File Systems

This category contains 23 posts

Geo-tagging & Photo Tracking On iOS

As you may already know, Apple has long been criticized for using its extremely popular devices to track users and for feeding that information into its own databases. This tutorial assumes that you have already jailbroken your device and that you know how to navigate the iOS menus; if you don’t, check out our other articles … Continue reading »

Interpretation of NTFS Timestamps

Introduction File and directory timestamps are one of the resources forensic analysts use to determine when something happened, or in what order a sequence of events took place. As these timestamps are usually stored in some internal format, additional software is needed to interpret them and translate them into a format an analyst can … Continue reading »

Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images

When the authors first published this paper, their intention was to develop a comprehensive guide to digital forensic timelines in order to consolidate the many fragmented sources of information concerning this topic. What they discovered, however, was that quality references were often challenging to find among various books, papers, periodicals, filesystem specifications and source code. … Continue reading »

Parallels hard drive image converting for analysis

Abstract The other day, talking to one of the analysts in Dallas, a question emerged about analyzing Parallels’ virtual machine hard drives. To my surprise, I did not find much help on this issue online and did not find tools that would interpret the file system in Parallels’ hard drive images. The simplest way I … Continue reading »

Android Forensics Study of Password and Pattern Lock Protection

Let’s see what Pattern Lock is, and how to access, determine or even get rid of it. We’ll also speak about Password Lock Protection and find out what it has in common with Pattern Lock. And finally we’ll try to understand how these locks relate to the forensic investigation process. What is Pattern Lock? Generally, pattern lock … Continue reading »

Standard Units in Digital Forensics

by Dr Chris Hargreaves, Lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK. One of the earliest lectures in the MIT OpenCourseWare programme in Physics begins with the lecture “Units and Dimensional Analysis”. Units of measurement are critical to science, so much so that there is a standard that defines science’s … Continue reading »

Windows Search forensics

Analyzing the Windows (Desktop) Search Extensible Storage Engine database by Joachim Metz jbmetz@users.sourceforge.net Summary While some may curse Windows Vista for all its changes, for us forensic investigators it also introduced interesting new ‘features’. One is the integration of Windows (Desktop) Search into the operating system. Most corporations have been reluctant to adopt Vista; however, … Continue reading »

EnCase file copying and Windows Short File Names

First published May 2010 By Lee Hui Jing, EnCe Edited by Sarah Khadijah Taylor ABSTRACT A couple of months ago, one of my clients, an Investigating Officer from a Law Enforcement Agency, asked me to extract some files from an image copy of a hard disk. The total number of files to … Continue reading »

Timeline Analysis – A One Page Guide

First published February 2010 by Darren Quick Comments and suggestions may be sent to darren_q@hotmail.com Prepare The scope of the request determines the data to be collected, such as data within a specific timeframe, and data of relevance such as specific documents, pictures or video. Data can come from multiple computers, other digital data holdings, or other … Continue reading »

Shrinking the gap: carving NTFS-compressed files

First published October 2009 Recovering deleted NTFS-compressed files By Joachim Metz Hoffmann Investigations http://www.hoffmannbv.nl 1.0 Joachim Metz September 2, 2009 Initial version. Summary An important part of digital forensic investigation is the recovery of data, particularly files. The recovery of data and files depends heavily on the recovery tooling used. This paper focuses on a … Continue reading »

Simple Steganography on NTFS when using the NSRL

First published October 2009 Adam Hurwitz ahurwitz@biaprotect.com Business Intelligence Associates, Inc. 39 Broadway, NYC, NY 10006 Abstract NTFS is structured so that there can be a physical separation of the data that comprises a file and the properties or metadata of the file. One side-effect of this is that when a file is hashed on … Continue reading »

Linux for computer forensic investigators: «pitfalls» of mounting file systems

First published October 2009 by Suhanov Maxim ITDefence.Ru Introduction A forensic Linux distribution is a customized Linux distribution that is commonly used to complete different tasks during computer forensics investigations. These distributions are often used to complete the following tasks: – Quick preview of various data storage devices (for example, to determine the installed operating system); – … Continue reading »

Apple Property List: Comparing the Mac OS X Property List to the Windows Registry

First published April 2009 Dennis Browning Champlain College Burlington, VT dennisbrowning@gmail.com Abstract This paper will introduce the Property Lists in Apple OS X and compare them to the Microsoft Windows Registry. Within this paper we will also examine how important some of the Property Lists can be to an examination. Examples of crucial information … Continue reading »

Forensic Analysis of the Microsoft Windows Vista Recycle Bin

First published May 2008 By Mitchell Machor MMachor@gmail.com 1/22/2008 Introduction Contrary to popular belief, when a file is deleted on a Microsoft operating system, it still exists on the computer. It is hidden away in a location commonly known as the Recycle Bin. … Continue reading »

Potential Impacts of Windows Vista on Digital Investigations

First published December 2007 by Christopher Hargreaves and Howard Chivers Paper received 30th April, 2007. C.J.Hargreaves, Cranfield University, Defence Academy of the United Kingdom, Shrivenham, SN6 8SW (+44 (0)1793 785753; e-mail: c.j.hargreaves@cranfield.ac.uk). H.Chivers, Cranfield University, Defence Academy of the United Kingdom, Shrivenham, SN6 8SW (+44 (0)1793 785656; e-mail: h.chivers@cranfield.ac.uk). From Proceedings of Advances in Computer Security and … Continue reading »
