Forensics Mode:
(Page 21 of 84)  < Prev  16 17 18 19 20 21 22 23 24 25 26  Next >
answer to questions about the Advanced Forensics Format 2005-09-20
Simson Garfinkel (simsong mac com)
A number of people asked questions about the AFF. I have summarized
the questions and my responses below.

Q: Why a new file format? What's wrong with block-by-block?
A: Raw image files take up a lot of space. In many cases this space
can be dramatically reduced by using compression.

[ more ]  [ reply ]
Announcing: Advanced Forensics Format 1.0 2005-09-19
Simson Garfinkel (simsong eecs harvard edu) (1 replies)
I have developed a new file format for storing disk images and other
forensic information. It's called the Advanced Forensic Format. Key
features of the format include:

* Open format, free from any patent or license restriction.
Can be used with both open-source and proprietary forensic tool

[ more ]  [ reply ]
Re: Announcing: Advanced Forensics Format 1.0 2005-09-19
Thorbjørn Ellefsen (thorbjorn protectit as)
Two Windows questions 2005-09-15
keydet89 yahoo com (1 replies)

I've got a couple of questions, primarily for clarification. After researching these both for a while, I'd like to try to get some more definitive information...

First...the UserAssist\{GUID}\Count keys:

Does anyone have any specific inf

[ more ]  [ reply ]
Re: Two Windows questions 2005-09-19
Francisco Pecorella (fpecor cantv net)
Linux HPA status 2005-09-14
Greg Freemyer (greg freemyer gmail com)

There have been discussions on this list before about how Linux treats HPAs.

There was a recent (long) thread on LKML about changing the behavior.

Nothing was resolved, but it looks like a boot option to allow access
to the normal disk space a

[ more ]  [ reply ]
video file forensics 2005-09-14
Burak DAYIOGLU (dayioglu metu edu tr) (3 replies)
Hi all,
For one particular case at hand I need help on video file forensics. I
have a short video file in .3gp format (actually 3GPP Profile 5 file,
with QuickTime/MOV file format and s263 as the fourcc).

My goal is authorship analysis. I am interested in finding out the
actual mobile device tha

[ more ]  [ reply ]
Re: video file forensics 2005-09-15
Jeremy Pullicino (pullicino gmail com)
Re: video file forensics 2005-09-14
okrehel loews com
Re: video file forensics 2005-09-14
Lance James (lancej securescience net)
Correction: DI 2004 Articles of the year 2005-09-13
Eoghan Casey (eco digital-evidence net)
The URL where the free articles can be downloaded is

The following articles in the Journal of Digital Investigation were voted best
of the Year for 2004 by our peer reviewers.

Academic paper winner: "A hardware-based memory acquisition procedure for
digital inv

[ more ]  [ reply ]
Digital Investigation 2004: Articles of the year 2005-09-13
Eoghan Casey (eco digital-evidence net)
The Journal of Digital Investigation is pleased to announce that the following
papers were voted best of 2004 by our peer reviewers.

Academic paper winner: "A hardware-based memory acquisition procedure for
digital investigations" by Brian D. Carrier and Joe Grand

Non-academic article: "What evide

[ more ]  [ reply ]
RE: New (ISC)2 Forensics Course 2005-09-12
dave kleiman (dave isecureu com)
Updated info:

Due to the many responses and requests, I apologize for not including the
registration contact:

Registration contact:
Kim Jones

We have had many International requests, International information:

(ISC)2 plans on bringing this course worldwide.
You should begin s

[ more ]  [ reply ]
Re: New (ISC)2 Forensics Course 2005-09-12
Bob Beringer (bob beringer usa net)

Thanks for the update, what is the best way to register for this class?


------ Original Message ------
Received: Mon, 12 Sep 2005 06:54:30 AM EDT
From: "dave kleiman" <dave (at) isecureu (dot) com [email concealed]>
To: <forensics (at) securityfocus (dot) com [email concealed]>
Subject: New (ISC)2 Forensics Course

I know this is short

[ more ]  [ reply ]
Search Registry files offline 2005-09-12
Harlan Carvey (keydet89 yahoo com)

I've released a Perl script that performs parsing of
raw Registry
files. The script doesn't use any MS API
opens the file in
binary mode, and parses through the Registry a byte
(well, actually...two to
four bytes, depending on where you are in the code) at
a time.

The code has

[ more ]  [ reply ]
DFRWS Memory Challenge Winners 2005-09-09
eco digital-evidence net
I am pleased to announce the joint winners of the DFRWS2004 Forensic Memory

Analysis Challenge:

Chris Betz: Developed memparser to reconstruct process list and extract

information from process memory.

George M. Garner Jr. & Robert-Jan Mora: Developed kntlist to interpret structures

in mem

[ more ]  [ reply ]
Re: [lists] Re: RE: Windows last shutdown 2005-09-08
Kurt Buff (kurt buff gmail com)
Curt Purdy wrote:
> no (at) themoment (dot) than [email concealed]x wrote:
>>If it's NT/XP/2k then, yeah just look at the last file
>>accessed times/dates.
> A more reliable resource for NT/XP/2K is to look for "Event log service was
> stopped".
> Information Se

[ more ]  [ reply ]
Re: RE: Windows last shutdown 2005-09-07
no themoment thanx (1 replies)
If it's a 95,98,me pc look at....
It's a log file showing what time and date the scheduler service was started and stopped. Also worth noting this file as the log is sequential, so if the time/date has been rolled back on the PC, the dates will be out of sequence.

If it's N

[ more ]  [ reply ]
RE: [lists] Re: RE: Windows last shutdown 2005-09-07
Curt Purdy (purdy tecman com)
Tool Announcement: AIRT -- the Advanced Incident Response Tool 0.4.2 released 2005-08-25
madsys (admin ercist iscas ac cn)
hey all,

I'm proud to announce that the AIRT 0.4.2 is now available:

AIRT (Advanced incident response tool) is a set of incident response assistant tools on linux platform. It's useful when you want to know what evil kernel backdoor is resi

[ more ]  [ reply ]
Specifics regarding a post-mortem investigation 2005-08-26
keydet89 yahoo com
Over on the Incidents list in the thread regarding cuebot infections, a respondant made the following statement:

"One other possibility is that the attacker went straight through the
firewall using an atypical packet....... unlikely, but should be placed
on an all-inclusive roster of post-mortem in

[ more ]  [ reply ]
Presentations from the 2005 InfraGard National Conference 2005-08-24
dave kleiman (dave isecureu com) (1 replies)

Several presentations from the 2005 InfraGard National Conference have been
made available on the public website. The National Conference was be held in
Washington, DC from August 9 - 11, 2005. Please visit to
view these files.

Topics include: First Responders, Regula

[ more ]  [ reply ]
New (ISC)2 Forensics Course 2005-09-10
dave kleiman (dave isecureu com)
Re: Forensic tool update 2005-08-24
Bob the Builder (builder173 hotmail com)
Other that than the server component does this do anything that the Windows
Forensic Toolchest doesn't ( We
already use this and find effective in the majority of situations.



-----Original Message-----
From: keydet89 (at) yahoo (dot) com [email concealed]
To: forensics@se

[ more ]  [ reply ]
Re: Looking for a Linux-based *.evt log viewer 2005-08-16
Harlan Carvey (keydet89 yahoo com)

I don't have a specific, Linux-only utility to view
.evt files, but I will share with you what I do

Recently, I was asked to assist with an issue in which
neither PyFlag nor any tools using the MS API (ie,
Event Viewer, psloglist, etc.) were capable of parsing
a .evt file. Viewing

[ more ]  [ reply ]
Re: Reconstructing a Raid 0 2005-08-16
Jyri Hovila (jyri hovila iki fi)

Runtime software's RAID Reconstructor is a great tool for
reconstructing crashed RAID 0 and RAID 5 systems. It has a unique
feature enabling it to guess the original RAID parameters (disc order
and stripe size) by measuring entropy of different parameter
combinations. After finding t

[ more ]  [ reply ]
Re: Reconstructing a Raid 0 2005-08-15
Valdis Kletnieks vt edu
On Fri, 12 Aug 2005 12:27:41 +0200, Rik Bobbaers said:
> raid0 means striping: +-50% of the data on one disk, 50% on the other, so if 1
> disk fails, or the raid breaks, you'll lose everything!
> raid1 is mirroring, which allows you to lose a disk and still retain all data

Note that "lose everythi

[ more ]  [ reply ]
RE: Tools accepted by the courts 2005-08-15
Steve Hailey (shailey edcc edu)
Two additional articles related to this topic:

The "Tools Proven in Court" Question

Of Mice and Man - Contrasting approaches to computer forensic analysis


-----Original Message---

[ more ]  [ reply ]
(Page 21 of 84)  < Prev  16 17 18 19 20 21 22 23 24 25 26  Next >


Privacy Statement
Copyright 2010, SecurityFocus