Search results

  1. Hello all

    Since you are LE, may I suggest that you go to the IACIS training that is in Orlando every year? I believe they have their annual one coming up soon ( If you are new to forensics, this will give you a good core understanding of forensic methodology etc. - it is not vendor...
  2.

    Sounds like a homework assignment :) If you want to be more specific in your question, I'm sure you could get some better answers.
  3. Any MD5 list for HDD wiping software?

    That would be useful only if the suspect did not uninstall the software from the HD after use. Better criteria would be to search registry and other locations for hints of a wipe software being installed and/or used. To answer your question though, I have not seen one.... but then again I have...
  4. notepad hidden message

    Hi: Welcome. What makes you think it's encrypted? What makes you think there are two messages in it? Are you seeing them in hex or plain text? Can you give us some more information? Thanx -Art-
  5.

    I'm not understanding what you are looking for. - Where are you located? - Why the two month wait? - Are you concerned that the virus recorded your keystrokes 2 months ago or is continuing to record it right now still? - Do you still have the virus on your computer? Why hasn't it been removed...
  6. Starting out Advice?

    IMHO - training is expensive and getting a job in CF is hard too. Stick with the company you are working with and see if they can train and move you into the forensic component of their business - assuming they have one. Good luck! Art
  7. Finding real domain name owner

    That depends on many factors IMHO. 1. Did the registrant pay via a "gift" visa card - like the one you get from Walmart? 2. Did they pay via PayPal or some other pay service? 3. Did they register in a different country? ...and many more like that.... Assuming you are law enforcement, you...
  8. someone is meddling with my hard drive

    Evil Maid requires physical access to your computer to put the code in to run at boot so it can capture your encrypted drive password. If you restrict physical access to your computer and do what Cybercop said, you should be fine. You are only as strong as your weakest link - there may be...
  9. Investigating if Source Code File dates have been modified

    To check and see if system dates were changed, you are going to need his computer. I believe that still depends on whether that event code is captured and is still available to you. If you get his system imaged, you could see if you can find any link files to the script - but that would not...
  10. MAC Address Resolution

    I guess the machine_name information would depend on what your firewall is tracking. (not much of an IDS/IPS person) Can you analyze the other packets from the same MAC and see what else your user is up to? Maybe you can find a pattern or a website/url that could help you narrow down who it...
  11. GREP Proximity Search w/ wildcard operator

    Not much of an EnCase power user, but try this website and see if it helps. It is my understanding that grep expressions are standard.... (but then again I could be mistaken) http://www.regular-expressions.info/
  12. GREP Proximity Search w/ wildcard operator

    Does this help? http://www.
  13. States that I know of requiring PI licensing

    Mindy: I think your list is old or incomplete. In 2008, Michigan passed a law making it a felony to do CF work without a PI license. -=Art=-
  14. Computer Forensics Examiner position in GCC?

    Are you planning on leaving the Feds? Why those countries? (just curious :D ) Why can't you get a posting thru the Feds there, there are many positions in media exploitation where the Feds send their examiners overseas. You may want to explore those opportunities - will keep you with the Fed...
  15. Total Beginner

    Agreed. At the risk of sounding rude (and please believe me I am not....) The CF field is not the IT field of the 1990s when everyone decided to take a few classes and get their MCSE en-masse and become IT folks - nor should it be taken as such. The CF field may seem cool, but it requires a...
  16. System Software/Hardware/Files Inventory Tool??

    Look at SIW by Gabriel Topala. Works really well IMHO. -=Art=-
  17. So you want to be a Computer Forensics Expert

    :) Cybercop. I didn't mean to imply that you wrote it. It was an interesting article in general. It would have been nice if the author had done more research into it, especially for those trying to get into the field. Thanks for posting it though. Be safe. -=A=-
  18. So you want to be a Computer Forensics Expert

    Nice, but could have done some more research and put more details into it. Example - Only mentions EnCase - Calls it a LE software - Mentions Evidor, by X-Ways but doesn't mention X-Ways Forensics which is fast becoming a software to reckon with. - According to the X-Ways site, Evidor is no...
  19. Need help cleaning up audio message to find missing man

    Hi Mark: Not to speak for PreferredUser, but I think what he is trying to say is HOW was the message recorded by YPD? - Did they access the vmx thru a phone and have a recorder close to the speaker? - Was it exported from a system directly in wav? Regardless... Being that the son is 26, it's...
  20. Interview for school paper

    Michael: If you have not gotten any responses yet... may I suggest you find someone local - someone with the local PD or Sheriff's Dept or even the state forensic guys. They will have interesting stories and will also give you the local angle. Good luck! -=Art=-
  21. Exchange Rules

    Not a big Exchange person, but if I recall.... Exchange stores deleted messages for 30 days before they are dumped. I *THINK* you can use Exmerge to get those messages. Have you tried that? Are there backups you can look at? Can you image the drive and search unallocated space for remnants...
  22. How would you solve this case?

    Ah ok.... I see where you are coming from. If the local PD lacks the knowledge or experience, they will (like they have) get help from their State counterparts generally. Most Agencies do not take it lightly when a minor is involved. I know it is tough to feel helpless esp as the Father of...
  23. How would you solve this case?

    Are you law enforcement or working on behalf of the Defendant? If you are LE, your subpoena power will get you more information from those companies than if you are not. However, like others have said on this post - you will not get the "smoking gun" - you will get information to aid you in...
  24. Remote computer takeover

    Thanx :) Thought I missed something ;) I agree with Cybercop. The remote user can do just about anything on the target PC, depending on the software installed and the privileges given to the remote user. Some software by default gives the remote user full control automatically. Other...
  25. Remote computer takeover

    What's a VICO 20?
  26. Who can issue the Preservation Request to ISPs?

    I'm assuming each ISP will be different on what they will accept - either a formal letter from your attorney or a court order. I am pretty sure they will *NOT* accept anything from you as a Plaintiff or Defendant. The location of the ISP and the jurisdiction your attorney/court may have could...
  27. WTF!!! This is why we should not be lumped in with PI's

    Too many "impressive" words in many sentences... "...Our expert team of professional computer forensic investigators...." "...We can also provide important evidence by strategically evaluating the digital trail left by the subject..." Clicking their Cell Phone Forensics link takes you to a...
  28. Bernoulli Disk recovery

    You did ask if anyone had heard of them.... Anyways... from Iomega's FAQ site: http://www. Of course, BillWatson has offered his services too. Good luck :) -=A=-
  29. Bernoulli Disk recovery

    You mean like these??? Google is your friend :D http://en.wikipedia.org/wiki/Iomega_Bernoulli_Box
  30. May be an odd question, but...

    Owen: Welcome to the field. Fasten your seatbelt - this may turn out to be one helluva ride for you :) Computer Forensic work is *never* performed on actual media except in very few exceptional circumstances. The majority of the time, we will remove hard drives from the computer; connect...
  31. legal issue of forensic analysis of a hard drive

    Not really sure what a forensic examiner can do for you if you do not have the suspect's machine. In the US, we can only get ISP logs etc after court orders. Get a hold of your local police in India and see what they recommend.
  32. Virus deletion/ Evidence integrity

    As Binarybod said... you can't make ANY change to a drive without affecting the hash. You could: - image drive - clean virus - image drive again You would then have a before and after of the same drive - you would also have a clean HD, but it is not a forensic copy or image of the original...
  33. I'm being cyberstalked. Can anybody help me?

    I still think you need to continue to contact your local Law Enforcement Agency (assuming you are in the US - coz I am not sure of the SOPs of Agencies in other countries) and give them hard evidence of what is happening every time it happens. I don't see why they won't at least take an...
  34. I'm being cyberstalked. Can anybody help me?

    How old are you? If you are under 18 either the Bureau or the local law enforcement agency should/will take an interest in your case. Regardless, I would try to contact the local agency again and talk to someone in Investigations or Cyber Crimes (if you live in a big city). Have all your...
  35. Micro SD Card Issue? Suggestions

    Couple of thoughts... Do you have the phone with you or a similar phone and can you test it yourself? - Wipe an SD card and take some photos with it. - Delete a few of them - Analyze it (since you say the phone was not used after deletion) **If you don't have the phone, can you clone (after...
  36. Need utility to search scanned PDF files

    I agree. If it was scanned in with optical character recognition and then turned into a PDF, you may be able to search it. However if it was scanned as an image, as Preferred said, then you are SOL. The Office docs, HTML files may be searchable. The scanned documents will depend on the...
  37. EC-council CHFI certification

    Hey Laura: Your questions have been answered on the other website forum you also posted to. In case you have not been there yet - you may want to see what the respondents have to say :) -=A=-
  38. Computer Forensics and Terrorism

    I believe you mean satellite (not cell) phone - but yes you are correct - Mobile Forensics in general. Similar case with the Mumbai, India attacks from a year ago - Thanksgiving time - I read someplace that satellite phones were heavily used and forensic work done on them helped that case a lot.
  39. Files associated with particular sectors (data recovery)

    Try to make another image but this time change as many factors as you can: - different forensic imaging computer - different write blocker - different imaging software maybe? - different connection into your forensic machine. Have you tried Linux to image? It is more forgiving than a...
  40. Some Questions

    Hi Not to skirt your questions... but... If you believe this will end up in litigation - you should get someone properly trained to do it. If you mess it up - you could/would lose your case. You should consult your company's legal team for their opinion before you delve into this. I get the...
  41. Some Questions

    Hmmm.... are the two questions related? If so, you may be confusing yourself. 1. FTK Imager will create a forensic image for you. It can create a DD or an E01 (or Smart) image, but you will need software to view and analyze those images. Ghost does not *natively by default* create forensic...
  42. File on CD linked to original computer

    :) be nice (j/kidding) - obviously this is his first post to the list and it is very possible he is not a forensic examiner - but rather patrol or a D. Maybe he has days off... ;) @OHIOCOP: Like Preferred said, we need more information. Version of Word, OS of the laptop, do you have...
  43. Windows Vista last accessed times

    Yes, you are correct. When the last accessed time is disabled in a Vista OS, the OS will put the file CREATED date/time in that slot. See if THIS LINK will help you. -=ART=- [Edited by Admin: no direct links please. See other posts.]
  44. Event For Closing the Laptop lid

    That depends on what the ADVANCED settings in the POWER control panel window are set to. The choices (on mine at least) are: - Do Nothing - Standby You would have to look for the Event Code for STANDBY, but I don't know if there is a way to tell the difference between a LID SHUT Standby and a...
  45. Remote or virus affecting workstation

    I'm assuming that the AV scanning program found a virus on the workstation and reported it to the mother ship (server). If no other workstations reported infection, then I would not even waste my time with them. There has to be a reason for them to waste time on other machines. CAN they...
  46.

    I think that depends on what program was used to FTP it. Does the program log such stuff AND was it turned on and working? You should do some testing on it if you know what program is on that computer. Is this in reference to your CP case that you are defending? You posted something similar...
  47. Safeguard Easy - Removal of encryption

    Never used Safeguard, but COULD you try this: - Forensically wipe a hard drive that is the same size or greater than the evidence drive. - Create a forensic clone from the evidence drive to the new drive (this will now give you a forensic copy of the evidence drive). - Decrypt the NEW drive using...
  48. URGENT Trying to prove an e-mail never existed in my account

    If it was faxed to them, somewhere there is an electronic version (probably with the receiver). They should be able to produce another printed copy with full headers. Without that, I would contend that it is weak evidence at best - anyone can create a printed version of the email with fake...
  49. URGENT Trying to prove an e-mail never existed in my account

    Here's a thought: If they have the electronic version of it, have them print it out with LONG HEADERS shown (different from the headers you see normally). Then use the header information to figure out what the originating IP address is and what the ISP is. If you don't use that ISP, then you...
  50. CF Recommended Imaging Hardware?

    WestonMachine: Check out the Tableau SATA/IDE combo write blocker. There are others of course... but we have a few of these and they work great. Good luck! -=ART=-
