Collaborate Disseminate
I am currently working on a home "forensic" lab and I have set up an OPNsense-based transparent proxy (squid) to intercept and analyze HTTPS traffic coming from a Windows 11 client. I can successfully decrypt traffic using TLS ke… Continue reading How to capture fully decrypted HTTPS traffic in a transparent proxy setup without TLS key logs?
Let’s say I have an SSD on a Windows machine that supports TRIM. After I delete a file / some files on it, assume the TRIM command is sent, and those pages are marked as invalid. At some point, the garbage collection process will collect t… Continue reading How long does SSD garbage collection take?
I noticed that when the secure boot options is disabled on a Bitlocker enabled Windows laptop with TPM, in order to boot into a forensic live OS like Kali in Forensic Mode or Parrot OS that the TPM is not cleared at least on some HP laptop… Continue reading Are there any known BIOS that clear a TPM on disabling secure boot?
I wonder if entering the Windows (advanced) startup menu changes or logs anything on the disk itself. Where does this exactly happen in the boot sequence? If for example, a laptop was to be forensically imaged without a write-blocker would… Continue reading Is booting into the Windows (advanced) startup menu without a write-blocker forensically safe?
Some malware today use anti-analysis features such as:
Detecting Virtualisation (Adapternames, UTC Timedifference between realtime and in VM,…)
Check if Internet is available
…
Also a lot of malware is staged, so if the anti-analysis… Continue reading Analysing Advanced Malware
I’m using the following commands to capture 2 memory dumps, one for bios only and the other the first MB of the memory on a old laptop that uses phoenix legacy, non uefi , Bios and run fedora .
sudo dd if=/dev/mem bs=1k skip=960 count=64 o… Continue reading Linux / Fedora Memory Capture and Analysis Guide Needed
I’m reading about Error Level Analysis (ELA) in image forensics as means to detect if modifications were made to a photo. ELA is nicely described here: https://fotoforensics.com/tutorial.php?tt=ela. Also below examples are from that site.
… Continue reading Is Error Level Analysis (ELA) in image forensics a reliable indicator for detecting digital modifications?
This is from 404 Media:
The Graykey, a phone unlocking and forensics tool that is used by law enforcement around the world, is only able to retrieve partial data from all modern iPhones that run iOS 18 or iOS 18.0.1, which are two recently released versions of Apple’s mobile operating system, according to documents describing the tool’s capabilities in granular detail obtained by 404 Media. The documents do not appear to contain information about what Graykey can access from the public release of iOS 18.1, which was released on October 28.
More …
I have just started trying to learn to do some basic forensics tasks to try to find data hidden in a file. I am specifically trying to find hashes hidden within files, but I have been unsuccessful and I am not sure how best to proceed (I k… Continue reading Identifying hidden hashes in files [closed]
Considering the metadata such as creation and modification datetimes of files in terms of computer forensics. If tampering of such metadata date information is expected, can Benford’s law be used to proof or disprove the act of metadata al… Continue reading Can Benford’s law be used for the purpose of detecting deviations in a file metadata dates?