May 2007 Archives

As shown earlier, a search based on the similarity in the upper portion of Page Directories leads to several false positives. In this article I'm going to take a closer look at these PD look-alikes.
In this article I provide a spell of magic(5) which allows file(1) to identify Vista event log files in their native form (.evtx).
Golden G. Richard III, Vassil Roussev and Lodovico Marziale describe a file carver that is able to work on local and remote drives. They presented their paper In-Place File Carving at the 3rd annual IFIP WG 11.9 International Conference.
Bill Tydeman reported a new event log on the Windows Forensic Analysis group at Yahoo! and on his new blog. The weird thing is, this log seemingly is not properly configured and the log file is garbled.
The program library libewf supports the SMART and EnCase data formats which are widely used in disk imaging. The library compiles under Linux, *BSD, OS-X and Microsoft Windows. The latest version was released on May 12, 2007 by its authors Robert-Jan Mora and Joachim Metz. More information is available from the release notes.
Under Microsoft Windows the address space of a process is split into halves: the lower 2 GiB of virtual memory are available to userland, while the upper 2 GiB are reserved for the kernel (as always, I assume a 32-bit platform and the absence of fancy boot options here to keep things as simple as possible). In this post I describe how this organization of the address space can be exploited in order to find Page Directories.
Memory analysis tools like the Microsoft Debugger or PTFinder identify processes and will additionally show you the Page Directory Base Address, because this information is needed as a starting point to reconstruct the virtual address space of the process. I was thinking for a while about reversing this method, that is, to search a memory dump for Page Directories and use that information to locate the processes. In this post I describe an elegant method to locate Page Directories, which exploits the fact that Page Directories are self-referential.
My paper Introducing the Microsoft Vista Event Log File Format has been accepted for presentation at DFRWS 2007. See you in Pittsburgh!
