
what tools are missing?

(@1fonzy)
Eminent Member
Joined: 16 years ago
Posts: 20
Topic starter  

Any tool missing from the computer forensics world? What tool would you like to see become available or would be useful? Any help would be greatly appreciated. Want to get some ideas from the experts here regarding a final year project. Some possible projects I think need to be addressed are Game console Forensics, Anti-Forensics, Cloud computing forensics. Any help would be greatly appreciated.


   
Quote
Wardy
(@wardy)
Estimable Member
Joined: 20 years ago
Posts: 149
 

My first thoughts are…. Oh great, another encrypted package to contend with. I don't wish to sound negative.


   
ReplyQuote
(@1fonzy)
Eminent Member
Joined: 16 years ago
Posts: 20
Topic starter  

OK, but I don't want to do a cryptography app.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

How about an app that you can point to an image acquired from a Vista, Windows 2008, or Windows 7 system…just an image…and have it identify and give you access to the Volume Shadow Copies?

The problem is that right now, if I want to access, say, 5 Volume Shadow Copies on a 70GB HDD, I have two options:

1. Access the drive while it's still in the live system, mount each Volume Shadow Copy, and acquire each one individually. That means I have to have 5 x 70GB of space available, and that includes the associated time for acquiring each mounted volume. So I need 420GB of space to acquire all that, plus the original 70GB.

2. Image the drive, and then mount the image on a like OS; i.e., if I image a Vista system, I need to have a Vista system available to mount the image on. From there, I can access the Volume Shadow Copies, but the fact remains that I still need that Vista system just for this process, even though all of my other tools might not work on Vista.

So, being able to image, say, a Vista system, then access the Volume Shadow Copies from an XP system…that would be useful.

Or, how about a tool to parse the Windows Vista and above Windows Event Logs (.evtx files) into a simple, text-based format for inclusion into a spreadsheet, database, etc.


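A minimal sketch of the first step of the .evtx-to-text idea in keydet89's post above, added here as an illustration and not code from any poster or existing tool: it walks the chunk and record headers of an .evtx file and writes record ID and written time as CSV. The event data itself is binary XML and is not decoded here; the function names are hypothetical and the input is a constructed two-record file built by `build_sample`.

```python
import csv, io, struct
from datetime import datetime, timedelta, timezone

FILE_MAGIC, CHUNK_MAGIC = b"ElfFile\x00", b"ElfChnk\x00"
REC_MAGIC = b"\x2a\x2a\x00\x00"
FILE_HDR, CHUNK_SIZE, CHUNK_HDR, REC_HDR = 4096, 65536, 512, 24

def filetime_to_iso(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    t = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def iter_records(data):
    """Yield (record_id, written_utc, size) per record; binary XML body is not decoded."""
    if data[:8] != FILE_MAGIC:
        raise ValueError("missing ElfFile signature")
    for base in range(FILE_HDR, len(data), CHUNK_SIZE):
        chunk = data[base:base + CHUNK_SIZE]
        if chunk[:8] != CHUNK_MAGIC:
            continue  # unused or damaged chunk: skip it, keep going
        pos = CHUNK_HDR
        while pos + REC_HDR <= len(chunk) and chunk[pos:pos + 4] == REC_MAGIC:
            size, rec_id, written = struct.unpack_from("<IQQ", chunk, pos + 4)
            # A record ends with a copy of its size; reject anything inconsistent.
            if size < REC_HDR + 4 or pos + size > len(chunk):
                break
            if struct.unpack_from("<I", chunk, pos + size - 4)[0] != size:
                break
            yield rec_id, filetime_to_iso(written), size
            pos += size

def to_csv(data):
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["record_id", "written_utc", "size"])
    writer.writerows(iter_records(data))
    return out.getvalue()

def build_sample():
    """Constructed two-record file for the demo (not a real log)."""
    def rec(rec_id, unix_ts, body=b"\x00" * 8):
        ft = (unix_ts + 11644473600) * 10**7  # Unix seconds -> FILETIME
        size = REC_HDR + len(body) + 4
        return REC_MAGIC + struct.pack("<IQQ", size, rec_id, ft) + body + struct.pack("<I", size)
    recs = rec(1, 1262304000) + rec(2, 1262304060)
    chunk = (CHUNK_MAGIC.ljust(CHUNK_HDR, b"\x00") + recs).ljust(CHUNK_SIZE, b"\x00")
    return FILE_MAGIC.ljust(FILE_HDR, b"\x00") + chunk

if __name__ == "__main__":
    print(to_csv(build_sample()), end="")
```
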
bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
 

I second the motion on the VSS access! If anyone develops a "point to a VSS and image" tool, I'll be the first customer.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

The functionality for this is already available, but it's something of a manual process. Having such a tool would be extremely useful.


(@1fonzy)
Eminent Member
Joined: 16 years ago
Posts: 20
Topic starter  

After doing a bit of research I think I'll go ahead with this. What programming language would you recommend for doing this? Windows SDK, or what do you think would be the easiest way to go, Java? C?


Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318
 

After doing a bit of research I think I'll go ahead with this. What programming language would you recommend for doing this? Windows SDK, or what do you think would be the easiest way to go, Java? C?

I vote for cross-platform, so no to Windows SDK.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

If you've done some research, you've probably realized that there needs to be some level of access to the MS APIs…so it would have to be via the Windows SDK, to some extent.


(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Volume Shadow Copy Service Overview (Windows)
http://msdn.microsoft.com/en-us/library/aa384649%28VS.85%29.aspx

VShadow Tool and Sample (Windows)
http://msdn.microsoft.com/en-us/library/bb530725%28VS.85%29.aspx

