The First International Conference on Forensic Applications and Techniques in Telecommunications, Information and Multimedia will be held in Adelaide, Australia from January 21-24, 2008. The Call for Paper closes September 28, 2007. Among the topics of interest are data mining, multimedia source identification, image tamper detection and data carving. Further information is available at the conference website
August 2007 Archives
I am pleased to announce the release of my parser framework for Vista event log files. It mainly consists of a set of Perl modules that implement the data structures which are known to me at this time. The archive also contains two sample programs that transform the native, binary event log file into textual XML. This release accompanies my talk at the DFRWS 2007 in Pittsburgh.
Continue reading A Parser to Transform Vista Event Log Files into Plain Text.
Tableau has released firmware version 4.3 for its family of hardware write blockers. This version fixes a critical error when imaging drives with bad sectors and also resolves some minor issues.
One of the major novelties of the Windows event logging is that it supports an extensive set of data types. Those above the API are documented in a header file (WinEvt.h) and in the Microsoft Developer Network, of course.
Continue reading Evtx Data Types.
Do you know the meaning of all the different event ID codes in the security event log of Microsoft Windows NT, 2000, XP and 2003? The Digital Forensics Institute provides you with a cheat sheet of all the codes and their meaning. (via e-evidence.info)
Continue reading Security Event ID Cheat Sheet.
There's a new tool to analyze Windows memory dumps: Volatility. At a first glance it looks like Volatools, but there are some significant changes.
Continue reading From Volatools to Volatility.
I'm excited to announce that I will held a workshop on Windows Memory Analysis on Thursday September 13, 2007 at the IMF Conference in Stuttgart, Germany.
Continue reading Upcoming Workshop on Windows Memory Analysis.
The 3rd International Conference on IT-Incident Management and IT-Forensics (IMF 2007) will be held from September 11-13, 2007 at the Fraunhofer IAO in Stuttgart, Germany.
The agenda has been published. Now there's also a 3rd day which is dedicated to workshops.
In the last post I've described how the substitution mechanism works and how it relies on a data structure called the "SubstitutionArray". If you know or assume a certain XML structure then the task of transforming a native event log file into a textual form actually consists in parsing the SubstitutionArray. I've written some small templates for the 010 Hex Editor in order to facilitate this task.
Continue reading A Template to Parse Substitution Arrays.
