- _ _ __ __
- __| || |__ _____ _____/ |_|__| ______ ____ ____ #antisec
- \ __ / \__ \ / \ __\ |/ ___// __ \_/ ___\ #anonops
- | || | / __ \| | \ | | |\___ \\ ___/\ \___ #OWS
- /_ ~~ _\ (____ /___| /__| |__/____ \ \___ \ \___ | #lulz
- |_||_| \/ \/ \/ \/ \/ #security
- /*******************************************************************************
- *** #OCCUPYWALLSTREET CRACKDOWN RETALIATION TASK FORCE ***
- *******************************************************************************/
- Friday 18th Nov - Lulz on Cybercrime Task Forces - US DoJ-FBI-Police-Military
- '...Subject: Pedobear info
- Great, now they have a mascot....'
- -Frank
- ^trollolol XD
- QUOTES:
- Voicemail from +191XXXXXXXX
- Sep 23, 2011 PM Transcript: Hi, This is Jennifer calling from D. O. J Bureau firearm
- and I received your C C W renewal. B. O. F. It's now I'm sure you received the notifying out to France
- is not processing the C C W request everything else looks good, however I'm missing page 2 of the
- request in D. C. W work with them background disclosure forms. If you could give me a call. I'll be in
- the office on Monday at 8 o'clock. My number is (916) 274-6136 and I'm here in the office until 4:30
- today, thank you bye.
- --------------------------------
- Does anyone know if Facebook maintains archives of a person's webpage?
- Scenario: Person had something on a page, when questioned, it
- mysteriously disappeared !!
- Is there a time frame for a subpoena to obtain an archive page ???
- Thanks
- John W. Yeager
- Senior Advanced Specialist 1 - Forensics, Contractor
- Defense Computer Forensics Laboratory
- John.Yeager.ctr@dc3.mil
- (410) 981-0036
- ^ Lulz
- -----------------------------------------
- Is there a Facebook white paper or other document to assist with the interpretation of a Facebook url?
- I am trying to determine when a specific Facebook account was logged in during a set time.
- Thanks
- William Oettinger
- GySgt USMC
- Marine Corps Base Hawaii - Legal
- Generally, Facebook does not retain deleted content. If you get a preservation
- letter to them before the deleted content is removed from their server,
- maybe 48 to 72 hours, they will hold the data for you. If not, it's gone.
- You may be able to find deleted content on archived web pages using sites
- like the Wayback Machine but I'm not sure how often that's updated. Hope this
- helps.
- ^ thanks for the tips
- --------------------------- -------------------
- I have an eDonkey referral - CP - from Germany - I'm attempting to get a
- warrant written based on the information I've been provided...
- I've attached a screenshot regarding my question -
- Their eDonkey LOG file (text based) gives me my suspect's IP address,
- date, time etc., with the following value of the file:
- 6BCC76487A3389941ED5248F4F1D7513
- However, another document they've provided also gives me the MD5 Hash
- value of the file (NOT provided from the eDonkey logs) - the MD5 matches
- the actual file they sent me from their law enforcement CP library - the
- MD5 hash value of the file is this:
- 857d5bedc3e75397246226c7a3c18bfa
- My question is - what value is the eDonkey log reporting here ? i.e.,
- 6BCC76487A3389941ED5248F4F1D7513 - and how do I "convert" this to show
- it "matches" the MD5 hash value of the file itself?
- ****Please note new address*****
- Maggi Holbrook, CFCE
- Sr. Computer Forensics Investigator
- VPD-CCSO Digital Evidence Cybercrime Unit
- 2800 NE Stapleton Rd
- Vancouver WA 98661
- LAB: (360) 487-7489
- FAX: (360) 695-3530
- maggi.holbrook@ci.vancouver.wa.us
- Member - Seattle/Pacific Northwest Regional ICAC Task Force
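Added example, not part of the original message: eDonkey identifies files by the ed2k hash, which is built on MD4 over 9,728,000-byte chunks, so a 32-hex-digit file value in an eDonkey log is normally that hash and cannot be converted into the file's MD5. Both digests are computed independently from the same bytes and compared case-insensitively; the helper names (`md4`, `ed2k_hash`, `identify`) and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

ED2K_CHUNK = 9_728_000  # eDonkey hashes a file in chunks of this many bytes
_R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

def _rol(x, s):
    return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks it on current OpenSSL."""
    pad = b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg = data + pad + struct.pack("<Q", (len(data) * 8) & (2**64 - 1))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            if i < 16:    # round 1
                f, k, s = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:  # round 2
                f = ((b & c) | (b & d) | (c & d)) + 0x5A827999
                k, s = (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4]
            else:         # round 3
                f = (b ^ c ^ d) + 0x6ED9EBA1
                k, s = _R3[i - 32], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rol((a + f + x[k]) & 0xFFFFFFFF, s), b, c
        state = [(v + w) & 0xFFFFFFFF for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def ed2k_hash(data: bytes, chunk: int = ED2K_CHUNK) -> str:
    """ed2k file hash: MD4 of the file if it fits in one chunk, otherwise
    MD4 of the concatenated per-chunk MD4 digests. Files that are an exact
    multiple of the chunk size have two variants in the wild; this one does
    not append an empty trailing chunk."""
    parts = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    if len(parts) == 1:
        return md4(parts[0]).hex()
    return md4(b"".join(md4(p) for p in parts)).hex()

def identify(data: bytes, logged: str, chunk: int = ED2K_CHUNK) -> str:
    """Say which digest of `data` a logged hex value is (case-insensitive)."""
    digests = {"ed2k": ed2k_hash(data, chunk), "md5": hashlib.md5(data).hexdigest()}
    return next((n for n, h in digests.items() if h == logged.strip().lower()), "none")

if __name__ == "__main__":
    sample = b"abc"  # constructed sample input, not a value from the page
    print(ed2k_hash(sample), hashlib.md5(sample).hexdigest())
```

The `chunk` parameter exists only so the multi-chunk path can be exercised on small inputs; real eDonkey values use the default.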
- ------------------------------------------------
- Actually, if you are using the Vista or Win7 AIK, you can set the Windows Pre-Installation Environment not to
- automount any devices on boot, which is what Helix, SPADA and others do with Linux. There are two changes to
- make in the registry of the PE system to make what Troy Larson refers to as Windows FE (Forensic Environment).
- I’ve built and tested several of these using various file systems, both Windows recognized and not, as subject
- devices and so far none of the hash values have changed when booted with Windows FE. Windows FE is all
- command-line but can run FTK Imager and EnCase. The only function of EnCase I haven’t got working is EnScripts
- and Conditions/Filters. I think I need a language pack or something because when I view the code, it’s all
- garbled up.
- In regards to this post, at the motion I would want the defense expert to testify to how the Windows PE that he
- intends to use is built, if he’s made any modifications to the registry, if he has loaded any drivers and
- describe in detail the drivers he has loaded, their function and provide all these details in his testimony. I
- read through the Microsoft Technet information on ImageX and I have questions as to the forensic integrity of this
- tool that would have to be proved through testing and validation. I’ve never used it and haven’t had anyone
- else propose using it as a forensic imaging tool. I would expect this expert would be able to provide written
- documentation of that testing and validation process for the prosecution’s review at the motion hearing. Those
- tests should then be reviewed to see that they are following sound forensic procedures. In the end, the only
- way to know if ImageX and the expert’s version of Windows PE are following forensic guidelines and practices is
- to review and thoroughly test his proposed procedures. I know this is a last minute thing but that’s why
- there’s caffeine in coffee.
- ----------------------------------------------------------------------------
- We recently got a file server, a 15 TB RAID, which we use for cases. We image directly to the server. The case
- will remain on this forensic file server for 3 years, at that point it is copied using the tape drive and
- archived, however it is purged off the server. Other than that, a case will not be deleted from the server
- without written authorization from the investigator (we may do this for some of the really big cases) as
- needed.
- in reply to
- Question in regard to evidence retention...
- We submit our case drives and examination result CDs/DVDs as evidence and store them in our unit (the room is
- considered an evidence locker).
- We're curious what other agencies are doing when paperwork is filed for evidence to be released / destroyed.
- Are you returning / destroying the computers and associated original evidence but still maintaining the case
- drive containing the acquired image files... Or do you destroy the CDs/DVDs and wipe the case drives for reuse?
- For those imaging to Network Attached Storage, as opposed to case drives, do you retain the image on the NAS or
- discard that, as well...
- Thanks in advance for your replies.
- ------------------------------------------------------------------
- Subject:Processing doctor/lawyer/priest/etc computers
- Hello,
- I was wondering what, if any, additional steps, processes or procedures anyone is using when processing a computer obtained via search warrant from a doctor's office and/or criminal law office and/or non-criminal law office, etc. Essentially, any computer where there is a good likelihood that privileged materials on it are co-mingled with materials related to the specific criminal activity which is being conducted on the part of the doctor/lawyer/priest/etc in question.
- REPLY:
- 1> Doctor check for sexual assault videos of unconscious patients.
- 2> Lawyer check for fraud offences and other trust account violations.
- 3> Priest check for CP.
- Peter Kingsley
- Ad.Dip.I.T. CFCE
- Operation Manager
- Forensic Computer Examination Unit
- Queensland Police Service, Australia