Search results

  1. B

    Recover files from USB RAW partition

    Thank you. I have requested the physical SD card and I will make a dump with FTK Imager. Best!
  2. B

    Recover files from USB RAW partition

    Hi. I'll give it a try. However, it's strange that with EASEUS Data Recovery, it carves the files and finds 4 MP4 files larger than 2GB. And when I try to restore them, their size is only some Kilobytes... Thanks for your help!
  3. B

    Recover files from USB RAW partition

    Hi! I created the image with WinImage 9.0 (Download WinImage). Autopsy doesn't show absolutely anything. It's as if it was a completely blank file.
  4. B

    Recover files from USB RAW partition

    Hi all, I have an SD card with important files on it. Whenever I plug it in Windows, it comes up with this message (or something similar): "The drive cannot be used and must be formatted. Do you want to do so?" No! I have important files in there, and I want to recover them first! The drive...
  5. B

    Open TrueCrypt volume only with MasterKey

    Yes, it helped. 2 x 256 bit key = 1 512 key. That's correct. The thing is that you have to try and guess which 2 strings are the correct ones. Many thanks!
  6. B

    Open TrueCrypt volume only with MasterKey

    I think I finally got it, with example 4 of the readme: image key input4.tc output4.dd aes --aes bac01155a46547f00c3ddf9a4a765159fbe1f68d94bf11a3bd6910eedf26d867a63263c949812cd68b7dad91a8dfdacb96942b93cc1b21ffafeeb4791a0befa4 Anyway, I have had to try several combinations to get the Key, by...
  7. B

    Open TrueCrypt volume only with MasterKey

    Hi. That's right. That option doesn't show up in the "official" version, and I can't seem to find that mod. Indeed there is a "Keyfiles" option, but it doesn't work. I load the master key and it gives me an error. Maybe TrueCrypt is expecting another kind of keyfile, and not the master key...
  8. B

    Open TrueCrypt volume only with MasterKey

    Hi! I have a ciphered TrueCrypt volume and I don't have the password, but I have the masterkey. Is there any way to open it with masterkey? I have seen this video but I don't know which version of TrueCrypt he's using. Can it be done? Thanks!
  9. B

    Find data from Truecrypt with Volatility

    Hello! The thing is, I have a memory dump in which appears the process "Truecrypt.exe" and a mounted volume, and I want to find the key. I issue: volatility truecryptmaster volatility truecryptsummary volatility truecryptpassphrase The first 2 give me results, but the last one yields no...
  10. B

    Extract live data from a memory dump

    Hi. I have a Windows memory dump and I am analyzing it with Volatility. I have seen many interesting processes. However, I would need to get some live data regarding these processes. Such as linked Paths, opened documents, passwords entered, and so on. How can I achieve this? Many thanks!
  11. B

    Recover removed /var/log directory

    Hi! Yes. Indeed. I dug into the carved files directory and found files with the relevant content. Then I extracted the files and was able to recover some data. Many thanks!
  12. B

    Recover removed /var/log directory

    Autopsy does show lots of deleted files. The issue is that the names are not clarifying, and thus I don't know how to carve or where to begin from.
  13. B

    Recover removed /var/log directory

    They are raw *.dd files. I don't know which tool was used, but I am able to mount them either with the mount command or with Autopsy for Windows. Thanks!
  14. B

    Recover removed /var/log directory

    Hello, I am investigating a set of raw dumps from a Linux system. When I mount the dumps, I can't seem to find the /var/log directory, nor its files. It seems it has been removed on purpose. Is there any way to recover them? I am using Autopsy software, and I can't find anything in...
  15. B

    Volatility shows network connection PID but pslist doesn't

    Hello, I'm investigating a Windows memory dump and with connscan I find a web connection with a certain PID. However, when I issue pslist, pstree or psscan I can't seem to find that PID. Any clue about this? Where is that damn process? Thanks!
  16. B

    FMEM and DD segmentation fault

    Yes. I am running it directly as root.
  17. B

    FMEM and DD segmentation fault

    Hi all, I am trying to acquire a live memory dump from an Ubuntu system. This is what I do: 1. Download fmem tool 2. Compile it with make and run ./sh 3. A /dev/fmem is created I know this is a special file and I have to specify the size for dd. However, I either end up with a small file or I...
  18. B

    Autopsy, windows image and no data

    Hello, @BIOS First of all, many thanks for your reply. Indeed I have found some filenames ending in "-slack", and I don't know what they mean (I have to do a deeper read of your links). I have opened my $MFT file with a hex viewer and I have searched for the name of the original file, with no...
  19. B

    Autopsy, windows image and no data

    Hello, I'm new to forensics and I'm performing some tests with Autopsy and a Windows dump image. It's a challenge. I am supposed to find relevant info. That's what I have found so far: - $Logfile, $MFT and orphaned files. - 2 JPG images. - 2 txt files with the same name. One of them deleted...
