Archive for April, 2008

DNA AND PRISON

Wednesday, April 30th, 2008

Today's news is that a DNA test has exonerated a man who had been in prison in Texas for twenty-seven years for the rape and murder of his girlfriend. As the local media commented, James Woodward, a 55-year-old African American, is the ...

The Implementation by Vendor “S”

Wednesday, April 30th, 2008

By Andreas Schuster
Copyright © 2008 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

The introductory post already provided some indications of (dis-)similarities in "independent" implementations of a certain function by three vendors. In this post I'm comparing two of the three implementations. Also I will reveal the identities of their vendors.

The reference implementation is the Microsoft Windows NTLDR version 5.1.2600.2180 (XP SP2). I've also checked with an earlier version (5.1.2600.1106), but didn't find any significant differences. So I'll stick with that version.

Vendor "S" is Sandman, an open source project by Nicolas Ruff and Matthieu Suiche. They released their code under version 3 of the GNU Public License on February 26, 2008.

The function in question is "XpressDecode". It is used to decompress the hibernation file. The routine is called by "HbReadNextCompressedBlock". It then calls an anonymous decoder routine. I'll stick with Sandman's nomenclature and call it "Decode" henceforth.

For your convenience, here's the flow graph from the introductory post again. Microsoft's code is shown to the left and the implementation by the Sandman project in the middle.
Implementations by Microsoft (left), the Sandman project (middle) and vendor X (right)

There seem to be significant differences between both implementations. So I decided to analyze the original function on my own and compare the results with the code from the Sandman library. Also, I analyzed Sandman's hibinfo.exe sample program in the same way as NTLDR for later usage. Unless otherwise noted, line numbers refer to file source/src/compression.c of the Sandman library. If you're not interested in (admittedly very technical and boring) details you might want to skip down to the conclusions.

Now on to the differences:

No. 1: In file source/include/compression.h Sandman declares the _DECODE_DATA structure. It is 0x38 bytes in size.

Microsoft's implementation reserves 0x3c bytes on the stack for local variables. The differing 4 bytes are not accessed, though. So I conclude that the structure's size is 0x3c bytes. Possibly the last DWORD is reserved for future use.

No. 2: Sandman initializes its DecodeData variable with null bytes, as is common practice among programmers (line 72). Microsoft, however, does not.

No. 3: Sandman then continues and assigns to DecodeData.DataOffset first and then does some comparisons and branches. The Microsoft implementation does it just the other way round: First it checks whether Size1 and CompressedBlockSize are equal and then, if they're not, it assigns to DecodeData.DataOffset. This could save an unneeded assignment operation now and then.

No. 4: Sandman (in line 79) contains a little hack that increments Size2 by 0x108. This is a bit too early. Therefore line 83 will return a wrong value.

No. 5: Now follows a series of conditions. First the implementation from NTLDR in pseudo-code:

if (
      (Size1 < CompressedBlockSize) ||
      (CompressedBlockSize < 0) ||
      (Size1 <= 8) ||
      (CompressedBlockSize < 8)    )
{
   return -1;
}

if ((Size1 > 0x10000) || (Size2 <= 0))
{
   return Size2;
}

This gets somewhat over-simplified in Sandman. Please note that conditions are ordered differently.

if ((Size1 == CompressedBlockSize) || (Size1 > 0x10000) || (!Size2))
{
   return Size2;
}

if (
      (Size1 < CompressedBlockSize) ||
      (!CompressedBlockSize) ||
      (Size1 < 8) ||
      (CompressedBlockSize < 8)    )
{
   return -1;
}

No. 6: Besides the different ordering, there were also some conditional jump instructions slightly misinterpreted by the Sandman project, for example

mov   esi, [ebp+Size2]
test  esi, esi   ; bitwise AND of esi with itself
jle   return_size2   ; jump if less or equal, Size2 <= 0

was interpreted as (!Size2), but that could be expected to look more like

cmp   [ebp+Size2], 0
jnz   somewhere   ; jump if not zero, Size2 != 0
mov   eax, [ebp+Size2]   ; return Size2
jmp   done

This affects the following expressions:

  1. (!Size2) instead of (Size2 <= 0) in line 81
  2. (!CompressedBlockSize) instead of (CompressedBlockSize < 0) in line 86
  3. (Size1 < 8) instead of (Size1 <= 8) in line 86
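As an added example (my own code, not from NTLDR or the Sandman project), here are the two entry-check sequences from No. 5 transcribed into C, together with a small model of the flags that "test esi, esi" leaves behind, so the differences in No. 6 can be exercised on concrete inputs. The Action enum, the choice of signed 32-bit integers for all three sizes (which is what the jle reading implies), and the constructed grid of test values are my assumptions. The Size1 == CompressedBlockSize path that NTLDR handles before this excerpt (No. 3) is not modelled, so the grid only compares inputs with unequal sizes, and it goes slightly beyond the text by counting every input on which the two orderings disagree, not only the three expression differences.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not NTLDR or Sandman code. Sizes are modelled as signed
 * 32-bit integers, as the "test / jle" reading requires (assumption). */
typedef enum { ACTION_REJECT = -1, ACTION_RETURN_SIZE2 = 1, ACTION_DECODE = 2 } Action;

/* Entry checks in NTLDR's order, as given in the post's pseudo-code. */
Action entry_checks_ntldr(int32_t Size1, int32_t CompressedBlockSize, int32_t Size2)
{
    if (Size1 < CompressedBlockSize || CompressedBlockSize < 0 ||
        Size1 <= 8 || CompressedBlockSize < 8)
        return ACTION_REJECT;            /* "return -1" */
    if (Size1 > 0x10000 || Size2 <= 0)
        return ACTION_RETURN_SIZE2;      /* "return Size2" without decoding */
    return ACTION_DECODE;                /* fall through to the decoder */
}

/* Entry checks in Sandman's order, with its reading of the jumps. */
Action entry_checks_sandman(int32_t Size1, int32_t CompressedBlockSize, int32_t Size2)
{
    if (Size1 == CompressedBlockSize || Size1 > 0x10000 || !Size2)
        return ACTION_RETURN_SIZE2;
    if (Size1 < CompressedBlockSize || !CompressedBlockSize ||
        Size1 < 8 || CompressedBlockSize < 8)
        return ACTION_REJECT;
    return ACTION_DECODE;
}

/* Flag model for "test esi, esi ; jle": TEST clears OF, sets ZF from the
 * result and SF from its sign bit; JLE is taken when ZF = 1 or SF != OF,
 * i.e. for every value <= 0 in signed arithmetic. Returns 1 if taken. */
int jle_taken_after_test(int32_t esi)
{
    int zf = (esi == 0);
    int sf = (esi < 0);
    int of = 0;
    return zf || (sf != of);
}

/* Flag model for "cmp [Size2], 0 ; jnz": taken only when the value is non-zero,
 * which is what Sandman's "(!Size2)" actually corresponds to. */
int jnz_taken_after_cmp_zero(int32_t value)
{
    return value != 0;
}

/* Count inputs from a constructed grid on which the two orderings disagree.
 * Pairs with Size1 == CompressedBlockSize are skipped (see lead-in). */
int count_entry_divergences(void)
{
    static const int32_t sizes[] = { -1, 7, 9, 0x100, 0x10001 };
    static const int32_t size2s[] = { -1, 0, 1 };
    int n = (int)(sizeof sizes / sizeof sizes[0]);
    int divergences = 0;
    for (int i = 0; i < n; i++)
        for (int j = 0; j < n; j++) {
            if (sizes[i] == sizes[j])
                continue;
            for (int k = 0; k < 3; k++)
                if (entry_checks_ntldr(sizes[i], sizes[j], size2s[k]) !=
                    entry_checks_sandman(sizes[i], sizes[j], size2s[k]))
                    divergences++;
        }
    return divergences;
}

int main(void)
{
    /* A negative Size2: NTLDR takes the jle and returns Size2, Sandman decodes. */
    printf("Size2 = -1: NTLDR %d, Sandman %d\n",
           entry_checks_ntldr(0x100, 9, -1), entry_checks_sandman(0x100, 9, -1));
    /* A negative CompressedBlockSize is rejected by both, because the
     * "CompressedBlockSize < 8" test masks the "< 0" versus "== 0" difference. */
    printf("CompressedBlockSize = -1: NTLDR %d, Sandman %d\n",
           entry_checks_ntldr(0x100, -1, 7), entry_checks_sandman(0x100, -1, 7));
    printf("%d divergent inputs on the grid\n", count_entry_divergences());
    return 0;
}
```

The grid count is dominated not by the three expression differences but by the ordering: whenever one of the rejection conditions holds together with Size1 > 0x10000 or Size2 == 0, NTLDR rejects while Sandman returns Size2, because Sandman evaluates the early-return branch first.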

No. 7: Some parts of the Sandman implementation lack a BlockEntry term. This affects the calculation of

  1. DecodeData.CompressedBlockSize1 in line 33
  2. DecodeData.CompressedBlockSize3 in line 34
  3. DecodeData.PageLimit in line 38
  4. DecodeData.CompressedBlockSize2 in line 39

No. 8: Finally there are again some differences in the ordering of conditions. First Microsoft's implementation:

if (
      (DecodeData.Status == 0) ||
      (DecodeData.DecodedSize > DecodeData.Size2) ||
      (DecodeData.PageOffset > DecodeData.PageLimit)
   )
{
   return -1;
}

if (DecodeData.Size2 != DecodeData.BufferLimit)
{
   return Size2;
}

if (DecodeData.Status2 == 0)
{
   return -1;
}

return Size2;

And now Sandman:

if (
      (DecodeData.PageOffset > DecodeData.PageLimit) ||
      (DecodeData.Status == FALSE) ||
      (DecodeData.Status2 == FALSE) ||
      (DecodeData.DecodedSize > PtrToUlong(DecodeData.Size2))
   )
{
   return -1;
}

if (DecodeData.Size2 != DecodeData.BufferLimit)
{
   return Size2;
}

return Size2;

Due to the wrong ordering, the function will return -1 instead of Size2 in one out of the 32 possible combinations of the five conditions. However, I don't know whether this is of relevance under real-world conditions.

No. 9: Also please note that in the Sandman implementation the last comparison is superfluous, as it will return Size2 in any case.
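As an added example (my own code, not NTLDR's or Sandman's), the two exit-check sequences from No. 8 in C, plus a loop that walks all 32 truth assignments of the five conditions and counts the assignments on which the two orderings return different values. The DecodeData struct below contains only the fields these checks read, its field types and the constructed values in state_from_bits are my assumptions, and Sandman's final Size2 != BufferLimit test is kept only to make the point of No. 9 visible.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not NTLDR or Sandman code. Only the fields the exit checks
 * read are modelled; their types are an assumption. */
typedef struct {
    int      Status;       /* non-zero on success */
    int      Status2;      /* non-zero on success */
    uint32_t DecodedSize;
    uint32_t Size2;
    uint32_t BufferLimit;
    uint32_t PageOffset;
    uint32_t PageLimit;
} DecodeData;

/* Exit checks in NTLDR's order; returns -1 or Size2 as in the post. */
int32_t exit_checks_ntldr(const DecodeData *d)
{
    if (d->Status == 0 || d->DecodedSize > d->Size2 || d->PageOffset > d->PageLimit)
        return -1;
    if (d->Size2 != d->BufferLimit)
        return (int32_t)d->Size2;        /* Status2 is never consulted here */
    if (d->Status2 == 0)
        return -1;
    return (int32_t)d->Size2;
}

/* Exit checks in Sandman's order. The trailing comparison is superfluous,
 * as both branches return Size2 (No. 9). */
int32_t exit_checks_sandman(const DecodeData *d)
{
    if (d->PageOffset > d->PageLimit || d->Status == 0 || d->Status2 == 0 ||
        d->DecodedSize > d->Size2)
        return -1;
    if (d->Size2 != d->BufferLimit)
        return (int32_t)d->Size2;
    return (int32_t)d->Size2;
}

/* Build a state in which exactly the chosen conditions hold (constructed values). */
static DecodeData state_from_bits(unsigned bits)
{
    DecodeData d;
    d.Size2       = 100;
    d.Status      = (bits & 1)  ? 0 : 1;      /* bit 0: Status == 0             */
    d.DecodedSize = (bits & 2)  ? 101 : 100;  /* bit 1: DecodedSize > Size2     */
    d.PageLimit   = 10;
    d.PageOffset  = (bits & 4)  ? 11 : 10;    /* bit 2: PageOffset > PageLimit  */
    d.BufferLimit = (bits & 8)  ? 99 : 100;   /* bit 3: Size2 != BufferLimit    */
    d.Status2     = (bits & 16) ? 0 : 1;      /* bit 4: Status2 == 0            */
    return d;
}

/* Walk all 32 truth assignments and count those on which the orderings differ. */
int count_exit_divergences(void)
{
    int divergent = 0;
    for (unsigned bits = 0; bits < 32; bits++) {
        DecodeData d = state_from_bits(bits);
        if (exit_checks_ntldr(&d) != exit_checks_sandman(&d))
            divergent++;
    }
    return divergent;
}

/* The one divergent assignment: decoding succeeded, Size2 != BufferLimit,
 * but Status2 is clear. NTLDR returns Size2 before it ever looks at Status2. */
int divergent_case_returns(int32_t *ntldr, int32_t *sandman)
{
    DecodeData d = state_from_bits(8 | 16);
    *ntldr = exit_checks_ntldr(&d);
    *sandman = exit_checks_sandman(&d);
    return *ntldr != *sandman;
}

int main(void)
{
    int32_t a, b;
    divergent_case_returns(&a, &b);
    printf("divergent assignments: %d of 32 (NTLDR %d, Sandman %d)\n",
           count_exit_divergences(), a, b);
    return 0;
}
```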

Conclusion: The examined implementation of XpressDecode by the Sandman project differs from Microsoft's implementation in a dozen places. Some differences are marginal, e.g. the initialization of a variable with null bytes. However, other differences are likely to affect the proper decompression of the data stream.

What does that tell us? First, tools could benefit from peer review and (independent) tool testing. Second, bugs and subtle differences may make for a good fingerprint. What do you think are the odds that the very same differences can be found in an implementation that was independently researched and coded?

Death of a female addict due to heroin and cocaine overdoses: a case report with multiparameter evaluation

Wednesday, April 30th, 2008

Abstract: This study undertook a multiparameter evaluation of the death of a 21-year-old woman known to be an abuser of heroin and cocaine. The toxicological analysis of multiple postmortem specimens such as blood and hair was carried out using liquid chromatography atmospheric pressure chemical ionization tandem mass spectrometry (LC-APCI-MS-MS). The blood specimens of the deceased showed the presence of opium components such as morphine and its glucuronides together with cocaine and benzoylecgonine. The detected xenobiotic levels probably explain her death as the result of the combined action of an unintentional illicit-drug overdose. By analysis of four 2-cm long hair segments, a heroin-cocaine addiction for at least 8 months antemortem could be documented; the presence of 6-monoacetylmorphine (6-MAM), cocaine, and benzoylecgonine was demonstrated. The histopathological findings of lesions of the internal organs of the deceased were consistent with long heroin and cocaine abuse. The use of multiple parameters, such as blood and hair segments as matrices and drug metabolites such as 6-MAM, morphine, glucuronides, and benzoylecgonine as target compounds, gave a well-defined outline of her death.

Content Type: Journal Article
Category: Case Report
DOI: 10.1007/s11419-008-0042-1
Authors: Małgorzata Kłys, Sebastian Rojek, Piotr Kowalski and Ewa Rzepecka-Woźniak (all: Jagiellonian University, Department of Toxicology, Institute of Forensic Medicine, Collegium Medicum, 16 Grzegórzecka St., Kraków, Poland)

Journal: Forensic Toxicology. Online ISSN 1860-8973, Print ISSN 1860-8965. (Source: Forensic Toxicology)

Determination of fluoride in human whole blood and urine by gas chromatography-mass spectrometry

Wednesday, April 30th, 2008

Abstract: We developed a simple and sensitive method for determination of fluoride in human whole blood and urine using gas chromatography-mass spectrometry (GC-MS). Fluoride was alkylated with pentafluorobenzyl bromide in a mixture of acetone and phosphate buffer (pH 6.8). The derivative obtained was analyzed by GC-MS in the positive-ion electron-impact mode. The lower limit of detection for the compound was 0.5 mg/l for both matrices. The calibration curve for fluoride was linear over the concentration range of 1–100 mg/l. The precision and accuracy of the method were evaluated, and relative standard deviation was within 10%. Using this method, levels of fluoride in whole blood and urine were determined in a case of poisoning caused by hydrofluoric acid exposure.

Content Type: Journal Article
Category: Short Communication
DOI: 10.1007/s11419-008-0043-0
Authors: Shigetoshi Kage (Fukuoka Prefectural Police Headquarters, Forensic Science Laboratory, Fukuoka, Japan); Keiko Kudo (Kyushu University, Department of Forensic Pathology and Sciences, Graduate School of Medical Sciences, 3-1-1 Maidashi, Higashi-ku, Fukuoka 812-8582, Japan); Naoki Nishida (University of Toyama, Department of Legal Medicine, Graduate School of Medicine and Pharmaceutical Sciences, Toyama, Japan); Hideaki Ikeda (Fukuoka Prefectural Police Headquarters, Forensic Science Laboratory, Fukuoka, Japan); Naofumi Yoshioka (Akita University School of Medicine, Division of Forensic Sciences, Department of Social Medicine, Akita, Japan); Noriaki Ikeda (Kyushu University, Department of Forensic Pathology and Sciences, Graduate School of Medical Sciences, 3-1-1 Maidashi, Higashi-ku, Fukuoka 812-8582, Japan)

Journal: Forensic Toxicology. Online ISSN 1860-8973, Print ISSN 1860-8965. (Source: Forensic Toxicology)

Fatalities related to medical restraint devices-asphyxia is a common finding.

Wednesday, April 30th, 2008

Fatalities related to medical restraint devices-Asphyxia is a common finding.

Forensic Sci Int. 2008 Apr 30;

Authors: Karger B, Fracasso T, Pfeiffer H

A total of seven detailed death investigations is reported where death occurred while being restrained by a belt or a protective cover. The casualties were elderly persons who mostly showed considerable pre-existing diseases, especially dementia and coronary atherosclerosis. Concerning the cause of death, three groups were differentiated: (I) mechanical asphyxia from strangulation; (II) mechanical asphyxia from thoracic/abdominal compression; (III) compression of thorax/abdomen without clear signs of asphyxia. Subgroups II and III each involved one case of rib fractures without preceding resuscitation. In subgroup III, the presence of considerable compression of the trunk and the absence of a natural cause of death strongly indicate a causal connection between compression and death, e.g. from a shortened course of fatal asphyxia, endocrine stress reactions or a head-down position: cardiac arrest in a helpless situation. The method of restraint was inadequate in most cases in that only one device was used which did not restrict the capability to move sufficiently. Good clinical documentation, including medical indication, duration and method of restraint and a description/photograph of the original on-site appearance, is essential but was not present in most cases. Therefore, prophylaxis is based on a clear medical indication, the proper use of restraint devices, detailed instruction of the nursing personnel and close monitoring. The forensic investigation should aim at a complete reconstruction based on autopsy, histology, toxicology and inspection of the scene and the medical records.

PMID: 18455336 [PubMed - as supplied by publisher]

(Source: Forensic Science International)

Sexual dimorphism of the hip joint in Greeks.

Wednesday, April 30th, 2008

Sexual dimorphism of the hip joint in Greeks.

Forensic Sci Int. 2008 Apr 30;

Authors: Papaloucas C, Fiska A, Demetriou T

The objective of the present study was to report our measurements of hip bones within the Greek population and review the possible implications of these differences in their health as well as in social life. For this purpose the remains of 100 male and 100 female pelvic and femoral bones were studied. The distance from the pubic tubercle to the anterior rim of the acetabulum, the acetabulum diameter between its rims, their ratio, the depth of the acetabulum, the diameter of the femoral head and the ratio between the femoral head and the diameter of the acetabulum were measured. It was found that in males, in comparison to the females, the distance from the pubic tubercle to the anterior rim of the acetabulum was smaller while the acetabulum diameter and its depth, the diameter of the femoral head and the ratio between femoral head and the acetabulum diameter were larger. The above differences reached strong statistical significance. Of the two ratios used only the first one reached statistical significance. Using this ratio alone offered the best discrimination rate of up to 99% and should be the preferred choice when available.

PMID: 18455335 [PubMed - as supplied by publisher]

(Source: Forensic Science International)


Halogenated solvent interactions with N,N-dimethyltryptamine: formation of quaternary ammonium salts and their artificially induced rearrangements during analysis.

Wednesday, April 30th, 2008

Halogenated solvent interactions with N,N-dimethyltryptamine: Formation of quaternary ammonium salts and their artificially induced rearrangements during analysis.

Forensic Sci Int. 2008 Apr 30;

Authors: Brandt SD, Martins CP, Freeman S, Dempster N, Riby PG, Gartz J, Alder JF

The psychoactive properties of N,N-dimethyltryptamine (DMT) 1a are known to induce altered states of consciousness in humans. This particular attribute attracts great interest from a variety of scientific and also clandestine communities. Our recent research has confirmed that DMT reacts with dichloromethane (DCM), either as a result of work-up or storage to give a quaternary N-chloromethyl ammonium salt 2a. Furthermore, this was observed to undergo rearrangement during analysis using gas chromatography-mass spectrometry (GC-MS) with products including 3-(2-chloroethyl)indole 3 and 2-methyltetrahydro-beta-carboline 4 (2-Me-THBC). This study further investigates this so far unexplored area of solvent interactions by the exposure of DMT to other halogenated solvents including dibromomethane and 1,2-dichloroethane (DCE). The N-bromomethyl- and N-chloroethyl quaternary ammonium derivatives were subsequently characterised by ion trap GC-MS in electron and chemical ionisation tandem MS mode and by NMR spectroscopy. The DCE-derived derivative formed at least six rearrangement products in the total ion chromatogram. Identification of mass spectrometry generated by-products was verified by conventional or microwave-accelerated synthesis. The use of deuterated DCM and deuterated DMT 1b provided insights into the mechanism of the rearrangements. The presence of potentially characteristic marker molecules may allow the identification of solvents used during the manufacture of controlled substances, which is often neglected since these are considered inert.

PMID: 18455334 [PubMed - as supplied by publisher]

(Source: Forensic Science International)

Expert assignment at the commercial court: first meeting

Tuesday, April 29th, 2008

Having carefully organised the first meeting, the day finally came around...

I remind this blog's readers that the facts described here are fictional and constitute a write-up of experience intended primarily for future court-appointed experts and for members of the public who want to learn more about this activity.

It is Thursday; the meeting is scheduled for 10 a.m. so as to allow the company's lawyer

NEW SLAVES

Tuesday, April 29th, 2008

Bricklayer reduces his wife to slavery. A 43-year-old man from Amorosi (Benevento) has been detained on a charge of kidnapping his wife. The charge is serious: kidnapping and reducing his 44-year-old wife to slavery. A bricklayer ...

The use of rapid diagnostic test of procalcitonin serum levels for the postmortem diagnosis of sepsis.

Tuesday, April 29th, 2008

The use of rapid diagnostic test of Procalcitonin serum levels for the postmortem diagnosis of sepsis.

Forensic Sci Int. 2008 Apr 29;

Authors: Ramsthaler F, Kettner M, Mall G, Bratzke H

Because serum procalcitonin is reported to be a valid postmortem marker of sepsis, this prospective study was carried out to determine whether the semi-quantitative PCT-Q®-Test (B.R.A.H.M.S., Germany) is a reliable indicator of postmortem procalcitonin (PCT) serum levels, thus enabling a quick "tableside" diagnosis of sepsis. Postmortem PCT levels of 70 forensic and 78 clinical-pathological autopsy cases (n=148) were examined using the B.R.A.H.M.S. PCT-Q®-Test during autopsy. 27 cases were categorized as cases of sepsis according to the ACCP/SCCM Consensus Conference criteria; 121 cases were assigned to the non-sepsis group. Among the 148 cases, 18 samples could not be analyzed because of strong hemolysis. Using a cut-off point of 2 ng/ml, 20 cases of sepsis were identified (true positive) whereas 3 cases of sepsis were not detected (false negative). In the non-sepsis group (107 cases) 6 cases showed a positive test (false positive). When applied within 48 h postmortem, the PCT-Q®-Test showed a sensitivity of 86.96% and a specificity of 94.39% (at cut-off 2 ng/ml). Likelihood ratios and positive predictive values proved to be lower in the forensic autopsy group (PPV: 59.3% in forensic cases vs. 85.1% in clinicopathological cases; NPV: 98.73% in forensic cases vs. 95.2% in clinicopathological cases). The PPVs using a cut-off point of 10 ng/ml were 100% in both groups independent of sepsis prevalences. The results show that a high NPV for prevalences ranging from 3% to 30% can be reached using a 2 ng/ml cut-off point, whereas a cut-off of 10 ng/ml ensures a high PPV for the respective prevalences in the absence of exclusion criteria. The study provides strong evidence that the introduction of rapid diagnostic tests (RDTs) of postmortem PCT serum levels may be useful in achieving a rapid distinction between sepsis and non-sepsis-related causes of death, especially in conjunction with the medical case history and further autopsy results. In addition, the use of RDTs enables clinicians to conduct an evidence-based validation of clinical diagnosis, thus facilitating future clinical decision-making.

PMID: 18450398 [PubMed - as supplied by publisher]

(Source: Forensic Science International)