Search results

  1. P

    Recovering Data From Formated Hard Drive

    Hi Danna, Perhaps a bit late, but be sure not to recover to the same drive you are recovering from. Although this seems logical I have seen many go from bad to worse here ;) Cheers, Chris
  2. P

    Helix with network server containing 3 SCSI drives

    Hi Peter, It all depends on the error message you got. Perhaps the raid controller was not recognized by Helix, and hence not able to access the logical volume. Check the error log for raid array type of errors. You can replay the boot messages with the "dmesg" command. And with what tool...
  3. P

    Unauthorised use of memory sticks & external hard-drive

    Hi PublicAye, If you create(d) a forensic image of the system you might be able to deduct something from timestamp information. As mentioned before, check the creation date of the USB registry key to focus on a specific period. Then look at access timestamps of files touched near/after that...
  4. P

    Email inside pcap file

    Hi Elisa, Have a look at Dug Songs dsniff toolset, it includes mailsnarf: http : / / I think it might just be what you are looking for ;) Cheers, Chris
  5. P

    Wireless Access Point defense

    Hi Rk, What do you mean when you say "hacking the wireless network"?? - merely sniffing the (radio) traffic - cracking the WEP/WPA keys - hacking into the AP itself Chris
  6. P

    Cyber Crime Investigator

    Hi RK, Welcome to the forum ! You will find many good posts on this forum, some with suggestions on how to deal with a certain technical problem, some with tips related to digital forensics in general. Although some hesitation exists to discuss case related info, since this is a public forum...
  7. P


    Hi Clark, What we have actually done once is export all the documents onto a disk and add that disk to a machine with Google Desktop installed, to provide indexed search. Keep the machine offline though!! you never know what Google phones home ;) Cheers, Chris
  8. P

    Wireless Access Point defense

    Hi Cam, As mentioned before, you would want to look for digital traces supporting the suspects claim. - Was the computer hacked into? - Where any viruses active on the computer? - What was the security level of the computer (firewall/antivirus/patches). Someone else could have used the...
  9. P

    Helix and Vista

    Hi Peter, You could also try another bootable, like Knoppix, to see if it does find the hardware. Do keep in mind that some bootable distro's mount drives writeable at boot. Chris
  10. P

    Helix DD and Deleted files

    Hi Jim, If you use DD to copy the entire drive, deleted files, slack and freespace are all in the image. The syntax would be something like this: dd if=/dev/hda bs=512 conv=noerror,sync of=/mnt/dest/hda.img where IF is the source drive, hence /dev/<devicename> Mount a destination drive to...
  11. P

    DD image

    Good thing about DD is that most operating systems have a version running, often with a default installation (not Windows though, although there is a port). Furthermore most carving tools really like dd-style (raw) images. Foremost, Scalpel, dd is preferred. DD raw images are mostly also...
  12. P

    Internet Activity browsing (chat etc) on a VM image

    Hi Pathfinder, Unless you had a network wiretap running you would not be able to know what sites where visited from the other computer (from within a VMWare). If you have access to that host machine you could image the VMware host. The VMware image file is read by FTK imager. Keep in mind that...
  13. P


    Hi Clark, We've used Paraben's tool succesfully in a groupwise environment (6.5). Just point to the database folder, select the groupwise files (see documentation) and import. This CAN take quite some time. When fnished, we've exported the mailboxes in .PST format and imported them in FTK to...
  14. P

    Previous - can I still work in forensics?

    Hi Heavenly, How much do you want this? Depending on your past and motivation my guess is it should not pose a problem. Working in any field requires dedication (and skill ;) ). Chris
  15. P

    Roaming Profiles

    Also keep in mind that optionally the profile can be deleted on log of. If the user is only using one workstation and profiles are not deleted at log of, it is probable the local profile matches the network profile (unless a network error prevented the synchronisation). Also, if the user logs...
  16. P

    Open Source and free EnCase like tools?

    Hi Fantr, Have a look at Helix, it's a bootable linux distribution with sleuthkit/Autopsy included. It will take some time to get started if not familiar with Linux, but free and versatile. FTK has a 5000 items demo-mode. You can not investigate a full installation of most any operating...
  17. P

    Accessing e-mail account

    Hi Azurite, Are you LE or otherwise engaged in lawful investigative work? If not, keep in mind that in many countries what you suppose to do is considered an illegal act, often considered computer crime. Chris
  18. P

    Vista Defrag

    That, I guess, would depend on several variables... first, does the suspect know beforehand his computer will be seized? did he purposely activate the defrag or, as in Vista, did it start automatically? Did the suspect defrag the drive on a regular basis as part of regular maintenance, or just...
  19. P

    Looking for some advice

    Hi Tripsoright, Check the forum, your question is one asked on many occasion. My advice, any university degree is plus, computer and law related even better. A sound interest for computing and technology. And last, but certainly not least, good problem solving skills, creativity and...
  20. P

    Vista Defrag

    Hi Sleepy, Yes, this is true: w w w h t t p :// Not talking about how frequent this will actually happen, from a forensics perspective defragmentation is not considered a...
  21. P

    Recovering Evidence - Firefox

    I'd say regardless what management goals are (sanction/press charges), rethink your own position on doing the investigation: First of, forensic IT investigation should be about objective and impartial fact-finding. Sure management might have an agenda, but don't allow them to use you as the man...
  22. P

    Mac vs Windows: What past file records/history are left?

    Hi Tuckngo, Not sure for Apple, but on a Windows platform various variables should be considered, to name but a few: - Which filesystem is in use? - What version of Office is used? - Where was the document opened from (CD/disk/network)? - How long ago did this occur? So for Apple you could...
  23. P

    New Laws that will hurt Computer Forensics

    Here's another good reaction to this proposal from Richard Bejtlich: h t t p :// Chris
  24. P

    Temporary Internet Files

    Also check the Internet History and do a timeline analysis on it to see if it is possible the page was requested as part of "normal" internet surf behaviour (google search --> clicking on link in results, etc). Another option is to execute a virus scan on the image. Secondly verify if a...
  25. P

    How to prove that I did send an email?

    Again, the fact that it is in the Sent Items does not prove any form of receipt. Also, it could be argued that it was never sent, depending on the network/e-mail setup, for reasons already mentioned. logs of SMTP servers might be helpful, if available. They might also have information on if...
  26. P

    Capture Volatile Data

    Probably you are referring to the Helix incident response CD. Keep in mind that WinXP SP2 (might even be SP1, not sure right now) does not allow DD to access the RAM. Also have a look at this post: h t t p :// *** Note: There is a link...
  27. P

    Deleted file recovery program...

    Hi FatShadow, have a look at h t t p: //, and especially the archives. Also have a look at Foremost, insight into the working of this (open-source) tool will certainly be insightful. Regards, chris
  28. P

    Mounting with Knoppix

    Hi Wade, When boating linux, first make sure the SCSI array controller is recognized/loaded. If it's not, you'll never see the disk. Chris
  29. P

    Recovery Following Re-Format

    Hi Argol, The GetDataBack tool cybercop mentions has helped many of my friends unable or unwilling to hire professionals. Often it is a cost issue. Get a new drive, use it to install windows. Install GetDatBack (you can do a trial run to see if it finds any files) w w
  30. P

    USB Devices...

    Hi Fuzed, Check out Harlan Carvey's latest book on windows Forensics. It's got a great chapter on registry, including USB keys, it is quite extensive. Chris
  31. P


    Hi Argol, I, and undoubtedly many here, would consider your question as posted dubious to say the least. Keep in mind that destroying evidence in the face of prosecution will be considered as obstruction of justice in some countries (and will add to the weight of punishment). If your friend...
  32. P

    Retrieval length

    Hi User14, Dennis' remark is definitely valid, proceed with some caution. On the technical side, I would rate chances to be fairly low, considering your statement regarding usage and defragmentation activity. However, one can only be sure when one looks. some variables that influence your...
  33. P

    can i retrieve a viewed document on my computer

    Hi Turbo, The method described could help you, however you are looking at text fragments, carving for the file might give other/better results. First I would create the image. You are using the OS that you are going to image, so actually you are doing what "we" call a live acquisition. From...
  34. P

    can i retrieve a viewed document on my computer

    Hi Turbo, When you open a document from within Internet Explorer a copy of that document finds it's way into the temporary Internet file file structure. Regarding the chances of the document being recoverable, there are many variables here: Which filesystem is on the harddisk? How large is...
  35. P

    Recommend me an external hard disk?

    Hi Lem, LaCie has nice 2/5 inch disks in small casings. Nice also for travel purposes, similar to yoda's suggestion. Chris
  36. P

    Scratched DVD

    On the copy suggestion, use a tool to create an ISO, like Undisker. Ripping it can take some time, since it might want to re-read some tracks numerous times, but I too have had cases were the resultant copy did work.
  37. P

    social networking site cases

    Hi MSc, Have a look at this list: For a long list of social networking sites. And check-out this link for some of the examples you are looking for: (Google is your...
  38. P

    Deletion date

    Hi BlueDragon, The INFO2 file stores the original files' paths and file names, and deletion times. These are recycle bin records though. Cheers, Chris
  39. P

    Deletion date

    Hi BlueDragon, NTFS does NOT keep deletion timestamps for files or directories. However, Brian Carrier has seen some cases where last access times were change upon deletion of a file, but no pattern could be established. Same for the modification timestamp of the directory the file was in...
  40. P

    Deletion date

    Hi Blue Dragon, What file system are we talking about? Because a fair number file systems do not keep track of deletion time through timestamps. Also, are you referring to the timestamp of the file or the timestamp of the file-entry in a MFT/Inode kind of structure? A clear case of "need more...
  41. P

    Trying to create a working checklist

    Hi Sigerson, There are many, many publications and books on this. Have look for example at this one: w w DoJ guide, bit outdated perhaps, but in some respects still worth reading. Also a nice book is: Incident Response & Computer Forensics, by Mandia...
  42. P

    Restoring a DD Raw Image

    Re: restoring DD image <r><QUOTE author="cfprof"><s> </e></QUOTE> I am not so sure about restoring the image to a larger drive. Sure, for investigative purposes, but not evidence exchange. How can you verify that the restored image is representative for the actual image? Maybe I am...
  43. P

    Restoring a DD Raw Image

    Re: restoring DD image <r><QUOTE author="cfprof"><s> </e></QUOTE> One could argue this. <br/> <br/> True, they might not be good forensics analysts. But if you did not use commonly accepted techniques to handle your evidence. Or if you did not provide adequate documentation on how YOU handled...
  44. P

    Restoring a DD Raw Image

    Hi Rodriguez, I am familiar with HPA's, but would refrain from using such a labourfull and error prone task to obtain the same hash. Haven't tried this technique myself, so not sure how well this works. We sometimes boot an image (copy) and then verify those findings in the forensic image...
  45. P

    Restoring a DD Raw Image

    Hi Rodriguez239, I understand the fact that you want the copy to have the same hash as the source. But, unless you have a drive with the same specs (size/sector count), when restoring your destination will produce another hash then the source. If, however, you load the DD image in any forensic...
  46. P

    Solo III Forensics transfer rate?

    Hi Schneidude, I am not familiar with the Solo III, but we use Logicube's Talon. It can achieve speeds of about 2 - 2.4 Gb/m with MD5 and verification. One issue when we image multiple drives onto one drive, the destination drive tends to get fairly hot. speeds then do drop. Chris
  47. P

    Restoring a DD Raw Image

    Hi Rodriguez, dd is free ;) And why would you want the destination drive to have the exact hash value? Chris
  48. P

    Just a couple of questions.

    Hi Almo, One of the most important requirements is to love what you do, so you are on the right track there ;) Furthermore, CF is a multi-discipline field, so I would be hesitant to only go with a CF program. Let me give you some insight in my career so far: Computer helpdesk work for one...
  49. P

    E-Mail source

    Hi M, Keep in mind that some providers do not add the IP address of the client, Gmail is one of them. Hotmail for example does add it via the X-header items. These are added as an anti-spam measure. In some cases the IP address will lead you to a proxy or a webmail client, so be carefull...
  50. P

    FTK IMager Lite - is it freeware?

    Hi, I got a reply from AccessData on this. FTK Imager (and -Lite) are free to use, full functionality. The pricing is provided for product SKU pricing purposes. Chris

About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.

Quick Navigation

User Menu