
Posts

Showing posts from 2017

One is Silver and the other Gold

Working cases this last week, an old song we sang as kids at summer camp has been on my mind. The lyrics went something like this:

    Make new friends, but keep the old
    One is silver and the other gold

The same sentiment applies to the forensic world. Rephrased:

    Find new artifacts, but keep the old
    One is silver and the other gold

The recent cases I've worked have included new mobile tech we all need to know and learn. The thing is, they almost always include PCs as well, and many times some kind of P2P program, from Ares and eMule to BitTorrent. Without fail, I continue to lean on the basic forensic knowledge I learned all those years ago in my first forensic training course in 2002. Basic metadata like OS file dates/times cannot be properly interpreted without knowing the version of Windows running on the system (e.g., Last Accessed timestamps after Windows XP). Foundation

Hide It Pro App Forensics - Android

Welcome to my first blog post. Following #DFIR on Twitter has convinced me it's about time I started sharing some information with the community. Luckily, I ran across some good info during a recent investigation. Using the data below, I hope to save someone else a lot of time if you run across this app during your own investigations. I came across some questionable images on an Android phone. The problem was, they were located in a folder I wasn't familiar with: ProgramData\Android\Language\.fr\Pictures. Like many forensicators, not knowing is maddening. Using the all-powerful Google, I found a clue as to the app that created them. Thanks to Shubham Chaudhary and his post, I found out the odd folder is created by the Google Play app Hide It Pro. It is very important to understand how an app works and how it is viewed by a user before digging into the bits behind the curtain. If you don't understand how an ap
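As an added example (this is not code from the post or from Hide It Pro), here is a small Python script that locates the vault folder named above inside an Android file-system extraction and inventories what is in it. The only fact it takes from the post is the folder path ProgramData\Android\Language\.fr\Pictures; the extraction layout under storage/emulated/0 and the sample files are constructed here so the script runs offline. Files are typed by their magic bytes rather than their extension, so a picture that has been renamed to look like something else is still recognized and flagged.

```python
"""Added example, not part of the original post: inventory the Hide It Pro
vault folder in an Android file-system extraction.

Assumptions (not from the post): the extraction root and the
storage/emulated/0 prefix are hypothetical; the sample files are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Folder path observed in the post, written with forward slashes.
VAULT_RELATIVE = Path("ProgramData/Android/Language/.fr/Pictures")

# Magic-byte signatures for image types commonly found in a photo vault.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Extensions that legitimately correspond to each sniffed type.
EXT_ALIASES = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes; 'unknown' if no signature matches."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def find_vault_dirs(extraction_root: Path):
    """Yield every directory whose trailing components match the vault path.

    Matching on the tail rather than the full path copes with the folder
    living under /sdcard, /storage/emulated/0 or a vendor-specific mount.
    """
    tail = VAULT_RELATIVE.parts
    for dirpath, _dirnames, _files in os.walk(extraction_root):
        p = Path(dirpath)
        if p.parts[-len(tail):] == tail:
            yield p


def inventory_vault(extraction_root: Path):
    """Return one record per file in each vault folder found under the root."""
    records = []
    for vault in find_vault_dirs(extraction_root):
        for f in sorted(vault.rglob("*")):
            if not f.is_file():
                continue
            data = f.read_bytes()
            records.append({
                "path": str(f.relative_to(extraction_root)),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "magic_type": sniff_type(data[:16]),
                "extension": f.suffix.lower().lstrip("."),
            })
    return records


def extension_mismatch(record) -> bool:
    """True when the sniffed type is known and the extension does not match it."""
    if record["magic_type"] == "unknown":
        return False
    return EXT_ALIASES.get(record["extension"]) != record["magic_type"]


def build_sample_extraction() -> Path:
    """Constructed sample data (not real case data) in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="android_extract_"))
    vault = root / "storage" / "emulated" / "0" / VAULT_RELATIVE
    vault.mkdir(parents=True)
    # A JPEG with a normal name.
    (vault / "IMG_0001.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    # A PNG whose extension was changed; magic bytes still identify it.
    (vault / "notes.txt").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    # A file outside the vault must not be inventoried.
    dcim = root / "storage" / "emulated" / "0" / "DCIM"
    dcim.mkdir(parents=True)
    (dcim / "real.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 8)
    return root


if __name__ == "__main__":
    for rec in inventory_vault(build_sample_extraction()):
        flag = "  <-- extension mismatch" if extension_mismatch(rec) else ""
        print(f"{rec['sha256'][:16]}  {rec['size']:>6}  {rec['magic_type']:<7} "
              f"{rec['path']}{flag}")
```

Point it at a real extraction by calling inventory_vault(Path("/path/to/extraction")) instead of the constructed sample; the SHA-256 column is there so the hashes can be checked against known-file sets before anyone has to view the content.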