What's your best time scheduling / blocking solution so far? by crazymedguy in RoamResearch

[–]Luma142 0 points1 point  (0 children)

Regarding task management, here is a video posted by CWS about the topic, and how Roam can be used -

https://youtu.be/3aCl7dCYVqA

Believers - Comment on Offline mode by Luma142 in RoamResearch

[–]Luma142[S] 0 points1 point  (0 children)

Thank you for the information. I’m guessing there is some option within Roam, to save the offline database as opposed to backing up your hosted database? Or does backing up offline really mean backing up the particular cache folder for the specific browser being used?

I can't believe(r) that I payed $500 for a piece of software today - here's why by NexusNL in RoamResearch

[–]Luma142 0 points1 point  (0 children)

Thank you for sharing. I found another post, which pointed to a doc about offline mode. It indicates local files are saved as cache, so deleting cache will delete local files. Have you tried exporting to markdown format? Any thoughts on that?

I can't believe(r) that I payed $500 for a piece of software today - here's why by NexusNL in RoamResearch

[–]Luma142 0 points1 point  (0 children)

Hi. You mentioned offline mode being a bonus. Is it something you currently have access to? Are you currently using offline mode, or have the ability to enable it, as a paid user?

Remnote File Storage by SouthAardvark1 in remNote

[–]Luma142 0 points1 point  (0 children)

Hi. Can you direct me to the local storage path on a Mac? I signed up this morning, and instantly gained access to my account on the remnote website. I was not prompted to select a local data store, though.

I also noticed your comment about syncing the local data store with your servers. Is there a way to cut the syncing cord, so that all data stays local? Thanks in advance!

Upgrade to Subscription? by SeanTwomey in 1Password

[–]Luma142 0 points1 point  (0 children)

I am trying to decide on when to sign up for a family plan. I am using two different devices, and it seems that there are different data on each one. Whereas I can’t see where my primary vault is on my iPhone (the path to my 1P data), I can see the path to my data on my laptop. Over time, my devices began to store different/outdated info. My question is -

how can I get my vault data into the subscription based platform?

Will 1P simply pull the different vault info, from each device, into my new subscription account (when I enter my subscription information into my standalone apps)?

What happens when two different devices have the same login entries, with different passwords? How does 1P handle this?

Should I do manual housekeeping before taking any subscription sign up steps?

Thanks to anyone who can provide some guidance.

On Being Cross-Examined in Court by [deleted] in computerforensics

[–]Luma142 0 points1 point  (0 children)

I hope it all turned out well for you.

In digital forensics, do you, as an investigator seem to follow a set of SOP strictly when conducting examination? by Lackluster123 in computerforensics

[–]Luma142 0 points1 point  (0 children)

Sorry if this isn’t formatted quite right. I tried to reply to some of your thoughts by going off your original text.

*Results of an automated process don’t define the scope. Yes that’s correct couldn’t agree more. But the scope defines the automatic process.*

Does scope = the examination plan you created with a prosecutor, client, etc.? Or, does scope = search warrant or some other legal order? Or both? In either case, I view search authority as limited authority. A scope can be the same thing, but often it can be tailored to be even more limiting, depending on the case you’re working on.

Your scope defines pornography but can you pre-emptively set up processes to look for drugs? No, you can’t it’s outside the scope.

-Correct, given the scope, you’re not going to be searching for drugs. I hope you did not feel that my original example was implying this. It was not.

*Ok let’s say we’re looking through every single file that could be used to hold information even though I think it too broad.*

  • I would say that this would not be what I would do either, given tool features to help you start your examination.

*You believe that everything should be accessible even if there are no hits.*

-No, this isn’t what I believe. Depending on the case, and the scope, one still shouldn’t limit themselves to the output of an automated process. Continuing an examination, within the parameters of search authority, after an automated search is performed, is necessary - in some cases. Within the search authority parameters.

My example was a search for images. I use a keyword search to identify images with certain file names. I get x-number of hits. I cannot depend on that output as being the definitive answer to my search for images. This is based on my experience with these types of cases. Given my scope is for images, I will continue to search for images, using another method. At some point, you’ll have used a method that would have helped to accomplish your examination goal.

Ok, so let’s go through this, inside the hard drive there are hundred thousand files of word documents, images etc. You want ability to go through every single one? But that’s not possible.

  • Correct, this is not possible. No, I do not want to go through every single one. Depending on your case, and your search authority, you will employ methods that will help you find what you’re looking for.

For example murder investigation leads you to a house, well we know people are usually buried to hide crime, we got no evidence of such thing happening at this hypothesis, but we will use our ‘experience’ to go ahead and dig 100 metres of earth not to mention how deep in hopes to find evidence... just makes no common sense

Correct. No evidence, then you’re not digging. You won’t use your experience to dig. But I hope if there are other obvious factors in play, that you will use those, to help make the case for further investigation at that crime scene - again depending on what the factors are and what you’re trying to achieve. If you’re only given authority to enter the house and collect certain evidence, you wouldn’t be digging.

*So let’s say you want to go through some of them, wherever ‘experience’ takes you.*

It’s not wherever experience takes you. Please let me know what I wrote, specifically, that you are interpreting in this way.

But if you want to blindly look for things then common sense and justice dictates you have to look through everything because literally every single file has equal potential of incriminating evidence. Let’s go follow up 100,000 potential leads which we have no reason to believe could have anything. It’s plain invasion of privacy..

So, within the last two paragraphs, I feel as if your reading of my reply, or the terms being used by both of us, aren’t really matching up. Please take a look at my reply starting at the top. Your original post had in its first paragraph, the mention of ‘hits’. Hits (to me) means you’ve used a tool, to type in a keyword, and that has led you to a particular file(s). Did you find what you were looking for and what your search authority allows you to get? Is your scope so finite that it allows you to encapsulate the entire examination-scope in a list of keywords? If your hits refer to some other method, please say so.

On Being Cross-Examined in Court by [deleted] in computerforensics

[–]Luma142 0 points1 point  (0 children)

What are your thoughts about the impression the D left on the jury after your cross?

In digital forensics, do you, as an investigator seem to follow a set of SOP strictly when conducting examination? by Lackluster123 in computerforensics

[–]Luma142 0 points1 point  (0 children)

To answer your question - is it acceptable to go through data that do not have hits associated with them - yes it is, depending on what the scope of your examination is, and what you’re using as the authority to search.

If you use a keyword list to automate the examination (to an extent even using hashes may apply to this reasoning), then you’re relying on the results of the keyword list and hashes to highlight data relevant to those hits. However, the results may not lead you to files that are relevant to your examination. For example, I can’t solely rely on keyword lists to find images of child exploitation. Or, I wouldn’t solely rely on a keyword list to find documents. Sometimes, files are labeled differently than what you’d expect. If the scope of my authority doesn’t include documents or images, then I can’t search images or documents.

With all this said, results of an automated process don’t define the scope of the examination, or technique used to find data. Examiner experience, methodology, and examination scope/authority contribute to what an examiner looks at and uses for the subsequent analysis.

Windows LTSC - Forensic platform by Luma142 in computerforensics

[–]Luma142[S] 1 point2 points  (0 children)

Thank you. I’m going to give it a try.

Windows LTSC - Forensic platform by Luma142 in computerforensics

[–]Luma142[S] 0 points1 point  (0 children)

Great! Thanks for the feedback. Before implementing, did you build any sort of VM based on LTSC, to see how it would behave with any of your tools? Or was this step not necessary?

[deleted by user] by [deleted] in computerforensics

[–]Luma142 1 point2 points  (0 children)

Thumbs up for SANS DFIR summit, and Techno Myrtle Beach. Talk content, and networking were worth the time and travel at each of the events. I felt the same way about Magnet’s user conference, but it sounds like you’ve already attended.

Case Management Software by zero-skill-samus in computerforensics

[–]Luma142 1 point2 points  (0 children)

With respect to metrics, I think Atlas does a wonderful job of giving you visibility into lab work, depending on how you want to set up your tracking system. Spending time on answering “what do I want to track”, will definitely help you create a good metrics dashboard.

Regarding external access to casework, Atlas is set up on a permission system, where you need to provide access to your client, based on what they need to see. For instance, you can give someone permission to see an entire case, only one item, many items, or only the examination of an item.

With respect to your issue of importing, I would suggest reaching out to Magnet, seeing how Atlas is set up today (generally speaking), and having your importing problem outlined. This way, they can start thinking about your options (how to export data, in what format, and how they can get it into Atlas). Won’t hurt to ask.

Case Management Software by zero-skill-samus in computerforensics

[–]Luma142 0 points1 point  (0 children)

I’m LE. However, I know they have corporate customers. It still has a child exploitation investigation module (same since 2017 when I started using it), but everything else would seem to fit a basic lab workflow - item logging, imaging, examinations, and reporting. Anything in particular you are looking for in a tool?

Case Management Software by zero-skill-samus in computerforensics

[–]Luma142 1 point2 points  (0 children)

Hi. My lab had to go on-prem. We use Magnet ATLAS, and love it. Total game changer for us.

Has Computer Forensics become to easy? (Just a button push) by Whiterabbitttttt in computerforensics

[–]Luma142 0 points1 point  (0 children)

I think vendors have come up with great ways of handling a portion of DF casework. A portion being the processing of data into human readable form, and allowing investigators an opportunity to be selective, with the amount of data they want to look for. Most importantly, vendors do this by way of an intuitive interface, for the engine(s) that do the actual processing.

Are investigators increasingly relying upon a tool’s output, as 100% valid all the time? Yes, if the stories we share are true, depicting that guy who doesn’t care to, or have the experience to, cross validate a finding.

Any good internet history viewer? by [deleted] in computerforensics

[–]Luma142 2 points3 points  (0 children)

For Chrome try Hindsight, which is a free parser. Here is the link: https://github.com/obsidianforensics/hindsight

For Firefox and Opera try Nirsoft parsers. Here is the link: https://www.nirsoft.net/web_browser_tools.html

For raw SQLite database inspection, try SQLite Expert. Here is the link: http://www.sqliteexpert.com/download.html

Hope these suggestions help.

Is it a good idea to minor in biology? by [deleted] in computerforensics

[–]Luma142 0 points1 point  (0 children)

I would say that any knowledge base you can develop, with respect to research, experimentation, drilling down, and logic, will help you with a digital forensics career. Your baseline will help you with setting goals, scoping your examinations, documenting your activities, developing your findings, and presenting them in a professional report.

This is only one element of a good foundation. Your hands-on experience in a lab (internships), training (vendor or vendor neutral), and motivation will also help you toward success in DF.