
Daily Blog #144 PFIC Day 1 Afternoon Sessions

Hello Reader,
I took more notes yesterday and I'm taking more notes this morning. I'm posting these in the hopes that you'll use them with the slides that will be posted so you can get the information presented here that is outside of the slides.

1:30pm Session Social Media Insights

This session was being presented by a woman whose company provides PI services and specifically online research about people and companies.
Websites and techniques for social media investigations
Finding links and images through duckduckgo
Finding discussion posts on omgili
Finding classified ads with searchtempest
Using ixquick to search multiple engines and find hits in the 'private web' with a meta search
I left for a conference call at this point; if you need to do online/social/web investigations of prior posts, this presentation does give some good links.

2:30pm Session Augmented Reality Forensics

This wasn't a forensic session per se; it's more of a futurist's look at the state of upcoming and emerging technology and what that may mean for us in the DFIR field. Still an interesting talk from a good presenter.
AR isn't perfect yet
will make a new range of forensic tools and forensic possibilities
The internet of things is coming and with it IoT forensics

4:00pm Session Chip Off or Jtag it

This was an interesting session mainly because of Zeke's personality, but the tech content was a bit light for a conference that also had a hands-on chip off lab taking place a few doors down.
New Zealand accents make presentations more interesting
Good jokes so far, hoping the content is as good
Overview of crimes committed and the evidence that could be found on mobile devices
Terrorists are now shooting their phones before being caught; apparently you should target the number 7 key to kill the SIM and possibly the NVRAM chip.
Starting his review of forensics with Edmond Locard 'every contact leaves a trace'
Now comparing computer vs. cell phone forensics; I'm going to be patient, but I'm wondering if he is misjudging his audience.
A little vendor bashing on how they market their logical/physical analysis, always appreciated
'Forensic Explorer' is now called 'Recover My Files', which is around $1,000 USD, and he has had good success in carving from Android unallocated space. Not sure how that compares to any other carving tool against the same data.
Flasher boxes are hacker boxes and break into devices? I don't think I agree with the analogy but I understand the meaning.
Discussion on whether these procedures from a flasher box, JTAG, chip off, and even vendor software tools are forensically sound, since many are modifying the original evidence in order to extract the data
The process is what makes something forensically sound, not the tool. I agree
He is now going over photographing a phone as a first step before cracking it open.
Now getting into something interesting, a survey of flasher boxes
The comedy here is winning the audience, enjoying this
Now discussing chip off, and discussing heat versus infrared for removing chips
Why would we go to chip off, because the phone isn't supported by any automated forensic software tool
Some phones, especially the off-market clone phones (fake BlackBerry in this example), may appear normal but will actually be encrypted or have multiple subsystems, making normal chip off unhelpful or pointless
Next example is a phone that looks like a remote car key fob
Moving on to physically damaged phones
The speaker seems to think that Jonathan Rajewski and I are part of a Utah based cell phone forensics lab.  We can't bear to tell him we are not so we are going along with it.
Regardless of content come see Zeke just for the jokes
Sometimes repair is all you need to do instead of a chip off
Now showing generic best practice guidelines for the UK and USA
Discussing how flasher boxes and other types of phone modification tools don't have forensic hashes, as they were not made for this work; he suggested putting the evidence in a forensic image afterwards to allow for verification after the fact.
Discussion of dealing with binary dumps from flashers/jtag/chip off dumps. Common methods are just feeding it to cell phone tools that will carve for known cell patterns.
This presentation is now getting a bit trippy with perspective art/illusions
Breaking down binary patterns as a method for determining data structures
Discussion on bypassing Android-locked phones
If USB debugging is turned on, then your standard tools can get access to the file system
If not, moving on to chip off and the destructive process
Moving on to JTAG and showing the 'riff' box which supports multiple pin outs
YouTube is the database for learning how to take phones apart and find JTAGs
Showing how the raw dump of the JTAG output is a large hex dump, showing putting it into Forensic Explorer again
Discussing using rainbow tables of possible SHA-1 gesture keys to determine which pattern locked the phone
Get the pattern lock and then pull the data off the phone using an automated solution to pull the intact file system for you is his recommendation.
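The hashing point in the notes above (a flasher box, JTAG or chip off dump carries no built-in verification hash, so the examiner has to record one immediately after acquisition and re-check it before relying on the data) is worth a concrete illustration. The following Python is an added example written for this post, not code from the talk or from any tool named here: it hashes a dump with several algorithms in a single pass, writes a JSON manifest beside it, and re-verifies later, reporting which algorithms no longer match. The dump contents, file names and manifest layout are constructed sample data.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Hash a file once, feeding every chunk to all requested digests."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(dump_path, manifest_path, note=""):
    """Record size and digests of a fresh dump so it can be verified later."""
    record = {
        "file": os.path.basename(dump_path),
        "size": os.path.getsize(dump_path),
        "hashes": hash_file(dump_path),
        "note": note,
    }
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_dump(dump_path, manifest_path):
    """Re-hash the dump; return (ok, list of algorithms whose digest changed)."""
    with open(manifest_path, encoding="utf-8") as fh:
        record = json.load(fh)
    if os.path.getsize(dump_path) != record["size"]:
        return False, ["size"]
    current = hash_file(dump_path, tuple(record["hashes"]))
    mismatches = [name for name, digest in record["hashes"].items()
                  if current[name] != digest]
    return not mismatches, mismatches


def demo():
    """Record a constructed dump, verify it, flip one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample dump, not a real device image
        dump = os.path.join(tmp, "phone_dump.bin")
        manifest = dump + ".manifest.json"
        with open(dump, "wb") as fh:
            fh.write(b"\xff" * 4096 + b"ANDROID!" + b"\x00" * 4096)
        write_manifest(dump, manifest, note="constructed sample data")
        ok_before, _ = verify_dump(dump, manifest)

        # Simulate a single byte changed after acquisition (same size, so only
        # the digests reveal it)
        with open(dump, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"X")
        ok_after, mismatched = verify_dump(dump, manifest)

        # Known-answer check on the hashing routine itself
        vector = os.path.join(tmp, "abc.bin")
        with open(vector, "wb") as fh:
            fh.write(b"abc")
        sha256_abc = hash_file(vector, ("sha256",))["sha256"]

    return {"verified_before": ok_before, "verified_after": ok_after,
            "mismatched": mismatched, "sha256_abc": sha256_abc}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Several digests are recorded at once because different downstream tools report different algorithms (the post mentions SHA-1; MD5 and SHA-256 are common in tool reports), so whichever one a later report shows can be checked against the manifest without re-hashing the original.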

That was day 1; that evening was casino night, which is a lot of fun. One of the best parts of PFIC is that it isn't a huge conference, and at things like casino night you have a couple hours of fun to mingle with your peers and make new friends.
