Events

DFRWS USA 2017

As mentioned in my last blogpost, I had the pleasure to participate in this years DFRWS USA and present our paper. The paper and presentation can be freely viewed and downloaded here or here. Note that there is also an extended version of the paper, which can be downloaded here.

The keepassx, zsh and heap analysis plugins are now also part of the Rekall release candidate 1.7.0RC1, so it’s easier to get started.

The conference had some great talks and workshops, which I’m going to briefly sum up.
Continue reading “DFRWS USA 2017”

Continue reading
Events

DFRWS EU 2016 Summary

In this article, I want to provide a concise sum-up of the (to me) most interesting talks of this year’s DFRWS EU (http://www.dfrws.org/2016eu/).

Eoghan Casey, one of most famous pioneers in digital forensics, and David-Olivier Jaquet-Chiffelle, professor in police science at University of Lausanne, gave a keynote that emphasized the need for theoretical fundamental basis research in the field of digital forensics, which I fully agreed on, as this was exactly what I addressed in some of my former research.

Michael Cohen and Arkadiusz Socala received the best paper award for their work “Automatic Profile generation for live Linux Memory analysis“, which was indeed very interesting and the article is worth reading.

Continue reading “DFRWS EU 2016 Summary”

Continue reading
Events

Generic RAID Reassembly using Block-Level Entropy

DFRWS EU 2016 Talk Forensic Raid Recovery
DFRWS EU 2016 Talk Forensic Raid Recovery

We just presented our Paper “Generic RAID Reassembly using Block-Level Entropy” at the DFRWS EU 2016 digital forensics conference (http://www.dfrws.org/). The article is about a new approach that we developed for forensic RAID recovery. Our technique calculates block-wise entropy all over the disks and uses generic heuristics on those to detect all the relevant RAID parameters such as stripe size, stripe map, disk order, and RAID type, that are needed to reassemble the RAID and make the data accessible again for forensic investigations (or just for data recovery).

We developed an open source implementation of our approach that is freely available at https://www1.cs.fau.de/content/forensic-raid-recovery/. The tool is able to recover RAID 0, RAID 1 and RAID 5 volumes from the single disks or disk images.
It is also able to recover a missing or failed disk in case of RAID 5 systems from the RAID redundancy information.

Continue reading “Generic RAID Reassembly using Block-Level Entropy”

Continue reading