Cerbero Blog

WIM Format Package

We’re excited to announce the release of the WIM Format package, which adds support for the Windows Imaging (WIM) file format.

Once installed, you can explore the contents of WIM images directly in Cerbero Suite. This includes browsing the file hierarchy, inspecting individual files, and performing in-depth forensic analysis.

Additionally, when used in conjunction with the ISO Format package, it’s possible to seamlessly access WIM images embedded within ISO files—making the analysis of Windows installation media even more efficient.

HFS+ File System

We’re excited to announce the release of the HFSPlus Format package, which adds support for the HFS+ file system.

Once installed, you can explore HFS+ file systems directly in Cerbero Suite.

EXT File Systems

We’re excited to announce the release of the EXT Format package, which adds support for the EXT2, EXT3 and EXT4 file systems.

Once installed, you can explore EXT file systems directly in Cerbero Suite.

NTFS File System

We’re excited to announce the release of the NTFS Format package, which adds support for the NTFS file system.

Once installed, you can explore NTFS file systems directly in Cerbero Suite.

ExFAT File System

We’re excited to announce the release of the ExFAT Format package, which adds support for the ExFAT file system.

Once installed, you can explore ExFAT file systems directly in Cerbero Suite.

Disk Format Package

We’re excited to announce the release of our Disk Format package, which adds support for parsing and analyzing disk layouts including MBR and GPT partition tables.

If a partition contains a supported file system, it will be automatically added as a child object. The package also enables exploration of the MBR boot code using the Carbon disassembler.

FAT File System

We’re excited to announce the release of our FAT Format package, which adds support for the FAT12, FAT16, and FAT32 file systems.

Once installed, you can explore FAT file systems directly in Cerbero Suite.

Prototype Memory & Services

We are excited to announce the release of version 0.3 of our Memory Analysis package, currently in beta. This update introduces two major features: support for prototype Page Table Entries (PTEs) and the ability to enumerate and display Windows services from memory captures.

Continue reading “Prototype Memory & Services”

ISO Format 2.0 Package

Our ISO Format package, which supports the ISO9660 and UDF file systems, used to be slow when handling larger file systems. We’ve completely rewritten it, and now it performs effortlessly.

Memory Decompression & Pagefiles

Windows 10 (version 1507) introduced memory compression, a feature that allows certain memory pages to be compressed and managed by the “MemCompression” process. As a result, in a memory snapshot, some pages may be unavailable because they reside in compressed memory. Memory compression in Windows is optional and can be disabled if desired, but it is enabled by default.

We are excited to announce the release of version 0.2 of our Memory Analysis package, currently in beta, which adds support for memory decompression and reading paged-out memory from pagefiles.

In the example image below, we can see a case where certain registry keys are missing when examining a memory snapshot—these keys are located in memory pages that have been compressed. In the lower part of the image, after enabling memory decompression, the previously missing keys become visible.

Continue reading “Memory Decompression & Pagefiles”