Category "Lab"

CarvFS on a Mac

CarvFS is a user space file system on top of LibCarvPath and FUSE that makes arbitrary parts of a file system accessible as files. Its main intended use is zero-storage or in-place file carving. I'm frequently using this tool to dissect large structured files and file system images. CarvFS compiles out of the box on Linux; installation on a Mac required a couple of tweaks and patches to sources and CMake files. With the kind help of Rob from the KLPD I eventually succeeded. I'm releasing my set of patches in the hope that it will help others.

Test of Media Preparation Tools

NIST has tested hardware and software tools that can be used to wipe hard disks. Wiping tools are commonly used to clean temporary storage media. This can happen prior to an analysis in order to prevent data from an earlier case to contaminate data that is currently under examination. Also, storage media are commonly wiped as soon as they are no longer needed in order to minimize the risk of data leakage.

010 Editor Version 3.1.0

010 Editor, a hex editor, became an indispensable tool to me years ago. I use it frequently when I'm analyzing files in depth. The authors have released version 3.1, which fixes a couple of bugs and introduces many new features.

Memory Analysis with FTK 3

Four years ago, at the DFRWS 2005, the first tools to analyze Windows memory images were presented in public. These ideas and methods now gradually make it into commercial off-the-shelf forensic products. The latest tool that provides Windows memory analysis capabilities is AccessData's Forensic Toolkit 3.

FTK Imager Version 2.5.5

AccessData relased version 2.5.5 of their free FTK Imager. This version fixes a compatibility problem with E01 files and EnCase. So, the annoying error message
Error in "Header": String cannot be longer than 12 characters
is finally gone. FTK Imager is available for download from AccessData's support web site.

Accuracy of Timestamps

Didier Stevens complains about the feigned accuracy of timestamps in forensic reports and tool outputs. Timestamps are indicated up to the dot, though the accuracy of the data source is worse. Stevens cites the electronic purse as an example. Another example, that should be well-known among computer forensic practitioners, is the FAT file system that provides timestamps with a resolution of only 2 seconds. Therefore Stevens suggests to use the scientific error notation in reports, e.g. 11:37:30 ± 675s.

pyFlag Version 0.87

The browser-based pyFlag helps to analyze disk images, memory images and network captures. The authors of pyFlag, Michael Cohen and David Collet, and AAron Walters of Volatile Systems scored the first place in the DFRWS Linux Memory Analysis Challenge. They added a lot of new features in order to solve the challenge. These features are now available for the public in pyFlag 0.87, which can be downloaded at Sourceforge.

NIST tests FTK Imager 2.5.3.14

| 1 TrackBack
NIST has released the test results for AccessData's FTK Imager, version 2.5.3.14. According to the report, FTK Imager does not copy sectors hidden by a host protected area (HPA) or device configuration overlay (DCO). In a logical acquisition of a NTFS formatted volume the last eight sectors were not processed. Also, FTK Imager did not report the location of corrupt data in an image file.

FTK 2.0 - Security

| 1 Comment | 1 TrackBack

While I was trying to tune FTK 2.0 to my needs I came upon some settings that might affect the security of your lab. I filed a ticket with AccessData's support team and told them about my observations. They reacted promptly and announced to fix the issues with the upcoming release. Now, after FTK version 2.0.2 has been released to the public, it's time for me to disclose those issues.

SSdeep Version 2.0

SSdeep employs fuzzy hashings in order to measure the degree of similarity between files. Jesse Kornblum has just released version 2.0 of his program.

 1 2 3 4 5 

Archives

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.
Powered by Movable Type 5.12