CarvFS on a Mac

CarvFS is a user-space file system built on LibCarvPath and FUSE that exposes arbitrary parts of a file system as files. Its main intended use is zero-storage (in-place) file carving. I frequently use this tool to dissect large structured files and file system images. CarvFS compiles out of the box on Linux; installation on a Mac required a couple of tweaks and patches to the sources and CMake files. With the kind help of Rob from the KLPD I eventually succeeded. I'm releasing my set of patches in the hope that it will help others.

(more...)

Test of Media Preparation Tools

NIST has tested hardware and software tools that can be used to wipe hard disks. Wiping tools are commonly used to clean temporary storage media. This can happen prior to an analysis in order to prevent data from an earlier case from contaminating the data currently under examination. Storage media are also commonly wiped as soon as they are no longer needed, in order to minimize the risk of data leakage.

(more...)

010 Editor Version 3.1.0

010 Editor, a hex editor, became an indispensable tool to me years ago. I use it frequently when I'm analyzing files in depth. The authors have released version 3.1, which fixes a couple of bugs and introduces many new features.

(more...)

Memory Analysis with FTK 3

Four years ago, at DFRWS 2005, the first tools to analyze Windows memory images were presented in public. These ideas and methods are now gradually making their way into commercial off-the-shelf forensic products. The latest tool to provide Windows memory analysis capabilities is AccessData's Forensic Toolkit 3.

(more...)

FTK Imager Version 2.5.5

AccessData released version 2.5.5 of their free FTK Imager. This version fixes a compatibility problem between E01 files and EnCase. So, the annoying error message

    Error in "Header": String cannot be longer than 12 characters

is finally gone. FTK Imager is available for download from AccessData's support web site.

Accuracy of Timestamps

Didier Stevens complains about the feigned accuracy of timestamps in forensic reports and tool outputs. Timestamps are given to the second (or even finer), although the accuracy of the underlying data source is worse. Stevens cites the electronic purse as an example. Another example, which should be well known among computer forensic practitioners, is the FAT file system, which provides timestamps with a resolution of only 2 seconds. Stevens therefore suggests using scientific error notation in reports, e.g. 11:37:30 ± 675s.
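As an added illustration (my own example, not code from Stevens or from the post), the snippet below decodes a FAT directory-entry timestamp and reports it in the ± notation that reflects its 2-second granularity instead of a false one-second precision; the packed field values are constructed sample data.

```python
# Added example, not part of the original post: decode a FAT timestamp and
# report it with the uncertainty its 2-second resolution actually implies.
from datetime import datetime, timedelta

# The FAT time word counts seconds in 2-second units, so the stored value
# only tells us the real time lies somewhere in a 2-second window.
FAT_RESOLUTION = timedelta(seconds=2)


def decode_fat_datetime(date_word: int, time_word: int) -> datetime:
    """Unpack the 16-bit FAT date and time fields into a naive datetime.

    date_word: bits 15-9 = year since 1980, 8-5 = month, 4-0 = day
    time_word: bits 15-11 = hour, 10-5 = minute, 4-0 = seconds / 2
    """
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def format_with_uncertainty(stored: datetime, resolution: timedelta) -> str:
    """Render a stored timestamp as 'midpoint ± half-width'.

    A stored value t means the true time is in [t, t + resolution), so the
    honest report is the midpoint of that window with half the resolution
    as the error term, in the style Stevens proposes.
    """
    half = resolution / 2
    midpoint = stored + half
    return f"{midpoint.isoformat(sep=' ')} ± {half.total_seconds():g}s"


def report_fat_timestamp(date_word: int, time_word: int) -> str:
    """Convenience wrapper: raw FAT fields in, report-ready string out."""
    return format_with_uncertainty(decode_fat_datetime(date_word, time_word),
                                   FAT_RESOLUTION)


if __name__ == "__main__":
    # Constructed sample: 2009-03-15 11:37:30 as packed FAT date/time words.
    print(report_fat_timestamp(0x3A6F, 0x5CAF))  # 2009-03-15 11:37:31 ± 1s
```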

pyFlag Version 0.87

The browser-based pyFlag helps to analyze disk images, memory images and network captures. The authors of pyFlag, Michael Cohen and David Collet, together with AAron Walters of Volatile Systems, took first place in the DFRWS Linux Memory Analysis Challenge. They added a lot of new features in order to solve the challenge. These features are now available to the public in pyFlag 0.87, which can be downloaded from Sourceforge.

NIST tests FTK Imager 2.5.3.14

NIST has released the test results for AccessData's FTK Imager, version 2.5.3.14. According to the report, FTK Imager does not copy sectors hidden by a host protected area (HPA) or device configuration overlay (DCO). In a logical acquisition of an NTFS-formatted volume, the last eight sectors were not processed. Also, FTK Imager did not report the location of corrupt data in an image file.

SSdeep Version 2.0

SSdeep employs fuzzy hashing in order to measure the degree of similarity between files. Jesse Kornblum has just released version 2.0 of his program.

(more...)

dc3dd, Version 6.9.91

Jesse Kornblum has released the first version of his new acquisition tool dc3dd. It is based on GNU dd, which ships with the coreutils (that explains the version number), and incorporates ideas from the well-known dcfldd. More information is available from the ForensicWiki article on dc3dd and the manual page.


Imprint

This blog is a project of
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
Germany
impressum@forensikblog.de

Copyright © 2005-2010 by
Andreas Schuster
All rights reserved.