Greg Kelley | 5 Oct 16:03 2005

RE: Two Windows questions

Regarding question 2...

While not a definitive resource, considering everything I have read
about file dates there are only 4 dates kept for files.  I would assume
that LastWriteTime would equate to the last time the file was modified.
ChangeTime would equate to the last time the file's entry in the MFT was
changed.

Greg Kelley, EnCE
Vestige Digital Investigations
Computer Forensics | Electronic Discovery | Corporate Surety
46 Public Square, Ste 220
Medina, OH 44256
(330)721-1205 x5432
(330)721-1206 Fax
http://www.vestigeltd.com

-----Original Message-----
From: keydet89 <at> yahoo.com [mailto:keydet89 <at> yahoo.com] 
Sent: Thursday, September 15, 2005 9:37 AM
To: forensics <at> securityfocus.com
Subject: Two Windows questions

All,

I've got a couple of questions, primarily for clarification.  After
researching these both for a while, I'd like to try to get some more
definitive information...

First...the UserAssist\{GUID}\Count keys:

Thomas Jones | 5 Oct 19:12 2005

Re: Two Windows questions


> -----Original Message-----
> From: keydet89 <at> yahoo.com [mailto:keydet89 <at> yahoo.com] 
> Sent: Thursday, September 15, 2005 9:37 AM
> To: forensics <at> securityfocus.com
> Subject: Two Windows questions
>
>
> All,
>
> I've got a couple of questions, primarily for clarification.  After
> researching these both for a while, I'd like to try to get some more
> definitive information...
>
> First...the UserAssist\{GUID}\Count keys:
> http://personal-computer-tutor.com/abc3/v29/vic29.htm
>
> Does anyone have any specific information (ie, definitive source)
> available on what kinds of activities result in entries in these keys?  
>
> My second question refers to the FILE_BASIC_INFORMATION structure:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/
> hh/kmarch/k112_3de98e8c-d842-45e9-a9bd-948276ef1b87.xml.asp
>
> The structure is described as:
> typedef struct FILE_BASIC_INFORMATION {
>   LARGE_INTEGER  CreationTime;
>   LARGE_INTEGER  LastAccessTime;
>   LARGE_INTEGER  LastWriteTime;
>   LARGE_INTEGER  ChangeTime;

Harlan Carvey | 5 Oct 19:15 2005

RE: Two Windows questions

Greg,

Thanks for the reply. 

> While not a definitive resource, 

Again, thanks.  I do appreciate the response, and I
think I've probably read much of the same stuff you
have.  However, my question was specifically asking
for "a definitive resource that specifies the
difference between the LastWriteTime and the
ChangeTime".  I think "credible" and "authoritative"
are also words I'd use for this request.

thanks,

Harlan 

> considering everything I have read
> about file dates there are only 4 dates kept for
> files.  I would assume
> that LastWriteTime would equate to the last time the
> file was modified.
> ChangeTime would equate to the last time the file's
> entry in the MFT was
> changed.
> 
> Greg Kelley, EnCE
> Vestige Digital Investigations

Harlan Carvey | 5 Oct 19:18 2005

Re: Two Windows questions

Thomas,

Thanks for your response.

However, I was specifically asking for a definitive
resource...something that, say, a customer could use
if any of that customer's employees had to go to court
and testify.

While I greatly appreciate your response, and the
validation you've provided to other sources I've read,
it doesn't really provide what I'm looking for...

thanks again,

Harlan

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------

Eoghan Casey | 7 Oct 03:26 2005

Network Investigations 3-day Workshop

This seminar goes beyond computer forensics and discusses evidence 
transfer on networks. You will learn how to preserve and analyze 
evidence stored on and transmitted using networks. Team exercises and 
instructor demonstrations will help you develop the skills to process 
evidence on remote computers, and combine data from multiple sources on 
a network to develop a more complete understanding of an incident. In 
addition, you will learn about important legal issues, and you will 
receive guidelines for preparing your Enterprise for network 
investigations. This preparation includes developing policies, 
procedures, and logging architecture. Digital evidence relating to 
network elements, including intrusion detection systems, wireless 
systems, and routers are examined through case examples and hands-on 
exercises.

Title: Network Investigations
Instructors: Eoghan Casey and Dario Forte
Dates: October 19 - 21, 2005
Location: Rome, Italy
URL: www.technologytransfer.it

Contact the instructors prior to registration with questions and to 
receive a 10% discount.

Nicholas Harbour | 7 Oct 15:05 2005

New Tool Announcement: tcpxtract

I'd like to formally announce my latest open-source
tool called tcpxtract.  

http://tcpxtract.sf.net

tcpxtract is a tool for carving files out of network
traffic.  You can think of it as the lovechild of
Foremost and Tcpdump.  It also has some advantages
over driftnet and EtherPEG which I talk about briefly
on the webpage.

It is based on libpcap and can work against a live
device or a tcpdump formatted capture file.

This tool relates more towards the field of network
forensics, security, information assurance and network
monitoring than traditional disk and filesystem
forensics.

Download it here:
http://prdownloads.sourceforge.net/tcpxtract/tcpxtract-1.0.tar.gz?download

Enjoy!

Nick


ulrik | 9 Oct 01:14 2005

Re: real one player /intel signal processing library/ windows xp

Yep, I have it on my Swedish XP Pro installation. Only happened after I downloaded the upgrade to RealPlayer
10 via the "search for upgrade" in RealPlayer 8. So the file must have been corrupted somewhere on the way,
which seems unlikely. RealPlayer 10 started complaining about NSP not found, cpuinfo not found, vddk???
not found, as soon as it was almost finished with installation. Irritating indeed. I'm still sorting it out.

dave kleiman | 10 Oct 18:05 2005

RE: Two Windows questions

Harlan,

In my courtroom experience, computer definitive resources are "mildly"
useful because of their lack of jury/court comprehensible terminology.
For example, Brian Carrier's File System Forensics is probably one of the most
comprehensive guides "for us" to dig into the file system.
However, if you introduced it into court to explain to a jury how something
worked, you would create your own reasonable doubt by confusing the jury.

The fact that the definitions exist, and that you or your clients can visually
demonstrate it in court so that the court can understand it, will best serve
your clients.

Have you ever had to explain to a jury how SSL or PKI works? Think about a
jury's reaction if you gave them a Steven Bellovin paper to read: "credible"
and "authoritative" beyond a doubt; useful in court, maybe, for technical
definitions.

Spend some time designing diagrams and such, that your grandparents or
parents (if you are a little older) can understand.

Dave

> Thomas,
>
> Thanks for your response.
>
> However, I was specifically asking for a definitive
> resource...something that, say, a customer could use if any
> of that customer's employees had to go to court and testify.

Greg Kelley | 13 Oct 22:14 2005

RE: Two Windows questions

Harlan,

You bring up an interesting point...

"a definitive resource...something that, say, a customer could use if
any of that customer's employees had to go to court and testify."

When I go to court and testify, I typically rely on 3 things:

1. Results of my test
2. Sworn affidavits
3. Generally accepted industry practices/knowledge

I would not necessarily consider a vendor, web page, book, etc. as a
definitive source that I would base my testimony on unless it falls into
one of the 3 categories above.

I think you might be forced to create an application with which you can
access the structure in question and test your results.

Greg Kelley, EnCE
Vestige Digital Investigations
Computer Forensics | Electronic Discovery | Corporate Surety
46 Public Square, Ste 220
Medina, OH 44256
(330)721-1205 x5432
(330)721-1206 Fax
http://www.vestigeltd.com

-----Original Message-----
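The empirical test Greg describes (write a program, access the structure, record what you see), as an added example that is not part of the thread; the code is mine, not any poster's. It drives a file through a timestamp-only change, a permission-only change and a content write, and reads the two timestamps back after each step. It is written against POSIX stat(2), where mtime is the content-modification time (the counterpart of LastWriteTime) and ctime is the inode/metadata change time (the counterpart of ChangeTime, the "MFT record modified" timestamp on NTFS), because those can be driven with portable calls. The file, its content and the pinned timestamp value are constructed here. On NTFS the same experiment needs NtQueryInformationFile with FileBasicInformation; note that on Windows Python's os.stat reports CreationTime in st_ctime, not ChangeTime, so this script does not test NTFS as written.

```python
"""POSIX analogue of the LastWriteTime / ChangeTime question: an empirical probe.

Added example, not from the thread. mtime = content-modification time
(LastWriteTime's counterpart); ctime = inode/metadata change time
(ChangeTime's counterpart).
"""
import os
import stat
import tempfile
import time

OLD = 1_000_000_000  # 2001-09-09 UTC: an arbitrary, known value we pin mtime to


def probe_timestamps(path: str, old: int = OLD) -> dict:
    """Three operations on `path`, recording (mtime, ctime) after each.

    1. os.utime pins atime/mtime to `old`.  Rewriting timestamps is itself a
       metadata edit, so ctime moves to 'now' while mtime reads `old`.
    2. os.chmod touches only permissions: mtime must still read `old`,
       ctime must move again.
    3. Appending bytes changes content: now mtime must leave `old` too.
    """
    os.utime(path, (old, old))
    s1 = os.stat(path)
    time.sleep(0.02)  # keep successive ctime readings apart on coarse clocks
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    s2 = os.stat(path)
    time.sleep(0.02)
    with open(path, "ab") as fh:
        fh.write(b"appended\n")
    s3 = os.stat(path)
    return {
        "old": old,
        "after_utime": (s1.st_mtime, s1.st_ctime),
        "after_chmod": (s2.st_mtime, s2.st_ctime),
        "after_write": (s3.st_mtime, s3.st_ctime),
    }


def metadata_change_moves_only_ctime(r: dict) -> bool:
    """After chmod: mtime still pinned at `old`, ctime advanced past it."""
    m, c = r["after_chmod"]
    return m == r["old"] and c > r["old"] and c >= r["after_utime"][1]


def content_write_moves_both(r: dict) -> bool:
    """After the append: mtime has left `old`; ctime keeps advancing."""
    m, c = r["after_write"]
    return m > r["old"] and c >= r["after_chmod"][1]


def run_experiment() -> dict:
    """Create a throwaway file with constructed content and run the probe on it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "probe.txt")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n")
        return probe_timestamps(path)


if __name__ == "__main__":
    r = run_experiment()
    for step in ("after_utime", "after_chmod", "after_write"):
        print("%-12s mtime=%.3f ctime=%.3f" % (step, *r[step]))
    print("chmod moved only ctime:", metadata_change_moves_only_ctime(r))
    print("append moved mtime too:", content_write_moves_both(r))
```

Run it and the chmod step shows mtime still pinned at the old value while ctime has moved; the append moves both. That observation is the kind of thing Greg's point 1 ("results of my test") rests on, and the three-step probe carries over to NTFS once the stat call is swapped for the native query.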


Having trouble breaking partitions out of a raw image

I'm a little bit new to doing forensics, and I've run into something I
haven't seen before.

1) I created an 80Gig image of the entire drive using adepto (aka grab).
For purposes of this e-mail, the image is call image.dd.

2) Next, I wanted to break out the raw image into its partitions, so I ran
mmls:

[root <at> LinuxForensics usbdisk]# mmls -t dos image.dd
DOS Partition Table
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0002104514   0002104452   Linux Swap / Solaris x86 (0x82)
03:  00:01   0002104515   0156296384   0154191870   Linux (0x83)

3) I then used dd to pull out the Linux (0x83) partition:
[root <at> LinuxForensics usbdisk]# dd if=image.dd of=image3.dd bs=512 skip=2104515 count=154191870

4) This ran fine.  I then wanted to verify that the data looked OK, so I did
a "file" command
[root <at> LinuxForensics usbdisk]# file image3.dd
image3.dd: data

5) What?  This should have said it was a Linux filesystem, yes? (it has when
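The partition-carving arithmetic in the post above, as an added example that is not part of the thread (my code, not the poster's and not the Sleuth Kit's): a small parser for the DOS partition table that reproduces mmls's Start/End/Length columns, the byte slice that `dd if=image.dd bs=512 skip=Start count=Length` produces, and the check `file` keys on for an ext2/3 partition, the little-endian magic 0xEF53 at byte 0x438 (1080) of the partition. The 16-sector image is constructed inline, not the poster's 80 GB capture. mmls's End column is inclusive (End = Start + Length - 1), so skip=Start and count=Length is the right pair, which the poster's numbers satisfy; the last line of the main block shows what the magic check returns when the slice starts one sector early.

```python
"""Parse a DOS (MBR) partition table from a raw image and carve one partition.

Added example, not from the thread. The image bytes are constructed in this
script so it runs offline; nothing here is the poster's data.
"""
from __future__ import annotations

import struct

SECTOR = 512
EXT_MAGIC_OFFSET = 0x438   # byte 1080 of a partition: ext2/3/4 superblock magic
EXT_MAGIC = 0xEF53         # the value `file` keys on for "ext2 filesystem data"

# One 16-byte MBR slot: boot flag, CHS start, type, CHS end, LBA start, sector count.
_SLOT = struct.Struct("<B3sB3sII")


def parse_mbr(image: bytes) -> list[dict]:
    """Return the populated primary slots of a DOS partition table.

    Values are in 512-byte sectors, like mmls: 'end' is inclusive, so
    end == start + length - 1, and the dd call is skip=start count=length.
    """
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature at offset 510: not a DOS partition table")
    entries = []
    for slot in range(4):
        _boot, _chs0, ptype, _chs1, lba, count = _SLOT.unpack_from(image, 446 + 16 * slot)
        if ptype == 0 or count == 0:
            continue  # empty slot
        entries.append({"slot": slot, "type": ptype, "start": lba,
                        "end": lba + count - 1, "length": count})
    return entries


def format_mmls(entries: list[dict]) -> str:
    """Render entries in the column layout of `mmls -t dos` for comparison."""
    lines = ["Slot   Start        End          Length       Type"]
    for e in entries:
        lines.append("00:%02d  %010d   %010d   %010d   0x%02x"
                     % (e["slot"], e["start"], e["end"], e["length"], e["type"]))
    return "\n".join(lines)


def carve(image: bytes, start: int, length: int) -> bytes:
    """Byte-for-byte what `dd if=image.dd bs=512 skip=start count=length` produces."""
    return image[start * SECTOR:(start + length) * SECTOR]


def is_ext_filesystem(partition: bytes) -> bool:
    """True if the ext superblock magic sits where `file` looks for it (byte 0x438)."""
    if len(partition) < EXT_MAGIC_OFFSET + 2:
        return False
    return struct.unpack_from("<H", partition, EXT_MAGIC_OFFSET)[0] == EXT_MAGIC


def build_sample_image() -> bytes:
    """Constructed 16-sector toy image: MBR, a 3-sector 'swap' slot (0x82) at
    sectors 1-3, and a 12-sector 'Linux' slot (0x83) at sectors 4-15 whose only
    content is a valid ext superblock magic at partition byte 0x438."""
    mbr = bytearray(SECTOR)
    _SLOT.pack_into(mbr, 446, 0x00, b"\0\0\0", 0x82, b"\0\0\0", 1, 3)
    _SLOT.pack_into(mbr, 462, 0x00, b"\0\0\0", 0x83, b"\0\0\0", 4, 12)
    mbr[510:512] = b"\x55\xaa"
    body = bytearray(15 * SECTOR)           # sectors 1..15
    # Partition 2 begins 3 sectors into `body`; the magic goes 0x438 bytes after that.
    struct.pack_into("<H", body, 3 * SECTOR + EXT_MAGIC_OFFSET, EXT_MAGIC)
    return bytes(mbr + body)


if __name__ == "__main__":
    img = build_sample_image()
    parts = parse_mbr(img)
    print(format_mmls(parts))
    linux = next(p for p in parts if p["type"] == 0x83)
    print("dd if=image.dd of=image3.dd bs=512 skip=%d count=%d"
          % (linux["start"], linux["length"]))
    print("ext magic at 0x438:", is_ext_filesystem(carve(img, linux["start"], linux["length"])))
    print("same check, one sector early:",
          is_ext_filesystem(carve(img, linux["start"] - 1, linux["length"])))
```

The off-by-one line is the practitioner's check: the superblock magic is only found when the slice begins exactly at the partition's first sector, so a slice that `file` reports as plain "data" is worth re-checking against the table before anything else.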

