Forensic Focus

Computer Forensics Job Vacancies: Computer Forensics Examiners- Virginia

Sat, 13 Mar 2010 19:56:37 GMT

debaser_ wrote: In his defense, he did say ground floor. Maybe the website isn't even finished yet. :) Why do you feel the need to defend anyone in this case? I simply pointed to the web page, and I didn't say anything negative about the company. If they are 'ground floor', that's simply something for applicants to consider. Nothing negative about going in with your eyes wide open. Some people like that, some may not.

Education and Training: Disertation ideas?

Sat, 13 Mar 2010 19:40:04 GMT

Does anyone like these ideas...? 1. Log extractor for the Digsby I.M client to GUI for easy viewing (Digsby handles multiple I.M accounts) 2. Android information extractor 3. Chrome information extractor 4. Safari cache.db files, extracting information Thanks

General Discussion: Nothing on hard disk to recover?

Sat, 13 Mar 2010 19:33:50 GMT

A few years ago I had a desktop with an 80 GB primary drive and an 250 GB secondary drive. There was there was a 3rd hard drive laying unattached to the bottom of the case it was 80 Gb. I imaged all three drives. When I examined the third drive I found it to contain almost all multimedia material. I was sure that the 250 GB HD had all the evidence I was looking for. I loaded the image of the 250 Gb HD into FTK and went to sleep while the program did its thing. When I woke up I found I had virtually nothing. At first I tried to figure out how I could have wiped the 250 Gbyte image. After a while I went into the registry that was on the primary 80 GB HD. Once there I could see what happened. The 250 GB HARD drive that I had been given was brand-new. There had been a different 250 GB hard drive installed in that computer, but it was long gone. This was a domestic case in which the SUBJECT had apparently tapped the phone. He heard my client, his wife make arrangements for me to receive the computer. He thereupon removed the 250 GB hard drive, went to Best Buy and bought a replacement which I ended up with. We were able to verify all of that with Best Buy records and through a brother-in-law who the loudmouthed SUBJECT confided in. We had of course the serial number of the "new" 250 Gbyte HD and the serial number of the one he had removed. The case was all about substantial community assets that he had ratholed. The lawyer and I want to move forward and supeoena the missing hard drive. But the client, apparently still hopeful of a reconciliation dropped the case. I thought of that when you said that you couldn't find anything on the hard drive.

General Discussion: Procedure for CP evidence?

Sat, 13 Mar 2010 19:03:23 GMT

Greetings, Does anyone have any citations containing more information about the repair guy who ended up doing jail time? I suspect there's more to the story .... -David

General Discussion: Coping Strategies

Sat, 13 Mar 2010 18:58:45 GMT

Azrael, "Individuals who are exposed to images of sexual abuse on a regular basis should attend a psychological support scheme. A minimum of one session per year should be considered and group or individual sessions may be appropriate or a combination of both of these. Consider, too, a protocol for 24-hour access to occupational health and restrict access to the environment where these images are being viewed." You guys in the UK have got it made with getting your head shrunk at least once a year! Frankly, I consider it all psychobabble and a waste of the taxpayers money. I would really worry about continuing to use someone who was really emotionally stressed by sexual abuse. Many years ago, I sat as a case supervisor for approximately 300 sex offenses per month. That's all I did, 40 hours a week. I did that for one year. I'll admit that it caused me to focus on the behavior of strangers more than normal, but it didn't make me feel stressed or anything like that. Later, when it took over that entire division I reorganized so as to mix all types of crimes against persons. Thus the individual case supervisors would get to vary their caseload so as to include, assaults, homicides and sex offenses. It is I see it, a lot of this business is dirty and distasteful. That goes with the territory. Working with a computer graphic is only a part of the investigative problem. However, it is indeed a part of that cannot be ignored. I would worry about employing anyone in that capacity who was psychologically challenged by that part of the work.

General Discussion: Dell Hard disk failure

Sat, 13 Mar 2010 18:04:19 GMT

athulin wrote: I suggest you try Seagate again: they are the experts. If this is the Barracuda 7200.11 problem (which also affects some other drives), it is a firmware bug that locks the drive up when it is powered on. As far as I know, you can download the firmware patch from their support site. In this case, ordinary recovery tools won't be any help: the drive has locked up, and you simply can't access it unless the firmware is patched.Not really. <img src="images/smiles/icon_sad.gif" alt="Sad" title="Sad" border="0" /> The firmware won't be of any use until you unbrick it: http://www.msfn.org/board/index.php?showtopic=128807 A fully detailed guide (for the 7200.11 ONLY, and ONLY for the two common "bricking" problems, i.e. LBA0 and BSY) is, besides the above given thread, here: http://www.mapleleafmountain.com/seagatebrick.html Seagate has been VERY, VERY elusive about the problem. And lately i365 after a few documented free recoveries started again charging money for the recovery. The 5400.3 is an alltogether different thing. Most probably it lost some "tracking data", such problems can usually be solved, but it is not a DIY kind of job, you need specialized software/hardware, very, very costly (please read as PC3000 - linked above - or similar solutions form salvationdata, if I am not mistaken in the US$ 2,500÷3,500) jaclaz

General Discussion: Unrecognized SD Card

Sat, 13 Mar 2010 17:52:23 GMT

Can you access it as \\.\PhysycalDrive? <img src="images/smiles/icon_question.gif" alt="Question" title="Question" border="0" /> I mean what you are you using to access it? Explorer? What happens in Disk Management (or in diskpart)? Nothing? Is this what you mean by: Quote:: - Different versions of Windows/Linux and computers does not even acknowledge that the card exists. jaclaz

General Discussion: Top 100 Computer Forensics Twitterers to Follow

Sat, 13 Mar 2010 16:34:55 GMT

Alan, good to hear from you - it's been a while! I must admit I was equally skeptical to begin with but Twitter has actually proved to be one of the more effective networking tools I've used in recent years. Jamie

Commercial/Proprietary Software: FTX 1.x, 2.x or 3.x ??

Sat, 13 Mar 2010 16:21:03 GMT

I have used all three versions of FTK. At this point, I wouldn't waste my time or money on FTK 1.x or 2.x. FTK 1 was and I suppose still is, a reliable workhorse. FTK 2. came out as a dog. Many, like I threw it in the trashcan and went back to FTK 1 or switched to another product or both. Later versions of FTK 2.x worked well. However access data management picked up on the fact that they had alieated and perhaps lost a lot of customers with the initial issue of FTK 2.0. Very much of their credit they moved forward with FTK 3. There were some early problems, but the current version FTK 3.0.4 is an absolute gem! Some people seem to have problems but they sound hardware related in many cases. I personally have had almost no problems at all with FTK 3.0.4 and would recommend it highly. It takes so much of the grunt work out of the initial analysis, it's a pleasure to use. I am currently using the 64-bit version on a 64 XP bit machine. My processor is an Intel core i7 and I have 12 gb of RAM. I am using it on a single machine and I have not tested it in a distributed processing mode.

Education and Training: Sample forensic images

Sat, 13 Mar 2010 10:51:17 GMT

Thanks!