
Computer Forensics - Analyzing Exchange and mbox e-mail files using Free and Open Source Software


Analyzing Exchange and mbox e-mail files using Free and Open Source Software

Mike Harrington, CFCE EnCE, linuxchimp@gmail.com, Innovative Digital Forensic Solutions, L.L.C.
Mark Lachniet, CISA CISSP, mlachniet@analysts.com, Analysts International


http://www.forensicfocus.com/index.php?name=Content&pid=65&page=1 (1 of 6) [24/11/2010 02:45:20 p.m.]

Table of Contents

1. Document Overview
2. LIBPST/LIBDBX
3. Locating Exchange .dbx/.pst Files
  3.2 Locating files in the filesystem
    3.2.1 Deleted Files
    3.2.2 Allocated Files
  3.3 Exporting from Exchange
4. Converting .dbx/.pst files
5. Viewing decoded .dbx/.pst files with Thunderbird
6. Converting to HTML with MHONARC
7. Bonus Ideas
  7.1 Converting Eudora e-mail
  7.2 Converting UNIX e-mail
  7.3 Importing mbox into other e-mail clients
  7.4 Using uudeview to extract attachments
  7.5 Carving for .eml and using eml2mbox for conversion
8. Summary

1. Document Overview

E-mail is everywhere, and the digital forensic examiner is often faced with the task of searching e-mail for evidence of wrongdoing. This paper outlines a simple methodology for using free and open source tools to convert Microsoft Outlook or Outlook Express files into the flat mbox format, which can then be imported manually into the Mozilla Thunderbird e-mail client for viewing, or manipulated with other useful scripts. This document is really just a primer for basic e-mail analysis and is intended to be a living document. If you have any questions, comments or suggestions (including sections that you think should be added!) please contact the authors directly.

The paper is divided into several sections. Section two details installing Libpst and Libdbx, the libraries used to convert the Outlook and Outlook Express files. Section three deals with finding the .dbx or .pst e-mail files. Section four details converting the found .dbx or .pst files into the flat mbox format using the readdbx and readpst tools compiled in section two. The fifth section covers how to import these converted files into the Mozilla Thunderbird e-mail client for viewing. The sixth section discusses how to parse mbox files into threaded HTML documents and extract attachments for easy searching and manipulation. The last section discusses other useful tools and tricks that could be of use to the examiner.

Throughout this paper the examples are based on my forensic laptop, an AMD64 machine running Gentoo with an x86_64 2.6.12 kernel. The examples should work exactly the same on x86 machines, or on other UNIX-type systems in general.

2. LIBPST/LIBDBX

The readdbx and readpst executables are built from the Libdbx and Libpst source code respectively. You can find the source for both at the following site:

http://sourceforge.net/project/showfiles.php?group_id=18756&release_id=117314

(Of course, on Gentoo one only needs to run 'emerge libdbx' or 'emerge libpst'... ;-)

Once you've downloaded the source to a location of your choice (in this case I've downloaded it to '/usr/local/forensicapps') you need to untar and unzip the archives.

chimp forensicapps# tar xvzf libdbx_1.0.3.tgz
chimp forensicapps# tar xvzf libpst_0.3.4.tgz

Then change into the directory for libdbx and build it.

chimp forensicapps# cd libdbx_1.0.3
chimp libdbx_1.0.3# make

You should now have a file called readdbx in this directory. Make sure it's executable by issuing the following command:

chimp libdbx_1.0.3# chmod +x readdbx

Now move the executable to a directory in your path, such as /usr/local/bin.

chimp libdbx_1.0.3# mv ./readdbx /usr/local/bin

Repeat the same steps (untarring, unzipping and compiling) for libpst. You will then have a file named readpst, which you can make executable by the method described above. Move it into a directory in your path as well. That's it! You can now move on to the next section, which details the .dbx and .pst files that you want to convert.

3. Locating Exchange .dbx/.pst Files

The next required step is to find the e-mail files (mailboxes) that you want to analyze. To do this, you can either find a copy on the client workstation, or export them from an Exchange server.

3.2 Locating files in the filesystem


3.2.1 Deleted Files

First of all, you should determine whether or not there may be copies of e-mail DBX and PST files in the deleted and slack portions of the file system. You may wish to use an automated forensic program such as SMART (http://www.asrdata.com/tools/) to see if it is possible to recover any older, deleted files. SMART can also be used to extract pure unallocated data for you to concentrate on exclusively. Remember, deleted files may contain the "smoking gun" you are looking for!

The way we'll cover here is by using the Foremost carving tool (http://foremost.sourceforge.net). Since we can't assume that everyone is using a distro with a decent package management tool (Gentoo anyone?), let's grab the source and compile it ourselves (remember to check the md5sum of the download). Now with the source downloaded, let's extract it (I've downloaded the source to my temp directory).

chimp temp# tar xvzf foremost-069.tar.gz

chimp temp# cd foremost-069
chimp foremost-069# cat README | less
chimp foremost-069# make && make install

This extracts the gzipped tar archive; reading the README file will tell you how to compile and install it ('make && make install'). One thing to note is that the foremost.conf file, which contains the header and footer signatures for the file types you want to carve, needs to be in the directory you run foremost from. Take a peek inside foremost.conf to see how it's formatted and what types of files are already supported. For our purposes simply open foremost.conf in a text editor and uncomment (erase the '#' at the beginning of the line) the .dbx (or .mbx, .pst) line. They are located in the Microsoft Office section.

chimp bin# nano -w foremost.conf

Now with that done you need to run foremost over your image files. Foremost requires an empty directory in which to dump the files it finds. It also keeps an audit of the files it finds and the offset in the image file where they were found. What if you have multiple image segments? No worries, mate! One of the cool things foremost can do is create output directories on the fly, so let's just write a script to take care of our multiple segments. First make the initial output directory (you could script this as well... ;-)).

chimp evid# mkdir carvdbx

Now the script:

#!/bin/bash
x=0                                   # this sets a counter
for i in /your/image/dir/*            # this loops through your segments
do
    foremost -v "$i" -o /your/output/dir$x   # this carves with verbose output turned on and outputs to your dir
    x=$(expr $x + 1)                  # this increments the value of 'x' by one
done

With the files carved, proceed on...

3.2.2 Allocated Files

The most common location for .dbx files (on a Windows XP box) is the following path:

C:\Documents and Settings\$USER\Local Settings\Application Data\Identities\{GUID}\Microsoft\Outlook Express

Common .dbx files you might see in this location include Inbox.dbx, Sent Items.dbx and Drafts.dbx. There might be others as well. Simply copy these files out to a directory on your mounted forensic drive (in my example my suspect NTFS partition is mounted read-only at '/mnt/win').

chimp ~# cp /mnt/win/"Documents and Settings"/$USER/"Local Settings"/"Application Data"/Identities/{GUID}/Microsoft/"Outlook Express"/*.dbx /mnt/evidence/e-mail/dbx/

If you want to make sure you're not missing any .dbx files you can use the find command to locate the .dbx files and copy them over to your forensic directory.

chimp ~# find /mnt/win -type f -name "*.dbx" -print -exec cp '{}' /mnt/evidence/e-mail/dbx \;

Passing the '-print' parameter to the find command gives you a nice output of what is being found and copied over. Omit it to suppress the output. Be aware that this copies everything into one flat directory, so an Inbox.dbx found under a second identity or user profile will overwrite the first one; keep the source paths (or copy into per-identity subdirectories) if more than one profile is present. The procedure for finding .pst files is exactly the same. The default location for .pst files on a Windows XP box is the following path:

C:\Documents and Settings\$USER\Local Settings\Application Data\Microsoft\Outlook\

Got all that? Good. Now we can progress onto the next section where we detail how to convert our newly found files into a flat mbox format that can be easily imported into the Thunderbird e-mail client.
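The two collection steps above (carving image segments with foremost, then copying the allocated .dbx/.pst files out of the mounted partition) can be combined into one script. The following is an added example written for this edition, not code from the paper or from the foremost/libdbx projects. It assumes a directory of image segments, a read-only mount point, a hypothetical file name collect.sh, a segment<N> naming scheme for the per-segment output directories, and an optional $FOREMOST override for the path to the foremost binary; it must be run from the directory holding your edited foremost.conf. Unlike the paper's one-liner it gives every segment its own empty output directory (foremost insists on one), preserves the source path of each copied mailbox so files with the same name from different identities cannot overwrite each other, and verifies every copy's md5 against the original, writing a manifest that md5sum -c can re-check later.

```shell
#!/bin/sh
# Added example (not code from the paper): gather candidate mailbox files in
# two passes. carve_segments runs foremost once per image segment, each into
# its own fresh output directory (foremost refuses a non-empty one), and
# collect_mailfiles copies allocated .dbx/.pst files out of a read-only
# mount while keeping their relative paths and recording a verified md5
# manifest. The directory layout, the segment<N> naming and the $FOREMOST
# override are assumptions for this example; run it from the directory that
# holds your edited foremost.conf.

# carve_segments SEGMENT_DIR OUTPUT_BASE
# Prints the number of segments carved; exits non-zero on the first failure.
carve_segments() {
    segdir=$1; outbase=$2; x=0
    mkdir -p "$outbase" || return 1
    for img in "$segdir"/*; do
        [ -f "$img" ] || continue
        outdir="$outbase/segment$x"
        if [ -e "$outdir" ]; then
            # never carve into a directory that already holds an audit
            echo "refusing to reuse $outdir" >&2
            return 1
        fi
        mkdir "$outdir" || return 1
        # verbose foremost output is kept per segment instead of on the terminal
        "${FOREMOST:-foremost}" -v -o "$outdir" "$img" \
            > "$outbase/segment$x.log" 2>&1 || return 1
        x=$((x + 1))             # POSIX arithmetic, no expr/backticks needed
    done
    echo "$x"
}

# collect_mailfiles MOUNT DEST
# Copies every allocated .dbx/.pst below MOUNT to DEST/<path relative to
# MOUNT>, so Inbox.dbx from two identities cannot overwrite each other,
# checks each copy's md5 against the source and appends it to
# DEST/manifest.md5 in md5sum -c format. Prints the number of files copied.
collect_mailfiles() {
    mnt=${1%/}; dest=$2
    mkdir -p "$dest" || return 1
    : > "$dest/manifest.md5"
    find "$mnt" -type f \( -iname '*.dbx' -o -iname '*.pst' \) -print |
    while IFS= read -r src; do
        rel=${src#"$mnt"/}
        mkdir -p "$dest/$(dirname "$rel")" || exit 1
        cp -p "$src" "$dest/$rel" || exit 1        # -p keeps the timestamps
        shash=$(md5sum < "$src" | cut -d' ' -f1)
        dhash=$(md5sum < "$dest/$rel" | cut -d' ' -f1)
        if [ "$shash" != "$dhash" ]; then
            echo "hash mismatch while copying $rel" >&2
            exit 1
        fi
        printf '%s  %s\n' "$dhash" "$rel" >> "$dest/manifest.md5"
    done || return 1
    grep -c . "$dest/manifest.md5"       # exits 1 if nothing was found
}

# Usage: collect.sh carve SEGMENT_DIR OUTPUT_BASE
#        collect.sh copy  MOUNT DEST
if [ $# -gt 0 ]; then
    case $1 in
        carve) carve_segments "$2" "$3" ;;
        copy)  collect_mailfiles "$2" "$3" ;;
        *)     echo "usage: $0 carve SEGMENT_DIR OUTPUT_BASE | copy MOUNT DEST" >&2; exit 2 ;;
    esac
fi
```

The manifest doubles as a record for your notes: after the case is copied elsewhere, `cd DEST && md5sum -c manifest.md5` confirms that nothing changed in transit.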

3.3 Exporting from Exchange

In the event that you don't have access to a user's workstation, but do have administrator access to the Exchange server, you may be able to export a user's data to a PST file using the ExMerge program. To download this file, refer to:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=429163ec-dcdf-47dc-96da-1c12d67327d5

According to the documentation contained in this download, "You can use the program to extract data from one or more Exchange mailboxes into .pst files". You may wish to run this program if you have to recover some very old data, perhaps as part of a legal discovery process. For example, if all that exists within an organization are backup tapes, you may have to build up a server, restore from tape, and then use the ExMerge program to extract that user's old e-mail spool to a PST file for analysis.

4. Converting .dbx/.pst files

OK, so you've found your files and copied them over to the forensic directory of your choice. It's now time to convert those bad boys into a flat mbox format that can be easily imported into the Mozilla Thunderbird e-mail client or parsed with handy tools. First change into the directory you copied the files into.

chimp ~# cd /mnt/evidence/e-mail/dbx

Now make a directory for your decoded .dbx files.

chimp dbx# mkdir ../decoded

After doing this it's time to convert the files into our mbox format. We accomplish this with a little for loop in our /mnt/evidence/e-mail/dbx directory.

chimp dbx# for X in *.dbx; do /$pathto/readdbx -f "$X" -o /$pathof/forensic/directory/"$X.$$"; done

Make sure to put the path to your evidence and forensic directory in the above. The '.$$' appends the process ID of the current shell to the file name (not strictly needed, but I put it there to identify the decoded files). Now you should have the decoded files in your forensic directory. If you received errors from readdbx or readpst while decoding the files, check whether the decoded files are empty. Double-check whether the original files are empty as well.

The procedure for decoding .pst files is similar to the above. The only real change we need to make is to put the output file option before the .pst file, as shown below.

chimp dbx# for X in *.pst; do /$pathto/readpst -o /$pathto/forensicdir/"$X.$$" "$X"; done

Sweet! Now we are all decoded and ready to move onto other tools.
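The paper's advice after a conversion error is to check whether the decoded files are empty and whether the originals were empty too. The following is an added example written for this edition, not code from the paper or from the libdbx project; it wraps the readdbx loop above in a function and then checks every output in the decoded directory, counting messages by the mbox "From " separator and comparing against the source file so that "empty because the source was empty" is reported differently from "source had data but nothing came out". The source/output layout, the <name>.<pid> naming (the paper's "$X.$$") and the $READDBX override for the path to the readdbx binary are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not code from the paper): run readdbx over a directory of
# .dbx files and then sanity-check what came out, so a failed conversion is
# noticed before the files are imported into Thunderbird. The <name>.<pid>
# output naming and the $READDBX override are assumptions for this example.

# mbox_message_count FILE
# Number of messages in an mbox, counted as lines beginning with "From "
# (the mbox separator). Prints 0 for an empty file.
mbox_message_count() {
    grep -c '^From ' "$1" || true
}

# convert_dbx_dir SRC_DIR OUT_DIR
# Runs readdbx on every *.dbx in SRC_DIR, writing OUT_DIR/<name>.<pid>.
# A failure on one file is reported, and the loop carries on with the rest.
convert_dbx_dir() {
    src=$1; out=$2
    mkdir -p "$out" || return 1
    for f in "$src"/*.dbx; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        "${READDBX:-readdbx}" -f "$f" -o "$out/$name.$$" ||
            echo "readdbx failed on $name (exit $?)" >&2
    done
}

# check_decoded OUT_DIR SRC_DIR
# Prints one line per decoded file: "<name> <bytes> <messages> <verdict>".
# Returns 1 if any output has no messages although its source was not empty.
check_decoded() {
    dec=$1; src=$2; bad=0
    for f in "$dec"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        orig=${name%.*}                  # strip the ".<pid>" suffix again
        bytes=$(wc -c < "$f" | tr -d ' ')
        msgs=$(mbox_message_count "$f")
        if [ "${msgs:-0}" -gt 0 ]; then
            verdict=ok
        elif [ -f "$src/$orig" ] && [ ! -s "$src/$orig" ]; then
            verdict=empty-source         # nothing to convert; not an error
        else
            verdict=FAILED               # source had data, output has none
            bad=1
        fi
        printf '%s %s %s %s\n' "$name" "$bytes" "$msgs" "$verdict"
    done
    return $bad
}

# Usage: convert.sh SRC_DIR OUT_DIR   (convert, then print the check report)
if [ $# -eq 2 ]; then
    convert_dbx_dir "$1" "$2" && check_decoded "$2" "$1"
fi
```

A FAILED line is the cue to re-run readdbx on that one file by hand and read its error output, or to fall back on the carving approach from section 3.2.1 if the .dbx itself turns out to be damaged.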

5. Viewing decoded .dbx/.pst files with Thunderbird

Okay, you successfully decoded the .dbx/.pst files that you are interested in viewing, and now you want to do just that: view the files... so how do we do that? Read on, my friend...

This section assumes that you have Mozilla Thunderbird (my e-mail client of choice) installed on your system. It is beyond the scope of this paper to help you install Thunderbird on your particular system, but it should be incredibly easy. You should be able to import these decoded files into the e-mail client of your choice (in fact I tested this with Evolution and it works, and obviously the mail client in Mozilla is the same as Thunderbird).

A little side note: a good habit to get into is reinstalling a fresh copy of the OS on your forensic machine for every case you work. This assures that you have no cross-contamination of evidence. At the very least, do a fresh install of your e-mail client.

To view the decoded mail files in Thunderbird we need to do a little prep work. Fire up Thunderbird and create a new e-mail account that is going to be used to track your suspect mail. Enter a bogus SMTP and POP server etc. and name the account in a way that will make it easy for you to organize; something like... "Suspect Mail". It is also important to uncheck the "Use Global Inbox" and the "Download Messages Now" options. The account name should show up in Thunderbird with the default complement of sub-folders underneath it. Then simply copy the decoded file into your new Thunderbird "Inbox" directory.

chimp ~# cp -v /$pathto/decoded/files/inbox /$pathto/new/thunderbird/mail/inbox

Now fire up Thunderbird and the files you want to view should appear as a "folder" where you copied them. If the converted file was non-empty, the folder you copied it into should have one or more e-mails contained within it. Something I have found helpful in organizing my converted and imported suspect mail is to go into the Thunderbird directory and make directories that delineate it as the suspect's Inbox, Deleted, etc. mail.

If you are using Evolution you need to select "File" from the menu and then "Import". From there select "auto" for the import format and choose where you want to import the file.

6. Converting to HTML with MHONARC

Once you have your mbox format files, you may want to archive them in an easily searchable format, or strip off attachments in one fell swoop. One handy way of doing this is to use the MHonArc program from http://www.mhonarc.org/. This is also a very handy way to archive your *own* old e-mail so you can get your hands on old addresses, attachments, etc. without clogging up your e-mail client with gigabytes of data. Just remember to back up your mbox format files every time you upgrade a server or something, and you should be fine. I personally have years' worth of my own mbox files backed up this way, and it's very handy.

Download and install the package, and read the included instructions. In particular, you may choose to write a script to do all the conversion and so on. My script looks like the following:

#!/bin/sh -f
#
./MHonArc-2.6.10/mhonarc yourfile.mbx -add -attachmentdir /path/to/attachments \
    -folrefs -idxfname index.html -main -multipg -outdir /path/to/htmlemail -reverse

This script will open your file 'yourfile.mbx', which is your mbox formatted file, and then copy all the attachments to /path/to/attachments and all the e-mails themselves, in a threaded format, to /path/to/htmlemail. At this point, you can open either the threaded or the date-sorted HTML index files, or you can grep for interesting information using a command such as

chimp dbx# grep badstuff /path/to/htmlemail/*

to find all e-mails containing the word 'badstuff'. You should be aware of the case sensitivity of your particular grep program (with GNU grep, '-i' makes the search case-insensitive), and obviously also consider the variant spellings of keywords that are likely to match, such as p0rn, pr0n, etc. Finding a simple e-mail address, for example to cut out conversations with a particular person, is a piece of cake.
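The grep above tells you which HTML files matched, and the case-sensitivity and variant-spelling caveats still have to be handled by hand each time. The following is an added example written for this edition, not code from the paper or from MHonArc; it takes a file of keyword spellings (one extended regular expression per line, so 'p[o0]rn' covers both variants) and walks the mbox itself message by message, printing the message number, Date and Subject of every hit, case-insensitively. That list maps directly onto the threaded or date-sorted index MHonArc produced, or onto the folder in Thunderbird. The mbox layout (messages separated by lines starting with "From ") and the keyword-file format are the assumptions here.

```shell
#!/bin/sh
# Added example (not code from the paper): per-message keyword report over an
# mbox file. The keyword file holds one extended regex per line; matching is
# case-insensitive over the whole message (headers and body). These input
# formats are assumptions for this example.

# keyword_hits MBOX KEYWORD_FILE
# Prints "<msgno><TAB><Date><TAB><Subject>" for every message that matches
# any keyword. Exit status 0 if at least one message matched, 1 if none did,
# 2 if the keyword file was empty.
keyword_hits() {
    mbox=$1; kw=$2
    # one alternation built from the non-blank keyword lines
    pat=$(grep -v '^[[:space:]]*$' "$kw" | tr '\n' '|' | sed 's/|$//')
    if [ -z "$pat" ]; then
        echo "no keywords in $kw" >&2
        return 2
    fi
    awk -v pat="$pat" '
        # emit the buffered message if it matches
        function flush() {
            if (n > 0 && tolower(buf) ~ tolower(pat)) {
                hits++
                printf "%d\t%s\t%s\n", n, date, subj
            }
        }
        /^From / { flush(); n++; buf = ""; date = ""; subj = ""; inhdr = 1 }
        inhdr && /^Date: /    { date = substr($0, 7) }
        inhdr && /^Subject: / { subj = substr($0, 10) }
        inhdr && /^$/         { inhdr = 0 }   # blank line ends the headers
        { buf = buf "\n" $0 }
        END { flush(); exit (hits > 0 ? 0 : 1) }
    ' "$mbox"
}

# Usage: hits.sh MBOX KEYWORD_FILE
if [ $# -eq 2 ]; then
    keyword_hits "$1" "$2"
fi
```

Because the whole message is buffered before testing, a keyword split across a header and the body is still found, and the exit status lets the function serve as a filter in a loop over all decoded mailboxes (`for m in decoded/*; do keyword_hits "$m" keywords.txt && echo "hits in $m"; done`).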
7. Bonus Ideas

Here are some bonus ideas and tools. Suggest some more!
7.1 Converting Eudora e-mail

There is a nice script, eudora2unix, for converting Eudora mail. It is available from http://www.xs4all.nl/~maryniak/eudora2unix/.
7.2 Converting UNIX e-mail

Hey, you say, I've got UNIX e-mail, how do I analyze it? Well, lucky for you it's already in mbox format, so you don't have to convert anything at all. Just look for mail spool files. These are usually stored in directories such as /var/spool/mail or /var/mail. You'll also frequently find mbox format files in temporary and queue directories. For example, if you have a bunch of e-mail that couldn't be delivered (perhaps you were an open mail relay and wanted to see what kind of Viagra spam or whatnot you were relaying) you may find messages awaiting delivery in /var/spool/mqueue or a similar directory. Two caveats: queue directories are not always plain mbox (sendmail keeps each queued message as a qf control file plus a df body file, and Postfix uses its own queue file format), and Maildir-style mailboxes keep one message per file under new/, cur/ and tmp/ rather than one big spool, so some reassembly may be needed before the mail looks like mbox.

7.3 Importing mbox into other e-mail clients

Say you have an mbox file and you want to import it into an e-mail client other than Thunderbird, one that doesn't allow importing but does work as a POP3 client. Fortunately, you can easily do this as long as you have a UNIX mail server to do it with. All you need to do is make an account on the server, copy the mbox file over that user's mail spool file (usually under /var/mail or /var/spool/mail), make sure the spool is owned by that user so the POP3 daemon can read it, and then use a POP3 client to download the mail. All the e-mail will be downloaded to your client as if it were brand new. Do this with a working copy of the mbox, never the original: most POP3 clients delete messages from the server as they retrieve them, and the server rewrites the spool as it goes.
7.4 Using uudeview to extract attachments

Say you are a glutton for punishment, and you really, really want to extract attachments from the ASCII MIME-encoded text in your mbox file yourself. You can do this. First cut the e-mail out using a text editor and save it as plain text. Cut from the message's envelope line, the line that begins with "From " (no colon) followed by a sender address and date, up to but not including the next envelope line. Do not cut at the "From:" header: that header appears inside every message and is not the message boundary. Then download UUDeview (uudeview.exe for Windows; source for UNIX) from http://www.fpx.de/fp/Software/UUDeview/ and simply run the program on the text file. It will find the MIME-encoded sections (and old-style uuencoded ones, which is what it was originally written for), convert them to binary and write them to the filesystem. You'll want to suggest this option if the opposing attorney wants to verify your work, since it is very easy to explain, and makes them work a lot harder. It is also a very handy way to cut naughty pictures out of e-mail so you can insert them into your report.
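As an added example (not code from the article or from UUDeview), the Python below does the cut-and-decode step programmatically for the uuencoded case that UUDeview is named for: it splits an mbox on its envelope "From " lines, showing why a "From:" header or a quoted ">From " body line is not a boundary, picks one message out by Message-ID, and decodes any begin/end uuencoded blocks in its body with binascii. The mbox, the Message-IDs, the payload and the function names are constructed for the example; a real mailbox would be read from disk instead of the embedded bytes.

```python
"""Added example, not code from the article or from UUDeview: cut one message
out of an mbox and decode the uuencoded sections in its body with Python's
standard library. The cut point is the envelope line beginning "From " (no
colon); "From:" is a header present in every message. The mbox and the
uuencoded payload below are constructed for the example."""
import binascii
import re

def uuencode(data, name, mode="644"):
    """Classic uuencode; used here only to build the sample input."""
    lines = ["begin %s %s" % (mode, name)]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines)

SAMPLE_PICTURE = b"GIF89a" + bytes(range(70))   # constructed, not a real image

SAMPLE_MBOX = (
    b"From alice@example.org Tue Jan  4 08:00:00 2005\n"
    b"From: alice@example.org\n"
    b"Subject: a plain message\n"
    b"Message-ID: <2001@example.org>\n"
    b"\n"
    b"From: this body line looks like a header but is not a separator.\n"
    b">From here on, a body line that began with From was quoted on delivery.\n"
    b"\n"
    b"From carol@example.org Tue Jan  4 09:30:00 2005\n"
    b"From: carol@example.org\n"
    b"Subject: the picture\n"
    b"Message-ID: <2002@example.org>\n"
    b"\n"
    b"Here is the file you asked for.\n"
    b"\n" + uuencode(SAMPLE_PICTURE, "picture.gif").encode("ascii") + b"\n"
    b"\n"
)

def split_mbox(data):
    """Return each message as bytes, starting with its envelope line. A
    separator is a line beginning "From " at the start of the file or right
    after a blank line; ">From " lines are quoted body text, not separators."""
    messages, current, prev_blank = [], [], True
    for line in data.splitlines(keepends=True):
        if prev_blank and line.startswith(b"From "):
            if current:
                messages.append(b"".join(current))
            current = []
        current.append(line)
        prev_blank = line in (b"\n", b"\r\n")
    if current:
        messages.append(b"".join(current))
    return messages

def cut_message(data, message_id):
    """Return the message whose Message-ID header matches, or None."""
    for msg in split_mbox(data):
        head = msg.partition(b"\n\n")[0].decode("ascii", "replace")
        m = re.search(r"^Message-ID:\s*(\S+)", head, re.I | re.M)
        if m and m.group(1) == message_id:
            return msg
    return None

def decode_uu_sections(text):
    """Find every begin ... end block and return [(filename, bytes)]."""
    found, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^begin \d{3,4} (.+)$", lines[i])
        i += 1
        if not m:
            continue
        name, data = m.group(1), bytearray()
        while i < len(lines) and lines[i].rstrip() != "end":
            line = lines[i]
            i += 1
            # The first character encodes the line's byte count; a count of
            # zero (space or backtick) is the terminator that precedes "end".
            if not line or (ord(line[0]) - 32) & 63 == 0:
                continue
            data += binascii.a2b_uu(line.encode("ascii"))
        found.append((name, bytes(data)))
    return found

def extract_from_mbox(data, message_id):
    """Cut the message with this Message-ID and decode its uuencoded parts."""
    msg = cut_message(data, message_id)
    if msg is None:
        return []
    body = msg.partition(b"\n\n")[2].decode("ascii", "replace")
    return decode_uu_sections(body)
```

Note the filename comes straight from the begin line, so treat it the same way as a MIME filename: write it under a name you control, not the sender's.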
7.5 Carving for .eml and using eml2mbox for conversion

Using the techniques described above (and after figuring out the header/footer), you could have foremost carve out .eml files (an extension used by some e-mail clients, including Outlook Express, for individual messages) and use the eml2mbox.rb program, available from http://www.broobles.com/eml2mbox/, to convert them to mbox format. Bear in mind that an .eml file has no magic number and no footer: the "header" you give foremost will be a leading header line such as "Return-Path:" or "Received:", the end condition is whatever you choose (a size limit or the next header), and you should expect some false positives and truncated hits that need to be weeded out before conversion. eml2mbox needs the Ruby interpreter on your system. This is installed by default on many Linux distributions and easily obtainable on others (remember emerge?). The website has all the documentation on how to run the script.
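The following is an added example and is not code from the article, from foremost or from eml2mbox. It carries the carve-then-convert idea through end to end in Python: it scans a raw byte blob for a leading header (Return-Path: is assumed here as the carve signature), cuts each hit at the next hit or at NUL-filled unallocated space, keeps only hits that parse with the headers a delivered message must have (so a truncated fragment is discarded), and then writes the survivors as one mbox file with a proper envelope line built from the From: and Date: headers and with body lines beginning "From " quoted so that a reader cannot mistake them for a message boundary. The "disk image", the messages and all names in it are constructed for the example.

```python
"""Added example, not code from the article, from foremost or from eml2mbox:
carve RFC 822 messages out of a raw byte blob the way a header-keyed foremost
rule would, validate each hit, and write the survivors as one mbox file.
An .eml file has no magic number and no footer, so the carver keys on a
header that opens a delivered message ("Return-Path:" is assumed here as the
signature), stops at the next hit or at NUL-filled unallocated space, and
keeps a hit only if it parses with the headers a real message must carry.
The "image" below is constructed for the example."""
import email
import re
from datetime import timezone
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

EML_1 = (b"Return-Path: <dave@example.net>\r\n"
         b"Received: from mail.example.net by mx.example.org; Wed, 5 Jan 2005 11:00:01 -0500\r\n"
         b"From: Dave <dave@example.net>\r\n"
         b"To: erin@example.org\r\n"
         b"Date: Wed, 5 Jan 2005 11:00:00 -0500\r\n"
         b"Message-ID: <3001@example.net>\r\n"
         b"Subject: first carved message\r\n"
         b"\r\n"
         b"From the top: unquoted, this line would start a new mbox message.\r\n"
         b"Regards, Dave\r\n")
EML_2 = (b"Return-Path: <erin@example.org>\r\n"
         b"From: erin@example.org\r\n"
         b"To: dave@example.net\r\n"
         b"Date: Wed, 5 Jan 2005 12:30:00 -0500\r\n"
         b"Message-ID: <3002@example.org>\r\n"
         b"Subject: second carved message\r\n"
         b"\r\n"
         b"Received, thanks.\r\n")
# A truncated hit: the signature is there but the message never completes.
FRAGMENT = b"Return-Path: <ghost@example.net>\r\nReceived: from nowhere\r\n"

# Constructed "disk image": a JPEG header, NUL gaps, two whole messages, a
# stray text line and the fragment, roughly what unallocated space looks like.
IMAGE = (b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 32 + EML_1 + b"\x00" * 16 +
         b"not a header\n" + FRAGMENT + b"\x00" * 8 + EML_2 + b"\x00" * 32)

SIGNATURE = b"Return-Path:"          # assumed carve signature
REQUIRED = ("From", "Date", "Message-ID")

def carve_eml(blob):
    """Return [(offset, raw_bytes)] for every message that validates."""
    starts = [m.start() for m in re.finditer(re.escape(SIGNATURE), blob)
              if m.start() == 0 or blob[m.start() - 1] in b"\x00\r\n"]
    found = []
    for n, start in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(blob)
        nul = blob.find(b"\x00", start, end)
        if nul != -1:
            end = nul
        raw = blob[start:end].strip(b"\r\n")
        msg = email.message_from_bytes(raw, policy=policy.default)
        if all(msg.get(h) for h in REQUIRED):
            found.append((start, raw))
    return found

def from_line(msg):
    """Build the mbox envelope line from the From: and Date: headers."""
    addr = parseaddr(str(msg.get("From", "")))[1] or "MAILER-DAEMON"
    try:
        when = parsedate_to_datetime(str(msg["Date"]))
        if when.tzinfo is not None:
            when = when.astimezone(timezone.utc)
        stamp = when.ctime()
    except (TypeError, ValueError):
        stamp = "Thu Jan  1 00:00:00 1970"
    return "From %s %s\n" % (addr, stamp)

def to_mbox(raw_messages):
    """Write messages in mboxrd form: envelope line, CRLF folded to LF, and
    any body line matching ^>*From  prefixed with '>' so that no reader
    mistakes it for the next envelope."""
    out = bytearray()
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        out += from_line(msg).encode("ascii")
        head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
        out += head + b"\n\n"
        for line in body.rstrip(b"\n").split(b"\n"):
            if re.match(rb">*From ", line):
                line = b">" + line
            out += line + b"\n"
        out += b"\n"
    return bytes(out)

def mbox_message_count(data):
    """Count envelope lines: "From " at file start or right after a blank line."""
    return len(re.findall(rb"(?:\A|\n\n)From ", data))

def carve_to_mbox(blob):
    return to_mbox([raw for _, raw in carve_eml(blob)])
```

For a real image, read the file in chunks rather than into one bytes object, and record each hit's offset: the offset is what lets you tie a message in the resulting mbox back to its location in the evidence.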

8. Summary

This article showed various ways to convert mail files to mbox format and parse them using free and open source tools. It should cover the most common Windows-based e-mail clients a forensic examiner encounters, but it is only a basic primer. Web-based e-mail and more specialised systems such as Novell GroupWise are beyond its scope. We hope the article was informative and helpful in your forensic endeavors. The authors welcome all comments and suggestions.

1. It should be noted that some programs will not cross-compile correctly in a pure AMD64 Gentoo environment, notably readpst. If the program is compiled in a 32-bit chroot environment, or on an x86 machine, and the proper emulation libraries are installed on the AMD64 box, the binaries will function properly. Obviously the discussion of 32-bit chroot environments is beyond the scope of this article.