archives

Forensics 101

This category contains 68 posts

Apple iPhone Forensics: Significant Locations

by Patrick Siewert, Principal Consultant, Pro Digital Forensic Consulting I recently attended a conference of civil litigators in Virginia. During the cocktail hour and after a very interactive CLE presentation on “Leveraging Data in Insurance Fraud Investigations”, I was talking with a few attendees about the different types of data available to them in their … Continue reading

Digital Forensics Resources

by Scar de Courcier One of the most frequent questions I’m asked by digital forensics students is about resources: where can they go to continue learning, where can they find out more about the industry, what are the best blogs and social accounts out there for DFIR people? The below is by no means an … Continue reading

Searching And Filtering Emails When Forensically Collecting Mailboxes

by Arman Gungor When mailboxes are forensically preserved for eDiscovery or digital forensic investigations, their contents are almost always searched and filtered. Filtering emails helps overcome time, scope and cost constraints and alleviates privacy concerns. There are two main ways of filtering emails—before and after the forensic acquisition. Each method has its pros and cons, … Continue reading

Finding Metasploit’s Meterpreter Traces With Memory Forensics

by Oleg Skulkin & Igor Mikhaylov Metasploit Framework is not only very popular among pentesters, but is also quite often used by real adversaries. So why is memory forensics important here? Because Meterpreter, for example – an advanced, dynamically extensible Metasploit payload – resides entirely in the memory and writes nothing to the victim’s drive. In … Continue reading

Jailbreaking iOS 11 And All Versions Of iOS 10

by Oleg Afonin, Mobile Product Specialist at ElcomSoft Jailbreaking iOS is becoming increasingly difficult, especially considering the amounts of money Apple and independent bug hunters are paying for discovered vulnerabilities that could lead to a working exploit. Late last year, a bug hunter at Google’s Project Zero discovered one such vulnerability and developed and published an … Continue reading

Oxygen Drone Forensics – How To Deal With A New Threat

It was not too long ago when drones were discussed we would often think of military use or large commercial type applications. However, today drones are now in the hands of hobbyists who frequently use the devices for taking aerial pictures and shooting unique video footage. Not to mention law enforcement use them to monitor … Continue reading

Evidence Acquisition Using Accessdata FTK Imager

by Chirath De Alwis Forensic Toolkit or FTK is a computer forensics software product made by AccessData. This is a Windows based commercial product. For forensic investigations, the same development team has created a free version of the commercial product with fewer functionalities. This FTK Imager tool is capable of both acquiring and analyzing computer forensic … Continue reading

Bruteforcing Linux Full Disk Encryption (LUKS) With Hashcat

by Patrick Bell This walk-through will show you how to Bruteforce LUK volumes using hashcat, how you can mount a LUK partition, and how we can image it once it’s decrypted. Scenario: You’ve got a Macbook in. MacOS has been removed and Debian 9.0 has been installed. The suspect is using LUKS (Linux Unified Key … Continue reading

Techno Mode – The Fastest Way To Access Digital Evidence On Damaged SSDs

by Roman Morozov, NAND Data Recovery Tutor, ACE Lab Recent statistics show that solid-state drives are getting a good share of the market of storage devices. And the popularity of SSDs is only expected to grow. There is already a large number of little-known manufacturers, who cut corners on parts of their drives. As a result, … Continue reading

Memory Dump Formats

by Chirath De Alwis As in other storage devices, volatile memory also has several formats. According to the acquisition method that is in use, the captured file format can be vary. According to (Ligh et al, 2018) the most commonly used memory dump formats are: RAW memory dump. Windows crash dump. Windows hibernation files. Expert witness … Continue reading

Detection Of Backdating The System Clock In MacOS

by Oleg Skulkin & Igor Mikhaylov Recently we received a good question from one of our DFIR mates: “How can one detect backdating of the system clock forensicating macOS?”. This is a really good question, at least for us, so we decided to research it. If we are talking about Windows system clock backdating there … Continue reading

Imaging Locked Motorola Devices Via Bootloader Exploit

Last-generation Android devices are gradually getting more secure, even approaching iOS-grade security in some usage scenarios. Equipped with fingerprint readers and compulsory encryption of the data partition, Android smartphones became a much tougher acquisition target compared to just a couple of years ago. In this world of increasing security, security firms go out of their … Continue reading

The CSI Effect – Expectations Vs Limitations

by James Zjalic Much has been written about the CSI phenomenon within digital forensics circles, but is there a way we as experts can reduce this effect, maybe not globally but at least amongst our own clients? In just the last couple of weeks, I’ve had requests to enhance a speaker on the other end … Continue reading

Windows Drive Acquisition

by Oleg Skulkin & Scar de Courcier Before you can begin analysing evidence from a source, it first of all needs to be imaged. This describes a forensic process in which an exact copy of a drive is made. This is an important step, especially if evidence needs to be taken to court, because forensic … Continue reading

New Security Measures In iOS 11 And Their Forensic Implications

by Oleg Afonin, Elcomsoft Apple is about to launch its next-generation iOS in just a few days. Researching developer betas, we discovered that iOS 11 implements a number of new security measures. The purpose of these measures is better protecting the privacy of Apple customers and once again increasing security of device data. While some … Continue reading

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,103 other followers