int for(ensic){blog;}

A new issue of the Smal Scale Digital Device Forensics Journal has been released. Volume 2, number 1 contains four articles about technical and legal aspects of forensics on small devices like cell phones and video game consoles.

By Andreas Schuster at 06/25/2008, 04:00 PM | Permalink

A while ago, I compared the implementation of the XpressDecode function in the Windows XP NTLDR with the one of the Sandman project. I found several slight differences. But there is also a third implementation, in a well-known commercial forensics software. This software was released in March 2008, about a month later than Sandman's code. So let's have a closer look at it.

By Andreas Schuster at 06/24/2008, 04:00 PM | Permalink

Volatile Systems has released version 1.1.2 of their memory analysis software Volatility. This is mainly a bug-fix release. It supports Microsoft Windows XP SP2 and SP3.

By Andreas Schuster at 06/23/2008, 04:00 PM | Permalink

The paper Aquiring Volatile Operating System Data Tools and Techniques by Iain Sutherland, Jon Evans, Theodore Tryfonas and Andrew Blyth assesses the capabilities and the impact of several tools, that are commonly used in live response and memory acquisition. The article appeared in the ACM SIGOPS Operating Systems Review, April 2008. Unfortunately, access is not free.

By Andreas Schuster at 06/17/2008, 04:00 PM | Permalink

During the last weeks, three new physical memory imaging applications for the Microsoft Windows platform were released: WinEn by Guidance Software, mdd by ManTech and win32dd by Matthieu Suiche. All three applications employ a kernel driver in order to access the physical memory from Windows XP, Server 2003 and Vista.

By Andreas Schuster at 06/16/2008, 04:00 PM | Permalink