Plists are Apple's way of retaining configuration information. They're scattered throughout OS X and iOS like acorns and come in 2 main types — XML and binary. Due to their scattered nature and the potential for containing juicy artefacts, monkey thought a script to read plists and extract their data into an SQLite database might prove useful.
Digital forensic science is not a matter of recovering a file that proves somebody’s guilt; it...
I'm writing this review as someone who has used Volatility for some time, albeit not to its...
SiQuest Corporation has added a feature to its Internet Examiner Toolkit (IXTK). With the current release of Version 4.0.1407.2503, IXTK now forensically recovers evidence of “watched YouTube videos” from the Unallocated Space and browser cache repositories of computer hard drives, and the YouTube website directly.
As I mentioned in my previous post on this topic, there were two other tests that I wanted to conduct with respect to file system operations and the effects an analyst might expect to observe within the MFT, and the USN change journal.
Realistically, Live RAM analysis has its limitations, lots of them. Many types of artifacts stored in the computer’s volatile memory are ephemeral. While information about running processes will not disappear until they are finished, remnants of recent chats, communications, and other user activities may be overwritten with other content any moment the operating system demands yet another memory block.
I recently conducted some testing of different actions on a Windows 7 system, with the specific purpose of identifying artifacts within the file system (in this case, the MFT and the USN change journal), particularly within individual records.
The early use of digital forensics proved invaluable in a company’s investigation and legal pursuit of a renegade employee, averting potentially large business losses. Such effective outcomes can be challenging due to the constant advancement of technology.
I put together a python script that parses out several plist files related to Safari Internet History. Since the iPhone also uses Safari, I decided to expand the script to parse some iPhone Safari artifacts.
Although they don’t have an eyewitness or the actual murder weapon, Peoria County, Illinois prosecutors believe they have the next best thing — a series of Internet searches on Nathan Leuthold’s computer about ways to kill someone.
Computer Forensics is the methodical series of procedures and techniques used for procuring evidence from computer systems and storage media. This evidence can then be analyzed for relevant information that is to be presented in a court of law. Computer Forensics has frequently been listed as one of the most intriguing computer professions; however, beginners may find themselves overwhelmed quickly.
The term live response is being heard more and more frequently, but what exactly is it, and how does it differ from traditional forensics?
According to the National Institute of Standards and Technology, approximate matching is a technology that can be used in a variety of settings, including digital forensics, security monitoring and data filtering. It involves locating similarities among pieces of digital data to match objects that are alike or to find objects that contain other objects.
The US Government Accountability Office compared documented incident response actions to requirements set by the Federal Information Security Management Act of 2002 (FISMA) and National Institute of Standards and Technology (NIST) Special Publication 800-61, Computer Security Incident Handling Guide. The results were surprising.
The National Institute of Standards and Technology has issued for public review and comment a draft report summarizing 65 challenges that cloud computing poses to forensics investigators who uncover, gather, examine and interpret digital evidence to help solve crimes.
Linux forensics/incident response is a new thing for me. I've never had occasion thus far to conduct a "real" investigation into a Linux machine. This "intrusion" into my honeypot inspired me to conduct my own attack and investigation so I could learn more about the subject.
SiQuest Corporation has launched Internet Examiner Toolkit Version 4 (IXTK v4), a 3-in-1 tool for recovery and analysis of Internet-based evidence.
U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.
Security information and event management (SIEM) has been an area where I have spent considerable time researching. My research started out as curiosity to see if the technology could solve some problems then continued to get organization buy-in followed by going all in to architect, implement, and manage a SIEM for my organization.
Let’s be very clear before we go down the flasher box path, there is no replacement or substitute for the automated forensic tools produced by mobile forensic manufacturers. Unfortunately, with growing consumer demand for newer and more technologically advanced mobile phones, these automated and safe solutions do not meet some investigative requirements.
There are a lot of folks with different skill sets and specialties involved in targeted threat analysis and threat intel collection and dissemination. There are a lot of researchers with specific skill sets in network traffic analysis, malware reverse engineering, etc.
Digital forensic investigation software was used by Croatian Police to prosecute an international case involving exploitation of children for pornography. During this case, Croatian Police used Belkasoft Evidence Center to extract and analyze information from suspects' computers, memory dumps and hard drive images.
The incredible amount of data being produced by individuals, industries, and governments continues to increase yearly along with the demand for greater archival storage capacities. Alternative storage technologies are already under development and they may eventually replace the conventional HDD for data storage.
As I mentioned in my last post, Brett Shavers is offering a free course on the Windows Forensic Environment (WinFE). The Windows Forensic Environment course covers the history, building and usage of WinFE. The course consists of 30 modules, including 27 video lessons, a wrap-up video, a qualification exam and a course downloads page.
Individuals on the recipients list of the leaked US Marshals Service email to Silk Road auction enquirers are being targeted in a phishing attack, and at least one individual has fallen for the scam. Several individuals on the list received phishing emails from the same source. However, not all the individuals on the leaked email recipients list were targeted.
Cloud computing helps to make data more accessible, but the same technologies that make it readily available — on-demand provisioning, reprovisioning and virtual environments — also can obscure it. This is creating new challenges for digital forensics, complicating incident response and criminal and civil investigations into incidents and data in the cloud.
A monthlong national effort to capture sex predators led to 275 arrests in Southern California that included a teaching assistant for special needs kids, a retired sheriff's deputy and a U.S. Army soldier. The effort dubbed "Operation Broken Heart" involved dozens of local, state and federal authorities throughout the month of May who targeted sex offenders, child sex traffickers, pimps, child porn traders and sex tourists traveling abroad.
In many ways preparation is key to success. Preparation is a significant factor to one's success in the Digital Forensic and Incident Response field. This applies to the entire field and not just malware forensics. When you are confronted with a system potentially impacted with malware your ability to investigate the system successfully depends on your knowledge, experience, and toolset.