February 2008 Archives

64bit Magic

The sole purpose of this short posting is to provide you with an extended snippet for your magic(5) file. Now file(1) can identify both 32bit and 64bit versions of crash dumps and tell the most important of their properties.

64bit Crash Dumps

Crash dumps of 32bit and 64bit versions of Microsoft Windows differ significantly. Because the market share of 64bit machines is increasing steadily, I decided to update my post on the Crash Dump (DMP) format.

Sandman Version 1.0.080226

Matthieu Suiche and Nicolas Ruff have just released their first public version of the Sandman Framework.

A Blog from the Netherlands

Recently I discovered the blog "8 bits" by Mark Stam. He writes about IT, Information Security and Computer Forensics. If you don't speak Dutch, you could still try to read his posts through Google Translate.

Acquisition (6): The Guillotine

Cutting the power or forcing a reset may not look like proper procedures for preserving a computer's main memory. However, current research tells a different and fascinating story.

Registry Hives in Memory

Brendan Dolan-Gavitt describes in a detailed blog post how to find and how to interpret information about registry hives in memory images.

Get-together at CeBIT

ACME Portable Computer GmbH will host a get-together of computer forensics experts from Germany and abroad at the CeBIT trade fair in Hannover, Germany on 5 March 2008. Besides a meet and greet there are two talks on the agenda. Alexander Geschonneck will present on Vista forensics, while eTRACE from Italy will speak about the examination of Linux systems. For further information and registration please see here.

Acquisition (5): FireWire


FireWire provides a simple and reliable means to image another computer's main memory. In this article I'll briefly talk about the history of direct memory access through FireWire. I will also explain how to acquire a RAM image using the Helix boot CD.

dc3dd, Version 6.9.91

Jesse Kornblum has released the first version of his new acquisition tool dc3dd. It is based on GNU dd, which ships with the coreutils (that explains the version number), and incorporates ideas from the well-known dcfldd. More information is available from the ForensicWiki article on dc3dd and the manual page.


Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.
Powered by Movable Type 5.12