archives

Forensics 101

This category contains 74 posts

Memory Dump Formats

by Chirath De Alwis As in other storage devices, volatile memory also has several formats. According to the acquisition method that is in use, the captured file format can be vary. According to (Ligh et al, 2018) the most commonly used memory dump formats are: RAW memory dump. Windows crash dump. Windows hibernation files. Expert witness … Continue reading

Detection Of Backdating The System Clock In MacOS

by Oleg Skulkin & Igor Mikhaylov Recently we received a good question from one of our DFIR mates: “How can one detect backdating of the system clock forensicating macOS?”. This is a really good question, at least for us, so we decided to research it. If we are talking about Windows system clock backdating there … Continue reading

Imaging Locked Motorola Devices Via Bootloader Exploit

Last-generation Android devices are gradually getting more secure, even approaching iOS-grade security in some usage scenarios. Equipped with fingerprint readers and compulsory encryption of the data partition, Android smartphones became a much tougher acquisition target compared to just a couple of years ago. In this world of increasing security, security firms go out of their … Continue reading

The CSI Effect – Expectations Vs Limitations

by James Zjalic Much has been written about the CSI phenomenon within digital forensics circles, but is there a way we as experts can reduce this effect, maybe not globally but at least amongst our own clients? In just the last couple of weeks, I’ve had requests to enhance a speaker on the other end … Continue reading

Windows Drive Acquisition

by Oleg Skulkin & Scar de Courcier Before you can begin analysing evidence from a source, it first of all needs to be imaged. This describes a forensic process in which an exact copy of a drive is made. This is an important step, especially if evidence needs to be taken to court, because forensic … Continue reading

New Security Measures In iOS 11 And Their Forensic Implications

by Oleg Afonin, Elcomsoft Apple is about to launch its next-generation iOS in just a few days. Researching developer betas, we discovered that iOS 11 implements a number of new security measures. The purpose of these measures is better protecting the privacy of Apple customers and once again increasing security of device data. While some … Continue reading

An Introduction To Challenges In Digital Forensics

by W.Chirath De Alwis Digital forensics is a technique in the identification of computer based crimes. But digital forensics faces a few major challenges when it comes to conducting investigations. According to Fahdi, Clarke & Furnell (2013), th challenges of digital forensics can be categorized into three parts. Technical challenges – e.g. differing media formats, … Continue reading

RAM Forensic Analysis

by Eliézer Pereira 1 Goal The purpose of this article is show how to perform a RAM memory forensic analysis, presenting some examples of information that can be retrieved and analyzed to help identify indications of security incidents as well as fraud and other illegal practices through information systems. 2 Good Practices and Techniques for Computer … Continue reading

An Introduction To Theft Of Trade Secrets Investigations

by Laurence D. Lieb, Managing Director, HaystackID. The subjects we will be covering include: Defining When One Should Reasonably Panic Reasonable Triage Steps to Take in Order to Identify if There is Only Smoke or an Actual Fire The Importance of Defining “Win” Upfront and the Avoidance of Mission Creep Definition and Identification of trade … Continue reading

Internet Of Things Mobility Forensics

by K M Sabidur Rahman & Matt Bishop (University of California Davis) and Albert Holt (NSA) Abstract The Internet of Things (IoT) comes with great possibilities as well as major security and privacy issues. Although digital forensics has long been studied in both academia and industry, mobility forensics is relatively new and unexplored. Mobility forensics deals … Continue reading

Asking A VPS To Image Itself

by Chris Cohen There is a Linux Virtual Private Server (VPS) that you have been tasked to collect using a forensically sound method while ensuring confidentiality, integrity and availability. You have the password for a user who has ssh access to a shell account on that VPS and the user is in the super user … Continue reading

Samsung sBrowser – Android Forensics: A Look Into The Cache Files

by Robert Craig and Michael Lambert Abstract Samsung devices are a large portion of the Android OS market.  Samsung has its own Internet Browser, “sbrowser”, installed onto their devices.  All web browsers leave artifacts from user activity.  The “sbrowser” cache files were similar to other browsers.  An embedded source URL gave insight where the cached … Continue reading

Unlocking The Screen of an LG Android Smartphone with AT Modem Commands

by Oleg Davydov, CTO, Oxygen Forensics Modern smartphones are much more than just a device for voice calls. Now they contain a lot of personal data – contact list, communication history, photos, videos, Geo tags etc. Most smartphones can also work as a modem. Almost every modem is Hayes-compatible which means it supports commands of the … Continue reading

Mobile Forensics Monkey Wrench: iOS 10.2 and Encryption

by Patrick Siewert, Pro Digital Forensic Consulting It’s not secret to those involved in the study and practice of mobile forensics that Apple likes to throw us curve balls with almost every new iteration of the iOS operating system. It turns out, iOS 10.2 is no different (released December 12, 2016). A conversation began recently … Continue reading

Windows 10 PE for Digital Forensics

by Robin Brocks, IT Forensic Expert and Incident Responder Only a few years ago, it was a real pain creating a portable Windows on CD/ DVD or thumb drive, because the Operating System was not prepared to run on those media. There have been numerous projects and volunteers, like BartPE or the WindowsFE (Forensic Edition), to … Continue reading

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,152 other followers