/r/computerforensics
Dedicated to the branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. This field involves the application of several information security principles and aims to provide for attribution and event reconstruction following from audit processes. This subreddit is not limited to just personal computers and encompasses all media that may also fall under digital forensics (e.g., cellphones, video, etc.). Topics include digital forensics, incident response, malware analysis, and more.
Vote based on the quality of the content. Irrelevant submissions will be pruned in an effort towards tidiness.
Related Subreddits:
/r/antiforensics - anti forensics
/r/crypto - cryptography
/r/forensics - forensics
/r/cyberlaws - cyberlaws
/r/malware - malware
/r/memoryforensics - memory forensics
/r/netsec - netsec
/r/reverseengineering - binary reversing
/r/UIC - reversing/malware research
Related Technical Subreddits
/r/filesystems - filesystems
/r/kernel - kernel development
/r/lowlevel - low level programming
Hello all,
I'm a corporate videographer who is thinking about a career pivot into video forensics, specifically in law enforcement. I'm looking for a place to start; most courses I see aren't local to my area. The questions I have are:
I have a Bachelor's Degree in Digital Media and two years of corporate editing experience: in terms of required education, will this be helpful to get my foot in the door, or would I be starting from square one?
I read that Premiere Pro is commonly used with a few key plug-ins, and I saw a lot of them thrown around... Are there industry-standard plug-ins I should start with?
Are most video forensic specialists expected to have knowledge in other areas of digital forensics as well? Will I be behind?
Thank you to anyone who takes the time to help me out, I'm sure it will take a lot of time and studying before I'm able to get in anywhere. I just need a jumping off point to get started.
Hi, I'm currently doing a malware analysis. I searched the internet and it said that "IE40" has been deemed to be a trojan? Is that true? DXM_Runtime, IE4Data, IE5BAKEX, IEData, and MobileOptionPack are also something, as far as I know. I'm not sure though; any clarification would greatly help, thank you.
Hello, I am attempting to create a forensic capture of the hard drive of a 2014 iMac running OS X Yosemite. The Mac is a 2TB edition. Attempting to use DiskUtility in recovery mode, I initiated an image of the disk on an external hard drive but the progress bar has done maybe 3% in 24 hours. I would rather not connect the Mac to the Internet. In my search for an alternative imaging application that is compatible with OS X, I have turned up nothing. Does anyone have any suggestions?
I’ve been doing digital forensics for 12 years now and I want to transition more into DFIR. What are the best books you have come across and used to broaden your knowledge of DFIR, especially in APTs and malware/suspicious code analysis?
I prefer books as courses don’t give you the time to go back and test your theories. So books that help you learn and take you through the practical end to end attacks and detail the process to follow.
I have MOBILedit Forensic PRO I use as a forensic software but have run into some setbacks.
I conducted logical imaging of two separate phones and generated various file formats. The data itself, specifically the raw messages, is not viable for uploading into EDiscovery platforms.
Due to this, I had to take the xml export from MOBILedit, generate a Cellebrite ufdr, export the messages into report.xml, then use Message Crawler to convert to RSMF.
I have been working with Message Crawler extensively. I think the issues go back to MOBILedit.
What I’m inquiring about are the best and hopefully cheap tools to convert raw data into industry standard format such as .DAT
How does one take a forensic image of an older Mac that does not have USB-C? Can you use a USB-C to USB?
Have all the free Mac Forensic tools been gobbled up?
When performing a keyword search for a specific email, it yields unindexed items. Do I need to care about these if I'm specifically targeting the To:, From:, Bcc:, and CC: fields?
Any help appreciated. I'm normally good at Purview but some things I don't have access to experiment with.
We're thrilled to announce a modest update to the memory dumps repository curated by Volatility Foundation members.
To enhance your experience, we've reviewed and refined the collection, ensuring that each sample's link is functional with a few added comments.
Why This Matters
With our refined repository, you can focus on what truly matters - your research and analysis - without the hassle of sorting through non-functional links.
📌 Check it out here
Hi, I have a question that might be proprietary, but it’s a pretty important one for my situation: if Cellebrite accesses a phone, I read that it can create a virtual clone. So, one, is that accurate? Two, how long does that cloned version exist for? Does it have to be manually removed, say, at the end of the investigation, normally?
Sorry, I hope I’m not asking proprietary info, but I have a bit of a unique situation I’m trying to get insight into.
Thanks for any help.
Tried posting in mobile forensics without luck. Can anyone shed light on these? (Complete layman here... tried to research as best I could to not pose dumb questions.)
Workshopping some ideas for how to subtly hint that a suspect's phone was tampered with before (or maybe during) forensic analysis, by a mafia plant. Probably using an Android, if that matters for the answers. Thanks in advance!
Are there any common reasons why Cellebrite would fail to connect to a device? Could any of those be attributed to tampering?
Would there be any way for an accomplice's phone records (preserved from the carrier) to show two text messages sent, while Cellebrite on the suspect's phone only shows one received? Even if the suspect deleted one of the messages, wouldn't Cellebrite still find both?
If the suspect was in California (Pacific Standard Time) and a screen grab (10 minutes before a crime) showed the phone's clock was correct in PST, is there any reason Cellebrite would show it as Greenwich Mean Time (GMT)?
Thanks so much!
Is it possible for Cellebrite to recover a deleted Snapchat image after about 3 days? The phone was not powered off and was running Android 14. The image was deleted from Snapchat and didn't appear in the trash. Is there any way to get the original photo back?
I have been working to parse out the MFT entries using the seek() and read() functions. After locating the NTFS Volume Boot Block and finding the long long value which represents the location of the first entry of the table ("C00000" in little endian), I could find the first entry after adding in the offset of the NTFS Volume Boot Block.
I loaded my image into FTK Imager, navigated to my calculated location and was able to find the first entry of the MFT. When I printed the sector location of where the program was searching from within the image, it was the same number as the sector where I was able to locate the first MFT entry in FTK Imager, but the output was all 0s and it couldn't find the FILE0 header.
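Added example, not code from the poster: this walks the same path in Python against a constructed, in-memory image (partition at sector 64, $MFT at LCN 4, 4 KiB clusters; real volumes commonly put $MFT at LCN 0xC0000 and partitions at sector 2048). It reads the boot record fields at 0x0B, 0x0D, 0x30 and 0x40, converts the MFT cluster number to an absolute byte offset (partition start + LCN * cluster size, the step that yields all zeros when the partition start is forgotten), checks the signature and applies the update-sequence fix-ups. Note that the on-disk signature is the four bytes "FILE"; the "0" people see in a hex editor is the low byte of the update sequence array offset (0x30), which immediately follows it.

```python
import struct


def parse_vbr(vbr):
    """Pull the MFT-locating fields out of a 512-byte NTFS volume boot record."""
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    ': not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", vbr, 0x0B)[0]
    spc = vbr[0x0D]
    # Values above 0x80 encode huge clusters as 2**(256 - value) sectors.
    sectors_per_cluster = spc if spc <= 0x80 else 1 << (256 - spc)
    cluster_size = bytes_per_sector * sectors_per_cluster
    mft_lcn = struct.unpack_from("<Q", vbr, 0x30)[0]   # logical cluster number of $MFT
    crs = struct.unpack_from("<b", vbr, 0x40)[0]       # clusters per file record (signed)
    record_size = crs * cluster_size if crs > 0 else 1 << (-crs)  # -10 -> 1024 bytes
    return {"bytes_per_sector": bytes_per_sector, "cluster_size": cluster_size,
            "mft_lcn": mft_lcn, "record_size": record_size}


def mft_record_offset(partition_start_sector, info, record_number=0):
    """Absolute byte offset of MFT record N: partition start + LCN*cluster + N*record size."""
    volume_start = partition_start_sector * info["bytes_per_sector"]
    return (volume_start + info["mft_lcn"] * info["cluster_size"]
            + record_number * info["record_size"])


def signature_at(img, offset):
    """First four bytes at an offset; all zeros is the classic 'forgot the partition start' symptom."""
    return bytes(img[offset:offset + 4])


def read_mft_record(img, offset, info):
    """Read one FILE record, verify and undo the update-sequence fix-ups, return header facts."""
    rec = bytearray(img[offset:offset + info["record_size"]])
    if rec[0:4] != b"FILE":
        raise ValueError(f"no FILE signature at {offset:#x}: got {bytes(rec[0:4])!r}")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    stride = info["bytes_per_sector"]
    # NTFS overwrites the last 2 bytes of every sector of the record with the USN and
    # keeps the originals in the array; restore them before parsing attributes.
    for i in range(1, usa_count):
        end = i * stride - 2
        if rec[end:end + 2] != usn:
            raise ValueError("update sequence mismatch: torn or stale record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    flags = struct.unpack_from("<H", rec, 0x16)[0]
    return {"record": bytes(rec), "in_use": bool(flags & 1), "is_dir": bool(flags & 2),
            "record_number": struct.unpack_from("<I", rec, 0x2C)[0]}


def build_sample_image():
    """Constructed 96 KiB disk image: small values so it fits in memory (assumption)."""
    part_start, bps, spc, mft_lcn = 64, 512, 8, 4
    img = bytearray(96 * 1024)
    vbr = bytearray(bps)
    vbr[0:3] = b"\xEB\x52\x90"
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<H", vbr, 0x0B, bps)
    vbr[0x0D] = spc
    struct.pack_into("<Q", vbr, 0x30, mft_lcn)
    struct.pack_into("<b", vbr, 0x40, -10)          # 2**10 = 1024-byte records
    vbr[0x1FE:0x200] = b"\x55\xAA"
    vol = part_start * bps
    img[vol:vol + bps] = vbr
    rec = bytearray(1024)                           # record 0 = $MFT itself
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)        # USA at 0x30, USN + 2 entries
    struct.pack_into("<H", rec, 0x10, 1)            # sequence number
    struct.pack_into("<H", rec, 0x14, 0x38)         # first attribute offset
    struct.pack_into("<H", rec, 0x16, 0x01)         # in use, not a directory
    struct.pack_into("<I", rec, 0x2C, 0)            # record number
    rec[0x30:0x36] = b"\x07\x00" + b"\xAA\xBB" + b"\xCC\xDD"   # USN, saved sector ends
    rec[0x1FE:0x200] = b"\x07\x00"                  # sector ends carry the USN on disk
    rec[0x3FE:0x400] = b"\x07\x00"
    mft = vol + mft_lcn * bps * spc
    img[mft:mft + 1024] = rec
    return bytes(img), part_start


if __name__ == "__main__":
    img, ps = build_sample_image()
    info = parse_vbr(img[ps * 512:ps * 512 + 512])
    off = mft_record_offset(ps, info)
    print("MFT record 0 at", hex(off), read_mft_record(img, off, info))
    print("without partition offset:", signature_at(img, info["mft_lcn"] * info["cluster_size"]))
```

On a real image, replace build_sample_image() with the partition start sector from the MBR/GPT and the 512 bytes at that sector; any number that FTK Imager reports as a sector has to be multiplied by the sector size before it is usable with seek().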
I have read and seen videos of people in the computer or digital forensics field who help with law enforcement or investigations in cases, and they say it’s very dark and hard on you mentally, what you see. I want to know if it is as bad as they say or not, as I want to do law enforcement computer/digital forensics and want to know if I should be prepared to see messed up stuff 24/7. (Sorry for the bad writing, I’m typing in a weak cell zone.)
I am looking to transition into a DFIR role. Currently, I am focusing on Windows forensics, which is a core part of the job. However, I understand that malware analysis is also important, but I don't want to go too deep into areas that might not be necessary for the role.
Here is what I think is required:
Here is what I think might be too much:
What do you guys think?
Hello! I recently misplaced a USB drive and I am trying to see when it was last plugged into my laptop to narrow the search. I have read a bunch of forums on the correct terminal commands, but none seem to be working. Any help would be greatly appreciated!
There's a pretty publicized court case going on now where the defendant is using the following pictured output from forensic software to argue that the location data logged by Waze and analyzed by forensic software would be 3 minutes too fast (thus exonerating the defendant). Apologies for the blurriness, it's like that in the evidence exhibit. The defense expert witness did not elaborate on how exactly these clocks relate to the GPS location data. The prosecution expert witness seemed dismissive of the idea that this artifact would be used for the location timestamps. Is there merit to this idea?
The state investigator used Cellebrite, CellHawk, and Axiom, possibly some other stuff. There's a filing briefly summarizing the investigator's methodology, here:
Trooper Guarino analyzed this health data and cross-referenced it with the Native Location in Cellebrite and the location data in Axiom belonging to John O’Keefe’s phone. Trooper Guarino located a WAZE search for the 34 Fairview address conducted at 12:20:08 a.m. on January 29. The native locations then depict Mr. O’Keefe’s phone traveling on Dedham Street and arriving at the residence at 12:24:34 a.m. Therefore, Mr. O’Keefe’s phone would have been ascending/descending within the Fairview residence, prior to his arrival at the residence. The location data’s next entry is in the vicinity of 34 Fairview Road at 12:59:25 a.m., in the same location. (Attached at Par. 18). A check of the location data in Axiom shows the last location at 34 Fairview Road and speed meters/second at 12:25:36 a.m. with a speed of .6346 m/s. The location data stays constant at 34 Fairview Road with no speed being registered until 6:15:36 a.m. with a speed of .0484 m/s.
Many thanks for any insight you can provide!
Hi all! I’m wondering what types of cases consultants get to work on. Is it more private sector? Do you get to work on criminal cases? Is it a good mix or do you find yourself working a lot of the same types of cases?
TIA :)
Sorry if this isn't allowed.
But was wondering if anyone with experience with the device would be able to assist me?
Is this device compatible with (or can it be used with) a USB 3.0 media card reader? And is the device pretty universal in its options?
Thanks
Good morning r/computerforensics
Has anyone had luck with Invictus Microsoft Extractor Suite for extracting UAL? When extracting from GUI, we're limited to 50k entries. So we tried the Extractor Suite. Seemed promising until...
I get an "Unauthorized" error even when assigned Global Admin privileges. Confirmed not being stopped by conditional access policy.
Just wondering if anyone has any insight.
Thank you!
Hi there does anyone know the solution to this error? I have both modules installed though it shows it isn't.
Hello, I am new to this world and studying this discipline at uni. I am now tasked with the acquisition of a YouTube video (only the video, not the entire page) and was wondering if "yt-dlp" is valid software or if I should use something else.
Hope I made myself clear enough, and thanks in advance.
This is when I try running a volatility command.
Here it says that the yara-python and pefile modules weren't found or available.
I had already installed both, yet it showed that they weren't found/available??
Hi, I had recently tried installing volatility3 but I'm encountering errors. Any help would be appreciated, thank you!
Hi,
Do you have any recommendations, whether for understanding how iOS works or for offensive and forensic purposes? My only starting point is: https://github.com/Cy-clon3/awesome-ios-security
It has a lot of resources (good ones, I think); do you have 2-3 good ones to start with?
Thanks in advance.
I recently graduated from college in 2023 with a BA in English/Writing and a minor in Education with the idea of going to grad school for school counseling. Always had been interested in cybersecurity but never took classes in college because of my scholarship rules unfortunately.
After college, I got a job in helpdesk and “moved up” to a desk support role that I’ve been in for about 3-ish months. Aside from these experiences, I have very little knowledge in IT but I’m motivated and always asking questions at work whenever possible even if it does annoy my colleagues at times (I just want to frickin learn though!).
I am taking the Google cybersecurity course on Coursera, as I saw it was recommended for those new to the field or wanting to get into cybersec, and also for those like me in the midst of transitioning from a different career field. Please let me know what more I can do, as I know there’s always more that can be done and learned, preferably at a low cost if at all possible!
Not too familiar with this one, but I have a client that backs up their O365 emails on Barracuda. If they provide me a copy of the backup from Barracuda’s system, is that similar to getting a PST file, or is there something more involved in this process?
Thanks in advance.
Does the Win11 ActivitiesCache.db still have forensic value? I can’t figure out if the value just doesn’t exist anymore, if my WxTCmd is only good for Win10, or if I’m missing a registry or other setting. I'm getting almost blank output. I was wondering if any of you still use it and if you could point me in the right direction.
I want to know how to read the IndexedDB from Chromium browsers.
I know that the browser is using the IndexedDB API to store the data in the location below:
C:\Users\user_name\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_web.whatsapp.com_0.indexeddb.leveldb
I need help in reading this data. I tried to open the .log files and .ldb files in a hex editor, however it's just a bunch of jargon; it is mentioned that they are using some Snappy compression for the data.
Below is a screenshot of the database arranged; it can be easily seen in debugging mode, in the Application section.
There is not much to be found about how to extract the IndexedDB information or which functions WhatsApp calls from the IndexedDB API. I tried to parse the files with an IndexedDB parser, however it did not yield any results whatsoever.
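Added example, not code from the poster or from Chromium: a Python reader for the LevelDB write-ahead log (the .log file in that directory), run here against a constructed log built by the same script rather than a real WhatsApp Web profile. The .log records are not Snappy-compressed; compression only applies to data blocks inside the .ldb table files, which need a separate table parser. Each .log record is a 7-byte header (masked CRC32C, length, type FULL/FIRST/MIDDLE/LAST) followed by a WriteBatch: an 8-byte sequence number, a 4-byte count, then tagged entries (1 = put, 0 = delete) with varint-prefixed keys and values. The example verifies the CRCs and reassembles fragmented records, and shows why the .log matters forensically: an earlier put survives next to the tombstone that later deleted the same key. The keys and values are made-up strings; real Chrome IndexedDB keys use Chrome's own key encoding and the values are V8-serialized objects, which this example does not decode.

```python
import struct

BLOCK_SIZE = 32768
MASK_DELTA = 0xA282EAD8
FULL, FIRST, MIDDLE, LAST = 1, 2, 3, 4


def crc32c(data, crc=0):
    """Castagnoli CRC-32 (reflected polynomial 0x82F63B78), extendable like LevelDB's."""
    crc ^= 0xFFFFFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def mask_crc(crc):
    return (((crc >> 15) | (crc << 17)) + MASK_DELTA) & 0xFFFFFFFF


def unmask_crc(masked):
    rot = (masked - MASK_DELTA) & 0xFFFFFFFF
    return ((rot >> 17) | (rot << 15)) & 0xFFFFFFFF


def put_varint(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def get_varint(buf, pos):
    shift = n = 0
    while True:
        b = buf[pos]
        pos += 1
        n |= (b & 0x7F) << shift
        if not b & 0x80:
            return n, pos
        shift += 7


def build_batch(seq, ops):
    """WriteBatch bytes for a list of (key, value) puts or (key, None) deletes."""
    body = bytearray(struct.pack("<QI", seq, len(ops)))
    for k, v in ops:
        if v is None:
            body += b"\x00" + put_varint(len(k)) + k
        else:
            body += b"\x01" + put_varint(len(k)) + k + put_varint(len(v)) + v
    return bytes(body)


def build_log(batches):
    """Write each batch as one FULL record (constructed sample; real logs also fragment)."""
    out = bytearray()
    for data in batches:
        crc = mask_crc(crc32c(bytes([FULL]) + data))   # CRC covers type byte + payload
        out += struct.pack("<IHB", crc, len(data), FULL) + data
    return bytes(out)


def read_records(log):
    """Yield record payloads, verifying CRCs, reassembling fragments, skipping block trailers."""
    pos, frag = 0, bytearray()
    while pos + 7 <= len(log):
        left = BLOCK_SIZE - (pos % BLOCK_SIZE)
        if left < 7:                      # zero-filled trailer too small for a header
            pos += left
            continue
        crc, length, rtype = struct.unpack_from("<IHB", log, pos)
        if rtype == 0 and length == 0:    # zero padding
            pos += 7
            continue
        data = log[pos + 7:pos + 7 + length]
        if unmask_crc(crc) != crc32c(bytes([rtype]) + data):
            raise ValueError(f"CRC mismatch at offset {pos}")
        pos += 7 + length
        if rtype == FULL:
            yield bytes(data)
        elif rtype == FIRST:
            frag = bytearray(data)
        elif rtype == MIDDLE:
            frag += data
        elif rtype == LAST:
            frag += data
            yield bytes(frag)
            frag = bytearray()


def parse_batch(data):
    """Decode a WriteBatch into (sequence, op, key, value) tuples."""
    seq, count = struct.unpack_from("<QI", data, 0)
    pos, entries = 12, []
    for i in range(count):
        tag = data[pos]
        pos += 1
        klen, pos = get_varint(data, pos)
        key = bytes(data[pos:pos + klen])
        pos += klen
        if tag == 1:
            vlen, pos = get_varint(data, pos)
            entries.append((seq + i, "put", key, bytes(data[pos:pos + vlen])))
            pos += vlen
        elif tag == 0:
            entries.append((seq + i, "del", key, None))
        else:
            raise ValueError(f"unknown entry tag {tag}")
    return entries


def recover_entries(log):
    return [e for rec in read_records(log) for e in parse_batch(rec)]


# Constructed sample log: two puts, then a delete of the first key.
SAMPLE_LOG = build_log([
    build_batch(100, [(b"chat/1", b"hello"), (b"chat/2", b"world")]),
    build_batch(102, [(b"chat/1", None)]),
])

if __name__ == "__main__":
    for entry in recover_entries(SAMPLE_LOG):
        print(entry)
```

To run it on a real profile, pass the bytes of a 000NNN.log file to recover_entries(); anything that parses as a put is a candidate value even if a later tombstone deleted the key. Because the CRC is checked, a truncated or partly overwritten log fails loudly rather than yielding garbage.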
Hi guys, I'm sorry if this post doesn't make sense. I would like to ask about the roadmap to learn forensics, where do you think I should start? Thanks!
Hey, I've been studying the ALEAPP and iLEAPP scripts by Alexis Brignoni. I need some help with the db files.
When I run the scripts on a mobile image (Josh Hickman samples), the script creates a folder where it stores files for its reports.
I've noticed it creates multiple files for data, to the point where there is repetition.
In the _Timeline folder is a database file called tl.db that contains all the data in the report.
In the _TSV Exports folder are separate TSV files for each tab in the report.
In each individual app folder there may be different db or other files containing the same data.
Which of these would be the central point of the data? What's the difference between each, and why does it make these separate file sets instead of a single set or single file?
If I were to use one of these as my source to represent with a custom report in a different manner, what file should I use?