Search results

  1.

    Spouse Consent to Search

    Sounds to me like he has a reasonable expectation to privacy on that machine.... I would not do it on the consent of a spouse that does not have access to the machine
  2.

    Help! How do you nullify the effects of Go.DriveClean

    Excellent point Warlockz... The caveat being...if it is in a home LAN or something similar doing NAT you will only have the information of every computer on that LAN and where it went..... for example, I have several computers in my home for the rest of the family..... The ISP logs would show...
  3.

    Protecting your forensic workstation from viruses

    make an image of your pristine forensic workstation....... you should only have your virus set to notify you of potential viruses..... Many hacker type tools will be flagged as viruses by anti virus programs... these may be evidentiary... you can research the reported programs and their effects...
  4.

    Linen: Physical vs. logical disk

    you could also have privacy issues or restriction on your search authority..... you may not be allowed to seize other areas of the disk
  5.

    Affidavit and Search Warrant

    sorry for the late reply....... basically you need to establish the constitutional requirements for the search warrant to be issued..... you need to describe the crime being investigated... establish the probable cause (why you believe that the evidence being sought will be wherever you...
  6.

    Credit Crisis & Fraud

    The spike in demand has less to do with the economic situation and/or increased crime in general, and more to do with the proliferation of digital devices....... In the old days a crime might have a piece of paper or communications related to it. Nowadays that paper or communication is...
  7.

    help with ip lookup

    If she is concerned about contact with him why is she trying to track him...... If he is not contacting her no problem..... If he does then he has violated the protection order and the police can deal with it. If he has been arrested for violating the order and convicted then the court surely...
  8.

    International Computer Forensics

    CF exists in all nations... the issues become the laws that exist in those nations..... I am of the thought that the Info Systems is a great way to leverage your knowledge...if you wish to get into the CF field look at certification in that area over a specialized Masters...... I see little...
  9.

    Book Question

    While there may be good arguments for the A to Z approach.. The problem is that no two cases will be alike... so the A to Z approach may only address a small portion of the total population of potential cases. Technical is easy...... you can use the technical skills in any case situation... you...
  10.

    What to wear?

    If you have a sleeve..... wear a long sleeve shirt anytime you may be dealing with the public.......and don't make it a white one that you can see through enough that people can get a hint of your sleeve.... make sure it totally conceals your ink. People are going to be looking at you and...
  11.

    How to prove a HDD was being re-image before?

    the fact that all the time and date stamps show a big gap could be a clue..... for example... they made the original image 6 months to a year ago.... and the image that is on the machine now shows a big gap in time and date stamps on files between that image time and current time.... or better yet...
  12.

    Time stamps

    was it a Vista machine..... I believe Vista does not update MAC times unless the registry key telling it not to is changed.
  13.

    log on/log off

    check the index.dat files for the urls... and look at temp Internet cache... might be some cached pages there
  14.

    Master Degree Discussion

    A lot depends on where you are now...... if you are in an organization that is governmental or quasi-governmental. Then the aspects of the MBA and are really good for the ability to move up the ladder and be a better administrator of programs... be they CF related or otherwise..... I know in my MS...
  15.

    Master Degree Discussion

    is my 2 cents... as a person with a MS that got it while working... Just judging by my recollection of your past posts, I would say you have sufficient training and experience in this area. Most Masters Programs are for higher level personnel..... I would suggest an MBA with a...
  16.


    I remember reading about some image carving tools that would look for the hex numbers that represented skin tones in image files...... I don't remember the tool/s that it was about... and I'm not sure how reliable it would be with the potential variations on skin tone and image quality... blah...
  17.

    Wiped files

    presence of a file wiping program.... logs from that program........ entries in the MRU keys of the registry that point to files that are gone....... lots of little clues that help paint a picture...a lot of them will leave directory entries though the files will be wiped
  18.

    Hidden Images On Slack Spaces

    no carving utilities in the imager... not sure about the demo..... if you like you could probably export out the unallocated space and use a carving tool on it to recover the files.. Most of the tools on penguin sleuth have been ported to run on windows, but may require cygwin..... Penguin...
  19.

    What sort of data from ISP

    Sorry.. I did not have time to post the link to the DOJ's guide to what you can get with Subpoena, 2703d court orders and search warrants.... it is very informative and has a lot of information which can trip you up if you are not aware of it remove spaces and you're good to go http: //www...
  20.

    FTK Imager Lite - How to read FS

    I don't know if AccessData ever fully implemented this concept.... originally you could collect the folder contents, and you can review them from the imager... then you can export out whatever files you are interested in etc.... up to FTK 1.6ish you could not load those into the full version of...
  21.


    Yup... that's the clause I was referring to.
  22.


    Helix has a is not free for commercial use....check the license....... I'm sure the $250 is licensing for commercial use.
  23.

    What sort of data from ISP

    you won't get connections info (URLs visited) with a subpoena anyway....... you need a 2703d court order or search warrant for that..... look over the DOJ's electronic and digital evidence court guide for what you can and can't get with what and when.. (you might be able to get them based on...
  24.

    ASCLAD Lab certification

    It is a Pain... there is a lot that goes into it...... mostly administrative minutia........... unless you are required to do it my suggestion is not to do it... especially in these days of constricting budgets.... I see little fiscal responsibility in the process... it reduces productivity and...
  25.

    E-mail Header information question

    Well provided that they were not spoofing the address and not using an open relay or mail service yes you can assume that they came from the same network...... There are a lot of things that can be done to hide the location of the sender..... so the only true way is to get log files from the...
  26.

    Fullproof Way To Hide Any File - Yes it Can Be Done

    Create a host protected area, if one is not already on the disk....... If you want to be really anal write your image backward ( you can use tail or dd rescue) in the host protected area to help obfuscate carving it back out with data carving tools or even offset it by a byte or so to further...
  27.

    Some info on an ibm thinkpad t42 hdd

    if it has the hard drive security password set you are pretty much dead in the water..... see if you can find other devices used by the same subject and look for passwords on them... maybe they used the same one for the hard drive.
  28.

    ASCLAD Lab certification

    Yeah..... Most of the ASCLAD certified digital evidence labs have multiple examiners....... My organization moved the discipline into the lab, which is ASCLAD certified, thus the discipline must be ASCLAB certified............ but they don't/won't add resources to the discipline......... this...
  29.

    ASCLAD Lab certification

    Basically... I'm looking for info from small labs that might be certified.....(public Sector) that are less than 5 or 10 examiners??? Anyone????????
  30.

    ASCLAD Lab certification

    Sorry for the late reply to the replies.... I've been busy with remediation and forgot what I needed now???? Always the first to go ;) Anyway.... for those that are certified.... about how many bodies do you have in your lab??
  31.

    ASCLAD Lab certification

    Anyone here in an ASCLAD certified digital evidence lab????
  32.

    What am I legally allowed to do?

    there are plenty of technology options available to you..... you can use CMOS passwords, Disk security passwords.... any one of the encryption tools that will do full disk encryption......... all of these will be effective tools for you.... provided your user knows how to not give other people...
  33.

    Your opinion needed on the most important new technology...

    Sorry for the late reply...been tied up.. The more I think about it I'm not sure about recovery or not..... I think it's going to depend on the approach taken by the producer of the device..... I think you might be able to carve out data provided you can gain direct access to the memory area...
  34.

    Identifying Stolen Property - Notebook

    Regarding your ethical flag.... this should not be an issue because your bad guy isn't claiming a property interest in the property..... the "these aren't my pants kind of thing"...Thus it is abandoned property and law enforcement has an interest/duty to return property to its legitimate...
  35.

    Your opinion needed on the most important new technology...

    Yes the nature of the way solid state drives work is not compatible with the recovery of deleted files......
  36.

    Your opinion needed on the most important new technology...

    I can tell you what the most important tool not developed has been...... Cell Phone tools..................development is difficult though.... nature of the beast...................disparate systems, carriers and vendors....... all are very individual in nature......................... Cell...
  37.

    Identifying Stolen Property - Notebook

    We can answer that here...... the question will you feel comfortable testifying to it in court..... It may not be a real issue or it may become a big issue...... If all you do is find a former user name or files that belonged to a victim owner you may be able to get around the...
  38.

    Ethics and law regarding retrieved email password

    I agree strongly with you guys here....... the examination should be limited to the local computer...... logging in to an account you do not have legal access to is a big no no....... If you can avoid the potential issues do so......If legal access is not clear I would suggest you petition the...
  39.

    Forensic Time Travel?

    Reference the comment stating that if content changes but file size does not then the modified time will not be updated??? I don't agree with that........ try this simple test...... look at your MAC times for a simple document file you created some time in the past..... now open the file change a...
  40.

    Forensic Time Travel?

    Wayne....based on what you have said I would tend to concur.... (without looking at the evidence of course I can only provide a guess based on what you have said). really look at other time and date stamps that are based on exterior sources if you can.......... if the server is doing proxy or...
  41.

    Identifying Stolen Property - Notebook

    You probably won't find any drive encryption on that older system... you can view the Mac file system with FTK imager and parse the file system to look for e-mails or other files that might help identify your owner. If you don't want to pull the drive out..... PowerBooks and MacBook Pros are...
  42.

    Ethics and law regarding retrieved email password

    Okay... that clears it up a bit.... here is my take.... the father can give permission to image and examine the computer and its contents....... that child probably has no reasonable expectation to privacy to content on the computer... dependent on how the father has dealt with the child in the...
  43.

    Ethics and law regarding retrieved email password

    that's some pretty vague what if..... you need to be more specific...... did they have permission to image and examine the machine.... and was that where the info came from........or did they get that passwords from there and then log onto some other machine to get the contents............it's not...
  44.

    Need Help - Over 2TB Raid array in forensic workstation

    here is a thought...... If it works in your infrastructure use FreeNAS or some other storage solution (Server/SAN/NAS/etc) and put your drives there for archiving with a fast NIC/s... then use your forensic workstations only for processing...... this helps prevent the possibility that some...
  45.

    some problem with d-link switch.

    This isn't really the proper forum for this question... This forum is for computer forensic related questions not network support Buuuuuuuuttttttttttt ...... you don't mention a router/server or proxy anywhere in there.............. if you don't have something doing NAT and issuing IP's...
  46.

    Forensic Time Travel?

    I think you might have misunderstood the way created and modified stamps work...... you could end up with a modified time after the created time in the following way.... Created times show when a file first appeared on that piece of media....... soooo lets say that the file was originally on a...
  47.

    How can I tell if a file was accessed?

    Sorry for the late reply........ I had not seen can look in the registry for the MRU (Most Recently Used) registry keys for the extension in question..... that can help you see if maybe it was used recently... you can also look in restore points if one was created around the time...
  48.

    VersaCheck Examination

    you need to use versa check to view them... there may also be some java scripts in the temp internet cache that may be of interest also... so look there..... where are you in Tucson and are you with an agency??????
  49.

    External Hard Drive Not spinning

    Ditto what everyone else has mentioned here.... the vast majority of reported external drive failures I have been exposed to are really just power supplies that have gone the way of the dinosaurs..... Break out that Volt Ohm meter and test that sucka.
  50.

    How long are Hotmail messages retained by MS?

    Well you might want to reconsider your selection of user names...... And not to worry..... If you didn't breach your contract I'm sure there will be nothing in the subpoena returns. Party On Garth!!!!

About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.
