a mid-sized sheriff's office in the US, I have a a counterpart (and mentor) at the small city PD within my county. My county has recently obtained a very large building that has plenty of vacant space to create a joint lab. If both of us bring our equipment to a combined MultiJurisdictional Unit we will double our output. I frequently get cases in which 10 devices all seized at once need to be run, but limited resources this can take a week just to extract everything, thats without any analysis. By doubling our toolset we can both drop the everyday cases and power through 10 devices in a day or two to get intel much faster in the case of murders etc. My problem is how to pitch this best to each agency head. I've heard there are grants and funding available to such multijurisdictional units that aren't available to individual agencies, but I haven't been able to find any. Additionally I'm trying to find an example of a similar unit elsewhere to pick their brains but also haven't found it. Thats not surprising given these units aren't usually front page news. Essentially the more logisitcal issues I can have solved prior to pitching a proposal for the unit the easier it is for my Brass to high five and call it a win. Anyone have any recommended resources or know of any jursidictions that already use a multi-agency unit for Digital Forensics?

BadgerBacon

So I'm the digital forensics detective at a mid-sized sheriff's office in the US, I have a a counterpart (and mentor) at the small city PD within my county. My county has recently obtained a very large building that has plenty of vacant space to create a joint lab. If both of us bring our equipment to a combined MultiJurisdictional Unit we will double our output. I frequently get cases in which 10 devices all seized at once need to be run, but limited resources this can take a week just to extract everything, thats without any analysis. By doubling our toolset we can both drop the everyday cases and power through 10 devices in a day or two to get intel much faster in the case of murders etc. My problem is how to pitch this best to each agency head. I've heard there are grants and funding available to such multijurisdictional units that aren't available to individual agencies, but I haven't been able to find any. Additionally I'm trying to find an example of a similar unit elsewhere to pick their brains but also haven't found it. Thats not surprising given these units aren't usually front page news. Essentially the more logisitcal issues I can have solved prior to pitching a proposal for the unit the easier it is for my Brass to high five and call it a win. Anyone have any recommended resources or know of any jursidictions that already use a multi-agency unit for Digital Forensics?

A bit different but same idea: Around the country are regional computer forensic labratories (RCFLs) which are a combination of federal and local agency personel handling cases from all particpating agencies. https://www.rcfl.gov/

Regional Computer Forensics Laboratory (RCFL) | Regional Computer F...

The FBI’s Regional Computer Forensics Laboratory (RCFL) program provides forensic services and expertise to support law enforcement agencies in collecting and examining digital evidence to support a wide range of investigations, including child pornography, terrorism, violent crime, and fraud.

1

Alright calling all internet sluths, I have a case where a suspect left there bumper for me unfortunately it did not have a license plate. I know it belongs to a Ford based on the tagging inside of it but the numbers are not the product numbers but more of a manufacturing numbers according to a Ford parts guy. Any help is appreciated, ! (edited)

2008 or 2009 Ford Taurus X perhaps? @DCSO (edited)

4:59 PM

This example looks fairly similar except for the middle divider, which may be missing in the damaged bumper left behind https://static.cargurus.com/images/site/2007/06/27/2009_ford_taurus_x-pic-39652-1600x1200.jpeg (edited)

2

4

Nice work !! Thank you

1

Free smartphone charging !!

13

I asked about the ditto yesterday for imaging / capturing disk, but I now realised that does not solve my issues with capturing memory. So I have to change my question: How do you aquire disk and memory images (on user workstations) in an enviroment where the users dont have local admin rights out of the box? Do you use seperate elevated credentials when running the tools on the workstation? Do you have the tools available on a share, where they are auto elevated somehow? Or what do ppl usually do? (edited)

Cyberinsight Canada

Free smartphone charging !!

looks like a HAK5 freebie demo booth

1:59 AM

charges your phone $25 for the privilege

Do any of you know of any non-commercial collaboration solutions or tools suitable for Incident Response (IR)? I've already evaluated Aurora IR and DFIR IRIS. While Aurora IR is lightweight, it lacks comprehensive collaboration capabilities. On the other hand, DFIR IRIS offers a fully-fledged IR platform, but it's somewhat cumbersome to use and doesn't accommodate convenient features like avoiding the need for a permanent VPN connection during on-site investigations. Any recommendations would be greatly appreciated.

cyber_p4nn0n1us

Do any of you know of any non-commercial collaboration solutions or tools suitable for Incident Response (IR)? I've already evaluated Aurora IR and DFIR IRIS. While Aurora IR is lightweight, it lacks comprehensive collaboration capabilities. On the other hand, DFIR IRIS offers a fully-fledged IR platform, but it's somewhat cumbersome to use and doesn't accommodate convenient features like avoiding the need for a permanent VPN connection during on-site investigations. Any recommendations would be greatly appreciated.

The hive prehaps?

any knows the average day rate for a Sr./Pr. Strategy advisor across US? (edited)

Looking for what the best steps are to report errors in the @Cellebrite CCPA live on demand course, if i can get a rep let me know.

Mark send me a DM and i'll make sure the info gets shared with proper channels @theshark (edited)

1

Can anyone recommend a legit vendor for Windows licenses besides MS?

Does anyone have a good set of resources for capturing https via mitmproxy from a website (brand infringement) I need to pull together a documentation (edited)

coolcalmPC

Can anyone recommend a legit vendor for Windows licenses besides MS?

https://computerinfobits.com/best-places-to-buy-windows-10-key/#:~:text=The%20best%20place%20to%20buy,a%20Windows%2010%20key%20online!

12 Best Places To Buy Windows 10 Keys (Windows 11 Included)

Windows keys can be bought from so many vendors these days. This article aims to provide you with some of the best options to buy Windows product keys safely and as cost-effective as possible.

Andrew Rathbun

https://computerinfobits.com/best-places-to-buy-windows-10-key/#:~:text=The%20best%20place%20to%20buy,a%20Windows%2010%20key%20online!

Thanks! I will take a look.

moving here: Does anyone know if timesketch by default has a folder that it monitors to auto upload plaso/csv files? or a command to bulk upload a folder containing csv/plasos?

https://twitter.com/Cthulhu_Answers/status/1690941202160627712?t=0ykLH9OmPbGuy5EA5E5aaw&s=19

Cthulhu Answers Ⓥ

on Twitter

https://t.co/2nAiqwjDO2

1

1:00 AM

Yall people are gonna be jobless soon, DFIR is fake

Twitter drama

no idea if he binned it but it aint there for my timeline. trolls?

who is he?

4:37 AM

lol

I don't know the full extent of the drama, nor do I care to, but he's earned himself Persona non Grata status in the cyber security community I think thanks to multiple incidents that I'm not privy to the details

5:25 AM

All I care about is he's making a mess on Twitter over the years and not HERE

5

Original message was deleted or could not be loaded.

Jonathan Scott, basically the american equivalent of the dutch cyber charlatan called Rian van Rijbroek

5:36 AM

He is crazy

Andrew Rathbun

All I care about is he's making a mess on Twitter over the years and not HERE

Once a year I see a meme passing surrounding that dude, good laugh

5:38 AM

No dw

Turb0Yoda

moving here: Does anyone know if timesketch by default has a folder that it monitors to auto upload plaso/csv files? or a command to bulk upload a folder containing csv/plasos?

it doesn't, and if the csv files aren't from select sources you'll need to provide column selections for timestamp, timestamp description, and message there's a timesketch_importer tool that can be scripted to import a bunch at once

rayeh

it doesn't, and if the csv files aren't from select sources you'll need to provide column selections for timestamp, timestamp description, and message there's a timesketch_importer tool that can be scripted to import a bunch at once

Yeah- I am Just gonna make a messy bash script for it lol

what I'm doing is creating templates for the column selections for common log sources we use

kladblokje_88

https://twitter.com/Cthulhu_Answers/status/1690941202160627712?t=0ykLH9OmPbGuy5EA5E5aaw&s=19

This guy (the account in the screetshot) is a controversial person and pretty much nothing but drama. His view points on information security and DFIR are.....out there to say the least. He has published “reports” trying to disprove the use of government spy tools.

CyberGhost

This guy (the account in the screetshot) is a controversial person and pretty much nothing but drama. His view points on information security and DFIR are.....out there to say the least. He has published “reports” trying to disprove the use of government spy tools.

I know, I had a little internet fight with him before about something

My agency has purchased IBM’s i2 Analysis Notebook but can’t pay to send someone to the training for it. Is there anyone here willing to give some pointers or know of any guides

rabbit1709

My agency has purchased IBM’s i2 Analysis Notebook but can’t pay to send someone to the training for it. Is there anyone here willing to give some pointers or know of any guides

This is such a government thing to do

hopefully someone can help you out

1

Andrew Rathbun

This is such a government thing to do

hopefully someone can help you out

This is such a government thing to do I'm so adopting this. Incredibly useful new2me pejorative

1

Surprised they didn't pull the "we don't have any budget card"

2:06 AM

Trying to get anything is a challenge

Hey, I was wondering if there are any servers / malware analysis professionals that / who can review a "tool" and determine if it's genuinely malicious or what's wrong with it?

The tool is accused of loading a malicious driver but from my personal analysis it's the same driver Process Hacker uses & the company seems to be verified with Microsoft...

Question, How do I go about preparing for the SC-200. My biggest issue I can ready the theory and look at images but what's the point if I can't use a stimulated environment of things work in action like Microsoft Defender, EDR , Investigating alerts, Is anyone aware of I can use emulated enviroments ? (edited)

actually nvm

Anyone use forensic email collector alot please Dm me! I just need to know what to do if Its having trouble parsing a few items and then also how I can make the report of emails more readable - I only seem to be getting a MIME folder. Can they be parsed in @Cellebrite ? Thanks in advance!

theshark

Anyone use forensic email collector alot please Dm me! I just need to know what to do if Its having trouble parsing a few items and then also how I can make the report of emails more readable - I only seem to be getting a MIME folder. Can they be parsed in @Cellebrite ? Thanks in advance!

I use it quite a bit. Sending you a DM now

1

alright I broke l2t yet again.. I thought based on some random threads that l2t would just parse the bodyfile from mftECMD in but.. I guess I'm missing a flag here?

Turb0Yoda

alright I broke l2t yet again.. I thought based on some random threads that l2t would just parse the bodyfile from mftECMD in but.. I guess I'm missing a flag here?

they changed to require explicit --storage_file output_file semi-recently (edited)

9:38 AM

instead of implicitly by parameter order

I see

9:38 AM

Let me try that in a sec

sudo docker run -it -v /path/to/mounted/disk:/in:ro -v /path/to/incident/folder/plaso-out:/out/ log2timeline/plaso log2timeline.py --status_view none --parsers win7_slow --storage-file /out/identifier-plaso.body /in/

this is how I usually incant it, or without docker log2timeline.py --parsers win7_slow --storage-file output-folder/identifier-plaso.body /path/to/mounted/disk (edited)

oooh that looks to be working..

rayeh

sudo docker run -it -v /path/to/mounted/disk:/in:ro -v /path/to/incident/folder/plaso-out:/out/ log2timeline/plaso log2timeline.py --status_view none --parsers win7_slow --storage-file /out/identifier-plaso.body /in/

this is how I usually incant it, or without docker log2timeline.py --parsers win7_slow --storage-file output-folder/identifier-plaso.body /path/to/mounted/disk (edited)

You could make the /in directory read only by adding :ro eg /path/to/mounted/disk:/in:ro

ah wait I should have had the bodyfile and then the .plaso huh... whoops

Matt

You could make the /in directory read only by adding :ro eg /path/to/mounted/disk:/in:ro

I used to, and I'm glad you call it out because it may be important depending on how it's mounted

9:47 AM

But for our workflow the disk is already mounted read only or on a write-blocker

Oh yes I agree, it’s more of a sanity check than an evidential failsafe

1

wow

9:48 AM

overall me processsing these collections with mftecmd took.. 15 minutes... and using l2t took.. 2 hours...

9:50 AM

I don't know why l2t was hanging up on the MFT...

for me the value of plaso is running the entire bucket of parsers against the disk while I step back and work on other things

9:51 AM

the parser group win7_slow includes mft, but if you wanted to do mft separately the win7 preset may be better for you

yeah.. that would be ideal however we've got 60 collections and a massive time crunch.. life

it excludes esedb and mft

I wish it was still march

in my experience the system used for processing can make a significant difference with plaso also, it will run multiple processes for as many threads available on the system

32 core 64GB ram EC2 instance on io1 SSD.. my 7950X3D rig with 980 pros in RAID 0.. something in MFT was causing it to choke idk what

it may be worth just running it without MFT, as if you're using timesketch multiple timelines will be interleaved so you could just provide the output from mftecmd

yeah that's the plan

9:55 AM

I'm waiting for my crappy ass upload to move this meshed .plaso into timesketch to make sure it's not borked... (edited)

one thing I ran into recently, that felt like a silent failure with timesketch- if you check the timeline and the file's event count is much lower than the timeline's event count the underlying opensearch process may have decided it's unsafe to write new records to the indexes due to disk usage

9:57 AM

even with several hundreds of GB free, it stopped writing once it reached I think 95% use

there will be warnings in the opensearch logs indicating the disk usage, but not the implication that it will stop writing

10:01 AM

not a recommendation to do this proactively, but in a gotta get it done situation adding:

- cluster.routing.allocation.disk.threshold_enabled=false # added per https://stackoverflow.com/questions/63880017/elasticsearch-docker-flood-stage-disk-watermark-95-exceeded

to the docker-compose file in opensearch's environment section will get things rolling

I need to pull pics and audio off the notes app in an iPhone 14 max pro. Is there a way to do this on cellebrite ufed?

Anybdy have any good articles to read about IPFS links and how to decode them.

Hi, we have the possibility of accessing European funds and we are thinking of building a central data-center to act as a central forensic processing computing power for all of our locations spread throughout the country. We are thinking of building virtual machines with dynamic resource allocation that could be accessed from thin-clients. Our tools include the usual commercial tools (Axiom, Physical Analyzer, Oxygen, EnCase, FTK). Does anybody use this scenario for forensic processing? Is this ideea feasible/doable? Would transporting extractions and reports through LAN be too slow? Would it be better than individual forrensic workstations for each examiner? Can each examiner use its own dongle/license in the virtual environment? I know for example that the Cellebrite dognle doesn't like the remote desktop connection. Can this problem be solved with another licensing model? I would appreciate any thoughts/recommendations on this idea. Thank you!

@Cellebrite anyone free to for a quick chat?

1

Does anyone work in the financial sector and have a cloud lab? Would love to chat through some questions I have.

Cip

Hi, we have the possibility of accessing European funds and we are thinking of building a central data-center to act as a central forensic processing computing power for all of our locations spread throughout the country. We are thinking of building virtual machines with dynamic resource allocation that could be accessed from thin-clients. Our tools include the usual commercial tools (Axiom, Physical Analyzer, Oxygen, EnCase, FTK). Does anybody use this scenario for forensic processing? Is this ideea feasible/doable? Would transporting extractions and reports through LAN be too slow? Would it be better than individual forrensic workstations for each examiner? Can each examiner use its own dongle/license in the virtual environment? I know for example that the Cellebrite dognle doesn't like the remote desktop connection. Can this problem be solved with another licensing model? I would appreciate any thoughts/recommendations on this idea. Thank you!

Vmware Vcenter supports creating vms on the fly. Vmware Horizon/Citrix can be useful for app virtualization. Most of the forensic software vendors support vms, some require additional RDP licenses. Most of the dongles can be served from a single vm, so the processing vms can use remote licenses. You can plug a dongle to a server and assign it to a vm. I used this scenario for 6 years (when i was the director of a large CF department) and was perfectly usable. During covid we didn't need to stop operations, gave the investigators VPN access to the system. You need fast network connections (10G+) for individual servers and storage. Since all data will be processed on vms, you can give your examiners basic laptops (even raspberry pis) to access the system. My personal opinion is to have a hybrid system with desktops and servers, since some operations may require a physical computer. Also you can consider imaging to a NAS system directly from your write blockers. There are a number of these devices that have network ports. Finally you can use a forensic lab solution to automate processes. Since i'm developing one, i can't advertise ours for the sake of this discord's rules, but i can tell that an automation solution makes your life much easier. You can choose templates and trigger processes when image creation is complete. Good luck, ping me if you need anything. (edited)

1

Hi there i have a question about oppo phone there is an error during backup as the connection lost to the device do you have a solution for this problem

Mohassan

Hi there i have a question about oppo phone there is an error during backup as the connection lost to the device do you have a solution for this problem

do it again

I’ve tried 3 times but the same thing happened

Mohassan

I’ve tried 3 times but the same thing happened

What tool are you even using? Try a new cord. Any error/trace log available ? need to be way more descriptive for me to help.

@Cellebrite anyone available for a quick question ?

1

1:19 AM

about digital collector (edited)

Hey everyone! I'm a student about to start my masters in Digital Forensics Investigations in a week or so at Champlain. I'm very excited as this is what I've been working towards since I was just 16! I'm looking for someone that would want to be a mentor in the field and help guide me/talk and answer questions/network. DFIR seems like such a difficult career field to break into from an outside perspective and I'd love any insight. If there's a specific channel for this please redirect me there

tinylilbones

Hey everyone! I'm a student about to start my masters in Digital Forensics Investigations in a week or so at Champlain. I'm very excited as this is what I've been working towards since I was just 16! I'm looking for someone that would want to be a mentor in the field and help guide me/talk and answer questions/network. DFIR seems like such a difficult career field to break into from an outside perspective and I'd love any insight. If there's a specific channel for this please redirect me there

Feel free to DM me and we can chat

tinylilbones

Hey everyone! I'm a student about to start my masters in Digital Forensics Investigations in a week or so at Champlain. I'm very excited as this is what I've been working towards since I was just 16! I'm looking for someone that would want to be a mentor in the field and help guide me/talk and answer questions/network. DFIR seems like such a difficult career field to break into from an outside perspective and I'd love any insight. If there's a specific channel for this please redirect me there

^^ Ditto!

Although I'm UK based so different experiences

Thank you guys! I'll send you a message!

Is there any way of making and image of a hard disk in a windows environment without using a tool, like using powershell or anything. I tried the following command Get-Content -Path "\\.\PhysicalDriveX" -Raw | Add-Content -Path "DriveImage.bin" but it was not able to access the physical drive. I am trying to figure out how to test a write blocker without having to install other tools. Thought i could take an image of the drive hash it, connect the write blocker, try moving data to it, writing files to it etc. Then create another image hash it and compare the hashes.

fcha256

Is there any way of making and image of a hard disk in a windows environment without using a tool, like using powershell or anything. I tried the following command Get-Content -Path "\\.\PhysicalDriveX" -Raw | Add-Content -Path "DriveImage.bin" but it was not able to access the physical drive. I am trying to figure out how to test a write blocker without having to install other tools. Thought i could take an image of the drive hash it, connect the write blocker, try moving data to it, writing files to it etc. Then create another image hash it and compare the hashes.

If you have wsl you could use dd natively. There's also a dd for Windows, but I've never used it.

Awesome! I didn't even thing about using WSL. Thanks,

fcha256

Awesome! I didn't even thing about using WSL. Thanks,

Depends if you’re using WSL v1 or v2. You won’t be able to do it using v1.

Vendetta

Anybdy have any good articles to read about IPFS links and how to decode them.

https://docs.ipfs.tech/concepts/dht/#kademlia from there you can go down a rabbit hole

Distributed Hash Tables (DHT) | IPFS Docs

Learn what distributed hash tables (DHTs) are, how they store who has what data, and how they play a part in the overall lifecycle of IPFS.

Cip

Hi, we have the possibility of accessing European funds and we are thinking of building a central data-center to act as a central forensic processing computing power for all of our locations spread throughout the country. We are thinking of building virtual machines with dynamic resource allocation that could be accessed from thin-clients. Our tools include the usual commercial tools (Axiom, Physical Analyzer, Oxygen, EnCase, FTK). Does anybody use this scenario for forensic processing? Is this ideea feasible/doable? Would transporting extractions and reports through LAN be too slow? Would it be better than individual forrensic workstations for each examiner? Can each examiner use its own dongle/license in the virtual environment? I know for example that the Cellebrite dognle doesn't like the remote desktop connection. Can this problem be solved with another licensing model? I would appreciate any thoughts/recommendations on this idea. Thank you!

Depends on your budget, definitely doable, more or less boils down to planning, location and hardware. Since it would be for investigation purposes, you would need a highly secured locale and very strict client access rules. I probably wouldn’t use a cloud provider, so basically you need to create Azure in your office, for large scale. If it’s just a few workstations, you can use a Remote Desktop over vpn with a hop to a lan server which could host your vms (edited)

4:05 PM

The other problem is transferring sensitive data, like evidence over the wire.

4:06 PM

With large amounts of data, like drive images for example, that would get expensive fast, unless you’re self sufficient.

4:07 PM

You would definitely need to hire a network engineering team, a systems architect and a cybersecurity consultant to efficiently design and implement a safe and secure environment to suit your needs. (edited)

4:09 PM

Last thing you would want on the open net, leaked data and or evidence. Cases thrown out because of a stipulation regarding your data and how the data was handled.

4:10 PM

In reality. A smarter approach, depending on your infrastructure, would be specialized units in the location of your endeavours.

2

Hello Everyone! I have an E01 image collected from a RHEL based Linux host, and am having some issues getting the E01 to mount properly. Is there a better tool to use to be able to mount those E01s to start scanning the filesystem? I figured a Linux based E01 image would need to be mounted in a Linux environment, but am not sure if there is a way to mount that image in Windows as well. I have been running into issues with using ewfmount & the native mount command in a SIFT VM, and was curious if there was an easier process to mount the images?

M1k3

Hello Everyone! I have an E01 image collected from a RHEL based Linux host, and am having some issues getting the E01 to mount properly. Is there a better tool to use to be able to mount those E01s to start scanning the filesystem? I figured a Linux based E01 image would need to be mounted in a Linux environment, but am not sure if there is a way to mount that image in Windows as well. I have been running into issues with using ewfmount & the native mount command in a SIFT VM, and was curious if there was an easier process to mount the images?

Definitely easier to mount in a Linux environment if possible. You can mount it on a Windows environment (using AIM, FTK, etc) and then navigate the disk/file structure with whatever tool supports the filesystem of the image. Assuming it's something like ext4 with LUKS, you're going to have an easier time mounting it in a dedicated Linux environment, instead of mucking around with wsl & loopback to try and mount encrypted partitions. What issues are you having? What errors are you seeing when you try and mount it? What's the filesystem in the image? Any encrypted partitions?

DeeFIR 🇦🇺

Definitely easier to mount in a Linux environment if possible. You can mount it on a Windows environment (using AIM, FTK, etc) and then navigate the disk/file structure with whatever tool supports the filesystem of the image. Assuming it's something like ext4 with LUKS, you're going to have an easier time mounting it in a dedicated Linux environment, instead of mucking around with wsl & loopback to try and mount encrypted partitions. What issues are you having? What errors are you seeing when you try and mount it? What's the filesystem in the image? Any encrypted partitions?

The filesystem I believe is xfs. As far as I am aware no encrypted partitions. I am able to use ewfmount to create a ewf1 file, and then I am using kpartx to created loopback partitions. I am able to mount all of the loopback partitions except for one (the main one with data) in which I get the following error: unknown filesystem type 'LVM2_member'

Mobile Forensics aligned to Prawitz epistemic grounding Dag Prawitz is a Swedish logician and philosopher known for his contributions to proof theory and the philosophy of language. One of his significant ideas is the concept of "epistemic grounding," which pertains to the logical connection between a conclusion and the premises that support it. Epistemic grounding essentially refers to the relationship between a proposition (conclusion) and the evidence or reasons (premises) that justify accepting that proposition as true. It deals with how we can establish the validity of a conclusion based on the information or knowledge we have available. Prawitz's work in epistemic grounding emphasizes the connection between logical inference and the justification for making inferences. Prawitz's epistemic grounding is relevant in various ways. One example is Analyzing Reasoning: Understanding epistemic grounding can help in analyzing and evaluating arguments in various fields, such as philosophy, science, law, and everyday discourse. It provides a framework for assessing the strength and validity of reasoning processes.

9:44 AM

Prawitz's epistemic approach in the context of mobile forensics examination in simple terms: Idea (Conclusion): The main idea is to understand what happened on a mobile device, like a phone or tablet, during a specific event. This could be related to a crime or an incident. Evidence (Support): To figure out what happened, experts use different types of evidence: -Text Messages: They look at messages to see who was talking to whom and what they were saying. -Call Logs: They check who called or was called and when. -Photos and Videos: They examine pictures and videos to understand what was captured. -App Usage: They analyze which apps were used and when. Connecting the Dots (Epistemic Grounding): Just like solving a puzzle, experts piece together the evidence to understand the story. They use their knowledge and skills to interpret the evidence and find patterns that explain what happened on the device. Prawitz's epistemic approach in mobile forensics is like being a detective who collects clues (evidence) to understand a situation (idea) by putting the pieces together based on their experience and understanding (connecting the dots).

is this homework?

ryd3v

is this homework?

I don't have such homework

1

tinylilbones

Hey everyone! I'm a student about to start my masters in Digital Forensics Investigations in a week or so at Champlain. I'm very excited as this is what I've been working towards since I was just 16! I'm looking for someone that would want to be a mentor in the field and help guide me/talk and answer questions/network. DFIR seems like such a difficult career field to break into from an outside perspective and I'd love any insight. If there's a specific channel for this please redirect me there

If you have a class with Dave White tell him K says hi and something something tacos

1

DeeFIR 🇦🇺 started a thread. 8/19/2023 3:18 PM

I am brand new to DFIR. Is it possible to get an internship with law enforcement as a citizen or would it be better to get an internship with the feds?

Gomer95

I am brand new to DFIR. Is it possible to get an internship with law enforcement as a citizen or would it be better to get an internship with the feds?

maybe echo in #training-education-employment too

Digitalferret

maybe echo in #training-education-employment too

Done.

I am also wondering if there is a mentorship program or I can obtain a mentor who can help me in getting a job with the federal government in the DFIR area or something similar? I have been reading a lot about careers in intelligence and law enforcement agencies within DFIR but I still need guidance in what experience and skills I need for those kinds of jobs.

I need to transcript several hours of phone calls (2 persons talking) in pt_BR. I was thinking about using Google Speech-to-text API to start with and then listen to the audio files to correct mistakes. But even using an AI, it will be a labor job. Is there anyone here with experience that could give me some tips and hits, even tools used to make this job less painful? Thanks!

Can I throw out a general question without it being a political discussion of any kind. Those of you (LE) whose country (EU) has sanctioned Russia-based or established companies. Are you still allowed to use Oxygen Forensics? feel free to DM me

tclahr

I need to transcript several hours of phone calls (2 persons talking) in pt_BR. I was thinking about using Google Speech-to-text API to start with and then listen to the audio files to correct mistakes. But even using an AI, it will be a labor job. Is there anyone here with experience that could give me some tips and hits, even tools used to make this job less painful? Thanks!

Whisper works rather well. Offline also, so nothing going to the internet. https://github.com/openai/whisper

GitHub - openai/whisper: Robust Speech Recognition via Large-Scale ...

Robust Speech Recognition via Large-Scale Weak Supervision - GitHub - openai/whisper: Robust Speech Recognition via Large-Scale Weak Supervision

3

1

Beercow

Whisper works rather well. Offline also, so nothing going to the internet. https://github.com/openai/whisper

+1 for Whisper. I used it recently for transcription on small and it was pretty good. I didn't have the chance to put it on a computer with a better GPU and really try out how accurate large could be. Highly recommend.

tclahr

I need to transcript several hours of phone calls (2 persons talking) in pt_BR. I was thinking about using Google Speech-to-text API to start with and then listen to the audio files to correct mistakes. But even using an AI, it will be a labor job. Is there anyone here with experience that could give me some tips and hits, even tools used to make this job less painful? Thanks!

possible to hire a professional transcriptor? I've tried <programs> before and they seem ok with general basic language, but you add in anything like technical / slang terms they go to sh*t. left field, but i ended up using Camtasia which gave a graph of the audio, so i could skip past huge amounts of dead space when transcribing ATC type chat.

1

busted4n6

I actually sent an open email the @Griffeye and @Magnet Forensics bosses to request they collaborate on this. I think since Magnet makes a competing media review product it would be difficult. It was entirely predictable that hashset manager would come to compete with gid with no real benefit for the double work I now need to do tor nsrl and CAID updates. I’ve noticed both use mongodb dbms so I need to see if having one data store and some ‘virtual’ tables are possible though…

Maybe I’ll get my wish with Griffeye joining @Magnet Forensics

busted4n6

Maybe I’ll get my wish with Griffeye joining @Magnet Forensics

Maybe you're the reason

2

interesting read if anyone is interested. https://techcrunch.com/2023/08/19/cellebrite-asks-cops-to-keep-its-phone-hacking-tech-hush-hush/

Lorenzo Franceschi-Bicchierai

Cellebrite asks cops to keep its phone hacking tech ‘hush hush’ | T...

For years, cops and other government authorities all over the world have been using phone hacking technology provided by Cellebrite to unlock phones and In a leaked video, a Cellebrite employee urges law enforcement customers to keep their use of its phone hacking technology secret.

I'm curious if anyone uses RDP to work on cases remotely. I've historically been uncomfortable with the idea but the amount of time I'm wasting zipping up cases to take with me when im out of the office for an extended period is frustrating. I still wouldn't want to work ICAC cases out of the office but for other stuff that just needs attention while I'm gone I've been considering it. Looking for opinions/policies/procedures for remote work, if any of you do it.

11:00 AM

I've been out of the office a lot lately traveling for various things and being able to keep up on cases would be so nice. There are obvious security concerns opening pandoras box like this but I am so unfamiliar with RDP (have never actually used it) that I don't know if my assumed concerns are overblown or not.

As long as you connect through the company VPN before using RDP, that's the important bit. (edited)

Any connection to RDP must be through a VPN

11:06 AM

Yeah exactly as @Sea9 said (and beat me to it :p) (edited)

Just barely

There are some other concerns like cached credentials and lingering sessions, but those are problems whether you're local or not. Protecting against MITM is the big thing (because hardly anyone validates certificates properly), and using a VPN at least helps to alleviate the majority of that concern.

1

2

Hey, does someone has some infos about the next cellebrite ctf on september, 20 ? On their youtube channel they have announced it but there is no webpage with it

(edited)

Hey all, strange question. I have an SMS.db that I'm trying to filter for privilege. When I export the DB from PA, I can't delete any records from it (Execution finished with errors. no such function: after_delete_message_plugin). I can issue a replace command as a way of redacting the information, however. Has anyone had any success or even guidance on how to filter//sanitize a DB in this way?

1:35 PM

(Of course, it goes without saying that the original sms.db is unaltered in the PA and on the GK extraction)

K8pl3r

Hey, does someone has some infos about the next cellebrite ctf on september, 20 ? On their youtube channel they have announced it but there is no webpage with it

(edited)

the cellebrite CTF ?

whee30

I'm curious if anyone uses RDP to work on cases remotely. I've historically been uncomfortable with the idea but the amount of time I'm wasting zipping up cases to take with me when im out of the office for an extended period is frustrating. I still wouldn't want to work ICAC cases out of the office but for other stuff that just needs attention while I'm gone I've been considering it. Looking for opinions/policies/procedures for remote work, if any of you do it.

We do. I have a workstation in the office and I work from home. I work IR and corp DF cases so content isn't a concern. The main issue is data transfer. If I download a data set on my laptop, getting it across and into the forensic network can be annoying or slow. So for some stuff it's just easier to get into the office

1

segumarc

the cellebrite CTF ?

yes sorry

K8pl3r

yes sorry

Seems like more info will be coming

Okay, thanks, I'm waiting so

whee30

I've been out of the office a lot lately traveling for various things and being able to keep up on cases would be so nice. There are obvious security concerns opening pandoras box like this but I am so unfamiliar with RDP (have never actually used it) that I don't know if my assumed concerns are overblown or not.

I would also recommend baselining thr system and then hardening it using something like dod stigs or something similar to help ensure its secure

anyone using @Elcomsoft iOS Forensic Toolkit that has a minute to DM? I just have some questions about the tool

does anyone have osquery to query/parse the SRUM database?

@Moderators ^ (edited)

Ty

2

Has anyone dealt with OneDrive Android app? Subject admitted to csam in his vault but won't give finger print or pin. Did a quick selective extraction for only one drive and found a bunch of cached csam images associated with it. Is that something Microsoft would be able to decrypt and send if issued legal?

trillian

anyone using @Elcomsoft iOS Forensic Toolkit that has a minute to DM? I just have some questions about the tool

Sure, I am here to help

1

Solec

Has anyone dealt with OneDrive Android app? Subject admitted to csam in his vault but won't give finger print or pin. Did a quick selective extraction for only one drive and found a bunch of cached csam images associated with it. Is that something Microsoft would be able to decrypt and send if issued legal?

I'm asking some colleagues right now about this, I know we have gotten many of the other hosting providers with returns, Onedrive isn't in my memory banks as if we've tried or not. My gut says yes you can get the data with a SW. I'll confirm later

OneDrive doesn't support true zero-knowledge end-to-end encryption to my knowledge, so unless the subject encrypted or otherwise protected data prior to upload, Microsoft should be able to provide everything (even vault contents). (edited)

Yep, SWR for Onedrive works in the same manner as the others. Sea9 is the correct, as long as it's not an alternative or secondary encryption you shoul be good

@Nanotech Norseman @Sea9 appreciate it, thank you! Will get paperwork started

1

whee30

I'm curious if anyone uses RDP to work on cases remotely. I've historically been uncomfortable with the idea but the amount of time I'm wasting zipping up cases to take with me when im out of the office for an extended period is frustrating. I still wouldn't want to work ICAC cases out of the office but for other stuff that just needs attention while I'm gone I've been considering it. Looking for opinions/policies/procedures for remote work, if any of you do it.

been rolling my own openvpn server for years and rdp from all over, works great, as long as you have everything setup good

Not sure where to ask this but does anyone have any experience with the Nvidia Jetson Orin Nano Developer Kit?

K8pl3r

Okay, thanks, I'm waiting so

Stay tuned we will be releasing info soon when it becomes available. Sub to YT page and you’ll get the details when they are ready to go out.

2

Call for papers is open for MVS/MUS https://www.magnetforensics.com/blog/global-call-for-papers-now-open/

Global Call for Papers Now Open! - Magnet Forensics

We’re excited to be bringing back Magnet Virtual Summit February 27-March 7, 2024! MVS is a fantastic chance for DFIR experts and newcomers alike to join a virtual event that offers a wide variety of presenters from many areas of expertise sharing their research in the latest trends in the fields of digital forensics, incident … Continued

Hello all, is there a tool that can pin point which VPN service an IP is registered to?

greynoise or spur.us might track that

Greynoise uses sour

1:45 AM

Spur

which tool do you guys use to extract from eml files? The text and attachments

I have a user whose Facebook account was hacked. The hacker changed her associated contact information (email address, cell phone number). She cannot report the hack to Facebook as Facebook no longer shows an account associated with her email address and cell phone number. Any suggestions for contacting Facebook about this issue?

seattleebm

I have a user whose Facebook account was hacked. The hacker changed her associated contact information (email address, cell phone number). She cannot report the hack to Facebook as Facebook no longer shows an account associated with her email address and cell phone number. Any suggestions for contacting Facebook about this issue?

When dealing with this previously, I found that Facebook sends an email alerting of pending changes to any existing email addresses on file for the account (including recovery addresses) so that a user can revert just such an account takeover attempt. Those messages may get filtered away into a spam folder, though.

Does ufed camera usually support audio?

Hello everyone. I have a couple of questions regarding timelines created with log2timeline. How do you typically use it? Do you provide it with a full image, or do you filter with KAPE and extract only the artifacts, events, logs, etc., and then run log2timeline on the resulting VHD?

DefendingChamp

Does ufed camera usually support audio?

No not that i recall but the camera we had never had audio built in

Original message was deleted or could not be loaded.

What's the question? Sounds like something others would benefit from. Also, #computer-forensics would be a good channel to ask

Anyone have issues with the GrayKey plugin in Magnet Axiom? Very often, when transferring image from the GK onto my local machine (via Axiom), the import fails. Axiom log reports "The requested operation culd not be completed due to a file system limitation" The current failure I'm getting is with a 70gig iPhone FFS from GK onto a 3+TB free NTFS raid. I can't think of any file system limitation that is being exceeded.

@Magnet Forensics any ideas?

Leonidas

@Magnet Forensics any ideas?

Hi @Leonidas sending you a DM

What forensics workstations do you guys use? We still have digital intelligence FREDS from, like, 2018, and are looking to upgrade. Looking at possibly Talino workstations from Sumuri, but seeing what our options are.

silvance.

What forensics workstations do you guys use? We still have digital intelligence FREDS from, like, 2018, and are looking to upgrade. Looking at possibly Talino workstations from Sumuri, but seeing what our options are.

There are a good number of options. Depends on how much you want to spend and where you want to get them from. 'Forensic' providers (Sumuri, Digital Intelligence, EDAS Fox, Bitmindz, Silicon Forensics) or big box (HP, DELL, Lenovo)?

Most likely through forensic providers. It's easier to get leadership to pay if they're a reputable forensic company.

silvance.

Most likely through forensic providers. It's easier to get leadership to pay if they're a reputable forensic company.

Yeah, that is common. It is something many have to deal with. If given the opportunity in the future I'd push back against that misnomer because a workstation is a workstation. What matters is the cost, what components are in it, and the quality of the service if you didn't build it yourself. Having said that, any of the forensic providers I listed could work. We have used DI, Bitmindz and we have some Talinos being built.

Does anyone regularly use oxygen for their reports? I don't understand why the 'From:' column is not matching the 'Originating Number', unlike the CDR view which appears correctly.

@Oxygen Forensics ^

1

Original message was deleted or could not be loaded.

Try #training-education-employment

1

Hi, from a forensic perspective, how similar are iPadOS and iOS when it comes to data acquisition and artifacts?

I'm having many issues with Oxygen. I love the interface, it's great, but so buggy ime

Are encryption keys wiped on an iPhone once it has become "Disabled" or "Unavailable"?

Andrew Rathbun

Try #training-education-employment

Thanks

Iown

Are encryption keys wiped on an iPhone once it has become "Disabled" or "Unavailable"?

I’ll try to find an old post of mine where I asked this, the answer is currently “yes, depending on iOS version”. The specific version is what I don’t remember and will try to find. Nothing recent.

8:44 PM

https://discord.com/channels/427876741990711298/427877097768222740/1095115104263086100 I was informed via DM that from iOS 12.1 onward there was no hope of recovery.

whee30

I’ll try to find an old post of mine where I asked this, the answer is currently “yes, depending on iOS version”. The specific version is what I don’t remember and will try to find. Nothing recent.

Thank you!

question for you more experienced folks out here. What do you use for case management? Since i've been using a lot of free tools so far everythings been excel and word files and a file share for collecting objects. It feels like a really bad solution. Curious what is out there and recommended. I took a look at DFIR-IRIS but couldn't get it to run

SubtleLunatic

question for you more experienced folks out here. What do you use for case management? Since i've been using a lot of free tools so far everythings been excel and word files and a file share for collecting objects. It feels like a really bad solution. Curious what is out there and recommended. I took a look at DFIR-IRIS but couldn't get it to run

I've heard really good things about @Monolith Forensics. @Matt - Monolith Forensics should be around for any questions or guidance (no this message is not sponsored

) (edited)

awesome thank you

Ask away about Monolith I can answer them

@SubtleLunatic www.monolithforensics.com free trial available, taker er for a test ride free

Will do, appreciate it

we have a faraday cage (standing adult size tent) that used to work but doesnt seems to work anymore (I can send sms and scroll the web while inside it). Do you know what could be the issue here ? (I already checked for potential holes but I haven't found any) (edited)

emilie_

we have a faraday cage (standing adult size tent) that used to work but doesnt seems to work anymore (I can send sms and scroll the web while inside it). Do you know what could be the issue here ? (I already checked for potential holes but I haven't found any) (edited)

check grounding?

ok, good suggestion, I don't see any problems so far (edited)

emilie_

we have a faraday cage (standing adult size tent) that used to work but doesnt seems to work anymore (I can send sms and scroll the web while inside it). Do you know what could be the issue here ? (I already checked for potential holes but I haven't found any) (edited)

Could there be any changes to the frequencies the cells in the area are broadcasting on?

How do you close the enclosure? Over time the seal can wear and start letting signals through. And do you know if any new masts have appeared in your area recently?

Private sector folks, how do you collect Quickbooks Desktop data?

ThePM.01

Spoke with our Nuix representative last week and they dropped the bomb that Workstation won’t be available as a standalone product anymore. Will be replace with a different infrastructure named Nuix NEO. With the anticipated price increase that this change will bring, we are looking into moving away from Nuix. Are there other data processing tools out there that allow some type of automation as well as the possibility of outputting data in Load File format to our eDiscovery platform?

I'm in the same boat and need to at least find another tool to compare to before moving ahead with renewal; one that is more than the built-in black box processing from the various eDiscovery platforms. I'm curious if you landed on anything and happy to discuss.

SameTatsumaki

I'm in the same boat and need to at least find another tool to compare to before moving ahead with renewal; one that is more than the built-in black box processing from the various eDiscovery platforms. I'm curious if you landed on anything and happy to discuss.

We are not satisfied with our current eDiscovery platform, so we definitely don’t rely on that. We started looking at Axiom Cyber and the Automate software, but it’s not as flexible as Nuix. Closest to Nuix we have at the moment is Intella, but again it’s kind of a pale version of Nuix with less features, scripting, searching capabilities. So no definite answer for now. But would be happy to discuss also.

Joey Juarez

Ask away about Monolith I can answer them

I have a question. I can see that Monolith has tasks within a case and also notes within a case. But is it possible to take notes within a task? For example a task being acquiring a drive, processing some data, converting some files or whatever. Our current homemade case manager operates a lot like a helpdesk ticketing system and we like that, but we are having trouble finding this type of structure in a case management software.

secluding

Private sector folks, how do you collect Quickbooks Desktop data?

I don't have the answer for you other than to say I've had a copy of quickbooks kicking around in my office for years waiting to find the person that uses the software... I've heard it's a proprietary format but never had the "pleasure".

9:12 PM

Tagging along to see what folks have to offer though, I'm sure there has to be an open source alternative

Ross Donnelly

Could there be any changes to the frequencies the cells in the area are broadcasting on?

I don't think so, because we have another faraday cage that works

12:30 AM

it's just this one in particular

Does anyone have any tricks to recover a frozen physical analyzer session? My go-to is patience but at a certain point it just isn't going to recover that way... I've had it work a few times trying to shut it down and then canceling the shutdown when it prompts to save a session. Looking for other tips if anyone has them.

whee30

Does anyone have any tricks to recover a frozen physical analyzer session? My go-to is patience but at a certain point it just isn't going to recover that way... I've had it work a few times trying to shut it down and then canceling the shutdown when it prompts to save a session. Looking for other tips if anyone has them.

might be a 'senior moment' but what exactly is the physical analyzer?

Cellebrite PA

1

whee30

Cellebrite PA

i'd go right ahead and ping @Cellebrite

^^

I've bumped into an issue when I use mitmproxy CA from mitm.it and Inset into the android store in ADB, the app denies the fake CA obviously the security being in place. Not so sure what exactly security term is for this

2:34 PM

However, can the magisk plugin bypass this and help create fake CA certs

@$CozyBear are you referring to cert pinning?

@Cellebrite Good morning, can someone tell me how to add in my Physical Analyzer report, the original path of a video file? I can see it in PA in General File Info but I couldn't find a way to add it in report.

DeeFIR 🇦🇺

@$CozyBear are you referring to cert pinning?

Not cert pinning within apps but the root store that you find settings which denies the mitmproxy CA from being imported into the root store of the android phone (edited)

whee30

Does anyone have any tricks to recover a frozen physical analyzer session? My go-to is patience but at a certain point it just isn't going to recover that way... I've had it work a few times trying to shut it down and then canceling the shutdown when it prompts to save a session. Looking for other tips if anyone has them.

hover over the floating window in the taskbar then attempt to close with the x in the top right of the floating window - should force the popup that asks you if you want to close or not and can sometimes save the session (edited)

Has anyone looked into installation date for applications that has been restored from a backup on an iPhone? I'm looking into 3 specific applications and I can see that the application folders are created on the same date as the phone gets restored. But when looking at the artifacts for installed applications it presents a installation timestamp that's 2 months after the phone gets restored. I haven't found anything that suggests that the applications have been deleted in between the dates from the reset and the applications installation timestamp. Anyone encountered anything like this before? Or have any suggestions where to find more information?

https://www.autopsy.com/4-21-0-release-with-faster-search-and-malware-scanning/?utm_campaign=2023-08%20Autopsy%20Release&utm_medium=email&_hsmi=272227896&_hsenc=p2ANqtz-8faDQrvXVwcyxkZ-47E5aqL1VfJjh6A5hyFdVuACYuiai3Mfx-qJ0_0SbrWUtKJ00ougL9q1DYmWsAE5Sf5HZVpKPK1-1h9eGQ1UpOPhzL-Byz7H4&utm_content=272227447&utm_source=hs_email

Brian Carrier

Autopsy - 4.21.0 Release with Faster Search and Malware Scanning

The 4.21 version of Autopsy is out and this blog post will cover three of the most notable new features. You can see the full list of changes here. We’re […]

Google Warrants. Helping an agency on a case where the suspect wiped their Android, so all the agency has is the IMEI and MSISDN of phone, but not the associated GMAIL account to send a Search Warrant to Google. One of our detectives said that using IMEI and MSISDN and submitting this to Google in a search warrant worked years ago, but more recent attempts google has said they can't search that way. Has anyone had an issue like this and was succesful? Did you first have to send a SW to google looking for subscriber info using the IMEI and MSISDN, then send a follow up warrant once they gave you the associated GMAIL accounts? Any recent insight / knowledge appreciated. Thanks. [If it makes a difference, this is for an agency in California]

I don't know where to put it : https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown/layout_view

FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cybe...

The FBI and the Justice Department announced a multinational operation to disrupt and dismantle the malware and botnet known as Qakbot.

1

Grok

Google Warrants. Helping an agency on a case where the suspect wiped their Android, so all the agency has is the IMEI and MSISDN of phone, but not the associated GMAIL account to send a Search Warrant to Google. One of our detectives said that using IMEI and MSISDN and submitting this to Google in a search warrant worked years ago, but more recent attempts google has said they can't search that way. Has anyone had an issue like this and was succesful? Did you first have to send a SW to google looking for subscriber info using the IMEI and MSISDN, then send a follow up warrant once they gave you the associated GMAIL accounts? Any recent insight / knowledge appreciated. Thanks. [If it makes a difference, this is for an agency in California]

@Law Enforcement [USA] created a thread above, if you don't mind using that to respond. Might help keep things more organized for this question

I have a Samsung S8 (SM-G950F) which will not connect to any forensic software. I have full access, usb debug is on, the port is clean. I have changed the port, changed the usb cable, revoked debugging but all it does when it connects is have the error USB not recognised. It can’t be drivers because a different S8 connects with no issues. All the phone does is charge and that’s it. I never get the USB debug prompt because it never gets that far, any suggestions would be gratefully received! (edited)

12:05 PM

I have also tried Decrypting Boot Loader in UFED with no success. Trevor doesn’t see it, neither does GK or Oxygen, get the picture?

Can someone please explain the zhandle table in a call history database of an iPhone? I have a device we're attempting to prove the user deleted all call data prior to handing the device over. There are no calls in the zcallrecords table, but over 10,000 in the zhandle table. Also can someone please define the z_ent, z_opt, and ztype headings (found in zhandle). Thank you for any help you can offer!

Zhaan

I have a Samsung S8 (SM-G950F) which will not connect to any forensic software. I have full access, usb debug is on, the port is clean. I have changed the port, changed the usb cable, revoked debugging but all it does when it connects is have the error USB not recognised. It can’t be drivers because a different S8 connects with no issues. All the phone does is charge and that’s it. I never get the USB debug prompt because it never gets that far, any suggestions would be gratefully received! (edited)

does it charge correctly, or at ~0.5A only?

12:49 PM

no MDM apps installed?

Zhaan

I have a Samsung S8 (SM-G950F) which will not connect to any forensic software. I have full access, usb debug is on, the port is clean. I have changed the port, changed the usb cable, revoked debugging but all it does when it connects is have the error USB not recognised. It can’t be drivers because a different S8 connects with no issues. All the phone does is charge and that’s it. I never get the USB debug prompt because it never gets that far, any suggestions would be gratefully received! (edited)

Sounds like it's the Data portion of that connection that's bad. Wonder if perhaps some of the pins on the charging port are oxidized / missing, but the power ones still there. Might consider doing a manual extraction first (with video) and then seeing if you can repair the charging port and hopefully that will fix the data access issue.

Zhaan

I have a Samsung S8 (SM-G950F) which will not connect to any forensic software. I have full access, usb debug is on, the port is clean. I have changed the port, changed the usb cable, revoked debugging but all it does when it connects is have the error USB not recognised. It can’t be drivers because a different S8 connects with no issues. All the phone does is charge and that’s it. I never get the USB debug prompt because it never gets that far, any suggestions would be gratefully received! (edited)

Before what I said above though, I have had some phones where it keeps changing the USB connection to "Charge Only" instead of "Transfer Files/MTP" options. So make sure that's not what's happening first. If so, might be something on the device like an app trying to prevent access.

Steve

Can someone please explain the zhandle table in a call history database of an iPhone? I have a device we're attempting to prove the user deleted all call data prior to handing the device over. There are no calls in the zcallrecords table, but over 10,000 in the zhandle table. Also can someone please define the z_ent, z_opt, and ztype headings (found in zhandle). Thank you for any help you can offer!

Definitely ask #mobile-forensic-decoding

Thank you!

Arcain

does it charge correctly, or at ~0.5A only?

Yes it does, 0.99 and wireless charges no issue

no fast charge?

Grok

Sounds like it's the Data portion of that connection that's bad. Wonder if perhaps some of the pins on the charging port are oxidized / missing, but the power ones still there. Might consider doing a manual extraction first (with video) and then seeing if you can repair the charging port and hopefully that will fix the data access issue.

I replaced the port with one that was working on another S8

Grok

Before what I said above though, I have had some phones where it keeps changing the USB connection to "Charge Only" instead of "Transfer Files/MTP" options. So make sure that's not what's happening first. If so, might be something on the device like an app trying to prevent access.

Tried switching to data but just keeps detecting as USB not recognised

Arcain

no fast charge?

Yeah, fast charge kicks in

Grok

Before what I said above though, I have had some phones where it keeps changing the USB connection to "Charge Only" instead of "Transfer Files/MTP" options. So make sure that's not what's happening first. If so, might be something on the device like an app trying to prevent access.

Not that many apps and certainly no security or monitor apps

if fast charge works, usb data should work as well. I assume you get unknown device in download mode as well?

Arcain

if fast charge works, usb data should work as well. I assume you get unknown device in download mode as well?

Yes, SPL is 2020 to so it ain’t as if it’s to recent either

1:34 PM

It’s not the main phone so it could be why the owner bought a new one but that doesn’t help

if it's detected in download, then usb is fine

1:38 PM

one thing that comes to mind, if it's detected in download, to try Passware

1:38 PM

and bootrom mode

1:40 PM

testpoint is fairly problematic, as it's next to the UFS, under the metal emi shield (edited)

1:44 PM

although this is one easier and should work as well, if exists on your board (edited)

Arcain

one thing that comes to mind, if it's detected in download, to try Passware

It isn’t detected in download

2:44 PM

It’s detected as USB not recognised

2:45 PM

Which kind of isn’t

Zhaan

It isn’t detected in download

Can you board swap?

Hi everyone, I'm in the process of doing a full rework of my resume and I was just wondering about something: Would it safe to put in my summary something like experienced forensic analyst (got my GCFA) even though my current role is actually a SOC analyst. The thing is, I work with DFIR principles on a daily basis, minus the memory analysis.. just a bit confused.. (edited)

Rob

Can you board swap?

I am doing that tomorrow, I’ve swapped the daughter board with the connector on which didn’t change anything so will put the main board in a different phone tomorrow

1

Zhaan

I am doing that tomorrow, I’ve swapped the daughter board with the connector on which didn’t change anything so will put the main board in a different phone tomorrow

Board swapped, no change at all, very odd. (edited)

Zhaan

Board swapped, no change at all, very odd. (edited)

check and replace those 2 diodes

1:17 AM

they were often a problem in s7 series, although this should also break fast charging over usb

Arcain

check and replace those 2 diodes

Ahh, will do, just dumping via BT

Arcain

check and replace those 2 diodes

Thanks for that

Zhaan

Ahh, will do, just dumping via BT

see you next week

1

Arcain

see you next week

I forgot how painful it is, if anyone ever said life was better in the old days I will beat them with a UFED Touch.

2

1:24 AM

DISCLAIMER I would not beat anyone unless in self defence.

Arcain

see you next week

Not so bad, 466 pictures estimated to take 1 hour and 25 minutes!

Zhaan

I forgot how painful it is, if anyone ever said life was better in the old days I will beat them with a UFED Touch.

Wonder what's more reliable, a UFED Touch or a Nokia 3310 (edited)

Rob

Wonder what's more reliable, a UFED Touch or a Nokia 3310 (edited)

3310 day and night, flush it, rage quit it, it is the cockroach of the phone world

1

2:35 AM

I tell you now, when the sirens go, thats what I am taking into my bunker with Trevor.

2

hi

1

Zhaan

DISCLAIMER I would not beat anyone unless in self defence.

isnt beating by definition not self defense, because beating kind of implies that the other side is losing. Also what is self defense like in the UK?

1

Anyone with recent/direct experience getting a preservation letter equivalent served to Mega in New Zealand?

Zhaan

I forgot how painful it is, if anyone ever said life was better in the old days I will beat them with a UFED Touch.

Bring back Infrared acquisitions!

Ross Donnelly

Bring back Infrared acquisitions!

Now you’re talking!

theintern

isnt beating by definition not self defense, because beating kind of implies that the other side is losing. Also what is self defense like in the UK?

like beating a carp;et, you mean?

1

10:14 AM

or an egg

or some meat

behave, lol

3

Not strictly dfir but probably the best place to ask. Is there any software to block failed attempts to port connections, like fail2ban but not just for ssh? Or can fail2ban do this? After something lightweight as apposed to a full ips

firewall normally does that

11:08 AM

normally if the port is not open or being routed through nat it will drop the connection

11:08 AM

open meaning a service is running on it

11:10 AM

so i guess what im saying is, ufw

fail2ban can be configured to support various services, as long as it's logged somewhere

https://serverfault.com/questions/1067723/how-to-set-up-fail2ban-with-ufw-on-ubuntu-20-04 here is a nice page that you might be interested in

How to set up fail2ban with UFW on Ubuntu 20.04?

I'm trying to block IP addresses with fail2ban and ufw with the following configuration and the default ufw.conf in /etc/fail2ban/action.d. Jail config [app-custom] enabled = true maxretry = 1

Anyone from @SUMURI available to help troubleshoot a ReconLab install??

@MeGaBiTe sure thing, I’ll shoot you a dm and we can get your issue resolved

1

Anyone know how many agents you can deploy with your axiom cyber license? Can it handle 2k endpoints?

1

hi, anyone to provide a reliable way to determine processes behind SMB connections ? https://xkln.net/blog/determining-which-process-is-making-smb-requests-on-windows/ this seams not to work

Determining Which Process Is Making SMB Requests On Windows

How would you go about finding what process was making SMB requests on a Windows PC? If you’re like me you probably answered either or PowerShell’s . These are…

kartoffel4n6

Anyone know how many agents you can deploy with your axiom cyber license? Can it handle 2k endpoints?

@Magnet Forensics

Thankyou I'll have a play about

@Law Enforcement [USA] Best options for a burner phone/sim? What option have you found works best for limited use phones, such as receiving verification texts for accounts etc.?

MeGaBiTe

@Law Enforcement [USA] Best options for a burner phone/sim? What option have you found works best for limited use phones, such as receiving verification texts for accounts etc.?

$40 phone from a dollar general type store. Any basic android device works out just fine. Have dept petty cash in hand and buy a sim. Good to go and have been many times using it. Bought with cash. Used with a VPN account bought with crypto if needing internet. I’ve also ported over a previously contracted number like an actual AT&T number to Google voice and it works great. Many providers think it’s still AT&T and haven’t had to pay for a long time. (edited)

1

MeGaBiTe

@Law Enforcement [USA] Best options for a burner phone/sim? What option have you found works best for limited use phones, such as receiving verification texts for accounts etc.?

Purchase trial sim with Mint Mobile. Can get it from Best Buy for a buck or so.

Google voice?

@MeGaBiTe I usually go to Walmart and for 100 bucks walk out with a phone and a month of service with an Android device

Pizzantelope

Google voice?

https://voice.google.com/u/0/signup

Google Voice

Google Voice gives you one number for all your phones, voicemail as easy as email, no charge US long distance, low rates on international calls, and many calling features like transcripts, call blocking, call screening, conference calling, SMS, and more.

1

+1 for Google Voice 95% of the time, but I have seen where some companies won't allow 2-factor on VoIP numbers. (edited)

sudochaos

Purchase trial sim with Mint Mobile. Can get it from Best Buy for a buck or so.

I have plenty of these, however looking for a solution where I can keep the number for longer than 7days.

MeGaBiTe

@Law Enforcement [USA] Best options for a burner phone/sim? What option have you found works best for limited use phones, such as receiving verification texts for accounts etc.?

Google Voice works most of the time, but I have run into more and more services that don't like VoIP accounts. I also use MySudo to create VoIP numbers. Most social media platforms I have been able to use a Google Voice/VoIP number. A work around I have done is opened a Mint Mobile account for a month or two and then I ported that number into Google Voice. This has worked for several months so far, services don't see it as a VoIP number. But I'm almost positive it will eventually stop working.

Original message was deleted or could not be loaded.

This service seems almost too good to be true lol. Very curious where they get their numbers from if they are not detected as VoIP. They must not be getting them from the big names like Bandwidth or Twilio

MeGaBiTe

@Law Enforcement [USA] Best options for a burner phone/sim? What option have you found works best for limited use phones, such as receiving verification texts for accounts etc.?

Straight talk wireless phone at walmart

2:24 PM

and bluestacks emulator

2:25 PM

dress homeless when you buy it don't have an ID. They prob won't ask anyway. Wear a covid mask

1

2:26 PM

and a hat

2:26 PM

toss it in a faraday bag and turn it on at a fast food place don't use big chains

2:26 PM

use their wifi to configure it

2:27 PM

turn off and faraday bag it when you leave

2:28 PM

Straight talk you can get a year of service for like $400 that's unlimited

2:34 PM

I get one every year before DEFCON lol

So I have learned a new hyper-focus, wardriving. I have been playing around with using the idea to collect information from known areas in my area to help with locate devices of interest in investigations. All that to ask can someone point me to learning resources for this, collection device setup, how to decipher collected data, and how to move forward. Thanks

There are "off the shelf" open source solutions, you can use an rpi

5:45 PM

https://www.designer2k2.at/en/mods/elektronik/156-raspberry-pi-wardriving-setup

Raspberry Pi Wardriving setup

Standalone Wardriving setup with the Raspberry Pi using Kali Linux and Kismet on a Oled screen.

Kismet will log data into a CSV file. Most cell phones now days use a randomized MAC address when connecting to access points to make them difficult to track. https://www.kismetwireless.net/docs/readme/configuring/wardrive/

Wardrive Mode

The wardriving mode configuration overlay (and code to support it) was added to Kismet in 2022-01-git and subsequent releases. Wardriving mode # Kismet is already equipped for what most would consider to be wardriving out of the box: With a GPS and one (or more) Wi-Fi cards, Kismet will generate logs suitable for uploading to Wigle or generating...

3

CyberGhost

Kismet will log data into a CSV file. Most cell phones now days use a randomized MAC address when connecting to access points to make them difficult to track. https://www.kismetwireless.net/docs/readme/configuring/wardrive/

yep it'll use a new randomized MAC for each SSID, but it'll keep a consistent for that SSID. Devices will scream into the void for any SSIDs they've previously connected to periodically to try to get a connection as well.

6:25 AM

https://www.bleepingcomputer.com/news/security/wifi-probing-exposes-smartphone-users-to-tracking-info-leaks/

If you've not played with his project...well, makes some time as it's pretty neat and useful. https://pwnagotchi.ai/

Pwnagotchi - Deep Reinforcement Learning instrumenting bettercap fo...

not sure if I can ask this , but here we go. Which solution can you use to build from the ground a custom Kali Linux machine or an offensive machine that you can overwrite config files, and install toolkit at runtime like docker in a programmatic way or firebase?

blackleitus

not sure if I can ask this , but here we go. Which solution can you use to build from the ground a custom Kali Linux machine or an offensive machine that you can overwrite config files, and install toolkit at runtime like docker in a programmatic way or firebase?

You could create your own custom Kali ISO

2:37 PM

An alternative would be to write a bash script to auto-install your tools like Docker automatically

exactly , but the another problem would to output format like ova , vmdk to send to someone to deploy the machine

Just do it and them send them the image once you set it uo

is there a possibility to just send 5MB file config files and depoy themself? like docker

I mean yeah, just make a docker image and tell them what its called

Can anyone recommend me a list of forensic tools use for disk forensic and file craving. Thanks

Heisenberg

Can anyone recommend me a list of forensic tools use for disk forensic and file craving. Thanks

There is an absolute wealth of knowledge, pinned posts, DFIR community room posts, and other links which have recently been posted if you want to have a look around.

Thanks. Ill look into it (edited)

Hello, just got my GFACT, Would be a good idea to jump to the GCFA directly or do the Windows one first for Forensic?

hiddenbook46

Hello, just got my GFACT, Would be a good idea to jump to the GCFA directly or do the Windows one first for Forensic?

How did you find the GFACT

It was good indeed I learned more there than in 3 years at the university. Honestly

hiddenbook46

It was good indeed I learned more there than in 3 years at the university. Honestly

Did you find it difficult or just new?

There were a few new topics for me, indeed but it was okay. Indexing it helped me a lot as well. I enjoyed two section for response and forensic

5:20 AM

But not much stuff indeed

5:22 AM

Would be a big jump for your experience ?

I haven't done the 275 class. But I think going to that without any understanding of windows forensics is a big jump

5:39 AM

I know that a lot of people read gcfa on job requirements and want to skip there....but there's a lot of knowledge that is assumed or required to get the most out of that class

275 explain also Linux and windows file system.

5:40 AM

Maybe for500 is the best solution before I get the 508

5:42 AM

Anyway I know something about jt. Gonna see then thank you

Yep. Suggest you take a look at the course descriptions for 308-498-500

hiddenbook46

Hello, just got my GFACT, Would be a good idea to jump to the GCFA directly or do the Windows one first for Forensic?

I took the GCFA as my first cerification, had only been working as an analyst for 1 year roughly. If you build a good index and study there wont be any problems imo. Check this guide out https://tisiphone.net/2015/08/18/giac-testing/ 13cubed has good videos aswell, he also has a certification now which I havent done myself but im sure its great. (edited)

hacks4pancakes

Better GIAC Testing with Pancakes

It’s no secret that I’m a fan of SANS and their associated GIAC infosec certifications. Certifications aren’t worth a ton of credibility in the information security arena, but the…

1

(for the record I don't think you won't pass the gcfa if you go there quickly. I just think that there's a lot of stuff that people miss by going straight to it)

2

quick unix question, would you recommend ddrescue or ewfacquire in order to do a physical extraction of a USB flash drive? (edited)

randomaccess

Yep. Suggest you take a look at the course descriptions for 308-498-500

I studied the council one for basic forensic stuff, and maybe can be helpful with it( but it is all about theory anyway so I did not enjoy at all. PS: Yes I checked Anyway People saying 508 is a monster one, and Windows one would be a good choice. Thanks anyway for the help (edited)

isvak

I took the GCFA as my first cerification, had only been working as an analyst for 1 year roughly. If you build a good index and study there wont be any problems imo. Check this guide out https://tisiphone.net/2015/08/18/giac-testing/ 13cubed has good videos aswell, he also has a certification now which I havent done myself but im sure its great. (edited)

Yes I followed it before, thanks anyway

Couple questions... does anyone have any person target templates where you'd include demographics, picture, etc for an ops plan? Also, looking to see what everyone is using to map / link phone tolls?

emilie_

quick unix question, would you recommend ddrescue or ewfacquire in order to do a physical extraction of a USB flash drive? (edited)

IMHO ddrescue loses some of it's usefulness on flash media. If you want a raw image, use dc3dd. If you need an EWF image then use ewfacquire. And you can always export and EWF image to raw later if that's what you want. Depends on your goals/needs.

2

Anyone have a contact for someone at Maltego, looking to ask some questions to see if their product would work for my use case.

Can someone please be so kind as to post a link to a publicly accessible web page which lists the data retention periods, broken down by data type (such as calls, SMS, internet history, voicemail, email, etc. ) , of the major US internet service and telecommunications providers?

5cary

IMHO ddrescue loses some of it's usefulness on flash media. If you want a raw image, use dc3dd. If you need an EWF image then use ewfacquire. And you can always export and EWF image to raw later if that's what you want. Depends on your goals/needs.

Thank you for your answer, can you elaborate a bit more on why ddrescue isn't that usefull on flash media ?

Quick question in a forensic process. Let's say I have a soft copy of computer OS and I want to know the owner of the desktop computer which the os was installed. aside from these two Evidence Assessment and Evidence Examination. What else do you think I need to add. Thank you (edited)

Hi everyone, I have a quick question. I've been task to create a blue team report following a vendor red team engagement. What would be the best approach when it comes to structuring such report? Create a timeline-like or structure with separate sections for each impacted hosts?

hi, new to this and would like to ask, while performing red team activities (not talking about phishing simulation capmaings from Proofpoint etc.) how would you send such crafted phishing emails ?

6:55 AM

asking because there's just me in the infosec director in my company but would like to test how well our tooling would defend against phishing scenarios such as html smuggling --> password protected zip --> contains .iso --> that eventually results in a .lnk file opening calc.exe (edited)

Alex H.

Hi everyone, I have a quick question. I've been task to create a blue team report following a vendor red team engagement. What would be the best approach when it comes to structuring such report? Create a timeline-like or structure with separate sections for each impacted hosts?

This reminded me I lent my comp sec textbook to someone and I should definitely try to get that back... Anyway its been awhile, but some of the things I remember from school (I don't do reports on these) are to start with an executive summary of the important parts, something that "executives" from the company can read, digest, and understand action items quite quickly (the people who need to pay the bills but aren't necessarily comp sec tech savvy). Then dive into a technical summary for the more technically minded people with more specifics on what went well and what didn't go well. Don't forget to say what went well so they can continue to do that. In the technical section, you can probably also give a timeline of events if that seems important, or just focus on the impacted hosts and give a brief high-level summary view of the timeline.

emilie_

quick unix question, would you recommend ddrescue or ewfacquire in order to do a physical extraction of a USB flash drive? (edited)

ddrescue is a data recovery tool. If the drive is working fine, stick with ewfacquire or dc3dd. Those also include hashing as part of the process, where ddrescue does not.

Hello, I'm not very active here in the forum and I have a question regarding data recovery. is it possible to restore a whatsapp history on an iphone? the data was lost because whatsapp was uninstalled. Is there any way to find the data? Thank you

John

Hello, I'm not very active here in the forum and I have a question regarding data recovery. is it possible to restore a whatsapp history on an iphone? the data was lost because whatsapp was uninstalled. Is there any way to find the data? Thank you

Your best bet is to restore from a backup. Otherwise you would need a forensic extraction to maybe recover whatsapp data. Unless phone is jailbroken you won't be able to load data back into the phone though. Also whatsapp might save your history and put it back on your phone if you install the app again, but be warned if you do that you'll probably erase any app remnants left or it will be hard to determine what data was from what installation.

1

emilie_

Thank you for your answer, can you elaborate a bit more on why ddrescue isn't that usefull on flash media ?

It's not that ddrescue isn't useful. It still is, but the features that make it most useful are designed for dealing with errors on spinning media (map files, splitting, etc.). ddrescue was designed to deal in a very specific way when splitting and reducing errors that it encounters. In many cases, "bad reads" on a flash drive are related to EPROM blocks that can't be read. And as much as devices like USB thumb drives try to emulate ATA disks - the failures don't translate well. You could find ddrescue will simply freeze as it waits for the media to respond to read requests. Of course the same is true for other imaging software as well, but ddrescue's strength is in it's recovery options. If you are doing this for actual casework, you should be using something like PC3000 Flash on damaged/bad flash based storage devices. If the media is working fine, then normal imaging software is fine.

Anyone know what the command is to remove software write-protection via linux command line? I'm in Paladin and want to mount a device as read/write but I need to do it via terminal because I cannot access Paladin Toolbox. I can try using "mount" but it will only allow read-only. (edited)

I don't know if this will help, but could you just use mount option rw?

hello is there anyone here using sift work station ubuntu. I was working on looking for the owner of the desktop computer in the disk. What are the command u use oftern to know just details. Thanks

Cole

Anyone know what the command is to remove software write-protection via linux command line? I'm in Paladin and want to mount a device as read/write but I need to do it via terminal because I cannot access Paladin Toolbox. I can try using "mount" but it will only allow read-only. (edited)

blockdev --setrw /dev/[device]

1

tclahr

blockdev --setrw /dev/[device]

Yes that's it!! Thanks!

Does anyone have a recommendation for a tool that can take bulk Lat and Longs, and convert into addresses? I have a csv with lat and longs and wanting to convert these into addresses in bulk. Preferably an open source tool. I appreciate the help in advance

Mavum1

Does anyone have a recommendation for a tool that can take bulk Lat and Longs, and convert into addresses? I have a csv with lat and longs and wanting to convert these into addresses in bulk. Preferably an open source tool. I appreciate the help in advance

How's your python? This looks like it would be trivial to implement, depending on how precise you want the results. https://pypi.org/project/reverse-geocode/

reverse-geocode

Reverse geocode the given latitude / longitude

@5cary Python I will check this out. Thanks!

Any recommended product to create link charts? Ideally I'm looking to visually graph out suspect targets and their relations to vehicles, people, phone numbers, businesses etc...

5:22 PM

I don't have this data in any real usable manner so I will have to manually create every object, and link.

carook

Any recommended product to create link charts? Ideally I'm looking to visually graph out suspect targets and their relations to vehicles, people, phone numbers, businesses etc...

Try mind map software, maybe? I use XMind to create these, for example: https://github.com/AndrewRathbun/DFIRMindMaps/tree/main/Tools/KAPE/KapeTriage

DFIRMindMaps/Tools/KAPE/KapeTriage at main · AndrewRathbun/DFIRMind...

A repository of DFIR-related Mind Maps geared towards the visual learners! - AndrewRathbun/DFIRMindMaps

I'm hoping to find a method to select say a license plate / vehicle entity and see who else is linked to it.

Andrew Rathbun

Try mind map software, maybe? I use XMind to create these, for example: https://github.com/AndrewRathbun/DFIRMindMaps/tree/main/Tools/KAPE/KapeTriage

Interesting. Does this mind map software allow you to filter by entity to see who / what else is associated with it?

5:24 PM

I wasn't sure if something like Maltego, I2 Analyst Notebook or Datawalk would be ideal. There really isn't anything that is out of budget right now, except I2. (edited)

carook

Interesting. Does this mind map software allow you to filter by entity to see who / what else is associated with it?

Nah it's not meant to be analytical or anything. Mostly good for visualizing data and that's about it

fam, I am invited to speak at an event on the cyber workforce. Please advise me with a heads-up, on topics to discuss. Much appreciated

Hey all just got my first job in cybersec on a digital forensics team currently I am doing insider threat and edisco. Our lab is ANAB accredited so I have to have either GCFE or CFCE to do forensics work so I am deciding between the two. I work in the private sector currently. Any suggestions?

6:08 PM

Sadly I have to front the money either way then I get reimbursed after 2 paychecks but man that’s gonna hurt to front

NotIronManBTW

Hey all just got my first job in cybersec on a digital forensics team currently I am doing insider threat and edisco. Our lab is ANAB accredited so I have to have either GCFE or CFCE to do forensics work so I am deciding between the two. I work in the private sector currently. Any suggestions?

To me, CFCE is more foundational. It really helps you understand what the tools are doing. It’s a ton of work and takes a long time. GCFE is geared more toward the artifacts. It also takes a lot of work but for me it was much less time than CFCE.

If I did CFCE they told me I’d be goin down to Orlando for a week or something. My boss and coworker both have that one but we also work with law enforcement a lot and they recommend that.

6:56 PM

Might go with that over sans

6:58 PM

Thanks for the input though @Joe Schmoe

NotIronManBTW

If I did CFCE they told me I’d be goin down to Orlando for a week or something. My boss and coworker both have that one but we also work with law enforcement a lot and they recommend that.

Between the two, I would do the CFCE first. Of the certs I’ve done, that’s the one that felt like an accomplishment when it was done. (edited)

Hello everyone! I'm having an annoying bug on my Windows machine : the Temp folder on C: gets filled with thousands of small "tomcat.randomnumbers.8123" files.. I had this problem about one year ago, and I remember it came just after a Ufed PA update. No idea if it's still the case this time, but does anyone know how to fix it? I haven't tried reinstalling PA yet though... (if it's indeed the culprit)

@Cellebrite ^

Welp I’ve decided to take sans GCFE because my work pays upfront for that one and the other one I’d have to pay out of pocket

6:51 AM

Has anyone here taken GCFE?

NotIronManBTW

Has anyone here taken GCFE?

Many have. Let's move to #training-education-employment for this discussion though

Apologies will move there

1

can anyone help me out. I want to view these file inside recycler folder. What would be the command for that. Thanks

Hello everyone! Does anyone know of any research or have any information on the use of electron microscopes such as scanning electron microscopes and atomic force microscopes in the analysis of computer chips/hard drives/other digital information (especially in a digital forensic context)?

1

Heisenberg

can anyone help me out. I want to view these file inside recycler folder. What would be the command for that. Thanks

List the files in that location. There should be files named Dc{number} along with the file extension, if memory serves me. Those are the deleted files.

Beercow

List the files in that location. There should be files named Dc{number} along with the file extension, if memory serves me. Those are the deleted files.

yup there 3 DC names

@Heisenberg https://youtu.be/Gkir-wGqG2c

13Cubed

Recycle Bin Forensics

New here. I'm sure it's been discussed before, but can anyone point me to information about getting info off a chromebook? From everything I've read you need the username and password.

@Magnet Forensics might know a thing or two when it comes to chromebook extraction

Edgar_55

New here. I'm sure it's been discussed before, but can anyone point me to information about getting info off a chromebook? From everything I've read you need the username and password.

Like Isaac has said, Manet have their own tool - MAGNET Chromebook Acquisition Assistant - which you can acquire from their Magnet idea lab. Alternatively, you could log into the device with the username/password and perform a live examination.

1

I don't know if it's possible offline bruteforce a chromebook in case you don't have the password

hey! where can i find a clean windows 7 iso ?

NotIronManBTW

Has anyone here taken GCFE?

twice

NotIronManBTW

Welp I’ve decided to take sans GCFE because my work pays upfront for that one and the other one I’d have to pay out of pocket

lucky, I paid out of pocket for the course sadge_business

Saaru

hey! where can i find a clean windows 7 iso ?

https://www.heidoc.net/joomla/technology-science/microsoft/67-microsoft-windows-and-office-iso-download-tool

3

So I’ve been tasked at work with building a forensics workstation so we don’t have to buy talinos anymore. Do y’all have a good option/ guide on where to look. They gave me minimum specs and I have 10,000 usd to spend on it

NotIronManBTW

So I’ve been tasked at work with building a forensics workstation so we don’t have to buy talinos anymore. Do y’all have a good option/ guide on where to look. They gave me minimum specs and I have 10,000 usd to spend on it

well <cough> volunteered <cough>

1

Haha I came up with somewhat of a cool one. They want it to look cool too because we do a lot of tours of our lab (like 5 a week). Our current ones are maxed out 2017 talinos

1:23 PM

I do have access to a local microcenter as well

1:26 PM

Keeping it under 10k would be best if possible. Our EVP is comin In Monday and we just wanna show him we can do it below talinos price before we buy it

wolf in sheeps clothing. power pack it and house it in the shittiest, but air-iest, tin box you can find, and batter it a few times with a mallet. show how hard working and efficient/economical your Dept is

1:56 PM

do.not.buy.led.lit.pc's

Ahh so load it with RGB perfect

3:48 PM

That’s what I was thinking too high ups are gonna love the rgb

This is a long shot but I am curious if anyone on the splunk threat research team is on this discord?

Original message was deleted or could not be loaded.

keep up to date, use a long password, use lockdown mode

I am investigating a potential Gulima malware infection and kind of got confused. What i've got a is a js file but it is wrapped between xml, package, component, script, and cdata - in that order. Obviously, I want to execute this in a controled envornment. Now, do I understand that this kind of file need to be saved with a .wsf exntension before executing it?

8:57 AM

I did something like this

<?xml version="1.0"?>
<job>
    <package>
        <component id="...">
            <script language="JScript">
                <![CDATA[
                // long js here 
                ]]>
            </script>
        </component>
    </package>
</job>

(edited)

8:58 AM

And upon executing it, nothing happened. nada!

cmd.exe

I am investigating a potential Gulima malware infection and kind of got confused. What i've got a is a js file but it is wrapped between xml, package, component, script, and cdata - in that order. Obviously, I want to execute this in a controled envornment. Now, do I understand that this kind of file need to be saved with a .wsf exntension before executing it?

Fixed

You’re correct on the wsf extension

11:12 AM

It could be a lot of things here tbh though. Could be a dependency thing possibly?

11:13 AM

Could also try running as admin to see if it’s a permission thing too

11:13 AM

Debugger will be best bet after that

cmd.exe

Fixed

Nvm just read this lol. What ended up bein issue?

NotIronManBTW

Nvm just read this lol. What ended up bein issue?

Turns out it was checking a specific software and it would exit if the software was missing. So I had done everything correctly except I was not paying attention

i have a weird question, that i like to preface with an introductory message, like this....how many of your phones do you have to clean out to get a good connection? we have an oddly high number that need to be cleaned out in my area. also what are you using? tweezers from small electronic tool kits work well for iPhones for me, but anything USB-C is a tight fit

kmacdonald1565

i have a weird question, that i like to preface with an introductory message, like this....how many of your phones do you have to clean out to get a good connection? we have an oddly high number that need to be cleaned out in my area. also what are you using? tweezers from small electronic tool kits work well for iPhones for me, but anything USB-C is a tight fit

I use dental tools for cleaning out ports.

12:56 PM

Dental Tools, 6 Pack Teeth... https://www.amazon.com/dp/B078R7ZX1W?ref=ppx_pop_mob_ap_share

Plaque Remover for Teeth, Professional Dental Hygiene Cleaning Kit,...

Plaque Remover for Teeth, Professional Dental Hygiene Cleaning Kit, Stainless Steel Tooth Scraper Plaque Tartar Cleaner, Dental Pick Scaler Oral Care Tools Set - with Case

12:57 PM

The 2nd and 3rd from the left in the main photo are my goto’s

that might work, but i worry about USB-C...i couldnt even get a sim card removal tool down one, the dental pic has to be super thin. i have a set for cleaning my weapons (which i wont mix with the electronics) but they all seem too big anyway

12:58 PM

on USB-C i have gunk down the short side of the port, which i can kinda get out, just not fully and my ocd hurts

Yeah, the bottom thingy of those two tools that I mentioned are slim and long. I have yet to find a USB-C that they won’t work on.

i am going to order those and try it though, they are cheap enough

1:00 PM

the ones i use for my rifle is from harbor freight i think

1:00 PM

which are a little bulkier judging by pics

kmacdonald1565

the ones i use for my rifle is from harbor freight i think

+1 for all non-electrical tools from harbor freight for most things. Just having the right tool for the job is critical, quality isn’t as important if it isn’t used all the time. I might have tried gun cleaning tools, and if I did they weren’t as skinny as the dental tools.

ill check them out when i get home to see if they might work, but i will probably order what you got

1:04 PM

this is what i was refering to: https://www.harborfreight.com/6-piece-pick-set-93514.html

Hook & Pick Set, 6 Piece

1:05 PM

it is not a gun cleaning tool by default, but work great for a lot of hard to reach areas....believe it or not the texture grip on a couple of the tools is great for carbon build up on my firing pin and stuff like that.

1

1:06 PM

seriously though, thanks for the input...apparently my jurisdiction is a sweaty dirty constituancy

1

kmacdonald1565

this is what i was refering to: https://www.harborfreight.com/6-piece-pick-set-93514.html

I have that set... but I wish I'd sprung for the one with the better handles

1:59 PM

hard to really get leverage with them, but I was using them for popping a car side mirror case off

hello how should i know in a pcap file the the following question. Thanks Who are the people communicating in the transmission? IP Address right? When does the first transmission begin and the last transmission finish?

Checking in on behalf of someone who I've been providing "pro bono" consulting, as they're approaching requests that's now out of my wheelhouse, but I'd try to do some due diligence in checking my communities (before searching online): Are there any commercial (non-LEO) digital forensic firm reps here that are able to handle iOS/MacOS forensics? Maybe better if you're around Frankfurt, DE or in some proximity. Also taking UK. (edited)

Does anyone know if Magnet Process Capture has the ability to capture high level (I can't think of a better word) processes like csrss.exe, winlogon.exe, etc?

1

10:28 PM

I think kernel level is the word

@Magnet Forensics ^

hi guys

6:05 AM

anyone has good criminology servers (edited)

Jack New

Hi, is there any information about android "data_usage.db" tables and columns?

Hi Jack, did you find any information regarding 'data_usage.db'?

Does anyone have insight into best practice on how to collect GitHub repositories with all "revisions"?

ForensicDev

Does anyone have insight into best practice on how to collect GitHub repositories with all "revisions"?

Fork the repo? Then you can just browse the fork and go back in time to every commit.

Andrew Rathbun

Fork the repo? Then you can just browse the fork and go back in time to every commit.

Would that allow an "offline" browsing and restoring of versions? Are there any tools that would help ensure the proper git command options are used? Also, would the "fork event" be evident in the source repo?

ForensicDev

Would that allow an "offline" browsing and restoring of versions? Are there any tools that would help ensure the proper git command options are used? Also, would the "fork event" be evident in the source repo?

simply put, you can git clone <path to repo>, move the whole folder (.git files and all) to an offline box that has git installed. you can then "check out" branches that might exist in the repo & review the data within. here's a good starter for using the basic commands for comparison: https://blog.jpalardy.com/posts/git-how-to-find-modified-files-on-a-branch/

ForensicDev

Would that allow an "offline" browsing and restoring of versions? Are there any tools that would help ensure the proper git command options are used? Also, would the "fork event" be evident in the source repo?

Yes when you fork a repo, it'll increment the number of forks and the owner will be able to see who forked it. Like @babybat said, you can clone the repo and and browse the history that way, too

12:14 PM

could also try GitHub Desktop if you want a GUI, maybe. Download the repo, then point GitHub Desktop to an existing repo, then click on the History tab and you can see all the commits that way

Thanks. So "git clone" would be considered the most "forensically sound" / "read-only" approach to capturing a GitHub repo and all its historic data?

yep, by default that's how you're gonna get every version / branch / etc. optional flags will simply decrease the amount of data you pull

2

Heisenberg

hello how should i know in a pcap file the the following question. Thanks Who are the people communicating in the transmission? IP Address right? When does the first transmission begin and the last transmission finish?

That looks like a homework question

‍♂️

ryd3v

That looks like a homework question

‍♂️

project, we were given a pcap file to investigate and allow ask someone to help us through (edited)

You can make some tools to automate the info for you or manually review the pcap

any of yall got any good resources for some at home labs for practice with dfir? moving into IR soon and pretty nervous for it. been doin DF for a bit

NotIronManBTW

any of yall got any good resources for some at home labs for practice with dfir? moving into IR soon and pretty nervous for it. been doin DF for a bit

Try this: https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/!Images#aptsimulatorvm

DFIRArtifactMuseum/Windows/!Images at main · AndrewRathbun/DFIRArti...

The goal of this repo is to archive artifacts from all versions of various OS's and categorizing them by type. This will help with artifact validation processes as well as increase access t...

@Cellebrite Is there any functionality to see where a licence key was last used if that device was connected to the internet?

Hello guys- looking for some advice and guidance on how to analyse a couple of loose emails to determine if they have been tampered and analysing their metadata. Any particular tools or guidance will really be helpful

1

6:07 AM

More reason to get those downloads done vs letting them wait in a queue…

6:07 AM

Anyone test this yet?

Will-ko

@Cellebrite Is there any functionality to see where a licence key was last used if that device was connected to the internet?

What are you trying to accomplish.. feel free to dm me if you want

Does anyone know of a third party software that can screen record android devices that don't have the capability of screen recording. Preferably something that doesn't require the device to connect to network or download an app

CLB-Paul

What are you trying to accomplish.. feel free to dm me if you want

Thanks for the reply. Someone from within the office had taken one of the licence keys and it could not be located. I’ve since found it, but at the time was trying to see if there was any reference to find where a licence had last been used in the hope to identify a device name or something.

1

whee30

Anyone test this yet?

they wouldnt believe that web history for me. they all know better

ZlatanX

Hello guys- looking for some advice and guidance on how to analyse a couple of loose emails to determine if they have been tampered and analysing their metadata. Any particular tools or guidance will really be helpful

https://mha.azurewebsites.net/

7:06 AM

In terms of tampering, like someone provided you loose emails and you're wondering if they changed the contents of the email before passing it along to you? I suppose you could check $J from the system it came from, if it exists, and see if there's any DataExtend or DataTruncate events for the individual email file(s). Also, any LNK files indicating they opened those emails prior to providing them to you?

Gooner

Does anyone know of a third party software that can screen record android devices that don't have the capability of screen recording. Preferably something that doesn't require the device to connect to network or download an app

maybe offboard the recording by mirroring the screen, ie bluetooth pairing, to another device and record from there?

Digitalferret

maybe offboard the recording by mirroring the screen, ie bluetooth pairing, to another device and record from there?

Yeah that was an idea but the problem is that doesn't really work with phones that don't have their own screen recording capabilities :/

7:11 AM

It's a pain the ass cause I am struggling to find anything

Gooner

It's a pain the ass cause I am struggling to find anything

you could go real McGyver and set up a camera to watch the screen?

kmacdonald1565

they wouldnt believe that web history for me. they all know better

I’m downloading the app when I get into the office today, sucks that it’ll take two weeks before it does anything cool but might as well start now

i checked Epiphan which I've used before for oddball stuff, but they don't do phones, likely bc there's no GFX output port

Digitalferret

you could go real McGyver and set up a camera to watch the screen?

Thats what we're tryna move away from to something that looks better and more clean

Gooner

Thats what we're tryna move away from to something that looks better and more clean

yeh, understood. for me, i'd probably get a copy stand, good qual camera and possibly adjustable shutter speed, bc screen flicker, and place the phone underneath it whilst operating. it makes a huge difference having everything still, framed and well lit (screen brightness not spotlights)

7:20 AM

my setup is just for still pictures / books, docs that don't scan too well, circuit boards, hard drive parts and more. i should try a phone sometime to show results

7:22 AM

and bluetack / sticky<something> to hold bits steady

Andrew Rathbun

In terms of tampering, like someone provided you loose emails and you're wondering if they changed the contents of the email before passing it along to you? I suppose you could check $J from the system it came from, if it exists, and see if there's any DataExtend or DataTruncate events for the individual email file(s). Also, any LNK files indicating they opened those emails prior to providing them to you?

Thanks @Andrew Rathbun for the advice

ZlatanX

Thanks @Andrew Rathbun for the advice

maybe also check other emails for same/similar content & keywords. we caught some guys, having found they received a particular email from a guy, they re-edited to suit their own needs before re-printing and presenting in court, as (patently false) evidence later. (edited)

whee30

I’m downloading the app when I get into the office today, sucks that it’ll take two weeks before it does anything cool but might as well start now

Let us know how it turns out!

Updating my test phone now, I’ll do some browsing today and grab a download then stick it on power for a couple weeks

1

@Cellebrite does PA support the new version What’sapp on a advance logical on a iOS?

1

Hi, someone of @Passware Support for questions please ?

anyone know for Recon ITR?

12:44 AM

Is there anyone who knows why the MD5 and SHA-1 hashes within the log files created alongside the image file differ when verified?

Gooner

Does anyone know of a third party software that can screen record android devices that don't have the capability of screen recording. Preferably something that doesn't require the device to connect to network or download an app

hi, perhaps an x to hdmi cable and an hdmi capture card could work

2:46 AM

like we do with most dvrs

2:47 AM

if the device supports hdmi output

AnTaL

Hi, someone of @Passware Support for questions please ?

Sure, DM me

Hi guys anyone has any idea how to get my Windows to display the Korean characters which are part of the filename? Right now it is all showing some weird characters

ZlatanX

Hi guys anyone has any idea how to get my Windows to display the Korean characters which are part of the filename? Right now it is all showing some weird characters

checked this yet? https://www.digitalcitizen.life/changing-display-language-used-non-unicode-programs/

Thanks @Digitalferret ! Will check it out.

1

Dr. Kaan Gündüz

hi, perhaps an x to hdmi cable and an hdmi capture card could work

Yeah that stuff works for devices that have screen recording capabilities but not for ones that dont

HI everyone. The Cellebrite CTF is getting ready to launch next week. You can acces datasets and prepare starting today. Please join the cellebrite-ctf channel. https://cellebrite.com/en/cellebrite-capture-the-flag-september-2023/

4

1

Is everyone from @Cellebrite available for a dm question.

1

as a UK univeristy student I have send off a project to a industry contact who I sent projects to before they tend to respond within a few days but on this occasion its been over a week I want to send them a message to check on the progress with things(I assume their just busy) but don't want to appear rude or self-important we are not under any form of contract or obelgation, they merely took a interest in some of my questions which lead to our repeated corespondent any advice?

Toast()

as a UK univeristy student I have send off a project to a industry contact who I sent projects to before they tend to respond within a few days but on this occasion its been over a week I want to send them a message to check on the progress with things(I assume their just busy) but don't want to appear rude or self-important we are not under any form of contract or obelgation, they merely took a interest in some of my questions which lead to our repeated corespondent any advice?

Give them a call, and tell them exactly what you are saying here

You got this! (edited)

Toast()

as a UK univeristy student I have send off a project to a industry contact who I sent projects to before they tend to respond within a few days but on this occasion its been over a week I want to send them a message to check on the progress with things(I assume their just busy) but don't want to appear rude or self-important we are not under any form of contract or obelgation, they merely took a interest in some of my questions which lead to our repeated corespondent any advice?

Fortnights holiday maybe? Give it a few days, and/or pretty much as florus said.^ "Hi <name>, hope all's well there? just mailing to check my last project (posted 7th Sept) landed ok? thanks and kind regards, Toast". It follows a Royal protocol of "Don't complain, don't explain". the date offers detail that they might be able to find it without having to look too hard, and show's you appreciate their time and effort. (edited)

@florus @Digitalferret Thank you both will follow that. I like that royal protocol will keep it in mind

Hi DFIR Community Daniel here. We are hosting a two day Forensic Technology Event in South Germany 26. + 27. September. There will be around 15 Software Vendors i.e. Exterro, Griffeye, Opentext, Oxygen, Web-IQ, Passware and many more. We Expect around 200 Visitors from the Digital Forensic Sector and you can have discussions with other practioners or Vendors on challenges and solutions. We still have free Slots and it is completeley free of Charge to come, Food and Drinks are included as well. more information and registration @ https://ft-day.de/en/ Hope to see you soon. please DM me if you have any Questions about the Event.

1

Hello all, I am wondering if I can get any use out of this information. I have checked the serial number, but am unable to link it to an apple product.

Does anyone happen to know a method using Maltego to create essentially a dual arrowed link? I have a boyfriend and girlfriend that I want to link with either a dual arrow or better recommended method... any idea?

LeatherCouch

Hello all, I am wondering if I can get any use out of this information. I have checked the serial number, but am unable to link it to an apple product.

"Apple registration numbers and Apple hardware product serial numbers use the numbers 0 (zero) and 1 (one) instead of the letters “O” or “I”." So the fact that your serial number has an I in it suggests it's not actually the device's serial number. Not that I can rule out an obscure device where Apple doesn't follow its own rules! Source https://support.apple.com/en-gb/HT204308

Find the serial number of your Apple product

Find out how to find the serial number of an iPhone, iPad, iPod, HomePod, Mac or other Apple product.

Ross Donnelly

"Apple registration numbers and Apple hardware product serial numbers use the numbers 0 (zero) and 1 (one) instead of the letters “O” or “I”." So the fact that your serial number has an I in it suggests it's not actually the device's serial number. Not that I can rule out an obscure device where Apple doesn't follow its own rules! Source https://support.apple.com/en-gb/HT204308

Thank you

Does anyone have any recent (within last 2 years) research, blog links or open source projects on gaming console forensics (Xbox / Playstation)? Have several cases involving such devices and want to read up on the challenges and possible forensic artifacts they may contain. Given the fast release cycle of consoles, I find older articles may no longer be valid due to encryption or other structural changes that may have been introduced. Any pointers would be much appreciated.

Are there any command line tools that can generate live kernel dumps?

Yes

Black and White

Are there any command line tools that can generate live kernel dumps?

https://belkasoft.com/ram-capturer

7:05 PM

It’s really great

Hi. Noob question so please don't laugh. Are there any notable differences between let's say Oxygen and Cellebrite? Are there features that one can do and the other can't? I'm trying to understand if I should become proficient with a single tool for upskilling or learn multiple.

As a beginner myself, from all of the corporate-grade tools I've used they all generally have similar features. The way these features are presented could be different. For instance, Belkasoft X and Magnet Axiom have alot of overlap, but Belkasoft presents certain features in a more user-friendly way in my opinion. Essentially, the different corporate grade tools are different spins on a unified set of command line tools.

Buragany

Hi. Noob question so please don't laugh. Are there any notable differences between let's say Oxygen and Cellebrite? Are there features that one can do and the other can't? I'm trying to understand if I should become proficient with a single tool for upskilling or learn multiple.

I'd say that it'd be good to get really good with the tools that you are most likely to use. Also do what I'm doing and also try to get familiar with the command line versions of certain software in/and CAINE.

but if I understand correctly and based on my very limited experience, these CLI and FOSS tools are no match for the commercial ones

Buragany

but if I understand correctly and based on my very limited experience, these CLI and FOSS tools are no match for the commercial ones

In some situations, yes… in other situations, no. It would be naive for a digital forensics practitioner to take the position (and sometimes they do) that all they need to be competent in their work was either open source or commercial tools - especially when dealing with cases requiring maximum exploitation rather than scratch-and-sniff forensics.

1

Buragany

but if I understand correctly and based on my very limited experience, these CLI and FOSS tools are no match for the commercial ones

Use both commercial and Foss/free tools. Ultimately answer the questions asked. How you get to the answer really doesn't matter. But don't get sucked into thinking that just because you pay for it that it's better or will give you all the answers.

4

Buragany

but if I understand correctly and based on my very limited experience, these CLI and FOSS tools are no match for the commercial ones

Proprietary paid for often means they do much the same as that which you can do manually at CLI but have a much more user friendly interface and it's all under one hood.

5:33 AM

in an environment that is time / efficiency critical, it's often worth the premium paid. (edited)

5:34 AM

also much like the Windows v Linux airlines joke/meme, it's either all welded shut under the hood, and you trust the Dealership/Mechanic/Airline or "here's a box of spanners" (edited)

5:41 AM

what really counts is that you understand the fundamentals. Recent misapprehensions by newbros is that

Paid for >> FOSS
Forensic means better system / software /tool than (say) Data Recovery. It doesn't. 'Forensic' means you have to abide by a certain framework of law whether that's digital or organic/biological (wet). Folks should not add the word Forensic or DFIR merely to legitimise or "big up" a skillset / toolset / service,

much like Screenshare / Mincecraft / GTA guys do in order to catch cheats (whilst also snooping about someones PC looking for other "opportunities"). (edited)

5:42 AM

Simply having a powerful set of paid for programs does not bestow upon the user god like trade status, much as having a bag of power tools does not make one a carpenter (edited)

2

I was thinking can you use PlayWright to test malicious sites ? (edited)

Could anyone point me in the direction of any resources on how to conduct forensics on servers? It'd be greatly appreciated.

hi all. Im really interested in DFIR but really stuck on how do I practice skills w/o actually being in the field. is there a channel that I could be pointed to to get me started?

aots

Could anyone point me in the direction of any resources on how to conduct forensics on servers? It'd be greatly appreciated.

maybe echo in #computer-forensics too

@Remmoto What are you looking to do in DFIR? https://www.sans.org/white-papers/ultimate-guide-getting-started-digital-forensics-incident-response/

The Ultimate Guide to Getting Started in Digital Forensics & Incide...

Digital Forensics and Incident Response roles will always be required, and always be in demand. Crimes involving digital assets are becoming increasingly common, and as technology and techniques evolve over time, the field needs to adapt and innovate to stay one step ahead, which makes DFIR such an interesting area to work in.

1

I am curious, how do you guys think regarding internet/network on a forensic workstation? In my case both our workstations are completely offline which makes it a pain updating tools and we dont have Microsoft Office (does license activation work without internet?) which would make things easier when writing the report. I can understand airgapping/isolating a malware sandbox, but maybe it would be ok to have internet on a workstation that we just do disk imaging and timeline analysis on? Would be interesting to hear how other people have their labs setup. Maybe you use a Timesketch server? Forensic server? (edited)

Forensic network has significant network filtering. So not completely air gapped but no open internet. Allows access to specific domains for updates etc.

1

You could write your reports in markdown and covert them to a doc if need be with pandoc

1

10:27 PM

https://pandoc.org

Has anyone ever used come across a stimluated environment using CarbonBlack ? I'm trying to practice the process of isolating threats on a customer endpoint. Was hoping if someone could guide me to resources concerning CarbonBlack ?

$CozyBear

Has anyone ever used come across a stimluated environment using CarbonBlack ? I'm trying to practice the process of isolating threats on a customer endpoint. Was hoping if someone could guide me to resources concerning CarbonBlack ?

https://carbonblack.vmware.com/resource/best-practices-endpoint-standard-blocking-isolation-rules#introduction

Best Practices: Endpoint Standard Blocking & Isolation Rules | VMware

This whitepaper is intended to relay practical knowledge that you can apply in your day-to-day usage of VMware Carbon Black Endpoint Standard.

I was hoping if there's actual labs

3:18 PM

But I guess they don't exist

but gg lad, thanks for this.

I would have to refer you to a platform like letsdefend or something of that nature. Not unless you have a copy and can make a lab yourself

3:19 PM

no problem I tried man.

3:20 PM

Its highly locked propriety stuff so doing osint to find it is a bit tricky

isvak

I am curious, how do you guys think regarding internet/network on a forensic workstation? In my case both our workstations are completely offline which makes it a pain updating tools and we dont have Microsoft Office (does license activation work without internet?) which would make things easier when writing the report. I can understand airgapping/isolating a malware sandbox, but maybe it would be ok to have internet on a workstation that we just do disk imaging and timeline analysis on? Would be interesting to hear how other people have their labs setup. Maybe you use a Timesketch server? Forensic server? (edited)

Look into something called inetsim. This would simulate internet services so a program that is wanting to be only ran on the internet will think it is on the WWW when it is simply on a VNet that you created. I hope thats what you were needing. (edited)

1

Rock3t

I would have to refer you to a platform like letsdefend or something of that nature. Not unless you have a copy and can make a lab yourself

I want something more cooperate focused, VMware courses. It does replicate it to a high level but its comes at a cost, quite out of my budget unfortunately. (edited)

is this being done for a company?

Rock3t

is this being done for a company?

No, just training purposes for myself.

check dms

Request sent

Any @Magnet Forensics technical sales available for a chat? I have a quick question about Magnet Review. In particular cloud-based vs. on-premise.

goofycom

Any @Magnet Forensics technical sales available for a chat? I have a quick question about Magnet Review. In particular cloud-based vs. on-premise.

Not sure if there’s anyone from sales, but I may be able to answer - feel free to DM any questions and I’ll put you in contact with someone if I don’t know the answer.

@Cellebrite quick question .. was "Show preview" intentionally taken out of the UFED? I can't seem to find an option to enable it in v7.66

6:21 AM

I thought it was quite useful for quick info on SIM data

6:21 AM

Instead of opening PA

Does anyone happen to know of a usb connector I could use to pull data off of a nvme 9300 series SSD? Myself and a colleague have been unable to find such.

Remmoto

hi all. Im really interested in DFIR but really stuck on how do I practice skills w/o actually being in the field. is there a channel that I could be pointed to to get me started?

TryHackMe, Hack the Box Academy

randomaccess

Forensic network has significant network filtering. So not completely air gapped but no open internet. Allows access to specific domains for updates etc.

How are you filtering traffic into your forensic network? Router, Firewall, DNS?

I dont suppose anyone has encountered this database in the following location before have they? I am struggling to 'define' it and understand what its actual purpose is...any knowledge would be most welcome! /data/data/com.google.android.googlequicksearchbox/app_si/state_dump_event_content_store/content_store.db

N1nj4

Does anyone happen to know of a usb connector I could use to pull data off of a nvme 9300 series SSD? Myself and a colleague have been unable to find such.

I believe its a SATA connection ? So SATA to write blocker should work.

DCSO

I believe its a SATA connection ? So SATA to write blocker should work.

It's not SATA it's U.2 unfortunately

9:31 AM

Different PINs

N1nj4

It's not SATA it's U.2 unfortunately

Whould this work ? https://a.co/d/c4Jt3sg

SABRENT USB 3.2 Type A to SATA/U.2 SSD Adapter Cable with 12V/2A Po...

SABRENT USB 3.2 Type A to SATA/U.2 SSD Adapter Cable with 12V/2A Power Supply [EC-U2SA]

Kind of a random question, how do agencies typically go about disposing of old hardware, particularly if it was obtained from a grant? Trying to get rid of boxes of old write blockers and computers that haven't been used in 7-8 years just taking up space

DCSO

Whould this work ? https://a.co/d/c4Jt3sg

Thank you! This is exactly what we need. Not sure why we couldn't find this

1

Solec

Kind of a random question, how do agencies typically go about disposing of old hardware, particularly if it was obtained from a grant? Trying to get rid of boxes of old write blockers and computers that haven't been used in 7-8 years just taking up space

Ewaste and speaking of, Ill take some of it off your hands if thats ok

dcs453

How are you filtering traffic into your forensic network? Router, Firewall, DNS?

At least firewall. Our network team takes care of it

1

One time post. I’ve left the corp world after 20+ years “in the industry” doing some side work while helping my wife’s business. Customized IT / CyberSec swag is my new gig. Check it out while it’s cheap during early stages. https://bigtimebrands.etsy.com/listing/1564843675

Top 20 Passwords Word Search 8x10 Hanging Canvas Print - Etsy

This Wall Hangings item is sold by BigTimeBrands. Ships from Greer, SC. Listed on Sep 12, 2023

Hi everyone- does anyone have any guide or portal which can serve as a guide for someone who is a new starter in a digital forensics role?

ZlatanX

Hi everyone- does anyone have any guide or portal which can serve as a guide for someone who is a new starter in a digital forensics role?

Startme.stark4n6.com

Thanks @florus

Hi all, does anybody knows legal requirement applied in Netherlands for digital acquisition going to court ? ( who , how limitation etc..)

Sam

I dont suppose anyone has encountered this database in the following location before have they? I am struggling to 'define' it and understand what its actual purpose is...any knowledge would be most welcome! /data/data/com.google.android.googlequicksearchbox/app_si/state_dump_event_content_store/content_store.db

Just bumping this!

Hey @Sam - You would be better off posting that question in the @mobile-forensic-decoding channel

1

Anyone exclusively moved to Windows 11 for their forensic machines, and if so, have you had any problems with any software tools not working as expected?

5:16 AM

This question I guess could also go out to vendors to chip in if their software has been tried and tested working on Windows 11. (edited)

3X3

This question I guess could also go out to vendors to chip in if their software has been tried and tested working on Windows 11. (edited)

Good question! We had it come up recently. At this moment I have a laptop running Windows 11 with OFD installed - no issues. My main workstation is Windows 10 running OFD. I am also running Oxygen Corporate Explorer and Oxygen Analytic Center servers on Windows 11 and Windows Server 2022 VMs, also no issues. Additionally, our remote personnel, if they use personal machines for work, are at about 50/50 using Windows 11 or 10

(edited)

2

Oxygen Forensics

Good question! We had it come up recently. At this moment I have a laptop running Windows 11 with OFD installed - no issues. My main workstation is Windows 10 running OFD. I am also running Oxygen Corporate Explorer and Oxygen Analytic Center servers on Windows 11 and Windows Server 2022 VMs, also no issues. Additionally, our remote personnel, if they use personal machines for work, are at about 50/50 using Windows 11 or 10

(edited)

Thanks for the prompt and full reply! Much appreciated.

1

Hi All, Been asked a question - Does anyone have a CSAM/IIOC keyword origin list i.e. what does x stand for?

6:47 AM

Just got a few 4 letter keywords and trying to say it means this etc.

3X3

Anyone exclusively moved to Windows 11 for their forensic machines, and if so, have you had any problems with any software tools not working as expected?

Heyho sunny greets from Austria ! No problem here with Oxygen Forensic Detective, UFED4PC and XRY on Windows 11 Pro, 22H2

1

chrisforensic

Heyho sunny greets from Austria ! No problem here with Oxygen Forensic Detective, UFED4PC and XRY on Windows 11 Pro, 22H2

Hey Chris, greetings from rainy UK, haha! - Thanks for the information

1

Rob

Just got a few 4 letter keywords and trying to say it means this etc.

Never heard of one but welcome to DM and I can try translate from experience.

Any known tools one could use to find local file access via Chrome? Looking for evidence of local file exfiltration via a user's personal Gmail account accessed via Chrome.

MilkFarts

Any known tools one could use to find local file access via Chrome? Looking for evidence of local file exfiltration via a user's personal Gmail account accessed via Chrome.

Windows, Linux or mac?

1

Jason

Windows, Linux or mac?

Windows

MilkFarts

Windows

Parse SRUM. Hopefully the NetworkUsages table is present.

anyone from @Cellebrite available for a question about digital collector ?

1

MilkFarts

Any known tools one could use to find local file access via Chrome? Looking for evidence of local file exfiltration via a user's personal Gmail account accessed via Chrome.

That's going to be rough. You'll get the URLs that may give you an indication

3:10 AM

SRUM may be useful depending on what they're taking but bearing in mind attachments are going to be 10mb unless they hit google drive, and that standard internet activity can be that size it might not spike up

3:10 AM

You may get something in cache/leveldb/chrome file system

3X3

Anyone exclusively moved to Windows 11 for their forensic machines, and if so, have you had any problems with any software tools not working as expected?

Pleasantly surprised that PA Ultra is running well on Win11 Pro during the CTF. Mind you, it's a beefy spec machine, so that might be helping all the various pieces of the puzzle 'just get along'.

1

g h

Pleasantly surprised that PA Ultra is running well on Win11 Pro during the CTF. Mind you, it's a beefy spec machine, so that might be helping all the various pieces of the puzzle 'just get along'.

i'd love someone to compare that on an equivalent spec machine (with W10), just had to help a neighbours kid. new "gaming" PC with W11 on. runs like a 3 legged blind donkey. this mc here is 5-6yrs older, and W10 runs a good deal quicker. with Linux on it it's like shit off a teflon shovel (edited)

1

Separate NVMe drives makes a big difference to Ultra, as per the CTF video on setting up PA

2

MilkFarts

Any known tools one could use to find local file access via Chrome? Looking for evidence of local file exfiltration via a user's personal Gmail account accessed via Chrome.

Try the Windows Search Index too. Try SIDR on GitHub

Original message was deleted or could not be loaded.

#mobile-forensic-decoding ?

@Magnet Forensics - anyone free to talk about Slack collection ? can they DM me

1

Digitalferret

i'd love someone to compare that on an equivalent spec machine (with W10), just had to help a neighbours kid. new "gaming" PC with W11 on. runs like a 3 legged blind donkey. this mc here is 5-6yrs older, and W10 runs a good deal quicker. with Linux on it it's like shit off a teflon shovel (edited)

I feel like it would run a lot better if it used more than 2 cores.

1

MilkFarts

Any known tools one could use to find local file access via Chrome? Looking for evidence of local file exfiltration via a user's personal Gmail account accessed via Chrome.

Cellebrite Inspector is pretty nice with internet and browser artifact parsing, albeit processing speeds. I also use OSForensics a lot for the User Activity modules that clump the SRUM, Event Logs, Browser, etc together nicely into a timeline- works really quick.

MilkFarts

Any known tools one could use to find local file access via Chrome? Looking for evidence of local file exfiltration via a user's personal Gmail account accessed via Chrome.

AXIOM is my go-to

do you know how to mount .aff4 on linux ?

emilie_

do you know how to mount .aff4 on linux ?

Have a look at affuse, or a tool which uses it. IIRC, imagemounter uses affuse. (edited)

thank you

When does an app change app id? I have a file that iam pretty sure it comes from an app but when i check that app it has a diffrent appid

Anyone know of any tried and tested tools for taking a full copy of a current Windows installation with software etc. installed, and creating a .ISO or bootable installation media containing all installed software.

2:45 AM

Essentially looking to clone an installation onto other machines.

i used macrium reflect to move or restore working instalations

3X3

Anyone know of any tried and tested tools for taking a full copy of a current Windows installation with software etc. installed, and creating a .ISO or bootable installation media containing all installed software.

https://clonezilla.org/ also possible and it's free

Do both of these solution require the boot drive to be removed and cloned to? (Apologies, was out of office) (edited)

Emtek

When does an app change app id? I have a file that iam pretty sure it comes from an app but when i check that app it has a diffrent appid

Relating to Windows? Could be a different version of the same app. https://github.com/EricZimmerman/JumpList/blob/master/JumpList/Resources/AppIDs.txt For example ^^

JumpList/JumpList/Resources/AppIDs.txt at master · EricZimmerman/Ju...

Contribute to EricZimmerman/JumpList development by creating an account on GitHub.

Emtek

When does an app change app id? I have a file that iam pretty sure it comes from an app but when i check that app it has a diffrent appid

AppID is a hash of the path of the executable. If an update changes the path at all, or the executable moves for any other reason = different AppID https://www.hexacorn.com/blog/2013/04/30/jumplists-file-names-and-appid-calculator/

adam

JumpLists file names and AppID calculator

2

1

We were awarded with the High Technology Crime Investigation Association's (HTCIA's) "Case of the Year" last week for our work in the ongoing Bhima Koregaon case. Many of you are now familiar with this case, which involves electronic evidence tampering resulting in a staggering human cost - imprisonments >5 years and now one death. For those that are not yet familiar with the case, here are some resources:

3

5:46 AM

Arsenal reports with exhibits: First Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-I.zip Second Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-II.zip Third Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Surendra-Gadling-Report-III.zip Fourth Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-IV.zip Fifth Report: https://ArsenalExperts.com/persistent/resources/pages/BK-Case-Stanislaus-Lourduswamy-SJ-Report-V.zip Washington Post coverage of Arsenal’s reports: https://www.washingtonpost.com/world/asia_pacific/india-bhima-koregaon-activists-jailed/2021/02/10/8087f172-61e0-11eb-a177-7765f29a9524_story.html https://www.washingtonpost.com/world/2021/04/20/india-bhima-koregaon-activists-report/ https://www.washingtonpost.com/world/2021/07/06/bhima-koregaon-case-india/ https://www.washingtonpost.com/world/2022/12/13/stan-swamy-hacked-bhima-koregaon/ Links to an article about a new analysis technique and open source tools developed by Joakim Schicht during this case: https://arsenalrecon-dev.s3.amazonaws.com/arsenal-forensic-analysis-of-the-netwire-stack-dfm-article---promotional.pdf https://github.com/ArsenalRecon/NetWireStackForensics https://github.com/ArsenalRecon/NetWireLogDecoder (edited)

5:50 AM

I think we can all agree that most (nearly all) claims of "electronic evidence tampering" are absurd, if not comical. This case involves actual electronic evidence tampering, and at an incredible scale. The fact that extremely detailed digital forensics reports are publicly available is a gift, so please take it. Officially, we have been called liars and our findings "rather weird" - each of you should decide for yourselves.

SkyNow TV DRM platform, Microsoft’s PlayReady DRM decryption keys got leaked some time ago. Source of piracy is scalable for VOD channels without premium subscriptions. Most firms don't bother about CA/DRM vulnerability management. In fact never mentioned within the security community. pirates apps often embded 'drm decryption keys' but employ tls pinning

Thought I'd share as people may find it cool to read. (edited)

same old, same old. mate years ago made his fortune selling "Sky Cards" - DIY programmable PIC controller PCB. dudes bought the PCB's "for educational purposes" and d/l'd the code from newsgroups. worldwide trade. he had money pouring in (edited)

Most security firms don't even bother patching their DRM, and they wonder why people exploiting their systems. Maybe if they added a calendar reminder once in a while to patch their DRM systems. Piracy is lucrative business, no doubt her made alot of money from it. (edited)

However, most of the piracy existing today (telegram piracy) channels often scam or often employ credential stuffing, embed malicious payloads in links or phishing techniques in linking sites (website that provides organized and searchable hyperlinks that direct a user to content hosted on other pirates websites) and exploit consumers of pirate content. One individual deiced take part in a ponzi scheme to scam people. (edited)

$CozyBear

Click to see attachment 🖼️

some guys

Thought I'd shed some new light on the digital forensics community. Hope it was insightful xD. (edited)

1

sounds like another case for Pirogi

(edited)

Digitalferret

sounds like another case for Pirogi

(edited)

Ive always wanted to help that man. my blackhat days were spent messing with those tards (edited)

I'm 21, idk if too young to know him. (edited)

ScammerPayback

$CozyBear

I'm 21, idk if too young to know him. (edited)

youtube it

^

i played my own games with them.

1

At least im not the only one

let them carry on showing me ordinary Win error msg logs.

2

3

2:56 PM

then i say "whoa, i think I know what the issue is!"...

2:56 PM

Yes sir? what is problem.

deletes system32

1

2:56 PM

I think we both need to restart

me: oh it's terrible.... i can actually smell it....

2:56 PM

Sir?

2:56 PM

can you smell....

2:56 PM

oh t is, yes...

2:56 PM

Bullshit

2:56 PM

I just took their data and deleted their systems, making sure to do the 0000000 overwrite overnight. (edited)

more like there's an issue with your DDL files and then precedes on to remotely connecting on to your computer.

it was like playing a slavehack game if you have any clue what that is

3:00 PM

Only the dummys always connected to you

https://www.youtube.com/watch?v=4DL6vyNPbV4

Lewis's Tech

Tech Support Scammer vs Real Malware #2

1

3:00 PM

Looks like something will keep me awake tonight xD, nearly midnight in the UK (edited)

$CozyBear

Looks like something will keep me awake tonight xD, nearly midnight in the UK (edited)

same, yeh, have to be careful not to get on the youtube spiral of doom

23:05 :blink: 02:35

Oh dear Rundll32.exe are maliciously modifying my system too in the background.

Digitalferret

same, yeh, have to be careful not to get on the youtube spiral of doom

23:05 :blink: 02:35

It came down your suggestion and now I'm in the spiral of doom, ADHD issues

(edited)

1

https://www.youtube.com/watch?v=5f-JlzBuUUU - My favorite scientist of all time, massive frantic for biology. If anyone has the time to listen to the podcast on evolutionary biology attempt to listen to it, quite insightful. (edited)

Lex Fridman

Richard Dawkins: Evolution, Intelligence, Simulation, and Memes | L...

My main issue with him is that he's got some pretty radical views

Views of Richard Dawkins

Richard Dawkins is an English ethologist, evolutionary biologist, and writer. Dawkins himself has stated that his political views are left-leaning. However, many of Dawkins's political statements have created controversy among left-wing and atheist communities.

4:19 PM

I mean, the title of his book "The God Delusion" illustrates his views pretty well

I agree, his views are radical to others who hold strong beliefs of their religious systems or may come across bit oppressive in his behavior. Nevertheless, he can very hash when approaching a subject on religion or often described within his rhetrics or terms like megalomaniac and comparable to the small pox virus. i don't really focus much on this side of thinking but his viewpoints on darwinsim. That's where i like him the most, really just biology stuff. (edited)

go find Christopher Hitchins

Id like to do a poll of linux vs windows in this community. Not that either is 'better' than the other. just a weird question lol (edited)

Rock3t

Id like to do a poll of linux vs windows in this community. Not that either is 'better' than the other. just a weird question lol (edited)

There won’t be a standard response as you’d expect in a normal consumer environment (ie do you use linux or windows on your main desktop, choose A or B). You’ll have a tonne of responses, mostly along the lines of ‘it depends’. Which OS for which purpose? Analysis? What kind of analysis? Does using WSL count as Windows or Linux? Does using a Windows VM in QEMU on Linux host count as Windows or Linux? What if I’m just doing corporate stuff and writing reports on my windows box?

1

DeeFIR 🇦🇺

There won’t be a standard response as you’d expect in a normal consumer environment (ie do you use linux or windows on your main desktop, choose A or B). You’ll have a tonne of responses, mostly along the lines of ‘it depends’. Which OS for which purpose? Analysis? What kind of analysis? Does using WSL count as Windows or Linux? Does using a Windows VM in QEMU on Linux host count as Windows or Linux? What if I’m just doing corporate stuff and writing reports on my windows box?

Right thats actually my curiosity is the vast amount of setups youd see. Why people take the different routes they do

5:46 PM

I guess that wouldnt be a poll more a discussion. My lack of wording there misrepresented it

I always say it’s like a socket set, you got standard and metric. You use Windows or Linux depending on the task, but you should be proficient in both.

does anyone here can help me out to find the sql of a disk image of a damaged mobile phone . I been stuck for weeks now no progress at all. Thanks (edited)

Rock3t

Id like to do a poll of linux vs windows in this community. Not that either is 'better' than the other. just a weird question lol (edited)

i prefer Linux environment, but, as per Deefir, it's whatever you pick up as per "tools for the job". PC-3000 requires Windows, so that's what I have. Similarly other proprietary s/w is Windows only and works alongside the DR hardware. Missus hhas no such needs and is happily running an ancient laptop with MX Linux on it (and she's prolly less bamboozled than if it was Tile City on a Win Box)

3:26 AM

Still runing W10 here and no desire to leave it until forced

See I’m like 100% Linux bc I’ll either pass through or virtualize everything. But at the same Time I run into weird problems alllll the time instead of windows where it’s just

8:22 AM

Works

8:23 AM

And like you said there’s certain pieces of software it’s either windows or go home.

Rock3t

Works

yep, and in a professional environment it's as bad as taking a bleeding edge Linux distro and having to rebuild every time the SHTF. you just can't afford the time and effort, or the risk of loss (edited)

Digitalferret

yep, and in a professional environment it's as bad as taking a bleeding edge Linux distro and having to rebuild every time the SHTF. you just can't afford the time and effort, or the risk of loss (edited)

Eh Ive never had these problems. Ive always had problems in windows. All applications work but Ill have the weirdest things and I just couldnt fix them.

10:07 AM

then data recovery for NTFS is just awful. I tried BTRFS and just been in heaven ever since. I had 1 time that my first linux image got corrupted by a bad update bc power went out in the middle of the ending of it (perfect timing). But Fallback image brought it back to life, did a btrfs snapshot replace and boom im up. 2 commands.

10:11 AM

those are my experiences though. Im sure someone can come around and give a ubuntu horror story lol

Rock3t

Eh Ive never had these problems. Ive always had problems in windows. All applications work but Ill have the weirdest things and I just couldnt fix them.

my first taste was redhat 5-ish "dependency hell"

Digitalferret

my first taste was redhat 5-ish "dependency hell"

See that gives me shivers just

10:12 AM

no

10:12 AM

LOL

trying to get mandrake to hook up to the modem. days. forum users not much use at all

10:14 AM

went with Arch when it wasJudd Vinet at the helm, and in its infancy. folks rallied and he crowdsourced funds for a new server. felt like you belonged to something. but always felt you were a few inches short of a proper Linux beard

I was too young to even understand was arch was in those days

but now like DXO photolab - nothing remotely like it on Linux

10:15 AM

snagit-ccamtasia, nada