Questions tagged [forensics]

Computer forensics analyzes information on computer systems to find evidence of the actions of a process, application, user or computer, and to determine the source of a change within a host, network or device.

Within the information security field the term is often used to refer specifically to digital forensics. This sub-specialty of forensic science came into being largely in the 1990s as technology encroached deeper into society at large. Much like other forensic sciences, its principal goal is to apply the scientific method to the collection and analysis of information stored in digital formats. While primarily used as part of legal investigations, the same tools and methods are frequently engaged as part of an incident response procedure when technical assets are involved.

501 questions
9 votes, 1 answer

How long would a computer have to be off to be resistant to a cold boot attack?

I understand that the longer a computer is off, the more resistant it is to a cold boot attack. I also understand that an AES key can be reconstructed from a redundant round key schedule even after a large percentage of the bits in memory have…
Zen Hacker
8 votes, 4 answers

Possible Rogue Admin

This does not involve me directly. However, a friend believes her files are being tampered with and/or deleted by the only Windows domain admin there. (She has since kept backups.) This started after she put in a complaint about him for misconduct…
Steven
8 votes, 3 answers

What does a court need to successfully prosecute a hacker? Please cite previous cases if possible

Once a business decides it is worthwhile to pursue legal action against the attacker, what information and processes should be followed so that: the integrity of the investigation is maintained; the undesired behaviour will cease; the damage is properly…
makerofthings7
8 votes, 2 answers

How can I view the NTFS $MFT using correct field names?

I am trying to view an NTFS master file table. Each tool I have used so far extracts all of the entries, but puts non-standard headers such as STANDARD_INFORMATION_ON instead of, say, $STANDARD_INFORMATION. I have tried MFT2CSV, ntfswalk64, and…
Ninja2k
8 votes, 1 answer

How can I secure my log files?

I have a cool tool that displays my syslog and kernel log on my Mac's desktop. This has me concerned about what is written in them - I'm starting to feel like they are creating a hole in my privacy. I have seen filenames from when I was looking around…
KilledKenny
8 votes, 3 answers

How to detect if files were saved or copied to a USB drive?

How can I find out if files from my computer were written/copied/moved to a USB storage device? I want to know if there is a solution that would work in a system that has not got any monitoring/logging of USB activity explicitly enabled and after…
Saladin
7 votes, 2 answers

Anti-live forensic programs

Against dead forensic acquisition we can use disk encryption (we can use TrueCrypt, for example). I was wondering whether software exists against live forensics? Can you give me a list for Windows and Linux (the most popular)? What other ways are there…
lzeowhzl
7 votes, 2 answers

"Fingerprinting" and human error

Pretend for a moment I am investigating an attack. I find errors in the attack method (mistakes made by the human attacking my network/computer). I compile a database of these "mistakes" treating them like a fingerprint. I then look through sites…
Everett
7 votes, 8 answers

Retrieving OS X Keychain passwords

I have a computer-forensics-style OS X login.keychain file that I am trying to find the passwords from. I have a very weak Mac which I used crowbarkc on to try and brute force it, but the horsepower is just not there… Is there any other way to get…
7 votes, 3 answers

Appropriate defense for 404s in my logs - persistent web scans from one region

This seems to be a fairly easy question to figure out, but I wanted to make sure. I've got about a thousand entries on one of my web servers with phpmyadmin in the connection criterion, but as I don't have phpmyadmin installed, it always 404s. …
Thomas Ward
7 votes, 4 answers

Special form of file system to prevent recovering after secure wipe data

I'm looking for a file system with reasonable error correction, but rugged against forensics after a wipe. Say, an encrypted container loop-mounted with a journaling file system like ext4. This has good performance and is secure in many ways. Wiping in this…
trankvilezator
7 votes, 2 answers

What type of data can be recovered from the swap file / page file and thumbs file

This question follows on from a previously posted question on recovery of data from a wiped disk. I have been informed that no files have been found on the computer on the hard disk or in the deleted files (unallocated space / slack). Therefore if…
James009
7 votes, 1 answer

Brute forcing encryption password (self destruct after 4 attempts)

My colleague at work lost the password to his external hard drive (HDD not SSD), a WD Elements. He remembers that his password was simple and 8 characters maximum. The problem is the encryption software he used will self destruct after 5 password…
7 votes, 4 answers

Finding date of last network access

I have a system that contains highly sensitive data that does not reside on the Internet. However, when I was going through the machine recently, I detected that it had cookies, and temporary internet files stored on it. While I can find the date…
7 votes, 2 answers

Is there a way to perform data acquisition on CPU's registers?

In digital forensics, as a best practice, an investigator should collect data from the most volatile source to the least volatile source. Usually, when talking about live/dynamic acquisition, most textbooks start with the RAM as the most volatile…
HSN