Lantern Version 2.2.3 has been released.
http://katanaforensics.com/
~Hew
Tuesday, March 27, 2012
Passware Releases a new Version
Passware 11.5 has been released.
Acceleration using GPU / TACC has been enhanced.
More file types are supported.
For full notes visit: http://www.lostpassword.com/kit-forensic.htm
There is not listing of what is new versus what was present in release 11.3.
~Hew
Acceleration using GPU / TACC has been enhanced.
More file types are supported.
For full notes visit: http://www.lostpassword.com/kit-forensic.htm
There is not listing of what is new versus what was present in release 11.3.
~Hew
Friday, March 23, 2012
BlackBag Technolgies Released new Black Light
Black Light 2012 Release 1 is out!
The new features listed are still for 2011 Release 5.
www.blackbagtech.com
~Hew
The new features listed are still for 2011 Release 5.
www.blackbagtech.com
~Hew
Wednesday, March 21, 2012
Micro Systemation releases a new version of XRY
Micro Systemation XRY 6.2 has been released!
Things that have been updated/changed
www.masb.com
~Hew
Things that have been updated/changed
- Apple iOS - passcode, dumping, and encryption
- Android - automatic rooting and swipe codes
- Support for an additional 70 Chinese clones
- Blackberry - Improved physical support
- More CDMA and iDEN support
www.masb.com
~Hew
Current Versions
Just a reminder.
The first post in January (the first post of the blog) is a listing of all the tools I have been following, and their current release versions.
The is an up to date list that I update weekly.
~Hew
mail.h11dfs.com
The first post in January (the first post of the blog) is a listing of all the tools I have been following, and their current release versions.
The is an up to date list that I update weekly.
~Hew
mail.h11dfs.com
Monday, March 19, 2012
AccessData releases new PRTK and DNA
Access Data has released a new version of PRTK v.6.6.0
They have also released a new version of DNA v.3.6.0
This release has seen the following updates/changes:
New Modules:
http://accessdata.com/support/adownloads
~Hew
They have also released a new version of DNA v.3.6.0
This release has seen the following updates/changes:
- Enhanced processing to utilize multiple cores more effectively
- No longer run as a Windows Service
- Installation must be done as an Administrator
- Uses the latest patched version of Java 1.6
- More efficient on 64bit workers
- Dictionary Utility can work against passwords that are longer than 64 characters
- Users can now select multiple dictionaries of a similar name using shift+alt
- User Interface cleanup in the job properties dialog
New Modules:
- Cypherus
- DGCA
- iPhone
- TightVNC
- Leet Speak
- Case Permutations
- Tertiary
http://accessdata.com/support/adownloads
~Hew
Friday, March 16, 2012
Updated the Comparrison of Hardware Requirements entry.
Guidance Software sent me the official specifications for EnCase and it has now been updated.
Also I have listed the specs of both computers I have that are running EnCase 7x and FTK 3.
Hope this is interesting.
~Hew
www.h11dfs.com
Also I have listed the specs of both computers I have that are running EnCase 7x and FTK 3.
Hope this is interesting.
~Hew
www.h11dfs.com
Thursday, March 15, 2012
Comparison of Hardware Requirements
This is a list of Hardware Requirements that I have been able to find concerning some of the leading tools.
A number of people have asked me during trainings, what is the hardware requirement of various tools.
I thought it would be nice to make a brief list of the these requirements, it was harder than I thought to find these.
*Please note this is what I have been able to dig up myself (and with help from the vendors now.) I will not guess on anything (unless otherwise stated) and will only use data that I have found on the vendor websites.
**Guidance Software sent me an official specifications sheet today! (16-Mar-2012)
EnCase
EnCase 7 - I am running it on my computer and am satisfied with the speeds.
Minimum Setup
EnCase 7 Processor - Guidance has released the following specifications:
FTK 3 and FTK 4
Minimum Setup
I hope this helps anyone who has been curious.
~Hew
www.h11dfs.com
matt@h11dfs.com
A number of people have asked me during trainings, what is the hardware requirement of various tools.
I thought it would be nice to make a brief list of the these requirements, it was harder than I thought to find these.
*Please note this is what I have been able to dig up myself (and with help from the vendors now.) I will not guess on anything (unless otherwise stated) and will only use data that I have found on the vendor websites.
**Guidance Software sent me an official specifications sheet today! (16-Mar-2012)
EnCase
EnCase 7 - I am running it on my computer and am satisfied with the speeds.
Minimum Setup
- Dual-core Processor
- 4 GB RAM
- First Hard Drive for OS and Software with 300 MB available space
- Second Hard Drive for cases
- Windows XP Pro, Server 2003, Server 2008, Vista, 7 (32bit)
- Gigabit network
- Quad-core Processor (Intel Itanium is not supported)
- 16 GB RAM
- First Hard Drive for OS and Software with 300 MB available space (I really like the WD velociraptor for its speed of 10,000 rpm)
- Second Hard Drive should be a RAID array for I/O speeds and redundancy
- Windows 7 (64bit)
- Gigabit network
- 2.67 GHz Quad-core processor (Intel Q9400)
- 8 GB of RAM DDR3 PC3-10600
- Velociraptor 10,000rpm Operating System Drive
- 1 TB Drive for Cases
- Windows 7 Professional (64 bit)
EnCase 7 Processor - Guidance has released the following specifications:
- CPU Quad-core i7
- 16 GB of RAM
- Drive 1: Operating System and Pagefile
- Drive 2: Evidence
- Drive 3: Primary Evidence Cache (This drive should be as fast as possible)
- Windows 7 (64bit) or Windows Server 2k8 R2 (64bit)
- (Make sure you have a Gigabit network before trying this)
FTK 3 and FTK 4
Minimum Setup
- One Computer with
- Quad-core processor
- 2 GB RAM per core. A Quad-core would have 8 GB RAM
- First Hard Drive with FTK and 500 MB of free space
- Second Separate large Hard Drive for the database
- (I have found no recommendation for Windows but with the RAM constraints it must be a 64bit install)
- (I have attempted this with FTK 3.0. It was extremely bogged down. I would personally recommend a minimum of a dual quad-core with 16 GB of RAM if you are going to run this on a single computer.)
- Separate Computers (You must have a Gigabit network for this to work properly)
- First Computer runs FTK
- Dual Quad-core (8 cores)
- 2 GB RAM per core. Dual Quad-core would have 16 GB RAM
- 5 GB available space for install of FTK
- (I have found no recommendation for Windows but with the RAM constraints it must be a 64bit install)
- Second Computer
- Dual Quad-core (8 cores)
- 2 GB RAM per core. Dual Quad-core would have 16 GB RAM
- Separate HDD RAID 5 or 6 for Database
- (I have found no recommendation for Windows but with the RAM constraints it must be a 64bit install)
- Third+ Computer/s can be added as processors
- Dual Quad-core Xeon 2.5Ghz
- 16 GB RAM DDR3
- First Hard Drive 7200rpm for OS and Software
- Second Hard Drive RAID 5 for redundancy and I/O speeds. This is the database drive array.
- Windows 7 Ultimate (64bit)
I hope this helps anyone who has been curious.
~Hew
www.h11dfs.com
matt@h11dfs.com
Wednesday, March 14, 2012
Logicube releases a new software update for the Quest 2
Software update 1.08 has been released for the Quest 2.
It appears the only change in this update is the addition of Chinese Language support (both Traditional and Simplified)
www.logicube.com
It appears the only change in this update is the addition of Chinese Language support (both Traditional and Simplified)
www.logicube.com
AccessData releases new License Manager
License Manager 3.1.3.60 has been released.
Access Data also released a new CodeMeter Runtime v. 4.4.0
Both 32 bit and 64 bit
www.AccessData.com
Access Data also released a new CodeMeter Runtime v. 4.4.0
Both 32 bit and 64 bit
www.AccessData.com
Monday, March 12, 2012
Guidance Software Releases EnCase 7.03.1 and 6.19.4
Guidance Software has released two new versions of EnCase.
EnCase 7.03.1 fixed a bug in relation to mounting compound files.
EnCase 6.19.4 now allows support of Sophos Safeguard.
www.guidancesoftware.com
~Hew
EnCase 7.03.1 fixed a bug in relation to mounting compound files.
EnCase 6.19.4 now allows support of Sophos Safeguard.
www.guidancesoftware.com
~Hew
Thursday, March 8, 2012
EnCase 7.03 Experiences 002
I stated at the end of EnCase 7.03 Experiences 001 that I would go into greater detail a concern about the copy folders / files option.
I currently have a ticket open with Guidance Software concerning the below issue and will update this post when they respond, and share their response.
The issue:
Again, this is an issue that I have noticed with EnCase 7.03
I have tried three different scenarios and have come up with similar results on all of them. Two are listed below.
The issue is that when exporting folders from EnCase 7.03, EnCase reports that it is going to export more "space" than is on the volume. I will explain in more depth by walking through my scenarios:
Scenario 1: A small FAT32 Partition from a Windows 7 Machine.
In the report of the volume the:
Total Capacity = 39.1 MB
Total Allocated = 8.9 MB
Total Unallocated = 30.2 MB
When I blue check all and export folders the total size displayed is 43.8 MB which is more than the capacity of the volume. I followed through to see if just the report was in error, and 43.8 MB exported.
I removed the unallocated sectors (unchecked) and exported the remainder and was shown 13.6 MB which is more than previously reported.
I tried just the unallocated (only it checked) and was shown 30.2 MB unallocated, which was the previously shown total.
It appears that the allocated area is having an issue.
Scenario 2: A small NTFS Partition from a Windows Vista Machine.
In the report of the volume the:
Total Capacity = 14.6 GB
Total Allocated = 4.4 GB
Total Unallocated = 10.3 GB
This one was similar to the previous but even more pronounced...
With Export all I had a total size of 35.4 GB, more than twice the partition size.
With the removal of unallocated it showed 25.1 GB.
With just unallocated it showed 10.3 GB.
Again it appears the issue is somewhere in the allocated memory. Is there any reason that this would report such a vast discrepancy?
www.h11dfs.com
~Hew
Update for EnCase 7.03.01
Sadly this hasn't been fixed. The errors are still the same.
~Hew
**I got an update on this from Guidance.
The discrepancy is caused by a file named $BadClus.Bad
If/when bad clusters are found they are mapped to this file. The initialized size is 0 so it is safe, and recommended to be skipped. This file can potentially be as large as the volume so be careful to deselect it when copying out files.
There is a series of posts in the support files of the Guidance Software site discussing this issue.
I currently have a ticket open with Guidance Software concerning the below issue and will update this post when they respond, and share their response.
The issue:
Again, this is an issue that I have noticed with EnCase 7.03
I have tried three different scenarios and have come up with similar results on all of them. Two are listed below.
The issue is that when exporting folders from EnCase 7.03, EnCase reports that it is going to export more "space" than is on the volume. I will explain in more depth by walking through my scenarios:
Scenario 1: A small FAT32 Partition from a Windows 7 Machine.
In the report of the volume the:
Total Capacity = 39.1 MB
Total Allocated = 8.9 MB
Total Unallocated = 30.2 MB
When I blue check all and export folders the total size displayed is 43.8 MB which is more than the capacity of the volume. I followed through to see if just the report was in error, and 43.8 MB exported.
I removed the unallocated sectors (unchecked) and exported the remainder and was shown 13.6 MB which is more than previously reported.
I tried just the unallocated (only it checked) and was shown 30.2 MB unallocated, which was the previously shown total.
It appears that the allocated area is having an issue.
Scenario 2: A small NTFS Partition from a Windows Vista Machine.
In the report of the volume the:
Total Capacity = 14.6 GB
Total Allocated = 4.4 GB
Total Unallocated = 10.3 GB
This one was similar to the previous but even more pronounced...
With Export all I had a total size of 35.4 GB, more than twice the partition size.
With the removal of unallocated it showed 25.1 GB.
With just unallocated it showed 10.3 GB.
Again it appears the issue is somewhere in the allocated memory. Is there any reason that this would report such a vast discrepancy?
www.h11dfs.com
~Hew
Update for EnCase 7.03.01
Sadly this hasn't been fixed. The errors are still the same.
~Hew
**I got an update on this from Guidance.
The discrepancy is caused by a file named $BadClus.Bad
If/when bad clusters are found they are mapped to this file. The initialized size is 0 so it is safe, and recommended to be skipped. This file can potentially be as large as the volume so be careful to deselect it when copying out files.
There is a series of posts in the support files of the Guidance Software site discussing this issue.
https://support.guidancesoftware.com/forum/showthread.php?t=36504&highlight=bad+clusters
~Hew
EnCase 7.03 Experiences 001
This is an initial review of EnCase 7.03 as it relates to experiences with 7.02.04.
There are some major positives that I would like to share!
The right-click has returned. The majority of the functions that were available with a right-click in EnCase 6.x have finally returned, some are listed below...
www.h11dfs.com
Hew
There are some major positives that I would like to share!
The right-click has returned. The majority of the functions that were available with a right-click in EnCase 6.x have finally returned, some are listed below...
- Recover Folders (This is great and I will explain in detail below the list.)*
- Remove Recovered Folders
- Bookmark
- Copy Files / Folders (An issue with this is explained below.)***
- View File Structure (YAY)
- Add To Hash Library
- Hash / Run Signature on Selected (See below for added bonus to this)*
- Acquire E01 / Ex01
- Acquire L01
- Disk View (A Limitation listed below)**
- Restore
- Scan Disk Config
- Share with PDE / VFS
- Share with Enterprise View
- Modify Time Zones
- Send To File Viewers
- This is independent of the Evidence Processor!
- This means that you can do it multiple times prior to running the Evidence Processor, and select which volumes to run the recover folders on.
- If you select disk view from a right-click you will go to the cluster of that file. Not the Sector.
- The limitation is that there is no way to un-check the cluster view box and stay where you are located. Once you un-check cluster view you are taken to the start of the volume.
- Make sure to document the Physical Sector in the data bar (GPS) so that you can return to the correct Sector!
- Instead of going into full detail here I will create a new post concerning this issue.
www.h11dfs.com
Hew
New Cellebrite Release
Cellebrite has released Firmware update 1.1.9.4
With Regards,
Hew
- This updates their support of Chinese phones
- This is also an update for more support for logical extractions from Android phones
With Regards,
Hew
Friday, March 2, 2012
Vound Software releases New Intella
Intella 1.5.4 was released on March 01.
Intella is a great tool for email and data investigations. If you are unfamiliar with them you can download a fully functional time limited trial version.
http://www.vound-software.com/download-request
Whenever I have a case where email is an artifact I use Intella, so give them a try!
Hew
Intella is a great tool for email and data investigations. If you are unfamiliar with them you can download a fully functional time limited trial version.
http://www.vound-software.com/download-request
Whenever I have a case where email is an artifact I use Intella, so give them a try!
Hew
Subscribe to:
Posts (Atom)