December 2007 Archives

Searching for Page Directories (3)

By Andreas Schuster on December 27, 2007 4:00 PM

In a blog post Jacky Wu describes how to search for Page Directories if Windows XP SP2 is operating in PAE mode.

Continue reading Searching for Page Directories (3).

Credit Card Forensics

By Andreas Schuster on December 21, 2007 4:00 PM
In the December issue (vol. 50, no. 12) of the Communications of the ACM Hal Berghel takes a closer look at unsuspicious cards with a magnetic stripe on it, like membership cards, gift certificates or hotel room keys. He found the duplicated data of credit cards.
Continue reading Credit Card Forensics.

A Page Directory Pointer Table Template for the 010 Editor

By Andreas Schuster on December 17, 2007 4:00 PM
I expect to examine an increasing number of memory images of Microsoft Windows in PAE mode. Today I release a template for the 010 Editor that parses structures from thePage Directory Pointer Table down to the single Page Table Entry.
Continue reading A Page Directory Pointer Table Template for the 010 Editor.

The Journal of the ext3 Filesystem

By Andreas Schuster on December 12, 2007 4:00 PM | 1 Comment

In his paper Taking advantage of Ext3 journaling file system in a forensic investigation Gregorio Narváez describes the journal of the ext3 filesystem.

Continue reading The Journal of the ext3 Filesystem.

Manipulations of JPEG Quantization Tables (2)

By Andreas Schuster on December 11, 2007 4:00 PM

In the last post I demonstrated how a the origin of an image could be concealed by small changed to the quantization tables. In this article I'm attempting to make a drawing look like a photograph - at least in regards to its quantization tables.

Continue reading Manipulations of JPEG Quantization Tables (2).

Manipulations of JPEG Quantization Tables (1)

By Andreas Schuster on December 10, 2007 4:00 PM

Blog reader Mark Cox pointed out that it is easy to forge a quantization table. That's true! In this article I provide a first example on how the tables can be manipulated in order to conceal the origin of an image.

Continue reading Manipulations of JPEG Quantization Tables (1).

User Data Persistence

By Andreas Schuster on December 5, 2007 4:00 PM
In an article for Digital Investigation Jason Solomon, Ewa Huebner, Derek Bem and Magdalena Szeżynska examine the persistence of userland data on SuSE Linux 10.0 and Microsoft Windows XP SP2. For both operating systems the authors observed that almost no data could be recovered from the userland portion of the address space 5 minutes past the termination of the owning process.

Comparing JPEG Quantization Tables

By Andreas Schuster on December 3, 2007 4:00 PM | 1 TrackBack

With this blog post I release a small script that helps in comparing quantization tables of JPEG images.

Continue reading Comparing JPEG Quantization Tables.
« November 2007 | Main Index | Archives | January 2008 »

Search

Deutsch

Deutschsprachige Ausgabe

Recent Entries

Tag Cloud

Categories

Archives

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.
Powered by Movable Type 5.12