Saturday, December 20, 2008


Just wanted to cross post about a blog I recently posted on MANDIANT's blog site. I will not go into the details and let you read it but the topic is about MemScript. MemScript is an EnScript that integrates EnCase, Memoryze and Audit Viewer. Check out the post here.

MemScript Blog at M-unition

It has almost been a year since my last post but I hope to keep it more up to date if my work schedule allows for it. While out and about I noticed some bugs in my current EnScripts that I fixed. The first deals with the Prefetch Analysis EnScript. If the file executed did not have an extension of .exe the bookmark for showing the location of the executable would be mangled. This bug is now fixed. You can get the updated version below.

Prefetch Folder Analysis

I am hoping to clean up some of the EnScripts I made for actual work use and get them out during the holidays. For convenience's sake I have also attached the MemScript to this post; get it below.


Friday, April 18, 2008

Windows Memory Analysis

Recently I got the chance to use EnCase Enterprise's ability to acquire physical memory over the network. This is a great feature and it is nice to see that Guidance is starting to catch up with other products that already offered this feature, namely Mandiant's Intelligent Response and Technology Pathways' ProDiscover. I had made an EnScript to parse these data dumps for current and exited processes from XP machines last summer and I have finally got the OK to release it to the public. This EnScript will take a physical memory dump, be it done with either of the aforementioned products or with good old dd, and make bookmarks of the process data. The bookmarks will list the process id, parent process id, process start time, and process end time. If the process has exited it will display a (X) by the bookmark folder name. I based the XP off the DFRWS memory image and created a Win2K EnScript before the XP one, so it is listed here too just in case there are still 2K users out there. The XP EnScript has the option to export the results to an Excel file. I will be trying to add future capability to this EnScript so stay tuned and give me feedback on what you would like to see added to it.

Windows Memory Analysis (XP)
Windows Memory Analysis (2K)

Wednesday, April 9, 2008

Luhn Algorithm EnScript

After seeing a long list of posts in the forums on the credit card finder module I wanted to post an EnScript I made up for some recent cases with an overwhelming amount of credit card hits from the EnCase credit card finder module. For those of you that do not know what this algorithm is, I would explain it here but it is already on Wikipedia so look there. This EnScript reduces the amount of credit card number hits dramatically, from tens of thousands to hundreds. The basics of this EnScript are that it looks at search hits already created by the module and then creates bookmarks of valid credit cards. Quick note is that you have to have the search hits you want to have analyzed blue checked. Have fun.

Credit Hit Analysis
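
The filtering step described above, as an added Python example that is not the EnScript itself: each search hit is normalised, checked with the Luhn checksum, and kept only if it passes. The hit list, its offsets and the rejection of single-digit runs (which pass Luhn trivially) are assumptions made for the example.

```python
import re

def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total % 10 == 0

def filter_hits(hits):
    """Keep (offset, digits) for hits that look like real card numbers."""
    keep = []
    for offset, text in hits:
        digits = re.sub(r"[ -]", "", text)      # drop common separators
        if not digits.isdigit() or not 13 <= len(digits) <= 19:
            continue
        if len(set(digits)) == 1:               # assumption: 0000... is filler, not a card
            continue
        if luhn_ok(digits):
            keep.append((offset, digits))
    return keep

# Constructed search hits (offset, matched text); the passing values are
# publicly documented test card numbers, not real accounts.
HITS = [
    (0x1F40, "4111 1111 1111 1111"),
    (0x2A10, "4111111111111112"),      # last digit altered, fails the checksum
    (0x3000, "3782-822463-10005"),
    (0x4400, "1234567890123456"),      # digit run that only resembles a card
    (0x5000, "0000000000000000"),      # passes Luhn, rejected as filler
]

if __name__ == "__main__":
    for offset, digits in filter_hits(HITS):
        print(hex(offset), digits)
```
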

Tuesday, April 8, 2008

PEvil Carver

Alright, it has been a while but here is an EnScript I talked about before in some forums and I have gotten some more questions about it so I am going to post it to let all have access to it.

So you might ask "What is the PEvil Carver EnScript?" Hopefully what this EnScript will do for you is find that evil program that is on your machine but you just cannot find through traditional forensic analysis, i.e. anti-forensic techniques are not allowing you to find it. This script takes an intelligent approach to finding PE type files (.dll, .exe, .ocx, to name a few) from unallocated clusters (but you can search other unstructured data types) and does not just look for the "MZ" signature. This intelligent approach starts with finding that good old "MZ" signature but goes further to find the "PE" signature that follows it after a variable amount of space specified in the Image_Dos_Header. If these two signatures are present this script will start bookmarking and carving the PE file based on the data that is stored within the PE file structure. It will also look on the local system for files that already have the same hash and not export it if it is on the local system to cut down on false hits. The PE files are exported to an EnCase LEF file that can be added to a case and then mounted with VFS and then scanned with AV or other malware finding tools such as Mandiant's Red Curtain. The bookmarks also contain a plethora of data on the PE file itself. It parses out the Image_DOS_Header, Image_Optional_Header, Image_File_Header, and each section's Image_Section_Header. Looking at the data within these headers can help you identify if the PE file found is evil or not; the data here is much like PEiD. The hash and size of the file are also included in the bookmarks and a search can be done on the size or hash of the PE file to see if it is evil or not based on previously known indicators. Other features are that you can limit the size of the PE file to be exported; in initial testing PE files of significant size (1-2GB) were found in unallocated space and traditionally evil PE files are probably not of that size and want to keep a low profile.
There is also an option to limit the size of PE files exported; as mentioned already, most "Evil" programs will not want to have a big presence so limiting the size of these will produce better results. Some recent tests done with this EnScript reveal you can extract full PEs from memory dumps that match NSRL hashes, and files have been identified that are known evil programs from unstructured data found with Red Curtain and AV. Here is the EnScript, enjoy it and please as always give feedback. Thanks to Nick Harbour for the suggestion to make this script, and just as a side note I will always provide the source code to how these EnScripts work; it is important to all forensic professionals to know what the tools they use do and not just point and click and get answers but know how they got those answers.

PEvil Carver
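
The carving logic described above, as an added Python example (not the EnScript's source): find "MZ", follow e_lfanew to the "PE" signature, size the file from its section headers, then apply the size limit and known-hash exclusion. The function names, the 4 MB default limit, the use of SHA-256 and the sample buffer are assumptions for the example.

```python
import hashlib
import struct

def pe_extent(buf, off):
    """Size in bytes of the PE file starting at buf[off], or None if not a PE."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)   # IMAGE_DOS_HEADER.e_lfanew
    pe = off + e_lfanew
    if pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    (nsec,) = struct.unpack_from("<H", buf, pe + 6)           # NumberOfSections
    (opt_len,) = struct.unpack_from("<H", buf, pe + 20)       # SizeOfOptionalHeader
    table = pe + 24 + opt_len                                 # first IMAGE_SECTION_HEADER
    if not 1 <= nsec <= 96 or table + 40 * nsec > len(buf):
        return None
    end = table + 40 * nsec - off                             # headers only
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)                # overlay data is not counted
    return end

def carve(buf, max_size=4 * 1024 * 1024, known=frozenset()):
    """Return (offset, size, sha256) for each PE found in unstructured data."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        size = pe_extent(buf, pos)
        if size and size <= max_size and pos + size <= len(buf):
            digest = hashlib.sha256(buf[pos:pos + size]).hexdigest()
            if digest not in known:                           # skip files already on the system
                hits.append((pos, size, digest))
        pos = buf.find(b"MZ", pos + 1)
    return hits

def sample_pe():
    """Constructed minimal PE: DOS header, PE headers, one 0x200-byte section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + b"\0" * 0x40
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    section = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = dos + file_hdr + b"\0" * 0xE0 + section
    return headers.ljust(0x200, b"\0") + b"\xCC" * 0x200

# Constructed "unallocated" buffer: filler, a stray "MZ" string, then a real PE
SAMPLE = b"\x11" * 100 + b"MZ not a program" + b"\x22" * 300 + sample_pe() + b"\x33" * 64
```

The stray "MZ" at offset 100 is rejected because its e_lfanew does not lead to a "PE" signature, which is the false-positive reduction the post describes.
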

Tuesday, March 25, 2008

Prefetch Fix posted

So I have got a few comments on the output that the prefetch gives on the location of the executable: it gave the location as a bunch of numbers instead of text, sorry, coding laziness problem. I have fixed this now; I previously selected the wrong bookmark type for the report output (it was for a number and not text), so this should be fixed with this version. There were also comments on the date and time that is reported; I am working on this bug as I think it has to do with the early daylight saving time and how that is represented in EnCase, but I have not had time to pin this down yet. I will also be working on getting the data exported to Excel. Thanks for the comments on the blog and within the forums. The link previously posted will point you to the new prefetch EnScript and so should this one.

Prefetch Folder Analysis

Friday, February 22, 2008

MSG is Good, No Bad, EnScript Anyways

I know, I know MSG is bad for you but I thought that I would post this EnScript for the EDD forensicators out there. I made this up real quick for a case where exporting the MSG from the EnCase interface was producing undiscernible files. All the exported MSG files are named with the email message subject and if there is a repeatable subject it will get renamed to subject(1), subject(2), etc. It is hard to discern what MSG is which in this way so having a date related to the message gives more info and keeping the Outlook folder structure would be nice too. So what this EnScript will do is export the MSG, name the MSG with the subject and created date, and keep the Outlook PST folder structure for you. MSG is bad but sometimes you have to give your client what they want. Get the EnScript below, and again comments and suggestions please on any of my EnScripts.

MSG Export

Wednesday, February 20, 2008

Prefetch Folder Analysis

I have received some feedback from the EnCase forums on posting my Prefetch Folder analysis EnScript and I thought this would be a good place to do it, and make it available to everyone. Before I get started I just wanted to give notation to Harlan Carvey and his book Windows Forensic Analysis, which this script is based on, from one of his Perl scripts in that book.

For those of you that have not read the book or don't have an idea of what prefetching is, prefetching is Windows' way of saving load times for programs that are used often. The .pf files located in the Prefetch folder are cached portions of .exe files. This folder holds up to 128, sometimes more, .pf files and they all can be analyzed with this script. Each .pf file holds the hard page faults of the .exe along with metadata about where the executable is located and how many times the .exe has been launched. There may be multiple .pf files with the same .exe name in the directory, such as rundll.exe-[characters].pf or even notepad.exe-[characters].pf, each having a different set of seemingly random characters after the .exe-. These characters are not random and are produced from the file path to where the .exe is located, so if one notepad.exe is run from system32 and another from windows it will generate two different .pf files. Evil will more than likely show up in this folder and you will be able to locate where it is being run from by looking at these files, or running this script.

So the big question is how do I use this EnScript, why should I download it. Well it will show you all the information talked about above, specifically:

Location of the .exe
Number of times .exe has run
Last time .exe ran

The other data that you can correlate with this is the time that the file was created. Knowing when the .pf file was created and when it last ran will give you a date range on how long the .exe has been on the machine, great for malware (evil) or any case where the user is not supposed to be running programs outside the enterprise's gold build. You can also use data from the User Assist registry keys to see who ran the program, because the .pf files do not give attribution to who ran the program, but this area could be compared to the .pf files to give this. The EnScript can be downloaded below.

Prefetch Folder Analysis
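
How the three values listed above can be read from a .pf file, as an added Python example (not the EnScript or the Perl script it is based on). The offsets are those of the uncompressed XP and Vista/7 prefetch formats; the function names and the sample file, which describes an executable without an .exe extension, are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
# format version -> (last-run offset, run-count offset); 17 = XP/2003, 23 = Vista/7
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}

def parse_prefetch(data):
    """Return location, run count and last run time from an uncompressed .pf file."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version not in LAYOUT:
        raise ValueError("unsupported or damaged prefetch file")
    name = data[0x10:0x4C].decode("utf-16-le", "replace").split("\0")[0]
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)       # same value as in the .pf name
    str_off, str_len = struct.unpack_from("<II", data, 0x64)  # file name strings block
    paths = data[str_off:str_off + str_len].decode("utf-16-le", "replace").split("\0")
    time_off, count_off = LAYOUT[version]
    (ft,) = struct.unpack_from("<Q", data, time_off)
    (runs,) = struct.unpack_from("<I", data, count_off)
    # Match on the name stored in the header, not on ".exe": a launched .scr or
    # .com would otherwise never be found among the referenced paths.
    location = next((p for p in paths if p.upper().endswith("\\" + name.upper())), None)
    return {"name": name, "hash": "%08X" % path_hash, "location": location,
            "run_count": runs, "last_run": EPOCH + timedelta(microseconds=ft // 10)}

def sample_pf():
    """Constructed XP-format sample for an executable without an .exe extension."""
    paths = ("\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL\0"
             "\\DEVICE\\HARDDISKVOLUME1\\TEMP\\UPDATE.SCR\0").encode("utf-16-le")
    hdr = bytearray(0x98)
    struct.pack_into("<I4s", hdr, 0, 17, b"SCCA")
    exe = "UPDATE.SCR".encode("utf-16-le")
    hdr[0x10:0x10 + len(exe)] = exe
    struct.pack_into("<I", hdr, 0x4C, 0x1A2B3C4D)             # constructed path hash
    struct.pack_into("<II", hdr, 0x64, len(hdr), len(paths))
    last = datetime(2008, 2, 20, 12, 0, tzinfo=timezone.utc)
    struct.pack_into("<Q", hdr, 0x78, (last - EPOCH) // timedelta(microseconds=1) * 10)
    struct.pack_into("<I", hdr, 0x90, 7)
    return bytes(hdr) + paths

if __name__ == "__main__":
    print(parse_prefetch(sample_pf()))
```

The last run time is returned in UTC; converting it to local time is a separate step in which daylight saving rules have to be applied.
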

Tuesday, February 12, 2008

Volatile Data Preservation

Ok, it has been a while since I started this blog but I do not think anyone was reading it or will for a while, so here is my first meaningful post; hope to be on a more regular schedule from now on.

One thing that I have noticed is that the collection and preservation of volatile data is not as well documented or talked about when discussing evidence, and most of the focus is based on the hard drive collection and preservation. This probably has to do with the fact that the collection of volatile data is more related to network intrusion incidents than with prosecutions of criminal acts. This data should be treated the same way as the traditional collection of the hard drive, making sure that the evidence has a chain of custody and cannot be tampered with; more on this can be read here. The Snapshot does a good job in interacting with the target machine as little as possible but preservation of the evidence that is collected is just as important as not interacting with the target machine. One area lacking in the preservation of the collected evidence I have observed, as well as others, is with EnCase Enterprise's inability to preserve their "Snapshots". I have not been able to figure out how to get the data to export from the report view and many have tried this with no luck either. At one point they had a Snapshot database feature that was once available and that is supposed to come back sometime with a new release, maybe 6.99; hopefully it will come back soon (it's been almost a year since they promised it would be back).

In the meantime I thought I could make something for the preservation of this evidence. This EnScript will take a Snapshot from the case and produce either an HTML view of the Snapshot or an XLS workbook. The workbook is easier to use for analysis (auto filter will be your friend), and the HTML view is good for reporting purposes. Please give me comments on what could be done to make it better or more usable. Download it below.

Snapshot Report Generator

Wednesday, January 2, 2008

Start of a new year, new blog

This year I wanted to start documenting some of the stuff that I am doing at work and at home so that I can refer back to it later. I decided to do it in a blog format so that others can learn from what I did well and what I did not do so well.