This category contains 32 posts

What Changes Do We Need To See In eDiscovery? Part VI

by Harold Burt-Gerrans Welcome to Part 6, the last in this series. In case you’re joining late, the previous parts are available as follows: Standards; Standards and De-Duplication Levels; New Approach to Managing Duplicative Documents; Family Level Coding; Recursive De-Duplication and Time Zones. With salutations to Monty Python: “And now for something completely different…” Languages: Several …

What Changes Do We Need To See In eDiscovery? Part V

by Harold Burt-Gerrans Welcome to Part 5. As promised in Part 4, I’ll start by discussing recursive de-duplication. Recursive De-Duplication: Using Aliases Within De-Duplication. I can’t count the number of times that clients have complained about X.400/X.500 addresses in emails. Unfortunately, if the collected data comes with those address structures and not, we’re stuck with …

What Changes Do We Need To See In eDiscovery? Part IV

by Harold Burt-Gerrans In Part 3, I introduced the concept of consolidating duplicates by tracking Metadata at a DocID level and coding and/or document actions at a Document Level. For ease, I’m duplicating part of the example charts here as I will refer back to them to illustrate some of the following discussion. Sample Current Data …

What Changes Do We Need To See In eDiscovery? Part III

by Harold Burt-Gerrans Duplicative Documents: At the end of Part 2, I put forth an argument that de-duplication should always be done globally to bring the data set down to just unique documents. And now that you’re convinced (or should have been) that Global De-Duplication is the only way to go, I’m going to completely blow …

What Changes Do We Need To See In eDiscovery? Part I

by Harold Burt-Gerrans I’m approaching this multi-part article from a software development point of view, as I believe many of the following issues have been brought about by the evolution of eDiscovery software following the procedures used by handling boxes of paper. Historically, my opinion has been that eDiscovery software providers have engineered new features …

Imm2Virtual: A Windows GUI To Virtualize Directly From Disk Image File

This is a Windows 64-bit GUI for a procedure to virtualize an EWF (E01), DD (raw) or AFF disk image file directly in VirtualBox, without converting it. The procedure is forensically sound: the image file itself is not modified.

Attributing A Third Party To A Recovered (Deleted) IOS SMS Message

In a recent forensic case involving recovered deleted SMS messages from an sms.db file on an iOS mobile device, none of the mainstream mobile phone forensic software made the link between sender and recipient for the recovered records of interest. I have been asked a few times recently about obtaining the third party of a …

Browser Anti Forensics

This write-up demonstrates how one’s browser history can be led off track, misleading the examiner. An investigator can identify it by noticing the oddity in the history; a sample is given in Figure 2. Let’s first take a closer look at this page below (Figure 1): the URL (says and the title of tab …

Forensics Europe Expo 2014 – Recap

Forensic Focus attended the Forensics Europe Expo at Kensington Olympia on the 29th and 30th of April. This article is a recap of some of the main highlights, and over the next few weeks we will also be bringing you a number of interviews recorded at the expo. The Digital Forensics part of the Expo …

WhatsApp – discovering timestamps of deleted messages

ABSTRACT: This is a procedure for locating and parsing the timestamps of deleted messages in the Android WhatsApp database. I did a little reverse engineering, using the hexadecimal tool of Physical Analyzer (UFED by Cellebrite), of the database of the popular messaging app WhatsApp for Android, because P.A. 3.8.6 does not display deleted WhatsApp messages, at least on …

OS X Mavericks Metadata

Apple recently released the newest version of their desktop operating system, Mac OS X Mavericks. As a free update to all supported Apple desktops and laptops, a wide adoption rate was expected, and in fact it was estimated that within the first 24 hours, 5.5% of all Mac laptops and desktops were already running the …

KS – an open source bash script for indexing data

ABSTRACT: This is a keyword searching tool that works on allocated data, unallocated data and slack space, using indexer software and database storage. Often during a computer forensics analysis we need to have all the keywords indexed into a database for making many …

What are ‘gdocs’? Google Drive Data – part 2

Following up from the recent post on Google Drive, which was designed to give a high-level introduction to the product, this post will delve a bit deeper into the technical issues relating to the data stored and also the best approach to accessing it. The artefacts discussed in this post are based on Windows …

What are ‘gdocs’? Google Drive Data

As “the Cloud” (a varied mix of internet-based services ranging from web-based email accounts and on-line storage to services that synchronise data across multiple computers) becomes more relevant, and the dominance of the PC or tablet as the exclusive “home” for data reduces, the days when simply taking a snapshot of a computer to capture …

Windows 8: Important Considerations for Computer Forensics and Electronic Discovery

Introduction: Documents identified by computer forensic investigations in civil litigation typically require review and analysis by attorneys to determine if the uncovered evidence could support causes of action such as breach of contract, breach of fiduciary duty, misappropriation of trade secrets, tortious interference, or unfair competition. In addition, bit-for-bit forensic imaging of workstations is also …
