Search results

  1. D

    Software for detecting pornography

    I haven't seen skin detection software that is reliable enough to use in my work flow... you still have to look at every file to find false hits and find what was missed. There are just too many variables for it to be effective. DL
  2. D

    forensic image analysis

    I would also look at MATLAB, from MathWorks. They have a dedicated module for Image and Video Processing. DL
  3. D

    Student in need of a professional interview...

    You might read this too. It really is pretty accurate on what the life of a Forensic Computer Examiner/Analyst is like. http : // johnjustinirvine .com/ post/ 339744451 DL
  4. D

    What Hashing Algorithm is being used today?

    You might try reading this. http : // www .
  5. D

    X-Ways, FTK, EnCase, WinFE, or Live Distros

    I encourage people to start with FTK demo version. It will only process 5000 file items. They can process most camera media cards, thumb drives and other removable memory. It will give you a good base for understanding for how these tools work. DL
  6. D

    email header

    Oh, look, in the example the first, second and third IP Address are all the same, and fourth and fifth. DL
  7. D

    encase and net history

    It should be pretty obvious. The creation date of the index.dat should be prior to the modified date, and prior to or equal to the oldest internal dates in the index.dat records. When the index.dat is copied to a second computer the creation date will be after the modified date. From the...
  8. D

    email header

    Read the header from the bottom up to find the source IP. - Geo Information IP Address Host Location US, United States City Phoenix, AZ 85028 Organization Tech Solutions ISP Tech Solutions AS Number AS3257 Tinet SpA Latitude...
  9. D

    Hash Device drive or external/removable device

    Can you use prodiscover to "load/mount" the .eve image to perform an examination? When it is loaded/mounted in prodiscover will prodiscover let you verify or hash the image? Is the .eve a logical image or a physical image? DL
  10. D

    Hash Device drive or external/removable device

    Are you mounting your image file before you hash it? DL
  11. D

    Hash Device drive or external/removable device

    Unless we misunderstood the question, you should probably get your tuition money back because your professor is wrong too. Here are the test results that I conducted prior to my earlier post, I used ACESLE XP WriteBlocker, and FTK Imager, as was suggested in an earlier post. Write blocker on ...
  12. D

    Hash Device drive or external/removable device

    If a write blocker is in place, and working properly, the values should be the same between the hash of the device and the hash of the image file. Make sure you are hashing and imaging the same drive partition in both the device and the image, physical or logical. You should be using physical...
  13. D

    MD5 Collision Attacks

    Hash Value Collisions http : // www . articles.asp?pid=238 Note: Since I wrote this the collision search for SHA-1 using the distributed computing platform BOINC, which began August 8, 2007, organized by the Graz University of Technology. The effort was abandoned May 12, 2009...
  14. D

    File structure listed in FTK report

    Isn't sguy.INFERNO consistent with a domain username? I would need to see more information regarding the structure of the file system and evidence file data to make any judgement on the Orion v. Inferno question. Also you don't indicate which version of FTK was used to create the report. DL
  15. D

    is citizenship a major issue for a forensic investigator?

    I'd say that it really depends on the agency you are going to work for. Not having citizenship will limit your options. DL
  16. D

    NW3C "Stop Training"

    They are offering an update class for their TUX4N6 program, if you have been to STOP you should get an invite. DL
  17. D

    Retriever 2.0

    NW3C has a class named STOP (Secure Techniques for Online Preview) which utilizes Helix to do exactly what you are suggesting. It works pretty well. DL
  18. D

    How to get Court Presidence on Forensic Software?

    I have been a beta tester for several forensic products including FTK, and would be willing to test your software. email me at dthstker @ yahoo and I'll provide you more information and try to help if I can. DL
  19. D

    Forensic Lab and Analysis Equipment

    It is a broad question. I would like to know more about your business to provide a more targeted answer. I have a law enforcement lab. We had three examiners when it was set up. We are running an air gapped 1gb speed network for examinations. Our server, image storage machine, has two -...
  20. D

    Merchant Payment Card Breaches.

    I am in local law enforcement and have worked several POS exploitation cases over the past year. The cases our jurisdiction has had have been quite simple in the method used to exploit the systems. The POS terminal gets a software keylogger installed through a breach of the system. The...
  21. D

    Windows 7 Analysis

    It runs Windows XP in a Virtual PC session. In my testing I have had some minor issues with hardware limitations. The Dell laptop has too good of a video display, which won't downsize to 600x800, no playing an early version of command and conquer. I could probably tweak it but didn't need to...
  22. D

    Windows 7 Analysis

    There are some slight differences and new features for instance, XP Mode Virtualization, and portable bitlocker. DL
  23. D

    Smart Phones treated like computers?

    Short answer, yep. DL
  24. D

    getting started.. trouble using ftk imager / dd for dc3

    AccessData still has a demo version of FTK 1.81. Just remember there is a 5000 file object limitation, so it may not be able to show you much. DL
  25. D

    Date jpg was created

    If the .jpg is exif you should have a date stamp in the metadata. Irfanview will display it in the information from the menu. DL
  26. D

    EnCase vs. FTK

    I voted "other". I use both. They each have their strengths and limitations. I also have X-Ways Forensic, and used ILook when it was available. I have about 40 additional utilities some free some low cost. It is nice to have enough tools to validate what you are finding with your "main"...
  27. D

    File Recovery

    You can't open a low resolution image and recover a high resolution image. You can only down sample the image.
  28. D

    Cases where u might break outer boxes for examination

    I have had a couple of cases with MyBooks, and have discovered they can be opened with a little brute force. On the spine side of the MyBook in the radial corner on each end is a pretty hefty plastic retainer clip. Apply some force using a flat blade screwdriver, and they can be popped open...
  29. D

    Virtual memory

    Sudha, Registry Viewer comes with "Summary Reports" one is SAM, which parses that data nicely. DL
  30. D

    how to retrieve SMS messages from samsung i900 omnia

    A write blocker may prohibit access to the phone when using Device Seizure, which is a "forensically safe tool". Can you post more information about your phone such as service provider, communication protocol (GSM or CDMA, GSM uses a SIM Card). When was the phone last turned on? Do you...
  31. D

    FTK, index search help required

    FTK 1.X allows for post case processing. Try from the menu Tools > Analysis Tools > Full Text Indexing. DL
  32. D

    Computer Forensics Master's Degree

    I thought the University of Central Florida had a Masters in Digital Evidence/Computer Forensics. DL
  33. D

    imaging issues

    You may have an incompatible IDE adapter try a different one. I have previously encountered this on some older drives. Don L.
  34. D

    RAID imaging

    The Live Side of the Helix disc will let you DD a logical image of the RAID using FTK Imager. DL
  35. D

    CCE with no experience?

    If you are familiar with data recovery, one or more of the forensic suites, and some of the suggested reading material, you might be ok to try. I would also encourage you to attempt their sample exams to evaluate areas you may need to concentrate in. isfce. com/sample-test. htm Don L.
  36. D

    MAC Forensics

    Blackbag Technologies is also another group who are well respected in this area of forensics. blackbagtech. com/products/training. htm Don L.
  37. D

    Imaging photocopier Hard drives

    I don't think imaging would be significantly different from any other hard drive. Data Interpretation could be a whole different story though. Don L.
  38. D

    Student Research Paper: Use of Mobile Phones in Crime

    2005 == 5 cell phones examined 2006 == 26 cell phones examined 2007 == 79 cell phones examined 2008 == 149 cell phones examined 3/2/2009 1445 hours waiting to testify on a cell phone examination.
  39. D

    Online identity theft

    Google "Trace IP" Don L.
  40. D


    Check with the University of Central Florida, they have a pretty well known program. They also host the National Center for Forensic Science. Don L.
  41. D

    Dead Phone Recovery?

    That phone is a GSM (has a SIM card). Bitpim only supports CDMA phones. You might try Data Pilot, check their site for supported phones. www . susteen. com Don L.
  42. D

    Q: Computer forensic software

    x-ways/winhex forensics, http: // www . x-ways. net/ There is also a lot of custom made software from the Netherlands. Don L.
  43. D

    fdisk on a Windows image

    Here is a list, does it help? Type Codes which represent some Filesystems 01 DOS 12-bit fat 02 XENIX root 03 XENIX /usr 04 DOS 3.0+ 16-bit FAT (up to 32M) 05 DOS 3.3+ Extended Partition 06 DOS 3.31+ 16-bit FAT (over 32M) 07 OS/2 IFS (e.g., HPFS) 07 Advanced Unix 07 Windows NT NTFS 07...
  44. D

    Mapping cell phone via sim cards.

    Actually a SIM Card can contain location information for the last cell tower connection. It is incumbent on the provider to write this entry to the SIM Card. LOCI = 'LOC'ation 'I'nformation It is EF LOCI in the SIM File System. www . wrankl. de/SCH /SIM. pdf Try this document and use the...
  45. D

    Helix 3 Install from ISO

    When you burn the disc, slow the burn speed down. Don L.
  46. D

    Recovering Messenger Conversations

    I have had good results recovering conversations using text string searches in EnCase on MacBooks running OSX. Search on the user names. Don L.
  47. D

    Time stamps

    So some of the registry keys, dates and times, etc., were not written, which occurs when you perform a normal shutdown. Don L.
  48. D

    Analysis of a CD

    CD/DVD inspector will allow you to retry when it hits errors, or skip errors. It will also generate a report listing all the errors. Don L.
  49. D


    I agree, I have seen enough images with similar color and tone to expect a rather high false positive rate. To charge and testify to the results I'd visually verify all the images. Don L.
