Repairing Hard Drive Logic Boards

Hard drives have been the gold standard in storage media for a very long time. However, that isn’t to say they are without faults or are not susceptible to damage or data loss. When these drives do fail, and there are no available backups, the consequences can be grave. This is especially true when the drive is of great evidentiary value or contains many hours of work product. Either way, shrugging your shoulders over the loss is not always acceptable. There are a number of potential factors that could have caused the drive failure. In this blog post, we will take a look at the easiest and least invasive repair we could attempt – swapping the drive PCB.


Giveaway: Learning Python for Forensics eBook

I have been hard at work the last few months developing code and writing chapters for my latest book with Chapin Bryce titled Python Digital Forensics Cookbook. Because of this, I must admit I have no new content to post to the blog this week. Instead, I am taking this as an opportunity to elicit feedback and suggestions. In exchange for that, I will be giving away eBook copies of my first book, Learning Python for Forensics, to two randomly chosen individuals.


Spotlight: Tracking a User’s Whereabouts with simplekml

The Spotlight series highlights useful Python libraries and their forensic application.

You’re no doubt aware that major technology companies, like our great benefactor Google, retain a great deal of data regarding their users. It shouldn’t come as much of a surprise considering how important users are to a company’s livelihood. Wouldn’t you want to know, if you could, every detail about your customers and who you do business with to better engage them? And as disturbing as that can be (have you seen Google’s location history timeline?), I think we can all agree that we have wished for similar omniscient-like knowledge in our investigations. I hate to disappoint you, but this isn’t a post about that.

One thing that can give us the appearance of omniscience is a history of the user’s whereabouts. It is hard, for example, to discount a mobile device’s reported location at the scene of the crime at the time the crime occurred when the user’s alibi places them a few towns over during that same time. In this day and age, who do you think you are fooling with the “My phone wasn’t with me” gimmick?


Recovering Data from Damaged USBs

What happens when you receive or take custody of evidence that ends up being non-functional? Without the right tools and training, the answer might be nothing. Perhaps the owner purposely tried to damage the device or it is due to some internal malfunction. Either way, data on these devices can be of great evidentiary value that proves or disproves previously held conclusions. And while there are an ever-growing number of data recovery shops, their services can be costly and may introduce significant lag time to a case.

Whether it is due to budget or time constraints, it may be worthwhile to assess the situation yourself (after getting permission from the appropriate authorities, of course). We will discuss a few methods we can use to extract data from a broken USB device. Please be aware that the methods we will discuss involve using high heat to separate the memory chip from the USB logic board. It is possible to further, and even irreparably, damage the device this way. Practice, as always, is key.


Hasty Scripts: Summarizing Installed Applications on Encrypted VMs

Virtual machines are everywhere, no longer confined to the corporate environment. It is not unheard of for consumers to use virtualization software on their personal devices these days. Examination of these VMs does not differ much from normal host investigations. Tools like FTK Imager support common virtual hard disk formats and can be used to preserve and review them. But what happens when a VM is encrypted and password-protected? Compound the issue with an uncooperative custodian and it may be time for more creative solutions. Thankfully, VMware, a popular virtualization program, can create an artifact on the host operating system that gives us insight into what applications are installed on the VM.


Hasty Scripts: Box Edit Log Parser

How often are you tasked with reviewing large data sets in less than ideal (or even terrible) formats? Everyone has likely had to review logs containing many tens of thousands of lines at one point or another. We may not have the time or budget (or patience) to review every line in a text editor. What do you do?
