Wednesday, September 10, 2008

Drive Prophet for Windows **Beta**

Well, it is finally going mainstream public: the Drive Prophet for Windows Beta. If you have not heard anything about this, it may be new to you. If you listen to the Cyberspeak podcast (July 19 episode, 10:40 into the podcast) or the Forensic 4Cast podcast (Episode 8) you will have heard it mentioned. Here is a quick overview.

So what is Drive Prophet? Drive Prophet is a triage tool that gives you a quick look at what can be found on a drive. It runs against a write-blocked drive or a DD image that has been mounted on your computer. If you go the DD image route you can use any software to mount the image (VMware Mount, Mount Image Pro, EnCase, etc.). This does not mean it replaces a full forensic exam; it should not. It gives you a jumping-off point into that exam and hopefully starts to steer you in the right direction. My vision for this was a tool that helps examiners, either in the field or back in the lab, get a quick look at a drive and act on that information (e.g. question a suspect or start an exam).

After the drive is mounted you can start Drive Prophet and process the drive. Once the drive has been processed you will be presented with many reports that you can go through. Here is a listing of the possible reports:

LIST OF ALL USERS ON THE SYSTEM
LIST OF THE PROGRAMS BASED ON THE "PROGRAM FILES" DIRECTORY
UNIQUE LIST OF USB DEVICES THAT HAVE BEEN ATTACHED TO THE SYSTEM
LAST PROGRAMS THAT HAVE BEEN RUN AND THE NUMBER OF TIMES RUN
ALL THE DIRECTORIES THAT CONTAIN JPG FILES
LIST OF DOMAINS THAT HAVE BEEN VISITED BY USER AND THE NUMBER OF VISITS
SOFTWARE INSTALLED ACCORDING TO THE REGISTRY
RECENTLY ACCESSED FILES FROM RECENT FOLDERS
FILES ON THE DESKTOP
FAVORITES DIRECTORY
URLS THAT HAVE BEEN TYPED IN INTERNET EXPLORER
MS MEDIA PLAYER: RECENT FILE LIST
MS MEDIA PLAYER: LAST OPENED PLAYLIST
COMPUTER OWNER INFORMATION
VIDEO FILES THAT WERE OPENED WITH WINDOWS MEDIA PLAYER
MS MEDIA PLAYER: RECENT OPEN DIRECTORY
LIST OF DOMAINS THAT HAVE BEEN VISITED BY USER ORDERED BY THEIR LAST ACCESS TIME
INTERNET SEARCHES
PROGRAMS THAT WILL RUN ON SYSTEM STARTUP ACCORDING TO THE REGISTRY
LIST OF ALL THE PROGRAMS THAT HAVE BEEN RUN THAT WERE NOT FOUND ON THE HARD DRIVE
SCHEDULED TASKS DEFINED ON THE SYSTEM
LIST LAST SEARCH TERMS FROM THE SEARCH ASSISTANT
LIST ADOBE ACROBAT READER MOST RECENTLY ACCESSED FILES
LIST ALL MOUNT POINTS ON THE SYSTEM
LIST STARTUP AND SHUTDOWN TIMES ACCORDING TO THE EVENT LOGS
LAST PROGRAMS THAT HAVE BEEN RUN AND NUMBER OF TIMES RUN - TECHNICAL
LIST PROGRAMS THAT HAVE RUN WITH THE MICROSOFT MANAGEMENT CONSOLE
PROGRAMS THAT HAVE RUN ON THE SYSTEM AT SOME POINT IN TIME
APPLICATIONS TO LOOK FOR
PROGRAMS THAT HAVE BEEN RUN/EXECUTED FROM USERS TEMP DIRECTORY
IP ADDRESSES ASSIGNED TO COMPUTER
NUMBER OF TIMES COMPUTER NORMALLY SHUTDOWN
LIST ALL DOC FILES
LIST ALL XLS FILES
LIST ALL PDF FILES
LIST ALL LNK FILES
INFORMATION ABOUT VIRTUAL MACHINES ON SYSTEM
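Several of the reports above cross-reference program-execution records against what is actually on the drive (programs that have been run but were not found on the hard drive, programs run from a user's Temp directory). The Python below is an added example of that kind of check and is not Drive Prophet's code. It assumes the execution records come from a ROT13-encoded source such as the UserAssist registry key (the page does not say which artifact the tool reads), uses a constructed record list and a constructed stand-in for the mounted drive, and maps drive-letter paths onto the examiner's mount point before testing whether the file is present.

```python
import codecs
import os
import tempfile
from pathlib import PureWindowsPath

# Constructed sample of execution records: (program path on the suspect system, run count).
# The paths are ROT13-encoded because this example assumes they were read from a source
# like the UserAssist registry key, which stores value names that way; the page does not
# say which artifact Drive Prophet itself uses for its "programs that have been run" reports.
SAMPLE_RECORDS_ROT13 = [
    ("P:\\Cebtenz Svyrf\\Abgrcnq++\\abgrcnq++.rkr", 12),
    ("P:\\Hfref\\obo\\NccQngn\\Ybpny\\Grzc\\frghc_cnpx.rkr", 1),
    ("P:\\Jvaqbjf\\Flfgrz32\\pnyp.rkr", 5),
    ("P:\\Hfref\\obo\\Qbjaybnqf\\vafgnyyre.rkr", 2),
]


def decode_record_name(encoded: str) -> str:
    """Undo the ROT13 obfuscation applied to the stored program path."""
    return codecs.decode(encoded, "rot13")


def to_mounted_path(win_path: str, mount_root: str) -> str:
    """Map a drive-letter path from the suspect system onto the examiner's mount point.

    'C:\\Windows\\System32\\calc.exe' with mount_root '/mnt/evidence' becomes
    '/mnt/evidence/Windows/System32/calc.exe'; the drive letter itself is dropped.
    """
    parts = PureWindowsPath(win_path).parts  # ('C:\\', 'Windows', 'System32', 'calc.exe')
    return os.path.join(mount_root, *parts[1:])


def is_under_user_temp(win_path: str) -> bool:
    """True when the program sits in a user profile's Temp directory (Vista+ or XP layout)."""
    parts = [p.lower() for p in PureWindowsPath(win_path).parts]
    profile_roots = ("users", "documents and settings")
    return len(parts) > 1 and parts[1] in profile_roots and "temp" in parts[2:]


def triage_executed_programs(records_rot13, mount_root):
    """Split execution records into those present on the mounted drive, those missing,
    and those that ran from a user's Temp directory (a common drop location)."""
    report = {"present": [], "missing": [], "from_temp": []}
    for encoded, run_count in records_rot13:
        win_path = decode_record_name(encoded)
        entry = (win_path, run_count)
        if is_under_user_temp(win_path):
            report["from_temp"].append(entry)
        if os.path.isfile(to_mounted_path(win_path, mount_root)):
            report["present"].append(entry)
        else:
            report["missing"].append(entry)
    return report


def build_sample_mount() -> str:
    """Constructed stand-in for a mounted evidence drive: only two of the four programs exist on it."""
    root = tempfile.mkdtemp(prefix="drive_mount_")
    for rel in ("Program Files/Notepad++/notepad++.exe", "Windows/System32/calc.exe"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"MZ")  # placeholder contents, not a real executable
    return root


if __name__ == "__main__":
    result = triage_executed_programs(SAMPLE_RECORDS_ROT13, build_sample_mount())
    for section, entries in result.items():
        print(f"== {section} ==")
        for path, count in entries:
            print(f"  {path} (run {count}x)")
```

A program that was run but is no longer on the drive, or that ran from a Temp directory, is exactly the kind of lead the triage reports are meant to surface; on a real mount the only change is pointing `mount_root` at the mounted image and feeding in real records.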

If you do not see a report you would like, more reports can be added. There are also a few options you can run after the drive has been processed. These are not included in the processing of the drive, as they may take a long time to run themselves. The other options are:

1. “Parse/Report EXIF Information” scans all the JPG files on the system, reports which JPG files have EXIF information, and displays that information along with the graphic.

2. “Run Time Line Report” asks for a begin date and an end date (the end date is optional; if not supplied, the current date is used as the end date) and produces 4 reports.
     1. Report of all files that were Created between the 2 dates supplied.
     2. Report of all files that were Modified between the 2 dates supplied.
     3. Report of all files that were Last Accessed between the 2 dates supplied.
     4. Report of all files that have a Created, Modified or Last Accessed date/time between the 2 dates supplied.

3. “Run Picture Thumbnail Report” generates a report of all JPG, PNG and BMP files found on the drive. There is an option to copy those files to the reporting directory so that they are available for your report.

4. “Run Vista Thumbcache Report” generates a report of all JPG, PNG and BMP images found in the Vista thumbcache files. These files are copied to the reporting directory so that they are available for your report.
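The time line report (option 2) is a date-window filter over each file's Created, Modified and Last Accessed times. The Python below is an added example and not Drive Prophet's code: it collects those three times from a mounted tree and produces the four reports, with the end date defaulting to the current date as described. The fourth report is read here as "any of the three times falls in the window", which is an assumption about the tool's wording, and the sample records are constructed.

```python
import os
from datetime import datetime

# Assumed window for the constructed sample below (begin, end).
DEFAULT_WINDOW = (datetime(2008, 9, 1), datetime(2008, 9, 10))


def collect_timestamps(root: str) -> list:
    """Walk a mounted drive and return (path, created, modified, accessed) for every file."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            # Creation time is st_birthtime where the platform exposes it (Windows, macOS);
            # on Linux stat() only offers st_ctime, the inode-change time, so fall back to that.
            created = getattr(st, "st_birthtime", st.st_ctime)
            records.append((path,
                            datetime.fromtimestamp(created),
                            datetime.fromtimestamp(st.st_mtime),
                            datetime.fromtimestamp(st.st_atime)))
    return records


def timeline_reports(records: list, begin: datetime, end: datetime = None) -> dict:
    """Produce the four window reports: created, modified, accessed, and any-of-the-three.

    end defaults to now, mirroring the tool's behaviour when no end date is supplied.
    """
    if end is None:
        end = datetime.now()
    if begin > end:
        raise ValueError("begin date must not be after end date")

    def in_window(t: datetime) -> bool:
        return begin <= t <= end

    reports = {"created": [], "modified": [], "accessed": [], "any": []}
    for rec in records:
        _, created, modified, accessed = rec
        hits = (in_window(created), in_window(modified), in_window(accessed))
        if hits[0]:
            reports["created"].append(rec)
        if hits[1]:
            reports["modified"].append(rec)
        if hits[2]:
            reports["accessed"].append(rec)
        if any(hits):
            reports["any"].append(rec)
    return reports


def report_names(records: list, begin: datetime, end: datetime = None) -> dict:
    """The same four reports, listing only the paths."""
    return {k: [r[0] for r in v] for k, v in timeline_reports(records, begin, end).items()}


def sample_records() -> list:
    """Constructed records standing in for collect_timestamps() on a mounted drive."""
    d = datetime
    return [
        ("C:\\Users\\bob\\Documents\\notes.doc", d(2008, 9, 5), d(2008, 9, 5, 14), d(2008, 9, 5, 14)),
        ("C:\\Users\\bob\\Downloads\\setup.exe", d(2008, 8, 1), d(2008, 9, 3), d(2008, 9, 12)),
        ("C:\\Windows\\System32\\calc.exe", d(2007, 1, 1), d(2007, 1, 1), d(2008, 9, 9)),
        ("C:\\Windows\\System32\\notepad.exe", d(2007, 1, 1), d(2007, 6, 1), d(2008, 8, 31)),
    ]


if __name__ == "__main__":
    for name, paths in report_names(sample_records(), *DEFAULT_WINDOW).items():
        print(name, paths)
```

On a real image, `collect_timestamps("/mnt/evidence")` replaces `sample_records()`; note that last-access times are only trustworthy if the drive was write-blocked and the mount did not update them, which is why the tool insists on a write-blocked drive or a mounted image.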
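The EXIF and thumbnail options (1, 3 and 4) both hinge on recognizing image files and, for JPEGs, locating the EXIF block. The Python below is an added example, not the tool's own code: it identifies JPG, PNG and BMP files by their leading bytes rather than by extension (so a renamed picture is still reported), and for JPEGs walks the marker segments to the Exif APP1 segment and reads the Make, Model and DateTime tags from IFD0. The sample tree, including a hand-built JPEG carrying an EXIF block, is constructed; the tag numbers and layout follow the EXIF/TIFF specification.

```python
import os
import struct
import tempfile

# Signatures checked instead of trusting the extension, so renamed images still show up.
SIGNATURES = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png", b"BM": "bmp"}
# IFD0 tags reported here (ASCII type only); the rest of EXIF is ignored to keep this short.
EXIF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}


def image_kind(data: bytes):
    """Return 'jpg', 'png', 'bmp' or None based on the leading bytes."""
    return next((kind for magic, kind in SIGNATURES.items() if data.startswith(magic)), None)


def parse_tiff_ifd0(tiff: bytes) -> dict:
    """Read the ASCII tags listed in EXIF_TAGS from the first IFD of a TIFF-structured EXIF block."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return {}
    ifd_off = struct.unpack(endian + "I", tiff[4:8])[0]
    # An offset past the end yields an empty slice; pad so a truncated block reads as zero entries.
    count = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2].ljust(2, b"\0"))[0]
    tags = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        if e + 12 > len(tiff):  # truncated IFD: stop rather than raise
            break
        tag, typ, n, value = struct.unpack(endian + "HHII", tiff[e:e + 12])
        if typ != 2 or tag not in EXIF_TAGS:
            continue
        # Values of 4 bytes or fewer are stored inline in the entry, longer ones at an offset.
        raw = tiff[e + 8:e + 8 + n] if n <= 4 else tiff[value:value + n]
        tags[EXIF_TAGS[tag]] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return tags


def read_exif_ifd0(jpeg: bytes):
    """Walk the JPEG marker segments; return IFD0 tags from the Exif APP1 segment, or None if absent."""
    if not jpeg.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # end of image / start of scan: no more header segments
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return parse_tiff_ifd0(payload[6:])
        pos += 2 + seg_len
    return None


def scan_images(root: str) -> list:
    """Return (relative path, kind, exif-or-None) for every image found under root, sorted by path."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            kind = image_kind(data)
            if kind is None:
                continue
            exif = read_exif_ifd0(data) if kind == "jpg" else None
            found.append((os.path.relpath(path, root).replace(os.sep, "/"), kind, exif))
    return sorted(found, key=lambda f: f[0])


def build_sample_jpeg_with_exif() -> bytes:
    """Constructed minimal JPEG: SOI, one Exif APP1 segment with three IFD0 tags, EOI; no image data."""
    entries = [(0x010F, b"Canon\0"), (0x0110, b"EOS 40D\0"), (0x0132, b"2008:09:10 12:34:56\0")]
    ifd_off = 8                                      # IFD0 directly after the 8-byte TIFF header
    data_off = ifd_off + 2 + 12 * len(entries) + 4   # strings follow the entries and next-IFD link
    ifd, data = struct.pack(">H", len(entries)), b""
    for tag, value in entries:
        ifd += struct.pack(">HHII", tag, 2, len(value), data_off + len(data))
        data += value
    ifd += struct.pack(">I", 0)                      # no further IFDs
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd_off) + ifd + data
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def build_sample_tree() -> str:
    """Constructed stand-in for a mounted drive with a few image and non-image files."""
    root = tempfile.mkdtemp(prefix="drive_images_")
    files = {
        "Pictures/holiday.jpg": build_sample_jpeg_with_exif(),
        "Pictures/screenshot.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "Downloads/notes.txt": b"just text",
        "Downloads/hidden.dat": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9",  # JPEG, misleading extension
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root
```

Calling `scan_images(build_sample_tree())` lists the three images, flags `Downloads/hidden.dat` as a JPEG despite its extension, and returns the Make/Model/DateTime tags for the one file that carries EXIF data; a real scan just points `root` at the mounted drive and would typically also copy the reported files into the reporting directory, as the tool's option does.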

If after all this you still do not see certain things, let me know and they can be added to the list of future enhancements. The Drive Prophet Forum can be found here, where you can request report and other enhancements, report bugs, etc.

One other feature is a program called Back Log Breaker. It was designed to let the user "batch" up runs of Drive Prophet and process them all at once, which could help agencies that have a backlog cut through it.

If this is something that interests you, send an email to prophet-beta at RedWolfComputerForensics dot com with your name, agency/company and contact info. The program will be available to all; it is not restricted to anyone. I will reply with an email telling you how to download the Beta. You can also download the install guide and quick start guide.

18 comments:

Anonymous said...

For those who haven't tried it yet, I want to say I think it's well worth your time to do so. This software is going to be a huge asset to your computer toolbox.

Anonymous said...

Looks like an excellent product.

Maybe especially good for law enforcement who need a brief run down of a machine for an interview prior to sending the item for analysis.
