<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
<channel>
  <title>Forensic Focus</title>
  <link>http://www.forensicfocus.com/</link>
  <description>Forensic Focus - Computer Forensics News, Information and Community</description>
  <language>en-us</language>
  <pubDate>Tue, 21 May 2013 00:54:13 GMT</pubDate>
  <ttl>1440</ttl>
  <generator>CPG-Nuke Dragonfly</generator>
  <copyright>Forensic Focus</copyright>
  <category>Forums</category>
  <docs>http://backend.userland.com/rss</docs>
  <image>
    <url>http://www.forensicfocus.com/images/logo.gif</url>
    <title>Forensic Focus</title>
    <link>http://www.forensicfocus.com/</link>
  </image>

<item>
  <title>Forensic Software: Time Stamp Mystery</title>
  <link>http://www.forensicfocus.com/Forums/viewtopic/p=6567150/#6567150</link>
  <description>writerkeith wrote:

	
The Google search was made with a Firefox browser.  I decoded the Firefox history file into xls files using a Perl script written by a one-time employee of Netscape (precursor to Firefox). The time stamp for the Google search was noon, which is 1 hour later than the time the other forensic expert said the search was done.

Okay, so then you know/can see exactly what the script is doing, and how it&#039;s extracting and translating the time value.  As such, you can then compare that to what Mozilla says is the way to go about translating the time value, and ensure that it is correct.</description>
  <pubDate>Tue, 21 May 2013 00:54:13 GMT</pubDate>
</item>

<item>
  <title>Mobile Phone Forensics: Nokia Symbian 3 date and time database format</title>
  <link>http://www.forensicfocus.com/Forums/viewtopic/p=6567146/#6567146</link>
  <description>nsbuck wrote:

	
It&#039;s an Int64 number obtained from the messages database file from a Nokia N8. I am not having much success with an Excel function (partly because I am feeling under the weather).
Produce another &quot;checked&quot; couple like this one: 
63518562987097375 which is translated to 15/10/2012 14:16:13 (UTC)


	nsbuck wrote:

	
I was wondering if the number has to be converted initially so that you can use the formula to calculate the number of nanoseconds from either 1/1/0001 or 1/1/1601.

Any thoughts will be most welcome?


From that single data point, the number corresponding to 1/1/2000 00:00:00 is seemingly 63.114.937.214*10^6.

Take this:
 63.518.562.987.097.375 (in Excel it will likely become  63.518.562.987.097.300)
divide it by 1,000,000
get  63.518.562.987 
divide this by 86400 (24*60*60)
get  735.169 
divide by 365 (approximated) and you get 2014. (which is close enough to 2012 to believe that the original info is &quot;wrong&quot; and the number actually represents nanoseconds and not hundreds of nanoseconds)

Now in Excel, subtract from the date 15/10/2012 14:16:13 the date 01/01/2000 14:16:13.
You will get an integer number of days, 4671.
Now:
4671*86400+14*3600+16*60+13= 403.625.773 
63.518.562.987-403.625.773= 63.114.937.214 

Check other dates calculating the time starting from 1/1/2000 00:00:00.

jaclaz</description>
  <pubDate>Mon, 20 May 2013 11:53:43 GMT</pubDate>
</item>

<item>
  <title>General Discussion: RegRipper v2.8 available</title>
  <link>http://www.forensicfocus.com/Forums/viewtopic/p=6567144/#6567144</link>
  <description>DennisMcr wrote:

	I think it says &quot;password not required&quot; when one is required on a Windows 7 Home Premium, Version 6.1, SP1 machine.  This applied to 2 user accounts on the same computer.

My reasons for saying this are:

Ophcrack has found a password.
There is a password hint.
There was an incorrect password logon attempt at 07:49
There was a logon at 07:55
The computer was seized at 08:30
ForensicUserInfo also says a password is required.

Unfortunately I&#039;m unable to VM this computer.

If you&#039;re able to show/demo that the flag setting is incorrectly represented, please do so and I&#039;ll be more than happy to address it.

The &quot;password not required&quot; entry is a flag setting, and means simply that...that a password is not required:
http://technet.microsoft.com/en-us/library/cc755423(v=ws.10).aspx

It does NOT mean that the account does not have a password...it means that if account policies are set on the system, with respect to password complexity, length, etc., that they do not apply to that account.  That&#039;s all it means.  Again, it does NOT mean that the account does not have a password.

There is a sidebar on Pg 93 of &quot;Windows Registry Forensics&quot; that addresses this setting.</description>
  <pubDate>Mon, 20 May 2013 10:32:07 GMT</pubDate>
</item>

<item>
  <title>Mobile Phone Forensics: IOS physical acquisition</title>
  <link>http://www.forensicfocus.com/Forums/viewtopic/p=6567139/#6567139</link>
  <description>Is there a comparison sheet between UFED versions?</description>
  <pubDate>Mon, 20 May 2013 07:06:10 GMT</pubDate>
</item>

<item>
  <title>General Discussion: Looking for program/script to carve out dates from a file</title>
  <link>http://www.forensicfocus.com/Forums/viewtopic/p=6567138/#6567138</link>
  <description>FYI Craig from Digital Detective was kind enough to reply to my email with the following:

2013/05/08

	Quote::

	Hi
 
I am sorry, that tool is no longer available.    Unfortunately, the tool was written in an older version of Visual Studio, so it would have to be re-written and updated.
We do not have any plans at this moment to release it as a free tool.
 
Regards
Craig</description>
  <pubDate>Mon, 20 May 2013 04:03:03 GMT</pubDate>
</item>

<item>
  <title>Forensic Software: The X-Ways Forensics Practitioner&#039;s Guide</title>
  <link>http://www.forensicfocus.com/Forums/viewtopic/p=6567137/#6567137</link>
  <description>The book is done and pre-order ready, fyi. 

https://xwaysforensics.wordpress.com/</description>
  <pubDate>Sun, 19 May 2013 20:37:36 GMT</pubDate>
</item>

<item>
  <title>General Discussion: NAND flash disk ECC</title>
  <link>http://www.forensicfocus.com/Forums/viewtopic/p=6567134/#6567134</link>
  <description>rs8191 wrote:

	Yes, that is correct, there are two NAND Flash with the same control line (Chipselect; WR; RE; D0-D7 CHIP0; D8-D15 chip1).
Therefore that is read and write twice as quickly if the CPU must address the storage media only with a step and puts for that a 16 bit word on the data bus.

Well, I am probably far thicker than you would like, but earlier you talked of 4 &quot;items&quot; (that I imagined being &quot;banks&quot;, i.e. chips) 2 GB each, now you are talking of 2 of them (that you explicitly call &quot;chips&quot;).

How many &quot;chips&quot; are there on that stick?
How big in size are each?
Which is the total capacity of the stick?
Describe a &quot;chip&quot;.

jaclaz</description>
  <pubDate>Sun, 19 May 2013 19:17:46 GMT</pubDate>
</item>

<item>
  <title>General Discussion: Mac Serial Number from DMG image</title>
  <link>http://www.forensicfocus.com/Forums/viewtopic/p=6567133/#6567133</link>
  <description>One method:

1. Get another MacBook, preferably with the same OS
2. Note serial number
3. Search for serial number; make sure you include hidden/system files
4. If you find it, note the location! 

But you&#039;ve tried this already, right?</description>
  <pubDate>Sun, 19 May 2013 19:13:42 GMT</pubDate>
</item>

<item>
  <title>Forensic Hardware: duplicators which can image without removing hard drive</title>
  <link>http://www.forensicfocus.com/Forums/viewtopic/p=6567131/#6567131</link>
  <description>taneryldz wrote:

	Hi, I am a technician at a forensic firm. I am a newbie in this area, so look with favor on my ignorance. Is there any duplicator or tool that can manage this work? If not, can you suggest a solution? We strongly need a solution to do this work. Any suggestion would be very appreciated, thanks a lot.
Logicube products such as Dossier and Talon Enhanced can do that</description>
  <pubDate>Sun, 19 May 2013 13:28:57 GMT</pubDate>
</item>

<item>
  <title>General Discussion: Recovered Lotus Notes nsf files can not be opened</title>
  <link>http://www.forensicfocus.com/Forums/viewtopic/p=6567130/#6567130</link>
  <description>Hi all
Is there anybody who knows how to fix this problem: I&#039;ve used Encase 7 to carve out a lot of IBM Lotus Notes nsf files (in the unallocated space) but none of them can be opened. I&#039;m sure there are certainly some false positives, but some of the right ones still cannot be opened (I know they are not false positives because I can see in Encase the &quot;Lotus Notes&quot; characters and some email header/address information, though I cannot see the contents, as they are confused characters). I put the carved nsf files in the Lotus Notes client but it says that the email version is not right. Hope someone can give a little advice.
Thanks a lot</description>
  <pubDate>Sun, 19 May 2013 12:59:46 GMT</pubDate>
</item>

</channel>
</rss>
