Friday, February 22, 2008

MSG is Good, No Bad, EnScript Anyways

I know, I know MSG is bad for you but I thought that I would post this EnScript for the EDD forensicators out there. I made this up real quick for a case where exporting the MSG from the EnCase interface was producing undiscernible files. All the exported MSG files are named with the email message subject and if there is a repeatable subject it will get renamed to subject(1), subject(2), etc. It is hard to discern what MSG is which in this way so having a date related to the message gives more info and keeping the Outlook folder structure would be nice too. So what this EnScript will do is export the MSG, name the MSG with the subject and created date, and keep the outlook pst folder structure for you. MSG is bad but sometimes you have to give your client what they want. Get the EnScript below, and again comments suggestions please on any of my EnScripts.

MSG Export

Wednesday, February 20, 2008

Prefetch Folder Analysis

I have received some feedback from the EnCase forums on posting my Prefetch Folder analysis EnScript and I thought this would be a good place to do it, and make it available to everyone. Before I get started I just wanted to give notation to Harlan Carvey and his book Windows Forensic Analysis which this script is based on from one of his perl scripts in that book.

For those of you that have not read the book or don't have idea on what prefetching is, prefetching is Windows way of saving load times for programs that are used often. The .pf files located in the pretech folder are cached portions of .exe files. This folder holds up to 128, sometimes more, .pf files and they all can be analyzed with this script. Each .pf file holds the hard page faults of the .exe along with metadata about where the executable is located and how many times that the .exe has been launched. There maybe multiple .exe .pf files with the same name in the directory such as rundll.exe-[characters).pf or even notepad.exe-[characters).pf each having a different set of random characters after the .exe-. These characters are not random and produced from the file path to where the .exe is located so if one notepad.exe is ran from system32 and another from windows it will generate two different .pf files. Evil will more then likely show up in this folder and you will be able to locate where it is being run from from looking at these files, or running this script.

So the big question is how do I use this EnScript, why should I download it. Well it will show you all the information talked about above, specifically:

Location of the .exe
Number of times .exe has ran
Last time .exe ran

The other data that you can correlate with this is the time that the file was created. Knowing when the .pf file was created and when it last ran will give you a date range on how long the .exe has been on the machine, great for malware(evil) or any case where the user is not supposed to be running program outside the enterprises gold build. You can also use data from the User Assist registry keys to see who ran the program because the .pf files do not give attribution to who ran the program but this area could be compared to the .pf files to give this. The EnScript can be downloaded below.

Prefetch Folder Analysis

Tuesday, February 12, 2008

Volatile Data Preservation

Ok it has been a while since I started this blog but I do not think any one was reading it or will for a while, so here is my first meaningful post, hope to be on a more regular schedule from now on.

One thing that I have noticed is that the collection and preservation of volatile data is not as well documented or talked about when discussing evidence, and most of the focus is based on the hard drive collection and preservation. This probably has to do with the fact that the collection of volatile data is more related to network intrusion incidents then with prosecutions of criminal acts. This data should be treated the same way as the traditional collection of the hard drive, making sure that the evidence has a chain of custody and can not be tampered with, more on this can be read here. The Snapshot does a good job in interacting with the target machine as little as possible but preservation of the evidence that is collected is just as important as not interacting with the target machine. One area lacking in the preservation of the collected evidence I have observed, as well as others, is with EnCase Enterpise's inability to preserve their "Snapshots". I have not been able to figure out how to get the data to export from the report view and many have tried this with no luck either. At one point they had a Snapshot database feature that was once available and that is supposed to come back sometime with a new release, maybe 6.99, hopefully it will come back soon (its been almost a year since they promised it would be back).

In the mean time I thought I could make something for the preservation of this evidence. This EnScript will take a Snapshot from the case and produce either a HTML view of the Snapshot or a XLS workbook. The workbook is easier to use for analysis, auto filter will be your friend, and the HTML view is good for reporting purposes. Please give me comments on what could be done to make it better or more usable. Download it below.

Snapshot Report Generator