Don't Let Your Tools Make You Look Bad
- Neil Mills
- 6 years ago
Transcription
1 No Substitute for Knowledge Troy Larson TwC Network Security Analytics Microsoft Corp.
2 Tools: Necessary. But not a substitute for knowing. Consider a simple task...
3 Raw bits:
4 Bits to Bytes: Convert to hex (for ASCII/Unicode mapping): 0x80 0x40 0x20 0x10 0x08 0x04 0x02 0x01. Set bits: 0x40, 0x04. 0x40+0x04 = 0x44
5 Bytes to Hex: 44 6F 6E C F F 6F 6C D 61 6B F E 6F E 74 2E 0D 0A
6
7 Hex to Text: Don't let your tools make you ignorant.
8 Tools necessary, but not everything.
9 Tools have bugs: Crashes. Data is misinterpreted. Data is wrong. Data is missed.
10 Tools have limitations. Works as designed, but not as represented. Works as intended and as represented, but incomplete.
11 Tools have myths: Court approved.
12 Tools shape your view of the reality. "The identity that we ascribe to things is only a fictitious one, established by the mind, not a peculiar nature belonging to what we're talking about." -David Hume
13
14
15
16 0: kd>.reload /f Loading Kernel Symbols..*** ERROR: Symbol file could not be found. Defaulted to export symbols for kdcom.dll -...*** ERROR: Module load completed but symbols could not be loaded for iastor.sys...*** ERROR: Module load completed but symbols could not be loaded for PxHlpa64.sys...*** ERROR: Module load completed but symbols could not be loaded for stdflt.sys.*** ERROR: Module load completed but symbols could not be loaded for spldr.sys...*** ERROR: Module load completed but symbols could not be loaded for MpFilter.sys...*** ERROR: Module load completed but symbols could not be loaded for iesvc_.sys...*** ERROR: Module load completed but symbols could not be loaded for bcmwl664.sys...*** ERROR: Module load completed but symbols could not be loaded for Rt64win7.sys...*** ERROR: Module load completed but symbols could not be loaded for SynTP.sys...*** ERROR: Module load completed but symbols could not be loaded for Acceler.sys
17
18 Critical Thinking: Accurate, complete, or evident? What you need to know. How do you know?
19 Any tool can encourage analytical blind spots. [Hex dump, offsets 00002D… to 00002E…: the names $Extend, $ObjId, $Quota and $Repars… with the byte run B1 47 AC 12 9C 51 CC 01 repeated in each entry]
20 Proficiency with a forensics tool is not the same as proficiency in digital forensics. Even the best tool is limited by the investigator's understanding.
21 To prevent your tools from making you look bad, you must not rely on them to make you smart. Master the data, not just the tool.
22 Develop an understanding of forensics subject matters outside of [name of favorite forensics tool]. What evidence does an OS offer? What evidence does a file format offer? A file system? The shell? Memory?
23 Learn to use the whole animal. Thank you Jesse Kornblum
24
25 ARM ReFS Boot Sector Malware Code Sets String Search Internet Linux MRU MFU UTF-8 ASCII CD ROM Office BIFFs FAT ExFAT NTFS Dates EVTX DOS Time Stamp TIF DOS < 3.1 VHDX Prefetch Shell Bags Info2 FAT Undelete Sectors Super Fetch User Assist NTFS DOS 6.1 VSC Windows 95 Registry Hard Drives Floppy Disk Jump Lists Open Office SSD TRIM USN:J Index.dat Unicode Tracks TxR TxF DOS > 3.1 EFS FAT32 X64 Junctions MAC Dates FAT16 VHD.LNK 32 Bit DOS Boot Disks Disk Imaging
26 MAC Dates TIF Don t Let Your Tools Make You Look Bad FAT Undelete FAT ASCII DOS Time Stamp FAT32 FAT16 Sectors EVTX UTF-8 Index.dat Tracks DOS < 3.1 DOS > 3.1 Linux DOS Bit Malware ExFAT Internet VSC VHD EFS SSD VHDX Info2 Registry Office BIFFs Windows 95 Floppy Disk Hard Drives NTFS Unicode Boot Sector X64 Disk Imaging Code Sets String Search DOS Boot Disks TxF Junctions Open Office USN:J.LNK MFU Prefetch TxR MRU User Assist Shell Bags ReFS Super Fetch Jump Lists ARM TRIM NTFS Dates CD ROM
27 Manageable parts: Features and components. PS> ForEach-Object Ask-AboutIt. What does it do? Is it evidence or can it impact investigation? Is it stateful? How does it work? How can we read its data? What does its data tell us?
28 Learn about features and components: what do they do?
29 The critical question: is it stateful? Does the feature or component appear to store useful information? E.g., browser tab and session recovery, link files, prefetch files, etc. [Hex dump at offset 0466E4000: the signature SCCA followed by the name NETSTAT.EXE]
30 Learn how features and components work.
31 Identify the important data structures and learn how to parse them.
32 What can a feature or component artifact tell us?
33 Artifact focused research, studying, and thinking model: What Impact or interesting Proves Stateful Parse Works how
34 Model in action: What: Large sector hard drives. Windows 8 is the first OS with full support for both types of AF disks, 512e and 4K Native. Does it matter to forensics? Stateful
35 How does it work? No cluster slack!
36 How does it work?
37 Parse: Will [forensics tool] work? Not if it expects $MFT FRS size to be 1kb. Proves/Ramifications: No cluster slack. Larger resident files. Probably more resident files. Problem for wiping tools. [Model diagram: What, Impact or interest, Stateful, How, Parse, Proves]
38 Model in action: What: A new registry hive. Impact, or why does it matter? Stateful
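Slide 37's point about tools that expect a 1 KB $MFT file record segment (FRS), as an added example that is not part of the original slides: the FRS size is read from the NTFS boot sector rather than assumed, then used to locate record 1 in a constructed image. The images, `make_image` and `record_signature` are constructed for illustration; the field offsets are the standard NTFS boot sector layout.

```python
import struct

def decode_record_size(code: int, cluster_size: int) -> int:
    """Decode the signed size byte stored at 0x40 (FRS) and 0x44 (index buffer)."""
    if code == 0:
        raise ValueError("record size byte is zero")
    if code >= 0x80:                    # negative int8 n: size is 2**(-n) bytes
        return 1 << (256 - code)
    return code * cluster_size          # positive: a count of clusters

def parse_ntfs_boot_sector(boot: bytes) -> dict:
    """Read volume geometry from the first sector of an NTFS volume."""
    if len(boot) < 512 or bytes(boot[3:11]) != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, spc = struct.unpack_from("<HB", boot, 0x0B)
    if spc > 0x80:                      # very large clusters: negative exponent
        spc = 1 << (256 - spc)
    cluster_size = bytes_per_sector * spc
    (mft_lcn,) = struct.unpack_from("<Q", boot, 0x30)
    return {
        "bytes_per_sector": bytes_per_sector,
        "cluster_size": cluster_size,
        "mft_offset": mft_lcn * cluster_size,
        "frs_size": decode_record_size(boot[0x40], cluster_size),
        "index_buffer_size": decode_record_size(boot[0x44], cluster_size),
    }

def record_signature(image: bytes, record_number: int, frs_size=None) -> bytes:
    """Return the first 4 bytes of an MFT record; frs_size overrides the boot sector."""
    geo = parse_ntfs_boot_sector(image[:512])
    size = frs_size if frs_size is not None else geo["frs_size"]
    start = geo["mft_offset"] + record_number * size
    return bytes(image[start:start + 4])

def make_image(bytes_per_sector, sectors_per_cluster, frs_code, mft_lcn=2, records=3):
    """Build a constructed (not real) volume image: boot sector plus empty FILE records."""
    boot = bytearray(512)
    boot[3:11] = b"NTFS    "
    struct.pack_into("<HB", boot, 0x0B, bytes_per_sector, sectors_per_cluster)
    struct.pack_into("<Q", boot, 0x30, mft_lcn)
    boot[0x40] = frs_code               # clusters (or 2**-n bytes) per file record
    boot[0x44] = 0x01                   # one cluster per index buffer
    boot[0x1FE:0x200] = b"\x55\xAA"
    geo = parse_ntfs_boot_sector(boot)
    image = bytearray(geo["mft_offset"] + records * geo["frs_size"])
    image[:512] = boot
    for n in range(records):
        start = geo["mft_offset"] + n * geo["frs_size"]
        image[start:start + 4] = b"FILE"
    return bytes(image)

# Constructed samples: a 512-byte-sector volume with 1 KB records (0xF6 = -10)
# and a 4K-native-style volume with 4 KB records (0xF4 = -12).
IMAGE_512 = make_image(512, 8, 0xF6)
IMAGE_4KN = make_image(4096, 1, 0xF4)

if __name__ == "__main__":
    for name, img in (("512-byte sectors", IMAGE_512), ("4K native", IMAGE_4KN)):
        geo = parse_ntfs_boot_sector(img[:512])
        print(name, geo["frs_size"],
              "from boot sector:", record_signature(img, 1),
              "assuming 1024:", record_signature(img, 1, frs_size=1024))
```

On the 4 KB record image, the hard-coded 1024-byte stride lands inside record 0, so the parser reads zero bytes where it expects a record header.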
39 Think through the model. How What Impact or interest Proves Stateful Parse Registry file parsers. Proves Executable file was there. Parse How
40 Sometimes it works backwards: [Hex dump at offsets 1E029A0D… to 1E029A0E…: strings include "agent.ex…", $KERNEL.PURGE.ESBCACHE and $TXF_DATA]
41 Sometimes it works backwards: [Hex dump at offsets 0C07CED… to 0C07CEE…: strings include "WinHex64.e…", $KERNEL.PURGE.APPID.HASHINFO and AID1]
42 One more thing: Learn to recognize important structures and strings on sight. [Hex dumps of structure and file headers: FILE0; hbin and vk; MZ; PK; D0 CF 11 E0 A1 B1 1A …; FF D8 FF … JFIF]
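The headers named on slide 42, recognized in code, as an added example that is not part of the original slides: it scans a buffer at sector boundaries and labels FILE, hbin, MZ, PK, OLE2 and JPEG headers. The sector-aligned scan, the PE and JFIF confirmation checks, the label strings and the sample buffer are additions and assumptions of this example; `vk` is left out because it sits inside a registry cell rather than at the start of a structure.

```python
import struct

SECTOR = 512
OLE2 = bytes.fromhex("D0CF11E0A1B11AE1")

def identify(buf: bytes, off: int = 0):
    """Return a label for the structure starting at buf[off], or None."""
    head = buf[off:off + 12]
    if head[:4] == b"FILE" and len(head) >= 6:
        # The "0" seen after FILE in a hex editor is the low byte of the
        # 16-bit update sequence array offset (0x0030), not part of the magic.
        (usa_off,) = struct.unpack_from("<H", head, 4)
        return f"NTFS file record (update sequence array at 0x{usa_off:02X})"
    if head[:4] == b"hbin":
        return "registry hive bin"
    if head[:8] == OLE2:
        return "OLE2 compound file"
    if head[:4] == b"PK\x03\x04":
        return "ZIP local file header"
    if head[:3] == b"\xFF\xD8\xFF":
        return "JPEG (JFIF)" if head[6:10] == b"JFIF" else "JPEG"
    if head[:2] == b"MZ":
        # Two ASCII letters are weak evidence: follow e_lfanew to the PE signature.
        if off + 0x40 <= len(buf):
            (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
            pe = off + e_lfanew
            if buf[pe:pe + 4] == b"PE\x00\x00":
                return "PE executable"
        return "MZ header without PE signature"
    return None

def scan(buf: bytes, step: int = SECTOR):
    """Label every recognized header found at a multiple of step."""
    hits = []
    for off in range(0, len(buf), step):
        label = identify(buf, off)
        if label is not None:
            hits.append((off, label))
    return hits

def build_sample() -> bytes:
    """Constructed six-sector buffer, not data from a real disk."""
    img = bytearray(6 * SECTOR)
    img[0:8] = b"FILE0\x00\x03\x00"                      # sector 0: MFT record start
    base = 2 * SECTOR                                     # sector 1 stays empty
    img[base:base + 2] = b"MZ"                            # sector 2: MZ + PE
    struct.pack_into("<I", img, base + 0x3C, 0x80)
    img[base + 0x80:base + 0x84] = b"PE\x00\x00"
    img[3 * SECTOR:3 * SECTOR + 2] = b"MZ"                # sector 3: bare "MZ"
    img[4 * SECTOR:4 * SECTOR + 11] = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"
    img[5 * SECTOR:5 * SECTOR + 8] = OLE2                 # sector 5: compound file
    return bytes(img)

SAMPLE = build_sample()

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```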
43 The most important forensics tool comes pre-installed, but unformatted.
44 Resources: Microsoft: Trial versions on virtual hard drives. Windows Internals, now in 6th Edition. MSDN. Open Specifications. TechNet. SysInternals. Tools and information. A good hex editor.
45 Resources: The Internet. Windows Incident Response, by Harlan Carvey. Journey Into Incident Response, Corey Harrell. Grand Stream Dreams, Claus Valca. M-unition, Mandiant. SANS Computer Forensics Blog. Research papers and forensics documentation. Old New Thing, Raymond Chen.
46 Go ahead and fire up your favorite forensics tool.
TEST DVD-VIDEO/ DVD-ROM For Checking DVD Players, DVD Recorders and DVD Drives TDH-940 Product Introduction. Purpose of use, Features TDH-940 is a Test Disc designed for confirmation of operation of DVD
More informationChapter 12: File System Implementation
Chapter 12: File System Implementation Silberschatz, Galvin and Gagne 2013 Chapter 12: File System Implementation File-System Structure File-System Implementation Allocation Methods Free-Space Management
More informationPCL ISO 8859/5 Latin/Cyrillic
Page 1 of 5 PCL Symbol Se t: 10N Unicode gly ph correspondence tables. Contact:help@redtitan.com http://pcl.to $20 U0020 Space -- -- -- -- $21 U0021 Ê Exclamation mark -- -- -- -- $22 U0022 Ë Quotation
More information2-Type Series Pressurized Closures
2-Type Series Pressurized Closures A complete pressure tight reenterable closure system for enclosing spliced connections of communications cables in a wide variety of applications. The 2-type Closure
More informationTLS 1.2 Protocol Execution Transcript
Appendix C TLS 1.2 Protocol Execution Transcript In Section 2.3, we overviewed a relatively simple protocol execution transcript for SSL 3.0. In this appendix, we do something similar for TLS 1.2. Since
More informationCS370 Operating Systems
CS370 Operating Systems Colorado State University Yashwant K Malaiya Spring 2018 Lecture 22 File Systems Slides based on Text by Silberschatz, Galvin, Gagne Various sources 1 1 Disk Structure Disk can
More informationPCL Greek-8 - Code Page 869
PCL Greek-8 - Code Page 869 Page 1 of 5 PCL Symbol Se t: 8G Unicode glyph correspondence tables. Contact:help@redtitan.com http://pcl.to $20 U0020 Space $90 U038A Ê Greek capita l letter iota with tonos
More informationOPERATING SYSTEM. Chapter 12: File System Implementation
OPERATING SYSTEM Chapter 12: File System Implementation Chapter 12: File System Implementation File-System Structure File-System Implementation Directory Implementation Allocation Methods Free-Space Management
More informationMC68705P3 Bootstrap ROM
MC68705P3 Bootstrap ROM ;This is a listing of the Bootstrap ROM which resides in Motorola's MC68705P3 single chip ;micros. Its sole purpose is to program its own EPROM by copying the data from an external
More information