When I'm Sixty Four (Bits)
[Nov. 3rd, 2009|07:26 am]
Sixty-four-bit computing is here! What does that mean? What will the impact be on computer forensics? I've written a tech note, When I'm Sixty Four (Bits), to explain the changes. (You could also use it as justification for buying some new hardware...) The first paragraph: Forensic examiners are going to have to process computers running 64-bit operating systems in the near future. While this won't affect people doing document forensics, it will require significant changes for those who do code-based forensics such as reverse engineering, malware analysis, etc.
Audit paper published
[Dec. 12th, 2008|08:03 am]
This morning the latest issue of Digital Forensic Practice was published. Among the articles in this issue is my piece Auditing Hash Sets: Lessons Learned from Jurassic Park. The abstract is below, but this paper is important because it highlights where traditional hash matching techniques fall down during incident response or tool testing. We have good tools to find matches to known files and good tools to find files that aren't known matches. Hashdeep is the first tool I know of that does both and provides a complete picture of the known files compared to the current filesystem. It's intended for forensics geeks and system administrators, but all are welcome to try it out.
Auditing Hash Sets: Lessons Learned from Jurassic Park
Auditing a set of cryptographic hashes allows a forensic examiner to determine the state of a target directory as compared to those hashes. Unlike traditional hash comparison methods, an audit takes into account all of the files in the target directory and their relative paths. Not taking these data into account can impair examinations and tool certifications. An audit examines each file in the target directory, computes its hash, and compares it to a file containing the known hash values. Any file not in the set of known hashes is flagged as being inserted. When all of the files in the target directory have been examined, any known hashes that have not been matched are flagged as being missing. The result is a complete picture comparing the set of known hashes and the target directory.
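The audit the abstract describes, as an added Python example (not hashdeep's own code): hash every file under a root by relative path, compare the result to a known set, and flag files as matched, inserted or missing. It goes one step beyond the abstract by also reporting a file whose content is known but whose relative path changed as moved, which is what tracking relative paths makes possible; SHA-256, the `audit`/`hash_tree` names and the sample data are assumptions.

```python
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, List

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_tree(root: str) -> Dict[str, str]:  # {relative_path: digest} for every file under root
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_hex(fh.read())
    return digests

@dataclass
class AuditResult:
    matched: List[str] = field(default_factory=list)   # same path, same content
    moved: List[str] = field(default_factory=list)     # known content at a new relative path
    inserted: List[str] = field(default_factory=list)  # on disk, not in the hash set
    missing: List[str] = field(default_factory=list)   # in the hash set, not on disk

def audit(known: Dict[str, str], target: Dict[str, str]) -> AuditResult:
    res = AuditResult()
    known_by_hash: Dict[str, set] = {}
    for path, digest in known.items():
        known_by_hash.setdefault(digest, set()).add(path)
    unmatched = set(known)  # known entries not yet explained by a file on disk
    for path, digest in sorted(target.items()):
        if known.get(path) == digest:
            res.matched.append(path)
            unmatched.discard(path)
        elif known_by_hash.get(digest, set()) & unmatched:
            # same content at a different path: moved, and it accounts for one known entry
            res.moved.append(path)
            unmatched.discard(min(known_by_hash[digest] & unmatched))
        else:
            # unknown content (also an edited known file: its path then stays unmatched -> missing)
            res.inserted.append(path)
    res.missing = sorted(unmatched)
    return res

def sample_audit() -> AuditResult:  # constructed data: one edited, one renamed, one deleted, one new
    known = {p: sha256_hex(d) for p, d in [("a.txt", b"alpha"), ("sub/b.txt", b"beta"),
                                           ("c.txt", b"gamma"), ("d.txt", b"delta")]}
    target = {p: sha256_hex(d) for p, d in [("a.txt", b"alpha"), ("sub/renamed.txt", b"beta"),
                                            ("c.txt", b"gamma edited"), ("e.txt", b"epsilon")]}
    return audit(known, target)
```

Run `audit(hash_tree(root), known)` in the other direction to check a hash set against a live tree; a known path whose content changed shows up once as inserted and once as missing, which is the case a plain hash lookup cannot distinguish from a new file.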