I'm fairly sure that's pihole looking for updates.
You'll find all those names as SourceForge mirror providers
They are all resolving for me. They just aren't meant to be used as the website, and redirect you to sourceforge.net
A lot of ad-blocker lists are stored and maintained there. So access to those addresses is reasonable.
The homeassistant thingy seems to have a presence on sourceforge as well
Try looking for mention of those addresses on your systems.
grep -r "dl.sourceforge.net" /etc/
I always mess up grepping, so maybe check if that command is correct; that is coming from the top of my head.
If you want to hide your tracks, you would be better off using a Linux LiveCD like Tails.
Everything is tunnelled through ToR by default (be sure to read up on the security pitfalls first), and the version of FF that comes with it also uses the HTTPSEverywhere add-on.
Always ensure you do a clean shutdown so Tails can do a RAM wipe, which can help defend against Cold Boot Attacks.
If you need to store anything, use an encrypted MicroSD card. Why MicroSD? You can easily swallow them in a hurry, and they are small enough to pass through with little discomfort.
Just try and buy yourself some time first, possibly by barricading the door.
One more thing: As convenient as they are, avoid using Tails as a LiveUSB. It's probably just me being paranoid, but a USB stick is a read/write medium. There is always a chance that something could be written to it that could incriminate you in some way. Always burn Tails to a write once CD... Yes it's a little slower, but what do you want, speed or safety?
If you have physical access to the box you should be able to chat with the i2c bus using DDC over VGA/HDMI/DVI-*, which, depending on the platform, may allow you to access the memory directly. Here is a breakout board designed for talking i2c over VGA. In order for this to work, though, you would need to know the address of the memory controller, and it would need to support certain features. It would also have to share the i2c bus, which is unlikely.
Some connectors such as thunderbolt expose the PCI bus.
You could also try and get a shell some other way.
Check the VT's (Usually switchable with Ctrl+Shift+F1-24) and see if there is an open shell on any.
Failing that you could also try and see if there is a console on the serial line, which I doubt.
Depending on the version of Unity, this bug may not be patched.
You can also try Ctrl+Alt+NumpadMultiply. But I doubt that will work.
Everything below assumes Linux and a terminal.
Use linux to dd an image to a disk with enough free space for the whole disk being copied.
dd if=/dev/sdb of=/home/username/Desktop/diskimage.iso
where /dev/sdb is your disk and can be determined by
df -h or
fdisk -l
and looking for the right details.
I'd recommend reading the man page for dd as there are options for handling bad block errors and other disk issues.
Then use Foremost to scan the disk image for all files.
It can take a bit of tweaking to get Foremost to get all the files you want but it will recover anything that looks like a readable file.
If it recovers video, be sure to check the whole video as it sometimes can mash 2 different mpeg file together into one file.
All of the windows or osx based file recovery software tools are rubbish and rarely work on truly screwed up filesystems.
Foremost is designed to recover files from intentionally ruined filesystems and is able to reconstruct partial files.
Use XnView and VideoLan to play/check partial media files. Documents can be touch and go as there is so much variation in each formats error handling.
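As an added illustration of what dd's bad-block options do (this is example code, not the commenter's, and the "disk" it reads is a constructed in-memory stand-in with one simulated unreadable sector): a block-by-block copy with the semantics of conv=noerror,sync, plus the image hash you record next to the bad-sector log so the image can be verified later.

```python
import hashlib
import io

SECTOR = 512


class FlakySource:
    """Constructed stand-in for a disk with unreadable sectors (not a real
    device): a read that starts in a listed sector raises OSError, much as a
    failing drive returns EIO to dd."""

    def __init__(self, data, bad_sectors):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_sectors)

    def seek(self, offset):
        self._buf.seek(offset)

    def read(self, n):
        sector = self._buf.tell() // SECTOR
        if sector in self._bad:
            raise OSError("simulated I/O error in sector %d" % sector)
        return self._buf.read(n)


def image_device(src, dst, block_size=SECTOR):
    """Block-by-block copy with the behaviour of dd conv=noerror,sync: a block
    that fails to read is logged and written out as zeros, so every later
    block keeps its original offset in the image. Returns the unreadable
    offsets; dst receives the image bytes."""
    bad_offsets = []
    offset = 0
    while True:
        src.seek(offset)            # explicit seek: a failed block is skipped, not retried forever
        try:
            chunk = src.read(block_size)
        except OSError:
            bad_offsets.append(offset)
            chunk = b"\x00" * block_size
        if not chunk:
            break                   # end of device
        dst.write(chunk)
        offset += block_size
    return bad_offsets


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire(src):
    """Image src and return (image_bytes, bad_offsets, sha256 of the image).
    The image hash is what gets recorded with the bad-sector log: a source
    with failing sectors cannot be re-read to a reproducible hash."""
    dst = io.BytesIO()
    bad = image_device(src, dst)
    image = dst.getvalue()
    return image, bad, sha256_hex(image)


def verify_image(image, recorded_hash):
    """Re-hash an image and compare it with the hash recorded at acquisition."""
    return sha256_hex(image) == recorded_hash


def demo():
    # Constructed 8-sector "disk" (4096 bytes) whose sector 3 is unreadable.
    data = bytes(range(256)) * 16
    image, bad, digest = acquire(FlakySource(data, bad_sectors=[3]))
    return image, bad, digest, data
```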
Get YUMI, then boot to any of these anti-virus/anti-malware ISOs:
Acronis Antimalware CD
AOSS (Malware Scanner) system\stage1
AVG Rescue CD (Antivirus Scanner)
AVIRA AntiVir Rescue CD (Virus Scanner) ; does install to root of drive
Bitdefender Rescue Disk (Antivirus Scanner)
Comodo Rescue Disk (Antivirus Scanner)
Dr.Web Live CD ; does install to root
F-Secure Rescue CD
GDATA Rescue CD
Kaspersky Rescue Disk (Antivirus Scanner)
Panda SafeCD
Windows Defender Offline
I've had plenty of cases where a phone had never been connected to a PC other than to charge. So yes, as you said, if their opsec is at least a little thought out, they'd minimize any foot prints on other devices.
I guess going to apple (chances seem high this is an iPhone) for their account would work to a degree, but we are assuming they at least have an Apple ID to connect with the phone, maybe via IMEI (or if they had sync'd to a PC of course). Apple has become rather tight lipped about users data stored on their end as I recall though since iOS 9 (or 8?) stating it's encrypted there..... but wait... (a little googling before saving this found this article, https://theintercept.com/2014/09/22/apple-data/ )
I am going to consider the feebie's nerds have sat around and had this very discussion we are, with more facts and less assumptions, and must have come up somewhat short.
I'll point out that if they somehow got a rootkit on your machine they'll have your banking credentials, and are simply waiting for you to supply your mobile credential.
Think of yourself walking into a bank vault, and then going to your safe deposit box (which requires a bank employee to assist in opening), and without realizing it there was this guy getting a piggy back ride on your back the whole time. You and the bank employee unlocked the box just for him, and he takes your stuff and runs out (and he's invisible, lol).
While it's certainly encouraged, multi-factor authentication is not a panacea of security. And I'm not just making this up.
Sorry I left you hanging there, I had some urgent things to do.
I assume you still have a functioning PC at your disposal.
Download TestDisk and do a deep scan. It should pick up your missing filesystem. This is a very straightforward explanation of how to use it.
Post here if you have any questions.
If they're all getting the same results, the likely issue is bad sectors. The data that was on those sectors is likely no longer there, because the sector is not readable. Also, sometimes, though not often, it just may take a few more tries for a sector to be read before it'll work again correctly and return a result. Some forensic software isn't designed to keep trying to read a sector; some of them, and I wish I knew exactly which ones, will only make a few attempts to read it and move on. The rapidspar, which I happen to have, does just this. It'll dig into sectors and keep digging, but I'm unaware of the results of what happens when sectors are tried over and over again to be read; I'm assuming they'll fail eventually and the data there is lost forever.
There is an open source software out there for photo recovery. I believe it'll carve out what's needed to get it done. Others here have used it, I believe, but I have not needed it yet, thankfully. Try this
If it doesn't work, PM me and I'll be curious to see if my rapidspar would be able to help you out.
Good luck.
You should be able to use photorec to recover photos from your SDCard. It will carve out any pictures it can find, you might have some you've deleted on purpose and some that are corrupt, but you should get most if not all back.
I rely on my cell phone's clock. It is set from the carrier, and they track activity to a small fraction of a second.
If that is not enough, you can use "ClockSync". It can verify the setting to a thousandth of a second.
Most newer cell towers self sync through GPS.
I can't say for sure because their software is closed source and they don't advertise exactly how their software works, but I would bet money that it just does some fairly simple wiping algorithms.
SSDs are a little different and I've never had to work with recovering data from them, but this article tells you why standard disk wiping techniques don't work (and a way to wipe an SSD).
Regshot is a good tool for watching the registry changes and is what I'd likely use to monitor that side. Combine that with CaptureBAT as noted by /u/wzr as well (it still works in 32 bit Windows 7 and 8) and you'll probably see what you are looking for without much difficulty.
Another option would be to monitor the install process with Process Monitor, export the session to .csv, and import into Procdot for a handy flowchart.
You could also try to dig up an old copy of Installwatch Pro and see if it will still work.
Create a file listing, including hashes, of all files on the image. I think FTK imager may do this? Otherwise you can script TSK to do it for you. Autopsy may be able to as well. You can then created another file listing when you come back. You will probably have to do some vlookup magic in excel, but you should be able to filter out any files with the same path, name, and hash value. What is left will be any files that were renamed, moved, changed, created, or deleted.
Use TSK to extract the $logfile, $MFT, and $USN files from the image when you return, and parse them with https://www.gettriforce.com/product/anjp-free/.
Use https://sourceforge.net/projects/regshot/ to compare your registry before and after.
Use Log2Timeline and Plaso to create a timeline with the image after you return.
I assume you are doing all this because you are traveling internationally and are worried about getting hacked. If so, just do this:
Back up all your files to either network storage at your company or an offline external hard drive. Ideally, back up to both. Have IT issue you a new, freshly imaged laptop, or have them re-image yours. Restore to the new laptop just the files you need. When you get back, save any new or changed files you need to keep, and wipe the laptop. While abroad, follow basic security rules: don't run any programs you don't know, don't install programs unless you absolutely need to, don't access sensitive websites on unknown WiFi, try not to connect to WiFi at all. If you need internet, have your company buy you a hotspot that will work where you are traveling.
Just using an SSD would not make evidence from a system inadmissible in court. If you have an intact image of a machine there are still plenty of other points of evidence that would allow someone to be convicted of various cyber crimes.
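The before/after file listing described above, as an added example (not the commenter's script, and a plain substitute for the FTK Imager/TSK listing and the Excel lookups): hash every file under a root, then classify the differences between two listings as modified, created, deleted or moved, with the move detection labelled as the heuristic it is.

```python
import hashlib
import os


def file_listing(root):
    """Map each regular file under root (path relative to root) to its SHA-256."""
    listing = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            listing[rel] = h.hexdigest()
    return listing


def compare_listings(before, after):
    """Classify the differences between two path->hash listings.
    Same path and hash: unchanged (dropped). Same path, new hash: modified.
    Path only in `after` whose hash belonged to a path that has disappeared:
    moved/renamed (a heuristic: identical files, e.g. empty ones, share a
    hash). Any other path only in `after`: created. Anything left over from
    `before`: deleted."""
    result = {"modified": [], "created": [], "moved": [], "deleted": []}
    by_hash = {}
    for path, digest in before.items():
        by_hash.setdefault(digest, []).append(path)
    gone = set(before) - set(after)
    for path in sorted(after):
        digest = after[path]
        if path in before:
            if before[path] != digest:
                result["modified"].append(path)
            continue
        candidates = [p for p in by_hash.get(digest, []) if p in gone]
        if candidates:
            source = candidates[0]
            gone.discard(source)
            result["moved"].append((source, path))
        else:
            result["created"].append(path)
    result["deleted"] = sorted(gone)
    return result
```

Run file_listing on the mounted image before you leave and again when you return, save both (json.dump is enough), and feed them to compare_listings; $MFT, $LogFile and $UsnJrnl parsing as in the comment above then explains the entries this listing flags.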
Now if you had a single SSD drive system that had evidence on it, and you secure deleted the SSD by using either the secure delete tool that came with it or by using a livecd linux distro that had hdparm PartedMagic, then you would destroy most of the evidence on that machine. That does not mean that a cyber crime can't be determined by using other live memory, files, network logs, pcaps, or service history that can be extracted from another machine.
I have successfully found incriminating evidence on SSDs; the only thing that would be a potential issue is if I needed to carve deleted files out of unallocated space. But I would still have system memory, MFTs, system restore, and shadow copies etc. to work with (in the case of Windows hosts). Even then I could resort to more exotic methods of data extraction using tools such as these. Using an SSD does not make evidence on a system impossible to find or any less relevant as evidence.
I hope this clears things up a bit.
If you are looking for a simple GUI approach, checkout MantaRay which is bundled with SIFT 3. If you load a bitstream image or any single file into it, it will carve out matching files with foremost.
If you are interested in using the command line, checkout ExplainShell which is my favorite man page website for reference. If you want, you can even paste the below command in it and it will parse it telling you what each argument does (though it does not recognize the -t arg).
An example foremost command that would carve JPG and GIF from an image with 512 byte blocks is:
foremost -b 512 -d -o "/path/to/new/folder" -t jpg,gif -i "/path/to/image.001"
This lets you do reverse DNS lookups
The hostname itself will probably not help you at all though. Some are just gibberish, and you don't really need it to match an IP to an ISP
Agree with all. The moment windows recognizes the device registry changes begin to occur. See tools: http://www.nirsoft.net/utils/usb_devices_view.html http://www.woanware.co.uk/forensics/usbdeviceforensics.html
We're doing some cool things at Blumira...... feel free to ask me any questions. I'm not in sales/marketing but can always point you in that direction if you're interested (free demo/PoC, but not sure how long they last?)
I've also worked with several other log ingestion platforms if you have other questions :) (elk/splunk mostly)
Have you verified that the malware you are looking for is actually detected by the antivirus scanner?
I'm sure you already know this; it's far from all malware that is detected, and the same goes for the artefacts.
I would try to identify it, as mentioned, by mounting the E01. Then test it on malwr.com or virustotal.com (when possible), or simply create a hash value and check if it's known or if it's detected by other malware scanners. Then try to scan with the products that actually detect the malware.
A neat little trick is to collect all the artefacts from the malware and put them into a password-protected folder. That way you can securely store the malware.
If you then unzip this folder onto a test machine with the latest signatures from the vendor, you can verify whether all the artefacts are detected or not.
Hope this makes sense :)
Is the assignment to only look for 'malicious activity'? As that can be a bit broad if you're not sure what to look for specifically. (example: machine is sending out a lot of spam, malware downloading other files (GET or POST), ....)
Two things that can, in most cases, help what you're looking for is: NetworkMiner & NetworkTotal
Don't rely solely on those though; carve through the PCAP yourself (using Wireshark for example), filter packets which you think are interesting (for example only HTTP traffic) and create a new, smaller capture to be able to spot weird behaviour more easily.
If you want to get experience with a forensic tool suite like FTK or Encase, you might take a look at Autopsy. It is a free Windows forensic framework that has a lot of forensic functionality (hash databases, file recovery, file type mismatch identification, loading forensic image formats, etc). Give it a shot. http://www.sleuthkit.org/autopsy/index.php
If the drive was formatted as NTFS, you could try to manually recreate the partition using the NTFS backup VBR. However, since you tagged the post "noob question" I assume that you might not be comfortable with this option. If recovering the partition is not an option, I would go for photorec (http://www.cgsecurity.org/wiki/PhotoRec)
I have a couple Tableau T8u's and just use standard NVMe / M.2 USB adapters. I'm also a fan of ACASIS offline cloning dock as it allows imaging to a host SSD for testing and use. (Some things you just need a memory capture of...)
If you're simply asking for what NVMe/SSD/M.2/U.2 adapters aren't hot garbage... I think you listed the more reliable ones. Plenty of options that just cool garbage out there but YMMV (as well as your opinion.)
I use a combination of Bitlocker, Veracrypt and hardware-based encryption. For on-site client collections, I’ve started to use these:
CipherShield 256-bit AES USB-C... https://www.amazon.com/dp/B07S865CMD?ref=ppx_pop_mob_ap_share
I could recommend https://logseq.com for your cross-platform, offline notes. It's a bit similar to Obsidian, except its main focus is on daily journals.
In Obsidian, the smallest entity is a page, while in Logseq the entity is a block in a page. So you can scatter all your thoughts and notes in the journal, tag them appropriately and gather them later.
You're going to need a lot more software knowledge in digital forensics, and there are a lot of great books to get you started. Best if you start practicing on your own computer and smartphone to get some free experience using open source software. If it turns out you enjoy it, you might go for a certification.
Practicing your writing skills is important too as there are a lot of reports to write!
This book shows you a bunch of Linux command line tools and how to set up a test lab. Pricey on Amazon; you should be able to get a cheap used version somewhere or a PDF version. It's pretty old at this point.
Practical forensic imaging
https://www.amazon.com/Practical-Forensic-Imaging-Securing-Evidence/dp/1593277938
That sounds like you're more interested in .... well, motivational books, than those that deal with the real nitty gritty of the job.
Neil Barret's Traces of Guilt (https://www.amazon.com/dp/0552160458/ref=cm_sw_em_r_mt_dp_1PHBFS0BCFYJTZ43PRD2) might be a possibility. It has been criticized for being factually incorrect in places, but that, if correct, would probably be less important.
I used something like this, but mine was manual crank way back in the ps2 era for disks that I bought used that were in bad shape. As long as the scratches were shallow it worked wonders.
I use the below NVME dock combined with either a Weibetech USB writeblocker or my built in Tableau.
RIITOP NVMe to USB Docking Station, External M.2 PCI-e NVMe SSD to USB-C Reader Adapter for M.2 (M Key) NVMe SSD https://smile.amazon.com/dp/B089JXSMB8/ref=cm_sw_r_cp_api_i_M1TH58R8ZDGT2BKMCK2J?_encoding=UTF8&psc=1
If you have a computer you can boot to Paladin you won’t need a hardware writeblocker.
Look for what is needed in the industry.
I started with incident Response and advanced to forensics.
Start with GCIH; it will to some extent cover forensics.
And advance from there.
There are more companies that are in need of incident response than of forensics.
That's from a European perspective and of course my personal opinion.
Tip
Have a look at this book. It will cover the basics you need to advance.
https://www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684
like everything else, find what interests you and make it your own :)
As of Windows 10, Microsoft updated the underlying data structure of jump list files. The DestList stream has been updated (expanded) and now includes an access count for individual entries. Because of the change to the data structure, many existing tools fail to correctly parse Windows 10 jump lists. The authors of this research released a tool to accurately parse these files: https://sourceforge.net/projects/jumplistext/
Source: A forensic insight into Windows 10 Jump Lists, Bhupendra Singh*, Upasna Singh, Digital Investigation 17 (2016) 1-13 (Journal) http://www.sciencedirect.com/science/article/pii/S1742287616300202
I thought Valkyrie-X Security Research Group had already written about this last year. You can grab it here https://www.fbiic.gov/public/2011/jul/facebook_forensics-finalized.pdf or here https://sites.google.com/site/valkyriexsecurityresearch/announcements/facebookforensicspaperpublished
The latest version of ELK stack allows you to drag and drop log files in a familiar format straight into Kibana. ELK has really come a long way from the dark early days with logstash.
A php script that does this would be quicker than messing around with any programs in my opinion.
http://php.net/manual/en/book.exif.php
Those functions will work for jpegs/tiff.
http://stackoverflow.com/questions/2190236/how-can-i-read-png-metadata-from-php
That's not a bad solution for PNGs.
source: Used to manage TB of video and image content with all info stored in meta data.
The best way to get any job is to know someone. You should be connecting with the people and firms that do this kind of work both in areas like interns but also in hobbyist clubs. Look on meetup.com for any sort of sufficiently nerdy club. I probably wouldn't say too much about yourself.
Add this advice to cyb3rcheese's.
Yes, let's get this sorted out. Could we move this discussion over to the mailing list? https://groups.google.com/forum/#!forum/timesketch-users
I'll make sure you get up and running, and then fix the documentation :)
The Netgear N300 (WNR2000) should have a serial port labelled JP1 on the PCB. This may be useful to you:
You may have to solder a 4-pin header on there and will also require a serial to TTL adapter. I typically use a Bus Pirate for this but there's lots of options including using an Arduino if you have one kicking around. After that you'll be able to serial in to the device and continue your research!
Make sure your phone is an Android One, not just any Android. https://www.android.com/one/
Make sure you password-protect your screen lock, not with your fingerprint or your birth date.
Make sure to switch off the phone if Chinese authorities grab you while recording Hong Kong protests, otherwise they will just plug a device into the USB port and make a copy of everything while the phone is decrypted. I am just making a wild guess here about the possible use for that setup.
It doesn't really matter if the video is 1080p or 720p or 4K; this is not relevant.
my understanding is that this might work on older systems, but newer ones (kernel 2.6+) restricts or eliminates access to these locations.
> dd On Unix systems, the program dd can be used to capture the contents of physical memory using a device file (e.g. /dev/mem and /dev/kmem). In recent Linux kernels, /dev/kmem is no longer available. In even more recent kernels, /dev/mem has additional restrictions. And in the most recent, /dev/mem is no longer available by default, either. Throughout the 2.6 kernel series the trend has been to reduce direct access to memory via pseudo-device files. See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/. On Red Hat systems (and derived distros such as CentOS), the crash driver can be loaded to create a pseudo-device for memory access ("modprobe crash").
You could try this: https://www.systoolsgroup.com/outlook-pst-reporter.html
Or maybe something with python like here: https://www.safaribooksonline.com/library/view/learning-python-for/9781783285235/ch11.html (you'll need to buy the book).
I don't think you'll be able to get all of that info you are looking for just from email though.
There are also some other tools out there like Catelas and Intella which can do more but are not free.
ipinfo.io now. They have a good API and the ability to curl IPs easily (until you hit their max query) that return stuff in JSON format.
infosniper.net is my favorite, but they have a limit now of like 5 a day without being subscribed.
Personally I'd just plug it into EnCase at work and pull everything back, but as this is probably a home-user based question, I have previously used this with great (read 100%) success. Just don't install it to the USB drive you are trying to recover :-p
http://www.recovermyfiles.com/data-recovery-software-download.php
Software may be available on some kind of torrent-site type thing should you desire a full version ;)
Dang I thought it was in the title. Here ya go:
Writeup (slides): http://www.eweek.com/security/slideshows/caine-linux-distribution-helps-investigators-with-forensic-analysis.html
Download: http://www.caine-live.net/
You mention that you "have no way to connect the drive from the computer to your laptop". I would assume this means you don't have access to a write blocker?
You can still take a forensically sound image once you have collected the RAM and shut down the computer. You can boot to CD or USB using a Live CD like CAINE and guyimager: http://www.caine-live.net/page10/page10.html. This will mount the drive as Read Only to create a forensic image.
Once you have the image, work with that. However, keep in mind the other comments here regarding COC etc if there is even a remote chance this will end up in court.
One more option to check out:
https://twrp.me/devices/lgnexus5.html
Read up on TWRP. It functions similarly to a Linux boot cd allowing you to read the devices storage.
You may need an OTG cable since there is no SD card slot.
I just did a quick test with exif metadata tool. It'll pull metadata from doc / docx, and other Microsoft Office formats, as well. Well, it'll pull metadata from almost anything, then you could pipe out and handle removing other file types on the back end. There's also some conditional processing options as well.
Deft is typically my go-to for live booting. The other distros mentioned here will work just as well.
A big part of getting the distros to run live is properly preparing (burning) the disk/USB drive. I recently started using Etcher and I'm really liking it so far. https://etcher.io
Another neat one to look at is YUMI. It allows you to boot multiple Linux distros from one USB drive. https://www.pendrivelinux.com/yumi-multiboot-usb-creator/
This is an assignment I would give my new interns to do, it is a great exercise and definitely something a forensicator should know how to do. Good luck!
Sorry, sometimes I go down rabbit trails and forget the main point. The forensic accountant likes duplicate physical drives, not images. Physical device-to-device duplication using Guymager is faster on SATA connections than using a USB adapter, and Guymager makes a physical duplication including empty space and case management metadata.
It's also faster for quick and easy logical disk duplication using Clonezilla - not forensic duplication, no empty space and no metadata, just a quick operational hard drive clone for end users. I do a lot of mech drives to SSDs, which speeds up PCs and makes end users happy.
One more rabbit trail - when a drive starts having problems, losing sectors and so forth, Clonezilla has a repair feature that has rescued drives more than once for my clients. Very handy.
And Ventoy is the easiest to set up multiboot Live USB I've used. Set up the USB, then simply copy ISO files into the Ventoy folder.
https://www.ventoy.net/en/index.html
I've been thinking of using faces from https://thispersondoesnotexist.com/ to generate fake linkedin profiles for the next phishing test I run.
I'm trying to think of easily obtainable pictures that wouldn't show up on a tineye or Google images search. Are they modified in some way?
I cannot rate this course as I've not done it, but Cybrary does some excellent resources and at the end of the courses you get to do practice exams. The link: https://www.cybrary.it/course/computer-hacking-forensics-analyst/ Best of luck!
The broken symlink is the file that used to be there (the pyc). Sadly /proc/[pid]/fd is just a bunch of symlinks to open files rather than copies of them.
I believe your only possibility is to grab the pyc out of the running process' memory. If you create a pyc yourself you might be able to see the binary borders of the file and search through the memory to find it.
Alternatively just doing strings on the whole memory dump might help you find it.
Looks like this will be a good resource for how to actually perform the dump: http://serverfault.com/questions/173999/dump-a-linux-processs-memory-to-file
Started off at DataQuest.io and did the data analyst track, it taught me how to work with datasets, which are just spreadsheets essentially, and using python to read, edit, and save the files. I didn't go too full on with the data analysis, because you can start to learn how to build graphs and such with data but I wasn't too interested in that.
I bought a couple of courses off of Udemy.com which focused more on applications. My biggest tip is don't try and build something BIG right from the get go. Write small little scripts that do simple things because this is what bigger projects are based on, Example:
- A script that moves a text file from Folder A to Folder B,
- Similar, except make it open the text file first, if it has text, display the contents, then move it to Folder B, if its empty, do nothing.
So by that point I was familiar with handling data I was expecting, I then moved on to handling unknown data.
- Look inside a folder, if there are any text files in there open them and see what the text is, if the text meets a certain condition (contains a word, certain length, etc), move that file to a folder somewhere else, check to make sure that folder exists first, if it doesn't, make the folder then move the file.
And this is basically what I do at work except a bit more complex. I might get given 20Gb's of data that was stored on a company server that got hacked. I need to figure out what the data is, what's in the data, is the data confidential; if it is I need to extract the data and compile it all into a format I can hand back to the client so they can inform the owners of the data.
What's rotten regarding their alerts and correlations? They work fine for me.
Splunk has an add-on called Enterprise Security; it's a full-fledged SIEM. I don't put too much stock in Gartner, but they claim it's one of the highest rated ones out there.
Problem is it's not free.
IIRC Splunk has a free version (500 mb/day, self hosted) that you can play with. They also have three free beginner classes on log analysis: https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html
Not sure if this is the kind of thing you're looking for though.
https://dban.org/ will wipe the whole disk to a level of thoroughness that will thwart nation-states. Wiping isolated data is trickier, I wouldn't try so I don't know what's out there.
Most "secure erase" type programs can customize the pattern used to overwrite the deleted file space.
In particular, I'm thinking of the freeware program Eraser, which can use any custom pattern the user specifies:
This is a solid response. Is Eraser more thorough in your opinion? Can it overwrite all unallocated space? If not, what is the best?
Also just curious, is there a way for a consumer to obtain Magnet's software (IEF Or Axiom)? Is it any better than the other forensics software out there? The article depicts it like it can do things other forensics software can't.
> I have nothing to hide in terms of databases and other sensitive info they may be concerned about, but have had email correspondence (on my personal gmail account) with new business partners which I do not wish to be seen by my present organisation.
> My question is if I delete gmail from the laptop, as well as any other personal info I wish to keep private, will a forensic search of the laptop retrieve this?
Yes, unless you use ccleaner and then wipe the unallocated space (use https://eraser.heidi.ie/ for this). You must have administrative privileges to your drive.
What is the context of the question? How do you know a MAC address changed? Why is this change a concern? If you have 2 MAC addresses you can google them to see basic information about the device. https://www.wireshark.org/tools/oui-lookup.html
If the end header is intact, the files may be recoverable. Are you able to open up one of the 7z archives in a hex editor and check whether the end header is intact?
The example on this page explains process.
I'm not very savvy with CRC stuff, but yes, you need to modify the CRC value, as it uses CRC to confirm things were not screwed with, or someone isn't inserting a payload into a zip file.
Without wading through the entire source code, it looks like the link you provide to that txt file shows there are numerous CRC values throughout 7zip.
Given how they are distributed, I fear you may be looking at CRCs that match and are checked per block, IIRC how things work. Of course, the text is for 7.1 of 7Zip, so any newer versions or subversions may have altered this configuration.
I'm guessing you simply can't repackage the zip files to include your extra data?
Does your 7zip utility give you the option to repair the "damaged" file?
Also this may or may not help you locate the proper CRC values! It gets decently in depth, but I can't tell off the bat if this will help.
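An added example (not the commenters' code) of the check suggested above, so you can answer "is the end header intact?" without a hex editor: it reads the 32-byte 7z signature header, verifies its own CRC32, locates the end header from NextHeaderOffset/NextHeaderSize and verifies NextHeaderCRC over it. The sample archive is constructed here, not produced by 7-Zip, and its end header is placeholder bytes (a real one begins with 0x01, kHeader, or 0x17, kEncodedHeader).

```python
import struct
import zlib

SIGNATURE = b"7z\xbc\xaf\x27\x1c"
SIG_HEADER_LEN = 32


def check_7z(data):
    """Report on the integrity of a 7z archive given as bytes, using the
    format's own CRC32 fields. Layout of the signature header:
    bytes 0-5 signature, 6-7 version, 8-11 StartHeaderCRC (CRC32 of bytes
    12-31), 12-19 NextHeaderOffset (relative to byte 32), 20-27 NextHeaderSize,
    28-31 NextHeaderCRC. All integers little-endian."""
    report = {"signature_ok": False, "start_header_crc_ok": False,
              "end_header_present": False, "end_header_crc_ok": False,
              "reason": ""}
    if len(data) < SIG_HEADER_LEN or data[:6] != SIGNATURE:
        report["reason"] = "missing or truncated signature header"
        return report
    report["signature_ok"] = True
    (start_crc,) = struct.unpack_from("<I", data, 8)
    next_off, next_size, next_crc = struct.unpack_from("<QQI", data, 12)
    if zlib.crc32(data[12:32]) & 0xFFFFFFFF != start_crc:
        report["reason"] = "start header CRC mismatch"
        return report
    report["start_header_crc_ok"] = True
    end_start = SIG_HEADER_LEN + next_off
    end_stop = end_start + next_size
    if next_size == 0 or end_stop > len(data):
        # The typical "damaged archive" case: the file was cut short and the
        # end header (file names, sizes, CRCs) is gone or partial.
        report["reason"] = "end header missing or truncated (file too short)"
        return report
    report["end_header_present"] = True
    if zlib.crc32(data[end_start:end_stop]) & 0xFFFFFFFF != next_crc:
        report["reason"] = "end header CRC mismatch"
        return report
    report["end_header_crc_ok"] = True
    report["reason"] = "ok"
    return report


def build_sample_7z(packed, end_header):
    """Constructed minimal container for testing (not a 7-Zip product):
    signature header, then the packed bytes, then the end header, with the
    two CRC fields filled in correctly."""
    start_header = struct.pack("<QQI", len(packed), len(end_header),
                               zlib.crc32(end_header) & 0xFFFFFFFF)
    sig = SIGNATURE + b"\x00\x04" + struct.pack(
        "<I", zlib.crc32(start_header) & 0xFFFFFFFF)
    return sig + start_header + packed + end_header
```

For a file on disk, check_7z(open(path, "rb").read()) gives the verdict; when the reason is "end header missing or truncated", that is the case the comment above says may still be partially recoverable from the packed streams.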
I don't think they have hidden partitions, but if you want to be paranoid download GParted, delete the partition, reformat everything and create a new partition. https://gparted.org/
.BAK is just an extension, usually created as a backup to the original file. You can still read the file in an appropriate program.
After a quick search it appears that BES, BlackBerry Enterprise Server, uses Microsoft SQL as a database server. So, you would need a program to read an MS SQL database.
You could go through the hassle of mounting it to a SQL Server or use a free SQL Express, but I just did a quick search and found a SQL reader called RazorSQL
I have the data I need backed up offline. Also, if you read through the "ShellExecute('Powershell.exe'" command, you can piece through the setup of the scheduled task. It was indeed sitting there in the "Task Scheduler Library" exactly as the script had set it up. It was scheduled to run, but had not yet run. I don't think there's anything in the script that would have kicked it off immediately (though I'm still looking and learning about powershell commands and the one that makes me wonder is StartBoundary).
I think the interesting part here is whether or not the AutoIt3.exe script can be reverse engineered. FWIW, I wanted to investigate a little more about the AutoIt 3 scripting language, so I installed AutoIt v3. Indeed the exe file has the same CRC as the one from the malware package; as /u/LightningRurik suggested, "AutoIt is very likely just AutoIt". It is.
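As an added example (not from the thread), here is how to answer the two questions raised above straight from the task definition: what the scheduled task runs, and whether its `StartBoundary` could already have let it fire. Windows stores each registered task as an XML file under `C:\Windows\System32\Tasks`, so the same summary works on a file pulled from a disk image. The sample XML is constructed to match that schema; the script path in it is a placeholder, not anything from the malware discussed, and the two helper functions are hypothetical names.

```python
# Added example (not from the thread): summarize a Task Scheduler XML
# definition and decide which triggers could already have fired.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task modelled on the schema Windows writes. Note that
# real task files on disk are UTF-16; read them as bytes and let the parser
# honour the declaration. The script path here is a placeholder.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>SAMPLE\\user</Author></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2030-01-01T08:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>Powershell.exe</Command>
      <Arguments>-File C:\\PLACEHOLDER\\task.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""


def summarize_task(xml_text):
    """Pull triggers (type, StartBoundary, Enabled) and Exec actions out."""
    root = ET.fromstring(xml_text)
    triggers = []
    triggers_el = root.find("t:Triggers", NS)
    for trig in (triggers_el if triggers_el is not None else []):
        triggers.append({
            "type": trig.tag.split("}")[-1],
            "start_boundary": trig.findtext("t:StartBoundary", None, NS),
            "enabled": trig.findtext("t:Enabled", "true", NS) == "true",
        })
    actions = [
        {"command": ex.findtext("t:Command", "", NS),
         "arguments": ex.findtext("t:Arguments", "", NS)}
        for ex in root.iterfind(".//t:Actions/t:Exec", NS)
    ]
    return {"triggers": triggers, "actions": actions}


def triggers_that_could_have_fired(summary, now_iso):
    """Enabled triggers whose activation point is behind `now_iso`.
    A RegistrationTrigger fires as soon as the task is registered, so it
    is always reported. Other triggers cannot fire before their
    StartBoundary; an event-driven trigger with no StartBoundary is
    reported as well, since only the task history shows if its event came."""
    now = datetime.fromisoformat(now_iso)
    fired = []
    for trig in summary["triggers"]:
        if not trig["enabled"]:
            continue
        if trig["type"] == "RegistrationTrigger" or trig["start_boundary"] is None:
            fired.append(trig["type"])
        elif datetime.fromisoformat(trig["start_boundary"]) <= now:
            fired.append(trig["type"])
    return fired


if __name__ == "__main__":
    summary = summarize_task(SAMPLE_TASK_XML)
    print(summary)
    print(triggers_that_could_have_fired(summary, "2020-08-01T12:00:00"))
```

For a task seen "scheduled but not yet run", the thing to look for in the `<Triggers>` block is a `RegistrationTrigger` alongside the timed one; that is the element that would have kicked the action off the moment the script registered the task, regardless of `StartBoundary`.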
In F2FS, most likely not. F2FS has built in, idle "housekeeping" which runs in the background.
You can find earlier source code or more recent one online. Maybe review of it can give you some alternate ideas.
If you have the finances to back you, X1 Social Discovery is a decent program. It's awful at web capturing, however its metadata acquisition and social media utilities are pretty good. Keep in mind though, the software is super buggy, and requires a lot of hand-holding.
All my info is from 2014 when I got mine, but I did the official online course and the 2-part study guide that was included. There's also a third party study guide available.
The exam (at least, used to be, and I'm pretty sure still is) (1) an online, open-book multiple choice and after passing, (2) a practical examination of evidence and report written answering some 15 questions. The first part is very straightforward, the second much less so.
I would buy File System Forensic Analysis and read it a few times before even considering any certs. The book is like 15 years old at this point, but still a fantastic glimpse into forensics and how file systems work at the lowest level. Great primer for the field.
So many options! I would focus on learning Linux and Autopsy as well as you can. This will set the groundwork for a lot of future learning. You will need to know Windows well in order to be useful as well, so perhaps make investigations of Windows boxes using Autopsy running on Linux a plan? Trust me you will never run out of things to study when you start following the industry. Check out
https://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172
https://www.amazon.com/Windows-Forensics-Incident-Recovery-Harlan/dp/0321200985
Hopping between VPN providers every 2-4 hours is a very interesting strategy. If I may ask, why do you say every 2-4 hours? It seems like a relatively specific time frame.
I like your idea. Very creative. I am strongly considering implementing it once I do some more research. Thanks:)
EDIT: On second thought, switching between VPN providers every 2-4 hours wouldn't do anything because correlation attacks are done in real time, so an adversary can see the inbound/outbound connections to a VPN provider as the connections are made.
On another note....
This is part of an email I sent NordVPN explaining to a NordVPN rep that encryption doesn't stop correlation attacks. I'd like you to read it so you understand what I'm talking about :
" Passive traffic-analysis attacks/timing attacks/correlation attacks don't need to break the encryption to see packet sizes and also don't need to break the encryption for timing packets on inbound/outbound connections to NordVPN. For example, major law enforcement cyber crime units and Government organizations like NSA have a software program that allows them to gauge packet sizes and time packets on inbound/outbound connections to VPN providers like NordVPN.
No they can't read the traffic. But they can see the packet sizes and they can time the packets.
Here is a classic case: Jonathan Kalla who was an administrator of a darknet market (Wall Street Market) used an unknown VPN provider to mask his IP address and traffic. The German Federal Police uncovered his IP address by using a correlation attack."
//////////////////////////////////////////////////////////////////////////////////////////////////////
Most tell you that they don't, but no one really knows. There's NordVPN and its super secret audit, then there's the chance the soft phone connects whilst your VPN is not connected, or that your tunnel drops for some reason and your traffic hits the gateway outside of your VPN. Or that the app sends some sort of unique identifier to the VoIP gateway, or that you are profiled via non-technical means.
Or other things, but to be honest you come across as an arrogant douche bag when reading your replies to someone who didn't know the finer details of your setup as they had not been pre-shared. So good luck with whatever it is you are doing.
GCFA is not entry level. GBFA would be entry level for forensics. GCFE for Windows analysis. You've jumped into a medium-high difficulty exam. Kudos for getting so close though. NTFS: if you want more thorough knowledge on this, File System Forensic Analysis is a great book. File System Forensic Analysis https://www.amazon.com/dp/0321268172/ref=cm_sw_r_cp_api_i_VTDpFbK7KTWHY
Recommendation for Rule 6:
Required reading, short term (before asking a technical question): How To Ask Questions The Smart Way by Eric S. Raymond and Rick Moen at http://www.catb.org/~esr/faqs/smart-questions.html - keeping in mind some of the content may not be as relevant in 2020 as it once was, but most of it is.
Required reading, longer term (before getting in the habit of asking technical questions): The Demon-Haunted World: Science as a Candle in the Dark by Carl Sagan and Ann Druyan at https://www.amazon.com/Demon-Haunted-World-Science-Candle-Dark/dp/0345409469
These might be "big asks" in a lot of Subreddits, but since this is computer forensics...
Generally speaking, your IT background should allow you to get into an entry level forensic position (though there aren't a ton of those). Public sector would be your best chance, but as has been stated most of those positions are sworn if it isn't a large agency. At one training, as we discussed our backgrounds, an officer stated that he was sent because he was able to help the Chief at his agency put an icon on his desktop. A lot of it is push button with procedures being the thing we worry about most. It's the non-low-hanging fruit that will require some IT skill.
3 to 4 years of IT experience should get you an interview. From there I would just read up on forensics in general and not worry too much about certifications. Most are vendor specific and each department/company is going to dictate what you use and most likely pay to train you.
On the mobile side I would suggest this book:
I read the first edition and it was really spot on. Covers everything from seizing the device properly to performing an extraction and then presenting the data.
You should also start learning Python. The above book covers part of it and I use it almost daily to make things easier. Also, I build tools to help myself and other investigators so it is really a tool you should have in your arsenal.
Good luck!
Maybe try the one below:
https://www.amazon.com/Handbook-Digital-Forensics-Investigation-Eoghan/dp/0123742676
Well our system is integrated with Office365, so users can log into their email remotely from anywhere. It's our own exchange server, so we'd be able to look at our logs and everything but it might not resolve to much.
From above:
> Example with placeholder names:
> Alice & Bob are both employees using the same exchange server for their respective emails.
> &
> With Office365, either of them can work from home and still have full email access, just by going to Office365 and logging in with or .
> Bob, however, is older and insists on writing down passwords. The suspicion is that Alice found a sticky note with that information on it.
> Alice then went to Starbucks with her personal laptop (as in, not a company issued one). Then on that laptop, loaded up a VPN client (Private Internet Access, as that's the one I'm most familiar with), and then logged into Office365 as , using the written down password.
> It sounds like I'm SOL finding any evidence of what Alice may be doing. We'll have to set up something like your recommendation, to prevent future issues like this.
Yes and no.
Example with placeholder names:
Alice & Bob are both employees using the same exchange server for their respective emails.
&
With Office365, either of them can work from home and still have full email access, just by going to Office365 and logging in with or .
Bob, however, is older and insists on writing down passwords. The suspicion is that Alice found a sticky note with that information on it.
Alice then went to Starbucks with her personal laptop (as in, not a company issued one). Then on that laptop, loaded up a VPN client (Private Internet Access, as that's the one I'm most familiar with), and then logged into Office365 as , using the written down password.
It sounds like I'm SOL finding any evidence of what Alice may be doing. We'll have to set up something like your recommendation, to prevent future issues like this.
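As an added example (not from the thread), here is the kind of baseline-and-compare pass over sign-in records that the "set up something" remark above points at: learn which source IPs each account normally uses, then flag a login from an address the account has never used and, separately, two logins by one account from different addresses within a short window. The field names, the log lines and the cut-off date are constructed (RFC 5737 documentation addresses); a real feed would be the tenant's sign-in or mailbox audit export, and `detect` is a hypothetical name.

```python
# Added example (not from the thread): per-account source-IP baseline and
# two simple anomaly checks over constructed sign-in records.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ins, one JSON object per line.
SAMPLE_SIGNINS = """
{"time": "2020-08-03T08:58:00", "user": "bob", "ip": "203.0.113.10", "client": "OWA"}
{"time": "2020-08-04T09:02:00", "user": "bob", "ip": "203.0.113.10", "client": "OWA"}
{"time": "2020-08-04T09:05:00", "user": "alice", "ip": "203.0.113.10", "client": "OWA"}
{"time": "2020-08-05T09:01:00", "user": "bob", "ip": "203.0.113.10", "client": "OWA"}
{"time": "2020-08-06T09:00:00", "user": "bob", "ip": "203.0.113.10", "client": "OWA"}
{"time": "2020-08-06T09:12:00", "user": "bob", "ip": "198.51.100.77", "client": "OWA"}
{"time": "2020-08-06T09:20:00", "user": "alice", "ip": "203.0.113.10", "client": "OWA"}
"""


def load_signins(text):
    """Parse JSON lines into dicts, with `time` as a datetime, sorted."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["time"] = datetime.fromisoformat(ev["time"])
    return sorted(events, key=lambda ev: ev["time"])


def build_baseline(events, until):
    """Per-user set of source IPs seen strictly before `until`."""
    seen = defaultdict(set)
    for ev in events:
        if ev["time"] < until:
            seen[ev["user"]].add(ev["ip"])
    return seen


def detect(events, baseline_until, window=timedelta(minutes=30)):
    """Flag sign-ins from an IP the account never used before the cut-off,
    and two sign-ins by one account from different IPs inside `window`
    (one account apparently in two places at once)."""
    baseline = build_baseline(events, baseline_until)
    last = {}
    alerts = []
    for ev in events:
        if ev["time"] < baseline_until:
            continue
        if ev["ip"] not in baseline[ev["user"]]:
            alerts.append({"type": "new_source_ip", "user": ev["user"],
                           "ip": ev["ip"], "time": ev["time"].isoformat()})
        prev = last.get(ev["user"])
        if prev and prev["ip"] != ev["ip"] and ev["time"] - prev["time"] <= window:
            alerts.append({"type": "concurrent_sources", "user": ev["user"],
                           "ips": [prev["ip"], ev["ip"]], "time": ev["time"].isoformat()})
        last[ev["user"]] = ev
    return alerts


def run_sample():
    """Baseline on everything before 2020-08-06, then check that day."""
    return detect(load_signins(SAMPLE_SIGNINS), datetime(2020, 8, 6))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The caveat is the one the thread already reached: the new address is a VPN exit, so this locates the session, not the person. What the alert buys is time (an immediate password reset and session revocation for the account) and a timestamped record to pair with whatever the coffee shop, the laptop or HR can establish.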
I have this one. Haven't run into any issues. Granted this is NOT a rework station. But it's the same model they are issuing in Fed labs. $135 gets you a great soldering iron with a wide range of adjustable temps and a set of various tips, though if you are doing ISP you'll want the very fine tips...I'll have to find the number for the ones I use...The only other thing you would want for ISP is decent magnification to work under.
This book would be a good start. The first part focuses on verbal testimony, but there is a big section on report writing and it includes templates.
But as others have said, it depends on your jurisdiction, if it is civil or criminal and a whole host of other things. You can even just generate one in EnCase (if that is what you are using), but it's fiddly to make something presentable.
Check this out. Goes from really beginner-level stuff to more experienced by the end of the first section. This book will answer all your questions about tools during all phases of forensic analysis. Hope it helps.
There's a textbook I used in college for one of my computer forensics courses. The class was strictly directed at the software use. It didn't cover a lot, but it has a few programs with case studies. Here's the link for the textbook: http://www.amazon.com/Guide-Computer-Forensics-Investigations-Book/dp/1435498836/ref=sr_1_11?ie=UTF8&qid=1461343696&sr=8-11&keywords=computer+forensics
Though your company cannot fund formal training, this should be doable. If they refuse to pay at all I still suggest buying it. $40 is worth having it in your personal library.
I would actually recommend this book instead.
It uses the test image that Guidance provides and does a complete run through of the case, from installing EnCase to exporting the report. I ran through this before my EnCE and it helped tremendously.
The book you linked to is a fantastic resource that has a lot of good information but this one actually puts the knowledge into play. I also like how it tied together a lot of the random things I had read about or learned through playing around on my own.
OP, have you picked this book up yet?
It's both a detailed guide to the program and a decent overview of computer forensics in general.
Well, if you have never touched either, I would install a VM of OS X and some variation of one of the major Linux Kernels. Learn the systems first as a user before trying to understand the ins and outs of the much more detailed concepts. If you want to jump straight into the forensic side of them, check out this book for Linux concepts and this book for Mac.
I recommend NIST Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide, and have heard good things regarding Blue Team Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder.