API tools faq
paste
Advertisement
LegionNET

Anonymous visits US DoJ, FBI, Police & Mil Cybercrime unit

LegionNET
Nov 18th, 2011
285
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.47 KB | None | 0 0
raw download clone embed print report
  1.  
  2. _ _ __ __
  3. __| || |__ _____ _____/ |_|__| ______ ____ ____ #antisec
  4. \ __ / \__ \ / \ __\ |/ ___// __ \_/ ___\ #anonops
  5. | || | / __ \| | \ | | |\___ \\ ___/\ \___ #OWS
  6. /_ ~~ _\ (____ /___| /__| |__/____ \ \___ \ \___ | #lulz
  7. |_||_| \/ \/ \/ \/ \/ #security
  8.  
  9. /*******************************************************************************
  10. *** #OCCUPYWALLSTREET CRACKDOWN RETALIATION TASK FORCE ***
  11. *******************************************************************************/
  12. Friday 18thNov - Lulz on Cybercrime Task Forces - US DoJ-FBI-Police-Military
  13.  
  14.  
  15.  
  16.  
  17. '...Subject: Pedobear info
  18.  
  19. Great, now they have a mascot....'
  20.  
  21. -Frank
  22. ^trollolol XD
  23.  
  24.  
  25.  
  26. QUOTES:
  27.  
  28.  
  29.  
  30.  
  31. Voicemail from +191XXXXXXXX
  32. Sep 23, 2011 PM Transcript: Hi, This is Jennifer calling from D. O. J Bureau firearm
  33. and I received your C C W renewal. B. O. F. It's now I'm sure you received the notifying out to France
  34. is not processing the C C W request everything else looks good, however I'm missing page 2 of the
  35. request in D. C. W work with them background disclosure forms. If you could give me a call. I'll be in
  36. the office on Monday at 8 o'clock. My number is (916) 274-6136 and I'm here in the office until 4:30
  37. today, thank you bye.
  38.  
  39. --------------------------------
  40.  
  41.  
  42. Does anyone know if Facebook maintains archives of a persons webpage?
  43.  
  44. Scenario: Person had something on a page, when questioned, it
  45. mysteriously disappeared !!
  46. Is there a time frame for a subpoena to obtain an archive page ???
  47.  
  48. Thanks
  49.  
  50. John W. Yeager
  51. Senior Advanced Specialist 1 - Forensics, Contractor
  52. Defense Computer Forensics Laboratory
  53. [email protected]
  54. (410) 981-0036
  55.  
  56. ^ Lulz
  57. -----------------------------------------
  58.  
  59.  
  60. Is there a Facebook white paper or other document to assist with the interpretation of a Facebook url?
  61.  
  62. I am trying to determine when a specific Facebook account was logged in during a set time.
  63.  
  64. Thanks
  65.  
  66.  
  67. William Oettinger
  68. GySgt USMC
  69. Marine Corps Base Hawaii - Legal
  70.  
  71.  
  72.  
  73. Generally, Facebook does not retain deleted content. If get a preservation
  74. letter to them before they deleted content is removed from their server,
  75. maybe 48 to 72 hours, they will hold the data for you. If not, it's gone.
  76. You may be able to find deleted content on archived web pages using sites
  77. like way back machine but I'm not sure how often that's updated. Hope this
  78. helps.
  79.  
  80.  
  81.  
  82.  
  83. ^ thanks for the tips
  84. --------------------------- -------------------
  85.  
  86.  
  87.  
  88. I have an eDonkey referral - CP - from Germany - I'm attempting to get a
  89. warrant written based on the information I've been provided...
  90.  
  91. I've attached a screenshot regarding my question -
  92.  
  93. Their eDonkey LOG file (text based) gives me my suspect's IP address,
  94.  
  95. date, time etc., with the following value of the file:
  96.  
  97.  
  98. 6BCC76487A3389941ED5248F4F1D7513
  99.  
  100. However, another document they've provided also gives me the MD5 Hash
  101. value of the file (NOT provided from the eDonkey logs) - the MD5 matches
  102. the actual file they sent me from their law enforcement CP library - the
  103. MD5 hash value of the file is this:
  104.  
  105. 857d5bedc3e75397246226c7a3c18bfa
  106.  
  107. My question is - what value is the eDonkey log reporting here ? i.e.,
  108. 6BCC76487A3389941ED5248F4F1D7513 - and how do I "convert" this to show
  109. it "matches" the MD5 hash value of the file itself?
  110.  
  111.  
  112. ****Please note new address*****
  113.  
  114. Maggi Holbrook, CFCE
  115. Sr. Computer Forensics Investigator
  116. VPD-CCSO Digital Evidence Cybercrime Unit
  117. 2800 NE Stapleton Rd
  118. Vancouver WA 98661
  119. LAB: (360) 487-7489
  120. FAX: (360) 695-3530
  121. [email protected]
  122. Member - Seattle/Pacific Northwest Regional ICAC Task Force
  123.  
  124. ------------------------------------------------
  125.  
  126.  
  127.  
  128.  
  129.  
  130. Actually, if you are using the Vista or Win7 AIK, you can set the Windows Pre-Installation Environment not to
  131. automount any devices on boot, which is what Helix, SPADA and others do with Linux. There are two changes to
  132. make in the registry of the PE system to make what Troy Larson refers to as Windows FE (Forensic Environment).
  133.  
  134. I’ve built and tested several of these using various file systems, both Windows recognized and not, as subject
  135. devices and so far none of the hash values have changed when booted with Windows FE. Windows FE is all
  136. command-line but can run FTK Imager and EnCase. The only function of EnCase I haven’t got working is EnScripts
  137. and Conditions/Filters. I think I need a language pack or something because when I view the code, it’s all
  138. garbed up.
  139.  
  140.  
  141. In regards to this post, at the motion I would want the defense expert to testify to how the Windows PE that he
  142. intends to use is built, if he’s made any modifications to the registry, if he has loaded any drivers and
  143. describe in detail the drivers he has loaded, their function and provide all these details in his testimony. I
  144. read through the Microsoft Technet information on ImageX and I have questions to the forensic integrity of this
  145. tool that would have to be proved through testing and validation. I’ve never used it and haven’t had anyone
  146. else propose using it as a forensic imaging tool. I would expect this expert would be able to provide written
  147. documentation of that testing and validation process for the prosecution’s review at the motion hearing. Those
  148. tests should then be reviewed to see that they are following sound forensic procedures. In the end, the only
  149. way to know if ImageX and the expert’s version of Windows PE are following forensic guidelines and practices is
  150. to review and thoroughly test his proposed procedures. I know this is a last minute thing but that’s why
  151. there’s caffeine in coffee.
  152.  
  153. ----------------------------------------------------------------------------
  154.  
  155. We recently got a file server a 15 TB RAID which we use for cases. We image directly to the server. The case
  156. will remain on this forensic file server for 3 years, at that point it is copied using the tape drive and
  157. archived, however it is purged off the server. Other than that, a case will not be deleted from the sever
  158. without written authorization from the investigator (we may do this for some of the really big cases) as
  159. needed.
  160.  
  161.  
  162. in reply to
  163.  
  164. Question in regard to evidence retention...
  165.  
  166. We submit our case drives and examination result CDs/DVDs as evidence and store them in our unit (the room is
  167. considered an evidence locker).
  168.  
  169. We're curious what other agencies are doing when paperwork is filed for evidence to be released / destroyed.
  170. Are you returning / destroying the computers and associated original evidence but still maintaining the case
  171. drive containing the acquired image files... Or do you destroy the CDs/DVDs and wipe the case drives for reuse?
  172.  
  173. For those imaging to Network Attached Storage, as opposed to case drives, do you retain the image on the NAS or
  174. discard that, as well...
  175.  
  176. Thanks in advance for your replies.
  177.  
  178.  
  179.  
  180. ------------------------------------------------------------------
  181.  
  182. Subject:Processing doctor/lawyer/priest/etc computers
  183.  
  184. Hello,
  185.  
  186.  
  187.  
  188. I was wondering what, if any, additional steps, processes or procedures anyone is using when processing a computer obtained via search warrant from a doctors office and/or criminal law office and/or non-criminal law office, etc. Essentially, any computer where there is a good likelihood that privileged materials on it are co-mingled with materials related to the specific criminal activity which is being conducted on the part of the doctor/lawyer/priest/etc in question.
  189.  
  190.  
  191. REPLY:
  192.  
  193.  
  194. 1> Doctor check for sexual assault videos of unconscious patients.
  195. 2> Lawyer check for fraud offences and other trust account violations.
  196. 3> Priest check for CP.
  197.  
  198.  
  199.  
  200. Peter Kingsley
  201. Ad.Dip.I.T. CFCE
  202. Operation Manager
  203. Forensic Computer Examination Unit
  204. Queensland Police Service, Australia
  205.  
  206.  
  207.  
  208.  
  209.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!