Articles

Comprehensive Forensic Chat Examination with Belkasoft

Call logs, SMS messages, emails, social network communications and, of course, instant messenger chats can give you a lot of important information in the course of a forensic investigation. Let's see how one single chat product can be examined from different aspects, each of which gives one more – unique! – piece of the puzzle.

In our case, the suspect had Skype installed on his laptop and mobile device which were seized and investigated with Belkasoft Evidence Center 2017.

I Have Been Hacked

This article was inspired by an active discussion in one of the forensic listservs. The original post asked how to counter the argument “This is not me, this is malware”. The suspect had allegedly been downloading and viewing illicit child photos and denied it, explaining the presence of these photos by malicious software they presumably had. So how can you figure out whether or not the suspect’s computer has actually been subject to unauthorized activity?

SSD and eMMC Forensics 2016 - Part 3

In the previous part of the article, we talked about eMMC storage and external SSDs. We also mentioned TRIM when talking about the trimming behavior of eMMC. We will talk a bit more about TRIM this time and then move on to some real-life cases.

SSD and eMMC Forensics 2016 - Part 2

This publication continues the series started with an article on SSD forensics we published in 2012. We investigated the issues of SSD self-corrosion, demystified trimming, garbage collection and data remapping. Two years later, we revisited the issue. Back then, manufacturers released innovations in quick succession. 3D TLC, bigger and faster drives, the end of compressing controllers and the introduction of self-encrypting SSD drives were all big news. Fast-forward to 2016, and we have an abundance of cheaper SSD models with seemingly little change on the high-tech battlefront.

In addition to 2.5-inch models, we have seen a new popular form factor used in super-slim ultrabooks, and a new type of solid-state memory introduced by Samsung and used in many mobile devices. On the lower end of the spectrum, we are seeing eMMC chips being used in low-end Windows tablets and subnotebooks, where these chips take the place of traditional SSD drives. In this article, we will try to figure out what all this means for a forensic investigator.

As this publication is designed to continue the original series, we skipped most of the basics, including definitions. If you are at the beginning of your journey into the world of SSD forensics, please consider reading the original publications first. The information provided in the original series still stands.

SSD and eMMC Forensics 2016 - Part 1

This publication continues the series started with an article on SSD forensics we published in 2012. We investigated the issues of SSD self-corrosion, demystified trimming, garbage collection and data remapping. Two years later, we revisited the issue. Back then, manufacturers released innovations in quick succession. 3D TLC, bigger and faster drives, the end of compressing controllers and the introduction of self-encrypting SSD drives were all big news. Fast-forward to 2016, and we have an abundance of cheaper SSD models with seemingly little change on the high-tech battlefront.

In addition to 2.5-inch models, we have seen a new popular form factor used in super-slim ultrabooks, and a new type of solid-state memory introduced by Samsung and used in many mobile devices. On the lower end of the spectrum, we are seeing eMMC chips being used in low-end Windows tablets and subnotebooks, where these chips take the place of traditional SSD drives. In this article, we will try to figure out what all this means for a forensic investigator.

As this publication is designed to continue the original series, we skipped most of the basics, including definitions. If you are at the beginning of your journey into the world of SSD forensics, please consider reading the original publications first. The information provided in the original series still stands.

BelkaScript: How to Get Most out of Digital Forensic Software

Digital investigators nowadays have access to a wide array of solid forensic tools. Some of them offer mobile forensics only, some help with computer or laptop analysis, some – like Belkasoft Evidence Center – support all types of devices, but the task flow and product logic are more or less fixed in every product. If an investigator faces an unusual task, it is hard to solve within the workflow offered by a product. And unusual tasks are not that rare – we hear about them very often; just take a glance at various forensic forums.
In this article, we will discuss some real-life stories that involved cases hard to solve with the standard workflow in Belkasoft Evidence Center:
  • Good Employee, Bad Employee
  • Bar Fight
  • Digging Deep Inside Photos

However, solving them became possible with BelkaScript, a free built-in scripting module that allows users to write custom scripts to extend Evidence Center's capabilities. Scripts can be used to automate some of the routine (for example, reporting or chaining two operations together) or to extend the product’s functionality for a specific situation. But it most certainly does not end there, as we will now show with real-life examples.

The Future of Mobile Forensics: November 2015 Follow-up

Mobile forensics is a moving target. In our recent article, “The Future of Mobile Forensics”, we described acquisition techniques that were state-of-the-art at the time. Weeks later, some things had already changed. Three months after publication, a lot has changed. Our article was published on Forensic Focus and discussed in online forums, with readers pointing to certain inaccuracies in it. In this follow-up, we will use up-to-date information to address the issues of concern in the original article.

Countering Anti-Forensic Efforts - Part 2

In the first part of this paper we talked about the most common - and also some of the simplest - ways suspects can try to cover their tracks in an attempt to slow down the investigation. This part of the article is dedicated to some of the more advanced techniques that sometimes can really be challenging to deal with. Let's take a look at some of the possible workarounds when the data we are looking for was deleted or encrypted.

Countering Anti-Forensic Efforts - Part 1

Computer forensic techniques allow investigators to collect evidence from various digital devices. Tools and techniques exist that allow the discovery of evidence that is difficult to get, including destroyed, locked, or obfuscated data. At the same time, criminals routinely make attempts to counter forensic efforts by wiping data, deleting files, and faking or clearing logs, histories and other traces of their activities. Anti-forensic efforts are not limited to just that. In this whitepaper, we will give a brief overview of common anti-forensic techniques frequently used by suspects who are not high-tech specialists, and ways to counter them during the investigation.

What this paper does not discuss is the suspects’ use of advanced tools dedicated to countering forensic efforts. Instead, we will talk about the most common anti-forensic techniques. In this paper, we will move from easy to moderately difficult anti-forensic techniques, explaining who might be using these methods and how to counter them.

NAS Forensics Explained

Network Attached Storage (NAS) devices have a long track record of corporate deployments. Their scaled-down versions (ranging from single-bay to four-drive enclosures) are frequently used in homes and offices. These smaller-size appliances are often called “personal clouds” for providing some of the functionality of online cloud services.

More and more people prefer using their laptop computers at home instead of a full-size desktop. As many laptops are equipped with relatively small, non-expandable storage, NAS becomes an obvious and convenient way to increase available storage. In home environments, NAS devices are often used for keeping backups and/or storing large amounts of multimedia data such as videos, music and pictures, often including illicit materials. Due to the sheer size of these storage devices and their rapidly increasing popularity with home users, NAS forensics is becoming increasingly important.

When acquiring information from the suspect’s computer, investigators often face a challenge of extracting information also from all external storage devices. Why is NAS acquisition a challenge, and what can be done to overcome it?

Future of Mobile Forensics

Most would agree that the golden age of mobile forensics is over. There is no longer an easy way to get through the passcode in new iOS devices running the latest version of iOS. Chip-off acquisition is dead for iOS devices due to full-disk encryption, while physical acquisition of Apple hardware is dead since the introduction of 64-bit devices and versions of iOS 8 that cannot be jailbroken. Blackberries were highly resistant to chip-off acquisition from the beginning, and Android is getting there quickly. In this whitepaper, we will look into the current state of mobile forensics for the different platforms and devices, analyze current trends and attempt to predict how mobile forensics will look in the years ahead.

To gather these predictions, Belkasoft analyzed state-of-the-art tools, methods and hardware offered by leading manufacturers, and interviewed experts working for manufacturers of digital forensic products. Since manufacturers often specialize in specific areas (e.g. producing equipment for breaking iPhone passcodes), we questioned multiple representatives to be able to see the whole picture. Today, we are ready to share our findings.

Acquiring Windows PCs

In this publication, we will talk about the acquisition of Windows computers – desktops and laptops. This class of devices has its own share of surprises when it comes to acquisition. The obvious path of acquiring a Windows PC has always been “pull the plug, take the disk out, connect it to an imaging device and collect evidence”. Sounds familiar? Well, in today’s connected world things do not work quite like that.

In this article, we will have a look at the measures the investigator has to take before taking the disk out, and even before pulling the plug, and review Windows security measures and how they can work in combination with the computer’s hardware.

Capturing RAM Dumps and Imaging eMMC Storage on Windows Tablets

While Windows desktops and laptops are relatively easy to acquire, the same cannot be said about portable Windows devices such as tablets and convertibles (devices with detachable keyboards). Having no FireWire ports and supplied with a limited set of external ports, these devices make attaching acquisition media more complicated in comparison to their full-size counterparts. Equipped with soldered, non-removable eMMC storage, Windows tablets are extremely difficult to image while following the required forensic routine. Finally, the obscure Windows RT does not allow running unsigned desktop applications at all while restricting the ability to boot into a different OS, making forensic acquisition iffy at best.

In this article, we will have a look at how Windows-based portable electronic devices are different from traditional laptops and desktops, review new security measures and energy saving modes presented by Windows tablets and discuss hardware, methods and tools we can use to acquire the content of their RAM and persistent storage.

Kik Messenger Forensics

Kik Messenger is a popular free messaging app for all major mobile platforms. Available for Android, iOS and Windows Phone, Kik Messenger had a user base of more than 130 million users just a year ago. Today, the company claims over 200 million registered accounts, with another 250,000 users added each day. The messenger’s user base consists of teenagers and young adults. It is estimated that approximately 40 per cent of 13- to 25-year-olds in the United States are using Kik.

As a result, Kik Messenger has become one of the forensically important messenger apps. With hundreds of millions of users communicating with Kik on a daily basis, ignoring this popular messenger during an investigation may lead to missing important evidence. With Kik’s user base mostly consisting of teenagers and young adults, Kik messages can come in especially handy when investigating molestation cases.

Analyzing Windows Phone 8.1 JTAG and UFED Dumps

In recent months, we’ve started receiving calls from our customers asking us about extracting files and looking for evidence in binary dumps extracted from Windows Phone 8 devices. We’ve got dozens of requests from European police departments, especially those in Germany, Italy, and the UK, about extracting and analyzing JTAG and UFED-produced dumps of Windows phones. While in the past we were reluctant to work in this direction considering how small a market share these devices had, the recently published figure of every 10th device sold in Europe being a Windows Phone made us change our mind.

Forensic Analysis of SQLite Databases: Free Lists, Write Ahead Log, Unallocated Space and Carving

SQLite is a widely popular database format that is used extensively pretty much everywhere. Both iOS and Android employ SQLite as their storage format of choice, with built-in and third-party applications relying on SQLite to keep their data. A wide range of desktop and mobile Web browsers (Chrome, Firefox) and instant messaging applications use SQLite, including newer versions of Skype (the older versions don’t work anyway without a forced upgrade), WhatsApp, iMessage, and many other messengers.

Forensic analysis of SQLite databases is often concluded by simply opening a database file in one or another database viewer. One common drawback of using a free or commercially available database viewer for examining SQLite databases is the inherent inability of such viewers to access and display recently deleted (erased) as well as recently added (but not yet committed) records. In this article, we’ll examine the forensic implications of three features of the SQLite database engine: Free Lists, Write Ahead Log and Unallocated Space.

SSD Forensics 2014. Recovering Evidence from SSD Drives: Understanding TRIM, Garbage Collection and Exclusions

We published an article on SSD forensics in 2012. SSD self-corrosion, TRIM and garbage collection were little known and poorly understood phenomena at that time, while encrypting and compressing SSD controllers were relatively uncommon. In 2014, many changes happened. We processed numerous cases involving the use of SSD drives and gathered a lot of statistical data. We now know more about many exclusions from SSD self-corrosion that allow forensic specialists to obtain more information from SSD drives.

Recovering Destroyed SQLite Evidence, iPhone/Android Messages, Cleared Skype Logs

The SQLite format is extremely popular with developers. Android and Apple iOS are using SQLite extensively throughout the system, storing call logs, calendars, appointments, search history, messages, system logs and other essential information. Desktop and mobile versions of third-party apps such as Skype, Yahoo Messenger, eBuddy, PhotoBox, Picasa Explorer and hundreds of other tools are also using SQLite. Major Web browsers such as Mozilla Firefox, Chrome and Safari are using SQLite to store cache, downloads, history logs, form data and other information. With all those operating systems and applications relying heavily on SQLite, this database becomes one of the most important formats for digital investigations. Learn how Evidence Center helps investigators recover destroyed evidence stored in SQLite databases.

Detecting Altered Images

Are digital images submitted as court evidence genuine or have the pictures been altered or modified? We developed a range of algorithms performing automated authenticity analysis of JPEG images, and implemented them into a commercially available forensic tool. The tool produces a concise estimate of the image’s authenticity, and clearly displays the probability of the image being forged. This paper discusses methods, tools and approaches used to detect the various signs of manipulation with digital images.

Catching the ghost: how to discover ephemeral evidence with Live RAM analysis

Many types of evidence are only available in a computer’s volatile memory. However, until very recently, this additional evidence was often discarded. Approaching running computers with a “pull-the-plug” attitude used to be standard practice, without recognizing the amount of evidence lost with the content of the computer’s volatile memory. Certain information just never ends up on the hard drive, while other information may be stored securely on an encrypted volume with all the decryption keys conveniently available in the computer's volatile memory.

By simply pulling the plug, forensic specialists will slam the door to the very possibility of recovering these and many other types of evidence. Read about how to capture and analyze volatile data, learn how to make a RAM dump and perform a comprehensive analysis of the memory dump.

Why SSD Drives Destroy Court Evidence, and What Can Be Done About It

Solid State Drives (SSDs) introduced dramatic changes to the principles of computer forensics. Forensic acquisition of computers equipped with SSD storage is very different from how we used to acquire PCs using traditional magnetic media. Instead of the predictable and highly probable recovery of information the suspect attempted to destroy, we are entering the muddy waters of stochastic forensics where nothing can be assumed as a given.

Retrieving Digital Evidence: Methods, Techniques and Issues

This article describes the various types of digital forensic evidence available on users’ PC and laptop computers, and discusses methods of retrieving such evidence.

Interviews

Forensic Interviews project

Renowned experts in computer forensics, owners and executives of multiple forensic companies, investigators, software resellers and law enforcement officials give interviews to Yuri Gubanov, CEO of Belkasoft and computer forensic expert. Check out extremely interesting interviews with active or retired police investigators and experts from companies such as Digital Intelligence, Paraben, ADF Solutions, Videntifier, F-Response, Fulcrum Management, DFLabs and others!

Belkasoft CEO's interview to ForensicFocus

Yuri Gubanov gives an interview to the well-known online industry magazine about Belkasoft's history and its tools, and offers some predictions on the future of computer forensics.

Older articles

Forensic Instant Messenger Investigation

This article deals with the subject of forensic investigation of Instant Messenger histories: why it is needed, what messenger types there are, what difficulties are involved in investigating histories, and what tools can help overcome those difficulties.

Secure Instant Messenger Communication

These days Instant Messengers cannot surprise anyone. They are widely used by people with access to the Internet, by people of any age, gender and occupation. You can exchange jokes with your friends via your IM, discuss business questions with your colleagues, support your customers, make a date with your girlfriend, and even propose marriage through your favorite messenger. An important question arises immediately: How secure is all this communication? Are you and your recipient the only ones who can see your conversation? Can anybody else access your history, which is probably confidential, especially when it comes to business and personal matters? Can any malicious user, or your boss, or your parent learn your secrets?
