December 2006 Archives

Reconstruction of Corrupted Event Logs

Viewing a saved Windows Event Log file on a different system can be unexpectedly difficult: the Event Log Service may refuse to open the file because it appears to be corrupted. In that situation a procedure documented by Stephan Bunting may provide first aid.

MemParser Version 1.0

MemParser by Chris Betz is one of the two programs that were declared winners of the DFRWS 2005 Memory Analysis Challenge. In the meantime the author has published the program sources at Sourceforge.

LibCarvPath and CarvFS

The two programs LibCarvPath and CarvFS implement the concept of in-place carving. Both were developed under the Open Computer Forensics Architecture framework.

Scalpel Version 1.60

Golden Richard has released version 1.60 of his file carver Scalpel. This is the first version to support the concept of in-place carving.

In-Place Carving

Carving is a common technique for recovering deleted files. It usually requires a lot of disk space. Now an improved technique, called in-place, in-line or zero-space carving, is going to change that, and it also noticeably speeds up processing.

The Sleuth Kit Version 2.07

Version 2.07 of The Sleuth Kit has been released. Several bugs have been fixed and the tool has been adapted to the latest versions of AFFlib and libewf. The package for the Microsoft Windows platform has also been updated.

NIST tests Write Blockers by WiebeTech

NIST has released two reports about WiebeTech's SATADock. They tested two versions, one with a USB and one with a FireWire interface.

WinHex Templates for ReiserFS 4

Jens Kirschner has released templates for the WinHex editor and X-Ways Forensics to parse the structures of ReiserFS 4. Among others, the collection contains templates to parse the superblock, node header, item header and directory entries.

Crash without CtrlScroll

Forcing Windows to crash with the Ctrl+Scroll Lock key combination is a proven way to generate a memory dump. Unfortunately the system has to be configured (and rebooted) prior to an incident to enable this functionality. In a blog post C4RTMAN wonders whether there is another way to make the system crash. Now, here's an answer.

FATKit

The upcoming issue of Digital Investigation (Vol. 3, Issue 4) will contain an interesting article by Nick L. Petroni, AAron Walters, Timothy Fraser and William A. Arbaugh about their memory analysis tool FATKit. A preprint is available free of charge at the FATKit website.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.