Monday, February 27, 2012

Sharing

Sharing information on the net has some risks associated with it. "..if you rear yourself against it, you shall fall, you shall be bruised, you shall be battered, you shall be flawed, you shall be smashed." Dickens, Bleak House (1853) Yet still, I would rather see more information and a healthy discussion or argument about the issue than see nothing. I am glad to see more computer forensic blogs popping up; some of them are really great and some are just excellent. Periodically I get a chance to speak to very knowledgeable people. There is a lot to learn from these people, but they become afraid at the very thought of putting snippets of their knowledge or ideas online.

Yes, there are risks if you haven't verified your information or your assumptions were wrong. You may very well end up in a situation like this snowman.

There might be some people out there showing off their "knowledge" without doing a thing themselves to contribute to the computer forensic community. These people usually look and behave like this snowman :-)


Remember the 'Star Thrower' story by Loren C. Eiseley, where a young girl was at a beach full of starfish washed up after a storm. She was picking them up and throwing them back into the ocean. When she was told that she couldn't possibly make any difference because there were thousands of them around, she picked up another one and said "Well, I made a difference to that one!".

Unfortunately I don't post often, simply because I am currently working in a country where the computer forensics discipline is in its infancy and only one university has recently launched a computer forensic course. There is a lot of work in educating, training and explaining besides working the cases, which leaves me with very little time for any research or blogging.

You can't say I am not trying though :-)

.. and yes, lots of snow around.

Friday, February 17, 2012

PFX – Personal inFormation eXchange


A password and a PFX file are needed to open encrypted e-mail messages whose content is enveloped and attached as smime.p7m. PRTK does a good job at cracking passwords, but some PFX files have different headers which PRTK does not recognise. Chilkat Python modules come in pretty handy in this situation. The modules come with a fully functional 30-day trial and need to be purchased for use beyond this period or for commercial purposes. I wrote a script, based on one of the Chilkat module examples, to allow a dictionary attack on a PFX file and a p7m encrypted message. The code is quick and dirty, but gets the job done.
You will need your .p7m encrypted message, your .pfx file and a good ASCII formatted wordlist with a .txt, .dic or .lst file extension.

The sample code is provided for illustrative purposes only and "AS IS" without any warranties of any kind. :-) The code has not been thoroughly tested under all conditions, but should work fine if you know what you're doing. Here is the LINK to it. It should work fine on Windows and maybe on Linux/Mac machines as well (some modifications may be needed). The script relies on the Chilkat modules, which must be installed prior to running the script. Instructions are on the pyPFX project home.



Thursday, November 24, 2011

a couple of newly discovered tools

It's been an extremely busy autumn for me. Whilst running around, I came across a couple of useful tools.

SAFE (System Acquisition Forensic Environment) is a Windows PE boot disk with built-in software write blocking. I use the Enterprise version, which requires a dongle only to start up the environment. The dongle can then be removed to start up the next machine. A bootable USB can also be created with SAFE USB Creator. There are several tools listed as officially SUPPORTED by ForensicSoft, but plenty of other tools also run just fine in this environment. To get the ability to image over the network I put F-Response on the Live CD as well and found it to work rather well. SAFE has some problems with recognising Unicode file names when opening them with OpenOffice, for example, and some other minor bugs. The Win PE is based on Windows 7 32-bit and works well with most hardware.

Another Windows-based GUI forensic imager has been released in beta, this time from GetData. It has a very simple interface, works in portable mode and supports DD, AFF and E01 image formats. It also converts from one format to another. I wonder if it will remain free after it is out of beta.

Wednesday, August 3, 2011

SSD - TRIM, Encryption, Formating and Fragmentation

Operating systems identify solid state drives by querying the drive for its rotational speed. To be precise, this is done by reading the nominal media rotation rate as described in AT Attachment 8 - ATA/ATAPI Command Set (ATA8-ACS):

Word 217 (Nominal Media Rotation Rate):
0000h - rate not reported
0001h - non-rotating media (SSD)
0002h-0400h - reserved
0401h-FFFEh - nominal media rotation rate in rotations per minute (rpm), e.g. 7200 rpm = 1C20h, 5000 rpm = 1388h, 10 000 rpm = 2710h
FFFFh - reserved

If the value 0001h is returned, Windows 7, for example, turns on TRIM support and disables defragmentation. Furthermore, to reduce the frequency of writes and flushes, Windows 7 also disables boot and application launch prefetching and services such as ReadyBoost and Superfetch. As far as I am aware, Windows XP and Windows Vista cannot differentiate SSDs from hard drives. The following file systems are known to have TRIM support in their respective operating systems: NTFS, HFS+, EXT4, Btrfs. Here I should mention that modern Linux and Apple OS X support TRIM commands as well. TRIM functionality can also be implemented independently of the operating system; O&O Defrag, for example, enables TRIM operations for FAT32 and exFAT formatted SSDs.
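As an added example (not code from the original post), the following Python reads an IDENTIFY DEVICE block the way an operating system would: it decodes word 217 against the table above and, as an assumption taken from the later ACS-2 specification, treats word 169 bit 0 as the TRIM (DATA SET MANAGEMENT) support flag. The IDENTIFY block is constructed inline rather than captured from a real drive.

```python
import struct

IDENTIFY_WORDS = 256  # IDENTIFY DEVICE returns 256 16-bit words (512 bytes)


def word(buf: bytes, n: int) -> int:
    """Return 16-bit word n of an IDENTIFY DEVICE buffer (words are little-endian)."""
    return struct.unpack_from("<H", buf, 2 * n)[0]


def ata_string(buf: bytes, first_word: int, nwords: int) -> str:
    """Decode an ATA ASCII field; each word holds two characters with the bytes swapped."""
    raw = buf[2 * first_word:2 * (first_word + nwords)]
    chars = bytearray()
    for i in range(0, len(raw), 2):
        chars += raw[i + 1:i + 2] + raw[i:i + 1]
    return chars.decode("ascii", "replace").strip()


def decode_rotation_rate(w217: int):
    """Classify word 217 (Nominal Media Rotation Rate) per ATA8-ACS; returns (kind, rpm)."""
    if w217 == 0x0000:
        return ("rate not reported", None)
    if w217 == 0x0001:
        return ("non-rotating media (SSD)", None)
    if 0x0002 <= w217 <= 0x0400 or w217 == 0xFFFF:
        return ("reserved", None)
    return ("rotating media", w217)  # 0401h-FFFEh: the rate itself, in rpm


def parse_identify(buf: bytes) -> dict:
    """Extract the fields an OS looks at when deciding whether a drive is an SSD."""
    if len(buf) != 2 * IDENTIFY_WORDS:
        raise ValueError("IDENTIFY DEVICE data must be 512 bytes")
    kind, rpm = decode_rotation_rate(word(buf, 217))
    return {
        "model": ata_string(buf, 27, 20),   # words 27-46
        "serial": ata_string(buf, 10, 10),  # words 10-19
        "media": kind,
        "rpm": rpm,
        # Assumption (ACS-2): word 169 bit 0 = DATA SET MANAGEMENT (TRIM) supported
        "trim_supported": bool(word(buf, 169) & 1),
    }


def build_sample_identify(model: str, serial: str, w217: int, trim: bool) -> bytes:
    """Constructed IDENTIFY DEVICE block for testing (not captured from a real drive)."""
    buf = bytearray(2 * IDENTIFY_WORDS)

    def put_string(first_word: int, nwords: int, text: str) -> None:
        padded = text.ljust(2 * nwords).encode("ascii")
        for i in range(0, 2 * nwords, 2):       # store byte-swapped, as ATA does
            buf[2 * first_word + i] = padded[i + 1]
            buf[2 * first_word + i + 1] = padded[i]

    put_string(27, 20, model)
    put_string(10, 10, serial)
    struct.pack_into("<H", buf, 2 * 217, w217)
    struct.pack_into("<H", buf, 2 * 169, 1 if trim else 0)
    return bytes(buf)


if __name__ == "__main__":
    for block in (build_sample_identify("CONSTRUCTED SSD", "SN-0001", 0x0001, True),
                  build_sample_identify("CONSTRUCTED HDD", "SN-0002", 0x1C20, False)):
        print(parse_identify(block))
```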

I know that many forensic folks are still wondering how OS’s, file systems and SSD controllers talk to each other to make TRIM work. Louis Gerbarg did an excellent job of explaining and demystifying the process.

It should be noted that Windows 7 sends the TRIM command to the SSD not only when a file is deleted or a partition is formatted, but in several other instances, as described in the Support and Q&A for Solid-State Drives blog post:

"The Trim operation is fully integrated with partition- and volume-level commands like Format and Delete, with file system commands relating to truncate and compression, and with the System Restore (aka Volume Snapshot) feature."

A quick format is all that is required to trigger the TRIM command on an SSD and all data will be erased (zeroed out). Speaking of formatting, there was not much difference between the Quick and Full format options on pre-Vista Windows machines. The only difference between the two was that a full format also scanned for bad sectors, and the data could still be recovered from formatted drives. Since Windows Vista a full format writes zeros over all the data, completely destroying the old data. The same applies to Windows 7 and my tests confirmed this.

TRIM can be enabled and disabled manually. In Windows 7, to check the TRIM status, enter the following in a command prompt window as Administrator:

fsutil behavior query disabledeletenotify

Output:
DisableDeleteNotify = 1   (Windows TRIM commands are disabled)
DisableDeleteNotify = 0   (Windows TRIM commands are enabled)

The command fsutil behavior set disabledeletenotify 0 enables TRIM, and fsutil behavior set disabledeletenotify 1 disables it.

To my knowledge TRIM is not yet supported on RAID volumes. Recently there has been some confusion on this topic in relation to Intel Rapid Storage Technology supporting TRIM for RAID volumes. Intel had to publish a correction that TRIM is only supported in AHCI and RAID modes for drives that are not part of a RAID volume.

Not all SSDs support the TRIM command; some manufacturers do not even recommend enabling TRIM. SandForce and OCZ recommend against enabling TRIM in Mac OS (due to Apple's implementation of TRIM) and discourage using TRIM on controllers with internal low-level compression (due to the way they are built and operate).

TRIM and encryption is a topic worth its own cookbook, so I am only going to touch on it lightly. In my previous post I mentioned that Apple OS X Lion "FileVault 2" enables whole-disk encryption. It is certainly a big step forward compared to "FileVault 1"; however, this needs to be clarified a bit. "FileVault 2" is VOLUME based encryption. For example, NTFS, FAT/FAT32 or exFAT partitions located on the same drive will not be encrypted. The recovery partition also cannot be encrypted by "FileVault 2". TRIM is believed to be supported on "FileVault 2" encrypted drives. The TRIM command also works on NTFS file systems encrypted with BitLocker and TrueCrypt. TrueCrypt has issued several security warnings in relation to wear-levelling security issues and the TRIM command revealing information about which blocks are in use and which are not (Trim Operation Link & Wear-Leveling Link). PGP WDE doesn't support TRIM, but I remember someone mentioning that with the CLI it is possible to encrypt only used sectors. It is likely that the same security issue would arise as in the case of TrueCrypt.
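An added example, not part of the original post, of the kind of information the TrueCrypt warning refers to: on a TRIM-enabled SSD the trimmed sectors of an encrypted volume read back as zeros, so a sector map of the raw image reveals how much of the volume holds data and where, without any key. The volume image is constructed inline (random bytes stand in for ciphertext) and the 6.0 bits-per-byte entropy threshold is an assumed cut-off.

```python
import math
import random

SECTOR = 512


def sector_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for identical bytes, close to 8.0 for ciphertext."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_sector(block: bytes, threshold: float = 6.0) -> str:
    """All-zero sector: never written or TRIMmed. High entropy: ciphertext (or compressed
    data). Anything else: plaintext. The threshold is an assumed cut-off, not a standard."""
    if not any(block):
        return "trimmed"
    return "ciphertext" if sector_entropy(block) >= threshold else "plaintext"


def used_ranges(image: bytes) -> list:
    """Inclusive (first_sector, last_sector) runs of sectors that still hold data."""
    ranges, start = [], None
    nsectors = len(image) // SECTOR
    for s in range(nsectors):
        block = image[s * SECTOR:(s + 1) * SECTOR]
        if classify_sector(block) != "trimmed":
            if start is None:
                start = s
        elif start is not None:
            ranges.append((start, s - 1))
            start = None
    if start is not None:
        ranges.append((start, nsectors - 1))
    return ranges


def used_fraction(image: bytes) -> float:
    """Share of the volume that an observer can tell is occupied, no key required."""
    used = sum(last - first + 1 for first, last in used_ranges(image))
    return used / (len(image) // SECTOR)


def build_sample_volume(seed: int = 7) -> bytes:
    """Constructed 64-sector 'encrypted volume' image: sectors 0-9 and 30-39 hold
    random bytes standing in for ciphertext; every other sector was TRIMmed (zeros)."""
    rng = random.Random(seed)
    vol = bytearray(64 * SECTOR)
    for s in list(range(0, 10)) + list(range(30, 40)):
        vol[s * SECTOR:(s + 1) * SECTOR] = bytes(rng.getrandbits(8) for _ in range(SECTOR))
    return bytes(vol)


if __name__ == "__main__":
    vol = build_sample_volume()
    print("occupied sector runs:", used_ranges(vol))
    print("fraction in use: %.3f" % used_fraction(vol))
```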


Sunday, July 31, 2011

The Mighty Lion

Snow Leopard 10.6 wasn't much of a problem from the forensics perspective and left paw prints all over the snow. It had no TRIM enabled by default and FileVault was not particularly difficult to deal with. Advanced users could enable TRIM for their SSD drives by using TRIM Enabler 1.1, but this wasn't widespread. Apple OS X Lion 10.7 came and the game has changed.

The new OS adds support for the TRIM command and it is turned ON by default. TRIM allows OS-level garbage collection and also assists with wear-levelling and fragmentation, as well as reducing write amplification and improving random write speed. Basically, if an operating system supports TRIM, delete really does mean delete, not just flagging space as available.

OS X Lion also introduces "FileVault 2", which instead of merely encrypting user home folders now offers "Full Disk Encryption". Upon upgrading, existing users are offered to upgrade to "FileVault 2". The old FileVault, let's call it "FileVault 1", is also supported, but only for existing users of "FileVault 1". The new encryption method uses XTS-AES 128-bit encryption. When "FileVault 2" is enabled, the user is presented with the option to create a recovery key.

WARNING: You will need your login password or a recovery key to access your data. A recovery key is automatically generated as part of this setup. If you forget both your password and recovery key, the data will be lost.

Recovery key: CCQP-DDA3-XDSF-5656-UHGX-MTN8

Additionally, Apple now provides an option to store the recovery key with them, which I am sure will be useful for both forgetful users and law enforcement.

Monday, July 18, 2011

Safeboot with EnCase or FTK

The current versions of both EnCase and FTK work with SafeBoot Full Disk Encryption 4.x.
EnCase has to be the 32-bit version (not 64-bit). According to Guidance Software support people, SafeBoot 4.1 or higher versions are not supported by EnCase. In reality SafeBoot 4.1 decryption works just fine with EnCase 6.18 as long as one follows the detailed instructions.

FTK 3 officially supports SafeBoot Version 4.x and Version 5.x as well as McAfee Endpoint Encryption Version 6.x. There is no '32-bit only' limitation because there is no need to install the SafeBoot Tool or anything extra.


Access to the SafeBoot server is required when working with both EnCase and FTK. There is no need to export/copy out any files for decrypting with FTK. For SafeBoot versions 4.x and 5.x the decryption key can be obtained by running the SbAdmCl.exe command line tool. Its location can vary from version to version on the SafeBoot server.

SbAdmCl.exe -AdminUser:admin -AdminPwd:password -command:GetMachineKey -Machine:Machinename

To extract decryption keys for a group of computers the same command can be issued with -Group:* instead of -Machine:Machinename.

The command should return 32 bit Encryption Key(s) that can be entered in FTK when the encrypted evidence files are added to the case.

In McAfee Endpoint Encryption Version 6.x the key is exported from the server by using ePO (ePolicy Orchestrator). Check the "Exporting the recovery information file from ePO" section of the McAfee EETech User Guide for details. Once the .xml file is exported, the base64 key located between <key> and </key> needs to be copied, decoded and converted to hex. The easiest way to accomplish the task is to utilise this online "Base64 -> hexadecimal string decoder", which should produce the decryption key required by FTK.

UPDATE: 16 August 2011
EnCase Version 6.19 has just been released. The new version now provides support for McAfee Endpoint Encryption 6.0.

Monday, June 13, 2011

No trust in a single tool.

"If the only tool you have is a hammer, you tend to see every problem as a nail."
Abraham Maslow

More and more often I find myself working on a case with at least two forensic tools simultaneously. Depending on a task I select EnCase and X-Ways or FTK and X-Ways in pairs.

All three are great and each is better than the others at certain tasks. I like working with EnCase to analyse registries, automate things with EnScripts or search and bookmark hits in unallocated space. FTK is best with emails and has an excellent 'indexed' searching capability. X-Ways Forensics is simply fast and reliable.

There is no point in doing ALL operations with a pair of these tools. There are always a few of the most important pieces of evidence supporting the hypothesis that need extra attention. This is especially true when confirming the absence of certain evidence.

I don’t just use two tools in parallel, in addition I attempt to utilise different methods to confirm the facts. This becomes some sort of Devil's Advocate Peer Review Activity.

Lately, forensic tools have become more complex and attempt to provide more interpretation for the sake of convenience. Not surprisingly, I frequently observe different interpretations by different tools and have to dig deeper to find the truth.

Although I often use a bunch of open source or free tools like Harlan's RegRipper or Mandiant's Highlighter etc., having another full-featured forensic tool provides an additional layer of protection. Several times I have had a situation where the main tool would start crashing constantly, or be unable to process certain types of evidence in the middle of an examination. Sounds familiar? When time is limited and the vendor's technical support is slow or sometimes useless, having a backup tool ready to go is as good as gold.

Selecting the right tools for different investigations requires a good knowledge of the forensic tools in your arsenal. For example, Lotus Notes is very popular in the corporate environment, with over 140 million corporate licences sold worldwide. EnCase would normally work with NSF files and handle emails quite well. You will need FTK, or some other solution, to handle Lotus Notes databases, because EnCase …. well, maybe EnCase 7 will do a better job. X-Ways Forensics can't handle NSF at all. For the sake of completeness I should mention here that since Lotus Notes version 8.5 databases are called Applications.

Obviously one needs to be trained in using all of these tools and this might not be economically possible for small organisations or rookie examiners. In this case there are open source resources/tools that each examiner must become proficient with and have ready to go. The new book by Cory Altheide and Harlan Carvey called Digital Forensics with Open Source Tools should provide you with the necessary knowledge and insight.

Sunday, June 5, 2011

Most computer forensic examiners Need Shrinks

Many computer forensic specialists sooner or later get exposed to potentially psychologically harmful material. Images or (worse) videos of people being tortured and killed; children being exploited and raped are often encountered by forensic examiners. Some have only occasional exposure, and some have to constantly work with such material due to the nature of their work. The exposure causes all sorts of problems from stress and loss of productivity to more serious psychological traumas.

The above also applies to private and corporate forensic examiners who often accidentally locate offensive images or videos. What are the ways to minimise negative impacts of exposure to such material?

Prevention is better than cure.
It is technically difficult to completely insulate all personnel from the exposure. The only logical choice is to adequately prepare specialists for such situations by introducing mandatory introductory programs. These programs need to be specifically designed to deal with exposure to potentially harmful material and possible reactions to such exposure. Most importantly, new computer forensic specialists must be put through the program before they walk into the lab.

As part of an occupational health and safety, career longevity and work performance initiative we are currently working with professional psychologists to develop such a program for our organisation. The program is going to be integrated into the Standard Operating Procedures (SOP), and will also include mandatory reporting, debriefing and follow-up. To minimise harmful effects, arrangements are being made with psychologists to conduct debriefing within the first 24 to 72 hours after the initial exposure.

These procedures are designed to equip computer forensic personnel with the knowledge, skills and professional assistance to enable them to cope with exposure to offensive graphics. As an additional benefit, the program may also assist staff in dealing with other stressful situations. These steps are also designed to ensure productivity and retention of highly trained forensic specialists.

Thursday, May 26, 2011

Oh mama - my iPhone is no longer secure!

ElcomSoft guys are offering "near-instant forensic access to encrypted information stored in iPhone devices" ... even if it is hardware encrypted. Here is a LINK to the press release. Good job.

I hope it won't repeat the fate of COFEE.
Relevant reads from ElcomSoft's blog: link1 & link2



Saturday, April 9, 2011

DDoS on LiveJournal - turning crisis into opportunity.


Developing an effective incident response procedure is crucial to minimising the impact of a security breach or DDoS attack. A good incident response plan not only helps secure the impacted infrastructure, but can also increase consumer loyalty. The recent DDoS attack on LiveJournal clearly required the use of public relations techniques, which did not appear to happen in time.

In the absence of information, the rumour mill will take over. Instead, an immediate and honest statement should clarify the known details, and the information should be updated frequently. The organisation must demonstrate commitment, and this will be appreciated by its customers. In case certain information cannot be released, it is important to offer an explanation. By doing this the organisation appears responsive and cooperative even if not a great deal of information has been released.

The organisation also must educate all employees on the use of social media during the crisis and monitor Twitter, MySpace, Facebook and other social sites. Tracking and quickly responding to the relevant conversations should help uncover and defuse any potential crises-in-the-making.

While no organisation is immune to similar incidents, this does not necessarily have to turn into a disaster.

Saturday, April 2, 2011

Accessing VMFS partitions


VMware VMFS is the VMware Virtual Machine File System, which is used by VMware ESX and ESXi servers to store virtual machine disk images (.VMDK) and snapshots. The VMDK (Virtual Machine Disk) files are equivalent to real hard drives, except that they are virtual. Many forensic tools, including EnCase, can analyse VMware (.vmdk) data files or mount them (FTK Imager, Mount Image Pro etc.). The problem is getting VMDK files out of VMFS without ESX or ESXi infrastructure. There are several solutions to this problem.

The Open Source VMFS Driver was written by fluidOps in Java; it's free and allows read-only access to files located on VMFS partitions from many operating systems, including Windows. Java version 6 is required to run it. All you need is to mount the E01 image containing the VMFS partition with your favourite tool. I used to love Mount Image Pro and Smart Mount, but people change. I am using FTK Imager v3 now for obvious reasons; it doesn't cost me anything and there is no pain with dongles or registrations.


Mount TYPE is PHYSICAL.

Running the following command should get you into the partition via the WebDAV interface:

C:\vmfs_r95>java -jar fvmfs.jar \\.\PhysicalDrive4 webdav


Next navigate to http://localhost:50080/vmf and you should see VMDK files you were after.
Correction: I forgot to put an "s" at the end of the above address. The correct address would be http://localhost:50080/vmfs Thanks Tim for pointing this out.

The world isn't perfect though and you may run into a couple of problems:


Problem 1:
You may get an error similar to this:
Exception in thread "main" java.io.IOException: VMFS FDC base not found
at com.fluidops.tools.vmfs.VMFSDriver.openVmfs(VMFSDriver.java:1180)
at com.fluidops.tools.vmfs.VMFSTools.cli(VMFSTools.java:225)
at com.fluidops.tools.vmfs.VMFSTools.main(VMFSTools.java:492)


Problem 2:
There are several partitions inside your E01 image; some of them could be FAT12 "Hypervisor" partitions, which is enough for the fluidOps driver to give up on you.

There are several ways of getting inside, however. In my case I happened to have VMware Workstation installed on my machine and one of the guest OSes was Ubuntu 10.10. I added the hard disk (PhysicalDrive4) to my Linux guest OS and started it.

vmfs-tools is yet another tool, which is "originally loosely based on the vmfs code from fluidOps" and allows read-only access to VMFS file systems from non-ESX/ESXi hosts.

In Linux I installed vmfs-tools by running:

sudo apt-get install vmfs-tools

and then listed the partitions with:

sudo fdisk -l

The above shows that the VMFS file system is located on /dev/sdb3.

The next commands create a mount point, mount the VMware VMFS partition and show what's inside:

mkdir /home/a/Desktop/system
vmfs-fuse /dev/sdb3 /home/a/Desktop/system
ls -alh

I then connected a 1TB USB Seagate FreeAgent GO drive to the virtual machine and copied the files for further analysis. DONE.
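As an added example (not from the post or from vmfs-tools), the partition-table step above done on a raw image in Python: decode the MBR of the physical disk, identify the partition with type 0xFB (VMware VMFS) and report its sector offset, which is what fdisk -l showed as /dev/sdb3. The MBR is constructed inline with two FAT12 partitions in front of the datastore, mirroring the layout the post describes.

```python
import struct

# MBR partition type ids relevant to an ESX/ESXi datastore disk; 0xFB is VMware VMFS
PART_TYPES = {
    0x01: "FAT12", 0x05: "Extended", 0x06: "FAT16", 0x07: "NTFS/exFAT",
    0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux",
    0xFB: "VMware VMFS", 0xFC: "VMware VMKCORE",
}
# status, (CHS start, ignored), type, (CHS end, ignored), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"
VMFS_TYPE = 0xFB


def parse_mbr(sector0: bytes) -> list:
    """Decode the four primary entries of a classic MBR (sector 0 of the physical disk)."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: boot signature 55AA missing")
    parts = []
    for n in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector0, 446 + 16 * n)
        if ptype == 0x00:
            continue  # empty slot
        parts.append({
            "index": n + 1,                  # matches the /dev/sdbN numbering under Linux
            "type": ptype,
            "name": PART_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "start_sector": lba_start,
            "sectors": count,
            "byte_offset": lba_start * 512,  # offset to hand to a mounting tool
            "bootable": status == 0x80,
        })
    return parts


def find_vmfs(parts: list) -> list:
    """Return only the VMFS datastore partition(s) from a parsed table."""
    return [p for p in parts if p["type"] == VMFS_TYPE]


def build_sample_mbr() -> bytes:
    """Constructed MBR: two small FAT12 hypervisor partitions, then the VMFS datastore
    as partition 3 (2 GiB). Values are made up for the example, not taken from a real host."""
    mbr = bytearray(512)
    entries = [
        (0x80, 0x01, 64, 8192),         # 1: FAT12, bootable
        (0x00, 0x01, 8256, 8192),       # 2: FAT12
        (0x00, VMFS_TYPE, 16448, 4194304),  # 3: VMware VMFS
    ]
    for n, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * n, status, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print("partition %d: %-12s start sector %d (%d sectors)"
              % (p["index"], p["name"], p["start_sector"], p["sectors"]))
    print("VMFS at:", [p["index"] for p in find_vmfs(parse_mbr(build_sample_mbr()))])
```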


P.S. Paul Henry did a good write-up on a similar subject  here.

Saturday, January 22, 2011

GPU password cracking.

GPU acceleration has been used to crack passwords for some time now. This is due to the GPU's parallel layout, which is far better at large-scale mathematical operations than an ordinary CPU. Before, there was only nVidia with its CUDA SDK. I must admit that while I was building the lab and doing lots of administrative work, I totally missed the arrival of AMD's Stream SDK. It appears that ATI Radeon cards are much faster at crunching the numbers, in some cases 10 times, and software developers are quickly adding support for ATI cards. I just discovered a nice blog on password cracking by Vladimir Katalov from ElcomSoft. The blog is very informative and a good read. The author mentioned that a new version of Elcomsoft Phone Password Breaker, for example, already supports both nVidia and ATI cards, achieving speeds of around "7,000 passwords per second on NVIDIA GeForce GTX 580, and about 20,000 passwords per second on ATI Radeon HD 5970".

Wednesday, December 15, 2010

Sleuthkit 3.2.0 on Ubuntu 10.10

Some time ago I wrote a short "how-to" on installing the Sleuthkit on Ubuntu. Recently I tried to install the latest Sleuthkit 3.2.0 on Ubuntu 10.10 (32-bit) and ran into a problem when compiling it. It took me some time to figure out how to get it working.

Step 1:

sudo apt-get install libewf1 libewf-dev zlib1g-dev build-essential libexpat1-dev libfuse2 libfuse-dev fuse-utils gvfs-fuse libncurses5-dev libreadline-dev uuid-dev libssl-dev

Step 2:

Download and extract afflib 3.6.4.
In a terminal go to the extracted directory and run the usual:
./configure
make
sudo make install


Step 3:

Download Sleuthkit 3.2.0 and extract it. Next I had to apply a quick fix by adding an LDFLAGS link option to the configure.ac file located inside the extracted sleuthkit-3.2.0 directory. Adding the following line seems to fix the problem:

LDFLAGS="$LDFLAGS -lsqlite3 -lpthread -ldl"


I then navigated to the sleuthkit-3.2.0 directory in a terminal and ran:

./configure
make
sudo make install


DONE

Tuesday, December 7, 2010

iSCSI initiator on Win 7

F-Response (and Helix3 Pro) can both be handy for imaging over iSCSI. The Win 7 iSCSI initiator looks slightly different from the Win XP one.

Typing iscsicpl and hitting Enter brings up the initiator.

In the Discovery tab press Discover Portal. This should open another window, Discover Target Portal. Enter the IP address and port (if not the default) and click the Advanced button.

In the Advanced Settings window tick Enable CHAP log on and enter the username and password as per the F-Response target configuration.

The target(s) should appear in the Discovery tab.

In the Targets tab there should be the drive with its status indicated as Inactive.
Click the Connect button.

Another window will open with an option to add this disk to favourite targets. It is up to you whether you'd like to do that or not. Click the Advanced button.

The same procedure here: enable CHAP log on and enter the username and password.

The drive should be connected now.

Tuesday, November 30, 2010

Imaging SAS drives the easy way.

Every time I came to image machines with Serial Attached SCSI (SAS) hard drives, I thought about a SAS write blocker. The problem was that there was no such thing available. Live CDs, F-Response, live imaging, SAS to SATA adapters (I haven't tried this one) or SAS cards were the only options. I am glad that Tableau recently came up with one such device. It is called Tableau T6es SAS and I am just about to get one.

 

Many nice things have already been said about FTK Imager 3, which is certainly my tool of the year. It even works from a USB flash drive with all these nice new features for mounting image files. Just copy the folder from "C:\Program Files (x86)\AccessData\FTK Imager" onto your portable drive and you are pretty much set.

Tuesday, November 23, 2010

iOS 4.2 has arrived!

Apple iOS 4.2 software has finally arrived, making my beloved iPhone and iPad even more functional and probably introducing new bugs/vulnerabilities. I must admit that I have lately jumped on the Apple wagon; even right now I am typing this blog on a MacBook Pro :-).

I still do most of the forensic work on Windows machines and only occasionally utilise Linux.
Having a busy life lately, I have Mac(s) mostly for personal use, and the main reason for choosing Apple devices was their functionality, relative security and low maintenance.


I recently attended a presentation where several current Windows vulnerabilities/hacks were demonstrated. These little beasts were able to disable all major antivirus solutions, even when executed with 'guest' privileges. Another logical attack vector on commercial antivirus software would be an attack on its licence, for example by corrupting the licence or changing the clock to the future, making the AV's licence expire. Several commercial products dropped their defences straight away in my tests.


The funniest thing was that the above-mentioned presentation was given right after a computer forensic presentation by a young and very enthusiastic person, who was questioning the need to have a forensic machine disconnected from the Internet while performing the examination. I simply have no time or energy to deal with possible security compromises and other issues that may arise from having my forensic machine connected to the Internet. At the end of the day I bought these Apple gadgets to save my time for something better than constantly fixing my home Windows computer or checking firewall and security logs on my forensic machine :-) after each forensic examination.

Monday, November 15, 2010

BranchCache - Distributed Cache Mode

BranchCache is designed to solve problems with the availability of information in remote offices with slow WAN connections.

According to Microsoft, BranchCache is only supported on Windows Server 2008 R2, Windows 7 Enterprise and Windows 7 Ultimate. The technology supports two modes: Hosted Cache and Distributed Cache. It allows data to be cached on computers in the remote branch office and made available to other computers in the branch.

In Hosted Cache mode, the content is cached on a Windows Server 2008 R2 content server on the remote branch network. In Distributed Cache mode the content is distributed between Windows 7 client computers on the remote branch network and no additional server infrastructure is required. When distributed mode is enabled, a client computer first receives information from the BranchCache content server at the head office. The next client computer that requests the same information from the head office only receives the (small in size) content information, and the actual content is obtained from another client computer in the remote branch.

File changes are monitored by using hashes. If a client is unable to locate the necessary file in its own cache, it sends requests to the local subnet via the UDP protocol and then fetches it from one of the local client computers via HTTP/HTTPS.

Not only the actual content, but also the requests and 'content information' might potentially be a good source of valuable evidence.

Monday, September 27, 2010

Evidence movers

Using an evidence mover helps to transfer files around and preserve their integrity. It also saves a lot of time on image verification after the evidence has been transferred. I have been using MicroForensics Evidence Mover (the latest version is 1.1.17) for quite some time now. It is a nice free tool. There is one little problem with this tool. When the destination drive becomes unavailable, MicroForensics Evidence Mover happily reports that all files have been successfully transferred. Unless you check the logs and make sure that every (source) file has been listed in the log, there is a good chance that the transfer is incomplete.

Nuix Evidence Mover 2.0.21 is also free and looks and feels like the one from MicroForensics, except for one little detail. The tool from Nuix actually reports that all files have been transferred OK. If the destination drive becomes unavailable during the transfer, you will not see a line similar to this one:

09/27/10 12:09:58 - All files were moved successfully
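An added example, not the tools' own code, of the log check described above: compare the list of source files against the per-file entries in a mover log and flag the case where the success line is present although some files never made it. Only the final success line follows the format quoted above; the per-file line format, the paths and the hashes are constructed and hypothetical.

```python
import re

SUCCESS_MARKER = "All files were moved successfully"  # final line format quoted in the post

# Hypothetical per-file line format (real mover logs may differ):
#   09/27/10 12:05:00 - Moved <source> -> <destination> [<md5>]
MOVED_RE = re.compile(
    r"^\S+ \S+ - Moved (?P<src>.+?) -> (?P<dst>.+?) \[(?P<md5>[0-9a-f]{32})\]$")

# Constructed source list with the MD5s recorded at acquisition time (made-up values)
SAMPLE_SOURCES = {
    r"E:\case42\disk1.E01": "0123456789abcdef0123456789abcdef",
    r"E:\case42\disk1.E02": "fedcba9876543210fedcba9876543210",
    r"E:\case42\disk1.E03": "00112233445566778899aabbccddeeff",
}


def parse_mover_log(log_text: str) -> dict:
    """Collect per-file entries (source -> (destination, md5)) and the success marker."""
    moved, success = {}, False
    for line in log_text.splitlines():
        m = MOVED_RE.match(line.strip())
        if m:
            moved[m.group("src")] = (m.group("dst"), m.group("md5"))
        elif SUCCESS_MARKER in line:
            success = True
    return {"moved": moved, "reported_success": success}


def verify_transfer(expected_sources: dict, log_text: str) -> dict:
    """Cross-check the log against what should have been moved. expected_sources maps
    each source path to its known MD5; files absent from the log or logged with a
    different hash mean the transfer cannot be trusted, whatever the tool reported."""
    parsed = parse_mover_log(log_text)
    missing = sorted(set(expected_sources) - set(parsed["moved"]))
    hash_mismatch = sorted(
        src for src, (_, md5) in parsed["moved"].items()
        if src in expected_sources and expected_sources[src].lower() != md5)
    complete = not missing and not hash_mismatch
    return {
        "missing": missing,
        "hash_mismatch": hash_mismatch,
        "reported_success": parsed["reported_success"],
        "complete": complete,
        # the failure mode from the post: success reported although files are absent
        "false_success": parsed["reported_success"] and not complete,
    }


def build_sample_log(include_e03: bool = True) -> str:
    """Constructed log in the hypothetical format above. With include_e03=False it
    reproduces the scenario in the post: the drive went away, yet the success line is there."""
    lines, minute = [], 5
    for src, md5 in SAMPLE_SOURCES.items():
        if not include_e03 and src.endswith(".E03"):
            continue
        dst = src.replace(r"E:\case42", r"F:\evidence")
        lines.append("09/27/10 12:%02d:00 - Moved %s -> %s [%s]" % (minute, src, dst, md5))
        minute += 2
    lines.append("09/27/10 12:09:58 - " + SUCCESS_MARKER)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(verify_transfer(SAMPLE_SOURCES, build_sample_log(include_e03=False)))
```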

Friday, September 17, 2010

DRM protection

 
This pastebin page, http://pastebin.com/kqD56TmU, has probably been one of the most visited places lately. Hardware Blu-ray rippers HDfury2 and DVIMagic may soon have software competition due to the HDCP master key getting out into the wild.

Saturday, September 11, 2010

FTK RegEx

FTK 3.x "PATTERN" uses the Boost C++ Regex library, which is the new name for Regex++.

There are three main syntax options available in Boost: Perl, POSIX extended and POSIX basic, with Perl being the default. It is good to know that FTK definitely uses the Perl implementation. The exact RegEx syntax is available here.

... and yes, I am back. .. well kind of... I'm just not sure how often I 'd be able to post here.

Thursday, February 25, 2010

This blog will be updated soon!

This blog has not been updated for some time. I am planning to update it soon.

Saturday, January 30, 2010

Acronis Try&Decide

Acronis True Image Home 2010 is a backup utility that offers the ability to perform full, differential and incremental backups. Being able to mount an Acronis backup image as a logical drive in read or read/write mode is also handy. Acronis True Image is more than just backup software, however. It includes Disk Cleanser, File Shredder and System Clean-up, which wipe data stored on a hard disk, individual partitions or individual files.

The software also has a nifty feature called "Try and Decide". As the name suggests, it is designed to give users a second life whilst they make potentially dangerous changes to the system. It is easily activated by pressing the "Try&Decide" button.


When Try and Decide is activated, all the changes made by the user are recorded in an automatically created folder named "Acronis Try&Decide" on an external hard drive instead of drive C. Virtualisation technology is used to "isolate your "real" operating system from changes", and there is no need to install VMware or other virtualisation software.

Try&Decide continues working after the system reboots. Upon completion, the user is presented with options to accept or discard the changes.


After the changes have been discarded and Try&Decide has been stopped, the folder "Acronis Try&Decide" is automatically deleted.

Inside the "Acronis Try&Decide" folder the program creates a sub-folder with a name similar to C59FD9A9-D675-48B8-80E2-38662B09C411. This sub-folder contains a single file in which Acronis stores all the temporary data. Searching for the hex value 4163726f746e6430 should locate this file unless it has been overwritten.

Wednesday, January 13, 2010

Knowledge - Management and Retention

Alongside digital forensics and information security, I have always been interested in the subjects of knowledge management and knowledge retention. These areas are especially relevant to Information Security/Digital Forensics because these disciplines rely heavily on highly knowledgeable professionals. When such professionals leave the organisation, they create a giant gap that has to be filled.

There are several publications on this topic, many of them packed with unnecessary statistical data and useless formulas, and usually as boring as dry toast.

I just finished reading a book by Jay Liebowitz, "Knowledge Retention Strategies and Solutions", and I was pleasantly surprised by the quality of the material. This book is written to be concise and is full of insights and knowledge of the topic.

It is hard to disagree with the author who suggests that "younger workers are less likely to stay with one employer for more than a few years" and that a "learning organization" must develop "knowledge retention strategies so that critical knowledge does not walk out the door".

Unfortunately, I haven't seen many such organisations around, at least not in this industry. Instead, I came across many good professionals who keep their expertise to themselves and only share their knowledge when it suits their own interests. In his book Liebowitz identifies the major challenges to knowledge sharing and states that 'about 80% of knowledge management is people, culture, and process, and only 20% is technology' such as document management systems, wikis etc. He suggests that experts should be motivated to share their knowledge "through being recognized and rewarded". Of course, this would require competent management capable of creating the right atmosphere and building a high level of trust throughout an organisation.

The author also mentions the knowledge-engineering paradox, which I found quite amusing but dead right. The knowledge-engineering paradox 'means that the more expert an individual, the more compiled his/her knowledge and the harder it is to extract that knowledge'. Recently, I was surprised when someone told me that occasionally it is hard to get a quick technical explanation from me. I thought about it for a moment and then realised that I have to decompile this information first and only then translate it into a language understandable by a non-technical person.

This book is a good read and should be a valuable addition to every computer forensics manager's library.

Thursday, December 24, 2009

Merry Christmas and Happy New Year!


"We make a living by what we get but we make a life by what we give."

Winston Churchill

Tuesday, November 24, 2009

Computer Forensic Jobs in Sydney.

One of the best organisations in Australia for advancing your career as a digital forensic investigator is now recruiting. The New South Wales Police Force State Electronic Evidence Branch (SEEB) has a few positions open for qualified candidates.

What you get is a secure government job; good training; a convenient location not far from Sydney Central Station; and exposure to a wide variety of criminal cases, which provides you with 'law-enforcement experience', something extremely valuable in this industry.

Additionally, there are some great people over there with extensive hands-on experience to learn from.

I suggest checking the selection criteria first, as there are strict conditions placed on potential candidates in terms of qualifications, skills and, of course, criminal history.

Actually, there are two positions directly related to Computer Forensics: one forensic examiner and one R&D position. The third is a Sysadmin position.

For those who are interested, here is a link to these advertised jobs.

Tuesday, November 10, 2009

Ubuntu 9.10 installation problems.

It appears that the new Ubuntu 9.10 has a bug that may interfere with the smooth installation process normally offered by this distribution. Some SATA drives are not recognised by the Ubuntu partitioning tool. These SATA drives are, however, visible via the fdisk -l command or the gparted tool.

The problem appears to be caused by dmraid, which provides support for 'software RAIDs'. If the normal LiveCD is used, booting it and removing dmraid via Synaptic is the easiest way to deal with this problem. After removing dmraid, installation can proceed as normal. The alternate installation CD offers a "nodmraid" option, which can be accessed by pressing F6 at boot time.

Ubuntu 9.10 now uses the "fourth extended file system" by default; speaking of which, SMART-2009-11-08 is out. The new version provides "enhanced support for EXT4 file system".

Wednesday, October 28, 2009

(.pst) Documentation Specs are to be released by Microsoft

Finally, Microsoft has decided to release the PST specifications, so no more reverse engineering for forensic people. Here is the link to the MSDN blog.

The Cyberspeak podcast of Oct 25 2009 is out; Ovie and Bret eventually found the time for it. I have been listening to Cyberspeak podcasts since day one and it remains my favourite "computer forensics, computer security, and computer crime podcast". Keep up the good work, boys.

Ubuntu 9.10 is due for release tomorrow (October 29th). The Canonical guys always come up with a quirky name for each release, such as Feisty Fawn, Gutsy Gibbon, Horny Hardon :-), and Ubuntu 9.10 is no different: it is called "Karmic Koala".

Friday, October 23, 2009

Staying Up to Date with Technology.

The only secret that you need to know
The passage of time is a one way flow
If you understand, joyously you’ll grow
Else you will drown in your own sorrow.

                                Omar Khayyam

Occasionally I find myself struggling to keep up with the rapid technological progress that we all witness today. Here is what I do to keep up with it, which can easily be summarised into three main principles:
  • Learn
  • Embrace
  • Adapt and change your habits

Learn

I use Google Reader and Google News quite extensively to stay abreast of technology. I also utilise my "Blogs I read" blog roll to keep an eye on my favourite forensic blogs. I find that podcasts, which I normally listen to on the go, are a great source of information and inspiration. Reading online publications, manuals and whitepapers has become my daily routine.

Since I now have an iPhone, I use iTunes to manage all subscribed Podcasts. Recently, I discovered and became a great fan of Apple’s “iTunes U”, which is a part of iTunes Store featuring FREE University lectures, audio books etc.
 
Books, books, books, of course. They can be expensive if you buy them yourself. I consider myself a very lucky person, because I can get books for free as a reviewer at Computing Reviews. Although the review deadlines are quite strict and put you on a tight schedule, they also encourage you to read/finish the book and take comprehensive notes, which can later be summarised and converted into a review. If you have a master's degree and experience in a computer-related discipline, you may be eligible too. As a reviewer you get additional benefits such as free access to "over 19,000 reviews", being published in an Association for Computing Machinery journal, etc.

Joining groups of peers from the Computer Security/Forensic industry for formal or informal gatherings can help you gain reality checks on your current level of knowledge, seek out advice and guidance on technical issues and receive valuable feedback. If you are in Sydney, AU, send me an email and you may get invited to one of our monthly informal assemblies [subject to approval by all members]. Attending conferences and courses is beneficial, but in real life it is not always possible due to what is involved, so I won't go into this right now.



Embrace

I still believe that Windows XP is a great Operating System and I use a Win XP 64-bit machine as my primary forensic workstation. However, for this blog post I am using Windows 7 Professional, which has just come out. It doesn't mean that I love it so much. I have started using it, and not just playing with it, early and in a non-production environment in order to learn the OS. Hopefully, when I get a job involving Win 7, I won't have too many surprises.

The iPhone is another example: you don't have to like the phone, which I actually do. You simply cannot learn everything by attending an iPhone forensics course if you have never seen or used an iPhone before. I didn't know, for example, that when an iPhone is plugged into a computer to transfer music etc., a backup copy of the iPhone is automatically created on that computer. This backup contains a wealth of information such as photos, notes, email account settings, contacts, calendars, call history, SMS messages, bookmarks, browser history and currently open pages etc. iPhone backup files are a separate topic though.

My point is, get yourself out of the technological comfort zone and don't be afraid to dump your favourite web browser, at least for some time, and use something new. There is a good chance that you will come across this new browser again during a forensic investigation.



Adapt

Use Google Docs or another collaboration tool to do your (non-sensitive) work, take notes with electronic Mind Maps, set up Google Calendar and get free SMS reminders for upcoming events. Learn how these tools work and become more productive. It definitely helps me to be more productive and to better understand the technology and trends.


Monday, September 21, 2009

Taking a break from blogging!

This month I got myself an iPhone and I spend all my free time playing with all the cool things instead of blogging. I am planning to resume my 'normal' activities next month.

On a more serious note, I am currently busy doing some studies and also reviewing a book for Computing Reviews, which takes up all my time outside work. ...and yes, I did get the iPhone 3GS 16GB. I have to say that I love and hate it at the same time.

Friday, August 28, 2009

Mounting Parallels HDD and HDS files

During the examination of a Mac laptop, I located a file with a name similar to winxp.hdd.0.{5fbfaae3-6747-49ff-82a7-750e329bcb51}.hds. Further digging revealed that Parallels Workstation had been installed and used on this computer and that the virtual machines had later been deleted. I found a good link that explains how to deal with .hds files. I then searched for .pvs files and DiskDescriptor.xml and was lucky to find a couple of DiskDescriptor.xml files. One of these files contained the GUID 5fbfaae3-6747-49ff-82a7-750e329bcb51 and stated that the virtual disk was compressed. The rest was easy. I renamed winxp.hdd.0.{5fbfaae3-6747-49ff-82a7-750e329bcb51}.hds to winxp.hdd, went to Start -> All Programs -> Parallels and fired up Parallels Image Tool, which is installed by default together with Parallels Workstation. With this tool I converted winxp.hdd to a plain hard disk image, which took only a few minutes.

I then used my favorite free tool called ImDisk to mount the converted hard disk image. Default settings worked fine and ImDisk was able to mount 'converted.hdd' file in read-only mode.

Edit: The new version of Parallels Image Tool uses a slightly different GUI. Converting to the plain format is now done through the "Manage disk properties" option. The quote "The perfect is the enemy of the good." from Voltaire's Dictionnaire Philosophique (1764) is quite relevant in this case, because the latest version may not always successfully convert "old" HDS files, so do not yet throw away/uninstall your old version of Parallels.

Saturday, August 15, 2009

Quick notes

VirtualBox dynamic disks (VDI).

Analysing VirtualBox VDI files can sometimes be tricky. It is not a problem when the VDI file has header type 2, which means that you are dealing with a fixed disk. Searching for partitions with forensic tools such as EnCase or my all-time favourite X-Ways Forensics makes the examination no different from examining ordinary dd or E01 files. MakeSparseVDI, which comes with VirtualBox, can parse information from the VDI header and partition table. This information can be used to mount fixed VDI files with ImDisk, normally by pointing it to the partition start, which is usually located at offset 73728.


The old version of VirtualBox used to have a nice utility called vditool that could carve out the raw disk image. There is a good write-up in the 'Forensic Incident Response' blog about VirtualBox analysis. There have been several updates since then; vditool is no longer present and has been replaced with VBoxManage. The latter can convert raw images to VDI but not the other way around. (As it turned out, this is not the case. See below for details. VirtualBox help doesn't have this information. This site is more useful.)

Dynamic disks have the value 1 at offset 76 (decimal) and are not so easy to work with. Unlike flat volume images (fixed disks), dynamic disks cannot be mounted with the above-mentioned tools. The only tool/method that worked for me was WinMount. It mounted VirtualBox dynamic disks with no problems. The tool has a read-only option that is enabled by default in WinMount V3.2. It is also capable of mounting VHD (Virtual Hard Disk) and VMDK (VMware) images, comes with a 30-day trial period and costs $61.24 AUD.

Evgueni Tchijevski posted an easier way to deal with VDI disks - vboxmanage internalcommands converttoraw source destination. It works great, thanks Evgueni.
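To see why a fixed VDI can be mounted at a plain offset while a dynamic one cannot, it helps to read the header and block map directly. The following is an added example (not VirtualBox's, MakeSparseVDI's or ImDisk's code) based on the VDI 1.1 header layout: image type at offset 76, block-map and data offsets at 340 and 344, and a block map of one uint32 per virtual block. It builds a constructed four-block image of each type, classifies it, translates guest offsets through the block map and computes the file offset of the first MBR partition.

```python
"""Telling fixed from dynamic VirtualBox VDI images and resolving offsets.

Added example, not VirtualBox's, MakeSparseVDI's or ImDisk's code. It relies on
the VDI 1.1 header layout: image type at offset 76 (1 = dynamic, 2 = fixed),
block-map and data offsets at 340 and 344, disk/block sizes from offset 368.
A dynamic image is only readable through its block map, which is why it cannot
simply be mounted at a fixed partition offset.
"""
import struct

VDI_SIGNATURE = 0xBEDA107F
IMAGE_TYPE_DYNAMIC = 1
IMAGE_TYPE_FIXED = 2
UNALLOCATED = 0xFFFFFFFF        # block-map entry for a block the guest never wrote
SECTOR = 512


def parse_header(data):
    """Return the header fields needed for offset translation."""
    signature, = struct.unpack_from("<I", data, 0x40)
    if signature != VDI_SIGNATURE:
        raise ValueError("not a VDI image: bad signature at offset 64")
    image_type, = struct.unpack_from("<I", data, 76)
    offset_bmap, offset_data = struct.unpack_from("<II", data, 340)
    disk_size, block_size, _extra, blocks_total, blocks_alloc = struct.unpack_from(
        "<QIIII", data, 368)
    return {"image_type": image_type, "offset_bmap": offset_bmap,
            "offset_data": offset_data, "disk_size": disk_size,
            "block_size": block_size, "blocks_total": blocks_total,
            "blocks_allocated": blocks_alloc}


def read_block_map(data, hdr):
    """One uint32 per virtual block: index of the stored block, or UNALLOCATED."""
    return list(struct.unpack_from("<%dI" % hdr["blocks_total"], data, hdr["offset_bmap"]))


def translate(virtual_offset, hdr, bmap):
    """File offset holding virtual_offset, or None if its block was never allocated."""
    block, within = divmod(virtual_offset, hdr["block_size"])
    if block >= len(bmap):
        raise ValueError("offset beyond the virtual disk")
    if bmap[block] == UNALLOCATED:
        return None
    return hdr["offset_data"] + bmap[block] * hdr["block_size"] + within


def read_virtual(data, hdr, bmap, virtual_offset, length):
    """Read guest-disk bytes across block boundaries, zero-filling unallocated blocks."""
    out = bytearray()
    pos = virtual_offset
    while len(out) < length:
        within = pos % hdr["block_size"]
        take = min(length - len(out), hdr["block_size"] - within)
        where = translate(pos, hdr, bmap)
        out += b"\x00" * take if where is None else data[where:where + take]
        pos += take
    return bytes(out)


def first_partition_offset(data, hdr, bmap):
    """File offset of the first MBR partition's first sector.

    For a fixed image (identity block map) this is the value to give ImDisk; for
    a dynamic image the partition is not contiguous in the file, so the number
    only says where its first sector happens to live.
    """
    mbr = read_virtual(data, hdr, bmap, 0, SECTOR)
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature in sector 0")
    lba_start, = struct.unpack_from("<I", mbr, 0x1BE + 8)
    return translate(lba_start * SECTOR, hdr, bmap)


def build_test_image(image_type, block_size=65536):
    """Constructed 4-block VDI (not a real VirtualBox file): block 0 holds an MBR
    whose first partition starts at LBA 63, block 2 holds a marker string."""
    blocks_total, offset_bmap, offset_data = 4, 512, 1024
    if image_type == IMAGE_TYPE_FIXED:
        bmap = [0, 1, 2, 3]                          # every block stored, in order
    else:
        bmap = [0, UNALLOCATED, 1, UNALLOCATED]      # only blocks 0 and 2 ever written
    allocated = sum(1 for b in bmap if b != UNALLOCATED)
    img = bytearray(offset_data + allocated * block_size)
    img[0:0x40] = b"<<< Oracle VM VirtualBox Disk Image >>>\n".ljust(0x40, b"\x00")
    struct.pack_into("<IIII", img, 0x40, VDI_SIGNATURE, 0x00010001, 0x190, image_type)
    struct.pack_into("<II", img, 340, offset_bmap, offset_data)
    struct.pack_into("<QIIII", img, 368, blocks_total * block_size, block_size, 0,
                     blocks_total, allocated)
    struct.pack_into("<%dI" % blocks_total, img, offset_bmap, *bmap)
    mbr = offset_data + bmap[0] * block_size
    struct.pack_into("<I", img, mbr + 0x1BE + 8, 63)      # partition 1 starting LBA
    img[mbr + 510:mbr + 512] = b"\x55\xaa"
    marker = offset_data + bmap[2] * block_size
    img[marker:marker + 6] = b"MARKER"
    return bytes(img)


if __name__ == "__main__":
    for kind in (IMAGE_TYPE_FIXED, IMAGE_TYPE_DYNAMIC):
        img = build_test_image(kind)
        hdr = parse_header(img)
        bmap = read_block_map(img, hdr)
        print("type", hdr["image_type"], "partition 1 at file offset",
              first_partition_offset(img, hdr, bmap),
              "marker:", read_virtual(img, hdr, bmap, 2 * hdr["block_size"], 6))
```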



Acquiring RAM on the latest Ubuntu or Fedora has become a little problematic.

/dev/mem is now protected by default. "The CONFIG_STRICT_DEVMEM kernel option was introduced to block non-device memory access."

/dev/kmem is disabled by setting CONFIG_DEVKMEM to 'n'.

RAM acquisition via FireWire option looks really attractive now. There are two topics however that I am not prepared to discuss in this blog, and these topics are FireWire RAM acquisition and Encryption.



My favourite quotes about digital forensics and security by Richard Drinkwater and Richard Bejtlich.

Richard Drinkwater

"I don't validate my tools - I validate my results."


Richard Bejtlich

"The digital security field is incredibly complicated and anyone who claims to be a master of the entire field is a fool. In fact, mastery of any single subject might require such narrow focus as to be of little relevance to the remainder of the field. Those who are most successful have carved some niche out of the security landscape, but still understand the rest of the arena."


Both hit the nail on the head!

Tuesday, August 4, 2009

Digital Contamination

Using your mobile on a plane may not be an issue in the near future, as more airlines allow their passengers to make and receive calls during flights. However, the opposite might also be true when it comes to having your mobile phone switched on during search warrants or incident responses.

Almost all the latest mobile phone models now come with Wi-Fi and/or Bluetooth capabilities. These phones are often used by incident responders and digital forensic specialists who attend search warrants or scenes of crime. Given that it is almost impossible to find a laptop or desktop computer used by suspects without some kind of wireless network device built in or connected to it, the potential for accidental digital contamination should not be underestimated. Your Wi-Fi or Bluetooth enabled phone could potentially be detected by the suspect's laptop, and later you may find your mobile device's network name (or, even worse, your own name) logged on the suspect's machine.

Furthermore, Google Sync, SyncJe, The Missing Sync and many other mobile phone applications are capable of wirelessly synchronising iPhone, BlackBerry, Windows Mobile and some Nokia and Ericsson standard phones with the base computer. The items that normally get synchronised are contacts, calendars, email account settings, webpage bookmarks, notes, music and photos. Theoretically, depending on the preferences set, these items may get automatically synced between your mobile device and the suspect's computer "if care is not taken to ensure that the investigator's devices have had their wireless functions disabled prior to approaching a suspect's device..." [Angus M. Marshall]

I am just wondering how many organisations/practitioners have implemented safeguards/policies that deal with this issue. I am adding a poll to my blog that will run for a couple of weeks, so please take the time to answer the question.

Does your organisation have a policy mandating wireless devices off during forensic examination?

Saturday, July 4, 2009

Vista Timestamps

Timestamps can certainly be tricky because of the many factors that can affect their accuracy. This fact, however, doesn't automatically mean that file timestamps cannot be relied upon as evidence. It usually means that more work needs to be done by a forensic examiner to:
  • Correlate events from different sources.
  • Identify the factors leading to the timestamps changes.

Correlating events from different sources.

Some time ago I came across an article about the 'selective enhancement' method used to reconstruct a digital photograph from digital video footage. This method takes advantage of the fact that different frames are slightly different because the object moved or the light source changed. These differences are collected and then utilised in reconstructing the image. Now, going back to digital forensics, correlating events involves the process of identifying alternative sources of evidence. Taken out of context, such evidence may be viewed as an irrelevant or insignificant detail in the presence of weightier findings. Nevertheless, this kind of evidence may become crucial in the reconstruction of events and is too important an area to neglect.

Identify the factors leading to the timestamps changes.

There are many factors that can affect timestamps, including but not limited to various scanning or indexing applications, changing the system clock, clock skew or using anti-forensic tools. Unless the application responsible for altering timestamps has been resident in memory for a long time, such applications are identifiable based on their execution time.


Knowledge and experience play a critical role in the process of verifying the accuracy of timestamps. There are many publications available on the Internet that discuss timestamps, and Vista timestamps in particular. You can find links to these publications in my old post. Yet there are several recent 'white papers' on the Internet that just can't get Vista timestamps right.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  • Value Name: NtfsDisableLastAccessUpdate
  • Data Type: REG_DWORD (DWORD Value)
  • Value Data: set 1 to prevent the Last Access time stamp updates.
This doesn't mean that 'Accessed Time' is never updated at all. By simply experimenting with a text file sitting on your desktop (if you have Vista, of course), you can quickly determine that the 'Accessed Time' value doesn't change on accessing the file, and in most circumstances modifying the file also leaves 'Accessed Time' unchanged. It only changes when you copy the file or move it to another volume.



Compound files such as MS Office .doc or .docx files and possibly certain other files such as .jpeg may also change 'Accessed Time' if these files have been modified.

Friday, June 19, 2009

More thoughts on Visualisation

[Image: The Brain, an iMindMap image by charmainezoe via Flickr]
Information visualisation is a rapidly growing research field and I see more and more people becoming interested in using visualisation techniques in the field of Digital Forensics. There has been a series of discussions about "Visualisation" on computer forensic forums and digital forensics blogs. Last week I attended the Australian High Tech Crime Centre (AHTCC) conference in Sydney, where I met a couple of researchers who were also interested in doing research in this area.

Visualisation is a process or technique that graphically represents the collected data to enable a better understanding of its significance. I have been using visualisation techniques since the late 1990s, after I discovered the Mind Mapping technique, which originated with Tony Buzan. Since then, I have successfully used visualisation for learning and in various presentations.

There appear to be many attempts to enhance digital forensics techniques by adding visualisation to them. This is a welcome move considering the problems faced by forensic examiners while processing increasing quantities of digital evidence. These attempts, however, are mostly focused on automating the entire process, which in my view leads only to a dead end. I believe that visualisation techniques, at least in digital forensics, must be separated into two distinct areas, 'analysis' and 'presentation'. They are two different paths to two different goals.

Analysis

The analysis side of visualisation involves digital data processing to produce data suitable for further analysis, pattern discovery, pattern analysis, detection of anomalies etc. In my opinion this is the most challenging area of visualisation. This is the knowledge discovery stage, which employs data reduction and data interpretation techniques and can only be performed by a qualified and experienced forensic examiner. Once such data processing is successfully carried out, a visual representation of digital evidence would enable a forensic examiner to see trends or relationships between various sets of data.

Presentation

The presentation side of visualisation is simply a technique for making the facts visible and easily understood by the target audience. The significant relationships discovered during the analysis stage need to be emphasised with vivid colours, charts, "3D" representations or Mind Maps. This PowerPoint presentation by the Department of Image Processing and Neurocomputing of the University of Pannonia is a good start.

Wednesday, June 10, 2009

Sparsing - New technology set to revolutionise digital forensics.

[Image: A sparse file: The empty bytes don't need to b... (via Wikipedia)]
Periodically forensic examiners have to acquire large amounts of data and often face a dilemma as to whether to compress it or not.

Using compression usually means a performance trade-off.

In circumstances where both time and available storage are limited, X-Ways Forensics can be an invaluable tool. It is capable of creating compressed .e01 evidence files by utilising 'adaptive compression'. Unfortunately, compression negatively affects forensic examination at a later stage, because compressed disk images must be decompressed before they can be used by forensic tools such as EnCase or FTK.

Raw (dd) images are commonly used because they work with practically every forensic tool. On the other hand, raw images are not compressed and one may end up with a very large dd image even if the drive contained very little actual data.

Smart Acquisition Workshop, or simply SAW, is a "Data Acquisition and case management framework" from ASR Data. It utilises 'sparsing' to deal with the large drives most commonly found on mid-range to high-end server systems. The vast majority of these drives are only 50% to 80% full and the rest of the storage contains no data (all zeros). When SAW is used, only nonzero data is collected, and locations on the drive containing no meaningful data (all zeros) are only referenced. This method offers significant reductions in the size of forensic images and also avoids the need to decompress the data during the analysis stage. Hashing is performed during acquisition of the evidence to ensure the integrity of the data. SAW forensic images can then be mounted with Smart Mount (available for Win32, Linux and Mac platforms) and analysed with the forensic tool of your choice. SAW can also convert the acquired 'sparsed' image to a raw image while preserving the integrity of the data.

During a recent demonstration, a 2TB sample forensic image stored on a portable 200GB USB drive was mounted on a regular Eee PC without a problem.

Sparsing is not an entirely new concept; NTFS, for example, provides full sparse file support. "With the sparse file attribute set, the file system can deallocate data from anywhere in the file and, when an application calls, yield the zero data by range instead of storing and returning the actual data." Knozall Software, Inc.

What is really new is the fact that this technology has been successfully applied to digital forensics with its strict data integrity requirements. SAW provides for several other functions including: converting other forensic images to sparse images and creating VMware .vmdk files directly from these images.
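The principle described above (store nonzero blocks, only reference the all-zero ones, hash the full logical disk at acquisition time, and rebuild or read it later with the integrity check intact) can be shown in a few dozen lines. The container format below is a constructed toy for this post, not ASR Data's SAW format or code; it uses a mostly empty 1 MiB sample "drive" built inline.

```python
"""A toy 'sparsed' evidence container: nonzero blocks are stored, all-zero blocks
are only referenced by their absence.

Added example, not ASR Data's SAW format or code. It shows the principle the post
describes: only blocks containing data are written, a hash of the full logical
disk is taken at acquisition time, and the raw image can be rebuilt (or read at
arbitrary offsets without rebuilding) and verified against that hash.
"""
import hashlib
import struct

MAGIC = b"SPRS"
HEADER = struct.Struct("<4sIQ32s")     # magic, block size, raw length, sha256 of raw
ENTRY = struct.Struct("<QI")           # block index, stored length (last block may be short)


def sparse_acquire(raw, block_size=4096):
    """Build the container from a raw image held in memory."""
    out = bytearray(HEADER.pack(MAGIC, block_size, len(raw), hashlib.sha256(raw).digest()))
    for index, start in enumerate(range(0, len(raw), block_size)):
        chunk = raw[start:start + block_size]
        if not any(chunk):                 # all zeros: referenced by omission, never stored
            continue
        out += ENTRY.pack(index, len(chunk)) + chunk
    return bytes(out)


def parse_container(container):
    """Return (block_size, raw_length, sha256_digest, {block index: bytes})."""
    magic, block_size, raw_len, digest = HEADER.unpack_from(container, 0)
    if magic != MAGIC:
        raise ValueError("not a sparse container")
    blocks, pos = {}, HEADER.size
    while pos < len(container):
        index, length = ENTRY.unpack_from(container, pos)
        pos += ENTRY.size
        blocks[index] = container[pos:pos + length]
        pos += length
    return block_size, raw_len, digest, blocks


def sparse_read(container, offset, length):
    """Random access without rebuilding the image; unstored blocks read as zeros."""
    block_size, raw_len, _digest, blocks = parse_container(container)
    if offset + length > raw_len:
        raise ValueError("read beyond end of image")
    out = bytearray()
    pos = offset
    while len(out) < length:
        index, within = divmod(pos, block_size)
        take = min(length - len(out), block_size - within)
        data = blocks.get(index)
        out += b"\x00" * take if data is None else data[within:within + take]
        pos += take
    return bytes(out)


def sparse_restore(container):
    """Rebuild the raw image and verify it against the acquisition-time hash."""
    block_size, raw_len, digest, blocks = parse_container(container)
    raw = bytearray(raw_len)
    for index, data in blocks.items():
        raw[index * block_size:index * block_size + len(data)] = data
    if hashlib.sha256(raw).digest() != digest:
        raise ValueError("integrity check failed: restored image differs from acquisition hash")
    return bytes(raw)


def integrity_ok(container):
    """True when the container still restores to the image that was hashed at acquisition."""
    try:
        sparse_restore(container)
        return True
    except ValueError:
        return False


def build_sample_drive():
    """Constructed 1 MiB 'drive' that is mostly empty, like the server disks the post mentions."""
    drive = bytearray(1 << 20)
    drive[0:7] = b"\xeb\x52\x90NTFS"            # boot-sector-like bytes at the start
    drive[600000:600008] = b"evidence"          # one more block with real content
    return bytes(drive)


if __name__ == "__main__":
    raw = build_sample_drive()
    container = sparse_acquire(raw)
    print("raw %d bytes -> sparse %d bytes, restore matches: %s"
          % (len(raw), len(container), sparse_restore(container) == raw))
```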

Thursday, May 21, 2009

FTK Imager can acquire RAM


FTK Imager 2.6.0 has new functionality. Finally, it can capture RAM. There is no portable version as yet, so I can't see much use for it at this stage unless it can be used with F-Response. I found FTK Imager to be much slower than my favourite X-Ways Forensics tool. Additionally, I was unable to acquire RAM with the new FTK Imager on a Win 2003 Server with 8GB RAM; the acquisition just stopped at 48%. I should mention that the new version of this popular imaging tool has a few bug fixes and 'improvements' listed here.

Speaking of RAM, VMware vSphere 4 supports a few TB of memory on the host server and up to 256GB of memory for a guest. That's a lot of RAM, and perhaps this is the future of any forensic lab. Whilst the Cloud is often viewed as a "cost saving" that comes together with a loss of control over the computing infrastructure and various information security issues, the future may be in private cloud networks. These private clouds are capable of delivering flexible computer networks that can accelerate when and where it is needed most.

Saturday, May 2, 2009

Parsing setupapi.log

I mentioned setupapi.log files in one of my posts a few months ago. Since then a couple of good tools have been released that make my life easier when working with setupapi.log files.

One such tool is called SetupAPI Extractor, or SAEX. It is still in beta and is currently free. The tool only works with Win XP setupapi.log files; there is no support for Vista's setupapi.app.log and setupapi.dev.log files yet. The best thing about this tool is its ability to parse the log files and extract only the information you need.

Another tool I often use to work with various log files, including setupapi.log files, is Mandiant Highlighter. It was previously mentioned on Cyberspeak and is free to download. It works with ANY text file and allows users to highlight relevant keywords or remove unrelated lines. In the case of setupapi.log files, setup event ids like #-199 or #140, or placeholders such as Device_Description, Manufacturer_Name or Hardware_ID, can be either displayed or removed, making the information contained in setupapi logs more manageable.

Thursday, April 30, 2009

Ubuntu 9.04 guest in vmware - sluggish mouse.

I just installed Ubuntu 9.04 at work and am enjoying my 'dual screen via KVM switch' panoramic view :-), which was not possible before due to driver limitations.

I also tried to install Ubuntu 9.04 in VMware, and it caused the mouse to be rather sluggish. Installing vmware-tools didn't help. Next, in SYSTEM > PREFERENCES > STARTUP APPLICATIONS, in the startup programs tab, I added an entry named vmware-tools with the command /usr/bin/vmware-user &. This did not fix the problem either.

The best option to solve this was to install the xserver-xorg-input-vmmouse driver by running the following command:
sudo apt-get install xserver-xorg-input-vmmouse
This completely solved the problem and everything now works as expected. I also found that some people were able to fix this by adding the following to their xorg.conf:

Section "InputDevice"
Identifier "VMware Mouse"
Driver "vmmouse"
Option "CorePointer"
Option "AlwaysCore"
EndSection

Saturday, April 25, 2009

A couple of articles on DIGital FORensics.

All my free time is now consumed by a 'little' Python development project. I will try to keep this blog up to date with anything really worth mentioning. Whilst I am busy coding and refreshing my rather rusty math skills, I still spend about three hours a week reading about digital forensics and information security (mostly on a bus or train). Last week I came across a couple of documents by Dr. Frederick B. Cohen, Ph.D. called "Fundamentals of Digital Forensic Evidence" and "A structure for addressing digital forensics". These documents are about the application of digital forensics within a legal context and I personally find them quite educational.

Saturday, April 18, 2009

Windows Event Logs


The procedure for working with Windows XP and Windows Server 2003 (.evt) event logs has been well documented. Here are a couple of links on fixing .evt logs manually or by using a free tool to make them readable via Windows Event Viewer. Harlan has also written Perl scripts that can parse evt logs without using the Windows API, so no header modification is needed.

Ensuring that forensic evidence in criminal cases is accurate and verifiable is only one side of forensic analysis. Making the evidence (forensic reports) presentable and easy to work with by all parties, including defence, judges and prosecution, is also essential. Making event logs readable and nicely formatted can sometimes be painful though. I found that the best tool to generate an Excel spreadsheet is EnCase's built-in EnScript (case processor), and X-Ways Forensics provides perhaps the quickest way to produce nice HTML reports. It also automatically includes some useful information such as this:

Warning: wrong fileheader data regarding size of file
Dirty flag: 1, Wrapped flag: 0, Full flag: 0, Primary flag: 1

To get the report in X-Ways Forensics, the evt file needs to be opened first; after that you can go to Tools -> View or just press SHIFT + F9. You can also generate an Excel spreadsheet by opening the HTML report in Internet Explorer and going to File -> Edit with Microsoft Office Excel.
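The "Dirty flag: 1" line and the header fix mentioned above come from the same 48-byte structure at the start of every .evt file. The script below is an added example (not X-Ways, EnCase or Harlan's code) that reads the ELF_LOGFILE_HEADER flags and shows what the manual header fix does: locate the EOF record by its 0x11111111..0x44444444 marker, copy its offsets and record numbers into the header and clear the dirty flag. The fourth flag bit is the archive flag in winnt.h; report labels such as "Primary flag" are the reporting tool's own naming and are not assumed here. The sample log is constructed inline, not a real Windows file.

```python
"""Reading and repairing the header of a Windows XP / Server 2003 .evt log.

Added example, not X-Ways, EnCase or Harlan Carvey's code. Layouts are the
48-byte ELF_LOGFILE_HEADER and 40-byte ELF_EOF_RECORD from winnt.h. The repair
mirrors the manual header fix: copy the EOF record's offsets and record numbers
into the header and clear the dirty flag, so Event Viewer will open the file.
"""
import struct

HEADER = struct.Struct("<12I")            # 48 bytes
EOF_RECORD = struct.Struct("<10I")        # 40 bytes
SIGNATURE = 0x654C664C                    # "LfLe"
EOF_MARKER = struct.pack("<5I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444)
FLAG_DIRTY, FLAG_WRAPPED, FLAG_FULL, FLAG_ARCHIVE = 0x1, 0x2, 0x4, 0x8


def parse_header(data):
    """Decode the fixed header; raises if the size fields or signature are wrong."""
    (size, sig, major, minor, start, end, current, oldest,
     max_size, flags, _retention, end_size) = HEADER.unpack_from(data, 0)
    if size != HEADER.size or end_size != HEADER.size or sig != SIGNATURE:
        raise ValueError("not an .evt log header")
    return {"version": (major, minor), "start_offset": start, "end_offset": end,
            "current_record": current, "oldest_record": oldest, "max_size": max_size,
            "dirty": bool(flags & FLAG_DIRTY), "wrapped": bool(flags & FLAG_WRAPPED),
            "full": bool(flags & FLAG_FULL), "archive": bool(flags & FLAG_ARCHIVE)}


def flag_summary(hdr):
    """One-line flag report in the style of the forensic tools' output."""
    return "Dirty flag: %d, Wrapped flag: %d, Full flag: %d, Archive flag: %d" % (
        hdr["dirty"], hdr["wrapped"], hdr["full"], hdr["archive"])


def find_eof_record(data):
    """Locate the EOF record by its marker; it carries the values the header should hold."""
    pos = data.find(EOF_MARKER, HEADER.size)
    if pos < 0:
        raise ValueError("EOF record not found")
    fields = EOF_RECORD.unpack_from(data, pos)
    return {"offset": pos, "start_offset": fields[5], "end_offset": fields[6],
            "current_record": fields[7], "oldest_record": fields[8]}


def repair_header(data):
    """Return a copy with the header synchronised to the EOF record and the dirty flag cleared."""
    eof = find_eof_record(data)
    hdr = bytearray(data[:HEADER.size])
    struct.pack_into("<4I", hdr, 16, eof["start_offset"], eof["end_offset"],
                     eof["current_record"], eof["oldest_record"])
    flags, = struct.unpack_from("<I", hdr, 36)
    struct.pack_into("<I", hdr, 36, flags & ~FLAG_DIRTY)
    return bytes(hdr) + data[HEADER.size:]


def build_sample_log():
    """Constructed log (not a real Windows file): stale dirty header, one record, EOF record."""
    header = HEADER.pack(48, SIGNATURE, 1, 1, 48, 48, 1, 0, 0x80000, FLAG_DIRTY, 0, 48)
    # Minimal 60-byte EVENTLOGRECORD: fixed part, no strings or data, trailing length.
    record = struct.pack("<I4sIIIIHHHHIIIIII", 60, b"LfLe", 1, 0x4A0B0C0D, 0x4A0B0C0D,
                         6005, 4, 0, 0, 0, 0, 56, 0, 0, 0, 56) + struct.pack("<I", 60)
    eof = EOF_RECORD.pack(0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                          48, 48 + len(record), 2, 1, 0x28)
    return header + record + eof


if __name__ == "__main__":
    log = build_sample_log()
    print("before:", flag_summary(parse_header(log)))
    print("after: ", flag_summary(parse_header(repair_header(log))))
```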



Also, when working with FTK and using its Forensic HTML Report generation feature, it is possible to bookmark and export XML files (MSN History etc.) that won't open in the browser. They may produce an error similar to "Cannot view XML input using XSL style sheet". That is usually sorted quite easily by adding the XSL style sheet file (.xsl) from the same folder where the original XML file was located.



Sunday, April 19, 2009

Lance Mueller posted a great article and his EnScript re: Windows Event Logs. Comments to his post are also worth reading.

Another interesting post re: Vista Event Logs by Rob Faber can be found here.