<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1195942519600924603</id><updated>2012-01-28T10:42:47.146-05:00</updated><category term='Live View'/><category term='Hard Drives'/><category term='Word Perfect'/><category term='topics'/><category term='CutePDF'/><category term='Srdiag'/><category term='Skype Log Parser'/><category term='Forensic 4Cast Podcast'/><category term='Vista Recycle Bin'/><category term='updates'/><category term='Forensic Incident Response'/><category term='Skype'/><category term='Processes'/><category term='Private Investigator'/><category term='Kornblum'/><category term='Eventlog'/><category term='Graphics'/><category term='Lance Mueller'/><category term='Cyberspeak'/><category term='Travel'/><category term='Encase'/><category term='Offline Folders'/><category term='PI'/><category term='four lincolns'/><category term='Certifications'/><category term='Parser'/><category term='Sans'/><category term='ThumbsDisplay'/><category term='Pasco'/><category term='Lurker'/><category term='Services'/><category term='Cyberspeak Podcast'/><category term='Remote Acquisitions'/><category term='FireFox'/><category term='X-ways Forensics'/><category term='SMS'/><category term='VMWare'/><category term='Autoit'/><category term='Mount DD Image'/><category term='Bret Padres'/><category term='Application Analysis'/><category term='DC3 Challenge'/><category term='Perl'/><category term='Birthday'/><category term='EXIF'/><category term='Gmail Offline'/><category term='USB'/><category term='Longshot'/><category term='beta'/><category term='DOD Cypercrime Conference'/><category term='report'/><category term='Peer Reviews'/><category 
term='Psexec'/><category term='TimeLine'/><category term='Batch Files'/><category term='DB2'/><category term='Notes'/><category term='CSC'/><category term='Public Library'/><category term='Anti Forensics'/><category term='Hashs'/><category term='Internet Explorer'/><category term='Floppy Diskette Imaging'/><category term='Restore Point'/><category term='Mork'/><category term='Index.dat'/><category term='CaseNotes'/><category term='WMD.pl'/><category term='Vista'/><category term='Hogfly'/><category term='wiki'/><category term='Troy Larson'/><category term='New Year'/><category term='Email'/><category term='Prefetch Files'/><category term='DOC'/><category term='Michigan'/><category term='passwords'/><category term='SQL Server'/><category term='Bits du jour'/><category term='John McCash'/><category term='U3 Smart technology'/><category term='Mount Image Pro'/><category term='Drive Prophet'/><category term='URL&apos;s'/><category term='Security'/><category term='Oracle'/><category term='Date/Time'/><category term='Hash Sets'/><category term='X-ways Capture'/><category term='Prefetch file'/><category term='Jesse Kornblum'/><category term='RegRipper'/><category term='Sqlite DB'/><category term='Thumbcache'/><category term='CSC/Offline Folders'/><category term='Thumbnails'/><category term='Logs'/><category term='Resolution'/><category term='Aid4Mail'/><category term='Apache Access Logs'/><category term='Software'/><category term='Carvey'/><category term='podcasts'/><category term='Internet Parser'/><category term='database'/><category term='share informaion'/><category term='Windows 7'/><category term='IsystemWiper'/><category term='tiddly wiki'/><category term='Metadata'/><category term='Sqlite'/><category term='InfinaDyne'/><category term='Tool Mark Library'/><category term='Apply Within'/><category term='Montreal'/><category term='SQL Server NSRL'/><category term='Recovery'/><category term='Professional Investigator'/><category term='prefetch'/><category 
term='music'/><category term='History.dat'/><category term='Plaintext'/><category term='Registry'/><category term='Client Side Cache'/><category term='Registry Repository Project'/><category term='E-Mail'/><category term='WhatWorks'/><category term='Ovie Carroll'/><category term='Google Chrome'/><category term='Advanced Registry Fix'/><category term='MailBag Assistant'/><category term='Time Zone'/><category term='sql'/><category term='Bios Date/Time'/><category term='Help Wanted'/><category term='ipod'/><category term='Tools'/><category term='SSID Dates'/><category term='IR'/><category term='Harlan Carvey'/><category term='Monitoring'/><category term='Flock'/><category term='MS Word'/><category term='E-Discovery'/><title type='text'>Computer Forensics/E-Discovery Tips/Tricks and Information</title><subtitle type='html'>Tips/Tricks and Information I or someone else provides that will help further the knowledge of the field of Computer Forensics and Electronic Discovery.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>72</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-1217304426219201949</id><published>2009-10-05T18:19:00.006-05:00</published><updated>2009-10-05T18:41:19.431-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Certifications'/><category scheme='http://www.blogger.com/atom/ns#' term='John McCash'/><title type='text'>Certifications are Evil.....By John McCash</title><content type='html'>&lt;p class="MsoNormal"&gt;Note: The following does not represent the opinion of Mark McKinnon. He merely had the good grace to allow me a forum in which to post it after it was respectfully declined (for obvious reasons) by the &lt;a href="http://www.sans.org/"&gt;SANS Institute's&lt;/a&gt;  &lt;a href="http://blogs.sans.org/computer-forensics"&gt;Forensic Blog&lt;/a&gt;. I wrote it chiefly because I hadn't seen anything recently, or as I recall, ever, that so much as acknowledged any downside to certification. I respect the pro-certification viewpoint, but I do disagree with it. 
And so, without further ado...&lt;/p&gt;  &lt;p class="MsoNormal" align="center" style="text-align:center"&gt;&lt;span style="font-size:26.0pt;"&gt;Certifications are Evil&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;span style="font-size:18.0pt;"&gt;by &lt;a href="http://blogs.sans.org/computer-forensics/author/johnmccash/"&gt;John McCash&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Folks, this is an opinion piece, and it's going to be a controversial one. Some of you started composing a scathing rebuttal to it as soon as you read the title. Normally I restrict myself to what I hope are useful technical tidbits, but like most of you out there, I'm a forensic practitioner, and I have little patience for time sinks which provide no benefit (no I'm not including the training in that category, save your flames for the end). 
I've always begrudged the time commitment (over and above what's required to actually take the training and learn the included material) required to attain certifications, despite which I'm in possession of five, soon to be six, not counting my master's degree, so I like to think I speak from some degree of experience.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;I do understand the arguments used by the proponents of certification. In essence, they allow people who have no understanding of a technical discipline to discriminate between other people who do and don't have that understanding. At least that's what they're supposed to do. Let me list two of the most egregious counterexamples that I have found in my own personal experience (with no disrespect intended to either Microsoft or the International Information Systems Security Certification Consortium). I have met, in my career, an extraordinarily large number of clueless CISSPs and MCSEs. These are people who were apparently able to pass the test, but who were unable to, respectively, secure or administer their way out of wet paper bags. To state it in more general/inflammatory terms, one problem with certifications is the number of idiots who are in possession of them. On the flip side of this, I personally oversaw the hiring of a system administrator back in 1996 who had nothing but a High School Diploma and a clue. I still work with him on occasion, and his hiring was one of the smartest decisions I ever made.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;One logical response to this issue is simply to make certifications more difficult to get, but there we run into a second fundamental problem. When a certification raises its difficulty in order to exclude a certain percentage of unqualified people, they also exclude a certain percentage of qualified people. 
As the difficulty rises more and more, the incremental number of unqualified people being excluded gets smaller, and the incremental number of qualified people being excluded becomes larger. The amount of work required in order to pass increases substantially as well. Qualified people get excluded for several reasons. For one, the more difficult a certification, the more training is typically required before attempting the exam. One forensic certification I heard about last week, the one which finally prompted me to write this posting, requires six months of training and six exams. That's a tremendous amount of time committed to obtaining a fancy certificate and some alphabet soup to put on your resume. Don't get me wrong, I'm &lt;i&gt;not&lt;/i&gt; saying that training is useless. But what do you do if you're already in possession of 75% of the knowledge this training is intended to pass on? It's in the financial interest of the certification providers to make it more difficult to pass the certification if you haven't attended their custom-designed training program. Review guides may be available, but typically cover more material than the certification vendor's training, without the subtle emphasis often provided by that training. The practical upshot of this is that an individual who may know 75% of the material on the exam off the top of his head, substantially better than a graduate of the certification course will be (probably) after six months or so, may still have to complete a long and expensive training course just to get to a point where he can reliably pass the certification exam. For many of us, it's simply not worth it. We resign ourselves to being filtered out because we don't have the requisite alphabet soup, even though we're otherwise qualified.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;You'd think that at some point, an exam would filter out all the idiots, but that's much harder than you'd think. 
That's why IQ tests have fallen out of vogue, and why an actual interview is still the best way to select a new employee. This brings me to the third reason certifications, or more specifically certification exams are bad. Many standardized tests consist of simple regurgitation of facts. They don't require that the subject really be able to think, just memorize. Personally, I believe that any idiot can pass such a test if they put sufficient time into preparation. It's possible to design questions to test problem solving ability, but it's difficult. One tactic that's often resorted to, and this is a personal hot button of mine, is to provide the subject limited information, allow him to assume the rest, and make him pick the 'most reasonable' or 'best' solution from the list. The problem with this occurs when the test subject is smarter or knows more than the individual who designed the question. I personally have run into this several times on various certification exams (I got a couple of the questions changed), and I find it intensely frustrating.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Finally, certifications are bad because they provide lazy people with a tool that can be easily misused. Rather than read 100 resumes to determine the 15 most qualified for a particular position (which he may lack the expertise to do anyway), an HR person can simply filter out all those lacking a specific certification. If this still results in a number of resumes that is too large, he can filter on another certification. This sort of data reduction can easily remove more qualified people than unqualified. In my opinion, it's better to pass all 100 resumes down to the hiring manager.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Certifications are bad for hiring managers, because they reduce their pool of qualified candidates, and they're bad for the candidates, because they enable those candidates' resumes to be filtered out before the manager sees them. 
In the end, they provide the most benefit to the vendors who provide them and their associated training, and to HR organizations, who are able to get by with fewer and less expert people.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Once a certification is accepted as required in a certain area, this fact can be used by people who lack training in that area to obtain it. The downside of this is that people who are already qualified sometimes must forgo more advanced training to take training just to get the certification. I'm not suggesting they don't learn anything in this training, but typically it will be much less than they could have learned had they been able to attend training of their choice.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;So, you might ask, what's the alternative? Isn't there some other low-overhead way to reliably tell if a candidate knows anything about a given specialty without actually reading his resume or interviewing him? Well, I have a suggestion. Maybe somebody out there can make it work. It's based on word of mouth, and the PGP web of trust. Basically, there are a number of people whose word I trust if they say somebody has a clue. If everybody had one or more PGP keys with a comment that said "I am an expert in X", then people could sign that key, and the subject could publish the result. If Rob Lee, Ed Skoudis, &amp;amp; Josh Wright all say I'm an Uber Geek (and I'd like to think they might), I tend to think most people would buy into it. Maybe we could call this the web of cluefulness.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;As always, please feel free to leave commentary if you liked this article or want to call me on the carpet for some inaccuracy. 
&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-left:.5in"&gt;Let the flames commence!&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-left:1.0in"&gt;John&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/1217304426219201949/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=1217304426219201949' title='161 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1217304426219201949'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1217304426219201949'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2009/10/certifications-are-evilby-john-mccash.html' title='Certifications are Evil.....By John McCash'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>161</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-8965477294769065942</id><published>2009-08-25T12:06:00.007-05:00</published><updated>2009-08-25T12:18:36.016-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Windows 7'/><category scheme='http://www.blogger.com/atom/ns#' term='Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='SSID Dates'/><category scheme='http://www.blogger.com/atom/ns#' term='Longshot'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Registry'/><title type='text'>Decoding the DateCreated and DateLastConnected SSID values From Vista/Win 7</title><content type='html'>This information was provided to me by Longshot (Just passing this great information along).&lt;br /&gt;&lt;br /&gt;Decoding the DateCreated and DateLastConnected registry values from the registry keys&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID} &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;In Vista and Windows 7&lt;br /&gt;&lt;br /&gt;The DateCreated and DateLastConnected are binary values that can be broken up into 4 byte parts, with 1 part left over.  Each 4 byte part corresponds to a value of a date.  The order of the values is as follows:&lt;br /&gt;&lt;br /&gt;Year&lt;br /&gt;Month&lt;br /&gt;Weekday&lt;br /&gt;Day&lt;br /&gt;Hour&lt;br /&gt;Minutes&lt;br /&gt;Seconds&lt;br /&gt;&lt;br /&gt;Each of these 4 byte parts is in little endian.  
Using the following data that was unpacked from binary and converted to hex we get the following translation:&lt;br /&gt;&lt;br /&gt;d9070200020018001700140025000001&lt;br /&gt;&lt;br /&gt;d907 0200 0200 1800 1700 1400 2500 0001&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Year = h4 = d907 = 07d9 = 2009&lt;br /&gt;&lt;br /&gt;Month = h4 = 0200 = 0002 = Month {Jan = 1, Feb = 2, etc....}&lt;br /&gt;&lt;br /&gt;Weekday = h4 = 0200 = 0002 = Weekday {Sunday = 0, Monday = 1,  etc...}&lt;br /&gt;&lt;br /&gt;Day = h4 = 1800 = 0018 = 24&lt;br /&gt;&lt;br /&gt;Hour = h4 = 1700 = 0017 = 23&lt;br /&gt;&lt;br /&gt;Minutes = h4 = 1400 = 0014 = 20&lt;br /&gt;&lt;br /&gt;Seconds = h4 = 2500 = 0025 = 37&lt;br /&gt;&lt;br /&gt;The Month and Weekday fields have to be converted to their proper month and weekday names, which would yield the following:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Date First Connected: Tuesday, 24 February 2009 23:20:37&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;Here is the Perl code to do the above. $data is only a placeholder that would need to have the registry value fed to it; below it is filled with the sample bytes above so the script runs as is:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;use strict;&lt;br /&gt;
use warnings;&lt;br /&gt;&lt;br /&gt;
# This is the binary data that would be read from the registry file.&lt;br /&gt;
# It is filled here with the sample bytes from above so the script runs as is.&lt;br /&gt;
my $data = pack("H*", "d9070200020018001700140025000001");&lt;br /&gt;&lt;br /&gt;
# Name of the registry value being decoded (DateCreated or DateLastConnected)&lt;br /&gt;
my $n = "DateCreated";&lt;br /&gt;&lt;br /&gt;
my %month_type = (1 =&gt; "January",&lt;br /&gt;
              2 =&gt; "February",&lt;br /&gt;
              3 =&gt; "March",&lt;br /&gt;
              4 =&gt; "April",&lt;br /&gt;
              5 =&gt; "May",&lt;br /&gt;
              6 =&gt; "June",&lt;br /&gt;
              7 =&gt; "July",&lt;br /&gt;
              8 =&gt; "August",&lt;br /&gt;
              9 =&gt; "September",&lt;br /&gt;
              10 =&gt; "October",&lt;br /&gt;
              11 =&gt; "November",&lt;br /&gt;
              12 =&gt; "December");&lt;br /&gt;&lt;br /&gt;
my %dayofweek_type = (0 =&gt; "Sunday",&lt;br /&gt;
              1 =&gt; "Monday",&lt;br /&gt;
              2 =&gt; "Tuesday",&lt;br /&gt;
              3 =&gt; "Wednesday",&lt;br /&gt;
              4 =&gt; "Thursday",&lt;br /&gt;
              5 =&gt; "Friday",&lt;br /&gt;
              6 =&gt; "Saturday");&lt;br /&gt;&lt;br /&gt;
# Seven little endian fields of 4 hex digits each (h4 = low nibble first); the trailing part is left unused&lt;br /&gt;
my ($year, $month, $weekday, $date, $hour, $minute, $second) = unpack("h4 h4 h4 h4 h4 h4 h4", $data);&lt;br /&gt;&lt;br /&gt;
#This part converts the year&lt;br /&gt;
my $finalyear = hex(reverse $year);&lt;br /&gt;&lt;br /&gt;
#Now we convert the month&lt;br /&gt;
my $monthnumber = hex(reverse $month);&lt;br /&gt;
my $finalmonth = $month_type{$monthnumber};&lt;br /&gt;&lt;br /&gt;
#Now we convert the weekday&lt;br /&gt;
my $weekdaynumber = hex(reverse $weekday);&lt;br /&gt;
my $finalweekday = $dayofweek_type{$weekdaynumber};&lt;br /&gt;&lt;br /&gt;
# This converts the date&lt;br /&gt;
my $finaldate = hex(reverse $date);&lt;br /&gt;&lt;br /&gt;
#This converts the hour&lt;br /&gt;
my $finalhour = hex(reverse $hour);&lt;br /&gt;&lt;br /&gt;
#This converts the minute, zero padded to two digits&lt;br /&gt;
my $finalminute = sprintf("%02d", hex(reverse $minute));&lt;br /&gt;&lt;br /&gt;
#This converts the second, zero padded to two digits&lt;br /&gt;
my $finalsecond = sprintf("%02d", hex(reverse $second));&lt;br /&gt;&lt;br /&gt;
my $ssidtimestamp = "$finalweekday, $finaldate $finalmonth $finalyear $finalhour:$finalminute:$finalsecond";&lt;br /&gt;&lt;br /&gt;
# Label the output by which registry value was decoded&lt;br /&gt;
my $finaln;&lt;br /&gt;
if ($n =~ /Created/){&lt;br /&gt;
$finaln = "Date First Connected:";&lt;br /&gt;
} else {&lt;br /&gt;
$finaln = "Date Last Connected:";&lt;br /&gt;
}&lt;br /&gt;&lt;br /&gt;
print "$finaln $ssidtimestamp\n";&lt;/span&gt;
   &lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/8965477294769065942/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=8965477294769065942' title='12 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8965477294769065942'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8965477294769065942'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2009/08/decoding-datecreated-and.html' title='Decoding the DateCreated and DateLastConnected SSID values From Vista/Win 7'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>12</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-2451430617966311925</id><published>2009-08-07T22:57:00.005-05:00</published><updated>2009-08-07T23:19:17.525-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Skype'/><category scheme='http://www.blogger.com/atom/ns#' term='updates'/><title type='text'>Update Skype Log Parser..........</title><content type='html'>I know this whole blog has gotten pretty stale as there have not been any posts in a loooong time.  Well I am going to try and remedy that with some good posts in the coming weeks. 
&lt;br /&gt;&lt;br /&gt;Well the skype log parser, which is my most downloaded tool, has gone through a few updates since I last posted at the end of last year/beginning of this year.  The current version is 1.7.  A few of the notable changes are (for full list see change_log.txt):&lt;br /&gt;&lt;br /&gt;1.  Ability to search for the log files from the gui.&lt;br /&gt;2.  Skype 4.x is now supported.&lt;br /&gt;3.  The ability to merge 2 cases into 1 report to compare the reports.&lt;br /&gt;4.  Ability to cancel the program at any time.&lt;br /&gt;5.  Ability to parse the iTunes iPhone/iPod Touch backup files and get the skype log files if skype is installed.&lt;br /&gt;6.  If a record in the UserXXXXX.dbb file was truncated, the program would be thrown into an infinite loop; this has been fixed.&lt;br /&gt;&lt;br /&gt;The new program can be found &lt;a href="http://redwolfcomputerforensics.com/downloads/skype-log-installer-1.7.exe"&gt;here&lt;/a&gt;.  I have also created a new email account that I would like to use for support and also to send out emails to users when I update the program.  If you would like to receive updates about the skype log parser send an email to skype-parser at redwolfcomputerforensics dot com.  
Comments, good or bad, and requests for enhancements are encouraged.&lt;br /&gt;&lt;br /&gt;As always Thoughts/Comments/Questions.........</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/2451430617966311925/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=2451430617966311925' title='22 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2451430617966311925'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2451430617966311925'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2009/08/update-skype-log-parser.html' title='Update Skype Log Parser..........'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>22</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-7447326158867459605</id><published>2009-04-14T10:38:00.004-05:00</published><updated>2009-04-14T11:39:42.106-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Jesse Kornblum'/><category scheme='http://www.blogger.com/atom/ns#' term='Troy Larson'/><category scheme='http://www.blogger.com/atom/ns#' term='Lance Mueller'/><category scheme='http://www.blogger.com/atom/ns#' term='Sans'/><category scheme='http://www.blogger.com/atom/ns#' term='WhatWorks'/><title type='text'>Sans "WhatWorks in Forensics and 
Incident Response Summit" in July</title><content type='html'>The &lt;a href="http://www.sans.org/forensics09_summit/agenda.php"&gt;agenda&lt;/a&gt; is out and it looks to be a fantastic lineup of expert briefings and panels. The summit will be in Washington DC July 7 and 8, 2009. I was lucky enough to be chosen to be on the "Essential Forensic Tools" panel. With me on the panel are some of the big names in the Forensic/IR community; they are:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.sans.org/forensics09_summit/speakers.php#kornblum"&gt;Jesse Kornblum&lt;/a&gt;, who has made significant contributions with the free tools (&lt;a href="http://md5deep.sourceforge.net/"&gt;MD5Deep&lt;/a&gt;, &lt;a href="http://ssdeep.sourceforge.net/"&gt;SSDeep&lt;/a&gt;, &lt;a href="http://missidentify.sourceforge.net/"&gt;Miss Identify&lt;/a&gt; and others) he has provided as well as the excellent papers he has written ("Using Every Part of the Buffalo in Windows Memory Analysis" and "Implementing BitLocker Drive Encryption for Forensic Analysis" as well as others). Jesse also has a blog that can be found &lt;a href="http://jessekornblum.livejournal.com/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.sans.org/forensics09_summit/speakers.php#larson"&gt;Troy Larson&lt;/a&gt;, who is the Senior Forensic Investigator with Microsoft’s IT Security Group. Troy has presented many times at different conferences (Recovering Information from Deleted Security Event Logs, Vista Shadow Volume Forensic, etc.) and is a coauthor of the Handbook of Computer Crime Investigation: Forensic Tools and Technology.&lt;br /&gt;&lt;br /&gt;and finally&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.sans.org/forensics09_summit/speakers.php#mueller"&gt;Lance Mueller&lt;/a&gt; of the blog &lt;a href="http://www.forensickb.com/"&gt;Computer Forensics, Malware Analysis and Digital Investigations&lt;/a&gt;. Lance has provided many enScripts on his blog to be used by all. 
I do not use Encase but I have learned many things by looking at the enScripts that Lance has developed; they have provided me insights into many areas of computer forensics.&lt;br /&gt;&lt;br /&gt;I look forward to joining this panel of experts who have distinguished themselves in the field of Computer Forensics and Incident Response as well as meeting quite a few people who I have had the privilege of trading ideas and emails with.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;As always Thoughts/Comments/Questions.........</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/7447326158867459605/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=7447326158867459605' title='20 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/7447326158867459605'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/7447326158867459605'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2009/04/sans-whatworks-in-forensics-and.html' title='Sans &quot;WhatWorks in Forensics and Incident Response Summit&quot; in July'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' 
src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>20</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-118772407143661505</id><published>2009-02-18T07:11:00.005-05:00</published><updated>2009-03-30T21:09:23.594-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Gmail Offline'/><category scheme='http://www.blogger.com/atom/ns#' term='E-Mail'/><title type='text'>Gmail offline...</title><content type='html'>Not too long ago someone brought to my attention that Gmail was offering to be able to have your gmail account offline.  What this means is that you can look at all your e-mail that has been synched even if you are not connected to the net; sorry to say, you cannot send e-mails or save them at this time, as far as I can tell.  I have come up with a parser for your gmail offline account.  It only does the basics right now but we will look to add more in the future.  Some of the sample reports are:&lt;br /&gt;&lt;br /&gt;1.  Contact information&lt;br /&gt;2.  Email conversations with hyperlink to email&lt;br /&gt;3.  Word Xref to email &lt;br /&gt; &lt;br /&gt;That last one has 2 flavors depending on the option you pick when you run the parser.  In the gui if you choose not to create the e-mail xref report then you will only get a report with all distinct words in the emails.  If you choose to create the e-mail xref report then it will create the report with distinct words and those words will be hyperlinked to a report that will show each e-mail that the word appears in.  
This may take a while depending on how big the mailbox is, but it is pretty cool.&lt;br /&gt;&lt;br /&gt;The program can be found &lt;a href="http://RedWolfComputerForensics.com/downloads/gmail_offline_parser.zip"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;As always Questions/Comments/Suggestions.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-118772407143661505?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/118772407143661505/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=118772407143661505' title='27 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/118772407143661505'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/118772407143661505'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2009/02/gmail-offline.html' title='Gmail offline...'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>27</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-3090449887519734206</id><published>2009-02-09T12:06:00.003-05:00</published><updated>2009-02-09T12:14:22.516-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Prefetch Files'/><title type='text'>Updated Prefetch Parser......</title><content type='html'>I have updated the prefetch parser so it will now read all the prefetch files in a directory.  
It will produce a main report that will show each prefetch file, the actual file name, the number of times run and the embedded date/time.  You can also click on the prefetch file name and see the dll/files that were loaded when the program was run.  This will work for XP, 2003 and Vista.  The new program can be found &lt;a href="http://RedWolfComputerForensics.com/downloads/prefetch_parser.zip"&gt;here&lt;/a&gt;.  I have left the old program out there as well in case you still want to parse a single file.&lt;br /&gt;&lt;br /&gt;As always Questions/Comments/Thoughts?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-3090449887519734206?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/3090449887519734206/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=3090449887519734206' title='36 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3090449887519734206'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3090449887519734206'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2009/02/updated-prefetch-parser.html' title='Updated Prefetch Parser......'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' 
src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>36</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-2730046331250715024</id><published>2009-01-27T08:32:00.005-05:00</published><updated>2009-01-27T10:44:25.468-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Flock'/><category scheme='http://www.blogger.com/atom/ns#' term='Sqlite'/><category scheme='http://www.blogger.com/atom/ns#' term='Internet Parser'/><category scheme='http://www.blogger.com/atom/ns#' term='FireFox'/><category scheme='http://www.blogger.com/atom/ns#' term='Google Chrome'/><title type='text'>Internet Parser Update</title><content type='html'>In honor of Randy G (&lt;a href="http://cfed-ttf.blogspot.com/2009/01/dod-cybercrime-conference.html"&gt;see this post&lt;/a&gt;) and the fact that I found a new browser, I have updated the Internet parser program to now include the &lt;a href="http://www.flock.com/"&gt;Flock browser&lt;/a&gt;, which is based on the Mozilla framework.  Now I have not done an extensive analysis on it yet, but I have done enough to know it fits right in with &lt;a href="http://www.mozilla.com/firefox/"&gt;Firefox 3.x&lt;/a&gt; and &lt;a href="http://www.google.com/chrome"&gt;Google Chrome&lt;/a&gt; as it uses &lt;a href="http://sqlite.org"&gt;SQLite&lt;/a&gt; to store its history and other files.  One thing to note is that there is a new report added called Form History. This is a new database that Flock uses that keeps data that was entered into any forms.  That is about all I know about the forms at this point.  There are quite a few new databases that Flock uses and I will have to test them out to see what data points can be pulled out. &lt;br /&gt;&lt;br /&gt;So in honor of Randy G. 
here is the &lt;a href="http://redwolfcomputerforensics.com/downloads/internet_parser_1_1.zip"&gt;download&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Questions/Comments/Suggestions?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-2730046331250715024?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/2730046331250715024/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=2730046331250715024' title='16 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2730046331250715024'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2730046331250715024'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2009/01/internet-parser-update.html' title='Internet Parser Update'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>16</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-6808556887243972280</id><published>2009-01-27T08:12:00.003-05:00</published><updated>2009-01-27T08:31:56.078-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DOD Cypercrime Conference'/><category scheme='http://www.blogger.com/atom/ns#' term='DC3 Challenge'/><title type='text'>DOD Cybercrime Conference......</title><content type='html'>Well the &lt;a href="http://www.dodcybercrime.com/9CC/index.asp"&gt;DOD Cybercrime Conference&lt;/a&gt; should be getting into full swing now.  
Unfortunately I could not attend but it sounds like it will be a great conference.  If there is anyone who reads this and is attending, please find Randy G., who created this year's (2009) and last year's (2008) &lt;a href="http://www.dc3.mil/challenge/"&gt;DC3 challenge&lt;/a&gt;, and shake his hand and tell him what a wonderful job he did creating and running the challenge last year.  Since I cannot tell him personally, as I am not there, I will do that here.  &lt;br /&gt;&lt;br /&gt;Great job with the challenge Randy, keep up the fantastic work, and I look forward to this year's challenge.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Questions/Comments/Suggestions?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-6808556887243972280?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/6808556887243972280/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=6808556887243972280' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/6808556887243972280'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/6808556887243972280'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2009/01/dod-cybercrime-conference.html' title='DOD Cybercrime Conference......'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' 
src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-3381407888133193667</id><published>2008-12-31T13:53:00.003-05:00</published><updated>2008-12-31T14:02:26.620-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='New Year'/><title type='text'>Happy New Year</title><content type='html'>Thanks for stopping by this year.  I hope I have helped some of you out with the programs/information I have provided.  As always I wish I had posted more but things always seem to get in the way.  I will be planning on posting more next year.  If you can think of any topics or programs that would be nice to see/have then shoot me an email and we can discuss them mark dot mckinnon at sbcglobal dot net.    &lt;br /&gt;&lt;br /&gt;I hope everyone has a safe and happy new year.&lt;br /&gt;&lt;br /&gt;Mark&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-3381407888133193667?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/3381407888133193667/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=3381407888133193667' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3381407888133193667'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3381407888133193667'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/12/happy-new-year.html' title='Happy New Year'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-7203372833872698129</id><published>2008-12-31T13:22:00.005-05:00</published><updated>2008-12-31T13:58:35.893-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Internet Explorer'/><category scheme='http://www.blogger.com/atom/ns#' term='Graphics'/><category scheme='http://www.blogger.com/atom/ns#' term='FireFox'/><category scheme='http://www.blogger.com/atom/ns#' term='EXIF'/><category scheme='http://www.blogger.com/atom/ns#' term='updates'/><category scheme='http://www.blogger.com/atom/ns#' term='Google Chrome'/><title type='text'>Updates Before the New Year</title><content type='html'>Here are a few updates to some of the programs I have provided this year.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://Skype.com"&gt;Skype&lt;/a&gt; Log Parser:&lt;br /&gt;&lt;br /&gt;This program will now parse the voicemail logs and report on them. It will also extract some more information about the users. The avatars will also be parsed out and saved to the report directory as well. The program can be found &lt;a href="http://RedWolfComputerForensics.com/downloads/skype-log-installer.exe"&gt;here&lt;/a&gt;.  I also want to thank the &lt;a href="http://www.uno.edu/"&gt;University of New Orleans &lt;/a&gt; (Team NSSAL) for using this program in the &lt;a href="http://www.dc3.mil/challenge/"&gt;DC3 Challenge &lt;/a&gt;this year. I created the program for my use in the challenge, but when I got bogged down with other things I thought I would release it in hopes that someone would use it for the challenge.&lt;br /&gt;&lt;br /&gt;Thumbnail_Html:&lt;br /&gt;&lt;br /&gt;I do not recall if I ever released this or not, but what it will do is parse a directory and create a web page with thumbnails of graphics files in it. 
This program is good if you need to create a file that has graphics that you want to send to someone and be able to put it on a CD/DVD. This program will also read some of the &lt;a href="http://en.wikipedia.org/wiki/Exif"&gt;EXIF&lt;/a&gt; info for the graphics and output that information as well. The program can be found &lt;a href="http://RedWolfComputerForensics.com/downloads/thumbnail_html_gui.zip"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Internet Parser:&lt;br /&gt;&lt;br /&gt;This is the updated &lt;a href="http://www.google.com/chrome/index.html?brand=CHMQ&amp;utm_source=en-hpp&amp;utm_medium=hpp&amp;utm_campaign=en"&gt;Google Chrome&lt;/a&gt; parser with a few more reports, and I have also added the option to include &lt;a href="http://www.mozilla.com/en-US/firefox/"&gt;Firefox&lt;/a&gt; history files as well. With this program, if someone had both Firefox and Google Chrome you can add both of their history files to the same database and do one report instead of multiple reports. This program can be found &lt;a href="http://RedWolfComputerForensics.com/downloads/internet_parser.zip"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Internet History:&lt;br /&gt;&lt;br /&gt;This program reads in the &lt;a href="http://www.microsoft.com/windows/internet-explorer/download-ie.aspx"&gt;Internet Explorer&lt;/a&gt; index.dat, the cookie index.dat and the History index.dat files and will produce reports on them. The reports should be similar to the internet parser program. 
That program can be found &lt;a href="http://RedWOlfComputerForensics.com/downloads/internet_history.zip"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I hope you enjoy all these updated and new programs and that you get quite a bit of use out of them.&lt;br /&gt;&lt;br /&gt;As always Questions/Comments/Suggestions/Thoughts?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-7203372833872698129?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/7203372833872698129/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=7203372833872698129' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/7203372833872698129'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/7203372833872698129'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/12/updates-before-new-year.html' title='Updates Before the New Year'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-7787646758961685594</id><published>2008-10-29T08:37:00.002-05:00</published><updated>2008-10-29T08:48:00.833-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Birthday'/><category scheme='http://www.blogger.com/atom/ns#' term='Ovie Carroll'/><title type='text'>Happy Birthday Ovie..........</title><content type='html'>Within the 
next few days it will be Ovie Carroll's Birthday.  So that everyone can wish him a happy birthday I have set up a special e-mail account that will forward to him all your birthday wishes if you would like to send him a wish.  The email address is happy_birthday_ovie@redwolfcomputerforensics.com.  I will leave this up for about 1 1/2 weeks so everyone can wish Ovie a happy birthday.  &lt;br /&gt;&lt;br /&gt;I won't tell you how old he is, but here are some general statistics from that time period.&lt;br /&gt;&lt;br /&gt;World Population: 3.276 billion&lt;br /&gt;US Population: 191,888,791&lt;br /&gt;Life expectancy: 70.2 years&lt;br /&gt;Violent Crime Rate (per 1,000): 23.9&lt;br /&gt;Property Crime Rate (per 1,000): 22.0&lt;br /&gt;Homicide Rate (per 100,000): 5.1&lt;br /&gt;US GDP (1998 dollars):   $663 billion&lt;br /&gt;Federal spending:   $118.53 billion&lt;br /&gt;Federal debt:   $316.1 billion&lt;br /&gt;Consumer Price Index:   31&lt;br /&gt;Unemployment:   5.7%&lt;br /&gt;Cost of a first-class stamp:   $0.05&lt;br /&gt;Cost of a new home:  $20,500.00 &lt;br /&gt;Cost of a new car:  $ &lt;br /&gt;Cost of a first-class stamp:  $0.05 &lt;br /&gt;Cost of a gallon of regular gas:  $0.30 &lt;br /&gt;Cost of a dozen eggs:  $0.54 &lt;br /&gt;Cost of a gallon of Milk:  $0.95 &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Once again that email address is happy_birthday_ovie@RedWolfComputerForensics.com&lt;br /&gt;&lt;br /&gt;Happy Birthday Ovie!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-7787646758961685594?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/7787646758961685594/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=7787646758961685594' title='7 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/7787646758961685594'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/7787646758961685594'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/10/happy-birthday-ovie.html' title='Happy Birthday Ovie..........'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-5699539108371231871</id><published>2008-10-05T18:42:00.003-05:00</published><updated>2008-10-05T18:49:02.788-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='beta'/><category scheme='http://www.blogger.com/atom/ns#' term='Drive Prophet'/><title type='text'>Drive Prophet for Windows Beta Ends......</title><content type='html'>I want to thank everyone who beta tested Drive Prophet for Windows. I have concluded the beta and made any necessary fixes. I have posted a demo version of the program and it can be downloaded &lt;a href="http://RedWOlfComputerForensics.com/downloads/prophet-installer.exe"&gt;here&lt;/a&gt;. There will be 2 versions of Drive Prophet the Standard and Professional. You can go to the following site and see what the differences are. &lt;a href="http://DriveProphet.com"&gt;Drive Prophet Web Site&lt;/a&gt;. I will offer a discount for the next 30 days to any blog reader or beta tester. If there are any questions you can shoot me an email at prophet at redwolfcomputerforensics dot com or mark dot mckinnon at redwolfcomputerforensics dot com. 
&lt;br /&gt;&lt;br /&gt;Once again a big thank you to everyone who tried it out and to those who provided feedback, your help was very valuable.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-5699539108371231871?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/5699539108371231871/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=5699539108371231871' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/5699539108371231871'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/5699539108371231871'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/10/drive-prophet-for-windows-beta-ends.html' title='Drive Prophet for Windows Beta Ends......'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-516772208859858295</id><published>2008-09-30T21:57:00.003-05:00</published><updated>2008-09-30T22:13:48.499-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='TimeLine'/><category scheme='http://www.blogger.com/atom/ns#' term='SMS'/><category scheme='http://www.blogger.com/atom/ns#' term='Skype'/><category scheme='http://www.blogger.com/atom/ns#' term='Skype Log Parser'/><title type='text'>Skype Log Parser Update.......</title><content type='html'>Wow in the last 20 days this 
program has been downloaded over 290 times. I have received a few calls/emails about it and I thought I would update the program. There is still more to do with it but I thought I would post this update to it. The program can be downloaded &lt;a href="http://RedWolfComputerForensics.com/downloads/skype-log-installer.exe"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;What I have updated is to add parsing of the SMS records. This will parse the sms256.dbb, sms512.dbb and sms1024.dbb. I did not have an sms16384.dbb so that file will not be parsed. The report that will be output is the messages that were sent and the phone number that each was sent to. I have yet to figure out where the date is stored so that is not included at this time. This is something I will be working on.&lt;br /&gt;&lt;br /&gt;I have also added a timeline of all the transactions. This is similar to the "History" tab on the &lt;a href="http://Skype.com"&gt;Skype&lt;/a&gt; program. &lt;br /&gt;&lt;br /&gt;I am also planning on updating this program some more in the near future: add reports, parse voicemail, figure out the date/time for SMS messages, and other things. 
If you think something else should be added to it please shoot me an email, you can find my email somewhere on the blog or just leave a comment.&lt;br /&gt;&lt;br /&gt;Thoughts/Comments/Questions?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-516772208859858295?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/516772208859858295/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=516772208859858295' title='11 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/516772208859858295'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/516772208859858295'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/09/skype-log-parser-update.html' title='Skype Log Parser Update.......'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>11</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-4116049083933952038</id><published>2008-09-24T21:42:00.005-05:00</published><updated>2009-03-30T21:07:30.152-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='passwords'/><category scheme='http://www.blogger.com/atom/ns#' term='Plaintext'/><category scheme='http://www.blogger.com/atom/ns#' term='Google Chrome'/><title type='text'>Google Chrome stores plain text passwords….sort of.</title><content type='html'>My interest was of course piqued when Google 
announced they would be entering the browser realm, with Chrome.  One of the things that has always interested me is the way different programs store passwords.  While we are still working on decrypting the Chrome passwords from an imaged drive, I did make an interesting discovery about Chrome storing plain text passwords.  Chrome is reliant on several files under the following paths &lt;br /&gt;&lt;br /&gt;(dependent on OS):&lt;br /&gt;&lt;br /&gt;XP:&lt;br /&gt;&lt;br /&gt;Documents and Settings/User/Local Settings/Application Data/Google/Chrome/&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Vista:&lt;br /&gt;&lt;br /&gt;Users/App Data/Local/Google/Chrome/&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;As it turns out, if you visit a site that does not require you to log in via https or any variety of other secure methods, Chrome will create a cookie, which can be found in the file “Current Session” under Chrome/User Data/Default.  Within that file will be a plain text cookie with your login name and password.  If the site requires https, you can still view the log in, but the password is encrypted.   However, there is one neat twist to this.  If you log in with an incorrect password, even from an https site, the password is still saved in plain text.  Using this information, you may be able to make an educated guess on what the actual password was.  You can open the file with any text viewing program, or a Hex editor program.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;This password recovery method unfortunately only works if, during the last instance of the browser being opened, the person typed in their password when prompted at a site that does not use a secure method to log-in.  
I also created a slide show presentation, which can be found &lt;a href="http://RedWolfComputerForensics.com/downloads/Chrome_Plaintext_Passwords.ppt"&gt;here&lt;/a&gt;, detailing the steps and data that can be viewed within Chrome.&lt;br /&gt;&lt;br /&gt;As always Thoughts/Comments/Questions?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-4116049083933952038?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/4116049083933952038/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=4116049083933952038' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/4116049083933952038'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/4116049083933952038'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/09/google-chrome-stores-plain-text.html' title='Google Chrome stores plain text passwords….sort of.'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-8522831300903430779</id><published>2008-09-10T07:50:00.004-05:00</published><updated>2008-09-10T11:13:05.872-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensic 4Cast Podcast'/><category scheme='http://www.blogger.com/atom/ns#' term='VMWare'/><category scheme='http://www.blogger.com/atom/ns#' term='Mount DD 
Image'/><category scheme='http://www.blogger.com/atom/ns#' term='Mount Image Pro'/><category scheme='http://www.blogger.com/atom/ns#' term='Drive Prophet'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyberspeak'/><category scheme='http://www.blogger.com/atom/ns#' term='Encase'/><title type='text'>Drive Prophet for Windows **Beta**</title><content type='html'>Well it is finally going mainstream public, the Drive Prophet for Windows Beta.  Now if you have not heard anything about this then it may be new to you.  If you listen to either the &lt;a href="http://cyberspeak.libsyn.com"&gt;cyberspeak&lt;/a&gt; podcast (July 19 Podcast, 10:40 into the podcast) or the &lt;a href="http://4cast.whitfields.org"&gt;Forensic 4Cast&lt;/a&gt; podcast (Episode 8) then you would have heard it mentioned. Here is a quick overview. &lt;br /&gt;&lt;br /&gt;So what is Drive Prophet?  Drive Prophet is a Triage tool to give you a quick look at what can be found on the drive.  It runs against a write-blocked drive or DD image that has been mounted to your computer.  If you go the DD image route then you can use any software to mount the image (&lt;a href="http://vmware.com"&gt;VMWare Mount&lt;/a&gt;, &lt;a href="http://www.mountimage.com/"&gt;Mount Image Pro&lt;/a&gt;, &lt;a href="http://www.guidancesoftware.com/"&gt;Encase&lt;/a&gt;, etc.).  Now this does not mean that this is going to avoid a full forensic exam; it should not, but it will give you a jumping off point into that exam and hopefully start to steer you in the right direction.  My vision for this was a tool to help examiners either in the field or back in the lab get a quick look at a drive and be able to act on that information (i.e. question a suspect or start an exam).  &lt;br /&gt;&lt;br /&gt;Now after the drive is mounted you can then start Drive Prophet and process the drive.  
Once the drive has been processed then you will be presented with many reports that you can then go through; here is a listing of the possible reports.&lt;br /&gt;&lt;br /&gt;LIST OF ALL USERS ON THE SYSTEM&lt;br /&gt;LIST OF THE PROGRAMS BASED ON THE "PROGRAM FILES" DIRECTORY&lt;br /&gt;UNIQUE LIST OF USB DEVICES THAT HAVE BEEN ATTACHED TO THE SYSTEM&lt;br /&gt;LAST PROGRAMS THAT HAVE BEEN RUN AND THE NUMBER OF TIMES RUN&lt;br /&gt;ALL THE DIRECTORIES THAT CONTAIN JPG FILES&lt;br /&gt;LIST OF DOMAINS THAT HAVE BEEN VISITED BY USER AND THE NUMBER OF VISITS&lt;br /&gt;SOFTWARE INSTALLED ACCORDING TO THE REGISTRY&lt;br /&gt;RECENTLY ACCESSED FILES FROM RECENT FOLDERS&lt;br /&gt;FILES ON THE DESKTOP&lt;br /&gt;FAVORITES DIRECTORY &lt;br /&gt;URLS THAT HAVE BEEN TYPED IN INTERNET EXPLORER&lt;br /&gt;MS MEDIA PLAYER: RECENT FILE LIST&lt;br /&gt;MS MEDIA PLAYER: LAST OPENED PLAYLIST&lt;br /&gt;COMPUTER OWNER INFORMATION&lt;br /&gt;VIDEO FILES THAT WERE OPENED WITH WINDOWS MEDIA PLAYER&lt;br /&gt;MS MEDIA PLAYER: RECENT OPEN DIRECTORY&lt;br /&gt;LIST OF DOMAINS THAT HAVE BEEN VISITED BY USER ORDERED BY THEIR LAST ACCESS TIME&lt;br /&gt;INTERNET SEARCHES&lt;br /&gt;PROGRAMS THAT WILL RUN ON SYSTEM STARTUP ACCORDING TO THE REGISTRY&lt;br /&gt;LIST OF ALL THE PROGRAMS THAT HAVE BEEN RUN THAT WERE NOT FOUND ON THE HARD DRIVE&lt;br /&gt;SCHEDULED TASKS DEFINED ON THE SYSTEM&lt;br /&gt;LIST LAST SEARCH TERMS FROM THE SEARCH ASSISTANT&lt;br /&gt;LIST ADOBE ACROBAT READER MOST RECENTLY ACCESSED FILES&lt;br /&gt;LIST ALL MOUNT POINTS ON THE SYSTEM&lt;br /&gt;LIST STARTUP AND SHUTDOWN TIMES ACCORDING TO THE EVENT LOGS&lt;br /&gt;LAST PROGRAMS THAT HAVE BEEN RUN AND NUMBER OF TIMES RUN - TECHNICAL&lt;br /&gt;LIST PROGRAMS THAT HAVE RUN WITH THE MICROSOFT MANAGEMENT CONSOLE&lt;br /&gt;PROGRAMS THAT HAVE RUN ON THE SYSTEM AT SOME POINT IN TIME&lt;br /&gt;APPLICATIONS TO LOOK FOR&lt;br /&gt;PROGRAMS THAT HAVE BEEN RUN/EXECUTED FROM USERS TEMP DIRECTORY&lt;br /&gt;IP ADDRESSES ASSIGNED 
TO COMPUTER&lt;br /&gt;NUMBER OF TIMES COMPUTER NORMALLY SHUTDOWN&lt;br /&gt;LIST ALL DOC FILES&lt;br /&gt;LIST ALL XLS FILES&lt;br /&gt;LIST ALL PDF FILES&lt;br /&gt;LIST ALL LNK FILES&lt;br /&gt;INFORMATION ABOUT VIRTUAL MACHINES ON SYSTEM&lt;br /&gt;&lt;br /&gt;Now if you do not see a report that you would like then more reports can be added.  There are a few options that you can do as well after the drive has been processed, these are not included in the processing of the drive as they may take a long time to process themselves.  The other options are&lt;br /&gt;&lt;br /&gt;1.“Parse/Report EXIF Information” which will scan all the JPG files on the system and report back which JPG files have EXIF information and display this information along with the graphic. &lt;br /&gt;&lt;br /&gt;2.“Run Time Line Report” will ask for a begin date and end date (end date is optional and if not supplied will take the current date as end date) and will produce 4 reports.&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp&amp;nbsp     1.Report of all files that were Created that are between the 2 dates supplied.&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp&amp;nbsp     2.Report of all files that were Modified that are between the 2 dates supplied.&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp&amp;nbsp     3.Report of all files that were Last Accessed that are between the 2 dates supplied.&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp&amp;nbsp     4.Report of all files that have a Created, Modified, Last Accessed date/time between the 2 dates supplied.&lt;br /&gt;&lt;br /&gt;3.“Run Picture Thumbnail Report” will generate a report of all jpg's, png's, bmp's that were found on the drive.  There is an option to copy those files to the reporting directory so that you can then be available for your report.&lt;br /&gt;&lt;br /&gt;4.“Run Vista Thumbcache Report”  will generate a report of all  jpg's, png's, bmp's that were in the vista thumbcache files.  
These files will be copied to the reporting directory so that they can then be available for your report.&lt;br /&gt;&lt;br /&gt;Now if after all this you still do not see certain things then let me know and they can be added to the list of future enhancements.  The Drive Prophet Forum can be found &lt;a href="http://RedWolfComputerForensics.com/forum"&gt;here&lt;/a&gt; where you can request future report enhancements and other enhancements, report bugs, etc...&lt;br /&gt;&lt;br /&gt;One other feature is a program called Back Log Breaker.  This program was designed to allow the user to "Batch" up runs of Drive Prophet and process them all at once.  This could allow agencies that do have a backlog to try and cut thru them.&lt;br /&gt;&lt;br /&gt;Now if this is something that interests you then send an email to prophet-beta at RedWolfComputerForensics dot com with your name, agency/company and contact info.  This program will be available to all, it is not restricted to anyone.  I will then reply with a email telling you how to download the Beta.  
You can also download the &lt;a href="http://RedWolfComputerForensics.com/downloads/Drive Prophet For Windows Installation Guide.pdf"&gt;install guide&lt;/a&gt; and &lt;a href="http://RedWolfComputerForensics.com/downloads/Drive Prophet For Windows Quick Start Guide.pdf"&gt;quick start guide&lt;/a&gt; as well.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-8522831300903430779?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/8522831300903430779/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=8522831300903430779' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8522831300903430779'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8522831300903430779'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/09/drive-prophet-for-windows-beta.html' title='Drive Prophet for Windows **Beta**'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-7280646933642545227</id><published>2008-09-09T06:33:00.002-05:00</published><updated>2008-09-09T06:37:32.284-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensic 4Cast Podcast'/><title type='text'>Interview On Forensic 4cast</title><content type='html'>The guys on Forensic 4Cast (Lee and Simon Whitfield) were kind enough 
to ask me on the show and let me talk about a few things I have been working on.  Two of the projects I have just blogged about a few minutes ago.  The other project will be my next topic and I will be putting that out within the next day.  The interview can be found &lt;a href="http://4cast.whitfields.org/?p=45"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-7280646933642545227?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/7280646933642545227/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=7280646933642545227' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/7280646933642545227'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/7280646933642545227'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/09/interview-on-forensic-4cast.html' title='Interview On Forensic 4cast'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-9065501611663367623</id><published>2008-09-09T06:17:00.003-05:00</published><updated>2008-09-09T06:33:12.582-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DC3 Challenge'/><category scheme='http://www.blogger.com/atom/ns#' term='Skype'/><category scheme='http://www.blogger.com/atom/ns#' term='Logs'/><title 
type='text'>Skype Log Parser</title><content type='html'>At the &lt;a href="http://www.dc3.mil/challenge/"&gt;DC3 Challenge&lt;/a&gt; there is a challenge that deals with parsing the log files created by &lt;a href="http://Skype.com"&gt;Skype&lt;/a&gt;.  Well, I went searching on the Internet for programs that would get me information from these logs, and every program I found only dealt with the chat sessions.  Looking at my own logs I could tell there was more to them than that.  I was very disappointed that the programs I looked at did not look at these other log files.  I thought to myself, am I the only one seeing that an examiner is potentially missing some important data (phone log, transferred files, etc.)?  Well, I could not let this opportunity pass by, so I created a program that will parse out these log files and produce some reports.  The program can be downloaded &lt;a href="http://redwolfcomputerforensics.com/downloads/skype-log-installer.exe"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;If anyone uses this program for the DC3 Challenge please let me know; I am always curious whether the programs I publish ever get used.&lt;br /&gt;&lt;br /&gt;As always, send all comments/questions/suggestions, good or bad, to the comment section below, or you can email me at mark dot mckinnon at sbcglobal dot net.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-9065501611663367623?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/9065501611663367623/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=9065501611663367623' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/9065501611663367623'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/9065501611663367623'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/09/skype-log-parser.html' title='Skype Log Parser'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-2778687517011979120</id><published>2008-09-09T06:02:00.004-05:00</published><updated>2008-09-09T06:17:42.418-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Parser'/><category scheme='http://www.blogger.com/atom/ns#' term='Sqlite'/><category scheme='http://www.blogger.com/atom/ns#' term='FireFox'/><category scheme='http://www.blogger.com/atom/ns#' term='Thumbnails'/><category scheme='http://www.blogger.com/atom/ns#' term='Logs'/><category scheme='http://www.blogger.com/atom/ns#' term='Google Chrome'/><title type='text'>Google Chrome Log Parser</title><content type='html'>Google Chrome has been out for about a week and here is my first attempt to create a program that will parse out all the Chrome logs and put together some useful reports.  The program can be found &lt;a href="http://redwolfcomputerforensics.com/downloads/google_chrome_parser.zip"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Just like &lt;a href="http://www.mozilla.com/en-US/firefox/"&gt;Firefox&lt;/a&gt;, Chrome stores its logs in a &lt;a href="http://sqlite.org"&gt;SQLite&lt;/a&gt; database.  Some of these logs are very similar to the Firefox logs.  
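
Since the history lives in SQLite, a few lines of Python are enough to read it; the part that trips parsers up is the date/time handling the post turns to next. As an added example, not the post's parser and not Chrome's own code, here is a reader for a History-style database that decodes both epochs: Unix seconds from 1970 and the 1601-based Windows epoch, which Chrome stores as microseconds. The database is constructed in memory; the urls columns follow Chrome's History schema, the simplified downloads table with a Unix-seconds start_time stands in for the tables that use the other format, and the magnitude test in decode_timestamp is a heuristic of this example rather than documented Chrome behaviour.

```python
"""Read a Chrome History-style SQLite file and decode both epochs it mixes.

Added example, not the post's parser. Chrome's internal time (used for
urls.last_visit_time, visits.visit_time and similar columns) is microseconds
since 1601-01-01 UTC, the Windows FILETIME epoch; other values are plain
Unix seconds since 1970-01-01 UTC.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# 11644473600 seconds separate the two epochs.
EPOCH_DELTA_SECONDS = int((UNIX_EPOCH - WEBKIT_EPOCH).total_seconds())


def webkit_to_datetime(value):
    """Microseconds since 1601-01-01 UTC to an aware datetime (0/None: unset)."""
    if not value:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))


def unix_to_datetime(value):
    """Seconds since 1970-01-01 UTC to an aware datetime (0/None: unset)."""
    if not value:
        return None
    return UNIX_EPOCH + timedelta(seconds=int(value))


def decode_timestamp(value):
    """Pick the epoch by magnitude (assumption of this example, not Chrome's
    documented behaviour): any 1601-based microsecond value for a date after
    1970 exceeds 1.1e16, while Unix seconds stay below 1e11 until the year
    5138, so the integer quotient by 10**11 is nonzero only for the former."""
    if not value:
        return None
    value = int(value)
    if value // 10**11:
        return webkit_to_datetime(value)
    return unix_to_datetime(value)


def build_sample_history():
    """Constructed in-memory stand-in for a History file. The urls columns
    follow Chrome's schema; the downloads table is simplified and its
    start_time holds Unix seconds to represent the second epoch."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, full_path TEXT,
                                start_time INTEGER);
    """)
    # Both rows describe 2008-09-09 06:02:00 UTC, once in each epoch.
    conn.execute("INSERT INTO urls VALUES (?, ?, ?, ?, ?)",
                 (1, "http://cfed-ttf.blogspot.com/", "CFED-TTF", 3,
                  12865413720000000))
    conn.execute("INSERT INTO downloads VALUES (?, ?, ?)",
                 (1, "C:\\Users\\mark\\Downloads\\google_chrome_parser.zip",
                  1220940120))
    conn.commit()
    return conn


def history_report(conn):
    """Rows for a report, newest visit first, with timestamps decoded."""
    rows = []
    query = ("SELECT url, title, visit_count, last_visit_time FROM urls "
             "ORDER BY last_visit_time DESC")
    for url, title, count, ts in conn.execute(query):
        rows.append({"url": url, "title": title, "visits": count,
                     "last_visit": decode_timestamp(ts)})
    for path, ts in conn.execute("SELECT full_path, start_time FROM downloads"):
        rows.append({"download": path, "started": decode_timestamp(ts)})
    return rows


if __name__ == "__main__":
    for row in history_report(build_sample_history()):
        print(row)
```

On a real History file, swap build_sample_history() for sqlite3.connect() against a copy of the file, never the live one, and apply decode_timestamp per column. The heuristic cannot catch a single column that mixes both epochs, so confirm each table's convention on a known-good sample before relying on it in a report.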
One thing to note is that Chrome is not very consistent about which date/time format it uses.  Some logs use Unix epoch time (seconds since Jan 1 1970) and others use the Microsoft epoch (Jan 1 1601, the same epoch as Windows FILETIME), which Chrome counts in microseconds; a parser that assumes one where the other is in use reports wildly wrong dates.  Chrome also stores thumbnails of web pages in these logs.  These thumbnails are used when you first start Chrome to show you 9 pages you have visited.  The above log parser will pull these thumbnails out and present them in the reports as well.&lt;br /&gt;&lt;br /&gt;As I said above, this program is a work in progress and there is still more research to be done to make it better.  I just wanted to get it out to all you guys to start to play with it.&lt;br /&gt;&lt;br /&gt;As always, Questions/Comments/Suggestions.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-2778687517011979120?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/2778687517011979120/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=2778687517011979120' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2778687517011979120'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2778687517011979120'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/09/google-chrome-log-parser.html' title='Google Chrome Log Parser'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-1504212832528920104</id><published>2008-07-03T08:55:00.004-05:00</published><updated>2008-07-03T09:33:15.739-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Thumbcache'/><category scheme='http://www.blogger.com/atom/ns#' term='Vista Recycle Bin'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyberspeak'/><category scheme='http://www.blogger.com/atom/ns#' term='Ovie Carroll'/><title type='text'>Thumbcache Version 2</title><content type='html'>If anyone has been to one of Ovie Carroll's recent presentations on Vista you will probably have heard mention of this program. It was also mentioned during my interview on Cyberspeak. This is a rewrite of the program that was written for this &lt;a href="http://cfed-ttf.blogspot.com/2007/10/thumbs-up-to-ovie.html"&gt;blog entry&lt;/a&gt;. This program will read either a directory where the thumbcache_*.db files are or the individual thumbcache files. If you happen to pull the thumbcache_*.db files out, make sure you include the thumbcache_idx.db file; it adds a date/timestamp to the reports for each picture extracted. This program will not only read the thumbcache and export the files, it will also create a nice, professional report to pass along to someone. You can also copy the whole directory and burn it to a CD and the reports will still display everything correctly.&lt;br /&gt;&lt;br /&gt;The program can be found &lt;a href="http://RedWolfComputerForensics.com/downloads/thumbcache-installer.exe"&gt;here&lt;/a&gt;. This program is a little different as I have started playing with the NSIS installer. The installer will ask you to input your name, agency name and a location for your organization's logo. This information is used in the reports to give them that professional look. 
If you do not fill the information in there will be a few blank spots on the reports.&lt;br /&gt;&lt;br /&gt;As always, Questions/Comments/Suggestions/Etc....&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-1504212832528920104?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/1504212832528920104/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=1504212832528920104' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1504212832528920104'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1504212832528920104'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/07/thumbcache-version-2.html' title='Thumbcache Version 2'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-4951472531766031130</id><published>2008-07-03T08:49:00.003-05:00</published><updated>2008-07-03T08:54:36.974-05:00</updated><title type='text'>Cyberpark</title><content type='html'>&lt;BR&gt;&lt;BR&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_XoxBto2FiVM/SGzZv0Y4yUI/AAAAAAAAAEg/bnDObz9fEwk/s1600-h/cyberpark.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://bp1.blogger.com/_XoxBto2FiVM/SGzZv0Y4yUI/AAAAAAAAAEg/bnDObz9fEwk/s320/cyberpark.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5218785483755669826" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Nuff said&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-4951472531766031130?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/4951472531766031130/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=4951472531766031130' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/4951472531766031130'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/4951472531766031130'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/07/cyberpark.html' title='Cyberpark'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_XoxBto2FiVM/SGzZv0Y4yUI/AAAAAAAAAEg/bnDObz9fEwk/s72-c/cyberpark.JPG' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-574357791357773073</id><published>2008-06-20T08:33:00.003-05:00</published><updated>2008-06-20T08:58:15.372-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Travel'/><category scheme='http://www.blogger.com/atom/ns#' term='Montreal'/><title type='text'>Montreal 
Area Blog Readers</title><content type='html'>I will be in Montreal from July 6 thru July 10th.  If anyone wants to get together for dinner one evening then let me know.  You can contact me at mark dot mckinnon at sbcglobal dot net and we can set something up.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-574357791357773073?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/574357791357773073/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=574357791357773073' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/574357791357773073'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/574357791357773073'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/06/montreal-area-blog-readers.html' title='Montreal Area Blog Readers'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-1833698231870295868</id><published>2008-06-18T06:24:00.004-05:00</published><updated>2008-06-18T07:25:31.275-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RegRipper'/><category scheme='http://www.blogger.com/atom/ns#' term='Advanced Registry Fix'/><category scheme='http://www.blogger.com/atom/ns#' term='Harlan Carvey'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Registry'/><title type='text'>What Does This Tell You - The Answer</title><content type='html'>And the answer is ......... a program called &lt;a href="http://advancedregistryfix.com/"&gt;"Advanced Registry Fix"&lt;/a&gt; was run on the system.  I saw this program advertised on &lt;a href="http://www.bitsdujour.com/software/advanced-registry-fix/"&gt;Bits Du Jour&lt;/a&gt;, which I blogged about &lt;a href="http://cfed-ttf.blogspot.com/2008/06/bits-du-jour.html"&gt;here&lt;/a&gt;.  There is a free download for the program, so I thought I would download it and try it out to see what it actually did to the registry.&lt;br /&gt;&lt;br /&gt;One of the things I found is that, to "clean" up the registry, what it does for the MRUList is check whether the files still exist on the system.  If they do not, it removes the file name value (a and b were removed), but it does not remove the entry for that item from the MRUList itself.  That is why &lt;a href="http://windowsir.blogspot.com"&gt;Harlan's&lt;/a&gt; &lt;a href="http://sourceforge.net/project/showfiles.php?group_id=164158"&gt;RegRipper&lt;/a&gt; displayed 2 blank lines: it expected entries there because the MRUList said there were supposed to be entries there.  I was not sure how RegRipper would handle this when I first saw what Advanced Registry Fix did, and was happy to see how it handled it (great job Harlan).&lt;br /&gt;&lt;br /&gt;Here is the before image of the registry:&lt;br /&gt;&lt;br /&gt;a&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;REG_SZ&amp;nbsp;&amp;nbsp;&amp;nbsp;F:\methodology_form_blank.pdf&lt;br /&gt;b&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;REG_SZ&amp;nbsp;&amp;nbsp;&amp;nbsp;F:\report_blank.pdf&lt;br /&gt;c&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;REG_SZ&amp;nbsp;&amp;nbsp;&amp;nbsp;C:\Mark\dc3_challenge\methodology_form_blank.pdf&lt;br /&gt;d&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;REG_SZ&amp;nbsp;&amp;nbsp;&amp;nbsp;C:\Mark\dc3_challenge\report_blank.pdf&lt;br /&gt;MRUList&amp;nbsp;&amp;nbsp;REG_SZ&amp;nbsp;&amp;nbsp;&amp;nbsp;cdba&lt;br /&gt;&lt;br /&gt;The F:\ drive was a USB thumb drive.&lt;br /&gt;&lt;br /&gt;Here is the after image of the registry, after running "Advanced Registry Fix":&lt;br /&gt;&lt;br /&gt;c&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;REG_SZ&amp;nbsp;&amp;nbsp;&amp;nbsp;C:\Mark\dc3_challenge\methodology_form_blank.pdf&lt;br /&gt;d&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;REG_SZ&amp;nbsp;&amp;nbsp;&amp;nbsp;C:\Mark\dc3_challenge\report_blank.pdf&lt;br /&gt;MRUList&amp;nbsp;&amp;nbsp;REG_SZ&amp;nbsp;&amp;nbsp;&amp;nbsp;cdba&lt;br /&gt;&lt;br /&gt;Another thing I found out is that once you open a program that writes to the MRUList it will correct everything (the MRUList will have the non-existent entries removed).&lt;br /&gt;&lt;br /&gt;This just goes to show you how a $10 (price on Bits du Jour) to $20 (retail price) piece of software can really throw you for a loop and get you thinking that someone was deliberately trying to hide something when they were not; they were just trying to keep their system running in an optimal state by using valid system maintenance software.  
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Thoughts/Questions/Comments????&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-1833698231870295868?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/1833698231870295868/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=1833698231870295868' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1833698231870295868'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1833698231870295868'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/06/what-does-this-tell-you-answer.html' title='What Does This Tell You - The Answer'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-3786838163478436786</id><published>2008-06-13T11:57:00.003-05:00</published><updated>2008-06-13T12:09:04.263-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RegRipper'/><category scheme='http://www.blogger.com/atom/ns#' term='Harlan Carvey'/><category scheme='http://www.blogger.com/atom/ns#' term='Registry'/><category scheme='http://www.blogger.com/atom/ns#' term='Anti Forensics'/><title type='text'>What does this tell you</title><content type='html'>I have been doing some testing with &lt;a href="http://windowsir.blogspot.com"&gt;Harlan Carvey's&lt;/a&gt; &lt;a 
href="http://sourceforge.net/project/showfiles.php?group_id=164158"&gt;RegRipper&lt;/a&gt;, which is a pretty cool tool, and I ran across this entry after running it against my ntuser.dat file.&lt;br /&gt;&lt;br /&gt;ComDlg32\OpenSaveMRU&lt;br /&gt;**All values printed in MRUList order.&lt;br /&gt;Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU&lt;br /&gt;LastWrite Time Wed Jun 11 18:48:27 2008 (UTC)&lt;br /&gt;&lt;br /&gt;..&lt;br /&gt;..&lt;br /&gt;&lt;br /&gt;Subkey: pdf&lt;br /&gt;LastWrite Time Fri Jun 13 12:41:16 2008 (UTC)&lt;br /&gt;MRUList = cdba&lt;br /&gt;c -&gt; C:\Mark\dc3_challenge\methodology_form_blank.pdf&lt;br /&gt;d -&gt; C:\Mark\dc3_challenge\report_blank.pdf&lt;br /&gt;b -&gt; &lt;br /&gt;a -&gt; &lt;br /&gt;&lt;br /&gt;..&lt;br /&gt;..&lt;br /&gt;&lt;br /&gt;I cut out the stuff before and after the pdf subkey.  Now, after looking at this, what do you think it is telling you?  Is this some kind of anti-forensics tool that was run?  Why are there entries missing?  I will hold off on the answer until next week to see if someone wants to throw an answer out there. 
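
Both RegRipper posts (this question and its answer, which appears above because the feed lists newest first) turn on the same inconsistency: a MRUList that still names slots whose values are gone. As an added example, not RegRipper's code or anything from Harlan Carvey's tool, here is a Python walk over a constructed copy of the pdf subkey from the answer post that lists the key in MRUList order, flags the dangling slots RegRipper showed as blank lines, checks for the reverse gap, and reproduces the behaviour the answer attributes to the registry cleaner: values for missing files are dropped while the MRUList is left as it was.

```python
"""Report an OpenSaveMRU-style subkey in MRUList order and flag the
inconsistency both posts show: slots the MRUList names whose values are gone.

Added example, not RegRipper's code. The subkey is a constructed dict of
value name to data, copied from the before/after listings in the answer post.
"""

BEFORE = {
    "a": r"F:\methodology_form_blank.pdf",
    "b": r"F:\report_blank.pdf",
    "c": r"C:\Mark\dc3_challenge\methodology_form_blank.pdf",
    "d": r"C:\Mark\dc3_challenge\report_blank.pdf",
    "MRUList": "cdba",
}

# Same key after the registry cleaner ran: a and b are gone, MRUList is not.
AFTER = {
    "c": r"C:\Mark\dc3_challenge\methodology_form_blank.pdf",
    "d": r"C:\Mark\dc3_challenge\report_blank.pdf",
    "MRUList": "cdba",
}


def mru_in_order(values):
    """(slot, data) pairs in MRUList order, most recent first. A slot the
    MRUList names but the key lacks yields None, the blank line RegRipper printed."""
    return [(slot, values.get(slot)) for slot in values.get("MRUList", "")]


def dangling_slots(values):
    """Slots named in MRUList with no value under the key."""
    return [slot for slot, data in mru_in_order(values) if data is None]


def orphan_values(values):
    """Values under the key that MRUList does not name (the reverse gap)."""
    order = values.get("MRUList", "")
    return sorted(slot for slot in values
                  if slot != "MRUList" and slot not in order)


def simulate_cleaner(values, existing_paths):
    """What the answer post observed Advanced Registry Fix doing: drop each
    file-name value whose path no longer exists, leave MRUList untouched."""
    return {slot: data for slot, data in values.items()
            if slot == "MRUList" or data in existing_paths}


def assess(values):
    """Examiner's note for the key, separating 'inconsistent' from 'wiped'."""
    dangling = dangling_slots(values)
    orphans = orphan_values(values)
    if not dangling and not orphans:
        verdict = "consistent"
    elif dangling and not orphans:
        verdict = ("dangling MRUList slots " + ",".join(dangling) +
                   ": values removed but MRUList left as it was; matches a "
                   "registry cleaner pruning entries for missing files, not "
                   "on its own evidence of deliberate wiping")
    else:
        verdict = "MRUList and values disagree in both directions; check LastWrite times"
    return {"ordered": mru_in_order(values), "dangling": dangling,
            "orphans": orphans, "verdict": verdict}


if __name__ == "__main__":
    still_present = {BEFORE["c"], BEFORE["d"]}   # the F: thumb drive is unplugged
    assert simulate_cleaner(BEFORE, still_present) == AFTER
    for label, key in (("before", BEFORE), ("after", AFTER)):
        print(label, assess(key))
```

The verdict string is what belongs in the case notes: a MRUList that points at missing values is an inconsistency to explain, and the subkey's LastWrite time (Fri Jun 13 12:41:16 2008 UTC in the listing above) bounds when the values went away, but neither distinguishes a cleaner from deliberate wiping by itself; running the suspected product on a test system, as the answer post did, is what settles it.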
&lt;br /&gt;&lt;br /&gt;Questions/Comments/Thoughts?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-3786838163478436786?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/3786838163478436786/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=3786838163478436786' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3786838163478436786'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3786838163478436786'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/06/what-does-this-tell-you.html' title='What does this tell you'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-1096469095841744544</id><published>2008-06-12T14:08:00.003-05:00</published><updated>2008-06-12T14:22:56.967-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='four lincolns'/><category scheme='http://www.blogger.com/atom/ns#' term='music'/><category scheme='http://www.blogger.com/atom/ns#' term='ipod'/><title type='text'>What's in your Ipod........</title><content type='html'>Ok so I stole the title and tweaked it a little. The question of the day is what type of music do you listen to when you are doing forensic work. 
Are you like Hugh Jackman in Swordfish, jamming out as your fingers fly across the keyboard? Besides the big-name individuals or groups (I like Bob Seger, Tom Petty, The Eagles, 3 Doors Down, John Mellencamp and many more), have you found some local musical group that you like to listen to when you need to do some heads-down forensic work? Now are you willing to share that with the rest of us? I will go first: the &lt;a href="http://www.myspace.com/fourlincolns"&gt;Four Lincolns&lt;/a&gt; out of Grand Rapids, Michigan; you can check out their MySpace page and listen to their tunes. So who else is willing to share their favorite local band/musician or other big-name group with the rest of us and add some more music selections to our iPods?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-1096469095841744544?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/1096469095841744544/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=1096469095841744544' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1096469095841744544'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1096469095841744544'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/06/whats-in-your-ipod.html' title='What&apos;s in your Ipod........'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-7774203552811657975</id><published>2008-06-12T11:56:00.002-05:00</published><updated>2008-06-12T12:04:21.313-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Bits du jour'/><category scheme='http://www.blogger.com/atom/ns#' term='Software'/><title type='text'>Bits du Jour</title><content type='html'>Over on the &lt;a href="http://www.bitsdujour.com/"&gt;Bits du Jour&lt;/a&gt; website you can find daily deals on software you may never have heard of. You can subscribe to their daily deals and get an email every day. This is an excellent way to stay current on software that is low cost and that you may come across in your travels.&lt;br /&gt;&lt;br /&gt;For example, I have seen wiping programs, partition managers, photo hiding and spying software being sold on this site. All the software offers a free demo as well as being low cost.  
Another excellent way to acquire software to evaluate and research.&lt;br /&gt;&lt;br /&gt;This is just one more way to keep you informed of what may be out there.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Questions/Comments/Thoughts?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-7774203552811657975?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/7774203552811657975/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=7774203552811657975' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/7774203552811657975'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/7774203552811657975'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/06/bits-du-jour.html' title='Bits du Jour'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-8812928290245370389</id><published>2008-06-12T10:35:00.004-05:00</published><updated>2008-06-12T11:06:17.673-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Private Investigator'/><category scheme='http://www.blogger.com/atom/ns#' term='Michigan'/><category scheme='http://www.blogger.com/atom/ns#' term='PI'/><category scheme='http://www.blogger.com/atom/ns#' term='Professional Investigator'/><title type='text'>Professional Investigator License in 
Michigan</title><content type='html'>This is another example of how the government in the state of Michigan is trying to screw with its residents. They have already done enough harm to this state; I am not sure why they wanted to do more. I will only hit on a few things here. If you want to read the whole thing you can find it &lt;a href="http://www.legislature.mi.gov/(S(hkj2ex45elunup45gmjv3f45))/mileg.aspx?page=getObject&amp;objectName=2007-HB-5274"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Now according to the new law it takes effect immediately. Now what does this do to your current case load? Do you go and find a PI that will allow you to go under their license? If you want to still practice you will. There is a lead time of approx. 12 weeks in order to get through the process. The funny thing is as of yesterday they do not have the new application to use to apply for the license. Now how can a law go into effect and there be no lead time in order to get your affairs together? Brilliant thinking on the Legislature's part.&lt;br /&gt;&lt;br /&gt;Now for those that do happen to read this bill here is the intro to it:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;"An act to license and regulate professional investigators; to provide for certain powers and duties for certain state agencies and local officials; to provide for the imposition for certain fees; to protect the general public against unauthorized,&lt;br /&gt;unlicensed and unethical operations by professional investigators; to provide for immunity for certain persons under certain circumstances; to provide for penalties and remedies; and to repeal acts and parts of acts."&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Now reading the law they have their standard requirements about age and felonies, but here is where it gets interesting:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;"A graduate of an accredited institution of higher education with a baccalaureate or postgraduate degree in the field of police administration, security management, 
investigation, law, criminal justice, or computer forensics or other computer forensic industry certificated study that is acceptable to the department."&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Now I can have a degree in Police Administration, investigation or Criminal Justice and practice forensics? Yep, that is what it says. So do I really need to know anything about computer forensics to practice if I have a 4 year degree in CJ? I can easily go purchase any of the packages and hang my shingle out and state I practice Computer Forensics. So that being said I do not see where this has helped out the general public except to put decent forensic examiners out of work until they can get their license, which without the proper applications being made available may take some time if they even get them out there.&lt;br /&gt;&lt;br /&gt;Now do not get me wrong, I think regulation is fine; as an industry we probably should be regulated, but not with laws like this. But in true State of Michigan fashion let's do a crappy job and not think things through. For being a full-time Legislature you would think they would do a better job.&lt;br /&gt;&lt;br /&gt;Living and practicing in the State of Michigan I am waiting for the proper applications to be made available so I can apply. We will see how it goes. 
I hope I meet their criteria to be able to practice Computer Forensics.&lt;br /&gt;&lt;br /&gt;Questions/Comments/Thoughts??</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/8812928290245370389/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=8812928290245370389' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8812928290245370389'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8812928290245370389'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/06/professional-investigator-license-in.html' title='Professional Investigator License in Michigan'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-417807030764702626</id><published>2008-05-18T20:18:00.003-05:00</published><updated>2008-05-18T21:03:50.857-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensic 4Cast Podcast'/><title type='text'>Forensic 4Cast - A New PodCast</title><content type='html'>Well, there is a new forensic podcast on the block. It is called Forensic 4Cast and can be found &lt;a href="http://whitfields.org/4cast/?p=6"&gt;here&lt;/a&gt;. 
I just listened to it and it is pretty good, especially being their first podcast. Lee and Simon are the hosts for the show and they are Forensic Investigators/Analysts in the UK. They discuss Cofee, the UK Extreme Porn Bill and the Computer Misuse Act. If you want to email the guys, their email address is 4cast at whitfields.org.&lt;br /&gt;&lt;br /&gt;Lee and Simon, keep up the good work.&lt;br /&gt;&lt;br /&gt;Questions/Comments/Suggestions?</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/417807030764702626/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=417807030764702626' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/417807030764702626'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/417807030764702626'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/05/forensic-4cast-new-podcast.html' title='Forensic 4Cast - A New PodCast'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-718033567187460338</id><published>2008-03-22T13:34:00.004-05:00</published><updated>2008-04-26T17:23:24.536-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CSC/Offline Folders'/><category 
scheme='http://www.blogger.com/atom/ns#' term='CSC'/><category scheme='http://www.blogger.com/atom/ns#' term='Recovery'/><title type='text'>CSC Parser Version 2.0</title><content type='html'>As there have been over 490 downloads of this program and I have helped numerous people recover their Offline Folder/CSC directory, I thought I would update the software. You can find version 2.0 &lt;a href="http://RedWolfComputerforensics.com/downloads/CSC_Parser.zip"&gt;here&lt;/a&gt;. It has changed in that it uses drop down menus now instead of buttons. When you try to recover files you have 2 choices: using the 00000002 or the csc1.tmp file. Both options will now copy the files that can be recovered to a directory of your choosing. Remember that you must have a good copy of the 00000002 or the csc1.tmp file. To run the program just unzip into a directory and run the program csc_parser.exe. I have removed the source code this time, but this program is still free for personal use; for commercial use please contact me about using this program.&lt;br /&gt;&lt;br /&gt;Now for those users who have reinitialized their offline folder/csc, I also have a program that might work for you, as it scans the CSC folder and tries to rebuild what was there. This is the professional version of the csc_parser. This program can be purchased for $50.00 (button is on the side of the blog). This program will also have the above functionality in it as well.&lt;br /&gt;&lt;br /&gt;I have also added a Donate button on the side of the blog. If this program helps you out and you would like to donate that would be great; you are under no obligation to donate if you do not want to. 
If you do decide to donate and you donate 27.00 then I will also send you a complimentary copy of the CSC_Parser_Pro program.&lt;br /&gt;&lt;br /&gt;Questions/Thoughts/Comments?</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/718033567187460338/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=718033567187460338' title='13 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/718033567187460338'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/718033567187460338'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/03/csc-parser-version-20.html' title='CSC Parser Version 2.0'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>13</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-1202783436673840306</id><published>2008-02-27T21:17:00.005-05:00</published><updated>2008-02-27T21:39:02.207-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Prefetch file'/><title type='text'>Prefetch Information</title><content type='html'>Here is a quick and dirty program to parse a prefetch file and output some important information.  
It is only a command line program currently and does not use a database or scan the prefetch directory (I know I am slacking; those would be some good improvements to make and pretty easy).  What it will do is parse the prefetch file, giving you the standard information that other programs have given, i.e. embedded date, number of times run and executable name, &lt;strong&gt;plus&lt;/strong&gt; a list of directories and files that are/have been loaded.  The program can be found &lt;a href="http://redwolfcomputerforensics.com/downloads/prefetch_info.zip"&gt;here&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;To run the program just type &lt;em&gt;&lt;strong&gt;&lt;br /&gt;&lt;br /&gt;prefetch_info.exe &amp;lt;directory/prefetch file name&amp;gt;&lt;/strong&gt;&lt;/em&gt;.&lt;br /&gt;&lt;br /&gt;Here is an example of the output for the following prefetch file, AID4MAIL.EXE-1EE932F2.pf.  Now one thing to note is where the AID4MAIL.EXE program was run from; kinda cool to see it did not run from the hard drive of my laptop but from a USB thumb drive.  
&lt;br /&gt;You can also see what song I was listening to when I ran the AID4MAIL program as well (you can search for that one).&lt;br /&gt;&lt;br /&gt;As always Questions/Comments/Thoughts?&lt;br /&gt;&lt;br /&gt;File Name that was run AID4MAIL.EXE&lt;br /&gt;&lt;br /&gt;Date/Time prefetch file was created Thu Feb 28 02:16:21 2008&lt;br /&gt;Date/Time prefetch file was modified Thu Feb 28 02:16:21 2008&lt;br /&gt;Date/Time prefetch file was last accessed Thu Feb 28 02:16:21 2008&lt;br /&gt;&lt;br /&gt;File AID4MAIL.EXE was run 1 times&lt;br /&gt;&lt;br /&gt;AID4MAIL.EXE Embeded date/time is Thu Feb 28 02:16:11 2008&lt;br /&gt;&lt;br /&gt;List of files and Directories whose pages are to be loaded&lt;br /&gt;&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNEL32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UNICODE.NLS&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LOCALE.NLS&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SORTTBLS.NLS&lt;br /&gt;&lt;strong&gt;\DEVICE\HARDDISK3\DP(1)0-0+8\AID4MAIL\AID4MAIL.EXE&lt;/strong&gt;&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USER32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\GDI32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IMM32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ADVAPI32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RPCRT4.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LPK.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USP10.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSVCRT.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CTYPE.NLS&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\AMINIT.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SORTKEY.NLS&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\TEMP\AEXAM\AEXFD.TMP&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLEAUT32.DLL&lt;br 
/&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLE32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MPR.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\VERSION.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_659&lt;br /&gt;5B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\COMCTL32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SHLWAPI.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\WINDOWSSHELL.MANIFEST&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINSPOOL.DRV&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SHELL32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\COMDLG32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINMM.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ENTAPI.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\PSAPI.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETAPI32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NETWOR&lt;br /&gt;K ASSOCIATES\BOPDATA\_DATE-20080227_TIME-171047859_ENTERCEPTEXCEPTIONS.DAT&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NETWOR&lt;br /&gt;K ASSOCIATES\BOPDATA\_DATE-20080227_TIME-171047859_ENTERCEPTRULES.DAT&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UXTHEME.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSCTFIME.IME&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RPCSS.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WDMAUD.DRV&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SETUPAPI.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINTRUST.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CRYPT32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSASN1.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IMAGEHLP.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSACM32.DRV&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSACM32.DLL&lt;br 
/&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MIDIMAP.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\$MFT&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\APPHELP.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CLBCATQ.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\COMRES.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\REGISTRATION\R000000000013.CLB&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\TORTOISESVN.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WININET.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\LIBAPR_TSVN.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2_32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2HELP.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSWSOCK.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8&lt;br /&gt;.0.50727.762_X-WW_6B128700\MSVCR80.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\LIBAPRUTIL_TSVN.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\LIBAPRICONV_TSVN.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\INTL3_SVN.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8&lt;br /&gt;.0.50727.762_X-WW_6B128700\MSVCP80.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SHFOLDER.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\ICONV\WINDOWS-1252.SO&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\ICONV\_TBL_SIMPLE.SO&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\ICONV\UTF-8.SO&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CSCUI.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CSCDLL.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RICHED32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RICHED20.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\WIN.INI&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USERENV.DLL&lt;br 
/&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DRPROV.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTLANMAN.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETUI0.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETUI1.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETRAP.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SAMLIB.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DAVCLNT.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTSHRUI.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ATL.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WPDSHEXT.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144C&lt;br /&gt;CF1DF_1.0.2600.2180_X-WW_522F9F82\GDIPLUS.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\PORTABLEDEVICEAPI.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\AUDIODEV.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WMVCORE.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WMASF.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\MARK\ITUNES\EMINEM\CURTAIN CALL - THE HITS (EDITED VERSI&lt;br /&gt;ON)\SHAKE THAT (EDITED VERSION).M4A&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSIMTF.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SECUR32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\Mark\LOCAL SETTINGS\TEMPORARY INT&lt;br /&gt;ERNET FILES\CONTENT.IE5\INDEX.DAT&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\Mark\COOKIES\INDEX.DAT&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\Mark\LOCAL SETTINGS\HISTORY\HISTO&lt;br /&gt;RY.IE5\INDEX.DAT&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASAPI32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASMAN.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\TAPI32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RTUTILS.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSV1_0.DLL&lt;br 
/&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IPHLPAPI.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SENSAPI.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSCTF.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\URLMON.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MLANG.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WSOCK32.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\HNETCFG.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WSHTCPIP.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DNSAPI.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\BONJOUR\MDNSNSP.DLL&lt;br /&gt;\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASADHLP.DLL</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/1202783436673840306/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=1202783436673840306' title='12 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1202783436673840306'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1202783436673840306'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/02/prefetch-information.html' title='Prefetch Information'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' 
src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>12</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-3307139229256839973</id><published>2008-02-27T18:59:00.005-05:00</published><updated>2008-02-28T07:23:28.004-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CaseNotes'/><category scheme='http://www.blogger.com/atom/ns#' term='Notes'/><category scheme='http://www.blogger.com/atom/ns#' term='tiddly wiki'/><title type='text'>NoteCase For Those Case Notes and Outlines</title><content type='html'>While I was surfing for something to create a task type list I came across this software, the NoteCase note manager. It can be found &lt;a href="http://notecase.sourceforge.net/"&gt;here&lt;/a&gt;. Here is their brief description from their site:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;&lt;strong&gt;NoteCase is a hierarchical note manager (aka. outliner). It helps you organize your everyday text notes into a single document, with individual notes placed in the tree-like structure (each note can have its sub-notes, ...). To ensure your privacy, encrypted document format is supported, along with standard unencrypted format. Project is free and open source. &lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;After choosing which version to download (I went with the Windows portable version so I can take it with me) and installing it, I started to play around with it. Now this is a pretty cool open source project. What it allows you to do is create an outline (series of expandable nodes) and add text, pictures, links and attachments to each node. You can add a date time entry and also cross out entries as you create them. If saving your file encrypted is an option you want, you can do that also. You can even export into html, text and even an executable. If you want to use a language other than English you have your choice of 33 other languages. 
I &lt;a href="http://cfed-ttf.blogspot.com/2007/01/notes-during-investigation.html"&gt;blogged&lt;/a&gt; last year about &lt;a href="http://tiddlywiki.com/"&gt;TiddlyWiki&lt;/a&gt; and how it was nice to have something to carry with you to take notes and so forth, and I would rate this product right up there with TiddlyWiki, especially since it does so many languages (looking at where you readers are I can see where the other languages would come in handy).&lt;br /&gt;&lt;br /&gt;Thoughts/comments/questions?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Addendum, Feb 28, 2008&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;I forgot to mention that NoteCase is available for all these platforms:&lt;br /&gt;&lt;br /&gt;Linux/Unix (with GTK+ 2.x installed)&lt;br /&gt;Windows 9x/2000/XP/Vista&lt;br /&gt;Mac OS X&lt;br /&gt;Free BSD (available elsewhere on Internet)&lt;br /&gt;Sharp Zaurus platform (running pdaxrom or angstrom Linux distro)&lt;br /&gt;Nokia Maemo platform (Nokia N770/N800)&lt;br /&gt;Nokia Maemo OS2008 platform (Nokia N800/N810)</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/3307139229256839973/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=3307139229256839973' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3307139229256839973'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3307139229256839973'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/02/notecase-for-those-case-notes-and.html' title='NoteCase For Those Case 
Notes and Outlines'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-637869447320983052</id><published>2008-01-23T22:40:00.000-05:00</published><updated>2008-01-23T23:10:49.441-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Perl'/><category scheme='http://www.blogger.com/atom/ns#' term='VMWare'/><category scheme='http://www.blogger.com/atom/ns#' term='Mount DD Image'/><category scheme='http://www.blogger.com/atom/ns#' term='Live View'/><title type='text'>Mount That DD Image with VMWare........</title><content type='html'>As most of you are aware, you can use &lt;a href="http://liveview.sourceforge.net"&gt;Live View&lt;/a&gt; to create a virtual machine so you can boot up and check it out. If you use the snapshot feature to make it read only, then you can do whatever you want to the image and it will not harm it (I won't go into VMWare's Snapshot features). Now what if you want to mount one of the partitions to a drive and scan it with a virus scanner or some other tool? Well now you can, by using the 4 Perl scripts and executables I created. The zip file containing the Perl scripts and executables can be found &lt;a href="http://redwolfcomputerforensics.com/downloads/vmmount.zip"&gt;here&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;Now in order to use these scripts you will need to have created the DD image into a VMware machine using LiveView (this is so that a snapshot is taken and you can revert back to the snapshot; this makes it read only, so make sure you do this, otherwise it will not be read only). 
Once you have created the VM, here is what you need to do; run the following programs:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;&lt;strong&gt;vm-vol-list.exe &amp;lt;PATH to VM&amp;gt;\&amp;lt;VMDK File&amp;gt;&lt;/strong&gt;&lt;/em&gt; -- path and file in quotes if it contains spaces&lt;br /&gt;&lt;br /&gt;This will list all the volumes in this virtual machine. You need to pick the one you want mounted, then issue the following command.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;&lt;strong&gt;vm-mount.exe &amp;lt;PATH to VM&amp;gt;\&amp;lt;VMDK File&amp;gt; &amp;lt;Drive Letter to mount to without :&amp;gt; &amp;lt;Volume number from previous step&amp;gt;&lt;/strong&gt;&lt;/em&gt; -- path and file in quotes if it contains spaces&lt;br /&gt;&lt;br /&gt;This will then mount your volume to the drive specified. You can then do anything you want. To unmount the drive issue the following command.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;&lt;strong&gt;vm-unmount.exe &amp;lt;Drive Letter to mount to without :&amp;gt;&lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;This will unmount the volume from the drive. To revert the image back to its original state issue the following command.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;&lt;strong&gt;vm-snapshot.exe &amp;lt;PATH to VM&amp;gt;\&amp;lt;VMX File&amp;gt; &lt;/strong&gt;&lt;/em&gt; -- path and file in quotes if it contains spaces. NOTE: the vmx file, not the vmdk file. &lt;br /&gt;&lt;br /&gt;This will revert any changes that were made, so the image will look exactly as it did just before you mounted it. 
This uses the default snapshot name created by Live View so if you use another name then you will have to change the Perl script.&lt;br /&gt;&lt;br /&gt;Questions/Comments/Thoughts???</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/637869447320983052/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=637869447320983052' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/637869447320983052'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/637869447320983052'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/01/mount-that-dd-image-with-vmware.html' title='Mount That DD Image with VMWare........'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-9049531678060433058</id><published>2008-01-12T17:03:00.000-05:00</published><updated>2008-01-12T17:12:57.766-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MS Word'/><category scheme='http://www.blogger.com/atom/ns#' term='Word Perfect'/><category scheme='http://www.blogger.com/atom/ns#' term='Tool Mark Library'/><category scheme='http://www.blogger.com/atom/ns#' term='DOC'/><category scheme='http://www.blogger.com/atom/ns#' term='Hogfly'/><title 
type='text'>A file tool mark Library</title><content type='html'>Adding to &lt;a href="http://forensicir.blogspot.com"&gt;Hogfly's&lt;/a&gt; idea about an &lt;a href="http://forensicir.blogspot.com/2008/01/tool-mark-library-first-cut.html"&gt;application tool mark library&lt;/a&gt; and looking at my last post, I think it might be interesting to have a file type tool mark library. What if you were able to look at a file and determine what program was used to create it?  In my last blog I showed how a doc file that had been originally created in Word changed once it was saved in Word Perfect. Now how could this be important? Well, if that file was found on a PC that did not have Word Perfect installed, then you can show that the file was not maintained there. &lt;br /&gt;&lt;br /&gt;Thoughts/Comments/Questions??</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/9049531678060433058/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=9049531678060433058' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/9049531678060433058'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/9049531678060433058'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/01/file-tool-mark-library.html' title='A file tool mark Library'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' 
src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-6506948640940462168</id><published>2008-01-11T18:32:00.000-05:00</published><updated>2008-01-12T03:02:23.808-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MS Word'/><category scheme='http://www.blogger.com/atom/ns#' term='Word Perfect'/><category scheme='http://www.blogger.com/atom/ns#' term='Metadata'/><category scheme='http://www.blogger.com/atom/ns#' term='DOC'/><category scheme='http://www.blogger.com/atom/ns#' term='WMD.pl'/><category scheme='http://www.blogger.com/atom/ns#' term='Harlan Carvey'/><title type='text'>What is your MS Office Metadata Telling You???</title><content type='html'>So you are given a couple of word documents and the person who gave them to you wants to know what you can tell them about the files. You tell them no problem and start to analyze them. You can get the files &lt;a href="http://redwolfComputerforensics.com/downloads/Word-Meta-Examples.zip"&gt;here&lt;/a&gt;. Now they all look like Word Docs, they open like word docs but some of them smell kinda funny. The reason some of them smell funny is that they have no normal word metadata. Now the first file has all the usual metadata but the rest of them seem to have lost their metadata. Now to cut to the chase every document after test-1.doc was opened in Word Perfect and saved in a MS Word Document format. I have not really heard any discussion about this until I came ac cross a file just like the ones I will be discussing (how I find this stuff sometimes I will never know).&lt;br /&gt;&lt;br /&gt;The first file, test-1.doc was created in Microsoft Word 2003 and saved. 
If you run &lt;a href="http://Windowsir.blogspot.com"&gt;Harlan Carvey's&lt;/a&gt; &lt;a href="http://ftp.gwdg.de/pub/languages/perl/CPAN/authors/id/H/HC/HCARVEY/File-MSWord-0.1.zip"&gt;WMD.pl&lt;/a&gt; program against it you will see that it comes back with a whole slew of metadata. Every file after this one was opened in Word Perfect (WP) and saved in MS Word 97/XP/2003 format. You really need to look at these files in a hex editor to appreciate what is going on here.&lt;br /&gt;&lt;br /&gt;In test-2.doc everything looks like test-1.doc, except that towards the end of the file you can see where the body text I typed resides, along with the changes I made. This is very interesting because each time I save the file it switches between the top text and the bottom text. If you compare the 2 areas you can see that one is the newly edited text and the other is the previously saved text (I numbered each sentence I typed so you can tell what order I saved them in). Kinda cool how you can start to see the changes in the file. Now, after the first save in WP, if you search for the hex values FEFF00 you should find 2 spots in the file where the Word metadata resides (my name, company, title, etc.). Those bytes are the start of an OLE property set stream (the 0xFFFE byte-order mark followed by a version of 0), and a Word document carries two such streams, SummaryInformation and DocumentSummaryInformation, which is why there are exactly 2 hits. After you save the file again, that first section of metadata disappears (if you look at the difference between test-2.doc and test-3.doc you will see what I mean). After the third save the next set of Word metadata is gone too (test-4.doc). Now you understand why there was no metadata. Files 5, 6 and 7 just show how the text of the file goes back and forth between the 2 areas. Also in the file you will see the words "Corel Corporation", which leads you to believe that it was edited in WP.&lt;br /&gt;&lt;br /&gt;Now let's say that you have files test-1.doc, test-2.doc and test-3.doc. What can you really say about them? 
Well, here is what I would state about these files:&lt;br /&gt;&lt;br /&gt;Test-1.doc was created in Word; you can tell by the way the file looks and by all the metadata (a Word document has the same fundamental layout every time).&lt;br /&gt;&lt;br /&gt;test-2.doc was edited and saved in Word at one time, because of the presence of the 2 sections starting with FEFF00. With the words "Corel Corporation" in the file and the exact same text in 2 spots in the file, I can say that the file was last saved with Word Perfect.&lt;br /&gt;&lt;br /&gt;test-3.doc was edited and saved in Word at one time, because of the presence of 1 section starting with FEFF00. With the words "Corel Corporation" in the file, and 2 areas of edited text that do not match, I can say that the file was saved with Word Perfect the last 2 times it was saved.&lt;br /&gt;&lt;br /&gt;Does this make sense, and do you come to the same conclusions I have?&lt;br /&gt;&lt;br /&gt;One thing to note if you are using the wmd.pl program mentioned above is that after a couple of saves in WP the metadata will show that the file was created on a Mac and not Windows. I have told Harlan about this so he is aware of it.&lt;br /&gt;&lt;br /&gt;Now the question to ask yourself is what other programs that do a "save as" to another format exhibit this type of behavior.&lt;br /&gt;&lt;br /&gt;I hope I was clear in what I was saying. 
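&lt;br /&gt;&lt;br /&gt;To make the two checks above repeatable, the following Python script is an added example; it is not WMD.pl and not code from the original post. It does on raw bytes what the hex-editor search does: it counts the FE FF 00 00 headers (the start of an OLE property set stream, which is how the SummaryInformation and DocumentSummaryInformation streams begin) and looks for the "Corel Corporation" string. Searching for that string in both ASCII and UTF-16LE is an assumption, since the post only says the words are visible in the file. The sample blobs at the bottom are constructed stand-ins for test-1.doc through test-4.doc, not the real files, and the mapping from header count to number of WP saves is just what this post observed on its own sample set.

```python
"""Scan a Word 97-2003 .doc for the two markers discussed above.

Added example, not WMD.pl and not from the original post. It works on the
raw bytes the way a hex-editor search does, so no OLE library is needed.
"""
import re

# Start of an OLE property set stream: the 0xFFFE byte-order mark written
# as FE FF, followed by a version of 0. The SummaryInformation and
# DocumentSummaryInformation streams (author, company, title, ...) both
# begin this way, which is why a Word-saved .doc gives two hits.
PROPSET_HEADER = b"\xfe\xff\x00\x00"

# The WordPerfect marker the post reports seeing in the file. Assumption:
# it may be stored as ASCII or as UTF-16LE, so both forms are checked.
COREL_MARKERS = (b"Corel Corporation", "Corel Corporation".encode("utf-16-le"))


def count_propset_headers(data):
    """Number of property set stream headers found in the raw bytes."""
    return len(re.findall(re.escape(PROPSET_HEADER), data))


def has_corel_marker(data):
    """True if the Corel string is present in either encoding."""
    return any(marker in data for marker in COREL_MARKERS)


def classify(data):
    """Map the two observations to the statements made in the post.

    The header count per WordPerfect save (two left after the first save,
    one after the second, none after the third) is what the post observed
    on its sample set; treat it as an indicator, not a rule.
    """
    headers = count_propset_headers(data)
    if not has_corel_marker(data):
        return "word-only" if headers == 2 else "unknown"
    if headers == 2:
        return "wp-saved-once"      # Word metadata intact, last save by WP
    if headers == 1:
        return "wp-saved-twice"     # first metadata stream already dropped
    return "wp-saved-3-plus"        # both streams gone, only the Corel marker left


def scan_file(path):
    """Classify a .doc on disk."""
    with open(path, "rb") as fh:
        return classify(fh.read())


# Constructed stand-ins for test-1.doc .. test-4.doc. These are not real
# .doc files; only the marker bytes matter for the scan.
FILLER = b"\x00" * 64
SAMPLES = {
    "test-1.doc": FILLER + PROPSET_HEADER + FILLER + PROPSET_HEADER + FILLER,
    "test-2.doc": FILLER + PROPSET_HEADER + FILLER + PROPSET_HEADER
                  + COREL_MARKERS[0] + FILLER,
    "test-3.doc": FILLER + PROPSET_HEADER + FILLER + COREL_MARKERS[1] + FILLER,
    "test-4.doc": FILLER + COREL_MARKERS[0] + FILLER,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, count_propset_headers(blob), has_corel_marker(blob), classify(blob))
```

Call scan_file(path) on a real .doc, or run the module to see the four constructed samples classified. Two caveats: the four header bytes can in principle occur elsewhere in a file, so confirm each hit in a hex editor as the post does, and the absence of both markers says nothing by itself.&lt;br /&gt;&lt;br /&gt;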
If not, download the files and check them out and I think it will be clearer.&lt;br /&gt;&lt;br /&gt;Questions/Thoughts/Comments???&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-6506948640940462168?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/6506948640940462168/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=6506948640940462168' title='50 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/6506948640940462168'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/6506948640940462168'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2008/01/what-is-your-ms-office-metadata-telling.html' title='What is your MS Office Metadata Telling You???'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>50</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-1439181741637430279</id><published>2007-12-31T00:06:00.000-05:00</published><updated>2007-12-31T00:17:52.172-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='New Year'/><title type='text'>Another Year Come and Gone.......</title><content type='html'>As another year vanishes and a new one starts I would like to take the time to wish every reader a happy new year.  With the new year I will try and post more often and keep you all coming back for more information.  
I have a few things in the works and I am always looking for more projects.  If anyone has any ideas drop me a line (mark dot mckinnon at sbcglobal dot net) or if anyone has a good idea for a utility that can be written let me know.&lt;br /&gt;&lt;br /&gt;Wishing you all a safe and joyful New Year&lt;br /&gt;&lt;br /&gt;Mark&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-1439181741637430279?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/1439181741637430279/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=1439181741637430279' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1439181741637430279'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1439181741637430279'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/12/another-year-come-and-gone.html' title='Another Year Come and Gone.......'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-4823160905557036598</id><published>2007-12-30T23:46:00.000-05:00</published><updated>2007-12-31T00:06:24.579-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='IsystemWiper'/><category scheme='http://www.blogger.com/atom/ns#' term='Application Analysis'/><title type='text'>ISystemWiper Analysis</title><content 
type='html'>I ran into this program during an examination. The examination was on site and I could not take the image with me, so I could not boot it up in VMware and check out the program to see what the settings were. What I did do was take a copy of the directory where the program was installed, the registry keys for the program and the downloaded install file. From there I was able to bring it back into my lab, install it and figure out what settings the user had enabled. I have created a PDF of my notes and it can be downloaded &lt;a href="http://RedWolfComputerForensics.com/downloads/isystemwiper.pdf"&gt;here&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;The program is pretty interesting in that it allows you to create your own custom plugins to delete user-definable items. There are also quite a few plugins that come with the product, and by going through those plugin files you can actually learn something about the products they target. If you check out the program you will see for yourself. I did not go through all the plugins; I will leave that up to you if you are curious.&lt;br /&gt;&lt;br /&gt;Now is this something that you all would like to see more of? If so then let me know and I can try and create some more. If anyone out there has done any analysis on any programs and would like to share, please let me know and I can make you a guest blogger. 
&lt;br /&gt;&lt;br /&gt;As always questions/comments/thoughts/improvements?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-4823160905557036598?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/4823160905557036598/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=4823160905557036598' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/4823160905557036598'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/4823160905557036598'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/12/isystemwiper-analysis.html' title='ISystemWiper Analysis'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-5632743223153488605</id><published>2007-12-29T21:46:00.000-05:00</published><updated>2007-12-29T22:43:07.579-05:00</updated><title type='text'>Vinetto - A Thumbs DB Parser/Viewer</title><content type='html'>A while ago I &lt;a href="http://cfed-ttf.blogspot.com/2007/05/thumbs-db-files.html"&gt;blogged&lt;/a&gt; about a program to view the contents of a thumbs.db file. 
In the comments Christophe Monniez, AKA d-fence (who created the &lt;a href="http://www.d-fence.be/"&gt;FCCU GNU/Linux boot CD&lt;/a&gt;), brought to my attention the open source project &lt;a href="http://vinetto.sourceforge.net/"&gt;Vinetto&lt;/a&gt;, a forensics tool written by Michel Roukine to examine Thumbs.db files. It is a command-line Python script that works on Linux, Mac OS X and Cygwin (win32). I tried it on Cygwin and thought it was a great tool to have in the old tool belt; you can never have enough tools. Since I do not know Python I thought it would be a good time to learn it. Well, I am still trying to learn it and hopefully in the future will be providing some new tools in it. &lt;br /&gt;&lt;br /&gt;Now as most of you know most of my tools will run on Linux (command line) and Windows (command line and GUI), and I try to make sure that they will work on both (some will only work on Windows because that is where the libraries are). I saw that Vinetto would work under Cygwin but not natively on win32, so I thought I would see what it would take to make it work natively under win32. Those who just want to use the program and not worry about what I changed can skip to the link at the bottom where the program is (I have compiled the program so there is no need to have Python on your system to use it). &lt;br /&gt;&lt;br /&gt;After downloading it and making sure that I had the prerequisites (Python 2.3 or later and PIL (Python Imaging Library) 1.1.5 or later) installed, I opened up the files and looked at what would have to change. 
Here is all that had to change.&lt;br /&gt;&lt;br /&gt;Changes to program vinetto&lt;br /&gt;&lt;br /&gt;Line 1 change #!/usr/local/bin/python to #!c:\python25\python&lt;br /&gt;Line 160 change /usr/share/vinetto/header to ./res/header&lt;br /&gt;Line 161 change /usr/share/vinetto/quantization to ./res/quantization&lt;br /&gt;Line 162 change /usr/share/vinetto/huffman to ./res/huffman&lt;br /&gt;Line 320 change open(outputdir + "/" + NUMBERED_THUMBS_DIR + "/" + TNfname(SIDstr, "2") + ".jpg", \&lt;br /&gt;to open(outputdir + "/" + TNfname(SIDstr, "2") + ".jpg", \&lt;br /&gt;&lt;br /&gt;Note that ./res/... is resolved against the current working directory, not the location of the script or executable, so run it from the directory that holds res (the dist directory once you have built the exe) or those three files will not be found.&lt;br /&gt;&lt;br /&gt;Changes to the vinreport.py program&lt;br /&gt;&lt;br /&gt;Line 62 change /usr/share/vinetto/HtRepTemplate.html to ./res/HtRepTemplate.html&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Changes to the setup.py program&lt;br /&gt;&lt;br /&gt;Replace everything with the following:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;from distutils.core import setup&lt;br /&gt;import py2exe&lt;br /&gt;&lt;br /&gt;setup(console=['vinetto'])&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Run the following to create the executable:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;python setup.py py2exe&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Once the executable has been created (if you already have Python and PIL then you do not need to create the executable) you just need to copy the res directory underneath the dist directory (if you are lost here do not worry, I have everything compiled for you, and if you have done this before you will understand). I then tested it out and it works great (there is one error stating that the number of arguments is not correct that I have not looked into); it outputs the files and creates the HTML report. &lt;br /&gt;&lt;br /&gt;Future changes/additions for this, I think, will be an AutoIt GUI front end for the Windows users who are command-line averse and an option to scan a directory (top-most directory) to find all the Thumbs.db files. 
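&lt;br /&gt;&lt;br /&gt;As an added example (not part of vinetto or of the win32 port described above), here is that directory scan in Python: it walks a tree, picks up Thumbs.db regardless of case and checks the OLE compound-file signature before a file is handed to vinetto, so a renamed or truncated file does not go to the parser. That vinetto takes a -o output-directory option on its command line is an assumption; check its help text before relying on the generated commands, which are only built here, not run. The tree created by demo() is constructed for the example.

```python
"""Find every Thumbs.db under a tree and confirm the OLE signature before
handing it to vinetto.

Added example, not part of vinetto or of the win32 port described above.
Assumption: vinetto is on the PATH and takes -o OUTDIR plus the Thumbs.db
path; the commands are only built here, not executed.
"""
import os
import tempfile

# Thumbs.db is an OLE2 compound document; this is its 8-byte signature.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def is_ole_file(path):
    """Signature check so a renamed or truncated file is not fed to the parser."""
    with open(path, "rb") as fh:
        return fh.read(8) == OLE_MAGIC


def find_thumbs_db(root):
    """Walk root and return sorted (path, is_ole) pairs for every Thumbs.db."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == "thumbs.db":     # NTFS names are case-insensitive
                full = os.path.join(dirpath, name)
                hits.append((full, is_ole_file(full)))
    return sorted(hits)


def vinetto_commands(root, outdir):
    """One vinetto command line per genuine Thumbs.db, each with its own output dir."""
    cmds = []
    for index, (path, ok) in enumerate(find_thumbs_db(root)):
        if ok:
            target = os.path.join(outdir, "thumbs_%03d" % index)
            cmds.append(["vinetto", "-o", target, path])   # -o is an assumption
    return cmds


def demo():
    """Constructed tree: one real-signature Thumbs.db, one decoy, one unrelated file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Pictures", "2007"))
    with open(os.path.join(root, "Pictures", "Thumbs.db"), "wb") as fh:
        fh.write(OLE_MAGIC + b"\x00" * 504)    # header only; enough for the check
    with open(os.path.join(root, "Pictures", "2007", "THUMBS.DB"), "wb") as fh:
        fh.write(b"not a thumbnail cache")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"ignored")
    found = [(os.path.relpath(p, root).replace(os.sep, "/"), ok)
             for p, ok in find_thumbs_db(root)]
    return found, len(vinetto_commands(root, os.path.join(root, "out")))


if __name__ == "__main__":
    print(demo())
```

Keep in mind that Thumbs.db is the per-folder cache of XP and earlier; Vista moved local thumbnails into the thumbcache_*.db files under the user profile, so on a Vista image this scan mostly turns up caches that arrived from network shares or older media.&lt;br /&gt;&lt;br /&gt;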
For any other additions I would have to use the program some more.&lt;br /&gt;&lt;br /&gt;For more information about this program go to the website &lt;a href="http://vinetto.sourceforge.net/"&gt;http://vinetto.sourceforge.net/&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;To download my changes and an executable copy of the program go &lt;a href="http://RedWolfComputerForensics.com/downloads/vinetto-beta-0.07-win32.zip"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-5632743223153488605?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/5632743223153488605/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=5632743223153488605' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/5632743223153488605'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/5632743223153488605'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/12/vinetto-thumbs-db-parserviewer.html' title='Vinetto - A Thumbs DB Parser/Viewer'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-2818971301583150264</id><published>2007-11-30T10:56:00.000-05:00</published><updated>2007-11-30T12:48:45.566-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Registry Repository Project'/><title type='text'>Registry Repository Project....</title><content type='html'>Well, now that I am back from holiday and have waded through all the e-mails and voice mails, I can finally try and get something out here. &lt;br /&gt;&lt;br /&gt;For anyone who has not followed the comments on Harlan's blog post &lt;a href="http://windowsir.blogspot.com/2007/11/pimp-myregistry-analysis.html"&gt;Pimp my Registry&lt;/a&gt;, I have volunteered to create a database for a registry repository. I have created an initial ERD diagram and was wondering if all you readers out there would take a look at it and see if there is any information that I have missed. I tried to keep the names informative, so that is why they seem long. The PDF can be found &lt;a href="http://RedWolfComputerForensics.com/downloads/Registry_Repo.pdf"&gt;here&lt;/a&gt;. A description of the fields can be found &lt;a href="http://RedWolfComputerForensics.com/downloads/registry_repo_desc.txt"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The group_app table will define what type of investigation you may want to do, i.e. CP, fraud, IR, etc. The category_table will define what categories the apps fall into, i.e. P2P, Internet, security, etc. I also tried to think ahead and added tables for parameter files (INI and config files) and for any notable files that might be used within an application. I have also added a user table, because I think it is important that whoever submits entries can be contacted with questions about them. This will also provide some ownership of the data.&lt;br /&gt;&lt;br /&gt;I have also thought of a few other things to add but I would like the public's opinion. 
Do the following fields add value to the Registry_Info table?&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Key_created_on_Install - was the key created on installation of the app or created later&lt;br /&gt;&lt;br /&gt;Format of data - Unicode, ROT13, etc.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Are there any other additions anyone thinks should be added?&lt;br /&gt;&lt;br /&gt;The main goal of this project will be to collect this information into 1 source and then export it from that source into usable files (parameter files, XML, HTML, CSV, etc.) that can be used with other programs as well as with the programs I have written to read/parse the registry into a database and report on it. &lt;br /&gt;&lt;br /&gt;Hopefully this all makes sense to you. &lt;br /&gt;&lt;br /&gt;As always Questions/Comments/Thoughts/Modifications?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-2818971301583150264?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/2818971301583150264/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=2818971301583150264' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2818971301583150264'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2818971301583150264'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/11/registery-repository-project.html' title='Registry Repository Project....'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-3801916740978208584</id><published>2007-11-02T14:17:00.000-05:00</published><updated>2007-11-02T14:26:59.400-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='X-ways Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Vista Recycle Bin'/><title type='text'>Vista Recycle Bin Names in X-ways.....</title><content type='html'>For all you &lt;a href="http://x-ways.net"&gt;X-Ways Forensics&lt;/a&gt; users out there, &lt;a href="http://Redwolfcomputerforensics.com/downloads/x-ways-read-recycle-bin.zip"&gt;here&lt;/a&gt; is a script/executable that you can define to X-Ways that will copy to the clipboard the actual name of the $R file, based on the contents of the $I file. You can then add the file name to the comments section in the directory browser. &lt;br /&gt;&lt;br /&gt;To use it, define the file to X-Ways as a callable external program. 
In the $Recycle.Bin directory (the $I and $R files sit in the subfolder named after the user's SID), right-click on the $I file and call the executable program, and it will copy the actual file name to the clipboard for you so you can just paste it into your directory browser.&lt;br /&gt;&lt;br /&gt;Questions/Comments/Suggestions/Improvements????&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-3801916740978208584?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/3801916740978208584/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=3801916740978208584' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3801916740978208584'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3801916740978208584'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/11/vista-recycle-bin-names-in-x-ways.html' title='Vista Recycle Bin Names in X-ways.....'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-2122214810361094579</id><published>2007-11-02T09:09:00.000-05:00</published><updated>2007-11-02T10:23:29.290-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyberspeak Podcast'/><category scheme='http://www.blogger.com/atom/ns#' term='Vista Recycle Bin'/><category scheme='http://www.blogger.com/atom/ns#' term='Ovie Carroll'/><title type='text'>Dumpster Diving with Ovie.....</title><content type='html'>On the &lt;a href="http://http://media.libsyn.com/media/cyberspeak/CyberSpeak_78_October_13_2007.mp3"&gt;Oct 15 Cyberspeak Podcast&lt;/a&gt; Ovie Carroll talked about Vista Recycle Bin forensics. Based on Ovie's chat I have created a program that will read the $I files and create a simple report. The report consists of the $I file name, the actual filename with directory, the date/time the file was deleted and the file size. I have also added the functionality to copy the $R file (the actual data file that was deleted; it shares the random suffix of its $I file, which is how the two are matched up) into a directory specified by you, under its actual name.&lt;br /&gt;&lt;br /&gt;So what does the program do? Once you fire up the GUI you need to provide a filename for the database that is created to store the data that is read. Provide a directory where the $I files are; if you want to copy the $R files to their original names then they need to be in the same directory. Optionally, provide an output directory where you want the deleted files written out with their actual names. Once that is done, press the buttons and watch it go to work. When you are ready to run the report you can sort the data in ascending or descending order based on the deletion date and show the report in either Excel or your favorite web browser.&lt;br /&gt;&lt;br /&gt;If you want to see the gory details the code is provided. As always this script can be run on OSes other than Windows (the report piece will have to be modified some). &lt;br /&gt;&lt;br /&gt;The programs can be found &lt;a href="http://redwolfcomputerforensics.com/downloads/Recycle_bin.zip"&gt;here&lt;/a&gt;. 
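&lt;br /&gt;&lt;br /&gt;For anyone who wants the parsing without the GUI, here is a Python version written for this page as an added example; it is not taken from the program above, and since the X-Ways clipboard helper in the previous post works from the same $I layout it covers that one too. It decodes the header, size, FILETIME and UTF-16LE path of a Vista/7 $I file, pairs each $I with its $R by the shared suffix and copies the $R out under its original name. It also accepts the later Windows 10 version-2 layout (a 4-byte character count before a variable-length path), which goes beyond what this post covers. The $I record it parses is constructed inline, not taken from a real system.

```python
"""Parse Vista-style $I recycle-bin index files and restore the matching $R.

Added example, not the author's program. Version-1 $I layout (Vista/7):
8-byte header holding 1, original size (8 bytes LE), deletion time as a
FILETIME (100 ns ticks since 1601-01-01 UTC), then the original path as
UTF-16LE padded to 520 bytes. Version 2 (Windows 10) stores a 4-byte
character count before a variable-length path instead.
"""
import ntpath
import os
import shutil
import tempfile
from collections import namedtuple
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIXED_PATH_BYTES = 520   # 260 UTF-16 code units in the version-1 layout
RecycledFile = namedtuple("RecycledFile", "index_name version original_path deleted_at size")


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_record(data, index_name="$I"):
    """Decode one $I file from its raw bytes."""
    if min(len(data), 24) != 24:   # header, size and timestamp are mandatory
        raise ValueError("too short for a $I file")
    version = int.from_bytes(data[0:8], "little")
    size = int.from_bytes(data[8:16], "little")
    deleted = filetime_to_datetime(int.from_bytes(data[16:24], "little"))
    if version == 1:
        raw_path = data[24:24 + FIXED_PATH_BYTES]
    elif version == 2:
        nchars = int.from_bytes(data[24:28], "little")   # includes the terminator
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError("unknown $I version %d" % version)
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return RecycledFile(index_name, version, path, deleted, size)


def r_name_for(i_name):
    """$I and $R share the random suffix: $IABC123.doc pairs with $RABC123.doc."""
    base = ntpath.basename(i_name)
    if not base.startswith("$I"):
        raise ValueError("not a $I file name: %s" % base)
    return "$R" + base[2:]


def build_i_record(original_path, deleted_at, size, version=1):
    """Encode a $I file; used here only to construct an offline sample."""
    encoded = original_path.encode("utf-16-le") + b"\x00\x00"
    body = version.to_bytes(8, "little") + size.to_bytes(8, "little")
    body += datetime_to_filetime(deleted_at).to_bytes(8, "little")
    if version == 1:
        return body + encoded.ljust(FIXED_PATH_BYTES, b"\x00")
    return body + (len(encoded) // 2).to_bytes(4, "little") + encoded


def restore_from_bin(bin_dir, out_dir):
    """Copy each $R file in bin_dir to out_dir under its original base name."""
    os.makedirs(out_dir, exist_ok=True)
    restored = []
    for name in sorted(os.listdir(bin_dir)):
        if not name.startswith("$I"):
            continue
        with open(os.path.join(bin_dir, name), "rb") as fh:
            rec = parse_i_record(fh.read(), name)
        r_path = os.path.join(bin_dir, r_name_for(name))
        if os.path.isfile(r_path):   # $R may be gone if it was wiped separately
            target = os.path.join(out_dir, ntpath.basename(rec.original_path))
            shutil.copy2(r_path, target)
            restored.append((rec, target))
    return restored


# Constructed sample: one deleted document, not taken from any real system.
SAMPLE_DELETED = datetime(2007, 11, 2, 14, 17, 0, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\mark\Documents\notes.doc"
SAMPLE_I = build_i_record(SAMPLE_PATH, SAMPLE_DELETED, 12345)


def demo():
    """Build a throwaway $Recycle.Bin holding the sample pair and restore it."""
    work = tempfile.mkdtemp()
    bin_dir = os.path.join(work, "$Recycle.Bin")
    os.makedirs(bin_dir)
    with open(os.path.join(bin_dir, "$IABC123.doc"), "wb") as fh:
        fh.write(SAMPLE_I)
    with open(os.path.join(bin_dir, "$RABC123.doc"), "wb") as fh:
        fh.write(b"constructed document body")
    rows = []
    for rec, target in restore_from_bin(bin_dir, os.path.join(work, "restored")):
        with open(target, "rb") as fh:
            rows.append((rec.original_path, rec.deleted_at.isoformat(), rec.size, fh.read()))
    return rows
```

The deletion timestamp comes out in UTC; convert it to the machine's time zone when you report it. A $R without a matching $I, or the other way round, is itself worth noting, since the two are normally created together.&lt;br /&gt;&lt;br /&gt;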
As always Questions/Comments/Improvements let me know.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-2122214810361094579?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/2122214810361094579/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=2122214810361094579' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2122214810361094579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2122214810361094579'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/11/dumpster-diving-with-ovie.html' title='Dumpster Diving with Ovie.....'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-1503781838751221025</id><published>2007-10-30T12:02:00.000-05:00</published><updated>2007-10-30T12:07:30.757-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tools'/><category scheme='http://www.blogger.com/atom/ns#' term='X-ways Forensics'/><title type='text'>Interest in Making Other tools X-ways Forensics Friendly...</title><content type='html'>The thought just occurred to me to see if there is any interest in my making more of the tools I have put out there callable from x-ways. If there is interest in this let me know and as I develop them I will add this capability as well. 
If you would like one of the older tools to be callable from x-ways then let me know and I can try and accommodate it. Leave a comment or shoot me an email mark dot mckinnon at sbcglobal dot net.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-1503781838751221025?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/1503781838751221025/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=1503781838751221025' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1503781838751221025'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1503781838751221025'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/10/interest-in-making-other-tools-x-ways.html' title='Interest in Making Other tools X-ways Forensics Friendly...'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-369318567927351830</id><published>2007-10-30T11:37:00.000-05:00</published><updated>2007-10-30T11:52:39.513-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Date/Time'/><category scheme='http://www.blogger.com/atom/ns#' term='Bios Date/Time'/><category scheme='http://www.blogger.com/atom/ns#' term='Autoit'/><category scheme='http://www.blogger.com/atom/ns#' term='Time Zone'/><title type='text'>What's that 
time Zone....</title><content type='html'>A few weeks ago I was asked to image a couple of laptops by a global company. The laptops had previously been deployed at 2 of their overseas sites. After imaging the drives I went to look at the BIOS of the machines so I could document the settings and the date/time. After looking at the date/time I wondered what time zone it was set to. Now since I am lazy and really only want to do this once, I came up with this little AutoIt GUI program that will tell me what time zone a specific date/time is from, compared to my time zone. &lt;br /&gt;&lt;br /&gt;For example, if my current date/time is 10/30/2007 8:30:00 and the BIOS date/time is 10/30/2007 19:00:00, then the time zone setting is GMT+5:30. Possible areas that may be in this time zone are Chennai, Kolkata, Mumbai, New Delhi and Sri Jayawardenepura. Two things to keep in mind: this only works because Windows keeps the hardware clock in local time (a machine that ran Linux or was set to keep the RTC in UTC will show GMT no matter where it was deployed), and daylight saving time on either side of the comparison shifts the answer by an hour, so note whether your own clock was on DST when you ran it. &lt;br /&gt;&lt;br /&gt;The program can be found &lt;a href="http://redwolfcomputerforensics.com/downloads/date-time-zone.zip"&gt;here&lt;/a&gt;. Once you start up the program it will put the current date/time in the 2 fields. Change the "date/time to figure out" field to the BIOS value, then click on "get time zone information". 
It will then bring up a box with the potential cities for that time zone (based on windows time zones).&lt;br /&gt;&lt;br /&gt;Questions/Comments/Suggestions?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-369318567927351830?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/369318567927351830/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=369318567927351830' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/369318567927351830'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/369318567927351830'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/10/whats-that-time-zone.html' title='What&apos;s that time Zone....'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-5951323965575169002</id><published>2007-10-30T11:19:00.000-05:00</published><updated>2007-10-30T11:36:52.663-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='X-ways Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Thumbcache'/><title type='text'>Calling Thumbcache Parser from X-Ways Forensics...</title><content type='html'>I saw a post on the x-ways forums about carving out data from the thumbscache and thought to myself now why did I not think of making my thumbcache parser 
able to be called from X-Ways. Well now you can. I made a few small modifications to the program and you can now call it from X-Ways Forensics by right-clicking on one of the thumbcache files and picking an external program. &lt;br /&gt;&lt;br /&gt;To install it, download the zip file from &lt;a href="http://redwolfcomputerforensics.com/downloads/x_ways_parse_thumbcache.zip"&gt;here &lt;/a&gt;. Unzip it into the directory of your choice. Take the headersig.txt and put it in the temp folder you have defined in X-Ways Forensics (this is under Options=&gt;General; if you do not do this the program will not work and will just hang). Now define the EXE or Perl script (your choice) in the external programs definition section (Options=&gt;External Programs). That is all that is needed to set it up. To run it, right-click on one of the thumbcache_??.db files and pick the external program to run. The program will then ask you where you want to put the jpg/bmp/png files that will be exported from the thumbcache file. Once the program has finished you can then import the files into your case.&lt;br /&gt;&lt;br /&gt;As always I hope you find this useful. 
Questions/Comments/Suggestions?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-5951323965575169002?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/5951323965575169002/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=5951323965575169002' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/5951323965575169002'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/5951323965575169002'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/10/calling-thumbcache-parser-from-x-ways.html' title='Calling Thumbcache Parser from X-Ways Forensics...'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-2958837685109197070</id><published>2007-10-15T19:24:00.001-05:00</published><updated>2008-08-27T19:49:46.173-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Perl'/><category scheme='http://www.blogger.com/atom/ns#' term='Thumbcache'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyberspeak Podcast'/><category scheme='http://www.blogger.com/atom/ns#' term='Autoit'/><category scheme='http://www.blogger.com/atom/ns#' term='Bret Padres'/><category scheme='http://www.blogger.com/atom/ns#' term='Harlan Carvey'/><category scheme='http://www.blogger.com/atom/ns#' term='Ovie 
Carroll'/><title type='text'>Thumbs Up To Ovie......</title><content type='html'>On the Sept 23 podcast of &lt;a href="http://cyberspeak.libsyn.com/index.php?post_id=258951"&gt;Cyberspeak&lt;/a&gt; Ovie Carroll talked about the thumbcache that is new in Windows Vista. In response I have created a Perl script with an AutoIt GUI front end that will parse all 4 of the thumbcache files. &lt;br /&gt;&lt;br /&gt;The base program is based on the sigs.pl script originally written by &lt;a href="http://windowsir.blogspot.com/"&gt;Harlan Carvey&lt;/a&gt;. What the Perl script does is open the specified thumbcache files and then scan for file header signatures. Once it finds a jpg, png or bmp file header it backs up and reads what I will call the file header record of that image file. In this record is the size and internal name of the file. I have not figured out how it gets that particular name, but if someone knows please let all of us know. The thumbcache_32 and 96 files appear to only contain bmp files while the thumbcache_256 and 1024 contain png and jpg files. For all the gory details see the Perl code. &lt;br /&gt;&lt;br /&gt;Since the thumbcache files I had were very limited this is about as much as I know. As for the GUI, just pick the file you want to parse, input the directory where the thumbcache files are (ending with a "\"), input a directory to write all the images to, click on the parse button and watch it go.&lt;br /&gt;&lt;br /&gt;Now since this does not use any Windows-specific Perl modules there is no reason that you cannot run it on Linux or a Mac. The code and executable can be found &lt;a href="http://redwolfcomputerforensics.com/downloads/thumbcache-installer.exe"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Thanks to Ovie for the idea for this program. Ovie and Bret keep up the great work on the podcast.&lt;br /&gt;&lt;br /&gt;As always questions/comments/thoughts/problems let me know. 
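The signature-scanning approach described above, as an added example that is not the post's Perl script: a small Python carver that finds jpg, png and bmp headers in a byte buffer and recovers each image by walking the format to its end (PNG chunks to IEND, the JPEG EOI marker, the BMP size field). It does not read the thumbcache record header that carries the size and internal name, because that layout is not given in the post. The input buffer and the images inside it are constructed in the script so it runs offline; the jpg entry is a header/trailer stub rather than a decodable picture.

```python
"""Signature-based image carver for thumbcache-style files.

Added example in the spirit of the sigs.pl approach the post describes; it is
not the author's Perl script.  It scans a byte buffer for JPEG, PNG and BMP
file-header signatures and recovers each image by walking the format's own
structure to find where it ends.  It does not decode the thumbcache record
header (entry size / internal name) mentioned in the post, because that
layout is not given there.  The sample buffer below is constructed in-line
so the script runs offline; the jpg entry is a header/trailer stub.
"""
import pathlib
import struct
import zlib

# Header signatures the post's parser looks for.
JPEG_SOI = b"\xff\xd8\xff"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
BMP_SIG = b"BM"


def jpeg_length(buf, start):
    """Length of the JPEG at buf[start:], found by its EOI marker (FF D9).
    A JPEG with an embedded EXIF thumbnail can hold an earlier EOI, so this is
    the approximation a signature carver makes, not a full segment parse."""
    end = buf.find(b"\xff\xd9", start + len(JPEG_SOI))
    if end == -1:
        return None                      # truncated: no trailer in the buffer
    return end + 2 - start


def png_length(buf, start):
    """Length of the PNG at buf[start:], by walking its chunks up to IEND."""
    pos = start + len(PNG_SIG)
    while True:
        try:
            length, ctype = struct.unpack_from("!I4s", buf, pos)
        except struct.error:
            return None                  # ran off the end of the buffer
        pos += 8 + length + 4            # length and type fields, data, CRC
        if ctype == b"IEND":
            return pos - start


def bmp_length(buf, start):
    """Length of the BMP at buf[start:], from the size field in its header.
    'BM' occurs in ordinary text, so the size must fit the buffer and the DIB
    header size must be one of the defined values before a hit is accepted."""
    size = int.from_bytes(buf[start + 2:start + 6], "little")
    dib = int.from_bytes(buf[start + 14:start + 18], "little")
    if size in range(54) or len(buf[start:start + size]) != size:
        return None
    if dib not in (12, 40, 108, 124):
        return None
    return size


SIGNATURES = (("png", PNG_SIG, png_length),
              ("jpg", JPEG_SOI, jpeg_length),
              ("bmp", BMP_SIG, bmp_length))


def carve(buf):
    """Return [(offset, kind, image_bytes), ...] for every image found in buf."""
    found = []
    pos = 0
    while True:
        hits = []
        for kind, sig, measure in SIGNATURES:
            off = buf.find(sig, pos)
            if off != -1:
                hits.append((off, kind, measure))
        if not hits:
            return found
        off, kind, measure = min(hits, key=lambda h: h[0])
        length = measure(buf, off)
        if length is None:               # false positive or truncated image
            pos = off + 1
            continue
        found.append((off, kind, buf[off:off + length]))
        pos = off + length               # resume after the carved image


def export(found, outdir):
    """Write each carved image to outdir as offset.kind; return the paths."""
    out = pathlib.Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for off, kind, data in found:
        path = out / f"{off:08x}.{kind}"
        path.write_bytes(data)
        paths.append(path)
    return paths


# --- constructed sample input (not real thumbcache data) ---------------------

def _png_chunk(ctype, data):
    body = ctype + data
    return struct.pack("!I", len(data)) + body + struct.pack("!I", zlib.crc32(body))


def sample_png():
    """A valid 1x1 RGB PNG built from scratch."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")     # filter byte + one red pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def sample_jpeg():
    """SOI + APP0 (JFIF) + EOI: enough structure for the carver, not a real picture."""
    return JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"


def sample_bmp():
    """A valid 1x1 24-bit BMP (14-byte file header + 40-byte DIB header + one padded row)."""
    le = lambda v, n: v.to_bytes(n, "little")
    pixels = b"\x00\x00\xff\x00"                   # BGR pixel, row padded to 4 bytes
    size = 14 + 40 + len(pixels)
    file_hdr = BMP_SIG + le(size, 4) + le(0, 2) + le(0, 2) + le(54, 4)
    dib = le(40, 4) + le(1, 4) + le(1, 4) + le(1, 2) + le(24, 2) + bytes(24)
    return file_hdr + dib + pixels


def sample_buffer():
    """Thumbcache-like blob: images separated by filler, with a 'BM' decoy in text."""
    return (b"\x00" * 16 + b"SUBMITTED" + b"\x00" * 7 + sample_png() + b"\x00" * 8
            + sample_jpeg() + b"\x00" * 8 + sample_bmp() + b"\x00" * 64)


if __name__ == "__main__":
    import tempfile
    images = carve(sample_buffer())
    for off, kind, data in images:
        print(f"offset 0x{off:x}: {kind}, {len(data)} bytes")
    print("written:", export(images, tempfile.mkdtemp()))
```

Point it at a real cache by replacing sample_buffer() with pathlib.Path("thumbcache_256.db").read_bytes(). The BMP plausibility check is what keeps the two-byte BM signature from firing on text inside the file; the PNG walk and the JPEG trailer search are the same length recovery a carver does when it has no record header to trust.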
My eyes and ears are always looking for great new projects.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-2958837685109197070?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/2958837685109197070/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=2958837685109197070' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2958837685109197070'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2958837685109197070'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/10/thumbs-up-to-ovie.html' title='Thumbs Up To Ovie......'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-8915589451439670271</id><published>2007-10-03T08:11:00.000-05:00</published><updated>2007-10-03T08:18:10.296-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DB2'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Oracle'/><category scheme='http://www.blogger.com/atom/ns#' term='SQL Server'/><title type='text'>Database Security.....</title><content type='html'>I was just catching up on some reading and came across this &lt;a href="http://www.eweek.com/article2/0,1759,2186722,00.asp"&gt;article&lt;/a&gt; about securing the 
database in &lt;a href="http://eweek.com"&gt;eWeek&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Now as I read this i have to shake my head and wonder why all they mention is the DBA that is in charge of this.  In my experience the DBA usually has the database pretty secure.  It is when you introduce the applications that will use the database that it becomes insecure.  For those who do not know in an &lt;a href="http://Oracle.com"&gt;Oracle&lt;/a&gt; database the one of the highest permissions to grant is DBA in &lt;a href="http://www.microsoft.com/sql/default.mspx"&gt;SQL Server &lt;/a&gt;it is SA and in &lt;a href="http://www-306.ibm.com/software/data/db2/zos/"&gt;DB2&lt;/a&gt; it is Sysadm.  Now for quite a few installs that I have been involved with using Oracle and SQL Server datbases the installation needs either and account created with DBA or SA or they need the actual SA account.  Now as far as I am concerned this is just pure laziness on the application side, I know it is easier to just grant DBA/SA as you do your development, which is fine because that is usually a test/development environment, but before you release it to prime time take the 10-15 minutes to figure out the access you actually need.  I just love it when the user actually has access to drop and create users, tables, tablespaces, etc.. becuase the application says they need the access.&lt;br /&gt;&lt;br /&gt;The next thing I really love is all the applications that leave user names and passwords in plain text in there configuration files.  Talk about insecure what is better then having a web server out on the DMZ that has a user name/password in plain text in an XML configuration file.  
Now if the DBA was involved in the installation of this and is aware of it, then something can be done to minimize the impact (figuring out the maximum access that is actually needed and only granting that access), but usually the application folks are in charge of this, so the DBA does not know that the account that has DBA rights is sitting out on the DMZ in plain sight.&lt;br /&gt;&lt;br /&gt;Now the last thing I really love is when you get those application developers demanding DBA access.  Now I don't know if it is because they can't have that access that they want it or what, but they always want it.  Here is a conversation between myself and a developer about this:&lt;br /&gt;&lt;br /&gt;Developer:  I need DBA access.&lt;br /&gt;&lt;br /&gt;Mark:  Why do you need DBA access?&lt;br /&gt;&lt;br /&gt;Developer:  Because I need to access things.&lt;br /&gt;&lt;br /&gt;Mark:  What things?  Do you need to create tablespaces?&lt;br /&gt;&lt;br /&gt;Developer:  No I don't need to create tablespaces, but I need DBA access.&lt;br /&gt;&lt;br /&gt;Mark:  Do you need to create users, profiles, switch log files, create rollback segments, etc.?&lt;br /&gt;&lt;br /&gt;Developer:  No, no, nothing like that, but I need DBA access.&lt;br /&gt;&lt;br /&gt;Mark:  Well why don't you figure out the actual access you need and I will grant it to you.  I don't have a problem granting access to you if you need it, but you do not need DBA.&lt;br /&gt;&lt;br /&gt;Manager:  Well isn't it just easier to grant DBA than figure out the access?&lt;br /&gt;&lt;br /&gt;Now this is where the conversation just went over the cliff, along with the manager and the developer.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So now that I am done ranting about this, Thoughts/Questions/Comments?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-8915589451439670271?l=cfed-ttf.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/8915589451439670271/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=8915589451439670271' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8915589451439670271'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8915589451439670271'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/10/database-security.html' title='Database Security.....'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-3162346072773094724</id><published>2007-10-02T08:36:00.000-05:00</published><updated>2007-10-02T08:45:43.028-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Apply Within'/><category scheme='http://www.blogger.com/atom/ns#' term='Help Wanted'/><category scheme='http://www.blogger.com/atom/ns#' term='Lurker'/><title type='text'>Help Wanted....Lurkers Apply within</title><content type='html'>I am looking for a few good lurkers.  In the coming months I will have some new tools to test and I would really love to have a few lurkers out there test them for me.  It is always good to get a different perspective on things and different views and different data.  I can send them to some of the people I know but thought this would be a good opportunity for some lurkers.  
If you are out there and want to get involved but do not think that you can contribute, then this opportunity is for you.  I &lt;strong&gt;do not&lt;/strong&gt; care what your level is, from beginner to expert; everyone can contribute.  I will just need some of your time to test some things that I am working on before I release them here.  If you feel this opportunity is for you send me an email at Mark dot McKinnon at sbcglobal dot net with a subject of "Help Wanted...Lurker Applying".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-3162346072773094724?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/3162346072773094724/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=3162346072773094724' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3162346072773094724'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3162346072773094724'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/10/help-wantedlurkers-apply-within.html' title='Help Wanted....Lurkers Apply within'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-5206710601744776532</id><published>2007-09-17T12:40:00.004-05:00</published><updated>2008-04-07T06:26:54.404-05:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='CSC/Offline Folders'/><title type='text'>CSC/Offline File Parser/Copier</title><content type='html'>&lt;strong&gt;Addendum, Mar 22, 2008:&lt;/strong&gt;  Look at the March 22 2008 blog entry as it has a newer version of the software.  That post can be found &lt;a href="http://cfed-ttf.blogspot.com/2008/03/csc-parser-version-20.html"&gt;here&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;As promised here is a link to the &lt;a href="http://RedWolfComputerforensics.com/downloads/CSC_Parser.zip"&gt;CSC/Offline File Parser/Copier&lt;/a&gt;. There is some more work that needs to be done on this but it does work pretty well. &lt;br /&gt;&lt;br /&gt;In the zip file you can run csc_parser_gui.exe (an AutoIt program) if you want to run it in Windows. Here is an explanation of the fields on the screen:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;csc base file to parse :&lt;/strong&gt; This is either 00000002 or csc1.tmp (backup of 00000002). Without this file your CSC is useless.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Database file to create:&lt;/strong&gt; This is the SQLite database file that will be created and read from.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Base CSC Directory:&lt;/strong&gt; Where you saved the CSC directory to. The default CSC directory is C:\Windows\CSC&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Type of program to run:&lt;/strong&gt; You can either run the Perl scripts (.pl) or the executable (.exe). 
I did this in case you want to change the Perl scripts and still want to use the GUI.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Program to open the report in:&lt;/strong&gt; Which program you want to open the report in, Excel or a web browser.&lt;br /&gt;&lt;br /&gt;Once you fill in the fields you want, just press the button of the action you want; if you do not fill in one of the fields required for that action it will let you know.&lt;br /&gt;&lt;br /&gt;Now if you want to run the Perl scripts on a platform other than Windows, here is the sequence to run them in and the parameters needed:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;read-csc-dir.pl&lt;/strong&gt; &amp;lt;base file to parse, 00000002 or csc1.tmp&amp;gt; &amp;lt;DB file name, created if it does not exist&amp;gt; &amp;lt;base CSC directory, e.g. c:\Windows\CSC&amp;gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;read-csc-file.pl&lt;/strong&gt; &amp;lt;DB file name created in previous step&amp;gt;&lt;br /&gt;&lt;br /&gt;To get a report of the files run this program (note: this will create a temp file and will try to open Excel or a web browser, so you may want to modify this program to your needs):&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;print-csc-files.pl &lt;/strong&gt; &amp;lt;DB file name created in previous step&amp;gt; &amp;lt;directory to copy files to&amp;gt; &amp;lt;A or U for allocated files or unallocated files&amp;gt;&lt;br /&gt;&lt;br /&gt;Sqlitespy.exe has been included in case you want to look at the database.&lt;br /&gt;&lt;br /&gt;Any feedback would be appreciated. One thing that probably needs to be done is to be able to parse the SQLite database and recreate the directory structure so you can copy into the correct directories. If I get some more time I will try and document the file structures, but in the meantime look at the code and you should be able to figure it out. 
Hope this helps someone out.&lt;br /&gt;&lt;br /&gt;As always Comments/Questions/Suggestions are always welcome.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Addendum, Dec 6, 2007:&lt;/strong&gt;  After several questions I realized I failed to mention that you have to read/parse the csc file before you can report on it, so hit the read/parse button before any other button.  Also if you have spaces in any of the file/directory names then you will have to put double quotes around the whole field.  If I get time I will try and make the change in the code to allow for this.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-5206710601744776532?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/5206710601744776532/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=5206710601744776532' title='17 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/5206710601744776532'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/5206710601744776532'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/09/cscoffline-file-parsercopoier.html' title='CSC/Offline File Parser/Copier'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' 
src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>17</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-6140026287828292302</id><published>2007-08-30T11:37:00.000-05:00</published><updated>2007-08-30T12:23:36.410-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CSC'/><category scheme='http://www.blogger.com/atom/ns#' term='Offline Folders'/><category scheme='http://www.blogger.com/atom/ns#' term='E-Discovery'/><category scheme='http://www.blogger.com/atom/ns#' term='Client Side Cache'/><title type='text'>Offline Folders</title><content type='html'>Offline Folders used to go by the name Client Side Cache. This is evident from the directory the data is stored in, C:\Windows\CSC, which is still there even if you do not use Offline Folders. You will find Offline Folders more in a corporate environment and mainly on laptops. The idea is that you want to store your data on a network drive but also have access to it when you are not on the network. There is a synchronization process that happens between your computer and the network drive where your data is stored; when the sync happens depends on your settings. &lt;br /&gt;&lt;br /&gt;One of the interesting things about this is that if you log in to a laptop that is not yours at your company, your files on the network drive will start to sync to that laptop. After the sync your files should now be on that laptop. Now let's say you are looking at leaving the company and decide to remove all your files from the network drive and then resync your laptop; all the data is then removed from the offline folder on your laptop and is gone. Now what about that other laptop you logged into? Guess what, your files are still on that one and they can potentially be harvested. 
Now all you E-Discovery folks should be drooling right about now, since files that were deleted may be found somewhere else (especially if the backup tapes of the network drive are no good, lost, etc.). You just have to find out where you logged in besides your own laptop.&lt;br /&gt;&lt;br /&gt;Now one downside to this is that your cube mate is an idiot and stores his porn on the network drive. He decides to log in to your laptop and his files are now on your laptop. There is an investigation and they take both your laptop and his. Without understanding Offline Folders you may get accused of having porn on your laptop when you never put it there; your idiot cube mate did.&lt;br /&gt;&lt;br /&gt;Now let's take a high-level look at the offline folders (I am still gathering information so there may be some holes in it). Under the C:\Windows\CSC directory you will find the following:&lt;br /&gt;&lt;br /&gt;Directories named d1 to d8 - these hold all the files used for offline folders; the file names are system generated.&lt;br /&gt;&lt;br /&gt;file 00000001 - this points to the network drive that you will sync to&lt;br /&gt;&lt;br /&gt;file 00000002 - this file holds all the references to what directories your files are stored in and what their names are.&lt;br /&gt;&lt;br /&gt;file 00000003 - Don't know, have not figured this out yet (I did say this was a work in progress and any help would be appreciated)&lt;br /&gt;&lt;br /&gt;file csc1.tmp - this appears to be a copy of file 00000002&lt;br /&gt;&lt;br /&gt;Now in each directory (d1..d8) you will find 2 types of files: ones whose name starts with 0 and ones whose name starts with 8. The ones with a first character of 8 are the actual files that you stored there. 
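The d1..d8 layout and the 0/8 naming convention described above, as an added example that is not the author's CSC parser: a Python inventory script that walks the cache, separates cached file content from cross-reference records by the leading character of the generated name, records size and MD5 for each content file, and sniffs the file type from its first bytes, because the generated names carry no extension. It does not decode the index records or the 0000000x control files, since their formats are not given here; it only reports which control files are present. The sample tree it runs on is constructed in a temporary directory and its file contents are stubs.

```python
"""Triage inventory of an Offline Files (CSC) cache directory.

Added example, not the author's CSC parser.  The post gives the layout
(d1..d8 subdirectories, content files whose system-generated names start with
8, cross-reference records whose names start with 0, and the 0000000x / csc1.tmp
control files) but not the record format, so this script decodes nothing.  It
walks the tree, separates content from index records by that naming
convention, records size and MD5 for each content file, and sniffs the type
from the leading bytes because the generated names carry no extension.  The
result is the list you would match back against the owner's share or a
known-hash set.  The sample tree is constructed in a temporary directory.
"""
import hashlib
import pathlib
import shutil
import tempfile

CONTROL_FILES = ("00000001", "00000002", "00000003", "csc1.tmp")

# Minimal magic table; extend it for the document types your environment uses.
MAGIC = (
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2 (doc/xls/ppt)"),
    (b"PK\x03\x04", "zip/ooxml"),
    (b"%PDF", "pdf"),
    (b"MZ", "pe"),
    (b"\xff\xd8\xff", "jpg"),
)


def sniff(data):
    """Best-effort type from leading bytes; 'unknown' when nothing matches."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def classify(name):
    """Apply the naming convention from the post to a file inside d1..d8."""
    return {"8": "content", "0": "index"}.get(name[:1], "other")


def control_files(csc_root):
    """Which top-level control files are present (00000002 is the one the
    parser needs; csc1.tmp is its apparent backup)."""
    root = pathlib.Path(csc_root)
    return {name: (root / name).is_file() for name in CONTROL_FILES}


def inventory(csc_root):
    """List every file under d1..d8 with kind, size, MD5 and sniffed type."""
    root = pathlib.Path(csc_root)
    rows = []
    for sub in sorted(root.glob("d[1-8]")):
        for f in sorted(sub.iterdir()):
            if not f.is_file():
                continue
            data = f.read_bytes()
            kind = classify(f.name)
            rows.append({
                "dir": sub.name,
                "name": f.name,
                "kind": kind,
                "size": len(data),
                "md5": hashlib.md5(data).hexdigest(),
                "type": sniff(data) if kind == "content" else "",
            })
    return rows


def build_sample_tree(base):
    """Constructed stand-in for C:\\Windows\\CSC (names follow the convention,
    contents are stubs): two cached files, two index records, control files."""
    root = pathlib.Path(base) / "CSC"
    for i in range(1, 9):
        (root / f"d{i}").mkdir(parents=True)
    (root / "00000001").write_bytes(b"\\\\fileserver\\users\\bob\x00")
    (root / "00000002").write_bytes(b"\x00" * 64)
    (root / "csc1.tmp").write_bytes(b"\x00" * 64)
    (root / "d1" / "80000A3C").write_bytes(b"%PDF-1.4\n%stub\n")
    (root / "d1" / "00000A3C").write_bytes(b"\x00" * 32)
    (root / "d5" / "80001F02").write_bytes(b"PK\x03\x04" + b"\x00" * 20)
    (root / "d5" / "00001F02").write_bytes(b"\x00" * 32)
    return root


def run_sample():
    """Build the sample tree, inventory it, clean up; return (controls, rows)."""
    base = tempfile.mkdtemp()
    try:
        root = build_sample_tree(base)
        return control_files(root), inventory(root)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    controls, rows = run_sample()
    print("control files:", controls)
    for r in rows:
        print(r["dir"], r["name"], r["kind"], r["size"], r["md5"], r["type"])
```

Run inventory() against a CSC directory copied out of an image; the MD5 column is what you would feed into a known/unknown comparison, and the type column tells you which 8* files are worth opening before the index records are decoded.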
The files that start with 0 hold the information/cross reference between the generated name and the actual name, as well as the size of the file and the date that the file was created (this is another place where I am still figuring it out, but I do have some of the information). &lt;br /&gt;&lt;br /&gt;In the next post I will dive deeper into the format of the files that start with 0 and provide some Perl programs that will be able to read those files and provide some useful information.&lt;br /&gt;&lt;br /&gt;Now hopefully I was clear in what I just stated; if not, hopefully you will let me know. &lt;br /&gt;&lt;br /&gt;Questions/Thoughts/Comments????&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-6140026287828292302?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/6140026287828292302/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=6140026287828292302' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/6140026287828292302'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/6140026287828292302'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/08/offline-folders.html' title='Offline Folders'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' 
src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-9108160668491783851</id><published>2007-08-30T11:33:00.000-05:00</published><updated>2007-08-30T11:37:26.795-05:00</updated><title type='text'>It's been a while</title><content type='html'>It has been quite a while since I last posted something.  I hope to soon rectify this and start to post a few things.  Some of the things that I hope to talk about will be Offline folders, a few informational postings on different programs, and other things.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-9108160668491783851?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/9108160668491783851/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=9108160668491783851' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/9108160668491783851'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/9108160668491783851'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/08/its-been-while.html' title='It&apos;s been a while'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' 
src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-5584323473547821474</id><published>2007-05-22T07:50:00.000-05:00</published><updated>2007-05-22T09:53:01.193-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Hashs'/><category scheme='http://www.blogger.com/atom/ns#' term='SQL Server NSRL'/><category scheme='http://www.blogger.com/atom/ns#' term='Oracle'/><title type='text'>Comparing Large Hash sets Against NSRL.......</title><content type='html'>I recently saw a post on a list I belong to asking about DeDuplicating and DeNSRLing some files. He was trying to do this in a very popular forensic product and after 4 days he still had nothing. Someone replied (I had thought the same thing) about using a &lt;a href="http://www.microsoft.com/sql/default.mspx"&gt;SQL Server&lt;/a&gt; database to do this. Now if you are not that familiar with using databases then this would not be an easy task. Thinking about this I thought it would make a good project. To start off you first need to accommodate a large amount of data and it should perform well (that is a bigger challenge than you may think).&lt;br /&gt;&lt;br /&gt;The parameters for the project are:&lt;br /&gt;&lt;br /&gt;1. The NSRL reference table will only hold 1 set of hash values (I chose MD5 but you could choose SHA1 or CRC).&lt;br /&gt;&lt;br /&gt;2. Load the NSRL data in a timely manner.&lt;br /&gt;&lt;br /&gt;3. Be able to add my own hash sets to compare against as well.&lt;br /&gt;&lt;br /&gt;4. Use as much free software as possible.&lt;br /&gt;&lt;br /&gt;5. Load my hashes to compare in a timely manner.&lt;br /&gt;&lt;br /&gt;6. Compare my hashes in a timely manner.&lt;br /&gt;&lt;br /&gt;7. Be able to easily report and extract known and unknown hash sets from what I loaded.&lt;br /&gt;&lt;br /&gt;8. 
Work on both Windows and Linux (sorry Mac)&lt;br /&gt;&lt;br /&gt;I started off by using &lt;a href="http://www.sqlite.org/"&gt;SQLite&lt;/a&gt; with a Perl script to load the &lt;a href="http://www.nsrl.nist.gov/"&gt;NSRL&lt;/a&gt; data. I was able to load the NSRL data in approx. 1 hour, which for the amount of data and an embedded database I thought was pretty good, and you would only do this task possibly once a quarter. The problem came next when I tried to create an index on the table and it went out to lunch. After a couple of hours I knew I would have to come up with a different database solution. I then looked at the free version of &lt;a href="http://www.oracle.com"&gt;Oracle&lt;/a&gt; (I am pretty familiar with this database and it also has a Linux version, that is why I chose it over SQL Server); now here is where it starts to get hard since I am limited to only 4 GB of data in the free version. I installed it without a problem and started it up. It was using approx. 300 MB of memory, so for anyone out there wanting to do this you should probably have 1 GB of memory on your machine.&lt;br /&gt;&lt;br /&gt;I next started to create some tablespaces, users and tables. I then used Oracle's SQL*Loader product to load the data into the database and then indexed the table. This took about 3.5 GB between the index and table (40,000,000+ rows). I then created a list of hashes from a previous examination using &lt;a href="http://x-ways.net"&gt;X-Ways Forensics &lt;/a&gt;version 13. I then loaded this data into the database (600,000+ rows) and then created a table of known and unknown hashes for the examination. 
After trying many different things to make it fast and small I finally came up with the following:&lt;br /&gt;&lt;br /&gt;The NSRL table is deduplicated from 40,000,000 rows down to 14,000,000+ rows and from 3.5 GB (table and index) down to 1.2 GB (table and index), with a load time of approx. 36 minutes.&lt;br /&gt;&lt;br /&gt;My hash set was smaller than 500 MB and took approx. 5 minutes to load the 660,000+ rows and create 2 tables (known hash set and unknown hash set). The known hashes table has approx. 46,000 rows, with the unknown hashes table having 604,000+ rows.&lt;br /&gt;&lt;br /&gt;Now I have uploaded the scripts &lt;a href="http://redwolfcomputerforensics.com/downloads/nsrl_hashs_compare.zip"&gt;here&lt;/a&gt; (SQL and SQL*Loader) and batch files to run to create your own little hash comparison system. There is an install.txt file to help you get started. Once you install &lt;a href="http://www.oracle.com/technology/software/products/database/oracle10g/index.html"&gt;Oracle Express&lt;/a&gt; and download the &lt;a href="http://www.nsrl.nist.gov/Downloads.htm"&gt;NSRL&lt;/a&gt; data you should be able to get started.&lt;br /&gt;&lt;br /&gt;If you don't want to use MD5 as I did, then just change the MD5 references to SHA1 or CRC and change the load cards to only load what you want. You can also change the hash set tables to whatever you want to load. Just use what I supplied as a template to make your modifications. With a little creativity you can also create your own lists of knowns and unknowns and use these to compare against as well; just use the NSRL schema as a template. &lt;br /&gt;&lt;br /&gt;Now looking back I feel I accomplished everything I set out to. It is fast: 41 minutes from start to finish if I do not have the NSRL already loaded, otherwise roughly 5 minutes for 660,000+ rows. It is a free solution. I can now export the rows and create reports as well. 
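For anyone who wants to stay with an embedded database rather than install Oracle, here is an added example (my code, not the post's SQL and SQL*Loader scripts) of the same known/unknown comparison in Python with SQLite. It avoids the index-build stall described above by keying the reference table on the hash column itself, so loading, deduplicating and indexing happen in one pass, and by running the whole load in a single transaction. The NSRL rows and the examination hash list are constructed stand-ins, not real NSRL data; the NSRL sample uses the column header of the NSRLFile.txt text export, and the md5,path layout of the examination list is an assumption, since the post does not give the X-Ways export format.

```python
"""Known/unknown hash triage against an NSRL-style reference set with SQLite.

Added example, not the Oracle / SQL*Loader scripts from the post.  The post's
SQLite attempt stalled while building an index after a 40M-row load; the two
choices here remove that step: the reference table is keyed on the hash column
itself (a WITHOUT ROWID primary key, so load, dedup and index are one pass) and
the whole load runs in a single transaction.  Both input sets below are
constructed stand-ins (not real NSRL data); the NSRL sample uses the column
header of the NSRLFile.txt text export, and the examination list is assumed to
be a simple md5,path CSV because the post does not give the X-Ways layout.
"""
import csv
import io
import sqlite3

NSRL_SAMPLE = '''"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"0000000000000000000000000000000000000001","D41D8CD98F00B204E9800998ECF8427E","00000000","empty.txt","0","1","358",""
"0000000000000000000000000000000000000002","9E107D9D372BB6826BD81D3542A419D6","2E9F1C5A","kernel32.dll","1024","2","358",""
"0000000000000000000000000000000000000002","9E107D9D372BB6826BD81D3542A419D6","2E9F1C5A","kernel32.dll","1024","3","358",""
"0000000000000000000000000000000000000003","E4D909C290D0FB1CA068FFADDF22CBD0","5AC3B1E2","notepad.exe","2048","2","358",""
'''

EXAM_SAMPLE = r'''md5,path
d41d8cd98f00b204e9800998ecf8427e,C:\Users\bob\empty.txt
9e107d9d372bb6826bd81d3542a419d6,C:\Windows\System32\kernel32.dll
5f4dcc3b5aa765d61d8327deb882cf99,C:\Users\bob\Downloads\tool.exe
5f4dcc3b5aa765d61d8327deb882cf99,C:\Temp\tool.exe
'''

SCHEMA = """
CREATE TABLE IF NOT EXISTS nsrl (md5 TEXT PRIMARY KEY) WITHOUT ROWID;
CREATE TABLE IF NOT EXISTS exam (md5 TEXT NOT NULL, path TEXT NOT NULL);
"""


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    # The reference DB is rebuilt from the NSRL download, so durability on
    # every write buys nothing; trading it away speeds up the bulk load.
    db.execute("PRAGMA synchronous = OFF")
    db.executescript(SCHEMA)
    return db


def load_nsrl(db, fileobj, column="MD5"):
    """Stream an NSRLFile.txt-format export into nsrl, keeping one hash type.
    Duplicate hashes (the same file shipped in many products) collapse on the
    primary key.  Returns the number of distinct hashes stored."""
    reader = csv.DictReader(fileobj)
    rows = ((row[column].strip().upper(),) for row in reader)
    with db:                                        # one transaction
        db.executemany("INSERT OR IGNORE INTO nsrl (md5) VALUES (?)", rows)
    return db.execute("SELECT count(*) FROM nsrl").fetchone()[0]


def load_exam(db, fileobj):
    """Replace the examination hash list (md5,path CSV).  Returns rows loaded."""
    reader = csv.DictReader(fileobj)
    rows = ((row["md5"].strip().upper(), row["path"]) for row in reader)
    with db:
        db.execute("DELETE FROM exam")
        db.executemany("INSERT INTO exam (md5, path) VALUES (?, ?)", rows)
    return db.execute("SELECT count(*) FROM exam").fetchone()[0]


def triage(db):
    """Split exam into NSRL-known rows and unknown rows.  Each lookup is one
    primary-key probe.  Unknowns are grouped per hash with a count and one
    representative path, so each distinct unknown file is reviewed once."""
    known = db.execute(
        "SELECT e.md5, e.path FROM exam e JOIN nsrl n ON n.md5 = e.md5 "
        "ORDER BY e.path"
    ).fetchall()
    unknown = db.execute(
        "SELECT e.md5, min(e.path), count(*) FROM exam e "
        "LEFT JOIN nsrl n ON n.md5 = e.md5 WHERE n.md5 IS NULL "
        "GROUP BY e.md5 ORDER BY min(e.path)"
    ).fetchall()
    return known, unknown


def run_sample():
    """Load both constructed sets into an in-memory DB and triage them."""
    db = open_db()
    nsrl_count = load_nsrl(db, io.StringIO(NSRL_SAMPLE))
    exam_count = load_exam(db, io.StringIO(EXAM_SAMPLE))
    known, unknown = triage(db)
    db.close()
    return nsrl_count, exam_count, known, unknown


if __name__ == "__main__":
    nsrl_count, exam_count, known, unknown = run_sample()
    print(f"{nsrl_count} distinct NSRL hashes, {exam_count} examination rows")
    print("known:", known)
    print("unknown:", unknown)
```

For a real load, pass open("NSRLFile.txt", newline="") to load_nsrl and a file path to open_db so the reference set persists between cases; switching to SHA-1 is a matter of the column argument and the schema column name. The unknown query is the one that goes to the examiner, since the known rows are by definition files the NSRL already accounts for.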
Using Oracle Express I can run it on either the Windows or Linux platform, and since I do not use any gui tools there are not too many modifications to make it work on either platform. I would love to hear your experiences with using this and what timings you get with your hash set comparisons. &lt;br /&gt;&lt;br /&gt;Questions/Comments/Thoughts?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-5584323473547821474?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/5584323473547821474/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=5584323473547821474' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/5584323473547821474'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/5584323473547821474'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/05/comparing-large-hash-sets-against-nsrl.html' title='Comparing Large Hash sets Against NSRL.......'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-7241643643604849228</id><published>2007-05-07T12:30:00.000-05:00</published><updated>2007-05-07T12:57:58.979-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='X-ways Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='ThumbsDisplay'/><category 
scheme='http://www.blogger.com/atom/ns#' term='CutePDF'/><category scheme='http://www.blogger.com/atom/ns#' term='InfinaDyne'/><title type='text'>Thumbs DB Files</title><content type='html'>I received an email about a new product from &lt;a href="http://www.infinadyne.com"&gt;InfinaDyne&lt;/a&gt;.  It is called &lt;a href="http://www.infinadyne.com/ThumbsDisplay.html"&gt;ThumbsDisplay&lt;/a&gt; and it displays the contents of the Thumbs.db file.  It will also do the following:&lt;br /&gt;&lt;br /&gt;Cut and paste the picture to another application&lt;br /&gt;&lt;br /&gt;Print 3 types of report (Contact Sheet with all the pictures displayed, Picture with date and time, Full Size picture with date and time).&lt;br /&gt;&lt;br /&gt;Scan the drive for all thumbs.db files.&lt;br /&gt;&lt;br /&gt;You can also call the program with a thumbs.db file as a parameter and it will load that file into the viewer.  This is really nice since you can then use it to view thumbs.db files from within other forensics programs, such as &lt;a href="http://www.x-ways.net"&gt;X-Ways Forensics&lt;/a&gt;.  One of the best things about this program is the price, only $29.99.  If you want to test drive it before you buy, they also have a demo version you can download.  &lt;br /&gt;&lt;br /&gt;The only drawback I see right now is that you can only print the reports, you can't save them.  You need something installed like &lt;a href="http://www.cutepdf.com/"&gt;cutePDF&lt;/a&gt; to print the file to a PDF file.  Maybe in a future release they will add this feature.  Otherwise it seems like a great inexpensive tool to keep in the toolbox.  
And in case you are wondering, I did pay for my own copy of the program; I am not getting anything free here.&lt;br /&gt;&lt;br /&gt;Thoughts/Comments/Questions.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-7241643643604849228?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/7241643643604849228/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=7241643643604849228' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/7241643643604849228'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/7241643643604849228'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/05/thumbs-db-files.html' title='Thumbs DB Files'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-4828228488130360536</id><published>2007-04-23T06:25:00.000-05:00</published><updated>2007-04-23T07:51:31.053-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Restore Point'/><category scheme='http://www.blogger.com/atom/ns#' term='Autoit'/><category scheme='http://www.blogger.com/atom/ns#' term='Sqlite'/><category scheme='http://www.blogger.com/atom/ns#' term='Harlan Carvey'/><category scheme='http://www.blogger.com/atom/ns#' term='Registry'/><title type='text'>Registry Files in the Restore 
Point.</title><content type='html'>You're in the middle of an examination of a &lt;a href="http://www.microsoft.com/windows/products/windowsxp/default.mspx"&gt;Windows XP &lt;/a&gt;machine and you're wondering what some registry settings were during a specific time, and you think to yourself, why don't I look in the System Restore Point. As you navigate to the restore point directory all of a sudden you see 20+ restore points and you think "Oh ????? (insert word here)". As you look at all the restore points you start to think how you are going to get all that information out and not take forever. You only want to look at 5 different registry keys over some time period that resides within those 20+ restore points. Don't despair, I have a solution.&lt;br /&gt;&lt;br /&gt;What I have done is taken &lt;a href="http://windowsir.blogspot.com"&gt;Harlan Carvey's &lt;/a&gt;&lt;a href="http://sourceforge.net/project/showfiles.php?group_id=164158&amp;package_id=191692"&gt;regp.pl&lt;/a&gt; program and modified it to scan a directory, read the raw registry files and insert the entries into a &lt;a href="http://www.sqlite.org"&gt;SQLite&lt;/a&gt; database (of course). I then created a program to read the database and output registry keys in chronological order, so you can see the dates and times of the entries along with the restore point they belong to, in a comma separated file. 
For example here is a sample of the output looking at the following registry keys.&lt;br /&gt;&lt;br /&gt;Registry File Name, Registry Key, Last Write Date Time, Registry Key Name, Data Type, Registry Value, Registry Value, File Location&lt;br /&gt;_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Wed Apr 18 20:55:01 2007,StartTime,2007/04/18-16:55:01, //-:U:,c:/mark/restore/RP603/snapshot,&lt;br /&gt;_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Tue Apr 17 23:29:36 2007,StartTime,2007/04/17-19:29:36, //-:):6,c:/mark/restore/RP602/snapshot,&lt;br /&gt;_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Mon Apr 16 22:57:56 2007,StartTime,2007/04/16-18:57:56, //-:W:V,c:/mark/restore/RP601/snapshot,&lt;br /&gt;_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Sat Apr 14 21:10:18 2007,StartTime,2007/04/13-13:41:27, //-:A:,c:/mark/restore/RP600/snapshot,&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Sat Apr 14 21:10:18 2007,ExitTime,2007/04/13-12:22:04, //-:":,c:/mark/restore/RP600/snapshot,&lt;br /&gt;_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Mon Apr 16 22:57:56 2007,ExitTime,2007/04/16-16:05:08, //-::,c:/mark/restore/RP601/snapshot,&lt;br /&gt;_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Tue Apr 17 23:29:36 2007,ExitTime,2007/04/17-16:33:14, //-:3:,c:/mark/restore/RP602/snapshot,&lt;br /&gt;_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Wed Apr 18 20:55:01 2007,ExitTime,2007/04/18-15:51:38, //-:Q:8,c:/mark/restore/RP603/snapshot,&lt;br /&gt;&lt;br /&gt;Pretty cool. 
&lt;br /&gt;&lt;br /&gt;Now for the gory details. The main program takes as input a directory (where you exported the restore point to) and a database file name that you want to create. It scans the directory recursively until it finds a file named _REGISTRY (the beginning name of all the registry files in the restore point). It then opens that file, parses it and inserts the records into the database. As it inserts the records it will take anything with a record type of binary (with a length less than 2000 bytes) and convert it to ascii so it is potentially readable. The report program takes a database file name and output file name as parameters. It reads a txt file that specifies what registry entries will be outputted.  I have also included an &lt;a href="http://www.autoitscript.com/autoit3/"&gt;autoit&lt;/a&gt; gui front end for the command line averse folks. The gui front end will ask for the restore point directory and database file name for reading the registry, and the database file name and output directory for the report. You can specify a verbose mode which will tell you what files you are currently processing. There is one more option to choose on the gui and that is the file extension to run; I did this in case you want to run either the .pl (perl source) or the .exe (executable version of the perl source). &lt;br /&gt;&lt;br /&gt;One small problem with the program is that reading the registry files is pretty slow. In my testing I had a total directory size of approx. 250M (only counting the registry file sizes) which included 4 restore points, and it took about 20 minutes to parse all of them. I have looked at the program and most of the time is in reading the registry files themselves, not inserting into the database. The report runs pretty quickly though. 
One thing to note: I felt it was quicker to get everything versus looking for what I want, since what you want may change during the exam or over time, and the only thing you would then have to change is the report ini file.&lt;br /&gt;&lt;br /&gt;Hopefully I have not confused everyone.  Some of the code is ugly and all the comments may not be there, so I apologize for that.  As always report problems and so forth back to me and hopefully it helps out, saves time and gets you the data you need.&lt;br /&gt;&lt;br /&gt;The zip file with all the goodies can be found &lt;a href="http://redwolfcomputerforensics.com/downloads/restore_point_registry.zip"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Questions/Comments/Suggestions?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-4828228488130360536?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/4828228488130360536/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=4828228488130360536' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/4828228488130360536'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/4828228488130360536'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/04/registry-files-in-restore-point.html' title='Registry Files in the Restore Point.'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' 
src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-4789978069084517422</id><published>2007-04-08T22:40:00.000-05:00</published><updated>2007-10-31T14:19:10.601-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='prefetch'/><category scheme='http://www.blogger.com/atom/ns#' term='U3 Smart technology'/><category scheme='http://www.blogger.com/atom/ns#' term='USB'/><title type='text'>U3 Smart Technology.......</title><content type='html'>&lt;div align="justify"&gt;Man do I love technology sometimes. What is great about &lt;a href="http://www.u3.com/"&gt;U3 smart technology&lt;/a&gt; is that as long as autorun is enabled for the cd you can potentially tell when one of these USB devices has been plugged in. By looking in the windows prefetch directory all you have to look for are these files, Launchu3.exe, Launchpad.exe and cleanup.exe. The 2 launch programs are run when ever the USB drive is plugged in (assuming autorun is enabled). The cleanup program is run whenever the USB drive is ejected using the launchpad.&lt;br /&gt;&lt;br /&gt;Now if you are lucky you may see multiple entries for these files in the prefetch or you can see different create and modified dates for them as well. Now you may also notice that these files may have multiple different dates and times. Here is an example from the prefetch directory of the multiple dates and times.&lt;br /&gt;&lt;br /&gt;Filename Created Modified Accessed&lt;br /&gt;LAUNCHU3.EXE-XXXXXXXX.pf 2/5/2007 13:56 2/13/2007 5:52 2/13/2007 5:52&lt;br /&gt;LAUNCHPAD.EXE-XXXXXXXX.pf 2/5/2007 13:57 2/13/2007 5:52 2/13/2007 5:52&lt;br /&gt;CLEANUP.EXE-XXXXXXXX.pf 2/12/2007 21:54 2/13/2007 7:01 2/13/2007 7:01&lt;br /&gt;&lt;br /&gt;Looking at these entries in the prefetch it tells me that the USB drive was attached on February 5, 2007 and also February 13, 2007. 
The drive was then removed on February 12, 2007 and February 13, 2007. Pretty cool that I can tie the USB device to being used on 3 separate occasions. Also by looking in the setupapi.log file you can see when the drive was first attached, which potentially adds a 4th time the drive was attached. Now you see why I love technology sometimes.&lt;br /&gt;&lt;br /&gt;Thoughts/Comments/Questions?&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-4789978069084517422?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/4789978069084517422/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=4789978069084517422' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/4789978069084517422'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/4789978069084517422'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/04/u3-smart-technology.html' title='U3 Smart Technology.......'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-2309460464803851375</id><published>2007-04-05T21:31:00.000-05:00</published><updated>2007-04-05T22:06:18.667-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Index.dat'/><category scheme='http://www.blogger.com/atom/ns#' term='Perl'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Pasco'/><category scheme='http://www.blogger.com/atom/ns#' term='URL&apos;s'/><title type='text'>URL History.</title><content type='html'>I wrote this program back in December 2005; what it does is read in an IE or Mozilla history file and output it to a comma delimited, tab delimited or html file. You can also open it in Excel or a browser and sort the records in ascending or descending order. I know there are many programs that will do this, but this program has one special feature that I added: you can make it output url records between specific dates so you can narrow down your search of url records.&lt;br /&gt;&lt;br /&gt;When I created this I modeled it after pasco. It is a gui program and that is why it is so large; this would probably be a good candidate for an autoit front end instead of perl. One thing I did find out about pasco is that it looks in the index.dat file for the size of the file and only reads until the file size. What I found is that the file size stored in the index.dat files is not always kept up to date. My program just reads until the end of the file so it will always get all the records. &lt;br /&gt;&lt;br /&gt;The code and executable can be found &lt;a href="http://RedWolfComputerForensics.com/downloads/URL_HISTORY.zip"&gt;here&lt;/a&gt;. 
As always, comments, suggestions and improvements to the program are welcome.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Thoughts, Comments, Suggestions?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-2309460464803851375?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/2309460464803851375/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=2309460464803851375' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2309460464803851375'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2309460464803851375'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/04/url-history.html' title='URL History.'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-2376444863175494830</id><published>2007-03-26T21:49:00.000-05:00</published><updated>2007-03-29T09:18:53.105-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Peer Reviews'/><category scheme='http://www.blogger.com/atom/ns#' term='Floppy Diskette Imaging'/><title type='text'>Acquiring a Forensic Copy of a Floppy Disk Checklist For Peer Review</title><content type='html'>Here is a checklist for Acquiring and Creating a Forensic Copy of a Floppy Diskette. 
It can be found &lt;a href="http://redwolfcomputerforensics.com/downloads/Check_List_for_Accquiring_and_Creating_a_Forensic_Copy_of_Original_Floppy_Disk.doc"&gt;here&lt;/a&gt;. Give it the once or twice over and let me know how it looks and if any changes should be made to the doc. Enjoy.&lt;br /&gt;&lt;br /&gt;Comments/Thoughts/Questions&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-2376444863175494830?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/2376444863175494830/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=2376444863175494830' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2376444863175494830'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2376444863175494830'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/03/acquiring-forensic-copy-of-floppy-disk.html' title='Acquiring a Forensic Copy of a Floppy Disk Checklist For Peer Review'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-3407810038459551745</id><published>2007-03-26T06:41:00.000-05:00</published><updated>2007-03-26T07:10:38.493-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensic Incident Response'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Hogfly'/><category scheme='http://www.blogger.com/atom/ns#' term='Peer Reviews'/><title type='text'>Reviews</title><content type='html'>Over on &lt;a href="http://www2.blogger.com/profile/00741773109962883616"&gt;Hogfly's&lt;/a&gt; &lt;a href="http://forensicir.blogspot.com/"&gt;Forensic Incident Response blog &lt;/a&gt;he has a great entry about &lt;a href="http://forensicir.blogspot.com/2007/03/peer-review.html"&gt;peer reviews&lt;/a&gt;. I agree with everything he says and support it.  One thing I was thinking about was that by publishing this information you are letting every Tom, Dick and Harry have the information; they would then throw out their own shingle and state that they are a computer forensics professional because they know how to acquire a drive. Now this may be true, but as you question these individuals and talk to them at length you will then realize that they are no better than a 1st line of support. You know what I am talking about: you call support and they run you through every step you have already run through before calling them, which is why you are calling them. What I am getting at is that the process/procedure is only as good as the person who understands it and can explain it. After talking to someone just going through the steps of the procedure you can ask why they did step 6. If you get the "Deer in the headlights" look you know you can question them further and that they do not understand the peer reviewed process that is published on the Internet.  
So I guess the previous line of thought should now be a moot point.&lt;br /&gt;&lt;br /&gt;Now that Hogfly has thrown down the gauntlet I guess it is time to polish up those procedures and get a peer review or 2.&lt;br /&gt;&lt;br /&gt;Comments/Thoughts/Questions?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-3407810038459551745?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/3407810038459551745/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=3407810038459551745' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3407810038459551745'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3407810038459551745'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/03/reviews.html' title='Reviews'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-3325126829709395617</id><published>2007-03-20T13:34:00.000-05:00</published><updated>2007-03-20T13:40:07.868-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='X-ways Capture'/><category scheme='http://www.blogger.com/atom/ns#' term='Remote Acquisitions'/><title type='text'>Remote Capture Solution Posted On X-ways Capture Site</title><content type='html'>The &lt;a 
href="http://cfed-ttf.blogspot.com/2007/03/imaging-that-remote-pcserver.html"&gt;solution&lt;/a&gt; I posted earlier about using &lt;a href="http://www.x-ways.net/capture/index-m.html"&gt;X-Ways Capture &lt;/a&gt;for remote imaging has been posted on their site.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-3325126829709395617?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/3325126829709395617/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=3325126829709395617' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3325126829709395617'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/3325126829709395617'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/03/remote-caputure-solution-posted-on-x.html' title='Remote Capture Solution Posted On X-ways Capture Site'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-8305229763629650670</id><published>2007-03-19T13:42:00.000-05:00</published><updated>2007-03-19T13:59:05.062-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='podcasts'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyberspeak'/><category scheme='http://www.blogger.com/atom/ns#' term='topics'/><title type='text'>Mention on 
Cyberspeak</title><content type='html'>If you were listening to the end of &lt;a href="http://cyberspeak.libsyn.com"&gt;Cyberspeak&lt;/a&gt; then you might have heard my company mentioned as well as this blog (not in name though, hopefully in a future podcast).  Hopefully I can live up to keeping the topics flowing and providing information that is useful and helpful.  As always any comments, tips, topics, help you may need are always welcome.  You can reach me at mark[dot]mckinnon[at]sbcglobal[dot]net.&lt;br /&gt;&lt;br /&gt;Thanks for the mention Bret and Ovie.&lt;br /&gt;&lt;br /&gt;Questions/Comments/Thoughts?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-8305229763629650670?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/8305229763629650670/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=8305229763629650670' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8305229763629650670'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8305229763629650670'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/03/mention-on-cyberspeak.html' title='Mention on Cyberspeak'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' 
src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-290983091040805499</id><published>2007-03-19T12:44:00.000-05:00</published><updated>2007-03-19T13:42:46.495-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Apache Access Logs'/><category scheme='http://www.blogger.com/atom/ns#' term='X-ways Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Perl'/><category scheme='http://www.blogger.com/atom/ns#' term='Sqlite DB'/><title type='text'>Reading Apache Access Logs</title><content type='html'>There are many scripts out there that read the Apache access log. More recently &lt;a href="http://www.forensicswiki.org/wiki/Jesse_Kornblum"&gt;Jesse Kornblum &lt;/a&gt;posted his &lt;a href="http://jessekornblum.livejournal.com/215348.html"&gt;script&lt;/a&gt; for parsing the logs for search queries. Well here is my attempt at doing this; as always there is a database involved.&lt;br /&gt;&lt;br /&gt;All this script does is read in the apache log file, parse it and save it to the database. You can then write sql to get the data back for you, for example:&lt;br /&gt;&lt;br /&gt;select * from apache_log where access_dttm = '10/Mar/2007';&lt;br /&gt;&lt;br /&gt;Now to run the program just type &lt;em&gt;read_apache_log.pl access_log&lt;/em&gt;. The program and table creates can be downloaded &lt;a href="http://RedWolfComputerForensics.com/downloads/read_apache_logs.zip"&gt;here&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;For users of &lt;a href="http://www.x-ways.net"&gt;X-ways Forensics &lt;/a&gt;you can define this program as an external program and load the database right from x-ways as you are doing your analysis. 
Just make sure you change the spot where your database points to.&lt;br /&gt;&lt;br /&gt;Thoughts/Questions/Comments?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-290983091040805499?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/290983091040805499/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=290983091040805499' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/290983091040805499'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/290983091040805499'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/03/reading-apache-access-logs.html' title='Reading Apache Access Logs'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-1438302967864892825</id><published>2007-03-13T20:54:00.000-05:00</published><updated>2007-03-13T21:07:42.206-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Public Library'/><category scheme='http://www.blogger.com/atom/ns#' term='Hash Sets'/><category scheme='http://www.blogger.com/atom/ns#' term='Software'/><title type='text'>Your Local Public Library.</title><content type='html'>If you are not aware, your local public library more than likely has software that you can check out and install (both kids software and adult software, 
not porn). One good thing about this is that you can create a virtual machine and install the software you checked out and start creating some hash sets. Some library's will probably have quite a list of software to check out. At my local library there are approx 30 titles for adult software and approx 50 children's titles and it is not a very large library. So happy hash set creation.&lt;br /&gt;&lt;br /&gt;Thoughts/Questions/Comments?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-1438302967864892825?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/1438302967864892825/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=1438302967864892825' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1438302967864892825'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1438302967864892825'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/03/your-local-public-library.html' title='Your Local Public Library.'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-8538977050530224901</id><published>2007-03-12T06:17:00.000-05:00</published><updated>2007-03-12T07:05:09.747-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Psexec'/><category 
scheme='http://www.blogger.com/atom/ns#' term='X-ways Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Batch Files'/><category scheme='http://www.blogger.com/atom/ns#' term='Autoit'/><category scheme='http://www.blogger.com/atom/ns#' term='X-ways Capture'/><category scheme='http://www.blogger.com/atom/ns#' term='Remote Acquisitions'/><title type='text'>Imaging that remote PC/Server.....</title><content type='html'>So what better thing to do on a Monday morning then go through all the e-mails, blogs and news that has piled up this weekend, especially on a time change weekend. So I will try and keep this lite but I am sure it will raise questions. What I have for you today is a way I have found to do a remote image of a machine. The tools I will use are a simple batch file, &lt;a href="http://www.autoitscript.com/"&gt;Autoit&lt;/a&gt;, &lt;a href="http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx"&gt;psexec&lt;/a&gt; and &lt;a href="http://www.x-ways.net/capture/index-m.html"&gt;X-Ways Capture &lt;/a&gt;(Capture being the only non free tool but well worth the money). I will not go into very much detail about Capture except for just doing the image of the machine, it is worth looking at though as it has many features for live imaging and incident response as well.&lt;br /&gt;&lt;br /&gt;I have uploaded a zip file with my autoit script and executable and a couple of batch files and it can be found &lt;a href="http://redwolfcomputerforensics.com/downloads/remote_capture.zip"&gt;here&lt;/a&gt;. What I do in a nut shell is psexec a batch file to the remote machine and execute it. I use the copy flag on psexec which copies the file to the machine to run it. From what I have tested, and I still need to do more but wanted to introduce this to everyone, this is what I have seen being changed:&lt;br /&gt;&lt;br /&gt;1. Entry in $MFT for batch file and file stored in $MFT (file is only 111 bytes)&lt;br /&gt;2. 
On XP systems prefetch files are created for psexec.exe, the batch file, capture.exe and net.exe.&lt;br /&gt;3. Registry is updated.&lt;br /&gt;&lt;br /&gt;Now for what I did. In the autoit script Remote_capture.exe I ask for the following fields to be filled in:&lt;br /&gt;&lt;br /&gt;1. Remote computer's Name - Defaults to current machine name and will be name of machine to image.&lt;br /&gt;2. Domain\Username - Domain (if any) and username to log onto, must be an administrator on that machine.&lt;br /&gt;3. Password - Password of the account to login.&lt;br /&gt;4. Capture Drive Mapping - Drive and UNC path to where the capture software is.&lt;br /&gt;5. Output Drive Mapping - Drive and UNC path to where the output (image and logs) will go.&lt;br /&gt;6. Capture executable directory - Directory on drive where X-Ways Capture resides.&lt;br /&gt;7. Capture output directory - Directory on drive where output will go.&lt;br /&gt;&lt;br /&gt;There are 2 buttons to push: one is to show the mapped drives on the machine you are going to image, which is helpful to make sure that you do not try and map the wrong drive; the other button is to start the process. Once all the information is filled in and you start the process, here is what happens.&lt;br /&gt;&lt;br /&gt;1. Batch file is executed to run psexec and pass it all the fields above as parameters, which executes another batch file on the machine to acquire.&lt;br /&gt;2. Batch file is copied to the remote machine and executed and does the following:&lt;br /&gt;&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 1. Map the drive for the capture software.&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;2. Map the drive for output to go to.&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;3. Change directory to where the capture software is.&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;4. Execute the X-Ways Capture and image the drive.&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;5. Delete both drive mappings.&lt;br /&gt;&lt;br /&gt;3. Batch file is executed to show drive mappings of the remote machine to show that they have been deleted.&lt;br /&gt;&lt;br /&gt;That is it in a nutshell. I have tested this on a VM server, a remote PC and Citrix, and I have successfully imaged each machine and was able to import the image into &lt;a href="http://x-ways.net/forensics/index-m.html"&gt;X-Ways Forensics&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;A few neat features of this are:&lt;br /&gt;&lt;br /&gt;1. Autoit script and batch file can be given to an administrator and show that you are not doing anything out of the ordinary.&lt;br /&gt;2. The passwords do not echo back, so an administrator can type the password in for you so you do not need to know it (yes I know you can change the batch file to echo it, but we have no need to do that).&lt;br /&gt;3. When scripts run on the remote machine no windows are opened and the only indication that anything is running is a couple of extra processes in the task manager and lots of disk activity.&lt;br /&gt;4. If you really want to be slick you can rename the capture.exe program to svchost.exe (or something along that line) so if a user does look or the program abends it will look like a normal running program (I did abend the program and saw an error message pop up on the remote machine saying capture.exe abended).&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Hope this helps. 
If it is not clear let me know and I will try and explain further.&lt;br /&gt;&lt;br /&gt;Thought/Questions/Comments?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-8538977050530224901?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/8538977050530224901/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=8538977050530224901' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8538977050530224901'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8538977050530224901'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/03/imaging-that-remote-pcserver.html' title='Imaging that remote PC/Server.....'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-401680745075916240</id><published>2007-03-05T22:21:00.001-05:00</published><updated>2007-03-05T22:52:02.337-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Carvey'/><category scheme='http://www.blogger.com/atom/ns#' term='IR'/><category scheme='http://www.blogger.com/atom/ns#' term='Monitoring'/><category scheme='http://www.blogger.com/atom/ns#' term='Processes'/><category scheme='http://www.blogger.com/atom/ns#' term='Services'/><title type='text'>Service and Process Information For IR</title><content 
type='html'>Over at &lt;a href="http://www.forensicswiki.org/wiki/Harlan_Carvey"&gt;Harlan Carvey's&lt;/a&gt; &lt;a href="http://windowsir.blogspot.com/2007/03/getting-service-information-during-ir.html"&gt;blog&lt;/a&gt; he talks about getting the service information during an incident response. Well, let's take it a step further by collecting this information before the incident and storing it in a database. By doing this we can then compare the data when an incident does happen, or, if we're lucky and have added monitoring to the processes, we may catch it.&lt;br /&gt;&lt;br /&gt;What I have put together is a program that will read the database to get a list of servers that you want to get the process and services information for. I have also included web pages that you can view the data with and update the known process and services information.  If you constantly run the batch program you can see if there are any unknown processes added to the servers. If you want to take it a step further you could check the database after the batch run and send a message if there are any unknown services/processes that are found (assumes that you have gone through every service/process on each server, which if you have a large server farm may take awhile).&lt;br /&gt;&lt;br /&gt;The zip file for these programs is &lt;a href="http://RedWolfComputerForensics.com/downloads/Service_Process_monitor.zip"&gt;here&lt;/a&gt;. There are 3 directories, &lt;br /&gt;&lt;br /&gt;SQL - Has the create statements for the database &lt;br /&gt;batch_update - Program that reads the servers from the database and updates the current processes/services in the database. I did not write this program, just extended one that I had found. 
The original author was &lt;a href="http://members.aol.com/bergert"&gt;Thomas Berger&lt;/a&gt;.&lt;br /&gt;web_pages - The web pages for data entry and showing what service/process is running on what servers.&lt;br /&gt;&lt;br /&gt;As you get it and check it out I am sure you might find a few mistakes and possible extensions to the programs as well. If you extend it further then shoot me an email and let me know what you did, it is always interesting to see how ideas can grow.&lt;br /&gt;&lt;br /&gt;Questions/Comments/Suggestions?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-401680745075916240?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/401680745075916240/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=401680745075916240' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/401680745075916240'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/401680745075916240'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/03/service-and-process-information-for-ir_05.html' title='Service and Process Information For IR'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' 
src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-8267074480417257925</id><published>2007-03-02T15:07:00.000-05:00</published><updated>2007-03-02T15:29:55.050-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Autoit'/><category scheme='http://www.blogger.com/atom/ns#' term='Remote Acquisitions'/><category scheme='http://www.blogger.com/atom/ns#' term='Offline Folders'/><title type='text'>Autoit and Things to Come...</title><content type='html'>No, I have not fallen off the face of the earth; between the kids' mid-winter break (I don't remember this when I went to school) and work I have been a little busy. I have a few things I am working on which I hope you will like. In upcoming posts I will chat about Remote Acquisitions, Offline Folders/CSC and anything else I can come up with or anything anyone else wants to mention. I am always looking for good topics to research and share with everyone. If you don't want to post a comment then just shoot me an email (mark dot mckinnon at sbcglobal dot net).&lt;br /&gt;&lt;br /&gt;A colleague of mine showed me this nifty little free Windows script automation tool called &lt;a href="http://www.autoitscript.com/"&gt;Autoit&lt;/a&gt;. It is pretty simple to use and you can make nice GUI front ends for many command line tools. It can be compiled into a stand-alone executable and even comes with an editor and build environment. The biggest struggle I had was getting the screens I had created formatted (my problem, not that of the language); once I overcame that hurdle it is a pretty slick tool. You can easily provide a nice GUI wrapper for your command line programs to give them a more professional, polished look. You can also make it easier for users who are not as command-line savvy as others to be able to use the command line programs. 
In the near future I will have a sample program that I have written with Autoit.&lt;br /&gt;&lt;br /&gt;Thinking out loud maybe one project for this would be a wrapper around &lt;a href="http://www.forensicswiki.org/wiki/Brian_Carrier"&gt;Brian Carrier's&lt;/a&gt; &lt;a href="http://sleuthkit.org/"&gt;Sleuth Kit&lt;/a&gt;. Since there is really no native port for Brian's &lt;a href="http://sleuthkit.org/autopsy/index.php"&gt;Autopsy Forensic Browser&lt;/a&gt; for windows it might be a cool project to start.&lt;br /&gt;&lt;br /&gt;Thoughts/Comments/Suggestions??&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-8267074480417257925?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/8267074480417257925/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=8267074480417257925' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8267074480417257925'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8267074480417257925'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/03/autoit-and-things-to-come.html' title='Autoit and Things to Come...'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' 
src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-6740183135526988030</id><published>2007-02-19T07:45:00.000-05:00</published><updated>2007-02-19T07:58:02.664-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Perl'/><category scheme='http://www.blogger.com/atom/ns#' term='MailBag Assistant'/><category scheme='http://www.blogger.com/atom/ns#' term='Aid4Mail'/><category scheme='http://www.blogger.com/atom/ns#' term='Email'/><category scheme='http://www.blogger.com/atom/ns#' term='E-Discovery'/><title type='text'></title><content type='html'>Ever need to know what words were in what emails? Ever need a cross reference for those words to what emails they came from? Don't want to spend a lot of money to get this done but want to be able to do this with many mailbox types and do it quickly? Well do I have some good news, with some Perl scripting, a &lt;a href="http://sqlite.org"&gt;sqlite&lt;/a&gt; database (I told you I love databases) and 2 programs from &lt;a href="http://www.fookes.com/"&gt;Fookes Software&lt;/a&gt;, &lt;a href="http://www.aid4mail.com/"&gt;Aid4mail&lt;/a&gt; and &lt;a href="http://www.fookes.com/mailbag/index.php"&gt;MailBag Assistant &lt;/a&gt;(both are also part of &lt;a href="http://www.paraben.com/"&gt;Paraben's&lt;/a&gt; &lt;a href="http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&amp;products_id=393"&gt;email examiner&lt;/a&gt;). &lt;br /&gt;&lt;br /&gt;So here is what you need to do. I will use an Outlook pst as an example. First open up Aid4Mail and export your pst file to a directory into eml format (make sure you recreate the directory structure of the mailbox). Next open up Mailbag Assistant and import all the eml files including the subdirectories. 
You will need to create the following script and template to use (I will put all the files in a zip archive and put them on my webserver for you).&lt;br /&gt;&lt;br /&gt;Script: Save_Body_As_Text&lt;br /&gt;&lt;br /&gt;IfEmpty End&lt;br /&gt;MergeData Save_Body_As_Text &lt;br /&gt;&lt;br /&gt;Template: Save_Body_As_Text&lt;br /&gt;&lt;br /&gt;&gt;&gt;&gt;Files ?\{Mailbox}\{Subject}.txt&lt;br /&gt;{Body}&lt;br /&gt;&lt;br /&gt;The script will take all the selected emails (alt-a) from the "Grid View - Main" and run the template unless no emails were selected. The template will save the text body of the eml file to a directory you will be prompted for, with a structure of &amp;lt;Directory Specified&amp;gt;\&amp;lt;Mail Box, IE: Inbox, Deleted, etc..&amp;gt;\&amp;lt;subject line&amp;gt;.txt. Once all the files have been extracted, run the get-word.pl Perl program, passing it the top level directory where the email bodies were extracted to; it will extract all the words and put them into the database (I am not including a listing of the program but will have it available for download). 
Now you can run sql against the database to find the keywords that you want; you can also run the following sql against the database to create copy statements for you so that you can copy the emails you want out to another directory (if you want to get even fancier then include a table with the keywords you are looking for and add a subselect to the query; if you don't know what that is, email me and I will explain it further).&lt;br /&gt;&lt;br /&gt;select 'copy "'||directory_found_in||'/'||filename_found_in||&lt;br /&gt;'" "c:/stuff/test/test/'||filename_found_in||'"'&lt;br /&gt;from word_file_xref a, words b&lt;br /&gt;where b.word_seq_num = a.word_seq_num and word = 'Oracle';&lt;br /&gt;&lt;br /&gt;You can also make a slight modification and add a table with words you do not want to see (IE: and, if, or, not, etc..).&lt;br /&gt;&lt;br /&gt;I will package all the code and database create statements up and also include an exe of the Perl program in case you do not have Perl but still want to test out the program (I know the code is not the neatest but it is functional). It can be found &lt;a href="http://RedWolfComputerForensics.com/downloads/mail-db.zip"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;One interesting thing to note is that this could be the beginning of an open source e-discovery email production package. Any takers for a project like this? 
&lt;br /&gt;&lt;br /&gt;Questions/comments/suggestions?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-6740183135526988030?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/6740183135526988030/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=6740183135526988030' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/6740183135526988030'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/6740183135526988030'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/02/ever-need-to-know-what-words-were-in.html' title=''/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-8022197387894341638</id><published>2007-02-09T16:03:00.000-05:00</published><updated>2007-02-09T16:54:47.373-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='X-ways Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Hash Sets'/><title type='text'>Incident Response Hash Set Creation....</title><content type='html'>I use &lt;a href="http://x-ways.net/"&gt;x-ways forensics &lt;/a&gt;as my main tool and I am pretty impressed with the product and support you get from the vendor.  One of the things that I have been doing is creating my own hash sets.  
X-ways allows you to create the hash sets using many different methods (sha1, md5, sha256, etc..).  Since x-ways is very light I thought I would try a little experiment.  Using version 13.0 I installed it on my Hard Drive (no registry settings needed and it weighs just over 4M with the external viewer and hash database).  I then RDP'd to a QA server and mapped a drive back to my machine.  I then fired up x-ways and examined the drives on the QA machine.  I was then able to create a sha256 hashset of each drive of the server (4 separate hashsets at this point for 4 drives).  I then exported the 4 hashsets into a directory and reimported the directory, naming the hashset the same name as the server (approx 78,000 hashes created).  I then waited 4 hours and rehashed all the drives on the QA server and compared it to what I created earlier.  I was left with approx 150 files that I had to look at, which makes life a lot easier during an incident response.  This is one of the many features X-ways has that can be used to help during Incident response.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-8022197387894341638?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/8022197387894341638/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=8022197387894341638' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8022197387894341638'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8022197387894341638'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/02/incident-response-hash-set-creation.html' title='Incident Response Hash Set Creation....'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>0</thr:total></entry>
<entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-53263916323851609</id><published>2007-02-06T14:29:00.000-05:00</published><updated>2007-02-06T14:47:02.200-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Hashs'/><category scheme='http://www.blogger.com/atom/ns#' term='Notes'/><category scheme='http://www.blogger.com/atom/ns#' term='Email'/><title type='text'>Posting of Sample Notes</title><content type='html'>As requested I am putting up a sample of the information I have (it has been sanitized) of some notes I recently took during an investigation. The file is &lt;a href="http://RedWolfComputerForensics.com/downloads/Forensic_Exam_Steps_tiddlywiki.htm"&gt;here&lt;/a&gt;. In the future when you leave comments, if you can let me know who you are I would greatly appreciate it. If you don't feel comfortable leaving your name then just shoot me an email at Mark.McKinnon@sbcglobal.net; I like to know who is requesting things and commenting.&lt;br /&gt;&lt;br /&gt;I know I have not blogged lately and I am getting some stuff ready to share with everyone, so be patient. If anyone has something they want passed along let me know and I will pass it along. You can contact me at the above email address. Make sure you put something in the subject relating to the blog. &lt;br /&gt;&lt;br /&gt;Anyone willing to share any file hashes that they have built? I have some hashes that I am putting together and will try and get them out within the month. 
&lt;br /&gt;&lt;br /&gt;Sorry this is short but more will be coming.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-53263916323851609?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/53263916323851609/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=53263916323851609' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/53263916323851609'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/53263916323851609'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/02/posting-of-sample-notes.html' title='Posting of Sample Notes'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-8248447109252890270</id><published>2007-01-22T12:10:00.000-05:00</published><updated>2007-01-22T12:44:04.532-05:00</updated><title type='text'>Notes During the Investigation....</title><content type='html'>So I am just sitting down to start an investigation and get out my notebook and pencil so I can jot down any notes when suddenly the lightbulb goes off and I wonder, why not try &lt;a href="http://tiddlywiki.com/"&gt;TiddlyWiki&lt;/a&gt;.  
I &lt;a href="http://cfed-ttf.blogspot.com/2007/01/tiddly-wiki-travel-notebook.html"&gt;blogged&lt;/a&gt; about this a little while ago, about using it to keep specific information in so you would not have to search for it later; I was not thinking about using it during an investigation to keep my notes in.  &lt;br /&gt;&lt;br /&gt;For the reports I write I have 4 sections:  Results/Things found, Opinion, Steps Taken and Technical Explanations.  So what I started to do was, instead of writing things down in my notebook, I started typing in TiddlyWiki. I make each thing I found its own tiddler with a tag of what section in the report I would put it in.  As I started to do this I found out how much simpler it is than writing it down in a notebook.  I can easily cut and paste things as well as keep everything in a timeline so I know when I ran across it.  I can search and make references to other sections as well.  Also I can use this as a template for the next investigation that I have; it can be the start of a very detailed and comprehensive checklist.  &lt;br /&gt;&lt;br /&gt;Now I know some people will argue the need for a checklist, but I think it is a good idea to have one. I don't know about you, but there is so much information out there, and to remember it all I think is just too much sometimes.  I think it would be better to have tiddlers of things to look at, and if it does not apply to the case then say so and move on (with the many flavors of OS's there will be things that you will do for some OS's and not others); if a lawyer wants to know why you did not do a specific step then your notes should say why (The OS was win98 so that is why I did not search the Restore Point directory).  
In a former life when I had some pretty big system implementations to do I always had a checklist to follow, it made me make sure I did not forget anything and also I could use it for documentation then next time I did an upgrade to the system since upgrades were a few years apart.&lt;br /&gt;&lt;br /&gt;Questions/Comments/Suggestions???&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-8248447109252890270?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/8248447109252890270/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=8248447109252890270' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8248447109252890270'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8248447109252890270'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/01/notes-during-investigation.html' title='Notes During the Investigation....'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-8488349245603431139</id><published>2007-01-12T21:56:00.000-05:00</published><updated>2007-01-12T22:10:05.710-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sql'/><category scheme='http://www.blogger.com/atom/ns#' term='database'/><category scheme='http://www.blogger.com/atom/ns#' term='report'/><title 
type='text'>To DB or Not To DB The Report</title><content type='html'>As requested, I have uploaded a sample program (&lt;a href="http://redwolfcomputerforensics.com/downloads/create-report.zip"&gt;create_report.zip&lt;/a&gt;) that creates a comma delimited file from the results of a SQL statement. The program takes one argument: the path of an ini-style file. In the zip, create-report.pl is the program and sql-report.txt is the ini file. create-report.pl reads the file passed to it; each line holds 3 parameters (database file, output file and SQL text). Each SQL statement is parsed, executed and its results written to the named output file. I chose comma delimited output because it is the easiest; you could produce any type of output you want. With this program all you have to do is edit or create a new ini file for each database you have.&lt;br /&gt;&lt;br /&gt;Questions/Comments/Suggestions?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-8488349245603431139?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/8488349245603431139/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=8488349245603431139' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8488349245603431139'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/8488349245603431139'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/01/to-db-or-not-to-db-report.html' title='To DB or Not To DB The Report'/><author><name>Mark 
McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-407440702320052659</id><published>2007-01-11T21:10:00.000-05:00</published><updated>2007-01-12T22:12:21.901-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sql'/><category scheme='http://www.blogger.com/atom/ns#' term='Carvey'/><category scheme='http://www.blogger.com/atom/ns#' term='Sqlite'/><category scheme='http://www.blogger.com/atom/ns#' term='Eventlog'/><category scheme='http://www.blogger.com/atom/ns#' term='database'/><title type='text'>To DB or Not To DB.........</title><content type='html'>Man, do I really love to use databases. When you have a decent database and a good design there is nothing that you cannot accomplish. Now when I say databases you are probably thinking &lt;a href="http://www.oracle.com"&gt;Oracle&lt;/a&gt;, &lt;a href="http://www-306.ibm.com/software/sw-bycategory/subcategory/SWB30.html"&gt;DB2&lt;/a&gt;, &lt;a href="http://www.microsoft.com/products/info/product.aspx?view=22&amp;pcid=a048b0c9-57e0-4e17-b720-59e796027480&amp;crumb=all"&gt;Sql Server&lt;/a&gt;, &lt;a href="http://www.mysql.com/"&gt;Mysql&lt;/a&gt;, etc... Those are all great databases with rich features, but I am thinking more along the lines of an embedded database. What I usually use is &lt;a href="http://www.sqlite.org/"&gt;Sqlite&lt;/a&gt;; it is an embedded relational database that is small and fast and supports most of SQL92. By combining Sqlite and perl I can do many things. 
Some examples of what I can do are as follows:&lt;br /&gt;&lt;br /&gt;Store data from log files and report on them based on different criteria.&lt;br /&gt;&lt;br /&gt;Load data and use sql to generate commands, ie: load up file names and then use sql to generate rename commands for the files.&lt;br /&gt;&lt;br /&gt;Load multiple log files and types and correlate the data into a comprehensive report.&lt;br /&gt;&lt;br /&gt;I will now show you what I am talking about. I will use one of &lt;a href="http://windowsir.blogspot.com"&gt;Harlan Carvey's&lt;/a&gt; &lt;a href="http://www.cpan.org/modules/by-authors/id/H/HC/HCARVEY/"&gt;CPAN scripts that read the event logs&lt;/a&gt;. I will use the lsevt3.pl program and make a few modifications to insert the records into a Sqlite database. The initial program looks like this:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;#! c:\perl\bin\perl.exe&lt;br /&gt;&lt;br /&gt;use strict;&lt;br /&gt;use File::ReadEvt;&lt;br /&gt;&lt;br /&gt;my $file = shift || die "You must enter a filename.\n";&lt;br /&gt;die "$file not found.\n" unless (-e $file);&lt;br /&gt;&lt;br /&gt;my $evt = File::ReadEvt::new($file);&lt;br /&gt;my %hdr = ();&lt;br /&gt;if (%hdr = $evt-&gt;parseHeader()) {&lt;br /&gt;# no need to do anything... 
&lt;br /&gt;}&lt;br /&gt;else {&lt;br /&gt;print "Error : ".$evt-&gt;getError()."\n";&lt;br /&gt;die;&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;my $ofs = $evt-&gt;getFirstRecordOffset();&lt;br /&gt;&lt;br /&gt;while ($ofs) {&lt;br /&gt;&lt;br /&gt;my %record = $evt-&gt;readEventRecord($ofs);&lt;br /&gt;print "Record Number : ".$record{rec_num}."\n";&lt;br /&gt;print "Source : ".$record{source}."\n";&lt;br /&gt;print "Computer Name : ".$record{computername}."\n";&lt;br /&gt;print "Event ID : ".$record{evt_id}."\n";&lt;br /&gt;print "Event Type : ".$record{evt_type}."\n";&lt;br /&gt;print "Time Generated: ".gmtime($record{time_gen})."\n";&lt;br /&gt;print "Time Written : ".gmtime($record{time_wrt})."\n";&lt;br /&gt;print "SID : ".$record{sid}."\n" if ($record{sid_len} &gt; 0);&lt;br /&gt;print "Message Str : ".$record{strings}."\n" if ($record{num_str} &gt; 0);&lt;br /&gt;print "Message Data : ".$record{data}."\n" if ($record{data_len} &gt; 0);&lt;br /&gt;print "\n";&lt;br /&gt;&lt;br /&gt;# length of record is $record{length}...skip forward that far&lt;br /&gt;$ofs = $evt-&gt;locateNextRecord($record{length});&lt;br /&gt;# printf "Current Offset = 0x%x\n",$evt-&gt;getCurrOfs();&lt;br /&gt;}&lt;br /&gt;$evt-&gt;close();&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;One of the programs I use to create the database is &lt;a href="http://www.yunqa.de/delphi/sqlitespy"&gt;SqliteSpy&lt;/a&gt;. This is a nice gui to create and view the data that you load into the database. 
What I did was create a table with the following definition:&lt;br /&gt;&lt;br /&gt;CREATE TABLE events&lt;br /&gt;( file_name text,&lt;br /&gt;Record_Number number,&lt;br /&gt;Source text,&lt;br /&gt;Computer_Name text,&lt;br /&gt;Event_ID number,&lt;br /&gt;Event_Type text, &lt;br /&gt;Time_Generated text,&lt;br /&gt;time_generated_unix number,&lt;br /&gt;Time_Written text,&lt;br /&gt;time_written_unix number,&lt;br /&gt;SID text,&lt;br /&gt;Message_Str text,&lt;br /&gt;Message_Data text);&lt;br /&gt;&lt;br /&gt;You can compare this definition to the $record in the lsevt3.pl script. I have added 3 extra columns to make the table more flexible, they are: &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;file_name&lt;/strong&gt; which is the event file name that is being loaded, this allows for multiple event logs to be inserted into the database. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;time_generated_unix&lt;/strong&gt; and &lt;strong&gt;time_written_unix&lt;/strong&gt; were added to allow for easier selecting and sorting of timestamps.&lt;br /&gt;&lt;br /&gt;The following is the changed lsevt3 program that does the inserts into the database (Added lines in Bold):&lt;br /&gt;&lt;br /&gt;#! 
c:\perl\bin\perl.exe&lt;br /&gt;&lt;br /&gt;use strict;&lt;br /&gt;use File::ReadEvt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;use DBI;&lt;br /&gt;use DBD::SQLite;&lt;br /&gt;&lt;br /&gt;# Attributes to pass to DBI so that errors are checked by hand after each insert&lt;br /&gt;my %attr = (&lt;br /&gt;PrintError =&gt; 0,&lt;br /&gt;RaiseError =&gt; 0&lt;br /&gt;);&lt;br /&gt;&lt;br /&gt;# Create the connection to the database (the file is created if it does not exist yet)&lt;br /&gt;my $dbh = DBI-&gt;connect("dbi:SQLite:events.db3","","",\%attr)&lt;br /&gt;or die "Cannot open events.db3: ".DBI-&gt;errstr."\n";&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;my $file = shift || die "You must enter a filename.\n";&lt;br /&gt;die "$file not found.\n" unless (-e $file);&lt;br /&gt;&lt;br /&gt;my $evt = File::ReadEvt::new($file);&lt;br /&gt;my %hdr = ();&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;my $sid = "";&lt;br /&gt;my $message = "";&lt;br /&gt;my $data = "";&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;if (%hdr = $evt-&gt;parseHeader()) {&lt;br /&gt;# no need to do anything...&lt;br /&gt;}&lt;br /&gt;else {&lt;br /&gt;print "Error : ".$evt-&gt;getError()."\n";&lt;br /&gt;die;&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;my $ofs = $evt-&gt;getFirstRecordOffset();&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;# Make the inserts run as one batch: a single transaction instead of one per record&lt;br /&gt;$dbh-&gt;do("Begin Transaction");&lt;br /&gt;&lt;br /&gt;# Prepare the insert once, outside the loop; the ? placeholders take care of quotes in the string fields&lt;br /&gt;my $sql_stmt = qq{Insert into events values ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)};&lt;br /&gt;my $sth = $dbh-&gt;prepare($sql_stmt)&lt;br /&gt;or die "Cannot prepare insert: ".$dbh-&gt;errstr."\n";&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;while ($ofs) {&lt;br /&gt;&lt;br /&gt;my %record = $evt-&gt;readEventRecord($ofs);&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;# Convert data and check type to be inserted&lt;br /&gt;if ($record{sid_len} &gt; 0) {&lt;br /&gt;$sid = $record{sid};&lt;br /&gt;} else {&lt;br /&gt;$sid = "";&lt;br /&gt;}&lt;br /&gt;if ($record{num_str} &gt; 0) {&lt;br /&gt;$message = $record{strings};&lt;br /&gt;} else {&lt;br /&gt;$message = "";&lt;br /&gt;}&lt;br /&gt;if ($record{data_len} &gt; 0) {&lt;br /&gt;$data = $record{data};&lt;br /&gt;} else {&lt;br /&gt;$data = "";&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;# Readable timestamps for the text columns; the raw unix values go into the *_unix columns&lt;br /&gt;my $time_gen = gmtime($record{time_gen});&lt;br /&gt;my $time_wrt = gmtime($record{time_wrt});&lt;br /&gt;&lt;br /&gt;# Insert the record into the events table&lt;br /&gt;$sth-&gt;execute($file, $record{rec_num}, $record{source}, $record{computername},&lt;br /&gt;$record{evt_id}, $record{evt_type}, $time_gen, $record{time_gen},&lt;br /&gt;$time_wrt, $record{time_wrt}, $sid, $message, $data);&lt;br /&gt;&lt;br /&gt;# Check for any errors in the insert statement (errstr is undef when there was none)&lt;br /&gt;my $err_desc = $dbh-&gt;errstr() || "";&lt;br /&gt;if (($err_desc ne "") &amp;&amp; ($err_desc !~ m/not\sunique/)) {&lt;br /&gt;print "Error in Database $err_desc\n";&lt;br /&gt;print "loading Record ".$record{rec_num}."\n";&lt;br /&gt;}&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;# length of record is $record{length}...skip forward that far&lt;br /&gt;$ofs = $evt-&gt;locateNextRecord($record{length});&lt;br /&gt;# printf "Current Offset = 0x%x\n",$evt-&gt;getCurrOfs();&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;# Commit the batch and close the database&lt;br /&gt;$dbh-&gt;do("Commit");&lt;br /&gt;$dbh-&gt;disconnect();&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;$evt-&gt;close();&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;By running this program from the command line, &lt;em&gt;&lt;strong&gt;lsevt3_db.pl Sysevent.evt&lt;/strong&gt;&lt;/em&gt;, the events will now be loaded into the Sqlite database. You can then load multiple event logs into the table and report on them through sqlite. One thing to note: the events table as defined above has no unique constraint, so the "not unique" check in the error handling never fires; if you want a second run against the same log to be skipped rather than loaded twice, add UNIQUE(file_name, Record_Number) to the table definition. 
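&lt;br /&gt;&lt;br /&gt;The following is an added example, not part of the original post and not one of Harlan Carvey's scripts: the same idea in Python, using the sqlite3 module that ships with Python. It creates the events table defined above (plus a UNIQUE constraint on file_name and Record_Number, an addition so that loading the same log twice does not duplicate rows), loads a handful of constructed records shaped like the %record hash that lsevt3.pl returns, for two made-up logs (SysEvent.Evt and AppEvent.Evt), and then runs the source, start/stop and time-window queries that this post relies on. The computer name, event IDs, SIDs and timestamps in the sample are constructed for the example, not taken from a real system.&lt;br /&gt;&lt;pre&gt;<![CDATA[
```python
import sqlite3
from datetime import datetime, timezone

# The events table from the post, plus a UNIQUE constraint (an addition) so that
# re-running the load for a log that is already in the database changes nothing.
SCHEMA = """
CREATE TABLE IF NOT EXISTS events (
    file_name text, Record_Number number, Source text, Computer_Name text,
    Event_ID number, Event_Type text,
    Time_Generated text, time_generated_unix number,
    Time_Written text, time_written_unix number,
    SID text, Message_Str text, Message_Data text,
    UNIQUE (file_name, Record_Number))"""

# Constructed sample records (not real logs), keyed the way lsevt3.pl's %record hash is.
def _rec(rec_num, source, evt_id, evt_type, time_gen, sid="", strings="", data=""):
    return dict(rec_num=rec_num, source=source, computername="WS01", evt_id=evt_id,
                evt_type=evt_type, time_gen=time_gen, time_wrt=time_gen, sid=sid,
                strings=strings, data=data)

SYSEVENT = [  # a shutdown, a boot, one Removable Storage Service record, the next shutdown
    _rec(100, "EventLog", 6006, "Information", 1168400000),
    _rec(101, "EventLog", 6009, "Information", 1168484400, strings="Microsoft (R) Windows (R) 5.01."),
    _rec(102, "Removable Storage Service", 134, "Information", 1168485000, strings="constructed"),
    _rec(103, "EventLog", 6006, "Information", 1168516000),
]
APPEVENT = [  # two application log records that fall inside the same session
    _rec(5001, "MsiInstaller", 11707, "Information", 1168490000, sid="S-1-5-21-1-2-3-1001"),
    _rec(5002, "Userenv", 1517, "Warning", 1168515990, sid="S-1-5-18"),
]

def utc_text(ts):
    """Readable UTC timestamp for the text column; the raw epoch value stays in the *_unix column."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def load_events(conn, file_name, records):
    """Insert one log's records in a single transaction with bound parameters (the
    equivalent of the prepare/execute and Begin/Commit in the Perl version).
    Returns the number of rows now in the table."""
    rows = [(file_name, r["rec_num"], r["source"], r["computername"], r["evt_id"], r["evt_type"],
             utc_text(r["time_gen"]), r["time_gen"], utc_text(r["time_wrt"]), r["time_wrt"],
             r["sid"], r["strings"], r["data"]) for r in records]
    with conn:  # BEGIN ... COMMIT around the whole batch
        conn.executemany("INSERT OR IGNORE INTO events VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)", rows)
    return conn.execute("SELECT count(*) FROM events").fetchone()[0]

def build_database(path=":memory:"):
    """Create the table and load both sample logs, as lsevt3_db.pl would be run once per .evt file."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    load_events(conn, "SysEvent.Evt", SYSEVENT)
    load_events(conn, "AppEvent.Evt", APPEVENT)
    return conn

def start_stop_events(conn):
    """When the machine started (6009, written by EventLog at boot) and stopped (6006, clean shutdown)."""
    return conn.execute(
        "SELECT file_name, Record_Number, Event_ID, time_generated_unix FROM events "
        "WHERE Event_ID IN (6009, 6006) ORDER BY time_generated_unix DESC").fetchall()

def events_by_source(conn, pattern):
    """Records from one source, e.g. 'Remov%' for the Removable Storage Service."""
    return conn.execute(
        "SELECT file_name, Record_Number, Source, time_generated_unix FROM events "
        "WHERE Source LIKE ? ORDER BY time_generated_unix", (pattern,)).fetchall()

def events_between(conn, start_unix, end_unix):
    """Everything from every loaded log inside one window, which is what the unix columns are for."""
    return conn.execute(
        "SELECT time_generated_unix, file_name, Source, Event_ID FROM events "
        "WHERE time_generated_unix BETWEEN ? AND ? ORDER BY time_generated_unix",
        (start_unix, end_unix)).fetchall()

if __name__ == "__main__":
    db = build_database()
    for row in events_between(db, 1168484317, 1168516719):
        print(row)
```
]]>&lt;/pre&gt;Point build_database at a file instead of ":memory:" to keep the database between runs; because of the UNIQUE constraint and INSERT OR IGNORE, running the load again for a log that is already there adds nothing, which is the behaviour the "not unique" check in the Perl version is reaching for.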
&lt;br /&gt;&lt;br /&gt;The following is an example of a query to show when the Removable Storage Service wrote to the event log:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;select * from events where source like 'Remov%';&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;or&lt;br /&gt;&lt;br /&gt;To show when the computer was started and stopped (6009 is the record the EventLog source writes at boot and 6006 the one it writes at a clean shutdown):&lt;br /&gt;&lt;br /&gt;&lt;em&gt;select * from events where event_id in (6009, 6006) order by time_generated_unix desc;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;If you also load the application event log, you can see everything that happened during a specific time period across both logs as well (now you will see why the unix time is important to have, since it is much easier to compare and sort by than the text timestamp):&lt;br /&gt;&lt;br /&gt;&lt;em&gt;select * from events where time_generated_unix between 1168484317 and 1168516719 order by time_generated_unix desc;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Now if you use x-ways forensics you can define the perl script under the external viewer programs, and when you select a file you can have it run this program and it will load up the database just as if you were running the program from the command line.&lt;br /&gt;&lt;br /&gt;If there is interest I can post a generic perl script to print out reports from the database, just leave some comments and I will put one out there.&lt;br /&gt;&lt;br /&gt;Hopefully I did not confuse you too much; if I did then let me know and I will try and make it less confusing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-407440702320052659?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/407440702320052659/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=407440702320052659' title='2 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/407440702320052659'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/407440702320052659'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/01/to-db-or-not-to-db.html' title='To DB or Not To DB.........'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-1345309616555491091</id><published>2007-01-09T19:05:00.000-05:00</published><updated>2007-01-12T22:11:58.470-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='wiki'/><category scheme='http://www.blogger.com/atom/ns#' term='share informaion'/><category scheme='http://www.blogger.com/atom/ns#' term='tiddly wiki'/><title type='text'>A Tiddly Wiki Travel Notebook</title><content type='html'>How many times have you been on site somewhere without access to the Internet and wanted some small piece of information that you can't quite remember but know where to look up on the net? Well, &lt;a href="http://www.tiddlywiki.com/"&gt;TiddlyWiki&lt;/a&gt; can come to the rescue. Here is an excerpt from their website:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;a free MicroContent WikiWikiWeb created by JeremyRuston and a busy Community of independent developers. It's written in HTML, CSS and JavaScript to run on any modern browser without needing any ServerSide logic. It allows anyone to create personal SelfContained hypertext documents that can be posted to a WebServer, sent by email or kept on a USB thumb drive to make a WikiOnAStick. 
Because it doesn't need to be installed and configured it makes a great GuerillaWiki. The latest version is 2.1.3, and it is published under an OpenSourceLicense.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;I have added some information to a &lt;a href="http://www.tiddlywiki.com/"&gt;TiddlyWiki&lt;/a&gt; to get anyone who downloads it started. I tried to enter some tiddlers (the name given to a unit of microcontent) with examples of how you can use it, to try and give you a leg up. It can be saved from the following link:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://RedWolfComputerForensics.com/downloads/Computer_Forensic_Tiddly_Wiki.htm"&gt;http://RedWolfComputerForensics.com/downloads/Computer_Forensic_Tiddly_Wiki.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now for the challenge. How much information do you think we can put in this wiki to help spread our knowledge to each other? If you would like to help out on this little project you can email me @ Mark.McKinnon@sbcglobal.net (put "Forensic Wiki" in the subject) with your entries and I will put them in the wiki with the proper credit to you. 
&lt;br /&gt;&lt;br /&gt;Questions/Comments/Suggestions/Help?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-1345309616555491091?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/1345309616555491091/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=1345309616555491091' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1345309616555491091'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1345309616555491091'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/01/tiddly-wiki-travel-notebook.html' title='A Tiddly Wiki Travel Notebook'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-2399076318629180391</id><published>2007-01-08T09:32:00.000-05:00</published><updated>2007-01-08T11:13:46.981-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='History.dat'/><category scheme='http://www.blogger.com/atom/ns#' term='FireFox'/><category scheme='http://www.blogger.com/atom/ns#' term='Mork'/><title type='text'>No This Is Not Mork From Ork.</title><content type='html'>Ok so I watched the original series when it came out, but I am not that old.  What I plan to enlighten you about today is the Mork database file format.  
This file is mainly used by Firefox for its Internet history; a few other files use the format as well, but we will concentrate on the history.dat file.  There are numerous programs that will read this file (&lt;a href="http://www.mandiant.com/webhistorian.htm"&gt;Mandiant Web Historian&lt;/a&gt;, &lt;a href="http://www.digital-detective.co.uk/intro.asp"&gt;Digital Detective NetAnalysis&lt;/a&gt; and even a perl script by &lt;a href="http://www.jwz.org/hacks/mork.pl"&gt;Jamie Zawinski&lt;/a&gt;); the problem is what to do when the file is broken.  When the file is broken it cannot be processed by any of the above programs.  A friend of mine recently had this problem and was unable to parse the history.dat file with any of the above programs.  By understanding how the database worked I was able to lend him a hand.&lt;br /&gt;&lt;br /&gt;Below is a small history.dat file that I have.  I will take it apart and show how to hand parse the file.  If nothing else this will let you eyeball a file to see if there is anything in it that would keep one of the above programs from parsing it.  
The file I will use is as follows, please note the first line is somewhat edited to make it show up in the posting.&lt;br /&gt;&lt;br /&gt;// &lt; !-- &lt; mdb : mork:z v="1.4" &gt; --&gt;&lt;br /&gt;&lt; &lt;(a=c)&gt; // (f=iso-8859-1)  (8A=Typed)(8B=LastPageVisited)(8C=ByteOrder)  (80=ns:history:db:row:scope:history:all)  (81=ns:history:db:table:kind:history)(82=URL)(83=Referrer)  (84=LastVisitDate)(85=FirstVisitDate)(86=VisitCount)(87=Name)  (88=Hostname)(89=Hidden)&gt;&lt;br /&gt;&lt;(80=LE)(8B=http://redwolfcomputerforensics.com/)(9F=1166463003773295)  (9A=1166448674185405)(8D=redwolfcomputerforensics.com)(8E    =C$00o$00m$00p$00u$00t$00e$00r$00 $00F$00o$00r$00e$00n$00s$00i$00c$00s$00/\$00U$00n$00l$00o$00c$00k$00 $00P$00a$00s$00s$00w$00o$00r$00d$00s$00/$00E$00l$00\e$00c$00t$00r$00o$00n$00i$00c$00 $00D$00i$00s$00c$00o$00v$00e$00r$00y$00)  (A0=3)(8F=http://www.certified-computer-examiner.com/)(9E    =1166462906212309)(9B=1166448699473785)(91    =certified-computer-examiner.com)(92    =I$00S$00F$00C$00E$00 $00-$00 $00C$00e$00r$00t$00i$00f$00i$00e$00d$00 $00C\$00o$00m$00p$00u$00t$00e$00r$00 $00E$00x$00a$00m$00i$00n$00e$00r$00)  (9D=2)&gt;&lt;br /&gt;{1:^80 {(k^81:c)(s=9)[1(^8C=LE)]}  [A(^82^8B)(^84^9F)(^85^9A)(^88^8D)(^87^8E)(^86=3)]  [B(^82^8F)(^84^9E)(^85^9B)(^83^8B)(^88^91)(^87^92)(^86=2)]}&lt;br /&gt;@$${1{@&lt;br /&gt;&lt;(A1=1166463169292586)(A2=4)(A3=http://www.google.com/)(A4    =1166463174778175)(A5=google.com)(A6=1)(A7=G$00o$00o$00g$00l$00e$00)&gt;&lt;br /&gt;{-1:^80 {(k^81:c)(s=9)1 } [-A(^82^8B)(^84^A1)(^85^9A)(^88^8D)(^87^8E)    (^86=4)]B  [-C(^82^A3)(^84^A4)(^85^A4)(^88^A5)(^8A=1)(^86=2)(^87^A7)]}@$$}1}@&lt;br /&gt;@$${2{@@$$}2}@&lt;br /&gt; &lt;br /&gt;Kinda ugly when you first glance at it but once you understand it is not so bad.&lt;br /&gt;&lt;br /&gt;File Header:  // &lt; !-- &lt; mdb :mork:z v="1.4"&gt; --&gt;&lt;br /&gt;&lt;br /&gt;Fields and Descriptions for the database, not all fields will be used&lt;br /&gt;&lt;br /&gt;&lt; &lt;(a=c)&gt; // 
(f=iso-8859-1)  (8A=Typed)(8B=LastPageVisited)(8C=ByteOrder)  (80=ns:history:db:row:scope:history:all)  (81=ns:history:db:table:kind:history)(82=URL)(83=Referrer)  (84=LastVisitDate)(85=FirstVisitDate)(86=VisitCount)(87=Name)  (88=Hostname)(89=Hidden)&gt;&lt;br /&gt;&lt;br /&gt;Actual history data. This section, the field list above it, and the dictionary at the start of each later update section are all delimited by &lt; and &gt;. Each one assigns a hex id to a column name or to a data value, and those ids are what the rows refer back to. The column ids and the data ids are separate number spaces (the field list is marked with &lt;(a=c)&gt;), which is why 80 is a column name in the first dictionary and the value LE in this one.&lt;br /&gt;&lt;br /&gt;&lt;(80=LE)(8B=http://redwolfcomputerforensics.com/)(9F=1166463003773295)  (9A=1166448674185405)(8D=redwolfcomputerforensics.com)(8E    =C$00o$00m$00p$00u$00t$00e$00r$00 $00F$00o$00r$00e$00n$00s$00i$00c$00s$00/\$00U$00n$00l$00o$00c$00k$00 $00P$00a$00s$00s$00w$00o$00r$00d$00s$00/$00E$00l$00\e$00c$00t$00r$00o$00n$00i$00c$00 $00D$00i$00s$00c$00o$00v$00e$00r$00y$00)  (A0=3)(8F=http://www.certified-computer-examiner.com/)(9E    =1166462906212309)(9B=1166448699473785)(91    =certified-computer-examiner.com)(92    =I$00S$00F$00C$00E$00 $00-$00 $00C$00e$00r$00t$00i$00f$00i$00e$00d$00 $00C\$00o$00m$00p$00u$00t$00e$00r$00 $00E$00x$00a$00m$00i$00n$00e$00r$00)  (9D=2)&gt;&lt;br /&gt;&lt;br /&gt;Cross reference of the actual history to the fields.  Note this section is delimited by curly braces ({}). This is the important part and I will try and give as much detail as I have found out.&lt;br /&gt;&lt;br /&gt;{1:^80 {(k^81:c)(s=9)[1(^8C=LE)]}&lt;br /&gt;  [A(^82^8B)(^84^9F)(^85^9A)(^88^8D)(^87^8E)(^86=3)]&lt;br /&gt;  [B(^82^8F)(^84^9E)(^85^9B)(^83^8B)(^88^91)(^87^92)(^86=2)]}&lt;br /&gt;&lt;br /&gt;The following has been at the start of this section in every file I have looked at:  1:^80 {(k^81:c)(s=9)[1(^8C=LE)]}. It is the table header: 1:^80 is table 1 in row scope ^80 (ns:history:db:row:scope:history:all), k^81 gives the table kind (^81 = ns:history:db:table:kind:history), and [1(^8C=LE)] is the table's meta row, which records the ByteOrder (LE, little endian) of the UTF-16 text stored in fields such as Name.&lt;br /&gt;&lt;br /&gt;The rest is the actual mapping in brackets ([]) for each site visited; each pair in parentheses maps a field to the actual data, ie:  ^82 = URL and ^8B = &lt;a href="http://redwolfcomputerforensics.com/"&gt;http://redwolfcomputerforensics.com&lt;/a&gt;.  
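&lt;br /&gt;&lt;br /&gt;Before going through the records by hand, here is an added example that is not part of the original post and not one of the tools named above: a small Python reader that does the same walk. It reads the column dictionary, the value dictionary and the bracketed rows, decodes the $XX escapes (each $XX is one hex-escaped byte, and the Name field is stored as UTF-16, which is where the $00 bytes come from and what the ByteOrder LE entry refers to), and applies the extra @$${1{@ update sections that Firefox appends until it next consolidates the file. The history.dat it parses is constructed for the example from the file shown above, with the line continuations (a backslash at the end of a line) written the way they appear in a real file rather than flattened for the posting, and a third record added. It is a best-effort reader for damaged files, not a complete Mork implementation.&lt;br /&gt;&lt;pre&gt;<![CDATA[
```python
import re

DICT_CELL_RE = re.compile(r'\(([0-9A-Fa-f]+)\s*=((?:[^)\\]|\\.)*)\)')           # (id=value)
ROW_RE = re.compile(r'\[(-?)([0-9A-Fa-f]+)\s*((?:\((?:[^)\\]|\\.)*\)\s*)*)\]')  # [id cells] or [-id cells]
ROW_CELL_RE = re.compile(r'\(\^([0-9A-Fa-f]+)([\^=])((?:[^)\\]|\\.)*)\)')      # (^col^val) or (^col=literal)

# Constructed sample based on the file shown in the post. A backslash at the end of a line is the
# continuation marker as written in a real history.dat (the posting had those lines joined).
SAMPLE_HISTORY_DAT = r"""// <!-- <mdb:mork:z v="1.4"/> -->
< <(a=c)> // (f=iso-8859-1)
  (8A=Typed)(8B=LastPageVisited)(8C=ByteOrder)
  (80=ns:history:db:row:scope:history:all)
  (81=ns:history:db:table:kind:history)(82=URL)(83=Referrer)
  (84=LastVisitDate)(85=FirstVisitDate)(86=VisitCount)(87=Name)
  (88=Hostname)(89=Hidden)>

<(80=LE)(8B=http://redwolfcomputerforensics.com/)(9F=1166463003773295)
  (9A=1166448674185405)(8D=redwolfcomputerforensics.com)(8E
    =C$00o$00m$00p$00u$00t$00e$00r$00 $00F$00o$00r$00e$00n$00s$00i$00c$00s$00)
  (8F=http://www.certified-computer-examiner.com/)(9E=1166462906212309)
  (9B=1166448699473785)(91=certified-computer-examiner.com)(92
    =I$00S$00F$00C$00E$00 $00-$00 $00C$00e$00r$00t$00i$00f$00i$00e$00d$00 $00C\
$00o$00m$00p$00u$00t$00e$00r$00 $00E$00x$00a$00m$00i$00n$00e$00r$00)>

{1:^80 {(k^81:c)(s=9)[1(^8C=LE)]}
  [A(^82^8B)(^84^9F)(^85^9A)(^88^8D)(^87^8E)(^86=3)]
  [B(^82^8F)(^84^9E)(^85^9B)(^83^8B)(^88^91)(^87^92)(^86=2)]}

@$${1{@
<(A1=1166463169292586)(A3=http://www.google.com/)(A4=1166463174778175)
  (A5=google.com)(A7=G$00o$00o$00g$00l$00e$00)>
{-1:^80 {(k^81:c)(s=9)1 }
  [-A(^82^8B)(^84^A1)(^85^9A)(^88^8D)(^87^8E)(^86=4)]B
  [-C(^82^A3)(^84^A4)(^85^A4)(^88^A5)(^8A=1)(^86=2)(^87^A7)]}@$$}1}@
"""

def decode_value(raw):
    """'\\c' is a literal c and '$XX' one raw byte. Text with NUL bytes is UTF-16LE
    (the ByteOrder=LE meta cell); everything else is ISO-8859-1, per the file's (f=...) note."""
    buf, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == '\\' and i + 1 < len(raw):
            buf += raw[i + 1].encode('latin-1', 'replace'); i += 2
        elif raw[i] == '$' and re.fullmatch(r'[0-9A-Fa-f]{2}', raw[i + 1:i + 3]):
            buf.append(int(raw[i + 1:i + 3], 16)); i += 3
        else:
            buf += raw[i].encode('latin-1', 'replace'); i += 1
    return buf.decode('utf-16-le', 'replace') if b'\x00' in buf else buf.decode('latin-1')

def _parse_dict(text, pos, columns, atoms):
    """Parse one <...> dictionary starting just after its '<'; return the position after '>'."""
    target = atoms
    while pos < len(text):
        ch = text[pos]
        if ch.isspace():
            pos += 1
        elif text.startswith('<(a=c)>', pos):   # column scope: these ids name columns, not values
            target, pos = columns, pos + len('<(a=c)>')
        elif text.startswith('//', pos):         # comment inside the dictionary, e.g. (f=iso-8859-1)
            end = text.find('\n', pos); pos = len(text) if end < 0 else end
        elif ch == '(':
            m = DICT_CELL_RE.match(text, pos)
            if not m:
                raise ValueError(f'unparseable dictionary cell at offset {pos}')
            target[m.group(1).upper()] = decode_value(m.group(2)); pos = m.end()
        elif ch == '>':
            return pos + 1
        else:
            raise ValueError(f'unexpected {ch!r} in dictionary at offset {pos}')
    return pos

def parse_mork(text):
    """Return (columns, atoms, rows). Rows are applied in file order, so a [-A ...] row in a
    later @$${1{@ group replaces row A, which is what Firefox does when it consolidates the file."""
    text = text.replace('\\\r\n', '').replace('\\\n', '')   # join backslash-continued lines
    text = re.sub(r'^[ \t]*//.*$', '', text, flags=re.M)     # drop comment lines (the header)
    columns, atoms, rows, pos = {}, {}, {}, 0
    while pos < len(text):
        if text[pos] == '<':
            pos = _parse_dict(text, pos + 1, columns, atoms)
        elif text[pos] == '[':
            m = ROW_RE.match(text, pos)
            if not m:
                raise ValueError(f'unparseable row at offset {pos}')
            cut, row_id, body = m.groups()
            row = {} if cut else rows.setdefault(row_id.upper(), {})
            for col, kind, val in ROW_CELL_RE.findall(body):
                name = columns.get(col.upper(), '^' + col)
                row[name] = atoms.get(val.upper(), '') if kind == '^' else decode_value(val)
            rows[row_id.upper()] = row; pos = m.end()
        else:
            pos += 1   # table braces, group markers and bare row references (the B above) are skipped
    return columns, atoms, rows

def history_records(rows):
    """Rows that describe a visited page, with the PRTime microsecond stamps reduced to unix seconds."""
    records = []
    for row_id, row in sorted(rows.items()):
        if 'URL' in row:   # skips the meta-row that only carries ByteOrder
            rec = dict(row, row=row_id)
            for col in ('LastVisitDate', 'FirstVisitDate'):
                if col in row:
                    rec[col + '_unix'] = int(row[col]) // 1_000_000
            records.append(rec)
    return records
```
]]>&lt;/pre&gt;Run parse_mork on the text of a history.dat read as ISO-8859-1 and pass the rows to history_records. On a damaged file the ValueError tells you the byte offset where the structure stops making sense, which is usually the place to start eyeballing; rows that were fully written before that point are still returned if you catch the error and keep the dictionaries parsed so far.&lt;br /&gt;&lt;br /&gt;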
The mapping of the first record (A) would look like this&lt;br /&gt;&lt;br /&gt;(^82^8B) = (URL=http://redwolfcomputerforensics.com/)&lt;br /&gt;&lt;br /&gt;(^84^9F) = (LastVisitDate=1166463003773295 - microseconds since the Unix epoch, so the first 10 digits are the Unix time in seconds)&lt;br /&gt;&lt;br /&gt;(^85^9A) = (FirstVisitDate=1166448674185405 - same format, first 10 digits are the Unix time)&lt;br /&gt;&lt;br /&gt;(^88^8D) = (Hostname=redwolfcomputerforensics.com)&lt;br /&gt;&lt;br /&gt;(^87^8E) = (Name=Computer Forensics/Unlock Passwords/Electronic Discovery) - each $XX in the raw value is a hex escaped byte, and the page title is stored as UTF-16 (which is what the ByteOrder LE entry in the cross reference section refers to), so for a title made of plain ASCII characters removing all the $00 bytes makes it readable.&lt;br /&gt;&lt;br /&gt;(^86=3)   = (VisitCount = 3) - a value written after = instead of ^ is a literal rather than a lookup into the data section.&lt;br /&gt;&lt;br /&gt;If we look at Record B then we can see one more database field that is being used &lt;br /&gt;&lt;br /&gt;(^82^8F) = (URL=http://www.certified-computer-examiner.com/)&lt;br /&gt;(^84^9E) = (LastVisitDate=1166462906212309 - first 10 digits are the Unix time)&lt;br /&gt;(^85^9B) = (FirstVisitDate=1166448699473785 - first 10 digits are the Unix time)&lt;br /&gt;(^83^8B) = (Referrer = &lt;a href="http://redwolfcomputerforensics.com/"&gt;http://redwolfcomputerforensics.com&lt;/a&gt;)&lt;br /&gt;(^88^91) = (Hostname=certified-computer-examiner.com)&lt;br /&gt;(^87^92) = (Name=ISFCE - Certified Computer Examiner) - same UTF-16 encoding, so strip the $00 bytes.&lt;br /&gt;(^86=2)   = (VisitCount = 2)&lt;br /&gt;&lt;br /&gt;You can now see that field ^83 was added, which shows that the http://www.certified-computer-examiner.com site was reached from a link on &lt;a href="http://redwolfcomputerforensics.com/"&gt;http://redwolfcomputerforensics.com&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;2 fields that have not been mentioned above are the following.&lt;br /&gt;&lt;br /&gt;8A (Typed) - set to 1 when the URL was typed into the address bar&lt;br /&gt;89 (Hidden) - set to 1 for entries Firefox keeps out of the history view, such as redirect targets and pages loaded in frames&lt;br /&gt;&lt;br /&gt;A couple of things to note that I have observed:&lt;br /&gt;&lt;br /&gt;When you exit 
Firefox, it may have appended several extra cross reference sections, each delimited by markers of the @$${X{@ ... @$$}X}@ type.  These appear to be the changes from the last browsing session; each time Firefox loads it reads history.dat in and consolidates the file back into the main 4 sections. &lt;br /&gt;&lt;br /&gt;Each of these extra sections can carry its own small dictionary of new values plus updated data (for example a new LastVisitDate or VisitCount) for a row that already exists. A row written with a leading minus, such as [-A ...], replaces the earlier version of that row, and a bare row id (B) keeps the earlier version. This is what gets consolidated as noted above, so when hand parsing a file that has not been consolidated, the last section that mentions a row is the one with the current values.&lt;br /&gt;&lt;br /&gt;Hopefully this helps and I did not confuse everyone.  &lt;br /&gt;&lt;br /&gt;Questions/Comments?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-2399076318629180391?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/2399076318629180391/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=2399076318629180391' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2399076318629180391'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/2399076318629180391'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/01/no-this-is-not-mork-from-ork.html' title='No This Is Not Mork From Ork.'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' 
src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-1943889766519309479</id><published>2007-01-05T10:10:00.000-05:00</published><updated>2007-01-05T11:19:42.952-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Carvey'/><category scheme='http://www.blogger.com/atom/ns#' term='Restore Point'/><category scheme='http://www.blogger.com/atom/ns#' term='Srdiag'/><title type='text'>Printing Restore Point Information From Another Computer</title><content type='html'>Since &lt;a href="http://windowsir.blogspot.com"&gt;Harlan Carvey&lt;/a&gt; gave me an intro, I felt I had to give up something else in order to make you want to come back.&lt;br /&gt;&lt;br /&gt;Looking at the restore points you may wonder what all those files actually are and what they relate to in each RPXXX directory.   Now if you are like me you will start to poke around and see if you can figure it out.  At some point you may see that in the change.log.x there is a reference from the file found in the restore point to another file located elsewhere.  What all the other information in the file means, who knows, since MS does not divulge that information.  &lt;br /&gt;&lt;br /&gt;Now MS has a nice little tool in the %SYSTEMROOT%\system32\restore directory called srdiag.exe.  What this program does is parse the restore point directory and give you all kinds of information about your restore points.  Now you are probably asking how this will help, since when I run srdiag it will only produce the reports (it creates a cab file with all the info stored in it) for the restore points on my analysis computer. &lt;br /&gt;&lt;br /&gt;Here are the steps to get restore point information from an XP image that you are analyzing (do the following steps putting your information in place of mine):&lt;br /&gt;&lt;br /&gt;1.  
Make sure Restore Points have been turned on for your analysis machine.&lt;br /&gt;&lt;br /&gt;2.  Make sure you have access to the "System Volume Information" directory on your analysis machine. Use the following command to grant it: &lt;strong&gt;cacls "&lt;drive&gt;:\System Volume Information" /E /G &lt;username&gt;:F&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;3.  From the XP image you are analyzing, copy the restore point directory under its "System Volume Information" directory into the "System Volume Information" directory on your analysis machine.  At this point you should see 2 directories named like _restore&lt;guid&gt;.  One will be your analysis machine's GUID and the other will be from the image.&lt;br /&gt;&lt;br /&gt;4.  You will now need to edit your registry.  Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore\Cfg and rename the value MachineGuid to MachineGuid_old.  Next create a new String Value named MachineGuid and set it to the GUID from the directory you copied from the image; use MachineGuid_old as a template if you need to, the format of the 2 entries should be the same.&lt;br /&gt;&lt;br /&gt;5.  Now run srdiag.exe from the %SYSTEMROOT%\system32\restore directory.  Once the program has completed you should see a cab file with your machine name on it.  In the cab file there will be all kinds of good information for you to look at.&lt;br /&gt;&lt;br /&gt;6.  Finally delete or rename the MachineGuid registry entry, rename MachineGuid_old back to MachineGuid, and remove the copied directory from your "System Volume Information" directory.&lt;br /&gt;&lt;br /&gt;Steps 2 to 4 change the registry and the "System Volume Information" directory of the machine you run them on, and step 6 is what puts them back, so do this on a dedicated analysis machine or in a virtual machine you can snapshot and revert rather than on a system you care about.&lt;br /&gt;&lt;br /&gt;That is it in a nutshell.  
Enjoy looking at all the information provided to you by srdiag.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1195942519600924603-1943889766519309479?l=cfed-ttf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/1943889766519309479/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=1943889766519309479' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1943889766519309479'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1943889766519309479'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/01/printing-restore-point-information-from.html' title='Printing Restore Point Information From Another Computer'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1195942519600924603.post-1765918079875356138</id><published>2007-01-05T07:19:00.000-05:00</published><updated>2007-01-05T07:53:40.572-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Hard Drives'/><category scheme='http://www.blogger.com/atom/ns#' term='Carvey'/><category scheme='http://www.blogger.com/atom/ns#' term='Restore Point'/><category scheme='http://www.blogger.com/atom/ns#' term='Kornblum'/><category scheme='http://www.blogger.com/atom/ns#' term='Resolution'/><title type='text'>A New Beginning</title><content type='html'>Well, here is my first post. 
I was reading Harlan Carvey's latest &lt;a href="http://windowsir.blogspot.com/"&gt;windowsir Blog&lt;/a&gt; post and took his advice, and I am starting this blog. I know I do not have as much knowledge as others in the field and I am still constantly learning, but who knows, maybe I might be able to help one or two individuals; at the least I will hopefully get better at writing.&lt;br /&gt;&lt;br /&gt;What I would like to accomplish with this blog is to pass along knowledge that either I or someone else has gained. If someone else passes the info along to me, expect to get credit; there is nothing I hate more than people passing along an idea without giving credit for it. I will try to post a couple of times a week but will not make any promises.&lt;br /&gt;&lt;br /&gt;How I came up with the title cfed-ttf. 
I was reading &lt;a href="http://jessekornblum.livejournal.com/"&gt;Jesse Kornblum's&lt;/a&gt; blog's latest entry about naming tools and had to come up with something, so cfed is Computer Forensics/Electronic Discovery and ttf is Tips/Tricks and inFo. I tried to be creative but sometimes it is hard.&lt;br /&gt;&lt;br /&gt;Now on to the show (the reason we are here):&lt;br /&gt;&lt;br /&gt;Ever wonder what hard drives have been attached to an XP machine? Well, if restore points have been enabled then wonder no more. There is a file called drivetable.txt under the root restore point directory. This file contains a list of hard drives that are attached when the computer boots up (from what I can tell so far). 
Now the cool thing about this is that under each restore point directory there is also a copy of the drivetable.txt file as it was at the time the restore point was taken. Now hopefully you can see where I am going with this. Since each restore point is a point in time, you should be able to see when a hard drive was attached and not attached based on the date/time of the restore point, and be able to create a timeline of the hard drives attached to the computer. This works with USB hard drives as well.&lt;br /&gt;&lt;br /&gt;Feedback? Good or bad, who cares; I know I am not always right and I will admit it. If I have to be wrong to learn something then I can eat a little humble pie.</content><link rel='replies' type='application/atom+xml' href='http://cfed-ttf.blogspot.com/feeds/1765918079875356138/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1195942519600924603&amp;postID=1765918079875356138' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1765918079875356138'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1195942519600924603/posts/default/1765918079875356138'/><link rel='alternate' type='text/html' href='http://cfed-ttf.blogspot.com/2007/01/new-beginning.html' title='A New Beginning'/><author><name>Mark McKinnon</name><uri>http://www.blogger.com/profile/06597353327384503465</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='32' height='10' src='http://redwolfcomputerforensics.com/images/rcwf_logo.jpg'/></author><thr:total>6</thr:total></entry></feed>
