int for(ensic){blog;}

The sole purpose of this short posting is to provide you with an extended snippet for your magic(5) file. Now file(1) can identify both 32bit and 64bit versions of crash dumps and tell the most important of their properties.

By Andreas Schuster at 02/29/2008, 04:00 PM | Permalink

Crash Dumps of 32bit and 64bit versions of Microsoft Windows differ significantly. Because the market share of 64bit machines increases steadily, I decided to update my post on the Crash Dump (DMP) format.

By Andreas Schuster at 02/28/2008, 04:00 PM | Permalink

Matthieu Suiche and Nicolas Ruff have just released their first public version of the Sandman Framework.

By Andreas Schuster at 02/26/2008, 09:50 PM | Permalink

Recently I discovered the blog "8 bits" by Mark Stam. He writes about IT, Information Security and Computer Forensics. If you don't speak Dutch, you could still try to read his posts through Google Translate.

By Andreas Schuster at 02/26/2008, 04:00 PM | Permalink

Cutting the power or forcing a reset may not look like being proper procedures to preserve a computer's main memory. However, current research tells a different and fascinating story.

By Andreas Schuster at 02/25/2008, 04:00 PM | Permalink

Brendan Dolan-Gavitt describes in a detailed blog post , how to find and how to interpret information about registry hives in memory images.

By Andreas Schuster at 02/11/2008, 04:00 PM | Permalink

ACME Portable Computer GmbH will host a get-together of computer forensics experts from Germany and abroad at the CeBIT trade fair in Hannover, Germany at 5 March, 2008. Beside a meet and greet there are two talks on the agenda. Alexander Geschonneck will present on Vista forensics, while eTRACE from Italy will speak about the examination of Linux systems. For further information and registration please see here.

By Andreas Schuster at 02/05/2008, 04:00 PM | Permalink

FireWire provides a simple and reliable means to image another computer's main memory. In this article I'll briefly talk about the history of direct memory access through FireWire. Also I will explain how to acquire a RAM image using the Helix boot CD.

By Andreas Schuster at 02/04/2008, 04:00 PM | Permalink

Jesse Kornblum has released the first version of his new acquisition tool dc3dd. It is based on GNU dd which ship with the coreutils (that explains the version number) and incorporates ideas from the well-known dcfldd. More information is available from the ForensicWiki article on dc3dd and the manual page.

By Andreas Schuster at 02/02/2008, 04:00 PM | Permalink