Stay up to date with our RSS Feed. Get it here 

Epyx Blog

Mounting and Malware-scanning Split Android Images in Linux Ubuntu 12.10

    I was recently given the opportunity to attend an advanced mobile forensics course taught by Joe Church from Digital Shield.  As part of the rite of passage certification process, Joe handed us an image of an infected Android device and challenged us to find the malware.  

Mounting Shadow Volumes in Linux Ubuntu 12.04

    While examining an image of a Windows 7 computer, I struggled to find specific files that I knew at one point resided on the computer.  After hours of searching through both the allocated and unallocated area, I found the files in question on the shadow volumes. 

Hash Set Analysis using Linux Ubuntu 12.04

    Recently while examining an image of a computer, I came across the need to determine if the image contained a set of specific files.  For me those specific files were a series of pictures.  I was faced with two options, I can either manually go through all of the folders to search for the pictures, or I can search for those specific pictures using some sort of automated way.  I chose the automated way.

Cloning and Verifying Physical Disks in Linux Ubuntu 12.04

    Whether you need to make a forensic copy of an evidence drive for analysis, or restore a drive to look at the computer in a live manner, at one point or another you are probably going to find yourself needing to clone a drive.  Cloning a drive differs from imaging, in which cloning uses a target drive to make an exact duplicate of the original drive.

Extract the MFT With icat and Parse it With analyzeMFT in Linux Ubuntu 12.04

     The master file table (MFT) is a database that contains information about all files on an NTFS file system.  Among other things, the MFT tracks times, size, name, and location of every file including itself.  It stores this information in entries, appropriately named MFT entries.  Each MFT entry gets assigned its own record number.

Use PhotoRec to Carve for Files With Linux Ubuntu 12.04

   While examining the contents of an external hard drive in a recent case, I came across the need to recover videos from the unallocated area of the drive.  Interestingly enough, the videos in question were in the form of ISO images.  When my preferred commercial carving tool didn’t offer an option to carve for ISO’s, PhotoRec did.   

Registry Analysis using FRED in Linux Ubuntu 12.04

   The Windows registry is used by the operating system to store information about its configuration, users, applications and much more.  It is an excellent source of evidence for the forensic examiner.

Recovering IE History Using Pasco in Linux Ubuntu 12.04

     Reconstructing and examining web browsing history is a task that is required during most forensic examinations.  Luckily, popular commercial tools have done a good job of simplifying the reconstruction process for us. While commercial tools simplify the process, the software often comes with a hefty price tag.

Mounting E01 images of physical disks in Linux Ubuntu 12.04

    The E01 image format, also known as the Expert Witness Format or the EnCase Image Format is perhaps the de facto standard for forensic analysis.  Is it a format owned by Guidance Software containing a bitstream of an acquired disk, case information, checksums for every block of 64 sectors, and a footer with an MD5 hash for the entire bitstream.

Acquiring E01 Images Using Linux Ubuntu 12.04

     When it comes to media acquisition using Linux, tools like Raptor and Paladin are hard to beat.  These tools are able to boot the computer and acquire the internal devices all while write-blocking the devices.  If a GUI acquisition tool for Linux is what you need then look no further, Guymager is it.

Pages