Hola Readers, Every image is a special snowflake in regards to what software you find installed. There are times, though, when an investigator, myself included, gets comfortable as to what to expect and what they believe their tools are already doing for them. I had such an occasion last month when I found an image where the user was using Google Chrome as their browser. The
Read More...

What did they take when they left? Part 4 (External Devices) - Where did it go and what did they take?
Howdy Reader, It's been quite some time since my last blog post, I apologize. Things have been pretty busy, apparently the recession/depression has really spurred civil crimes, and I had a very nice vacation. In our last time together we discussed more detectable methods of how suspects remove data from their systems. I've left off the most common and lengthy portion of the post so I could give
Read More...

What did they take when they left? Part 3 - Where did it go and what did they take?
Howdy Reader, In the prior posts in this series we've talked about how to determine if our suspect burned a CD and then what programs he ran before he left. In this post we will discuss ways our suspect could have taken data out of the system and how we can find out what they took. There are several options available to someone who wants to take data, depending on the environment they are in. They
Read More...

What did they take when they left? Part 2 - Finding out what they ran before they left
Hello Reader, In Part 1 we discussed how to determine if a CD was burned. Knowing what application it was burned with and what other tools they ran before they left is also important. User Assist: One way to determine this is with the UserAssist registry keys. Over the years since the UserAssist registry keys were first discovered (they were included in our Windows analysis chapter in 2005
Read More...

What did they take when they left? Part 1 - Detecting CD Burning
Dear Reader, We've been discussing server-level analysis for the last couple of posts, but there is plenty to talk about on the desktop. This will be a multi-part series discussing different artifacts that we can recover that give us provable facts regarding a user's activity. It is easy to speculate on actions based on speculative data such as access dates or related files or DLLs accessed on
Read More...

When is a PowerPoint file not a PowerPoint file?
Dear Reader, Today we will not discuss OWA again. Rather, we will discuss a peculiar case of a temporary file that led into a journey of discovery into Microsoft internals. I was working a case, Lockheed Martin v L-3, et al (6:05-cv-1580-Orl-31KRS), which has since settled, which involved amongst other things several files that were contained on a CDROM and accessed on a laptop. On this CDROM
Read More...

Outlook Web Access Log Analysis
Hello Reader, In this entry I'd like to discuss log analysis on Outlook Web Access servers. I've successfully used OWA log analysis in the past to quickly determine who has been reading mailboxes other than their own. Two pieces of information in the logs that exist by default in the OWA creation process allow this to occur. The first is that OWA uses NTLM authentication for web mail users who log
Read More...

YACFB - Yet another computer forensics blog
Hello readers, after recently searching for new tools and techniques I found Harlan Carvey's blog and this blog. I had no idea outside of the EnCase support forums, SMART support forums, and local HTCIA groups that there was a discussion of new findings. I am one of the co-authors of Hacking Exposed: Computer Forensics (second edition is being written as we speak) and a
Read More...