
File Carving and Metadata Question.

22 Posts
6 Users
0 Reactions
3,563 Views
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Doesn't show the A drive as one of the option drives. I am noticing that Disk manager also is not picking up a. I need to see what's the deal with the virtual env, it is accessible otherwise.

Did you attach the floppy drive to the VM in the settings?


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

First time I have heard of PHOTOREC, looks pretty cool though. Had issues trying to run it in the VM. Doesn't show the A drive as one of the option drives. I am noticing that Disk manager also is not picking up a. I need to see what's the deal with the virtual env, it is accessible otherwise.

Well, no need for a floppy drive.
PHOTOREC can access an image all right (as long as you pass its path/name as a parameter on command line).
http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step

jaclaz


   
KungFuAction
(@kungfuaction)
Estimable Member
Joined: 13 years ago
Posts: 109
 

Just pay $265.98 for WinHex Specialist. Hands down, the best bang for your buck, as it does what all the other packages that have been mentioned do in one program in a fraction of the time

http://www.x-ways.net/winhex/specialist_tools.html


   
(@nerdrage)
Eminent Member
Joined: 13 years ago
Posts: 21
Topic starter  

Bithead yea, the floppy is mounted there and shows as a drive, I can access it in command prompt, which is odd, I was able to image it fine as well. I double checked the mount image as floppy setting in fusion and all looks good. Has to be some odd glitch with fusion.

Well, no need for a floppy drive.
PHOTOREC can access an image all right (as long as you pass its path/name as a parameter on command line).
http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step
jaclaz

Gave it another shot. Rather than just clicking the bin, this time I called photorec from command directly which allowed me to pass the dd file w/ a switch. Really cool, I like it, the only thing that I found odd was it pulled everything out as qdf file format. Changed to doc and doc scrubber was able to pick up revision history where the original file name was listed in a revision meta. The qdf issue was odd though, didn't find any reason for this on the website or documentation.

Do you have any recommendations for document brute force utils? Never had any reason to use one until now.


   
KungFuAction
(@kungfuaction)
Estimable Member
Joined: 13 years ago
Posts: 109
 

Do you have any recommendations for document brute force utils? Never had any reason to use one until now.

https://www.password-find.com/prices.htm


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Gave it another shot. Rather than just clicking the bin, this time I called photorec from command directly which allowed me to pass the dd file w/ a switch. Really cool, I like it, the only thing that I found odd was it pulled everything out as qdf file format. Changed to doc and doc scrubber was able to pick up revision history where the original file name was listed in a revision meta. The qdf issue was odd though, didn't find any reason for this on the website or documentation.

Strange, but it happens, PHOTOREC uses some "heuristic" to try and identify files, and sometimes it simply "misses" the right file type.
Use Trid as "post processor":
http://mark0.net/soft-trid-e.html

Do you have any recommendations for document brute force utils? Never had any reason to use one until now.

First determine which version of Excel was used.

If it's an old version there might be some freebie, I seem to remember a command line tool, but any of these should do
http://www.portablefreeware.com/?id=1241
http://www.freewordexcelpassword.com/

jaclaz
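
The post above recommends checking PhotoRec's guessed extensions against file content. As an added example (not part of the thread, and not how TrID or PhotoRec work internally), the Python below reads the OLE2 directory of a carved file and picks doc, xls or ppt from the stream names it finds. The function names and the `build_sample` input are constructed for illustration, and only the FAT sectors listed in the header are followed.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # OLE2 compound file signature
STREAM_TO_EXT = {"WordDocument": "doc", "Workbook": "xls", "Book": "xls",
                 "PowerPoint Document": "ppt"}
FREE, END, MAX_SECTOR = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFA

def ole2_entry_names(data):
    """Directory entry names of an OLE2 file, or None if the signature is absent."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return None
    size = 1 << struct.unpack_from("<H", data, 30)[0]     # sector size from header
    if size not in (512, 4096):
        return None
    def sector(n):              # comes back short or empty on a truncated carve
        return data[(n + 1) * size:(n + 2) * size]
    fat = []                    # FAT sectors listed in the 109 header DIFAT slots
    for s in struct.unpack_from("<109I", data, 76):
        chunk = sector(s) if s <= MAX_SECTOR else b""
        fat += struct.unpack("<%dI" % (len(chunk) // 4), chunk[:len(chunk) // 4 * 4])
    names, seen = [], set()
    sec = struct.unpack_from("<I", data, 48)[0]           # first directory sector
    while sec <= MAX_SECTOR and sec not in seen:          # 'seen' stops FAT loops
        seen.add(sec)
        chunk = sector(sec)
        for off in range(0, len(chunk) - 127, 128):       # 128-byte directory entries
            nlen = struct.unpack_from("<H", chunk, off + 64)[0]
            if chunk[off + 66] in (1, 2, 5) and 2 <= nlen <= 64:
                names.append(chunk[off:off + nlen - 2].decode("utf-16-le", "replace"))
        sec = fat[sec] if sec < len(fat) else END
    return names

def guess_extension(data):
    """'doc', 'xls' or 'ppt' by stream name; 'ole2' if unknown; None if not OLE2."""
    names = ole2_entry_names(data)
    if names is None:
        return None
    return next((STREAM_TO_EXT[n] for n in names if n in STREAM_TO_EXT), "ole2")

def build_sample(stream_name):
    """Constructed test input: header, one FAT sector, one directory sector."""
    def entry(name, otype):     # name, name length at +64, object type at +66
        raw = name.encode("utf-16-le") + b"\0\0"
        return struct.pack("<64sHB61x", raw, len(raw), otype)
    # magic, sector shift 9 at +30, directory start 1 at +48, DIFAT[0] = 0 at +76
    hdr = struct.pack("<8s22xH16xI24x109I", OLE2_MAGIC, 9, 1, 0, *[FREE] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, END, *[FREE] * 126)
    directory = entry("Root Entry", 5) + entry(stream_name, 2)
    return hdr + fat + directory.ljust(512, b"\0")
```

To run it over PhotoRec output, pass the bytes of each file in a `recup_dir` folder to `guess_extension` and compare the result with the extension PhotoRec assigned.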


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Just pay $265.98 for WinHex Specialist. Hands down, the best bang for your buck, as it does what all the other packages that have been mentioned do in one program in a fraction of the time

http://www.x-ways.net/winhex/specialist_tools.html

Once said that IMHO also, Winhex is one of the best programs around, since you talked of fractions, please calculate this fraction :wink: US $265.98/0 = 😯

You have to take into account that this thread is in Education and Training and the OP is a student, so unlike for a professional, freeware tools - even if they take some more time and are simpler/more "vertical" - not only are better suited, but their use will also contribute to the actual learning process of the "general approach" and of the "base" procedures.

jaclaz


   
KungFuAction
(@kungfuaction)
Estimable Member
Joined: 13 years ago
Posts: 109
 

Just pay $265.98 for WinHex Specialist. Hands down, the best bang for your buck, as it does what all the other packages that have been mentioned do in one program in a fraction of the time

http://www.x-ways.net/winhex/specialist_tools.html

Once said that IMHO also, Winhex is one of the best programs around, since you talked of fractions, please calculate this fraction :wink: US $265.98/0 = 😯

You have to take into account that this thread is in Education and Training and the OP is a student, so unlike for a professional, freeware tools - even if they take some more time and are simpler/more "vertical" - not only are better suited, but their use will also contribute to the actual learning process of the "general approach" and of the "base" procedures.

jaclaz

As a student, he/she will eventually have to move on to professional-level tools which rely on speed and usability. At the price listed, WinHex Specialist is a phenomenal value.

I am all for conceptual learning - I come from a UNIX and DOS background, and it took me years to finally acquiesce to using a GUI. However, the programs listed are sincerely painful to use, with most of the difficulties not based on learning concepts, but actually getting the programs to work in a command line operating system environment. I've spent more time learning those programs rather than the concepts.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

As a student, he/she will eventually have to move on to professional-level tools which rely on speed and usability. At the price listed, WinHex Specialist is a phenomenal value.

As a matter of fact :roll: , only IF the student passes the exams AND finds a job, not to put down nerdrage, of course.

I am all for conceptual learning - I come from a UNIX and DOS background, and it took me years to finally acquiesce to using a GUI. However, the programs listed are sincerely painful to use, with most of the difficulties not based on learning concepts, but actually getting the programs to work in a command line operating system environment. I've spent more time learning those programs rather than the concepts.

Sorry, but this makes little sense.
If you actually come from DOS/*nix AND you have issues with command line THEN it is not possible that you managed to become a digital forensic professional (unless you became one in post-GUI years), though still AFAIK a number of useful programs come as command line.
And since you became a pro, if you had some difficulties, you overcame them.

Do you really think that without your experience with "basic" tools (and related difficulties and the effort to overcome them) you would have now the same level of knowledge?

Of course a command line program (especially some *nix ones with a zillion parameters) is tough to learn, but come on, the needed command lines till now are
photorec image.dd
(then PHOTOREC becomes "interactive")
and
trid .\recup_dir.1\*.* -v
or
trid .\recup_dir.1\*.* -ae
If someone has difficulties in reading the program docs or the output of
program.exe /?
being a student in computer science and preparing for a digital forensics exam, my personal suggestion to him/her would be to try a different career.

I mean, the first time that - for any reason - a Python script like the several ones commonly in use need a little tuning/change or, more simply, a regular expression search or a complex SQL one is needed what will happen?

jaclaz


   
KungFuAction
(@kungfuaction)
Estimable Member
Joined: 13 years ago
Posts: 109
 

As a student, he/she will eventually have to move on to professional-level tools which rely on speed and usability. At the price listed, WinHex Specialist is a phenomenal value.

As a matter of fact :roll: , only IF the student passes the exams AND finds a job, not to put down nerdrage, of course.

Disagree. A student should start investing into real tools as soon as possible if he/she is serious in learning a profession. The price for this entry software is excellent, and the software is also a great learning starting point for much higher-end products.

Do you really think that without your experience with "basic" tools (and related difficulties and the effort to overcome them) you would have now the same level of knowledge?

Yes, I do. For instance, I know people in our field whom I highly respect who have never programmed in DOS. A person doesn't need to know how to program in machine or assembly language in order to program in a high-level language.


   
Page 2 / 3