Monday, September 27, 2010

Evidence movers

Using an evidence mover helps to transfer files around and preserve its integrity. It is also savesa lot of time on image verification after the evidence have been transferred. I have been using MicroForensics Evidence Mover (the latest version is 1.1.17) for quite some time now. It is a nice free tool. There is one little problem with this tool. When the destination drive becomes unavailable, MicroForensics Evidence Mover happily reports that all files have been successfully transferred. Unless you check for the logs and make sure that every (source) file has been listed in the log, there is a good chance that the transfer is incomplete.

Nuix Evidence Mover 2.0.21 is also free and looks and feels like the one from MicroForensics, except one little detail. The tool from Nuix actually reports that all files have been transferred OK. If the destination drive becomes unavailable during the transfer, you will not see the line similar to this one:

09/27/10 12:09:58 - All files were moved successfully

Friday, September 17, 2010

DRM protection

 
This pastebin http://pastebin.com/kqD56TmU
page probably has been one of the most visited place lately. Hardware Blu-Ray rippers HDfury2 and DVIMagic may soon have software competition due to the HDCP master key getting out in the wild.

Saturday, September 11, 2010

FTK RegEx

FTK 3.x "PATTERN" is using Boost C++ RegEx libraries, which is a new name for Regex++.

There are three main syntax options available for Boost: Perl, POSIX extended and POSIX Basic with Perl being default. It is good to know that FTK is definitely using Perl implementation. The exact RegEx syntax is available here.

... and yes, I am back. .. well kind of... I'm just not sure how often I 'd be able to post here.