Thursday, October 28, 2010

Your data is still here...

Some people think they are safe and that their data is secure. Even more experienced users, using modern tools for wiping browsing data, believe they can erase their tracks. This video shows that some information is more persistent than we expect =)


Tuesday, October 26, 2010

AccessData announces FTK 3.2 and Imager 3.0

The main new features include support for the EXT4 file system and RAM analysis of 64-bit systems.


AccessData, one of the world's leading vendors of forensic investigation software, has announced important news in its product line: FTK 3.2 and Imager 3.0. AccessData had many problems with FTK version 2.x, but managed to redeem itself with version 3.x and has only been improving its forensic suite since then. FTK's main characteristic, which sets it even further apart from its competitors, is the indexing of evidence files in an Oracle database fully optimized for use by FTK. Distributed evidence processing (already discussed in other posts here on the Blog) is another very important feature of the system.



Among the new features of FTK 3.2, the highlights are:


FILE SYSTEM, FORENSIC IMAGE AND FILE SUPPORT...
  • Create and process Advanced Forensic Format (AFF) images.
  • Process and analyze DMG (compressed and uncompressed), Ext4, exFAT, VxFS (Veritas File System), Microsoft VHD (Microsoft Virtual Hard Disk), and Blackberry IPD backup files.
  • Sophos Enterprise and S/MIME decryption support with proper credentials.
ENHANCED WINDOWS MEMORY ANALYSIS...
  • AccessData now offers the first and ONLY commercial computer and enterprise forensics products with 64-bit memory analysis!
  • Ability to identify/display kernel structures involved with network miniport and file system filter drivers.
  • SSDT/IDT/IRP hook detection.
GREATER PROCESSING SPEED AND FLEXIBILITY...
  • Processing speed for email archives, such as PSTs, EDBs and NSFs has been increased by 200%! (Times vary, depending on the hardware.)
  • New selective archive expansion allows a user to define "drill down" options and specify which files are expanded during processing (i.e. only ZIP and PST files).
ADVANCED EMAIL ANALYTICS...
  • Email Items tree view completely refreshed:
      • Email By Date -- organized by Year, then by Month, then by Date for both Sent and Received.
      • Email Addresses -- organized by Sender/Recipient, and subcategorized by Date, Email Domain, Display Name and Email Address.
PHYSICAL AND VIRTUAL DEVICE MOUNTING...
  • Safely mount a forensic Image (AFF/DD/E01/S01) as a physical device. Any tool that enumerates devices can find it, such as FTK Imager. Also supports booting forensic images in VMWare.
  • Mount a logical image (AD1/L01) and physical image (AFF/E01/DD/S01) as a virtual device or volume. Once mounted the read-only media is available to any third-party Windows application and exposes the same file system artifacts as FTK. For example you can mount an HFS+ image, and it will show up as a volume on the examiner's machine in the explorer view.
GLOBAL FILTERS, CARVERS, COLUMNS AND LABELS...
  • Users can now define global columns, carvers, filters and more, and have these available for use on all cases.
DEVICE RESTORATION...
  • Quickly restore your forensic image to media for distribution, processing with other tools, etc. This feature works with several types of forensic images.
And more!
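The "SSDT/IDT/IRP hook detection" item in the memory-analysis list above describes one of the classic memory-forensics checks: a dispatch-table entry whose target address lies outside the module that legitimately owns the routine is suspicious. The following is an added example, not AccessData's code and not a description of how FTK implements the check. It runs that address-range test over constructed data (the module layout, table contents and addresses are all made up for the example) and generalizes from the SSDT to any dispatch table, such as a driver's IRP major-function table, by taking the expected owner module as a parameter. Parsing the table and the loaded-module list out of a memory image is outside its scope.

```python
"""Dispatch-table hook check over constructed data (added example, not FTK code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    """Address range of a loaded kernel module (constructed values)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed sample module list: the first two names are real Windows
# components, but every address and size here is made up for this example,
# and legit.sys is a hypothetical third-party driver.
MODULES: List[Module] = [
    Module("ntoskrnl.exe", 0xFFFFF80001000000, 0x600000),
    Module("win32k.sys", 0xFFFFF96000000000, 0x300000),
    Module("legit.sys", 0xFFFFF88002000000, 0x40000),
]

# Constructed SSDT excerpt: service index -> handler address. Every entry of
# the main SSDT should resolve into ntoskrnl.exe. Index 0x47 points at memory
# no loaded module covers, and 0x55 was redirected into legit.sys.
SAMPLE_SSDT: Dict[int, int] = {
    0x00: 0xFFFFF80001010000,
    0x1A: 0xFFFFF800012AB000,
    0x47: 0xFFFFF8A000001000,
    0x55: 0xFFFFF88002001000,
}

# Constructed IRP major-function table for legit.sys: IRP_MJ code -> handler.
# A driver's dispatch routines should live inside the driver's own image.
SAMPLE_IRP_TABLE: Dict[int, int] = {
    0x00: 0xFFFFF88002003000,   # IRP_MJ_CREATE, inside legit.sys
    0x0E: 0xFFFFF8A000002000,   # IRP_MJ_DEVICE_CONTROL, redirected elsewhere
}

Finding = Tuple[int, int, str]


def owner_of(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the module whose image range covers addr, or None."""
    for mod in modules:
        if mod.contains(addr):
            return mod
    return None


def find_hooks(table: Dict[int, int], modules: List[Module],
               expected_owner: str) -> List[Finding]:
    """Flag every table entry whose target is not inside expected_owner.

    Returns (index, target address, reason) tuples in ascending index order.
    """
    findings: List[Finding] = []
    for idx, addr in sorted(table.items()):
        owner = owner_of(addr, modules)
        if owner is None:
            findings.append((idx, addr, "target not in any loaded module"))
        elif owner.name != expected_owner:
            findings.append(
                (idx, addr, f"target in {owner.name}, expected {expected_owner}"))
    return findings


def report(label: str, findings: List[Finding]) -> None:
    """Print one line per flagged entry."""
    for idx, addr, reason in findings:
        print(f"{label}[0x{idx:02X}] -> 0x{addr:016X}: {reason}")


if __name__ == "__main__":
    report("SSDT", find_hooks(SAMPLE_SSDT, MODULES, "ntoskrnl.exe"))
    report("legit.sys IRP", find_hooks(SAMPLE_IRP_TABLE, MODULES, "legit.sys"))
```

The same `find_hooks` call serves every table the item names once the right owner is supplied: the main SSDT against ntoskrnl.exe, the shadow SSDT (GUI services) against win32k.sys, and each driver's IRP table against that driver. A target that resolves to no loaded module at all is the stronger signal, since it usually means the hook lives in memory that was deliberately kept out of the module list.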


As for Imager 3.0, the main new features are:


PHYSICAL AND VIRTUAL DEVICE MOUNTING...
  • Safely mount a forensic Image (AFF/DD/E01/S01) as a physical device. Any tool that enumerates devices can find it, such as FTK Imager. Also supports booting forensic images in VMWare.
  • Mount a logical image (AD1/L01) and physical image (AFF/E01/DD/S01) as a virtual device or volume. Once mounted the read-only media is available to any third-party Windows application and exposes the same file system artifacts as FTK. For example you can mount an HFS+ image, and it will show up as a volume on the examiner's machine in the explorer view.
NEW FILE SYSTEM and FORENSIC IMAGE SUPPORT...
  • Create and view Advanced Forensic Format (AFF) images.
  • New support for DMG (compressed and uncompressed), Ext4, exFAT, VxFS (Veritas File System), and Microsoft VHD (Microsoft Virtual Hard Disk)

More information and the software download (a license is required to use the software) can be obtained at: http://www.accessdata.com/products/ftk/ad_ftk32_ftp.aspx