December 2006 Archives

Reconstruction of Corrupted Event Logs

By Andreas Schuster on December 21, 2006 5:00 PM | 1 Comment

Viewing a saved Windows Event Log file on a different system might be unexpectedly difficult. The Event Log Service might refuse to open the file as it appears to be corrupted. In that situation a procedure documented by Stepahn Bunting may provide first aid.

Continue reading Reconstruction of Corrupted Event Logs.

MemParser Version 1.0

By Andreas Schuster on December 20, 2006 5:00 PM
MemParser by Chris Betz is one of two programs which were declared the winners of the DFRWS 2005 Memory Analysis Challenge. In the meanwhile the author publsihed the program sources at Sourceforge.

LibCarvPath and CarvFS

By Andreas Schuster on December 19, 2006 5:00 PM | 1 Comment

The two programs LibCarvPath and CarvFS implement the concept of in-place carving. Both were developed under the Open Computer Forensics Architecture framework.

Continue reading LibCarvPath and CarvFS.

Scalpel Version 1.60

By Andreas Schuster on December 18, 2006 5:00 PM

Golden Richard released version 1.60 of his file carver Scalpel. This version for the first time supports the concept of in-place carving.

Continue reading Scalpel Version 1.60.

In-Place Carving

By Andreas Schuster on December 17, 2006 5:55 PM

Carving is a common technique to recover deleted files. It usually requires a lot of disk space. Now an inproved technique, called in-place, in-line or zero space carving, is going to change that - and it also noticeable speeds up processing.

Continue reading In-Place Carving.

The Sleuth Kit Version 2.07

By Andreas Schuster on December 16, 2006 8:50 PM
Version 2.07 of The Sleuth Kit has been released. Several bugs have been fixed and the tool has been adopted to the latest versions of AFFlib and libewf . The package for the Microsoft Windows platform also has been updated.

NIST tests Write Blockers by WiebeTech

By Andreas Schuster on December 7, 2006 4:50 PM
NIST released two reports about WiebeTech's SATADock. They tested two versions with USB and FireWire interface.

WinHex Templates for ReiserFS 4

By Andreas Schuster on December 5, 2006 4:00 PM
Jens Kirschner released templates for WinHex editor and X-Ways Forensics to parse structures of ReiserFS 4.veröffentlicht. Among others the collection contains templates to parse the superblock, node header, item header and directory entries.

Crash without CtrlScroll

By Andreas Schuster on December 4, 2006 5:00 PM

Forcing Windows to crash on a repeated press of the Ctrl-Scroll keys is a probate way to generate a memory dump. Unfortunately the system has to be configured (and rebooted) prior to an incident to enable this functionality. In a blog post C4RTMAN wonders whether there's another way to make the system crash. Now, here's an answer.

Continue reading Crash without CtrlScroll.

FATKit

By Andreas Schuster on December 1, 2006 6:00 PM

The upcoming issue of Digital Investigation (Vol. 3, Issue 4) will contain an interesting article by Nick L.Petroni, AAron Walters, Timothy Fraser and William A. Arbaugh about their memory analysis tool FATKit. A preprint is available free of charge at the FATKit website.

Continue reading FATKit.
« November 2006 | Main Index | Archives | January 2007 »

Search

Deutsch

Deutschsprachige Ausgabe

Recent Entries

Tag Cloud

Categories

Archives

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.
Powered by Movable Type 5.12