Forensics Mode:
(Page 28 of 84)  < Prev  23 24 25 26 27 28 29 30 31 32 33  Next >
Forensic disk duplication modifies the evidence hard disk 2005-05-27
Steven McLeod (steven mcleod ozemail com au) (1 replies)

SMART Anti-Forensics

This paper highlights an oversight in the current industry best practice
procedure for forensically duplicating a hard disk. A discussion is provided
which demonstrates that although the forensic duplication process may not
directly modify data on the evidence hard disk, a

[ more ]  [ reply ]
Re: Forensic disk duplication modifies the evidence hard disk 2005-05-27
Brian Carrier (carrier cerias purdue edu)
Ghost Norton Fingerprint signature 2005-05-27
ricci (ricci cs ust hk)
Hello All,

In an article by Symantec, it mentioned that the hard disk cloned by Norton
Ghost will have a fingerprint in the free space of the hard disk.

Is there any pattern that I can search that from the hard disk using Encase?

In addition, for other software or hardware hard disk duplication s

[ more ]  [ reply ]
Re: Question about Windows XP RestorePoint 2005-05-24
Matthew Farrenkopf (farrenkm ohsu edu)
If the filesystem is NTFS, the $MFT entry will have the date and time it was created. This typically corresponds to the date and time that the OS was installed. This is not guaranteed, however, as the FS could have been converted from FAT32.

A quick Google brought me to

[ more ]  [ reply ]
Question about Windows XP RestorePoint 2005-05-24
ricci (ricci cs ust hk)
Hello All,

I was given a Windows XP Pro bootup hard disk for verification of its first
installation date. What information I can verify when the hard disk was
first installed?

Secondly, if the OS was cloned and reproduced from another source, how can I
verify that? Other than Norton Ghost, what ot

[ more ]  [ reply ]
Know Your Enemy: Phishing 2005-05-17
David Watson (david honeynet org uk)
Hash: SHA1

The Honeynet Project and Research Alliance are excited to announce
the release of their new paper "KYE: Phishing". This technical white
paper provides behind the scenes information on how phishing attachs
are performed. The paper is based on the resea

[ more ]  [ reply ]
Steganography Application Fingerprint Database Hash Set Updates - Available Now! 2005-05-16
Chad W. Davis (chad davis backbonesecurity com)
The Steganography Analysis and Research Center (SARC) is pleased to announce
the newest release of the Steganography Application Fingerprint Database
(SAFDB) hash sets!  Version 1.1 of the SAFDB contains 14,857 files
associated with 230 steganography and other data-hiding applications.  The

[ more ]  [ reply ]
Journal of Digital Investigation and DFRWS 2005-05-14
eco digital-evidence net

A new Journal of Digital Investigation (Volume 2, Issue 1) is now available. The

articles and research papers in this issue are listed below.

I am also pleased to announce that Digital Investigation is a sponsor of the 2005

Digital Forensic Research Workshop (DFRWS), which will

[ more ]  [ reply ]
2005 DFRWS Update 2005-05-13
Gary Palmer (palmerg mitre org)
Registration for the 5th Annual Digital Forensic Research Workshop is
now available. The workshop will be held August 17-19 in New Orleans,
LA and Wieste Venema, co-author of "Forensic Discovery," The Coroner's
Toolkit (TCT), and many other software packages, will be the keynote
speaker. The W

[ more ]  [ reply ]
Generic read-only IDE driver for Windows? 2005-05-13
Jyri Hovila (jyri hovila iki fi)
Hello everybody!

Despite extensive searching I have not been able to find a generic
read-only IDE driver for Windows 2000/XP. If anyone is aware of
existence of such driver, I would love to hear about it.

If such driver does not exist, I'll see if I can make one. Therefore I
would also apprecia

[ more ]  [ reply ]
Re: DCO discovery & removal, capabilities of imaging & wiping tools 2005-05-12
Thor Arne Johansen (thorj ibas no) (1 replies)
In-Reply-To: <4281C818.2080803 (at) foi (dot) se [email concealed]>

Arne Vidström writes:
>Another really bad thing is that disk wipe tools do not wipe a disk with
>a DCO set on it. For example, the very common tool ExpertEraser 2.0 from
>IBAS can be tricked into wiping as little of a disk as wished by setting
>a DCO on t

[ more ]  [ reply ]
Re: DCO discovery & removal, capabilities of imaging & wiping tools 2005-05-13
Mark Furner (mark furner gmx net)
DCFLDD Updates (v1.2.2) 2005-05-03
Nicholas Harbour (nicholasharbour yahoo com)

Sorry for the back to back releases, but I had to fix
one huge bug as well as let you guys start playing
with some new features! I am going with the open
source philosophy of "Release early, release often"

[ more ]  [ reply ]
SARC Steganography Examination & Prevalence Survey 2005-05-03
Chad W. Davis (chad davis backbonesecurity com)
The Steganography Analysis and Research Center (SARC) is excited to announce
a new survey that has been designed to facilitate discussion between
computer forensics examiners and the SARC about the prevalence of
steganography in their examinations. The answers you provide in this short
survey will b

[ more ]  [ reply ]
File system recovery problem 2005-05-02
Unix Boy (green_unix yahoo co uk) (2 replies)
Hi All,

I have a 80 GB disk with 6 partitions with win2k &
Linux installed. Mix of NTFS & EXT3. I formatted one
of the ext3 partition as NTFS from Windows, copied my
data on to it. Later, by mistake tried mounting this
partition in linux (thought if its a ext3 partition).
Ran fsck with -y option &

[ more ]  [ reply ]
Re: File system recovery problem 2005-05-07
joe henderson (joe henderson1 insightbb com)
RE: File system recovery problem 2005-05-03
Will Veno (wjveno shaw ca)
GMail Drive footprints 2005-04-28
H Carvey (keydet89 yahoo com)

I hope someone finds the following information useful...

As a follow-up to my Registry key spreadsheet (containing autostart and MRU locations, archived at, I wanted to take a look at the 'footprints' created on a system by installing the GMail drive shell e

[ more ]  [ reply ]
New version of DCFLDD (v1.2) 2005-04-25
Nicholas Harbour (nicholasharbour yahoo com)
After a bit of work this weekend, version 1.2 is
finally upon us. It only took a little over 3 years
for me to get around to updating this.

get it here: <A

What has changed?

- Added SHA-1, SHA-256, S

[ more ]  [ reply ]
Is There a Need for Industry Control? 2005-04-22
admin forensicfocus com
A recent article at Forensic Focus entitled "Is There a Need for Industry Control?" has
generated some interesting forum discussion

I wonder what list members make of this issue? Is there a need for further accreditation

[ more ]  [ reply ]
RE: Looking for a resource 2005-04-19
Reava, Jeffrey (jeffrey reava pfizer com) (1 replies)
When you say "exchange" of information, do you mean something more
oriented towards 'original' research -- however that would be defined --
which would be the forensic equivalent of the content we see in the
vuln-dev lists?

I have two projects that I've roughed out in outline form, and I need to

[ more ]  [ reply ]
Re: Looking for a resource 2005-04-21
Valdis Kletnieks vt edu
DCO discovery 2005-04-21
Nick Puetz (nickpuetz yahoo com) (3 replies)

Does anyone know of any good tools or methods for discovering if and ATA hard drive has a device configuration overlay (DCO) area? I know of tools that are available to detect a host protected area (HPA) such as dmesg, hdparm, and diskstat. But to my knowledge, these do not work with DCOs. Than

[ more ]  [ reply ]
RE: DCO discovery 2005-05-17
Jens Kirschner (jk x-ways com)
DCO discovery & removal, capabilities of imaging & wiping tools 2005-05-11
Arne Vidström (arne vidstrom foi se) (1 replies)
More about DCO discovery & removal, capabilities of imaging & wiping tools 2005-05-26
Arne Vidström (arne vidstrom foi se)
Re: DCO discovery 2005-04-21
Chris Palmer (chris eff org) (1 replies)
Re: DCO discovery 2005-04-26
subscribe (subscribe crazytrain com) (1 replies)
Re: DCO discovery 2005-04-30
Greg Freemyer (greg freemyer gmail com)
RE: Looking for a resource 2005-04-19
Arnold, Robert P (Robert P Arnold msfc nasa gov)

If you meet the criteria (LE, Gov., HD, etc...) you may be able to get
approved access to the Also for a product
specific user forum you can register for access to the EnCase Message board.

I use thes

[ more ]  [ reply ]
(Page 28 of 84)  < Prev  23 24 25 26 27 28 29 30 31 32 33  Next >


Privacy Statement
Copyright 2010, SecurityFocus