August 2007 Archives

e-Forensics 2008

The First International Conference on Forensic Applications and Techniques in Telecommunications, Information and Multimedia will be held in Adelaide, Australia from January 21-24, 2008. The Call for Papers closes September 28, 2007. Among the topics of interest are data mining, multimedia source identification, image tamper detection and data carving. Further information is available at the conference website.

A Parser to Transform Vista Event Log Files into Plain Text

I am pleased to announce the release of my parser framework for Vista event log files. It mainly consists of a set of Perl modules that implement the data structures which are known to me at this time. The archive also contains two sample programs that transform the native, binary event log file into textual XML. This release accompanies my talk at the DFRWS 2007 in Pittsburgh.

Critical Update for Tableau Write Blockers

Tableau has released firmware version 4.3 for its family of hardware write blockers. This version fixes a critical error when imaging drives with bad sectors and also resolves some minor issues.

Evtx Data Types

One of the major novelties of Windows event logging is that it supports an extensive set of data types. Those visible at the API level are documented in a header file (WinEvt.h) and, of course, in the Microsoft Developer Network.

Security Event ID Cheat Sheet

Do you know the meaning of all the different event ID codes in the security event log of Microsoft Windows NT, 2000, XP and 2003? The Digital Forensics Institute provides you with a cheat sheet of all the codes and their meaning. (via e-evidence.info)

From Volatools to Volatility

There's a new tool to analyze Windows memory dumps: Volatility. At first glance it looks like Volatools, but there are some significant changes.

Upcoming Workshop on Windows Memory Analysis

I'm excited to announce that I will hold a workshop on Windows Memory Analysis on Thursday September 13, 2007 at the IMF Conference in Stuttgart, Germany.

IMF 2007

The 3rd International Conference on IT-Incident Management and IT-Forensics (IMF 2007) will be held from September 11-13, 2007 at the Fraunhofer IAO in Stuttgart, Germany. The agenda has been published; there is now also a third day, which is dedicated to workshops.

A Template to Parse Substitution Arrays

In the last post I described how the substitution mechanism works and how it relies on a data structure called the "SubstitutionArray". If you know or assume a certain XML structure, then the task of transforming a native event log file into a textual form actually consists of parsing the SubstitutionArray. I've written some small templates for the 010 Hex Editor in order to facilitate this task.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.