October 2006 Archives
Harlan Carvey posted some comments and an article regarding the analysis of pool allocations. One of the remaining tasks is to identify "interesting" pool tags. I already wrote about network activity to illustrate the top-down approach. Now here's a tool to aid in the bottom-up approach.
Today IMF 2006 starts - and I'm excited to announce the public release of a new tool named PoolFinder. PoolFinder accompanies my paper Pool Allocations as an Information Source in Windows Memory Forensics which I will present at IMF.
Not everybody feels at home at a command prompt. Therefore Richard McQuown has created a frontend for PTFinder.
Microsoft pushed out Release Candidate 2 of Vista. Among the host of new features in Vista there is a new file format for event logs. This article is the first in a series which shall help you get accustomed to the new format.
In an earlier post I referred to a paper by Hany Farid which analyzes the quantization tables found in JPEG file headers. As I'd like to introduce his method in my lab, I'm taking a closer look.
The paper Digital Image Ballistics from JPEG Quantization by Hany Farid describes how digital stills can be attributed to camera makes due to certain differences in the implementation of JPEG compression.
