
NT event log

Reconstruction of Corrupted Event Logs

Viewing a saved Windows Event Log file on a different system can be unexpectedly difficult: the Event Log Service may refuse to open the file because it appears to be corrupted. In that situation a procedure documented by Stephan Bunting may provide first aid.

Memory analysis

MemParser Version 1.0

MemParser by Chris Betz is one of the two programs declared winners of the DFRWS 2005 Memory Analysis Challenge. In the meantime the author has published the program sources at Sourceforge.

Carving

LibCarvPath and CarvFS

The two programs LibCarvPath and CarvFS implement the concept of in-place carving. Both were developed under the Open Computer Forensics Architecture framework.

Lab

Scalpel Version 1.60

Golden Richard released version 1.60 of his file carver Scalpel. This is the first version to support the concept of in-place carving.

Carving

In-Place Carving

Carving is a common technique for recovering deleted files, but it usually requires a lot of disk space. Now an improved technique, called in-place, in-line or zero space carving, is going to change that - and it also noticeably speeds up processing.

Lab

The Sleuth Kit Version 2.07

Version 2.07 of The Sleuth Kit has been released. Several bugs have been fixed and the tool has been adapted to the latest versions of AFFlib and libewf. The package for the Microsoft Windows platform has also been updated.

Lab

NIST tests Write Blockers by WiebeTech

NIST released two reports about WiebeTech's SATADock. Two versions were tested, one with a USB interface and one with a FireWire interface.

Lab

WinHex Templates for ReiserFS 4

Jens Kirschner released templates for the WinHex editor and X-Ways Forensics to parse the structures of ReiserFS 4. Among others, the collection contains templates for the superblock, node header, item header and directory entries.

Memory analysis

Crash without CtrlScroll

Forcing Windows to crash by repeatedly pressing the Ctrl-Scroll keys is a well-established way to generate a memory dump. Unfortunately the system has to be configured (and rebooted) prior to an incident to enable this functionality. In a blog post C4RTMAN wonders whether there is another way to make the system crash. Now, here is an answer.

Memory analysis

FATKit

The upcoming issue of Digital Investigation (Vol. 3, Issue 4) will contain an interesting article by Nick L. Petroni, AAron Walters, Timothy Fraser and William A. Arbaugh about their memory analysis tool FATKit. A preprint is available free of charge at the FATKit website.
