« March 2008 | Main | May 2008 »

Side notes

The Implementation by Vendor "S"

The introductory post already provided some indications of (dis-)similarities in "independent" implementations of a certain function by three vendors. In this post I'm comparing two of the three implementations. Also I will reveal the identities of their vendors.

(more...)

By Andreas Schuster at 04/30/2008, 04:00 PM |

Side notes

The 3 Vendors

A recent incident motivated me to go in with software forensics. To be precise, the question is to detect plagiarism. In this post I'm going to describe the case. Also I will discuss a simple indicator for similarities in executables.

(more...)

By Andreas Schuster at 04/28/2008, 04:00 PM |

FTK 2

FTK 2.0 - Security

While I was trying to tune FTK 2.0 to my needs I came upon some settings that might affect the security of your lab. I filed a ticket with AccessData's support team and told them about my observations. They reacted promptly and announced to fix the issues with the upcoming release. Now, after FTK version 2.0.2 has been released to the public, it's time for me to disclose those issues.

(more...)

By Andreas Schuster at 04/25/2008, 04:00 PM |

NT event log

Windows Log Forensics

In Issue 16 of the free (IN)SECURE magazine Rob Faber describes the design and the various features of Microsoft Windows event logging services. His article covers both, the old log of the NT family of kernels and the redesigned event logging services found in Vista and Windows Server 2008.

By Andreas Schuster at 04/24/2008, 04:00 PM |

Lab

SSdeep Version 2.0

SSdeep employs fuzzy hashings in order to measure the degree of similarity between files. Jesse Kornblum has just released version 2.0 of his program.

(more...)

By Andreas Schuster at 04/07/2008, 04:00 PM |

FTK 2

FTK 2.0 - Performance

I've just completed another dry-run of FTK 2.0: preprocessing of a 256 MB thumb drive resulted in a full-text index of more than 3 GB and about 200 MB of table space were filled in the Oracle database. However, the whole operation took more than 4 hours! So let's have a closer look at the process and see what exactly is so time consuming.

(more...)

By Andreas Schuster at 04/03/2008, 04:00 PM |

FTK 2

FTK 2.0 - Crash and Recovery

While I was creating my first case with brand-new FTK 2.0, the program suddenly ceased to work. But much to my surprise not all of the previous effort was lost.

(more...)

By Andreas Schuster at 04/01/2008, 04:00 PM |