Forensics
(Page 12 of 84)
EXTENDED PAPER DEADLINE - 9th October - 4th Australian Digital Forensics Conference, 7th Australian Information Warfare and Security Conference, 4th Australian Information Security Management Conference 2006-10-03
Craig VALLI (c valli ecu edu au)
The paper deadline for the following conferences has been extended until
9th October

7th Australian Information Warfare and Security Conference
4th Australian Information Security Management Conference
4th Australian Digital Forensics Conference
4-5th December, 2006, Edith Cowan University, P

Windows Search 2006-09-28
Gustav Nordenskjöld (gustav nordenskjold safeit com)

Is anyone aware of an application that can extract useful information from
the Windows Search database (in Vista). Alternatively, any of the other
similar applications like Yahoo! Desktop Search or Google Desktop.

Thank you in advance.

Best Regards,
Gustav Nordenskjöld

Dynamic decryption procedures in malware 2006-09-24
Omar Herrera (oherrera prodigy net mx)
I wrote a paper on dynamic decryption procedures in malicious software which
can be found here:

Although the use of these techniques might prevent traditional computer
viruses and worms from spreading, they seem particularly u

Upcoming Events Listing 2006-09-14
Baker, Dave (bakerd mitre org)
I have posted the updated digital forensics Conference and Training
list on the Forensicswiki, which is an open forum for the digital
forensics community.

Dave B.
David W. Ba

Re: Re: RE: Mounting LVM image for analysis 2006-09-14
kush niiconsulting com
Hi Ashish,

You can use the losetup command to mount the image. The syntax for losetup is

losetup <loop device> <image name>. Loop devices can be /dev/loop{0,1,2,3,4,5,6,7}. If you know the major number or minor number you can create more loop devices. In your case the proper syntax will be


ToorCon Pre-Registration Closing Friday! 2006-09-13
h1kari (h1kari toorcon org)

Don't miss out on the discounted rates for attending ToorCon 8, San
Diego's exclusive hacker convention, going on from September 29th
through October 1st.


Currently general admission is only $80 which w

Re: RE: Mounting LVM image for analysis 2006-09-12
aashish uiuc edu (3 replies)
Hello :

I was able to create images of logical volume by using command :

dd if=/dev/mapper/VolGroup00-LogVol04 of=logvol.img

How do I mount the image now for further analysis.

Any thoughts will be appreciated.



RE: RE: Mounting LVM image for analysis 2006-09-14
Artes, Francisco (francisco ea com)
RE: RE: Mounting LVM image for analysis 2006-09-14
Morin, Peter (pjmorin kpmg ca)
Re: Mounting LVM image for analysis 2006-09-13
Lance James (lancej securescience net)
Memory dumping over FireWire - UMA issues 2006-09-02
Arne Vidstrom (arne vidstrom ntsecurity nu)
Hi all,

Here is an analysis of why dumping the UMA over FireWire can be a problem:


New tool announcement: Live View 2006-08-25
Matthew Geiger (mgeiger cmu edu)

We'd like to announce the public availability of Live View, a free,
open-source (GPL) forensics tool that creates a VMware virtual machine out of
a raw (dd-style) disk image or physical disk. Live View allows the forensic
examiner to "boot up" the image and gain an interactive, user-level

FW: Use of USB devices 2006-08-25
Wim Remes (Wim_Remes msp be)

You should also look into the direction of stuff like Cisco Security Agent, which is an effective and manageable solution to bring endpoint security to another level. It is based on the 'positive security model' and works with policies rather than signature files. I've seen it do stunnin

Re: Use of USB devices 2006-08-22
thetackdriver hotmail com
Other possibilities:

Close BIOS ports

Limit offline Files

Use monitoring software such as Spectre Pro or GoldenEye to log transactions for further auditing and accountability. Be careful w/this. I used this to catch a "leaving soon" employee.

DFRWS File Carving Challenge Results 2006-08-22
Brian Carrier (carrier digital-evidence org)
The layout and results of the DFRWS 2006 File Carving Challenge have
been posted. The image file contained 32 files that were organized into
22 scenarios. None of the nine submissions were successful in all
scenarios, but there were several new and interesting approaches.

RE: Mounting LVM image for analysis 2006-08-21
Nehls, Patrick (pnehls ucsd edu)
Once the VG is mounted you should be able to see all the LVs
(partitions) underneath /dev/<volumegroupname>.

In the example I'm looking at I've got an sdb4 LVM dd image with a
volumegroupname of vg00. Doing an ls /dev/vg00/ shows me lv00-lv09. You
should then be able to dd if=/dev/vg00/lv00 of=/ima

Re: Use of USB devices 2006-08-21
jay tomas infosecguru com
That's great for Wintel, but you'd also better encrypt the disk. Otherwise folks will boot an endpoint,
mount the filesystem and copy off to external.

----- Original Message -----
From: Bill Wittmer
To: forensics (at) securityfocus (dot) com
Sent: Wed, 16 Aug 2006 20:23:56 -0400
Subject: Use of USB devices


Mounting LVM image for analysis 2006-08-21
Randy Zagar (jrzagar cactus org)
Use the iSCSI Enterprise Target software to serve your disk image as a
virtual disk.

There's a good HOWTO here:

and here:

Fuzzy Hashing 2006-08-21
Jesse Kornblum (research jessekornblum com)
Hi everybody,

I'm pleased to announce that I have published both a paper and an
implementation for our fuzzy hashing. You may have heard me talk
about this on the Cyberspeak podcast[1], and now it's out!

The program, ssdeep, works like md5deep to create a short text
signature for each input

RE: Mounting LVM image for analysis 2006-08-21
Nehls, Patrick (pnehls ucsd edu) (1 replies)
If you've already got the partitions dd'd out, this is what I normally
do using loop devices:

How to import LVM after first dd:
losetup -f (find a free loop device)
losetup -d (if needed to unmount other loop devices)
losetup /dev/loop0 /path/to/lvm.img (map loop device to image)
pvscan (scan for n

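The loop-device procedure that kush and Patrick Nehls describe in this thread, written out as one complete script. This is an added example, not code from any post on the page. It assumes a raw dd-style image of an LVM physical volume (either a partition image, or a whole-disk image plus the partition's start sector as printed by mmls), util-linux losetup and the LVM2 tools on the analysis host, and root; the image path, volume group and logical volume names, and mount point used in the usage are hypothetical. It goes beyond the posts in three ways an examiner would want: the loop device is attached read-only (-r) so the evidence cannot be altered, the script refuses to activate a volume group whose name already exists on the host (default names such as vg00 and VolGroup00 collide easily), and the file system is mounted with noload so an ext3/ext4 journal is not replayed into the image.

```shell
#!/bin/sh
# Added example, not code from the thread: mount a logical volume from a raw LVM
# image for read-only analysis. Assumes util-linux losetup, the LVM2 tools and
# root on the analysis host. Set DRY_RUN=1 to print the commands instead of
# running them.

# Convert a partition start sector (as printed by mmls) to a byte offset.
# Usage: sector_offset <start-sector> [sector-size, default 512]
sector_offset() {
    echo $(( $1 * ${2:-512} ))
}

# Execute a command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Usage: mount_lvm_image <image> <volume-group> <logical-volume> <mountpoint> [byte-offset]
mount_lvm_image() {
    img=$1
    vg=$2
    lv=$3
    mnt=$4
    off=${5:-0}

    # Refuse to proceed if the host already has a VG with this name. Default names
    # such as vg00 or VolGroup00 collide easily, and activating the wrong one means
    # analysing the examiner's own disk. Checked before losetup because some
    # distributions auto-scan new block devices via udev as soon as they appear.
    if [ "${DRY_RUN:-0}" != "1" ] && vgs --noheadings -o vg_name 2>/dev/null | grep -qx " *$vg *"; then
        echo "volume group '$vg' already exists on this host; rename it or use another host" >&2
        return 1
    fi

    # Record the image hash so any change can be detected after the examination.
    run sha256sum "$img"

    # Attach the image read-only (-r) at the PV's byte offset (-o); -f picks a free
    # loop device and --show prints its name.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        loop=/dev/loopN
        echo "losetup -r -f --show -o $off $img"
    else
        loop=$(losetup -r -f --show -o "$off" "$img") || return 1
    fi
    echo "attached $img on $loop" >&2

    # Let LVM discover the PV on the loop device, then activate the volume group.
    run pvscan
    run vgchange -ay "$vg"

    # ro: never write to the evidence; noload: do not replay the ext3/ext4 journal,
    # which would change what the examiner sees; noexec,nodev,nosuid: nothing from
    # a possibly rootkitted image gets to run on the analysis host.
    run mount -o ro,noload,noexec,nodev,nosuid "/dev/$vg/$lv" "$mnt"
}

# Tear down in reverse order.
# Usage: unmount_lvm_image <volume-group> <mountpoint> <loop-device>
unmount_lvm_image() {
    run umount "$2"
    run vgchange -an "$1"
    run losetup -d "$3"
}

if [ $# -ge 4 ]; then
    mount_lvm_image "$@"
fi
```

Run it once with DRY_RUN=1 to review the command sequence before touching the evidence. For a partition image the offset is 0; for a whole-disk image pass the partition's start sector through sector_offset, e.g. `mount_lvm_image disk.img vg00 lv00 /mnt/evidence $(sector_offset 208845)`. Re-run sha256sum on the image after the examination and compare it with the value recorded at mount time.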
Re: Mounting LVM image for analysis 2006-08-21
Nathaniel Hall (nathaniel d hall gmail com)
Announcement: 2007 Conference on Digital Forensics, Security and Law 2006-08-17
Glenn Dardick (gdardick dardick net)
* * CALL FOR PAPERS AND PROPOSALS * *
Dear colleagues:

The ADFSL 2007 Conference on Digital Forensics, Security and Law will be
held in Arlington, Virginia USA on April 18-20, 2007 and is calling for

Use of USB devices 2006-08-17
Bill Wittmer (wr wittmer1 verizon net)
Over the months, I have seen concerns raised about the use of USB devices in
the workplace. Of concern is whether restricted data has been removed from
the site. Once data has been removed, it is an arduous task to determine if
a USB device was used and if any data was removed. For the system

Mounting LVM image for analysis 2006-08-17
Nathaniel Hall (nathaniel d hall gmail com)
Maybe I haven't looked deep enough, but I figure the experts would know
best. I believe a system of mine may have been compromised with a
rootkit. I have already taken an image of the system and split out the
partitions using the output from mmls and dcfldd. One of my partitions
is an LVM partiti

Re: obtaining an image from a damaged SD chip 2006-07-28
terrorpost hotmail com
I know the solution; we have it daily here at our company. It is the FAT compatibility that hangs it. Try hundreds of card readers; the best work with PocketPC devices.

Do not try to undelete or "recover" it with some tool. Just try the strangest devices, like MP3 players, cameras, etc., to read the car

Tradeoffs in usage 2006-07-26
shyaam gmail com
Dear Group,

I just wanted to know more about the tradeoffs between turning the power off and booting the system back up for forensic analysis, or doing the analysis without turning it off. I was thinking about memory-based tracks. I mean Metasploit is releasing new payloads like MAFIA, some of whose modules re

Re: RE: IE temporary files of wbk###.tmp 2006-07-07
kernow2001 yahoo com
wbk tmp files are used by Outlook Express and other news readers for decoding yEnc files, possibly uudecode. The full file is copied into the Temporary Internet Files folder for some reason, but the full decoded file is kept for some time using a 200 MB overflow which is replaced with the newer decoded files.

Copyright 2010, SecurityFocus