Memory analysis
Searching for Page Directories (3)
In a blog post Jacky Wu describes how to search for Page Directories if Windows XP SP2 is operating in PAE mode.
« November 2007 | Main | January 2008 »
Library
Credit Card Forensics
In the December issue (vol. 50, no. 12) of the Communications of the ACM Hal Berghel takes a closer look at unsuspicious cards with a magnetic stripe on it, like membership cards, gift certificates or hotel room keys. He found the duplicated data of credit cards.
Memory analysis
A Page Directory Pointer Table Template for the 010 Editor
I expect to examine an increasing number of memory images of Microsoft Windows in PAE mode. Today I release a template for the 010 Editor that parses structures from thePage Directory Pointer Table down to the single Page Table Entry.
Library
The Journal of the ext3 File System
In his paper Taking advantage of Ext3 journaling file system in a forensic investigation Gregorio Narváez describes the journal of the ext3 file system.
Multimedia
Manipulations of JPEG Quantization Tables (2)
In the last post I demonstrated how a the origin of an image could be concealed by small changed to the quantization tables. In this article I'm attempting to make a drawing look like a photograph - at least in regards to its quantization tables.
Multimedia
Manipulations of JPEG Quantization Tables (1)
Blog reader Mark Cox pointed out that it is easy to forge a quantization table. That's true! In this article I provide a first example on how the tables can be manipulated in order to conceal the origin of an image.
Memory analysis
User Data Persistence
In an article for Digital Investigation Jason Solomon, Ewa Huebner, Derek Bem and Magdalena Szeżynska examine the persistence of userland data on SuSE Linux 10.0 and Microsoft Windows XP SP2. For both operating systems the authors observed that almost no data could be recovered from the userland portion of the address space 5 minutes past the termination of the owning process.
Multimedia
Comparing JPEG Quantization Tables
With this blog post I release a small script that helps in comparing quantization tables of JPEG images.
Search
Deutsch
Deutschsprachige Ausgabe
Categories
- Lab (40)
- FTK 2 (5)
- Library (20)
- Side notes (48)
- Topics
- Carving (9)
- File Systems (1)
- Multimedia (7)
- Network forensics (2)
- Windows (1)
- Memory analysis (97)
- NT event log (8)
- Vista event log (24)
Archives
- December 2009
- November 2009
- October 2009
- May 2009
- April 2009
- March 2009
- February 2009
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
- February 2006
- December 2005
- November 2005
- October 2005
Latest articles
Subscribe
Imprint
This blog is a project of
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
Germany
impressum@forensikblog.de
Copyright © 2005-2010 by
Andreas Schuster
All rights reserved.