Recently in Forensics Category

Down at DC3 (dc3.mil) taking the CIRC course for two weeks in Linthicum, MD - ugggg.  Class is full of Fort Bragg Army MI peeps who are barely old enough to drink beer.  Apparently, after this class we are classified as Certified Digital Media Collector (CDMC), but we all know what certs really mean, nada - but I am not complaining...
I am at Cell phone forensics training this week at DC3 in Linthicum, MD.  The class looks really interesting and will be focusing on the operating systems associated with the main PDA devices - Palm, Windows, CE, RIM Blackberry, common cellular handsets, and a basic understanding of SIM cards.  In addition, they will be talking about the hybrid versions of these devices for acquisitions and analysis.  Should be a fun week....
Just got to St. Louis, MO a few hours ago ready for the DoD CyberCrime Conference.  The talks look to be pretty interesting, we will see how the week goes though.  The conference will be held at the St. Louis Renaissance Grand Hotel this week.  Tomorrow are the classified briefings at Scott AFB so that should be interesting, supposed to have lunch with my old office-mate Dan, hopefully that will be able to happen.

Pornography in the workplace can pose a serious problem for employers because a significant amount of material is downloaded by employees during business hours.

The viewing of porn at work can result in lost time, creativity, productivity, and employer profitability. More importantly, it can help create a hostile work environment and can be considered sexual harassment, in violation of Title VII of the Civil Rights Act of 1964. Naturally, corporations want to avoid the potentially serious legal consequences and protect their bottom line.

On Sunday, Orem, Utah-based forensic-software maker Paraben plans to introduce a unique piece of enterprise software developed to detect and analyze images on workplace networks and computers for suspect content. The system looks for a number of sophisticated parameters and grades images at three levels, based upon their correlation with criteria that have been programmed into the system.


http://news.cnet.com/8301-1009_3-10084938-83.html?tag=mncol;title

Using foremost, a console program that recovers files based on their headers, footers, and internal data structures:

genhog foremost-1.5 # ./foremost -h
foremost version 1.5 by Jesse Kornblum, Kris Kendall, and Nick Mikus.
$ foremost [-v|-V|-h|-T|-Q|-q|-a|-w-d] [-t ] [-s ] [-k ] [-b ] [-c ] [-o ] [-i ]

-V - display copyright information and exit
-t - specify file type. (-t jpeg,pdf ...)
-d - turn on indirect block detection (for UNIX file-systems)
-i - specify input file (default is stdin)
-a - Write all headers, perform no error detection (corrupted files)
-w - Only write the audit file, do not write any detected files to the disk
-o - set output directory (defaults to output)
-c - set configuration file to use (defaults to foremost.conf)
-q - enables quick mode. Search are performed on 512 byte boundaries.
-Q - enables quiet mode. Suppress output messages.
-v - verbose mode. Logs all messages to screen

Just lately, I was thinking about writing a tool that extracted binary streams out of a pcap (tcpdump) packet capture file. No need to do that when someone else has already done that. Actually, you can use two tools, one is called tcpxtract and the other is foremost, the former built from the latter. The latest version of tcpxtract is version 1.0.1:

Usage: ./tcpxtract [OPTIONS] [[-d ] [-f ]]
Valid options include:
--file, -f to specify an input capture file instead of a device
--device, -d to specify an input device (i.e. eth0)
--config, -c use FILE as the config file
--output, -o dump files to DIRECTORY instead of current directory
--version, -v display the version number of this program
--help, -h display this lovely screen
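To show what the header/footer carving behind both foremost and tcpxtract actually does, here is an added example written for this page (it is not code from either project). It carves files out of a byte buffer using a simplified rule table in the spirit of foremost.conf, keeps a header with no footer as a truncated file, and has a quick mode that, like foremost -q, only tests 512-byte boundaries. The rule tuples, function names and sample buffer are my own constructions.

```python
SECTOR = 512

# Simplified rule table in the spirit of foremost.conf (extension, max size, header, footer);
# the real foremost.conf is a different text format and also carries a case-sensitivity flag.
RULES = [
    ("jpg", 20 * 1024 * 1024, b"\xff\xd8\xff", b"\xff\xd9"),
    ("pdf", 50 * 1024 * 1024, b"%PDF-", b"%%EOF"),
    ("png", 20 * 1024 * 1024, b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]

def _next_header(blob: bytes, header: bytes, start: int, quick: bool) -> int:
    """Offset of the next header at or after start, or -1 if none."""
    if not quick:
        return blob.find(header, start)
    # quick mode (like foremost -q): only test sector boundaries, so round start up to one
    for pos in range(-(-start // SECTOR) * SECTOR, len(blob), SECTOR):
        if blob.startswith(header, pos):
            return pos
    return -1

def carve(blob: bytes, rules=RULES, quick: bool = False):
    """Return [(ext, offset, complete, data)] sorted by offset; data runs from the header
    to the first footer inside max_size, or to max_size with complete=False (truncated file)."""
    found = []
    for ext, max_size, header, footer in rules:
        start = 0
        while (pos := _next_header(blob, header, start, quick)) != -1:
            window = blob[pos:pos + max_size]
            end = window.find(footer, len(header))      # never let the footer match inside the header
            complete = end != -1
            data = window[:end + len(footer)] if complete else window
            found.append((ext, pos, complete, data))
            start = pos + len(data)                     # resume scanning after the carved file
    return sorted(found, key=lambda f: f[1])

def build_sample_blob() -> bytes:
    """Constructed 4 KiB buffer: a tiny JPEG, a tiny PDF and a PNG header with no IEND."""
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
    png_head = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20
    blob = bytearray(4096)
    blob[100:100 + len(jpg)] = jpg                  # unaligned: only a full scan finds it
    blob[1024:1024 + len(pdf)] = pdf                # on a sector boundary: quick mode finds it too
    blob[3000:3000 + len(png_head)] = png_head      # truncated image, no footer follows
    return bytes(blob)
```

The same loop applied to the reassembled payload of each TCP stream is the idea tcpxtract borrows from foremost.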

Going to RCFG this week


Will be in training all week at the Regional Computer Forensics Group at GMU - should be interesting. Here is some information about the RCFG:

"The Regional Computer Forensic Group (RCFG) symposium is sponsored by RCFG, Inc. The RCFG is a non-profit Virginia corporation supporting the Law Enforcement and computer forensic community training needs. Membership is free and is comprised of local, federal, state employees and contractors sponsored by the government in support of law enforcement and combating cyber crime."

Ran into an error while compiling dcfldd. Here were the errors (during the make):

Making all in src
make[2]: Entering directory `/vm/forensics/dcfldd-1.0/src'
source='dcfldd.c' object='dcfldd.o' libtool=no \
depfile='.deps/dcfldd.Po' tmpdepfile='.deps/dcfldd.TPo' \
depmode=gcc3 /bin/sh ../depcomp \
gcc -DLOCALEDIR=\"/usr/local/share/locale\" -DSHAREDIR=\"/usr/local/share\" -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I. -I../lib -I../intl -g -O2 -c `test -f dcfldd.c || echo './'`dcfldd.c
dcfldd.c:1523:1: error: unterminated argument list invoking macro "_"
dcfldd.c: In function

This article gives a good detailed description of file and RAM slack (as well as residual). Just got back from BDRA in Charleston, WV. Cool class, a little basic, well, a lot basic but still a good review.

Primary and Extended Fdisk Partitions:

There was originally only one type of PC disk partition: the "Primary" partition. This so-called "primary partition" is what we have been calling an "fdisk partition". The primary partitions are the ones listed in the MBR partition table.

To add more partitions to a disk, a backwards compatible scheme was devised to create a new partition type, the "Extended" partition. The Extended Partition is really a special type of Primary Partition. It must be sub-divided into "Logical Partitions" if it is to be of any use. The "logic" defining the logical partition is exactly this sub-dividing data structure. Finding the actual data structure describing the boundaries of a logical partition requires you to follow a pointer from the MBR to a linked list beginning in the first sector of the Extended Partition. Some fdisk programs are blind to logical partitions because they don't know how to do that.

Having suffered from the four partition limit of the MBR, the designers of the Extended partition weren't about to be caught short. They exchanged the table structure of the MBR for a linked list!

Conceptually, an Extended Partition is much like a Primary Partition in which Unix has defined its own vtoc. Both are containers beginning with data structures that define another level of partitions.
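To make the MBR-to-linked-list walk concrete, here is an added example (not from the text above and not any fdisk implementation) that parses a constructed disk image: it reads the four primary entries, then follows the chain of Extended Boot Records, where slot 0 of each EBR is relative to that EBR's own sector while slot 1, the link to the next EBR, is relative to the start of the outer extended partition. The image layout, type codes chosen and function names are my own assumptions.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS, Win95 LBA and Linux extended container types

def _entries(sector: bytes):
    """Yield (type, lba_start, sector_count) for the four 16-byte slots of an MBR or EBR."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    for slot in range(4):
        _status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * slot)
        yield ptype, lba, count

def parse_partitions(img: bytes, max_links: int = 64):
    """Return [(name, type, absolute_lba, sectors)]: the primaries, then each logical found on the EBR list."""
    parts, ext_base = [], None
    for n, (ptype, lba, count) in enumerate(_entries(img[:SECTOR]), 1):
        if ptype:
            parts.append((f"primary{n}", ptype, lba, count))
        if ptype in EXTENDED_TYPES:
            ext_base = lba                          # every "next EBR" pointer is relative to this sector
    ebr, seen = ext_base, set()
    for k in range(5, 5 + max_links):               # logical partitions are numbered from 5
        if ebr is None or ebr in seen:              # end of the chain, or a loop in a damaged table
            break
        seen.add(ebr)
        own, link, *_ = _entries(img[ebr * SECTOR:(ebr + 1) * SECTOR])
        if own[0]:                                  # slot 0: the logical partition, relative to this EBR
            parts.append((f"logical{k}", own[0], ebr + own[1], own[2]))
        ebr = ext_base + link[1] if link[0] in EXTENDED_TYPES else None   # slot 1: link to the next EBR
    return parts

def pack_entry(ptype: int, lba: int, count: int) -> bytes:
    return struct.pack("<B3sB3sII", 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)

def pack_sector(entries) -> bytes:
    return b"\0" * 446 + b"".join(entries).ljust(64, b"\0") + b"\x55\xaa"

def build_sample_image() -> bytes:
    """Constructed image: one NTFS primary and an extended container holding two Linux logicals."""
    img = bytearray(SECTOR * 4300)
    img[0:SECTOR] = pack_sector([pack_entry(0x07, 2048, 100), pack_entry(0x05, 4096, 200)])
    # EBR 1 is the first sector of the extended partition (LBA 4096); its slot 1 points 100 sectors in
    img[4096 * SECTOR:4097 * SECTOR] = pack_sector([pack_entry(0x83, 1, 50), pack_entry(0x05, 100, 100)])
    # EBR 2 at 4096 + 100 has an empty slot 1, which ends the list
    img[4196 * SECTOR:4197 * SECTOR] = pack_sector([pack_entry(0x83, 1, 60)])
    return bytes(img)
```

The seen-set is the check an fdisk that is "blind to logical partitions" lacks: a damaged or hostile table whose link points back to an earlier EBR must terminate the walk instead of looping.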

About this Archive

This page is an archive of recent entries in the Forensics category.
