New tool – CERT/CMU Live View

I am in Lafayette, Indiana this week at DFRWS2006. A gent from CERT was present and demonstrating an excellet tool called “Live View” which, from first impressions to be a p2v GUI that automates running dd images in vmware. It appears that the features of it are far beyond what dd2vmdk does in some respects: you appear to point it at an image upon which it:
* generates a vmware vmdk
* generates a corresponding virtual machine definition
* fixes up the driver boot problem
* optionally lets one set the time to a different value.
* automatically boots up the image in vmware

On the downside, it doesnt appear to handle disk images, just partition images. This introduces further complications such as having to specify the OS used, and remapping of drive letters, which they do however handle. I am not convinced that their insistence of replacing the MBR is necessary either.

When I get back from DFRWS I will be testing if it does handle disk images, and if it does, how it copes with geometry problems and LDM.


tool – pasco2

I am off to the DFRWS 2006 conference in a week or so to present my paper “A correlation method for establishing provenance of timestamps in digital evidence”. In this paper I describe some research I have performed in characterising where the behaviour of computer clocks differs from the ideal.

A second theme of the paper is the identification of methods of correlating commonly found evidence to establish provenance of timestamps. In this case, I have been correlating Internet Explorer Cache and History files with Squid cache logs.

As a part of my work I reimplemented and extended a parsing tool for the IE cache and history index.dat files. This was due to finding bugs in the initial pasco tool (which was missing some error conditions from the read() system call). That and I am more productive using java.

The tool, which I have named pasco2 in honour of Keith Jones’ earlier IE parser, pasco , can be found here: pasco2.