Forensics Wiki - User contributions [en]

VMWare from hard drive images

2012-03-23T17:56:15Z

Pmow: added result picture

[[Category:Howtos]]

== Creating virtual machines from forensic images ==

After having no success with raw2vmdk, the Live View method has worked.

[http://liveview.sourceforge.net/index.html Live View] requires:

-Java JRE

-VMWare Workstation 5.5+ or Server

-VMWare VDDK ([http://www.vmware.com/support/developer/vddk download])

== Install ==
Install prerequisites followed by Live View (the installer will check for pre-reqs).

''Tested: Win7-64 with VMWare Workstation 7.12, Live View 0.7b, and VMWare VDDK 5.0''

[[File:LiveView.png]]

== VMX Creation ==

1. Run Live View as Administrator. ''(Messages pane will result in errors otherwise)''

2. Set memory and OS as closely as possible to target machine specs. ''(To maximize probability of success)''

3. Click "Start". ''(The screenshot error relates to maximums exceeded based on client machine.)''

[[File:VMWareWorkstation.png]]

File:VMWareWorkstation.png

2012-03-23T17:55:24Z

Pmow: Screenshot of VMWare workstation running from DD image

Screenshot of VMWare workstation running from DD image

VMWare from hard drive images

2012-03-23T17:41:52Z

Pmow: Added complete text steps.

File:LiveView.png

2012-03-23T17:32:16Z

Pmow: Live View 0.7b screenshot

Live View 0.7b screenshot

VMWare from hard drive images

2012-03-23T17:29:58Z

Pmow: Created page with "Category:Howtos == Creating virtual machines from forensic images == After having no success with raw2vmdk, the Live View method has worked. [http://liveview.sourceforg..."

User:Pmow

2012-03-23T17:12:39Z

Pmow: updated new company name

==Meatspace Name==
Gabriel Campos

==Location==
[http://www.marcumllp.com Marcum LLP]

[http://www.google.com/maps?f=q&hl=en&geocode=&q=Miami,+FL&ie=UTF8&layer=x&ll=25.760938,-80.237274&spn=0.44834,0.683899&z=11 Miami, Florida]

==Contact==
[mailto:gcampos@rachlin.com gcampos@rachlin.com]

VirtualMachineForensics

2012-03-23T17:10:13Z

Pmow: moved VirtualMachineForensics to Forensics of Virtualization Products: The title can easily refer to using virtualization in your forensics practice.

#REDIRECT [[Forensics of Virtualization Products]]

Forensics of Virtualization Products

2012-03-23T17:10:12Z

Pmow: moved VirtualMachineForensics to Forensics of Virtualization Products: The title can easily refer to using virtualization in your forensics practice.

[[Category:Howtos]]

== Dealing with Virtual Machine Images ==

It is becoming increasingly common to find evidence drives with Virtual Machines (VM) on them. The VMs may contain evidence of their own, but with their unique file structure, care must be taken during examination. Running the virtual machine could destroy artifacts that are important.

=== Virtual Box ===

There are two methods for creating a way to mount or inspect a Virtual Box VM. Virtual Box disks typically have the extension "vdi" for Virtual Desktop Infrastructure. The mount method requires a Linux system and "qemu". The other method converts a vdi to a raw image format which can then be inspected with traditional forensics tools.

==== Mount ====

# Install qemu-kvm using your preferred installation tool (apt-get, etc)
# Load the network block device module >sudo modprobe nbd
# Use Qemu to load the VDI file as a loop back device >sudo qemu-nbd -c /dev/nbd0 infile.vdi
# Mount >sudo mount /dev/nbd0p1 /mnt
# Inspect the file system as needed

To undo:
# >sudo umount /mnt
# >qemu-nbd -d /dev/nbd0

[http://bethesignal.org/blog/2011/01/05/how-to-mount-virtualbox-vdi-image/| Source Blog]

==== Convert ====

Conversion requires the Virtual Box tool kit, if you don't already have it.

# Install virtualbox-ose using your preferred installation tool (apt-get, download from VirtualBox.org, etc)
# Convert to raw format >VBoxManage internalcommands converttoraw infile.vdi outfile.img
# Inspect the raw image as per usual, either with TSK, EnCase, or mount

=== VMWare ===

User talk:Pmow

2008-07-24T15:50:05Z

Pmow:

Hi. Thanks for all of your contributions; do you want to create a user page? [[User:Simsong|Simsong]] 04:38, 24 July 2008 (UTC)

done and done!

User:Pmow

2008-07-24T15:48:54Z

Pmow: bio/contact info

==Meatspace Name==
Gabriel Campos

==Location==
[http://www.rachlin.com/serviceareas/litigation_forensic.htm Rachlin LLP]

[http://www.google.com/maps?f=q&hl=en&geocode=&q=Miami,+FL&ie=UTF8&layer=x&ll=25.760938,-80.237274&spn=0.44834,0.683899&z=11 Miami, Florida]

==Contact==
[mailto:gcampos@rachlin.com gcampos@rachlin.com]

List of Windows MRU Locations

2008-07-23T17:23:02Z

Pmow: Added more sources

==Common==
'''Regedit - Last accessed key'''
:Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
'''Regedit - Favorites'''
:Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites
'''MSPaint - Recent Files'''
:Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
'''Wordpad - Recent Files '''
:Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
'''Common Dialog - Open'''
:Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
'''Common Dialog - Save As '''
:Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
'''WMP8 XP - Recent Files'''
:Software\Microsoft\MediaPlayer\Player\RecentFileList
'''WMP 8 XP - Recent URLs '''
:Software\Microsoft\MediaPlayer\Player\RecentURLList
'''OE6 Stationery list 1 - New Mail'''
:Identities\{C19958F2-22F3-4C6A-9AE0-12049CE0706F}\Software\Microsoft\Outlook Express\5.0\Recent Stationery List (ID=example)
'''OE 6 Stationery list 2 - New Mail'''
:Identities\{C19958F2-22F3-4C6A-9AE0-12049CE0706F}\Software\Microsoft\Outlook Express\5.0\Recent Stationery Wide List (ID=example)
'''Map Network Drives'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

==Windows 2000/XP==
'''''Recently Used Files'''''
:C:\Documents and Settings\User\Recent
'''XP Search Files'''
:Software\Microsoft\Search Assistant\ACMru\5603
'''Internet Search Assistant '''
:Software\Microsoft\Search Assistant\ACMru\5001
'''Printers, Computers and People'''
:Software\Microsoft\Search Assistant\ACMru\5647
'''XP Start Menu - Recent'''
:Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
'''Remote Desktop - Connect'''
:Software\Microsoft\Terminal Server Client\Default [MRUnumber]
'''Run dialog box'''
:Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

==Windows ME, 98, and 95==
'''Doc Find Spec MRU'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
'''Find Computer'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU
'''Printer Ports'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PrnPortsMRU
'''Run'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
'''Window Size/Position'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

==Microsoft Office 2000==
'''Winword - Open'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Open\File Name MRU
'''Winword - Save As'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Save As\File Name MRU
'''Winword - Recent Files'''
:Software\Microsoft\Office\9.0\Word\Data
'''Excel - Open'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Excel\Settings\Open\File Name MRU
'''Excel - Save As'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Excel\Settings\Save As\File Name MRU
'''Excel - Recent Files'''
:Software\Microsoft\Office\9.0\Excel\Recent Files
'''Frontpage - Open'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft FrontPage\Settings\Open File\File Name MRU
'''Frontpage - Save As'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft FrontPage\Settings\Save As\File Name MRU
'''Frontpage - Recent lists'''
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent File List
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Page List
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Web List
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recently Created Servers
:Software\Microsoft\FrontPage\Editor\Recently Used URLs
'''PowerPoint - Open'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Open\File Name MRU
'''PowerPoint - Save As'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Save As\File Name MRU
'''PowerPoint - Recent Files'''
:Software\Microsoft\Office\9.0\PowerPoint\Recent File List
'''Access - Open'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Access\Settings\Open\File Name MRU
'''Access - Filename MRU'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Access\Settings\File New Database\File Name MRU
:Software\Microsoft\Office\9.0\Access\Settings

==Internet Explorer==
'''Recently Entered Addresses'''
:USERNAME\software\microsoft\internet explorer\typedurls
'''Last Directory Saved To'''
:USERNAME\software\microsoft\internet explorer

==Adobe==
'''Media Browser'''
:HKEY_CURRENT_USER\Software\Adobe\MediaBrowser\MRU
'''Acrobat 5.0 Full'''
:HKEY_CURRENT_USER\Software\ADOBE\Adobe Acrobat\5.0\AVGeneral\cRecentFiles
'''Acrobat Reader 5.0'''
:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles
'''Acrobat 8.0 Standard'''
:HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\AVGeneral\cRecentFiles [[User:Pmow|Pmow]] 16:14, 23 July 2008 (UTC)

==Windows Explorer==
'''List of Recent Programs Opened'''
:HKEY_USERS\USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
'''Save Locations by Filetype'''
:HKEY_USERS\USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
'''Most Recent Application's Use of DirectX'''
:software\microsoft\direct3d\mostrecentapplication
'''List of Recent Files Opened, by Filetype'''
:USERNAME\software\microsoft\windows\currentversion\explorer\recentdocs

==Kazaa==
'''Recent Search List'''
:USERNAME\software\kazaa\search

==Registry Editor==
'''Last Key Accessed'''
:USERNAME\software\microsoft\windows\currentversion\applets\regedit
==Sources==

[http://www.daniweb.com/tutorials/tutorial66079.html Registry MRU Locations]

[http://support.microsoft.com/kb/142298 How to Clear the Windows Explorer MRU Lists]

[http://209.85.215.104/search?q=cache:ztqvo2Bfk9UJ:www.daniweb.com/forums/thread13426.html+adobe+MRU+location&hl=en&ct=clnk&cd=2&gl=us&client=firefox-a What are MRU files and why are they a security risk?]

[http://www.windowsbbs.com/windows-2000/47519-removing-mru-list-mapped-network-drives.html Removing MRU List from Mapped Network Drives]

List of Windows MRU Locations

2008-07-23T16:14:01Z

Pmow:

==Common==
'''Regedit - Last accessed key'''
:Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
'''Regedit - Favorites'''
:Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites
'''MSPaint - Recent Files'''
:Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
'''Wordpad - Recent Files '''
:Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
'''Common Dialog - Open'''
:Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
'''Common Dialog - Save As '''
:Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
'''WMP8 XP - Recent Files'''
:Software\Microsoft\MediaPlayer\Player\RecentFileList
'''WMP 8 XP - Recent URLs '''
:Software\Microsoft\MediaPlayer\Player\RecentURLList
'''OE6 Stationery list 1 - New Mail'''
:Identities\{C19958F2-22F3-4C6A-9AE0-12049CE0706F}\Software\Microsoft\Outlook Express\5.0\Recent Stationery List (ID=example)
'''OE 6 Stationery list 2 - New Mail'''
:Identities\{C19958F2-22F3-4C6A-9AE0-12049CE0706F}\Software\Microsoft\Outlook Express\5.0\Recent Stationery Wide List (ID=example)

==Windows 2000/XP==
'''XP Search Files'''
:Software\Microsoft\Search Assistant\ACMru\5603
'''Internet Search Assistant '''
:Software\Microsoft\Search Assistant\ACMru\5001
'''Printers, Computers and People'''
:Software\Microsoft\Search Assistant\ACMru\5647
'''XP Start Menu - Recent'''
:Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
'''Remote Desktop - Connect'''
:Software\Microsoft\Terminal Server Client\Default [MRUnumber]
'''Run dialog box'''
:Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

==Windows ME, 98, and 95==
'''Doc Find Spec MRU'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
'''Find Computer'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU
'''Printer Ports'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PrnPortsMRU
'''Run'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
'''Window Size/Position'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

==Microsoft Office 2000==
'''Winword - Open'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Open\File Name MRU
'''Winword - Save As'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Save As\File Name MRU
'''Winword - Recent Files'''
:Software\Microsoft\Office\9.0\Word\Data
'''Excel - Open'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Excel\Settings\Open\File Name MRU
'''Excel - Save As'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Excel\Settings\Save As\File Name MRU
'''Excel - Recent Files'''
:Software\Microsoft\Office\9.0\Excel\Recent Files
'''Frontpage - Open'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft FrontPage\Settings\Open File\File Name MRU
'''Frontpage - Save As'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft FrontPage\Settings\Save As\File Name MRU
'''Frontpage - Recent lists'''
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent File List
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Page List
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Web List
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recently Created Servers
:Software\Microsoft\FrontPage\Editor\Recently Used URLs
'''PowerPoint - Open'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Open\File Name MRU
'''PowerPoint - Save As'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Save As\File Name MRU
'''PowerPoint - Recent Files'''
:Software\Microsoft\Office\9.0\PowerPoint\Recent File List
'''Access - Open'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Access\Settings\Open\File Name MRU
'''Access - Filename MRU'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Access\Settings\File New Database\File Name MRU
:Software\Microsoft\Office\9.0\Access\Settings

==Internet Explorer==
'''Recently Entered Addresses'''
:USERNAME\software\microsoft\internet explorer\typedurls
'''Last Directory Saved To'''
:USERNAME\software\microsoft\internet explorer

==Adobe==
'''Media Browser'''
:HKEY_CURRENT_USER\Software\Adobe\MediaBrowser\MRU
'''Acrobat 5.0 Full'''
:HKEY_CURRENT_USER\Software\ADOBE\Adobe Acrobat\5.0\AVGeneral\cRecentFiles
'''Acrobat Reader 5.0'''
:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles
'''Acrobat 8.0 Standard'''
:HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\AVGeneral\cRecentFiles [[User:Pmow|Pmow]] 16:14, 23 July 2008 (UTC)

==Windows Explorer==
'''List of Recent Programs Opened'''
:HKEY_USERS\USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
'''Save Locations by Filetype'''
:HKEY_USERS\USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
'''Most Recent Application's Use of DirectX'''
:software\microsoft\direct3d\mostrecentapplication
'''List of Recent Files Opened, by Filetype'''
:USERNAME\software\microsoft\windows\currentversion\explorer\recentdocs

==Kazaa==
'''Recent Search List'''
:USERNAME\software\kazaa\search

==Registry Editor==
'''Last Key Accessed'''
:USERNAME\software\microsoft\windows\currentversion\applets\regedit
==Sources==

[http://www.daniweb.com/tutorials/tutorial66079.html Registry MRU Locations]

[http://support.microsoft.com/kb/142298 How to Clear the Windows Explorer MRU Lists]

Most Recently Used

2008-07-23T15:22:19Z

Pmow: trying to redirect

#REDIRECT [[MRU]]

List of Windows MRU Locations

2008-07-23T15:15:02Z

Pmow: New page: ==Common== '''Regedit - Last accessed key''' :Software\Microsoft\Windows\CurrentVersion\Applets\Regedit '''Regedit - Favorites''' :Software\Microsoft\Windows\CurrentVersion\Applets\Reg...

==Common==
'''Regedit - Last accessed key'''
:Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
'''Regedit - Favorites'''
:Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites
'''MSPaint - Recent Files'''
:Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
'''Wordpad - Recent Files '''
:Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
'''Common Dialog - Open'''
:Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
'''Common Dialog - Save As '''
:Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
'''WMP8 XP - Recent Files'''
:Software\Microsoft\MediaPlayer\Player\RecentFileList
'''WMP 8 XP - Recent URLs '''
:Software\Microsoft\MediaPlayer\Player\RecentURLList
'''OE6 Stationery list 1 - New Mail'''
:Identities\{C19958F2-22F3-4C6A-9AE0-12049CE0706F}\Software\Microsoft\Outlook Express\5.0\Recent Stationery List (ID=example)
'''OE 6 Stationery list 2 - New Mail'''
:Identities\{C19958F2-22F3-4C6A-9AE0-12049CE0706F}\Software\Microsoft\Outlook Express\5.0\Recent Stationery Wide List (ID=example)

==Windows 2000/XP==
'''XP Search Files'''
:Software\Microsoft\Search Assistant\ACMru\5603
'''Internet Search Assistant '''
:Software\Microsoft\Search Assistant\ACMru\5001
'''Printers, Computers and People'''
:Software\Microsoft\Search Assistant\ACMru\5647
'''XP Start Menu - Recent'''
:Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
'''Remote Desktop - Connect'''
:Software\Microsoft\Terminal Server Client\Default [MRUnumber]
'''Run dialog box'''
:Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

==Windows ME, 98, and 95==
'''Doc Find Spec MRU'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
'''Find Computer'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU
'''Printer Ports'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PrnPortsMRU
'''Run'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
'''Window Size/Position'''
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

==Microsoft Office 2000==
'''Winword - Open'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Open\File Name MRU
'''Winword - Save As'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Save As\File Name MRU
'''Winword - Recent Files'''
:Software\Microsoft\Office\9.0\Word\Data
'''Excel - Open'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Excel\Settings\Open\File Name MRU
'''Excel - Save As'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Excel\Settings\Save As\File Name MRU
'''Excel - Recent Files'''
:Software\Microsoft\Office\9.0\Excel\Recent Files
'''Frontpage - Open'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft FrontPage\Settings\Open File\File Name MRU
'''Frontpage - Save As'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft FrontPage\Settings\Save As\File Name MRU
'''Frontpage - Recent lists'''
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent File List
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Page List
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Web List
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recently Created Servers
:Software\Microsoft\FrontPage\Editor\Recently Used URLs
'''PowerPoint - Open'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Open\File Name MRU
'''PowerPoint - Save As'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Save As\File Name MRU
'''PowerPoint - Recent Files'''
:Software\Microsoft\Office\9.0\PowerPoint\Recent File List
'''Access - Open'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Access\Settings\Open\File Name MRU
'''Access - Filename MRU'''
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Access\Settings\File New Database\File Name MRU
:Software\Microsoft\Office\9.0\Access\Settings

==Sources==

[http://www.daniweb.com/tutorials/tutorial66079.html Registry MRU Locations]

[http://support.microsoft.com/kb/142298 How to Clear the Windows Explorer MRU Lists]

MRU

2008-07-23T14:29:23Z

Pmow: created

=Most Recently Used=
Most Recently Used (MRU) is a term used in computing to refer to the list of programs or documents that were last accessed. It is a feature of convenience allowing users to quickly see and access the last few used files and documents, but could also be considered bad in terms of privacy.

==See Also==
[[List of Windows MRU Locations]]

The Sleuth Kit

2008-07-17T20:50:23Z

Pmow: genre changed to Analysis from Disk file systems

{{Infobox_Software |
name = The Sleuth Kit |
maintainer = [[Brian Carrier]] |
os = {{Linux}}, {{FreeBSD}}, {{OpenBSD}}, {{Mac OS X}}, {{SunOS}} |
genre = {{Analysis}} |
license = {{IBM Open Source License}}, {{Common Public License}}, {{GPL}} |
website = [http://www.sleuthkit.org/ sleuthkit.org] |
}}

'''The Sleuth Kit''' ('''TSK''') is a collection of [[UNIX]]-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports [[FAT]], [[Ext2]]/[[Ext3|3]], [[NTFS]], [[UFS1]], and [[UFS2]] [[file system]]s.

[[Autopsy]] is a frontend for TSK which allows browser-based access to the TSK tools.

=Features=

The Sleuth Kit is arranged in layers. There is a ''data layer'' which is concerned with how information is stored on a disk and a ''metadata layer'' which is considered with information such as [[inode]]s and [[directory|directories]]. The commands that deal with the data layer are prefixed with the letter ''d'', which the commands that deal with the metadata layer are prefixed with the letter ''i''.

Some of the commands in Sleuth Kit are:

; dcat
: Views the contents of a [[block]].

; dls
: Lists [[unallocated block]]s. Makes keyword searches more efficient. Gets a list of unallocated blocks.

; dcalc
: Tells you where an unallocated blocks are.

; dstat
: Details about a given block.

; icat
: View contents of a file given its inode value or [[cluster number]]. Doesn't list directories, lists the contents.

; ils
: Lists the files extents on a disk.

; istat
: Information about an inode number.

==File Systems Understood==

* [[NTFS]]
* [[FAT]]
* [[EXT2]], [[EXT3]]
* [[UFS1]], [[UFS2]]

==File Search Facilities==

* Lists allocated and unallocated files.
* Lists and sorts by file type.
* Shows a time time of creation and change.

==Historical Reconstruction==

==Searching Abilities==

* Searches for keywords.
* Builds an index.

==Hash Databases==

* Uses [[MD5]] or [[SHA1]].
* Interfaces with [[NIST NSRL]], [[Hashkeeper]] and customer databases.

==Evidence Collection Features==

* Tracks forensic activity.

=History=

==License Notes==

Is it commercial or open source? Are there other licensing options?

= External Links =

* [http://www.sleuthkit.org/autopsy/desc.php Autopsy website]

==External Reviews==

Reiserfs

2008-07-17T20:47:44Z

Pmow: Categorized

== Detecting ReiserFS in a forensics environment ==

[[Image:Superblock.png]]

Note: These are in [http://en.wikipedia.org/wiki/Little_endian little-endian] format. [[User:Pmow|Pmow]] 18:21, 17 July 2008 (UTC)
<table border="0">

<tr>
<th> '''Name''' </th>

<th> Size </th>
<th> Description </th>
</tr>
<tr>
<td> Block count </td>
<td align="center"> 4 </td>

<td> The number of blocks in the partition </td>
</tr>
<tr>
<td> Free blocks </td>
<td align="center"> 4 </td>
<td> The number of free blocks in the partition </td>

</tr>
<tr>
<td> Root block </td>
<td align="center"> 4 </td>
<td> The block number of the block containing the root node </td>
</tr>
<tr>
<td> Journal block </td>

<td align="center"> 4 </td>
<td> The block number of the block containing the first journal node 
</td></tr><tr>
<td> Journal device </td>
<td align="center"> 4 </td>

<td> Journal device number (not sure what for) </td>
</tr>
<tr>
<td> Orig. journal size </td>
<td align="center"> 4 </td>
<td> Original journal size. Needed when using partition on systems with different default journal sizes.</td></tr>

<tr>
<td> Journal trans. max </td>
<td align="center"> 4 </td>
<td> The maximum number of blocks in a transaction </td>
</tr>
<tr>
<td> Journal magic </td>

<td align="center"> 4 </td>
<td> A random magic number </td>
</tr>
<tr>
<td> Journal max batch </td>
<td align="center"> 4 </td>

<td> The maximum number of blocks in a transaction </td>
</tr>
<tr>
<td> Journal max commit age </td>
<td align="center"> 4 </td>
<td> Time in seconds of how old an asynchronous commit can be </td>

</tr>
<tr>
<td> Journal max trans. age </td>
<td align="center"> 4 </td>
<td> Time in seconds of how old a transaction can be </td>
</tr>
<tr>
<td> Blocksize </td>

<td align="center"> 2 </td>
<td> The size in bytes of a block </td>
</tr>
<tr>
<td> OID max size </td>
<td align="center"> 2 </td>

<td> The maximum size of the object id array </td>
</tr>
<tr>
<td> OID current size </td>
<td align="center"> 2 </td>
<td> The current size of the object id array </td>

</tr>
<tr>
<td> State </td>
<td align="center"> 2 </td>
<td> State of the partition: valid (1) or error (2) </td>
</tr>
<tr>
<td> Magic string </td>

<td align="center"> 12 </td>
<td> The reiserfs magic string, should be "ReIsEr2Fs" </td>
</tr>
<tr>
<td> Hash function code </td>
<td align="center"> 4 </td>

<td> The hash function that is being used to sort names in a directory</td></tr>
<tr>
<td> Tree Height </td>
<td align="center"> 2 </td>
<td> The current height of the disk tree </td>

</tr>
<tr>
<td> Bitmap number </td>
<td align="center"> 2 </td>
<td> The amount of bitmap blocks needed to address each block of the file system</td></tr>
<tr>
<td> Version </td>

<td align="center"> 2 </td>
<td> The reiserfs version number </td>
</tr>
<tr>
<td> Reserved </td>
<td align="center"> 2 </td>

<td>   </td>
</tr>
<tr>
<td> Inode Generation </td>
<td align="center"> 4 </td>
<td> Number of the current inode generation. </td>

</tr>
</table>

The following is the start of the superblock of a 256MB reiserfs partition on an Intel based system:

<pre>00000000 66 00 01 00 93 18 00 00 82 40 00 00 12 00 00 00 f........@......
00000010 00 00 00 00 00 20 00 00 00 04 00 00 ac 34 11 57 ..... ......¬4.W
00000020 84 03 00 00 1e 00 00 00 00 00 00 00 00 10 cc 03 ..............Ì.
00000030 08 00 02 00 52 65 49 73 45 72 32 46 73 00 00 00 ....ReIsEr2Fs...
00000040 03 00 00 00 04 00 03 00 02 00 00 00 dc 52 00 00 ............ÜR..
</pre>

[[Image:superblock_example.png]]

 Block count: 65638
 Free blocks: 6291
 Root block: 16514
 Journal block: 18
 Journal device: 0
 Original journal size: 8192
 Journal trans. max: 1024
 Journal magic: 1460745388
 Journal max. batch: 900
 Journal max. commit age: 30
 Journal max. trans. age: 0
 Blocksize: 4096
 OID max. size: 972
 OID current size: 8
 State: 2 (error)
 Magic String: ReIsEr2Fs
 Hash function code: 3
 Tree height: 4
 Bitmap number: 3
 Version: 2
 Inode generation: 21212

== External Links ==
* [http://en.wikipedia.org/wiki/Reiserfs ReiserFS on Wikipedia]
* [http://homes.cerias.purdue.edu/~florian/reiser/reiserfs.php The structure of the Reiser file system]
[[Category:Disk file systems]]

Training Courses and Providers

2008-07-17T20:31:22Z

Pmow: Updated Applied Decryption, broken link to AccessData's pages.

This is the list of Scheduled Training Courses, referred to by [[Upcoming_events]]. Please refer to the instructions on the [[Upcoming_events]] page if you wish to edit this page.

The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv.
 (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)
Requests for additions, deletions or corrections to this list may be sent by email to David Baker (bakerd AT mitre.org).

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title
! Date/Location
! Website
! Limitation
|-
|Macintosh Forensic Survival Course (MFSC)
|Jun 30-Jul 04, Brisbane, Australia
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|Limited to Law Enforcement
|-
|EnCase® Enterprise v6 - Phase II
|Jun 30-Jul 03, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData® BootCamp
|Jul 01-03, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|BlackBag Intermediate MacIntosh Forensics
|Jul 07-11, Los Angeles, CA
|http://www.blackbagtech.com/products/training.htm
|Limited to Law Enforcement
|-
|Linux /Unix Security
|Jul 07-10, Reston, VA
|http://www.securityuniversity.net/classes_linux_sec.php
|-
|Certified Ethical Hacker/Qualified Security Hacker/Network Defender
|Jul 07-10, San Francisco, CA
|http://www.securityuniversity.net/classes_QSH.php
|-
|Computer Hacking Forensic Investigator CHFI Prep/QFE Qualified Forensics Expert
|Jul 12-16, Reston, VA
|http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
|Mobile Device Investigations Program (MDIP)
|Jul 14-18, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|AccessData® Applied Decryption
|Jul 15-17, St Paul, MN
|http://guest.cvent.com/EVENTS/Info/Summary.aspx?e=ab0c756b-3cf8-4161-8a70-0c11c6f018fc
|-
|AccessData® Windows Forensics
|Jul 15-17, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone- Steganography Investigator Training
|Jul 16-17, Online Training
|https://www.wetstonetech.com/trainings.html
|-
|Computer Network Investigations Training Program (CNITP)
|Jul 21-Aug 01, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|Internet Investigations Training Program (IITP
|Jul 21-25, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|BlackBag Intermediate MacIntosh Forensics
|Jul 21-25, San Jose, CA
|http://www.blackbagtech.com/products/training.htm
|-
|EC-Council Certified Security Analyst/Qualified Security Analyst/Pen Testing Methods
|Jul 21-25, San Francisco, CA
|http://www.securityuniversity.net/classes_anti-hacking_pentest.php
|-
|Licensed Penetration Tester/Qualified Penetration Tester
|Jul 21-25, San Francisco, CA
|http://www.securityuniversity.net/classes_Licensed_Penetration_Tester.php
|-
|WetStone- Live Investigator Training
|Jul 22-23, Fairfax, VA
|https://www.wetstonetech.com/trainings.html
|-
|AccessData® Windows Forensics
|Jul 22-24, St Louis, MO
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Computer Hacking Forensic Investigator CHFI Prep/Qualified Forensics Expert
|July 28-Aug 01, San Francisco, CA
|http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
|ILook® Automated Forensic Application(ILook)
|Jul 28-Aug 01, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Certified Wireless Network Administrator
|July 28-Aug 01, San Francisco, CA
|http://www.securityuniversity.net/www.classes_wireless_CWNA.php
|-
|Certified Wireless Network Admin/Wireless Security Professional Bootcamp
|July 29-Aug 07, San Francisco, CA
|http://www.securityuniversity.net/classes_wireless_bootcamp.php
|-
|WetStone- Steganography Investigator Training
|Aug 02-03, 04-05, Black Hat USA
|https://www.blackhat.com
|-
|WetStone- Live Investigator Training
|Aug 02-03, 04-05, Black Hat USA
|https://www.blackhat.com
|-
|WetStone- Hacking Investigator BootCamp
|Aug 02-05, Black Hat USA
|https://www.blackhat.com
|-
|Certified Wireless Security Professional CWSP
|Aug 04-07, San Francisco, CA
|http://www.securityuniversity.net/classes_wireless_CWSP.php
|-
|Linux /Unix Security
|Aug 04-07, Reston, VA
|http://www.securityuniversity.net/classes_linux_sec.php
|-
|Qualified Edge Protection: Firewalls, IPS, Spyware, Trojans and Viruses
|Aug 04-07, Reston, VA
|http://www.securityuniversity.net/classes_QEP.php
|-
|Macintosh Forensic Survival Course (MFSC)
|Aug 04-08, Huntington Beach, CA
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
|Certified Wireless Network Admin/Wireless Security Professional Bootcamp
|Aug 05-14, Reston, VA
|http://www.securityuniversity.net/classes_wireless_bootcamp.php
|-
|Certified Wireless Network Administrator
|Aug 05-08, Reston, VA
|http://www.securityuniversity.net/classes_wireless_CWNA.php
|-
|AccessData® BootCamp
|Aug 05-07, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData® Windows Forensics
|Aug 05-07, Louisville, KY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|Limited to Law Enforcement
|-
|Certified Steganography Examiner™
|Aug 06-07, Huntington, WV
|http://www.sarc-wv.com/training/training_huntington.aspx
|-
|Certified Wireless Security Professional
|Aug 11-14, Reston, VA
|http://www.securityuniversity.net/classes_wireless_CWSP.php
|-
|X-Ways Forensics
|Aug 12-14, Wheaton, IL
|http://www.x-ways.net/training/chicago.html
|-
|AccessData® Windows Forensics
|Aug 12-14, St Paul, MN
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData® BootCamp
|Aug 12-14, Albany, NY and New York City, NY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
|Aug 18-29, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|BlackBag Introductory MacIntosh Forensics
|Aug 18-22, San Jose, CA
|http://www.blackbagtech.com/products/training.htm
|-
|WetStone- Steganography Investigator Training
|Aug 19-20, Fairfax, VA
|https://www.wetstonetech.com/trainings.html
|-
|AccessData® BootCamp
|Aug 19-21, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone- Live Investigator Training
|Aug 26-27, Vancouver BC
|https://www.wetstonetech.com/trainings.html
|-
|AccessData® BootCamp
|Aug 26-28, Ft Lauderdale, FL
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData® BootCamp
|Sep 02-04, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Seized Computer Evidence Recovery Specialist (SCERS)
|Sep 08-19, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|Computer Hacking Forensic Investigator CHFI Prep/QFE Qualified Forensics Expert
|Sep 08-12, Reston, VA
|http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
|BlackBag Introductory MacIntosh Forensics
|Sep 08-12, Washington D.C.
|http://www.blackbagtech.com/products/training.htm
|-
|Macintosh Forensic Survival Course (MFSC)
|Sep 08-12, Bellingham, WA
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
|Windows NT File System(NTFS)
|Sep 08-11, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Fundamentals of Computer Forensics Imaging
|Sep 9-12, Falls Church, VA
|http://www.mantech.com/msma/isso.asp
|-
|WetStone- Steganography Investigator Training
|Sep 10-11, Online
|https://www.wetstonetech.com/trainings.html
|-
|ILook® Automated Forensic Application(ILook)
|Sep 15-19, Meriden, CT
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|WetStone- Hacking BootCamp for Investigators
|Sep 16-19, Charleston, SC
|https://www.wetstonetech.com/trainings.html
|-
|EnCase® v6 Computer Forensics II
|Sep 16-19, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData® Windows Forensics
|Sep 16-18, Columbia, SC
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|BlackBag Intermediate MacIntosh Forensics
|Sep 22-26, Richmond, VA
|http://www.blackbagtech.com/products/training.htm
|Limited to Law Enforcement
|-
|EnCase® v6 Advanced Computer Forensics
|Sep 23-26, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData® Windows Forensics
|Sep 23-25, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData® BootCamp
|Sep 23-25, Dallas, TX
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData® Applied Decryption
|Sep 23-25, Ft Lauderdale, FL and London, United Kingdom
|http://guest.cvent.com/EVENTS/Info/Summary.aspx?e=ab0c756b-3cf8-4161-8a70-0c11c6f018fc
|-
|X-Ways Forensics
|Sep 24-26, Alexandria, VA
|http://www.x-ways.net/training/washington_dc.html
|-
|BlackBag Introductory MacIntosh Forensics
|Sep 29-Oct 3, San Jose, CA
|http://www.blackbagtech.com/products/training.htm
|-
|X-Ways Forensics
|Sep 29-Oct 1, New York City, NY
|http://www.x-ways.net/training/new_york.html
|-
|WetStone- Live Investigator Training
|Sep 30- Oct 1, Fairfax, VA
|https://www.wetstonetech.com/trainings.html
|-
|EnCase® v6 Computer Forensics II
|Sep 30-Oct 03, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|BlackBag Introductory MacIntosh Forensics
|Oct 06-10, Los Angeles, CA
|http://www.blackbagtech.com/products/training.htm
|-
|X-Ways Forensics
|Oct 07-09, London, UK
|http://www.x-ways.net/training/london.html
|-
|AccessData® Windows Forensics
|Oct 07-09, Las Vegas, NV and New York City, NY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone- Steganography Investigator Training
|Oct 13-14, The Netherlands ENFSC Conference
|https://www.wetstonetech.com/trainings.html
|-
|AccessData® BootCamp
|Oct 14-16, Louisville, KY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|Limited to Law Enforcement
|-
|WetStone- Live Investigator Training
|Oct 18-19, Atlantic City, NJ HTCIA Conference
|https://www.wetstonetech.com/trainings.html
|-
|Computer Hacking Forensic Investigator CHFI Prep/QFE Qualified Forensics Expert
|Oct 20-24, Reston, VA
|http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
|Windows NT Operating System(NTOS)
|Oct 20-23, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|EnCase® v6 Computer Forensics II
|Oct 21-24, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData® Applied Decryption
|Oct 23-25, Sterling, VA
|http://guest.cvent.com/EVENTS/Info/Summary.aspx?e=ab0c756b-3cf8-4161-8a70-0c11c6f018fc
|-
|Certified Steganography Examiner™
|Oct 23-24, Gaithersburg, MD
|http://www.sarc-wv.com/training/training_gaithersburg.aspx
|-
|WetStone- Live Investigator Training
|Oct 24-25, Gaithersburg, MD Techno Forensics Conference
|https://www.wetstonetech.com/trainings.html
|-
|WetStone- Steganography Investigator Training
|Oct 24-25, Gaithersburg, MD Techno Forensics Conference
|https://www.wetstonetech.com/trainings.html
|-
|X-Ways Forensics (3 days), File Systems Revealed (2 days)
|Oct 27-31, Canberra, Australia
|http://www.x-ways.net/training/
|Limited to Law Enforcement/Government
|-
|EnCase® v6 EnScript® Programming - Phase I
|Oct 28-31, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData® Windows Forensics
|Oct 28-30, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|X-Ways Forensics
|Nov 03-05, Sydney, Australia
|http://www.x-ways.net/training/sydney.html
|-
|Macintosh Forensic Survival Course (MFSC)
|Nov 03-07, Bern, Switzerland
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
|Windows NT File System(NTFS)
|Nov 03-06, Meriden, CT
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|EnCase® v6 Computer Forensics II
|Nov 04-07, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData® BootCamp
|Nov 04-06, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData® Internet Forensics
|Nov 04-06, St Paul, MN
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData® Windows Forensics
|Nov 04-06, Albany, NY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|X-Ways Forensics
|Nov 11-13, Hong Kong
|http://www.x-ways.net/training/hong_kong.html
|-
|WetStone- Steganography Investigator Training
|Nov 11-12, Fairfax, VA
|https://www.wetstonetech.com/trainings.html
|-
|BlackBag Intermediate MacIntosh Forensics
|Nov 17-21, Washington D.C.
|http://www.blackbagtech.com/products/training.htm
|-
|WetStone- Hacking BootCamp for Investigators
|Nov 18-21, Vancouver BC
|https://www.wetstonetech.com/trainings.html
|-
|EnCase® v6 Network Intrusion Investigations - Phase I
|Nov 18-21, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase® v6 Computer Forensics II
|Nov 25-28, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData® Internet Forensics
|Nov 25-27, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|BlackBag Intermediate MacIntosh Forensics
|Dec 01-05, San Diego, CA
|http://www.blackbagtech.com/products/training.htm
|-
|Windows Internet Trace Evidence(INET)
|Dec 01-05, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|AccessData® Windows Forensics
|Dec 02-04, Ft Lauderdale, FL; New York City, NY; and London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Fundamentals of Computer Forensics Imaging
|Dec 02-05, Falls Church, VA
|http://www.mantech.com/msma/isso.asp
|-
|Computer Hacking Forensic Investigator CHFI Prep/QFE Qualified Forensics Expert
|Dec 08-12, Reston, VA
|http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
|Windows NT Operating System(NTOS)
|Dec 08-11, Meriden, CT
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Application Forensics Course
|Dec 08-19, Hong Kong Police College
|http://www.police.gov.hk/police/policecollege/english/pdl/pold.htm
|Limited to Law Enforcement
|-
|EnCase® v6 Computer Forensics II
|Dec 09-12, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData® Internet Forensics
|Dec 09-11, Dallas, TX and New York City, NY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData® Windows Forensics
|Dec 09-11, Louisville, KY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|Limited to Law Enforcement
|-
|EnCase® v6 Advanced Computer Forensics
|Dec 16-19, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData® BootCamp
|Dec 16-18, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|**__2009 EVENTS__**
|_______2009_______
|-
|Linux File System for Computer Forensic Examiners(Linux)
|Jan 12-16, 2009, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Windows Internet Trace Evidence(INET)
|Jan 19-23, 2009, Meriden, CT
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Linux File System for Computer Forensic Examiners(Linux)
|Mar 02-06, 2009, Meriden, CT
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|}

Talk:Reiserfs

2008-07-17T20:17:26Z

Pmow: New page: <pre>Reporting-MTA: dns;bigfish.com Received-From-MTA: dns;mail12-va3-R.bigfish.com Arrival-Date: Thu, 17 Jul 2008 15:33:29 +0000 Final-Recipient: rfc822;florian@purdue.edu Action: failed...

<pre>Reporting-MTA: dns;bigfish.com
Received-From-MTA: dns;mail12-va3-R.bigfish.com
Arrival-Date: Thu, 17 Jul 2008 15:33:29 +0000

Final-Recipient: rfc822;florian@purdue.edu
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp;550 5.1.1 <florian@purdue.edu>... User unknown
Remote-MTA: dns;mailhub248.itcs.purdue.edu</pre>

I got the above when attempting to contact "Florian" for copyright information...the page was last modified Jan 26th 2006 and I might've not cited the page correctly at all here.

AccessData

2008-07-17T20:11:43Z

Pmow: Changed FTK tag to reflect official site, added Mobile Phone Examiner update

''AccessData'' offers computer forensics software and training. Their flagship product is [[Forensic Toolkit]], but they offer several others including:
* [[FTK Imager]]
* [[PRTK|Password Recovery Toolkit]], a workstation-level password cracking application.
* [[DNA|Distributed Network Attack]], their distributed cyptographic brute force cracking network.
* [[FTK Mobile Phone Examiner]], a cellular phone evidence collection tool.

== Trivia ==

In 2006, a team from AccessData won the [[DC3 Digital Forensics Challenge]].

== External Links ==

[http://www.accessdata.com/ Official Website]

[[Category:Vendor]]

File:Superblock example.png

2008-07-17T18:27:32Z

Pmow:

Reiserfs

2008-07-17T18:27:24Z

Pmow: Editing GIFs to PNG since GIFs are not allowed

Reiserfs

2008-07-17T18:26:42Z

Pmow:

== Detecting ReiserFS in a forensics environment ==

[[Image:Superblock.png]]

Note: These are in [http://en.wikipedia.org/wiki/Little_endian little-endian] format. [[User:Pmow|Pmow]] 18:21, 17 July 2008 (UTC)
<table border="0">

<tr>
<th> '''Name''' </th>

<th> Size </th>
<th> Description </th>
</tr>
<tr>
<td> Block count </td>
<td align="center"> 4 </td>

<td> The number of blocks in the partition </td>
</tr>
<tr>
<td> Free blocks </td>
<td align="center"> 4 </td>
<td> The number of free blocks in the partition </td>

</tr>
<tr>
<td> Root block </td>
<td align="center"> 4 </td>
<td> The block number of the block containing the root node </td>
</tr>
<tr>
<td> Journal block </td>

<td align="center"> 4 </td>
<td> The block number of the block containing the first journal node 
</td></tr><tr>
<td> Journal device </td>
<td align="center"> 4 </td>

<td> Journal device number (not sure what for) </td>
</tr>
<tr>
<td> Orig. journal size </td>
<td align="center"> 4 </td>
<td> Original journal size. Needed when using partition on systems with different default journal sizes.</td></tr>

<tr>
<td> Journal trans. max </td>
<td align="center"> 4 </td>
<td> The maximum number of blocks in a transaction </td>
</tr>
<tr>
<td> Journal magic </td>

<td align="center"> 4 </td>
<td> A random magic number </td>
</tr>
<tr>
<td> Journal max batch </td>
<td align="center"> 4 </td>

<td> The maximum number of blocks in a transaction </td>
</tr>
<tr>
<td> Journal max commit age </td>
<td align="center"> 4 </td>
<td> Time in seconds of how old an asynchronous commit can be </td>

</tr>
<tr>
<td> Journal max trans. age </td>
<td align="center"> 4 </td>
<td> Time in seconds of how old a transaction can be </td>
</tr>
<tr>
<td> Blocksize </td>

<td align="center"> 2 </td>
<td> The size in bytes of a block </td>
</tr>
<tr>
<td> OID max size </td>
<td align="center"> 2 </td>

<td> The maximum size of the object id array </td>
</tr>
<tr>
<td> OID current size </td>
<td align="center"> 2 </td>
<td> The current size of the object id array </td>

</tr>
<tr>
<td> State </td>
<td align="center"> 2 </td>
<td> State of the partition: valid (1) or error (2) </td>
</tr>
<tr>
<td> Magic string </td>

<td align="center"> 12 </td>
<td> The reiserfs magic string, should be "ReIsEr2Fs" </td>
</tr>
<tr>
<td> Hash function code </td>
<td align="center"> 4 </td>

<td> The hash function that is being used to sort names in a directory</td></tr>
<tr>
<td> Tree Height </td>
<td align="center"> 2 </td>
<td> The current height of the disk tree </td>

</tr>
<tr>
<td> Bitmap number </td>
<td align="center"> 2 </td>
<td> The amount of bitmap blocks needed to address each block of the file system</td></tr>
<tr>
<td> Version </td>

<td align="center"> 2 </td>
<td> The reiserfs version number </td>
</tr>
<tr>
<td> Reserved </td>
<td align="center"> 2 </td>

<td>   </td>
</tr>
<tr>
<td> Inode Generation </td>
<td align="center"> 4 </td>
<td> Number of the current inode generation. </td>

</tr>
</table>

The following is the start of the superblock of a 256MB reiserfs partition on an Intel based system:

<pre>00000000 66 00 01 00 93 18 00 00 82 40 00 00 12 00 00 00 f........@......
00000010 00 00 00 00 00 20 00 00 00 04 00 00 ac 34 11 57 ..... ......¬4.W
00000020 84 03 00 00 1e 00 00 00 00 00 00 00 00 10 cc 03 ..............Ì.
00000030 08 00 02 00 52 65 49 73 45 72 32 46 73 00 00 00 ....ReIsEr2Fs...
00000040 03 00 00 00 04 00 03 00 02 00 00 00 dc 52 00 00 ............ÜR..
</pre>

[[Image:superblock_example.gif]]

 Block count: 65638
 Free blocks: 6291
 Root block: 16514
 Journal block: 18
 Journal device: 0
 Original journal size: 8192
 Journal trans. max: 1024
 Journal magic: 1460745388
 Journal max. batch: 900
 Journal max. commit age: 30
 Journal max. trans. age: 0
 Blocksize: 4096
 OID max. size: 972
 OID current size: 8
 State: 2 (error)
 Magic String: ReIsEr2Fs
 Hash function code: 3
 Tree height: 4
 Bitmap number: 3
 Version: 2
 Inode generation: 21212

== External Links ==
* [http://en.wikipedia.org/wiki/Reiserfs ReiserFS on Wikipedia]
* [http://homes.cerias.purdue.edu/~florian/reiser/reiserfs.php The structure of the Reiser file system]

File:Superblock.png

2008-07-17T18:26:19Z

Pmow:

Reiserfs

2008-07-17T18:21:07Z

Pmow: Creation, not attributed yet

== Detecting ReiserFS in a forensics environment ==

[[Image:Superblock.gif]]

Note: These are in [http://en.wikipedia.org/wiki/Little_endian little-endian] format. [[User:Pmow|Pmow]] 18:21, 17 July 2008 (UTC)
<table border="0">

<tr>
<th> '''Name''' </th>

<th> Size </th>
<th> Description </th>
</tr>
<tr>
<td> Block count </td>
<td align="center"> 4 </td>

<td> The number of blocks in the partition </td>
</tr>
<tr>
<td> Free blocks </td>
<td align="center"> 4 </td>
<td> The number of free blocks in the partition </td>

</tr>
<tr>
<td> Root block </td>
<td align="center"> 4 </td>
<td> The block number of the block containing the root node </td>
</tr>
<tr>
<td> Journal block </td>

<td align="center"> 4 </td>
<td> The block number of the block containing the first journal node 
</td></tr><tr>
<td> Journal device </td>
<td align="center"> 4 </td>

<td> Journal device number (not sure what for) </td>
</tr>
<tr>
<td> Orig. journal size </td>
<td align="center"> 4 </td>
<td> Original journal size. Needed when using partition on systems with different default journal sizes.</td></tr>

<tr>
<td> Journal trans. max </td>
<td align="center"> 4 </td>
<td> The maximum number of blocks in a transaction </td>
</tr>
<tr>
<td> Journal magic </td>

<td align="center"> 4 </td>
<td> A random magic number </td>
</tr>
<tr>
<td> Journal max batch </td>
<td align="center"> 4 </td>

<td> The maximum number of blocks in a transaction </td>
</tr>
<tr>
<td> Journal max commit age </td>
<td align="center"> 4 </td>
<td> Time in seconds of how old an asynchronous commit can be </td>

</tr>
<tr>
<td> Journal max trans. age </td>
<td align="center"> 4 </td>
<td> Time in seconds of how old a transaction can be </td>
</tr>
<tr>
<td> Blocksize </td>

<td align="center"> 2 </td>
<td> The size in bytes of a block </td>
</tr>
<tr>
<td> OID max size </td>
<td align="center"> 2 </td>

<td> The maximum size of the object id array </td>
</tr>
<tr>
<td> OID current size </td>
<td align="center"> 2 </td>
<td> The current size of the object id array </td>

</tr>
<tr>
<td> State </td>
<td align="center"> 2 </td>
<td> State of the partition: valid (1) or error (2) </td>
</tr>
<tr>
<td> Magic string </td>

<td align="center"> 12 </td>
<td> The reiserfs magic string, should be "ReIsEr2Fs" </td>
</tr>
<tr>
<td> Hash function code </td>
<td align="center"> 4 </td>

<td> The hash function that is being used to sort names in a directory</td></tr>
<tr>
<td> Tree Height </td>
<td align="center"> 2 </td>
<td> The current height of the disk tree </td>

</tr>
<tr>
<td> Bitmap number </td>
<td align="center"> 2 </td>
<td> The amount of bitmap blocks needed to address each block of the file system</td></tr>
<tr>
<td> Version </td>

<td align="center"> 2 </td>
<td> The reiserfs version number </td>
</tr>
<tr>
<td> Reserved </td>
<td align="center"> 2 </td>

<td>   </td>
</tr>
<tr>
<td> Inode Generation </td>
<td align="center"> 4 </td>
<td> Number of the current inode generation. </td>

</tr>
</table>

The following is the start of the superblock of a 256MB reiserfs partition on an Intel based system:

<pre>00000000 66 00 01 00 93 18 00 00 82 40 00 00 12 00 00 00 f........@......
00000010 00 00 00 00 00 20 00 00 00 04 00 00 ac 34 11 57 ..... ......¬4.W
00000020 84 03 00 00 1e 00 00 00 00 00 00 00 00 10 cc 03 ..............Ì.
00000030 08 00 02 00 52 65 49 73 45 72 32 46 73 00 00 00 ....ReIsEr2Fs...
00000040 03 00 00 00 04 00 03 00 02 00 00 00 dc 52 00 00 ............ÜR..
</pre>

[[Image:superblock_example.gif]]

 Block count: 65638
 Free blocks: 6291
 Root block: 16514
 Journal block: 18
 Journal device: 0
 Original journal size: 8192
 Journal trans. max: 1024
 Journal magic: 1460745388
 Journal max. batch: 900
 Journal max. commit age: 30
 Journal max. trans. age: 0
 Blocksize: 4096
 OID max. size: 972
 OID current size: 8
 State: 2 (error)
 Magic String: ReIsEr2Fs
 Hash function code: 3
 Tree height: 4
 Bitmap number: 3
 Version: 2
 Inode generation: 21212

== External Links ==
* [http://en.wikipedia.org/wiki/Reiserfs ReiserFS on Wikipedia]
* [http://homes.cerias.purdue.edu/~florian/reiser/reiserfs.php The structure of the Reiser file system]