I just finished a second week of EnScript training in Melbourne, Australia with an Australian training partner named Invest-e-gate (website down for remodel at the moment). The founder of the company and I used to work together at Guidance a lifetime ago, but it was great to see him again and to find that he is staying on the cutting edge of things, just like usual.
It was a great group of students, very committed and interested in taking the use of EnCase to the next level through automation and getting some results and configurability that you can't get through the...
It has been several weeks since my last post and I have been fairly busy, but I thought I would post a quick update.
I just finished an EnScript Programming course in Sydney, Australia. I have to say, the students who attended the course were very sharp. All of them immediately began to come up with ideas and ways to use EnScripts in their workloads.
A couple of ideas that came from the students were using an EnScript to parse through all the archive files and extract all the user-defined file-types, such as JPGs, GIFs & PNGs...
I have previously posted a couple different practical exercises here for people to work through and practice. You can see the previous ones here: Practical #1, Practical #2, Practical #3.
This exercise is going to be a little more theoretic because I cannot share the data that I have and I have no ability to make additional data for sharing.
So here is the scenario (BTW, it's a real scenario). Local police detectives have responded to the scene of a homicide. During their investigation they have discovered that there is a CCTV system that may have caught...
An investigator contacted me this week about an investigation involving several hundred TIFF files that had been generated from a fax machine. The investigator had a need to quickly extract all the metadata out of the TIFF files. A couple different external programs could be used to do this, for example, ExifTool by Phil Harvey.
My goal was to create a quick EnScript to parse the TIFFs and provide the data without having to export the files out of EnCase. This caused me to take a closer look at TIFF format and the associated metadata that is stored inside. TIFF...
Earlier today I posted an EnScript that parses the 'nk' registry records from any selected files in EnCase. You can read about that EnScript in the original post here.
This EnScript essentially does the same basic function, except it searches for 'vk' records, which are the records that hold data values. The registry hive holds different types of data in different records. A 'vk' record can have the data value "resident" inside the 'vk' record itself, or it can be "non-resident" and have its own record elsewhere in the registry hive.
Therefore, when searching for 'vk' records, it is common...
I know if you're reading my blog you've seen ROT13 and know it is used by Microsoft in the UserAssist Registry Key. But now I've found Microsoft using ROT(-29), or Rotate Minus 29, which is considerably more devious than ROT13 for the forensic investigator. Do the following steps to uncover ROT(-29):
1. First find a computer running Windows 7 or Vista.
2. Open Notepad and type: “
*********** The first 5 steps are exactly the same as my last post regarding Walk-Through: Volatility Batch File Maker and Volatility's ProcDump. The walk-through portion is repeated here for future discussions. Skip if applicable. ******************
1. Download the following files from Hogfly (Website): exemplar6.tar.gz.001, exemplar6.tar.gz.002, exemplar6.tar.gz.003. In my example I placed the
1. Download the following files from Hogfly (Website): exemplar6.tar.gz.001, exemplar6.tar.gz.002, exemplar6.tar.gz.003. In my example I placed the files in the e:\exemlar6\ directory.
2. Add the downloaded files together and extract with the following command at the cmd prompt: Copy /b "exemplar6.tar.gz.001"+"exemplar6.tar.gz.002"+"exemplar6.tar.gz.003" exemplar6.tar.gz
3. Extract using WinRAR (exemplar6.tar.gz
The Tool: Volatility Batch File Maker (Download). I wanted to take the text output of the various tools (PTFinder, PTFinderFE and Volatility's PsScan2), which identify all the offsets for (running) processes, and feed that offset data into several Volatility tools (ProcDump, MemDmp and VadDump). This program creates three batch files. After running the batch files I can quickly leverage
I had the following question from Mr Anonymous about Matthieu Suiche's Sandman Shell Project: “...the same happens with hibrshell. When I execute the command it crashes while "Retrieving Kernel Image base". I tried with 3 different hiberfil.sys files so I guess it's not the file. The bad thing is that I also tried with different PCs and it crashed too, this means that I have no idea of what it
The new iTunes-based social network is getting hit by comment spam since Apple apparently left it vulnerable through a lack of spam or URL filtering, according to Sophos.
Proposal for a global "cyberpeace" treaty has met "a lot of resistance" from industrialized nations, says head of U.N.'s International Telecommunication Union.
Notices of winning the lottery and requests from Russian women who want to know you better are also up there on Panda Security's ranking of decade's top Net swindles.