Recent content by gralfus

  1. G

    Anti-Forensics

    Just curious, has the cluster ever proven effective for you against encrypted volumes?
  2. G

    Corrupt BMP & JPEG repair

    There wasn't anything to repair. It was just a small snippet of the beginning of a BMP file with the rest missing (either overwritten or fragmented elsewhere). Sometimes hex tells you more than an automated tool...
  3. G

    Corrupt BMP & JPEG repair

    It doesn't appear to be another kind of graphic that was modified to look like a BMP, though I will look at that some more. It is a pretty small file overall, so I doubt it would be very large even if it were a valid file. I also tried changing the internal size to match the file you made...
  4. G

    Corrupt BMP & JPEG repair

    That file is only a fragment of the original file. It is 29KB, and the original (according to the size listed within the BMP) is 787.5KB. There is no fixing that without the rest of the file. Unfortunately, BMP files have no footer, so that can be problematic if it is fragmented on the...
  5. G

    Corrupt BMP & JPEG repair

    There are lots of sites that contain the specifications for how a JPG file is constructed (as well as BMP, GIF, TIF, and other graphics). This is how I learned what belonged and what didn't. It is not a trivial "just read this 3 step process and you'll be a whiz", it is fairly involved...
  6. G

    Corrupt BMP & JPEG repair

    Not besides a hex editor and lots of patience. I've repaired a few JPGs this way, but the problems were usually obvious, like extraneous headers or a missing footer.
  7. G

    Fed Case: Plaint says HD image is not the same

    I'm not sure what your point is, ThomasCrw. If the hash of the drive and the hash of the image match, you have an exact copy of the latent data. If the individual hashes of files match with the hashes of the files in the image, then you have exact copies of the data. The nature of the data is...
  8. G

    Creating a DD image from multiple files

    I use a tool called MagicISO, which can create ISO images of whatever files you like. A dd image of a CD, and an ISO image of the same CD are the same thing, at least I can use them interchangeably. Keep in mind that a dd image can be of any kind of drive, so you need to know what sort of...
  9. G

    File Extension finder

    "foremost" is a command-line program that searches for specific file headers and footers, and so ignores the file names and extensions. For example, I provide it a disk image to scan, and tell it to look for JPGs and it will search the hex code of the disk image for FF D8 indicating the...
  10. G

    Programming Languages

    I've been learning Python recently and it has come in handy for certain JPG type identification (progressive vs standard encoding) and manipulation (stego practice). I started years ago with BASIC, Visual Basic, C, shell scripts, and Perl. All of them are useful for learning ways of manipulating...
  11. G

    Hard drive corrupt/inaccessible

    I've also had good luck recovering "dead" drives with SpinRite from grc.com. As long as the drive will spin up, I've been able to recover the drive. Yes, a Knoppix or Ubuntu Live CD could also probably access the disk, if it isn't too far gone. You could transfer files via CAT5 cables and a...
  12. G

    Hardware Drive Wipers

    DBAN, aka "Darik's Boot And Nuke", free software that does the job.
  13. G

    Steganography Question

    The issue of steganography is often twofold. If you can determine that data is hidden, you can try to recover it. Once it is recovered, it could also be encrypted, and then you have to try to decrypt it. I have tried StegoSpy and StegDetect against some JPGs where I hid data (in order to test...
  14. G

    DAT and LTO tape data recovery.

    There is a very applicable method for finding the right block size with DD on this site: crazytrain.com/dd.html. It is a short article by Thomas Rude on how to use DD effectively, and mentions some of the lesser-known switches for finding block size. He basically says that if you feed dd a block...
  15. G

    Civilian Steganography

    The laws on exporting cryptographic software relaxed under Clinton back in 1996. According to "en.wikipedia.org/wiki/Export_of_cryptography" the laws now mostly restrict export to rogue nations or known terrorist groups. However, many open source crypto packages are available for download from...
