Begin forwarded message:
> From: Brian Carrier <carrier(a)digital-evidence.org>
> Date: March 2, 2010 10:57:02 AM EST
> Subject: [linux_forensics] Interested in a Sleuth Kit and Open Source Forensics Users Conference?
>
> We are thinking about hosting the first ever Sleuth Kit and Open Source
> Forensics Users Conference this year on June 9 in Chantilly, VA (USA).
> It would be held in conjunction with the Basis Technology Government
> Users Conference (but it will be open to non-Government users). The goal
> of the conference would be to announce some new Sleuth Kit features,
> learn about how Sleuth Kit is integrated into other tools, learn about
> other open source forensics tools, and get some ideas on future
> directions of the tools.
>
> We have commitments from some companies who are willing to talk about
> how they are using TSK and I next wanted to get an idea about who was
> interested in attending or giving a presentation. Can you send me an
> e-mail (off list) if you would be interested in attending or presenting?
> If there is enough interest, then we'll see you in June!
>
> For those who want more location details, here is a link to the Basis
> conference site:
> http://www.basistech.com/conference/2010/directions.html
>
> thanks,
> brian
>
Just out of curiosity, was there message text in this email? I didn't
get it for some reason...
> Date: Mon, 1 Mar 2010 09:31:42 -0600
> From: "Schroeder, William" <William.Schroeder(a)cmegroup.com>
> Subject: [Vol-users] connscan ouput question
> To: "vol-users(a)volatilityfoundation.org" <vol-users(a)volatilityfoundation.org>
> Message-ID:
> <B61619049B3B8049A5F883C2822A080C0E11583318(a)SMAPEXMBX2.prod.ad.merc.chicago.cme.com>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Skipped content of type multipart/alternative
I think I know the answer to this, but I want to be certain.
I captured live memory with FTK Imager Lite (Current version)
I am now trying to examine the memory, and receive:
commandme : python volatility connections -f memdump.txt
/work/Volatility-1.3_Beta/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
import sha
Usage: connections [options] (see --help)
volatility: error: Unable to load image. Possible causes: invalid dtb, wrong image type, unsupported image type.
I suspect that FTK doesn't create a linear image.
I tried this on a Mac and WIndows.
If this is correct, does anyone know of an open source tool I can analyze this ftk memory dump with? I can't recreate another.
I tried wmft_0.2 but I think that this tool is in the early stages of development. I was only able to pul a lit of drivers with it.
-- Bruce D. Meyer
Analysis & Encryption
(803) 896-0469
(803) 896-1650 (SOC)
My Key Fingerprint is:
8BC3 14B5 CE77 3C83 F4A7
5353 3F27 97FF 0591 44F9
-------------------------
South Carolina Information Sharing and Analysis Center (SC-ISAC)
Department of State I.T. (D.S.I.T)
http://sc-isac.sc.gov
~-~-~-~-~-~-~-~-~-~-~-~-~-
Upload your PGP public key, download or verify mine at:
http://keys.cio.sc.gov<http://keys.cio.sc.gov/>
Has any one seen the following on the output from connscan? The connections are both external and the PID is impossibly high.
73.0.83.0:20992 69.0.71.0:21504 6029401
