Difference between pages "Bzip2" and "Blogs"

From ForensicsWiki
(Difference between pages)
m (Joachim Metz moved page Bz2 file to Bzip2)
 
(Challenges (and test images))
 
Line 1: Line 1:
{{expand}}
+
[[Computer forensics]] related resources like: blogs, fora, tweets, tools and challenges (and test images).
  
The bzip2 (.bz2) file consists of a single bzip2 stream. The bzip2 stream consists of:
+
= Blogs =
* The stream header.
+
  
The stream header is 4 bytes in size and contains:
+
== English ==
{| class="wikitable"
+
! align="left"| Offset
+
! Size
+
! Value
+
! Description
+
|-
+
| 0
+
| 2
+
| "BZ"
+
| Signature (magic number)
+
|-
+
| 2
+
| 1
+
|
+
| Version <br> 'h' for Bzip2 ('H'uffman coding), '0' for Bzip1 (deprecated)
+
|-
+
| 3
+
| 1
+
|
+
| Block size <br> Value is defined in increments of 100 kB <br> '1'..'9' block-size 100 kB-900 kB (uncompressed) <br> <b>Note: currently assumed that kB should be kiB</b>
+
|}
+
  
* followed by zero or more compressed blocks
+
* [http://www.appleexaminer.com/ The Apple Examiner]
<pre>
+
* [http://computer.forensikblog.de/en/ Computer Forensics Blog], by [[Andreas Schuster]]
.compressed_magic:48            = 0x314159265359 (BCD (pi))
+
* [http://www.niiconsulting.com/checkmate/ Checkmate - e-zine on Digital Forensics and Incident Response]
.crc:32                        = checksum for this block
+
* [http://www.infosecinstitute.com/blog/ethical_hacking_computer_forensics.html Jack Koziol - Ethical Hacking and Computer Forensics]
.randomised:1                  = 0=>normal, 1=>randomised (deprecated)
+
* [http://windowsir.blogspot.com/ Windows Incident Response Blog], by [[Harlan Carvey]]
.origPtr:24                    = starting pointer into BWT for after untransform
+
* [http://geschonneck.com/ Computer Forensics Blog], by [[Alexander Geschonneck]]
.huffman_used_map:16            = bitmap, of ranges of 16 bytes, present/not present
+
* [http://forensicblog.org/ Computer Forensics Blog], by [[Michael Murr]]
.huffman_used_bitmaps:0..256    = bitmap, of symbols used, present/not present (multiples of 16)
+
* [http://forenshick.blogspot.com/ Forensic news, Technology, TV, and more], by [[Jordan Farr]]
.huffman_groups:3              = 2..6 number of different Huffman tables in use
+
* [http://unixsadm.blogspot.com/ UNIX, OpenVMS and Windows System Administration, Digital Forensics, High Performance Computing, Clustering and Distributed Systems], by [[Criveti Mihai]]
.selectors_used:15              = number of times that the Huffman tables are swapped (each 50 bytes)
+
* [http://intrusions.blogspot.com/ Various Authors - Intrusions and Malware Analysis]
*.selector_list:1..6            = zero-terminated bit runs (0..62) of MTF'ed Huffman table (*selectors_used)
+
* [http://chicago-ediscovery.com/education/computer-forensics-glossary/ Computer Forensic Glossary Blog, HOWTOs and other resources], by [[Andrew Hoog]]
.start_huffman_length:5        = 0..20 starting bit length for Huffman deltas
+
* [http://secureartisan.wordpress.com/ Digital Forensics with a Focus on EnCase], by [[Paul Bobby]]
*.delta_bit_length:1..40        = 0=>next symbol; 1=>alter length
+
* [http://www.crimemuseum.org/blog/ National Museum of Crime and Punishment-CSI/Forensics Blog]
                                                { 1=>decrement length;  0=>increment length } (*(symbols+2)*groups)
+
* [http://forensicsfromthesausagefactory.blogspot.com/ Forensics from the sausage factory]
.contents:2..∞                  = Huffman encoded data stream until end of block
+
* [http://integriography.wordpress.com Computer Forensics Blog], by [[David Kovar]]
</pre>
+
* [http://jessekornblum.livejournal.com/ A Geek Raised by Wolves], by [[Jesse Kornblum]]
 +
* [http://computer-forensics.sans.org/blog SANS Computer Forensics and Incident Response Blog by SANS Institute]
 +
* [http://www.digitalforensicsource.com Digital Forensic Source]
 +
* [http://dfsforensics.blogspot.com/ Digital Forensics Solutions]
 +
* [http://forensicaliente.blogspot.com/ Forensicaliente]
 +
* [http://www.ericjhuber.com/ A Fistful of Dongles]
 +
* [http://gleeda.blogspot.com/ JL's stuff]
 +
* [http://4n6k.blogspot.com/ 4n6k]
 +
* [http://justaskweg.com/ JustAskWeg], by [[Jimmy Weg]]
 +
* [http://blog.kiddaland.net/ IR and forensic talk], by [[Kristinn Gudjonsson]]
 +
* [http://c-skills.blogspot.ch/ c-skills], by [[Sebastian Krahmer]]
 +
* [http://sketchymoose.blogspot.ch/ Sketchymoose's Blog]
 +
* [http://www.swiftforensics.com/ All things forensic and security related], by [[Yogesh Khatri]]
  
* immediately followed by an end-of-stream marker containing a 32-bit CRC for the uncompressed data.
+
=== Windows ===
<pre>
+
* [http://blogs.msdn.com/b/ntdebugging/ ntdebugging - Advanced Windows Debugging and Troubleshooting]
.eos_magic:48                  = 0x177245385090 (BCD sqrt(pi))
+
.crc:32                        = checksum for whole stream
+
.padding:0..7                  = align to whole byte
+
</pre>
+
  
The compressed blocks are bit-aligned and no padding occurs.
+
== Dutch ==
  
== See also ==
+
* [http://stam.blogs.com/8bits/ 8 bits], by [[Mark Stam]] (also contain English articles otherwise use [http://translate.google.com/translate?u=http%3A%2F%2Fstam.blogs.com%2F8bits%2Fforensisch%2Findex.html&langpair=nl%7Cen&hl=en&ie=UTF-8 Google translation])
* [[gzip file]]
+
  
== External Links ==
+
== French ==
  
* [http://en.wikipedia.org/wiki/Bzip2 Wikipedia: bzip2]
+
* [http://forensics-dev.blogspot.com Forensics-dev] ([http://translate.google.com/translate?u=http%3A%2F%2Fforensics-dev.blogspot.com%2F&langpair=fr%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
  
[[Category:File Formats]]
+
== German ==
 +
 
 +
* [http://computer.forensikblog.de/ Computer Forensik Blog Gesamtausgabe], by [[Andreas Schuster]] ([http://computer.forensikblog.de/en/ English version])
 +
* [http://computer-forensik.org computer-forensik.org], by [[Alexander Geschonneck]] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.computer-forensik.org&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
 +
* [http://henrikbecker.blogspot.com Digitale Beweisführung], by [[Henrik Becker]] ([http://translate.google.com/translate?u=http%3A%2F%2Fhenrikbecker.blogspot.com&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
 +
 
 +
== Spanish ==
 +
 
 +
* [http://www.forensic-es.org/blog forensic-es.org] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.forensic-es.org%2Fblog&langpair=es%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
 +
* [http://www.inforenses.com InForenseS], by [[Javier Pages]] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.inforenses.com&langpair=es%7Cen&hl=es&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
 +
* [http://windowstips.wordpress.com El diario de Juanito]
 +
* [http://conexioninversa.blogspot.com Conexión inversa]
 +
 
 +
== Russian ==
 +
 
 +
* Group-IB: [http://notheft.ru/blogs/group-ib blog at notheft.ru], [http://www.securitylab.ru/blog/company/group-ib/ blog at securitylab.ru]
 +
 
 +
= Related blogs =
 +
 
 +
* [http://www.c64allstars.de C64Allstars Blog]
 +
* [http://www.emergentchaos.com/ Emergent Chaos], by [[Adam Shostack]]
 +
* [http://jeffjonas.typepad.com/ Inventor of NORA discusses privacy and all things digital], by [[Jeff Jonas]]
 +
* [http://www.cs.uno.edu/~golden/weblog Digital Forensics, Coffee, Benevolent Hacking], by [[Golden G. Richard III]]
 +
 
 +
= Circles/Fora/Groups =
 +
* [http://forensicfocus.com/ Forensic Focus]
 +
* [http://tech.groups.yahoo.com/group/win4n6 Yahoo! groups: win4n6 · Windows Forensic Analysis]
 +
 
 +
= Tweets =
 +
* [http://twitter.com/#!/search/%23DFIR?q=%23DFIR #DFIR]
 +
* [http://twitter.com/#!/search/%23forensics #forensics]
 +
 
 +
= Tools =
 +
* [http://www2.opensourceforensics.org/ Open Source Digital Forensics]
 +
* [http://forensiccontrol.com/resources/free-software/ Free computer forensic tools]
 +
* [http://code.google.com/p/libyal/ Yet another library library (and tools)]
 +
 
 +
= Challenges (and test images) =
 +
* [http://www.dc3.mil/challenge/ DC3 Challenges]
 +
* [http://testimages.wordpress.com/ Digital Forensics Test Images]
 +
* [http://www.forensicfocus.com/images-and-challenges Forensic Focus - Test Images and Forensic Challenges]
 +
* [https://www.honeynet.org/challenges/ Honeynet Project Challenges]
 +
* [http://testimages.wordpress.com/ Digital Forensic Test Images]
 +
* [http://secondlookforensics.com/linux-memory-images/ Second Look - Linux Memory Images]
 +
* [http://sourceforge.net/projects/nullconctf2014/ NullconCTF2014]
 +
 
 +
= Conferences =
 +
See: [[:Category:Conferences|Conferences]]
 +
 
 +
[[Category:Further information]]
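
Review bot: the added "Challenges (and test images)" list links http://testimages.wordpress.com/ twice, once as "Digital Forensics Test Images" and once as "Digital Forensic Test Images". Keep one entry with a single spelling of the title and drop the other.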

Revision as of 06:52, 29 January 2014
