This category contains 88 posts

NAS Forensics Explained

by Oleg Afonin, Danil Nikolaev & Yuri Gubanov © Belkasoft Research 2015. Network Attached Storage (NAS) has a long track record of corporate deployments. Scaled-down versions (ranging from single-bay to four-drive enclosures) are frequently used at home and in offices. These smaller appliances are often called “personal clouds” for providing some parts of the functionality …

Evidence Acquisition and Analysis from Live Exchange

A great deal of legal and forensic discussion is involved whenever an investigation requires seizing crucial evidence from a live Exchange server. In such an investigation, two things remain in focus: identification of suspect evidence on the network, and a collection approach that preserves the exactitude of the evidence. There has been …

Acquiring Windows PCs

by Oleg Afonin, Danil Nikolaev and Yuri Gubanov. In our previous article, we talked about acquiring tablets running Windows 8 and 8.1. In this publication, we will talk about the acquisition of Windows computers – desktops and laptops. This class of devices has its own share of surprises when it comes to acquisition. The obvious …

SQLite Database Forensics – ‘Sleep Cycle’ Case Study

Recently one of our users, Dan Saunders, was kind enough to write up his experience using the Forensic Browser for SQLite on a database that was not supported by any other forensic tool – this is his story: SQLite databases are becoming more and more of a focal point for present-day digital forensics …

Data Recovery As A Medium For Email Forensics

Data recovery is the technique adopted for salvaging data from an inaccessible state, which may have arisen through deletion, corruption, or failure of the storage medium. On an operating system, data is saved in the form of files (be they documents, music, images, applications, settings, etc.) and thus it is normally salvaged from …

Investigation and Intelligence Framework (IIF) – an evidence extraction model for investigation

Authors: Alan, Kelvin, Anthony and Zetta (VXRL). Disclaimer: This framework was first introduced at DFRWS EU 2014 (the first DFRWS conference in Europe), held in Amsterdam in May, and later presented at Hacks in Taiwan 2014 (HITCON), a high-tech security conference held in Taiwan in August. Abstract: Digital forensics investigators are facing new challenges every …

Can You Get That License Plate?

We find ourselves analyzing new surveillance videos almost every day, and in most cases we can either solve the problem very quickly or understand (even quicker) that there is no information to recover in the video. In special cases though, where something very specific and strange happened, or the problem is very complex, it can take …

How To Decrypt WeChat EnMicroMsg.db Database?

WeChat is a smartphone application where users can chat with their friends and share pictures, videos and audio messages. Users can also make free video and voice calls with their friends as long as they have an Internet connection. Recently, we received a request from a law enforcement agency to extract WeChat chat messages from an Android mobile …

Why Offender Profiling is Changing Thanks to Mobile Forensics and Increasingly ‘Social’ Criminal Activity

by Yuval Ben-Moshe, senior director of forensic technologies at Cellebrite. Mobile forensics has changed the methodology when it comes to offender profiling. The frequent use of mobile devices has provided investigators with another source for profiling criminal suspects, as well as an insight into their habits and personalities. This is not just because of the …

WeChat Forensics

The rapid growth in the use of OS X has inspired forensic researchers to analyze devices such as the iPad, iPhone and Mac in depth. Consequently, OS X forensics, starting with Jonathan Zdziarski in 2008, became a very hot topic. However, most of the research and training is focused on file system analysis. Although there are some …

DFRWS Europe 2014 Annual Conference – Recap

This article is a recap of some of the main highlights of the Digital Forensics Research Workshop (DFRWS) held in Amsterdam from the 7th – 9th of May; over the next few weeks we will also be bringing you a number of interviews and research updates from the conference. Conference Highlights: DFRWS brought together academics …

Forensics Europe Expo 2014 – Recap

Forensic Focus attended the Forensics Europe Expo at Kensington Olympia on the 29th & 30th of April. This article is a recap of some of the main highlights, and over the next few weeks we will also be bringing you a number of interviews recorded at the expo. The Digital Forensics part of the Expo …

Samsung Galaxy Android 4.3 Jelly Bean acquisition using Joint Test Action Group (JTAG)

There have been some issues during data acquisition from Samsung Galaxy devices running Android 4.3 (Jelly Bean), even when following the recommended steps for Logical File Dump, File System, or Physical acquisition with Cellebrite UFED Touch, Classic, and UFED4PC. All were unable to connect even when the mobile device was in …

Detecting Forged (Altered) Images

Are digital images submitted as court evidence genuine, or have the pictures been altered or modified? We developed a range of algorithms performing automated authenticity analysis of JPEG images, and implemented them in a commercially available forensic tool. The tool produces a concise estimate of the image’s authenticity, and clearly displays the probability of the …

Catching the ghost: how to discover ephemeral evidence with Live RAM analysis

Oleg Afonin and Yuri Gubanov, © Belkasoft Research, 2013. Belkador Dali, “Losing Volatile Evidence”. All rights reserved. Ephemeral Evidence: Until very recently, it was standard practice for European law enforcement agencies to approach running computers with a “pull-the-plug” attitude, without recognizing the amount of evidence lost with the content of the computer’s volatile …
