
Questions tagged [forensics]

Computer forensics works to analyze information on computer systems in an attempt to find evidence regarding certain actions of a process, application, user or computer to determine the source of change within a host, network or device.

0 votes
0 answers
11 views

Is it possible to repair a corrupted partition table of a Bitlocker encrypted disk? [migrated]

Assuming a disk was full-disk encrypted using Bitlocker and the partition table is corrupted or entirely missing, is it possible in any way to recover from this, given that the original Bitlocker ...
Bob Ortiz • 6,715
0 votes
0 answers
9 views

How to properly determine if a Bitlocker encrypted disk has a corrupted partition table? [migrated]

Background: A Bitlocker encrypted hard disk (5TB WD Elements HDD USB) was accidentally wiped partially using the wiping tool Eraser Classic Portable (using the US DoD 7 passes method). The wiping ...
Bob Ortiz • 6,715
0 votes
0 answers
9 views

How to identify a GUID of a corrupted Bitlocker disk in order to find the corresponding Bitlocker recovery key? [migrated]

I have a situation where I have access to a huge list of Bitlocker recovery keys but only the combination of the identifier (GUID) and recovery key are available. However the disk in question is ...
Bob Ortiz • 6,715
0 votes
1 answer
57 views

Are there better methods of sustaining forensic integrity apart from disk hashing?

As far as I've heard, hashing a disk image before computer forensics is started, and then comparing that hash to a new hash after the forensics is finished is the most common way to make sure that ...
security_paranoid
1 vote
0 answers
35 views

forensics on memfd_create

I'm doing an IR on a Linux machine. The attacker has a trojan executed in memory; the file content is backed by a memfd_create based fd. My questions: How can I extract the contents from memfd? When a ...
daisy • 2,077
0 votes
0 answers
53 views

EEPROM with HDD calibration data

I understand that in a Hard Disk Drive (HDD) there is EEPROM which stores calibration data. This is not directly accessible by any ring-3 (usermode) or ring-0 (kernel mode) programs. I was curious as ...
user5623335
0 votes
0 answers
73 views

How do I start inspecting, in a basic way, what a socket is or was doing?

Exploring a plist related to a flash pop-up when booting, I found these folders: launchctl print gui/$(id -u)/com.apple.sharingd ... path = /System/Library/LaunchAgents/com.apple.sharingd.plist ...
nostromo
1 vote
1 answer
153 views

Can malware detect memory dumping?

Morning, I recently had need to check for malware on my PC by dumping the memory and searching for unwanted processes which could be malware. My question is: is it possible for malware to detect ...
Hopkins • 13
3 votes
1 answer
440 views

What can forensic analysts extract from a fully encrypted phone? [closed]

I was very disappointed to hear that my friend, who had his Android phone seized not too long ago, has had his phone broken by police forensics. As far as I know, it was a few years old, Samsung, and ...
Elizabeth Vogue
-2 votes
2 answers
709 views

Can Cellebrite be used to access any phone by the government? What is the point of encryption if they can get into any phone? [closed]

I'm currently studying forensics, and one thing that keeps coming up is the authorities breaking into phones. There are several third party tools they can use, but one of the most popular is '...
Elizabeth Vogue
1 vote
0 answers
179 views

Detecting hard-to-detect stalkerware - a theoretical question

Suppose you have a stalker and this person has access to professional advice. Suppose your Android phone was hacked by means of physical access, i.e. known unlock pattern or stolen password note, with ...
LiamNiam
0 votes
0 answers
27 views

Any idea on how this 36-character-long string was generated? [duplicate]

I have a personal id "U1KFhYtMqZhCYya6sy31PVLM8DlM5HLCkwy3". I have checked some hash functions but cannot make sure how this was generated. Is this just a random string generated with [a-zA-z0-9]?...
Slybot • 101
1 vote
0 answers
103 views

How to detect/trace if a Windows Live/PE was used on a system?

Is it possible to detect/trace if a Windows Live/PE is used on a system? Like with logs or dumps etc.
Pishtazan NowAndish Hadi
0 votes
0 answers
113 views

Can malware module be signed as Microsoft Corporation module?

In this security tutorial: https://youtu.be/dykc9YC9Z6U?t=257 the author claims that "sihost is a network component of the malware..." (at 4:23). Yet, prior to his claim, at 3:09 he shows ...
InfiniteLoop
1 vote
1 answer
321 views

How to forensically check if some data on .vmdk disk has been hidden/deleted?

I was presented with a task. I have a .vmdk disk available and I have to check its contents - forensically check the data on it without modifying it and then check whether some data on this disk has ...
Nejc Ahtik
