prove they were a novice or an expert???


Brad

Feb 19, 2012, 11:23:44 AM2/19/12
to aff-discuss
Let's suppose the task was reversed. You don't need to prove they are
an expert; you already know they can barely find the 'on' button. But
what if you needed forensics to show that this person barely knew what
a keyboard was, even though they used it every day for years.
My first guess would be control panel access and administrator level
changes, but many knucklehead users default to admin instead of user.
What next?

Greg Freemyer

Feb 20, 2012, 6:20:57 PM2/20/12
to aff-d...@googlegroups.com
I think I'd take a look at the prefetch files.

See if they are running a lot of different things, or just the basics.


--
Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
CNN/TruTV Aired Forensic Imaging Demo -
   http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
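The prefetch check Greg describes can be scripted. The following is an added example, not code from this thread or from any of the tools mentioned in it. It parses the name of each .pf file (EXECUTABLE-HASH.pf), reads the executable name, run count and last-run time from the uncompressed Prefetch header, and then reports how many distinct programs were run and how often. The version-dependent offsets (versions 17, 23 and 26) are taken from the public description of the format; Windows 10 files (version 30) are MAM-compressed on disk and are not handled. The sample files at the bottom are constructed in code, not captured from a real system.

```python
import re
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Header layout of an uncompressed Windows Prefetch (.pf) file. The offsets of the
# last-run FILETIME and the run counter depend on the format version (assumption:
# taken from the public format description; version 30 / Windows 10 is compressed
# and deliberately unsupported here).
PF_SIGNATURE = b"SCCA"
PF_LAYOUT = {
    17: {"last_run": 0x78, "run_count": 0x90},   # Windows XP / Server 2003
    23: {"last_run": 0x80, "run_count": 0x98},   # Windows Vista / 7
    26: {"last_run": 0x80, "run_count": 0xD0},   # Windows 8.x
}
# File names look like NOTEPAD.EXE-D8414F97.pf: executable name, dash, 8 hex digits.
PF_NAME_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_prefetch_name(name):
    """Split 'NOTEPAD.EXE-D8414F97.pf' into ('NOTEPAD.EXE', 'D8414F97')."""
    m = PF_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a prefetch file name: {name}")
    return m.group("exe").upper(), m.group("hash").upper()


def parse_prefetch_header(data):
    """Return version, executable name, run count and last-run time from the header."""
    if len(data) < 0xD4 or data[4:8] != PF_SIGNATURE:
        raise ValueError("missing SCCA signature or truncated header")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in PF_LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    # Executable name: up to 60 bytes of NUL-terminated UTF-16LE at offset 0x10.
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    layout = PF_LAYOUT[version]
    last_run = struct.unpack_from("<Q", data, layout["last_run"])[0]
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    return {"version": version, "exe": exe.upper(), "run_count": run_count,
            "last_run": filetime_to_datetime(last_run)}


def summarize_prefetch(headers):
    """Aggregate parsed headers: distinct programs, total runs, runs per program."""
    per_exe = Counter()
    for h in headers:
        per_exe[h["exe"]] += h["run_count"]
    return {"distinct": len(per_exe), "total_runs": sum(per_exe.values()),
            "per_exe": dict(per_exe)}


def profile_prefetch_dir(files):
    """files: mapping of .pf file name -> file bytes, e.g. read from C:\\Windows\\Prefetch."""
    headers = []
    for name, data in files.items():
        exe_from_name, _ = parse_prefetch_name(name)
        header = parse_prefetch_header(data)
        if header["exe"] != exe_from_name:
            raise ValueError(f"{name}: header names {header['exe']}, file name says {exe_from_name}")
        headers.append(header)
    return summarize_prefetch(headers)


def _make_prefetch(version, exe, run_count, last_run_ft):
    """Build a constructed (not real) Prefetch header for the sample data below."""
    buf = bytearray(0x100)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = PF_SIGNATURE
    struct.pack_into("<I", buf, 0x0C, len(buf))          # file size field
    name = exe.encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name                     # remainder stays NUL
    struct.pack_into("<Q", buf, PF_LAYOUT[version]["last_run"], last_run_ft)
    struct.pack_into("<I", buf, PF_LAYOUT[version]["run_count"], run_count)
    return bytes(buf)


# Constructed Windows 7 (version 23) sample: a user who runs the shell, a browser
# and Notepad, and nothing else. Hashes and counts are made up for the example.
SAMPLE_FILES = {
    "EXPLORER.EXE-00000001.pf": _make_prefetch(23, "EXPLORER.EXE", 412, 129745000000000000),
    "IEXPLORE.EXE-00000002.pf": _make_prefetch(23, "IEXPLORE.EXE", 97, 129745000000000000),
    "NOTEPAD.EXE-00000003.pf": _make_prefetch(23, "NOTEPAD.EXE", 3, 129744000000000000),
}

if __name__ == "__main__":
    summary = profile_prefetch_dir(SAMPLE_FILES)
    print(f"{summary['distinct']} distinct programs, {summary['total_runs']} runs in total")
    for exe, runs in sorted(summary["per_exe"].items(), key=lambda kv: -kv[1]):
        print(f"  {exe:<20} {runs}")
```

On a real image the dictionary would be filled by reading every .pf file in the Prefetch folder. Three distinct executables over hundreds of runs is the "just the basics" pattern; a long tail of command-line tools, installers and utilities points the other way. Prefetch can be disabled (it is off by default on SSD systems in later Windows versions), so an empty folder is not evidence of anything by itself.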

Benjamin Brink

Feb 20, 2012, 6:46:37 PM2/20/12
to aff-d...@googlegroups.com
The number of viruses installed? ;-)

An "expert" might set up a fresh/refreshed machine with a simple
configuration to handle a specific or unique task, but it's unlikely
they would allow the machine to be hijacked by others, unless it's being
used as a honeypot.

Simson Garfinkel

Feb 20, 2012, 7:08:01 PM2/20/12
to aff-d...@googlegroups.com, bulk_extra...@googlegroups.com
bulk_extractor pulls out the prefetch files.
Currently nobody is using this feature. I wish people were.

I'm probably going to shut down either aff-discuss or bulk_extractor-users, and move all the people from one to the other. Or recommend that everybody move to linux_forensics. Any suggestions which to do?

Greg Freemyer

Feb 20, 2012, 7:45:27 PM2/20/12
to aff-d...@googlegroups.com, bulk_extra...@googlegroups.com
Simson,

I wish there were one main place where all open-source / public domain
tools were discussed.

Assuming you mean the yahoo group linux_forensics, it looks like it
was almost dead last year. Look at the number of messages in history
chart at the bottom of:

http://tech.groups.yahoo.com/group/linux_forensics/?v=1&t=directory&ch=web&pub=groups&sec=dir&slk=3

So I think moving all traffic there is the better of the 2 options,
but I wish there were an even more centralized list for the
communications.

Greg

Benjamin Brink

Feb 20, 2012, 11:11:40 PM2/20/12
to aff-d...@googlegroups.com
Since Linux is not the only open source operating system, would a
project-specific list, such as one of the first two, or a new, more
generic one, such as foss_forensics, oss_forensics, etc., have resilience?


Dewhirst, Rob

Feb 23, 2012, 2:33:03 PM2/23/12
to aff-d...@googlegroups.com
There's a bulk_extractor-users Google group? I can't even find it via Google.

Greg Freemyer

Feb 23, 2012, 3:09:32 PM2/23/12
to aff-d...@googlegroups.com

Simson Garfinkel

Feb 23, 2012, 2:42:42 PM2/23/12
to aff-d...@googlegroups.com
Yes.

Need to do a better job publicizing it.


I don't understand why Google hasn't indexed it.

But we are thinking about creating a general mailing list. That will probably happen shortly.