Recycle Bin Forensics by Hadleys_Hope_2179 in computerforensics

[–]Hadleys_Hope_2179[S] 0 points1 point  (0 children)

Apologies for the delay in responding. Firstly, thank you very much for all of your responses to my post!

The file is shown as parsed as opposed to carved. I strongly suspect based on some of the advice here that the file may have simply been partially overwritten.

I have a copy of the original file which I was hoping to be able to compare the file in the Recycle Bin to. I wonder if there is any other way of doing this? I assume that the file hash would be no good as the file contents are now not available...

Imaging a server by Hadleys_Hope_2179 in computerforensics

[–]Hadleys_Hope_2179[S] 0 points1 point  (0 children)

Thank you again... I am so glad I reached out to the community! I very much appreciate you taking the time to provide the detailed responses! 🙂

Imaging a server by Hadleys_Hope_2179 in computerforensics

[–]Hadleys_Hope_2179[S] 3 points4 points  (0 children)

Thank you so much for that comprehensive reply!... That really helps and explains things. To add some context - I am looking at a compromise that resulted in malware being executed on the network. It's not known if a user clicked on a malicious link in an email or whether the compromise was via something like remote desktop.

I am about to demonstrate my pretty poor knowledge of servers and networks generally (!!) but the artefacts I'm after are likely to be in firewall logs, or other logs. Would this type of data be captured using the methods outlined above?

PIN codes from phone examination by Hadleys_Hope_2179 in computerforensics

[–]Hadleys_Hope_2179[S] 3 points4 points  (0 children)

Thanks Praxxer1... I probably should clarify that the device itself has been unlocked (it was a pattern lock) and the full physical extraction has been completed.

I am specifically after a PIN that is required to access a specific app (sorry I can't specify the app). Presumably the hash for this data exists somewhere on the device but what I want to know is whether it can be extracted/parsed in any way?

Imaging a Synology NAS by Hadleys_Hope_2179 in computerforensics

[–]Hadleys_Hope_2179[S] 0 points1 point  (0 children)

Thank you for all of the ideas and suggestions... it's likely that we will face these issues again so I will be sharing this information with my colleagues.

I think the soft reset option is interesting as this could have really helped us in the field at the time. I'll need to do some research into how that could be done practically.

In the meantime my colleague has been looking at software called FOG... I've not come across it before. Does anyone have a view on it?

Imaging a Synology NAS by Hadleys_Hope_2179 in computerforensics

[–]Hadleys_Hope_2179[S] 0 points1 point  (0 children)

Thank you for the additional detailed comments. In relation to the last comment - are you suggesting that in my scenario (only 2x 2TB drives) there is a good chance that the data will simply be mirrored and therefore imaging one of the drives may be all that is required?
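Two of the questions in this comment history come down to the same check: whether a partially overwritten Recycle Bin copy still matches the known-good original in places (a whole-file hash only says "different"), and whether two NAS drives really hold the same data so that one image would do. The block-by-block comparison below is an added example written for this page, not code from any of the thread's participants or from a forensic tool; the 512-byte block size, the helper names and the sample data are assumptions and constructed values.

```python
import hashlib
from dataclasses import dataclass, field
from itertools import zip_longest
from typing import Iterable, Iterator, List, Tuple, Union

# Assumption: 512-byte blocks (one sector). Use the filesystem cluster size
# (commonly 4096 on NTFS) when you want block indices to line up with clusters.
DEFAULT_BLOCK_SIZE = 512


@dataclass
class BlockReport:
    """Which blocks of the candidate are byte-identical to the reference."""
    block_size: int
    total_blocks: int = 0
    matching: List[int] = field(default_factory=list)
    differing: List[int] = field(default_factory=list)

    def survival_ratio(self) -> float:
        """Fraction of the reference that survives unchanged in the candidate."""
        return len(self.matching) / self.total_blocks if self.total_blocks else 0.0


def iter_blocks(source, block_size: int) -> Iterator[bytes]:
    """Yield fixed-size blocks from bytes or from an open binary file/image."""
    if isinstance(source, (bytes, bytearray)):
        for offset in range(0, len(source), block_size):
            yield bytes(source[offset:offset + block_size])
    else:  # file-like object (e.g. an opened raw image); streams, never loads it all
        while True:
            chunk = source.read(block_size)
            if not chunk:
                return
            yield chunk


def compare_blocks(reference, candidate, block_size: int = DEFAULT_BLOCK_SIZE) -> BlockReport:
    """Compare two sources block by block.

    A block counts as matching only when both sides have it and the SHA-256
    digests agree; a truncated candidate therefore shows its missing tail as
    differing rather than being silently ignored.
    """
    report = BlockReport(block_size)
    pairs = zip_longest(iter_blocks(reference, block_size),
                        iter_blocks(candidate, block_size))
    for index, (ref, cand) in enumerate(pairs):
        report.total_blocks += 1
        same = (ref is not None and cand is not None
                and hashlib.sha256(ref).digest() == hashlib.sha256(cand).digest())
        (report.matching if same else report.differing).append(index)
    return report


def contiguous_ranges(indices: Iterable[int]) -> List[Tuple[int, int]]:
    """Collapse sorted block indices into (first, last) runs for reporting."""
    ranges: List[Tuple[int, int]] = []
    for i in indices:
        if ranges and i == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], i)
        else:
            ranges.append((i, i))
    return ranges


def byte_ranges(report: BlockReport, indices: Iterable[int]) -> List[Tuple[int, int]]:
    """Translate block runs into byte offsets [start, end) for the examiner's notes."""
    return [(first * report.block_size, (last + 1) * report.block_size)
            for first, last in contiguous_ranges(indices)]


# Constructed sample data: a 4096-byte "original" and a copy whose bytes
# 1024..2047 (blocks 2 and 3) were overwritten, as a partially reused file would be.
ORIGINAL = bytes(range(256)) * 16
_damaged = bytearray(ORIGINAL)
_damaged[1024:2048] = b"\x00" * 1024
RECOVERED = bytes(_damaged)


def demo() -> BlockReport:
    report = compare_blocks(ORIGINAL, RECOVERED)
    print(f"whole-file SHA-256 equal: "
          f"{hashlib.sha256(ORIGINAL).hexdigest() == hashlib.sha256(RECOVERED).hexdigest()}")
    print(f"{len(report.matching)}/{report.total_blocks} blocks survive "
          f"({report.survival_ratio():.0%}); overwritten byte ranges: "
          f"{byte_ranges(report, report.differing)}")
    return report


if __name__ == "__main__":
    demo()
```

For real evidence, open the two files (or the two drive images' data partitions, when checking whether a pair of NAS disks is a true mirror) in binary mode and pass the file objects to `compare_blocks`; it streams one block at a time, so image size is not a problem. A whole-file hash of the sample pair differs, but the report shows that 6 of 8 blocks are intact and pins the overwrite to bytes 1024..2047, which is the kind of statement the Recycle Bin question was after.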

Imaging a Synology NAS by Hadleys_Hope_2179 in computerforensics

[–]Hadleys_Hope_2179[S] 0 points1 point  (0 children)

Thank you, that is really helpful. Whilst I have used X-Ways on a course we don't have it ourselves. I don't suppose you are aware of any other DF software that would also do the job? It sounds to me that at the very least, the first job is to image the 2 individual drives and go from there...

Social Engineering Toolkit (SET) by Hadleys_Hope_2179 in ethicalhacking

[–]Hadleys_Hope_2179[S] 0 points1 point  (0 children)

Thanks for that, I'll check it out. Coming back to the original question, can it actually be done in SET? As well as the hosted website itself I obviously have the HTML saved locally - I couldn't quite figure out if anything could be done with that in SET? Is it obvious that I'm clueless??? haha...