forensics tools Archives - geschonneck.com

Windows Memory Forensics Tools [update]

Posted onDienstag, 23. Dezember 2008Montag, 7. November 20114 Comments

SANS recently published a good summary of Windows memory forensics acquisition and analysis tools. It’s a good compilation

new linux incident response script

Posted onSamstag, 18. Oktober 20081 Comment

We updated the ForensiX Linux Incident Response Script. You can find the new version at

New Forensics Live Response CD published

Posted onDonnerstag, 21. Juni 2007Donnerstag, 21. Juni 20071 Comment

I’m proud to announce, that my team published yesterday a very cool Live Response CD for Linux and Windows in cooperation with the german journal iX. It contains a brand new Linux Live Response script and a build script for your own static binaries. This Live Response Script contains also an

Sector Inspector (SecInspect.exe)

Posted onMontag, 9. April 2007

Microsoft published a tool called Sector Inspector (SecInspect.exe) with the Windows 2003 Server Resource Kit. This is a command-line diagnostics tool that allows administrators to view the contents of master boot records, boot sectors, and IA64 GUID partition tables. Additional features

The Sleuthkit 2.08

Posted onFreitag, 6. April 2007

The Sleuthkit (TSK) 2.08 is out now. The new version contains

The Sleuthkit 2.07

Posted onSamstag, 16. Dezember 2006Sonntag, 11. Februar 2007

Brian Carrierr released version 2.07 of his file system analysis tool The Sleuthkit: There are a lot of updates and bug fixes. The summarized list is below. The executive summary is that there are new flags for ils to find orphan files and new flags for dls to specify allocation status.There were a lot of Read More …

Malware Analysis with PEiD

Posted onSamstag, 11. November 2006Sonntag, 11. Februar 20071 Comment

I’d like to comment on PEiD. If you have to analyse an unknown binary and you like to know some details about packers, compilers and crypto features, you should give PEiD a try.

New Helix version released

Posted onDonnerstag, 12. Oktober 2006Sonntag, 11. Februar 20071 Comment

There is a new Helix (Incident Response & Computer Forensics Live CD based on Knoppix) version released. Version 1.8 has a now Andreas Schuster’s PTFinder included an will no longer change JFS information. You can donwload Helix here. All new features at a glance:

FSP/FRU File Copy Client released

Posted onDienstag, 3. Oktober 2006Sonntag, 11. Februar 2007

Harlan Carvey just released the FSP/FRU File Copy Client on SourceForge. The FCli is a GUI client that the investigator can use to select files to be copied from the suspect system, over to the FSP server.

Live Evidence Preview with Shadow 2

Posted onFreitag, 29. September 2006Sonntag, 11. Februar 2007

For the German journal iX we tested recently the Shadow 2 box from VOOM Technologies