Forensics 101

This category contains 85 posts

Making Complex Issues Simple: A Unique Method To Extract Evidence From RAID With Lost Configuration

by Alexander Leonenko Today we would like to talk about RAID arrays with lost configuration and how to extract evidential data from them. Let’s start with understanding what a RAID is in the first place. RAID. What is it? RAID is a Redundant Array of Independent Drives. The system shows it as a virtual storage …

Employee Turnover And Computer Forensic Analysis Best Practices

by Larry Lieb Organizations historically have struggled with addressing terminated employees’ important evidence sources such as company-issued laptops, oftentimes materially affecting the organization’s ability to deal effectively with disputes that arise after an employee leaves the company. This article will provide a documented, transparent, and repeatable process with actual tools to identify and correctly preserve …

Finding And Interpreting Windows Firewall Rules

by Joakim Kävrestad Determining with whom and in what way a computer has communicated can be important and interesting in several types of examinations. Communications can be an important part of analyzing if and how a computer has been remote controlled or with whom the computer has shared information. It can also be a good …

From Crime To Court: Review Principles For UK Disclosure

by Hans Henseler UK Law Enforcement agencies are facing significant challenges related to digital evidence disclosure in criminal prosecution cases. Suspects who are charged with a crime must have access to all relevant evidence to ensure a fair trial, even if the evidence can undermine the prosecution. To avoid disclosure errors and ensure that digital …

Leveraging DKIM In Email Forensics

by Arman Gungor My last article was about using the Content-Length header field in email forensics. While the Content-Length header is very useful, it has a couple of major shortcomings: Most email messages do not have the Content-Length header field populated If the suspect is aware of this data point, the integer value in the Content-Length header …

Following The RTM: Forensic Examination Of A Computer Infected With A Banking Trojan

by Oleg Skulkin Researchers became aware of the activities of the RTM group in December 2015. Since then, phishing emails distributing the trojan have been sent to potential victims with admirable persistence. From September to December 2018 the RTM group sent out more than 11,000 malicious emails. The cybercriminals, however, are not going to stop …

Walkthrough: Carving With Belkasoft Evidence Center

by Yuri Gubanov, Danil Nikolaev & Igor Mikhailov © Belkasoft Research Carving is an irreplaceable technique widely used in data recovery and digital forensics. By using carving, we essentially perform a low-level scan of media for various artifacts, looking for signatures—specific sequences of bytes, characteristic of different types of data. This also means that carving …

Using The Content-Length Header Field In Email Forensics

by Arman Gungor As forensic examiners, we often have to analyze emails in isolation without the benefit of server metadata, neighbor messages, or data from other sources such as workstations. When authenticating an email in isolation, every detail counts—we review a long list of data points such as formatting discrepancies within the message body, dates hidden in …

How To Install And Use The Optional Thunderbolt I/O Card On Logicube’s Falcon-NEO

Welcome to Logicube’s tutorial on the optional Thunderbolt I/O card on the Forensic Falcon-NEO. In this session, we’ll show you how to install and use this card. The optional Thunderbolt I/O card connects directly to Falcon-NEO’s source or destination I/O card ports. This card allows you to image directly to or from Thunderbolt USB C, …

Email Forensics: Investigation Techniques

by Chirath De Alwis Due to the rapid spread of internet use all over the world, email has become a primary communication medium for many official activities. Not only companies, but also members of the public tend to use emails in their critical business activities such as banking, sharing official messages, and sharing confidential files. However, …

Scene Of The Crime: You’ve Found A Drone. What Do You Do?

by Lee Reiber, COO, Oxygen Forensics, Inc. The proliferation of recreational drones and their impact on digital incident response has dramatically increased during the last several years. In January 2018, Nextgov stated the U.S. Federal Aviation Administration (FAA) reported over 1 million drone operators registered with the United States government. This number continues to grow …

How To: Multitask With Logicube’s Forensic Falcon NEO

Welcome to Logicube’s tutorial on the Forensic Falcon NEO. In this session we’ll show you how to multitask. For this tutorial I have connected the Falcon NEO to a network, and from a PC on the same network I’ve logged into the unit using a web browser so that I can operate remotely. I’ve already …

How To: Integrate LACE Carver With Griffeye Analyze DI Pro

Let’s talk about the exciting new LACE Carver Integration with Analyze DI Pro. Once you have the proper license, you can head over to your Downloads page on MyGriffeye.com and go to the LACE Carver download. Once the app package has been downloaded, we can go back to Griffeye and install it under Settings, Plugins, …

Forensic Analysis Of The μTorrent Peer-to-Peer Client In Windows

by Michael R. Godfrey The μTorrent software client is the most popular BitTorrent peer-to-peer software application worldwide [1]. Contraband files such as copyrighted movies and music, child pornography and pirated content, are frequently acquired through the peer-to-peer (P2P) file sharing protocol BitTorrent. This research will include the digital forensic analysis of the μTorrent client, specifically, the …

Word Forensic Analysis And Compound File Binary Format

by Arman Gungor Microsoft Word forensic analysis is something digital forensic investigators do quite often for document authentication. Because of the great popularity of Microsoft Office, many important business documents such as contracts and memoranda are created using Word. When things go south, some of these documents become key evidence and subject to forensic authentication. My goal …