Tuesday, September 22, 2020

Microsoft Teams artifacts and chat logs

Take a look at this location:

C:\Users\<username>\AppData\Roaming\Microsoft\Teams\IndexedDB\


On my workstation there is a folder at this location:

https_teams.microsoft.com_0.indexeddb.leveldb

Looking at the *.log file at this location


Open the .log file in Notepad++ <download>

File--> Open--> Path to 

"C:\Users\<username>\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb"

Open the .log file

Sample of the "000007.log" file in Notepad++

In Notepad++ with the .log file open --> Press "ctrl+F"

Searching for the value "renderContent" returned some messages logged from MS Teams.

Select Find All in Current Document

The find results show all lines containing the value "renderContent" followed by posted messages.

Sample recovered MS Teams messages


There are also other potential values of interest in this log including: 

"imdisplayname" 

"RichText/Html" (provides further chat and web content)

"meetingtitle"

Message time values: "composetime", "originalarrivaltime" and "clientArrivalTime"
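The Notepad++ search above is a manual string carve: the keys are plain ASCII inside an otherwise binary leveldb write-ahead log, so the message text can be read right after them. The script below is an added example (not from the post) that automates the same carve in Python. It scans the raw bytes for each key the post lists, takes the first printable run that follows, and keeps file offsets so a display name can be read alongside the message that follows it. The sample bytes are constructed to stand in for a fragment of 000007.log; the 300-byte window and the four-character minimum run length are assumptions you can tune.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Field names the post identified in Teams' IndexedDB leveldb .log file.
KEYS = (
    b"renderContent", b"imdisplayname", b"RichText/Html", b"meetingtitle",
    b"composetime", b"originalarrivaltime", b"clientArrivalTime",
)

# A run of printable ASCII (space..tilde) at least four characters long.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def carve_records(data: bytes, keys=KEYS, window: int = 300) -> List[Tuple[int, str, str]]:
    """Scan raw leveldb log bytes for each key and return (offset, key, value) tuples.

    The value is the first printable run found within `window` bytes after the
    key, with JSON punctuation ( ":= ) stripped from both ends. Results are
    sorted by file offset, which preserves the ordering seen in Notepad++.
    """
    found = []
    for key in keys:
        for m in re.finditer(re.escape(key), data):
            tail = data[m.end(): m.end() + window]
            run = PRINTABLE_RUN.search(tail)
            if not run:
                continue
            value = run.group().decode("ascii").strip('":= ')
            if value:
                found.append((m.start(), key.decode("ascii"), value))
    return sorted(found)


def group_by_key(records: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Collapse carved records into {key: [values...]} for quick review."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for _, key, value in records:
        grouped[key].append(value)
    return dict(grouped)


def carve_file(path: str) -> Dict[str, List[str]]:
    """Carve a .log file copied out of the Teams IndexedDB leveldb folder."""
    with open(path, "rb") as fh:
        return group_by_key(carve_records(fh.read()))


# Constructed sample standing in for a fragment of 000007.log: keys sit among
# length-prefix bytes and other binary noise, as they do in a real log.
SAMPLE_LOG = (
    b"\x00\x00\x00\x1a\x01\x02junk-before"
    + b"imdisplayname" + b"\x00\x0d" + b"Alice Example" + b"\x00\x00"
    + b"renderContent" + b'":"' + b"Meet at 3pm in room 204" + b'"' + b"\x00\x05\x01"
    + b"composetime" + b"\x00\x00\x18" + b"2020-09-21T14:03:11.000Z" + b"\x01\x00"
    + b"originalarrivaltime" + b"\x00\x18" + b"2020-09-21T14:03:12.417Z" + b"\x00"
    + b"meetingtitle" + b"\x00\x10" + b"Weekly sync" + b"\x00\x00\xff"
)


if __name__ == "__main__":
    for offset, key, value in carve_records(SAMPLE_LOG):
        print(f"{offset:6d}  {key:<20} {value}")
```

Two caveats when running this against a real profile: strings that the browser engine serialized as two-byte (UTF-16) text will not match the ASCII pattern and need a second pass with a UTF-16 pattern, and the neighbouring *.ldb files are normally block-compressed, so a plain string scan of them will miss content that the .log shows in the clear.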


This is a sample of the artifacts left on the workstation when not logged into MS Teams that could be of potential value in an examination. I also recommend checking out an article written a few months back at cyberforensicator <link>.


-Bryan


Monday, September 21, 2020

Video and Image Analysis - Authentication

Video authentication 

Video authentication is the process used to establish the trustworthiness of a digital video and to assure that the video hasn't been altered or tampered with.


Performing Authentication Examinations of Imagery and Videos

Review visible scene content:

  • Shadows
  • Lighting
  • Density
  • Texture/Patterns (skin and background pattern)
  • Gravity
  • Physical body details (hair, muscles, body curves)
  • Contact with other objects and body
  • Skin to skin contact
  • Imperfections on body
  • Consistencies/Inconsistencies


Visual scene content indicators include low-quality synthesized faces, visible splicing boundaries, color mismatch, visible parts of the original face, and inconsistent synthesized face orientations.

Review non-scene content:
  • EXIF info (duration, GPS, software writer, codec)
  • Comparing signatures of camera to video/image in question 
  • Behavior of file type (compression type) 
  • Reviewing binary structures and sequence of bytes in the hex of the file
  • Evidence of being opened in a video editor 
Viewing the EXIF data of a file

Structural analysis in the video forensic tool (link MEDEX forensics) showing that a video editing tool was detected in the structure of the video file.
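"Reviewing binary structures and sequence of bytes in the hex of the file" is the item in the non-scene list that benefits most from tooling. The script below is an added example, not code from the post or from MEDEX: a minimal ISO BMFF (MP4/MOV) box walker in Python that lists the box tree, the ftyp brands and the order of top-level boxes, which are the kind of structural features an examiner compares against a reference recording from the same camera model. The sample file bytes are constructed; the user-data atom named "©too" inside udta stands in for the sort of authoring-tool trace a structural tool would flag, and the set of container box types is an assumption that covers the common layouts.

```python
import struct
from typing import List, Optional, Tuple

# ISO BMFF/MP4 box types whose payload is itself a sequence of boxes (assumed set).
CONTAINER_BOXES = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"edts", b"dinf"}

# Each entry: (depth, box type, declared size in bytes, complete?)
Box = Tuple[int, str, int, bool]


def walk_boxes(data: bytes, start: int = 0, end: Optional[int] = None, depth: int = 0) -> List[Box]:
    """Walk the box tree of an MP4/MOV file, descending into container boxes.

    A box is an 8-byte header (big-endian 32-bit size, 4-char type) followed by
    its payload. size == 1 means a 64-bit size follows the type; size == 0 means
    the box runs to the end of its parent. A box whose declared size overruns
    the data is reported with complete=False instead of raising, because a
    truncated or hand-edited file is exactly what an examiner wants to notice.
    """
    end = len(data) if end is None else end
    boxes: List[Box] = []
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack(">I4s", data[pos:pos + 8])
        name = btype.decode("latin-1")
        header = 8
        if size == 1:
            if pos + 16 > end:
                boxes.append((depth, name, size, False))
                break
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:
            size = end - pos
        if size < header or pos + size > end:
            boxes.append((depth, name, size, False))
            break
        boxes.append((depth, name, size, True))
        if btype in CONTAINER_BOXES:
            boxes.extend(walk_boxes(data, pos + header, pos + size, depth + 1))
        pos += size
    return boxes


def top_level_layout(data: bytes) -> List[str]:
    """Order of top-level boxes, one of the cheapest structural signatures to compare."""
    return [name for depth, name, _, _ in walk_boxes(data) if depth == 0]


def ftyp_brands(data: bytes) -> Tuple[str, List[str]]:
    """Major brand and compatible brands of a leading ftyp box ('' and [] if absent)."""
    if len(data) < 16 or data[4:8] != b"ftyp":
        return "", []
    size = struct.unpack(">I", data[:4])[0]
    major = data[8:12].decode("latin-1")
    compat = [data[i:i + 4].decode("latin-1") for i in range(16, min(size, len(data)) - 3, 4)]
    return major, compat


def _box(btype: bytes, payload: bytes) -> bytes:
    """Build one box: size + type + payload (helper for the constructed sample)."""
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


# Constructed sample file: ftyp, then moov carrying a udta user-data box with a
# tool-name atom, then mdat. Real recordings differ per camera, which is the point.
SAMPLE_MP4 = (
    _box(b"ftyp", b"mp42" + b"\x00\x00\x00\x00" + b"mp42" + b"isom")
    + _box(b"moov", _box(b"mvhd", b"\x00" * 100)
                    + _box(b"udta", _box(b"\xa9too", b"example-editor 1.0")))
    + _box(b"mdat", b"\xff" * 32)
)


if __name__ == "__main__":
    for depth, name, size, ok in walk_boxes(SAMPLE_MP4):
        print(f"{'  ' * depth}{name}  size={size}{'' if ok else '  (TRUNCATED)'}")
    print("layout:", top_level_layout(SAMPLE_MP4))
    print("brands:", ftyp_brands(SAMPLE_MP4))
```

To use it on evidence, read the file with `open(path, "rb").read()` and run the same three functions on a known-good clip from the same camera model; a different top-level order, an unexpected brand, or a udta box the camera never writes are leads for the closer hex review the list calls for.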

References:

https://medexforensics.com/#applications-span

https://cognitech.com/

https://arxiv.org/pdf/2001.06564.pdf

Saturday, July 18, 2020

Downloading a DJI Drone flight log (from an iPhone)

Unmanned Aerial Vehicle (UAV) forensics

The first and best place to get information about a UAV is the controller device, be it an iPhone, iPad, or Android.

We will be looking at an unlocked iPhone and where to find the flight records.


1.  First, plug the iPhone into a computer that has iTunes and sync/connect the device.

2.  Select File Sharing in left column.

3. In the left window, select the DJI app installed on the device, which depends on the UAV model
(typically DJI Go or DJI Fly).  In this case, select DJI Fly.

4. Highlight the folder "FlightRecords" and save to local location.

5. View the saved Flight Records.  Each is saved as a binary (.txt) file with the date of the flight in the filename.

And a .dat file is saved in the MCDatFlightRecords folder:

6.  Convert the .DAT to a CSV with the DatCon tool.
Found at: DatCon download page
*requires Java to be installed

Run tool

Add the .DAT file from the MCDatFlightRecords folder and specify an output directory:

Hit GO!

CSV Saved

7.  View CSV

The CSV contains several columns of relevant data about the UAV, including direction, temperature, height, wind, battery, controller and other data of possible interest.


The GPS:Long and GPS:Lat columns list the position fixes alongside their dates.
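Once DatCon has produced the CSV, the next step in practice is to turn the GPS:Long/GPS:Lat rows into a track you can plot and summarize. The script below is an added example (not from the post or from DatCon) in Python: it loads the CSV, drops rows recorded before the receiver had a fix, computes a summary (fix count, bounding box, maximum height, duration, track length via haversine) and writes a GPX track that any mapping tool can open. GPS:Long and GPS:Lat are the column names the post shows; offsetTime and General:relativeHeight are assumed names for the time and altitude columns, so check them against your own export. The sample CSV rows are constructed.

```python
import csv
import io
import math
from typing import Dict, List

# GPS:Long / GPS:Lat come from the post; the other two column names are assumptions.
LON, LAT, TIME, HEIGHT = "GPS:Long", "GPS:Lat", "offsetTime", "General:relativeHeight"

# Constructed sample. The first two rows model "no fix yet" (blank cells or 0,0);
# whether a real export uses blanks, zeros or both should be checked per file.
SAMPLE_CSV = """\
offsetTime,GPS:Long,GPS:Lat,General:relativeHeight
0.0,,,0.0
0.5,0,0,0.0
1.0,-77.03650,38.89770,0.0
1.5,-77.03661,38.89782,12.5
2.0,-77.03683,38.89791,30.1
2.5,-77.03672,38.89805,22.0
"""


def load_fixes(csv_text: str) -> List[Dict[str, float]]:
    """Parse DatCon-style CSV text into a list of usable position fixes."""
    fixes = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            lon, lat = float(row[LON]), float(row[LAT])
            t, h = float(row[TIME]), float(row[HEIGHT] or 0)
        except (ValueError, KeyError, TypeError):
            continue  # blank cell or missing column: no fix on this row
        if lon == 0.0 and lat == 0.0:
            continue  # 0,0 is a "no lock yet" placeholder, not a real position
        fixes.append({"t": t, "lon": lon, "lat": lat, "h": h})
    return fixes


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def summarize(fixes: List[Dict[str, float]]) -> Dict[str, object]:
    """Headline numbers an examiner puts in the report."""
    if not fixes:
        return {"fixes": 0}
    track = sum(haversine_m(a["lat"], a["lon"], b["lat"], b["lon"])
                for a, b in zip(fixes, fixes[1:]))
    lats = [f["lat"] for f in fixes]
    lons = [f["lon"] for f in fixes]
    return {
        "fixes": len(fixes),
        "first": (fixes[0]["lat"], fixes[0]["lon"]),
        "last": (fixes[-1]["lat"], fixes[-1]["lon"]),
        "bbox": (min(lats), min(lons), max(lats), max(lons)),
        "max_height": max(f["h"] for f in fixes),
        "duration_s": fixes[-1]["t"] - fixes[0]["t"],
        "track_m": round(track, 1),
    }


def to_gpx(fixes: List[Dict[str, float]], name: str = "DJI flight") -> str:
    """Render the fixes as a GPX 1.1 track for plotting in a mapping tool."""
    lines = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<gpx version="1.1" creator="flight-csv-example" '
        'xmlns="http://www.topografix.com/GPX/1/1">',
        f"  <trk><name>{name}</name><trkseg>",
    ]
    for f in fixes:
        lines.append(f'    <trkpt lat="{f["lat"]:.6f}" lon="{f["lon"]:.6f}">'
                     f'<ele>{f["h"]:.1f}</ele></trkpt>')
    lines += ["  </trkseg></trk>", "</gpx>"]
    return "\n".join(lines)


if __name__ == "__main__":
    fixes = load_fixes(SAMPLE_CSV)  # replace with open(path).read() for a real export
    print(summarize(fixes))
    print(to_gpx(fixes))
```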

8. *Another method:
AirData - plot the data online

  • Airdata.com is a great site to upload the downloaded .txt file to and view the data from the UAV.
  • Create an account and select Upload to upload the .txt file from the FlightRecords folder.

Shows lots of data from the binary file!

Example

Friday, May 8, 2020

ANAB - Guiding Principles of Professional Responsibility for Forensic Service Providers and Forensic Personnel

Long title, great document:
https://anab.qualtraxcloud.com/ShowDocument.aspx?ID=6732

From the ANSI National Accreditation Board (ANAB), these are some great forensic principles for forensic work.

Guiding Principles of Professional Responsibility for Forensic Service Providers and Forensic Personnel

1. Are independent, impartial, detached, and objective, approaching all examinations with due diligence and an open mind.

2. Conduct full and fair examinations. Conclusions are based on the evidence and reference material relevant to the evidence, not on extraneous information, political pressure, or other outside influences.

3. Are aware of their limitations and only render conclusions that are within their area of expertise and about matters which they have given formal consideration.

4. Honestly communicate with all parties (the investigator, prosecutor, defense, and other expert witnesses) about all information relating to their analyses, when communications are permitted by law and agency practice.

5. Report to the appropriate legal or administrative authorities unethical, illegal, or scientifically questionable conduct of other forensic employees or managers. Forensic management will take appropriate action if there is potential for, or there has been, a miscarriage of justice due to circumstances that have come to light, incompetent practice or malpractice.

6. Report conflicts between their ethical/professional responsibilities and applicable agency policy, law, regulation, or other legal authority, and attempt to resolve them.

7. Do not accept or participate in any case on a contingency fee basis or in which they have any other personal or financial conflict of interest or an appearance of such a conflict.

8. Are committed to career-long learning in the forensic disciplines which they practice and stay abreast of new equipment and techniques while guarding against the misuse of methods that have not been validated. Conclusions and opinions are based on generally accepted tests and procedures.

9. Are properly trained and determined to be competent through testing prior to undertaking the examination of the evidence.

10. Honestly, fairly and objectively administer and complete regularly scheduled:

  • relevant proficiency tests; 
  • comprehensive technical reviews of examiners’ work; 
  • verifications of conclusions. 

11. Give utmost care to the treatment of any samples or items of potential evidentiary value to avoid tampering, adulteration, loss or unnecessary consumption.

12. Use appropriate controls and standards when conducting examinations and analyses.

13. Accurately represent their education, training, experience, and area of expertise.

14. Present accurate and complete data in reports, testimony, publications and oral presentations.

15. Make and retain full, contemporaneous, clear and accurate records of all examinations and tests conducted, and conclusions drawn, in sufficient detail to allow meaningful review and assessment of the conclusions by an independent person competent in the field. Reports are prepared in which facts, opinions and interpretations are clearly distinguishable, and which clearly describe limitations on the methods, interpretations and opinions presented.

16. Do not alter reports or other records or withhold information from reports for strategic or tactical litigation advantage.

17. Support sound scientific techniques and practices and do not use their positions to pressure an examiner or technician to arrive at conclusions or results that are not supported by data.

18. Testify to results obtained and conclusions reached only when they have confidence that the opinions are based on good scientific principles and methods. Opinions are to be stated so as to be clear in their meaning. Wording should not be such that inferences may be drawn which are not valid, or that slant the opinion to a particular direction.

19. Attempt to qualify their responses while testifying when asked a question with the requirement that a simple “yes” or “no” answer be given, if answering “yes” or “no” would be misleading to the judge or the jury.

MacOS - Property List Files

Property list or ".plist" files can contain relevant data for forensicating on Apple computers and iOS devices.

In a somewhat obscure parallel to how Windows stores configuration and settings in the Windows registry, Apple devices store system and user settings in .plist files.  These can show a user's preferences and/or how he/she uses an application.

Several plist files are created when a system or application is first run.  Aside from configuration info, plist files can provide information about recent items and recently accessed files.

Some plists of potential interest include:
* The tilde (~) means the currently logged-in user's folder (/Users/<username>).


  • Recent Apps in the Apple Dock 

~/Library/Preferences/com.apple.dock.plist


  • OS Version and Info

/System/Library/CoreServices/SystemVersion.plist 


  • Last Logged-in user

/Library/Preferences/com.apple.loginwindow.plist


  • Deleted Users

/Library/Preferences/com.apple.preferences.accounts.plist


  • User Interaction with Apple Finder

~/Library/Preferences/com.apple.finder.plist


  • Tracking volumes from the sidebarlist
~/Library/Preferences/com.apple.sidebarlists.plist


  • Shared files list and recent items
/Users/<username>/Library/Application Support/com.apple.sharedfilelist/


  • Recent Spotlight Searches
~/Library/Application Support/com.apple.spotlight.Shortcuts


  • Installed Updates
/Library/Receipts/InstallHistory.plist


  • List of users who can sign in
<VolumeUID>/System/Library/CoreServices/SystemVersion.plist


/<VolumeUID>/com.apple.installer/SystemVersion.plist

<VolumeUID>/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey

  • User Information
<VolumeUID>/var/db/CryptoUserInfo.plist
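Most of the files listed above are binary plists on a current macOS, and their layouts are nested dictionaries and arrays, so a generic way to read and flatten them pays off across the whole list. The script below is an added example in Python (not from the post): plistlib detects XML and binary plists by itself, the flatten step turns any plist into "dotted.key.path = value" pairs that can be searched without knowing the layout beforehand, and find_keys filters those paths. The sample plist is constructed in memory and round-tripped through the binary format; its key names (lastUserName, recent-apps, tile-data, _CFURLString) are assumptions modelled on com.apple.loginwindow.plist and the Dock plist and should be verified on a real system, but the parsing logic does not depend on them.

```python
import plistlib
from datetime import datetime
from typing import Any, Dict


def flatten(node: Any, path: str = "") -> Dict[str, Any]:
    """Flatten a parsed plist into {'dotted.key.path': leaf} so any file can be
    searched for values of interest without knowing its layout in advance."""
    out: Dict[str, Any] = {}
    if isinstance(node, dict):
        for key, val in node.items():
            out.update(flatten(val, f"{path}.{key}" if path else str(key)))
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            out.update(flatten(val, f"{path}[{idx}]"))
    else:
        out[path] = node
    return out


def load_plist(path: str) -> Dict[str, Any]:
    """plistlib.load() detects XML and binary plists itself, so no plutil
    conversion is needed before reading a file copied from a Mac image."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def find_keys(flat: Dict[str, Any], needle: str) -> Dict[str, Any]:
    """Case-insensitive substring filter on the flattened key paths."""
    needle = needle.lower()
    return {k: v for k, v in flat.items() if needle in k.lower()}


# Constructed sample (key names are assumptions, see lead-in). plistlib stores
# dates as naive datetimes in UTC, which is how they come back after parsing.
SAMPLE = {
    "lastUserName": "bryan",
    "lastLoginDate": datetime(2020, 5, 8, 13, 30),
    "recent-apps": [
        {"tile-data": {"file-data": {"_CFURLString": "file:///Applications/Notes.app/"}}},
        {"tile-data": {"file-data": {"_CFURLString": "file:///Applications/Terminal.app/"}}},
    ],
}
# Serialize to the binary format so the parse path matches real on-disk files.
SAMPLE_BINARY = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)


def parse_sample() -> Dict[str, Any]:
    """Parse the binary sample back and flatten it."""
    return flatten(plistlib.loads(SAMPLE_BINARY))


if __name__ == "__main__":
    import sys
    flat = flatten(load_plist(sys.argv[1])) if len(sys.argv) > 1 else parse_sample()
    for key_path, value in sorted(flat.items()):
        print(f"{key_path} = {value!r}")
```

Run it with a path argument to dump any of the plists from the list (for example ~/Library/Preferences/com.apple.dock.plist), then narrow with find_keys on a fragment such as "CFURLString" to pull out the file references.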