Detect TrueCrypt and VeraCrypt volumes
Raedts.BIZ | IT SECURITY & FORENSICS – Forensics
by Nick
3y ago
Some time ago I talked about BitLocker forensics and the decryption of BitLocker-encrypted volumes. As a result, I received a few questions and a request regarding TrueCrypt-encrypted volumes. Encryption, in general, is quite a challenge for forensic investigators. When well executed, an encrypted volume is inaccessible without the proper keys. TrueCrypt is no exception. However, while a BitLocker volume has a recognizable header indicating it is encrypted, a TrueCrypt volume appears to be random data. In this post I try to answer the question: “how do you detect a TrueCrypt or VeraCrypt vo ..read more
TrueCrypt and VeraCrypt
Raedts.BIZ | IT SECURITY & FORENSICS – Forensics
by Nick
3y ago
When you want to use encryption there are a lot of options available. The two big names for Windows-based systems are BitLocker and TrueCrypt. I have discussed BitLocker before in my post Encryption: BitLocker forensics; TrueCrypt, however, is a different story.
TrueCrypt
TrueCrypt is a discontinued freeware utility used for on-the-fly encryption. It can create an encrypted volume contained within a file or encrypt complete (system) partitions. On 28-05-2014 the developer announced that it was no longer safe to use TrueCrypt. Several audits have been performed on TrueCrypt but no critical f ..read more
Building wordlists from Forensic Images
Raedts.BIZ | IT SECURITY & FORENSICS – Forensics
by Nick
3y ago
Encryption has become widespread and it is common to encounter at least a few encrypted files during an investigation. Brute-forcing a password is always an option; however, depending on the type of encryption that has been used, this can take a few minutes or even centuries using commonly available computer hardware. Your best bet when trying to gain access to a file or document, or even an entire encrypted volume, is using a personalized wordlist. In this post, I am going to explain how to generate such a wordlist using the free utility bulk_extractor.
Wordlists
A wordlist is, as its name sugg ..read more
TESTED: Forensic imaging tools
Raedts.BIZ | IT SECURITY & FORENSICS – Forensics
by Nick
3y ago
There are a few good imaging tools out there. When creating a forensic image you always try to pick the best tool for the job. In this post, I will compare six forensic imagers. This is a comparison I have wanted to do for a long time; I have always wondered whether there would be a noticeable performance difference between the tools. Most tools I use during my investigations are used without a second thought. I picked them up throughout the years and they do their job. However, there is nothing wrong with checking new tools from time to time. In this comparison, I picked six well-known imaging tools ..read more
File deletion vs wiping (HDD vs SSD)
Raedts.BIZ | IT SECURITY & FORENSICS – Forensics
by Nick
3y ago
As you might know, there is a difference between deleting a file and wiping a file. For the user they seem to have the same outcome: the requested file has been removed. However, when you delete a file, it is still possible to recover it, while wiping a file makes recovery impossible. In this article, I would like to explain the differences between deleting a file and wiping a file, and also explain how different drive types (HDD vs SSD) affect the outcome. To explain the differences between deleting a file and wiping a file, and how the drive types affect the outcome of these actions, we ..read more
TESTED: Camera Ballistics 2
Raedts.BIZ | IT SECURITY & FORENSICS – Forensics
by Nick
3y ago
Last week Brett Shavers had a good post on his blog about placing the suspect behind the camera (Link). Phill Moore named this post in his excellent weekly roundup This Week in 4N6 and also suggested the tool Camera Ballistics. Coincidentally I got a chance this week to test the latest release of Camera Ballistics, a chance I certainly didn’t want to pass on. Disclaimer: I was able to test this product under a commercially purchased license. The license was not provided by Compelson Labs for this review and I am not affiliated with Compelson Labs or their products in any way. Camera Bal ..read more
Forensics 101: What is a forensic image?
Raedts.BIZ | IT SECURITY & FORENSICS – Forensics
by Nick
3y ago
A question I get asked a lot is “what is a forensic image?” and what the difference is between an image made with tools like FTK Imager and one made with Acronis True Image. A simple answer would be that a forensic image contains all data stored on a device. But I believe this subject deserves a more comprehensive explanation.
Please note
While it is possible to create a forensic image yourself, I would highly recommend hiring an expert to perform any kind of forensic data acquisition.
What is a forensic image?
The golden rule of forensics: “Never touch, change, or alter anything until it has ..read more
AccessData Live Online Training
Raedts.BIZ | IT SECURITY & FORENSICS – Forensics
by Nick
3y ago
When working in forensics you have to keep yourself informed of the latest developments in the field; that is one of the reasons I started this blog. Recently I have been attending several Live Online Training (LOT) courses given by Syntricate (the training branch of AccessData). After having attended over 7 courses I thought it would be nice to share my experiences with others who might be considering signing up. The sign-up procedure is very simple: in my case, I contacted a salesperson at AccessData and told them what course I wanted to join. The website of Syntricate has a ..read more
Examining when a system was turned on and off.
Raedts.BIZ | IT SECURITY & FORENSICS – Forensics
by Nick
3y ago
When you are analyzing a system you might want to document when the system was powered on. One of the best ways to do this is to analyze the Windows event log. However, this can be time-consuming. Luckily there is an easy way to do this. We will be using one of the tools from my list of free investigation tools, TurnedOnTimesView, created by Nir Sofer. When you start the tool it will show you a list of timestamps of when the system was turned on and off. But showing the timestamps from our own system won’t do much for forensic analysis. Acquiring the required file from the evidence ..read more
Determining the Windows10 installation date.
Raedts.BIZ | IT SECURITY & FORENSICS – Forensics
by Nick
3y ago
When working on fraud cases it isn’t uncommon to see people trying to hide their tracks. In some cases this means hiding files in a hidden folder; in other cases, they might replace the hard drive with a new drive or reinstall the system. Therefore it is important to reliably determine the installation date of the operating system.
CurrentVersion
When examining a Windows system, the registry is the way to go. There are a number of registry keys that can tell you a lot about a system. One of those registry keys has always been the “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion” key. Th ..read more