Forensics Mode:
(Page 13 of 84)
FW: Reading Active Directory Database 2006-07-07
Greg Kelley (gkelley vestigeltd com)
I see clear text strings that appear to be computer names in the
NTDS.dit file. However, the Encase v5 script, which pulls out computer
accounts and user accounts, does not display these computer names.

Either these computer names are tombstoned accounts, computer accounts
that Encase doesn't reco

Hardware needed for a complete drive acquisition tool kit and techniques for RAID acquisition 2006-07-10
Robertson, Seth (JSC-IM) (Seth Robertson-1 nasa gov)
I'm considering upgrading a drive acquisition toolkit and I'm torn
between write-blockers and PCMCIA cards given one unique requirement:
software write-blocking (booting into Linux and mounting the drive
read-only) is sufficient to guarantee the drive has not been tampered
with for this level of res

RE: Reading Active Directory Database 2006-07-07
Robertson, Seth (JSC-IM) (Seth Robertson-1 nasa gov)
See LDIFDE. You can script a daily dump of AD using it and diff it
against yesterday's to see what changes were made.

Seth Robertson

-----Original Message-----
From: Greg Kelley [mailto:gkelley (at) vestigeltd (dot) com]
Sent: Wednesday, July 05, 2006 12:21 PM

Nigilant32 - Free Windows Incident Response Tool based on Sleuthkit - Final Article Released 2006-07-07
mshannon agilerm net
To all-

Agile Risk Management is committed to advancing information security concepts, technology, and techniques. As such, we have recently released Nigilant32, a freeware Windows GUI Incident Response tool based on the source code provided by Sleuthkit.

Nigilant32 is an incident response to

DFRWS 2006 Challenge Reminder 2006-07-10
Brian Carrier (carrier digital-evidence org)
A friendly reminder that DFRWS 2006 File Carving Challenge
submissions are due on July 17. We have already received several
exciting submissions with new tools and techniques. We have
allocated time during the DFRWS 2006 program for the results to be
presented and the winner will be ident

obtaining an image from a damaged SD chip 2006-07-08
Robert Wright (dc0 hackthisohio com)
Good evening,

So I brought this SD card into my lab, and received a series of error
messages. To confirm that my write blocker was not damaged, I used a known
good SD card from my own personal digital camera. Works like a champ, and
was able to obtain a 128mb DD image.

So currently windows and lin

Reading Active Directory Database 2006-07-05
Greg Kelley (gkelley vestigeltd com) (2 replies)
Has anyone found an application that allows one to read the entire
Active Directory file (NTDS.dit) from a Windows 2000 (or 2003) server?
I know that Encase has a script to perform this function, but I believe
it is missing information in the case I am working on.

Greg Kelley, EnCE
Vestige Digital

RE: Reading Active Directory Database 2006-07-07
David Smith (nich95ds gmail com)
RE: Reading Active Directory Database 2006-07-07
eric ch13-12westtex org
Re: Determine if data has been stolen from a stolen hdd. 2006-07-04
securityfocus 438947 p king port5 com

' not quite sure what you mean - esp. "steal" (ie remove or view) but since it would normally be possible to identify that at least something is missing I guess you mean 'viewed'.

If I were doing this I would image the disk/partition and recreate the relevant data locally - to which you wo

Re: Tracing Excel Worksheets beyond metadata 2006-07-04
keydet89 yahoo com
It may be that what you're looking for simply is not available.

Re: Determine if data has been stolen from a stolen hdd. 2006-07-03
visitbipin hotmail com (1 replies)
>Hi Vipin,

>Well what you should check is the last access times of files using

>Antiforensics techniques and use a tool like timestomp.exe ( to change the access times of the files.

>So, make sure you look for traces of such

Re: Determine if data has been stolen from a stolen hdd. 2006-07-10
David Pick (d m pick qmul ac uk)
Determine if data has been stolen from a stolen hdd. 2006-07-03
visitbipin hotmail com (3 replies)
hello list,

I have a question that's more of a curiosity that came from the recent case Ref [1]

Suppose a hard disk gets stolen & is recovered after a certain time. The normal forensics reveal no hints of any foreign body attempting to copy the data from the hdd. (PHYSICALLY)

But f

Re: Determine if data has been stolen from a stolen hdd. 2006-07-04
Jim Halfpenny (jim openanswers co uk)
RE: Determine if data has been stolen from a stolen hdd. 2006-07-04
Brewis, Mark (mark brewis eds com) (1 replies)
RE: Determine if data has been stolen from a stolen hdd. 2006-07-07
Sun, David (dsun SunBlockSystems com)
RE: Determine if data has been stolen from a stolen hdd. 2006-07-03
David Smith (nich95ds gmail com)
Tracing Excel Worksheets beyond metadata 2006-07-03
inspector tester pik

We have an Excel XP version workbook with three worksheets and we have to trace which worksheet came from which user.

The Metadata shows which user last opened the file and saved the file, but not specifically which sheet.

We've tried to replicate the environment by creating a virtu

Re: PECompact2 2006-07-03
Stefan Kelm (stefan kelm secorvo de)

> > Now I would like to unpack the executable to carry on with the
> > analysis. From what I could understand this would only be possible
> > by running it in a test win32 system, probably using a disassembly
> > tool, since it only "unpacks" itself when being executed. Is that
> > correct? W

Re: PECompact2 2006-06-29
losos1 rambler ru
if you cannot unpack manually try unpecompact

PECompact2 2006-06-23
als hush com (1 replies)


I recently came across a suspicious binary (.SCR) file in a
compromised system. As I started to analyse it by running a
'strings' against it I noticed there was very little readable text
in it, but the first line caught my attention: PECompact2.

I did some research and it seems this

Re: PECompact2 2006-06-30
Andrei Saygo (asaygo as ro) (1 replies)
Re: PECompact2 2006-07-06
RaMatkal (RaMatkal hotmail com)
Network Forensics Methodology 2006-06-16
obichbiche googlemail com
I read an article in insecure Magazine titled "Structured Traffic Analysis" written by Richard Bejtlich ( and I'm wondering if there is a recognised or official methodology for Network Forensic Analysis. The procedure described by the author of the

Using Solo III for USB drive acquisition 2006-06-16
naavi vsnl com

Dear Michael,

I suggest you should try this procedure to use Solo III on USB drives.

1. Use the FW/USB Option of the Solo 3, connecting the unit to a notebook through either the FW or USB ports. Connect the target drive to the Solo 3.

2. Connect the external hard drive (USB or FW) to the

Copyright 2010, SecurityFocus