I've been playing around with the dd command using the conv=noerror,sync option. I was always told that sync will pad sectors generating read errors with \x00...
It is a good question, but there are some forensic reasons for using the sync option, for instance if you are backing-up or reading from a tape you will have...
The reason for the "sync" option is so that your offset remains the same and the data can be intelligently interpreted, as I am sure you are aware. Your...
On 5/9/07, Bob Kardell <bobkardell@...> wrote: <snip> ... Thanks for that info Bob. My only concern with your method is that with the dd option | to md5...
On 5/10/07, Sutton, Blare <bsutton@...> wrote: However, you may be interested to note that dcfldd has an inbuilt ... Interesting. I was not aware of...
... That is correct. And if you are zero filling due to read errors, you are also hashing those zeros that you write. But we are talking best evidence rules...
... A. No. No data is added to the original file. The hash is computed based on the exact duplicate, and on a pad used to fill the final block after the ...
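The padding behaviour discussed in the first three messages, and its effect on the hash raised in the two messages just above, as an added example that is not code from anyone in this thread. It uses a constructed 1000-byte file in place of a device: the short final read takes the same path in dd as a block that could not be read, so the image comes out block-aligned with NUL padding only when `sync` is given, and the checksum of that image no longer matches the checksum of the source. `cksum` is used because it is POSIX; `md5sum` or `sha256sum` show the same divergence.

```shell
#!/bin/sh
# Added example (not from the list thread): what conv=noerror,sync does to an
# image and to its hash. The input is a constructed 1000-byte file standing in
# for a device whose last read comes up short, the same code path dd takes for
# a block it could not read.

dd_sync_demo() {
    tmp=$(mktemp -d)
    src="$tmp/source.bin"
    plain="$tmp/noerror.dd"
    padded="$tmp/noerror_sync.dd"

    # constructed input: 1000 bytes of 'A', deliberately not a multiple of 512
    dd if=/dev/zero bs=1000 count=1 2>/dev/null | tr '\0' 'A' > "$src"

    # conv=noerror alone: a short read is written as-is, and on a real read
    # error nothing is written for that block, so everything after it shifts
    dd if="$src" of="$plain" bs=512 conv=noerror 2>/dev/null

    # conv=noerror,sync: the short (or failed) read is padded with NULs to a
    # full 512-byte block, so the image is 1024 bytes and offsets are preserved
    dd if="$src" of="$padded" bs=512 conv=noerror,sync 2>/dev/null

    src_size=$(wc -c < "$src" | tr -d ' ')
    plain_size=$(wc -c < "$plain" | tr -d ' ')
    padded_size=$(wc -c < "$padded" | tr -d ' ')

    # the bytes beyond the source length must all be NUL
    extra=$((padded_size - src_size))
    nonnul=$(tail -c "$extra" "$padded" | tr -d '\000' | wc -c | tr -d ' ')
    if [ "$nonnul" -eq 0 ]; then pad=yes; else pad=no; fi

    # the zeros written by sync are hashed along with the data, so the padded
    # image does not reproduce the checksum of the source
    h_src=$(cksum < "$src" | cut -d' ' -f1)
    h_plain=$(cksum < "$plain" | cut -d' ' -f1)
    h_padded=$(cksum < "$padded" | cut -d' ' -f1)
    if [ "$h_src" = "$h_plain" ]; then plain_match=same; else plain_match=differ; fi
    if [ "$h_src" = "$h_padded" ]; then padded_match=same; else padded_match=differ; fi

    rm -rf "$tmp"
    # fields: src_size plain_size padded_size padding_is_nul plain_vs_src padded_vs_src
    echo "$src_size $plain_size $padded_size $pad $plain_match $padded_match"
}

dd_sync_demo
```

Two practical points follow from the output. First, `sync` pads the whole failed read to `bs`, not just the bad sector, so on failing media use `bs=512` (or the device's real sector size) rather than a large block size, or a single unreadable sector turns into megabytes of zeros. Second, the hash you record must be taken over the same bytes you hashed later: either hash the source device in the same pass (dcfldd, mentioned above, can do that) or document that the image contains `sync`-padded regions, since the padded image will never hash to the same value as the raw device.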
Thanks Blare for that excellent explanation! Very good, detailed info. And thank you Stevens for your feedback. Of course I was playing Devil's advocate and...
It's good for all of us here to play the advocate for both sides. No telling what a judge will permit or how well your (or the other side's) lawyer will...
... My involvement has been on the criminal side. I've only had to testify a few times (most times I'm not required either because of a guilty plea,...
... Agreed! That is why I have always advised _against_ the detailed, meticulous, paramilitary-style logging forms that police departments routinely use....
Hello All, I am selling a Logicube Forensic MD 5 with hard case. I purchased the unit a little over a year ago and have only used it 6 times. I had the same...
I am working with a drive image in EnCase (6.5 Enterprise). I am just starting to learn EnCase so bear with me. The image I am working with is 40gb and is...
... Well, if you want to get the deleted files on the drive, use TCT/Autopsy then. If you want help in using Encase, report it as a bug to the software vendor...
Harry Duncan <usr.src.linux@...>, May 16, 2007 7:22 pm, message 2538
... I don't have EnCase in front of me, but I suspect the case is that you are filtering for deleted files, not deleted and overwritten (which may be what...
... Forgot to mention, the other issue is if you have the home plate on the entire case. If not, you will only see files for the directory in which you are...
While this is a *nix forensics list, not an EnCase forensics list (EnCase has its own list), the variances you noted are variances in the approaches the two...
Hi All, I appreciate that this may be bread and butter to most on this list, but if you don't know you don't know :) How do I go about viewing compound file...
... From the snippet you've posted: 1) His dictionary definition of forensics is incorrect / incomplete. 2) His view on the usefulness of digital forensics is...
yes, several people posted comments on the original web page that it was poorly written. aside from that, has anybody here encountered these problems? I knew...
This sort of thinking is perpetual in magazines aimed at senior corporate officers. The line about "hobby level" is especially telling. He's just playing to...
Digital Investigation: The International Journal of Digital Forensics & Incident Response The Journal of Digital Investigation is a widely referenced...
nikkel@..., Jun 5, 2007 1:13 pm, message 2549
Hi, I am currently working on an image of a 20 Gb /root partition (/dev/sda2). I then used foremost to look for video files of interest and found a number of...
Hi Stu, ... What strings are you looking for? What grep terms? How are you looking for the file? Was the file allocated or unallocated? ... Nothing at all?...