In an earlier article I discussed timestamps in thread and process objects. In this post I'll show how this information can be used to narrow down the time at which a certain routine was executed.
February 2006 Archives
Digital forensics finally has a wiki of its own; Simson Garfinkel set it up recently. So far about 70 authors have registered and created just under 40 pages. To make the wiki grow, Garfinkel asks the forensic community for contributions.
To search memory images for processes and threads I rely on a structure named _DISPATCHER_HEADER. This article provides you with a summary of the relevant information.
In his presentation Yann Berthier introduces Netflows as an information source for network forensics.
During the last weeks I've documented the _EPROCESS and _ETHREAD structures for several versions of Microsoft Windows in the main (that is, German) section of this blog. The declarations are in English anyway. I'd like to avoid duplicating those long lists here for several reasons, penalties by search engines among them. This post will guide you to the relevant articles. If there are still questions left, please do not hesitate to ask me.
On Feb. 13th Scalpel v1.54 and Foremost v1.1 were released to the public. Both are file carvers, so why not let them compete against each other?
A registry viewer and a hex editor suffice to enumerate the members of a group during post-mortem analysis of a Microsoft Windows installation.
Nwdiff compares two files. With its special way of displaying differences, this free tool enables one to identify differences down to a single bit. It also grants some insight into the structure of a file.
