Search results

  1. timeline analysis

     Three questions... First, what did you use to create the timeline? What version of Windows is the system being analyzed? What else happened 'near' the event? Thanks.

  2. Location for Windows version

     I do hope you enjoy the book. The funny thing is that since the book was published, I've had the opportunity to work on other things. For example, I just created/released a tool called RegRipper, which is a plugin based tool for extracting information from Registry hive files. So far, the...

  3. Which computer created a file?

     How's that? Because someone asks a question and no one can answer it? ;-)

  4. Which computer created a file?

     First off, computers don't create documents...users do. To see on which computer the document had been created, open the Word document in a hex editor and look for "PID_GUID". This is followed by a globally unique identifier that, depending upon the version of Word used, may contain the MAC...

  5. Benefits of command line forensic tools in investigation

     PreferredUser... Yes, that's how things go over on SlashDot. However, Bejtlich and others have documented an increase in interest in books when a review is posted on SlashDot...follow-on comments are irrelevant. A posted review on /. has been directly correlated with an increase in interest...

  6. Benefits of command line forensic tools in investigation

     Guys, Thanks for the recommendations and shout-outs, re: my book. Can I get either of you to provide info on the instructor? How about this...I would greatly appreciate a book review posted to SlashDot. Here's the issue...no one makes money off of books, except the publisher. However, I...

  7. Forensic Community Shortfalls

     Al, Apparently, there are few willing to discuss this... If this is something that you still wish to discuss, feel free to contact me offline...

  8. Capture Volatile Data

     Wow, I post direct links in this forum and my posts get deleted and I get a nasty-gram from the admin... Anywho...Garner's version of dd.exe that you're referring to is no longer supported (he removed the ability to access the \\.\PhysicalMemory object and made the tool closed source). You...

  9. Cheap Software For Practice

     I made a somewhat long-ish post over in the "Open Source and free EnCase like tools?" thread...check that one out... Harlan

  10. Tracking an internal IP address

     It depends on the environment that you're in. Your subject line mentions "internal", but your post doesn't elaborate...I'll assume that you're referring to an internal corporate IP address. The first place I'd start looking is DHCP logs, if the environment uses DHCP. Then I'd go with "nbtstat...

  11. Looking for some advice

     There are actually a couple of ways to "break in", particularly if you're in the US... Many community colleges now teach computer forensics courses, and some even offer degrees in the topic. Some of these courses are developed by instructors, based on the needs of local law enforcement. This...

  12. Open Source and free EnCase like tools?

     Yes, there are. Stephen Bunting's EnCE Study Guide book has a DVD with a limited version of EnCase meant to be used with the files on the DVD. However, there are other options, as well...on the commercial side, TechPathways offers a Basic version of ProDiscover for free. If you want to...

  13. Finding deleted ms documents with Encase 4.2

     I just did that, and found a lot of links...all that have to do with tools to convert Adobe PDF files to postscript documents. If I were the OP, I'd start with the EnCase user's forum...you can register there using your dongle number. If that doesn't work, reach out to Lance at...

  14. Checking previous sw installed in a computer

     Generally speaking, the Registry can be used to track software that has been installed via some kind of installation package, such as MSI. You can expect to find the appropriate entries in the Uninstall key. However, some software also creates a vendor key within the Software hive, and you...

  15. Capture Volatile Data

     This won't work...Knoppix doesn't run Win32 PE files (EXEs), and Windows doesn't run Knoppix binaries...

  16. Any differences between xp and vista registry?

     My upcoming book has an entire chapter on Registry analysis... Troy Larson of MS described that chapter as "worth the price of the book". If there's anything I can do to help, drop me a line at keydet89 at yahoo dot com. Thanks,

  17. Registry key spreadsheet

     I've put together a spreadsheet of Registry autostart and MRU locations, and post it here: windows-ir.com/regkeys.zip Take a look, tell me what you think. Thanks, H. Carvey "Windows Forensics and Incident Recovery"

  18. wbk<hex numbers>.tmp in Temporary Internet Files

     Are these files created by a WebMail client (if so which one) or are they created by something like Outlook when viewing HTML emails? I think that in a way, you've partially answered your own question with: What do you know about these files, for example? Is this your own system or someone...

  19. Program run on live machines

     What are you trying to do? If you're looking to collect volatile data only, I've released the Forensic Server Project (FSP) and First Responder Utility (FRU) off of the web site for my book. The FRU available in my book (updated version is on the web site) works for Windows systems, but...

  20. Incident Recovery

     Savanted1, Perhaps your question is a bit too general. Can you clarify it a bit? H. Carvey "Windows Forensics and Incident Recovery"

  21. Windows Forensics and Incident Recovery

     Well, as the author, I'd suggest checking out the page for the book on Amazon, as well as the recent reviews on Slashdot and in SC Magazine. Thanks for purchasing the book! If you're interested in standalone EXE versions of the tools (FSP, FRU) listed in the book, drop by the book's web site...

  22. Forensics Methodology

     I don't think that the forensics methodology varies a great deal from system to system. The key aspects that need to be kept in mind are: 1. Documentation is king. If you didn't document it, it didn't happen. 2. Follow a prescribed process...document the system and its surroundings...

  23. Learning the Basic Skills

     Prior to writing my book, I offered a course in Windows 2000 incident response. Now that the book has been completed, I'm again offering the course, but including Windows XP and 2003. H. Carvey "Windows Forensics and Incident Recovery"

  24. The Application of Computer Forensics

     This is true, but remember, many investigations are non-litigious in nature...they are intended to find out what happened and how, not to prosecute someone. This is the approach I take when addressing Windows systems in my book, "Windows Forensics and Incident Recovery". In a nutshell, data...
