How to get started?

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.

Re: How to get started?

Posted: Mon Aug 21, 2017 12:50 pm

- Fenrir

Is it just not possible to recover these old files (most of them are from 2008, but the stick was rarely used), or am I doing something wrong?
Is there another good recovery tool on Linux I could try?

Thanks in advance :)

Mind you, recovery and forensics largely overlap, but they are not the same thing.

I.e., PhotoRec is a good recovery tool, but not necessarily a good forensics one:
www.cgsecurity.org/wiki/PhotoRec

Chances of recovery are often connected to the amount of fragmentation in the filesystem; typically *any* contiguous file can be recovered easily, the issues come with fragmented ones.

DMDE (commercial, but with a free version with only minimal restrictions) does have a Linux (command line) version; the Windows GUI is an excellent tool, can't say about the Linux one:
dmde.com/


jaclaz


- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: How to get started?

Posted: Wed Aug 23, 2017 9:21 am

Thanks, I will try those tools later :)

At the moment I have a memory dump, mem.bin, and I know that there are emails in it.
It's from jackcr's forensic challenge.
Since I already know what the content of these mails is, I can search for it with the strings command, but I wonder how I get the mail in a format like this:

    Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
    by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
    Mon, 26 Nov 2012 15:00:07 -0500
    Message-ID:
    From: "Security Department"
    To: , ,

    Subject: Immediate Action
    -Date: Mon, 26 Nov 2012 14:59:38 -0500
    -MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0015_01CDCBE6.A7B92DE0"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.5512
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
    Return-Path: isd @ petro-markets.info
    X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
    -This is a multi-part message in MIME format.
    -------=_NextPart_000_0015_01CDCBE6.A7B92DE0
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    Attn: Immediate Action is Required!!
    The IS department is requiring that all associates update to the new =
    version of anti-virus. This is critical and must be done ASAP! Failure =
    to update anti-virus may result in negative actions.
    Please download the new anti-virus and follow the instructions. Failure =
    to install this anti-virus may result in loosing your job!
    Please donwload at 58.64.132.8/download/S...1.43-1.exe
    Regards,
    The IS Department


I know that there are a few writeups and I even have a book where this challenge is mentioned, but they never give the commands.
Thanks for the help in advance :)

EDIT: I came up with " strings <myfile>.bin | grep -C 35 '<attacker ip>' " and got what I wanted :)

Fenrir
Newbie
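The same extraction, written as a small carver rather than a `strings | grep -C 35` window: this is an added example, not code from the thread or from the challenge, and it assumes the dump is a flat raw file like the mem.bin mentioned above. It locates header blocks in the raw image, cuts each message at its closing MIME boundary (or at the next NUL byte when there is none), and hands the result to Python's email package, which undoes the quoted-printable encoding visible in the posted message. Host names and addresses in the sample image are constructed placeholders.

```python
# Added example, not code from the thread or the challenge: carve e-mails out
# of a raw memory dump such as mem.bin, ending each block at the message's real
# end instead of grep -C 35's fixed window. SAMPLE_IMAGE is constructed.
import re
from email import message_from_bytes, policy
# A message: a "Received:" line, then "Name: value" lines and folded continuations.
HEADER_RE = re.compile(rb"Received: from [^\r\n]+\r?\n"
                       rb"(?:[A-Za-z0-9-]+: [^\r\n]*\r?\n|[ \t][^\r\n]*\r?\n)+")
BOUNDARY_RE = re.compile(rb'boundary="?([^"\r\n;]+)"?')

def carve_emails(image: bytes, max_len: int = 64 * 1024) -> list:
    """Return raw message blocks: a MIME message ends at its closing
    boundary, anything else at the first NUL byte or after max_len."""
    blocks = []
    for m in HEADER_RE.finditer(image):
        start, end = m.start(), -1
        b = BOUNDARY_RE.search(m.group(0))
        if b:
            closing = b"--" + b.group(1) + b"--"
            end = image.find(closing, m.end(), start + max_len)
            end = end + len(closing) if end != -1 else -1
        if end == -1:  # no MIME boundary found: stop at the next NUL byte
            end = image.find(b"\x00", m.end(), start + max_len)
        blocks.append(image[start:end if end != -1 else start + max_len])
    return blocks

def parse_email(block: bytes) -> dict:
    """Parse a carved block; the email package also undoes quoted-printable."""
    msg = message_from_bytes(block, policy=policy.default)
    text = next((p.get_content() for p in msg.walk()
                 if p.get_content_type() == "text/plain"), "")
    return {"from": str(msg["From"]), "subject": str(msg["Subject"]),
            "body": text.strip()}

# Constructed image: page junk, a MIME message, NUL padding, a plain message.
# Hosts and addresses are documentation values, not the challenge's indicators.
SAMPLE_IMAGE = b"".join([
    b"\x00\x00junk\xff\xfeReceived: from host.example ([192.0.2.10])\r\n",
    b"\tby mailrouter.example with SMTP id ABC123;\r\n",
    b"From: isd@example.invalid\r\nSubject: Immediate Action\r\n",
    b"MIME-Version: 1.0\r\nContent-Type: multipart/alternative;\r\n",
    b'\tboundary="----=_Part_AAAA"\r\n\r\n------=_Part_AAAA\r\n',
    b'Content-Type: text/plain; charset="iso-8859-1"\r\n',
    b"Content-Transfer-Encoding: quoted-printable\r\n\r\nAttn: Action needed!\r\n",
    b"Please download the new anti-virus =\r\nand follow the instructions.\r\n",
    b"------=_Part_AAAA--\r\n", b"\x00" * 64,
    b"Received: from relay.example ([198.51.100.7])\r\n",
    b"From: alice@example.invalid\r\nSubject: Second message\r\n\r\n",
    b"Just plain text, no MIME parts.\r\n\x00\x00\x00",
])
```

Run it on a real dump with `carve_emails(open("mem.bin", "rb").read())`; the NUL fallback is a heuristic, so non-MIME messages that span page boundaries may still come out truncated.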