/r/computerforensics

Photograph via snooOG

Dedicated to the branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. This field involves the application of several information security principles and aims to provide for attribution and event reconstruction following forth from audit processes. This subreddit is not limited to just personal computers and encompasses all media that may also fall under digital forensics (e.g., cellphones, video, etc.).

Computer Forensics

A community dedicated towards the branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The field is the application of several information security principles and aims to provide for attribution and event reconstruction following forth from audit processes. This subreddit is not limited to just the computers and encompasses all media that may also fall under digital forensics (e.g., cellphones, video, etc.). Topics include digital forensics, incident response, malware analysis, and more.

Vote based on the quality of the content. Irrelvant submissions will be pruned in an effort towards tidiness.

Read the FAQ before posting.


Related Subreddits:

/r/antiforensics - anti forensics

/r/crypto - cryptography

/r/forensics - forensics

/r/cyberlaws - cyberlaws

/r/malware - malware

/r/memoryforensics - memory forensics

/r/netsec - netsec

/r/reverseengineering - binary reversing

/r/UIC - reversing/malware research


Related Technical Subreddits

/r/filesystems - filesystems

/r/kernel - kernel development

/r/lowlevel - low level programming

/r/computerforensics

70,526 Subscribers

2

Question about Volume size and Thumb Drives

Hello,

I recently imaged a thumb drive from a lesser known company. The drive was labled as a 16gb thumb drive on the drive, itself. However, X-Ways is telling me it's a 32gb drive. When I do the math on sector size and number of sectors, i also get 32gb.

My question is, how often do you come across misslabled drives with drive size being twice that of what is written on the side of the drive itself?

Thank you!

4 Comments
2024/11/29
16:33 UTC

3

Defender for Endpoint + Binalyze

Hi,

I am currently trying to integrate Binalyze in our MS Defender for Endpoint structure. We want to run the Binalyze Agent (live) to collect forensic data when the device is isolated via MS Defender.

Is someone having experience with allowing certain ports/FQDN while in Defender isolation? As it seems it is not possible to give exceptions to defender natively. Is this correct? Do you have any other ideas to do this type of integration? We were trying to create offline images via live response but this does not work properly; neither with KAPE nor with Binalyze.

If you have recommedations or hints please let me know.

2 Comments
2024/11/29
12:35 UTC

3

CacheGrab

0 Comments
2024/11/29
07:22 UTC

2

Similarity Test

Hello everyone,

I need to compare 5k documents with each other and find a percentage of similarity between them (something very similar to plagiarism).
I have already tested software like Intella and XWays but the functionality is not 'perfect' (for example Xways give only the top 3 match and 1 of them is always the file itsel)

Do you have any suggestions or any ideas?

16 Comments
2024/11/28
10:48 UTC

2

Forensic Collection and Decoding of Tyco American Dynamics VideoEdge 2U Network Video Recorder NVR

Has anyone done a forensic collection from this NVR model before? Would appreciate any tips or suggestions if so. I'm unsure if it will allow me to boot to Paladin and image the drives or if it would be better to pull each drive and image separately.

https://www.americandynamics.net/products/VideoEdge-Hybrid

https://www.americandynamics.net/products/GetDocument/58465

Additionally when I have the drives imaged if I will need some PC Software from Tyco to interface with the data on the drives. Some previous NVRs I've actually cloned the drives and literally purchased the same exact NVR and placed the cloned drives inside. I've also seen some NVRs will have a PC utility that can interface with the drives if mounted in Windows.

Appreciate any tips!

4 Comments
2024/11/27
16:06 UTC

3

Google Search for Metadata in PDF

Does anyone know a way to Google search for metadata in PDF files?

Chat GPT says use google dork search for below, but it does not seem to search metadata.
filetype:pdf "confidential" "author"

I have tested it with a specific search for a file that I know is available and I know has metadata with author name, but search does not find it.

5 Comments
2024/11/26
19:38 UTC

10

Windows Artifact Viewer GUI

0 Comments
2024/11/26
07:02 UTC

3

How to Determine if a Mobile App Was Installed on an iPhone Under Examination?

Hey everyone,

I have an iPhone that I need to examine, and I have to find out whether a specific mobile app has been installed on it, even if it has been deleted. Is there a way to check if an app was previously installed on the device? Any methods or tools that could help would be greatly appreciated. Open source and free tools prefered.

Thanks in advance!

6 Comments
2024/11/25
13:11 UTC

9

Best Practices for Forensic Evidence Acquisition and Analysis - Advice Needed

Hi everyone,

I’m currently diving into the field of forensic cybersecurity and would greatly appreciate insights from experienced professionals. I have a few questions regarding the best practices for evidence acquisition and analysis:

  1. Physical Machine Acquisition: What are the best practices for acquiring a disk image and RAM from a compromised physical machine?
  2. Distant Machine Acquisition: If the machine is remote and I only have CLI access, what are the best tools and methods to use for acquiring both the disk image and RAM safely and securely?
  3. Using External Media: If I had access to a physical machine, my plan would be to use tools stored on a USB flash drive and an external HDD to export the RAM and HDD images directly to the external drive. Is this considered a good method? Are there better alternatives?
  4. Forensic Workstation Setup: Once I acquire the images, I understand that analysis should be conducted on a forensics workstation that is isolated from any network. My reasoning is that the forensic artifacts could contain malicious data capable of spreading. Is this approach correct, or are there additional precautions I should take?
  5. General Advice: Finally, if there’s any additional advice you can offer—things I need to know or be aware of—it would be invaluable. For context, I’m currently enrolled in a Windows Forensics course, but the setup is focused on a local environment with two VMs (one compromised machine and the other serving as the forensic workstation). This virtual setup simplifies evidence acquisition, so I’m looking for insights that extend to real-world scenarios.

Thank you in advance for your guidance!

9 Comments
2024/11/25
08:51 UTC

0

LEO with cybersecurity degree

By the team I graduate in 2026, I’ll have 3 years of experience in law enforcement. As a patrol deputy, with no prior experience in tech; could I still be qualified for DFIR positions in private or public? Also, what are some differences in private DFIR and government?

25 Comments
2024/11/23
19:47 UTC

4

Is there any AI tools that takes the output of "strings" command and tell me if there are some "human things"? Particularily useful when the file is large so "strings" gives a lot of output that would be impossible to observe manually.

For "human things" I'm referring to human text like in english or in other languages

17 Comments
2024/11/23
14:59 UTC

5

Cellebrite limitations

I've been reading about cellebrite and it seems handy. But what are limitations.

Let's say it is analysing an unlocked pixel 5, with only 15gb free storage, with normal use all deleted items will eventually be overwritten right? Could it get data from 6 months ago such as deleted pictures or web browsing history?

19 Comments
2024/11/23
12:43 UTC

1

Some Useful Forensic Tools I Made

0 Comments
2024/11/23
02:34 UTC

5

iCloud subpoena production

Anyone have a cheat sheet or more info how to interpret an iCloud subpoena return? Under the account details tab I am seeing "full iCloud" under account type but then see iCloud backup is disabled under the features used section. I am interested in obtaining photos and messages backed up to the iCloud account. These features are supposedly turned onaccording to the features used section. Will I be able to obtain them with a SW or will it be a wasted exercise serving a SW on apple for messages and photos backed up to the cloud?

11 Comments
2024/11/22
21:35 UTC

7

CHFI Exam Guide

Hello everyone, I’m planning to take the CHFI certification exam along with its course. I was wondering if anyone certified with CHFI could guide me on how to prepare effectively. Could you share a basic roadmap, including any key resources or topics not covered in the course? Any advice would be greatly appreciated!

1 Comment
2024/11/22
06:57 UTC

0

Cellebrite UFED

During the process of saving a report from UFED to hard drive does anyone know if I can disconnect the device during this time?

Answer…. Lack of sleep made me impatient. U but the bullet and disconnect med the device. The report continued to save to hard drive. Fingers crossed it’s complete when I return to work.

9 Comments
2024/11/21
14:02 UTC

19

13Cubed ACME Memory Analysis (Short) (Unique Method)

If this goes against 13Cubeds policies let me know and I'll take it down immediately!

Anyway, this is my unique approach to analyzing the 13Cubed ACME challenge, I've never seen anybody analyze a Memory Dump the way I did in the video so I decided to record it. I only analysed the memory (I found everything without the Disk image) and this is only a short snippet, there's a lot more to find like some dodgy drivers etc but I'm sure everyone already knows how to do that!

https://youtu.be/a-PLg6KDWjY

Shoutout to  for carrying the DFIR community on his shoulders btw, SANS doesn't come close!

3 Comments
2024/11/21
11:56 UTC

5

Learning Material Cheaper than the FOR500

Hello folks, I got a budget approved from my workplace for any Cybersecurity related education. Can anyone vouch for training material that are worth the value they ask for but is cheaper than the FOR500 as it's slightly above the budget allocation? I'd also prefer if the material has practical content.

Ive taken a look at 13cubed and DFIRSciences YouTube content but don't know if the paid courses are worth it. I've seen some courses on Udemy too but some haven't been updated since 2021.

Thanks

10 Comments
2024/11/21
02:43 UTC

4

Identifying author of .doc files?

I received a Word document from the tax office and need to identify who sent it. I suspect it’s someone I spoke to on the phone who assured me the document would be correct. I used ExifTool but found no author information. What other forensic methods can I try to uncover the author?

5 Comments
2024/11/19
19:23 UTC

2

Need help in ESXI Forensics

Hello community,

I want to learn about ESXI forensics does anyone have content for this, please share.

7 Comments
2024/11/19
05:33 UTC

11

Is getting a Masters worth it for Digital Forensics?

Hello all. I was wondering how the people in the field feel about this. Is getting my MS in Digital Forensics worth it to make me stand out for jobs? Administration roles? I accepted an offer to Champlain for thewir MS in Digitial Forensics. I didn't get but so much applicable experience in undergrad. Currently, my area I am going to be in for the next 2-3 doesn't have a big scene. State Police is about the only thing, and they already filled the opening. I want to make sure that it's going to be worth it. I at least see it as more experience for me, and having a Masters isn't bad either. it's only going to cost 17k, which I qualify for loans for. I want to do more application and get to use more tools, which again, I didn't get to do in my undergrad.

So what's the word on getting an MS? If there are any hiring managers around in the thread, how do you feel about it? People who know hiring managers, how would they feel about it?

Any insight is welcomed and appreciated!

Edit: I realize now I should have clarified (ADHD): I have a BS in Cyber Forensics and Security. I have pretty good experience for not being in the field yet.

32 Comments
2024/11/16
19:57 UTC

5

What would you put on a forensics collection form?

Hi folks, I work for a security firm that has the pleasure of occasionally doing small digital forensics projects for corporate customers. This often takes the form of a turned-off computer being dropped on my desk with a chain of custody form. I am normally a few people removed from the person who actually uses the computer. After some miscommunication, frustration, and missed opportunities, I'm trying to avoid these headaches by proposing a form to provide to the customer anytime forensic work is requested. I came up with this list. I'm not planning to assume the answers are correct, but it seems like a good starting point when I'm handed a laptop. What do you think of this? Is there anything else you would add to it?

  1. Make / model and description of asset: Serial number:
  2. Do you have a power cable for this? (If so, please provide)
  3. Is this device encrypted with FDE (full disk encryption), like BitLocker? []Yes []No []I don't know
  4. If yes, can you provide the encryption key / recovery key? []Yes - contact info: ____________________ or []No
  5. Is TPM enabled on this device? []Yes []No []I don't know
  6. Is there a UEFI / boot password on the device? []Yes []No []I don't know

If yes, please provide it here, or provide contact info to coordinate secure exchange of the password: ___________________________________________________
7. Do you have the username and password of the following? [] Local Admin [] User (password upon last session - this may be different from their current password!)
Please list those here, or provide contact info to coordinate secure exchange of the password: ___________________________________
8. What are your goals for this forensic investigation? What data do you want us to recover, or what questions do you want us to answer? (Specific detail is better) _______________________________
9. Do you have any additional relevant data that might add context to our findings? Examples might include:
- Records or snapshots from antivirus / EDR software
- Email, Internet, web application, network access logs
- Support tickets
- Volatile data collected during the incident (like RAM or network connections)
- Incident reports, notes, or summaries
If so, who should we contact for this? ___________________________________________________
10. Is there anything else important for us to know about this device or engagement? ____________________________________________________________________

Contact info for a technician familiar with the computer and this engagement:
Name: __________ Phone number: _______________ Email: __________________

Contact info for returning the asset when forensic collection is complete:
Name: __________ Phone number: _________________ Email: __________________

13 Comments
2024/11/16
19:52 UTC

3

.evt logs viewing and parsing

Hi There,
I've received some .evt logs from an old machine and was interested if anyone knew any tools to quickly parse them and output them into a CSV output? Alternatively, are there any better tools than windows event log viewer to look at them?

Thanks,

18 Comments
2024/11/16
16:04 UTC

2

Is there a way to link from a word doc directly to pysical analyzer

Im interested im creating a report on a word doc that I can link to specific data in Physical Analyzer.

For example, if I wanted to reference a chat in PA on the word doc, can I insert a link on the word doc that, when clicked, would take the user directly to that conversation on PA?

Is that even possible?

3 Comments
2024/11/16
14:36 UTC

2

SRUM The foreground cycle time

I have a windows 10 computer and I try to analyze how often an application was used. I saw that there is quite some data in the SRUM.

I want to tell how long a application was used by converting the the foreground cycle time to minutes. Is that possible? Is the value of cycle time in nanoseconds?

Example:

https://preview.redd.it/0eyakxr9b41e1.png?width=477&format=png&auto=webp&s=e2e43a4e9d410c09618e8a05fec2b8df7bb04153

9 Comments
2024/11/15
19:37 UTC

23

Websites to practice digital forensics

Hi, i’m a student preparing for my exams and i’m looking for websites to get practices from. so far, i’ve found https://digitalcorpora.org but it doesn’t give solutions cause it’s password protected. so if possible, can i get some help in websites where they give the file and solution. Thank you.

5 Comments
2024/11/15
13:57 UTC

2

Imaging OLD MacBook Pro - A1278

I got a MacBook Pro A1278 ("Mid-2012") in my lab today that was seized in an "on-state." The lid was closed on it on scene and it has remained on charge since. It is an Intel i5 chipset and from what I can tell on my research, it does not have any of the security features of the newer Macs. I am trying to figure out the best way to go about imaging it and have been looking through all of my manuals, but they are all focused on the newer Macs with security features. For imaging, I have PALADIN, a TX1, and an MPB (2019), among others. If it were deadbox, I would probably just pull the HDD, but since it was brought in from a "live" state, I am not exactly sure where to go next on this, as it seems like there may be a potential for live memory collection. At this time, I do not have the password to the device, but do have other devices which may help provide it. Any suggestions would be greatly appreciated.

12 Comments
2024/11/14
22:17 UTC

7

Metadata Hunter

Metadata Hunter is a forensic tool designed to read and report metadata from various types of files. It supports a wide range of file formats, including documents, images, audio, videos, and many others. With its comprehensive analysis capabilities, Metadata Hunter enables users to extract crucial metadata information, aiding in detailed forensic investigations and providing valuable insights for both professional and research purposes.

Download link: https://canerkocamaz.github.io/index.html

Supported file extensions:

  • Archive: 7z, rar, zip
  • Audio: aiff, wav, mp3
  • MS Office: doc, docm, docx, dotx, dotm, ppt, pptx, xls, xlsx
  • E-book: azw3, epub, mobi, pdb
  • PDF: pdf
  • Open Office: odp, ods, odt
  • Images: bmp, btf, ciff, djvu, jfif, jpe, jpg, jpeg, jp2, jpm, heic, heif, orf, ori, png, psd, psp, tiff, webp
  • Raw Formats: arw, cr2, cr3, crm, dng, dcp, dcr, mrw, nef, nrw, orf, ori, raf, raw, rw2, rwl, sr2, srf, thm
  • Videos: 3gp, 3gpp, avi, f4v, mp4, mpg, m2v, mpeg, mov, mqv, ogg
  • Executable: dll, exe
  • DICOM: dcm, dc3, dic, dicm
7 Comments
2024/11/14
18:24 UTC

6

Is it possible to find out which company is using which product?

My manager wants to know which tool is the most popular and has the ability to do remote collections, and after two days of searching the forensics subreddits, I've come to the conclusion that Magnet Axiom Cyber is the way to go.

But my manager also wants to know which company is actually using it, and I haven't found anything in a couple of hours.

Does the company even disclose that?

17 Comments
2024/11/14
00:36 UTC

10

Cellebrite certification

I’m currently law enforcement and trying to move into the field of digital forensics. I’m looking at doing the CCME certification but my department won’t pay for it. That’s fine because I don’t plan on being with them long if they don’t have a use for someone with that cert. My question is, is the CCME certification a good starting point for getting into digital forensics and is it worth spending nearly $5k to get it?

35 Comments
2024/11/13
17:58 UTC

Back To Top