Recent content by keydet89

  1. timeline analysis

    Three questions... First, what did you use to create the timeline? What version of Windows is the system being analyzed? What else happened 'near' the event? Thanks.
  2. Location for Windows version

    I do hope you enjoy the book. The funny thing is that since the book was published, I've had the opportunity to work on other things. For example, I just created/released a tool called RegRipper, which is a plugin based tool for extracting information from Registry hive files. So far, the...
  3. Which computer created a file?

    How's that? Because someone asks a question and no one can answer it? ;-)
  4. Which computer created a file?

    First off, computers don't create documents...users do. To see on which computer the document had been created, open the Word document in a hex editor and look for "PID_GUID". This is followed by a globally unique identifier that, depending upon the version of Word used, may contain the MAC...
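    Added example for the PID_GUID check described above. This is editorial code, not Harlan's post or any tool of his; the document fragment and the GUID in it are constructed, and the only assumption beyond the post is RFC 4122: a version-1 (time-based) GUID carries the generating host's adapter address in its last 12 hex digits plus a 60-bit creation timestamp, while a random node field has the multicast bit of its first octet set. The code locates the marker in the raw bytes (ANSI or UTF-16LE storage), decodes the GUID, and reports whether the node field is consistent with a real MAC.

    ```python
    import re
    from datetime import datetime, timedelta

    # Constructed fragment (not a real document): roughly what a hex editor shows
    # around the _PID_GUID property of a Word 97-2003 DocumentSummaryInformation
    # stream. The GUID is made up; its node field is chosen to look like a NIC.
    SAMPLE_DOC = (
        b"\x00\x00\x00\x00_PID_GUID\x00\x00\x00\x1e\x00\x00\x00"
        b"{487AB000-D650-11DC-9B27-00A0C9EF1234}\x00\x00"
    )

    GUID_RE = re.compile(
        rb"([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
        rb"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})"
    )
    UUID_EPOCH = datetime(1582, 10, 15)  # RFC 4122 epoch for time-based UUIDs


    def find_pid_guid(data: bytes, window: int = 256):
        """Return the GUID text that follows the first 'PID_GUID' marker, or None."""
        idx = data.find(b"PID_GUID")
        if idx < 0:
            return None
        # The property string may be stored ANSI or UTF-16LE; dropping NUL bytes
        # handles both without parsing the OLE property-set structure.
        chunk = data[idx:idx + window].replace(b"\x00", b"")
        m = GUID_RE.search(chunk)
        return "-".join(g.decode("ascii") for g in m.groups()).upper() if m else None


    def decode_guid(guid: str):
        """Pull version, node (MAC) and, for version-1 GUIDs, the creation time."""
        parts = guid.strip("{}").split("-")
        time_low, time_mid, time_hi_ver, clock_seq, node = (int(p, 16) for p in parts)
        version = time_hi_ver >> 12
        node_bytes = node.to_bytes(6, "big")
        info = {
            "version": version,
            "mac": ":".join(f"{b:02X}" for b in node_bytes),
            # RFC 4122 4.5: a node field that is not a real adapter address has the
            # multicast bit (LSB of the first octet) set, so a clear bit is
            # consistent with (not proof of) a hardware MAC.
            "mac_is_hardware": (node_bytes[0] & 0x01) == 0,
            "rfc4122_variant": (clock_seq >> 14) == 0b10,
        }
        if version == 1:
            # 60-bit count of 100 ns intervals since 1582-10-15 00:00:00 UTC
            ticks = ((time_hi_ver & 0x0FFF) << 48) | (time_mid << 32) | time_low
            info["created_utc"] = UUID_EPOCH + timedelta(microseconds=ticks // 10)
        return info


    if __name__ == "__main__":
        guid = find_pid_guid(SAMPLE_DOC)
        print(guid, decode_guid(guid))
    ```

    Two cautions when using this on real documents: the GUID is tied to the machine that first saved the file, not to whoever edited it last, and a version-4 (random) GUID, which later Windows versions generate, tells you nothing about the adapter, which is why the version nibble and the multicast bit are checked before the node is reported as a MAC.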
  5. Benefits of command line forensic tools in investigation

    PreferredUser... Yes, that's how things go over on SlashDot. However, Bejtlich and others have documented an increase in interest in books when a review is posted on SlashDot...follow-on comments are irrelevant. A posted review on /. has been directly correlated with an increase in interest...
  6. Benefits of command line forensic tools in investigation

    Guys, Thanks for the recommendations and shout-outs, re: my book. Can I get either of you to provide info on the instructor? How about this...I would greatly appreciate a book review posted to SlashDot. Here's the issue...no one makes money off of books, except the publisher. However, I...
  7. Forensic Community Shortfalls

    Al, Apparently, there are few willing to discuss this... If this is something that you still wish to discuss, feel free to contact me offline...
  8. Capture Volatile Data

    Wow, I post direct links in this forum and my posts get deleted and I get a nasty-gram from the admin... Anywho...Garner's version of dd.exe that you're referring to is no longer supported (he removed the ability to access the \\.\PhysicalMemory object and made the tool closed source). You...
  9. Cheap Software For Practice

    I made a some-what long-ish post over in the "Open Source and free EnCase like tools?" thread...check that one out... Harlan
  10. Tracking an internal IP address

    It depends on the environment that you're in. Your subject line mentions "internal", but your post doesn't elaborate...I'll assume that you're referring to an internal corporate IP address. The first place I'd start looking is DHCP logs, if the environment uses DHCP. Then I'd go with "nbtstat...
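    Added example for the "start with the DHCP logs" step above; it is editorial code, not Harlan's, and the log excerpt is constructed in the layout of a Windows DHCP server audit log (DhcpSrvLog-*.log: a text preamble followed by CSV with ID, Date, Time, Description, IP Address, Host Name, MAC Address). Event IDs follow the documented meanings (10 new lease, 11 renewal, 12 release, 16 deleted, 17/18 expired); the hostnames, addresses and MACs are made up. The code rebuilds the lease history of one address and answers the question an investigator actually has: which host and MAC held this IP at a given time.

    ```python
    import csv
    from datetime import datetime

    # Constructed excerpt (not a real log): a preamble line, then the CSV the
    # Windows DHCP server writes. Times are the DHCP server's local time.
    DHCP_LOG = """\
    \t\tMicrosoft DHCP Service Activity Log

    ID,Date,Time,Description,IP Address,Host Name,MAC Address
    00,02/10/08,00:00:03,Started,,,
    10,02/10/08,08:12:41,Assign,10.1.2.57,WKS-0412.corp.example,001B2109AA01
    11,02/10/08,12:30:02,Renew,10.1.2.57,WKS-0412.corp.example,001B2109AA01
    12,02/10/08,13:58:10,Release,10.1.2.57,WKS-0412.corp.example,001B2109AA01
    10,02/10/08,14:03:22,Assign,10.1.2.57,LAPTOP-JDOE.corp.example,0016CF9B7720
    10,02/10/08,14:05:00,Assign,10.1.2.58,PRINTER-3F.corp.example,00A0DE11BB02
    17,02/11/08,02:03:22,Expired,10.1.2.57,,
    """

    LEASE_START = {"10", "11"}              # new lease, renewal
    LEASE_END = {"12", "16", "17", "18"}    # released, deleted, expired
    TS_FORMAT = "%m/%d/%y %H:%M:%S"


    def parse_dhcp_log(text: str):
        """Skip the preamble, read the CSV rows, and return events sorted by time."""
        lines = text.splitlines()
        start = next((i for i, l in enumerate(lines) if l.startswith("ID,Date,Time")), None)
        if start is None:
            raise ValueError("no CSV header found in DHCP log")
        events = []
        for row in csv.DictReader(lines[start:]):
            try:
                ts = datetime.strptime(f"{row['Date']} {row['Time']}", TS_FORMAT)
            except (ValueError, KeyError, TypeError):
                continue  # malformed or truncated row; real logs do have them
            events.append({"id": row["ID"], "ts": ts, "ip": row["IP Address"],
                           "host": row["Host Name"], "mac": row["MAC Address"]})
        events.sort(key=lambda e: e["ts"])
        return events


    def lease_history(events, ip):
        """Turn the event stream for one IP into lease intervals [start, end)."""
        leases, current = [], None
        for e in (x for x in events if x["ip"] == ip):
            if e["id"] in LEASE_START:
                if current and current["mac"] != e["mac"]:
                    # New MAC with no release/expiry logged: close the old lease here.
                    current["end"] = e["ts"]
                    leases.append(current)
                    current = None
                if current is None:
                    current = {"host": e["host"], "mac": e["mac"], "start": e["ts"], "end": None}
            elif e["id"] in LEASE_END and current:
                current["end"] = e["ts"]
                leases.append(current)
                current = None
        if current:
            leases.append(current)  # still held at the end of the log
        return leases


    def who_had(events, ip, when: str):
        """Return the lease (host, mac, start, end) holding `ip` at `when`, or None."""
        at = datetime.strptime(when, TS_FORMAT)
        for lease in lease_history(events, ip):
            if lease["start"] <= at and (lease["end"] is None or at < lease["end"]):
                return lease
        return None


    if __name__ == "__main__":
        ev = parse_dhcp_log(DHCP_LOG)
        for lease in lease_history(ev, "10.1.2.57"):
            print(lease)
        print(who_had(ev, "10.1.2.57", "02/10/08 14:05:00"))
    ```

    The gap between the 13:58 release and the 14:03 assignment is the point of the interval model: a query at 14:00 correctly returns nobody rather than the previous holder. Once the MAC is known, the next pivots are the ones the post goes on to name (nbtstat and friends) plus the switch's MAC/port tables, and remember to reconcile the DHCP server's clock with the clocks of whatever produced the original alert.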
  11. Looking for some advice

    There are actually a couple of ways to "break in", particularly if you're in the US... Many community colleges now teach computer forensics courses, and some even offer degrees in the topic. Some of these courses are developed by instructors, based on the needs of local law enforcement. This...
  12. Open Source and free EnCase like tools?

    Yes, there are. Stephen Bunting's EnCE Study Guide book has a DVD with a limited version of EnCase meant to be used with the files on the DVD. However, there are other options, as well...on the commercial side, TechPathways offers a Basic version of ProDiscover for free. If you want to...
  13. Finding deleted ms documents with Encase 4.2

    I just did that, and found a lot of links...all that have to do with tools to convert Adobe PDF files to postscript documents. If I were the OP, I'd start with the EnCase user's forum...you can register there using your dongle number. If that doesn't work, reach out to Lance at...
  14. Checking previous sw installed in a computer

    Generally speaking, the Registry can be used to track software that has been installed via some kind of installation package, such as MSI. You can expect to find the appropriate entries in the Uninstall key. However, some software also creates a vendor key within the Software hive, and you...
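    Added example for the Uninstall-key check above. It is editorial code, not Harlan's and not RegRipper; it assumes the key has been exported with reg.exe or regedit (Registry Editor 5.00 format, UTF-16LE with a BOM) so the listing can be produced offline from a text file. The export below is constructed; the products, GUID and paths are made up. The parser handles the three value encodings that occur in such exports (quoted strings with backslash escapes, dword, and wrapped hex/hex(N) data) and then lists each installed product with its InstallDate and UninstallString.

    ```python
    import re
    from datetime import datetime

    # Constructed sample of a `reg export` of the Uninstall key (not a real
    # export). reg.exe writes UTF-16LE with a BOM, which is reproduced here.
    REG_SAMPLE = b"\xff\xfe" + "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]",
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-2222-3333-4444-555555555555}]",
        r'"DisplayName"="Example Suite 2007"',
        r'"InstallDate"="20080115"',
        r'"InstallLocation"="C:\\Program Files\\Example Suite\\"',
        r'"UninstallString"="MsiExec.exe /X{11111111-2222-3333-4444-555555555555}"',
        r'"NoModify"=dword:00000001',
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ToolX_is1]",
        r'"DisplayName"="ToolX 1.2"',
        r'"UninstallString"="\"C:\\Program Files\\ToolX\\unins000.exe\""',
        r'"Comments"=hex(2):54,00,6f,00,\',
        r'  6f,00,6c,00,00,00',
        "",
    ]).encode("utf-16-le")

    KEY_RE = re.compile(r"^\[(.+)\]$")
    VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
    HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")
    UNINSTALL_FIELDS = ("DisplayName", "DisplayVersion", "Publisher", "InstallDate",
                        "InstallLocation", "UninstallString")


    def _unescape(s: str) -> str:
        # .reg strings escape backslash and double quote with a backslash
        return re.sub(r"\\(.)", r"\1", s)


    def _decode_value(raw: str):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            return _unescape(raw[1:-1])                      # REG_SZ
        if raw.startswith("dword:"):
            return int(raw[6:], 16)                           # REG_DWORD
        m = HEX_RE.match(raw)
        if m:
            data = bytes.fromhex(m.group(2).replace(",", "").replace(" ", ""))
            if m.group(1) in ("2", "7"):                      # REG_EXPAND_SZ / REG_MULTI_SZ
                return data.decode("utf-16-le").rstrip("\x00")
            return data                                       # REG_BINARY and the rest
        return raw


    def parse_reg_export(data: bytes):
        """Return {key path: {value name: decoded value}} for a .reg export."""
        if data.startswith((b"\xff\xfe", b"\xfe\xff")):
            text = data.decode("utf-16")      # BOM selects the byte order
        else:
            text = data.decode("latin-1")     # older ANSI-format exports
        lines = text.splitlines()
        keys, current, i = {}, None, 0
        while i < len(lines):
            line = lines[i].rstrip()
            # hex data wraps across lines; each continued line ends with a backslash
            while line.endswith("\\") and i + 1 < len(lines):
                i += 1
                line = line[:-1] + lines[i].strip()
            i += 1
            km = KEY_RE.match(line)
            if km:
                current = km.group(1)
                keys[current] = {}
                continue
            vm = VALUE_RE.match(line)
            if vm and current is not None:
                name = _unescape(vm.group(1)) if vm.group(1) is not None else "(Default)"
                keys[current][name] = _decode_value(vm.group(2))
        return keys


    def installed_software(keys):
        """One entry per Uninstall subkey that carries a DisplayName."""
        out = []
        for path, values in keys.items():
            if "DisplayName" not in values:
                continue  # the parent key, or a subkey with no product info
            entry = {"subkey": path.rsplit("\\", 1)[-1]}
            entry.update({f: values[f] for f in UNINSTALL_FIELDS if f in values})
            d = values.get("InstallDate")
            if isinstance(d, str) and re.fullmatch(r"\d{8}", d):
                entry["install_date"] = datetime.strptime(d, "%Y%m%d").date().isoformat()
            out.append(entry)
        return sorted(out, key=lambda e: e["DisplayName"].lower())


    if __name__ == "__main__":
        for entry in installed_software(parse_reg_export(REG_SAMPLE)):
            print(entry)
    ```

    InstallDate is set by the Windows Installer and is often absent for non-MSI installers (the ToolX entry above), so a missing date is a cue to fall back on the key's LastWrite time or the file system timestamps of the InstallLocation. On 64-bit systems the same structure also exists under Wow6432Node, and per-user installs appear under the user's NTUSER.DAT hive, so export and parse all three.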
  15. Capture Volatile Data

    This won't work...Knoppix doesn't run Win32 PE files (EXEs), and Windows doesn't run Knoppix binaries...
