The five phases of recovering digital evidence

May 8, 2007

This is the second post in a series about the five phases of recovering data structures from a stream of bytes (a form of digital evidence recovery). In the last post we discussed what data structures were, how they related to digital forensics, and a high level overview of the five phases of recovery. In [...]

Read the full article →

How forensic tools recover digital evidence (data structures)

May 5, 2007

In a previous post I covered “The basics of how digital forensics tools work.” In that post, I mentioned that one of the steps an analysis tool has to do is to translate a stream of bytes into usable structures. This is the first in a series of three posts that examines this step [...]

Read the full article →

Evaluating Forensic Tools: Beyond the GUI vs Text Flame War

May 2, 2007

One of the good old flamewars that comes up every now and again is which category of tools is “better”: graphical, console (e.g. interactive text-based), or command-line?
Each interface mechanism has its pros and cons, and when evaluating a tool, the interface mechanism used can make an impact on the usability of the tool. For [...]

Read the full article →

Copying 1s and 0s

March 21, 2007

I’ve been asked a few times over the past weeks about making multiple copies of disk images. Specifically, if I were to make a copy of a copy of a disk image, would the “quality” degrade? The short answer is no. It boils down to the idea of copying information from a [...]

Read the full article →

Exhibits from deposition of RIAA’s expert available online

March 4, 2007

Updating the previous post, the exhibits from the deposition are available at:
Recording Industry vs The People blog.

Read the full article →

Transcript of deposition of RIAA’s expert available online

March 1, 2007

In UMG v. Lindor, the RIAA’s expert was deposed on February 23rd 2007. A PDF copy of the transcript is available at ilrweb.com.
Source: Recording Industry vs The People blog.

Read the full article →

Planting evidence

March 1, 2007

The other day, Dimitris left a comment asking about how to determine if someone has altered the BIOS clock and placed a new file on the file system. In essence, this is “planting evidence”.
So, what might the side effects of this type of activity be? It’s difficult (if not impossible) to give an [...]

Read the full article →

Caught in the act…

January 26, 2007

I had lunch at a lounge today (I’m friends with the owners, and they have free WiFi) and when I went to pay my bill, had an interesting surprise. The waitress looked at her computer screen and said “Something’s happening”. Well she’s not the most computer literate, so I took a look at [...]

Read the full article →

How digital forensics relates to computing

January 25, 2007

A lot of people are aware that there is some inherent connection between digital forensics and computing. I’m going to attempt to explain my understanding of how the two relate. However before we dive into digital forensics, we should clear up some misconceptions about what computing is (and perhaps what it is not).
Ask [...]

Read the full article →

The basics of how programs are compiled and executed

January 11, 2007

Well, the post “The basics of how digital forensics tools work” seemed to be fairly popular, even getting a place on Digg. This post is focused on the basics of how a program gets compiled and loaded into memory when the program is executed. It’s useful for code analysis (reverse engineering), and is [...]

Read the full article →