Search results

  1. Lids

    FTK Imager

    Completely agree with @kalinko's solution - preferred course of imaging is physical removal however if not possible (missing adapters - e.g. for the M2 SSD drives - covert collection, etc) then boot from USB - may require some BIOS settings to be changed to disable SecureBoot and UEFI - into...
  2. Lids

    Necessary to access original data?

    Hi Olga, If by original data, you are referring to “live data” - this should only be done as a last resort. The better approach is to take triage images of key data (i.e. registry hives) and perform offline analysis whilst physical / logical imaging is being performed. Due to time pressures...
  3. Lids

    FTK Imager Windows 10 with bitlocker

    I'm intrigued that you mentioned you logged into the laptop as local admin and then imaged -- so you imaged whilst logged into the machine? In this instance, the physical image won't be complete ... if you still have the laptop I would recommend either removing the hard drive or booting into a...
  4. Lids

    Forensic picture evidence

    To determine if someone opened an image, you could look through LNK files as well as MRUs for the file extension that the picture was saved in and software tools installed that are capable of opening files. I would suggest parsing the registry hives / link files and searching across them for...
  5. Lids

    Contemporaneous Notes – NEVER Use MS Word or OneNote

    I have worked for forensic investigators in the past who have told me to limit how contemporaneous my notes are, because if I am too honest it could be questioned in court -- for example, when imaging a machine it may have taken a few reboots prior to accessing the boot menu to boot from a...
  6. Lids

    timeline analysis

    Realise this is an old thread now, but I agree with chris- 's answer ... most likely scenario is folder was copied from another location. Good response. -Sean
  7. Lids

    CompTIA A+

    How do you mean, @azuleonyx - are the questions deliberately written to be misleading?
  8. Lids

    GIAC Certified Forensic Examiner (GCFE)

    Happy new year all, thought I'd start 2019 off by contributing my thoughts to the forum! I obtained my GCFE in 2015 (I think it's due to expire this year :oops:) so my information may be a little outdated - as a TL;DR, it's a very useful cert for entering the world of Windows-based CF and...
  9. Lids

    How do I transition from Government to Private Sector?

    Hi @jwailes and welcome to the forum! I currently work for one of the "Big 4" consulting firms doing computer forensics and eDiscovery and within our ranks are a lot of ex-law enforcement. During my time in Australia, most of the Managers and Partners within Forensic had some sort of law...
  10. Lids

    Facetime Extraction in Cellebrite - Records not visible on phone?

    Whilst I can't answer this specific question, I would validate what you're seeing with another tool -- some examples are XRY and Oxygen, or if you can parse out the call log databases and validate manually. Cellebrite is certainly one of the best tools on the market but even it has its flaws...
  11. Lids

    Cloud forensic investigation

    Great point @tinna01, date/timestamps need to have particular attention paid to them -- and not all collection tools operate the same in this regard
  12. Lids

    Video forensics tools recommendations?

    Reaching out to a friend of mine who used to do video forensic work for the UK police -- will try to get him into the forum to provide an answer or will communicate it through ----UPDATE---- He says "It depends on what he's looking into. If he wants a bells and whistles tool that will...
  13. Lids

    Google Takeout

    Appreciate the well thought out and considered response, @JLowery In this instance, we were subject to collections from a third party which arrived in MBox format -- fortunately, Nuix can process without issue.
  14. Lids

    Cyber Forensic Investigation

    Morning all -- just to add on to my post above, please see this link for a presentation at ACFE (Australian Certified Fraud Examiners association) that Dr Graeme Edwards (that I referenced in my previous post) made on the topic of cloud investigations, this was just before he finished his...
  15. Lids

    Cyber Forensic Investigation

    @RobertM I haven't performed my own analysis so can only replay the conversation we had based on his research - I believe he made mention that if data was noticed to be getting exfiltrated, a notice similar to a "cease and desist" may be issued by the relevant French authorities. I'll try to...
  16. Lids

    Cyber Forensic Investigation

    It's a great point - here in Switzerland for instance, it's illegal to enter the country in order to perform a collection with a plan to then take that data out of the country without informing the federal authorities first. From an eDiscovery standpoint, you can in most cases provide access to...
  17. Lids

    Google Takeout

    Thanks @twicesafe, really appreciate your response -- do you know, if a company is using Google Business Suite would the "administrator" have access to perform Takeouts on any emails within their purview or do you have to access each account individually, create the Takeout, then download, etc...
  18. Lids

    Google Takeout

    Morning all, Has anyone used Google Takeout for email acquisition? I remember colleagues in the past loved it and preferred it over other acquisition tools, but I was curious as to the community's thoughts. Also, if you have used it - does it recover deleted emails when it creates the MBox...
  19. Lids

    Reading List

    Is that the one with the painting of the cigar on the front cover? I love the intro to that book about how you ask x number of people what it is and get different answers
  20. Lids

    How much can be found?

    Agreed @azuleonyx, sometimes proof that a cover-up has attempted to be performed - accompanied by other supporting evidence - will be exactly what's needed ahead of the custodian interview to obtain a confession or steer the conversation in a certain direction
  21. Lids

    Reading List

    @twicesafe : How are the courses on there?
  22. Lids

    Reading List

    @azuleonyx Was Ghosts in the Wire, the Kevin Mitnick book?
  23. Lids

    How much can be found?

    Sometimes proving that CCleaner or equivalent was run can be just as damning -- reference to the files could still be found in MRUs, Registry (can use tools like Yaru for instance to undelete Registry items if the registry hasn't been compressed), Volume Shadow Copies, etc
  24. Lids

    Reading List

    For something a bit cyber-esque, I quite enjoyed this read a few years back: Kingpin - How One Hacker Took Over The Billion Dollar Underground essentially about how "Iceman" - who you end up empathising with by the end of it - started his life by phreaking phone systems and hacking his high...
  25. Lids

    Data theft investigation

    I realise this is an old thread now so the investigation may have come and gone - would be interesting to hear how it went if so. But in general, you want to isolate the suspected machine as soon as possible after believing something untoward has taken place. Then you should absolutely have...
  26. Lids

    One reason why Hunchly has become so popular...Court Decision

    The court's judgement is an interesting read, I'm fascinated that a police department would be using SnagIt for web capture but I guess we work with what we have available at the time. I remember testing an early version of X1 Social Discovery and found it to be an interesting tool, earlier...
  27. Lids

    New User Restrictions

    Thanks twicesafe ^_^
  28. Lids

    Computer Forensic in responding to Data Breach issues

    You may want to determine if the employee/s that are in scope for the investigation have signed off on an "acceptable use policy" or similar document when they were hired. Any information related to user access rights, whether USB ports are locked down, ability for users to install their own...
  29. Lids

    Starting Computer Forensics & have some questions

    1. What do you like and dislike about this field? Like RobertM said above, every day is different -- there's always new tech coming out on the market, new software applications, new HDD standards, new encryption methodologies. Always something to learn about and refine existing understanding...
  30. Lids

    New User Restrictions

    Does this restriction apply to the chat room also -- I realised I don't have permission to post
