
Digital forensics


GrammarViz 3.0. Time series anomaly and recurrent pattern discovery made interactive.

GrammarViz 3.0

Memory forensics

Hi, On 8 Feb 2011, at 19:37, Phillip Susi wrote:
> Is there a debugfs-like tool somewhere? I would like to manually manipulate a test volume for debugging purposes.

The closest to a debugfs-like tool would be Microsoft's own NTFS DiskEdit, which can be found for example on the Windows NT4 Resource Kit CD. Other than that you can use a combination of tools.

Ext4 - Reverse lookup of inode/file from offset in raw device on linux and ext3/4? This article gives details on how to find out which file owns a given disk sector.


The main purpose for doing so is finding out which file was damaged in the event a storage device develops any bad sectors (that way you will know if you lost anything important). For most of these commands you will have to be either root or a user that has direct read access to the drive you are checking (being a member of the disk group should be enough). As usual, a current backup is always a good idea, especially if imminent drive failure is suspected. S.M.A.R.T. can help determine that. Finding bad sectors.

Android forensics

But what is a Fourier series? From heat flow to circle drawings. Digital Forensics and Incident Response Blog. I shall be posting a series detailing the additional data not included in the paper [1] on recovering overwritten data in the following weeks.

Digital Forensics and Incident Response Blog

My thanks to Dave Kleiman (one of the original paper's co-authors with myself) for reviewing and adding some details to this post series. Due to the limitations of peer-reviewed papers, much of the detail of a process is commonly lost. This series of posts will endeavor to fill out the areas that are not covered in the paper in any detail and also add some further level of knowledge.

iPhone forensics

124 - Cold Boot Attack! - dump a computer's memory to a USB drive - RMPrepUSB. Free Computer Forensic Software. The Best Open Source Digital Forensic Tools – H-11 Digital Forensics. Forensic investigations are always challenging, as you need to gather all the information you can to support the evidence and the mitigation plan.

The Best Open Source Digital Forensic Tools – H-11 Digital Forensics

Here are some of the computer forensic investigator tools you would need. Most of them are free! Whether it’s for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn a new skill, these suites and utilities will help you conduct memory forensic analysis, hard drive forensic analysis, forensic image exploration, forensic imaging and mobile forensics. Autopsy User Documentation: Quick Start Guide. Data sources are added to a case.

Autopsy User Documentation: Quick Start Guide

A case can have a single data source or it can have multiple data sources. Currently, a single report is generated for an entire case, so if you need to report on individual data sources, then you should use one data source per case. Use PowerShell and Regular Expressions to Search Binary Data – Hey, Scripting Guy! Blog. Summary: Guest blogger and pioneer of the PowerSploit module talks about using Windows PowerShell and regular expressions to search binary data.

Use PowerShell and Regular Expressions to Search Binary Data – Hey, Scripting Guy! Blog

Microsoft Scripting Guy, Ed Wilson, is here. Today we kick off a four-part Windows PowerShell and security series with a new guest blogger, Matt Graeber.

Mac forensics

Hardware forensics. STANDS4 Web Services - Synonyms API. OSForensics - Digital investigation for a new era by PassMark Software® Showing Evidence. How I Cracked your Windows Password (Part 2) If you would like to read the first part in this article series please go to How I Cracked your Windows Password (Part 1).

How I Cracked your Windows Password (Part 2)

Introduction In the first part of this series we examined password hashes and the mechanisms Windows utilizes to create and store those values. We also touched upon the weaknesses of each method and possible avenues that can be used to crack those passwords. In the second and final article in this series I will actually walk you through the process of cracking passwords with different free tools and provide some tips for defending against having your password cracked.

Windows registry quick reference. Digital forensics method validation: draft guidance (second consultation) - Consultations. Users Guide · log2timeline/plaso Wiki. This page is work in progress.

Users Guide · log2timeline/plaso Wiki

How to get started: first determine which version of plaso is most suitable to your needs; for more information see Releases and roadmap. Installing the packaged release: to install the packaged release see: SANS Computer, Digital Forensics, Incident Response Summit Archives. Windows Forensic Analysis DVD Toolkit - Harlan Carvey. Windows Forensic Analysis. Registry Analysis (Windows Forensic Analysis) Part 7. Finding Users Information about users is maintained in the Registry, in the SAM hive file.

Registry Analysis (Windows Forensic Analysis) Part 7

Under normal circumstances, this hive is not accessible, even to administrators, not without taking special steps to manually edit the access permissions on the hive. DEFT Linux - Computer Forensics live CD. The Law Society of Scotland - Directory of Expert Witnesses. Experts and expert witnesses. This was an appeal by a claimant in a clinical negligence claim. The defendant was a general practitioner who treated the claimant’s son. Despite treatment, the son died and the claimant sought damages for psychiatric injury based on the defendant’s alleged negligence. The Medical Defence Union (MDU) was acting for the defendant and instructed an expert to report. CRCnetBASE. DF marking form - Excellent - A thorough investigation and a very clearly structured, written and presented report. Most significant evidence recovered - certainly enough to mount a prosecution.

SysKey and the SAM. The Security Accounts Manager The Security Accounts Manager, or SAM, has been used by Windows since the days of NT to store information on local user accounts (or, in the case of a domain controller, the accounts for all users on the domain). It takes the form of a registry hive, and is stored in %WINDIR%\system32\config. Generally, two types of hash are stored in the SAM: the LanMan hash and the NT hash. The LanMan hash has many flaws: it is not salted, and is thus vulnerable to precomputed dictionary attacks such as rainbow tables.

Partition types: List of partition identifiers for PCs. Below is a list of the known partition IDs (system indicators) of the various operating systems, file systems, boot managers, etc. For the various systems, short descriptions are given in the cases where I have some info. Sepero/SearchBin. DPATechInfo.

Network forensics

Rattlesnake. SQLite. Streaming media. M Gowrie's data at Radaris - The #1 information search database on the web. Forensic visualization.