Forensics
RE: RAID rebuild/recover question 2005-08-15
Greg Kelley (gkelley vestigeltd com)
I think that there would always be that possibility if disk wiping is
not used.

Regardless of the RAID configuration, one is dealing with block sizes.
Block sizes are typically 16k, 32k or 64k. That means even if you
change from striping to non-striping or vice versa, you still have the

RE: Looking for a Linux-based *.evt log viewer. 2005-08-15
Johnathan Bridbord (jbridbord doar com)

I suggest you grab the VMware binaries for linux. You will be able to
boot the NT HDD and examine the logs within the windows environment. Let
us know how you fare.


Johnathan Bridbord, CISSP/CIFI/EnCE
Senior Forensic Examiner
DOAR Litigation Consulting
DD: (516) 823-4077

RE: Tools accepted by the courts 2005-08-14
evb (swiver cox net)
After seeing so many diverse opinions on this issue, I wrote an article
about it. It's now posted at my Web site, .


:-----Original Message-----
:From: Valdis.Kletnieks (at) vt (dot) edu [email concealed] [mailto:Valdis.Kletnieks (at) vt (dot) edu [email concealed]]
:Sent: Friday, June

Forensic tool update 2005-08-11
keydet89 yahoo com
I recently posted an update to the First Responder Utility (Commandline) (FRUC) to my web site at:

A brief explanation of the FRUC and its server component, the FSPC, is available on my blog:

Looking for a Linux-based *.evt log viewer. 2005-08-11
Billy (billydalud gmail com) (4 replies)
Hi all,

Is there any such thing as a Linux-based log viewer that can read
Windows NT event logs?
I need to read the *.evt files from the hard drive of a server that
has long been taken out of the network ever since our office went into
an all-Linux configuration.
I can't boot up the original NT mac

Re: Looking for a Linux-based *.evt log viewer. 2005-08-15
Thorbjørn Ellefsen (thorbjorn protectit as)
Re: Looking for a Linux-based *.evt log viewer. 2005-08-15
Nathan Catlow (nathan ccc-ltd com)
Re: Looking for a Linux-based *.evt log viewer. 2005-08-15
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
Re: Looking for a Linux-based *.evt log viewer. 2005-08-15
Oliver Schneider (Borbarad gmxpro net)
RAID rebuild/recover question 2005-08-10
Sun, David (dsun SunBlockSystems com)
Scenario: You have a RAID array with data on it. You change the RAID
config, for example go from a RAID5 to RAID1+0 (pick any to/from
config). You logically reload files on to the newly built container
(restore from tape). Now you image the array.

Question: Will the unallocated/slack areas of th

Reconstructing a Raid 0 2005-08-08
KC (lists sonicc net) (2 replies)
Hi All,

I have a machine here with onboard serial ATA RAID capabilities, one of
the disks managed to remove itself from a RAID 0 that the
user had created on the system.

It's an MSI mainboard with a Promise onboard SATA RAID Controller.

Now, without both components of the RAID functioning, windo

Re: Reconstructing a Raid 0 2005-08-12
Rik Bobbaers (Rik Bobbaers cc kuleuven be)
RE: Reconstructing a Raid 0 2005-08-10
Jerry Shenk (jshenk decommunications com)
REVIEW: "File System Forensic Analysis", Brian Carrier 2005-08-08
Rob, grandpa of Ryan, Trevor, Devon & Hannah (rslade sprint ca)

"File System Forensic Analysis", Brian Carrier, 2005, 0-321-26817-2,
%A Brian Carrier
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2005
%G 0-321-26817-2
%I Addison-Wesley Publishing Co.
%O U$49.99/C$69.99 416-447-5101 800

Obtaining items from ISA Server 2k Cache 2005-08-02
security (security commstar com au)
I wish to be able to extract/copy some items from the cache of ISA Server 2000.
Does anyone know of any tools that let me achieve this?

I have tried using CacheDir.exe from the ISA support tools folder (off the Isa 2k CD) that lets me view the contents but not extract.

I also downloaded the Newer Cac

DFRWS 2004 Final Report Available 2005-08-03
eco digital-evidence net
The Digital Forensic Research Workshop 2004 Final Report is now available at, and the DFRWS 2005 is scheduled for August 17 to 19, 2005.

The 2005 program includes a keynote address by Wietse Venema, select
presentations of new research and developments in the field, and discussio

RE: Windows last shutdown 2005-08-02
Greg Kelley (gkelley vestigeltd com)
If you are talking about XP or 2K, check the time and date stamp of the
NTUSER.dat files. That will help you.

Greg Kelley, EnCE
Vestige Digital Investigations
Computer Forensics | Electronic Discovery | Corporate Surety
46 Public Square, Ste 220
Medina, OH 44256
(330)721-1205 x5432
(330)721-1206 F

RE: Windows last shutdown 2005-08-02
Collins, Stephen (Stephen Collins nrc-cnrc gc ca)
Mark and All,

Excellent question! If the system was improperly shut down and did
not have the opportunity to successfully update the EVT files, these
files would have a timestamp of the last proper shut down.

In this case, I would have to say it is impossible to get an EXACT
time and the best you

RE: Windows last shutdown 2005-08-02
Lee, Sangyop (sangyop_lee standardandpoors com)
>Then you need to google for a tool to decode that data to show time and date
>in readable form. I know that EnCase will do it, but I have not used EnCase
>to do this. I used DCode Date V.2.00 from Digital - Will
>download to a floppy disk, and works great.

EnCase WILL do it. Th

RE: Windows last shutdown 2005-08-02
Collins, Stephen (Stephen Collins nrc-cnrc gc ca) (1 replies)

Check the timestamps on the event logfiles.

and possibly SecEvent.EVT

Located at C:\WINDOWS\system32\config for XP
and C:\WINNT\system32\config for earlier versions.


Steve Collins
Information Systems Security Analyst|Analyst de la securite de system

RE: Windows last shutdown 2005-08-02
Mark Barwinski (markbarwinski hotmail com)
RE: Windows last shutdown 2005-08-02
Milloff, Timothy (MilloffT sec gov) (1 replies)
You find that info in the registry. Go to

Look for the Shutdown Time block,

Then you need to google for a tool to decode that data to show time and date
in readable form. I know that EnCase will do it, but I have not used EnCase
to do this.

RE: Windows last shutdown 2005-08-03
dave kleiman (dave isecureu com)
Windows last shutdown 2005-08-02
Stefano Bizzarri (nexius email it) (2 replies)
Hi all...

I'm writing here to know if someone knows the way to acquire the exact time and
date when a Windows xx machine was shut down the last time.

I ever think that searching the swap files and acquiring their date and time I
could know that but someone told me that it's not correct.


Re: Windows last shutdown 2005-08-02
Valdis Kletnieks vt edu
Re: Windows last shutdown 2005-08-02
John Kinsella (jlk thrashyour com)
RE: Digital forensics of a image? 2005-08-02
Baker,David W. (BAKERD mitre org)
You can try EasyExif, a freeware program. It will dump data on a single
file into text, CSV or XML output, or you can process a whole directory
of images.

It will output photoshop/camera info, whatever i

Re: How to copy the pagefile.sys from a live system 2005-08-01
visitbipin hotmail com
That's simple,

take any software that will read the particular sector of the hdd directly... to dump files like pagefile.sys SAM etc.

1 easy solution is, use ANY file undelete software. Open the software, browse the file & try copying the file (pagefile.sys) to another location as you would do if y

Re: Digital forensics of a image? 2005-08-01
Brewis, Mark (mark brewis eds com)
A very useful site on EXIF is:

see for some excellent information on the data structures used by various cameras.


Mark Brewis

Forensic Services - EMEA
UK Information Assurance Group

Copyright 2010, SecurityFocus