Posted June 22nd, 2006 by admin
By Chetan Gupta, NII Consulting
A supposedly nightmarish tool for the investigator community! Recently this tool was released at the metasploit anti-forensics site and is available here.
Like the website mentions, this tool can be a headche for any forensic investigator and a handy tool for any mischevious since it has the ability to change all the four timestamps of NTFS and not only that, it has an option to change the timestamps in such a way that Encase shows blanks. Read the rest of this entry »
Posted June 21st, 2006 by Chetan Gupta
by Chetan Gupta, NII Consulting
A small experiment…Create a new text file. Edit it using Notepad and type “Hello” in it. save and exit the editor. Right click the file and check its properties. Did you notice the two attributes “Size” and “Size on disk”. It looks something like this on my Windows XP system
Size: 5 bytes (5 bytes)
Size on disk: 4.00 KB (4,096 bytes)
Have you ever wondered why this difference? If the size of file contents is only 5 bytes, why are the remaining bytes assigned to the file? Do they serve any purpose? Well, atleast not to any average user of computer systems! Read the rest of this entry »
Posted June 4th, 2006 by admin
by Chetan Gupta, NII Consulting
I was looking for a utility which allows me to remotely access running processes’ list of a suspect machine running Windows OS. I found this wonderful utility which allows to not only view the processses and their PIDs but also filter the processes according to the certain criteria such as username, memory usage, loaded modules, services, status of the services and even Windows title! Read the rest of this entry »