Search results

  1. G

    Anti-Forensics

    Just curious, has the cluster ever proven effective for you against encrypted volumes?
  2. G

    Corrupt BMP & JPEG repair

    There wasn't anything to repair. It was just a small snippet of the beginning of a BMP file with the rest missing (either overwritten or fragmented elsewhere). Sometimes hex tells you more than an automated tool...
  3. G

    Corrupt BMP & JPEG repair

    It doesn't appear to be another kind of graphic that was modified to look like a BMP, though I will look at that some more. It is a pretty small file overall, so I doubt it would be very large even if it were a valid file. I also tried changing the internal size to match the file you made...
  4. G

    Corrupt BMP & JPEG repair

    That file is only a fragment of the original file. It is 29KB, and the original (according to the size listed within the BMP) is 787.5KB. There is no fixing that without the rest of the file. Unfortunately, BMP files have no footer, so that can be problematic if it is fragmented on the...
  5. G

    Corrupt BMP & JPEG repair

    There are lots of sites that contain the specifications for how a JPG file is constructed (as well as BMP, GIF, TIF, and other graphics). This is how I learned what belonged and what didn't. It is not a trivial "just read this 3 step process and you'll be a whiz", it is fairly involved...
  6. G

    Corrupt BMP & JPEG repair

    Not besides a hex editor and lots of patience. I've repaired a few JPGs this way, but the problems were usually obvious, like extraneous headers or a missing footer.
  7. G

    Fed Case: Plaint says HD image is not the same

    I'm not sure what your point is ThomasCrw. If the hash of the drive and the hash of the image match, you have an exact copy of the latent data. If the individual hashes of files match with the hashes of the files in the image, then you have exact copies of the data. The nature of the data is...
  8. G

    Creating a DD image from multiple files

    I use a tool called MagicISO, which can create ISO images of whatever files you like. A dd image of a CD, and an ISO image of the same CD are the same thing, at least I can use them interchangeably. Keep in mind that a dd image can be of any kind of drive, so you need to know what sort of...
  9. G

    File Extension finder

    "foremost" is a command-line program that searches for specific file headers and footers, and so ignores the file names and extensions. For example, I provide it a disk image to scan, and tell it to look for JPGs and it will search the hex code of the disk image for FF D8 indicating the...
  10. G

    Programming Languages

    I've been learning Python recently and it has come in handy for certain JPG type identification (progressive vs standard encoding) and manipulation (stego practice). I started years ago with basic, visual basic, C, shell scripts, and PERL. All of them are useful for learning ways of manipulating...
  11. G

    Hard drive corrupt/inaccessible

    I've also had good luck recovering "dead" drives with SpinRite from grc.com. As long as the drive will spin up, I've been able to recover the drive. Yes, a Knoppix or Ubuntu Live CD could also probably access the disk, if it isn't too far gone. You could transfer files via CAT5 cables and a...
  12. G

    Hardware Drive Wipers

    DBAN, aka "Darik's Boot And Nuke", free software that does the job.
  13. G

    Steganography Question

    The issue of steganography is often twofold. If you can determine that data is hidden, you can try to recover it. Once it is recovered, it could also be encrypted, and then you have to try to decrypt it. I have tried StegoSpy and StegDetect against some JPGs where I hid data (in order to test...
  14. G

    DAT and LTO tape data recovery.

    There is a very applicable method for finding the right block size with DD on this site: crazytrain.com/dd.html It is a short article by Thomas Rude on how to use DD effectively, and mentions some of the lesser known switches for finding block size. He basically says that if you feed dd a block...
  15. G

    Civilian Steganography

    The laws on exporting cryptographic software relaxed under Clinton back in 1996. According to "en.wikipedia.org/wiki/Export_of_cryptography" the laws now mostly restrict export to rogue nations or known terrorist groups. However, many open source crypto packages are available for download from...
  16. G

    Civilian Steganography

    There are so many ways to take what you have said, and I see a couple of views simultaneously. Philosophically, privacy is a freedom that we all cherish, and the ability to protect private information is fundamental to keeping freedom real. Your statement about "cryptographic techniques that no...
  17. G

    Broke DVD

    That sounds good in theory, but I've yet to see it actually work, particularly where the data closest to the hub is affected.
  18. G

    Broke DVD

    The crack may look small to your eyes, but to a laser it is the grand canyon. It is dead and gone. On a similar note, I was doing tests last year on CDs and DVDs that weren't being read (from software errors usually), and if the computer didn't recognize them as disks, there was no software...
  19. G

    CSC Folder/ Offline Files

    If this guy is an average user, it is also possible that he did this without even realizing what he was doing. I have helped countless people in my help desk days who barely knew where the power button was, and they could delete an entire department's drive contents to "free up a bit of space".
  20. G

    Noob question about searching

    One other option is the program "foremost" which you can feed hex numbers, and it will scan the disk image for those numbers. For example, you can tell it to look for a header of FF D8, and have it carve out a particular amount of data, or tell it to look for an associated footer like FF D9...
  21. G

    Noob question about searching

    If I open a file in a hex editor, I can see the first few bytes automatically and don't need to do a search. It is like opening a text file with a text editor, you can automatically see the first few lines. If I open a JPG file, for example, I can see the FF D8 right at the start, so I don't...
  22. G

    Partition that has been encrypted and erased

    Lem, I'm not sure what you are asking. When you create the TrueCrypt partition or container, any data you store in it is automatically encrypted. If the computer were then shut off, the data would be encrypted and meaningless to anyone without the password and a copy of TrueCrypt. The only...
  23. G

    Grounds for investigating someone's PC because of suspicion

    I'd imagine that has to do with *who* is suspicious, and what the activity is. You might provide more detail about what you are really asking. If it is a wife or roommate, she would have to convince the authorities that there is a legitimate concern, such as providing links or pictures, or...
  24. G

    ABC News on false CP possession

    Here is a link to an interview with the DA involved in this case: abcnews.go.com/2020/story?id=2791529&page=1
  25. G

    ABC News on false CP possession

    abcnews.go.com/2020/LegalCenter/story?id=2785054&page=1 (By "false" in this context, I meant he didn't deliberately or knowingly download it) The behavior of the prosecution in this case is really appalling to me, at least the way it is being reported. I always take ABC with a grain of salt...
  26. G

    Evidence Deletion

    I can't imagine that these new laws will go unchallenged. If normal procedures like defragging will suddenly be seen as "deletion of evidence", we're all screwed. The very concept shows a dramatic lack of technical understanding, and seems to assume guilt.
  27. G

    NTFS mount RW

    I've seen a lot of warnings in the various Live-CD forums about writing to NTFS from Linux, particularly that it can corrupt the file system. I've always been hesitant to try it. Reading NTFS is fine.
  28. G

    ntuser.dat.log says "dirty"

    "dirty" refers to the live system hive not being updated properly: scilnet.fortlewis.edu/tech/NT-Server/registry.htm When you make changes to the Registry that affect the HKEY_LOCAL_MACHINE\SYSTEM hive, the changes are first applied to the actual system hive, then to the alternate hive. If...
  29. G

    netcat - multiple files?

    TARing seems to be the best approach in this situation. Regarding the netcat link being broken after one transfer, that didn't come from a manual, but from actually trying it. The receiving machine gets one file and then closes the connection. This may be a function of the OS, and I'll try it on...
  30. G

    netcat - multiple files?

    Thanks for your input, but you aren't really getting what I want to do. Say I have 15 files, and just want to transfer the lot of them back to the lab. I don't want to do the whole disk, just a set of files. Netcat seemed like a good approach, but is apparently limited to single files and then...
  31. G

    netcat - multiple files?

    No, I'm talking about a simple host to host transfer of files. Netcat works well for a single file transfer, but there does not seem to be any way to "hold it open" or give it a batch command to transfer other files as well.
  32. G

    netcat - multiple files?

    Is there any way to get netcat to work with multiple files in one session? If not, any suggestions on a similar transfer method?
  33. G

    Secure "erasing" - how effective IS it?

    For whole drive or partition wiping, I like to use DBAN (Darik's Boot 'N Nuke). For just freespace wiping, Heidi's Eraser (Not Erase 2003) is what I use. Having tested both, I was unable to recover overwritten data using FTK and Foremost.
  34. G

    Secure "erasing" - how effective IS it?

    Eraser uses a different term for slack space: Cluster Tips. Here is what I wrote in the Eraser forum: It is a lot easier to draw a picture than to explain with words, but here goes. When a file does not fill up the last cluster (group of sectors) it is using, an incomplete sector is filled in...
  35. G

    Secure "erasing" - how effective IS it?

    I hear the multiple passes claim mentioned a lot, but haven't seen anyone back up the claim with modern equipment. As I posted in this same thread back on May 6, my own experiments show that one pass of pseudorandom data completely prevents the recovery of any data that occupied the same space...
  36. G

    Favorite Tools: What are yours?

    FTK dd nc (netcat) Helix collection Knoppix-STD (more for penetration testing, demonstrations of network non-security) SLAX live CD (for non-forensic quick imaging using dd and nc. Can load into RAM to free up the drive) XVI32 (Hex editor. There are better ones, but it works for me.) SpinRite...
  37. G

    Carve tool --> Scalpel

    Thanks! I'll try it out. I wasn't able to get the link to the PDF to work. The cs.uno.edu portion doesn't seem to exist.
  38. G

    dd restore problem

    The last entry indicates the use of scramdisk, a disk encryption utility. Without this software to interpret the disk image, I doubt that your OS will be able to interpret the image as a disk.
  39. G

    Forensics Project

    I'd try to find something that you personally find intriguing. I recently found a "new" way of concealing data that was pretty nifty, so I spent a month or so finding all the permutations of how it works and documenting it. I figure if I ever do pursue a degree in forensics, I'll have a ready...
  40. G

    Steganography

    Yes. Google can help you find them.
  41. G

    Batch file

    Have you tried doing the statement? This sounds rather like a homework question.
  42. G

    Images Between Tracks

    If you have a raw image of the drive, you can carve it out using the free linux tool "foremost". It doesn't care where the files are located. It must be forensics school quiz-time, based on the kind of questions being posted today.
  43. G

    Find out when a hard drive was partitioned.

    I don't recall that any date information is saved to the drive after formatting or partitioning. Assuming the drive was not erased, if there was already data on the drive prior to formatting or partitioning, then it is possible to recover dates from that information, meaning the formatting or...
  44. G

    File Header Identification

    One place to start is filext.com The information there is minimal. I have found the best way to do it is drag files into a hex editor and examine the header and footer for each file type. Some types have a standard header and footer, like JPGs. Others only have a header and you have to guess...
  45. G

    Computer Forensic School Seekers

    Did I read that right? $17K per year for Champlain?
  46. G

    Going on 40-need opinions

    "Why do something like this to get students' hopes up, then those same students after graduating cannot get a job?" Money from those that hope to get a job. Honestly, the more I look into this field, the more I concur with AlanOne's statement about needing a large bank account to make it (or...
  47. G

    Network Question

    Typically, in a wired switched network like you describe, the traffic is kept separated from one another. Downloads taking place on one laptop would not show at all on another. This sounds very similar to the setup my wife and I use at home. The only way I even know her computer is on the same...
  48. G

    Management of Information Systems

    I'm considering going more towards a general network security type position as well. This is more appealing anyway, since most of my recent education was focused on networks (though I have years of experience in the guts of PCs). I still intend to pursue the CCE, and keep studying on my own...
  49. G

    Evidence Question

    Also, the rules for what can be admitted as evidence are supposed to be stricter in criminal court than in civil.
  50. G

    Benefits of command line in forensics tools

    Yes, we could give a better answer than someone who has never used the tools. However, your teacher is not looking for our answer or our experiences. If you are taking the class, then this information should have already been provided to you. Perhaps you should find a different field of study...