Forensics
(Page 21 of 84)
answer to questions about the Advanced Forensics Format 2005-09-20
Simson Garfinkel (simsong mac com)
A number of people asked questions about the AFF. I have summarized
the questions and my responses below.

Q: Why a new file format? What's wrong with block-by-block?
A: Raw image files take up a lot of space. In many cases this space
can be dramatically reduced by using compression.
Unfo

Announcing: Advanced Forensics Format 1.0 2005-09-19
Simson Garfinkel (simsong eecs harvard edu) (1 replies)
I have developed a new file format for storing disk images and other
forensic information. It's called the Advanced Forensic Format. Key
features of the format include:

* Open format, free from any patent or license restriction.
Can be used with both open-source and proprietary forensic tool

Re: Announcing: Advanced Forensics Format 1.0 2005-09-19
Thorbjørn Ellefsen (thorbjorn protectit as)
Two Windows questions 2005-09-15
keydet89 yahoo com (1 replies)
All,

I've got a couple of questions, primarily for clarification. After researching these both for a while, I'd like to try to get some more definitive information...

First...the UserAssist\{GUID}\Count keys:
http://personal-computer-tutor.com/abc3/v29/vic29.htm

Does anyone have any specific inf

Re: Two Windows questions 2005-09-19
Francisco Pecorella (fpecor cantv net)
Linux HPA status 2005-09-14
Greg Freemyer (greg freemyer gmail com)
All,

There have been discussions on this list before about how Linux treats HPAs.

There was a recent (long) thread on LKML about changing the behavior.

http://testing.lkml.org/slashdot.php?mid=600133

Nothing was resolved, but it looks like a boot option to allow access
to the normal disk space a

video file forensics 2005-09-14
Burak DAYIOGLU (dayioglu metu edu tr) (3 replies)
Hi all,
For one particular case at hand I need help on video file forensics. I
have a short video file in .3gp format (actually 3GPP Profile 5 file,
with QuickTime/MOV file format and s263 as the fourcc).

My goal is authorship analysis. I am interested in finding out the
actual mobile device tha

Re: video file forensics 2005-09-15
Jeremy Pullicino (pullicino gmail com)
Re: video file forensics 2005-09-14
okrehel loews com
Re: video file forensics 2005-09-14
Lance James (lancej securescience net)
Correction: DI 2004 Articles of the year 2005-09-13
Eoghan Casey (eco digital-evidence net)
The URL where the free articles can be downloaded is
http://www.digitalinvestigation.net/

The following articles in the Journal of Digital Investigation were voted best
of the Year for 2004 by our peer reviewers.

Academic paper winner: "A hardware-based memory acquisition procedure for
digital inv

Digital Investigation 2004: Articles of the year 2005-09-13
Eoghan Casey (eco digital-evidence net)
The Journal of Digital Investigation is pleased to announce that the following
papers were voted best of 2004 by our peer reviewers.

Academic paper winner: "A hardware-based memory acquisition procedure for
digital investigations" by Brian D. Carrier and Joe Grand

Non-academic article: "What evide

RE: New (ISC)2 Forensics Course 2005-09-12
dave kleiman (dave isecureu com)
Updated info:

Due to the many responses and requests, I apologize for not including the
registration contact:

Registration contact:
Kim Jones
Kjones_at_isc2_org

We have had many International requests, International information:

(ISC)2 plans on bringing this course worldwide.
You should begin s

Re: New (ISC)2 Forensics Course 2005-09-12
Bob Beringer (bob beringer usa net)
Dave,

Thanks for the update, what is the best way to register for this class?

Thanks,
Bob

------ Original Message ------
Received: Mon, 12 Sep 2005 06:54:30 AM EDT
From: "dave kleiman" <dave (at) isecureu (dot) com>
To: <forensics (at) securityfocus (dot) com>
Subject: New (ISC)2 Forensics Course

I know this is short

Search Registry files offline 2005-09-12
Harlan Carvey (keydet89 yahoo com)
All,

I've released a Perl script that performs parsing of raw Registry files. The script doesn't use any MS API calls...it opens the file in binary mode, and parses through the Registry a byte (well, actually...two to four bytes, depending on where you are in the code) at a time.

The code has

DFRWS Memory Challenge Winners 2005-09-09
eco digital-evidence net
I am pleased to announce the joint winners of the DFRWS2004 Forensic Memory Analysis Challenge:

Chris Betz: Developed memparser to reconstruct process list and extract information from process memory.

George M. Garner Jr. & Robert-Jan Mora: Developed kntlist to interpret structures in mem

Re: [lists] Re: RE: Windows last shutdown 2005-09-08
Kurt Buff (kurt buff gmail com)
Curt Purdy wrote:
> no (at) themoment (dot) thanx wrote:
>
>
>>If it's NT/XP/2k then, yeah just look at the last file
>>accessed times/dates.
>
>
> A more reliable resource for NT/XP/2K is to look for "Event log service was
> stopped".
>
> Curt Purdy CISSP, GSNA, GSEC, CNE, MCSE+I, CCDA
> Information Se

Re: RE: Windows last shutdown 2005-09-07
no themoment thanx (1 replies)
If it's a 95,98,me pc look at....
c:\windows\schedlog.txt
It's a log file showing what time and date the scheduler service was started and stopped. Also worth noting this file as the log is sequential, so if the time/date has been rolled back on the PC, the dates will be out of sequence.

If it's N

RE: [lists] Re: RE: Windows last shutdown 2005-09-07
Curt Purdy (purdy tecman com)
Tool Announcement: AIRT -- the Advanced Incident Response Tool 0.4.2 released 2005-08-25
madsys (admin ercist iscas ac cn)
hey all,

I'm proud to announce that the AIRT 0.4.2 is now available:

http://sourceforge.net/projects/airt-linux/

AIRT (Advanced incident response tool) is a set of incident response assistant tools for the Linux platform. It's useful when you want to know what evil kernel backdoor is resi

Specifics regarding a post-mortem investigation 2005-08-26
keydet89 yahoo com
Over on the Incidents list in the thread regarding cuebot infections, a respondent made the following statement:

"One other possibility is that the attacker went straight through the
firewall using an atypical packet....... unlikely, but should be placed
on an all-inclusive roster of post-mortem in

Presentations from the 2005 InfraGard National Conference 2005-08-24
dave kleiman (dave isecureu com) (1 replies)

---Snip----
Several presentations from the 2005 InfraGard National Conference have been
made available on the public website. The National Conference was held in
Washington, DC from August 9 - 11, 2005. Please visit www.infragard.net to
view these files.

Topics include: First Responders, Regula

New (ISC)2 Forensics Course 2005-09-10
dave kleiman (dave isecureu com)
Re: Forensic tool update 2005-08-24
Bob the Builder (builder173 hotmail com)
Other than the server component, does this do anything that the Windows
Forensic Toolchest doesn't (http://www.foolmoon.net/security/wft/)? We
already use this and find it effective in the majority of situations.

Regards,

Bob

-----Original Message-----
From: keydet89 (at) yahoo (dot) com
To: forensics@se

Re: Looking for a Linux-based *.evt log viewer 2005-08-16
Harlan Carvey (keydet89 yahoo com)
Billy,

I don't have a specific, Linux-only utility to view
.evt files, but I will share with you what I do
have...

Recently, I was asked to assist with an issue in which
neither PyFlag nor any tools using the MS API (ie,
Event Viewer, psloglist, etc.) were capable of parsing
a .evt file. Viewing

Re: Reconstructing a Raid 0 2005-08-16
Jyri Hovila (jyri hovila iki fi)
Jerry,

Runtime software's RAID Reconstructor is a great tool for
reconstructing crashed RAID 0 and RAID 5 systems. It has a unique
feature enabling it to guess the original RAID parameters (disc order
and stripe size) by measuring entropy of different parameter
combinations. After finding t

Re: Reconstructing a Raid 0 2005-08-15
Valdis Kletnieks vt edu
On Fri, 12 Aug 2005 12:27:41 +0200, Rik Bobbaers said:
> raid0 means striping: +-50% of the data on one disk, 50% on the other, so if 1
> disk fails, or the raid breaks, you'll lose everything!
> raid1 is mirroring, which allows you to lose a disk and still retain all data

Note that "lose everythi

RE: Tools accepted by the courts 2005-08-15
Steve Hailey (shailey edcc edu)
Two additional articles related to this topic:

The "Tools Proven in Court" Question

http://www.cybersecurityinstitute.biz/tpicq.htm

Of Mice and Man - Contrasting approaches to computer forensic analysis

http://www.cybersecurityinstitute.biz/mice&man.htm

Steve

-----Original Message---

Copyright 2010, SecurityFocus