Category "Lab"

CarvFS on a Mac

By Andreas Schuster on August 30, 2010 4:00 PM

CarvFS is a user space file system on top of LibCarvPath and FUSE that makes arbitrary parts of a file system accessible as files. Its main intended use is zero-storage or in-place file carving. I'm frequently using this tool to dissect large structured files and file system images. CarvFS compiles out of the box on Linux; installation on a Mac required a couple of tweaks and patches to sources and CMake files. With the kind help of Rob from the KLPD I eventually succeeded. I'm releasing my set of patches in the hope that it will help others.

Continue reading CarvFS on a Mac.

Test of Media Preparation Tools

By Andreas Schuster on February 23, 2010 4:00 PM

NIST has tested hardware and software tools that can be used to wipe hard disks. Wiping tools are commonly used to clean temporary storage media. This can happen prior to an analysis in order to prevent data from an earlier case to contaminate data that is currently under examination. Also, storage media are commonly wiped as soon as they are no longer needed in order to minimize the risk of data leakage.

Continue reading Test of Media Preparation Tools.

010 Editor Version 3.1.0

By Andreas Schuster on February 22, 2010 4:00 PM

010 Editor, a hex editor, became an indispensable tool to me years ago. I use it frequently when I'm analyzing files in depth. The authors have released version 3.1, which fixes a couple of bugs and introduces many new features.

Continue reading 010 Editor Version 3.1.0.

Memory Analysis with FTK 3

By Andreas Schuster on October 6, 2009 4:00 PM

Four years ago, at the DFRWS 2005, the first tools to analyze Windows memory images were presented in public. These ideas and methods now gradually make it into commercial off-the-shelf forensic products. The latest tool that provides Windows memory analysis capabilities is AccessData's Forensic Toolkit 3.

Continue reading Memory Analysis with FTK 3.

FTK Imager Version 2.5.5

By Andreas Schuster on March 5, 2009 4:00 PM
AccessData relased version 2.5.5 of their free FTK Imager. This version fixes a compatibility problem with E01 files and EnCase. So, the annoying error message
Error in "Header": String cannot be longer than 12 characters
is finally gone. FTK Imager is available for download from AccessData's support web site.

Accuracy of Timestamps

By Andreas Schuster on October 7, 2008 4:00 PM
Didier Stevens complains about the feigned accuracy of timestamps in forensic reports and tool outputs. Timestamps are indicated up to the dot, though the accuracy of the data source is worse. Stevens cites the electronic purse as an example. Another example, that should be well-known among computer forensic practitioners, is the FAT file system that provides timestamps with a resolution of only 2 seconds. Therefore Stevens suggests to use the scientific error notation in reports, e.g. 11:37:30 ± 675s.

pyFlag Version 0.87

By Andreas Schuster on September 8, 2008 4:00 PM
The browser-based pyFlag helps to analyze disk images, memory images and network captures. The authors of pyFlag, Michael Cohen and David Collet, and AAron Walters of Volatile Systems scored the first place in the DFRWS Linux Memory Analysis Challenge. They added a lot of new features in order to solve the challenge. These features are now available for the public in pyFlag 0.87, which can be downloaded at Sourceforge.

NIST tests FTK Imager 2.5.3.14

By Andreas Schuster on July 21, 2008 4:00 PM | 1 TrackBack
NIST has released the test results for AccessData's FTK Imager, version 2.5.3.14. According to the report, FTK Imager does not copy sectors hidden by a host protected area (HPA) or device configuration overlay (DCO). In a logical acquisition of a NTFS formatted volume the last eight sectors were not processed. Also, FTK Imager did not report the location of corrupt data in an image file.

FTK 2.0 - Security

By Andreas Schuster on April 25, 2008 4:00 PM | 1 Comment | 1 TrackBack

While I was trying to tune FTK 2.0 to my needs I came upon some settings that might affect the security of your lab. I filed a ticket with AccessData's support team and told them about my observations. They reacted promptly and announced to fix the issues with the upcoming release. Now, after FTK version 2.0.2 has been released to the public, it's time for me to disclose those issues.

Continue reading FTK 2.0 - Security.

SSdeep Version 2.0

By Andreas Schuster on April 7, 2008 4:00 PM

SSdeep employs fuzzy hashings in order to measure the degree of similarity between files. Jesse Kornblum has just released version 2.0 of his program.

Continue reading SSdeep Version 2.0.
 1 2 3 4 5 

Search

Deutsch

Deutschsprachige Ausgabe

Recent Entries

Tag Cloud

Categories

Archives

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.
Powered by Movable Type 5.12