Forensics Mode:
(Page 25 of 84)
Re: Tools accepted by the courts 2005-06-25
Jack Seward (JackSeward msn com) (1 replies)
Agree with some of what Jerry Hatchett had to say, except the forensic
examiner "must" reinvest in new technologies, like tools to conduct remote
imaging if that is prudent right along with efficient tools for text
searching.

I think today's examiner needs to constantly improve the tool box, becaus

RE: Tools accepted by the courts 2005-06-25
Evidence Technology (le evidencetechnology net)
RE: Tools accepted by the courts 2005-06-25
farrell (farrell cyberia coldstream ca)
On Fri, 24 Jun 2005, Evidence Technology wrote:

> Question: Do you (or anyone else, of course) know of cases in which tool
> issues like this have actually had an impact on case outcome? I recently
> read an article about a case in which some evidence was challenged because
> the examiner worked fr

Re: Tools accepted by the courts 2005-06-24
Valdis Kletnieks vt edu (1 replies)
On Thu, 23 Jun 2005 20:20:17 CDT, Evidence Technology said:

> If an auto mechanic testifies as an expert witness in an auto-related case,
> is more weight given to his testimony because he chose a Craftsman ratchet
> instead of a Snap-On? No. Weight is assigned because he convinces the court
> that

RE: Tools accepted by the courts 2005-06-24
Evidence Technology (le evidencetechnology net)
RE: Identifying seed file IP address in Exeem, BT and KaZaA 2005-06-23
Brian May (bmay actlit com)
> -----Original Message-----
> From: Lance James [mailto:lancej (at) securescience (dot) net]
> Sent: Wednesday, June 22, 2005 1:36 PM
> To: Pluto
> Cc: forensics (at) securityfocus (dot) com
> Subject: Re: Identifying seed file IP address in Exeem, BT and KaZaA
>
>
> Pluto wrote:
>
> >On Fri, Jun 17, 2005 at 06:20:37PM

Re: forensics Digest 17 Jun 2005 15:04:36 -0000 Issue 499 2005-06-23
John Herron (john herron rrc state tx us)
I've always heard the same thing but have never verified it. I heard it
a lot with virus writing techniques, but I'm not sure if it's because
they intercept the int call and do something special or not, but I used
to hear that viruses could survive a warm reboot. The other place I
heard it was fro

RE: Tools accepted by the courts 2005-06-22
Andre Protas (aprotas eeye com) (1 replies)
As basic a certification as it is, an A+ will actually help in courts as
well. Pretty much, does "some certification body recognize that you
know how to remove the hard drive correctly"?

For more advanced forensics, the best cert (certifications are KEY for
court cases) is the CFCE (http://www.iac

RE: Tools accepted by the courts 2005-06-24
Evidence Technology (le evidencetechnology net)
Re: Identifying seed file IP address in Exeem, BT and KaZaA 2005-06-22
Pluto (pluto stderr de) (1 replies)
On Fri, Jun 17, 2005 at 06:20:37PM -0700, Lance James wrote:
>
> There are tools, mostly standard network forensic tools. BitTorrent you
> can see the owner of the seed since the IP address is embedded within
> their .torrent file.

the ip of the tracker, who does not have to have any relations

Re: Identifying seed file IP address in Exeem, BT and KaZaA 2005-06-22
Lance James (lancej securescience net)
Re: forensics Digest 17 Jun 2005 15:04:36 -0000 Issue 499 2005-06-22
tearsong (tearsong6 gmail com) (1 replies)
> One thought, though: doesn't a reboot reset the RAM anyway?

I have heard (and I wouldn't, by any means, stake my life on this!)
that *only* a soft boot (reboot) will not completely clear the RAM...
however a hard boot (shut down) will most definitely. If anyone can
verify/deny this, I'd be gratef

Re: RE: Tools accepted by the courts 2005-06-22
hatzesberger t-online de (1 replies)
EnCase from Guidance Software is widely accepted, but it's not only about using the right tool. The investigator needs to be trained appropriately and has to make sure that the rules of evidence are not broken (e.g.: Only one chance to do it correctly).

Regards from Germany

Manfred Hatzesberger, CISS

Re: RE: Tools accepted by the courts 2005-06-22
Kevin (kkadow gmail com)
RE: Tools accepted by the courts 2005-06-21
Craig, Tobin (OIG) (tobin craig va gov) (1 replies)
I wouldn't be so hung up on the choice of tool as the means to validate
it for court. Given the wide variety of carving tools that have already
withstood courtroom scrutiny, I'd question the choice to "roll your own"
tool instead of using an already courtroom-accepted one. This stuff is
hard enough,

RE: Tools accepted by the courts 2005-06-22
evb (swiver cox net)
Raids 2005-06-20
Brett Shavers (bshavers gmail com)
The most current release of Winhex Forensics interprets RAID 0 and 5
(haven't reconstructed a RAID with it, but can examine one with it).
And the price is very reasonable.

Brett Shavers
Renton Police Department

RE: Reconstruct a hardware RAID from the raw images of each HD 2005-06-20
Greg Kelley (gkelley vestigeltd com) (1 replies)
Try RAID Reconstructor from www.runtime.org.

I took 6 EnCase images of 6 physical drives involved in a RAID 5
configuration. I used RAID Reconstructor to help me determine the order
of the drives, block size and whether or not it was right-handed.

Greg Kelley, EnCE
Vestige Digital Investigations
C

Re: Reconstruct a hardware RAID from the raw images of each HD 2005-06-20
Eddie Cornejo (cornejo gmail com)
RE: Reconstruct a hardware RAID from the raw images of each HD 2005-06-20
Matthew Galgoci (mgalgoci redhat com)
> Date: Sun, 19 Jun 2005 12:59:03 +0200
> From: Joel A. Folkerts <jfolkert (at) hiwaay (dot) net>
> To: forensics (at) securityfocus (dot) com
> Subject: RE: Reconstruct a hardware RAID from the raw images of each HD
>
> One pricey solution is EnCase -- Starting with EnCase 4, it has the ability
> to reconstruct a hardw

RE: Carving deleted messages from PST file remains 2005-06-20
Andrew Sheldon (andrew evidencetalks com)
Hi,

You might want to check out LoPe
(http://www.evidencetalks.com/forensic_toolsets/email_forensics.php) which
does exactly what you're describing below - and it's forensically sound.

>>I use it mainly to convert pst files into individual mails, to be able
>>to handle for instance more than 500 p

RE: Minimal RAM footprint boot CD? 2005-06-20
Bojan Zdrnja (Bojan Zdrnja LSS hr)


> -----Original Message-----
> From: Rikard Johnels [mailto:rikjoh (at) norweb (dot) se]
> Sent: Friday, 17 June 2005 2:18 a.m.
> To: forensics (at) securityfocus (dot) com
> Subject: Re: Minimal RAM footprint boot CD?
>
> If the reboot prompt is PRIOR to shutdown and reset there MIGHT be a
> possibility to either

Re: undetected drive 2005-06-18
atrav (atrav copper net)
----- Original Message -----
From: "Tamarcus A Person" <tperson (at) csc (dot) com>
I am,
> at the moment, encountering the same issues with 5 hard drives that I had
> wipe to remove the sensitive data previously stored on them. Once the disk
> drives were ready for reuse, I was unable to use them because, a

RE: Reconstruct a hardware RAID from the raw images of each HD 2005-06-18
Croff, Micah (mcroff exchange csuchico edu)
Rasec,

We just tried this with an Xserve RAID device and Apple told us it wasn't possible. If you figure out a way please let us all know!

Thanks!

Micah

________________________________

From: Rasec Platff [mailto:platff (at) gmail (dot) com]
Sent: Fri 6/17/2005 1:32 PM
To: forensics (at) securityfocus (dot) co

Digital forensics of the physical memory (an introduction) 2005-06-17
Mariusz Burdach (M_Burdach compfort pl)
Hello,

I have written a research paper on digital forensics of the physical memory. This is an introduction to a new area of forensics.

The objective of this document is to demonstrate methods by which the physical memory image from the compromised machine can be analyzed. At the moment, only Linux mem

Re: undetected drive 2005-06-18
Eamonn Saunders (eamonn saunders gmail com)
Gary Funck wrote:

>>2. Does anybody have any other suggestions as to how I might access the
>>data on this disk?
>>
>>
>
>There are different levels of "working" that should be checked in the following
>order:
>
>1) spins up. After starting the system from power off, can you hear the drive
>"

Copyright 2010, SecurityFocus