I usually have a few personal projects ongoing at any given time. Here is where I summarise anything worth talking about.
Docket
Coming from the position of an examiner, and having to record actions and analysis for investigations and examinations, I have an idea of what a case management system should or could be. My idea of an ideal system has changed over time, and will continue to change as the field itself changes.
One of my projects is Docket, a Windows-based forensic CMS I’m writing in C#. As this is an ongoing project, I have no commercial aspirations as yet, and may even open-source the project in the future.







Many features can’t be seen or explored by image alone, and I’ve tried to pack Docket with as many useful features as possible. For example, every entry or change of data generates a fingerprint value that can be used like hash verification to see if data has been modified outside of the interface. Drag and Drop features heavily too – drop images on an exhibit tab to upload them, or drop an imaging log on the imaging section and watch as it’s intelligently parsed and uploaded.
NAND Image Analysis
Reconstructing a NAND physical image is notoriously difficult. I’m looking at statistical and signal processing methods for analysing an image to make manual inspection and reconstruction easier. For example, I’ve tried using cross-correlation to identify sector size.
The left image shows a bit map that can be interpreted by an analyst, but the image on the right shows (by the massive drop) the detected data and spare area locations, and therefore sector size (in this case 512 + 16 = 528).
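As an added illustration (not code from this project), the sketch below runs a byte-equality autocorrelation over a constructed image to recover the sector period, then splits each sector into data and spare area by finding the columns that repeat from one sector to the next. The spare-area layout (marker bytes, block number, padding, ECC), the function names and the thresholds are all assumptions made for the example.

```python
import operator
import random

def make_image(sectors=32, data_len=512, spare_len=16, seed=1):
    """Constructed sample: random data plus a mostly static spare area (assumed layout)."""
    rng = random.Random(seed)
    rnd = lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")
    out = bytearray()
    for s in range(sectors):
        out += rnd(data_len)                          # user data, high entropy
        out += b"\xff\xff"                            # assumed bad-block markers
        out += (s // 16).to_bytes(2, "big")           # assumed logical block number
        out += b"\xff" * (spare_len - 7) + rnd(3)     # padding, then assumed ECC bytes
    return bytes(out)

def autocorrelation(image, min_lag=64, max_lag=1200):
    """Map each lag to the fraction of bytes equal to the byte `lag` positions later."""
    return {lag: sum(map(operator.eq, image, image[lag:])) / (len(image) - lag)
            for lag in range(min_lag, max_lag + 1)}

def detect_sector_size(image, **lags):
    scores = autocorrelation(image, **lags)
    peak = max(scores.values())
    # Multiples of the true period score about as well as the period itself,
    # so take the smallest lag within 90% of the peak instead of the argmax.
    return min(lag for lag, score in scores.items() if score >= 0.9 * peak)

def split_data_spare(image, period, threshold=0.5):
    """Return (data_len, spare_len) from columns that repeat between sectors."""
    rows = [image[i:i + period] for i in range(0, len(image) - period + 1, period)]
    pairs = list(zip(rows, rows[1:]))
    stable = [c for c in range(period)
              if sum(a[c] == b[c] for a, b in pairs) / len(pairs) >= threshold]
    data_len = min(stable)   # first repeating column marks the start of the spare area
    return data_len, period - data_len

if __name__ == "__main__":
    img = make_image()
    size = detect_sector_size(img)
    print(size, split_data_spare(img, size))
```

On a real dump the minimum lag and the stability threshold need tuning, since ECC bytes and erased (all 0xFF) pages shift both scores.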

