Search results

  1.

    Need Help Basic Forensic Questions

    The answer to most of these questions is completely file system specific and even then probably depends on the manner and in which the file was deleted and the application used to do so. I would give different answers to these questions depending if the file system was HFS(+), Ext(2, 3 or 4)...
  2.

    Incompatible dates and times

    OK, I thought in your OP that you were probably referring to files in the IE cache and looking at the main history and trying to tie the two in. I now take it that you are looking at main history index.dat records that refer to URLs like 'file:\\{somefile}'. In my experience these are much...
  3.

    Incompatible dates and times

    There isn't really enough information here. How far out are the time stamps? Do you have an example? Which Index.dat file are you examining? There are 5 types (Main, Weekly, Daily, Cache and Cookie). Each record in the index.dat files mentioned has at least four embedded time stamps and they...
  4.

    Cloning question

    You can also set up an HPA if you have older drives. HPA was introduced with the ATA-4 standard whilst DCO was introduced with the ATA-6 standard. Paul
  5.

    How to take image of Win XP/7 using open source tools

    If you want '.E01' files then ewfacquire which is part of the libewf suite (look on sourceforge for libewf). Will work in both *nix and Windows. It's not open source but it is free: AccessData FTK Imager (not to be confused with FTK) which you can get from the AccessData downloads page. HTH Paul
  6.

    Forensic tools

    If you are looking for forensic tools, the list to be found here is hard to beat: http : // www /page11 /page11.html (hint remove the spaces as CFW don't like direct links [which is pretty annoying, mod to note]) Moderator Note: The purpose of not allowing direct links is to...
  7.

    Forensic examination of a Linux machine

    Listing the similarities is probably a shorter list. Your question is far too open-ended - would you like to pin down what you want to know a bit more? Paul
  8.

    Apart from the academic journals there's: http :// www .digitalforensicsmagazine .com/ Paul
  9.

    need help with computer forensics

    Truecrypt: http : // www .truecrypt . org/ downloads (remove the spaces) Paul
  10.

    Software for detecting pornography

    The problem with scanning software is striking the right balance between false positives/false negatives. We use C4All: http : // www .c4all .ca/ It's free and you can set up a database to reflect whatever categories you like. It is surprising how quickly you can build up a core database of...
  11.

    Computer Forensics vs. Security

    shawnboy, I see no-one has answered your question so I'll have a go... I can't speak for the security industry but in the UK, computer forensics is really, really difficult to break in to at the moment. There are opportunities but they are few and far between and it seems there is a legion of...
  12.

    ! Computer Forensics, A day in the life?

    In an adversarial legal system, giving evidence in chief is easy but being cross examined never is, particularly when you are a key witness and the opposing side can make you look stupid/unprofessional thus giving them a chance to get the jury to discount your evidence. Having the in-depth...
  13.

    webmail forensics

    Have a look at Internet Evidence Finder: http : // www . jadsoftware .com / go / ?page_id=141 I don't know how it performs on Linux images but many of the artefacts are the same whatever the OS Paul
  14.

    A little advice please

    Firstly I should declare an interest as I am a tutor on M889 so you can factor in any perceived bias :wink: M889 is really only an introduction to computer forensics and it won't qualify you to work in this field. If you are a system administrator then it is ideal as an introduction to the...
  15.

    grep expressions

    I have this printed out on my desk for just such occasions. http : // www .addedbytes .com /cheat-sheets/regular-expressions-cheat-sheet/
  16.

    need help with some guidelines.....

    @daryl_c I don't know if you've read any other posts on this forum but I think you'll find there is an aversion to answering posts like yours that ask 'Please can you do my homework for me?' For my part, I do some part time lecturing at the Open University in the UK. If I saw a student of mine...
  17.

    firefox history

    I don't want to seem condescending but can't you test this really quickly for yourself. You could probably test that more quickly than writing the question. Paul
  18.

    Windows Registry Switch interpretation

    To virtualize the device from an .E01 file (or files) using free tools: You can either mount the device using (http :// /projects /libewf /files/) or in Windows, using FTK imager (version 3 and above). Qemu or VirtualBox OSE will do the rest. Paul
  19.

    HELP : Rookie Queries

    1) Balancing the need to eliminate false positive search hits whilst maximising the number of true positive hits is the art of the forensic analyst. You have to think long and hard about the search terms you use - it saves effort and hours of boring work later on. 2) Don't bother too much...
  20.

    MAC Forensics

    /Volumes is the default mount point parent directory. Paul
  21.

    Question about file recovery from unallocated clusters

    It really depends on the file system. All file systems have an indexing system of some sort or other and a means of retaining metadata about the files (location on disk, dates, file name etc). The reason a file ends up in unallocated clusters is because the file system has lost track of the...
  22.

    hard drive recovery

    It sounds to me like the partition table or the volume boot is corrupt. This is a common situation for forensic analysts. Unfortunately the cheap way is not necessarily the easiest and if you don't know what you are doing you can make things even worse. With a drive that is showing signs of...
  23.

    Boot Camp/Certified courses in London UK

    The Open University excels in distance learning and has a postgraduate course in computer forensics: http : //www3 .open Paul
  24.

    Masters Thesis Ideas

    Accessing encrypted files/volumes/drives
  25.

    PST files

    In the final analysis, data is just a bunch of binary numbers; with enough knowledge the underlying data can be changed and anything can be done. It really depends what was done and how skilful the person was. Paul
  26.

    How to trace the uploader/sender in a google?

    My hobby - poking trolls with a stick to see if you can get them to chase you. :twisted:
  27.

    How to trace the uploader/sender in a google?

    What kind of value-laden statement is that? I don't think PreferredUser was comparing them, just making a statement about Yahoo policy which is the inference from the posting prior to that and with a minimal amount of information to go on too.
  28.

    AFF and E01 Command Line Tools

    For AFF images use aimage from 'http: //' , It's the native AFF acquisition tool For EnCase (ewf) imaging I tend to use ewfacquire from the libewf project at 'http: //' Paul
  29.

    Working on Bachelors now, hoping to move into this field

    phaqueue, I answered a question similar to this just the other week. Have a browse around the forum and you'll find loads of questions similar to yours. Paul
  30.

    I'm really interested in Computer Forensics. What should I do?

    Stretch, This is a really common question, look around the forum you'll find that this has been answered frequently in one form or another. Paul
  31.

    Student in need of a professional interview...

    Sure, no problem. Paul
  32.

    Student in need of a professional interview...

    I was surprised to find that the technical stuff is fairly easy because most suspects leave plenty of material all over the place. It is rare to find someone that employs anything like sophisticated anti-forensics techniques. When you do get one, it is a challenge and a great feeling to crack...
  33.

    ! Computer Forensics, A day in the life?

    Actually, £££ in my case :)
  34.

    Student in need of a professional interview...

    Where in the world are you? Paul
  35.

    ! Computer Forensics, A day in the life?

    Day 1: View really bad porn - the kind of stuff that no one wants to see [that's the bad bit], and then show how it came to be where it is on that machine [that's the fun bit]. Day 2: repeat day 1 [ad infinitum]... Day ?: Give evidence in court and know what stress really means. Day ? + 1...
  36.

    Webcam streaming video recovery

    What application was the suspect/witness using at the time? If your session is vital then I would investigate the artifacts left behind after using a VM and just by using a web-cam session in the relevant application. My experience is that by-and-large you would be lucky to find anything. Paul
  37.

    is it possible to take EnCase E01/E02 images

    OK here are some other options... I've had some success (and a few failures) using xmount from https : / / www you might want to read Mike Penhallurick's MSc Thesis available here: http : / /
  38.

    Conflicts between Computer forensics and business processes

    Do a Google search for 'Forensic Readiness' and have a look at some of the stuff that appears there. In particular have a look for a paper by Robert Rowlingson of QinetiQ. Then do a search for 'Business Continuity Planning' and some of the documentation that appears there. If you have access to...
  39.

    Hash mismatch

    This is not meant to sound facetious but it probably does; learn from the mistake. If you aren't going to be able to access the evidence later then verify the hash there and then. If it doesn't match, reacquire it. Then back up the image. Paul
  40.

    Disk Cleanup

    I have no definitive answer but surely it's fairly easy to test in a VM? Paul
  41.

    What Hashing Algorithm is being used today?

    Two files with the same MD5 hash can be easily checked with a CRC32 hash. If that is the same then it is even more improbable that the files are different. Even the lab generated collision couldn't withstand a combined MD5 and CRC32. When MD5 was created by Ronald Rivest it was in response to a...
  42.

    DriveSpy & Image

    Try caine http :// w w w. caine-live. net/ Paul
  43.

    Document meta

    Bill, It would seem that there is nothing strange going on here then... When a file is copied across partitions using Windows Explorer, the created date on the NEW copy will change to the current date/time (NTFS or FAT it doesn't matter). If other applications are used to copy the file then...
  44.

    Document meta

    Bill, In order to answer your question fully I for one, would like a bit more information: What type of file are you looking at? What exactly is the 'meta software' you mention? (so I can work out what the meta information you are looking at is) What is the file system? (NTFS, FAT, Ext3, HFS+...
  45.

    browsing record

    If it is MSIE then there are 5 types of history file: Daily, Weekly and Main history as well as the cookie and cache histories. My experience is that index.dat daily history files get deleted when the records are placed in the weekly history. A deleted daily history can be recovered in the same...
  46.

    16 and eager to learn...

    Hi, No programming language is 'essential' but you are so much better placed and much more flexible if you can write programs. From where I sit, C is good because you get a good feeling for the underlying data structures and it provides a basis for many derived languages (C++, Java, EnScript...
  47.

    DJ I agree entirely. I think this might come down to a semantic point about the definition of 'forensics' in a computing context. From my perspective forensics is about the careful collection and analysis of EVIDENCE for later production at court. A good analyst will employ elements of...
  48.

    Student Looking For Info From Pro

    DenverGuy, I'm a police officer who had a hobby in computing, here's my take on your questions: School: I went to a really basic school (taught to turn out grommets in the local factory). At 27 I joined the police. At 40 I had the classic mid-life crisis and ended up getting a degree with the...
  49.

    Re: Preferreduser I have mixed feelings about this, on one hand I think it is naive to think that knowledge of forensics will prevent attacks. My belief is that computer forensics gives you the ability to investigate attacks WHEN they happen...