Recent content by Prickaerts

  1. Recovering Data From Formatted Hard Drive

    Hi Danna, Perhaps a bit late, but be sure not to recover to the same drive you are recovering from. Although this seems logical, I have seen many go from bad to worse here ;) Cheers, Chris
  2. Helix with network server containing 3 SCSI drives

    Hi Peter, It all depends on the error message you got. Perhaps the raid controller was not recognized by Helix, and hence it was not able to access the logical volume. Check the error log for raid array type of errors. You can replay the boot messages with the "dmesg" command. And with what tool...
  3. Unauthorised use of memory sticks & external hard-drive

    Hi PublicAye, If you create(d) a forensic image of the system you might be able to deduce something from timestamp information. As mentioned before, check the creation date of the USB registry key to focus on a specific period. Then look at access timestamps of files touched near/after that...
  4. Email inside pcap file

    Hi Elisa, Have a look at Dug Song's dsniff toolset, it includes mailsnarf: http:// I think it might just be what you are looking for ;) Cheers, Chris
  5. Wireless Access Point defense

    Hi Rk, What do you mean when you say "hacking the wireless network"? - merely sniffing the (radio) traffic - cracking the WEP/WPA keys - hacking into the AP itself Chris
  6. Cyber Crime Investigator

    Hi RK, Welcome to the forum! You will find many good posts on this forum, some with suggestions on how to deal with a certain technical problem, some with tips related to digital forensics in general. Although some hesitation exists to discuss case related info, since this is a public forum...
  7.

    Hi Clark, What we have actually done once is export all the documents onto a disk and add that disk to a machine with Google Desktop installed, to provide indexed search. Keep the machine offline though!! You never know what Google phones home ;) Cheers, Chris
  8. Wireless Access Point defense

    Hi Cam, As mentioned before, you would want to look for digital traces supporting the suspect's claim. - Was the computer hacked into? - Were any viruses active on the computer? - What was the security level of the computer (firewall/antivirus/patches)? Someone else could have used the...
  9. Helix and Vista

    Hi Peter, You could also try another bootable, like Knoppix, to see if it does find the hardware. Do keep in mind that some bootable distros mount drives writeable at boot. Chris
  10. Helix DD and Deleted files

    Hi Jim, If you use DD to copy the entire drive, deleted files, slack and freespace are all in the image. The syntax would be something like this: dd if=/dev/hda bs=512 conv=noerror,sync of=/mnt/dest/hda.img where IF is the source drive, hence /dev/<devicename>. Mount a destination drive to...
  11. DD image

    Good thing about DD is that most operating systems have a version running, often with a default installation (not Windows though, although there is a port). Furthermore, most carving tools really like dd-style (raw) images. Foremost, Scalpel, dd is preferred. DD raw images are mostly also...
  12. Internet Activity browsing (chat etc) on a VM image

    Hi Pathfinder, Unless you had a network wiretap running you would not be able to know what sites were visited from the other computer (from within a VMWare). If you have access to that host machine you could image the VMware host. The VMware image file is read by FTK Imager. Keep in mind that...
  13.

    Hi Clark, We've used Paraben's tool successfully in a GroupWise environment (6.5). Just point to the database folder, select the GroupWise files (see documentation) and import. This CAN take quite some time. When finished, we've exported the mailboxes in .PST format and imported them in FTK to...
  14. Previous - can I still work in forensics?

    Hi Heavenly, How much do you want this? Depending on your past and motivation my guess is it should not pose a problem. Working in any field requires dedication (and skill ;) ). Chris
  15. Roaming Profiles

    Also keep in mind that optionally the profile can be deleted on log off. If the user is only using one workstation and profiles are not deleted at log off, it is probable the local profile matches the network profile (unless a network error prevented the synchronisation). Also, if the user logs...