HK_Dig4nsics

Introduction UpScrolled is an emerging social media platform that continues to gain rapid adoption. As with any social media application, it presents potential evidentiary value in digital forensic investigations. This research documents the identification and structure of UpScrolled chat artifacts recovered from an iOS device using an iTunes-style logical backup extraction. Application Data Application artifacts were successfully recovered via a standard iTunes backup extraction. A preliminary review of the extracted data revealed that UpScrolled application data can be found in the following path within the iOS filesystem: /private/var/mobile/Containers/Data/Application/{UUID} Within this location, user-generated content and application data were stored in the Documents  directory: /private/var/mobile/Containers/Data/Application/{UUID}/ Documents Chat Database UpScrolled stores chat data in a SQLite database named using the format: db_{UserID}.sqlite This naming convention i...

 Forensic Analysis of Windows Subsystem for Android (WSA) Overview Microsoft released Windows 11 with a new feature, Windows Subsystem for Android (WSA). This feature enabled users to run Android applications in Windows 11 without involving third-party virtualization software. I believe that digital forensic examiners need to understand this feature as it can be used as a new source of digital evidence in Windows 11 systems. This blog post focuses on some of the critical WSA artifacts and how to extract data from the WSA environment.  Analysis of the WSA Environment Like any newly implemented feature, there is limited documentation and research regarding WSA. Figure 1 shows two primary layers to be considered during a digital forensic examination of WSA.  Wi ndows 11 is the first layer and the overall environment containing all the data, including execution, logging, and registry artifacts. The second layer is the Android environment, which contains user data and the inst...

Overview One of the capabilities found in iOS devices is the Shortcuts application. This native application can be used to create shortcuts for different types of functionalities in the system. This article examines the homescreen of an iOS device after a shortcut to open a URL was created using the Shortcut application. The article also addresses artifacts indicating that a shortcut was used to accomplish a particular task in the system. The test shortcut created for this article opens a webpage, https://thisweekin4n6.com , using the Safari browser. Apple [1] describes the Shortcuts application as "a quick way to get one or more tasks done with your apps." Meaning that the Shrotcut application allows users to custom-create shortcuts capable of completing specific tasks when users activate them. Users are also able to have sutom names and icons for the shortcuts.    Creating Test Shortcut             As mentioned...

Introduction       Having multiple software and hardware tools while conducting mobile device forensics can assist examiners in overcoming any obstacles caused by operating systems updates, new data file formats, unsupported applications/operating system/device modules, and other issues that often arise while examining mobile devices. This research reviewed and tested a tool named 3uTools to determine its advantages and disadvantages for iOS device forensics. This research begins with reviewing the tool, which focuses extensively on utilities within the tool that could be of use for forensic examiners dealing with iOS devices. The testing phase of the research included utilizing 3uTools to extract data from iOS devices and other tests to determine the capabilities of the tool. The last part of the research was centered around the results of the data backups created by 3uTools and comparing them to a full filesystem extraction conducted using Cellebrite UFED. D...