This category contains 20 posts

Forensic Analysis of SQLite Databases: Free Lists, Write Ahead Log, Unallocated Space and Carving

SQLite is a widely popular database format that is used extensively pretty much everywhere. Both iOS and Android employ SQLite as a storage format of choice, with built-in and third-party applications relying on SQLite to keep their data. A wide range of desktop and mobile Web browsers (Chrome, Firefox) and instant messaging applications use SQLite, … Continue reading

A guide to RegRipper and the art of timeline building

Background I have often heard RegRipper mentioned on forums and websites and how it was supposed to make examining event logs, registry files and other similar files a breeze (the event logs and the other files isn’t per say examined by RegRipper, but they will be used for creating timelines further on in this post with … Continue reading

Recovering Evidence from SSD Drives in 2014: Understanding TRIM, Garbage Collection and Exclusions

We published an article on SSD forensics in 2012. SSD self-corrosion, TRIM and garbage collection were little known and poorly understood phenomena at that time, while encrypting and compressing SSD controllers were relatively uncommon. In 2014, many changes happened. We processed numerous cases involving the use of SSD drives and gathered a lot of statistical … Continue reading

Understanding Cyber Bullying – Notes for Digital Forensics Examiners

by Carole Phillips The phenomenon of cyber bullying has received a significant amount of attention in the last decade and literature in this field has grown exponentially with advice and guidance on how to deal with cyber bullying. Yet the term cyber bullying did not exist in the public’s consciousness a decade ago and the … Continue reading

Coming apart at the SIEMs …

Security Information and Event Management (SIEM)1 systems are all the rage at the moment – and with good cause. As you are all aware, one item of data2 does not a case make, it is the combination & correlation between _all_ of the data that creates “evidence” – and here in the SIEM we are … Continue reading

Extracting Evidence from Destroyed Skype Logs and Cleared SQLite Databases

Summary This article describes common approaches used for the recovery of cleared Skype histories and deleted chat logs, and discusses methods and techniques for recovering evidence from cleared and damaged SQLite databases. Introduction It is difficult to underestimate popularity of Skype. Hundreds of millions of people use Skype every day, generating a lot of potential … Continue reading

Does Deviant Pornography Use Follow A Guttman-Like Progression?

by Kathryn C. Seigfried-Spellar (a), Marcus K. Rogers (b) (a) The University of Alabama, Tuscaloosa, AL 35487, USA (b) Purdue University, West Lafayette, IN 47907, USA Abstract This study investigated whether deviant pornography use followed a Guttman-like progression in that a person transitions from being a nondeviant to deviant pornography user. In order to observe … Continue reading

Cyberbullying – a growing concern in a connected society

Megan Meier was just twelve years old when the events began that would ultimately lead to her death. Like many teenagers, Megan had accounts on common social networks, including MySpace, where she first met “Josh Evans”. Ostensibly a sixteen-year old boy, “Josh” was actually an accumulation of Sarah, an old friend of Megan’s, Sarah’s mother, … Continue reading

KS – an open source bash script for indexing data

KS – an open source bash script for indexing data ABSTRACT:  This is a keywords searching tool working on the allocated, unallocated data and the slackspace, using an indexer software and a database storage . Often during a computer forensics analysis we need to have all the keywords indexed into a database for making many … Continue reading

Bad Sector Recovery

Bad Sector Recovery Hard drives are built in a way so that they never return unreliable data. This means that if a hard drive cannot guarantee 100 percent accuracy of the data requested, it will simply return an error and will never give away any data at all. This article explains how bad sector recovery … Continue reading

Forensic Artifact: Malware Analysis in Windows 8

Windows is the most used operating system worldwide. I have met a lot of IT guys in my country and also other computer elites. My discovery was that 90 percent of them use Windows. I felt maybe that was just in my country, then I decided to contact some friends from UK, USA, India, and … Continue reading

Forensic Analysis of Windows 7 Jump Lists

Forensic Analysis of Windows 7 Jump Lists Abstract The release of Microsoft Windows 7 introduced a new feature known as Jump Lists which present the user with links to recently accessed files grouped on a per application basis.  The records maintained by the feature have the potential to provide the forensic computing examiner with a … Continue reading

The need for Transnational and State-Sponsored Cyber Terrorism Laws and Code of Ethics

Today, terrorists are making the best use of information technology to carry out their objectives. The NATO definition of cyber terrorism is “a cyber attack using or exploiting computer or communication networks to cause sufficient destruction to generate fear or to intimidate a society into an ideological goal” (Everard P, 2007 p 119). Cyber terrorism … Continue reading

IPOD – Timestamps secrets

ABSTRACT This is a description how the Apple Ipod/Iphone stores the timestamps into their plist files. After an experiment we tried to order the various ways that Apple Idevices manage and store these data. We found the timestamps into PlayCounts.plist are in local time and not in absolute time GMT. During an experiment on an … Continue reading

New Linux Distro for Mobile Security, Malware Analysis, and Forensics

by Jay Turla, a contributor to InfoSec Resources. A new GNU/Linux distribution or distro designed for helping you in every aspect of your mobile forensics, mobile malware analysis, reverse engineering and security testing needs and experience has just been released and its alpha version is now available for download. It’s called Santoku Linux. Santoku is a general … Continue reading


Get every new post delivered to your Inbox.

Join 735 other followers