New Kid on the block!
Allow me to introduce myself. My name is Al Kaplan and I'm a licensed Private Investigator in Las Vegas, NV. I own my own business in partnership with my wife of 50 years, Ruth, who is also a licensed PI. We have had that business for 26 years. Prior to that, I was a Senior Investigator for billionaire Howard Hughes. I went to work for Hughes after retiring from the USAF where I had been a Special Agent and later Chief of Worldwide Criminal Operations for the OSI (Air Force Office of Special Investigations).
In a nutshell, I have been doing nothing but investigation for more than four decades. Ruth and I are blessed with good health and have never even discussed, retiring. I'm convinced that mental, physical and emotional challanges keep the juices flowing. We are still able to provide a first rate service for clients who are still willing to pay us well to provide them.
Our first PC was an IBM 1 which we bought in 1982. along the way we put together about 8 or 10 computers for family, but did not go much past the keyboard until about 1990 when it became clear that if we were to avoid being strangled by the privacy advocates, we had to own or control large databases. Over the next several years we acquired data an put together several relational databases, primarily using Paragon and Access. We have used those with considerable success.
Even though we try to keep up with technology, it is not unusual to find ourselves out in the street doing things, "the old fashioned way". Every once in a while I find myself laying under some guy's car installing a tracking device, in his driveway at 4AM. Or Ruth dons her addled bag lady disguise and pushes her shopping cart at 3AM into a loading dock area so that she can get a close look at what the bad guys are up to.
In that same genre of on the street techniques and tactics is the "trash cover" or what is commonly know as "dumpster diving" or just "stealing the guy's garbage". Of all the thing we do, that technique has been the most rewarding and cost effective thing we do.
It does not take much imagination to see the analogy between that "dumpster diving" and the analysis of the data on a hard drive. With that in mnd, I decided to learn computer forensics – not in an effort to change carrer fields, but merely to add another technique to my toolbox. From my perspective, it is merely an aid to investigation – a tool just like a surveillance or an interview. It can have a critical place in resovling investigative issues, but it is not, from my perspective, an end, in and of itself.
I attended an FTK Intermediate Boot Camp about 14 months ago, and was the dumbest kid in the class. Most were cops with extensive Encase experience, a data recovery expert, a computer system security manager, etc. About 6 months ago I attended seminars on Computer Forensics Evidence Discovery and Advanced Computer Forensics Techniques conducted by BIA. I was intrigued by the de-emphasis on the automatic forensic software suites and the focus on the sometimes more efficient and reliable approaches using products like WinHex and an array of small highly specialized products that did only one or two things, but did them well. Needless to say, I was still the dumbest kid in the class but I was getting motivated to step out and try to do more manually (like data carving) if that appeared to be a solution to the problem.
I subsequently bought virtually exerything X-Ways (WinHex) manufactures and will be attending an X-Ways WinHex Forensics Seminar in Seattle next month.
Since starting, I have examined about 40 hard drives for clients. I've been using a combination of Access Data products and X-Ways products plus a few other gap fillers. Thus far I've learned two things. First, how much I have to learn about computer forensics and second - how full of holes the varous software products are. They all tell you what they will do. None of them tell you what they will not do. Right now, I'm about to buy a couple of Paraben products to fill gaps in the screening process.
Overall, I have been pleased with the results of my HD examinations, but I know that I have a lot to learn to bring myself up to my standards.
I have had the opportunity to read every thread published in this forum and have in fact saved every one to my forensics library. I must say how impressed I am not only with the technical knowledge of many of the members, but with the uniform courtesy and unselfishness that is exhibited in the sharing of such knowledge.
I am in awe and honored to be a part of this group. As a neophyte it is clear that I will not be a contributer of know-how. However, I am certain to be a contributer of questions.
If you're interested in the capabilities of EnCase, but don't have the funds to support that tool, I'd recommend taking a look at ProDiscover from TechPathways. Chris Brown has put a respectable tool together, and it's getting better and more mature all the time.
I downloaded the ProDiscovery demo. He gives you 5 lives and I managed to use up two of them thus far without getting enough done to reach any conclusions. It's going to have to wait until I have more time. I did note however that he talks about using the National Drug Intelligence "Hashkeeper"database. Is that restricted to law enforcement or can it be downloaded by anyone?
Hi Al â€“ and welcome, your profile is quite fascinating; it sounds like youâ€™ve had an interesting career. Here is a link for hash sets: -
I think you can download them free of charge.
Welcome to the forum, it's always nice to broaden the experience base.
What do you want to do with the hash sets? The hashkeeper sets are primarily of known applications. Meaning you can eliminate those files that match from your search activities as they are identical to the files as they were written and distributed by the manufacturer. I think there may be a set or two on that site for things such as hacker tools. These would be notable files, or things that you would want to look for in an analysis. Like the child porn hash sets that we use a lot in Law Enforcement. Of course you can also create your own hash sets and these can be the most useful. You can use these to demonstrate that a security video or digital picture hasn't been alterred, or to stand as additional proof that a file was created on a specific computer. Use them anytime you wish to demonstrate that two files found in different places are identical.
Thanks guys for the input on the hash question. I did go to the site Andy suggested and downloaded huge hash sets - 4 of the most recent ones. There is a text listing of the hashes included and these are categorized, and specifically identified in a permuted list as follows.
Product name (i.e. Acrobat, Keynote, Outlook, Sim City)
Manufacturer name (i.e. Adobe, Apple, Microsoft, Maxis)
Application type (i.e. games, hacker tools, accounting)
Product code (not intuitive, included for cross references)
Interestingly, they solict contributions from the public of of software that they don't have.
I want this to enhance my known file filtering capability. I use FTK which offers an expandable KFF library that is 64MB in size for filtering out benign known files. The downloads I made from the site totaled 850MB in the categories listed above. I assume that once incorporated into my KFF Library, my filtering capability will be greatly enhanced. I expect that that will cost me processing time, but I won't know the impact timewise until I try it.
They encourage downloads and burning to CD/DVD but they do not warrant the integrity of the filter unless you buy a CD from them. At this point the risk of using the downloaded version is of no consequence. However, if I were a cop having to testify as to the integrity of the products I used, that warning caveat would made me pay them the $90, or whatever it is to get their warranted CD.
As of this time, I have not determined how I am supposed to covert the ISO files that are downloaded, into something I can use. They furnish a free conversion utility, but I have not yet had the opportunity to use it.
In any case, Andy, I appreciate you pointing me in that direction. al
The .iso files are cdrom image files. Look at your burning utility and find "record cd from cd image". On Easy CD Creator go to "make a data cd" then look under the file menu and you'll see that option. It then allows you too browse for the image, select .iso files and find them and your set. Once you burn it you'll see the file structure that was intended.
Why go through all that? Use Daemon tools and create a virtual drive.