SMART Anti-Forensics

This paper highlights an oversight in the current industry best practice
procedure for forensically duplicating a hard disk. A discussion is provided
which demonstrates that although the forensic duplication process may not
directly modify data on the evidence hard disk, a

[ more ]  [ reply ]

Hello All,

In an article by Symantec, it mentioned that the hard disk cloned by Norton
Ghost will have a fingerprint in the free space of the hard disk.

Is there any pattern that I can search that from the hard disk using Encase?

In addition, for other software or hardware hard disk duplication s

[ more ]  [ reply ]

If the filesystem is NTFS, the $MFT entry will have the date and time it was created. This typically corresponds to the date and time that the OS was installed. This is not guaranteed, however, as the FS could have been converted from FAT32.

A quick Google brought me to http://www.mcse.ms/archive

[ more ]  [ reply ]

Hello All,

I was given a Windows XP Pro bootup hard disk for verification of its first
installation date. What information I can verify when the hard disk was
first installed?

Secondly, if the OS was cloned and reproduced from another source, how can I
verify that? Other than Norton Ghost, what ot

[ more ]  [ reply ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Honeynet Project and Research Alliance are excited to announce
the release of their new paper "KYE: Phishing". This technical white
paper provides behind the scenes information on how phishing attachs
are performed. The paper is based on the resea

[ more ]  [ reply ]

The Steganography Analysis and Research Center (SARC) is pleased to announce
the newest release of the Steganography Application Fingerprint Database
(SAFDB) hash sets!  Version 1.1 of the SAFDB contains 14,857 files
associated with 230 steganography and other data-hiding applications.  The
SAFDB ha

[ more ]  [ reply ]

Colleagues,

A new Journal of Digital Investigation (Volume 2, Issue 1) is now available. The

articles and research papers in this issue are listed below.

I am also pleased to announce that Digital Investigation is a sponsor of the 2005

Digital Forensic Research Workshop (DFRWS), which will

[ more ]  [ reply ]

Registration for the 5th Annual Digital Forensic Research Workshop is
now available. The workshop will be held August 17-19 in New Orleans,
LA and Wieste Venema, co-author of "Forensic Discovery," The Coroner's
Toolkit (TCT), and many other software packages, will be the keynote
speaker. The W

[ more ]  [ reply ]

Hello everybody!

Despite extensive searching I have not been able to find a generic
read-only IDE driver for Windows 2000/XP. If anyone is aware of
existence of such driver, I would love to hear about it.

If such driver does not exist, I'll see if I can make one. Therefore I
would also apprecia

[ more ]  [ reply ]

In-Reply-To: <4281C818.2080803 (at) foi (dot) se [email concealed]>

Arne Vidström writes:
>
>Another really bad thing is that disk wipe tools do not wipe a disk with
>a DCO set on it. For example, the very common tool ExpertEraser 2.0 from
>IBAS can be tricked into wiping as little of a disk as wished by setting
>a DCO on t

[ more ]  [ reply ]

<a
href="http://sourceforge.net/project/showfiles.php?group_id=115587">dcfl
dd
releases</a>

Sorry for the back to back releases, but I had to fix
one huge bug as well as let you guys start playing
with some new features! I am going with the open
source philosophy of "Release early, release often"
w

[ more ]  [ reply ]

The Steganography Analysis and Research Center (SARC) is excited to announce
a new survey that has been designed to facilitate discussion between
computer forensics examiners and the SARC about the prevalence of
steganography in their examinations. The answers you provide in this short
survey will b

[ more ]  [ reply ]

Hi All,

I have a 80 GB disk with 6 partitions with win2k &
Linux installed. Mix of NTFS & EXT3. I formatted one
of the ext3 partition as NTFS from Windows, copied my
data on to it. Later, by mistake tried mounting this
partition in linux (thought if its a ext3 partition).
Ran fsck with -y option &

[ more ]  [ reply ]

I hope someone finds the following information useful...

As a follow-up to my Registry key spreadsheet (containing autostart and MRU locations, archived at http://www.windows-ir.com/regkeys.zip), I wanted to take a look at the 'footprints' created on a system by installing the GMail drive shell e

[ more ]  [ reply ]

After a bit of work this weekend, version 1.2 is
finally upon us. It only took a little over 3 years
for me to get around to updating this.

get it here: <A
HREF="http://prdownloads.sourceforge.net/dcfldd/dcfldd-1.2.tar.gz?downlo
ad">dcfldd-1.2.tar.gz</A>

What has changed?

- Added SHA-1, SHA-256, S

[ more ]  [ reply ]

A recent article at Forensic Focus entitled "Is There a Need for Industry Control?" has
generated some interesting forum discussion

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=215

I wonder what list members make of this issue? Is there a need for further accreditation
sch

[ more ]  [ reply ]

When you say "exchange" of information, do you mean something more
oriented towards 'original' research -- however that would be defined --
which would be the forensic equivalent of the content we see in the
vuln-dev lists?

I have two projects that I've roughed out in outline form, and I need to
ma

[ more ]  [ reply ]

Does anyone know of any good tools or methods for discovering if and ATA hard drive has a device configuration overlay (DCO) area? I know of tools that are available to detect a host protected area (HPA) such as dmesg, hdparm, and diskstat. But to my knowledge, these do not work with DCOs. Than

[ more ]  [ reply ]

Harlan,

If you meet the criteria (LE, Gov., HD, etc...) you may be able to get
approved access to the https://cybercop.esportals.com/. Also for a product
specific user forum you can register for access to the EnCase Message board.
(http://www.encase.com/support/MessageBoard/index.shtm)

I use thes

[ more ]  [ reply ]