Forensics Wiki - User contributions [en]

Talk:Main Page

2012-02-05T16:46:43Z

Cobalt2020:

== what about the validation of legal/illegal licenses of commercial software? ==

I'm sometimes requested by the Courts to process with investigations in order to detect is a company is using software (e.g. AutoCad, MS Office, Adobe) with licenses or not.
The evidence of such stuff is easy or not. The display of the "About" is sometimes enough but for some software the evidence is not so easy.

May I propose we open a new section to address such topics?

What do you think? --[[User:Chuv|Chuv]] 04:16, 19 July 2007 (PDT)

: Sounds like a good idea. How about [[How to determine if software is legally licensed]]? It should probably go in the [[:Category:Howtos]]. [[User:Jessek|Jessek]] 16:11, 19 July 2007 (PDT)

== Global Directory of Analysts ==

I am setting up a global directory of computer forensics analysts, and am looking for feedback to the idea. Although the directory is in the UK, I want it to be global. Any thoughts, please put them on Computer Forensics [http://www.computer-forensics.co.uk] in the forums section. Thanks and regards, Simon
: Given the lack of response I'm not sure this is a viable idea. [[User:Jessek|Jessek]] 21:13, 26 February 2007 (PST)
: Doesn't seem like a good idea to me. [[User:Simsong|Simsong]] 18:50, 15 March 2007 (PDT)
: Response is small because the very idea and both sites are not well known within North America. Computer forensics here has been mostly a secondary role rather than a principal focus. To raise awareness of both efforts, this wiki and computer-forensics.co.uk, you need to get their existence promoted in major publications and the primary professional organizations.

== List of OS changed files at boot time or poweroff. ==

Some times i found useful to know which files are changed on boot time of OS or on poweroff. For example to know what happened with OS ( Windows or Linux or ... ) what files to exclude or include by investigation. So i started collect this information with qemu and mactime. I think this wiki is the best place to post it, what do you think haw should i name it and the category? Also i will thankful if some one can correct my English.

I would encourage you to post it at [[Files changed at boot:Windows XP]], [[Files changed at boot:Windows Vista]], and the like. [[User:Simsong|Simsong]] 18:53, 25 October 2007 (PDT)

== Organizing Anti-Forensics and Page Naming query ==
I've made a start on trying to organize the Anti-Forensics information creating a number of sections including Category:Anti-Forensics. I created a category for Category:Anti-Forensics Tools(uppercase) with out realising there was already a Category:Anti-forensics tools (lowercase). Is there any standardization on whether page titles should be upper or lower case? I would have though upper case being the better option...
[[User:Fsck|Fsck]] 22:43, 4 July 2008 (UTC)

I've started a weekly posting of forensics research. In my quick review of the other websites that come up when doing a google search for "computer forensics" it seems that nothing is really up-to-date, so perhaps we can start a more active community here. Perhaps this will grow into a blog roll. [[User:Simsong|Simsong]] 23:46, 5 July 2008 (UTC)
:: What about next Selected Forensics Research? Two months passed without updates [[User:.FUF|.FUF]] 21:10, 17 October 2008 (UTC)
:::I got radically overcommitted. I'll try to post something this weekend. [[User:Simsong|Simsong]] 06:35, 18 October 2008 (UTC)
== Removal of non-contributing users ==

I've written a little SQL statement which will remove the 1100 or so usernames that have been registered but which have never contributed anything and have no talk. This was considered for the mediawiki project but never implemented (weird). Anyway, unless there is a suggestion, I'll go ahead and do it... [[User:Simsong|Simsong]] 05:10, 20 August 2008 (UTC)

== Tools table ==

Is it possible to add [[Wireshark]] and [[NetworkMiner]] to the Tools table on the Main Page (here: ''Network Forensics: Snort, ... '')? [[User:.FUF|.FUF]] 17:08, 11 September 2008 (UTC)
: Done [[User:Simsong|Simsong]] 04:40, 12 September 2008 (UTC).

== Did you know? ==

What about organizing "Did you know?" section with some interesting facts from articles (like in Wikipedia)? [[User:.FUF|.FUF]] 12:34, 29 October 2008 (UTC)
: I don't think that we have enough people to do this. [[User:Simsong|Simsong]] 06:50, 19 July 2009 (UTC)

== Wiki News ==

I have updated the version of SpamBlacklist. [[User:Simsong|Simsong]] 23:49, 30 October 2008 (UTC)

I have fixed the server config file so we now get /wiki/ URLs. [[User:Simsong|Simsong]] 20:33, 3 November 2008 (UTC)

== Forensics Mailing List ==
Hello all. I would like to ask, are there any mailing list focus on forensics? I need reference here. --[[User:Zakiakhmad|Zakiakhmad]] 09:48, 13 March 2009 (UTC)

: It seems a little bit passive this discussion --[[User:Zakiakhmad|Zakiakhmad]] 03:16, 23 March 2009 (UTC)

== AJAX ==

Ajax has been enabled by adding these settings to the LocalSettings.php file:
$wgUseAjax = true;
$wgEnableMWSuggest = true;
$wgMWSuggestTemplate =SearchEngine::getMWSuggestTemplate() . '&limit=20';

:Yours wikily, [[User:Simsong|Simsong]] 06:49, 19 July 2009 (UTC)

== Zalety i Wady - obiektywnie wyłącznie inżynierowie forensics ==

'''Analiza SIM karty danych i odzyskiwania usuniętych danych
ANALYSIS SIM CARD DATA AND RECOVER DELETED DATA'''

Odzyskiwanie skasowanych wiadomości SMS / tekst i wykonać kompleksową analizę danych na karcie SIM. Karta SIM ma zajęcia nabycia karty SIM i elementy analizy zajęciu urządzenia parabenów i umieszcza je w specjalistyczne karty SIM nabycia kryminalistycznych i narzędzie do analizy. Karta SIM zawiera zajęcia programowe, jak Forensic SIM Card Reader. Jeśli masz już zajęcia Device & Device Seizure Toolbox, nie ma potrzeby, aby otrzymać karty SIM zajęcia, jak również dlatego, że zawierają składniki, aby wykonać kryminalistycznych badań karty SIM i analizy. Jest to narzędzie dla badacza, który chce nabyć tylko karty SIM i nie chcesz wykonać kryminalistycznych egzaminów wszystkich danych z telefonu komórkowego. Karta SIM zawiera bezpłatne zajęcia roczną subskrypcję z zakupu.

SIM Card Seizure has unicode support to read multiple languages such as Arabic, Chinese, & Russian: Features:

* Forensic SIM Card Reader Included
* Calculates MD5 & SHA1 Hash Values
* Search Function
* Recovers Deleted SMS Data*
* Bookmarking Options
* Report Creation Wizard
* Save Workspaces for Further Review
* Time Stamps Calculate GMT Offset
* Access to Paraben's Forum
* Access to Paraben's 24 Hour Support

Data Acquired from SIM Cards

* Phase Phase ID
* SST SIM Service table
* ICCID Serial Number
* LP Preferred languages variable
* SPN Service Provider name
* MSISDN Subscriber phone number
* AND Short Dial Number
* FDN Fixed Numbers
* LND Last Dialed numbers
* EXT1 Dialing Extension
* EXT2 Dialing Extension
* GID1 Groups
* GID2 Groups
* SMS Text Messages
* SMSP Text Message parameters
* SMSS Text message status
* CBMI Preferred network messages
* PUCT Charges per unit
* ACM Charge counter
* ACMmax Charge limit
* HPLMNSP HPLMN search period
* PLMNsel PLMN selector
* FPLMN Forbidden PLMNs
* CCP Capability configuration parameter
* ACC Access control class
* IMSI IMSI
* LOCI Location information
* BCCH Broadcast control channels
* Kc Ciphering key

Pytanie 1
_________

Jakie zalety na pierwszy plan, a jakie wady które można zignorować w śledztwie?

==Spam==
In an attempt to deal with spam, account creation now requires confirmation.

Talk:Main Page

2012-02-05T16:45:55Z

Cobalt2020:

== what about the validation of legal/illegal licenses of commercial software? ==

I'm sometimes requested by the Courts to process with investigations in order to detect is a company is using software (e.g. AutoCad, MS Office, Adobe) with licenses or not.
The evidence of such stuff is easy or not. The display of the "About" is sometimes enough but for some software the evidence is not so easy.

May I propose we open a new section to address such topics?

What do you think? --[[User:Chuv|Chuv]] 04:16, 19 July 2007 (PDT)

: Sounds like a good idea. How about [[How to determine if software is legally licensed]]? It should probably go in the [[:Category:Howtos]]. [[User:Jessek|Jessek]] 16:11, 19 July 2007 (PDT)

== Global Directory of Analysts ==

I am setting up a global directory of computer forensics analysts, and am looking for feedback to the idea. Although the directory is in the UK, I want it to be global. Any thoughts, please put them on Computer Forensics [http://www.computer-forensics.co.uk] in the forums section. Thanks and regards, Simon
: Given the lack of response I'm not sure this is a viable idea. [[User:Jessek|Jessek]] 21:13, 26 February 2007 (PST)
: Doesn't seem like a good idea to me. [[User:Simsong|Simsong]] 18:50, 15 March 2007 (PDT)
: Response is small because the very idea and both sites are not well known within North America. Computer forensics here has been mostly a secondary role rather than a principal focus. To raise awareness of both efforts, this wiki and computer-forensics.co.uk, you need to get their existence promoted in major publications and the primary professional organizations.

== List of OS changed files at boot time or poweroff. ==

Some times i found useful to know which files are changed on boot time of OS or on poweroff. For example to know what happened with OS ( Windows or Linux or ... ) what files to exclude or include by investigation. So i started collect this information with qemu and mactime. I think this wiki is the best place to post it, what do you think haw should i name it and the category? Also i will thankful if some one can correct my English.

I would encourage you to post it at [[Files changed at boot:Windows XP]], [[Files changed at boot:Windows Vista]], and the like. [[User:Simsong|Simsong]] 18:53, 25 October 2007 (PDT)

== Anti-forensic Tools Link on Homepage ==

The anti-forensic tools link on the homepage of this wiki doesn't appear to go to the proper page, but rather goes to a pro-forensic tools page. Do we have a page just for anti-forensic tools? It would appear to me that the internal link should point to that type of a page rather than one on pro-forensic tools. Thoughts? [[User:Cobalt2020|AEI Forensics]]

== Organizing Anti-Forensics and Page Naming query ==
I've made a start on trying to organize the Anti-Forensics information creating a number of sections including Category:Anti-Forensics. I created a category for Category:Anti-Forensics Tools(uppercase) with out realising there was already a Category:Anti-forensics tools (lowercase). Is there any standardization on whether page titles should be upper or lower case? I would have though upper case being the better option...
[[User:Fsck|Fsck]] 22:43, 4 July 2008 (UTC)

I've started a weekly posting of forensics research. In my quick review of the other websites that come up when doing a google search for "computer forensics" it seems that nothing is really up-to-date, so perhaps we can start a more active community here. Perhaps this will grow into a blog roll. [[User:Simsong|Simsong]] 23:46, 5 July 2008 (UTC)
:: What about next Selected Forensics Research? Two months passed without updates [[User:.FUF|.FUF]] 21:10, 17 October 2008 (UTC)
:::I got radically overcommitted. I'll try to post something this weekend. [[User:Simsong|Simsong]] 06:35, 18 October 2008 (UTC)
== Removal of non-contributing users ==

I've written a little SQL statement which will remove the 1100 or so usernames that have been registered but which have never contributed anything and have no talk. This was considered for the mediawiki project but never implemented (weird). Anyway, unless there is a suggestion, I'll go ahead and do it... [[User:Simsong|Simsong]] 05:10, 20 August 2008 (UTC)

== Tools table ==

Is it possible to add [[Wireshark]] and [[NetworkMiner]] to the Tools table on the Main Page (here: ''Network Forensics: Snort, ... '')? [[User:.FUF|.FUF]] 17:08, 11 September 2008 (UTC)
: Done [[User:Simsong|Simsong]] 04:40, 12 September 2008 (UTC).

== Did you know? ==

What about organizing "Did you know?" section with some interesting facts from articles (like in Wikipedia)? [[User:.FUF|.FUF]] 12:34, 29 October 2008 (UTC)
: I don't think that we have enough people to do this. [[User:Simsong|Simsong]] 06:50, 19 July 2009 (UTC)

== Wiki News ==

I have updated the version of SpamBlacklist. [[User:Simsong|Simsong]] 23:49, 30 October 2008 (UTC)

I have fixed the server config file so we now get /wiki/ URLs. [[User:Simsong|Simsong]] 20:33, 3 November 2008 (UTC)

== Forensics Mailing List ==
Hello all. I would like to ask, are there any mailing list focus on forensics? I need reference here. --[[User:Zakiakhmad|Zakiakhmad]] 09:48, 13 March 2009 (UTC)

: It seems a little bit passive this discussion --[[User:Zakiakhmad|Zakiakhmad]] 03:16, 23 March 2009 (UTC)

== AJAX ==

Ajax has been enabled by adding these settings to the LocalSettings.php file:
$wgUseAjax = true;
$wgEnableMWSuggest = true;
$wgMWSuggestTemplate =SearchEngine::getMWSuggestTemplate() . '&limit=20';

:Yours wikily, [[User:Simsong|Simsong]] 06:49, 19 July 2009 (UTC)

== Zalety i Wady - obiektywnie wyłącznie inżynierowie forensics ==

'''Analiza SIM karty danych i odzyskiwania usuniętych danych
ANALYSIS SIM CARD DATA AND RECOVER DELETED DATA'''

Odzyskiwanie skasowanych wiadomości SMS / tekst i wykonać kompleksową analizę danych na karcie SIM. Karta SIM ma zajęcia nabycia karty SIM i elementy analizy zajęciu urządzenia parabenów i umieszcza je w specjalistyczne karty SIM nabycia kryminalistycznych i narzędzie do analizy. Karta SIM zawiera zajęcia programowe, jak Forensic SIM Card Reader. Jeśli masz już zajęcia Device & Device Seizure Toolbox, nie ma potrzeby, aby otrzymać karty SIM zajęcia, jak również dlatego, że zawierają składniki, aby wykonać kryminalistycznych badań karty SIM i analizy. Jest to narzędzie dla badacza, który chce nabyć tylko karty SIM i nie chcesz wykonać kryminalistycznych egzaminów wszystkich danych z telefonu komórkowego. Karta SIM zawiera bezpłatne zajęcia roczną subskrypcję z zakupu.

SIM Card Seizure has unicode support to read multiple languages such as Arabic, Chinese, & Russian: Features:

* Forensic SIM Card Reader Included
* Calculates MD5 & SHA1 Hash Values
* Search Function
* Recovers Deleted SMS Data*
* Bookmarking Options
* Report Creation Wizard
* Save Workspaces for Further Review
* Time Stamps Calculate GMT Offset
* Access to Paraben's Forum
* Access to Paraben's 24 Hour Support

Data Acquired from SIM Cards

* Phase Phase ID
* SST SIM Service table
* ICCID Serial Number
* LP Preferred languages variable
* SPN Service Provider name
* MSISDN Subscriber phone number
* AND Short Dial Number
* FDN Fixed Numbers
* LND Last Dialed numbers
* EXT1 Dialing Extension
* EXT2 Dialing Extension
* GID1 Groups
* GID2 Groups
* SMS Text Messages
* SMSP Text Message parameters
* SMSS Text message status
* CBMI Preferred network messages
* PUCT Charges per unit
* ACM Charge counter
* ACMmax Charge limit
* HPLMNSP HPLMN search period
* PLMNsel PLMN selector
* FPLMN Forbidden PLMNs
* CCP Capability configuration parameter
* ACC Access control class
* IMSI IMSI
* LOCI Location information
* BCCH Broadcast control channels
* Kc Ciphering key

Pytanie 1
_________

Jakie zalety na pierwszy plan, a jakie wady które można zignorować w śledztwie?

==Spam==
In an attempt to deal with spam, account creation now requires confirmation.

User:Cobalt2020

2012-02-05T16:36:48Z

Cobalt2020: Blanked the page

Talk:Timestomp

2012-02-05T16:35:48Z

Cobalt2020:

== Delete Timestamps? ==

The article text says something about TimeStomp being able to delete timestamps. That must surely be nonsense.

A timestamp (FILETIME) is just a number from 0 up to some maximum. It can be overwritten, it can be zeroed out, but it cannot be deleted. The timestamp 0 or 1 is as valid as any other timestamp.

There are some utility libraries that cannot convert such timestamps to 'strings', and instead produce something like 'Illegal time', or just an empty string, but that is due to bugs in that particular software, and should not be assumed to be anything else.[[User:Athulin|Athulin]] 09:07, 14 December 2011 (PST)

Wiebetech

2010-10-16T14:21:07Z

Cobalt2020:

http://www.wiebetech.com/

Various [[Write Blockers]], forensic field kits, etc.

[[Category:Vendors]]

Strings

2008-01-15T18:50:26Z

Cobalt2020:

Strings is a program that prints out any [[ASCII]] or [[Unicode]] strings in the input file. Forensic examiners can use strings to get a sense of the functionality of an unknown program. User prompts, error messages, and status messages can give hints, but should not be used as proof or lack or any functionality.

Most [[Linux]] distributions and other UNIX-like operating systems have a strings program included. There is a [[Windows]] version of strings by [[Microsoft|Microsoft's]] [[Mark Russinovich]]. Note that the Windows version prints an output header and searches for both ASCII and Unicode strings by default.

== External Links ==
* [http://www.microsoft.com/technet/sysinternals/Miscellaneous/Strings.mspx Strings for Windows]
* [http://www.openbsd.org/cgi-bin/man.cgi?query=strings Manual page for BSD version of strings]

Incident Response

2008-01-15T18:43:01Z

Cobalt2020: Added Sysinternals Link

{{Expand}}

Incident Response is a set of procedures for an investigator to examine a computer security incident. This process involves figuring out what was happened and preserving information related to those events. Because of the fluid nature of computer investigations, incident response is more of an art than a science.

== Tools ==

Incident response tools can be grouped into three categories. The first category is '''Individual Tools'''. These are programs designed to probe parts of the operating system and gather userful and/or volatile data. The [[SysInternals]] suite is frequently cited as a good example of incident response tools. They are self-contained, useful, discrete, and do not create a large footprint on the victim system.

Standalone tools have been combined to create '''Script Based Tools''' like [[First Responder's Evidence Disk|FRED]] or the [[Windows Forensic Toolchest|WFT]]. These tools combine a number of standalone tools that are run via a script or batch file. They require minimal interaction from the user and gather a fixed set of data. These tools are good in that they automate the incident response process and provide the examiner with a standard process to defend in court. They also do not require the first responder to necessarily be an expert with the individual tools. Their weakness, however, is that they can be inflexible. Once the order of the tools is set, it can be difficult to change. Some script based tools, such as [[Microsoft|Microsoft's]] [[COFEE]] allow the user to pick and choose which standalone tools will be used in a given examination.

The final category of tools are '''Agent Based Tools''' such as [[Mandiant|Mandiant's]] [[First Response]]. These tools require the examiner to install a program on the victim which can then report back to a central server. The upshot is that one examiner can install the program on multiple computers, gather data from all of them, and then view the results in the aggregate. Finding the victim or victims can be easier if they stand out from the crowd.

== See Also ==

* [[List of Standalone Incident Response Tools]]
* [[List of Script Based Incident Response Tools]]
* [[:Category:Incident response tools|Incident response tools category]]

== External Links ==
[http://technet.microsoft.com/en-us/sysinternals/0e18b180-9b7a-4c49-8120-c47c5a693683.aspx Sysinternals Suite]

== Papers ==

[http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders]

== Books ==

There are several books available that discuss incident response. For [[Windows]], ''[http://www.windows-ir.com/ Windows Forensics and Incident Recovery]'' by [[Harlan Carvey]] is an excellent introduction to possible scenarios and how to respond to them.

HTML

2008-01-15T18:08:55Z

Cobalt2020:

The '''Hypertext Markup Language''' ('''HTML''') [[file format]] is used to create/display web pages.

Its main purpose is to align text, images, or links on a website in a specific way. Web pages with '''.html''' or '''.htm''' extensions are examples of static web site files. Any server or database technologies require another language on top of HTML to create dynamic features in a web site. HTML files are mere [[TXT|plain text files]] whose contents follow certain rules.

HTML files are usually viewed using a [[Web Browser|web browser]], but can also be opened with a variety of other programs (i.e., notepad, hex editors, etc).

HTML can trace its development from SGML as a text-based markup language. [http://en.wikipedia.org/wiki/SGML]

== XHTML ==

The '''Extensive Hypertext Markup Language''' ('''XHTML''') is similar in nature to HTML, but has a stricter [[XML]]-based syntax.

== External Links ==

* [http://en.wikipedia.org/wiki/Html Wikipedia: HTML]
* [http://en.wikipedia.org/wiki/Xhtml Wikipedia: XHTML]
* [http://en.wikipedia.org/wiki/SGML Wikipedia: SGML]
* [http://www.w3.org/TR/html401/ HTML 4.01 Specification]
* [http://www.w3.org/TR/xhtml11/ XHTML 1.1 Specification]

[[Category:File Formats]]

AFIS

2008-01-15T17:29:06Z

Cobalt2020: Added link for more info.

The '''Automatic Fingerprint Identification System''' ('''AFIS''') is a system that reports if two [[fingerprint]]s are a likely match (that is, made by the same finger) or not a likely match.

AFIS is not a digital forensics technique, but it is a forensic technique that uses digital computers.

== External Links ==

[http://en.wikipedia.org/wiki/Automated_Fingerprint_Identification_System AFIS explained on wikipedia]

HFS+

2008-01-15T17:25:41Z

Cobalt2020: Added link & period.

HFS+, or Hierarchical File System Plus, is the file system designed by Apple Computer[http://www.apple.com] to supersede HFS. First introduced with Mac OS 8.1, one of the biggest differences was the lower allocation block size of 4kb, which increased performance and lowered fragmentation [http://developer.apple.com/technotes/tn/tn1121.html#HFSPlus]. It also implemented Unicode (rather than Mac proprietary formats) for naming files.

There are structurally many differences between HFS and HFS+, which are listed below[http://developer.apple.com/technotes/tn/tn1150.html#HFSPlusBasics]:
 
<CENTER><TABLE Border=1 cellpadding=2 cellspacing=0 width=75%>
<TR>
<TD>
Feature

</TD><TD>
HFS
</TD><TD>
HFS Plus
</TD><TD>
Benefit/Comment
</TD></TR>

<TR>
<TD>
User visible name
</TD><TD>
Mac OS Standard
</TD><TD>
Mac OS Extended

</TD><TD>

</TD></TR>
<TR>
<TD>
Number of allocation blocks
</TD><TD>
16 bits worth

</TD><TD>
32 bits worth
</TD><TD>
Radical decrease in disk space used on large
volumes, and a larger number of files per volume.
</TD></TR>
<TR>
<TD>
Long file names

</TD><TD>
31 characters
</TD><TD>
255 characters
</TD><TD>
Obvious user benefit; also improves
cross-platform compatibility
</TD></TR>

<TR>
<TD>
File name encoding
</TD><TD>
MacRoman
</TD><TD>
Unicode

</TD><TD>
Allows for international-friendly file names,
including mixed script names
</TD></TR>
<TR>
<TD>
File/folder attributes
</TD><TD>
Support for fixed size attributes (FileInfo and
ExtendedFileInfo)

</TD><TD>
Allows for future meta-data extensions
</TD><TD>
Future systems may use metadata for a richer
Finder experience
</TD></TR>
<TR>
<TD>
OS startup support

</TD><TD>
System Folder ID
</TD><TD>
Also supports a dedicated startup file
</TD><TD>
May help non-Mac OS systems to boot from HFS
Plus volumes
</TD></TR>

<TR>
<TD>
catalog node size
</TD><TD>
512 bytes
</TD><TD>
4 KB

</TD><TD>
Maintains efficiency in the face of the other
changes. (This larger catalog node size is due to
the much longer file names [512 bytes as opposed to
32 bytes], and larger catalog records (because of
more/larger fields)).
</TD></TR>
<TR>
<TD>
Maximum file size
</TD><TD>
231 bytes

</TD><TD>
263 bytes
</TD><TD>
Obvious user benefit, especially for multimedia
content creators.</td>
</tr>
</table></CENTER>
 
An HFS+ volume contains five special files:
<ol>
<li>
Catalog file - Describes the folder and file hierarchy of the volume. It is organized as a "balanced tree" for fast and efficient searches
</li>
<li>Extents overflow file - Additional extents (contiguous allocation blocks allocated to forks) are stored in a b-tree in this file
</li>
<li>
Allocation file - Specifies whether an allocation block is free (similar to $Bitmap in NTFS). This is stored in a bitmap, specifying a free allocation block with a "clear bit"
</li>
<li>Attributes file - Contains attribute information regarding files or folders
</li>
<li>
Startup file - Allows computers to boot that do have built in support for HFS+ file systems
</li>
</ol>
 
HFS+ also implements journaling, which allows fast recovery in the case of a crash or power outage. According to Apple, "The purpose of the journal is to ensure that when a group of related changes are being made, that either all of those changes are actually made, or none of them are made."[http://developer.apple.com/technotes/tn/tn1150.html#Journal]

Apple technical notes are available for the HFS+ file system from their [http://developer.apple.com/cgi-bin/search.pl?q=HFS+&num=10&site=default_collection website].

FCCU Gnu/Linux Boot CD

2008-01-15T17:22:13Z

Cobalt2020: Textual Cleanup

{{Infobox_Software |
name = FCCU GNU/Linux Forensic Boot CD |
maintainer = [[Christophe Monniez]], [[Geert Van Acker]] |
os = {{Linux}} |
genre = {{Live CD}} |
license = GPL for all the softwares included unless something else specified |
website = [http://www.lnx4n6.be/ lnx4n6.be] |
}}

The '''FCCU GNU/Linux Forensic Boot CD''' is a [[Live CD]] built on top of [[Knoppix]]. It focuses on [[incident response]] and [[computer forensics]]. The authors welcome comments and suggestions.

== Tools included ==

A list of included tools is available on [http://www.lnx4n6.be/index.php?sec=Documentation&page=bootcdcontent lnx4n6.be].

== Current version ==

The current version is 11.0 (19 October 2006).

This version includes new tools made by [http://www.storm.net.nz/projects/16 MetlStorm] to acquire memory through the Firewire bus.

MEDEX

2008-01-15T17:17:44Z

Cobalt2020:

MEDEX is Media Exploitation

=See Also=
[[DOCEX]] Document Exploitation

[[DOMEX]] Document and Media Exploitation

Defeating Whole Disk Encryption

2008-01-15T17:15:17Z

Cobalt2020: Textual Content Cleanup

PGP Whole Disk Encryption has the ability to generate a "temporary key." Normally the use of the temporary key leaves a trace on the disk being cracked. But according to a recent cyberspeak podcast, when this feature is used on a hard drive that has a write-blocker attached, it still works.

Bitlocker: You can unlock a drive with the cscript command, leaving the master key in the clear by using these commands:
cscript manage-bdg.wsf unlock c:
cscript manage-bdg.wsf autounlock enable c:

Timestomp

2007-10-25T16:40:59Z

Cobalt2020:

{{Expand}}

[[Image:timestomp_mace.jpg|thumb|100px|right|Timestomp MACE Values]] Timestomp is a utility co-authored by developers [[James C. Foster]] and [[Vincent Liu]]. The software's goal is to allow for the deletion or modification of time stamp-related information on files.

Take for example the "Timestomp MACE Values" screenshot displaying a command prompt window displaying the MACE values for a document file titled "text.txt". There are (4) four date time and date stamps displayed that are useful to Forensic Examiners in reconstructing when data was last modified, accessed, created, or entered into the NTFS Master File Table by the Operating system or manually by the user.

[[Image:timestomp_mace_change.jpg|thumb|100px|right|Timestomp MACE Change]] Using the Timestomp application, the modified date and time stamp can be completely changed (i.e., evidenced by the "Timestomp MACE Change" screenshot). If I were to change it, along with the other entries to more believable dates and times, then the validity of the document falls into question as does its ability to completely slip by an examiner's watchful eye if looking for modified files in an entirely different year or date span.

[[Image:timestomp_mace_change_proof.jpg|thumb|100px|right|Timestomp MACE Change Proof]] The "Timestomp MACE Change Proof" screenshot is a final shot of the Operating System's interpretation of the Modified time stamp. It reflects the aforementioned change exactly.

Note: Although this program is designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program can delete all time stamp information, the lack of time stamp values would lead an examiner to the conclusion that something is amiss on the system. Microsoft-based Windows operating system record at least some timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something. On the flipside, if the values are simply changed to believable values, then there is little chance of the change(s) being noticed at a casual glance.

== External Links ==
* [http://www.metasploit.com/projects/antiforensics/timestomp.exe Download Timestomp.exe]
* [http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-foster-liu-update.pdf Presentation at Blackhat 2005]

[[Category:Anti-forensics tools]]

Timestomp

2007-10-25T16:35:48Z

Cobalt2020:

{{Expand}}

[[Image:timestomp_mace.jpg|thumb|100px|right|Timestomp MACE Values]] Timestomp is a utility co-authored by developers [[James C. Foster]] and [[Vincent Liu]]. The software's goal is to allow for the deletion or modification of time stamp-related information on files. Take for example the following screenshot of a command prompt window displaying the MACE values for a document file titled "text.txt". There are (4) four date time and date stamps displayed that are useful to Forensic Examiners in reconstructing when data was last modified, accessed, created, or entered into the NTFS Master File Table by the Operating system or manually by the user.

[[Image:timestomp_mace_change.jpg|thumb|100px|right|Timestomp MACE Change]] Using the Timestomp application, I have completely changed the modified date and time stamp (i.e., evidenced by the second screenshot). If I were to change it, along with the other entries to more believable dates and times, then the validity of the document falls into question as does its ability to completely slip by an examiner's watchful eye if looking for modified files in an entirely different year or date span.

[[Image:timestomp_mace_change_proof.jpg|thumb|100px|right|Timestomp MACE Change Proof]] Here is a final screenshot of the Operating System's interpretation of the Modified time stamp. It reflects the change exactly.

Note: Although this program is designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program can delete all time stamp information, the lack of time stamp values would lead an examiner to the conclusion that something is amiss on the system. Microsoft-based Windows operating system record at least some timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something. On the flipside, if the values are simply changed to believable values, then there is little chance of the change(s) being noticed at a casual glace.

== External Links ==
* [http://www.metasploit.com/projects/antiforensics/timestomp.exe Download Timestomp.exe]
* [http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-foster-liu-update.pdf Presentation at Blackhat 2005]

[[Category:Anti-forensics tools]]

File:Timestomp mace change proof.jpg

2007-10-25T16:30:46Z

Cobalt2020: Timestomp MACE value change proof

Timestomp MACE value change proof

File:Timestomp mace change.jpg

2007-10-25T16:30:13Z

Cobalt2020: Timestomp MACE value change

Timestomp MACE value change

Timestomp

2007-10-25T16:29:31Z

Cobalt2020:

{{Expand}}

Timestomp is a utility co-authored by developers [[James C. Foster]] and [[Vincent Liu]]. The software's goal is to allow for the deletion or modification of time stamp-related information on files. Take for example the following screenshot of a command prompt window displaying the MACE values for a document file titled "text.txt". There are (4) four date time and date stamps displayed that are useful to Forensic Examiners in reconstructing when data was last modified, accessed, created, or entered into the NTFS Master File Table by the Operating system or manually by the user. [[Image:timestomp_mace.jpg|Timestomp MACE Values]]

Using the Timestomp application, I have completely changed the modified date and time stamp (i.e., evidenced by the second screenshot). [[Image:timestomp_mace_change.jpg|Timestomp MACE Change]] If I were to change it, along with the other entries to more believable dates and times, then the validity of the document falls into question as does its ability to completely slip by an examiner's watchful eye if looking for modified files in an entirely different year or date span.

Here is a final screenshot of the Operating System's interpretation of the Modified time stamp. [[Image:timestomp_mace_change_proof.jpg|Timestomp MACE Change Proof]] It reflects the change exactly.

Note: Although this program is designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program can delete all time stamp information, the lack of time stamp values would lead an examiner to the conclusion that something is amiss on the system. Microsoft-based Windows operating system record at least some timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something. On the flipside, if the values are simply changed to believable values, then there is little chance of the change(s) being noticed at a casual glace.

== External Links ==
* [http://www.metasploit.com/projects/antiforensics/timestomp.exe Download Timestomp.exe]
* [http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-foster-liu-update.pdf Presentation at Blackhat 2005]

[[Category:Anti-forensics tools]]

File:Timestomp mace.jpg

2007-10-25T16:19:11Z

Cobalt2020: Screenshot of TimeStomp application being used to display MACE attributes of a text.txt file.

Screenshot of TimeStomp application being used to display MACE attributes of a text.txt file.

User:Cobalt2020

2007-10-25T16:11:15Z

Cobalt2020:

== Why & Where ==

I'm interested to see how forensicswiki.org will grow. I own & operate [http://www.aeicomputertech.com AEI Computer Tech], a [http://www.aeiforensics.com Forensic] & [http://www.aeidownloads.com IT-based] company.

== Important Links ==

[http://www.aeicomputertech.com/forensics_definitions.php Forensic & Technical Definitions]

[http://www.aeicomputertech.com/forensics_file_signatures.php Known File Header Library]

[http://www.aeicomputertech.com/forensics_mail_header_info.php Mail Header Instructions]

[http://www.aeicomputertech.com/forensics_ports.php Known System Ports]

[http://www.aeicomputertech.com/forensics_resources.php Forensic Resources & Articles]

[http://www.aeicomputertech.com/forensics_tools.php Forensic Tools: Free, Commercial, & Government]

Talk:Main Page

2007-10-25T16:06:25Z

Cobalt2020:

Talk:Main Page

2007-10-25T16:04:27Z

Cobalt2020:

New Technology File System (NTFS)

2007-10-25T15:59:58Z

Cobalt2020:

The '''New Technology File System''' ('''NTFS''') is a [[file system]] developed and introduced by [[Microsoft]] in 1993 with [[Windows]] 3.1. As a replacement for the [[FAT]] file system, it quickly became the standard for [[Windows 2000]], [[Windows XP]] and [[Windows Server 2003]].

The features of NTFS include:

* [[Hard-links]]
* Improved performance, reliability and disk space utilization
* Security [[access control lists]]
* File system journaling

== Time Stamps ==

NTFS keeps track of lots of time stamps. Each file has a time stamp for 'Create', 'Modify', 'Access', and 'Entry Modified'. The latter refers to the time when the MFT entry itself was modified. These four values are commonly abbreviated as the 'MACE' values. Note that other attributes in each MFT record may also contain timestamps that are of forensic value.

Additional information on how NTFS timestamps work when files are moved or copies is available here: [http://support.microsoft.com/kb/299648 Microsoft KB 299648]

=== Changes in Windows Vista ===

In Windows Vista, NTFS no longer tracks the Last Access time of a file by default. This feature can be enabled by the user if desired.

== Alternate Data Streams ==
The '''NTFS''' file system includes a feature referred to as Alternate Data Streams (ADSs). This feature has also been referred to as "multiple data streams", "alternative data streams", etc. ADSs were included in '''NTFS''' in order to support the resource forks employed by the Hierarchal File System (HFS) employed by Macintosh systems.

As of [[Windows XP]] SP2, files downloaded via Internet Explorer, Outlook, and Windows Messenger were automatically given specific "zoneid" ADSs. The Windows Explorer shell would then display a warning when the user attempted to execute these files (by double-clicking them).

Sysadmins should be aware that prior to Vista, there are no tools native to the [[Windows]] platform that would allow you to view the existence of arbitrary ADSs. While ADSs can be created and their contents executed or viewed, it wasn't until the "/r" switch was introduced with the "dir" command on Vista that arbitrary ADSs would be visible. Prior to this, tools such as [http://www.heysoft.de/Frames/f_sw_la_en.htm LADS] could be used to view the existence of these files.

Examiners should be aware that most forensic analysis applications, including EnCase and ProDiscover, will display ADSs found in acquired images in red.

== External links ==
* [http://en.wikipedia.org/wiki/NTFS Wikipedia: NTFS]
[[Category:Disk file systems]]

Talk:Timestomp

2007-10-24T18:30:48Z

Cobalt2020:

This article references "MACE" values which I've never heard of. Now, humbly, that doesn't mean a whole lot ;) but I was curious if the author of this page meant to write MAC values instead. Thoughts? [[User:Cobalt2020|AEI Forensics]]
: I'm a n00b ;) I just remembered what the E stands for (the Master File Table Entry Modified time stamp of the file). Do we have a page on here for a proper explanation of the MACE acronym? [[User:Cobalt2020|AEI Forensics]]

Talk:Timestomp

2007-10-24T17:20:14Z

Cobalt2020: New page: This article references "MACE" values which I've never heard of. Now, humbly, that doesn't mean a whole lot ;) but I was curious if the author of this page meant to write MAC values instea...

Vincent Liu

2007-10-24T17:05:55Z

Cobalt2020:

{{Expand}}

[[Category:People]]

Vincent Liu is the co-author of the [[anti-forensic]] utility known as [[Timestomp]].

Talk:Organizations

2007-10-24T16:53:54Z

Cobalt2020:

Why are we changing links away from internal pages? [[User:Jessek|Jessek]] 08:42, 22 October 2007 (PDT)

I don't understand your question. [[User:Simsong|Simsong]]
: In a [http://www.forensicswiki.org/index.php?title=Organizations&diff=5989&oldid=5959 previous version] of this page, some of the links pointed to other wiki pages such as [[Defense Cybercrime Center]]. In the latest version, these links have been changed to the (external) web sites for the organizations, such as http://www.dc3.mil/ [[User:Jessek|Jessek]]
:: Ahh, I understand what he is saying. A single link was changed by myself (not multiple) to an external website. Let me change it to be an internal and an external link. [[User:Cobalt2020|Cobalt2020]]
:: Do we have a template or a better way to delineate internal and external pages? Or should the DoD link just be left internal as we have a page for it? [[User:Cobalt2020|Cobalt2020]]

Organizations

2007-10-24T16:52:57Z

Cobalt2020:

= US Government =

* [http://cybercrime.gov/ Computer Crime and Intellectual Property Section of the Department of Justice]
* [http://www.ctin.org Computer Technology Investigators Network]
* [http://www.ojp.usdoj.gov/nij/ National Institute of Justice]
* [http://ncfs.ucf.edu/home.html National Center for Forensic Science]
* [http://www.cftt.nist.gov/ National Institute of Standards and Technology, Computer Forensic Tool Testing]
* [http://www.dc3.mil/dc3/dc3.htm Department of Defense Cyber Crime Center]
* Department of [[Defense Cybercrime Center]]
* [http://www.rcfl.gov/ FBI Regional Computer Forensic Laboratory Program]
* [http://www.osi.andrews.af.mil/ Air Force Office of Special Investigations]

= Trade Organizations =

* [http://www.naidonline.org/ National Association for Information Destruction]

= Professional Organizations =

* [http://www.sans.org/ The SANS Institute]
* [http://www.htcia.org/ High Technology Crime Investigation Association]
* [http://www.cops.org/ International Association of Computer Investigative Specialists]
* [http://www.rcfg.org/ Regional Computer Forensic Group]
* [http://www.htcn.org/ High Tech Crime Network]
* [http://www.aafs.org/ American Academy of Forensic Science] The AAFS Board of Directors has approved the creation of the Digital and Multi-media section, which will be voted upon during the AAFS business meeting (during the annual meeting) in Feb 2008.
* [http://www.infoperitos.com/ Infoperitos - Computer Expert Witness Group from the Spanish Computer Engineers Association]

Talk:Organizations

2007-10-24T16:49:20Z

Cobalt2020:

Organizations

2007-10-18T17:49:20Z

Cobalt2020:

= US Government =

* [http://cybercrime.gov/ Computer Crime and Intellectual Property Section of the Department of Justice]
* [http://www.ctin.org Computer Technology Investigators Network]
* [http://www.ojp.usdoj.gov/nij/ National Institute of Justice]
* [http://ncfs.ucf.edu/home.html National Center for Forensic Science]
* [http://www.cftt.nist.gov/ National Institute of Standards and Technology, Computer Forensic Tool Testing]
* [http://www.dc3.mil/dc3/dc3.htm Department of Defense Cyber Crime Center]
* [http://www.rcfl.gov/ FBI Regional Computer Forensic Laboratory Program]
* [http://www.osi.andrews.af.mil/ Air Force Office of Special Investigations]

= Trade Organizations =

* [http://www.naidonline.org/ National Association for Information Destruction]

= Professional Organizations =

* [http://www.sans.org/ The SANS Institute]
* [http://www.htcia.org/ High Technology Crime Investigation Association]
* [http://www.cops.org/ International Association of Computer Investigative Specialists]
* [http://www.rcfg.org/ Regional Computer Forensic Group]
* [http://www.htcn.org/ High Tech Crime Network]
* [http://www.aafs.org/ American Academy of Forensic Science] The AAFS Board of Directors has approved the creation of the Digital and Multi-media section, which will be voted upon during the AAFS business meeting (during the annual meeting) in Feb 2008.
* [http://www.infoperitos.com/ Infoperitos - Computer Expert Witness Group from the Spanish Computer Engineers Association]

Organizations

2007-10-18T17:49:04Z

Cobalt2020: Added RCFL Link, Fixed Air Force and DoD links

= US Government =

* [http://cybercrime.gov/ Computer Crime and Intellectual Property Section of the Department of Justice]
* [http://www.ctin.org Computer Technology Investigators Network]
* [http://www.ojp.usdoj.gov/nij/ National Institute of Justice]
* [http://ncfs.ucf.edu/home.html National Center for Forensic Science]
* [http://www.cftt.nist.gov/ National Institute of Standards and Technology, Computer Forensic Tool Testing]
* [http://www.dc3.mil/dc3/dc3.htm Department of Defense Cyber Crime Center]
* [http://www.rcfl.gov/ Regional Computer Forensic Laboratory Program]
* [http://www.osi.andrews.af.mil/ Air Force Office of Special Investigations]

= Trade Organizations =

* [http://www.naidonline.org/ National Association for Information Destruction]

= Professional Organizations =

* [http://www.sans.org/ The SANS Institute]
* [http://www.htcia.org/ High Technology Crime Investigation Association]
* [http://www.cops.org/ International Association of Computer Investigative Specialists]
* [http://www.rcfg.org/ Regional Computer Forensic Group]
* [http://www.htcn.org/ High Tech Crime Network]
* [http://www.aafs.org/ American Academy of Forensic Science] The AAFS Board of Directors has approved the creation of the Digital and Multi-media section, which will be voted upon during the AAFS business meeting (during the annual meeting) in Feb 2008.
* [http://www.infoperitos.com/ Infoperitos - Computer Expert Witness Group from the Spanish Computer Engineers Association]

User:Cobalt2020

2007-10-18T17:45:41Z

Cobalt2020:

== Why & Where ==

I'm interested to see how forensicwiki will grow. I own & operate [http://www.aeicomputertech.com AEI Computer Tech], a [http://www.aeiforensics.com Forensic] & [http://www.aeidownloads.com IT-based] company.

Anonymous Web Browsing Tools

2007-10-18T14:24:20Z

Cobalt2020:

Anonymizer.com is home to the Safe Surfing Suite of software. More information is available at: [http://www.anonymizer.com anonymizer.com]

A website that allows the masking of the source IP address: [http://www.ibypass.com ibypass.com]

Anonymous Web Browsing Tools

2007-10-18T14:24:03Z

Cobalt2020: Textual update

Anonymizer.com is home to the Safe Surfing Suite of software. More information is available at:[http://www.anonymizer.com anonymizer.com]

A website that allows the masking of the source IP address: [http://www.ibypass.com ibypass.com]

User:Cobalt2020

2007-06-06T19:42:05Z

Cobalt2020:

== Why & Where ==

I'm interested to see how forensicwiki will grow. I own & operate AEI Computer Tech, a Forensic & IT-based company; the location of which is [http://www.aeicomputertech.com aeicomputertech.com].

User talk:Cobalt2020

2007-06-06T19:41:40Z

Cobalt2020: Removing all content from page

User talk:Cobalt2020

2007-06-06T19:41:08Z

Cobalt2020: New page: I own & operate AEI Computer Tech, a Forensic & IT-based company; the location of which is located at [http://www.aeicomputertech.com aeicomputertech.com].

I own & operate AEI Computer Tech, a Forensic & IT-based company; the location of which is located at [http://www.aeicomputertech.com aeicomputertech.com].

Talk:MD5

2007-06-06T19:37:50Z

Cobalt2020:

http://deepbyte.com/blog/2006/02/is_the_md5_hash_unreliable.html is broken. [[User:Cobalt2020|Cobalt2020]] 12:37, 6 June 2007 (PDT)

Talk:MD5

2007-06-06T19:37:43Z

Cobalt2020: New page: http://deepbyte.com/blog/2006/02/is_the_md5_hash_unreliable.html is broken.

http://deepbyte.com/blog/2006/02/is_the_md5_hash_unreliable.html is broken.

User:Cobalt2020

2007-03-14T14:04:09Z

Cobalt2020: /* Cobalt's Userpage */

== Why & Where ==

I'm interested to see how forensicwiki will grow. My own forensic-related website/company is located at aeicomputertech.com [http://www.aeicomputertech.com].

User:Cobalt2020

2007-03-14T14:03:55Z

Cobalt2020:

== Cobalt's Userpage ==

I'm interested to see how forensicwiki will grow. My own forensic-related website/company is located at aeicomputertech.com [http://www.aeicomputertech.com].

User:Cobalt2020

2007-03-14T14:03:16Z

Cobalt2020:

I'm interested to see how forensicwiki will grow. My own forensic-related website/company is located at [http://www.aeicomputertech.com].

User:Cobalt2020

2007-03-14T14:02:52Z

Cobalt2020:

I'm interested to see how forensicwiki will grow. My own forensic-related website/company is located at www.aeicomputertech.com.

User:Cobalt2020

2007-03-14T13:58:50Z

Cobalt2020: New page: I'm interested to see how forensicwiki will grow.

I'm interested to see how forensicwiki will grow.