Sunday, May 18, 2008

Forensic 4Cast - A New PodCast

Well, there is a new forensic podcast on the block. It is called Forensic 4Cast and can be found here. I just listened to it and it is pretty good, especially for a first podcast. Lee and Simon are the hosts of the show; they are forensic investigators/analysts in the UK. They discuss COFEE, the UK Extreme Porn Bill and the Computer Misuse Act. If you want to email the guys, their email address is 4cast at whitfields.org.

Lee and Simon, keep up the good work.

Questions/Comments/Suggestions

Saturday, March 22, 2008

CSC Parser Version 2.0

As there have been over 490 downloads of this program and I have helped numerous people recover their Offline Folder/CSC directory, I thought I'd update the software. You can find version 2.0 here. It has changed in that it uses drop-down menus now instead of buttons. When you try to recover files you have 2 choices: using the 00000002 file or the csc1.tmp file. Both options will now copy the files that can be recovered to a directory of your choosing. Remember that you must have a good copy of the 00000002 or the csc1.tmp file. To run the program, just unzip it into a directory and run csc_parser.exe. I have removed the source code this time, but this program is still free for personal use; for commercial use please contact me about using this program.

Now, for those users who have reinitialized their offline folder/CSC, I also have a program that might work for you, as it scans the CSC folder and tries to rebuild what was there. This is the professional version of the csc_parser. This program can be purchased for $50.00 (the button is on the side of the blog). This program will also have the above functionality in it as well.

I have also added a Donate button on the side of the blog. If this program helps you out and you would like to donate, that would be great; you are under no obligation to donate if you do not want to. If you do decide to donate and you donate 27.00, then I will also send you a complimentary copy of the CSC_Parser_Pro program.

Questions/Thoughts/Comments?

Wednesday, February 27, 2008

Prefetch Information

Here is a quick and dirty program to parse a prefetch file and output some important information. It is only a command line program currently and does not use a database or scan the prefetch directory (I know I am slacking; those would be some good improvements to make and pretty easy). What it will do is parse the prefetch file, giving you the standard information that other programs have given, i.e. the embedded date, the number of times run and the executable name, plus a list of directories and files that are/have been loaded. The program can be found here.

To run the program just type:

prefetch_info.exe <directory/prefetch file name>

Here is an example of the output for the prefetch file AID4MAIL.EXE-1EE932F2.pf. One thing to note is where the AID4MAIL.EXE program was run from: it is kind of cool to see that it did not run from the hard drive of my laptop but from a USB thumb drive. You can also see what song I was listening to when I ran the AID4MAIL program (you can search for that one).

As always Questions/Comments/Thoughts?

File Name that was run AID4MAIL.EXE

Date/Time prefetch file was created Thu Feb 28 02:16:21 2008
Date/Time prefetch file was modified Thu Feb 28 02:16:21 2008
Date/Time prefetch file was last accessed Thu Feb 28 02:16:21 2008

File AID4MAIL.EXE was run 1 times

AID4MAIL.EXE Embeded date/time is Thu Feb 28 02:16:11 2008

List of files and Directories whose pages are to be loaded

\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNEL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UNICODE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LOCALE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SORTTBLS.NLS
\DEVICE\HARDDISK3\DP(1)0-0+8\AID4MAIL\AID4MAIL.EXE
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USER32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\GDI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IMM32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ADVAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RPCRT4.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LPK.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USP10.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSVCRT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CTYPE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\AMINIT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SORTKEY.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\TEMP\AEXAM\AEXFD.TMP
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLEAUT32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLE32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MPR.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\VERSION.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\COMCTL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SHLWAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINDOWSSHELL.MANIFEST
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINSPOOL.DRV
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SHELL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\COMDLG32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINMM.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ENTAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\PSAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETAPI32.DLL
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NETWORK ASSOCIATES\BOPDATA\_DATE-20080227_TIME-171047859_ENTERCEPTEXCEPTIONS.DAT
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NETWORK ASSOCIATES\BOPDATA\_DATE-20080227_TIME-171047859_ENTERCEPTRULES.DAT
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UXTHEME.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSCTFIME.IME
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RPCSS.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WDMAUD.DRV
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SETUPAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINTRUST.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CRYPT32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSASN1.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IMAGEHLP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSACM32.DRV
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSACM32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MIDIMAP.DLL
\DEVICE\HARDDISKVOLUME2\$MFT
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\APPHELP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CLBCATQ.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\COMRES.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\REGISTRATION\R000000000013.CLB
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\TORTOISESVN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WININET.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\LIBAPR_TSVN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2_32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2HELP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSWSOCK.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.762_X-WW_6B128700\MSVCR80.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\LIBAPRUTIL_TSVN.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\LIBAPRICONV_TSVN.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\INTL3_SVN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.762_X-WW_6B128700\MSVCP80.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SHFOLDER.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\ICONV\WINDOWS-1252.SO
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\ICONV\_TBL_SIMPLE.SO
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\ICONV\UTF-8.SO
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CSCUI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CSCDLL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RICHED32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RICHED20.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WIN.INI
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USERENV.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DRPROV.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTLANMAN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETUI0.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETUI1.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETRAP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SAMLIB.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DAVCLNT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTSHRUI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ATL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WPDSHEXT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.0.2600.2180_X-WW_522F9F82\GDIPLUS.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\PORTABLEDEVICEAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\AUDIODEV.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WMVCORE.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WMASF.DLL
\DEVICE\HARDDISKVOLUME2\MARK\ITUNES\EMINEM\CURTAIN CALL - THE HITS (EDITED VERSION)\SHAKE THAT (EDITED VERSION).M4A
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSIMTF.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SECUR32.DLL
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\Mark\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\Mark\COOKIES\INDEX.DAT
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\Mark\LOCAL SETTINGS\HISTORY\HISTORY.IE5\INDEX.DAT
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASMAN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\TAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RTUTILS.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSV1_0.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IPHLPAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SENSAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSCTF.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\URLMON.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MLANG.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WSOCK32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\HNETCFG.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WSHTCPIP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DNSAPI.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\BONJOUR\MDNSNSP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASADHLP.DLL
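As an added example (this is not the blog's prefetch_info.exe, and it is not code from the post), here is a minimal parser for Windows XP prefetch files that pulls out the same fields the output above shows: executable name, embedded last-run time, run count and the list of loaded files. It follows the publicly documented XP layout (format version 17: "SCCA" signature at offset 4, executable name at 0x10, filename-strings offset/size at 0x64/0x68, last-run FILETIME at 0x78, run count at 0x90). The sample .pf bytes are constructed in the script itself so it runs offline; a real file can be passed on the command line. It also adds the check the post makes by eye: which NT device the executable was loaded from, so a binary run from removable media stands out from the system volume.

```python
"""Added example (not the blog's prefetch_info.exe): minimal parser for
Windows XP prefetch files (format version 17) plus an executable-origin
check. Offsets follow the documented XP layout; the sample .pf is
constructed in code so the script runs offline."""
import struct
import sys
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_HEADER_SIZE = 0x98  # size of the version-17 header


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    """Return executable name, embedded last-run time, run count and the
    list of files/directories whose pages are to be loaded."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version != 17:
        raise ValueError("only the XP/2003 layout (version 17) is handled here")
    # 0x10: executable name, 60 bytes of NUL-terminated UTF-16LE
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    # 0x64/0x68: offset and size of the filename-strings block
    names_off, names_size = struct.unpack_from("<II", data, 0x64)
    last_run = struct.unpack_from("<Q", data, 0x78)[0]   # FILETIME
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    blob = data[names_off:names_off + names_size].decode("utf-16-le")
    paths = [p for p in blob.split("\x00") if p]
    return {"executable": exe, "last_run": filetime_to_datetime(last_run),
            "run_count": run_count, "paths": paths}


def device_of(path):
    """'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\...' -> '\\DEVICE\\HARDDISKVOLUME2'."""
    parts = path.split("\\")
    return "\\".join(parts[:3]) if len(parts) >= 3 else path


def executable_origin(info):
    """Device the executable itself was loaded from. Fixed volumes show up
    as HARDDISKVOLUMEn; the post's USB stick appears as HARDDISK3\\DP(...)."""
    for p in info["paths"]:
        if p.rsplit("\\", 1)[-1].upper() == info["executable"].upper():
            return device_of(p)
    return None


def build_sample_prefetch(exe, last_run, run_count, paths):
    """Constructed sample: only the fields parse_prefetch() reads are filled."""
    names_blob = "".join(p + "\x00" for p in paths).encode("utf-16-le")
    hdr = bytearray(XP_HEADER_SIZE)
    struct.pack_into("<I4s", hdr, 0, 17, b"SCCA")
    struct.pack_into("<I", hdr, 0x0C, XP_HEADER_SIZE + len(names_blob))  # file size
    struct.pack_into("<60s", hdr, 0x10, exe.encode("utf-16-le"))
    struct.pack_into("<II", hdr, 0x64, XP_HEADER_SIZE, len(names_blob))
    struct.pack_into("<Q", hdr, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", hdr, 0x90, run_count)
    return bytes(hdr) + names_blob


# Constructed stand-in for AID4MAIL.EXE-1EE932F2.pf, using a few paths from the post.
SAMPLE_PF = build_sample_prefetch(
    "AID4MAIL.EXE",
    datetime(2008, 2, 28, 2, 16, 11, tzinfo=timezone.utc),
    1,
    [r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL",
     r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNEL32.DLL",
     r"\DEVICE\HARDDISK3\DP(1)0-0+8\AID4MAIL\AID4MAIL.EXE",
     r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USER32.DLL"],
)


def report(data):
    info = parse_prefetch(data)
    print("File Name that was run", info["executable"])
    print("Embedded date/time is", info["last_run"].strftime("%c"))
    print("Run count", info["run_count"])
    print("Executable loaded from", executable_origin(info))
    for p in info["paths"]:
        print(" ", p)
    return info


if __name__ == "__main__":
    # Usage mirrors the post's tool: give a .pf path, or no argument for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PF
    report(data)
```

The origin check is the part worth keeping in a triage script: the file list tells you not only what was loaded but from which device, and a program whose own image sits outside the system volume deserves a second look.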

NoteCase For Those Case Notes and Outlines

While I was surfing for something to create a task-type list, I came across the NoteCase note manager. It can be found here. Here is their brief description from their site:

NoteCase is a hierarchical note manager (aka. outliner). It helps you organize your everyday text notes into a single document, with individual notes placed in the tree-like structure (each note can have its sub-notes, ...). To ensure your privacy, encrypted document format is supported, along with standard unencrypted format. Project is free and open source.

After choosing which version to download (I went with the Windows portable version so I can take it with me) and installing it, I started to play around with it. This is a pretty cool open source project. It lets you create an outline (a series of expandable nodes) and add text, pictures, links and attachments to each node. You can add a date/time entry and also cross out entries as you create them. If saving your file encrypted is an option you want, you can do that too. You can export to HTML, text and even an executable. If you want to use a language other than English, you have your choice of 33 other languages. I blogged last year about TiddlyWiki and how nice it was to have something to carry with you to take notes and so forth; I would rate this product right up there with TiddlyWiki, especially since it supports so many languages (looking at where you readers are, I can see where the other languages would come in handy).

Thoughts/comments/questions?


Addendum, Feb 28. 2008

I forgot to mention that NoteCase is available for all these platforms:

Linux/Unix (with GTK+ 2.x installed)
Windows 9x/2000/XP/Vista
Mac OS X
FreeBSD (available elsewhere on the Internet)
Sharp Zaurus platform (running pdaxrom or angstrom Linux distro)
Nokia Maemo platform (Nokia N770/N800)
Nokia Maemo OS2008 platform (Nokia N800/N810)

Wednesday, January 23, 2008

Mount That DD Image with VMWare........

As most of you are aware, you can use Live View to create a virtual machine from a DD image so you can boot it up and check it out. If you use the snapshot feature to make it read only, then you can do whatever you want to the image and it will not harm it (I won't go into VMware's snapshot features). Now what if you want to mount one of the partitions to a drive and scan it with a virus scanner or some other tool? Well, now you can, by using the 4 Perl scripts and executables I created. The zip file containing the Perl scripts and executables can be found here.

In order to use these scripts you will need to have created the VMware machine from the DD image using Live View. Live View takes a snapshot so you can revert back to it, and that snapshot is what makes the image read only; make sure you do this, otherwise it will not be read only. Once you have created the VM, run the following programs in order:

vm-vol-list.exe <PATH to VM>\<VMDK File>   (put the path and file in quotes if they contain spaces)

This will list all the volumes in this virtual machine. You need to pick the one you want mounted then issue the following command.

vm-mount.exe <PATH to VM>\<VMDK File> <Drive Letter to mount to, without :> <Volume number from previous step>   (put the path and file in quotes if they contain spaces)

This will mount your volume to the drive specified. You can then do anything you want with it. To unmount the drive, issue the following command.

vm-unmount.exe <Drive Letter the volume was mounted to, without :>

This will unmount the volume from the drive. To revert the image back to its original state, issue the following command.

vm-snapshot.exe <PATH to VM>\<VMX File>   (put the path and file in quotes if they contain spaces; NOTE: this takes the .vmx file, not the .vmdk file)

This will revert any changes that were made, so the image will look exactly as it did just before you mounted it. This uses the default snapshot name created by Live View, so if you use another name you will have to change the Perl script.
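The four steps above are one procedure, and the read-only guarantee only holds if the unmount and the snapshot revert actually run after the scan. As an added example (this wrapper is not part of the blog's zip), here is a small Python driver that calls the tools in the post's order and uses try/finally so the teardown happens even when the scanner crashes. Assumptions: the tool names and argument order are exactly as given above, the tools exit non-zero on failure, the scanner is a placeholder called my-scanner.exe, and the snapshot is the one Live View created. The `run` hook exists only so the sequencing can be exercised offline.

```python
"""Added example, not the blog's own scripts: drive the four vm-*.exe
tools from the post in order and guarantee unmount + snapshot revert.
Assumes the post's argument order and that the tools exit non-zero on
failure; my-scanner.exe is a placeholder for whatever scanner you use."""
import subprocess


def run_scan_readonly(vmdk, vmx, drive, volume, scan_cmd, run=None):
    """Mount <volume> of <vmdk> on <drive>:, run scan_cmd (a list; any
    '{drive}' in it is replaced with the drive letter), then always unmount
    and revert the VM to its snapshot. `run` defaults to subprocess.run and
    is a hook for offline testing. Returns the commands issued."""
    run = run or (lambda cmd: subprocess.run(cmd, check=True))
    issued = []

    def step(cmd):
        issued.append(cmd)
        run(cmd)

    step(["vm-mount.exe", vmdk, drive, str(volume)])
    try:
        step([a.replace("{drive}", drive) for a in scan_cmd])
    finally:
        # Both teardown steps run even if the scanner raised, and the revert
        # runs even if the unmount failed: the revert is what keeps the
        # evidence image unchanged.
        try:
            step(["vm-unmount.exe", drive])
        finally:
            step(["vm-snapshot.exe", vmx])
    return issued


def simulate(fail_scan=False):
    """Offline dry run with a fake runner (constructed paths). Returns the
    tool names invoked in order and whether the scanner error propagated."""
    invoked = []

    def fake_run(cmd):
        invoked.append(cmd[0])
        if fail_scan and cmd[0] == "my-scanner.exe":
            raise RuntimeError("scanner crashed mid-scan")

    try:
        run_scan_readonly(r"C:\vm\image.vmdk", r"C:\vm\image.vmx", "X", 1,
                          ["my-scanner.exe", "{drive}:\\"], run=fake_run)
        failed = False
    except RuntimeError:
        failed = True
    return invoked, failed


if __name__ == "__main__":
    print(simulate())
    print(simulate(fail_scan=True))
```

Picking the volume number still needs a look at the vm-vol-list.exe output first; the wrapper deliberately takes it as an argument rather than guessing at that output's format.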

Questions/Comments/Thoughts???

Saturday, January 12, 2008

A file tool mark Library

Adding to Hogfly's idea about an application tool mark library, and looking at my last post, I think it might be interesting to have a file type tool mark library. What if you were able to look at a file and determine what program was used to create it? In my last post I showed how a .doc file that had originally been created in Word changed once it was saved in Word Perfect. Now how could this be important? Well, if that file was found on a PC that did not have Word Perfect installed, then you can show that the file was not maintained there.

Thoughts/Comments/Questions??

Friday, January 11, 2008

What is your MS Office Metadata Telling You???

So you are given a couple of Word documents and the person who gave them to you wants to know what you can tell them about the files. You tell them no problem and start to analyze them. You can get the files here. Now, they all look like Word docs and they open like Word docs, but some of them smell kind of funny. The reason some of them smell funny is that they have none of the normal Word metadata. The first file has all the usual metadata, but the rest of them seem to have lost theirs. To cut to the chase: every document after test-1.doc was opened in Word Perfect and saved in MS Word document format. I had not really heard any discussion about this until I came across a file just like the ones I will be discussing (how I find this stuff sometimes I will never know).

The first file, test-1.doc, was created in Microsoft Word 2003 and saved. If you run Harlan Carvey's WMD.pl program on it, you will see that it comes back with a whole slew of metadata. Every file after this one was opened in Word Perfect (WP) and saved in MS Word 97/XP/2003 format. You really need to look at these files in a hex editor to appreciate what is going on here.

In test-2.doc everything looks like test-1.doc, except that towards the end of the file you can see where the body text I typed resides, together with the changes I made. This is very interesting, because each time I save the file it switches between the top text and the bottom text. If you compare the 2 areas you can see that one is the newly edited text and the other is the last saved text (I numbered each sentence I typed so you can tell what order I saved them in). It is kind of cool how you can start to see the changes in the file. Now, after the first save in WP, if you search for the hex values FEFF00 you should find 2 spots in the file where the Word metadata resides (my name, company, title, etc.). After you save the file again, that first section of metadata disappears (if you look at the difference between test-2.doc and test-3.doc you will see what I mean). After the third save the next set of Word metadata is gone (test-4.doc). Now you understand why there was no metadata. Files 5, 6 and 7 are just to show how the text of the file goes back and forth between the 2 areas. Also, in the file you will see the words Corel Corporation, which leads you to believe that it was edited in WP.

Now let's say that you have files test-1.doc, test-2.doc and test-3.doc. What can you really say about them? Well, here is what I would state about these files:

test-1.doc was created in Word; you can tell by the way the file looks and by all the metadata (a Word document has the same fundamental look).

test-2.doc was edited and saved in Word at one time, because of the presence of the 2 sections starting with FEFF00. With the words "Corel Corporation" in the file and the exact same text in 2 spots in the file, I can say that the file was last saved with Word Perfect.

test-3.doc was edited and saved in Word at one time, because of the presence of 1 section starting with FEFF00. With the words "Corel Corporation" in the file and 2 areas of edited text that do not match, I can say that the file was saved with Word Perfect the last 2 times it was saved.

Does this make sense and do you come to the same conclusions I have?

One thing to note if you are using the wmd.pl program mentioned above is that after a couple of saves in WP the metadata will show that the file was created on a Mac and not Windows. I have told Harlan about this, so he is aware of it.

Now the question to ask yourself is what other programs that do a "save as" to another format exhibit this type of behavior.

I hope I was clear in what I was saying. If not, then download the files and check them out, and I think it will be clearer.
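The reasoning above turns into a repeatable check once the two indicators are counted rather than eyeballed in a hex editor. As an added example (not the post's files or tooling, and not WMD.pl), here is a byte-level triage script that applies the post's rules: it counts occurrences of the FEFF00 marker, looks for "Corel Corporation" in both ASCII and UTF-16LE, and checks whether the UTF-16 body text appears twice. One fact worth knowing behind the marker: the bytes FE FF 00 00 are the ByteOrder (0xFFFE) and Version (0) fields that begin an OLE property-set stream header, which is where Word stores its SummaryInformation and DocumentSummaryInformation, so counting that marker counts surviving metadata sections. The sample byte strings are constructed stand-ins built to match the post's description of test-1 to test-4, not real Word files, and the rule thresholds are the post's own.

```python
"""Added example, not the blog's tooling: byte-level triage of a .doc using
the post's two indicators. The samples are constructed stand-ins that
mimic what the post describes, not real Word files."""
import re

PROPSET_HEADER = b"\xfe\xff\x00\x00"   # ByteOrder 0xFFFE + Version 0 of an OLE property set
COREL_MARKERS = (b"Corel Corporation", "Corel Corporation".encode("utf-16-le"))
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){12,}")   # 12+ printable UTF-16LE chars
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

VERDICTS = {
    "word": "metadata sections intact, no Word Perfect marker: created and saved in Word",
    "wp1": "two metadata sections plus Corel marker: saved in Word once, last save by Word Perfect",
    "wp2": "one metadata section plus Corel marker: last two saves by Word Perfect",
    "wp3": "no metadata sections plus Corel marker: three or more Word Perfect saves",
    "unknown": "no metadata sections and no Word Perfect marker: origin undetermined here",
}


def find_all(data, needle):
    """Byte offsets of every occurrence of needle in data."""
    return [m.start() for m in re.finditer(re.escape(needle), data)]


def text_runs(data):
    """Decoded UTF-16LE text runs, the way the typed body shows up in a hex editor."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def triage_doc(data):
    propsets = find_all(data, PROPSET_HEADER)
    corel = any(m in data for m in COREL_MARKERS)
    runs = text_runs(data)
    if not corel:
        key = "word" if propsets else "unknown"
    elif len(propsets) >= 2:
        key = "wp1"
    elif len(propsets) == 1:
        key = "wp2"
    else:
        key = "wp3"
    return {
        "is_ole": data.startswith(OLE_MAGIC),
        "propset_offsets": propsets,
        "corel_string": corel,
        "duplicate_text": len(runs) != len(set(runs)),   # same text in 2 spots
        "verdict": VERDICTS[key],
    }


def make_sample(propset_count, corel, bodies):
    """Constructed stand-in: OLE magic, N property-set headers, UTF-16LE
    body text areas, and optionally the Corel string near the end."""
    pad = b"\x00" * 16
    blob = OLE_MAGIC + pad
    for _ in range(propset_count):
        blob += PROPSET_HEADER + b"\x00" * 20 + pad
    for body in bodies:
        blob += body.encode("utf-16-le") + pad
    if corel:
        blob += b"Corel Corporation" + pad
    return blob


TEXT_V1 = "1. Typed this sentence in Word and saved."
TEXT_V2 = "1. Typed this sentence in Word and saved. 2. Edited in WP."
SAMPLES = {
    "test-1.doc": make_sample(2, False, [TEXT_V1]),
    "test-2.doc": make_sample(2, True, [TEXT_V1, TEXT_V1]),
    "test-3.doc": make_sample(1, True, [TEXT_V2, TEXT_V1]),
    "test-4.doc": make_sample(0, True, [TEXT_V2, TEXT_V1]),
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = triage_doc(data)
        print(f"{name}: FEFF00 at {r['propset_offsets']}, corel={r['corel_string']}, "
              f"duplicate_text={r['duplicate_text']}\n  -> {r['verdict']}")
```

The offsets returned for FEFF00 are the same ones you would land on with the hex editor search the post describes, so the script and the manual method can be cross-checked on the sample files.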

Questions/Thoughts/Comments???