Everything started from an encrypted container on a flash drive, which couldn’t be opened for some reason. The examination confirmed, that the container didnât accept the password provided. The first thought was the customer forgot the right one. But we decided to try to find a solution to open it. We started from checking NTFS file system. Analysis revealed the …
Windows Phones are not frequent guests of our digital forensic lab, especially now, as Microsoft stopped developing the platform. Nevertheless, sometimes we have to forensicate such devices, so it’s very important to have methods of fast and simple data extraction. For quite a long time the only option of physical extraction has been JTAG or Chip-off techniques, but thanks to …
We continue our unforgetable journey to the world of cloud forensics. This time we are going to forensicate pCloud desktop application – pCloud Drive. pCloud is a file storage and synchronization service, emerged on September 13, 2013. The service supports cloud storage, file sharing, data backup and user collaboration. As of May 2018, pCloud has over 8 000 000 registered users all over the world, …
It seems we really enjoy forensicating desktop apps for cloud services. Last week we started from really secure cloud service app – Mega. This time we are going to continue with another, much more forensically friendly app, – Box. So Box is a popular enterprise content management platform, but, of course, can be used by regular users for managing content in the …
Nowadays almost everybody have an account at this or that cloud service. Dropbox, One Drive, Google Drive are some of the most popular services. There are also some services focused on security of their users data – one of such services is MEGA. According to the developers, “MEGA is fully accessible without prior software installs and remains the only cloud …
Timestamps play a very important role in many digital forensic examinations, so it’s very important for any forensic examiner or analyst to clearly understand how they work. SANS Institute has an amazing Windows Forensic Analysis poster illustrating Windows Time Rules, but recently a few of our DFIR friends noticed, that those rules are not working anymore. We have decided to …
Metasploit Framework is very popular not only among pentesters, but also quite often used by real adversaries. So why memory forensics is very important here? Because, for example, Meterpreter, an advanced, dynamically extensible Metasploit’s payload, resides entirely in memory and writes nothing to victim’s drive. In this article we will show you how to use Volatility Framework to find Metasploit’s traces with …
SQLite databases are very common sources of forensic artifacts nowadays. A lot of mobile applications store data in such databases, you can also find them on desktop computers and laptops as well, for example, forensicating web-browsers, messengers and some other digital evidence sources. There are a lot of forensic tools on the market that support analysis of SQLite databases, for …
Recently we have received a good question from one of our DFIR mates: “How can one detect backdating of the system clock forensicating macOS?”. This is a really good question, at least for us, so we decided to research. If we are talking about Windows system clock backdating – there are a lot of information to help, for example, this …
Yet another registry parser, or yarp, is a library and tools to deal with Windows registry files [1]. Despite the name, yarp is not a simple registry parser. The project started as an attempt to fully implement the Windows registry file format specification [2] and to provide features important to incident responders and forensic examiners. This article will highlight one …
Login
