KS – an open source bash script for indexing data ABSTRACT: This is a keyword-searching tool that works on allocated and unallocated data and the slack space, using indexer software and database storage. Often during a computer forensics analysis we need to have all the keywords indexed into a database for making many … Continue reading
Bad Sector Recovery Hard drives are built in a way so that they never return unreliable data. This means that if a hard drive cannot guarantee 100 percent accuracy of the data requested, it will simply return an error and will never give away any data at all. This article explains how bad sector recovery … Continue reading
by Yuri Gubanov yug@belkasoft.com, Oleg Afonin aoleg@voicecallcentral.com Belkasoft Ltd. http://belkasoft.com Abstract Solid State drives (SSD) introduced dramatic changes to the principles of computer forensics. Forensic acquisition of computers equipped with SSD storage is very different from how we used to acquire PCs using traditional magnetic media. Instead of predictable and highly possible recovery of information the … Continue reading
Smartphones are changing the IT and Communication landscape vastly. A Smartphone can do almost every good thing a computer can do. Today most corporate employees access and manage their official emails through the e-mail client installed on their Smartphone. Right from booking movie tickets to making fund transfers, all e-commerce and online banking … Continue reading
by Yuri Gubanov yug@belkasoft.com Belkasoft Ltd. http://belkasoft.com Abstract This article describes the various types of digital forensic evidence available on users’ PC and laptop computers, and discusses methods of retrieving such evidence. Download article in PDF format Introduction Recent research conducted by Berkeley scientists concluded that up to 93% of all information never leaves the digital domain. This … Continue reading
Abstract The other day, talking to one of the analysts in Dallas, a question emerged about analyzing Parallels’ virtual machine hard drives. To my surprise, I did not find much help on this issue online and did not find tools that would interpret the file system in Parallels’ hard drive images. The simplest way I … Continue reading
Introduction A great number of the mobile phones used worldwide every second require special knowledge and skills from forensic experts. More often it is not enough to be an experienced expert in computer forensics to understand all the peculiarities and difficulties of the mobile forensics. This article describes technical problems encountered by specialists in mobile … Continue reading
Introduction In the forensic lab where I work, we frequently investigate malware-infected workstations. As our user population started shifting from Internet Explorer to Firefox, we observed that one of our favorite forensic tools, Kristinn Gudjonsson’s log2timeline, wasn’t able to provide as much data for Firefox as it was for IE. The missing component was cache … Continue reading
Barely three weeks after I penned Another Judge Rules Encryption Passphrase not Testimonial Under Fifth Amendment Analysis, the Eleventh Circuit has held that a defendant’s “decryption and production of the hard drives’ contents would trigger Fifth Amendment protection because it would be testimonial, and that such protection would extend to the Government’s use of the drives’ contents.” For … Continue reading
By Todd G. Shipley and Bryan Door (A complete copy of this white paper and its figures and diagrams can be found at http://www.nfdrtc.net). WHAT WE HAVE BEEN TAUGHT Imaging of hard drives has been the mainstay of the “Science” part of digital forensics for many years. It has been articulated by many, including us, … Continue reading
Let’s see what Pattern Lock is, how to access, determine or even get rid of it? We’ll also speak about Password Lock Protection and find out what it has in common with Pattern Lock. And finally we’ll try to understand how these locks are related to forensic investigation process. What is Pattern Lock? Generally pattern lock … Continue reading
First published April 2005 by ActionFront Data Recovery Labs http://www.ActionFront.com Data Recovery Handling Tips & ESD Precaution Mishandling is a leading cause of hard disk drive failure. ESD (Electrostatic Discharge) A familiar form of Electrostatic Discharge, often called “static electricity”, is the shock we receive after walking across a carpet. In a technical environment, ESD … Continue reading
First published April 2005 by ActionFront Data Recovery Labs http://www.ActionFront.com Do-It-Yourself data recovery software may complicate your problems and diminish the prospects of a successful recovery. The object of many fix/doctor/repair programs is to try to make the drive, file-system or volume usable – not to recover existing data. Do not run any program or … Continue reading
First published March 2005 by Charles H. Sobey, Chief Scientist of ChannelScience [Note from Jamie Morris, Forensic Focus – In February 2005 Nick Majors of ActionFront Data Recovery Labs Inc. happened to post a link in the Forensic Focus forums to a whitepaper commissioned by his company in April last year. With his kind permission … Continue reading
First published January 2005 by Greg Duffield Your worst nightmare just became a horrifying reality. You keep hearing that little voice in your head mockingly shout “you should have backed that stuff up.” The voice keeps echoing throughout your head as you perform a quick inventory of all the important information that you just lost… your … Continue reading