Thursday, January 29, 2009

Helix3 Pro

As expected, e-fense is moving to a commercial business model with their Helix3 Pro (to be released in April) and no free support or user's forum will be available to Helix users from 2 February 2009. To get access to Helix support and forum e-fense is introducing the membership for $19.95 a month or $239 a year. It is not very clear at this stage; whether Helix3 Pro will be available for free download to non-members.

30 January 2009
I have a clarification in relation to Helix3 Pro availability. The product will not be free ........... So Long free Helix!


Youtube videos:

e-fense Inc. announces new management team

Helix3 vs Helix3 Pro

2 May 2009

E-fense desided to keep a free version of Helix3 alive.

It can be downloaded at here.

Wednesday, January 21, 2009

Learning the Open Systems Interconnection Reference Model

Here is a link for an excellent OSI model tutorial that I recently came across. It is good for refreshing your memory and includes mnemonics and even review questions.

Saturday, January 17, 2009

Internet Explorer 8 in ‘anti forensic mode’

Microsoft has introduced some new features to the new Internet Explorer 8, which is currently in beta. 'InPrivate' browsing mode, which has been called by the media "porn mode" is one of such features that I found to be worth looking at.

The similar functionality can be found in Firefox via plug-ins and built in Safari 'Private browsing', but given the significant market share of Internet Explorer this new feature may have some serious impact on the successful identification of the suspect's web browsing activities.

Here is some information found on IEBlog.

While InPrivate Browsing is active, the following takes place:
  • New cookies are not stored
  • All new cookies become "session" cookies
  • Existing cookies can still be read
  • The new DOM storage feature behaves the same way
  • New history entries will not be recorded
  • New temporary Internet files will be deleted after the Private Browsing window is closed
  • Form data is not stored
  • Passwords are not stored
  • Addresses typed into the address bar are not stored
  • Queries entered into the search box are not stored
  • Visited links will not be stored

It is very easy to switch to InPrivate mode by simply entering Ctrl+Shift+P. All tabs and new windows after that will also be opened in InPrivate mode.

'InPrivate' can be useful for corporations to make use of this feature as an additional step to negate their liability in various harassment etc. litigations. Some however may decide to turn this feature off and it is also easily done via editing Group Policies. Here is one way of doing this via GPEdit.msc


A quick search for artefacts left by 'InPrivate' browsing confirmed that there was no browsing history saved.

Whilst in 'InPrivate' mode I went to google.com web site and changed search preferences to "Do not filter my search results". Later I was able to recover this: http://images.google.com.au/setprefs?sig=0_Ai3r3BRa_NyzSVLmEfe1fo_5H6M%3D&hl=en&lang=all&safe=off&num=10&q=&prev=http%3A%2F%2Fimages.google.com.au%2Fimghp%3Fhl%3Den%26tab%3Dwi&submit2=Save+Preferences+

I then searched for "military tanks" pictures and clicked on several links. After viewing some images, I closed IE 8 and went searching for any traces of the above-mentioned activities. To accomplish this task I used X-Ways Forensics and Netanalysis tools. I was unable to locate my typed search term "military tanks" and no browsing history was found.

Searching inside
c:\Users\%USER%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RandomFolderName
produced good results and I was able to recover most of the deleted images.

Digging further confirmed that upon exiting 'InPrivate' mode, IE 8 deleted Temporary Internet Files and inside %Windows%\Temp directory. IE 8 beta 2 was tested on Windows XP and Windows 7 Beta test machines. In general, 'InPrivate' mode works as stated by Microsoft with only a few traces left behind, which means extra work for forensic examiners.

Sunday, January 11, 2009

Antivirus and Last Access timestamps

Last October I blogged about Time and Time Stamps . I have recieved a question in relation to Antiviruses and their ability to preserve the Last Access timestamp of files that are scanned by such AV.

I desided to post a quick answer here.

Corporate and Retail Antivirus solutions are usually designed a bit differently. Many corporate information systems are utilising various File Replication Services, Migration of files based on last access date and Backups. A non compliant Antivirus solution my result in excessive replications, long or failed backups of unchanged files, and failed security audits that are depending on Last Access timestamps.

A good example a corporate Antivirus solution that deals with such issues is Norton Antivirus (NAV) Corporate edition. To my knowledge since NAV version 7.61 Symantec includes "Preserve file times" option. This option allows restoring the Last Access timestamp of files that are scanned by NAV "Auto-Protect" module. See attached image of NAV Corp v 10 for details.


"During a scan, NAV will save various attributes of the file (file attributes, the security descriptor GetFileSecurity, last access timestamp, and so forth) before the scan so that the file can be restored to its original condition.... " Microsoft Article ID: 284947

On the time forensics site you can find a resonable quality research paper by K. Chow, F. Law, M. Kwan, P. Lai called "the Rules of Time on NTFS" that describes the relationship between file searching tools, Antiviruses and the Last Access Time Stamp. Just keep in mind that there are also Corporate Antivirus Solutions and other tools, which may be using defferent methods to open files.