Multimedia

Arrangement of JPEG Quantization Tables

In an earlier post I described the structure of quantization tables in a JPEG file. Closer inspection reveals that there are two different ways to store the information.

Side notes

DFRWS 2008

The Digital Forensics Research Workshop 2008 (DFRWS) will be held in Baltimore, MD, US from August 11 to 13, 2008. The Call for Papers has been published; the deadline is March 17, 2008.

03/14/2008: The submission deadline was extended to March 24, 2008.

Library

md5deep Version 2.0

Jesse Kornblum has released version 2.0 of his popular file-hashing application md5deep. The tool now supports Unicode characters in file names when run on the Microsoft Windows platform. md5deep now also processes hash values from hash sets in EnCase format (.hash). Please see the changelog for details and further bug fixes.

Lab

Hashing of Program Files

BinHash by Chris Rohls calculates the usual hash sums like MD5 and SHA-1 on program files that are in either ELF (Unix) or PE (Microsoft Windows) format. Unlike similar tools, it calculates and displays the hashes not for the whole file but for every single section. The author uses this technique to compare variants of malware. Some time ago I proposed the same technique for memory analysis purposes.

Windows

Templates for Groups

In an earlier post I described how a hex editor can be used to enumerate the members of a group from the security manager's database. At a reader's request, I am now releasing the complete template for the 010 Editor.
