Forensics
RE: Two hash 2004-12-20
LERTI - Paul Vidonne (paul vidonne lerti fr)
At 17:23 16/12/04 -0800, Siebert, Bill wrote:
>Paul and I discussed this off list and discovered "the issue."

I agree with Bill's summary. May I just add a piece of advice: when hashing
a "disk", carefully note how many sectors you hashed (and how you
hashed).

Best regards.

--
LERTI - Laboratoire d'Expert

RE: Two hash 2004-12-17
Siebert, Bill (bill siebert encase com) (2 replies)
Paul and I discussed this off list and discovered "the issue."

Linux and DOS were able to reach 5,103 sectors of non-addressable Unused
Disk Area, that Windows was not. Thus a different hash value.

The drive in question was 74.5GB in size.

Partitions:
Code Type Star

SV: Two hash 2004-12-20
Svein Yngvar Willassen (svein willassen no)
RE: Two hash 2004-12-20
subscribe (subscribe crazytrain com)
RE: Cluster size 2004-12-16
Watkins Capt Timothy J (WatkinsTJ IIMEF USMC MIL)

Lily,

Is this the information you're looking for?

http://www.computerworld.com/softwaretopics/os/story/0,10801,73872,00.html

and more info on FAT and NTFS at

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reski

Cluster size 2004-12-14
Lily Tse (lily_tse908 yahoo com) (3 replies)


Hi,

I know that there are different default cluster sizes an operating
system uses during a high level format depending on how big the volume
is. However, cluster size can be changed easily. Assuming that all
the VBRs on a hard disk have been destroyed (BIOS parameter block info
i

Re: Cluster size 2004-12-21
Brian Carrier (carrier cerias purdue edu)
RE: Cluster size 2004-12-17
Chris Eagle (cseagle redshift com)
Re: Cluster size 2004-12-16
Valdis Kletnieks vt edu
Re: Two hash 2004-12-12
Jason Coombs (jasonc science org)
You may also have specified a range of sectors for your EnCase acquisition that do not match those that are being read from the linux device /dev/sda.

If you conduct a few tests using dd with a small source drive and examine the start and end sectors as they were imaged by dd, you should be able to

Re: Two hash 2004-12-12
Jason Coombs (jasonc science org)
Paul,

Your linux filesystem is mounted and you are using md5sum to hash the logical drive? In EnCase your acquisition image is likely to be a hash of the physical device rather than logical.

However, the explanation may be simpler than this. Are you certain that md5sum is working in binary and not

Two hash 2004-12-11
LERTI - Paul Vidonne (paul vidonne lerti fr) (6 replies)
Hello,

How can the same physical disk receive a different hash (MD5)
from EnCase and Linux md5sum (both through a drive lock)?
Has somebody met this question? Thanks.

--
LERTI - Laboratoire d'Expertise et de
Recherche de Traces Informatiques
http://www.lerti.fr +33.4 76 90 65 97

--------

Re: Two hash 2004-12-13
Valdis Kletnieks vt edu
Re: Two hash 2004-12-13
LERTI - Paul Vidonne (paul vidonne lerti fr) (3 replies)
Re: Two hash 2004-12-16
Nathan Catlow (nathan ccc-ltd com)
Re: Two hash 2004-12-13
Greg Freemyer (greg freemyer gmail com)
RE: Two hash 2004-12-13
Svein Yngvar Willassen (svein willassen no)
Re: Two hash 2004-12-11
Raymond C. Parks (rcparks comcast net)
Re: Two hash 2004-12-13
Ivan Hernandez (ivan hernandez globalsis com ar)
Re: Two hash 2004-12-11
Greg Freemyer (greg freemyer gmail com)
Re: Two hash 2004-12-11
subscribe (subscribe crazytrain com)
RE: Network Forensic Suites 2004-12-08
Watkins Capt Timothy J (WatkinsTJ IIMEF USMC MIL)
I have used eEye's product called Iris in the past.

It does a great job of assembling packets back into sessions so that you can
view webpages or emails or other events in question. It definitely was
taxing on the machine to try and store all of the information, but it did a
great job when filtere

image and drivespy 2004-12-07
Frank Ribitch (frankr detroitmac com)
I am new to forensics, so I picked up the CHFI course materials from
eccouncil.org. I have been reading through the books and finally
started to actually do some of the labs. These labs require me to use
image.exe and drivespy.exe. The CD is supposed to have everything
needed to run these, howev

Tool Announcement: AIRT -- the Advanced Incident Response Tool (linux) 2004-12-06
madsys (madsys ercist iscas ac cn)
hey all,

I'm proud to announce that the AIRT 0.2 is now available:

http://159.226.5.93/projects/airt.htm

AIRT (Advanced incident response tool) is a set of incident response assistant tools on linux platform. It's useful when you want to know what evil kernel backdoor is resident on you

Copyright 2010, SecurityFocus