Fellow forensic members, I am in need of assistance in retrieving web history from a Kindle Fire.
I have used IEF and X-Ways but have come up short on my collection. The data is on the device as have verified via the interface. Any assistance would be appreciated.
Fellow forensic members, I am in need of assistance in retrieving web history from a Kindle Fire.
I have used IEF and X-Ways but have come up short on my collection. The data is on the device as have verified via the interface. Any assistance would be appreciated.
Are you having issues acquiring an image of the device (if this is the case see here)
http//www.forensicfocus.com/Forums/viewtopic/p=6566669/
http//
or interpreting the filesystem/artifacts/whatever?
jaclaz
Thank for your reply sir!
So that may be part of the problem. I can image the device via Imager which gets me a 5GB DD. (Maybe I am missing something as I have not rooted the device).
Then I import the DD in IEF and attempt to extract web history. I have tried the various ways - DD - File Dump - Files and Folders. All options give me no Web history. I have even pulled it into UFED as a Droid OS device…. finds Facebook artifacts and Images every time on both solutions but no Google Chrome History.
So that may be part of the problem. I can image the device via Imager which gets me a 5GB DD. (Maybe I am missing something as I have not rooted the device).
AFAIK the device has 8 (eight) Gb storage
http//
I would expect an 8 Gb dd image. ?
This CEIC 2013 paper from Guidance seems t o me like detailed enough to allow you to compare what you have gathered (and what you have done) with what you should get (and do)
https://
jaclaz
jaclaz - Thanks for your help. I have handled it in a manual fashion (if anyone is interested pm me). My worry with these methods, which are good ideas, would be what happens to the Kindle?
If I ROOT the device does this not change data on the device? Has anyone in the community produced something for court that has been ROOTED or JAILBROKEN?
Just curious as this is a real problem as the mobile world continues to grow.
Anyone?
I have handled it in a manual fashion (if anyone is interested pm me).
Why not posting it on the Forum publicly?
jaclaz
Depends on the court & the judge (and to some extent both side of the bar).
If you can demonstrate that the change you have made did not impact materially the evidence, and the exact changes you have made are well documented, there is no reason it is not "sound" evidence.
I hear this all the time, and it is goofy. In all forensics we "change" the evidence. We pick up that hair, dab the blood, and so on. Those are all changes.
jaclaz - Thanks for your help. I have handled it in a manual fashion (if anyone is interested pm me). My worry with these methods, which are good ideas, would be what happens to the Kindle?
If I ROOT the device does this not change data on the device? Has anyone in the community produced something for court that has been ROOTED or JAILBROKEN?Just curious as this is a real problem as the mobile world continues to grow.
Anyone?
Well said jhup. With all do respect as I do not know your background have you done this and presented for court?
as I do not know your background
http//www.forensicfocus.com/c/aid=66/interviews/2013/john-huperetes-senior-forensics-instructor/
jaclaz