/r/computerforensics


Dedicated to the branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. This field involves the application of several information security principles and aims to provide for attribution and event reconstruction following forth from audit processes. This subreddit is not limited to just personal computers and encompasses all media that may also fall under digital forensics (e.g., cellphones, video, etc.).

Computer Forensics

A community dedicated to the branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The field is the application of several information security principles and aims to provide for attribution and event reconstruction following from audit processes. This subreddit is not limited to just computers and encompasses all media that may also fall under digital forensics (e.g., cellphones, video, etc.). Topics include digital forensics, incident response, malware analysis, and more.

Vote based on the quality of the content. Irrelevant submissions will be pruned in an effort towards tidiness.

Read the FAQ before posting.


Related Subreddits:

/r/antiforensics - anti forensics

/r/crypto - cryptography

/r/forensics - forensics

/r/cyberlaws - cyberlaws

/r/malware - malware

/r/memoryforensics - memory forensics

/r/netsec - netsec

/r/reverseengineering - binary reversing

/r/UIC - reversing/malware research


Related Technical Subreddits

/r/filesystems - filesystems

/r/kernel - kernel development

/r/lowlevel - low level programming


64,586 Subscribers

0

Paths after discovery

Any opinions on what paths there are after doing collections for an eDiscovery company?

1 Comment
2024/04/24
22:21 UTC

2

Can data be copied remotely into a USB?

If a threat actor is logged into a computer remotely and they take screenshots of data, can they exfil the data to their own USB using tsusbhub.sys (Remote Desktop USB)? If so, what might that look like in the event logs?

11 Comments
2024/04/24
18:30 UTC

5

Existing IT experience - how to move into Forensics?

Hey everyone,

Currently unemployed following burnout (left to focus on my mental health). Found I am autistic (probably ADHD too) and looking to get back into work, but in a job that better suits me.

A bit about me:

Master’s in Computing

8 years’ experience in IT (about 5 in sysadmin, 2 in cloud services (Azure/M365) and the last in enterprise architecture).

Used to sell consumer electronics and have repaired iPhones so fairly familiar with consumer devices too.


Wanting to move into cybersec and digital forensics ticks all my boxes for the ideal job. I’m a good communicator (written and verbal) with good attention to detail and love troubleshooting/investigating. I feel like I won’t burn out in this job as it’s gonna have a good balance of solitary work vs comms whereas ent arch was back to back meetings.

What is the best way to get into this field (taking into account my existing experience)? Postgrad degree in forensics? Cyber bootcamp? Certs?

I want to get into work ASAP, so the quicker the better (not compromising on quality of learning, of course).

Thanks!

10 Comments
2024/04/24
16:12 UTC

1

SSD acquisition - hash verification

Hello everyone! I have a couple of questions about the consistency of hashes when acquiring an SSD, but I still have some doubts. I know that if a physical acquisition (sector by sector) of an SSD is performed, the hashes are likely not to match if further acquisitions are made from the same device (due to wear-leveling, TRIM, etc.).

However, what I'm not entirely clear on is: if I acquire a partition (logical acquisition), and subsequent acquisitions are made from the same device, the hashes will match, right? Because here, not all sectors (only active sectors, without unused or pending-for-deletion sectors) are cloned and hashed. I understand that these can also be moved to physical areas of the SSD, but would the hash still be the same? I'm guessing it would, because it's the same logical address and the existing data is not modified. Is that right, or am I missing something?

Thanks in advance!

2 Comments
2024/04/24
11:27 UTC

8

How do I get started in computer forensics as a computer science student?

I'm currently pursuing my undergrad in computer science and realized I don't like software development. I've always had my eye on computer forensics since I originally wanted to do criminal justice. How can I get started with this subject?

Also (random question), do employers prefer applicants with computer science degrees?

9 Comments
2024/04/24
03:19 UTC

23

Is public computer forensics dying?

This is a random question; I'm sure it's not, but maybe more niche?

Background: started in a private forensics lab, but most of the work I did was just collections for eDiscovery tools. I did help our examiners with minor examinations and they'd check my work, such as: Did they wipe their computer? Look for suspicious activity/file transfers (mostly IP theft), etc. I had a lot of fun learning and growing to really like what I was doing; great examiner who always challenged us.

Company closed.

Got another job where I knew I would be doing mostly collections. But everyone I networked with is also just doing collections and eDiscovery processing. I do know some labs that still do CF, but most are just hired for collections that we can't perform, etc... tools.

Anyone with a lot of experience in the private sector notice a decline in actual forensics?

Edit: meant private labs/companies.

23 Comments
2024/04/23
18:47 UTC

3

Pre-extracted android data?

Is there any site where I can find extracted android data for testing and analysing purposes?

6 Comments
2024/04/23
12:25 UTC

0

Seeking an Advice

Hello guys, I would really love to have some insight about the GCFE certification by SANS. I'm planning to pass this certification without the course; is there any advice you can give me before I start this journey?
Any help will be greatly appreciated.

20 Comments
2024/04/23
08:58 UTC

4

Is it better to get an associate's in criminal justice and then a bachelor's in cybersecurity/IT, or vice versa?

I'm really interested in this field and I wanna know what degree would be better for a bachelor's.
Do I even need a degree in criminal justice? I'm really interested in joining some federal or law enforcement sector.

20 Comments
2024/04/22
22:03 UTC

0

Memory dump w/o administrator privilege

I'm trying to perform a full memory dump from a Windows PC to which I don't have administrator access. Is this possible? Up to now, the various solutions I have found still require elevated privileges, even software like FTK or FDD.
Thanks all

9 Comments
2024/04/21
16:16 UTC

1

I have to give a 30 minute presentation on digital forensics at the local law enforcement level- any ideas for talking points?

I’m not the strongest public speaker in the world and my boss asked me to give a 30m presentation on digital forensics. The audience will be college students. The topic needs to be digital evidence at the municipal policing level.

Any tips on talking points? I’m very bad at this 😭

0 Comments
2024/04/21
10:54 UTC

19

Horus v1.2.1 Released! (An OSINT / digital forensics tool built in Python - formerly 'Sentinel')

Hey, everyone!

I just released version 1.2.1 of my OSINT / forensics tool, Horus.

Here's a link: GitHub

Here's a description of the project:

Horus is an all-in-one encompassing tool for investigations assistance, from API leveraging to compiling data. It is still a work in progress, but feel free to check out the GitHub page here. Horus has many features, ranging from IP tracking to Virustotal scans, all from your terminal!

What's Changed:

  • added the following features: Numlook, Geolock, Cryptotrace, Mactrace, Pvpn
  • added commands to options

0 Comments
2024/04/20
23:40 UTC

2

Cellebrite PDF Reports

Question for the analysts out there: how on earth do you get Cellebrite PDF reports to sort the entries in chronological order? I’ve tried the options of Sort by view / default when creating the report, and sorting the views in each window by date/time etc., but the reports never come out as per the screen view. It makes the PDFs useless for disclosure if nobody can follow a conversation or device events while flicking back and forth through multiple pages. Magnet Axiom does sorting correctly, but their PDFs are very limited; they don’t even hyperlink to the file to play videos / images etc.

Thanks

8 Comments
2024/04/20
09:28 UTC

2

AI Forensic tools

Know of any tools where AI is used to help analyze digital data? Maybe some popular software already uses something like this?

24 Comments
2024/04/18
13:20 UTC

2

Cellebrite UFDR File issue

All, I have a Cellebrite UFDR file showing 48GB of data. I processed the extraction in PA and created the report. However, if anyone tries to load the report in Reader or PA, it only produces the device info no other data. This has occurred in multiple recent reports I completed. I have already checked and there is not a "Cellebrite DB" %temp% file. Any ideas would be welcomed as some of these reports are extremely important.

17 Comments
2024/04/17
15:56 UTC

10

Any recommendations for textbooks I can read to get an introduction to digital forensics?

Currently working in a SCIF, so physical books are a good source of entertainment for me. Reading through CISSP slowly because I need it someday, but I want to get into DF eventually, and having some good textbooks to start digging through would be helpful.

13 Comments
2024/04/17
12:20 UTC

2

Sleuthkit Autopsy 4.21.0 64bit not working in windows 11 pro

I posted all this on the Autopsy forums and didn't get anywhere; link here.

*Only one user account on this computer; it's mine with full privileges.

Title says most of it, but here we go. I'm a student and I'm trying to get Autopsy to work. A little history: it was working about two months ago, although I had to disable the splash screen to get it to work. Now I got a new lab, tried to get it going, and it shows in Task Manager as running but no UI. I checked the error logs and found one error here:

SEVERE [global]
java.lang.IllegalArgumentException: Key contains code point U+0000
at java.prefs/java.util.prefs.AbstractPreferences.get(AbstractPreferences.java:296) >

(whole log on forum post link above)

The troubleshooting steps say to copy the Autopsy folder, delete the Autopsy folder, then run it again to get fresh config files, but it's a fresh install. Someone also suggested deleting the user folder within Autopsy, but I do not have a user folder in Autopsy, seen here:

https://preview.redd.it/2r647o4w1zuc1.png?width=147&format=png&auto=webp&s=ec9641b60739999bfdd82a0567e6e30457a66a2d

It was also suggested to remove tmc beans from APPDATA, but again, no tmcbeans folder in APPDATA, seen here:

https://preview.redd.it/p51a4fq62zuc1.png?width=131&format=png&auto=webp&s=969e8b71c61056107c734bc7a615fb95013b1e8a

I believe it's Windows Defender, but I can't disable Windows Defender; it's just not really an option. The reason I say that is I can run Sandbox and download Autopsy there and it runs fine, but no data persists in Sandbox, so it's just a huge ugly workaround. So I uninstalled and tried again; still nothing. Any advice would be helpful.

12 Comments
2024/04/17
05:07 UTC

5

X-Ways 21.0 SR-1 x64, where did they hide the Report table column?

Does anyone know where they hid the "Report table" column? I can't find it in the "Directory Browser Options, Filters, Column width in pixels" tab to add it to my X-Ways view. In older versions before 21, I know there was an option to add it.

It was a column where I could see which files were a "virus" if I used External Virus Check.

2 Comments
2024/04/16
11:47 UTC

7

Software Recommendations

I'm a Probation Officer seeking software recommendations to efficiently search probationers' phones, as the local sheriff's department's Cellebrite license expired.

My aim is to download an image of clients' phones during appointments or home visits to review content without prolonged phone seizures. The goal is to identify probation violations and criminal activity. In these situations the individual has an electronic search and seizure clause and I always have the password to the device.

I appreciate any suggestions for suitable software.

24 Comments
2024/04/16
17:54 UTC

1

BEC Automation Tools

Hello, I am looking for some ideas on how to automate BECs, whether this will include enterprise licenses (software) or using automation (Python). I've seen a couple of examples, but figured I would reach out here to see if anyone has instances they are using for BECs that could be of help, or can recommend?

TIA

0 Comments
2024/04/15
20:31 UTC

4

Should I study computer forensics?

I am doing my college application and I'm torn between computer forensics and [informatics](https://en.wikipedia.org/wiki/Informatics). How is the job market in computer forensics and cybersecurity, will it be easy to get a job? Is the salary good? Is it fun? Is AI a threat to computer forensics specialists?

Thanks in advance!

5 Comments
2024/04/15
14:11 UTC

8

Online websites or resources for DFIR reports

Hi all,

I am looking for online websites, like a blog or other useful resources, which post real DFIR reports from people who are already working in an IR team, including the attack scenarios along with the way the IR team found the threat actor, in a more detailed manner. I have found the website dfirreport, which has detailed write-ups of several cases, but I am also looking for other websites that exist, and if so I would like to know about them, as I am currently looking to learn more about this.

Thanks in advance

2 Comments
2024/04/15
04:47 UTC

4

Autopsy How can i fix this grey out tab?

11 Comments
2024/04/14
22:06 UTC

2

WhatsApp disappearing and locked chats

Has anyone successfully recovered the disappearing messages and cleared locked chats? Attempted on iPhone 15 Pro iOS 17 using full file system but couldn't retrieve the deleted messages' content.

0 Comments
2024/04/14
04:45 UTC

23

Sentinel - A digital forensics / investigations assistance tool built with Python

Hey everyone! I am currently working on a tool called Horus. Originally meant to be part of a renowned forensics operating system, I have decided to continue the project as currently its sole developer.
Horus is an all-in-one encompassing tool for investigations assistance, from API leveraging to compiling data. It is still a work in progress, but feel free to check out the GitHub page here. Horus has many features, ranging from IP tracking to Virustotal scans, all from your terminal!

Name changed from “Sentinel” to “Horus”

Check out Horus here!

10 Comments
2024/04/14
04:35 UTC

2

2024 Internships for Undergraduates

I’m an undergraduate studying Digital Forensics. Does anyone know of companies that are currently hiring interns? It doesn’t matter when, whether summer or fall. I just want to get my feet into the field more. I attend conferences and network a lot, and run my college's Digital Forensics conference as well as the program's academic club. I am located in the Philadelphia, Pennsylvania area. I’m only a sophomore/junior; however, I attended a vocational technical school for computer programming.

1 Comment
2024/04/14
01:56 UTC

5

TPM - capture process

Hi all, with TPM the old and trusted method of pulling the hard drive and cold imaging can’t occur anymore. What boot CDs / USBs are people using to ensure no changes occur and allow the correct imaging process? All Linux based (sift / kali etc) or has anyone found a (safe) windows based approach? Thanks

10 Comments
2024/04/13
17:15 UTC

0

S21 Ultra Qualcomm Android 14 Secure Folder

Hi

Need some help. I have an unlocked S21 on Android 14, but Secure Folder is locked. Are there any forensic tools that can access the data in Secure Folder? I believe Magnet GrayKey can do up to Android 13, but I am not able to confirm if it supports Android 14 and Qualcomm. Most other tools seem to support Exynos only prior to March 2020; not sure about Cellebrite Premium, Oxygen or XRY.

Thanks

1 Comment
2024/04/12
20:14 UTC

14

I made a simple extension to easily search IOCs across various OSINT sites

Hey everyone!

I wanted to share with you a project I've been working on: OZZI, a free and open-source extension designed to simplify IOC searches.

What does OZZI do?
OZZI streamlines the process of searching IOCs across various online OSINT sources such as VirusTotal, Scamalytics, ISC, Hybrid-Analysis, and more. You can search for IPs, hashes, URLs, or ports and get insights from your preferred sources.

Key Features:

  • Dynamic IOC type detection
  • Customizable source selection
  • User-friendly search popup
  • Context-menu search - just select and search

Where can you get OZZI?

Please note the currently published version on Edge has a minor bug in it. The fixed version (1.5.5) is currently pending review.

Why OZZI?

  • Free and open-source
  • No personal gain - I just got tired of copy pasting and opening different bookmarks all the time.
  • Source code available on GitHub

Give it a try and let me know how it goes. If you find any issues or things you don't like let me know.

11 Comments
2024/04/12
17:30 UTC
