codeslack.blogspot.com
Codeslack: Lightgrep 1.0
http://codeslack.blogspot.com/2012/06/lightgrep-10.html
Software, programming, computer forensics, and EnScript. I've just released Lightgrep for EnCase. Lightgrep is a new multipattern regular expression search engine that I've been developing with my colleagues over the last two years, and our EnCase integration makes it the fastest way to conduct searches over digital evidence. I'm hoping I'll be writing more blog posts now, as I allow my mind to wander a bit more. Posted by Jon Stewart.
codeslack.blogspot.com
Codeslack: 2012-12
http://codeslack.blogspot.com/2012_12_01_archive.html
Software, programming, computer forensics, and EnScript. A year and a half ago, I bought a new system. Meet Virgil: 24GHz, 6 cores, 12MB L3, hyperthreading—apiece. The legendary EVGA SR-2. A pair of WD RE4 2TB hard drives. In a Lian Li PC-V2120. All kinds of I/O ports and a ho-hum-but-CUDA-capable GPU. Volume. I no longer had a redundant 2TB drive; I had a 4TB drive with twice the probability of failure as a single drive and no redeeming performance qualities. Of course, by the time I realized this (di...
ils-ipp.blogspot.com
ESIgns: December 2010
http://ils-ipp.blogspot.com/2010_12_01_archive.html
The ESIgns blog is brought to you by International Litigation Services, Inc. It is authored by our consultants, each of whose practice is concentrated in specialized areas of electronic discovery. Our practice areas range from discovery strategy and management, electronic data collections, ESI filtering/processing and electronic document review. With our blog we intend to bring current news, observations and our practice insights to our readers. Tuesday, December 14, 2010. This much is obvious by now....
taksati.org
indx Archives - TAKSATI
http://www.taksati.org/tag/indx
I needed to walk a directory index for another script I was working on. I figured, as long as I was there trying to prototype that, I would just dump out the entire Index. Like the MFT parser below, this dumps to the console. Blue check the folder of interest and run. It will operate successfully against multiple checked folders, but the output is kinda long and hard to keep straight, so I don’t recommend it. Posted on 2011-09-20, 12:35 am.
taksati.org
autoruns Archives - TAKSATI
http://www.taksati.org/tag/autoruns
This is an EnCase EnScript I wrote a few years back. The original design goal was to implement Sysinternals Autoruns.exe inside EnCase so it could be run against dead drives during forensics cases. Sysinternals has since reworked Autoruns.exe so it can work against a dead drive, thus limiting the usefulness of this script. It still comes in handy for certain tasks since it is faster than mounting the drive to run Autoruns.exe. Due to changes in the Registry files, this doesn’t work on Windows 7. Richard ...
taksati.org
June 2013 - TAKSATI
http://www.taksati.org/2013/06
Monthly Archives: June 2013. I’m not sure how I missed it when it came out in 2009, but Peter Norris has put together an absolutely fantastic write up on the internal structures of the Registry. Deep internal knowledge like this is vital when you are finding parts of old registry files in unallocated space, the page file, or memory. For anyone else who has seen this paper, it is hosted here: http://amnesia.gtisc.gatech.edu/~moyix/suzibandit.ltd.uk/MSc/. Posted on 2013-06-17, 11:19 pm.
taksati.org
August 2012 - TAKSATI
http://www.taksati.org/2012/08
Monthly Archives: August 2012. Microsoft publishes a CODEC Pack that will enable its built-in viewers to also properly display most of the RAW image formats. It is available for download here: http://www.microsoft.com/en-us/download/details.aspx? Posted on 2012-08-07, 9:31 pm.
taksati.org
enscript Archives - TAKSATI
http://www.taksati.org/tag/enscript
I needed to walk a directory index for another script I was working on. I figured, as long as I was there trying to prototype that, I would just dump out the entire Index. Like the MFT parser below, this dumps to the console. Blue check the folder of interest and run. It will operate successfully against multiple checked folders, but the output is kinda long and hard to keep straight, so I don’t recommend it. Posted on 2011-09-20, 12:35 am.
taksati.org
October 2014 - TAKSATI
http://www.taksati.org/2014/10
Monthly Archives: October 2014. People still use Word macros! I got an interesting email today.
Received: from mail-qa0-f47.google.com (209.85.216.47) by myexchange.server (192.168.1.1) with Microsoft SMTP Server id 142347.0; Wed, 22 Oct 2014 09:02:52 -0400
Received: by mail-qa0-f47.google.com with SMTP id cm18so2352642qab.6; Wed, 22 Oct 2014 06:02:51 -0700 (PDT)
X-Received: by 10.140.30.53 with SMTP id c50mr52767444qgc.77.1413982971840; Wed, 22 Oct 2014 06:02:51 -0700 (PDT)
Does not designate 122&...
taksati.org
January 2015 - TAKSATI
http://www.taksati.org/2015/01
Monthly Archives: January 2015. Every Registry file starts with a 4,096 byte header block. The first 512 bytes of that header tell us about the Registry file as a whole. Contained within this header are the following:
Signature: “regf”
Type (0=Registry file; 1=Log file)
Offset to root key record
Offset to first non-used block
Value is either 0 or 1
Unknown: “rmtm”
Checksum (XOR32 of above)
Here’s what it would look like in a hex editor: (hex dump not reproduced here). The type at offset ...
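As an added example, not code from the TAKSATI post: a small Python parser for the first 512 bytes of a regf header that pulls out the fields named above (signature, type, root key offset, checksum) and verifies the XOR-32 checksum. The exact field offsets (type at 28, root cell offset at 36, checksum at 508), the sequence-number pair used to detect a hive that was not cleanly written, and the two special-case checksum values (0 is stored as 1, 0xFFFFFFFF as 0xFFFFFFFE) come from the publicly documented regf format rather than from the post; the header bytes the code parses are constructed in the code itself.

```python
import struct
from dataclasses import dataclass
from typing import List

REGF_SIGNATURE = b"regf"
HEADER_SIZE = 512        # metadata lives in the first 512 bytes of the 4,096-byte header block
CHECKSUM_OFFSET = 508    # XOR-32 over the 127 DWORDs that precede it
HBIN_BASE = 4096         # root cell offset is relative to the first hbin, which follows the header block


@dataclass
class RegfHeader:
    signature: bytes
    primary_seq: int
    secondary_seq: int
    last_written: int      # FILETIME, 100ns ticks since 1601-01-01
    major: int
    minor: int
    file_type: int         # 0 = Registry (primary) file, 1 = log file
    file_format: int
    root_cell_offset: int  # relative to HBIN_BASE
    hbins_size: int
    filename: str
    stored_checksum: int
    computed_checksum: int


def regf_checksum(hdr: bytes) -> int:
    """XOR-32 of the 127 little-endian DWORDs before the checksum field."""
    chk = 0
    for (dword,) in struct.iter_unpack("<I", hdr[:CHECKSUM_OFFSET]):
        chk ^= dword
    # Special cases from the published format description (not from the post).
    if chk == 0:
        chk = 1
    elif chk == 0xFFFFFFFF:
        chk = 0xFFFFFFFE
    return chk


def parse_regf_header(hdr: bytes) -> RegfHeader:
    if len(hdr) < HEADER_SIZE:
        raise ValueError("need at least the first 512 bytes of the hive")
    (sig, pseq, sseq, ts, major, minor, ftype, fformat,
     root_off, hbins, _cluster) = struct.unpack_from("<4sIIQIIIIIII", hdr, 0)
    # File name field: 64 bytes of UTF-16LE at offset 48, NUL padded.
    name = hdr[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", hdr, CHECKSUM_OFFSET)[0]
    return RegfHeader(sig, pseq, sseq, ts, major, minor, ftype, fformat,
                      root_off, hbins, name, stored, regf_checksum(hdr))


def check_header(h: RegfHeader) -> List[str]:
    """Return findings a forensic examiner cares about; empty list means the header looks sane."""
    findings = []
    if h.signature != REGF_SIGNATURE:
        findings.append("bad signature %r (carved fragment or not a hive)" % h.signature)
    if h.stored_checksum != h.computed_checksum:
        findings.append("checksum mismatch: stored 0x%08x, computed 0x%08x (header partially overwritten?)"
                        % (h.stored_checksum, h.computed_checksum))
    if h.file_type not in (0, 1):
        findings.append("unknown file type %d" % h.file_type)
    if h.primary_seq != h.secondary_seq:
        findings.append("dirty hive: sequence numbers %d != %d, transaction log needed"
                        % (h.primary_seq, h.secondary_seq))
    return findings


def build_test_header(file_type: int = 0, root_off: int = 0x20, pseq: int = 5,
                      sseq: int = 5, name: str = "SOFTWARE") -> bytes:
    """Constructed sample header (not bytes from a real hive), with a valid checksum."""
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into("<4sIIQIIIIIII", hdr, 0, REGF_SIGNATURE, pseq, sseq,
                     0x01D0EC8A12345678, 1, 5, file_type, 1, root_off, 0x1000, 1)
    hdr[48:112] = name.encode("utf-16-le").ljust(64, b"\x00")[:64]
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, regf_checksum(bytes(hdr)))
    return bytes(hdr)


if __name__ == "__main__":
    h = parse_regf_header(build_test_header())
    print("type=%d root key at file offset 0x%x name=%s" % (h.file_type, HBIN_BASE + h.root_cell_offset, h.filename))
    print("findings:", check_header(h) or "none")
```

Point the parser at the first 512 bytes of any hive (or at a suspected header carved out of unallocated space) and the findings list tells you whether the checksum still holds and whether the hive was cleanly written; the root key record itself sits at 4096 plus the reported offset.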