Forensics Mode:
(Page 15 of 84)  < Prev  10 11 12 13 14 15 16 17 18 19 20  Next >
cmd.exe hack 2006-05-11
James Zaros (hawespipe hotmail com)
This question relates to the post immediately below. When the cmd.exe task
is running it shows to be running as the administrator in the task manager.
Is that incorrect? Is it actually running as SYSTEM?

--------------------------------------------------------------------------------
From: Wim

[ more ]  [ reply ]
Re: Tracking moved files? 2006-05-11
Butterworth, Jim (jim butterworth guidancesoftware com)
LNK file analysis will do the trick, but you need to use a forensic method to extract and analyze them. There are embedded dates within these LNK files that you can use, also looking through the registry under the USBSTOR for thumb drives, matching to drive letters might provide some clues.

Jim

[ more ]  [ reply ]
Recovering files from RAID 0 set 2006-05-11
pentesticle yahoo com
I have a situation where one of the people working an investigation attempted to turn on a computer and a static shock arced through the on-off switch. The PC would not recognize any of the RAID drives inside. I pulled the CMOS battery and unplugged, then the BIOS found the drives but I'm guessing

[ more ]  [ reply ]
DFRWS File Carving Challenge 2006-05-10
Brian Carrier (carrier digital-evidence org)
Based on the success of the Digital Forensic Research Workshop (DFRWS)
2005 memory analysis challenge, a new challenge is being posted for
DFRWS 2006. This year, the focus is on file carving techniques.

The challenge data set contains JPEG, ZIP, Office, HTML, and text files
and fragments. The g

[ more ]  [ reply ]
Problem with path variables in a cmd shell, Windows IR script 2006-05-09
l1st3r gmx net
Hi

I am trying to create a windows first response IR script for Windows 2000
Pro using binaries that do not touch the file system, but am having problems
making the environment variables stick.

In order to do this, I use filemon to note which DLLs are used by the
programs, copy these off the orig

[ more ]  [ reply ]
RE: Tracking moved files? 2006-05-08
Ricardo Landrau (rlandrau tig ogp gobierno pr)
How about checking the antivirus log? If it is done right the real time
check will tell you it scanned the thumbdrive and all the files there...
Plus many also check when copying/moving

------------------------------------
Ricardo Luis Landrau Millan
OGP Coordinador de Tecnologias de Informacion

[ more ]  [ reply ]
RE: Tracking moved files? 2006-05-08
Wim Remes (Wim_Remes msp be)
you can gain SYSTEM privileges by scheduling cmd.exe as administrator. When the app starts it runs under SYSTEM. This was shown to me by MS support when
I had some GPO stuff where one of my admins took too many rights away. When
running cmd.exe scheduled, from there you can start mmc or any other

[ more ]  [ reply ]
RE: Tracking moved files? 2006-05-08
Greg Kelley (gkelley vestigeltd com) (1 replies)
I don't think you will find any log file. The only time you would find
a log file for something like this is if the person moved the file with
a backup application or if it was a CD and they made a burn of files.

Try to look for LNK files, IE history (file:/// links) and MRUs in the
registry to se

[ more ]  [ reply ]
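The LNK analysis that Jim Butterworth and Greg Kelley both point to, as an added example rather than code from either poster: a parser for the forensic fields of a Windows shortcut file following the public MS-SHLLINK layout (76-byte ShellLinkHeader with the target's three FILETIMEs, then the optional LinkInfo block carrying drive type, volume serial, volume label and local base path). The sample shortcut is constructed inside the script so it runs offline; the label "KINGSTON", the serial 1A2B-3C4D and the path E:\payroll\q1_salaries.xls are made up. Two caveats a practitioner should keep in mind: the embedded timestamps describe the target file as it was when Windows last wrote the shortcut, while the .lnk file's own filesystem MAC times record when the user first and last opened that target; and the volume serial in the shortcut is the filesystem's serial, not the USB device serial found under USBSTOR, so correlating the two goes through the drive letter (MountedDevices), not by comparing the numbers directly. The parser reads only the single-byte LocalBasePath; shortcuts that carry the Unicode variant (LinkInfoHeaderSize >= 0x24) still parse but report the ANSI copy.

```python
"""Parse the forensic fields of a Windows shortcut (.lnk) file.

Added example; not from the original thread. Layout follows the public
MS-SHLLINK specification: 76-byte ShellLinkHeader with three FILETIMEs of the
target, then optional LinkTargetIDList (skipped) and LinkInfo (volume type,
serial, label, local base path). The sample shortcuts at the bottom are
CONSTRUCTED so the script runs offline; label, serial and path are made up.
"""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_FMT = "<I16sIIQQQIIIHHII"          # 76 bytes, little-endian


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def _cstr(data, start):
    """NUL-terminated single-byte string starting at offset."""
    return data[start:data.index(b"\x00", start)].decode("latin-1")


def parse_lnk(data):
    (hdr_size, clsid, flags, _attrs, ctime, atime, wtime, size,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {"target_created": filetime_to_dt(ctime),
            "target_accessed": filetime_to_dt(atime),
            "target_modified": filetime_to_dt(wtime),
            "target_size": size, "drive_type": None, "volume_serial": None,
            "volume_label": None, "local_base_path": None}
    off = hdr_size
    if flags & HAS_LINK_TARGET_IDLIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]      # skip IDList
    if flags & HAS_LINK_INFO:
        (_li_size, _li_hdr, li_flags, vol_off, base_off,
         _cnrl_off, _suffix_off) = struct.unpack_from("<7I", data, off)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = off + vol_off                                # VolumeID block
            _vsize, dtype, serial, label_off = struct.unpack_from("<4I", data, vol)
            info["drive_type"] = DRIVE_TYPES.get(dtype, str(dtype))
            info["volume_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
            info["volume_label"] = _cstr(data, vol + label_off)
            info["local_base_path"] = _cstr(data, off + base_off)
    return info


def removable_targets(blobs):
    """Keep only shortcuts whose target lived on removable media."""
    return [p for p in (parse_lnk(b) for b in blobs) if p["drive_type"] == "REMOVABLE"]


def build_sample_lnk(created, modified, path, label, serial, drive_type=2):
    """CONSTRUCTED fixture: minimal .lnk with header + LinkInfo only."""
    label_b = label.encode("latin-1") + b"\x00"
    vol_id = struct.pack("<4I", 16 + len(label_b), drive_type, serial, 16) + label_b
    base = path.encode("latin-1") + b"\x00"
    vol_off = 0x1C                                   # right after LinkInfo header
    base_off = vol_off + len(vol_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + vol_id + base + b"\x00"
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         dt_to_filetime(created), dt_to_filetime(modified),
                         dt_to_filetime(modified), 48640, 0, 1, 0, 0, 0, 0)
    return header + link_info


SAMPLE_CREATED = datetime(2006, 5, 3, 14, 22, 10, tzinfo=timezone.utc)
SAMPLE_REMOVABLE_LNK = build_sample_lnk(SAMPLE_CREATED, SAMPLE_CREATED,
                                        r"E:\payroll\q1_salaries.xls", "KINGSTON", 0x1A2B3C4D)
SAMPLE_FIXED_LNK = build_sample_lnk(SAMPLE_CREATED, SAMPLE_CREATED,
                                    r"C:\Documents\notes.txt", "OS", 0x5E3F1D2C, drive_type=3)

if __name__ == "__main__":
    for hit in removable_targets([SAMPLE_REMOVABLE_LNK, SAMPLE_FIXED_LNK]):
        for k, v in hit.items():
            print(f"{k:17} {v}")
```

On a real case, feed the script every .lnk under the user's Recent folder (and Office MRU / Desktop shortcuts) and keep the ones `removable_targets` flags; the shortcut's own creation time is then the earliest evidence that the user touched that path on the stick.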
Re: Tracking moved files? 2006-05-08
Tom Marchand (M0rchand comcast net)
Re: Tracking moved files? 2006-05-07
MikeMackrill BC com (1 replies)
Did you check the recent items to look for a reference to the file on the thumb drive?

All I could think of on a Sunday morning.

Mike Mackrill

-----Original Message-----
From: Serge Jorgensen <filbanks (at) gmail (dot) com [email concealed]>
To: forensics (at) securityfocus (dot) com [email concealed] <forensics (at) securityfocus (dot) com [email concealed]>
Sent: Thu May

[ more ]  [ reply ]
RE: Tracking moved files? 2006-05-08
Admin.mmm (admin mmm iinet net au)
Tracking moved files? 2006-05-04
Serge Jorgensen (filbanks gmail com) (1 replies)
Hello!

I'm try to show that files were copied and/or moved off a W2K drive
onto a USB stick. Obviously the registry and setupapi files show the
USB installation info - but I can't find the log file (or other
method?) that Windows must use to track files being moved and copied.

I don't have the USB

[ more ]  [ reply ]
Re: Tracking moved files? 2006-05-09
Bart Somers (zon4jou gmail com)
e-crime and computer evidence 2006 CFP reminder & extension 2006-05-02
Angus Marshall (angus n-gate net)
Several potential authors/speakers for the ECCE 2006 conference have requested
an extension to the deadline for submission of abstracts. As a result, to be
fair to all possible contributors, the conference committee has decided to
extend the deadline to 22nd May 2006.

Details of the call are giv

[ more ]  [ reply ]
Offline NTFS Journal Parser 2006-04-27
m0rchand comcast net (Tom Marchand)
Has anybody seen a tool that will allow examination of an offline copy of an NTFS journal log ($LogFile)?

[ more ]  [ reply ]
Re: MBR deleted 2006-04-27
bsmathers reypd com
I believe you can only restore the MBR if you used the Active@ Partition Recovery software to back it up.

You should be able to repair or re-create the MBR by using the fdisk /mbr command if the OS you are using is either Win95, 98, or ME. For NT, 2000, or XP, you can boot from startup disks or

[ more ]  [ reply ]
Forensics image of SGI host 2006-04-26
Cindy Jenkins (cj u washington edu) (1 replies)
Hi all,

I need to create a forensics image from an older SGI host on a MIPS
architecture and using IRIX/XFS journaling filesystem.

I'm fairly certain I cannot boot up with any of the Linux cds like
Helix or FCCU. Those would normally be my first choice to get access
using dcfldd.

Any ideas o

[ more ]  [ reply ]
Re: Forensics image of SGI host 2006-05-04
Paul Robertson (compuwar gmail com)
DD mount on loop dev of SGI xfs image 2006-04-29
cj u washington edu (2 replies)
I have an odd problem with forensics on an SGI host. I've got a dd image of its two hard drives. The host OS is SGI IRIX 6.4, and the format is xfs. The fstab does not show any separate journaling partition or location, so I am assuming the journaling is on the partitions with the data.

My probl

[ more ]  [ reply ]
Re: DD mount on loop dev of SGI xfs image 2006-05-09
ilaiy (ilaiy e gmail com)
Re: DD mount on loop dev of SGI xfs image 2006-05-03
subscribe (subscribe crazytrain com)
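The loop-mount problem behind this thread, as an added example that is not from any poster: an SGI system disk carries a 512-byte "dvh" volume header rather than an MBR, so the partition offsets that `losetup`/`mount -o offset=` need have to be read from that big-endian label (magic 0x0BE5A941, sixteen 12-byte slots of num_blocks/first_block/type at offset 312, a checksum word at 504 that makes all 128 words sum to zero). The script parses a constructed label, validates the checksum, and prints the attach-and-mount commands; the image path, mount points and partition numbers are placeholders. The security-relevant detail is in the mount options: `ro` alone does not stop XFS from replaying its journal at mount time, which writes to the evidence, so the loop devices are attached with `losetup -r` and mounted with `norecovery`; and if the label shows an `xfslog` slot (an external log, which the fstab alone may not reveal), that partition must be attached as well and passed as `logdev=`. Whether a 1997-era IRIX 6.4 filesystem mounts at all under a given Linux XFS driver is not something this page establishes.

```python
"""Compute loop-mount offsets for an SGI-labelled dd image.

Added example, not from the original thread. The 512-byte SGI disk volume
header is big-endian: magic at offset 0, sixteen 12-byte partition slots
(num_blocks, first_block, type) at offset 312, and a 32-bit checksum at 504
chosen so that all 128 words sum to zero mod 2**32. The label at the bottom
is CONSTRUCTED so the script runs offline; sizes and paths are made up.
"""
import struct

SGI_MAGIC = 0x0BE5A941
SECTOR = 512
PART_TABLE_OFF = 312
CSUM_OFF = 504
SGI_PTYPES = {0: "volhdr", 3: "raw", 6: "volume", 7: "efs", 10: "xfs", 11: "xfslog"}


def parse_sgi_label(label, sector=SECTOR):
    """Return the non-empty partition slots with byte offsets and sizes."""
    if len(label) < 512:
        raise ValueError("label shorter than one sector")
    if struct.unpack_from(">I", label, 0)[0] != SGI_MAGIC:
        raise ValueError("not an SGI disk label")
    if sum(struct.unpack(">128I", label[:512])) & 0xFFFFFFFF:
        raise ValueError("SGI label checksum mismatch (corrupt or tampered label)")
    parts = []
    for slot in range(16):
        num_blocks, first_block, ptype = struct.unpack_from(
            ">III", label, PART_TABLE_OFF + 12 * slot)
        if num_blocks == 0:
            continue
        parts.append({"slot": slot,
                      "type": SGI_PTYPES.get(ptype, f"type{ptype}"),
                      "offset": first_block * sector,
                      "size": num_blocks * sector})
    return parts


def mount_plan(parts, image, mount_root="/mnt/evidence"):
    """Shell commands to attach each XFS partition read-only without log replay.

    An external log (slot type xfslog) is attached first and passed as logdev=;
    norecovery keeps the kernel from replaying, and therefore writing, the log.
    """
    cmds, loop, log_dev = [], 0, None
    log = next((p for p in parts if p["type"] == "xfslog"), None)
    if log:
        log_dev = f"/dev/loop{loop}"
        cmds.append(f"losetup -r -o {log['offset']} --sizelimit {log['size']} {log_dev} {image}")
        loop += 1
    for p in parts:
        if p["type"] != "xfs":
            continue
        dev = f"/dev/loop{loop}"
        loop += 1
        opts = "ro,norecovery" + (f",logdev={log_dev}" if log_dev else "")
        cmds.append(f"losetup -r -o {p['offset']} --sizelimit {p['size']} {dev} {image}")
        cmds.append(f"mount -t xfs -o {opts} {dev} {mount_root}/p{p['slot']}")
    return cmds


def build_sample_label(partitions):
    """CONSTRUCTED fixture: (slot, type, first_block, num_blocks) -> 512-byte label."""
    buf = bytearray(512)
    struct.pack_into(">IHH16s", buf, 0, SGI_MAGIC, 0, 1, b"/unix")   # magic, root, swap, bootfile
    for slot, ptype, first, num in partitions:
        struct.pack_into(">III", buf, PART_TABLE_OFF + 12 * slot, num, first, ptype)
    total = sum(struct.unpack(">128I", bytes(buf)))
    struct.pack_into(">I", buf, CSUM_OFF, (-total) & 0xFFFFFFFF)     # make words sum to 0
    return bytes(buf)


# Modelled on a typical IRIX system disk: volhdr in slot 8, whole disk in slot 10,
# root XFS in slot 0 and an external XFS log in slot 1 (made-up block counts).
SAMPLE_LABEL = build_sample_label([
    (8, 0, 0, 4096),
    (10, 6, 0, 17_774_160),
    (1, 11, 4096, 16_384),
    (0, 10, 20_480, 17_753_680),
])

if __name__ == "__main__":
    parts = parse_sgi_label(SAMPLE_LABEL)
    for p in parts:
        print(f"slot {p['slot']:2} {p['type']:7} offset={p['offset']:>12} size={p['size']:>12}")
    print("\n".join(mount_plan(parts, "/cases/sgi/disk0.dd")))
```

To use it on a real image, read the first 512 bytes of the dd file into `parse_sgi_label`; a checksum failure is worth noting in the case log before going on to carve the XFS superblock by hand.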
FW: Analysing a Windows registry from Linux or another Windows system 2006-04-26
Scott Gossard (Scott Gossard wal-mart com)


I've used WRA before and it seems decent. Haven't used it on a Win98 system though.

http://www.mitec.cz/wra.htm

> -----Original Message-----
> From: Rikard Johnels [mailto:rikard.j (at) rikjoh (dot) com [email concealed]]
> Sent: Tuesday, April 11, 2006 2:00 PM
> To: forensics (at) securityfocus (dot) com [email concealed]
> Subject: Analysi

[ more ]  [ reply ]
Re: MBR deleted 2006-04-26
Bill Wittmer (wr wittmer1 verizon net)

"Bill Wittmer" <wr.wittmer1 (at) verizon (dot) net [email concealed]> wrote in message news:...
> Try Partition Table Doctor. I found this to be an excellent product for
> MBR recovery.
> http://www.ptdd.com/index.htm
>
> Regards,
> Bill
>
>
> <jgmarec (at) gmail (dot) com [email concealed]> wrote in message
> news:20060417092138.24794.qmail@securityfoc

[ more ]  [ reply ]
RE: MBR deleted 2006-04-21
Shenk, Jerry A (jshenk decommunications com)
First things first - I would image that drive before doing ANYTHING
else...might even image it twice. My guess is that you still have all
your information on the drive but if you do the wrong things, you can
make that increasingly difficult to recover.

My personal preference for imaging a dri

[ more ]  [ reply ]
RE: MBR deleted 2006-04-21
Paul Giddens (PaulG graycon com)
Dude!
Way to go is with Hiren boot cd ... Tons of tools on there for data and
partition recovery. Hope this helps!

http://homepage.ntlworld.com/hiren.thanki/bootcd.html

Cheers!
__________________________________________
paul g
mcse,ccna,ccsp,vcp,cca,rsacse,security+,A+
Graycon Group
Suite 19, 319

[ more ]  [ reply ]
RE: Analysing a Windows registry from Linux or another Windows system 2006-04-21
Mike (mike superiorholidayadventures ca)
I've used RegView in the past to peek into the registry. It's essentially a DOS based Regedit.

http://www.regview.com/regview/

Mike Fetherston

> -----Original Message-----
> From: Rikard Johnels [mailto:rikard.j (at) rikjoh (dot) com [email concealed]]
> Sent: Tuesday, April 11, 2006 2:00 PM
> To: forensics (at) securityfocus (dot) co [email concealed]

[ more ]  [ reply ]
IMF 2006 - IT-Incident Management & IT-Forensics 2006 2006-04-19
Hardo Hase (ml hase-bexbach de)
---------------------------------------------------------------------------
Dear all,

for your information:

The deadline to submit papers for the IMF Conference 2006 has been
extended to 2006-05-01.

Please excuse possible cross-postings.

---------------------------------------------------------

[ more ]  [ reply ]
Copyright 2010, SecurityFocus