Dedicated to the branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. This field involves the application of several information security principles and aims to provide for attribution and event reconstruction following forth from audit processes. This subreddit is not limited to just personal computers and encompasses all media that may also fall under digital forensics (e.g., cellphones, video, etc.). Topics include digital forensics, incident response, malware analysis, and more.
Vote based on the quality of the content. Irrelevant submissions will be pruned in an effort towards tidiness.
/r/antiforensics - anti forensics
/r/crypto - cryptography
/r/forensics - forensics
/r/cyberlaws - cyberlaws
/r/malware - malware
/r/memoryforensics - memory forensics
/r/netsec - netsec
/r/reverseengineering - binary reversing
/r/UIC - reversing/malware research
Related Technical Subreddits
/r/filesystems - filesystems
/r/kernel - kernel development
/r/lowlevel - low level programming
Hi all, I was considering purchasing the 13Cubed Windows Forensics course. The website FAQs state, "If you purchased the course prior to January 1, 2024, there is no expiration". However, it does not say if you'll only have access to the earlier content videos or whether you'll also have access to updated content as it is created. Does anyone know about this?
Apologies for the noob question. I'm currently undertaking a course in computer forensics and one of our tasks is to analyse two mobile acquisition images (one a logical acquisition and the other a physical acquisition in .ufdr format) using Cellebrite Reader and write a report on the differences between the two.
The first thing I've noted as a difference between the two is that the logical acquisition shows audio and image files, and the file system can be viewed in Cellebrite, whereas the physical acquisition does not show the file system or audio / image files, but has more call log history, contacts and messages.
My understanding is that a logical acquisition involves accessing the files and folders as we would see them in the file explorer, and a physical acquisition is a bit-by-bit acquisition typically used to find deleted files or folders. What I'm not sure about is why the file explorer and audio / image files are not viewable in the physical acquisition when it's a bit-by-bit copy. I was of the understanding that a physical acquisition would show what can be seen in the logical, plus config files, deleted files, databases etc.
Would greatly appreciate any assistance to better understand this.
I need to make a forensic container for some folders/ files (not full drive image). The third party that will process the data prefers it to be in L01 format. Is it possible to create a logical image of folders using FTK imager in L01 format?
When I create the image it’s automatically in .AD1 format. I wasn’t prompted to pick the format.
Any suggestions for extracting data from an apple watch that isn’t quite dodgy??
Has anyone here ever used Wasabi Cloud to store backed up hard drives? I stored some backed up hard drives there using FTK and I want to know how I can read the files or how I can open them up in case I need to see what is inside. Thank you.
I have been trying to download Acquire for, I think, three weeks. Magnet has not gotten back to me, but I am receiving their promotional emails. I'm with LE, just FYI.
Any help with this?
I'm wondering if anyone here has taken the Magnet AX350 course on Mac examinations and has any thoughts: https://training.magnetforensics.com/w/courses/22-ax350-magnet-axiom-macos-examinations
I'm looking to expand my knowledge for Mac forensics investigations. I have been doing DFIR for about 8 years, and have my GNFA and GX-FA. I'm wondering how this would compare to the Sumuri courses, the cellebrite courses or SANS.
I'm using the free version of Paladin software to image a MacBook Pro A1502. How do I tell which is the synthesized drive to image?
Hello! Has anyone had any experience processing VMGS files (virtual machines in a guest state) aka VM snapshots? If so, what tool was used?
Hi, I hope this is the appropriate forum, and apologies if not. I have been presented with Hospital Reports by someone that is suing me for personal injury. I strongly suspect that these documents have been manipulated/ edited (apparent changes in font/ misaligned bullet points etc). The metadata indicates that the document was created by PDFium, and does not name an author, which seems suspicious in itself. Can anyone suggest a basic analysis tool that may help me gain more information through analysis of layout etc. I am a Mac user. Any assistance greatly appreciated.
I thought about when a mass incident occurs and I need to do sampling on several endpoints quickly, how to use open source tools to collect data and use it as a feed to be visualized in a number of viewers such as Elastic or Splunk. Has anyone experienced this?
Ran into something interesting today, and can't find anything documenting a change. I ran NirSoft's ChromePass on my forensic machine today to do some testing. It didn't populate any passwords, and when I went into the Chrome profile, there wasn't a file called Login Data like I expected. Has the login storage been moved to a different file in the Chrome profile? This was in the Chrome Dev build, so maybe it's a new feature that hasn't made it into the standard build yet.
Hey yall, I’m a student trying to understand how the registry works. If I’m trying to pull my registry on my own system, what’s the best way to go about doing that?
What’s the best software to use to enhance a blurry blink camera video?
New to doing forensics, so not really familiar with some of these tools. I pulled a TWRP backup of an Android phone. How do I analyze it in Autopsy? Do I need to convert this backup into another format, or can I directly analyze the file folder containing all the files for the backup?
Has GrayKey not been offering the ability to bruteforce untethered for anyone else? This has been pretty much across all devices. The ability to disconnect and let GK do its thing hasn't been appearing.
Any tips to get it back?
Hello there, I'm trying to wrap my head around this. With MDM software can Cellebrite still take screenshots, and can axiom still create an iTunes Backup image? Or would MDM prevent that from happening.
Not the one that Microsoft offers in modules, but any legitimate third-party training source? Premium is a different beast I'm not used to. I don't understand how no errors show up from review set to export, but then the number of skipped items and errors appears in the summary?
Things I don't understand.
Hi. I am familiar with assembly and hexdump on Linux, but I'm having a bit of a time understanding how to track down data in a Windows memory dump. I really don't understand how shared memory works that well, yet. It's a 128 GB dump via Volatility 3 that I split into manageable chunks: I dumped all the PID memory to individual files. I'm reading it via various tools that are new to me in Windows, such as 010. I'm seeing a lot of crossover between PIDs that should contain literally none of the data I'm looking at, but I am seeing breadcrumbs of it anyway. Are there tips/tricks or other tools that I can use to shortcut my efforts in finding certain data in memory? I'm focusing in on strings. WinDbg seems to crash whenever I load any dmp file into it. Thanks.
Which is the more cost-effective method of storing disk images, S3 or Google Drive? Any techniques to reduce sizes via compression apart from 7z?
Log parsing, renaming files, extracting data, etc.
For those currently running labs, can I ask what level of validation you are performing against your tools? I know the ISO standards require some level of validation, but can you show what you test against? Particularly for mobile phones against Cellebrite, for example. Thanks.
Hello Community, is it possible to emulate a cell phone backed up by UFED, like a computer system, e.g. with VMware? In other words, I would like to get a better idea of the appearance, structure and settings.
Just curious, for newer iPhones & iPads running iOS 16+: what do you normally collect with?
Cyber/Elcomsoft iCloud backups? Ensuring all options are on that are required? Ex. iMessages
UFED partial logical?
Not really looking for a correct answer as this is opinion based and why you might use one over the other. I've done both but for separate reasons... Ex. Person could not live without their phone for a day or let us image it because of potential hours it could take.
Anyways always looking to make forensic friends and poke each other's brains <3
I am an IT administrator for a university. I have been tasked with creating a forensics lab in our VDI environment that includes Magnet Axiom.
My question is how long should the process of evaluating one of the Magnet provided disk images take? I know there's not a lot to go on from that. Should it take 15 minutes, 4 hours, 8 hours?
They are using the Dell Latitude 256 GB disk image. I have provisioned the VM with four 3 GHz CPUs and 12 GB RAM. As far as I know they are not using the AI analysis that requires a vGPU. The process currently takes 6-8 hours.
I have suggested to the professor (try it some time, it's not fun) that maybe adjusting the query to include/exclude criteria, or doing it like a cooking show: the raw cake goes in one oven (start the analysis process) and then go over to the other oven where the done cake is (share the pre-processed analysis output).
All constructive real-world feedback is welcome!
Does anyone know of a cloud service that allows for virus analysis, DDoS simulations, etc. for educational purposes?
We are looking to create a forensics lab for our university students, we don't have the resources to do this type of specialized lab in house.
I have a set of Ex01 files, and when I try to load them into Autopsy as a data source I am getting this error:
Unsupported image type (EWF Version 2 (Ex01)) (Sector offset: 0)
Is there a fix for this, or will I need to use EnCase to analyse them?
While reading through Chapter 18 of The Art of Memory Forensics textbook, I noticed the authors modified the gh0st_decode.py script from the ChopShop suite of tools to allow the decoded streams to be output in body format. I looked through the source code of gh0st_decode.py to see if I could figure out a way to implement that functionality, but I couldn't find anything in the book, and Google isn't much help in this case, either. Has anyone successfully modified gh0st_decode.py to do what is shown in the book?
If anyone has any insight on how this file is modified to allow the output to be in the body-file format and how I might be able to modify the file to achieve such functionality, I would appreciate it.