int for(ensic){blog;}

CarvFS is a user space file system on top of LibCarvPath and FUSE that makes arbitrary parts of a file system accessible as files. Its main intended use is zero-storage or in-place file carving. I'm frequently using this tool to dissect large structured files and file system images. CarvFS compiles out of the box on Linux; installation on a Mac required a couple of tweaks and patches to sources and CMake files. With the kind help of Rob from the KLPD I eventually succeeded. I'm releasing my set of patches in the hope that it will help others.

By Andreas Schuster at 08/30/2010, 04:00 PM | Permalink

Andrew Hoog has written step-by-step instructions that explain how to install the event log parser and its prerequisites on Ubuntu Linux 10.04. Thank you very much, Andrew!

By Andreas Schuster at 08/09/2010, 04:00 PM | Permalink

I'm excited to announce that I will speak at the ZISC 2010 Workshop on Digital Forensics and Security. I will report on the latest advancements in forensic memory analysis on Linux, Mac OS X and Microsoft Windows.The workshop will be held on September 13, 2010 at armasuisse in Berne, Switzerland.

By Andreas Schuster at 07/14/2010, 04:00 PM | Permalink

There's a new version of my Windows Event Log Parser available for download. Version 1.0.5 comes with faster calculations of CRC32 check sums and support for additional data types.

By Andreas Schuster at 05/07/2010, 04:00 PM | Permalink

Unfortunately, SANS had to postpose the London Forensics Summit due to massive travel problems caused by volcanic ash floating around the atmosphere. I intended to answer many questions from the forensic community on the native Windows Event Log file format during the presentation. I'm releasing my slides in the hope that this will answer at least some of the questions, though the narrative is missing.

By Andreas Schuster at 04/19/2010, 04:00 PM | Permalink

Version 1.0.4 of my Microsoft Vista and Windows 2008 Event Log parser is now available for download. This version adds data integrity checking and fixes some errors.

By Andreas Schuster at 03/25/2010, 04:00 PM | Permalink

The separation of content and structure along with the substitution mechanism is a core concept of the event log. The XML template contains placeholders, that are filled in from the associated slots of the record's substitution array. Whenever the slot contains a NullType "value", the system suppresses the placeholder and its containing XML element. These NullType slots do not contain any data. At least that's what I thought for too long.

By Andreas Schuster at 03/11/2010, 04:00 PM | Permalink

I'm excited to announce that my proposed tutorial on file system analysis was accepted for the 22^nd Annual FIRST Conference. I'm going to explain how to proceed when the usual tools like EnCase, FTK, and X-Ways Forensics are unable to parse a file system.

By Andreas Schuster at 03/01/2010, 04:00 PM | Permalink