Search results

  1. C

    Safeguard Easy - Removal of encryption

    I believe EnCase supports Utimaco. Take a forensic image of the encrypted drive, import it into EnCase, it will ask for a password, enter the credentials and you're good to go. Otherwise, I agree with Art's method.
  2. C


    Is there any visible data on those partitions? Look in Prefetch to see if TrueCrypt has been run. Look at the LNK files to see if there are any references to files contained in those partitions that may be encrypted. There is a program here that claims to identify TrueCrypt containers. www...
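    A cheap first pass for "is this blob an encrypted container?" is to look for the absence of any recognisable header combined with sector-aligned size and near-maximal byte entropy. The script below is an added example written for this page, not the program the post refers to; the 7.9 bits/byte threshold, the 4 KiB minimum and the magic table are assumptions, and the sample inputs are constructed.

```python
"""Entropy/size heuristic for spotting an encrypted container such as a TrueCrypt volume.
Added example for this page, not the identification tool mentioned in the post."""
import math
import random
import sys
from collections import Counter

# Compressed formats are high-entropy too; rule them out by magic before trusting entropy.
# Table is an illustrative assumption, not exhaustive.
KNOWN_MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"), (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"), (b"%PDF-", "pdf"), (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"Rar!\x1a\x07", "rar"), (b"\xfd7zXZ\x00", "xz"), (b"BZh", "bzip2"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; uniformly random data scores just under 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def known_format(data: bytes):
    """Name of a recognised header at offset 0, or None."""
    for magic, name in KNOWN_MAGIC:
        if data.startswith(magic):
            return name
    return None


def classify(data: bytes, sample_size: int = 65536, threshold: float = 7.9) -> dict:
    """Flag data as a probable encrypted container when it has no recognised header,
    is a multiple of 512 bytes (TrueCrypt volume sizes are sector multiples) and its
    first sample_size bytes are near-random. Threshold and minimum size are assumptions."""
    fmt = known_format(data)
    entropy = shannon_entropy(data[:sample_size])
    sector_aligned = len(data) % 512 == 0
    probable = (fmt is None and sector_aligned and len(data) >= 4096
                and entropy >= threshold)
    return {"format": fmt, "entropy": round(entropy, 3),
            "sector_aligned": sector_aligned, "probable_container": probable}


def sample_data() -> dict:
    """Constructed inputs: deterministic pseudo-random bytes standing in for ciphertext,
    plain text, a gzip-looking blob (high entropy but known magic) and a tiny fragment."""
    rng = random.Random(2009)
    noise = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    return {
        "container": noise,                                            # 65536 bytes, aligned
        "text": (b"The quick brown fox jumps over the lazy dog. " * 2000)[:65536],
        "gzip": b"\x1f\x8b\x08\x00" + noise[4:],                       # same size, known magic
        "small": noise[:100],                                          # too small to judge
    }


if __name__ == "__main__":
    if len(sys.argv) == 2:                       # classify a real file given on the command line
        with open(sys.argv[1], "rb") as f:
            print(classify(f.read()))
    else:
        for name, blob in sample_data().items():
            print(f"{name:10} {classify(blob)}")
```

    A hit here is a lead, not proof: a wiped region, a raw key file or a random-looking firmware blob will score the same, and a container whose size happens not to be sector-aligned (or that is stored with a trailing slack) will be missed. Corroborate with the Prefetch and LNK artifacts the post describes.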
  3. C

    Another Equipment Question

    Having been in your position once, I would recommend: Desktop with lots of RAM and CPU power Large dual monitors Extra storage devices Server 2003 or 2008 Ultimate Write Block Kit EnCase w/training Here are my justifications... Most commercial forensic tools run on Windows. Server 2003/08 will...
  4. C

    Help! How do you nullify the effects of Go.DriveClean

    ISPs will retain logs of assigned IP addresses, but I have always been assured (by the larger ones anyway) that they do not retain a listing of sites visited. This would be a huge privacy nightmare, a storage nightmare due to the large volume of data, and it is simply not needed for the normal...
  5. C

    HELP needed regarding Report writing

    Hi! Welcome to the forum! Good luck with your homework. I don't think anyone else will do it for you. Especially if you're in that much of a hurry. But, for a starting point, Google for email headers. Write your report beginning with the case facts and what steps you took to get to a conclusion.
  6. C

    2009 CFCE Conference

    During the course? Try to remember half of what they throw at you! :) For the practicals, you're going to use DiskEdit and SPADA. Pay extra attention to those modules. Everything else will help, but you're going to cover a ton in the practicals that aren't necessarily addressed in the class...
  7. C

    2009 CFCE Conference

    The practical/testing portion doesn't take place during the class. It is a looong process that starts after the class is over. My advice is start early and don't procrastinate. The coaches that help with testing are generally very knowledgeable and quite patient as they help guide you through...
  8. C

    Live memory forensics cases

    Not sure if this will help... http ://www,130061733,339278641,00.htm
  9. C

    Affidavit and Search Warrant

    Thanks, KP. I agree, I never had a judge do anything but sign the warrant.
  10. C

    Affidavit and Search Warrant

    This is pretty open ended. Ask anything you think is necessary. Judges don't fill out search warrants - officers do. You need to learn as much information as possible. For a search warrant, you need to show that there is probable cause a crime was committed and there is evidence you can collect...
  11. C

    Operating System and Network Adapter Info

    An alternative method would be to export all the registry files and use RegRipper to process them. You'll get all that information and more.
  12. C

    For the Forensic Pro

    I respectfully disagree with Uzdcar. I was a sworn law enforcement officer and while assigned to criminal investigations worked every type of case imaginable. I also specialized in computer forensics and worked with numerous other agencies on cyber crime cases. IACIS is a law enforcement based...
  13. C

    File headers

    Yes, check out WinHex as it does have a decent carving function. There is a list of file headers within the program. Also try PhotoRec - a very nice tool as well.
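    The header list the post mentions is the heart of any carver: scan the raw image for each magic value, then cut to the matching trailer or to a length cap. The script below is an added example for this page, not WinHex or PhotoRec code; the signature table, the length caps and the sample image are constructed for illustration.

```python
"""Header/trailer file carver over a raw image. Added example, not WinHex or PhotoRec code."""
import os
import re
import sys
from dataclasses import dataclass

# Signature table (illustrative): magic header, trailer, and a cap on carve length so a
# missing trailer cannot swallow the rest of the image. Real carvers also validate
# internal structure (JPEG segment lengths, PNG chunk CRCs) instead of trusting trailers.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 16 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 16 * 1024 * 1024),
    "gif": (b"GIF8", b"\x00\x3b", 8 * 1024 * 1024),          # GIF87a / GIF89a
    "pdf": (b"%PDF-", b"%%EOF", 64 * 1024 * 1024),
}


@dataclass
class Carved:
    kind: str
    offset: int
    length: int
    complete: bool      # True when the trailer was found inside the window


def carve(image: bytes, signatures=SIGNATURES) -> list:
    """Return every header hit with its carved extent, sorted by offset."""
    found = []
    for kind, (header, trailer, max_len) in signatures.items():
        last_end = -1
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            # Skip a header that lies inside the previous complete hit of the same kind,
            # e.g. an EXIF thumbnail's own FF D8 FF. (The thumbnail's FF D9 can still end
            # the outer JPEG early; that is the known weakness of trailer-based carving.)
            if start < last_end:
                continue
            window_end = min(len(image), start + max_len)
            idx = image.find(trailer, start + len(header), window_end)
            if idx == -1:
                found.append(Carved(kind, start, window_end - start, False))
            else:
                found.append(Carved(kind, start, idx + len(trailer) - start, True))
                last_end = idx + len(trailer)
    found.sort(key=lambda c: c.offset)
    return found


def write_carved(image: bytes, hits, outdir: str) -> list:
    """Dump each carved object to outdir as <offset>.<kind>; returns the written paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for h in hits:
        path = os.path.join(outdir, f"{h.offset:012x}.{h.kind}")
        with open(path, "wb") as f:
            f.write(image[h.offset:h.offset + h.length])
        paths.append(path)
    return paths


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space: a fixed filler pattern with a PNG,
    a JPEG, a PDF and a trailer-less (truncated) GIF embedded at known offsets."""
    def filler(n):
        return (b"\xaa\x55" * (n // 2 + 1))[:n]
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    jpg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x01\x02" * 20 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n"
    truncated_gif = b"GIF89a" + b"\x10\x00\x10\x00" + b"\x80" * 30
    return filler(512) + png + filler(100) + jpg + filler(64) + pdf + filler(33) + truncated_gif


if __name__ == "__main__":
    if len(sys.argv) == 3:                          # carve <image> into <outdir>
        with open(sys.argv[1], "rb") as f:
            img = f.read()                          # use mmap for real disk images
        hits = carve(img)
        write_carved(img, hits, sys.argv[2])
    else:
        img = build_sample_image()
        hits = carve(img)
    for h in hits:
        print(f"{h.kind:4} offset={h.offset:#x} length={h.length} complete={h.complete}")
```

    Objects carved with `complete=False` are header-only hits cut at the length cap; treat them as candidates to examine in a hex editor rather than as recovered files. Fragmented files are not recovered by this approach at all, which is why the commercial tools the post names add structure-aware validation on top of signature search.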
  14. C

    Online identity theft

    PMs are disabled on this board. Plus, I'm not even sure what information you're looking for.
  15. C

    Free downloads?

    Here's a list of some other free options... www
  16. C

    Dead Phone Recovery?

    Bitpim is a great tool, but the phone has to be able to turn on for it to work. See if you can find another battery, some phones won't turn on with a bad battery even if plugged into a charger. That's the cheapest solution to try at this point. If you can't get the phone to turn on, you're...
  17. C

    Dead Phone Recovery?

    Did you try a different battery? If the phone won't even turn on, there are going to be additional issues than just plugging in an adapter and hooking it up to the computer.
  18. C

    Free downloads?

    Yeah... I highly suggest not doing this.
  19. C

    How to increase customer reliability on my payment system?

    You are absolutely correct - same IP. I edited the spam, but didn't delete so Admin5 could either ban the IP or remove the entire thread if he wishes.
  20. C

    Using strings.exe on a .dd ram image

    Check out Volatility and Memoryze as two tools that are specifically built for analyzing images of memory.
  21. C

    Topic for research paper

    I just had a discussion with a coworker about alternative forms of evidence. With the advance in auto technology, we wondered what could be found by performing "forensics" on a vehicle. Well, I'm still not sure, but there is some interesting stuff out there. I would be interested in an in-depth...
  22. C

    Time stamps

    I like the Live CD theory. I know some Linux CDs will run entirely in memory and the CD can be removed from the drive after it's loaded. I haven't used WinPE for a while, but will it run entirely in memory as well? Was the system possibly booted from a USB drive? And I think Vista only disabled...
  23. C

    Time stamps

    Daylight savings? :P Are you talking about access times or modified and created as well? Maybe they turned off access time updates?
  24. C


    Do a quick Google search for "limewire spam.dat" http ://www,GGGL:2006-36,GGGL:en
  25. C

    File undeletion from command line?

    F-Response isn't free, but is amazing for the price. Check out the Enterprise version. Basically you can mount a remote drive read-only and use whatever tools you want against it. So, with F-Response you can use EnCase to recover deleted files on a remote machine. I don't think it's exactly...
  26. C

    What sort of data from ISP

    PU is quite right, however, I don't think you'll ever get a listing of websites visited or connections made. Retaining that information would be too taxing on resources. It also has no bearing on billing and would be a privacy nightmare if that type of customer info was leaked.
  27. C

    What sort of data from ISP

    www Check out the retention rates and what type of info they collect. You won't get a history of sites visited or connections made. You could probably get a better "content" response through email history.
  28. C

    does an OWI disqualify someone?

    Plus if they discourage you from taking the courses they won't get your money. :lol:
  29. C


    Seems like a lot of work when you could just employ full disk encryption with a strong password and not have to worry about it either way. :D
  30. C


    You're kind of right... if you are logged in and have EFS enabled, when you move an encrypted file to a FAT drive then the file will lose its encryption on the FAT drive. Every laptop should have whole disk encryption. My laptop is encrypted but I have nothing worth investigating on there. I...
  31. C


    In my opinion, the only "anti-forensics" tool worth its salt is encryption. If I encounter a drive with whole disk encryption and I don't have the password, then I'm pretty much done. There is simply no available data for me to get at. Look at other tools like TimeStomp. Someone could...
  32. C

    Computer Forensic Conference 08

    Glad you had a good time. We'll definitely see about next year.
  33. C

    Cell phone hex analysis

    CPA from BK Forensics is nice, but still misses things. Most of these programs are in their infancy and don't interpret everything they should. They don't support a whole lot of phones and manual carving is still going to be needed. That being said, it will be nice in a couple of years when...
  34. C

    How do I search in ftk imager

    Just for reference, there are a couple of other things you can try. Download WinHex and then open the image under "Disk Tools". You can also do data carving/file recovery under the same menu. I've also had excellent luck with PhotoRec. It normally runs against a mounted drive and not an...
  35. C

    Basic forensic image for eDiscovery - Windows XP

    I may not be following this correctly, but... did you read the Helix manual? Start at page 91 for a description on how Helix boots and how you can image the hard drive. The basics are this - put the Helix CD in the computer you want to image, start the machine to boot Helix, attach a USB drive...
  36. C

    Done with the Army (soon), on to CF!

    I would say study and get your forensic certs while working your way up from the streets. If your bosses see you working hard to achieve a goal, they may push you into that role sooner. If you walk in the door with everything already, it won't mean as much. Either way, they're not going to...
  37. C

    Best method of determining if a file has been copied

    I would love to be corrected if I am wrong, but I don't think there are any artifacts or records of a file being copied. If I drag and drop a file onto a USB drive, there will be no record other than the USB device being plugged in. It could be possible that someone copied a file to a USB...
  38. C

    Computer Forensic Conference 08

    I attended last year, but won't be going this year. Hope you have fun and it goes well!
  39. C

    Need some critical advice

    Whichever path you follow is up to you as there are pros and cons for both. My coworker and I came from entirely different backgrounds and work experience but ended up in the same place. We both bring different skills and expertise to the table. I was LE, he was corporate. Each of us...
  40. C

    Need some critical advice

    Just something to think about... if you get hired as a police officer, make sure you _really_ want to work as an officer. If your ultimate goal is to conduct computer forensic exams, it's going to take a while to get there within the department. In the meantime, you're going to have to cut...
  41. C

    Sim card reader.

    IMHO, Cellebrite UFED is going to give you the quickest and easiest results without going to a lot of classes and investing in a bunch of other solutions. A complete toolkit would be nice, but if you can only afford one thing, Cellebrite might be it. Should probably try checking out one of the...
  42. C

    Sim card reader.

    SIM cards may be updated, but probably won't go away as they're used on GSM networks. I think you can certainly justify $130 with the big bosses for the program.... OR, spend more cash, get some good training, and get the program "for free" from the class: This is taught...
  43. C

    HD recovery from fdk imager

    Just a note, FTK Imager can be downloaded for free from AccessData's website.
  44. C

    Sim card reader.

    Hey Eureka - as phones become more and more complex, they continually look at other storage areas other than the SIM. SIMs can only store a very small amount of info, but you will always find network info there. It may also have some of the phonebook and a few text messages, but don't count on...
  45. C

    BACKGROUND CHECKS & Identity Theft

    Yes, they research your background. Please see the link Ancient already provided that answers your question. Your website makes that clear. This is COMPUTER Forensics World, not DOC & OFFICE Forensics World. I'm guessing this is partly why you didn't get a response. Well, that and you've already...
  46. C

    CFCE re-certs

    Did you go through the whole CFCE certification process? If not, you don't have to worry about those requirements. For future reference, this question could quickly be answered straight from the horse's mouth on the IACIS listserv, member website, or by using the contact form on the website.
  47. C

    Beginner looking for tool advice

    Regshot will snapshot the registry for you and report on changes. Process Monitor will record all activity and has powerful filtering to narrow things down. Memory DD will help capture memory which you can use something like Volatility to help parse through. All are free.
  49. C

    Degree Certs Question

    CISSP is more accepted overall and will open doors simply because you have it. Many HR departments will dismiss a resume if it isn't listed. I highly recommend Shon Harris' books and the website. The CISSP is security oriented, so you won't find a lot about forensics on it. If...
