Recovering a FAT filesystem directory entry in five phases

May 24, 2007

This is the last in a series of posts about five phases that digital forensics tools go through to recover data structures (digital evidence) from a stream of bytes. The first post covered fundamental concepts of data structures, as well as a high level overview of the phases. The second post examined each phase in [...]

The five phases of recovering digital evidence

May 8, 2007

This is the second post in a series about the five phases of recovering data structures from a stream of bytes (a form of digital evidence recovery). In the last post we discussed what data structures were, how they related to digital forensics, and a high level overview of the five phases of recovery. In [...]

How forensic tools recover digital evidence (data structures)

May 5, 2007

In a previous post I covered “The basics of how digital forensics tools work.” In that post, I mentioned that one of the steps an analysis tool has to do is to translate a stream of bytes into usable structures. This is the first in a series of three posts that examines this step (translating [...]

Evaluating Forensic Tools: Beyond the GUI vs Text Flame War

May 2, 2007

One of the good old flamewars that comes up every now and again is which category of tools is “better”: graphical, console (e.g. interactive text-based), or command-line? Each interface mechanism has its pros and cons, and when evaluating a tool, the interface mechanism used can make an impact on the usability of the tool. For [...]

Copying 1s and 0s

March 21, 2007

I’ve been asked a few times over the past weeks about making multiple copies of disk images. Specifically, if I were to make a copy of a copy of a disk image, would the “quality” degrade? The short answer is no. It boils down to the idea of copying information from a digital format (as [...]

Exhibits from deposition of RIAA’s expert available online

March 4, 2007

Updating the previous post, the exhibits from the deposition are available at: Recording Industry vs The People blog.

Transcript of deposition of RIAA’s expert available online

March 1, 2007

In UMG v. Lindor, the RIAA’s expert was deposed on February 23rd 2007. A PDF copy of the transcript is available at ilrweb.com. Source: Recording Industry vs The People blog.

Planting evidence

March 1, 2007

The other day, Dimitris left a comment asking about how to determine if someone has altered the BIOS clock and placed a new file on the file system. In essence, this is “planting evidence”. So, what might the side effects of this type of activity be? It’s difficult (if not impossible) to give an exact [...]

Caught in the act…

January 26, 2007

I had lunch at a lounge today (I’m friends with the owners, and they have free WiFi) and when I went to pay my bill, I had an interesting surprise. The waitress looked at her computer screen and said “Something’s happening”. Well, she’s not the most computer literate, so I took a look at the screen [...]

How digital forensics relates to computing

January 25, 2007

A lot of people are aware that there is some inherent connection between digital forensics and computing. I’m going to attempt to explain my understanding of how the two relate. However, before we dive into digital forensics, we should clear up some misconceptions about what computing is (and perhaps what it is not). Ask yourself [...]
