In digital forensics, there are two types of acquisition:

  1. Static acquisition: the preferred way to collect digital evidence from a powered-off computer seized, for example, during a police raid.
  2. Live acquisition: the way to collect digital evidence when the computer is powered on and the suspect is logged in. This type is preferred when the hard disk is encrypted with a password, since the decrypted volume is only reachable while the system is running.

For both types, there are four methods of collecting data:

  1. Creating a disk-to-image file: the most common method. It lets the investigator make one or many bit-for-bit replicas of the original drive, and the resulting image files can be read by any of the usual forensic tools, such as ProDiscover, EnCase, FTK, X-Ways, ILook, SMART, and Sleuth Kit.
  2. Creating a disk-to-disk copy: used when disk-to-image imaging fails because of hardware or software incompatibilities. The entire disk is copied onto another disk with a tool such as EnCase or SafeBack; these tools can adjust the target disk’s geometry to match the original drive.
  3. Creating a logical disk-to-disk or disk-to-data file: the preferred method for very large storage such as RAID servers. It captures only the specific files or file types of interest to the case, and is used when time is limited.
  4. Creating a sparse copy of a folder or file: similar to a logical acquisition, but it also collects fragments of deleted (unallocated) data. It is used when the investigator does not need to examine the whole drive.
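As an added illustration of the disk-to-image method (this is not code from the original post or from the GCFI text), the following shell script images a source bit for bit with dd, hashes both source and image, records the hash in an acquisition log, and can re-verify the image later. A regular file of random bytes stands in for the source device so that it runs offline; the function names, the log format and the 512-byte block size are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post or the GCFI text: a minimal
# bit-for-bit disk-to-image acquisition with hash verification and a log
# entry. A regular file stands in for the source block device so this runs
# offline; in a real case SRC would be a device node (for example /dev/sdb)
# reached through a hardware write blocker.

# hash_file FILE -> prints the SHA-256 hex digest of FILE
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire_image SRC IMG LOG
# Copies SRC to IMG bit for bit, hashes both sides, appends one line to LOG,
# and returns 0 only when the two hashes agree (the image is a faithful
# replica). A non-zero return means the image must not be used as evidence.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    # bs=512 matches the sector size, so conv=sync never pads the tail of a
    # real device; conv=noerror keeps reading past bad sectors (zero-filled)
    # instead of aborting the whole acquisition.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    printf '%s src=%s img=%s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG EXPECTED_SHA256 -> 0 if the image still hashes to the value
# recorded at acquisition time; run this before every examination session.
verify_image() {
    [ "$(hash_file "$1")" = "$2" ]
}

# make_sample_source PATH: constructed 64 KiB "device" of random bytes
# (a multiple of the 512-byte sector size, like any real disk).
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=512 count=128 2>/dev/null
}

demo() {
    work=$(mktemp -d)
    make_sample_source "$work/evidence.raw"
    if acquire_image "$work/evidence.raw" "$work/evidence.dd" "$work/acquisition.log"; then
        echo "acquisition verified"
    else
        echo "hash mismatch: image rejected"
    fi
    h=$(hash_file "$work/evidence.dd")
    printf 'x' >> "$work/evidence.dd"   # simulate an accidental modification
    verify_image "$work/evidence.dd" "$h" && echo "still intact" || echo "image altered since acquisition"
    cat "$work/acquisition.log"
    rm -rf "$work"
}

case "${1:-}" in demo) demo ;; esac
```

Run `sh acquire.sh demo` to see a verified acquisition followed by a detected modification. The hash written at acquisition time is what every later examiner compares against; a mismatch means the image cannot be relied on, whichever of the four methods produced it.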

To determine the appropriate acquisition method, the investigator must consider the following:

  1. The size of the source disk.
  2. Whether the source disk can be retained as evidence or must be returned to the owner.
  3. The time available to perform the acquisition.
  4. The location of the evidence.


Source: GCFI, 4th ed., Ch. 4

I would recommend Python 2.7 on all local machines.

I suspect everyone is already ok?

[root@apu etc]# python2.7 -V
Python 2.7.3

Instructions for the Python 2.7 install on Windows 7, Ubuntu and Mac will be on another page.

Because of CentOS 6.3 on the cluster machines, we need both 2.6 and 2.7 to coexist there. Hopefully only there.

CentOS relies on Python 2.6 for yum.

If you install Python 2.7 in any way other than the following, you will destroy the system and make yum inoperable.

The zlib failure message may come from internal Python scripts doing decompression, which may refer to Python module files rather than looking at the links directly. Not sure.

I believe only the x86_64 zlib is needed, i.e. you don't need both 32-bit and 64-bit; just follow these instructions. They worked on apu.0xdata.loc on 9/28/2012.

To check the CentOS version:

[root@apu etc]# cat /etc/redhat-release
CentOS release 6.3 (Final)

How to install Python 2.7.3 on CentOS 6.2 (worked for 6.3, which is the 0xdata install version)

Stolen from Daniel Eriksson. Thanks Daniel!

Posted on 2012/06/25

CentOS 6.2 ships with Python 2.6.6 and depends on that specific version. Be careful not to replace it or bad things will happen. If you need access to a newer version of Python you must compile it yourself and install it side-by-side with the system version.

Here are the steps necessary to install Python 2.7.3. The procedure is exactly the same for installing Python 3.2.3, just make sure you use the command “python3.2 install” when you install distribute.

Execute all the commands below as root. Either log in as root temporarily or use sudo.

Install development tools

In order to compile Python you must first install the development tools:

yum groupinstall "Development tools"

You also need a few extra libs installed before compiling Python or else you will run into problems later when trying to install various packages:

yum install zlib-devel
yum install bzip2-devel
yum install openssl-devel
yum install ncurses-devel

Download, compile and install Python

cd /opt
wget https://www.python.org/ftp/python/2.7.3/Python-2.7.3.tar.bz2
tar xf Python-2.7.3.tar.bz2
cd Python-2.7.3
./configure --prefix=/usr/local
make && make altinstall

It is important to use altinstall instead of install, otherwise you will end up with two different versions of Python in the filesystem both named python.

After running the commands above your newly installed Python 2.7.3 interpreter will be available as /usr/local/bin/python2.7 and the system version of Python 2.6.6 will be available as /usr/bin/python and /usr/bin/python2.6.

You can create a symbolic link in /usr/local/bin and things should be fine. Be careful here:

cd /usr/local/bin
ls -ltr python*
ln -s /usr/local/bin/python2.7 /usr/local/bin/python

Installing and configuring distribute (setuptools)

After installing Python 2.7.3 you also need to install distribute (setuptools) so you can easily install new packages in the right location.

cd /opt
tar xf distribute-0.6.27.tar.gz
cd distribute-0.6.27
python2.7 setup.py install

The commands above will generate the script /usr/local/bin/easy_install-2.7. Use this script to install packages for your new Python version. You should be able to use “easy_install” if “which easy_install” points to the correct 2.7 version:

which easy_install
ls -ltr /usr/local/bin/easy_install*

easy_install-2.7 requests
easy_install-2.7 psutil
easy_install-2.7 paramiko

(easy_install should work too, if your PATH has /usr/local/bin first.)
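A check worth running once the steps above are done, given here as an added example (not from the original post or from Daniel Eriksson's article): it confirms that the system interpreter yum needs still reports 2.6, that the new build answers as python2.7, that the extension modules which depend on the -devel packages actually got built, and that yum still runs. The function names are this example's own; the default paths and version numbers are the ones the text gives, and every one of them can be overridden by argument.

```shell
#!/bin/sh
# Added example, not part of the original post or Daniel Eriksson's article:
# post-install sanity checks for a side-by-side Python build on CentOS 6.

# py_version INTERPRETER -> prints "major.minor"; non-zero if it cannot run
py_version() {
    "$1" -c 'import sys; sys.stdout.write("%d.%d\n" % sys.version_info[:2])' 2>/dev/null
}

# check_modules INTERPRETER MODULE... -> 0 only if every module imports.
# zlib, bz2, ssl and curses are the ones silently left out of the build when
# zlib-devel, bzip2-devel, openssl-devel or ncurses-devel were missing.
check_modules() {
    py="$1"; shift
    for m in "$@"; do
        "$py" -c "import $m" 2>/dev/null || { echo "missing module in $py: $m"; return 1; }
    done
}

# check_side_by_side [SYS_PY] [SYS_VER] [NEW_PY] [NEW_VER] [MODULES]
# Defaults are the layout described in the text above.
check_side_by_side() {
    sys_py="${1:-/usr/bin/python}";          sys_ver="${2:-2.6}"
    new_py="${3:-/usr/local/bin/python2.7}"; new_ver="${4:-2.7}"
    modules="${5:-zlib bz2 ssl curses}"

    # 1. The interpreter yum depends on must be untouched.
    v=$(py_version "$sys_py") || { echo "system interpreter not runnable: $sys_py"; return 1; }
    [ "$v" = "$sys_ver" ] || { echo "$sys_py is $v, expected $sys_ver: yum may be broken"; return 1; }

    # 2. The new build must answer under its versioned name (altinstall).
    v=$(py_version "$new_py") || { echo "new interpreter not runnable: $new_py"; return 1; }
    [ "$v" = "$new_ver" ] || { echo "$new_py is $v, expected $new_ver"; return 1; }

    # 3. Extensions that need the -devel packages must have been built.
    check_modules "$new_py" $modules || return 1

    # 4. yum is the first consumer to break if the system Python was replaced.
    if command -v yum >/dev/null 2>&1; then
        yum --version >/dev/null 2>&1 || { echo "yum no longer runs"; return 1; }
    fi
    echo "ok: $sys_py ($sys_ver) and $new_py ($new_ver) coexist"
}

case "${1:-}" in check) check_side_by_side ;; esac
```

On the cluster machine, `sh check_python.sh check` runs the checks with the defaults; a non-zero exit and a one-line reason tell you which of the four conditions failed, which is far cheaper than discovering a broken yum at the next package update.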




Great article: wp-using-cookiedigger-web-session-mgmt.pdf

HOW TO: Track what changes are made on your computer during a program installation.

Ever wanted to know exactly what changes (file and registry) the program you are installing is making on your computer? Ya, I have too. Well, this guide is intended to teach you how to do that.

What you need

  • Zsoft Uninstaller (free download; see below)
  • Difficulty: Very Easy

Advance Notice

  • Be warned that this method can be a bit slow – 2-3 mins per install, depending on your computer.


Zsoft Uninstaller is a program that improves upon the normal Windows uninstallation methods; it helps you remove all traces of the installed program, including registry changes and leftover files. However, I am not telling you to download Zsoft Uninstaller for its ability to uninstall programs. I am telling you to download Zsoft Uninstaller because of its feature to analyze installations.

You see, the way Zsoft Uninstaller works is that, to ensure full removal of a program, you can ‘analyze’ and record the changes that the installer makes on your computer. Zsoft tracks not only file changes but also registry changes; it will tell you exactly where a new file was added, or from where a file was deleted. Same thing with the registry. All you do is scan your computer before you install the program and scan it again after you install the program. Zsoft compares the two scans and stores the differences, giving you the ability to view them whenever you want. It is this analyzing feature that we are interested in.


First download and install Zsoft Uninstaller. This is a ‘no duh’ step, but as my C++ teacher said – never underestimate the power of human stupidity. Not saying that whoever is reading this is stupid – far from it. In fact whoever is reading this is an enlightened genius. But you get the point right? 😀

All the steps from now onwards have to be repeated every time you want to track the changes made by a particular program during installation.

Run/start Zsoft uninstaller. Click on the ‘Analyze’ button up top:

In the window that pops up, make sure “Analyze an installation” is selected and hit “Next”:

At the next screen, select which hard drives will be affected by the installation of your program (the C drive plus the one you are going to install into). If you don’t know which drive to check, chances are you are going to install into your C drive, so leave just the C drive checked. Hit “Before installation”:

This will start a scan of your computer. Wait for the scan to finish. How long it takes will depend on your computer. Yes I know it is kind of slow. After the scan is finished leave this window open and normally install your program. After you have installed your program, run it once for good measure. After that, open up the Zsoft window and hit “After installation”:

You will then be prompted with a window to enter a name for the software you installed:

The name can be anything you want, but make sure to make it meaningful so you will be able to recognize what software it was that you installed by looking at the name. Hit “OK” after you are done. Zsoft will again start to scan your computer. Wait for the scan to finish. After the scan is finished, Zsoft will automatically compare the two scans and try to find the differences. Wait until you see this window:

Hit “OK” and you will be brought back to the main program window. From that window, click on the “Analyzed Programs” tab:

You should now see the program you just analyzed. I had analyzed CHM Editor and named it CHM Editor, therefore you will see CHM Editor in my screenshot. Right click on this program and click on “Show Recorded Info”:

A window will open up that lists all the changes that were made to your computer during the installation of the program you selected. The changes include both file changes and registry changes. However, from this window you are unable to search the changes to find a specific one you are looking for (I am talking about Ctrl + F search). So, what you need to do is click on the blue button located in the top left corner:

This will allow you to save all the changes made into a .txt file. Name the .txt file whatever you want and save it. After you have saved the .txt file, browse to the .txt file and open it. You will now be able to search all the changes with Ctrl + F.

That is it. As I said earlier, you will have to go through this process every time you want to track the changes made by an installation.

Before I end this post, I would like to say you are welcome to use Zsoft Uninstaller to uninstall your programs also – Zsoft is pretty decent in that area although I found it to be rather annoying. However, my recommendation would be to use RevoUninstaller to uninstall programs and just keep Zsoft for its analyzing abilities.
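The before-and-after comparison Zsoft performs can be reproduced by hand on any system. The following shell script is an added example (not Zsoft's code and not part of the original post); it generalizes the file-change half of the technique to a Linux directory tree: snapshot the tree, install, snapshot again, then diff the two listings into ADDED, MODIFIED and DELETED lines that can be saved to a .txt file and grepped, just as the post does with Ctrl + F. The registry half has no equivalent here. The function names and the sample tree are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post and not Zsoft's own code:
# the same before/after technique, done by hand on a directory tree with
# find and sha256sum. Covers added, deleted and modified files only.

# Pick a SHA-256 tool (GNU coreutils sha256sum, or shasum on BSD/macOS).
if command -v sha256sum >/dev/null 2>&1; then HASHER=sha256sum; else HASHER="shasum -a 256"; fi

# snapshot DIR OUT
# Writes one "hash  ./relative/path" line per regular file under DIR.
# Paths are relative to DIR so the two snapshots compare cleanly.
snapshot() {
    (cd "$1" && find . -type f -exec $HASHER {} +) > "$2"
}

# diff_snapshots BEFORE AFTER
# Prints ADDED / DELETED / MODIFIED lines, sorted, one per changed path.
# Limitation: like sha256sum's text output, this assumes paths without
# whitespace; use find -print0 and a NUL-aware hasher for hostile names.
diff_snapshots() {
    awk 'FILENAME == ARGV[1] { before[$2] = $1; next }
         {
             if (!($2 in before))        print "ADDED    " $2
             else if (before[$2] != $1)  print "MODIFIED " $2
             seen[$2] = 1
         }
         END { for (p in before) if (!(p in seen)) print "DELETED  " p }' "$1" "$2" | sort
}

# count_changes BEFORE AFTER -> number of changed paths
count_changes() {
    diff_snapshots "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_tree DIR: constructed sample "system" used by the demo and test.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/etc"
    printf 'old binary\n' > "$1/bin/tool"
    printf 'setting=1\n'  > "$1/etc/app.conf"
    printf 'leftover\n'   > "$1/etc/stale.conf"
}

# simulate_install DIR: the "installation" whose footprint we want to see.
simulate_install() {
    printf 'new binary\n' > "$1/bin/tool"     # modified
    printf 'helper\n'     > "$1/bin/helper"   # added
    rm -f "$1/etc/stale.conf"                  # deleted
}

demo() {
    work=$(mktemp -d)
    make_sample_tree "$work/root"
    snapshot "$work/root" "$work/before.txt"
    simulate_install "$work/root"
    snapshot "$work/root" "$work/after.txt"
    # Save the report as a .txt so it can be searched later.
    diff_snapshots "$work/before.txt" "$work/after.txt" | tee "$work/changes.txt"
    rm -rf "$work"
}

case "${1:-}" in demo) demo ;; esac
```

`sh snapshot_diff.sh demo` prints the three expected lines. For a real install you would snapshot the directories the installer is likely to touch (its target directory plus the system and configuration trees), install, snapshot again, and keep the diff with the installer's own hash so the footprint can be compared against a later run of the same package.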


Aside  —  Posted: May 8, 2013 in Defense, Misc

Sending files between Linux machines

Posted: April 20, 2013 in Misc

For a single file, try the “scp” command. You can use this as a “push” or a “pull” command, but let’s start with pushing the file to the other server. While on alice, use the command “scp myfile fieldmouse@madhat:thatfile”. This will copy the file over to the other system, into the fieldmouse userid, with the name “thatfile”. If you were logged in on the other system, you could just as easily pull the file with the command “scp rabbit@alice:myfile thatfile”, and get the same results.