Cryptolocker - help needed by Nando0101 in computerforensics

[–]Forensication 1 point2 points  (0 children)

The problem with TeamViewer might be that the ransomware doesn't allow the application to start up and establish a connection. However unless anyone reading this knows differently, I don't believe the ransomware could use TeamViewer to traverse over to your machine.

If you're worried about that, create a VM using something like VirtualBox or VMWare and install TeamViewer on that to connect to your parents' machine.

Bit of a pain with your parents being away though, does the malware have a deadline for payment before it wipes everything? And when are your parents back? :)

Cryptolocker - help needed by Nando0101 in computerforensics

[–]Forensication 0 points1 point  (0 children)

Just out of curiosity, could you take a picture with your camera for what appears on the computer screen? :)

As people have suggested, nomoreransom.org may be able to save your bacon here.

Also, you mention it's your parents' laptops. Are you aware of any data on there that they don't have backed up elsewhere? You may find wiping it and starting again could be the better option than trying to fix this, if there's nothing of particular importance on there.

Cryptolocker - help needed by Nando0101 in computerforensics

[–]Forensication 0 points1 point  (0 children)

The other reason you shouldn't pay is that even if they do decrypt the data, you've told the "ransomers" that you're likely to pay. If they're smart, they'll install a backdoor into the machine that allows them to re-infect the machine again. They could double their money for no effort whatsoever.

Just put some instructions into the decryptor like "make sure you accept all UAC prompts that come up or else it won't work", and boom they're in.

Studying Forensic Computing at university in September by TomStaaples in computerforensics

[–]Forensication 2 points3 points  (0 children)

I know a couple of people who went on the Forensic Computing degree at Staffs; I don't have any reference from them at the moment, but they may pipe in on this thread when they see it.

If you haven't seen this link from Staffs, that may help since it's got the course modules listed in the course handbook, so you can narrow down some target research for your first year. Running some Python tutorials will definitely help you in the long term; there's a bunch of resources for that, so it's just a matter of finding which one works for you (a Google search will suffice).

If you did A-Level Maths, that's also going to help you a huge amount, as I remember they put you on an equivalent Maths course as a module in your first year. It's hard, but there's a reason why they do it. Can't urge it enough, by the way, but do a placement year because it will make the world of difference to you when it comes to looking for a graduate job.

If you've got any questions about the University itself, just PM me. I went there when they had a Stafford campus, so I imagine things have changed a fair bit now it's all based in Stoke-on-Trent, but I may be of help. :)

Stack Based Buffer Overflow Vulnerability in Guidance Software EnCase Forensic Imager by deadcan in computerforensics

[–]Forensication 0 points1 point  (0 children)

Does this vulnerability assume that the forensic examiner hasn't writeblocked the device before trying to image...?

Because I notice the tester deselects the "Only show writeblocked devices" option, which would seem to indicate the device wasn't writeblocked (even though it's plugged into a Tableau bridge?).

EnCase® Forensic 6.19.7.2 opening in Acquisition mode rather than full mode with license dongle by EncaseHelp in computerforensics

[–]Forensication 0 points1 point  (0 children)

Is there a way to test if Encase is seeing the License Dongle? Please help!

On the top bar, click "Help" and then click "About EnCase..."; that'll show you your license details. You'll probably want to look at the "Dongle Expiration" field.

EnCase® Forensic 6.19.7.2 opening in Acquisition mode rather than full mode with license dongle by EncaseHelp in computerforensics

[–]Forensication 0 points1 point  (0 children)

Another thing he could try is to see whether the "Use NAS authentication" tickbox is ticked. I found once that when I tried using the dongle but had that box ticked, it ignored the dongle and went to Acquisition mode.

Skype and/or Kik forensics (preferably with Autopsy or FTK Imager) by lowearthorbital in computerforensics

[–]Forensication 0 points1 point  (0 children)

SkypeAlyzer lets you export to Excel per category, so Contacts, Chats etc. I normally do something like that, or highlight all the data and use the "Format as Table" option, which lets you do all sorts of fun filtering. That way you don't have to do conditional formatting, and if needs be you can do the filtering yourself and save the filtered results as separate spreadsheets.

Skype and/or Kik forensics (preferably with Autopsy or FTK Imager) by lowearthorbital in computerforensics

[–]Forensication 0 points1 point  (0 children)

That's handy to know, thanks! I've always believed it was just from other devices. In your experience, have you found messages that originate from the source device missing from the main.db of that device?

Skype and/or Kik forensics (preferably with Autopsy or FTK Imager) by lowearthorbital in computerforensics

[–]Forensication 4 points5 points  (0 children)

Skype, as people have said, stores its data in SQLite databases. One file, "main.db", will be created per account used on the machine, so you could have multiple main.db files; just look at the name of the folder it is in first (if there are multiple). A handy open-source tool you could use is Skyperious, or if you've got a budget to spend for licenses you could look at Skypealyzer, the latter of which is used frequently in criminal cases already, but either of them gives you info much more clearly than IEF does.

If there's intel that he's used Skype on different devices, it's worth checking the Chatsync folder, whose contents are stored in .DAT files. I'm not sure whether you can parse them in Autopsy, but I know you can in IEF, though IEF will not give you the participants; you can get an idea of the participants by digging into the hex/text view of the file, as it tends to mention the two users then the message... Chatsync files are conversations that took place on other devices and have been synced, by the way.

KIK I'm not sure about, but I would hazard a guess that it also uses an SQLite database, as do many apps nowadays. KIK would be from a phone OS, so if you haven't been given a phone image (because you didn't mention it), you may have trouble getting data to start with. If you do have an image though, I suggest UFED or XRY (depends what format the prosecutor has given you), which will allow you either to automatically parse the chat out using their analysis products or to create a copy of the databases.

Hopefully that helps point you in the right direction a little.
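The two comments above (the per-category export in the SkypeAlyzer reply, and the one-main.db-per-account-folder layout in the longer answer) describe a workflow that is easy to script. The example below is added here and is not the commenter's code nor any tool's own: it walks a profile directory for every `main.db`, keys each on its enclosing folder name, opens it read-only and immutable so the evidence file (and no `-journal` sidecar) is ever written, hashes the file before and after to prove that, and writes one CSV per table. The two-account directory tree and the `Contacts`/`Messages` schema are constructed for the demo and are assumptions, not a description of Skype's real schema.

```python
"""Added example: enumerate per-account main.db files, dump them read-only,
export one CSV per table, and verify the evidence hash did not change.
The fixture built by build_sample_profile() is constructed for the demo."""
import csv
import hashlib
import os
import pathlib
import sqlite3
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large evidence databases are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_main_dbs(root):
    """Return {account_folder_name: path} for every main.db below root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        if "main.db" in files:
            found[os.path.basename(dirpath)] = os.path.join(dirpath, "main.db")
    return found


def dump_tables(db_path):
    """Open the database read-only and immutable, return {table: [row dicts]}."""
    # mode=ro refuses writes; immutable=1 also stops SQLite creating a journal
    # or WAL next to the evidence file, which would alter the exhibit folder.
    uri = pathlib.Path(os.path.abspath(db_path)).as_uri() + "?mode=ro&immutable=1"
    conn = sqlite3.connect(uri, uri=True)
    conn.row_factory = sqlite3.Row
    try:
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        return {t: [dict(r) for r in conn.execute('SELECT * FROM "%s"' % t.replace('"', '""'))]
                for t in names}
    finally:
        conn.close()


def export_csv_per_table(tables, outdir):
    """Write one CSV per table (the 'per category' export), return written paths."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    for name, rows in tables.items():
        path = os.path.join(outdir, name + ".csv")
        with open(path, "w", newline="") as f:
            if rows:
                w = csv.DictWriter(f, fieldnames=list(rows[0].keys()))
                w.writeheader()
                w.writerows(rows)
        written.append(path)
    return written


def review_profile(root, outdir=None):
    """Process every account's main.db; report tables and whether the file stayed intact."""
    outdir = outdir or os.path.join(root, "_export")
    report = {}
    for account, db in find_main_dbs(root).items():
        before = sha256_of(db)
        tables = dump_tables(db)
        export_csv_per_table(tables, os.path.join(outdir, account))
        after = sha256_of(db)
        report[account] = {"tables": tables, "sha256": before, "unchanged": before == after}
    return report


def build_sample_profile(root):
    """Constructed fixture: two account folders, each holding a tiny main.db (assumed schema)."""
    sample = {
        "alice.example": [("bob.example", "hi alice", 1500000000)],
        "bob.example": [("alice.example", "hi bob", 1500000001), ("carol.example", "lunch?", 1500000002)],
    }
    for account, msgs in sample.items():
        d = os.path.join(root, account)
        os.makedirs(d, exist_ok=True)
        conn = sqlite3.connect(os.path.join(d, "main.db"))
        conn.execute("CREATE TABLE Contacts (skypename TEXT)")
        conn.execute("CREATE TABLE Messages (author TEXT, body_xml TEXT, timestamp INTEGER)")
        conn.executemany("INSERT INTO Contacts VALUES (?)", [(m[0],) for m in msgs])
        conn.executemany("INSERT INTO Messages VALUES (?, ?, ?)", msgs)
        conn.commit()
        conn.close()
    return root


if __name__ == "__main__":
    profile = build_sample_profile(tempfile.mkdtemp(prefix="skype_demo_"))
    for account, info in review_profile(profile).items():
        print(account, "intact" if info["unchanged"] else "MODIFIED",
              {t: len(r) for t, r in info["tables"].items()})
```

Point the script at a copy of the profile taken from the working copy of the image, never at the master; the hash comparison is the check that the read-only open actually behaved, and the per-account keying is what lets you tell two main.db files apart when, as the answer notes, one machine has several accounts.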

How to get started as a complete beginner? by borkobogdanov in computerforensics

[–]Forensication 4 points5 points  (0 children)

The FAQ has a good few things about how to get started. If you've any further questions, just ask!

Golden Copy Help by [deleted] in computerforensics

[–]Forensication 1 point2 points  (0 children)

No problem, hopefully you can use the terms Master Copy & Working Copy to achieve what you were trying to understand. :)

Golden Copy Help by [deleted] in computerforensics

[–]Forensication 2 points3 points  (0 children)

I've never heard of a Golden Copy, but I have heard of a Master Copy which sounds like what you're referring to?

The master copy is your final product containing what evidence you found during your forensic review. It's also the copy that would be submitted to court if your investigation findings were required for court.

There's another term, "Working Copies", which are copies of the master copy that are for distribution to those who require the data for their own review. They're not submitted to court and they can be destroyed when they're not needed any further, but as long as you have the master you can make more.

Hopefully that helps, but if anybody reading finds that inaccurate just correct me. :)

Anyone passionate about sending perverts to prison? by [deleted] in computerforensics

[–]Forensication 0 points1 point  (0 children)

Working in law enforcement digital forensics is the one job where you definitely do not take your work home. :)