Archive for the ‘Computing’ Category

My favorite scene in Guardians of the Galaxy, plus some thoughts on the EnCe (forensics) and the art of clumsiness

August 24, 2014 2 comments

Hey y’all… been out for the EnCe Prep Course. Pleased to say that I passed the written part, and now I have to work on the practical. My recommendation is that if you’re going to take the written exam and don’t feel that you’re prepared enough from going through the study guide, sign up for the prep course. Yes, it’s expensive (unless you have the training pass or are lucky enough to get it paid for by your organization), but it’s worth it. Make sure you have taken Forensics I and II because they will ask you to send proof. If you haven’t taken those two classes, the Bootcamp package will include them in “onDemand” format. I prefer to go to training myself because in my work environment it’s hard to get enough time away to do computer-based training, and I work better under a live instructor, but that’s just me.

The test is hard, not going to lie. 2 hours, 150 questions, and you absolutely have to keep track of time throughout. If you have any additional questions about the written test, send a comment. I may or may not be able to answer depending on what it is, but I’ll try to help as much as possible 🙂

The day before I actually flew out for the prep course, I managed to fracture my toe by tripping over my suitcase. That’s how clumsy I can actually be, folks. Talk about pain. One of the hardest things I ever had to do was make the choice to fly out the next day, but I couldn’t exactly cancel on the prep course and flight, could I? No refunds at that late date. So, I turned off the fear in my head and went. Still hobbling a week later (and my toes are still a nice shade of blue), but I’m confident it’ll heal. Note: If you go in for a toe fracture, 9 times out of 10 the doctor will not give you warning he or she is going to set it. I screamed, and I didn’t care who heard me at that point. But do see a doctor right away. You don’t want it to heal wrong.

Anyway, now that I’m back home and getting back into work mode, I thought I’d share a video that kept my spirits up during trainings. Actually, any time I need a smile, I click on it. It’s the scene in Guardians of the Galaxy where baby Groot is dancing. I debated posting it for some time because some could see it as a spoiler, but then Marvel released it due to popular demand. So, why not.

Fun fact: James Gunn (director of the movie) did the dancing for baby Groot. Apparently he threw everyone off set, turned on a video camera and got jiggy. Then, he sent it off to the animators for the scene and made them promise to never show the video to anyone. Homie’s got some moves 🙂 Remember: dance like no one’s watching whenever you feel the need. It’ll get you in a good mood quick.


Image compression in EnCase and what it really means

May 30, 2012 Leave a comment

It’s often said in the digital forensics world that a RAW image can be seen as more “reliable” than other image types, such as the EnCase .E01 format. The reasons usually given include:

  • The RAW Image Format is basically a bit-for-bit copy of the RAW data of either the disk or the volume, without any additions or deletions.
  • The RAW Image Format was originally used by dd, but is supported by most of the computer forensics applications.
  • The RAW image is uncompressed.

It is true that an EnCase image can be smaller than the actual drive size, or, by comparison, than an image taken of the same drive in RAW format. There is no data loss, however; the reason EnCase can produce a smaller image is that by default it compresses the image to save space. Every bit of the original drive still exists in the image. EnCase also stores metadata, which isn’t something a RAW image includes by default (although there are cases where metadata can be stored in secondary files).

I performed an experiment on a 150 GB drive, where I first created a RAW image in HELIX (same resulting file size of 150 GB), then an EnCase image which was compressed down to about 60 GB by default. Then, I acquired the image again in EnCase, unchecking all compression options. The second EnCase image was 150 GB. Bit for bit, it was a mirror copy of the HELIX RAW image, only with inclusion of the metadata.
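The experiment above rests on one idea: a compressed image is smaller on disk but decompresses to exactly the bytes that were acquired, so the hash of the restored data equals the hash of the raw acquisition. The following is an added example, not code from the post or from EnCase, that models this with a constructed fake drive and zlib; the chunk size and the zero-filled free space are assumptions for illustration, and real .E01 files need a library such as libewf rather than plain zlib.

```python
# Added example: show that chunk-wise compression of an image is lossless by
# comparing the hash of the acquired bytes with the hash after decompression.
# The "drive" and chunk size are constructed here; this is not the E01 format.
import hashlib
import zlib

CHUNK = 64 * 1024  # constructed chunk size (EnCase uses its own block size)


def make_sample_disk(size=4 * CHUNK):
    """Constructed stand-in for a drive: zero-filled free space with one
    chunk of pseudo-random 'file' data, so compression has real work to do."""
    disk = bytearray(size)
    data = b"".join(hashlib.sha256(b"sample-%d" % i).digest() for i in range(CHUNK // 32))
    disk[CHUNK:2 * CHUNK] = data
    return bytes(disk)


def compress_image(raw):
    """Compress the raw acquisition chunk by chunk; returns the list of compressed chunks."""
    return [zlib.compress(raw[i:i + CHUNK], 9) for i in range(0, len(raw), CHUNK)]


def decompress_image(chunks):
    """Reverse compress_image, yielding the original byte stream."""
    return b"".join(zlib.decompress(c) for c in chunks)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_round_trip(raw):
    """Return (raw_size, compressed_size, hashes_match).

    hashes_match is True when the decompressed image is bit-for-bit identical
    to the acquired data, which is what an acquisition hash check verifies."""
    chunks = compress_image(raw)
    restored = decompress_image(chunks)
    compressed_size = sum(len(c) for c in chunks)
    return len(raw), compressed_size, sha256_hex(raw) == sha256_hex(restored)


if __name__ == "__main__":
    raw_size, packed_size, ok = verify_round_trip(make_sample_disk())
    print(f"raw {raw_size} bytes, compressed {packed_size} bytes, hash match: {ok}")
```

The size reduction comes entirely from how compressible the content is (the zero-filled chunks shrink to a few bytes, the pseudo-random chunk barely shrinks at all), which is also why a drive full of already-compressed media gives little saving in practice.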

I’m sure this is old hat to a lot of forensics folks out there, but for the newbies starting out, it’s a pretty handy concept to know 🙂

How to create .E01 images in HELIX

January 10, 2012 2 comments

EnCase Forensic Edition

One of the issues I’ve come across in computer forensics is the lack of documentation for certain tasks I want to accomplish. For example, HELIX 3 Pro has the ability to create images in both RAW and EnCase 4, 5, and 6 format. However, if you try to select the EnCase formats, you may not be able to complete them as such, only in RAW. It’s almost as if EnCase needs to know that you have a working copy of EnCase in some way, shape, or form.

I have versions 6 and 7 (Forensic edition) loaded on my laptop. So again, how to associate one with the other? The easiest way I’ve seen it done is to go through the motions of creating a boot disk for LinEn in EnCase and appending it to an ISO of HELIX 3 Pro:

  1. Launch EnCase (only 4, 5, and 6 will work for this until HELIX updates to allow for 7). Choose Tools > Create Boot Disk.
  2. Choose ISO as the destination and click Next.
  3. In the Formatting Options dialog box, ensure that Alter Boot Table is selected, the Image Path points to the directory where you have your original HELIX ISO, and the Destination Path points to a directory that houses a new altered ISO of HELIX that you will name. Click Next.
  4. The LinEn executable is usually found in the root directory of EnCase. Therefore, in the Copy Files dialog box, right-click under Name (right-hand pane) and click New. Browse to the location of LinEn (example C:\Program Files\EnCase6\linen). Click Finish, and EnCase will start to create your new and improved ISO.
  5. Once you get into HELIX, you should be able to select EnCase 4, 5, or 6 as the output format. I only have 6 so that limits my options personally.

Hope this helps 🙂 If you have any questions, feel free to shoot me a message.

How to open a RAW image created by HELIX in EnCase

November 30, 2011 Leave a comment

RAW images can be created by different forensic products with various file extensions like .DD or .001. I use HELIX sometimes for evidence acquisition, and it defaults to .001 and up for every 2 GB image file it creates. Viewing these HELIX-created files in EnCase wasn’t a successful venture for me for a while. Now I’ve figured out why, and hopefully this will help other digital forensic analysts out there who are having the same issues.

If you try to open a RAW image file in EnCase, you have a few choices of how you want to open it (Disk, Volume, CD-ROM, etc.). Easy enough. In my example, I had two NTFS partition images (created in HELIX) from the same drive that I wanted to add to my case as separate Volumes. However, if you’ve ever tried adding the component files starting from the .001 beginning point (sequential order), you’ve probably run into the issue I did, which is EnCase not recognizing the files and adding them as a single file only.

Here’s my protip: Add the files in reverse order. Let’s say my last file has the extension .027. Click on that file, hold down the Shift key, and then click on the .001 file. This will highlight all the files in between and will successfully add the files into an EnCase-approved file structure in your case. Now you’re ready to begin your forensic examination.
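Whatever order a tool’s file picker wants, the segments only make sense when read in ascending numeric order, and the way to confirm the reassembled set is what was acquired is to hash it and compare against the acquisition hash. The following is an added example, not code from the post or from HELIX or EnCase, that writes a constructed split image (.001, .002, ...), collects the segments by numeric extension rather than string order, checks none are missing, and hashes the concatenation; the segment size and file stem are assumptions for illustration (HELIX’s real default segment was 2 GB).

```python
# Added example: reassemble a split RAW image (stem.001, stem.002, ...) in
# numeric order, check the segment set is contiguous, and hash the result.
# The image data, stem and segment size are constructed for this demo.
import hashlib
import os
import re
import tempfile

SEGMENT_SIZE = 1024  # constructed; HELIX's default was 2 GB per segment
SEGMENT_RE = re.compile(r"\.(\d{3,})$")


def write_split_image(directory, stem, data, segment_size=SEGMENT_SIZE):
    """Write data as stem.001, stem.002, ... and return the paths created."""
    paths = []
    for n, offset in enumerate(range(0, len(data), segment_size), start=1):
        path = os.path.join(directory, f"{stem}.{n:03d}")
        with open(path, "wb") as f:
            f.write(data[offset:offset + segment_size])
        paths.append(path)
    return paths


def ordered_segments(directory, stem):
    """Return the stem.NNN files sorted by numeric extension.

    Sorting numerically matters once a set passes .999; sorting the names as
    strings would misplace such segments. Raises if any segment is missing."""
    found = []
    for name in os.listdir(directory):
        match = SEGMENT_RE.search(name)
        if name.startswith(stem + ".") and match:
            found.append((int(match.group(1)), os.path.join(directory, name)))
    found.sort()
    numbers = [n for n, _ in found]
    if numbers != list(range(1, len(numbers) + 1)):
        raise ValueError(f"segment set is not contiguous from .001: {numbers}")
    return [path for _, path in found]


def hash_segments(paths):
    """SHA-256 of the segments read back to back, streamed so large images fit."""
    h = hashlib.sha256()
    for path in paths:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(65536), b""):
                h.update(block)
    return h.hexdigest()


def demo(segments=12):
    """Write a constructed split image, reassemble it, and return
    (hash of acquired data, hash in correct order, hash in reversed order)."""
    data = b"".join(
        hashlib.sha256(b"seg%d" % i).digest() for i in range(segments * SEGMENT_SIZE // 32)
    )
    with tempfile.TemporaryDirectory() as d:
        write_split_image(d, "evidence", data)
        paths = ordered_segments(d, "evidence")
        in_order = hash_segments(paths)
        reversed_order = hash_segments(list(reversed(paths)))
    return hashlib.sha256(data).hexdigest(), in_order, reversed_order


if __name__ == "__main__":
    acquired, good, bad = demo()
    print("acquired :", acquired)
    print("in order :", good, "(match)" if good == acquired else "(MISMATCH)")
    print("reversed :", bad, "(match)" if bad == acquired else "(MISMATCH)")
```

The reversed-order hash is there to make the point concrete: a set of segments that is complete but concatenated in the wrong order hashes to something else, so a mismatch against the acquisition hash can mean ordering, not just corruption.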

Sidenote: It would have been nice to have seen these instructions in the EnCase documentation, but I did not see them anywhere.

And if you already knew how to do this, then I bow to you, digital forensics guru 🙂

“A service installation section in this INF is invalid”: a fix that worked for me

November 15, 2011 5 comments

Admittedly, Windows XP is an older operating system. However, my forensics laptop has to use it so I can use certain tools for imaging and investigations. Today, in testing an Android tablet, I was encountering the following error when trying to connect:

“A service installation section in this INF is invalid”

So I said ok, this tablet doesn’t come with drivers on a CD, let me check out the manufacturer’s website to download the INF file. Easy enough. However, Windows kept giving me grief saying that it could not find it in the directory I downloaded it to.

In looking for a fix, I found options ranging from editing the registry to modifying the INF file in Windows. However, in the end, what fixed it was installing the Microsoft User Mode Driver Framework for WinXP. It can be found here.

Thanks to the following post for help:

http://forum.xda-developers.com/showthread.php?t=1150211

So, if you encounter this error in WinXP, perhaps it may help. I can’t vouch for Win 7 🙂


Steve Jobs, I owe a lot of my computing existence to you

October 6, 2011 Leave a comment

From the Apple IIe that my cousins got in the 80s, to the Macintosh LC that I programmed my first BASIC files on in Computer Math class, Macs defined my early years. True, later I went mostly the Windows route as a server admin and a systems analyst, but Macs stayed within the periphery. Steve, you made all that happen.

So now I mourn with an iPhone in one hand, and an iMac keyboard in the other, and say Godspeed, Mr. Jobs. You were an innovator through and through.

Steve and Bill


The easiest Ranch Dressing recipe and words about words

August 28, 2011 Leave a comment

If you’re like me bottled ranch dressing leaves a lot to be desired. I like it thinner, with a more oniony flavor. Think Jason’s Deli or Wing Stop. Hell, if you got a Double Dave’s or Gumby’s you know what I’m talking about. It’s what they give you with pizza rolls (don’t get me started on them boy howdy).

Check it…

Ingredients:

  • 1 cup mayonnaise
  • 1/2 cup buttermilk
  • 1/2 tsp ground black pepper
  • 1 tsp Hidden Valley Ranch mix (get the Buttermilk packet, works the best here)
  • 1/8 tsp garlic powder
  • 1/8 tsp paprika

Whisk it up and put in the fridge to set for at least an hour. If you want it thinner, add more buttermilk. Erik made his special chicken wings last night for his parents and nephew, and I made the above recipe as a dip. Very tasty combination.

So, about those words…

Grad school starts again for me this week. Sometimes it’s hard to get right back into the thick of things after three months off, but it should prove fruitful. I think I’ve finally started to figure out what could be the beginnings of my Master’s project. I don’t want to say until I get final approval from my advisor, but it’s shaping up. Hopefully he gives me the go-ahead.

A couple of weeks ago I took the second part of the EnCase Computer Forensics course at the Woodlands. Erik went along as a little vacation. He proved to be a great flying companion, even giving me the window seat. What a guy, right? We had some issues with his navigation skills early on, but otherwise it was successful. As for the training, I learned more about the stuff I’m starting to tackle now like recovering files, finding files that may be intentionally renamed, and setting up custom hash sets. Things are much clearer now than ever before.

As for Erik, I took him to some great eateries, we strolled around Market Square, very Melrose Avenue. A highlight was finding Borders bookstore having a huge going out of business sale. Bad for Borders, great for my bookshelf. Another was partaking in a pomegranate berry smoothie from the heavens above (sorry, I meant to say Jamba Juice). The taste buds were doing cartwheels and were sad when I was done. “More, Jen, more!” Sorry kids, no Jamba Juice around here. If there was I’d be there every other day.

I like the Woodlands. It’s not as fast paced as Metro Houston. Actually reminds me a lot of College Station, albeit with more traffic jams. However, it’s very conservative. As liberal as this gal is, it’s hard to walk into sandwich shops blaring Fox News 24/7. But hey, whatever floats your boat.

I predict that the weekdays will get busier with school, work, and martial arts classes. I find that the more I have to do, the more accomplished I feel. That’s not to say that I don’t still enjoy a few hours of reading a book or watching Arrested Development with my beloved husband. That’s cool too 🙂