Spam detection software, running on the system "mail.securityfocus.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that

[ more ]  [ reply ]

Dear Richard,
I haven't tried it yet but should be worth trying out. Let me tell you
my understanding of how EFS works. When a user encrypts a file using EFS
for the first time, then a public/private key pair is generated and a
FEK (File Encryption Key) is generated. This FEK is a symmetric key

[ more ]  [ reply ]

Check the system log of the computer/server that the queue is setup on.
Depending on when and how much logging you have enabled on the event
logs, you will find it there.

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
On Behalf Of jefklak
Sent:

[ more ]  [ reply ]

I believe cracking EFS encrypted files is not going to likely here, unless you were able to somehow recover the deleted user profiles from the wiped version of Windows from the disk, from the domain (if it was joined to a domain) or from a backup. How exactly was the disk "wiped?"

Good informat

[ more ]  [ reply ]

I have a network printer connected to a HP jetdirect module. I need to find
out who printed lately some files. How can I retreive the log files from the
module. Thanks.
--
View this message in context: http://www.nabble.com/jetdirect-log-files-tf2904359.html#a8114092
Sent from the Security - Foren

[ more ]  [ reply ]

I have a drive where i need to investigate one encrypted folder full of
equally encrypted files. (XP default type encryption of files/folders)
The original system disk is unavailable due to a wipe, so the key is lost.

Is there any way to rebuild the files to make an investigation possible?

--
 

[ more ]  [ reply ]

The new 0.2.1 release of CarvFs ( http://ocfa.sourceforge.net/libcarvpath/ )
now comes with a script (scalpelcp) that makes it work in conjunction with
the preview mode ( the -p option) of scalpel. This script can be used to
populate the scalpel output dir with symlinks to the proper carvfs pseudo
f

[ more ]  [ reply ]

ADFSL 2007 Conference on Digital Forensics, Security and Law
============================================================
DEADLINE: CALL FOR PAPERS AND PROPOSALS - December 31, 2006
============================================================
VENUE: Arlington, Virginia USA on April 18-20, 2007
====

[ more ]  [ reply ]

Hi, since one year I'm working on a framework written in Python to parse any binary file. Some features:
* Autofix: Catch any parser error and fix them as soon as possible
* Lazy: Field value, size, description, absolute address, (...) are computed on demand
* No arbitrary limit on addresses, field

[ more ]  [ reply ]

If it were just an iso, you shouldn't have had a problem with the mount. A Windows partition has an offset of 32256 according to the Anti-Hacker Toolkit. You can do the following:
losetup -o 32256 /dev/loop0 /media/test
mount -o -ro /dev/loop0 /media/recovery
ls /media/recovery

Alex Klimov's advice

[ more ]  [ reply ]

The Open Computer Forensics Architecture (OCFA) project
just released a new version with many bug fixes.

http://sourceforge.net/projects/ocfa/

The Open Computer Forensics Architecture is a modular computer forensics
framework running on Linux.The project aims to be highly modular,
robust,fault t

[ more ]  [ reply ]

Brian,

Thanks for the pointer.

gpart found my missing partition and I now have it mounted.

Greg

On 11/20/06, Brian Carrier <carrier (at) digital-evidence (dot) org [email concealed]> wrote:
> You could use tools such as gpart or testdisk to search the drive for
> file system signatures to determine if there are file systems

[ more ]  [ reply ]

This is all done within the registry and not a log file unless some third party synchronization software was used. There are unique descriptors created for each device that lists information like what kind of device it is, number of endpoints, etc.

You can read more about descriptors here:

http://

[ more ]  [ reply ]

Hi Michael,

About a week after I sent my previous response to both you and the
forensics mailing list, I got notification that it wasn't approved for
the forensics list; I have no idea why not. Hopefully you received it,
but it is included below in any case.

Anyway, I came across the following tod

[ more ]  [ reply ]

I've watched this topic ebb and flow for quite sometime and I've often wondered if anyone has ever taken a test drive, placed a "sensitive" file on it, either a string of ascii or a whole file, overwritten the drive, and tasked another person to find it using currently available open source or comme

[ more ]  [ reply ]

Not 57+, but how about 21?

I just stumbled upon an article that states: "There are rumors that
government agencies have the capability to recover data that has been
overwritten as many as 21 times."

This is a SANS GSEC article originally published on 7/21/2001, and
updated on 6/12/2006, titled "S

[ more ]  [ reply ]

For those of you interested in zero-storage carving,
libcarvpath and carvfs now provide a simple means to
patch zero-storage carving into carving tools.

http://ocfa.sourceforge.net/libcarvpath/

A patch to the sleuthkit is included with carvfs that
includes zero-storage carvpath versions of mmls,

[ more ]  [ reply ]

The First International Workshop on Spoofing, Digital Forensics and Open Source Tools (SDFOST), in conjunction with ARES-2007 -- The Second International Conference on Availability, Reliability and Security
The conference will be held at the Vienna University of Technology (TU) in Vienna, Austria on

[ more ]  [ reply ]