Forensics Mode:
RE: mactimes - a network question 2005-01-27
Joe Brady (bradyj hibernia net)
Just my 2c but...

The file receives its original mactimes from the local system time on
the machine it was created on. If the file is then copied across the
network, by person or program, it will (depending on copy method)
maintain the original modification time from the first computer but get the

mactimes - a network question 2005-01-27
K Pugh (kpughmisc pughkilleen com)
In-Reply-To: <1169300920-1100204291-cardhu_blackberry.rim.net-11901-@engine67>

I've got a question related to the mactimes discussion. I have searched the web for an answer to this question, but I have not found anything.

I have a set of files on a hard drive that was produced from a forensic

Black Hat new content on-line & Registration now open for Asia and Europe. 2005-01-26
Jeff Moss (jmoss blackhat com)

Hello,

I would like to make some brief announcements about past as well as upcoming Black Hat events.

First, new content is on-line from our Tokyo, Japan conference. Please check out our free media archives of past presentations:
http://www.blackhat

FW: HTCIA webinar registration OPEN 2005-01-19
Warren Kruse (wgkruse computer-forensic com)
A few seats are still available. There is no cost.

Warren Kruse, CISSP, CFCE
Computer Forensic Services, LLC
1 Industrial Way West, Bld. B
Eatontown, NJ 07724
wgkruse (at) computer-forensic (dot) com
http://www.computer-forensic.com
732-544-8080 ext. 11

-----Original Message-----
From: Warren Kruse [mailt

RE: Workarounds for Windows Event File corruption 2005-01-13
Altheide, Cory B. (IARC) (AltheideC nv doe gov)
> -----Original Message-----
> From: Jerry Shenk [mailto:jshenk (at) decommunications (dot) com]
> Sent: Wednesday, January 12, 2005 11:37 AM
> To: jeff (at) jeffbryner (dot) com; forensics (at) securityfocus (dot) com
> Subject: RE: Workarounds for Windows Event File corruption
>
>
> There is a unix-based suite of tools by Mich

Re: Workarounds for Windows Event File corruption 2005-01-10
Jeff Bryner (jbryner1 yahoo com)
--- Kevin. wrote: windows shell scripts

Thanks! I hadn't considered the windows shell scripting approach. I'll
keep those scripts for future use ;-)

I suppose they'd be really useful in an incident response since it
would seem you could use them to attach remotely to a computer and dump
out the

RE: Workarounds for Windows Event File corruption 2005-01-10
Mueller, Lance (lance mueller guidancesoftware com) (1 replies)
Jeff,

The corrupt message you are getting is commonly caused by a hard shutdown or making an image of a machine that is currently running. There are several bytes that are changed when the Event logging service starts and stops in Windows. You can use the EnCase Windows Syslog Parser script to rea

RE: Workarounds for Windows Event File corruption 2005-01-10
Jeff Bryner (jbryner1 yahoo com)
RE: Workarounds for Windows Event File corruption 2005-01-10
Johnathan Bridbord (jbridbord doar com) (1 replies)
Jeff,

Have you tried "Export List" rather than "saving" the file?

Exporting allows .txt or .csv formats, and all time stamps are
preserved.

Let us know how you fare.

Cheers,
JB

Johnathan Bridbord, CISSP
Sr Forensic Examiner
DOAR
170 Earle Avenue, Lynbrook, New York 11563
Direct Dial:

RE: Workarounds for Windows Event File corruption 2005-01-10
Jeff Bryner (jbryner1 yahoo com) (1 replies)
RE: Workarounds for Windows Event File corruption 2005-01-12
Jerry Shenk (jshenk decommunications com)
RE: Workarounds for Windows Event File corruption 2005-01-10
Robinson, Sonja (SRobinson HIPUSA com) (1 replies)
Use dumpevt to dump your event logs.

Sonja L. Robinson, CISA
Forensic Specialist, Digital Investigations
HIP Information Security Group
Tel: 212-806-4125
srobinson (at) hipusa (dot) com

-----Original Message-----
From: Jeff Bryner [mailto:jbryner1 (at) yahoo (dot) com]
Sent: Friday, January 07, 2005 1:15 PM
To: fo

RE: Workarounds for Windows Event File corruption 2005-01-10
Jeff Bryner (jbryner1 yahoo com)
Re: Workarounds for Windows Event File corruption 2005-01-10
H Carvey (keydet89 yahoo com) (3 replies)
In-Reply-To: <20050107181459.59991.qmail (at) web51705.mail.yahoo (dot) com>

>I'm working on a case where I'd like to get time stamp info out of a
>windows application event log (AppEvent.evt).
>
>If I copy the file to another windows box and open it via event viewer
>I get the dreaded message about the

Re: Workarounds for Windows Event File corruption 2005-01-10
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
Re: Workarounds for Windows Event File corruption 2005-01-10
subscribe (subscribe crazytrain com)
Re: Workarounds for Windows Event File corruption 2005-01-10
subscribe (subscribe crazytrain com)
RE: Workarounds for Windows Event File corruption 2005-01-10
Mark Spencer (mspencer evidentdata com) (1 replies)
Hi Jeff,

Did you try (all on your second system) disabling the event log service,
rebooting, copying the event file over, then restarting the event log
service? I've never had a problem with this procedure on Win2K.

Mark G. Spencer
Director, Computer Forensics and Investigations
Northeast Regi

RE: Workarounds for Windows Event File corruption 2005-01-10
Jeff Bryner (jbryner1 yahoo com)
Copyright 2010, SecurityFocus