
Memory analysis

Copies of Page Directories

As shown earlier, a search based on the similarity of the upper portion of Page Directories leads to several false positives. In this article I take a closer look at these PD look-alikes.


Vista event log

Evtx Magic

In this article I provide a spell of magic(5) which allows file(1) to identify Vista event log files in their native form (.evtx).


Carving

Paper about In-Place File Carving

Golden G. Richard III, Vassil Roussev and Lodovico Marziale describe a file carver that is able to work on local and remote drives. They presented their paper In-Place File Carving at the 3rd annual IFIP WG 11.9 International Conference.


Memory analysis

Walking the VAD Tree

Virtual Address Descriptors (VADs) record the usage of virtual addresses by a process. VADs are kept in a balanced tree, and a member of the _EPROCESS structure points to the root node. Rebuilding the VAD tree makes it possible to reconstruct a process' memory space along with all the files mapped into it. Brendan Dolan-Gavitt will speak about the matter at DFRWS 2007. He has just released a set of tools called vadtools accompanying his paper.


NT event log

Weird IE7 Event Log

Bill Tydeman reported a new event log on the Windows Forensic Analysis group at Yahoo! and on his new blog. The weird thing is that this log is apparently not configured properly and the log file is garbled.


Side notes

New Release of Libewf

The libewf library supports the SMART and EnCase data formats, which are widely used in disk imaging. The library compiles under Linux, *BSD, Mac OS X and Microsoft Windows. The latest version was released on May 12, 2007 by its authors Robert-Jan Mora and Joachim Metz. More information is available from the release notes.


Side notes

Visualization of Web Server Logs

A lot of similar tools exist that visualize the log file of a web server as a set of bar and pie charts. However, in this interesting two-part article Raju Varghese describes how to visualize web server logs as three-dimensional, multicolored graphs using GnuPlot and Perl. The graphs are laden with dense information, yet relatively easy to interpret. Read part 1 and part 2 at O'Reilly SysAdmin.

Via SecGuru.

Lab

NIST tests ILook IXimager

NIST has released its test report of the ILook IXimager software, version 2.0. As with other ILook software, this product is available to law enforcement only. The report is publicly available from the NCJRS website.

Memory analysis

Searching for Page Directories (2)

Under Microsoft Windows the address space of a process is split into halves: the lower 2 GiB of virtual memory are available to userland, while the upper 2 GiB are reserved for the kernel (as always, I assume a 32-bit platform and the absence of fancy boot options here to keep things as simple as possible). In this post I describe how this organization of the address space can be exploited in order to find Page Directories.


Memory analysis

Searching for Page Directories (1)

Memory analysis tools like the Microsoft Debugger or PTFinder identify processes and additionally show you the Page Directory Base Address, because this information is needed as a starting point for reconstructing the virtual address space of the process. I had been thinking for a while about reversing this method, that is, searching a memory dump for Page Directories and using that information to locate the processes. In this post I describe an elegant method to locate Page Directories, which exploits the fact that Page Directories are self-referential.


Vista event log

DFRWS 2007 Paper

My paper Introducing the Microsoft Vista Event Log File Format has been accepted for presentation at DFRWS 2007. See you in Pittsburgh!
