LLIMAGER ( www.llimager.com ) was developed by e-Forensics and it is the macOS acquisition tool used in all of our Mac forensic imaging jobs.

The software was designed in response to restrictive trends associated with general macOS forensic imaging and current available solutions:

    -Substantial year-to-year price increases.

    -Less choices in pricing models.

    -The “dead box” option of expensive solutions often failing

    -Apple’s continuous OS security hardening that may make “dead box” imaging a thing of the past

LLIMAGER was designed to address the need for a low-cost, no-frills “live” forensic imaging solution for Mac computers, which acquires: a) active space from ALL APFS synthesized volumes, b) active space from HFS+ volumes, and c) targeted files/folders (logical images).

The application was developed to be user-friendly and easy enough for entry level digital forensics examiners. The application leverages built-in Mac utilities, providing a versatile solution compatible with a wide range of macOS versions, both past and present. This ensures that the tool remains functional across diverse system configurations and updates.

There seems to be no slowdowns in Business E-mail Compromise (BEC) attacks involving phished employees who are socially engineered into sending wire transfers to back actors. Generally, when faced with such incidents, corporations immediately resort to filing a claim with their carrier in the hopes of covering associated losses.

Once the carrier is called in, there are one of three possible outcomes related to the selection of the IT forensics company to selected: 1) carrier will use its forensics team, 2) carrier will give option to use its team or any of the insured's liking or 3) carrier will require insured to engage its own team.

As you wait for your carrier's response, here are some important aspects to consider when using the carrier's IT forensics vendor:

    -Limited control: When using the insurance carrier's vendor, you may have less control over the vendor selection process, their service quality, and their responsiveness.

    -Conflicting interests: The insurance carrier's vendor may prioritize the carrier's interests over yours, which might affect the investigation's outcome or recommendations.

    -Vendor familiarity: You may not be familiar with the carrier's vendor or their track record, which can make it difficult to gauge their expertise and reliability.

    -Limited customization: The carrier's vendor may offer a standardized set of services, which may not be tailored to your specific needs or preferences.

    -Potential delays: If the insurance carrier's vendor is handling multiple cases simultaneously, you may experience delays in their response and investigation times.

    -Confidentiality concerns: Sharing sensitive information with an external party appointed by your insurance carrier may raise concerns about how your data is handled, stored, and protected.

    -Relationship management: Since you did not choose the vendor, it might be more challenging to establish a strong working relationship and effective communication.

On the other hand, hiring your own IT forensics vendor offers several benefits:

    -Control and choice: You have the freedom to choose a vendor based on their expertise, reputation, and suitability for your specific needs.

    -Customized services: By selecting your own vendor, you can ensure that they provide tailored services to address your unique requirements.

    -Alignment of interests: Your chosen vendor is more likely to prioritize your interests and provide unbiased advice and recommendations.

    -Familiarity and trust: Choosing a vendor you're familiar with can help establish trust and confidence in their abilities and expertise.

However, hiring your own vendor may also come with its own challenges, such as potential complications with insurance coverage. It's essential to weigh the pros and cons of each option and consider your specific needs and circumstances before making a decision.

Computer memory is one of the most important sources of information to determine what activities were developed on a certain computer, including the details of said activity, such as its execution time, the programs that were being used and the processes associated with them. The forensic analysis of memory is essential in the investigation of computer malware attacks, but can also play an important role in any other type of investigation.

As opposed to the computer's hard disk, where information can generally be copied and extracted from the computer without altering its content by using certain forensic procedures, the information in the RAM memory is very difficult or in many cases practically impossible to extract without altering its content in some way. This is so, because it is not possible to extract anything from the memory if the equipment to which it corresponds has been turned off (in which case the RAM memory loses its content) and, because if the memory is active, the extraction program, however efficient and subtle it may be, needs to use a part of the very same memory to read the content of the rest. Even with this limitation, the analysis of the extracted information can be extremely valuable in any forensic investigation. For example, there may be traces of written letters that have been securely erased or from passwords or other confidential content. Likewise, evidence of attempted access to certain sites (local or Internet). Also, for cases of cyberattacks, memory forensics may represent the most crucial source of information, since it is common that the malicious codes that have infiltrated the computer are no longer found on the computer's disks, but only as residents in the memory of the computer.

Capturing RAM

There are several forensics applications specifically designated to capture the RAM memory, among them FTK Imager, EnCase Imager, Magnet RAM capture and others. Even for cases when the computer has been turned off, it is possible to obtain RAM information from the dump that the Windows system produces when the computer goes to sleep or is turned off. In these cases, it is about analyzing one of the files that will be present in the disk image: hiberfil.sys. This file reflects the contents of memory at a certain moment (for example, when the computer hibernated for the last time), depending on how the Windows system of the corresponding computer is configured. The process of this file presents some additional complications with the newer versions of Windows (from Windows 8 on), since it is compressed and must be previously unzipped before being analyzed.

Processing RAM

RAM is generally an unstructured memory space but there are some frameworks specially designated for its analysis. Perhaps the most known and used is Volatility, which is a framework that has been around since 2007. Using Volatility, it is possible to forensically examine RAM captures to determine processes running at the time of capture, their relations (parent-child), clipboard content, user sessions, active Windows services and other forensically usable information. Volatility framework works with Windows, Mac and Linux systems.