Forensics

April 02, 2009

New forensic tool based on strings and SQL (Windows)

At the moment I'm working on a new forensic tool for Windows, based on strings and SQL. I will write more about this tool in the near future. Last night I did a test by writing a short text and hiding the textfile somewhere in a subfolder.

My tool did find the text string and parsed 2.150.954.083 string elements (that's over two biljon elements!) in 36894.77 seconds (10:14:54 hours), which is certainly not bad.

Of course, there are many tools which can find text strings, but not for windows and not based on SQL.

Apr 2, 2009 8:08:16 PM | Forensics, Windows

March 29, 2009

Pipe stdin to logparser

I'm still workin' on it, but it seems to be possible to pipe the stdin output to logparser.

For example:

strings c:\temp\test.img | logparser "select * from stdin" -o:datagrid

example 2:

netstat -a | logparser "select * from stdin" -i:tsv -iseparator:space -nsep:2 -o:datagrid -fixedsep:off -nskiplines:2

This can have great possibilities and I certainly have to do more research

added March 31:

a real nifty combination: logparser and sed for windows

example:

logparser "select * from file1.csv" -i:TSV | sed "s/\"/ /g"

logparser and gawk for windows

example:

logparser "select * from file1.csv" -i:TSV | gawk {print$1$2$3$4}

 

Mar 29, 2009 3:19:29 PM | Forensics

Netbook forensics

With CaineLiveUsb you can boot and investigate devices without a CD-Rom drive (like netbooks etc.).

CAINE (Computer Aided INvestigative Environment) is a GNU/Linux live distribution created by Giancarlo Giustini as a project of Digital Forensics for Interdepartment Center for Research on Security (CRIS), supported by the University of Modena and Reggio Emilia. CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.

Cainecd

Visit the Caine website

Mar 29, 2009 12:11:08 PM | Forensics

March 17, 2009

Open source memory analysis

PC memory analysis is increasingly important because of ever arising encryption techniques, polymorphic malware etc. Simply pulling the plug of a live machine and investigating the contents of the harddisk is not enough anymore. Here's a short guide how you can do a proper (minimal) analysis of live memory.

Continue reading "Open source memory analysis" »

Mar 17, 2009 1:56:03 PM | Forensics

January 20, 2009

What's interesting about Limewire

Limewire is a peer-to-peer (P2P) application that is based around the Gnutella protocol. The Gnutella protocol is a communication protocol that allows a user to connect to a network with no centralized server, every node in a P2P network can talk to every other node. This allows the community to determine content with no supervision, making it ideal for the trading of illegal material.

Limewire files of interest include: library.dat, createtimes.cache, version.xml, fileurns.cache and limewire.props. Taken together the content of these files will give the investigator a picture of the users’ library, what they downloaded, dates and times, SHA1 values, what the user shared and what not.

Continue reading "What's interesting about Limewire" »

Jan 20, 2009 1:44:19 PM | Forensics

January 06, 2009

HTTP LogStat testdrive

Werner Rumpeltesz recently updated his free HTTP Logstat tool (v. 1.2.1). I downloaded it and took it for a test drive. The tool works fine with Windows XP but in my case it crashed under Vista.

With the help of Webmin I downloaded some Apache logfiles of one of my servers.

---

Possible interesting logfiles (Linux server):

/var/log folder:

auth.log (but also auth.log.0, auth.log.1.gz etc.as logfiles are rotating)
daemon.log
mysql.log
syslog
user.log

/var/log/apache2 folder:

access.log (access.log.1, access.log.1.gz etc.)
error.log (error.log.1, error.log.1.gz etc.)

Several other logfiles can exist on a server, as some programs tend to create and maintain their own specific logs.

---

In this testcase, I use HTTP LogStat to study the contents of access.log.2.gz, which I have copied to my local pc:

2009-01-06_095724 

First thing I do now is change the language of the tool, as German is not my favorite language. Click in Extras to do so.

Now, you have to make a profile for you server.

2009-01-06_095913

This seems to be an unnecessary step to take, but the tool doesn't work without a profile.

2009-01-06_100048 

Now, I can select the logfile I have downloaded from my server (Path / file mask)

2009-01-06_100258 

After this you can create a report

2009-01-06_100455

The tool creates a very clear report. You can find an example here.

The free HTTP LogStat tool is a great help to learn more about your own server or to use in hack investigations.

Jan 6, 2009 10:18:54 AM | Forensics, Logging

January 05, 2009

6th Australian Digital Forensics Conference

In December 2008 the sixth edition of the Australian Digital Forensics Conference was being held. Several very interesting presentations are available for download, like:

iPhone Forensics, Forensic Acquisition and Analysis of the TomTom One Satellite Navigation Unit, Extraction of User Activity through Comparison of Windows Restore Points, Email 'Message-IDs' helpful for forensic analysis?, Data Hiding in Windows Executable Files and The Impact of U3 Devices on Forensic Analysis.

You can download the complete proceedings here

Jan 5, 2009 11:16:49 AM | Forensics

November 24, 2008

MD5 hashwaarde berekenen met PHP

Het is mogelijk om met PHP de MD5 hashwaarde van een bestand te berekenen. Dit kan erg handig zijn bij het uploaden van bestanden naar een server, om te controleren of een bestand op de server gewijzigd is, of om te controleren of een bestand na een langere periode nog steeds integer is.

Voorbeeld script:

<?php
$file = 'Outlook1.pst';
echo 'MD5 file hash of ' . $file . ': ' . md5_file($file);
?>

de output is de MD5 hashwaarde.

Als je wilt controleren of een bestand op de server gewijzigd is, dan kun je gebruik maken van het volgende script:

<?php
$file_xls = "test.xls";
$file_md5 = "test.xls.md5"; // Must exists and must be writable for PHP
$md5_new_file = trim(md5_file($file_xls));
$md5_old_file = trim(file_get_contents($file_md5));

if($md5_new_file <> $md5_old_file)
    {
    echo "file is out of date, updating now...";
    rename($file_md5, $file_md5.".bak");
    $fp = fopen($file_md5, 'w');
    fwrite($fp, $md5_new_file);
    fclose($fp);
/*
Here we do some job...
In my case - dealing with "Spreadsheet Excel Reader"
*/
    unlink($file_md5.".bak");
    }
// "Not for crontab" - Remove the following section if you are intending to run it in crontab
else
    {
    echo "file is up to date, nothing to do...";
    }
// End "Not for crontab";
?>

Nov 24, 2008 1:40:35 PM | Forensics, php

November 13, 2008

Vind verwijderde bestanden terug met Recuva

2008-11-13_155525

De makers van CCleaner blijken tevens een handig bestandsherstelprogramma'tje gemaakt te hebben genaamd Recuva. Met deze gratis tool voor Windows kun je eenvoudig verwijderde bestanden terug vinden en, als je geluk hebt, herstellen. Ik heb versie 1.20.361 van het programma zojuist geprobeerd en met behulp van de deep scan functie kon ik een hoop verwijderde bestanden vanaf mijn draaiende laptop terug vinden. Het mooie van Recuva is dat het de toestand van een verwijderd bestand aangeeft. Zo kan een bestand nog geheel beschikbaar zijn (excellent) of reeds zwaar overschreven door een ander bestand (poor).

Recuva heeft zijn eigen website, waar je het installatiebestand kunt downloaden.

Nov 13, 2008 3:56:59 PM | Forensics

October 29, 2008

Installatie van PTK 1.0

Zojuist heb ik versie 1.0 van PTK geinstalleerd op een stand alone Ubuntu 8.04 server. De installatie verliep als volgt:

Zorg dat je eerst de volgende software hebt geinstalleerd op de Ubuntu server:

Sleuthkit
Libewf
Afflib
afflib-dev
apache2
apache2-utils
apache2.2-common
apache2-mpm-prefork
libapache2-mod-php5
php5
php5-cgi
php5-common
php5-mysql
php5-pgsql
mysql-server-5.0
mysql-common
mysql-client-5.0
libmysqlclient15off
libdbd-mysql-perl
dcfldd
foremost
libtsk-dev
rdd
scalpel
tct
unhide
vinetto
libapr1

Het merendeel van deze pakketten zijn aanwezig in de Ubuntu repositories en kunnen eenvoudig via apt-get install ... worden geinstalleerd.

Continue reading "Installatie van PTK 1.0" »

Oct 29, 2008 8:02:34 AM | Forensics, Sleuthkit
« | »

Mark

The Typepad Team

Search

My Other Accounts

Recent Comments