General Discussion: EnCase Second Copy
Joking aside, do you know you can still get a free processor dongle for each license you own? This allows you to process evidence without tying up a full license.
View ArticleMobile Phone Forensics: Phone hex dumps
schoon wrote: Can anyone give me a brief answer to the following general questions: 1. Why would you need a to do a physical (as opposed to a logical) phone dump? Because the hex dump or file system...
View ArticleForensic Software: Recovering H.264 video files with Defraser 1.3.0 for free ?
Quote:: With random data, you can always get false positive hits I agree. However, looking at the sample in my previous message, they are certainly false positives but their content doesn't look...
View ArticleGeneral Discussion: Raid 0 - Block Size (stripe size)
I'm trying to determine manually what the stripe size is for a RAID 0 setup I'm analyzing.. If i have the sector sizes, FAT1 and FAT2 entry sizes , etc, what do I do to determine the block size ? FAT1...
View ArticleMobile Phone Forensics: iPad 2 locked
bigjon wrote: mobileforensicswales wrote: If you do have the keys from the machine you could also try waterboard Does the Waterboard have their own examiners now ?? :lol:I think it was a misspelling,...
View ArticleForensic Software: Software to visually display areas that are non zero-filled?
Hi, I'm looking for a software, preferably for Linux and with a GUI, to display which areas of a drive contain data else than 0x00, and which would ideally allow to click in those areas to explore...
View ArticleForensic Software: Any carver that store LBA addresses ?
Hi, Is there any file carver that let explore the bytes that surrounds the found segments ? i.e. a low-level carver that 1) remembers addresses of carved contents 2) allow to open an hex editor that...
View ArticleGeneral Discussion: Raid 0 - Block Size (stripe size)
Do you have to do it manually? We just finished writing some code to do automatic detection of RAID layouts based on the RAID set meta data. PM me if you want to try it out.
View ArticleGeneral Discussion: Determine active user accounts on SBS 2003
No I looked at the NTUser.dat files for the various user accounts and with the list the IT guy gave me of current/deisabled/old accounts I used the timestamps to corroborate. Thanks again.
View ArticleForensic Software: GMail Header Information / IP Locations
Thanks Bulldawg, kinda suspected as much, but was hoping for some glimmer of light. I will look into the BSSID route, however there are a lot of connctioning to the internet happening via 3G dongles,...
View ArticleMobile Phone Forensics: IPhone 3GS with iOS6
Hi all, I have a IPhone 3GS with iOS 6 (no password protected) and I managed to do a physical acquisition using Cellebrite Physical Analyzer. I am trying to do recovering of photos which have been...
View ArticleMobile Phone Forensics: Phone hex dumps
Thanks very much. Those answers seem obvious now!
View ArticleForensic Software: Any carver that store LBA addresses ?
I am not really sure to understand the question. gsar: http://home.online.no/~tjaberg/ https://svn.osgeo.org/fdocore/branches/3.2.x/Thirdparty/gsar/man/cat1/gsar.1.txt Will: find a sequence of bytes...
View ArticleForensic Software: Monitoring copy operations in windows.
ashishdhingra81 wrote: I am looking at windows OS. basically problem on hand is theft detection when someone copies the file without accessing it and it need not be shared. Copy invoked by a user on a...
View ArticleMobile Phone Forensics: State of iPhone and iPad forensics (physical & logical)
Alistair wrote: - Physical and logical extraction possible on devices up to iPhone 4 and iPad 1 running firmware up to iOS 5. Physical Analyzer from Cellebrite supports physical and file system...
View ArticleGeneral Discussion: Likely locations for passwords?
Hi Jaclaz, thank you SO much for the clarification! That's just what I needed-I did as you recommended and attempted to extract the zip as normal (not even launching TC) and the password I used worked...
View ArticleEducation and Training: Ensript not producing any results
Been trying to write a simple enscript for a school project to read the information stored in the registry. Looked into enscript help and decided to try the registry class example script. while...
View ArticleGeneral Discussion: can't get physical image from HPFS/NFTS partition
digitalcoroner wrote: I have tried FTK Imager 3.1.2 and FTK 5.0 to take a physical image off of a hard drive that has a HPFS/NTFS partition. The partition always shows up as unrecognized. The hard...
View Article