Tuesday, March 31, 2009

My blog statistics

Some time ago I have played with Google Analytics and as a result here is my blog visitor's statistics, which I find quite educational.

The first one is not particularly surprising and shows which web browsers were used by geeks to view my blog.

1Firefox57.17%
2Internet Explorer28.05%
3Opera6.37%
4Safari3.74%
5Chrome2.58%
6Konqueror0.83%
7Mozilla 0.63%
8SeaMonkey0.24%
9Camino0.05%
10Mozilla Compatible Agent0.05%


The second table displays the top 70 Countries for my blog readers.

1.United States
2.United Kingdom
3.Australia
4.Italy
5.Canada
6.Netherlands
7.Germany
8.South Korea
9.France
10.Brazil
11.Spain
12.Russia
13.India
14.Belgium
15.Norway
16.China
17.Austria
18.Malaysia
19.Taiwan
20.Singapore
21.Japan
22.Poland
23.Sweden
24.Czech Republic
25.New Zealand
26.Thailand
27.Mexico
28.Portugal
29.Egypt
30.Indonesia
31.Denmark
32.Turkey
33.South Africa
34.Brunei
35.United Arab Emirates
36.Greece
37.Ireland
38.Switzerland
39.Hungary
40.Hong Kong
41.Romania
42.Israel
43.Finland
44.Saudi Arabia
45.Pakistan
46.Lithuania
47.Colombia
48.Vietnam
49.Dominican Republic
50.Serbia
51.Macau SAR China
52.Croatia
53.Ukraine
54.Morocco
55.Argentina
56.Slovakia
57.Slovenia
58.Bahamas
59.Philippines
60.Bulgaria
61.Trinidad and Tobago
62.Panama
63.Venezuela
64.Chile
65.Bosnia and Herzegovina
66.Honduras
67.Cambodia
68.Iceland
69.Ecuador
70.Nigeria

Friday, March 27, 2009

WinRAR

WinRAR is often used to protect information by compressing and encrypting various files. Since January 2002, WinRAR offers Advanced Encryption Standard [(AES) 128 bits] and it takes a considerable amount of time to decrypt/crack WinRAR files created with WinRAR version 3 and later. Usual techniques are to use Dictionary or Brute force attack utilising tools like AccessData PRTK/DNA or Elcomsoft ARPR (Advanced RAR Password Recovery) or AAPR (Advanced Archive Password Recovery). Even with Tableau Hardware Accelerator it is going to take considerable time to get in. Using FTK imported wordlists may significantly reduce the time of dictionary attack. The wordlist can be used by Elcomsoft password crackers and with PRTK/DNA it is possible to generate a custom dictionary from that list.

I found Elcomsoft ARPR to be much faster performing brute force (approximately 110 pwd/sec compared to PRTK 45 pwd/sec) and only around 21 pwd/sec for dictionary attack (one dual core PC). There is no Elcomsoft DNA (Distributed Network Attack) software available for archive cracking. From my experience, for brute force algorithm to find 4 printable characters passwords with the speed of 110 pwd/sec would take about a week to complete and more than a year for 5 printable characters passwords. PRTK is much slower then Elcomsoft at brute forcing and DNA should be used instead. I found that DNA dictionary attack with around 10 workers (computers) produced a speed of around 500 pwd/sec, which is about three times slower than using the Tableau TACC1441 Hardware Accelerator.

When performing a live analysis, the memory (RAM) dump may produce some valuable information, so it is worth getting the RAM dump even just to get WinRAR passwords stored in memory. I've had some success in getting the passwords from both the RAM dump and hiberfil.sys files by obtaining a word list and using it in the dictionary attack.

There are various tools available to decompress hiberfil.sys file and there are plenty resources discussing the procedure. X-Ways forensics offers the easiest way to decompress hiberfil.sys, and it handles well the fragments. It looks for \x81\x81 xpress chunks and starts decompression from that point. In fact, X-Ways Forensics will have the Edit Convert option greyed out, so the file needs to be opened in an editable mode. Usually I copy hiberfil.sys file somewhere on my desktop and use WinHex that comes with X-Ways Forensics to decompress it.


If no 'Encrypt Filenames' option is used, the filename in the encrypted WinRAR archive can be viewed in clear text. WinRAR also computes and stores CRC-32 values of the archived files and when the files are extracted, WinRAR computes the CRC of the extracted content and compares them with the CRC in the archive.

Where dictionary and brute force attacks failed, CRC can be used to search for uncompressed and unencrypted files on the hard drive that have the same CRC-32 value as encrypted files inside WinRAR archives. X-Ways Forensics is quite suitable for this task. All that is required is to Refine Volume Snapshot and change Computer Hash option to CRC-32.

CRC-32 generates a 32-bit checksum. It's important to note that the purpose of the CRC algorithm is to detect single bit errors during data transmissions and it is not designed to be collision free. Additionally, in theory a bad guy can deliberately generate two files with the same CRC-32 checksum without a problem, but in practise there are far more effective anti-forensic methods.

Friday, March 13, 2009

Useful little tools.

Mail Viewer for Outlook Express versions 4+ (.idx .mbx and .dbx), Windows Vista Mail and Windows Live mail databases including .eml files. It is very similar to OE Reader and the web site states that it is actually based on MITeC Outlook Express Reader. No installation required, it has only one 520 KB executable file. The viewer handles attachments quite well (text and HTML view) and the most importantly it is absolutely free. It works on Windows 95 --> Vista.

This web site has several interesting little application that may be useful in digital forensics http://www.mitec.cz/

ImDisk Virtual Disk Driver is only 266 KB in size (compressed), 'works on both 32-bit and 64-bit versions of Windows' and allows mounting dd images in read & write and read only mode. dd images can be mounted with right click from Windows Explorer and by selecting mount new virtual disk (Picture 1). It only works with non-splitted dd images and doesn't accept encase images. This small utility with seamless integration into Windows Explorer also allowing you to right click on selected drive and acquire dd image (Picture 2). I have compared this image with dd image of the same drive acquired with FTK Imager and md5 hash matched. ImDisk actually was about 8% faster in acquiring the image then latest version of FTK Imager, but it doesn't create a log file and it is unclear how ImgDisk handles bad sectors and errors. I haven't played with command line switches yet, so the functionality may be already there.