Is not turning off your computer "forensically" safe?
Does it affect data recovery, etc.?
Continue reading Is not turning off your computer "forensically" safe?
everyone!
I have discovered suspicious activity on one of Mikrotik Routers. This device had an outdated version of RouterOS with open ports web, winbox, etc. I believe that it was infected by malware, and there is a need to analyze the con… Continue reading Any approach to copy the disk and take RAM snapshot of RouterOS (Mikrotik)?
It would be great if forensics teams could easily lift fingerprints off of bullet casings left at crime scenes, but unfortunately doing so is often quite difficult. A new technique developed at the University of Nottingham could change that. Continue reading New technique excels at lifting fingerprints from shell casings
If one uses a storage device (USB stick or SD card) on Windows, then it leaves "System Volume Information" folder in the file system. Would there be a way so a forensic guy could definitely tell on which computer the storage devi… Continue reading Could "System Volume Information" be used to find out on which system the storage was used?
If one formats the same USB stick (or SD card) to FAT32 file system on Windows, or on Linux, or on Android – would there be differences so a forensic guy could definitely tell on which OS or even on which specific machine the USB stick was… Continue reading Are there differences on how storages are formatted between different OS?
If one uses a micro SD card with a card reader on Windows, or on Linux, or on Android – would there be a way so a forensic guy could definitely tell on which computer the flash card was used by examining it?
I know OS can log which devices… Continue reading Which traces are left on a flash card after using it?
If one uses a micro SD card with a card reader on Windows, or on Linux, or on Android, would there be a way to forensically determine on which computer the card reader was used?
I know OS can log which USB devices were connected. As far as … Continue reading What traces are left on a flash card reader after using it?
If one uses a FAT32-formatted USB stick on Windows, Linux, or Android, would there be a way to determine on which computer the USB stick was used by examining the USB stick?
I know OS can log which USB sticks were connected. As far as I kn… Continue reading What traces are left on a USB stick after using it?
I am currently studying Windows forensics and I have found that it would be advisable to image the drive while it is powered on and live. If you power it off, you likely will not be able to recover the keys. What would be the importance of… Continue reading Why is it advisable to capture a disk image before shutting down?
This is the third part of a forensics challenge in a European CTF, and it is apparently the most difficult one because only three people flagged it among 700 participating.
I’m only here for guidance on what could be done and only want an … Continue reading Is it possible to create an NTFS partition having only the $MFT and $J tables? Forensics CTF