CarvFS is a user space file system on top of LibCarvPath and FUSE that makes arbitrary parts of a file system accessible as files. Its main intended use is zero-storage or in-place file carving. I'm frequently using this tool to dissect large structured files and file system images. CarvFS compiles out of the box on Linux; installation on a Mac required a couple of tweaks and patches to sources and CMake files. With the kind help of Rob from the KLPD I eventually succeeded. I'm releasing my set of patches in the hope that it will help others.
NIST has tested hardware and software tools that can be used to wipe hard disks. Wiping tools are commonly used to clean temporary storage media. This can happen prior to an analysis in order to prevent data from an earlier case to contaminate data that is currently under examination. Also, storage media are commonly wiped as soon as they are no longer needed in order to minimize the risk of data leakage.
Four years ago, at the DFRWS 2005, the first tools to analyze Windows memory images were presented in public. These ideas and methods now gradually make it into commercial off-the-shelf forensic products. The latest tool that provides Windows memory analysis capabilities is AccessData's Forensic Toolkit 3.
Error in "Header": String cannot be longer than 12 charactersis finally gone. FTK Imager is available for download from AccessData's support web site.
While I was trying to tune FTK 2.0 to my needs I came upon some settings that might affect the security of your lab. I filed a ticket with AccessData's support team and told them about my observations. They reacted promptly and announced to fix the issues with the upcoming release. Now, after FTK version 2.0.2 has been released to the public, it's time for me to disclose those issues.
SSdeep employs fuzzy hashings in order to measure the degree of similarity between files. Jesse Kornblum has just released version 2.0 of his program.