April 2008 Archives
The introductory post already provided some indications of (dis-)similarities in "independent" implementations of a certain function by three vendors. In this post I'm comparing two of the three implementations. I will also reveal the identities of their vendors.
A recent incident motivated me to take a closer look at software forensics. To be precise, the question is how to detect plagiarism. In this post I'm going to describe the case. I will also discuss a simple indicator for similarities in executables.
While I was trying to tune FTK 2.0 to my needs I came upon some settings that might affect the security of your lab. I filed a ticket with AccessData's support team and told them about my observations. They reacted promptly and announced that they would fix the issues in the upcoming release. Now that FTK version 2.0.2 has been released to the public, it's time for me to disclose those issues.
ssdeep employs fuzzy hashing (context-triggered piecewise hashing) to measure the degree of similarity between files. Jesse Kornblum has just released version 2.0 of his program.
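To show what "fuzzy hashing" means in practice, here is an added Python sketch of a context-triggered piecewise hash. It is not ssdeep's code and not part of the original post: ssdeep chooses the block size adaptively from the file size and scores with a weighted edit distance, whereas this toy fixes the block size at 64 and uses plain Levenshtein distance. The three sample "files" are constructed with a seeded PRNG so the example runs offline.

```python
import random

WINDOW = 7            # rolling-hash window, the same width ssdeep uses
BLOCK_SIZE = 64       # fixed here; ssdeep picks it adaptively from the file size
MASK = 0xFFFFFFFF
FNV_PRIME, FNV_OFFSET = 0x01000193, 0x811C9DC5
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


class RollingHash:
    """Hash of the last WINDOW bytes, updated in O(1) per byte.

    Because the value depends only on the last WINDOW bytes, the piece
    boundaries re-synchronise a few bytes after any local edit: that is
    what makes the final signature tolerant to insertions and patches."""

    def __init__(self):
        self.window = [0] * WINDOW
        self.n = 0
        self.h1 = self.h2 = self.h3 = 0

    def update(self, byte):
        old = self.window[self.n % WINDOW]
        self.h2 = self.h2 - self.h1 + WINDOW * byte   # position-weighted sum of the window
        self.h1 = self.h1 + byte - old                # plain sum of the window
        self.h3 = ((self.h3 << 5) ^ byte) & MASK      # shift-xor; bytes older than WINDOW fall off
        self.window[self.n % WINDOW] = byte
        self.n += 1
        return (self.h1 + self.h2 + self.h3) & MASK


def fuzzy_hash(data, block_size=BLOCK_SIZE):
    """Return 'block_size:signature' with one base64 character per piece."""
    roll = RollingHash()
    piece = FNV_OFFSET
    sig = []
    for b in data:
        piece = ((piece ^ b) * FNV_PRIME) & MASK      # FNV-1a over the current piece
        if roll.update(b) % block_size == block_size - 1:
            sig.append(ALPHABET[piece & 63])          # context trigger: close the piece
            piece = FNV_OFFSET
    if piece != FNV_OFFSET:                           # trailing, unterminated piece
        sig.append(ALPHABET[piece & 63])
    return "%d:%s" % (block_size, "".join(sig))


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def compare(h1, h2):
    """Similarity score 0..100 of two fuzzy hashes (0 if block sizes differ)."""
    bs1, s1 = h1.split(":", 1)
    bs2, s2 = h2.split(":", 1)
    if bs1 != bs2:
        return 0
    longest = max(len(s1), len(s2))
    if longest == 0:
        return 100
    return 100 * (longest - levenshtein(s1, s2)) // longest


def sample_files():
    """Constructed inputs (not real binaries): a pseudo-random 4 KB 'file',
    a copy with 16 bytes patched in the middle, and an unrelated file."""
    rng = random.Random(2008)
    original = bytes(rng.getrandbits(8) for _ in range(4096))
    patched = original[:2000] + bytes(b ^ 0xFF for b in original[2000:2016]) + original[2016:]
    unrelated = bytes(rng.getrandbits(8) for _ in range(4096))
    return original, patched, unrelated


if __name__ == "__main__":
    original, patched, unrelated = sample_files()
    h_orig, h_patch, h_other = map(fuzzy_hash, (original, patched, unrelated))
    print(h_orig)
    print("patched  :", compare(h_orig, h_patch))
    print("unrelated:", compare(h_orig, h_other))
```

A conventional hash of the patched copy shares nothing with the original, while the piecewise signature differs in only the one or two characters covering the patched region, so the score stays high; the unrelated file of the same size scores low. For real casework use ssdeep itself rather than this sketch.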
I've just completed another dry run of FTK 2.0: preprocessing a 256 MB thumb drive resulted in a full-text index of more than 3 GB, and about 200 MB of table space were filled in the Oracle database. However, the whole operation took more than 4 hours! So let's have a closer look at the process and see what exactly is so time-consuming.
While I was creating my first case with brand-new FTK 2.0, the program suddenly ceased to work. But much to my surprise not all of the previous effort was lost.
