Posts

Clonezilla as a Forensic Imaging Tool

I understand that there are many imaging tools available, both free and commercial, but I wanted to share my testing results using Clonezilla as a digital forensic imaging tool. It may be useful for someone looking to add another reliable option to their forensic toolkit. If you have never heard of or used Clonezilla before, it is a free and open-source tool that can be used to preserve the state of a computer system at a specific point in time. As a digital forensic examiner, I wanted to evaluate it from a forensic acquisition perspective and determine whether it can be trusted for use in our field. Clonezilla Live can be used to create a bootable drive, which allows the examiner to boot directly into the Clonezilla environment without relying on the host operating system. This is important because it minimizes the risk of modifying the target system during acquisition. Once booted, Clonezilla presents several boot options. Each option controls the startup environment, such as nor...

UpScrolled Forensic Artifacts on iOS

Introduction UpScrolled is an emerging social media platform that continues to gain rapid adoption. As with any social media application, it presents potential evidentiary value in digital forensic investigations. This research documents the identification and structure of UpScrolled chat artifacts recovered from an iOS device using an iTunes-style logical backup extraction. Application Data Application artifacts were successfully recovered via a standard iTunes backup extraction. A preliminary review of the extracted data revealed that UpScrolled application data can be found in the following path within the iOS filesystem: /private/var/mobile/Containers/Data/Application/{UUID} Within this location, user-generated content and application data were stored in the Documents directory: /private/var/mobile/Containers/Data/Application/{UUID}/Documents Chat Database UpScrolled stores chat data in a SQLite database named using the format: db_{UserID}.sqlite This naming convention i...

Forensic Analysis of Windows Subsystem for Android (WSA)

Overview Microsoft released Windows 11 with a new feature, Windows Subsystem for Android (WSA). This feature enabled users to run Android applications in Windows 11 without involving third-party virtualization software. I believe that digital forensic examiners need to understand this feature as it can be used as a new source of digital evidence in Windows 11 systems. This blog post focuses on some of the critical WSA artifacts and how to extract data from the WSA environment. Analysis of the WSA Environment Like any newly implemented feature, there is limited documentation and research regarding WSA. Figure 1 shows two primary layers to be considered during a digital forensic examination of WSA. Windows 11 is the first layer and the overall environment containing all the data, including execution, logging, and registry artifacts. The second layer is the Android environment, which contains user data and the inst...

iOS Shortcuts

Overview One of the capabilities found in iOS devices is the Shortcuts application. This native application can be used to create shortcuts for different types of functionalities in the system. This article examines the homescreen of an iOS device after a shortcut to open a URL was created using the Shortcuts application. The article also addresses artifacts indicating that a shortcut was used to accomplish a particular task in the system. The test shortcut created for this article opens a webpage, https://thisweekin4n6.com, using the Safari browser. Apple [1] describes the Shortcuts application as "a quick way to get one or more tasks done with your apps," meaning that the Shortcuts application allows users to create custom shortcuts capable of completing specific tasks when users activate them. Users are also able to have custom names and icons for the shortcuts. Creating Test Shortcut As mentioned...