forensics – Page 4 – WindowsTechs.com

How to obtain a lost version of an edited notepad [.txt] file on a Windows 10 hard drive using a SATA SSD to USB dongle [migrated]

Posted on July 17, 2023 by LilWhiteHatHacker

About 1 year ago I had saved some code on a notepad text file (.txt) I was building using a Windows 10 computer. However, I deleted a portion of the code and saved the text file with a new c++ code patch thinking it was no big deal. Howeve… Continue reading How to obtain a lost version of an edited notepad [.txt] file on a Windows 10 hard drive using a SATA SSD to USB dongle [migrated]→

Tracking Down a Suspect through Cell Phone Records

Posted on July 17, 2023 by Bruce Schneier

Interesting forensics in connection with a serial killer arrest:

Investigators went through phone records collected from both midtown Manhattan and the Massapequa Park area of Long Island—two areas connected to a “burner phone” they had tied to the killings. (In court, prosecutors later said the burner phone was identified via an email account used to “solicit and arrange for sexual activity.” The victims had all been Craigslist escorts, according to officials.)

They then narrowed records collected by cell towers to thousands, then to hundreds, and finally down to a handful of people who could match a suspect in the killings…

Continue reading Tracking Down a Suspect through Cell Phone Records→

Typing Incriminating Evidence in the Memo Field

Posted on June 27, 2023 by Bruce Schneier

Don’t do it:

Recently, the manager of the Harvard Med School morgue was accused of stealing and selling human body parts. Cedric Lodge and his wife Denise were among a half-dozen people arrested for some pretty grotesque crimes. This part is also at least a little bit funny though:

Over a three-year period, Taylor appeared to pay Denise Lodge more than $37,000 for human remains. One payment, for $1,000 included the memo “head number 7.” Another, for $200, read “braiiiiiins.”

It’s so easy to think that you won’t get caught.

… Continue reading Typing Incriminating Evidence in the Memo Field→

Identifying the Idaho Killer

Posted on June 13, 2023 by Bruce Schneier

The New York Times has a long article on the investigative techniques used to identify the person who stabbed and killed four University of Idaho students.

Pay attention to the techniques:

The case has shown the degree to which law enforcement investigators have come to rely on the digital footprints that ordinary Americans leave in nearly every facet of their lives. Online shopping, car sales, carrying a cellphone, drives along city streets and amateur genealogy all played roles in an investigation that was solved, in the end, as much through technology as traditional sleuthing…

Continue reading Identifying the Idaho Killer→

Operation Triangulation: Zero-Click iPhone Malware

Posted on June 9, 2023 by Bruce Schneier

Kaspersky is reporting a zero-click iOS exploit in the wild:

Mobile device backups contain a partial copy of the filesystem, including some of the user data and service databases. The timestamps of the files, folders and the database records allow to roughly reconstruct the events happening to the device. The mvt-ios utility produces a sorted timeline of events into a file called “timeline.csv,” similar to a super-timeline used by conventional digital forensic tools.

Using this timeline, we were able to identify specific artifacts that indicate the compromise. This allowed to move the research forward, and to reconstruct the general infection sequence:…

Continue reading Operation Triangulation: Zero-Click iPhone Malware→

My Return to Techno Security Conference

Posted on June 2, 2023 by jj

I have a long history with the Techno Security Conference, thanks to my mentor and friend “Uncle” Jack Wiles. At one point, over 10 years ago, I was the conference’s youngest ever keynote speaker. It’s with great honor I return again this year to deliv… Continue reading My Return to Techno Security Conference→

How can I get the Product Key with Autopsy or FTK viewer? [closed]

Posted on May 2, 2023 by P00

I have a disk image divided in 4 files, image.E01, image.E02, image.E03 and image.E04. I created a case in autopsy and I’m trying to recover the Product ID and the Product Key.
The product ID I already found it in the Operating System Info… Continue reading How can I get the Product Key with Autopsy or FTK viewer? [closed]→

How to forensically check if some data on .vmdk disk has been hidden/deleted?

Posted on April 18, 2023 by Nejc Ahtik

I was presented with a task. I have .vmdk disk available and I have to check its contents – forensically check the data on it without modifiying it and then check whether some data on this disk has been deleted. I also have to check whethe… Continue reading How to forensically check if some data on .vmdk disk has been hidden/deleted?→

Get file from the linux_volshell from volatility

Posted on April 4, 2023 by P00

I am analyzing a mem and trying to recover a file that an attacker used to exploit drupalgeddon2 vulnerability. I discover that the process with pid 11046 executes the request with the file h38x.php (the one the attacker submitted).
I need… Continue reading Get file from the linux_volshell from volatility→

How to recover a file with volatility from a linux profile

Posted on April 1, 2023 by P00

I’m trying to recover files from a .mem file with volatility. The mem file is from a Linux machine. I have already loaded the profile and it works fine. I have discovered that the drupalgeddon2 vulnerability was exploited but I need eviden… Continue reading How to recover a file with volatility from a linux profile→