Looking at a drive and I can't locate the index.dat files for Internet History. MS Internet Explorer version 3 was used here mostly. I know I should be looking...
Greetings, Maybe you are thinking of Mm256.dat and Mm2048.dat Files Quote: The Mm256.dat and Mm2048.dat files are cache files used by Internet Explorer...Note...
If those files were empty, and the computer HAD been used to access the web, then there's a strong shot that a "cleaner" was used. Almost all advertise to...
There's no indication that a cleaner was used at all so I think Internet Explorer was set to use the minimum amount of disk space for historic files, thus the...
Defense side of things. Can anyone recommend a Dr. that's conversant in court regarding distinguishing what is, (or not) a depiction of a real child off an...
You dont need a Dr. An experienced sexual abuse investigator that has been certified as an expert in a federal court will work. I believe retired Las Vegas...
... I am sure you know what you are doing, but as a guy who unfortunately had a close look at CP related laws in different countries, I'd suggest staying as...
... Rest assured. You can consider me as being 100% within the law in regards to this type of forensic image shite. And 99+% within the law on other things...
Hello group, I have a 40GB 3.5" Toshiba Hard drive that has a partition setup like this: /dev/hda ~40,000,000,000 /dev/hda1 ~15,000,000,000 Windows FAT32 ...
Slightly off topic, but the Atlanta Chapter of the HTCIA is again hosting the 2005 Southeast Cybercrime Summit in metro Atlanta. www.atlccs.com. The Summit is...
why don't you post the output to : # sfdisk -l -Su /dev/hda That may provide a little more information. Tony. securehell <securehell@...> wrote: Hello...
... It looks like the logical partition starts (hda5) starts way farther into the extended partition than is normal (63 sectors). You'll have to get some...
(Without write blockers) If both are windows operating systems what actually alters on a slave drive upon normal boot up? Recycle bin is on both of course....
If you are using NT, 2K, XP, and the second drive is NTFS, the MFT table will be changed (I.E will clean up any thing in the MFT that was not in order.) Joe...
2nd question to this thread. I appreciate this is a *nix group but I still think it might be a valid point here. ~~~~ If I use Windows (like maybe iLook...
This may not be what your looking for, but according to a forensic book I have and some courses I've taken, Windows alters some 200 + files each and every time...
Luis Salazar
Luis.Salazar@...
Feb 9, 2005 12:31 am
1292
Now I am sure that was some very helpful information. ... http://us.click.yahoo.com/TzSHvD/SOnJAA/79vVAA/M4xqlB/TM...
Read-only mode or virtual image view mode would work fine Luis. But the restoring (and not shutting off the system immediately thereafter) appears to alter...
Thanks for the follow-up, I knew my answer was to basic. But I couldn't resist joining the thread. I'll keep reading. Thanks. ... Read-only mode or virtual...
Luis Salazar
Luis.Salazar@...
Feb 9, 2005 1:19 am
1295
You bring up another good point here Luis. Regarding what is actually on the drive that the user knows about, installed,, or even a forensic examination can't...
Hello, I have a weird linux forensics related question. I typed up a long document in a window inside of mozilla firefox. For some reason it failed; I...
... Hello Marc, ... In all the system generally a lot of part of data is recoverable. The first thing to do in order to recover the swap space in a Linux ...
Hello everyone, My name is David and I am new to Computer Forensics and have just started reading the old posts. I have a question and wondering if anyone can...
Having problems with message search?
Fill out this form to ensure your group is one of the first to be migrated to the new message search system.
