My Road to Digital Forensics Excellence

CEIC2012 Part 2

Posted by Paul Bobby on May 24, 2012

One of the best things about conferences is the social aspect, meeting people you only know online and getting reacquainted with those you’ve met previously. Spent some time chatting with Simon Key about the developer program, and with James Habben, my EnScript instructor. Finally met Geoff Black and Jon Stewart (you do have your Lightgrep beta, right?) (btw Jon, hopefully I catch you before the conference is over). Met plenty of names from Guidance (hey Joshua), folks who recognize my name from blogging (howdy Sgt Doug Collins), and names associated with vendors such as Blackbag, Clearwell etc.

Session 3: Anti-anti Forensics. So ever encountered CCleaner usage or other system wipers/cleaners? Of course you have. This presentation focused on ‘what was executed’ and ‘when was it executed’. The hardest bit, of course, is ‘what was deleted’. David Cowen (Hacking Exposed: Computer Forensics) has done some original research with the $LogFile. We’ve seen MFT records, INDX records and LNK files carved from the $LogFile, but those 4K record pages can contain much more. One part of the research he was willing to share is a portion of the record that shows the before and after filenames when a file gets renamed (a typical function in system cleaners). There’s apparently plenty more research, but he’s hoping to present at Blackhat this year – watch his blog for more details. (He’ll post two tools called Splitter and SectionSearch.)

Session 4: What’s new in Windows Forensics? John Marsh presenter. A couple of things I didn’t know and need to research more fully. Microsoft Virtual Disks – never really played with them, but for testing purposes they look really cool. The transaction log, $TxF – anyone know if this has been parsed or the file structure documented anywhere? The ‘VirtualStore’ folder – when a legacy 32-bit app without a UAC manifest is run by a standard user and tries to write to a protected location such as Program Files, UAC file virtualization silently redirects the write to a per-user VirtualStore folder structure (%LOCALAPPDATA%\VirtualStore), keeping it separate from the real Program Files area. There’s a registry counterpart too: writes to protected HKLM\Software keys are redirected to HKCU\Software\Classes\VirtualStore, which lives in the UsrClass.dat hive, not in NTUser.dat. Something else I didn’t know. Gotta start looking there in general, and for testing purposes to see what gets written.

Session 5: Timelines with Encase. Sgt Doug Collins, RCMP. Good presentation, and he called out my blog and a post on the Windows Reliability Monitor. Doug has created an EnScript to parse temporal data sources and feed them to a MySQL database he runs in a custom Linux VM. He’s included deduplication checks and a spreadsheet with a database query front end. Cool stuff. One source of temporal data I’d not considered before is Google Analytics cookies (almost every page uses them) – there are several timestamps in there associated with when the site was first visited, last visited etc. He also mentioned Google Chrome and how Chrome indexes every page you visit, storing that data locally – at least that’s “how I heard him”. I need to test that – but if that’s the case, good lord, that’s quite the treasure.
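To show what those Google Analytics cookies actually give a timeline, here is an added example (not code from the post, and not Doug’s EnScript) that parses the classic ga.js __utma and __utmz cookie values into UTC timestamps. The field layouts are the widely documented ga.js ones (__utma: domain hash, visitor id, first visit, previous visit, current visit, session count; __utmz: domain hash, campaign timestamp, session count, campaign count, then the utmcsr/utmccn/utmcmd/utmctr referrer block). The cookie header string is constructed for the example and belongs to no real host.

```python
"""Parse classic Google Analytics (ga.js) __utma / __utmz cookie values into
UTC timestamps for timeline work. Added example; the sample cookie header
below is constructed, not captured from a real system."""
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample, in the form a browser would send it in a Cookie header.
SAMPLE_COOKIE_HEADER = (
    "__utma=173272373.1234567890.1337856000.1337856000.1337900000.2; "
    "__utmz=173272373.1337856000.1.1."
    "utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ceic%202012"
)


def _utc(epoch_seconds):
    """GA cookie timestamps are Unix epoch seconds set by the *client's* clock."""
    return datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc)


def parse_utma(value):
    """__utma = domainhash.visitorid.first_visit.previous_visit.current_visit.sessions"""
    parts = value.split(".")
    if len(parts) != 6:
        raise ValueError("unexpected __utma layout: %r" % value)
    return {
        "domain_hash": parts[0],
        "visitor_id": parts[1],
        "first_visit": _utc(parts[2]),
        "previous_visit": _utc(parts[3]),
        "current_visit": _utc(parts[4]),
        "session_count": int(parts[5]),
    }


def parse_utmz(value):
    """__utmz = domainhash.timestamp.sessions.campaigns.utmcsr=..|utmccn=..|..."""
    parts = value.split(".", 4)  # the campaign block itself may contain dots
    if len(parts) != 5:
        raise ValueError("unexpected __utmz layout: %r" % value)
    campaign = {}
    for kv in parts[4].split("|"):
        key, _, val = kv.partition("=")
        campaign[key] = unquote(val)
    return {
        "domain_hash": parts[0],
        "campaign_time": _utc(parts[1]),
        "session_count": int(parts[2]),
        "campaign_count": int(parts[3]),
        "source": campaign.get("utmcsr"),
        "campaign": campaign.get("utmccn"),
        "medium": campaign.get("utmcmd"),
        "search_term": campaign.get("utmctr"),
    }


def utma_timeline_is_consistent(utma):
    """first <= previous <= current must hold; a violation hints at clock
    changes or a hand-edited cookie and deserves a note in the timeline."""
    return utma["first_visit"] <= utma["previous_visit"] <= utma["current_visit"]


def parse_cookie_header(header):
    """Pick the GA cookies out of a raw Cookie header; other cookies are ignored."""
    parsers = {"__utma": parse_utma, "__utmz": parse_utmz}
    found = {}
    for item in header.split(";"):
        name, _, value = item.strip().partition("=")
        if name in parsers:
            found[name] = parsers[name](value)
    return found


if __name__ == "__main__":
    result = parse_cookie_header(SAMPLE_COOKIE_HEADER)
    for name, fields in result.items():
        print(name)
        for k, v in fields.items():
            print("  %-15s %s" % (k, v))
    print("timeline consistent:", utma_timeline_is_consistent(result["__utma"]))
```

The domain hash in both cookies should agree; if a __utmz came from a different host than the __utma you are pairing it with, the referrer block is telling you about a different site. Browser cookie stores (Chrome’s Cookies SQLite file, Firefox’s cookies.sqlite) hold each value in a separate row, so in practice you feed `parse_utma`/`parse_utmz` the value column directly rather than a Cookie header.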

Session 6: MMA Forensics Challenge. This is the session you live for – an opportunity to flex your 4n6 muscle and take on a class of forensicators. The challenge, contrived obviously, included memory analysis, dead box analysis, pcap analysis and timeline analysis. Points were awarded based on answers to five groups of questions, with prizes for the first to solve each group. I won one of the groups, and took away the prized parrot 🙂 Yes, there were signed copies of various 4n6 books to be won, but heck, that parrot spoke to me 🙂 Pieces of forensic8 (droll).


One Response to “CEIC2012 Part 2”

  1. cpldbc said

    Thanks Paul for the review of my presentation. It’s hard to tell up there how it’s received, so it’s good to get the feedback. Glad you enjoyed it.

    As for the Chrome Index, I haven’t had enough time to fully dive into it, but it is definitely indexing text from at least some of the websites visited. The file “History Index” is a SQLite database and will give up the goodies with “SELECT pages_content.c0url,pages_content.c1title,pages_content.c2body,info.time FROM pages_content,info WHERE pages_content.rowid = info.rowid”. Definitely has some promising stuff in it.
