>>92338

>>92339

there are 2 torrents

1st torrent magnet:magnet:?xt=urn:btih:dc654b50ec08a8ad5d8f6275f9cd4fcae29686c1&dn=CnuDA4EHJS0glXNC.zip&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.opentrackr.org%3a1337%2fannouncetorrent contains 1 file:ic9WLQaUKTRWV2Sv.zipfile size:18500880652 (about 18.5 GB)sha256 checksum:>sha256sum ic9WLQaUKTRWV2Sv.zipfa2875888b3d80dae9d8b8d19225602a1d7557bfe212bb26fdaa27eba26f5239 ic9WLQaUKTRWV2Sv.zip

ic9WLQaUKTRWV2Sv.zip contains:EMSSERVER.E01file size:20360943414 (about 20.4 GB)sha256 checksum:>sha256sum EMSSERVER.E01758cba7e566d9140882c33300ed79e578a272b74d0e7db148fea259d6ac42453 EMSSERVER.E01filetype of EMSSERVER.E01:>file EMSSERVER.E01EMSSERVER.E01: EWF/Expert Witness/EnCase image file format

2nd torrent magnet:magnet:?xt=urn:btih:dc654b50ec08a8ad5d8f6275f9cd4fcae29686c1&dn=CnuDA4EHJS0glXNC.zip&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.opentrackr.org%3a1337%2fannouncetorrent contains 1 file:CnuDA4EHJS0glXNC.zipfile size:18737362756 (about 18.7 GB)sha256 checksum:>sha256sum CnuDA4EHJS0glXNC.zipfcffcd8b6071cd90f3315f02dbf4521b2f6e9657684aedfd848e229a7c38fe58 CnuDA4EHJS0glXNC.zip

CnuDA4EHJS0glXNC.zip contains:EMSSERVER_v2.E01file size:20591064705 (about 20.6 GB)sha256 checksum:>sha256sum EMSSERVER_v2.E011f5a657a7943285c7728e73625e429ead87c19243bdc84b53a047d4282cfaf8b EMSSERVER_v2.E01filetype of EMSSERVER.E01:>file EMSSERVER_v2.E01EMSSERVER_v2.E01: EWF/Expert Witness/EnCase image file format

>>92392

EWF/Expert Witness/EnCase image file format

some info on this file format

https://www.andreafortuna.org/2018/04/11/how-to-mount-an-ewf-image-file-e01-on-linux/

Often, during a forensic analysis, you may need to explore an EWF image (usually a file with .E0X extension) in order to extract some artifacts.

EWF files (Expert Witness Format) are a type of disk image, that contain the contents and structure of an entire data storage device, a disk volume, or (in some cases) a computer’s physical memory (RAM).

EWF files consist of one or more sections, each with its own header and section-level fixity data, usually in the form of an Adler-32 checksum, compressed into 32 kb chunks which are stored back to back in groupings inside the file to improve random access efficiency.

EWF files may take one of two forms

The first is referred to as a “bitstream or forensic image”: a sector-by-sector copy of the source, replicating the structure and contents of the storage device independent of the file system, including inactive data like the files and fragments that reside in unallocated space including deleted files that have not yet been overwritten.

The second form is called “logical evidence file” and it preserves the original files as they existed on the media and also documents this metadata:

assigned file name and extension

datetime created, modified, and last accessed

logical and physical size

MD5 hash value

permissions

starting extention and original path

Logical evidence files are typically created after an analysis locates some files of interest, and for forensic reasons, they are kept in an “evidence grade” container.

References

http://www.forensicswiki.org/wiki/Encase_image_file_format

https://en.wikipedia.org/wiki/Adler-32

http://www.forensicswiki.org/wiki/Libewf

http://www.dfrws.org/sites/default/files/session-files/paper-extending_the_advanced_forensic_format_to_accommodate_multiple_data_sources_logical_evidence_arbitrary_information_and_forensic_workflow.pdf

>>92392

>>92393

Encase image file format

https://web.archive.org/web/20190915171358/http://www.forensicswiki.org/wiki/Encase_image_file_format

The Encase image file format is used by EnCase used to store various types of digital evidence e.g.

disk image (physical bitstream of an acquired disk)

volume image

memory

logical files

>>92392

>>92393

>>92395

libewf

https://github.com/libyal/libewf/

libewf is a library to access the Expert Witness Compression Format (EWF).

Project information:

• Status: experimental

• Licence: LGPLv3+

Read or write supported EWF formats:

• SMART .s01 (EWF-S01)

• EnCase

• .E01 (EWF-E01)

• .Ex01 (EWF2-Ex01)

Not supported:

• .Ex01 (EWF2-Ex01) bzip2 compression (work in progress)

• .Ex01 (EWF2-Ex01) encryption

Read-only supported EWF formats:

• Logical Evidence File (LEF)

• .L01 (EWF-L01)

• .Lx01 (EWF2-Lx01)

Other features:

• empty-block compression

• read/write access using delta (or shadow) files

• write resume

Work in progress:

• Dokan library support (experimental)

• Python bindings (including Python 3 support)

• write EWF2-Ex01 support

• Multi-threading support

Planned:

• write EWF-L01 and EWF2-Lx01 (long-term)

The libewf package contains the following tools:

• ewfacquire; which writes storage media data from devices and files to EWF files.

• ewfacquirestream; which writes data from stdin to EWF files.

• ewfdebug; experimental tool does nothing at the moment.

• ewfexport; which exports storage media data in EWF files to (split) RAW format or a specific version of EWF files.

• ewfinfo; which shows the metadata in EWF files.

• ewfmount; which FUSE mounts EWF files.

• ewfrecover; special variant of ewfexport to create a new set of EWF files from a corrupt set.

• ewfverify; which verifies the storage media data in EWF files.

For previous project contributions see:

• libewf on SourceForge: https://sourceforge.net/projects/libewf

For previous stable releases see:

• Downloads: https://github.com/libyal/legacy/tree/master/libewf

For more information see:

• Project documentation: https://github.com/libyal/libewf/wiki/Home

• How to build from source: https://github.com/libyal/libewf/wiki/Building

Info about the Encase/Witness Format files

EMSSERVER.E01

>ewfinfo EMSSERVER.E01ewfinfo 20140608Acquiry information Case number: 052321 Description: EMSSERVER Examiner name: cjh Evidence number: 00003 Notes: Acquisition date: Sun May 23 22:30:36 2021 System date: Sun May 23 22:30:36 2021 Operating system used: Win 201x Software version used: ADI4.2.0.13 Password: N/AEWF information File format: FTK Imager Sectors per chunk: 64 Compression method: deflate Compression level: no compressionMedia information Media type: fixed disk Is physical: yes Bytes per sector: 512 Number of sectors: 1952448512 Media size: 931 GiB (999653638144 bytes)Digest hash information MD5: 3d7cf05ca6e42db765bf5c15220c097d SHA1: eab06a7ea23586de2746b9142461717e075f5c9f

EMSSERVER_v2.E01

>ewfinfo EMSSERVER_v2.E01ewfinfo 20140608Acquiry information Case number: 052621 Description: EMSSERVER_v2 Examiner name: cjh Evidence number: 00002 Notes: Acquisition date: Wed May 26 23:43:17 2021 System date: Wed May 26 23:43:17 2021 Operating system used: Win 201x Software version used: ADI4.2.0.13 Password: N/AEWF information File format: FTK Imager Sectors per chunk: 64 Compression method: deflate Compression level: no compressionMedia information Media type: fixed disk Is physical: yes Bytes per sector: 512 Number of sectors: 1952448512 Media size: 931 GiB (999653638144 bytes)Digest hash information MD5: 52861d5a7750ab535a9d5f7277469c10 SHA1: 1bf8f22edb37f72bb29428a591046a1f64279a3f

>>92408

Partition tables contained in the disk images

EMSSERVER.E01

>mkdir /tmp/EMSSERVER>ewfmount EMSSERVER.E01 /tmp/EMSSERVER>cd /tmp/EMSSERVER>lsewf1>fdisk -l ewf1Disk ewf1: 931 GiB, 999653638144 bytes, 1952448512 sectorsUnits: sectors of 1 * 512 = 512 bytesSector size (logical/physical): 512 bytes / 512 bytesI/O size (minimum/optimal): 512 bytes / 512 bytesDisklabel type: dosDisk identifier: 0x4ce684cdDevice Boot Start End Sectors Size Id Typeewf1p1 * 2048 1026047 1024000 500M 7 HPFS/NTFS/exFATewf1p2 1026048 1952448511 1951422464 930.5G 7 HPFS/NTFS/exFAT

EMSSERVER_v2.E01

>mkdir /tmp/EMSSERVER_v2>ewfmount EMSSERVER_v2.E01 /tmp/EMSSERVER_v2>cd /tmp/EMSSERVER_v2>lsewf1>fdisk -l ewf1Disk ewf1: 931 GiB, 999653638144 bytes, 1952448512 sectorsUnits: sectors of 1 * 512 = 512 bytesSector size (logical/physical): 512 bytes / 512 bytesI/O size (minimum/optimal): 512 bytes / 512 bytesDisklabel type: gptDisk identifier: 36ADB84F-E9FD-476E-8FC7-20BEF32A6A5ADevice Start End Sectors Size Typeewf1p1 34 262177 262144 128M Microsoft reservedewf1p2 264192 1032191 768000 375M Windows recovery environmentewf1p3 1032192 1234943 202752 99M EFI Systemewf1p4 1234944 1952446463 1951211520 930.4G Microsoft basic data

>>92410

partition tables very different before and after the "update" by Dominion employee

could be that they overwrote the full disk with new image, as suggested yesterday by CM and others at Lindell symposium

>>92414

in the process of performing further analysis

>>92428

things getting real

expecting acceleration

>>92428

symposium was PACKED with info

if you watched closely, they were basically explaining all the state representatives what they should do

masterfully executed OP

>>92433

>They Symposium was a honey trap.

could be, partly

or also done to educate legislators as to what could happen to them

crash course in OPSEC

>>92438

agreed

>>92439

Tom (and anyone else interested), your Windows machine could be handy

I think I found a relatively easy way to open the CM disk images:

install https://www.autopsy.com/download/

it might also work on your apple computers

it should be able to open the Encase images and let you explorer them with a graphical interface

I was doing it via the command line, and it was a pain

GUI might be easier

>>92443

http://www.sleuthkit.org/autopsy/

Easy to Use

Autopsy was designed to be intuitive out of the box. Installation is easy and wizards guide you through every step. All results are found in a single tree. See the intuitive page for more details.

Extensible

Autopsy was designed to be an end-to-end platform with modules that come with it out of the box and others that are available from third-parties. Some of the modules provide:

Timeline Analysis - Advanced graphical event viewing interface (video tutorial included).

Hash Filtering - Flag known bad files and ignore known good.

Keyword Search - Indexed keyword search to find files that mention relevant terms.

Web Artifacts - Extract history, bookmarks, and cookies from Firefox, Chrome, and IE.

Data Carving - Recover deleted files from unallocated space using PhotoRec

Multimedia - Extract EXIF from pictures and watch videos.

Indicators of Compromise - Scan a computer using STIX.

See the Features page for more details. Developers should refer to the module development page for details on building modules.

Fast

Everyone wants results yesterday. Autopsy runs background tasks in parallel using multiple cores and provides results to you as soon as they are found. It may take hours to fully search the drive, but you will know in minutes if your keywords were found in the user's home folder. See the fast results page for more details.

Cost Effective

Autopsy is free. As budgets are decreasing, cost effective digital forensics solutions are essential. Autopsy offers the same core features as other digital forensics tools and offers other essential features, such as web artifact analysis and registry analysis, that other commercial tools do not provide.

>>92456

>DROP 128

C_A on 4chan

moved to 8chan

3 letter agency took over next door

moved to mnr

kek

>>92458

>ANONS: Windows machine to check Tor file

ANONS: Software to check the CM EMS disk images

https://t.me/theprofessorsrecord/1945

last line

"P.S. - Brian Cates is a deep state hack."

looked at Brian Cates' telegram history, and he spent a lot of time today muhing about the PCAPs, basing his assertions on a WP fake news article

eyes on

>>92462

for records keeping

>>92464

for records keeping

>>92465

for records keeping

>>92466

for records keeping

>>92467

for records keeping

apparently, some "TruthHammer888" was mad too because he was "promised PCAPs"

Brian Cates:

"I have left the Symposium. Back at my hotel. Lindell promised a silver bullet. Irrefutable proof based on data packet captures. For whatever reason, he and his team did not deliver on the promise of irrefutable pcaps. I can’t sugar coat this. The buildup, the relentless hype of the pcap evidence, all done by Lindell himself in a series of videos and interviews over a period of 3 months, has led to a massive letdown."

what a retard

>>92469

very wise words

>>92470

could also have been bait

>>92473

>apple

>cheap

does not compute

>>92475

>member finding the NSAKey back in the day.. kek

they never stopped:

https://dolosgroup.io/blog/2021/7/9/from-stolen-laptop-to-inside-the-company-network

MS: BitLocker is super secure

security researchers: lol

>>92476

oh I see, my bad

>>92476

>>92478

technically speaking, Asus delivered that to you for under 600

MS only "gives" you the spyware that comes with it

>>92480

magnets here: >>92392

>feck I knew you would say that.. kek

haha, had to

>>92482

you mean client?

I use a seedbox, and I don't know Windows clients

utorrent?

don't forget to use a VPN while torrenting

>>92487

windows is also an updates nightmare in addition to being a spyware

>>92491

my VPN setup is complicated, can't disclose

>>92492

haha, can't recall, even though I must have heard his ads hundreds of time

Bongino play ads for expressvpn if I recall correctly

>>92498

you need both

1 is the image before the dominion employee

the other is the image after

I'm exhausted

done enough work for the day

will resume tomorrow

>>92498

leave your client on during the night

if for some reason one of your torrent is not picking up right now, it might while you're sleeping

also verify that your client doesn't have a queue, such as 'only download 1 torrent at a time'