/r/computerforensics

Photograph via snooOG

Dedicated to the branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. This field involves the application of several information security principles and aims to provide for attribution and event reconstruction following forth from audit processes. This subreddit is not limited to just personal computers and encompasses all media that may also fall under digital forensics (e.g., cellphones, video, etc.).

Computer Forensics

A community dedicated towards the branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The field is the application of several information security principles and aims to provide for attribution and event reconstruction following forth from audit processes. This subreddit is not limited to just the computers and encompasses all media that may also fall under digital forensics (e.g., cellphones, video, etc.). Topics include digital forensics, incident response, malware analysis, and more.

Vote based on the quality of the content. Irrelvant submissions will be pruned in an effort towards tidiness.

Read the FAQ before posting.


Related Subreddits:

/r/antiforensics - anti forensics

/r/crypto - cryptography

/r/forensics - forensics

/r/cyberlaws - cyberlaws

/r/malware - malware

/r/memoryforensics - memory forensics

/r/netsec - netsec

/r/reverseengineering - binary reversing

/r/UIC - reversing/malware research


Related Technical Subreddits

/r/filesystems - filesystems

/r/kernel - kernel development

/r/lowlevel - low level programming

/r/computerforensics

69,688 Subscribers

2

Why is volatility3 so bad?

I can't wrap my head around it, has volatility3 been left for dead to be replaced by memproc fs or something else? Is there a plugin that fixes all the output issues among all the features it lacks from volatility2.

I am by NO means super intelligent (im pretty dumb), but I could make a new version of volatility in a month with no output issues, a way easier setup, all the plugins from vol2 and more (I might do this to learn memory forensics better)

Essentially I am asking if I am missing something or should I make a plugin that fixes all the problems with volatility3?

7 Comments
2024/10/31
11:26 UTC

2

New Cellphone Machine

I ordered my new machine for processing cellphones today, built to the optimum specs for Cellebrite Inseyets , hopefully it handles it well cause it was 3x the cost I had initially planned to replace my cell phone machine with. The old machine didn't like running PA 8 so I have been stuck on the 7 Track till the new machine arrive.

3 Comments
2024/10/31
00:15 UTC

4

Tool to determine when a PDF was created

Hi All- someone sent me a pdf file with the creation/modification properties listed as today, while claiming it was sent weeks ago. I need to know if this file was actually created weeks ago or if it was created today. Is there a free tool I can use to determine the date of the file's actual creation? Thanks

9 Comments
2024/10/30
22:51 UTC

5

Arsenal: Mounting Read Only Drives

I'm learning how to use arsenal and attempting to mount a newly created image.

Here's my setup:

Ubuntu Bare metal machine hosting a W10 VM (Vbox) and creating an image with FTK

W10 OOBE with C:\ <-- image created of this disk (Vdisk)

D:\imgs\ <-- img will be placed here (Secondary Vdisk)

the image is mounted read only and is "online" but shows uninitalized in disk management.

Here's some hopefully helpful info:

https://preview.redd.it/7fx92z2xfwxd1.png?width=752&format=png&auto=webp&s=86c8e5ecb0d632ee8abca5d7b88dcb287b9f010e

https://preview.redd.it/c5mgcs3xfwxd1.png?width=988&format=png&auto=webp&s=f76f6e1472323ff6f937e273850048849747192e

https://preview.redd.it/g5y9513xfwxd1.png?width=673&format=png&auto=webp&s=273373dc288e63d7af2a1a0d283c9860fd6d30be

I read on the FAQ (for mounting read/write disks) that read/write mode is required for vm launching virtual machines, im not sure if that applies here, the core forensic feature is the read only mode (for the learning module im doing) and if i recall i was unable to get the disk to mount in either mode

Arsenal is being run w/ elevated permissions.

Any help appreciated

edit: image mounts fine in FTK

7 Comments
2024/10/30
13:56 UTC

6

How important are certs like the GCFA?

I'm not a good test taker. Still managed to get my undeegrad in IT and MS in digital forensics. Now I have about 8 years directly in the field. I have the Ence from back when Encase was cool. But I can't pass this damn Sans GCFA. I've failed it twice, about to take it a third time and just bracing I'll fail.

I only fail by 2 or 3 points each time. If I fail I might throw in the towel on this one. Do you consider this cert make or break in this field? Would you hire someone with experience, who took the class (twice) but doesn't have the cert? I know a lot of jobs prefer it and I promise I understand the material and do the actual job just fine. Just can't pass the test. It's just unreasonable to put what feels like our entire career knowledge into a 3 hour test.

19 Comments
2024/10/29
23:41 UTC

2

Samsung Galaxie Note 10+ SMS text extraction

I need to extract the SMS text messages from a Samsung Galaxie Note 10+. I have a Magnet Axiom extraction from a year ago but I now need to access and print relevant SMS messages for the last year and do not have access to Axiom at this time. I have a backup of the phone in Google Drive and Samsung Cloud as well, as the text messages are currently still on the phone. I am looking for advice on any free software to extract the messages from the phone or backups or a way that isn't too expensive. I cannot justify the price of Axiom for such limited use. Any help or recommendations would be greatly appreciated.

9 Comments
2024/10/29
15:03 UTC

7

UK Law Enforcement DF to Private Incident Response

Is it easy to transfer between Police Digital Forensics (specialise in phones but have some computer background) and private company incident response? What skills are needed to transfer? What should I train up on?

1 Comment
2024/10/29
08:04 UTC

1

Referral percentage?

I was thinking of starting an on the side forensics business. I was talking to another friend who offered to throw me some of his extra business and said just come up with a referral contract and we could work something out. What percentage do you normally give the referring company? Is there a standard in the forensics community?

1 Comment
2024/10/28
20:43 UTC

7

Going from Audit to forensics. Need advice on tool/software based certifications.

Are there any tools I can get specifically certified in? Like how palo alto and such have certs for their tools.

14 Comments
2024/10/28
19:37 UTC

15

13Cubed XINTRA Lab Walkthrough

The latest 13Cubed episode is out! Join us for a complete walkthrough of KG Distribution, the 13Cubed challenge created for XINTRA Labs. Learn more at xintra.org/labs.

Episode:
https://www.youtube.com/watch?v=A7Bh7vnAooQ

More at youtube.com/13cubed.

0 Comments
2024/10/28
11:31 UTC

2

Please suggest an app that will help monitor any type of change being made to a windows [server] system

In the context of application support, finding the root cause of a problem in the host environment is often a challenging task. We often are reported issues which are caused by its host environment but the root cause is unknown until discovered based on experience or through hit and trial.

Some times, windows logs are helpful but a lot of times the cause of the problems is in changes made to security policies which in some way restrict the way application works thus causing problem.

I want to know how people have solved this problem by knowing any minute change being made to the host environment, and what tools and techniques do they use or suggest to make know exactly what change is made to the host environment.

4 Comments
2024/10/28
10:38 UTC

0

I want to buy "Tableau forensic bridge t35689iu"

https://preview.redd.it/djwu8gzrugxd1.png?width=804&format=png&auto=webp&s=b886e24deac81e3b134bd8ecab97b901bb3103b1

Hello everyone. Thank you admin for approving this article. I want to buy a used tableau forensic bridge t35689iu device with both parts as in the picture. If anyone has it, please contact me or contact me via email: Thangtt0204@gmail.com

2 Comments
2024/10/28
09:32 UTC

1

App for phone Yeap

Has anyone here dealt with the Yeap app?
The share stories one, not the parent transport one.

0 Comments
2024/10/28
04:09 UTC

0

autopsy file carving plug-in

I know that filecaving can be done using a separate plug-in in autopsy. What plug-ins are available? I'd appreciate it if you could answer.

4 Comments
2024/10/27
14:15 UTC

21

Seeking Guidance on Starting My Journey in Digital Forensics

I'm really interested in digital forensics and want to explore it further, but I'm not quite sure where to start. Can someone guide me on how to begin this journey?

I've already read about half of "A Practical Guide to Digital Forensics Investigations", but I’d love more direction on what steps to take next, whether it’s additional resources, courses, or practical experiences I should pursue.

Any advice would be greatly appreciated!

9 Comments
2024/10/26
20:50 UTC

5

Help with Macos and Ios IdentityServices Logs Please

Is anyone familiar with identityservices on ios and macos? I keep running into logs within the idstatuscache.plist and ids-pub-id.db that have "com.apple.private.alloy.nearby" and I can't for the life of me figure out what is triggering these logs. I am aware that com.apple.madrid is imessage, for instance, and I am also aware that the logs are for apple id authentication. I just need to determine what action/app is correlated to the nearby logs. I also have determined that it is NOT at all actually nearby, because I have confirmation that multiple of the logs are from devices in other cities or even other states. Please let me know if you have any knowledge on this or even any guidance on where I can look. Thank you so much!

0 Comments
2024/10/26
00:42 UTC

3

Examples of entry level positions?

Hi, I'm in high school and I'm considering being a digital forensics analyst as a potential career option.

I heard that a good way to get work experience is to be a sworn law enforcement officer or be in the military. I don't want to do either of these.

What are some other entry level positions that I can do to get experience for a few years before becoming a digital forensics analyst?

20 Comments
2024/10/26
00:23 UTC

3

TKSTAR GPS tracker

Hi everyone, I have a special request. Could anyone give me advice on performing forensic analysis on a TKSTAR GPS tracker? I’m looking to retrieve information like location history, on/off timestamps, and similar data.

Here’s the link to the tracker model: https://amzn.eu/d/6W6a5M2

Thanks in advance!

1 Comment
2024/10/25
17:40 UTC

7

Purview (premium)

Hello all!

We did a recent collection for teams + mailbox data using ediscovery premium. Each was done separately, but we added sharepoint/onedrive to the custodians (including private chats/their sharepoint location) and then defined in the search query what we wanted.

In the search for mailboxes, we limited the export to email, meetings, metadata headers, recalls, resend. However, we found a folder for sharepoint in the export. I checked the load file and all the docs in sharepoint (docx, pdf, etc) are marked as attachment, some with no parent as well. Their locations were also from other people's sharepoint and some teams chats.

I'm tempted to just ignore the folder as I don't imagine the processing engine going to the sharepoint and linking any doc their to its content (since the Fam ID/File ID etc don't match), however I'd still prefer to understand what happened. The theory is these are unindexed items that were included and orphaned from their original messages (waiting on the report that IT missed to see) or they're attachments for private teams messages that were orphaned.

Has anyone ecer faced this or has an idea what it could be?

Thank you!

16 Comments
2024/10/25
16:20 UTC

6

Best beginner certs for BA in CJ beginning grad school in the fall?

I graduate in May, majoring in Criminology and double minoring in Cyber crime and computing tech applications. I am considering applying to either a graduate certificate program for computer forensics, or a masters in cybersecurity with a concentration in DFIR. I'm leaning towards the latter. I am completing all my graduation requirements this semester, so with my last semester I plan to take classes in math and python to help makeup for my lack of technical experience in my course work, which has been heavily legally focused.

What certifications that are reasonably affordable or skills/languages should I be learning in my free time now and next semester to best prepare myself for grad school and be a better internship candidate?

14 Comments
2024/10/25
06:55 UTC

4

Team Viewer Deleted Files Case

Hey, I’m relatively new to digital forensics and still gaining knowledge in the field, but I’m determined to succeed. Recently, I was assigned a case involving a company’s Windows PC. A customer from this company had remote access to the computer via Microsoft TeamViewer. The customer was using his own notebook to connect remotely, and during this session, he deleted some files and chats.

The company noticed this activity and immediately shut down the PC. Now, I have the PC, but the owner doesn’t know exactly what was deleted. He’s only aware that something has been removed from the system.

The PC has a BitLocker-encrypted partition, but I managed to get access to it. I created an image of the PC and began analyzing it with Magnet Forensics, but so far, I haven’t found any useful data—no app data, nothing in the trash, no significant logs.

I’ve been working on this for three days now and I’m at a bit of a standstill. I don’t want to give up on this case. Do you have any suggestions on how I can proceed further?

Thanks for your help, and I apologize for any mistakes in my English.

9 Comments
2024/10/24
14:21 UTC

0

I'm doing a CTF challenge that had a memory dump that needs analyzed with redline or something for an IP address, is there anyone that wants to help, for fun?

I can send you the instructions, i just need help, I've tried to use the tool, but didn't have too much luck solving it.

5 Comments
2024/10/24
14:18 UTC

4

Text Message Visualization

I recently executed legal process to a text messaging service/app and recovered several excel spreadsheets of text messages.

I am looking to see if anyone has a way to visualize the results? Obviously, the produced excel spreadsheets are the actual evidence, but I am looking to see if there is a way I can create a visual aid to increase readability.

I appreciate any help you guys have to offer.

11 Comments
2024/10/24
01:10 UTC

4

E01’s Belonging to Windows Logical Volune

I have three (3) individual E01’s files of HDDs that based on volume information, are part of one Windows Logical Volume spanning the three drives. Due to this, I am having a hard time navigating the file structure and forensic tools don’t seem to recognize any file system, thus only carve data from the drives. There is plenty of data there, but I’m trying to restore the file system to recover the file paths and locations of files on the drives.

The system these images came from is unavailable.

Can anyone recommend any options I may have?

In the event it matters, compression was used creating the E01’s and the tools I’ve tried include FEX and Magnet AXIOM.

9 Comments
2024/10/23
15:45 UTC

8

Recovery CCTV Images

Good afternoon guys,

I am trying to recover images from CCTV system. First of all, I tried to use photorec in the HDD , however was not possible .

The HDD filesystem is xfs.

Do you have any idea how I can proceed to recovery the image files ??

Thank you guys .

11 Comments
2024/10/23
13:41 UTC

2

Need command line tool to acquire C: image

Hello, Does anyone know that is there any command line utility to acquire a C drive image.

13 Comments
2024/10/23
12:43 UTC

2

How to Record Examination Sessions Without Installing Anything On The Device

I have a computer I want to examine, but I want to preserve its state as much as I could. This means we can't install screen recording software on the device under examination. I also wish to leave a digital record trail for each time we examine the computer.

Is there an open source or free software that can record what is done on the computer screen during each examination?

Best case scenario is the software automatically records when I plug in my USB (doesn't write onto the computer, but stores on my USB) then stops recording when I eject the USB. Lastly, it can label each footage by date and time. Thanks.

25 Comments
2024/10/22
23:40 UTC

10

Digital forensics or IT?

I come from a civilian LE background. I did crime scenes, got my masters in IT, and then worked in digital forensics a bit using cellebrite with cellphones.

I moved towards IT the last couple years with software and applications. I have an opportunity to go back to digital forensics and I’m not sure what to do. Are there enough digital forensic opportunities out there to make a full career out of it? I feel more stable in IT

8 Comments
2024/10/22
18:33 UTC

6

Intel-Based MacOS Ventura acquisition tools

Can anybody suggest to me free-to-use tools for memory acquisition on this device? Some people say OSXPMem can be used but when I read the documentation it says only up to Mac 10.12.

Notes: Please helppp🙏

3 Comments
2024/10/22
06:47 UTC

1

Oxygen Forensics

Does anybody know more about the history of Oxygen? I did some digging and discovered that they are Russian based and also found an article about them stealing code. I was originally told that their servers were based at headquarters in VA, but later discovered that is not true... The more I researched the more sketchy it seemed. Opinions?

Article linked below:

https://medium.com/@techheadings/ios-16-secret-hack-revealed-by-russian-phone-forensics-lawsuit-d46fe42bdf02

0 Comments
2024/10/21
15:40 UTC

Back To Top