SANS Digital Forensics and Incident Response Blog: Author - qshamblin

Data recovery with Hex Editor and RegEx

by Quinn Shamblin

In my previous post about recovering mp3 data from a corrupted chip, I describe a data recovery challenge that I could not solve using FTK, Foremost or Lazarus. It turned out that Regular Expressions were my answer. But how best to run regex-based data extraction against a forensic image when there might be hundreds of thousands, if not millions, of individual matching frames?

Hex Editor Neo was exactly what I needed. It has a few unique features that really

...


Recovery of MP3s using regular expressions

by Quinn Shamblin

I was recently asked to recover MP3 audio from a corrupted memory chip.

The audio was recorded using a special-purpose audio recording machine configured to record in MP3 format in stereo at 44.1 kHz and 128 kbps.

There are several tools and approaches that are sometimes helpful in automated data recovery. I tried Access Data's FTK, Foremost and Lazarus, but none of these worked in this case, so I needed a different approach.

An MP3 file is simply a sequential series of "frames", 417-418 bytes in length, that each have their own header that tells the MP3 player how to play that particular frame. If you carve out any single MP3 frame and save the result with a .mp3

...


Hardcopy III

by Quinn Shamblin

HC3 Controls

Parts that come in the package

VOOM has released a new version of their forensic hard drive imaging tool: Hardcopy III


What Programs Do - Part 2

The Registry Key Reference Tool (RiKeR)

The story of this project begins with "What Programs Do - Part 1 - The project & the "What Programs Do" series". Check that out for background if you have not already done so.

In coming entries, I will provide analyses of the registry and file system impacts of various programs. The reports will assume that you understand the Windows Registry. If you need a refresher, see these articles in MSDN, Wikipedia, WinVistaClub

The work that the community has done to understand the registry is excellent. There are many known Registry locations

...


What Programs Do - Part 1

The project and the "What Programs Do" series

Digital Forensics is a technical and scientific field dependent on the research each of us does every day. Our community shares information openly when asked. Unfortunately we don't have a central authoritative repository of information we can all contribute to and refer to, so we often duplicate work already done by others.

"What Programs Do" is a project intended to begin, in a small way at first, to address this need for a central repository of information. When a program is installed on a computer, it makes changes to the registry and adds files to the system. When it is run, it similarly updates the registry and writes files. When it is uninstalled, it removes most of the registry keys and files it installed, but often not all.

This concept and process is trained in detail during the SANS Computer Forensics, Investigation, and Response course on