e-Forensics Releases LLIMAGER, the Ultimate macOS Imaging Solution!

Posted by Jesus Pena | e-forensics Inc.

LLIMAGER (www.llimager.com) was developed by e-Forensics and is the macOS acquisition tool used in all of our Mac forensic imaging jobs.

The software was designed in response to trends associated with general macOS forensic imaging and current available solutions:

    -Substantial year-to-year price increases.

    -Fewer choices in pricing models.

    -The “dead box” option of expensive solutions often failing.

    -Apple’s continuous OS security hardening, which may make “dead box” imaging a thing of the past.

LLIMAGER was designed to address the need for a low-cost, no-frills “live” forensic imaging solution for Mac computers, capable of capturing the entirety of a synthesized disk, including volume unallocated space, as macOS sees the disk with its partitions mounted.

The application was developed to be user-friendly and easy enough for entry level digital forensics examiners. The application leverages built-in Mac utilities, providing a versatile solution compatible with a wide range of macOS versions, both past and present. This ensures that the tool remains functional across diverse system configurations and updates.

_____________________________________________________________________________________________

Insurance Carrier's Forensics Team or Your Own?

Posted by Jesus Pena | e-forensics Inc.

There seems to be no slowdown in Business E-mail Compromise (BEC) attacks involving phished employees who are socially engineered into sending wire transfers to bad actors. Generally, when faced with such incidents, corporations immediately resort to filing a claim with their carrier in the hope of covering the associated losses.

Once the carrier is called in, there are three possible outcomes related to the selection of the IT forensics company: 1) the carrier will use its own forensics team, 2) the carrier will give the option of using its team or any of the insured's liking, or 3) the carrier will require the insured to engage its own team.

As you wait for your carrier's response, here are some important aspects to consider when using the carrier's IT forensics vendor:

    -Limited control: When using the insurance carrier's vendor, you may have less control over the vendor selection process, their service quality, and their responsiveness.

    -Conflicting interests: The insurance carrier's vendor may prioritize the carrier's interests over yours, which might affect the investigation's outcome or recommendations.

    -Vendor familiarity: You may not be familiar with the carrier's vendor or their track record, which can make it difficult to gauge their expertise and reliability.

    -Limited customization: The carrier's vendor may offer a standardized set of services, which may not be tailored to your specific needs or preferences.

    -Potential delays: If the insurance carrier's vendor is handling multiple cases simultaneously, you may experience delays in their response and investigation times.

    -Confidentiality concerns: Sharing sensitive information with an external party appointed by your insurance carrier may raise concerns about how your data is handled, stored, and protected.

    -Relationship management: Since you did not choose the vendor, it might be more challenging to establish a strong working relationship and effective communication.

On the other hand, hiring your own IT forensics vendor offers several benefits:

    -Control and choice: You have the freedom to choose a vendor based on their expertise, reputation, and suitability for your specific needs.

    -Customized services: By selecting your own vendor, you can ensure that they provide tailored services to address your unique requirements.

    -Alignment of interests: Your chosen vendor is more likely to prioritize your interests and provide unbiased advice and recommendations.

    -Familiarity and trust: Choosing a vendor you're familiar with can help establish trust and confidence in their abilities and expertise.

However, hiring your own vendor may also come with its own challenges, such as potential complications with insurance coverage. It's essential to weigh the pros and cons of each option and consider your specific needs and circumstances before making a decision.

_____________________________________________________________________________________________

Memory Forensics

Posted by Jesus Pena | e-forensics Inc.

Computer memory is one of the most important sources of information for determining what activities took place on a given computer, including the details of said activity, such as its execution time, the programs that were being used and the processes associated with them. The forensic analysis of memory is essential in the investigation of computer malware attacks, but it can also play an important role in any other type of investigation.

As opposed to the computer's hard disk, whose information can generally be copied and extracted without altering its content by following certain forensic procedures, the information in RAM is very difficult, and in many cases practically impossible, to extract without altering its content in some way. This is because nothing can be extracted from memory once the corresponding equipment has been turned off (in which case the RAM loses its content), and because, if the memory is active, the extraction program, however efficient and subtle it may be, needs to use a part of that same memory to read the content of the rest. Even with this limitation, the analysis of the extracted information can be extremely valuable in any forensic investigation. For example, there may be traces of written letters that have been securely erased, or of passwords or other confidential content, as well as evidence of attempted access to certain sites (local or Internet). Also, in cases of cyberattacks, memory forensics may represent the most crucial source of information, since it is common for the malicious code that has infiltrated the computer to no longer be found on the computer's disks, but only resident in the computer's memory.

Capturing RAM

There are several forensics applications specifically designed to capture RAM, among them FTK Imager, EnCase Imager, Magnet RAM Capture and others. Even in cases where the computer has been turned off, it is possible to obtain RAM information from the dump that the Windows system produces when the computer goes to sleep or is turned off. In these cases, it is a matter of analyzing one of the files that will be present in the disk image: hiberfil.sys. This file reflects the contents of memory at a certain moment (for example, when the computer last hibernated), depending on how the Windows system of the corresponding computer is configured. Processing this file presents some additional complications with newer versions of Windows (from Windows 8 on), since it is compressed and must first be decompressed before being analyzed.

Processing RAM

RAM is generally an unstructured memory space, but there are some frameworks specifically designed for its analysis. Perhaps the best known and most widely used is Volatility, a framework that has been around since 2007. Using Volatility, it is possible to forensically examine RAM captures to determine the processes running at the time of capture, their relations (parent-child), clipboard content, user sessions, active Windows services and other forensically usable information. The Volatility framework works with Windows, Mac and Linux systems.
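As an added example that is not part of the original post, the following Python reconstructs the parent-child process relations mentioned above from a process list of the kind a Volatility pslist-style plugin reports. The rows are constructed for illustration and the field layout is an assumption, not Volatility's actual output format; the script also goes slightly beyond the text by flagging processes whose parent is missing from the list, a routine check when reviewing a capture.

```python
from collections import defaultdict

# Constructed sample rows (pid, ppid, image name), not from a real capture.
# The fields mirror the PID / PPID / name columns a pslist-style plugin
# reports; the exact text layout of real plugin output is assumed here.
SAMPLE_PROCESSES = [
    (4, 0, "System"),
    (368, 4, "smss.exe"),
    (520, 368, "csrss.exe"),
    (600, 368, "wininit.exe"),
    (700, 600, "services.exe"),
    (716, 600, "lsass.exe"),
    (1312, 700, "svchost.exe"),
    (2048, 1900, "explorer.exe"),  # parent 1900 is absent from the list
    (3100, 2048, "notepad.exe"),
    (3344, 1312, "svchost.exe"),
]

def build_tree(processes):
    """Return (children, orphans): children maps ppid -> spawned pids;
    orphans are pids whose parent is absent from the capture (the parent
    exited, as userinit does after starting explorer, or the list is
    incomplete), a routine question when reviewing a RAM process list."""
    pids = {pid for pid, _, _ in processes}
    children = defaultdict(list)
    orphans = []
    for pid, ppid, _ in processes:
        children[ppid].append(pid)
        if ppid != 0 and ppid not in pids:
            orphans.append(pid)
    return children, orphans

def render(processes, root_ppid=0):
    """Indented, depth-first text tree; orphans are shown as extra roots."""
    names = {pid: name for pid, _, name in processes}
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    children, orphans = build_tree(processes)
    lines = []
    def walk(pid, depth):
        tag = f" [parent {parent_of[pid]} not in list]" if pid in orphans else ""
        lines.append("  " * depth + f"{names[pid]} ({pid}){tag}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in sorted(children.get(root_ppid, [])) + sorted(orphans):
        walk(root, 0)
    return lines

if __name__ == "__main__":
    print("\n".join(render(SAMPLE_PROCESSES)))
```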

_____________________________________________________________________________________________

Mac OS X Spotlight

Posted by Larry Britton | e-forensics Inc.

Digital Forensics, Computer Forensics, Windows Forensics, Miami, Fort Lauderdale, e-Forensics

Spotlight is Apple’s Mac OS X content indexing and search feature. Like any other desktop search technology, it is aimed at helping the user find files and folders on the computer. Spotlight indexes all the files and folders on a volume, storing indexed metadata about filesystem objects to deliver rapid and widespread searching capabilities across the volume. The stored file or folder information includes standard filesystem metadata, MAC times (Modified, Accessed, Created) as well as at least part of the file-internal metadata, which varies according to the type of file, for example EXIF info for photos or Word-specific metadata for MS Word files. These databases are created by OS X and later on each volume the machine can access, including flash drives. Most recent versions of Spotlight also store information at the user level.

Apple Unified Log (AUL)

Posted by Jesus Pena | e-forensics Inc.


Apple Unified Logging was first implemented in macOS Sierra (10.12), launched in September 2016. With it, Apple introduced a log system that is present not only on its laptops and desktops, but also on iOS devices (iPhone, iPad, iPod), Apple Watch and Apple TV. The purpose was to unify and standardize the OS system logs.

Apple Unified Logs contain information useful for all sorts of forensic analysis, such as user logins, use of the Terminal, processes that were running in the context of certain events of interest, records of Time Machine backups including start and end times, network usage, external media used (mount and unmount events), connections of printers or iPhones, e-mail account syncs and, in general, data for most user interaction with the system.

Android Forensics - What Lawyers Should Know

Posted by Larry Britton | e-forensics Inc.


Unlike iPhones, Android phones are produced by a plethora of makers, in many brands and models, from very simple to high-end devices; nevertheless, they share similar security protection measures when we are dealing with new devices or new Android OS versions. In fact, like iPhones, Android device content is encrypted and protected from being accessed by mechanisms other than those officially provided by Google (Android) or by the corresponding phone maker. Thus, even if the physical memory were extracted, the decryption key would still be required.

Windows Shellbags

Posted by Larry Britton | e-forensics Inc.


When a user changes the view mode or position of folders in the Windows graphical interface, the new view remains available because Windows remembers that information in the Windows Registry keys known as “Shellbags”. Perhaps more importantly, Shellbags store timestamps for some of the changes, making it possible to determine access chronology. Like other Windows artifacts, Shellbags are not intended to register user activity per se; they are simply a Windows feature designed to streamline the user interface.
Shellbags are one of the most useful artifacts in identifying user activity related to IP theft, spoliation and violation of corporate policies related to access of information assets.

iPhone Forensics - What Lawyers Should Know

Posted by Jesus Pena | e-forensics Inc.


While the common procedure to forensically process a laptop or desktop involves an image of its data repositories (meaning the disk or disks where the information handled by the device, including its OS, is stored), this is not the case when the device is a smartphone. Although in this post we address only iPhones, this limitation is common to Android smartphone devices, which will be discussed in a future post.

Suspect Intellectual Property Theft?

Posted by Lautaro Barrera | e-forensics Inc.


Intellectual property theft pertains to the absconding of inventions, or of creative processes, methods or expressions, which include proprietary products/services and trade secrets.

Normally, intellectual property (IP) theft using electronic means is achieved by transferring or copying the IP to portable devices or cloud repositories. For example, the thief may use his personal e-mail account, or a personal cloud storage account.

Windows Jump Lists

Posted by Jesus Peña | e-forensics Inc.


The Windows Operating System and some software applications offer functionality designed to optimize user experience and improve performance. One such feature is known as Jump Lists.

Digital Forensics in the COVID-19 Era

Posted by Jesus Peña | e-forensics Inc.


As a result of the pandemic, the past year has presented unique challenges across most industries worldwide. With directives to quickly -- and in many cases permanently -- relocate on-premises laptop workstations, or to remotely access desktop workstations from employees’ homes, IT security personnel have found themselves having to safeguard these systems across different networks.

Together HR and IT can strengthen the most important wall: The HUMAN FIREWALL

Posted by Jesus Peña | e-forensics Inc.


With all the talk about walls, we forget the most important one for every business: The Human Firewall. What is this Human Firewall? It’s comprised of each and every employee or contractor who works within your network and who is being targeted by dedicated nefarious hackers to get access to your bank account or intellectual property.

Essential Artifacts Source: USB Devices

Posted by Jesus Peña | e-forensics Inc.


One of the key elements in forensic analysis triage is dealing with inserted USB devices. The importance of uncovering artifacts associated with inserted USB devices is simple: it’s one of the most common, quickest and easiest means of stealing company intellectual property.

Handling A Former Employee's Computer

Posted by Jesus Peña | e-forensics Inc.


IP theft matters against former employees and wrongful termination lawsuits have something in common: the former employee's computer will likely hold valuable evidence. Unfortunately, most of the time the computer will be re-imaged (software reloaded) and put back into production for the new hire.

Cyber Security Partnerships

Posted by Jesus Peña | e-forensics Inc.


Companies are increasingly budgeting for employee cyber security training and awareness with an emphasis on detecting and responding to social engineering and spear phishing attacks. As businesses mitigate against new threats, there is always the question of whether or not their trading partners are adequately protected.

Solid-State Drives = Reduced Forensics Costs

Posted by Jesus Peña | e-forensics Inc.


Newer desktops and laptops are coming standard with solid-state drives (SSD). Solid-state drives are computer storage devices that differ greatly from hard disk drives (HDD), which have moving mechanical parts. Solid-state drives contain integrated circuits, similar to the architecture of USB flash drives.

CONTACT

  • 305.667.4603
  • 305.667.4472
  • info@e-forensicsinc.com
  • 2000 S. Dixie Highway, #206
  • Miami, Florida 33133
