How to get started?

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.

Re: How to get started?

Post Posted: Mon Aug 21, 2017 12:50 pm

- Fenrir

Is it just not possible to recover these old files (most of them are from 2008, but the stick was rarely used), or am I doing something wrong?
Is there another good recovery tool on Linux I could try?

Thanks in advance

Mind you, recovery and forensics largely overlap, but they are not the same thing.

I.e., PhotoRec is a good recovery tool, but not necessarily a good forensics one:
www.cgsecurity.org/wiki/PhotoRec

Chances of recovery are often connected to the amount of fragmentation in the filesystem; typically *any* contiguous file can be recovered easily, the issues come with fragmented ones.

DMDE (commercial, but with a free version with only minimal restrictions) does have a Linux (command line) version; the Windows GUI is an excellent tool, can't say about the Linux one:
dmde.com/


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
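The fragmentation point above is the one thing a practitioner should check before trusting a carved file. The following is an added example, not code from the post or from PhotoRec/DMDE: a minimal header/footer carver (the technique PhotoRec uses in its simplest form) run over a constructed "volume" holding one contiguous JPEG-like file and one that is split around an unrelated file. The sample bytes, the 512-byte sector size and the file names are assumptions; only the JPEG SOI/EOI marker values are real. Hashing each carved object against the known originals shows why the contiguous file comes back intact while the fragmented one comes back with foreign sectors spliced in.

```python
import hashlib

# Real JPEG start-of-image / end-of-image marker bytes.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
SECTOR = 512  # assumed sector size for the constructed volume


def carve(image: bytes, header: bytes, footer: bytes, max_len: int = 1 << 24) -> list[bytes]:
    """Header/footer carving: copy from each header to the next footer.

    This assumes the file occupies consecutive sectors. A fragmented file
    comes back with whatever was stored between its fragments spliced in,
    because the carver has no filesystem metadata telling it where the
    next fragment lives.
    """
    found = []
    pos = 0
    while (start := image.find(header, pos)) >= 0:
        end = image.find(footer, start + len(header), start + max_len)
        if end < 0:  # header with no footer in range: skip this candidate
            pos = start + len(header)
            continue
        found.append(image[start:end + len(footer)])
        pos = end + len(footer)
    return found


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pad_to_sector(data: bytes) -> bytes:
    """Zero-fill to the next sector boundary, like slack space on a real volume."""
    return data + b"\x00" * (-len(data) % SECTOR)


# Constructed sample files (not real images: marker bytes around filler).
GOOD_JPEG = JPEG_SOI + b"\xe0" + b"A" * 2000 + JPEG_EOI   # 2006 bytes
FRAG_JPEG = JPEG_SOI + b"\xe0" + b"B" * 2000 + JPEG_EOI   # 2006 bytes
TEXT_FILE = b"unrelated text file occupying a sector\n" * 10


def build_image() -> bytes:
    """Constructed volume: GOOD_JPEG stored contiguously, FRAG_JPEG split in two
    with TEXT_FILE occupying the sector between its fragments."""
    first_half, second_half = FRAG_JPEG[:2 * SECTOR], FRAG_JPEG[2 * SECTOR:]
    return (pad_to_sector(GOOD_JPEG)
            + first_half
            + pad_to_sector(TEXT_FILE)
            + pad_to_sector(second_half))


def recovery_report(image: bytes, originals: dict[str, bytes]) -> dict[str, bool]:
    """Hash every carved object against the known-good files.
    True means an exact, verifiable recovery; False means the carver
    produced something, but not the original bytes."""
    known = {sha256(data): name for name, data in originals.items()}
    report = {name: False for name in originals}
    for blob in carve(image, JPEG_SOI, JPEG_EOI):
        name = known.get(sha256(blob))
        if name:
            report[name] = True
    return report


if __name__ == "__main__":
    img = build_image()
    for i, blob in enumerate(carve(img, JPEG_SOI, JPEG_EOI)):
        print(f"carved #{i}: {len(blob)} bytes sha256={sha256(blob)[:16]}...")
    print(recovery_report(img, {"good.jpg": GOOD_JPEG, "frag.jpg": FRAG_JPEG}))
```

The second carved object is longer than the original and contains the interleaved text file, yet it still begins with a valid SOI and ends with a valid EOI, which is exactly why a carved file that "opens" is not evidence of a correct recovery. On real evidence, compare against a known hash when one exists, or at least validate the structure of the carved file with a format-aware parser.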

Re: How to get started?

Post Posted: Wed Aug 23, 2017 9:21 am

Thanks, I will try those tools later.

At the moment I have a memory dump mem.bin and I know that there are emails in it.
It's from jackcr's forensic challenge.
Since I already know what the content of these mails is, I can search for it with the strings command, but I wonder how I get the mail in a format like this:

Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
Mon, 26 Nov 2012 15:00:07 -0500
Message-ID:
From: "Security Department"
To: , ,

Subject: Immediate Action
Date: Mon, 26 Nov 2012 14:59:38 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0015_01CDCBE6.A7B92DE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
Return-Path: isd @ petro-markets.info
X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
This is a multi-part message in MIME format.
------=_NextPart_000_0015_01CDCBE6.A7B92DE0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Attn: Immediate Action is Required!!
The IS department is requiring that all associates update to the new =
version of anti-virus. This is critical and must be done ASAP! Failure =
to update anti-virus may result in negative actions.
Please download the new anti-virus and follow the instructions. Failure =
to install this anti-virus may result in loosing your job!
Please donwload at 58.64.132.8/download/S...1.43-1.exe
Regards,
The IS Department


I know that there are a few writeups and I even have a book where this challenge is mentioned, but they never tell the commands.
Thanks for the help in advance.

EDIT: I came up with " strings <myfile>.bin | grep -C 35 '<attacker ip>' " and got what I wanted.

Fenrir
Newbie
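The `strings | grep -C 35` approach works when you already know a string from the message and can guess how many lines of context to take; it breaks down when you don't, or when the message is longer than the context window. The following is an added example, not code from the post, the challenge or its writeups: it locates messages in a raw dump by the `Received: from ` header signature, reads the MIME boundary from the parsed headers, and cuts the message at the closing `--boundary--` delimiter instead of at a fixed line count, then decodes the quoted-printable body with Python's `email` package and pulls the IPv4 addresses out of the raw bytes as indicators. The dump is constructed inline: one message modelled on the headers and body quoted in the post (the `To:` address and the `From:` mailbox are assumed) plus a second, truncated message with a made-up `example.invalid` sender to show the fallback when no closing delimiter exists.

```python
import re
from email import message_from_bytes
from email.policy import default

# Signature that opens an SMTP-delivered message as it sits in RAM or on disk.
START_SIG = b"Received: from "
HEADER_END_RE = re.compile(rb"\r?\n\r?\n")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def carve_emails(dump: bytes) -> list[dict]:
    """Find RFC 822 messages in a raw dump and return one record per message.

    Each record holds the byte offset, whether the closing MIME delimiter was
    found, the From/Subject headers, the decoded text/plain body, and the
    IPv4 addresses seen anywhere in the raw message bytes.
    """
    results = []
    pos = 0
    while (start := dump.find(START_SIG, pos)) >= 0:
        m = HEADER_END_RE.search(dump, start)  # headers end at the first empty line
        if m is None:
            break
        headers = message_from_bytes(dump[start:m.end()], policy=default)
        boundary = headers.get_boundary()
        complete, end = False, -1
        if boundary:
            closing = b"--" + boundary.encode() + b"--"
            idx = dump.find(closing, m.end())
            if idx >= 0:
                end, complete = idx + len(closing), True
        if end < 0:
            # No closing delimiter: treat the message as truncated and stop at
            # the next NUL byte, which in a dump usually ends the allocation.
            nul = dump.find(b"\x00", m.end())
            end = nul if nul >= 0 else len(dump)
        raw = dump[start:end]
        msg = message_from_bytes(raw, policy=default)
        part = msg.get_body(preferencelist=("plain",))
        body = part.get_content() if part is not None else ""
        results.append({
            "offset": start,
            "complete": complete,
            "from": str(msg["From"] or ""),
            "subject": str(msg["Subject"] or ""),
            "body": body,
            "ips": list(dict.fromkeys(ip.decode() for ip in IPV4_RE.findall(raw))),
        })
        pos = end
    return results


# Constructed dump. The first message reuses headers quoted in the thread;
# To:/From: mailboxes are assumed. The second is a deliberately truncated message.
SAMPLE_EMAIL = (
    b"Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])\r\n"
    b"\tby ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;\r\n"
    b"\tMon, 26 Nov 2012 15:00:07 -0500\r\n"
    b"From: \"Security Department\" <isd@petro-markets.info>\r\n"
    b"To: associate@example.com\r\n"
    b"Subject: Immediate Action\r\n"
    b"Date: Mon, 26 Nov 2012 14:59:38 -0500\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/alternative;\r\n"
    b"\tboundary=\"----=_NextPart_000_0015_01CDCBE6.A7B92DE0\"\r\n"
    b"\r\n"
    b"This is a multi-part message in MIME format.\r\n"
    b"\r\n"
    b"------=_NextPart_000_0015_01CDCBE6.A7B92DE0\r\n"
    b"Content-Type: text/plain;\r\n\tcharset=\"iso-8859-1\"\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Attn: Immediate Action is Required!!\r\n"
    b"Please download the new anti-virus and follow the instructions. Failure =\r\n"
    b"to install this anti-virus may result in loosing your job!\r\n"
    b"Please donwload at 58.64.132.8/download/S...1.43-1.exe\r\n"  # path truncated as quoted in the post
    b"\r\n"
    b"------=_NextPart_000_0015_01CDCBE6.A7B92DE0--\r\n"
)
FRAGMENT = (
    b"Received: from mx1 (mx1.example.invalid [192.0.2.10])\r\n"
    b"\tby relay with ESMTP id AB12;\r\n"
    b"\tTue, 27 Nov 2012 09:14:02 -0500\r\n"
    b"From: helpdesk@example.invalid\r\n"
    b"Subject: Partial message\r\n"
    b"\r\n"
    b"This message was truncated in memory"
)
JUNK = b"\x00" * 48 + b"\x89PNG\r\n\x1a\n" + bytes(range(256)) + b"\x00" * 16
MEM_DUMP = JUNK + SAMPLE_EMAIL + b"\x00" * 32 + FRAGMENT + b"\x00" * 8

if __name__ == "__main__":
    for rec in carve_emails(MEM_DUMP):
        print(f"@0x{rec['offset']:x} complete={rec['complete']} from={rec['from']!r} "
              f"subject={rec['subject']!r} ips={rec['ips']}")
        print(rec["body"])
```

To run this against a real dump, replace `MEM_DUMP` with `open("mem.bin", "rb").read()` (or an mmap for large captures). The quoted-printable soft line break `=\r\n` in the body is removed by the decoder, so the carved text is searchable as the recipient saw it, which the raw `strings` output is not; and the `complete` flag tells you whether you are looking at a whole message or a fragment that ended at an allocation boundary.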
