Tuesday, September 30, 2008

Skype Log Parser Update.......

Wow, in the last 20 days this program has been downloaded over 290 times. I have received a few calls/emails about it and I thought I would update the program. There is still more to do with it, but I thought I would post this update to it. The program can be downloaded here.

This update adds parsing of the SMS records. It will parse sms256.dbb, sms512.dbb and sms1024.dbb. I did not have an sms16384.dbb, so that file will not be parsed. The report that is output lists the messages that were sent and the phone number each was sent to. I have yet to figure out where the date is stored, so that is not included at this time. This is something I will be working on.
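To show what an SMS record parse of this kind has to do, here is an added example that is not the author's program. It assumes (from public notes on the Skype .dbb format, not from this post) that each record begins with the magic "l33l" followed by a little-endian 32-bit payload length, and that the number in the file name (sms256.dbb) is the block size records are padded to. The sample blob is constructed in that layout; the message text and phone number fields inside a real record are not decoded here beyond pulling out printable strings.

```python
import re
import struct

# Assumption (public reverse-engineering notes, not stated in the post): every
# record in a Skype .dbb file opens with the magic "l33l" and a little-endian
# 32-bit payload length; the number in the filename (sms256.dbb) is the block
# size that records are padded to.
MAGIC = rb"l33l"
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
PHONE = re.compile(r"^\+?\d{7,15}$")


def block_size_from_name(filename):
    """sms256.dbb -> 256; raises for anything that is not a numbered .dbb name."""
    m = re.search(r"(\d+)\.dbb$", filename, re.IGNORECASE)
    if not m:
        raise ValueError("not a Skype .dbb filename: %r" % filename)
    return int(m.group(1))


def carve_records(data):
    """Yield (offset, payload) for each record. A payload is clipped at the next
    magic so a corrupt length field cannot swallow the following record."""
    offsets = [m.start() for m in re.finditer(MAGIC, data)]
    for i, off in enumerate(offsets):
        if off + 8 > len(data):
            break
        (length,) = struct.unpack_from("<I", data, off + 4)
        limit = offsets[i + 1] if i + 1 < len(offsets) else len(data)
        yield off, data[off + 8 : min(off + 8 + length, limit)]


def sms_report(data):
    """One row per record: printable strings, with phone-number-looking strings
    separated out so the report can pair a message with the number it went to."""
    rows = []
    for offset, payload in carve_records(data):
        strings = [s.decode("ascii") for s in PRINTABLE.findall(payload)]
        numbers = [s for s in strings if PHONE.match(s)]
        text = [s for s in strings if s not in numbers]
        rows.append({"offset": offset, "numbers": numbers, "text": text})
    return rows


def build_sample(block_size=256):
    """Constructed two-record blob in the layout assumed above (fabricated data)."""
    def record(seq, fields):
        body = struct.pack("<I", seq) + b"\x00".join(fields) + b"\x00"
        return (MAGIC + struct.pack("<I", len(body)) + body).ljust(block_size, b"\x00")
    return (record(1, [b"+15555550123", b"Running late, start without me"])
            + record(2, [b"+15555550199", b"Got it, thanks"]))


if __name__ == "__main__":
    blob = build_sample(block_size_from_name("sms256.dbb"))
    for row in sms_report(blob):
        print(row["offset"], row["numbers"], row["text"])
```

Because the payload is clipped at the next magic, a record with a damaged length field only loses its own tail rather than hiding the records after it, which matters when carving from a file that was partially overwritten.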

I have also added a timeline of all the transactions. This is similar to the "History" tab on the Skype program.

I am also planning on updating this program some more in the near future: adding reports, parsing voicemail, figuring out the date/time for SMS messages, and other things. If you think something else should be added to it, please shoot me an email (you can find my email somewhere on the blog) or just leave a comment.

Thoughts/Comments/Questions?

Wednesday, September 24, 2008

Google Chrome stores plain text passwords... sort of.

My interest was of course piqued when Google announced they would be entering the browser realm with Chrome. One of the things that has always interested me is the way different programs store passwords. While we are still working on decrypting the Chrome passwords from an imaged drive, I did make an interesting discovery about Chrome storing plain text passwords. Chrome relies on several files under the following paths (dependent on OS):

XP:

Documents and Settings/User/Local Settings/Application Data/Google/Chrome/

Vista:

Users/App Data/Local/Google/Chrome/


As it turns out, if you visit a site that does not require you to log in via https or any of a variety of other secure methods, Chrome will create a cookie, which can be found in the file “Current Session” under Chrome/User Data/Default. Within that file will be a plain text cookie with your login name and password. If the site requires https, you can still see the login, but the password is encrypted. However, there is one neat twist to this: if you log in with an incorrect password, even on an https site, the password is still saved in plain text. Using this information, you may be able to make an educated guess at what the actual password was. You can open the file with any text viewer or a hex editor.


This password recovery method unfortunately only works if, during the last instance of the browser being opened, the person typed in their password when prompted at a site that does not use a secure method to log in. I also created a slide show presentation, which can be found here, detailing the steps and data that can be viewed within Chrome.
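Checking a profile for this exposure by hand means eyeballing a binary file in a hex editor. The added example below is not from the post or its slide show; it automates the same check from an examiner's side: scan the raw bytes of a session file for form-encoded strings carrying a credential-looking key, note the nearest preceding URL and whether it was http or https, and report only the length of the secret rather than the secret itself. The list of field names and the sample session bytes are constructed assumptions, not real Chrome internals.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Keys a login form commonly uses for its secret field (assumed list, not from
# the post; extend it for the sites under review).
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pass", "passphrase"}
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")
URL = re.compile(r"https?://[^\s\"'<>]+")


def find_credential_fields(data):
    """Scan raw session-file bytes for form-encoded bodies that carry a
    credential key. The value is never returned, only its length, so the
    report can be shared without re-exposing the password."""
    findings = []
    last_url = None
    for m in PRINTABLE.finditer(data):
        text = m.group().decode("ascii")
        urls = URL.findall(text)
        if urls:
            last_url = urls[-1]          # remember the page this body belongs to
        if "=" not in text:
            continue
        for key, value in parse_qsl(text, keep_blank_values=True):
            if key.lower() in CREDENTIAL_KEYS:
                findings.append({
                    "offset": m.start(),
                    "field": key,
                    "value_length": len(value),
                    "context_url": last_url,
                    "scheme": urlsplit(last_url).scheme if last_url else "unknown",
                })
    return findings


def scan_session_file(path):
    """Wrapper for a real profile, e.g. .../Chrome/User Data/Default/Current Session."""
    with open(path, "rb") as fh:
        return find_credential_fields(fh.read())


# Constructed bytes mimicking the three cases the post describes: a plain-text
# HTTP login, an HTTPS login whose body is opaque, and a mistyped password on
# an HTTPS site that was still written out in the clear. Not a real capture.
SAMPLE_SESSION = (
    b"SNSS\x00\x00\x00\x01"
    b"http://forum.example.net/login\x00\x00"
    b"username=alice&password=correct+horse\x00\x00\x00"
    b"https://bank.example.com/signin\x00\x00"
    b"\x8a\x11\x9c\x01\x03blob\x00\x00"
    b"https://mail.example.org/auth\x00\x00"
    b"user=alice&passwd=wrongpass1\x00\x00"
)

if __name__ == "__main__":
    for f in find_credential_fields(SAMPLE_SESSION):
        print("%(scheme)s %(context_url)s field=%(field)s len=%(value_length)d" % f)
```

A hit with scheme "https" is the mistyped-password case from the post: the site was secure, but what the user typed still sits in the file, so the scan is worth running before a profile directory is shared or archived.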

As always Thoughts/Comments/Questions?

Wednesday, September 10, 2008

Drive Prophet for Windows **Beta**

Well, it is finally going mainstream public: the Drive Prophet for Windows Beta. If you have not heard anything about this then it may be new to you. If you listen to either the Cyberspeak podcast (July 19 podcast, 10:40 in) or the Forensic 4Cast podcast (Episode 8) then you will have heard it mentioned. Here is a quick overview.

So what is Drive Prophet? Drive Prophet is a triage tool that gives you a quick look at what can be found on a drive. It runs against a write-blocked drive or a DD image that has been mounted on your computer. If you go the DD image route, you can use any software to mount the image (VMware Mount, Mount Image Pro, EnCase, etc.). This does not mean it replaces a full forensic exam; it should not, but it will give you a jumping-off point into that exam and hopefully start to steer you in the right direction. My vision for this was a tool to help examiners, either in the field or back in the lab, get a quick look at a drive and be able to act on that information (i.e. question a suspect or start an exam).

After the drive is mounted you can start Drive Prophet and process the drive. Once the drive has been processed you will be presented with many reports that you can go through; here is a listing of the possible reports:

LIST OF ALL USERS ON THE SYSTEM
LIST OF THE PROGRAMS BASED ON THE "PROGRAM FILES" DIRECTORY
UNIQUE LIST OF USB DEVICES THAT HAVE BEEN ATTACHED TO THE SYSTEM
LAST PROGRAMS THAT HAVE BEEN RUN AND THE NUMBER OF TIMES RUN
ALL THE DIRECTORIES THAT CONTAIN JPG FILES
LIST OF DOMAINS THAT HAVE BEEN VISITED BY USER AND THE NUMBER OF VISITS
SOFTWARE INSTALLED ACCORDING TO THE REGISTRY
RECENTLY ACCESSED FILES FROM RECENT FOLDERS
FILES ON THE DESKTOP
FAVORITES DIRECTORY
URLS THAT HAVE BEEN TYPED IN INTERNET EXPLORER
MS MEDIA PLAYER: RECENT FILE LIST
MS MEDIA PLAYER: LAST OPENED PLAYLIST
COMPUTER OWNER INFORMATION
VIDEO FILES THAT WERE OPENED WITH WINDOWS MEDIA PLAYER
MS MEDIA PLAYER: RECENT OPEN DIRECTORY
LIST OF DOMAINS THAT HAVE BEEN VISITED BY USER ORDERED BY THEIR LAST ACCESS TIME
INTERNET SEARCHES
PROGRAMS THAT WILL RUN ON SYSTEM STARTUP ACCORDING TO THE REGISTRY
LIST OF ALL THE PROGRAMS THAT HAVE BEEN RUN THAT WERE NOT FOUND ON THE HARD DRIVE
SCHEDULED TASKS DEFINED ON THE SYSTEM
LIST LAST SEARCH TERMS FROM THE SEARCH ASSISTANT
LIST ADOBE ACROBAT READER MOST RECENTLY ACCESSED FILES
LIST ALL MOUNT POINTS ON THE SYSTEM
LIST STARTUP AND SHUTDOWN TIMES ACCORDING TO THE EVENT LOGS
LAST PROGRAMS THAT HAVE BEEN RUN AND NUMBER OF TIMES RUN - TECHNICAL
LIST PROGRAMS THAT HAVE RUN WITH THE MICROSOFT MANAGEMENT CONSOLE
PROGRAMS THAT HAVE RUN ON THE SYSTEM AT SOME POINT IN TIME
APPLICATIONS TO LOOK FOR
PROGRAMS THAT HAVE BEEN RUN/EXECUTED FROM USERS TEMP DIRECTORY
IP ADDRESSES ASSIGNED TO COMPUTER
NUMBER OF TIMES COMPUTER NORMALLY SHUTDOWN
LIST ALL DOC FILES
LIST ALL XLS FILES
LIST ALL PDF FILES
LIST ALL LNK FILES
INFORMATION ABOUT VIRTUAL MACHINES ON SYSTEM

If you do not see a report that you would like, more reports can be added. There are also a few options you can run after the drive has been processed; these are not included in the processing of the drive because they may take a long time themselves. The other options are:

1. “Parse/Report EXIF Information” will scan all the JPG files on the system and report back which JPG files have EXIF information, displaying that information along with the graphic.

2. “Run Time Line Report” will ask for a begin date and an end date (the end date is optional; if it is not supplied the current date is used as the end date) and will produce 4 reports:
     1. Report of all files that were Created between the 2 dates supplied.
     2. Report of all files that were Modified between the 2 dates supplied.
     3. Report of all files that were Last Accessed between the 2 dates supplied.
     4. Report of all files that have a Created, Modified or Last Accessed date/time between the 2 dates supplied.

3. “Run Picture Thumbnail Report” will generate a report of all jpg, png and bmp files that were found on the drive. There is an option to copy those files to the reporting directory so that they are available for your report.

4. “Run Vista Thumbcache Report” will generate a report of all jpg, png and bmp files that were in the Vista thumbcache files. These files will be copied to the reporting directory so that they are available for your report.
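The time line report (option 2) is a simple enough procedure that it is worth seeing in code. The following is an added example, not Drive Prophet's own implementation: it walks a mounted drive or image, buckets files by which of the three timestamps falls in the inclusive date range, and defaults the end date to today when none is given, exactly as the option describes. The fourth report is read here as "any one of the three stamps in range"; the sample directory and its timestamps are constructed for the demonstration.

```python
import os
import tempfile
from datetime import date, datetime, timedelta


def _bounds(begin, end):
    """Inclusive day range as local POSIX timestamps; end defaults to today."""
    begin_d = date.fromisoformat(begin)
    end_d = date.fromisoformat(end) if end else date.today()
    lo = datetime.combine(begin_d, datetime.min.time()).timestamp()
    hi = datetime.combine(end_d + timedelta(days=1), datetime.min.time()).timestamp()
    return lo, hi


def timeline_reports(root, begin, end=None):
    """Four sorted lists of paths relative to root: files Created, Modified and
    Last Accessed within [begin, end], plus 'any' for files matching on at
    least one of the three stamps (this example's reading of report 4)."""
    lo, hi = _bounds(begin, end)
    reports = {"created": [], "modified": [], "accessed": [], "any": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:          # unreadable entry on a mounted image: skip, don't abort
                continue
            # On Windows st_ctime is the creation time; on most Unix filesystems it
            # is the inode change time, so prefer st_birthtime where the platform has it.
            created = getattr(st, "st_birthtime", st.st_ctime)
            stamps = {"created": created, "modified": st.st_mtime, "accessed": st.st_atime}
            rel = os.path.relpath(path, root)
            matched = False
            for key, ts in stamps.items():
                if lo <= ts < hi:
                    reports[key].append(rel)
                    matched = True
            if matched:
                reports["any"].append(rel)
    for key in reports:
        reports[key].sort()
    return reports


def build_sample_tree():
    """Constructed directory with two files whose access and modified times are
    set with os.utime (creation time cannot be set portably, so it stays 'now')."""
    root = tempfile.mkdtemp(prefix="timeline_demo_")
    for name, when in (("old.txt", datetime(2008, 9, 5, 12, 0)),
                       ("new.txt", datetime(2008, 9, 20, 12, 0))):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        ts = when.timestamp()
        os.utime(path, (ts, ts))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for key, paths in timeline_reports(root, "2008-09-01", "2008-09-10").items():
        print(key, paths)
```

Run against a mounted image, the "created" list only means what the platform's stat says it means; on Linux st_ctime records the last metadata change, so a created-date report built there would need the filesystem's own birth time (for example from the MFT on NTFS) rather than stat.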

Now if after all this you still do not see certain things then let me know and they can be added to the list of future enhancements. The Drive Prophet Forum can be found here where you can request future report enhancements and other enhancements, report bugs, etc...

One other feature is a program called Back Log Breaker. This program was designed to allow the user to "batch" up runs of Drive Prophet and process them all at once. This could allow agencies that have a backlog to try and cut through it.

If this is something that interests you, send an email to prophet-beta at RedWolfComputerForensics dot com with your name, agency/company and contact info. This program will be available to all; it is not restricted to anyone. I will then reply with an email telling you how to download the Beta. You can also download the install guide and quick start guide as well.

Tuesday, September 9, 2008

Interview On Forensic 4cast

The guys on Forensic 4Cast (Lee and Simon Whitfield) were kind enough to ask me on the show and let me talk about a few things I have been working on. Two of the projects I have just blogged about a few minutes ago. The other project will be my next topic and I will be putting that out within the next day. The interview can be found here.

Skype Log Parser

At the DC3 Challenge there is a challenge that deals with parsing the log files created by Skype. Well, I went searching on the Internet for programs that would get me information from these logs, and every program I found only dealt with the chat sessions. Looking at my own logs I could tell there was more to it than that. I was very disappointed that the programs I looked at did not look at these other log files. I thought to myself, am I the only one seeing that an examiner is potentially missing some important data (phone log, transferred files, etc.)? Well, I could not let this opportunity pass by, so I created a program that will parse out these log files and produce some reports. The program can be downloaded here.

Now if anyone uses this program for the DC3 Challenge please let me know, I am always curious if the programs I publish ever get used.

As always send all comments/questions/suggestions good or bad to the comment section below or you can email me at mark dot mckinnon at sbcglobal dot net.

Google Chrome Log Parser

Google Chrome has been out for about a week and here is my first attempt to create a program that will parse out all the chrome logs and put together some useful reports. The program can be found here.

Just like Firefox, Chrome stores its logs in SQLite databases. Some of these logs are very similar to the Firefox logs. One thing to note is that Chrome is not very consistent about which date/time format it uses. In some logs it uses Unix epoch time (Jan 1 1970) and in others it uses Microsoft epoch time (Jan 1 1601). Chrome also stores a thumbnail of web pages in these logs. These thumbnails are used when you first start Chrome to show you 9 pages you have visited. The log parser above pulls these thumbnails out and presents them in the reports as well.
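The two-epoch problem is the part of a Chrome log parser that is easiest to get wrong, so here is an added example (not the author's parser) that converts both formats and builds a domain-visit report like the one Drive Prophet lists, from an in-memory SQLite database. The table layout is a trimmed-down version of Chrome's History schema (the real urls and visits tables have more columns), the rows are fabricated, and the size-based guess in normalize_timestamp is a heuristic of this example rather than anything Chrome documents.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Seconds from the 1601-01-01 epoch (Microsoft FILETIME / WebKit) to 1970-01-01 (Unix).
EPOCH_DELTA_SECONDS = 11644473600
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds):
    """Chrome History/Cookies style: microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def unix_to_datetime(seconds):
    """Logs that use the Unix epoch instead: seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def normalize_timestamp(value):
    """Heuristic (this example's, not Chrome's): 1601-based microsecond values
    for any plausible date are ~1e16, Unix seconds are ~1e9, so size decides."""
    return webkit_to_datetime(value) if value > 10**15 else unix_to_datetime(value)


def datetime_to_webkit(dt):
    """Inverse of webkit_to_datetime; used here to build the sample rows."""
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds


def build_sample_history():
    """In-memory database with a simplified copy of Chrome's urls/visits tables
    and fabricated rows (constructed sample, not a real profile)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    pages = [(1, "http://www.example.com/news", "News"),
             (2, "http://www.example.com/", "Home"),
             (3, "https://mail.example.org/inbox", "Inbox")]
    visits = [(1, 1, datetime(2008, 9, 10, 12, 0, tzinfo=timezone.utc)),
              (2, 2, datetime(2008, 9, 10, 12, 5, tzinfo=timezone.utc)),
              (3, 3, datetime(2008, 9, 11, 8, 30, tzinfo=timezone.utc)),
              (4, 1, datetime(2008, 9, 12, 19, 45, tzinfo=timezone.utc))]
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, 0, 0)", pages)
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?)",
                     [(i, u, datetime_to_webkit(t)) for i, u, t in visits])
    conn.commit()
    return conn


def domain_visit_report(conn):
    """(domain, visit count, last access UTC) tuples, most visited first."""
    rows = conn.execute(
        "SELECT urls.url, visits.visit_time FROM visits JOIN urls ON visits.url = urls.id"
    ).fetchall()
    stats = {}
    for url, visit_time in rows:
        host = urlsplit(url).hostname
        when = webkit_to_datetime(visit_time)     # History stores the 1601 epoch
        count, last = stats.get(host, (0, None))
        stats[host] = (count + 1, when if last is None or when > last else last)
    return sorted(((h, c, t) for h, (c, t) in stats.items()),
                  key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for host, count, last in domain_visit_report(build_sample_history()):
        print(host, count, last.isoformat())
```

The sanity check worth keeping in any parser is the one in the test below: 11644473600 seconds of 1601-epoch time must land exactly on 1970-01-01, and a converted Unix value and a converted 1601 value for the same instant must agree. If a report shows visits in the year 1601 or some 38 years off, the wrong epoch was applied to that column.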

As I stated above, this program is a work in progress and there is still more research to be done to make it better. I just wanted to get it out to all of you to start playing with it.

As always Questions/Comments/Suggestions.