<?xml version="1.0" encoding="UTF-8"?><!-- generator="WordPress/2.5.1" -->
<rss version="0.92">
<channel>
	<title>Forensic Computing</title>
	<link>http://www.forensicblog.org</link>
	<description>Thoughts, musings, knowledge, etc. about digital forensics. As well as how computer science, IT (information technology) and IS (information security) relate.</description>
	<lastBuildDate>Sun, 11 May 2008 20:11:00 +0000</lastBuildDate>
	<docs>http://backend.userland.com/rss092</docs>
	<language>en</language>
	
	<item>
		<title>Sometimes the answers are enough, sometimes they&#8217;re not</title>
		<description>When you watch someone who is new to investigations work a case, one thing that often needs to be explained is the idea that the "smoking gun", by itself, often isn't enough.  What do I mean by this?  Well, not only am I interested in what you ...</description>
		<link>http://www.forensicblog.org/2008/04/25/sometimes-the-answers-are-enough-sometimes-theyre-not/</link>
			</item>
	<item>
		<title>The admissibility vs. weight of digital evidence</title>
		<description>There is always a lot of conversation about when digital evidence is and is not admissible.  Questions like "are proxy logs admissible?" and "what tools generate admissible evidence?" are focused on the concept of evidence admissibility.  Some of the responses to these questions are correct, and some not ...</description>
		<link>http://www.forensicblog.org/2007/07/30/the-admissibility-vs-weight-of-digital-evidence/</link>
			</item>
	<item>
		<title>CitySec meetup in Los Angeles</title>
		<description>For those of you who haven't already seen CitySec, it's worth stopping by.  CitySec.org is a site created by Thomas Ptacek (from Matasano Chargen) to facilitate gatherings of information security professionals.  The tone of the meetings appears to be quite relaxed, to quote "What is a CitySec Meetup?":
The rule of ...</description>
		<link>http://www.forensicblog.org/2007/05/24/citysec-meetup-in-los-angeles/</link>
			</item>
	<item>
		<title>Recovering a FAT filesystem directory entry in five phases</title>
		<description>This is the last in a series of posts about five phases that digital forensics tools go through to recover data structures (digital evidence) from a stream of bytes. The first post covered fundamental concepts of data structures, as well as a high level overview of the phases. The second ...</description>
		<link>http://www.forensicblog.org/2007/05/24/recovering-a-fat-filesystem-directory-entry-in-five-phases/</link>
			</item>
	<item>
		<title>The five phases of recovering digital evidence</title>
		<description>This is the second post in a series about the five phases of recovering data structures from a stream of bytes (a form of digital evidence recovery). In the last post we discussed what data structures were, how they related to digital forensics, and a high level overview of the ...</description>
		<link>http://www.forensicblog.org/2007/05/08/the-five-phases-of-recovering-digital-evidence/</link>
			</item>
	<item>
		<title>How forensic tools recover digital evidence (data structures)</title>
		<description>In a previous post I covered "The basics of how digital forensics tools work." In that post, I mentioned that one of the steps an analysis tool has to do is to translate a stream of bytes into usable structures.  This is the first in a series of three ...</description>
		<link>http://www.forensicblog.org/2007/05/05/how-forensic-tools-recover-digital-evidence-data-structures/</link>
			</item>
	<item>
		<title>Evaluating Forensic Tools: Beyond the GUI vs Text Flame War</title>
		<description>One of the good old flamewars that comes up every now and again is which category of tools is "better": graphical, console (e.g. interactive text-based), or command-line?

Each interface mechanism has its pros and cons, and when evaluating a tool, the interface mechanism used can make an impact on the usability ...</description>
		<link>http://www.forensicblog.org/2007/05/02/evaluating-forensic-tools-beyond-the-gui-vs-text-flame-war/</link>
			</item>
	<item>
		<title>Copying 1s and 0s</title>
		<description>I've been asked a few times over the past weeks about making multiple copies of disk images.  Specifically, if I were to make a copy of a copy of a disk image, would the "quality" degrade?  The short answer is no.  It boils down to the idea ...</description>
		<link>http://www.forensicblog.org/2007/03/21/copying-1s-and-0s/</link>
			</item>
	<item>
		<title>Exhibits from deposition of RIAA&#8217;s expert available online</title>
		<description>Updating the previous post, the exhibits from the deposition are available at:

Recording Industry vs The People blog. </description>
		<link>http://www.forensicblog.org/2007/03/04/exhibits-from-deposition-of-riaas-expert-available-online/</link>
			</item>
	<item>
		<title>Transcript of deposition of RIAA&#8217;s expert available online</title>
		<description>In UMG v. Lindor, the RIAA's expert was deposed on February 23rd 2007.  A PDF copy of the transcript is available at ilrweb.com.

Source: Recording Industry vs The People blog. </description>
		<link>http://www.forensicblog.org/2007/03/01/transcript-of-deposition-of-riaas-expert-available-online/</link>
			</item>
</channel>
</rss>
