Side notes

e-Forensics 2008

The First International Conference on Forensic Applications and Techniques in Telecommunications, Information and Multimedia will be held in Adelaide, Australia from January 21-24, 2008. The Call for Papers closes September 28, 2007. Among the topics of interest are data mining, multimedia source identification, image tamper detection and data carving. Further information is available at the conference website.

Vista event log

A Parser to Transform Vista Event Log Files into Plain Text

I am pleased to announce the release of my parser framework for Vista event log files. It mainly consists of a set of Perl modules that implement the data structures which are known to me at this time. The archive also contains two sample programs that transform the native, binary event log file into textual XML. This release accompanies my talk at the DFRWS 2007 in Pittsburgh.

Lab

Critical Update for Tableau Write Blockers

Tableau has released firmware version 4.3 for its family of hardware write blockers. This version fixes a critical error when imaging drives with bad sectors and also resolves some minor issues.

Vista event log

Evtx Data Types

One of the major novelties of the Vista event log is that it supports an extensive set of data types. Those exposed at the API level are documented in a header file (WinEvt.h) and, of course, in the Microsoft Developer Network.

NT event log

Security Event ID Cheat Sheet

Do you know the meaning of all the different event ID codes in the security event log of Microsoft Windows NT, 2000, XP and 2003? The Digital Forensics Institute provides you with a cheat sheet of all the codes and their meaning. (via e-evidence.info)

Memory analysis

From Volatools to Volatility

There's a new tool to analyze Windows memory dumps: Volatility. At first glance it looks like Volatools, but there are some significant changes.

Side notes

Upcoming Workshop on Windows Memory Analysis

I'm excited to announce that I will hold a workshop on Windows Memory Analysis on Thursday, September 13, 2007 at the IMF Conference in Stuttgart, Germany.

Side notes

IMF 2007

The 3rd International Conference on IT-Incident Management and IT-Forensics (IMF 2007) will be held from September 11-13, 2007 at the Fraunhofer IAO in Stuttgart, Germany.

The agenda has been published. There is now also a third day, which is dedicated to workshops.

Vista event log

A Template to Parse Substitution Arrays

In the last post I described how the substitution mechanism works and how it relies on a data structure called the "SubstitutionArray". If you know or assume a certain XML structure, the task of transforming a native event log file into a textual form actually consists of parsing the SubstitutionArray. I've written some small templates for the 010 Hex Editor to facilitate this task.
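
As an added illustration for both the "Evtx Data Types" and the "SubstitutionArray" posts above (this is not code from the original posts, nor from the Perl parser framework or the 010 templates they announce), the following Python sketch parses a BinXml substitution array as I understand its layout: a 32-bit entry count, then one 4-byte descriptor per entry (16-bit value size, 8-bit EVT_VARIANT_TYPE code, one reserved byte), followed by the values back to back. The type codes are the EVT_VARIANT_TYPE values from WinEvt.h; the sample array is constructed inline and not taken from a real log; decoding AnsiString as Latin-1 and leaving SysTime, SizeT, handles and nested BinXml undecoded are simplifications of my own.

```python
import struct
from datetime import datetime, timedelta, timezone

# EVT_VARIANT_TYPE codes from WinEvt.h (subset; handles and nested XML omitted)
EVT_VAR_TYPE = {
    0x00: "Null", 0x01: "String", 0x02: "AnsiString", 0x03: "SByte",
    0x04: "Byte", 0x05: "Int16", 0x06: "UInt16", 0x07: "Int32",
    0x08: "UInt32", 0x09: "Int64", 0x0A: "UInt64", 0x0B: "Single",
    0x0C: "Double", 0x0D: "Boolean", 0x0E: "Binary", 0x0F: "Guid",
    0x10: "SizeT", 0x11: "FileTime", 0x12: "SysTime", 0x13: "Sid",
    0x14: "HexInt32", 0x15: "HexInt64",
}

# FILETIME counts 100 ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

INT_FMT = {0x03: "<b", 0x04: "<B", 0x05: "<h", 0x06: "<H", 0x07: "<i",
           0x08: "<I", 0x09: "<q", 0x0A: "<Q", 0x0B: "<f", 0x0C: "<d"}


def decode_sid(raw):
    """Binary SID -> 'S-<rev>-<authority>-<sub>...'."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big endian
    subs = struct.unpack_from("<%dI" % count, raw, 8)  # 32-bit, little endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def decode_value(vtype, raw):
    """Turn the raw bytes of one substitution value into a Python value."""
    if vtype == 0x00:
        return None
    if vtype == 0x01:
        return raw.decode("utf-16-le").rstrip("\x00")
    if vtype == 0x02:
        # The ANSI code page is system dependent; Latin-1 is an assumption here.
        return raw.decode("latin-1").rstrip("\x00")
    if vtype in INT_FMT:
        return struct.unpack(INT_FMT[vtype], raw)[0]
    if vtype == 0x0D:
        return struct.unpack("<I", raw)[0] != 0      # BOOL is 32 bits wide
    if vtype == 0x0E:
        return raw.hex()
    if vtype == 0x0F:
        d1, d2, d3 = struct.unpack_from("<IHH", raw)
        return "{%08x-%04x-%04x-%s-%s}" % (d1, d2, d3, raw[8:10].hex(), raw[10:16].hex())
    if vtype == 0x11:
        ticks = struct.unpack("<Q", raw)[0]
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    if vtype == 0x13:
        return decode_sid(raw)
    if vtype == 0x14:
        return "0x%08x" % struct.unpack("<I", raw)[0]
    if vtype == 0x15:
        return "0x%016x" % struct.unpack("<Q", raw)[0]
    return raw.hex()   # SysTime, SizeT, handles, nested BinXml: left undecoded


def parse_substitution_array(data):
    """Return [(type name, decoded value), ...] for one substitution array."""
    (count,) = struct.unpack_from("<I", data, 0)
    descriptors = [struct.unpack_from("<HBx", data, 4 + 4 * i) for i in range(count)]
    pos = 4 + 4 * count
    values = []
    for size, vtype in descriptors:
        raw = data[pos:pos + size]
        if len(raw) != size:
            raise ValueError("substitution array truncated at offset %d" % pos)
        name = EVT_VAR_TYPE.get(vtype, "Unknown(0x%02x)" % vtype)
        values.append((name, decode_value(vtype, raw)))
        pos += size
    return values


def build_sample():
    """Constructed sample array (assumed content, not taken from a real log)."""
    delta = datetime(2007, 8, 1, tzinfo=timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    entries = [
        (0x01, "Administrator".encode("utf-16-le")),               # String
        (0x06, struct.pack("<H", 16)),                               # UInt16
        (0x11, struct.pack("<Q", ticks)),                            # FileTime
        (0x13, bytes([1, 1, 0, 0, 0, 0, 0, 5]) + struct.pack("<I", 18)),  # Sid S-1-5-18
        (0x14, struct.pack("<I", 0xC0000064)),                       # HexInt32
        (0x00, b""),                                                 # Null
    ]
    header = struct.pack("<I", len(entries))
    descriptors = b"".join(struct.pack("<HBx", len(v), t) for t, v in entries)
    return header + descriptors + b"".join(v for _, v in entries)


if __name__ == "__main__":
    for name, value in parse_substitution_array(build_sample()):
        print("%-10s %r" % (name, value))
```

The size check in parse_substitution_array matters in practice: a record whose descriptors claim more bytes than the chunk holds is either corrupt or carved from a partially overwritten area, and a parser that silently reads past the end will produce plausible-looking but wrong values.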