Thursday, December 24, 2009

Merry Christmas and Happy New Year!

"We make a living by what we get but we make a life by what we give."

Winston Churchill

Tuesday, November 24, 2009

Computer Forensic Jobs in Sydney.

One of the best organisations in Australia for advancing your career as a digital forensic investigator is now recruiting. The New South Wales Police Force State Electronic Evidence Branch (SEEB) has a few positions open for qualified candidates.

What you get is a secure government job; good training; a convenient location not far from Sydney Central Station; and exposure to a wide variety of criminal cases, which gives you 'law-enforcement experience', something extremely valuable in this industry.

Additionally, there are some great people over there with extensive hands-on experience to learn from.

I suggest checking the selection criteria first, as there are strict conditions placed on potential candidates in terms of qualifications, skills and, of course, criminal history.

Actually, there are two positions that are directly related to computer forensics: one forensic examiner and one R&D position. The third is a sysadmin position.

For those who are interested, here is a link to the advertised jobs.

Tuesday, November 10, 2009

Ubuntu 9.10 installation problems.

It appears that the new Ubuntu 9.10 has a bug that may interfere with the smooth installation process normally offered by this distribution. Some SATA drives are not recognised by the Ubuntu partitioning tool. These SATA drives are, however, visible via the fdisk -l command or in gparted.

The problem appears to be caused by dmraid, which provides support for BIOS/firmware 'software RAID' (fake RAID). If the normal LiveCD is used, booting from it and removing dmraid via Synaptic is the easiest way to deal with the problem; after removing dmraid, installation can proceed as normal. The alternate installation CD offers a "nodmraid" boot option, which can be accessed by pressing F6 at boot time.

Ubuntu 9.10 now uses the fourth extended file system (ext4) by default. Speaking of ext4, SMART-2009-11-08 is out; the new version provides "enhanced support for EXT4 file system".

Wednesday, October 28, 2009

(.pst) Documentation Specs are to be released by Microsoft

Finally, Microsoft has decided to release the PST file format specification, so no more reverse engineering for forensic people. Here is the link to the MSDN blog post.

The Cyberspeak podcast for Oct 25, 2009 is out; Ovie and Bret eventually found the time for it. I have been listening to Cyberspeak podcasts since day one and it remains my favourite "computer forensics, computer security, and computer crime podcast". Keep up the good work, boys.

Ubuntu 9.10 is due for release tomorrow (October 29th). The Canonical guys always come up with a quirky name for each release, such as Feisty Fawn, Gutsy Gibbon, Horny Hardon :-), and Ubuntu 9.10 is no different: it is called "Karmic Koala".

Friday, October 23, 2009

Staying Up to Date with Technology.

The only secret that you need to know
The passage of time is a one way flow
If you understand, joyously you’ll grow
Else you will drown in your own sorrow.

                                Omar Khayyam
Occasionally I find myself struggling to keep up with the rapid technological progress that we all witness today. Here is what I do to keep up with it, which can be summarised in three main principles:
  • Learn
  • Embrace
  • Adapt and change your habits

Learn

I use Google Reader and Google News quite extensively to stay abreast of technology. I also use my "Blogs I read" blog roll to keep an eye on my favourite forensic blogs. I find that podcasts, which I normally listen to on the go, are a great source of information and inspiration. Reading online publications, manuals and whitepapers has become my daily routine.

Since I now have an iPhone, I use iTunes to manage all my subscribed podcasts. Recently I discovered, and became a great fan of, Apple's "iTunes U", which is a part of the iTunes Store featuring FREE university lectures, audio books etc.
Books, books, books, of course. They can be expensive if you buy them yourself. I consider myself a very lucky person, because I can get books for free as a reviewer at Computing Reviews. Although the review deadlines are quite strict and put you on a tight schedule, this also encourages you to read/finish the book and take comprehensive notes, which can later be summarised and turned into a review. If you have a master's degree and experience in a computer-related discipline, you may be eligible too. As a reviewer you have additional benefits, such as free access to "over 19,000 reviews", being published in an Association for Computing Machinery journal, etc.

Joining groups of peers from the computer security/forensic industry for formal or informal gatherings can help you get a reality check on your current level of knowledge, seek out advice and guidance on technical issues and receive valuable feedback. If you are in Sydney, AU, send me an email and you may get invited to one of our monthly informal assemblies [subject to approval by all members]. Attending conferences and courses is beneficial, but in real life it is not always possible for practical reasons, so I won't go into this right now.

Embrace

I still believe that Windows XP is a great operating system and I use a Win XP 64-bit machine as my primary forensic workstation. However, I am writing this blog post on Windows 7 Professional, which has just come out. That doesn't mean I love it so much. I have started using it, and not just playing with it, early and in a non-production environment in order to learn the OS. Hopefully, when I get a job involving Win 7, I won't have too many surprises.

The iPhone is another example: you don't have to like the phone (which I actually do). You simply cannot learn everything by attending an iPhone forensics course if you have never seen or used an iPhone before. I didn't know, for example, that when an iPhone is plugged into a computer to transfer music etc., a backup copy of the iPhone is automatically created on that computer. This backup contains a wealth of information such as photos, notes, email account settings, contacts, calendars, call history, SMS messages, bookmarks, browser history and currently open pages. iPhone backup files are a separate topic, though.

My point is: get yourself out of your technological comfort zone and don't be afraid to dump your favourite web browser, at least for some time, and use something new. There is a good chance that you will come across this new browser again during a forensic investigation.

Adapt

Use Google Docs or other collaboration tools for your (non-sensitive) work, take notes with electronic mind maps, set up Google Calendar and get free SMS reminders for upcoming events. Learn how these tools work and become more productive. It definitely helps me to be more productive and to better understand the technology and trends.

Monday, September 21, 2009

Taking a break from blogging!

This month I got myself an iPhone and I spend all my free time playing with all the cool things instead of blogging. I am planning to resume my 'normal' activities next month.

On a more serious note, I am currently busy with some studies and also reviewing a book for Computing Reviews, which takes up all my time outside work. And yes, I did get the iPhone 3GS 16GB. I have to say that I love and hate it at the same time.

Friday, August 28, 2009

Mounting Parallels HDD and HDS files

During the examination of a Mac laptop, I located a file with a name similar to winxp.hdd.0.{5fbfaae3-6747-49ff-82a7-750e329bcb51}.hds. Further digging revealed that Parallels Workstation had been installed and used on this computer and that the virtual machines had later been deleted. I found a good link that explains how to deal with .hds files. I then searched for .pvs files and DiskDescriptor.xml and was lucky to find a couple of DiskDescriptor.xml files. One of these files contained the GUID 5fbfaae3-6747-49ff-82a7-750e329bcb51 and stated that the virtual disk was compressed. The rest was easy. I renamed winxp.hdd.0.{5fbfaae3-6747-49ff-82a7-750e329bcb51}.hds to winxp.hdd, went to Start -> All Programs -> Parallels and fired up Parallels Image Tool, which is installed by default together with Parallels Workstation. With this tool I converted winxp.hdd to a plain hard disk image, which took only a few minutes.

I then used my favourite free tool, ImDisk, to mount the converted hard disk image. The default settings worked fine and ImDisk was able to mount the 'converted.hdd' file in read-only mode.

Edit: The new version of Parallels Image Tool uses a slightly different GUI. Converting to the plain format is now done via the "Manage disk properties" option. Voltaire's "The perfect is the enemy of the good" (Dictionnaire Philosophique, 1764) is quite relevant here, because the latest version may not always successfully convert "old" HDS files, so do not throw away/uninstall your old version of Parallels just yet.
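As an added illustration (not part of the original post and not Parallels' own tooling), the matching step above can be scripted: parse every DiskDescriptor.xml found, pull the GUID out of each orphaned .hds name, and report which descriptor claims it, whether the extent is compressed, and what to rename it to before handing it to Parallels Image Tool. The element names used here (Disk_Parameters/Disk_size and StorageData/Storage/Image with GUID, Type and File children) are an assumption about the descriptor layout, and the sample descriptor is constructed rather than taken from the examined machine.

```python
import re
import xml.etree.ElementTree as ET

# Orphaned Parallels extent files are named <image>.hdd.<n>.{GUID}.hds
HDS_NAME_RE = re.compile(
    r"^(?P<base>.+\.hdd)\.(?P<index>\d+)\.\{(?P<guid>[0-9a-fA-F-]{36})\}\.hds$")


def parse_disk_descriptor(xml_text):
    """Return (disk_size_in_sectors, {guid: extent_info}) from a DiskDescriptor.xml.
    Element names (Disk_Parameters/Disk_size, StorageData/Storage/Image with GUID,
    Type and File children) are the layout assumed in the lead-in."""
    root = ET.fromstring(xml_text)
    disk_sectors = int(root.findtext("Disk_Parameters/Disk_size", "0"))
    images = {}
    for storage in root.iter("Storage"):
        for image in storage.findall("Image"):
            guid = (image.findtext("GUID") or "").strip("{} ").lower()
            images[guid] = {
                "file": image.findtext("File"),
                "type": (image.findtext("Type") or "").strip(),
                "start_sector": int(storage.findtext("Start", "0")),
                "end_sector": int(storage.findtext("End", "0")),
            }
    return disk_sectors, images


def match_hds_files(hds_names, descriptors):
    """Tie each .hds file name to the descriptor that claims its GUID.
    descriptors: iterable of (descriptor_path, xml_text). The report says whether
    the extent is orphaned or described, compressed or plain, and gives the
    '.hdd' base name to rename it to before conversion."""
    parsed = [(path, parse_disk_descriptor(text)) for path, text in descriptors]
    report = {}
    for name in hds_names:
        m = HDS_NAME_RE.match(name)
        if not m:
            report[name] = {"status": "not a Parallels extent name"}
            continue
        guid = m.group("guid").lower()
        entry = {"status": "orphan", "guid": guid, "rename_to": m.group("base")}
        for path, (disk_sectors, images) in parsed:
            if guid in images:
                img = images[guid]
                entry.update(status="described", descriptor=path, type=img["type"],
                             compressed=img["type"].lower() == "compressed",
                             disk_bytes=disk_sectors * 512)
                break
        report[name] = entry
    return report


# Constructed sample descriptor (not from the examined machine): the first GUID is
# the one quoted in the post, the second is made up.
SAMPLE_DESCRIPTOR = """<Parallels_disk_image Version="1.0">
  <Disk_Parameters>
    <Disk_size>20971520</Disk_size>
    <Cylinders>1305</Cylinders><Heads>255</Heads><Sectors>63</Sectors>
  </Disk_Parameters>
  <StorageData>
    <Storage>
      <Start>0</Start><End>20971520</End><Blocksize>2048</Blocksize>
      <Image>
        <GUID>{5fbfaae3-6747-49ff-82a7-750e329bcb51}</GUID>
        <Type>Compressed</Type>
        <File>winxp.hdd.0.{5fbfaae3-6747-49ff-82a7-750e329bcb51}.hds</File>
      </Image>
    </Storage>
  </StorageData>
</Parallels_disk_image>
"""
SAMPLE_HDS = [
    "winxp.hdd.0.{5fbfaae3-6747-49ff-82a7-750e329bcb51}.hds",
    "linux.hdd.0.{0a1b2c3d-1111-2222-3333-444455556666}.hds",
]

if __name__ == "__main__":
    report = match_hds_files(SAMPLE_HDS, [("DiskDescriptor.xml", SAMPLE_DESCRIPTOR)])
    for name, info in report.items():
        print(name, info)
```

On a real case, feed it the .hds names carved from the file system and the text of every DiskDescriptor.xml recovered; an extent reported as "orphan" has no surviving descriptor and will need the GUID searched for in unallocated space or .pvs files.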

Saturday, August 15, 2009

Quick notes

VirtualBox dynamic disks (VDI).

Analysing VirtualBox VDI files can sometimes be tricky. It is not a problem when the VDI file has header type 2, which means that you are dealing with a fixed disk. Searching for partitions with forensic tools such as EnCase or my all-time favourite, X-Ways Forensics, makes the examination no different from examining ordinary dd or E01 files. MakeSparseVDI, which comes with VirtualBox, can parse the information in the VDI header and partition table. This information can be used to mount fixed VDI files with ImDisk, normally by pointing it to the partition start, which is usually located at offset 73728.

Old versions of VirtualBox used to include a nice utility called vditool that could carve out the raw disk image. There is a good write-up on the 'Forensic Incident Response' blog about VirtualBox analysis. There have been several updates since that time; vditool is no longer present and has been replaced with VBoxManage. The latter can convert raw images to VDI but not the other way around. (As it turned out, this is not the case; see below for details. The VirtualBox help doesn't have this information, but this site is more useful.)

Dynamic disks have the value 1 at offset 76 (decimal) and they are not so easy to work with. Unlike flat volume images (fixed disks), dynamic disks cannot be mounted with the above-mentioned tools. The only tool/method that worked for me was WinMount. It mounted VirtualBox dynamic disks with no problems. The tool has a read-only option, which is enabled by default in WinMount V3.2. It is also capable of mounting VHD (Virtual Hard Disk) and VMDK (VMware) images, comes with a 30-day trial period and costs $61.24 AUD.

Evgueni Tchijevski posted an easier way to deal with VDI disks: vboxmanage internalcommands converttoraw source destination. It works great, thanks Evgueni.
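Added example, not from the post and not VirtualBox's own code: a parser for the VDI 1.1 header (image type at offset 76 as described above), a converttoraw equivalent that walks the block map, and an MBR reader that yields the partition offset to hand to ImDisk. The header offsets (signature at 0x40, image type at 0x4C, block-map and data offsets at 0x154, sizes from 0x170) and the two block-map sentinels are assumptions about the VDI 1.1 layout; the sample image is constructed in code and is not a real VirtualBox file.

```python
import struct

VDI_SIGNATURE = 0xBEDA107F
VDI_DYNAMIC, VDI_FIXED = 1, 2
BLOCK_UNALLOCATED = 0xFFFFFFFF   # never written: reads as zeros
BLOCK_ZERO = 0xFFFFFFFE          # explicitly zero: reads as zeros


def parse_vdi_header(buf):
    """Decode the VDI 1.1 header fields needed for carving or conversion."""
    sig, version = struct.unpack_from("<II", buf, 0x40)
    if sig != VDI_SIGNATURE:
        raise ValueError("bad VDI signature 0x%08X" % sig)
    if version != 0x00010001:
        raise ValueError("unsupported VDI header version 0x%08X" % version)
    image_type = struct.unpack_from("<I", buf, 0x4C)[0]
    offset_blocks, offset_data = struct.unpack_from("<II", buf, 0x154)
    disk_size, block_size, block_extra, blocks_total, blocks_alloc = \
        struct.unpack_from("<QIIII", buf, 0x170)
    return {"image_type": {VDI_DYNAMIC: "dynamic", VDI_FIXED: "fixed"}.get(image_type, "other"),
            "offset_blocks": offset_blocks, "offset_data": offset_data,
            "disk_size": disk_size, "block_size": block_size, "block_extra": block_extra,
            "blocks_total": blocks_total, "blocks_alloc": blocks_alloc}


def vdi_to_raw(vdi):
    """Flatten a fixed or dynamic VDI into a raw (dd-style) image, the job that
    'VBoxManage internalcommands converttoraw' does. The block map says where each
    logical block lives in the file; unallocated and zero blocks come out as zeros."""
    h = parse_vdi_header(vdi)
    bmap = struct.unpack_from("<%dI" % h["blocks_total"], vdi, h["offset_blocks"])
    stride = h["block_size"] + h["block_extra"]          # block_extra is normally 0
    out = bytearray(h["disk_size"])
    for logical, physical in enumerate(bmap):
        if physical in (BLOCK_UNALLOCATED, BLOCK_ZERO):
            continue
        src = h["offset_data"] + physical * stride + h["block_extra"]
        dst = logical * h["block_size"]
        chunk = vdi[src:src + h["block_size"]]
        out[dst:dst + len(chunk)] = chunk
    return bytes(out)


def mbr_partition_offsets(raw):
    """(type, byte offset) for each used MBR primary partition of a raw image;
    the offset is what a mounting tool such as ImDisk needs."""
    if raw[510:512] != b"\x55\xAA":
        return []
    found = []
    for i in range(4):
        entry = raw[446 + 16 * i:446 + 16 * (i + 1)]
        ptype, lba_start = entry[4], struct.unpack_from("<I", entry, 8)[0]
        if ptype and lba_start:
            found.append((ptype, lba_start * 512))
    return found


def make_sample_vdi(block_size=1024):
    """Constructed 4-block dynamic VDI (not a real VirtualBox file): logical block 0
    holds an MBR and sits second in the file, block 3 sits first, block 1 was
    never written and block 2 is marked zero."""
    disk_size = 4 * block_size
    hdr = bytearray(512)
    text = b"<<< Sun VirtualBox Disk Image >>>\n"
    hdr[:len(text)] = text
    struct.pack_into("<II", hdr, 0x40, VDI_SIGNATURE, 0x00010001)
    struct.pack_into("<I", hdr, 0x48, 0x190)            # header size
    struct.pack_into("<I", hdr, 0x4C, VDI_DYNAMIC)
    offset_blocks, offset_data = 512, 1024
    struct.pack_into("<II", hdr, 0x154, offset_blocks, offset_data)
    struct.pack_into("<QIIII", hdr, 0x170, disk_size, block_size, 0, 4, 2)
    bmap = struct.pack("<4I", 1, BLOCK_UNALLOCATED, BLOCK_ZERO, 0)
    phys0 = bytes([0xAA]) * block_size                   # logical block 3
    phys1 = bytearray(block_size)                        # logical block 0: an MBR
    phys1[446 + 4] = 0x07                                # NTFS partition type
    struct.pack_into("<I", phys1, 446 + 8, 63)           # starting at LBA 63
    phys1[510:512] = b"\x55\xAA"
    padding = bytes(offset_data - offset_blocks - len(bmap))
    return bytes(hdr) + bmap + padding + phys0 + bytes(phys1)


if __name__ == "__main__":
    sample = make_sample_vdi()
    print(parse_vdi_header(sample))
    print(mbr_partition_offsets(vdi_to_raw(sample)))
```

For a fixed image the in-file offset to give ImDisk is offset_data plus the partition's byte offset from mbr_partition_offsets (the 73728 quoted above is such a sum for one particular disk); for a dynamic image, flatten it with vdi_to_raw first and mount the raw file.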

Acquiring RAM on the latest Ubuntu or Fedora has become a little bit problematic.

/dev/mem is now protected by default: "The CONFIG_STRICT_DEVMEM kernel option was introduced to block non-device memory access."

/dev/kmem is disabled by setting CONFIG_DEVKMEM to 'n'.
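Added example (not from the post): before relying on dd against /dev/mem or /dev/kmem on a target, read the running kernel's configuration and check the two options above. The reading of /proc/config.gz or /boot/config-<release> is standard; the config excerpt below is constructed in the style of a distribution kernel and is not a real file.

```python
import gzip
import os
import re

CONFIG_LINE = re.compile(r"^(?:(CONFIG_\w+)=(\S+)|# (CONFIG_\w+) is not set)$")


def parse_kernel_config(text):
    """Map CONFIG_* names to their value ('y', 'm', a string) or 'n' for '# ... is not set'."""
    options = {}
    for line in text.splitlines():
        m = CONFIG_LINE.match(line.strip())
        if m is None:
            continue
        if m.group(1):
            options[m.group(1)] = m.group(2).strip('"')
        else:
            options[m.group(3)] = "n"
    return options


def devmem_acquisition_status(options):
    """What the two classic memory devices will give a dd-style acquisition."""
    strict = options.get("CONFIG_STRICT_DEVMEM", "n") == "y"
    kmem = options.get("CONFIG_DEVKMEM", "n") == "y"
    if strict and not kmem:
        verdict = "neither /dev/mem nor /dev/kmem exposes all of RAM; use FireWire or a kernel-level method"
    elif strict:
        verdict = "/dev/mem is restricted but /dev/kmem is present"
    else:
        verdict = "dd from /dev/mem should still reach physical RAM"
    return {"dev_mem_full_ram": not strict, "dev_kmem_present": kmem, "verdict": verdict}


def load_running_kernel_config():
    """Read /proc/config.gz or /boot/config-<release>; returns None if neither exists."""
    release = os.uname().release
    for path in ("/proc/config.gz", "/boot/config-" + release):
        if os.path.exists(path):
            opener = gzip.open if path.endswith(".gz") else open
            with opener(path, "rt") as fh:
                return parse_kernel_config(fh.read())
    return None


# Constructed excerpt in the style of a 2009 distribution kernel config (not a real file).
SAMPLE_CONFIG = """\
CONFIG_STRICT_DEVMEM=y
# CONFIG_DEVKMEM is not set
CONFIG_LOCALVERSION=""
CONFIG_FIREWIRE=m
"""

if __name__ == "__main__":
    cfg = load_running_kernel_config() or parse_kernel_config(SAMPLE_CONFIG)
    print(devmem_acquisition_status(cfg))
```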

The FireWire option for RAM acquisition now looks really attractive. There are two topics, however, that I am not prepared to discuss on this blog, and these are FireWire RAM acquisition and encryption.

My favourite quotes about digital forensics and security, by Richard Drinkwater and Richard Bejtlich.

Richard Drinkwater

"I don't validate my tools - I validate my results."

Richard Bejtlich

"The digital security field is incredibly complicated and anyone who claims to be a master of the entire field is a fool. In fact, mastery of any single subject might require such narrow focus as to be of little relevance to the remainder of the field. Those who are most successful have carved some niche out of the security landscape, but still understand the rest of the arena."


Both hit the nail on the head!

Tuesday, August 4, 2009

Digital Contamination

Using your mobile on a plane may not be an issue in the near future, as more airlines allow their passengers to make and receive calls during flights. However, the opposite might be true when it comes to having your mobile phone switched on during search warrants or incident response.

Almost all the latest mobile phone models now come with Wi-Fi and/or Bluetooth capabilities. These phones are often carried by incident responders and digital forensic specialists who attend search warrants or crime scenes. Given that it is almost impossible to find a laptop or desktop computer used by a suspect without some kind of wireless network device built in or connected to it, the potential for accidental digital contamination should not be underestimated. Your Wi-Fi or Bluetooth enabled phone could be detected by the suspect's laptop, and later you may find your mobile device's network name (or, even worse, your own name) logged on the suspect's machine.

Furthermore, Google Sync, SyncJe, The Missing Sync and many other mobile phone applications are capable of wirelessly synchronising iPhone, BlackBerry, Windows Mobile and some Nokia and Ericsson phones with a base computer. The items that normally get synchronised are contacts, calendars, email account settings, web page bookmarks, notes, music and photos. Theoretically, depending on the configured preferences, these items may get automatically synced between your mobile device and the suspect's computer "if care is not taken to ensure that the investigator's devices have had their wireless functions disabled prior to approaching a suspect's device..." [Angus M. Marshall]

I am just wondering how many organisations/practitioners have implemented safeguards/policies that deal with this issue. I am adding a poll to my blog that will run for a couple of weeks, so please take your time to answer the question.

Does your organisation have a policy mandating wireless devices off during forensic examination?

Saturday, July 4, 2009

Vista Timestamps

Timestamps can certainly be tricky because of the many factors that can affect their accuracy. This fact, however, doesn't automatically mean that file timestamps cannot be relied upon as evidence. It usually means that more work needs to be done by the forensic examiner to:
  • Correlate events from different sources.
  • Identify the factors leading to the timestamps changes.

Correlating events from different sources.

Some time ago I came across an article about a 'selective enhancement' method used to reconstruct a digital photograph from digital video footage. The method takes advantage of the fact that different frames are slightly different because the object moved or the light source changed. These differences are collected and then used to reconstruct the image. Going back to digital forensics, correlating events involves identifying alternative sources of evidence. Taken out of context, such evidence may be viewed as an irrelevant or insignificant detail in the presence of weightier findings. Nevertheless, this kind of evidence may become crucial in the reconstruction of events and is too important an area to neglect.

Identify the factors leading to the timestamps changes.

There are many factors that can affect timestamps, including but not limited to various scanning or indexing applications, changes to the system clock, clock skew, and the use of anti-forensic tools. Unless the application responsible for altering timestamps has been resident in memory for a long time, such applications are identifiable based on their execution time.

Knowledge and experience play a critical role in verifying the accuracy of timestamps. There are many publications available on the Internet that discuss timestamps, and Vista timestamps in particular. You can find links to these publications in my old post. Yet there are several recent 'white papers' on the Internet that just can't get Vista timestamps right. On Vista, last-access updates are disabled by default via the following registry value:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  • Value Name: NtfsDisableLastAccessUpdate
  • Data Type: REG_DWORD (DWORD Value)
  • Value Data: 1 disables Last Access timestamp updates (the Vista default); 0 enables them.
This doesn't mean that the 'Accessed Time' is never updated at all. By simply experimenting with a text file on your desktop (if you have Vista, of course), you will quickly determine that the 'Accessed Time' value doesn't change when the file is accessed and, in most circumstances, modifying the file also leaves it unchanged. It will only change when you copy the file or move it to another volume.

Compound files such as MS Office .doc or .docx files, and possibly certain other file types such as .jpeg, may also change 'Accessed Time' when they are modified.
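An added example that is not part of the original post: a small probe that runs the desktop experiment described above on whatever volume it is pointed at. It reads NtfsDisableLastAccessUpdate on Windows (via winreg, reported as None elsewhere), then creates a file, reads it, appends to it and reports which steps moved st_atime. The outcome depends on the OS, the mount options and the registry value, which is exactly what the probe is for.

```python
import os
import sys
import tempfile
import time


def read_ntfs_last_access_setting():
    """Windows only: NtfsDisableLastAccessUpdate (1 = updates disabled, the Vista
    default; 0 = enabled). Returns None elsewhere or if the value is absent."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SYSTEM\CurrentControlSet\Control\FileSystem") as key:
            value, _ = winreg.QueryValueEx(key, "NtfsDisableLastAccessUpdate")
        return int(value)
    except OSError:
        return None


def probe_last_access(directory=None, settle=1.2):
    """Create a file, read it, append to it, and report which steps moved the
    access time. settle > 1 s keeps the readings clear of coarse timestamp
    granularity on some file systems."""
    fd, path = tempfile.mkstemp(prefix="atime-probe-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"probe\n")
        initial = os.stat(path).st_atime
        time.sleep(settle)
        with open(path, "rb") as fh:
            fh.read()
        after_read = os.stat(path).st_atime
        time.sleep(settle)
        with open(path, "ab") as fh:
            fh.write(b"more\n")
        after_modify = os.stat(path).st_atime
    finally:
        os.unlink(path)
    return {
        "NtfsDisableLastAccessUpdate": read_ntfs_last_access_setting(),
        "access_time_updated_by_read": after_read > initial,
        "access_time_updated_by_modify": after_modify > after_read,
        "samples": (initial, after_read, after_modify),
    }


if __name__ == "__main__":
    for key, value in probe_last_access().items():
        print("%-32s %s" % (key, value))
```

Run it with directory pointed at the volume under test (a USB stick, a network share, the system drive); on a default Vista install both "updated" flags come back False with the registry value 1, while a Linux box mounted with relatime typically reports the read as updating the access time once.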

Friday, June 19, 2009

More thoughts on Visualisation

[Image: The Brain, an iMindMap. Image by charmainezoe via Flickr]
Information visualisation is a rapidly growing research field and I see more and more people becoming interested in using visualisation techniques in digital forensics. There has been a series of discussions about "visualisation" on computer forensic forums and digital forensics blogs. Last week I attended the Australian High Tech Crime Centre (AHTCC) conference in Sydney, where I met a couple of researchers who were also interested in doing research in this area.

Visualisation is a process or technique that graphically represents collected data to enable a better understanding of its significance. I have been using visualisation techniques since the late 1990s, after I discovered the Mind Mapping technique, which originated with Tony Buzan. Since then, I have successfully used visualisation for learning and in various presentations.

There appear to be many attempts to enhance digital forensic techniques by adding visualisation to them. This is a welcome move considering the problems faced by forensic examiners in processing ever-increasing quantities of digital evidence. These attempts, however, are mostly focused on automating the entire process, which in my view leads only to a dead end. I believe that visualisation techniques, at least in digital forensics, must be separated into two distinct areas, 'analysis' and 'presentation'. They are two different paths to two different goals.


The analysis side of visualisation involves processing digital data to produce data suitable for further analysis: pattern discovery, pattern analysis, detection of anomalies etc. In my opinion this is the most challenging area of visualisation. This is the knowledge discovery stage, which employs data reduction and data interpretation techniques and can only be performed by a qualified and experienced forensic examiner. Once such data processing has been successfully carried out, a visual representation of the digital evidence enables a forensic examiner to see trends or relationships between various sets of data.


The presentation side of visualisation is simply a technique for making the facts visible and easily understood by the target audience. The significant relationships discovered during the analysis stage need to be emphasised with vivid colours, charts, "3D" representations or mind maps. This PowerPoint presentation by the Department of Image Processing and Neurocomputing of the University of Pannonia is a good start.

Wednesday, June 10, 2009

Sparsing - New technology set to revolutionise digital forensics.

[Image: A sparse file: The empty bytes don't need to b... (via Wikipedia)]
Periodically, forensic examiners have to acquire large amounts of data and often face a dilemma: whether to compress it or not.

Using compression usually means a performance trade-off.

In circumstances where both time and available storage are limited, X-Ways Forensics can be an invaluable tool. It is capable of creating compressed .e01 evidence files using 'adaptive compression'. Unfortunately, compression negatively affects the forensic examination at a later stage, because compressed disk images must be decompressed before they can be used by forensic tools such as EnCase or FTK.

Raw (dd) images are commonly used because they work with practically every forensic tool. On the other hand, raw images are not compressed, and one may end up with a very large dd image even if the drive contained very little actual data.

Smart Acquisition Workshop, or simply SAW, is a "data acquisition and case management framework" from ASR Data. It uses 'sparsing' to deal with the large drives most commonly found on mid-range to high-end server systems. The vast majority of these drives are only 50% to 80% full and the rest of the storage contains no data (all zeros). When SAW is used, only non-zero data is collected, and locations on the drive that contain no meaningful data (all zeros) are only referenced. This method offers significant reductions in the size of forensic images and also avoids the need to decompress the data during the analysis stage. Hashing is used during acquisition of the evidence to ensure the integrity of the data. SAW forensic images can then be mounted with Smart Mount (available for Win32, Linux and Mac platforms) and analysed with a forensic tool of choice. SAW can also convert an acquired 'sparsed' image to a raw image while preserving the integrity of the data.

During a recent demonstration, a 2 TB sample forensic image stored on a portable 200 GB USB drive was mounted on an ordinary Eee PC without a problem.

Sparsing is not an entirely new concept; NTFS, for example, provides full sparse file support. "With the sparse file attribute set, the file system can deallocate data from anywhere in the file and, when an application calls, yield the zero data by range instead of storing and returning the actual data." Knozall Software, Inc.

What is really new is that this technology has been successfully applied to digital forensics, with its strict data integrity requirements. SAW provides several other functions, including converting other forensic images to sparse images and creating VMware .vmdk files directly from these images.
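Added example, not ASR Data's code and not from the post: a minimal 'sparsing' round trip that shows the three properties the SAW description rests on. The image is chunked and only non-zero chunks are kept with their offsets; the logical image (gaps included) is hashed at acquisition time; and the reconstruction is written back as an operating-system sparse file, so a mostly empty drive stays small on disk, then re-hashed. The 64 KiB sample drive is constructed in code.

```python
import hashlib
import os
import tempfile


def sparse_pack(raw, chunk_size=4096):
    """Keep only the non-zero chunks of a raw image. Returns (size, sha256, extents),
    extents being (offset, bytes) pairs; all-zero chunks exist only as the gaps
    between them, which is the idea behind 'sparsing'."""
    extents, digest = [], hashlib.sha256()
    for off in range(0, len(raw), chunk_size):
        chunk = raw[off:off + chunk_size]
        digest.update(chunk)                    # hash the logical image, gaps included
        if chunk.count(0) != len(chunk):        # at least one non-zero byte: keep it
            extents.append((off, chunk))
    return len(raw), digest.hexdigest(), extents


def sparse_unpack(size, extents):
    """Rebuild the full raw image in memory from the packed extents."""
    out = bytearray(size)
    for off, chunk in extents:
        out[off:off + len(chunk)] = chunk
    return bytes(out)


def write_sparse_raw(path, size, extents):
    """Write the packed image as a file of the full logical size. Seeking over the
    gaps lets NTFS, ext4 and friends leave holes instead of storing zeros, so a
    'dd' image of a mostly empty drive can live on a much smaller disk."""
    with open(path, "wb") as fh:
        for off, chunk in extents:
            fh.seek(off)
            fh.write(chunk)
        fh.truncate(size)
    return os.path.getsize(path)


def verify(path, expected_sha256, block=1 << 20):
    """Hash the reconstructed file and compare with the acquisition-time hash."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for data in iter(lambda: fh.read(block), b""):
            digest.update(data)
    return digest.hexdigest() == expected_sha256


def make_sample_image(chunk_size=4096):
    """Constructed 64 KiB 'drive': a boot-sector-like first chunk, 8 KiB of data in
    the middle, zeros everywhere else (the 50-80 % empty case discussed above)."""
    img = bytearray(16 * chunk_size)
    img[0:11] = b"\xEB\x52\x90NTFS    "
    img[510:512] = b"\x55\xAA"
    img[5 * chunk_size:7 * chunk_size] = bytes(range(256)) * (2 * chunk_size // 256)
    return bytes(img)


def demo_roundtrip(directory=None):
    """Pack the sample, write it back sparsely into a temp dir, verify the hash.
    Returns (bytes_kept, logical_size, hash_verified)."""
    img = make_sample_image()
    size, digest, extents = sparse_pack(img)
    kept = sum(len(chunk) for _, chunk in extents)
    with tempfile.TemporaryDirectory(dir=directory) as tmp:
        path = os.path.join(tmp, "rebuilt.dd")
        ok = write_sparse_raw(path, size, extents) == size and verify(path, digest)
    return kept, size, ok


if __name__ == "__main__":
    print("kept %d of %d bytes, hash verified: %s" % demo_roundtrip())
```

The hash taken in sparse_pack is over the logical image, which is why the rebuilt raw file verifies even though only a quarter of the bytes were ever stored; a real acquisition tool would additionally record the chunk size and the extent list alongside the hash.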

Thursday, May 21, 2009

FTK Imager can acquire RAM

FTK Imager 2.6.0 has new functionality: finally, it can capture RAM. There is no portable version as yet, so I can't see much use for it at this stage, unless it can be used with F-Response? I found FTK Imager to be much slower than my favourite X-Ways Forensics tool. Additionally, I was unable to acquire RAM with the new FTK Imager on a Win 2003 Server with 8GB of RAM; the acquisition just stopped at 48%. I should mention that the new version of this popular imaging tool has a few bug fixes and 'improvements', listed here.

Speaking of RAM, VMware vSphere 4 supports a few TB of memory on the host server and up to 256GB of memory for a guest. That's a lot of RAM, and perhaps this is the future of any forensic lab. Whilst the cloud is often viewed as a "cost saving" that comes with a loss of control over the computing infrastructure and various information security issues, the future may lie in private clouds. These private clouds are capable of delivering flexible computer networks that can scale up when and where it is needed most.

Saturday, May 2, 2009

Parsing setupapi.log

I mentioned setupapi.log files in one of my posts a few months ago. Since then, a couple of good tools have been released that make my life easier when working with setupapi.log files.

One such tool is called SetupAPI Extractor, or SAEX. It is still in beta and is currently free. The tool only works with Win XP setupapi.log files; there is no support for Vista's files yet. The best thing about this tool is its ability to parse the log files and extract only the information you need.

Another tool I often use to work with various log files, including setupapi.log, is Mandiant Highlighter. It was previously mentioned on Cyberspeak and is free to download. It works with ANY text file and allows users to highlight relevant keywords or remove unrelated lines. In the case of setupapi.log files, setup event IDs like #-199 or #140, or placeholders such as Device_Description, Manufacturer_Name or Hardware_ID, can be either displayed or removed, making the information contained in setupapi logs more manageable.
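Added example (not SAEX, not Highlighter, not from the post): a parser that collapses each XP setupapi.log "Driver Install" section into one record (timestamp, hardware IDs, matched INF, device description, provider, device instance), a keyword filter for the device class you care about, and a Highlighter-style line dropper keyed on the #-nnn/#Innn event IDs. The section-header and message formats are assumptions about the XP log style; the sample log is constructed, not copied from a real machine.

```python
import re
from collections import namedtuple

# A Windows XP setupapi.log is a series of sections, each opened by a line such as
# "[2009/04/30 09:12:45 1044.12 Driver Install]" and followed by "#<id>" event lines.
SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\d+\.\d+) (.+)\]$")
HWID_RE = re.compile(r"^#-019 Searching for hardware ID\(s\): (.+)$")
FOUND_RE = re.compile(r'^#I022 Found "([^"]+)" in ([^;]+); Device: "([^"]*)"; '
                      r'Driver: "([^"]*)"; Provider: "([^"]*)"; Mfg: "([^"]*)"')
DONE_RE = re.compile(r'^#I121 Device install of "([^"]+)" finished successfully\.$')

Install = namedtuple("Install",
                     "timestamp pid_tid kind hardware_ids inf device provider mfg instance_id")


def parse_setupapi_log(text):
    """Collapse each [... Driver Install] section into one Install record."""
    installs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if cur:
                installs.append(Install(**cur))
            cur = dict(timestamp=m.group(1), pid_tid=m.group(2), kind=m.group(3),
                       hardware_ids=(), inf=None, device=None, provider=None,
                       mfg=None, instance_id=None)
            continue
        if cur is None:
            continue
        m = HWID_RE.match(line)
        if m:
            cur["hardware_ids"] = tuple(h.strip() for h in m.group(1).split(","))
            continue
        m = FOUND_RE.match(line)
        if m:
            cur.update(inf=m.group(2).strip(), device=m.group(3),
                       provider=m.group(5), mfg=m.group(6))
            continue
        m = DONE_RE.match(line)
        if m:
            cur["instance_id"] = m.group(1)
    if cur:
        installs.append(Install(**cur))
    return installs


def filter_installs(installs, keyword):
    """Keep installs whose hardware IDs or device instance mention the keyword
    (e.g. 'usbstor' for removable storage)."""
    kw = keyword.lower()
    return [i for i in installs
            if any(kw in h.lower() for h in i.hardware_ids)
            or kw in (i.instance_id or "").lower()]


def strip_event_ids(text, drop_ids):
    """Highlighter-style noise removal: drop lines whose event id (#-199, #I022, ...) is listed."""
    return "\n".join(l for l in text.splitlines()
                     if not (l.startswith("#") and l.split(" ", 1)[0] in drop_ids))


# Constructed sample in the XP log style (not copied from a real machine).
SAMPLE_LOG = r"""[2009/04/30 09:12:45 1044.12 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disksandisk_cruzer_8.02,usbstor\disksandisk_cruzer,usbstor\disksandisk,usbstor\gendisk,gendisk
#-018 Searching for compatible ID(s): usbstor\disk,usbstor\raw
#-199 Executing "C:\WINDOWS\system32\rundll32.exe" with command line: rundll32.exe newdev.dll,ClientSideInstall \\.\pipe\PNP_Device_Install_Pipe_0.{e4a5f8c1-0000-4000-8000-000000000001}
#I022 Found "USBSTOR\DISK" in C:\WINDOWS\inf\disk.inf; Device: "Disk drive"; Driver: "Disk drive"; Provider: "Microsoft"; Mfg: "(Standard disk drives)"; Section name: "disk_install".
#I121 Device install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER&REV_8.02\0123456789ABCDEF&0" finished successfully.
[2009/04/30 09:30:02 1044.14 Driver Install]
#-019 Searching for hardware ID(s): pci\ven_8086&dev_24d3&subsys_00000000&rev_02,pci\ven_8086&dev_24d3
#I121 Device install of "PCI\VEN_8086&DEV_24D3&SUBSYS_00000000&REV_02\3&13C0B0C5&0&FB" finished successfully.
"""

if __name__ == "__main__":
    for inst in filter_installs(parse_setupapi_log(SAMPLE_LOG), "usbstor"):
        print(inst.timestamp, inst.device, inst.instance_id)
```

The instance ID of a USB mass storage device carries its serial number (the part after the last backslash), which is what you correlate with the USBSTOR registry key and with the first-insertion time of the section header.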

Thursday, April 30, 2009

Ubuntu 9.04 guest in vmware - sluggish mouse.

I have just installed Ubuntu 9.04 at work and I am enjoying my 'dual screen via KVM switch' panoramic view :-) which was not possible before due to driver limitations.

I also tried to install Ubuntu 9.04 in VMware, and the mouse was rather sluggish. Installing vmware-tools didn't help. Next, in SYSTEM > PREFERENCES > STARTUP APPLICATIONS, on the startup programs tab, I added an entry named vmware-tools with the command /usr/bin/vmware-user & . This did not fix the problem either.

The best option to solve this was to install the xserver-xorg-input-vmmouse driver by running the following command:
sudo apt-get install xserver-xorg-input-vmmouse
This completely solved the problem and everything now works as expected. I also found that some people were able to fix this by adding the following to their xorg.conf:

Section "InputDevice"
    Identifier "VMware Mouse"
    Driver "vmmouse"
    Option "CorePointer"
    Option "AlwaysCore"
EndSection

Saturday, April 25, 2009

A couple of articles on DIGital FORensics.

All my free time is now consumed by a 'little' Python development project. I will try to keep this blog up to date with anything really worth mentioning. Whilst I am busy coding and refreshing my rather rusty maths skills, I still spend about three hours a week reading about digital forensics and information security (mostly on a bus or train). Last week I came across a couple of documents by Dr. Frederick B. Cohen called "Fundamentals of Digital Forensic Evidence" and "A structure for addressing digital forensics". These documents are about the application of digital forensics within a legal context and I personally find them quite educational.

Saturday, April 18, 2009

Windows Event Logs

The procedure for working with Windows XP and Windows Server 2003 (.evt) event logs has been well documented. Here are a couple of links on fixing .evt logs, manually or with a free tool, so that they become readable in Windows Event Viewer. Harlan has also written Perl scripts that parse .evt logs without using the Windows API, so no header modification is needed.

Ensuring that forensic evidence in criminal cases is accurate and verifiable is only one side of forensic analysis. Making the evidence (forensic reports) presentable and easy to work with for all parties, including defence, judges and prosecution, is also essential. Making event logs readable and nicely formatted can sometimes be painful, though. I have found that the best tool for generating an Excel spreadsheet is EnCase's built-in EnScript (Case Processor), and X-Ways Forensics provides perhaps the quickest way to produce nice HTML reports. It also automatically includes some useful information, such as:

Warning: wrong fileheader data regarding size of file
Dirty flag: 1, Wrapped flag: 0, Full flag: 0, Primary flag: 1

To get the report in X-Ways Forensics, the .evt file needs to be opened first; after that you can go to Tools -> View or just press SHIFT + F9. You can also generate an Excel spreadsheet by opening the HTML report in Internet Explorer and going to File -> Edit with Microsoft Office Excel.

Also, when working with FTK and its forensic HTML report generation feature, it is possible to bookmark and export XML files (MSN History etc.) that won't open in the browser. This may produce an error similar to "Cannot view XML input using XSL style sheet". That is usually sorted quite easily by copying the XSL style sheet file (.xsl) from the folder where the original XML file was located into the same folder as the exported XML file.
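Added example, not from the post and not Harlan's scripts: decode the .evt header flags that X-Ways prints (dirty, wrapped, full) and then carve the records by their LfLe signature instead of trusting the header's start/end offsets, which is why no header fix-up is needed before reading a dirty log. The header and record field positions follow the NT event log format as I know it and are an assumption; the sample log is constructed in code with the dirty flag set and a stale end offset, as a log copied from a live system typically looks.

```python
import struct
from datetime import datetime, timezone

EVT_MAGIC = b"LfLe"
HEADER_FLAGS = {0x1: "dirty", 0x2: "wrapped", 0x4: "logfull_written", 0x8: "archive_set"}
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Audit Success", 16: "Audit Failure"}
_HDR = "<I4sIIIIIIIIII"        # 48-byte file header: size, 'LfLe', versions, offsets, counters, flags
_REC = "<I4sIIIIHHHHIIIIII"    # 56-byte fixed part of a record


def parse_evt_header(buf):
    """Decode the file header, including the flags X-Ways prints (dirty, wrapped, full)."""
    f = struct.unpack_from(_HDR, buf, 0)
    if f[0] != 0x30 or f[1] != EVT_MAGIC:
        raise ValueError("not an NT/2000/XP/2003 .evt header")
    return {"start_offset": f[4], "end_offset": f[5], "current_record": f[6],
            "oldest_record": f[7], "max_size": f[8], "flags": f[9],
            "flag_names": [n for bit, n in HEADER_FLAGS.items() if f[9] & bit]}


def _utf16z(buf, off):
    """Read a NUL-terminated UTF-16LE string at off; return (text, offset after it)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", "replace"), end + 2


def carve_evt_records(buf):
    """Walk records by their 'LfLe' signature rather than by the header offsets,
    so a dirty log with stale start/end offsets still yields every record."""
    records, pos = [], buf.find(EVT_MAGIC, 0x30)
    while pos != -1:
        start = pos - 4
        length = struct.unpack_from("<I", buf, start)[0]
        plausible = 56 < length <= len(buf) - start and \
            struct.unpack_from("<I", buf, start + length - 4)[0] == length
        if not plausible:
            pos = buf.find(EVT_MAGIC, pos + 4)
            continue
        (_, _, rec_no, t_gen, t_wri, event_id, ev_type, n_strings, category, _, _,
         str_off, sid_len, sid_off, data_len, data_off) = struct.unpack_from(_REC, buf, start)
        source, off = _utf16z(buf, start + 56)
        computer, _ = _utf16z(buf, off)
        strings, off = [], start + str_off
        for _ in range(n_strings):
            s, off = _utf16z(buf, off)
            strings.append(s)
        records.append({
            "record": rec_no,
            "generated": datetime.fromtimestamp(t_gen, timezone.utc).isoformat(),
            "written": datetime.fromtimestamp(t_wri, timezone.utc).isoformat(),
            "event_id": event_id & 0xFFFF, "event_id_raw": event_id,
            "type": EVENT_TYPES.get(ev_type, str(ev_type)), "category": category,
            "source": source, "computer": computer, "strings": strings,
            "sid": buf[start + sid_off:start + sid_off + sid_len],
            "data": buf[start + data_off:start + data_off + data_len],
        })
        pos = buf.find(EVT_MAGIC, start + length)
    return records


def build_record(rec_no, when, event_id, ev_type, source, computer, strings):
    """Constructed record in the on-disk layout (for the sample; not from a real log)."""
    names = b"".join(s.encode("utf-16-le") + b"\0\0" for s in (source, computer))
    names += bytes(-(56 + len(names)) % 8)        # real writer aligns the SID/strings area
    str_off = 56 + len(names)
    body = names + b"".join(s.encode("utf-16-le") + b"\0\0" for s in strings)
    body += bytes(-(56 + len(body) + 4) % 4)
    length = 56 + len(body) + 4
    fixed = struct.pack(_REC, length, EVT_MAGIC, rec_no, when, when, event_id, ev_type,
                        len(strings), 0, 0, 0, str_off, 0, str_off, 0, length - 4)
    return fixed + body + struct.pack("<I", length)


def make_sample_evt():
    """Constructed 'dirty' log: flags 0x1 and an end offset that no longer matches."""
    rec = build_record(1, 1247000000, 0x40000000 | 7036, 4, "Service Control Manager",
                       "WS01", ["Windows Time", "running"])
    eof = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      0x30, 0x30 + len(rec), 2, 1, 0x28)
    hdr = struct.pack(_HDR, 0x30, EVT_MAGIC, 1, 1, 0x30, 0x30, 1, 1, 0x80000, 0x1, 0, 0x30)
    return hdr + rec + eof


if __name__ == "__main__":
    log = make_sample_evt()
    print(parse_evt_header(log)["flag_names"])
    for r in carve_evt_records(log):
        print(r["generated"], r["source"], r["event_id"], r["strings"])
```

Because the carver validates each candidate by its leading and trailing length fields, it also picks up records left behind in the slack after a log wraps, which the Event Viewer never shows.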

Sunday, April 19, 2009

Lance Mueller posted a great article and his EnScript regarding Windows event logs. The comments on his post are also worth reading.

Another interesting post regarding Vista event logs, by Rob Faber, can be found here.

Saturday, April 4, 2009

The Sleuth Kit and Autopsy on Ubuntu

A quick installation guide for the latest TSK and Autopsy on Ubuntu 8.04.
The default versions of TSK and Autopsy in the Ubuntu repositories are sleuthkit-2.09-2 and autopsy-2.08-2. The latest versions are sleuthkit-3.0.1 and autopsy-2.21.

Step 1
Download afflib.tar.gz and unpack it with tar -xvf afflib.tar.gz
There are three dependencies to resolve before afflib can be installed.

Type sudo apt-get install build-essential zlib1g-dev libssl-dev
Then navigate to afflib folder and type the usual:
./configure, make, sudo make install

Step 2
Download libewf, unpack and install all three .deb packages

Step 3
Install uuid-dev by typing sudo apt-get install uuid-dev
Then download sleuthkit-3.0.1.tar.gz
Unpack, and run ./configure, make, sudo make install

Step 4
Download autopsy-2.21.tar.gz
Create your evidence directory, autopsy will ask for it later.
Extract autopsy and run ./configure, make, sudo make install

When asked, type the full path to your evidence directory and you are done.

To start autopsy, just type sudo ./autopsy and follow the instructions.

Update for Ubuntu 9.10  - 25 November 2009

For Ubuntu 9.10 the procedure is similar except for Step 1.
afflib's make may not work, and if you really want AFF support, the simple solution is to download the .deb files from older distributions.

The files below worked for me:
afflib-dev_1.6.31-0ubuntu1_i386.deb and afflib_1.6.31-0ubuntu2_i386.deb

and can be downloaded from these locations:

Step 2 is easy: just get all 3 libewf packages (search with Synaptic).

The rest of the procedure is the same.

Updates for Ubuntu 10.10 and the Sleuthkit 3.2.0 are here

Tuesday, March 31, 2009

My blog statistics

Some time ago I played with Google Analytics, and as a result here are my blog visitor statistics, which I find quite educational.

The first one is not particularly surprising and shows which web browsers were used by geeks to view my blog.

2. Internet Explorer 28.05%
7. Mozilla 0.63%
10. Mozilla Compatible Agent 0.05%

The second table displays the top 70 countries for my blog readers.

1. United States
2. United Kingdom
8. South Korea
24. Czech Republic
25. New Zealand
33. South Africa
35. United Arab Emirates
40. Hong Kong
44. Saudi Arabia
49. Dominican Republic
51. Macau SAR China
61. Trinidad and Tobago
65. Bosnia and Herzegovina

Friday, March 27, 2009


WinRAR is often used to protect information by compressing and encrypting files. Since January 2002, WinRAR has offered Advanced Encryption Standard (AES, 128-bit) encryption, and it takes a considerable amount of time to decrypt/crack WinRAR files created with WinRAR version 3 and later. The usual techniques are dictionary or brute-force attacks using tools like AccessData PRTK/DNA or Elcomsoft ARPR (Advanced RAR Password Recovery) or AAPR (Advanced Archive Password Recovery). Even with a Tableau hardware accelerator it is going to take considerable time to get in. Using word lists exported from FTK may significantly reduce the time of a dictionary attack. The word list can be used by the Elcomsoft password crackers, and with PRTK/DNA it is possible to generate a custom dictionary from that list.

I found Elcomsoft ARPR to be much faster at brute force (approximately 110 pwd/sec compared to PRTK's 45 pwd/sec) and only around 21 pwd/sec for a dictionary attack (on one dual-core PC). There is no Elcomsoft DNA (Distributed Network Attack) software available for archive cracking. From my experience, a brute-force search of all 4-printable-character passwords at 110 pwd/sec would take about a week to complete, and more than a year for 5-printable-character passwords. PRTK is much slower than Elcomsoft at brute forcing and DNA should be used instead. I found that a DNA dictionary attack with around 10 workers (computers) produced a speed of around 500 pwd/sec, which is about three times slower than the Tableau TACC1441 hardware accelerator.

When performing live analysis, a memory (RAM) dump may yield some valuable information, so it is worth getting the RAM dump even just to get WinRAR passwords held in memory. I've had some success in getting passwords from both RAM dumps and hiberfil.sys files by extracting a word list from them and using it in a dictionary attack.

There are various tools available to decompress the hiberfil.sys file and there are plenty of resources discussing the procedure. X-Ways Forensics offers the easiest way to decompress hiberfil.sys, and it handles fragments well: it looks for \x81\x81 Xpress chunks and starts decompression from that point. Note that X-Ways Forensics will have the Edit -> Convert option greyed out, so the file needs to be opened in editable mode. Usually I copy the hiberfil.sys file somewhere on my desktop and use WinHex, which comes with X-Ways Forensics, to decompress it.

If the 'Encrypt file names' option was not used, the file names in an encrypted WinRAR archive can be viewed in clear text. WinRAR also computes and stores CRC-32 values of the archived files, and when the files are extracted, WinRAR computes the CRC of the extracted content and compares it with the CRC in the archive.

Where dictionary and brute-force attacks have failed, the CRC can be used to search the hard drive for uncompressed, unencrypted files that have the same CRC-32 value as the encrypted files inside the WinRAR archive. X-Ways Forensics is quite suitable for this task: all that is required is to Refine Volume Snapshot and change the Compute Hash option to CRC-32.

CRC-32 generates a 32-bit checksum. It is important to note that the purpose of the CRC algorithm is to detect accidental errors (such as bit flips) in transmitted or stored data; it is not designed to be collision-free. Additionally, in theory a bad guy can deliberately generate two files with the same CRC-32 checksum without a problem, but in practice there are far more effective anti-forensic methods.
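Added example (not WinRAR's code, not X-Ways', not from the post): a reader for RAR 2.9/3.x file headers that pulls each entry's name, unpacked size, CRC-32 and encrypted flag, refuses archives made with 'Encrypt file names' (where the headers themselves are encrypted and nothing below is readable), and then matches the (CRC-32, size) pairs against loose files the way the X-Ways procedure above does by hand. The header field layout and flag values are my assumptions about the RAR3 format; the archive is constructed in code, with filler bytes standing in for the AES-encrypted data, since only the headers matter here.

```python
import os
import struct
import zlib
from collections import namedtuple

RAR3_MARKER = b"Rar!\x1a\x07\x00"
MAIN_HEAD, FILE_HEAD, END_HEAD = 0x73, 0x74, 0x7B
MHD_PASSWORD = 0x0080   # main header flag: headers encrypted ("Encrypt file names")
LHD_PASSWORD = 0x0004   # file header flag: file data encrypted
LHD_LARGE = 0x0100      # 64-bit sizes follow the fixed fields
LHD_UNICODE = 0x0200    # name is "8-bit name\0<unicode data>"
LONG_BLOCK = 0x8000     # block carries ADD_SIZE bytes of data after the header

RarEntry = namedtuple("RarEntry", "name unpacked_size packed_size crc32 encrypted header_ok")


def rar3_entries(data):
    """Yield a RarEntry for each file header in a RAR 2.9/3.x archive."""
    if not data.startswith(RAR3_MARKER):
        raise ValueError("not a RAR 2.9/3.x archive")
    pos = len(RAR3_MARKER)
    while pos + 7 <= len(data):
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7:
            raise ValueError("corrupt block header at offset %d" % pos)
        # HEAD_CRC is the low 16 bits of CRC-32 over the header bytes after HEAD_CRC.
        header_ok = (zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF) == head_crc
        add_size = 0
        if head_type == MAIN_HEAD and flags & MHD_PASSWORD:
            raise ValueError("headers are encrypted; names and CRCs need the password")
        if head_type == FILE_HEAD:
            pack, unp, _host, crc, _ftime, _ver, _method, name_len, _attr = \
                struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            off = pos + 32
            if flags & LHD_LARGE:
                hi_pack, hi_unp = struct.unpack_from("<II", data, off)
                pack, unp, off = pack | hi_pack << 32, unp | hi_unp << 32, off + 8
            raw_name = data[off:off + name_len]
            if flags & LHD_UNICODE:
                raw_name = raw_name.split(b"\0", 1)[0]      # keep the 8-bit form
            yield RarEntry(raw_name.decode("cp437", "replace"), unp, pack, crc,
                           bool(flags & LHD_PASSWORD), header_ok)
            add_size = pack
        elif flags & LONG_BLOCK:
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if head_type == END_HEAD:
            return
        pos += head_size + add_size


def crc_index(entries):
    """(CRC-32, unpacked size) -> archived names, for the encrypted entries only."""
    index = {}
    for e in entries:
        if e.encrypted:
            index.setdefault((e.crc32, e.unpacked_size), []).append(e.name)
    return index


def find_plaintext_matches(index, candidates):
    """candidates: iterable of (label, bytes). Same CRC-32 and size is a lead,
    not proof: CRC-32 is not collision resistant, so confirm by other means."""
    hits = []
    for label, blob in candidates:
        key = (zlib.crc32(blob) & 0xFFFFFFFF, len(blob))
        for name in index.get(key, ()):
            hits.append((label, name, key[0]))
    return hits


def walk_files(root):
    """Feed every regular file under root to find_plaintext_matches."""
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            try:
                with open(path, "rb") as fh:
                    yield path, fh.read()
            except OSError:
                continue


def _block(head_type, flags, body):
    rest = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest


def make_sample_rar(plaintext, name=b"secret.txt"):
    """Constructed archive, not produced by WinRAR: one password-flagged entry whose
    'packed' bytes are filler; only the headers matter for the CRC matching."""
    packed = bytes(b ^ 0x5A for b in plaintext)
    file_body = struct.pack("<IIBIIBBHI", len(packed), len(plaintext), 2,
                            zlib.crc32(plaintext) & 0xFFFFFFFF, 0, 29, 0x30, len(name), 0x20) + name
    return (RAR3_MARKER + _block(MAIN_HEAD, 0, bytes(6))
            + _block(FILE_HEAD, LONG_BLOCK | LHD_PASSWORD, file_body) + packed
            + _block(END_HEAD, 0x4000, b""))
```

Against a mounted image, pass walk_files(mount_point) as the candidates; because the index is keyed on size as well as CRC-32, the 2^-32 chance of a random CRC collision is reduced further, but a hit still only tells you which loose file to examine, not that it is the archived one.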

Friday, March 13, 2009

Useful little tools.

Mail Viewer for Outlook Express versions 4+ (.idx, .mbx and .dbx), Windows Vista Mail and Windows Live Mail databases, including .eml files. It is very similar to OE Reader and the web site states that it is actually based on MiTeC Outlook Express Reader. No installation required; it has only one 520 KB executable. The viewer handles attachments quite well (text and HTML view) and, most importantly, it is absolutely free. It works on Windows 95 through Vista.

This web site has several interesting little applications that may be useful in digital forensics.

ImDisk Virtual Disk Driver is only 266 KB in size (compressed), 'works on both 32-bit and 64-bit versions of Windows' and allows mounting dd images in read/write and read-only mode. dd images can be mounted by right-clicking in Windows Explorer and selecting 'Mount new virtual disk' (Picture 1). It only works with non-split dd images and doesn't accept EnCase images. This small utility, with its seamless integration into Windows Explorer, also allows you to right-click on a selected drive and acquire a dd image (Picture 2). I compared this image with a dd image of the same drive acquired with FTK Imager and the MD5 hashes matched. ImDisk was actually about 8% faster at acquiring the image than the latest version of FTK Imager, but it doesn't create a log file and it is unclear how ImDisk handles bad sectors and errors. I haven't played with the command-line switches yet, so the functionality may already be there.