John Lehr

Comment from Êʒêvaʃêrrêmmzênungofë Tʃaakatoêtaallrêfêë:
Hi, my friend, I have a question. I use Lazarus (form recovery Chrome extension) on Opera. The problem is that in Chrome, we can't look in the whole database like with the Firefox version of Lazarus. Now I have trouble: I was writing a post on Twitter and closed Opera because it froze. After the restart I wrote other tweets; after getting into that one (France 2 Presse), I was unable to recover the form because Lazarus shows a list but the screen is too small, and I don't know how to scroll that list... (Install Lazarus on Chrome to test what I mean: in any form window you will see some kind of key in the upper right corner.)

I searched on the web for how to read the database, I found the file, and I put it in Google Drive,

https://drive.google.com/open?id=0B47j2kzmh1vrUXNBeU9pY0w4cGc

I opened it with DB Browser, but I can't find my data, which contains #TVMAG or @TVMAG & ƩALVA‑ΘJË‑ÔNË

Can you please help, since I read this page,

https://linuxsleuthing.blogspot.be/2013/05/sqlite-hidden-data-in-plain-sight.html

but I'm a noob and I'm amnesiac, so I have difficulty doing this on my own. Can you please explain it to me?

John Lehr

URLs : U R Loaded with Information
In my early days of forensics, I considered URLs in web histories as nothing more than addresses to websites, and strictly speaking, that’s true. But URLs often contain form information supplied by the user and other artifacts that can be relevant to an in...
2 comments (Paula Bailen, John Lehr)
Hi Paula. Sorry, I do not (and really cannot) know the answer to your question. A few guesses: 1) you could be interpreting the date stamps incorrectly, 2) History can be erased from the database through the settings, 3) you could have run a third party system cleaner/privacy tool to delete history entries. None of these makes much sense, though, since you have dates surrounding the missing range.

As for recovery, once the data has been dropped from the database, recovery involves carving and reconstructing records from SQLite table leaf pages, and carving records from unallocated space. This is very difficult because the fields in the places.sqlite database, for the most part, are variable length. Further, you need to join two tables to properly produce a record, and if memory serves, the RowID is required to join the tables. The RowID is destroyed when the record is dropped. So you see, this is quite difficult.

John Lehr

Getting Attached: Apple Messaging Attachments
I sometimes get questions about showing attachments in Apple iDevice messaging databases. The questions, however, seem to come at a time when I don’t have any databases on hand to study the issue. Well, this week I stumbled on the chats.db during an exam ...
2 comments (Jeff Keen, John Lehr)
+Michelle Moreno Hi Michelle. I'm afraid there are no SQL commands to recover messages deleted from a database. Dropped (deleted) records have their RowIDs overwritten and thus cannot be looked up with a query. While message recovery is possible, it requires they be located and carved out of the database leaf table page. Even then, the record header (a map of the record that describes the data in the columns) must be identified and interpreted to properly extract the record. I touched on this here (http://linuxsleuthing.blogspot.com/2013/09/recovering-data-from-deleted-sqlite.html), but I have not posted complete recovery instructions.

John Lehr

Searching for Searches
In a recent examination of smart phone content, it became necessary to know the personal interests of the device's owner. You can browse internet and app history, but it can be an extensive task to review every URL for every clicked link and served page. To get...

John Lehr

Identifying Owners of Locked Android Devices
Locked Devices are not Always Secure I was handed a device I’ve never seen before: A Verizon Ellipsis 7" tablet. The device was suspected to be stolen, but it was password locked with no sd card or sim card installed. USB debugging and mass storage mode w...

John Lehr

iPhone: Recovering from Recovery
I was attempting to brute force an iPhone 4 passcode for data recovery. The phone was in poor condition and had undergone modifications: the home button had been replaced as well as the back cover, maybe more. I could not rel...
Comment from Erich Wacha:
hi JOHN PLEASE CONTACT ME erichwacha@googlemail.com

John Lehr

Android SDK on 64-bit Linux
I commonly use adb and fastboot to access Android devices.  Ubuntu has packages for those tools making installation easy: $ sudo apt-get install android-tools-adb android-tools-fastboot But, in recent months, I have encountered instances where the adb and f...

John Lehr

Riffbox and Windows 10
I decided to bite the bullet and try out Windows 10. I wanted to learn the new operating system and determine if I could run specific software/hardware combinations under the new Windows that I had been running in Windows 7, specifically Riffbox. I happy ...

John Lehr

Finding Felons with the Find Command
Digital devices are commonplace. Digital device examiners are not. How does the digital Dutch boy prevent the digital device dam from breaking? By sticking his preview thumb into the leak. The point of a forensic preview is to determine if the device yo...
Comment from Devin Stewart:
Great article. Thanks John!

John Lehr

Identifying Android Device Owners
I work in a college town. That means lots of unsecured electronics. Lots of unsecured electronics means lots of thefts and 'misplaced' -- "I'm not as think as you drunk I am!" -- devices. I've seen a trend in recovered stolen devices over the past few yea...

John Lehr

Finding Serial Numbers on Locked iPhones
Apple iDevices have their serial number engraved on the back, right? So why the article? Because it's not true of newer devices like the iPhone 5, 5s, and 5c. Also, original cases can be replaced and serial numbers obliterated through unprotected use or ...
5 comments (Duane Vince, John Lehr, Fabiano Querceto)
Just to add to the discussion, I tried with an iPhone 5 locked with a PIN.
I used a port of libimobiledevice compiled for Windows, and the output of the command you suggested ('ideviceinfo -s')
contained (amongst other things) the device "udid", the "ChipID", the device "color", the device "name",
the hardware model, the iOS version (ProductVersion), and the WiFi adapter MAC address.
Thanks again

John Lehr

Making Sense of the Senseless
SQLite to the Rescue One of the tasks I’m asked to perform is to geolocate mobile phone calls from Call Detail Reports (CDR). These usually arrive from a carrier as spread sheets: one with details of calls to and from a particular number, and one or more c...
Story
Introduction
I perform Digital Forensics using the Linux operating system.
Basic Information
Gender
Male