
Lab

NIST tests DCCIdd Version 2.0

NIST has released the test results for version 2.0 of DCCIdd. According to the report, DCCIdd did not acquire sectors that were hidden by a Device Configuration Overlay (DCO). Following a faulty sector, the tool filled up to 7 additional sectors with null bytes.

Library

Linux Memory Analysis Challenge

Every year the Digital Forensics Research Workshop challenges the digital forensics community to work on a special assignment in order to stimulate focused research and the development of new tools. This year the challenge is to analyse the memory dump of a Linux host. The assignment and some details were just posted to the DFRWS web site. Submissions are due July 20, 2008.

Lab

Increasing Lab Efficiency

The US National Institute of Justice has published a short white paper titled Increasing Efficiency in Crime Laboratories.


Side notes

Data Recovery Challenge

Is it possible to recover data from a hard disk drive that has been overwritten with zeros? This is the question behind The Great Zero Challenge that starts today.


Side notes

CRU-DataPort Acquires WiebeTech

Various news sources report that WiebeTech LLC was acquired by CRU Data-Port as of today.


Lab

NIST tests Software Write Blockers

NIST just released the test reports for two software write blockers by Booz, Allen, Hamilton. They tested version 5.02.00 for Microsoft Windows 2000 and version 6.10.00 for Microsoft Windows XP. The tests identified anomalies in both versions.


Memory analysis

Acquisition (4): hiberfil.sys

Microsoft Windows supports a suspend-to-disk mode. Whenever the system is sent to sleep, it saves all of the system's state in a file called hiberfil.sys. Nicolas Ruff and Matthieu Suiche developed a library, called Sandman, that allows reading and writing the hibernation file. They recently presented their results at PacSec 07.
