Month: December, 2006

Self replicating software - Part 4 - The difference between worms and viruses

29 December, 2006 (16:07) | Digital forensics, Self replicating code | No comments

This is the fourth part of the installment on self replicating software. This post deals with worms (a subset of computer viruses).
Briefly, a computer virus is a program that infects other programs with an optionally mutated copy of itself. This is the basic definition that Fred Cohen (the “father” of computer viruses) used in [...]

Two tools to help debug shellcode

24 December, 2006 (23:31) | Code forensics, Digital forensics, Forensic tools | No comments

Here are two small tools to help debug/analyze shellcode. The goal of both tools is to provide an executable environment for the shellcode. Shellcode is usually intended to run in the context of a running process, and by itself doesn’t provide the environment typically provided by an executable.
The first tool, make_loader.py is a [...]

Site move

16 December, 2006 (02:09) | Administrivia | No comments

Welcome to the new Forensic Computing blog (forensicblog.org). The old site (forensiccomputing.blogspot.com) is no longer active, although I will keep it up for archival purposes. I’m no longer on Blogger; instead, this is a self-hosted WordPress installation.

The basics of how digital forensics tools work

3 December, 2006 (23:14) | Digital forensics, Forensic tools, Fundamentals | 1 comment

I’ve noticed there is a fair amount of confusion about how forensics tools work behind the scenes. If you’ve taken a course in digital forensics, this will probably be “old hat” for you. If, on the other hand, you’re starting off in the digital forensics field, this post is meant for you.
There are two primary [...]