Forensics 101

This category contains 65 posts

Finding Metasploit’s Meterpreter Traces With Memory Forensics

by Oleg Skulkin & Igor Mikhaylov Metasploit Framework is not only very popular among pentesters, but is also quite often used by real adversaries. So why is memory forensics important here? Because Meterpreter, for example – an advanced, dynamically extensible Metasploit payload – resides entirely in the memory and writes nothing to the victim’s drive. In … Continue reading

Jailbreaking iOS 11 And All Versions Of iOS 10

by Oleg Afonin, Mobile Product Specialist at ElcomSoft Jailbreaking iOS is becoming increasingly difficult, especially considering the amounts of money Apple and independent bug hunters are paying for discovered vulnerabilities that could lead to a working exploit. Late last year, a bug hunter at Google’s Project Zero discovered one such vulnerability and developed and published an … Continue reading

Oxygen Drone Forensics – How To Deal With A New Threat

Not too long ago, when drones were discussed we would often think of military use or large commercial applications. Today, however, drones are in the hands of hobbyists who frequently use the devices for taking aerial pictures and shooting unique video footage. Not to mention law enforcement use them to monitor … Continue reading

Evidence Acquisition Using Accessdata FTK Imager

by Chirath De Alwis Forensic Toolkit or FTK is a computer forensics software product made by AccessData. This is a Windows-based commercial product. For forensic investigations, the same development team has created a free version of the commercial product with fewer functionalities. This FTK Imager tool is capable of both acquiring and analyzing computer forensic … Continue reading

Bruteforcing Linux Full Disk Encryption (LUKS) With Hashcat

by Patrick Bell This walk-through will show you how to brute-force LUKS volumes using hashcat, how you can mount a LUKS partition, and how we can image it once it’s decrypted. Scenario: You’ve got a MacBook in. macOS has been removed and Debian 9.0 has been installed. The suspect is using LUKS (Linux Unified Key … Continue reading

Techno Mode – The Fastest Way To Access Digital Evidence On Damaged SSDs

by Roman Morozov, NAND Data Recovery Tutor, ACE Lab Recent statistics show that solid-state drives are getting a good share of the market of storage devices. And the popularity of SSDs is only expected to grow. There is already a large number of little-known manufacturers, who cut corners on parts of their drives. As a result, … Continue reading

Memory Dump Formats

by Chirath De Alwis As with other storage devices, volatile memory also has several formats. Depending on the acquisition method in use, the captured file format can vary. According to (Ligh et al, 2018) the most commonly used memory dump formats are: RAW memory dump. Windows crash dump. Windows hibernation files. Expert witness … Continue reading

Detection Of Backdating The System Clock In MacOS

by Oleg Skulkin & Igor Mikhaylov Recently we received a good question from one of our DFIR mates: “How can one detect backdating of the system clock forensicating macOS?”. This is a really good question, at least for us, so we decided to research it. If we are talking about Windows system clock backdating there … Continue reading

Imaging Locked Motorola Devices Via Bootloader Exploit

Last-generation Android devices are gradually getting more secure, even approaching iOS-grade security in some usage scenarios. Equipped with fingerprint readers and compulsory encryption of the data partition, Android smartphones became a much tougher acquisition target compared to just a couple of years ago. In this world of increasing security, security firms go out of their … Continue reading

The CSI Effect – Expectations Vs Limitations

by James Zjalic Much has been written about the CSI phenomenon within digital forensics circles, but is there a way we as experts can reduce this effect, maybe not globally but at least amongst our own clients? In just the last couple of weeks, I’ve had requests to enhance a speaker on the other end … Continue reading

Windows Drive Acquisition

by Oleg Skulkin & Scar de Courcier Before you can begin analysing evidence from a source, it first of all needs to be imaged. This describes a forensic process in which an exact copy of a drive is made. This is an important step, especially if evidence needs to be taken to court, because forensic … Continue reading

New Security Measures In iOS 11 And Their Forensic Implications

by Oleg Afonin, Elcomsoft Apple is about to launch its next-generation iOS in just a few days. Researching developer betas, we discovered that iOS 11 implements a number of new security measures. The purpose of these measures is better protecting the privacy of Apple customers and once again increasing security of device data. While some … Continue reading

An Introduction To Challenges In Digital Forensics

by W. Chirath De Alwis Digital forensics is a technique for the identification of computer-based crimes. But digital forensics faces a few major challenges when it comes to conducting investigations. According to Fahdi, Clarke & Furnell (2013), the challenges of digital forensics can be categorized into three parts. Technical challenges – e.g. differing media formats, … Continue reading

RAM Forensic Analysis

by Eliézer Pereira 1 Goal The purpose of this article is to show how to perform a RAM memory forensic analysis, presenting some examples of information that can be retrieved and analyzed to help identify indications of security incidents as well as fraud and other illegal practices through information systems. 2 Good Practices and Techniques for Computer … Continue reading

An Introduction To Theft Of Trade Secrets Investigations

by Laurence D. Lieb, Managing Director, HaystackID. The subjects we will be covering include: Defining When One Should Reasonably Panic Reasonable Triage Steps to Take in Order to Identify if There is Only Smoke or an Actual Fire The Importance of Defining “Win” Upfront and the Avoidance of Mission Creep Definition and Identification of trade … Continue reading
