±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36775
New Yesterday: 3 Visitors: 161

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Search found 7 matches

Physical extraction of iPhone 5S iOS 11.2.2

Post Posted: Dec 19, 19 15:30

Hello,

I have a client asking for evidence of copying WhatsApp messages to a separate device, as well as evidence of a user having illicit access to an email account after the password was changed ...
jparsont03
Topic: Physical extraction of iPhone 5S iOS 11.2.2
Replies: 1
Views: 1177
 

Re: Deleted files & user SID

Post Posted: Dec 05, 18 21:43

[quote="JimC"]If you are lucky, there may be evidence of the deletion in the $UsnJrnl. This will tell you who did the deleting and also what else was happening around the same time.

Check out:

[ ...
jparsont03
Topic: Deleted files & user SID
Replies: 11
Views: 4782
 

Re: Deleted files & user SID

Post Posted: Dec 03, 18 21:01

[quote="athulin"][quote="jparsont03"] Regarding time of deletion - checking the users/groups/rights on the system at a certain point in time, or over a date range. Can records such as these for certai ...
jparsont03
Topic: Deleted files & user SID
Replies: 11
Views: 4782
 

Re: Deleted files & user SID

Post Posted: Dec 03, 18 20:49

[quote="jaclaz"][quote="athulin"]
Administrators are a minor nuisance, but they also need to be covered. [/quote]

A very interesting sentence (if taken out of context) Wink Very Happy

@jparsont03
...
jparsont03
Topic: Deleted files & user SID
Replies: 11
Views: 4782
 

Re: Deleted files & user SID

Post Posted: Dec 03, 18 20:15

[quote="athulin"]
Why are you looking at the files? They will only tell you what rights users/groups had to perform read/write/etc. on the files themselves. Right to delete seems to have been added ...
jparsont03
Topic: Deleted files & user SID
Replies: 11
Views: 4782
 

Deleted files & user SID

Post Posted: Dec 03, 18 17:19

I am working on a project where I've been requested to prove that a certain user deleted files from a Windows PC. The PC is running Vista. I took a forensic image of the machine and I am examining in ...
jparsont03
Topic: Deleted files & user SID
Replies: 11
Views: 4782
 

Deleted data showing up as corrupt?

Post Posted: Nov 27, 18 21:03

I took a forensic image of a 500 GB PC hard drive using FTK Imager. The image was created successfully. I then processed the image in FTK 6.4 and ran data carving (no custom, just selected from the de ...
jparsont03
Topic: Deleted data showing up as corrupt?
Replies: 2
Views: 1147
 
Page 1 of 1