Posts

Showing posts from 2018

How to Explain Deleted Data: For Attorneys, Clients, Juries and More

How to Explain Deleted Data For Attorneys, Clients, Juries and More I was recently asked by a colleague for an analogy to help them explain how it was possible to recover data that a user had emptied from the Recycle Bin / Deleted. The question reminded me that it’s easy to slip into the belief that everyone inherently knows how stuff works. Attending forensic training and conferences, we sometimes forget that what appears to us to be basic and simple can sound like Star Trek: The Next Generation’s well-known technobabble, e.g. “Increase the neutrino stream to the warp engine transducers.” Completing reviews of digital data and finding new artifacts can be exhilarating for a forensic investigator. The feeling of accomplishment at finding the truth from the data is euphoric. That is the fun part. The truly difficult part comes when we have to explain the information verbally and in written form so that it is useful to those who need it most. The recipients can include management, cl...

Reviewing PDFs: Reports & Discovery

Quick Tip on Reviewing Report/Discovery PDFs Acrobat Document Scrolling Settings: Changing Acrobat so that documents are automatically set to Single Page Scrolling view as default This isn't my typical forensics blog, but I'm sure I'm not the only one who reviews numerous pages of reports/discovery before performing a forensic examination. If you are not reviewing reports prior to an exam, how do you know what you are looking for? I've always been annoyed by the default view in Acrobat: trying to scroll through a PDF and having it jump to the next page when I'm still reading the bottom of the previous page. I seemed to waste time changing the Page Display setting under View to continuous scrolling. Not only does this make it easier to read, but it also makes scrolling through an OCR'd PDF faster. This is especially true when scrolling with a wheel mouse, touchpad or on touchscreen computers. 1. ...

FB Messenger App (Android) Media Files Share Tracking

Facebook Messenger (Android) App Media Files Share Tracking In past blog posts, I've stressed the importance of testing and validating information. This post is no different. It's imperative that as a digital forensic investigator, we test apps from the user's perspective and then analyze what happens to the data behind the scenes. I recently had a case which featured a specific media file artifact located in the "fb_temp" folder of the Facebook Messenger app. At first glance, the assumption would be that the user must have sent this media to someone using the app. But we all know what happens when we assume. Below is the testing I conducted and the information I found that can help you track whether files or media were actually shared in the app and when. FACEBOOK MESSENGER TESTING METHODOLOGY A video was located in the Facebook Messenger app’s fb_temp folder on an Android phone. Since “temp” denotes a temporary folder, it was necessary to test Faceboo...

Timelines in P2P Forensic Cases

Timelines in P2P Forensic Cases 2018-03-11 Troy Schnack Creating a timeline of activity in a digital forensic (4n6) case can be vitally important to the ultimate goal of placing a person at the scene. In criminal 4n6 cases, the investigator, whether law enforcement or defense, is assigned the task of putting a “butt in the seat”. This blog is intended to help avoid the many misconceptions seen regarding dates / times (DT) on reports from both sides. We’ve all spent countless hours gathering various artifacts and combining the data into a timeline. I’ve used my past mistakes and testing to help you avoid the same errors. The sole intent of this blog is to help find the truth. Information and technology are continually changing. Please feel free to identify any incorrect conclusions or other errors on my part, as I’m always excited to learn. Brett Shavers (Blog) and others have written about our innate need to solve problems and the processes we can employ. 4n6 investigators...