nibble on dav nads

Timeline Analysis: The Hybird Approach

2012-01-16T09:25:00.000-08:00

Harlan Carvey recently blogged about approaches to conduct Timeline Analysis:

"So, anyway...I've been thinking about some of the things that I put into pretty much all of my timeline analysis presentations. When it comes to creating timelines, IMHO there are essentially two "camps", or approaches. One is what I call the "kitchen sink" approach, which is basically, "Give me everything and let me do the analysis." The other is what I call the "layered" or "overlay" approach, in which the analyst is familiar with the system being analyzed and adds successive "layers" to the timeline. When I had a chance to chat with Chad Tilbury at PFIC 2011, he recommended a hybrid of the two approaches...get everything, and then view the data a layer at a time, using something he referred to as a "zoom" capability. This is something I think is completely within reach...but I digress."

I very much agree with the various approaches outlined above and their respective descriptions. Well put, Harlan and Chad Tilbury.

Over the years I have observed the traditional "kitchen sink" approach evolve into a "layered - overlay" approach. Fundamentally this has been the building blocks of timeline analysis. Harlan, Rob Lee, and the Sleuth kit have been primary drivers of this transformation with contributions such as "regtime.pl", "mac_daddy", and "fls". These contributions have allowed us to take the "kitchen sink", a entire hard drive image, and break it up into different "layers". Each layer representing a specific artifact type such as registry or file system.

What I appreciate about the "layered - overlay" approach is that it is a effective method of "removing the noise". This is my way of saying, hone in on specific areas of interest. In contrast, the "kitchen sink" approach can result in overwhelming volumes of data that can easily lead to distraction.

For example, if I'm only interested in reviewing USB connections, there are specific "data points" that I only need to look at. In such, I would only apply relevant layers of data points to my timeline (i.e. registry, setupapi.log) to identify the connections. Then if needed, I could double check my results by adding a third layer into the timeline, ".evtx" files (event logs in win7 logs usb connections system) which should essentially overlay my existing USB connections and confirm my results.

Perhaps, I then wanted to see if there was any ".lnk" files created on the hard drive image to show files being accessed from the USB device during the date/time of a USB connection. Subsequently, a fourth layer, file system activity could be added to the timeline for review and quickly filtered by ".lnk" files. In summary, this fundamental process of building a timeline is the concept of the "layered - overlay" approach.

Adobe Photoshop (a graphic design application) is a good example of putting this concept to use. For anyone not familiar with the product (pictured to the right), multiple layers are used to represent and control each part of a image; background, shading/coloring, objects, etc. All of the individual layers merged together (overlayed) make up the "entire picture."

However, as Harlan alluded to, not using the "kitchen sink" approach will dilute visibility into the context of specific artifacts -- limiting your analysis to specific layers instead of looking at the "entire picture." :

"the more data we have, the more context there is likely to be available. After all, a file modification can be pretty meaningless, in and of itself...but if you are able to see other events going on "nearby", you'll begin to see what events led up to and occurred immediately following the file modification."

So how does Dav Nads' combine the best of the two approaches into one - the Hybird Approach?

To my knowledge there's no "out of box solution" or "push button" solution for this. It's a process of using multiple tools and applications. It's a manual process but comprehensive process. The process like all processes should be is constantly redefining to adapt to technology and needs..

It all starts out with owning a lot of real estate, 2 x 24" monitors :-) Having tall and wide monitors is key for any type of timeline analysis. It allows you to see more data (and context) at one glance and increases efficiently by reducing clicking n' scrolling.

I use one monitor to display the timeline data output from log2timeline-sift in SPLUNK. This process is described in detail by Klein&Co. Why do I use SPLUNK to display my log2timeline-sift output?

Running log2timeline-sift on a 120GB hard drive image can easily result in a 2-3 GB of output. Not to mention, try running log2timeline on a 500 GB hard drive image. Microsoft Excel ain't going to work to review all of your data. It has limitations, period.
Sure you can use "l2l_process" to cull your resulting output from log2timeline down by criteria such as date-range, but this still does not guarantee your resulting output will be a manageable volume. It also takes away context and makes the process of building timeline a iterative process if you need to adjust later on.
Most people know enough Python, SQL, GREP or PERL to be dangerous but not productive. Therefore, having a GUI based platform similar to Excel tends to be a preference when reviewing timeline data.

SPLUNK indexes timeline data, providing the ability to search, filter, and sort data on the fly. It's also scalable, in the sense it's a enterprise tool that is designed to work with GBs of data. With the click of a button I can easily refine my timeline to only show certain data types. Note, DAV NADS does not work for SPLUNK, it's just the the best solution I have found.

Harlan raises an excellent point, "That leads me to this question...if you're running a tool that someone else designed and put together, and you're just pushing a button or launching a command, how do you know that the tool got everything? How do you know that what you're looking at in the output of the tool is, in fact, everything?"

If I were to rely solely on the using the output of log2timeline and SPLUNK as a review tool for my analysis, that would be a issue for 2 reasons:

First , let's be honest regardless of what tool used (commercial or open source) they all have or had at one point BUGS. Just as recently as a week ago, a bug in log2timeline was identified on the win4n6 list and was subsequently fixed.

Secondly, timelines are what I like to refer to as skeletons. They do not show you the meat on the bones. Reviewing timeline data may reveal that "Top Secret - Receipt for Coke.docx" was created and opened. However the limitation with timeline data is, you can't view the document. That's when the second monitor comes into the picture...

I use the second monitor to display the hard drive image in a Forensic tool (Encase, FTK, etc). This allows me now to take a look at "Top Secret - Receipt for Coke.docx" and see that it's just a document that discusses how Coke's secret formula is now on exhibit in World of Coca-Cola in Atlanta! This also allows me to potentially see anything that may be in context of this event that is not displayed in my timeline as a layer.

Leveraging a second tool simultaneously to view the data from a different perspective allows me to also double check and verify findings. For instance, if I see that how_to_kill_the_dog.doc was created on January 1, 2013 in my timeline data, I can quickly check to see if I'm seeing the same thing from my forensic tool or if this is a odd anomaly and potentially a issue with my timeline.

From my experience, the Hybrid timeline analysis approach is really finding synergy between the "full kitchen" and "layered - overlay" approaches. The important thing to understand to sucessfully deploy this approach is the strengths and weakness of the tools you use. For instance, identifying the difference between timeline data (output from log2timeline or wherever) that may only contain X where the full disk image contains Z and empowering a processing to fill these gaps. This allows you to develop a Hybird approach, like I described above that fits your needs.

- DAV NADS, tweetin' @DAVNADS tweet at me cyber girls!

2012-01-04T07:31:00.000-08:00

Thank you to all of my #DFIR followers. Hope everyone had a great New Years. Let 2012 bring many dongles, matching hashes, and cold blowing CPU fans to everyone!

-DAV NADS

Digital Forensics SIFT'ing: Cheating Timelines with log2timeline

2011-12-18T14:01:00.001-08:00

Check out my article on SANS about cheating timeline with log2timeline.

Digital Forensics SIFT'ing: Cheating Timelines with log2timeline

Extending Reg Ripper, again.

2011-11-28T06:30:00.001-08:00

A few months ago I posted how to automate the process of reporting all date/time instances a USB connection was made (including from Restore Points), using a combination of Mount Image Pro, SubInACL.exe, Reg Ripper, and some batch script Kung Foo. For one engagement, the scope was 50 + hard drives. Exercising this process reduced analysis time from hours to minutes per hard drive and translated into a significant time and cost savings to the client.

Recently, I received 50 + SYSTEM registry hives from various host systems. Note, due to special circumstances only the SYSTEM hives were provided -- fyi -- there are other artifacts that log USB connections. All hives where preserved in Logical Evidence File (L01s) format. Using Encase I took a look at the L01 files. Based on full path information of the SYSTEM registry hives collected, it appeared they were from both active and Restore Point locations.

For this engagement I needed to report all date/time instances a USB connection was made based on the SYSTEM registry hives provided...

Since I was dealing with hives from various hosts within the L01s-- the only thing segregating them was the directory structure (full path information) they were preserved in. It would be key to preserve this same full path information for each hive in whatever output/report created. This would allow one to tie a Hive back to a specific host later on.

Therefore, it was time to put my thinking cap on. Below is the list of options I came up with:

Manually parse out the Hives.
Run the Encase Advanced Enscript USB parser, but that outputs into a messy log file that is not delimited. Experience also tells me it can be hit or miss.
Export the Hives and run Reg Ripper on each of them one by one, manually building a report as I go.
Build a Reg Ripper batch script, but this would not preserve the file name and full path source of the hive in the output.
Script that sh!@t!!

I like being challenged so scripting that sh!@t using Python sounded trivial. Note, as I stated in my post about using Python to automate the process of creating folder structures, my coding skillz are script kiddie at best so please no LuLzing.

The requirements of the tool needed to be:

Recursively walk through a directory structure (using Encase I exported all L01's preserving folder paths to a case folder).
Identify any "SYSTEM" or "_REGISTRY_MACHINE_SYSTEM" registry hives.
For each Hive it finds:

Append File name to processingaudit log
Run Reg Ripper against it withspecific plug in ( USBSTOR3 to show me all USB connections)
Import Reg Ripper output intoPython memory based list/db
Foreach line imported, append full path of original hive parsed (for auditpurposes -- will allow me to tie a hive back to it's original source later).

Export CSV report for all hivefiles found.

Below is the pretty Python code I compiled. For funI’m going to try to add some error handling, convert to OO, and port into an Executable. For now, all I can say is it works and saved me a ton of manual effort/time.

importos, fnmatch, csv

a =[]

deffind_files(directory, pattern): #Recursively walk directory path for files

print 'Recursively search directory for SYSTEM hives..'

for root, dirs, files in os.walk(directory):

for basename in files:

if fnmatch.fnmatch(basename, pattern):

filename = os.path.join(root, basename)

yield filename

forfilename in find_files('C:\directory_structure_to_search)' ,'*SYSTEM'): #Define dir path and hive type to look for

print 'Found Hive:', filename

print 'Ripping...'

os.system('""C:\\Program Files (x86)\\RegRipper032911\\rip.exe "-r "' + filename + '" -p usbstor3> c:\\final.csv"')

print 'Done Ripping.'

print 'Processing Output...'

with open('c:\\final.csv', 'r+') as f: #Import RegRipper output into list

writer = csv.writer(f)

reader = csv.reader(f)

for row in reader:

row.append(filename)

a.append(row)

log= open('c:\\log.txt', 'r+') #Append each processed file to log output

log.writelines(filename + '\n')

output= open('c:\\output.csv', 'r+') #print 'Writing output CSV'

wr =csv.writer(output)

fori in a:

print i

wr.writerow(i)

printa

output.close

print'Done'

exit

Truly,

Dav Nads

Intellectual Property (IP) Theft and Technology 1o1o1o1

2011-11-13T11:03:00.000-08:00

I'm working on a paper on High Tech Intellectual Property Theft so I thought I would share some food for thought!

According to Wikipedia (whatev that's worth), Intellectual Property (IP) is a term referring to a number of distinct types of creations of the mind for which a set of exclusive rights are recognized—and the corresponding fields of law and theft is the illegal taking of another person's property without that person's freely-given consent.

Do the math, IP + Theft is a equation for stealing s$% you shouldn't!! If you add technology as a variable into this equation, stealing $#% can get super geeky. For instance, a employee can copy the text from a document containing the recipe for Coke onto a website called pastebin.com. This is a website where you can freely copy and paste text making it accessible to the world with just a few clicks. It is a convenient and "virtually untraceable" platform for people to share large amounts of text. The website has been traditionally used by programmers to store source code but also more recently used by HaX0r groups like Anonymous, 4chan, and LulzSec to post their pirated caches and booties.

Methods of IP theft are becoming more advanced and mutually difficult to detect. Traditional methods of detection (i.e. usb connection analysis, print spool files, e-mail, etc.) are not going to CUT it in some cases. I used one example of a insider COPYING and PASTING IP out of a network, but their are many other advanced methods such as transferring data from a laptop to a mobile device in someone's pocket via ad-hoc networking, to installing mobile malware/spyware software on a VIP.

However, traditional methods of IP theft may not be as advanced but just as difficult (if not more difficult) to detect. For instance, taking pictures of IP with a camera phone or calling a partner and communicating IP over a phone. In these cases it's more important to be aware of these methods and put governance and policies in place to prevent so your NOT responding to the "perfect crime".

Let's also not forget about how the most simple digital crime can become ah so difficult. For instance, a terminated user transferred documents from a computer to a USB storage device a week before they resign. During that week, a Windows Update is also run and all USB last connection date/time information in the active registry are unfortunately updated. Now you, as a forensic examiner are challenged to think outside of the box and look elsewhere ;-)

Below is a collaborative (thank you unnamed co-worker) brain dump of potential methods of IP Theft. Note, some of these methods may leave little to NO forensic residue - the emphasis of the paper I'm writing is identification and detection from a Computer Forensic purpose. The purpose of this list is to promote awareness and hopefully assist with your due diligence or your next IP Theft investigation .

Personal e-mail account usage (i.e. user logs into personal e-mail account via web mail and attaches documents or copies text to e-mail message).
Instant Messaging software such as AIM, MSN, Yahoo, Gtalk, or ICQ (i.e. transfer text or attachment over instant messaging conversation)
Internet activity to online storage tools, file sharing services, social media platforms, and public/private forums (i.e. upload documents to online storage service or copy text to website such as pastebin.com).
Access to network resources such as file servers (i.e. copy documents from file server directly to USB device) without subsequently accessing it.
Network connectivity to private networks via Bluetooth, wifi, or remote access to transfer data (i.e. computer transfers documents to another computer via Bluetooth network).
Removable storage device (i.e. user copies data to thumb drive or external hard drive). Keep in mind removable storage devices do not not always get tracked comprehensively (i.e. O/S update occurs that updates all USB last connection date/time information in registry).
Screen capture applications run from removable devices to minimize forensic residue (i.e. run screen recording tool from USB drive).
Use of non-standard applications/protocols such as VPN, FTP, SFTP, P2P, SHH (i.e. Use FTP application to transfer data to remote server).
Copy data to device that be configured as USB storage device such as mobile phone or music player (i.e. copy data via USB to iPhone or iPod).
Bypassing the operating system by booting the system into a bootable disk to copy data to an external drive (i.e. anti-forensic or forensic software such as Helix or Knoppix).
Traditional forensic and IT methods of cloning hard drives (i.e. extract hard drive from system and use forensic software/hardware to copy/clone data).
Host and Mobile device based Spyware/Malware
Other "low tech" methods of exfiltrating data include:

Taking hard copy documents or electronic devices,
Photography or video,
printing,
scanning,
use of unknown devices,
making a phone call and communicating the IP.

Stay tuned.. I will be posting some more forensication soon.

-Dav Nads

Reminiscing about my CEIC 2010 video competition entry

2011-11-07T19:10:00.000-08:00

In 2010, Guidance Software hosted a video competition for 2 free passes to their CEIC conference. We did not win because apparently it was not appropriate.I still went anyways, but reminiscing about our great video!

Debian GNU/Linux Postfix Server Incident - p'owned?

2011-08-24T12:18:00.000-07:00

Reason to believe a server was compromised and it's a physical Debian GNU/Linux mail server in a production environment? ..Sounds like fun!

Below is a short list of items to consider when responding to a incident. This is from a technical perspective and by no means a work plan for a comprehensive investigation.

If you haven't already, try to get a physical or logical image of the device. If the server can't be turned off to acquire physically, consider acquiring the logical partitions live:

    Attach USB
    mkdir /m1
    mount /dev/sdb1 /m1 # Substitute /dev/sdb1 for your USB device’s partition, fdisk –l helps
    dd if=/dev/sda1 of=/m1/my_image.img # this cmd is very basic and will dd the partition to the USB disk. If it uses logical volume manager, copy the logical partition as reconstructing the raid/lvm later could be an issue.

Identify all logs that could contain potential evidence related to the intrusion. Logs are going to be one of the key points of analysis in Linux based investigations. To that point, don't forget to inquiry about log retention polices and procedures during your scoping. For instance, are logs from the target server collected using a SIM, backed up to tape, or maybe logging is not even enabled? A good analogy is, make sure to account for ("or eat") all the crumbs that may be surrounding the cookie.

Here is a short list:

    /var/log/secure
    /var/log/secure.*
    /var/log/messages
    /var/log/messages.*
    /var/log/wtmp
    /var/log/wtmp.*
    /var/log/btmp
    /var/log/btmp.*
    /var/log/mail.log
    /var/log/mail.log.*
    /var/log/apache
    /var/log/auth.log
    /var/spool/
    Check syslog configuration (/etc/syslog.conf typically) and see if additional log files are stored
    If the machine is behind a firewall, check firewall (machine/appliance)logs.

Dear Dav Nads, help me make some folders

2011-07-06T16:31:00.000-07:00

yoGirl: Davnads, you put the "sic" in forensic bc you got skillz.

Davnads: dat rite

yoGirl: I'm trying to stage some data on my network for a eDiscovery engagement that I need to process using the Cloud. I don't have time to manually create 500 staging folders with sub directories. 

Davnads: Yo chair yo' Problem 

yoGirl: :-(

Davnads: Damn sad faces, they always get 2 me. Okay I will help!

In response to my fan mail, I created a ugly (I don't program for a paycheck) Python script that will assist the process of creating directory structures in mass. This script uses the os module. "As is" the script will read a comma delimited file, containing 3 folder names, line by line.

Folder_Names.csv

David Nides,HDD SN XX,Mobile Phone,Network Share
Danny Nides,HDD SN XX,SharePoint Data,Network Share

For each line, it will create a directory structure consisting of the parent folder named based on the first line variable, and sub directories using the second, third, and forth line variables. For example:

>David Nides
   >>HDD SN XX
   >>Mobile Phone
   >>Network Share

>Danny Nides
   >>HDD SN XX
   >>Share Point Data
   >>Network Share

The code is listed below. Note it is currently set to write the folder structure out to the "D:\" drive but this can be easily changed. Let me know if you have any questions.

-----------------------------------------------------------------------------------------------------

#Created by David Nides, 6/29/11
#This python script will input a CSV file (refer to the input.txt template)
#Parse each row and create a directory.
import os
import csv
file = csv.reader(open('folder_names.csv'), delimiter=',')
for row in file:
    os.chdir('d:')
    os.mkdir(row[0])
    print "creating ",row[0]
    temp1='d:/'+row[0]+'/'+row[1]
    temp2='d:/'+row[0]+'/'+row[2]
    temp3='d:/'+row[0]+'/'+row[3]
    os.mkdir(temp1)
    print "creating ",temp1
    os.mkdir(temp2)
    print "creating ",temp2
    os.mkdir(temp3)
    print "creating ",temp3
    os.chdir('d:')

Basic Groundwork for cmd line Scripting Computer Forensic Tasks + VIDEO BONUS

2011-06-21T16:25:00.000-07:00

Watch the video tutorial that I created for our internal team to see this in action and how it works:
http://dl.dropbox.com/u/27705041/final%20bat%20with%20redact.wmv

Task: 50 hard drives, Windows XP, report all date/time instances a USB drive connection was made.

Purposed Solution: Open Encase, Mount Image using Physical Disk Emulator module, Manually change Window’s security permissions/ownership of System Volume Information directory OR export Restore Point directory, Open up CMD prompt, Execute RegRipper against %/Windows/System32/config/SYSTEM and Restore Point, slice and dice output, and misc.

~ 1 hour per hard drive.

Alternative Solution: Batch script that shit!

~ 2 hours of development resulting in ~5 mins per hard drive.

This is the groundwork and a start to scripting computer forensic tasks via the command line. It’s simple, yet very powerful stuff that anyone can do.

Also, a special thank you to David Kovar who was so kind to give me a few pointers along the way. He has volunteered to take this initiative and port it over to Python. More to come from David and I as we work together on expanding on this.

Requirements:

1. Windows XP Examiner Machine
2. Image with Windows XP
3. Mount Image Pro (fully functional 30 day demo available)
4. SubInACL.exe
5. RegRipper

About the Batch:

• Will prompt for disk image Full Path Location (.ad1, .e01, .dd, .vmdk, etc…)

• Automatically mount disk image using Mount Image Pro CLI

• List disk mounting information (drive letters mounted, volume name, file system, etc...)

• Prompt for drive letter that %/SYSTEM VOLUME INFORMATION/% is located. This is where Restore Points are saved. By default this directory is protected and not accessible by the system. This can be automated later on

• Prompt for local Administrator account name

• Automatically Change ownership and grant full access to the %/SYSTEM VOLUME INFORMATION/% directory using SysInternal’s Subinacl.exe.

• List %/SYSTEM VOLUME INFORMATION/% information

• Prompt for Restore Point Directory Name you would like to parse

• Then do work...

• Currently set to execute RegRipper (RipXP.exe) using the USBSTOR3 plugin. This will parse the local SYSTEM hive and every Restore Point System Hive subsequently outputting a nice CSV file showing every USB drive (and corresponding date/time) EVER plugged into the system.

• Anything that is cmd line accessible can be set to be executed after the drive is mounted.

Get Started:

Copy the code below into notepad, save as XXX.bat, and execute via the command line. Make sure you have the three dependencies installed and your paths are defined to the three executables.

Let me know if you have any questions or suggestions… It is just a rough draft but gets the job done for me! A lot more to come... stay tuned

------------------------------------------------------------------------

@ECHO OFF

::v.1

::Date: 6/15/2010

::Created by: David Nides, KPMG LLP

::This batch script will mount image using Mount Image Pro (MIP4.exe),  use Microsoft's SubInACL (SubInACL.exe)  command to take ownership and grant full access to System Volume Information, and then do work such as execute RipXP.exe.

:: This requires that you have installed Mount Image Pro (Demo is available for free), 

:: SubInACL (http://www.microsoft.com/downloads/en/details.aspx?familyid=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en)

:: Any other tools you want to cool

::Set full path of where all your .exe's are located below

set MIP_PATH="C:\Program Files\GetData\Mount Image Pro v4\MIP4"

set RR_PATH="C:\Program Files\Reg Ripper\RegRipper032911\ripxp"

set SUBINACL_PATH="C:\Program Files\Windows Resource Kits\Tools\subinacl"

:input for Mount Image Pro CMD Line

set /P IMAGELOC="Enter Image full path (e.g d:\image.dd): "

echo Your input was: %IMAGELOC%

echo ----------------------------------------------

echo Please wait while drive is being mounted.....

echo ----------------------------------------------

%MIP_PATH% mount "%IMAGELOC%"

echo ----------------------------------------------

echo Please wait while mounted device details are populated.....

%MIP_PATH% STATUS

echo ----------------------------------------------

:input to locate SYSTEM VOLUME INFORMATION - this can be automated later

set /P MOUNTED_DRIVE_LETTER="Look at the above List of Mounted Devices and input drive letter where SYSTEM VOLUME INFORMATION directory is located (e.g. H): "

echo Your input was: %MOUNTED_DRIVE_LETTER%

echo ----------------------------------------------

:input collect username to setowner and grant access to

set /P USER="Enter Administratve user account name to setowner and grant access to SYSTEM VOLUME INFORMATION (e.g. Administrator): "

echo Your input was: %USER%

%SUBINACL_PATH% /subdirectories "%MOUNTED_DRIVE_LETTER%:\System Volume Information" /setowner="%USER%" /grant="%USER%"=F

echo ----------------------------------------------

dir /ah "%MOUNTED_DRIVE_LETTER%:\System Volume Information\"

set /P RP_FOLDER_NAME="Enter Restore Point Folder you would like to parse in /System Volume Information/ (e.g. _restore{46DE8921-1D39-44D2-A9E9-64119261F211}): "

echo ----------------------------------------------

echo Lets do work......

echo ----------------------------------------------

::The below can be set for user config later. In the mean time this is the tell RegRipper to do X section.

::set /P HIVE_to_PARSE="Enter Registry Hive to Parse (e.g. SYSTEM, SAM, NTUSER, SECURITY, SOFTWARE): "

::set /P RR_PLUGIN="RR Plugin to Parse with (e.g. USBSTOR3) "

%RR_PATH% -r "%MOUNTED_DRIVE_LETTER%:\WINDOWS\system32\config\SYSTEM" -d "%MOUNTED_DRIVE_LETTER%:\System Volume Information\%RP_FOLDER_NAME%" -p usbstor3>> c:\output.csv

If  you are interested in reading more about expanding RegRipper and similar projects, I suggest reading Corey Harrell's blog post, Triaging my way.

cHECK oUT Microsoft’s Audit Object Access Policy for Forensic Evidence!

2011-03-28T15:55:00.000-07:00

Let's say client XYZ maintains sensitive budget information within a select folder on one particular Windows fileserver. When originally created, the folder was restricted to specific AD users. At some point, everyone was granted access to the folder. Is there any available trail of activity in Windows to tell who accessed what and when?!?!

YES (if it's turned on)... !!!!!

I learned today that Microsoft’s audit object access policy handles auditing access to all objects outside AD. It is disabled by default, but IF enabled you can audit access to almost any kind of Windows object including files, folders, registry keys, printers, and services.

Pretty cool. I see this as a useful source of information for many investigations so I thought I would share.

http://technet.microsoft.com/en-us/library/cc776774%28WS.10%29.aspx

If it's not turned on, I believe enabling Audit Object Access either within GPO or the local server policy should do the trick. Please note that depending on how many files/folders you have this auditing, disk space may be an issue. You really need a SIEM to go alongside this to parse and alert on anomalies if you want to use this as a true real-time investigate tool.

FTK Imager (for OS X) to the Rescue

2010-08-18T12:36:00.001-07:00

So you have been tasked with acquiring an Apple Macbook Air. There you are, it’s just you and the laptop and you’re losing;

· Your favorite Linux distribution disk won’t boot,

· You spent hours taking the laptop apart only to discover the internal hard drive has a ZIFF or LIF interface and you don’t have an adapter,

· The Firewire and Ethernet ports are missing,

· there is only one USB port,

· and the laptop won’t boot from your USB hub.

This documentation specifically applies to Apple’s Macbook Air models. However, the procedures outlined here should be applicable to all Intel-based Macs. When acquiring Macbook Airs traditional acquisition methods can often be challenged by the lack of external media interfaces and software compatibility issues.

SO…WHAT’S NEXT?!?! In April 2010, Access Data released Command Line (CLI) versions of its popular FTK Imager tool. Supported by one of the versions are Intel-based Mac OS versions 10.5 and 10.6x. I have found this tool to be a strong candidate for Mac collections. This article will explore two collection techniques that exercise this tool:

1. (Live Collection) – Acquisition of a targeted system in a live (booted) state. FTK CLI tool is executed from target’s system and image is written to external USB hard drive. This method is frequently used to acquire systems that cannot be taken offline or when encryption is involved.

2. (Secondary-boot Collection) – Acquisition of a targeted system from a secondary-boot device. Target’s system is booted from a bootable external USB hard drive containing OS X and pre-installed with the FTK CLI tool. Once booted FTK CLI imager is executed from this device and image is written to the same USB hard drive in a separate partition FAT32 partition.

Note: As a forensic practitioner, you should weigh the pros and cons of the two collection techniques and use discretion to what method (if any) suits the requirements and needs of your engagement.

Approach 1: Live Collection – Preparation:

1. OS X does not natively support writing to NTFS or EXT volumes. Therefore, you will need to prepare a HSFS or FAT32 formatted hard drive to write your image too. I prefer FAT32 over HFS because it is readily accessible from Windows.

If you decide to go the HFS route, there is a tool called MacDrive that will allow full read/write to HFS from Windows (http://www.mediafour.com/products/macdrive6/)

2. Download and extract “ImagerCLI 2.9.0_Mac.zip” from Access Data onto the external device:

File: Mac/FTK ImagerCLI 2.9.0_Mac.zip

Link:http://accessdata.com/downloads/current_releases/imager/FTK%20ImagerCLI%202.9.0_Fedora.tar.gz
Supports: Mac OS 10.5 and 10.6x
MD5: 5b33f0ec0c6d5096371f07d19cc698de

Approach 1: Live Collection – Getting Started:

1. If applicable, power on the device and log in.

2. Plug in the USB hard drive you have prepared as the destination drive.

3. Open the console application located in: /Applications/Utilities/Console

This is a window into the other side of OS X. All commands hereafter will be issued from the console.

4. Switch to user “root”: Ftechs-Mac-mini:~ ftech$ Su root

Root privileges are needed for FTK CLI to interact with the host device. You will be prompted for the root password.

*Note 1: The default Mac OS X installation has the "root" account disabled. To enable it, follow the steps here: http://www.spy-hill.com/~myers/help/apple/EnableRoot.html

*Note 2: If you don’t know the root password you can try this to reset it, http://www.macosxhints.com/article.php?story=20001217230925152.

*By following this step you are making substantial changes to the host system.

5. After you have switched users to root, you will need to identify the source and destination hard drives for acquisition: Ftechs-Mac-mini:~ root$ diskutil list

This will query all active disks and their partition layouts:

This information can be interpreted as follows:

"/dev/disk0" is representative of the first physical hard drive (attached to the system). It is determined based on size, volume name, and partition layout that this is the hard drive inside of the system. In this example, the physical device, "/dev/disk0" will be the source of the acquisition.

“/dev/disk1” is representative of the second physical hard drive (attached to the system). It is determined based on size, volume name, and partition layout that this is destination hard drive connected via USB to the system.

On this hard drive there is one volume disk1s1 named Evidence_Drive. This is the volume we will use to write the acquisition to.

However, before you can write to a volume you need to determine what the “mount point” of the volume is. A mount point is the connection the operating system uses to interact with a volume on a hard drive.

6. Mac OS will automatically create a mount point (with full read/write permissions) when a device is attached to the system with a recognizable file system.

The mount point should be consistent with the volume name appended to /Volumes/. The mount command can be used to verify this: Ftechs-Mac-mini:~ root$ Mount

This will list all volumes mounted on the system:

We see here that “/Volumes/Evidence_Drive” is the full path of the mount point for volume “disk1s1” on the destination hard drive “/dev/disk1”. This is the destination mount point.

This now establishes that we will be imaging (source): /dev/disk0 and writing our acquisition image to (destination mount point): /Volumes/Evidence_Drive

After you have determined the source and destination mount point, navigate to the destination mount point where the FTK CLI took resides: Ftechs-Mac-mini:~ root$ cd /Volumes/Evidence_Drive

7. Execute the following command and flags to execute FTK CLI. This will acquire the source /dev/disk0 (physical hard drive inside of the computer) and save to /Volumes/Evidence_Drive (on the destination hard drive volume) in .EO1 format and fragment every 4 GB with no compression

Ftechs-Mac-mini:~ root$ ./ftkimager /dev/disk0 /Volumes/Evidence_Drive/imagename –e01 –frag 4G –compress 0

A full list of usage and options can be viewed on the man page. This can accessed from the command by: Ftechs-Mac-mini:~ root$ ./ftkimager help

Approach 2: Secondary-boot Collection – Preparation:

1. Before you start you will need:

· An Intel-based Mac to use (examiner maEV0ne),

· OS X 10.5.x or later installation DVD,

· and a large enough external USB hard drive to install both OS X onto and contain the image(s) of the collection (apx. 320 gb +).

2. You will need to partition the USB hard drive with two volumes:

1. Volume 1 - Boot: Approximately 16 GBs formatted OS X Extended (Journaled)

2. Volume 2 - Storage Area: Remainder of drive formatted Fat 32

Partition Layout Example:

· One volume to install OSX which will be the boot partition. The second volume as a storage area that can be used to write your image(s) to.

· I would suggest using Apple’s Disk Utility, located at /Applications/Utilities/, to prepare this drive.

3. To make the USB hard drive bootable it must have ownership enabled.

1. Locate the 16 GB volume on your Mac desktop, right-click its icon, and select ‘Get Info’ from the pop-up menu.

2. In the Info window that opens, expand the ‘Sharing & Permissions’ section, if it’s not already expanded.

3. Click the lock icon in the bottom right corner.

4. Enter your administrator password when asked.

5. Remove the check mark from ‘Ignore ownership on this volume.’

6. Close the Info panel.

7. Once you complete, your USB flash drive will be ready for you to install OS X.

4. Install OS X - Summarized

1. Plug USB hard drive (prepared above) into Mac.

2. Put Install DVD in the Mac.

3. Reboot.

4. Choose to install OS X on the USB hard drive 16 GB partition, OSX Journaled Extended.

5. You may want to customize the software packages that OS X will install to minimize disk space required for the installation.

5. After install, test to make sure the Mac will boot from the secondary boot drive you just created instead of the internal hard drive. At start up hold down the “Option” key and you will be prompted with the boot options menu.

6. Once you are booted to the USB hard drive, the secondary OSX boot drive, you will need to copy over the FTK CLI application onto it. You can use a flash drive to do this or just go online and download it if you are connected to the internet.

7. The default Mac OS X installation has the "root" account disabled. Enable it by following the steps listed here: http://www.spy-hill.com/~myers/help/apple/EnableRoot.html

8. Your secondary OSX boot drive is now created and has FTK CLI on it.

Approach 2: Secondary-boot Collection – Getting Started:

1. Plug the secondary OSX boot drive you created above into the Mac maEV0ne you would like to acquire.

2. Start the Mac up holding down the Option key at start up to get to the boot options menu. Select to boot to the external secondary OSX boot drive.

3. Once booted, follow the steps listed above starting in Approach 1.3. In summary:

a. Go to console.

b. Switch to user root.

c. As illustrated below, identify the physical source hard drive (hard drive inside of the computer)

d. As illustrated below, identify the destination hard drive, volume, and mount point of the FAT32 storage-area volume on the Secondary-boot hard drive.

Attached disks:

Mounted devices:

e. Navigate to the location of the FTK CLI tool and execute the command with the proper usage and flags.

Ftechs-Mac-mini:~ root$ ./ftkimager /dev/disk0 /Volumes/EV0-09027_F/imagename –e01 –frag 4G –compress 0

MacBook Air Fun

2010-06-29T08:10:00.000-07:00

I had a small window of time the other day to image a Apple Macbook Air. It was like “my first time” so I felt it would be appropriate to do a little research about “how to turn it on” and “what buttons to press” to make sure things didn’t get sloppy ;-p

I can’t emphasize how important it is to go into situations with more than one option. It’s like the old sang, “Why carry a tool box if you only have one tool in it?” After a little research, I came up with a Plan A and Plan B. Not talking about the Plan B - One-Step here :-)

Before I jump into my procedures, let me note a few things:

I knew ahead of time that this Macbook Air did not have an Apple Super Drive (external CD/DVD drive). I do not have an external CD/DVD drive or Apple Super Drive in my forensic kit. Maybe I need to get one!! Furthermore it is reported that not all USB CD/DVD drives are compatible.The Macbook Air only has one USB port. This USB port is buried in the shell so not all thumb drives will physically fit into it. Yes, I had this problem… What can I say, Dav Nads has a BIG USB thumb drive!!
Similar to the external CD/DVD drive issue, it is reported that some USB hubs do not let you let you boot from them. The one I tried was a Belkin Desktop Hub (Model F4U016) which comes with an external power supply to power the USB ports.
The Macbook Air does not have a Firewire port. Therefore, you CANNOT acquire using Targeted Disk Mode.
There is no eSata port, ethernet port, or PCMCIA slot

Here’s what I tried:

A) Forensic Linux Boot Disk to Acquire:

We have an in-house Linux variant comparable to Helix, Knopix, Raptor that we use for boot acquisitions. Note that since I did not have an external CD/DVD drive it was a requirement that I load the Boot Disk into RAM since the laptop only has one USB port. I needed the one and only USB port free so I could plug in an external USB hard drive as a destination to save the image to. Our boot disk has a “Load to RAM” option which allowed me to do this. I believe others do as well.

Boot to Forensic Linux from USB thumb drive.
Load into RAM. Some boot disks have this option as noted above.
Remove USB thumb drive and plug USB storage hard drive in.
Image away.

Unfortunately, the specific chipset in the Macbook Air I was acquiring from was not compatible with my Linux boot disk. I found this interesting because it worked for a colleague a few months ago on an earlier MacBook Air model which was also Intel-based. Regardless, it was on to Plan B. I will note here that I have heard Raptor works well booting in Mac environments. However, I did not have time to try it in the field and I do not think it has the option to load into RAM.

Here is what I did:

B) Remove Hard Drive:

Before you get started note that for Rev A Macbook's I would expect you would find a PATA ZIF hard drive. For Rev B&C, you should find a SATA LIF hard drive.

Unfortunately, I have not found a adapter yet for LIF interfaces. So stop reading here if you know that is what your working with. The only place I have seen an adapter advertised for purchase is here, but it has always been out of stock. I recently told that LIF adapters could also be purchased here but I have not personally verified this. If you don't have a adapter to interface with LIF and now looking for a plan C, check back for my next post on FTK's CLI tool for OSX.

There is an excellent tutorial, written by Lee Whitfield, on Forensic 4cast documenting how to remove the hard drive from a Macbook Air. This can be found here. Alternatively, there are a number of videos on YouTube. This is the one I watched.
Whenever I take something a part, I like to draw a picture of where I extracted each piece/screw from. Something that may come in handy when putting it back together! It's also not a bad idea to tape the screws to the piece of paper. I actually had an experience were a person knocked the screws over once and I had to be real creative about putting the laptop back together. Live and learn LOL.
If the laptop has a SSD hard drive you will need a ZIF adapter. I recommend the one that Tableau sells (now owned by Guidance Software). If you use this one, it must be connected this way: To image a Samsung 1.8" drive, connect the Tableau TC20-3-2 ZIF cable to the adapter label face-up. Then connect the cable to the Samsung 1.8" drive, positioning the drive label face-up
Image the hard drive externally using hard drive duplicator or your tool of choice.
Put it back together!!

I will note that it has been reported that some Linux boot disks may temporary disable or render the one USB Port inactive. To reset the USB port, make sure the Mac is turned off. Press and hold the following keys on the keyboard: Shift, Control, Option (all on the bottom left side of the keyboard) and Press and hold the Power button (top right of the keyboard). Hold for about 5 seconds and then release them all. You will not see indication of anything. Try to boot from the External Drive again.

I will document another collection option using FTK Imager CLI for OSX in my next post.

Incident Response Questions

2010-06-01T21:10:00.000-07:00

The next time your network gets p'owned don't choke your suspects with USB cables, just ask the same questions Dav Nads would!

Understand the Nature of the Incident’s Background

1. What is the nature of the problem(s), as it has been observed so far?

2. How was the problem(s) detected initially?

3. When was it detected and by whom (build time line and list stake holders)?

4. Who is aware of the incident? What are their names and affiliation to the organization?

5. What groups or people are internally affected or targeted by the incident?

6. Were other security incidents observed in the affected environment or the organization recently?

7. Is there any history of similar situations or patterns?

8. Who is designated as the primary incident response coordinator?

9. Who is authorized to make business decisions regarding the affected operations of the IT infrastructure?

10. What theories exist for how the initial compromise occurred?

11. Are we aware of compliance or legal obligations tied to the incident? (e.g., PCI, breach notification laws, etc.)

Review the Initial Incident Survey’s Results

1. What analysis actions were taken during the initial survey when qualifying the incident?

2. What commands or tools were executed on the affected systems as part of the initial survey?

3. What measures were taken to contain the scope of the incident? (e.g. disconnected from the network)?

4. What alerts were generated by the existing security infrastructure compromise (e.g. IDS , anti-virus, etc.)

5. If logs were reviewed, what suspicious entries were found? What additional suspicious events or state information, was observed?

Technical Assessment to Determine Scope

Infrastructure

1. The affected IT infrastructure components are physically located where?

2. Request/ Review Network Topology diagram.

3. Does an automated IT Asset Discovery tool exist? If not, account for all IT assets related to the compromise in the infrastructure

4. Identify each Host by Name, network address (internal and external), O/S, and purpose, asset #, make, model, version, build, etc.)

5. Understand how the network functions: Firewalls, Domains, VPN, DMZ, Gateways, Access Points, Intrusion Detection systems, Intrusion Prevention systems, Proxy, Anti-Virus, Domain Controllers, Data Storage, E-mail systems, ERP systems, and etc.

6. Service provider, DNS, Internal IP Ranges, and external facing IP ranges.

Logging

1. What assets have the ability to log? What is turned on and what is off?

a. Network:

i. Firewall,

ii. Routers,

iii. Wireless Access Points,

iv. Domain Controller,

v. AV,

vi. ID and/or IP Systems (IDPS),

vii. Systems,

viii. Network appliances,

ix. File Servers,

x. Backups,

xi. etc.

b. Physical:

i. Building entry / exit,

ii. Video surveillance, etc.

2. Are logs backed up or written over?

Security

1. What is the security posture of the affected IT infrastructure components? How recently, if ever, was it assessed for vulnerabilities?

2. What security infrastructure components exist in the affected environment? (e.g., firewall, anti-virus, etc.)

3. How are the security components configured (Wireless, Firewall, DMZ, Segmentation, etc)?

4. Do computers have standard images/builds?

a. OS versions and service patches?

b. Local and network policies?

5. Do servers have standard images/builds?

a. OS versions and service patches?

b. Local and network policies?

6. IDPS Systems Network and/or Host based?

a. What kind? Version?

b. Passive or Reactive?

7. Anti-virus Network and/or Host based?

a. What kind? Version?

b. Definition updating policies?

8. Password policies / account audits?

9. Wireless Access Point Security type (i.e. Authentication, encryption, etc.)

10. E-mail Server and Security (i.e. Attachments Scanned, dumpster, retention)?

11. File Servers?

a. Type?

b. Share permissions?

c. File System?

d. Achieved/Backed up?

12. Guest and Remote access?

13. Backup Policies, routines, documentation, continuity plans, data storage?

Users

1. Active Directory or eDirectory Listing: Active or Departed?

Prepare for Next Incident Response Steps

1. Does the affected group or organization have specific incident response instructions or guidelines?

2. Does the affected group or organization wish to proceed with live analysis, or does it wish to start formal forensic examination?

3. What tools are available to us for monitoring network or host-based activities in the affected environment?

4. What backup-restore capabilities are in place to assist in recovering from the incident?

5. Who will be leading this effort from the Organization?

Communication Parameters

6. Communication mechanisms will be defined to communicate when handling incident.

7. What is your availability to schedule external regular progress updates? Who is responsible for leading them?

DAV NADS @ CEIC IN VEGAS!!!

2010-05-25T17:08:00.000-07:00

Dav Nads is tweeting from the CEIC conference in Las Vegas this week!! Holla @ me if your reading and check back for updates!!

Dav Nads gets Certified!!

2010-05-18T14:31:00.001-07:00

I have always been eager to learn and challenge myself to further develop intellectually. Over the last 3 months, I challenged myself to obtain 3 professional certifications. Dav Nads is now EnCE, EnCEP, and ACE certified, Bit%hes!!

Sorry it's been awhile.. I been working hard on my smarts. Dav Nads is BACK!

Dav Nads & USB protection

2010-02-11T13:46:00.000-08:00

The Windows operating system has a Registry setting that can add USB write protection to a computer system. It is like a switch that can be enabled to make use of the write protection or disabled to allow write processes. Check it out:

ON!!

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]

"WriteProtect"=dword:00000001

OFF!!

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]

"WriteProtect"=dword:00000000

Always write-blocking, never cock-blocking,

Dav Nads

GroupWise .. Who the F#$% knew this...??!!

2010-02-08T08:16:00.000-08:00

I was out and about doing some "Live" GroupWise E-mail collections. For the living sake of me, I could not figure out how the #$% to "log out" of one users mailbox and log into another, from the client application.

It ends up GroupWise has commands that you can use when you start the client. Quoted from Novell itself,

"Some of them are for your convenience, while others are necessary to run GroupWise on your particular hardware."

Well if it was for my #$%#$% convince, why the hell wouldn't you just make a button somewhere or put this in the options box??? I didn't know you needed to be a freaking rocket scientist to administer the system.

Well anyways, if you have the pleasure of logging into GroupWise this may come in handy. The switch you will need to use to re-activate the login dialog box is: /@u-?

A list of the other switches can be found in Novell's Documentation.

Using a GroupWise Startup Switch

Right-click the GroupWise icon on the desktop > click Properties.
Click the Shortcut tab.
In the Target text box, after the GroupWise executable, type a space, type the startup switch(es), then click OK.
1. Separate multiple startup switches with a space, like this:
```
J:\GRPWISE.EXE /ph-pathname /@u-?
```
  In this example, /ph- is the startup switch to specify the path to the post office. The pathname is the path to the post office. The /@u-? switch is used to display a login dialog box a user can supply with login information whenever he or she opens GroupWise. This switch is useful when two or more users share a workstation but have separate GroupWise Mailboxes.
2. Restart GroupWise.
  
  Holla, DNAds

Exchange 2007 Collections ....ugggh!

2010-01-29T11:26:00.000-08:00

Once upon a time, DAV NADS was collecting mailboxes from a 64-bit Exchange 2007 server environment (LOL!). I wanted to take a moment to highlight a few things I learned that I hope you may find helpful.

“ExMerge” no longer exists. As of 2007, this functionality has been integrated into Exchange’s Management Shell Cmdlet’s (available in SP1 and SP2).
Cmdlets is NOT compatible with 64-bit servers ONLY 32-bit. I will describe a “work-around” I used in detail below.
The CMD you will need to know and use is called: Export-Mailbox.

One notable advantage of “Export-Mailbox” over “ExMerge” is it does NOT have issues exporting mailboxes over the 2GB PST limit.
Export-Mailbox will include “Dumpster” data on Exchange 2007. On Exchange 2010 is does NOT…!
Just like ExMerge, before you can use Export-Mailbox, you need the proper account rights.

Local Administrator rights.
Exchange Server Administrator Role on the target Exchange 2007 mailbox server.
Full access to the mailboxes against which the import/export operation is run.

It is quite cumbersome, but STILL possible to install Exmerge on a client machine and connect to Exchange 2007 remotely. A tutorial on this procedure is here: www.exchangeinbox.com/article.aspx?i=88

The work-around I followed to the 64-bit limitation was quite simple:

1.       Because I could not export to PST but still had the ability to export to a mailboxes, we created a “dummy” mailbox and exported to this mailbox. For example, the below command will export ALL e-mail from the “davnads@blogspot.com” identity to the “MyData” folder in the “DummyMailbox”.

     Export-Mailbox -Identity davnads@blogspot.com -TargetMailbox DummyMailbox -TargetFolder MyData

2.       After we exported the data to a “DummyMailbox” we authenticated to the mailbox with Outlook.

3.       Manually created a new “Local” Outlook Data File (PST file).

4.       Manually copied over all e-mail from the Exchange “DummyMailbox” to the “Local” PST file.

Now, if you are working with a 32-bit Exchange server, this is the command you need to use to export the contents of a Exchange mailbox to a local PST file:

    Export-Mailbox -Identity davnads@blogspot.com -PSTFolderPath C:\PSTFiles\davnads.pst

Dav Nads the Exchange Guy.

Don't go fishing for server data.. Just ask Dav Nads!!!

2010-01-26T17:34:00.000-08:00

No one likes to go fishing for data, so this is the basic list of information I request from IT administrators before I start cutting data!! If you don't get answers, check out this secret millitarty instructional interrogation video on water boarding. I'm just saying!

1.) Listing of Active Directory and/or User Names for all Custodians.

2.) For all Custodians, a Permission listing of all Personal and Group Shares they have write-access to (i.e.: Custodian Dav Nads has write access to directory ABC on the File Server XXX).

3.) Lotus/Exchange Mailbox name(s) for all custodians (i.e.: DavNadz.nsf) and servers they reside on.

4.) If possible, Local and Admin Security ID files and passwords to access the respected custodian’s local and server mailboxes.

Always catching and never fishing,

DNads

"Dav" + "Nads" = "Dav Nads" - Use excel to CONCATENATE!

2010-01-25T14:25:00.000-08:00

CONCATENATE is the method of joining two or more text strings into one text string.

The syntax in Excel 2007 is: CONCATENATE (text1,text2,...)

Text1, text2, ... are 2 to 255 text items to be joined into a single text item. The text items can be text strings, numbers, or single-cell references.

Always saving time,

Dav Nads.

Nads does HFSX with Encase

2010-01-21T16:48:00.000-08:00

Encase does NOT support the OS X Extended (HFSX) file system... but it's on the feature request list!! So leave it to Dav Nads to find a workaround. It's not what I would call a forensically sound procedure, but if you document it, this 3 step hack may be what it's worth.

1. Convert your image over to a RAW format like DD.
2. Fire up a Hex Editor
3. Modify 2 bytes in the 3rd sector of the HFSX partition by changing the second byte of the sector from a 'x' into a '+' and changing the byte value of the 4th byte from \x05 into \x04.

Congratulations. You just changed the HFSX partition into a HFS Plus (HFS+) partition... which Encase readily supports :-)

NOTE this little byte swap is not the only difference between the two files systems! For instance, HFSX supports case sensitivity so Encase may not properly handle file names (i.e.: Evidence.txt vs. evidence.txt). This means proceed with your own Nads.

Your welcome,

Dav Nads

Dav the Data Carver Nads (from Carver County, MN)

2010-01-20T15:15:00.000-08:00

Two products I wanted to give a shout out to this week are in result to a recent initiative involving the recovery of video fragments from unallocated space. File Salvage ($89.95) for the Mac's and Stellar Phoenix ($69.99) for the PC's.

Overall, I was surprisingly impressed with my experience and results. Both tools were straight forward and simple to use. From a technical perspective, I liked how both products integrated a categorized predefined signatures list into the User Interface. So I was quickly able to identify file signatures pertaining to my request. Additionally, both tools allowed me to preview results and selectively export them.

On the not so great side, I found there was a few discrepancies between what the manufactures stated on their website and what was provided. For example, it was stated that File Salvage supported (DD, E01, NTFS, HFS, etc..) and actually it only supported whole-disks or mountable DMG files. So I had to use FTK Imager to converter my E01 to DD and then rename the DD to a DMG. Also, note that this does not work on segmented files.

Another thing I would like to note is when reviewing corrupted and fragmented video files, some viewers work better then others... I had bad luck using the standard Windows Media Player, good luck using Windows Media Player Classic, and THE BEST luck using VNC player. Using a combination of all three viewers was what I found the ultimate solution.

Also, something unique pertaining to this request was that file volumes were requested for any recovered data. In respect to files that where “partially” recovered, the file volume (MBs) would be reported on the basis of what could be recovered. In most instances this value can be assumed to be less than the “original”.

A more precise estimate of the “original” file volume can be calculated based on the meta data value of video length. For instance, a partially recovered video is 2 minutes in length and 10 MB in volume. However, the files meta data value for video length is 20 minutes. Therefore, you could assume 10 MB /2 mins = approximately 5 MB per 1 minute frame. So the actual movie size would be more like 100 MB.

Enough said,

Dav Nadsss

Working with Lotus Notes...

2010-01-14T14:54:00.000-08:00

So let’s start with the BASICS here… what the heck does a NSF file stand for and what does it DO? Notes Storage Facility and it is used primarily for E-MAIL (and other stuff)...!! Kind of like a PST or OST!

Now since we have taken care of that, let’s jump into the common types of security and protection we commonly encounter while handling NSF files in an OFFLINE environment… As outlined below, there are 3 major classifications, Local Security, Local Encryption, and Message Level Encryption.

The first step is to identify how a NSF file is protected, if protected at all. Now, this sounds like a simple task but it’s actually quite tedious and can be the utmost challenging part… Let’s take a look at the options.

Common sense says “Hey, let’s just crack open a duplicate/working-copy to see what happens?!” Actually, this is not a bad idea... Based on the error message you receive alone, if any, you can instantly determine how a NSF file is protected! For example;

"You are not authorized to access that database", and fails to open, means you’re dealing with Local Security.

"This database has local access protection & you are not authorized to access it locally”, and fails to open, means you’re dealing with Local Encryption.

Unfortunately, there’s no way to determine if Message Level Encryption is in place based on opening the NSF file alone. Since it’s the actual message is encrypted vs. the container itself.

When is this NOT such a great idea? How about when you have 2,000 NSF files to analyze!! So, there are two alternatives that I’m aware of...

One, just push all the messages through your “processing tool” of choice and hope to G-d it has intelligence (like Dav Nads!) smart enough to report on exceptions. In other words, what it couldn’t process due to errors or security protection. This can then be analyzed on a file by file, case by case, basis as outlined above.

The second option is to automate this process with a bit of scripting. Again to my knowledge there are no tools on the shelf that will do this stand alone. But let’s just say I know it can be done pretty easily because I have seen a proof of concept for this. Feel free to ping me for more info but in a nutshell you just need to know how to query the ACL table.

So now before we jump into how to resolve these types of protection and encryption, let’s briefly explore how they work…

Inside of a NSF file is an Access Control Levels (ACL) table. These settings control the type of actions a user can perform on the contents of a database and on the database itself. Access levels range from Local Encryption, which encrypts the database, No Access, which prevents a user from opening a database without proper credentials, to Manager, which lets a user read, create, and edit the ACL and all documents in the database. Further details on these setting can be found at IBM.

So in summary, ACLs limit access to the NSF files. The ACL define what actions each type of user is allowed to take.

Finally, here are the options available to remove these types of protection/security:

Local Security

1.      Use the associated ID File and Password to manually remove the ACL permissions protecting the NSF file.

2.      What happens if you don’t have it? Use a Lotus Notes local security removal tool. For instance, Securase, removes local security from NSF files. It's simple to use and helps you save time running around trying to find the correct user id and password to open a local NSF file.

Again this process, can be automated :-)

Local Encryption

1.      Use the associated ID File and Password combination to manually remove the ACL permissions encrypting the NSF file.

2.      What happens if you don’t have the password? Well, here a little trick that works sometimes… when a user is prompted change their password from the default to their personal, it does not change the actual key used for encryption.

Therefore, the ID file that the admin generated the day the employee started or the local ID file, with the default password of 'password1', or the user's last name, or whatever the admin likes to use, will still decrypt the NSF file that is protected by the new, unknown password.

3.      Despite what some tools claim, there are no tools that will “magically” decrypt encrypted Lotus Notes Databases. However, Access Data’s Password Recovery Toolkit will brute-force attack the ID file. I have never successfully accomplished this but in theory it should work. Just might take some time :-)

Message Level Encryption

With the exception of asking for the password or brute-force attacks, I’m not aware of any way to challenge message level encryption . Please help me out with this if you can!!

Yours Truly,

Dav Nads

dNADS got BRAINS!!!

2010-01-08T14:51:00.000-08:00

... scored 11/10 on the "Cables, plugs, wires, cords...that connect your TV, audio, computer, and iPod" TEST. If you think you got SMARTS about computer forensics this is where is all starts... LEARN THE SYSTEMS, LEARN THE SOFTWARE, then ya got SYNERGY. The boss once put it like that ;-)

check it OUT!

Dear PhotoShop, Thank You for makin the prettiest Dav Nads in the Planet

2010-01-07T21:54:00.000-08:00

Dear Gizmodo,

These photochop girls look GrEaT! But I'm REALLY looking forward to the sexiest man in the planet contest starring... DAV NADS!!

"What would happen if Angelina Jolie and Chalize Theron had a baby with Megan Fox, Monica Belucci, and twelve hot actresses? I don't know if this would be the result, but I'd like to

watch them try." ThiS IS wHAT would HAPpEn...

GodMode

2010-01-05T08:20:00.000-08:00

By creating a new folder in Windows 7 and renaming it with a certain text string at the end, users are able to have a single place to do everything from changing the look of the mouse pointer to making a new hard-drive partition.

The trick is also said to work in Windows Vista, although some are warning that although it works fine in 32-bit versions of Vista, it can cause 64-bit versions of that operating system to crash.

To enter "GodMode," one need only create a new folder and then rename the folder to the following:

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

twenty-ten

2010-01-03T00:22:00.000-08:00

twistin joysticks, rolling trackballs N' pushing big buttons. my handle is nads and i work the sketch pads. flip that switch, wack that biatch, this aint no computer glitch. im simpimply a boy genious that plays the keyboard...

D_NADS

US airforce p'owned with $26 data carving tool... LOL!!!

2009-12-22T05:25:00.000-08:00

It was reported last week by a number of sources, that Iraqi insurgents found a way to INTERCEPT airplane (and drone) video feeds with $26.00 SHAREWARE software...LOL!!!! The software in the spotlight is called SkyGraber. Essentially, this is just a little data carving tool... It connects to your satellite connection and carves out known file types from the air. One just happening to be unencrypted video feeds! The best thing to compare it to is a network sniffer.

The amazingly insecure protocol the government uses is called: Remotely Operated Video Enhanced Receiver (ROVER). This technology was deployed in 2002, "Since then, nearly every airplane in the American fleet - from F-16 and F/A-18 fighters to A-10 attack planes to Harrier jump jets to B-1B bombers has been outfitted with equipment that lets them transmit to ROVERs. Thousands of ROVER terminals have been distributed to troops in Afghanistan and Iraq..." -Wired.

An encryption package can be added to the ROVER; however, not all troops have the encryption package. The latest ROVER model being tested by the Pentagon comes equipped with two advanced encryption packages. Sources report, an official document puts a completion date to secure the feeds by 2014 :-/

...Not to mention, this all came to about, when the military kept finding hours and hours of it's OWN surveillance videos from computers it was imaging out in the field...

YUPPPP!!!!

-Dav NADS

NEW Advanced Format gives ya 11% MORE capacity on your Hard Drive!

2009-12-14T09:57:00.000-08:00

Western Digital has a fancy new way to format hard drives. This consists of changing your hard drives sector size to 4KB that uses a pooled Sync/DAM header and ECC blocks.

Dav Nad's on Sharing ;-)

2009-12-09T12:43:00.000-08:00

A situation arose yesterday where a deliverable, Microsoft Office Excel workbook, needed to get out the door under a tight deadline. I had a team of 5 resources at my disposal to assist with the project. However, given the nature of the complexity and manual task at hand, it would have just made things more time consuming and convoluted by delegating work out to each resource. So I thought to myself it would be amazing if we could put this workbook in a neutral location where we could all work on this task collectively and see each other’s changes and monitor progress.

So I recalled that Microsoft Office 2007 had the capability of doing this. So I took the workbook, placed it on file server that resides on our LAN that everyone has access to. I then “Shared” the workbook to the specified “users” I wanted to delegate “write-access” to and setup the settings associated with how to save and update the changes within the workbook. In all, this process took me about 10 minutes to setup and test.

The end result was this amazing feature allowed me to delegate work efficiently while maintaining a management oversight. Work Smarter not Harder with Sharing!

Here is a link to Microsoft's detailed documentation on this feature.

Encase and Windows 7, Server 2008

2009-12-03T16:18:00.001-08:00

The Remote Desktop Protocol and Encase Forensic do not play well together in Windows 7 and Server 2008.

The traditional fix to this in XP and Server 2003 was to use the MSTSC command with a /console flag (or /admin for later service packs) to carry out console mode. However this does not work anymore. So I did a little research...

It's stated on Guidance's website that "EnCase is not officially supported running over Remote Desktop due to the manner in which the Remote Login Account is given access to the System devices". A discussion with one of their support representatives and some messages on their forum in fact further confirmed that Encase has never supported RDP (in any of their releases).

BUT, Guidance then goes to say in the same article that "IF the RDP configuration does not work the only alternative is to purchase the SAFE NAS (Network Authentication Server) to license EnCase over the network." Well, if that's not a contradicting statement, I don't know what is! So they are saying its not supported but if you want to make it work you can BUY something they sell to make it work? As a user this makes me shake my head and as a shareholder, I would be lying if I said I wasen't smiling :-)

Some say this is a licensing strategy, a method to prevent multiple users from using multiple instances of encase off of one license. But I don't see how that type of "abuse" is even technically possible under the current limitation of RDP and Encase only working in console mode. So I don't buy that really. I think the reason it does not work in Windows 7 and 2008 server is because of something that has changed in the O/S. I'm not sure what this is but I'm going to look into it.

So here's a solution I purpose to Guidance. Migrate over to a system like Access Data's License Manager and Code Meter dongle (hold on, did I just say something good about AD?). With Access Data's License Manager system a user has the ability to transfer/update licenses from and to their dongles. Ideally, one could use a dongle normally and then if one wanted to use RDP, they could migrate their license over from the dongle to the NAS Safe. Then vice versa. Damn I think that is genius! LOL But this would sure make people happy!

Well enough of that, here's something good. I have 2 round about workarounds for Win 7 and 2008 Server to get RDP working -

Disable Fast User Switching, Disable User Account Controls, start up your instance of Encase Forensic, open your case up/start your processing. THEN, remote in using the "mstsc /admin" command and log in as the same user you have an instance of Encase already running under. This works.
Now, you can always use a VNC or PCAnywhere application to accomplish this as well. Works like a charm.

But neither of these are practical solutions. Welp, back to XP for me!

Dav Nads

- Posted using BlogPress from my iPhone

Did ya know this?

2009-12-03T07:38:00.001-08:00

In Windows Vista and 7 when using device manager to do a "full format" it will actually zero out the drive. That's a legit REAL wipe! "Quick format" remains the same, it only wacks out the volume boot record.

Sounds like an easy way to wipe hard drives :-) I'm curious how fast it is?

http://support.microsoft.com/kb/941961

Dav Nads
-from my iPhone

SharePoint Collections can be tricky!

2009-12-02T20:52:00.000-08:00

I had an opportunity to collect data from a Microsoft SharePoint (SP) server yesterday... Sounds ez, right? Sure it should be with all the top-notch vendors out there that have integrated SP connectivity into their e-Discovery products... Kazeon Systems, KPMG, Kroll, AvePoint, Autonomy to just name a few (click on the links to go their press releases).

Well what happens when the SP server you are collecting from is not in a live production environment... In fact, it’s just a dusty old’ .E01 (Encase format) image of a system you collected a year ago?

…Well based on my market research, there's not much out there that’s going to be able to help you. Nonetheless, I can't imagine there even being a demand for this type of one-off collection in the market place. So on that note, here is some food for thought and research about the various collection approaches of SP databases under these unique circumstances.

Approach 1: Leverage virtualization technology by using Liveview and VMware Server to boot the image natively. Subsequently, start the SP services, and remotely collect site(s) with any one of the widely available tools listed above. Well, hold your horses their speedy!! This sure sounds like a great approach; however, you need to take account for a number of variables that make this approach a tad bit complicated. To name a few:

Does the image consist of a physical or logical acquisition? If it’s logical, yup move onto approach two, can’t boot that up one up.

Is it physical? Well is it a RAID..? Yeah, can’t boot that up either without a serious fight, move on to approach two.

Is the image segmented… or in the wrong format? Start merging/converting those files.

Don’t know the password to log into the system? Eh, you can try to crack it.. with a boot CD.

Approach 2: Extract relevant SP data from the image and implant it into a existing controlled SP environment. First step here is to crack that image open and start identifying some significant information.

What version of SP and SQL is installed? This can generally be found by looking in the registry or associated “program files” directory.

What are the SP files I’m looking for? Each SP database is identified by two files: the database file, which has a .mdf filename extension, and the transaction log file, which has a .ldf extension.

Where are the SP files stored? If you have a default Windows SharePoint Services installation, the database files are in the \Program FilesMicrosoft SQL Server\MSSQL$SHAREPOINT\Data directory. You will typically find the following 4 files in that directory:

STS_Config.mdf
STS_Config_log.LDF
STS_Computer_Name_1.mdf
STS_Computer_Name_1_log.LDF

Now that you have identified the various databases and configuration files, extract them from the image.

The next step is to install the same version of SP, SQL, and operating system that is found in the image file on a computer/server in your controlled lab environment. This might be overkill but effective!

Generally after you get things installed, you will need to turn off SP services, disconnect the default database, copy over the extracted files and do the switchero. Then, start the services back up and connect the database. This process is well documented in Microsoft’s TechNet article. Keep in mind that you may need to repair the database because it may not have been properly detached during the point of collection and in result corrupted.

Approach 3: Let’s say that neither approach worked out. Well I’m going to assume you successfully extracted the relevant SP data (as outlined in Approach 2) from the image. Given that assumption, download the Sharepoint 2003 and 2007 Database Exporter tool. This tool allows you to point to a SP database, view contents, and export. An alternative tool is called SharePoint Database Explorer and SPExport which does the same thing. Both solutions are well documented.

Approach 4 - Catch All: If all else fails, go back to the damn live server and recollect!!

For all four of the approaches outlined, I strongly suggest to validate and perform quality control testing.

-Dav Nads

knock knock

2009-12-01T15:04:00.000-08:00

phish, snort, spoof, tunnel, boom, p'ownd! dav nads is knocking while that firewall trying to be blocking. logged in as root and out with the loot. my intrusions make illusions cause your vulnerabilities compile my credibility's. alwayz leaving traces from outer space, with null to chase, dnads plays hide n go' seek for the geeks :-p

Linux, Mount them segmented DD file Images!!

2009-11-26T13:36:00.000-08:00

To mount split/segmented DD files in Linux you can use the "mdadm" command along with the "losetup" command. For example, if I have six split image files in a directory called Images:

losetup /dev/loop0 /mnt/Images/image.000

losetup /dev/loop1 /mnt/Images/image.001

losetup /dev/loop2 /mnt/Images/image.002

losetup /dev/loop3 /mnt/Images/image.003

losetup /dev/loop4 /mnt/Images/image.004

losetup /dev/loop5 /mnt/Images/image.005

The command to mount it would look like this:

mdadm --build --auto=part -verbose /dev/md1 --level=linear -n6 /dev/loop[0-5]

If you are mounting a hard drive with two partitions, partition1 is on "/dev/md1p1" and partition2 is on "/dev/md2p2".

-Dav Nads

Call the Paparazzi... COFEE was LeAkEd!!

2009-11-22T21:51:00.000-08:00

OMG is right..!! Microsoft's super-secret Computer Online Forensic Evidence Extractor ("COFEE") available to Law Enforcement only, was leaked into the torrents last week... LOL! ABOUT TIME IS ALL THAT I HAVE TO SAY!

It was about a year ago when I first heard about this tool. The press releases poured COFEE out like this..

"With COFEE, law enforcement agencies without on-the-scene computer forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence. An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device. This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer.

The fully customizable tool allows your on-the-scene agents to run more than 150 commands on a live computer system. It also provides reports in a simple format for later interpretation by experts or as supportive evidence for subsequent investigation and prosecution. And the COFEE framework can be tailored to effectively meet the needs of your particular investigation."

To say the least, the tool was intellectually intriguing. I WANTED A COPY for Chanukah!! Unfortunately, I couldn't have one because I was not in Law Enforcement and was living in China at the time (without a whole lot to do). So, I decided to do some research and start programming a COFEE of my own :-) Well, that turned into a long drawn out project called BOOP. I'm saving BOOP for a later date and blog entry of its own.

As for COFEE, let's say I saw it!!! My thoughts, It's nothing but a simple GUI wrapper for a # of Microsoft SysInternal, Windows XP, and other misc. freeware command-line tools. It facilitates batch execution of these utilities and customized payloads. It does not even include a tool to dump physical memory. Honestly, looks like a amateur high school programming project. I had dreams of it being stealthy, sexy, ninja like, super secret, high tech, and a ultimate computer forensic swiss army knife. As I'm sure you can tell, I feel really disappointed and let down here. I think the last time I felt this way was when my girlfriend cheated on me. LOL. 15 MB of trash pretty much sums that tool up. Thanks Microsoft, for ruining my life. Now, back to whole-disk imaging computers.

-This one is for my high school programming class .

Dav Nads

OSX Mail and E-Discovery ..

2009-11-17T21:54:00.000-08:00

Whats up NERDZ! Did ya miss me?? Since I wrote about OSX last week, I thought I would keep things in the ROM... LOL! I'm starting to see more and more Macs in the field and less and less "know how" out in the field to deliver! By no means do I claim to be a expert BUT my first computer was a Apple 2E, second was a Performa 410 and third was a power Macintosh 6400. So I'm just saying... Ms. Apple and I have a little history together :-p

I want to talk about OS X mail here. This is a subject that I feel is not well documented in the community as it pertains to e-Discovery. The fact is I don't know ANY end-to-end e-Discovery appliances/and or solutions that properly handles and processes OSX mail in all variations and native formats. This means I find myself MANUALLY migrating OSX mail to our dear all mighty PST quite frequently. In this blog, I will explore the various common formats of OSX mail and options available to migrate your data to PST format. Ultimately, meeting the requirements and working within the limitations of our e-Discovery software.

In OS X 10.3 (Panther), all messages for each inbox, are stored in .MBOX format. All you need to do is identify these and convert to PST with your favorite MBOX to PST migration utility. It's that simple! I suggest using Aid4Mail and exercising the option to "recover deleted items". Remember it's important to preserve file structure during export and migration.

One of the most compelling reasons to upgrade to OS X 10.4 (Tiger) is because of it's amazing indexing and search features. Apple's Mail.app leveraged this powerful searching ability with Mail 2.0. However, to allow for speedy indexing and searching of e-mails via Spotlight, Apple had to split those large .MBOX files into individual .EMLX files. So you will find ONE .EMLX file for EVERY e-mail. These EMLX files are stored, by default, in the following location. Note that multiple users may have mail accounts.

/Library/Mail/

Now there are a few options to migrate .EMLX files over to the "other side". The first approach, use a e-mail migration utility of your choice to migrate the data. Again, Aid4Mail does a good job at this. This approach assumes you have already exported your data (maintaining file structure) or mounted the image.

The second approach takes into account that some e-Discovery software WILL accept .EML as a valid message type input format. Also, let's be honest, who wants manually convert each extention for every email. Not me!! So lets do this this...

If your on a Mac: Launch the Terminal, change into the directory the .EMLX files are located (ie. cd ~/Library/Mail/) and execute this command to batch rename all the files:

for file in *.emlx ; do mv $file `echo $file | sed 's/$.*\.$emlx/\1eml/'` ; done

If your on a PC: Launch DOS, change into the directory the EMLX file are located, and execute this command to batch rename all the files:

ren *.emlx *.eml

.EMLX and .EML are transparent in format because the messages are stored in pure plaintext. Therefore, renaming the file extension, as demonstrated in the above approach, works great if your software supports the .EML format.

NOW off to the races, what happens if the custodian uses IMAP? In addition to seeing .EMLX files you will see .EMLXPART and PARTIAL.EMLX files. That's a total of three file formats that are used to manage IMAP accounts. That means there are now four file formats you need to take account to during your identification phase. Let's examine these two new formats, .EMLXPART and PARTIAL.EMLX.

An emlxpart file is an attachment, either an image, a document or an HTML version of a message. It doesn’t contain the metadata which is included in an emlx file. This means attachments are stripped from .EMLX files and stored separately as these emlxpart files. It's file name is same number as the corresponding emlx file. For example, Cybergirl223 sends me a picture of her today. Her message is locally cached in my Mail folder as 473.emlx and the attachment as 473.2.emlxpart. Make sense?

In IMAP accounts, a third file type, partial.emlx, also sometimes appears. This is for partially locally-cached copies messages on the IMAP server, saved for indexing or something.

Migrating these 3 files is a little more time and resource consuming as some of the other approaches. This consists of two steps; Migrate everything to MBOX and the secondly migrate the MBOX to PST.

To start, there is only one tool that I'm aware of that entirely migrates .EMLX, EMLXPART, and PARTIAL.EMLX files while persevering folder structure and attachments. This tool is called "Emailchemy" and can be purchased here: http://www.weirdkid.com/products/emailchemy/index.html

After you have converted to your loose e-mail files to MBOX, then again use your tool of choice (I think you know what mine is by now) to migrate to PST.

Well that's all I have on this topic. Make sure you account for all four file types discussed; .MBOX, .EMLX, .EMLXPART, and PARTIAL.EMLX during your identification and/or pre-processing phases - then migrate over accordingly :-) Also, remember the importance of verifying your results when migrating data. I like to tell people if you migrate A to Z you should be able to migrate from Z to A. This is one of simplest forms of logic and basic validation.

hope u enjoyed, all the best, dnasty

Reminder

2009-11-11T17:14:00.000-08:00

24" inch rims and 240-pin DIMMs. spinning platters and pullin magnetic chatter. flying down the system bus i hit the i7 with thrust. some say i overclock but i know its cause i aint stock. my case flowin liquid and your girl blowin somethin, dav nads be energy efficient while your girl being coefficient. from the circuit boards to the cords, u get outscored. nibble on nads just dropped banner ads!

Mac Parallels

2009-11-11T09:50:00.000-08:00

When i aint speaking dictionary attacks or prefetching unicode on the snatch. I'm actually working on the blog. my bouyie, Christian Lander, got a job too. he's droppin text like "Stuff White People Like" where # 40 is a shout out just for Apple Macs. So, heres one for ya -

E-discovery - HOW tO get my f#$%ing data out of Mac Parallels!!!

The most "popular" format of virtual storage is VMware's .VMDK format. Encase does a great job at supporting these in native format by automatically mounting em. However, what about the not so cool formats like Parallels? Well Guidance has it on their far future "feature request" list at number 4,332,545 (guessestimate) to support it sometime in the near future.

Now the big question is how do you get that data out?? Here are my notes on a couple of approaches:

1.) Manually identify the .HDD and .PVS file extensions associated with the Parallels application in your case. Create a file-ext condition in Encase to accomplish fast and efficiently.

HDD ext - During the creation, the virtual machine acquires a virtual hard disk file with the .hdd extension.

PVS ext - A virtual machine configuration file that contains information about the virtual machine resources, devices and other settings.

Don't see those, but you are seeing .HDS files? you can rename these to HDD. Check out this good tutorial.

2.) Extract relevant Parallels data to your work space while preserving folder structure to avoid file name collisions.

3.) Install Parallels on your examiner machine.

A free 30 day demo is available at http://download.parallels.com. Don't ask me this voids some EULA bs cause whatever - just saying yo. If all possible, install a version consistent with the custodian's machine. You can check version by analyzing the .PLIST and/or .PDF user manual artifacts found in the Parallels application folder.

4.) Parallels has developed a special utility for increasing the virtual hard disk capacity and managing its properties - this tool is called Parallels Image Tool.exe and is included with a standard install.

5.) You will need to use this tool to change the properties of your .HDD file. Execute, select "manage..", point to your .HDD file, and convert to plain format.

...This will change the file from a expandable image format to raw disk type.

6.) Rename the extension of the .HDD file to a .VMDK and bring into encase as a loose file. Whalaaa you should see data!!? Otherwise you can use a free program like ImDisk to mount the converted hard disk image. This even has support for "read-only" mode.

FYI - this is just one approach and just like FTK, it does not always work.. Lol! For obvious reasons, there are technical limitations and variables in the above example that will cause issues. Another tool you can use, with newer versions of Parallels disk formats, is the VMware Converter. Similarly, this tool allows to migrate virtual hard drives from one format to another.

So you have FAILED.. and never want to use a Mac again at this point. Here's another approach soldiers:

1.) Blow out your image to a physical hard drive using the tool of your choice. I like DC3DD whooohoo

2.) Now attach this external hard drive to your Mac examiner machine as a slave. Boot to this hard drive instead of the primary hard drive. Boot options are made available by holding down the options key at start up.

3.) So now you just booted into your custodians machine. Sweeeet! The cool thang about Mac's is they don't nearly require the degree of driver support that PC's do upon start up. Mac's have a very transparent set of drivers between all of their products. So you can practically use any Mac machine (at least consistent with chip sets) to boot native.

4.) Now you may get stuck at the login password because you don't know the custodians password. If this is the case, it doesn't hurt to just ask for it DERRRR! If you need to reset it, then use the OS X restoration DVD. You can figure it out.. just GOOGLE IT! Just beware you will need the OS X recovery disk paired with the installation version.

5.) Once you get in, boot the virtual machine(s) normally and acquire using a live-image tool. I like throwing FTK imager lite on a thumb drive, adding it as a read-only device into the virtual machine, and porting the image over to a saved network share location or external data source. As always, just document your shiat.

Update (12/6/2009): Just in, thanks to Beatle over at forensicfocus.com, another approach, try UFS Explorer . I have not tested, but it is documented that this software will to read into the Parallels image file and allow you to mount the file system locally with read-only access. If you have experience using this software, I would be interested to hear your feedback.

As always, these are just some of my notes. Test, validate, document, your work!

its good

2009-11-10T20:54:00.000-08:00

we aint be airing for 24 n i aready gotz stalkers. girlz be bookmarking n crackers be marking. cut paste copy erase. dnads is a polymorphic strand that aint loosing system command. i'm shootin tripple DES while y'all still bootin 95. nibble, nobble, nads gets in with a snort and out with a port. ya better run update cause dav nads don't procasanate. stay tuned for more stringing accsi

ctrl alt del.. P'0wned!! DAV NADS iz ONLINE!

2009-11-09T22:43:00.000-08:00

Wazzzzzzap! I'm werking on layin down some HUGE tricks fo' my blog project includin: hardddcore digi FORENSICS, e-discovery "where the MONEY is @", reverse engineering for snitching, , reality TV and some NEWS.

BUT Rigt' now.. put yo PC on deep freeeeze and MACs 2 sleepz! cause I'm working! spread the word that DAV NADS is ONLINE aND be bloggin' ritee HERE. www.http://davnads.blogspot.com. this the REAL thing y'all!