Recovering a FAT filesystem directory entry in five phases

This is the last in a series of posts about five phases that digital forensics tools go through to recover data structures (digital evidence) from a stream of bytes. The first post covered fundamental concepts of data structures, as well as a high … [Continue reading]

The five phases of recovering digital evidence

This is the second post in a series about the five phases of recovering data structures from a stream of bytes (a form of digital evidence recovery). In the last post we discussed what data structures were, how they related to digital forensics, and … [Continue reading]

How forensic tools recover digital evidence (data structures)

In a previous post I covered "The basics of how digital forensics tools work." In that post, I mentioned that one of the steps an analysis tool has to do is to translate a stream of bytes into usable structures. This is the first in a series of … [Continue reading]

Evaluating Forensic Tools: Beyond the GUI vs Text Flame War

One of the good old flamewars that comes up every now and again is which category of tools is "better": graphical, console (e.g. interactive text-based), or command-line? Each interface mechanism has its pros and cons, and when evaluating a tool, … [Continue reading]

Copying 1s and 0s

I've been asked a few times over the past weeks about making multiple copies of disk images. Specifically, if I were to make a copy of a copy of a disk image, would the "quality" degrade? The short answer is no. It boils down to the idea of … [Continue reading]

Exhibits from deposition of RIAA’s expert available online

Updating the previous post, the exhibits from the deposition are available at: Recording Industry vs The People blog. … [Continue reading]

Transcript of deposition of RIAA’s expert available online

In UMG v. Lindor, the RIAA's expert was deposed on February 23rd 2007. A PDF copy of the transcript is available at ilrweb.com. Source: Recording Industry vs The People blog. … [Continue reading]

Planting evidence

The other day, Dimitris left a comment asking about how to determine if someone has altered the BIOS clock and placed a new file on the file system. In essence, this is "planting evidence". So, what might the side effects of this type of activity … [Continue reading]

Caught in the act…

I had lunch at a lounge today (I'm friends with the owners, and they have free WiFi) and when I went to pay my bill, had an interesting surprise. The waitress looked at her computer screen and said "Something's happening". Well she's not the most … [Continue reading]

How digital forensics relates to computing

A lot of people are aware that there is some inherent connection between digital forensics and computing. I'm going to attempt to explain my understanding of how the two relate. However before we dive into digital forensics, we should clear up some … [Continue reading]