archives

Digital Forensics

This tag is associated with 66 posts

Techno Mode – The Fastest Way To Access Digital Evidence On Damaged SSDs

by Roman Morozov, NAND Data Recovery Tutor, ACE Lab Recent statistics show that solid-state drives are getting a good share of the market of storage devices. And the popularity of SSDs is only expected to grow. There is already a large number of little-known manufacturers, who cut corners on parts of their drives. As a result, … Continue reading

Memory Dump Formats

by Chirath De Alwis As in other storage devices, volatile memory also has several formats. According to the acquisition method that is in use, the captured file format can be vary. According to (Ligh et al, 2018) the most commonly used memory dump formats are: RAW memory dump. Windows crash dump. Windows hibernation files. Expert witness … Continue reading

Detection Of Backdating The System Clock In MacOS

by Oleg Skulkin & Igor Mikhaylov Recently we received a good question from one of our DFIR mates: “How can one detect backdating of the system clock forensicating macOS?”. This is a really good question, at least for us, so we decided to research it. If we are talking about Windows system clock backdating there … Continue reading

Charlatans In Digital Forensics

by James Zjalic There’s a topic that is rarely publicized in the world of digital forensics, but is well known to those within the field and stories are often traded between experts when they meet at conferences and conventions. That topic is charlatans. In my eyes, there are 3 types of charlatan: – The Innocent … Continue reading

The Necessity Of Developing A Standard For Exchanging A Chain Of Custody Of Digital Evidence Data

by Jasmin Cosic, Miroslav Baca & Peter Grd Abstract Today there is no criminal investigation that does not contain a digital dimension. A large number of criminal offenses, whether official investigations conducted by judicial bodies or corporate investigations, contain digital evidence, which in most investigations is key to the identification of perpetrators. Since the cyber … Continue reading

ISO 17025 For Digital Forensics – Yay Or Nay

by Robert Merriott “Much of the digital forensic community desires to have their evidence seen in court as forensically sound and bulletproof, yet do not want to go through the rigors that other traditional forensic sciences have done to prevent evidence spoliation and other mishandling and misinterpretations.” ~ Josh Moulin, Deputy Chief Information Officer, US Federal Government, … Continue reading

Job Hunting In The DFIR Field

by Jessica Hyde, Magnet Forensics For those who don’t know, in addition to my work at Magnet Forensics, I teach Mobile Device Forensics at George Mason University. In addition to teaching the skills necessary to acquire and parse data from mobile devices, I attempt to share information that will be useful to my students who … Continue reading

Imaging Locked Motorola Devices Via Bootloader Exploit

Last-generation Android devices are gradually getting more secure, even approaching iOS-grade security in some usage scenarios. Equipped with fingerprint readers and compulsory encryption of the data partition, Android smartphones became a much tougher acquisition target compared to just a couple of years ago. In this world of increasing security, security firms go out of their … Continue reading

The CSI Effect – Expectations Vs Limitations

by James Zjalic Much has been written about the CSI phenomenon within digital forensics circles, but is there a way we as experts can reduce this effect, maybe not globally but at least amongst our own clients? In just the last couple of weeks, I’ve had requests to enhance a speaker on the other end … Continue reading

Windows Drive Acquisition

by Oleg Skulkin & Scar de Courcier Before you can begin analysing evidence from a source, it first of all needs to be imaged. This describes a forensic process in which an exact copy of a drive is made. This is an important step, especially if evidence needs to be taken to court, because forensic … Continue reading

Linux Memory Forensics: Dissecting the User Space Process Heap

by Frank Block and Andreas Dewald Abstract The analysis of memory during a forensic investigation is often an important step to reconstruct events. While prior work in this field has mostly concentrated on information residing in the kernel space (process lists, network connections, and so on) and in particular on the Microsoft Windows operating system, this … Continue reading

Focused Digital Forensic Methodology

by Haider H. Khaleel Abstract Since the end of the 19th Century until the current time, law enforcement has been facing a rapid increase in computer-related crimes. In the present time, digital forensics has become an important aspect of not only law enforcement investigations, but also; counter-terrorism investigations, civil litigations, and investigating cyber-incidents. Due to … Continue reading

Imm2Virtual: A Windows GUI To Virtualize Directly From Disk Image File

This is a Windows 64 bit GUI for a procedure to virtualize your EWF(E01), DD(Raw), AFF disk image file without converting it, directly with VirtualBox. It is forensically proof. Continue reading

Digital Forensics: Iron Bars, Cement And Superglue

by James Zjalic When most people think of digital forensics they think of CSI Miami: hackers in hoodies and Mission Impossible type biometrics. But under the superficial exterior, there is a framework of laws, regulations, best practices, guidelines, and standards surrounding digital forensics which holds the field together. This framework has never been under as … Continue reading

Cellular GPS Evidence: Waze + Cellebrite + CellHawk

by Patrick Siewert, Principal Consultant, Pro Digital Forensic Consulting It’s becoming common knowledge that location evidence on cellular devices can provide a wealth of evidence in any number of civil, criminal and investigative matters. Law enforcement agencies use cellular location evidence from service providers to help place a criminal suspect at or near a crime … Continue reading

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,057 other followers