How to get started?

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.

Senior Member

Re: How to get started?

Post Posted: Aug 21, 17 18:50

- Fenrir

Is it just not possible to recover these old files (most of them are from 2008, but the stick was rarely used), or am I doing something wrong?
Is there another good recovery tool on Linux I could try?

Thanks in advance

Mind you, recovery and forensics largely overlap, but they are not the same thing.

I.e. Photorec is a good recovery tool, but not necessarily a good forensics one.

Chances of recovery are often connected to the amount of fragmentation in the filesystem; typically *any* contiguous file can be recovered easily, the issues come with fragmented ones.

DMDE (commercial, but with a free version with only minimal restrictions) does have a Linux (command line) version; the Windows GUI is an excellent tool, can't say about the Linux one.

- In theory there is no difference between theory and practice, but in practice there is. - 


Re: How to get started?

Post Posted: Aug 23, 17 15:21

Thanks, I will try those tools later.

At the moment I have a memory dump mem.bin and I know that there are emails in it.
It's from jackcr's forensic challenge.
Since I already know what the content of these mails is, I can search it with the strings command, but I wonder how I get the mail in a format like this:

Received: from d0793h (d0793h.petro-markets.info [])
by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
Mon, 26 Nov 2012 15:00:07 -0500
From: "Security Department"
To: , ,

Subject: Immediate Action
-Date: Mon, 26 Nov 2012 14:59:38 -0500
-MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
Return-Path: isd @ petro-markets.info
X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
-This is a multi-part message in MIME format.
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
Attn: Immediate Action is Required!!
The IS department is requiring that all associates update to the new =
version of anti-virus. This is critical and must be done ASAP! Failure =
to update anti-virus may result in negative actions.
Please download the new anti-virus and follow the instructions. Failure =
to install this anti-virus may result in loosing your job!
Please donwload at
The IS Department

I know that there are a few writeups and I even have a book where this challenge is mentioned, but they never tell the commands.
Thanks for the help in advance.

EDIT: I came up with "strings <myfile>.bin | grep -C 35 '<attacker ip>'" and got what I wanted.
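The email-carving problem in the post above, as an added example that is not part of the original thread or of the challenge: instead of relying on a fixed grep context window, this script locates each "Received: from" header in a raw image, reads the header block up to the blank line, and cuts the body at the next NUL run or at the next message start. The sample image is constructed here and stands in for mem.bin; the header anchor and the size cap are assumptions.

```python
"""Carve RFC 822 messages out of a raw memory image (added example)."""
import re

# Assumption: every message of interest begins with a "Received: from" header.
START = re.compile(rb"Received: from ")
MAX_LEN = 64 * 1024  # assumed upper bound on the size of one carved message

def parse_headers(blob: bytes) -> dict:
    """Unfold continuation lines and split 'Name: value' headers."""
    headers, last = {}, None
    for line in blob.decode("latin-1").split("\n"):
        if line[:1] in (" ", "\t") and last:      # folded continuation line
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip()
            headers[last] = value.strip()
    return headers

def carve_messages(image: bytes, max_len: int = MAX_LEN) -> list:
    """Return one dict (offset, headers, body) per complete message found."""
    starts = [m.start() for m in START.finditer(image)]
    messages = []
    for i, start in enumerate(starts):
        limit = starts[i + 1] if i + 1 < len(starts) else len(image)
        chunk = image[start:min(limit, start + max_len)]
        chunk = chunk.replace(b"\r\n", b"\n")     # treat CRLF and LF alike
        sep = chunk.find(b"\n\n")                 # header block ends at blank line
        if sep == -1:
            continue                              # truncated header block: skip
        body = chunk[sep + 2:]
        nul = body.find(b"\x00")                  # NUL run marks end of useful text
        if nul != -1:
            body = body[:nul]
        messages.append({"offset": start, "headers": parse_headers(chunk[:sep]),
                         "body": body.decode("latin-1")})
    return messages

# Constructed sample standing in for mem.bin: one complete message between junk
# bytes, then a second one whose header block was partially overwritten.
SAMPLE_IMAGE = (
    b"\x00\x00junk\xff\xfe"
    b"Received: from d0793h (d0793h.petro-markets.info [])\r\n"
    b"\tby ubuntu-router with SMTP id qAQK06Co005842;\r\n"
    b'From: "Security Department"\r\nSubject: Immediate Action\r\n'
    b"Date: Mon, 26 Nov 2012 14:59:38 -0500\r\n\r\n"
    b"Attn: Immediate Action is Required!!\r\n"
    b"Please download the new anti-virus.\r\n\x00\x00\x00\x00garbage"
    b"Received: from host2 (host2.example [])\r\nSubject: second\r\n"
)
```

On a real dump, call carve_messages(open("mem.bin", "rb").read()) and print each message's offset and Subject header; the offsets can then be cross-checked against the strings/grep output.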
