Forensics Mode:
(Page 36 of 84)
Workarounds for Windows Event File corruption 2005-01-07
Jeff Bryner (jbryner1 yahoo com) (4 replies)
I'm working on a case where I'd like to get time stamp info out of a
windows application event log (AppEvent.evt).

If I copy the file to another windows box and open it via event viewer
I get the dreaded message about the file being corrupted.

Web searches all lead to support articles suggesting

Re: Workarounds for Windows Event File corruption 2005-01-10
Tim (tim-forensics sentinelchicken org)
Re: Workarounds for Windows Event File corruption 2005-01-10
Lance James (lancej securescience net)
RE: Workarounds for Windows Event File corruption 2005-01-10
dave kleiman (dave isecureu com)
Re: Workarounds for Windows Event File corruption 2005-01-09
Jack Seward (JackSeward msn com)
Re: forensic imaging and the host protected area on ATA drives (was Two hash) 2005-01-06
Gordon Stevenson (gs vogon co uk)
In-Reply-To: <002901c4f171$cdbef9a0$d2c8f181 (at) PDS (dot) LOCA [email concealed]L>

Vogon's Windows based imaging software uses our write-protection hardware and the user is warned that hidden sectors are present on the disk and is allowed to image the visible area or whole disk or any area he chooses. Our write blocking hardw

Re: Two hash 2004-12-31
taylormade rocketmail com
In-Reply-To: <87f94c370412231304693d0e66 (at) mail.gmail (dot) com [email concealed]>

> Now that you mention it, in the absence of a printed LBA I could boot
> under Linux and use hdparm to get the total sector count, then boot
> back into Win32 to do the Encase image.

Or... always image in Linux and then "add raw im

Re: mactimes 2004-12-30
taylormade rocketmail com
In-Reply-To: <5a51d61b0412220740703b8b19 (at) mail.gmail (dot) com [email concealed]>

Modified time follows the file.

Created really means "Created on this media".

File was created on a HDD or other media.

Last modified on 9/28/2004 @ 9:12AM CST.

Copied/moved to the floppy on 10/1/2004 @ 1:12 AM.

FAT12 only tracks

Hardware write-blockers (not the whole answer) 2004-12-27
Greg Freemyer (greg freemyer gmail com) (1 replies)
In response to a previous post about using the hdparm command as a
software write-blocker, a couple people sent private e-mails
suggesting a hardware write-blocker should always be used.

One particular concern was that doing Linux read-only mount of a
filesystem does make small changes to the files

Re: Hardware write-blockers (not the whole answer) 2004-12-28
subscribe (subscribe crazytrain com) (1 replies)
Re: Hardware write-blockers (not the whole answer) 2004-12-28
Rikard Johnels (rikjoh norweb se)
RE: Two hash 2004-12-23
Christopher Brown (clbrown techpathways com)
Farmerdude, Greg,

Yes, all versions of ProDiscover include a device driver that allows
investigators to dynamically access and image the HPA from within
Windows. The network version can even do this on remote systems. One of
the key features of this capability is that unlike many int13 approaches
w

RE: Two hash 2004-12-23
crazytrain.com (subscribe crazytrain com) (2 replies)
On Tue, 2004-12-21 at 14:45, Greg Freemyer wrote:
> I can't speak for Encase, nor do I know the specifics of this case,
> but it is my belief that Win32 based imaging tools cannot access the
> HPA of any drive.
>

I believe this depends on how the tool operates. For example, I thought
TechPathway

RE: Two hash 2004-12-28
Barry J. Grundy (bgrundy imx hq nasa gov)
Re: Two hash 2004-12-23
Greg Freemyer (greg freemyer gmail com)
Copyright 2010, SecurityFocus