Computer Forensics

The Lead

Squirrelling Away Plists

July 31, 2014 2:36 pm | by Editor | Blogs | Comments

Plists are Apple's way of retaining configuration information. They're scattered throughout OS X and iOS like acorns and come in two main types — XML and binary. Due to their scattered nature and the potential for containing juicy artefacts, monkey thought a script to read plists and extract their data into an SQLite database might prove useful.

Find the Context

July 30, 2014 3:50 pm | Articles | Comments

Digital forensic science is not a matter of recovering a file that proves somebody’s guilt; it...

Book Review: 'The Art of Memory Forensics'

July 30, 2014 3:23 pm | by Harlan Carvey | Blogs | Comments

I'm writing this review as someone who has used Volatility for some time, albeit not to its...

Panopticlick Reveals the Cookie You Can't Delete

July 29, 2014 10:36 am | by Mark Stockley | Blogs | Comments

Cookies are an essential part of the way the web works and occupy a pivotal position in the...

Software Forensically Recovers Watched YouTube Videos

July 28, 2014 10:32 am | by John Bradley | SiQuest Corporation | News | Comments

SiQuest Corporation has added a feature to its Internet Examiner Toolkit (IXTK). With the current release of Version 4.0.1407.2503, IXTK now forensically recovers evidence of “watched YouTube videos” from the Unallocated Space and browser cache repositories of computer hard drives, and the YouTube website directly.

File System Ops, Testing Phase 2

July 25, 2014 9:43 am | by Corey Harrell | Blogs | Comments

As I mentioned in my previous post on this topic, there were two other tests that I wanted to conduct with respect to file system operations and the effects an analyst might expect to observe within the MFT, and the USN change journal.

Limitations of Volatile Memory Analysis

July 25, 2014 8:51 am | Articles | Comments

Realistically, Live RAM analysis has its limitations, lots of them. Many types of artifacts stored in the computer’s volatile memory are ephemeral. While information about running processes will not disappear until they are finished, remnants of recent chats, communications, and other user activities may be overwritten with other content any moment the operating system demands yet another memory block.

File System Ops, Effects on MFT Records

July 24, 2014 8:17 am | by Corey Harrell | Blogs | Comments

I recently conducted some testing of different actions on a Windows 7 system, with the specific purpose of identifying artifacts within the file system (in this case, the MFT and the USN change journal), particularly within individual records.

Digital Forensics in the Mobile, BYOD, Cloud Era

July 23, 2014 10:59 am | by Kerry Francis and Matt Larson, Inside Counsel | News | Comments

The early use of digital forensics proved invaluable in a company’s investigation and legal pursuit of a renegade employee, averting potentially large business losses. Such effective outcomes can be challenging due to the constant advancement of technology.

Safari and iPhone Internet History Parser

July 23, 2014 9:32 am | by Mari DeGrazia | Blogs | Comments

I put together a Python script that parses out several plist files related to Safari Internet History. Since the iPhone also uses Safari, I decided to expand the script to parse some iPhone Safari artifacts.

Computer Forensics Reveal Murderous Searches

July 21, 2014 9:04 am | by Andy Kravetz, Journal Star | News | Comments

Although they don’t have an eyewitness or the actual murder weapon, Peoria County, Illinois prosecutors believe they have the next best thing — a series of Internet searches on Nathan Leuthold’s computer about ways to kill someone.

Computer Forensics with P2 Commander

July 18, 2014 9:42 am | by Pranshu Bajpai, Infosec Institute | News | Comments

Computer Forensics is the methodical series of procedures and techniques used for procuring evidence from computer systems and storage media. This evidence can then be analyzed for relevant information that is to be presented in a court of law. Computer Forensics has frequently been listed as one of the most intriguing computer professions; however, beginners may find themselves overwhelmed quickly.

Live Response vs. Traditional Forensics

July 18, 2014 8:03 am | by Editor | Blogs | Comments

The term live response is being heard more and more frequently, but what exactly is it and how does it differ from traditional forensics?

Approximate Matching Helps Digital Forensics Find Similar Artifacts

July 17, 2014 8:32 am | by Kim Mays, IT Business Edge | News | Comments

According to the National Institute of Standards and Technology, approximate matching is a technology that can be used in a variety of settings, including digital forensics, security monitoring and data filtering. It involves locating similarities among pieces of digital data to match objects that are alike or to find objects that contain other objects.

US GAO Report Highlights Incident Response Shortcomings

July 16, 2014 3:23 pm | by Richard Bejtlich | Blogs | Comments

The US Government Accountability Office compared documented incident response actions to requirements set by the Federal Information Security Management Act of 2002 (FISMA) and National Institute of Standards and Technology (NIST) Special Publication 800-61, Computer Security Incident Handling Guide. The results were surprising.

Digital Crime-fighters Face Technical Challenges with Cloud Computing

July 15, 2014 3:55 pm | by NIST | News | Comments

The National Institute of Standards and Technology has issued for public review and comment a draft report summarizing 65 challenges that cloud computing poses to forensics investigators who uncover, gather, examine and interpret digital evidence to help solve crimes.

From China with Love?

July 15, 2014 9:52 am | by Ken Pryor | Blogs | Comments

Linux forensics/incident response is a new thing for me. I've never had occasion thus far to conduct a "real" investigation into a Linux machine. This "intrusion" into my honeypot inspired me to conduct my own attack and investigation so I could learn more about the subject.

Internet Examiner Toolkit 4

July 15, 2014 8:19 am | SiQuest Corporation | Product Releases | Comments

SiQuest Corporation has launched Internet Examiner Toolkit Version 4 (IXTK v4), a 3-in-1 tool for recovery and analysis of Internet-based evidence.

Beware Keyloggers at Hotel Business Centers

July 14, 2014 11:12 am | by Editor | Blogs | Comments

U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.

Linkz for SIEM

July 14, 2014 9:52 am | by Corey Harrell | Blogs | Comments

Security information and event management (SIEM) has been an area where I have spent considerable time researching. My research started out as curiosity to see if the technology could solve some problems, then continued to getting organization buy-in, followed by going all in to architect, implement, and manage a SIEM for my organization.

Flasher Box or No Flasher Box?

July 11, 2014 9:27 am | Articles | Comments

Let’s be very clear before we go down the flasher box path: there is no replacement or substitute for the automated forensic tools produced by mobile forensic manufacturers. Unfortunately, with growing consumer demand for newer and more technologically advanced mobile phones, these automated and safe solutions do not meet some investigative requirements.

Random Stuff

July 10, 2014 8:57 am | by Harlan Carvey | Blogs | Comments

There are a lot of folks with different skill sets and specialties involved in targeted threat analysis and threat intel collection and dissemination. There are a lot of researchers with specific skill sets in network traffic analysis, malware reverse engineering, etc.

DFI Software Helps Croatian Police Solve International Child Abuse Case

July 9, 2014 3:09 pm | Belkasoft | News | Comments

Digital forensic investigation software was used by Croatian Police to prosecute an international case involving exploitation of children for pornography. During this case, Croatian Police used Belkasoft Evidence Center to extract and analyze information from suspects' computers, memory dumps and hard drive images.

Data Storage Issues: Part 3

July 9, 2014 8:53 am | by John J. Barbara | Digital Forensics Consulting, LLC | Articles | Comments

The incredible amount of data being produced by individuals, industries, and governments continues to increase yearly along with the demand for greater archival storage capacities. Alternative storage technologies are already under development and they may eventually replace the conventional HDD for data storage.

Windows Forensic Environment Training Course Review

July 7, 2014 10:33 am | by Ken Pryor | Blogs | Comments

As I mentioned in my last post, Brett Shavers is offering a free course on the Windows Forensic Environment (WinFE). The Windows Forensic Environment course covers the history, building and usage of WinFE. The course consists of 30 modules, including 27 video lessons, a wrap-up video, a qualification exam and a course downloads page.

Phishing Scam Targets US Marshals Service Bitcoin Auction List

July 7, 2014 10:10 am | News | Comments

Individuals on the recipients list of the leaked US Marshals Service email to Silk Road auction enquirers are being targeted in a phishing attack, and at least one individual has fallen for the scam. Several individuals on the list received phishing emails from the same source. However, not all the individuals on the leaked email recipients list were targeted.

The Frontier of Cloud Forensics

July 1, 2014 11:23 am | by William Jackson, GCN | News | Comments

Cloud computing helps to make data more accessible, but the same technologies that make it readily available — on-demand provisioning, reprovisioning and virtual environments — also can obscure it. This is creating new challenges for digital forensics, complicating incident response and criminal and civil investigations into incidents and data in the cloud.

California Authorities Arrest 275 Child Predators

June 30, 2014 10:05 am | by Tami Abdollah, Associated Press | News | Comments

A monthlong national effort to capture sex predators led to 275 arrests in Southern California that included a teaching assistant for special needs kids, a retired sheriff's deputy and a U.S. Army soldier. The effort dubbed "Operation Broken Heart" involved dozens of local, state and federal authorities throughout the month of May who targeted sex offenders, child sex traffickers, pimps, child porn traders and sex tourists traveling abroad.

Improving Your Malware Forensics Skills

June 26, 2014 12:27 pm | by Corey Harrell | Blogs | Comments

In many ways, preparation is key to success. Preparation is a significant factor in one's success in the Digital Forensic and Incident Response field. This applies to the entire field and not just malware forensics. When you are confronted with a system potentially impacted by malware, your ability to investigate the system successfully depends on your knowledge, experience, and toolset.
