Talk:Main Page

From ForensicsWiki
Revision as of 16:26, 16 March 2018 by Lehi (Talk | contribs) (Getting Started with FTK: new section)

Jump to: navigation, search

what about the validation of legal/illegal licenses of commercial software?

I'm sometimes requested by the Courts to process with investigations in order to detect is a company is using software (e.g. AutoCad, MS Office, Adobe) with licenses or not. The evidence of such stuff is easy or not. The display of the "About" is sometimes enough but for some software the evidence is not so easy.

May I propose we open a new section to address such topics?

What do you think? --Chuv 04:16, 19 July 2007 (PDT)

Sounds like a good idea. How about How to determine if software is legally licensed? It should probably go in the Category:Howtos. Jessek 16:11, 19 July 2007 (PDT)

Global Directory of Analysts

I am setting up a global directory of computer forensics analysts, and am looking for feedback to the idea. Although the directory is in the UK, I want it to be global. Any thoughts, please put them on Computer Forensics [1] in the forums section. Thanks and regards, Simon

Given the lack of response I'm not sure this is a viable idea. Jessek 21:13, 26 February 2007 (PST)
Doesn't seem like a good idea to me. Simsong 18:50, 15 March 2007 (PDT)
Response is small because the very idea and both sites are not well known within North America. Computer forensics here has been mostly a secondary role rather than a principal focus. To raise awareness of both efforts, this wiki and, you need to get their existence promoted in major publications and the primary professional organizations.

List of OS changed files at boot time or poweroff.

Some times i found useful to know which files are changed on boot time of OS or on poweroff. For example to know what happened with OS ( Windows or Linux or ... ) what files to exclude or include by investigation. So i started collect this information with qemu and mactime. I think this wiki is the best place to post it, what do you think haw should i name it and the category? Also i will thankful if some one can correct my English.

I would encourage you to post it at Files changed at boot:Windows XP, Files changed at boot:Windows Vista, and the like. Simsong 18:53, 25 October 2007 (PDT)

Organizing Anti-Forensics and Page Naming query

I've made a start on trying to organize the Anti-Forensics information creating a number of sections including Category:Anti-Forensics. I created a category for Category:Anti-Forensics Tools(uppercase) with out realising there was already a Category:Anti-forensics tools (lowercase). Is there any standardization on whether page titles should be upper or lower case? I would have though upper case being the better option... Fsck 22:43, 4 July 2008 (UTC)

I've started a weekly posting of forensics research. In my quick review of the other websites that come up when doing a google search for "computer forensics" it seems that nothing is really up-to-date, so perhaps we can start a more active community here. Perhaps this will grow into a blog roll. Simsong 23:46, 5 July 2008 (UTC)

What about next Selected Forensics Research? Two months passed without updates .FUF 21:10, 17 October 2008 (UTC)
I got radically overcommitted. I'll try to post something this weekend. Simsong 06:35, 18 October 2008 (UTC)

Removal of non-contributing users

I've written a little SQL statement which will remove the 1100 or so usernames that have been registered but which have never contributed anything and have no talk. This was considered for the mediawiki project but never implemented (weird). Anyway, unless there is a suggestion, I'll go ahead and do it... Simsong 05:10, 20 August 2008 (UTC)

Tools table

Is it possible to add Wireshark and NetworkMiner to the Tools table on the Main Page (here: Network Forensics: Snort, ... )? .FUF 17:08, 11 September 2008 (UTC)

Done Simsong 04:40, 12 September 2008 (UTC).

Did you know?

What about organizing "Did you know?" section with some interesting facts from articles (like in Wikipedia)? .FUF 12:34, 29 October 2008 (UTC)

I don't think that we have enough people to do this. Simsong 06:50, 19 July 2009 (UTC)

Wiki News

I have updated the version of SpamBlacklist. Simsong 23:49, 30 October 2008 (UTC)

I have fixed the server config file so we now get /wiki/ URLs. Simsong 20:33, 3 November 2008 (UTC)

Forensics Mailing List

Hello all. I would like to ask, are there any mailing list focus on forensics? I need reference here. --Zakiakhmad 09:48, 13 March 2009 (UTC)

It seems a little bit passive this discussion --Zakiakhmad 03:16, 23 March 2009 (UTC)


Ajax has been enabled by adding these settings to the LocalSettings.php file:

 $wgUseAjax = true;
 $wgEnableMWSuggest = true;
 $wgMWSuggestTemplate =SearchEngine::getMWSuggestTemplate() . '&limit=20';
Yours wikily, Simsong 06:49, 19 July 2009 (UTC)

Zalety i Wady - obiektywnie wyłącznie inżynierowie forensics

Analiza SIM karty danych i odzyskiwania usuniętych danych ANALYSIS SIM CARD DATA AND RECOVER DELETED DATA

Odzyskiwanie skasowanych wiadomości SMS / tekst i wykonać kompleksową analizę danych na karcie SIM. Karta SIM ma zajęcia nabycia karty SIM i elementy analizy zajęciu urządzenia parabenów i umieszcza je w specjalistyczne karty SIM nabycia kryminalistycznych i narzędzie do analizy. Karta SIM zawiera zajęcia programowe, jak Forensic SIM Card Reader. Jeśli masz już zajęcia Device & Device Seizure Toolbox, nie ma potrzeby, aby otrzymać karty SIM zajęcia, jak również dlatego, że zawierają składniki, aby wykonać kryminalistycznych badań karty SIM i analizy. Jest to narzędzie dla badacza, który chce nabyć tylko karty SIM i nie chcesz wykonać kryminalistycznych egzaminów wszystkich danych z telefonu komórkowego. Karta SIM zawiera bezpłatne zajęcia roczną subskrypcję z zakupu.

SIM Card Seizure has unicode support to read multiple languages such as Arabic, Chinese, & Russian: Features:

   * Forensic SIM Card Reader Included
   * Calculates MD5 & SHA1 Hash Values
   * Search Function
   * Recovers Deleted SMS Data*
   * Bookmarking Options
   * Report Creation Wizard
   * Save Workspaces for Further Review
   * Time Stamps Calculate GMT Offset
   * Access to Paraben's Forum
   * Access to Paraben's 24 Hour Support

Data Acquired from SIM Cards

   * Phase Phase ID
   * SST SIM Service table
   * ICCID Serial Number
   * LP Preferred languages variable
   * SPN Service Provider name
   * MSISDN Subscriber phone number
   * AND Short Dial Number
   * FDN Fixed Numbers
   * LND Last Dialed numbers
   * EXT1 Dialing Extension
   * EXT2 Dialing Extension
   * GID1 Groups
   * GID2 Groups
   * SMS Text Messages
   * SMSP Text Message parameters
   * SMSS Text message status
   * CBMI Preferred network messages
   * PUCT Charges per unit
   * ACM Charge counter
   * ACMmax Charge limit
   * HPLMNSP HPLMN search period
   * PLMNsel PLMN selector
   * FPLMN Forbidden PLMNs
   * CCP Capability configuration parameter
   * ACC Access control class
   * LOCI Location information
   * BCCH Broadcast control channels
   * Kc Ciphering key

Pytanie 1 _________

Jakie zalety na pierwszy plan, a jakie wady które można zignorować w śledztwie?


In an attempt to deal with spam, account creation now requires confirmation.

OLM Viewer

Kernel OLM Viewer is more reliable perfect software, It can easy to viewed from Outlook 2011 OLM file on Windows platform using this utility. This software easy to display all OLM Items like emails, calendar, contacts, tasks, journals, and notes. That software supported all update OS version such as windows 8.1 or 8 and MS outlook 2013.

Click here - http:☣wwwnucleustechnologies·com/olm-viewer·html

Getting Started with FTK

Using FTK: FTK is database driven, it uses postgres database to organize its case data. Therefore one of the first things you’d have to do is to set up a postgres db. Once a db is set, Login into FTK and create a case:

Open FTK > Case > New > (Fill in Case details: Case Name and Case Folder Directory) Choose a Processing profile (the different profiles are predefined configurations with aim to facilitate your forensics analyzes, you can also customize your own if you’d like) Manage Evidence screen will pop up, this is where you add the evidences such as images, files, physical drive, etc. Add > Pick evidences you want to load > Select timezone in which the evidences will be based from > OK > Wait FTK to load evidences into the case (database). > Close Explore: Allows users to explore the full image including partitioned and unpartitioned space. From this tab a user can view the content of the image, create bookmarks for further investigation or for items to add to a report, and to activate QuickPicks.

Overview: The overview tab breaks down all of the content discovered in the image and puts them into different categories. File Items logically separates discovered items by those you have checked, items that are marked as evidence, and items that haven’t been checked. File Extension organizes found items by their extension. Items that show up red have the named extension but has been identified as a different file extension. File Category groups items by the categories they fall under whether they are documents, presentations, graphics, system files, etc. These categories are grouped further to be more specific and can be seen by clicking the plus sign next the category. File Status groups items by the alert, red flags, or warnings they give off. These include bad extensions where the item says it is one file type but is really a different file type, encrypted files, deleted files, KFF flagged, etc. Email Status groups items by if they are attachments, replys, forwarded, or related content. Labels are created and set by the user. Bookmarks are created and set by the user.

Email: The Email tab is similar to the email section in the Overview tab but further breaks down the content for analysis into categories by organizing them by things such as date, who the sender was, or who the recipient was.

Graphics: The Graphics tab is used to quickly view the graphics in the image. This is very handy when used in conjunction with the QuickPicks selector. QuickPicks is activated by selecting the arrow to the left of the content. If the arrow is filled green that means QuickPicks is activated for that folder/section. Images under areas where QuickPicks has been activated will be available for quick access and viewing in the Graphics tab. (Tip: If you are unable to turn on QuickPicks you may need to make sure it is enabled on the top bar next to “Filter Manager”)

Video: The Video tab makes it easy to view video content and analyze it. Videos can usually be played from a built in viewer in FTK. If the videos do not play in FTK the video can be right clicked on and a user can use “Open With …” to select the appropriate application for viewing the video. This tab will also create thumbnails of the video at specified time or percentage segments to allow quicker examination of the content of the video without needing to watch the whole video. Internet/Chat: The Internet/Chat tab organizes and groups files that have been found on the image that relate to browsers and online chat rooms/clients. Bookmarks: Bookmarks are used to easily keep track of and organize files for things like further investigation or things that are evidence. To add items to bookmarks just right click on the item you want to create or add a bookmark for and select the option you want to use. Bookmarks can be created from most of the other viewing tabs.When creating a new bookmark it must be given a name and be given a parent bookmark.

Live Search: The Live Search tab allows a user to create a live search on the image and supports text, pattern/regex, and hex searching. On the pattern section there are some play image buttons next to the text entry box. These provide regex assistance and some predefined regex searches that can search for things such as credit card numbers. Live Search is much slower than index search.

Index Search: The Index Search tab is used to do searches among the indexed content. Upon case creation and the addition of the evidence FTK should have already indexed the image. Index search is very fast and can also accumulate the results of multiple search terms.

System Information: The System Information tab provides the system information that may be difficult to find. Here you can find a list of users and their hashes, what applications are installed, and even what URLs they have viewed in browsers. It is not uncommon for there to be no information when you get to this tab. If that is the case select Evidence > Additional Analysis > Indexing / Tools > Generate System Information. Then select “OK” and the system information will be gathered and then should show up in the “System Information” tab when processing is complete.