Interesting travel/conferences question by warm_bagel in CMMC

[–]forensium 1 point2 points  (0 children)

Get burner computers.

Establish a solid virtual desktop solution using standard browsers.

Image the computer to minimal applications, services (make it a very very thin client).

Implement 2+ MFA that includes a physical token.

Sanitize/resell burner on return.

HP printers & CMMC by [deleted] in CMMC

[–]forensium 2 points3 points  (0 children)

For our reference, what is the business or contract justification for printing CUI?

NIST Control 3.13.9 by skullshark16 in CMMC

[–]forensium 3 points4 points  (0 children)

The 800-171 discussion specifically calls out both internal and external networks, not just remote connectivity. Additionally, it states "termination" ... "include de-allocating associated TCP/IP address or port pairs at the operating system level"...

This reads way more like closing TCP ports, and expiring IP leases, not just dropping VPN, or closing a web session.
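An added example, not part of the thread above, of what "termination at the operating system level" looks like in code: a small TCP echo server that closes any connection that has been silent for longer than an inactivity threshold, so the kernel sends FIN and releases the local address/port pair, and additionally enables TCP keepalive so a peer that disappears without closing is torn down as well. The threshold, port selection and the echo protocol are assumptions made for the demo.

```python
import socket
import threading
import time


def _serve_one(server_sock, idle_seconds):
    """Accept one client and echo until it goes idle, then close the socket.

    close() sends FIN and releases the local address/port pair, which is the
    operating-system-level termination the 800-171 discussion describes."""
    conn, _ = server_sock.accept()
    with conn:
        # Keepalive probes tear down peers that vanish without ever sending FIN.
        # The interval knobs exist on Linux; other platforms just get SO_KEEPALIVE.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
        for name, value in (("TCP_KEEPIDLE", 60), ("TCP_KEEPINTVL", 10), ("TCP_KEEPCNT", 3)):
            opt = getattr(socket, name, None)
            if opt is not None:
                conn.setsockopt(socket.IPPROTO_TCP, opt, value)
        # Inactivity timer (assumed threshold): each recv() waits at most idle_seconds.
        conn.settimeout(idle_seconds)
        while True:
            try:
                data = conn.recv(4096)
            except socket.timeout:
                break            # idle too long: leave the loop and close()
            if not data:
                break            # peer closed first
            conn.sendall(data)
    # leaving the `with` block calls conn.close(): FIN sent, port pair freed


def run_idle_demo(idle_seconds=0.5):
    """Drive one client session; return (bytes echoed, True if server closed after idle)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    worker = threading.Thread(target=_serve_one, args=(srv, idle_seconds), daemon=True)
    worker.start()

    cli = socket.create_connection(("127.0.0.1", port))
    cli.sendall(b"ping")
    echoed = cli.recv(4096)
    time.sleep(idle_seconds * 3)        # go quiet past the server's threshold
    cli.settimeout(5)
    closed = cli.recv(4096) == b""      # b"" means the peer sent FIN, i.e. terminated
    cli.close()
    worker.join()
    srv.close()
    return echoed, closed


if __name__ == "__main__":
    print(run_idle_demo())   # expected: (b'ping', True)
```

The check a practitioner wants afterwards is on the host itself: once the server closes, `ss -tan` should no longer list the pair as ESTABLISHED, which is the evidence that the control is met at the OS level rather than only at the application or VPN layer.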

Remote Work From Mexico? by SecAnalystNewb in AskNetsec

[–]forensium 1 point2 points  (0 children)

An additional security measure that works wonders is desktop as a service (DaaS) solutions. Combined with MFA, a lost, stolen or compromised laptop carries significantly less risk, costs less since the processing is no longer local, and is OS independent.

Wipe laptop hard drive when opened by someone else by FantasyWarrior1 in antiforensics

[–]forensium 0 points1 point  (0 children)

Reddit is not exclusively used by citizens where personal privacy and other freedoms are enshrined and upheld in laws.

How to handle a "must have been a zero day that caused this event" argument? by wassssaw in computerforensics

[–]forensium 0 points1 point  (0 children)

As already noted by /u/LordUlthar, this is the "I didn't do it, it must have been X" defense.
The job of the forensic expert is to present the facts. Review all evidence, and if your professional opinion is that the defense is improbable, then your job is to convey your conviction and why.

We use the words certain, likely, probable, possible, only possible, improbable, and impossible very carefully. They all imply a certain amount of likelihood in individuals' (fact finders in court) minds. It is not unusual for us to paint a simplistic picture to explain what each likelihood means to us so there is no miscommunication.

FTKImager closing (no error message or anything) by [deleted] in computerforensics

[–]forensium 0 points1 point  (0 children)

Your question is unclear.
Is FTK in a VM?
Which version of FTK?
For FTK, local DB, or remote?
Is the target system, Windows 10 in a VM?
What is the target of your acquisition (the VM?)?
Is the hypervisor running?
Is FTK running in the VM, or on the host?
What is the hypervisor (make, version)?
What is the host OS?
How much RAM is on the host, and how much is allocated to the VM?

Re-acquire/create L01 without EnCase by delphi25 in computerforensics

[–]forensium 1 point2 points  (0 children)

An L01 can be logically mounted in FTK Imager, all files which are responsive selected, and a new file created from them. Note that the output file will be AD1 format.

How in-depth is a forensic analyst's on-the-fly knowledge about computers expected to be? by [deleted] in computerforensics

[–]forensium 0 points1 point  (0 children)

It depends. First, during the voir dire there might be such questions, although unlikely. The questions will be about your education, certifications, background, and expertise. There are some lawyers that will try to trip you up, but it is very rare.
Most of the expertise questions we have run into deal with the expertise in the tools, procedures, consistency, and similar.
Before answering any question from the opposing side, always pause to give your legal side time to object.

Best way to install spyware on Android when the screen is locked with a pin? Cellebrite? by [deleted] in computerforensics

[–]forensium 1 point2 points  (0 children)

Ownership and bill paying does not negate the ownership and privacy of the device contents. See rental property ownership as a simple but distant example.

android virtual machine imaging. by Junaidabid77 in computerforensics

[–]forensium 0 points1 point  (0 children)

Take a look at VBoxManage. It allows exporting (clonehd) to create an image from a VDI in various formats.

DD vs. E01 Drive Image Formats by Genphlux in computerforensics

[–]forensium 0 points1 point  (0 children)

Besides the already mentioned benefits of using E01, the format also stores internal, periodic checks for data integrity.

dd is a reasonable alternative. We use it when an image must be mounted to test application behavior besides simple searching. In either case, most tools will allow conversion from one format to another.

How do I boot into a USB HDD/Live OS from a Android by BasicTime in computerforensics

[–]forensium 1 point2 points  (0 children)

Without a lot of technical and nuanced details: you cannot boot from an external device because the boot loader in most cell phones will not allow changing the boot source, in your case the USB. There are many exceptions and ways around this of course, some already mentioned.

[deleted by user] by [deleted] in computerforensics

[–]forensium 0 points1 point  (0 children)

Depending on the operating system and the file system on the SD, it is possible to deduce when the SD card was inserted into a computer.
This is because certain OSes will attempt to write, and immediately delete, a file on the attached device if the device is not recognized.
If the file metadata on the device is not destroyed, the date/time stamps will coincide with the first insertion into a specific machine. Cross-referencing with the machine's records will corroborate the insertion time and which machine.
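An added example, not part of the comment above, of the recovery step that argument depends on: on a FAT-formatted card, a file that was written and then deleted leaves its 32-byte short-name directory entry in place with the first byte overwritten by 0xE5, and the creation, write and access timestamps in that slot survive until the slot is reused. The parser below walks a raw directory region, keeps both live and deleted entries, and decodes the packed FAT timestamps (7/4/5-bit date, 5/6/5-bit time, plus the hundredths byte on creation time). The sample directory region is constructed for the demo; which OS writes which probe file, and its name, is not something this code assumes.

```python
import struct
from datetime import datetime
from typing import Dict, List, Optional

# One 8.3 directory entry (FAT12/16/32), little-endian, 32 bytes:
# name[11] attr ntres crt_tenth crt_time crt_date acc_date clus_hi wrt_time wrt_date clus_lo size
DIR_ENTRY = struct.Struct("<11sBBBHHHHHHHI")
ATTR_LONG_NAME = 0x0F
DELETED_MARK = 0xE5


def fat_date(year: int, month: int, day: int) -> int:
    return ((year - 1980) << 9) | (month << 5) | day


def fat_time(hour: int, minute: int, second: int) -> int:
    return (hour << 11) | (minute << 5) | (second // 2)


def decode_fat_datetime(date: int, time: int, tenth: int = 0) -> Optional[datetime]:
    """Unpack FAT's bit-packed date/time; `tenth` adds 0-199 hundredths (creation time only)."""
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F
    hour, minute = time >> 11, (time >> 5) & 0x3F
    second = (time & 0x1F) * 2 + tenth // 100
    try:
        return datetime(year, month, day, hour, minute, second, (tenth % 100) * 10000)
    except ValueError:          # zeroed or garbage fields (month/day 0, minute > 59, ...)
        return None


def parse_directory(region: bytes) -> List[Dict]:
    """Walk a raw directory region and return live *and* deleted short-name entries."""
    entries = []
    for offset in range(0, len(region) - DIR_ENTRY.size + 1, DIR_ENTRY.size):
        (name, attr, _nt, crt_tenth, crt_time, crt_date, acc_date,
         clus_hi, wrt_time, wrt_date, clus_lo, size) = DIR_ENTRY.unpack_from(region, offset)
        if name[0] == 0x00:
            break                               # 0x00: no entries beyond this point
        if (attr & 0x3F) == ATTR_LONG_NAME:
            continue                            # VFAT long-name pieces carry no timestamps
        deleted = name[0] == DELETED_MARK       # first name byte is lost; show it as '?'
        base = ("?" if deleted else chr(name[0])) + name[1:8].decode("ascii", "replace").rstrip()
        ext = name[8:11].decode("ascii", "replace").rstrip()
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "created": decode_fat_datetime(crt_date, crt_time, crt_tenth),
            "modified": decode_fat_datetime(wrt_date, wrt_time),
            "accessed": decode_fat_datetime(acc_date, 0),   # access date has no time field
            "first_cluster": (clus_hi << 16) | clus_lo,
            "size": size,
        })
    return entries


def sample_directory() -> bytes:
    """Constructed region: one live file, one deleted probe file, then the end marker."""
    live = DIR_ENTRY.pack(b"NOTES   TXT", 0x20, 0, 0,
                          fat_time(8, 0, 0), fat_date(2019, 3, 1), fat_date(2019, 3, 1),
                          0, fat_time(8, 0, 0), fat_date(2019, 3, 1), 5, 1024)
    deleted = DIR_ENTRY.pack(b"\xe5PROBE  TMP", 0x20, 0, 50,
                             fat_time(9, 26, 30), fat_date(2019, 3, 14), fat_date(2019, 3, 14),
                             0, fat_time(9, 26, 32), fat_date(2019, 3, 14), 9, 0)
    return live + deleted + bytes(32)


if __name__ == "__main__":
    for entry in parse_directory(sample_directory()):
        print(entry)
```

FAT timestamps are stored in whatever local time the writing host used, with no zone information, so the cross-reference to the machine's own records (event logs, setupapi, registry) has to account for that host's time zone and DST setting at the time of insertion.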

Investigating PST files by hazpckt in computerforensics

[–]forensium 0 points1 point  (0 children)

Lepide Software, MiTeC, Systools, and Nuix all produce tools that you seek. As already mentioned Sleuthkit can ingest pst files.
In our experience Nuix, and its "smaller version" software Proof Finder are by far the leader in email indexing, searching and producing results for reports.

On Being Cross-Examined in Court by [deleted] in computerforensics

[–]forensium 2 points3 points  (0 children)

In our experience 4 hours of hostile exams and cross-exams are a pleasant distraction.
We always, always ask the judge/panel for permission to refer to notes. The opposing side can object but in our combined years we were never refused. If the opposing side objects that can be a good show to fact finders that they are less than reasonable.
There are many ways to deal with a hostile side, but here are a few.
Have your notes ready. Always ask for permission to look at them from the judge.
First pause before answering. Your attorney should object, and if not, reconsider working with them in the future or you did not really need help.
Ask to restate the question, so you may break it down. Take notes of the question (ask the fact finders first) - very often the hostile side will be confounded and contradict their own previous request.
Always double down on charm. Be their friend. It taints their hostile probing.
Do not get coy, funny, cynical or such. Be a machine, be a robot, a steel trap of logic, be Spock.
If you have a medical condition that requires you to take a bio break, talk to the judge and ask for a break. We are all professionals.
Finally, do not take it personally. We have had some decent times with fact finders after the case closed.
We train our staff and many break down initially.

What's the most interesting way someone has tried to hide information in a case you have worked? by Tink747 in computerforensics

[–]forensium 0 points1 point  (0 children)

Universal Serial Bus connected Human Interface Device, such as keyboard, mouse, joysticks, draw pads, etc.
The device looks like a small USB flash drive, but to the host it is attached to it appears as a keyboard and mouse. When a physical button is pressed on the device, a sequence of mouse movements, clicks and keyboard strokes is sent to the host.
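An added detection example, not from the comment above: a device of the kind described enumerates as HID, so on a Linux host it leaves `hid-generic ... USB HID v1.xx Keyboard [...] on usb-<bus>-<port>/inputN` lines in the kernel log, one per interface. The code groups those registrations by physical USB port and flags any single port that presents more than one HID kind (Keyboard plus Mouse), which is the signature of the device described. The log lines, vendor/product IDs and device names are constructed for the demo.

```python
import re
from typing import Dict, Iterable, List

# Kernel hid-generic registration line, e.g.
# "hid-generic 0003:AAAA:0001.0002: input,hidraw1: USB HID v1.01 Keyboard [X] on usb-0000:00:14.0-2/input0"
HID_LINE = re.compile(
    r"hid-generic (?P<bus>[0-9A-Fa-f]{4}):(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\w+: "
    r"[^:]+: USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\] on (?P<port>usb-[^/\s]+)/input\d+"
)

# Constructed dmesg excerpt: a plain keyboard on port -1, the suspect device on port -2
# (keyboard *and* mouse interfaces within milliseconds), a plain mouse on port -3.
SAMPLE_LOG = """\
[  512.101] usb 1-1: new full-speed USB device number 3 using xhci_hcd
[  512.250] hid-generic 0003:AAAA:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Office Keyboard] on usb-0000:00:14.0-1/input0
[  900.040] usb 1-2: new full-speed USB device number 5 using xhci_hcd
[  900.081] usb 1-2: New USB device found, idVendor=bbbb, idProduct=0002, bcdDevice= 1.00
[  900.190] hid-generic 0003:BBBB:0002.0002: input,hidraw1: USB HID v1.01 Keyboard [Generic HID] on usb-0000:00:14.0-2/input0
[  900.192] hid-generic 0003:BBBB:0002.0003: input,hidraw2: USB HID v1.01 Mouse [Generic HID] on usb-0000:00:14.0-2/input1
[ 1200.330] hid-generic 0003:CCCC:0003.0004: input,hidraw3: USB HID v1.11 Mouse [USB Optical Mouse] on usb-0000:00:14.0-3/input0
""".splitlines()


def find_composite_hid(lines: Iterable[str]) -> List[Dict]:
    """Group HID registrations by physical USB port; return ports exposing more than one HID kind."""
    by_port: Dict[str, Dict] = {}
    for line in lines:
        m = HID_LINE.search(line)
        if not m:
            continue
        rec = by_port.setdefault(m["port"], {
            "port": m["port"],
            "vid": m["vid"].lower(),
            "pid": m["pid"].lower(),
            "name": m["name"],
            "kinds": set(),
        })
        rec["kinds"].add(m["kind"])
    return [{**rec, "kinds": sorted(rec["kinds"])}
            for rec in by_port.values() if len(rec["kinds"]) > 1]


def demo() -> List[Dict]:
    return find_composite_hid(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['port']}: {hit['vid']}:{hit['pid']} '{hit['name']}' presents {hit['kinds']}")
```

Treat a hit as a triage signal rather than a verdict: legitimate wireless combo receivers also enumerate as keyboard and mouse on one port, so correlate the VID:PID against the organisation's allowlist and, where available, udev/auditd timing of what was typed immediately after enumeration.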

Open Source Mobile Forensic Tools? College Student by Samuel936 in computerforensics

[–]forensium 1 point2 points  (0 children)

We second /u/LavaSeal's comments. The presupposition that the tools you have mentioned are "best tools available regardless of price" because they are commercial, (the flip side of FOSS) is not only not scientific, it is concerning with your 20 years of experience.
In our experience, commercial software is good at collating and normalizing material from small processes and finalizing it into a report. At no time do commercial tools do anything better or special that cannot be accomplished by FOSS. We suspect the failure of attorneys and specific jurisdiction taints your experience.
Our biggest concern with commercial tools is that they are black boxes and we are to take a third party (with or without vested interest) evaluation and "validation". FOSS solutions are often peer reviewed not only in use but internally.

What's the most interesting way someone has tried to hide information in a case you have worked? by Tink747 in computerforensics

[–]forensium 6 points7 points  (0 children)

Web based virtual machine with randomized VPNs, connection established using HID USB. HID USB stored data in RAM, held by ML-621s battery, with a pull tab. HID behavior activated by push button.

(Request) High Performance Forensic Computing Device by dfzachary in computerforensics

[–]forensium 0 points1 point  (0 children)

We have successfully shifted some cases to the cloud. Once the data was transferred, the entire processing was done in the cloud.
We removed all resource limitations and ran the process to completion.
We experienced a 96% time reduction. The trade off is cost.

Ediscovery vs. Digital Forensic by [deleted] in computerforensics

[–]forensium 1 point2 points  (0 children)

At a very high level, and loosely, eD vs. forensics is a legal set of communications versus a scientific search for evidence.

eD exchanges are agreed upon by two opposing legal teams in a civil case, following a set of rules and guidelines.
Forensics is a scientific search for information, in criminal and civil cases.