Jesse Kornblum

From Wikipedia, the free encyclopedia

Jesse Kornblum (born 1975) is a former government computer investigator and now a computer forensics researcher who has written a number of papers and tools that have advanced the field. These include "Preservation of Fragile Digital Evidence by First Responders" (2002), which presented the first automated tools for incident response; they allow an examiner to gather evidence with a minimum of disruption to the system and maximize the ability to take that evidence to court. His other major paper, "Exploiting the Rootkit Paradox with Windows Memory Analysis" (2006), highlighted the power of examining physical memory when searching for malware.

In addition to papers, Kornblum has authored a number of valuable computer forensics tools. His most notable, ssdeep, combines hashing algorithms to identify files that are highly similar but not identical, a vexing problem with no previous solutions. Although the idea was borrowed from Andrew Tridgell's spam checker, it was the first use of such a technique in computer forensics and opened the field to similarity matching. The tool was accompanied by the paper "Identifying Almost Identical Files Using Context Triggered Piecewise Hashing."
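The following is an added illustration of context triggered piecewise hashing, written for this article; it is not code from the ssdeep project. It keeps the core idea (chunk boundaries chosen by a hash of the last few bytes, one base64 character per chunk, edit distance between signatures) but simplifies the rest: a single fixed block size, a window hash recomputed per byte instead of ssdeep's rolling update, and an unweighted score. The sample inputs are constructed.

```python
WINDOW = 7  # ssdeep's rolling hash also covers the last 7 bytes
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def fnv1_32(data: bytes) -> int:
    """32-bit FNV-1 style hash (non-cryptographic) applied to each chunk."""
    h = 0x811C9DC5
    for b in data:
        h = ((h * 0x01000193) & 0xFFFFFFFF) ^ b
    return h

def ctph_signature(data: bytes, block_size: int = 16) -> str:
    """One base64 character per chunk. A chunk ends wherever the hash of the last
    WINDOW bytes hits the trigger value, so an insertion does not shift later boundaries."""
    sig, start = [], 0
    for i in range(len(data)):
        window = data[max(0, i - WINDOW + 1):i + 1]
        context_hash = sum((k + 1) * v for k, v in enumerate(window))
        if context_hash % block_size == block_size - 1:  # trigger: close the chunk
            sig.append(B64[fnv1_32(data[start:i + 1]) & 63])
            start = i + 1
    if start < len(data):  # trailing bytes form the last chunk
        sig.append(B64[fnv1_32(data[start:]) & 63])
    return "".join(sig)

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(sig_a: str, sig_b: str) -> int:
    """0..100 score: 100 for identical signatures, 0 when nothing lines up."""
    longest = max(len(sig_a), len(sig_b))
    return 100 if longest == 0 else round(100 * (1 - levenshtein(sig_a, sig_b) / longest))

# Constructed sample inputs (not real evidence): a note, an edited copy, an unrelated file.
DOC = (b"Incident 42: at 03:14 the workstation beaconed to an external host. "
       b"The analyst imaged memory, then disk, and logged both hashes. ") * 4
EDITED = DOC.replace(b"workstation", b"laptop", 1)
OTHER = b"[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n" * 10

def demo() -> dict:
    s_doc, s_edit, s_other = map(ctph_signature, (DOC, EDITED, OTHER))
    return {"self": similarity(s_doc, s_doc),
            "edited": similarity(s_doc, s_edit),
            "other": similarity(s_doc, s_other)}
```

Because the edit in EDITED changes the length of the file, a conventional hash or a fixed-offset block hash would differ everywhere after the change, whereas only the chunk containing the edit (and at most a boundary or two around it) changes here.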

Papers

Tools

  • Foremost - file carving
  • md5deep - Recursive MD5, SHA-1, SHA-256, Tiger and Whirlpool client.
  • ssdeep - Context Triggered Piecewise Hashing