int for(ensic){blog;}

Viewing a saved Windows Event Log file on a different system might be unexpectedly difficult. The Event Log Service might refuse to open the file as it appears to be corrupted. In that situation a procedure documented by Stepahn Bunting may provide first aid.

By Andreas Schuster at 12/21/2006, 05:00 PM | Permalink

MemParser by Chris Betz is one of two programs which were declared the winners of the DFRWS 2005 Memory Analysis Challenge. In the meanwhile the author publsihed the program sources at Sourceforge.

By Andreas Schuster at 12/20/2006, 05:00 PM | Permalink

The two programs LibCarvPath and CarvFS implement the concept of in-place carving. Both were developed under the Open Computer Forensics Architecture framework.

By Andreas Schuster at 12/19/2006, 05:00 PM | Permalink

Golden Richard released version 1.60 of his file carver Scalpel. This version for the first time supports the concept of in-place carving.

By Andreas Schuster at 12/18/2006, 05:00 PM | Permalink

Carving is a common technique to recover deleted files. It usually requires a lot of disk space. Now an inproved technique, called in-place, in-line or zero space carving, is going to change that - and it also noticeable speeds up processing.

By Andreas Schuster at 12/17/2006, 05:55 PM | Permalink

Version 2.07 of The Sleuth Kit has been released. Several bugs have been fixed and the tool has been adopted to the latest versions of AFFlib and libewf . The package for the Microsoft Windows platform also has been updated.

By Andreas Schuster at 12/16/2006, 08:50 PM | Permalink

NIST released two reports about WiebeTech's SATADock. They tested two versions with USB and FireWire interface.

By Andreas Schuster at 12/07/2006, 04:50 PM | Permalink

Jens Kirschner released templates for WinHex editor and X-Ways Forensics to parse structures of ReiserFS 4.veröffentlicht. Among others the collection contains templates to parse the superblock, node header, item header and directory entries.

By Andreas Schuster at 12/05/2006, 04:00 PM | Permalink

Forcing Windows to crash on a repeated press of the Ctrl-Scroll keys is a probate way to generate a memory dump. Unfortunately the system has to be configured (and rebooted) prior to an incident to enable this functionality. In a blog post C4RTMAN wonders whether there's another way to make the system crash. Now, here's an answer.

By Andreas Schuster at 12/04/2006, 05:00 PM | Permalink

The upcoming issue of Digital Investigation (Vol. 3, Issue 4) will contain an interesting article by Nick L.Petroni, AAron Walters, Timothy Fraser and William A. Arbaugh about their memory analysis tool FATKit. A preprint is available free of charge at the FATKit website.

By Andreas Schuster at 12/01/2006, 06:00 PM | Permalink