int for(ensic){blog;}

I'm excited to release version 0.3.05 of PTFinder to the public. This version fixes an endianess issue. It provides support for dumps that where obtained while under the effect of the Intel Physical Address Extension (PAE). Also there's a ready-to-run binary available for the Microsoft Windows platform.

By Andreas Schuster at 11/27/2007, 04:00 PM | Permalink

Lance Mueller has released an EnScript that searches a memory dump for MFT entries.

By Andreas Schuster at 11/15/2007, 04:00 PM | Permalink

Guidance Software's EnCase provides the forensic examiner with a powerful scripting language, called EnScript. Beside the vendor-operated fora there's not much information about EnScript circulating in the net. A blog by Lance Mueller fills some need here.

By Andreas Schuster at 11/14/2007, 04:00 PM | Permalink

Evtim Batchev of SUN Iberia presented about live-response on the SUN Solaris platform at the 22^nd TF-CSIRT meeting. His slides cover several data structures of the Solaris kernel and how they can be used in an examination of a running system.

By Andreas Schuster at 11/12/2007, 04:00 PM | Permalink

The Fall 2007 issue of the International Journal of Digital Evidence (IJDE) has been posted. This issue contains three articles.

By Andreas Schuster at 11/09/2007, 04:00 PM | Permalink

Some time ago Skape and Skywing have published a Catalogue of Windows Kernel-mode Backdoor Techniques.

By Andreas Schuster at 11/07/2007, 04:00 PM | Permalink

I have overhauled PoolFinder and the accompanying tools. The tools now use a SQLite data base instead of flat files for exachanging data. An experimental package now provides stand-alone versions of the tools, along with an embedded Perl interpreter.

By Andreas Schuster at 11/05/2007, 04:00 PM | Permalink