This category contains 30 posts

SQLite Database Deleted Records Carving & Forensics

SQLite is a compact database engine highly integrated with embedded devices and locally used applications in various Operating Systems. Recent years have seen extensive usage of portable devices like tablets, smartphones, etc. and this has given rise to adaption of the SQLite application. It also amplifies the chances for surfacing digital evidence using forensic analysis … Continue reading

Microsoft Edge Browser Forensics – Exploring Project Spartan

Formerly known as Internet Explorer and then as Project Spartan, Microsoft Edge Browser has evolved a lot. From the User Interface to the technology it’s built upon, the browser has completely changed in its variant meant for Windows 10. This post will provide an insight into the artifacts left behind on the local machine by … Continue reading

Evidence Acquisition and Analysis from Live Exchange

A great amount of legal and forensics discussion is involved when there is an investigation procedure that involves the seizing of crucial evidence from Live Exchange server. Whenever there is such an investigation, two things remain in focus: identification of suspect evidence from the network, and a collection approach that maintains exactitude of evidence. There has been … Continue reading

Data Recovery As A Medium For Email Forensics

Data Recovery is the technique adopted for salvaging data from an inaccessible state which could have arrived due to deletion, corruption, or failure of the storage medium. On an Operating System, the data is saved in the form of “File” (be it documents, music, images, applications, settings etc.) and thus it is normally salvaged from … Continue reading

Carving out the Difference between Computer Forensics and E-Discovery

Over the past few years, it has been noticed that computer forensics and E-discovery have been buzzwords in the computer security arena and in legal societies. Although both of them refer to the process of handling digital data, is there any difference between them? To clear the confusion further we need to … Continue reading

Browser Anti Forensics

This write-up is just to demonstrate how one’s browser history can go off track, misleading the examiner. An investigator can identify it by noticing the oddity in the history; a sample is given in Figure 2. Let’s first take a closer look at this page below (Figure 1) – the URL (says and the title of tab … Continue reading

Forensics Europe Expo 2014 – Recap

Forensic Focus attended the Forensics Europe Expo at Kensington Olympia on the 29th & 30th of April. This article is a recap of some of the main highlights and over the next few weeks we will also be bringing you a number of interviews recorded at the expo. The Digital Forensics part of the Expo … Continue reading

WhatsApp – discovering timestamps of deleted messages

ABSTRACT: This is a procedure for locating and parsing deleted message timestamps in the Android WhatsApp database. I did a little reverse engineering, using the hexadecimal tool of Physical Analyzer (UFED by Cellebrite), of the database of the popular messaging app WhatsApp for Android, because P.A. 3.8.6 does not display deleted WhatsApp messages, at least on … Continue reading

OS X Mavericks Metadata

Apple recently released the newest version of their desktop operating system, Mac OS X Mavericks.  As a free update to all supported Apple desktops and laptops, a wide adoption rate was expected, and in fact it was estimated that within the first 24 hours, 5.5% of all Mac laptops and desktops were already running the … Continue reading

KS – an open source bash script for indexing data

ABSTRACT: This is a keyword searching tool working on the allocated and unallocated data and the slack space, using indexer software and database storage. Often during a computer forensics analysis we need to have all the keywords indexed into a database for making many … Continue reading

What are ‘gdocs’? Google Drive Data – part 2

Following up from the recent post on Google Drive, designed to give a high level introduction to the product, this post will delve a bit deeper into the technical issues relating to the data stored and also the best approach on how to access it. The artefacts discussed in this post are based on Windows … Continue reading

What are ‘gdocs’? Google Drive Data

As “the Cloud” (a varied mix of internet based services ranging from web-based email accounts, on-line storage and services that synchronise data across multiple computers) becomes more relevant and the dominance of the PC or tablet as the exclusive “home” for data reduces, the days when simply taking a snapshot of a computer to capture … Continue reading

Windows 8: Important Considerations for Computer Forensics and Electronic Discovery

Introduction: Documents identified by computer forensic investigations in civil litigation typically require review and analysis by attorneys to determine if the uncovered evidence could support causes of action such as breach of contract, breach of fiduciary duty, misappropriation of trade secrets, tortious interference, or unfair competition. In addition, bit-for-bit forensic imaging of workstations is also … Continue reading

Collecting and Processing Bloomberg Data

A few years ago, Bloomberg data may have been relatively unusual, however today we see Bloomberg chat and email data being collected quite frequently. Not a surprise really considering some of the headlines relating to certain Banks and Financial institutions of late. Below are some examples of the tips, tricks and considerations involved in working … Continue reading

Evernote from a Forensic Investigation Perspective

by Stuart Clarke, Millnet. Recently we have been looking at Evernote from a forensic investigation perspective, as we feel it is a great product which will grow in popularity, and therefore wanted to share some initial findings. While at the 2012 CEIC conference I had a discussion with Chris Dale from the e-Disclosure Information Project about … Continue reading

