The American Academy of Forensic Sciences has recently posted program
information for the 2008 Annual Meeting. There are a number of
interesting talks during the Digital Evidence Session. The session
program can be found under the General Scientific Sessions Schedules
(http://www.aafs.org/pdf/08General.pdf). In particular, we will be presenting
on our collaborative effort with NIST:
"Using Hashing to Improve Volatile Memory Forensic Analysis", AAron R.
Walters, MS*; Blake Matheny, BS; Douglas White, MS
It was only a matter of time....
In case you might have missed it during the holidays, the latest version
of PyFlag now leverages the Volatility Framework to add volatile memory
analysis to its outstanding list of capabilities. This makes
PyFlag the first and only publicly available tool that allows the
digital investigator to correlate disk images, log files, network traffic,
and RAM captures all within an intuitive interface. While the current
functionality is still preliminary, just imagine the possibilities!
Since PyFlag loads memory images through its standard IO source interface,
it is also now possible to store your memory images using the EWF format,
commonly used in commercial tools. Once the memory image is uploaded to
PyFlag, information can either be accessed through a browseable /proc
interface or through the Stats view. Michael Cohen and his team have
provided a tutorial and image to get you started:
As I mentioned in a previous post, a special thanks to Europol for
bringing our teams together through the High Tech Crime Expert Meeting.
I also want to thank Michael Cohen for the great work he has done with
PyFlag and his contributions to Volatility! Stay tuned for further
exciting collaborations and future Volatility releases in 2008!