Forensics
(Page 31 of 84)
RE: Drive hashing-when is it *really* necessary? 2005-03-24
Greg Kelley (gkelley vestigeltd com)

How do you know for sure that the devices you mention do NOT allow
writing to the drive? Sure, Knoppix was built to only accommodate
read-only, but it is software and therefore it is susceptible to bugs.
If you went to trial with these 500 drives, I could see the following


XP Prefetcher and forensics 2005-03-24
H Carvey (keydet89 yahoo com)


I recently blogged on the XP Prefetcher, with an eye toward the forensic value of the directory:

I have no doubt that this is nothing new to most folks out there. What I'm interested in hearing is (a) about how others have used

Re: Drive hashing-when is it *really* necessary? 2005-03-24
James Holley ey com

Ask yourself whether you are performing an investigation or performing an IT function. If you are performing an investigation, do it right. Otherwise, don't do it! If you are conducting an investigation and you don't do it properly, you are voluntarily giving up your credibility as an invest

Drive hashing-when is it *really* necessary? 2005-03-22
dave superelite net (1 replies)
Sounds like a simple question for this list where the answer is
"always"- but please read on.

We run hashes on drives to verify that nothing was changed during the
acquisition process. Which hash, MD-5, SHA-1, SHA-256 is not part of
this debate so please refrain from rehashing that topic. But wh

RE: Drive hashing-when is it *really* necessary? 2005-03-24
Seamus Byrne (seamus seamusbyrne com)

Re: Macintosh wiping (but why) 2005-03-22
dosman (dosman packetsniffers org)
I recently tried several experiments with wiping hard drives by
electromagnets, the results were quite surprising to me. My first
attempt was to build my own electromagnet which failed pretty bad. I
was able to build a fairly strong electromagnet large enough to encase a
hard drive but this desi

RE: Reality and 2.5" laptop drives, Re: Macintosh wiping (but why) 2005-03-22
Daniel James (dajames wfubmc edu)
In a case such as this...what I would do is take a small 5 lbs
sledgehammer and finish the job! :-) If you smash the platters together
so that the platters are touching each other they will not spin
is highly unlikely that someone would take a drive with this extensive
damage and open it..

RE: Macintosh wiping (but why) 2005-03-22
Daniel James (dajames wfubmc edu)
I "cleanse" drives for a living (about 3,000+ per year). I am
responsible for cleansing drives for disposal, donation, employee sales,
and inter/intra department transfers. The best way I have found to
cleanse any drive is with "wiping" software per DOD specs. The software
I use is WipeDrive 3.0

Linux ISO9660 handling flaws (fwd) 2005-03-19
Michal Zalewski (lcamtuf dione ids pl)

This might be of some interest to forensics folks, since some
methodologies advocate read-only mounting and examination of acquired disk
images... it might be not such a wise idea, in general.

---------- Forwarded message ----------
Date: Thu, 17 Mar 2005 22:36:45 +0100 (CET)
Subject: Linux IS

Tool: Web Historian 2005-03-18
Rohyt Belani (rohytbelani hotmail com)

Red Cliff's Web Historian assists users in reviewing websites (URLs) that are stored in the history files of the most commonly used browsers including: Microsoft's Internet Explorer, Mozilla, Firefox, Netscape, Opera and Safari. It is designed primarily as a tool for computer forensic examiners; h

RE: NTFS and inodes 2005-03-15
Jeff Bryner (jbryner1 yahoo com)
--- "Forensics @ TracingEmails" <> wrote:
> Windows & inodes??
Well, ls and inodes ;-)

> Are these the 'hidden' (system) files that windows has? Do you get
> the same output if you were to boot an image of the drive and opt
> (using windows explorer) - to alter [tools, view, 'show the hidden files

Re: NTFS and inodes 2005-03-14
Jeff Bryner (jbryner1 yahoo com)
It's the Master File Table index number.

The filesystem metadata layer is the inode in Linux and the MFT in NT.
Both hold info like timestamps, file size.

--- H Carvey <keydet89 (at) yahoo (dot) com> wrote:
> When booting a Windows XP system with a Linux distro, one mounts the
> NTFS drive and runs a

Re: Autopsy vs. FTK 2005-03-14
Greg Freemyer (greg freemyer gmail com)
On Mon, 14 Mar 2005 11:25:28 -0600, Evidence Technology <le (at) evidencetechnology (dot) net> wrote:
> Greg, I know you've already solved your original issue, but I'm almost
> certain I saw something in the notes for the latest release of FTK about
> getting rid of that 2,000,000-item search limit. I just ski

Fwd: CNFR CFP 2005-03-14
Brian Carrier (carrier cerias purdue edu)
[Forwarded on Tom's request]

From: Thomas E Daniels <daniels (at) narn.ece.iastate (dot) edu>

> I'm announcing a CFP for a workshop that I'm chairing this year in
> affiliation with IEEE SECURECOMM.
> For the full CFP, visit:
> Workshop website:

Copyright 2010, SecurityFocus