search for: forensicswiki

...ee structure of the registry hive. Although this may seem verbose, it makes processing the data significantly easier. Is working with the hivexml system in a production environment? If so, do you have any thoughts on this matter? You can find an example of the digital forensics XML at: http://www.forensicswiki.org/wiki/Fiwalk Regards, Simson Garfinkel

Hello List, One of my project needs memory forensics of OpenSSH. Here is a brief description of the problem: I have a raw memory dump, and all of the kernel data structures (e.g., task_struct, mm_struct) have been figured out. Now, I want to retrieve the data structures (e.g., struct session_state) of an SSH process instance. Finding a session key (active_state->newkeys) could be an example.

...doning this program. Instead, I am willing to take over maintenance of it. I am involved in computer forensics. I are in the midst of developing an XML standard to describe the Windows Registry. There are several programs that export the windows registry at XML. I have listed them at: http://www.forensicswiki.org/wiki/Windows_Registry_XML The XML produced by hivexml is somewhat difficult to work with. It also has some problems in that it doesn't properly quote strings, and doesn't atke into account other important information. I have come up with a new form and would like to modify hivexml to o...

...euthkit If you wish to use Fiwalk on your images, you should convert any of your disk images to a raw image or Expert Witness Format. Actually, I don't suppose qemu-img has a FUSE-like wrapper that exposes the underlying image as a raw file? DFXML has an entry on the Forensics Wiki: http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML As for your external-to-filesystem data question: I think you got the essential non-file-system data. I can imagine data fragments from past/shrunken file systems, or hidden-data regions that fall outside what's recorded in the partition table. My ima...

Thank you all for your suggestions! Richard W.M. Jones: > I keep meaning to write a comprehensive "virt-diff" tool. I needed it > myself just yesterday. Most interesting. I guess there are two reasons for creating such a tool: just compare the images (show the diff) and/or check for malicious additions in the other image. Did you consider implementing the former or both? Do