to the administrator / moderator(s) of this site... granted i have only posted on this site two (2) times, however 695+ people have viewed my post(s) and no-one has replied...??? am i posing my questions in the "wrong area"???
as is inevitable, time and stubbornness usually answer one's questions for them lol
the answer to my first question posed in post 1 was simple... BUY ANOTHER COMPUTER... i did and everything works perfectly now...
the answer to my second question posed in post 2 ended up being simple as well... (thank the godz that the password was a simple one =) had it been seven (7) characters or more using a combination of alpha numerics, and specials, i probably would not have been able to break the AES-256 bit encryption. as it was a brute force / xeive attack cracked the encryption in a little over 36 hours... (a side note to those of you that may want to try to get into the file, the zip file itself is corrupted, let alone the file inside being encrypted)
having said that lol, i have another computer forensic question for any gurus that may be lurking 
a few of the students in this program and i actually "stumped" the forensic expert(s) / lawyer(s) that run said program recently... the only answer we got from them was a "stumbling", "you did what???" that's really cool but i don't think it is "legally forensically sound"...
what we did was take the bit-stream ISO image from FTK imager, and use it to virtually recreate the target machine using VMware...
i understand their argument when they say if you even touch the virtual recreation you have compromised the "evidence"... and having done that any discovery will not stand up in a court of law...
but my point is this... the examiner / investigator can ALWAYS simply reset the virtual recreation of the target machine back to its original state, regardless of what they do with it...
given this fact, the virtually recreated target machine meets the scientific criteria of being able to REPRODUCE YOUR RESULTS...
having said this, wouldn't it be much simpler for the expert witness to explain to the "lay client or juror" that is not so tech savvy, what the suspect has done by pointing and clicking to where the "demonstrative evidence" resides, rather than trying to explain in layman's terms the intricacies of known forensic tools such as FTK or Encase???
all-right sorry for being so long winded... i guess what i'm asking is, is it possible to "image a virtual machine" so that the same SHA-1 and MD5 hash values found in the original image, are returned from the image of the virtually recreated "target machine"???
peace,
Gabrielelohim
Last edited on Wed Apr 30th, 2008 09:58 am by Gabrielelohim
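The hash comparison the question above turns on, as an added example that is not part of the original post: the acquired image is hashed with MD5 and SHA-1, a writable working copy stands in for the virtual machine's disk, and the hashes are compared after a simulated boot and after a reset. The file names, the `simulate_boot` helper and the 64 KiB sample image are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile

def image_hashes(path, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests of an image, read in one streaming pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def fresh_working_copy(evidence, workdir):
    """Create (or reset) the writable copy that the virtual machine would use."""
    working = os.path.join(workdir, "working.img")  # hypothetical file name
    shutil.copyfile(evidence, working)               # copies content, not permissions
    return working

def simulate_boot(working):
    """Stand-in for booting the copy: a guest OS writes to its disk at startup."""
    with open(working, "r+b") as fh:
        fh.seek(512)
        fh.write(b"guest wrote here")

def demo():
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "evidence.img")
        with open(evidence, "wb") as fh:             # constructed 64 KiB sample image
            fh.write(bytes(range(256)) * 256)
        os.chmod(evidence, 0o444)                    # evidence is only ever read
        acquired = image_hashes(evidence)            # values recorded at acquisition

        working = fresh_working_copy(evidence, workdir)
        simulate_boot(working)
        after_boot = image_hashes(working)           # the touched copy no longer matches

        working = fresh_working_copy(evidence, workdir)  # "reset" the VM disk
        after_reset = image_hashes(working)

        evidence_unchanged = image_hashes(evidence) == acquired
        os.chmod(evidence, 0o644)                    # allow temp-dir cleanup everywhere
        return {"acquired": acquired, "after_boot": after_boot,
                "after_reset": after_reset, "evidence_unchanged": evidence_unchanged}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
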