The Lead

Binary Files Analysis

April 18, 2014 8:40 am | by Daniel Cabezas and Bram Mooij | Articles | Comments

There are several techniques for comparing the code of two binaries when no source code, or only part of it, is available. The simplest is a binary diffing utility, which is used much like a plaintext comparison listing: the two files are shown side by side and the differing bytes are highlighted. The caveat is that a plain byte-for-byte diff at fixed offsets only works well when the two binaries were built the same way; a single inserted byte, a recompile with different options, or a relinked section shifts everything that follows it, and the tool will then report nearly every line as changed.

Ropin' in Facebook, Twitter, LinkedIn

April 11, 2014 8:54 am | by Gary Torgersen | Articles | Comments

Each social media platform is different, with unique code and variations. Each one runs on its...

A Smartphone is Never Just a Smartphone

April 4, 2014 9:09 am | by Ronen Engler and Christa M. Miller | Articles | Comments

Vendors and operating systems can vary widely, particularly with Android, but also even within...

Physical Memory Acquisition

March 28, 2014 8:15 am | by Dr. C Andras Moritz, Kristopher Carver, Jeff Gummeson | Articles | Comments

Once a password has been bypassed, an investigator has full access to the computer, allowing...

Investigator Turns Eyewitness

March 21, 2014 8:21 am | by Benjamin Wright | Articles | Comments

In today's world of social media, investigators are taking on a new role; they are becoming a form of eyewitness. As the eyewitness, an investigator observes evidence that might not be visible to any other available investigator. The investigator is wise to create a record of what he or she sees at any particular point in time, including printouts of screenshots.

Challenges in Smartphone Forensics: Passwords and Encryption

March 10, 2014 6:20 am | by Ronen Engler and Christa M. Miller | Cellebrite | Articles | Comments

Not only does data storage vary from device to device and OS to OS, but devices may also be passcode-protected and/or encrypted. iPhone passcodes fall into two categories: simple and complex. A mobile data extraction tool should be able to reveal a simple passcode automatically for most devices.

Education in Digital Forensics

March 7, 2014 8:36 am | by John J. Barbara | Articles | Comments

A question often asked is, "What education and training is necessary to work in digital forensics?" There is no single, simple answer to this question. First of all, an individual has to choose a career pathway, namely whether they wish to work in the public sector or in the private sector.


Plaintext Files Analysis

February 23, 2014 11:41 pm | Articles | Comments

Source code and text comparison is an established, well-known analysis technique. A program that lists file A in the left window and file B in the right window and highlights the differences line by line, preferably in a different color, is frequently an easy way to detect copied text. Some of the more advanced analysis utilities can also compare, merge, and synchronize whole files and directories.
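The two comparison techniques described above (plaintext listing here, binary diffing in the Binary Files Analysis teaser) can both be done with the Python standard library. The following is an added example, not code from either article; the two source snippets and the three byte strings are constructed inputs, and it uses `difflib` to align the files rather than any commercial comparison tool. It shows the difference a practitioner should know about: a naive diff that compares fixed-size blocks at the same offsets flags almost everything once two bytes are inserted, while an alignment-aware diff reports the insertion itself.

```python
"""Text and binary comparison for code-reuse analysis (added example).

Uses only the standard library: difflib for alignment-aware diffs and
hashlib to fingerprint the inputs that were compared.
"""
import difflib
import hashlib

# Constructed sample inputs; not taken from any real case.
TEXT_A = """int check(int x) {
    if (x > 10)
        return 1;
    return 0;
}
"""
TEXT_B = """int check(int x) {
    if (x >= 10)
        return 1;
    log(x);
    return 0;
}
"""

BIN_A = bytes(range(64))                         # 64 distinct byte values
_b = bytearray(BIN_A)
_b[20], _b[50] = 0xFF, 0x00                      # two bytes patched in place
BIN_B = bytes(_b)
BIN_C = BIN_A[:10] + b"\x90\x90" + BIN_A[10:]    # two bytes inserted at offset 10


def sha256(data: bytes) -> str:
    """Fingerprint an input so the report identifies exactly which files were diffed."""
    return hashlib.sha256(data).hexdigest()


def text_diff(a: str, b: str, name_a="A", name_b="B"):
    """Unified diff of two text files (the '-'/'+' lines a diff viewer would colour)."""
    return list(difflib.unified_diff(a.splitlines(), b.splitlines(),
                                     fromfile=name_a, tofile=name_b, lineterm=""))


def text_changes(a: str, b: str):
    """Changed regions as (tag, lines_from_a, lines_from_b), like a side-by-side viewer."""
    la, lb = a.splitlines(), b.splitlines()
    sm = difflib.SequenceMatcher(None, la, lb, autojunk=False)
    return [(tag, la[i1:i2], lb[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


def block_diff(a: bytes, b: bytes, block: int = 16):
    """Naive binary diff: compare fixed-size blocks at the same offsets.

    Returns the offsets of blocks that differ. Any insertion or deletion shifts
    every later block, so this only works for files that were built identically.
    """
    n = max(len(a), len(b))
    return [off for off in range(0, n, block) if a[off:off + block] != b[off:off + block]]


def aligned_binary_diff(a: bytes, b: bytes):
    """Alignment-aware binary diff: (tag, a_start, a_end, b_start, b_end) per change.

    SequenceMatcher re-synchronises after an insertion, so a shifted tail is
    still reported as equal and only the inserted/replaced bytes are listed.
    """
    sm = difflib.SequenceMatcher(None, a, b, autojunk=False)
    return [op for op in sm.get_opcodes() if op[0] != "equal"]


def similarity(a: bytes, b: bytes) -> float:
    """Ratio in [0, 1]: 2 * matched bytes / total bytes of both inputs."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


if __name__ == "__main__":
    print("\n".join(text_diff(TEXT_A, TEXT_B)))
    for tag, old, new in text_changes(TEXT_A, TEXT_B):
        print(tag, old, "->", new)
    for name, other in (("B (patched)", BIN_B), ("C (inserted)", BIN_C)):
        print(name, sha256(other)[:16],
              "block offsets:", block_diff(BIN_A, other),
              "aligned:", aligned_binary_diff(BIN_A, other),
              "similarity: %.3f" % similarity(BIN_A, other))
```

Run it and compare the two binary results: against the patched copy both methods agree (blocks 16 and 48, bytes 20 and 50), but against the copy with two inserted bytes `block_diff` flags every block from offset 0 onward while `aligned_binary_diff` reports a single two-byte insert at offset 10 and the similarity stays above 98%. Recording the SHA-256 of each input alongside the diff is what lets the comparison be reproduced later.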

The Need for a Faraday Bag

February 21, 2014 9:44 am | by Eamon P. Doherty | Articles | Comments

It is very important that the digital evidence be preserved from the time of seizure until it is presented as evidence in court. If evidence is suspected of being tampered with, it could be ruled as inadmissible in court. Therefore, it is important for CCEs to preserve digital evidence by using a Faraday bag and noting its usage on the chain of evidence form.

Smartphone Challenges: Prepaid Phones

February 7, 2014 10:10 am | Cellebrite | Articles | Comments

Prepaid phones have been a problem for some time, and continue to be a problem for law enforcement in particular. That's because the disabled data port on these devices cannot be enabled, and vendors don't make the devices' APIs available to the developers of commercial forensic extraction tools.

Take an Active Role When Working Cases with Attorneys

January 30, 2014 7:00 pm | Articles | Comments

These days a great deal more is required of an attorney before the motion for injunctive relief can be filed. You can help them meet their professional obligations by providing advice on the preliminary steps that need to be addressed to preserve electronically stored information. The attorney must first establish a litigation hold of all potentially relevant electronically stored information. 

Some Challenges to Preparing for Accreditation in Digital Forensics

January 23, 2014 7:00 pm | Digital Forensics Consulting, LLC | Articles | Comments

To attain ASCLD/LAB – International accreditation, a laboratory must achieve 100% compliance with every applicable clause in the accreditation requirements. Often overlooked is the fact that just about every sentence or list of items in the accreditation requirements is a ratable clause to which the laboratory must demonstrate conformance.


A Good Case Management Workflow Is Crucial for Website Capture

January 16, 2014 6:46 pm | Articles | Comments

A good case management workflow for website capture should include researching the suspect company's background and website, identifying the resources required for the project, initiating and executing the project, and reporting and testimony.

Apply Locard's Exchange Principle to Digital Forensics

January 9, 2014 7:00 pm | Articles | Comments

Locard's Exchange Principle is often cited in forensics publications: "Every contact leaves a trace." In the cyber world, the perpetrator may or may not come into physical contact with the crime scene, which brings a new facet to crime scene analysis.

Effective Courtroom Testimony: Trick Questions

December 19, 2013 7:00 pm | Articles | Comments

Cross-examination can be very tricky and can quickly make you appear feeble-minded. There are two types of questions often asked to catch you off guard in an attempt to discredit your testimony. Once you have worked out which type of question you are being asked, think your answer through before speaking, and then answer with confidence.

GPS Evidence

December 19, 2013 7:00 pm | Articles | Comments

Trackpoints are the Holy Grail in GPS forensics. They are the electronic breadcrumb trail that tells an investigator exactly where and when the device was in a specific location. With trackpoints, criminal acts can be pinpointed down to almost the exact second a crime was committed.

Expert Report Writing: Know Your Audience

December 19, 2013 7:00 pm | Articles | Comments

In writing your report you need to keep in mind the likely reader or readers. If technical explanations are required, you need to provide interpretations of the technical matters in lay terms that all of the people reading your report can understand. Define technical terms in the body of the report or with footnotes. 


Collecting Evidence from the Cloud

December 12, 2013 6:17 pm | Articles | Comments

The examiner's lack of control makes collection the generally accepted problem with cloud-based evidence. Because the examiner has neither access to the physical hard drive nor control over the network, he or she will at most have access to the data through the end user's Web browser, or through a computer connected to the same network.

Digital Image Integrity

December 5, 2013 5:00 am | Articles | Comments

What most agencies fail to realize is that the lack of SOPs involving digital image integrity and workflow means images submitted for court purposes may not survive if challenged by a knowledgeable attorney. These digital complexities have not yet been realized, so images taken by photographers will likely fail one of three very basic criteria.

How to Collect Internet Evidence

November 24, 2013 7:00 pm | Articles | Comments

The courts have generally accepted evidence collected from the Internet as long as its authenticity can be established. Commonly accepted digital forensic methodologies can all be used to identify a three-pronged approach to Internet forensics.

Report Writing Guidelines: Break it Up

November 20, 2013 3:06 am | Articles | Comments

Reports can get long and are often very detailed. While I would like to think that readers marvel over every word, I know that what they really want to do is zero in on the really juicy bits and be able to navigate easily to other points as needed.

A Task List Can Help in Starting a Digital Forensics Section

November 13, 2013 1:06 pm | Articles | Comments

For those contemplating starting a Digital Forensics section, review the issues listed below. Although not a complete listing, minimally, it can serve as a starting point. Individual specific needs and requirements will possibly identify others that have to be addressed.

Rethinking 'Pulling the Plug'

November 7, 2013 7:00 pm | Articles | Comments

Investigators are normally trained not to interact with a live system, or to do so minimally; however, "pulling the plug" on a live system is not without inherent risk. All volatile information (running processes, open network connections, and anything held only in RAM) is lost when power is removed. Removing power from a live system with a BIOS password will also cause difficulties later when a forensic examiner attempts to access the BIOS to obtain system information.

Performing Xbox Live Searches

October 30, 2013 9:42 am | Articles | Comments

Consoles today play an increasing part in even local police investigations across the country. In a presentation to law enforcement, Microsoft made clear that "investigators may participate in Xbox live in undercover operations."

Gain Credibility in the Courtroom

October 24, 2013 8:00 pm | by Evan Dixon | Articles | Comments

There are two things an investigator can do to gain credibility in the courtroom as an expert witness. One is cross-validation of the tools used. The second is to make sure the investigator has a solid understanding of the evidence and how it was gathered.

Prepare for Android Devices Now

October 17, 2013 9:28 pm | Articles | Comments

As a result of Android's security architecture, forensic examiners have no built-in mechanism on the phone for extracting core user data. Instead, new techniques must be developed, which require some interaction with the device. There are four primary ways to approach forensics on an Android device.

Expert Witnesses: Changes to the Federal Rules of Civil Procedure

October 10, 2013 8:00 pm | Articles | Comments

When serving as an expert in federal court, the most significant change is that an expert witness need not disclose prior versions of their report, or communications with the hiring attorney about the report. This eliminates a common cross-examination technique in which the expert's evolving drafts were reviewed to create the impression on the jury that the expert was willing to change his or her opinions.

Life on the Range

September 27, 2013 5:00 am | by Gary Torgersen | Articles | Comments

The industry of digital forensics and electronic discovery is still a rather young one. Yet it has been around long enough to develop standards and best practices for handling multiple types of digital files on various mediums. The challenge of taming the land of social media and Webmail—where each platform has its own rules, or no rules at all—is just like taming the Wild West.

Prep Your Mobile Device Examination Computer

September 20, 2013 7:38 am | Articles | Comments

When the examiner is ready to investigate a phone, he or she may have a checklist to make sure that the examination machine is ready. This computer, known as the examination computer, can be a laptop or a desktop. The main requirement is that it has at least a Pentium 90 for processing speed and enough RAM to run the cell phone forensic software.
