HexDrugsRockNRoll wrote:
Looks like it's Bitlocker that fills the space with '0x57'.
Nice find.
Confirmed from the mouth of the wolf:
http://blogs.technet.com/b/bitlocker/archive/2006/07/08/unallocated.aspx
Quote::
And finally, a bit of trivia: the noise that is used to overwrite free space is generated by encrypting a buffer filled with 0x57 (‘W’ in ASCII code). So, if you ever opened an encrypted volume in a disk viewer and wondered what those vast spaces filled with W’s are – that’s most probably unallocated space that has been wiped during encryption.
jaclaz
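A small forensic check built on the fact quoted above, added here as an example (not from the thread): on an unlocked BitLocker volume image, space that was unallocated at encryption time shows up as long runs of 0x57 ('W'), so a scanner for such runs separates BitLocker-wiped free space from ordinary zero-filled free space. The image below is constructed sample data; the 512-byte minimum run and sector size are assumptions.

```python
from typing import List, Tuple

WIPE_BYTE = 0x57            # 'W': the byte BitLocker encrypts to produce its wipe noise
WIPE_CHAR = bytes([WIPE_BYTE])
SECTOR = 512                # assumed sector size used for reporting


def find_wipe_runs(data: bytes, min_run: int = SECTOR) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of 0x57 at least min_run bytes long.

    Run this on the *unlocked* (decrypted) image: on the raw encrypted image the
    same regions look like random noise and nothing will be found.
    """
    runs = []
    pos = 0
    while True:
        start = data.find(WIPE_CHAR, pos)        # jump to the next 'W' quickly
        if start < 0:
            break
        end = start
        while end < len(data) and data[end] == WIPE_BYTE:
            end += 1
        if end - start >= min_run:               # ignore short 'W' runs inside files
            runs.append((start, end - start))
        pos = end
    return runs


def wiped_sectors(runs: List[Tuple[int, int]], sector: int = SECTOR) -> int:
    """Whole sectors covered by the detected wipe runs."""
    return sum(length // sector for _, length in runs)


# Constructed sample "volume": allocated sectors, two wiped regions, a short
# in-file run of W's that must be ignored, and ordinary zero-filled free space.
SAMPLE_IMAGE = (
    b"volume header (constructed)".ljust(SECTOR, b"\x00")
    + WIPE_CHAR * 2048                           # 4 sectors wiped by BitLocker
    + b"some file content here".ljust(SECTOR, b"\x00")
    + WIPE_CHAR * 100                            # legitimate data, too short to flag
    + b"\x00" * SECTOR                           # zero-filled free space, not BitLocker
    + WIPE_CHAR * 1024                           # 2 more wiped sectors
)

if __name__ == "__main__":
    for off, ln in find_wipe_runs(SAMPLE_IMAGE):
        print(f"0x57 run at offset {off} (sector {off // SECTOR}), {ln} bytes")
    print("wiped sectors:", wiped_sectors(find_wipe_runs(SAMPLE_IMAGE)))
```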
General Discussion: Artifacts of wiping
General Discussion: harddisk serial number
The following code fragment might give you an idea - largely based on a Microsoft example:
#include <windows.h>
#include <winioctl.h>
#include <string.h>

STORAGE_PROPERTY_QUERY propq;
BYTE outputbuff[1024];
DWORD dwRead = 0;
DWORD stat;
int k;

// ask the storage stack for the STORAGE_DEVICE_DESCRIPTOR of the open drive handle
memset(&propq, 0, sizeof(propq));
propq.PropertyId = StorageDeviceProperty;
propq.QueryType  = PropertyStandardQuery;

stat = DeviceIoControl(hDrive.dHandle,
                       IOCTL_STORAGE_QUERY_PROPERTY,
                       &propq, sizeof(propq),
                       outputbuff, sizeof(outputbuff),
                       &dwRead, NULL);
if (stat == 0) {
    stat = GetLastError();
    // AfxMessageBox("Error on IOCTL_STORAGE_QUERY_PROPERTY");
}
STORAGE_DEVICE_DESCRIPTOR *sdd = (STORAGE_DEVICE_DESCRIPTOR *)outputbuff;
// SerialNumberOffset is relative to the start of the descriptor; 0 means no serial reported
if (sdd->SerialNumberOffset) {
    // remove any leading spaces (the serial is a NUL-terminated ANSI string)
    for (k = 0; k < 0x20; k++) {
        if (outputbuff[sdd->SerialNumberOffset + k] != ' ') {
            break;
        }
    }
    memcpy(di[drive].drive_serial_number,
           outputbuff + sdd->SerialNumberOffset + k, 0x20);
}
General Discussion: Deleted data and guilt?
So, you plan to bring a passenger airplane down on March 8 and on February 3 you delete a bunch of files from your PC.
Quote::
It is thought the files were deleted last month by pilot Capt. Zaharie Ahmad Shah. Files containing records of simulations carried out on the program were deleted February 3.
http://www.dailymail.co.uk/news/article-2584123/Revealed-Malaysian-Airlines-pilot-high-security-US-base-Diego-Garcia-programmed-homemade-flight-simulator-deleted-data-just-taking-control-missing-plane.html
Quote::
Malaysia’s inspector-general of police, Khalid Abu Bakar, said an examination of the flight simulator seized from Capt Zaharie’s home revealed that the data logs were deleted on Feb 3. The simulator was apparently used to play three games: Flight Simulator X, Flight Simulator 9 and X-Plane 10.
http://www.telegraph.co.uk/news/worldnews/asia/malaysia/10709162/Malaysia-Airlines-Flight-MH370-Clues-deleted-from-Malaysia-Airlines-pilots-flight-simulator.html
The "news" (on the accusation front) is that:
he used the flight simulator to attempt landing on "short" strips
his flight simulator has data about a military airport Diego Garcia in the Maldives
#1 So WHAT? What the heck is the use of a flight simulator to a pilot/enthusiast if not experiment the most difficult scenarios?
#2 as well as the data of - say- 1500 other airports all around the world...
About credibility of the press, I believe that anyone that writes the following sentence (or that actually publishes it):
http://www.telegraph.co.uk/news/worldnews/asia/malaysia/10704769/Malaysian-Airlines-MH370-March-19-as-it-happened.html
Quote::
05.40 After ASMA said two objects up to 24 metres (78 ft 9 inches) in size had been spotted by satellite in the southern Indian Ocean, Reuters has published a list of the basic dimensions of the Boeing 777-200ER which was used on Malaysia Airlines Flight MH370, according to Boeing's website.
Wing span 60.9 metres (199 feet 10 inches)
Overall length 63.7 metres (209 feet)
Tail Height 18.5 metres (60 feet 9 inches)
Fuselage Diameter 6.19 metres (20 feet 4 inches)
(The length of each wing was not immediately available but the published data implies that each wing is about 27.4 metres long, after adjusting for the width of the fuselage).
is capable of *anything* evil.
I mean, WOW, (60.9-6.19)/2=27.355
I guess that no less than two consultants (a mathematician and an aviation expert) were called to obtain this astonishing result.
jaclaz
General Discussion: Password Recovery Software
fraudit wrote:
I've used both Passware and Elcomsoft password recovery suites and I've found the Passware product quicker and more effective. An important thing is that I used both of them almost exclusively for recovering archive and office docs passwords, not other applications and/or systems.
Hmmm, unless you did some specific tests, I wonder how you gathered this impression.
I mean, you have file xy.doc (or .zip or .docx or .xls or .xlsx).
You make a try at its password with tool "a" using (say) a dictionary.
Tool "a" either manages to get the password or it does not.
If it does, I doubt that you will be going on the same file with tool "b". (you already got the password)
If it does not, you try (with the same dictionary) the same xy file with tool "b".
Tool "b" either manages to get the password or it does not.
If it does, tool "a" sucks big and tool "b" works fine.
If it does not, either both tools suck big or your dictionary sucks big (or the password is a good, non-dictionary word).
Same applies for bruteforcing.
You make a try at file xy with tool "a" using bruteforce.
Tool "a" either manages to get the password or it does not.
If it does, I doubt that you will be going on the same file with tool "b". (you already got the password)
If it does not, you try (with the same bruteforce pattern, if any) the same xy file with tool "b".
Tool "b" either manages to get the password or it does not.
If it does, tool "a" sucks big and tool "b" works fine.
If it does not, either both tools suck big or your pattern (if any) sucks big.
Can you detail your experience?
jaclaz
Education and Training: Programming courses geared towards forensics
I'm aware that Control-F run a Python scripting course in the UK; however, I have not attended it:
http://www.controlf.net/training/ps1/
Mobile Phone Forensics: Mobile phone forensic software/tools equipement
Igor,
How do you like MobileEdit if you use it? I am going to try the demo and see how that works out.
Thanks,
Chris Currier
Mobile Phone Forensics: Nokia Lumia920 forensic problem
Apparently there is support for Windows 8 with the Secure View Physical component. Not sure if that will apply to Nokia though or not. I will have to try it out at some point as well.
Regards,
Chris Currier
General Discussion: Msc. Cyber Security Versus Msc. Forensics
I understand MobilePhoneForensic and do not get offended. As I told you before, I did not want to bias anyone's decision about which uni to go to. Personally my choice was between Cranfield and DMU. As you should be aware, I decided to go for a cyber security course at DMU because I believe that both security and forensic knowledge are essential for people in the forensic field. I am an open-minded individual and always looking to improve myself. But things could have been said in a nicer manner; maybe cross-cultural differences are playing a part here. I did give the university names in the previous reply. I did not see your post as a question, sorry; there was no question mark. My aspiration is surely to work in the forensic field, but I would also like to keep the security field open in case there is no job opportunity, and having good knowledge of both surely helps in real life. I hope I answered your question? I am sorry if I offended any of you guys, that was not my intention. Can you share with us, MobilePhoneForensic, why you chose DMU? I will start another post and will take my time to set up the poll, and if there is any bug I will contact the admin. I hope jaclaz is alright with this? Hope to see you, MPF, soon.
Thank you for your suggestions.
Regards,
davismu.
Mobile Phone Forensics: Can a SDCard be linked to a phone?
We have a number of likely candidates as regards handsets. Two were reset to factory defaults. Two others are resisting all attempts at a physical download... I haven't tried a logical yet.
General Discussion: Msc. Cyber Security Versus Msc. Forensics
Very brief input from my side, having just come across this thread.
The option to add a poll *is* buggy - it's a long-standing issue which I just haven't found the time to address yet. From memory, it works OK as long as you don't go back and edit or delete any of the possible responses once you've created the poll initially. If that does become necessary, it's probably better just to start again from scratch.
Apologies for any confusion/frustration caused by this issue, I will try to look into it and see if it can be fixed.
Jamie
Education and Training: Programming courses geared towards forensics
Sorry, I cannot help you with courses - I started over 30 years ago with Kernighan and Ritchie!
Cranfield have a very good reputation.
General Discussion: EO1 logical?
I took an image of an OS Partition using FTK Imager as an EO1 file. Never really took a logical image before because I always take full physical images (best practice) but I wasn't calling the shots this time. So now I can only see the volume stacks, txf, etc. and not the drive structure. I know I should have taken an ad1 image but I only have EnCase and not a full FTK. So, is there any way to load this or do I need to go back and take another image? Mahalo!
Education and Training: What Certs to get?
I found this entry through a search and InfoSecCow's answer was helpful to me as well, but I could use a little additional advice. I'm a 26 year veteran law enforcement investigator (detective for 13 years, unit and division commander for another 10) and as part of my job, investigated many computer crimes. While our state lab (I'm in the US) did the actual forensics, I was trained in seizing computers and arrested many, many bad guys for computer crimes. I would like to pursue a career in digital forensics and am looking for the best education route to fill out my experience and make me employable in the field. I have all the evidence, court, criminal justice stuff down pat - I just need to develop the technical skills. Any and all advice much appreciated.
Scott
Might I also ask the most-promising fields for the work - such as civil vs. criminal, corporate, etc? Thanks.
General Discussion: A software to show in a tree the FTK Imager filelists?
I uploaded a first test build here.
If somebody happens to have Visual Studio 2008 still installed (it can't be downloaded any longer) I'd need the files of an empty MFC MDI (Multiple documents) project created with the "Windows Explorer" style option, because the newer Visual Studio versions add a lot of bloat to the executables when the VCRT is linked statically due to the new ribbon/dock styling system.
Education and Training: What Certs to get?
Shoot me an email Scott. Cmore@77@verizon.net
General Discussion: A software to show in a tree the FTK Imager filelists?
francesco wrote:
I uploaded a first test build here.
If somebody happens to have Visual Studio 2008 still installed (it can't be downloaded any longer) I'd need the files of an empty MFC MDI (Multiple documents) project created with the "Windows Explorer" style option, because the newer Visual Studio versions add a lot of bloat to the executables when the VCRT is linked statically due to the new ribbon/dock styling system.
If the "express" edition is OK, you can still get it through Wayback Machine:
https://web.archive.org/web/20080902154840/http://www.microsoft.com/Express/Download/
http://download.microsoft.com/download/E/8/E/E8EEB394-7F42-4963-A2D8-29559B738298/VS2008ExpressWithSP1ENUX1504728.iso
jaclaz
Mobile Phone Forensics: Mobile phone forensic software/tools equipement
nlpd120 wrote:
Igor,
How do you like MobileEdit if you use it? I am going to try the demo and see how that works out.
Thanks,
Chris Currier
I sent a letter to you.
General Discussion: Deleted data and guilt?
The Flight 370 investigation is one of the best examples in recent history of where finding clues is most important, not establishing guilt. It highlights one of my personal crusades about making forensics faster and easier, because if we could analyze data quickly, the people whose lives are at risk might have a chance of survival. Flight 370, amber alerts, human trafficking, etc. - all examples of the importance of computer forensics for saving lives.
On the topic at hand, the first time I performed forensics on a computer with a "privacy cleaner" (anti-forensic) tool installed and periodically used, I was quite upset and tried to equate this somehow with an intention to cover the person's activities. However, I use CCleaner just to purge my caches of garbage from time to time in order to preserve SSD space. I must conclude then that the presence of cleaners does not equate to proof of intent for a specific purpose.
This poses a more basic question: Is the lack of evidence collected an indication of guilt by data destruction or is it an indication of innocence by something obviously not there?
A smart forensic examiner would try to substantiate either claim by looking at some other source- deleted files, registries and databases, networked computers, connected drives, USBSTOR data, etc. and find some proof either way. If the history or logs are deleted, there's often something else to turn to-- temporary files, file carving, non-mainstream software, backups, time stamps, timelines, program behaviors for removing logs, and the like.
With a few more details about how and when, knowing there is unrecoverable deleted data might show enough intent that the investigation can be expanded.
Eric
General Discussion: EO1 logical?
I asked because you are referring to E01 (e zero 1) as EO1 (e oh 1), and because of your concept of logical imaging. E01 images are sector images. E01 is not aware of, nor does it care about, file system structure.
A logical image of a drive would create a volume image at most, not the partition. Although in the PC world we often use partition and volume interchangeably, they are not the same. As a matter of fact, vendors often intermingle the two separate and different concepts.
Back to FTK Imager - if you image a "logical drive" (note that it is not logical image - it is logical drive) using E01 image you will get the whole partition, including folder and file structure, and the various associated slacks.
FTK Imager will not let you create a logical image in the E01 format. If you select "Contents of a Folder", which is the logical image, it defaults to AD1.
If you have an E01, it is most likely a full partition. You should have full access to the files.
laughingman_nicoli wrote:
Yes of course. I just found it odd that ftk imager would allow you to select logical and then select EO1. I figured this would be the outcome, but I suppose I was just hoping there was some way to mount it. Either way I got the drive back and took the physical image.
Employment and Career Issues: Opportunities in Australia
Hi mate, where are you located? email me at gmail --> ecophobia.