Forensics Mode:
(Page 27 of 84)  < Prev  22 23 24 25 26 27 28 29 30 31 32  Next >
MS-DOS stub program question 2005-06-09
keydet89 yahoo com
I posted this to my blog this morning, but wanted to follow up here, as well...

In PE executable files, there is an MS-DOS stub program, added by the linker, prior to the PE header (ie, "PE\0\0"). The stub program contains the message "This program cannot be run in DOS mode" or some variation. Th

[ more ]  [ reply ]
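
An added example to go with the stub question above (my code, not from keydet89's post or blog): it reads e_lfanew from the IMAGE_DOS_HEADER, bounds-checks it before using it as an offset, confirms the "PE\0\0" signature, carves out the stub that sits between the 64-byte DOS header and that signature, and pulls the '$'-terminated message out of it. The sample image it builds is constructed for the test and is not a real binary; `build_sample_image`, `parse_dos_stub` and `stub_fingerprint` are this example's own names.

```python
import hashlib
import struct

DOS_HEADER_LEN = 64            # sizeof(IMAGE_DOS_HEADER); e_lfanew lives at offset 0x3C
PE_SIGNATURE = b"PE\0\0"
STUB_MESSAGE = b"This program cannot be run in DOS mode.\r\r\n$"


def build_sample_image():
    """Constructed test input, not a real binary: MZ header, the familiar
    14-byte 16-bit stub that prints the message via INT 21h/AH=09h, the
    '$'-terminated message, zero padding to an 8-byte boundary, then the
    PE signature and a few zero bytes standing in for the COFF header."""
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + STUB_MESSAGE)
    stub += b"\0" * ((-(DOS_HEADER_LEN + len(stub))) % 8)
    e_lfanew = DOS_HEADER_LEN + len(stub)
    hdr = bytearray(DOS_HEADER_LEN)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr) + stub + PE_SIGNATURE + b"\0" * 20


def parse_dos_stub(data):
    """Locate the MS-DOS stub of a PE image.
    Returns (e_lfanew, stub_bytes, message_or_None) and raises ValueError when
    the file is not a well-formed PE (no MZ, e_lfanew outside the file, or no
    PE signature where e_lfanew points)."""
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew comes from the file, i.e. from the attacker: bound it before
    # slicing with it. Stubs that overlap the DOS header (e_lfanew < 64) are
    # rejected here; relax the lower bound if you need to accept those.
    if e_lfanew < DOS_HEADER_LEN or e_lfanew + len(PE_SIGNATURE) > len(data):
        raise ValueError("e_lfanew %#x points outside the file" % e_lfanew)
    if data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] != PE_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    stub = data[DOS_HEADER_LEN:e_lfanew]
    message = None
    start = stub.find(b"This program")
    if start != -1:
        end = stub.find(b"$", start)        # INT 21h/AH=09h strings end in '$'
        text = stub[start:end if end != -1 else None]
        message = text.rstrip(b"\r\n").decode("ascii", "replace")
    return e_lfanew, stub, message


def stub_fingerprint(data):
    """MD5 of the stub bytes alone. The stub belongs to the linker, not the
    program, so binaries built with the same toolchain share this value even
    when everything after the PE signature differs."""
    _, stub, _ = parse_dos_stub(data)
    return hashlib.md5(stub).hexdigest()


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    e_lfanew, stub, message = parse_dos_stub(image)
    print("e_lfanew      : %#x" % e_lfanew)
    print("stub length   : %d bytes" % len(stub))
    print("stub message  : %r" % message)
    print("stub MD5      : %s" % stub_fingerprint(image))
```

Run it against a real executable as `python stub.py file.exe`. The message text and the stub length vary by linker and version, which is why the stub hash is worth recording alongside the file hash when comparing samples: two files with the same stub digest were very likely produced by the same toolchain, whatever their payload.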
Re: airtf.exe 2005-06-09
keydet89 yahoo com
Any references to the file in the Registry or file system (ie, autoruns locations)?

Have you performed any analysis of the file itself?

Do you have a copy of the file, as well as any supporting files (ie, DLLs, etc) available for analysis?

H. Carvey
"Windows Forensics and Incident Recovery"
http

Re: autoruns for dead systems? 2005-06-09
keydet89 yahoo com
This is something I'm working on, with improvements, using the latest version of ProDiscover from TechPathways...Chris Brown is incorporating Perl as the scripting language for PD.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

---------

More on breathalyzers: Only open source forensics can be trusted? 2005-06-09
Gary Funck (gary intrepid com)

Interesting thread on Declan's Politech discussion list:

http://www.politechbot.com/2005/06/08/more-on-breathalyzers/

Previous Politech message:
http://www.politechbot.com/2005/06/07/dui-cases-tossed/

-------- Original Message --------
Subject: Re: [Politech] DUI cases tossed out because of clo

RE: autoruns for dead systems? 2005-06-09
Arnold, Robert P (Robert P Arnold msfc nasa gov)
It can be extracted from the registry files in the config directory. You can
manually extract it or you can use the EnCase Autoruns EnScript. Hope this
helps.

-----Original Message-----
From: Julio Vicente [mailto:juliov (at) ti.parmapatas (dot) net]
Sent: Wed 6/8/2005 4:38 AM
To: forensics (at) lists (dot) securityfocu

RE: autoruns for dead systems? 2005-06-08
Altheide, Cory B. (IARC) (AltheideC nv doe gov)
> -----Original Message-----
> From: Julio Vicente [mailto:juliov (at) ti.parmapatas (dot) net]
> Sent: Wednesday, June 08, 2005 2:39 AM
> To: forensics (at) lists.securityfocus (dot) com
> Subject: autoruns for dead systems?
>
> Is there any equivalent of the "autoruns/autorunsc" utility
> (http://www.sysinternals.co

autoruns for dead systems? 2005-06-08
Julio Vicente (juliov ti parmapatas net)
Is there any equivalent of the "autoruns/autorunsc" utility
(http://www.sysinternals.com/Utilities/Autoruns.html) that can be
applied to the disk image of a dead system?

Julio.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analy

airtf.exe 2005-06-08
Luis Garcia (lgcg ti parmapatas net) (2 replies)
Has anyone else encountered "airtf.exe" before? It seems to open a
backdoor on port 9988 but apart from that I can't figure out what else
it does.

Its MD5 hash:

C:\> md5sum airtf.exe
bd1e5edbf73c137aae2c4b0256660052 airtf.exe

Thanks in advance,
Luis

-------------------------------------------

RE: airtf.exe 2005-06-09
List Account (list account cerdant com)
Re: airtf.exe 2005-06-09
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
The Security Monitoring and Attack Detection Planning Guide 2005-06-07
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell net)
http://www.microsoft.com/downloads/details.aspx?familyid=95a85136-f08f-4b20-942f-dc9ce56bcd1a&displaylang=en

This guide is designed to help organizations plan a security monitoring
and a

Re: Determining author from PDF 2005-06-02
David Jacoby (dj outpost24 com)
Hi List!

The author information is stored in the headers of the PDF
file. There are many ways to gather this information; you can,
for example, use a PDF reader and view the properties of
the file.

I have written a small perl script that will extract some of the
information from the headers, a scree

RE: Determining author from PDF 2005-06-01
Johnathan Bridbord (jbridbord doar com) (1 replies)
Craig,

While examining a PDF you may want to parse the following attributes:

<<PDF FileName>>
<<PDF Version>>
<<PDF Security>>
<<PDF PageCount>>
<<MediaBox>>
<<page 0 MediaBox>>
<<CropBox>>
<<page 0 CropBox>>
<<OpenAction>>
<<Title>>
<<Keywords>>
<<Subject>>
<<Creator>>
<<Author>>
<<CreatedDate>>

RE: Determining author from PDF 2005-06-02
Darren Stephens (darren stephens hull ac uk)
CFP: DFRWS -- Extended Deadline 2005-06-01
Brian Carrier (carrier cerias purdue edu)
The paper submission deadline for DFRWS 2005 has been extended until
Friday June 3, 2005. For those who have already submitted papers, you
can still edit your submission on the server. For those who requested
an extension or are behind because of the long weekend, you have a few
more days to f

Determining author from PDF 2005-05-31
NEWELL Craig -TSDC (craig newell torsdc ca) (1 replies)
Hi,

When we open up a PDF in WordPad, we find an entry as follows:

/Creator (Acrobat Capture Server 2.01)
/CreationDate (D:20050207111015)
/Author (\376\377\000C\000L\000O\000W\000E\000S\000D\000A)
/Producer (Acrobat PDFWriter 4.05 for Windows NT)
/ModDate (D:20050207111015)

We are trying to find

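
An added example (my code, not Jacoby's script, Bridbord's tool output, or anything from Newell's post) that does what the three PDF-metadata posts above describe: it finds the Info-dictionary keys Bridbord lists, decodes PDF literal strings including the backslash-octal form Newell saw in WordPad, recognises the FE FF byte-order mark that makes "\376\377\000C\000L..." read as UTF-16BE "CLOWESDA", and parses the D:YYYYMMDDHHmmSS date syntax. The sample document is constructed around the dictionary quoted in Newell's post; `extract_info`, `read_literal_string`, `decode_text_string` and `parse_pdf_date` are this example's own names, and the Latin-1 fallback is an approximation of PDFDocEncoding that is exact only for the ASCII range.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, not a real document: the Info dictionary from the post,
# plus a hex-string /Title and a /Subject with escaped parentheses so the
# string decoder is exercised. The rb"" literal keeps "\376\377..." verbatim.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj
<<
/Creator (Acrobat Capture Server 2.01)
/CreationDate (D:20050207111015)
/Author (\376\377\000C\000L\000O\000W\000E\000S\000D\000A)
/Producer (Acrobat PDFWriter 4.05 for Windows NT)
/ModDate (D:20050207111015)
/Title <FEFF0054006500730074>
/Subject (Report \(draft\))
>>
endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

INFO_KEYS = (b"Title", b"Subject", b"Author", b"Keywords", b"Creator",
             b"Producer", b"CreationDate", b"ModDate")
# value is either a literal string "(...)" or a hex string "<...>" (not "<<")
_INFO_RE = re.compile(rb"/(" + b"|".join(INFO_KEYS) + rb")\s*(\(|<(?!<))")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def read_literal_string(data, pos):
    """Decode the literal string whose '(' is at data[pos]. Returns
    (raw_bytes, index_after_closing_paren). Handles nested balanced
    parentheses and the backslash escapes of ISO 32000-1 section 7.3.4.2."""
    out, depth, i = bytearray(), 1, pos + 1
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            octal = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
            if nxt in _ESCAPES:
                out += _ESCAPES[nxt]; i += 2
            elif octal:                      # \ddd is one byte, taken mod 256
                out.append(int(octal.group(), 8) & 0xFF); i += 1 + len(octal.group())
            elif nxt in (b"\r", b"\n"):      # backslash-newline is a continuation
                i += 3 if data[i + 1:i + 3] == b"\r\n" else 2
            else:                            # unknown escape: the backslash is dropped
                i += 1
        elif c == b"(":
            depth += 1; out += c; i += 1
        elif c == b")":
            depth -= 1; i += 1
            if depth == 0:
                return bytes(out), i
            out += c
        else:
            out += c; i += 1
    raise ValueError("unterminated literal string")


def decode_text_string(raw):
    """A PDF text string is UTF-16BE when it starts with FE FF, otherwise
    PDFDocEncoding; Latin-1 stands in for PDFDocEncoding here (assumption)."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")


_DATE_RE = re.compile(
    r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([Z+\-])?(\d{2})?'?(\d{2})?'?")


def parse_pdf_date(text):
    """Parse D:YYYYMMDDHHmmSSOHH'mm'. Naive datetime when no offset is given
    (the file does not say which zone it meant), aware otherwise."""
    m = _DATE_RE.match(text)
    if not m:
        raise ValueError("not a PDF date: %r" % text)
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    tz = None
    if sign == "Z":
        tz = timezone.utc
    elif sign in ("+", "-"):
        off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(off if sign == "+" else -off)
    return datetime(int(y), int(mo or 1), int(d or 1), int(h or 0),
                    int(mi or 0), int(s or 0), tzinfo=tz)


def extract_info(pdf):
    """Return {key: decoded text} for Info keys found anywhere in the file.
    Later occurrences win: incremental updates append a new Info dictionary
    at the end of the file, and the old one stays behind as history."""
    info = {}
    for m in _INFO_RE.finditer(pdf):
        start = m.end() - 1
        if m.group(2) == b"(":
            raw, _ = read_literal_string(pdf, start)
        else:
            end = pdf.index(b">", start)
            digits = re.sub(rb"\s", b"", pdf[start + 1:end])
            if len(digits) % 2:              # odd digit count: last digit is 0
                digits += b"0"
            raw = bytes.fromhex(digits.decode("ascii"))
        info[m.group(1).decode("ascii")] = decode_text_string(raw)
    return info


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for key, value in extract_info(data).items():
        if key.endswith("Date"):
            try:
                value = "%s  (%s)" % (value, parse_pdf_date(value).isoformat())
            except ValueError:
                pass
        print("%-13s %s" % (key, value))
```

Two caveats before treating the output as the author: in PDF 1.5 and later the Info dictionary can sit inside a compressed object stream, and in an encrypted file its strings are encrypted, so a flat byte scan like this one finds nothing in either case and a proper parser is needed; and a file can also carry an XMP /Metadata stream whose dc:creator may disagree with /Author, so compare the two rather than trusting whichever you saw first.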
Re: Determining author from PDF 2005-06-01
David MacDonald (davidpmacdonald gmail com) (2 replies)
Re: Determining author from PDF 2005-06-01
Bob Jones (jonesb svcc edu) (1 replies)
Re: Determining author from PDF 2005-06-01
David MacDonald (davidpmacdonald gmail com) (1 replies)
Re: Determining author from PDF 2005-06-02
Steve Barnet (barnet chem wisc edu)
Re: Determining author from PDF 2005-06-01
Valdis Kletnieks vt edu
Re: Forensic disk duplication modifies the evidence hard disk 2005-05-30
Clinton E. Troutman (troutman mesh net)
On Sunday 29 May 2005 19:27, Mark Menz wrote:
> Heisenberg's Uncertainty Principle does not apply in a digital environment.
>

In a theoretical environment in which all things are either of "state1" or
"state2", perhaps...

However, in the real world, even "state1" and "state2" are not exact.

Heise

RE: Ghost Norton Fingerprint signature 2005-05-29
Steve Hailey (shailey edcc edu) (1 replies)
The original question was along the lines of "how to find the signature," not "would the signature be present in a forensic clone of a drive that already contained the signature." My original information is correct based on the question asked.

The -fnf switch turns off the Ghost fingerprint cr

Re: Ghost Norton Fingerprint signature 2005-05-29
Valdis Kletnieks vt edu
Re: Forensic disk duplication modifies the evidence hard disk 2005-05-28
Pavel Gladyshev (pavel gladyshev info)

> The point of the acquisition is to copy and preserve the state of data
> that could be evidence. If the SMART data, low-level disk
> configuration, and disk caches aren't being used as evidence, then is
> it ok if they are changed? If not, then we need to seriously change
> the acquisition

RE: Ghost Norton Fingerprint signature 2005-05-27
Steve Hailey (shailey edcc edu)
You will typically find the signature for Ghost in the sectors between the Master Boot Record and the first Boot Record. You'll know it when you see it. If the disk was cloned using the proper switches to create a forensically sound sector-by-sector clone, you will not find a signature.

Regard

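
Hailey's two posts above put the Ghost signature in the sectors between the Master Boot Record and the first boot record and say you will know it when you see it. An added example (my code, not Hailey's and not Symantec's) that dumps exactly that region from a raw image so the examiner can look: it parses the four MBR partition entries, takes the lowest starting LBA as the end of the gap, and returns every sector in between that is not all zeros. It matches no pattern, because the posts do not give the signature bytes. The sample image and the marker text it contains are constructed for the test; `parse_mbr`, `scan_gap`, `scan_gap_bytes` and `build_sample_image` are this example's own names.

```python
import io
import struct

SECTOR = 512
MAX_GAP_SECTORS = 1 << 16       # do not walk a 2 TB "gap" from a corrupt partition table


def parse_mbr(mbr):
    """Return [(type, lba_start, sector_count), ...] for the non-empty entries of
    the four-slot partition table at offset 446 of a classic MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 55 AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        lba, count = struct.unpack_from("<II", entry, 8)
        if ptype and count:
            parts.append((ptype, lba, count))
    return parts


def scan_gap(fh):
    """Read the MBR from the file-like object fh, then return
    {sector_number: 512 bytes} for every non-zero sector between the MBR and
    the lowest partition start. It reports what is there; it does not decide
    what it is."""
    fh.seek(0)
    parts = parse_mbr(fh.read(SECTOR))
    if not parts:
        raise ValueError("partition table is empty")
    first_lba = min(lba for _, lba, _ in parts)
    found = {}
    for n in range(1, min(first_lba, MAX_GAP_SECTORS)):
        sec = fh.read(SECTOR)            # sequential: fh is already positioned at sector n
        if len(sec) < SECTOR:
            break                        # image ends before the first partition
        if any(sec):
            found[n] = sec
    return found


def scan_gap_bytes(image):
    """Convenience wrapper for an image already held in memory."""
    return scan_gap(io.BytesIO(image))


def hexdump(data, base=0):
    """Classic 16-bytes-per-line dump, offsets relative to base."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-47s  %s" % (base + off, hexpart, asc))
    return lines


def build_sample_image():
    """Constructed 63-sector image: an MBR with one NTFS-typed partition
    starting at LBA 63, an invented marker in sector 2, zeros elsewhere.
    The marker is made up for this example and is not Ghost's signature."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 1_000_000)
    mbr[510:512] = b"\x55\xaa"
    img = bytearray(bytes(mbr) + b"\0" * (62 * SECTOR))
    marker = b"EXAMPLE-CLONE-TOOL-MARKER"
    img[2 * SECTOR:2 * SECTOR + len(marker)] = marker
    return bytes(img)


if __name__ == "__main__":
    import sys
    fh = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample_image())
    for n, sec in scan_gap(fh).items():
        print("sector %d (offset %#x) is non-zero:" % (n, n * SECTOR))
        print("\n".join(hexdump(sec[:64], n * SECTOR)))
```

Run it as `python mbrgap.py image.dd` against a raw (dd-style) image; it reads only the MBR and the gap, so image size does not matter. Non-zero sectors in the gap are not by themselves evidence that a drive was cloned: a GPT disk keeps its header at LBA 1 and its partition entries from LBA 2 onward behind a protective MBR, BIOS boot loaders such as GRUB store their second stage in the same gap, and disks partitioned by Vista or later start the first partition at LBA 2048, so the gap is 1 MiB rather than the 31 KiB of the 63-sector layout shown here. What you want is a sector you can attribute to a tool, and as Hailey notes, a clone made with the switch that disables fingerprinting leaves nothing there.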
Re: Forensic disk duplication modifies the evidence hard disk 2005-05-27
Dr. Marc Rogers (rogersmk exchange purdue edu)
While this is a very interesting discussion topic, I find some of the
article's suggestions/conclusions problematic. One has to be extremely
careful about determining/deciding what constitutes evidence, potential
evidence, or the exact location of evidence. The decision re the trade off
between spee



 

Copyright 2010, SecurityFocus