It's been quite some time (over a month) since I made a post (to here or the forensically sound Yahoo group). I've had a whirlwind of client work, including teaching at a number of SANS conferences. I did get a bit of press coverage while at the San … [Continue reading]

“Forensically Sound Duplicate” (Update)

So after the whirl of feedback I've received, we've moved discussions of this thread from Richard Bejtlich's blog to a Yahoo! group. The URL for the group is: We now return this blog to its … [Continue reading]

“Forensically Sound Duplicate”

I was reading Craig Ball's (excellent) presentations on computer forensics for lawyers at ( One of the articles mentions a definition for forensically sound duplicate as: "A 'forensically-sound' duplicate of … [Continue reading]

Self replicating software – Part 3 – Other methods

Up until now, this thread of posts has been rather theoretical, talking about Turing machines, etc. The only time there was some source code was for showing a program that can print out a description of itself (its source code). Well, one problem … [Continue reading]

Self replicating software – Part 2 – Recursion theorem proof

In this post I'll cover the proof of the Recursion theorem (see Self Replicating Software - Part 1 - The Recursion Theorem). The proof for the Recursion theorem is a constructive proof, meaning that a Turing Machine (TM) that can reference its own … [Continue reading]

Self replicating software – Part 1 – The Recursion Theorem

This is the first in a multi-part post about computing theory and self replicating software. This post assumes you have knowledge and understanding of a Turing Machine (abbreviated TM). If you aren't familiar with Turing Machines (TMs) then you may … [Continue reading]

Naming structure of recycle bin files

Was doing some research on the structure of the Windows Recycle Bin, and found an interesting article over at Microsoft. It talks about the naming structure of the files in the Recycle Bin directories. In essence, the structure is as follows: … [Continue reading]

Base+Offset notation (or why we start counting with zero)

Every now and again, I get the question about why we start counting things such as arrays, offsets, etc. with zero (0) and not one (1). The answer is simple: when specifying a data structure, we normally specify the byte (or whatever unit) offset … [Continue reading]

Argument for MD5

So, there has been a lot of talk over the past few years about using MD5 hash sums in digital forensics, due to the fact that some collisions have been found for MD5. First, a hash algorithm/function has the following properties: 1) The algorithm … [Continue reading]

The switch to Levenger

For years I've carried around a small notebook, one of the spiral-bound ones that is almost a 3x5 card size. I've even got a nice leather cover for them somewhere at my Dad's house. I normally use the notebook to do things like take case notes, … [Continue reading]