« December 2005 | Main | March 2006 »

Memory analysis

Dating the execution of certain routines

In an earlier article I discussed timestamps in thread and process objects. In this post I'll show how this information can be used to narrow in on the time a certain routine was executed at.

(more...)

By Andreas Schuster at 02/27/2006, 07:55 PM |

Side notes

Wiki about computer forensics

Finally digital forensics has got a Wiki of its own, Simson Garfinkel set it up recently. Until now about 70 authors registered and created just under 40 pages. To make the Wiki grow Garfinkel asks the forensic community for contributions.

By Andreas Schuster at 02/26/2006, 11:30 PM |

Memory analysis

_DISPATCHER_HEADER

To search memory images for processes and threads I resort on a structure named _DISPATCHER_HEADER. This article provides you with a summary of the relevant information.

(more...)

By Andreas Schuster at 02/25/2006, 01:50 PM |

Network forensics

Netflows as a source of forensic information

In his presentation Yann Berthier introduces Netflows as an information source for network forensics.

(more...)

By Andreas Schuster at 02/19/2006, 06:40 PM |

Memory analysis

More on Processes and Threads

During the last weeks I've documented _EPROCESS and _ETHREAD structures for several versions of Microsoft Windows in the main (that is German) section of this blog. The declarations are in English anyway. I'd like to avoid duplicating those long lists here for several reasons, penalties by search engines among them. This post will guide you to the relevant articles. If there are still questions left please do not hestiate to ask me.

(more...)

By Andreas Schuster at 02/19/2006, 04:20 PM |

Lab

Scalpel 1.54 vs. Foremost 1.1

On Feb. 13th Scalpel v1.54 and Foremost v.1.1 were released to the public. Both are file carvers, so why not let them compete against each other?

(Dieser Beitrag ist auch auf Deutsch verfügbar.)

(more...)

By Andreas Schuster at 02/18/2006, 10:30 PM |

Lab

List Members of a Windows Group

A registry viewer and a hex editor suffice to enumerate the members of a group during post-mortem analysis of a Microsoft Windows installation.

(Dieser Beitrag ist auch auf Deutsch verfügbar.)

(more...)

By Andreas Schuster at 02/07/2006, 09:45 PM |

Lab

Compare Binary Files with Nwdiff

Nwdiff compares two files. With its special way to display diferences, this free tool enables one to identify differences to a single bit. It also grants some insight into the structure of a file.

(Dieser Beitrag ist auch auf Deutsch verfügbar.)

(more...)

By Andreas Schuster at 02/06/2006, 11:35 PM |