A common situation I encounter is a file, especially an email inbox file, that is zeroed out during a disk overflow crash. I use Thunderbird, so the mailboxes...
Hello, Not really sure if anyone can help me here or not. Or maybe point me in the right spot. I have a few questions, but first I will explain why I'm...
I will be out of the office starting 04/09/2007 and will not return until 04/18/2007. From 04/09 until 04/12, if it is urgent please call Ninfa Altadonna, my ...
... That is totally dependent on the resolution of the image. If it's a 1 megapixel image, then it will get fuzzy fairly quickly vs an 8 megapixel image. When...
... I would suggest that Jacques has overlooked a middle ground: you can have a forensic analyst make and hold an image copy of the drive. Also have that ...
... Good point. For that matter you yourself could run data recovery tools against a copy/the image if you wished. But ultimately if it's going to court it...
Hello, And thank all of you for your replies. Yes, it could be the only thing we have. So, is there any way I can look to see if it's just still on there....
... Regards to looking at it without messing anything up, that can be done by booting the computer with a forensically sound live CD (this being a Linux system...
I thought that this would be the correct group to learn what software OR written procedures are being used to be the overall structure for a department. I know...
Greetings All, I have a case where it is suspected that a highly skilled individual was given a WinXP laptop system acquired from a deceased user's effects,...
Steve Fowler
sfowler@...
Apr 27, 2007 1:54 am
2512
... Two areas that you can look at to help you determine if date/time manipulation took place would be the Windows events logs (.evt files) and the Windows...
... Look for evidence of Windows re-activation, as the most effective way to remove evidence is to trash the drive and the most effective way of covering that...
If history files can be scrounged up from active or unallocated space, it might also be interesting to see if there are places where history dates are way out...
The below was found on another board. I believe it may be what you are looking for. Test before relying on the validity of the information as the UserAssist...
... Neat. Didn't know that one. I tested it quickly and it seems to only change when you make a change to the date/time. I was double clicking on the time...
Steve, I'm not sure I've got a grasp exactly of the problem, so I can't really offer any solution. That being said, if it's thought that this user only ...
I've been playing around with the dd command using the conv=noerror,sync option. I was always told that sync will pad sectors generating read errors with \x00...
It is a good question, but there are some forensic reasons for using the sync option, for instance if you are backing up or reading from a tape you will have...
The reason for the "sync" option is so that your offset remains the same and the data can be intelligently interpreted, as I am sure you are aware. Your...
On 5/9/07, Bob Kardell <bobkardell@...> wrote: <snip> ... Thanks for that info Bob. My only concern with your method is that with the dd option | to md5...
On 5/10/07, Sutton, Blare <bsutton@...> wrote: However, you may be interested to note that dcfldd has an inbuilt ... Interesting. I was not aware of...
... That is correct. And if you are zero filling due to read errors, you are also hashing those zeros that you write. But we are talking best evidence rules...
... A. No. No data is added to the original file. The hash is computed based on the exact duplicate, and on a pad used to fill the final block after the ...
Thanks Blare for that excellent explanation! Very good, detailed info. And thank you Stevens for your feedback. Of course I was playing Devil's advocate and...
It's good for all of us here to play the advocate for both sides. No telling what a judge will permit or how well your (or the other side's) lawyer will...
... My involvement has been on the criminal side. I've only had to testify a few times (most times I'm not required either because of a guilty plea,...
... Agreed! That is why I have always advised _against_ the detailed, meticulous, paramilitary-style logging forms that police departments routinely use....
Hello All, I am selling a Logicube Forensic MD 5 with hard case. I purchased the unit a little over a year ago and have only used it 6 times. I had the same...