actual condition of forensics in your country

Pied
(@pied)
Active Member
Joined: 18 years ago
Posts: 5
Topic starter  

Hi,

I'm Japanese and work in Tokyo.
In the forensic industry, I regard Japan as being behind other countries.
Please tell me the actual condition of forensics in your country.

Question
1. Do you usually do a physical copy (not imaging)?
Or do you copy data directly from the suspect HDD?

2. There are those who say that the products which take logs based on the thought of forensics are network forensic products.
Is it really network forensics?
What is the definition of "network forensics"?

3. What do you usually call a product like EnCase Enterprise? Live forensics?

4. Cell phones in Japan differ from those of other countries.
Since there is SIM lock, SIM cards are seldom used effectively in Japan.
Almost all users save the telephone directory, mail data, pictures, etc. on the memory.
Can the data deleted from the memory be investigated with an existing product like Paraben?
It is another matter whether it can be realized with a Japanese cell phone…

Thanks,
Pied


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

> 4. Cell phones in Japan differ from those of other countries.
> Since there is SIM lock, SIM cards are seldom used effectively in Japan.
> Almost all users save the telephone directory, mail data, pictures, etc. on the memory.
> Can the data deleted from the memory be investigated with an existing product like Paraben?
> It is another matter whether it can be realized with a Japanese cell phone…

Currently we can recover stored and deleted data from SIM/USIM, Smart/MMC cards and mobile telephones.


   
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

> 1. Do you usually do a physical copy (not imaging)?
> Or do you copy data directly from the suspect HDD?

Copies are always full physical copies made through a write-blocker such as FastBloc.


   
(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

Not sure what you mean by "physical copy (not imaging)", but as above, the copy is always an image of the complete hard drive bit for bit (EnCase physical image etc - not logical), using a write-blocker where possible, or if not then using a boot CD and network acquisition or suchlike.


   
_nik_
(@_nik_)
Trusted Member
Joined: 19 years ago
Posts: 93
 

> Hi,
>
> I'm Japanese and work in Tokyo.

Hi -

Instead of an answer to your question I was wondering what problems you encounter when dealing with Japanese evidence.
I would think that the text encodings and proprietary encoding/file formats are a big issue. Does any text indexing work? Or searching?

Thanks,
Nik


   
Eagle
(@eagle)
Active Member
Joined: 19 years ago
Posts: 6
 

Dear Pied,
Welcome from the Far East of Russia!

> 1. Do you usually do a physical copy (not imaging)?

I made a clone of the investigated HDD, using ILook IXimager or Norton Ghost in DOS mode from a boot CD, because I have no hardware write-blockers.

Computer forensics in my country is very young too :(


   
Pied
(@pied)
Active Member
Joined: 18 years ago
Posts: 5
Topic starter  

> Currently we can recover stored and deleted data from SIM/USIM, Smart/MMC cards and mobile telephones.

Do you mean mobile telephone as a built-in flash memory and so on?

> Copies are always full physical copies made through a write-blocker such as FastBloc.

> Not sure what you mean by "physical copy (not imaging)", but as above, the copy is always an image of the complete hard drive bit for bit (EnCase physical image etc - not logical), using a write-blocker where possible, or if not then using a boot CD and network acquisition or suchlike.

> I made a clone of the investigated HDD, using ILook IXimager or Norton Ghost in DOS mode from a boot CD, because I have no hardware write-blockers.

We usually use Solo3 (of ICS) and need two new HDDs.
Step 1: copy physical raw data from the suspect HDD to evidence HDD (1) with Solo3.
Step 2: make image data from evidence HDD (1) to another HDD (2) with Solo3.
Step 3: connect HDD (2) to the examiner PC.

But I have never read about that process here. 😯

In your process, where do you save image data? On the examiner's PC or on a removable HDD connected to the examiner's PC?
And do you always make image data from the suspect HDD to there directly, whether the case is criminal or civil?


   
Pied
(@pied)
Active Member
Joined: 18 years ago
Posts: 5
Topic starter  

> Instead of an answer to your question I was wondering what problems you encounter when dealing with Japanese evidence.
> I would think that the text encodings and proprietary encoding/file formats are a big issue. Does any text indexing work? Or searching?

Hi, Nik

There is no product made in Japan.
It is a very big issue for us to investigate Japanese OS.
I use some foreign forensic tools that support double byte.
But indexing and searching functions are of poor quality.

My English ability is poor too lol, so I fear that I have answered exactly to your question…

Thank you,
Pied
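
The double-byte searching problem raised in the two posts above, as an added example that is not part of the thread: a keyword has a different byte pattern in each Japanese encoding, and in Shift_JIS or EUC-JP a byte-level match can start on the trail byte of the previous character, which gives a false hit. The encoding list, the keyword, the sample buffer and all function names are assumptions made for the illustration.

```python
# Added example (not from the thread): keyword search across Japanese encodings.
ENCODINGS = ("cp932", "euc_jp", "utf-8", "utf-16-le", "utf-16-be")  # assumed set
KEYWORD = "日本語"  # constructed search term

def char_len(enc, b):
    """Byte length of the character that starts with byte b."""
    if enc == "cp932":
        return 2 if 0x81 <= b <= 0x9F or 0xE0 <= b <= 0xFC else 1
    if b == 0x8F:                       # euc_jp: three-byte JIS X 0212 prefix
        return 3
    return 2 if b == 0x8E or 0xA1 <= b <= 0xFE else 1

def aligned(data, pos, enc, lookback=64):
    """Walk forward from a sync byte; True if pos falls on a character boundary."""
    if enc not in ("cp932", "euc_jp"):
        return True                     # UTF-8 self-synchronises; UTF-16 not checked
    start = max(0, pos - lookback)
    for j in range(pos - 1, start - 1, -1):
        if data[j] < 0x40:              # never a lead or trail byte in either encoding
            start = j + 1
            break
    while start < pos:
        start += char_len(enc, data[start])
    return start == pos

def search(data, keyword=KEYWORD):
    """Return sorted (offset, encoding, aligned) for every byte-level match."""
    hits = []
    for enc in ENCODINGS:
        pattern = keyword.encode(enc)
        pos = data.find(pattern)
        while pos != -1:
            hits.append((pos, enc, aligned(data, pos, enc)))
            pos = data.find(pattern, pos + 1)
    return sorted(hits)

def build_sample():
    """Constructed buffer standing in for a slice of a raw disk image."""
    k = KEYWORD
    return (b"name=" + k.encode("cp932") + b"\x00"
            + b"title " + k.encode("euc_jp") + b"\r\n"
            + k.encode("utf-16-le") + b"\x00\x00"
            + b" \x82" + k.encode("cp932") + b"\x40")  # pattern starts on a trail byte

if __name__ == "__main__":
    for offset, enc, ok in search(build_sample()):
        print(f"{offset:6d}  {enc:10s}  {'hit' if ok else 'misaligned, likely false hit'}")
```

The alignment walk is a heuristic: it is only as good as the sync byte it finds within the lookback window, so a misaligned result marks a hit for manual review rather than discarding it.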


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

> Currently we can recover stored and deleted data from SIM/USIM, Smart/MMC cards and mobile telephones.

> Do you mean mobile telephone as a built-in flash memory and so on?

A number of mobile telephones today use a flash component, as opposed to for instance EEPROM, that holds user data from which it is possible to recover deleted and saved data. This recovery procedure can be used in addition to using read-only handset software. In some instances, where it is not possible to use read-only handset software, imaging the memory component may be at times the only way to acquire data.

Recovering deleted and saved data from memory devices such as SIM/USIM and Smart/MMC cards is standard practise.


   
Pied
(@pied)
Active Member
Joined: 18 years ago
Posts: 5
Topic starter  

> A number of mobile telephones today use a flash component, as opposed to for instance EEPROM, that holds user data from which it is possible to recover deleted and saved data. This recovery procedure can be used in addition to using read-only handset software. In some instances, where it is not possible to use read-only handset software, imaging the memory component may be at times the only way to acquire data.
>
> Recovering deleted and saved data from memory devices such as SIM/USIM and Smart/MMC cards is standard practise.

Dear trewmte,

Thank you for your response.
I would be glad if a tool that supports Japanese cell phones comes out on the market early.

Pied


   