I am happy to announce that frag_find version 1.3 is released! You can download it from http://afflib.org/. frag_find is a sector hash-based carver. Given a...
3177
Simson Garfinkel
simsongarfinkel
Jan 13, 2010 5:52 am
I see that yahoo removed the line indents from my program; you can find it as part of the iverify.py program in the fiwalk package at afflib.org. Simson ...
3178
Harvey Rothenberg
forensic28sa
Jan 28, 2010 6:04 pm
OOOps! Sorry I did not mean not to include this group, so here is this information on Version 3.0 and Linux. Regards, Harvey ... From: Harvey Rothenberg...
3179
Nanni Bassetti
nannib7013
Feb 19, 2010 10:35 am
Yesterday we launched AIR 2.0.0 (Automated Image and Restore) A new version of AIR has been released. The primary change is that it now supports the dc3dd...
3180
Lehr, John
slopd4256
Feb 23, 2010 11:49 pm
Does anyone know if sqlite databases can leech old block data into their structure? My situation: I am examining a Mac with sleuthkit. As part of my exam, I...
3181
Lehr, John
slopd4256
Feb 24, 2010 12:07 am
Maybe it is a deleted record? ______________________________ John Lehr Evidence Technician San Luis Obispo Police Department ______________________________ ...
3182
Jacques B.
jboucher_work
Feb 24, 2010 1:18 am
... There was an article in 2009 in Digital Investigation publication as follows: Forensic analysis of the Firefox 3 Internet history and recovery of deleted...
3183
Mada R Perdhana
mrp_bpp
Feb 25, 2010 7:17 pm
dear list, are there any ways to mount a splitting dd image without re-joining the image (ex:cat img.001 img.002 etc), since I'm using ext hd which partitioned...
3184
Barry Grundy
grundy_b
Feb 25, 2010 8:33 pm
Actually, there is. Read up on mdadm and the linear option (linear raid). Associate each split part with a loop device, then create a linear raid from the...
3185
Brian Carrier
bdcarrier
Mar 2, 2010 3:57 pm
We are thinking about hosting the first ever Sleuth Kit and Open Source Forensics Users Conference this year on June 9 in Chantilly, VA (USA). It would be held...
3186
Mada R Perdhana
mrp_bpp
Mar 3, 2010 12:33 am
I already use the loopback and mdadm, but still could not access it, I don't know why, but when I have the ext partition, I could access it. Then I try using...
3187
Lehr, John
slopd4256
Mar 3, 2010 5:24 am
I don't know if my first reply got through, sorry to be repetitive if it did. I'm pretty sure that afflib (www.afflib.org) will mount split dd images with the...
3188
Lehr, John
slopd4256
Mar 4, 2010 7:48 pm
Good Morning, Everyone, Does anyone know how the file command interprets the time information in a CDF document, like Microsoft Word? Scenario: I have...
3189
Jacques B.
jboucher_work
Mar 4, 2010 9:24 pm
... The file command uses the magic file. On my system it's located at /usr/share/misc/magic. You can edit the magic file and re-compile it, or create a new...
3190
Simson Garfinkel
simsongarfinkel
Mar 4, 2010 9:35 pm
It doesn't. You need to use wvSummary ... [Non-text portions of this message have been removed]...
3191
Luis Salazar
Luis.Salazar@...
Mar 8, 2010 9:36 pm
Hello group, I was wondering if the group has a list of linux based forensic training that you wouldn't mind sharing. I'm aware of Farmer Dude's site. Are...
3192
Clayton Hoskinson
cfexaminer1
Mar 18, 2010 5:06 pm
http://psmtecnologia.com/louismarie.html...
3193
Clayton Hoskinson
cfexaminer1
Mar 19, 2010 1:35 am
http://crescentstudies.com/Gloria.html...
3194
Brian Carrier
bdcarrier
Apr 1, 2010 9:39 pm
The first ever Sleuth Kit and Open Source Digital Forensics Conference will be held on June 9, 2010 in Chantilly, Virginia (USA) and feature talks by leading...
3195
Simson Garfinkel
simsongarfinkel
Apr 2, 2010 7:37 pm
I have an E01 file that appears corrupted. It's big (15GB), so I hate to lose it. Anyone know if there is a way to get ANY of the data out of the file? $...
3196
Jacques B.
jboucher_work
Apr 2, 2010 8:57 pm
If it's only the EnCase metadata that's corrupted you could use SMART from ASRDATA (or contact Andy Rosen at ASRDATA for assistance) to still open the image...
3197
Gary Funck
garyfunck
Apr 3, 2010 10:34 am
... Maybe try another application, like FTK Imager, or Mount Image Pro, and see if they'll ignore the corrupted header?...
3198
Simson Garfinkel
simsongarfinkel
Apr 3, 2010 4:02 pm
... Thanks. It seems that FTK imager doesn't read E01 files. I tried FTK 3.0 and it wouldn't read it. I may go through the libewf source code and try to create...
3199
David Kovar
dkovar
Apr 3, 2010 4:19 pm
Greetings, FTK Imager will convert an E01 image (EnCase) to a raw dd image. Start Imager, select Create Disk Image, select Image File, point it at the first...
3200
Nanni Bassetti
nannib7013
Apr 3, 2010 8:16 pm
I read E01 files by FTK Imager 2.5.4.16 :-) I tried on 2 .E01 files...one of them is the demo case in Encase 6.0 Demo:Hunter XP.E01 bye ... Dott. Nanni...
3201
Mada R Perdhana
mrp_bpp
Apr 8, 2010 4:47 am
"Never Trust an Operating System You don't have the Source for..." "Closed Source for device Driver are ILLEGAL and not Ethical... act!" "Isn't it, MS Windows...
3202
Gary Funck
garyfunck
Apr 8, 2010 11:31 pm
Just tried installing the afftools-3.3.4-7.fc11.x86_64 RPM on Fedora Core 11. Installed without complaint. Then tried to run 'affuse' and received the...
3203
Lehr, John
slopd4256
Apr 9, 2010 12:04 am
Hi Gary, I use the affuse tool to mount images all the time. It is very effective. It looks that the rpm you installed has a binary built without fuse...
3204
Gary Funck
garyfunck
Apr 9, 2010 1:16 am
John, thanks for the info. We generally like to install rpm's/packages from the distro repositories when we can. But if that's not going to work, then will...