I'm renewing my request: I have images with AF stuff ready and need someone to verify it in fully licensed software. Please could anyone check it for me?
They’re waiting on-line, anyone interested please send me an email and I'll give all details
I would be very grateful for any help
Many Thanks
Pajkow
Forgot to mention, the original thread for this is here
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2998
Most of the people willing to help then did not come back to me, although I've sent images on CDs
Hi Pajkow, sorry I can't help you with your request, but the topic of anti-forensics is very interesting & no doubt challenging. Some of my thoughts below.
Typical examination: Let's say you have a computer image obtained when the HD is mounted with write-protection enabled & examine the image (which would be a copy of the original image, I might add) using forensic software (X-Ways, FTK). You locate pictures, documents, cached websites or whatever is of interest for the investigation & you bookmark these. This would all be factual.
At the end of the examination you run a hash check (we use Gizmo) to make sure your MD5 hash or whatever hash set algorithm you use matches the original.
You create a statement of facts to state what you located/observed & can present results in court where your methodology is asked to be explained.
On the topic of anti-forensics, with reference to Wikipedia, one recent anti-tool technique targets the integrity of the hash that is created to verify the image. By affecting the integrity of the hash, any evidence that is collected during the subsequent investigation can be challenged. Source of this was an Anti-Forensic Presentation given to Lockheed Martin.
This doesn't make sense anyway… "By affecting the integrity of the hash, any evidence that is collected during the subsequent investigation can be challenged". Yes, that would be expected, but why would you want to affect the integrity of the hash while the hard drive is being imaged, say in FTK Imager or X-Ways imager?
It's not a forensically sound way of doing things. You'd expect & hope the hard drive is connected to an examination computer via a Tableau with write-protection enabled.
Dear Robbo747
I know all of this and I have done all of this already lol
The reason I asked the forensic community to do this is to check whether in fully licensed software it is possible to find more. Obviously experience in the profession also matters.
Images are available on-line and also the list to fill in what was found. Only analyze and fill it in. Maybe you can be tempted.
It takes only 40 mins to do all of this? lol
So anyone?