
What was your least/most successful moment while analyzing?

binarybod
(@binarybod)
Reputable Member
Joined: 18 years ago
Posts: 272
 

best
Finding 2500+ indecent photos and movies of children in a hidden TrueCrypt volume inside a normal TrueCrypt volume which itself was inside a Windows virtual machine on a Linux system. Watching his face in interview - priceless!

worst
That nagging feeling that I've missed something vital, I get this with just about every job :(


   
(@littledave)
Active Member
Joined: 17 years ago
Posts: 8
 

Hi Binarybod.

Quick question - how did you even begin to manage cracking the TrueCrypt volume? Did you use a password cracking tool?

Dave


   
binarybod
(@binarybod)
Reputable Member
Joined: 18 years ago
Posts: 272
 

The password to the outer volume was a variation of other passwords on his system. I used PRTK to crack that. I'm afraid I'll have to be a bit coy about how I accessed the hidden partition though.

I did require him to disclose the password (something we can do in certain circumstances in the UK) but naturally he refused, so he was convicted of failing to disclose the password too; just a nice little addition to the other offences he was convicted of.


   
(@littledave)
Active Member
Joined: 17 years ago
Posts: 8
 

Cool. Thanks for the info. I'm actually from the UK, I just live in Germany.

I'll have to take a look at PRTK. I was thinking about maybe how it could be done with certain disk encryptions. As the encrypted disk was used inside a virtual machine, it is probably possible to fish out the password from the RAM snapshot files the virtual machine creates, but I'm unsure.

Thanks for the info!

...and back to the topic :-)

Dave


   
(@paul206)
Trusted Member
Joined: 17 years ago
Posts: 70
 

I had a case where someone had printed the cartoon from the New York Post with the police shooting the monkey and had posted it on the bulletin board, thereby offending a whole bunch of people. I was asked to analyze the hard drive of the main suspect and much to my surprise I found the name of the .jpg in a Java script print queue buried in the Java log files. It made me very happy to be able to pin it down to the individual and I cannot take credit for finding it on my own. I was running index searches in FTK when I ran into it. My most unhappy moment was trying to nail a person who violated all their professional ethics and trust in MySpace and another time trying to find Hotmail activity by a prison inmate. Both cases came up empty due to the lack of logging that now takes place. I was very disappointed. I can't remember any of the stupid things I have done so I guess that means there aren't any! :D


   
(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

…I can't remember any of the stupid things I have done so I guess that means there aren't any! :D

I *wish* I could forget my "Doh!" moments!

oops


   