Saturday, August 12, 2017

Field Project Investigations

Conducting a technology review/audit before commencing field projects is an important task in order to understand the 'technology estate' owned and/or operated by an organisation. It is for revelation purposes: to comprehend [legacy] technology as stand-alone or interconnected/intra-connected with [current] technology and, significantly, whether and how legacy technology has been ported over to operate, via applications/software, with current technology. So more information has been posted. This is for the purposes mentioned previously, dealing with cases requiring 'field project investigations' (from installs to troubleshooting). I am sharing these .pdfs because I found forensics became one of the tools to be applied during investigations and not the main tool. Knowing the background details (tech spec, set-up, log files, install procedures, etc.) helps to understand "why an artefact was there".

To read the posts -

Latest Updates: Institute for Digital Forensics

- Windows Registry Reference
- Apple Reference Cards and iPad iOS7 Quick Guide
- USB Guide & USB Key Guide
- Hardware Configuration Dell Precision WorkStation
- Legacy DOS
- 100 Windows 8 Keyboard Shortcuts
- 100 Chrome Tips

Institute for Digital Forensics - Previous Updates

- Tron Commands
- Malware, Junkware, Virus
- Checking Implemented Security
- Backups
- Troubleshooting, Tips and Guides
- Windows NT Server Resource Reference
- Admin Tools To Know and Explained
- Corrupted Registry
- Windows Resource Kit Reference
- Fasteners
- Projects - Win 10
- Projects - Win 8
- Projects - Win 7
- Vulnerabilities in Critical Evidence Collection
- Imaging with Image-X: The Ghost Killer
- A Guide for the Forensically Sound Examination of a Macintosh Computer
- Interpol's Forensic Report on FARC Computers and Hardware
- Reducing Data Lifetime Through Secure De-allocation
- Realising - Risk Sensitive Evidence Collection
- Notes on Computer Systems and Operating Systems
- Finding Child Porn in the Workplace
- Drafting Electronic Evidence Protocols
- Data Hiding in Journaling File Systems
- Investigation of Protected Electronic Information
- Electronic Evidence: The Ten Commandments
- Electronic Evidence Best Practices
- Laws of evidence in criminal proceedings throughout the European Union
- Evaluating Commercial Counter-Forensic Software
- Hacking into computer systems
- Windows device interface security
- NSA Redacting with Confidence: How to Safely Publish Sanitized Reports
- Reproducibility of Digital Evidence
- Windows Memory Analysis
- Secure Deletion Myths
- Spoliation of Evidence
- Forensic Discovery
- VMware to boot cloned/mounted hard disk images
- Volume Serial Numbers: Format Verification Date/Time

Wednesday, July 26, 2017

Eternal Blues - SMBv1

Newspapers, TV, radio and the Internet have been full of reports about the ransomware attacks WannaCry, NotPetya and so on. This short article is not going to repeat those reports but to acknowledge that there is a new FREE tool, "Eternal Blues", that helps businesses and consumers to find out, at the push of a button and a scan of the network, whether Server Message Block (SMB) version 1 (SMBv1) is enabled on each host and thus whether the host might be vulnerable to attack. Knowing this enables businesses and consumers to take action to close down a potential threat. As Elad Erez confirmed to trewmte blogspot:
"Please note that having the SMBv1 in use, does not mean a host is vulnerable. SMBv1 was patched by Microsoft 4 months ago. So, the tool helps you find if hosts are in one of these states:
- SMBv1 enabled, but patch not applied, therefore host is vulnerable (the riskiest scenario)
- SMBv1 enabled and patch applied, therefore host is not vulnerable (but it is still risky to keep SMBv1 enabled, even according to Microsoft)."
To get a brief insight to SMBv1, here is the link to Microsoft's website discussing how to disable it:
To find out about Eternal Blues visit website:
To get this FREE tool go to Download webpage:
When running this discovery tool consumers can see an IP address range. Really easy-to-follow and understandable advice can be found here: " - Private Network IP Address Notation"
For businesses with different IP Address ranges check out, as a starting point, FAQs webpage here:
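One way to check, and then remediate, the SMBv1 state of a single Windows host from the defender's side, as an added example (this is not code from the post or from the Eternal Blues tool; the cmdlet availability by Windows version and the registry fallback are assumptions):

```powershell
# Added example (not from the post or from the Eternal Blues tool): report the
# SMBv1 state of the local Windows host and, optionally, disable it.
# Assumes Windows 8 / Server 2012 or later for the Smb* cmdlets; on older
# systems the LanmanServer registry value is used instead. Run elevated.

function Get-Smb1Status {
    $status = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        ServerSmb1     = $null   # SMBv1 server protocol enabled?
        FeatureState   = $null   # SMB1Protocol optional feature (Win 8.1/10), if present
        ActiveSmb1Sess = 0       # clients currently connected with a 1.x dialect
    }

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $status.ServerSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
        # Sessions negotiated at dialect 1.x show which legacy clients would
        # stop working if SMBv1 were switched off; review these before disabling.
        $status.ActiveSmb1Sess = @(Get-SmbSession -ErrorAction SilentlyContinue |
            Where-Object { ($_.Dialect -split '\.')[0] -eq '1' }).Count
    } else {
        # Windows 7 / Server 2008 R2 fallback: an absent SMB1 value means the
        # protocol is enabled (the default on those systems).
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SMB1
        $status.ServerSmb1 = ($null -eq $val) -or ($val -ne 0)
    }

    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $status.FeatureState = $f.State }
    }
    [pscustomobject]$status
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            # Registry path: takes effect after a reboot.
            Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                -Name SMB1 -Type DWord -Value 0 -Force
        }
    }
}

Get-Smb1Status | Format-List
Disable-Smb1 -WhatIf   # preview only; drop -WhatIf to actually disable SMBv1
```

Disabling SMBv1 is the hardening step; it does not replace applying the Microsoft patch, which is the separate state Eternal Blues reports on.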
Good luck, stay safe!

Big shout out for Elad Erez (Eternal Blues) for creating this FREE tool.

Tuesday, July 25, 2017

New iPhone 7 passcode unlock tool

Obviously this is causing a bit of excitement. 

I have been keeping an eye on two websites selling this product but yet to find any customer feedback. Enquiries so far have drawn a blank response.

Interesting to see what Apple will have to say on this access method?

Sunday, July 23, 2017


Smart Switch is a useful back-up and restore tool for particular user content on various (but not all) Samsung smartphones. To coin a phrase, the program "does what it says on the tin". For general user back-up and restore of certain data it avoids the need for uploading to the cloud.
We've been running some tests to see if the Samsung Smart Switch back-up/restore utility could be used for capturing forensic images from, e.g., the J3. The program was initially checked using CFF to inspect the internals and find files guarded by MD5 and SHA-1:
Before forensic examinations were undertaken, we ran tests as a user and purchased 3 x J3.
The J3 handsets were UK versions:
We see the US versions are compatible for use with Samsung Knox for BYOD:
This is an early evaluation, so the post is just a heads-up so you can check within your organisation/s.
This post is not a legal notice or anything else.

Saturday, July 08, 2017

What's happening with Contemporaneous Notes

Contemporaneous note (CN) taking is an essential process and procedure. The title is often used as a widely applied statement to include other associated processes and procedures, such as Simultaneous Notes (SN), etc.; as some of you know, CN, SN, IN and VN are covered in my training courses for e-Discovery, (forensic) examination and evidence E3.

I have taken the opportunity to bring on board Robert Merriott, Founder of Forensic Notes, to provide an overview of some of the methods and tools out there for preparing and producing Contemporaneous Notes. From Robert's well-informed discussion (below) this is clearly a subject where strong opinions are held and one to which we will return in future discussions.

Robert Merriott
Digital Forensic Examination Notes

The purpose of this post isn’t to provide a singular and definitive answer to the question of what ‘examination notes’ should look like. In fact, every country or region will have its own accepted practices developed to satisfy the laws of the land. Instead, this article is presented to discuss the many facets of this important subject and to help you find a solution that will best meet your needs.
A recent discussion regarding Contemporaneous Notes on Forensic Focus showed that there are differing views on how strict guidelines should be in relation to examination notes. This difference of opinion reveals how much the process of conducting digital forensic examinations can vary from one office to the next.

Importance of Documentation

The importance of documenting your examinations cannot be overstated. Although you may never need to defend your case in court, you should complete every case as if you would be testifying as an expert in the Supreme Court.
Recently, experts and influential leaders in Digital Forensics provided quotes on the Importance of Documentation.
As Greg stated…
“Contemporaneous Notes are unavoidable, thus inescapable, when it comes to examining evidence and are akin to the standard of Ethics.
They hold the examiner to their own account of conduct when no one else is around to witness what is happening.”

Examination Notes – Current Solutions

Investigators dealing with digital evidence will document their examinations in one of several ways:
- Traditional paper notebook and pen
- Word processors such as MS Word or OneNote
- Purpose-built electronic note-taking system
- Scrap pieces of paper
- Do not document!

Paper Notebook and Pen

The classic way of writing contemporaneous notes.
This form of documentation has been relied upon in law enforcement and scientific labs for decades and has continued to stand up to the scrutiny of the courts when properly completed.

Although widely accepted in courts, writing your notes in a paper notebook can be slow and result in notes that are illegible and incomplete. For many young examiners who can quickly type out long messages on a virtual mobile keyboard, the idea of handwriting notes seems like a step back in productivity.
Attempts to correct spelling and grammatical mistakes only further complicate the process of writing and disclosing notes.

MS Word or OneNote

Electronic documentation is becoming more common even in traditional settings like law enforcement where only paper notebooks and pens were previously trusted.
Electronic documentation offers many advantages including the ability to edit and modify the content of the notes as required.
Being able to edit the content of an electronic note allows the examiner to correct any spelling, grammatical errors or omissions. As a result, some examiners feel electronic documentation provides a more professional form of their notes as they are able to correct these issues prior to providing them to colleagues or the courts.
But if notes can be changed at a later date with no previous history of the contents originally entered, can they really be considered contemporaneous?
And does this open up Pandora’s Box for defense lawyer questioning? 
If you admit you modified some of your notes for “grammar” and “typos”, will defense begin to argue you changed other aspects of your notes as well?  And what if you did change something else for reason beyond simple grammar or typos, how will you explain that change in court?
Criminal courts would never allow a law enforcement officer to Wite-Out® portions of his notes in a paper notebook and then overwrite that information with new information. So why should the courts trust electronic notes to be a true representation of your thoughts at the time stated if they can be edited without including the previous entries?
Although many Digital Forensic Examiners are using MS Word and OneNote successfully in courts throughout North America and Europe, we as examiners know that the majority of courts have failed to keep up with the complexities of digital data and how easily files can be manipulated.
Of course, there are ways to make electronic notes immutable with the use of digital signatures and digital timestamps, but few organizations are properly set up to implement this solution.
Will you be able to defend the authenticity of your MS Word or OneNote examination notes in court if questioned?

Electronic Note-Taking Application

Electronic Note-Taking applications offer the best of both worlds if designed and used properly.  But remember, not all applications are created equal.
When deciding on what electronic note-taking application you want to use, you will have to consider your specific needs and requirements not only now, but in the future when your cases finally go to trial.
- Can you easily print notes in sequential order for court?
- Can you edit existing notes while retaining the original note for Full Disclosure?
- Can you arrange your notes in a logical manner during the investigation to keep your information organized?
- Can you search through your notes to find answers quickly?
- Is your information securely saved and encrypted?
- Do audit logs exist allowing you to clearly see who else accessed a particular note or notebook?
- Is the application able to timestamp individual notes from a trusted and independent Timestamping Authority (TSA)?
- Will the courts be able to authenticate your notes if required without calling in another expert?
- Can you access your notes on multiple devices, including mobile, so that you can take notes outside of your office, such as during live analysis at the scene or meetings with other investigators?
- If you include screen captures and images in your notes, will you be able to print the image in a high-quality format at a later date if it becomes a key piece of evidence?
- Are the owners of the application trusted members of the digital forensic community?
When choosing an Electronic Note-Taking Application, you should select an application that works the way you work instead of being forced to work within the constraints of the application they provide.

Scrap Pieces of Paper

Although it’s common to use scrap pieces of paper to quickly jot down information, they should not be used as a place to write notes during an examination unless other options discussed above are not available.
If scrap pieces of paper are used to document important information, this should be transcribed into your proper notes as soon as possible. Often, if done in a reasonable time frame, these transcribed notes will be considered contemporaneously written.

Do Not Document Examination

Some examiners do not see a need to document their examinations. This is often a result of poor training, inexperience or laziness. If your examination involves criminal or civil litigation, then it’s imperative that you conduct your examinations in a professional manner. Poorly documented investigations can lead to bad case law that affects us all.

Should Standards Exist for Examination Notes?

Preston Coleman provides a valid and well thought out response to the idea of standards for examination notes.
As Preston points out, if standards were to be created for examination notes, then they should be general in nature to allow for the flexibility needed within most examinations. At a minimum, the following “universal elements should be observed”:
- Contemporaneous Notes: document actions and results sequentially as they occur
- Timestamp Notes: include date and time with every note made
- Immutability: notes should be fixed and non-editable upon completion of the examination
- Available: provide to others, including the courts, if required
Depending on your particular circumstances and the types of files that you are investigating, you may decide on more stringent requirements for your own note taking.

Odds n’ Ends

Now let’s discuss a few more questions regarding examination notes…

Simultaneous Notes

As discussed within the “Forensic Chip Off – Notes in Progress” post, Greg asked the question “how would you keep contemporaneous notes (CN) simultaneously whilst removing a chip?”
If Simultaneous Notes (SN) were required during a technical hands-on examination, then a video of the examination (as shown in the blog post) could be used to allow the examiner to concentrate on the task at hand while still properly documenting the actions being taken. Upon completion, the video file could be hashed with the resulting hash being noted within your Contemporaneous Notes.
A purpose-built forensic Electronic Note-Taking application would allow you to attach the original video to the note and automatically hash and timestamp the video in only a couple of steps.
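The two mechanisms this section relies on, hashing an attached recording and making each note tamper-evident with a timestamp, can be combined in an append-only, hash-chained log. The following is an added example written for this post; it is not code from Forensic Notes or any other product, and its tab-separated file format, the "GENESIS" starting value and the placeholder video file are constructed for the illustration:

```powershell
# Added example (not from the post, Forensic Notes or any product): an append-only
# hash-chained examination log. Each line carries a UTC timestamp, the SHA-256 of the
# previous line and, optionally, the SHA-256 of an attached file such as a chip-off
# video. Altering or deleting any earlier line breaks the chain, which
# Test-ExamNoteChain reports. A timestamp from an independent TSA is out of scope here.

function Get-Sha256Hex([string]$Text) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ($sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text)) |
            ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

function Add-ExamNote {
    param(
        [Parameter(Mandatory)][string]$LogPath,
        [Parameter(Mandatory)][string]$Text,
        [string]$AttachmentPath
    )
    # Link to the last entry; a new log starts from a fixed genesis value.
    $prevHash = 'GENESIS'
    if (Test-Path -LiteralPath $LogPath) {
        $prevHash = ((Get-Content -LiteralPath $LogPath -Tail 1) -split "`t", 6)[4]
    }
    $attachHash = '-'
    if ($AttachmentPath) {
        $attachHash = (Get-FileHash -LiteralPath $AttachmentPath -Algorithm SHA256).Hash.ToLower()
    }
    # Tabs and line breaks inside the note text would corrupt the line format.
    $safeText  = $Text -replace "[`t`r`n]", ' '
    $timestamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $author    = $env:USERNAME
    # The entry hash covers every field except itself.
    $entryHash = Get-Sha256Hex ($timestamp, $author, $prevHash, $attachHash, $safeText -join "`t")
    Add-Content -LiteralPath $LogPath `
        -Value ($timestamp, $author, $prevHash, $attachHash, $entryHash, $safeText -join "`t")
    $entryHash
}

function Test-ExamNoteChain {
    param([Parameter(Mandatory)][string]$LogPath)
    $expectedPrev = 'GENESIS'
    $n = 0
    foreach ($line in Get-Content -LiteralPath $LogPath) {
        $n++
        $f = $line -split "`t", 6
        if ($f.Count -ne 6)          { return "entry ${n}: malformed line" }
        if ($f[2] -ne $expectedPrev) { return "entry ${n}: link to previous entry broken" }
        $recomputed = Get-Sha256Hex ($f[0], $f[1], $f[2], $f[3], $f[5] -join "`t")
        if ($recomputed -ne $f[4])   { return "entry ${n}: content altered after it was written" }
        $expectedPrev = $f[4]
    }
    "ok: $n entries verified"
}

# Usage, with a constructed placeholder file standing in for the chip-off recording:
$log   = Join-Path $env:TEMP 'exam-notes.tsv'
$video = Join-Path $env:TEMP 'chipoff.mp4'
Remove-Item -LiteralPath $log -ErrorAction SilentlyContinue
Set-Content -LiteralPath $video -Value 'constructed placeholder, not a real video'
Add-ExamNote -LogPath $log -Text 'Started chip-off; camera recording' | Out-Null
Add-ExamNote -LogPath $log -Text 'Chip removed; recording stopped' -AttachmentPath $video | Out-Null
Test-ExamNoteChain -LogPath $log
```

Editing any line of the log with a text editor and re-running Test-ExamNoteChain shows the chain break at that entry; retaining the original note alongside a correction, as the questions above ask, means appending a new entry rather than changing an old one.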

Destroy Notes After an Examination Is Complete?

In some American states, it is apparently common practice to destroy both paper and electronic notes once a final examination report has been written.
If the destruction of examination notes is currently allowed where you work, you should ask yourself:
- What happens if the accuracy or credibility of the report is questioned?
- What reasoning will you provide if questioned on why you felt it was necessary to destroy your notes?
  - The opposing party may ask “What were you trying to hide in those notes that it was so important that you destroy them prior to court?”

Restrictive Warrants

In many regions, warrants authorizing forensic examinations are becoming restrictive with respect to the type of data that can be analyzed and included in forensic reports. In practice, you may observe other evidence in plain view (e.g. child abuse material) that does not fit within the restrictions of the warrant.
In this case, it is suggested that you immediately stop your current examination and re-apply for a warrant that includes the evidence you observed in plain view.
If you fail to take proper contemporaneous notes or destroy your notes upon completion of a report, would you be able to properly articulate how you came to observe the images or data that you weren’t authorized to have searched which resulted in a more comprehensive warrant being sought?
If not, you risk having all your evidence excluded from the trial.
Many investigators fail to recognize that obtaining a new warrant is easy in comparison to defending the merits of the new warrant at trial. Are you willing to lose all that hard work due to a lack of proper documentation?


The digital forensic community needs a “Best Practice” guideline in creating contemporaneous notes during an examination. Without a clear guideline, Digital Forensic Examiners are left to rely on potentially false or misleading information from fellow members who do not fully recognize the need or value in creating proper notes during an examination.
At a minimum, all professional Digital Forensic Examiners should use the following list as the current “Best Practice” guideline:
- Contemporaneous Notes
- Timestamp Notes (Date & Time)
- Immutability
- Available
By continuing to discuss this important subject, we as a community can further improve “Best Practice” guidelines that will help ensure existing and new examiners take the necessary steps during digital forensic examinations.
After evaluating the “Best Practice” guidelines, you can make an informed decision on what is the best solution for recording Examination Notes given your particular circumstances and needs.
Will you stick with the classic pen and paper, utilize a word processing application such as MS Word or OneNote or go with a more forensic solution such as a purpose-built electronic note-taking system like Forensic Notes?
About the Author:
Robert Merriott founded TwiceSafe Software Solutions Inc. (Forensic Notes) after realizing the need for a digital note-taking application that would meet the high standards of digital forensic evidence in the courts. Robert has a Degree in Computer Information Systems and obtained both Microsoft MVP and ASPInsider status during the infancy of ASP.Net. He now works as a Digital Forensic Examiner.
DISCLAIMER: This article is not meant to provide legal advice or information. Legal statements made are only provided as guidance for the reader to seek professional legal advice within their jurisdiction. No information contained within this article should be acted upon without discussing the merits of such information with a legal professional. The author of this article is NOT A LAWYER and takes no legal responsibility for the information presented. In addition, the information provided is based on personal beliefs and ideas and does not represent his employer.


Wednesday, June 28, 2017

IM Telegram Replay Attack - Android

Hopefully, readers will have had the opportunity and time to read about WhatsApp here at the trewmte.blogspot:

WhatsApp network forensics -
Whisper Signal WhatsApp -

So it's time to move on to the next instant messaging app, known as Telegram. It is relevant to mention this app at this time as it appears the Russians are targeting this app as well - - and the thought must be: what will they discover by way of a flaw or vulnerability, or do they already know what they are?
The IM Telegram replay attack on Android was uncovered in the research published in Tomáš Sušánka's thesis, which can be found here: .
As a primer, a replay attack is an attack where an attacker sniffs data sent by the application and then resends them at a different time with malicious intent. Unlike WhatsApp, where all clients are controlled at source, Telegram relies upon third-party developers to implement security updates that Telegram has informed them about; if those developers don't update, many devices using Telegram could be unsafe even today, potentially enabling attacks across networks.
Deobfuscator.cpp file
To gain a background understanding to IM and security related issues the thesis considers other IM apps, including WhatsApp, and noted security issues with them.
One interesting comment in a paragraph of the conclusion reveals how foreign policy subjects influence software developers regarding censorship: "We have scrutinized the code base of the official application for Android and concluded that the state of the application is at serious odds with the documentation. This concerns mainly the undocumented obfuscation method Telegram uses. The MTProto traffic is encrypted one more time with the key and IV prepended to the data. This has no effect on the data security and is easily debunked by the deobfuscation program we have implemented. When the Telegram team was confronted with these claims, they noted the method is used to circumvent some of the less sophisticated methods of censorship in certain countries."
Alongside the published research on the apparent Telegram vulnerability, the author has also provided his background research, e.g. source code etc. (so you had better get it before it goes):
The CD's directory structure is:
- data
  - Telegram source code
- src
  - Telegram Deobfuscator
  - Telegram Extractor
  - Trudy Go module
- LaTeX source codes
  - diagrams
  - source codes
  - text
  - appendices
- thesis.pdf
Excellent research and discovery!

U-N-I update on posts

- Diameter - Online Charging Systems (OCS)
- Big / Fresh / Deep - Data : Huawei overview
- Hot technologies to know about
- ARP.pcap
- bgp.pcap
- https.pcap
- ICMP-ARP-OpenFlow1.0.pcap
- Russians target Telegram App
- Wireshark
- Protocols Relevant to U-N-I
- Industrial Networks Hit By WannaCry
- IM Telegram Replay Attack - Android
- Whisper Signal WhatsApp
- Subpico Intelligent Application Layer Software
- Subpico LI with evidential integrity
- TraceWrangler
- old_GUTI_IMSI_Critical_Reject (updated)

Whisper Signal WhatsApp

Following on from the post WhatsApp network forensics (2017/06/whatsapp-network-forensics.html), you may know that WhatsApp changed its protocol to Open Whisper Systems' Signal Protocol end-to-end encryption. A useful analysis of "Signal", covering the “ratcheting” key update structure, can be found here:

A Formal Security Analysis of the Signal Messaging Protocol

Attacks aimed at determining Signal's weaknesses have already started. The "last resort key" looks interesting, as do the internal messaging attacks that have produced some results:


WhatsApp network forensics: Decrypting and understanding the WhatsApp call signaling messages

Friday, June 23, 2017

Universal Network Investigations

I have just started a new LinkedIn group called 'Universal Network Investigations (UNI)'. It is a group only for those involved in the wider area of fixed, mobile and large-scale computer networks. The group exists to assist cyber, forensics and fault-finding investigations: to exchange observations and share 'intel' in a closed forum discussing fixed and mobile network investigations, trace data and other forms of evidence (including but not limited to PCAP, CDRs, traffic logs, exchange and switch data, cell details, dumps, etc.). If you are a member of LinkedIn and want to participate in the group, here is the link: