NIST has tested hardware and software tools that can be used to wipe hard disks. Wiping tools are commonly used to clean temporary storage media. This can happen prior to an analysis in order to prevent data from an earlier case to contaminate data that is currently under examination. Also, storage media are commonly wiped as soon as they are no longer needed in order to minimize the risk of data leakage.
010 Editor, a hex editor, became an indispensable tool to me years ago. I use it frequently when I'm analyzing files in depth. The authors have released version 3.1, which fixes a couple of bugs and introduces many new features.
Four years ago, at the DFRWS 2005, the first tools to analyze Windows memory images were presented in public. These ideas and methods now gradually make it into commercial off-the-shelf forensic products. The latest tool that provides Windows memory analysis capabilities is AccessData's Forensic Toolkit 3.
AccessData relased version 2.5.5 of their free FTK Imager. This version fixes a compatibility problem with E01 files and EnCase. So, the annoying error message
Error in "Header": String cannot be longer than 12 charactersis finally gone. FTK Imager is available for download from AccessData's support web site.
Didier Stevens complains about the feigned accuracy of timestamps in forensic reports and tool outputs. Timestamps are indicated up to the dot, though the accuracy of the data source is worse. Stevens cites the electronic purse as an example. Another example, that should be well-known among computer forensic practitioners, is the FAT file system that provides timestamps with a resolution of only 2 seconds. Therefore Stevens suggests to use the scientific error notation in reports, e.g. 11:37:30 ± 675s.
The browser-based pyFlag helps to analyze disk images, memory images and network captures. The authors of pyFlag, Michael Cohen and David Collet, and AAron Walters of Volatile Systems scored the first place in the DFRWS Linux Memory Analysis Challenge. They added a lot of new features in order to solve the challenge. These features are now available for the public in pyFlag 0.87, which can be downloaded at Sourceforge.
NIST has released the test results for AccessData's FTK Imager, version 2.5.3.14. According to the report, FTK Imager does not copy sectors hidden by a host protected area (HPA) or device configuration overlay (DCO). In a logical acquisition of a NTFS formatted volume the last eight sectors were not processed. Also, FTK Imager did not report the location of corrupt data in an image file.
SSdeep employs fuzzy hashings in order to measure the degree of similarity between files. Jesse Kornblum has just released version 2.0 of his program.
Jesse Kornblum has released the first version of his new acquisition tool dc3dd. It is based on GNU dd which ship with the coreutils (that explains the version number) and incorporates ideas from the well-known dcfldd. More information is available from the ForensicWiki article on dc3dd and the manual page.
NIST has released the test results for version 2.0 of DCCIdd. According to the report DCCIdd did not acquire sectors that were hidden by a Device Configuration Overlay (DCO). Following a faulty sector the tool filled up to 7 additional sectors with null bytes.
This blog is a project of
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
Germany
impressum@forensikblog.de
Copyright © 2005-2010 by
Andreas Schuster
All rights reserved.