Recent content by Lids

  1. Lids

    Necessary to access original data?

    Hi Olga, If by original data, you are referring to “live data” - this should only be done as a last resort. The better approach is to take triage images of key data (i.e. registry hives) and perform offline analysis whilst physical / logical imaging is being performed. Due to time pressures...
  2. Lids

    FTK Imager Windows 10 with bitlocker

    I'm intrigued that you mentioned you logged into the laptop as local admin and then imaged -- so you imaged whilst logged into the machine? In this instance, the physical image won't be complete ... if you still have the laptop I would recommend either removing the hard drive or booting into a...
  3. Lids

    Forensic picture evidence

    To determine if someone opened an image, you could look through LNK files as well as MRUs for the file extension that the picture was saved in and software tools installed that are capable of opening files. I would suggest parsing the registry hives / link files and searching across them for...
  4. Lids

    Contemporaneous Notes – NEVER Use MS Word or OneNote

    I have worked for forensic investigators in the past who have told me to limit how contemporaneous my notes are, because if I am too honest it could be questioned in court -- for example, when imaging a machine it may have taken a few reboots prior to accessing the boot menu to boot from a...
  5. Lids

    timeline analysis

    Realise this is an old thread now, but I agree with chris- 's answer ... most likely scenario is folder was copied from another location. Good response. -Sean
  6. Lids

    CompTIA A+

    How do you mean, @azuleonyx - are the questions deliberately written to be misleading?
  7. Lids

    GIAC Certified Forensic Examiner (GCFE)

    Happy new year all, thought I'd start 2019 off by contributing my thoughts to the forum! I obtained my GCFE in 2015 (I think it's due to expire this year :oops:) so my information may be a little outdated - as a TL;DR, it's a very useful cert for entering the world of Windows-based CF and...
  8. Lids

    How do I transition from Government to Private Sector?

    Hi @jwailes and welcome to the forum! I currently work for one of the "Big 4" consulting firms doing computer forensic and eDiscovery and within our ranks are a lot of ex-law enforcement. During my time in Australia, most of the Managers and Partners within Forensic had some sort of law...
  9. Lids

    Facetime Extraction in Cellebrite - Records not visible on phone?

    Whilst I can't answer this specific question, I would validate what you're seeing with another tool -- some examples are XRY and Oxygen, or if you can parse out the call log databases and validate manually. Cellebrite is certainly one of the best tools on the market but even it has its flaws...
  10. Lids

    Cloud forensic investigation

    Great point @tinna01, date/timestamps need to have particular attention paid to them -- and not all collection tools operate the same in this regard
  11. Lids

    Video forensics tools recommendations?

    Reaching out to a friend of mine who used to do video forensic work for the UK police -- will try to get him into the forum to provide an answer or will communicate it through ----UPDATE---- He says "It depends on what he's looking into. If he wants a bells and whistles tool that will...
  12. Lids

    Google Takeout

    Appreciate the well thought out and considered response, @JLowery. In this instance, we were subject to collections from a third party which arrived in MBox format -- fortunately, Nuix can process without issue.
  13. Lids

    Cyber Forensic Investigation

    Morning all -- just to add on to my post above, please see this link for a presentation at ACFE (Australian Certified Fraud Examiners association) that Dr Graeme Edwards (that I referenced in my previous post) made on the topic of cloud investigations, this was just before he finished his...
  14. Lids

    Cyber Forensic Investigation

    @RobertM I haven't performed my own analysis so can only replay the conversation we had based on his research - I believe he made mention that if data was noticed to be getting exfiltrated, a notice similar to a "cease and desist" may be issued by the relevant French authorities. I'll try to...
  15. Lids

    Cyber Forensic Investigation

    It's a great point - here in Switzerland for instance, it's illegal to enter the country in order to perform a collection with a plan to then take that data out of the country without informing the federal authorities first. From an eDiscovery standpoint, you can in most cases provide access to...
