Forensic disk duplication modifies the evidence hard disk
2005-05-27 Steven McLeod (steven mcleod ozemail com au) (1 replies)

Re: Forensic disk duplication modifies the evidence hard disk
2005-05-27 Brian Carrier (carrier cerias purdue edu)

Ghost Norton Fingerprint signature
2005-05-27 ricci (ricci cs ust hk)
Hello All, In an article by Symantec, it mentioned that the hard disk cloned by Norton Ghost will have a fingerprint in the free space of the hard disk. Is there any pattern that I can search that from the hard disk using Encase? In addition, for other software or hardware hard disk duplication s [...]

Re: Question about Windows XP RestorePoint
2005-05-24 Matthew Farrenkopf (farrenkm ohsu edu)
If the filesystem is NTFS, the $MFT entry will have the date and time it was created. This typically corresponds to the date and time that the OS was installed. This is not guaranteed, however, as the FS could have been converted from FAT32. A quick Google brought me to http://www.mcse.ms/archive [...]

Question about Windows XP RestorePoint
2005-05-24 ricci (ricci cs ust hk)
Hello All, I was given a Windows XP Pro bootup hard disk for verification of its first installation date. What information I can verify when the hard disk was first installed? Secondly, if the OS was cloned and reproduced from another source, how can I verify that? Other than Norton Ghost, what ot [...]

Know Your Enemy: Phishing
2005-05-17 David Watson (david honeynet org uk)
The Honeynet Project and Research Alliance are excited to announce the release of their new paper "KYE: Phishing". This technical white paper provides behind the scenes information on how phishing attacks are performed. The paper is based on the resea [...]

Steganography Application Fingerprint Database Hash Set Updates - Available Now!
2005-05-16 Chad W. Davis (chad davis backbonesecurity com)
The Steganography Analysis and Research Center (SARC) is pleased to announce the newest release of the Steganography Application Fingerprint Database (SAFDB) hash sets! Version 1.1 of the SAFDB contains 14,857 files associated with 230 steganography and other data-hiding applications. The SAFDB ha [...]

Journal of Digital Investigation and DFRWS
2005-05-14 eco digital-evidence net
Colleagues, A new Journal of Digital Investigation (Volume 2, Issue 1) is now available. The articles and research papers in this issue are listed below. I am also pleased to announce that Digital Investigation is a sponsor of the 2005 Digital Forensic Research Workshop (DFRWS), which will [...]

2005 DFRWS Update
2005-05-13 Gary Palmer (palmerg mitre org)
Registration for the 5th Annual Digital Forensic Research Workshop is now available. The workshop will be held August 17-19 in New Orleans, LA and Wietse Venema, co-author of "Forensic Discovery," The Coroner's Toolkit (TCT), and many other software packages, will be the keynote speaker. The W [...]

Generic read-only IDE driver for Windows?
2005-05-13 Jyri Hovila (jyri hovila iki fi)
Hello everybody! Despite extensive searching I have not been able to find a generic read-only IDE driver for Windows 2000/XP. If anyone is aware of existence of such driver, I would love to hear about it. If such driver does not exist, I'll see if I can make one. Therefore I would also apprecia [...]

Re: DCO discovery & removal, capabilities of imaging & wiping tools
2005-05-12 Thor Arne Johansen (thorj ibas no) (1 replies)
In-Reply-To: <4281C818.2080803 (at) foi (dot) se [email concealed]>
Arne Vidström writes:
>
>Another really bad thing is that disk wipe tools do not wipe a disk with
>a DCO set on it. For example, the very common tool ExpertEraser 2.0 from
>IBAS can be tricked into wiping as little of a disk as wished by setting
>a DCO on t [...]

Re: DCO discovery & removal, capabilities of imaging & wiping tools
2005-05-13 Mark Furner (mark furner gmx net)

DCFLDD Updates (v1.2.2)
2005-05-03 Nicholas Harbour (nicholasharbour yahoo com)
dcfldd releases: http://sourceforge.net/project/showfiles.php?group_id=115587
Sorry for the back to back releases, but I had to fix one huge bug as well as let you guys start playing with some new features! I am going with the open source philosophy of "Release early, release often" w [...]

SARC Steganography Examination & Prevalence Survey
2005-05-03 Chad W. Davis (chad davis backbonesecurity com)
The Steganography Analysis and Research Center (SARC) is excited to announce a new survey that has been designed to facilitate discussion between computer forensics examiners and the SARC about the prevalence of steganography in their examinations. The answers you provide in this short survey will b [...]

File system recovery problem
2005-05-02 Unix Boy (green_unix yahoo co uk) (2 replies)
Hi All, I have a 80 GB disk with 6 partitions with win2k & Linux installed. Mix of NTFS & EXT3. I formatted one of the ext3 partition as NTFS from Windows, copied my data on to it. Later, by mistake tried mounting this partition in linux (thought if its a ext3 partition). Ran fsck with -y option & [...]

GMail Drive footprints
2005-04-28 H Carvey (keydet89 yahoo com)
I hope someone finds the following information useful... As a follow-up to my Registry key spreadsheet (containing autostart and MRU locations, archived at http://www.windows-ir.com/regkeys.zip), I wanted to take a look at the 'footprints' created on a system by installing the GMail drive shell e [...]

New version of DCFLDD (v1.2)
2005-04-25 Nicholas Harbour (nicholasharbour yahoo com)
After a bit of work this weekend, version 1.2 is finally upon us. It only took a little over 3 years for me to get around to updating this. get it here: dcfldd-1.2.tar.gz (http://prdownloads.sourceforge.net/dcfldd/dcfldd-1.2.tar.gz?download)
What has changed?
- Added SHA-1, SHA-256, S [...]

Is There a Need for Industry Control?
2005-04-22 admin forensicfocus com
A recent article at Forensic Focus entitled "Is There a Need for Industry Control?" has generated some interesting forum discussion http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=215 I wonder what list members make of this issue? Is there a need for further accreditation sch [...]

RE: Looking for a resource
2005-04-19 Reava, Jeffrey (jeffrey reava pfizer com) (1 replies)
When you say "exchange" of information, do you mean something more oriented towards 'original' research -- however that would be defined -- which would be the forensic equivalent of the content we see in the vuln-dev lists? I have two projects that I've roughed out in outline form, and I need to ma [...]

DCO discovery
2005-04-21 Nick Puetz (nickpuetz yahoo com) (3 replies)
Does anyone know of any good tools or methods for discovering if an ATA hard drive has a device configuration overlay (DCO) area? I know of tools that are available to detect a host protected area (HPA) such as dmesg, hdparm, and diskstat. But to my knowledge, these do not work with DCOs. Than [...]

DCO discovery & removal, capabilities of imaging & wiping tools
2005-05-11 Arne Vidström (arne vidstrom foi se) (1 replies)

More about DCO discovery & removal, capabilities of imaging & wiping tools
2005-05-26 Arne Vidström (arne vidstrom foi se)

Re: DCO discovery
2005-04-21 Chris Palmer (chris eff org) (1 replies)

RE: Looking for a resource
2005-04-19 Arnold, Robert P (Robert P Arnold msfc nasa gov)
Harlan, If you meet the criteria (LE, Gov., HD, etc...) you may be able to get approved access to the https://cybercop.esportals.com/. Also for a product specific user forum you can register for access to the EnCase Message board. (http://www.encase.com/support/MessageBoard/index.shtm) I use thes [...]
SMART Anti-Forensics
This paper highlights an oversight in the current industry best practice
procedure for forensically duplicating a hard disk. A discussion is provided
which demonstrates that although the forensic duplication process may not
directly modify data on the evidence hard disk, a
[...]