My Road to Digital Forensics Excellence

Archive for March, 2010

$Secure Streams and Descriptors

Posted by Paul Bobby on March 29, 2010

I was reading through some of the documentation at trying to get a handle on Access Control Entries, or ACE. The easiest way for me to process this data was by walking through a test scenario. So I took a 2gig thumb drive, formatted it NTFS and created a non-resident text file called ‘test.txt’.

I parsed out the Standard Information Attribute:


Search for the Security ID in the $Secure:$SII stream


Go to the offset, 960, in the $Secure:$SDS stream


The following code from the Linux NTFS documentation site describes the details of the Access Control Entry mask.


Posted in Forensics, General Research | Leave a Comment »


Posted by Paul Bobby on March 22, 2010

I have completed my Enscript for identifying and bookmarking data sources that can be parsed with Log2Timeline. The Enscript can be downloaded here.

Some limitations:

  1. No EXIF file gathering. The Exiftool can process a large number of files, and even when limiting the collection to JPG, the enscript method of identifying and verifying the presence of EXIF data is time consuming. The recommendation is to run EXIF Parser under Case Processor, and use the bookmarks generated to supplement your data collection.
  2. IIS W3C log files are not searched for
  3. Opera history files are not searched for
  4. ISA text export files are not searched for
  5. PCAP files are not searched for
  6. The XP Firewall log is not searched for.

The enscript, as always, is available as an enscript and not Enpacked, so feel free to modify if you need to add the above formats.

Once the potential data sources are identified and bookmarked, the analyst should manually review each item prior to export. Selecting the bookmark and using Tag Selected Items will ensure the files are tagged under the Entries view. From that point you can Copy/Unerase, Copy Folders, or even create a Logical Evidence File. The easiest method is to use Copy/Unerase and then point Timescanner at that folder.

Posted in EnCase, Forensics | 2 Comments »

Enscript treat – dynamic signature checking

Posted by Paul Bobby on March 19, 2010

For a while, Enscript writers did not have access to Signature checking mechanisms from within the Enscript framework. One was required to kick off a signature analysis first, then run your script against predetermined signature criteria. This restriction was lifted for version 6, and when writing my Log2timeline enscript, I discovered that the example code to generate this type of dynamic signature check, was incorrect.

Here is the correct code. If you would like to test it, add some evidence to your case and manually select several ZIP files and several non-ZIP files. Then run the script. The Console will show which ones have valid ZIP signatures based on the magic and file extension. This sample code will be used within my Log2timeline enscript as a means to verifying input data prior to bookmarking.

   1: class MainClass {

   2:   void Main(CaseClass c) {

   3:     SearchClass search();

   4:     SearchClass::SigClass sig();

   5:     uint sigOptions = SearchClass::CHECKSIG;

   6:     String fileSigStr;


   8:     FileSignatureClass myFileSignatureTree();

   9:     FileTypeClass myFileTypeTree();


  11:     FileSignatureClass fileSig();

  12:     fileSig.SetExpression("\\x50\\x4B\\x03\\x04");

  13:     myFileSignatureTree.Insert(fileSig, NodeClass::INSERTLAST,myFileSignatureTree.FirstChild());


  15:     FileTypeClass fileType();    

  16:     fileType.SetExtensions("ZIP");

  17:     myFileTypeTree.Insert(fileType, NodeClass::INSERTLAST, myFileTypeTree.FirstChild());


  19:     forall (EntryClass e1 in c.EntryRoot()) {

  20:      if (e1.IsSelected()) { // For testing, select several ZIP files and non-zip files

  21:       if (search.Create(myFileSignatureTree, myFileTypeTree)) {

  22:         search.CheckSignature(e1, sig, sigOptions);

  23:         fileSigStr = SearchClass::SigClass::Types::SourceText(sig.Type());

  24:         if (fileSigStr.Compare("MATCH") == 0)

  25:           Console.WriteLine("Signature Match: " + e1.FullPath());

  26:         else

  27:           Console.WriteLine("Bad Signature for file: " + e1.FullPath());

  28:       }

  29:      }

  30:     }

  31:   }

  32: }

Posted in EnCase | 3 Comments »


Posted by Paul Bobby on March 19, 2010

Kristinn has developed a great tool, and it has been discussed in many places. Timeline analysis is becoming the phrase of the year along with APT, and while timeline analysis is commonplace in my caseload, I decided to give this tool a run – mainly because it has an output mechanism to feed the SIMILE timeline widget 🙂

I had to fix a couple of code issues – one with the input mechanism for reading TLN formatted data, and one with the new file to read McAfee logs. My next goal is to get it to work under Cygwin since for right now I can only get it working under Ubuntu running in a virtual machine.

Encase has the ability to mount evidence using a VFS or PDE mechanism (network share versus emulated disk drive). There are pros and cons in both methods, VFS lets me get to the System Restore points, PDE lets me traverse the tree structure properly when sharing this PDE mounted evidence through SharedFolders in VMWare.

The problem with VFS is that I can’t traverse the tree properly when sharing this mounted file system through VMWare. The problem with PDE is that the System Restore point area is not visible to VMWare.

The issue is still present when mounting using Mount Image Pro.

And I can only get this far if I run VMWare as an administrator. I’m running Vista 64bit, perhaps this issue will go away if I use Windows XP as the host OS. Anyway, that’s too much to change.

So for right now my solution is to identify Log2timeline input files in Encase. Enscript to the rescue. My next post will include this detail. The idea is to traverse the evidence tree and bookmark all files that can be processed by Log2timeline. The investigator then reviews these bookmarks, tags files, and considers exporting to LEF, Copy/Unerasing or Copy Folders as an option to extract data.

Posted in EnCase, Incident Response | 3 Comments »