
Wednesday, December 5, 2012

Hacking help!

I've been contacted a few times recently to provide help getting to some part of a computer file or recovering some sort of data. I don't mind responding to people who reach out and genuinely need help; in fact, I'd like to think I've actually helped quite a few people. Here are some guidelines to make sure I can help you as much as I can.

What to do before reaching out to me for help

  1. It would be really awesome if you would read the relevant blog posts and attempt it on your own first.
  2. Know what you are asking for and what you are likely to get. Data recovery and carving can generate lots of data, but they are generally a shotgun approach.
  3. Do the work once you have the data. I can't generate lovely time-indexed, cross-referenced, collated reports of the data. I'll just generally give you the data and expect that you'll donate some elbow-grease to the equation.

What I need to help you

  1. A description of the system (Mac, PC), the operating system (XP, 7) and the relevant programs (Skype, Firefox). Program versions are a nice-to-have for me.
  2. The relevant files!
  3. Any information that would help when searching the data: names of the parties, dates of events, locations, etc.

What I can promise

  1. My best effort to recover data
  2. Getting to the task of investigating as soon as possible (I do have a life!)
  3. Utmost secrecy... I will only share your information with you, no one else. Nobody but me will ever see it. I promise to delete all copies of data and emails once I've finished investigating and sent results. 
  4. Discretion. I've been through this myself and know from my own experience how personally devastating this kind of event can be.

How to contact me

  1. Post a comment to the blog and I will reach out to you. I moderate all comments and will not make any comments public that contain personal info like an email address.
  2. Email me at dead.nt.sleeping [at] gmail [dot] com
  3. I have put together a web form for a contact page you will be able to see on the top tabs of the blog. Here's a link to it anyway: Contact Form.

V/r - DNS

Tuesday, May 29, 2012

Computer Pseudo-Forensics; Tools

Where to start? Disclaimers!
1. I'm not a computer tech/analyst
2. I'm not a lawyer
3. Follow your own judgment before trying anything here. See #1 and #2 above.

Computer forensics is a scientific field of analyzing and preserving digital information to support legal matters. Police forensics analysts seize computers, phones, servers from bad guys and search them for kiddie porn, bootlegging, and details of illicit financial transactions. Lawyers often refer people to private investigators to perform computer forensics in civil matters such as divorce. Lots of information can be gained from computer forensics and to be admissible as evidence it most definitely has to be done by an independent party. Given that, what I'm describing in these blog posts falls far short of the professional definition of forensics. That's why this post is titled Pseudo-Forensics.

There is an almost infinite number of combinations of computer platforms, operating systems, and programs. I'm not familiar with every system. Most work I have done is based on Windows XP, Vista and 7.

Tools
Here are some handy tools. Most are free or low-cost and download links are provided in the hyperlinked name of the tool, below.
1. HxD Hex Editor
HxD is a free hex editor. It displays the raw bytes of any file alongside their text representation. This is handy for viewing files where a cached value may be hiding. Very useful for looking at Skype's databases.
2. SQLite Database Browser
The SQLite Database Browser is a free tool useful for exploring the SQLite databases behind the scenes of Skype and several popular browsers.
3. ChromeAnalysis, FoxAnalysis
The good people at Foxton Software have provided a freeware version of their browser analysis tools. The pay versions have many more features but weigh in at £68.
4. ChromeCacheView, IECacheView, MozillaCacheView
The good people at NirSoft have compiled some free utilities to view the contents of popular browsers' cache folders. The listing shows each entry's URL and accessed date, and there is an option to extract entries to a folder to view their contents (useful for cached images!).
5. SkypeLogView
The good people at NirSoft have provided a tool for analyzing the Skype database files for call logs, chats, etc. It is a very handy tool but much more data can be gathered using HxD. This will be the content of a future post.
6. SkypeChatsyncReader
A utility created by Rasmus Riis Kristensen from the Computer Crime Unit of the Danish National Police. The tool is based on his reverse engineering of where the data lives inside Skype's .dat files.
7. PCWin Recovery
The good people at Frontier DG have a tool (about $10, I believe) which can be loaded onto a USB drive and will reset the Windows password. This is hardly a stealth operation... it wipes out the password.
8. MiniTool Power Data Recovery
The good people at MiniTool have an application which can recover deleted files from the PC, SD Cards and USB drives. The trial version allows 1GB to be recovered free. The cost of the software is around $65.
9. Thumbs.db Viewer
The good people at Janusware have created a utility to view all of those little thumbnail pictures that are created in Windows. These thumbnail images often exist long after the file itself was deleted. They offer a trial version which is relatively useless. The product costs $25 and is recommended.
10. OSForensics
The good people at Passmark Software have put out a freeware forensics suite. It is feature-heavy with the ability to clone a drive without accessing the OS, virtual drive mounting and data carving tools. However, the tool set is complicated for a non-forensic analyst to use. The pay version is about $500 and allows multiple file export, performance enhancement, unlimited data indexing and other useful features.

Spyware
We've talked mostly about looking at past data records. Monitoring and spyware will be the subject of a future post.

--- DNS