Mozilla Firefox
- Type "about:config" into the address bar, then press Enter.
- Accept the Warning
- In the Search bar on this page, Search for "browser.newtab.url" (without
- Right click it, and click "reset"
- Restart Firefox.
Sunday, September 23, 2012
Baybylone remove...
Wednesday, July 4, 2012
Hide Folder Without any Software...
Folder Hide : No more software need...
Step 1 : Rename any folder with extension {645FF040-5081-101B-9F08-00AA002F954E}
For eg,
If u’ve a folder with name “Anything”
press F2,
then type, “Anything.{645FF040-5081-101B-9F08-00AA002F954E}”
and Press Enter.
Step 2 : To get back to its original form,
Make a new batch file with any name and type
“ren Anything.{645FF040-5081-101B-9F08-00AA002F954E} Anything” .
Step 1 : Rename any folder with extension {645FF040-5081-101B-9F08-00AA002F954E}
For eg,
If u’ve a folder with name “Anything”
press F2,
then type, “Anything.{645FF040-5081-101B-9F08-00AA002F954E}”
and Press Enter.
Step 2 : To get back to its original form,
Make a new batch file with any name and type
“ren Anything.{645FF040-5081-101B-9F08-00AA002F954E} Anything” .
Nokia Tricks
Do you know your Nokia can do this also....
1. Imagine ur cell battery is very low, u r expecting an important call and u don’t have a charger.
Nokia instrument comes with a reserve battery. To activate, key is “*3370#”
Ur cell will restart with this reserve and ur instrument will show a 50% increase in battery.
This reserve will get charged when u charge ur cell next time.
*3370# Activate Enhanced Full Rate Codec (EFR)-Your phone uses the best sound quality but talk time is reduced by approx 5%
#3370# Deactivate Enhanced Full Rate Codec( EFR)
*#4720# Activate Half Rate Codec – Your phone uses a lower quality sound but you should gain approx 30% more Talk Time
*#4720# Deactivate Half Rate Codec
2. *#0000# Displays your phones software version,
1st Line : Software Version,
2nd Line : Software Release Date,
3rd Line : Compression Type
3. *#9999# Phones software version if *#0000# does not work.
4. *#06# For checking the International Mobile Equipment Identity (IMEI Number).
5. #pw+1234567890+1# Provider Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols).
6. #pw+1234567890+2# Network Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols).
7. #pw+1234567890+3# Country Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols).
8. #pw+1234567890+4# SIM Card Lock Status.(use the “*” button to obtain the “p,w” and “+” symbols).
9. *#147# (vodafone) this lets you know who called you last *#1471# Last call (Only vodofone).
10. *#21# Allows you to check the number that “All Calls” are diverted to.
11. *#2640# Displays security code in use.
12. *#30# Lets you see the private number.
13. *#43# Allows you to check the “Call Waiting” status of your phone.
14. *#61# Allows you to check the number that “On No Reply” calls are diverted to.
15. *#62# Allows you to check the number that “Divert If Unreachable(no service)” calls are diverted to.
16. *#67# Allows you to check the number that “On Busy Calls” are diverted to.
17. *#67705646# removes operator logo on 3310 & 3330
18. *#73# Reset phone timers and game scores
19. *#746025625# Displays the SIM Clock status, if your phone supports this power saving feature “SIM Clock Stop Allowed”, it means you will get the best standby time possible
20. *#7760# Manufactures code
21. *#7780# Restore factory settings
22. *#8110# Software version for the nokia 8110
23. *#92702689# (to remember *#WARRANTY#)
Displays -
1. Serial Number,
2.Date Made
3.Purchase Date,
4.Date of last repair (0000 for no repairs),
5.Transfer User Data.
To exit this mode -you need to switch your phone off then on again
24. *#94870345123456789# Deactivate the PWM-Mem
25. **21*number# Turn on “All Calls” diverting to the phone number entered
26. **61*number# Turn on “No Reply” diverting to the phone number entered
27. **67*number# Turn on “On Busy” diverting to the phone number entered
Each command is prefixed with either one or two * or # characters as follows:
** Register and Activate
* Activate
## De-Register (and Deactivate)
# Deactivate
*# Check Status
© Call button
Once each command has been entered, if it is a network command (as opposed to a local handset command) it must be transmitted to the network by pressing the YES (receiver) key which acts as an enter key – this is represented here with the © character. Always enter numbers in full international format +CountryAreaNumber ( e.g. +447712345678).
Security
Change call barring code **03*OldCode*NewCode*NewCode#©
Change call barring code **03*330*OldCode*NewCode*NewCode#©
Change PIN code **04*OldPIN*NewPIN*NewPIN#©
Change PIN2 code **042*OldPIN2*NewPIN2*NewPIN2#©
Unlock PIN code (when PIN is entered wrong 3 times) **05*PUK*NewPIN*NewPIN#©
Unlock PIN2 code (when PIN2 is entered wrong 3 times) **052*PUK2*NewPIN2*NewPIN2#©
Display IMEI *#06#
Call Forwarding (Diversions)
De-register all call diversions ##002#©
Set all configured call diversions to number and activate **004*number#©
De-register all configured call diversions (no answer, not reachable, busy) ##004#©
Unconditionally divert all calls to number and activate **21*number#©
Activate unconditionally divert all calls *21#©
De-register unconditionally divert all calls ##21#©
Deactivate unconditionally divert all calls #21#©
Check status of unconditionally divert all calls *#21#©
Divert on no answer to number and activate **61*number#©
Activate divert on no answer *61#©
De-register divert on no answer ##61#©
Deactivate divert on no answer #61#©
Check status of divert on no answer *#61#©
Divert on not reachable to number and activate **62*number#©
Activate divert on not reachable *62#©
De-register divert on not reachable ##62#©
Deactivate divert on not reachable #62#©
Check status of divert on not reachable *#62#©
Divert on busy to number and activate **67*number#©
Activate divert on busy *67#©
De-register divert on busy ##67#©
Deactivate divert on busy #67#©
Check status of divert on busy *#67#©
Change number of seconds of ringing for the given service before diverting a call (such as on no answer). Seconds must be a value from 5 to 30. De-registering the same divert will also delete this change! **service*number**seconds#© (Service numbers, see below)
Call barring
Activate barring all outgoing calls (see Security to set code) **33*code#©
Deactivate barring all outgoing calls #33*code#©
Check status of barring all outgoing calls *#33#©
Activate barring all calls **330*code#©
Deactivate barring all calls #330*code#©
Check status of barring all calls *#330*code#©
Activate barring all outgoing international calls **331*code#©
Deactivate barring all outgoing international calls #331*code#©
Check status of barring all outgoing international calls *#331#©
Activate barring all outgoing international calls except to home country **332*code#©
Deactivate barring all outgoing international calls except to home country #332*code#©
Check status of barring all outgoing international calls except to home country *#332#©
Activate barring all outgoing calls **333*code#©
Deactivate barring all outgoing calls #333*code#©
Check status of barring all outgoing calls *#333#©
Activate barring all incoming calls **35*code#©
Deactivate barring all incoming calls #35*code#©
Check status of barring all incoming calls *#35#©
Activate barring all incoming calls when roaming **351*code#©
Deactivate barring all incoming calls when roaming #351*code#©
Check status of barring all incoming calls when roaming *#351#©
Activate barring all incoming calls **353*code#©
Deactivate barring all incoming calls #353*code#©
Check status of barring all incoming calls *#353#©
Call waiting
Activate call waiting *43*#©
Deactivate call waiting #43##©
Check status of call waiting *#43#©
Calling Line Identification
The following only works if CLIP and CLIR are enabled (ask your service provider)
CLIP: Presentation of the number of the incoming call
Activate CLIP **30#©
Deactivate CLIP ##30#©
Check status of CLIP *#30#©
CLIR: Presentation of one’s own number to the to the called party
Activate CLIR **31#©
Activate CLIR for the actual call *31#number©
Deactivate CLIR ##31#©
Deactivate CLIR for the actual call #31#number©
Check status of CLIR *#31#©
COLP: Presentation of the actual number reached (if number called was diverted to another number
Activate COLP *76#©
Deactivate COLP #76#©
Check status of COLP *#76#©
COLR: Presentation of the original number called by the calling party (if the call was diverted to this cellphone)
Activate COLR *77#©
Deactivate COLR #77#©
Check status of COLR *#77#©
Source: http://kyrionhackingtutorials.com
1. Imagine ur cell battery is very low, u r expecting an important call and u don’t have a charger.
Nokia instrument comes with a reserve battery. To activate, key is “*3370#”
Ur cell will restart with this reserve and ur instrument will show a 50% increase in battery.
This reserve will get charged when u charge ur cell next time.
*3370# Activate Enhanced Full Rate Codec (EFR)-Your phone uses the best sound quality but talk time is reduced by approx 5%
#3370# Deactivate Enhanced Full Rate Codec( EFR)
*#4720# Activate Half Rate Codec – Your phone uses a lower quality sound but you should gain approx 30% more Talk Time
*#4720# Deactivate Half Rate Codec
2. *#0000# Displays your phones software version,
1st Line : Software Version,
2nd Line : Software Release Date,
3rd Line : Compression Type
3. *#9999# Phones software version if *#0000# does not work.
4. *#06# For checking the International Mobile Equipment Identity (IMEI Number).
5. #pw+1234567890+1# Provider Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols).
6. #pw+1234567890+2# Network Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols).
7. #pw+1234567890+3# Country Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols).
8. #pw+1234567890+4# SIM Card Lock Status.(use the “*” button to obtain the “p,w” and “+” symbols).
9. *#147# (vodafone) this lets you know who called you last *#1471# Last call (Only vodofone).
10. *#21# Allows you to check the number that “All Calls” are diverted to.
11. *#2640# Displays security code in use.
12. *#30# Lets you see the private number.
13. *#43# Allows you to check the “Call Waiting” status of your phone.
14. *#61# Allows you to check the number that “On No Reply” calls are diverted to.
15. *#62# Allows you to check the number that “Divert If Unreachable(no service)” calls are diverted to.
16. *#67# Allows you to check the number that “On Busy Calls” are diverted to.
17. *#67705646# removes operator logo on 3310 & 3330
18. *#73# Reset phone timers and game scores
19. *#746025625# Displays the SIM Clock status, if your phone supports this power saving feature “SIM Clock Stop Allowed”, it means you will get the best standby time possible
20. *#7760# Manufactures code
21. *#7780# Restore factory settings
22. *#8110# Software version for the nokia 8110
23. *#92702689# (to remember *#WARRANTY#)
Displays -
1. Serial Number,
2.Date Made
3.Purchase Date,
4.Date of last repair (0000 for no repairs),
5.Transfer User Data.
To exit this mode -you need to switch your phone off then on again
24. *#94870345123456789# Deactivate the PWM-Mem
25. **21*number# Turn on “All Calls” diverting to the phone number entered
26. **61*number# Turn on “No Reply” diverting to the phone number entered
27. **67*number# Turn on “On Busy” diverting to the phone number entered
Each command is prefixed with either one or two * or # characters as follows:
** Register and Activate
* Activate
## De-Register (and Deactivate)
# Deactivate
*# Check Status
© Call button
Once each command has been entered, if it is a network command (as opposed to a local handset command) it must be transmitted to the network by pressing the YES (receiver) key which acts as an enter key – this is represented here with the © character. Always enter numbers in full international format +CountryAreaNumber ( e.g. +447712345678).
Security
Change call barring code **03*OldCode*NewCode*NewCode#©
Change call barring code **03*330*OldCode*NewCode*NewCode#©
Change PIN code **04*OldPIN*NewPIN*NewPIN#©
Change PIN2 code **042*OldPIN2*NewPIN2*NewPIN2#©
Unlock PIN code (when PIN is entered wrong 3 times) **05*PUK*NewPIN*NewPIN#©
Unlock PIN2 code (when PIN2 is entered wrong 3 times) **052*PUK2*NewPIN2*NewPIN2#©
Display IMEI *#06#
Call Forwarding (Diversions)
De-register all call diversions ##002#©
Set all configured call diversions to number and activate **004*number#©
De-register all configured call diversions (no answer, not reachable, busy) ##004#©
Unconditionally divert all calls to number and activate **21*number#©
Activate unconditionally divert all calls *21#©
De-register unconditionally divert all calls ##21#©
Deactivate unconditionally divert all calls #21#©
Check status of unconditionally divert all calls *#21#©
Divert on no answer to number and activate **61*number#©
Activate divert on no answer *61#©
De-register divert on no answer ##61#©
Deactivate divert on no answer #61#©
Check status of divert on no answer *#61#©
Divert on not reachable to number and activate **62*number#©
Activate divert on not reachable *62#©
De-register divert on not reachable ##62#©
Deactivate divert on not reachable #62#©
Check status of divert on not reachable *#62#©
Divert on busy to number and activate **67*number#©
Activate divert on busy *67#©
De-register divert on busy ##67#©
Deactivate divert on busy #67#©
Check status of divert on busy *#67#©
Change number of seconds of ringing for the given service before diverting a call (such as on no answer). Seconds must be a value from 5 to 30. De-registering the same divert will also delete this change! **service*number**seconds#© (Service numbers, see below)
Call barring
Activate barring all outgoing calls (see Security to set code) **33*code#©
Deactivate barring all outgoing calls #33*code#©
Check status of barring all outgoing calls *#33#©
Activate barring all calls **330*code#©
Deactivate barring all calls #330*code#©
Check status of barring all calls *#330*code#©
Activate barring all outgoing international calls **331*code#©
Deactivate barring all outgoing international calls #331*code#©
Check status of barring all outgoing international calls *#331#©
Activate barring all outgoing international calls except to home country **332*code#©
Deactivate barring all outgoing international calls except to home country #332*code#©
Check status of barring all outgoing international calls except to home country *#332#©
Activate barring all outgoing calls **333*code#©
Deactivate barring all outgoing calls #333*code#©
Check status of barring all outgoing calls *#333#©
Activate barring all incoming calls **35*code#©
Deactivate barring all incoming calls #35*code#©
Check status of barring all incoming calls *#35#©
Activate barring all incoming calls when roaming **351*code#©
Deactivate barring all incoming calls when roaming #351*code#©
Check status of barring all incoming calls when roaming *#351#©
Activate barring all incoming calls **353*code#©
Deactivate barring all incoming calls #353*code#©
Check status of barring all incoming calls *#353#©
Call waiting
Activate call waiting *43*#©
Deactivate call waiting #43##©
Check status of call waiting *#43#©
Calling Line Identification
The following only works if CLIP and CLIR are enabled (ask your service provider)
CLIP: Presentation of the number of the incoming call
Activate CLIP **30#©
Deactivate CLIP ##30#©
Check status of CLIP *#30#©
CLIR: Presentation of one’s own number to the to the called party
Activate CLIR **31#©
Activate CLIR for the actual call *31#number©
Deactivate CLIR ##31#©
Deactivate CLIR for the actual call #31#number©
Check status of CLIR *#31#©
COLP: Presentation of the actual number reached (if number called was diverted to another number
Activate COLP *76#©
Deactivate COLP #76#©
Check status of COLP *#76#©
COLR: Presentation of the original number called by the calling party (if the call was diverted to this cellphone)
Activate COLR *77#©
Deactivate COLR #77#©
Check status of COLR *#77#©
Source: http://kyrionhackingtutorials.com
Techno Facts
Facts you know?
160 billion emails are sent daily, 97% of which are spam.
Spam generates 33bn KWt-hours of energy every year, enough to power 2.4 million homes, producing 17 million tons of CO2.
9 out of every 1,000 computers are infected with spam.
Spammer get 1 response to every 12 million emails they send (yet it still makes them a small profit).
A twillionaire is a twitterer with a million or more followers.
There are some 1 billion computers in use.
There are some 2 billion TV sets in use.
There are more than 4 billion cell phones in use. About 3 million cell phones are sold every day.
The first known cell phone virus, Cabir.A, appeared in 2004.
Since 2008, video games have outsold movie DVDs.
Amazon sells more e-books than printed books.
Facebook has 500 million registered users… about 100 million less than QQ.
About 1.8 billion people connect to the Internet, 450 million of them speak English.
Google indexed it’s 1 trillionth unique
URL on July 25, 2008. That is thought to be about 20% of all the pages
on the Internet but a high percentage of the World Wide Web (the public
Internet).
One google search produces about 0.2g of
CO2. But since you hardly get an answer from one search, a typical
search session produces about the same amount of CO2 as does boiling a
kettle.
Google handles more than 1 billion search queries per day, releasing some 200 tons of CO2 per day.
The average US household uses 10.6 megawatt-hours (MWh) electricity per year.
Google uses an estimated 15 billion kWh
of electricity per year, more than most countries. However, google
generates a lot of their own power with their solar panels.
The first public cell phone call was made on April 3, 1973 by Martin Cooper.
The Motorola DynaTAC 8000X was the first
cell phone sold in the US; launched on April 11, 1984, it was designed
by Rudy Krolopp and weighed 2 pounds.
About 20% of the videos on YouTube are music related.
24 hours of video viewing is uploaded every minute on YouTube.
People view 15 billion videos online every month.
On average, US onliners view 100 videos per month each.
Flickr hosts some 5 billion photographs, Facebook hosts more than 15 billion.
1 Bit = Binary Digit
8 Bits = 1 Byte
1000 Bytes = 1 Kilobyte
1000 Kilobytes = 1 Megabyte
1000 Megabytes = 1 Gigabyte
1000 Gigabytes = 1 Terabyte
1000 Terabytes = 1 Petabyte
1000 Petabytes = 1 Exabyte
1000 Exabytes = 1 Zettabyte
1000 Zettabytes = 1 Yottabyte
1000 Yottabytes = 1 Brontobyte
1000 Brontobytes = 1 Geopbyte
Technically speaking, the sum is 1024 bytes.
8 Bits = 1 Byte
1000 Bytes = 1 Kilobyte
1000 Kilobytes = 1 Megabyte
1000 Megabytes = 1 Gigabyte
1000 Gigabytes = 1 Terabyte
1000 Terabytes = 1 Petabyte
1000 Petabytes = 1 Exabyte
1000 Exabytes = 1 Zettabyte
1000 Zettabytes = 1 Yottabyte
1000 Yottabytes = 1 Brontobyte
1000 Brontobytes = 1 Geopbyte
Technically speaking, the sum is 1024 bytes.
Source : http://www.webaholics.in
Understand your Cell Phone & GSM Technology
- * Airtel to Airtel 15paise Call on 4 selected numbers. Just dial *#110#
- * To know the Tariff Validity *131#
- * To know the A/C manage Menu *121#
- * To know the HelloTunes Menu *678#
- * To know ur Balance *123*1#
- * To know Local A2A Balance *123*3#
- * To know STD Call Balance *123*6#
- * To know ISD call balance *123*2# , *123*4# , *123*5#
NOKIA CODE :
- * To Restore Battery Setting *#7780
- * To Know Manufacture Date *#3283# & *#0000#
- * To Stop Sim clock *#746025625#
- * To Stop Operator Logo *#67705646#
- * To Reset Phone Timer *#73#
- * To Warranty *#92702689#
SAMSUNG CODE :
- * To know software version *#9999#
- * To ReBoot Phone #*3849# & #*2562#
- * To On/OFF Phone Time #*2558#
- * To Unlock Phone #*7337#
- * To On/Off GSM facility #*4760#
- * To know about Memory & Data *#9998*246#
- * To know Phone’s Lock status *#7465625#
- * To Serial No. *#0001#
- * To Unlock Code No. *2767*637#
- * To See Free space *#8999*636#
- * Software Version *#1111#
- * Firmware Version *#1234#
- * Hardware Version *#2222#
- * For Call List *#2255#
LG CODE :
- * Go to Phone’s Test Mode 2945#-*#
- * For Secret Menu 2945*-#01*#
- * To know software version *8375#
- * IMEI No. *#06#
- * To Manage Sim card Lock (For LG7010&LG7020) dial 2945#*70001#
- * To Manage Sim Lock (For LG B1200) dial 1945#*5101#
- * To Manage Sim Lock (For LG B5200 & 510w) dial 2945#*5101#
- * To Manage Sim Lock (For LG 500 & 600) dial 2947#*
- * IMEI and SW (LG 510): *#07#
- * Software version (LG B1200): *8375#
- * Recount cheksum (LG B1200): *6861#
- * Factory test (B1200): #PWR 668
- * Simlock menu (LG 7020, 7010): 2945#*70001#
GSM Secret Codes :
- Type *#61# and press call - Check redirection status.
- Cancel all redirections: ##002# *43# to activate call waiting, to deactivate #43#.
- * If your phone doesn't have incoming call barring and outgoing call barring, you can try this.
- * For outgoing call barring dial *33*barcode*# and pres OK. To deactivate it dial #33#barcode*#.
- * On any phone on any network type in **43# to enable conference calls. You can make up to 7 calls at once
- * If you need to block SMS reception (if you are spammed by someone) just press this code: *35*xxxx*16# xxxx is your Call Barring code (default is 0000). To remove this barring type: #35*xxxx#
- * If you want to hide/show your phone number when calling, put one of these codes below in front of the number that you are going to call.(*#30# / *#31# or *31# / #31# ) Works on some networks.
- * Typing *0# or *nm# on the beginning of a txt message gives you detailed delivery report on some networks.. But turn off reports in message settings before.
- * When the sim card-pin blocked type **042*pin2 old*newpin2*newpin2
Friday, February 17, 2012
Essential Tasks Performed During Digital Analysis
There are three essential tasks that an examiner performs during the analysis of evidentiary digital media: (1) creation of a forensic image; (2) creation of a forensic archive from the forensic image; and (3) exporting potential probative digital data related to the investigation. All three tasks are critical to the overall success of the investigation and eventual prosecution of the case.
FORENSIC IMAGE AND FORENSIC ARCHIVE
The admissibility of potential probative data at trial is probably going to be based upon the successful creation of the initial forensic image, its digital authenticity, and its chain of custody (if appropriate). Any of the many available forensic software tools can be used to create a forensic image. They all generate a bit-by-bit copy (a “bitstream image” or “mirror image”) of the data residing on the digital media. This ensures that all the data from allocated space, unallocated space, and free space is made available for examination. Hash algorithms, such as Message Digest 5 (MD-5) or Secure Hash Algorithm-1 (SHA-1) provide a digital authenticity of not only the forensic image, but also the forensic archive and any potential digital probative data.
The admissibility of potential probative data at trial is probably going to be based upon the successful creation of the initial forensic image, its digital authenticity, and its chain of custody (if appropriate). Any of the many available forensic software tools can be used to create a forensic image. They all generate a bit-by-bit copy (a “bitstream image” or “mirror image”) of the data residing on the digital media. This ensures that all the data from allocated space, unallocated space, and free space is made available for examination. Hash algorithms, such as Message Digest 5 (MD-5) or Secure Hash Algorithm-1 (SHA-1) provide a digital authenticity of not only the forensic image, but also the forensic archive and any potential digital probative data.
After receipt and inventory, the first priority is to create both a forensic image and a forensic archive. Using an approved forensic software tool and an appropriate write blocker, the evidence is acquired, resulting in creation of the forensic image, which is normally stored on a forensic computer’s evidence hard drive. Subsequently, the forensic archive is created from this forensic image. Once the forensic archive is exported onto optical media, digital tape, and/or another hard drive, the forensic image is analyzed for potential probative data. In addition to hashing, there are certain other precautions that have to be taken into consideration to ensure the authenticity of both the forensic image and the forensic archive. Specific policy and procedure needs to be defined to preclude the commingling of forensic images from separate items or different cases. There has to be a procedure for wiping the forensic image after analysis is completed. Although the forensic image is work product, it can be considered evidence since it is an exact copy of the digital evidentiary media. Therefore, the examination area needs to be physically secured with limited access. Forensically sterile media must be used when creating the forensicarchive. If an agency chooses to archive the evidence hard drive itself, other issues will arise. These include maintaining a chain of custody, proper packaging to prevent inadvertent damage and/or deleterious change, and the costs associatedwith purchasing additional hard drives.
A number of agencies create and store all examiner-generated forensic images on a Storage Area Network (SAN). There are many advantages in doing so. Virtually all SANs are configured into a RAID (Redundant Array of Inexpensive Disks). This provides data reliability, redundancy, and increased input/output performance. A SAN can also be configured with automated tape back-ups to provide another level of redundancy. Likewise, there are some disadvantages. The initial cost of the SAN and its maintenance can be costly. There has to be policy and procedure in place to preclude not only commingling of forensic images, but also limiting access to the forensic images themselves. One method would be to create individual, secured partitions for each examiner. Security procedures would dictate that access to the individual partitions is restricted. Other issues then arise: Is the forensic image going to be maintained on the SAN after the completion of the analysis? Is a forensic archive going to be created from the forensic image and stored separately on the SAN? Will the forensic image be eventually wiped and the space reclaimed? Storing forensic images on the SAN becomes a question of sufficient hard drive capacity, physical security, and a chain of custody. Remember, although the forensic image is work product, it can still be considered as evidence. In fact, there are a number of agencies that specifically keep these forensic images available for further analysis. Other agencies allow case investigators access to the forensic image to bookmark potential probative data for prosecution purposes. When this occurs, a higher level of security has to be established. Likewise, if the SAN is used as a repository of forensic archives, then appropriate additional layers of redundancy, physical security, and access will become necessary.
POTENTIAL PROBATIVE DATA
A variety of digital media can be used when exporting potential probative data: floppy disk, zip disk, optical disc, hard drive, and digital tape. In most instances, optical discs and hard drives are the only realistic options. An important consideration is how much data to export. Although investigators and prosecutors generally want all the potential probative data, this is beginning to become an unrealistic expectation. Rather, a question should be asked: “How much potential probative data do you need?” The following is a real-world example: A 120-gigabyte evidence hard drive contained 30 gigabytes of user-generated files, which consisted of pictures and movies of apparent child pornography, e-mails, spreadsheets, and text documents. The user-generated files were burned onto seven DVDs. Each picture averaged about 100 kilobytes in size. Three gigabytes of pictures were burned onto one of the DVDs. That alone represented at least 30,000 pictures that had to be viewed. The investigator and/or the prosecutor still had to review thousands of other files on the other six DVDs for potential probative data.
A variety of digital media can be used when exporting potential probative data: floppy disk, zip disk, optical disc, hard drive, and digital tape. In most instances, optical discs and hard drives are the only realistic options. An important consideration is how much data to export. Although investigators and prosecutors generally want all the potential probative data, this is beginning to become an unrealistic expectation. Rather, a question should be asked: “How much potential probative data do you need?” The following is a real-world example: A 120-gigabyte evidence hard drive contained 30 gigabytes of user-generated files, which consisted of pictures and movies of apparent child pornography, e-mails, spreadsheets, and text documents. The user-generated files were burned onto seven DVDs. Each picture averaged about 100 kilobytes in size. Three gigabytes of pictures were burned onto one of the DVDs. That alone represented at least 30,000 pictures that had to be viewed. The investigator and/or the prosecutor still had to review thousands of other files on the other six DVDs for potential probative data.
It is recognized that in many jurisdictions, the possession of each picture of child pornography can be a separate charge. Prosecutors often use this fact to obtain a plea bargain from the suspect. However, in the above example, does the prosecutor really need to view all 30,000 pictures? Would a better approach be to export several hundred pictures of the apparent child pornography, indicating that they are representative of what was found? Since the forensic archive is available for further analysis, additional potential probative data could be generated at a later time. Every examiner, investigator, and prosecutor is continually faced with handling and sorting through gigabytes of data to determine what is of potential probative value. This will only become more difficult and time-consuming as hard drives increase in size. The question “How much potential probative data do you need?” does not have a simple answer. It can only be resolved by the investigator, prosecutor, and the court working together to determine what evidence is necessary tosupport the indictment.
John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Evidence” published by Humana Press in 2007.
Source: Forensicmag
Forensic operation on windows registry
Windows General
Even more Windows Forensics goodness (or badness depending on your perspective).
Description: Temp folder
Location: C:\Users\<user name>\AppData\Local\Temp
Why you care: Lots of programs need a safe place, where the user has permissions, to dump temp data. This is the place to look. They may have wiped/shredded the main file, but there could be a version in this directory depending on how the application works.
Entry by: Irongeek, but thanks to Nir.
Description: Recycle Bin
Location: C:\$Recycle.Bin
Why you care: Do I really need to say?
Entry by: Irongeek, but thanks to Nir.
Description: Last logged on user
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Why you care: Lets you know who logged in last, and may also give you a user name to attack if you're a pen-tester.
Entry by: Irongeek, but thanks to Nir.
Description: Event logs
Location: Should be in C:\Windows\System32\config or C:\Windows\System32\winevt\Logs depending on OS
Why you care: These may be relocated, so do a desktop search for *.evt and *.evtx. Let you know all sorts of things about what is happening on the box.
Entry by: Irongeek.
Description: Last key edited by RegEdit
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
Why you care: Can be useful to know if the user was tweaking the registry for some purpose (like writing an article on Forensically interesting spots in the Windows 7 file system and registry).
Entry by: Irongeek, but thanks to Nir.
Description: List of Installed USB devices, both connected and unconnected
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
Why you care: It can be useful to know what USB devices have be connected to a box, and even the vendor and serial number of the device in some cases. Think someone copied the data to a thumbdrive? This may help you trace down what thumbdrive. Think how useful it can be to help tie something a user physical possesses to a box.
Entry by: Irongeek.
Description: List of installed USB storage devices
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
Why you care: Much like the installed USB devices entry, but just for USB storage. Think someone copied the data to a thumbdrive? This may help you trace down what thumbdrive. CleanAfterMe scrubsHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB but not USBSTOR when I tested last.
Entry by: Irongeek.
Description: SetupAPI Device Log
Location: C:\windows\inf\setupapi.dev.log
Why you care: Log that can help you find out what USB devices have been installed, including thumbdrives. CleanAfterMe scrubs HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB but notthis file when I tested last.
Entry by: Irongeek, but thanks to Nir.
Description: Windows Prefetch
Location: C:\Windows\Prefetch
Why you care: Windows Prefetch is a feature in Windows XP and newer system (Including Windows 7) that is ment to speed up commonly executed application and boot load times by recording what on the system is accessed. Mark McKinnon has a tool you might be interested in for parsing this data. Also, you may want to read the Wikipedia entry: http://en.wikipedia.org/wiki/Prefetcher
Entry by: Irongeek, but thanks to Nir and Mark McKinnon.
Source: Irongeek
Even more Windows Forensics goodness (or badness depending on your perspective).
Description: Temp folder
Location: C:\Users\<user name>\AppData\Local\Temp
Why you care: Lots of programs need a safe place, where the user has permissions, to dump temp data. This is the place to look. They may have wiped/shredded the main file, but there could be a version in this directory depending on how the application works.
Entry by: Irongeek, but thanks to Nir.
Description: Recycle Bin
Location: C:\$Recycle.Bin
Why you care: Do I really need to say?
Entry by: Irongeek, but thanks to Nir.
Description: Last logged on user
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Why you care: Lets you know who logged in last, and may also give you a user name to attack if you're a pen-tester.
Entry by: Irongeek, but thanks to Nir.
Description: Event logs
Location: Should be in C:\Windows\System32\config or C:\Windows\System32\winevt\Logs depending on OS
Why you care: These may be relocated, so do a desktop search for *.evt and *.evtx. Let you know all sorts of things about what is happening on the box.
Entry by: Irongeek.
Description: Last key edited by RegEdit
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
Why you care: Can be useful to know if the user was tweaking the registry for some purpose (like writing an article on Forensically interesting spots in the Windows 7 file system and registry).
Entry by: Irongeek, but thanks to Nir.
Description: List of Installed USB devices, both connected and unconnected
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
Why you care: It can be useful to know what USB devices have be connected to a box, and even the vendor and serial number of the device in some cases. Think someone copied the data to a thumbdrive? This may help you trace down what thumbdrive. Think how useful it can be to help tie something a user physical possesses to a box.
Entry by: Irongeek.
Description: List of installed USB storage devices
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
Why you care: Much like the installed USB devices entry, but just for USB storage. Think someone copied the data to a thumbdrive? This may help you trace down what thumbdrive. CleanAfterMe scrubsHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB but not USBSTOR when I tested last.
Entry by: Irongeek.
Description: SetupAPI Device Log
Location: C:\windows\inf\setupapi.dev.log
Why you care: Log that can help you find out what USB devices have been installed, including thumbdrives. CleanAfterMe scrubs HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB but notthis file when I tested last.
Entry by: Irongeek, but thanks to Nir.
Description: Windows Prefetch
Location: C:\Windows\Prefetch
Why you care: Windows Prefetch is a feature in Windows XP and newer system (Including Windows 7) that is ment to speed up commonly executed application and boot load times by recording what on the system is accessed. Mark McKinnon has a tool you might be interested in for parsing this data. Also, you may want to read the Wikipedia entry: http://en.wikipedia.org/wiki/Prefetcher
Entry by: Irongeek, but thanks to Nir and Mark McKinnon.
Source: Irongeek
Forensically analyze Windows 7, Vista and XP file system and registry
Windows Explorer
Not to be confused with Internet Explorer, Windows Explorer is the default GUI shell for Windows 7 / Vista / XP. It leaves all sorts of data in the registry and file system for a forensics investigation.
Description: Recently opened files from Windows Explorer
Location: C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Recent
Why you care: It can be quite useful to know what files have been opened recently. Think someone is accessing records of embezzlement? Maybe there is a pointer to the Excel file here that can lead you to where the data has been stored. You may also see links to videos and images in here. I've had this lead to personal embarrassment before while doing a presentation for the ISSA. :)
Entry by: Irongeek, but thanks to Nir.
Description: Network Shortcuts
Location: C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Why you care: This could show an investigator what fileservers the person is accessing, or on a captured laptop a little about the internal network (useful for pen-testing).
Entry by: Irongeek, but thanks to Nir.
Description: Items recently ran from the "Run" bar
Location:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Why you care: Useful to know what the person is running using the Windows Run bar, but in Vista and Windows 7 lots of folks use "Search programs and files" text box, which does not show up in this registry key.
Entry by: Irongeek, but thanks to Nir.
Source: http://www.irongeek.com
Not to be confused with Internet Explorer, Windows Explorer is the default GUI shell for Windows 7 / Vista / XP. It leaves all sorts of data in the registry and file system for a forensics investigation.
Description: Recently opened files from Windows Explorer
Location: C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Recent
Why you care: It can be quite useful to know what files have been opened recently. Think someone is accessing records of embezzlement? Maybe there is a pointer to the Excel file here that can lead you to where the data has been stored. You may also see links to videos and images in here. I've had this lead to personal embarrassment before while doing a presentation for the ISSA. :)
Entry by: Irongeek, but thanks to Nir.
Description: Network Shortcuts
Location: C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Why you care: This could show an investigator what fileservers the person is accessing, or on a captured laptop a little about the internal network (useful for pen-testing).
Entry by: Irongeek, but thanks to Nir.
Description: Items recently ran from the "Run" bar
Location:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Why you care: Useful to know what the person is running using the Windows Run bar, but in Vista and Windows 7 lots of folks use "Search programs and files" text box, which does not show up in this registry key.
Entry by: Irongeek, but thanks to Nir.
Source: http://www.irongeek.com
Subscribe to:
Posts (Atom)