Side notes

A Challenge

Spirovski Bozidar posted a challenge for the forensic community. A (small!) disk image needs to be searched for incriminating evidence. Submissions are due August 20, 2008.

Lab

NIST tests FTK Imager 2.5.3.14

NIST has released the test results for AccessData's FTK Imager, version 2.5.3.14. According to the report, FTK Imager does not copy sectors hidden by a host protected area (HPA) or a device configuration overlay (DCO). In a logical acquisition of an NTFS-formatted volume, the last eight sectors were not processed. Also, FTK Imager did not report the location of corrupt data in an image file.

Side notes

Linux Memory Analysis

Every year, the Digital Forensics Research Workshop (DFRWS) challenges the digital forensics community to work on a particular problem. This year's challenge was about Linux memory analysis. Though there are still about three weeks until the conference starts, the first solutions have already appeared on the net.

Side notes

ISSE 2008

I'm pleased to announce my talk on the State of the Art in Windows Memory Forensics on October 8, 2008 at the ISSE 2008 Conference in Madrid, Spain. In this 30-minute talk, I will cover the recent advances in Windows memory analysis, such as new memory imaging techniques, analysis tools like Volatility, and the integration of memory analysis into the forensic process. Please see the official website to learn more about ISSE.

2008-10-09: Due to circumstances beyond my control, I had to cancel my talk on short notice. I apologize to all attendees and the organizers. My slides are available here.

Memory analysis

MDD Version 1.2

Version 1.2 of the memory imager mdd has been released. According to the change log, this version has been statically compiled, so from this version on you no longer have to provide msvcr80.dll alongside the executable. The new version is available for download at Sourceforge.