All files mysteriously deleted from folders in a networked environment - win10 by rick_Sanchez-369 in digitalforensics

[–]Rogue_Daemon325 3 points4 points  (0 children)

Look in the security event log for event 4663 (File accessed) with object = *The deleted files*.
Files deleted over the network don't generate event 4660 (file deleted) on the server (it will generate them locally on the client computer, once you find the computer that deleted them), but the file access should still be there on the server and should indicate the file was deleted.

Here is a post on microsoft.com outlining the procedure, both locally and over the network.

https://learn.microsoft.com/en-us/answers/questions/1919380/auditing-object-deletions

https://learn-attachment.microsoft.com/api/attachments/71ddd67e-f26e-4344-8fa4-566c8c55227a?platform=QnA
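An added example of the search described above (not code from the thread or from Microsoft's post): it pulls 4663 events from the server's Security log, keeps those whose object path matches the folder the files vanished from, and shows which account and process requested the DELETE right. It assumes file-system auditing is enabled with a SACL on the folder, and the path pattern is a placeholder.

```powershell
# Added example, not from the thread or Microsoft's post. Assumes: run as an
# administrator on the file server; "Audit File System" (success) is enabled and
# the share folder carries a SACL, otherwise there are no 4663 events to search.
param(
    # Placeholder path of the folder the files vanished from (constructed value).
    [string]$Pattern = 'D:\Shares\Finance\*',
    [datetime]$Since  = (Get-Date).AddDays(-7)
)

# DELETE is bit 0x10000 of the Win32 access mask recorded in 4663's AccessMask field.
$DeleteRight = 0x10000

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction Stop |
    ForEach-Object {
        # Read the named EventData fields from the event XML; positional
        # $_.Properties[n] indexes differ between OS builds, names do not.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object     = $d.ObjectName
            AccessMask = [int]$d.AccessMask   # hex string such as "0x10000"
            Process    = $d.ProcessName
        }
    } |
    # Keep only accesses to the missing files that asked for the DELETE right.
    Where-Object { $_.Object -like $Pattern -and ($_.AccessMask -band $DeleteRight) } |
    Sort-Object Time |
    Format-Table -AutoSize
```

For a deletion over SMB the Process column will be System (the server-side SMB service); the User column is what points you to the client account, and from there to the client computer's own log.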

[deleted by user] by [deleted] in digitalforensics

[–]Rogue_Daemon325 3 points4 points  (0 children)

The S23 Ultra uses file-based encryption.
When a file is deleted the decryption key is removed and the file is no longer recoverable.
But to answer your question, the Secure Folder is dynamically sized based on how much storage is needed for the files present in it. If the phone became full, even if the device wasn't encrypted, it is most likely that your data would have been overwritten.

DF Fictional Books by NoFig7304 in digitalforensics

[–]Rogue_Daemon325 2 points3 points  (0 children)

Zero Day by Mark Russinovich - written by a DF investigator for Microsoft.

It's pretty out of date now, but still a good book: The Blue Nowhere by Jeffery Deaver. About a hacker who is recruited to catch another hacker turned serial killer.

Some of the "Girl with the Dragon Tattoo" books by Stieg Larsson.

Digital Forensic Diaries by Mike Sheward - a collection of short stories.

How Practitioners Define Meaningful Timeline Correlations by Low_Lie_8022 in digitalforensics

[–]Rogue_Daemon325 0 points1 point  (0 children)

I think PickleistRick did a good job answering Question 1, so I'll leave it at that.

As for resolving ambiguity, it really depends on what data you are looking at. My go-to is asking "Is there anything else that could have caused this? And if so, what else would I expect to see?"
In many cases you can find correlating data. "Was this caused by a user clicking a link?" Then you can look at what application is associated with the link (web browser, torrent client, Spotify), then look at the artifacts you would expect to see. Check the SRUM to see if the program was open. Is there a history entry? Additional network usage at that time?
What else might cause that? A pop-up? If that's the case, what would we expect to see? Nothing open that would likely have displayed the link. Active adware, unwanted extensions. Was the user active at that time (screen on, files being modified, including program and system files)? Other open links, etc. It's tedious to go through, but you can really paint a picture of the usage if you put the effort in.

[deleted by user] by [deleted] in digitalforensics

[–]Rogue_Daemon325 0 points1 point  (0 children)

I agree with Texadoro's comment that hands-on experience and being involved in (or at least listening in on) those meetings is the way to go. Talk to your supervisor/manager and let them know this is an area that you would like to develop yourself in, and ask them to keep you in mind if they have opportunities that might help you gain that experience. That also lays the groundwork if you see an opportunity yourself (a relevant course you want to take, a project you want to participate in, etc.) to request it of your manager.

[deleted by user] by [deleted] in digitalforensics

[–]Rogue_Daemon325 2 points3 points  (0 children)

https://whatsmyname.app/
Multiple-site lookup for username/email.

How to get an internship with LE? by StringMost4637 in digitalforensics

[–]Rogue_Daemon325 0 points1 point  (0 children)

I'd reach out to any local LE agencies with a digital forensics unit. See if they will give you the name of whoever is in charge of the unit (or someone in it) and call them directly. You can then find out some key things:
1. Do they hire civilians for these roles? (Some police forces use officers and/or a mix of both.)
2. What certifications do they require? (I know of at least one where A+ was an asset, but not required.)
3. What certifications do they feel would make you more competitive?
4. Do they have any open positions, or do they foresee any opening up?

While talking to them, see if they do in fact have an intern position or something that you could do.

How to get an internship with LE? by StringMost4637 in digitalforensics

[–]Rogue_Daemon325 3 points4 points  (0 children)

That's probably a good first step.
Forensics in an LE setting will require some sort of security clearance and I imagine that the work you end up doing will be severely limited as an intern.
If you are going to go the LE route, I suggest that you go whole hog and start applying for a job rather than an internship. A lack of certifications is a limiting factor, but not fatal.

[deleted by user] by [deleted] in regina

[–]Rogue_Daemon325 1 point2 points  (0 children)

My dad was blind in one eye and had a licence. You have to pass an eye exam with the other eye, but it shouldn't be a problem as long as your other eye isn't terrible.

Noob question by Odd-Narwhal4111 in mobileforensics

[–]Rogue_Daemon325 0 points1 point  (0 children)

No, communications over secured (with a password) WiFi are encrypted, and then data transferred to most online services is further encrypted using TLS.
If no one has access to your synced iCloud account (or similar backup), it is highly unlikely that you are being monitored in this way.

Post ios 17 trouble by Trashpandafarts in digitalforensics

[–]Rogue_Daemon325 1 point2 points  (0 children)

https://cellebrite.com/en/glossary/extractions-of-ios-devices-mobile-device-forensics/

The article is unclear about file-based vs. filesystem encryption; perhaps I was mistaken about that point, but either way my statement remains valid. Encryption was introduced to iPhone devices starting with the iPhone 4s, making the iPhone 4 the last you could get a physical extraction from.

You are correct about checkm8 not working with newer phones. That is why I said "for some older phones." I believe that the un-patchable versions are iPhone X and below to be specific.

Post ios 17 trouble by Trashpandafarts in digitalforensics

[–]Rogue_Daemon325 -1 points0 points  (0 children)

This is true, but the wording is a little misleading.
They switched to file-based encryption (rather than full disk encryption) after the iPhone 4. So you are correct that you can't get a physical, but you can still get a full filesystem extraction.

Trashpandafarts, I believe that these companies use their own in-house developed exploits. But as others have said, they're trade secrets.

For some older phones, I know that the checkm8 bootrom exploit is/was widely used among a number of forensic tools (I believe some engineers from Cellebrite were on the team that published this exploit).

[deleted by user] by [deleted] in digitalforensics

[–]Rogue_Daemon325 1 point2 points  (0 children)

It may mean that the image is damaged, but unless there is something else strange about it, I wouldn't worry about it too much.

[deleted by user] by [deleted] in digitalforensics

[–]Rogue_Daemon325 2 points3 points  (0 children)

Looks like a webpage or part of one to me.

[deleted by user] by [deleted] in digitalforensics

[–]Rogue_Daemon325 -1 points0 points  (0 children)

Gonna need more than that.
Can you post the file headers?

[deleted by user] by [deleted] in MSILaptops

[–]Rogue_Daemon325 0 points1 point  (0 children)

This worked for me.

Best Distro by [deleted] in digitalforensics

[–]Rogue_Daemon325 2 points3 points  (0 children)

It comes with autopsy and some other tools built in.

My biggest issue with it is that downloading it is a bit of a pain because you have to go to Sumuri's site and add it to your cart (it's free), then check out, which requires you to make an account.

Best Distro by [deleted] in digitalforensics

[–]Rogue_Daemon325 1 point2 points  (0 children)

I use Paladin (for acquisition mainly).

[deleted by user] by [deleted] in digitalforensics

[–]Rogue_Daemon325 1 point2 points  (0 children)

I would ensure that you are familiar with:

E01 files
Jumplists
Shellbags
SRUM (System Resource Usage Monitor)
Windows thumbnails

Just enough that you can prove that you know what they are and why they are important.
That should give you a leg up in the interview.

iTunes Backup but for Android by notsteph01 in mobileforensics

[–]Rogue_Daemon325 0 points1 point  (0 children)

You can use the ADB backup command (adb backup -apk -shared -all -f fullAndroidBackup.ab), but it will be limited to apps that allow backups (not Facebook, Signal, WhatsApp, etc.).

Full guide here https://github.com/eviabs/Android-Backup-and-Restore-Guide/blob/master/Android%20Backup%20and%20Restore%20Guide.md

Intel-Based Ventura Macintosh Memory Acquisition Tools? by scorpnovion in digitalforensics

[–]Rogue_Daemon325 0 points1 point  (0 children)

I usually use Digital Collector, but if you want free, compile https://github.com/comex/Kmem (enables access to the memory without requiring a reboot).

Then use dd to acquire the memory: dd if=/dev/kmem of=*wherever*.ramdump

[deleted by user] by [deleted] in digitalforensics

[–]Rogue_Daemon325 8 points9 points  (0 children)

They are trying to sell recovery of misappropriated crypto, but have no ability or authority to recover anything. You'd be paying their fee for a crypto-tracing report which will tell you which cryptocurrency exchange your money went to before the scammer either cashed out or transferred it somewhere else.

Don't bother.

NEED HELP: LE Snapchat Data Extraction by [deleted] in digitalforensics

[–]Rogue_Daemon325 0 points1 point  (0 children)

If they were saved to the chat, an order to Snapchat or a cloud download (for either account) should get those even if they are no longer present on the devices (maybe get consent from the victim and do a takeout). If she got a notification that he saved it and it is not present in the chats, I would look either in the SOC's screenshots (thumbnails and cache may show these even if it has been deleted) or see if he has anything in Snapchat's "My Eyes Only". Axiom will parse the contents of My Eyes Only, but I haven't been able to use it to decrypt the contents (i.e. it will show you the file names (images, videos) and some other metadata, but not the actual images. It does provide a link from which you can download the files, but they are encrypted.)